https://github.com/chainguard-dev/kolide-timeline

Turn Kolide pipeline logs into a timeline
https://github.com/chainguard-dev/kolide-timeline

incident-response kolide timeline

Last synced: 4 months ago
JSON representation

Turn Kolide pipeline logs into a timeline

• Host: GitHub
• URL: https://github.com/chainguard-dev/kolide-timeline
• Owner: chainguard-dev
• License: apache-2.0
• Created: 2023-05-12T20:49:24.000Z (about 2 years ago)
• Default Branch: main
• Last Pushed: 2024-09-05T12:42:53.000Z (9 months ago)
• Last Synced: 2024-11-13T22:36:17.247Z (6 months ago)
• Topics: incident-response, kolide, timeline
• Language: Go
• Homepage:
• Size: 201 KB
• Stars: 2
• Watchers: 3
• Forks: 1
• Open Issues: 1
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

README

        
# kolide-timeline

[![stable](http://badges.github.io/stability-badges/dist/stable.svg)](http://github.com/badges/stability-badges)

kolide-timeline generates a timeline in CSV format from Kolide pipeline logs, using both query timestamps and any

timestamps returned by the queries.

This tool is geared toward security investigations and incident response.

![screenshot](images/sheet.png?raw=true "screenshot")

## Requirements

* Go v1.20 or newer

## Installation

```shell

go install github.com/chainguard-dev/kolide-timeline/cmd/kolide-timeline@latest

go install github.com/chainguard-dev/kolide-timeline/cmd/copy-from-gs@latest

```

## Usage

Timeline generation assumes that pipeline logs have been locally downloaded:

```

kolide-timeline 

```

If your Kolide pipeline logs are stored in Google Cloud Storage, there is a tool to simplify downloading recent logs for a single device:

```

copy-from-gs \

  --bucket chainguard-kolide-logs \

  --prefix kolide/results \

  --device-id=183909 \

  --max-age=72h            

```

To find the device ID, visit https://k2.kolide.com/, click on the Device, and view its URL: it will end in `/inventory/devices//overview`.