How to use the timesketch.lib.emojis.get_emoji function in timesketch

To help you get started, we’ve selected a few timesketch examples, based on popular ways it is used in public projects. Every snippet below is taken from a Timesketch analyzer: the analyzer looks an emoji up by name with `emojis.get_emoji(...)` and attaches the result to matching events alongside tags and comments. Most snippets are excerpts cut from the middle of a method, so variables such as `self.intel`, `domain_counter` or `LOGON_TYPES` are defined outside what is shown.


Source: google/timesketch — timesketch/lib/analyzers/yetiindicators.py (excerpt from the middle of a method). Note that `query` is rebuilt for every indicator inside the inner loop, so the view saved after the loop (`self.sketch.add_view(..., query_string=query)`) only captures the last indicator's query, not every indicator that produced a match for the actor.
for intrusion_set in self.intel.values():
            if not intrusion_set['indicators']:
                continue

            found = False

            for indicator in intrusion_set['indicators']:
                query = build_query_for_indicators([indicator])

                events = self.event_stream(query_string=query,
                                           return_fields=[])

                name = intrusion_set['name']
                for event in events:
                    found = True
                    event.add_emojis([emojis.get_emoji('SKULL')])
                    event.add_tags([name])
                    event.commit()
                    event.add_comment(
                        'Indicator "{0:s}" found for actor "{1:s}"'.format(
                            indicator['name'], name))

            if found:
                actors_found.append(name)
                self.sketch.add_view(
                    'Domain activity for actor {0:s}'.format(name),
                    self.NAME,
                    query_string=query)

        if actors_found:
            return '{0:d} actors were found! [{1:s}]'.format(
                len(actors_found), ', '.join(actors_found))
Source: google/timesketch — timesketch/lib/analyzers/phishy_domains.py (excerpt from the middle of a method; `domain_counter` and the minhash helpers are defined outside the snippet).
if '.' not in domain:
                continue
            watched_domains_list.append(domain)

        watched_domains = {}
        for domain in watched_domains_list:
            minhash = self._get_minhash_from_domain(domain)
            watched_domains[domain] = {
                'hash': minhash,
                'depth': len(domain.split('.'))
            }

        similar_domain_counter = 0
        whitelist_encountered = False
        evil_emoji = emojis.get_emoji('SKULL_CROSSBONE')
        phishing_emoji = emojis.get_emoji('FISHING_POLE')
        for domain, _ in iter(domain_counter.items()):
            emojis_to_add = []
            tags_to_add = []
            text = None

            similar_domains = self._get_similar_domains(
                domain, watched_domains)

            if similar_domains:
                similar_domain_counter += 1
                emojis_to_add.append(evil_emoji)
                emojis_to_add.append(phishing_emoji)
                tags_to_add.append('phishy-domain')
                similar_text_list = ['{0:s} [score: {1:.2f}]'.format(
                    phishy_domain,
                    score) for phishy_domain, score in similar_domains]
Source: google/timesketch — timesketch/lib/analyzers/feature_extraction.py (excerpt). Here the emoji names come from the analyzer's configuration (`config.get('emojis', [])`) and are passed straight to `get_emoji`, so the behaviour for an unrecognised name depends on `get_emoji` itself.
return ''
            re_flag = sum(flags)
        else:
            re_flag = 0

        try:
            expression = re.compile(expression_string, flags=re_flag)
        except re.error as exception:
            # pylint: disable=logging-format-interpolation
            logging.warning((
                'Regular expression failed to compile, with '
                'error: {0!s}').format(exception))
            return ''

        emoji_names = config.get('emojis', [])
        emojis_to_add = [emojis.get_emoji(x) for x in emoji_names]

        return_fields = [attribute]

        events = self.event_stream(
            query_string=query, query_dsl=query_dsl,
            return_fields=return_fields)

        event_counter = 0
        for event in events:
            attribute_field = event.source.get(attribute)
            if isinstance(attribute_field, six.text_type):
                attribute_value = attribute_field
            elif isinstance(attribute_field, (list, tuple)):
                attribute_value = ','.join(attribute_field)
            elif isinstance(attribute_field, (int, float)):
                attribute_value = attribute_field
Source: google/timesketch — timesketch/lib/analyzers/domain.py (excerpt from the middle of a method; the 85th/20th percentile thresholds and `domain_counter` are computed before this point).
logging.warning('Unable to calculate the 85th percentile.')
            highest_count_domain = domain_counter.most_common(1)
            if highest_count_domain:
                _, highest_count = highest_count_domain[0]
                domain_85th_percentile = highest_count + 10
            else:
                domain_85th_percentile = 100

        common_domains = [
            x for x, y in domain_counter.most_common()
            if y >= domain_85th_percentile]
        rare_domains = [
            x for x, y in domain_counter.most_common()
            if y <= domain_20th_percentile]

        satellite_emoji = emojis.get_emoji('SATELLITE')
        for domain, count in iter(domain_counter.items()):
            emojis_to_add = [satellite_emoji]
            tags_to_add = []

            cdn_provider = utils.get_cdn_provider(domain)
            if cdn_provider:
                tags_to_add.append('known-cdn')
                cdn_counter[cdn_provider] += 1

            if domain in common_domains:
                tags_to_add.append('common_domain')

            if domain in rare_domains:
                tags_to_add.append('rare_domain')

            for event in domains.get(domain, []):
Source: google/timesketch — timesketch/lib/analyzers/login.py (the start of the `run` method; the excerpt ends before the query is executed).
def run(self) -> str:
        """Entry point for the analyzer.

