Create a context lookup mechanism for field values #2439

Closed
8 tasks done
jkppr opened this issue Dec 1, 2022 · 2 comments
jkppr commented Dec 1, 2022

Feature Idea

Provide a mechanism to look up individual event values within Timesketch by linking them to other tools. The analyst will see some indicator in the event detail view and can manually trigger that mechanism to open the lookup for that specific value in another tab.

Background

Sometimes we analysts want to get additional information on a specific value in an event from external tools. For example, looking up the hash value of a suspicious file in VirusTotal or checking a domain against an internal CTI tool.
With the current state of Timesketch, an analyst needs to copy/paste the value into a lookup tool of their choice. This also requires that each analyst knows the best and approved lookup tools for the job.

This feature would benefit the UX workflow for analysts by reducing the copy/paste activity and spreading the knowledge about lookup options in the team.

Use-Case ideas:

  • Link IoC fields like IP, Hash, Domain, URL to a lookup at a favorite CTI platform
  • Quickly decode a URL using unfurl
  • Send data to your CyberChef instance for decoding/converting
  • Link documentation for Windows event IDs for a quick lookup
  • Submit URLs to your favorite sandbox tool

Basic Requirements

  • A configuration schema for the Timesketch administrator to define which fields should be linked to a lookup in their instance.
  • A UI element with each configured field in the event detail view that clearly indicates a call to action for analysts and provides the selection of prepared links.
  • A redirect warning feature that prevents analysts from accidentally sharing investigation data with external platforms.
  • The feature needs to be documented in the Timesketch docs.

Development steps

  • Add a configuration schema/file
  • API endpoint
  • Add tests for the API endpoint
  • Update API client in the front-end
  • Update the EventDetail.vue component
  • Add documentation on how to use the feature
  • Add the feature to the change log docs/changelog/2022-12.md
  • Create GitHub issues for future development and new ideas of the context links.
@jkppr jkppr self-assigned this Dec 1, 2022
@jkppr jkppr changed the title Create a lookup mechanism for field values Create a context lookup mechanism for field values Dec 1, 2022
jkppr commented Dec 6, 2022

Here are some demo gifs that show how the feature looks in action (merged with #2448 ).

  1. A context link that triggers the redirect warning (in this case to VirusTotal)

[gif: TS_ContextLinks_RedirectWarn]

  2. If a verification_regex is configured for a context link, it will only show the trigger when the value matches the regex. The gif shows two fields called hash, but only one shows the context link trigger.

[gif: TS_ContextLinks_HashIsNotHash]

  3. If the linked service is run internally, a redirect warning might not be necessary. So e.g. for a self hosted unfurl instance, it can be skipped.

[gif: TS_ContextLinks_unfurl]
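The following is an added example, not Timesketch's own code or configuration schema, that sketches the mechanics described in the issue body (a configurable field-to-link mapping with a redirect warning) and in the demo comment above (a verification regex that hides the trigger when the value does not match, and skipping the warning for internally hosted services). The configuration keys, the `<ATTR_VALUE>` placeholder, the internal unfurl hostname and the sample event are all assumptions made for this example. The security-relevant detail it adds is that the field value is percent-encoded before substitution, so an attacker-controlled value in a timeline cannot append path segments, query parameters or a fragment to the configured link, and that link templates are rejected unless they use an http(s) scheme.

```python
"""Resolve analyst context links for event field values.

Added example with an assumed configuration schema; the keys below are
assumptions for this example, not Timesketch's own schema or code.
"""
import re
from urllib.parse import quote, urlsplit

# Placeholder in a link template that is replaced with the field value (assumed).
PLACEHOLDER = "<ATTR_VALUE>"

# Constructed sample configuration for this example.
CONTEXT_LINKS = [
    {
        "short_name": "VirusTotal",
        "match_fields": ["hash", "sha256_hash", "md5_hash"],
        # Only MD5 / SHA-1 / SHA-256 hex digests get a trigger; a field
        # called "hash" holding something else shows nothing.
        "validation_regex": r"(?i)^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$",
        "context_link": "https://www.virustotal.com/gui/search/<ATTR_VALUE>",
        "redirect_warning": True,  # external service: warn before sending case data
    },
    {
        "short_name": "unfurl (internal)",
        "match_fields": ["url"],
        "validation_regex": None,  # any value in the field gets a trigger
        "context_link": "https://unfurl.corp.example/?url=<ATTR_VALUE>",  # assumed internal host
        "redirect_warning": False,  # self-hosted, so no warning is needed
    },
]


def validate_config(config):
    """Reject entries that would produce broken or unsafe links.

    Returns the entries with their regex pre-compiled under "_regex".
    """
    compiled = []
    for entry in config:
        name = entry["short_name"]
        link = entry["context_link"]
        if link.count(PLACEHOLDER) != 1:
            raise ValueError(f"{name}: link must contain {PLACEHOLDER} exactly once")
        # Refuse javascript:, data: and similar schemes; the link is opened
        # from the analyst's browser, so only http(s) targets are acceptable.
        if urlsplit(link).scheme not in ("http", "https"):
            raise ValueError(f"{name}: only http(s) links are allowed")
        regex = entry.get("validation_regex")
        compiled.append({**entry, "_regex": re.compile(regex) if regex else None})
    return compiled


CONFIG = validate_config(CONTEXT_LINKS)


def links_for_field(field, value, config=CONFIG):
    """Return the context links that apply to one event field value."""
    links = []
    for entry in config:
        if field not in entry["match_fields"]:
            continue
        if entry["_regex"] is not None and not entry["_regex"].fullmatch(str(value)):
            continue  # value is not what the link expects, hide the trigger
        # Percent-encode everything (safe="") so the value cannot add path
        # segments, query parameters or a fragment to the configured template.
        url = entry["context_link"].replace(PLACEHOLDER, quote(str(value), safe=""))
        links.append(
            {
                "short_name": entry["short_name"],
                "url": url,
                "redirect_warning": entry["redirect_warning"],
            }
        )
    return links


def links_for_event(event, config=CONFIG):
    """Map every linkable field of an event to its context links."""
    result = {}
    for field, value in event.items():
        links = links_for_field(field, value, config)
        if links:
            result[field] = links
    return result


# Constructed sample event for this example.
SAMPLE_EVENT = {
    "hash": "d41d8cd98f00b204e9800998ecf8427e",
    "url": "https://evil.example/a?b=c&d",
    "message": "file written",
}

if __name__ == "__main__":
    for field, links in links_for_event(SAMPLE_EVENT).items():
        for link in links:
            warn = "warn" if link["redirect_warning"] else "no warning"
            print(f"{field}: {link['short_name']} -> {link['url']} ({warn})")
```

A front-end would call something like `links_for_event` once per event and render one trigger per returned field, showing the redirect warning only when `redirect_warning` is set; the regex check is what makes the second demo gif's "hash that is not a hash" field stay blank.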

jkppr commented Dec 7, 2022

The feature is now implemented and future features are tracked in separate issues.

@jkppr jkppr closed this as completed Dec 7, 2022