Create initial notebook based on the current view timeline viewport

gui/velociraptor/src/components/events/event-notebook.jsx

@@ -4,6 +4,8 @@ import {CancelToken} from 'axios';
 import api from '../core/api-service.jsx';
 import NotebookRenderer from '../notebooks/notebook-renderer.jsx';
 import _ from 'lodash';
+import UserConfig from '../core/user.jsx';
+import moment from 'moment';
 
 const POLL_TIME = 5000;
 
@@ -13,10 +15,13 @@ export const get_notebook_id = (artifact, client_id)=>{
 
 
 export default class EventNotebook extends React.Component {
+    static contextType = UserConfig;
+
     static propTypes = {
         artifact: PropTypes.string,
         client_id: PropTypes.string,
         start_time: PropTypes.number,
+        end_time: PropTypes.number,
     };
 
     state = {
@@ -48,6 +53,12 @@ export default class EventNotebook extends React.Component {
         clearInterval(this.interval);
     }
 
+
+    formatTime = ts=>{
+        let timezone = this.context.traits.timezone || "UTC";
+        return moment.tz(ts, timezone).format();
+    }
+
     fetchNotebooks = () => {
         if (!this.props.artifact || !this.props.client_id) {
             return;
@@ -81,7 +92,10 @@ export default class EventNotebook extends React.Component {
                 env: [
                     {key: "ArtifactName", value: this.props.artifact},
                     {key: "ClientId", value: this.props.client_id},
-                    {key: "StartTime", value: JSON.stringify(this.props.start_time)},
+                    {key: "StartTime",
+                     value: this.formatTime(this.props.start_time)},
+                    {key: "EndTime",
+                     value: this.formatTime(this.props.end_time)},
                     {key: "NotebookId", value: notebook_id},
                 ],
             };

gui/velociraptor/src/components/events/events.jsx

@@ -432,6 +432,7 @@ class EventMonitoring extends React.Component {
                     artifact={this.state.artifact.artifact}
                     client_id={client_id}
                     start_time={this.state.start_time}
+                    end_time={this.state.end_time}
                   /> :
                   <div className="no-content">
                     {T("Please select an artifact to view above.")}

gui/velociraptor/src/components/events/timeline-viewer.jsx

@@ -542,7 +542,11 @@ export default class EventTimelineViewer extends React.Component {
             visibleTimeStart: visibleTimeStart,
             visibleTimeEnd: visibleTimeEnd,
         });
-        this.props.time_range_setter(visibleTimeStart, visibleTimeEnd);
+
+        // Set the time ranges in real UTC times
+        this.props.time_range_setter(
+            moment(visibleTimeStart).valueOf(),
+            moment(visibleTimeEnd).valueOf());
     }
 
     // Jump to the previous page.
@@ -568,7 +572,9 @@ export default class EventTimelineViewer extends React.Component {
                     visibleTimeStart: visibleTimeStart,
                     visibleTimeEnd: visibleTimeEnd,
                 });
-                this.props.time_range_setter(visibleTimeStart, visibleTimeEnd);
+                this.props.time_range_setter(
+                    moment(visibleTimeStart).valueOf(),
+                    moment(visibleTimeEnd).valueOf());
             }
 
             this.fetchRows();

gui/velociraptor/src/components/timeline/timeline.jsx

@@ -291,18 +291,13 @@ class TimelineTableRow extends Component {
     };
 
     render() {
-        let data = this.props.row || {};
+        let event = this.props.row || {};
         let row_class = "timeline-data ";
         if(!this.state.expanded) {
             row_class += "hidden";
         }
 
-        let timestamp = ToStandardTime(data.Timestamp).getTime() * 1000000;
-
-        // For normal rows we show the raw data.
-        let message = data.Message;
-        let event = data;
-        let notes = data.Notes || "";
+        let timestamp = ToStandardTime(event.Timestamp).getTime() * 1000000;
 
         return (
             <React.Fragment >
@@ -333,7 +328,7 @@ class TimelineTableRow extends Component {
                       </Button>
                     </ToolTip>
 
-                    { data._Source !== "Annotation" ?
+                    { event._Source !== "Annotation" ?
                       <ToolTip tooltip={T("Annotate event")}>
                         <Button variant="default"
                                 onClick={()=>this.setState(
@@ -369,7 +364,7 @@ class TimelineTableRow extends Component {
                   timestamp={timestamp}
                   notebook_id={this.props.notebook_id}
                   super_timeline={this.props.super_timeline}
-                  event={data}
+                  event={event}
                   onClose={() => {
                       this.setState({showAnnotateDialog: false});
                       if(this.props.onUpdate) {

services/notebook/initial.go

@@ -336,17 +336,18 @@ func getCellsForEvents(ctx context.Context,
 
 	// If there are no custom cells, add the default cell.
 	if len(result) == 0 {
-		// Start the event display 1 day ago.
-		start_time := utils.GetTime().Now().AddDate(0, 0, -1).UTC().Format(time.RFC3339)
-		if notebook_metadata.Context.StartTime > 0 {
-			start_time = utils.ParseTimeFromInt64(
-				notebook_metadata.Context.StartTime).UTC().Format(time.RFC3339)
+		// Get the start and end times of the timeline displayed in
+		// the GUI as a string so we can preserve the GUI timezone.
+		start_time, pres := getKeyFromEnv(notebook_metadata.Env, "StartTime")
+		if !pres {
+			// Start the event display 1 day ago.
+			start_time = utils.GetTime().Now().
+				AddDate(0, 0, -1).UTC().Format(time.RFC3339)
 		}
 
-		end_time := utils.GetTime().Now().UTC().Format(time.RFC3339)
-		if notebook_metadata.Context.EndTime > 0 {
-			end_time = utils.ParseTimeFromInt64(
-				notebook_metadata.Context.EndTime).UTC().Format(time.RFC3339)
+		end_time, pres := getKeyFromEnv(notebook_metadata.Env, "EndTime")
+		if !pres {
+			end_time = utils.GetTime().Now().UTC().Format(time.RFC3339)
 		}
 
 		result = append(result, &api_proto.NotebookCellRequest{