in elkserver/docker/redelk-base/redelkinstalldata/scripts/modules/enrich_sliver/module.py [0:0]
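def enrich_sliver_data(self):
    """Enrich Sliver rtops docs with data from their implant's initial session doc.

    Queries ``rtops-*`` for Sliver documents that carry an ``implant.id``, are
    not the ``implant_newsession`` event itself, and are not yet tagged with
    this submodule's tag (``info["submodule"]``). The hits are grouped per
    implant ID; for each implant the initial session doc is looked up with
    ``self.get_initial_sliver_session_doc()`` and its ``host.*``, ``implant.*``,
    ``user.*`` and ``process.*`` fields are copied onto every hit with
    ``self.copy_data_fields()``.

    Returns:
        list: every truthy value returned by ``copy_data_fields()``, i.e. one
        entry per document that was enriched. Implants without an initial
        session doc are skipped; their hits are not included.
    """
    # The query is built from a module-level constant (info["submodule"]), not
    # from user- or implant-supplied data. Keep it that way: values taken from
    # ES documents must not be interpolated into a query string unescaped.
    es_query = (
        f'implant.id:* AND c2.program: sliver AND NOT c2.log.type:implant_newsession '
        f'AND NOT tags:{info["submodule"]}'
    )
    # size=10000 is a hard page cap: any backlog beyond that is left alone in
    # this run and picked up again by the next one (the docs stay untagged).
    not_enriched_results = get_query(es_query, size=10000, index='rtops-*')

    # Group hits by implant ID so the initial session doc is fetched once per
    # implant rather than once per hit.
    implant_ids = {}
    for not_enriched in not_enriched_results:
        implant_id = get_value('_source.implant.id', not_enriched)
        if implant_id is None:
            # Cannot happen given the implant.id:* clause, but a doc without an
            # ID has no session to copy from; skip it rather than querying for
            # None. (Assumes get_value returns None for a missing path.)
            continue
        implant_ids.setdefault(implant_id, []).append(not_enriched)

    hits = []
    for implant_id, docs in implant_ids.items():
        initial_sliver_session_doc = self.get_initial_sliver_session_doc(implant_id)
        # No initial session line -> nothing to copy from. These docs are left
        # as they are; presumably untagged, so a later run re-selects them.
        if not initial_sliver_session_doc:
            continue
        for doc in docs:
            # Fields to copy: host.*, implant.*, user.*, process.*
            res = self.copy_data_fields(
                initial_sliver_session_doc, doc, ['host', 'implant', 'user', 'process']
            )
            if res:
                hits.append(res)
    return hits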