Create style guide for EventData contents

Open Onager opened this issue 6 years ago • 7 comments

Points to cover:

  • What level of meaning to aim for in eventdata vs formatter (bool/string)
  • Naming conventions

Onager, Sep 06 '18 10:09

Make changes to codebase after guide is completed:

  • is_friend in plaso/parsers/sqlite_plugins/tango_android.py

joachimmetz, Sep 17 '18 05:09

Some more points to address:

  • storing binary data
  • storing data as-is or e.g. int representing a boolean or converting to Python types first
  • current role of the formatter
    • should we extend the formatter to unify output?

joachimmetz, Sep 17 '18 05:09

More points to address:

  • event attributes should not be dictionaries (e.g. regvalue)
    • not supported by event filter

joachimmetz, May 28 '19 09:05

+1 on attributes should not be dictionaries, this is also problematic for Elasticsearch for example.

berggren, May 28 '19 10:05

@Onager I've taken a first stab at writing something down https://github.com/log2timeline/plaso/pull/2917. You think we can get this completed as part of the May release?

joachimmetz, May 03 '20 06:05

Don't see this happening before next release, bumping milestone

joachimmetz, Dec 04 '21 10:12

Marking as blocked, make this part of the migration to dfKinds

joachimmetz, Nov 13 '22 09:11