search
The events search command is used to search for aggregated events.
Usage
parameters
argus-cli events search START END TEMPLATE_FOLDER
- START
Start date/time of the search window
Uses the flexible date format
- END
End date/time of the search window
Uses the flexible date format
options
general options
- --no-exact-match-property
flag. Turns of exact matching of properties, which is on by default.
- --min-severity <severity>
Minimum severity of events.
valid values are defined in
SEVERITIES
- --min-count <count>
Minimum aggregated count of events.
- --enrich <enrichment1> [<enrichment2>, <...>]
One or more enrichment(s) to perform on the event data.
see Using enrichments for more details.
- --limit <limit>
Amount of items to fetch per request (“page size”).
Defaults to
500.Note
a high value can negatively impact the service and cause timeouts.
Note
to stop after fetching the number of items specified, use the
--no-paginateoption.
- --no-paginate
flag. If set, pagination will be disabled and only the amount of results specified by
--limitwill be fetched.
- --progress
flag. If set, a progress bar will be displayed while fetching events.
filtering options
These options allow filtering the search results by including or excluding certain field values.
Caution
these are all multiple-value options, see : multiple-value option caveats
- --[include|exclude]-customer <customer1> [<customer2>, ...]
Customer(s) to include/exclude.
- --[include|exclude]-flag <flag1> [<flag2>, ...]
Flag(s) to include/exclude.
valid values are defined in
FLAGS
- --[include|exclude]-alarm <alarm_id1> [<alarm_id2>, ...]
Alarm ID(s) to include/exclude.
- --[include|exclude]-ip <ip1> [<ip2>, <...>]
IP Address(es) to include/exclude.
- --[include|exclude]-[source|destination]-ip <ip1> [<ip2>, ...]
Source/Destination IP Address(es) to include/exclude.
- --[source|destination]-ip-min-bits <mask>
Subnet mask to filter source/destination IP addresses on.
- --[include|exclude]-signature <signature1> [<signature2>, ...]
Signature(s) to include/exclude.
- --[include|exclude]-properties <property1> [<property2>, ...]
Propertie(s) to include/exclude.
- --[include|exclude]-attack-category-id <attack_category_id1> [<attack_category_id2>, ...]
Attack category ID(s) to include/exclude.
Using enrichments
The search command supports enriching event data from sources other than the
events API through enrichments. Those enrichments are controlled by the argus-cli events search --enrich option.
Multiple enrichments can be specified :
argus-cli events search --enrich ENRICHMENT1 ENRICHMENT2 [...]
Caution
--enrich is a multiple-value option, make sure you understand the Multiple-Value options Caveats
Note
the autocreate command also provides the --enrich option.
When running an autocreate script, enrichments need only be used once (either in the events search providing the events or cases autocreate),
there is no need to use the option in both commands.
All enrichments add data to the selected events under the "_enrichments_"
key. To know precisely where each enrichment add data, refer to the table below.
Available enrichments
Currently, these enrichments can be used with the autocreate script:
name |
key |
description |
|---|---|---|
|
|
Adds the results of a search of the customer networks API for the source address of the event. The results are a list of dictionaries, as returned by the customer networks API and defined in API documentation : customer networks service (see models → CustomerNetwork). Results are sorted by netmask descending, so that the first result will be the most specific and the last one will be the least specific (for example, a /24 network will be listed before a /8 network) |
|
|
Adds the results of a search of the customer networks API for the destination address of the event. The results are a list of dictionaries, as returned by the customer networks API and defined in API documentation : customer networks service (see models → CustomerNetwork). Results are sorted by netmask descending, so that the first result will be the most specific and the last one will be the least specific (for example, a /24 network will be listed before a /8 network) |