Interacting with the Operation Log Table
Using the live activity log
Once you are on the log entries page, you will be presented with an empty table. The following sections outline how to interact with the table and log entries.
There will be times when you will need the log's unique ID. The ID number is always displayed at the top of the page, below the log's name.
To manually create an entry, click on the "Create a new entry" button in the top right corner:
You will notice a new row is populated with the current UTC timestamps and your username in the Operator field.
You can modify fields by double-clicking the table row you want to edit. A modal form will open:
Once you submit a change, the edits will sync via WebSockets and be visible to anyone with the log open.
The Options column is home to two buttons: copy and delete. The copy button will create a clone of the selected entry. The delete button will remove the log entry.
Log entries contain fields useful for tracking but can be too much for a table view, especially if you're viewing the log in a smaller browser window or a VM. You can customize the columns displayed by clicking the Show/Hide Columns button and toggling columns on and off.
The log table provides a search bar that filters the table down to entries containing the provided text. This filter helps you view log entries related to a specific user, host, or command. To use the filter bar, type in the keyword. The filter is applied as you type, so you can keep typing to narrow down the results further.
Note that text search will include columns you may have hidden. The filter is also limited to the currently loaded log entries. If you don't find what you want, scroll down to load additional entries and try filtering again.
In the top right corner, there is a connection status indicator:
Since all entries are created, modified, and deleted using WebSockets, a persistent connection is maintained. If the connection is ever lost, the connection status will turn red and indicate that the WebSocket connection is disconnected. When disconnected, you will not be able to create, modify, or delete any rows.
Like many objects in Ghostwriter, you can add tags to a log entry to help with filtering and tracking. The log table will change how certain tags appear in the table:
- Tags that include att&ck, attack, mitre, or ttp will appear as red tags (e.g., ttp:t1549)
- Tags that include creds or credentials will appear as yellow tags
- Tags that include vuln will appear as green tags (e.g., vulnerable:DotNetPE)
- Tags that include detect will appear as blue tags (e.g., detected)
- Tags that include objective will appear as purple tags (e.g., objective:1)
Additional styles may be added in the future for different tags. The development is open to suggestions.
By default, all new operation logs have notifications enabled. The optional Operation Log Monitor task handles notifications. If desired, a user with the admin or manager role can mute notifications from the hamburger menu in the upper-right corner of the logging page.
Notification status is also displayed in the operation logs table: