msticpy.context.preprocess_observable module

Module for TILookup classes.

Input can be a single IoC observable or a pandas DataFrame containing multiple observables. Processing may require a an API key and processing performance may be limited to a specific number of requests per minute for the account type that you have.

class msticpy.context.preprocess_observable.PreProcessor

Bases: object

Observable pre-processing class.

Initialize the processor dictionary.

add_check(value_type, checker)

Add a new checker to the processors.

Parameters:
Return type:

None

check(value, value_type, *, require_url_encoding=False)

Apply processing checks to the input value.

Parameters:

  • value (str) – The value to be checked.

  • value_type (str) – The type of value to be checked.

  • require_url_encoding (bool, Optional) – If true, apply URL encoding. Only applicable for URL observables.* Defaults to False.

  • self (Self)

Returns:

Named tuple with two members:

  1. observable - with the pre-processed result, This is set to None if a check fails.

  2. status - this is set to “ok” if the checks completed. Otherwise, it has an error message.

Return type:

SanitizedObservable

property processors: dict[str, list[str | Callable[[...], SanitizedObservable]]]

Return _processors value.

msticpy.context.preprocess_observable.get_schema_and_host(url, *, require_url_encoding=False)

Return URL scheme and host and cleaned URL.

Parameters:

  • url (str) – Input URL

  • require_url_encoding (bool) – Set to True if url needs encoding. Default is False.

Returns:

tuple of URL, scheme, host

Return type:

tuple[Optional[str], Optional[str], Optional[str]

msticpy.context.preprocess_observable.preprocess_observable(observable, ioc_type, *, require_url_encoding=False)

Preprocess and check validity of observable against declared IoC type.

Parameters:

  • observable (_type_) – the value of the observable

  • ioc_type (_type_) – The type of observable

  • require_url_encoding (bool, optional) – If the observable needs URL-encoding (URL types only), by default False

Returns:

Named tuple with two members:

  1. observable - with the pre-processed result,

    This is set to None if a check fails.

  2. status - this is set to “ok” if the checks completed.

    Otherwise, it has an error message.

Return type:

SanitizedObservable