Add json and tab output to CLI client

google · Jul 6, 2023 · 2961c19 · 2961c19
1 parent 497a94c
commit 2961c19
Show file tree

Hide file tree

Showing 2 changed files with 61 additions and 2 deletions.
diff --git a/cli_client/python/timesketch_cli_client/commands/analyze.py b/cli_client/python/timesketch_cli_client/commands/analyze.py
@@ -85,13 +85,35 @@ def run_analyzer(ctx, analyzer_name, timeline_id):
 
 
 @analysis_group.command("list")
+@click.option(
+    "--output-format",
+    "output",
+    required=False,
+    help="Set output format [json, text] (overrides global setting).",
+)
 @click.pass_context
-def list_analyzers(ctx):
+def list_analyzers(ctx, output):
     """List all available analyzers.
 
     Args:
         ctx: Click CLI context object.
+        output-format: Output format to use. Available values: 'json','text' or 'tabular'
     """
     sketch = ctx.obj.sketch
+    if not output:
+        output = ctx.obj.output_format
+    # Show header row if output is tabular
+    if output == "tabular":
+        click.echo(f"Name\tDisplay Name\tIs Multi")
+
     for analyzer in sketch.list_available_analyzers():
-        click.echo(analyzer.get("name"))
+        if output == "json":
+            click.echo(f"{analyzer}")
+            continue
+        elif output == "tabular":
+            click.echo(
+                f"{analyzer.get('name')}\t{analyzer.get('display_name')}\t{analyzer.get('is_multi')}"
+            )
+            continue
+        else:
+            click.echo(analyzer.get("name"))
diff --git a/docs/guides/user/cli-client.md b/docs/guides/user/cli-client.md
@@ -136,6 +136,43 @@ List all available analyzers:
 timesketch analyze list
 ```
 
+To get information about analyzers available in the Timesketch instance the command `timesketch analyze list` can be used.
+If no sketch is defined in the config yet, it can also be passed as an argument, e.g.:
+
+```bash
+timesketch --sketch 1 analyze list --output-format tabular
+Name	Display Name	Is Multi
+login	Windows logon/logoff events	False
+ntfs_timestomp	NTFS timestomp detection	False
+chain	Chain linked events	False
+tagger	Tagger	True
+ssh_sessionizer	SSH sessions	False
+sigma	Sigma	False
+ssh_bruteforce_sessionizer	SSH bruteforce	False
+evtx_gap	EVTX gap	False
+hashr_lookup	hashR lookup	False
+domain	Domain	False
+web_activity_sessionizer	Web activity sessions	False
+similarity_scorer	Similarity Scorer	False
+sessionizer	Time based sessions	False
+safebrowsing	Google Safe Browsing	False
+gcp_servicekey	Google Compute Engine actions	False
+win_crash	Windows application crashes	False
+browser_timeframe	Browser timeframe	False
+gcp_logging	Google Cloud Logging Analyzer	False
+misp_analyzer	MISP	False
+hashlookup_analyzer	Hashlookup	False
+feature_extraction	Feature extractor	True
+geo_ip_maxmind_db	Geolocate IP addresses (MaxMind Database based)	False
+sshbruteforceanalyzer	SSH Brute Force Analyzer	False
+phishy_domains	Phishy domains	False
+geo_ip_maxmind_web	Geolocate IP addresses (MaxMind Web client based)	False
+yetiindicators	Yeti threat intel indicators	False
+account_finder	Account finder	False
+browser_search	Browser search terms	False
+windowsbruteforceanalyser	Windows Login Brute Force Analyzer	False
+```
+
 Run a specific analyzer. In this example the `domain` analyzer on timeline 1:
 
 ```