How to use the timesketch.lib.analyzers.manager function in timesketch

To help you get started, we’ve selected a few timesketch examples, based on popular ways it is used in public projects.


Example from google/timesketch: timesketch/lib/analyzers/sessionizer.py
if curr_timestamp - last_timestamp > self.max_time_diff_micros:
                    session_num += 1
                self.annotateEvent(event, session_num)
                last_timestamp = curr_timestamp

        except StopIteration:
            pass

        return ('Sessionizing completed, number of session created:'
                ' {0:d}'.format(session_num))

    def annotateEvent(self, event, session_num):
        """Tag ``event`` with its session number and persist the change.

        Args:
            event: Event object exposing add_attributes() and commit().
            session_num: Integer session number assigned to this event.
        """
        # The session number is nested under 'session_id', keyed by this
        # sessionizer's type (e.g. 'web_activity').
        session_attribute = {'session_id': {self.session_type: session_num}}
        event.add_attributes(session_attribute)
        event.commit()

# Make this analyzer discoverable by name through the shared
# manager.AnalysisManager registry (see AnalysisManager.get_analyzers).
manager.AnalysisManager.register_analyzer(
    SessionizerSketchPlugin)
Example from google/timesketch: timesketch/lib/analyzers/similarity_scorer.py
total_num_events = len(minhashes)
        for key, minhash in minhashes.items():
            event_id, event_type, index_name = key
            event_dict = dict(_id=event_id, _type=event_type, _index=index_name)
            event = interface.Event(event_dict, self.datastore)
            score = similarity.calculate_score(lsh, minhash, total_num_events)
            attributes_to_add = {'similarity_score': score}
            event.add_attributes(attributes_to_add)
            # Commit the event to the datastore.
            event.commit()

        msg = 'Similarity scorer processed {0:d} events for data_type {1:s}'
        return msg.format(total_num_events, self._config.data_type)


# Make this analyzer discoverable by name through the shared
# manager.AnalysisManager registry (see AnalysisManager.get_analyzers).
manager.AnalysisManager.register_analyzer(
    SimilarityScorer)
Example from google/timesketch: timesketch/lib/analyzers/gcp_servicekey.py
# Commit the event to the datastore.
            event.commit()
            simple_counter += 1

        # Create a saved view with our query.
        if simple_counter:
            self.sketch.add_view(
                view_name='GCP ServiceKey activity', analyzer_name=self.NAME,
                query_string=query)

        return ('GCP ServiceKey analyzer completed',
                '{0:d} service key marked'.format(simple_counter))


# Make this analyzer discoverable by name through the shared
# manager.AnalysisManager registry (see AnalysisManager.get_analyzers).
manager.AnalysisManager.register_analyzer(
    GcpServiceKeySketchPlugin)
Example from google/timesketch: timesketch/lib/analyzers/chain.py
attributes = {
                    'chain_id_list': chain_id_list,
                    'chain_plugins': chain_plugins_list}
                event.add_attributes(attributes)
                event.add_emojis([link_emoji])
                event.commit()

        number_of_chains = len(counter.keys()) - 1
        return (
            '{0:d} base events annotated with a chain UUID for {1:d} '
            'chains for a total of {2:d} events.'.format(
                number_of_base_events, number_of_chains,
                counter['total']))


# Make this analyzer discoverable by name through the shared
# manager.AnalysisManager registry (see AnalysisManager.get_analyzers).
manager.AnalysisManager.register_analyzer(
    ChainSketchPlugin)
Example from google/timesketch: timesketch/lib/analyzers/browser_search.py
query_string='tag:"browser-search"')
            params = {
                'field': 'search_string',
                'limit': 20,
            }
            self.sketch.add_aggregation(
                name='Top 20 browser search queries.', agg_name='field_bucket',
                agg_params=params, view_id=view.id, chart_type='hbarchart',
                description='Created by the browser search analyzer')

        return (
            'Browser Search completed with {0:d} search results '
            'extracted.').format(simple_counter)


# Make this analyzer discoverable by name through the shared
# manager.AnalysisManager registry (see AnalysisManager.get_analyzers).
manager.AnalysisManager.register_analyzer(
    BrowserSearchSketchPlugin)
Example from google/timesketch: timesketch/lib/tasks.py
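def _get_index_analyzers():
    """Build the chain of index analysis tasks to run.

    Reads the ``AUTO_INDEX_ANALYZERS`` application config value and resolves
    each configured analyzer name through ``manager.AnalysisManager``.

    Returns:
        Celery chain of index analysis tasks as Celery subtask signatures, or
        None if index analyzers are disabled in config (unset or empty).
    """
    index_analyzers = current_app.config.get('AUTO_INDEX_ANALYZERS')

    # An unset or empty setting disables automatic index analysis entirely.
    if not index_analyzers:
        return None

    # get_analyzers() yields (name, analyzer_class) pairs; only the name is
    # placed in the task signature.
    tasks = [
        run_index_analyzer.s(analyzer_name)
        for analyzer_name, _ in manager.AnalysisManager.get_analyzers(
            index_analyzers)
    ]

    return chain(tasks)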
Example from google/timesketch: timesketch/lib/analyzers/yetiindicators.py
indicator['name'], name))

            if found:
                actors_found.append(name)
                self.sketch.add_view(
                    'Domain activity for actor {0:s}'.format(name),
                    self.NAME,
                    query_string=query)

        if actors_found:
            return '{0:d} actors were found! [{1:s}]'.format(
                len(actors_found), ', '.join(actors_found))
        return 'No indicators were found in the timeline.'


# Make this analyzer discoverable by name through the shared
# manager.AnalysisManager registry (see AnalysisManager.get_analyzers).
manager.AnalysisManager.register_analyzer(
    YetiIndicators)
Example from google/timesketch: timesketch/lib/analyzers/expert_sessionizers.py
from __future__ import unicode_literals

from timesketch.lib.analyzers import manager
from timesketch.lib.analyzers.sessionizer import SessionizerSketchPlugin


class WebActivitySessionizerSketchPlugin(SessionizerSketchPlugin):
    """Sessionizer that groups web history (WEBHIST) events into sessions.

    The sessionizing logic itself lives in SessionizerSketchPlugin; this
    subclass only supplies the configuration attributes below.
    """
    NAME = 'web_activity_sessionizer'
    # Events are annotated as session_id -> {'web_activity': <number>}.
    session_type = 'web_activity'
    # Only events whose source_short is WEBHIST are sessionized.
    query = 'source_short:"WEBHIST"'
    # A gap between consecutive events larger than this starts a new session:
    # 10 minutes, expressed in microseconds.
    max_time_diff_micros = 10 * 60 * 1000 * 1000


# Make this analyzer discoverable by name through the shared
# manager.AnalysisManager registry (see AnalysisManager.get_analyzers).
manager.AnalysisManager.register_analyzer(
    WebActivitySessionizerSketchPlugin)
Example from google/timesketch: timesketch/api/v1/resources.py
def get(self, sketch_id):
        """Handles GET request to the resource.

        Returns:
            A list of all available analyzer names.
        """
        sketch = Sketch.query.get_with_acl(sketch_id)
        if not sketch.has_permission(current_user, 'read'):
            abort(
                HTTP_STATUS_CODE_FORBIDDEN,
                'User does not have read access to sketch')
        analyzers = [
            x for x, y  in analyzer_manager.AnalysisManager.get_analyzers()]

        return analyzers
Example from google/timesketch: timesketch/lib/analyzers/feature_extraction.py
if aggregate_results:
                params = {
                    'field': store_as,
                    'limit': 20,
                }
                self.sketch.add_aggregation(
                    name='Top 20 for: {0:s} [{1:s}]'.format(store_as, name),
                    agg_name='field_bucket', agg_params=params,
                    description='Created by the feature extraction analyzer',
                    view_id=view.id, chart_type='hbarchart')

        return 'Feature extraction [{0:s}] extracted {1:d} features.'.format(
            name, event_counter)


# Make this analyzer discoverable by name through the shared
# manager.AnalysisManager registry (see AnalysisManager.get_analyzers).
manager.AnalysisManager.register_analyzer(
    FeatureExtractionSketchPlugin)