aggregated#

Autogenerated API

argus_api.lib.events.v1.aggregated.find_aggregated_event_stats(signature: str = None, destinationIP: str = None, sourceIP: str = None, ip: str = None, destinationPort: str = None, sourcePort: str = None, port: str = None, minSeverity: str = None, maxSeverity: str = None, includeDeleted: bool = None, customerID: int = None, exclude: bool = None, required: bool = None, eventIdentifier: dict = None, locationID: int = None, severity: str = None, customer: str = None, alarmID: int = None, attackCategoryID: int = None, sourceGeoCountry: str = None, destinationGeoCountry: str = None, geoCountry: str = None, domain: str = None, properties: dict = None, productionCustomers: bool = None, multivaluePropertySeparator: str = None, minCount: int = None, associatedCaseID: int = None, sourceIPMinBits: int = None, destinationIPMinBits: int = None, subCriteria: dict = None, timeFieldStrategy: str = None, resolution: int = None, resolutionUnit: str = None, groupBy: str = None, countRawEvents: bool = None, cutoff: int = None, includeOthers: bool = None, timeFrameStrategy: str = None, startTimestamp: int = None, endTimestamp: int = None, includeFlags: str = None, excludeFlags: str = None, lastUpdatedTimestamp: int = None, indexStartTime: int = None, indexEndTime: int = None, skipFutureEvents: bool = None, exactMatchProperties: bool = True, json: bool = True, verify: Optional[bool] = None, proxies: Optional[dict] = None, apiKey: Optional[str] = None, authentication: Optional[dict] = None, server_url: Optional[str] = None, body: Optional[dict] = None, api_session: Optional[ArgusAPISession] = None) dict#

Fetch aggregated event stats (PUBLIC)

Parameters
  • signature (list) –

  • destinationIP (list) –

  • sourceIP (list) –

  • ip (list) –

  • destinationPort (list) –

  • sourcePort (list) –

  • port (list) –

  • minSeverity (str) –

  • maxSeverity (str) –

  • includeDeleted (bool) – Also include deleted objects (where implemented)

  • customerID (list) – DEPRECATED! Use customer instead

  • exclude (bool) – Exclude these criteria from the parent criteria.

  • required (bool) – Only relevant for subcriteria. If set to true, objects matching this subcriteria are required (AND-ed together with parent criteria).

  • eventIdentifier (list) – Search for events specified by full ID (type/timestamp/customerID/eventID).

  • locationID (list) – Search for events having these locations.

  • severity (list) – Search events with specified severity. Can’t be used together with minSeverity/maxSeverity.

  • customer (list) – Search for events by customer (id or shortname).

  • alarmID (list) – Search for events having an attack identifier (signature) mapped to any of these alarms.

  • attackCategoryID (list) – Search for events having an attack identifier (signature) mapped to any of these categories.

  • sourceGeoCountry (list) – Search for events where source IP is registered in any of these countries.

  • destinationGeoCountry (list) – Search for events where destination IP is registered in any of these countries.

  • geoCountry (list) – Search for events where source or destination IP is registered in any of these countries.

  • domain (list) – Search for events having one of these domains. The domains are not validated

  • properties (dict) – Search for events having these properties (logical AND).

  • productionCustomers (bool) – If set, apply a customer filter for customers marked as ‘not in production’. If true, EXCLUDE customers ‘not in production’. If false, REQUIRE customers ‘not in production’. Default is unset (no filter on production customers).

  • multivaluePropertySeparator (str) – Separator that is going to be used when formatting the multi-value properties of the found events. (default comma)

  • minCount (int) – Search for events with aggregated count at least this high

  • associatedCaseID (list) – Search for events associated to one of these cases, 0 will match events NOT associated with any case

  • sourceIPMinBits (int) – Do not include source CIDR-networks with wider mask than this

  • destinationIPMinBits (int) – Do not include destination CIDR-networks with wider mask than this

  • subCriteria (list) – Allow subcriteria (include or exclude), to refine search arbitrarily

  • timeFieldStrategy (list) – Defines which timestamps will be included in the search, will default to startTimestamp/endTimestamp.This field cannot be used alongside the lastUpdateTime field due to backwards compatibility.

  • resolution (int) – Divide results into timeframes with this size (in milliseconds)

  • resolutionUnit (str) – For use with date histogram, this will bind the intervals to the unit given.Calendar units, such as weeks, months, and years, can only be used with a resolution of 1. Default is milliseconds

  • groupBy (list) – Group results by these fields

  • countRawEvents (bool) – Return the number of raw events (not the number of aggregated events)

  • cutoff (int) – If set, keep the <cutoff> biggest records, and cut off the rest.

  • includeOthers (bool) – If true (default), records which are cut off are collected into a common “other” record

  • timeFrameStrategy (str) – Configures the aggregation search to use start/end timestamp or just event timestamp for the timeframe of the search. (default startEndTimestamp)

  • startTimestamp (int) – Search objects from this timestamp

  • endTimestamp (int) – Search objects until this timestamp

  • includeFlags (list) – Search objects with these flags set

  • excludeFlags (list) – Exclude objects with these flags set

  • lastUpdatedTimestamp (int) – Match only with events marked with a last updated time greater or equal to this.

