当前位置: 首页>>代码示例>>Python>>正文


Python SearchQuery.add_must方法代码示例

本文整理汇总了Python中mozdef_util.query_models.SearchQuery.add_must方法的典型用法代码示例。如果您正苦于以下问题:Python SearchQuery.add_must方法的具体用法?Python SearchQuery.add_must怎么用?Python SearchQuery.add_must使用的例子?那么恭喜您, 这里精选的方法代码示例或许可以为您提供帮助。您也可以进一步了解该方法所在mozdef_util.query_models.SearchQuery的用法示例。


在下文中一共展示了SearchQuery.add_must方法的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。

示例1: test_writing_event_defaults

# 需要导入模块: from mozdef_util.query_models import SearchQuery [as 别名]
# 或者: from mozdef_util.query_models.SearchQuery import add_must [as 别名]
    def test_writing_event_defaults(self):
        query = SearchQuery()
        default_event = {}
        self.populate_test_event(default_event)
        self.refresh(self.event_index_name)

        query.add_must(ExistsMatch('summary'))
        results = query.execute(self.es_client)
        assert len(results['hits']) == 1
        assert sorted(results['hits'][0].keys()) == ['_id', '_index', '_score', '_source', '_type']
        saved_event = results['hits'][0]['_source']
        assert 'category' in saved_event
        assert 'details' in saved_event
        assert 'hostname' in saved_event
        assert 'mozdefhostname' in saved_event
        assert 'processid' in saved_event
        assert 'processname' in saved_event
        assert 'receivedtimestamp' in saved_event
        assert 'severity' in saved_event
        assert 'source' in saved_event
        assert 'summary' in saved_event
        assert 'tags' in saved_event
        assert 'timestamp' in saved_event
        assert 'utctimestamp' in saved_event
        assert 'category' in saved_event
开发者ID:gdestuynder,项目名称:MozDef,代码行数:27,代码来源:test_elasticsearch_client.py

示例2: main

# 需要导入模块: from mozdef_util.query_models import SearchQuery [as 别名]
# 或者: from mozdef_util.query_models.SearchQuery import add_must [as 别名]
    def main(self):

        superquery = None
        run = 0

        for user in self._config['users'].values():
            if run == 0:
                superquery = PhraseMatch('summary', user)
            else:
                superquery |= PhraseMatch('summary', user)
            run += 1

        search_query = SearchQuery(minutes=10)

        search_query.add_must([
            TermMatch('category', 'syslog'),
            TermMatch('details.program', 'sshd'),
            QueryStringMatch('summary:"session opened"')
        ])

        for expectedtime in self._config['scan_expected'].values():
            r1 = datetime.datetime.now().replace(hour=int(expectedtime['start_hour']), minute=int(expectedtime['start_minute']), second=int(expectedtime['start_second'])).isoformat()
            r2 = datetime.datetime.now().replace(hour=int(expectedtime['end_hour']), minute=int(expectedtime['end_minute']), second=int(expectedtime['end_second'])).isoformat()
            search_query.add_must_not([
                RangeMatch('utctimestamp', r1, r2)
            ])

        search_query.add_must(superquery)

        self.filtersManual(search_query)
        self.searchEventsAggregated('details.program', samplesLimit=10)
        self.walkAggregations(threshold=1)
开发者ID:IFGHou,项目名称:MozDef,代码行数:34,代码来源:session_opened_sensitive_user.py

示例3: test_simple_aggregation_note_field

# 需要导入模块: from mozdef_util.query_models import SearchQuery [as 别名]
# 或者: from mozdef_util.query_models.SearchQuery import add_must [as 别名]
    def test_simple_aggregation_note_field(self):
        events = [
            {"test": "value", "note": "abvc"},
            {"test": "value", "note": "abvc"},
            {"test": "value", "note": "think"},
            {"test": "value", "summary": "think"},
            {"test": "value", "note": "abvc space line"},
        ]
        for event in events:
            self.populate_test_object(event)
        self.refresh(self.event_index_name)

        search_query = SearchQuery()
        search_query.add_must(TermMatch('test', 'value'))
        search_query.add_aggregation(Aggregation('note'))
        results = search_query.execute(self.es_client)

        assert results['aggregations'].keys() == ['note']

        assert results['aggregations']['note'].keys() == ['terms']
        assert len(results['aggregations']['note']['terms']) == 3
        assert results['aggregations']['note']['terms'][0].keys() == ['count', 'key']

        assert results['aggregations']['note']['terms'][0]['count'] == 2
        assert results['aggregations']['note']['terms'][0]['key'] == 'abvc'

        assert results['aggregations']['note']['terms'][1]['count'] == 1
        assert results['aggregations']['note']['terms'][1]['key'] == 'abvc space line'

        assert results['aggregations']['note']['terms'][2]['count'] == 1
        assert results['aggregations']['note']['terms'][2]['key'] == 'think'
开发者ID:IFGHou,项目名称:MozDef,代码行数:33,代码来源:test_aggregation.py

