brimdata / zui

Zui is a powerful desktop application for exploring and working with data. The official front-end to the Zed lake.
https://www.brimdata.io/download/

Tag records with color #843

Open siskojr opened 4 years ago

siskojr commented 4 years ago

Request: As a user, I would like to tag logs with a color classification so that I can mark my threat hunting results.

User flow

  1. Log selection.
  2. Right click to Tag.
  3. Tag logs.

Tagging options: The different types should have different colors for easier identification: "Interesting", "Suspicious", "Malicious" or "Evidence".

Log selection options

  1. Mouse click and keyboard selections.
  2. Select all logs option valid (Edit → Select All) [query results don't fit in visible screen].

Desired functionality

  1. Multiple tags at the same time.
  2. Multiple icons in Tag column. Multiple tags possible: collaboration, one analyst marks as suspicious, another as evidence.
  3. Filter by tag should be possible. Example: Filter all suspicious, then export to ZNG as usual (collaboration).
  4. History annotation desired.

Reference Wireframe: image.png

Reference from Molo.ch: image.png

philrz commented 4 years ago

This also came up in an inquiry from a community user on the Brim public Slack:

https://brimsec.slack.com/archives/C010DR0HHMF/p1586091392037100

jameskerr commented 2 years ago

Another community request for this feature in a Slack thread:

what kind of lift would it be to let users tag individual records? for e.g I want to right click a row and tag "follow-up" or something similar

We also asked the user a follow-up question about persisting the data.

Q: Maybe this goes without saying, but can we assume that you’ll want the tags to persist with the data, e.g., your tags should live with the saved pool data rather than being unique to a single session in the app? I ask because in the prior discussions we’ve had about the challenges of implementing this, being able to do something “lite” that only persists within a single session of the app would probably be easier to bang out sooner, but we also recognize that something persistent is what many users probably imagine.

A:

Yea exactly - ideally it should get saved in the pool somewhere. Otherwise, if it's staying with a session, maybe a dialogue prompt to save session data somewhere that can then be re-imported later on or automatically... I can see that working too.

philrz commented 2 years ago

We had a discussion as a team to assess the current feasibility of implementing, given the evolution in the Zed technology since the time the issue was opened. There was consensus that the CRUD-like operations envisioned in https://github.com/brimdata/zed/issues/4024 may indeed make this easier to implement than it had been in the past. It was also noted that a short term solution might be to commit tags/notes to a separate pool and then do a join on this to re-attach them to the original records in another pool.
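The "separate pool plus join" idea in the comment above can be modelled end to end in a few dozen lines. The following is an added example written for this page, not code from Zui, Zed, or the thread's participants. It assumes that every data record carries a stable key field (here `uid`, as a Zeek `conn` record would), that tags are committed as append-only events to a second pool keyed by the same `uid`, and that each event carries `tag`, `analyst`, `ts` and an `op` of `add` or `remove`. All input records and tag events are constructed sample data. Replaying the event pool yields both the current tag set per record (so two analysts can tag the same record and a tag can be retracted) and the full history the request asked for; a left join then re-attaches tags to the original records without dropping untagged ones, and filtering by tag gives the "filter, then export" collaboration flow.

```python
"""Model of the "tag pool + join" approach discussed in the thread.

Assumptions (not part of the original issue or of Zed/Zui):
  - every record in the data pool carries a stable key field, here "uid"
  - tags live in a separate, append-only pool of events keyed by that "uid"
  - each event is {"uid", "tag", "analyst", "ts", "op"} with op "add" or "remove"
Both inputs below are constructed sample data.
"""
from collections import defaultdict

# Constructed sample: three conn-style records in the "data" pool.
RECORDS = [
    {"uid": "C1", "id.orig_h": "10.0.0.5", "id.resp_h": "203.0.113.9", "id.resp_p": 443},
    {"uid": "C2", "id.orig_h": "10.0.0.7", "id.resp_h": "198.51.100.3", "id.resp_p": 22},
    {"uid": "C3", "id.orig_h": "10.0.0.5", "id.resp_h": "192.0.2.44", "id.resp_p": 4444},
]

# Constructed sample: the append-only "tags" pool. Two analysts tag the same
# record, and one tag is later retracted. "ts" gives the commit order.
TAG_EVENTS = [
    {"uid": "C1", "tag": "suspicious", "analyst": "alice", "ts": 1, "op": "add"},
    {"uid": "C3", "tag": "suspicious", "analyst": "alice", "ts": 2, "op": "add"},
    {"uid": "C3", "tag": "evidence", "analyst": "bob", "ts": 3, "op": "add"},
    {"uid": "C1", "tag": "suspicious", "analyst": "alice", "ts": 4, "op": "remove"},
    {"uid": "C1", "tag": "interesting", "analyst": "bob", "ts": 5, "op": "add"},
]

# The four classifications from the request; anything else is rejected.
VALID_TAGS = {"interesting", "suspicious", "malicious", "evidence"}


def replay_tags(events):
    """Fold the event pool into current tags and full history per uid.

    Returns {uid: {"tags": sorted list, "history": [events in ts order]}}.
    Unknown tag names or ops raise instead of being stored silently.
    """
    state = defaultdict(lambda: {"tags": set(), "history": []})
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["tag"] not in VALID_TAGS:
            raise ValueError(f"unknown tag {ev['tag']!r} on {ev['uid']}")
        entry = state[ev["uid"]]
        entry["history"].append(ev)
        if ev["op"] == "add":
            entry["tags"].add(ev["tag"])
        elif ev["op"] == "remove":
            entry["tags"].discard(ev["tag"])
        else:
            raise ValueError(f"unknown op {ev['op']!r} on {ev['uid']}")
    return {uid: {"tags": sorted(v["tags"]), "history": v["history"]}
            for uid, v in state.items()}


def left_join_tags(records, events):
    """Re-attach tags to the original records (left join on uid).

    Records with no tag events keep an empty tags list, so nothing is dropped
    and the original record order is preserved.
    """
    tag_state = replay_tags(events)
    joined = []
    for rec in records:
        st = tag_state.get(rec["uid"], {"tags": [], "history": []})
        joined.append({**rec, "tags": st["tags"], "tag_history": st["history"]})
    return joined


def filter_by_tag(tagged_records, tag):
    """Select records currently carrying `tag` (the "filter, then export" flow)."""
    return [r for r in tagged_records if tag in r["tags"]]


if __name__ == "__main__":
    import json
    tagged = left_join_tags(RECORDS, TAG_EVENTS)
    for r in filter_by_tag(tagged, "suspicious"):
        print(json.dumps({k: v for k, v in r.items() if k != "tag_history"}))
```

Because the tag pool is append-only, a retraction is just another event, so the history of who tagged what, and when, survives even after a tag is removed; the join is recomputed on read, which is what makes the approach workable without rewriting the original records.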