Build collaborative forensic incident timelines using Timesketch to ingest, normalize, and analyze multi-source event data for attack chain reconstruction and investigation documentation.
Works with
AI-first code editor with Composer
Before installing skills in Cursor, ensure your development environment meets these requirements:
node --versionbuilding-incident-timeline-with-timesketchExecute the skills CLI command in your project's root directory to begin installation:
Fetches building-incident-timeline-with-timesketch from mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.
The CLI shows a list of agents. Use arrow keys and space to select Cursor:
Confirm successful installation by checking the skill directory location:
Restart Cursor to activate building-incident-timeline-with-timesketch. Access via /building-incident-timeline-with-timesketch in your agent's command palette.
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
Submit your Claude Code skill and start earning
Automate repetitive workflows and reduce manual effort
Example
Generate reports, summarize documents, draft communications
Save 3-5 hours per week on routine tasks
Learn new skills, understand complex topics, get expert guidance
Example
Explain concepts, provide examples, suggest learning resources
Accelerate learning and skill development by 2x
Enhance output quality through reviews, suggestions, and refinements
Example
Review drafts, suggest improvements, catch errors
Improve work quality by 30-40% with less effort
0
total installs
0
this week
8.6K
GitHub stars
0
upvotes
Run in your terminal
0
installs
0
this week
8.6K
stars
| name | building-incident-timeline-with-timesketch |
| description | Build collaborative forensic incident timelines using Timesketch to ingest, normalize, and analyze multi-source event data for attack chain reconstruction and investigation documentation. |
| domain | cybersecurity |
| subdomain | incident-response |
| tags | - timesketch - timeline-analysis - forensic-timeline - plaso - dfir - incident-investigation - collaborative-forensics |
| mitre_attack | - T1070 - T1059 - T1053 |
| version | '1.0' |
| author | mahipal |
| license | Apache-2.0 |
| d3fend_techniques | - Executable Denylisting - Execution Isolation - File Metadata Consistency Validation - Content Format Conversion - File Content Analysis |
| nist_csf | - RS.MA-01 - RS.MA-02 - RS.AN-03 - RC.RP-01 |
Timesketch is an open-source collaborative forensic timeline analysis tool developed by Google that enables security teams to visualize and analyze chronological data from multiple sources during incident investigations. It ingests logs and artifacts from endpoints, servers, and cloud services, normalizes them into a unified searchable timeline, and provides powerful analysis capabilities including built-in analyzers, tagging, sketch annotations, and story building. Timesketch integrates with Plaso (log2timeline) for artifact parsing and supports direct CSV/JSONL ingestion for rapid timeline construction during active incidents.
Evidence Sources --> Plaso/log2timeline --> Plaso storage file (.plaso)
| |
v v
CSV/JSONL --> Timesketch Importer --> OpenSearch Index
|
v
Timesketch Web UI
(Search, Analyze, Story)
# Clone Timesketch repository
git clone https://github.com/google/timesketch.git
cd timesketch
# Run deployment helper script
cd docker
sudo docker compose up -d
# Default access: https://localhost:443
# Admin credentials generated during first run
# Process disk image with log2timeline
log2timeline.py --storage-file evidence.plaso /path/to/disk/image
# Process Windows event logs
log2timeline.py --parsers winevtx --storage-file windows_events.plaso /path/to/evtx/
# Process multiple evidence sources
log2timeline.py --parsers "winevtx,prefetch,amcache,shimcache,userassist" \
--storage-file full_analysis.plaso /path/to/mounted/image/
# Import Plaso file into Timesketch
timesketch_importer -s "Case-2025-001" -t "Endpoint-WKS01" evidence.plaso
message,datetime,timestamp_desc,source,hostname
"User login detected","2025-01-15T08:30:00Z","Event Recorded","Security Log","DC01"
"PowerShell execution","2025-01-15T08:31:15Z","Event Recorded","PowerShell","WKS042"
# Import CSV directly
timesketch_importer -s "Case-2025-001" -t "Quick-Triage" events.csv
{"message": "Suspicious logon from 10.1.2.3", "datetime": "2025-01-15T08:30:00Z", "timestamp_desc": "Event Recorded", "source_short": "Security", "hostname": "DC01"}
