New LLM feature: Starred events to forensic report (stored as a Story)

data/llm_forensic_report/prompt.txt

@@ -0,0 +1,13 @@
+You are a highly skilled digital forensic analyst. Your task is to analyze a set of security events, which have been identified as potentially significant ("starred events") in a Timesketch investigation.  Based on these events, generate a concise forensic report summary, formatted in Markdown.
+
+Focus on identifying:
+
+* **Incident Overview:**  Provide a brief summary of what appears to have happened based on these events.  What type of incident is suggested (e.g., unauthorized access, malware infection, data breach attempt)?
+* **Key Findings:**  Highlight the most important observations and indicators from the events. Be specific and mention key entities (usernames, IP addresses, file paths, process names) involved.
+* **Timeline of Significant Events (Chronological Order):** Briefly outline the sequence of key actions observed in the starred events.
+* **Potential Impact/Severity:**  Assess the potential impact or severity of the incident based on the available information.
+* **Recommended Next Steps:** Suggest 2-3 concrete next steps for the investigation based on your analysis.
+
+Use bolding (**...**) for key entities and findings.  Format the output as a Markdown document.
+
+Here are the events in JSON format: <events><EVENTS_JSON></events>

data/timesketch.conf

@@ -382,11 +382,17 @@ LLM_PROVIDER_CONFIGS = {
         },
     },
     'llm_summarize': {
-        'aistudio': {
-            'model': 'gemini-2.0-flash-exp',
+        'vertexai': {
+            'model': 'gemini-2.0-flash-001',
             'project_id': '',
         },
     },
+    'llm_forensic_report': {
+        'aistudio': {
+            'model': 'gemini-2.0-flash-001',
+            'api_key': '',
+        },
+    },
     'default': {
         'ollama': {
             'server_url': '',
@@ -404,6 +410,9 @@ EXAMPLES_NL2Q = '/etc/timesketch/nl2q/examples_nl2q'
 # LLM event summarization configuration
 PROMPT_LLM_SUMMARIZATION = '/etc/timesketch/llm_summarize/prompt.txt'
 
+# LLM starred events to forensic report configuration
+PROMPT_LLM_FORENSIC_REPORT = '/etc/timesketch/llm_forensic_report/prompt.txt'
+
 #-------------------------------------------------------------------------------
 # Timesketch UI Option
 

docker/dev/build/docker-entrypoint.sh

@@ -25,6 +25,7 @@ if [ "$1" = 'timesketch' ]; then
   ln -s /usr/local/src/timesketch/data/plaso_formatters.yaml /etc/timesketch/plaso_formatters.yaml
   ln -s /usr/local/src/timesketch/data/nl2q /etc/timesketch/
   ln -s /usr/local/src/timesketch/data/llm_summarize /etc/timesketch/
+  ln -s /usr/local/src/timesketch/data/llm_forensic_report /etc/timesketch/
 
   # Set SECRET_KEY in /etc/timesketch/timesketch.conf if it isn't already set
   if grep -q "SECRET_KEY = '<KEY_GOES_HERE>'" /etc/timesketch/timesketch.conf; then

timesketch/frontend-ng/src/assets/main.scss

@@ -208,3 +208,15 @@ html {
   -o-transition: none !important;
   transition: none !important;
 }
+
+$llm-gradient: linear-gradient(90deg,
+  #8ab4f8 0%,   
+  #81c995 20%, 
+  #f8c665 40%, 
+  #ec7764 60%,  
+  #b39ddb 80%,  
+  #8ab4f8 100%);
+
+:root {
+  --llm-gradient: #{$llm-gradient};
+}

timesketch/frontend-ng/src/components/Explore/EventList.vue

@@ -255,6 +255,17 @@ limitations under the License.
                   <v-icon title="Download current view as CSV">mdi-download</v-icon>
                 </v-btn>
 
+                <v-btn 
+                  icon 
+                  @click="generateForensicReport()" 
+                  class="ml-2" 
+                  :loading="isGeneratingReport"
+                  v-if="isStarredEventsFilterActive">
+                    <div class="ts-llm-icon-wrapper" v-if="!isGeneratingReport">
+                      <v-icon title="Generate forensic report with LLM from starred events">mdi-file-document-check</v-icon>
+                    </div>
+                </v-btn>
+
                 <v-menu v-if="!disableSettings" offset-y :close-on-content-click="false">
                   <template v-slot:activator="{ on, attrs }">
                     <v-btn icon v-bind="attrs" v-on="on">
@@ -592,6 +603,7 @@ export default {
         itemsPerPage: this.itemsPerPage,
       },
       isSummaryLoading: false,
+      isGeneratingReport: false,
       currentItemsPerPage: this.itemsPerPage,
       expandedRows: [],
       selectedFields: [{ field: 'message', type: 'text' }],
@@ -631,6 +643,11 @@ export default {
     }
   },
   computed: {
+    isStarredEventsFilterActive() {
+      return this.filterChips.some(chip => 
+        chip.type === 'label' && chip.value === '__ts_star'
+    )
+    },
     summaryInfoMessage() {
       const totalEvents = this.eventList.meta.summary_event_count
       const uniqueEvents = this.eventList.meta.summary_unique_event_count
@@ -964,7 +981,6 @@ export default {
           } else {
             this.errorSnackBar(msg)
           }
-          console.error('Error message: ' + msg)
           console.error(e)
         })
     },
@@ -986,6 +1002,35 @@ export default {
           this.isSummaryLoading = false
         })
     },
+    generateForensicReport() {
+      if (this.totalHits > 1000) {
+        this.warningSnackBar('This feature is currently limited to a 1000 starred events, try setting a timerange filter. ' +
+        'This limit will be increased soon.', 10000);
+        return;
+      }
+
+      this.isGeneratingReport = true;
+      const requestData = {
+        filter: this.currentQueryFilter
+      };
+
+      ApiClient.llmRequest(this.sketch.id, 'llm_forensic_report', requestData)
+        .then((response) => {
+          this.isGeneratingReport = false;
+          if (response.data && response.data.story_id) {
+            this.$store.dispatch('updateSketch', this.sketch.id);
+            this.successSnackBar('Forensic report generated! You can find it in the "Stories" section.');
+          } else {
+            this.errorSnackBar('Error generating report. No story was created.');
+          }
+        })
+        .catch((error) => {
+          this.isGeneratingReport = false;
+          const errorMessage = (error.response && error.response.data && error.response.data.message) || 'Unknown error occurred';
+          this.errorSnackBar(`Error generating report: ${errorMessage}`);
+          console.error('Error generating starred events report:', error);
+        });
+    },
     exportSearchResult: function () {
       this.exportDialog = true
       const now = new Date()
@@ -1277,20 +1322,19 @@ th:first-child {
   padding: 0 0 0 10px !important;
 }
 
