The tagger analyzer tags events that match a specific search filter. Different searches and different tags can be specified in the `tags.yaml` configuration file. Each `tags.yaml` entry must define either a `query_string` or an alternative query definition; this is the filter that will be used to select the events that should be tagged.

`save_search` is an optional boolean that determines whether a saved search should be created if there are hits for the aforementioned query. The name of the saved search is defined through the `search_name` attribute.

`tags` and `emojis` are arrays of tags or emojis that will be applied to each matching event.

The tagger analyzer iterates over the matching events and applies all specified tags and emojis to each of them. The saved search is only created if at least one event was actually tagged.
A simple configuration looks like this:
```yaml
test_tagger:
  query_string: 'test'
  tags: ['test-tag']
  emojis: ['FISHING_POLE']
  save_search: true
  search_name: 'TEST the tag'
```
With the above entry, events matching the search query `test` will be tagged with `test-tag` and have the `FISHING_POLE` emoji attached to them. If any events are tagged, a saved search containing these events will be created and called `TEST the tag`.
The tagger analyzer supports some more advanced configuration for selecting and tagging events.
Regular expression matching
`regular_expression` and `re_attribute` can be used to further narrow down which events to tag. The `regular_expression` will be checked on the attribute specified in `re_attribute`, and only if it matches will the tags / emojis be applied to that event.

Regular expression flags can be passed through the `re_flags` array. Possible values are the flags supported by Python's `re` module (for example `IGNORECASE`).
Given the following configuration:
```yaml
test_tagger:
  query_string: 'test'
  tags: ['secure']
  save_search: true
  search_name: 'HTTPS requests'
  regular_expression: '^https://'
  re_attribute: 'message'
  re_flags: ['IGNORECASE']
```
all events matching the query `test` will initially be selected, and for each event the regular expression `^https://` with the `IGNORECASE` flag will be applied to the event's `message` attribute. If there is a match, the event will be tagged `secure`. If events are tagged this way, a saved search called `HTTPS requests` will be created.
Dynamic tagging allows events to be tagged with values derived from event attributes. Consider events that have a `yara_match` attribute that specifies which Yara rule matched a specific file (this is the default behavior of timelines generated by Plaso). By prefixing a tag name with a dollar sign (for example `'$yara_match'`), the value of the tag applied to the event will be the value of the event's `yara_match` attribute.

Dynamic tagging also supports modifiers, such as `split` or `upper`. These modifiers are defined in the `MODIFIERS` class attribute of the tagger analyzer class. They are applied sequentially to the extracted attribute value.
Using this example configuration:
```yaml
yara_match_tagger:
  query_string: '_exists_:yara_match AND NOT yara_match.keyword:"-"'
  tags: ['yara', '$yara_match']
  modifiers: ['split']
  save_search: true
  search_name: 'Yara rule matches'
```
and considering an event that has the following attribute:

`yara_match: 'yara_rule1 yara_rule2'`

the `split` modifier will split the value of `yara_match` into `['yara_rule1', 'yara_rule2']`. These will be applied as individual tags to the event, along with `yara`, which was specified without a leading `$` and is therefore applied literally.
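As an added example (not Timesketch's own code), the following Python models the configuration semantics of all three entries on this page: the plain `test_tagger`, the regex-narrowed entry (named `https_tagger` here so it can sit alongside the first) and `yara_match_tagger` with its `split` modifier. The query evaluator is a stand-in for the OpenSearch `query_string` syntax that understands only the forms used on this page, the event records are constructed, and the `MODIFIERS` table holds the `split` and `upper` modifiers mentioned above; none of this is the analyzer's actual implementation.

```python
"""Model of the tags.yaml semantics described on this page (added example, not
Timesketch's own code). matches_query is a deliberately small stand-in for the
OpenSearch query_string syntax and covers only the forms used on this page."""
import re
import shlex

# Modifiers for dynamic ($attribute) tags; each may return a str or a list of str.
MODIFIERS = {"split": lambda v: v.split(), "upper": lambda v: v.upper()}

# Constructed sample events, not real timeline data.
EVENTS = [
    {"id": 1, "message": "https://example.org/login test"},
    {"id": 2, "message": "HTTPS://example.org/api test"},
    {"id": 3, "message": "http://example.org/plain test"},
    {"id": 4, "message": "unrelated record", "yara_match": "yara_rule1 yara_rule2"},
    {"id": 5, "message": "test file scanned", "yara_match": "-"},
]

# The page's three entries (the regex one renamed https_tagger to share one mapping).
CONFIGS = {
    "test_tagger": {"query_string": "test", "tags": ["test-tag"], "emojis": ["FISHING_POLE"],
                    "save_search": True, "search_name": "TEST the tag"},
    "https_tagger": {"query_string": "test", "tags": ["secure"], "save_search": True,
                     "search_name": "HTTPS requests", "regular_expression": "^https://",
                     "re_attribute": "message", "re_flags": ["IGNORECASE"]},
    "yara_match_tagger": {"query_string": '_exists_:yara_match AND NOT yara_match.keyword:"-"',
                          "tags": ["yara", "$yara_match"], "modifiers": ["split"],
                          "save_search": True, "search_name": "Yara rule matches"},
}


def matches_query(query_string, event):
    """Clauses are ANDed; NOT negates the next one. Supported: `_exists_:field`,
    `field[.keyword]:value` (exact) and bare terms (substring of `message`)."""
    negate = False
    for token in shlex.split(query_string):  # shlex also strips the quotes in "-"
        if token == "AND":
            continue
        if token == "NOT":
            negate = True
            continue
        if token.startswith("_exists_:"):
            hit = token[len("_exists_:"):] in event
        elif ":" in token:
            field, value = token.split(":", 1)
            field = field[:-len(".keyword")] if field.endswith(".keyword") else field
            hit = field in event and str(event[field]) == value
        else:
            hit = token.lower() in str(event.get("message", "")).lower()
        if hit == negate:  # plain clause missed, or negated clause matched
            return False
        negate = False
    return True


def expand_tag(tag, event, modifiers):
    """Static tags pass through; `$attribute` yields the attribute value after
    each modifier in turn, flattening list results into separate tags."""
    if not tag.startswith("$"):
        return [tag]
    if tag[1:] not in event:
        return []
    values = [str(event[tag[1:]])]
    for name in modifiers:
        expanded = []
        for value in values:
            result = MODIFIERS[name](value)
            expanded.extend(result if isinstance(result, list) else [result])
        values = expanded
    return values


def run_tagger(config, events):
    """Apply one entry to `events` in place; return (tagged ids, saved search or
    None). The saved search is only created when at least one event was tagged."""
    flags = 0
    for flag_name in config.get("re_flags", []):
        flags |= getattr(re, flag_name)
    regex = re.compile(config["regular_expression"], flags) if "regular_expression" in config else None
    tagged = []
    for event in events:
        if not matches_query(config["query_string"], event):
            continue
        if regex is not None:  # narrow the query hits by the regex on re_attribute
            value = event.get(config["re_attribute"])
            if value is None or not regex.search(str(value)):
                continue
        for tag in config.get("tags", []):
            for expanded in expand_tag(tag, event, config.get("modifiers", [])):
                if expanded not in event.setdefault("tag", []):
                    event["tag"].append(expanded)
        event.setdefault("emoji", []).extend(config.get("emojis", []))
        tagged.append(event["id"])
    if tagged and config.get("save_search"):
        return tagged, {"name": config["search_name"], "query_string": config["query_string"]}
    return tagged, None


def demo():
    """Run the three entries in order over a fresh copy of the sample events."""
    events = [dict(e) for e in EVENTS]
    return events, {name: run_tagger(cfg, events) for name, cfg in CONFIGS.items()}
```

Running the three entries in order over the sample events tags events 1, 2, 3 and 5 with `test-tag`, narrows `secure` to the two whose `message` starts with `https://` in either case, and expands `$yara_match` on event 4 into `yara_rule1` and `yara_rule2`. Event 5, whose `yara_match` is `-`, is excluded by the `NOT yara_match.keyword:"-"` clause, which is what keeps Plaso's no-match marker from becoming a tag.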