How to write an analysis plugin
Create file and class
Write minimal tests
Write a test that loads your plugin
It will fail initially, but running the test while you’re developing your plugin gives you a quick way to see if your code is doing what you expect.
Implement your subclass of AnalysisPlugin
You’ll need to define/override:
You may also want to override:
ENABLE_IN_EXTRACTION, if your plugin is eligible to run while Plaso is extracting events.
Add additional tests that test your plugin
plaso/analysis/__init__.pyto import your plugin in the correct alphabetical order.