New LLM feature: Starred events to forensic report (stored as a Story) #3332

itsmvd · 2025-03-11T14:47:30Z

This PR adds a new LLM-powered feature to automatically generate forensic reports (stored as a Story) from starred events.

Adds a "Generate forensic report" button that appears when starred events filter is active
Processes starred events through an LLM provider to create a forensic analysis report
Stores the generated report as a Story
Implements metrics for tracking events processed and stories created
Limits initial implementation to 1000 starred events per report (will be expanded once we add max_token_count tracking for LLM providers)

New button in EventList.vue (only visible when viewing starred events)

Example LLM generated report from starred events

… provider

…he frontend

…hizzle

itsmvd · 2025-03-11T16:47:34Z

Two notes:

Will add tests after first review is done
_run_timesketch_query will be abstracted to a helper function in a next PR, as we refactor it to use streaming instead
This first version does not yet take tags and comments of events into account, will add that in a next PR (Include "tags" and "comments" to the llm_forensic_report feature #3333)

jaegeral · 2025-03-11T16:50:18Z

comment from the sideline, I believe keeping the limit to 1000 events is plenty, even if we increase the possible number to use for llm in general, having somewhat of a limit here could be just fine.

data/timesketch.conf

docker/dev/build/docker-entrypoint.sh

jkppr · 2025-03-29T09:51:35Z

timesketch/frontend-ng/src/components/Explore/EventList.vue

          this.isSummaryLoading = false
        })
    },
+    generateForensicReport() {


Do you really want to call it a Forensic Report? The term could be misunderstood, so maybe something more specific to what this function is doing: keyEventReport?

Fair point, in that case I opt we go for generateStarredEventsReport, and to call the feature llm_starred_events_report etc. Agreed?

timesketch/frontend-ng/src/mixins/snackBar.js

timesketch/lib/llms/actions.py

…hizzle

jkppr

round 2

jkppr · 2025-04-07T12:12:14Z

timesketch/lib/stories/utils.py

The new placement makes sense to me. However, please remove all mentions of any AI/LLM context, since this utils should be used independently. (e.g. the default title)

jkppr · 2025-04-07T12:14:21Z

data/timesketch.conf

Please rename variables as discussed. llm_starred_events_report etc

jkppr · 2025-04-07T12:16:23Z

docker/dev/build/docker-entrypoint.sh

I think for the prod deployment we also need add the prompt file to the # Fetch default Timesketch config files step in the contrib/deploy_timesketch.sh and ps1 files.

timesketch/frontend-ng/src/components/Explore/EventList.vue

jkppr · 2025-04-07T12:24:19Z

timesketch/frontend-ng/src/components/Explore/EventList.vue

+        this.warningSnackBar('This feature is currently limited to a 1000 starred events, try setting a timerange filter. ' +
+        'This limit will be increased soon.', 10000);


What about making this limit configurable in the timesketch.conf? This would allow admins to increase it themself if the like to any time.

In general: Lets remove the "This limit will be increased soon." part from the message. It is out of the control of the TS operator or user and we don't have a timeline for when we can increase it. So not having this, is long-term more reliable than having this and never increase the limit.

Will remove this last part of the message. Making it configurable for an admin I'm not a fan of at the moment, because if they increase the limit to a size that won't fit inside the chosen LLM provider's context window, the feature will break. So better if we can control this setting for now until we can include such granular settings.