Created
November 28, 2014 20:40
-
-
Save jeffbryner/00f0abfe64466e700afd to your computer and use it in GitHub Desktop.
Import IOCs into Elastic Search
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Input: A json file with iocs of IP address, category and score like: | |
| { | |
| "2.3.4.5" : { | |
| "P2P" : "55" | |
| }, | |
| "1.2.3.4" : { | |
| "Brute_Forcer" : "117", | |
| "Scanner" : "117" | |
| } | |
| } | |
| Python script to Import into ES: | |
| import json | |
| import pyes | |
| from pyes.es import ES | |
| from datetime import datetime | |
| ipjson=json.load(open('pathtofile.json')) | |
| es=ES(("http", "servername", 9200)) | |
| print(datetime.now()) | |
| for k in ipjson.keys(): | |
| entry=dict() | |
| entry['ipv4indicator']=k | |
| entry['categories']=list() | |
| categories=ipjson[k].keys() | |
| for c in categories: | |
| score=ipjson[k][c] | |
| try: | |
| entry['categories'].append({c:int(score)}) | |
| except ValueError: | |
| print (k,c,score) | |
| pass | |
| es.index(index='indexname', | |
| doc_type='indicators', | |
| doc=json.dumps(entry), | |
| bulk=True) | |
| print(datetime.now()) | |
| Query via python: | |
| es=ES(("http", "servername", 9200)) | |
| q = pyes.ConstantScoreQuery(pyes.MatchAllQuery()) | |
| qType = pyes.TermFilter('_type', 'indicators') | |
| q = pyes.FilteredQuery(q,pyes.BoolFilter( | |
| must=[qType, | |
| pyes.ExistsFilter('categories.CnC'), | |
| pyes.RangeQuery(qrange=pyes.ESRange('categories.CnC', from_value=120, to_value=127)) | |
| ])) | |
| results=es.search(q,size=100,indices='indexname') | |
| results.count() | |
| Query via kibana: | |
| categories.CnC: [100 TO 130] |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment