msticpy.datamodel package

msticpy.datamodel.entities module

msticpy.datamodel.entities.account

Account Entity class.

class msticpy.datamodel.entities.account.Account(src_entity: Mapping[str, Any] = None, src_event: Mapping[str, Any] = None, role: str = 'subject', **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

Account Entity class.

Name

Account Name

Type:str
NTDomain

Account NTDomain

Type:str
UPNSuffix

Account UPNSuffix

Type:str
Host

Account Host

Type:Host
LogonId

Account LogonId (deprecated)

Type:str
Sid

Account Sid

Type:str
AadTenantId

Account AadTenantId

Type:str
AadUserId

Account AadUserId

Type:str
PUID

Account PUID

Type:str
IsDomainJoined

Account IsDomainJoined

Type:bool
DisplayName

Account DisplayName

Type:str

Create a new instance of the entity type.

Parameters:
  • src_entity (Mapping[str, Any], optional) – Create entity from existing Account entity or other mapping object that implements entity properties. (the default is None)
  • src_event (Mapping[str, Any], optional) – Create entity from event properties (the default is None)
  • role (str, optional) – ‘subject’ or ‘target’ - only relevant if the entity is being constructed from an event. (the default is ‘subject’)
Other Parameters:
 

kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.

ENTITY_NAME_MAP = {'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters:
  • target (Node) – Target node.
  • edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
can_merge(other: Any) → bool

Return True if the entities can be merged.

Parameters:other (Any) – The other entity (object) to check
Returns:True if other has no conflicting properties.
Return type:bool
classmethod create(src_entity: Mapping[str, Any] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns:Instantiated entity
Return type:Entity

Notes

The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.

description_str

Return Entity Description.

classmethod get_pivot_list() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity.
Return type:List[str]
has_edge(other)

Return True if node has an edge with other.

id_properties = []
classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type[CT_co]] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters:
  • raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
  • entity_type (Optional[Type]) – The entity type to create, by default None.
Returns:

The instantiated entity

Return type:

Entity

is_equivalent(other: Any) → bool

Return True if the entities are equivalent.

Parameters:other (Any) – The entity to check
Returns:True if equivalent.
Return type:bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A self.B == “xyz” and other.B == None self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

merge(other: Any) → msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns:Merged entity.
Return type:Entity
Raises:AttributeError – If the entities cannot be merged.
node_properties

Return all public properties that are not entities.

Returns:Dictionary of name, value properties.
Return type:Dict[str, Any]
classmethod pivots() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity.
Return type:List[str]
properties

Return dictionary properties of entity.

Returns:Entity properties.
Return type:dict
qualified_name

Windows qualified account name.

to_html() → str

Return HTML representation of entity.

Returns:HTML representation of entity
Return type:str
to_networkx(graph: networkx.classes.graph.Graph = None) → networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters:graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None
Returns:Graph with entity and any connected entities.
Return type:nx.Graph

msticpy.datamodel.entities.alert

Alert Entity class.

class msticpy.datamodel.entities.alert.Alert(src_entity: Mapping[str, Any] = None, **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

Alert Entity class.

DisplayName

Alert DisplayName

Type:str
CompromisedEntity

Alert CompromisedEntity

Type:str
Count

Alert Count

Type:int
StartTimeUtc

Alert StartTimeUtc

Type:datetime
EndTimeUtc

Alert EndTimeUtc

Type:datetime
Severity

Alert Severity

Type:str
SystemAlertIds

Alert SystemAlertIds

Type:List[str]
AlertType

Alert AlertType

Type:str
VendorName

Alert VendorName

Type:str
ProviderName

Alert ProviderName

Type:str

Create a new instance of the entity type.

Parameters:src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)
Other Parameters:
 kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.
ENTITY_NAME_MAP = {'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters:
  • target (Node) – Target node.
  • edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
can_merge(other: Any) → bool

Return True if the entities can be merged.

Parameters:other (Any) – The other entity (object) to check
Returns:True if other has no conflicting properties.
Return type:bool
classmethod create(src_entity: Mapping[str, Any] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns:Instantiated entity
Return type:Entity

Notes

The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.

description_str

Return Entity Description.

classmethod get_pivot_list() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity.
Return type:List[str]
has_edge(other)

Return True if node has an edge with other.

id_properties = []
classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type[CT_co]] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters:
  • raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
  • entity_type (Optional[Type]) – The entity type to create, by default None.
Returns:

The instantiated entity

Return type:

Entity

is_equivalent(other: Any) → bool

Return True if the entities are equivalent.

Parameters:other (Any) – The entity to check
Returns:True if equivalent.
Return type:bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A self.B == “xyz” and other.B == None self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

merge(other: Any) → msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns:Merged entity.
Return type:Entity
Raises:AttributeError – If the entities cannot be merged.
node_properties

Return all public properties that are not entities.

Returns:Dictionary of name, value properties.
Return type:Dict[str, Any]
classmethod pivots() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity.
Return type:List[str]
properties

Return dictionary properties of entity.

Returns:Entity properties.
Return type:dict
to_html() → str

Return HTML representation of entity.

Returns:HTML representation of entity
Return type:str
to_networkx(graph: networkx.classes.graph.Graph = None) → networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters:graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None
Returns:Graph with entity and any connected entities.
Return type:nx.Graph

msticpy.datamodel.entities.azure_resource

AzureResource Entity class.

class msticpy.datamodel.entities.azure_resource.AzureResource(src_entity: Mapping[str, Any] = None, **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

AzureResource Entity class.

ResourceId

AzureResource ResourceId

Type:str
ResourceIdParts

AzureResource ResourceIdParts

Type:Dict[str, str]

Create a new instance of the entity type.

Parameters:src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)
Other Parameters:
 kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.
ENTITY_NAME_MAP = {'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
Provider

Return the Provider name or None.

ResourceGroup

Return the ResourceGroup name or None.

SubscriptionId

Return the subscription Id or None.

add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters:
  • target (Node) – Target node.
  • edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
can_merge(other: Any) → bool

Return True if the entities can be merged.

Parameters:other (Any) – The other entity (object) to check
Returns:True if other has no conflicting properties.
Return type:bool
classmethod create(src_entity: Mapping[str, Any] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns:Instantiated entity
Return type:Entity

Notes

The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.

description_str

Return Entity Description.

classmethod get_pivot_list() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity.
Return type:List[str]
has_edge(other)

Return True if node has an edge with other.

id_properties = []
classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type[CT_co]] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters:
  • raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
  • entity_type (Optional[Type]) – The entity type to create, by default None.
Returns:

The instantiated entity

Return type:

Entity

is_equivalent(other: Any) → bool

Return True if the entities are equivalent.

Parameters:other (Any) – The entity to check
Returns:True if equivalent.
Return type:bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A self.B == “xyz” and other.B == None self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

merge(other: Any) → msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns:Merged entity.
Return type:Entity
Raises:AttributeError – If the entities cannot be merged.
node_properties

Return all public properties that are not entities.

Returns:Dictionary of name, value properties.
Return type:Dict[str, Any]
classmethod pivots() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity.
Return type:List[str]
properties

Return dictionary properties of entity.

Returns:Entity properties.
Return type:dict
to_html() → str

Return HTML representation of entity.

Returns:HTML representation of entity
Return type:str
to_networkx(graph: networkx.classes.graph.Graph = None) → networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters:graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None
Returns:Graph with entity and any connected entities.
Return type:nx.Graph

msticpy.datamodel.entities.cloud_application

CloudApplication Entity class.

class msticpy.datamodel.entities.cloud_application.CloudApplication(src_entity: Mapping[str, Any] = None, **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

CloudApplication Entity class.

Name

CloudApplication Name

Type:str

Create a new instance of the entity type.

Parameters:src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)
Other Parameters:
 kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.
ENTITY_NAME_MAP = {'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters:
  • target (Node) – Target node.
  • edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
can_merge(other: Any) → bool

Return True if the entities can be merged.

Parameters:other (Any) – The other entity (object) to check
Returns:True if other has no conflicting properties.
Return type:bool
classmethod create(src_entity: Mapping[str, Any] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns:Instantiated entity
Return type:Entity

Notes

The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.

description_str

Return Entity Description.

classmethod get_pivot_list() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity.
Return type:List[str]
has_edge(other)

Return True if node has an edge with other.

id_properties = []
classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type[CT_co]] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters:
  • raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
  • entity_type (Optional[Type]) – The entity type to create, by default None.
Returns:

The instantiated entity

Return type:

Entity

is_equivalent(other: Any) → bool

Return True if the entities are equivalent.

Parameters:other (Any) – The entity to check
Returns:True if equivalent.
Return type:bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A self.B == “xyz” and other.B == None self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

merge(other: Any) → msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns:Merged entity.
Return type:Entity
Raises:AttributeError – If the entities cannot be merged.
node_properties

Return all public properties that are not entities.

Returns:Dictionary of name, value properties.
Return type:Dict[str, Any]
classmethod pivots() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity.
Return type:List[str]
properties

Return dictionary properties of entity.

Returns:Entity properties.
Return type:dict
to_html() → str

Return HTML representation of entity.

Returns:HTML representation of entity
Return type:str
to_networkx(graph: networkx.classes.graph.Graph = None) → networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters:graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None
Returns:Graph with entity and any connected entities.
Return type:nx.Graph

msticpy.datamodel.entities.dns

Dns Entity class.

class msticpy.datamodel.entities.dns.Dns(src_entity: Mapping[str, Any] = None, **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

DNS Resolve Entity class.

DomainName

DnsResolve DomainName

Type:str
IpAdresses

DnsResolve IpAdresses

Type:List[str]
DnsServerIp

DnsResolve DnsServerIp

Type:IPAddress
HostIpAddress

DnsResolve HostIpAddress

Type:IPAddress

Create a new instance of the entity type.

Parameters:src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)
Other Parameters:
 kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.
ENTITY_NAME_MAP = {'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters:
  • target (Node) – Target node.
  • edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
can_merge(other: Any) → bool

Return True if the entities can be merged.

Parameters:other (Any) – The other entity (object) to check
Returns:True if other has no conflicting properties.
Return type:bool
classmethod create(src_entity: Mapping[str, Any] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns:Instantiated entity
Return type:Entity

Notes

The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.

description_str

Return Entity Description.

classmethod get_pivot_list() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity.
Return type:List[str]
has_edge(other)

Return True if node has an edge with other.

id_properties = []
classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type[CT_co]] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters:
  • raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
  • entity_type (Optional[Type]) – The entity type to create, by default None.
Returns:

The instantiated entity

Return type:

Entity

is_equivalent(other: Any) → bool

Return True if the entities are equivalent.

Parameters:other (Any) – The entity to check
Returns:True if equivalent.
Return type:bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A self.B == “xyz” and other.B == None self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

merge(other: Any) → msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns:Merged entity.
Return type:Entity
Raises:AttributeError – If the entities cannot be merged.
node_properties

Return all public properties that are not entities.

Returns:Dictionary of name, value properties.
Return type:Dict[str, Any]
classmethod pivots() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity.
Return type:List[str]
properties

Return dictionary properties of entity.

Returns:Entity properties.
Return type:dict
to_html() → str

Return HTML representation of entity.

Returns:HTML representation of entity
Return type:str
to_networkx(graph: networkx.classes.graph.Graph = None) → networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters:graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None
Returns:Graph with entity and any connected entities.
Return type:nx.Graph

msticpy.datamodel.entities.entity

Entity Entity class.

class msticpy.datamodel.entities.entity.ContextObject

Bases: object

Information object attached to entity but is not an Entity.

class msticpy.datamodel.entities.entity.Entity(src_entity: Mapping[str, Any] = None, **kwargs)

Bases: abc.ABC, msticpy.datamodel.entities.entity_graph.Node

Entity abstract base class.

Implements common methods for Entity classes

Create a new instance of an entity.

Parameters:src_entity (Mapping[str, Any], optional) – If src_entity is supplied it attempts to extract common properties from the source entity and assign them to the new instance. (the default is None)
Other Parameters:
 kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.
ENTITY_NAME_MAP = {'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters:
  • target (Node) – Target node.
  • edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
can_merge(other: Any) → bool

Return True if the entities can be merged.

Parameters:other (Any) – The other entity (object) to check
Returns:True if other has no conflicting properties.
Return type:bool
classmethod create(src_entity: Mapping[str, Any] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns:Instantiated entity
Return type:Entity

Notes

The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.

description_str

Return Entity Description.

Returns:Entity description (optional). If not overridden by the Entity instance type, it will return the Type string.
Return type:str
classmethod get_pivot_list() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity.
Return type:List[str]
has_edge(other)

Return True if node has an edge with other.

id_properties = []
classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type[CT_co]] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters:
  • raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
  • entity_type (Optional[Type]) – The entity type to create, by default None.
Returns:

The instantiated entity

Return type:

Entity

is_equivalent(other: Any) → bool

Return True if the entities are equivalent.

Parameters:other (Any) – The entity to check
Returns:True if equivalent.
Return type:bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A self.B == “xyz” and other.B == None self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

merge(other: Any) → msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns:Merged entity.
Return type:Entity
Raises:AttributeError – If the entities cannot be merged.
node_properties

Return all public properties that are not entities.

Returns:Dictionary of name, value properties.
Return type:Dict[str, Any]
classmethod pivots() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity.
Return type:List[str]
properties

Return dictionary properties of entity.

Returns:Entity properties.
Return type:dict
to_html() → str

Return HTML representation of entity.

Returns:HTML representation of entity
Return type:str
to_networkx(graph: networkx.classes.graph.Graph = None) → networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters:graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None
Returns:Graph with entity and any connected entities.
Return type:nx.Graph

msticpy.datamodel.entities.entity_enums

Entity enumerations.

class msticpy.datamodel.entities.entity_enums.Algorithm

Bases: enum.Enum

FileHash Algorithm Enumeration.

MD5 = 1
SHA1 = 2
SHA256 = 3
SHA256AC = 4
Unknown = 0
class msticpy.datamodel.entities.entity_enums.ElevationToken

Bases: enum.Enum

ElevationToken enumeration.

Default = 0
Full = 1
Limited = 2
class msticpy.datamodel.entities.entity_enums.OSFamily

Bases: enum.Enum

OSFamily enumeration.

Linux = 0
Windows = 1
class msticpy.datamodel.entities.entity_enums.RegistryHive

Bases: enum.Enum

RegistryHive enumeration.

HKEY_A = 8
HKEY_CLASSES_ROOT = 1
HKEY_CURRENT_CONFIG = 2
HKEY_CURRENT_USER = 9
HKEY_CURRENT_USER_LOCAL_SETTINGS = 4
HKEY_LOCAL_MACHINE = 0
HKEY_PERFORMANCE_DATA = 5
HKEY_PERFORMANCE_NLSTEXT = 6
HKEY_PERFORMANCE_TEXT = 7
HKEY_USERS = 3

msticpy.datamodel.entities.entity_graph

Entity Graph classes.

class msticpy.datamodel.entities.entity_graph.Edge(source: msticpy.datamodel.entities.entity_graph.Node, target: msticpy.datamodel.entities.entity_graph.Node, attrs: Dict[str, Any] = None)

Bases: object

Entity edge class.

Create a new edge between source and target.

Parameters:
  • source (Node) – Source node.
  • target (Node) – Target node.
  • attrs (Dict[str, Any], optional) – Dictionary of name/value edge attributes, by default None
add_attr(name: str, value: Any)

Add an edge attribute.

class msticpy.datamodel.entities.entity_graph.Node

Bases: object

Entity node.

Initialize the node.

add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters:
  • target (Node) – Target node.
  • edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
has_edge(other)

Return True if node has an edge with other.

msticpy.datamodel.entities.file

File Entity class.

class msticpy.datamodel.entities.file.File(src_entity: Mapping[str, Any] = None, src_event: Mapping[str, Any] = None, role: str = 'new', **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

File Entity class.

