Cyber Resilience in 2025: Practical Security for Small and Mid Firms


In 2025, cyber security is no longer a “nice-to-have” but a business survival issue. Threat actors are more advanced, insider threats are on the rise, and small-to-medium firms are increasingly targeted because attackers know they often lack the budgets for enterprise-grade security platforms.

From our work with clients, we noticed a consistent challenge: how can organizations gain security visibility into their systems without investing in expensive enterprise tools? On the advice of a subject matter expert in the field, we explored Velociraptor, an open-source digital forensics and incident response (DFIR) platform that is free to use, customizable, and designed for real-time endpoint visibility.

Affordable open-source cyber security for your business

SIEM vs Digital Forensics and Incident Response (DFIR) platforms

While Velociraptor focuses on endpoint visibility and forensic investigation, a SIEM platform (like Splunk or Wazuh) focuses on log aggregation and event correlation across the entire network. SIEM tools collect and analyze logs from servers, firewalls, and cloud systems to detect suspicious activity, whereas a DFIR platform such as Velociraptor provides deep, real-time insight into what is actually happening on each endpoint. Many security teams use both: the SIEM for detection and Velociraptor for investigation and response.

We shall first take a look at Velociraptor.

A Crash Course in Velociraptor

Velociraptor, a free open-source platform originally developed by Google, is an endpoint visibility and response platform. It enables security teams to query, collect, and analyze forensic data from endpoints across the network. Unlike many commercial DFIR platforms, Velociraptor focuses on transparency, flexibility, and forensic depth.

Here’s how it works:

Image source: https://docs.velociraptor.app/

  • Server: Coordinates tasks, stores collected data.
  • Assets: Endpoint devices (PCs, laptops, servers) with lightweight Velociraptor clients installed.
  • Web Admin UI: Analysts run "Hunts" (explained later), VQL queries, and receive alerts.

Velociraptor consists of a central server that coordinates endpoints and stores data, lightweight agents on each device that collect information and run VQL queries, and a web-based console where analysts can monitor events and investigate alerts in real time.

Insider Threat Scenario

Consider a case where the company wants to monitor employee logins during non-office hours, when an account login is more likely to be the result of compromised credentials. A system administrator can run a VQL query like the one below via the Web Admin UI to search the events logged by Velociraptor agents.


SELECT Username, LogonTime
FROM Windows.EventLogs.Security
WHERE LogonType = "Interactive"
AND hour(LogonTime) NOT BETWEEN 8 AND 20

VQL queries are then wrapped in "Hunts", which run the query across all agents and return the results to the server.

Example results

Admins can then schedule these Hunts to run over any timeframe (e.g. daily, weekly). Alerts can also be configured and sent to users to notify them of a breach.
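As an added illustration that is not part of the original article or of Velociraptor itself, the following Python script applies the same off-hours check to hunt results exported from the Web Admin UI as JSON lines. The sample rows, the LogonType-to-"interactive" mapping and the UTC+8 office time zone are assumptions; the point it adds is that Windows event timestamps are recorded in UTC, so the hour test must be done in the office's local zone or the query will flag the wrong logons.

```python
"""Flag interactive logons outside office hours in exported Velociraptor hunt rows."""
import json
from datetime import datetime, timedelta, timezone

OFFICE_START, OFFICE_END = 8, 20   # office hours are [08:00, 20:00) in local time
INTERACTIVE_TYPES = {2, 10, 11}    # Security event 4624 LogonType: console, RDP, cached console
OFFICE_TZ = timezone(timedelta(hours=8))  # assumption: the office is in UTC+8

# Constructed sample of hunt rows in the JSON-lines form the Web UI can export (not real data).
SAMPLE_ROWS = "\n".join(json.dumps(r) for r in [
    {"Username": "alice", "LogonType": 2, "LogonTime": "2025-03-03T02:14:09Z"},
    {"Username": "bob", "LogonType": 2, "LogonTime": "2025-03-03T09:30:00Z"},
    {"Username": "carol", "LogonType": 10, "LogonTime": "2025-03-03T23:58:41Z"},
    {"Username": "svc-backup", "LogonType": 5, "LogonTime": "2025-03-03T01:00:00Z"},
])


def parse_rows(text):
    """Parse a JSON-lines export into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def to_local(iso_utc, tz):
    """Event log timestamps are UTC; convert to the office zone before checking the hour."""
    ts = datetime.fromisoformat(iso_utc.replace("Z", "+00:00"))
    return ts.astimezone(tz)


def is_off_hours(local_dt):
    """True when the local hour falls outside [OFFICE_START, OFFICE_END)."""
    return not (OFFICE_START <= local_dt.hour < OFFICE_END)


def flag_off_hours_logons(text, tz=timezone.utc):
    """Return (username, local ISO time) for interactive logons outside office hours."""
    flagged = []
    for row in parse_rows(text):
        if row.get("LogonType") not in INTERACTIVE_TYPES:
            continue  # service/network logons (types 3, 4, 5) run at all hours by design
        local = to_local(row["LogonTime"], tz)
        if is_off_hours(local):
            flagged.append((row["Username"], local.isoformat()))
    return flagged


if __name__ == "__main__":
    for user, when in flag_off_hours_logons(SAMPLE_ROWS, OFFICE_TZ):
        print(f"off-hours interactive logon: {user} at {when}")
```

Run with the UTC default instead of OFFICE_TZ and alice's 02:14Z logon (10:14 local) is wrongly flagged, which is exactly the mistake the time zone conversion guards against.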

Checking USB Device Usage

Velociraptor can monitor USB device activity to detect potential data exfiltration. It tracks device names, serial numbers, and connection times, allowing analysts to flag unauthorized usage and quickly investigate suspicious activity. NOTE: If USB ports are disabled, no connection events will appear; an admin can still run the query in Velociraptor to confirm that no USB connections show up in the results.


SELECT DeviceName, SerialNumber, LastConnected
FROM Windows.USBDevices()
WHERE LastConnected > now() - 1d

Example Results (Non JSON format)


Conclusion

With the ongoing digital transformation, more and more “wealth” is becoming digitized — from everyday bank transfers to payments made with a simple tap on a mobile device. In this rapidly evolving technological landscape, having a solid foundation in cybersecurity is essential. This is especially true given the growing adoption of cryptocurrencies, smart contracts, and other digital assets. In our next article, we will explore Splunk (SIEM) — a platform widely used by corporations to provide a centralized dashboard that integrates and visualizes events from a variety of sources (services, devices, routers etc.) across their network.

