Merge branch 'master' into master

Author: jaegeral

.github/workflows/linters.yml

@@ -10,7 +10,7 @@ jobs:
     strategy:
       matrix:
         os: [ubuntu-20.04, ubuntu-22.04]
-        python-version: ['3.9', '3.10']
+        python-version: ["3.9", "3.10"]
 
     steps:
       - uses: actions/checkout@v2
@@ -36,28 +36,6 @@ jobs:
       - uses: actions/checkout@v2
       - uses: psf/black@stable
 
-  ESLint-frontend:
-    runs-on: ubuntu-latest
-    defaults:
-      run:
-        working-directory: ./timesketch/frontend
-    strategy:
-      matrix:
-        os: [ubuntu-20.04, ubuntu-22.04]
-        node-version: ["18"]
-    steps:
-      - uses: actions/checkout@v2
-      - name: Set up Node ${{ matrix.node-version }}
-        uses: actions/setup-node@v2
-        with:
-          node-version: ${{ matrix.node-version }}
-      - name: Install dependencies
-        run: yarn add eslint@5.16.0
-      - name: Run eslint
-        run: |
-          git config pull.rebase false && git fetch -p origin master
-          for FILE in `git --no-pager diff origin/master --name-only --diff-filter=ACMR | grep -e \.vue$ -e \.js$ | grep -v dist\/js | grep ^timesketch\/frontend\/ | sed s/'^timesketch\/frontend\/'/''/`; do echo "Running eslint against ${FILE}"; yarn run eslint ${FILE}; done
-
   ESLint-frontend-ng:
     runs-on: ubuntu-latest
     defaults:
@@ -66,7 +44,7 @@ jobs:
     strategy:
       matrix:
         os: [ubuntu-20.04, ubuntu-22.04]
-        node-version: ["18"]
+        node-version: ["20"]
     steps:
       - uses: actions/checkout@v2
       - name: Set up Node ${{ matrix.node-version }}

.github/workflows/unit-tests.yml

@@ -38,7 +38,7 @@ jobs:
     strategy:
       matrix:
         os: [ubuntu-20.04, ubuntu-22.04]
-        node-version: ["18"]
+        node-version: ["20"]
     steps:
       - uses: actions/checkout@v2
       - name: Set up Node ${{ matrix.node-version }}

api_client/python/timesketch_api_client/version.py

@@ -14,7 +14,7 @@
 """Version information for Timesketch API Client."""
 
 
-__version__ = "20241129"
+__version__ = "20250112"
 
 
 def get_version():

cli_client/python/timesketch_cli_client/version.py

@@ -13,7 +13,7 @@
 # limitations under the License.
 """Version information for the Timesketch CLI client."""
 
-__version__ = "20230721"
+__version__ = "20250112"
 
 
 def get_version():

contrib/nginx.conf

@@ -8,6 +8,20 @@ http {
         listen [::]:80;
         client_max_body_size 0m;
         location / {
+            # Unauthenticated ReDoS prevention
+            set $redos_check "";
+            if ($request_uri ~* "(/login)"){
+              set $redos_check U;
+            }
+            if ($request_method = POST){
+              set $redos_check "${redos_check}M";
+            }
+            if ($http_content_type != "application/x-www-form-urlencoded"){
+              set $redos_check "${redos_check}CT";
+            }
+            if ($redos_check = UMCT){
+              return 403;
+            }
             proxy_buffer_size 128k;
             proxy_buffers 4 256k;
             proxy_busy_buffers_size 256k;
@@ -18,6 +32,20 @@ http {
             proxy_set_header X-Forwarded-Proto $scheme;
         }
         location /legacy/ {
+            # Unauthenticated ReDoS prevention
+            set $redos_check "";
+            if ($request_uri ~* "(/login)"){
+              set $redos_check U;
+            }
+            if ($request_method = POST){
+              set $redos_check "${redos_check}M";
+            }
+            if ($http_content_type != "application/x-www-form-urlencoded"){
+              set $redos_check "${redos_check}CT";
+            }
+            if ($redos_check = UMCT){
+              return 403;
+            }
             proxy_buffer_size 128k;
             proxy_buffers 4 256k;
             proxy_busy_buffers_size 256k;