FullPath

File FullPath

Type:str
Directory

File Directory

Type:str
Name

File Name

Type:str
Md5

File Md5

Type:str
Host

File Host

Type:str
Sha1

File Sha1

Type:str
Sha256

File Sha256

Type:str
Sha256Ac

File Sha256Ac

Type:str
FileHashes

File FileHashes

Type:List[FileHash]

Create a new instance of the entity type.

Parameters:
  • src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)
  • src_event (Mapping[str, Any], optional) – Create entity from event properties (the default is None)
  • role (str, optional) – ‘new’ or ‘parent’ - only relevant if the entity is being constructed from an event. (the default is ‘new’)
Other Parameters:
 

kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.

ENTITY_NAME_MAP = {'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters:
  • target (Node) – Target node.
  • edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
can_merge(other: Any) → bool

Return True if the entities can be merged.

Parameters:other (Any) – The other entity (object) to check
Returns:True if other has no conflicting properties.
Return type:bool
classmethod create(src_entity: Mapping[str, Any] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns:Instantiated entity
Return type:Entity

Notes

The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.

description_str

Return Entity Description.

file_hash

Return the first defined file hash.

Returns:Returns first-defined file hash in order of SHA256, SHA1, MD5, SHA256AC (authenticode)
Return type:Optional[str]
classmethod get_pivot_list() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity.
Return type:List[str]
has_edge(other)

Return True if node has an edge with other.

id_properties = []
classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type[CT_co]] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters:
  • raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
  • entity_type (Optional[Type]) – The entity type to create, by default None.
Returns:

The instantiated entity

Return type:

Entity

is_equivalent(other: Any) → bool

Return True if the entities are equivalent.

Parameters:other (Any) – The entity to check
Returns:True if equivalent.
Return type:bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A self.B == “xyz” and other.B == None self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

merge(other: Any) → msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns:Merged entity.
Return type:Entity
Raises:AttributeError – If the entities cannot be merged.
node_properties

Return all public properties that are not entities.

Returns:Dictionary of name, value properties.
Return type:Dict[str, Any]
path_separator

Return the path separator used by the file.

classmethod pivots() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity.
Return type:List[str]
properties

Return dictionary properties of entity.

Returns:Entity properties.
Return type:dict
to_html() → str

Return HTML representation of entity.

Returns:HTML representation of entity
Return type:str
to_networkx(graph: networkx.classes.graph.Graph = None) → networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters:graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None
Returns:Graph with entity and any connected entities.
Return type:nx.Graph

msticpy.datamodel.entities.file_hash

FileHash Entity class.

class msticpy.datamodel.entities.file_hash.FileHash(src_entity: Mapping[str, Any] = None, **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

File Hash class.

Algorithm

FileHash Algorithm

Type:Algorithm
Value

FileHash Value

Type:str

Create a new instance of the entity type.

Parameters:src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)
Other Parameters:
 kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.
ENTITY_NAME_MAP = {'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters:
  • target (Node) – Target node.
  • edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
can_merge(other: Any) → bool

Return True if the entities can be merged.

Parameters:other (Any) – The other entity (object) to check
Returns:True if other has no conflicting properties.
Return type:bool
classmethod create(src_entity: Mapping[str, Any] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns:Instantiated entity
Return type:Entity

Notes

The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.

description_str

Return Entity Description.

classmethod get_pivot_list() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity.
Return type:List[str]
has_edge(other)

Return True if node has an edge with other.

id_properties = []
classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type[CT_co]] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters:
  • raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
  • entity_type (Optional[Type]) – The entity type to create, by default None.
Returns:

The instantiated entity

Return type:

Entity

is_equivalent(other: Any) → bool

Return True if the entities are equivalent.

Parameters:other (Any) – The entity to check
Returns:True if equivalent.
Return type:bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A self.B == “xyz” and other.B == None self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

merge(other: Any) → msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns:Merged entity.
Return type:Entity
Raises:AttributeError – If the entities cannot be merged.
node_properties

Return all public properties that are not entities.

Returns:Dictionary of name, value properties.
Return type:Dict[str, Any]
classmethod pivots() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity.
Return type:List[str]
properties

Return dictionary properties of entity.

Returns:Entity properties.
Return type:dict
to_html() → str

Return HTML representation of entity.

Returns:HTML representation of entity
Return type:str
to_networkx(graph: networkx.classes.graph.Graph = None) → networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters:graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None
Returns:Graph with entity and any connected entities.
Return type:nx.Graph

msticpy.datamodel.entities.geo_location

GeoLocation Entity class.

class msticpy.datamodel.entities.geo_location.GeoLocation(src_entity: Mapping[str, Any] = None, **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity, msticpy.datamodel.entities.entity.ContextObject

GeoLocation class.

CountryCode

GeoLocation CountryCode

Type:str
CountryName

GeoLocation CountryName

Type:str
State

GeoLocation State

Type:str
City

GeoLocation City

Type:str
Longitude

GeoLocation Longitude

Type:float
Latitude

GeoLocation Latitude

Type:float
Asn

GeoLocation Asn

Type:str

Create a new instance of the entity type.

Parameters:src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)
Other Parameters:
 kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.
ENTITY_NAME_MAP = {'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters:
  • target (Node) – Target node.
  • edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
can_merge(other: Any) → bool

Return True if the entities can be merged.

Parameters:other (Any) – The other entity (object) to check
Returns:True if other has no conflicting properties.
Return type:bool
classmethod create(src_entity: Mapping[str, Any] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns:Instantiated entity
Return type:Entity

Notes

The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.

description_str

Return Entity Description.

classmethod get_pivot_list() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity.
Return type:List[str]
has_edge(other)

Return True if node has an edge with other.

id_properties = []
classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type[CT_co]] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters:
  • raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
  • entity_type (Optional[Type]) – The entity type to create, by default None.
Returns:

The instantiated entity

Return type:

Entity

is_equivalent(other: Any) → bool

Return True if the entities are equivalent.

Parameters:other (Any) – The entity to check
Returns:True if equivalent.
Return type:bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A self.B == “xyz” and other.B == None self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

merge(other: Any) → msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns:Merged entity.
Return type:Entity
Raises:AttributeError – If the entities cannot be merged.
node_properties

Return all public properties that are not entities.

Returns:Dictionary of name, value properties.
Return type:Dict[str, Any]
classmethod pivots() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity.
Return type:List[str]
properties

Return dictionary properties of entity.

Returns:Entity properties.
Return type:dict
to_html() → str

Return HTML representation of entity.

Returns:HTML representation of entity
Return type:str
to_networkx(graph: networkx.classes.graph.Graph = None) → networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters:graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None
Returns:Graph with entity and any connected entities.
Return type:nx.Graph

msticpy.datamodel.entities.host

Host Entity class.

class msticpy.datamodel.entities.host.Host(src_entity: Mapping[str, Any] = None, src_event: Mapping[str, Any] = None, **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

Host Entity class.

DnsDomain

Host DnsDomain

Type:str
NTDomain

Host NTDomain

Type:str
HostName

Host HostName

Type:str
NetBiosName

Host NetBiosName

Type:str
AzureID

Host AzureID

Type:str
OMSAgentID

Host OMSAgentID

Type:str
OSFamily

Host OSFamily

Type:str
IsDomainJoined

Host IsDomainJoined

Type:bool

Create a new instance of the entity type.

Parameters:
  • src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)
  • src_event (Mapping[str, Any], optional) – Create entity from event properties (the default is None)
Other Parameters:
 

kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.

ENTITY_NAME_MAP = {'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters:
  • target (Node) – Target node.
  • edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
can_merge(other: Any) → bool

Return True if the entities can be merged.

