Tagging Analysis Plugin
Notes on how to use the tagging analysis plugin.
Creating a tagging file
A tagging file is an UTF-8 encoded text file that contains tagging rules.
A tagging rule consists of:
# Short description LABEL EVENT FILTER EXPRESSION
task_schedule data_type is 'windows:evt:record' and source_name is 'Security' and event_identifier is 602 data_type is 'windows:evtx:record' and source_name is 'Microsoft-Windows-Security-Auditing' and event_identifier is 4698
Running the analysis plugin
First run log2timeline to extract events:
log2timeline.py --storage-file timeline.plaso image.raw
Next run psort to tag events:
psort.py --analysis tagging --tagging-file tagging-file.txt -o null timeline.plaso
This will tag events based on the tagging rules.
The last step would be to export a timeline with the tags:
psort.py -o dynamic --fields datetime,timestamp_desc,source,source_long,message,parser,tag -w timeline.csv timeline.plaso