Change features config naming dependencies.

google · Nov 2, 2023 · 4bd9d7f · 4bd9d7f
1 parent 7fd1470
commit 4bd9d7f
Show file tree

Hide file tree

Showing 7 changed files with 12 additions and 8 deletions.
diff --git a/contrib/deploy_timesketch.ps1 b/contrib/deploy_timesketch.ps1
@@ -66,7 +66,8 @@ Write-Host "* Fetching configuration files.."
 (Invoke-webrequest -URI $GITHUB_BASE_URL/data/tags.yaml).Content | out-file timesketch\etc\timesketch\tags.yaml -encoding UTF8NoBOM
 (Invoke-webrequest -URI $GITHUB_BASE_URL/data/plaso.mappings).Content | out-file timesketch\etc\timesketch\plaso.mappings -encoding UTF8NoBOM
 (Invoke-webrequest -URI $GITHUB_BASE_URL/data/generic.mappings).Content | out-file timesketch\etc\timesketch\generic.mappings -encoding UTF8NoBOM
-(Invoke-webrequest -URI $GITHUB_BASE_URL/data/features.yaml).Content | out-file timesketch\etc\timesketch\features.yaml -encoding UTF8NoBOM
+(Invoke-webrequest -URI $GITHUB_BASE_URL/data/regex_features.yaml).Content | out-file timesketch\etc\timesketch\regex_features.yaml -encoding UTF8NoBOM
+(Invoke-webrequest -URI $GITHUB_BASE_URL/data/winevt_features.yaml).Content | out-file timesketch\etc\timesketch\winevt_features.yaml -encoding UTF8NoBOM
 (Invoke-webrequest -URI $GITHUB_BASE_URL/data/ontology.yaml).Content | out-file timesketch\etc\timesketch\ontology.yaml -encoding UTF8NoBOM
 (Invoke-webrequest -URI $GITHUB_BASE_URL/data/intelligence_tag_metadata.yaml).Content | out-file timesketch\etc\timesketch\intelligence_tag_metadata.yaml -encoding UTF8NoBOM
 (Invoke-webrequest -URI $GITHUB_BASE_URL/data/sigma_config.yaml).Content | out-file timesketch\etc\timesketch\sigma_config.yaml -encoding UTF8NoBOM

diff --git a/contrib/deploy_timesketch.sh b/contrib/deploy_timesketch.sh
@@ -89,7 +89,8 @@ curl -s $GITHUB_BASE_URL/data/timesketch.conf > timesketch/etc/timesketch/timesk
 curl -s $GITHUB_BASE_URL/data/tags.yaml > timesketch/etc/timesketch/tags.yaml
 curl -s $GITHUB_BASE_URL/data/plaso.mappings > timesketch/etc/timesketch/plaso.mappings
 curl -s $GITHUB_BASE_URL/data/generic.mappings > timesketch/etc/timesketch/generic.mappings
-curl -s $GITHUB_BASE_URL/data/features.yaml > timesketch/etc/timesketch/features.yaml
+curl -s $GITHUB_BASE_URL/data/regex_features.yaml > timesketch/etc/timesketch/regex_features.yaml
+curl -s $GITHUB_BASE_URL/data/winevt_features.yaml > timesketch/etc/timesketch/winevt_features.yaml
 curl -s $GITHUB_BASE_URL/data/ontology.yaml > timesketch/etc/timesketch/ontology.yaml
 curl -s $GITHUB_BASE_URL/data/sigma_rule_status.csv > timesketch/etc/timesketch/sigma_rule_status.csv
 curl -s $GITHUB_BASE_URL/data/tags.yaml > timesketch/etc/timesketch/tags.yaml

diff --git a/docker/dev/build/docker-entrypoint.sh b/docker/dev/build/docker-entrypoint.sh
@@ -9,7 +9,8 @@ if [ "$1" = 'timesketch' ]; then
   # Copy config files
   mkdir /etc/timesketch
   cp /usr/local/src/timesketch/data/timesketch.conf /etc/timesketch/
-  cp /usr/local/src/timesketch/data/features.yaml /etc/timesketch/
+  cp /usr/local/src/timesketch/data/regex_features.yaml /etc/timesketch/
+  cp /usr/local/src/timesketch/data/winevt_features.yaml /etc/timesketch/
   cp /usr/local/src/timesketch/data/tags.yaml /etc/timesketch/
   cp /usr/local/src/timesketch/data/intelligence_tag_metadata.yaml /etc/timesketch/
   cp /usr/local/src/timesketch/data/plaso.mappings /etc/timesketch/

diff --git a/docker/e2e/Dockerfile b/docker/e2e/Dockerfile
@@ -37,7 +37,8 @@ RUN cp /tmp/timesketch/data/timesketch.conf /etc/timesketch/
 RUN cp /tmp/timesketch/data/ontology.yaml /etc/timesketch/
 RUN cp /tmp/timesketch/data/tags.yaml /etc/timesketch/
 RUN cp /tmp/timesketch/data/intelligence_tag_metadata.yaml /etc/timesketch/
-RUN cp /tmp/timesketch/data/features.yaml /etc/timesketch/
+RUN cp /tmp/timesketch/data/regex_features.yaml /etc/timesketch/
+RUN cp /tmp/timesketch/data/winevt_features.yaml /etc/timesketch/
 RUN cp /tmp/timesketch/data/plaso.mappings /etc/timesketch/
 RUN cp /tmp/timesketch/data/generic.mappings /etc/timesketch/
 RUN cp /tmp/timesketch/data/sigma_config.yaml /etc/timesketch/

diff --git a/docs/developers/analyzer-development.md b/docs/developers/analyzer-development.md
@@ -50,8 +50,8 @@ of the following.
 If you just want to extract a simple feature, e.g. want to extract a hostname or
 IP that is somewhere in the message field, or inside another attribute you don't
 have to write a new analyzer, you can take advantage of the feature_extraction
-analyzer. All you need to do is to edit the `features.yaml` file found here:
-https://github.com/google/timesketch/blob/master/data/features.yaml
+analyzer. All you need to do is to edit the `regex_features.yaml` file found here:
+https://github.com/google/timesketch/blob/master/data/regex_features.yaml
 
 An example extraction entry looks like this:
 

diff --git a/docs/guides/analyzers/feature_extraction.md b/docs/guides/analyzers/feature_extraction.md
@@ -3,7 +3,7 @@ hide:
   - footer
 ---
 The feature extraction analyzer creates attributes out of event data based on regular expressions. Different
-features can be specified in the `data/features.yaml` file.
+features can be specified in the `data/regex_features.yaml` file.
 
 Please be aware that this analyzer does *not* extract ipv4, email-addresses and similar from *all* events, but only those that match the query_string.
 

diff --git a/timesketch/lib/analyzers/feature_extraction_plugins/regex_features.py b/timesketch/lib/analyzers/feature_extraction_plugins/regex_features.py
@@ -210,7 +210,7 @@ def extract_feature(self, name, config):
         Args:
             name: String with the name describing the feature to be extracted.
             config: A dict that contains the configuration for the feature
-                extraction. See data/features.yaml for fields and further
+                extraction. See data/regex_features.yaml for fields and further
                 documentation of what needs to be defined.
 
         Returns: