Releases: google/timesketch

20251114

14 Nov 09:02
fea3eb3

🚀 Timesketch 20251114 Release: Critical Stability Hotfix & The Intelligence
Deploying on November 14, 2025.

If you upgraded to 20251112, please roll out this release as soon as possible: your explore API might not return any results due to a bug that is fixed in this release.

🛡️ Core Stability & Code Hardening
Critical updates to fortify your database and ensure a seamless exploration experience.

Database Fortification: We upgraded SQLAlchemy to 1.4.54. This ensures your core database interactions are stable, secure, and ready for high-volume operations.

Fix: update sqlalchemy to 1.4.54 by @jaegeral in #3592

Targeted Error Handling: Refined the code in explore.py to intelligently handle comments. We now use a more precise try-catch block, preventing unexpected interruptions and guaranteeing a smoother exploration experience.

Fix: only add a try catch block for comments in explore.py by @jaegeral in #3593

🛠️ Timesketch Release 20251114
Release Date: November 14, 2025

This is a focused release addressing core stability, dependency management, and the introduction of a new log analysis agent.

✨ Feature
The introduction of a new agent for log analysis utilizing Sec-Gemini capabilities.

Sec-Gemini Log Analysis Agent: Implements a new agent for processing and analyzing log data using the Sec-Gemini feature set.

feat: Sec-Gemini log analysis agent by @itsmvd in #3591

Full Changelog: 2025111...2025111

20251112

12 Nov 09:09
567b6d7

20251112 Pre-release

🚀 Timesketch Release Notes

🛡️ Security & Dependencies

These changes address critical security vulnerabilities and keep our third-party libraries up-to-date.

  • Critical Security Fix: Upgrade Redis to version 7.2.11 to address critical vulnerability by @jaegeral in (#3551)
  • Dependency Bumps:
    • Bump vite from 5.4.20 to 5.4.21 in /timesketch/frontend-v3 by @dependabot[bot] in (#3558)
    • Bump happy-dom from 15.11.7 to 20.0.0 in /timesketch/frontend-ng by @dependabot[bot] in (#3556)
    • Build (deps): Bump the npm_and_yarn group with 3 updates by @dependabot[bot] in (#3577)
    • Bumping some frontend-ng packages by @jkppr in (#3565)

✨ New Features & LLM Integrations

Introducing new capabilities for analysis, including performance tracking and support for new providers.

  • New Providers:
  • Log Analyzer Improvements:
    • Improve Log Analyzer robustness and update JSON format by @jaegeral in (#3550)
    • Introduce a log_pretext in log_analyzer.py by @jaegeral in (#3552)
  • Performance Monitoring: Add performance monitoring to Timesketch by @jaegeral in (#3568)
  • tsctl Enhancement: Enhance tsctl sketch-info with data source details by @jaegeral in (#3585)

🐞 Bug Fixes & Stability

Important fixes addressing errors, preserving data integrity, and improving the user interface.

  • Time Filter UX:
  • Data Integrity: Fix: Preserve Sub-Second Timestamp Precision in timesketch_importer by @jaegeral in (#3578)
  • API Stability: Fix: AttributeError in Sketch API when user is admin and sketch non-existent by @jaegeral in (#3582)
  • Minor Fixes: Fix: A small typo by @jaegeral in (#3580)

⚙️ Refactoring, Testing, & Platform

Updates to the underlying infrastructure, code quality, and testing environments.

  • Ubuntu 24.04 Migration:
    • Upgrade Docker development environment to Ubuntu 24.04 by @jkppr in (#3567)
    • Update release Dockerfile to use the Ubuntu 24.04 base image by @jkppr in (#3584)
    • Fix unit-tests for Ubuntu 24.04 containers by @jkppr in (#3569)
    • Fix: Start Ubuntu 24.04 e2e tests by @jaegeral in (#3524)
    • Fix: Make staging tests for Plaso 24.04 for now optional by @jaegeral in (#3583)
  • Error Handling & Debugging:
    • Refactor: Enhance JSON decoding error logging in API client by @jaegeral in (#3547)
    • Display contents of actual failed response by @tomchop in (#3559)
    • Feat: Log secGemini response to /tmp/ if timesketch app mode is set to DEBUG by @jaegeral in (#3562)
    • Feat: Enhanced e2e Test Debugging by @jaegeral in (#3549)
  • Test Suite Improvements:
    • Refactor (e2e): Move event-related tests to a dedicated file by @jaegeral in (#3554)
    • Test (e2e): Add sketch export functionality test by @jaegeral in (#3553)

📝 Documentation Updates

Documentation improvements to help users and developers understand new and existing features.

New Contributors

Full Changelog: 2025092...2025111

20250929

29 Sep 20:07
347715a

What's Changed

✨ New Features & Major Enhancements

  • [feat] Keep track of used time filters for searches by @Annoraaq in #3512
  • feat(opensearch): Add support for custom CA certificates by @jkppr in #3528
  • Enhance Scenario and Question API Client Functionality by @jkppr in #3508
  • Support Sec-Gemini log analysis agent: Refactor log_analyzer feature & sec-gemini provider by @itsmvd in #3536
  • Sketch delete by @jaegeral in #3261
  • [tsctl] Archive improvements by @jaegeral in #3431
  • Add support of SQLAlchemy engine options by @jbaptperez in #3481

📈 Improvements & Refinements

🐛 Bug Fixes

  • fix: remove "version" from the toplevel from docker-compose files by @jaegeral in #3510
  • refactor: s/prometheus_multiproc_dir/PROMETHEUS_MULTIPROC_DIR by @jaegeral in #3515
  • [Fix] Empty Sketch List Overview by @jkppr in #3527
  • [Fix] Update Yeti certificate handling by @jkppr in #3529
  • fix: Update importer.py error message for label import by @jaegeral in #3541
  • fix: [import_client] improve error message handling for importing_files by @jaegeral in #3539

⬆️ Dependency Updates

  • [CI] Remove python 3.9 checks by @jkppr in #3502
  • Bump the npm_and_yarn group across 1 directory with 2 updates by @dependabot[bot] in #3520
  • Bump axios from 1.9.0 to 1.12.0 in /timesketch/frontend-v3 in the npm_and_yarn group across 1 directory by @dependabot[bot] in #3530
  • Bump sha.js from 2.4.11 to 2.4.12 in /timesketch/frontend-ng in the npm_and_yarn group by @dependabot[bot] in #3504
  • Bump the npm_and_yarn group across 1 directory with 2 updates by @dependabot[bot] in #3531

Full Changelog: 2025080...2025092

20250807

07 Aug 08:31
443c10f

What's Changed

✨ New Features & Major Enhancements

📈 Improvements & Refinements

  • Feat: Enhance CSV parser for robust timestamp handling by @jaegeral in #3463
  • Refactor: Centralize OpenSearch Datastore Connection Configuration by @jkppr in #3483
  • Update upgrade.md by @matthewthomaskelly in #3464
  • [docs] Timesketch at Blackhat 2025 by @jkppr in #3474
  • Add documentation for Investigation View and AI features by @jkppr in #3485
  • [tsctl] display the latest timesketch commit used on the system in tsctl by @jaegeral in #3473

🐛 Bug Fixes

⬆️ Dependency Updates

  • Bump form-data from 4.0.1 to 4.0.4 in /timesketch/frontend-v3 in the npm_and_yarn group across 1 directory by @dependabot[bot] in #3478

New Contributors

Full Changelog: 2025070...2025080

20250708

08 Jul 11:52
e82a1de

What's Changed

✨ New Features & Major Enhancements

📈 Improvements & Refinements

🐛 Bug Fixes

⬆️ Dependency Updates

  • Bump requests from 2.32.3 to 2.32.4 in the pip group by @dependabot in #3446
  • Bump pbkdf2 from 3.1.2 to 3.1.3 in /timesketch/frontend-ng in the npm_and_yarn group by @dependabot in #3456

Full Changelog: 2025052...2025070

20250521

21 May 08:56
e43a0b2

What's Changed

✨ New Features & Major Enhancements

  • Efficient Bulk Export with Opensearch using PIT and Slicing by @jkppr in #3409
  • tsctl:
  • cli client:

📈 Improvements & Refinements

  • AI/LLM:
    • Avoid needlessly calling the llm_summarize feature by @itsmvd in #3386
    • Initial Gemini Github Code Review bot config / Styleguide by @jaegeral in #3381
  • Testing / Code quality:
    • Add End-to-End Tests for tsctl by @jaegeral in #3383
    • Update E2E / unit Test Matrix (drop Ubuntu20) by @jaegeral in #3384
    • [Workflows] Add 30-minute timeouts to GitHub Actions workflow jobs by @jaegeral in #3396
    • Improve OpenSearch search method docstring and error logging by @jaegeral in #3414
    • Update scenarios.py by @jaegeral in #3420
    • Replacing timeline descriptions or names with IDs in various log by @jaegeral in #3417
    • [Workflows] Run unittests in parallel in github workflow by @jaegeral in #3400
    • Timesketch CLI and E2E Test Enhancements by @jaegeral in #3399
    • [API Client] Robustness and Readability Enhancements by @jaegeral in #3402
  • Others

🐛 Bug Fixes

⬆️ Dependency Updates

  • Update docker release version by @jkppr in #3380
  • Various updates to dependencies / versions by @jaegeral in #3391
  • Bump vite from 5.4.17 to 5.4.19 in /timesketch/frontend-v3 in the npm_and_yarn group across 1 directory by @dependabot in #3392
  • Bump vite from 5.4.17 to 5.4.19 in /timesketch/frontend-ng in the npm_and_yarn group by @dependabot in #3393
  • bump pandas version by @jaegeral in #3418

Full Changelog: 2025040...2025052

20250408

08 Apr 16:35
cdeed0c

What's Changed

✨ New Features & Major Enhancements

  • Core Functionality & API:
    • Add Support for Searching Processing Timelines by @jbaptperez in #3241
    • Add Timeline, SearchIndex and Datasource creation to client api by @Tijnoz in #2919
  • LLM Integration:
    • Add nl2q and llm_summarize as LLM features by @itsmvd in #3311
    • Add LLM features manager and interface by @itsmvd in #3308
    • Introduce LLMResource API method, tests, and add it as a method for the frontend by @itsmvd in #3310
    • Add Ollama provider with response schema support & create LLM provider directory by @itsmvd in #3306
    • Enhance LLM configuration handling and settings UI by @itsmvd in #3366
    • LLM provider fallback to default config by @itsmvd in #3307
  • Vue3 Frontend Migration:
  • tsctl (CLI Tool) Enhancements:

📈 Improvements & Refinements

  • UI/UX:
    • Make suggested queries the active questions tab by @dianakramer in #3313
    • Improve snackbar.js: add support for custom timeouts & small refactor by @itsmvd in #3330
  • Documentation:
    • Add initial admin & user documentation for LLM features by @itsmvd in #3301
    • Add instructions to load DFIQ templates to documentation by @jkppr in #3322
  • Testing:
  • Code Health & Refactoring:
    • Update pylint & astroid by @jkppr in #3329
    • Update api_client code for new pylint version by @jkppr in #3336
    • Update importer client for new pylint config by @jkppr in #3339
    • Update cli client for new pylint config by @jaegeral in #3340
    • Remove sketch.upload() from the api client (deprecated for a long time) by @jaegeral in #3349
    • Update dfiq_analyzer/manager.py logging level by @jkppr in #3309
    • Update nginx.conf by @jkppr in #3318
  • Build, CI & Deployment:

🐛 Bug Fixes

  • Fix: Resolve race condition errors on first timeline upload with SEARCH_PROCESSING_TIMELINES=True by @jkppr in #3363
  • bugfix when llm_summarize tries to summarize no events by @itsmvd in #3378
  • Fix: Removal Logic Bug in Annotation Mixins by @jaegeral in #3323
  • [API] Fix on how timelines are listed Two new test cases around timeline listing. by @jaegeral in #3359
  • fix renaming in sidebar by @Annoraaq in #3326
  • Filtered back-ticks and other trailing characters from the resulting query by @dianakramer in #3304

⬆️ Dependency Updates

  • Bump vitest from 1.0.4 to 1.6.1 in /timesketch/frontend-ng in the npm_and_yarn group by @dependabot in #3280
  • Bump the npm_and_yarn group in /timesketch/frontend-ng with 2 updates by @dependabot in #3338
  • Bump the npm_and_yarn group in /timesketch/frontend-ng with 2 updates by @dependabot in #3361
  • Bump vite from 5.4.14 to 5.4.17 in /timesketch/frontend-ng in the npm_and_yarn group by @dependabot in #3376
  • Bump axios from 1.7.9 to 1.8.2 in /timesketch/frontend-v3 in the npm_and_yarn group across 1 directory by @dependabot in #3335
  • Bump vite from 5.4.14 to 5.4.16 in /timesketch/frontend-v3 in the npm_and_yarn group across 1 directory by @dependabot in #3370
  • Bump vite from 5.4.16 to 5.4.17 in /timesketch/frontend-v3 in the npm_and_yarn group across 1 directory by @dependabot in #3375
  • Bump axios from 0.21.4 to 0.29.0 in /timesketch/frontend by @dependabot in #3337
  • Bump the pip group with 2 updates by @dependabot in #3294
  • Bump gunicorn from 22.0.0 to 23.0.0 in the pip group by @dependabot in #3355

New Contributors

Full Changelog: 2025011...2025040

20250112

12 Feb 13:09
27f9de6

What's Changed

  • Add AIStudio as a supported LLM library by @itsmvd in #3254

  • Add LLM event summarization feature by @itsmvd in #3281

  • add context menu and sketch creation to homepage by @Annoraaq in #3237

  • [CLI] Sketch label management by @jaegeral in #3262

  • Feat(cli): Add field count to Timesketch index information by @jaegeral in #3274

  • Enhance tsctl with User Status and Group Membership Information by @jaegeral in #3264

  • Increase OpenSearch mapping limit dynamically during indexing of csv/jsonl data by @jkppr in #3257

