How to use the FncMetastreamClient
Overview
FortiNDR Cloud Service collects information from many sources, and the resulting events of several different types are stored in AWS S3 buckets. The Metastream Client Library lets you pull events from those buckets. However, the latest version (v1.0.0) of the library only supports the following event types:
- Suricata: A single Suricata rule match, with its details.
- Observation: Observations are the result of multi-stage data pipelines that span multiple events, perform historical data lookups, draw correlations, compute statistics and, in some cases, use machine learning algorithms to classify and predict outcomes.
Using the Metastream Client Library, we can import any of these event types. The structure of each event type is described in the Appendix.
FncMetastreamClient
As mentioned in the Getting the client section, the FncMetastreamClient instance is created by calling the get_metastream_client method of the FncClient class. The FncMetastreamClient is used to access the AWS S3 bucket and retrieve the raw events stored there by the FortiNDR Cloud Service.
Below are the main methods exposed by this client:
| Method | Description |
|---|---|
| fetch_event_types(…) | Returns a list of all the event types that can be retrieved using this client. The current version only supports Suricata and Observation. |
| poll_history(…) | Pulls historical data in chunks smaller than a day. This is useful when the amount of data is too large to be pulled in one request within a reasonable time. |
| fetch_events_by_day(…) | Fetches all raw events observed during a specified day. The specified day must be within the last seven days. |
| fetch_events(…) | Fetches all raw events observed from the specified timestamp up to the current timestamp. This interval must be shorter than 24 hours. |
In the next sections we describe each of these methods in more detail.
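The two limits in the table (a day must be within the last seven days, and a fetch interval must be shorter than 24 hours) are easy to violate when backfilling several days of history. The helper below is an added example, not part of the library: it splits a historical range into sub-day windows the way poll_history is described as doing, and checks the day limit. The real client's method signatures are not given on this page, so the helper takes any fetch callable `fetch(start, end)` as an assumed interface instead of calling the library directly.

```python
from datetime import datetime, timedelta, timezone
from typing import Callable, Iterator, List, Tuple

# Limits as stated in the method table for fetch_events and fetch_events_by_day.
MAX_FETCH_INTERVAL = timedelta(hours=24)
HISTORY_DAYS = 7


def check_day_in_range(day: datetime, now: datetime) -> bool:
    """True if `day` lies within the last seven days (not older than now - 7d, not in the future)."""
    day = day.astimezone(timezone.utc)
    now = now.astimezone(timezone.utc)
    return (now - timedelta(days=HISTORY_DAYS)) <= day <= now


def history_windows(start: datetime, end: datetime,
                    chunk: timedelta) -> Iterator[Tuple[datetime, datetime]]:
    """Split [start, end) into consecutive windows of at most `chunk`, each shorter than a day."""
    if chunk >= MAX_FETCH_INTERVAL:
        raise ValueError("chunk must be smaller than a day")
    if start >= end:
        raise ValueError("start must precede end")
    cur = start
    while cur < end:
        nxt = min(cur + chunk, end)  # the last window may be shorter than `chunk`
        yield cur, nxt
        cur = nxt


def poll_history(fetch: Callable[[datetime, datetime], List[dict]], start: datetime,
                 end: datetime, chunk: timedelta = timedelta(hours=6)) -> List[dict]:
    """Fetch a long historical range by calling `fetch` once per sub-day window (assumed interface)."""
    events: List[dict] = []
    for win_start, win_end in history_windows(start, end, chunk):
        events.extend(fetch(win_start, win_end))
    return events


if __name__ == "__main__":
    # Constructed stand-in for the client's fetch method: returns one fake event per window.
    def fake_fetch(s: datetime, e: datetime) -> List[dict]:
        return [{"event_type": "suricata", "window_start": s.isoformat(), "window_end": e.isoformat()}]

    begin = datetime(2024, 1, 1, tzinfo=timezone.utc)
    print(len(poll_history(fake_fetch, begin, begin + timedelta(days=2, hours=3), timedelta(hours=12))))
```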