blueteam0ps / allthingstimesketch Goto Github PK

In file tsproxy line 18 at the and shoud be ";"

Hello and happy new year!

I seem to be having some issues with getting the import working for timesketch.

Some background of my configuration

System: Proxmox
OS: Ubuntu 20.04.06
Node-red: Setup via npm (bash <(curl -sL https://raw.githubusercontent.com/node-red/linux-installers/master/deb/update-nodejs-and-nodered). I tried the standard npm install but there were quite a few errors....
I also tried the docker version but couldnt work out how to give the Node-Red account access to the cases folder.
TimeSketch / Log2Timeline: Installed via the recommended tsplaso_docker_install.sh script
For the script there was an error for open search so I had to remove the following items.

These are the changes I made in Node Red

Triage Artefact Processor Flow

For the process variable should I leave it as localhost or put the IP that I use to access timesketch?
Also the kape output actually has the logs in /C/Windows/System32/winevt/logs. I see from slack it says its successful so I didnt amend the path.

For log2timeline I was not sure from the documentation what to change so I left it as is.

Hayabusa Process Flow

For Hayabusa I tried the latest version which now uses a wizard prior to starting and thought that might interfere with it starting so I downgraded and used the 2.5.1 version

Slack Notifications Flow

Slack notification is configured and works fine.

Thank you for your time and help!

Warm regards,

Marc

Fields "_parser_chain" and "_event_values_hash" have been removed from OpenSearch output in Log2Timeline version 20230717 (see log2timeline/plaso#4597). Since the very most of the rules in your "tags.yaml" include the "_parser_chain" field, they do not yield results after the Timesketch platform has been upgraded to this L2T version.

See https://choosealicense.com/ for inspiration

Thanks for your work with the tags.yaml file. It's a great support when conducting an investigation !

I noticed an omitted "" in the two "source_short:REG" that causes this saved search to return 0 hit:

win_execution_indicator:
  query_string:  '(source_short:REG AND (key_path:"*Microsoft\\Windows\\ShellNoRoam\\MUICache*" OR key_path:"*Software\\Microsoft\\Windows\\Shell\\MUICache*")) OR parser:"prefetch" OR (source_short:EVTX AND event_identifier:"4688") OR (source_short:REG" AND key_path:"*LastVisitedPidlMRU*") OR (source_short:REG" AND key_path:"*LastVisitedMRU*") OR (source_short:EVTX AND source_name:"Microsoft-Windows-Application-Experience" AND event_identifier:"500")'
  tags: ['win-execution','T1204','Execution','User-Execution','Medium']
  emojis: ['MARK']
  create_view: true
  view_name: 'T1204-Execution'

Query updated:

win_execution_indicator:
  query_string:  '(source_short:REG AND (key_path:"*Microsoft\\Windows\\ShellNoRoam\\MUICache*" OR key_path:"*Software\\Microsoft\\Windows\\Shell\\MUICache*")) OR parser:"prefetch" OR (source_short:EVTX AND event_identifier:"4688") OR (source_short:"REG" AND key_path:"*LastVisitedPidlMRU*") OR (source_short:"REG" AND key_path:"*LastVisitedMRU*") OR (source_short:EVTX AND source_name:"Microsoft-Windows-Application-Experience" AND event_identifier:"500")'
  tags: ['win-execution','T1204','Execution','User-Execution','Medium']
  emojis: ['MARK']
  create_view: true
  view_name: 'T1204-Execution'

Hi. I am currently using Node-Red Docker, and get the following error. Has anyone seen this before?

"failed to write to file: Error: EISDIR: illegal operation on a directory, open '/data/cases/processor/rich320210922t125635z/C/Windows/System32/wbem/'"

hey blueteam0ps,

can you provide a .env file ?