示例4: test_beginning_time_seconds_received_timestamp

# 需要导入模块: from mozdef_util.query_models import SearchQuery [as 别名]
# 或者: from mozdef_util.query_models.SearchQuery import add_must [as 别名]
    def test_beginning_time_seconds_received_timestamp(self):
        query = SearchQuery(seconds=10)
        query.add_must(ExistsMatch('summary'))
        assert query.date_timedelta == {'seconds': 10}

        default_event = {
            "receivedtimestamp": UnitTestSuite.current_timestamp(),
            "summary": "Test summary",
            "details": {
                "note": "Example note",
            }
        }
        self.populate_test_event(default_event)

        too_old_event = default_event
        too_old_event['receivedtimestamp'] = UnitTestSuite.subtract_from_timestamp({'seconds': 11})
        too_old_event['utctimestamp'] = UnitTestSuite.subtract_from_timestamp({'seconds': 11})
        self.populate_test_event(too_old_event)

        not_old_event = default_event
        not_old_event['receivedtimestamp'] = UnitTestSuite.subtract_from_timestamp({'seconds': 9})
        not_old_event['utctimestamp'] = UnitTestSuite.subtract_from_timestamp({'seconds': 9})
        self.populate_test_event(not_old_event)

        self.refresh(self.event_index_name)

        results = query.execute(self.es_client)
        assert len(results['hits']) == 2
开发者ID:IFGHou,项目名称:MozDef,代码行数:30,代码来源:test_search_query.py

示例5: test_aggregation_multiple_layers

# 需要导入模块: from mozdef_util.query_models import SearchQuery [as 别名]
# 或者: from mozdef_util.query_models.SearchQuery import add_must [as 别名]
    def test_aggregation_multiple_layers(self):
        events = [
            {
                "test": "value",
                "details": {"ip": "127.0.0.1"},
            },
            {
                "test": "value",
                "details": {"ip": "127.0.0.1"},
            },
            {
                "test": "value",
                "details": {"ip": "192.168.1.1"},
            },
        ]

        for event in events:
            self.populate_test_object(event)
        self.refresh(self.event_index_name)

        search_query = SearchQuery()
        search_query.add_must(TermMatch('test', 'value'))
        search_query.add_aggregation(Aggregation('details.ip'))
        results = search_query.execute(self.es_client)

        assert results['aggregations'].keys() == ['details.ip']
        assert results['aggregations']['details.ip'].keys() == ['terms']
        assert len(results['aggregations']['details.ip']['terms']) == 2

        assert results['aggregations']['details.ip']['terms'][0]['count'] == 2
        assert results['aggregations']['details.ip']['terms'][0]['key'] == "127.0.0.1"

        assert results['aggregations']['details.ip']['terms'][1]['count'] == 1
        assert results['aggregations']['details.ip']['terms'][1]['key'] == "192.168.1.1"
开发者ID:IFGHou,项目名称:MozDef,代码行数:36,代码来源:test_aggregation.py

示例6: test_simple_query_execute

# 需要导入模块: from mozdef_util.query_models import SearchQuery [as 别名]
# 或者: from mozdef_util.query_models.SearchQuery import add_must [as 别名]
    def test_simple_query_execute(self):
        query = SearchQuery()
        query.add_must(ExistsMatch('note'))
        assert query.date_timedelta == {}

        self.populate_example_event()
        self.refresh(self.event_index_name)

        results = query.execute(self.es_client)

        assert results.keys() == ['hits', 'meta']
        assert results['meta'].keys() == ['timed_out']
        assert results['meta']['timed_out'] is False
        assert len(results['hits']) == 1

        assert results['hits'][0].keys() == ['_score', '_type', '_id', '_source', '_index']
        assert type(results['hits'][0]['_id']) == unicode
        assert results['hits'][0]['_type'] == 'event'

        assert results['hits'][0]['_index'] == datetime.now().strftime("events-%Y%m%d")

        assert results['hits'][0]['_source']['note'] == 'Example note'
        assert results['hits'][0]['_source']['summary'] == 'Test Summary'

        assert results['hits'][0]['_source']['details'].keys() == ['information']
        assert results['hits'][0]['_source']['details']['information'] == 'Example information'

        with pytest.raises(KeyError):
            results['abcdefg']

        with pytest.raises(KeyError):
            results['abcdefg']['test']
开发者ID:IFGHou,项目名称:MozDef,代码行数:34,代码来源:test_search_query.py

