msticpy.context.contextproviders.http_context_provider module

HTTP Context Provider base.

HTTP implementation of a ContextProvider. It is used to interface with an HTTP API that supplies additional context for an item. It inherits from ContextProvider and HttpProvider.

class msticpy.context.contextproviders.http_context_provider.HttpContextProvider(timeout: int | None = None, ApiID: str | None = None, AuthKey: str | None = None, Instance: str | None = None)

Bases: ContextProvider, HttpProvider

HTTP Context Provider base class.

Init HttpContextProvider.

classmethod is_known_type(item_type: str) → bool

Return True if this is a known IoC type.

Parameters:

item_type (str) – IoCType string to test

Returns:

True if known type.

Return type:

bool

is_supported_type(item_type: str | IoCType) → bool

Return True if the passed type is supported.

Parameters:

item_type (Union[str, IoCType]) – type name or instance

Returns:

True if supported.

Return type:

bool

property item_query_defs: dict[str, Any]

Return current dictionary of IoC query/request definitions.

Returns:

IoC query/request definitions keyed by IoCType

Return type:

dict[str, Any]

lookup_item(item: str, item_type: str | None = None, query_type: str | None = None) → pd.DataFrame

Lookup from a value.

Parameters:
  • item (str) – item to lookup

  • item_type (str, optional) – The Type of the item to lookup, by default None (type will be inferred)

  • query_type (str, optional) – Specify the data subtype to be queried, by default None. If not specified the default record type for the item_value will be returned.

Returns:

The lookup result, with columns: result (Positive/Negative), details (lookup details, or status if the lookup failed), raw_result (raw response), reference (URL of the item).

Return type:

pd.DataFrame

Raises:

NotImplementedError – If attempting to use an HTTP method or authentication protocol that is not supported.

Notes

Note: this method uses memoization (lru_cache) to cache results for a particular observable, to avoid repeated network calls for the same item.

lookup_items(data: pd.DataFrame | dict[str, str] | Iterable[str], item_col: str | None = None, item_type_col: str | None = None, query_type: str | None = None) → pd.DataFrame

Lookup collection of items.

Parameters:
  • data (Union[pd.DataFrame, dict[str, str], Iterable[str]]) – Data input in one of three formats: (1) a pandas DataFrame (you must supply the column name in the item_col parameter); (2) a dict of items; (3) an iterable of items

  • item_col (str, optional) – DataFrame column to use for items, by default None

  • item_type_col (str, optional) – DataFrame column to use for types, by default None

  • query_type (str, optional) – Specify the data subtype to be queried, by default None. If not specified the default record type for the item type will be returned.

Returns:

DataFrame of results.

Return type:

pd.DataFrame

async lookup_items_async(data: pd.DataFrame | dict[str, str] | Iterable[str], item_col: str | None = None, item_type_col: str | None = None, query_type: str | None = None, *, prog_counter: ProgressCounter | None = None, item_type: str | None = None) → pd.DataFrame

Lookup collection of items.

Parameters:
  • data (Union[pd.DataFrame, dict[str, str], Iterable[str]]) – Data input in one of three formats: (1) a pandas DataFrame (you must supply the column name in the item_col parameter); (2) a dict mapping each item to its type; (3) an iterable of items (types will be inferred)

  • item_col (str, optional) – DataFrame column to use for items, by default None

  • item_type_col (str, optional) – DataFrame column to use for Types, by default None

  • query_type (str, optional) – Specify the data subtype to be queried, by default None. If not specified the default record type for the item will be returned.

  • prog_counter (ProgressCounter, optional) – Progress counter used to display the progress of IoC searches.

  • item_type (str, Optional) – Type of item

Returns:

DataFrame of results.

Return type:

pd.DataFrame

lookup_observable(observable: str, observable_type: str | None = None, query_type: str | None = None, *, provider_name: str | None = None, timeout: int | None = None) → pd.DataFrame

Lookup from a value.

Parameters:
  • observable (str) – observable to lookup

  • observable_type (str, optional) – The Type of the observable to lookup, by default None (type will be inferred)

  • query_type (str, optional) – Specify the data subtype to be queried, by default None. If not specified the default record type for the item_value will be returned.

  • provider_name (str, optional) – Name of the provider to use for the lookup

  • timeout (int, optional) – Timeout to use for lookups

Returns:

The lookup result, with columns: result (Positive/Negative), details (lookup details, or status if the lookup failed), raw_result (raw response), reference (URL of the item).

Return type:

pd.DataFrame

Raises:

NotImplementedError – If attempting to use an HTTP method or authentication protocol that is not supported.

Notes

Note: this method uses memoization (lru_cache) to cache results for a particular item, to avoid repeated network calls for the same item.

lookup_observables(data: pd.DataFrame | dict[str, str] | Iterable[str], obs_col: str | None = None, obs_type_col: str | None = None, query_type: str | None = None) → pd.DataFrame

Lookup collection of observables.

Parameters:
  • data (pd.DataFrame | dict[str, str] | Iterable[str]) – Data input in one of three formats: (1) a pandas DataFrame (you must supply the column name in the obs_col parameter); (2) a dict of observables; (3) an iterable of observables

  • obs_col (str, optional) – DataFrame column to use for observables, by default None

  • obs_type_col (str, optional) – DataFrame column to use for observables types, by default None

  • query_type (str, optional) – Specify the data subtype to be queried, by default None. If not specified the default record type for the observable type will be returned.

Returns:

DataFrame of results.

Return type:

pd.DataFrame

async lookup_observables_async(data: pd.DataFrame | dict[str, str] | list[str], obs_col: str | None = None, obs_type_col: str | None = None, query_type: str | None = None) → pd.DataFrame

Call base async wrapper.

property name: str

Return the name of the provider.

abstract parse_results(response: dict) → tuple[bool, Any]

Return the details of the response.

Parameters:

response (dict) – The returned data response

Returns:

bool – positive or negative hit; ResultSeverity – enumeration of severity; object with match details

Return type:

tuple[bool, ResultSeverity, Any]

static resolve_item_type(item: str) → str

Return IoCType determined by ItemExtract.

Parameters:

item (str) – Item string

Returns:

IoCType (or unknown if type could not be determined)

Return type:

str
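As an added illustration (not msticpy's own code, and not a subclass of its classes), the following stand-alone provider mirrors the contract that the lookup_item, parse_results and resolve_item_type entries above describe: an item whose type is inferred when none is given, a parse_results hook that returns (hit, severity, details), and a single-item lookup memoized with lru_cache so a repeated item does not trigger another request. ResultSeverity, ToyContextProvider, _FAKE_API and the reference URL scheme are assumptions made for the example; the API responses are constructed so it runs offline, and result rows are plain dicts rather than the pandas DataFrame the real methods return.

```python
from __future__ import annotations

import ipaddress
import re
from enum import IntEnum
from functools import lru_cache
from typing import Any, Iterable


class ResultSeverity(IntEnum):
    """Assumed severity enumeration standing in for the one the page names."""

    unknown = 0
    information = 1
    warning = 2
    high = 3


# Constructed canned responses standing in for the remote HTTP context API,
# so the example runs offline. Scores and tags are made up for illustration.
_FAKE_API: dict[str, dict] = {
    "198.51.100.7": {"found": True, "score": 85, "tags": ["scanner"]},
    "example.test": {"found": True, "score": 10, "tags": []},
    "00112233445566778899aabbccddeeff": {"found": False},
}

_HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
_DNS_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)


class ToyContextProvider:
    """Assumed stand-in for an HttpContextProvider subclass (not msticpy code)."""

    name = "ToyContext"
    _SUPPORTED = ("ipv4", "dns", "md5", "sha1", "sha256")

    def __init__(self) -> None:
        self.calls = 0  # simulated network requests, to make memoization visible

    @staticmethod
    def resolve_item_type(item: str) -> str:
        """Infer the IoC type of a string; 'unknown' when no rule matches."""
        try:
            ipaddress.IPv4Address(item)
            return "ipv4"
        except ValueError:
            pass
        if re.fullmatch(r"[0-9a-fA-F]+", item) and len(item) in _HASH_TYPES:
            return _HASH_TYPES[len(item)]
        if _DNS_RE.match(item):
            return "dns"
        return "unknown"

    def is_supported_type(self, item_type: str) -> bool:
        return item_type in self._SUPPORTED

    def parse_results(self, response: dict) -> tuple[bool, ResultSeverity, Any]:
        """Map a raw response body to (hit, severity, details)."""
        if not response.get("found"):
            return False, ResultSeverity.information, "no record"
        score = int(response.get("score", 0))
        if score >= 75:
            severity = ResultSeverity.high
        elif score >= 25:
            severity = ResultSeverity.warning
        else:
            severity = ResultSeverity.information
        return True, severity, {"score": score, "tags": list(response.get("tags", []))}

    def _http_get(self, item: str, item_type: str) -> dict:
        """Stand-in for the HTTP request; returns the canned body for the item."""
        self.calls += 1
        return _FAKE_API.get(item, {"found": False})

    @lru_cache(maxsize=256)
    def lookup_item(self, item: str, item_type: str | None = None) -> dict:
        """Single lookup; the cache returns the stored row for a repeated item."""
        item_type = item_type or self.resolve_item_type(item)
        row = {"item": item, "item_type": item_type, "provider": self.name,
               "result": False, "severity": ResultSeverity.unknown.name,
               "details": "unsupported type", "raw_result": None, "reference": None}
        if not self.is_supported_type(item_type):
            return row  # no request is sent for a type the provider cannot query
        raw = self._http_get(item, item_type)
        hit, severity, details = self.parse_results(raw)
        row.update(result=hit, severity=severity.name, details=details, raw_result=raw,
                   reference=f"https://context.example/api/{item_type}/{item}")  # constructed URL scheme
        return row

    def lookup_items(self, data: dict[str, str] | Iterable[str]) -> list[dict]:
        """Collection lookup: a dict maps item -> type; any other iterable infers types."""
        if isinstance(data, dict):
            return [self.lookup_item(item, typ) for item, typ in data.items()]
        return [self.lookup_item(item) for item in data]


if __name__ == "__main__":
    prov = ToyContextProvider()
    for r in prov.lookup_items(["198.51.100.7", "example.test", "not an ioc!"]):
        print(r["item"], r["item_type"], r["result"], r["severity"], r["details"])
    prov.lookup_item("198.51.100.7")  # served from the cache
    print("requests made:", prov.calls)
```

Because lru_cache keys on the arguments, `lookup_item("x")` and `lookup_item("x", None)` are distinct cache entries, and the cached row object is shared between callers, so treat it as read-only.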

property supported_types: list[str]

Return list of supported types for this provider.

Returns:

List of supported type names

Return type:

list[str]

classmethod usage() → None

Print usage of provider.