Skip to content

Tagger analyzer

The tagger analyzer tags events that match a specific search filter. Different searches and different tags can be specified in the tags.yaml file.

Configuration attributes

Each tags.yaml entry must define either a query_string or a query_dsl. This is the filter that will be used to select events that should be tagged.

save_search is an optional boolean that determines whether a saved search should be created if there are hits for the aforementioned query. The name of the saved search is defined through the search_name attribute.

tags and emojis are arrays of tags or emojis that will be applied to matching events.

The tagger analyzer will iterate over the matching events, and apply all specified tags and emojis to each event. Only if tagging happens will the saved searches be created.

A simple configuration looks like this:

    query_string: 'test'
    tags: ['test-tag']
    emojis: ['FISHING_POLE']
    save_search: true
    search_name: 'TEST the tag'

With the above entry, events matching the search query test will be tagged with test-tag and have the FISHING_POLE emoji attached to them. If any events are tagged, a saved search containing this events will be created and called TEST the tag.

Advanced configuration

The tagger analyzer supports some more advanced configuration for selecting and tagging events.

Regular expression matching

regular_expression and re_attribute can be used to further narrow down which events to tag.

If specified, regular_expression will be checked on the attribute specified in re_attribute, and only if it matches will the tags / emojis be applied to that event.

Regular expression flags can be passed through the re_flags attribute. Possible values are the flags supported by Python's re module:

Given the following configuration:

    query_string: 'test'
    tags: ['secure']
    save_search: true
    search_name: 'HTTPS requests'
    regular_expression: '^https://'
    re_attribute: 'message'
    re_flags: ['IGNORECASE']

all events matching the query test will initially be selected, and for each , the regular expression ^http:// with the IGNORECASE flag will be applied to the event's message attribute. If there is a match, the event will be tagged 'secure'. If events are tagged this way, a saved search called 'HTTPS requests' will be created.

Dynamic tagging

Dynamic tagging allows to tag events with values derived from event attributes.

Consider events that have a yara_match attribute that specify which Yara rule matched a specific file (this is the default behavior of timelines generated by Plaso).

By prefixing a tag name with $ (e.g. '$yara_match'), the value of the tag applied to the event will be the value of the event's yara_match attribute.

Dynamic tagging also supports modifiers, such as split or upper. These modifiers are defined in the MODIFIERS class attribute of the TaggerSketchPlugin class. They are applied sequentially to the extracted attribute value.

Using this example configuration:

  query_string: '_exists_:yara_match AND NOT yara_match.keyword:"-"'
  tags: ['yara', '$yara_match']
  modifiers: ['split']
  save_search: true
  search_name: 'Yara rule matches'

and considering an event that has the following attribute:

yara_match: 'yara_rule1 yara_rule2'

Using the split modifier will split the value of yara_match into ['yara_rule1', 'yara_rule2']. These will be applied as individual tags to the event, along with yara, which was specified without a leading $.