msticpy.datamodel package

msticpy.datamodel.entities module

msticpy.datamodel.entities.account

Account Entity class.

class msticpy.datamodel.entities.account.Account(src_entity: Mapping[str, Any] = None, src_event: Mapping[str, Any] = None, role: str = 'subject', **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

Account Entity class.

Name

Account Name

Type:str

NTDomain

Account NTDomain

Type:str

UPNSuffix

Account UPNSuffix

Type:str

Host

Account Host

Type:Host

LogonId

Account LogonId (deprecated)

Type:str

Sid

Account Sid

Type:str

AadTenantId

Account AadTenantId

Type:str

AadUserId

Account AadUserId

Type:str

PUID

Account PUID

Type:str

IsDomainJoined

Account IsDomainJoined

Type:bool

DisplayName

Account DisplayName

Type:str

ObjectGuid

The object ID of the user account

Type:str

Create a new instance of the entity type.

Parameters:

• src_entity (Mapping[str, Any], optional) – Create entity from existing Account entity or other mapping object that implements entity properties. (the default is None)
• src_event (Mapping[str, Any], optional) – Create entity from event properties (the default is None)
• role (str, optional) – ‘subject’ or ‘target’ - only relevant if the entity is being constructed from an event. (the default is ‘subject’)

Other Parameters:  

kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.

ENTITY_NAME_MAP = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}

ID_PROPERTIES = ['QualifiedName', 'Sid', 'AadUserId', 'PUID', 'ObjectGuid']

JSONEncoder

alias of msticpy.datamodel.entities.entity._EntityJSONEncoder

add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters:

• target (Node) – Target node.
• edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None

can_merge(other: Any) → bool

Return True if the entities can be merged.

Parameters:other (Any) – The other entity (object) to check Returns:True if other has no conflicting properties. Return type:bool

classmethod create(src_entity: Mapping[str, Any] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns:Instantiated entity Return type:Entity

Notes

The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.

classmethod del_pivot_shortcut(func_name: str)

Remove a pivot shortcut.

Parameters:

func_name (str) – The name of the shortcut function.

Raises:

• AttributeError – The class does not have an attribute func_name
• TypeError – The attribute to delete is not a pivot shortcut.

description_str

Return Entity Description.

classmethod get_pivot_list() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity. Return type:List[str]

has_edge(other)

Return True if node has an edge with other.

classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type[CT_co]] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters:

• raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
• entity_type (Optional[Type]) – The entity type to create, by default None.

Returns:

The instantiated entity

Return type:

Entity

is_equivalent(other: Any) → bool

Return True if the entities are equivalent.

Parameters:other (Any) – The entity to check Returns:True if equivalent. Return type:bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A self.B == “xyz” and other.B == None self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)

Add a shortcut to a pivot function to the class.

Parameters:

• func_name (str) – The name of source pivot function.
• target (str) – The shortcut name (this will be a member function of the class)
• overwrite (bool, optional) – Force overwrite an existing pivot function, by default False

Raises:

• AttributeError – The source function does not exist
• TypeError – The source function is not a pivot function.
• TypeError – The target attribute exists and is not a pivot function
• AttributeError – The target function exists and ‘overwrite=True’ was not specified.

merge(other: Any) → msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns:Merged entity. Return type:Entity Raises:AttributeError – If the entities cannot be merged.

name_str

Return Entity Name.

node_properties

Return all public properties that are not entities.

Returns:Dictionary of name, value properties. Return type:Dict[str, Any]

classmethod pivots() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity. Return type:List[str]

properties

Return dictionary properties of entity.

Returns:Entity properties. Return type:dict

qualified_name

Windows qualified account name.

to_html() → str

Return HTML representation of entity.

Returns:HTML representation of entity Return type:str

to_json()

Return object as a JSON string.

to_networkx(graph: networkx.classes.graph.Graph = None) → networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters:graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None Returns:Graph with entity and any connected entities. Return type:nx.Graph

msticpy.datamodel.entities.alert

Alert Entity class.

class msticpy.datamodel.entities.alert.Alert(src_entity: Mapping[str, Any] = None, src_event: Mapping[str, Any] = None, **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

Alert Entity class.

DisplayName

Alert DisplayName

Type:str

CompromisedEntity

Alert CompromisedEntity

Type:str

Count

Alert Count

Type:int

StartTime

Alert StartTime

Type:datetime

EndTime

Alert EndTime

Type:datetime

Severity

Alert Severity

Type:str

SystemAlertIds

Alert SystemAlertIds

Type:List[str]

AlertType

Alert AlertType

Type:str

VendorName

Alert VendorName

Type:str

ProviderName

Alert ProviderName

Type:str

Create a new instance of the entity type.

Parameters:

• src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)
• src_event (Mapping[str, Any], optional) – Create entity from event properties (the default is None)

Other Parameters:  

kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.

ENTITY_NAME_MAP = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}

ID_PROPERTIES = ['SystemAlertIds']

JSONEncoder

alias of msticpy.datamodel.entities.entity._EntityJSONEncoder

add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters:

• target (Node) – Target node.
• edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None

can_merge(other: Any) → bool

Return True if the entities can be merged.

Parameters:other (Any) – The other entity (object) to check Returns:True if other has no conflicting properties. Return type:bool

classmethod create(src_entity: Mapping[str, Any] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns:Instantiated entity Return type:Entity

Notes

The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.

classmethod del_pivot_shortcut(func_name: str)

Remove a pivot shortcut.

Parameters:

func_name (str) – The name of the shortcut function.

Raises:

• AttributeError – The class does not have an attribute func_name
• TypeError – The attribute to delete is not a pivot shortcut.

description_str

Return Entity Description.

classmethod get_pivot_list() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity. Return type:List[str]

has_edge(other)

Return True if node has an edge with other.

classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type[CT_co]] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters:

• raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
• entity_type (Optional[Type]) – The entity type to create, by default None.

Returns:

The instantiated entity

Return type:

Entity

is_equivalent(other: Any) → bool

Return True if the entities are equivalent.

Parameters:other (Any) – The entity to check Returns:True if equivalent. Return type:bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A self.B == “xyz” and other.B == None self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)

Add a shortcut to a pivot function to the class.

Parameters:

• func_name (str) – The name of source pivot function.
• target (str) – The shortcut name (this will be a member function of the class)
• overwrite (bool, optional) – Force overwrite an existing pivot function, by default False

Raises:

• AttributeError – The source function does not exist
• TypeError – The source function is not a pivot function.
• TypeError – The target attribute exists and is not a pivot function
• AttributeError – The target function exists and ‘overwrite=True’ was not specified.

merge(other: Any) → msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns:Merged entity. Return type:Entity Raises:AttributeError – If the entities cannot be merged.

name_str

Return Entity Name.

node_properties

Return all public properties that are not entities.

Returns:Dictionary of name, value properties. Return type:Dict[str, Any]

classmethod pivots() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity. Return type:List[str]

properties

Return dictionary properties of entity.

Returns:Entity properties. Return type:dict

to_html(show_entities=False) → str

Return the item as HTML string.

to_json()

Return object as a JSON string.

to_networkx(graph: networkx.classes.graph.Graph = None) → networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters:graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None Returns:Graph with entity and any connected entities. Return type:nx.Graph

msticpy.datamodel.entities.azure_resource

AzureResource Entity class.

class msticpy.datamodel.entities.azure_resource.AzureResource(src_entity: Mapping[str, Any] = None, **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

AzureResource Entity class.

ResourceId

AzureResource ResourceId

Type:str

ResourceIdParts

AzureResource ResourceIdParts

Type:Dict[str, str]

Create a new instance of the entity type.

Parameters:src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None) Other Parameters:  kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.

ENTITY_NAME_MAP = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}

ID_PROPERTIES = ['ResourceId']

JSONEncoder

alias of msticpy.datamodel.entities.entity._EntityJSONEncoder

Provider

Return the Provider name or None.

ResourceGroup

Return the ResourceGroup name or None.

SubscriptionId

Return the subscription Id or None.

add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters:

• target (Node) – Target node.
• edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None

can_merge(other: Any) → bool

Return True if the entities can be merged.

Parameters:other (Any) – The other entity (object) to check Returns:True if other has no conflicting properties. Return type:bool

classmethod create(src_entity: Mapping[str, Any] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns:Instantiated entity Return type:Entity

Notes

The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.

classmethod del_pivot_shortcut(func_name: str)

Remove a pivot shortcut.

Parameters:

func_name (str) – The name of the shortcut function.

Raises:

• AttributeError – The class does not have an attribute func_name
• TypeError – The attribute to delete is not a pivot shortcut.

description_str

Return Entity Description.

classmethod get_pivot_list() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity. Return type:List[str]

has_edge(other)

Return True if node has an edge with other.

classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type[CT_co]] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters:

• raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
• entity_type (Optional[Type]) – The entity type to create, by default None.

Returns:

The instantiated entity

Return type:

Entity

is_equivalent(other: Any) → bool

Return True if the entities are equivalent.

Parameters:other (Any) – The entity to check Returns:True if equivalent. Return type:bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A self.B == “xyz” and other.B == None self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)

Add a shortcut to a pivot function to the class.

Parameters:

• func_name (str) – The name of source pivot function.
• target (str) – The shortcut name (this will be a member function of the class)
• overwrite (bool, optional) – Force overwrite an existing pivot function, by default False

Raises:

• AttributeError – The source function does not exist
• TypeError – The source function is not a pivot function.
• TypeError – The target attribute exists and is not a pivot function
• AttributeError – The target function exists and ‘overwrite=True’ was not specified.

merge(other: Any) → msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns:Merged entity. Return type:Entity Raises:AttributeError – If the entities cannot be merged.

name_str

Return Entity Name.

node_properties

Return all public properties that are not entities.

Returns:Dictionary of name, value properties. Return type:Dict[str, Any]

classmethod pivots() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity. Return type:List[str]

properties

Return dictionary properties of entity.

Returns:Entity properties. Return type:dict

to_html() → str

Return HTML representation of entity.

Returns:HTML representation of entity Return type:str

to_json()

Return object as a JSON string.

to_networkx(graph: networkx.classes.graph.Graph = None) → networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters:graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None Returns:Graph with entity and any connected entities. Return type:nx.Graph

msticpy.datamodel.entities.cloud_application

CloudApplication Entity class.

class msticpy.datamodel.entities.cloud_application.CloudApplication(src_entity: Mapping[str, Any] = None, **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

CloudApplication Entity class.

Name

CloudApplication Name

Type:str

AppId

The AppId of the cloud application

Type:str

InstanceName

The instance name of the application

Type:str

Create a new instance of the entity type.

Parameters:src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None) Other Parameters:  kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.

ENTITY_NAME_MAP = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}

ID_PROPERTIES = ['Name']

JSONEncoder

alias of msticpy.datamodel.entities.entity._EntityJSONEncoder

add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters:

• target (Node) – Target node.
• edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None

can_merge(other: Any) → bool

Return True if the entities can be merged.

Parameters:other (Any) – The other entity (object) to check Returns:True if other has no conflicting properties. Return type:bool

classmethod create(src_entity: Mapping[str, Any] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns:Instantiated entity Return type:Entity

Notes

The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.

classmethod del_pivot_shortcut(func_name: str)

Remove a pivot shortcut.

