When working on a new sketch the initial explore page has a lot of white space and no information on how to get started. The analyst has just their list of timelines and an empty search bar (see screenshot below).
While observing how analysts work with Timesketch, and from feedback, we noticed that many analysts start by running the `*` search to get all events for all timelines. This operation gets more and more expensive with larger timelines until it can even break (e.g. searching `*` on 50M events does not work well and will most likely generate an error 500).
The main task with this issue is to explore and track possible options to improve the start of an investigation.
Possible ideas that have been provided during feedback sessions:

- Show the omnibar in the empty space to allow for a quick start to search on specific data_types, tags or saved searches (screenshot below).
- Have some guidance displayed on how to start an efficient search.
- Nudge the analyst to use the Investigate (DFIQ) feature to define what they are looking to answer and then follow the approaches.