in elkserver/docker/redelk-base/redelkinstalldata/scripts/modules/enrich_greynoise/module.py [0:0]
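def enrich_greynoise(self):
    """Enrich not-yet-enriched redirtraffic documents with GreyNoise data.

    Fetches every document in ``redirtraffic-*`` that is not yet tagged with
    this submodule (``info["submodule"]``) and whose ``@timestamp`` is not
    newer than the last run of ``enrich_iplists``; the time filter avoids a
    race with that module, which must see a document before this one does.
    Documents are grouped by ``source.ip`` so each address is resolved only
    once: the data comes from a recent already-enriched document when
    ``self.get_last_es_data`` returns one, otherwise from
    ``self.get_greynoise_data``. Every grouped document is then handed to
    ``self.add_greynoise_data``.

    Returns:
        list: the truthy values returned by ``self.add_greynoise_data``,
        one per document that was enriched.
    """
    iplist_lastrun = get_last_run("enrich_iplists")
    # NOTE(review): assumes get_last_run always returns a datetime; a None
    # return would raise AttributeError on .isoformat() -- confirm.
    es_query = {
        "sort": [{"@timestamp": {"order": "desc"}}],
        "query": {
            "bool": {
                "filter": [
                    {"range": {"@timestamp": {"lte": iplist_lastrun.isoformat()}}}
                ],
                "must_not": [{"match": {"tags": info["submodule"]}}],
            }
        },
    }
    es_result = raw_search(es_query, index="redirtraffic-*")
    not_enriched_results = [] if es_result is None else es_result["hits"]["hits"]

    # Group documents by source.ip so each address is looked up only once.
    # Documents without a source IP cannot be enriched and are dropped here
    # (the original skipped them later, after grouping them under a falsy key).
    ips = {}
    for not_enriched in not_enriched_results:
        ip = get_value("_source.source.ip", not_enriched)  # pylint: disable=invalid-name
        if not ip:
            continue
        ips.setdefault(ip, []).append(not_enriched)

    hits = []
    for ip, docs in ips.items():  # pylint: disable=invalid-name
        # Prefer data already stored on a recent redirtraffic document for this
        # IP; only fall back to a fresh GreyNoise lookup when none is available.
        last_es_data = self.get_last_es_data(ip)
        if last_es_data:
            greynoise_data = get_value("_source.source.greynoise", last_es_data)
        else:
            # The IP value comes straight from traffic logs; get_greynoise_data
            # is expected to validate it before any external lookup -- confirm.
            greynoise_data = self.get_greynoise_data(ip)
        # Nothing known about this IP: leave its documents untouched.
        if not greynoise_data:
            continue
        for doc in docs:
            # Copies the greynoise.* fields onto the document. Kept in its own
            # name so the raw_search result above is not silently overwritten.
            enriched = self.add_greynoise_data(doc, greynoise_data)
            if enriched:
                hits.append(enriched)
    return hits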