How to use the timesketch.lib.analyzers.interface.BaseSketchAnalyzer function in timesketch
To help you get started, we’ve selected a few timesketch examples, based on popular ways it is used in public projects.
Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
google / timesketch / timesketch / lib / analyzers / sessionizer.py View on Github 
"""Sessionizing sketch analyzer plugin."""
from __future__ import unicode_literals
from timesketch.lib.analyzers import interface
from timesketch.lib.analyzers import manager
class SessionizerSketchPlugin(interface.BaseSketchAnalyzer):
"""Sessionizing sketch analyzer. All events in sketch with id sketch_id
are grouped in sessions based on the time difference between them. Two
consecutive events are in the same session if the time difference between
them is less or equal then max_time_diff_micros.
Attributes:
NAME (str): The name of the sessionizer.
max_time_diff_micros (int): The maximum time difference between two
events in the same session, in microseconds.
query (str): The Elasticsearch query string query identifying the
events to be sessionized.
session_type (str): Used to label the events that are sessionized.
"""
NAME = 'sessionizer'
# TODO max_time_diff_micros should be configurabledef build_query_for_indicators(indicators):
"""Builds an Elasticsearch query for Yeti indicator patterns.
Prepends and appends .* to the regex to be able to search within a field.
Returns:
The resulting ES query string.
"""
query = []
for domain in indicators:
query.append('domain:/.*{0:s}.*/'.format(domain['pattern']))
return ' OR '.join(query)
class YetiIndicators(interface.BaseSketchAnalyzer):
"""Index analyzer for Yeti threat intel indicators."""
NAME = 'yetiindicators'
DEPENDENCIES = frozenset(['domain'])
def __init__(self, index_name, sketch_id):
"""Initialize the Index Analyzer.
Args:
index_name: Elasticsearch index name
"""
super(YetiIndicators, self).__init__(index_name, sketch_id)
self.intel = {}
self.yeti_api_root = current_app.config.get('YETI_API_ROOT')
self.yeti_api_key = current_app.config.get('YETI_API_KEY')
self.yeti_indicator_labels = current_app.config.get("""Sketch analyzer plugin for browser search."""
from __future__ import unicode_literals
import logging
import re
import six
from six.moves import urllib_parse as urlparse
from timesketch.lib.analyzers import interface
from timesketch.lib.analyzers import manager
from timesketch.lib import emojis
class BrowserSearchSketchPlugin(interface.BaseSketchAnalyzer):
"""Sketch analyzer for BrowserSearch."""
NAME = 'browser_search'
DEPENDENCIES = frozenset()
# Here we define filters and callback methods for all hits on each filter.
_URL_FILTERS = frozenset([
('Bing', re.compile(r'bing\.com/search'),
'_extract_search_query_from_url', 'q'),
('DuckDuckGo', re.compile(r'duckduckgo\.com'),
'_extract_search_query_from_url', 'q'),
('GMail', re.compile(r'mail\.google\.com'),
'_extract_urlpart_search_query', None),
('Google Inbox', re.compile(r'inbox\.google\.com'),
'_extract_urlpart_search_query', None),hours = sorted(hours)
runs = get_list_of_consecutive_sequences(hours)
# There should either be a single run or at most two.
number_runs = len(runs)
if number_runs == 1:
return hours, threshold, frame_count
if number_runs == 2 and runs[0][0] == 0:
# Two runs, first one starts at hour zero.
return hours, threshold, frame_count
return fix_gap_in_list(hours), threshold, frame_count
class BrowserTimeframeSketchPlugin(interface.BaseSketchAnalyzer):
"""Sketch analyzer for BrowserTimeframe."""
NAME = 'browser_timeframe'
DEPENDENCIES = frozenset()
def __init__(self, index_name, sketch_id):
"""Initialize The Sketch Analyzer.
Args:
index_name: Elasticsearch index name
sketch_id: Sketch ID
"""
self.index_name = index_name
super(BrowserTimeframeSketchPlugin, self).__init__(
index_name, sketch_id)from timesketch.lib import emojis
from timesketch.lib.analyzers import interface
from timesketch.lib.analyzers import manager
RE_FLAGS = [
're.ASCII',
're.IGNORECASE',
're.LOCALE',
're.MULTILINE',
're.DOTALL',
're.VERBOSE',
]
class FeatureExtractionSketchPlugin(interface.BaseSketchAnalyzer):
"""Sketch analyzer for FeatureExtraction."""
NAME = 'feature_extraction'
CONFIG_FILE = 'features.yaml'
FORM_FIELDS = [
{
'name': 'query_string',
'type': 'ts-dynamic-form-text-input',
'label': 'The filter query to narrow down the result set',
'placeholder': 'Query',
'default_value': ''
},
{
'name': 'query_dsl',from __future__ import unicode_literals
import collections
import difflib
from flask import current_app
from datasketch.minhash import MinHash
from timesketch.lib import emojis
from timesketch.lib import similarity
from timesketch.lib.analyzers import interface
from timesketch.lib.analyzers import manager
from timesketch.lib.analyzers import utils
class PhishyDomainsSketchPlugin(interface.BaseSketchAnalyzer):
"""Sketch analyzer for phishy domains."""
