AWS CloudTrail Analyzer

[raihalea]

Is your feature request related to a problem? Please describe. It would be helpful to enhance the AWS CloudTrail analyzer to allow automatic tagging of events.

Describe the solution you'd like I propose creating an analyzer that can automatically tag events based on pre-defined actions and events.

[jkppr]

Hi @raihalea, thanks for the feature idea.

It sounds like you're interested in automatically tagging events based on their content. Timesketch already has a feature that might help with this.

Have you looked into the "Tagger" analyzer? It allows you to define rules that automatically tag events based on searches. You can find more information on how to configure it for your AWS CloudTrail logs here: https://timesketch.org/guides/analyzers/tagger/

If the Tagger analyzer meets your needs, consider submitting a pull request with your tagging logic. This way, everyone in the Timesketch community can benefit from your contribution.

If the Tagger analyzer isn't quite what you're looking for, you can always create your own analyzer. Here are some resources to help you get started:

• Analyzer Development Guide: https://timesketch.org/developers/analyzer-development/
• Community Contributions Folder: This is a great place to share your custom analyzer with other Timesketch users. https://github.com/google/timesketch/tree/master/timesketch/lib/analyzers/contrib

[raihalea]

Hello @jkppr,

Thank you for the suggestion! I initially considered creating a custom analyzer, but after starting the work, I realized that the Tagger analyzer is actually sufficient for my needs.

I have a couple of quick questions:

• Should I add entries directly to /data/tags.yaml for Tagger? If there’s a tags.yaml file specifically for contributors, could you let me know?
• Will adding CloudTrail-related tags to /data/tags.yaml impact users who aren’t interested in CloudTrail, such as by cluttering their view or slowing down searches?

Thanks for your guidance!

[jkppr]

Feel free to add the config directly to the /data/tags.yaml file. There is no separate contributors config for the tagger. You can ask for my review on the PR.

To ensure the added config does not clutter anyones logs, you should be as specific as possible in your query. E.g. by focusing it on a specific data_type only. If someone does not have events matching those queries the tagger will just move on.

[raihalea]

Closed the previous PR (https://github.com/google/timesketch/pull/3217). I’ll create a new one.