Match/Query Classes
-------------------

ExistsMatch
^^^^^^^^^^^

Checks to see if a specific field exists in a document

.. code-block:: python
   :linenos:

   from mozdef_util.query_models import ExistsMatch

   ExistsMatch("randomfield")


TermMatch
^^^^^^^^^

Checks if a specific field matches the key

.. code-block:: python
   :linenos:

   from mozdef_util.query_models import TermMatch

   TermMatch("details.ip", "127.0.0.1")


TermsMatch
^^^^^^^^^^

Checks if a specific field matches any of the keys

.. code-block:: python
   :linenos:

   from mozdef_util.query_models import TermsMatch

   TermsMatch("details.ip", ["127.0.0.1", "1.2.3.4"])


WildcardMatch
^^^^^^^^^^^^^

Allows regex to be used in looking for documents that a field contains all or part of a key

.. code-block:: python
   :linenos:

   from mozdef_util.query_models import WildcardMatch

   WildcardMatch('summary', 'test*')


PhraseMatch
^^^^^^^^^^^

Checks if a field contains a specific phrase (includes spaces)

.. code-block:: python
   :linenos:

   from mozdef_util.query_models import PhraseMatch

   PhraseMatch('summary', 'test run')


BooleanMatch
^^^^^^^^^^^^

Used to apply specific "matchers" to a query. This will unlikely be used outside of SearchQuery.

.. code-block:: python
   :linenos:

   from mozdef_util.query_models import ExistsMatch, TermMatch, BooleanMatch

   must = [
       ExistsMatch('details.ip')
   ]
   must_not = [
       TermMatch('type', 'alert')
   ]

   BooleanMatch(must=must, should=[], must_not=must_not)


MissingMatch
^^^^^^^^^^^^

Checks if a field does not exist in a document

.. code-block:: python
   :linenos:

   from mozdef_util.query_models import MissingMatch

   MissingMatch('summary')


RangeMatch
^^^^^^^^^^

Checks if a field value is within a specific range (mostly used to look for documents in a time frame)

.. code-block:: python
   :linenos:

   from mozdef_util.query_models import RangeMatch

   RangeMatch('utctimestamp', "2016-08-12T21:07:12.316450+00:00", "2016-08-13T21:07:12.316450+00:00")


QueryStringMatch
^^^^^^^^^^^^^^^^

Uses a custom query string to generate the "match" based on (Similar to what you would see in kibana)

.. code-block:: python
   :linenos:

   from mozdef_util.query_models import QueryStringMatch

   QueryStringMatch('summary: test')


SubnetMatch
^^^^^^^^^^^^^^^^

Checks if an IP field is within the bounds of a subnet

.. code-block:: python
   :linenos:

   from mozdef_util.query_models import SubnetMatch

   SubnetMatch('details.sourceipaddress', '10.1.1.0/24')


Aggregation
^^^^^^^^^^^

Used to aggregate results based on a specific field

.. code-block:: python
   :linenos:

   from mozdef_util.query_models import Aggregation, SearchQuery, ExistsMatch

   search_query = SearchQuery(hours=24)
   must = [
       ExistsMatch('seenindicator')
   ]
   search_query.add_must(must)
   aggr = Aggregation('details.ip')
   search_query.add_aggregation(aggr)
   results = search_query.execute(es_client, indices=['events','events-previous'])