  • indexStartTime (int) – Earliest created time of the indices searched.

  • indexEndTime (int) – Last created time of the indices searched.

  • skipFutureEvents (bool) – Whether service should generate endTimestamp by current timestamp. (default false)

  • exactMatchProperties (bool) – If set to true, will execute in-memory filtering to only match events that have exact match of properties specified at top level “properties” field of search request. WARN: The count of response would not be reliable, as the filtering is applied in-memory of application server, but the count was done by search engine. (default true)

  • json – return the response’s body as a dict parsed from json. True by default. If set to false, the raw requests.Response object will be returned.

  • verify – path to a certificate bundle or boolean indicating whether SSL verification should be performed.

  • apiKey – Argus API key.

  • authentication – authentication override

  • server_url – API base URL override

  • body – body of the request. other parameters will override keys defined in the body.

  • api_session – session to use for this request. If not set, the global session will be used.

Raises
Returns

dictionary translated from JSON

argus_api.lib.events.v1.aggregated.find_aggregated_events(signature: str = None, destinationIP: str = None, sourceIP: str = None, ip: str = None, destinationPort: str = None, sourcePort: str = None, port: str = None, minSeverity: str = None, maxSeverity: str = None, limit: int = None, offset: int = None, includeDeleted: bool = None, customerID: int = None, exclude: bool = None, required: bool = None, eventIdentifier: dict = None, locationID: int = None, severity: str = None, customer: str = None, alarmID: int = None, attackCategoryID: int = None, sourceGeoCountry: str = None, destinationGeoCountry: str = None, geoCountry: str = None, domain: str = None, properties: dict = None, productionCustomers: bool = None, multivaluePropertySeparator: str = None, minCount: int = None, associatedCaseID: int = None, sourceIPMinBits: int = None, destinationIPMinBits: int = None, subCriteria: dict = None, timeFieldStrategy: str = None, startTimestamp: int = None, endTimestamp: int = None, sortBy: str = None, includeFlags: str = None, excludeFlags: str = None, lastUpdatedTimestamp: int = None, indexStartTime: int = None, indexEndTime: int = None, skipFutureEvents: bool = None, exactMatchProperties: bool = True, json: bool = True, verify: Optional[bool] = None, proxies: Optional[dict] = None, apiKey: Optional[str] = None, authentication: Optional[dict] = None, server_url: Optional[str] = None, body: Optional[dict] = None, api_session: Optional[ArgusAPISession] = None) dict#

Search for aggregated events (PUBLIC)

Parameters
  • signature (list) –

  • destinationIP (list) –

  • sourceIP (list) –

  • ip (list) –

  • destinationPort (list) –

  • sourcePort (list) –

  • port (list) –

  • minSeverity (str) –

  • maxSeverity (str) –

  • limit (int) – Limit results

  • offset (int) – Offset results

  • includeDeleted (bool) – Also include deleted objects (where implemented)

  • customerID (list) – DEPRECATED! Use customer instead

  • exclude (bool) – Exclude these criteria from the parent criteria.

  • required (bool) – Only relevant for subcriteria. If set to true, objects matching this subcriteria are required (AND-ed together with parent criteria).

  • eventIdentifier (list) – Search for events specified by full ID (type/timestamp/customerID/eventID).

  • locationID (list) – Search for events having these locations.

  • severity (list) – Search events with specified severity. Can’t be used together with minSeverity/maxSeverity.

  • customer (list) – Search for events by customer (id or shortname).

  • alarmID (list) – Search for events having an attack identifier (signature) mapped to any of these alarms.

  • attackCategoryID (list) – Search for events having an attack identifier (signature) mapped to any of these categories.

  • sourceGeoCountry (list) – Search for events where source IP is registered in any of these countries.

  • destinationGeoCountry (list) – Search for events where destination IP is registered in any of these countries.

  • geoCountry (list) – Search for events where source or destination IP is registered in any of these countries.

  • domain (list) – Search for events having one of these domains. The domains are not validated

  • properties (dict) – Search for events having these properties (logical AND).

  • productionCustomers (bool) – If set, apply a customer filter for customers marked as ‘not in production’. If true, EXCLUDE customers ‘not in production’. If false, REQUIRE customers ‘not in production’. Default is unset (no filter on production customers).

  • multivaluePropertySeparator (str) – Separator that is going to be used when formatting the multi-value properties of the found events. (default comma)

  • minCount (int) – Search for events with aggregated count at least this high

  • associatedCaseID (list) – Search for events associated to one of these cases, 0 will match events NOT associated with any case

  • sourceIPMinBits (int) – Do not include source CIDR-networks with wider mask than this

  • destinationIPMinBits (int) – Do not include destination CIDR-networks with wider mask than this

  • subCriteria (list) – Allow subcriteria (include or exclude), to refine search arbitrarily

  • timeFieldStrategy (list) – Defines which timestamps will be included in the search, will default to startTimestamp/endTimestamp.This field cannot be used alongside the lastUpdateTime field due to backwards compatibility.

