module documentation
(source)

A few quick static util methods.
Variable __pdoc__ Undocumented
Function dehexify A URL and Hexadecimal Decoding Method.
Function tob64 Encode a string to base64 almost like echo '123' | base64 would do.
Function fromb64 Decode a base64 string almost like echo 'MTIzCg==' | base64 --decode would do.
Function timerange_gettimes Convert a string time range to a tuple of datetime objects. Only works for certain time ranges.
Function divide_times Divide the time range based on a delta, on a number of slots, or on another time.
Function regex_match Returns: True if the string matches the regex.
Function format_esm_time Converts time object to ESM time string.
Function convert_to_time_obj Converts a given timestamp string to a datetime object.
Function parse_query_result Parse the query results into a list of dicts.
Function format_fields_for_query Format field names so the query module can use them.
Function parse_timedelta Parse a time string e.g. (2h13m) into a timedelta object.
Function nitro_tz Maps McAfee SIEM/Nitro ESM internal timezone IDs to the tz database at: http://web.cs.ucla.edu/~eggert/tz/tz-link.htm
__pdoc__ = (source)
Undocumented
(type: Dict)
def dehexify(data): (source)

A URL and Hexadecimal Decoding Method.

Credit: Larry Dewey.

In the case of the SIEM API, this is used only when dealing with the private API calls.

def tob64(s): (source)
Encode a string to base64 almost like echo '123' | base64 would do.
def fromb64(s): (source)
Decode a base64 string almost like echo 'MTIzCg==' | base64 --decode would do.
def timerange_gettimes(time_range): (source)
Convert a string time range to a tuple of datetime objects. Only works for certain time ranges.
def divide_times(first, last, slots=0, delta=0, time=0): (source)

Divide the time range based on a delta, on a number of slots, or on another time.

Returns:
list[tuple(datetime, datetime)]
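The slot and delta modes described above, as an added example that is not msiempy's own implementation. It assumes `first` and `last` are datetime objects, that `delta` is a timedelta, and it leaves the documented `time` argument out because its semantics are not described on this page. The sample range (FIRST, LAST) is constructed for the demonstration. The last window always ends exactly at `last`, so a range that is not a multiple of `delta` yields a shorter final window rather than a window that overshoots the queried period.

```python
from datetime import datetime, timedelta


def divide_times(first, last, slots=0, delta=0):
    """Split [first, last] into consecutive (start, end) windows.

    Exactly one of `slots` (number of equal windows) or `delta` (window length
    as a timedelta) must be given. Returns list[tuple(datetime, datetime)].
    """
    if last <= first:
        raise ValueError("last must be after first")
    if slots and delta:
        raise ValueError("give either slots or delta, not both")
    if slots:
        if slots < 1:
            raise ValueError("slots must be >= 1")
        # Compute every boundary from the index instead of accumulating a
        # rounded step, so the count of windows is exactly `slots`.
        span = last - first
        bounds = [first + span * i / slots for i in range(slots)] + [last]
        return list(zip(bounds, bounds[1:]))
    if not delta:
        raise ValueError("one of slots or delta is required")
    if not isinstance(delta, timedelta) or delta <= timedelta(0):
        raise ValueError("delta must be a positive timedelta")
    windows = []
    start = first
    while start < last:
        end = min(start + delta, last)  # clip the final window to `last`
        windows.append((start, end))
        start = end
    return windows


# Constructed sample range: 2 hours 30 minutes on a single day.
FIRST = datetime(2020, 9, 22, 0, 0, 0)
LAST = datetime(2020, 9, 22, 2, 30, 0)
ONE_HOUR = timedelta(hours=1)

if __name__ == "__main__":
    for start, end in divide_times(FIRST, LAST, slots=5):
        print(start, "->", end)
    for start, end in divide_times(FIRST, LAST, delta=ONE_HOUR):
        print(start, "->", end)
```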
def regex_match(regex, string): (source)
Returns:
True if the string matches the regex.
def format_esm_time(esm_time): (source)

Converts time object to ESM time string.

Arguments:
Returns:
str in format 2019-04-08T19:35:02.971Z
def convert_to_time_obj(time_str): (source)

Converts a given timestamp string to a datetime object.

Arguments:
  • time_str (str): timestamp in format 'YYYY/MM/DD HH:MM:SS', 'MM/DD/YYYY HH:MM:SS', or 'DD/MM/YYYY HH:MM:SS'
Returns:
datetime object or None if no format matches
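The parsing and formatting behaviour documented for convert_to_time_obj and format_esm_time above, as an added example that is not msiempy's own code. The three input formats are the ones listed in the argument description; the ordering of attempts is an assumption of this example, and it matters: a string such as '03/04/2020 00:00:00' satisfies the MM/DD/YYYY pattern first and is therefore read as 4 March, never as 3 April, which is the kind of ambiguity that silently shifts events when correlating logs from sources using different conventions. format_esm_time assumes a naive datetime is already in UTC and converts an aware one to UTC before rendering.

```python
from datetime import datetime, timezone

# Accepted input formats, tried in this order (order is this example's choice).
TIME_FORMATS = (
    '%Y/%m/%d %H:%M:%S',  # YYYY/MM/DD HH:MM:SS
    '%m/%d/%Y %H:%M:%S',  # MM/DD/YYYY HH:MM:SS (wins for ambiguous day/month)
    '%d/%m/%Y %H:%M:%S',  # DD/MM/YYYY HH:MM:SS (only reached if month > 12)
)


def convert_to_time_obj(time_str):
    """Return a naive datetime for the first matching format, else None."""
    for fmt in TIME_FORMATS:
        try:
            return datetime.strptime(time_str, fmt)
        except ValueError:
            continue
    return None


def format_esm_time(esm_time):
    """Render a datetime as an ESM time string, e.g. 2019-04-08T19:35:02.971Z.

    An aware datetime is converted to UTC first; a naive one is assumed to be
    UTC already (assumption of this example). Precision is truncated to
    milliseconds because that is what the documented format carries.
    """
    if esm_time.tzinfo is not None:
        esm_time = esm_time.astimezone(timezone.utc)
    millis = esm_time.microsecond // 1000
    return esm_time.strftime('%Y-%m-%dT%H:%M:%S') + f'.{millis:03d}Z'


if __name__ == "__main__":
    for sample in ('2019/04/08 19:35:02', '09/22/2020 15:51:14',
                   '22/09/2020 15:51:14', '03/04/2020 00:00:00', 'not a time'):
        print(repr(sample), '->', convert_to_time_obj(sample))
    print(format_esm_time(datetime(2019, 4, 8, 19, 35, 2, 971000)))
```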
def parse_query_result(columns, rows): (source)

Parse the query results into a list of dicts.

Arguments:
  • columns (list[dict]): Returned by the SIEM. Example:

    [{'name': 'Alert.LastTime'}, {'name': 'Rule.msg'}, {'name': 'Alert.DstIP'}, {'name': 'Alert.IPSIDAlertID'}]
    
  • rows (list[dict]): Returned by the SIEM. Example:

    [
        {'values': ['09/22/2020 15:51:14', 'Postfix Disconnect from host', '::', '144116287604260864|547123']},
        {'values': ['09/22/2020 15:51:14', 'Postfix Lost connection from host', '::', '144116287604260864|547122']}
    ]
    
Returns:
list[dict]

Example:

[
    {
        "Alert.LastTime":"09/22/2020 15:51:14",
        "Rule.msg":"Postfix Disconnect from host",
        "Alert.DstIP":"::",
        "Alert.IPSIDAlertID":"144116287604260864|547123"
    },
    {
        ...
    },
]
def format_fields_for_query(fields): (source)

Format field names so the query module can use them.

Arguments:
  • fields: list of fields, example:

    ['field1','name','user']
    

Returns:

[
    {'name':'field1'},
    {'name':'name'},
    {'name':'user'},
]
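Both transformations documented above (format_fields_for_query for the request side, parse_query_result for the response side) as one added round-trip example; this is not msiempy's own code. The column and row data are the documented samples reproduced as constructed input. One design choice worth noting: a row whose value count differs from the column count is rejected rather than silently truncated by zip, so a malformed or truncated response cannot shift values under the wrong field names (an IP landing in a message field, for instance).

```python
def format_fields_for_query(fields):
    """Turn ['field1', 'name'] into [{'name': 'field1'}, {'name': 'name'}]."""
    return [{'name': field} for field in fields]


def parse_query_result(columns, rows):
    """Pair each row's values with the column names, giving one dict per row.

    Raises ValueError for any row whose length does not match the columns.
    """
    names = [column['name'] for column in columns]
    results = []
    for index, row in enumerate(rows):
        values = row['values']
        if len(values) != len(names):
            raise ValueError(
                f"row {index} has {len(values)} values for {len(names)} columns")
        results.append(dict(zip(names, values)))
    return results


# Constructed sample data, copied from the documented examples.
COLUMNS = [{'name': 'Alert.LastTime'}, {'name': 'Rule.msg'},
           {'name': 'Alert.DstIP'}, {'name': 'Alert.IPSIDAlertID'}]
ROWS = [
    {'values': ['09/22/2020 15:51:14', 'Postfix Disconnect from host',
                '::', '144116287604260864|547123']},
    {'values': ['09/22/2020 15:51:14', 'Postfix Lost connection from host',
                '::', '144116287604260864|547122']},
]

if __name__ == "__main__":
    # Request side: the field list a caller would hand to the query module.
    print(format_fields_for_query(['field1', 'name', 'user']))
    # Response side: the rows come back keyed by column name.
    for event in parse_query_result(COLUMNS, ROWS):
        print(event['Alert.IPSIDAlertID'], event['Rule.msg'])
```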
def parse_timedelta(time_str): (source)

Parse a time string e.g. (2h13m) into a timedelta object.

Modified from virhilo's answer at https://stackoverflow.com/a/4628148/851699

Arguments:
  • time_str: A string identifying a duration. (e.g. 2h13m)
Returns:
timedelta: A timedelta object
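A parser for duration strings of the kind documented above, added here as an example; it is not msiempy's implementation and only follows the cited StackOverflow answer in spirit (the regex, the d/h/m/s unit set and the error handling are this example's own choices). Units must appear in descending order, whitespace and case are ignored, and anything unrecognised raises ValueError instead of returning a zero-length timedelta, so a mistyped lookback window cannot silently collapse a query's time range to nothing.

```python
import re
from datetime import timedelta

# One optional group per unit, in fixed order: days, hours, minutes, seconds.
# Every group is optional, so the empty string also matches; that case is
# rejected explicitly below.
_DURATION = re.compile(
    r'(?:(?P<days>\d+)d)?'
    r'(?:(?P<hours>\d+)h)?'
    r'(?:(?P<minutes>\d+)m)?'
    r'(?:(?P<seconds>\d+)s)?'
)


def parse_timedelta(time_str):
    """Parse '2h13m', '1d', '45s' or '1d 2h 3m 4s' into a timedelta.

    Raises ValueError for an empty string, an unknown unit, or units given
    out of order (e.g. '13m2h').
    """
    compact = re.sub(r'\s+', '', time_str).lower()
    match = _DURATION.fullmatch(compact)
    if not compact or match is None:
        raise ValueError(f"unrecognised duration: {time_str!r}")
    parts = {unit: int(value)
             for unit, value in match.groupdict().items() if value}
    return timedelta(**parts)


if __name__ == "__main__":
    for sample in ('2h13m', '1d 2h 3m 4s', '45S'):
        print(repr(sample), '->', parse_timedelta(sample))
```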
def nitro_tz(tz_id): (source)

Maps McAfee SIEM/Nitro ESM internal timezone IDs to the tz database at: http://web.cs.ucla.edu/~eggert/tz/tz-link.htm

Arguments:
  • tz_id (int): McAfee ESM internal timezone ID
Returns:
str: timezone name
API Documentation for msiempy, generated by pydoctor 20.7.1 at 2020-11-18 14:02:21.