def query_tests(self):
    """Return wildcard fixtures keyed by the WildcardMatch query they exercise.

    Each key is a WildcardMatch; each value is a list of event documents the
    harness feeds to it. Judging by the contents (no summary starting with
    "te", no ip starting with "19", one event with the field spelled
    "ipaddress"), these look like the negative cases — confirm against the
    test harness, whose class header is not visible here.
    """
    summary_events = [
        {'summary': 'example summary'},
        {'summary': 'tabs 4 spaces'},
    ]
    ip_events = [
        {'details': {'ip': '10.1.1.1'}},
        {'details': {'ip': '2.168.1.192'}},
        {'details': {'ip': '10.19.1.1'}},
        # "19" is present but under a different field name than the query targets
        {'details': {'ipaddress': '10.19.1.1'}},
    ]
    fixtures = {}
    fixtures[WildcardMatch('summary', 'te*')] = summary_events
    fixtures[WildcardMatch('details.ip', '19*')] = ip_events
    return fixtures
def query_tests(self):
    """Return wildcard fixtures keyed by the WildcardMatch query they exercise.

    Each key is a WildcardMatch; each value is a list of event documents the
    harness feeds to it. Every summary here contains "te" (leading for the
    'te*' query, embedded for '*te*') and every ip starts with "19" or ends in
    "1.0", so these look like the positive cases — confirm against the test
    harness, whose class header is not visible here.
    """
    prefix_summaries = [
        {'summary': 'test'},
        {'summary': 'test summary'},
        {'summary': 'example test summary'},
        {'summary': 'example summary test'},
    ]
    embedded_summaries = [
        {'summary': 'abcteabc'},
        {'summary': 'abc te abc'},
        {'summary': 'abc te'},
    ]
    prefix_ips = [
        {'details': {'ip': '192.168.1.1'}},
        {'details': {'ip': '19.168.1.1'}},
    ]
    suffix_ips = [
        {'details': {'ip': '192.168.1.0'}},
    ]
    fixtures = {}
    fixtures[WildcardMatch('summary', 'te*')] = prefix_summaries
    fixtures[WildcardMatch('summary', '*te*')] = embedded_summaries
    fixtures[WildcardMatch('details.ip', '19*')] = prefix_ips
    fixtures[WildcardMatch('details.ip', '*1.0')] = suffix_ips
    return fixtures
def main(self):
    """Alert on LDAP group modifications, aggregated per details.email.

    Builds a 15-minute query for ldapChange events with changetype "modify"
    whose summary mentions "groups", drops events whose actor matches
    '*bind*' or whose changepairs match 'delete:*member*', then aggregates
    on details.email (up to 50 samples per bucket) and walks every bucket
    with at least one event (threshold=1).
    """
    query = SearchQuery(minutes=15)
    required = [
        TermMatch('category', 'ldapChange'),
        TermMatch('details.changetype', 'modify'),
        PhraseMatch("summary", "groups"),
    ]
    query.add_must(required)
    # Exclusions: '*bind*' actors and member-delete change pairs.
    # NOTE(review): the original comment here ("ignore test accounts and
    # attempts to create accounts that already exist") reads as copied from
    # the account-creation alert and does not describe these two filters;
    # confirm the intended exclusions with the alert owner.
    excluded = [
        WildcardMatch('details.actor', '*bind*'),
        WildcardMatch('details.changepairs', 'delete:*member*'),
    ]
    query.add_must_not(excluded)
    self.filtersManual(query)
    self.searchEventsAggregated('details.email', samplesLimit=50)
    self.walkAggregations(threshold=1, config={})
def main(self):
    """Alert on each LDAP group modification event individually.

    Builds a 15-minute query for ldapChange events with changetype "modify"
    whose summary mentions "groups", drops events whose actor matches
    '*bind*' or whose changepairs match '*delete:member*', then runs a
    simple (non-aggregated) search and walks every matching event.
    """
    query = SearchQuery(minutes=15)
    required = [
        TermMatch('category', 'ldapChange'),
        TermMatch('details.changetype', 'modify'),
        PhraseMatch("summary", "groups"),
    ]
    query.add_must(required)
    # Exclusions: '*bind*' actors and member-delete change pairs.
    # NOTE(review): the original comment here ("ignore test accounts and
    # attempts to create accounts that already exist") does not describe
    # these two filters; confirm the intended exclusions with the alert owner.
    excluded = [
        WildcardMatch('details.actor', '*bind*'),
        WildcardMatch('details.changepairs', '*delete:member*'),
    ]
    query.add_must_not(excluded)
    self.filtersManual(query)
    # One alert per event rather than per aggregation bucket.
    self.searchEventsSimple()
    self.walkEvents()
def main(self):
    """Alert on each LDAP "add" change event individually.

    Builds a 15-minute query for ldapChange events with changetype "add",
    drops events whose actor matches '*bind*', then runs a simple
    (non-aggregated) search and walks every matching event.
    """
    query = SearchQuery(minutes=15)
    required = [
        TermMatch('category', 'ldapChange'),
        TermMatch('details.changetype', 'add'),
    ]
    query.add_must(required)
    # Exclusion: '*bind*' actors only.
    # NOTE(review): the original comment here ("ignore test accounts and
    # attempts to create accounts that already exist") does not describe
    # this filter; confirm the intended exclusion with the alert owner.
    excluded = [
        WildcardMatch('details.actor', '*bind*'),
    ]
    query.add_must_not(excluded)
    self.filtersManual(query)
    # One alert per event rather than per aggregation bucket.
    self.searchEventsSimple()
    self.walkEvents()
def main(self):
    """Alert on bursts of Firefox Accounts creations from a single IP.

    Builds a 10-minute query for events tagged "firefoxaccounts" whose
    details.action is "accountCreate", drops events whose details.email
    matches '*restmail.net', then aggregates on details.ip (keeping at most
    10 sample events per bucket) and alerts on buckets with 10 or more events.
    """
    query = SearchQuery(minutes=10)
    required = [
        TermMatch('tags', 'firefoxaccounts'),
        PhraseMatch('details.action', 'accountCreate'),
    ]
    query.add_must(required)
    # ignore test accounts and attempts to create accounts that already exist.
    # (Only the restmail.net exclusion is visible here; the "already exist"
    # part presumably refers to upstream event shaping — confirm.)
    excluded = [
        WildcardMatch('details.email', '*restmail.net'),
    ]
    query.add_must_not(excluded)
    self.filtersManual(query)
    # Group by source IP; samplesLimit bounds how many raw events are retained per bucket.
    self.searchEventsAggregated('details.ip', samplesLimit=10)
    # Fire only when a single IP has created >= 10 accounts in the window.
    self.walkAggregations(threshold=10)