Skip to content

2022-09

XML Viewer for xml_string attribute

Plaso can parse WINEVTX logs. It creates an attribute xml_string that is the "dump" of the log itself. The next figure shows how it is represented in Timesketch.

This valuable information might be hard to interpret since it is written in a compat format. With this PR we aim to create an icon to visualize better this attribute.

XML View screenshot

Python Notebook to debug the most common Timesketch API

A new Notebook was added with common Timesketch API interactions such as:

  • Timeline information
  • create a new sketches
  • run an analyzer
  • retrieve analyzer results

Add manual event in frontend-ng

Creating a new manual event correlated to an existing timeline event at the bottom of the page.

Manual event 1 screenshot Manual event 2 screenshot

File upload in frontent-ng

Non fully indexed files are constantly monitored to give the user an idea of the "indexing-progress".

This feature allows the user to upload a large file (e.g., a large Plaso file) and having an idea about the status of the file on the server (e.g., 40% indexed).

Add a status dialog that summarize the information of the file (how many events, the status, i.e., ready, processing, or fail).

The user can directly add a new timeline from the Explore tab. The user can only enable the timelines that have been successfully uploaded.

Timeline is ready: the user can explore it: Upload file 1 screenshot

Timeline is failed: the user can not explore it. A failed timeline can be spotted because it has a red background color and it cannot be opened.

Upload file 2 screenshot

Timeline is processing: the user can check how many events have already been indexed and the remaining time for the timeline to be ready. A "processing" timeline can be spotted because is not fully colored and it cannot be opened.

Upload file 3 screenshot

Sigma support in API client

  • Change the expected storage from Sigma rules from file system to database
  • Update the JS API client to add recent additions of the File based API
  • replace the term es_query with query_string to be consistent with
  • the rest of the codebase
  • make API client methods deprecated that will soon be gone away as they link to the file based API
  • add methods in the API client that talk to the databased Sigma Rule API

Extend datasource model schema

  • Introduced a new field to the datasource model.
  • This PR adds the needed DB migration scripts.

Extend Search Templates model to support user defined parameters

  • Extend Search Templates model to support user defined parameters.
  • This PR extend the model to include template_uuid and template_json to support importing of templates, and support for user defined input parameters.

Bugfixes

Uploads not working with newest Plaso

When trying to upload a plaso file, the upload failed with psort.py: error: unrecognized arguments: --elastic_user opensearch --elastic_password opensearch

Search history tree generation

The History tree used a naive approach to find a reasonable root node to generate the tree from. In some edge cases, the last node was not present in the tree and the UI failed to render the history.

Now it always starts from the last node, and then traverse backwards in the tree 10 nodes. After that generate the full sub tree with all children etc.

docs: Fix a few typos

Some typos in documentation have been fixed

add vsvode and notebook checkpoints to .gitignore

New additions to the .gitignore file to make it more usable.

fix for Export Sketch feature

Fixed an HTTP Error 500 when attempting to export a Sketch.

And some other minor bugfixes