How to create a new analyzer

[ArnaudLhutereau]

Hi!

I'm trying to create my own analyzer but there is not a lot of information on Internet.
I duplicated a small analyzer in analyzer/ and try to play with it.

from __future__ import unicode_literals

from timesketch.lib.analyzers import interface
from timesketch.lib.analyzers import manager


class WinTestSketchPlugin(interface.BaseAnalyzer):
    """Analyzer test."""

    NAME = "win_test"
    DISPLAY_NAME = "Windows application test"
    DESCRIPTION = "Detect Windows test"

    def run(self):
        
        return "try"


manager.AnalysisManager.register_analyzer(WinTestSketchPlugin)

I saved my file "win_test.py" and add a line in init.py to import my file :
from timesketch.lib.analyzers import win_test

But when I try to use it in the web application with my timeline, the status stays in "PENDING".
When I check logs from "worker.log" I can see an error but I'm unable to find a solution :

[2023-01-26 16:53:45,517] celery.worker.strategy/INFO Received task: timesketch.lib.tasks.run_sketch_init[8d40fa52-e973-466c-ac06-c51ad0705933]  
[2023-01-26 16:53:45,526] celery.worker.strategy/INFO Received task: timesketch.lib.tasks.run_sketch_analyzer[8093d824-4bc8-499c-b16c-a8d45d52c17d]  
[2023-01-26 16:53:45,527] celery.app.trace/INFO Task timesketch.lib.tasks.run_sketch_init[8d40fa52-e973-466c-ac06-c51ad0705933] succeeded in 0.006168660998810083s: 'labad-c1ba879b-0f40-4a85-b8a8-88783cc0bd1c'
[2023-01-26 16:53:45,540] celery.app.trace/ERROR Task timesketch.lib.tasks.run_sketch_analyzer[8093d824-4bc8-499c-b16c-a8d45d52c17d] raised unexpected: KeyError('win_test')
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/dist-packages/celery/app/trace.py", line 385, in trace_task
    R = retval = fun(*args, **kwargs)
  File "/usr/local/lib/python3.8/dist-packages/timesketch/app.py", line 225, in __call__
    return TaskBase.__call__(self, *args, **kwargs)
  File "/usr/local/lib/python3.8/dist-packages/celery/app/trace.py", line 650, in __protected_call__
    return self.run(*args, **kwargs)
  File "/usr/local/lib/python3.8/dist-packages/timesketch/lib/tasks.py", line 534, in run_sketch_analyzer
    analyzer_class = manager.AnalysisManager.get_analyzer(analyzer_name)
  File "/usr/local/lib/python3.8/dist-packages/timesketch/lib/analyzers/manager.py", line 121, in get_analyzer
    return cls._class_registry[analyzer_name.lower()]
KeyError: 'win_test'

Any ideas?

Thanks!

[jkppr]

Hi, let me try to help you get started with the analyzer development.

Based on your provided information I assume the problem is with the missing __init__() function.

In general I would recommend to use our scaffold script to help you with setting up all necessary files for the analyzer development: https://l2tscaffolder.readthedocs.io/en/latest/sources/user/Installation.html#install-from-sources

1. Just install the l2tscaffolder from source and then switch to your timesketch root directory and run l2t_scaffolder.py.
2. When the scaffolder script asks, choose a name for your analyzer and select timesketch & sketch_analyzer.
3. This should create 2 new files in the analyzers/ folder and modifies the analyzers/__init__.py file accordingly.
4. You can now start developing your analyzer using the analyzer/<YOUR_ANALYZER_NAME>.py file. The parts you need to adjust are marked with #TODO comments and it provides a list of available methods to interact with the timeline.

If you want to continue without the scaffold template, try adding the following function to your analyzer:

    def __init__(self, index_name, sketch_id, timeline_id=None):
        """Initialize The Sketch Analyzer.
        Args:
            index_name: Opensearch index name
            sketch_id: Sketch ID
            timeline_id: Timeline ID, default is None
        """
        self.index_name = index_name
        super().__init__(index_name, sketch_id, timeline_id=timeline_id)

[ArnaudLhutereau]

Hi!
Thank you for your help.

• I try to add an init function but same issue with "KeyError"
• I try with l2tscaffolder (nice tool!) but same issue with "KeyError"

After long hours of debugging, I finally understand how my Timesketch configuration works with Docker.
I have 2 containers :

• 1x for web UI
• 1x for worker

My docker volume was only attached on my web UI container, that's why I can see analyzers in UI list (name, display_name, description)
The execution failed because there is no analyzer file on worker container : so manager.py raises an KeyError (logical).

So now it works but I will rewrite analyzer from 0 l2tscaffolder process to have a clean file!

[jkppr]

FYI:
We updated the docs on timesketch.org with a guide on how to write analyzers for Timesketch.