in elkserver/docker/redelk-base/redelkinstalldata/scripts/modules/enrich_greynoise/module.py [0:0]
def get_last_es_data(self, ip_address):
    """Return the most recent cached GreyNoise enrichment hit for *ip_address*.

    Searches the ``redirtraffic-*`` indices for a document tagged
    ``enrich_greynoise`` whose ``source.greynoise.query_timestamp`` lies
    within the last ``self.cache`` seconds (the window is whatever
    ``self.cache`` holds, not a fixed one day), newest ``@timestamp`` first.

    Args:
        ip_address: value matched exactly against ``host.ip`` via an ES
            ``term`` clause, i.e. it is sent as a structured query value
            rather than spliced into a query string.

    Returns:
        The newest matching hit dict, or ``False`` when ``raw_search``
        returns a falsy result or the hit list is empty.
    """
    window = {"gte": f"now-{self.cache}s", "lte": "now"}
    filters = [
        {"range": {"source.greynoise.query_timestamp": window}},
        {"term": {"tags": "enrich_greynoise"}},
        {"term": {"host.ip": ip_address}},
    ]
    query = {
        "size": 1,
        "sort": [{"@timestamp": {"order": "desc"}}],
        "query": {"bool": {"filter": filters}},
    }
    results = raw_search(query, index="redirtraffic-*")
    self.logger.debug(results)
    # Descending sort puts the newest hit first; a falsy result or an
    # empty hit list means nothing usable is cached for this IP.
    hits = results["hits"]["hits"] if results else []
    return hits[0] if hits else False