+.ts-event-list-container {
+  display: flex;
+  flex-direction: column;
+  width: 100%; 
+  gap: 20px;  
+}
 .ts-ai-summary-card {
   border: 1px solid transparent !important;
   border-radius: 8px;
   background-color: #fafafa;
   background-image:
-      linear-gradient(white, white),
-      linear-gradient(90deg,
-          #8ab4f8 0%,
-          #81c995 20%,
-          #f8c665 40%,
-          #ec7764 60%,
-          #b39ddb 80%,
-          #8ab4f8 100%
-      );
+      linear-gradient(white, white), 
+      var(--llm-gradient);
   background-origin: border-box;
   background-clip: content-box, border-box;
   background-size: 300% 100%;
@@ -1299,38 +1343,27 @@ th:first-child {
   display: block;
   margin-bottom: 20px;
 }
-
 .v-data-table {
   display: block; /* Ensure block display for data table */
 }
-
-@keyframes borderBeamIridescent-subtle {
+@keyframes borderBeamIridescent-subtle { 
     0% {
         background-position: 0% 50%;
     }
     100% {
         background-position: 100% 50%;
     }
 }
-
 .theme--dark.ts-ai-summary-card {
   background-color: #1e1e1e;
   border-color: hsla(0,0%,100%,.12) !important;
   background-image:
-      linear-gradient(#1e1e1e, #1e1e1e),
-      linear-gradient(90deg,
-          #8ab4f8 0%,
-          #81c995 20%,
-          #f8c665 40%,
-          #ec7764 60%,
-          #b39ddb 80%,
-          #8ab4f8 100%
-      );
-      box-shadow: 0 2px 5px rgba(255, 255, 255, 0.08);
+      linear-gradient(#1e1e1e, #1e1e1e), 
+      var(--llm-gradient);;
+  box-shadow: 0 2px 5px rgba(255, 255, 255, 0.08);
   display: block;
   margin-bottom: 20px;
 }
-
 .ts-ai-summary-text {
   white-space: pre-line;
   word-wrap: break-word;
@@ -1339,37 +1372,30 @@ th:first-child {
   padding-left: 10px;
   padding-right: 10px;
 }
-
 .ts-ai-summary-card .v-btn--icon {
   cursor: pointer;
 }
-
 .ts-ai-summary-card .v-btn--icon:hover {
   opacity: 0.8;
 }
-
 .ts-summary-placeholder-line {
   height: 1em;
   background-color: #e0e0e0;
   margin-bottom: 0.5em;
   border-radius: 4px;
   width: 100%;
 }
-
 .ts-summary-placeholder-line.short {
   width: 60%;
 }
-
 .ts-summary-placeholder-line.long {
   width: 80%;
 }
-
 .shimmer {
   background: linear-gradient(to right, #e0e0e0 8%, #f0f0f0 18%, #e0e0e0 33%);
   background-size: 800px 100%;
   animation: shimmer-animation 1.5s infinite linear forwards;
 }
-
 @keyframes shimmer-animation {
   0% {
     background-position: -468px 0;
@@ -1378,32 +1404,50 @@ th:first-child {
     background-position: 468px 0;
   }
 }
-
 .ts-event-list-container {
   display: flex;
   flex-direction: column;
   width: 100%;
   gap: 20px;
 }
-
 ::v-deep .no-transition {
   transition: none !important;
 }
-
 .ts-ai-summary-card-title {
   display: flex;
   align-items: baseline;
 }
-
 .ts-ai-summary-title {
   margin-right: 8px;
   font-weight: normal;
 }
-
 .ts-ai-summary-subtitle {
   font-size: 0.7em;
   color: grey;
   vertical-align: middle;
   display: inline-block;
 }
+.ts-llm-icon-wrapper {
+  position: relative;
+  display: inline-flex;
+  align-items: center;
+  justify-content: center;
+}
+.ts-llm-icon-wrapper::after {
+  content: "";
+  position: absolute;
+  top: -4px;
+  left: -4px;
+  right: -4px;
+  bottom: -4px;
+  border-radius: 50%;
+  background: var(--llm-gradient);
+  background-size: 300% 100%;
+  opacity: 0.2;
+  animation: borderBeamIridescent-subtle 6s linear infinite;
+  z-index: -1;
+}
+.v-btn:hover .ts-llm-icon-wrapper::after {
+  opacity: 0.4;
+}
 </style>