
mcp-velociraptor

MCP.Pizza Chef: mgreen27

Velociraptor MCP is a proof-of-concept Model Context Protocol (MCP) server that bridges Velociraptor's server API to large language models (LLMs) through MCP clients. The initial version ships Windows-oriented triage tools, so an LLM can ask for the network connections on a named machine, look for suspicious processes, and find artifacts (for example those targeting the USN journal). It brings Velociraptor's endpoint visibility into LLM-driven triage and incident-response workflows.

Use This MCP server To

  • Query network connections on specific Windows machines
  • Identify suspicious processes via LLM queries
  • Access USN journal artifacts for forensic analysis
  • Automate endpoint triage using natural language queries
  • Integrate Velociraptor data into AI-driven security workflows
  • Enable real-time incident response with LLM context
  • Bridge Velociraptor API with MCP clients for system insights

README

Velociraptor MCP

Velociraptor MCP is a POC Model Context Protocol bridge that exposes Velociraptor's API to LLMs through MCP clients.

The initial version ships several Windows-oriented triage tools. It works best when you state the use case and name the target machine, e.g.:

can you give me all network connections on MACHINENAME and look for suspicious processes?

can you tell me which artifacts target the USN journal

Installation

1. Setup an API account

https://docs.velociraptor.app/docs/server_automation/server_api/

Generate an API client config file:

velociraptor --config /etc/velociraptor/server.config.yaml config api_client --name api --role administrator,api api_client.yaml

The resulting api_client.yaml contains the CA certificate, the client certificate and the client private key, so protect it like any credential. Note that the administrator role gives the bridge, and therefore anything the model is prompted to do, full control of the server; if you only need to read data or schedule collections, Velociraptor's narrower analyst or investigator roles (still combined with api) are a smaller blast radius.

2. Clone mcp-velociraptor repo and test API

  • Copy api_client.yaml to your preferred config location and check that api_connection_string points at the server's API address (the gRPC API listens on port 8001 by default).
  • Edit test_api.py so it loads api_client.yaml from that location.
  • Run test_api.py to confirm the connection works.
  • Edit mcp_velociraptor_bridge.py to point at the same API config.

3. Connect to Claude desktop or MCP client of choice

The easiest configuration is to have the MCP client launch your venv's Python directly with mcp_velociraptor_bridge.py as the argument (the client then talks to the bridge over stdin/stdout). For Claude Desktop this goes in claude_desktop_config.json:

{
  "mcpServers": {
    "velociraptor": {
      "command": "/path/to/venv/bin/python",
      "args": [
        "/path/to/mcp_velociraptor_bridge.py"
      ]
    }
  }
}


4. Caveats

Due to the nature of DFIR, results depend on the amount of data a collection returns, the model used and its context window: a collection that yields thousands of rows will not fit, and the model only sees whatever subset the bridge hands it.

I have included a function to find artifacts and dynamically create collections, but have had mixed results: I have been pleasantly surprised with some results and disappointed when running other collections that return lots of rows.
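As an added example that is not part of mcp-velociraptor, the following Python sketch shows what the "all network connections on MACHINENAME" tool has to do against the API account set up in steps 1 to 3, and one way to honour the row-volume caveat above. The hostname allow-list, the 200-row cap, the function names and the fake backend's canned rows are my assumptions (the rows are constructed); the gRPC transport follows the pyvelociraptor client example, and the VQL plugins used (clients, collect_client, flows, source) are Velociraptor's own. The hostname comes straight from the model's prompt, so it is treated as untrusted input before it is spliced into VQL.

```python
"""Hostname lookup, Netstat collection and row trimming for a Velociraptor MCP
bridge. Added example, not code from mcp-velociraptor."""
import json
import re
import time
from typing import Callable, Dict, List

Row = Dict[str, object]
QueryFn = Callable[[str], List[Row]]  # runs one VQL statement, returns its rows

# The hostname comes from an LLM prompt and is spliced into VQL, so treat it as
# untrusted: allow only DNS-label characters instead of trying to escape quotes.
_HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,252}$")
MAX_ROWS = 200  # assumed cap on rows handed to the model (see the caveat above)


def safe_hostname(hostname: str) -> str:
    if not _HOSTNAME_RE.match(hostname):
        raise ValueError(f"refusing hostname with unsafe characters: {hostname!r}")
    return hostname


def resolve_client_id(query: QueryFn, hostname: str) -> str:
    # clients(search='host:NAME') is Velociraptor's indexed hostname lookup
    host = safe_hostname(hostname)
    rows = query(f"SELECT client_id FROM clients(search='host:{host}')")
    if len(rows) != 1:
        raise LookupError(f"expected one client for {host}, found {len(rows)}")
    return str(rows[0]["client_id"])


def collect_and_wait(query: QueryFn, client_id: str, artifact: str,
                     timeout_s: float = 120.0, poll_s: float = 2.0,
                     sleep: Callable[[float], None] = time.sleep) -> str:
    # Schedule with collect_client(), then poll flows() until the flow finishes
    rows = query(f"SELECT collect_client(client_id='{client_id}', "
                 f"artifacts='{artifact}') AS Flow FROM scope()")
    flow_id = str(rows[0]["Flow"]["flow_id"])
    deadline = time.monotonic() + timeout_s
    while True:
        state = query(f"SELECT state FROM flows(client_id='{client_id}', "
                      f"flow_id='{flow_id}')")[0]["state"]
        if state == "FINISHED":
            return flow_id
        if state == "ERROR" or time.monotonic() > deadline:
            raise RuntimeError(f"flow {flow_id} ended in state {state}")
        sleep(poll_s)


def trim_for_model(rows: List[Row], max_rows: int = MAX_ROWS) -> Dict[str, object]:
    # Bound what reaches the context window and say so; never truncate silently
    return {"total_rows": len(rows), "returned_rows": min(len(rows), max_rows),
            "truncated": len(rows) > max_rows, "rows": rows[:max_rows]}


def network_connections(query: QueryFn, hostname: str,
                        sleep: Callable[[float], None] = time.sleep) -> Dict[str, object]:
    # The "all network connections on MACHINENAME" tool, end to end
    client_id = resolve_client_id(query, hostname)
    flow_id = collect_and_wait(query, client_id, "Windows.Network.Netstat", sleep=sleep)
    rows = query(f"SELECT * FROM source(client_id='{client_id}', flow_id='{flow_id}', "
                 f"artifact='Windows.Network.Netstat')")
    result = trim_for_model(rows)
    result.update({"hostname": hostname, "client_id": client_id, "flow_id": flow_id})
    return result


def grpc_query_fn(api_config_path: str) -> QueryFn:
    # Real backend following the pyvelociraptor client example; needs grpcio,
    # pyvelociraptor and a reachable server, so the imports are kept local.
    import grpc
    from pyvelociraptor import LoadConfigFile, api_pb2, api_pb2_grpc

    config = LoadConfigFile(api_config_path)
    creds = grpc.ssl_channel_credentials(  # mutual TLS with the certs in api_client.yaml
        root_certificates=config["ca_certificate"].encode("utf8"),
        private_key=config["client_private_key"].encode("utf8"),
        certificate_chain=config["client_cert"].encode("utf8"))
    options = (("grpc.ssl_target_name_override", "VelociraptorServer"),)
    stub = api_pb2_grpc.APIStub(
        grpc.secure_channel(config["api_connection_string"], creds, options))

    def query(vql: str) -> List[Row]:
        request = api_pb2.VQLCollectorArgs(
            max_wait=1, Query=[api_pb2.VQLRequest(Name="mcp", VQL=vql)])
        rows: List[Row] = []
        for response in stub.Query(request):
            if response.Response:  # each message carries a JSON array of rows
                rows.extend(json.loads(response.Response))
        return rows
    return query


def fake_query_fn() -> QueryFn:
    # Constructed offline stand-in: canned answers keyed on the VQL text
    polls = {"n": 0}
    netstat = [{"Pid": 4312, "Name": "svchost.exe", "Laddr": {"IP": "10.0.0.5",
                "Port": 49712}, "Raddr": {"IP": "203.0.113.9", "Port": 443}}] * 300

    def query(vql: str) -> List[Row]:
        if vql.startswith("SELECT client_id FROM clients("):
            return [{"client_id": "C.1234abcd"}]
        if "collect_client(" in vql:
            return [{"Flow": {"flow_id": "F.CF0A0E4C"}}]
        if vql.startswith("SELECT state FROM flows("):
            polls["n"] += 1
            return [{"state": "RUNNING" if polls["n"] < 2 else "FINISHED"}]
        if "FROM source(" in vql:
            return netstat
        raise AssertionError(f"unexpected VQL: {vql}")
    return query
```

Running network_connections(fake_query_fn(), "WORKSTATION-01", sleep=lambda _: None) returns 200 of the 300 constructed rows with truncated set to true, so the model is told it is looking at a sample; swapping in grpc_query_fn("api_client.yaml") runs the same logic against a live server with the permissions of the API account from step 1.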

Please let me know how you go, and feel free to open a PR!

Screenshots (not reproduced here) show the results of the two example prompts above: the network connections and suspicious process review for MACHINENAME, and the list of artifacts that target the USN journal.

mcp-velociraptor FAQ

How do I set up Velociraptor MCP server?
Generate an API config file using Velociraptor's server API, configure mcp-velociraptor with this file, and run test scripts to confirm connectivity.
What platforms does Velociraptor MCP primarily support?
It mainly supports Windows environments with triage tools targeting Windows artifacts and processes.
Can Velociraptor MCP handle multiple target machines?
Yes, you can query specific machines by name to retrieve targeted forensic data.
How does Velociraptor MCP integrate with LLMs?
It exposes Velociraptor's forensic data through the Model Context Protocol, allowing LLMs to query and analyze endpoint information.
Is Velociraptor MCP limited to Velociraptor's API?
Yes, it acts as a bridge to Velociraptor's API but can be combined with other MCP servers for broader context.
What LLM providers are compatible with Velociraptor MCP?
The README demonstrates Claude Desktop. Any MCP client that can launch a local stdio server should be able to use the bridge, but the page documents no other client.
How secure is the communication between Velociraptor MCP and clients?
The bridge authenticates to the Velociraptor API with the certificates in api_client.yaml (gRPC over mutual TLS), so that file carries a private key and should be protected like any credential. In the configuration shown, the MCP client launches the bridge as a local process and talks to it over stdin/stdout, so nothing beyond the API connection is exposed on the network. Anything the model asks the bridge to do runs with the API account's role, which is why the role chosen when generating api_client.yaml matters.
Can I extend Velociraptor MCP with custom triage tools?
The README describes the server as a POC that already includes a function to find artifacts and create collections dynamically, and the author invites further tools as pull requests.