What is Timeline?

The Timeline utility is part of our open source Response Utils collection. As the name suggests, it can be used to generate a complete timeline of activity given a set of selectors. This is invaluable when conducting an investigation, particularly when the complete scope of an issue has not yet been determined.  

Quick start

Prerequisites

  1. Python 2.6+ or 3.4+
  2. cbapi-python

Installation

No installation is required to use Response Utils. Simply clone the repository from GitHub:

git clone https://github.com/redcanaryco/redcanary-response-utils.git

Or download the latest version here.

Authentication

If you haven't already done so, create a cbapi credential file so the Python API client can authenticate to the Cb Response server. cbapi-python reads it from ~/.carbonblack/credentials.response, an INI-style file whose [default] profile holds the server url, your API token and the ssl_verify setting. The token grants the same access as your Cb Response user, so keep the file readable only by you (for example, chmod 600) and never commit it alongside the scripts.

Generate your first timeline

First, identify the type of activity that you'd like to extract from Cb Response. As an example, we're going to focus on anything that has happened on endpoint win7pro64 within the past 24 hours:

python timeline.py --query 'hostname:win7pro64' --days 1

Upon execution, the utility will tell us how many total results (processes) were returned, and will then begin to extract events from each process. 

NOTE: Each process may have dozens, hundreds, or thousands of events. Scope your query to return as narrow a process set as you are able, without excluding events of interest. 

Once the script completes, open timeline.csv to view results. The output file is structured such that each unique process-level event is in its own row, with the event's attributes spread across columns. Each file modification event, for instance, will have one or more of the following fields set:

  • filemod_path
  • filemod_type
  • filemod_md5  

This allows the operator to use command line tools, filtering, or pivot tables to quickly isolate a unique set of events. For example, to identify all files written to the user's Dropbox folder, filter for FirstWrote events where the filemod_path value includes "rcadmin\dropbox\". This same logic can be applied to isolate and time-order any combination of events.
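The Dropbox pivot described above, carried out in code rather than in a spreadsheet. This is an added example and not part of Response Utils: only the filemod_path, filemod_type and filemod_md5 columns come from the page; the timestamp, hostname, process_path and event_type column names, the sample rows, and the assumption that timestamps sort correctly as ISO-8601 strings are all assumptions made for this example and may differ from what timeline.py actually emits. The filter is case-insensitive on purpose, because Windows paths are.

```python
"""Post-process a Timeline CSV: isolate FirstWrote events under a folder
of interest and put them in time order.

Added example, not part of Response Utils. Only filemod_path, filemod_type
and filemod_md5 are column names the page documents; 'timestamp',
'hostname', 'process_path' and 'event_type' are assumed names for this
example and may differ from what timeline.py actually emits.
"""
import csv
import io
import sys
from typing import Dict, List, Optional

Row = Dict[str, str]

# Constructed sample of timeline.csv (hosts, paths, hashes, times and the
# LastWrote/regmod rows are made up). Mixed-case paths are included on
# purpose: Windows paths are case-insensitive, so the filter must be too.
SAMPLE_TIMELINE_CSV = r"""timestamp,hostname,process_path,event_type,filemod_path,filemod_type,filemod_md5
2017-06-01T13:02:11Z,win7pro64,c:\windows\explorer.exe,filemod,c:\users\rcadmin\dropbox\invoice.docx,FirstWrote,d41d8cd98f00b204e9800998ecf8427e
2017-06-01T13:00:05Z,win7pro64,c:\program files (x86)\dropbox\client\dropbox.exe,filemod,C:\Users\rcadmin\Dropbox\payload.exe,FirstWrote,9e107d9d372bb6826bd81d3542a419d6
2017-06-01T13:00:06Z,win7pro64,c:\program files (x86)\dropbox\client\dropbox.exe,filemod,C:\Users\rcadmin\Dropbox\payload.exe,LastWrote,9e107d9d372bb6826bd81d3542a419d6
2017-06-01T13:01:00Z,win7pro64,c:\windows\system32\cmd.exe,filemod,c:\users\rcadmin\appdata\local\temp\x.tmp,FirstWrote,
2017-06-01T13:05:00Z,win7pro64,c:\windows\system32\cmd.exe,regmod,,,
"""


def load_timeline(text: str) -> List[Row]:
    """Parse CSV text into one dict per event row."""
    return list(csv.DictReader(io.StringIO(text)))


def select(rows: List[Row],
           equals: Optional[Dict[str, str]] = None,
           contains: Optional[Dict[str, str]] = None) -> List[Row]:
    """Keep rows where every `equals` column matches exactly and every
    `contains` column contains the given fragment (case-insensitive).
    Empty cells never satisfy a `contains` filter."""
    equals = equals or {}
    contains = {k: v.lower() for k, v in (contains or {}).items()}

    def keep(row: Row) -> bool:
        for col, want in equals.items():
            if row.get(col, "") != want:
                return False
        for col, frag in contains.items():
            if frag not in (row.get(col) or "").lower():
                return False
        return True

    return [r for r in rows if keep(r)]


def files_written_under(rows: List[Row], folder_fragment: str) -> List[Row]:
    """The page's Dropbox pivot, generalised to any folder fragment:
    FirstWrote events whose filemod_path contains it, in time order.
    Assumes the (assumed) timestamp column sorts correctly as a string."""
    hits = select(rows,
                  equals={"filemod_type": "FirstWrote"},
                  contains={"filemod_path": folder_fragment})
    return sorted(hits, key=lambda r: r["timestamp"])


def written_hashes(rows: List[Row]) -> Dict[str, str]:
    """Map each written path to its filemod_md5 (empty when the sensor did
    not record one), handy for pivoting to other hosts or threat intel."""
    return {r["filemod_path"]: r.get("filemod_md5") or "" for r in rows}


if __name__ == "__main__":
    # Use a real timeline.csv if one is given on the command line,
    # otherwise fall back to the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TIMELINE_CSV
    for row in files_written_under(load_timeline(text), "rcadmin\\dropbox\\"):
        print(row["timestamp"], row["process_path"], "->",
              row["filemod_path"], row["filemod_md5"] or "(no md5)")
```

Run it as `python timeline_filter.py timeline.csv` to apply the Dropbox filter to a real export, or with no argument to see it work on the embedded sample. Note that the LastWrote row for payload.exe is dropped by the FirstWrote filter and the write to the temp folder is dropped by the path filter, which is exactly the narrowing the text describes; swap the `equals`/`contains` dictionaries to isolate any other combination of events.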
