class msiempy.GroupedEventManager(_QueryExecuteManager): (source)
List-Like object. Interface to execute a grouped event query.
Query the curent day events filtered by IPSID grouped by ScrIP.
from msiempy import GroupedEventManager import pprint query = GroupedEventManager( time_range='LAST_3_DAYS', field='SrcIP', filters=[('IPSID', '144116287587483648')]) query.load_data() # Sort the results by total count results = list(reversed(sorted(query, key=lambda k: int(k['SUM(Alert.EventCount)'])))) # Display top 10 top10=results[:10] pprint.pprint(top10)
GroupedEvent.| Method | __init__ | Create a new grouped query |
| Instance Variable | field | Grouped query field |
| Method | load_data | Load the data into the list. |
| Instance Variable | data | Undocumented |
| Method | clear_filters | Replace all filters by a non filtering rule with all datasources IPSIDs (Using msiempy.device.DevTree). Acts like there is no filters. |
| Instance Variable | _filters | Undocumented |
| Method | _qry_load_data | No summary |
Inherited from _QueryExecuteManager:
| Method | add_filter | Add a filter to the query. |
| Static Method | get_field_nickname | Resolve SIEM events field nickname base on Event.SIEM_FIELDS_MAP_INTERNAL_NAME_TO_NICKNAME mapping. Returns the valid query field nickname if found else the initial value. |
| Class Variable | _TYPE | EVENT: Flow queries are not implemented (yet) |
| Method | _get_filters | Returns SIEM formatted filters for the query structured from msiempy.event.GroupFilter and/or msiempy.event.FieldFilter See msiempy.core.query.FilteredQueryList.filters. |
| Method | _close_query | Close the query |
| Method | _wait_for | Wait and sleep for the query. |
| Method | _get_events | Internal method that will get the query events. Called by _qry_load_data. By default, numRows correspond to limit. |
Inherited from FilteredQueryList (via _QueryExecuteManager):
| Instance Variable | not_completed | Boolean signals the query is not completed |
| Instance Variable | filters | Query filters |
| Instance Variable | start_time | Start time of the query in the right SIEM format. |
| Instance Variable | end_time | End time of the query in the right SIEM format. |
| Instance Variable | time_range | Query time range. Defaults to "CURRENT_DAY". |
| Class Variable | DEFAULT_TIME_RANGE | Default time range : "CURRENT_DAY" |
| Class Variable | POSSIBLE_TIME_RANGE | No summary |
| Instance Variable | _time_range | Undocumented |
| Instance Variable | _start_time | Undocumented |
| Instance Variable | _end_time | Undocumented |
| Method | _get_time_range | Undocumented |
| Method | _set_time_range | Undocumented |
| Method | _get_start_time | Undocumented |
| Method | _set_start_time | Undocumented |
| Method | _get_end_time | Undocumented |
| Method | _set_end_time | Undocumented |
| Method | _set_filters | Undocumented |
Inherited from NitroList (via _QueryExecuteManager, FilteredQueryList):
| Method | __str__ | str(obj) -> return text string. |
| Method | keys | List items keys. Every items should have the same set of keys. |
| Method | get_text | Return a csv or table string representation of the list |
| Method | text | Defaut table string, a shorcut to get_text() with no arguments. |
| Method | json | JSON list of dicts representing the list. |
| Method | search | Search elements in the list with a regex pattern |
| Method | refresh | Execute refresh function on all items. |
| Method | perform | Wrapper to execute a function on the list of elements |
| Static Method | _confirm_func | Ask user inut to confirm the calling of func on elements. |
Inherited from NitroObject (via _QueryExecuteManager, FilteredQueryList, NitroList):
| Class | NitroJSONEncoder | Custom JSON encoder that will use the approprtiate propertie depending of the type of NitroObject. TODO support json json dumping of QueryFilers, may be by making them inherits from NitroDict. |
| Instance Variable | nitro | msiempy.core.session.NitroSession object. Interface to the SIEM. |
Create a new grouped query
field (str): The field that will be selected when this query is executed.filters (list): list of filters. A filter can be a tuple(field, [values]) or it can be a msiempy.event.FieldFilter or msiempy.event.GroupFilter if you wish to use advanced filtering.time_range (str): Query time range. String representation of a time range. Not need to specify "CUSTOM" if start_time and end_time are set.start_time (str or a datetime): Query start time.end_time (str or a datetime): Query end time.Load the data into the list.
GroupedEventManagermsiempy.device.DevTree).
Acts like there is no filters.list, Query completed? bool )msiempy.core.session.NitroError if any unhandled errors.TimeoutError if wait_timeout_sec counter gets to 0.ValueError if an IPSID filter is not present.