Posts

Showing posts with the label timesketch
Timesketch, Header Mapping for CSV imports

Introduction Timesketch is an open-source tool for collaborative forensic timeline analysis. The Timesketch user interface allows a user to upload CSV, JSONL and Plaso storage files. This blogpost will focus on Timesketch's CSV import capability. CSV is a common denominator format for data exchange between analytic tools. Timesketch's current CSV import feature requires the file to have a set of columns representing a message, a timestamp and its description. These fields need to be named in a certain way, otherwise the Timesketch server will discard them. For this reason, users usually have to pre-process their CSVs between export from a tool and import into Timesketch to satisfy this constraint. This blogpost describes a new solution to overcome this limitation, i.e., uploading a CSV without one or more required headers. This new functionality is called header mapping because it allows the user to map one or more missing req

Use EVTX files on VirusTotal with Timesketch and Sigma (Part 2)

Use VirusTotal EVTX files to test / verify Sigma rules (Part 2) This is the second part of a blog series. In the first part we covered manual and automated ways to use a recently added VirusTotal feature to download EVTX files from sandbox execution. This second part explores ways to use a VirusTotal EVTX file to test a Sigma rule and adjust the Sigma config in Timesketch to make the rule work. For this we will use a different sample than in part 1, one that matches a rule that would not work out of the box in Timesketch. Disclaimer Most of our other blog posts cover open source techniques. The API feature described in this post is part of a commercial offering from VirusTotal and is not available to free tier accounts. Similar files could be created with Cuckoo Sandbox, an open source malware analysis system. Sigma rule This article assumes the reader is familiar with the basic use of Sigma in Timesketch that was covered in Sigma in Timesketch - let's rule the sketch. To get started we w

Use EVTX files on VirusTotal with Timesketch and Sigma (Part 1)

TL;DR: VirusTotal added a new feature that allows VirusTotal Enterprise customers to download Windows XML EventLog files (.evtx) from a sandbox execution of submitted samples. This article covers how this feature can help incident responders and digital forensic analysts develop detections, and how to use the new API to test an existing detection pipeline. Over the course of the article, tools like DFTimewolf, Plaso and Timesketch will be used. Disclaimer Most of our other blog posts cover open source techniques. The API feature described in this post is part of a commercial offering from VirusTotal and is not available to free tier accounts. Similar files could be created with Cuckoo Sandbox, an open source malware analysis system. Prerequisite In order to follow this guide, we will need a running Timesketch server, Docker on our local computer and DFTimewolf installed. In addition we need access to the private API of VirusTotal. Context Windows EventLogs are an important source fo