
Run selected/analyzers from "timesketch importer"

Open hasamba opened this issue 1 year ago • 8 comments

I'm using a script that creates a Plaso file from KAPE output and uploads the output file to Timesketch. It would be very helpful if there were an argument for timesketch_importer that automatically runs selected or all analyzers/taggers after the upload and indexing finish.

thanks

hasamba avatar May 19 '24 12:05 hasamba

Hi @hasamba, we are using dftimewolf for this use case, and its TimesketchExporter module supports triggering analyzers on the uploaded timelines, for example with the upload_ts recipe.

Adding this feature to the timesketch_importer is not on the roadmap for now, but it sounds like a great opportunity for a community contribution. I'm happy to review the PR if anyone wants to take a stab at it.

jkppr avatar May 20 '24 05:05 jkppr

@hasamba @jkppr Hi there! I am a new contributor to this repository and would love to contribute by solving this issue. Could you please assign this issue to me?

wiredinhp avatar May 23 '24 10:05 wiredinhp

Hi @wiredinhp thanks for offering to implement this feature request. I have assigned you the issue.

  • Please find the getting started guide here: https://timesketch.org/developers/getting-started/
  • Feel free to submit a draft PR early to gather some review feedback.

jkppr avatar May 23 '24 10:05 jkppr

@wiredinhp How is it going with this issue? Are you still working on it?

jkppr avatar Jul 17 '24 09:07 jkppr

@jkppr Hi! I am actually working on this issue and will try to finish it in a few days. My apologies, I got paused in between for some reasons and did not inform you. I am still working on it, and if I have any issues I will contact you here 👍. Thanks for your support 👍

wiredinhp avatar Jul 18 '24 05:07 wiredinhp

@wiredinhp Do you happen to have an update on this? We are facing this same issue and deciding whether we should invoke the analyzers via API call or wait for this fix now.

abroglesc avatar Aug 09 '24 21:08 abroglesc

@jkppr Could you assign me to resolve this issue please? Thanks!

YiChiCanCode avatar Aug 14 '24 21:08 YiChiCanCode

Reassigning this issue due to inactivity.

jkppr avatar Aug 15 '24 07:08 jkppr

@hasamba @abroglesc Thanks to the efforts by @YiChiCanCode you can now use the timesketch_importer.py script to trigger analyzers on uploaded Timelines once they have finished processing:

    python tools/timesketch_importer.py --analyzer-names feature_extraction domain account_finder --sketch_name importer_analyzer_test /tmp/firefox.plaso

    --analyzer_names [ANALYZER_NAMES ...], --analyzer-names [ANALYZER_NAMES ...]
                   Set of analyzers that we will automatically run right after the timelines are uploaded.
                   The input needs to be the analyzer names, provided as strings separated by spaces.

If you import the ImportStreamer class into your own scripts, you can trigger the analyzers by calling ImportStreamer._trigger_analyzers(analyzer_names=<List of Analyzer names>).

jkppr avatar Oct 02 '24 11:10 jkppr
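For readers who, like @abroglesc above, want to do this from their own script via the API client rather than the importer flag, here is an added example (not code from the Timesketch project or from anyone in this thread). It shows the property the thread cares about: the analyzers are only started once the timeline has finished indexing, and not at all if indexing failed, since running analyzers over a partially indexed timeline produces misleading tags. The wait-and-run logic is self-contained and runs offline; the `main()` section assumes the `timesketch_api_client` / `timesketch_import_client` names (`config.get_client`, `get_sketch`, `ImportStreamer.set_sketch` / `set_timeline_name` / `add_file` / `.timeline`, `Timeline.status`, `Sketch.run_analyzer`) and the status strings `"processing"`, `"ready"` and `"fail"`; verify these against the client version you have installed. The private `ImportStreamer._trigger_analyzers` helper mentioned above is deliberately not used, because an underscore-prefixed method may change without notice.

```python
"""Upload a Plaso file to Timesketch, wait until indexing finishes, then run analyzers.

Added example for the workflow discussed in this issue; not part of the
Timesketch project. The client calls in main() are assumptions about the
timesketch_api_client / timesketch_import_client API and should be checked
against the installed version.
"""
import sys
import time

# Terminal timeline states as reported by Timesketch (assumed spelling of the status strings).
STATUS_READY = "ready"
STATUS_FAIL = "fail"


def wait_for_timeline(get_status, max_attempts=120, interval=5.0, sleep=time.sleep):
    """Poll get_status() until the timeline reaches a terminal state.

    get_status: zero-argument callable returning the current status string.
    Returns the terminal status. Raises TimeoutError if max_attempts polls pass
    without the timeline leaving its processing state.
    """
    last = None
    for _ in range(max_attempts):
        last = get_status()
        if last in (STATUS_READY, STATUS_FAIL):
            return last
        sleep(interval)
    raise TimeoutError(f"timeline still {last!r} after {max_attempts} polls")


def run_analyzers_when_ready(get_status, run_analyzer, analyzer_names, **wait_kwargs):
    """Start each analyzer exactly once, in the given order, only if indexing succeeded.

    run_analyzer: one-argument callable that starts the named analyzer.
    Returns the list of analyzer names that were started. Raises RuntimeError
    if the timeline failed to index, so no analyzer runs against partial data.
    """
    status = wait_for_timeline(get_status, **wait_kwargs)
    if status != STATUS_READY:
        raise RuntimeError(f"timeline ended in status {status!r}; analyzers not started")
    started = []
    for name in dict.fromkeys(analyzer_names):  # de-duplicate, keep caller's order
        run_analyzer(name)
        started.append(name)
    return started


def main(argv):
    """Usage: python run_analyzers.py SKETCH_ID TIMELINE_NAME FILE.plaso ANALYZER [ANALYZER ...]"""
    if len(argv) < 5:
        print(main.__doc__)
        return 2
    sketch_id, timeline_name, path, *analyzers = argv[1:]

    # Imported here so the helpers above stay importable without the client installed.
    from timesketch_api_client import config         # assumed module path
    from timesketch_import_client import importer    # assumed module path

    sketch = config.get_client().get_sketch(int(sketch_id))
    with importer.ImportStreamer() as streamer:
        streamer.set_sketch(sketch)
        streamer.set_timeline_name(timeline_name)
        streamer.add_file(path)
    timeline = streamer.timeline  # assumed: Timeline object created by the upload

    started = run_analyzers_when_ready(
        get_status=lambda: timeline.status,  # assumed: "processing" | "ready" | "fail"
        run_analyzer=lambda name: sketch.run_analyzer(
            analyzer_name=name, timeline_id=timeline.id  # assumed signature
        ),
        analyzer_names=analyzers,
    )
    print("started analyzers:", ", ".join(started))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Invoke it as `python run_analyzers.py 1 importer_analyzer_test /tmp/firefox.plaso feature_extraction domain account_finder` with the same `~/.timesketchrc` credentials the importer script uses. The status callback and the analyzer runner are injected so the same logic can be pointed at dftimewolf, a test double, or a future public `ImportStreamer` method without touching the ordering and failure handling.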