{"id":19890275,"url":"https://github.com/jaegeral/timesketch-cli","last_synced_at":"2025-05-02T18:30:57.094Z","repository":{"id":47511313,"uuid":"155355669","full_name":"jaegeral/timesketch-cli","owner":"jaegeral","description":"A dedicated repo to interact with the API of Timesketch","archived":false,"fork":false,"pushed_at":"2021-09-17T22:46:17.000Z","size":67,"stargazers_count":13,"open_issues_count":8,"forks_count":1,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-04-07T04:33:30.358Z","etag":null,"topics":["automation","cli","cybersecurity","dfir","forensic-analysis","timeline","timesketch"],"latest_commit_sha":null,"homepage":"https://www.alexanderjaeger.de/timesketch-tools/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jaegeral.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2018-10-30T09:10:08.000Z","updated_at":"2025-03-07T16:22:42.000Z","dependencies_parsed_at":"2022-08-23T23:10:57.558Z","dependency_job_id":null,"html_url":"https://github.com/jaegeral/timesketch-cli","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jaegeral%2Ftimesketch-cli","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jaegeral%2Ftimesketch-cli/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jaegeral%2Ftimesketch-cli/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jaegeral%2Ftimesketch-cli/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/j
aegeral","download_url":"https://codeload.github.com/jaegeral/timesketch-cli/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252088269,"owners_count":21692766,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["automation","cli","cybersecurity","dfir","forensic-analysis","timeline","timesketch"],"created_at":"2024-11-12T18:13:39.319Z","updated_at":"2025-05-02T18:30:56.694Z","avatar_url":"https://github.com/jaegeral.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# timesketch-cli\nA dedicated repo to interact with the API of Timesketch\n\nThis is an unofficial tool and is in no way supported by Google or the Timesketch team.\n\nUse at your own risk; it might break stuff...\n\n# Installation\n\n````\ngit clone https://github.com/deralexxx/timesketch-tools/\n````\n\nThis repo ships with a dedicated timesketch_api_client version\nto add some more functionality (it will be removed as soon as every PR is merged).\n\n# Usage\n\n```\ntimesketch-tools.py -h\n     \n         _______               __       __      __ \n        /_  __(_)_ _  ___ ___ / /_____ / /_____/ / \n         / / / /  ' \\/ -_|_-\u003c/  '_/ -_) __/ __/ _          \n        /_/ /_/_/_/_/\\__/___/_/\\_\\__/\\__/\\__/_//_/-tools v0.4\n\n            \nusage: timesketch-tools.py [-h]\n                           {sketch,sketches,modify_event,searchindices,upload}\n                           ...\n\npositional arguments:\n  {sketch,sketches,modify_event,searchindices,upload}\n\noptional arguments:\n  -h, --help        
    show this help message and exit\n\n```\n\n## Add an event\n\nYou can add an event to a sketch with:\n\n```\ntimesketch-tools.py sketch -o addevent -sid 1\n     \n         _______               __       __      __ \n        /_  __(_)_ _  ___ ___ / /_____ / /_____/ / \n         / / / /  ' \\/ -_|_-\u003c/  '_/ -_) __/ __/ _          \n        /_/ /_/_/_/_/\\__/___/_/\\_\\__/\\__/\\__/_//_/-tools v0.3\n\n            \nPlease provide informations to the event you would like to add timestamp, timestamp_desc, message will be promted\n\nTimestamp (use Format: YYYY-mm-ddTHH:MM:SS+00:00 2018-01-15T10:45:50+00:00) use c for current time c\ntimestamp_desc this is a description\nmessage message test\nEvent added, ID: 41 Date:2018-11-09T09:46:46+00:00 timestamp desc this is a description messagemessage test\n```\n\n## List sketches\n\nYou can list the sketches in your timesketch instance with:\n\n```\npython3 timesketch-tools.py sketches -o list\n     \n         _______               __       __      __ \n        /_  __(_)_ _  ___ ___ / /_____ / /_____/ / \n         / / / /  ' \\/ -_|_-\u003c/  '_/ -_) __/ __/ _          \n        /_/ /_/_/_/_/\\__/___/_/\\_\\__/\\__/\\__/_//_/-tools v0.4\n\n            \nNamespace(func=\u003cfunction sketches at 0x7f1443dac710\u003e, option='list')\n+----+------+\n| id | Name |\n+----+------+\n| 1  | aaa  |\n+----+------+\n\n```\n\n## List search indices\n\n```\ntimesketch-tools.py searchindices -o list\n     \n         _______               __       __      __ \n        /_  __(_)_ _  ___ ___ / /_____ / /_____/ / \n         / / / /  ' \\/ -_|_-\u003c/  '_/ -_) __/ __/ _          \n        /_/ /_/_/_/_/\\__/___/_/\\_\\__/\\__/\\__/_//_/-tools v0.3\n\n            \n+----+--------------------------+\n| id |     Searchindex name     |\n+----+--------------------------+\n| 1  |       redline_test       |\n| 2  |       redline_test       |\n| 3  |          sample          |\n| 4  |       redline_test       |\n| 5  |       redline_test       |\n| 6  |       