Parameters:

func_name (str) – The name of the shortcut function.

Raises:

• AttributeError – The class does not have an attribute func_name
• TypeError – The attribute to delete is not a pivot shortcut.

description_str

Return Entity Description.

classmethod get_pivot_list() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity. Return type:List[str]

has_edge(other)

Return True if node has an edge with other.

classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type[CT_co]] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters:

• raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
• entity_type (Optional[Type]) – The entity type to create, by default None.

Returns:

The instantiated entity

Return type:

Entity

is_equivalent(other: Any) → bool

Return True if the entities are equivalent.

Parameters:other (Any) – The entity to check Returns:True if equivalent. Return type:bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A self.B == “xyz” and other.B == None self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)

Add a shortcut to a pivot function to the class.

Parameters:

• func_name (str) – The name of source pivot function.
• target (str) – The shortcut name (this will be a member function of the class)
• overwrite (bool, optional) – Force overwrite an existing pivot function, by default False

Raises:

• AttributeError – The source function does not exist
• TypeError – The source function is not a pivot function.
• TypeError – The target attribute exists and is not a pivot function
• AttributeError – The target function exists and ‘overwrite=True’ was not specified.

merge(other: Any) → msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns:Merged entity. Return type:Entity Raises:AttributeError – If the entities cannot be merged.

name_str

Return Entity Name.

node_properties

Return all public properties that are not entities.

Returns:Dictionary of name, value properties. Return type:Dict[str, Any]

classmethod pivots() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity. Return type:List[str]

properties

Return dictionary properties of entity.

Returns:Entity properties. Return type:dict

to_html() → str

Return HTML representation of entity.

Returns:HTML representation of entity Return type:str

to_json()

Return object as a JSON string.

to_networkx(graph: networkx.classes.graph.Graph = None) → networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters:graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None Returns:Graph with entity and any connected entities. Return type:nx.Graph

msticpy.datamodel.entities.dns

Dns Entity class.

class msticpy.datamodel.entities.dns.Dns(src_entity: Mapping[str, Any] = None, **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

DNS Resolve Entity class.

DomainName

DnsResolve DomainName

Type:str

IpAdresses

DnsResolve IpAdresses

Type:List[str]

DnsServerIp

DnsResolve DnsServerIp

Type:IPAddress

HostIpAddress

DnsResolve HostIpAddress

Type:IPAddress

Create a new instance of the entity type.

Parameters:src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None) Other Parameters:  kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.

ENTITY_NAME_MAP = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}

ID_PROPERTIES = ['DomainName']

JSONEncoder

alias of msticpy.datamodel.entities.entity._EntityJSONEncoder

add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters:

• target (Node) – Target node.
• edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None

can_merge(other: Any) → bool

Return True if the entities can be merged.

Parameters:other (Any) – The other entity (object) to check Returns:True if other has no conflicting properties. Return type:bool

classmethod create(src_entity: Mapping[str, Any] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns:Instantiated entity Return type:Entity

Notes

The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.

classmethod del_pivot_shortcut(func_name: str)

Remove a pivot shortcut.

Parameters:

func_name (str) – The name of the shortcut function.

Raises:

• AttributeError – The class does not have an attribute func_name
• TypeError – The attribute to delete is not a pivot shortcut.

description_str

Return Entity Description.

classmethod get_pivot_list() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity. Return type:List[str]

has_edge(other)

Return True if node has an edge with other.

classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type[CT_co]] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters:

• raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
• entity_type (Optional[Type]) – The entity type to create, by default None.

Returns:

The instantiated entity

Return type:

Entity

is_equivalent(other: Any) → bool

Return True if the entities are equivalent.

Parameters:other (Any) – The entity to check Returns:True if equivalent. Return type:bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A self.B == “xyz” and other.B == None self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)

Add a shortcut to a pivot function to the class.

Parameters:

• func_name (str) – The name of source pivot function.
• target (str) – The shortcut name (this will be a member function of the class)
• overwrite (bool, optional) – Force overwrite an existing pivot function, by default False

Raises:

• AttributeError – The source function does not exist
• TypeError – The source function is not a pivot function.
• TypeError – The target attribute exists and is not a pivot function
• AttributeError – The target function exists and ‘overwrite=True’ was not specified.

merge(other: Any) → msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns:Merged entity. Return type:Entity Raises:AttributeError – If the entities cannot be merged.

name_str

Return Entity Name.

node_properties

Return all public properties that are not entities.

Returns:Dictionary of name, value properties. Return type:Dict[str, Any]

classmethod pivots() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity. Return type:List[str]

properties

Return dictionary properties of entity.

Returns:Entity properties. Return type:dict

to_html() → str

Return HTML representation of entity.

Returns:HTML representation of entity Return type:str

to_json()

Return object as a JSON string.

to_networkx(graph: networkx.classes.graph.Graph = None) → networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters:graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None Returns:Graph with entity and any connected entities. Return type:nx.Graph

msticpy.datamodel.entities.entity

Entity Entity class.

class msticpy.datamodel.entities.entity.ContextObject

Bases: object

Information object attached to entity but is not an Entity.

class msticpy.datamodel.entities.entity.Entity(src_entity: Mapping[str, Any] = None, **kwargs)

Bases: abc.ABC, msticpy.datamodel.entities.entity_graph.Node

Entity abstract base class.

Implements common methods for Entity classes

Create a new instance of an entity.

Parameters:src_entity (Mapping[str, Any], optional) – If src_entity is supplied it attempts to extract common properties from the source entity and assign them to the new instance. (the default is None) Other Parameters:  kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.

ENTITY_NAME_MAP = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}

ID_PROPERTIES = []

JSONEncoder

alias of _EntityJSONEncoder

add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters:

• target (Node) – Target node.
• edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None

can_merge(other: Any) → bool

Return True if the entities can be merged.

Parameters:other (Any) – The other entity (object) to check Returns:True if other has no conflicting properties. Return type:bool

classmethod create(src_entity: Mapping[str, Any] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns:Instantiated entity Return type:Entity

Notes

The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.

classmethod del_pivot_shortcut(func_name: str)

Remove a pivot shortcut.

Parameters:

func_name (str) – The name of the shortcut function.

Raises:

• AttributeError – The class does not have an attribute func_name
• TypeError – The attribute to delete is not a pivot shortcut.

description_str

Return Entity Description.

Returns:Entity description (optional). If not overridden by the Entity instance type, it will return the Type string. Return type:str

classmethod get_pivot_list() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity. Return type:List[str]

has_edge(other)

Return True if node has an edge with other.

classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type[CT_co]] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters:

• raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
• entity_type (Optional[Type]) – The entity type to create, by default None.

Returns:

The instantiated entity

Return type:

Entity

is_equivalent(other: Any) → bool

Return True if the entities are equivalent.

Parameters:other (Any) – The entity to check Returns:True if equivalent. Return type:bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A self.B == “xyz” and other.B == None self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)

Add a shortcut to a pivot function to the class.

Parameters:

• func_name (str) – The name of source pivot function.
• target (str) – The shortcut name (this will be a member function of the class)
• overwrite (bool, optional) – Force overwrite an existing pivot function, by default False

Raises:

• AttributeError – The source function does not exist
• TypeError – The source function is not a pivot function.
• TypeError – The target attribute exists and is not a pivot function
• AttributeError – The target function exists and ‘overwrite=True’ was not specified.

merge(other: Any) → msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns:Merged entity. Return type:Entity Raises:AttributeError – If the entities cannot be merged.

name_str

Return Name Description.

Returns:Entity Name (optional). If not overridden by the Entity instance type, it will return the class name string. Return type:str

node_properties

Return all public properties that are not entities.

Returns:Dictionary of name, value properties. Return type:Dict[str, Any]

classmethod pivots() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity. Return type:List[str]

properties

Return dictionary properties of entity.

Returns:Entity properties. Return type:dict

to_html() → str

Return HTML representation of entity.

Returns:HTML representation of entity Return type:str

to_json()

Return object as a JSON string.

to_networkx(graph: networkx.classes.graph.Graph = None) → networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters:graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None Returns:Graph with entity and any connected entities. Return type:nx.Graph

msticpy.datamodel.entities.entity.camelcase_property_names(input_ent: Dict[str, Any]) → Dict[str, Any]

Change initial letter Microsoft Sentinel API entity properties to upper case.

msticpy.datamodel.entities.entity_enums

Entity enumerations.

class msticpy.datamodel.entities.entity_enums.Algorithm

Bases: enum.Enum

FileHash Algorithm Enumeration.

MD5 = 1

SHA1 = 2

SHA256 = 3

SHA256AC = 4

Unknown = 0

class msticpy.datamodel.entities.entity_enums.ElevationToken

Bases: enum.Enum

ElevationToken enumeration.

Default = 0

Full = 1

Limited = 2

class msticpy.datamodel.entities.entity_enums.OSFamily

Bases: enum.Enum

OSFamily enumeration.

Linux = 0

Windows = 1

class msticpy.datamodel.entities.entity_enums.RegistryHive

Bases: enum.Enum

RegistryHive enumeration.

HKEY_A = 8

HKEY_CLASSES_ROOT = 1

HKEY_CURRENT_CONFIG = 2

HKEY_CURRENT_USER = 9

HKEY_CURRENT_USER_LOCAL_SETTINGS = 4

HKEY_LOCAL_MACHINE = 0

HKEY_PERFORMANCE_DATA = 5

HKEY_PERFORMANCE_NLSTEXT = 6

HKEY_PERFORMANCE_TEXT = 7

HKEY_USERS = 3

short_name

Return the key shortname.

msticpy.datamodel.entities.entity_graph

Entity Graph classes.

class msticpy.datamodel.entities.entity_graph.Edge(source: msticpy.datamodel.entities.entity_graph.Node, target: msticpy.datamodel.entities.entity_graph.Node, attrs: Dict[str, Any] = None)

Bases: object

Entity edge class.

Create a new edge between source and target.

Parameters:

• source (Node) – Source node.
• target (Node) – Target node.
• attrs (Dict[str, Any], optional) – Dictionary of name/value edge attributes, by default None

add_attr(name: str, value: Any)

Add an edge attribute.

class msticpy.datamodel.entities.entity_graph.Node

Bases: object

Entity node.

Initialize the node.

add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters:

• target (Node) – Target node.
• edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None

has_edge(other)

Return True if node has an edge with other.

msticpy.datamodel.entities.file

File Entity class.

class msticpy.datamodel.entities.file.File(src_entity: Mapping[str, Any] = None, src_event: Mapping[str, Any] = None, role: str = 'new', **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

File Entity class.

FullPath

File FullPath

Type:str

Directory

File Directory

Type:str

Name

File Name

Type:str

Md5

File Md5

Type:str

Host

File Host

Type:str

Sha1

File Sha1

Type:str

Sha256

File Sha256

Type:str

Sha256Ac

File Sha256Ac

Type:str

FileHashes

File FileHashes

Type:List[FileHash]

Create a new instance of the entity type.

Parameters:

• src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)
• src_event (Mapping[str, Any], optional) – Create entity from event properties (the default is None)
• role (str, optional) – ‘new’ or ‘parent’ - only relevant if the entity is being constructed from an event. (the default is ‘new’)

Other Parameters:  

kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.

