msticpy.datamodel package
msticpy.datamodel.entities module
msticpy.datamodel.entities.account
Account Entity class.
- class msticpy.datamodel.entities.account.Account(src_entity: Optional[Mapping[str, Any]] = None, src_event: Optional[Mapping[str, Any]] = None, role: str = 'subject', **kwargs)
Bases:
msticpy.datamodel.entities.entity.Entity
Account Entity class.
- Name
Account Name
- Type
str
- NTDomain
Account NTDomain
- Type
str
- UPNSuffix
Account UPNSuffix
- Type
str
- LogonId
Account LogonId (deprecated)
- Type
str
- Sid
Account Sid
- Type
str
- AadTenantId
Account AadTenantId
- Type
str
- AadUserId
Account AadUserId
- Type
str
- PUID
Account PUID
- Type
str
- IsDomainJoined
Account IsDomainJoined
- Type
bool
- DisplayName
Account DisplayName
- Type
str
- ObjectGuid
The object ID of the user account
- Type
str
Create a new instance of the entity type.
- Parameters
src_entity (Mapping[str, Any], optional) – Create entity from existing Account entity or other mapping object that implements entity properties. (the default is None)
src_event (Mapping[str, Any], optional) – Create entity from event properties (the default is None)
role (str, optional) – ‘subject’ or ‘target’ - only relevant if the entity is being constructed from an event. (the default is ‘subject’)
kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.
- ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
- ID_PROPERTIES: List[str] = ['QualifiedName', 'Sid', 'AadUserId', 'PUID', 'ObjectGuid']
- JSONEncoder
alias of
msticpy.datamodel.entities.entity._EntityJSONEncoder
- add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)
Add an edge between self and target.
- Parameters
target (Node) – Target node.
edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
- can_merge(other: Any) → bool
Return True if the entities can be merged.
- Parameters
other (Any) – The other entity (object) to check
- Returns
True if other has no conflicting properties.
- Return type
bool
- classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity
Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.
- Returns
Instantiated entity
- Return type
Notes
The entity type should be specified as “Type”, either as a key of src_entity or as a keyword argument.
- classmethod del_pivot_shortcut(func_name: str)
Remove a pivot shortcut.
- Parameters
func_name (str) – The name of the shortcut function.
- Raises
AttributeError – The class does not have an attribute func_name
TypeError – The attribute to delete is not a pivot shortcut.
- property description_str: str
Return Entity Description.
- classmethod get_pivot_list() → List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- has_edge(other)
Return True if node has an edge with other.
- classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]
Class factory to return entity from raw dictionary representation.
- Parameters
raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
entity_type (Optional[Type]) – The entity type to create, by default None.
- Returns
The instantiated entity
- Return type
- is_equivalent(other: Any) → bool
Return True if the entities are equivalent.
- Parameters
other (Any) – The entity to check
- Returns
True if equivalent.
- Return type
bool
Notes
This method checks that the compared entities do not have any property values with conflicting values. E.g. the following pairs do not conflict:
self.A == other.A
self.B == “xyz” and other.B == None
self.C == [] and other.C == [1, 2, 3]
- list_pivot_funcs()
Print list of pivot functions assigned to entity.
- classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)
Add a shortcut to a pivot function to the class.
- Parameters
func_name (str) – The name of source pivot function.
target (str) – The shortcut name (this will be a member function of the class)
overwrite (bool, optional) – Force overwrite an existing pivot function, by default False
- Raises
AttributeError – The source function does not exist
TypeError – The source function is not a pivot function.
TypeError – The target attribute exists and is not a pivot function
AttributeError – The target function exists and ‘overwrite=True’ was not specified.
- merge(other: Any) → msticpy.datamodel.entities.entity.Entity
Merge with other entity to create new entity.
- Returns
Merged entity.
- Return type
- Raises
AttributeError – If the entities cannot be merged.
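The equivalence rule from the is_equivalent Notes above, and the merge that depends on it, as a stand-alone model added here (this is an illustration, not msticpy's own code): SimpleEntity, values_conflict and the account sample values are constructed for the example.

```python
from typing import Any, Dict

# Stand-alone model of the documented equivalence/merge rule; this is an
# illustration, not msticpy's implementation. A property conflicts only
# when both entities carry a non-empty value and the values differ, so
# None and empty containers (the "no information" cases in the Notes)
# never block a merge.


def is_empty(value: Any) -> bool:
    """True for None and for empty containers such as [] or {}."""
    return value is None or (hasattr(value, "__len__") and len(value) == 0)


def values_conflict(mine: Any, theirs: Any) -> bool:
    """Return True only when both sides are non-empty and differ."""
    if is_empty(mine) or is_empty(theirs):
        return False
    return mine != theirs


class SimpleEntity:
    """Minimal entity: a Type name plus a dictionary of properties."""

    def __init__(self, entity_type: str, **props: Any) -> None:
        self.Type = entity_type
        self.props: Dict[str, Any] = dict(props)

    def is_equivalent(self, other: "SimpleEntity") -> bool:
        """No property present on both entities has conflicting values."""
        if self.Type != other.Type:
            return False
        shared = self.props.keys() & other.props.keys()
        return not any(
            values_conflict(self.props[key], other.props[key]) for key in shared
        )

    def can_merge(self, other: "SimpleEntity") -> bool:
        return self.is_equivalent(other)

    def merge(self, other: "SimpleEntity") -> "SimpleEntity":
        """Union of both property sets; a non-empty value wins over an empty one."""
        if not self.can_merge(other):
            raise AttributeError(
                f"cannot merge {self.Type} entities: conflicting properties"
            )
        merged = dict(self.props)
        for key, value in other.props.items():
            if is_empty(merged.get(key)):
                merged[key] = value
        return SimpleEntity(self.Type, **merged)


def merge_account_sightings() -> Dict[str, Any]:
    """Merge two partial views of one account (constructed sample values)."""
    # A host logon record knows the NT domain but not the cloud identifiers.
    from_host = SimpleEntity(
        "account", Name="jdoe", NTDomain="CORP", Sid=None, AadUserId=[]
    )
    # A cloud sign-in record knows the SID and AAD user id instead.
    from_cloud = SimpleEntity(
        "account", Name="jdoe", Sid="S-1-5-21-1-2-3-1001", AadUserId="aad-user-0001"
    )
    return from_host.merge(from_cloud).props


def conflicting_accounts_merge() -> bool:
    """Two different user names with the same Type: the rule refuses the merge."""
    first = SimpleEntity("account", Name="jdoe", NTDomain="CORP")
    second = SimpleEntity("account", Name="asmith", NTDomain="CORP")
    return first.can_merge(second)
```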
- property name_str: str
Return Entity Name.
- property node_properties: Dict[str, Any]
Return all public properties that are not entities.
- Returns
Dictionary of name, value properties.
- Return type
Dict[str, Any]
- classmethod pivots() → List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- property properties: dict
Return dictionary properties of entity.
- Returns
Entity properties.
- Return type
dict
- property qualified_name: str
Windows qualified account name.
- to_html() → str
Return HTML representation of entity.
- Returns
HTML representation of entity
- Return type
str
- to_json()
Return object as a JSON string.
- to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) → networkx.classes.graph.Graph
Return networkx graph of entities.
- Parameters
graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None
- Returns
Graph with entity and any connected entities.
- Return type
nx.Graph
msticpy.datamodel.entities.alert
Alert Entity class.
- class msticpy.datamodel.entities.alert.Alert(src_entity: Optional[Mapping[str, Any]] = None, src_event: Optional[Mapping[str, Any]] = None, **kwargs)
Bases:
msticpy.datamodel.entities.entity.Entity
Alert Entity class.
- AlertDisplayName
Alert DisplayName
- Type
str
- CompromisedEntity
Alert CompromisedEntity
- Type
str
- Count
Alert Count
- Type
int
- StartTimeUtc
Alert StartTime
- Type
datetime
- EndTimeUtc
Alert EndTime
- Type
datetime
- Severity
Alert Severity
- Type
str
- SystemAlertIds
Alert SystemAlertIds
- Type
List[str]
- AlertType
Alert AlertType
- Type
str
- VendorName
Alert VendorName
- Type
str
- ProviderName
Alert ProviderName
- Type
str
Create a new instance of the entity type.
- Parameters
src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)
src_event (Mapping[str, Any], optional) – Create entity from event properties (the default is None)
kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.
- ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
- ID_PROPERTIES: List[str] = ['SystemAlertIds']
- JSONEncoder
alias of
msticpy.datamodel.entities.entity._EntityJSONEncoder
- add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)
Add an edge between self and target.
- Parameters
target (Node) – Target node.
edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
- can_merge(other: Any) → bool
Return True if the entities can be merged.
- Parameters
other (Any) – The other entity (object) to check
- Returns
True if other has no conflicting properties.
- Return type
bool
- classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity
Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.
- Returns
Instantiated entity
- Return type
Notes
The entity type should be specified as “Type”, either as a key of src_entity or as a keyword argument.
- classmethod del_pivot_shortcut(func_name: str)
Remove a pivot shortcut.
- Parameters
func_name (str) – The name of the shortcut function.
- Raises
AttributeError – The class does not have an attribute func_name
TypeError – The attribute to delete is not a pivot shortcut.
- property description_str: str
Return Entity Description.
- classmethod get_pivot_list() → List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- has_edge(other)
Return True if node has an edge with other.
- classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]
Class factory to return entity from raw dictionary representation.
- Parameters
raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
entity_type (Optional[Type]) – The entity type to create, by default None.
- Returns
The instantiated entity
- Return type
- is_equivalent(other: Any) → bool
Return True if the entities are equivalent.
- Parameters
other (Any) – The entity to check
- Returns
True if equivalent.
- Return type
bool
Notes
This method checks that the compared entities do not have any property values with conflicting values. E.g. the following pairs do not conflict:
self.A == other.A
self.B == “xyz” and other.B == None
self.C == [] and other.C == [1, 2, 3]
- list_pivot_funcs()
Print list of pivot functions assigned to entity.
- classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)
Add a shortcut to a pivot function to the class.
- Parameters
func_name (str) – The name of source pivot function.
target (str) – The shortcut name (this will be a member function of the class)
overwrite (bool, optional) – Force overwrite an existing pivot function, by default False
- Raises
AttributeError – The source function does not exist
TypeError – The source function is not a pivot function.
TypeError – The target attribute exists and is not a pivot function
AttributeError – The target function exists and ‘overwrite=True’ was not specified.
- merge(other: Any) → msticpy.datamodel.entities.entity.Entity
Merge with other entity to create new entity.
- Returns
Merged entity.
- Return type
- Raises
AttributeError – If the entities cannot be merged.
- property name_str: str
Return Entity Name.
- property node_properties: Dict[str, Any]
Return all public properties that are not entities.
- Returns
Dictionary of name, value properties.
- Return type
Dict[str, Any]
- classmethod pivots() → List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- property properties: dict
Return dictionary properties of entity.
- Returns
Entity properties.
- Return type
dict
- to_html() → str
Return the item as HTML string.
- to_json()
Return object as a JSON string.
- to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) → networkx.classes.graph.Graph
Return networkx graph of entities.
- Parameters
graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None
- Returns
Graph with entity and any connected entities.
- Return type
nx.Graph
msticpy.datamodel.entities.azure_resource
AzureResource Entity class.
- class msticpy.datamodel.entities.azure_resource.AzureResource(src_entity: Optional[Mapping[str, Any]] = None, **kwargs)
Bases:
msticpy.datamodel.entities.entity.Entity
AzureResource Entity class.
- ResourceId
AzureResource ResourceId
- Type
str
- ResourceIdParts
AzureResource ResourceIdParts
- Type
Dict[str, str]
Create a new instance of the entity type.
- Parameters
src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)
kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.
- ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
- ID_PROPERTIES: List[str] = ['ResourceId']
- JSONEncoder
alias of
msticpy.datamodel.entities.entity._EntityJSONEncoder
- property Provider
Return the Provider name or None.
- property ResourceGroup
Return the ResourceGroup name or None.
- property SubscriptionId
Return the subscription Id or None.
- add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)
Add an edge between self and target.
- Parameters
target (Node) – Target node.
edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
- can_merge(other: Any) → bool
Return True if the entities can be merged.
- Parameters
other (Any) – The other entity (object) to check
- Returns
True if other has no conflicting properties.
- Return type
bool
- classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity
Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.
- Returns
Instantiated entity
- Return type
Notes
The entity type should be specified as “Type”, either as a key of src_entity or as a keyword argument.
- classmethod del_pivot_shortcut(func_name: str)
Remove a pivot shortcut.
- Parameters
func_name (str) – The name of the shortcut function.
- Raises
AttributeError – The class does not have an attribute func_name
TypeError – The attribute to delete is not a pivot shortcut.
- property description_str: str
Return Entity Description.
- classmethod get_pivot_list() → List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- has_edge(other)
Return True if node has an edge with other.
- classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]
Class factory to return entity from raw dictionary representation.
- Parameters
raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
entity_type (Optional[Type]) – The entity type to create, by default None.
- Returns
The instantiated entity
- Return type
- is_equivalent(other: Any) → bool
Return True if the entities are equivalent.
- Parameters
other (Any) – The entity to check
- Returns
True if equivalent.
- Return type
bool
Notes
This method checks that the compared entities do not have any property values with conflicting values. E.g. the following pairs do not conflict:
self.A == other.A
self.B == “xyz” and other.B == None
self.C == [] and other.C == [1, 2, 3]
- list_pivot_funcs()
Print list of pivot functions assigned to entity.
- classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)
Add a shortcut to a pivot function to the class.
- Parameters
func_name (str) – The name of source pivot function.
target (str) – The shortcut name (this will be a member function of the class)
overwrite (bool, optional) – Force overwrite an existing pivot function, by default False
- Raises
AttributeError – The source function does not exist
TypeError – The source function is not a pivot function.
TypeError – The target attribute exists and is not a pivot function
AttributeError – The target function exists and ‘overwrite=True’ was not specified.
- merge(other: Any) → msticpy.datamodel.entities.entity.Entity
Merge with other entity to create new entity.
- Returns
Merged entity.
- Return type
- Raises
AttributeError – If the entities cannot be merged.
- property name_str: str
Return Entity Name.
- property node_properties: Dict[str, Any]
Return all public properties that are not entities.
- Returns
Dictionary of name, value properties.
- Return type
Dict[str, Any]
- classmethod pivots() → List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- property properties: dict
Return dictionary properties of entity.
- Returns
Entity properties.
- Return type
dict
- to_html() → str
Return HTML representation of entity.
- Returns
HTML representation of entity
- Return type
str
- to_json()
Return object as a JSON string.
- to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) → networkx.classes.graph.Graph
Return networkx graph of entities.
- Parameters
graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None
- Returns
Graph with entity and any connected entities.
- Return type
nx.Graph
msticpy.datamodel.entities.cloud_application
CloudApplication Entity class.
- class msticpy.datamodel.entities.cloud_application.CloudApplication(src_entity: Optional[Mapping[str, Any]] = None, **kwargs)
Bases:
msticpy.datamodel.entities.entity.Entity
CloudApplication Entity class.
- Name
CloudApplication Name
- Type
str
- AppId
The AppId of the cloud application
- Type
str
- InstanceName
The instance name of the application
- Type
str
Create a new instance of the entity type.
- Parameters
src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)
kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.
- ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
- ID_PROPERTIES: List[str] = ['Name']
- JSONEncoder
alias of
msticpy.datamodel.entities.entity._EntityJSONEncoder
- add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)
Add an edge between self and target.
- Parameters
target (Node) – Target node.
edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
- can_merge(other: Any) → bool
Return True if the entities can be merged.
- Parameters
other (Any) – The other entity (object) to check
- Returns
True if other has no conflicting properties.
- Return type
bool
- classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity
Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.
- Returns
Instantiated entity
- Return type
Notes
The entity type should be specified as “Type”, either as a key of src_entity or as a keyword argument.
- classmethod del_pivot_shortcut(func_name: str)
Remove a pivot shortcut.
- Parameters
func_name (str) – The name of the shortcut function.
- Raises
AttributeError – The class does not have an attribute func_name
TypeError – The attribute to delete is not a pivot shortcut.
- property description_str: str
Return Entity Description.
- classmethod get_pivot_list() → List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- has_edge(other)
Return True if node has an edge with other.
- classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]
Class factory to return entity from raw dictionary representation.
- Parameters
raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
entity_type (Optional[Type]) – The entity type to create, by default None.
- Returns
The instantiated entity
- Return type
- is_equivalent(other: Any) → bool
Return True if the entities are equivalent.
- Parameters
other (Any) – The entity to check
- Returns
True if equivalent.
- Return type
bool
Notes
This method checks that the compared entities do not have any property values with conflicting values. E.g. the following pairs do not conflict:
self.A == other.A
self.B == “xyz” and other.B == None
self.C == [] and other.C == [1, 2, 3]
- list_pivot_funcs()
Print list of pivot functions assigned to entity.
- classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)
Add a shortcut to a pivot function to the class.
- Parameters
func_name (str) – The name of source pivot function.
target (str) – The shortcut name (this will be a member function of the class)
overwrite (bool, optional) – Force overwrite an existing pivot function, by default False
- Raises
AttributeError – The source function does not exist
TypeError – The source function is not a pivot function.
TypeError – The target attribute exists and is not a pivot function
AttributeError – The target function exists and ‘overwrite=True’ was not specified.
- merge(other: Any) msticpy.datamodel.entities.entity.Entity
Merge with other entity to create new entity.
- Returns
Merged entity.
- Return type
Entity
- Raises
AttributeError – If the entities cannot be merged.
- property name_str: str
Return Entity Name.
- property node_properties: Dict[str, Any]
Return all public properties that are not entities.
- Returns
Dictionary of name, value properties.
- Return type
Dict[str, Any]
- classmethod pivots() List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- property properties: dict
Return dictionary properties of entity.
- Returns
Entity properties.
- Return type
dict
- to_html() str
Return HTML representation of entity.
- Returns
HTML representation of entity
- Return type
str
- to_json()
Return object as a JSON string.
- to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) networkx.classes.graph.Graph
Return networkx graph of entities.
- Parameters
graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None
- Returns
Graph with entity and any connected entities.
- Return type
nx.Graph
msticpy.datamodel.entities.dns
Dns Entity class.
- class msticpy.datamodel.entities.dns.Dns(src_entity: Optional[Mapping[str, Any]] = None, **kwargs)
Bases:
msticpy.datamodel.entities.entity.Entity
DNS Resolve Entity class.
- DomainName
DnsResolve DomainName
- Type
str
- IpAdresses
DnsResolve IpAdresses
- Type
List[str]
- DnsServerIp
DnsResolve DnsServerIp
- Type
IPAddress
- HostIpAddress
DnsResolve HostIpAddress
- Type
IPAddress
Create a new instance of the entity type.
- Parameters
src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)
kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.
- ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 
'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
- ID_PROPERTIES: List[str] = ['DomainName']
- JSONEncoder
alias of
msticpy.datamodel.entities.entity._EntityJSONEncoder
- add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)
Add an edge between self and target.
- Parameters
target (Node) – Target node.
edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
- can_merge(other: Any) bool
Return True if the entities can be merged.
- Parameters
other (Any) – The other entity (object) to check
- Returns
True if other has no conflicting properties.
- Return type
bool
- classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) msticpy.datamodel.entities.entity.Entity
Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.
- Returns
Instantiated entity
- Return type
Entity
Notes
The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.
- classmethod del_pivot_shortcut(func_name: str)
Remove a pivot shortcut.
- Parameters
func_name (str) – The name of the shortcut function.
- Raises
AttributeError – The class does not have an attribute func_name
TypeError – The attribute to delete is not a pivot shortcut.
- property description_str: str
Return Entity Description.
- classmethod get_pivot_list() List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- has_edge(other)
Return True if node has an edge with other.
- classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]
Class factory to return entity from raw dictionary representation.
- Parameters
raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
entity_type (Optional[Type]) – The entity type to create, by default None.
- Returns
The instantiated entity
- Return type
Union[Entity, Mapping[str, Any]]
- is_equivalent(other: Any) bool
Return True if the entities are equivalent.
- Parameters
other (Any) – The entity to check
- Returns
True if equivalent.
- Return type
bool
Notes
This method checks that the compared entities do not have any property values with conflicting values. For example, none of the following counts as a conflict:
self.A == other.A
self.B == “xyz” and other.B == None
self.C == [] and other.C == [1, 2, 3]
- list_pivot_funcs()
Print list of pivot functions assigned to entity.
- classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)
Add a shortcut to a pivot function to the class.
- Parameters
func_name (str) – The name of source pivot function.
target (str) – The shortcut name (this will be a member function of the class)
overwrite (bool, optional) – Force overwrite an existing pivot function, by default False
- Raises
AttributeError – The source function does not exist
TypeError – The source function is not a pivot function.
TypeError – The target attribute exists and is not a pivot function
AttributeError – The target function exists and ‘overwrite=True’ was not specified.
- merge(other: Any) msticpy.datamodel.entities.entity.Entity
Merge with other entity to create new entity.
- Returns
Merged entity.
- Return type
Entity
- Raises
AttributeError – If the entities cannot be merged.
- property name_str: str
Return Entity Name.
- property node_properties: Dict[str, Any]
Return all public properties that are not entities.
- Returns
Dictionary of name, value properties.
- Return type
Dict[str, Any]
- classmethod pivots() List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- property properties: dict
Return dictionary properties of entity.
- Returns
Entity properties.
- Return type
dict
- to_html() str
Return HTML representation of entity.
- Returns
HTML representation of entity
- Return type
str
- to_json()
Return object as a JSON string.
- to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) networkx.classes.graph.Graph
Return networkx graph of entities.
- Parameters
graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None
- Returns
Graph with entity and any connected entities.
- Return type
nx.Graph
msticpy.datamodel.entities.entity
Entity Entity class.
- class msticpy.datamodel.entities.entity.ContextObject
Bases:
object
Information object attached to entity but is not an Entity.
- class msticpy.datamodel.entities.entity.Entity(src_entity: Optional[Mapping[str, Any]] = None, **kwargs)
Bases:
abc.ABC, msticpy.datamodel.entities.entity_graph.Node
Entity abstract base class.
Implements common methods for Entity classes
Create a new instance of an entity.
- Parameters
src_entity (Mapping[str, Any], optional) – If src_entity is supplied it attempts to extract common properties from the source entity and assign them to the new instance. (the default is None)
kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.
- ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 
'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
- ID_PROPERTIES: List[str] = []
- JSONEncoder
alias of
msticpy.datamodel.entities.entity._EntityJSONEncoder
- add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)
Add an edge between self and target.
- Parameters
target (Node) – Target node.
edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
- can_merge(other: Any) bool
Return True if the entities can be merged.
- Parameters
other (Any) – The other entity (object) to check
- Returns
True if other has no conflicting properties.
- Return type
bool
- classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) msticpy.datamodel.entities.entity.Entity
Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.
- Returns
Instantiated entity
- Return type
Entity
Notes
The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.
- classmethod del_pivot_shortcut(func_name: str)
Remove a pivot shortcut.
- Parameters
func_name (str) – The name of the shortcut function.
- Raises
AttributeError – The class does not have an attribute func_name
TypeError – The attribute to delete is not a pivot shortcut.
- property description_str: str
Return Entity Description.
- Returns
Entity description (optional). If not overridden by the Entity instance type, it will return the Type string.
- Return type
str
- classmethod get_pivot_list() List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- has_edge(other)
Return True if node has an edge with other.
- classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]
Class factory to return entity from raw dictionary representation.
- Parameters
raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
entity_type (Optional[Type]) – The entity type to create, by default None.
- Returns
The instantiated entity
- Return type
Union[Entity, Mapping[str, Any]]
- is_equivalent(other: Any) bool
Return True if the entities are equivalent.
- Parameters
other (Any) – The entity to check
- Returns
True if equivalent.
- Return type
bool
Notes
This method checks that the compared entities do not have any property values with conflicting values. For example, none of the following counts as a conflict:
self.A == other.A
self.B == “xyz” and other.B == None
self.C == [] and other.C == [1, 2, 3]
- list_pivot_funcs()
Print list of pivot functions assigned to entity.
- classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)
Add a shortcut to a pivot function to the class.
- Parameters
func_name (str) – The name of source pivot function.
target (str) – The shortcut name (this will be a member function of the class)
overwrite (bool, optional) – Force overwrite an existing pivot function, by default False
- Raises
AttributeError – The source function does not exist
TypeError – The source function is not a pivot function.
TypeError – The target attribute exists and is not a pivot function
AttributeError – The target function exists and ‘overwrite=True’ was not specified.
- merge(other: Any) msticpy.datamodel.entities.entity.Entity
Merge with other entity to create new entity.
- Returns
Merged entity.
- Return type
Entity
- Raises
AttributeError – If the entities cannot be merged.
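The rules behind can_merge, is_equivalent and merge (documented above for Entity and repeated for Account and Dns) are easy to get wrong when de-duplicating entities pulled from several alerts, so here is a plain-Python model of them. This is an added example, not msticpy's code: entities are plain dicts, the Account records are constructed, and merge_all's extra requirement that the two sides share one equal identifying property (in the spirit of the ID_PROPERTIES lists on this page) is the example's own guard, not something the documented methods do.

```python
"""Added example: plain-Python model of the documented can_merge / is_equivalent / merge rules.
Not msticpy code; entities are plain dicts keyed by property name."""
from typing import Any, Dict, Iterable, List, Sequence, Tuple


def _is_empty(value: Any) -> bool:
    """None, '' and empty containers carry no information and so never conflict."""
    if value is None:
        return True
    try:
        return len(value) == 0
    except TypeError:
        return False  # numbers, booleans and other scalars are real values


def conflicting_properties(left: Dict[str, Any], right: Dict[str, Any]) -> Dict[str, Tuple[Any, Any]]:
    """Return the properties that are set on both sides with different values.

    Follows the Notes above: 'xyz' against None is not a conflict, [] against [1, 2, 3]
    is not a conflict, but two different non-empty values are.
    """
    conflicts: Dict[str, Tuple[Any, Any]] = {}
    for name in sorted(set(left) & set(right)):
        lval, rval = left[name], right[name]
        if not _is_empty(lval) and not _is_empty(rval) and lval != rval:
            conflicts[name] = (lval, rval)
    return conflicts


def can_merge(left: Dict[str, Any], right: Dict[str, Any]) -> bool:
    """True when no property conflicts; 'Type' is an ordinary property, so types must agree."""
    return not conflicting_properties(left, right)


is_equivalent = can_merge  # under the documented semantics both reduce to 'no conflicting properties'


def merge(left: Dict[str, Any], right: Dict[str, Any]) -> Dict[str, Any]:
    """Return a new record combining both sides; AttributeError on conflict, as documented."""
    conflicts = conflicting_properties(left, right)
    if conflicts:
        raise AttributeError(f"cannot merge entities, conflicting properties: {conflicts}")
    merged = dict(left)
    for name, value in right.items():
        if _is_empty(merged.get(name)):
            merged[name] = value  # fill gaps from the other side, never overwrite a real value
    return merged


def merge_all(
    records: Iterable[Dict[str, Any]],
    id_properties: Sequence[str] = ("Name", "Sid", "AadUserId"),
) -> List[Dict[str, Any]]:
    """Collapse a list of entities, merging those that describe the same object.

    The documented rule alone lets two entities with no property in common merge, so this
    helper (the example's own addition) also demands one shared, equal identifying property.
    """

    def shares_identity(left: Dict[str, Any], right: Dict[str, Any]) -> bool:
        return any(not _is_empty(left.get(p)) and left.get(p) == right.get(p) for p in id_properties)

    merged: List[Dict[str, Any]] = []
    for rec in records:
        for idx, existing in enumerate(merged):
            if shares_identity(existing, rec) and can_merge(existing, rec):
                merged[idx] = merge(existing, rec)
                break
        else:
            merged.append(dict(rec))
    return merged


# Constructed sample: the same user seen in a cloud sign-in alert and in a host logon alert,
# plus a same-named account from a different NT domain. Identifiers are made up.
ACCOUNT_FROM_SIGNIN = {
    "Type": "account",
    "Name": "jdoe",
    "UPNSuffix": "contoso.com",
    "AadUserId": "11111111-2222-3333-4444-555555555555",
    "Sid": None,
}
ACCOUNT_FROM_HOST = {
    "Type": "account",
    "Name": "jdoe",
    "NTDomain": "CONTOSO",
    "Sid": "S-1-5-21-1004336348-1177238915-682003330-1001",
    "AadUserId": "",
}
ACCOUNT_OTHER_DOMAIN = {"Type": "account", "Name": "jdoe", "NTDomain": "FABRIKAM"}

if __name__ == "__main__":
    for ent in merge_all([ACCOUNT_FROM_SIGNIN, ACCOUNT_FROM_HOST, ACCOUNT_OTHER_DOMAIN]):
        print(ent)
```

Note that the documented rule is permissive by design: a record that carries only a Sid and one that carries only a Name never conflict, so without an identity check they would be merged into one entity. That is why merge_all insists on a shared identifying value before calling merge.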
- property name_str: str
Return Entity Name.
- Returns
Entity Name (optional). If not overridden by the Entity instance type, it will return the class name string.
- Return type
str
- property node_properties: Dict[str, Any]
Return all public properties that are not entities.
- Returns
Dictionary of name, value properties.
- Return type
Dict[str, Any]
- classmethod pivots() List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- property properties: dict
Return dictionary properties of entity.
- Returns
Entity properties.
- Return type
dict
- to_html() str
Return HTML representation of entity.
- Returns
HTML representation of entity
- Return type
str
- to_json()
Return object as a JSON string.
- to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) networkx.classes.graph.Graph
Return networkx graph of entities.
- Parameters
graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None
- Returns
Graph with entity and any connected entities.
- Return type
nx.Graph
- msticpy.datamodel.entities.entity.camelcase_property_names(input_ent: Dict[str, Any]) Dict[str, Any]
Change the initial letter of Microsoft Sentinel API entity property names to upper case.
msticpy.datamodel.entities.entity_enums
Entity enumerations.
- class msticpy.datamodel.entities.entity_enums.Algorithm(value)
Bases:
enum.Enum
FileHash Algorithm Enumeration.
- MD5 = 1
- SHA1 = 2
- SHA256 = 3
- SHA256AC = 4
- Unknown = 0
- class msticpy.datamodel.entities.entity_enums.ElevationToken(value)
Bases:
enum.Enum
ElevationToken enumeration.
- Default = 0
- Full = 1
- Limited = 2
- class msticpy.datamodel.entities.entity_enums.OSFamily(value)
Bases:
enum.Enum
OSFamily enumeration.
- Linux = 0
- Windows = 1
- class msticpy.datamodel.entities.entity_enums.RegistryHive(value)
Bases:
enum.Enum
RegistryHive enumeration.
- HKEY_A = 8
- HKEY_CLASSES_ROOT = 1
- HKEY_CURRENT_CONFIG = 2
- HKEY_CURRENT_USER = 9
- HKEY_CURRENT_USER_LOCAL_SETTINGS = 4
- HKEY_LOCAL_MACHINE = 0
- HKEY_PERFORMANCE_DATA = 5
- HKEY_PERFORMANCE_NLSTEXT = 6
- HKEY_PERFORMANCE_TEXT = 7
- HKEY_USERS = 3
- property short_name: str
Return the key shortname.
msticpy.datamodel.entities.entity_graph
Entity Graph classes.
- class msticpy.datamodel.entities.entity_graph.Edge(source: msticpy.datamodel.entities.entity_graph.Node, target: msticpy.datamodel.entities.entity_graph.Node, attrs: Optional[Dict[str, Any]] = None)
Bases:
object
Entity edge class.
Create a new edge between source and target.
- Parameters
source (Node) – Source node.
target (Node) – Target node.
attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to the new edge, by default None
- add_attr(name: str, value: Any)
Add an edge attribute.
- class msticpy.datamodel.entities.entity_graph.Node
Bases:
object
Entity node.
Initialize the node.
- add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)
Add an edge between self and target.
- Parameters
target (Node) – Target node.
edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
- has_edge(other)
Return True if node has an edge with other.
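The Node and Edge classes above, together with to_networkx's promise of “the entity and any connected entities”, are modelled in plain Python below so the traversal behaviour is visible without networkx. This is an added illustration, not msticpy's own graph code. The node names, entity types, the “relation” and “port” edge attributes and the incident itself are constructed for the example; registering each edge on both endpoints, so that has_edge answers from either side, is the example's own choice.

```python
"""Added example: plain-Python model of the Node/Edge graph on this page and of what
'the entity and any connected entities' means. Not msticpy code; no networkx required."""
from collections import deque
from typing import Any, Dict, Iterator, List, Optional, Set, Tuple


class Edge:
    """Edge between two nodes with free-form attributes."""

    def __init__(self, source: "Node", target: "Node", attrs: Optional[Dict[str, Any]] = None):
        self.source = source
        self.target = target
        self.attrs: Dict[str, Any] = dict(attrs or {})

    def add_attr(self, name: str, value: Any) -> None:
        self.attrs[name] = value


class Node:
    """Graph node standing in for an entity; 'name' plays the role of name_str."""

    def __init__(self, name: str, entity_type: str):
        self.name = name
        self.entity_type = entity_type
        self.edges: Set[Edge] = set()

    def add_edge(self, target: "Node", edge_attrs: Optional[Dict[str, Any]] = None) -> Edge:
        edge = Edge(self, target, edge_attrs)
        self.edges.add(edge)
        target.edges.add(edge)  # registered on both ends so has_edge works from either side
        return edge

    def has_edge(self, other: "Node") -> bool:
        return any(edge.source is other or edge.target is other for edge in self.edges)

    def neighbours(self) -> Iterator["Node"]:
        for edge in self.edges:
            yield edge.target if edge.source is self else edge.source


def connected_entities(start: Node) -> List[Node]:
    """Breadth-first walk: the start node plus everything reachable through any edge, in discovery order."""
    seen: Set[Node] = {start}
    order = [start]
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for neighbour in node.neighbours():
            if neighbour not in seen:
                seen.add(neighbour)
                order.append(neighbour)
                queue.append(neighbour)
    return order


def edge_list(start: Node) -> List[Tuple[str, str, Dict[str, Any]]]:
    """Edges of the connected component as (source, target, attrs) triples, for export or plotting."""
    edges: Dict[int, Edge] = {}
    for node in connected_entities(start):
        for edge in node.edges:
            edges[id(edge)] = edge  # an edge is held by both endpoints; keep it once
    return sorted(((e.source.name, e.target.name, e.attrs) for e in edges.values()), key=lambda t: t[:2])


def build_sample_graph() -> Dict[str, Node]:
    """Constructed incident: an account logs on to a host that connects to an IP that served a URL."""
    account = Node("jdoe", "Account")
    host = Node("wkstn-042", "Host")
    ip = Node("203.0.113.7", "IpAddress")
    url = Node("http://203.0.113.7/update.bin", "Url")
    other_host = Node("srv-db-01", "Host")  # known to the workspace, but not linked to this incident
    account.add_edge(host, {"relation": "logged_on"})
    host.add_edge(ip, {"relation": "connected_to", "port": 80})
    ip.add_edge(url, {"relation": "served"})
    return {"account": account, "host": host, "ip": ip, "url": url, "other_host": other_host}


if __name__ == "__main__":
    graph = build_sample_graph()
    print([node.name for node in connected_entities(graph["account"])])
    for source, target, attrs in edge_list(graph["account"]):
        print(f"{source} -> {target} {attrs}")
```

Starting the walk from any node of the incident yields the same component, so an analyst can pivot from the URL back to the account that started the chain; the unrelated host never appears because nothing links to it.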
msticpy.datamodel.entities.file
File Entity class.
- class msticpy.datamodel.entities.file.File(src_entity: Optional[Mapping[str, Any]] = None, src_event: Optional[Mapping[str, Any]] = None, role: str = 'new', **kwargs)
Bases:
msticpy.datamodel.entities.entity.Entity
File Entity class.
- FullPath
File FullPath
- Type
str
- Directory
File Directory
- Type
str
- Name
File Name
- Type
str
- Md5
File Md5
- Type
str
- Host
File Host
- Type
str
- Sha1
File Sha1
- Type
str
- Sha256
File Sha256
- Type
str
- Sha256Ac
File Sha256Ac
- Type
str
Create a new instance of the entity type.
- Parameters
src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)
src_event (Mapping[str, Any], optional) – Create entity from event properties (the default is None)
role (str, optional) – ‘new’ or ‘parent’ - only relevant if the entity is being constructed from an event. (the default is ‘new’)
kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.
- ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 
'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
- ID_PROPERTIES: List[str] = ['FullPath', 'Sha1', 'Sha256', 'Sha256ac', 'Md5']
- JSONEncoder
alias of
msticpy.datamodel.entities.entity._EntityJSONEncoder
- add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)
Add an edge between self and target.
- Parameters
target (Node) – Target node.
edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
- can_merge(other: Any) bool
Return True if the entities can be merged.
- Parameters
other (Any) – The other entity (object) to check
- Returns
True if other has no conflicting properties.
- Return type
bool
- classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) msticpy.datamodel.entities.entity.Entity
Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.
- Returns
Instantiated entity
- Return type
Entity
Notes
The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.
- classmethod del_pivot_shortcut(func_name: str)
Remove a pivot shortcut.
- Parameters
func_name (str) – The name of the shortcut function.
- Raises
AttributeError – The class does not have an attribute func_name
TypeError – The attribute to delete is not a pivot shortcut.
- property description_str: str
Return Entity Description.
- edges: Set['Edge']
- property file_hash: Optional[str]
Return the first defined file hash.
- Returns
Returns first-defined file hash in order of SHA256, SHA1, MD5, SHA256AC (authenticode)
- Return type
Optional[str]
- classmethod get_pivot_list() List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- has_edge(other)
Return True if node has an edge with other.
- classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]
Class factory to return entity from raw dictionary representation.
- Parameters
raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
entity_type (Optional[Type]) – The entity type to create, by default None.
- Returns
The instantiated entity
- Return type
Union[Entity, Mapping[str, Any]]
- is_equivalent(other: Any) bool
Return True if the entities are equivalent.
- Parameters
other (Any) – The entity to check
- Returns
True if equivalent.
- Return type
bool
Notes
This method checks that the compared entities do not have any property values with conflicting values. For example, none of the following counts as a conflict:
self.A == other.A
self.B == “xyz” and other.B == None
self.C == [] and other.C == [1, 2, 3]
- list_pivot_funcs()
Print list of pivot functions assigned to entity.
- classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)
Add a shortcut to a pivot function to the class.
- Parameters
func_name (str) – The name of source pivot function.
target (str) – The shortcut name (this will be a member function of the class)
overwrite (bool, optional) – Force overwrite an existing pivot function, by default False
- Raises
AttributeError – The source function does not exist
TypeError – The source function is not a pivot function.
TypeError – The target attribute exists and is not a pivot function
AttributeError – The target function exists and ‘overwrite=True’ was not specified.
- merge(other: Any) msticpy.datamodel.entities.entity.Entity
Merge with other entity to create new entity.
- Returns
Merged entity.
- Return type
Entity
- Raises
AttributeError – If the entities cannot be merged.
- property name_str: str
Return Entity Name.
- property node_properties: Dict[str, Any]
Return all public properties that are not entities.
- Returns
Dictionary of name, value properties.
- Return type
Dict[str, Any]
- property path_separator
Return the path separator used by the file.
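The File properties on this page (FullPath, Directory, Name, the four hash fields, the file_hash preference order SHA256, SHA1, MD5, SHA256AC and path_separator) describe a normalisation that alert data rarely arrives in, so the following added example builds a File-shaped record from raw input and validates each hash against the Algorithm enumeration from entity_enums above. It is not msticpy's code: the Algorithm enum is copied from the page, the separator rule (backslash if the path contains one, otherwise slash), the "Rejected" field and the acceptance of SHA256-shaped values in Sha256Ac are the example's own choices, and the sample records are constructed (the digests are the well-known hashes of the empty input, used as placeholders).

```python
"""Added example: normalising a File record the way the properties on this page imply.
Not msticpy code; the Algorithm enum is copied from entity_enums above."""
import re
from enum import Enum
from typing import Any, Dict, Optional, Tuple


class Algorithm(Enum):
    Unknown = 0
    MD5 = 1
    SHA1 = 2
    SHA256 = 3
    SHA256AC = 4


# Digest lengths in hex characters. SHA256 and SHA256AC (authenticode) are both 64, so an
# authenticode hash can only be recognised by the field it arrives in, never by its value.
_HEX_LENGTH_TO_ALGORITHM = {32: Algorithm.MD5, 40: Algorithm.SHA1, 64: Algorithm.SHA256}

# Which File property holds which algorithm, and the documented preference order of File.file_hash.
_HASH_FIELDS = {
    "Sha256": Algorithm.SHA256,
    "Sha1": Algorithm.SHA1,
    "Md5": Algorithm.MD5,
    "Sha256Ac": Algorithm.SHA256AC,
}
HASH_PREFERENCE = ("Sha256", "Sha1", "Md5", "Sha256Ac")


def classify_hash(value: str) -> Algorithm:
    """Guess the algorithm from the digest's shape; anything that is not plain hex is Unknown."""
    digest = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", digest):
        return Algorithm.Unknown
    return _HEX_LENGTH_TO_ALGORITHM.get(len(digest), Algorithm.Unknown)


def path_separator(full_path: str) -> str:
    """Backslash for Windows-style paths, otherwise '/' (the example's own rule)."""
    return "\\" if "\\" in full_path else "/"


def split_path(full_path: str) -> Tuple[str, str]:
    """Return (Directory, Name) using the path's own separator."""
    directory, _, name = full_path.rpartition(path_separator(full_path))
    return directory, name


def file_hash(file_ent: Dict[str, Any]) -> Optional[str]:
    """First defined hash in the documented order SHA256, SHA1, MD5, SHA256AC."""
    for field in HASH_PREFERENCE:
        if file_ent.get(field):
            return file_ent[field]
    return None


def normalise_file(record: Dict[str, Any]) -> Dict[str, Any]:
    """Build a File-shaped dict: derive Directory/Name, keep only hashes whose shape fits their field."""
    full_path = record.get("FullPath") or ""
    directory, name = split_path(full_path) if full_path else ("", record.get("Name", ""))
    out: Dict[str, Any] = {
        "Type": "File",
        "FullPath": full_path,
        "Directory": directory,
        "Name": name,
        "Rejected": {},  # mislabelled or malformed digests, kept for the analyst to inspect
    }
    for field, expected in _HASH_FIELDS.items():
        value = record.get(field)
        if not value:
            out[field] = None
            continue
        found = classify_hash(value)
        # authenticode hashes look exactly like SHA256, so accept that shape for Sha256Ac
        accepted = found is expected or (expected is Algorithm.SHA256AC and found is Algorithm.SHA256)
        out[field] = value.strip().lower() if accepted else None
        if not accepted:
            out["Rejected"][field] = value
    out["PreferredHash"] = file_hash(out)
    return out


# Constructed records. The digests are the well-known hashes of the empty input, used as placeholders.
SAMPLE_WINDOWS = {
    "FullPath": "C:\\Windows\\System32\\cmd.exe",
    "Sha256": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
    "Md5": "not-a-hash",
}
SAMPLE_LINUX = {
    "FullPath": "/usr/bin/curl",
    "Md5": "d41d8cd98f00b204e9800998ecf8427e",
    "Sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
}

if __name__ == "__main__":
    for sample in (SAMPLE_WINDOWS, SAMPLE_LINUX):
        print(normalise_file(sample))
```

Lower-casing the digests before storing them matters for the merge rules documented earlier on this page: "E3B0…" and "e3b0…" are the same hash but would be reported as a conflicting Sha256 property if compared as raw strings.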
- classmethod pivots() List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- property properties: dict
Return dictionary properties of entity.
- Returns
Entity properties.
- Return type
dict
- to_html() str
Return HTML representation of entity.
- Returns
HTML representation of entity
- Return type
str
- to_json()
Return object as a JSON string.
- to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) networkx.classes.graph.Graph
Return networkx graph of entities.
- Parameters
graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None
- Returns
Graph with entity and any connected entities.
- Return type
nx.Graph
msticpy.datamodel.entities.file_hash
FileHash Entity class.
- class msticpy.datamodel.entities.file_hash.FileHash(src_entity: Optional[Mapping[str, Any]] = None, src_event: Optional[Mapping[str, Any]] = None, **kwargs)
Bases:
msticpy.datamodel.entities.entity.Entity
File Hash class.
- Value
FileHash Value
- Type
str
Create a new instance of the entity type.
- Parameters
src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)
src_event (Mapping[str, Any], optional) – Create entity from event properties (the default is None)
kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.
- ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 
'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
- ID_PROPERTIES: List[str] = ['Value']
- JSONEncoder
alias of
msticpy.datamodel.entities.entity._EntityJSONEncoder
- add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)
Add an edge between self and target.
- Parameters
target (Node) – Target node.
edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
- can_merge(other: Any) bool
Return True if the entities can be merged.
- Parameters
other (Any) – The other entity (object) to check
- Returns
True if other has no conflicting properties.
- Return type
bool
- classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) msticpy.datamodel.entities.entity.Entity
Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.
- Returns
Instantiated entity
- Return type
Notes
The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.
- classmethod del_pivot_shortcut(func_name: str)
Remove a pivot shortcut.
- Parameters
func_name (str) – The name of the shortcut function.
- Raises
AttributeError – The class does not have an attribute func_name
TypeError – The attribute to delete is not a pivot shortcut.
- property description_str: str
Return Entity Description.
- edges: Set['Edge']
- classmethod get_pivot_list() List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- has_edge(other)
Return True if node has an edge with other.
- classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]
Class factory to return entity from raw dictionary representation.
- Parameters
raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
entity_type (Optional[Type]) – The entity type to create, by default None.
- Returns
The instantiated entity
- Return type
- is_equivalent(other: Any) bool
Return True if the entities are equivalent.
- Parameters
other (Any) – The entity to check
- Returns
True if equivalent.
- Return type
bool
Notes
This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A; self.B == "xyz" and other.B == None; self.C == [] and other.C == [1, 2, 3]
- list_pivot_funcs()
Print list of pivot functions assigned to entity.
- classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)
Add a shortcut to a pivot function to the class.
- Parameters
func_name (str) – The name of source pivot function.
target (str) – The shortcut name (this will be a member function of the class)
overwrite (bool, optional) – Force overwrite an existing pivot function, by default False
- Raises
AttributeError – The source function does not exist
TypeError – The source function is not a pivot function.
TypeError – The target attribute exists and is not a pivot function
AttributeError – The target function exists and ‘overwrite=True’ was not specified.
- merge(other: Any) msticpy.datamodel.entities.entity.Entity
Merge with other entity to create new entity.
- Returns
Merged entity.
- Return type
- Raises
AttributeError – If the entities cannot be merged.
- property name_str: str
Return Entity Name.
- property node_properties: Dict[str, Any]
Return all public properties that are not entities.
- Returns
Dictionary of name, value properties.
- Return type
Dict[str, Any]
- classmethod pivots() List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- property properties: dict
Return dictionary properties of entity.
- Returns
Entity properties.
- Return type
dict
- to_html() str
Return HTML representation of entity.
- Returns
HTML representation of entity
- Return type
str
- to_json()
Return object as a JSON string.
- to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) networkx.classes.graph.Graph
Return networkx graph of entities.
- Parameters
graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None
- Returns
Graph with entity and any connected entities.
- Return type
nx.Graph
msticpy.datamodel.entities.geo_location
GeoLocation Entity class.
- class msticpy.datamodel.entities.geo_location.GeoLocation(src_entity: Optional[Mapping[str, Any]] = None, **kwargs)
Bases:
msticpy.datamodel.entities.entity.Entity, msticpy.datamodel.entities.entity.ContextObject
GeoLocation class.
- CountryCode
GeoLocation CountryCode
- Type
str
- CountryName
GeoLocation CountryName
- Type
str
- State
GeoLocation State
- Type
str
- City
GeoLocation City
- Type
str
- Longitude
GeoLocation Longitude
- Type
float
- Latitude
GeoLocation Latitude
- Type
float
- Asn
GeoLocation Asn
- Type
str
Create a new instance of the entity type.
- Parameters
src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)
kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.
- ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
- ID_PROPERTIES: List[str] = ['Longitude', 'Latitude', 'City', 'State', 'CountryCode']
- JSONEncoder
alias of
msticpy.datamodel.entities.entity._EntityJSONEncoder
- add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)
Add an edge between self and target.
- Parameters
target (Node) – Target node.
edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
- can_merge(other: Any) bool
Return True if the entities can be merged.
- Parameters
other (Any) – The other entity (object) to check
- Returns
True if other has no conflicting properties.
- Return type
bool
- property coordinates: Tuple[float, float]
Return Latitude/Longitude as a tuple of floats.
- classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) msticpy.datamodel.entities.entity.Entity
Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.
- Returns
Instantiated entity
- Return type
Notes
The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.
- classmethod del_pivot_shortcut(func_name: str)
Remove a pivot shortcut.
- Parameters
func_name (str) – The name of the shortcut function.
- Raises
AttributeError – The class does not have an attribute func_name
TypeError – The attribute to delete is not a pivot shortcut.
- property description_str: str
Return Entity Description.
- edges: Set['Edge']
- classmethod get_pivot_list() List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- has_edge(other)
Return True if node has an edge with other.
- classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]
Class factory to return entity from raw dictionary representation.
- Parameters
raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
entity_type (Optional[Type]) – The entity type to create, by default None.
- Returns
The instantiated entity
- Return type
- is_equivalent(other: Any) bool
Return True if the entities are equivalent.
- Parameters
other (Any) – The entity to check
- Returns
True if equivalent.
- Return type
bool
Notes
This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A; self.B == "xyz" and other.B == None; self.C == [] and other.C == [1, 2, 3]
- list_pivot_funcs()
Print list of pivot functions assigned to entity.
- classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)
Add a shortcut to a pivot function to the class.
- Parameters
func_name (str) – The name of source pivot function.
target (str) – The shortcut name (this will be a member function of the class)
overwrite (bool, optional) – Force overwrite an existing pivot function, by default False
- Raises
AttributeError – The source function does not exist
TypeError – The source function is not a pivot function.
TypeError – The target attribute exists and is not a pivot function
AttributeError – The target function exists and ‘overwrite=True’ was not specified.
- merge(other: Any) msticpy.datamodel.entities.entity.Entity
Merge with other entity to create new entity.
- Returns
Merged entity.
- Return type
- Raises
AttributeError – If the entities cannot be merged.
- property name_str: str
Return Entity Name.
- property node_properties: Dict[str, Any]
Return all public properties that are not entities.
- Returns
Dictionary of name, value properties.
- Return type
Dict[str, Any]
- classmethod pivots() List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- property properties: dict
Return dictionary properties of entity.
- Returns
Entity properties.
- Return type
dict
- to_html() str
Return HTML representation of entity.
- Returns
HTML representation of entity
- Return type
str
- to_json()
Return object as a JSON string.
- to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) networkx.classes.graph.Graph
Return networkx graph of entities.
- Parameters
graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None
- Returns
Graph with entity and any connected entities.
- Return type
nx.Graph
msticpy.datamodel.entities.host
Host Entity class.
- class msticpy.datamodel.entities.host.Host(src_entity: Optional[Mapping[str, Any]] = None, src_event: Optional[Mapping[str, Any]] = None, **kwargs)
Bases:
msticpy.datamodel.entities.entity.Entity
Host Entity class.
- DnsDomain
Host DnsDomain
- Type
str
- NTDomain
Host NTDomain
- Type
str
- HostName
Host HostName
- Type
str
- NetBiosName
Host NetBiosName
- Type
str
- AzureID
Host AzureID
- Type
str
- OMSAgentID
Host OMSAgentID
- Type
str
- OSFamily
Host OSFamily
- Type
str
- OSVersion
Host OSVersion
- Type
str
- IsDomainJoined
Host IsDomainJoined
- Type
bool
Create a new instance of the entity type.
- Parameters
src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)
src_event (Mapping[str, Any], optional) – Create entity from event properties (the default is None)
kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.
- ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
- property FullName: Optional[str]
Return the full name of the host - either the FQDN or the NetBiosName.
- ID_PROPERTIES: List[str] = ['fqdn', 'AzureID', 'OMSAgentID']
- JSONEncoder
alias of
msticpy.datamodel.entities.entity._EntityJSONEncoder
- add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)
Add an edge between self and target.
- Parameters
target (Node) – Target node.
edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
- can_merge(other: Any) bool
Return True if the entities can be merged.
- Parameters
other (Any) – The other entity (object) to check
- Returns
True if other has no conflicting properties.
- Return type
bool
- property computer: Optional[str]
Return computer from source event.
- classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) msticpy.datamodel.entities.entity.Entity
Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.
- Returns
Instantiated entity
- Return type
Notes
The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.
- classmethod del_pivot_shortcut(func_name: str)
Remove a pivot shortcut.
- Parameters
func_name (str) – The name of the shortcut function.
- Raises
AttributeError – The class does not have an attribute func_name
TypeError – The attribute to delete is not a pivot shortcut.
- property description_str: str
Return Entity Description.
- edges: Set['Edge']
- property fqdn: Optional[str]
Construct FQDN from host + dns.
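How the fqdn and FullName properties above relate, and why a derived value such as fqdn can sit in ID_PROPERTIES, is easier to see on plain dicts. The block below is an added illustration written for this page, not msticpy's own implementation: host_fqdn, host_full_name, host_id_key and same_host are hypothetical helpers, the host records are constructed samples with placeholder IDs, and the lower-casing of the FQDN (DNS names are case-insensitive) and the "any identifying property matches" rule in same_host are this example's assumptions, not rules stated on the page.

```python
# Added illustration (not msticpy's code) of how a Host entity's fqdn and
# FullName are derived, and of using ID_PROPERTIES as an identity key.
from typing import Any, Dict, Optional, Tuple

HOST_ID_PROPERTIES = ["fqdn", "AzureID", "OMSAgentID"]  # as listed on the page


def host_fqdn(host: Dict[str, Any]) -> Optional[str]:
    """HostName + "." + DnsDomain; bare HostName if no domain; None if no name."""
    name = host.get("HostName")
    if not name:
        return None
    domain = host.get("DnsDomain")
    return f"{name}.{domain}" if domain else name


def host_full_name(host: Dict[str, Any]) -> Optional[str]:
    """FQDN when it can be built, otherwise fall back to NetBiosName."""
    return host_fqdn(host) or host.get("NetBiosName")


def host_id_key(host: Dict[str, Any]) -> Tuple[Optional[str], ...]:
    """Tuple of ID_PROPERTIES values. fqdn is derived, not stored, so it is
    computed here; it is lower-cased because DNS names are case-insensitive
    (assumption of this example, not a rule taken from the page)."""
    fqdn = host_fqdn(host)
    key = [fqdn.lower() if fqdn else None]
    key.extend(host.get(prop) for prop in HOST_ID_PROPERTIES[1:])
    return tuple(key)


def same_host(a: Dict[str, Any], b: Dict[str, Any]) -> bool:
    """Treat two records as one machine when any identifying property
    matches with a non-empty value (this example's rule; see lead-in)."""
    return any(x is not None and x == y for x, y in zip(host_id_key(a), host_id_key(b)))


# Constructed samples: the same web server seen by an endpoint agent and by a
# cloud inventory, plus a legacy record that only carries a NetBIOS name.
HOST_FROM_AGENT = {"HostName": "WEB01", "DnsDomain": "corp.example",
                   "OMSAgentID": "agent-EXAMPLE-1"}
HOST_FROM_CLOUD = {"HostName": "web01", "DnsDomain": "corp.example",
                   "AzureID": "azure-vm-id-EXAMPLE"}
HOST_LEGACY = {"NetBiosName": "WEB01", "NTDomain": "CORP"}

if __name__ == "__main__":
    print(host_fqdn(HOST_FROM_AGENT), host_full_name(HOST_LEGACY))
    print(same_host(HOST_FROM_AGENT, HOST_FROM_CLOUD), same_host(HOST_FROM_AGENT, HOST_LEGACY))
```

The legacy record shows the practical gap: with no HostName there is no fqdn, so it can only be tied to the other two through a property both sides carry, which neither AzureID nor OMSAgentID provides here.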
- classmethod get_pivot_list() List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- has_edge(other)
Return True if node has an edge with other.
- classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]
Class factory to return entity from raw dictionary representation.
- Parameters
raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
entity_type (Optional[Type]) – The entity type to create, by default None.
- Returns
The instantiated entity
- Return type
- is_equivalent(other: Any) bool
Return True if the entities are equivalent.
- Parameters
other (Any) – The entity to check
- Returns
True if equivalent.
- Return type
bool
Notes
This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A; self.B == "xyz" and other.B == None; self.C == [] and other.C == [1, 2, 3]
- list_pivot_funcs()
Print list of pivot functions assigned to entity.
- classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)
Add a shortcut to a pivot function to the class.
- Parameters
func_name (str) – The name of source pivot function.
target (str) – The shortcut name (this will be a member function of the class)
overwrite (bool, optional) – Force overwrite an existing pivot function, by default False
- Raises
AttributeError – The source function does not exist
TypeError – The source function is not a pivot function.
TypeError – The target attribute exists and is not a pivot function
AttributeError – The target function exists and ‘overwrite=True’ was not specified.
- merge(other: Any) msticpy.datamodel.entities.entity.Entity
Merge with other entity to create new entity.
- Returns
Merged entity.
- Return type
- Raises
AttributeError – If the entities cannot be merged.
- property name_str: str
Return Entity Name.
- property node_properties: Dict[str, Any]
Return all public properties that are not entities.
- Returns
Dictionary of name, value properties.
- Return type
Dict[str, Any]
- classmethod pivots() List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- property properties: dict
Return dictionary properties of entity.
- Returns
Entity properties.
- Return type
dict
- to_html() str
Return HTML representation of entity.
- Returns
HTML representation of entity
- Return type
str
- to_json()
Return object as a JSON string.
- to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) networkx.classes.graph.Graph
Return networkx graph of entities.
- Parameters
graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None
- Returns
Graph with entity and any connected entities.
- Return type
nx.Graph
msticpy.datamodel.entities.host_logon_session
HostLogonSession Entity class.
- class msticpy.datamodel.entities.host_logon_session.HostLogonSession(src_entity: Optional[Mapping[str, Any]] = None, src_event: Optional[Mapping[str, Any]] = None, **kwargs)
Bases:
msticpy.datamodel.entities.entity.Entity
HostLogonSession Entity class.
- StartTimeUtc
HostLogonSession StartTimeUtc
- Type
datetime
- EndTimeUtc
HostLogonSession EndTimeUtc
- Type
datetime
- SessionId
HostLogonSession SessionId
- Type
str
Create a new instance of the entity type.
- Parameters
src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)
src_event (Mapping[str, Any], optional) – Create entity from event properties (the default is None)
kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.
- ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
- ID_PROPERTIES: List[str] = ['Account', 'Host', 'SessionId']
- JSONEncoder
alias of
msticpy.datamodel.entities.entity._EntityJSONEncoder
- add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)
Add an edge between self and target.
- Parameters
target (Node) – Target node.
edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
- can_merge(other: Any) bool
Return True if the entities can be merged.
- Parameters
other (Any) – The other entity (object) to check
- Returns
True if other has no conflicting properties.
- Return type
bool
- classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) msticpy.datamodel.entities.entity.Entity
Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.
- Returns
Instantiated entity
- Return type
Notes
The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.
- classmethod del_pivot_shortcut(func_name: str)
Remove a pivot shortcut.
- Parameters
func_name (str) – The name of the shortcut function.
- Raises
AttributeError – The class does not have an attribute func_name
TypeError – The attribute to delete is not a pivot shortcut.
- property description_str: str
Return Entity Description.
- edges: Set['Edge']
- classmethod get_pivot_list() List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- has_edge(other)
Return True if node has an edge with other.
- classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]
Class factory to return entity from raw dictionary representation.
- Parameters
raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
entity_type (Optional[Type]) – The entity type to create, by default None.
- Returns
The instantiated entity
- Return type
- is_equivalent(other: Any) bool
Return True if the entities are equivalent.
- Parameters
other (Any) – The entity to check
- Returns
True if equivalent.
- Return type
bool
Notes
This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A; self.B == "xyz" and other.B == None; self.C == [] and other.C == [1, 2, 3]
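The Notes above (repeated under Account, GeoLocation, Host and this class) describe a conflict rule rather than strict equality: two entities are equivalent, and can be merged, as long as no property carries two different non-empty values. The block below is an added illustration of that rule on plain dicts, written for this page; it is not msticpy's implementation. property_conflict, can_merge, merge and try_merge are hypothetical helpers, the account records are constructed samples with placeholder identifiers, and treating the empty string as "no information" (alongside the None and [] the page names) is this example's assumption.

```python
# Added illustration (not msticpy's code) of the conflict-free equivalence
# and merge rule described in the is_equivalent / can_merge / merge notes.
from typing import Any, Dict, Optional


def _is_empty(value: Any) -> bool:
    """None and empty containers carry no information (page: None, []);
    the empty string is treated the same way here (assumption)."""
    if value is None:
        return True
    if isinstance(value, (str, bytes, list, tuple, dict, set, frozenset)):
        return len(value) == 0
    return False


def property_conflict(mine: Any, theirs: Any) -> bool:
    """Two values conflict only when both carry information and differ."""
    if _is_empty(mine) or _is_empty(theirs):
        return False
    return mine != theirs


def can_merge(this: Dict[str, Any], other: Dict[str, Any]) -> bool:
    """True if no property present on both sides has conflicting values."""
    shared = set(this) & set(other)
    return not any(property_conflict(this[key], other[key]) for key in shared)


def merge(this: Dict[str, Any], other: Dict[str, Any]) -> Dict[str, Any]:
    """Union of both records; a value from `other` only fills gaps in `this`."""
    if not can_merge(this, other):
        raise AttributeError("entities cannot be merged: conflicting properties")
    merged = dict(this)
    for key, value in other.items():
        if _is_empty(merged.get(key)):
            merged[key] = value
    return merged


def try_merge(this: Dict[str, Any], other: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """merge() that returns None instead of raising, for bulk deduplication."""
    try:
        return merge(this, other)
    except AttributeError:
        return None


# Constructed samples: the same user as seen in a Windows security event and
# in a cloud sign-in record. SID and object ID are placeholders, not real values.
ACCOUNT_FROM_WINEVENT = {
    "Type": "account", "Name": "jdoe", "NTDomain": "CORP",
    "Sid": None, "AadUserId": "", "IsDomainJoined": True,
}
ACCOUNT_FROM_CLOUD_SIGNIN = {
    "Type": "account", "Name": "jdoe", "NTDomain": "",
    "Sid": "S-1-5-21-EXAMPLE-1001", "AadUserId": "aad-object-id-EXAMPLE",
    "UPNSuffix": "corp.example",
}
ACCOUNT_OTHER_USER = {"Type": "account", "Name": "jsmith", "NTDomain": "CORP"}

if __name__ == "__main__":
    print(can_merge(ACCOUNT_FROM_WINEVENT, ACCOUNT_FROM_CLOUD_SIGNIN))
    print(merge(ACCOUNT_FROM_WINEVENT, ACCOUNT_FROM_CLOUD_SIGNIN))
    print(try_merge(ACCOUNT_FROM_WINEVENT, ACCOUNT_OTHER_USER))
```

The first two records merge because every property that is populated on both sides agrees, so the result carries the NTDomain from the event and the Sid, AadUserId and UPNSuffix from the sign-in. The third record fails on Name alone; one conflicting property is enough, which is what makes the rule safe for collapsing duplicate entities across alerts.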
- list_pivot_funcs()
Print list of pivot functions assigned to entity.
- classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)
Add a shortcut to a pivot function to the class.
- Parameters
func_name (str) – The name of source pivot function.
target (str) – The shortcut name (this will be a member function of the class)
overwrite (bool, optional) – Force overwrite an existing pivot function, by default False
- Raises
AttributeError – The source function does not exist
TypeError – The source function is not a pivot function.
TypeError – The target attribute exists and is not a pivot function
AttributeError – The target function exists and ‘overwrite=True’ was not specified.
- merge(other: Any) msticpy.datamodel.entities.entity.Entity
Merge with other entity to create new entity.
- Returns
Merged entity.
- Return type
- Raises
AttributeError – If the entities cannot be merged.
- property name_str: str
Return Entity Name.
- property node_properties: Dict[str, Any]
Return all public properties that are not entities.
- Returns
Dictionary of name, value properties.
- Return type
Dict[str, Any]
- classmethod pivots() List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- property properties: dict
Return dictionary properties of entity.
- Returns
Entity properties.
- Return type
dict
- to_html() str
Return HTML representation of entity.
- Returns
HTML representation of entity
- Return type
str
- to_json()
Return object as a JSON string.
- to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) networkx.classes.graph.Graph
Return networkx graph of entities.
- Parameters
graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None
- Returns
Graph with entity and any connected entities.
- Return type
nx.Graph
msticpy.datamodel.entities.ip_address
IpAddress Entity class.
- msticpy.datamodel.entities.ip_address.Ip
- class msticpy.datamodel.entities.ip_address.IpAddress(src_entity: Optional[Mapping[str, Any]] = None, src_event: Optional[Mapping[str, Any]] = None, **kwargs)
Bases:
msticpy.datamodel.entities.entity.Entity
IPAddress Entity class.
- Address
IpAddress Address
- Type
str
- Location
IpAddress Location
- Type
- ThreatIntelligence
IpAddress ThreatIntelligence
- Type
List[Threatintelligence]
Create a new instance of the entity type.
- Parameters
src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)
src_event (Mapping[str, Any], optional) – Create entity from event properties (the default is None)
kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.
- ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
- ID_PROPERTIES: List[str] = ['Address']
- JSONEncoder
alias of
msticpy.datamodel.entities.entity._EntityJSONEncoder
- add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)
Add an edge between self and target.
- Parameters
target (Node) – Target node.
edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
- can_merge(other: Any) bool
Return True if the entities can be merged.
- Parameters
other (Any) – The other entity (object) to check
- Returns
True if other has no conflicting properties.
- Return type
bool
- classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) msticpy.datamodel.entities.entity.Entity
Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.
- Returns
Instantiated entity
- Return type
Entity
Notes
The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.
- classmethod del_pivot_shortcut(func_name: str)
Remove a pivot shortcut.
- Parameters
func_name (str) – The name of the shortcut function.
- Raises
AttributeError – The class does not have an attribute func_name
TypeError – The attribute to delete is not a pivot shortcut.
- property description_str: str
Return Entity Description.
- edges: Set['Edge']
- classmethod get_pivot_list() List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- has_edge(other)
Return True if node has an edge with other.
- classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]
Class factory to return entity from raw dictionary representation.
- Parameters
raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
entity_type (Optional[Type]) – The entity type to create, by default None.
- Returns
The instantiated entity
- Return type
Union[Entity, Mapping[str, Any]]
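The create / instantiate_entity factory described above, worked through on a constructed alert payload. This is an added example and not msticpy's own code: stand-in classes replace the real entity classes so it runs without the library, and the sample "Entities" JSON, the "sensor-reading" type name and the subset of ENTITY_NAME_MAP used are all constructed for the illustration. It shows the documented behaviour that matters when you parse alert data: the type comes from a "Type" key (in the mapping or as a keyword), lookup is case-insensitive, unknown names resolve to the "unknown" entry, and a mapping with no "Type" at all is handed back unchanged, which is why the documented return type is Union[Entity, Mapping].

```python
"""Turn the JSON "Entities" list of an alert into typed entity objects.

Added illustration, not msticpy's own code.  It mirrors what this page
documents for Entity.create and Entity.instantiate_entity: the entity type
is read from a "Type" key (in the mapping or given as a keyword argument),
looked up case-insensitively in ENTITY_NAME_MAP, and names that are not in
the map fall back to the "unknown" entry.  The stand-in classes below
replace the real entity classes so the script runs without msticpy.
"""
import json
from typing import Any, Dict, List, Mapping, Optional, Type, Union


class StandInEntity:
    """Minimal stand-in for msticpy's Entity: every property becomes an attribute."""

    def __init__(self, src_entity: Optional[Mapping[str, Any]] = None, **kwargs):
        props = dict(src_entity or {})
        props.update(kwargs)
        props.pop("Type", None)  # "Type" selects the class; it is not an entity property
        self.__dict__.update(props)

    @property
    def properties(self) -> Dict[str, Any]:
        return dict(self.__dict__)

    def __repr__(self) -> str:
        return f"{type(self).__name__}({self.properties})"


class Account(StandInEntity):
    pass


class Host(StandInEntity):
    pass


class IpAddress(StandInEntity):
    pass


class Process(StandInEntity):
    pass


class UnknownEntity(StandInEntity):
    pass


# A subset of the ENTITY_NAME_MAP shown on the page, keeping its alias style.
ENTITY_NAME_MAP: Dict[str, Type[StandInEntity]] = {
    "account": Account,
    "host": Host,
    "ip": IpAddress,
    "ipaddress": IpAddress,
    "process": Process,
    "unknown": UnknownEntity,
}


def instantiate_entity(
    raw_entity: Mapping[str, Any], entity_type: Optional[Type[StandInEntity]] = None
) -> Union[StandInEntity, Mapping[str, Any]]:
    """Return a typed entity, or the raw mapping itself when no type can be determined."""
    if entity_type is None:
        type_name = raw_entity.get("Type")
        if not type_name:
            return raw_entity  # no "Type" to dispatch on: the mapping comes back unchanged
        entity_type = ENTITY_NAME_MAP.get(str(type_name).lower(), ENTITY_NAME_MAP["unknown"])
    return entity_type(raw_entity)


def create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) -> Union[StandInEntity, Mapping[str, Any]]:
    """As documented: "Type" may be a key of src_entity or a keyword argument."""
    merged = dict(src_entity or {})
    merged.update(kwargs)
    return instantiate_entity(merged)


# Constructed sample in the shape of a Microsoft Sentinel SecurityAlert "Entities" column.
SAMPLE_ALERT_ENTITIES = json.dumps([
    {"Type": "account", "Name": "jdoe", "NTDomain": "CORP"},
    {"Type": "host", "HostName": "ws-0412", "NTDomain": "CORP"},
    {"Type": "Ip", "Address": "203.0.113.7"},                   # mixed case: resolved via lower()
    {"Type": "process", "ProcessId": "0x1f3c", "CommandLine": "powershell -enc SQBFAFgA"},
    {"Type": "sensor-reading", "Value": 42},                     # constructed name not in the map
])


def entities_from_alert(entities_json: str) -> List[Union[StandInEntity, Mapping[str, Any]]]:
    """Parse the Entities JSON array and instantiate each element."""
    return [instantiate_entity(raw) for raw in json.loads(entities_json)]


def type_names(entities_json: str) -> List[str]:
    """Class name of each instantiated entity, in input order."""
    return [type(ent).__name__ for ent in entities_from_alert(entities_json)]


if __name__ == "__main__":
    for entity in entities_from_alert(SAMPLE_ALERT_ENTITIES):
        print(entity)
```

When wiring this up to real alert rows, check the return value's type before using attribute access: a row whose entity dictionaries lack "Type" is returned as the plain mapping, and silently treating it as an entity is how enrichment notebooks end up dropping indicators.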
- property ip_address: Optional[Union[ipaddress.IPv4Address, ipaddress.IPv6Address]]
Return a python IP address object from the entity property.
- is_equivalent(other: Any) bool
Return True if the entities are equivalent.
- Parameters
other (Any) – The entity to check
- Returns
True if equivalent.
- Return type
bool
Notes
This method checks that the compared entities do not have any property values with conflicting values. E.g., none of these pairs conflict:
self.A == other.A
self.B == “xyz” and other.B == None
self.C == [] and other.C == [1, 2, 3]
- list_pivot_funcs()
Print list of pivot functions assigned to entity.
- classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)
Add a shortcut to a pivot function to the class.
- Parameters
func_name (str) – The name of source pivot function.
target (str) – The shortcut name (this will be a member function of the class)
overwrite (bool, optional) – Force overwrite an existing pivot function, by default False
- Raises
AttributeError – The source function does not exist
TypeError – The source function is not a pivot function.
TypeError – The target attribute exists and is not a pivot function
AttributeError – The target function exists and ‘overwrite=True’ was not specified.
- merge(other: Any) msticpy.datamodel.entities.entity.Entity
Merge with other entity to create new entity.
- Returns
Merged entity.
- Return type
Entity
- Raises
AttributeError – If the entities cannot be merged.
- property name_str: str
Return Entity Name.
- property node_properties: Dict[str, Any]
Return all public properties that are not entities.
- Returns
Dictionary of name, value properties.
- Return type
Dict[str, Any]
- classmethod pivots() List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- property properties: dict
Return dictionary properties of entity.
- Returns
Entity properties.
- Return type
dict
- to_html() str
Return HTML representation of entity.
- Returns
HTML representation of entity
- Return type
str
- to_json()
Return object as a JSON string.
- to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) networkx.classes.graph.Graph
Return networkx graph of entities.
- Parameters
graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None
- Returns
Graph with entity and any connected entities.
- Return type
nx.Graph
msticpy.datamodel.entities.malware
Malware Entity class.
- class msticpy.datamodel.entities.malware.Malware(src_entity: Optional[Mapping[str, Any]] = None, **kwargs)
Bases:
msticpy.datamodel.entities.entity.Entity
Malware Entity class.
- Name
Malware Name
- Type
str
- Category
Malware Category
- Type
str
Create a new instance of the entity type.
- Parameters
src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)
kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.
- ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 
'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
- ID_PROPERTIES: List[str] = ['Name']
- JSONEncoder
alias of
msticpy.datamodel.entities.entity._EntityJSONEncoder
- add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)
Add an edge between self and target.
- Parameters
target (Node) – Target node.
edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
- can_merge(other: Any) bool
Return True if the entities can be merged.
- Parameters
other (Any) – The other entity (object) to check
- Returns
True if other has no conflicting properties.
- Return type
bool
- classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) msticpy.datamodel.entities.entity.Entity
Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.
- Returns
Instantiated entity
- Return type
Entity
Notes
The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.
- classmethod del_pivot_shortcut(func_name: str)
Remove a pivot shortcut.
- Parameters
func_name (str) – The name of the shortcut function.
- Raises
AttributeError – The class does not have an attribute func_name
TypeError – The attribute to delete is not a pivot shortcut.
- property description_str: str
Return Entity Description.
- edges: Set['Edge']
- classmethod get_pivot_list() List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- has_edge(other)
Return True if node has an edge with other.
- classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]
Class factory to return entity from raw dictionary representation.
- Parameters
raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
entity_type (Optional[Type]) – The entity type to create, by default None.
- Returns
The instantiated entity
- Return type
Union[Entity, Mapping[str, Any]]
- is_equivalent(other: Any) bool
Return True if the entities are equivalent.
- Parameters
other (Any) – The entity to check
- Returns
True if equivalent.
- Return type
bool
Notes
This method checks that the compared entities do not have any property values with conflicting values. E.g., none of these pairs conflict:
self.A == other.A
self.B == “xyz” and other.B == None
self.C == [] and other.C == [1, 2, 3]
- list_pivot_funcs()
Print list of pivot functions assigned to entity.
- classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)
Add a shortcut to a pivot function to the class.
- Parameters
func_name (str) – The name of source pivot function.
target (str) – The shortcut name (this will be a member function of the class)
overwrite (bool, optional) – Force overwrite an existing pivot function, by default False
- Raises
AttributeError – The source function does not exist
TypeError – The source function is not a pivot function.
TypeError – The target attribute exists and is not a pivot function
AttributeError – The target function exists and ‘overwrite=True’ was not specified.
- merge(other: Any) msticpy.datamodel.entities.entity.Entity
Merge with other entity to create new entity.
- Returns
Merged entity.
- Return type
Entity
- Raises
AttributeError – If the entities cannot be merged.
- property name_str: str
Return Entity Name.
- property node_properties: Dict[str, Any]
Return all public properties that are not entities.
- Returns
Dictionary of name, value properties.
- Return type
Dict[str, Any]
- classmethod pivots() List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- property properties: dict
Return dictionary properties of entity.
- Returns
Entity properties.
- Return type
dict
- to_html() str
Return HTML representation of entity.
- Returns
HTML representation of entity
- Return type
str
- to_json()
Return object as a JSON string.
- to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) networkx.classes.graph.Graph
Return networkx graph of entities.
- Parameters
graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None
- Returns
Graph with entity and any connected entities.
- Return type
nx.Graph
msticpy.datamodel.entities.network_connection
NetworkConnection Entity class.
- class msticpy.datamodel.entities.network_connection.NetworkConnection(src_entity: Optional[Mapping[str, Any]] = None, **kwargs)
Bases:
msticpy.datamodel.entities.entity.Entity
NetworkConnection Entity class.
- SourceAddress
NetworkConnection SourceAddress
- Type
IpAddress
- SourcePort
NetworkConnection SourcePort
- Type
int
- DestinationAddress
NetworkConnection DestinationAddress
- Type
IpAddress
- DestinationPort
NetworkConnection DestinationPort
- Type
int
- Protocol
NetworkConnection Protocol
- Type
str
Create a new instance of the entity type.
- Parameters
src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)
kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.
- ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 
'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
- ID_PROPERTIES: List[str] = ['SourceAddress', 'SourcePort', 'DestinationAddress', 'DestinationPort']
- JSONEncoder
alias of
msticpy.datamodel.entities.entity._EntityJSONEncoder
- add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)
Add an edge between self and target.
- Parameters
target (Node) – Target node.
edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
- can_merge(other: Any) bool
Return True if the entities can be merged.
- Parameters
other (Any) – The other entity (object) to check
- Returns
True if other has no conflicting properties.
- Return type
bool
- classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) msticpy.datamodel.entities.entity.Entity
Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.
- Returns
Instantiated entity
- Return type
Entity
Notes
The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.
- classmethod del_pivot_shortcut(func_name: str)
Remove a pivot shortcut.
- Parameters
func_name (str) – The name of the shortcut function.
- Raises
AttributeError – The class does not have an attribute func_name
TypeError – The attribute to delete is not a pivot shortcut.
- property description_str: str
Return Entity Description.
- edges: Set['Edge']
- classmethod get_pivot_list() List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- has_edge(other)
Return True if node has an edge with other.
- classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]
Class factory to return entity from raw dictionary representation.
- Parameters
raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
entity_type (Optional[Type]) – The entity type to create, by default None.
- Returns
The instantiated entity
- Return type
Union[Entity, Mapping[str, Any]]
- is_equivalent(other: Any) bool
Return True if the entities are equivalent.
- Parameters
other (Any) – The entity to check
- Returns
True if equivalent.
- Return type
bool
Notes
This method checks that the compared entities do not have any property values with conflicting values. E.g., none of these pairs conflict:
self.A == other.A
self.B == “xyz” and other.B == None
self.C == [] and other.C == [1, 2, 3]
- list_pivot_funcs()
Print list of pivot functions assigned to entity.
- classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)
Add a shortcut to a pivot function to the class.
- Parameters
func_name (str) – The name of source pivot function.
target (str) – The shortcut name (this will be a member function of the class)
overwrite (bool, optional) – Force overwrite an existing pivot function, by default False
- Raises
AttributeError – The source function does not exist
TypeError – The source function is not a pivot function.
TypeError – The target attribute exists and is not a pivot function
AttributeError – The target function exists and ‘overwrite=True’ was not specified.
- merge(other: Any) msticpy.datamodel.entities.entity.Entity
Merge with other entity to create new entity.
- Returns
Merged entity.
- Return type
Entity
- Raises
AttributeError – If the entities cannot be merged.
- property name_str: str
Return Entity Name.
- property node_properties: Dict[str, Any]
Return all public properties that are not entities.
- Returns
Dictionary of name, value properties.
- Return type
Dict[str, Any]
- classmethod pivots() List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- property properties: dict
Return dictionary properties of entity.
- Returns
Entity properties.
- Return type
dict
- to_html() str
Return HTML representation of entity.
- Returns
HTML representation of entity
- Return type
str
- to_json()
Return object as a JSON string.
- to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) networkx.classes.graph.Graph
Return networkx graph of entities.
- Parameters
graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None
- Returns
Graph with entity and any connected entities.
- Return type
nx.Graph
msticpy.datamodel.entities.process
Process Entity class.
- class msticpy.datamodel.entities.process.Process(src_entity: Optional[Mapping[str, Any]] = None, src_event: Optional[Mapping[str, Any]] = None, role='new', **kwargs)
Bases:
msticpy.datamodel.entities.entity.Entity
Process Entity class.
- ProcessId
Process ProcessId
- Type
str
- CommandLine
Process CommandLine
- Type
str
- ElevationToken
Process ElevationToken
- Type
str
- CreationTimeUtc
Process CreationTimeUtc
- Type
datetime
- LogonSession
Process LogonSession
- Type
Create a new instance of the entity type.
- Parameters
src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)
src_event (Mapping[str, Any], optional) – Create entity from event properties (the default is None)
role (str, optional) – ‘new’ or ‘parent’ - only relevant if the entity is being constructed from an event. (the default is ‘new’)
kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.
- ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 
'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
- ID_PROPERTIES: List[str] = ['ProcessId', 'ImageFile', 'CreationTimeUtc', 'CommandLine']
- JSONEncoder
alias of
msticpy.datamodel.entities.entity._EntityJSONEncoder
- property ProcessFilePath: Optional[str]
Return the name of the process file path.
- property ProcessName: Optional[str]
Return the name of the process file.
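The role parameter of the constructor and the ProcessName / ProcessFilePath properties, worked through on one constructed process-creation event. This is an added example and not msticpy's event-mapping code: the Windows 4688 column names (NewProcessId, NewProcessName, CommandLine, ProcessId, ParentProcessName, TimeGenerated), ImageFile held as a plain path string rather than a File entity, and a ParentProcess property linking the two entities are all assumptions of this illustration. It shows why role matters: the same event row yields two different Process entities, and a parent-child detection keys on the pair of ProcessName values.

```python
"""Build the "new" and "parent" Process entities from one process-creation event.

Added illustration, not msticpy's own event-mapping code.  The page documents
that Process(src_event=..., role="new" | "parent") selects which of the two
processes in an event the entity describes, and that ProcessName and
ProcessFilePath are derived from the process image.  Assumptions made here:
the Windows 4688 column names, ImageFile held as a plain path string, and a
ParentProcess property that links the new process to its parent.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Any, Dict, Mapping, Optional, Tuple


@dataclass
class StandInProcess:
    """Subset of the Process entity's properties listed on the page."""

    ProcessId: Optional[str] = None
    CommandLine: Optional[str] = None
    CreationTimeUtc: Optional[datetime] = None
    ImageFile: Optional[str] = None  # assumption: full image path instead of a File entity
    ParentProcess: Optional["StandInProcess"] = None  # assumption: not in the page's property list

    @property
    def ProcessFilePath(self) -> Optional[str]:
        """Full path of the process image."""
        return self.ImageFile

    @property
    def ProcessName(self) -> Optional[str]:
        """File name of the process image (last path component, either separator)."""
        if not self.ImageFile:
            return None
        return self.ImageFile.replace("/", "\\").rsplit("\\", 1)[-1]


# Assumed event-column -> entity-property mapping for each role.
_ROLE_MAP: Dict[str, Dict[str, str]] = {
    "new": {
        "ProcessId": "NewProcessId",
        "ImageFile": "NewProcessName",
        "CommandLine": "CommandLine",
        "CreationTimeUtc": "TimeGenerated",
    },
    "parent": {
        "ProcessId": "ProcessId",
        "ImageFile": "ParentProcessName",
    },
}


def process_from_event(src_event: Mapping[str, Any], role: str = "new") -> StandInProcess:
    """Create the process entity for the given role; the new process links to its parent."""
    if role not in _ROLE_MAP:
        raise ValueError(f"role must be one of {sorted(_ROLE_MAP)}, got {role!r}")
    props = {prop: src_event.get(column) for prop, column in _ROLE_MAP[role].items()}
    proc = StandInProcess(**props)
    if role == "new" and src_event.get("ParentProcessName"):
        proc.ParentProcess = process_from_event(src_event, role="parent")
    return proc


# Constructed sample row in the shape of a Windows Security event 4688 record.
SAMPLE_4688: Dict[str, Any] = {
    "TimeGenerated": datetime(2024, 3, 5, 14, 2, 11, tzinfo=timezone.utc),
    "Computer": "ws-0412.corp.example",
    "SubjectUserName": "jdoe",
    "NewProcessId": "0x1f3c",
    "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA",
    "ProcessId": "0x0e94",
    "ParentProcessName": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
}


def parent_child_names(src_event: Mapping[str, Any]) -> Tuple[Optional[str], Optional[str]]:
    """(parent ProcessName, new ProcessName): the pair a parent-child detection keys on."""
    new_proc = process_from_event(src_event, role="new")
    parent = new_proc.ParentProcess
    return (parent.ProcessName if parent else None, new_proc.ProcessName)


if __name__ == "__main__":
    print(parent_child_names(SAMPLE_4688))
```

The parent entity built this way carries no CommandLine or CreationTimeUtc, because a 4688 record only describes the parent by id and image; that is the expected shape, not a mapping bug, and any later merge with a fuller record of the same parent should fill those properties in rather than overwrite them.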
- add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)
Add an edge between self and target.
- Parameters
target (Node) – Target node.
edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
- can_merge(other: Any) bool
Return True if the entities can be merged.
- Parameters
other (Any) – The other entity (object) to check
- Returns
True if other has no conflicting properties.
- Return type
bool
- classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) msticpy.datamodel.entities.entity.Entity
Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.
- Returns
Instantiated entity
- Return type
Entity
Notes
The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.
- classmethod del_pivot_shortcut(func_name: str)
Remove a pivot shortcut.
- Parameters
func_name (str) – The name of the shortcut function.
- Raises
AttributeError – The class does not have an attribute func_name
TypeError – The attribute to delete is not a pivot shortcut.
- property description_str: str
Return Entity Description.
- edges: Set['Edge']
- classmethod get_pivot_list() List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- has_edge(other)
Return True if node has an edge with other.
- classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]
Class factory to return entity from raw dictionary representation.
- Parameters
raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
entity_type (Optional[Type]) – The entity type to create, by default None.
- Returns
The instantiated entity
- Return type
Union[Entity, Mapping[str, Any]]
- is_equivalent(other: Any) bool
Return True if the entities are equivalent.
- Parameters
other (Any) – The entity to check
- Returns
True if equivalent.
- Return type
bool
Notes
This method checks that the compared entities do not have any property values with conflicting values. E.g., none of these pairs conflict:
self.A == other.A
self.B == “xyz” and other.B == None
self.C == [] and other.C == [1, 2, 3]
- list_pivot_funcs()
Print list of pivot functions assigned to entity.
- classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)
Add a shortcut to a pivot function to the class.
- Parameters
func_name (str) – The name of source pivot function.
target (str) – The shortcut name (this will be a member function of the class)
overwrite (bool, optional) – Force overwrite an existing pivot function, by default False
- Raises
AttributeError – The source function does not exist
TypeError – The source function is not a pivot function.
TypeError – The target attribute exists and is not a pivot function
AttributeError – The target function exists and ‘overwrite=True’ was not specified.
- merge(other: Any) msticpy.datamodel.entities.entity.Entity
Merge with other entity to create new entity.
- Returns
Merged entity.
- Return type
Entity
- Raises
AttributeError – If the entities cannot be merged.
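The is_equivalent / can_merge rule and the merge behaviour documented above, which every entity class on this page inherits, worked through on constructed Process and NetworkConnection records. This is an added example and not msticpy's implementation: it operates on plain property dictionaries, the "no conflicting values" rule is applied exactly as the Notes state it (equal values, a value against None, and an empty list against a filled one are all non-conflicting), a conflict raises AttributeError as merge() is documented to do, and the identity keys use the ID_PROPERTIES lists the page gives for Process and NetworkConnection. The coalesce helper is this example's own way of de-duplicating entities across alerts; treating all empty containers, not only lists, as non-conflicting is a generalisation of the page's [] example.

```python
"""Equivalence, mergeability and merge over entity property sets.

Added illustration, not msticpy's own implementation.  It applies the rule the
is_equivalent / can_merge notes on this page state: two entities are compatible
when no property has conflicting values, where equal values, a value against
None, and an empty list against a filled one are all non-conflicting.  merge()
keeps the informative value of each pair and raises AttributeError on a
conflict.  Identity keys use the ID_PROPERTIES lists the page gives.
"""
from typing import Any, Dict, Iterable, List, Tuple

# ID_PROPERTIES as listed on the page for these two entity classes.
ID_PROPERTIES: Dict[str, List[str]] = {
    "Process": ["ProcessId", "ImageFile", "CreationTimeUtc", "CommandLine"],
    "NetworkConnection": ["SourceAddress", "SourcePort", "DestinationAddress", "DestinationPort"],
}


def _is_empty(value: Any) -> bool:
    """None and empty containers carry no information, so they never conflict."""
    return value is None or (isinstance(value, (list, tuple, set, dict)) and len(value) == 0)


def conflicts(a: Dict[str, Any], b: Dict[str, Any]) -> List[str]:
    """Properties present in both with different, non-empty values."""
    return sorted(k for k in a.keys() & b.keys()
                  if not _is_empty(a[k]) and not _is_empty(b[k]) and a[k] != b[k])


def can_merge(a: Dict[str, Any], b: Dict[str, Any]) -> bool:
    """True when nothing conflicts; the same test the page describes for is_equivalent."""
    return not conflicts(a, b)


def merge(a: Dict[str, Any], b: Dict[str, Any]) -> Dict[str, Any]:
    """Union of both property sets, preferring whichever side has the non-empty value."""
    clash = conflicts(a, b)
    if clash:
        raise AttributeError(f"entities cannot be merged: conflicting properties {clash}")
    merged = dict(a)
    for key, value in b.items():
        if _is_empty(merged.get(key)):
            merged[key] = value
    return merged


def identity_key(entity_type: str, props: Dict[str, Any]) -> Tuple[Any, ...]:
    """Tuple of the ID_PROPERTIES values that identify an entity of this type."""
    return tuple(props.get(name) for name in ID_PROPERTIES[entity_type])


def coalesce(entity_type: str, entities: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Merge records with the same identity key unless their other properties conflict."""
    buckets: Dict[Tuple[Any, ...], List[Dict[str, Any]]] = {}
    for ent in entities:
        bucket = buckets.setdefault(identity_key(entity_type, ent), [])
        for i, existing in enumerate(bucket):
            if can_merge(existing, ent):
                bucket[i] = merge(existing, ent)
                break
        else:
            bucket.append(ent)  # same key but conflicting data: keep it as a separate entity
    return [ent for bucket in buckets.values() for ent in bucket]


# Constructed samples: one process seen in a 4688 event and again in an alert.
PROC_FROM_EVENT = {
    "ProcessId": "0x1f3c",
    "ImageFile": "C:\\Windows\\System32\\cmd.exe",
    "CommandLine": "cmd.exe /c whoami",
    "CreationTimeUtc": "2024-03-05T14:02:11Z",
}
PROC_FROM_ALERT = {
    "ProcessId": "0x1f3c",
    "ImageFile": "C:\\Windows\\System32\\cmd.exe",
    "CommandLine": None,  # the alert did not carry the command line
    "Tags": [],           # empty list: compatible with any value on the other side
}
PROC_OTHER = {
    "ProcessId": "0x1f3c",  # reused PID, different image: a real conflict
    "ImageFile": "C:\\Windows\\System32\\notepad.exe",
}


def _conn(sport: int, proto: Any, **extra: Any) -> Dict[str, Any]:
    """Constructed NetworkConnection record from one alert."""
    return {"SourceAddress": "10.0.0.5", "SourcePort": sport, "DestinationAddress": "203.0.113.7",
            "DestinationPort": 443, "Protocol": proto, **extra}


# Same 4-tuple three times (once with no protocol, once with a conflicting one), then another port.
NET_CONNS = [_conn(51234, "tcp"), _conn(51234, None, Bytes=8192), _conn(51234, "udp"), _conn(51235, "tcp")]

if __name__ == "__main__":
    print(merge(PROC_FROM_EVENT, PROC_FROM_ALERT))
    print(coalesce("NetworkConnection", NET_CONNS))
```

The conflict on Protocol is the case to watch: the udp record shares the NetworkConnection identity tuple with the tcp one but cannot be merged into it, so it stays a separate entity rather than silently overwriting the protocol, which is the behaviour the documented AttributeError from merge() exists to enforce.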
- property name_str: str
Return Entity Name.
- property node_properties: Dict[str, Any]
Return all public properties that are not entities.
- Returns
Dictionary of name, value properties.
- Return type
Dict[str, Any]
- classmethod pivots() List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- property properties: dict
Return dictionary properties of entity.
- Returns
Entity properties.
- Return type
dict
- to_html() str
Return HTML representation of entity.
- Returns
HTML representation of entity
- Return type
str
- to_json()
Return object as a JSON string.
- to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) networkx.classes.graph.Graph
Return networkx graph of entities.
- Parameters
graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None
- Returns
Graph with entity and any connected entities.
- Return type
nx.Graph
msticpy.datamodel.entities.registry_key
RegistryKey Entity class.
- class msticpy.datamodel.entities.registry_key.RegistryKey(src_entity: Optional[Mapping[str, Any]] = None, **kwargs)
Bases:
msticpy.datamodel.entities.entity.Entity
RegistryKey Entity class.
- Hive
RegistryKey Hive
- Type
- Key
RegistryKey Key
- Type
str
Create a new instance of the entity type.
- Parameters
src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)
kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.
- ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 
'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
- ID_PROPERTIES: List[str] = ['Hive', 'Key']
- JSONEncoder
alias of
msticpy.datamodel.entities.entity._EntityJSONEncoder
- add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)
Add an edge between self and target.
- Parameters
target (Node) – Target node.
edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
- can_merge(other: Any) bool
Return True if the entities can be merged.
- Parameters
other (Any) – The other entity (object) to check
- Returns
True if other has no conflicting properties.
- Return type
bool
- classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) msticpy.datamodel.entities.entity.Entity
Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.
- Returns
Instantiated entity
- Return type
Entity
Notes
The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.
- classmethod del_pivot_shortcut(func_name: str)
Remove a pivot shortcut.
- Parameters
func_name (str) – The name of the shortcut function.
- Raises
AttributeError – The class does not have an attribute func_name
TypeError – The attribute to delete is not a pivot shortcut.
- property description_str: str
Return Entity Description.
- edges: Set['Edge']
- classmethod get_pivot_list() List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- has_edge(other)
Return True if node has an edge with other.
- classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]
Class factory to return entity from raw dictionary representation.
- Parameters
raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
entity_type (Optional[Type]) – The entity type to create, by default None.
- Returns
The instantiated entity
- Return type
Union[Entity, Mapping[str, Any]]
- is_equivalent(other: Any) bool
Return True if the entities are equivalent.
- Parameters
other (Any) – The entity to check
- Returns
True if equivalent.
- Return type
bool
Notes
This method checks that the compared entities do not have any property values with conflicting values. A property whose value is None or an empty collection on one side does not conflict with a set value on the other. Non-conflicting pairs include:
self.A == other.A
self.B == “xyz” and other.B == None
self.C == [] and other.C == [1, 2, 3]
- list_pivot_funcs()
Print list of pivot functions assigned to entity.
- classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)
Add a shortcut to a pivot function to the class.
- Parameters
func_name (str) – The name of source pivot function.
target (str) – The shortcut name (this will be a member function of the class)
overwrite (bool, optional) – Force overwrite an existing pivot function, by default False
- Raises
AttributeError – The source function does not exist
TypeError – The source function is not a pivot function.
TypeError – The target attribute exists and is not a pivot function
AttributeError – The target function exists and ‘overwrite=True’ was not specified.
- merge(other: Any) msticpy.datamodel.entities.entity.Entity
Merge with other entity to create new entity.
- Returns
Merged entity.
- Return type
Entity
- Raises
AttributeError – If the entities cannot be merged.
- property name_str: str
Return Entity Name.
- property node_properties: Dict[str, Any]
Return all public properties that are not entities.
- Returns
Dictionary of name, value properties.
- Return type
Dict[str, Any]
- classmethod pivots() List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- property properties: dict
Return dictionary properties of entity.
- Returns
Entity properties.
- Return type
dict
- to_html() str
Return HTML representation of entity.
- Returns
HTML representation of entity
- Return type
str
- to_json()
Return object as a JSON string.
- to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) networkx.classes.graph.Graph
Return networkx graph of entities.
- Parameters
graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None
- Returns
Graph with entity and any connected entities.
- Return type
nx.Graph
msticpy.datamodel.entities.registry_value
RegistryValue Entity class.
- class msticpy.datamodel.entities.registry_value.RegistryValue(src_entity: Optional[Mapping[str, Any]] = None, **kwargs)
Bases:
msticpy.datamodel.entities.entity.Entity
RegistryValue Entity class.
- Key
RegistryValue Key
- Type
str
- Name
RegistryValue Name
- Type
str
- Value
RegistryValue Value
- Type
str
- ValueType
RegistryValue ValueType
- Type
str
Create a new instance of the entity type.
- Parameters
src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)
kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.
- ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 
'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
- ID_PROPERTIES: List[str] = ['Key', 'Name', 'Value']
- JSONEncoder
alias of
msticpy.datamodel.entities.entity._EntityJSONEncoder
- add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)
Add an edge between self and target.
- Parameters
target (Node) – Target node.
edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
- can_merge(other: Any) bool
Return True if the entities can be merged.
- Parameters
other (Any) – The other entity (object) to check
- Returns
True if other has no conflicting properties.
- Return type
bool
- classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) msticpy.datamodel.entities.entity.Entity
Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.
- Returns
Instantiated entity
- Return type
Entity
Notes
The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.
- classmethod del_pivot_shortcut(func_name: str)
Remove a pivot shortcut.
- Parameters
func_name (str) – The name of the shortcut function.
- Raises
AttributeError – The class does not have an attribute func_name
TypeError – The attribute to delete is not a pivot shortcut.
- property description_str: str
Return Entity Description.
- edges: Set['Edge']
- classmethod get_pivot_list() List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- has_edge(other)
Return True if node has an edge with other.
- classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]
Class factory to return entity from raw dictionary representation.
- Parameters
raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
entity_type (Optional[Type]) – The entity type to create, by default None.
- Returns
The instantiated entity
- Return type
Union[Entity, Mapping[str, Any]]
- is_equivalent(other: Any) bool
Return True if the entities are equivalent.
- Parameters
other (Any) – The entity to check
- Returns
True if equivalent.
- Return type
bool
Notes
This method checks that the compared entities do not have any property values with conflicting values. A property whose value is None or an empty collection on one side does not conflict with a set value on the other. Non-conflicting pairs include:
self.A == other.A
self.B == “xyz” and other.B == None
self.C == [] and other.C == [1, 2, 3]
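The following is an added, stand-alone illustration of the rule that is_equivalent, can_merge and merge describe above, applied to registry-value entities as they might arrive from several alerts. It is not msticpy's own code: it re-states the documented rule over plain dictionaries so it runs without msticpy installed, and it only uses the RegistryValue property names from this page (Key, Name, Value, ValueType). The sample entities and the RUN_KEY path are constructed for the example. Treating None and empty collections as "no value" follows the two documented examples; treating the empty string the same way is this example's own assumption.

```python
"""Deduplicate raw entity mappings using the "no conflicting properties" rule.

Added illustration, not msticpy code. It re-states the rule documented for
is_equivalent / can_merge / merge over plain dicts so it runs offline.
"""
from typing import Any, Dict, List, Mapping

RawEntity = Dict[str, Any]


def _is_unset(value: Any) -> bool:
    """Return True for values treated as 'no value' when comparing entities."""
    if value is None:
        return True
    if isinstance(value, (list, tuple, set, dict)) and len(value) == 0:
        return True
    return value == ""  # assumption: an empty string behaves like None


def can_merge(this: Mapping[str, Any], other: Mapping[str, Any]) -> bool:
    """True if no property holds two different set values across the pair."""
    for key in set(this) | set(other):
        left, right = this.get(key), other.get(key)
        if _is_unset(left) or _is_unset(right):
            continue  # only one side has a value: not a conflict
        if left != right:
            return False
    return True


def merge(this: Mapping[str, Any], other: Mapping[str, Any]) -> RawEntity:
    """Return a new mapping carrying every set property from either side.

    Raises AttributeError on conflict, mirroring the documented merge().
    """
    if not can_merge(this, other):
        raise AttributeError("entities have conflicting property values")
    merged: RawEntity = {}
    for key in set(this) | set(other):
        left, right = this.get(key), other.get(key)
        merged[key] = right if _is_unset(left) else left
    return merged


def dedupe(entities: List[Mapping[str, Any]]) -> List[RawEntity]:
    """Collapse a list of raw entities into the set of non-equivalent ones.

    Each incoming entity is merged into the first result it can merge with;
    otherwise it becomes a new result. Conflicting observations stay separate.
    """
    results: List[RawEntity] = []
    for ent in entities:
        for idx, existing in enumerate(results):
            if can_merge(existing, ent):
                results[idx] = merge(existing, ent)
                break
        else:
            results.append(dict(ent))
    return results


# Constructed sample: registry-value entities as several alerts might report them.
RUN_KEY = r"HKEY_USERS\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_ENTITIES = [
    # First alert saw the value name but not its data.
    {"Type": "registryvalue", "Key": RUN_KEY, "Name": "Updater", "Value": None},
    # Second alert carries the data and type: merges with the first.
    {"Type": "registryvalue", "Key": RUN_KEY, "Name": "Updater",
     "Value": r"C:\Users\Public\upd.exe", "ValueType": "String"},
    # Same value name, different data: a genuine conflict, kept separate.
    {"Type": "registryvalue", "Key": RUN_KEY, "Name": "Updater",
     "Value": r"C:\Windows\Temp\other.exe"},
    # A different value under the same key.
    {"Type": "registryvalue", "Key": RUN_KEY, "Name": "OneDrive", "Value": ""},
]

if __name__ == "__main__":
    for entity in dedupe(SAMPLE_ENTITIES):
        print(entity)
```

Run as a script, the four sample entities collapse to three: the first two merge (the None Value and the missing ValueType take the second entity's values), while the third is kept apart because its Value conflicts, not because it is missing. That distinction is what makes the rule safe for evidence: a merge only ever fills gaps, it never overwrites one observed value with another.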
- list_pivot_funcs()
Print list of pivot functions assigned to entity.
- classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)
Add a shortcut to a pivot function to the class.
- Parameters
func_name (str) – The name of source pivot function.
target (str) – The shortcut name (this will be a member function of the class)
overwrite (bool, optional) – Force overwrite an existing pivot function, by default False
- Raises
AttributeError – The source function does not exist
TypeError – The source function is not a pivot function.
TypeError – The target attribute exists and is not a pivot function
AttributeError – The target function exists and ‘overwrite=True’ was not specified.
- merge(other: Any) msticpy.datamodel.entities.entity.Entity
Merge with other entity to create new entity.
- Returns
Merged entity.
- Return type
Entity
- Raises
AttributeError – If the entities cannot be merged.
- property name_str: str
Return Entity Name.
- property node_properties: Dict[str, Any]
Return all public properties that are not entities.
- Returns
Dictionary of name, value properties.
- Return type
Dict[str, Any]
- classmethod pivots() List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- property properties: dict
Return dictionary properties of entity.
- Returns
Entity properties.
- Return type
dict
- to_html() str
Return HTML representation of entity.
- Returns
HTML representation of entity
- Return type
str
- to_json()
Return object as a JSON string.
- to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) networkx.classes.graph.Graph
Return networkx graph of entities.
- Parameters
graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None
- Returns
Graph with entity and any connected entities.
- Return type
nx.Graph
msticpy.datamodel.entities.security_group
SecurityGroup Entity class.
- class msticpy.datamodel.entities.security_group.SecurityGroup(src_entity: Optional[Mapping[str, Any]] = None, **kwargs)
Bases:
msticpy.datamodel.entities.entity.Entity
SecurityGroup Entity class.
- DistinguishedName
SecurityGroup DistinguishedName
- Type
str
- SID
SecurityGroup SID
- Type
str
- ObjectGuid
SecurityGroup ObjectGuid
- Type
str
Create a new instance of the entity type.
- Parameters
src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)
kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.
- ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 
'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
- ID_PROPERTIES: List[str] = ['DistinguishedName', 'SID', 'ObjectGuid']
- JSONEncoder
alias of
msticpy.datamodel.entities.entity._EntityJSONEncoder
- add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)
Add an edge between self and target.
- Parameters
target (Node) – Target node.
edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
- can_merge(other: Any) bool
Return True if the entities can be merged.
- Parameters
other (Any) – The other entity (object) to check
- Returns
True if other has no conflicting properties.
- Return type
bool
- classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) msticpy.datamodel.entities.entity.Entity
Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.
- Returns
Instantiated entity
- Return type
Entity
Notes
The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.
- classmethod del_pivot_shortcut(func_name: str)
Remove a pivot shortcut.
- Parameters
func_name (str) – The name of the shortcut function.
- Raises
AttributeError – The class does not have an attribute func_name
TypeError – The attribute to delete is not a pivot shortcut.
- property description_str
Return Entity Description.
- edges: Set['Edge']
- classmethod get_pivot_list() List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- has_edge(other)
Return True if node has an edge with other.
- classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]
Class factory to return entity from raw dictionary representation.
- Parameters
raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
entity_type (Optional[Type]) – The entity type to create, by default None.
- Returns
The instantiated entity
- Return type
Union[Entity, Mapping[str, Any]]
- is_equivalent(other: Any) bool
Return True if the entities are equivalent.
- Parameters
other (Any) – The entity to check
- Returns
True if equivalent.
- Return type
bool
Notes
This method checks that the compared entities do not have any property values with conflicting values. A property whose value is None or an empty collection on one side does not conflict with a set value on the other. Non-conflicting pairs include:
self.A == other.A
self.B == “xyz” and other.B == None
self.C == [] and other.C == [1, 2, 3]
- list_pivot_funcs()
Print list of pivot functions assigned to entity.
- classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)
Add a shortcut to a pivot function to the class.
- Parameters
func_name (str) – The name of source pivot function.
target (str) – The shortcut name (this will be a member function of the class)
overwrite (bool, optional) – Force overwrite an existing pivot function, by default False
- Raises
AttributeError – The source function does not exist
TypeError – The source function is not a pivot function.
TypeError – The target attribute exists and is not a pivot function
AttributeError – The target function exists and ‘overwrite=True’ was not specified.
- merge(other: Any) msticpy.datamodel.entities.entity.Entity
Merge with other entity to create new entity.
- Returns
Merged entity.
- Return type
Entity
- Raises
AttributeError – If the entities cannot be merged.
- property name_str: str
Return Entity Name.
- property node_properties: Dict[str, Any]
Return all public properties that are not entities.
- Returns
Dictionary of name, value properties.
- Return type
Dict[str, Any]
- classmethod pivots() List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- property properties: dict
Return dictionary properties of entity.
- Returns
Entity properties.
- Return type
dict
- to_html() str
Return HTML representation of entity.
- Returns
HTML representation of entity
- Return type
str
- to_json()
Return object as a JSON string.
- to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) networkx.classes.graph.Graph
Return networkx graph of entities.
- Parameters
graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None
- Returns
Graph with entity and any connected entities.
- Return type
nx.Graph
msticpy.datamodel.entities.threat_intelligence
Threatintelligence Entity class.
- class msticpy.datamodel.entities.threat_intelligence.Threatintelligence(src_entity: Optional[Mapping[str, Any]] = None, **kwargs)
Bases:
msticpy.datamodel.entities.entity.Entity
Threatintelligence Entity class.
- ProviderName
Threatintelligence ProviderName
- Type
str
- ThreatType
Threatintelligence ThreatType
- Type
str
- ThreatName
Threatintelligence ThreatName
- Type
str
- Confidence
Threatintelligence Confidence
- Type
str
- ReportLink
Threatintelligence ReportLink
- Type
str
- ThreatDescription
Threatintelligence ThreatDescription
- Type
str
Create a new instance of the entity type.
- Parameters
src_entity (Mapping[str, Any], optional) – Instantiate the entity using the properties of src_entity. (the default is None)
kwargs (Dict[str, Any]) – Key-value pair representation of the entity properties.
- ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 
'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
- ID_PROPERTIES: List[str] = ['ProviderName', 'ThreatName', 'ReportLink']
- JSONEncoder
alias of
msticpy.datamodel.entities.entity._EntityJSONEncoder
- add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)
Add an edge between self and target.
- Parameters
target (Node) – Target node.
edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
- can_merge(other: Any) bool
Return True if the entities can be merged.
- Parameters
other (Any) – The other entity (object) to check
- Returns
True if other has no conflicting properties.
- Return type
bool
- classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) msticpy.datamodel.entities.entity.Entity
Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.
- Returns
Instantiated entity
- Return type
Entity
Notes
The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.
- classmethod del_pivot_shortcut(func_name: str)
Remove a pivot shortcut.
- Parameters
func_name (str) – The name of the shortcut function.
- Raises
AttributeError – The class does not have an attribute func_name
TypeError – The attribute to delete is not a pivot shortcut.
- property description_str: str
Return Entity Description.
- edges: Set['Edge']
- classmethod get_pivot_list() List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- has_edge(other)
Return True if node has an edge with other.
- classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]
Class factory to return entity from raw dictionary representation.
- Parameters
raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
entity_type (Optional[Type]) – The entity type to create, by default None.
- Returns
The instantiated entity
- Return type
Union[Entity, Mapping[str, Any]]
- is_equivalent(other: Any) bool
Return True if the entities are equivalent.
- Parameters
other (Any) – The entity to check
- Returns
True if equivalent.
- Return type
bool
Notes
This method checks that the compared entities do not have any property values with conflicting values. A property whose value is None or an empty collection on one side does not conflict with a set value on the other. Non-conflicting pairs include:
self.A == other.A
self.B == “xyz” and other.B == None
self.C == [] and other.C == [1, 2, 3]
- list_pivot_funcs()
Print list of pivot functions assigned to entity.
- classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)
Add a shortcut to a pivot function to the class.
- Parameters
func_name (str) – The name of source pivot function.
target (str) – The shortcut name (this will be a member function of the class)
overwrite (bool, optional) – Force overwrite an existing pivot function, by default False
- Raises
AttributeError – The source function does not exist
TypeError – The source function is not a pivot function.
TypeError – The target attribute exists and is not a pivot function
AttributeError – The target function exists and ‘overwrite=True’ was not specified.
- merge(other: Any) msticpy.datamodel.entities.entity.Entity
Merge with other entity to create new entity.
- Returns
Merged entity.
- Return type
Entity
- Raises
AttributeError – If the entities cannot be merged.
- property name_str: str
Return Entity Name.
- property node_properties: Dict[str, Any]
Return all public properties that are not entities.
- Returns
Dictionary of name, value properties.
- Return type
Dict[str, Any]
- classmethod pivots() List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- property properties: dict
Return dictionary properties of entity.
- Returns
Entity properties.
- Return type
dict
- to_html() str
Return HTML representation of entity.
- Returns
HTML representation of entity
- Return type
str
- to_json()
Return object as a JSON string.
- to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) networkx.classes.graph.Graph
Return networkx graph of entities.
- Parameters
graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None
- Returns
Graph with entity and any connected entities.
- Return type
nx.Graph
msticpy.datamodel.entities.unknown_entity
UnknownEntity Entity class.
- class msticpy.datamodel.entities.unknown_entity.UnknownEntity(src_entity: Optional[Mapping[str, Any]] = None, **kwargs)
Bases:
msticpy.datamodel.entities.entity.Entity
Generic Entity class.
Create a new instance of the entity type.
- Parameters
src_entity (Mapping[str, Any], optional) – Instantiate the entity using the properties of src_entity. (the default is None)
kwargs (Dict[str, Any]) – Key-value pair representation of the entity properties.
- ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 
'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
- ID_PROPERTIES: List[str] = []
- JSONEncoder
alias of
msticpy.datamodel.entities.entity._EntityJSONEncoder
- add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)
Add an edge between self and target.
- Parameters
target (Node) – Target node.
edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
- can_merge(other: Any) bool
Return True if the entities can be merged.
- Parameters
other (Any) – The other entity (object) to check
- Returns
True if other has no conflicting properties.
- Return type
bool
- classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) msticpy.datamodel.entities.entity.Entity
Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.
- Returns
Instantiated entity
- Return type
Notes
The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.
- classmethod del_pivot_shortcut(func_name: str)
Remove a pivot shortcut.
- Parameters
func_name (str) – The name of the shortcut function.
- Raises
AttributeError – The class does not have an attribute func_name
TypeError – The attribute to delete is not a pivot shortcut.
- property description_str: str
Return Entity Description.
- edges: Set['Edge']
- classmethod get_pivot_list() List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- has_edge(other)
Return True if node has an edge with other.
- classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]
Class factory to return entity from raw dictionary representation.
- Parameters
raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
entity_type (Optional[Type]) – The entity type to create, by default None.
- Returns
The instantiated entity
- Return type
- is_equivalent(other: Any) bool
Return True if the entities are equivalent.
- Parameters
other (Any) – The entity to check
- Returns
True if equivalent.
- Return type
bool
Notes
This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A; self.B == “xyz” and other.B == None; self.C == [] and other.C == [1, 2, 3]
- list_pivot_funcs()
Print list of pivot functions assigned to entity.
- classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)
Add a shortcut to a pivot function to the class.
- Parameters
func_name (str) – The name of source pivot function.
target (str) – The shortcut name (this will be a member function of the class)
overwrite (bool, optional) – Force overwrite an existing pivot function, by default False
- Raises
AttributeError – The source function does not exist
TypeError – The source function is not a pivot function.
TypeError – The target attribute exists and is not a pivot function
AttributeError – The target function exists and ‘overwrite=True’ was not specified.
- merge(other: Any) msticpy.datamodel.entities.entity.Entity
Merge with other entity to create new entity.
- Returns
Merged entity.
- Return type
- Raises
AttributeError – If the entities cannot be merged.
- property name_str: str
Return Entity Name.
- property node_properties: Dict[str, Any]
Return all public properties that are not entities.
- Returns
Dictionary of name, value properties.
- Return type
Dict[str, Any]
- classmethod pivots() List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- property properties: dict
Return dictionary properties of entity.
- Returns
Entity properties.
- Return type
dict
- to_html() str
Return HTML representation of entity.
- Returns
HTML representation of entity
- Return type
str
- to_json()
Return object as a JSON string.
- to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) networkx.classes.graph.Graph
Return networkx graph of entities.
- Parameters
graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None
- Returns
Graph with entity and any connected entities.
- Return type
nx.Graph
msticpy.datamodel.entities.url
Url Entity class.
- class msticpy.datamodel.entities.url.Url(src_entity: Optional[Mapping[str, Any]] = None, src_event: Optional[Mapping[str, Any]] = None, **kwargs)
Bases:
msticpy.datamodel.entities.entity.Entity
URL Entity.
- Url
The URL
- Type
str
- DetonationVerdict
The verdict of the URL detection
- Type
str
Create a new instance of the entity type.
- Parameters
src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)
src_event (Mapping[str, Any], optional) – Create entity from event properties (the default is None)
kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.
- ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 
'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
- ID_PROPERTIES: List[str] = ['Url']
- JSONEncoder
alias of
msticpy.datamodel.entities.entity._EntityJSONEncoder
- add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)
Add an edge between self and target.
- Parameters
target (Node) – Target node.
edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
- can_merge(other: Any) bool
Return True if the entities can be merged.
- Parameters
other (Any) – The other entity (object) to check
- Returns
True if other has no conflicting properties.
- Return type
bool
- classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) msticpy.datamodel.entities.entity.Entity
Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.
- Returns
Instantiated entity
- Return type
Notes
The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.
- classmethod del_pivot_shortcut(func_name: str)
Remove a pivot shortcut.
- Parameters
func_name (str) – The name of the shortcut function.
- Raises
AttributeError – The class does not have an attribute func_name
TypeError – The attribute to delete is not a pivot shortcut.
- property description_str: str
Return Entity Description.
- edges: Set['Edge']
- classmethod get_pivot_list() List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- has_edge(other)
Return True if node has an edge with other.
- classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]
Class factory to return entity from raw dictionary representation.
- Parameters
raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
entity_type (Optional[Type]) – The entity type to create, by default None.
- Returns
The instantiated entity
- Return type
- is_equivalent(other: Any) bool
Return True if the entities are equivalent.
- Parameters
other (Any) – The entity to check
- Returns
True if equivalent.
- Return type
bool
Notes
This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A; self.B == “xyz” and other.B == None; self.C == [] and other.C == [1, 2, 3]
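The conflict rule that the is_equivalent, can_merge and merge entries above describe (for this and the preceding entity class), reimplemented here as an added, self-contained example; this is not msticpy's own code, and the names EntityLike-style dicts, has_conflict, is_equivalent and merge, plus the sample entities, are assumptions constructed for the illustration. Only Url and DetonationVerdict are property names taken from the page.

```python
# Added example (not msticpy's own code): a small re-implementation of the
# property-conflict rule described in the is_equivalent / can_merge / merge
# notes, runnable on constructed Url-like entities (plain dicts stand in
# for entity objects). Function names here are assumptions for illustration.
from typing import Any, Dict, Optional


def _is_unset(value: Any) -> bool:
    """Treat None and empty strings/containers as 'no value'.

    This is what makes self.B == "xyz" vs other.B == None, and
    self.C == [] vs other.C == [1, 2, 3], non-conflicting per the notes.
    """
    return value is None or (hasattr(value, "__len__") and len(value) == 0)


def has_conflict(left: Dict[str, Any], right: Dict[str, Any]) -> Optional[str]:
    """Return the first property name whose values conflict, or None.

    Two values conflict only when both are set and differ. A value set on
    one side and unset on the other is fine: that is exactly the case of
    the same indicator seen by two sources with different enrichment.
    """
    for key in sorted(set(left) | set(right)):
        l_val, r_val = left.get(key), right.get(key)
        if _is_unset(l_val) or _is_unset(r_val):
            continue
        if l_val != r_val:
            return key
    return None


def is_equivalent(left: Dict[str, Any], right: Dict[str, Any]) -> bool:
    """Mirror of the documented is_equivalent()/can_merge() semantics."""
    return has_conflict(left, right) is None


def merge(left: Dict[str, Any], right: Dict[str, Any]) -> Dict[str, Any]:
    """Combine two entities, keeping every set value; raise on conflict.

    Raising AttributeError follows the documented behaviour of merge().
    """
    conflict = has_conflict(left, right)
    if conflict is not None:
        raise AttributeError(f"Cannot merge entities: property {conflict!r} conflicts")
    merged: Dict[str, Any] = {}
    for key in set(left) | set(right):
        l_val, r_val = left.get(key), right.get(key)
        # Prefer whichever side actually carries a value.
        merged[key] = r_val if _is_unset(l_val) else l_val
    return merged


# Constructed sample entities: the same URL as seen in an alert (no verdict
# yet) and after a detonation (verdict filled in), plus one that disagrees.
URL_FROM_ALERT = {"Type": "url", "Url": "http://example.test/p", "DetonationVerdict": None}
URL_FROM_SANDBOX = {"Type": "url", "Url": "http://example.test/p", "DetonationVerdict": "Malicious"}
URL_CONFLICTING = {"Type": "url", "Url": "http://example.test/p", "DetonationVerdict": "Benign"}

if __name__ == "__main__":
    print(is_equivalent(URL_FROM_ALERT, URL_FROM_SANDBOX))   # True
    print(merge(URL_FROM_ALERT, URL_FROM_SANDBOX))            # verdict carried over
    print(has_conflict(URL_FROM_SANDBOX, URL_CONFLICTING))    # 'DetonationVerdict'
```

When triaging, the merge result is the entity to enrich further; a conflict on a property such as DetonationVerdict is worth surfacing to the analyst rather than silently overwriting.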
- list_pivot_funcs()
Print list of pivot functions assigned to entity.
- classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)
Add a shortcut to a pivot function to the class.
- Parameters
func_name (str) – The name of source pivot function.
target (str) – The shortcut name (this will be a member function of the class)
overwrite (bool, optional) – Force overwrite an existing pivot function, by default False
- Raises
AttributeError – The source function does not exist
TypeError – The source function is not a pivot function.
TypeError – The target attribute exists and is not a pivot function
AttributeError – The target function exists and ‘overwrite=True’ was not specified.
- merge(other: Any) msticpy.datamodel.entities.entity.Entity
Merge with other entity to create new entity.
- Returns
Merged entity.
- Return type
- Raises
AttributeError – If the entities cannot be merged.
- property name_str: str
Return Entity Name.
- property node_properties: Dict[str, Any]
Return all public properties that are not entities.
- Returns
Dictionary of name, value properties.
- Return type
Dict[str, Any]
- classmethod pivots() List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- property properties: dict
Return dictionary properties of entity.
- Returns
Entity properties.
- Return type
dict
- to_html() str
Return HTML representation of entity.
- Returns
HTML representation of entity
- Return type
str
- to_json()
Return object as a JSON string.
- to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) networkx.classes.graph.Graph
Return networkx graph of entities.
- Parameters
graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None
- Returns
Graph with entity and any connected entities.
- Return type
nx.Graph
msticpy.datamodel.pivot
Pivot functions main module.
- class msticpy.datamodel.pivot.Pivot(namespace: Optional[Dict[str, Any]] = None, providers: Optional[Iterable[Any]] = None, timespan: Optional[msticpy.common.timespan.TimeSpan] = None)
Bases:
object
Pivot environment loader.
Instantiate a Pivot environment.
- Parameters
namespace (Dict[str, Any], optional) – To search for and use any current providers, specify namespace=globals(), by default None
providers (Iterable[Any], optional) – A list of query providers, TILookup or other providers to use (these will override providers of the same type read from namespace), by default None
timespan (Optional[TimeSpan], optional) – The default timespan used by providers that require start and end times. By default the time range is initialized to be 24 hours prior to the load time.
- static add_pivot_function(func: Callable[[Any], Any], pivot_reg: Optional[msticpy.datamodel.pivot_register.PivotRegistration] = None, container: Optional[str] = None, **kwargs)
Add a pivot function to entities.
- Parameters
func (Callable[[Any], Any]) – The function to add
pivot_reg (PivotRegistration, optional) – Pivot registration object, by default None
container (str, optional) – The name of the container into which the function should be added, by default “other”
kwargs – If pivot_reg is not supplied you can specify required pivot registration parameters via keyword arguments. You must specify input_type (str) and entity_map (dict of entity_name, entity_attribute pairs)
See also
PivotRegistration
- add_query_provider(prov: msticpy.data.data_providers.QueryProvider)
Add pivot functions from provider.
- Parameters
prov (QueryProvider) – Query provider.
- static browse()
Return PivotBrowser.
- current: Optional[msticpy.datamodel.pivot.Pivot] = None
- edit_query_time(timespan: Optional[msticpy.common.timespan.TimeSpan] = None)
Display a QueryTime widget to get the timespan.
- Parameters
timespan (Optional[TimeSpan], optional) – Pre-populate the timespan shown by the QueryTime editor, by default None
- property end
Return current end time for queries.
- get_provider(name: str) Any
Get a provider by type name.
- Parameters
name (str) – The name of the provider type.
- Returns
An instance of the provider or None if the Pivot environment does not have one.
- Return type
Any
- get_timespan() msticpy.common.timespan.TimeSpan
Return the timespan as a TimeSpan object.
- property providers: Dict[str, Any]
Return the current set of loaded providers.
- Returns
provider_name, provider_instance
- Return type
Dict[str, Any]
- static register_pivot_providers(pivot_reg_path: str, namespace: Optional[Dict[str, Any]] = None, def_container: str = 'custom', force_container: bool = False)
Register pivot functions from configuration file.
- Parameters
pivot_reg_path (str) – Path to config yaml file
namespace (Dict[str, Any], optional) – Namespace to search for existing instances of classes, by default None
def_container (str, optional) – Container name to use for entity pivot functions, by default “other”
force_container (bool, optional) – Force container value to be used even if entity definitions have specific setting for a container name, by default False
- Raises
ValueError – An entity specified in the config file is not recognized.
- reload_pivots(namespace: Optional[Dict[str, Any]] = None, providers: Optional[Iterable[Any]] = None, clear_existing: bool = True)
Load or reload Pivot functions from environment and/or providers list.
- Parameters
namespace (Dict[str, Any], optional) – To search for and use any current providers, specify namespace=globals(), by default None
providers (Iterable[Any], optional) – A list of query providers, TILookup or other providers to use (these will override providers of the same type read from namespace), by default None
clear_existing (bool) – Reloads pivot functions without clearing existing pivot assignments. Any pivot functions with conflicting names will be overwritten by the reload operation. The default is True.
- static remove_pivot_funcs(entity: str)
Remove pivot functions from one or all entities.
- Parameters
entity (str) – entity class name or “all” to remove all pivot functions.
- Raises
ValueError – If entity is not a recognized entity class.
- set_timespan(value: Optional[Any] = None, **kwargs)
Set the pivot timespan.
- Parameters
value (Optional[Any], optional) – Timespan object or something convertible to a TimeSpan, by default None
kwargs – Key/value arguments passed to Timespan constructor.
- property start
Return current start time for queries.
- property timespan: msticpy.common.timespan.TimeSpan
Return the current timespan.
- Returns
The current timespan
- Return type
msticpy.datamodel.pivot_data_queries
Pivot query functions class.
- class msticpy.datamodel.pivot_data_queries.ParamAttrs(type, query, family, required)
Bases:
tuple
Create new instance of ParamAttrs(type, query, family, required)
- count(value, /)
Return number of occurrences of value.
- property family
Alias for field number 2
- index(value, start=0, stop=9223372036854775807, /)
Return first index of value.
Raises ValueError if the value is not present.
- property query
Alias for field number 1
- property required
Alias for field number 3
- property type
Alias for field number 0
- class msticpy.datamodel.pivot_data_queries.PivQuerySettings(short_name, direct_func_entities, assigned_entities)
Bases:
tuple
Create new instance of PivQuerySettings(short_name, direct_func_entities, assigned_entities)
- property assigned_entities
Alias for field number 2
- count(value, /)
Return number of occurrences of value.
- property direct_func_entities
Alias for field number 1
- index(value, start=0, stop=9223372036854775807, /)
Return first index of value.
Raises ValueError if the value is not present.
- property short_name
Alias for field number 0
- class msticpy.datamodel.pivot_data_queries.PivotQueryFunctions(query_provider: msticpy.data.data_providers.QueryProvider, ignore_reqd: Optional[List[str]] = None)
Bases:
object
Class to retrieve the queries and params from a provider.
Instantiate PivotQueryFunctions class.
- Parameters
query_provider ([type]) – The query provider to load
ignore_reqd (List[str], optional) – List of parameters to ignore when building the required parameters list (e.g. [‘start’, ‘end’]), by default None
- current = None
- get_param_attrs(param_name: str) List[msticpy.datamodel.pivot_data_queries.ParamAttrs]
Get the attributes for a parameter name.
- Parameters
param_name (str) – Parameter name
- Returns
List of ParamAttrs named tuples: (type, query, family, required)
- Return type
List[ParamAttrs]
Notes
Since parameters may be defined for multiple queries, the set of parameter attributes will be returned for each query.
- get_params(query_func_name: str) Optional[msticpy.datamodel.pivot_data_queries.QueryParams]
Get the parameters for a query function.
- Parameters
query_func_name (str) – Query name - the name must be fully-qualified (e.g. ‘WindowsSecurity.list_processes’)
- Returns
QueryParams named tuple (all, required, full_required, param_attrs, table)
- Return type
- get_queries_and_types_for_param(param: str) Iterable[Tuple[str, str, str, Callable[[Any], Any]]]
Get queries and parameter data types for param.
- Parameters
param (str) – The parameter name.
- Returns
Iterable of tuples listing: query_name, param_type, query_func
- Return type
Iterable[Tuple[str, str, Callable[[Any], Any]]]
- get_queries_for_param(param: str) Iterable[Tuple[str, str, Callable[[Any], Any]]]
Get the list of queries for a parameter.
- Parameters
param (str) – Parameter name
- Returns
Iterable of tuples listing: query_name, query_func
- Return type
Iterable[Tuple[str, str, Callable[[Any], Any]]]
- get_query_pivot_settings(family: str, query: str) msticpy.datamodel.pivot_data_queries.PivQuerySettings
Get Pivot settings metadata for a query.
- Parameters
family (str) – Data family
query (str) – Query name
- Returns
Named tuple:
short_name - short name for the query
direct_func_entities - the entities to add a top level function to
assigned_entities - entities to assign the query to (if parameter mapping is not applicable).
- Return type
- get_query_settings(family: str, query: str) msticpy.data.query_source.QuerySource
Get the QuerySource for the named family and query.
- Parameters
family (str) – Data family name
query (str) – Query name
- Returns
Query settings object
- Return type
- Raises
KeyError – If `family.query` could not be found.
- class msticpy.datamodel.pivot_data_queries.QueryParams(all, required, full_required, param_attrs, table)
Bases:
tuple
Create new instance of QueryParams(all, required, full_required, param_attrs, table)
- property all
Alias for field number 0
- count(value, /)
Return number of occurrences of value.
- property full_required
Alias for field number 2
- index(value, start=0, stop=9223372036854775807, /)
Return first index of value.
Raises ValueError if the value is not present.
- property param_attrs
Alias for field number 3
- property required
Alias for field number 1
- property table
Alias for field number 4
- msticpy.datamodel.pivot_data_queries.add_data_queries_to_entities(provider: msticpy.data.data_providers.QueryProvider, get_timespan: Callable[[], msticpy.common.timespan.TimeSpan])
Add data queries from provider to entities.
- Parameters
provider (QueryProvider) – Query provider
get_timespan (Callable[[], TimeSpan]) – Callback to get time span
- msticpy.datamodel.pivot_data_queries.add_queries_to_entities(prov_qry_funcs: msticpy.datamodel.pivot_data_queries.PivotQueryFunctions, container: str, get_timespan: Callable[[], msticpy.common.timespan.TimeSpan])
Add data queries to entities.
- Parameters
prov_qry_funcs (PivotQueryFunctions) – Collection of wrapped query functions
container (str) – The name of the container to add query functions to
get_timespan (Callable[[], TimeSpan]) – Function to get the current timespan.
msticpy.datamodel.pivot_magic_core
Txt2df core code.
- msticpy.datamodel.pivot_magic_core.run_txt2df(line, cell, local_ns) pandas.core.frame.DataFrame
Convert cell text to pandas DataFrame.
msticpy.datamodel.pivot_register
Pivot helper functions.
- class msticpy.datamodel.pivot_register.PivotRegistration(input_type: str, entity_map: Dict[str, str], func_df_param_name: Optional[str] = None, func_out_column_name: Optional[str] = None, func_df_col_param_name: Optional[str] = None, func_new_name: Optional[str] = None, src_module: Optional[str] = None, src_class: Optional[str] = None, src_func_name: Optional[str] = None, can_iterate: bool = True, func_static_params: Optional[Dict[str, Any]] = None, func_input_value_arg: Optional[str] = None, src_config_path: Optional[str] = None, src_config_entry: Optional[str] = None, entity_container_name: Optional[str] = None, return_raw_output: bool = False, create_shortcut: bool = False)
Bases:
object
Pivot registration for function.
Notes
- src_module: str
The src_module to import
- src_class: str, optional
class to import and instantiate that contains the function/method (not needed if the target function is a pure Python function)
- src_func_name: Callable
The function to wrap.
- func_new_name: str, optional
Rename the function to this, defaults to src_func_name
- input_type: str
The input data type that the function is expecting. One of ‘dataframe’, ‘iterable’, ‘value’
- can_iterate: bool, optional
True if the function supports being called multiple times (for iterable input). Default is True
- entity_map: Dict[str, str]
dict of entities supported (keys) and attribute to use from entity as input to the function
- func_df_param_name: str
The name of the parameter that func takes the input value e.g. func(ip=my_address) => ‘ip’ == func_df_col_param_name. In the case of a DataFrame, this is usually ‘data’
- func_df_col_param_name: str
The name that the target function uses to identify the column to use for input in the input DataFrame.
- func_out_column_name: str, optional
The name of the column in the output DF to use as a key to join to the input. If None, use func_df_col_param_name
- func_static_params: Optional[Dict[str, Any]]
static parameters (kwargs) that are always passed to the target function
- func_input_value_arg: Optional[str]
The name of kwarg passed to the function that contain the input value. If function supports DF input, func_df_col_param_name will be used and this is not needed.
- src_config_path: Optional[str]
The source path that the configuration was read from, default None.
- src_config_entry: Optional[str]
The entry name in the configuration file, default None.
- entity_container_name: Optional[str]
The name of the container in the entity that will hold this pivot function.
- return_raw_output: bool
Return raw output from the wrapped function, do not try to format into a DataFrame. Default is False.
- create_shortcut: bool
If True, create a shortcut function directly on the entity.
Method generated by attrs for class PivotRegistration.
- attr_for_entity(entity: Union[msticpy.datamodel.entities.entity.Entity, str]) Optional[str]
Return the attribute to use for the specified entity.
- Parameters
entity (Union[entities.Entity, str]) – Entity instance or name
- Returns
Attribute name to use.
- Return type
Optional[str]
- can_iterate: bool
- create_shortcut: bool
- entity_container_name: Optional[str]
- entity_map: Dict[str, str]
- func_df_col_param_name: Optional[str]
- func_df_param_name: Optional[str]
- func_input_value_arg: Optional[str]
- func_new_name: Optional[str]
- func_out_column_name: Optional[str]
- func_static_params: Optional[Dict[str, Any]]
- input_type: str
- return_raw_output: bool
- src_class: Optional[str]
- src_config_entry: Optional[str]
- src_config_path: Optional[str]
- src_func_name: Optional[str]
- src_module: Optional[str]
- msticpy.datamodel.pivot_register.create_pivot_func(target_func: Callable[[Any], Any], pivot_reg: msticpy.datamodel.pivot_register.PivotRegistration) Callable[[...], pandas.core.frame.DataFrame]
Create function wrapper for pivot function.
- Parameters
target_func (Callable) – The target function to wrap.
pivot_reg (PivotRegistration) – The pivot function registration object.
- Returns
The original target_func wrapped in pre-processing and post-processing code.
- Return type
Callable[[Any], pd.DataFrame]
- msticpy.datamodel.pivot_register.get_join_params(func_kwargs: Dict[str, Any]) Tuple[Optional[str], Optional[str], Optional[str], bool]
Get join parameters from kwargs.
- Parameters
func_kwargs (Dict[str, Any]) – Keyword arguments from caller
- Returns
join_type, left_on, right_on, join_ignore_case
- Return type
Tuple[str, str, str, bool]
- msticpy.datamodel.pivot_register.join_result(input_df: pandas.core.frame.DataFrame, result_df: pandas.core.frame.DataFrame, how: str, left_on: str, right_on: str, ignore_case: bool) pandas.core.frame.DataFrame
Join input and result DFs, optionally ignoring case.
- Parameters
input_df (pd.DataFrame) – Input DF
result_df (pd.DataFrame) – Result DF
how (str) – Join type - “inner”, “left”, “right”, “outer”
left_on (str) – Column from input_df to use as join key
right_on (str) – Column from result_df to use as join key
ignore_case (bool) – If True and input_df column is a string
- Returns
The merged DataFrame
- Return type
pd.DataFrame
msticpy.datamodel.pivot_register_reader
Reads pivot registration config files.
- msticpy.datamodel.pivot_register_reader.add_unbound_pivot_function(func: Callable[[Any], Any], pivot_reg: Optional[msticpy.datamodel.pivot_register.PivotRegistration] = None, container: str = 'other', **kwargs)
Add a pivot function to entities.
- Parameters
func (Callable[[Any], Any]) – The function to add
pivot_reg (PivotRegistration, optional) – Pivot registration object, by default None
container (str, optional) – The name of the container into which the function should be added, by default “other”
kwargs – If pivot_reg is not supplied you can specify required pivot registration parameters via keyword arguments. You must specify input_type (str) and entity_map (dict of entity_name, entity_attribute pairs)
See also
PivotRegistration
- msticpy.datamodel.pivot_register_reader.register_pivots(file_path: str, namespace: Optional[Dict[str, Any]] = None, container: str = 'other', force_container: bool = False, **kwargs)
Register pivot functions from configuration file.
- Parameters
file_path (str) – Path to config yaml file
namespace (Dict[str, Any], optional) – Namespace to search for existing instances of classes, by default None
container (str, optional) – Container name to use for entity pivot functions, by default “other”
force_container (bool, optional) – Force container value to be used even if entity definitions have specific setting for a container name, by default False
- Raises
ValueError – An entity specified in the config file is not recognized.
msticpy.datamodel.pivot_ti_provider
Pivot TI Provider helper functions.
- msticpy.datamodel.pivot_ti_provider.add_ioc_queries_to_entities(ti_lookup: msticpy.sectools.tilookup.TILookup, container: str = 'ti', **kwargs)
Add TI functions to entities.
- Parameters
ti_lookup (TILookup) – TILookup instance.
container (str) – The name of the container to add query functions to
- msticpy.datamodel.pivot_ti_provider.create_ti_pivot_funcs(ti_lookup: msticpy.sectools.tilookup.TILookup)
Create the TI Pivot functions.
- msticpy.datamodel.pivot_ti_provider.register_ti_pivot_providers(ti_lookup: msticpy.sectools.tilookup.TILookup, pivot: Pivot)
Register pivot functions from TI providers.
msticpy.datamodel.pivot_pd_accessor
Pandas DataFrame accessor for Pivot functions.
- class msticpy.datamodel.pivot_pd_accessor.PivotAccessor(pandas_obj)
Bases:
object
Pandas api extension for Pivot functions.
Instantiate pivot extension class.
- display(title: Optional[str] = None, cols: Optional[Iterable[str]] = None, query: Optional[str] = None, head: Optional[int] = None) pandas.core.frame.DataFrame
Display the DataFrame in the middle of a pipeline.
- Parameters
title (str, optional) – Title to display for the DataFrame, by default None
cols (Iterable[str], optional) – List of columns to display, by default None
query (str, optional) – Query to filter the displayed data, by default None. This should be a string executable by the DataFrame.query function
head (int, optional) – Limit the displayed output to head rows, by default None
- Returns
Passed through input DataFrame.
- Return type
pd.DataFrame
- filter(expr: Union[str, numbers.Number], match_case: bool = False, numeric_col: bool = False) pandas.core.frame.DataFrame
Filter all columns of DataFrame, return rows with any matches.
- Parameters
expr (Union[str, Number]) – String or regular expression to match or a (partial) number. If expr is a string it is matched against any string or object columns using pandas str.contains(..., regex=True). If expr is a number or if numeric_col is True, expr is converted to a string and matched as a substring of any numeric columns.
match_case (bool, optional) – The match is not case-sensitive by default. Set to True to force case-sensitive matches.
numeric_col (bool, optional) – If expr is a numeric string or number this will force a match against only numeric columns, by default False
- Returns
The filtered dataframe
- Return type
pd.DataFrame
- Raises
TypeError – If expr is neither a string nor a number.
- filter_cols(cols: Union[str, Iterable[str]], match_case: bool = False, sort_cols: bool = False) pandas.core.frame.DataFrame
Filter output columns matching names in cols expression(s).
- Parameters
cols (Union[str, Iterable[str]]) – Either a string or a list of strings with filter expressions. These can be exact matches for column names, wildcard patterns (“*” matches multiple chars and “?” matches a single char), or regular expressions.
match_case (bool, optional) – Use case-sensitive matching, by default False
sort_cols (bool, optional) – Alphabetically sort column names, by default False
- Returns
The input DataFrame with only columns that match the filtering expressions.
- Return type
pd.DataFrame
- list_to_rows(cols: Union[str, Iterable[str]]) pandas.core.frame.DataFrame
Expand a list column to individual rows.
- Parameters
cols (Union[str, Iterable[str]]) – The columns to be expanded.
- Returns
The expanded DataFrame
- Return type
pd.DataFrame
- parse_json(cols: Union[str, Iterable[str]]) pandas.core.frame.DataFrame
Convert JSON string columns to Python types.
- Parameters
cols (Union[str, Iterable[str]]) – Column or iterable of columns to process
- Returns
Processed dataframe
- Return type
pd.DataFrame
- run(func: Callable[[...], pandas.core.frame.DataFrame], **kwargs) pandas.core.frame.DataFrame
Run a pivot function on the current DataFrame.
- Parameters
func (Callable[..., pd.DataFrame]) – Pivot function to run
kwargs – Keyword arguments to pass to func. A column specification (e.g. column=”src_col_name”) is usually the minimum needed. For data queries the column keyword must be the name of the query parameter (e.g. host_name=”src_col_name”)
- Returns
The output DataFrame from the function.
- Return type
pd.DataFrame
Notes
You can pass the join keyword argument to most pivot functions. Values for join are “inner”, “left”, “right” or “outer”.
- sort(cols: Union[str, Iterable[str], Dict[str, str]], ascending: Optional[bool] = None) pandas.core.frame.DataFrame
Sort output by column expression.
- Parameters
cols (Union[str, Iterable[str], Dict[str, str]]) – If this is a string, then this should be a column name expression. A column name expression is either a column name, a case-insensitive column name or a regular expression to match one or more column names. Each column name expression can be of the format col_name_expr:desc to sort descending (col_name_expr:asc is the default). The col_name can also be a regular expression or partial column name. If this is a list, then each element should be a column name expression with an optional ‘:asc’ or ‘:desc’ suffix. If this is a dict, then the keys should be column name expressions and the values bools indicating ‘ascending’ (True) or ‘descending’ (False) sort.
ascending (bool, optional) – Overrides any ordering specified for individual columns and sorts ‘ascending’ if True or ‘descending’ if False. If not supplied and no column-specific ordering is supplied it sorts ascending.
- Returns
The sorted DataFrame
- Return type
pd.DataFrame
- Raises
ValueError – One or more column expressions matched no column name in the input.
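The column-name expressions used by filter_cols and sort above (exact name, case-insensitive name, “*”/“?” wildcard, regular expression, and the “:asc”/“:desc” suffix) are easy to get wrong when an analyst pipes a query result through several pivots, so the following is an added, stand-alone illustration of how such expressions can be resolved against a column list. It is not msticpy’s own code: the precedence between wildcard and regex matching, the treatment of partial names in sort specs, and the SAMPLE_COLUMNS value are this example’s assumptions.

```python
"""Column-name expression resolution in the style described for
PivotAccessor.filter_cols and PivotAccessor.sort.

Added illustration only: not msticpy's code. The matching rules (how a
wildcard is distinguished from a regex, how partial names are treated in
sort specifications) are this example's own assumptions.
"""
import fnmatch
import re
from typing import Dict, Iterable, List, Optional, Tuple, Union


def expr_matches(expr: str, col_name: str, match_case: bool = False,
                 partial: bool = False) -> bool:
    """Return True if one column-name expression matches col_name.

    Assumed order of checks: exact name, then shell-style wildcard if the
    expression contains "*" or "?", then regular expression. With
    partial=True the regex may match anywhere in the name (re.search);
    otherwise it must cover the whole name (re.fullmatch).
    """
    if match_case:
        if expr == col_name:
            return True
    elif expr.lower() == col_name.lower():
        return True
    if "*" in expr or "?" in expr:
        # Wildcard branch: any "*" or "?" is taken as a glob character, so
        # regex quantifiers in an expression must be written as .+ or {n,}.
        if match_case:
            return fnmatch.fnmatchcase(col_name, expr)
        return fnmatch.fnmatchcase(col_name.lower(), expr.lower())
    flags = 0 if match_case else re.IGNORECASE
    try:
        matcher = re.search if partial else re.fullmatch
        return matcher(expr, col_name, flags) is not None
    except re.error:
        # Not a valid regex: treat as a plain name, which already failed above.
        return False


def filter_cols(columns: Iterable[str], cols: Union[str, Iterable[str]],
                match_case: bool = False, sort_cols: bool = False) -> List[str]:
    """Return the column names that match any expression in cols."""
    exprs = [cols] if isinstance(cols, str) else list(cols)
    matched = [
        col for col in columns
        if any(expr_matches(expr, col, match_case) for expr in exprs)
    ]
    return sorted(matched) if sort_cols else matched


def parse_sort_spec(
    columns: Iterable[str],
    cols: Union[str, Iterable[str], Dict[str, bool]],
    ascending: Optional[bool] = None,
) -> List[Tuple[str, bool]]:
    """Resolve a sort specification into (column, ascending) pairs.

    Accepts a single "expr[:asc|:desc]" string, a list of such strings, or
    a dict of {expr: ascending_bool}. A global ascending value overrides the
    per-column ordering. Raises ValueError if an expression matches nothing.
    """
    if isinstance(cols, dict):
        specs = [(expr, bool(asc)) for expr, asc in cols.items()]
    else:
        specs = []
        for item in ([cols] if isinstance(cols, str) else cols):
            expr, sep, order = item.rpartition(":")
            if sep and order.lower() in ("asc", "desc"):
                specs.append((expr, order.lower() == "asc"))
            else:
                specs.append((item, True))  # default order is ascending
    columns = list(columns)
    resolved: List[Tuple[str, bool]] = []
    for expr, asc in specs:
        matches = [c for c in columns if expr_matches(expr, c, partial=True)]
        if not matches:
            raise ValueError(f"Column expression {expr!r} matched no column name")
        for col in matches:
            resolved.append((col, asc if ascending is None else ascending))
    return resolved


# Constructed sample column set, like a log query result might carry (not real data).
SAMPLE_COLUMNS = ["TimeGenerated", "Computer", "Account", "SourceIP", "DestIP", "EventID"]

if __name__ == "__main__":
    print(filter_cols(SAMPLE_COLUMNS, "*IP"))
    print(parse_sort_spec(SAMPLE_COLUMNS, ["computer", "*IP:desc"]))
```

The point to take from it is the ambiguity between glob and regex syntax: an expression such as “Event.*” is a wildcard pattern here and will not match “EventID”, whereas “Event.+” does, and a case-sensitive match (match_case=True) silently yields no columns when only the casing differs, which is a frequent cause of empty pivot output.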
- tee(var_name: str, clobber: bool = False) pandas.core.frame.DataFrame
Save current dataframe to var_name in the IPython user namespace.
- Parameters
var_name (str) – The name of the DF variable to create.
clobber (bool, optional) – Whether to overwrite an existing variable of the same name, by default False
- Returns
Passed through input DataFrame.
- Return type
pd.DataFrame
Notes
This function only works in an IPython/Jupyter notebook environment. It will attempt to create a variable in the user local namespace that references the current state of the DataFrame in the pipeline.
By default it will not overwrite an existing variable of the same name (specify clobber=True to overwrite).
- tee_exec(df_func: str, *args, **kwargs) pandas.core.frame.DataFrame
Run a dataframe method on the dataframe without changing it.
- Parameters
df_func (str) – The name of the function to execute. Accessor methods must be of the form “accessor.method”.
args (tuple) – Positional arguments to be passed to the function
kwargs (dict) – Keyword arguments to be passed to the function.
- Returns
Passed through input DataFrame.
- Return type
pd.DataFrame
Notes
This function runs the DataFrame method or accessor function. It does not alter the DataFrame (unless the function does any kind of in-place modification). The function is run and the original input DataFrame is returned.