get_hunt_results
Retrieve digital forensics data from Velociraptor hunts to analyze endpoint activity and investigate security incidents.
Instructions
Get results from a Velociraptor hunt.
Args:
- hunt_id: The hunt ID (e.g., 'H.1234567890')
- artifact: Optional specific artifact to get results for
- limit: Maximum number of result rows to return (default 1000)
Returns: Hunt results data from all clients.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| hunt_id | Yes | The hunt ID (e.g., 'H.1234567890') | |
| artifact | No | Optional specific artifact to get results for | |
| limit | No | Maximum number of result rows to return | 1000 |
Implementation Reference
- The implementation of the get_hunt_results tool, which queries hunt results from Velociraptor and formats the output.
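async def get_hunt_results(
    hunt_id: str,
    artifact: Optional[str] = None,
    limit: int = 1000,
) -> list[TextContent]:
    """Get results from a Velociraptor hunt.

    Args:
        hunt_id: The hunt ID (e.g., 'H.1234567890')
        artifact: Optional specific artifact to get results for
        limit: Maximum number of result rows to return (default 1000)

    Returns:
        Hunt results data from all clients, as a single JSON ``TextContent``.
        Validation errors, gRPC errors and unexpected failures are returned
        as a JSON error payload rather than raised.
    """
    import re  # function-scope import: the module import block is outside this listing

    try:
        # Input validation
        hunt_id = validate_hunt_id(hunt_id)
        limit = validate_limit(limit)

        # The artifact name is interpolated straight into the VQL text below,
        # so it must be restricted to an identifier-like character set
        # (e.g. 'Windows.System.Pslist'); quotes, parentheses or whitespace
        # would otherwise be able to change the meaning of the query.
        # An empty string is treated like None, as in the original branch.
        if artifact and not re.fullmatch(r"[A-Za-z0-9._]+", artifact):
            raise ValueError(
                "Artifact name may only contain letters, digits, '.' and '_'"
            )

        client = get_client()

        # Build the VQL query
        if artifact:
            vql = f"SELECT * FROM hunt_results(hunt_id='{hunt_id}', artifact='{artifact}') LIMIT {limit}"
        else:
            vql = f"SELECT * FROM hunt_results(hunt_id='{hunt_id}') LIMIT {limit}"

        results = client.query(vql)

        # default=str keeps non-JSON-native values (timestamps etc.) serialisable
        return [TextContent(
            type="text",
            text=json.dumps({
                "hunt_id": hunt_id,
                "artifact": artifact,
                "result_count": len(results),
                "results": results[:limit],
            }, indent=2, default=str)
        )]

    except grpc.RpcError as e:
        error_response = map_grpc_error(e, f"hunt results for {hunt_id}")
        # Check if it's a not-found error
        if "NOT_FOUND" in error_response.get("grpc_status", ""):
            error_response["hint"] = f"Hunt {hunt_id} may not exist. Use list_hunts() to see available hunts."
        return [TextContent(
            type="text",
            text=json.dumps(error_response)
        )]
    except ValueError as e:
        # Validation errors (hunt ID, limit or artifact name)
        return [TextContent(
            type="text",
            text=json.dumps({
                "error": str(e),
                "hint": "Provide a valid hunt ID starting with 'H.' and, if set, an artifact name made of letters, digits, '.' and '_'"
            })
        )]
    except Exception:
        # Generic errors - don't expose internals
        return [TextContent(
            type="text",
            text=json.dumps({
                "error": "Failed to get hunt results",
                "hint": "Check hunt ID and try again"
            })
        )]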