def get_scan_insight_format(client,
                            now,
                            last_fetch_timestamp=None,
                            feed_type=None):
    """Build the elasticsearch-dsl ``Search`` for a scan in insight format.

    The search keeps only documents whose ``client.time_field`` exists
    (``<time_field>:*``) and falls inside the fetch window: ``(last_fetch_timestamp, now]``
    when a previous fetch time is known, otherwise ``(-inf, now]``.

    Args:
        client: Integration client. ``client.time_field`` (name of the date field),
            ``client.es`` (Elasticsearch connection) and ``client.fetch_index``
            (configured index pattern) are read.
        now: Inclusive upper bound of the time window.
        last_fetch_timestamp: Exclusive lower bound. Any falsy value
            (``None``, ``0``, ``""``) means "no lower bound".
        feed_type: When equal to ``FEED_TYPE_CORTEX_MT`` the configured index is
            ignored and all ``*-shared*`` indices are searched, minus the ones
            whose name contains this tenant's ``demisto.getIndexHash()``.

    Returns:
        The un-executed ``Search`` object.
    """
    time_field = client.time_field

    # Range filter on the time field; the lower bound is added only when known.
    window = {}
    if last_fetch_timestamp:
        window['gt'] = last_fetch_timestamp
    window['lte'] = now
    range_field = {time_field: window}

    # NOTE: time_field is interpolated verbatim into a query_string query, so it
    # must come from trusted integration configuration, never from request data.
    query = QueryString(query=time_field + ":*")

    if feed_type == FEED_TYPE_CORTEX_MT:
        # Multi-tenant feed: every shared index except this tenant's own.
        indices = '*-shared*'
        tenant_hash = demisto.getIndexHash()
        if tenant_hash:
            indices = indices + f',-*{tenant_hash}*-shared*'
    else:
        # Fall back to every index when no index pattern is configured.
        indices = client.fetch_index or '_all'

    range_filter = {'range': range_field}
    search = Search(using=client.es, index=indices)
    search = search.filter(range_filter)
    search = search.query(query)
    return search
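def get_indicators_search_scan():
    """Build the indicator scan ``Search`` over other tenants' shared indices.

    Documents are restricted to those with a ``calculatedTime`` field inside the
    window ``(last_fetch, now]``, where ``last_fetch`` is the ``time`` value
    stored in the last run (expected to be a stringified epoch, as written by
    this function's own return value); with no stored value the window is
    ``(-inf, now]``. Both bounds are naive local-time ``datetime`` objects.

    Returns:
        ``(search, now_ts)``: the un-executed ``Search`` object and
        ``str(now.timestamp())``, to be persisted as the next run's ``time``.

    Raises:
        ValueError: if the stored ``time`` value is not parseable by ``float()``.
    """
    now = datetime.now()
    time_field = "calculatedTime"
    last_fetch = demisto.getLastRun().get('time')

    # Range filter on calculatedTime; the lower bound is added only when a
    # previous fetch time is stored.
    window = {}
    if last_fetch:
        window['gt'] = datetime.fromtimestamp(float(last_fetch))
    window['lte'] = now
    range_field = {time_field: window}

    es = elasticsearch_builder()
    query = QueryString(query=time_field + ":*")

    # All shared indices minus this tenant's own shared index. Append the
    # exclusion only when a tenant hash is actually available: an empty hash
    # would produce '-**-shared*' (excluding every shared index) and None would
    # produce '-*None*-shared*' (excluding nothing), neither of which is the
    # intent. This mirrors the multi-tenant branch of get_scan_insight_format.
    indexes = '*-shared*'
    tenant_hash = demisto.getIndexHash()
    if tenant_hash:
        indexes += f',-*{tenant_hash}*-shared*'

    search = Search(using=es, index=indexes).filter({
        'range': range_field
    }).query(query)
    return search, str(now.timestamp())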