rabobank-cdc/DeTTECT

Help request: Filtering on available_for_data_analytics value

jopbakker opened this issue · 3 comments

Hello,

I'm currently working on creating visibility maps from my data sources files, but I'm running into a problem with the custom EQL filtering. The thing I want to do is create a techniques-administration file only containing values where "available_for_data_analytics" is "true" in my source data_sources file. This is to create a better visibility map on only data that is available for us to query.

I have been able to do some filtering based on comments or the applicable_to field, but with my lacking EQL knowledge I am unable to properly filter on the available_for_data_analytics (boolean) field.

Could anyone help me figure out how to do this?

P.S. This might also be a good addition as a built-in filter, like the current -a (--applicable-to) option.

Hi @jopbakker

I think this EQL query will help you:

python dettect.py ds -fd sample-data/data-sources-endpoints.yaml -l --search "data_sources where available_for_data_analytics = true"

We have more examples available on:
https://github.com/rabobank-cdc/DeTTECT/wiki/EQL

Regards,
Ruben

O, btw. Within the datasource mode of the CLI there's an option to filter on applicable_to via the command line:

-a APPLICABLE_TO, --applicable-to APPLICABLE_TO
                      specify which data source objects to include by filtering on applicable to value(s) (used to define the type of system). You can provide multiple
                      applicable to values with extra '-a/--applicable-to' arguments

THX! There appears to be some error with my input file as I get 24 results with both true and false filters (I have 24 inputs). When creating a new source file with two inputs, one true one false, the filter does seem to work.

Thx for the link to the wiki.
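As an added example (not DeTTECT's own code), a stand-alone Python version of the EQL filter "data_sources where available_for_data_analytics = true" from the answer above, plus a check that reports entries whose flag is not a real boolean (a quoted "true" in YAML is a string, not a bool, and a strict filter will never match it). The nested dict layout is assumed from DeTTECT's data-source-administration YAML; the entries are constructed sample data.

```python
# Constructed sample, mirroring a data-sources YAML after yaml.safe_load()
# (layout assumed from DeTTECT's data-source-administration format)
SAMPLE_DOC = {
    "file_type": "data-source-administration",
    "data_sources": [
        {"data_source_name": "Process Creation",
         "data_source": [{"applicable_to": ["all"],
                          "available_for_data_analytics": True}]},
        {"data_source_name": "File Monitoring",
         "data_source": [{"applicable_to": ["all"],
                          "available_for_data_analytics": False}]},
        # Deliberately wrong: a quoted string, which YAML does not turn into a bool
        {"data_source_name": "Network Traffic Content",
         "data_source": [{"applicable_to": ["all"],
                          "available_for_data_analytics": "true"}]},
    ],
}


def filter_data_sources(doc, wanted=True):
    """Names of data sources with at least one entry whose flag IS the bool `wanted`.

    `is` rather than `==`, so the string 'true' or the int 1 never match."""
    names = []
    for ds in doc.get("data_sources", []):
        for entry in ds.get("data_source", []):
            if entry.get("available_for_data_analytics") is wanted:
                names.append(ds["data_source_name"])
                break  # one matching entry is enough to include the data source
    return names


def find_non_boolean_flags(doc):
    """(name, value) pairs for entries whose flag is not a real bool.

    Worth running when a true/false filter does not behave as expected."""
    bad = []
    for ds in doc.get("data_sources", []):
        for entry in ds.get("data_source", []):
            value = entry.get("available_for_data_analytics")
            if not isinstance(value, bool):
                bad.append((ds["data_source_name"], value))
    return bad


if __name__ == "__main__":
    print("available:", filter_data_sources(SAMPLE_DOC, True))
    print("not available:", filter_data_sources(SAMPLE_DOC, False))
    print("needs fixing:", find_non_boolean_flags(SAMPLE_DOC))
```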