I'd like to be able to feed ALEAPP's output into Timesketch.
The format of tl.db is not conducive to doing this, specifically the "datalist" column, which is serialized as a list of strings, where each string is a key:value pair. This makes the field difficult to separate into its components since the ':' separator is also part of many values.
I'd like to change the way ALEAPP stores information in the "datalist" to a JSON format. From reading the ALEAPP code, the modification would be a fairly small change to scripts/ilapfuncs.py:timeline.
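The ambiguity described in the post, as an added example that is not part of the original post and is not ALEAPP's code. It builds a "datalist" string in the described list-of-strings form, shows where splitting on ':' loses data, and contrasts that with a JSON object that converts directly into a Timesketch JSONL event. The sample row, the header names, the `": "` separator, the function names and the UTC timestamp handling are all assumptions made for illustration.

```python
import ast
import json
from datetime import datetime, timezone

# Constructed sample row; header names and values are illustrative, not ALEAPP output.
HEADERS = ["Timestamp", "URL", "Extra: Title"]
ROW = ["2021-03-04 10:15:30", "https://example.com:8443/a?b=c", "Note: draft"]


def legacy_serialize(headers, row):
    # Format described in the post: str() of a list of "key: value" strings
    # (the exact ": " separator is an assumption).
    return str([f"{h}: {v}" for h, v in zip(headers, row)])


def legacy_parse(text, maxsplit=-1):
    # Recover a dict by splitting each item on ':'; maxsplit=1 splits on the first ':' only.
    out = {}
    for item in ast.literal_eval(text):
        parts = item.split(":", maxsplit)
        out[parts[0].strip()] = parts[1].strip()
    return out


def json_serialize(headers, row):
    # Proposed format: one JSON object per row, keys and values kept separate.
    return json.dumps(dict(zip(headers, row)))


def to_timesketch_line(activity, datalist_json, ts_key="Timestamp"):
    # Timesketch JSONL needs message, datetime (ISO 8601) and timestamp_desc;
    # treating the stored timestamp as UTC is an assumption.
    fields = json.loads(datalist_json)
    ts = datetime.strptime(fields.pop(ts_key), "%Y-%m-%d %H:%M:%S")
    event = {
        "message": activity,
        "datetime": ts.replace(tzinfo=timezone.utc).isoformat(),
        "timestamp_desc": activity,
    }
    event.update(fields)
    return json.dumps(event)


if __name__ == "__main__":
    legacy = legacy_serialize(HEADERS, ROW)
    print(legacy_parse(legacy))              # values cut at their first ':'
    print(legacy_parse(legacy, maxsplit=1))  # header containing ':' is misparsed
    print(to_timesketch_line("Browser History", json_serialize(HEADERS, ROW)))
```

Splitting on the first ':' only recovers the values correctly as long as no header contains the separator; the JSON form needs no such convention.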