示例7: getESAlerts

# 需要导入模块: from mozdef_util.query_models import SearchQuery [as 别名]
# 或者: from mozdef_util.query_models.SearchQuery import add_must [as 别名]
def getESAlerts(es):
    search_query = SearchQuery(minutes=50)
    # We use an ExistsMatch here just to satisfy the
    # requirements of a search query must have some "Matchers"
    search_query.add_must(ExistsMatch('summary'))
    results = search_query.execute(es, indices=['alerts'], size=10000)
    return results
开发者ID:Phrozyn,项目名称:MozDef,代码行数:9,代码来源:syncAlertsToMongo.py

示例8: test_without_time_defined

# 需要导入模块: from mozdef_util.query_models import SearchQuery [as 别名]
# 或者: from mozdef_util.query_models.SearchQuery import add_must [as 别名]
    def test_without_time_defined(self):
        query = SearchQuery()
        query.add_must(ExistsMatch('summary'))
        assert query.date_timedelta == {}

        default_event = {
            "utctimestamp": UnitTestSuite.current_timestamp(),
            "summary": "Test summary",
            "details": {
                "note": "Example note",
            }
        }

        self.populate_test_event(default_event)
        default_event['utctimestamp'] = UnitTestSuite.subtract_from_timestamp({'days': 11})
        default_event['receivedtimestamp'] = UnitTestSuite.subtract_from_timestamp({'days': 11})
        self.populate_test_event(default_event)

        not_old_event = default_event
        not_old_event['utctimestamp'] = UnitTestSuite.subtract_from_timestamp({'days': 9})
        not_old_event['receivedtimestamp'] = UnitTestSuite.subtract_from_timestamp({'days': 9})
        self.populate_test_event(not_old_event)

        self.refresh(self.event_index_name)

        results = query.execute(self.es_client)
        assert len(results['hits']) == 3
开发者ID:IFGHou,项目名称:MozDef,代码行数:29,代码来源:test_search_query.py

示例9: main

# 需要导入模块: from mozdef_util.query_models import SearchQuery [as 别名]
# 或者: from mozdef_util.query_models.SearchQuery import add_must [as 别名]
    def main(self):
        self.parse_config("proxy_drop_executable.conf", ["extensions"])

        search_query = SearchQuery(minutes=20)

        search_query.add_must(
            [
                TermMatch("category", "proxy"),
                TermMatch("details.proxyaction", "TCP_DENIED"),
            ]
        )

        # Only notify on certain file extensions from config
        filename_regex = "/.*\.({0})/".format(self.config.extensions.replace(",", "|"))
        search_query.add_must(
            [QueryStringMatch("details.destination: {}".format(filename_regex))]
        )

        self.filtersManual(search_query)

        # Search aggregations on field 'hostname', keep X samples of
        # events at most
        self.searchEventsAggregated("details.sourceipaddress", samplesLimit=10)
        # alert when >= X matching events in an aggregation
        # I think it makes sense to alert every time here
        self.walkAggregations(threshold=1)
开发者ID:IFGHou,项目名称:MozDef,代码行数:28,代码来源:proxy_drop_executable.py

示例10: kibanaDashboards

# 需要导入模块: from mozdef_util.query_models import SearchQuery [as 别名]
# 或者: from mozdef_util.query_models.SearchQuery import add_must [as 别名]
def kibanaDashboards():
    resultsList = []
    try:
        es_client = ElasticsearchClient((list('{0}'.format(s) for s in options.esservers)))
        search_query = SearchQuery()
        search_query.add_must(TermMatch('_type', 'dashboard'))
        results = search_query.execute(es_client, indices=['.kibana'])

        for dashboard in results['hits']:
            resultsList.append({
                'name': dashboard['_source']['title'],
                'url': "%s#/%s/%s" % (
                    options.kibanaurl,
                    "dashboard",
                    dashboard['_id']
                )
            })

    except ElasticsearchInvalidIndex as e:
        sys.stderr.write('Kibana dashboard index not found: {0}\n'.format(e))

    except Exception as e:
        sys.stderr.write('Kibana dashboard received error: {0}\n'.format(e))

    return json.dumps(resultsList)
开发者ID:IFGHou,项目名称:MozDef,代码行数:27,代码来源:index.py

示例11: esSearch

# 需要导入模块: from mozdef_util.query_models import SearchQuery [as 别名]
# 或者: from mozdef_util.query_models.SearchQuery import add_must [as 别名]
def esSearch(es, macassignments=None):
    '''
    Search ES for an event that ties a username to a mac address
    This example searches for junos wifi correlations on authentication success
    Expecting an event like: user: [email protected]; mac: 5c:f9:38:b1:de:cf; author reason: roamed session; ssid: ANSSID; AP 46/2\n
    '''
    usermacre=re.compile(r'''user: (?P<username>.*?); mac: (?P<macaddress>.*?); ''',re.IGNORECASE)
    correlations={}

