How to use the timesketch.lib.analyzers.manager function in timesketch
To help you get started, we’ve selected a few timesketch examples, based on popular ways it is used in public projects.
Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
google / timesketch / timesketch / lib / analyzers / sessionizer.py View on Github 
if curr_timestamp - last_timestamp > self.max_time_diff_micros:
session_num += 1
self.annotateEvent(event, session_num)
last_timestamp = curr_timestamp
except StopIteration:
pass
return ('Sessionizing completed, number of session created:'
' {0:d}'.format(session_num))
def annotateEvent(self, event, session_num):
event.add_attributes({'session_id': {self.session_type: session_num}})
event.commit()
manager.AnalysisManager.register_analyzer(SessionizerSketchPlugin)total_num_events = len(minhashes)
for key, minhash in minhashes.items():
event_id, event_type, index_name = key
event_dict = dict(_id=event_id, _type=event_type, _index=index_name)
event = interface.Event(event_dict, self.datastore)
score = similarity.calculate_score(lsh, minhash, total_num_events)
attributes_to_add = {'similarity_score': score}
event.add_attributes(attributes_to_add)
# Commit the event to the datastore.
event.commit()
msg = 'Similarity scorer processed {0:d} events for data_type {1:s}'
return msg.format(total_num_events, self._config.data_type)
manager.AnalysisManager.register_analyzer(SimilarityScorer)# Commit the event to the datastore.
event.commit()
simple_counter += 1
# Create a saved view with our query.
if simple_counter:
self.sketch.add_view(
view_name='GCP ServiceKey activity', analyzer_name=self.NAME,
query_string=query)
return ('GCP ServiceKey analyzer completed',
'{0:d} service key marked'.format(simple_counter))
manager.AnalysisManager.register_analyzer(GcpServiceKeySketchPlugin)attributes = {
'chain_id_list': chain_id_list,
'chain_plugins': chain_plugins_list}
event.add_attributes(attributes)
event.add_emojis([link_emoji])
event.commit()
number_of_chains = len(counter.keys()) - 1
return (
'{0:d} base events annotated with a chain UUID for {1:d} '
'chains for a total of {2:d} events.'.format(
number_of_base_events, number_of_chains,
counter['total']))
manager.AnalysisManager.register_analyzer(ChainSketchPlugin)query_string='tag:"browser-search"')
params = {
'field': 'search_string',
'limit': 20,
}
self.sketch.add_aggregation(
name='Top 20 browser search queries.', agg_name='field_bucket',
agg_params=params, view_id=view.id, chart_type='hbarchart',
description='Created by the browser search analyzer')
return (
'Browser Search completed with {0:d} search results '
'extracted.').format(simple_counter)
manager.AnalysisManager.register_analyzer(BrowserSearchSketchPlugin)def _get_index_analyzers():
"""Get list of index analysis tasks to run.
Returns:
Celery chain of index analysis tasks as Celery subtask signatures or
None if index analyzers are disabled in config.
"""
tasks = []
index_analyzers = current_app.config.get('AUTO_INDEX_ANALYZERS')
if not index_analyzers:
return None
for analyzer_name, _ in manager.AnalysisManager.get_analyzers(
index_analyzers):
tasks.append(run_index_analyzer.s(analyzer_name))
return chain(tasks)indicator['name'], name))
if found:
actors_found.append(name)
self.sketch.add_view(
'Domain activity for actor {0:s}'.format(name),
self.NAME,
query_string=query)
if actors_found:
return '{0:d} actors were found! [{1:s}]'.format(
len(actors_found), ', '.join(actors_found))
return 'No indicators were found in the timeline.'
manager.AnalysisManager.register_analyzer(YetiIndicators)from __future__ import unicode_literals
from timesketch.lib.analyzers import manager
from timesketch.lib.analyzers.sessionizer import SessionizerSketchPlugin
class WebActivitySessionizerSketchPlugin(SessionizerSketchPlugin):
"""Sessionizer for web activity events"""
NAME = 'web_activity_sessionizer'
max_time_diff_micros = 600000000 # 10 minutes
query = 'source_short:"WEBHIST"'
session_type = 'web_activity'
manager.AnalysisManager.register_analyzer(WebActivitySessionizerSketchPlugin)def get(self, sketch_id):
"""Handles GET request to the resource.
Returns:
A list of all available analyzer names.
"""
sketch = Sketch.query.get_with_acl(sketch_id)
if not sketch.has_permission(current_user, 'read'):
abort(
HTTP_STATUS_CODE_FORBIDDEN,
'User does not have read access to sketch')
analyzers = [
x for x, y in analyzer_manager.AnalysisManager.get_analyzers()]
return analyzersif aggregate_results:
params = {
'field': store_as,
'limit': 20,
}
self.sketch.add_aggregation(
name='Top 20 for: {0:s} [{1:s}]'.format(store_as, name),
agg_name='field_bucket', agg_params=params,
description='Created by the feature extraction analyzer',
view_id=view.id, chart_type='hbarchart')
return 'Feature extraction [{0:s}] extracted {1:d} features.'.format(
name, event_counter)
manager.AnalysisManager.register_analyzer(FeatureExtractionSketchPlugin)
Popular timesketch functions
- timesketch.api.v1.resources.ResourceMixin
- timesketch.apps.sketch.models.Sketch
- timesketch.apps.sketch.models.Sketch.objects.create
- timesketch.apps.sketch.models.Sketch.objects.get
- timesketch.lib.analyzers.interface
- timesketch.lib.analyzers.interface.BaseSketchAnalyzer
- timesketch.lib.analyzers.manager
- timesketch.lib.analyzers.manager.AnalysisManager
- timesketch.lib.analyzers.manager.AnalysisManager.register_analyzer
- timesketch.lib.emojis.get_emoji
- timesketch.lib.forms.BaseForm
- timesketch.models.db_session
- timesketch.models.db_session.add
- timesketch.models.db_session.commit
- timesketch.models.sketch.SearchIndex
- timesketch.models.sketch.SearchIndex.query.filter_by
- timesketch.models.sketch.Sketch
- timesketch.models.sketch.Sketch.query.get_with_acl
- timesketch.models.sketch.View
- timesketch.models.user.User