Replies: 3 comments
-
For flow, hunt and event artifact notebooks we can embed custom cells in the artifact definition. This is more effective than just copy/pasting notebooks because we can easily share artifacts on the artifact exchange and write a more generic, reusable notebook. You can see an example of a custom notebook in an artifact here (this is actually the test file and includes most of the advanced notebook features like graphs, timelines, etc.): Putting notebooks in artifacts attaches them to the particular thing collected, so if we have a commonly used artifact that requires a particular type of postprocessing we can encode it in the yml file. Perhaps it makes sense to extend this to the general notebooks as well?
-
This is in line with what I was requesting for a "create_notebook" plugin.
-
Check out this commit from @mgreen27 1c71f7f. It is adding some default notebook analysis to a particular artifact that is related to what it is collecting. NOTE: you do not have to actually have any queries in an artifact - you can just collect it for the notebook.
-
Having the ability to clone notebooks would be incredibly useful when working with hosts from multiple sites. My current workflow is a notebook for each location and pulling hunt results run across all sites, which is then refined by the "Fqdn =~" filter.
I'm currently having to re-create the same notebook with 10-15 VQL queries manually, whereas a cloned version would only require the "Fqdn =~" to be changed to the relevant site.
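As an added illustration of the two ideas in this thread (a notebook cell embedded in the artifact definition, and a per-site `Fqdn =~` filter that only needs one value changed), here is a constructed Velociraptor artifact, not code from the thread or the project. The `notebook`/`type`/`template` keys reflect my understanding of the artifact schema, and the cell assumes hunt results expose an `Fqdn` column; both should be checked against the artifact reference for your version.

```yaml
# Constructed example artifact (not from the discussion above).
name: Custom.Windows.Services.SiteSummary
description: |
  Collects installed Windows services and ships a default notebook cell
  that summarises service binaries per host for one site, so the same
  post-processing travels with the artifact instead of being re-typed
  in every hunt notebook.
type: CLIENT
sources:
  - query: |
      SELECT Name, DisplayName, State, PathName
      FROM wmi(query="SELECT * FROM Win32_Service",
               namespace="ROOT/CIMV2")
    # Assumed schema: each source may carry notebook cells that are
    # rendered when a hunt/flow notebook for this artifact is opened.
    notebook:
      - type: markdown
        template: |
          ## Service binaries per site
          Change `SiteRegex` below to the Fqdn pattern of the site you
          are reviewing; everything else stays the same.
      - type: vql
        template: |
          -- Constructed cell: one regex to edit per site, instead of
          -- cloning and hand-editing 10-15 queries per notebook.
          LET SiteRegex = "\\.site-a\\.example\\.internal$"

          -- source() is assumed to return hunt rows with ClientId/Fqdn.
          SELECT PathName,
                 count() AS HostCount,
                 enumerate(items=Fqdn) AS Hosts
          FROM source()
          WHERE Fqdn =~ SiteRegex
          GROUP BY PathName
          ORDER BY HostCount
```

Binaries that appear on only one or two hosts in a site float to the top of the result, which is the kind of triage view this thread wants to keep reusable rather than re-created.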