data/intelligence_tag_metadata.yaml

@@ -10,21 +10,36 @@
 
 malware:
   weight: 100
-  class: 'danger'
+  type: 'danger'
+
+bad:
+  weight: 90
+  type: 'danger'
 
 suspicious:
   weight: 50
-  class: 'warning'
+  type: 'warning'
+
+good:
+  weight: 10
+  type: 'legit'
 
 legit:
   weight: 10
-  class: 'success'
+  type: 'legit'
 
 default:
   weight: 0
-  class: 'info'
+  type: 'default'
+
+export:
+  weight: 100
+  type: 'info'
 
 regexes:
   '^GROUPNAME':
-    weight: 100
-    class: 'danger'
+      weight: 100
+      type: 'danger'
+  '^inv_':
+      weight: 80
+      type: 'warning'

data/timesketch.conf

@@ -379,16 +379,16 @@ LLM_PROVIDER_CONFIGS = {
             'project_id': '',
         },
     },
-    'llm_summarization': {
+    'llm_summarize': {
         'aistudio': {
             'model': 'gemini-2.0-flash-exp',
             'project_id': '',
         },
     },
     'default': {
-        'aistudio': {
-             'api_key': '',
-             'model': 'gemini-2.0-flash-exp',
+        'ollama': {
+            'server_url': 'http://ollama:11434',
+            'model': 'gemma:7b',
         },
     }
 }

docker/dev/build/Dockerfile

@@ -30,7 +30,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
   && rm -rf /var/lib/apt/lists/*
 
 # Install NodeJS for frontend development
-RUN curl -sL https://deb.nodesource.com/setup_18.x -o nodesource_setup.sh
+RUN curl -sL https://deb.nodesource.com/setup_20.x -o nodesource_setup.sh
 RUN bash nodesource_setup.sh
 RUN apt-get update && apt-get install -y --no-install-recommends \
     nodejs \

docker/release/config.env

@@ -1,7 +1,7 @@
 # Timesketch version to run. Latest is build from the master branch and a release
 # number is build from a release tag. Using latest means that you are running
 # the bleeding edge version and we cannot guarantee that it will not be broken.
-TIMESKETCH_VERSION=20241009
+TIMESKETCH_VERSION=20250112
 
