Creating Analyzers

[lucky-luk3]

Hello!
(First of all, thanks for the project, it's amazing!)

I'm trying to create a simple analyzer in order to test this functionality and create more after that.

I used logon analyzer like a base to create another for RDP (21|24) events from EVTX and I have some problems.

• When I tried to use analyzer_run.py, I have to create the class with "interface.BaseSketchAnalyzer" instead of "interface.BaseAnalyzer" like your analyzers in code. I can imagine that interface.py are not updated in "test_tools". am I right? In order to put my analyzer in "production" I have to inherit from "interface.BaseAnalyzer"?
• I was not able to create a data sample to test this anlyzer. I tried to use a timeline from plaso and also I tried to export csv from timesketch web with the RDP events. Those events doesn't have headers like "event_identifier". In the documentation I saw this link https://github.com/google/timesketch/blob/master/user-guide/create-timeline-from-json-csv but it's broken.
• To finish, I tried to put the analyzer in docker folder "/usr/local/lib/python3.8/dist-packages/timesketch/lib/analyzers/" to try to use it in web but after restart the project this anlyzer doesn't appears.

I'm sure that I'm doing all wrong xD but I preferred to try before ask.

Thanks in advance!

[itsmvd]

Hi @lucky-luk3,

Sorry for the late answer here.

1. Correct, interface.BaseAnalyzer is the object to use
2. I'll have a look at the broken page. In the mean time I would recommend simply getting the Event Logs from a Windows machine, running log2timeline and then importing them to Timesketch
3. In order for your analyzer, or changes to it, to show up you have to restart Celery

[jaegeral]

The documentation you are looking for is located here:
https://timesketch.org/learn/create-timeline-from-json-csv/

The easiest to help is if you can to link to a fork of the repo so see the actual code you are trying to run.

Note that the analyzer_run.py does mock the results.