Assorted classes and methods for indexing reports and retrieving information from an elastic index
unknown and unknown added version and logging format
Latest commit 2227873 Jul 6, 2016
ElasticHandler

Assorted classes and methods for indexing reports and retrieving information from an elastic index.

Indexing a file:

elastichandler.py --host 127.0.0.1 --index case_index --config etc\sbe_config.json --report report_examples\sbe.donald.usrclass.dat.tsv

Config Files

When indexing a file with elastichandler.py, you must pass in a configuration file (the --config argument). This file tells the handler how to parse the report and how to index it.

Example for Eric Zimmerman's SBECmd.exe (http://binaryforay.blogspot.com/p/software.html) version 0.6.1.0 report:

{
	#report format#
	"report_format":"txt",
	
	#delimiter of report columns#
	"delimiter":"\t",
	
	#line to start indexing from#
	"start_line":"2",
	
	#name of document type#
	"type":"sbe",
	
	#Mapping to create for the type#
	"map_file":"etc\\sbe_0.6.1.0.mapping",
	
	#Column order and names#
	"columns":[
		"BagPath",
		"Slot",
		"NodeSlot",
		"MRUPosition",
		"AbsolutePath",
		"ShellType",
		"Value",
		"ChildBags",
		"CreatedOn",
		"ModifiedOn",
		"AccessedOn",
		"LastWriteTime",
		"MFTEntry",
		"MFTSequenceNumber",
		"ExtensionBlockCount",
		"FirstExplored",
		"LastExplored",
		"Miscellaneous"
	],
	
	#Extra columns to create#
	"add_columns":{
		
	}
}
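The config above is JSON with "#...#" comment lines that have to be stripped before parsing. As an added example (not the project's own code), the following reads such a config, walks a delimited report from start_line, and turns each row into an Elasticsearch bulk action keyed by the configured column names. It assumes that add_columns maps extra column names to constant values and that a row whose field count does not match the configured columns is an error; both are assumptions, and the sample config and report are constructed.

```python
import json
import re

# A config line of the form "#comment#" (as in the README example) is not JSON; drop it.
COMMENT_LINE = re.compile(r"^\s*#.*#\s*$")


def load_config(text: str) -> dict:
    """Parse a config in the README's format: JSON plus '#...#' comment lines."""
    cleaned = "\n".join(line for line in text.splitlines() if not COMMENT_LINE.match(line))
    cfg = json.loads(cleaned)
    cfg["start_line"] = int(cfg["start_line"])  # the README stores it as a string
    return cfg


def report_to_actions(cfg: dict, report_text: str, index: str):
    """Yield one bulk-index action per report row, named by the config's columns."""
    cols = cfg["columns"]
    for lineno, line in enumerate(report_text.splitlines(), start=1):
        if lineno < cfg["start_line"] or not line.strip():
            continue  # skip the header line(s) and blank lines
        fields = line.split(cfg["delimiter"])
        if len(fields) != len(cols):
            # A malformed row would otherwise silently shift values between columns.
            raise ValueError(f"line {lineno}: expected {len(cols)} columns, got {len(fields)}")
        doc = dict(zip(cols, fields))
        doc.update(cfg["add_columns"])  # assumption: extra columns with constant values
        yield {"_index": index, "_type": cfg["type"], "_source": doc}


# Constructed sample config (raw string, so "\t" and "\\" reach the JSON parser unchanged).
SAMPLE_CONFIG = r'''{
    #report format#
    "report_format":"txt",
    #delimiter of report columns#
    "delimiter":"\t",
    "start_line":"2",
    "type":"sbe",
    "map_file":"etc\\sbe_0.6.1.0.mapping",
    "columns":["BagPath","Slot","AbsolutePath"],
    "add_columns":{"Source":"sbe.donald.usrclass.dat.tsv"}
}'''

# Constructed three-column TSV report: one header line followed by two data rows.
SAMPLE_REPORT = "BagPath\tSlot\tAbsolutePath\nBagMRU\\0\t0\tDesktop\\Documents\nBagMRU\\1\t1\tDesktop\\Downloads\n"

if __name__ == "__main__":
    for action in report_to_actions(load_config(SAMPLE_CONFIG), SAMPLE_REPORT, "case_index"):
        print(json.dumps(action))
```

The yielded dictionaries are in the shape accepted by elasticsearch-py's bulk helper, so they can be handed to it once a client for the --host index exists.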

Adding Columns

Mapping Files

The map_file attribute points to a JSON file whose contents are applied as the document mapping for the document type named by the type attribute.