ENTITY_NAME_MAP = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}

ID_PROPERTIES = ['FullPath', 'Sha1', 'Sha256', 'Sha256ac', 'Md5']

JSONEncoder

alias of msticpy.datamodel.entities.entity._EntityJSONEncoder

add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters:

• target (Node) – Target node.
• edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None

can_merge(other: Any) → bool

Return True if the entities can be merged.

Parameters:other (Any) – The other entity (object) to check Returns:True if other has no conflicting properties. Return type:bool

classmethod create(src_entity: Mapping[str, Any] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns:Instantiated entity Return type:Entity

Notes

The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.

classmethod del_pivot_shortcut(func_name: str)

Remove a pivot shortcut.

Parameters:

func_name (str) – The name of the shortcut function.

Raises:

• AttributeError – The class does not have an attribute func_name
• TypeError – The attribute to delete is not a pivot shortcut.

description_str

Return Entity Description.

file_hash

Return the first defined file hash.

Returns:Returns first-defined file hash in order of SHA256, SHA1, MD5, SHA256AC (authenticode) Return type:Optional[str]

classmethod get_pivot_list() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity. Return type:List[str]

has_edge(other)

Return True if node has an edge with other.

classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type[CT_co]] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters:

• raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
• entity_type (Optional[Type]) – The entity type to create, by default None.

Returns:

The instantiated entity

Return type:

Entity

is_equivalent(other: Any) → bool

Return True if the entities are equivalent.

Parameters:other (Any) – The entity to check Returns:True if equivalent. Return type:bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A self.B == “xyz” and other.B == None self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)

Add a shortcut to a pivot function to the class.

Parameters:

• func_name (str) – The name of source pivot function.
• target (str) – The shortcut name (this will be a member function of the class)
• overwrite (bool, optional) – Force overwrite an existing pivot function, by default False

Raises:

• AttributeError – The source function does not exist
• TypeError – The source function is not a pivot function.
• TypeError – The target attribute exists and is not a pivot function
• AttributeError – The target function exists and ‘overwrite=True’ was not specified.

merge(other: Any) → msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns:Merged entity. Return type:Entity Raises:AttributeError – If the entities cannot be merged.

name_str

Return Entity Name.

node_properties

Return all public properties that are not entities.

Returns:Dictionary of name, value properties. Return type:Dict[str, Any]

path_separator

Return the path separator used by the file.

classmethod pivots() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity. Return type:List[str]

properties

Return dictionary properties of entity.

Returns:Entity properties. Return type:dict

to_html() → str

Return HTML representation of entity.

Returns:HTML representation of entity Return type:str

to_json()

Return object as a JSON string.

to_networkx(graph: networkx.classes.graph.Graph = None) → networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters:graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None Returns:Graph with entity and any connected entities. Return type:nx.Graph

msticpy.datamodel.entities.file_hash

FileHash Entity class.

class msticpy.datamodel.entities.file_hash.FileHash(src_entity: Mapping[str, Any] = None, src_event: Mapping[str, Any] = None, **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

File Hash class.

Algorithm

FileHash Algorithm

Type:Algorithm

Value

FileHash Value

Type:str

Create a new instance of the entity type.

Parameters:

• src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)
• src_event (Mapping[str, Any], optional) – Create entity from event properties (the default is None)

Other Parameters:  

kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.

ENTITY_NAME_MAP = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}

ID_PROPERTIES = ['Value']

JSONEncoder

alias of msticpy.datamodel.entities.entity._EntityJSONEncoder

add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters:

• target (Node) – Target node.
• edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None

can_merge(other: Any) → bool

Return True if the entities can be merged.

Parameters:other (Any) – The other entity (object) to check Returns:True if other has no conflicting properties. Return type:bool

classmethod create(src_entity: Mapping[str, Any] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns:Instantiated entity Return type:Entity

Notes

The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.

classmethod del_pivot_shortcut(func_name: str)

Remove a pivot shortcut.

Parameters:

func_name (str) – The name of the shortcut function.

Raises:

• AttributeError – The class does not have an attribute func_name
• TypeError – The attribute to delete is not a pivot shortcut.

description_str

Return Entity Description.

classmethod get_pivot_list() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity. Return type:List[str]

has_edge(other)

Return True if node has an edge with other.

classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type[CT_co]] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters:

• raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
• entity_type (Optional[Type]) – The entity type to create, by default None.

Returns:

The instantiated entity

Return type:

Entity

is_equivalent(other: Any) → bool

Return True if the entities are equivalent.

Parameters:other (Any) – The entity to check Returns:True if equivalent. Return type:bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A self.B == “xyz” and other.B == None self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)

Add a shortcut to a pivot function to the class.

Parameters:

• func_name (str) – The name of source pivot function.
• target (str) – The shortcut name (this will be a member function of the class)
• overwrite (bool, optional) – Force overwrite an existing pivot function, by default False

Raises:

• AttributeError – The source function does not exist
• TypeError – The source function is not a pivot function.
• TypeError – The target attribute exists and is not a pivot function
• AttributeError – The target function exists and ‘overwrite=True’ was not specified.

merge(other: Any) → msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns:Merged entity. Return type:Entity Raises:AttributeError – If the entities cannot be merged.

name_str

Return Entity Name.

node_properties

Return all public properties that are not entities.

Returns:Dictionary of name, value properties. Return type:Dict[str, Any]

classmethod pivots() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity. Return type:List[str]

properties

Return dictionary properties of entity.

Returns:Entity properties. Return type:dict

to_html() → str

Return HTML representation of entity.

Returns:HTML representation of entity Return type:str

to_json()

Return object as a JSON string.

to_networkx(graph: networkx.classes.graph.Graph = None) → networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters:graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None Returns:Graph with entity and any connected entities. Return type:nx.Graph

msticpy.datamodel.entities.geo_location

GeoLocation Entity class.

class msticpy.datamodel.entities.geo_location.GeoLocation(src_entity: Mapping[str, Any] = None, **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity, msticpy.datamodel.entities.entity.ContextObject

GeoLocation class.

CountryCode

GeoLocation CountryCode

Type:str

CountryName

GeoLocation CountryName

Type:str

State

GeoLocation State

Type:str

City

GeoLocation City

Type:str

Longitude

GeoLocation Longitude

Type:float

Latitude

GeoLocation Latitude

Type:float

Asn

GeoLocation Asn

Type:str

Create a new instance of the entity type.

Parameters:src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None) Other Parameters:  kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.

ENTITY_NAME_MAP = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}

ID_PROPERTIES = ['Longitude', 'Latitude', 'City', 'State', 'CountryCode']

JSONEncoder

alias of msticpy.datamodel.entities.entity._EntityJSONEncoder

add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters:

• target (Node) – Target node.
• edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None

can_merge(other: Any) → bool

Return True if the entities can be merged.

Parameters:other (Any) – The other entity (object) to check Returns:True if other has no conflicting properties. Return type:bool

classmethod create(src_entity: Mapping[str, Any] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns:Instantiated entity Return type:Entity

Notes

The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.

classmethod del_pivot_shortcut(func_name: str)

Remove a pivot shortcut.

Parameters:

func_name (str) – The name of the shortcut function.

Raises:

• AttributeError – The class does not have an attribute func_name
• TypeError – The attribute to delete is not a pivot shortcut.

description_str

Return Entity Description.

classmethod get_pivot_list() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity. Return type:List[str]

has_edge(other)

Return True if node has an edge with other.

classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type[CT_co]] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters:

• raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
• entity_type (Optional[Type]) – The entity type to create, by default None.

Returns:

The instantiated entity

Return type:

Entity

is_equivalent(other: Any) → bool

Return True if the entities are equivalent.

Parameters:other (Any) – The entity to check Returns:True if equivalent. Return type:bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A self.B == “xyz” and other.B == None self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)

Add a shortcut to a pivot function to the class.

Parameters:

• func_name (str) – The name of source pivot function.
• target (str) – The shortcut name (this will be a member function of the class)
• overwrite (bool, optional) – Force overwrite an existing pivot function, by default False

Raises:

• AttributeError – The source function does not exist
• TypeError – The source function is not a pivot function.
• TypeError – The target attribute exists and is not a pivot function
• AttributeError – The target function exists and ‘overwrite=True’ was not specified.

merge(other: Any) → msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns:Merged entity. Return type:Entity Raises:AttributeError – If the entities cannot be merged.

name_str

Return Entity Name.

node_properties

Return all public properties that are not entities.

Returns:Dictionary of name, value properties. Return type:Dict[str, Any]

classmethod pivots() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity. Return type:List[str]

properties

Return dictionary properties of entity.

Returns:Entity properties. Return type:dict

to_html() → str

Return HTML representation of entity.

Returns:HTML representation of entity Return type:str

to_json()

Return object as a JSON string.

to_networkx(graph: networkx.classes.graph.Graph = None) → networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters:graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None Returns:Graph with entity and any connected entities. Return type:nx.Graph

msticpy.datamodel.entities.host

Host Entity class.

class msticpy.datamodel.entities.host.Host(src_entity: Mapping[str, Any] = None, src_event: Mapping[str, Any] = None, **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

Host Entity class.

DnsDomain

Host DnsDomain

Type:str

NTDomain

Host NTDomain

Type:str

HostName

Host HostName

Type:str

NetBiosName

Host NetBiosName

Type:str

AzureID

Host AzureID

Type:str

OMSAgentID

Host OMSAgentID

Type:str

OSFamily

Host OSFamily

Type:str

OSVersion

Host OSVersion

Type:str

IsDomainJoined

Host IsDomainJoined

Type:bool

Create a new instance of the entity type.

Parameters:

• src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)
• src_event (Mapping[str, Any], optional) – Create entity from event properties (the default is None)

Other Parameters:  

kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.

ENTITY_NAME_MAP = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}

FullName

Return the full name of the host - either FQDN or Netbiosname.

ID_PROPERTIES = ['fqdn', 'AzureID', 'OMSAgentID']

JSONEncoder

alias of msticpy.datamodel.entities.entity._EntityJSONEncoder

add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters:

• target (Node) – Target node.
• edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None

can_merge(other: Any) → bool

Return True if the entities can be merged.

Parameters:other (Any) – The other entity (object) to check Returns:True if other has no conflicting properties. Return type:bool

computer

Return computer from source event.

classmethod create(src_entity: Mapping[str, Any] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns:Instantiated entity Return type:Entity

Notes

The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.

classmethod del_pivot_shortcut(func_name: str)

Remove a pivot shortcut.

Parameters:

func_name (str) – The name of the shortcut function.

Raises:

• AttributeError – The class does not have an attribute func_name
• TypeError – The attribute to delete is not a pivot shortcut.

description_str

Return Entity Description.

fqdn

Construct FQDN from host + dns.

classmethod get_pivot_list() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity. Return type:List[str]

has_edge(other)

Return True if node has an edge with other.

classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type[CT_co]] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters:

• raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
• entity_type (Optional[Type]) – The entity type to create, by default None.

Returns:

The instantiated entity

Return type:

Entity

is_equivalent(other: Any) → bool

Return True if the entities are equivalent.

Parameters:other (Any) – The entity to check Returns:True if equivalent. Return type:bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A self.B == “xyz” and other.B == None self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)

Add a shortcut to a pivot function to the class.

