hide | |
---|---|
|
The tagger analyzer tags events that match a specific search filter. Different
searches and different tags can be specified in the tags.yaml
file.
Each tags.yaml
entry must define either a query_string
or a query_dsl
. This
is the filter that will be used to select events that should be tagged.
save_search
is an optional boolean that determines whether a saved
search should be created if there are hits for the aforementioned query.
The name of the saved search is defined through the search_name
attribute.
tags
and emojis
are arrays of tags or emojis that will be applied to
matching events.
The tagger analyzer will iterate over the matching events, and apply all specified tags and emojis to each event. Only if tagging happens will the saved searches be created.
A simple configuration looks like this:
test_tagger:
query_string: 'test'
tags: ['test-tag']
emojis: ['FISHING_POLE']
save_search: true
search_name: 'TEST the tag'
With the above entry, events matching the search query test
will be tagged with test-tag
and
have the FISHING_POLE
emoji attached to them. If any events are tagged, a saved search containing this
events will be created and called TEST the tag
.
The tagger analyzer supports some more advanced configuration for selecting and tagging events.
regular_expression
and re_attribute
can be used to further narrow down
which events to tag.
If specified, regular_expression
will be checked on the attribute specified in
re_attribute
, and only if it matches will the tags / emojis be applied to that
event.
Regular expression flags can be passed through the re_flags
attribute.
Possible values are the flags supported by Python's re
module:
https://docs.python.org/3/library/re.html#re.A
Given the following configuration:
test_tagger:
query_string: 'test'
tags: ['secure']
save_search: true
search_name: 'HTTPS requests'
regular_expression: '^https://'
re_attribute: 'message'
re_flags: ['IGNORECASE']
all events matching the query test
will initially be selected, and for each
, the regular expression ^http://
with the IGNORECASE
flag will be applied
to the event's message
attribute. If there is a match, the event will be
tagged 'secure'
. If events are tagged this way, a saved search called
'HTTPS requests'
will be created.
Dynamic tagging allows to tag events with values derived from event attributes.
Consider events that have a yara_match
attribute that specify which Yara rule
matched a specific file (this is the default behavior of timelines generated by Plaso).
By prefixing a tag name with $
(e.g. '$yara_match'
), the value of the tag
applied to the event will be the value of the event's yara_match
attribute.
Dynamic tagging also supports modifiers, such as split
or upper
. These modifiers are
defined in the MODIFIERS
class attribute of the TaggerSketchPlugin
class.
They are applied sequentially to the extracted attribute value.
Using this example configuration:
yara_match_tagger:
query_string: '_exists_:yara_match AND NOT yara_match.keyword:"-"'
tags: ['yara', '$yara_match']
modifiers: ['split']
save_search: true
search_name: 'Yara rule matches'
and considering an event that has the following attribute:
yara_match: 'yara_rule1 yara_rule2'
Using the split
modifier will split the value of yara_match
into
['yara_rule1', 'yara_rule2']
. These will be applied as individual tags to
the event, along with yara
, which was specified without a leading $
.