Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Hayabusa timelines from multiple systems are merged into one timeline in Timesketch #4

Open
ecapuano opened this issue Feb 26, 2025 · 2 comments
Open

Hayabusa timelines from multiple systems are merged into one timeline in Timesketch #4

ecapuano opened this issue Feb 26, 2025 · 2 comments
Assignees
@berggren

Comments

@ecapuano
Copy link

ecapuano commented Feb 26, 2025
edited
Loading

I have created multiple separate workflows to run Hayabusa on separate triages, but send to the same Sketch in Timesketch... This replicates a scenario where there are multiple systems involved in the same investigation, but ideally, we'd have separate timelines for each system within the sketch.

However, the way the Hayabusa worker sends data to timesketch, it unpredictably merges all Hayabusa outputs (even if from separate workflows) into the same timeline in Timesketch, likely because Hayabusa worker is configured to always produce a static output filename of Hayabusa_CSV_timeline.csv which causes it to be merged into any preexisting timeline by the same name.

Coincidentally If the jobs are all started in parallel, some condition is created which causes Hayabusa_CSV_timeline.csv to inherit some unique identifier such as Hayabusa_CSV_timeline.csv_233af -- and I am not sure why.

In my test scenario, I separately sent 6 triages through separate Hayabusa workflows and into Timesketch.

All 6 systems ended up in one timeline called Hayabusa_CSV_timeline.csv. However, only one of the systems (ACC-07) also had rogue entries in both Hayabusa_CSV_timeline.csv_4b297 (14.7k rows) and Hayabusa_CSV_timeline.csv_233af (50k rows)

Individual workflows in OpenRelik

Image

Example of one of the individual workflows

Image

Resulting timelines in the Sketch

Image

Ideal behavior is that each unique output of Hayabusa would result in a unique timeline in Timesketch, similarly to how the Plaso worker uses the UUID of the plaso output file as the timesketch timeline name.

I believe the culprit is in how the Timesketch worker is using the display_name to set the timeline name
https://github.com/openrelik/openrelik-worker-timesketch/blob/main/src/tasks.py#L156

And the hayabusa worker sets a display_name, whereas the Plaso worker does not set a display_name so the UUID of the raw filename is used instead, ensuring uniqueness.
https://github.com/openrelik/openrelik-worker-hayabusa/blob/main/src/csv_timeline.py#L63
@ecapuano
Copy link
Author

CC @shortstack

@berggren
Copy link
Contributor

Great report - yes this highlights that we need to be more flexible in how we name the timelines for timesketch. A few alternatives.

  • Do not use the display_name and use a uniq string instead
  • Use the workflow name? That will result in one timeline for all hayabusa runs in the same workflow though..
  • We could solve this with a change to the hayabusa worker to set a uniq prefix to each output file.

@berggren berggren self-assigned this Feb 26, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@berggren berggren

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@berggren @ecapuano