# Upload Sigma rules for automated detection
timesketch_importer --sigma-rules /path/to/sigma/rules/
1. Log into Timesketch web interface
2. Create new sketch (investigation case)
3. Add relevant timelines to the sketch
4. Set sketch description and tags
Timesketch includes analyzers that automatically identify:
# Search examples in Timesketch query language
# Find all events related to specific user
source_short:Security AND message:"john.admin"
# Find PowerShell execution events
data_type:"windows:evtx:record" AND event_identifier:4104
# Find lateral movement indicators
source_short:Security AND event_identifier:4624 AND xml_string:"LogonType\">3"
# Find events within specific time range
datetime:[2025-01-15T00:00:00 TO 2025-01-15T23:59:59]
# Find file creation events
data_type:"fs:stat" AND timestamp_desc:"Creation Time"
# Search with tags
tag:"suspicious" OR tag:"lateral_movement"
1. Create new story within the sketch
2. Add search views that support each finding
3. Annotate key events with investigator notes
4. Link events to MITRE ATT&CK techniques
5. Document the attack narrative chronologically
6. Export story for inclusion in incident report
from timesketch_api_client import config
from timesketch_api_client import client as ts_client
# Connect to Timesketch
ts = ts_client.TimesketchApi(
host_uri="https://timesketch.local",
username="analyst",
password="password"
)
# Get sketch
sketch = ts.get_sketch(1)
# Search events
search = sketch.explore(
query_string='event_identifier:4624 AND LogonType:3',
return_fields='datetime,message,hostname,source_short'
)
# Add tags to events
for event in search.get('objects', []):
sketch.tag_event(event['_id'], ['lateral_movement'])
# Use Dissect for faster artifact parsing (alternative to Plaso)
target-query -f timesketch://timesketch.local/case-001 \
targets/hostname/ -q "windows.evtx" --limit 0
| Source | Parser | Evidence Value |
|---|---|---|
| Windows Event Logs (.evtx) | winevtx | Authentication, process execution, services |
| Prefetch Files | prefetch | Program execution history |
| MFT ($MFT) | mft | File system activity |
| Registry Hives | winreg | System configuration, persistence |
| Browser History | chrome/firefox | Web activity, downloads |
| Syslog | syslog | Linux/network device events |
| CloudTrail Logs | jsonl | AWS API activity |
| Azure Activity Logs | jsonl | Azure resource operations |
| Firewall Logs | csv/jsonl | Network connections |
| Proxy Logs | csv/jsonl | HTTP/HTTPS traffic |
| Technique | Timeline Indicators |
|---|---|
| Initial Access (TA0001) | First malicious event, phishing email receipt |
| Execution (T1059) | PowerShell/CMD events, process creation |
| Persistence (TA0003) | Registry modifications, scheduled tasks, services |
| Lateral Movement (TA0008) | Remote logons, SMB connections, RDP sessions |
| Exfiltration (TA0010) | Large data transfers, cloud storage uploads |
Prerequisites
Time Estimate
15-45 minutes depending on use case complexity
Steps
Common Pitfalls
✓ Do
✗ Don't
💡 Pro Tips
✓ Use when
Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.
✗ Avoid when
Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
building-incident-timeline-with-timesketch is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
building-incident-timeline-with-timesketch fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
Keeps context tight: building-incident-timeline-with-timesketch is the kind of skill you can hand to a new teammate without a long onboarding doc.
We added building-incident-timeline-with-timesketch from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
building-incident-timeline-with-timesketch has been reliable in day-to-day use. Documentation quality is above average for community skills.
Solid pick for teams standardizing on skills: building-incident-timeline-with-timesketch is focused, and the summary matches what you get after install.
Keeps context tight: building-incident-timeline-with-timesketch is the kind of skill you can hand to a new teammate without a long onboarding doc.
building-incident-timeline-with-timesketch has been reliable in day-to-day use. Documentation quality is above average for community skills.
building-incident-timeline-with-timesketch has been reliable in day-to-day use. Documentation quality is above average for community skills.
Keeps context tight: building-incident-timeline-with-timesketch is the kind of skill you can hand to a new teammate without a long onboarding doc.
showing 1-10 of 28