Reading from and writing to Azure Blob Storage with AzureBlobStorage

Description

Azure Blob Storage provides a simple and flexible way to store and access data of any kind. This makes it ideal for storing a range of data relating to security investigations, whether that is raw data to analyze or the outputs and findings of an investigation.

The AzureBlobStorage class wraps the Azure Python SDK and integrates it with other MSTICpy features.

Import the module

from msticpy.data.storage import AzureBlobStorage

See azure_blob_storage for API details.

Initialize the class and connect

Azure Blob Storage is organized around accounts: these are the top-level objects under which everything else sits. When initializing AzureBlobStorage you need to provide the name of the account you wish to interact with. You then need to authenticate with the connect function. Authentication uses the az_connect feature of MSTICpy, and the authentication methods can be customized by passing them to connect with the auth_methods keyword.

abs = AzureBlobStorage("MyABSAccount")
abs.connect(auth_methods=["cli"])

For more details on Azure authentication see Azure Authentication in MSTICPy.

List Containers

containers returns details on all the containers within an account.

abs.containers()
   name           last_modified              etag                 public_access  has_immutability_policy  deleted  version  has_legal_hold  metadata
0  papermill      2020-11-06 21:53:33+00:00  "0x8D8829E684FCAA2"  None           False                    None     None     False           None
1  testcontainer  2020-11-19 15:22:38+00:00  "0x8D88C9EF3328E1F"  None           False                    None     None     False           None

See containers for API details.

Create a Container

create_container creates a new container within the account.

abs.create_container(container_name="MyNewContainer")
   name            last_modified              etag                 public_access  has_immutability_policy  deleted  version  has_legal_hold
0  MyNewContainer  2020-11-25 16:28:54+00:00  "0x8D8915F336764B3"  None           False                    None     None     False

See create_container for API details.

List Blobs

blobs returns details on all the blobs in a container. Because blobs are scoped to a container, you must pass this function the name of the container you want to list blobs from.

blobs = abs.blobs(container_name="MyNewContainer")
display(blobs[['name', 'container', 'snapshot', 'blob_type', 'last_modified']])
   name       container       snapshot  blob_type           last_modified
0  test-blob  MyNewContainer  None      BlobType.BlockBlob  2020-11-25 17:26:44+00:00

See blobs for API details.

Write to a Blob

upload_to_blob writes data to a blob as specified. By default this will overwrite anything in the blob but you can set overwrite=False to stop an overwrite if the blob already has contents. The function returns True if the upload was successful.

> abs.upload_to_blob(blob="Here is some test data", container_name="MyNewContainer", blob_name="test-blob")
True

See upload_to_blob for API details.

Read from a Blob

get_blob returns the contents of the specified blob.

> blob_contents = abs.get_blob(container_name="MyNewContainer", blob_name="test-blob")
> print(blob_contents)
b"Here is some test data"

See get_blob for API details.

Delete a Blob

delete_blob deletes a blob. By default this will also delete any blob snapshots. The function returns True if the blob is successfully deleted.

> abs.delete_blob(container_name="MyNewContainer", blob_name="test-blob")
True

See delete_blob for API details.

Generate a SAS Token for a Blob

get_sas_token generates a SAS token for the specified blob. By default the token generated is valid for read access for 7 days but permissions can be modified with the permission keyword, and validity time-frame with the start and end keywords. The returned string is a full URI for the blob, with the SAS token appended.

> abs.get_sas_token(container_name="MyNewContainer", blob_name="test-blob")
"https://myabsaccount.blob.core.windows.net/MyNewContainer/test-blob?SASTOKENSTRING"

See get_sas_token for API details.
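
A pre-sharing check for the kind of URI that get_sas_token returns, added here as an example and not part of MSTICpy: it reads the standard SAS query parameters (sp, se, spr) and reports permissions or lifetime beyond a policy. The function name, the one-day and read-only policy defaults, and the sample URIs (placeholder signatures, assumed service version) are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed sample URIs (placeholder signatures, assumed service version).
BASE = "https://myabsaccount.blob.core.windows.net/MyNewContainer/test-blob"
DEFAULT_STYLE = BASE + ("?sv=2020-02-10&st=2020-11-25T17%3A00%3A00Z"
                        "&se=2020-12-02T17%3A00%3A00Z&sr=b&sp=r&sig=PLACEHOLDER")
SHORT_LIVED = BASE + ("?sv=2020-02-10&st=2020-11-25T17%3A00%3A00Z"
                      "&se=2020-11-25T18%3A00%3A00Z&spr=https&sr=b&sp=r&sig=PLACEHOLDER")
OVER_PRIVILEGED = SHORT_LIVED.replace("sp=r&", "sp=rwd&")


def _sas_time(value):
    """Parse a SAS st/se value (ISO 8601, UTC) into an aware datetime."""
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def audit_sas_uri(uri, now=None, max_lifetime=timedelta(days=1), allowed_perms="r"):
    """Return policy findings for a blob SAS URI; an empty list means it passed."""
    now = now or datetime.now(timezone.utc)
    parts = urlsplit(uri)
    params = {key: vals[0] for key, vals in parse_qs(parts.query).items()}
    if "sig" not in params or "se" not in params:
        return ["not a SAS URI: no sig/se parameters"]
    findings = []
    remaining = _sas_time(params["se"]) - now
    if remaining <= timedelta(0):
        findings.append("token has already expired")
    elif remaining > max_lifetime:
        findings.append(f"lifetime {remaining} exceeds policy {max_lifetime}")
    extra = set(params.get("sp", "")) - set(allowed_perms)
    if extra:
        findings.append("extra permissions: " + "".join(sorted(extra)))
    # When spr is omitted the service accepts both https and http.
    if parts.scheme != "https" or params.get("spr") != "https":
        findings.append("token is not restricted to HTTPS")
    return findings


if __name__ == "__main__":
    check_time = datetime(2020, 11, 25, 17, 0, tzinfo=timezone.utc)
    for label, uri in [("default-style", DEFAULT_STYLE), ("short-lived", SHORT_LIVED),
                       ("over-privileged", OVER_PRIVILEGED)]:
        print(label, audit_sas_uri(uri, now=check_time) or "OK")
```

Run it on the string returned by get_sas_token before the link leaves the notebook; a token with the 7-day default described above is reported against the one-day policy assumed here.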