Parameters:other (Any) – The other entity (object) to check
Returns:True if other has no conflicting properties.
Return type:bool
computer

Return computer from source event.

classmethod create(src_entity: Mapping[str, Any] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns:Instantiated entity
Return type:Entity

Notes

The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.

description_str

Return Entity Description.

fqdn

Construct FQDN from host + dns.

classmethod get_pivot_list() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity.
Return type:List[str]
has_edge(other)

Return True if node has an edge with other.

id_properties = []
classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type[CT_co]] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters:
  • raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
  • entity_type (Optional[Type]) – The entity type to create, by default None.
Returns:

The instantiated entity

Return type:

Entity

is_equivalent(other: Any) → bool

Return True if the entities are equivalent.

Parameters:other (Any) – The entity to check
Returns:True if equivalent.
Return type:bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A self.B == “xyz” and other.B == None self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

merge(other: Any) → msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns:Merged entity.
Return type:Entity
Raises:AttributeError – If the entities cannot be merged.
node_properties

Return all public properties that are not entities.

Returns:Dictionary of name, value properties.
Return type:Dict[str, Any]
classmethod pivots() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity.
Return type:List[str]
properties

Return dictionary properties of entity.

Returns:Entity properties.
Return type:dict
to_html() → str

Return HTML representation of entity.

Returns:HTML representation of entity
Return type:str
to_networkx(graph: networkx.classes.graph.Graph = None) → networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters:graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None
Returns:Graph with entity and any connected entities.
Return type:nx.Graph

msticpy.datamodel.entities.host_logon_session

HostLogonSession Entity class.

class msticpy.datamodel.entities.host_logon_session.HostLogonSession(src_entity: Mapping[str, Any] = None, src_event: Mapping[str, Any] = None, **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

HostLogonSession Entity class.

Account

HostLogonSession Account

Type:Account
StartTimeUtc

HostLogonSession StartTimeUtc

Type:datetime
EndTimeUtc

HostLogonSession EndTimeUtc

Type:datetime
Host

HostLogonSession Host

Type:Host
SessionId

HostLogonSession SessionId

Type:str

Create a new instance of the entity type.

Parameters:
  • src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)
  • src_event (Mapping[str, Any], optional) – Create entity from event properties (the default is None)
Other Parameters:
 

kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.

ENTITY_NAME_MAP = {'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters:
  • target (Node) – Target node.
  • edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
can_merge(other: Any) → bool

Return True if the entities can be merged.

Parameters:other (Any) – The other entity (object) to check
Returns:True if other has no conflicting properties.
Return type:bool
classmethod create(src_entity: Mapping[str, Any] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns:Instantiated entity
Return type:Entity

Notes

The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.

description_str

Return Entity Description.

classmethod get_pivot_list() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity.
Return type:List[str]
has_edge(other)

Return True if node has an edge with other.

id_properties = []
classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type[CT_co]] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters:
  • raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
  • entity_type (Optional[Type]) – The entity type to create, by default None.
Returns:

The instantiated entity

Return type:

Entity

is_equivalent(other: Any) → bool

Return True if the entities are equivalent.

Parameters:other (Any) – The entity to check
Returns:True if equivalent.
Return type:bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A self.B == “xyz” and other.B == None self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

merge(other: Any) → msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns:Merged entity.
Return type:Entity
Raises:AttributeError – If the entities cannot be merged.
node_properties

Return all public properties that are not entities.

Returns:Dictionary of name, value properties.
Return type:Dict[str, Any]
classmethod pivots() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity.
Return type:List[str]
properties

Return dictionary properties of entity.

Returns:Entity properties.
Return type:dict
to_html() → str

Return HTML representation of entity.

Returns:HTML representation of entity
Return type:str
to_networkx(graph: networkx.classes.graph.Graph = None) → networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters:graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None
Returns:Graph with entity and any connected entities.
Return type:nx.Graph

msticpy.datamodel.entities.ip_address

IpAddress Entity class.

msticpy.datamodel.entities.ip_address.Ip

alias of msticpy.datamodel.entities.ip_address.IpAddress

class msticpy.datamodel.entities.ip_address.IpAddress(src_entity: Mapping[str, Any] = None, src_event: Mapping[str, Any] = None, **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

IPAddress Entity class.

Address

IpAddress Address

Type:str
Location

IpAddress Location

Type:GeoLocation
ThreatIntelligence

IpAddress ThreatIntelligence

Type:List[Threatintelligence]

Create a new instance of the entity type.

Parameters:
  • src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)
  • src_event (Mapping[str, Any], optional) – Create entity from event properties (the default is None)
Other Parameters:
 

kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.

ENTITY_NAME_MAP = {'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters:
  • target (Node) – Target node.
  • edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
can_merge(other: Any) → bool

Return True if the entities can be merged.

Parameters:other (Any) – The other entity (object) to check
Returns:True if other has no conflicting properties.
Return type:bool
classmethod create(src_entity: Mapping[str, Any] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns:Instantiated entity
Return type:Entity

Notes

The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.

description_str

Return Entity Description.

classmethod get_pivot_list() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity.
Return type:List[str]
has_edge(other)

Return True if node has an edge with other.

id_properties = []
classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type[CT_co]] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters:
  • raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
  • entity_type (Optional[Type]) – The entity type to create, by default None.
Returns:

The instantiated entity

Return type:

Entity

ip_address

Return a python IP address object from the entity property.

is_equivalent(other: Any) → bool

Return True if the entities are equivalent.

Parameters:other (Any) – The entity to check
Returns:True if equivalent.
Return type:bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A self.B == “xyz” and other.B == None self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

merge(other: Any) → msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns:Merged entity.
Return type:Entity
Raises:AttributeError – If the entities cannot be merged.
node_properties

Return all public properties that are not entities.

Returns:Dictionary of name, value properties.
Return type:Dict[str, Any]
classmethod pivots() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity.
Return type:List[str]
properties

Return dictionary properties of entity.

Returns:Entity properties.
Return type:dict
to_html() → str

Return HTML representation of entity.

Returns:HTML representation of entity
Return type:str
to_networkx(graph: networkx.classes.graph.Graph = None) → networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters:graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None
Returns:Graph with entity and any connected entities.
Return type:nx.Graph

msticpy.datamodel.entities.malware

Malware Entity class.

class msticpy.datamodel.entities.malware.Malware(src_entity: Mapping[str, Any] = None, **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

Malware Entity class.

Name

Malware Name

Type:str
Category

Malware Category

Type:str
File

Malware File

Type:File
Files

Malware Files

Type:List[File]
Processes

Malware Processes

Type:List[Process]

Create a new instance of the entity type.

Parameters:src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)
Other Parameters:
 kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.
ENTITY_NAME_MAP = {'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters:
  • target (Node) – Target node.
  • edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
can_merge(other: Any) → bool

Return True if the entities can be merged.

Parameters:other (Any) – The other entity (object) to check
Returns:True if other has no conflicting properties.
Return type:bool
classmethod create(src_entity: Mapping[str, Any] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns:Instantiated entity
Return type:Entity

Notes

The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.

description_str

Return Entity Description.

classmethod get_pivot_list() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity.
Return type:List[str]
has_edge(other)

Return True if node has an edge with other.

id_properties = []
classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type[CT_co]] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters:
  • raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
  • entity_type (Optional[Type]) – The entity type to create, by default None.
Returns:

The instantiated entity

Return type:

Entity

is_equivalent(other: Any) → bool

Return True if the entities are equivalent.

Parameters:other (Any) – The entity to check
Returns:True if equivalent.
Return type:bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A self.B == “xyz” and other.B == None self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

merge(other: Any) → msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns:Merged entity.
Return type:Entity
Raises:AttributeError – If the entities cannot be merged.
node_properties

Return all public properties that are not entities.

Returns:Dictionary of name, value properties.
Return type:Dict[str, Any]
classmethod pivots() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity.
Return type:List[str]
properties

Return dictionary properties of entity.

Returns:Entity properties.
Return type:dict
to_html() → str

Return HTML representation of entity.

Returns:HTML representation of entity
Return type:str
to_networkx(graph: networkx.classes.graph.Graph = None) → networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters:graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None
Returns:Graph with entity and any connected entities.
Return type:nx.Graph

msticpy.datamodel.entities.network_connection

NetworkConnection Entity class.

class msticpy.datamodel.entities.network_connection.NetworkConnection(src_entity: Mapping[str, Any] = None, **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

NetworkConnection Entity class.

