Automatic Loading of Query Providers and Components

The mp_user_session.py module is designed to load and initialize query providers and other components based on configuration provided in a YAML file.

This allows you to load multiple providers and components in a single step avoiding having to write a lot of repetitive code in your notebooks.

The user is expected to supply the path to the YAML file to the load_user_config function. Each key in the QueryProviders and Components sections of the YAML file will be the name of the component variable in the local namespace.

Example YAML Configuration

Here is an example of a YAML configuration file that defines query providers and components:

QueryProviders:
    qry_prov_sent:
        DataEnvironment: MSSentinel
        InitArgs:
            debug: True
        Connect: True
        ConnectArgs:
            workspace: CyberSecuritySoc
            auth_methods: ['cli', 'device_code']
    qry_prov_md:
        DataEnvironment: M365D
    qry_kusto_mde:
        DataEnvironment: Kusto
        Connect: True
        ConnectArgs:
            cluster: MDE-Scrubbed
Components:
    mssentinel:
        Module: msticpy.context.azure
        Class: MicrosoftSentinel
        InitArgs:
        Connect: True
        ConnectArgs:
            workspace: CyberSecuritySoc
            auth_methods: ['cli', 'device_code']

Each key in the QueryProviders and Components sections is the name of the instance of the component created in your notebook environment. For example, the qry_prov_md entry is equivalent to the code:

import msticpy as mp
qry_prov_md = mp.QueryProvider("M365D")

You can also specify initialization arguments using the InitArgs property. This should be a dictionary of <parameter name>: <param value>. The qry_prov_sent entry in the above example adds debug=True to the parameters given to the QueryProvider class when it is initialized.

You can also ask the user session manager to call the connect method for the provider with the Connect property, and supply parameters to the connect call with the ConnectArgs property. This is a dictionary of <parameter name>: <param value> similar to the InitArgs property.

The Components section allows you to define non-query components and works in a similar way to the QueryProviders section. The main difference here is that you need to specify the module and class of the component that you want to load. In the example above, we are loading the MicrosoftSentinel class from the msticpy.context.azure module and requesting that the connect method is called with the parameters specified in the ConnectArgs property.