where has the DFIQ questions gone?

[hasamba]

i enabled DFIQ in the settings,
i cloned the DFIQ repo to /etc/timesketch/dfiq/
but still cannot see any questions...i used to in earlier versions
what am i missing?

[jkppr]

The whole DFIQ feature is still experimental in Timesketch, sorry.

We moved to DFIQ 1.1 in #3163 to keep support with the Yeti project. But looks like the DFIQ project was not updated yet... I have opened google/dfiq#28 to get this sorted.

For a short term solution you have two options:

• Create your questions using the Yeti project and export them into Timesketch
• Or you can adjust the questions you need from the DFIQ v1.0 version to match the format e.g. in this test file: https://github.com/google/timesketch/blob/master/test_data/dfiq/questions/Q1001.yaml

[hasamba]

So from now on i will have to use Yeti server in order to use or export DFIQ?

[tomchop]

@hasamba no, you can still use DFIQ in Timesketch without having to setup a Yeti server. We have google/dfiq#26 which we'll merge ASAP.

[tomchop]

It's been merged! @jkppr I don't know what's left to enable this on the TS side.

[jkppr]

There should be no additional steps for Timesketch. Just move the v1.1 DFIQ content into the data/dfiq/ folder and ensure the feature is enabled in the timesketch.conf.

@hasamba let us know if it works with the updated version.

[hasamba]

i upgraded the db & timesketch docker,
cloned dfiq v1.0.1 (tried also with 1.0.0),
copied data/* timesketch/etc/timesketch/dfiq/
tried also data/* timesketch/etc/timesketch/dfiq/data

all options did not work...

[jkppr]

Are you running a dev container or the latest release?