Parameters:

• func_name (str) – The name of source pivot function.
• target (str) – The shortcut name (this will be a member function of the class)
• overwrite (bool, optional) – Force overwrite an existing pivot function, by default False

Raises:

• AttributeError – The source function does not exist
• TypeError – The source function is not a pivot function.
• TypeError – The target attribute exists and is not a pivot function
• AttributeError – The target function exists and ‘overwrite=True’ was not specified.

merge(other: Any) → msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns:Merged entity. Return type:Entity Raises:AttributeError – If the entities cannot be merged.

name_str

Return Entity Name.

node_properties

Return all public properties that are not entities.

Returns:Dictionary of name, value properties. Return type:Dict[str, Any]

classmethod pivots() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity. Return type:List[str]

properties

Return dictionary properties of entity.

Returns:Entity properties. Return type:dict

to_html() → str

Return HTML representation of entity.

Returns:HTML representation of entity Return type:str

to_json()

Return object as a JSON string.

to_networkx(graph: networkx.classes.graph.Graph = None) → networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters:graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None Returns:Graph with entity and any connected entities. Return type:nx.Graph

msticpy.datamodel.entities.host_logon_session

HostLogonSession Entity class.

class msticpy.datamodel.entities.host_logon_session.HostLogonSession(src_entity: Mapping[str, Any] = None, src_event: Mapping[str, Any] = None, **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

HostLogonSession Entity class.

Account

HostLogonSession Account

Type:Account

StartTimeUtc

HostLogonSession StartTimeUtc

Type:datetime

EndTimeUtc

HostLogonSession EndTimeUtc

Type:datetime

Host

HostLogonSession Host

Type:Host

SessionId

HostLogonSession SessionId

Type:str

Create a new instance of the entity type.

Parameters:

• src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)
• src_event (Mapping[str, Any], optional) – Create entity from event properties (the default is None)

Other Parameters:  

kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.

ENTITY_NAME_MAP = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}

ID_PROPERTIES = ['Account', 'Host', 'SessionId']

JSONEncoder

alias of msticpy.datamodel.entities.entity._EntityJSONEncoder

add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters:

• target (Node) – Target node.
• edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None

can_merge(other: Any) → bool

Return True if the entities can be merged.

Parameters:other (Any) – The other entity (object) to check Returns:True if other has no conflicting properties. Return type:bool

classmethod create(src_entity: Mapping[str, Any] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns:Instantiated entity Return type:Entity

Notes

The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.

classmethod del_pivot_shortcut(func_name: str)

Remove a pivot shortcut.

Parameters:

func_name (str) – The name of the shortcut function.

Raises:

• AttributeError – The class does not have an attribute func_name
• TypeError – The attribute to delete is not a pivot shortcut.

description_str

Return Entity Description.

classmethod get_pivot_list() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity. Return type:List[str]

has_edge(other)

Return True if node has an edge with other.

classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type[CT_co]] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters:

• raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
• entity_type (Optional[Type]) – The entity type to create, by default None.

Returns:

The instantiated entity

Return type:

Entity

is_equivalent(other: Any) → bool

Return True if the entities are equivalent.

Parameters:other (Any) – The entity to check Returns:True if equivalent. Return type:bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A self.B == “xyz” and other.B == None self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)

Add a shortcut to a pivot function to the class.

Parameters:

• func_name (str) – The name of source pivot function.
• target (str) – The shortcut name (this will be a member function of the class)
• overwrite (bool, optional) – Force overwrite an existing pivot function, by default False

Raises:

• AttributeError – The source function does not exist
• TypeError – The source function is not a pivot function.
• TypeError – The target attribute exists and is not a pivot function
• AttributeError – The target function exists and ‘overwrite=True’ was not specified.

merge(other: Any) → msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns:Merged entity. Return type:Entity Raises:AttributeError – If the entities cannot be merged.

name_str

Return Entity Name.

node_properties

Return all public properties that are not entities.

Returns:Dictionary of name, value properties. Return type:Dict[str, Any]

classmethod pivots() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity. Return type:List[str]

properties

Return dictionary properties of entity.

Returns:Entity properties. Return type:dict

to_html() → str

Return HTML representation of entity.

Returns:HTML representation of entity Return type:str

to_json()

Return object as a JSON string.

to_networkx(graph: networkx.classes.graph.Graph = None) → networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters:graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None Returns:Graph with entity and any connected entities. Return type:nx.Graph

msticpy.datamodel.entities.ip_address

IpAddress Entity class.

msticpy.datamodel.entities.ip_address.Ip

alias of msticpy.datamodel.entities.ip_address.IpAddress

class msticpy.datamodel.entities.ip_address.IpAddress(src_entity: Mapping[str, Any] = None, src_event: Mapping[str, Any] = None, **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

IPAddress Entity class.

Address

IpAddress Address

Type:str

Location

IpAddress Location

Type:GeoLocation

ThreatIntelligence

IpAddress ThreatIntelligence

Type:List[Threatintelligence]

Create a new instance of the entity type.

Parameters:

• src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)
• src_event (Mapping[str, Any], optional) – Create entity from event properties (the default is None)

Other Parameters:  

kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.

ENTITY_NAME_MAP = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}

ID_PROPERTIES = ['Address']

JSONEncoder

alias of msticpy.datamodel.entities.entity._EntityJSONEncoder

add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters:

• target (Node) – Target node.
• edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None

can_merge(other: Any) → bool

Return True if the entities can be merged.

Parameters:other (Any) – The other entity (object) to check Returns:True if other has no conflicting properties. Return type:bool

classmethod create(src_entity: Mapping[str, Any] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns:Instantiated entity Return type:Entity

Notes

The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.

classmethod del_pivot_shortcut(func_name: str)

Remove a pivot shortcut.

Parameters:

func_name (str) – The name of the shortcut function.

Raises:

• AttributeError – The class does not have an attribute func_name
• TypeError – The attribute to delete is not a pivot shortcut.

description_str

Return Entity Description.

classmethod get_pivot_list() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity. Return type:List[str]

has_edge(other)

Return True if node has an edge with other.

classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type[CT_co]] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters:

• raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
• entity_type (Optional[Type]) – The entity type to create, by default None.

Returns:

The instantiated entity

Return type:

Entity

ip_address

Return a python IP address object from the entity property.

is_equivalent(other: Any) → bool

Return True if the entities are equivalent.

Parameters:other (Any) – The entity to check Returns:True if equivalent. Return type:bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A self.B == “xyz” and other.B == None self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)

Add a shortcut to a pivot function to the class.

Parameters:

• func_name (str) – The name of source pivot function.
• target (str) – The shortcut name (this will be a member function of the class)
• overwrite (bool, optional) – Force overwrite an existing pivot function, by default False

Raises:

• AttributeError – The source function does not exist
• TypeError – The source function is not a pivot function.
• TypeError – The target attribute exists and is not a pivot function
• AttributeError – The target function exists and ‘overwrite=True’ was not specified.

merge(other: Any) → msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns:Merged entity. Return type:Entity Raises:AttributeError – If the entities cannot be merged.

name_str

Return Entity Name.

node_properties

Return all public properties that are not entities.

Returns:Dictionary of name, value properties. Return type:Dict[str, Any]

classmethod pivots() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity. Return type:List[str]

properties

Return dictionary properties of entity.

Returns:Entity properties. Return type:dict

to_html() → str

Return HTML representation of entity.

Returns:HTML representation of entity Return type:str

to_json()

Return object as a JSON string.

to_networkx(graph: networkx.classes.graph.Graph = None) → networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters:graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None Returns:Graph with entity and any connected entities. Return type:nx.Graph

msticpy.datamodel.entities.malware

Malware Entity class.

class msticpy.datamodel.entities.malware.Malware(src_entity: Mapping[str, Any] = None, **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

Malware Entity class.

Name

Malware Name

Type:str

Category

Malware Category

Type:str

File

Malware File

Type:File

Files

Malware Files

Type:List[File]

Processes

Malware Processes

Type:List[Process]

Create a new instance of the entity type.

Parameters:src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None) Other Parameters:  kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.

ENTITY_NAME_MAP = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}

ID_PROPERTIES = ['Name']

JSONEncoder

alias of msticpy.datamodel.entities.entity._EntityJSONEncoder

add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters:

• target (Node) – Target node.
• edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None

can_merge(other: Any) → bool

Return True if the entities can be merged.

Parameters:other (Any) – The other entity (object) to check Returns:True if other has no conflicting properties. Return type:bool

classmethod create(src_entity: Mapping[str, Any] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns:Instantiated entity Return type:Entity

Notes

The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.

classmethod del_pivot_shortcut(func_name: str)

Remove a pivot shortcut.

Parameters:

func_name (str) – The name of the shortcut function.

Raises:

• AttributeError – The class does not have an attribute func_name
• TypeError – The attribute to delete is not a pivot shortcut.

description_str

Return Entity Description.

classmethod get_pivot_list() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity. Return type:List[str]

has_edge(other)

Return True if node has an edge with other.

classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type[CT_co]] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters:

• raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
• entity_type (Optional[Type]) – The entity type to create, by default None.

Returns:

The instantiated entity

Return type:

Entity

is_equivalent(other: Any) → bool

Return True if the entities are equivalent.

Parameters:other (Any) – The entity to check Returns:True if equivalent. Return type:bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A self.B == “xyz” and other.B == None self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)

Add a shortcut to a pivot function to the class.

Parameters:

• func_name (str) – The name of source pivot function.
• target (str) – The shortcut name (this will be a member function of the class)
• overwrite (bool, optional) – Force overwrite an existing pivot function, by default False

Raises:

• AttributeError – The source function does not exist
• TypeError – The source function is not a pivot function.
• TypeError – The target attribute exists and is not a pivot function
• AttributeError – The target function exists and ‘overwrite=True’ was not specified.

merge(other: Any) → msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns:Merged entity. Return type:Entity Raises:AttributeError – If the entities cannot be merged.

name_str

Return Entity Name.

node_properties

Return all public properties that are not entities.

Returns:Dictionary of name, value properties. Return type:Dict[str, Any]

classmethod pivots() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity. Return type:List[str]

properties

Return dictionary properties of entity.

Returns:Entity properties. Return type:dict

to_html() → str

Return HTML representation of entity.

Returns:HTML representation of entity Return type:str

to_json()

Return object as a JSON string.

to_networkx(graph: networkx.classes.graph.Graph = None) → networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters:graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None Returns:Graph with entity and any connected entities. Return type:nx.Graph

msticpy.datamodel.entities.network_connection

NetworkConnection Entity class.

class msticpy.datamodel.entities.network_connection.NetworkConnection(src_entity: Mapping[str, Any] = None, **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

NetworkConnection Entity class.

SourceAddress

NetworkConnection SourceAddress

Type:IPAddress

SourcePort

NetworkConnection SourcePort

Type:int

DestinationAddress

NetworkConnection DestinationAddress

Type:IPAddress

DestinationPort

NetworkConnection DestinationPort

Type:int

Protocol

NetworkConnection Protocol

Type:str

Create a new instance of the entity type.

Parameters:src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None) Other Parameters:  kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.

