Removing the old feature extractor analyzer.

google · Nov 2, 2023 · 7fd1470 · 7fd1470
1 parent 8eaff71
commit 7fd1470
Show file tree

Hide file tree

Showing 7 changed files with 4 additions and 603 deletions.
diff --git a/data/features.yaml → data/regex_features.yaml b/data/features.yaml → data/regex_features.yaml
@@ -183,84 +183,6 @@ ssh_failed_method:
         store_as: 'authentication_method'
         re: 'Failed (?P<authentication_method>[^\s]+) for .*ssh\d'
 
-win_login_subject_username:
-        query_string: 'source_name:Microsoft-Windows-Security-Auditing AND (event_identifier:4624 OR event_identifier:4625)'
-        attribute: 'xml_string'
-        store_as: 'subject_username'
-        re: '"SubjectUserName">(?P<subject_username>[^<]+)</Data>'
-
-win_login_subject_domain:
-        query_string: 'source_name:Microsoft-Windows-Security-Auditing AND (event_identifier:4624 OR event_identifier:4625)'
-        attribute: 'xml_string'
-        store_as: 'subject_domain'
-        re: '"SubjectDomainName">(?P<subject_domain>[^<]+)</Data>'
-
-win_login_subject_logon_id:
-        query_string: 'source_name:Microsoft-Windows-Security-Auditing AND (event_identifier:4624 OR event_identifier:4625)'
-        attribute: 'xml_string'
-        store_as: 'subject_logon_id'
-        re: '"SubjectLogonId">(?P<subject_logon_id>[^<]+)</Data>'
-
-win_login_username:
-        query_string: 'source_name:Microsoft-Windows-Security-Auditing AND (event_identifier:4624 OR event_identifier:4625)'
-        attribute: 'xml_string'
-        store_as: 'username'
-        re: '"TargetUserName">(?P<username>[^<]+)</Data>'
-
-win_login_domain:
-        query_string: 'source_name:Microsoft-Windows-Security-Auditing AND (event_identifier:4624 OR event_identifier:4625)'
-        attribute: 'xml_string'
-        store_as: 'domain'
-        re: '"TargetDomainName">(?P<domain>[^<]+)</Data>'
-
-win_login_logon_id:
-        query_string: 'source_name:Microsoft-Windows-Security-Auditing AND (event_identifier:4624 OR event_identifier:4625)'
-        attribute: 'xml_string'
-        store_as: 'logon_id'
-        re: '"TargetLogonId">(?P<logon_id>[^<]+)</Data>'
-
-win_login_logon_type:
-        query_string: 'source_name:Microsoft-Windows-Security-Auditing AND (event_identifier:4624 OR event_identifier:4625)'
-        attribute: 'xml_string'
-        store_as: 'logon_type'
-        re: '"LogonType">(?P<logon_type>[^<]+)</Data>'
-
-win_login_logon_process_name:
-        query_string: 'source_name:Microsoft-Windows-Security-Auditing AND (event_identifier:4624 OR event_identifier:4625)'
-        attribute: 'xml_string'
-        store_as: 'logon_process_name'
-        re: '"LogonProcessName">(?P<logon_process_name>[^<]+)</Data>'
-
-win_login_workstation_name:
-        query_string: 'source_name:Microsoft-Windows-Security-Auditing AND (event_identifier:4624 OR event_identifier:4625)'
-        attribute: 'xml_string'
-        store_as: 'workstation_name'
-        re: '"WorkstationName">(?P<workstation_name>[^<]+)</Data>'
-
-win_login_process_id:
-        query_string: 'source_name:Microsoft-Windows-Security-Auditing AND (event_identifier:4624 OR event_identifier:4625)'
-        attribute: 'xml_string'
-        store_as: 'process_id'
-        re: '"ProcessId">(?P<process_id>[^<]+)</Data>'
-
-win_login_process_name:
-        query_string: 'source_name:Microsoft-Windows-Security-Auditing AND (event_identifier:4624 OR event_identifier:4625)'
-        attribute: 'xml_string'
-        store_as: 'process_name'
-        re: '"ProcessName">(?P<process_name>[^<]+)</Data>'
-
-win_login_ip_address:
-        query_string: 'source_name:Microsoft-Windows-Security-Auditing AND (event_identifier:4624 OR event_identifier:4625)'
-        attribute: 'xml_string'
-        store_as: 'ip_address'
-        re: '"IpAddress">(?P<ip_address>[^<]+)</Data>'
-
-win_login_port:
-        query_string: 'source_name:Microsoft-Windows-Security-Auditing AND (event_identifier:4624 OR event_identifier:4625)'
-        attribute: 'xml_string'
-        store_as: 'port'
-        re: '"IpPort">(?P<port>[^<]+)</Data>'
-
 win_bits_client_ipv4_addresses:
         query_string: 'data_type:"windows:evtx:record" AND source_name:Microsoft-Windows-Bits-Client'
         attribute: 'strings'

diff --git a/timesketch/lib/analyzers/__init__.py b/timesketch/lib/analyzers/__init__.py
@@ -21,7 +21,6 @@
 from timesketch.lib.analyzers import domain
 from timesketch.lib.analyzers import expert_sessionizers
 from timesketch.lib.analyzers import feature_extraction_plugin
-from timesketch.lib.analyzers import feature_extraction
 from timesketch.lib.analyzers import gcp_logging
 from timesketch.lib.analyzers import geoip
 from timesketch.lib.analyzers import hashr_lookup