Create an option to tag rows in notebooks' tables #3243
Comments
Thanks for your feature request. This is a great idea which we have been thinking about for a while (it is a duplicate of #714). There are a number of issues to figure out though. First, unlike Excel we have a lot of large tables, so for example when collecting many artifacts there may be a lot of tables (one for each artifact). People don't usually look through every row of the table, but instead they use a notebook with a VQL query to narrow data down. So say I have collected the entire MFT - this is maybe 500k rows of data. I would then in the notebook use a query to filter for .exe in a time range, say. Now I have another table of say 10 different rows. Tagging one of these rows is fine but how do I then link it to the original 500k line table? Also in this case the smaller table is just a filtered version of the larger table but this does not have to be the case - because it is produced from a VQL query it can be completely different and in fact not even related to the original table. So this idea is actually very hard to implement because it is hard to know exactly what we want to achieve with it:
These two requirements are completely different. For requirement 1 we need to think about how often we view the same table again, bearing in mind that a transformed table (e.g. via a VQL query) is actually a completely different table - so if I highlight a specific row in the MFT table but then have another query it is unlikely to show that file as highlighted (we don't really have a concept of a data model so we don't know what a "file" in the MFT is - all we see are rows and tables without really understanding what each row represents). For requirement 2 a different approach will work - say we have a concept of a "case" then "tags" within the case, then we can tag a row by just copying it to the case tag view. So we can look at the GUI and see all our suspicious MFT files in the one place and maybe have references back to the original query, say. So maybe an implementation like 2 will work, as well as maybe tagging the row in 1 just to show the row was tagged, but if the table is refreshed or the notebook cell is recalculated, then the tagging will disappear.
Thank you @scudette for the comprehensive breakdown of the technical and logical challenge. I'm definitely in favor of requirement 2, as it seems reasonable and could be well utilized by analysts effectively. I can picture this feature being implemented in a similar manner to the "Copy Cell" feature. In other words, if we create the concept of "cases" or "reports", then as we are conducting post-analysis and generating tables dynamically, we can then tag/select the row of interest -> "copy to report" -> then a prompt will pop up to select which report/case you would like to send/attach the tagged rows to. Once the analysis has concluded, the analyst can then navigate to "report xyz" and find all their tagged rows from different kinds of tables depicted as exhibits, and perhaps we can provide the analyst the flexibility to add some markdown comments, and then they can export that report in any desired format (PDF, RTF, DOC, etc.) ready to be consumed by other stakeholders.
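To make the contrast between the two models concrete, here is an added Python sketch (not Velociraptor's code, and not anything proposed by the maintainers) of requirement 1 (highlighting a row in the rendered table) next to requirement 2 (copying the tagged row into a case view with a reference back to the query that produced it), as described by @scudette above and in the "copy to report" workflow just described. The MFT rows, the `filter_exe_in_range` stand-in for a notebook VQL cell, the case name and the query string are all constructed for the example; the query string is a descriptive placeholder, not real VQL.

```python
"""Added example: in-table row highlights versus case tags that copy the row.

Everything here is a constructed stand-in; it is not Velociraptor code.
"""
from dataclasses import dataclass, field
from datetime import datetime

# Constructed stand-in for an MFT collection (real ones run to hundreds of
# thousands of rows); column names are illustrative only.
MFT_ROWS = [
    {"EntryNumber": 10, "FullPath": "Windows/System32/cmd.exe", "Created": "2023-01-05T10:00:00"},
    {"EntryNumber": 11, "FullPath": "Users/bob/notes.txt", "Created": "2023-01-06T09:30:00"},
    {"EntryNumber": 12, "FullPath": "Users/bob/tool.exe", "Created": "2023-01-07T11:15:00"},
    {"EntryNumber": 13, "FullPath": "Temp/installer.exe", "Created": "2023-02-01T08:00:00"},
]


def filter_exe_in_range(rows, start, end):
    """Stand-in for a notebook VQL cell: keep .exe rows created in [start, end]."""
    s, e = datetime.fromisoformat(start), datetime.fromisoformat(end)
    return [r for r in rows
            if r["FullPath"].lower().endswith(".exe")
            and s <= datetime.fromisoformat(r["Created"]) <= e]


@dataclass
class Notebook:
    """Requirement 1: highlights live on the rendered table, keyed by row position."""
    table: list = field(default_factory=list)
    highlighted: set = field(default_factory=set)

    def run(self, rows, query_fn, *args):
        self.table = query_fn(rows, *args)
        self.highlighted = set()  # recalculating the cell produces a new table; highlights go
        return self.table

    def highlight(self, index):
        self.highlighted.add(index)

    def highlighted_paths(self):
        return {self.table[i]["FullPath"] for i in self.highlighted}


@dataclass
class CaseTag:
    """Requirement 2: a copy of the row plus provenance, independent of any table."""
    case: str
    tag: str
    row: dict
    source_query: str
    tagged_at: str


class CaseStore:
    def __init__(self):
        self.tags = []

    def tag_row(self, case, tag, row, source_query):
        # Copy the row so the tag survives regardless of what happens to the table.
        self.tags.append(CaseTag(case, tag, dict(row), source_query,
                                 datetime.now().isoformat(timespec="seconds")))

    def rows_for(self, case, tag=None):
        return [t for t in self.tags if t.case == case and (tag is None or t.tag == tag)]


def demo():
    """Returns (highlighted before recalculation, after recalculation, case-tagged paths)."""
    nb = Notebook()
    query = "filter .exe created in January 2023"  # placeholder description, not VQL
    table = nb.run(MFT_ROWS, filter_exe_in_range, "2023-01-01", "2023-01-31")
    nb.highlight(1)  # tool.exe is the second row of the filtered table
    store = CaseStore()
    store.tag_row("case-42", "suspicious", table[1], query)
    before = nb.highlighted_paths()
    nb.run(MFT_ROWS, filter_exe_in_range, "2023-01-01", "2023-02-28")  # cell recalculated
    after = nb.highlighted_paths()
    kept = [t.row["FullPath"] for t in store.rows_for("case-42", "suspicious")]
    return before, after, kept


if __name__ == "__main__":
    print(demo())
```

The position-keyed highlight is gone as soon as the cell is recalculated with a wider time range, while the case tag still holds the row and the description of the query that produced it, which is the behaviour the thread expects from the two approaches.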
Hello,
Inspired by MS Excel or Timeline Explorer by Eric Zimmerman, I was wondering if we can introduce the feature of tagging rows when you display the results in notebooks, whether it's Hunt Manager notebooks or global notebooks, or any kind of notebook that displays results. I think adding this feature would be valuable for the analyst when they conduct analysis and need to bookmark/tag rows for further assessment, or selective export, etc.
The way I picture it would be along the lines of the snippet below. A little check-box on the left-hand side of each row of the table.
Thank you