 # Timesketch PATH local etc/timesketch
 TIMESKETCH_CONFIG_PATH=./etc/timesketch

docs/assets/images/enable_ts_llm_features.gif

@@ -508,6 +508,98 @@ Corresponding Timeline id: 3 in Sketch Id: 2
 Corresponding Sketch id: 2 Sketch name: asdasd
 ```
 
+### Timeline status
+
+The `tsctl timeline-status` command allows to get or set a timeline status.
+This can be useful in the following scenarios:
+
+* Monitoring processing In large-scale investigations, timelines can take a considerable amount of time to process.
+This feature allows administrators or automated scripts to monitor the processing status of timelines, ensuring that they are progressing as expected.
+
+* Automated Status updates: Scripts can be used to automatically update the status of timelines based on the results of automated analysis or processing steps. For example, if an automated script detects a critical error during analysis, it can set the timeline status to "fail."
+
+* Toubeshooting and Error handling: 
+** Quickly identifying timelines with a "fail" status allows investigators to troubleshoot issues and re-process data if necessary.
+** By monitoring the status of timelines, administrators can identify potential bottlenecks or errors in the processing pipeline.
+** Set the status to `fail` is a task is stuck.
+
+Usage:
+
+```bash
+tsctl timeline-status [OPTIONS] TIMELINE_ID
+--action [get|set]
+        Specify whether to get or set the timeline status.
+        - "get": Retrieves the current status of the timeline.
+        - "set": Sets the status of the timeline to the value specified by "--status".
+        (Required)
+
+    --status [ready|processing|fail]
+        The desired status to set for the timeline.
+        This option is only valid when "--action" is set to "set".
+        Valid options are:
+        - "ready": Indicates that the timeline is ready for analysis.
+        - "processing": Indicates that the timeline is currently being processed.
+        - "fail": Indicates that the timeline processing failed.
+        (Required when --action is set to set)
+```
+
+Examples:
+```bash
+# Get the status of timeline with ID 123:
+    tsctl timeline-status --action get 123
+
+    # Set the status of timeline with ID 456 to "ready":
+    tsctl timeline-status --action set --status ready 456
+
+    # Set the status of timeline with ID 789 to "fail":
+    tsctl timeline-status --action set --status fail 789
+
+    # Try to set a status without the action set to set.
+    tsctl timeline-status --status fail 789
+    # This will fail and display an error message.
+```
+
+### Searchindex-status
+
+The `tsctl searchindex-status` command allows to get or set a searchindex status.
+
+Usage:
+```
+tsctl searchindex-status --help
+Usage: tsctl searchindex-status [OPTIONS] SEARCHINDEX_ID
+
+  Get or set a searchindex status
+
+  If "action" is "set", the given value of status will be written in the
+  status.
+
+  Args:     action: get or set searchindex status.     status: searchindex
+  status. Only valid choices are ready, processing, fail.
+
+Options:
+  --action [get|set]              get or set timeline status.
+  --status [ready|processing|fail]
+                                  get or set timeline status.
+  --searchindex_id TEXT           Searchindex ID to search for e.g.
+                                  4c5afdf60c6e49499801368b7f238353.
+                                  [required]
+  --help                          Show this message and exit.
+```
+
+
+Examples:
+```bash
+tsctl searchindex-status --action set 1 --status fail
+Searchindex 1 status set to fail
+To verify run: tsctl searchindex-status 1 --action get
+tsctl searchindex-status --action set --status fail 1
+Searchindex 1 status set to fail
+To verify run: tsctl searchindex-status 1 --action get
+tsctl searchindex-status 1 --action get
+searchindex_id index_name                       created_at                 user_id description status
+1              f609b138aa1e4c448ece6c012dcb2bab 2025-03-07 09:23:37.172143 1       #           fail
+```
+
 ### Sigma
 
 #### List Sigma rules

docs/guides/admin/admin-cli.md

@@ -0,0 +1,88 @@
+---
+hide:
+  - footer
+---
+
+# LLM Features Configuration
+
+Timesketch includes experimental features leveraging Large Language Models (LLMs) to enhance analysis capabilities. These features include event summarization and AI-generated queries (NL2Q - Natural Language to Query). This document outlines the steps required to configure these features for Timesketch administrators.
+
+## LLM Provider Configuration
+
