From 7295768c19cedeeaf2efbc433a36afcf7a6093a1 Mon Sep 17 00:00:00 2001
From: johnnyutahio
Date: Thu, 6 Jun 2019 15:46:27 -0600
Subject: [PATCH 1/3] updated missing api endpoint argument

---
 scripts/search-job-messages.py | 18 ++++++++----------
 scripts/search-job.py | 8 +++-----
 2 files changed, 11 insertions(+), 15 deletions(-)

diff --git a/scripts/search-job-messages.py b/scripts/search-job-messages.py
index 82192e6..e27682c 100644
--- a/scripts/search-job-messages.py
+++ b/scripts/search-job-messages.py
@@ -1,16 +1,14 @@
 # Submits search job, waits for completion, then prints and emails _messages_
 # (as opposed to records). Pass the query via stdin.
 #
-# cat query.sumoql | python search-job-messages.py \
-#
+# cat query.sumoql | python search-job-messages.py
 #
 # Note: fromDate and toDate must be either ISO 8601 date-times or epoch
 # milliseconds
 #
 # Example:
 #
-# cat query.sumoql | python search-job-messages.py \
-# 1408643380441 1408649380441 PST false
+# cat query.sumoql | python search-job-messages.py 1408643380441 1408649380441 PST false
 
 import json
 import sys
@@ -18,14 +16,14 @@
 
 from sumologic import SumoLogic
 
-LIMIT = 42
+LIMIT = 1000000
 
 args = sys.argv
-sumo = SumoLogic(args[1], args[2])
-fromTime = args[3]
-toTime = args[4]
-timeZone = args[5]
-byReceiptTime = args[6]
+sumo = SumoLogic(args[1], args[2], args[3])
+fromTime = args[4]
+toTime = args[5]
+timeZone = args[6]
+byReceiptTime = args[7]
 
 delay = 5
 q = ' '.join(sys.stdin.readlines())
diff --git a/scripts/search-job.py b/scripts/search-job.py
index a610a3d..029cfea 100644
--- a/scripts/search-job.py
+++ b/scripts/search-job.py
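Review bot: The updated example still shows only four positional arguments (`1408643380441 1408649380441 PST false`), while the code in this file's next hunk now reads `args[1]` through `args[7]`, so the documented invocation fails as written; the same mismatch is in search-job.py's first hunk, whose example lists the endpoint but no credentials. I would write the example as `# cat query.sumoql | python search-job-messages.py <accessId> <accessKey> <endpoint> 1408643380441 1408649380441 PST false`, with the first three placeholders adjusted to whatever order the SumoLogic constructor actually takes, and add one line under the `Note:` paragraph naming each positional argument in order.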
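Review bot: `sys.argv` is indexed up to `args[7]` with no length check, so a missing argument fails with a bare IndexError instead of a usage message; a guard such as `if len(args) < 8: sys.exit('usage: search-job-messages.py <accessId> <accessKey> <endpoint> <fromTime> <toTime> <timeZone> <byReceiptTime>')` placed before the assignments would also make the new positional layout self-documenting (placeholder names assume the usual constructor order; confirm against the SDK). The credentials now travel as positional command-line arguments (`args[1]`, `args[2]`), where they are visible to other users of the host through process listings and shell history; reading them from environment variables or a config file would be the safer default. Raising LIMIT from 42 to 1000000 here and in search-job.py's second hunk changes how many messages the script asks for in the retrieval code outside this hunk; if the service caps the per-request limit (I recall a cap well below this value, worth confirming in the API docs), the larger number is silently reduced and only one page of results is still fetched.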
@@ -1,16 +1,14 @@
 # Submits search job, waits for completion, then prints and emails results.
 # Pass the query via stdin.
 #
-# cat query.sumoql | python search-job.py \
-#
+# cat query.sumoql | python search-job.py
 #
 # Note: fromDate and toDate must be either ISO 8601 date-times or epoch
 # milliseconds
 #
 # Example:
 #
-# cat query.sumoql | python search-job.py \
-# https://api.us2.sumologic.com/api/v1 1408643380441 1408649380441 PST false
+# cat query.sumoql | python search-job.py https://api.us2.sumologic.com/api/v1 1408643380441 1408649380441 PST false
 
 import json
 import sys
@@ -21,7 +19,7 @@
 
 from sumologic import SumoLogic
 
-LIMIT = 42
+LIMIT = 1000000
 
 args = sys.argv
 sumo = SumoLogic(args[1], args[2], args[3])

From 78c976aaa8759688cf848798e95732f30e4a1300 Mon Sep 17 00:00:00 2001
From: johnnyutahio
Date: Thu, 6 Jun 2019 16:05:33 -0600
Subject: [PATCH 2/3] added search-job-messages-trend-antimalware.py

---
 search-job-messages-trend-antimalware.py | 48 ++++++++++++++++++++++++
 1 file changed, 48 insertions(+)
 create mode 100644 search-job-messages-trend-antimalware.py

diff --git a/search-job-messages-trend-antimalware.py b/search-job-messages-trend-antimalware.py
new file mode 100644
index 0000000..c675957
--- /dev/null
+++ b/search-job-messages-trend-antimalware.py
@@ -0,0 +1,48 @@
+# Submits search job, waits for completion, then prints and emails _messages_
+# (as opposed to records). Pass the query via stdin.
+#
+# python search-job-messages.py
+#
+# Note: fromDate and toDate must be either ISO 8601 date-times or epoch
+# milliseconds
+#
+# Example:
+#
+# cat python search-job-messages.py 1408643380441 1408649380441 PST false
+
+import json
+import sys
+import time
+
+from sumologic import SumoLogic
+
+# limit may not be necessary (Ciaran)
+LIMIT = 1000000
+
+args = sys.argv
+sumo = SumoLogic(args[1], args[2], args[3])
+fromTime = args[4]
+toTime = args[5]
+timeZone = args[6]
+byReceiptTime = args[7]
+
+delay = 5
+
+q = '_sourceCategory = zeus/trend | where signature_id >= 4000000 AND signature_id <= 4999999 | timeslice 30m | count _timeslice, Action | transpose row _timeslice column Action'
+
+sj = sumo.search_job(q, fromTime, toTime, timeZone, byReceiptTime)
+
+status = sumo.search_job_status(sj)
+while status['state'] != 'DONE GATHERING RESULTS':
+    if status['state'] == 'CANCELLED':
+        break
+    time.sleep(delay)
+    status = sumo.search_job_status(sj)
+
+print(status['state'])
+
+if status['state'] == 'DONE GATHERING RESULTS':
+    count = status['messageCount']
+    limit = count if count < LIMIT and count != 0 else LIMIT # may not be necessary (Ciaran)
+    r = sumo.search_job_messages(sj, limit=limit)
+    print(r)

From e9e24c4a02dfa1a9bf4cf7c38bcfd183902985cd Mon Sep 17 00:00:00 2001
From: johnnyutahio
Date: Thu, 6 Jun 2019 16:06:57 -0600
Subject: [PATCH 3/3] moved to scripts folder

---
 .../search-job-messages-trend-antimalware.py | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename search-job-messages-trend-antimalware.py => scripts/search-job-messages-trend-antimalware.py (100%)

diff --git a/search-job-messages-trend-antimalware.py b/scripts/search-job-messages-trend-antimalware.py
similarity index 100%
rename from search-job-messages-trend-antimalware.py
rename to scripts/search-job-messages-trend-antimalware.py
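Review bot: The polling loop in the new search-job-messages-trend-antimalware.py only leaves on `DONE GATHERING RESULTS` or `CANCELLED`, so a job that stalls in any other state keeps the script polling every 5 seconds forever; a deadline on the loop turns that into a clear failure, as sketched below. The copied header comment is also wrong for this script: it says the query is passed via stdin and shows `cat python search-job-messages.py …`, but the query is hard-coded in `q` and stdin is never read, so the comment should name this file, drop the stdin wording and list the seven positional arguments the code reads from `sys.argv`. The same argument-count and credentials-on-the-command-line remarks made on search-job-messages.py apply here unchanged. Finally, `limit = count if count < LIMIT and count != 0 else LIMIT` requests LIMIT messages when the count is zero; a short comment saying why zero is mapped to LIMIT would help, and whether the service honours a limit of 1000000 per call is worth confirming.
```python
# … unchanged: header comment, imports, argument parsing, query …
MAX_WAIT_SECONDS = 600  # constructed value; tune to the expected query size

sj = sumo.search_job(q, fromTime, toTime, timeZone, byReceiptTime)

deadline = time.time() + MAX_WAIT_SECONDS
status = sumo.search_job_status(sj)
while status['state'] not in ('DONE GATHERING RESULTS', 'CANCELLED'):
    if time.time() > deadline:
        sys.exit('search job did not finish within %d seconds' % MAX_WAIT_SECONDS)
    time.sleep(delay)
    status = sumo.search_job_status(sj)
# … unchanged: result retrieval …
```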