SourceAddress

NetworkConnection SourceAddress

Type:IPAddress
SourcePort

NetworkConnection SourcePort

Type:int
DestinationAddress

NetworkConnection DestinationAddress

Type:IPAddress
DestinationPort

NetworkConnection DestinationPort

Type:int
Protocol

NetworkConnection Protocol

Type:str

Create a new instance of the entity type.

Parameters:src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)
Other Parameters:
 kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.
ENTITY_NAME_MAP = {'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters:
  • target (Node) – Target node.
  • edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
can_merge(other: Any) → bool

Return True if the entities can be merged.

Parameters:other (Any) – The other entity (object) to check
Returns:True if other has no conflicting properties.
Return type:bool
classmethod create(src_entity: Mapping[str, Any] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns:Instantiated entity
Return type:Entity

Notes

The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.

description_str

Return Entity Description.

classmethod get_pivot_list() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity.
Return type:List[str]
has_edge(other)

Return True if node has an edge with other.

id_properties = []
classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type[CT_co]] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters:
  • raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
  • entity_type (Optional[Type]) – The entity type to create, by default None.
Returns:

The instantiated entity

Return type:

Entity

is_equivalent(other: Any) → bool

Return True if the entities are equivalent.

Parameters:other (Any) – The entity to check
Returns:True if equivalent.
Return type:bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A self.B == “xyz” and other.B == None self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

merge(other: Any) → msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns:Merged entity.
Return type:Entity
Raises:AttributeError – If the entities cannot be merged.
node_properties

Return all public properties that are not entities.

Returns:Dictionary of name, value properties.
Return type:Dict[str, Any]
classmethod pivots() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity.
Return type:List[str]
properties

Return dictionary properties of entity.

Returns:Entity properties.
Return type:dict
to_html() → str

Return HTML representation of entity.

Returns:HTML representation of entity
Return type:str
to_networkx(graph: networkx.classes.graph.Graph = None) → networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters:graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None
Returns:Graph with entity and any connected entities.
Return type:nx.Graph

msticpy.datamodel.entities.process

Process Entity class.

class msticpy.datamodel.entities.process.Process(src_entity: Mapping[str, Any] = None, src_event: Mapping[str, Any] = None, role='new', **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

Process Entity class.

ProcessId

Process ProcessId

Type:str
CommandLine

Process CommandLine

Type:str
ElevationToken

Process ElevationToken

Type:str
CreationTimeUtc

Process CreationTimeUtc

Type:datetime
ImageFile

Process ImageFile

Type:File
Account

Process Account

Type:Account
ParentProcess

Process ParentProcess

Type:Process
Host

Process Host

Type:Host
LogonSession

Process LogonSession

Type:HostLogonSession

Create a new instance of the entity type.

Parameters:
  • src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)
  • src_event (Mapping[str, Any], optional) – Create entity from event properties (the default is None)
  • role (str, optional) – ‘new’ or ‘parent’ - only relevant if the entity is being constructed from an event. (the default is ‘new’)
Other Parameters:
 

kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.

ENTITY_NAME_MAP = {'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
ProcessFilePath

Return the name of the process file path.

ProcessName

Return the name of the process file.

add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters:
  • target (Node) – Target node.
  • edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
can_merge(other: Any) → bool

Return True if the entities can be merged.

Parameters:other (Any) – The other entity (object) to check
Returns:True if other has no conflicting properties.
Return type:bool
classmethod create(src_entity: Mapping[str, Any] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns:Instantiated entity
Return type:Entity

Notes

The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.

description_str

Return Entity Description.

classmethod get_pivot_list() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity.
Return type:List[str]
has_edge(other)

Return True if node has an edge with other.

id_properties = []
classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type[CT_co]] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters:
  • raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
  • entity_type (Optional[Type]) – The entity type to create, by default None.
Returns:

The instantiated entity

Return type:

Entity

is_equivalent(other: Any) → bool

Return True if the entities are equivalent.

Parameters:other (Any) – The entity to check
Returns:True if equivalent.
Return type:bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A self.B == “xyz” and other.B == None self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

merge(other: Any) → msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns:Merged entity.
Return type:Entity
Raises:AttributeError – If the entities cannot be merged.
node_properties

Return all public properties that are not entities.

Returns:Dictionary of name, value properties.
Return type:Dict[str, Any]
classmethod pivots() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity.
Return type:List[str]
properties

Return dictionary properties of entity.

Returns:Entity properties.
Return type:dict
to_html() → str

Return HTML representation of entity.

Returns:HTML representation of entity
Return type:str
to_networkx(graph: networkx.classes.graph.Graph = None) → networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters:graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None
Returns:Graph with entity and any connected entities.
Return type:nx.Graph

msticpy.datamodel.entities.registry_key

RegistryValue Entity class.

class msticpy.datamodel.entities.registry_key.RegistryKey(src_entity: Mapping[str, Any] = None, **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

RegistryKey Entity class.

Hive

RegistryKey Hive

Type:RegistryHive
Key

RegistryKey Key

Type:str

Create a new instance of the entity type.

Parameters:src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)
Other Parameters:
 kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.
ENTITY_NAME_MAP = {'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters:
  • target (Node) – Target node.
  • edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
can_merge(other: Any) → bool

Return True if the entities can be merged.

Parameters:other (Any) – The other entity (object) to check
Returns:True if other has no conflicting properties.
Return type:bool
classmethod create(src_entity: Mapping[str, Any] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns:Instantiated entity
Return type:Entity

Notes

The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.

description_str

Return Entity Description.

classmethod get_pivot_list() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity.
Return type:List[str]
has_edge(other)

Return True if node has an edge with other.

id_properties = []
classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type[CT_co]] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters:
  • raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
  • entity_type (Optional[Type]) – The entity type to create, by default None.
Returns:

The instantiated entity

Return type:

Entity

is_equivalent(other: Any) → bool

Return True if the entities are equivalent.

Parameters:other (Any) – The entity to check
Returns:True if equivalent.
Return type:bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A self.B == “xyz” and other.B == None self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

merge(other: Any) → msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns:Merged entity.
Return type:Entity
Raises:AttributeError – If the entities cannot be merged.
node_properties

Return all public properties that are not entities.

Returns:Dictionary of name, value properties.
Return type:Dict[str, Any]
classmethod pivots() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity.
Return type:List[str]
properties

Return dictionary properties of entity.

Returns:Entity properties.
Return type:dict
to_html() → str

Return HTML representation of entity.

Returns:HTML representation of entity
Return type:str
to_networkx(graph: networkx.classes.graph.Graph = None) → networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters:graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None
Returns:Graph with entity and any connected entities.
Return type:nx.Graph

msticpy.datamodel.entities.registry_value

RegistryValue Entity class.

class msticpy.datamodel.entities.registry_value.RegistryValue(src_entity: Mapping[str, Any] = None, **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

RegistryValue Entity class.

Key

RegistryValue Key

Type:str
Name

RegistryValue Name

Type:str
Value

RegistryValue Value

Type:str
ValueType

RegistryValue ValueType

Type:str

Create a new instance of the entity type.

Parameters:src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)
Other Parameters:
 kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.
ENTITY_NAME_MAP = {'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters:
  • target (Node) – Target node.
  • edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
can_merge(other: Any) → bool

Return True if the entities can be merged.

Parameters:other (Any) – The other entity (object) to check
Returns:True if other has no conflicting properties.
Return type:bool
classmethod create(src_entity: Mapping[str, Any] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns:Instantiated entity
Return type:Entity

Notes

The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.

description_str

Return Entity Description.

classmethod get_pivot_list() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity.
Return type:List[str]
has_edge(other)

Return True if node has an edge with other.

id_properties = []
classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type[CT_co]] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters:
  • raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
  • entity_type (Optional[Type]) – The entity type to create, by default None.
Returns:

The instantiated entity

Return type:

Entity

is_equivalent(other: Any) → bool

Return True if the entities are equivalent.

