-
Notifications
You must be signed in to change notification settings - Fork 516
/
Copy pathrun.py
76 lines (62 loc) · 3.18 KB
/
run.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
# or more contributor license agreements. Licensed under the Elastic License
# 2.0; you may not use this file except in compliance with the Elastic License
# 2.0.
import re
import textwrap
from pathlib import Path
import click
from detection_rules.misc import get_elasticsearch_client
from .utils import load_toml
class QueryRunner:
def __init__(self, es_config: dict):
"""Initialize the QueryRunner with Elasticsearch config."""
self.es_config = es_config
def load_hunting_file(self, file_path: Path):
"""Load the hunting file and return the data."""
return load_toml(file_path)
def preprocess_query(self, query: str) -> str:
"""Pre-process the query by removing comments and adding a LIMIT."""
query = re.sub(r'//.*', '', query)
if not re.search(r'LIMIT', query, re.IGNORECASE):
query += " | LIMIT 10"
click.echo("No LIMIT detected in query. Added LIMIT 10 to truncate output.")
return query
def run_individual_query(self, query: str, wait_timeout: int):
"""Run a single query with the Elasticsearch config."""
es = get_elasticsearch_client(**self.es_config)
query = self.preprocess_query(query)
try:
click.secho("Running query. Press Ctrl+C to cancel.", fg="blue")
query = query.replace("\n", " ")
# Start the query synchronously
response = es.esql.query(query=query)
self.process_results(response)
except Exception as e:
# handle missing index error
if "Unknown index" in str(e):
click.secho("This query references indexes that do not exist in the target stack.", fg="red")
click.secho("Check if index exists (via integration installation) and contains data.", fg="red")
click.secho("Alternatively, update the query to reference an existing index.", fg="red")
else:
click.secho(f"Error running query: {str(e)}", fg="red")
def run_all_queries(self, queries: dict, wait_timeout: int):
"""Run all eligible queries in the hunting file."""
click.secho("Running all eligible queries...", fg="green", bold=True)
for i, query in queries.items():
click.secho(f"\nRunning Query {i + 1}:", fg="green", bold=True)
click.echo(self._format_query(query))
self.run_individual_query(query, wait_timeout)
click.secho("\n" + "-" * 120, fg="yellow")
def process_results(self, response):
"""Process the Elasticsearch query results and display the outcome."""
response_data = response.body
if response_data.get('values'):
click.secho("Query matches found!", fg="red", bold=True)
else:
click.secho("No matches found!", fg="green", bold=True)
def _format_query(self, query: str) -> str:
"""Format the query with word wrapping for better readability."""
lines = query.split('\n')
wrapped_lines = [textwrap.fill(line, width=120, subsequent_indent=' ') for line in lines]
return '\n'.join(wrapped_lines)