####Start Elastic Search Functions####
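function OnTabElasticSearch_GotFocus {
    <#
    .SYNOPSIS
    Prepares the per-case "Elastic" working folder and its CustomIOCs.txt file when the tab gains focus.
    .DESCRIPTION
    Derives the folder from $global:currentcasedirectory, publishes the IOC file path in
    $global:elasticIOCFilePath (read later by ElasticSearchButton_Click) and creates the folder and
    the file only when they are missing, logging each creation to the ElasticSearch text box.
    #>
    $subDirectoryPath = Join-Path $global:currentcasedirectory "Elastic"
    $global:elasticIOCFilePath = Join-Path $subDirectoryPath "CustomIOCs.txt"

    if (!(Test-Path $subDirectoryPath)) {
        New-Item -ItemType Directory -Path $subDirectoryPath | Out-Null
        Update-Log "Subdirectory 'Elastic' created successfully." "ElasticSearchTextBox"
    }

    # Read the global explicitly rather than relying on dynamic-scope lookup of an unscoped name,
    # so the read and the assignment above visibly refer to the same variable.
    foreach ($path in @($global:elasticIOCFilePath)) {
        if (!(Test-Path $path)) {
            New-Item -ItemType File -Path $path | Out-Null
            Update-Log "File '$(Split-Path $path -Leaf)' created successfully." "ElasticSearchTextBox"
        }
    }
}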
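function ElasticSearchButton_Click {
    <#
    .SYNOPSIS
    Builds a Kibana Discover URL from the selected saved query plus any IOC terms and opens it in the default browser.
    .DESCRIPTION
    Reads the Kibana base URL, index pattern and selected query from the form controls, appends IOCs from
    CustomIOCs.txt (when that source is selected) and the free-text search box as a KQL "and (... or ...)"
    clause, encodes everything into Kibana's _g/_a state and hands the resulting URL to Start-Process.
    Validation failures are reported to the user through a MessageBox and abort the handler.
    #>
    if (Get-Command -Name Ensure-ElasticLookupDataLoaded -ErrorAction SilentlyContinue) {
        Ensure-ElasticLookupDataLoaded
    }

    $baseKibanaUrl = $ElasticURLPathTextBox.Text.Trim().TrimEnd('/')
    # Only http/https targets are handed to Start-Process; any other scheme is rejected up front.
    if (-not $baseKibanaUrl.StartsWith("http://") -and -not $baseKibanaUrl.StartsWith("https://")) {
        [System.Windows.MessageBox]::Show("Please enter a valid URL starting with http:// or https://")
        return
    }

    $IndexPattern = $ElasticIndexIDTextBox.Text.Trim()

    $selectedItem = $ElasticCheckBoxListBox.SelectedItem
    # $null on the left so a multi-valued SelectedItem cannot turn the comparison into a filter.
    if ($null -eq $selectedItem) {
        [System.Windows.MessageBox]::Show("Please select a query from the list.")
        return
    }
    $selectedQueryKey = $selectedItem.ToString()
    $selectedItemDetails = $script:queryMapping[$selectedQueryKey]
    if ($null -eq $selectedItemDetails) {
        [System.Windows.MessageBox]::Show("Selected query not found in query mapping.")
        return
    }
    $selectedQuery = $selectedItemDetails["Query"]
    $selectedColumns = $selectedItemDetails["Columns"] -join ','

    # IOC terms: optional file contents plus the free-text box. Kept as an array throughout so that
    # '+=' appends an element instead of concatenating strings when the file holds a single line.
    $iocs = @()
    $selectedIOCItem = $ElasticCustomIOCComboBox.SelectedItem.Content
    if ($selectedIOCItem -eq "CustomIOCs.txt") {
        try {
            $iocs = @(Get-Content -Path $global:elasticIOCFilePath -ErrorAction Stop)
        } catch {
            [System.Windows.MessageBox]::Show("Error reading CustomIOCs.txt")
            return
        }
    }
    $customQuery = $ElasticSearchIOCTextBox.Text.Trim()
    if (-not [string]::IsNullOrWhiteSpace($customQuery)) {
        $iocs += $customQuery
    }
    # Blank lines in the IOC file would otherwise become an empty operand inside the "or" group.
    $iocs = @($iocs | ForEach-Object { "$_".Trim() } | Where-Object { $_ -ne '' })

    # Each term becomes one KQL operand. Terms with KQL-significant characters are quoted, and a
    # backslash or double quote inside a quoted value is escaped so the value cannot end the string early.
    $iocQueryPart = ""
    if ($iocs.Count -gt 0) {
        $formattedIOCs = $iocs | ForEach-Object {
            if ((ShouldQuote $_) -or ($_ -match '[\\"]')) {
                '"' + ($_ -replace '([\\"])', '\$1') + '"'
            } else {
                $_
            }
        }
        $iocQueryPart = " and (" + ($formattedIOCs -join " or ") + ")"
    }

    $combinedQuery = $selectedQuery + $iocQueryPart
    # Checked before any encoding so a rejected query never reaches the URL builder.
    if ($combinedQuery.StartsWith("=")) {
        [System.Windows.MessageBox]::Show("Invalid query format.")
        return
    }

    # Kibana state is rison; inside a rison single-quoted string, ! and ' are written as !! and !'.
    # The ! replacement must run first so the ! introduced for ' is not doubled afterwards.
    $risonIndex = $IndexPattern -replace '!', '!!' -replace "'", "!'"
    $discoverAppPath = "/app/kibana#/discover/"
    $encodedQuery = [uri]::EscapeDataString($combinedQuery)
    $appStateColumns = "!($selectedColumns)"
    # Global state pins a one-year time window and a paused 60 s refresh interval.
    $globalState = "(filters:!(),refreshInterval:(pause:!t,value:60000),time:(from:now-1y%2Fd,to:now))"
    $appState = "(columns:$appStateColumns,filters:!(),index:'$risonIndex',interval:auto,query:(language:kuery,query:'$encodedQuery'),sort:!(!(timestamp,desc)))"

    $fullUrl = "$($baseKibanaUrl)$($discoverAppPath)?_g=$($globalState)&_a=$($appState)"
    Write-Host "Elastic URL: $baseKibanaUrl"
    Update-Log "Elastic URL: $baseKibanaUrl" "ElasticSearchTextBox"
    Write-Host "URL: $fullUrl"
    Update-Log "URL: $fullUrl" "ElasticSearchTextBox"
    Start-Process $fullUrl
}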
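function ShouldQuote($term) {
    <#
    .SYNOPSIS
    Returns $true when an IOC term must be wrapped in double quotes to be used as a single KQL value.
    .PARAMETER term
    The search term as read from CustomIOCs.txt or the free-text box. $null or an empty string never needs quoting.
    .OUTPUTS
    [bool]
    #>
    if ([string]::IsNullOrEmpty($term)) {
        return $false
    }
    $text = [string]$term
    # Whitespace and the characters KQL treats as syntax ( \ ( ) : < > " { } ) plus the original , / ;.
    # '*' is deliberately not listed so that unquoted terms keep their wildcard meaning.
    $specialChars = ' ', ',', '/', ':', ';', '\', '(', ')', '<', '>', '"', '{', '}'
    foreach ($char in $specialChars) {
        if ($text.Contains($char)) {
            return $true
        }
    }
    return $false
}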
function UpdateElasticSearchButtonState {
    # Enables the search button only while both the Kibana URL box and the index pattern box hold non-blank text.
    $urlText = $ElasticURLPathTextBox.Text
    $indexText = $ElasticIndexIDTextBox.Text
    $hasUrl = -not [string]::IsNullOrWhiteSpace($urlText)
    $hasIndex = -not [string]::IsNullOrWhiteSpace($indexText)
    $ElasticSearchButton.IsEnabled = ($hasUrl -and $hasIndex)
}
####End Elastic Search Functions####