From 216174ff95920113aa57ba870d21dfe951330180 Mon Sep 17 00:00:00 2001
From: Chris Hammond
Date: Tue, 15 Aug 2023 20:41:46 -0400
Subject: [PATCH] Resolves #5 and bumps to 0.1.3
---
 caracara_filters/dialects/hosts.py | 65 +++++++++++++++++++-----------
 pyproject.toml | 2 +-
 2 files changed, 42 insertions(+), 25 deletions(-)
diff --git a/caracara_filters/dialects/hosts.py b/caracara_filters/dialects/hosts.py
index 8c018e7..f3fa7f3 100644
--- a/caracara_filters/dialects/hosts.py
+++ b/caracara_filters/dialects/hosts.py
@@ -47,6 +47,11 @@ def user_readable_string_transform(map_dict: Dict[str, str], input_str: str) ->
 ]),
 }
 
+hosts_device_id_filter = {
+ "fql": "device_id",
+ "help": "Filter by device ID (AID).",
+}
+
 hosts_domain_filter = {
 "fql": "machine_domain",
 "help": (
@@ -55,6 +60,28 @@ def user_readable_string_transform(map_dict: Dict[str, str], input_str: str) ->
 ),
 }
 
+hosts_first_seen_filter = {
+ "fql": "first_seen",
+ "multivariate": False,
+ "operator": "GTE",
+ "valid_operators": [
+ "EQUAL",
+ "GT",
+ "GTE",
+ "LT",
+ "LTE",
+ ],
+ "transform": relative_timestamp_transform,
+ "validator": relative_timestamp_validator,
+ "help": (
+ "This filter accepts two types of parameter: a fixed ISO 8601 timestamp (such as "
+ "2020-01-01:01:00:00Z), or a relative timestamp such as -30m. -30m means time now, "
+ "minus thirty minutes, so is best combined with an operator such as GTE. One example is "
+ "FirstSeen__GTE=-1d, to filter for all new hosts that have been added to Falcon within "
+ "the past 1 day."
+ ),
+}
+
 hosts_group_id_filter = {
 "fql": "groups",
 "help": (
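Review bot: hosts_device_id_filter in the first hunk carries only `fql` and `help`, while hosts_first_seen_filter in the very next hunk carries both a `validator` and a `transform`, so a caller-supplied device ID is presumably forwarded into the generated FQL expression unchanged. Falcon AIDs are 32-character hexadecimal strings; a validator that rejects anything else would surface typos and stray characters when the filter is built rather than as a query that silently matches no hosts. At minimum the help text should state the expected shape, e.g. `"help": "Filter by device ID (AID): a 32-character hexadecimal Falcon agent identifier.",`. Whether the dialect runs validators for plain string filters is not visible in this diff, so the validator part is a suggestion to confirm against the engine.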
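Review bot: The help text of hosts_first_seen_filter, which the second hunk moves to its new position, gives `2020-01-01:01:00:00Z` as the example of a fixed ISO 8601 timestamp, but ISO 8601 separates the date and time with `T`, not `:`, so a user who copies the example produces a value the timestamp validator may well reject. The line should read `"2020-01-01T01:00:00Z), or a relative timestamp such as -30m. -30m means time now, "`. The old copy of this string is deleted in the following hunk, so this moved copy is the only one left to fix.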
@@ -96,28 +123,6 @@ def user_readable_string_transform(map_dict: Dict[str, str], input_str: str) ->
 ),
 }
 
-hosts_first_seen_filter = {
- "fql": "first_seen",
- "multivariate": False,
- "operator": "GTE",
- "valid_operators": [
- "EQUAL",
- "GT",
- "GTE",
- "LT",
- "LTE",
- ],
- "transform": relative_timestamp_transform,
- "validator": relative_timestamp_validator,
- "help": (
- "This filter accepts two types of parameter: a fixed ISO 8601 timestamp (such as "
- "2020-01-01:01:00:00Z), or a relative timestamp such as -30m. -30m means time now, "
- "minus thirty minutes, so is best combined with an operator such as GTE. One example is "
- "FirstSeen__GTE=-1d, to filter for all new hosts that have been added to Falcon within "
- "the past 1 day."
- ),
-}
-
 hosts_local_ip_address_filter = {
 "fql": "local_ip",
 "help": (
@@ -128,6 +133,14 @@ def user_readable_string_transform(map_dict: Dict[str, str], input_str: str) ->
 ),
 }
 
+hosts_mac_address_filter = {
+ "fql": "mac_address",
+ "help": (
+ "This filter accepts a MAC address string associated with a network interface, e.g., "
+ "01-22-33-44-55-66"
+ ),
+}
+
 hosts_os_version_filter = {
 "fql": "os_version",
 "help": (
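Review bot: hosts_mac_address_filter in the second hunk of this line has neither a `transform` nor a `validator`, so a MAC address written as `01:22:33:44:55:66` or `0122.3344.5566` is presumably emitted into the FQL expression verbatim and, if Falcon stores the dash-separated form the example suggests, quietly matches nothing. A validator requiring exactly twelve hex digits (separators aside) would reject malformed input up front, and a transform that strips separators, lowercases, and re-joins pairs with `-` would let the filter accept the common notations; whether the dialect's transform hook fits a single-argument string normalizer is not visible here, so confirm against relative_timestamp_transform's signature first. The help text should also state which form is expected, e.g. `"This filter accepts a MAC address in the dash-separated form Falcon stores, e.g., "` followed by the existing `"01-22-33-44-55-66"` line.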
@@ -172,16 +185,20 @@ def user_readable_string_transform(map_dict: Dict[str, str], input_str: str) ->
 
 HOSTS_FILTERS: Dict[str, Dict[str, Any]] = {
 "contained": hosts_contained_filter,
+ "deviceid": hosts_device_id_filter,
+ "device_id": hosts_device_id_filter, # pythonic
 "domain": hosts_domain_filter,
+ "firstseen": hosts_first_seen_filter,
+ "first_seen": hosts_first_seen_filter, # pythonic
 "groupid": hosts_group_id_filter,
 "group_id": hosts_group_id_filter, # pythonic
 "hostname": hosts_hostname_filter,
 "lastseen": hosts_last_seen_filter,
 "last_seen": hosts_last_seen_filter, # pythonic
- "firstseen": hosts_first_seen_filter,
- "first_seen": hosts_first_seen_filter, # pythonic
 "localip": hosts_local_ip_address_filter,
 "local_ip": hosts_local_ip_address_filter, # pythonic
+ "macaddress": hosts_mac_address_filter,
+ "mac_address": hosts_mac_address_filter, # pythonic
 "osversion": hosts_os_version_filter,
 "os_version": hosts_os_version_filter, # pythonic
 "role": hosts_role_filter,
diff --git a/pyproject.toml b/pyproject.toml
index 2aec64b..e7c1846 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "caracara-filters"
-version = "0.1.2"
+version = "0.1.3"
 description = "FQL generation engine for Caracara"
 authors = ["Chris Hammond "]
 license = "MIT"