msticpy.datamodel package
msticpy.datamodel.entities module

msticpy.datamodel.entities.account

Account Entity class.

class msticpy.datamodel.entities.account.Account(src_entity: Mapping[str, Any] = None, src_event: Mapping[str, Any] = None, role: str = 'subject', **kwargs)
Bases: msticpy.datamodel.entities.entity.Entity

Account Entity class.
Attributes:
- Name (str): account name.
- NTDomain (str): account NT domain.
- UPNSuffix (str): account UPN suffix.
- LogonId (str): account logon ID (deprecated).
- Sid (str): account SID.
- AadTenantId (str): Azure AD tenant ID of the account.
- AadUserId (str): Azure AD user ID of the account.
- PUID (str): account PUID.
- IsDomainJoined (bool): whether the account is domain-joined.
- DisplayName (str): account display name.
- ObjectGuid (str): the object ID of the user account.
Create a new instance of the entity type.
Parameters:
- src_entity (Mapping[str, Any], optional): create the entity from an existing Account entity or from any other mapping object that implements the entity properties (default None).
- src_event (Mapping[str, Any], optional): create the entity from event properties (default None).
- role (str, optional): 'subject' or 'target'; only relevant when the entity is constructed from an event (default 'subject').
Other parameters:
- kwargs (Dict[str, Any]): supply the entity properties as keyword arguments.
ENTITY_NAME_MAP: mapping from entity name (and its aliases) to entity class:
- 'SubmissionMail' → msticpy.datamodel.entities.submission_mail.SubmissionMail
- 'account' → msticpy.datamodel.entities.account.Account
- 'alert', 'alerts' → msticpy.datamodel.entities.alert.Alert
- 'azure-resource', 'azureresource' → msticpy.datamodel.entities.azure_resource.AzureResource
- 'cloud-application', 'cloudapplication' → msticpy.datamodel.entities.cloud_application.CloudApplication
- 'cloud-logon-session' → msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession
- 'dns', 'dnsresolve' → msticpy.datamodel.entities.dns.Dns
- 'file' → msticpy.datamodel.entities.file.File
- 'filehash' → msticpy.datamodel.entities.file_hash.FileHash
- 'geolocation', 'location' → msticpy.datamodel.entities.geo_location.GeoLocation
- 'host' → msticpy.datamodel.entities.host.Host
- 'host-logon-session', 'hostlogonsession' → msticpy.datamodel.entities.host_logon_session.HostLogonSession
- 'incident' → msticpy.datamodel.soc.incident.Incident
- 'iotdevice' → msticpy.datamodel.entities.iot_device.IoTDevice
- 'ip', 'ipaddress' → msticpy.datamodel.entities.ip_address.IpAddress
- 'mail-cluster', 'mailcluster' → msticpy.datamodel.entities.mail_cluster.MailCluster
- 'mail-message', 'mailmessage' → msticpy.datamodel.entities.mail_message.MailMessage
- 'mailbox' → msticpy.datamodel.entities.mailbox.Mailbox
- 'malware' → msticpy.datamodel.entities.malware.Malware
- 'networkconnection' → msticpy.datamodel.entities.network_connection.NetworkConnection
- 'process' → msticpy.datamodel.entities.process.Process
- 'registry-key', 'registrykey' → msticpy.datamodel.entities.registry_key.RegistryKey
- 'registry-value', 'registryvalue' → msticpy.datamodel.entities.registry_value.RegistryValue
- 'security-group', 'securitygroup' → msticpy.datamodel.entities.security_group.SecurityGroup
- 'threatintelligence' → msticpy.datamodel.entities.threat_intelligence.Threatintelligence
- 'unknown' → msticpy.datamodel.entities.unknown_entity.UnknownEntity
- 'url' → msticpy.datamodel.entities.url.Url
ID_PROPERTIES = ['QualifiedName', 'Sid', 'AadUserId', 'PUID', 'ObjectGuid']
The properties that identify an account. Name on its own is not one of them, and neither is the deprecated LogonId.

JSONEncoder: alias of msticpy.datamodel.entities.entity._EntityJSONEncoder
add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)
Add an edge between self and target.
Parameters:
- target (Node): target node.
- edge_attrs (Optional[Dict[str, Any]], optional): attributes to assign to the new edge (default None).

can_merge(other: Any) → bool
Return True if the entities can be merged.
Parameters: other (Any): the other entity (object) to check.
Returns: True if other has no conflicting properties.
Return type: bool
classmethod create(src_entity: Mapping[str, Any] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity
Create an entity from a mapping type (e.g. pd.Series), a dict, or keyword arguments.
Returns: instantiated entity.
Return type: Entity
Notes: the entity type must be specified as "Type", either as a key of src_entity or as a keyword argument.
classmethod del_pivot_shortcut(func_name: str)
Remove a pivot shortcut.
Parameters: func_name (str): the name of the shortcut function.
Raises:
- AttributeError: the class does not have an attribute func_name.
- TypeError: the attribute to delete is not a pivot shortcut.
description_str
Return the entity description.

classmethod get_pivot_list() → List[str]
Return the list of current pivot functions.
Returns: list of pivot functions assigned to the entity.
Return type: List[str]

has_edge(other)
Return True if the node has an edge with other.

classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type[CT_co]] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]
Class factory to return an entity from its raw dictionary representation.
Parameters:
- raw_entity (Mapping[str, Any]): a mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
- entity_type (Optional[Type]): the entity type to create (default None).
Returns: the instantiated entity (the signature also allows the raw mapping to be returned).
Return type: Union[Entity, Mapping[str, Any]]
is_equivalent(other: Any) → bool
Return True if the entities are equivalent.
Parameters: other (Any): the entity to check.
Returns: True if equivalent.
Return type: bool
Notes: the check passes as long as no property has conflicting values on the two entities; a value that is set on only one side is not a conflict. For example, all of the following are compatible:
- self.A == other.A
- self.B == "xyz" and other.B == None
- self.C == [] and other.C == [1, 2, 3]
list_pivot_funcs()
Print the list of pivot functions assigned to the entity.

classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)
Add a shortcut to a pivot function to the class.
Parameters:
- func_name (str): the name of the source pivot function.
- target (str): the shortcut name (this becomes a member function of the class).
- overwrite (bool, optional): force overwrite of an existing pivot function (default False).
Raises:
- AttributeError: the source function does not exist.
- TypeError: the source function is not a pivot function.
- TypeError: the target attribute exists and is not a pivot function.
- AttributeError: the target function exists and overwrite=True was not specified.
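The matrix of errors documented for make_pivot_shortcut and del_pivot_shortcut is easier to see in code. The block below is an added, stand-alone model written for this page; it is not msticpy's implementation and uses only the standard library. The ModelEntity class, the is_pivot and shortcut_for marker attributes, and the ip_reputation pivot with its inline reputation table are all assumptions made for the example.

```python
import functools
from typing import Any, Callable, Dict, List


def pivot_function(func: Callable) -> Callable:
    """Mark ``func`` as a pivot function (assumed marker attribute for this example)."""
    func.is_pivot = True
    return func


class ModelEntity:
    """Minimal stand-in for an entity class that carries pivot functions."""

    def describe(self) -> str:
        """Ordinary method: it exists, but it is not a pivot function."""
        return type(self).__name__

    @classmethod
    def pivots(cls) -> List[str]:
        """Names of pivot functions and shortcuts defined on this class."""
        return sorted(
            name for name, attr in vars(cls).items() if getattr(attr, "is_pivot", False)
        )

    @classmethod
    def make_pivot_shortcut(cls, func_name: str, target: str, overwrite: bool = False) -> None:
        """Add ``target`` as a shortcut to the pivot function ``func_name``."""
        source = vars(cls).get(func_name)
        if source is None:
            raise AttributeError(f"{cls.__name__} has no attribute {func_name!r}")
        if not getattr(source, "is_pivot", False):
            raise TypeError(f"{func_name!r} is not a pivot function")
        existing = vars(cls).get(target)
        if existing is not None:
            if not getattr(existing, "is_pivot", False):
                raise TypeError(f"{target!r} exists and is not a pivot function")
            if not overwrite:
                raise AttributeError(f"{target!r} exists; pass overwrite=True to replace it")

        @functools.wraps(source)
        def shortcut(self, *args: Any, **kwargs: Any) -> Any:
            return source(self, *args, **kwargs)

        shortcut.is_pivot = True
        shortcut.shortcut_for = func_name  # distinguishes shortcuts from original pivots
        setattr(cls, target, shortcut)

    @classmethod
    def del_pivot_shortcut(cls, func_name: str) -> None:
        """Remove a shortcut; refuses to remove anything that is not a shortcut."""
        attr = vars(cls).get(func_name)
        if attr is None:
            raise AttributeError(f"{cls.__name__} has no attribute {func_name!r}")
        if getattr(attr, "shortcut_for", None) is None:
            raise TypeError(f"{func_name!r} is not a pivot shortcut")
        delattr(cls, func_name)


@pivot_function
def ip_reputation(self: ModelEntity, ip: str) -> Dict[str, str]:
    """Constructed pivot: look ``ip`` up in an inline, made-up reputation table."""
    table = {"203.0.113.7": "malicious"}  # TEST-NET-3 address, sample data only
    return {"ip": ip, "verdict": table.get(ip, "unknown")}


ModelEntity.ip_reputation = ip_reputation


def run_scenarios() -> Dict[str, Any]:
    """Exercise each documented outcome; leaves the class as it found it."""
    results: Dict[str, Any] = {}
    ModelEntity.make_pivot_shortcut("ip_reputation", "rep")
    results["pivots_after_add"] = ModelEntity.pivots()
    results["shortcut_call"] = ModelEntity().rep("203.0.113.7")
    for label, args in {
        "missing_source": ("no_such_pivot", "x"),
        "source_not_pivot": ("describe", "x"),
        "target_not_pivot": ("ip_reputation", "describe"),
        "target_exists": ("ip_reputation", "rep"),
    }.items():
        try:
            ModelEntity.make_pivot_shortcut(*args)
            results[label] = "ok"
        except (AttributeError, TypeError) as err:
            results[label] = type(err).__name__
    ModelEntity.make_pivot_shortcut("ip_reputation", "rep", overwrite=True)
    ModelEntity.del_pivot_shortcut("rep")
    try:
        ModelEntity.del_pivot_shortcut("ip_reputation")  # an original pivot, not a shortcut
        results["delete_original"] = "ok"
    except TypeError as err:
        results["delete_original"] = type(err).__name__
    results["pivots_after_delete"] = ModelEntity.pivots()
    return results


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(f"{key}: {value}")
```

The shortcut_for marker is what lets del_pivot_shortcut refuse to delete an original pivot function while still accepting a shortcut, which is the distinction the TypeError in the documentation draws.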
merge(other: Any) → msticpy.datamodel.entities.entity.Entity
Merge with another entity to create a new entity.
Returns: merged entity.
Return type: Entity
Raises: AttributeError if the entities cannot be merged.

name_str
Return the entity name.

node_properties
Return all public properties that are not entities.
Returns: dictionary of name, value properties.
Return type: Dict[str, Any]

classmethod pivots() → List[str]
Return the list of current pivot functions.
Returns: list of pivot functions assigned to the entity.
Return type: List[str]

properties
Return the dictionary properties of the entity.
Returns: entity properties.
Return type: dict

qualified_name
Windows qualified account name.
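As an added example (not msticpy's code), the following stand-alone model implements the identity, equivalence and merge rules documented for Account: ID_PROPERTIES, is_equivalent, can_merge, merge and qualified_name. The conflict rule follows the is_equivalent notes above. The form of the qualified name (NTDomain\Name, else Name@UPNSuffix), the same_identity helper, the ModelEntity and ModelAccount names and the sample accounts are assumptions made for this example.

```python
from typing import Any, Dict, List, Optional, Tuple


def _is_unset(value: Any) -> bool:
    """None, empty strings, empty lists and empty dicts count as 'no value'."""
    return value is None or value in ("", [], {})


class ModelEntity:
    """Properties are kept in a dict so the rules can be stated generically."""

    ID_PROPERTIES: Tuple[str, ...] = ()

    def __init__(self, **props: Any) -> None:
        self.props: Dict[str, Any] = dict(props)

    def id_values(self) -> Dict[str, Any]:
        """Identifying properties that are actually set on this entity."""
        return {n: self.props[n] for n in self.ID_PROPERTIES if not _is_unset(self.props.get(n))}

    def conflicts(self, other: "ModelEntity") -> List[str]:
        """Properties set on both entities with different values."""
        return sorted(
            name
            for name in set(self.props) | set(other.props)
            if not _is_unset(self.props.get(name))
            and not _is_unset(other.props.get(name))
            and self.props[name] != other.props[name]
        )

    def is_equivalent(self, other: "ModelEntity") -> bool:
        """True if no property conflicts; a value set on one side only is fine."""
        return type(self) is type(other) and not self.conflicts(other)

    def can_merge(self, other: "ModelEntity") -> bool:
        """Documented with the same rule as is_equivalent: no conflicting properties."""
        return self.is_equivalent(other)

    def same_identity(self, other: "ModelEntity") -> bool:
        """True if an identifying property is set on both sides and equal."""
        mine, theirs = self.id_values(), other.id_values()
        return any(mine[n] == theirs[n] for n in mine.keys() & theirs.keys())

    def merge(self, other: "ModelEntity") -> "ModelEntity":
        """New entity that takes each property from whichever side has it set."""
        clashes = self.conflicts(other)
        if clashes:
            raise AttributeError(f"cannot merge, conflicting properties: {clashes}")
        merged = {
            n: other.props.get(n) if _is_unset(self.props.get(n)) else self.props[n]
            for n in set(self.props) | set(other.props)
        }
        return type(self)(**merged)


class ModelAccount(ModelEntity):
    """Account-shaped entity with the ID_PROPERTIES documented above."""

    ID_PROPERTIES = ("QualifiedName", "Sid", "AadUserId", "PUID", "ObjectGuid")

    @property
    def qualified_name(self) -> Optional[str]:
        """Assumed form: NTDomain\\Name, else Name@UPNSuffix, else Name."""
        name = self.props.get("Name")
        if _is_unset(name):
            return None
        if not _is_unset(self.props.get("NTDomain")):
            return f"{self.props['NTDomain']}\\{name}"
        if not _is_unset(self.props.get("UPNSuffix")):
            return f"{name}@{self.props['UPNSuffix']}"
        return name

    def id_values(self) -> Dict[str, Any]:
        values = super().id_values()
        if self.qualified_name:  # QualifiedName is derived, not a stored property
            values["QualifiedName"] = self.qualified_name
        return values


def merge_or_error(left: ModelEntity, right: ModelEntity) -> Any:
    """Return the merged entity, or the name of the exception merge raised."""
    try:
        return left.merge(right)
    except AttributeError as err:
        return type(err).__name__


# Constructed sample records (not real data): one user seen in a Windows logon
# event and in a cloud sign-in, a second logon session of the same user, and a
# different user with the same name in another domain.
WIN_LOGON = ModelAccount(Name="jdoe", NTDomain="CONTOSO", Sid="S-1-5-21-1-2-3-1001", LogonId="0x3e7")
WIN_LOGON_2 = ModelAccount(Name="jdoe", NTDomain="CONTOSO", Sid="S-1-5-21-1-2-3-1001", LogonId="0x5f2a")
CLOUD_SIGNIN = ModelAccount(Name="jdoe", UPNSuffix="contoso.com", AadUserId="0f6a1e1c-0000-4000-8000-000000000001")
OTHER_DOMAIN = ModelAccount(Name="jdoe", NTDomain="FABRIKAM")

if __name__ == "__main__":
    print("same SID, different sessions:", WIN_LOGON.same_identity(WIN_LOGON_2), WIN_LOGON.can_merge(WIN_LOGON_2))
    print("on-prem vs cloud view:", WIN_LOGON.is_equivalent(CLOUD_SIGNIN), WIN_LOGON.same_identity(CLOUD_SIGNIN))
    print("merged:", WIN_LOGON.merge(CLOUD_SIGNIN).qualified_name, merge_or_error(WIN_LOGON, OTHER_DOMAIN))
```

Two things the sample data makes visible: WIN_LOGON and CLOUD_SIGNIN are equivalent (no property conflicts) yet share no identifying value, so equivalence alone is not evidence that two records are the same principal; and in this model a session-scoped value such as the deprecated LogonId blocks a merge between two records that do share a SID. Decide identity with the ID properties first, then merge, and drop session-scoped fields before merging.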
to_html() → str
Return the HTML representation of the entity.
Returns: HTML representation of the entity.
Return type: str

to_json()
Return the object as a JSON string.

to_networkx(graph: networkx.classes.graph.Graph = None) → networkx.classes.graph.Graph
Return a networkx graph of entities.
Parameters: graph (nx.Graph, optional): graph to add entities to; if not supplied the function creates and returns a new graph (default None).
Returns: graph with the entity and any connected entities.
Return type: nx.Graph

msticpy.datamodel.entities.alert

Alert Entity class.

class msticpy.datamodel.entities.alert.Alert(src_entity: Mapping[str, Any] = None, src_event: Mapping[str, Any] = None, **kwargs)
Bases: msticpy.datamodel.entities.entity.Entity

Alert Entity class.
Attributes:
- DisplayName (str): alert display name.
- CompromisedEntity (str): the compromised entity.
- Count (int): alert count.
- StartTime (datetime): alert start time.
- EndTime (datetime): alert end time.
- Severity (str): alert severity.
- SystemAlertIds (List[str]): system alert IDs.
- AlertType (str): alert type.
- VendorName (str): vendor name.
- ProviderName (str): provider name.
Create a new instance of the entity type.
Parameters:
- src_entity (Mapping[str, Any], optional): create the entity from an existing entity or from any other mapping object that implements the entity properties (default None).
- src_event (Mapping[str, Any], optional): create the entity from event properties (default None).
Other parameters:
- kwargs (Dict[str, Any]): supply the entity properties as keyword arguments.
ENTITY_NAME_MAP: the same name-to-class mapping listed under Account above (inherited from Entity).
ID_PROPERTIES = ['SystemAlertIds']
The list of system alert IDs is the only property that identifies an alert.
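Because the identifying property is a list, a practical way to correlate alert records from several providers is to treat records whose SystemAlertIds overlap as one alert, and to apply that transitively. The block below is an added example written for this page, not msticpy's Alert code; the sample alerts, the severity ranking and the group_alerts and summarize names are constructed for the example and use only the standard library.

```python
from datetime import datetime
from typing import Any, Dict, List

# Constructed sample alerts (not real data). Keys follow the Alert attributes
# documented above; times are ISO 8601 strings as exported from a SIEM.
SAMPLE_ALERTS: List[Dict[str, Any]] = [
    {"DisplayName": "Suspicious PowerShell", "ProviderName": "MDE", "Severity": "Medium",
     "SystemAlertIds": ["sa-001", "sa-002"],
     "StartTime": "2024-05-01T10:00:00", "EndTime": "2024-05-01T10:05:00", "Count": 1},
    {"DisplayName": "Suspicious PowerShell", "ProviderName": "Sentinel", "Severity": "High",
     "SystemAlertIds": ["sa-002", "sa-003"],
     "StartTime": "2024-05-01T09:58:00", "EndTime": "2024-05-01T10:09:00", "Count": 2},
    {"DisplayName": "Password spray", "ProviderName": "Sentinel", "Severity": "Low",
     "SystemAlertIds": ["sa-010"],
     "StartTime": "2024-05-02T01:00:00", "EndTime": "2024-05-02T01:30:00", "Count": 5},
    {"DisplayName": "Analyst note", "ProviderName": "Manual", "Severity": "Low",
     "SystemAlertIds": [],  # no identifier: can never be linked to another record
     "StartTime": "2024-05-02T02:00:00", "EndTime": "2024-05-02T02:00:00", "Count": 1},
]

SEVERITY_RANK = {"Low": 0, "Medium": 1, "High": 2}  # assumed ordering for this example


def group_alerts(alerts: List[Dict[str, Any]]) -> List[List[Dict[str, Any]]]:
    """Union-find over records: sharing one system alert ID links two records,
    and linking is transitive (A~B and B~C puts A, B and C in one group)."""
    parent = list(range(len(alerts)))

    def find(i: int) -> int:
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    first_seen: Dict[str, int] = {}
    for idx, alert in enumerate(alerts):
        for sys_id in alert.get("SystemAlertIds") or []:
            if sys_id in first_seen:
                parent[find(idx)] = find(first_seen[sys_id])
            else:
                first_seen[sys_id] = idx

    groups: Dict[int, List[Dict[str, Any]]] = {}
    for idx, alert in enumerate(alerts):
        groups.setdefault(find(idx), []).append(alert)
    return list(groups.values())


def summarize(group: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Collapse a group into one record: union of IDs, widest time window,
    summed Count, highest Severity, and the providers that reported it."""
    return {
        "SystemAlertIds": sorted({i for a in group for i in a["SystemAlertIds"]}),
        "StartTime": min(datetime.fromisoformat(a["StartTime"]) for a in group).isoformat(),
        "EndTime": max(datetime.fromisoformat(a["EndTime"]) for a in group).isoformat(),
        "Count": sum(a.get("Count", 1) for a in group),
        "Severity": max((a["Severity"] for a in group), key=lambda s: SEVERITY_RANK.get(s, -1)),
        "Providers": sorted({a["ProviderName"] for a in group}),
    }


if __name__ == "__main__":
    for group in group_alerts(SAMPLE_ALERTS):
        print(summarize(group))
```

Records with an empty SystemAlertIds list, such as the analyst note in the sample, stay in their own group: with no identifier there is nothing to correlate on, and silently folding them into a neighbouring group would hide that.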
JSONEncoder: alias of msticpy.datamodel.entities.entity._EntityJSONEncoder
add_edge, can_merge, create, del_pivot_shortcut, description_str, get_pivot_list, has_edge, instantiate_entity, is_equivalent, list_pivot_funcs, make_pivot_shortcut, merge, name_str, node_properties, pivots and properties are inherited from Entity and behave as documented under Account above.
to_html(show_entities=False) → str
Return the item as an HTML string.

to_json()
Return the object as a JSON string.

to_networkx(graph: networkx.classes.graph.Graph = None) → networkx.classes.graph.Graph
Return a networkx graph of entities.
Parameters: graph (nx.Graph, optional): graph to add entities to; if not supplied the function creates and returns a new graph (default None).
Returns: graph with the entity and any connected entities.
Return type: nx.Graph

msticpy.datamodel.entities.azure_resource

AzureResource Entity class.

class msticpy.datamodel.entities.azure_resource.AzureResource(src_entity: Mapping[str, Any] = None, **kwargs)
Bases: msticpy.datamodel.entities.entity.Entity

AzureResource Entity class.
Attributes:
- ResourceId (str): the Azure resource ID.
- ResourceIdParts (Dict[str, str]): the resource ID split into its named parts.

Create a new instance of the entity type.
Parameters: src_entity (Mapping[str, Any], optional): create the entity from an existing entity or from any other mapping object that implements the entity properties (default None).
Other parameters: kwargs (Dict[str, Any]): supply the entity properties as keyword arguments.
ENTITY_NAME_MAP: the same name-to-class mapping listed under Account above (inherited from Entity).
ID_PROPERTIES = ['ResourceId']

JSONEncoder: alias of msticpy.datamodel.entities.entity._EntityJSONEncoder
Provider
Return the provider name, or None.

ResourceGroup
Return the resource group name, or None.

SubscriptionId
Return the subscription ID, or None.
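Provider, ResourceGroup and SubscriptionId are components of an ARM resource ID, which is what ResourceIdParts holds. The block below is an added example written for this page, not msticpy's AzureResource code: it parses a resource ID into named parts and shows the three properties falling back to None when a part is absent. The part names (subscription_id, resource_group, provider, resource_type, resource_name), the ModelAzureResource class and the sample IDs are assumptions for this example; it uses only the standard library.

```python
from typing import Dict, Optional


def parse_resource_id(resource_id: str) -> Dict[str, str]:
    """Split '/subscriptions/{sub}/resourceGroups/{rg}/providers/{ns}/{type}/{name}[/...]'
    into parts. Key names are chosen for this example. Segment keywords are matched
    case-insensitively because Azure emits both 'resourceGroups' and 'resourcegroups'."""
    segments = [seg for seg in resource_id.strip().split("/") if seg]
    if not segments or segments[0].lower() not in ("subscriptions", "providers"):
        raise ValueError(f"not an ARM resource ID: {resource_id!r}")
    parts: Dict[str, str] = {}
    idx = 0
    while idx + 1 < len(segments):
        key, value = segments[idx].lower(), segments[idx + 1]
        if key == "subscriptions" and "subscription_id" not in parts:
            parts["subscription_id"] = value
        elif key == "resourcegroups" and "resource_group" not in parts:
            parts["resource_group"] = value
        elif key == "providers":
            parts["provider"] = value
            # After the namespace come {type}/{name} pairs; further pairs are child
            # resources, so the full type is namespace/type[/childType] and the
            # resource name is the innermost one.
            pairs = segments[idx + 2:]
            types, names = pairs[0::2], pairs[1::2]
            if types and len(types) == len(names):
                parts["resource_type"] = "/".join([value, *types])
                parts["resource_name"] = names[-1]
            break
        idx += 2
    return parts


class ModelAzureResource:
    """Resource entity whose identity is the ResourceId, as in ID_PROPERTIES above."""

    ID_PROPERTIES = ("ResourceId",)

    def __init__(self, resource_id: str) -> None:
        self.ResourceId = resource_id
        self.ResourceIdParts = parse_resource_id(resource_id)

    @property
    def Provider(self) -> Optional[str]:
        return self.ResourceIdParts.get("provider")

    @property
    def ResourceGroup(self) -> Optional[str]:
        return self.ResourceIdParts.get("resource_group")

    @property
    def SubscriptionId(self) -> Optional[str]:
        return self.ResourceIdParts.get("subscription_id")


# Constructed sample IDs (placeholder subscription GUID, not a real tenant).
VM_EXTENSION = ModelAzureResource(
    "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/prod-rg"
    "/providers/Microsoft.Compute/virtualMachines/vm01/extensions/CustomScript"
)
RESOURCE_GROUP = ModelAzureResource(
    "/subscriptions/00000000-0000-0000-0000-000000000001/resourcegroups/prod-rg"
)
MANAGEMENT_GROUP = ModelAzureResource("/providers/Microsoft.Management/managementGroups/mg-root")

if __name__ == "__main__":
    for res in (VM_EXTENSION, RESOURCE_GROUP, MANAGEMENT_GROUP):
        print(res.SubscriptionId, res.ResourceGroup, res.Provider, res.ResourceIdParts)
```

Because ARM treats resource IDs case-insensitively and different logs report the same resource with different casing, normalise case before using ResourceId as the identity property for matching or merging; the parser above only lowercases the keyword segments, not the values.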
add_edge, can_merge, create, del_pivot_shortcut, description_str, get_pivot_list, has_edge, instantiate_entity, is_equivalent, list_pivot_funcs, make_pivot_shortcut, merge, name_str, node_properties, pivots, properties, to_html, to_json and to_networkx are inherited from Entity and behave as documented under Account above.

msticpy.datamodel.entities.cloud_application

CloudApplication Entity class.

class msticpy.datamodel.entities.cloud_application.CloudApplication(src_entity: Mapping[str, Any] = None, **kwargs)
Bases: msticpy.datamodel.entities.entity.Entity

CloudApplication Entity class.
Attributes:
- Name (str): cloud application name.
- AppId (str): the AppId of the cloud application.
- InstanceName (str): the instance name of the application.

Create a new instance of the entity type.
Parameters: src_entity (Mapping[str, Any], optional): create the entity from an existing entity or from any other mapping object that implements the entity properties (default None).
Other parameters: kwargs (Dict[str, Any]): supply the entity properties as keyword arguments.
ENTITY_NAME_MAP: the same name-to-class mapping listed under Account above (inherited from Entity).
ID_PROPERTIES = ['Name']

JSONEncoder: alias of msticpy.datamodel.entities.entity._EntityJSONEncoder
add_edge, can_merge, create, del_pivot_shortcut, description_str, get_pivot_list, has_edge, instantiate_entity, is_equivalent, list_pivot_funcs, make_pivot_shortcut, merge, name_str, node_properties, pivots, properties, to_html, to_json and to_networkx are inherited from Entity and behave as documented under Account above.

msticpy.datamodel.entities.dns¶
Dns Entity class.
-
class
msticpy.datamodel.entities.dns.
Dns
(src_entity: Mapping[str, Any] = None, **kwargs)¶ Bases:
msticpy.datamodel.entities.entity.Entity
DNS Resolve Entity class.
-
DomainName
¶ DnsResolve DomainName
Type: str
-
IpAdresses
¶ DnsResolve IpAdresses
Type: List[str]
-
DnsServerIp
¶ DnsResolve DnsServerIp
Type: IPAddress
-
HostIpAddress
¶ DnsResolve HostIpAddress
Type: IPAddress
Create a new instance of the entity type.
Parameters: src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None) Other Parameters: kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.
-
ENTITY_NAME_MAP
= {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 
'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}¶
-
ID_PROPERTIES
= ['DomainName']¶
-
JSONEncoder
¶ alias of
msticpy.datamodel.entities.entity._EntityJSONEncoder
-
add_edge
(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)¶ Add an edge between self and target.
Parameters: - target (Node) – Target node.
- edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
-
can_merge
(other: Any) → bool¶ Return True if the entities can be merged.
Parameters: other (Any) – The other entity (object) to check Returns: True if other has no conflicting properties. Return type: bool
-
classmethod
create
(src_entity: Mapping[str, Any] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity¶ Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.
Returns: Instantiated entity Return type: Entity Notes
The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.
-
classmethod
del_pivot_shortcut
(func_name: str)¶ Remove a pivot shortcut.
Parameters: func_name (str) – The name of the shortcut function.
Raises: AttributeError – The class does not have an attribute func_name.
TypeError – The attribute to delete is not a pivot shortcut.
-
description_str
¶ Return Entity Description.
-
classmethod
get_pivot_list
() → List[str]¶ Return list of current pivot functions.
Returns: List of pivot functions assigned to entity. Return type: List[str]
-
has_edge
(other)¶ Return True if node has an edge with other.
-
classmethod
instantiate_entity
(raw_entity: Mapping[str, Any], entity_type: Optional[Type[CT_co]] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]¶ Class factory to return entity from raw dictionary representation.
Parameters: - raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
- entity_type (Optional[Type]) – The entity type to create, by default None.
Returns: The instantiated entity. Return type: Union[Entity, Mapping[str, Any]]
-
is_equivalent
(other: Any) → bool¶ Return True if the entities are equivalent.
Parameters: other (Any) – The entity to check Returns: True if equivalent. Return type: bool Notes
This method checks that the compared entities do not have any properties with conflicting values. For example, the following pairs do not conflict: self.A == other.A; self.B == “xyz” and other.B == None; self.C == [] and other.C == [1, 2, 3].
-
list_pivot_funcs
()¶ Print list of pivot functions assigned to entity.
-
classmethod
make_pivot_shortcut
(func_name: str, target: str, overwrite: bool = False)¶ Add a shortcut to a pivot function to the class.
Parameters: - func_name (str) – The name of source pivot function.
- target (str) – The shortcut name (this will be a member function of the class)
- overwrite (bool, optional) – Force overwrite an existing pivot function, by default False
Raises: AttributeError – The source function does not exist.
TypeError – The source function is not a pivot function.
TypeError – The target attribute exists and is not a pivot function.
AttributeError – The target function exists and ‘overwrite=True’ was not specified.
-
merge
(other: Any) → msticpy.datamodel.entities.entity.Entity¶ Merge with other entity to create new entity.
Returns: Merged entity. Return type: Entity Raises: AttributeError
– If the entities cannot be merged.
-
name_str
¶ Return Entity Name.
-
node_properties
¶ Return all public properties that are not entities.
Returns: Dictionary of name, value properties. Return type: Dict[str, Any]
-
classmethod
pivots
() → List[str]¶ Return list of current pivot functions.
Returns: List of pivot functions assigned to entity. Return type: List[str]
-
properties
¶ Return dictionary properties of entity.
Returns: Entity properties. Return type: dict
-
to_html
() → str¶ Return HTML representation of entity.
Returns: HTML representation of entity Return type: str
-
to_json
()¶ Return object as a JSON string.
-
to_networkx
(graph: networkx.classes.graph.Graph = None) → networkx.classes.graph.Graph¶ Return networkx graph of entities.
Parameters: graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None Returns: Graph with entity and any connected entities. Return type: nx.Graph
-
msticpy.datamodel.entities.entity¶
Entity Entity class.
-
class
msticpy.datamodel.entities.entity.
ContextObject
¶ Bases:
object
Information object attached to entity but is not an Entity.
-
class
msticpy.datamodel.entities.entity.
Entity
(src_entity: Mapping[str, Any] = None, **kwargs)¶ Bases:
abc.ABC
,msticpy.datamodel.entities.entity_graph.Node
Entity abstract base class.
Implements common methods for Entity classes
Create a new instance of an entity.
Parameters: src_entity (Mapping[str, Any], optional) – If src_entity is supplied it attempts to extract common properties from the source entity and assign them to the new instance. (the default is None) Other Parameters: kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.
-
ENTITY_NAME_MAP
= {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 
'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}¶
-
ID_PROPERTIES
= []¶
-
JSONEncoder
¶ alias of
_EntityJSONEncoder
-
add_edge
(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)¶ Add an edge between self and target.
Parameters: - target (Node) – Target node.
- edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
-
can_merge
(other: Any) → bool¶ Return True if the entities can be merged.
Parameters: other (Any) – The other entity (object) to check Returns: True if other has no conflicting properties. Return type: bool
-
classmethod
create
(src_entity: Mapping[str, Any] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity¶ Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.
Returns: Instantiated entity Return type: Entity Notes
The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.
-
classmethod
del_pivot_shortcut
(func_name: str)¶ Remove a pivot shortcut.
Parameters: func_name (str) – The name of the shortcut function.
Raises: AttributeError – The class does not have an attribute func_name.
TypeError – The attribute to delete is not a pivot shortcut.
-
description_str
¶ Return Entity Description.
Returns: Entity description (optional). If not overridden by the Entity instance type, it will return the Type string. Return type: str
-
classmethod
get_pivot_list
() → List[str]¶ Return list of current pivot functions.
Returns: List of pivot functions assigned to entity. Return type: List[str]
-
has_edge
(other)¶ Return True if node has an edge with other.
-
classmethod
instantiate_entity
(raw_entity: Mapping[str, Any], entity_type: Optional[Type[CT_co]] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]¶ Class factory to return entity from raw dictionary representation.
Parameters: - raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
- entity_type (Optional[Type]) – The entity type to create, by default None.
Returns: The instantiated entity. Return type: Union[Entity, Mapping[str, Any]]
-
is_equivalent
(other: Any) → bool¶ Return True if the entities are equivalent.
Parameters: other (Any) – The entity to check Returns: True if equivalent. Return type: bool Notes
This method checks that the compared entities do not have any properties with conflicting values. For example, the following pairs do not conflict: self.A == other.A; self.B == “xyz” and other.B == None; self.C == [] and other.C == [1, 2, 3].
-
list_pivot_funcs
()¶ Print list of pivot functions assigned to entity.
-
classmethod
make_pivot_shortcut
(func_name: str, target: str, overwrite: bool = False)¶ Add a shortcut to a pivot function to the class.
Parameters: - func_name (str) – The name of source pivot function.
- target (str) – The shortcut name (this will be a member function of the class)
- overwrite (bool, optional) – Force overwrite an existing pivot function, by default False
Raises: AttributeError – The source function does not exist.
TypeError – The source function is not a pivot function.
TypeError – The target attribute exists and is not a pivot function.
AttributeError – The target function exists and ‘overwrite=True’ was not specified.
-
merge
(other: Any) → msticpy.datamodel.entities.entity.Entity¶ Merge with other entity to create new entity.
Returns: Merged entity. Return type: Entity Raises: AttributeError
– If the entities cannot be merged.
-
name_str
¶ Return Entity Name.
Returns: Entity Name (optional). If not overridden by the Entity instance type, it will return the class name string. Return type: str
-
node_properties
¶ Return all public properties that are not entities.
Returns: Dictionary of name, value properties. Return type: Dict[str, Any]
-
classmethod
pivots
() → List[str]¶ Return list of current pivot functions.
Returns: List of pivot functions assigned to entity. Return type: List[str]
-
properties
¶ Return dictionary properties of entity.
Returns: Entity properties. Return type: dict
-
to_html
() → str¶ Return HTML representation of entity.
Returns: HTML representation of entity Return type: str
-
to_json
()¶ Return object as a JSON string.
-
to_networkx
(graph: networkx.classes.graph.Graph = None) → networkx.classes.graph.Graph¶ Return networkx graph of entities.
Parameters: graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None Returns: Graph with entity and any connected entities. Return type: nx.Graph
-
-
msticpy.datamodel.entities.entity.
camelcase_property_names
(input_ent: Dict[str, Any]) → Dict[str, Any]¶ Change the initial letter of Microsoft Sentinel API entity property names to upper case.
msticpy.datamodel.entities.entity_enums¶
Entity enumerations.
-
class
msticpy.datamodel.entities.entity_enums.
Algorithm
¶ Bases:
enum.Enum
FileHash Algorithm Enumeration.
-
MD5
= 1¶
-
SHA1
= 2¶
-
SHA256
= 3¶
-
SHA256AC
= 4¶
-
Unknown
= 0¶
-
-
class
msticpy.datamodel.entities.entity_enums.
ElevationToken
¶ Bases:
enum.Enum
ElevationToken enumeration.
-
Default
= 0¶
-
Full
= 1¶
-
Limited
= 2¶
-
-
class
msticpy.datamodel.entities.entity_enums.
OSFamily
¶ Bases:
enum.Enum
OSFamily enumeration.
-
Linux
= 0¶
-
Windows
= 1¶
-
-
class
msticpy.datamodel.entities.entity_enums.
RegistryHive
¶ Bases:
enum.Enum
RegistryHive enumeration.
-
HKEY_A
= 8¶
-
HKEY_CLASSES_ROOT
= 1¶
-
HKEY_CURRENT_CONFIG
= 2¶
-
HKEY_CURRENT_USER
= 9¶
-
HKEY_CURRENT_USER_LOCAL_SETTINGS
= 4¶
-
HKEY_LOCAL_MACHINE
= 0¶
-
HKEY_PERFORMANCE_DATA
= 5¶
-
HKEY_PERFORMANCE_NLSTEXT
= 6¶
-
HKEY_PERFORMANCE_TEXT
= 7¶
-
HKEY_USERS
= 3¶
-
short_name
¶ Return the key shortname.
-
msticpy.datamodel.entities.entity_graph¶
Entity Graph classes.
-
class
msticpy.datamodel.entities.entity_graph.
Edge
(source: msticpy.datamodel.entities.entity_graph.Node, target: msticpy.datamodel.entities.entity_graph.Node, attrs: Dict[str, Any] = None)¶ Bases:
object
Entity edge class.
Create a new edge between source and target.
Parameters: -
add_attr
(name: str, value: Any)¶ Add an edge attribute.
-
-
class
msticpy.datamodel.entities.entity_graph.
Node
¶ Bases:
object
Entity node.
Initialize the node.
-
add_edge
(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)¶ Add an edge between self and target.
Parameters: - target (Node) – Target node.
- edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
-
has_edge
(other)¶ Return True if node has an edge with other.
-
msticpy.datamodel.entities.file¶
File Entity class.
-
class
msticpy.datamodel.entities.file.
File
(src_entity: Mapping[str, Any] = None, src_event: Mapping[str, Any] = None, role: str = 'new', **kwargs)¶ Bases:
msticpy.datamodel.entities.entity.Entity
File Entity class.
-
FullPath
¶ File FullPath
Type: str
-
Directory
¶ File Directory
Type: str
-
Name
¶ File Name
Type: str
-
Md5
¶ File Md5
Type: str
-
Host
¶ File Host
Type: str
-
Sha1
¶ File Sha1
Type: str
-
Sha256
¶ File Sha256
Type: str
-
Sha256Ac
¶ File Sha256Ac
Type: str
Create a new instance of the entity type.
Parameters: - src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)
- src_event (Mapping[str, Any], optional) – Create entity from event properties (the default is None)
- role (str, optional) – ‘new’ or ‘parent’ - only relevant if the entity is being constructed from an event. (the default is ‘new’)
Other Parameters: kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.
-
ENTITY_NAME_MAP
= {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 
'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}¶
-
ID_PROPERTIES
= ['FullPath', 'Sha1', 'Sha256', 'Sha256ac', 'Md5']¶
-
JSONEncoder
¶ alias of
msticpy.datamodel.entities.entity._EntityJSONEncoder
-
add_edge
(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)¶ Add an edge between self and target.
Parameters: - target (Node) – Target node.
- edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
-
can_merge
(other: Any) → bool¶ Return True if the entities can be merged.
Parameters: other (Any) – The other entity (object) to check Returns: True if other has no conflicting properties. Return type: bool
-
classmethod
create
(src_entity: Mapping[str, Any] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity¶ Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.
Returns: Instantiated entity Return type: Entity Notes
The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.
-
classmethod
del_pivot_shortcut
(func_name: str)¶ Remove a pivot shortcut.
Parameters: func_name (str) – The name of the shortcut function.
Raises: AttributeError – The class does not have an attribute func_name.
TypeError – The attribute to delete is not a pivot shortcut.
-
description_str
¶ Return Entity Description.
-
file_hash
¶ Return the first defined file hash.
Returns: Returns first-defined file hash in order of SHA256, SHA1, MD5, SHA256AC (authenticode) Return type: Optional[str]
-
classmethod
get_pivot_list
() → List[str]¶ Return list of current pivot functions.
Returns: List of pivot functions assigned to entity. Return type: List[str]
-
has_edge
(other)¶ Return True if node has an edge with other.
-
classmethod
instantiate_entity
(raw_entity: Mapping[str, Any], entity_type: Optional[Type[CT_co]] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]¶ Class factory to return entity from raw dictionary representation.
Parameters: - raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
- entity_type (Optional[Type]) – The entity type to create, by default None.
Returns: The instantiated entity. Return type: Union[Entity, Mapping[str, Any]]
-
is_equivalent
(other: Any) → bool¶ Return True if the entities are equivalent.
Parameters: other (Any) – The entity to check Returns: True if equivalent. Return type: bool Notes
This method checks that the compared entities do not have any properties with conflicting values. For example, the following pairs do not conflict: self.A == other.A; self.B == “xyz” and other.B == None; self.C == [] and other.C == [1, 2, 3].
-
list_pivot_funcs
()¶ Print list of pivot functions assigned to entity.
-
classmethod
make_pivot_shortcut
(func_name: str, target: str, overwrite: bool = False)¶ Add a shortcut to a pivot function to the class.
Parameters: - func_name (str) – The name of source pivot function.
- target (str) – The shortcut name (this will be a member function of the class)
- overwrite (bool, optional) – Force overwrite an existing pivot function, by default False
Raises: AttributeError – The source function does not exist.
TypeError – The source function is not a pivot function.
TypeError – The target attribute exists and is not a pivot function.
AttributeError – The target function exists and ‘overwrite=True’ was not specified.
-
merge
(other: Any) → msticpy.datamodel.entities.entity.Entity¶ Merge with other entity to create new entity.
Returns: Merged entity. Return type: Entity Raises: AttributeError
– If the entities cannot be merged.
-
name_str
¶ Return Entity Name.
-
node_properties
¶ Return all public properties that are not entities.
Returns: Dictionary of name, value properties. Return type: Dict[str, Any]
-
path_separator
¶ Return the path separator used by the file.
-
classmethod
pivots
() → List[str]¶ Return list of current pivot functions.
Returns: List of pivot functions assigned to entity. Return type: List[str]
-
properties
¶ Return dictionary properties of entity.
Returns: Entity properties. Return type: dict
-
to_html
() → str¶ Return HTML representation of entity.
Returns: HTML representation of entity Return type: str
-
to_json
()¶ Return object as a JSON string.
-
to_networkx
(graph: networkx.classes.graph.Graph = None) → networkx.classes.graph.Graph¶ Return networkx graph of entities.
Parameters: graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None Returns: Graph with entity and any connected entities. Return type: nx.Graph
-
msticpy.datamodel.entities.file_hash¶
FileHash Entity class.
-
class
msticpy.datamodel.entities.file_hash.
FileHash
(src_entity: Mapping[str, Any] = None, src_event: Mapping[str, Any] = None, **kwargs)¶ Bases:
msticpy.datamodel.entities.entity.Entity
File Hash class.
-
Value
¶ FileHash Value
Type: str
Create a new instance of the entity type.
Parameters: - src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)
- src_event (Mapping[str, Any], optional) – Create entity from event properties (the default is None)
Other Parameters: kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.
-
ENTITY_NAME_MAP
= {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
- ID_PROPERTIES = ['Value']
- JSONEncoder: alias of msticpy.datamodel.entities.entity._EntityJSONEncoder
- add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)
Add an edge between self and target.
Parameters:
- target (Node) – Target node.
- edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
- can_merge(other: Any) → bool
Return True if the entities can be merged.
Parameters: other (Any) – The other entity (object) to check
Returns: True if other has no conflicting properties.
Return type: bool
- classmethod create(src_entity: Mapping[str, Any] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity
Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.
Returns: Instantiated entity
Return type: Entity
Notes: The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.
- classmethod del_pivot_shortcut(func_name: str)
Remove a pivot shortcut.
Parameters: func_name (str) – The name of the shortcut function.
Raises:
- AttributeError – The class does not have an attribute func_name
- TypeError – The attribute to delete is not a pivot shortcut.
- description_str
Return Entity Description.
- classmethod get_pivot_list() → List[str]
Return list of current pivot functions.
Returns: List of pivot functions assigned to entity.
Return type: List[str]
- has_edge(other)
Return True if node has an edge with other.
- classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type[CT_co]] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]
Class factory to return entity from raw dictionary representation.
Parameters:
- raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
- entity_type (Optional[Type]) – The entity type to create, by default None.
Returns: The instantiated entity
Return type:
- is_equivalent(other: Any) → bool
Return True if the entities are equivalent.
Parameters: other (Any) – The entity to check
Returns: True if equivalent.
Return type: bool
Notes: This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A; self.B == “xyz” and other.B == None; self.C == [] and other.C == [1, 2, 3]
- list_pivot_funcs()
Print list of pivot functions assigned to entity.
- classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)
Add a shortcut to a pivot function to the class.
Parameters:
- func_name (str) – The name of source pivot function.
- target (str) – The shortcut name (this will be a member function of the class)
- overwrite (bool, optional) – Force overwrite an existing pivot function, by default False
Raises:
- AttributeError – The source function does not exist
- TypeError – The source function is not a pivot function.
- TypeError – The target attribute exists and is not a pivot function
- AttributeError – The target function exists and ‘overwrite=True’ was not specified.
- merge(other: Any) → msticpy.datamodel.entities.entity.Entity
Merge with other entity to create new entity.
Returns: Merged entity.
Return type: Entity
Raises: AttributeError – If the entities cannot be merged.
- name_str
Return Entity Name.
- node_properties
Return all public properties that are not entities.
Returns: Dictionary of name, value properties.
Return type: Dict[str, Any]
- classmethod pivots() → List[str]
Return list of current pivot functions.
Returns: List of pivot functions assigned to entity.
Return type: List[str]
- properties
Return dictionary properties of entity.
Returns: Entity properties.
Return type: dict
- to_html() → str
Return HTML representation of entity.
Returns: HTML representation of entity
Return type: str
- to_json()
Return object as a JSON string.
- to_networkx(graph: networkx.classes.graph.Graph = None) → networkx.classes.graph.Graph
Return networkx graph of entities.
Parameters: graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None
Returns: Graph with entity and any connected entities.
Return type: nx.Graph
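The is_equivalent, can_merge and merge entries above all rest on one rule: two entities are compatible when no property has two different non-empty values, so an equal value, a value against None, or a value against an empty list never counts as a conflict. The following is an added illustration of that rule over plain property dicts; it is not msticpy's own implementation, and the choice of what counts as "empty" (None and empty containers) and which side wins on merge (the non-empty one) are assumptions made here. The sample IP records are constructed, and the IP address comes from the documentation range.

```python
"""Added illustration of the 'no conflicting property values' rule that the
is_equivalent / can_merge / merge docstrings describe. Plain dicts stand in for
entities; this is NOT msticpy's implementation, and the treatment of empty
values and merge precedence are assumptions of this example.
"""
from typing import Any, Dict, Mapping, Tuple


def _is_empty(value: Any) -> bool:
    """Treat None and empty containers as 'no value' (assumption)."""
    if value is None:
        return True
    if isinstance(value, (str, list, tuple, dict, set)):
        return len(value) == 0
    return False


def conflicting_properties(
    a: Mapping[str, Any], b: Mapping[str, Any]
) -> Dict[str, Tuple[Any, Any]]:
    """Return {name: (a_value, b_value)} for each property whose values conflict.

    Two values conflict only when both are present (non-empty) and differ,
    which matches the docstring examples: A == A is fine, "xyz" vs None is
    fine, [] vs [1, 2, 3] is fine.
    """
    conflicts: Dict[str, Tuple[Any, Any]] = {}
    for name in set(a) | set(b):
        va, vb = a.get(name), b.get(name)
        if _is_empty(va) or _is_empty(vb):
            continue
        if va != vb:
            conflicts[name] = (va, vb)
    return conflicts


def can_merge(a: Mapping[str, Any], b: Mapping[str, Any]) -> bool:
    """True when the two property sets have no conflicting values."""
    return not conflicting_properties(a, b)


def merge(a: Mapping[str, Any], b: Mapping[str, Any]) -> Dict[str, Any]:
    """Combine two property sets, keeping the non-empty value for each name.

    Raises AttributeError on conflict, mirroring the documented behaviour of
    Entity.merge ("AttributeError – If the entities cannot be merged").
    """
    conflicts = conflicting_properties(a, b)
    if conflicts:
        raise AttributeError(
            f"entities cannot be merged; conflicting properties: {sorted(conflicts)}"
        )
    merged: Dict[str, Any] = {}
    for name in set(a) | set(b):
        va, vb = a.get(name), b.get(name)
        merged[name] = vb if _is_empty(va) else va
    return merged


# Constructed sample: one IP observed by a geolocation source and by a
# threat-intel source, each filling in different properties (not real data).
IP_FROM_GEO = {
    "Type": "ipaddress",
    "Address": "203.0.113.7",
    "Location": {"CountryCode": "NL"},
    "ThreatIntelligence": [],
}
IP_FROM_TI = {
    "Type": "ipaddress",
    "Address": "203.0.113.7",
    "Location": None,
    "ThreatIntelligence": [{"Provider": "constructed-feed"}],
}
# Same address but a different country: a genuine conflict.
IP_OTHER_GEO = {
    "Type": "ipaddress",
    "Address": "203.0.113.7",
    "Location": {"CountryCode": "DE"},
}

if __name__ == "__main__":
    print(merge(IP_FROM_GEO, IP_FROM_TI))
    print(can_merge(IP_FROM_GEO, IP_OTHER_GEO))
```

The point for an analyst merging enrichment from several sources is that "missing" and "different" are treated differently: a source that simply knows nothing about Location never blocks a merge, while two sources that disagree about it do, and the conflict is surfaced rather than silently overwritten.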
msticpy.datamodel.entities.geo_location
GeoLocation Entity class.
- class msticpy.datamodel.entities.geo_location.GeoLocation(src_entity: Mapping[str, Any] = None, **kwargs)
Bases: msticpy.datamodel.entities.entity.Entity, msticpy.datamodel.entities.entity.ContextObject
GeoLocation class.
- CountryCode
GeoLocation CountryCode
Type: str
- CountryName
GeoLocation CountryName
Type: str
- State
GeoLocation State
Type: str
- City
GeoLocation City
Type: str
- Longitude
GeoLocation Longitude
Type: float
- Latitude
GeoLocation Latitude
Type: float
- Asn
GeoLocation Asn
Type: str
Create a new instance of the entity type.
Parameters: src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)
Other Parameters: kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.
- ENTITY_NAME_MAP = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
- ID_PROPERTIES = ['Longitude', 'Latitude', 'City', 'State', 'CountryCode']
- JSONEncoder: alias of msticpy.datamodel.entities.entity._EntityJSONEncoder
- add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)
Add an edge between self and target.
Parameters:
- target (Node) – Target node.
- edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
- can_merge(other: Any) → bool
Return True if the entities can be merged.
Parameters: other (Any) – The other entity (object) to check
Returns: True if other has no conflicting properties.
Return type: bool
- classmethod create(src_entity: Mapping[str, Any] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity
Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.
Returns: Instantiated entity
Return type: Entity
Notes: The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.
- classmethod del_pivot_shortcut(func_name: str)
Remove a pivot shortcut.
Parameters: func_name (str) – The name of the shortcut function.
Raises:
- AttributeError – The class does not have an attribute func_name
- TypeError – The attribute to delete is not a pivot shortcut.
- description_str
Return Entity Description.
- classmethod get_pivot_list() → List[str]
Return list of current pivot functions.
Returns: List of pivot functions assigned to entity.
Return type: List[str]
- has_edge(other)
Return True if node has an edge with other.
- classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type[CT_co]] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]
Class factory to return entity from raw dictionary representation.
Parameters:
- raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
- entity_type (Optional[Type]) – The entity type to create, by default None.
Returns: The instantiated entity
Return type:
- is_equivalent(other: Any) → bool
Return True if the entities are equivalent.
Parameters: other (Any) – The entity to check
Returns: True if equivalent.
Return type: bool
Notes: This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A; self.B == “xyz” and other.B == None; self.C == [] and other.C == [1, 2, 3]
- list_pivot_funcs()
Print list of pivot functions assigned to entity.
- classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)
Add a shortcut to a pivot function to the class.
Parameters:
- func_name (str) – The name of source pivot function.
- target (str) – The shortcut name (this will be a member function of the class)
- overwrite (bool, optional) – Force overwrite an existing pivot function, by default False
Raises:
- AttributeError – The source function does not exist
- TypeError – The source function is not a pivot function.
- TypeError – The target attribute exists and is not a pivot function
- AttributeError – The target function exists and ‘overwrite=True’ was not specified.
- merge(other: Any) → msticpy.datamodel.entities.entity.Entity
Merge with other entity to create new entity.
Returns: Merged entity.
Return type: Entity
Raises: AttributeError – If the entities cannot be merged.
- name_str
Return Entity Name.
- node_properties
Return all public properties that are not entities.
Returns: Dictionary of name, value properties.
Return type: Dict[str, Any]
- classmethod pivots() → List[str]
Return list of current pivot functions.
Returns: List of pivot functions assigned to entity.
Return type: List[str]
- properties
Return dictionary properties of entity.
Returns: Entity properties.
Return type: dict
- to_html() → str
Return HTML representation of entity.
Returns: HTML representation of entity
Return type: str
- to_json()
Return object as a JSON string.
- to_networkx(graph: networkx.classes.graph.Graph = None) → networkx.classes.graph.Graph
Return networkx graph of entities.
Parameters: graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None
Returns: Graph with entity and any connected entities.
Return type: nx.Graph
msticpy.datamodel.entities.host
Host Entity class.
- class msticpy.datamodel.entities.host.Host(src_entity: Mapping[str, Any] = None, src_event: Mapping[str, Any] = None, **kwargs)
Bases: msticpy.datamodel.entities.entity.Entity
Host Entity class.
- DnsDomain
Host DnsDomain
Type: str
- NTDomain
Host NTDomain
Type: str
- HostName
Host HostName
Type: str
- NetBiosName
Host NetBiosName
Type: str
- AzureID
Host AzureID
Type: str
- OMSAgentID
Host OMSAgentID
Type: str
- OSFamily
Host OSFamily
Type: str
- OSVersion
Host OSVersion
Type: str
- IsDomainJoined
Host IsDomainJoined
Type: bool
Create a new instance of the entity type.
Parameters:
- src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)
- src_event (Mapping[str, Any], optional) – Create entity from event properties (the default is None)
Other Parameters: kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.
- ENTITY_NAME_MAP = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
- FullName
Return the full name of the host - either FQDN or Netbiosname.
- ID_PROPERTIES = ['fqdn', 'AzureID', 'OMSAgentID']
- JSONEncoder: alias of msticpy.datamodel.entities.entity._EntityJSONEncoder
- add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)
Add an edge between self and target.
Parameters:
- target (Node) – Target node.
- edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
- can_merge(other: Any) → bool
Return True if the entities can be merged.
Parameters: other (Any) – The other entity (object) to check
Returns: True if other has no conflicting properties.
Return type: bool
- computer
Return computer from source event.
- classmethod create(src_entity: Mapping[str, Any] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity
Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.
Returns: Instantiated entity
Return type: Entity
Notes: The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.
- classmethod del_pivot_shortcut(func_name: str)
Remove a pivot shortcut.
Parameters: func_name (str) – The name of the shortcut function.
Raises:
- AttributeError – The class does not have an attribute func_name
- TypeError – The attribute to delete is not a pivot shortcut.
- description_str
Return Entity Description.
- fqdn
Construct FQDN from host + dns.
- classmethod get_pivot_list() → List[str]
Return list of current pivot functions.
Returns: List of pivot functions assigned to entity.
Return type: List[str]
- has_edge(other)
Return True if node has an edge with other.
- classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type[CT_co]] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]
Class factory to return entity from raw dictionary representation.
Parameters:
- raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
- entity_type (Optional[Type]) – The entity type to create, by default None.
Returns: The instantiated entity
Return type:
- is_equivalent(other: Any) → bool
Return True if the entities are equivalent.
Parameters: other (Any) – The entity to check
Returns: True if equivalent.
Return type: bool
Notes: This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A; self.B == “xyz” and other.B == None; self.C == [] and other.C == [1, 2, 3]
- list_pivot_funcs()
Print list of pivot functions assigned to entity.
- classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)
Add a shortcut to a pivot function to the class.
Parameters:
- func_name (str) – The name of source pivot function.
- target (str) – The shortcut name (this will be a member function of the class)
- overwrite (bool, optional) – Force overwrite an existing pivot function, by default False
Raises:
- AttributeError – The source function does not exist
- TypeError – The source function is not a pivot function.
- TypeError – The target attribute exists and is not a pivot function
- AttributeError – The target function exists and ‘overwrite=True’ was not specified.
- merge(other: Any) → msticpy.datamodel.entities.entity.Entity
Merge with other entity to create new entity.
Returns: Merged entity.
Return type: Entity
Raises: AttributeError – If the entities cannot be merged.
- name_str
Return Entity Name.
- node_properties
Return all public properties that are not entities.
Returns: Dictionary of name, value properties.
Return type: Dict[str, Any]
- classmethod pivots() → List[str]
Return list of current pivot functions.
Returns: List of pivot functions assigned to entity.
Return type: List[str]
- properties
Return dictionary properties of entity.
Returns: Entity properties.
Return type: dict
- to_html() → str
Return HTML representation of entity.
Returns: HTML representation of entity
Return type: str
- to_json()
Return object as a JSON string.
- to_networkx(graph: networkx.classes.graph.Graph = None) → networkx.classes.graph.Graph
Return networkx graph of entities.
Parameters: graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None
Returns: Graph with entity and any connected entities.
Return type: nx.Graph
msticpy.datamodel.entities.host_logon_session
HostLogonSession Entity class.
- class msticpy.datamodel.entities.host_logon_session.HostLogonSession(src_entity: Mapping[str, Any] = None, src_event: Mapping[str, Any] = None, **kwargs)
Bases: msticpy.datamodel.entities.entity.Entity
HostLogonSession Entity class.
- StartTimeUtc
HostLogonSession StartTimeUtc
Type: datetime
- EndTimeUtc
HostLogonSession EndTimeUtc
Type: datetime
- SessionId
HostLogonSession SessionId
Type: str
Create a new instance of the entity type.
Parameters:
- src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)
- src_event (Mapping[str, Any], optional) – Create entity from event properties (the default is None)
Other Parameters: kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.
- ENTITY_NAME_MAP = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
- ID_PROPERTIES = ['Account', 'Host', 'SessionId']
- JSONEncoder: alias of msticpy.datamodel.entities.entity._EntityJSONEncoder
- add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)
Add an edge between self and target.
Parameters:
- target (Node) – Target node.
- edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
- can_merge(other: Any) → bool
Return True if the entities can be merged.
Parameters: other (Any) – The other entity (object) to check
Returns: True if other has no conflicting properties.
Return type: bool
- classmethod create(src_entity: Mapping[str, Any] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity
Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.
Returns: Instantiated entity
Return type: Entity
Notes: The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.
- classmethod del_pivot_shortcut(func_name: str)
Remove a pivot shortcut.
Parameters: func_name (str) – The name of the shortcut function.
Raises:
- AttributeError – The class does not have an attribute func_name
- TypeError – The attribute to delete is not a pivot shortcut.
- description_str
Return Entity Description.
- classmethod get_pivot_list() → List[str]
Return list of current pivot functions.
Returns: List of pivot functions assigned to entity.
Return type: List[str]
- has_edge(other)
Return True if node has an edge with other.
- classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type[CT_co]] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]
Class factory to return entity from raw dictionary representation.
Parameters:
- raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
- entity_type (Optional[Type]) – The entity type to create, by default None.
Returns: The instantiated entity
Return type:
- is_equivalent(other: Any) → bool
Return True if the entities are equivalent.
Parameters: other (Any) – The entity to check
Returns: True if equivalent.
Return type: bool
Notes: This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A; self.B == “xyz” and other.B == None; self.C == [] and other.C == [1, 2, 3]
- list_pivot_funcs()
Print list of pivot functions assigned to entity.
- classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)
Add a shortcut to a pivot function to the class.
Parameters:
- func_name (str) – The name of source pivot function.
- target (str) – The shortcut name (this will be a member function of the class)
- overwrite (bool, optional) – Force overwrite an existing pivot function, by default False
Raises:
- AttributeError – The source function does not exist
- TypeError – The source function is not a pivot function.
- TypeError – The target attribute exists and is not a pivot function
- AttributeError – The target function exists and ‘overwrite=True’ was not specified.
- merge(other: Any) → msticpy.datamodel.entities.entity.Entity
Merge with other entity to create new entity.
Returns: Merged entity.
Return type: Entity
Raises: AttributeError – If the entities cannot be merged.
- name_str
Return Entity Name.
- node_properties
Return all public properties that are not entities.
Returns: Dictionary of name, value properties.
Return type: Dict[str, Any]
- classmethod pivots() → List[str]
Return list of current pivot functions.
Returns: List of pivot functions assigned to entity.
Return type: List[str]
- properties
Return dictionary properties of entity.
Returns: Entity properties.
Return type: dict
- to_html() → str
Return HTML representation of entity.
Returns: HTML representation of entity
Return type: str
- to_json()
Return object as a JSON string.
- to_networkx(graph: networkx.classes.graph.Graph = None) → networkx.classes.graph.Graph
Return networkx graph of entities.
Parameters: graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None
Returns: Graph with entity and any connected entities.
Return type: nx.Graph
msticpy.datamodel.entities.ip_address¶
IpAddress Entity class.
-
msticpy.datamodel.entities.ip_address.
Ip
¶
-
class
msticpy.datamodel.entities.ip_address.
IpAddress
(src_entity: Mapping[str, Any] = None, src_event: Mapping[str, Any] = None, **kwargs)¶ Bases:
msticpy.datamodel.entities.entity.Entity
IPAddress Entity class.
-
Address
¶ IpAddress Address
Type: str
-
Location
¶ IpAddress Location
Type: GeoLocation
-
ThreatIntelligence
¶ IpAddress ThreatIntelligence
Type: List[Threatintelligence]
Create a new instance of the entity type.
Parameters: - src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)
- src_event (Mapping[str, Any], optional) – Create entity from event properties (the default is None)
Other Parameters: kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.
-
ENTITY_NAME_MAP
= {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 
'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}¶
-
ID_PROPERTIES
= ['Address']¶
-
JSONEncoder
¶ alias of
msticpy.datamodel.entities.entity._EntityJSONEncoder
-
add_edge
(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)¶ Add an edge between self and target.
Parameters: - target (Node) – Target node.
- edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
-
can_merge
(other: Any) → bool¶ Return True if the entities can be merged.
Parameters: other (Any) – The other entity (object) to check.
Returns: True if other has no conflicting properties. Return type: bool
-
classmethod
create
(src_entity: Mapping[str, Any] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity¶ Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.
Returns: Instantiated entity. Return type: Entity
Notes: The entity type should be specified as “Type”, either as a key of src_entity or as a keyword argument.
-
classmethod
del_pivot_shortcut
(func_name: str)¶ Remove a pivot shortcut.
Parameters: func_name (str) – The name of the shortcut function.
Raises: - AttributeError – The class does not have an attribute named func_name.
- TypeError – The attribute to delete is not a pivot shortcut.
-
description_str
¶ Return Entity Description.
-
classmethod
get_pivot_list
() → List[str]¶ Return list of current pivot functions.
Returns: List of pivot functions assigned to entity. Return type: List[str]
-
has_edge
(other)¶ Return True if node has an edge with other.
-
classmethod
instantiate_entity
(raw_entity: Mapping[str, Any], entity_type: Optional[Type[CT_co]] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]¶ Class factory to return entity from raw dictionary representation.
Parameters: - raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
- entity_type (Optional[Type]) – The entity type to create, by default None.
Returns: The instantiated entity. Return type: Union[Entity, Mapping[str, Any]]
-
ip_address
¶ Return a python IP address object from the entity property.
-
is_equivalent
(other: Any) → bool¶ Return True if the entities are equivalent.
Parameters: other (Any) – The entity to check.
Returns: True if equivalent. Return type: bool
Notes: This method checks that the compared entities do not have any properties with conflicting values. For example, none of the following pairs conflict:
- self.A == other.A
- self.B == “xyz” and other.B == None
- self.C == [] and other.C == [1, 2, 3]
-
list_pivot_funcs
()¶ Print list of pivot functions assigned to entity.
-
classmethod
make_pivot_shortcut
(func_name: str, target: str, overwrite: bool = False)¶ Add a shortcut to a pivot function to the class.
Parameters: - func_name (str) – The name of source pivot function.
- target (str) – The shortcut name (this will be a member function of the class)
- overwrite (bool, optional) – Force overwrite an existing pivot function, by default False
Raises: - AttributeError – The source function does not exist.
- TypeError – The source function is not a pivot function.
- TypeError – The target attribute exists and is not a pivot function.
- AttributeError – The target function exists and ‘overwrite=True’ was not specified.
-
merge
(other: Any) → msticpy.datamodel.entities.entity.Entity¶ Merge with other entity to create new entity.
Returns: Merged entity. Return type: Entity
Raises: - AttributeError – If the entities cannot be merged.
-
name_str
¶ Return Entity Name.
-
node_properties
¶ Return all public properties that are not entities.
Returns: Dictionary of name, value properties. Return type: Dict[str, Any]
-
classmethod
pivots
() → List[str]¶ Return list of current pivot functions.
Returns: List of pivot functions assigned to entity. Return type: List[str]
-
properties
¶ Return dictionary properties of entity.
Returns: Entity properties. Return type: dict
-
to_html
() → str¶ Return HTML representation of entity.
Returns: HTML representation of entity Return type: str
-
to_json
()¶ Return object as a JSON string.
-
to_networkx
(graph: networkx.classes.graph.Graph = None) → networkx.classes.graph.Graph¶ Return networkx graph of entities.
Parameters: graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None.
Returns: Graph with entity and any connected entities. Return type: nx.Graph
-
msticpy.datamodel.entities.malware¶
Malware Entity class.
-
class
msticpy.datamodel.entities.malware.
Malware
(src_entity: Mapping[str, Any] = None, **kwargs)¶ Bases:
msticpy.datamodel.entities.entity.Entity
Malware Entity class.
-
Name
¶ Malware Name
Type: str
-
Category
¶ Malware Category
Type: str
Create a new instance of the entity type.
Parameters: src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)
Other Parameters: kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.
-
ENTITY_NAME_MAP
= {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 
'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}¶
-
ID_PROPERTIES
= ['Name']¶
-
JSONEncoder
¶ alias of
msticpy.datamodel.entities.entity._EntityJSONEncoder
-
add_edge
(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)¶ Add an edge between self and target.
Parameters: - target (Node) – Target node.
- edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
-
can_merge
(other: Any) → bool¶ Return True if the entities can be merged.
Parameters: other (Any) – The other entity (object) to check.
Returns: True if other has no conflicting properties. Return type: bool
-
classmethod
create
(src_entity: Mapping[str, Any] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity¶ Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.
Returns: Instantiated entity. Return type: Entity
Notes: The entity type should be specified as “Type”, either as a key of src_entity or as a keyword argument.
-
classmethod
del_pivot_shortcut
(func_name: str)¶ Remove a pivot shortcut.
Parameters: func_name (str) – The name of the shortcut function.
Raises: - AttributeError – The class does not have an attribute named func_name.
- TypeError – The attribute to delete is not a pivot shortcut.
-
description_str
¶ Return Entity Description.
-
classmethod
get_pivot_list
() → List[str]¶ Return list of current pivot functions.
Returns: List of pivot functions assigned to entity. Return type: List[str]
-
has_edge
(other)¶ Return True if node has an edge with other.
-
classmethod
instantiate_entity
(raw_entity: Mapping[str, Any], entity_type: Optional[Type[CT_co]] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]¶ Class factory to return entity from raw dictionary representation.
Parameters: - raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
- entity_type (Optional[Type]) – The entity type to create, by default None.
Returns: The instantiated entity. Return type: Union[Entity, Mapping[str, Any]]
-
is_equivalent
(other: Any) → bool¶ Return True if the entities are equivalent.
Parameters: other (Any) – The entity to check.
Returns: True if equivalent. Return type: bool
Notes: This method checks that the compared entities do not have any properties with conflicting values. For example, none of the following pairs conflict:
- self.A == other.A
- self.B == “xyz” and other.B == None
- self.C == [] and other.C == [1, 2, 3]
-
list_pivot_funcs
()¶ Print list of pivot functions assigned to entity.
-
classmethod
make_pivot_shortcut
(func_name: str, target: str, overwrite: bool = False)¶ Add a shortcut to a pivot function to the class.
Parameters: - func_name (str) – The name of source pivot function.
- target (str) – The shortcut name (this will be a member function of the class)
- overwrite (bool, optional) – Force overwrite an existing pivot function, by default False
Raises: - AttributeError – The source function does not exist.
- TypeError – The source function is not a pivot function.
- TypeError – The target attribute exists and is not a pivot function.
- AttributeError – The target function exists and ‘overwrite=True’ was not specified.
-
merge
(other: Any) → msticpy.datamodel.entities.entity.Entity¶ Merge with other entity to create new entity.
Returns: Merged entity. Return type: Entity
Raises: - AttributeError – If the entities cannot be merged.
-
name_str
¶ Return Entity Name.
-
node_properties
¶ Return all public properties that are not entities.
Returns: Dictionary of name, value properties. Return type: Dict[str, Any]
-
classmethod
pivots
() → List[str]¶ Return list of current pivot functions.
Returns: List of pivot functions assigned to entity. Return type: List[str]
-
properties
¶ Return dictionary properties of entity.
Returns: Entity properties. Return type: dict
-
to_html
() → str¶ Return HTML representation of entity.
Returns: HTML representation of entity Return type: str
-
to_json
()¶ Return object as a JSON string.
-
to_networkx
(graph: networkx.classes.graph.Graph = None) → networkx.classes.graph.Graph¶ Return networkx graph of entities.
Parameters: graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None.
Returns: Graph with entity and any connected entities. Return type: nx.Graph
-
msticpy.datamodel.entities.network_connection¶
NetworkConnection Entity class.
-
class
msticpy.datamodel.entities.network_connection.
NetworkConnection
(src_entity: Mapping[str, Any] = None, **kwargs)¶ Bases:
msticpy.datamodel.entities.entity.Entity
NetworkConnection Entity class.
-
SourceAddress
¶ NetworkConnection SourceAddress
Type: IPAddress
-
SourcePort
¶ NetworkConnection SourcePort
Type: int
-
DestinationAddress
¶ NetworkConnection DestinationAddress
Type: IPAddress
-
DestinationPort
¶ NetworkConnection DestinationPort
Type: int
-
Protocol
¶ NetworkConnection Protocol
Type: str
Create a new instance of the entity type.
Parameters: src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)
Other Parameters: kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.
-
ENTITY_NAME_MAP
= {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 
'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}¶
-
ID_PROPERTIES
= ['SourceAddress', 'SourcePort', 'DestinationAddress', 'DestinationPort']¶
-
JSONEncoder
¶ alias of
msticpy.datamodel.entities.entity._EntityJSONEncoder
-
add_edge
(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)¶ Add an edge between self and target.
Parameters: - target (Node) – Target node.
- edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
-
can_merge
(other: Any) → bool¶ Return True if the entities can be merged.
Parameters: other (Any) – The other entity (object) to check.
Returns: True if other has no conflicting properties. Return type: bool
-
classmethod
create
(src_entity: Mapping[str, Any] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity¶ Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.
Returns: Instantiated entity. Return type: Entity
Notes: The entity type should be specified as “Type”, either as a key of src_entity or as a keyword argument.
-
classmethod
del_pivot_shortcut
(func_name: str)¶ Remove a pivot shortcut.
Parameters: func_name (str) – The name of the shortcut function.
Raises: - AttributeError – The class does not have an attribute named func_name.
- TypeError – The attribute to delete is not a pivot shortcut.
-
description_str
¶ Return Entity Description.
-
classmethod
get_pivot_list
() → List[str]¶ Return list of current pivot functions.
Returns: List of pivot functions assigned to entity. Return type: List[str]
-
has_edge
(other)¶ Return True if node has an edge with other.
-
classmethod
instantiate_entity
(raw_entity: Mapping[str, Any], entity_type: Optional[Type[CT_co]] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]¶ Class factory to return entity from raw dictionary representation.
Parameters: - raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
- entity_type (Optional[Type]) – The entity type to create, by default None.
Returns: The instantiated entity. Return type: Union[Entity, Mapping[str, Any]]
-
is_equivalent
(other: Any) → bool¶ Return True if the entities are equivalent.
Parameters: other (Any) – The entity to check.
Returns: True if equivalent. Return type: bool
Notes: This method checks that the compared entities do not have any properties with conflicting values. For example, none of the following pairs conflict:
- self.A == other.A
- self.B == “xyz” and other.B == None
- self.C == [] and other.C == [1, 2, 3]
-
list_pivot_funcs
()¶ Print list of pivot functions assigned to entity.
-
classmethod
make_pivot_shortcut
(func_name: str, target: str, overwrite: bool = False)¶ Add a shortcut to a pivot function to the class.
Parameters: - func_name (str) – The name of source pivot function.
- target (str) – The shortcut name (this will be a member function of the class)
- overwrite (bool, optional) – Force overwrite an existing pivot function, by default False
Raises: - AttributeError – The source function does not exist.
- TypeError – The source function is not a pivot function.
- TypeError – The target attribute exists and is not a pivot function.
- AttributeError – The target function exists and ‘overwrite=True’ was not specified.
-
merge
(other: Any) → msticpy.datamodel.entities.entity.Entity¶ Merge with other entity to create new entity.
Returns: Merged entity. Return type: Entity
Raises: - AttributeError – If the entities cannot be merged.
-
name_str
¶ Return Entity Name.
-
node_properties
¶ Return all public properties that are not entities.
Returns: Dictionary of name, value properties. Return type: Dict[str, Any]
-
classmethod
pivots
() → List[str]¶ Return list of current pivot functions.
Returns: List of pivot functions assigned to entity. Return type: List[str]
-
properties
¶ Return dictionary properties of entity.
Returns: Entity properties. Return type: dict
-
to_html
() → str¶ Return HTML representation of entity.
Returns: HTML representation of entity Return type: str
-
to_json
()¶ Return object as a JSON string.
-
to_networkx
(graph: networkx.classes.graph.Graph = None) → networkx.classes.graph.Graph¶ Return networkx graph of entities.
Parameters: graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None.
Returns: Graph with entity and any connected entities. Return type: nx.Graph
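The conflict rule described in the is_equivalent, can_merge and merge entries above, worked through on NetworkConnection observations as an added example. This is illustrative code written for this page, not msticpy's own implementation, and it does not import msticpy. It assumes one extra policy that the page does not state: before two records are merged, the documented ID_PROPERTIES of NetworkConnection must be set and equal on both sides (the page lists ID_PROPERTIES but does not say how merge uses them). The firewall and EDR observations are constructed sample data, not real logs.

```python
"""Conflict-free entity merging, following the rule in the is_equivalent notes.

Illustrative standalone code for this page (not msticpy's implementation).
Two records are equivalent when no property holds conflicting values; a value on
one side with None (or an empty list) on the other is not a conflict.
"""
from typing import Any, Dict, List

# ID_PROPERTIES as documented for NetworkConnection on this page.
NETCONN_ID_PROPERTIES = ["SourceAddress", "SourcePort", "DestinationAddress", "DestinationPort"]

Entity = Dict[str, Any]


def _is_unset(value: Any) -> bool:
    """None and empty containers count as 'no value', per the is_equivalent notes."""
    return value is None or value == [] or value == {}


def values_conflict(mine: Any, theirs: Any) -> bool:
    """A conflict requires a real value on both sides that differ."""
    if _is_unset(mine) or _is_unset(theirs):
        return False
    return mine != theirs


def is_equivalent(a: Entity, b: Entity) -> bool:
    """True when no property of a and b holds conflicting values."""
    return not any(values_conflict(a.get(k), b.get(k)) for k in set(a) | set(b))


def can_merge(a: Entity, b: Entity, id_props: List[str]) -> bool:
    """Assumption added here: identity properties must be set and equal on both sides."""
    for prop in id_props:
        if _is_unset(a.get(prop)) or _is_unset(b.get(prop)) or a[prop] != b[prop]:
            return False
    return is_equivalent(a, b)


def merge(a: Entity, b: Entity, id_props: List[str]) -> Entity:
    """Return a new record holding the union of properties; raise on conflict."""
    if not can_merge(a, b, id_props):
        raise AttributeError("entities cannot be merged: identity mismatch or conflicting properties")
    merged = dict(a)
    for key, value in b.items():
        if _is_unset(merged.get(key)):  # fill gaps, never overwrite a value that is set
            merged[key] = value
    return merged


def resolve(observations: List[Entity], id_props: List[str]) -> List[Entity]:
    """Collapse repeated observations of the same entity into one merged record."""
    resolved: List[Entity] = []
    for obs in observations:
        for idx, existing in enumerate(resolved):
            if can_merge(existing, obs, id_props):
                resolved[idx] = merge(existing, obs, id_props)
                break
        else:
            resolved.append(obs)
    return resolved


# Constructed sample: one outbound connection seen by a firewall (protocol known)
# and by an EDR sensor (protocol not recorded), one observation with a conflicting
# protocol for the same 4-tuple, and one unrelated connection.
FIREWALL = {"SourceAddress": "10.0.0.5", "SourcePort": 51234,
            "DestinationAddress": "203.0.113.7", "DestinationPort": 443, "Protocol": "TCP"}
EDR = {"SourceAddress": "10.0.0.5", "SourcePort": 51234,
       "DestinationAddress": "203.0.113.7", "DestinationPort": 443, "Protocol": None}
CONFLICT = {"SourceAddress": "10.0.0.5", "SourcePort": 51234,
            "DestinationAddress": "203.0.113.7", "DestinationPort": 443, "Protocol": "UDP"}
OTHER = {"SourceAddress": "10.0.0.5", "SourcePort": 51235,
         "DestinationAddress": "203.0.113.7", "DestinationPort": 80, "Protocol": "TCP"}
OBSERVATIONS = [FIREWALL, EDR, CONFLICT, OTHER]


if __name__ == "__main__":
    # Expected: three records; the first carries Protocol "TCP" filled from the firewall view.
    for entity in resolve(OBSERVATIONS, NETCONN_ID_PROPERTIES):
        print(entity)
```

Treating None and [] as "no value" is what makes cross-source correlation work: each sensor fills in the fields it can see, and the merged record is the union. A genuine disagreement on a populated field (here TCP versus UDP on the same 4-tuple) is kept as a separate record rather than silently overwritten, which is the behaviour an analyst wants when two sources contradict each other.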
-
msticpy.datamodel.entities.process¶
Process Entity class.
-
class
msticpy.datamodel.entities.process.
Process
(src_entity: Mapping[str, Any] = None, src_event: Mapping[str, Any] = None, role='new', **kwargs)¶ Bases:
msticpy.datamodel.entities.entity.Entity
Process Entity class.
-
ProcessId
¶ Process ProcessId
Type: str
-
CommandLine
¶ Process CommandLine
Type: str
-
ElevationToken
¶ Process ElevationToken
Type: str
-
CreationTimeUtc
¶ Process CreationTimeUtc
Type: datetime
-
LogonSession
¶ Process LogonSession
Type: HostLogonSession
Create a new instance of the entity type.
Parameters: - src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)
- src_event (Mapping[str, Any], optional) – Create entity from event properties (the default is None)
- role (str, optional) – ‘new’ or ‘parent’ - only relevant if the entity is being constructed from an event. (the default is ‘new’)
Other Parameters: kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.
-
ENTITY_NAME_MAP
= {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 
'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}¶
-
ID_PROPERTIES
= ['ProcessId', 'ImageFile', 'CreationTimeUtc', 'CommandLine']¶
-
JSONEncoder
¶ alias of
msticpy.datamodel.entities.entity._EntityJSONEncoder
-
ProcessFilePath
¶ Return the name of the process file path.
-
ProcessName
¶ Return the name of the process file.
-
add_edge
(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)¶ Add an edge between self and target.
Parameters: - target (Node) – Target node.
- edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
-
can_merge
(other: Any) → bool¶ Return True if the entities can be merged.
Parameters: other (Any) – The other entity (object) to check.
Returns: True if other has no conflicting properties. Return type: bool
-
classmethod
create
(src_entity: Mapping[str, Any] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity¶ Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.
Returns: Instantiated entity. Return type: Entity
Notes: The entity type should be specified as “Type”, either as a key of src_entity or as a keyword argument.
-
classmethod
del_pivot_shortcut
(func_name: str)¶ Remove a pivot shortcut.
Parameters: func_name (str) – The name of the shortcut function.
Raises: - AttributeError – The class does not have an attribute named func_name.
- TypeError – The attribute to delete is not a pivot shortcut.
-
description_str
¶ Return Entity Description.
-
classmethod
get_pivot_list
() → List[str]¶ Return list of current pivot functions.
Returns: List of pivot functions assigned to entity. Return type: List[str]
-
has_edge
(other)¶ Return True if node has an edge with other.
-
classmethod
instantiate_entity
(raw_entity: Mapping[str, Any], entity_type: Optional[Type[CT_co]] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]¶ Class factory to return entity from raw dictionary representation.
Parameters: - raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
- entity_type (Optional[Type]) – The entity type to create, by default None.
Returns: The instantiated entity. Return type: Union[Entity, Mapping[str, Any]]
-
is_equivalent
(other: Any) → bool¶ Return True if the entities are equivalent.
Parameters: other (Any) – The entity to check.
Returns: True if equivalent. Return type: bool
Notes: This method checks that the compared entities do not have any properties with conflicting values. For example, none of the following pairs conflict:
- self.A == other.A
- self.B == “xyz” and other.B == None
- self.C == [] and other.C == [1, 2, 3]
-
list_pivot_funcs
()¶ Print list of pivot functions assigned to entity.
-
classmethod
make_pivot_shortcut
(func_name: str, target: str, overwrite: bool = False)¶ Add a shortcut to a pivot function to the class.
Parameters: - func_name (str) – The name of source pivot function.
- target (str) – The shortcut name (this will be a member function of the class)
- overwrite (bool, optional) – Force overwrite an existing pivot function, by default False
Raises: - AttributeError – The source function does not exist.
- TypeError – The source function is not a pivot function.
- TypeError – The target attribute exists and is not a pivot function.
- AttributeError – The target function exists and ‘overwrite=True’ was not specified.
-
merge
(other: Any) → msticpy.datamodel.entities.entity.Entity¶ Merge with other entity to create new entity.
Returns: Merged entity. Return type: Entity
Raises: - AttributeError – If the entities cannot be merged.
-
name_str
¶ Return Entity Name.
-
node_properties
¶ Return all public properties that are not entities.
Returns: Dictionary of name, value properties. Return type: Dict[str, Any]
-
classmethod
pivots
() → List[str]¶ Return list of current pivot functions.
Returns: List of pivot functions assigned to entity. Return type: List[str]
-
properties
¶ Return dictionary properties of entity.
Returns: Entity properties. Return type: dict
-
to_html
() → str¶ Return HTML representation of entity.
Returns: HTML representation of entity Return type: str
-
to_json
()¶ Return object as a JSON string.
-
to_networkx
(graph: networkx.classes.graph.Graph = None) → networkx.classes.graph.Graph¶ Return networkx graph of entities.
Parameters: graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None.
Returns: Graph with entity and any connected entities. Return type: nx.Graph
-
msticpy.datamodel.entities.registry_key¶
RegistryKey Entity class.
-
class
msticpy.datamodel.entities.registry_key.
RegistryKey
(src_entity: Mapping[str, Any] = None, **kwargs)¶ Bases:
msticpy.datamodel.entities.entity.Entity
RegistryKey Entity class.
-
Hive
¶ RegistryKey Hive
Type: RegistryHive
-
Key
¶ RegistryKey Key
Type: str
Create a new instance of the entity type.
Parameters: src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)
Other Parameters: kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.
-
ENTITY_NAME_MAP
= {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 
'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}¶
-
ID_PROPERTIES
= ['Hive', 'Key']¶
-
JSONEncoder
¶ alias of
msticpy.datamodel.entities.entity._EntityJSONEncoder
-
add_edge
(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)¶ Add an edge between self and target.
Parameters: - target (Node) – Target node.
- edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
-
can_merge
(other: Any) → bool¶ Return True if the entities can be merged.
Parameters: other (Any) – The other entity (object) to check Returns: True if other has no conflicting properties. Return type: bool
-
classmethod
create
(src_entity: Mapping[str, Any] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity¶ Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.
Returns: Instantiated entity
Return type: Entity
Notes
The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.
-
classmethod
del_pivot_shortcut
(func_name: str)¶ Remove a pivot shortcut.
Parameters: func_name (str) – The name of the shortcut function.
Raises: - AttributeError – The class does not have an attribute func_name
- TypeError – The attribute to delete is not a pivot shortcut.
-
description_str
¶ Return Entity Description.
-
classmethod
get_pivot_list
() → List[str]¶ Return list of current pivot functions.
Returns: List of pivot functions assigned to entity. Return type: List[str]
-
has_edge
(other)¶ Return True if node has an edge with other.
-
classmethod
instantiate_entity
(raw_entity: Mapping[str, Any], entity_type: Optional[Type[CT_co]] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]¶ Class factory to return entity from raw dictionary representation.
Parameters: - raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
- entity_type (Optional[Type]) – The entity type to create, by default None.
Returns: The instantiated entity
Return type:
-
is_equivalent
(other: Any) → bool¶ Return True if the entities are equivalent.
Parameters: other (Any) – The entity to check
Returns: True if equivalent.
Return type: bool
Notes
This method checks that the compared entities do not have any property values with conflicting values. E.g. none of the following pairs conflict:
- self.A == other.A
- self.B == “xyz” and other.B == None
- self.C == [] and other.C == [1, 2, 3]
-
list_pivot_funcs
()¶ Print list of pivot functions assigned to entity.
-
classmethod
make_pivot_shortcut
(func_name: str, target: str, overwrite: bool = False)¶ Add a shortcut to a pivot function to the class.
Parameters: - func_name (str) – The name of source pivot function.
- target (str) – The shortcut name (this will be a member function of the class)
- overwrite (bool, optional) – Force overwrite an existing pivot function, by default False
Raises: - AttributeError – The source function does not exist
- TypeError – The source function is not a pivot function.
- TypeError – The target attribute exists and is not a pivot function
- AttributeError – The target function exists and ‘overwrite=True’ was not specified.
-
merge
(other: Any) → msticpy.datamodel.entities.entity.Entity¶ Merge with other entity to create new entity.
Returns: Merged entity.
Return type: Entity
Raises: AttributeError – If the entities cannot be merged.
-
name_str
¶ Return Entity Name.
-
node_properties
¶ Return all public properties that are not entities.
Returns: Dictionary of name, value properties. Return type: Dict[str, Any]
-
classmethod
pivots
() → List[str]¶ Return list of current pivot functions.
Returns: List of pivot functions assigned to entity. Return type: List[str]
-
properties
¶ Return dictionary properties of entity.
Returns: Entity properties. Return type: dict
-
to_html
() → str¶ Return HTML representation of entity.
Returns: HTML representation of entity Return type: str
-
to_json
()¶ Return object as a JSON string.
-
to_networkx
(graph: networkx.classes.graph.Graph = None) → networkx.classes.graph.Graph¶ Return networkx graph of entities.
Parameters: graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None Returns: Graph with entity and any connected entities. Return type: nx.Graph
-
msticpy.datamodel.entities.registry_value¶
RegistryValue Entity class.
-
class
msticpy.datamodel.entities.registry_value.
RegistryValue
(src_entity: Mapping[str, Any] = None, **kwargs)¶ Bases:
msticpy.datamodel.entities.entity.Entity
RegistryValue Entity class.
-
Key
¶ RegistryValue Key
Type: str
-
Name
¶ RegistryValue Name
Type: str
-
Value
¶ RegistryValue Value
Type: str
-
ValueType
¶ RegistryValue ValueType
Type: str
Create a new instance of the entity type.
Parameters: src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)
Other Parameters: kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.
-
ENTITY_NAME_MAP
= {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}¶
-
ID_PROPERTIES
= ['Key', 'Name', 'Value']¶
-
JSONEncoder
¶ alias of
msticpy.datamodel.entities.entity._EntityJSONEncoder
-
add_edge
(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)¶ Add an edge between self and target.
Parameters: - target (Node) – Target node.
- edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
-
can_merge
(other: Any) → bool¶ Return True if the entities can be merged.
Parameters: other (Any) – The other entity (object) to check Returns: True if other has no conflicting properties. Return type: bool
-
classmethod
create
(src_entity: Mapping[str, Any] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity¶ Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.
Returns: Instantiated entity
Return type: Entity
Notes
The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.
-
classmethod
del_pivot_shortcut
(func_name: str)¶ Remove a pivot shortcut.
Parameters: func_name (str) – The name of the shortcut function.
Raises: - AttributeError – The class does not have an attribute func_name
- TypeError – The attribute to delete is not a pivot shortcut.
-
description_str
¶ Return Entity Description.
-
classmethod
get_pivot_list
() → List[str]¶ Return list of current pivot functions.
Returns: List of pivot functions assigned to entity. Return type: List[str]
-
has_edge
(other)¶ Return True if node has an edge with other.
-
classmethod
instantiate_entity
(raw_entity: Mapping[str, Any], entity_type: Optional[Type[CT_co]] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]¶ Class factory to return entity from raw dictionary representation.
Parameters: - raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
- entity_type (Optional[Type]) – The entity type to create, by default None.
Returns: The instantiated entity
Return type:
-
is_equivalent
(other: Any) → bool¶ Return True if the entities are equivalent.
Parameters: other (Any) – The entity to check
Returns: True if equivalent.
Return type: bool
Notes
This method checks that the compared entities do not have any property values with conflicting values. E.g. none of the following pairs conflict:
- self.A == other.A
- self.B == “xyz” and other.B == None
- self.C == [] and other.C == [1, 2, 3]
-
list_pivot_funcs
()¶ Print list of pivot functions assigned to entity.
-
classmethod
make_pivot_shortcut
(func_name: str, target: str, overwrite: bool = False)¶ Add a shortcut to a pivot function to the class.
Parameters: - func_name (str) – The name of source pivot function.
- target (str) – The shortcut name (this will be a member function of the class)
- overwrite (bool, optional) – Force overwrite an existing pivot function, by default False
Raises: - AttributeError – The source function does not exist
- TypeError – The source function is not a pivot function.
- TypeError – The target attribute exists and is not a pivot function
- AttributeError – The target function exists and ‘overwrite=True’ was not specified.
-
merge
(other: Any) → msticpy.datamodel.entities.entity.Entity¶ Merge with other entity to create new entity.
Returns: Merged entity.
Return type: Entity
Raises: AttributeError – If the entities cannot be merged.
-
name_str
¶ Return Entity Name.
-
node_properties
¶ Return all public properties that are not entities.
Returns: Dictionary of name, value properties. Return type: Dict[str, Any]
-
classmethod
pivots
() → List[str]¶ Return list of current pivot functions.
Returns: List of pivot functions assigned to entity. Return type: List[str]
-
properties
¶ Return dictionary properties of entity.
Returns: Entity properties. Return type: dict
-
to_html
() → str¶ Return HTML representation of entity.
Returns: HTML representation of entity Return type: str
-
to_json
()¶ Return object as a JSON string.
-
to_networkx
(graph: networkx.classes.graph.Graph = None) → networkx.classes.graph.Graph¶ Return networkx graph of entities.
Parameters: graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None Returns: Graph with entity and any connected entities. Return type: nx.Graph
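The is_equivalent, can_merge and merge contract documented above (two entities are "equivalent" when no property is populated with different values on both sides, so a None or empty value on one side never blocks a merge) is easier to see in working code, as is the role of ID_PROPERTIES in telling observations apart. The following is an added example written for this page, not msticpy's implementation: SimpleEntity and RegistryValueEntity are hypothetical stand-ins that re-implement the documented semantics over a plain property dict, RegistryValueEntity.ID_PROPERTIES copies the list shown for RegistryValue, consolidate() is a hypothetical helper, and the Run-key observations are constructed sample data.

```python
from typing import Any, Dict, List, Tuple


def _is_unset(value: Any) -> bool:
    """Treat None, empty strings and empty containers as 'no value'."""
    return value is None or value == "" or value == [] or value == {}


class SimpleEntity:
    """Hypothetical stand-in for an msticpy entity: a bag of named
    properties plus the documented equivalence/merge semantics."""

    ID_PROPERTIES: List[str] = []

    def __init__(self, **kwargs: Any) -> None:
        # Keep only populated properties, so an observation that lacks a
        # field does not pin that field to None.
        self._props: Dict[str, Any] = {
            k: v for k, v in kwargs.items() if not _is_unset(v)
        }

    @property
    def properties(self) -> Dict[str, Any]:
        return dict(self._props)

    def identity(self) -> Tuple[Any, ...]:
        """Values of ID_PROPERTIES, the fields that distinguish one entity from another."""
        return tuple(self._props.get(name) for name in self.ID_PROPERTIES)

    def is_equivalent(self, other: Any) -> bool:
        """True when no property carries *different* values on both sides."""
        if type(other) is not type(self):
            return False
        for name in set(self._props) | set(other._props):
            mine, theirs = self._props.get(name), other._props.get(name)
            if _is_unset(mine) or _is_unset(theirs):
                continue  # one side has no value: not a conflict
            if mine != theirs:
                return False  # both populated and different: conflict
        return True

    def can_merge(self, other: Any) -> bool:
        return self.is_equivalent(other)

    def merge(self, other: Any) -> "SimpleEntity":
        """Return a new entity holding the union of both property sets."""
        if not self.can_merge(other):
            raise AttributeError("entities have conflicting property values")
        merged: Dict[str, Any] = dict(other._props)
        merged.update(self._props)  # populated values on both sides are equal by now
        return type(self)(**merged)


class RegistryValueEntity(SimpleEntity):
    ID_PROPERTIES = ["Key", "Name", "Value"]  # same list as RegistryValue above


def consolidate(observations: List[SimpleEntity]) -> List[SimpleEntity]:
    """Fold partial observations into the smallest set of mutually
    non-conflicting entities, merging wherever can_merge allows."""
    result: List[SimpleEntity] = []
    for obs in observations:
        for i, existing in enumerate(result):
            if existing.can_merge(obs):
                result[i] = existing.merge(obs)
                break
        else:
            result.append(obs)
    return result


# Constructed sample: three partial observations of the same Run-key value
# name from different log sources; the third reports a different data value.
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
OBSERVATIONS = [
    RegistryValueEntity(Key=RUN_KEY, Name="Updater"),  # alert carried key+name only
    RegistryValueEntity(Key=RUN_KEY, Name="Updater",
                        Value=r"C:\ProgramData\Vendor\updater.exe", ValueType="REG_SZ"),
    RegistryValueEntity(Key=RUN_KEY, Name="Updater",
                        Value=r"C:\Users\Public\updater.exe"),  # conflicts with the second
]


def demo() -> List[Dict[str, Any]]:
    return [entity.properties for entity in consolidate(OBSERVATIONS)]


if __name__ == "__main__":
    for props in demo():
        print(props)
```

Two points worth noticing when using this on real alert entities: consolidate() is greedy and order-dependent, and an observation with none of its ID_PROPERTIES populated is "equivalent" to everything, so it will be absorbed into the first entity it is compared against. When de-duplicating entities across alerts, check how many ID properties are actually populated before trusting a merge.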
-
msticpy.datamodel.entities.security_group¶
SecurityGroup Entity class.
-
class
msticpy.datamodel.entities.security_group.
SecurityGroup
(src_entity: Mapping[str, Any] = None, **kwargs)¶ Bases:
msticpy.datamodel.entities.entity.Entity
SecurityGroup Entity class.
-
DistinguishedName
¶ SecurityGroup DistinguishedName
Type: str
-
SID
¶ SecurityGroup SID
Type: str
-
ObjectGuid
¶ SecurityGroup ObjectGuid
Type: str
Create a new instance of the entity type.
Parameters: src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)
Other Parameters: kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.
-
ENTITY_NAME_MAP
= {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}¶
-
ID_PROPERTIES
= ['DistinguishedName', 'SID', 'ObjectGuid']¶
-
JSONEncoder
¶ alias of
msticpy.datamodel.entities.entity._EntityJSONEncoder
-
add_edge
(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)¶ Add an edge between self and target.
Parameters: - target (Node) – Target node.
- edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
-
can_merge
(other: Any) → bool¶ Return True if the entities can be merged.
Parameters: other (Any) – The other entity (object) to check Returns: True if other has no conflicting properties. Return type: bool
-
classmethod
create
(src_entity: Mapping[str, Any] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity¶ Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.
Returns: Instantiated entity
Return type: Entity
Notes
The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.
-
classmethod
del_pivot_shortcut
(func_name: str)¶ Remove a pivot shortcut.
Parameters: func_name (str) – The name of the shortcut function.
Raises: - AttributeError – The class does not have an attribute func_name
- TypeError – The attribute to delete is not a pivot shortcut.
-
description_str
¶ Return Entity Description.
-
classmethod
get_pivot_list
() → List[str]¶ Return list of current pivot functions.
Returns: List of pivot functions assigned to entity. Return type: List[str]
-
has_edge
(other)¶ Return True if node has an edge with other.
-
classmethod
instantiate_entity
(raw_entity: Mapping[str, Any], entity_type: Optional[Type[CT_co]] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]¶ Class factory to return entity from raw dictionary representation.
Parameters: - raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
- entity_type (Optional[Type]) – The entity type to create, by default None.
Returns: The instantiated entity
Return type:
-
is_equivalent
(other: Any) → bool¶ Return True if the entities are equivalent.
Parameters: other (Any) – The entity to check
Returns: True if equivalent.
Return type: bool
Notes
This method checks that the compared entities do not have any property values with conflicting values. E.g. none of the following pairs conflict:
- self.A == other.A
- self.B == “xyz” and other.B == None
- self.C == [] and other.C == [1, 2, 3]
-
list_pivot_funcs
()¶ Print list of pivot functions assigned to entity.
-
classmethod
make_pivot_shortcut
(func_name: str, target: str, overwrite: bool = False)¶ Add a shortcut to a pivot function to the class.
Parameters: - func_name (str) – The name of source pivot function.
- target (str) – The shortcut name (this will be a member function of the class)
- overwrite (bool, optional) – Force overwrite an existing pivot function, by default False
Raises: - AttributeError – The source function does not exist
- TypeError – The source function is not a pivot function.
- TypeError – The target attribute exists and is not a pivot function
- AttributeError – The target function exists and ‘overwrite=True’ was not specified.
-
merge
(other: Any) → msticpy.datamodel.entities.entity.Entity¶ Merge with other entity to create new entity.
Returns: Merged entity.
Return type: Entity
Raises: AttributeError – If the entities cannot be merged.
-
name_str
¶ Return Entity Name.
-
node_properties
¶ Return all public properties that are not entities.
Returns: Dictionary of name, value properties. Return type: Dict[str, Any]
-
classmethod
pivots
() → List[str]¶ Return list of current pivot functions.
Returns: List of pivot functions assigned to entity. Return type: List[str]
-
properties
¶ Return dictionary properties of entity.
Returns: Entity properties. Return type: dict
-
to_html
() → str¶ Return HTML representation of entity.
Returns: HTML representation of entity Return type: str
-
to_json
()¶ Return object as a JSON string.
-
to_networkx
(graph: networkx.classes.graph.Graph = None) → networkx.classes.graph.Graph¶ Return networkx graph of entities.
Parameters: graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None Returns: Graph with entity and any connected entities. Return type: nx.Graph
-
msticpy.datamodel.entities.threat_intelligence¶
Threatintelligence Entity class.
-
class
msticpy.datamodel.entities.threat_intelligence.
Threatintelligence
(src_entity: Mapping[str, Any] = None, **kwargs)¶ Bases:
msticpy.datamodel.entities.entity.Entity
Threatintelligence Entity class.
-
ProviderName
¶ Threatintelligence ProviderName
Type: str
-
ThreatType
¶ Threatintelligence ThreatType
Type: str
-
ThreatName
¶ Threatintelligence ThreatName
Type: str
-
Confidence
¶ Threatintelligence Confidence
Type: str
-
ReportLink
¶ Threatintelligence ReportLink
Type: str
-
ThreatDescription
¶ Threatintelligence ThreatDescription
Type: str
Create a new instance of the entity type.
Parameters: src_entity – Instantiate entity using properties of src entity.
Other Parameters: kwargs – Key-value pair representation of entity.
-
ENTITY_NAME_MAP
= {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}¶
-
ID_PROPERTIES
= ['ProviderName', 'ThreatName', 'ReportLink']¶
-
JSONEncoder
¶ alias of
msticpy.datamodel.entities.entity._EntityJSONEncoder
-
add_edge
(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)¶ Add an edge between self and target.
Parameters: - target (Node) – Target node.
- edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
-
can_merge
(other: Any) → bool¶ Return True if the entities can be merged.
Parameters: other (Any) – The other entity (object) to check Returns: True if other has no conflicting properties. Return type: bool
-
classmethod
create
(src_entity: Mapping[str, Any] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity¶ Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.
Returns: Instantiated entity
Return type: Entity
Notes
The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.
-
classmethod
del_pivot_shortcut
(func_name: str)¶ Remove a pivot shortcut.
Parameters: func_name (str) – The name of the shortcut function.
Raises: - AttributeError – The class does not have an attribute func_name
- TypeError – The attribute to delete is not a pivot shortcut.
-
description_str
¶ Return Entity Description.
-
classmethod
get_pivot_list
() → List[str]¶ Return list of current pivot functions.
Returns: List of pivot functions assigned to entity. Return type: List[str]
-
has_edge
(other)¶ Return True if node has an edge with other.
-
classmethod
instantiate_entity
(raw_entity: Mapping[str, Any], entity_type: Optional[Type[CT_co]] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]¶ Class factory to return entity from raw dictionary representation.
Parameters: - raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
- entity_type (Optional[Type]) – The entity type to create, by default None.
Returns: The instantiated entity
Return type:
-
is_equivalent
(other: Any) → bool¶ Return True if the entities are equivalent.
Parameters: other (Any) – The entity to check
Returns: True if equivalent.
Return type: bool
Notes
This method checks that the compared entities do not have any property values with conflicting values. E.g. none of the following pairs conflict:
- self.A == other.A
- self.B == “xyz” and other.B == None
- self.C == [] and other.C == [1, 2, 3]
-
list_pivot_funcs
()¶ Print list of pivot functions assigned to entity.
-
classmethod
make_pivot_shortcut
(func_name: str, target: str, overwrite: bool = False)¶ Add a shortcut to a pivot function to the class.
Parameters: - func_name (str) – The name of source pivot function.
- target (str) – The shortcut name (this will be a member function of the class)
- overwrite (bool, optional) – Force overwrite an existing pivot function, by default False
Raises: - AttributeError – The source function does not exist
- TypeError – The source function is not a pivot function.
- TypeError – The target attribute exists and is not a pivot function
- AttributeError – The target function exists and ‘overwrite=True’ was not specified.
-
merge
(other: Any) → msticpy.datamodel.entities.entity.Entity¶ Merge with other entity to create new entity.
Returns: Merged entity.
Return type: Entity
Raises: AttributeError – If the entities cannot be merged.
-
name_str
¶ Return Entity Name.
-
node_properties
¶ Return all public properties that are not entities.
Returns: Dictionary of name, value properties. Return type: Dict[str, Any]
-
classmethod
pivots
() → List[str]¶ Return list of current pivot functions.
Returns: List of pivot functions assigned to entity. Return type: List[str]
-
properties
¶ Return dictionary properties of entity.
Returns: Entity properties. Return type: dict
-
to_html
() → str¶ Return HTML representation of entity.
Returns: HTML representation of entity Return type: str
-
to_json
()¶ Return object as a JSON string.
-
to_networkx
(graph: networkx.classes.graph.Graph = None) → networkx.classes.graph.Graph¶ Return networkx graph of entities.
Parameters: graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None Returns: Graph with entity and any connected entities. Return type: nx.Graph
-
msticpy.datamodel.entities.unknown_entity¶
UnknownEntity (generic) Entity class.
-
class
msticpy.datamodel.entities.unknown_entity.
UnknownEntity
(src_entity: Mapping[str, Any] = None, **kwargs)¶ Bases:
msticpy.datamodel.entities.entity.Entity
Generic Entity class.
Create a new instance of the entity type.
Parameters: src_entity – Instantiate entity using properties of src entity.
Other Parameters: kwargs – Key-value pair representation of entity.
-
ENTITY_NAME_MAP
= {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}¶
ID_PROPERTIES = []

JSONEncoder
    alias of msticpy.datamodel.entities.entity._EntityJSONEncoder

add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)
    Add an edge between self and target.
    Parameters:
    - target (Node) – Target node.
    - edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to the new edge, by default None

can_merge(other: Any) → bool
    Return True if the entities can be merged.
    Parameters: other (Any) – The other entity (object) to check
    Returns: True if other has no conflicting properties.
    Return type: bool

classmethod create(src_entity: Mapping[str, Any] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity
    Create an entity from a mapping type (e.g. pd.Series), a dict, or kwargs.
    Returns: Instantiated entity
    Return type: Entity
    Notes: The entity type should be specified as "Type", either as a key of src_entity or as a keyword argument.

classmethod del_pivot_shortcut(func_name: str)
    Remove a pivot shortcut.
    Parameters: func_name (str) – The name of the shortcut function.
    Raises:
    - AttributeError – The class does not have an attribute func_name.
    - TypeError – The attribute to delete is not a pivot shortcut.

description_str
    Return Entity Description.

classmethod get_pivot_list() → List[str]
    Return list of current pivot functions.
    Returns: List of pivot functions assigned to entity.
    Return type: List[str]

has_edge(other)
    Return True if node has an edge with other.

classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type[CT_co]] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]
    Class factory to return entity from raw dictionary representation.
    Parameters:
    - raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
    - entity_type (Optional[Type]) – The entity type to create, by default None.
    Returns: The instantiated entity

is_equivalent(other: Any) → bool
    Return True if the entities are equivalent.
    Parameters: other (Any) – The entity to check
    Returns: True if equivalent.
    Return type: bool
    Notes: This method checks that the compared entities do not have any properties with conflicting values. E.g. self.A == other.A; self.B == "xyz" and other.B == None; self.C == [] and other.C == [1, 2, 3] are all treated as non-conflicting.

list_pivot_funcs()
    Print list of pivot functions assigned to entity.

classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)
    Add a shortcut to a pivot function to the class.
    Parameters:
    - func_name (str) – The name of the source pivot function.
    - target (str) – The shortcut name (this will be a member function of the class)
    - overwrite (bool, optional) – Force overwrite of an existing pivot function, by default False
    Raises:
    - AttributeError – The source function does not exist.
    - TypeError – The source function is not a pivot function.
    - TypeError – The target attribute exists and is not a pivot function.
    - AttributeError – The target function exists and 'overwrite=True' was not specified.

merge(other: Any) → msticpy.datamodel.entities.entity.Entity
    Merge with other entity to create new entity.
    Returns: Merged entity.
    Return type: Entity
    Raises: AttributeError – If the entities cannot be merged.

name_str
    Return Entity Name.

node_properties
    Return all public properties that are not entities.
    Returns: Dictionary of name, value properties.
    Return type: Dict[str, Any]

classmethod pivots() → List[str]
    Return list of current pivot functions.
    Returns: List of pivot functions assigned to entity.
    Return type: List[str]

properties
    Return dictionary properties of entity.
    Returns: Entity properties.
    Return type: dict

to_html() → str
    Return HTML representation of entity.
    Returns: HTML representation of entity
    Return type: str

to_json()
    Return object as a JSON string.

to_networkx(graph: networkx.classes.graph.Graph = None) → networkx.classes.graph.Graph
    Return networkx graph of entities.
    Parameters: graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None
    Returns: Graph with entity and any connected entities.
    Return type: nx.Graph
msticpy.datamodel.entities.url
Url Entity class.

class msticpy.datamodel.entities.url.Url(src_entity: Mapping[str, Any] = None, src_event: Mapping[str, Any] = None, **kwargs)
    Bases: msticpy.datamodel.entities.entity.Entity
    URL Entity.

Url
    The URL
    Type: str

DetonationVerdict
    The verdict of the URL detection
    Type: str

    Create a new instance of the entity type.
    Parameters:
    - src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)
    - src_event (Mapping[str, Any], optional) – Create entity from event properties (the default is None)
    Other Parameters: kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.
ENTITY_NAME_MAP
    Inherited from Entity; the same name-to-class mapping as listed under Account above.
ID_PROPERTIES = ['Url']

JSONEncoder
    alias of msticpy.datamodel.entities.entity._EntityJSONEncoder

add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)
    Add an edge between self and target.
    Parameters:
    - target (Node) – Target node.
    - edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to the new edge, by default None

can_merge(other: Any) → bool
    Return True if the entities can be merged.
    Parameters: other (Any) – The other entity (object) to check
    Returns: True if other has no conflicting properties.
    Return type: bool

classmethod create(src_entity: Mapping[str, Any] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity
    Create an entity from a mapping type (e.g. pd.Series), a dict, or kwargs.
    Returns: Instantiated entity
    Return type: Entity
    Notes: The entity type should be specified as "Type", either as a key of src_entity or as a keyword argument.

classmethod del_pivot_shortcut(func_name: str)
    Remove a pivot shortcut.
    Parameters: func_name (str) – The name of the shortcut function.
    Raises:
    - AttributeError – The class does not have an attribute func_name.
    - TypeError – The attribute to delete is not a pivot shortcut.

description_str
    Return Entity Description.

classmethod get_pivot_list() → List[str]
    Return list of current pivot functions.
    Returns: List of pivot functions assigned to entity.
    Return type: List[str]

has_edge(other)
    Return True if node has an edge with other.

classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type[CT_co]] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]
    Class factory to return entity from raw dictionary representation.
    Parameters:
    - raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
    - entity_type (Optional[Type]) – The entity type to create, by default None.
    Returns: The instantiated entity

is_equivalent(other: Any) → bool
    Return True if the entities are equivalent.
    Parameters: other (Any) – The entity to check
    Returns: True if equivalent.
    Return type: bool
    Notes: This method checks that the compared entities do not have any properties with conflicting values. E.g. self.A == other.A; self.B == "xyz" and other.B == None; self.C == [] and other.C == [1, 2, 3] are all treated as non-conflicting.

list_pivot_funcs()
    Print list of pivot functions assigned to entity.

classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)
    Add a shortcut to a pivot function to the class.
    Parameters:
    - func_name (str) – The name of the source pivot function.
    - target (str) – The shortcut name (this will be a member function of the class)
    - overwrite (bool, optional) – Force overwrite of an existing pivot function, by default False
    Raises:
    - AttributeError – The source function does not exist.
    - TypeError – The source function is not a pivot function.
    - TypeError – The target attribute exists and is not a pivot function.
    - AttributeError – The target function exists and 'overwrite=True' was not specified.

merge(other: Any) → msticpy.datamodel.entities.entity.Entity
    Merge with other entity to create new entity.
    Returns: Merged entity.
    Return type: Entity
    Raises: AttributeError – If the entities cannot be merged.

name_str
    Return Entity Name.

node_properties
    Return all public properties that are not entities.
    Returns: Dictionary of name, value properties.
    Return type: Dict[str, Any]

classmethod pivots() → List[str]
    Return list of current pivot functions.
    Returns: List of pivot functions assigned to entity.
    Return type: List[str]

properties
    Return dictionary properties of entity.
    Returns: Entity properties.
    Return type: dict

to_html() → str
    Return HTML representation of entity.
    Returns: HTML representation of entity
    Return type: str

to_json()
    Return object as a JSON string.

to_networkx(graph: networkx.classes.graph.Graph = None) → networkx.classes.graph.Graph
    Return networkx graph of entities.
    Parameters: graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None
    Returns: Graph with entity and any connected entities.
    Return type: nx.Graph
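The is_equivalent / can_merge / merge contract documented above for Account and Url (and every other Entity subclass) is what lets an analyst fuse partial observations of the same object from different sources without silently overwriting a real value with a different one. The block below is an added example, not msticpy's own code: SimpleEntity is a hypothetical stand-in that implements the conflict rule from the is_equivalent notes (equal values, or one side None/empty, never conflict) and refuses to merge on any other difference. The account data in demo() is constructed, and the SID is a placeholder.

```python
"""Added example (not msticpy's own code): the conflict rule that
Entity.is_equivalent, can_merge and merge are documented with, on a
small stand-in entity class so it runs without msticpy installed."""
from typing import Any, Dict, Tuple


class SimpleEntity:
    """Hypothetical stand-in for msticpy's Entity: properties live in a dict."""

    def __init__(self, **props: Any) -> None:
        self.props: Dict[str, Any] = props

    @staticmethod
    def _is_empty(value: Any) -> bool:
        # None, "" and empty containers carry no information and never conflict.
        if value is None or value == "":
            return True
        return hasattr(value, "__len__") and len(value) == 0

    def conflicts(self, other: "SimpleEntity") -> Dict[str, Tuple[Any, Any]]:
        """Return {name: (mine, theirs)} for every property whose values collide.

        Two values collide only when both are non-empty and differ, which is the
        rule illustrated in the is_equivalent notes (A == A; "xyz" vs None;
        [] vs [1, 2, 3] are all non-conflicting).
        """
        found: Dict[str, Tuple[Any, Any]] = {}
        for name in sorted(set(self.props) | set(other.props)):
            mine, theirs = self.props.get(name), other.props.get(name)
            if self._is_empty(mine) or self._is_empty(theirs):
                continue
            if mine != theirs:
                found[name] = (mine, theirs)
        return found

    def can_merge(self, other: "SimpleEntity") -> bool:
        return not self.conflicts(other)

    is_equivalent = can_merge  # same test, as in the Entity docs above

    def merge(self, other: "SimpleEntity") -> "SimpleEntity":
        """Fill this entity's empty properties from other; refuse on any conflict."""
        clashes = self.conflicts(other)
        if clashes:
            raise AttributeError(f"entities cannot be merged, conflicting properties: {clashes}")
        merged = dict(self.props)
        for name, value in other.props.items():
            if self._is_empty(merged.get(name)):
                merged[name] = value
        return SimpleEntity(**merged)


def demo() -> Tuple[Dict[str, Any], bool]:
    """Constructed sample: one account observed in two sources with partial data."""
    from_logon_event = SimpleEntity(Name="alice", NTDomain="CORP", Sid=None, Tags=[])
    from_directory = SimpleEntity(Name="alice", Sid="S-1-5-21-EXAMPLE-1001", Tags=["admin"])  # placeholder SID
    fused = from_logon_event.merge(from_directory)
    someone_else = SimpleEntity(Name="bob", NTDomain="CORP")
    # Same NTDomain but a different Name: a conflict, so the two must stay separate.
    return fused.props, from_logon_event.can_merge(someone_else)


if __name__ == "__main__":
    print(demo())
```

The point to take from the design: merge only ever fills gaps, so an empty Sid from a logon event is completed from the directory record, while two non-empty, differing Names raise AttributeError instead of one observation overwriting the other.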
msticpy.datamodel.pivot
Pivot functions main module.

class msticpy.datamodel.pivot.Pivot(namespace: Dict[str, Any] = None, providers: Iterable[Any] = None, timespan: Optional[msticpy.common.timespan.TimeSpan] = None)
    Bases: object
    Pivot environment loader.
    Instantiate a Pivot environment.
    Parameters:
    - namespace (Dict[str, Any], optional) – To search for and use any current providers, specify namespace=globals(), by default None
    - providers (Iterable[Any], optional) – A list of query providers, TILookup or other providers to use (these will override providers of the same type read from namespace), by default None
    - timespan (Optional[TimeSpan], optional) – The default timespan used by providers that require start and end times. By default the time range is initialized to the 24 hours prior to the load time.

static add_pivot_function(func: Callable[[Any], Any], pivot_reg: Optional[msticpy.datamodel.pivot_register.PivotRegistration] = None, container: Optional[str] = None, **kwargs)
    Add a pivot function to entities.
    Parameters:
    - func (Callable[[Any], Any]) – The function to add
    - pivot_reg (PivotRegistration, optional) – Pivot registration object, by default None
    - container (str, optional) – The name of the container into which the function should be added, by default "other"
    Other Parameters: kwargs – If pivot_reg is not supplied you can specify the required pivot registration parameters via keyword arguments. You must specify input_type (str) and entity_map (dict of entity_name, entity_attribute pairs).
    See also: PivotRegistration()

add_query_provider(prov: msticpy.data.data_providers.QueryProvider)
    Add pivot functions from provider.
    Parameters: prov (QueryProvider) – Query provider.

static browse()
    Return PivotBrowser.

current = None

edit_query_time(timespan: Optional[msticpy.common.timespan.TimeSpan] = None)
    Display a QueryTime widget to get the timespan.
    Parameters: timespan (Optional[TimeSpan], optional) – Pre-populate the timespan shown by the QueryTime editor, by default None

end
    Return current end time for queries.

get_provider(name: str) → Any
    Get a provider by type name.
    Parameters: name (str) – The name of the provider type.
    Returns: An instance of the provider, or None if the Pivot environment does not have one.
    Return type: Any

get_timespan() → msticpy.common.timespan.TimeSpan
    Return the timespan as a TimeSpan object.

providers
    Return the current set of loaded providers.
    Returns: provider_name, provider_instance
    Return type: Dict[str, Any]

static register_pivot_providers(pivot_reg_path: str, namespace: Dict[str, Any] = None, def_container: str = 'custom', force_container: bool = False)
    Register pivot functions from configuration file.
    Parameters:
    - pivot_reg_path (str) – Path to config yaml file
    - namespace (Dict[str, Any], optional) – Namespace to search for existing instances of classes, by default None
    - def_container (str, optional) – Container name to use for entity pivot functions, by default "other"
    - force_container (bool, optional) – Force container value to be used even if entity definitions have a specific setting for a container name, by default False
    Raises: ValueError – An entity specified in the config file is not recognized.

reload_pivots(namespace: Dict[str, Any] = None, providers: Iterable[Any] = None, clear_existing: bool = True)
    Load or reload Pivot functions from environment and/or providers list.
    Parameters:
    - namespace (Dict[str, Any], optional) – To search for and use any current providers, specify namespace=globals(), by default None
    - providers (Iterable[Any], optional) – A list of query providers, TILookup or other providers to use (these will override providers of the same type read from namespace), by default None
    - clear_existing (bool) – Reloads pivot functions without clearing existing pivot assignments. Any pivot functions with conflicting names will be overwritten by the reload operation. The default is True.

static remove_pivot_funcs(entity: str)
    Remove pivot functions from one or all entities.
    Parameters: entity (str) – entity class name or "all" to remove all pivot functions.
    Raises: ValueError – If entity is not a recognized entity class.

set_timespan(value: Optional[Any] = None, **kwargs)
    Set the pivot timespan.
    Parameters: value (Optional[Any], optional) – TimeSpan object or something convertible to a TimeSpan, by default None
    Other Parameters: kwargs – Key/value arguments passed to the TimeSpan constructor.

start
    Return current start time for queries.
msticpy.datamodel.pivot_data_queries
Pivot query functions class.

class msticpy.datamodel.pivot_data_queries.ParamAttrs(type, query, family, required)
    Bases: tuple
    Create new instance of ParamAttrs(type, query, family, required)

count()
    Return number of occurrences of value.

family
    Alias for field number 2

index()
    Return first index of value.
    Raises ValueError if the value is not present.

query
    Alias for field number 1

required
    Alias for field number 3

type
    Alias for field number 0

class msticpy.datamodel.pivot_data_queries.PivQuerySettings(short_name, direct_func_entities, assigned_entities)
    Bases: tuple
    Create new instance of PivQuerySettings(short_name, direct_func_entities, assigned_entities)

assigned_entities
    Alias for field number 2

count()
    Return number of occurrences of value.

direct_func_entities
    Alias for field number 1

index()
    Return first index of value.
    Raises ValueError if the value is not present.

short_name
    Alias for field number 0

class msticpy.datamodel.pivot_data_queries.PivotQueryFunctions(query_provider: msticpy.data.data_providers.QueryProvider, ignore_reqd: List[str] = None)
    Bases: object
    Class to retrieve the queries and params from a provider.
    Instantiate PivotQueryFunctions class.
    Parameters:
    - query_provider ([type]) – The query provider to load
    - ignore_reqd (List[str], optional) – List of parameters to ignore when building the required parameters list (e.g. ['start', 'end']), by default None

current = None

get_param_attrs(param_name: str) → List[msticpy.datamodel.pivot_data_queries.ParamAttrs]
    Get the attributes for a parameter name.
    Parameters: param_name (str) – Parameter name
    Returns: List of ParamAttrs named tuples: (type, query, family, required)
    Return type: List[ParamAttrs]
    Notes: Since parameters may be defined for multiple queries, the set of parameter attributes is returned for each query.

get_params(query_func_name: str) → Optional[msticpy.datamodel.pivot_data_queries.QueryParams]
    Get the parameters for a query function.
    Parameters: query_func_name (str) – Query name; the name must be fully qualified (e.g. 'WindowsSecurity.list_processes')
    Returns: QueryParams named tuple (all, required, full_required, param_attrs, table)
    Return type: QueryParams

get_queries_and_types_for_param(param: str) → Iterable[Tuple[str, str, str, Callable[[Any], Any]]]
    Get queries and parameter data types for param.
    Parameters: param (str) – The parameter name.
    Returns: Iterable of tuples listing: query_name, param_type, query_func
    Return type: Iterable[Tuple[str, str, Callable[[Any], Any]]]

get_queries_for_param(param: str) → Iterable[Tuple[str, str, Callable[[Any], Any]]]
    Get the list of queries for a parameter.
    Parameters: param (str) – Parameter name
    Returns: Iterable of tuples listing: query_name, query_func
    Return type: Iterable[Tuple[str, str, Callable[[Any], Any]]]

get_query_pivot_settings(family: str, query: str) → msticpy.datamodel.pivot_data_queries.PivQuerySettings
    Get Pivot settings metadata for a query.
    Parameters:
    - family (str) – Data family
    - query (str) – Query name
    Returns: Named tuple:
    - short_name – short name for the query
    - direct_func_entities – the entities to add a top-level function to
    - assigned_entities – entities to assign the query to (if parameter mapping is not applicable).

get_query_settings(family: str, query: str) → msticpy.data.query_source.QuerySource
    Get the QuerySource for the named family and query.
    Parameters:
    - family (str) – Data family name
    - query (str) – Query name
    Returns: Query settings object
    Raises: KeyError – If family.query could not be found.

class msticpy.datamodel.pivot_data_queries.QueryParams(all, required, full_required, param_attrs, table)
    Bases: tuple
    Create new instance of QueryParams(all, required, full_required, param_attrs, table)

all
    Alias for field number 0

count()
    Return number of occurrences of value.

full_required
    Alias for field number 2

index()
    Return first index of value.
    Raises ValueError if the value is not present.

param_attrs
    Alias for field number 3

required
    Alias for field number 1

table
    Alias for field number 4

msticpy.datamodel.pivot_data_queries.add_data_queries_to_entities(provider: msticpy.data.data_providers.QueryProvider, get_timespan: Callable[[], msticpy.common.timespan.TimeSpan])
    Add data queries from provider to entities.
    Parameters:
    - provider (QueryProvider) – Query provider
    - get_timespan (Callable[[], TimeSpan]) – Callback to get time span

msticpy.datamodel.pivot_data_queries.add_queries_to_entities(prov_qry_funcs: msticpy.datamodel.pivot_data_queries.PivotQueryFunctions, container: str, get_timespan: Callable[[], msticpy.common.timespan.TimeSpan])
    Add data queries to entities.
    Parameters:
    - prov_qry_funcs (PivotQueryFunctions) – Collection of wrapped query functions
    - container (str) – The name of the container to add query functions to
    - get_timespan (Callable[[], TimeSpan]) – Function to get the current timespan.
msticpy.datamodel.pivot_magic_core
Txt2df core code.

msticpy.datamodel.pivot_magic_core.run_txt2df(line, cell, local_ns) → pandas.core.frame.DataFrame
    Convert cell text to pandas DataFrame.

msticpy.datamodel.pivot_register
Pivot helper functions.

class msticpy.datamodel.pivot_register.PivotRegistration(input_type: str, entity_map: Dict[str, str], func_df_param_name: Optional[str] = None, func_out_column_name: Optional[str] = None, func_df_col_param_name: Optional[str] = None, func_new_name: Optional[str] = None, src_module: Optional[str] = None, src_class: Optional[str] = None, src_func_name: Optional[str] = None, can_iterate: bool = True, func_static_params: Optional[Dict[str, Any]] = None, func_input_value_arg: Optional[str] = None, src_config_path: Optional[str] = None, src_config_entry: Optional[str] = None, entity_container_name: Optional[str] = None, return_raw_output: bool = False, create_shortcut: bool = False)
    Bases: object
    Pivot registration for function.
    Notes:
    - src_module : str – The src_module to import
    - src_class : str, optional – Class to import and instantiate that contains the function/method (not needed if the target function is a pure Python function)
    - src_func_name : Callable – The function to wrap.
    - func_new_name : str, optional – Rename the function to this, defaults to src_func_name
    - input_type : str – The input data type that the function is expecting. One of 'dataframe', 'iterable', 'value'
    - can_iterate : bool, optional – True if the function supports being called multiple times (for iterable input). Default is True
    - entity_map : Dict[str, str] – dict of entities supported (keys) and the attribute to use from each entity as input to the function
    - func_df_param_name : str – The name of the parameter in which func takes the input value, e.g. func(ip=my_address) => 'ip' == func_df_col_param_name. In the case of a DataFrame, this is usually 'data'
    - func_df_col_param_name : str – The name that the target function uses to identify the column to use for input in the input DataFrame.
    - func_out_column_name : str, optional – The name of the column in the output DF to use as a key to join to the input. If None, use func_df_col_param_name
    - func_static_params : Optional[Dict[str, Any]] – static parameters (kwargs) that are always passed to the target function
    - func_input_value_arg : Optional[str] – The name of the kwarg passed to the function that contains the input value. If the function supports DF input, func_df_col_param_name will be used and this is not needed.
    - src_config_path : Optional[str] – The source path that the configuration was read from, default None.
    - src_config_entry : Optional[str] – The entry name in the configuration file, default None.
    - entity_container_name : Optional[str] – The name of the container in the entity that will hold this pivot function.
    - return_raw_output : bool – Return raw output from the wrapped function, do not try to format into a DataFrame. Default is False.
    - create_shortcut : bool – If True, create a shortcut function directly on the entity.
    Method generated by attrs for class PivotRegistration.

attr_for_entity(entity: Union[msticpy.datamodel.entities.entity.Entity, str]) → Optional[str]
    Return the attribute to use for the specified entity.
    Parameters: entity (Union[entities.Entity, str]) – Entity instance or name
    Returns: Attribute name to use.
    Return type: Optional[str]

msticpy.datamodel.pivot_register.create_pivot_func(target_func: Callable[[Any], Any], pivot_reg: msticpy.datamodel.pivot_register.PivotRegistration) → Callable[[...], pandas.core.frame.DataFrame]
    Create function wrapper for pivot function.
    Parameters:
    - target_func (Callable) – The target function to wrap.
    - pivot_reg (PivotRegistration) – The pivot function registration object.
    Returns: The original target_func wrapped in pre-processing and post-processing code.
    Return type: Callable[[Any], pd.DataFrame]

msticpy.datamodel.pivot_register.get_join_params(func_kwargs: Dict[str, Any]) → Tuple[Optional[str], Optional[str], Optional[str], bool]
    Get join parameters from kwargs.
    Parameters: func_kwargs (Dict[str, Any]) – Keyword arguments from caller
    Returns: join_type, left_on, right_on, join_ignore_case
    Return type: Tuple[str, str, str, bool]

msticpy.datamodel.pivot_register.join_result(input_df: pandas.core.frame.DataFrame, result_df: pandas.core.frame.DataFrame, how: str, left_on: str, right_on: str, ignore_case: bool) → pandas.core.frame.DataFrame
    Join input and result DFs, optionally ignoring case.
    Parameters:
    - input_df (pd.DataFrame) – Input DF
    - result_df (pd.DataFrame) – Result DF
    - how (str) – Join type: "inner", "left", "right", "outer"
    - left_on (str) – Column from input_df to use as join key
    - right_on (str) – Column from result_df to use as join key
    - ignore_case (bool) – If True and input_df column is a string
    Returns: The merged DataFrame
    Return type: pd.DataFrame
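To make the PivotRegistration fields and the pre-/post-processing that create_pivot_func wraps around a target function concrete, here is an added example that is not msticpy's own create_pivot_func. MiniPivotReg is a hypothetical dataclass carrying a subset of the registration fields under the same names (input_type, entity_map, func_input_value_arg, func_out_column_name, func_static_params, can_iterate, func_new_name); IpAddress is a stand-in for msticpy's IpAddress entity with only its Address attribute; ip_scope is a constructed target function. Output rows are plain dicts rather than a DataFrame so the example runs without pandas. It goes slightly beyond the text by handling both the 'value' and the 'iterable' input types in one wrapper.

```python
"""Added example, not msticpy's own create_pivot_func: a minimal pivot
wrapper driven by PivotRegistration-style fields. Results are returned as
a list of dict rows, a stand-in for the DataFrame msticpy builds.
MiniPivotReg, IpAddress and ip_scope are hypothetical names constructed here."""
import ipaddress
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Optional


@dataclass
class MiniPivotReg:
    """Assumed subset of PivotRegistration, with the same field names."""
    input_type: str                              # 'value' or 'iterable' ('dataframe' not modelled)
    entity_map: Dict[str, str]                   # entity class name -> attribute used as input
    func_input_value_arg: str                    # kwarg the target function receives the input in
    func_out_column_name: Optional[str] = None   # join-key column in the output (default: input arg)
    func_static_params: Dict[str, Any] = field(default_factory=dict)
    can_iterate: bool = True                     # may the wrapper call the function once per item?
    func_new_name: Optional[str] = None          # rename the wrapped function


def attr_for_entity(reg: MiniPivotReg, entity: Any) -> Optional[str]:
    """Like PivotRegistration.attr_for_entity: accepts an instance or a class name."""
    name = entity if isinstance(entity, str) else type(entity).__name__
    return reg.entity_map.get(name)


def create_pivot_func(target_func: Callable[..., Any],
                      reg: MiniPivotReg) -> Callable[..., List[Dict[str, Any]]]:
    """Wrap target_func so it accepts a single value, a list of values or a mapped entity."""
    in_arg = reg.func_input_value_arg
    out_col = reg.func_out_column_name or in_arg

    def pivot(value: Any, **kwargs: Any) -> List[Dict[str, Any]]:
        # Pre-processing: an entity instance is replaced by its mapped attribute.
        if not isinstance(value, (str, int, list, tuple, set)):
            attr = attr_for_entity(reg, value)
            if attr is None:
                raise TypeError(f"no entity_map entry for {type(value).__name__}")
            value = getattr(value, attr)
        items = list(value) if isinstance(value, (list, tuple, set)) else [value]
        params = {**reg.func_static_params, **kwargs}   # static kwargs, caller may override
        if reg.input_type == "iterable":
            # The function takes the whole batch and returns one result per item, in order.
            results = target_func(**{in_arg: items}, **params)
        elif len(items) == 1 or reg.can_iterate:
            results = [target_func(**{in_arg: item}, **params) for item in items]
        else:
            raise ValueError(f"{target_func.__name__} cannot be iterated over {len(items)} inputs")
        # Post-processing: tabulate, keeping the input value as the join-key column.
        return [{out_col: item, **res} for item, res in zip(items, results)]

    pivot.__name__ = reg.func_new_name or target_func.__name__
    return pivot


class IpAddress:
    """Hypothetical stand-in for msticpy's IpAddress entity (only the Address attribute)."""
    def __init__(self, address: str) -> None:
        self.Address = address


def ip_scope(ip: str, loopback_separate: bool = True) -> Dict[str, Any]:
    """Constructed pivot target: classify one address locally (no TI lookup)."""
    addr = ipaddress.ip_address(ip)
    if loopback_separate and addr.is_loopback:
        scope = "loopback"
    elif addr.is_private:
        scope = "private"
    else:
        scope = "public"
    return {"scope": scope, "version": addr.version}


def ip_scope_bulk(ips: List[str]) -> List[Dict[str, Any]]:
    """Batch form of ip_scope, registered below with input_type='iterable'."""
    return [ip_scope(ip) for ip in ips]


ip_scope_pivot = create_pivot_func(ip_scope, MiniPivotReg(
    input_type="value", entity_map={"IpAddress": "Address"},
    func_input_value_arg="ip", func_new_name="ip_scope_pivot"))

bulk_scope_pivot = create_pivot_func(ip_scope_bulk, MiniPivotReg(
    input_type="iterable", entity_map={"IpAddress": "Address"},
    func_input_value_arg="ips", func_out_column_name="ip"))

single_only_pivot = create_pivot_func(ip_scope, MiniPivotReg(
    input_type="value", entity_map={}, func_input_value_arg="ip", can_iterate=False))


if __name__ == "__main__":
    print(ip_scope_pivot(IpAddress("10.0.0.5")))
    print(bulk_scope_pivot(["8.8.8.8", "127.0.0.1"]))
```

The same shape is what lets one registered function serve an entity (IpAddress), a bare value, or a list of values: the wrapper resolves the input via entity_map, fans out or batches according to input_type and can_iterate, and keeps the input value in a key column so the result can be joined back to whatever produced it.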
msticpy.datamodel.pivot_register_reader
Reads pivot registration config files.

msticpy.datamodel.pivot_register_reader.add_unbound_pivot_function(func: Callable[[Any], Any], pivot_reg: msticpy.datamodel.pivot_register.PivotRegistration = None, container: str = 'other', **kwargs)
    Add a pivot function to entities.
    Parameters:
    - func (Callable[[Any], Any]) – The function to add
    - pivot_reg (PivotRegistration, optional) – Pivot registration object, by default None
    - container (str, optional) – The name of the container into which the function should be added, by default "other"
    Other Parameters: kwargs – If pivot_reg is not supplied you can specify the required pivot registration parameters via keyword arguments. You must specify input_type (str) and entity_map (dict of entity_name, entity_attribute pairs).
    See also: PivotRegistration()

msticpy.datamodel.pivot_register_reader.register_pivots(file_path: str, namespace: Dict[str, Any] = None, container: str = 'other', force_container: bool = False, **kwargs)
    Register pivot functions from configuration file.
    Parameters:
    - file_path (str) – Path to config yaml file
    - namespace (Dict[str, Any], optional) – Namespace to search for existing instances of classes, by default None
    - container (str, optional) – Container name to use for entity pivot functions, by default "other"
    - force_container (bool, optional) – Force container value to be used even if entity definitions have a specific setting for a container name, by default False
    Raises: ValueError – An entity specified in the config file is not recognized.

msticpy.datamodel.pivot_ti_provider
Pivot TI Provider helper functions.

msticpy.datamodel.pivot_ti_provider.add_ioc_queries_to_entities(ti_lookup: msticpy.sectools.tilookup.TILookup, container: str = 'ti', **kwargs)
    Add TI functions to entities.
    Parameters:
    - ti_lookup (TILookup) – TILookup instance.
    - container (str) – The name of the container to add query functions to

msticpy.datamodel.pivot_ti_provider.create_ti_pivot_funcs(ti_lookup: msticpy.sectools.tilookup.TILookup)
    Create the TI Pivot functions.

msticpy.datamodel.pivot_ti_provider.register_ti_pivot_providers(ti_lookup: msticpy.sectools.tilookup.TILookup, pivot: Pivot)
    Register pivot functions from TI providers.
msticpy.datamodel.pivot_pd_accessor¶
Pandas DataFrame accessor for Pivot functions.
-
class
msticpy.datamodel.pivot_pd_accessor.
PivotAccessor
(pandas_obj)¶ Bases:
object
Pandas api extension for Pivot functions.
Instantiate pivot extension class.
-
display
(title: str = None, cols: Iterable[str] = None, query: str = None, head: int = None) → pandas.core.frame.DataFrame¶ Display the DataFrame in the middle of a pipeline.
Parameters: - title (str, optional) – Title to display for the DataFrame, by default None
- cols (Iterable[str], optional) – List of columns to display, by default None
- query (str, optional) – Query to filter the displayed data, by default None This should be a string executable by the DataFrame.query function
- head (int, optional) – Limit the displayed output to head rows, by default None
Returns: Passed through input DataFrame.
Return type: pd.DataFrame
-
filter
(expr: Union[str, numbers.Number], match_case: bool = False, numeric_col: bool = False) → pandas.core.frame.DataFrame¶ Filter all columns of DataFrame, return rows with any matches.
Parameters: - expr (Union[str, Number]) – String or regular expression to match or a (partial) number. If expr is a string it is matched against any string or object columns using pandas str.contains(..regex=True) If expr is a number or if numeric_col is True, expr is converted to a string and matched as a substring of any numeric columns.
- match_case (bool, optional) – The match is not case-sensitive by default. Set to True to force case-sensitive matches.
- numeric_col (bool, optional) – If expr is a numeric string or number this will force a match against only numeric columns, by default False
Returns: The filtered dataframe
Return type: pd.DataFrame
Raises: TypeError
– If expr is neither a string or number.
-
filter_cols
(cols: Union[str, Iterable[str]], match_case: bool = False, sort_cols: bool = False) → pandas.core.frame.DataFrame¶ Filter output columns matching names in cols expression(s).
Parameters: - cols (Union[str, Iterable[str]]) – Either a string or a list of strings with filter expressions. These can be exact matches for column names, wildcard patterns (“*” matches multiple chars and “?” matches a single char), or regular expressions.
- match_case (bool, optional) – Use case-sensitive matching, by default False
- sort_cols (bool, optional) – Alphabetically sort column names, by default False
Returns: The input DataFrame with only columns that match the filtering expressions.
Return type: pd.DataFrame
-
list_to_rows
(cols: Union[str, Iterable[str]]) → pandas.core.frame.DataFrame¶ Expand a list column to individual rows.
Parameters: cols (Union[str, Iterable[str]]) – The columns to be expanded. Returns: The expanded DataFrame Return type: pd.DataFrame
-
parse_json
(cols: Union[str, Iterable[str]]) → pandas.core.frame.DataFrame¶ Convert JSON string columns to Python types.
Parameters: cols (Union[str, Iterable[str]]) – Column or interable of columns to process Returns: Processed dataframe Return type: pd.DataFrame
-
run
(func: Callable[[...], pandas.core.frame.DataFrame], **kwargs) → pandas.core.frame.DataFrame¶ Run a pivot function on the current DataFrame.
Parameters: - func (Callable[.., pd.DataFrame]) – Pivot function to run
- kwargs – Keyword arguments to pass to func. A column specification (e.g. column=”src_col_name”) is usually the minimum needed. For data queries the column keyword must be the name of the query parameter (e.g. host_name = “src_col_name”)
Returns: The output DataFrame from the function.
Return type: pd.DataFrame
Notes
You can pass the join keyword argument to most pivot functions. Values for join are “inner”, “left”, “right” or “outer”.
-
sort
(cols: Union[str, Iterable[str], Dict[str, str]], ascending: bool = None) → pandas.core.frame.DataFrame¶ Sort output by column expression.
Parameters: - cols (Union[str, Iterable[str], Dict[str, str]]) – If this is a string, then this should be a column name expression. A column name expression is either a column name, a case-insensitive column name or a regular expression to match one or more column names. Each column name expression can be of the format col_name_expr:desc to sort descending (col_name_expr:asc is the default). The col_name can also be a regular expression or partial column name. If this is a list, then each element should be a column name expression with an optional ‘:asc’ or ‘:desc’ suffix. If this is a dict, then the keys should be column name expressions and the values bools indicating ‘ascending’ (True) or ‘descending’ (False) sort.
- ascending ([type], optional) – Overrides any ordering specified for individual columns and sorts ‘ascending’ if True or ‘descending’ if False. If not supplied and no column-specific ordering is supplied it sorts ascending.
Returns: The sorted DataFrame
Return type: pd.DataFrame
Raises: ValueError
– One or more column expressions matched no column name in the input.
-
tee
(var_name: str, clobber: bool = False) → pandas.core.frame.DataFrame¶ Save current dataframe to var_name in the IPython user namespace.
Parameters: - var_name (str) – The name of the DF variable to create.
- clobber (bool, optional) – Whether to overwrite an existing variable of the same name, by default False
Returns: Passed through input DataFrame.
Return type: pd.DataFrame
Notes
This function only works in an IPython/Jupyter notebook environment. It will attempt to create a variable in the user local namespace that references the current state of the DataFrame in the pipeline.
By default it will not overwrite an existing variable of the same name (specify clobber=True to overwrite).
-
tee_exec
(df_func: str, *args, **kwargs) → pandas.core.frame.DataFrame¶ Run a dataframe method on the dataframe without changing it.
Parameters: - df_func (str) – The name of the function to execute. Accessor methods must be of the form “accessor.method”.
- args (tuple) – Positional arguments to be passed to the function
- kwargs (dict) – Keyword arguments to be passed to the function.
Returns: Passed through input DataFrame.
Return type: pd.DataFrame
Notes
This function runs the DataFrame method or accessor function. It does not alter the DataFrame (unless the function does any kind of in-place modification). The function is run and the original input DataFrame is returned.
-