Match/Query Classes
-------------------

ExistsMatch
^^^^^^^^^^^

Checks to see if a specific field exists in a document

.. code-block:: python
   :linenos:

   from mozdef_util.query_models import ExistsMatch

   ExistsMatch("randomfield")


TermMatch
^^^^^^^^^

Checks if a specific field matches the given key

.. code-block:: python
   :linenos:

   from mozdef_util.query_models import TermMatch

   TermMatch("details.ip", "127.0.0.1")


TermsMatch
^^^^^^^^^^

Checks if a specific field matches any of the keys

.. code-block:: python
   :linenos:

   from mozdef_util.query_models import TermsMatch

   TermsMatch("details.ip", ["127.0.0.1", "1.2.3.4"])


WildcardMatch
^^^^^^^^^^^^^

Allows a regex to be used to find documents in which a field contains all or part of a key

.. code-block:: python
   :linenos:

   from mozdef_util.query_models import WildcardMatch

   WildcardMatch('summary', 'test*')


PhraseMatch
^^^^^^^^^^^

Checks if a field contains a specific phrase (includes spaces)

.. code-block:: python
   :linenos:

   from mozdef_util.query_models import PhraseMatch

   PhraseMatch('summary', 'test run')


BooleanMatch
^^^^^^^^^^^^

Used to apply specific "matchers" to a query. This is unlikely to be used outside of SearchQuery.

.. code-block:: python
   :linenos:

   from mozdef_util.query_models import ExistsMatch, TermMatch, BooleanMatch

   must = [
       ExistsMatch('details.ip')
   ]
   must_not = [
       TermMatch('type', 'alert')
   ]

   BooleanMatch(must=must, should=[], must_not=must_not)


MissingMatch
^^^^^^^^^^^^

Checks if a field does not exist in a document

.. code-block:: python
   :linenos:

   from mozdef_util.query_models import MissingMatch

   MissingMatch('summary')


RangeMatch
^^^^^^^^^^

Checks if a field value is within a specific range (mostly used to look for documents in a time frame)

.. code-block:: python
   :linenos:

   from mozdef_util.query_models import RangeMatch

   RangeMatch('utctimestamp', "2016-08-12T21:07:12.316450+00:00", "2016-08-13T21:07:12.316450+00:00")


QueryStringMatch
^^^^^^^^^^^^^^^^

Generates the "match" from a custom query string (similar to what you would type in Kibana)

.. code-block:: python
   :linenos:

   from mozdef_util.query_models import QueryStringMatch

   QueryStringMatch('summary: test')


SubnetMatch
^^^^^^^^^^^

Checks if an IP field is within the bounds of a subnet

.. code-block:: python
   :linenos:

   from mozdef_util.query_models import SubnetMatch

   SubnetMatch('details.sourceipaddress', '10.1.1.0/24')


Aggregation
^^^^^^^^^^^

Used to aggregate results based on a specific field

.. code-block:: python
   :linenos:

   from mozdef_util.query_models import Aggregation, SearchQuery, ExistsMatch

   # es_client is an Elasticsearch client connection established elsewhere
   search_query = SearchQuery(hours=24)
   must = [
       ExistsMatch('seenindicator')
   ]
   search_query.add_must(must)
   # bucket the matching events by the value of details.ip
   aggr = Aggregation('details.ip')
   search_query.add_aggregation(aggr)
   results = search_query.execute(es_client, indices=['events', 'events-previous'])
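
The matchers above compose into one Elasticsearch bool query plus a terms aggregation; the added example below (not mozdef_util code) builds that request as plain dicts so it runs without mozdef_util or a cluster. The field names are taken from this page's examples, and the exact DSL mapping (exists/match/term/range/bool/terms) is this example's own assumption rather than mozdef_util's guaranteed output.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Field names below are assumptions taken from the examples on this page;
# the DSL mapping (exists/match/term/range/bool/terms) is this example's
# own and is not guaranteed to be byte-identical to mozdef_util's output.


def subnet_match(field, cidr):
    """Term query on an ip-typed field; Elasticsearch accepts CIDR notation.
    Validate the CIDR locally so a malformed value fails here, not on the
    cluster (strict=True also rejects host bits set in the network part)."""
    ipaddress.ip_network(cidr, strict=True)  # raises ValueError if malformed
    return {"term": {field: cidr}}


def range_match(field, begin, end):
    """Inclusive range, as used for the utctimestamp time-frame matches."""
    return {"range": {field: {"gte": begin, "lte": end}}}


def boolean_match(must=(), should=(), must_not=()):
    """The bool container that SearchQuery wraps the matchers in."""
    return {"bool": {"must": list(must), "should": list(should),
                     "must_not": list(must_not)}}


def recent_subnet_events(cidr, hours=24, size=20, now=None):
    """Events whose source IP is inside `cidr` during the last `hours`,
    excluding MozDef's own alerts, bucketed per source IP so one chatty
    host does not crowd the others out of the hit list."""
    now = now or datetime.now(timezone.utc)
    begin = (now - timedelta(hours=hours)).isoformat()
    must = [
        {"exists": {"field": "details.sourceipaddress"}},     # ExistsMatch
        subnet_match("details.sourceipaddress", cidr),        # SubnetMatch
        range_match("utctimestamp", begin, now.isoformat()),  # RangeMatch
    ]
    must_not = [{"match": {"type": "alert"}}]                 # TermMatch
    return {
        "query": boolean_match(must=must, must_not=must_not),
        # Aggregation('details.sourceipaddress'): one terms bucket per IP
        "aggs": {"by_ip": {"terms": {"field": "details.sourceipaddress",
                                     "size": size}}},
    }
```

The returned dict is the body you would hand to an Elasticsearch search call against the `events` indices; the CIDR check fails fast on operator typos instead of producing an empty result set that looks like "no activity".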