Annotation Database

[heatheradkins]

It might be interesting to keep an annotation database for each Sketch. For example, if I have an IP address (192.168.4.55), and I annotate it with its hostname (argv-workstation), you could highlight everytime the IP showed up in the sketch, and a tooltip/mouseover could show the annotated hostname. This would keep the analyst from having to X-reference notes constantly.

[berggren]

I really like this idea. The question is how to model the database and what kind of annotations we would like to put there. IP <-> hostname is a given, any other interesting use cases? I'll think about this closer, but yes this will definitely be implemented in the future.

[heatheradkins]

The only other thing I've run into thus far are Windows Event IDs, but I think there's an argument this should be built into the tool by default rather than added by the analyst.

[berggren]

Yes, this should be build into the tool(s) and Plaso recently added support for event log message strings. https://github.com/log2timeline/plaso/issues/99

[berggren]

I think a generic key/value/kind db schema would work here, and then add a new REST endpoint to get the manual added annotations for the active sketch.

[csash]

This would be a really useful feature. A couple thoughts (thinking out loud here, so feel free to tell me I'm completely crazy):

• Having annotations that are both local to a sketch and global to Timesketch (or extend across multiple sketches) would be awesome. Local IP -> hostname might be unique to a sketch, but something like a unique RDP client name -> "this is known bad!" or annotating significant IPs and users for my company's infrastructure would extend across multiple or all sketches.
• Extending this to annotating complete events -- i.e. creation of specific registry key -> installation of X malware -- would also be super powerful. Being able to capture an event the analyst feels is significant and automatically flag it would be helpful and speed up analysis
• This has the potential to grow up into a pretty full fledged knowledge management system if it wanted to. I think the foundation for that requires tracking the places "significant" annotations occur (see below), allowing cross-sketch queries for annotated things (which I guess is the same thing as the first item), allowing comments on the annotation (analyst explanation of what the annotation is, why one cares about it, etc), and exposing this information via the API in a way other tools can readily consume and (this is a little more complex, I think) contribute to it. Not sure if Timesketch wants to go there, but I would find it awesome. Maybe this is best suited for a separate standalone thing Timesketch could query?
• It seems like you might need to differentiate between annotations that just make life easier (like IP -> hostname) and annotations that are "significant," like hash->evil to make some of this possible.

[jaegeral]

This might be interesting to re-evaluate given the work in: https://github.com/google/timesketch/pull/1796

@tomchop WDYT?