msiempy.event._QueryExecuteManager : API documentation

class documentation

class msiempy.event._QueryExecuteManager(FilteredQueryList): (source)

Known subclasses: msiempy.EventManager, msiempy.GroupedEventManager

Abstract class to handle common filters properties that grouped and non-grouped queries share.

Also provide helper functions to wait the query and get the results (see source code). Only Events query are currently supported.

Method	__init__	Create a query list
Method	add_filter	Add a filter to the query.
Static Method	get_field_nickname	Resolve SIEM events field nickname base on `Event.SIEM_FIELDS_MAP_INTERNAL_NAME_TO_NICKNAME` mapping. Returns the valid query field nickname if found else the initial value.
Class Variable	_TYPE	`EVENT`: Flow queries are not implemented (yet)
Instance Variable	_filters	Undocumented
Method	_get_filters	Returns SIEM formatted filters for the query structured from `msiempy.event.GroupFilter` and/or `msiempy.event.FieldFilter` See `msiempy.core.query.FilteredQueryList.filters`.
Method	_close_query	Close the query
Method	_wait_for	Wait and sleep for the query.
Method	_get_events	Internal method that will get the query events. Called by `_qry_load_data`. By default, `numRows` correspond to `limit`.

Inherited from FilteredQueryList:

Instance Variable	not_completed	Boolean signals the query is not completed
Instance Variable	filters	Query filters
Instance Variable	start_time	Start time of the query in the right SIEM format.
Instance Variable	end_time	End time of the query in the right SIEM format.
Instance Variable	time_range	Query time range. Defaults to `"CURRENT_DAY"`.
Class Variable	DEFAULT_TIME_RANGE	Default time range : `"CURRENT_DAY"`
Class Variable	POSSIBLE_TIME_RANGE	No summary
Method	clear_filters	Remove all filters to the query. Abstract declaration.
Method	load_data	Load the data from the SIEM into the list. Abstract declaration.
Instance Variable	_time_range	Undocumented
Instance Variable	_start_time	Undocumented
Instance Variable	_end_time	Undocumented
Method	_get_time_range	Undocumented
Method	_set_time_range	Undocumented
Method	_get_start_time	Undocumented
Method	_set_start_time	Undocumented
Method	_get_end_time	Undocumented
Method	_set_end_time	Undocumented
Method	_set_filters	Undocumented
Method	_qry_load_data	Method to load the data from the SIEM. Rturns a `tuple ((items, completed))`. Abstract declaration.

Inherited from NitroList (via FilteredQueryList):

Instance Variable	data	Underlying `list` object
Method	__str__	str(obj) -> return text string.
Method	keys	List items keys. Every items should have the same set of keys.
Method	get_text	Return a csv or table string representation of the list
Method	text	Defaut table string, a shorcut to `get_text()` with no arguments.
Method	json	JSON list of dicts representing the list.
Method	search	Search elements in the list with a regex pattern
Method	refresh	Execute refresh function on all items.
Method	perform	Wrapper to execute a function on the list of elements
Static Method	_confirm_func	Ask user inut to confirm the calling of `func` on `elements`.

Inherited from NitroObject (via FilteredQueryList, NitroList):

Class	NitroJSONEncoder	Custom JSON encoder that will use the approprtiate propertie depending of the type of NitroObject. TODO support json json dumping of QueryFilers, may be by making them inherits from NitroDict.
Instance Variable	nitro	`msiempy.core.session.NitroSession` object. Interface to the SIEM.

_TYPE = (source)

EVENT: Flow queries are not implemented (yet)

(type: str)

def __init__(self, *args, **kwargs): (source)

overrides msiempy.core.query.FilteredQueryList.__init__

overridden in msiempy.EventManager, msiempy.GroupedEventManager

Create a query list

Arguments:

time_range (str): Query time range. String representation of a time range.

See msiempy.core.query.FilteredQueryList.POSSIBLE_TIME_RANGE.
start_time (str or a datetime): Query start time.
end_time (str or a datetime): Query end time.
filters: List of filters applied to the query.

_filters = (source)

overridden in msiempy.EventManager, msiempy.GroupedEventManager

Undocumented

(type: List)

def _get_filters(self): (source)

overrides msiempy.core.query.FilteredQueryList._get_filters

Returns SIEM formatted filters for the query structured from msiempy.event.GroupFilter and/or msiempy.event.FieldFilter See msiempy.core.query.FilteredQueryList.filters.

def add_filter(self, afilter): (source)

overrides msiempy.core.query.FilteredQueryList.add_filter

Add a filter to the query.

Called by the filters property setter.

Arguments:

afilter (tuple(field, [values]) or tuple(field, value) or msiempy.event.GroupFilter or msiempy.event.FieldFilter): The filter

def _close_query(self, resultID): (source)

Close the query

Internal method called by _qry_load_data

def _wait_for(self, resultID, wait_timeout_sec, sleep_time=0.2): (source)

Wait and sleep for the query.

Internal method called by _qry_load_data

Arguments:

resultID: Query result ID
wait_timeout_sec (int): Duration in seconds until the query is completed or countdown arrives at zero.
sleep_time (float): Time to sleep in the waiting loop

Returns:

True

Raises:

msiempy.NitroError: 'ResultUnavailable' error some times...
TimeoutError: Query wait timeout

def _get_events(self, resultID, startPos=0, numRows=500): (source)

Internal method that will get the query events. Called by _qry_load_data. By default, numRows correspond to limit.

@staticmethod
def get_field_nickname(field): (source)

Resolve SIEM events field nickname base on Event.SIEM_FIELDS_MAP_INTERNAL_NAME_TO_NICKNAME mapping. Returns the valid query field nickname if found else the initial value.

API Documentation for msiempy, generated by pydoctor 20.7.1 at 2020-11-18 14:02:21.