Timesketch allows full text search within timelines. A good way to get started is to select one of the pre-set search templates and adjust it to the data in your timeline.
Simple search queries rely on the Query String Query mini-language, but it is also possible to use the full potential of the Elasticsearch query language in Advanced queries.
Data fields vary depending on the source being uploaded, but the following fields are mandatory and will therefore be present in any timeline.
Field | Description | Example query |
---|---|---|
message | String with information about the event | message:"This is a message" |
timestamp | Timestamp as microseconds since the Unix epoch | timestamp:"363420000" |
datetime | Date and time in ISO 8601 format | datetime:"2016-03-31T22:56:32+00:00" |
timestamp_desc | String explaining what type of timestamp it is | timestamp_desc:"Content Modification Time" |
Additional fields come from the imported Plaso file and depend on the source type. You can see which additional fields are available in your timeline by clicking on any event and viewing the detailed list of all fields and their values.
Field | Description | Example query |
---|---|---|
data_type | Data types present in the timeline (depends on source) | data_type:"windows:registry:key_value" |
filename | Search for particular file types | filename:*.exe |
strings | Search for a particular string | strings:"PsExec" |
Query String supports the boolean search operators AND, OR and NOT.
Wildcards can be used on individual search terms: ? matches a single character and * matches zero or more characters. Be aware that wildcard queries can use a lot of memory.
Regular expression patterns can be embedded in the query string by wrapping them in forward slashes ("/").
Some characters are reserved for regular expressions and must be escaped in the pattern:
. ? + * | { } [ ] ( ) " \
Below are the syntax elements and example regular expressions:
Sign | Meaning | Example |
---|---|---|
"." | Match any character | For "aaabbb": |
"+" | One or more | For "aaabbb": |
"*" | Zero or more | For "aaabbb": |
"?" | Zero or one | For "aaabbb": |
"{}" | Min-to-max repetitions | For "aaabbb": |
"()" | Forms sub-patterns | For "ababab": |
"|" | Acts as "OR" operator | For "aabb": |
"[]" | Sets a range of potential characters | For "abcd": |
Advanced search queries are in JSON format and let you use the full power of Elasticsearch. You can view your existing Query String query as an advanced Elasticsearch query by clicking the "Advanced" button below the query entry field.
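The following Python helper is an added example, not part of the Timesketch documentation or code base. It builds Query String queries from the field syntax, AND/OR/NOT operators and regex escaping rules described above, and renders the result as an Elasticsearch JSON body; the `query_string` wrapper is an assumption, since the page does not show the exact JSON Timesketch emits in its Advanced view, and all query values are constructed for illustration.

```python
import json

# Characters the guide lists as reserved inside a /regex/ pattern.
REGEX_RESERVED = set('.?+*|{}[]()"\\')


def regex_literal(text: str) -> str:
    """Wrap a literal string in a Query String regex (/.../), escaping every
    reserved character so the pattern matches the text verbatim."""
    escaped = "".join("\\" + c if c in REGEX_RESERVED else c for c in text)
    # A bare "/" would terminate the pattern early, so escape it as well.
    escaped = escaped.replace("/", "\\/")
    return f"/{escaped}/"


def regex_term(field: str, text: str) -> str:
    """field:/literal/ - a regex that matches one exact, untrusted value."""
    return f"{field}:{regex_literal(text)}"


def quoted_term(field: str, value: str) -> str:
    """field:"value" with embedded backslashes and quotes escaped."""
    value = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'{field}:"{value}"'


def build_query(must=(), should=(), must_not=()) -> str:
    """Combine (field, value) pairs with AND, OR and NOT.
    must: every clause is required; should: at least one of the group;
    must_not: each clause is excluded with NOT."""
    parts = []
    if must:
        parts.append(" AND ".join(quoted_term(f, v) for f, v in must))
    if should:
        parts.append("(" + " OR ".join(quoted_term(f, v) for f, v in should) + ")")
    for f, v in must_not:
        parts.append("NOT " + quoted_term(f, v))
    return " AND ".join(parts)


def to_advanced(query_string: str) -> dict:
    """Render a Query String query as an Elasticsearch query body (assumed
    shape: a plain query_string query; Timesketch may wrap it differently)."""
    return {"query": {"query_string": {"query": query_string}}}


if __name__ == "__main__":
    # Constructed hunt: registry events mentioning PsExec, excluding one timestamp type.
    q = build_query(must=[("data_type", "windows:registry:key_value")],
                    should=[("strings", "PsExec"), ("strings", "psexesvc")],
                    must_not=[("timestamp_desc", "Content Modification Time")])
    print(q)
    print(json.dumps(to_advanced(q), indent=2))
    print(regex_term("filename", "C:\\Temp\\a+b.exe"))
```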
Views are saved results of your search queries, for easier access later.
To save search results as a view, run your search query, apply filters if needed, and click the "Save view" button under the query field. You can then access this view from the Overview page, from the "Views" tab, and from the "Saved views" drop-down menu on the Explore page of your sketch.
You can further refine the data in your views by manually hiding certain events. To do so, click the small eye icon next to the event. If you have hidden events in your view, they can be un-hidden by clicking the red "Show hidden events" button in the upper right corner of your timeline.
You can save changes to your views by clicking the "Update View" button.
Search templates allow quick creation of the most commonly used views. You can browse the available templates in the "Search templates" drop-down menu below the search query window on the "Explore" page.
On the "Views" page, you can quickly generate and add a view from a template to your sketch. To do so, scroll down to the template you want to use and click "Quick add".