Parameters:other (Any) – The entity to check
Returns:True if equivalent.
Return type:bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A self.B == “xyz” and other.B == None self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

merge(other: Any) → msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns:Merged entity.
Return type:Entity
Raises:AttributeError – If the entities cannot be merged.
node_properties

Return all public properties that are not entities.

Returns:Dictionary of name, value properties.
Return type:Dict[str, Any]
classmethod pivots() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity.
Return type:List[str]
properties

Return dictionary properties of entity.

Returns:Entity properties.
Return type:dict
to_html() → str

Return HTML representation of entity.

Returns:HTML representation of entity
Return type:str
to_networkx(graph: networkx.classes.graph.Graph = None) → networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters:graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None
Returns:Graph with entity and any connected entities.
Return type:nx.Graph

msticpy.datamodel.entities.security_group

SecurityGroup Entity class.

class msticpy.datamodel.entities.security_group.SecurityGroup(src_entity: Mapping[str, Any] = None, **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

SecurityGroup Entity class.

DistinguishedName

SecurityGroup DistinguishedName

Type:str
SID

SecurityGroup SID

Type:str
ObjectGuid

SecurityGroup ObjectGuid

Type:str

Create a new instance of the entity type.

Parameters:src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)
Other Parameters:
 kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.
ENTITY_NAME_MAP = {'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters:
  • target (Node) – Target node.
  • edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
can_merge(other: Any) → bool

Return True if the entities can be merged.

Parameters:other (Any) – The other entity (object) to check
Returns:True if other has no conflicting properties.
Return type:bool
classmethod create(src_entity: Mapping[str, Any] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns:Instantiated entity
Return type:Entity

Notes

The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.

description_str

Return Entity Description.

classmethod get_pivot_list() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity.
Return type:List[str]
has_edge(other)

Return True if node has an edge with other.

id_properties = []
classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type[CT_co]] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters:
  • raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
  • entity_type (Optional[Type]) – The entity type to create, by default None.
Returns:

The instantiated entity

Return type:

Entity

is_equivalent(other: Any) → bool

Return True if the entities are equivalent.

Parameters:other (Any) – The entity to check
Returns:True if equivalent.
Return type:bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A self.B == “xyz” and other.B == None self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

merge(other: Any) → msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns:Merged entity.
Return type:Entity
Raises:AttributeError – If the entities cannot be merged.
node_properties

Return all public properties that are not entities.

Returns:Dictionary of name, value properties.
Return type:Dict[str, Any]
classmethod pivots() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity.
Return type:List[str]
properties

Return dictionary properties of entity.

Returns:Entity properties.
Return type:dict
to_html() → str

Return HTML representation of entity.

Returns:HTML representation of entity
Return type:str
to_networkx(graph: networkx.classes.graph.Graph = None) → networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters:graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None
Returns:Graph with entity and any connected entities.
Return type:nx.Graph

msticpy.datamodel.entities.threat_intelligence

Threatintelligence Entity class.

class msticpy.datamodel.entities.threat_intelligence.Threatintelligence(src_entity: Mapping[str, Any] = None, **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

Threatintelligence Entity class.

ProviderName

Threatintelligence ProviderName

Type:str
ThreatType

Threatintelligence ThreatType

Type:str
ThreatName

Threatintelligence ThreatName

Type:str
Confidence

Threatintelligence Confidence

Type:str

Threatintelligence ReportLink

Type:str
ThreatDescription

Threatintelligence ThreatDescription

Type:str

Create a new instance of the entity type.

param src_entity:
 instantiate entity using properties of src entity
param kwargs:key-value pair representation of entity
ENTITY_NAME_MAP = {'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters:
  • target (Node) – Target node.
  • edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
can_merge(other: Any) → bool

Return True if the entities can be merged.

Parameters:other (Any) – The other entity (object) to check
Returns:True if other has no conflicting properties.
Return type:bool
classmethod create(src_entity: Mapping[str, Any] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns:Instantiated entity
Return type:Entity

Notes

The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.

description_str

Return Entity Description.

classmethod get_pivot_list() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity.
Return type:List[str]
has_edge(other)

Return True if node has an edge with other.

id_properties = []
classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type[CT_co]] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters:
  • raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
  • entity_type (Optional[Type]) – The entity type to create, by default None.
Returns:

The instantiated entity

Return type:

Entity

is_equivalent(other: Any) → bool

Return True if the entities are equivalent.

Parameters:other (Any) – The entity to check
Returns:True if equivalent.
Return type:bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A self.B == “xyz” and other.B == None self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

merge(other: Any) → msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns:Merged entity.
Return type:Entity
Raises:AttributeError – If the entities cannot be merged.
node_properties

Return all public properties that are not entities.

Returns:Dictionary of name, value properties.
Return type:Dict[str, Any]
classmethod pivots() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity.
Return type:List[str]
properties

Return dictionary properties of entity.

Returns:Entity properties.
Return type:dict
to_html() → str

Return HTML representation of entity.

Returns:HTML representation of entity
Return type:str
to_networkx(graph: networkx.classes.graph.Graph = None) → networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters:graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None
Returns:Graph with entity and any connected entities.
Return type:nx.Graph

msticpy.datamodel.entities.unknown_entity

Threatintelligence Entity class.

class msticpy.datamodel.entities.unknown_entity.UnknownEntity(src_entity: Mapping[str, Any] = None, **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

Generic Entity class.

Create a new instance of the entity type.

param src_entity:
 instantiate entity using properties of src entity
param kwargs:key-value pair representation of entity
ENTITY_NAME_MAP = {'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters:
  • target (Node) – Target node.
  • edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
can_merge(other: Any) → bool

Return True if the entities can be merged.

Parameters:other (Any) – The other entity (object) to check
Returns:True if other has no conflicting properties.
Return type:bool
classmethod create(src_entity: Mapping[str, Any] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns:Instantiated entity
Return type:Entity

Notes

The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.

description_str

Return Entity Description.

classmethod get_pivot_list() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity.
Return type:List[str]
has_edge(other)

Return True if node has an edge with other.

id_properties = []
classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type[CT_co]] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters:
  • raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
  • entity_type (Optional[Type]) – The entity type to create, by default None.
Returns:

The instantiated entity

Return type:

Entity

is_equivalent(other: Any) → bool

Return True if the entities are equivalent.

Parameters:other (Any) – The entity to check
Returns:True if equivalent.
Return type:bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A self.B == “xyz” and other.B == None self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

merge(other: Any) → msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns:Merged entity.
Return type:Entity
Raises:AttributeError – If the entities cannot be merged.
node_properties

Return all public properties that are not entities.

Returns:Dictionary of name, value properties.
Return type:Dict[str, Any]
classmethod pivots() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity.
Return type:List[str]
properties

Return dictionary properties of entity.

Returns:Entity properties.
Return type:dict
to_html() → str

Return HTML representation of entity.

Returns:HTML representation of entity
Return type:str
to_networkx(graph: networkx.classes.graph.Graph = None) → networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters:graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None
Returns:Graph with entity and any connected entities.
Return type:nx.Graph

msticpy.datamodel.entities.url

Url Entity class.

class msticpy.datamodel.entities.url.Url(src_entity: Mapping[str, Any] = None, **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

URL Entity.

Create a new instance of the entity type.

param src_entity:
 instantiate entity using properties of src entity
param kwargs:key-value pair representation of entity
ENTITY_NAME_MAP = {'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters:
  • target (Node) – Target node.
  • edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
can_merge(other: Any) → bool

Return True if the entities can be merged.

Parameters:other (Any) – The other entity (object) to check
Returns:True if other has no conflicting properties.
Return type:bool
classmethod create(src_entity: Mapping[str, Any] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns:Instantiated entity
Return type:Entity

Notes

The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.

description_str

Return Entity Description.

classmethod get_pivot_list() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity.
Return type:List[str]
has_edge(other)

Return True if node has an edge with other.

id_properties = []
classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type[CT_co]] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters:
  • raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
  • entity_type (Optional[Type]) – The entity type to create, by default None.
Returns:

The instantiated entity

Return type:

Entity

is_equivalent(other: Any) → bool

Return True if the entities are equivalent.

