Velociraptor Integration

If you're an InsightIDR Ultimate customer, you have access to a version of Velociraptor, the open source Digital Forensics and Incident Response (DFIR) tool. For InsightIDR Ultimate customers, Velociraptor is integrated with the Insight Platform as a component of the Insight Agent.

Velociraptor access for Managed Threat Complete

For Managed Threat Complete customers, only the Ultimate tier includes access to Velociraptor. Velociraptor is not included in the Managed Threat Complete Essential and Advanced tiers.

You can use Velociraptor alongside InsightIDR to add DFIR capabilities to your investigative toolset, giving you deeper visibility into endpoints and faster response to issues. With the integrated version, you can build detections on the events that Velociraptor monitors and pivot into Velociraptor while researching an investigation.

Requirements

To access Velociraptor in InsightIDR, you'll need:

  • An InsightIDR Ultimate, Managed Threat Complete Ultimate, or Threat Complete Ultimate license
  • A deployed Insight Agent

Trying to deploy Velociraptor as an InsightIDR Essential or Advanced customer?

Read the Velociraptor documentation to get started with the open source version. Open source Velociraptor does not integrate with InsightIDR or the Insight Platform.

How Velociraptor works with the Insight Agent

For InsightIDR Ultimate customers, Velociraptor is deployed after the Insight Agent is installed. Unlike open source Velociraptor, which requires you to deploy an endpoint client separately and configure a dedicated server, the Velociraptor integrated with the Insight Platform is ready to use as soon as the Insight Agent is installed.

The integrated version of Velociraptor is delivered by two components, which run as child processes of the Insight Agent:

Rapid7 Agent Core

This component handles communication between the Velociraptor client and the server. Its functions include:

  • Identifying and connecting to the organization’s unique Velociraptor server instance within the Insight Platform
  • Translating the standard Velociraptor client ID to the Insight Agent's asset ID, so that each endpoint has the same ID in both Velociraptor and the Insight Platform
  • Sending and receiving data, such as incoming hunt collection jobs and outgoing results

Rapid7 Velociraptor

This component is a version of the open source Velociraptor client executable with a few differences:

  • It contains additional modules to communicate with the Insight Platform through the Rapid7 Agent Core component.
  • It's compiled without the server and web service components that are included in the open source binaries, so only client functions are available; the endpoint binary does not run a Velociraptor server or web UI.

Both the Rapid7 Velociraptor and Agent Core components are compatible with the operating systems currently supported by the Insight Agent. Read the Insight Agent documentation to learn more.

Do not remove the client.config.yaml file installed with the Rapid7 Velociraptor component

Although the Rapid7 Agent Core component manages server communications, the Velociraptor client still reads client.config.yaml at start-up. Removing it prevents the client from starting correctly.

Although Velociraptor is available as soon as the Insight Agent is installed, you may want to make additional configuration changes to take full advantage of the Velociraptor and InsightIDR integration.

Read more about Velociraptor to understand the configuration settings that Rapid7 recommends.

User logins for Velociraptor

InsightIDR Ultimate users access the Velociraptor user interface with their Insight Platform credentials; there is no separate Velociraptor account or password to manage.

When you navigate to Velociraptor through the Insight Platform, you're logged in with your current Insight Platform session. Logging out through either Velociraptor or the Insight Platform ends your session in both places.

Read the Velociraptor topic and the open source Velociraptor documentation to learn more about how to access and use the Velociraptor user interface.

Data retention policy

The endpoint data collected by Velociraptor is retained for two weeks. This includes query results, client monitoring events, query logs, and acquired files. If an investigation needs this evidence for longer, preserve it elsewhere before the two-week window expires.

User data and artifact definitions are not covered by this policy and are retained indefinitely.