Velociraptor Extension

Having an issue with the Velociraptor extension when initiating a Kape triage collection, following this link: Automating Incident Response Workflows with LimaCharlie | LimaCharlie
The timeline for the Velociraptor extension shows the job_created event and nothing else. This has now been running for an hour. There are no errors this time in the Platform logs.
Thank you

Hello, we received a report that the latest version of Velociraptor broke backward compatibility by moving several Artifacts that used to be built-in to an external Artifact repo.

We’re working on a PR to bring back the capability. In an effort to remain aligned with the source project, this will likely mean that using these external Artifacts will be done slightly differently (like a different field), but we’re trying to make the discovery of those external Artifacts transparent.

Thank you!! Do you have any idea on a timeline?

Not 100%, but I would like to try to get it by EOW.

Thank you very much!!

It went better than expected. We just pushed out the new version. Note that, as per their new site (Rules | Triage Artifacts), the names of some of those things have changed, but the new names should be in the Artifact list. The Kape artifact is now under Windows.Triage.Targets.

Just tested and this is what I am seeing.
The job_created event for the ext-velociraptor sensor shows:
```
{
  "event": {
    "event": "job_created",
    "external_artifacts": [
      "Windows.Triage.Targets (from https://triage.velocidex.com/docs/windows.triage.targets/Windows.Triage.Targets.zip)"
    ],
    "inv_id": "",
    "job_id": "b07e8ec4-ce16-4aec-83e8-593f5b410b0b",
    "request": {
      "args": "KapeTriage=Y",
      "artifact_list": [
        "Windows.Triage.Targets"
      ],
      "collection_ttl": 604800,
      "custom_artifact": "",
      "ignore_cert": false,
      "retention_ttl": 7,
      "sensor_selector": "",
      "sid": "sid of target Windows device"
    }
  }
}
```
upload_generated, artifact_generated, artifact_uploaded, and velociraptor_collection events all occur within a few seconds.

The Velociraptor artifact is 53k.
There is a Platform Log error saying no evtx files found.

Also, when I try to use Show Artifact for Windows.Triage.Targets I receive this error:
Request Failed:

lc_error_code:EXTENSION_REQUEST_ERROR - lc_error_code:EXTENSION_ERROR - exit status 1

Also following :eyes: had to make changes to https://triage.zip as well

OK, we fixed the Listing to handle the new externally-defined Artifacts.

Investigating the rest, I also got an error this morning which I didn’t get yesterday. Apologies for the delay, I have no idea what I’m doing Velociraptor-wise :slight_smile:

Appreciate you looking into this!

If you want to collaborate, you know where to reach me :saluting_face:

Thanks.

I think I’ve figured out how it works now.

The challenge is that it’s not as simple as it used to be, where we could execute V by effectively pointing to a file. We have to point to a directory with the file in it. And this adds delays, which causes a race condition when we execute V: sometimes the directory and file have not been written yet. So we have to move to shipping bat scripts that will wait, and it’s just getting really messy. :frowning:

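The wait-before-launch approach described in the post above, written out as an added PowerShell example that is not LimaCharlie's or Velociraptor's own code. It polls until the external artifact file exists and can be opened exclusively (so a half-written file is not picked up), then starts the collection; the artifact directory path, the timeout, and the velociraptor.exe arguments (`--definitions` for the external artifact directory, `artifacts collect` with the `KapeTriage=Y` arg from the event) are assumptions for illustration.

```powershell
# Added example: wait for an externally defined Velociraptor artifact to be fully
# written before launching the collection, avoiding the race described in the post.
# Default path and the velociraptor.exe command line below are assumptions.
param(
    [string]$ArtifactDir = "C:\ProgramData\lc\velociraptor\artifacts",   # assumed path
    [string]$ArtifactName = "Windows.Triage.Targets",
    [int]$TimeoutSeconds = 60
)

$artifactFile = Join-Path $ArtifactDir "$ArtifactName.yaml"

function Test-FileReady {
    param([string]$Path)
    # Directory or file not yet created: keep waiting.
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    try {
        # An exclusive open fails while another process still holds the file
        # for writing, so 'exists' alone is not treated as 'ready'.
        $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'None')
        $fs.Close()
        return $true
    } catch {
        return $false
    }
}

$deadline = (Get-Date).AddSeconds($TimeoutSeconds)
while (-not (Test-FileReady $artifactFile)) {
    if ((Get-Date) -gt $deadline) {
        Write-Error "Timed out after ${TimeoutSeconds}s waiting for $artifactFile"
        exit 1
    }
    Start-Sleep -Milliseconds 500
}

# Assumed invocation: point Velociraptor at the directory holding the external
# artifact definition and collect it with the same arg seen in the job_created event.
& velociraptor.exe --definitions $ArtifactDir artifacts collect $ArtifactName --args KapeTriage=Y
exit $LASTEXITCODE
```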