FR: Timeline Annotations to Timesketch uploads

[mtreanor-r7]

Is it possible to have timeline annotations uploaded to Timesketch instead of the entire timeline?

if we have a new methodology put in place to have analysts import findings (understand that data should be trimmed down to an extent) into a timeline but only annotate key big high level findings, the annotation timeline would provide bigger value from a supertimeline perspective when viewing multiple assets during an investigation.

Trying to pivot away from the kitchen sink of sending a KAPE package to plaso to Timesketch then reviewing is going to posture analysts to timeline natively in VR and have a more standardised way of doing a review. Doing testing locally before we spin up a dev test is proving fruitful to be able to use multiple hunts into one timeline and annotate is painting a new way forward but the annotation with having detailed notes will be a game changer.

[scudette]

The annotation timeline is just a regular timeline and you can read it with VQL, therefore you can also upload to timesketch

See https://docs.velociraptor.app/artifact_references/pages/server.utils.timesketchupload/

[mtreanor-r7]

Great thank you for this resource, will do some further testing, also note that we can download the annotation CSV and remap the headers during manual upload to TS too.