To play with Timesketch without any installation, visit demo.timesketch.org.
tsctl is a command line tool to control timesketch.
Parameters:
--config / -c (optional)
Example
tsctl runserver -c /etc/timesketch/timesketch.conf
Will start the Timesketch server.
Command:
tsctl runserver
Command:
tsctl add_user
Parameters:
--name / -n
--password / -p (optional)
Example
tsctl add_user --name foo
To change a user's password, the add_user command can be used: it checks whether the user already exists and, if so, updates the password instead of creating a new user.
Command:
tsctl add_user
Parameters:
--username / -u
--password / -p (optional)
Example
tsctl add_user --username foo
Not yet implemented.
Command:
tsctl add_group
Parameters:
--name / -n
Not yet implemented.
Add a user to a group or remove one from it. To add a user, specify the group and the user. To remove a user, include the -r option.
Command:
tsctl manage_group
Parameters:
--remove / -r (optional)
--group / -g
--user / -u
Example:
tsctl manage_group -u user_foo -g group_bar
Create a new Timesketch searchindex.
Command:
tsctl add_index
Parameters:
--name / -n
--index / -i
--user / -u
Example:
tsctl add_index -u user_foo -i test_index_name -n sample
Command:
tsctl db
Will drop all databases.
Command:
tsctl drop_db
Command:
tsctl json2ts
Delete a timeline permanently from Timesketch and Elasticsearch. It will warn if the timeline is still in use in a sketch and prompt for confirmation before deletion.
Args:
index_name: The name of the index in Elasticsearch
Command:
tsctl purge
Export/Import search templates to/from file.
Command:
tsctl search_template
Parameters:
--import / -i
--export / -e
import_location: Path to the YAML file to import templates from.
export_location: Path to the YAML file to export templates to.
Creates a new Timesketch timeline from a file. Supported file formats are Plaso, CSV and JSONL.
Command:
tsctl import
Parameters:
--file / -f
--sketch_id / -s (optional)
--username / -f (optional)
--timeline_name / -n (optional)
The sketch id is inferred from the filename if the filename starts with a number. The timeline name is also generated from the filename if it is not specified.
Command:
tsctl similarity_score
Timesketch is built on multiple sketches, where one sketch is usually one case. Every sketch can consist of multiple timelines with multiple views.
There is a dedicated document to walk you through Sketches:
- Create timeline from JSON/JSONL/CSV file
- Create timeline from Plaso file
- Enable Plaso upload via HTTP
To manually add an event, visit the sketch view. Within that screen you can star an event, hide an event, and add a manual event (marked with a little +). The new event will have the previously selected time pre-filled, but it can be changed.
This is all about reducing noise in the result views. Hit the little eye to hide events from the list, making it possible to curate views that emphasize the important things. The events are still there and can easily be shown again for those who want to see them. Hit the big red button to show/hide the hidden events.
The heatmap aggregation calculates on which day of the week and at which hour events happened. This can be very useful, e.g. when analyzing lateral movement or login events, where activity outside normal working hours stands out.
A story is a place where you can capture the narrative of your technical investigation and add detail to it with raw timeline data. The editor lets you write and capture the story behind your investigation and at the same time enables you to share detailed findings without spending hours writing reports.
You can add events from previously saved searches. Just hit enter to start a new paragraph and choose the saved search from the dropdown menu.
See Medium article
There is a dedicated document called SearchQueryGuide to help you create custom searches.
All data within Timesketch is stored in Elasticsearch, so searching works similarly to querying Elasticsearch directly.
Using the advanced search, an Elasticsearch query body in JSON can be passed to Timesketch, for example:
{
  "query": {
    "bool": {
      "must": [
        {
          "query_string": {
            "query": "*"
          }
        }
      ]
    }
  },
  "sort": {
    "datetime": "asc"
  }
}