  • startTimestamp (int) – Search objects from this timestamp

  • endTimestamp (int) – Search objects until this timestamp

  • sortBy (list) – Order results by these properties (prefix with - to sort descending)

  • includeFlags (list) – Search objects with these flags set

  • excludeFlags (list) – Exclude objects with these flags set

  • lastUpdatedTimestamp (int) – Match only with events marked with a last updated time greater or equal to this.

  • indexStartTime (int) – Earliest created time of the indices searched.

  • indexEndTime (int) – Last created time of the indices searched.

  • skipFutureEvents (bool) – Whether service should generate endTimestamp by current timestamp. (default false)

  • exactMatchProperties (bool) – If set to true, will execute in-memory filtering to only match events that have exact match of properties specified at top level “properties” field of search request. WARN: The count of response would not be reliable, as the filtering is applied in-memory of application server, but the count was done by search engine. (default true)

  • json – return the response’s body as a dict parsed from json. True by default. If set to false, the raw requests.Response object will be returned.

  • verify – path to a certificate bundle or boolean indicating whether SSL verification should be performed.

  • apiKey – Argus API key.

  • authentication – authentication override

  • server_url – API base URL override

  • body – body of the request. other parameters will override keys defined in the body.

  • api_session – session to use for this request. If not set, the global session will be used.

Raises
Returns

requests.Response object or dictionary translated from JSON

argus_api.lib.events.v1.aggregated.list_aggregated_events(customerID: int = None, signature: str = None, ip: str = None, startTimestamp: str = '-24hours', endTimestamp: str = 'now', limit: int = 25, offset: int = None, json: bool = True, verify: Optional[bool] = None, proxies: Optional[dict] = None, apiKey: Optional[str] = None, authentication: Optional[dict] = None, server_url: Optional[str] = None, body: Optional[dict] = None, api_session: Optional[ArgusAPISession] = None) dict#

Simple search for aggregated events (PUBLIC)

Parameters
  • customerID (list) – Limit to customerID

  • signature (list) – Limit to signature

  • ip (list) – Limit to ip/network

  • startTimestamp (str) – Limit to events after this timestamp (default is last 24 hours).

  • endTimestamp (str) – Limit to events before this timestamp. Defaults to now.

  • limit (int) – Limit results

  • offset (int) – Offset results

  • json – return the response’s body as a dict parsed from json. True by default. If set to false, the raw requests.Response object will be returned.

  • verify – path to a certificate bundle or boolean indicating whether SSL verification should be performed.

  • apiKey – Argus API key.

  • authentication – authentication override

  • server_url – API base URL override

  • body – body of the request. other parameters will override keys defined in the body.

  • api_session – session to use for this request. If not set, the global session will be used.

Raises
Returns

requests.Response object or dictionary translated from JSON

argus_api.lib.events.v1.aggregated.update_events(update: dict = None, eventIdentifiers: str = None, json: bool = True, verify: Optional[bool] = None, proxies: Optional[dict] = None, apiKey: Optional[str] = None, authentication: Optional[dict] = None, server_url: Optional[str] = None, body: Optional[dict] = None, api_session: Optional[ArgusAPISession] = None) dict#

Add event assessments (INTERNAL)

Parameters
  • update (dict) –

  • eventIdentifiers (list) – Update events specified by full ID (type/timestamp/customerID/eventID)

  • json – return the response’s body as a dict parsed from json. True by default. If set to false, the raw requests.Response object will be returned.

  • verify – path to a certificate bundle or boolean indicating whether SSL verification should be performed.

  • apiKey – Argus API key.

  • authentication – authentication override

  • server_url – API base URL override

  • body – body of the request. other parameters will override keys defined in the body.

  • api_session – session to use for this request. If not set, the global session will be used.

Raises
Returns

dictionary translated from JSON

argus_api.lib.events.v1.aggregated.update_events_bulk(criteria: dict = None, update: dict = None, json: bool = True, verify: Optional[bool] = None, proxies: Optional[dict] = None, apiKey: Optional[str] = None, authentication: Optional[dict] = None, server_url: Optional[str] = None, body: Optional[dict] = None, api_session: Optional[ArgusAPISession] = None) dict#

Assess events in bulk mode (INTERNAL)

Parameters
  • criteria (dict) –

  • update (dict) –

  • json – return the response’s body as a dict parsed from json. True by default. If set to false, the raw requests.Response object will be returned.

  • verify – path to a certificate bundle or boolean indicating whether SSL verification should be performed.

  • apiKey – Argus API key.

  • authentication – authentication override

  • server_url – API base URL override

  • body – body of the request. other parameters will override keys defined in the body.

  • api_session – session to use for this request. If not set, the global session will be used.

Raises
Returns

dictionary translated from JSON