    search_query = SearchQuery(minutes=options.correlationminutes)
    search_query.add_must(TermMatch('details.program', 'AUTHORIZATION-SUCCESS'))
    search_query.add_must_not(PhraseMatch('summary', 'last-resort'))

    try:
        full_results = search_query.execute(es)
        results = full_results['hits']

        for r in results:
            fields = re.search(usermacre,r['_source']['summary'])
            if fields:
                if '{0} {1}'.format(fields.group('username'),fields.group('macaddress')) not in correlations:
                    if fields.group('macaddress')[0:8].lower() in macassignments:
                        entity=macassignments[fields.group('macaddress')[0:8].lower()]
                    else:
                        entity='unknown'
                    correlations['{0} {1}'.format(fields.group('username'),fields.group('macaddress'))]=dict(username=fields.group('username'),
                                                                                                             macaddress=fields.group('macaddress'),
                                                                                                             entity=entity,
                                                                                                             utctimestamp=r['_source']['utctimestamp'])
        return correlations

    except ElasticsearchBadServer:
        logger.error('Elastic Search server could not be reached, check network connectivity')
开发者ID:Phrozyn,项目名称:MozDef,代码行数:35,代码来源:correlateUserMacAddress.py

示例12: main

# 需要导入模块: from mozdef_util.query_models import SearchQuery [as 别名]
# 或者: from mozdef_util.query_models.SearchQuery import add_must [as 别名]
    def main(self):
        search_query = SearchQuery(minutes=15)

        self.config = self.parse_json_alert_config('ssh_access_signreleng.json')

        if self.config['ircchannel'] == '':
            self.config['ircchannel'] = None

        search_query.add_must([
            TermMatch('tags', 'releng'),
            TermMatch('details.program', 'sshd'),
            QueryStringMatch('hostname: /{}/'.format(self.config['hostfilter'])),
            PhraseMatch('summary', 'Accepted publickey for ')
        ])

        for exclusion in self.config['exclusions']:
            exclusion_query = None
            for key, value in exclusion.iteritems():
                phrase_exclusion = PhraseMatch(key, value)
                if exclusion_query is None:
                    exclusion_query = phrase_exclusion
                else:
                    exclusion_query = exclusion_query + phrase_exclusion

            search_query.add_must_not(exclusion_query)

        self.filtersManual(search_query)
        self.searchEventsSimple()
        self.walkEvents()
开发者ID:IFGHou,项目名称:MozDef,代码行数:31,代码来源:ssh_access_signreleng.py

示例13: process_alert

# 需要导入模块: from mozdef_util.query_models import SearchQuery [as 别名]
# 或者: from mozdef_util.query_models.SearchQuery import add_must [as 别名]
 def process_alert(self):
     search_query = SearchQuery(minutes=20)
     content = QueryStringMatch(str(self.watchterm))
     search_query.add_must(content)
     self.filtersManual(search_query)
     self.searchEventsSimple()
     self.walkEvents()
开发者ID:mozilla,项目名称:MozDef,代码行数:9,代码来源:get_watchlist.py

示例14: test_execute_without_size

# 需要导入模块: from mozdef_util.query_models import SearchQuery [as 别名]
# 或者: from mozdef_util.query_models.SearchQuery import add_must [as 别名]
 def test_execute_without_size(self):
     for num in range(0, 1200):
         self.populate_example_event()
     self.refresh(self.event_index_name)
     query = SearchQuery()
     query.add_must(ExistsMatch('summary'))
     results = query.execute(self.es_client)
     assert len(results['hits']) == 1000
开发者ID:IFGHou,项目名称:MozDef,代码行数:10,代码来源:test_search_query.py

示例15: search_and_verify_event

# 需要导入模块: from mozdef_util.query_models import SearchQuery [as 别名]
# 或者: from mozdef_util.query_models.SearchQuery import add_must [as 别名]
 def search_and_verify_event(self, expected_event):
     self.refresh('events')
     search_query = SearchQuery(minutes=5)
     search_query.add_must(ExistsMatch('tags'))
     results = search_query.execute(self.es_client)
     assert len(results['hits']) == 1
     saved_event = results['hits'][0]['_source']
     self.verify_event(saved_event, expected_event)
开发者ID:Phrozyn,项目名称:MozDef,代码行数:10,代码来源:test_esworker_sns_sqs.py


注:本文中的mozdef_util.query_models.SearchQuery.add_must方法示例由纯净天空整理自Github/MSDocs等开源代码及文档管理平台,相关代码片段筛选自各路编程大神贡献的开源项目,源码版权归原作者所有,传播和使用请参考对应项目的License;未经允许,请勿转载。