Velociraptor Extension - #2

Still having issues with the Velociraptor extension (as noted in my previous case). After initiating a Kape collection I am seeing the error - lc_error_code:EXTENSION_ERROR - no evtx files found in 469aa656-8dc5-4228-bf68-47397f0ddba4 for ext-hayabusa.
There are zero timeline events for the Hayabusa sensor.

There is a single event in the Plaso sensor - job_queued from over an hour ago.

There are several events listed in the Velociraptor sensor timeline - artifact_generated, job_created, upload_generated, artifact_uploaded, and velociraptor_collection.

Does the Velociraptor contain those evtx files? The Plaso and Hayabusa extensions have not changed in many months.

The Velociraptor artifact uploaded is 54.1 KB. So I don’t think it contains much of anything.
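The question of whether the uploaded Velociraptor archive actually carries any .evtx files is one you can answer directly on the artifact. The following is an added example, not code from LimaCharlie, Velociraptor or any participant in this thread: it opens a collection archive, lists every .evtx member with its size, and checks each one for the EVTX file header ("ElfFile\0") so that zero-byte or truncated logs, which an EVTX parser such as Hayabusa cannot use, stand out. The directory layout inside the constructed sample archive is an assumption for demonstration; point `main` at a real downloaded artifact to inspect it.

```python
import io
import sys
import zipfile
from pathlib import PurePosixPath

EVTX_MAGIC = b"ElfFile\x00"  # first 8 bytes of every well-formed .evtx file


def inspect_evtx_members(zip_bytes):
    """Return one record per .evtx member: name, uncompressed size, header check."""
    records = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or PurePosixPath(info.filename).suffix.lower() != ".evtx":
                continue
            with zf.open(info) as fh:
                header = fh.read(len(EVTX_MAGIC))
            records.append({
                "name": info.filename,
                "size": info.file_size,
                "valid_header": header == EVTX_MAGIC,
            })
    return sorted(records, key=lambda r: r["name"])


def summarize_collection(zip_bytes):
    """Summarize an archive: member count, total size, and usable .evtx files."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = [i for i in zf.infolist() if not i.is_dir()]
    evtx = inspect_evtx_members(zip_bytes)
    return {
        "member_count": len(members),
        "uncompressed_bytes": sum(i.file_size for i in members),
        "evtx_count": len(evtx),
        "usable_evtx_count": sum(1 for r in evtx if r["valid_header"] and r["size"] > len(EVTX_MAGIC)),
        "evtx_members": evtx,
    }


def build_sample_archive(with_evtx):
    """Construct an in-memory archive for demonstration (layout is assumed, not Velociraptor's real one)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("uploads/auto/C/Windows/System32/config/SYSTEM", b"regf" + b"\x00" * 64)
        zf.writestr("Windows.KapeFiles.Targets/All File Metadata.json", b"[]")
        if with_evtx:
            zf.writestr("uploads/auto/C/Windows/System32/winevt/Logs/Security.evtx", EVTX_MAGIC + b"\x00" * 120)
            zf.writestr("uploads/auto/C/Windows/System32/winevt/Logs/System.evtx", EVTX_MAGIC + b"\x00" * 120)
            # A truncated log: correctly named but too short to parse, so it is not counted as usable
            zf.writestr("uploads/auto/C/Windows/System32/winevt/Logs/Application.evtx", b"")
    return buf.getvalue()


def main(argv):
    """Usage: python inspect_collection.py <downloaded-artifact.zip>"""
    data = open(argv[1], "rb").read() if len(argv) > 1 else build_sample_archive(with_evtx=True)
    summary = summarize_collection(data)
    print(f"{summary['member_count']} members, {summary['uncompressed_bytes']} bytes uncompressed")
    print(f"{summary['evtx_count']} .evtx members, {summary['usable_evtx_count']} with a valid header")
    for rec in summary["evtx_members"]:
        flag = "ok" if rec["valid_header"] else "BAD HEADER"
        print(f"  {rec['size']:>10}  {flag:<10}  {rec['name']}")


if __name__ == "__main__":
    main(sys.argv)
```

An archive whose summary reports zero usable .evtx members is consistent with the "no evtx files found" extension error above, whichever Velociraptor artifact produced it; a small total uncompressed size, as with the 54.1 KB upload, is a quicker but less precise hint of the same thing.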

I re-ran the collection using the artifact of Windows.KapeFiles.Targets instead of Windows.Triage.Targets and the Hayabusa events and detections are working as expected. But the Plaso sensor only shows the ‘job_queued’ event in the timeline.

Tested again and am seeing the same thing. Hayabusa is working as expected when using the artifact of Windows.KapeFiles.Targets but the only Plaso events are job_queued and job_started.

Thanks for the update. We’re looking into this.

Do you see any artifact_failed events in the Velociraptor timeline? If so, what error code/message do they contain?

Hello,
No artifact failed messages in the Velociraptor timeline. There is a 500+MB artifact generated and uploaded to Artifacts by the Velociraptor sensor.
Thank you!