  • Dynamically update Star/Comment label counts in the left panel by @jkppr in #3267

  • LLM interface & vertexai: add response_schema support, add location parameter and fix some bugs by @itsmvd in #3268

  • Add User Settings Menu to Home Page by @jaegeral in #3290

  • Improvements to the threat intel view by @tomchop in #3289

  • Fix: Ensure consistent datetime handling during CSV import by @jkppr in #3244

  • Update SSH regex feature extraction by @jkppr in #3245

  • Remove duplicate import by @Annoraaq in #3247

  • Fix problems with field selection for visualizations by @jkppr in #3249

  • Resolve unsoundness caught by pytype --strict-none-binding. by @hnbdgr379 in #3250

  • Add nl2q config to dev container by @jkppr in #3253

  • Fix pytype error in TS API client by @jkppr in #3255

  • Adding postgres database connection to tsdev.sh by @jkppr in #3256

  • Update frontend dependencies & UI build by @jkppr in #3266

  • Fix: Handle "query_shard_exception" in OpenSearch error handling by @jaegeral in #3272

  • Refactor LLM manager so that users can configure an LLM provider per feature by @itsmvd in #3278

  • Add ability to delete a Story from the UI by @itsmvd in #3284

  • UI frontend-ng build by @jkppr in #3288

  • Upgrade frontend-ng node to v20 by @jkppr in #3292

  • TagList bug fix by @jkppr in #3291

  • Fix tests for intel metadata by @tomchop in #3293

  • Refactor: Move ./test_data/ to dedicated ./tests/test_data/ directory by @jaegeral in #3270

  • Bugfix in llm_summarize and introduce initial tests by @itsmvd in #3296

  • V3 user avatar app bar by @Annoraaq in #3236

  • V3 sketch list by @Annoraaq in #3240

  • V3 sketch page by @Annoraaq in #3242

  • V3 update tsdev by @Annoraaq in #3251

  • V3 event bus by @Annoraaq in #3259

New Contributors

Full Changelog: 2024112...2025011

20241129

29 Nov 12:04
18eac91

What's Changed

  • Add document/page title for sketches by @itsmvd in #3210
  • [Tagger Analyzer] AWS cloudtrail config by @raihalea in #3224
  • Fix: Correctly handle dynamic tags without modifiers by @jkppr in #3211
  • Frontend v3 Scaffold by @berggren in #3188
  • Change icon for opening TI view. by @jkppr in #3213
  • Provide actionable error message for complex search queries by @jkppr in #3233
  • Update location of tsdev.sh in docs by @itsmvd in #3209
  • Update getTimelineFields to return union of Timeline fields by @sydp in #3203
  • Upgrade unfurl and aiplatform dependencies by @jkppr in #3215
  • Fix broken unit test workflows by @jkppr in #3231
  • Bump happy-dom from 12.10.3 to 15.10.1 in /timesketch/frontend-ng in the npm_and_yarn group by @dependabot in #3222
  • Bump cryptography from 43.0.0 to 43.0.1 in the pip group by @dependabot in #3176
  • Fix: Resolve pytype --strict-none-binding issue in the api client by @jkppr in #3214
  • Added Sigma mapping for certificateservicesclient-lifecycle-system by @pyllyukko in #3223
  • Add a warning snackbar by @jkppr in #3234

New Contributors

Full Changelog: 2024100...2024112

20241009

09 Oct 16:17
f451bd5

⚠️ Note ⚠️
Upgrading to this Timesketch version requires a database upgrade!
See https://timesketch.org/guides/admin/upgrade/ for more details.

What's Changed

  • Add query string filtering to Visualizations by @sydp in #3182
  • DFIQ Analyzer Implementation by @jkppr in #3178
  • Add --skip-create-user option to enable non-interactive deployments by @raihalea in #3194
  • Enable passing on auto-run analyzers parameter when using importer library by @YiChiCanCode in #3143
  • Prevent opensearch from aggregating across all indices. by @jkppr in #3192
  • [CLI] export archive and unarchive a sketch by @jaegeral in #3174
  • Adding unittests for several csv import related timestamp / datetime edge cases by @jaegeral in #3177
  • [tests] attempt to add more unit tests and e2e tests for import of vari… by @jaegeral in #3179
  • Smaller refactoring, adding readmes to folders by @jaegeral in #3183
  • move the tests_events folder to tests by @jaegeral in #3185
  • [Tech dept] update contrib readme, update utils readme and move tsdev from contri… by @jaegeral in #3186
  • Remove analyzer_run.py by @jaegeral in #3187
  • 2024 09 spelling by @jaegeral in #3181
  • Update the sigma_events.csv reference by @emmanuel-ferdman in #3196
  • Fix analyzer parsing auth events by @dfjxs in #3190

New Contributors

Full Changelog: 2024082...2024100