Parameters:other (Any) – The entity to check
Returns:True if equivalent.
Return type:bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A self.B == “xyz” and other.B == None self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

merge(other: Any) → msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns:Merged entity.
Return type:Entity
Raises:AttributeError – If the entities cannot be merged.
node_properties

Return all public properties that are not entities.

Returns:Dictionary of name, value properties.
Return type:Dict[str, Any]
classmethod pivots() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity.
Return type:List[str]
properties

Return dictionary properties of entity.

Returns:Entity properties.
Return type:dict
to_html() → str

Return HTML representation of entity.

Returns:HTML representation of entity
Return type:str
to_networkx(graph: networkx.classes.graph.Graph = None) → networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters:graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None
Returns:Graph with entity and any connected entities.
Return type:nx.Graph

msticpy.datamodel.pivot

Pivot functions main module.

class msticpy.datamodel.pivot.Pivot(namespace: Dict[str, Any] = None, providers: Iterable[Any] = None, timespan: Optional[msticpy.common.timespan.TimeSpan] = None)

Bases: object

Pivot environment loader.

Instantiate a Pivot environment.

Parameters:
  • namespace (Dict[str, Any], optional) – To search for and use any current providers, specify namespace=globals(), by default None
  • providers (Iterable[Any], optional) – A list of query providers, TILookup or other providers to use (these will override providers of the same type read from namespace), by default None
  • timespan (Optional[TimeSpan], optional) – The default timespan used by providers that require start and end times. By default the time range is initialized to be 24 hours prior to the load time.
static add_pivot_function(func: Callable[[Any], Any], pivot_reg: Optional[msticpy.datamodel.pivot_register.PivotRegistration] = None, container: str = 'other', **kwargs)

Add a pivot function to entities.

Parameters:
  • func (Callable[[Any], Any]) – The function to add
  • pivot_reg (PivotRegistration, optional) – Pivot registration object, by default None
  • container (str, optional) – The name of the container into which the function should be added, by default “other”
Other Parameters:
 

kwargs – If pivot_reg is not supplied you can specify required pivot registration parameters via keyword arguments. You must specify input_type (str) and entity_map (dict of entity_name, entity_attribute pairs)

See also

PivotRegistration()

add_query_provider(prov: msticpy.data.data_providers.QueryProvider)

Add pivot functions from provider.

Parameters:prov (QueryProvider) – Query provider.
static browse()

Return PivotBrowser.

current = None
edit_query_time(timespan: Optional[msticpy.common.timespan.TimeSpan] = None)

Display a QueryTime widget to get the timespan.

Parameters:timespan (Optional[TimeSpan], optional) – Pre-populate the timespan shown by the QueryTime editor, by default None
end

Return current end time for queries.

get_provider(name: str) → Any

Get a provider by type name.

Parameters:name (str) – The name of the provider type.
Returns:An instance of the provider or None if the Pivot environment does not have one.
Return type:Any
get_timespan() → msticpy.common.timespan.TimeSpan

Return the timespan as a TimeSpan object.

providers

Return the current set of loaded providers.

Returns:provider_name, provider_instance
Return type:Dict[str, Any]
static register_pivot_providers(pivot_reg_path: str, namespace: Dict[str, Any] = None, def_container: str = 'custom', force_container: bool = False)

Register pivot functions from configuration file.

Parameters:
  • pivot_reg_path (str) – Path to config yaml file
  • namespace (Dict[str, Any], optional) – Namespace to search for existing instances of classes, by default None
  • def_container (str, optional) – Container name to use for entity pivot functions, by default “other”
  • force_container (bool, optional) – Force container value to be used even if entity definitions have specific setting for a container name, by default False
Raises:

ValueError – An entity specified in the config file is not recognized.

set_timespan(value: Optional[Any] = None, **kwargs)

Set the pivot timespan.

Parameters:value (Optional[Any], optional) – Timespan object or something convertible to a TimeSpan, by default None
Other Parameters:
 kwargs – Key/value arguments passed to Timespan constructor.
start

Return current start time for queries.

timespan

Return the current timespan.

Returns:The current timespan
Return type:TimeSpan

msticpy.datamodel.pivot_data_queries

Pivot query functions class.

class msticpy.datamodel.pivot_data_queries.ParamAttrs(type, query, family, required)

Bases: tuple

Create new instance of ParamAttrs(type, query, family, required)

count()

Return number of occurrences of value.

family

Alias for field number 2

index()

Return first index of value.

Raises ValueError if the value is not present.

query

Alias for field number 1

required

Alias for field number 3

type

Alias for field number 0

class msticpy.datamodel.pivot_data_queries.PivotQueryFunctions(query_provider: msticpy.data.data_providers.QueryProvider, ignore_reqd: List[str] = None)

Bases: object

Class to retrieve the queries and params from a provider.

Instantiate PivotQueryFunctions class.

Parameters:
  • query_provider ([type]) – The query provider to load
  • ignore_reqd (List[str], optional) – List of parameters to ignore when building the required parameters list (e.g. [‘start’, ‘end’]), by default None
current = None
get_param_attrs(param_name: str) → List[msticpy.datamodel.pivot_data_queries.ParamAttrs]

Get the attributes for a parameter name.

Parameters:param_name (str) – Parameter name
Returns:List of ParamAttrs named tuples: (type, query, family, required)
Return type:List[ParamAttrs]

Notes

Since parameters may be defined for multiple queries, the set of parameter attributes will be returned for each query.

get_params(query_func_name: str) → Optional[msticpy.datamodel.pivot_data_queries.QueryParams]

Get the parameters for a query function.

Parameters:query_func_name (str) – Query name - the name must be fully-qualified (e.g. ‘WindowsSecurity.list_processes’)
Returns:QueryParams named tuple (all, required, full_required, param_attrs, table)
Return type:QueryParams
get_queries_and_types_for_param(param: str) → Iterable[Tuple[str, str, str, Callable[[Any], Any]]]

Get queries and parameter data types for param.

Parameters:param (str) – The parameter name.
Returns:Iterable of tuples listing: query_name, param_type, query_func
Return type:Iterable[Tuple[str, str, Callable[[Any], Any]]]
get_queries_for_param(param: str) → Iterable[Tuple[str, str, Callable[[Any], Any]]]

Get the list of queries for a parameter.

Parameters:param (str) – Parameter name
Returns:Iterable of tuples listing: query_name, query_func
Return type:Iterable[Tuple[str, str, Callable[[Any], Any]]]
class msticpy.datamodel.pivot_data_queries.QueryParams(all, required, full_required, param_attrs, table)

Bases: tuple

Create new instance of QueryParams(all, required, full_required, param_attrs, table)

all

Alias for field number 0

count()

Return number of occurrences of value.

full_required

Alias for field number 2

index()

Return first index of value.

Raises ValueError if the value is not present.

param_attrs

Alias for field number 3

required

Alias for field number 1

table

Alias for field number 4

msticpy.datamodel.pivot_data_queries.add_data_queries_to_entities(provider: msticpy.data.data_providers.QueryProvider, get_timespan: Callable[[], msticpy.common.timespan.TimeSpan])

Add data queries from provider to entities.

Parameters:
  • provider (QueryProvider) – Query provider
  • get_timespan (Callable[[], TimeSpan]) – Callback to get time span
msticpy.datamodel.pivot_data_queries.add_queries_to_entities(prov_qry_funcs: msticpy.datamodel.pivot_data_queries.PivotQueryFunctions, container: str, get_timespan: Callable[[], msticpy.common.timespan.TimeSpan])

Add data queries to entities.

