File: Analysis-plugin-tagging.md

plaso 20201007-2
# Tagging Analysis Plugin

Notes on how to use the tagging analysis plugin.

## Creating a tagging file

A tagging file is a UTF-8 encoded text file that contains tagging rules.

A tagging rule consists of a label followed by one or more indented event filter expressions:

```
# Short description
LABEL
  EVENT FILTER EXPRESSION
```

For example:

```
task_schedule
  data_type is 'windows:evt:record' and source_name is 'Security' and event_identifier is 602
  data_type is 'windows:evtx:record' and source_name is 'Microsoft-Windows-Security-Auditing' and event_identifier is 4698
```
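To show how the label-plus-indented-expressions layout is read and applied, here is an added example (not plaso's own parser): it parses the tagging file above and evaluates the `field is value [and ...]` subset of the filter syntax against constructed event dictionaries. The `_TERM` regex, the `tag_event` helper and the assumption that expressions use only `is` and `and` are this example's, not plaso's.

```python
import re

# Constructed tagging file in the format described above (label, then indented filter expressions).
TAGGING_FILE = """\
# Scheduled task creation
task_schedule
  data_type is 'windows:evt:record' and source_name is 'Security' and event_identifier is 602
  data_type is 'windows:evtx:record' and source_name is 'Microsoft-Windows-Security-Auditing' and event_identifier is 4698
"""

def parse_tagging_file(text):
    """Return {label: [expression, ...]}; comment lines and blank lines are skipped."""
    rules = {}
    label = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith('#'):
            continue
        if line[0] in ' \t':
            # Indented line: an event filter expression belonging to the current label.
            if label is None:
                raise ValueError('filter expression before any label: %r' % line)
            rules[label].append(line.strip())
        else:
            # Unindented line: starts a new label.
            label = line.strip()
            rules.setdefault(label, [])
    return rules

# Matches one term of the form: field is 'string'  or  field is 123
_TERM = re.compile(r"^(\w+) is (?:'([^']*)'|(\d+))$")

def _matches(expression, event):
    """Evaluate a conjunction of 'field is value' terms (assumption: no 'or', no parentheses,
    and no quoted value containing the text ' and ')."""
    for term in expression.split(' and '):
        m = _TERM.match(term.strip())
        if not m:
            raise ValueError('unsupported term: %r' % term)
        field, string_value, int_value = m.groups()
        value = string_value if string_value is not None else int(int_value)
        if event.get(field) != value:
            return False
    return True

def tag_event(rules, event):
    """Return the sorted labels for which at least one expression matches the event."""
    return sorted(label for label, exprs in rules.items()
                  if any(_matches(e, event) for e in exprs))
```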

## Running Plaso

First run log2timeline to extract events:

```
log2timeline.py timeline.plaso image.raw
```

Next run psort to tag events:

```
psort.py --analysis tagging --tagging-file tagging-file.txt timeline.plaso
```

## Also see

* [Event filters](Event-filters.md)
* [Tagging rules](Tagging-Rules.md)