redline_test       |\n| 39 |         test123          |\n| 40 |         test123          |\n| 41 |         test1234         |\n| 42 | sketch specific timeline |\n| 43 |       my_timeline        |\n+----+--------------------------+\n\n```\n\n\n## Create a new sketch\n\n\n\n```\ntimesketch-tools.py sketch -o create -n testsketch\n     \n         _______               __       __      __ \n        /_  __(_)_ _  ___ ___ / /_____ / /_____/ / \n         / / / /  ' \\/ -_|_-\u003c/  '_/ -_) __/ __/ _          \n        /_/ /_/_/_/_/\\__/___/_/\\_\\__/\\__/\\__/_//_/-tools v0.3\n\n            \nWhat is the description of your new sketch? this is a description\nCreated sketch testsketch URL :http://127.0.0.1:5000/sketch/2/\n\n```\n\n## list timelines in a sketch\n\n```\ntimesketch-tools.py sketch -o list -sid 1\n     \n         _______               __       __      __ \n        /_  __(_)_ _  ___ ___ / /_____ / /_____/ / \n         / / / /  ' \\/ -_|_-\u003c/  '_/ -_) __/ __/ _          \n        /_/ /_/_/_/_/\\__/___/_/\\_\\__/\\__/\\__/_//_/-tools v0.3\n\n            \n+----+--------------------------+\n| id |           Name           |\n+----+--------------------------+\n| 39 |         test123          |\n| 40 |         test1234         |\n| 41 | sketch specific timeline |\n| 42 |       my_timeline        |\n+----+--------------------------+\n\n```\n\n## Comment an event\n\n```\ntimesketch-tools.py modify_event -o addComment --event_id AWQw5_NpeBLZMUY_lr62 --index_id ae92d77b677b43c7802a2ebe767d947d\n     \n         _______               __       __      __ \n        /_  __(_)_ _  ___ ___ / /_____ / /_____/ / \n         / / / /  ' \\/ -_|_-\u003c/  '_/ -_) __/ __/ _          \n        /_/ /_/_/_/_/\\__/___/_/\\_\\__/\\__/\\__/_//_/-tools v0.3\n\n            \nplease provide sketch id1\nPlease provide your comment Textthis is a wonderful comment\n```\n\n## Display a single event\n\n```\ntimesketch-tools.py modify_event -o display --event_id AWQw5_NpeBLZMUY_lr62 --sketchid 
1\n     \n         _______               __       __      __ \n        /_  __(_)_ _  ___ ___ / /_____ / /_____/ / \n         / / / /  ' \\/ -_|_-\u003c/  '_/ -_) __/ __/ _          \n        /_/ /_/_/_/_/\\__/___/_/\\_\\__/\\__/\\__/_//_/-tools v0.3\n\n            \n+---------------------+-------------------------------+--------------------------------------------------------------------+---------------------------------------+----------------------+----------------------------------+\n|       datetime      |         timestamp_desc        |                              message                               |                 labels                |         _id          |              _index              |\n+---------------------+-------------------------------+--------------------------------------------------------------------+---------------------------------------+----------------------+----------------------------------+\n| 2013-05-15T18:38:24 | File/PEInfo/PETimestamp Files | C:\\Windows\\System32\\qlco10011.dll e7c984669e9e22c7d8ba55a101a07fcb | [__ts_comment, foo_label, labeltest2] | AWQw5_NpeBLZMUY_lr62 | ae92d77b677b43c7802a2ebe767d947d |\n+---------------------+-------------------------------+--------------------------------------------------------------------+---------------------------------------+----------------------+----------------------------------+\n```\n\n## Add a tag from pyTaxonomie to Timesketch\n\n```\npython3 timesketch-tools.py modify_event -o addLabel --event_id AWc19oPsqgYnbgC2IIEH --index_id 1f9d42fd839a4324b0c4dcc1d47b55d2\n     \n         _______               __       __      __ \n        /_  __(_)_ _  ___ ___ / /_____ / /_____/ / \n         / / / /  ' \\/ -_|_-\u003c/  '_/ -_) __/ __/ _          \n        /_/ /_/_/_/_/\\__/___/_/\\_\\__/\\__/\\__/_//_/-tools v0.4\n\n            \nplease provide sketch id1\nPlease provide your Text\ndo you want to search within the pyTaxonomies? (y/n) y\nTerm you want to search for e.g. 
