
class msiempy.AlarmManager(FilteredQueryList): (source)


List-Like object. Interface to query and manage alarms.

Examples:
  • Acknowledge alarms:

Print all unacknowledged alarms filtered by alarm name and event message, then acknowledge them. The alarm name is matched against 'Test alarm' and the triggering event message against 'Wordpress'.

from msiempy import AlarmManager, Alarm
# Make an alarm query
alarms = AlarmManager(
    time_range='CURRENT_YEAR',
    status_filter='unacknowledged',  # passed to alarmGetTriggeredAlarms, computed on the SIEM side
    filters=[('alarmName', 'Test alarm')],  # regex, applied locally
    event_filters=[('ruleName', 'Wordpress')],  # regex, applied locally
    page_size=5  # increase to 500 or 1000 once testing is finished, for better performance
)
# Load the data into the list
alarms.load_data()
# Print results
print("Alarm list: ")
print(alarms)
print(alarms.get_text(
    fields=['id', 'triggeredDate', 'acknowledgedDate', 'alarmName', 'acknowledgedUsername']))
# Acknowledge alarms
print("Acknowledge alarms")
for alarm in alarms:
    alarm.acknowledge()
Notes:
  • The AlarmManager filtering feature is an add-on to what the SIEM API offers: filters are applied locally, as regular expressions, after the alarms have been fetched.
See:
Alarm
Method __init__ Create a new alarm query
Instance Variable status_filter Status filter for the alarm query.
Instance Variable page_size Maximum number of alarms per query
Method event_filters Undocumented
Method add_filter Add a filter to the alarm query.
Method add_event_filter Add a event filter to the query.
Method clear_filters Reset local alarm and event filters.
Method load_data Load the data into the list. By default all alarm information is loaded: for each alarm, the full details are loaded, then the triggering event details are loaded.
Instance Variable data Undocumented
Instance Variable _alarm_filters Undocumented
Instance Variable _event_filters Undocumented
Instance Variable _status_filter Undocumented
Method _get_filters The alarm related filters
Method _get_status_filter Undocumented
Method _set_status_filter Undocumented
Method _qry_load_data No summary
Method _alarm_match Internal filter method that returns True if the passed alarm matches all alarm related filters.
Method _event_match Internal filter method that returns True if any triggering event matches all passed event filters.

Inherited from FilteredQueryList:

Instance Variable not_completed Boolean signals the query is not completed
Instance Variable filters Query filters
Instance Variable start_time Start time of the query in the right SIEM format.
Instance Variable end_time End time of the query in the right SIEM format.
Instance Variable time_range Query time range. Defaults to "CURRENT_DAY".
Class Variable DEFAULT_TIME_RANGE Default time range : "CURRENT_DAY"
Class Variable POSSIBLE_TIME_RANGE No summary
Instance Variable _time_range Undocumented
Instance Variable _start_time Undocumented
Instance Variable _end_time Undocumented
Method _get_time_range Undocumented
Method _set_time_range Undocumented
Method _get_start_time Undocumented
Method _set_start_time Undocumented
Method _get_end_time Undocumented
Method _set_end_time Undocumented
Method _set_filters Undocumented

Inherited from NitroList (via FilteredQueryList):

Method __str__ str(obj) -> return text string.
Method keys List item keys. Every item should have the same set of keys.
Method get_text Return a csv or table string representation of the list
Method text Default table string, a shortcut to get_text() with no arguments.
Method json JSON list of dicts representing the list.
Method search Search elements in the list with a regex pattern
Method refresh Execute refresh function on all items.
Method perform Wrapper to execute a function on the list of elements
Static Method _confirm_func Ask user input to confirm the calling of func on elements.

Inherited from NitroObject (via FilteredQueryList, NitroList):

Class NitroJSONEncoder Custom JSON encoder that uses the appropriate property depending on the type of NitroObject. TODO: support JSON dumping of QueryFilters, maybe by making them inherit from NitroDict.
Instance Variable nitro msiempy.core.session.NitroSession object. Interface to the SIEM.
def __init__(self, *args, **kwargs): (source)

Create a new alarm query

Arguments:
  • status_filter (str): status of the alarms to query. status_filter is not a filter like the others because it is computed on the SIEM side.
    Accepted values: "acknowledged", "unacknowledged", "" or None (Default value = "").
  • page_size (int): max number of rows per query.
  • filters (list[tuple(field, [values])]): Filters applied to Alarm objects. A single tuple is also accepted.
  • event_filters (list[tuple(field, [values])]): Filters applied to Event objects. A single tuple is also accepted.
  • time_range (str): Query time range. String representation of a time range.
  • start_time (str or a datetime): Query start time
  • end_time (str or a datetime): Query end time
Note:
Unlike EventManager, filters and event_filters are applied after the data is loaded, using regex matching.
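To make the local filtering semantics concrete, here is an added, self-contained Python example (not msiempy's own code) that reproduces the documented behaviour on constructed alarm records: filters are accepted as (field, [values]), (field, value) or 'field=value'; values are regular expressions; an alarm passes when it matches all alarm filters and when any of its triggering events matches all event filters. The record layout (an 'events' list under each alarm), the use of re.search and the reading of acknowledgedDate as a stand-in for the SIEM-side status filter are assumptions made for this example.

```python
import re
from typing import Iterable, List, Sequence, Tuple, Union

# Constructed sample data for this example, not real SIEM output.
# Each alarm carries a few alarmGetTriggeredAlarms-style fields plus a
# list of triggering events (layout assumed for the example).
SAMPLE_ALARMS = [
    {"id": 1, "alarmName": "Test alarm", "acknowledgedDate": "",
     "events": [{"ruleName": "Wordpress login brute force", "srcIp": "10.0.0.5"}]},
    {"id": 2, "alarmName": "Test alarm", "acknowledgedDate": "",
     "events": [{"ruleName": "SSH login failure", "srcIp": "10.0.0.6"}]},
    {"id": 3, "alarmName": "Disk usage", "acknowledgedDate": "2020-11-18 13:00:00",
     "events": [{"ruleName": "Wordpress file upload", "srcIp": "10.0.0.7"}]},
]

Filter = Tuple[str, List[str]]
RawFilter = Union[str, Tuple[str, Union[str, Sequence[str]]]]


def normalize_filter(afilter: RawFilter) -> Filter:
    """Accept (field, [values]), (field, value) or 'field=value'; return (field, [values])."""
    if isinstance(afilter, str):
        field, sep, value = afilter.partition("=")
        if not sep:
            raise ValueError("string filter must look like 'field=value'")
        return field.strip(), [value.strip()]
    field, values = afilter
    if isinstance(values, str):
        values = [values]
    return field, list(values)


def _match_one(record: dict, afilter: Filter) -> bool:
    """A record matches a filter when any of the filter's regexes is found in the field."""
    field, patterns = afilter
    value = str(record.get(field, ""))
    return any(re.search(pattern, value) for pattern in patterns)


def alarm_match(alarm: dict, alarm_filters: Iterable[Filter]) -> bool:
    """True if the alarm matches ALL alarm related filters (as _alarm_match is documented)."""
    return all(_match_one(alarm, f) for f in alarm_filters)


def event_match(alarm: dict, event_filters: Iterable[Filter]) -> bool:
    """True if ANY triggering event matches ALL event filters (as _event_match is documented)."""
    filters = list(event_filters)
    if not filters:
        return True
    return any(all(_match_one(ev, f) for f in filters) for ev in alarm.get("events", []))


def status_match(alarm: dict, status_filter: str) -> bool:
    """Stand-in for the SIEM-side status filter: here 'unacknowledged' means an
    empty acknowledgedDate (assumption for this example, not the SIEM's logic)."""
    if not status_filter:
        return True
    acknowledged = bool(alarm.get("acknowledgedDate"))
    return acknowledged if status_filter == "acknowledged" else not acknowledged


def filter_alarms(alarms, alarm_filters=(), event_filters=(), status_filter=""):
    """Apply the status filter first (what the SIEM would do), then the local regex filters."""
    afs = [normalize_filter(f) for f in alarm_filters]
    efs = [normalize_filter(f) for f in event_filters]
    return [a for a in alarms
            if status_match(a, status_filter) and alarm_match(a, afs) and event_match(a, efs)]


if __name__ == "__main__":
    # Same intent as the documented example: unacknowledged, alarmName ~ 'Test alarm', ruleName ~ 'Wordpress'
    for a in filter_alarms(SAMPLE_ALARMS, [("alarmName", "Test alarm")],
                           ["ruleName=Wordpress"], status_filter="unacknowledged"):
        print(a["id"], a["alarmName"], a["events"][0]["ruleName"])
```

Because the regex filters run on records already fetched, narrowing with status_filter and a tight time_range reduces what is pulled from the SIEM, while filters and event_filters only reduce what is kept afterwards.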
_alarm_filters = (source)
Undocumented
(type: List)
_event_filters = (source)
Undocumented
(type: List)
_status_filter = (source)
Undocumented
status_filter = (source)

Status filter for the alarm query.

Can be:
  • "acknowledged"
  • "unacknowledged"
  • or ""
page_size = (source)
Maximum number of alarms per query
@event_filters.setter
def event_filters(self, filters): (source)
Undocumented
def _get_filters(self): (source)
The alarm related filters
def _get_status_filter(self): (source)
Undocumented
def _set_status_filter(self, status_filter): (source)
Undocumented
def add_filter(self, afilter): (source)

Add a filter to the alarm query.

Some event related filters can be added with this method. See Alarm.ALARM_EVENT_FILTER_FIELDS.

Arguments :

  • afilter : Can be a tuple (field, [values]) or (field, value), or a str 'field=value'

Filters format is tuple(field, [values]).

def add_event_filter(self, afilter): (source)

Add an event filter to the query.

Arguments:
  • afilter : Can be a tuple (field, [values]) or (field, value), or a str like 'field=value'.
def clear_filters(self): (source)
Reset local alarm and event filters.
def load_data(self, pages=1, **kwargs): (source)

Load the data into the list. By default all alarm information is loaded: for each alarm, the full details are loaded, then the triggering event details are loaded.

Arguments:
  • events_details (bool): Load detailed event info. (Default value = True). If False, no detailed events are loaded: only a str representation for SIEM 10.x and minimal event records for SIEM 11.x.
  • alarms_details (bool): Load detailed alarm info. (Default value = True). If False, only the alarmGetTriggeredAlarms info is returned, with no information on triggering events at all.
  • pages (int): Number of pages to load. (Default value = 1)
  • workers (int): Number of asynchronous workers. (Default value = 10)
  • use_query (bool): Use the query module to retrieve event data. Only works with SIEM v11.2.1 or greater.
    The default behaviour calls ipsGetAlertData to retrieve the complete event definition. (Default value = False)
  • extra_fields (list[str]): Applicable if use_query=True. Additional event fields to load in the query. See: msiempy.event.EventManager
Returns:
msiempy.alarm.AlarmManager
def _qry_load_data(self, workers=10, alarms_details=(True), events_details=(True), use_query=(False), extra_fields=[], page_number=1): (source)
Method that queries, filters and returns the alarm data:
  • Fetch the list of alarms and load alarm details
  • Filter on the alarm related filters
  • Load the event details
  • Filter on the event related filters
Arguments:
  • workers : Number of asynchronous workers
  • alarms_details : Load detailed alarm info. If False, only a couple of values are loaded, with no event info.
  • events_details : Load detailed event info. If False, no detailed events are loaded, only a str representation.
  • use_query : Use the query module to retrieve event data. Only works with SIEM v11.2.1 or greater.
  • extra_fields : Only when use_query=True. Additional event fields to load in the query. See: msiempy.event.EventManager
  • page_number : Page number, defaults to 1. Do not set it if you are using the pages parameter

Returns: tuple (results: list, status of the query: completed)

def _alarm_match(self, alarm): (source)
Internal filter method that returns True if the passed alarm matches all alarm related filters.
def _event_match(self, alarm): (source)
Internal filter method that returns True if any triggering event matches all passed event filters.
API Documentation for msiempy, generated by pydoctor 20.7.1 at 2020-11-18 14:02:21.