
Feature Request

Open HurdDFIR opened this issue 6 months ago • 3 comments

First - great job on this. I really like the tool. After using it, I came up with a couple ideas that might be handy to implement. Unfortunately I don't have the time nor expertise to work on creating a PR for this. The following are things I feel would take this to the next level. They are listed in IMO priority order.

  1. Make the timeline sortable by timestamp (if this is already a feature I failed to find out how)
  2. Add the ability to have response actions captured in the visual timelines. Right now, a MITRE tactic is required for things to show in the timeline
  3. Have a dropdown for Event System and Remote System, referencing the systems in the relevant sheet
  4. Same as above, but users
  5. Add the ability to add plain text or one of the dropdowns (for most dropdown selectable items)
  6. Add ability to duplicate an entry (in any sheet)

I understand the more dropdowns you add, the more formatting the SOD would require. I think these would be valuable features though.

Let me know what you think.

HurdDFIR avatar Jul 11 '25 13:07 HurdDFIR

Thanks so much for taking the time to give feedback — really appreciate it!

Point #1: By default, the timeline is sorted chronologically by date. You can label entries based on the day with one click— for example, Day 1, Day 2, etc.

Point #2: Yes, MITRE is used as a key-value when building the timeline for now. I'm not entirely sure what you meant by "response action" — would love to hear more about your thoughts on that.

Point #3 & #4: I’ll look into how to support a dropdown with the ability to enter custom values directly, without needing an extra input box next to it.

Point #5: Noted!

Point #6: That’s a good one — I’ll explore how to implement it.

arimboor avatar Jul 12 '25 06:07 arimboor

#1 - I mean within the Timeline sheet itself. For example - if I add entries out of order, there is no way to sort them unless I visualize the Timeline. But that will not show items that are not marked to be visualized.

#2 - By response action, I mean something like containing a system, resetting user credentials, or even detecting an intrusion. Often I put these items in the timeline to help track blue team metrics.

Thanks for looking into things!

HurdDFIR avatar Jul 12 '25 14:07 HurdDFIR

Okay,

for the 'response' action, I’ve been testing a few use cases — integration with Entra ID for identity-related response actions & Velociraptor to trigger some jobs. I don’t have a timeline yet for adding these features, but that’s something I will be interested in too — or someone from the community may also contribute.

arimboor avatar Jul 12 '25 16:07 arimboor