google / timesketch

Collaborative forensic timeline analysis
Apache License 2.0
2.53k stars 578 forks

Add tags or comments to multiple events at once #1701

Open honorthecode opened 3 years ago

honorthecode commented 3 years ago

Is your feature request related to a problem? Please describe. Currently there does not seem to be a way to add labels or events to multiple events at once within the UI, which means that an analyst would have to spend a lot of time adding labels and/or comments individually.

Describe the solution you'd like Right now functionality exists to select multiple events and star them. If that were expanded with the ability to add/edit labels and add a comment, that would allow for much faster review of similar events, e.g. adding the label "lateral movement attempt" to hundreds of outbound SSH attempts by a known compromised user.

Describe alternatives you've considered There may be a solution for this using the API, but I have not yet explored that option.

kiddinn commented 3 years ago

This is possible in the API client, but not in the UI.

kiddinn commented 3 years ago

Just adding this in for completeness, there is:

`sketch.label_events(self, events, label_name)`

This function will add a label to multiple events at once. The `events` argument here is a list of JSON objects that contain the document ID for each of the events, as well as the index ID and document type.

However, since the functionality is missing in the UI, I'll keep this issue open.
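As an added example (not Timesketch project code and not part of this thread), the following shows how an analyst could use the `label_events()` call quoted above to bulk-label the "outbound SSH attempts by a compromised user" scenario from the original request: search rows are filtered, reduced to the identifier fields, and sent in batches. The signature `sketch.label_events(events, label_name)` is taken from the comment; the key names `_id`, `_index` and `_type` are assumed names for the document ID, index ID and document type it describes, and `RecordingSketch` is an offline stand-in so the script runs without a server.

```python
"""Bulk-label Timesketch events through the API client's label_events().

Added example, not project code. Assumptions: label_events(events, label_name)
as quoted in the thread; event dicts keyed by _id, _index and _type (assumed
key names for the document ID, index ID and document type).
"""
from typing import Callable, Dict, Iterable, List

# Constructed sample search results (what a search/explore call might return).
SAMPLE_ROWS = [
    {"_id": "a1", "_index": "idx-1", "_type": "generic_event",
     "username": "jdoe", "dest_port": 22, "direction": "outbound"},
    {"_id": "a2", "_index": "idx-1", "_type": "generic_event",
     "username": "jdoe", "dest_port": 22, "direction": "outbound"},
    {"_id": "a3", "_index": "idx-1", "_type": "generic_event",
     "username": "svc-backup", "dest_port": 22, "direction": "outbound"},
    {"_id": "a4", "_index": "idx-2", "_type": "generic_event",
     "username": "jdoe", "dest_port": 443, "direction": "outbound"},
]

def to_event_ref(row: Dict) -> Dict:
    """Keep only the identifier fields label_events() needs per event."""
    return {k: row[k] for k in ("_id", "_index", "_type")}

def is_outbound_ssh_by(user: str) -> Callable[[Dict], bool]:
    """Predicate: outbound SSH (port 22) attempts by the given user."""
    return lambda r: (r.get("username") == user and r.get("dest_port") == 22
                      and r.get("direction") == "outbound")

def label_matching_events(sketch, rows: Iterable[Dict],
                          predicate: Callable[[Dict], bool],
                          label_name: str, batch_size: int = 100) -> int:
    """Label every row matching predicate, at most batch_size per API call.
    Returns the number of events labelled."""
    if batch_size < 1:
        raise ValueError("batch_size must be >= 1")
    refs: List[Dict] = [to_event_ref(r) for r in rows if predicate(r)]
    for start in range(0, len(refs), batch_size):
        sketch.label_events(refs[start:start + batch_size], label_name)
    return len(refs)

class RecordingSketch:
    """Offline stand-in for an API client Sketch; records label_events calls."""
    def __init__(self) -> None:
        self.calls: List = []
    def label_events(self, events: List[Dict], label_name: str) -> None:
        self.calls.append((list(events), label_name))

if __name__ == "__main__":
    sk = RecordingSketch()
    n = label_matching_events(sk, SAMPLE_ROWS, is_outbound_ssh_by("jdoe"),
                              "lateral movement attempt", batch_size=1)
    print(f"labelled {n} events in {len(sk.calls)} calls")
```

With a real client, replace `RecordingSketch` by the `Sketch` object obtained from the API client and `SAMPLE_ROWS` by the rows of a search; only the two `jdoe` port-22 events above receive the label.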

kiddinn commented 3 years ago

However, for the original question, which was to add labels or comments to multiple events, in the API client there is:

That is, the last one only provides a comment to a single event instead of a list of events; there is nothing preventing a list of events from being accepted there as well. Is that something that you think should be there? That's an easy add-on, I just haven't had the need to add comments to multiple events at the same time.

The other thing that might be added here is some documentation, with code samples showing how to use this feature.

itsmvd commented 2 years ago

I'll look into adding the ability to add labels/tags to/from multiple events at once.

Zawadidone commented 4 months ago

Labels are deprecated and removed from the UI as shown in the documentation. Should the title of the PR be "Add tags or comments to multiple events at once"?

https://timesketch.org/guides/user/basic-concepts/