PAP, TLP, ...tlp\nSuggestions\ntlp:amber\ntlp:white\ntlp:green\ntlp:ex:chr\ntlp:red\nagain?y\nTerm you want to search for e.g. PAP, TLP, ...TLP\nSuggestions\nSeems we did not find the value 'NoneType' object has no attribute 'machinetags_expanded'\nTerm you want to search for e.g. PAP, TLP, ...pap\nSuggestions\nSeems we did not find the value 'NoneType' object has no attribute 'machinetags_expanded'\nTerm you want to search for e.g. PAP, TLP, ...PAP\nSuggestions\nPAP:AMBER\nPAP:WHITE\nPAP:GREEN\nPAP:RED\nagain?n\nGive labelPAP:WHITE\n\n```\n\n## Search in a sketch\n\nThe search term can be prefixed or suffixed with \"*\" as a wildcard that matches any characters.\nThe search is not case sensitive.\n\n````\ntimesketch-tools.py sketch -o search -sid 1 -st *win*\n     \n         _______               __       __      __ \n        /_  __(_)_ _  ___ ___ / /_____ / /_____/ / \n         / / / /  ' \\/ -_|_-\u003c/  '_/ -_) __/ __/ _          \n        /_/ /_/_/_/_/\\__/___/_/\\_\\__/\\__/\\__/_//_/-tools v0.4\n\n            \nSearching for: '*win*' in sketch 'aaaUntitled sketch'\n+---------------------------+----------------------------------------------------------+--------+----------------------+----------------------------------+\n|          datetime         |                         message                          | labels |         _id          |              _index              |\n+---------------------------+----------------------------------------------------------+--------+----------------------+----------------------------------+\n| 2018-10-15T18:52:06+00:00 |                           win                            |   []   | AWc__lO_IUecPZLawtVa | 524f5e7b530a16eba408968369e5a716 |\n| 2018-10-15T18:52:06+00:00 | Windows Domain admin credentials gone away to the hacker |   []   | AWdAAExzIUecPZLawtVb | 524f5e7b530a16eba408968369e5a716 
|\n+---------------------------+----------------------------------------------------------+--------+----------------------+----------------------------------+\n\n````\n\n## Analyze a sketch with an analyzer\n\nFirst list the timelines in the sketch to get the timeline id:\n\n````\npython3 timesketch-tools.py sketch -o list -sid 1\n     \n         _______               __       __      __ \n        /_  __(_)_ _  ___ ___ / /_____ / /_____/ / \n         / / / /  ' \\/ -_|_-\u003c/  '_/ -_) __/ __/ _          \n        /_/ /_/_/_/_/\\__/___/_/\\_\\__/\\__/\\__/_//_/-tools v0.5\n\n+----+--------------------------------------------------------------------+\n| id |                                Name                                |\n+----+--------------------------------------------------------------------+\n| 22 |                     disablestop-eventlog.evtx                      |\n+----+--------------------------------------------------------------------+\n````\n\nThen run the analyzer against that timeline:\n\n```\ntimesketch-tools.py sketch -o analyze -sid 1 -tl 22 -a sigma_windows\n     \n         _______               __       __      __ \n        /_  __(_)_ _  ___ ___ / /_____ / /_____/ / \n         / / / /  ' \\/ -_|_-\u003c/  '_/ -_) __/ __/ _          \n        /_/ /_/_/_/_/\\__/___/_/\\_\\__/\\__/\\__/_//_/-tools v0.5\n\n            \n{'objects': [{'analysis_session': 75}]}\n```\n\nIn the Celery log you will see:\n````\n[sigma_windows] result: Applied 2 tags\n* win_susp_time_modification: 0\n* win_susp_eventlog_cleared: 2\n* win_susp_security_eventlog_cleared: 0\n* win_susp_wmi_login: 0\n* win_susp_add_sid_history: 0\n* win_account_discovery: 0\n* win_user_creation: 0\n* win_susp_codeintegrity_check_failure: 0\n* win_usb_device_plugged: 0\n````\n\nVerify the findings:\n```\ntimesketch-tools.py sketch -o search -sid 1 -st *win_susp_eventlog_cleared*\n     \n         _______               __       __      __ \n        /_  __(_)_ _  ___ ___ / /_____ / /_____/ / \n         / / / /  ' \\/ -_|_-\u003c/  '_/ -_) __/ __/ _          \n        /_/ 
