in elkserver/docker/redelk-base/redelkinstalldata/scripts/modules/enrich_tor/module.py [0:0]
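def enrich_tor(self, iplist):  # pylint:disable=no-self-use
    """Return redirtraffic documents whose source IP is in the Tor exit-node list.

    Queries ``redirtraffic-*`` for documents that do not yet carry this
    submodule's tag (``info["submodule"]``) and were indexed no later than the
    last run of ``enrich_iplists``; the timestamp bound avoids racing with that
    module on documents it has not processed yet. Each hit whose
    ``_source.source.ip`` appears in ``iplist`` is returned unchanged.

    Args:
        iplist: iterable of Tor exit-node IPs (expected as hashable values,
            e.g. strings, matching the form stored in ``source.ip``).

    Returns:
        list of raw Elasticsearch hit dicts (``res["hits"]["hits"]`` entries)
        whose source IP is in ``iplist``; empty when the search returned
        ``None`` or nothing matched.
    """
    iplist_lastrun = get_last_run("enrich_iplists")
    query = {
        "sort": [{"@timestamp": {"order": "desc"}}],
        "query": {
            "bool": {
                "filter": [
                    {"range": {"@timestamp": {"lte": iplist_lastrun.isoformat()}}}
                ],
                # NOTE(review): ``match`` is analyzed if ``tags`` is mapped as
                # text; a ``term`` query would be the exact-value form. Confirm
                # the mapping before changing it.
                "must_not": [{"match": {"tags": info["submodule"]}}],
            }
        },
    }
    res = raw_search(query, index="redirtraffic-*")
    not_enriched = [] if res is None else res["hits"]["hits"]

    # Build the lookup set once: membership per document is O(1) instead of a
    # linear scan of the exit-node list for every hit.
    tor_exit_nodes = set(iplist)
    # get_value returns a missing ip as a non-member, so such docs are skipped.
    return [
        doc
        for doc in not_enriched
        if get_value("_source.source.ip", doc) in tor_exit_nodes
    ]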