DFIRKuiper / Kuiper

Digital Forensics Investigation Platform

what content should be in .kjson? #51

Closed cyber1c3 closed 2 years ago

cyber1c3 commented 2 years ago

I find that many parsers in Kuiper are built in, such as yum_sources.

I just don't understand how to create a kjson file, like yum_sources.kjson. What format should it be?

I have tried writing this content to yum_sources.kjson:

{"baseurl":"www.xxxx.com/baseurl/xxxx"}

When I upload it to Kuiper and parse it, the kjson parser has an error and doesn't tell me why. The Artifacts view also has nothing.

So, could you please write some wiki to tell us how to create a *.kjson and make sure it can be parsed by Kuiper and gives an Artifacts result? I want to write some parsers to parse some artifacts from Linux machines, but your wiki is not easy to understand.

AbdulRhmanAlfaifi commented 2 years ago

Hi, kjson is a JSONL file (line-separated JSON objects) with predefined fields. The following is an example with the data you provided:

{
    "Data": {"baseurl":"www.xxxx.com/baseurl/xxxx"},
    "data_type": "<ARTIFACT_NAME>",
    "data_source": "<ARTIFACT_SOURCE>",
    "data_path": "<ARTIFACT_SOURCE_PATH>"
}

Where:

Also, make sure to add the field @timestamp to the JSON object in the field Data to be able to visualize it in the timeline; otherwise it will default to 1700-01-01 00:00:00.
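An added worked example (not code from the Kuiper project or from either commenter) that puts the answer above into practice: it parses a constructed yum .repo file into one record per repository section, wraps each record in the envelope described above (Data, data_type, data_source, data_path, with @timestamp inside Data), writes the result as JSONL, and validates a .kjson file line by line so that a missing envelope field or a missing @timestamp is reported before upload instead of failing silently in the parser. The sample .repo content, the host name, the path under /etc/yum.repos.d/, the "YYYY-MM-DD HH:MM:SS" timestamp layout (inferred from the 1700-01-01 00:00:00 default mentioned in the thread) and the use of the host name as data_source are all assumptions for illustration, not documented Kuiper behaviour.

```python
import configparser
import json

# Envelope fields the answer above lists for every .kjson line.
REQUIRED_TOP = ("Data", "data_type", "data_source", "data_path")
# Default the timeline falls back to when Data has no @timestamp (from the thread).
KUIPER_DEFAULT_TS = "1700-01-01 00:00:00"

# Constructed sample of a yum .repo file (assumed to live under /etc/yum.repos.d/).
SAMPLE_REPO = """\
[base]
name=CentOS Base
baseurl=http://mirror.example.com/centos/7/os/x86_64/
enabled=1
gpgcheck=1

[updates]
name=CentOS Updates
baseurl=http://mirror.example.com/centos/7/updates/x86_64/
enabled=0
"""


def parse_yum_repo(text):
    """Parse INI-style .repo content into one dict per [section], keeping the section name."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return [dict(cp[section], section=section) for section in cp.sections()]


def to_kjson_record(data, data_type, data_source, data_path, timestamp=None):
    """Wrap one parsed artifact in the envelope a .kjson line needs.

    @timestamp is placed inside Data, as the answer above requires, so the
    record appears at a real time on the timeline rather than at the default.
    """
    record_data = dict(data)
    if timestamp is not None:
        record_data["@timestamp"] = timestamp
    return {
        "Data": record_data,
        "data_type": data_type,
        "data_source": data_source,
        "data_path": data_path,
    }


def write_kjson(records):
    """Serialize records as JSONL: exactly one compact JSON object per line."""
    return "".join(json.dumps(r, separators=(",", ":")) + "\n" for r in records)


def validate_kjson(text):
    """Check a .kjson body line by line; return (accepted_count, errors, warnings)."""
    errors, warnings = [], []
    accepted = 0
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError as e:
            errors.append(f"line {lineno}: not valid JSON ({e.msg})")
            continue
        if not isinstance(obj, dict):
            errors.append(f"line {lineno}: top-level value must be a JSON object")
            continue
        missing = [k for k in REQUIRED_TOP if k not in obj]
        if missing:
            errors.append(f"line {lineno}: missing field(s) {missing}")
            continue
        if not isinstance(obj["Data"], dict):
            errors.append(f"line {lineno}: Data must be a JSON object")
            continue
        if "@timestamp" not in obj["Data"]:
            warnings.append(f"line {lineno}: no @timestamp in Data; timeline will show {KUIPER_DEFAULT_TS}")
        accepted += 1
    return accepted, errors, warnings


def build_yum_sources_kjson(repo_text=SAMPLE_REPO,
                            path="/etc/yum.repos.d/CentOS-Base.repo",   # assumed path
                            host="linux-host-01",                       # assumed data_source
                            mtime="2023-05-01 12:34:56"):               # assumed file mtime
    """Produce the yum_sources.kjson body for one .repo file, one line per repository."""
    records = [
        to_kjson_record(section, "yum_sources", host, path, timestamp=mtime)
        for section in parse_yum_repo(repo_text)
    ]
    return write_kjson(records)


if __name__ == "__main__":
    body = build_yum_sources_kjson()
    print(body, end="")
    print(validate_kjson(body))
    # The bare object from the question fails validation with a clear reason.
    print(validate_kjson('{"baseurl":"www.xxxx.com/baseurl/xxxx"}\n'))
```

Run the validator over any hand-written .kjson before uploading: a line that is a bare artifact object (as in the question) is rejected for missing envelope fields, and a line whose Data lacks @timestamp is accepted but flagged so the 1700-01-01 default does not come as a surprise in the timeline.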

cyber1c3 commented 2 years ago

@AbdulRhmanAlfaifi Thanks! It works. By the way, when will Kuiper support getting artifacts from Linux? I think Linux is as important as Windows.