Dict-Like object. Represents an event in the SIEM.
Using EventManager or Event.
Common keys: Rule.msg, Alert.LastTime, Alert.IPSIDAlertID And any other : dump the available fields and filters with dump_all_fields.py script.
Using AlarmManager or Event
Common keys for ipsGetAlertData events: ruleName, srcIp, destIp, protocol, lastTime, subtype, destPort, destMac, srcMac, srcPort, deviceName, sigId, normId, srcUser, destUser, normMessage, normDesc, host, domain, ipsId And others
Using AlarmManager if events_details=False is passed to AlarmManager.load_data method
ruleMessage, eventId, severity, eventCount, sourceIp, destIp, protocol, lastTime and eventSubType
We tried our best effort to match SIEM returned fields with initially requested fields.
__getitem__ and __contains__, method have been rewrote in order to offer more straight-forward dict usage.
Exemple:
>>> e = EventManager(fields=["Web_Doamin","UserIDSrc","SrcIP"]).load_data()[0]
Then, the following expressions are equivalent:
>>> e["Alert.65613"] |
is the same as | >>> e["Web_Doamin"] |
>>> e["Alert.BIN(7)"] |
is the same as | >>> e["UserIDSrc"] |
>>> e["Alert.SrcIP"] |
is the same as | >>> e["SrcIP"] |
>>> "Alert.SrcIP" in e |
is the same as | >>> "SrcIP" in e |
| Class Variable | FIELDS_TABLES | List of internal fields table : Rule,`Alert`,etc. |
| Class Variable | DEFAULTS_EVENT_FIELDS | No summary |
| Class Variable | REGULAR_EVENT_FIELDS | Offer a base list of regular fields that may be useful. |
| Class Variable | SIEM_FIELDS_MAP_INTERNAL_NAME_TO_NICKNAME | Fields name mapping. |
| Class Variable | SIEM_FIELDS_MAP_NICKNAME_TO_INTERNAL_NAME | Fields name mapping (reversed). |
| Method | __init__ | Create a new event representation |
| Method | __getitem__ | Use the fields name mapping to offer better dict usage |
| Method | __delitem__ | Use the fields name mapping to offer better dict usage |
| Method | __contains__ | Use the fields name mapping to offer better dict usage |
| Method | __setitem__ | Use the fields name mapping to offer better dict usage |
| Method | get_id | Get the event ID. |
| Method | clear_notes | Replace the notes by an empty string. Desctructive action. |
| Method | set_note | Set the event's note. Desctructive action. |
| Method | data_from_id | Load event's data. |
| Method | refresh | Re-load event's data. |
| Method | _find_key | Use the fields name mapping to resolve internal name based on nickname |
Inherited from NitroDict:
| Instance Variable | data | Underlying dict object |
| Method | __str__ | str(obj) -> return text string. |
| Method | __repr__ | repr(obj) -> return json string. |
| Method | json | JSON representation of a item |
| Method | text | Text list of item's values |
Inherited from NitroObject (via NitroDict):
| Class | NitroJSONEncoder | Custom JSON encoder that will use the approprtiate propertie depending of the type of NitroObject. TODO support json json dumping of QueryFilers, may be by making them inherits from NitroDict. |
| Instance Variable | nitro | msiempy.core.session.NitroSession object. Interface to the SIEM. |
msiempy.event.EventManager querying :
Rule.msg
Alert.LastTime
Alert.IPSIDAlertIDList[str])
Offer a base list of regular fields that may be useful.
Rule.msg, Alert.SrcIP, Alert.DstIP, Alert.SrcMac, Alert.DstMac, Rule.NormID, HostID, UserIDSrc, ObjectID, Alert.Severity, Alert.LastTime, Alert.DSIDSigID, Alert.IPSIDAlertID
List[str])
Dict[str, str])
Get the event ID.
Return the full event ID or None.
Set the event's note. Desctructive action.
IPS_ADDALERTNOTELoad event's data.
id (str): The event ID. (i.e. : "144128388087414784|747122896")use_query (bool): Uses the query module to retreive common event data. Only works with SIEM 11.2 or greater.extra_fields (list): Only when use_query=True. Additionnal event fields to load in the query.Re-load event's data.
extra_fields (list): Only when use_query=True or the Event is already a query event. Additionnal event fields to load in the query.use_query=True will reset the Events fields to whatever is passed to extra_fieldsAttributeError if the event ID has not been found.