Merge pull request #488 from opencybersecurityalliance/diag_timeframe

Diag timeframe
opencybersecurityalliance · Mar 11, 2024 · d842518 · d842518
2 parents 2a6208e + 72cae87
commit d842518
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 10 deletions.
diff --git a/packages/kestrel_datasource_stixshifter/src/kestrel_datasource_stixshifter/cli.py b/packages/kestrel_datasource_stixshifter/src/kestrel_datasource_stixshifter/cli.py
@@ -1,18 +1,22 @@
 import argparse
 import datetime
 import logging
+import sys
 from kestrel_datasource_stixshifter.diagnosis import Diagnosis
 from kestrel_datasource_stixshifter.connector import setup_connector_module
 from firepit.timestamp import timefmt
 
 
-def default_patterns(use_now_as_stop_time: bool):
-    start_time = "START t'2000-01-01T00:00:00.000Z'"
-    stop_time = (
-        f"STOP t'{timefmt(datetime.datetime.utcnow())}'"
-        if use_now_as_stop_time
-        else "STOP t'3000-01-01T00:00:00.000Z'"
-    )
+def default_patterns(start=None, stop=None, last_minutes=0):
+    if start:
+        start_time = f"START t'{start}'"
+        stop_time = f"STOP t'{stop}'"
+    else:
+        to_time = datetime.datetime.utcnow()
+        from_time = timefmt(to_time - datetime.timedelta(minutes=last_minutes))
+        to_time = timefmt(to_time)
+        start_time = f"START t'{from_time}'"
+        stop_time = f"STOP t'{to_time}'"
     patterns = [
         "[ipv4-addr:value != '255.255.255.255']",
         "[process:pid > 0]",
@@ -45,9 +49,23 @@ def stix_shifter_diag():
     )
     parser.add_argument(
         "--stop-at-now",
-        help="use the current timestamp as the STOP time instead of default year 3000 for default patterns",
+        help="ignored (retained for backwards compatibility)",
         action="store_true",
     )
+    parser.add_argument(
+        "--start",
+        help="start time for default pattern search (%Y-%m-%dT%H:%M:%S.%fZ)",
+    )
+    parser.add_argument(
+        "--stop",
+        help="stop time for default pattern search (%Y-%m-%dT%H:%M:%S.%fZ)",
+    )
+    parser.add_argument(
+        "--last-minutes",
+        help="relative timespan for default pattern searches in minutes",
+        default=5,
+        type=int,
+    )
     parser.add_argument(
         "-t",
         "--translate-only",
@@ -68,13 +86,21 @@ def stix_shifter_diag():
         ch.setFormatter(formatter)
         logger.addHandler(ch)
 
+    if (args.start and not args.stop) or (args.stop and not args.start):
+        print(
+            "Must specify both --start and --stop for absolute time range; else use --last-minutes",
+            file=sys.stderr,
+        )
+        parser.print_usage(sys.stderr)
+        sys.exit(1)
+
     if args.stix_pattern:
         patterns = [args.stix_pattern]
     elif args.pattern_file:
         with open(args.pattern_file) as pf:
             patterns = [pf.read()]
     else:
-        patterns = default_patterns(args.stop_at_now)
+        patterns = default_patterns(args.start, args.stop, args.last_minutes)
 
     diag = Diagnosis(args.datasource)
 

diff --git a/packages/kestrel_datasource_stixshifter/tests/test_stixshifter_diagnosis.py b/packages/kestrel_datasource_stixshifter/tests/test_stixshifter_diagnosis.py
@@ -78,7 +78,7 @@ def test_cli(stixshifter_profile_lab101):
 """
 
     result = subprocess.run(
-        args=[STIX_SHIFTER_DIAG, "lab101"],
+        args=[STIX_SHIFTER_DIAG, "--start=2000-01-01T00:00:00.000Z", "--stop=3000-01-01T00:00:00.000Z", "lab101"],
         universal_newlines=True,
         stdout=subprocess.PIPE,
     )