        Returns:
            String with summary of the analyzer result
        """
        # NOTE(review): the other analyzers on this page look emojis up with
        # upper-case names ('SKULL', 'SATELLITE', 'SLEEPING_FACE'); confirm that
        # get_emoji treats names case-insensitively, otherwise these lookups
        # may not resolve and no marker would be attached to logon events.
        login_emoji = emojis.get_emoji('unlock')
        logoff_emoji = emojis.get_emoji('lock')
        screen_emoji = emojis.get_emoji('screen')
        # LOGON_TYPES is defined elsewhere in login.py; '7' is the logon-type
        # code singled out here (presumably workstation unlock, given the
        # variable name — confirm against LOGON_TYPES).
        screensaver_logon = LOGON_TYPES.get('7')
        login_counter = 0
        logoff_counter = 0

        # TODO: Add EVT lookups, ID 528 for logon and 538, 540 for logoff.
        # TODO: Add RDP EVT lookups, ID 682 for logon and 683 for logoff.
        # Only EVTX records are matched; per the TODOs above, the legacy EVT
        # event IDs are not covered yet, so logons recorded in the older
        # format are silently missed by this analyzer.
        # NOTE(review): 4624/4634/4647 are the Windows logon/logoff events and
        # 4778/4779 the session reconnect/disconnect events — confirm; how each
        # ID is dispatched is not visible in this excerpt.
        query = (
            'data_type:"windows:evtx:record" AND (event_identifier:4624 OR '
            'event_identifier:4778 OR event_identifier:4779 OR '
            'event_identifier:4634 OR event_identifier:4647)')

        # Fields requested for each matching event; 'strings'/'strings_parsed'
        # carry the event-data values the rest of the method presumably
        # inspects. The method continues past this excerpt (the query has not
        # been executed yet at this point).
        return_fields = [
            'message', 'data_type', 'strings', 'strings_parsed',
            'event_identifier']
Source: google/timesketch — timesketch/lib/analyzers/login.py (the same `run` excerpt, repeated on the original page).
def run(self) -> str:
        """Entry point for the analyzer.

        Returns:
            String with summary of the analyzer result
        """
        # NOTE(review): the other analyzers on this page look emojis up with
        # upper-case names ('SKULL', 'SATELLITE', 'SLEEPING_FACE'); confirm that
        # get_emoji treats names case-insensitively, otherwise these lookups
        # may not resolve and no marker would be attached to logon events.
        login_emoji = emojis.get_emoji('unlock')
        logoff_emoji = emojis.get_emoji('lock')
        screen_emoji = emojis.get_emoji('screen')
        # LOGON_TYPES is defined elsewhere in login.py; '7' is the logon-type
        # code singled out here (presumably workstation unlock, given the
        # variable name — confirm against LOGON_TYPES).
        screensaver_logon = LOGON_TYPES.get('7')
        login_counter = 0
        logoff_counter = 0

        # TODO: Add EVT lookups, ID 528 for logon and 538, 540 for logoff.
        # TODO: Add RDP EVT lookups, ID 682 for logon and 683 for logoff.
        # Only EVTX records are matched; per the TODOs above, the legacy EVT
        # event IDs are not covered yet, so logons recorded in the older
        # format are silently missed by this analyzer.
        # NOTE(review): 4624/4634/4647 are the Windows logon/logoff events and
        # 4778/4779 the session reconnect/disconnect events — confirm; how each
        # ID is dispatched is not visible in this excerpt.
        query = (
            'data_type:"windows:evtx:record" AND (event_identifier:4624 OR '
            'event_identifier:4778 OR event_identifier:4779 OR '
            'event_identifier:4634 OR event_identifier:4647)')

        # Fields requested for each matching event; 'strings'/'strings_parsed'
        # carry the event-data values the rest of the method presumably
        # inspects.
        return_fields = [
            'message', 'data_type', 'strings', 'strings_parsed',
            'event_identifier']

        # Generator of events based on your query (the call that builds it is
        # past the end of this excerpt).
Source: google/timesketch — timesketch/lib/analyzers/browser_timeframe.py (excerpt that starts inside a method's docstring; note that the emoji is only looked up here, and the code that applies it to events is beyond the snippet).
String with summary of the analyzer result
        """
        # TODO: Once we can identify user generated events this should be
        # updated to include all user generated events instead of focusing
        # solely on browser events.
        query = 'source_short:"WEBHIST" OR source:"WEBHIST"'

        return_fields = ['timestamp', 'url', 'tag', '__ts_emojis']

        data_frame = self.event_pandas(
            query_string=query, return_fields=return_fields)

        if not data_frame.shape[0]:
            return 'No browser events discovered.'

        sleeping_emoji = emojis.get_emoji('SLEEPING_FACE')

        # This query filters out all timestamps that have a zero timestamp as
        # well as those that occur after 2038-01-01, this may need to be
        # changed in the future.
        data_frame['timestamp'] = pd.to_numeric(data_frame.timestamp)
        data_frame = data_frame[
            (data_frame.timestamp > 0) & (
                data_frame.timestamp < 2145916800000000)]

        data_frame['datetime'] = pd.to_datetime(
            data_frame.timestamp / 1e6, utc=True, unit='s')
        data_frame['hour'] = pd.to_numeric(
            data_frame.datetime.dt.strftime('%H'))

        total_count = data_frame.shape[0]
        activity_hours, threshold, aggregation = get_active_hours(data_frame)