/_/_/_/_/\\__/___/_/\\_\\__/\\__/\\__/_//_/-tools v0.5\n\n            \nSearching for: '*win_susp_eventlog_cleared*' in sketch 'aaa'\n+---------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+----------------------+----------------------------------+\n|          datetime         |                                                                                message                                                                                | labels |         _id          |              _index              |\n+---------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+----------------------+----------------------------------+\n| 2019-04-27T21:04:26+00:00 | [104 / 0x0068] Source Name: Microsoft-Windows-Eventlog Strings: ['jwrig', 'DESKTOP-JR78RLP', 'System'] Computer Name: DESKTOP-JR78RLP Record Number: 1 Event Level: 4 |   []   | -J1VS3IB6L88DsjUZZdv | 1c4b78a002ec4d199f6e93540e4ea315 |\n| 2019-04-27T21:04:32+00:00 | [104 / 0x0068] Source Name: Microsoft-Windows-Eventlog Strings: ['jwrig', 'DESKTOP-JR78RLP', 'System'] Computer Name: DESKTOP-JR78RLP Record Number: 1 Event Level: 4 |   []   | -Z1VS3IB6L88DsjUZZdv | 1c4b78a002ec4d199f6e93540e4ea315 |\n+---------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+----------------------+----------------------------------+\n```\n\n\n# timesketch-tools vs tsctl\n\ntsctl is the tool used locally on the timesketch machine.\ntimesketch-tools is made to be used with the API from any machine that has network connection to the timesketch instance.\n\n# Test / play with timesketch-tools\n\nIf you 
want to play with or test timesketch-tools, it is recommended to create a venv:\n````\npip3 install virtualenv\ngit clone https://github.com/deralexxx/timesketch-tools\ncd timesketch-tools\npython3 -m venv venv\nsource venv/bin/activate\n(venv)$ python3 timesketch-tools.py -h\n````\n\nYou can either interact with the demo site (demo.timesketch.org)\nby using the config_demo.config file,\nor make use of the vagrant image of timesketch:\nhttps://github.com/google/timesketch/tree/master/vagrant\n\nStart the vagrant image, copy the sample config:\n````\ncp config.sample config_local.config\n````\nand set the contents of config_local.config to:\n````\n[TIMESKETCH]\nBASEURL = http://127.0.0.1\nUSERNAME = spock\nPASSWORD = spock\nHTTPS_VERIFY = False\nversion = 0.4\n````\n\nHTTPS_VERIFY = False disables TLS certificate verification, so keep it for the local vagrant instance only.\n\nThen adjust which config file is used in the timesketch-tools.py file.\n\nHappy playing\n\n# Open issues\n\n* add labels to events\n* create sketches\n* get the new api_client version merged\n\n# Contributing\n\nFeel free to make pull requests or open issues to contribute to this repository.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjaegeral%2Ftimesketch-cli","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjaegeral%2Ftimesketch-cli","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjaegeral%2Ftimesketch-cli/lists"}