ENTITY_NAME_MAP = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}

ID_PROPERTIES = ['SourceAddress', 'SourcePort', 'DestinationAddress', 'DestinationPort']

JSONEncoder

alias of msticpy.datamodel.entities.entity._EntityJSONEncoder

add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters:

• target (Node) – Target node.
• edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None

can_merge(other: Any) → bool

Return True if the entities can be merged.

Parameters:other (Any) – The other entity (object) to check Returns:True if other has no conflicting properties. Return type:bool

classmethod create(src_entity: Mapping[str, Any] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns:Instantiated entity Return type:Entity

Notes

The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.

classmethod del_pivot_shortcut(func_name: str)

Remove a pivot shortcut.

Parameters:

func_name (str) – The name of the shortcut function.

Raises:

• AttributeError – The class does not have an attribute func_name
• TypeError – The attribute to delete is not a pivot shortcut.

description_str

Return Entity Description.

classmethod get_pivot_list() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity. Return type:List[str]

has_edge(other)

Return True if node has an edge with other.

classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type[CT_co]] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters:

• raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
• entity_type (Optional[Type]) – The entity type to create, by default None.

Returns:

The instantiated entity

Return type:

Entity

is_equivalent(other: Any) → bool

Return True if the entities are equivalent.

Parameters:other (Any) – The entity to check Returns:True if equivalent. Return type:bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A self.B == “xyz” and other.B == None self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)

Add a shortcut to a pivot function to the class.

Parameters:

• func_name (str) – The name of source pivot function.
• target (str) – The shortcut name (this will be a member function of the class)
• overwrite (bool, optional) – Force overwrite an existing pivot function, by default False

Raises:

• AttributeError – The source function does not exist
• TypeError – The source function is not a pivot function.
• TypeError – The target attribute exists and is not a pivot function
• AttributeError – The target function exists and ‘overwrite=True’ was not specified.

merge(other: Any) → msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns:Merged entity. Return type:Entity Raises:AttributeError – If the entities cannot be merged.

name_str

Return Entity Name.

node_properties

Return all public properties that are not entities.

Returns:Dictionary of name, value properties. Return type:Dict[str, Any]

classmethod pivots() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity. Return type:List[str]

properties

Return dictionary properties of entity.

Returns:Entity properties. Return type:dict

to_html() → str

Return HTML representation of entity.

Returns:HTML representation of entity Return type:str

to_json()

Return object as a JSON string.

to_networkx(graph: networkx.classes.graph.Graph = None) → networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters:graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None Returns:Graph with entity and any connected entities. Return type:nx.Graph

msticpy.datamodel.entities.process

Process Entity class.

class msticpy.datamodel.entities.process.Process(src_entity: Mapping[str, Any] = None, src_event: Mapping[str, Any] = None, role='new', **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

Process Entity class.

ProcessId

Process ProcessId

Type:str

CommandLine

Process CommandLine

Type:str

ElevationToken

Process ElevationToken

Type:str

CreationTimeUtc

Process CreationTimeUtc

Type:datetime

ImageFile

Process ImageFile

Type:File

Account

Process Account

Type:Account

ParentProcess

Process ParentProcess

Type:Process

Host

Process Host

Type:Host

LogonSession

Process LogonSession

Type:HostLogonSession

Create a new instance of the entity type.

Parameters:

• src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)
• src_event (Mapping[str, Any], optional) – Create entity from event properties (the default is None)
• role (str, optional) – ‘new’ or ‘parent’ - only relevant if the entity is being constructed from an event. (the default is ‘new’)

Other Parameters:  

kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.

ENTITY_NAME_MAP = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}

ID_PROPERTIES = ['ProcessId', 'ImageFile', 'CreationTimeUtc', 'CommandLine']

JSONEncoder

alias of msticpy.datamodel.entities.entity._EntityJSONEncoder

ProcessFilePath

Return the name of the process file path.

ProcessName

Return the name of the process file.

add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters:

• target (Node) – Target node.
• edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None

can_merge(other: Any) → bool

Return True if the entities can be merged.

Parameters:other (Any) – The other entity (object) to check Returns:True if other has no conflicting properties. Return type:bool

classmethod create(src_entity: Mapping[str, Any] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns:Instantiated entity Return type:Entity

Notes

The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.

classmethod del_pivot_shortcut(func_name: str)

Remove a pivot shortcut.

Parameters:

func_name (str) – The name of the shortcut function.

Raises:

• AttributeError – The class does not have an attribute func_name
• TypeError – The attribute to delete is not a pivot shortcut.

description_str

Return Entity Description.

classmethod get_pivot_list() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity. Return type:List[str]

has_edge(other)

Return True if node has an edge with other.

classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type[CT_co]] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters:

• raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
• entity_type (Optional[Type]) – The entity type to create, by default None.

Returns:

The instantiated entity

Return type:

Entity

is_equivalent(other: Any) → bool

Return True if the entities are equivalent.

Parameters:other (Any) – The entity to check Returns:True if equivalent. Return type:bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A self.B == “xyz” and other.B == None self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)

Add a shortcut to a pivot function to the class.

Parameters:

• func_name (str) – The name of source pivot function.
• target (str) – The shortcut name (this will be a member function of the class)
• overwrite (bool, optional) – Force overwrite an existing pivot function, by default False

Raises:

• AttributeError – The source function does not exist
• TypeError – The source function is not a pivot function.
• TypeError – The target attribute exists and is not a pivot function
• AttributeError – The target function exists and ‘overwrite=True’ was not specified.

merge(other: Any) → msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns:Merged entity. Return type:Entity Raises:AttributeError – If the entities cannot be merged.

name_str

Return Entity Name.

node_properties

Return all public properties that are not entities.

Returns:Dictionary of name, value properties. Return type:Dict[str, Any]

classmethod pivots() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity. Return type:List[str]

properties

Return dictionary properties of entity.

Returns:Entity properties. Return type:dict

to_html() → str

Return HTML representation of entity.

Returns:HTML representation of entity Return type:str

to_json()

Return object as a JSON string.

to_networkx(graph: networkx.classes.graph.Graph = None) → networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters:graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None Returns:Graph with entity and any connected entities. Return type:nx.Graph

msticpy.datamodel.entities.registry_key

RegistryValue Entity class.

class msticpy.datamodel.entities.registry_key.RegistryKey(src_entity: Mapping[str, Any] = None, **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

RegistryKey Entity class.

Hive

RegistryKey Hive

Type:RegistryHive

Key

RegistryKey Key

Type:str

Create a new instance of the entity type.

Parameters:src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None) Other Parameters:  kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.

ENTITY_NAME_MAP = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}

ID_PROPERTIES = ['Hive', 'Key']

JSONEncoder

alias of msticpy.datamodel.entities.entity._EntityJSONEncoder

add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters:

• target (Node) – Target node.
• edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None

can_merge(other: Any) → bool

Return True if the entities can be merged.

Parameters:other (Any) – The other entity (object) to check Returns:True if other has no conflicting properties. Return type:bool

classmethod create(src_entity: Mapping[str, Any] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns:Instantiated entity Return type:Entity

Notes

The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.

classmethod del_pivot_shortcut(func_name: str)

Remove a pivot shortcut.

Parameters:

func_name (str) – The name of the shortcut function.

Raises:

• AttributeError – The class does not have an attribute func_name
• TypeError – The attribute to delete is not a pivot shortcut.

description_str

Return Entity Description.

classmethod get_pivot_list() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity. Return type:List[str]

has_edge(other)

Return True if node has an edge with other.

classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type[CT_co]] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters:

• raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
• entity_type (Optional[Type]) – The entity type to create, by default None.

Returns:

The instantiated entity

Return type:

Entity

is_equivalent(other: Any) → bool

Return True if the entities are equivalent.

Parameters:other (Any) – The entity to check Returns:True if equivalent. Return type:bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A self.B == “xyz” and other.B == None self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)

Add a shortcut to a pivot function to the class.

Parameters:

• func_name (str) – The name of source pivot function.
• target (str) – The shortcut name (this will be a member function of the class)
• overwrite (bool, optional) – Force overwrite an existing pivot function, by default False

Raises:

• AttributeError – The source function does not exist
• TypeError – The source function is not a pivot function.
• TypeError – The target attribute exists and is not a pivot function
• AttributeError – The target function exists and ‘overwrite=True’ was not specified.

merge(other: Any) → msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns:Merged entity. Return type:Entity Raises:AttributeError – If the entities cannot be merged.

name_str

Return Entity Name.

node_properties

Return all public properties that are not entities.

Returns:Dictionary of name, value properties. Return type:Dict[str, Any]

classmethod pivots() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity. Return type:List[str]

properties

Return dictionary properties of entity.

Returns:Entity properties. Return type:dict

to_html() → str

Return HTML representation of entity.

Returns:HTML representation of entity Return type:str

to_json()

Return object as a JSON string.

to_networkx(graph: networkx.classes.graph.Graph = None) → networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters:graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None Returns:Graph with entity and any connected entities. Return type:nx.Graph

msticpy.datamodel.entities.registry_value

RegistryValue Entity class.

class msticpy.datamodel.entities.registry_value.RegistryValue(src_entity: Mapping[str, Any] = None, **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

RegistryValue Entity class.

Key

RegistryValue Key

Type:str

Name

RegistryValue Name

Type:str

Value

RegistryValue Value

Type:str

ValueType

RegistryValue ValueType

Type:str

Create a new instance of the entity type.

Parameters:src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None) Other Parameters:  kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.

ENTITY_NAME_MAP = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}

ID_PROPERTIES = ['Key', 'Name', 'Value']

JSONEncoder

alias of msticpy.datamodel.entities.entity._EntityJSONEncoder

add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters:

• target (Node) – Target node.
• edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None

can_merge(other: Any) → bool

Return True if the entities can be merged.

Parameters:other (Any) – The other entity (object) to check Returns:True if other has no conflicting properties. Return type:bool

classmethod create(src_entity: Mapping[str, Any] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns:Instantiated entity Return type:Entity

Notes

The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.

classmethod del_pivot_shortcut(func_name: str)

Remove a pivot shortcut.

Parameters:

func_name (str) – The name of the shortcut function.

Raises:

• AttributeError – The class does not have an attribute func_name
• TypeError – The attribute to delete is not a pivot shortcut.

description_str

Return Entity Description.

classmethod get_pivot_list() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity. Return type:List[str]

has_edge(other)

Return True if node has an edge with other.

classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type[CT_co]] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters:

• raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
• entity_type (Optional[Type]) – The entity type to create, by default None.

Returns:

The instantiated entity

Return type:

Entity

is_equivalent(other: Any) → bool

Return True if the entities are equivalent.

Parameters:other (Any) – The entity to check Returns:True if equivalent. Return type:bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A self.B == “xyz” and other.B == None self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)

Add a shortcut to a pivot function to the class.

Parameters:

• func_name (str) – The name of source pivot function.
• target (str) – The shortcut name (this will be a member function of the class)
• overwrite (bool, optional) – Force overwrite an existing pivot function, by default False

Raises:

• AttributeError – The source function does not exist
• TypeError – The source function is not a pivot function.
• TypeError – The target attribute exists and is not a pivot function
• AttributeError – The target function exists and ‘overwrite=True’ was not specified.

merge(other: Any) → msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns:Merged entity. Return type:Entity Raises:AttributeError – If the entities cannot be merged.

name_str

Return Entity Name.

node_properties

Return all public properties that are not entities.

