
Mcp Velociraptor

@mgreen27, a year ago | 30 | MIT | Free | Community | AI Systems
VelociraptorMCP is a Model Context Protocol bridge for exposing LLMs to MCP clients.

Overview

What is Mcp Velociraptor

mcp-velociraptor is a Model Context Protocol bridge designed to expose Large Language Models (LLMs) to MCP clients, facilitating interaction and data retrieval from various systems.

Use cases

Use cases include querying for network connections on a target machine, identifying suspicious processes, and retrieving artifacts from the USN journal.

How to use

To use mcp-velociraptor, set up an API account, generate a configuration file, clone the repository, and connect to your preferred MCP client. Follow the installation steps to ensure proper configuration and functionality.

Key features

Key features include the ability to query specific machines for network connections and suspicious processes, as well as the dynamic creation of collections for artifact retrieval.

Where to use

mcp-velociraptor is primarily used in digital forensics and incident response (DFIR) environments, where it aids in the analysis and investigation of systems.

Content

Velociraptor MCP

Velociraptor MCP is a POC Model Context Protocol bridge for exposing LLMs to MCP clients.

The initial version ships several Windows-oriented triage tools. It works best when you phrase the use case as a query against a target machine name.

e.g.

can you give me all network connections on MACHINENAME and look for suspicious processes?

can you tell me which artifacts target the USN journal

Installation

1. Setup an API account

https://docs.velociraptor.app/docs/server_automation/server_api/

Generate an API client config file:

velociraptor --config /etc/velociraptor/server.config.yaml config api_client --name api --role administrator,api api_client.yaml

2. Clone the mcp-velociraptor repo and test the API

  • Copy api_client.yaml to your preferred config location and check that the configuration is correct (it must point to the appropriate IP address of the Velociraptor API).
  • Modify test_api.py to point at that location.
  • Run test_api.py to confirm the API connection works.
  • Modify mcp_velociraptor_bridge.py to point at the correct API config.
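A pre-flight check for step 2, added here as an example that is not part of mcp-velociraptor: it reads api_client.yaml and reports whether api_connection_string points at the host you expect and whether the certificate and key fields look like PEM, before you run test_api.py. It assumes the flat layout written by `velociraptor config api_client` (keys ca_certificate, client_cert, client_private_key, api_connection_string) and uses a minimal reader for that layout instead of PyYAML so it runs offline; the embedded sample file is constructed.

```python
import re

REQUIRED = ("ca_certificate", "client_cert", "client_private_key", "api_connection_string")

# Constructed sample in the layout `velociraptor config api_client` writes; PEM bodies omitted.
SAMPLE_API_CLIENT_YAML = """name: api
ca_certificate: |
  -----BEGIN CERTIFICATE-----
  -----END CERTIFICATE-----
client_cert: |
  -----BEGIN CERTIFICATE-----
  -----END CERTIFICATE-----
client_private_key: |
  -----BEGIN EC PRIVATE KEY-----
  -----END EC PRIVATE KEY-----
api_connection_string: 127.0.0.1:8001
"""


def read_api_config(text):  # flat `key: value` lines and `key: |` block scalars only
    cfg, key, block = {}, None, []
    for line in text.splitlines():
        if key and (line.startswith(" ") or not line):
            block.append(line.strip())  # continuation of the current block scalar
            continue
        if key:  # first non-indented line ends the block scalar
            cfg[key], key, block = "\n".join(block).strip(), None, []
        m = re.match(r"^(\w+):\s*(.*)$", line)
        if m and m.group(2) == "|":
            key = m.group(1)
        elif m:
            cfg[m.group(1)] = m.group(2).strip()
    if key:
        cfg[key] = "\n".join(block).strip()
    return cfg


def check_api_config(cfg, expected_host):  # returns problems; [] means ready for the bridge
    problems = ["missing key: " + k for k in REQUIRED if not cfg.get(k)]
    if problems:
        return problems
    host, _, port = cfg["api_connection_string"].rpartition(":")
    if not port.isdigit():
        problems.append("api_connection_string must be host:port")
    elif host != expected_host:
        problems.append(f"api_connection_string points at {host}, expected {expected_host}")
    for k in ("ca_certificate", "client_cert"):
        if "BEGIN CERTIFICATE" not in cfg[k]:
            problems.append(k + " is not a PEM certificate")
    if "PRIVATE KEY" not in cfg["client_private_key"]:
        problems.append("client_private_key is not a PEM private key")
    return problems
```

Run it on your real file with `check_api_config(read_api_config(open("api_client.yaml").read()), "<server ip>")` and fix anything it lists before moving on.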

3. Connect to Claude desktop or MCP client of choice

The easiest configuration is to have the MCP client run your venv Python directly, with mcp_velociraptor_bridge.py as the script:

{
  "mcpServers": {
    "velociraptor": {
      "command": "/path/to/venv/bin/python",
      "args": [
        "/path/to/mcp_velociraptor_bridge.py"
      ]
    }
  }
}


4. Caveats

Due to the nature of DFIR, results depend on the amount of data returned, the model used and the context window.

I have included a function to find artifacts and dynamically create collections but had mixed results.
I have been pleasantly surprised with some results and disappointed when running other collections that return lots of rows.

Please let me know how you go and feel free to open a PR!

Screenshots (not reproduced here) of the two example prompts:

can you give me all network connections on MACHINENAME and look for suspicious processes?

can you tell me which artifacts target the USN journal
