Jay Swan jayswan
jayswan
/ gist:d4ddd71a35bb5f1ad86f
Last active
August 29, 2015 14:16
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| In [144]: tt = Search(using=es,index=i)\ | |
| .filter('term',TargetUserName.raw='Domain Admins')\ | |
| .filter('term',EventID=4728) | |
| File "<ipython-input-144-1b746eb83e6f>", line 1 | |
| tt = Search(using=es,index=i)\ | |
| .filter('term',TargetUserName.raw='Domain Admins')\ | |
| .filter('term',EventID=4728) | |
| SyntaxError: keyword can't be an expression |
jayswan
/ gist:3a7621d909b15c832cfb
Last active
August 29, 2015 14:16
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| In [142]: d | |
| Out[142]: {'TargetUserName.raw': 'Domain Admins'} | |
| In [143]: tt = Search(using=es,index=i)\ | |
| .filter('term',**d).filter('term',EventID=4728) |
jayswan
/ gist:c04eee5287cc7cbc5ea1
Created
March 1, 2015 03:08
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "query": { | |
| "filtered": { | |
| "filter": { | |
| "bool": { | |
| "must": [ | |
| { | |
| "term": { | |
| "EventID": 4728 | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from collections import defaultdict | |
| from operator import itemgetter | |
| import sys | |
| FILENAME = sys.argv[1] | |
| class SimpleCounter(defaultdict): | |
| """ Scrutinizer ships with Python 2.6 and doesn't have the Counter object | |
| from collections. This is a simple version of it. | |
| """ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import hashlib | |
| def hash(s,a='md5'): | |
| """ One-stop hex-digest of a string. Allows any algorithm supported by hashlib. """ | |
| f = getattr(hashlib,a) | |
| return f(s).hexdigest() | |
| def fhash(fn,a='md5'): | |
| """ Hash a file as a string. Not memory considerate. """ | |
| with open(fn) as f: |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from collections import namedtuple | |
| def d2n(name,d): | |
| """ convert dict to namedtuple """ | |
| NewClass = namedtuple(name,d.keys()) | |
| return NewClass(*d.values()) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from collections import Counter | |
| from csv import DictReader | |
| import gzip | |
| from pprint import pprint | |
| from sys import argv | |
| FIELDNAMES = ['ts', 'uid', 'id.orig_h', 'id.orig_p', 'id.resp_h', 'id.resp_p', 'proto', 'trans_id', 'query', 'qclass', 'qclass_name', 'qtype', 'qtype_name', 'rcode', 'rcode_name', 'AA', 'TC', 'RD', 'RA', 'Z', 'answersTTLs', 'rejected'] | |
| def ingest(files, delim='\t', qchar='"'): |
NewerOlder