Parameters:
  • prov_qry_funcs (PivotQueryFunctions) – Collection of wrapped query functions
  • container (str) – The name of the container to add query functions to
  • get_timespan (Callable[[], TimeSpan]) – Function to get the current timespan.

msticpy.datamodel.pivot_magic_core

Txt2df core code.

msticpy.datamodel.pivot_magic_core.run_txt2df(line, cell, local_ns) → pandas.core.frame.DataFrame

Convert cell text to pandas DataFrame.

msticpy.datamodel.pivot_register

Pivot helper functions .

class msticpy.datamodel.pivot_register.PivotRegistration(input_type: str, entity_map: Dict[str, str], func_df_param_name: Optional[str] = None, func_out_column_name: Optional[str] = None, func_df_col_param_name: Optional[str] = None, func_new_name: Optional[str] = None, src_module: Optional[str] = None, src_class: Optional[str] = None, src_func_name: Optional[str] = None, can_iterate: bool = True, func_static_params: Optional[Dict[str, Any]] = None, func_input_value_arg: Optional[str] = None, src_config_path: Optional[str] = None, src_config_entry: Optional[str] = None, entity_container_name: Optional[str] = None, return_raw_output: bool = False)

Bases: object

Pivot registration for function.

Notes

src_module : str
The src_module to import
src_class : str, optional
class to import and instantiate that contains the function/method (not needed if the target function is a pure Python function)
src_func_name: Callable
The function to wrap.
func_new_name: str, optional
Rename the function to this, defaults to src_func_name
input_type : str
The input data type that the function is expecting. One of ‘dataframe’, ‘iterable’, ‘value’
can_iterate: bool, optional
True if the function supports being called multiple times (for iterable input). Default is True
entity_map: Dict[str, str]
dict of entities supported (keys) and attribute to use from entity as input to the function
func_df_param_name: str
The name of the parameter that func takes the input value e.g. func(ip=my_address) => ‘ip’ == func_df_col_param_name. In the case of a DataFrame, this is usually ‘data’
func_df_col_param_name: str
The name that the target function uses to identify the column to use for input in the input DataFrame.
func_out_column_name: str, optional
The name of the column in the output DF to use as a key to join to the input. If None, use func_df_col_param_name
func_static_params: Optional[Dict[str, Any]]
static parameters (kwargs) that are always passed to the target function
func_input_value_arg: Optional[str]
The name of kwarg passed to the function that contain the input value. If function supports DF input, func_df_col_param_name will be used and this is not needed.
src_config_path : Optional[str]
The source path that the configuration was read from, default None.
src_config_entry : Optional[str]
The entry name in the configuration file, default None.
entity_container_name : Optional[str]
The name of the container in the entity that will hold this pivot function.
return_raw_output : bool
Return raw output from the wrapped function, do not try to format into a DataFrame. Default is False.

Method generated by attrs for class PivotRegistration.

attr_for_entity(entity: Union[msticpy.datamodel.entities.entity.Entity, str]) → Optional[str]

Return the attribute to use for the specified entity.

Parameters:entity (Union[entities.Entity, str]) – Entity instance or name
Returns:Attribute name to use.
Return type:Optional[str]
msticpy.datamodel.pivot_register.create_pivot_func(target_func: Callable[[Any], Any], pivot_reg: msticpy.datamodel.pivot_register.PivotRegistration) → Callable[[...], pandas.core.frame.DataFrame]

Create function wrapper for pivot function.

Parameters:
  • target_func (Callable) – The target function to wrap.
  • pivot_reg (PivotRegistration) – The pivot function registration object.
Returns:

The original target_func wrapped in pre-processing and post-processing code.

Return type:

Callable[[Any], pd.DataFrame]

msticpy.datamodel.pivot_register_reader

Reads pivot registration config files.

msticpy.datamodel.pivot_register_reader.add_unbound_pivot_function(func: Callable[[Any], Any], pivot_reg: msticpy.datamodel.pivot_register.PivotRegistration = None, container: str = 'other', **kwargs)

Add a pivot function to entities.

Parameters:
  • func (Callable[[Any], Any]) – The function to add
  • pivot_reg (PivotRegistration, optional) – Pivot registration object, by default None
  • container (str, optional) – The name of the container into which the function should be added, by default “other”
Other Parameters:
 

kwargs – If pivot_reg is not supplied you can specify required pivot registration parameters via keyword arguments. You must specify input_type (str) and entity_map (dict of entity_name, entity_attribute pairs)

See also

PivotRegistration()

msticpy.datamodel.pivot_register_reader.register_pivots(file_path: str, namespace: Dict[str, Any] = None, container: str = 'other', force_container: bool = False, **kwargs)

Register pivot functions from configuration file.

Parameters:
  • file_path (str) – Path to config yaml file
  • namespace (Dict[str, Any], optional) – Namespace to search for existing instances of classes, by default None
  • container (str, optional) – Container name to use for entity pivot functions, by default “other”
  • force_container (bool, optional) – Force container value to be used even if entity definitions have specific setting for a container name, by default False
Raises:

ValueError – An entity specified in the config file is not recognized.

msticpy.datamodel.pivot_ti_provider

Pivot TI Provider helper functions.

msticpy.datamodel.pivot_ti_provider.add_ioc_queries_to_entities(ti_lookup: msticpy.sectools.tilookup.TILookup, container: str = 'ti', **kwargs)

Add TI functions to entities.

Parameters:
  • ti_lookup (TILookup) – TILookup instance.
  • container (str) – The name of the container to add query functions to
msticpy.datamodel.pivot_ti_provider.create_ti_pivot_funcs(ti_lookup: msticpy.sectools.tilookup.TILookup)

Create the TI Pivot functions.

msticpy.datamodel.pivot_pd_accessor

Pandas DataFrame accessor for Pivot functions.

class msticpy.datamodel.pivot_pd_accessor.PivotAccessor(pandas_obj)

Bases: object

Pandas api extension for Pivot functions.

Instantiate pivot extension class.

display(title: str = None, cols: Iterable[str] = None, query: str = None, head: int = None) → pandas.core.frame.DataFrame

Display the DataFrame in the middle of a pipeline.

Parameters:
  • title (str, optional) – Title to display for the DataFrame, by default None
  • cols (Iterable[str], optional) – List of columns to display, by default None
  • query (str, optional) – Query to filter the displayed data, by default None This should be a string executable by the DataFrame.query function
  • head (int, optional) – Limit the displayed output to head rows, by default None
Returns:

Passed through input DataFrame.

Return type:

pd.DataFrame

run(func: Callable[[...], pandas.core.frame.DataFrame], **kwargs) → pandas.core.frame.DataFrame

Run a pivot function on the current DataFrame.

Parameters:
  • func (Callable[.., pd.DataFrame]) – Pivot function to run
  • kwargs – Keyword arguments to pass to func. A column specification (e.g. column=”src_col_name”) is usually the minimum needed. For data queries the column keyword must be the name of the the query parameter (e.g. host_name = “src_col_name”)
Returns:

The output DataFrame from the function.

Return type:

pd.DataFrame

Notes

You can pass the join keyword argument to most pivot functions. Values for join are “inner”, “left”, “right” or “outer”.

tee(var_name: str, clobber: bool = False) → pandas.core.frame.DataFrame

Save current dataframe to var_name in the IPython user namespace.

Parameters:
  • var_name (str) – The name of the DF variable to create.
  • clobber (bool, optional) – Whether to overwrite an existing variable of the same name, by default False
Returns:

Passed through input DataFrame.

Return type:

pd.DataFrame

Notes

This function only works in an IPython/Jupyter notebook environment. It will attempt to create a variable in the user local namespace that references the current state of the DataFrame in the pipeline.

By default it will not overwrite an existing variable of the same name (specify clobber=True to overwrite)

tee_exec(df_func: str, *args, **kwargs) → pandas.core.frame.DataFrame

Run the dataframe method or accessor function on the dataframe.

Parameters:
  • df_func (str) – The name of the function to execute. Accessor methods must be of the form “accessor.method”.
  • args (tuple) – Positional arguments to be passed to the function
  • kwargs (dict) – Keyword arguments to be passed to the function.
Returns:

Passed through input DataFrame.

Return type:

pd.DataFrame

Notes

This function runs the DataFrame method or accessor function. It does not alter the DataFrame (unless the function does any kind of in-place modification). The function is run and the original input DataFrame is returned.