Comments (6)
I really like this idea. The question is how to model the database and what kind of annotations we would like to put there. IP <-> hostname is a given, any other interesting use cases? I'll think about this closer, but yes this will definitely be implemented in the future.
The only other thing I've run into thus far are Windows Event IDs, but I think there's an argument this should be built into the tool by default rather than added by the analyst.
Yes, this should be built into the tool(s), and Plaso recently added support for event log message strings.
log2timeline/plaso#99
I think a generic key/value/kind db schema would work here, and then add a new REST endpoint to get the manually added annotations for the active sketch.
This would be a really useful feature. A couple thoughts (thinking out loud here, so feel free to tell me I'm completely crazy):
- Having annotations that are both local to a sketch and global to Timesketch (or extend across multiple sketches) would be awesome. Local IP -> hostname might be unique to a sketch, but something like a unique RDP client name -> "this is known bad!" or annotating significant IPs and users for my company's infrastructure would extend across multiple or all sketches.
- Extending this to annotating complete events -- i.e. creation of specific registry key -> installation of X malware -- would also be super powerful. Being able to capture an event the analyst feels is significant and automatically flag it would be helpful and speed up analysis.
- This has the potential to grow up into a pretty full-fledged knowledge management system if it wanted to. I think the foundation for that requires tracking the places "significant" annotations occur (see below), allowing cross-sketch queries for annotated things (which I guess is the same thing as the first item), allowing comments on the annotation (analyst explanation of what the annotation is, why one cares about it, etc.), and exposing this information via the API in a way other tools can readily consume and (this is a little more complex, I think) contribute to it. Not sure if Timesketch wants to go there, but I would find it awesome. Maybe this is best suited for a separate standalone thing Timesketch could query?
- It seems like you might need to differentiate between annotations that just make life easier (like IP -> hostname) and annotations that are "significant," like hash->evil to make some of this possible.
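The key/value/kind schema and the sketch-local vs. global, convenience vs. "significant" split discussed in the two comments above, as an added toy example (not Timesketch code; the `Annotation` fields, `GLOBAL` scope marker, sketch ids and sample events are all constructed assumptions):

```python
from dataclasses import dataclass
from typing import Dict, List, Optional
GLOBAL = None  # scope marker: annotation applies to every sketch (assumption)


@dataclass(frozen=True)
class Annotation:
    kind: str                  # e.g. "ip", "hash", "rdp_client"
    key: str                   # the observable being annotated
    value: str                 # hostname, verdict, free text
    significant: bool = False  # convenience (ip->hostname) vs "known bad"
    comment: str = ""          # analyst's explanation of why it matters


class AnnotationStore:
    def __init__(self) -> None:
        # scope -> kind -> key -> Annotation; scope is a sketch id or GLOBAL
        self._data: Dict[Optional[int], Dict[str, Dict[str, Annotation]]] = {}

    def add(self, ann: Annotation, sketch_id: Optional[int] = GLOBAL) -> None:
        self._data.setdefault(sketch_id, {}).setdefault(ann.kind, {})[ann.key] = ann

    def lookup(self, kind: str, key: str, sketch_id: int) -> Optional[Annotation]:
        # A sketch-local annotation overrides a global one for the same key.
        for scope in (sketch_id, GLOBAL):
            ann = self._data.get(scope, {}).get(kind, {}).get(key)
            if ann is not None:
                return ann
        return None

    def significant_hits(self, events: List[Dict[str, str]], sketch_id: int) -> List[dict]:
        """Auto-flag events whose fields match a 'significant' annotation."""
        hits = []
        for ev in events:
            for kind, key in ev.items():  # event fields are keyed by kind
                ann = self.lookup(kind, key, sketch_id)
                if ann is not None and ann.significant:
                    hits.append({"event": ev, "kind": kind, "verdict": ann.value, "comment": ann.comment})
        return hits


def demo() -> dict:
    store = AnnotationStore()
    bad = "deadbeef" * 8  # constructed sample hash, not a real indicator
    store.add(Annotation("hash", bad, "evil", True, "dropper from an earlier case"))
    store.add(Annotation("ip", "10.0.0.5", "corp-dc01"))              # global
    store.add(Annotation("ip", "10.0.0.5", "lab-dc01"), sketch_id=1)  # local wins
    events = [{"ip": "10.0.0.5", "message": "logon"}, {"hash": bad, "message": "file created"}]
    return {
        "ip_in_sketch1": store.lookup("ip", "10.0.0.5", 1).value,
        "ip_in_sketch2": store.lookup("ip", "10.0.0.5", 2).value,
        "hits": store.significant_hits(events, 1),
    }
```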
This might be interesting to re-evaluate given the work in: #1796
@tomchop WDYT?