help
db.help()                     help on db methods
db.mycoll.help()              help on collection methods
sh.help()                     sharding helpers
rs.help()                     replica set helpers
help admin                    administrative help
help connect                  connecting to a db help
help keys                     key shortcuts
help misc                     misc things to know
help mr                       mapreduce
show dbs                      show database names
show collections              show collections in current database
show users                    show users in current database
show profile                  show most recent system.profile entries with time >= 1ms
show logs                     show the accessible logger names
show log [name]               prints out the last segment of log in memory, 'global' is default
use <db_name>                 set current database
db.foo.find()                 list objects in collection foo
db.foo.find( { a : 1 } )      list objects in foo where a == 1
it                            result of the last line evaluated; use to further iterate
DBQuery.shellBatchSize = x    set default number of items to display on shell

db.indicators.find({"bucket_list" : "MD5" })
    List all indicators that have "MD5" as a bucket list tag
db.indicators.update({"bucket_list" : "MD5"}, {$set:{"type":"MD5"}}, {"multi": 1})
    Update any indicator with a bucket list tag of "MD5" and set the indicator type to "MD5"
db.indicators.update({"bucket_list" : "SHA1"}, {$set:{"type":"SHA1"}}, {"multi": 1})
db.indicators.update({"bucket_list" : "File"}, {$set:{"type":"File Name"}}, {"multi": 1})
db.indicators.update({"bucket_list" : "C2 URL"}, {$set:{"type":"URI"}}, {"multi": 1})
db.indicators.update({"bucket_list" : "C2 Domain"}, {$set:{"type":"Domain"}}, {"multi": 1})
db.indicators.update({'type': 'URI - URL'}, {$set: {'type': 'URI'}}, {'multi': 1})
db.indicators.update({'type': 'URI - Domain Name'}, {$set: {'type': 'Domain'}}, {'multi': 1})
db.indicators.update({"bucket_list" : "File Path with File"}, {$set:{"type":"File Path"}}, {"multi": 1})

exit                          quit the mongo shell
Mongo database command to change a schema field name 1-to-1:

In the Mongo shell, type: mongo db

Then switch to the CRITS database: use crits

To query the database for the types of indicators:
db.indicators.find( { "type" : "Account" } )
db.indicators.find( { "type" : "IPv4 Address" } )

To change the name of the field in CRITS 3 to be compatible with CRITS 4, I ran the following command in the Mongo shell:
db.indicators.update({'type': 'Address - ipv4-addr'}, {$set: {'type': 'IPv4 Address'}}, {'multi': 1})

Output from that command:
Cannot use commands write mode, degrading to compatibility mode
WriteResult({ "nMatched" : 20773, "nUpserted" : 0 })

I took that as an error, so I re-ran the command to see if there would be a different result. This time the output was:
WriteResult({ "nMatched" : 0, "nUpserted" : 0 })

I asked Moss to log in to the GUI and he verified that the IPv4-addr did change to IPv4 Address. Success!

Next conversion:
db.indicators.update({'type': 'Account'}, {$set: {'type': 'User ID'}}, {'multi': 1})
> db.indicators.distinct("type")
[
    "Address - ipv4-addr",
    "Win File",
    "Address - e-mail",
    "URI - URL",
    "URI - Domain Name",
    "Mutex",
    "String",
    "Win Registry Key",
    "System",
    "Win Service",
    "Win Mutex",
    "UNIX File - regularfile",
    "Win Executable File"
]
Update: I have since updated the following types in the CRITS 4 instance:
"Address - ipv4-addr", - "IPv4 Address"
"Win File", - "
"Address - e-mail", - "Email Address"
"URI - URL",
"URI - Domain Name",
"Mutex",
"String", - "Email Subject"
"Win Registry Key",
"System",
"Win Service",
"Win Mutex",
"UNIX File - regularfile",
"Win Executable File"
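As an added example (not code from the original post), here is a small Node.js dry-run planner for the type renames described above: it takes the old-to-new type mapping given in the post and a constructed set of indicator documents, reports how many documents each multi update would match, flags types that have no target name yet (such as "Win File" in the list above), and shows that re-running the same rename matches nothing, which is what the second WriteResult with "nMatched" : 0 reflects. The document set and the planMigration/applyRenames helpers are assumptions for illustration, not CRITS code.

```javascript
// Added example (not from the original post): dry-run planner for the
// CRITS 3 -> CRITS 4 indicator "type" renames above. Plain Node.js, no DB.

// Old type -> new type, as given in the post. Types the post lists without a
// new name (e.g. "Win File") are left out so they get reported, not guessed.
const TYPE_MAP = new Map([
  ["Address - ipv4-addr", "IPv4 Address"],
  ["Address - e-mail", "Email Address"],
  ["URI - URL", "URI"],
  ["URI - Domain Name", "Domain"],
  ["Account", "User ID"],
  ["String", "Email Subject"],
]);

// Per old type, how many documents a multi update would touch (what
// db.indicators.count({type: old}) returns in the shell), plus any type that
// is neither an old name nor an already-converted new name.
function planMigration(docs, typeMap) {
  const newNames = new Set(typeMap.values());
  const matches = {};
  const unmapped = new Set();
  for (const d of docs) {
    if (typeMap.has(d.type)) matches[d.type] = (matches[d.type] || 0) + 1;
    else if (!newNames.has(d.type)) unmapped.add(d.type);
  }
  return { matches, unmapped: [...unmapped].sort() };
}

// Apply the renames to a copy and report nMatched the way WriteResult does.
// Running it again on the result matches 0: the update is idempotent, not failed.
function applyRenames(docs, typeMap) {
  let nMatched = 0;
  const out = docs.map((d) => {
    if (!typeMap.has(d.type)) return { ...d };
    nMatched += 1;
    return { ...d, type: typeMap.get(d.type) };
  });
  return { docs: out, nMatched };
}

// Constructed sample indicators, not real CRITS data.
const SAMPLE_DOCS = [
  { value: "198.51.100.7", type: "Address - ipv4-addr" },
  { value: "203.0.113.9", type: "Address - ipv4-addr" },
  { value: "alice@example.com", type: "Address - e-mail" },
  { value: "http://example.com/x", type: "URI - URL" },
  { value: "invoice.exe", type: "Win File" },
  { value: "10.0.0.1", type: "IPv4 Address" },
];
```

Running planMigration before the real updates gives the expected nMatched per type to compare against the shell's WriteResult, and a non-empty unmapped list means the mapping still has gaps to fill before the data is CRITS 4 compatible.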