class documentation

class msiempy.FieldFilter(_QueryFilter):

Query field filter

Based on EsmFieldFilter SIEM API object.

This class is used automatically when instantiating EventManager objects: it creates filters in the right dict format from the tuples passed to the filters argument of EventManager:

>>> e = EventManager(time_range='LAST_MINUTE', filters=[ ('SrcIP', ['10.5.0.0/16']) ])

The default operator is "IN". To change the operator, create a custom FieldFilter.

Example to filter by Signature ID:

>>> e = EventManager(time_range='LAST_24_HOURS', filters=[ FieldFilter('DSIDSigID', ["49190-4294967295"], operator='EQUALS') ])
Note:
Make sure the filter name is valid by checking the result of EventManager.get_possible_filters, or use the provided script in the sample folder.
See:
Object GroupFilter
Class Variable DOCUMENTED_FILTERS: List of documented filter names; a warning is shown when filtering on an unknown filter name.
Method __init__: Create a new field filter for a query.
Instance Variable operator: Filter operator. Throws AttributeError if trying to set an unknown operator.
Instance Variable values: List of values of the filter.
Instance Variable name: Name of the field.
Instance Variable data: Undocumented
Class Variable POSSIBLE_OPERATORS: List of possible operators.
Class Variable POSSIBLE_VALUE_TYPES: List of possible value types. See add_value.
Method add_value: Add a new value to the filter.
Method add_basic_value: Wrapper around add_value to simply add an EsmBasicValue.
Instance Variable _operator: Undocumented
Instance Variable _values: Undocumented
Method _get_operator: Undocumented
Method _set_operator: Undocumented
Method _get_values: Undocumented
Method _set_values: Undocumented
DOCUMENTED_FILTERS =
List of documented filter names; a warning is shown when filtering on an unknown filter name.
(type: List[str])
def __init__(self, name, values, operator="IN"):

Create a new field filter for a query.

Arguments:
  • name (str): field name as string. Example: "SrcIP". See the full list here: https://github.com/mfesiem/msiempy/blob/master/static/all_filters.json
  • values (list): list of values the field is going to be tested against with the specified operator.
  • operator (str): One of: IN, NOT_IN, GREATER_THAN, LESS_THAN, GREATER_OR_EQUALS_THAN, LESS_OR_EQUALS_THAN, NUMERIC_EQUALS, NUMERIC_NOT_EQUALS, DOES_NOT_EQUAL, EQUALS, CONTAINS, DOES_NOT_CONTAIN, REGEX
_operator =
Undocumented
_values =
Undocumented
operator =
Filter operator. Throws AttributeError if trying to set an unknown operator.
values =

List of values of the filter.

Values will be added with:

Values will always be added to the filter. To remove values, handle the _values property directly.

Example:

filter = FieldFilter(name='DstIP', values=[{'type':'EsmWatchlistValue', 'watchlist':42}], operator='IN')
name =
Name of the field
data =
Undocumented
POSSIBLE_OPERATORS =
List of possible operators
(type: List[str])
POSSIBLE_VALUE_TYPES =
List of possible value types. See add_value.
(type: List)
def _get_operator(self):
Undocumented
def _set_operator(self, operator):
Undocumented
def _get_values(self):
Undocumented
def _set_values(self, values):
Undocumented
def add_value(self, type=None, **kwargs):

Add a new value to the filter.

Arguments:
  • type (str): Type of the value
  • value (str): If type is "EsmBasicValue"
  • watchlist (int): If type is "EsmWatchlistValue"
  • variable (int): If type is "EsmVariableValue"
  • values (list): If type is "EsmCompoundValue"
Raises:
KeyError or AttributeError if you don't respect the correct type/key/value combination.
Note:
Filtering a query with a value type other than EsmBasicValue is not tested.
def add_basic_value(self, value):
Wrapper around add_value to simply add an EsmBasicValue.
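The following is an added, stand-alone model of the behaviour documented above (the tuple-to-filter conversion, operator validation, the four value types accepted by add_value, and the warning on an undocumented filter name). It is not msiempy's own code: the class name FieldFilterModel, the build_filters helper and the DOCUMENTED_FILTERS subset are constructed for this example, and the exact EsmFieldFilter dict layout ("type", "field", "operator", "values") is an assumption about the SIEM API object rather than something this page states.

```python
from typing import Any, Dict, List, Optional, Tuple

# Operators exactly as listed in the __init__ documentation above.
POSSIBLE_OPERATORS = [
    "IN", "NOT_IN", "GREATER_THAN", "LESS_THAN", "GREATER_OR_EQUALS_THAN",
    "LESS_OR_EQUALS_THAN", "NUMERIC_EQUALS", "NUMERIC_NOT_EQUALS",
    "DOES_NOT_EQUAL", "EQUALS", "CONTAINS", "DOES_NOT_CONTAIN", "REGEX",
]

# Value types and the single keyword each one takes, as listed under add_value.
POSSIBLE_VALUE_TYPES = {
    "EsmBasicValue": "value",
    "EsmWatchlistValue": "watchlist",
    "EsmVariableValue": "variable",
    "EsmCompoundValue": "values",
}

# Constructed subset of documented field names used for the warning check;
# the real list is static/all_filters.json (linked in the __init__ docs).
DOCUMENTED_FILTERS = ["SrcIP", "DstIP", "DSIDSigID", "UserIDSrc"]


class FieldFilterModel:
    """Builds an EsmFieldFilter-style dict (assumed layout, see lead-in)."""

    def __init__(self, name: str, values: List[Any], operator: str = "IN") -> None:
        self.name = name
        self._values: List[Dict[str, Any]] = []
        self._operator = "IN"
        self.operator = operator  # validated by the setter below
        for v in values:
            if isinstance(v, dict) and "type" in v:
                self.add_value(**v)      # already-shaped value, e.g. a watchlist
            else:
                self.add_basic_value(v)  # plain string becomes an EsmBasicValue

    @property
    def operator(self) -> str:
        return self._operator

    @operator.setter
    def operator(self, operator: str) -> None:
        # Unknown operators raise AttributeError, as the operator property documents.
        if operator not in POSSIBLE_OPERATORS:
            raise AttributeError(f"Unknown operator {operator!r}; expected one of {POSSIBLE_OPERATORS}")
        self._operator = operator

    @property
    def values(self) -> List[Dict[str, Any]]:
        return list(self._values)

    def add_value(self, type: Optional[str] = None, **kwargs: Any) -> None:
        # Each value type takes exactly one keyword; any other combination raises,
        # matching the KeyError/AttributeError contract documented for add_value.
        if type not in POSSIBLE_VALUE_TYPES:
            raise AttributeError(f"Unknown value type {type!r}")
        key = POSSIBLE_VALUE_TYPES[type]
        if set(kwargs) != {key}:
            raise KeyError(f"{type} requires exactly the keyword {key!r}, got {sorted(kwargs)}")
        self._values.append({"type": type, key: kwargs[key]})

    def add_basic_value(self, value: Any) -> None:
        self.add_value(type="EsmBasicValue", value=str(value))

    @property
    def data(self) -> Dict[str, Any]:
        # Assumed EsmFieldFilter layout; values are always appended, never removed.
        return {
            "type": "EsmFieldFilter",
            "field": {"name": self.name},
            "operator": self.operator,
            "values": self.values,
        }


def build_filters(filters: List[Any], documented: List[str] = DOCUMENTED_FILTERS
                  ) -> Tuple[List[Dict[str, Any]], List[str]]:
    """Turn the mixed list an EventManager-style caller passes (tuples or
    FieldFilterModel objects) into API dicts. Returns (dicts, warnings)."""
    out: List[Dict[str, Any]] = []
    warnings: List[str] = []
    for f in filters:
        if isinstance(f, tuple):
            f = FieldFilterModel(f[0], f[1])  # tuple form keeps the default "IN"
        if f.name not in documented:
            warnings.append(f"Unknown filter name {f.name!r}; check EventManager.get_possible_filters")
        out.append(f.data)
    return out, warnings


if __name__ == "__main__":
    dicts, warns = build_filters([
        ("SrcIP", ["10.5.0.0/16"]),
        FieldFilterModel("DSIDSigID", ["49190-4294967295"], operator="EQUALS"),
        FieldFilterModel("DstIP", [{"type": "EsmWatchlistValue", "watchlist": 42}]),
    ])
    for d in dicts:
        print(d)
    print("warnings:", warns)
```

The warning path is the practical check: a typo in a field name does not fail loudly on the API side, so a query silently filters on nothing, which is why the page tells you to validate names against EventManager.get_possible_filters before trusting the result set.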
API Documentation for msiempy, generated by pydoctor 20.7.1 at 2020-11-18 14:02:21.