Returns:Dictionary of name, value properties. Return type:Dict[str, Any]

classmethod pivots() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity. Return type:List[str]

properties

Return dictionary properties of entity.

Returns:Entity properties. Return type:dict

to_html() → str

Return HTML representation of entity.

Returns:HTML representation of entity Return type:str

to_json()

Return object as a JSON string.

to_networkx(graph: networkx.classes.graph.Graph = None) → networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters:graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None Returns:Graph with entity and any connected entities. Return type:nx.Graph

msticpy.datamodel.entities.security_group

SecurityGroup Entity class.

class msticpy.datamodel.entities.security_group.SecurityGroup(src_entity: Mapping[str, Any] = None, **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

SecurityGroup Entity class.

DistinguishedName

SecurityGroup DistinguishedName

Type:str

SID

SecurityGroup SID

Type:str

ObjectGuid

SecurityGroup ObjectGuid

Type:str

Create a new instance of the entity type.

Parameters:src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None) Other Parameters:  kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.

ENTITY_NAME_MAP = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}

ID_PROPERTIES = ['DistinguishedName', 'SID', 'ObjectGuid']

JSONEncoder

alias of msticpy.datamodel.entities.entity._EntityJSONEncoder

add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters:

• target (Node) – Target node.
• edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None

can_merge(other: Any) → bool

Return True if the entities can be merged.

Parameters:other (Any) – The other entity (object) to check Returns:True if other has no conflicting properties. Return type:bool

classmethod create(src_entity: Mapping[str, Any] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns:Instantiated entity Return type:Entity

Notes

The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.

classmethod del_pivot_shortcut(func_name: str)

Remove a pivot shortcut.

Parameters:

func_name (str) – The name of the shortcut function.

Raises:

• AttributeError – The class does not have an attribute func_name
• TypeError – The attribute to delete is not a pivot shortcut.

description_str

Return Entity Description.

classmethod get_pivot_list() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity. Return type:List[str]

has_edge(other)

Return True if node has an edge with other.

classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type[CT_co]] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters:

• raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
• entity_type (Optional[Type]) – The entity type to create, by default None.

Returns:

The instantiated entity

Return type:

Entity

is_equivalent(other: Any) → bool

Return True if the entities are equivalent.

Parameters:other (Any) – The entity to check Returns:True if equivalent. Return type:bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A self.B == “xyz” and other.B == None self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)

Add a shortcut to a pivot function to the class.

Parameters:

• func_name (str) – The name of source pivot function.
• target (str) – The shortcut name (this will be a member function of the class)
• overwrite (bool, optional) – Force overwrite an existing pivot function, by default False

Raises:

• AttributeError – The source function does not exist
• TypeError – The source function is not a pivot function.
• TypeError – The target attribute exists and is not a pivot function
• AttributeError – The target function exists and ‘overwrite=True’ was not specified.

merge(other: Any) → msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns:Merged entity. Return type:Entity Raises:AttributeError – If the entities cannot be merged.

name_str

Return Entity Name.

node_properties

Return all public properties that are not entities.

Returns:Dictionary of name, value properties. Return type:Dict[str, Any]

classmethod pivots() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity. Return type:List[str]

properties

Return dictionary properties of entity.

Returns:Entity properties. Return type:dict

to_html() → str

Return HTML representation of entity.

Returns:HTML representation of entity Return type:str

to_json()

Return object as a JSON string.

to_networkx(graph: networkx.classes.graph.Graph = None) → networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters:graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None Returns:Graph with entity and any connected entities. Return type:nx.Graph

msticpy.datamodel.entities.threat_intelligence

Threatintelligence Entity class.

class msticpy.datamodel.entities.threat_intelligence.Threatintelligence(src_entity: Mapping[str, Any] = None, **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

Threatintelligence Entity class.

ProviderName

Threatintelligence ProviderName

Type:str

ThreatType

Threatintelligence ThreatType

Type:str

ThreatName

Threatintelligence ThreatName

Type:str

Confidence

Threatintelligence Confidence

Type:str

ReportLink

Threatintelligence ReportLink

Type:str

ThreatDescription

Threatintelligence ThreatDescription

Type:str

Create a new instance of the entity type.

param src_entity:  instantiate entity using properties of src entity param kwargs:key-value pair representation of entity

ENTITY_NAME_MAP = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}

ID_PROPERTIES = ['ProviderName', 'ThreatName', 'ReportLink']

JSONEncoder

alias of msticpy.datamodel.entities.entity._EntityJSONEncoder

add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters:

• target (Node) – Target node.
• edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None

can_merge(other: Any) → bool

Return True if the entities can be merged.

Parameters:other (Any) – The other entity (object) to check Returns:True if other has no conflicting properties. Return type:bool

classmethod create(src_entity: Mapping[str, Any] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns:Instantiated entity Return type:Entity

Notes

The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.

classmethod del_pivot_shortcut(func_name: str)

Remove a pivot shortcut.

Parameters:

func_name (str) – The name of the shortcut function.

Raises:

• AttributeError – The class does not have an attribute func_name
• TypeError – The attribute to delete is not a pivot shortcut.

description_str

Return Entity Description.

classmethod get_pivot_list() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity. Return type:List[str]

has_edge(other)

Return True if node has an edge with other.

classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type[CT_co]] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters:

• raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
• entity_type (Optional[Type]) – The entity type to create, by default None.

Returns:

The instantiated entity

Return type:

Entity

is_equivalent(other: Any) → bool

Return True if the entities are equivalent.

Parameters:other (Any) – The entity to check Returns:True if equivalent. Return type:bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A self.B == “xyz” and other.B == None self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)

Add a shortcut to a pivot function to the class.

Parameters:

• func_name (str) – The name of source pivot function.
• target (str) – The shortcut name (this will be a member function of the class)
• overwrite (bool, optional) – Force overwrite an existing pivot function, by default False

Raises:

• AttributeError – The source function does not exist
• TypeError – The source function is not a pivot function.
• TypeError – The target attribute exists and is not a pivot function
• AttributeError – The target function exists and ‘overwrite=True’ was not specified.

merge(other: Any) → msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns:Merged entity. Return type:Entity Raises:AttributeError – If the entities cannot be merged.

name_str

Return Entity Name.

node_properties

Return all public properties that are not entities.

Returns:Dictionary of name, value properties. Return type:Dict[str, Any]

classmethod pivots() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity. Return type:List[str]

properties

Return dictionary properties of entity.

Returns:Entity properties. Return type:dict

to_html() → str

Return HTML representation of entity.

Returns:HTML representation of entity Return type:str

to_json()

Return object as a JSON string.

to_networkx(graph: networkx.classes.graph.Graph = None) → networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters:graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None Returns:Graph with entity and any connected entities. Return type:nx.Graph

msticpy.datamodel.entities.unknown_entity

Threatintelligence Entity class.

class msticpy.datamodel.entities.unknown_entity.UnknownEntity(src_entity: Mapping[str, Any] = None, **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

Generic Entity class.

Create a new instance of the entity type.

param src_entity:  instantiate entity using properties of src entity param kwargs:key-value pair representation of entity

ENTITY_NAME_MAP = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}

ID_PROPERTIES = []

JSONEncoder

alias of msticpy.datamodel.entities.entity._EntityJSONEncoder

add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters:

• target (Node) – Target node.
• edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None

can_merge(other: Any) → bool

Return True if the entities can be merged.

Parameters:other (Any) – The other entity (object) to check Returns:True if other has no conflicting properties. Return type:bool

classmethod create(src_entity: Mapping[str, Any] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns:Instantiated entity Return type:Entity

Notes

The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.

classmethod del_pivot_shortcut(func_name: str)

Remove a pivot shortcut.

Parameters:

func_name (str) – The name of the shortcut function.

Raises:

• AttributeError – The class does not have an attribute func_name
• TypeError – The attribute to delete is not a pivot shortcut.

description_str

Return Entity Description.

classmethod get_pivot_list() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity. Return type:List[str]

has_edge(other)

Return True if node has an edge with other.

classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type[CT_co]] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters:

• raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
• entity_type (Optional[Type]) – The entity type to create, by default None.

Returns:

The instantiated entity

Return type:

Entity

is_equivalent(other: Any) → bool

Return True if the entities are equivalent.

Parameters:other (Any) – The entity to check Returns:True if equivalent. Return type:bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A self.B == “xyz” and other.B == None self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)

Add a shortcut to a pivot function to the class.

Parameters:

• func_name (str) – The name of source pivot function.
• target (str) – The shortcut name (this will be a member function of the class)
• overwrite (bool, optional) – Force overwrite an existing pivot function, by default False

Raises:

• AttributeError – The source function does not exist
• TypeError – The source function is not a pivot function.
• TypeError – The target attribute exists and is not a pivot function
• AttributeError – The target function exists and ‘overwrite=True’ was not specified.

merge(other: Any) → msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns:Merged entity. Return type:Entity Raises:AttributeError – If the entities cannot be merged.

name_str

Return Entity Name.

node_properties

Return all public properties that are not entities.

Returns:Dictionary of name, value properties. Return type:Dict[str, Any]

classmethod pivots() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity. Return type:List[str]

properties

Return dictionary properties of entity.

Returns:Entity properties. Return type:dict

to_html() → str

Return HTML representation of entity.

Returns:HTML representation of entity Return type:str

to_json()

Return object as a JSON string.

to_networkx(graph: networkx.classes.graph.Graph = None) → networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters:graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None Returns:Graph with entity and any connected entities. Return type:nx.Graph

msticpy.datamodel.entities.url

Url Entity class.

class msticpy.datamodel.entities.url.Url(src_entity: Mapping[str, Any] = None, src_event: Mapping[str, Any] = None, **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

URL Entity.

Url

The URL

Type:str

DetonationVerdict

The verdict of the URL detection

Type:str

Create a new instance of the entity type.

Parameters:

• src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)
• src_event (Mapping[str, Any], optional) – Create entity from event properties (the default is None)

Other Parameters:  

kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.

ENTITY_NAME_MAP = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}

ID_PROPERTIES = ['Url']

JSONEncoder

alias of msticpy.datamodel.entities.entity._EntityJSONEncoder

add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters:

• target (Node) – Target node.
• edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None

can_merge(other: Any) → bool

Return True if the entities can be merged.

Parameters:other (Any) – The other entity (object) to check Returns:True if other has no conflicting properties. Return type:bool

classmethod create(src_entity: Mapping[str, Any] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns:Instantiated entity Return type:Entity

Notes

The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.

classmethod del_pivot_shortcut(func_name: str)

Remove a pivot shortcut.

Parameters:

func_name (str) – The name of the shortcut function.

Raises:

• AttributeError – The class does not have an attribute func_name
• TypeError – The attribute to delete is not a pivot shortcut.

description_str

Return Entity Description.

classmethod get_pivot_list() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity. Return type:List[str]

has_edge(other)

Return True if node has an edge with other.

classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type[CT_co]] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters:

• raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
• entity_type (Optional[Type]) – The entity type to create, by default None.

Returns:

The instantiated entity

Return type:

Entity

is_equivalent(other: Any) → bool

Return True if the entities are equivalent.