NAME = 'phishy_domains'
DEPENDENCIES = frozenset(['domain'])
# This list contains entries from Alexa top 10 list (as of 2018-12-27).
# They are used to create the base of a domain watch list. For custom
# entries use DOMAIN_ANALYZER_WATCHED_DOMAINS in timesketch.conf.
WATCHED_DOMAINS_BASE_LIST = [
'google.com', 'youtube.com', 'facebook.com', 'baidu.com',
'wikipedia.org', 'qq.com', 'amazon.com', 'yahoo.com', 'taobao.com',
'reddit.com']
def __init__(self, index_name, sketch_id):
"""Initialize The Sketch Analyzer.from flask import current_app
from timesketch.lib.analyzers import interface
from timesketch.lib.analyzers import manager
class FileInfo(object):
"""Datastructure to track all timestamps for a file and timestamp type."""
def __init__(self, file_reference=None, timestamp_desc=None,
std_info_event=None, std_info_timestamp=None, file_names=None):
self.file_reference = file_reference
self.timestamp_desc = timestamp_desc
self.std_info_event = std_info_event
self.std_info_timestamp = std_info_timestamp
self.file_names = file_names or []
class NtfsTimestompSketchPlugin(interface.BaseSketchAnalyzer):
"""Sketch analyzer for Timestomp."""
NAME = 'ntfs_timestomp'
STD_INFO = 16
FILE_NAME = 48
def __init__(self, index_name, sketch_id):
"""Initialize The Sketch Analyzer.
Args:
index_name: Elasticsearch index name
sketch_id: Sketch ID
"""
self.index_name = index_name
self.threshold = current_app.config.get(
'NTFS_TIMESTOMP_ANALYZER_THRESHOLD', 10) * 60000000"""Sketch analyzer plugin for GCP Service Key usage."""
from __future__ import unicode_literals
from timesketch.lib.analyzers import interface
from timesketch.lib.analyzers import manager
class GcpServiceKeySketchPlugin(interface.BaseSketchAnalyzer):
"""Sketch analyzer for GCP Service Key usage."""
NAME = 'gcp_servicekey'
def __init__(self, index_name, sketch_id):
"""Initialize The Sketch Analyzer.
Args:
index_name: Elasticsearch index name
sketch_id: Sketch ID
"""
self.index_name = index_name
super(GcpServiceKeySketchPlugin, self).__init__(index_name, sketch_id)
def run(self):
"""Entry point for the analyzer."""Sketch analyzer plugin for domain."""
from __future__ import unicode_literals
import collections
import logging
import numpy
from timesketch.lib import emojis
from timesketch.lib.analyzers import interface
from timesketch.lib.analyzers import manager
from timesketch.lib.analyzers import utils
class DomainSketchPlugin(interface.BaseSketchAnalyzer):
"""Sketch analyzer for Domain."""
NAME = 'domain'
DEPENDENCIES = frozenset()
def __init__(self, index_name, sketch_id):
"""Initialize The Sketch Analyzer.
Args:
index_name: Elasticsearch index name
sketch_id: Sketch ID
"""
self.index_name = index_name
super(DomainSketchPlugin, self).__init__(index_name, sketch_id)"""Sketch analyzer plugin for feature extraction."""
from __future__ import unicode_literals
from timesketch.lib.analyzers import interface
from timesketch.lib.analyzers import manager
class AccountFinderSketchPlugin(interface.BaseSketchAnalyzer):
"""Sketch analyzer for AccountFinder."""
NAME = 'account_finder'
DEPENDENCIES = frozenset(['feature_extraction'])
def __init__(self, index_name, sketch_id):
"""Initialize The Sketch Analyzer.
Args:
index_name: Elasticsearch index name
sketch_id: Sketch ID
"""
self.index_name = index_name
super(AccountFinderSketchPlugin, self).__init__(
index_name, sketch_id)
Popular timesketch functions
- timesketch.api.v1.resources.ResourceMixin
- timesketch.apps.sketch.models.Sketch
- timesketch.apps.sketch.models.Sketch.objects.create
- timesketch.apps.sketch.models.Sketch.objects.get
- timesketch.lib.analyzers.interface
- timesketch.lib.analyzers.interface.BaseSketchAnalyzer
- timesketch.lib.analyzers.manager
- timesketch.lib.analyzers.manager.AnalysisManager
- timesketch.lib.analyzers.manager.AnalysisManager.register_analyzer
- timesketch.lib.emojis.get_emoji
- timesketch.lib.forms.BaseForm
- timesketch.models.db_session
- timesketch.models.db_session.add
- timesketch.models.db_session.commit
- timesketch.models.sketch.SearchIndex
- timesketch.models.sketch.SearchIndex.query.filter_by
- timesketch.models.sketch.Sketch
- timesketch.models.sketch.Sketch.query.get_with_acl
- timesketch.models.sketch.View
- timesketch.models.user.User