AWS CloudTrail Analyzer #3216
Comments
|
Hi @raihalea, thanks for the feature idea. It sounds like you're interested in automatically tagging events based on their content. Timesketch already has a feature that might help with this. Have you looked into the "Tagger" analyzer? It allows you to define rules that automatically tag events based on searches. You can find more information on how to configure it for your AWS CloudTrail logs here: https://timesketch.org/guides/analyzers/tagger/ If the Tagger analyzer meets your needs, consider submitting a pull request with your tagging logic. This way, everyone in the Timesketch community can benefit from your contribution. If the Tagger analyzer isn't quite what you're looking for, you can always create your own analyzer. Here are some resources to help you get started:
|
|
Hello @jkppr, Thank you for the suggestion! I initially considered creating a custom analyzer, but after starting the work, I realized that the Tagger analyzer is actually sufficient for my needs. I have a couple of quick questions:
Thanks for your guidance! |
|
Feel free to add the config directly to the To ensure the added config does not clutter anyones logs, you should be as specific as possible in your query. E.g. by focusing it on a specific data_type only. If someone does not have events matching those queries the tagger will just move on. |
|
Closed the previous PR (#3217). I’ll create a new one. |
Is your feature request related to a problem? Please describe.
It would be helpful to enhance the AWS CloudTrail analyzer to allow automatic tagging of events.
Describe the solution you'd like
I propose creating an analyzer that can automatically tag events based on pre-defined actions and events.
The text was updated successfully, but these errors were encountered: