def get_scan_insight_format(client, now, last_fetch_timestamp=None, feed_type=None):
    """Build an Elasticsearch ``Search`` for indicators in insight format.

    The search selects documents whose ``client.time_field`` value is
    ``<= now`` and, when ``last_fetch_timestamp`` is truthy, also
    ``> last_fetch_timestamp`` (an incremental fetch window).

    Args:
        client: Object exposing ``es`` (the Elasticsearch connection),
            ``time_field`` (name of the timestamp field to range on) and
            ``fetch_index`` (index pattern to query).
        now: Inclusive upper bound of the time window.
        last_fetch_timestamp: Exclusive lower bound of the time window;
            when falsy the lower bound is omitted entirely.
        feed_type: When equal to ``FEED_TYPE_CORTEX_MT`` the query targets
            every ``*-shared*`` index except this tenant's own, and
            ``client.fetch_index`` is ignored.

    Returns:
        An ``elasticsearch_dsl.Search`` carrying the range filter and a
        ``query_string`` query that requires ``time_field`` to exist.
    """
    field = client.time_field
    configured_index = client.fetch_index

    # Time window: always bounded above by `now`; bounded below only when a
    # previous fetch time is known. NOTE(review): a falsy timestamp (e.g. 0)
    # also drops the lower bound -- confirm callers never pass 0 meaningfully.
    bounds = {'lte': now}
    if last_fetch_timestamp:
        bounds = {'gt': last_fetch_timestamp, 'lte': now}
    range_clause = {field: bounds}

    # `query_string` parses Lucene syntax and the field name is inserted
    # verbatim; `<field>:*` matches every document in which the field exists.
    # NOTE(review): a configured field name containing reserved query
    # characters would need escaping here -- confirm how time_field is validated.
    exists_query = QueryString(query=field + ":*")

    if feed_type == FEED_TYPE_CORTEX_MT:
        # Multi-tenant: read every tenant's shared index, excluding our own
        # only when a tenant hash is actually available.
        target = '*-shared*'
        own_hash = demisto.getIndexHash()
        if own_hash:
            target += f',-*{own_hash}*-shared*'
    else:
        # Fall back to all indices when no fetch index is configured.
        target = configured_index or '_all'

    return (
        Search(using=client.es, index=target)
        .filter({'range': range_clause})
        .query(exists_query)
    )
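def get_indicators_search_scan():
    """Build the Cortex multi-tenant indicator scan and its next checkpoint.

    Queries every ``*-shared*`` index except this tenant's own for documents
    whose ``calculatedTime`` is ``<= now`` and, when a previous run time is
    stored under ``demisto.getLastRun()['time']``, also ``> that time``.

    Returns:
        A ``(search, now_ts)`` tuple: the ``elasticsearch_dsl.Search`` to
        scan, and ``str(now.timestamp())`` to persist as the next run's
        ``time`` once the scan has been consumed.

    Raises:
        ValueError: if the stored ``time`` cannot be parsed as a float.
    """
    now = datetime.now()
    time_field = "calculatedTime"

    # The checkpoint is stored as a stringified POSIX timestamp (see the
    # return value), so it is parsed back the same way. NOTE(review): both
    # `now` and `fromtimestamp` are naive local time; the fetch window shifts
    # if the server timezone changes -- confirm the index stores matching values.
    last_fetch = demisto.getLastRun().get('time')
    if last_fetch:
        bounds = {'gt': datetime.fromtimestamp(float(last_fetch)), 'lte': now}
    else:
        bounds = {'lte': now}
    range_field = {time_field: bounds}

    es = elasticsearch_builder()
    # `query_string` with `<field>:*` matches documents where the field exists.
    query = QueryString(query=time_field + ":*")

    # All shared indexes minus this tenant's own. Match get_scan_insight_format:
    # append the exclusion only when a tenant hash is available. An empty hash
    # would otherwise expand to `-**-shared*`, which excludes every shared
    # index and silently yields no indicators.
    indexes = '*-shared*'
    tenant_hash = demisto.getIndexHash()
    if tenant_hash:
        indexes += f',-*{tenant_hash}*-shared*'

    search = Search(using=es, index=indexes).filter({'range': range_field}).query(query)
    return search, str(now.timestamp())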