Shared Query Filters

class py42.sdk.queries.query_filter.FilterGroup(filter_list, filter_clause='AND')
    Bases: object

    Class for constructing a logical sub-group of related filters from a list of QueryFilter objects. Takes a list of QueryFilter objects and combines them logically using the passed in filter clause (AND or OR).

    When str() is called on a FilterGroup instance, the combined filter items are transformed into a JSON string to be used as part of a Forensic Search or Alert query.

    When dict() is called on a FilterGroup instance, the combined filter items are transformed into the Python dict equivalent of their JSON representation. This can be useful for programmatically manipulating a FilterGroup after it’s been created.

    filter_clause
        The clause joining the filters, such as AND or OR.

    filter_list
        The list of QueryFilter objects in this group.

    classmethod from_dict(_dict)
        Creates an instance of FilterGroup from the values found in _dict. _dict must contain keys filters and filterClause.

        Parameters: _dict (dict) – A dictionary containing keys term, operator, and value.
        Returns: FilterGroup

class py42.sdk.queries.query_filter.QueryFilter(term, operator, value=None)
    Bases: object

    Class for constructing a single filter object for use in a search query.

    When str() is called on a QueryFilter instance, the (term, operator, value) attribute combination is transformed into a JSON string to be used as part of a Forensic Search or Alert query.

    When dict() is called on a QueryFilter instance, the (term, operator, value) attribute combination is transformed into the Python dict equivalent of their JSON representation. This can be useful for programmatically manipulating a QueryFilter after it’s been created.

    classmethod from_dict(_dict)
        Creates an instance of QueryFilter from the values found in _dict. _dict must contain keys term, operator, and value.

        Parameters: _dict (dict) – A dictionary containing keys term, operator, and value.
        Returns: QueryFilter

    operator
        The operator between term and value, such as IS or IS_NOT.

    term
        The term of the filter, such as actor or sharedWith.

    value
        The value used to filter results.

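An added example, not part of py42 or its documentation: a validator for stored filter definitions (for instance, saved queries kept as JSON in a detection repository) that checks the key requirements stated above for FilterGroup.from_dict and QueryFilter.from_dict before a dict is handed to them. The function name, the restriction of the clause to AND/OR, the rejection of empty filter lists, and the sample data are assumptions made for illustration.

```python
import json

REQUIRED_GROUP_KEYS = ("filters", "filterClause")     # keys FilterGroup.from_dict needs
REQUIRED_FILTER_KEYS = ("term", "operator", "value")  # keys QueryFilter.from_dict needs
ALLOWED_CLAUSES = {"AND", "OR"}  # assumption: only the two clauses the docs name


def validate_filter_group(group, path="group"):
    """Return a list of problems found in a filter-group dict (empty if none)."""
    if not isinstance(group, dict):
        return [f"{path}: expected a dict, got {type(group).__name__}"]
    problems = [f"{path}: missing key '{k}'" for k in REQUIRED_GROUP_KEYS if k not in group]
    if "filterClause" in group and group["filterClause"] not in ALLOWED_CLAUSES:
        problems.append(f"{path}: filterClause {group['filterClause']!r} is not AND or OR")
    filters = group.get("filters", [])
    if not isinstance(filters, list):
        return problems + [f"{path}.filters: expected a list"]
    if "filters" in group and not filters:
        # Policy of this example: a stored query with no filters is rejected.
        problems.append(f"{path}.filters: empty filter list")
    for i, flt in enumerate(filters):
        where = f"{path}.filters[{i}]"
        if not isinstance(flt, dict):
            problems.append(f"{where}: expected a dict")
            continue
        # 'value' may be None, but the key itself must be present.
        problems += [f"{where}: missing key '{k}'" for k in REQUIRED_FILTER_KEYS if k not in flt]
        for k in ("term", "operator"):
            if k in flt and not (isinstance(flt[k], str) and flt[k]):
                problems.append(f"{where}: '{k}' must be a non-empty string")
    return problems


# Constructed sample data: one well-formed group and one with typical mistakes
# (lower-case clause, a filter without 'value', a bare string instead of a dict).
GOOD = json.loads(
    '{"filterClause": "AND", "filters": ['
    '{"term": "actor", "operator": "IS", "value": "user@example.com"},'
    '{"term": "sharedWith", "operator": "IS_NOT", "value": "partner@example.com"}]}'
)
BAD = {"filterClause": "and", "filters": [{"term": "actor", "operator": "IS"}, "actor"]}

if __name__ == "__main__":
    for name, candidate in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, validate_filter_group(candidate) or "ok")
```

A dict that passes can then be given to FilterGroup.from_dict; one that fails is reported with the path of each offending entry instead of surfacing later as a malformed query.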
class py42.sdk.queries.query_filter.QueryFilterBooleanField
    Bases: object

    Helper class for creating filters where the search value is a boolean.

    classmethod is_false()
        Returns a FilterGroup that is useful for finding results where the value with key self._term is False.

        Returns: FilterGroup

    classmethod is_true()
        Returns a FilterGroup that is useful for finding results where the value with key self._term is True.

        Returns: FilterGroup

class py42.sdk.queries.query_filter.QueryFilterStringField
    Bases: object

    Helper class for creating filters where the search value is a string.

    classmethod eq(value)
        Returns a FilterGroup that is useful for finding results where the value with key self._term equals the provided value.

        Parameters: value (str) – The value to match on.
        Returns: FilterGroup

    classmethod is_in(value_list)
        Returns a FilterGroup that is useful for finding results where the value with the key self._term is in the provided value_list.

        Parameters: value_list (list) – The list of values to match on.
        Returns: FilterGroup

    classmethod not_eq(value)
        Returns a FilterGroup that is useful for finding results where the value with key self._term does not equal the provided value.

        Parameters: value (str) – The value to exclude on.
        Returns: FilterGroup

    classmethod not_in(value_list)
        Returns a FilterGroup that is useful for finding results where the value with the key self._term is not in the provided value_list.

        Parameters: value_list (list) – The list of values to exclude on.
        Returns: FilterGroup

class py42.sdk.queries.query_filter.QueryFilterTimestampField
    Bases: object

    Helper class for creating filters where the search value is a timestamp.

    classmethod in_range(start_value, end_value)
        Returns a FilterGroup that is useful for finding results where the value with key self._term is in range between the provided start_value and end_value.

        Parameters:
            - start_value (str or int) – The start value used to filter results.
            - end_value (str or int) – The end value used to filter results.
        Returns:

    classmethod on_or_after(value)
        Returns a FilterGroup that is useful for finding results where the value with key self._term is on or after the provided value.

        Parameters: value (str or int) – The value used to filter results.
        Returns: FilterGroup

    classmethod on_or_before(value)
        Returns a FilterGroup that is useful for finding results where the value with key self._term is on or before the provided value.

        Parameters: value (str or int) – The value used to filter results.
        Returns: FilterGroup

    classmethod on_same_day(value)
        Returns a FilterGroup that is useful for finding results where the value with key self._term is within the same calendar day as the provided value.

        Parameters: value (str or int) – The value used to filter results.
        Returns: FilterGroup

    classmethod within_the_last(value)
        Returns a FilterGroup that is useful for finding results where the key self._term is an EventTimestamp._term and the value is one of the EventTimestamp attributes as value.

        Parameters: value (str) – EventTimestamp attribute.
        Returns: FilterGroup

py42.sdk.queries.query_filter.create_eq_filter_group(term, value)
    Creates a FilterGroup for filtering results where the value with key term equals the given value. Useful for creating IS filters that are not yet supported in py42 or programmatically crafting filter groups.

    Parameters:
        - term (str) – The term of the filter, such as actor or sharedWith.
        - value (str) – The value used to match on.
    Returns:

py42.sdk.queries.query_filter.create_filter_group(query_filter_list, filter_clause)
    Creates a FilterGroup object. Useful for programmatically crafting query filters, such as filters not yet defined in py42. Alternatively, if you want to create custom filter groups with already defined operators (such as IS or IS_IN), see the other methods in this module, such as create_eq_filter_group().

    Parameters:
        - query_filter_list (list) – a list of QueryFilter objects.
        - filter_clause (str) – The clause joining the filters, such as AND or OR.
    Returns:

py42.sdk.queries.query_filter.create_in_range_filter_group(term, start_value, end_value)
    Creates a FilterGroup for filtering results where the value with key term is in the given range. Examples include values describing dates. Useful for creating a combination of ON_OR_AFTER and ON_OR_BEFORE filters that are not yet supported in py42 or programmatically crafting filter groups.

    Parameters:
        - term (str) – The term of the filter, such as eventTimestamp.
        - start_value (str or int) – The start value used to filter results.
        - end_value (str or int) – The end value used to filter results.
    Returns:

py42.sdk.queries.query_filter.create_is_in_filter_group(term, value_list)
    Creates a FilterGroup for filtering results where the value with key term is one of several values. Useful for creating IS_IN filters that are not yet supported in py42 or programmatically crafting filter groups.

    Parameters:
        - term (str) – The term of the filter, such as actor or sharedWith.
        - value_list (list) – The list of values to match on.
    Returns:

py42.sdk.queries.query_filter.create_not_eq_filter_group(term, value)
    Creates a FilterGroup for filtering results where the value with key term does not equal the given value. Useful for creating IS_NOT filters that are not yet supported in py42 or programmatically crafting filter groups.

    Parameters:
        - term (str) – The term of the filter, such as actor or sharedWith.
        - value (str) – The value used to exclude on.
    Returns:

py42.sdk.queries.query_filter.create_not_in_filter_group(term, value_list)
    Creates a FilterGroup for filtering results where the value with key term is not one of several values. Useful for creating NOT_IN filters that are not yet supported in py42 or programmatically crafting filter groups.

    Parameters:
        - term (str) – The term of the filter, such as actor or sharedWith.
        - value_list (list) – The list of values to exclude on.
    Returns:

py42.sdk.queries.query_filter.create_on_or_after_filter_group(term, value)
    Creates a FilterGroup for filtering results where the value with key term is on or after the given value. Examples include values describing dates. Useful for creating ON_OR_AFTER filters that are not yet supported in py42 or programmatically crafting filter groups.

    Parameters:
        - term (str) – The term of the filter, such as eventTimestamp.
        - value (str or int) – The value used to filter results.
    Returns:

py42.sdk.queries.query_filter.create_on_or_before_filter_group(term, value)
    Creates a FilterGroup for filtering results where the value with key term is on or before the given value. Examples include values describing dates. Useful for creating ON_OR_BEFORE filters that are not yet supported in py42 or programmatically crafting filter groups.

    Parameters:
        - term (str) – The term of the filter, such as eventTimestamp.
        - value (str or int) – The value used to filter results.
    Returns:

py42.sdk.queries.query_filter.create_query_filter(term, operator, value=None)
    Creates a QueryFilter object. Useful for programmatically crafting query filters, such as filters not yet defined in py42.

    Parameters:
        - term (str) – The term of the filter, such as actor or sharedWith.
        - operator (str) – The operator between term and value, such as IS or IS_NOT.
        - value (str) – The value used to filter results.
    Returns:

py42.sdk.queries.query_filter.create_within_the_last_filter_group(term, value)
    Returns a FilterGroup that is useful for finding results where the key term is an EventTimestamp._term and the value is one of the EventTimestamp attributes as value.

    Parameters: value (str) – EventTimestamp attribute.
    Returns: FilterGroup