+To utilize the LLM features, the Timesketch **administrator** must configure an LLM provider in the `timesketch.conf` file. It's possible to configure a specific LLM provider and model per LLM powered feature, or to use a default provider. For most features we recommend using a fast model (such as `gemini-2.0-flash-001` ) for optimal performance, especially for the event summarization feature.
+
+Edit your `timesketch.conf` file to include the `LLM_PROVIDER_CONFIGS` dictionary.  Below is a sample configuration with explanations for each parameter.
+
+```python
+# LLM provider configs
+LLM_PROVIDER_CONFIGS = {
+    # Configure a LLM provider for a specific LLM enabled feature, or the
+    # default provider will be used.
+    # Supported LLM Providers:
+    # - ollama:  Self-hosted, open-source.
+    #   To use the Ollama provider you need to download and run an Ollama server.
+    #   See instructions at: https://ollama.ai/
+    # - vertexai: Google Cloud Vertex AI. Requires Google Cloud Project.
+    #   To use the Vertex AI provider you need to:
+    #   1. Create and export a Service Account Key from the Google Cloud Console.
+    #   2. Set the GOOGLE_APPLICATION_CREDENTIALS environment variable to the full path
+    #      to your service account private key file by adding it to the docker-compose.yml
+    #      under environment:
+    #      GOOGLE_APPLICATION_CREDENTIALS=/usr/local/src/timesketch/<key_file>.json
+    #   3. Verify your instance has the `google-cloud-aiplatform` lib installed.
+    #     * $ sudo docker exec timesketch-web pip list | grep google-cloud-aiplatform
+    #     * You can install it manually using:
+    #       $ sudo docker exec timesketch-web pip install google-cloud-aiplatform==1.70.0
+    #
+    #   IMPORTANT: Private keys must be kept secret. If you expose your private key it is
+    #   recommended to revoke it immediately from the Google Cloud Console.
+    # - aistudio: Google AI Studio (API key).  Get API key from Google AI Studio website.
+    #   To use Google's AI Studio simply obtain an API key from https://aistudio.google.com/
+    #   Verify your instance runs the required library:
+    #     * $ sudo docker exec timesketch-web pip list | grep google-generativeai
+    #     * You can install it manually using:
+    #       $ sudo docker exec timesketch-web pip install google-generativeai==0.8.4
+    'nl2q': {
+        'vertexai': {
+            'model': 'gemini-2.0-flash-001',
+            'project_id': '', # Required if using vertexai
+        },
+    },
+    'llm_summarization': {
+        'aistudio': {
+            'model': 'gemini-2.0-flash-001', # Recommended model
+            'api_key': '', # Required if using aistudio
+        },
+    },
+    'default': {
+        'ollama': {
+             'server_url': 'http://localhost:11434',
+             'model': 'gemma2-2b-it',
+        },
+    }
+}
+```
+
+**Note:**  While [users can enable/disable these features](../user/llm-features-user.md), the underlying LLM provider and its configuration are managed by the Timesketch administrator. Enabling these features may incur costs depending on the chosen LLM provider. Please review the pricing details of your selected provider before enabling these features.
+
+## Prompt and Data Configuration
+
+Administrators can further customize the behavior of the LLM features by configuring the paths to various prompt and data files within the `timesketch.conf` file.
+
+```python
+# LLM nl2q configuration
+DATA_TYPES_PATH = '/etc/timesketch/nl2q/data_types.csv'
+PROMPT_NL2Q = '/etc/timesketch/nl2q/prompt_nl2q'
+EXAMPLES_NL2Q = '/etc/timesketch/nl2q/examples_nl2q'
+
+# LLM event summarization configuration
+PROMPT_LLM_SUMMARIZATION = '/etc/timesketch/llm_summarize/prompt.txt'
+```
+
+*   `DATA_TYPES_PATH`: Specifies the path to a CSV file defining common Timesketch data types for the NL2Q feature.
+*   `PROMPT_NL2Q`: Specifies the path to the prompt file used by the NL2Q feature to translate a natural language into a Timesketch search query.
+*   `EXAMPLES_NL2Q`: Specifies the path to the examples file used by the NL2Q feature. This file provides the LLM with examples of natural language queries and their corresponding Timesketch search queries, which help improve the accuracy of the NL2Q feature.
+*   `PROMPT_LLM_SUMMARIZATION`: Specifies the path to the prompt file used by the event summarization feature.  Administrators can modify this file to customize the summarization output to their specific needs. This template allows for injecting the event data into the prompt using Python-style string formatting using curly braces `{}`.
+Timesketch provides some default configuration files for both features:
+* [NL2Q default configuration](https://github.com/google/timesketch/tree/master/data/nl2q).
+* [LLM Summarization default configuration](https://github.com/google/timesketch/tree/master/data/llm_summarize).