Parameters:other (Any) – The entity to check Returns:True if equivalent. Return type:bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A self.B == “xyz” and other.B == None self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)

Add a shortcut to a pivot function to the class.

Parameters:

• func_name (str) – The name of source pivot function.
• target (str) – The shortcut name (this will be a member function of the class)
• overwrite (bool, optional) – Force overwrite an existing pivot function, by default False

Raises:

• AttributeError – The source function does not exist
• TypeError – The source function is not a pivot function.
• TypeError – The target attribute exists and is not a pivot function
• AttributeError – The target function exists and ‘overwrite=True’ was not specified.

merge(other: Any) → msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns:Merged entity. Return type:Entity Raises:AttributeError – If the entities cannot be merged.

name_str

Return Entity Name.

node_properties

Return all public properties that are not entities.

Returns:Dictionary of name, value properties. Return type:Dict[str, Any]

classmethod pivots() → List[str]

Return list of current pivot functions.

Returns:List of pivot functions assigned to entity. Return type:List[str]

properties

Return dictionary properties of entity.

Returns:Entity properties. Return type:dict

to_html() → str

Return HTML representation of entity.

Returns:HTML representation of entity Return type:str

to_json()

Return object as a JSON string.

to_networkx(graph: networkx.classes.graph.Graph = None) → networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters:graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None Returns:Graph with entity and any connected entities. Return type:nx.Graph

msticpy.datamodel.pivot

Pivot functions main module.

class msticpy.datamodel.pivot.Pivot(namespace: Dict[str, Any] = None, providers: Iterable[Any] = None, timespan: Optional[msticpy.common.timespan.TimeSpan] = None)

Bases: object

Pivot environment loader.

Instantiate a Pivot environment.

Parameters:

• namespace (Dict[str, Any], optional) – To search for and use any current providers, specify namespace=globals(), by default None
• providers (Iterable[Any], optional) – A list of query providers, TILookup or other providers to use (these will override providers of the same type read from namespace), by default None
• timespan (Optional[TimeSpan], optional) – The default timespan used by providers that require start and end times. By default the time range is initialized to be 24 hours prior to the load time.

static add_pivot_function(func: Callable[[Any], Any], pivot_reg: Optional[msticpy.datamodel.pivot_register.PivotRegistration] = None, container: Optional[str] = None, **kwargs)

Add a pivot function to entities.

Parameters:

• func (Callable[[Any], Any]) – The function to add
• pivot_reg (PivotRegistration, optional) – Pivot registration object, by default None
• container (str, optional) – The name of the container into which the function should be added, by default “other”

Other Parameters:  

kwargs – If pivot_reg is not supplied you can specify required pivot registration parameters via keyword arguments. You must specify input_type (str) and entity_map (dict of entity_name, entity_attribute pairs)

See also

PivotRegistration()

add_query_provider(prov: msticpy.data.data_providers.QueryProvider)

Add pivot functions from provider.

Parameters:prov (QueryProvider) – Query provider.

static browse()

Return PivotBrowser.

current = None

edit_query_time(timespan: Optional[msticpy.common.timespan.TimeSpan] = None)

Display a QueryTime widget to get the timespan.

Parameters:timespan (Optional[TimeSpan], optional) – Pre-populate the timespan shown by the QueryTime editor, by default None

end

Return current end time for queries.

get_provider(name: str) → Any

Get a provider by type name.

Parameters:name (str) – The name of the provider type. Returns:An instance of the provider or None if the Pivot environment does not have one. Return type:Any

get_timespan() → msticpy.common.timespan.TimeSpan

Return the timespan as a TimeSpan object.

providers

Return the current set of loaded providers.

Returns:provider_name, provider_instance Return type:Dict[str, Any]

static register_pivot_providers(pivot_reg_path: str, namespace: Dict[str, Any] = None, def_container: str = 'custom', force_container: bool = False)

Register pivot functions from configuration file.

Parameters:

• pivot_reg_path (str) – Path to config yaml file
• namespace (Dict[str, Any], optional) – Namespace to search for existing instances of classes, by default None
• def_container (str, optional) – Container name to use for entity pivot functions, by default “other”
• force_container (bool, optional) – Force container value to be used even if entity definitions have specific setting for a container name, by default False

Raises:

ValueError – An entity specified in the config file is not recognized.

reload_pivots(namespace: Dict[str, Any] = None, providers: Iterable[Any] = None, clear_existing: bool = True)

Load or reload Pivot functions from environment and/or providers list.

Parameters:

• namespace (Dict[str, Any], optional) – To search for and use any current providers, specify namespace=globals(), by default None
• providers (Iterable[Any], optional) – A list of query providers, TILookup or other providers to use (these will override providers of the same type read from namespace), by default None
• clear_existing (bool) – Reloads pivot functions without clearing existing pivot assignments. Any pivot functions with conflicting names will be overwritten by the reload operation. The default is True.

static remove_pivot_funcs(entity: str)

Remove pivot functions from one or all entities.

Parameters:entity (str) – entity class name or “all” to remove all pivot functions. Raises:ValueError – If entity is not a recognized entity class.

set_timespan(value: Optional[Any] = None, **kwargs)

Set the pivot timespan.

Parameters:value (Optional[Any], optional) – Timespan object or something convertible to a TimeSpan, by default None Other Parameters:  kwargs – Key/value arguments passed to Timespan constructor.

start

Return current start time for queries.

timespan

Return the current timespan.

Returns:The current timespan Return type:TimeSpan

msticpy.datamodel.pivot_data_queries

Pivot query functions class.

class msticpy.datamodel.pivot_data_queries.ParamAttrs(type, query, family, required)

Bases: tuple

Create new instance of ParamAttrs(type, query, family, required)

count()

Return number of occurrences of value.

family

Alias for field number 2

index()

Return first index of value.

Raises ValueError if the value is not present.

query

Alias for field number 1

required

Alias for field number 3

type

Alias for field number 0

class msticpy.datamodel.pivot_data_queries.PivQuerySettings(short_name, direct_func_entities, assigned_entities)

Bases: tuple

Create new instance of PivQuerySettings(short_name, direct_func_entities, assigned_entities)

assigned_entities

Alias for field number 2

count()

Return number of occurrences of value.

direct_func_entities

Alias for field number 1

index()

Return first index of value.

Raises ValueError if the value is not present.

short_name

Alias for field number 0

class msticpy.datamodel.pivot_data_queries.PivotQueryFunctions(query_provider: msticpy.data.data_providers.QueryProvider, ignore_reqd: List[str] = None)

Bases: object

Class to retrieve the queries and params from a provider.

Instantiate PivotQueryFunctions class.

Parameters:

• query_provider ([type]) – The query provider to load
• ignore_reqd (List[str], optional) – List of parameters to ignore when building the required parameters list (e.g. [‘start’, ‘end’]), by default None

current = None

get_param_attrs(param_name: str) → List[msticpy.datamodel.pivot_data_queries.ParamAttrs]

Get the attributes for a parameter name.

Parameters:param_name (str) – Parameter name Returns:List of ParamAttrs named tuples: (type, query, family, required) Return type:List[ParamAttrs]

Notes

Since parameters may be defined for multiple queries, the set of parameter attributes will be returned for each query.

get_params(query_func_name: str) → Optional[msticpy.datamodel.pivot_data_queries.QueryParams]

Get the parameters for a query function.

Parameters:query_func_name (str) – Query name - the name must be fully-qualified (e.g. ‘WindowsSecurity.list_processes’) Returns:QueryParams named tuple (all, required, full_required, param_attrs, table) Return type:QueryParams

get_queries_and_types_for_param(param: str) → Iterable[Tuple[str, str, str, Callable[[Any], Any]]]

Get queries and parameter data types for param.

Parameters:param (str) – The parameter name. Returns:Iterable of tuples listing: query_name, param_type, query_func Return type:Iterable[Tuple[str, str, Callable[[Any], Any]]]

get_queries_for_param(param: str) → Iterable[Tuple[str, str, Callable[[Any], Any]]]

Get the list of queries for a parameter.

Parameters:param (str) – Parameter name Returns:Iterable of tuples listing: query_name, query_func Return type:Iterable[Tuple[str, str, Callable[[Any], Any]]]

get_query_pivot_settings(family: str, query: str) → msticpy.datamodel.pivot_data_queries.PivQuerySettings

Get Pivot settings metadata for a query.

Parameters:

• family (str) – Data family
• query (str) – Query name

Returns:

Named tuple:

• short_name - short name for the query
• direct_func_entities - the entities to add a top level function to
• assigned_entities - entities to assign the query to (if parameter mapping is not applicable).

Return type:

PivQuerySettings

get_query_settings(family: str, query: str) → msticpy.data.query_source.QuerySource

Get the QuerySource for the named family and query.

Parameters:

• family (str) – Data family name
• query (str) – Query name

Returns:

Query settings object

Return type:

QuerySource

Raises:

KeyError – If family.`query` could not be found.

class msticpy.datamodel.pivot_data_queries.QueryParams(all, required, full_required, param_attrs, table)

Bases: tuple

Create new instance of QueryParams(all, required, full_required, param_attrs, table)

all

Alias for field number 0

count()

Return number of occurrences of value.

full_required

Alias for field number 2

index()

Return first index of value.

Raises ValueError if the value is not present.

param_attrs

Alias for field number 3

required

Alias for field number 1

table

Alias for field number 4

msticpy.datamodel.pivot_data_queries.add_data_queries_to_entities(provider: msticpy.data.data_providers.QueryProvider, get_timespan: Callable[[], msticpy.common.timespan.TimeSpan])

Add data queries from provider to entities.

Parameters:

• provider (QueryProvider) – Query provider
• get_timespan (Callable[[], TimeSpan]) – Callback to get time span

msticpy.datamodel.pivot_data_queries.add_queries_to_entities(prov_qry_funcs: msticpy.datamodel.pivot_data_queries.PivotQueryFunctions, container: str, get_timespan: Callable[[], msticpy.common.timespan.TimeSpan])

Add data queries to entities.

Parameters:

• prov_qry_funcs (PivotQueryFunctions) – Collection of wrapped query functions
• container (str) – The name of the container to add query functions to
• get_timespan (Callable[[], TimeSpan]) – Function to get the current timespan.

msticpy.datamodel.pivot_magic_core

Txt2df core code.

msticpy.datamodel.pivot_magic_core.run_txt2df(line, cell, local_ns) → pandas.core.frame.DataFrame

Convert cell text to pandas DataFrame.

msticpy.datamodel.pivot_register

Pivot helper functions .

class msticpy.datamodel.pivot_register.PivotRegistration(input_type: str, entity_map: Dict[str, str], func_df_param_name: Optional[str] = None, func_out_column_name: Optional[str] = None, func_df_col_param_name: Optional[str] = None, func_new_name: Optional[str] = None, src_module: Optional[str] = None, src_class: Optional[str] = None, src_func_name: Optional[str] = None, can_iterate: bool = True, func_static_params: Optional[Dict[str, Any]] = None, func_input_value_arg: Optional[str] = None, src_config_path: Optional[str] = None, src_config_entry: Optional[str] = None, entity_container_name: Optional[str] = None, return_raw_output: bool = False, create_shortcut: bool = False)

Bases: object

Pivot registration for function.

