Closed Epod closed 2 years ago
hi,
Thanks for the notes. The issue is that it is missing a timeline view; if the record does not match any timeline view condition, it will use the default view: https://github.com/DFIRKuiper/Kuiper/blob/master/kuiper/files/timeline_views/default.yaml
Unfortunately, the Kuiper timeline view currently only supports either matching a specific view or using the default view. If you create a specific view for Windows events with the condition data_type:"Events",
it will cause a conflict with the other view whose condition is data_type:"Events" AND Data.Event.System.EventID.#text:"22" AND Data.Event.System.Channel:"Microsoft\-Windows\-TerminalServices\-LocalSessionManager\/Operational",
because it will always use the first hit.
For the next release there will be a view level, for example:
view Events_Incoming_RDP_connection_22 has level 3
view default_windows_event has level 2
view Default has level 1
and it will always use the highest level.
But this is not implemented so far -_-
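As an added illustration (not Kuiper's own code, and not a description of how Kuiper's matcher is implemented), the following Python model shows the two selection rules described above: the current first-hit behaviour, which lets a broad data_type:"Events" view shadow the more specific RDP view, and the planned level-based rule, which picks the highest-level matching view. The view conditions are the ones quoted above; the record layout, the `View` class, the `level` values, the sample records and the simplified AND-only condition parser are all assumptions made for this example.

```python
# Added example: models timeline-view selection, first-hit vs highest-level.
# Assumptions (not from Kuiper): views are (name, condition, level) records,
# conditions are Lucene-style 'field:"value"' terms joined by AND only, and
# records are nested dicts addressed by dotted paths such as
# Data.Event.System.EventID.#text.
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class View:
    name: str
    condition: Optional[str]  # None marks the default view, which matches anything
    level: int = 1


# One 'field:"value"' term; the value may contain escaped characters like \- or \/
TERM = re.compile(r'([\w.#]+):"((?:\\.|[^"\\])*)"')


def _get(record: dict, path: str):
    """Walk a dotted path through nested dicts; None if any part is missing."""
    cur = record
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches(condition: Optional[str], record: dict) -> bool:
    """True when every term of an AND-only condition equals the record's value."""
    if condition is None:
        return True
    terms = TERM.findall(condition)
    if not terms:
        return False
    for path, value in terms:
        value = re.sub(r"\\(.)", r"\1", value)  # drop the escaping backslashes
        if str(_get(record, path)) != value:
            return False
    return True


def select_first_hit(views, record: dict) -> str:
    """Current behaviour: the first specific view whose condition matches wins,
    otherwise the default view is used."""
    for v in views:
        if v.condition is not None and matches(v.condition, record):
            return v.name
    return next(v.name for v in views if v.condition is None)


def select_highest_level(views, record: dict) -> str:
    """Planned behaviour: among all matching views, the highest level wins."""
    hits = [v for v in views if matches(v.condition, record)]
    return max(hits, key=lambda v: v.level).name


# Constructed view set; the broad Events view is listed before the RDP one,
# which is the ordering that produces the conflict described in the comment.
VIEWS = [
    View("default_windows_event", 'data_type:"Events"', level=2),
    View(
        "Events_Incoming_RDP_connection_22",
        r'data_type:"Events" AND Data.Event.System.EventID.#text:"22" AND '
        r'Data.Event.System.Channel:"Microsoft\-Windows\-TerminalServices\-LocalSessionManager\/Operational"',
        level=3,
    ),
    View("Default", None, level=1),
]

# Constructed sample records (field names are assumptions for the example)
RDP_RECORD = {
    "data_type": "Events",
    "Data": {"Event": {"System": {
        "EventID": {"#text": "22"},
        "Channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
    }}},
}
OTHER_EVENT = {
    "data_type": "Events",
    "Data": {"Event": {"System": {"EventID": {"#text": "4624"}, "Channel": "Security"}}},
}
NON_EVENT = {"data_type": "UAL"}

if __name__ == "__main__":
    for rec in (RDP_RECORD, OTHER_EVENT, NON_EVENT):
        print(select_first_hit(VIEWS, rec), "->", select_highest_level(VIEWS, rec))
```

Run as a script it prints one line per record: the RDP event resolves to `default_windows_event` under first-hit (the shadowing problem) but to `Events_Incoming_RDP_connection_22` under the level rule, while the non-Events record falls through to `Default` under both.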
Describe the bug
When exporting a timeline, some entries are populated with empty fields.
To Reproduce
Steps to reproduce the behavior: I am not sure exactly how to reproduce this error.
In the above screenshot - we see event ID 22 shows up fine, but other event log entries do not.
The entries with empty data are always at the bottom of the Excel document.
The empty sections in the timeline DO have values populated in the timeline.
Example of missing Event IDs - but have them populated in the timeline view:
Example of missing UAL entries - but with data in the timeline view:
Expected behavior
One would assume at least the event IDs would be populated on events, even if a description can't be derived.
Screenshots
Above