msticpy.data.drivers.cybereason_driver module

Cybereason Driver class.

class msticpy.data.drivers.cybereason_driver.CybereasonDriver(*, timeout=None, max_results=1000, debug=False, **kwargs)

Bases: DriverBase

Class to interact with Cybereason.

Instantiate Cybereason driver.

Parameters:

  • timeout (int | None) – Query timeout in seconds. Defaults to None

  • max_results (int) – Number of total results to return. Defaults to 1000 Max is 10,000.

  • debug (bool) – Set to true to display debug logs. Default to False

CONFIG_NAME: ClassVar[str] = 'Cybereason'
add_query_filter(name, query_filter)

Add an expression to the query attach filter.

Parameters:

  • name (str)

  • query_filter (str | Iterable)

connect(connection_str=None, *, instance=None, **kwargs)

Connect to data source.

Parameters:

  • connection_str (Optional[str], optional) – Connect to a data source

  • instance (Optional[str], optional) – Optional name of configuration instance - this is added as a prefix to the driver configuration key name when searching for configuration in the msticpyconfig.yaml

  • kwargs – Extra parameters to connect.

  • self (Self)

Raises:
Return type:

None

Notes

Connection string fields:

instance client_id client_secret

property connected: bool

Return true if at least one connection has been made.

Returns:

True if a successful connection has been made.

Return type:

bool

Notes

This does not guarantee that the last data source connection was successful. It is a best effort to track whether the provider has made at least one successful authentication.

property driver_queries: Iterable[dict[str, Any]]

Return queries retrieved from the service after connecting.

Returns:

List of Dictionary of query_name, query_text. Name of container to add queries to.

Return type:

List[Dict[str, str]]

get_driver_property(name)

Return value or KeyError from driver properties.

Parameters:

name (str)

Return type:

Any

static get_http_timeout(**kwargs)

Get http timeout from settings or kwargs.

property instance: str | None

Return instance name, if one is set.

Returns:

The name of driver instance or None if the driver does not support multiple instances

Return type:

Optional[str]

property loaded: bool

Return true if the provider is loaded.

Returns:

True if the provider is loaded.

Return type:

bool

Notes

This is not relevant for some providers.

query(query, query_source=None, *, page_size=100, timeout=None, retry_on_error=False, progress=True, max_retry=3, **__)

Execute query string and return DataFrame of results.

Parameters:

  • query (str) – The query to execute

  • query_source (QuerySource) – The query definition object

  • page_size (int) – Number of results to return per page. Defaults to 100

  • timeout (float | None) – Number of seconds for HTTP requests to timeout. Defaults to None

  • retry_on_error (bool) – True if threaded queries should be tried again. Defaults to False

  • progress (bool) – True if progress bar should be displayed. Defaults to True

  • max_retry (int) – Number of retries to do. Defaults to 3

  • self (Self)

Returns:

A DataFrame (if successfull) or the underlying provider result if an error.

Return type:

Union[pd.DataFrame, Any]

property query_attach_spec: dict[str, set[str]]

Parameters that determine whether a query is relevant for the driver.

query_usable(query_source)

Return True if query should be exposed for this driver.

Parameters:

query_source (QuerySource)

Return type:

bool

query_with_results(query, **__)

Execute query string and return DataFrame of results.

Parameters:

  • query (str) – The kql query to execute

  • self (Self)

Return type:

tuple[DataFrame, Any]

property schema: dict[str, dict]

Return current data schema of connection.

Returns:

Data schema of current connection.

Return type:

Dict[str, Dict]

property service_queries: tuple[dict[str, str], str]

Return queries retrieved from the service after connecting.

Returns:

Dictionary of query_name, query_text. Name of container to add queries to.

Return type:

Tuple[Dict[str, str], str]

set_driver_property(name, value)

Set an item in driver properties.

Parameters:

  • name (str)

  • value (Any)