Provides an MCP server to access Velociraptor data sources and perform DFIR actions and deployment tasks.
Configuration

  {
    "mcpServers": {
      "wagonbomb-megaraptor-mcp": {
        "command": "python",
        "args": [
          "-m",
          "megaraptor_mcp"
        ],
        "env": {
          "VELOCIRAPTOR_CONFIG_PATH": "PATH/TO/api_client.yaml"
        }
      }
    }
  }

Megaraptor MCP lets AI assistants access Velociraptor's powerful DFIR capabilities to manage endpoints, collect artifacts, run hunts, execute VQL queries, and automate deployment. It enables streamlined collaboration between AI workflows and Velociraptor infrastructure, so you can investigate, respond, and orchestrate deployments at scale.
You connect your MCP client to the local or remote MCP server and start issuing DFIR and deployment commands through the available tools. Use endpoint search and inspection tools to enumerate Velociraptor clients, schedule artifact collection, create hunts across endpoints, and run VQL queries to retrieve data. Use pre-built DFIR prompts to guide investigations and deployment workflows to manage Velociraptor servers and agents across your infrastructure.
Prerequisites you need before installing the MCP server:
- Python 3.10 or higher
- A running Velociraptor server with API access enabled
Install from source:

  git clone https://github.com/yourusername/megaraptor-mcp.git
  cd megaraptor-mcp

  # Core DFIR functionality only
  pip install -e .
  # With deployment features
  pip install -e ".[deployment]"
  # With cloud deployment (AWS/Azure)
  pip install -e ".[cloud]"
  # All features
  pip install -e ".[all]"

Or install the dependencies directly with pip:

  # Core only
  pip install mcp pyvelociraptor pyyaml grpcio
  # For deployment features
  pip install paramiko pywinrm cryptography jinja2
  # For cloud deployment
  pip install boto3 azure-mgmt-compute azure-identity

You can start the server directly from your environment after installation.
  megaraptor-mcp

MCP client configuration:

  {
    "mcpServers": {
      "velociraptor": {
        "command": "python",
        "args": ["-m", "megaraptor_mcp"],
        "env": {
          "VELOCIRAPTOR_CONFIG_PATH": "/path/to/api_client.yaml"
        }
      }
    }
  }

Example prompts once the client is connected:
- List connected endpoints: Use the list_clients tool to show all Windows endpoints.
- Investigate an endpoint: Use the investigate_endpoint prompt for client C.1234567890abcdef.
- Create a threat hunt: Create a hunt for the file hash a1b2c3d4e5f6 across all endpoints.
- Run a VQL query: Run this VQL query: SELECT * FROM pslist() WHERE Name =~ 'suspicious'.
VQL (Velociraptor Query Language) is the core query language. Common patterns include selecting clients, filtering by hostname, and retrieving running processes from collected data.
Example patterns:
- List all clients: SELECT * FROM clients()
- Get running processes from a collection: SELECT * FROM source(client_id='C.xxx', flow_id='F.xxx')
- Create a hunt: SELECT hunt(artifacts='Windows.System.Pslist', description='Process audit') FROM scope()
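Because the VQL tools take parameters that an assistant supplies, the server should validate those values before splicing them into query text. The following is an added example, not code from the megaraptor project, showing allowlist checks for the client_id, flow_id, artifact and description values used in the patterns above; the identifier formats are assumptions modelled on the identifiers shown on this page.

```python
import re

# Allowlists for values an AI assistant hands to the MCP tools before those
# values are spliced into VQL text.  The formats are assumptions modelled on
# the identifiers shown on this page (C.1234567890abcdef, F.xxx,
# Windows.System.Pslist); adjust them to what your server actually issues.
ALLOWLIST = {
    "client_id": re.compile(r"C\.[0-9a-f]{16}"),
    "flow_id": re.compile(r"F\.[A-Z0-9]{6,24}"),
    "artifact": re.compile(r"[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z0-9_]+)+"),
    # Free text without quotes, backslashes or newlines, so it can never
    # close the single-quoted VQL literal it is placed in.
    "description": re.compile(r"[A-Za-z0-9 _.,:()/-]{1,200}"),
}


def validate_args(args: dict) -> list:
    """Return the names of arguments that fail their allowlist (empty = OK)."""
    bad = []
    for key, value in args.items():
        pattern = ALLOWLIST.get(key)
        if pattern is None:
            bad.append(key)  # unknown parameter: refuse rather than pass through
        elif not isinstance(value, str) or not pattern.fullmatch(value):
            bad.append(key)
    return bad


def _checked(args: dict) -> dict:
    bad = validate_args(args)
    if bad:
        raise ValueError("rejected tool arguments: " + ", ".join(sorted(bad)))
    return args


def source_query(client_id: str, flow_id: str) -> str:
    """VQL for the page's source() pattern, built only from validated ids."""
    a = _checked({"client_id": client_id, "flow_id": flow_id})
    return (f"SELECT * FROM source(client_id='{a['client_id']}', "
            f"flow_id='{a['flow_id']}')")


def hunt_query(artifact: str, description: str) -> str:
    """VQL for the page's hunt() pattern; the description is free text from
    the assistant, so it is allowlisted rather than escaped."""
    a = _checked({"artifact": artifact, "description": description})
    return (f"SELECT hunt(artifacts='{a['artifact']}', "
            f"description='{a['description']}') FROM scope()")
```

Run validate_args on every tool call's arguments and log the rejected names; a rejection from an assistant-driven workflow is worth reviewing, since it means the model tried to pass a value outside the expected format.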
Automation covers server deployments and agent deployments across environments. You can deploy Velociraptor servers as binaries, via Docker, or to cloud platforms, and generate deployment packages for Windows and Linux/macOS agents.
Example deployment patterns include building an enterprise-grade deployment, generating GPO or WinRM agent packages, and creating Ansible playbooks for large-scale rollout.
Follow least-privilege access for API clients. Encrypt deployment credentials at rest and protect CA certificates and private keys. Use key-based authentication where possible and limit exposure of MCP endpoints to trusted networks.
If you have a Velociraptor API client config, export the path to that file as VELOCIRAPTOR_CONFIG_PATH so the MCP server can find it. You can run the MCP server locally with Python or via the installed command.
Check connectivity between the MCP server and Velociraptor server. Ensure your API client has the correct role permissions for the actions you attempt. Review logs for authorization errors and rate limits.
The MCP server supports a wide range of tools for endpoint management, artifact collection, hunts, flows, VQL execution, and deployment orchestration. Use the built-in prompts to guide workflows for investigation, threat hunting, triage, malware analysis, and deployment scaling.
Search and list Velociraptor endpoints
Get detailed information about a client
Add or remove labels from clients
Quarantine or release endpoints
List available Velociraptor artifacts
Get full artifact definition
Schedule artifact collection on a client
Create a mass collection campaign
List existing hunts
Retrieve results from a hunt
Start, pause, stop, or archive hunts
List collection flows for a client
Get results from a collection
Check collection status
Cancel a running collection
Execute arbitrary VQL queries
Get help on VQL syntax and plugins
Deploy Velociraptor server as standalone binary
Deploy Velociraptor server using Docker
Deploy Velociraptor server to AWS/Azure cloud
Generate server configuration with certificates
Generate GPO deployment package for Windows
Deploy agents via WinRM to Windows endpoints
Deploy agents via SSH to Linux/macOS endpoints
Generate Ansible playbook for agent deployment
Build standalone offline collector
Generate client configuration file
List tracked deployment operations
Get detailed status of a deployment
Verify deployment health and connectivity
Rollback a failed deployment
Securely store deployment credentials
List stored credential aliases
Remove stored credentials
Download Velociraptor binary for platform