In [1]:
import os

from elasticsearch6 import Elasticsearch
import pandas as pd

In [2]:
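# Connection target and index for the whole notebook. The defaults are the
# original local setup; the environment variables (names are this notebook's
# own convention) let it run against another cluster without editing cells.
host = os.environ.get('ES_HOST', 'localhost')
port = int(os.environ.get('ES_PORT', '9200'))
index = os.environ.get('ES_INDEX', "events-20220502")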

In [3]:
client = Elasticsearch(f'{host}:{port}')

In [4]:
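def query(perimeter, hostname='VM1', size=1000):
    """Build the Elasticsearch request body for one CIA perimeter.

    Args:
        perimeter: value matched against the ``category`` field
            (e.g. ``'availability'``, ``'integrity'``).
        hostname: value matched against the ``hostname`` field.
        size: maximum number of hits returned in this single page.

    Returns:
        A dict suitable for ``client.search(body=...)``: a ``bool`` query
        with both ``match`` clauses in ``must``, paging from offset 0,
        no sorting and no aggregations.
    """
    # The arguments go in as structured query clauses, never spliced into a
    # query string, so there is nothing to escape here.
    # `match` is a full-text query; whether it matches the whole hostname or
    # individual tokens depends on the field mapping — TODO confirm before
    # relying on it for exact per-host filtering.
    return {
        "query": {
            "bool": {
                "must": [
                    {"match": {"category": perimeter}},
                    {"match": {"hostname": hostname}},
                ],
                "must_not": [],
                "should": [],
            }
        },
        "from": 0,
        # Was hard-coded to 1000, which silently ignored the `size` argument.
        "size": size,
        "sort": [],
        "aggs": {},
    }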

# AVAILABILITY

In [5]:
raw_data_av = client.search(index=index, body=query('availability'))

In [6]:
raw_data_av['hits']['hits'][0]['_source']['details'].keys()

dict_keys(['metricset', 'event', 'service', 'ecs', 'agent', 'system', 'endpoint', 'customendpoint'])

In [7]:
raw_data_av['hits']['hits'][0]['_source']['details']

{'metricset': {'name': 'memory', 'period': 15000},
 'event': {'duration': 1951453,
  'module': 'system',
  'dataset': 'system.memory'},
 'service': {'type': 'system'},
 'ecs': {'version': '1.5.0'},
 'agent': {'id': '69c94e43-b718-4f50-8636-ef344572580d',
  'type': 'metricbeat',
  'version': '7.8.1',
  'hostname': 'VM1',
  'name': 'VM1',
  'ephemeral_id': '46260b17-874a-409d-83ae-1af30e523258'},
 'system': {'memory': {'total': 1028845568,
   'used': {'pct': 0.9126, 'bytes': 938954752},
   'actual': {'free': 611532800, 'used': {'pct': 0.4056, 'bytes': 417312768}},
   'page_stats': {'pgsteal_direct': {'pages': 125},
    'pgsteal_kswapd': {'pages': 552583},
    'direct_efficiency': {'pct': 1},
    'kswapd_efficiency': {'pct': 0.8723},
    'pgfree': {'pages': 18497109},
    'pgscan_kswapd': {'pages': 633473},
    'pgscan_direct': {'pages': 125}},
   'swap': {'in': {'pages': 0},
    'readahead': {'pages': 0, 'cached': 0},
    'used': {'pct': 0, 'bytes': 0},
    'total': 0,
    'free': 0,
   

# TRACEABILITY

In [8]:
raw_data_tr = client.search(index=index, body=query('traceability'))

In [9]:
raw_data_tr['hits']['hits'][0]['_source']['details'].keys()

dict_keys(['event', 'hostname', 'url', 'summary', 'ecs', 'agent', 'icmp', 'monitor', 'endpoint', 'customendpoint'])

In [10]:
raw_data_tr['hits']['hits'][0]['_source']['details']

{'event': {'dataset': 'uptime'},
 'hostname': 'test-conformite.netplus.priv',
 'url': {'scheme': 'icmp',
  'domain': '192.168.122.3',
  'full': 'icmp://192.168.122.3'},
 'summary': {'down': 0, 'up': 1},
 'ecs': {'version': '1.5.0'},
 'agent': {'id': '016bd43b-ef2a-47c2-8e55-e991357aec94',
  'type': 'heartbeat',
  'version': '7.9.3',
  'hostname': 'test-conformite.netplus.priv',
  'name': 'test-conformite.netplus.priv',
  'ephemeral_id': '834eb429-21b1-4e52-8972-9ebb6196d5ec'},
 'icmp': {'rtt': {'us': 1306}, 'requests': 1},
 'monitor': {'timespan': {'lt': '2022-05-05T04:58:36.000Z',
   'gte': '2022-05-05T04:58:20.000Z'},
  'id': 'dead-host-monitor-f5869335bca2e2ed',
  'status': 'up',
  'check_group': 'f5bdc4ff-cc2f-11ec-b0d1-9eb4e6ecd790',
  'type': 'icmp',
  'duration': {'us': 1360},
  'ip': '192.168.122.3',
  'name': 'dead-host-monitor'},
 'endpoint': 'logstash',
 'customendpoint': True}

In [11]:
raw_data_tr['hits']['hits'][0]['_source']['details']['monitor']

{'timespan': {'lt': '2022-05-05T04:58:36.000Z',
  'gte': '2022-05-05T04:58:20.000Z'},
 'id': 'dead-host-monitor-f5869335bca2e2ed',
 'status': 'up',
 'check_group': 'f5bdc4ff-cc2f-11ec-b0d1-9eb4e6ecd790',
 'type': 'icmp',
 'duration': {'us': 1360},
 'ip': '192.168.122.3',
 'name': 'dead-host-monitor'}

# INTEGRITY

In [12]:
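# Reuse the client created in In [3]; re-instantiating it here was a
# copy-paste leftover that only created a second, identical connection object.
raw_data_int = client.search(index=index, body=query('integrity'))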

In [13]:
raw_data_int['hits']['hits'][0]['_source']['details'].keys()

dict_keys(['hash', 'service', 'event', 'file', 'ecs', 'agent', 'endpoint', 'customendpoint'])

In [14]:
raw_data_int['hits']['hits'][0]['_source']['details']

{'hash': {'sha1': 'da39a3ee5e6b4b0d3255bfef95601890afd80709'},
 'service': {'type': 'file_integrity'},
 'event': {'category': ['file'],
  'type': ['change'],
  'action': ['attributes_modified'],
  'module': 'file_integrity',
  'dataset': 'file',
  'kind': 'event'},
 'file': {'inode': '774146',
  'ctime': '2021-09-29T08:50:27.056Z',
  'type': 'file',
  'owner': 'root',
  'hash': {'sha1': 'da39a3ee5e6b4b0d3255bfef95601890afd80709'},
  'mtime': '2021-09-29T08:50:27.056Z',
  'mode': '0644',
  'path': '/host/watchme/test',
  'size': 0,
  'uid': '0',
  'gid': '0',
  'group': 'root'},
 'ecs': {'version': '1.5.0'},
 'agent': {'id': '86dba4c3-a315-42df-b4d3-67e14c81f3d0',
  'type': 'auditbeat',
  'version': '7.8.1',
  'hostname': 'VM1',
  'name': 'VM1',
  'ephemeral_id': 'a0d3acbd-22de-4ca3-960d-293f8b384e38'},
 'endpoint': 'logstash',
 'customendpoint': True}

# CONFIDENTIALITY

In [15]:
raw_data_con = client.search(index=index, body=query('confidentiality'))

In [16]:
raw_data_con['hits']['hits'][0]['_source']['details'].keys()

dict_keys(['message', 'event', 'service', 'user', 'process', 'ecs', 'agent', 'related', 'endpoint', 'customendpoint'])

In [17]:
raw_data_con['hits']['hits'][0]['_source']['details']

{'message': 'Failed login by user root (UID: 0) on  (PID: 101625) from  (IP: 0.0.0.0)',
 'event': {'outcome': 'failure',
  'category': ['authentication'],
  'type': ['start', 'authentication_failure'],
  'action': 'user_login',
  'module': 'system',
  'origin': '/host/var/log/btmp',
  'dataset': 'login',
  'kind': 'event'},
 'service': {'type': 'system'},
 'user': {'id': 0, 'name': 'root'},
 'process': {'pid': 101625},
 'ecs': {'version': '1.5.0'},
 'agent': {'id': '86dba4c3-a315-42df-b4d3-67e14c81f3d0',
  'type': 'auditbeat',
  'version': '7.8.1',
  'hostname': 'VM1',
  'name': 'VM1',
  'ephemeral_id': '1b5e725d-d951-444e-9a7a-a77a1b82ac53'},
 'related': {'user': ['root'], 'ip': ['0.0.0.0']},
 'endpoint': 'logstash',
 'customendpoint': True}

In [18]:
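# Sub-keys of `details` that carry the perimeter-specific payload, as seen in
# the sample documents above. `event`, `ecs`, `agent`, `endpoint` and
# `customendpoint` appear in all four samples and `service` in three, so they
# are left out here.
availability = ['metricset', 'system']
# The original misspelled name is kept as an alias so later cells still resolve.
availibilty = availability
traceability = ['hostname', 'url', 'summary', 'icmp', 'monitor']
integrity = ['hash', 'file']
confidentiality = ['message', 'user', 'process', 'related']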