Feature Idea
Provide a mechanism to look up individual event values within Timesketch by linking them to other tools. The analyst will see some indicator in the event detail view and can manually trigger that mechanism to open the lookup for that specific value in another tab.
Background
Sometimes we analysts want to get additional information on a specific value in an event from external tools. For example, looking up the hash value of a suspicious file in VirusTotal or checking a domain against an internal CTI tool.
With the current state of Timesketch, an analyst needs to copy/paste the value into a lookup tool of their choice. This also requires that each analyst knows the best and approved lookup tools for the job.
This feature would benefit the UX workflow for analysts by reducing the copy/paste activity and spreading the knowledge about lookup options in the team.
Use-Case ideas:
Link IoC fields like IP, Hash, Domain, URL to a lookup at a favorite CTI platform
Quickly decode a URL using unfurl
Send data to your cyberchef instance for decoding/converting
Link documentation for Windows event IDs for a quick lookup
Submit URLs to your favorite sandbox tool
Basic Requirements
A configuration schema for the Timesketch administrator to define which fields should be linked to a lookup in their instance.
A UI element with each configured field in the event detail view that clearly indicates a call to action for analysts and provides the selection of prepared links.
A redirect warning feature that prevents analysts from accidentally sharing investigation data with external platforms.
The feature needs to be documented in the Timesketch docs.
Development steps
Add a configuration schema/file
API endpoint
Add tests for the API endpoint
Update API client in the front-end
Update the EventDetail.vue component
Add documentation on how to use the feature
Add the feature to the change log docs/changelog/2022-12.md
Create GitHub issues for future development and new ideas for the context links.
Here are some demo gifs that show how the feature looks in action (merged with #2448).
A context link that triggers the redirect warning (in this case to VirusTotal)
If a verification_regex is configured for a context link, it will only show the trigger when the value matches the regex. The gif shows two fields called hash, but only one shows the context link trigger.
If the linked service is run internally, a redirect warning might not be necessary. So e.g. for a self hosted unfurl instance, it can be skipped.
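The requirements above (a configuration schema owned by the Timesketch administrator, a per-field trigger that is only shown when the value passes a verification_regex, and a redirect warning that can be skipped for self-hosted services) can be exercised end to end in a few dozen lines. The following is an added example written for this page; it is not Timesketch code and does not use Timesketch's real configuration format or API. The config keys (short_name, match_fields, verification_regex, context_link, redirect_warning), the <ATTR_VALUE> placeholder, the hostnames and the sample event are all constructed for illustration.

```python
import re
from urllib.parse import quote

PLACEHOLDER = "<ATTR_VALUE>"

# Constructed, hypothetical administrator configuration in the spirit of the
# schema the issue asks for. NOT Timesketch's actual context-link config.
CONTEXT_LINKS = [
    {
        "short_name": "VirusTotal",
        "match_fields": ["hash", "sha256_hash", "md5_hash"],
        # Only offer the link when the value looks like an MD5/SHA1/SHA256.
        "verification_regex": r"^[A-Fa-f0-9]{32}$|^[A-Fa-f0-9]{40}$|^[A-Fa-f0-9]{64}$",
        "context_link": "https://www.virustotal.com/gui/search/<ATTR_VALUE>",
        # External service: warn before investigation data leaves the instance.
        "redirect_warning": True,
    },
    {
        "short_name": "unfurl",
        "match_fields": ["url", "uri"],
        "verification_regex": r"^https?://",
        "context_link": "https://unfurl.internal.example/?url=<ATTR_VALUE>",
        # Self-hosted instance (assumed): the redirect warning can be skipped.
        "redirect_warning": False,
    },
    {
        "short_name": "Windows event docs",
        "match_fields": ["event_identifier"],
        "verification_regex": r"^\d{1,5}$",
        "context_link": "https://docs.example/winevents/<ATTR_VALUE>",
        "redirect_warning": True,
    },
]


def validate_config(links):
    """Return a list of problems an admin should fix before the config is loaded."""
    errors = []
    for i, link in enumerate(links):
        for key in ("short_name", "match_fields", "context_link"):
            if key not in link:
                errors.append(f"entry {i}: missing '{key}'")
        if PLACEHOLDER not in link.get("context_link", ""):
            errors.append(f"entry {i}: context_link lacks {PLACEHOLDER}")
        try:
            re.compile(link.get("verification_regex", ""))
        except re.error as exc:
            errors.append(f"entry {i}: bad verification_regex: {exc}")
    return errors


def build_url(template, value):
    # Percent-encode the whole value so it cannot break out of the path or query.
    return template.replace(PLACEHOLDER, quote(str(value), safe=""))


def context_links_for(field, value, links=CONTEXT_LINKS):
    """Context links to show for one event attribute (empty if none apply)."""
    result = []
    for link in links:
        if field not in link["match_fields"]:
            continue
        regex = link.get("verification_regex")
        if regex and not re.search(regex, str(value)):
            continue  # value does not verify: hide the trigger for this field
        result.append({
            "short_name": link["short_name"],
            "url": build_url(link["context_link"], value),
            # Default to warning when the admin did not say otherwise.
            "redirect_warning": link.get("redirect_warning", True),
        })
    return result


def context_links_for_event(event, links=CONTEXT_LINKS):
    """Map each attribute of an event to its applicable context links."""
    out = {}
    for field, value in event.items():
        hits = context_links_for(field, value, links)
        if hits:
            out[field] = hits
    return out


if __name__ == "__main__":
    # Constructed sample event: two hash-like fields, only one verifies.
    event = {
        "hash": "d41d8cd98f00b204e9800998ecf8427e",
        "sha256_hash": "not-a-real-hash",
        "url": "https://example.org/a?b=c&d=e",
        "event_identifier": "4624",
        "message": "logon succeeded",
    }
    assert not validate_config(CONTEXT_LINKS)
    for field, hits in context_links_for_event(event).items():
        for hit in hits:
            warn = " (redirect warning)" if hit["redirect_warning"] else ""
            print(f"{field}: {hit['short_name']} -> {hit['url']}{warn}")
```

Two design points worth keeping when this is implemented for real: the value is percent-encoded with an empty safe set so a crafted field value cannot inject extra path segments or query parameters into the lookup URL, and redirect_warning defaults to true, so an administrator has to opt out explicitly for a self-hosted service rather than accidentally disabling the warning.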