google / timesketch

Collaborative forensic timeline analysis
Apache License 2.0
2.61k stars, 588 forks

Add information for what analyzer results mean #862

Open Onager opened 5 years ago

Onager commented 5 years ago

It's not obvious what makes a domain "phishy" or what "outside normal hours" might mean, technically, and there isn't an easy way to see this in the UI.

berggren commented 5 years ago

Good point and I agree. I have been playing with the idea to have "info cards" in the explore UI as soon as the result set contains analyzed events. I'll mock something up in a few days.

@kiddinn for this specific analyzer for any other ideas to explain what an analyzer result means.

kiddinn commented 4 years ago

This is solved by having the analyzers generate a story to explain their results.

This is already implemented for browser search and timeframe. Phishy domains should also be updated to include a story generation, in which it is explained why a domain is considered phishy, etc. Will assign this to me and add that.
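The comment above proposes that an analyzer such as phishy domains should explain, per result, why a domain was flagged. The following is an added example of that idea and is not Timesketch's own analyzer code or API: a stand-alone lookalike-domain check that returns the concrete evidence (homoglyph substitution, small edit distance to a watched domain, a watched name embedded under another registered domain, or a punycode label) for every flagged domain, so a UI card or story can show it. The watchlist, the homoglyph table, the distance threshold and the sample DNS log lines are all constructed assumptions for this example.

```python
"""Added example (not Timesketch's phishy_domains analyzer): flag lookalike
domains and keep, per domain, the reasons it was flagged so the result can be
explained to an analyst instead of just tagged."""

import re
from dataclasses import dataclass, field

# Constructed watchlist of domains the organisation wants protected (assumption).
WATCHLIST = ("google.com", "microsoft.com", "paypal.com")

# Common look-alike substitutions, mapped back to the letter they imitate (assumption).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

# Constructed DNS log lines used as sample input.
SAMPLE_EVENTS = [
    "2024-01-01T10:00:00Z dns query=mail.google.com",
    "2024-01-01T10:00:05Z dns query=g00gle.com",
    "2024-01-01T10:00:09Z dns query=paypal.com.secure-login.example",
    "2024-01-01T10:00:12Z dns query=rnicrosoft.com",
    "2024-01-01T10:00:20Z dns query=example.org",
]


@dataclass
class Verdict:
    domain: str
    phishy: bool
    reasons: list = field(default_factory=list)  # the human-readable "story"


def levenshtein(a, b):
    """Plain dynamic-programming edit distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host):
    """Naive registered domain: last two labels (no public-suffix list)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def explain(domain, watchlist=WATCHLIST, max_distance=2):
    """Return a Verdict whose reasons list says exactly why the domain looks phishy."""
    verdict = Verdict(domain=domain, phishy=False)
    reg = registered_domain(domain)
    if reg in watchlist:
        return verdict  # the watched domain itself (or a real subdomain of it)
    label = reg.split(".")[0]
    if label.startswith("xn--"):
        verdict.reasons.append("internationalised (punycode) label %r" % label)
    normalized = label
    for glyph, letter in HOMOGLYPHS.items():
        normalized = normalized.replace(glyph, letter)
    for trusted in watchlist:
        tlabel = trusted.split(".")[0]
        if normalized == tlabel and label != tlabel:
            verdict.reasons.append(
                "homoglyph of %s: %r normalises to %r" % (trusted, label, tlabel))
            continue
        distance = levenshtein(label, tlabel)
        if 0 < distance <= max_distance:
            verdict.reasons.append("edit distance %d from %s" % (distance, trusted))
        if tlabel in domain.lower() and reg != trusted:
            verdict.reasons.append(
                "contains %r but registered domain is %s" % (tlabel, reg))
    verdict.phishy = bool(verdict.reasons)
    return verdict


def analyze(events):
    """Run the check over log lines; return (domain, reasons) for flagged ones."""
    story = []
    for line in events:
        match = re.search(r"query=(\S+)", line)
        if not match:
            continue
        verdict = explain(match.group(1))
        if verdict.phishy:
            story.append((verdict.domain, verdict.reasons))
    return story


if __name__ == "__main__":
    for domain, reasons in analyze(SAMPLE_EVENTS):
        print(domain)
        for reason in reasons:
            print("  -", reason)
```

The point is the `reasons` list, not the heuristics: each rule appends the evidence it matched, so the same text can be rendered in an info card or story next to the tagged event. The embedded-name rule will also fire on legitimate domains that contain a watched label (for example anything under a `googleapis`-style name), so a real analyzer would pair it with an allowlist before presenting the result.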

kiddinn commented 4 years ago

Missing:

jkppr commented 1 year ago

This is tackled as part of the overall rework of the analyzer results.

Still open tasks:

jaegeral commented 2 months ago

@jkppr do you think it would be safe to close that issue?

jkppr commented 2 months ago

The documentation for analyzers is still missing. So either we move this into a separate issue or keep tracking it here?