Notes

src_module : str

The src_module to import

src_class : str, optional

class to import and instantiate that contains the function/method (not needed if the target function is a pure Python function)

src_func_name: Callable

The function to wrap.

func_new_name: str, optional

Rename the function to this, defaults to src_func_name

input_type : str

The input data type that the function is expecting. One of ‘dataframe’, ‘iterable’, ‘value’

can_iterate: bool, optional

True if the function supports being called multiple times (for iterable input). Default is True

entity_map: Dict[str, str]

dict of entities supported (keys) and attribute to use from entity as input to the function

func_df_param_name: str

The name of the parameter that func takes the input value e.g. func(ip=my_address) => ‘ip’ == func_df_col_param_name. In the case of a DataFrame, this is usually ‘data’

func_df_col_param_name: str

The name that the target function uses to identify the column to use for input in the input DataFrame.

func_out_column_name: str, optional

The name of the column in the output DF to use as a key to join to the input. If None, use func_df_col_param_name

func_static_params: Optional[Dict[str, Any]]

static parameters (kwargs) that are always passed to the target function

func_input_value_arg: Optional[str]

The name of kwarg passed to the function that contain the input value. If function supports DF input, func_df_col_param_name will be used and this is not needed.

src_config_path : Optional[str]

The source path that the configuration was read from, default None.

src_config_entry : Optional[str]

The entry name in the configuration file, default None.

entity_container_name : Optional[str]

The name of the container in the entity that will hold this pivot function.

return_raw_output : bool

Return raw output from the wrapped function, do not try to format into a DataFrame. Default is False.

create_shortcut : bool

If True, create a shortcut function directly on the entity.

Method generated by attrs for class PivotRegistration.

attr_for_entity(entity: Union[msticpy.datamodel.entities.entity.Entity, str]) → Optional[str]

Return the attribute to use for the specified entity.

Parameters:entity (Union[entities.Entity, str]) – Entity instance or name Returns:Attribute name to use. Return type:Optional[str]

msticpy.datamodel.pivot_register.create_pivot_func(target_func: Callable[[Any], Any], pivot_reg: msticpy.datamodel.pivot_register.PivotRegistration) → Callable[[...], pandas.core.frame.DataFrame]

Create function wrapper for pivot function.

Parameters:

• target_func (Callable) – The target function to wrap.
• pivot_reg (PivotRegistration) – The pivot function registration object.

Returns:

The original target_func wrapped in pre-processing and post-processing code.

Return type:

Callable[[Any], pd.DataFrame]

msticpy.datamodel.pivot_register.get_join_params(func_kwargs: Dict[str, Any]) → Tuple[Optional[str], Optional[str], Optional[str], bool]

Get join parameters from kwargs.

Parameters:func_kwargs (Dict[str, Any]) – Keyword arguments from caller Returns:join_type, left_on, right_on, join_ignore_case Return type:Tuple[str, str, str, bool]

msticpy.datamodel.pivot_register.join_result(input_df: pandas.core.frame.DataFrame, result_df: pandas.core.frame.DataFrame, how: str, left_on: str, right_on: str, ignore_case: bool) → pandas.core.frame.DataFrame

Join input and result DFs, optionally ignoring case.

Parameters:

• input_df (pd.DataFrame) – Input DF
• result_df (pd.DataFrame) – Result DF
• how (str) – Join type - “inner”, “left”, “right”, “outer”
• left_on (str) – Column from input_df to use as join key
• right_on (str) – Column from result_df to use as join key
• ignore_case (bool) – If True and input_df column is a string

Returns:

The merged DataFrame

Return type:

pd.DataFrame

msticpy.datamodel.pivot_register_reader

Reads pivot registration config files.

msticpy.datamodel.pivot_register_reader.add_unbound_pivot_function(func: Callable[[Any], Any], pivot_reg: msticpy.datamodel.pivot_register.PivotRegistration = None, container: str = 'other', **kwargs)

Add a pivot function to entities.

Parameters:

• func (Callable[[Any], Any]) – The function to add
• pivot_reg (PivotRegistration, optional) – Pivot registration object, by default None
• container (str, optional) – The name of the container into which the function should be added, by default “other”

Other Parameters:  

kwargs – If pivot_reg is not supplied you can specify required pivot registration parameters via keyword arguments. You must specify input_type (str) and entity_map (dict of entity_name, entity_attribute pairs)

See also

PivotRegistration()

msticpy.datamodel.pivot_register_reader.register_pivots(file_path: str, namespace: Dict[str, Any] = None, container: str = 'other', force_container: bool = False, **kwargs)

Register pivot functions from configuration file.

Parameters:

• file_path (str) – Path to config yaml file
• namespace (Dict[str, Any], optional) – Namespace to search for existing instances of classes, by default None
• container (str, optional) – Container name to use for entity pivot functions, by default “other”
• force_container (bool, optional) – Force container value to be used even if entity definitions have specific setting for a container name, by default False

Raises:

ValueError – An entity specified in the config file is not recognized.

msticpy.datamodel.pivot_ti_provider

Pivot TI Provider helper functions.

msticpy.datamodel.pivot_ti_provider.add_ioc_queries_to_entities(ti_lookup: msticpy.sectools.tilookup.TILookup, container: str = 'ti', **kwargs)

Add TI functions to entities.

Parameters:

• ti_lookup (TILookup) – TILookup instance.
• container (str) – The name of the container to add query functions to

msticpy.datamodel.pivot_ti_provider.create_ti_pivot_funcs(ti_lookup: msticpy.sectools.tilookup.TILookup)

Create the TI Pivot functions.

msticpy.datamodel.pivot_ti_provider.register_ti_pivot_providers(ti_lookup: msticpy.sectools.tilookup.TILookup, pivot: Pivot)

Register pivot functions from TI providers.

msticpy.datamodel.pivot_pd_accessor

Pandas DataFrame accessor for Pivot functions.

class msticpy.datamodel.pivot_pd_accessor.PivotAccessor(pandas_obj)

Bases: object

Pandas api extension for Pivot functions.

Instantiate pivot extension class.

display(title: str = None, cols: Iterable[str] = None, query: str = None, head: int = None) → pandas.core.frame.DataFrame

Display the DataFrame in the middle of a pipeline.

Parameters:

• title (str, optional) – Title to display for the DataFrame, by default None
• cols (Iterable[str], optional) – List of columns to display, by default None
• query (str, optional) – Query to filter the displayed data, by default None This should be a string executable by the DataFrame.query function
• head (int, optional) – Limit the displayed output to head rows, by default None

Returns:

Passed through input DataFrame.

Return type:

pd.DataFrame

filter(expr: Union[str, numbers.Number], match_case: bool = False, numeric_col: bool = False) → pandas.core.frame.DataFrame

Filter all columns of DataFrame, return rows with any matches.

Parameters:

• expr (Union[str, Number]) – String or regular expression to match or a (partial) number. If expr is a string it is matched against any string or object columns using pandas str.contains(..regex=True) If expr is a number or if numeric_col is True, expr is converted to a string and matched as a substring of any numeric columns.
• match_case (bool, optional) – The match is not case-sensitive by default. Set to True to force case-sensitive matches.
• numeric_col (bool, optional) – If expr is a numeric string or number this will force a match against only numeric columns, by default False

Returns:

The filtered dataframe

Return type:

pd.DataFrame

Raises:

TypeError – If expr is neither a string or number.

filter_cols(cols: Union[str, Iterable[str]], match_case: bool = False, sort_cols: bool = False) → pandas.core.frame.DataFrame

Filter output columns matching names in cols expression(s).

Parameters:

• cols (Union[str, Iterable[str]]) – Either a string or a list of strings with filter expressions. These can be exact matches for column names, wildcard patterns (“*” matches multiple chars and “?” matches a single char), or regular expressions.
• match_case (bool, optional) – Use case-sensitive matching, by default False
• sort_cols (bool, optional) – Alphabetically sort column names, by default False

Returns:

The input DataFrame with only columns that match the filtering expressions.

Return type:

pd.DataFrame

list_to_rows(cols: Union[str, Iterable[str]]) → pandas.core.frame.DataFrame

Expand a list column to individual rows.

Parameters:cols (Union[str, Iterable[str]]) – The columns to be expanded. Returns:The expanded DataFrame Return type:pd.DataFrame

parse_json(cols: Union[str, Iterable[str]]) → pandas.core.frame.DataFrame

Convert JSON string columns to Python types.

Parameters:cols (Union[str, Iterable[str]]) – Column or interable of columns to process Returns:Processed dataframe Return type:pd.DataFrame

run(func: Callable[[...], pandas.core.frame.DataFrame], **kwargs) → pandas.core.frame.DataFrame

Run a pivot function on the current DataFrame.

Parameters:

• func (Callable[.., pd.DataFrame]) – Pivot function to run
• kwargs – Keyword arguments to pass to func. A column specification (e.g. column=”src_col_name”) is usually the minimum needed. For data queries the column keyword must be the name of the the query parameter (e.g. host_name = “src_col_name”)

Returns:

The output DataFrame from the function.

Return type:

pd.DataFrame

Notes

You can pass the join keyword argument to most pivot functions. Values for join are “inner”, “left”, “right” or “outer”.

sort(cols: Union[str, Iterable[str], Dict[str, str]], ascending: bool = None) → pandas.core.frame.DataFrame

Sort output by column expression.

Parameters:

• cols (Union[str, Iterable[str], Dict[str, str]]) – If this is a string, then this should be a column name expression. A column name expression is either a column name, a case-insenstive column name or a regular expression to match one or more column names. Each column name expression can be of the format col_name_expr:desc to sort descending (col_name_expr:asc is the default). The col_name can also be a regular expression or partial column name. If this is a list, then each element should be a column name expression with an optional ‘:asc’ or ‘:desc’ suffix. If this is a dict, then the keys should be column name expressions and the values bools indication ‘ascending’ (True) or ‘descending’ (False) sort.
• ascending ([type], optional) – Overrides any ordering specified for individual columns and sorts ‘ascending’ if True or ‘descending’ if False. If not supplied and no column-specific ordering is supplied it sorts ascending.

Returns:

The sorted DataFrame

Return type:

pd.DataFrame

Raises:

ValueError – One or more column expressions matched no column name in the input.

tee(var_name: str, clobber: bool = False) → pandas.core.frame.DataFrame

Save current dataframe to var_name in the IPython user namespace.

Parameters:

• var_name (str) – The name of the DF variable to create.
• clobber (bool, optional) – Whether to overwrite an existing variable of the same name, by default False

Returns:

Passed through input DataFrame.

Return type:

pd.DataFrame

Notes

This function only works in an IPython/Jupyter notebook environment. It will attempt to create a variable in the user local namespace that references the current state of the DataFrame in the pipeline.

By default it will not overwrite an existing variable of the same name (specify clobber=True to overwrite)

tee_exec(df_func: str, *args, **kwargs) → pandas.core.frame.DataFrame

Run a dataframe method on the dataframe without changing it.

Parameters:

• df_func (str) – The name of the function to execute. Accessor methods must be of the form “accessor.method”.
• args (tuple) – Positional arguments to be passed to the function
• kwargs (dict) – Keyword arguments to be passed to the function.

Returns:

Passed through input DataFrame.

Return type:

pd.DataFrame

Notes

This function runs the DataFrame method or accessor function. It does not alter the DataFrame (unless the function does any kind of in-place modification). The function is run and the original input DataFrame is returned.