
[analyser] timesketch full rewrite / revamp

Open cvandeplas opened this issue 1 year ago • 2 comments

Completely re-assess the timesketch analyser, as with the change of model to time-based events it becomes redundant. Summarized: ideally there should not be a timesketch analyser; the jsonl output of the parsers should be compatible, so it should contain the mandatory fields and use timestamps in microseconds.

Also the message field, which is a human readable summary, should be implemented in the parser.

In the meantime the timesketch analyser is declared broken and disabled (changed file extension to .broken).

cvandeplas avatar Nov 05 '24 10:11 cvandeplas

Partially rebuilt using the new architecture in the hackthon25 branch

ddurvaux avatar Apr 08 '25 15:04 ddurvaux

New version of the analyser finished

  • took input from all the parsers that return a timestamp
  • put as message all the elements returned by the parsers as a JSON object
  • put as timestamp_desc the name of the parser.

ddurvaux avatar Apr 09 '25 07:04 ddurvaux
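The two comments above sketch the same target: parser output that can be imported into Timesketch without an intermediate analyser. The following is an added illustration, not code from the sysdiagnose project, of what that conversion and its sanity checks look like. It assumes the Timesketch JSONL importer needs `message`, `datetime` (ISO 8601) and `timestamp_desc` on every event (taken from the Timesketch import documentation, not from this issue), keeps `timestamp` in microseconds since the Unix epoch as the issue asks, builds `message` from the parser fields as a JSON object and sets `timestamp_desc` to the parser name as the second comment describes. The sample records, the parser name `demo_parser` and the helper names are all made up for the example.

```python
import json
from datetime import datetime, timezone

# Constructed sample records, standing in for what a sysdiagnose parser could
# emit: a "timestamp" in microseconds since the Unix epoch plus parser-specific
# fields. These values are invented for the example, not real parser output.
SAMPLE_RECORDS = [
    {"timestamp": 1730764800000000, "process": "kernel_task", "pid": 0, "event": "wake"},
    {"timestamp": 1730764800123456, "process": "sshd", "pid": 412, "event": "login"},
]

# Fields the Timesketch JSONL importer requires on every event (assumption
# taken from the Timesketch import documentation, not stated in this issue).
MANDATORY_FIELDS = ("message", "datetime", "timestamp_desc")


def microseconds_to_iso8601(ts_us):
    """Convert microseconds since epoch to an ISO 8601 UTC string without
    going through a float, so the last digits are not rounded away."""
    seconds, micros = divmod(int(ts_us), 1_000_000)
    dt = datetime.fromtimestamp(seconds, tz=timezone.utc).replace(microsecond=micros)
    return dt.isoformat()


def check_timestamp_unit(ts_us):
    """Reject values that look like seconds or milliseconds: a microsecond
    timestamp for any date after 2001 has at least 16 digits. Mixing units
    is the classic way events land in 1970 or far in the future on a timeline."""
    ts_us = int(ts_us)
    if ts_us < 10**15:
        raise ValueError(f"timestamp {ts_us} does not look like microseconds")
    return ts_us


def to_timesketch_event(record, parser_name):
    """Turn one parser record into a Timesketch-importable event dict.
    message = compact JSON of the parser fields, timestamp_desc = parser name,
    and the original fields are kept as extra columns for filtering."""
    if "timestamp" not in record:
        raise KeyError("record has no timestamp; it cannot be placed on a timeline")
    ts_us = check_timestamp_unit(record["timestamp"])
    payload = {k: v for k, v in record.items() if k != "timestamp"}
    event = dict(payload)
    event["timestamp"] = ts_us
    event["datetime"] = microseconds_to_iso8601(ts_us)
    event["timestamp_desc"] = parser_name
    event["message"] = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return event


def records_to_jsonl(records, parser_name):
    """Serialise records as JSONL, one event per line, ready for import."""
    lines = [json.dumps(to_timesketch_event(r, parser_name), sort_keys=True)
             for r in records]
    return "\n".join(lines) + "\n"


def validate_jsonl(text):
    """Check that every non-empty line carries the mandatory fields and a
    microsecond timestamp; return the number of valid events."""
    count = 0
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        event = json.loads(line)
        missing = [f for f in MANDATORY_FIELDS if f not in event]
        if missing:
            raise ValueError(f"line {lineno}: missing mandatory field(s) {missing}")
        if "timestamp" in event:
            check_timestamp_unit(event["timestamp"])
        count += 1
    return count


if __name__ == "__main__":
    out = records_to_jsonl(SAMPLE_RECORDS, "demo_parser")
    print(out, end="")
    print("valid events:", validate_jsonl(out))
```

`validate_jsonl` is the check worth running on every parser's output once the analyser is gone: a parser that forgets a field or emits seconds instead of microseconds fails here rather than silently producing an empty or mis-dated timeline after import.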

Re-implemented it natively as discussed in the original message.

cvandeplas avatar May 15 '25 11:05 cvandeplas