Skip to content

2023-05

Add "remove tag" to timesketch-cli-client (#2732)

There is a new addition in the timesketch cli client to remove tags from an event. The new option, called remove_tag, takes a list of tags as its argument and removes those tags from the event. For example, the following command would remove the tags "suspicious" and "foobar333" from the event with the ID "k8P1MYcBkeTGnypeeKJL".

timesketch events remove_tag --timeline-id 4 --event-id k8P1MYcBkeTGnypeeKJL --tag foobar333
200

If called without --tag parameter, the client will show the current event details to make it easier to find the ones to remove.

It is also possible to provide a comma separated list of tags to remove. The following command will remove both tags foobar333and fooba123.

timesketch events remove_tag --timeline-id 4 --event-id k8P1MYcBkeTGnypeeKJL --tag foobar333,fooba123
200

Add "untag_event" and "untag_events" to timesketch-api-client (#2729)

The API client got two new methods untag_eventand untag_events in the context of a sketch.

untag_event(self, event_id: str, index, tag: str): - Untags the specified tag from the event with the specified ID. untag_events(self, events, tags_to_remove: list): - Untags the specified tag from all of the events with the specified IDs.

Example code:


import timesketch_api_client

Create a client
client = timesketch_api_client.TimesketchAPIClient()
sketch = client.get_sketch(1)

# Get the event ID
event_id = "k8P1MYcBkeTGnypeeKJL"

# Untag the event
sketch.untag_event(event_id, "foobar")

Note the maximum of events passed via API is 500. The maximum number of tags to be removed in one API call is also 500.

Add untag event to WebUI + some minor WebUI tag aspects (#2694)

A common feature request was the ability in the WebUI to remove tags added to an event. This is now possible.

  • Tags are now sorted. Quick tags first, rest alphabetically.
  • Tags can now be dynamically added and removed without the need of confirming the dialog.
  • Applied tags can be removed from the EventDetail view or via the EventTagMenu.
  • The list for new tags will only show available tags.
  • The tag menu also supports timelines with events that have no tag attribute now.

There where several smaller improvements on the backend and frontend side related to analyzer handling.

Optional feature to the AnalyzerSessionActiveListResource API endpoint which allows for also returning all session details with the same response.

  • This reduces the number of necessary API requests to one.
  • This solution is backwards compatible :)

Sigma parsing NoneType Error (#2716)

With the change of Sigma list to only parse the yaml when requested (due to performance issues in the WebUi) it was not checked what data is needed for the analyzer. That was causing basically the Sigma analyzer to not work at all.

This is now fixed

It was also found that in some instances, the rule["id"] and rule["rule_id"] is still needed while internally we try to use rule_uuid, it is worth to provide the rule["id"] as well when pulling a list.

Another long standing issue is fixed with this PR, if there are matches, it not only adds the rule_title to the events as an attribute but also the rule_id. In the past, we use to be able to lookup rules based on name (file). Now that it is switched to Database, we look up rules based on id.

Context Search in WebUI (#2715)

  • Pivot from an event and search all timelines within a time window
  • Context search result is displayed in a bottom sheet window (same as in graphs)
  • Option to "pop out" the context search and replace the current search window

Context Search

Other fixes

  • Pagination fixes
  • Timeline details were missing the Context
  • Fixed inconsistencies in left panel
  • Events without a “tag” attribute couldn’t have new tags added
  • The search can only be triggered via the enter key When no timeline is selected, it should not search (resulting in error)
  • Dark UI problem with graphs
  • With broken timelines there is an error that the event counter cannot be processed
  • Saved searches throwing errors
  • Exit early if there is no Cytoscape graph instance