msticpy.datamodel package

msticpy.datamodel.entities module

msticpy.datamodel.entities.account

Account Entity class.

class msticpy.datamodel.entities.account.Account(src_entity: Optional[Mapping[str, Any]] = None, src_event: Optional[Mapping[str, Any]] = None, role: str = 'subject', **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

Account Entity class.

Name

Account Name

Type

str

NTDomain

Account NTDomain

Type

str

UPNSuffix

Account UPNSuffix

Type

str

Host

Account Host

Type

Host

LogonId

Account LogonId (deprecated)

Type

str

Sid

Account Sid

Type

str

AadTenantId

Account AadTenantId

Type

str

AadUserId

Account AadUserId

Type

str

PUID

Account PUID

Type

str

IsDomainJoined

Account IsDomainJoined

Type

bool

DisplayName

Account DisplayName

Type

str

ObjectGuid

The object ID of the user account

Type

str

Create a new instance of the entity type.

Parameters
  • src_entity (Mapping[str, Any], optional) – Create entity from existing Account entity or other mapping object that implements entity properties. (the default is None)

  • src_event (Mapping[str, Any], optional) – Create entity from event properties (the default is None)

  • role (str, optional) – ‘subject’ or ‘target’ - only relevant if the entity is being constructed from an event. (the default is ‘subject’)

  • kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.

ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
ID_PROPERTIES: List[str] = ['QualifiedName', 'Sid', 'AadUserId', 'PUID', 'ObjectGuid']
JSONEncoder

alias of msticpy.datamodel.entities.entity._EntityJSONEncoder

add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters
  • target (Node) – Target node.

  • edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None

can_merge(other: Any) bool

Return True if the entities can be merged.

Parameters

other (Any) – The other entity (object) to check

Returns

True if other has no conflicting properties.

Return type

bool

classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns

Instantiated entity

Return type

Entity

Notes

The entity type should be specified as “Type”, either as a key of src_entity or as a keyword argument.

classmethod del_pivot_shortcut(func_name: str)

Remove a pivot shortcut.

Parameters

func_name (str) – The name of the shortcut function.

Raises
  • AttributeError – The class does not have an attribute func_name

  • TypeError – The attribute to delete is not a pivot shortcut.

property description_str: str

Return Entity Description.

classmethod get_pivot_list() List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

has_edge(other)

Return True if node has an edge with other.

classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters
  • raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.

  • entity_type (Optional[Type]) – The entity type to create, by default None.

Returns

The instantiated entity

Return type

Entity

is_equivalent(other: Any) bool

Return True if the entities are equivalent.

Parameters

other (Any) – The entity to check

Returns

True if equivalent.

Return type

bool

Notes

This method checks that the compared entities do not have any properties whose values conflict. Two values do not conflict when they are equal, or when one side is unset (None) or empty, so all of the following count as equivalent:

self.A == other.A
self.B == “xyz” and other.B == None
self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)

Add a shortcut to a pivot function to the class.

Parameters
  • func_name (str) – The name of source pivot function.

  • target (str) – The shortcut name (this will be a member function of the class)

  • overwrite (bool, optional) – Force overwrite an existing pivot function, by default False

Raises
  • AttributeError – The source function does not exist

  • TypeError – The source function is not a pivot function.

  • TypeError – The target attribute exists and is not a pivot function

  • AttributeError – The target function exists and ‘overwrite=True’ was not specified.

merge(other: Any) msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns

Merged entity.

Return type

Entity

Raises

AttributeError – If the entities cannot be merged.

property name_str: str

Return Entity Name.

property node_properties: Dict[str, Any]

Return all public properties that are not entities.

Returns

Dictionary of name, value properties.

Return type

Dict[str, Any]

classmethod pivots() List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

property properties: dict

Return dictionary properties of entity.

Returns

Entity properties.

Return type

dict

property qualified_name: str

Windows qualified account name.
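The equivalence, merge and qualified_name rules documented above, as an added example that is not msticpy's own code: a stand-alone Account-like class that applies the same conflict rule (values are compatible when equal, or when one side is unset or empty) so it runs without msticpy installed. The event field names read for role='subject' and role='target' (SubjectUserName, TargetUserSid, and so on) follow the Windows Security event schema; that msticpy maps exactly these names, that it treats empty strings like None, and the order in which qualified_name prefers NTDomain, then UPNSuffix, then Host are assumptions of this example. The logon row and the Azure AD sign-in are constructed. With msticpy itself the equivalent calls are Account(src_event=row, role='target'), acct.can_merge(other), acct.merge(other) and acct.qualified_name.

```python
"""Stand-alone model of the Account equivalence/merge rules (not msticpy code)."""
from typing import Any, Dict

# Identity properties listed for Account on this page.
ID_PROPERTIES = ["QualifiedName", "Sid", "AadUserId", "PUID", "ObjectGuid"]


def _unset(value: Any) -> bool:
    """None and empty strings/containers count as 'no value' and never conflict
    (assumption, based on the None and [] cases in the is_equivalent notes)."""
    return value is None or value in ("", [], {})


class Account:
    """Properties live in a dict, like the mapping-style entity described above."""

    def __init__(self, **props: Any) -> None:
        self.props: Dict[str, Any] = {k: v for k, v in props.items() if not _unset(v)}

    @property
    def qualified_name(self) -> str:
        """DOMAIN\\name if NTDomain is set, else name@UPNSuffix, else HOST\\name, else name."""
        name = self.props.get("Name")
        if _unset(name):
            return ""
        if not _unset(self.props.get("NTDomain")):
            return f"{self.props['NTDomain']}\\{name}"
        if not _unset(self.props.get("UPNSuffix")):
            return f"{name}@{self.props['UPNSuffix']}"
        host = self.props.get("Host")  # the Host entity is modelled here as a plain dict
        if isinstance(host, dict) and not _unset(host.get("HostName")):
            return f"{host['HostName']}\\{name}"
        return name

    def conflicts(self, other: "Account") -> Dict[str, tuple]:
        """Properties set on both sides with different values."""
        clashes: Dict[str, tuple] = {}
        for key in set(self.props) | set(other.props):
            mine, theirs = self.props.get(key), other.props.get(key)
            if not _unset(mine) and not _unset(theirs) and mine != theirs:
                clashes[key] = (mine, theirs)
        return clashes

    def is_equivalent(self, other: Any) -> bool:
        return isinstance(other, Account) and not self.conflicts(other)

    def can_merge(self, other: Any) -> bool:
        return self.is_equivalent(other)

    def merge(self, other: "Account") -> "Account":
        """Return a new Account carrying every property set on either side."""
        if not self.can_merge(other):
            raise AttributeError(f"cannot merge, conflicting properties: {self.conflicts(other)}")
        merged = dict(other.props)
        merged.update(self.props)  # keys set on both sides are equal, so either wins
        return Account(**merged)

    def identity(self) -> Dict[str, Any]:
        """The ID_PROPERTIES values: what makes two records 'the same account'."""
        ids = {k: self.props[k] for k in ID_PROPERTIES if k in self.props}
        if self.qualified_name:
            ids["QualifiedName"] = self.qualified_name
        return ids


def account_from_event(event: Dict[str, Any], role: str = "subject") -> Account:
    """role='subject' reads the Subject* fields, role='target' the Target* fields."""
    prefix = {"subject": "Subject", "target": "Target"}[role]
    return Account(
        Name=event.get(f"{prefix}UserName"),
        NTDomain=event.get(f"{prefix}DomainName"),
        Sid=event.get(f"{prefix}UserSid"),
        LogonId=event.get(f"{prefix}LogonId"),
    )


# Constructed sample rows (not real data): a Windows 4624 logon and an Azure AD
# sign-in for the same user, seen through different identifiers.
LOGON_4624 = {
    "EventID": 4624,
    "SubjectUserName": "SVC-DEPLOY$", "SubjectDomainName": "CONTOSO",
    "SubjectUserSid": "S-1-5-21-111-222-333-1105", "SubjectLogonId": "0x3e7",
    "TargetUserName": "alice", "TargetDomainName": "CONTOSO",
    "TargetUserSid": "S-1-5-21-111-222-333-1201", "TargetLogonId": "0x5a2f1",
}
CLOUD_SIGNIN = Account(Name="alice", UPNSuffix="contoso.com",
                       AadUserId="2b5e1d5c-0000-4000-8000-000000000001",
                       AadTenantId="f1d8c2a0-0000-4000-8000-000000000002")


def correlate() -> Dict[str, Any]:
    """Join the on-prem and cloud views of 'alice'; the service account must not merge."""
    target = account_from_event(LOGON_4624, role="target")
    subject = account_from_event(LOGON_4624, role="subject")
    merged = target.merge(CLOUD_SIGNIN)  # Name agrees, the other keys fill in
    return {
        "target": target, "subject": subject, "merged": merged,
        "subject_mergeable": subject.can_merge(target),  # False: Name and Sid differ
    }
```

The merged record keeps the Sid from the host logon and the AadUserId from the cloud sign-in, which is the point of merging: one node in the entity graph that can be pivoted on by either identifier. The service account fails can_merge because its Name and Sid are both set and both differ, so an analyst gets an AttributeError rather than a silently corrupted account.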

to_html() str

Return HTML representation of entity.

Returns

HTML representation of entity

Return type

str

to_json()

Return object as a JSON string.

to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters

graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None

Returns

Graph with entity and any connected entities.

Return type

nx.Graph

msticpy.datamodel.entities.alert

Alert Entity class.

class msticpy.datamodel.entities.alert.Alert(src_entity: Optional[Mapping[str, Any]] = None, src_event: Optional[Mapping[str, Any]] = None, **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

Alert Entity class.

AlertDisplayName

Alert DisplayName

Type

str

CompromisedEntity

Alert CompromisedEntity

Type

str

Count

Alert Count

Type

int

StartTimeUtc

Alert StartTime

Type

datetime

EndTimeUtc

Alert EndTime

Type

datetime

Severity

Alert Severity

Type

str

SystemAlertIds

Alert SystemAlertIds

Type

List[str]

AlertType

Alert AlertType

Type

str

VendorName

Alert VendorName

Type

str

ProviderName

Alert ProviderName

Type

str

Create a new instance of the entity type.

Parameters
  • src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)

  • src_event (Mapping[str, Any], optional) – Create entity from event properties (the default is None)

  • kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.

ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
ID_PROPERTIES: List[str] = ['SystemAlertIds']
JSONEncoder

alias of msticpy.datamodel.entities.entity._EntityJSONEncoder

add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters
  • target (Node) – Target node.

  • edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None

can_merge(other: Any) bool

Return True if the entities can be merged.

Parameters

other (Any) – The other entity (object) to check

Returns

True if other has no conflicting properties.

Return type

bool

classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns

Instantiated entity

Return type

Entity

Notes

The entity type should be specified as “Type”, either as a key of src_entity or as a keyword argument.

classmethod del_pivot_shortcut(func_name: str)

Remove a pivot shortcut.

Parameters

func_name (str) – The name of the shortcut function.

Raises
  • AttributeError – The class does not have an attribute func_name

  • TypeError – The attribute to delete is not a pivot shortcut.

property description_str: str

Return Entity Description.

classmethod get_pivot_list() List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

has_edge(other)

Return True if node has an edge with other.

classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters
  • raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.

  • entity_type (Optional[Type]) – The entity type to create, by default None.

Returns

The instantiated entity

Return type

Entity
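The factory path documented above (create and instantiate_entity dispatching on a "Type" key through ENTITY_NAME_MAP) together with the JSONEncoder alias, as an added example that is not msticpy's code: a stand-alone registry carrying a handful of the map's own keys ('alert'/'alerts', 'account', 'host', 'ip'/'ipaddress', 'unknown') so that it runs without msticpy installed. Assumptions of this example: names are compared lower-cased with the hyphenated and unhyphenated spellings both accepted (as the map's 'azure-resource'/'azureresource' pairs suggest), a mapping without "Type" is handed back unchanged (consistent with the Union[Entity, Mapping] return type above), an unmapped name goes to UnknownEntity, and nested mappings that carry their own "Type" become nested entities (the way Account.Host is typed as Host). The alert row is constructed, and its Account property is not one of the Alert properties listed above; it is there only to show the nesting. With msticpy itself the calls are Entity.instantiate_entity(row), Alert.create(Type="alert", ...) and alert.to_json().

```python
"""Stand-alone model of Type-keyed entity creation and JSON encoding (not msticpy code)."""
import json
from datetime import datetime, timezone
from typing import Any, Dict, List, Mapping, Optional, Type, Union


class Entity:
    """Base: properties in a dict; subclasses declare their ID_PROPERTIES."""

    ID_PROPERTIES: List[str] = []
    ENTITY_NAME_MAP: Dict[str, type] = {}  # filled by the register() decorator

    def __init__(self, src_entity: Optional[Mapping[str, Any]] = None, **kwargs: Any) -> None:
        props = dict(src_entity or {})
        props.update(kwargs)
        props.pop("Type", None)  # the discriminator is not itself a property
        self.props: Dict[str, Any] = {}
        for key, value in props.items():
            if value is None:
                continue
            if isinstance(value, Mapping) and "Type" in value:
                value = Entity.instantiate_entity(value)  # nested typed mapping -> entity
            self.props[key] = value

    @classmethod
    def register(cls, *names: str):
        """Register a subclass under one or more ENTITY_NAME_MAP keys (lower-cased)."""
        def deco(subclass: type) -> type:
            for name in names:
                Entity.ENTITY_NAME_MAP[name.lower()] = subclass
            return subclass
        return deco

    @classmethod
    def instantiate_entity(
        cls, raw_entity: Mapping[str, Any], entity_type: Optional[Type["Entity"]] = None
    ) -> Union["Entity", Mapping[str, Any]]:
        if entity_type is not None:
            return entity_type(raw_entity)
        type_name = raw_entity.get("Type")
        if not type_name:
            return raw_entity  # nothing to dispatch on: hand the mapping back untouched
        key = str(type_name).lower()
        target = Entity.ENTITY_NAME_MAP.get(key) or Entity.ENTITY_NAME_MAP.get(key.replace("-", ""))
        return (target or Entity.ENTITY_NAME_MAP["unknown"])(raw_entity)

    @classmethod
    def create(cls, src_entity: Optional[Mapping[str, Any]] = None, **kwargs: Any):
        merged = dict(src_entity or {})
        merged.update(kwargs)
        return cls.instantiate_entity(merged)

    def identity(self) -> Dict[str, Any]:
        """Values of the ID_PROPERTIES, i.e. what identifies this entity."""
        return {k: self.props[k] for k in self.ID_PROPERTIES if k in self.props}

    def to_json(self) -> str:
        return json.dumps(self, cls=EntityJSONEncoder, sort_keys=True)


class EntityJSONEncoder(json.JSONEncoder):
    """Entities become {"Type": ..., props...}; datetimes become ISO-8601 strings."""

    def default(self, o: Any) -> Any:
        if isinstance(o, Entity):
            return {"Type": type(o).__name__, **o.props}
        if isinstance(o, datetime):
            return o.isoformat()
        return super().default(o)


@Entity.register("alert", "alerts")
class Alert(Entity):
    ID_PROPERTIES = ["SystemAlertIds"]


@Entity.register("account")
class Account(Entity):
    ID_PROPERTIES = ["QualifiedName", "Sid", "AadUserId", "PUID", "ObjectGuid"]


@Entity.register("host")
class Host(Entity):
    pass  # properties come from the mapping; no ID_PROPERTIES shown on this page


@Entity.register("ip", "ipaddress")
class IpAddress(Entity):
    pass


@Entity.register("unknown")
class UnknownEntity(Entity):
    pass


# Constructed sample (not a real alert): an alert row as a mapping, with the
# compromised account nested as its own typed mapping and a host inside that.
RAW_ALERT = {
    "Type": "alert",
    "AlertDisplayName": "Suspicious PowerShell download cradle",
    "AlertType": "PowerShellDownloadCradle",
    "Severity": "High",
    "ProviderName": "MDE",
    "VendorName": "Microsoft",
    "StartTimeUtc": datetime(2024, 3, 5, 9, 12, 0, tzinfo=timezone.utc),
    "EndTimeUtc": datetime(2024, 3, 5, 9, 14, 30, tzinfo=timezone.utc),
    "SystemAlertIds": ["3b7a0f5e-0000-4000-8000-0000000000aa"],
    "CompromisedEntity": "WS-0417",
    "Account": {"Type": "account", "Name": "alice", "NTDomain": "CONTOSO",
                "Host": {"Type": "host", "HostName": "WS-0417"}},
}


def load_alert() -> Union[Entity, Mapping[str, Any]]:
    return Entity.instantiate_entity(RAW_ALERT)


def roundtrip(entity: Entity) -> Dict[str, Any]:
    """Serialise with the encoder and parse back, as a SIEM or ticketing sink sees it."""
    return json.loads(entity.to_json())
```

The fallback to UnknownEntity matters in practice: alert feeds routinely carry entity types a given msticpy version does not model, and dropping them silently would hide part of the alert. Keeping them as UnknownEntity preserves the properties for display and for the entity graph.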

is_equivalent(other: Any) bool

Return True if the entities are equivalent.

Parameters

other (Any) – The entity to check

Returns

True if equivalent.

Return type

bool

Notes

This method checks that the compared entities do not have any properties whose values conflict. Two values do not conflict when they are equal, or when one side is unset (None) or empty, so all of the following count as equivalent:

self.A == other.A
self.B == “xyz” and other.B == None
self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)

Add a shortcut to a pivot function to the class.

Parameters
  • func_name (str) – The name of source pivot function.

  • target (str) – The shortcut name (this will be a member function of the class)

  • overwrite (bool, optional) – Force overwrite an existing pivot function, by default False

Raises
  • AttributeError – The source function does not exist

  • TypeError – The source function is not a pivot function.

  • TypeError – The target attribute exists and is not a pivot function

  • AttributeError – The target function exists and ‘overwrite=True’ was not specified.

merge(other: Any) msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns

Merged entity.

Return type

Entity

Raises

AttributeError – If the entities cannot be merged.

property name_str: str

Return Entity Name.

property node_properties: Dict[str, Any]

Return all public properties that are not entities.

Returns

Dictionary of name, value properties.

Return type

Dict[str, Any]

classmethod pivots() List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

property properties: dict

Return dictionary properties of entity.

Returns

Entity properties.

Return type

dict

to_html() str

Return the item as HTML string.

to_json()

Return object as a JSON string.

to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters

graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None

Returns

Graph with entity and any connected entities.

Return type

nx.Graph

msticpy.datamodel.entities.azure_resource

AzureResource Entity class.

class msticpy.datamodel.entities.azure_resource.AzureResource(src_entity: Optional[Mapping[str, Any]] = None, **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

AzureResource Entity class.

ResourceId

AzureResource ResourceId

Type

str

ResourceIdParts

AzureResource ResourceIdParts

Type

Dict[str, str]

Create a new instance of the entity type.

Parameters
  • src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)

  • kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.

ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
ID_PROPERTIES: List[str] = ['ResourceId']
JSONEncoder

alias of msticpy.datamodel.entities.entity._EntityJSONEncoder

property Provider

Return the Provider name or None.

property ResourceGroup

Return the ResourceGroup name or None.

property SubscriptionId

Return the subscription Id or None.
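How a ResourceId is broken into ResourceIdParts and surfaced through the SubscriptionId, ResourceGroup and Provider properties, as an added example that is not msticpy's code (msticpy's own part names and parsing are not shown on this page; the dictionary keys below are this example's choice). It parses the ARM ID layout /subscriptions/{id}/resourceGroups/{name}/providers/{namespace}/{type}/{name}[/{childType}/{childName}], matches the segment keywords case-insensitively because the portal, CLIs and log sources disagree on casing, and returns None for the parts that a subscription-scoped or tenant-scoped ID does not have. The subscription ID and resource IDs are constructed.

```python
"""Stand-alone model of AzureResource ID parsing (not msticpy code)."""
from typing import Dict, List, Optional


def parse_resource_id(resource_id: str) -> Dict[str, str]:
    """Split an ARM resource ID into its named parts (keys are this example's own)."""
    segments = [s for s in resource_id.split("/") if s]
    parts: Dict[str, str] = {}
    idx = 0
    while idx + 1 < len(segments):
        keyword, value = segments[idx].lower(), segments[idx + 1]
        if keyword == "subscriptions":
            parts["subscription"] = value
        elif keyword == "resourcegroups":
            parts["resource_group"] = value
        elif keyword == "providers":
            parts["provider"] = value
            # After the namespace come <type>/<name> pairs, nested for child resources.
            types = segments[idx + 2::2]
            names = segments[idx + 3::2]
            if types:
                parts["type"] = "/".join(types)
            if names:
                parts["name"] = names[-1]
            if len(names) > 1:
                parts["parent"] = names[-2]
            break
        idx += 2
    return parts


class AzureResource:
    """ResourceId plus the derived ResourceIdParts and convenience properties."""

    ID_PROPERTIES = ["ResourceId"]

    def __init__(self, ResourceId: Optional[str] = None) -> None:
        self.ResourceId = ResourceId
        self.ResourceIdParts: Dict[str, str] = parse_resource_id(ResourceId) if ResourceId else {}

    @property
    def SubscriptionId(self) -> Optional[str]:
        return self.ResourceIdParts.get("subscription")

    @property
    def ResourceGroup(self) -> Optional[str]:
        return self.ResourceIdParts.get("resource_group")

    @property
    def Provider(self) -> Optional[str]:
        return self.ResourceIdParts.get("provider")

    def scope(self) -> str:
        """Coarse scope of the ID: resourcegroup, subscription or tenant."""
        if self.ResourceGroup:
            return "resourcegroup"
        if self.SubscriptionId:
            return "subscription"
        return "tenant"


def group_by_scope(resource_ids: List[str]) -> Dict[str, List[str]]:
    """Bucket resource IDs by subscription/resource group to see how many
    resources an alert burst touches in one place. Resource group names are
    compared case-insensitively, as Azure itself treats them."""
    buckets: Dict[str, List[str]] = {}
    for rid in resource_ids:
        res = AzureResource(rid)
        key = f"{res.SubscriptionId or '-'}/{(res.ResourceGroup or '-').lower()}"
        buckets.setdefault(key, []).append(res.ResourceIdParts.get("name", rid))
    return buckets


# Constructed IDs (not real resources): two VMs in one resource group written
# with different casing, a subscription-scoped role assignment, and a
# tenant-scoped management group.
SUB = "11111111-2222-3333-4444-555555555555"
RESOURCE_IDS = [
    f"/subscriptions/{SUB}/resourceGroups/rg-prod-web/providers/Microsoft.Compute/virtualMachines/vm-web-01",
    f"/subscriptions/{SUB}/resourcegroups/RG-PROD-WEB/providers/Microsoft.Compute/virtualMachines/vm-web-02/extensions/CustomScript",
    f"/subscriptions/{SUB}/providers/Microsoft.Authorization/roleAssignments/9a1c0000-0000-4000-8000-0000000000cc",
    "/providers/Microsoft.Management/managementGroups/contoso-root",
]
```

The child-resource case is the one that usually bites: a CustomScript extension ID names the extension, but the asset an analyst needs to isolate is the parent VM, so the parser keeps both. The two scoped IDs show why the properties return None rather than raising: a role assignment at subscription scope legitimately has no resource group, and a management group has no subscription.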

add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters
  • target (Node) – Target node.

  • edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None

can_merge(other: Any) bool

Return True if the entities can be merged.

Parameters

other (Any) – The other entity (object) to check

Returns

True if other has no conflicting properties.

Return type

bool

classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns

Instantiated entity

Return type

Entity

Notes

The entity type should be specified as “Type”, either as a key of src_entity or as a keyword argument.

classmethod del_pivot_shortcut(func_name: str)

Remove a pivot shortcut.

Parameters

func_name (str) – The name of the shortcut function.

Raises
  • AttributeError – The class does not have an attribute func_name

  • TypeError – The attribute to delete is not a pivot shortcut.

property description_str: str

Return Entity Description.

classmethod get_pivot_list() List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

has_edge(other)

Return True if node has an edge with other.

classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters
  • raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.

  • entity_type (Optional[Type]) – The entity type to create, by default None.

Returns

The instantiated entity

Return type

Entity

is_equivalent(other: Any) bool

Return True if the entities are equivalent.

Parameters

other (Any) – The entity to check

Returns

True if equivalent.

Return type

bool

Notes

This method checks that the compared entities do not have any properties whose values conflict. Two values do not conflict when they are equal, or when one side is unset (None) or empty, so all of the following count as equivalent:

self.A == other.A
self.B == “xyz” and other.B == None
self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)

Add a shortcut to a pivot function to the class.

Parameters
  • func_name (str) – The name of source pivot function.

  • target (str) – The shortcut name (this will be a member function of the class)

  • overwrite (bool, optional) – Force overwrite an existing pivot function, by default False

Raises
  • AttributeError – The source function does not exist

  • TypeError – The source function is not a pivot function.

  • TypeError – The target attribute exists and is not a pivot function

  • AttributeError – The target function exists and ‘overwrite=True’ was not specified.

merge(other: Any) msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns

Merged entity.

Return type

Entity

Raises

AttributeError – If the entities cannot be merged.

property name_str: str

Return Entity Name.

property node_properties: Dict[str, Any]

Return all public properties that are not entities.

Returns

Dictionary of name, value properties.

Return type

Dict[str, Any]

classmethod pivots() List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

property properties: dict

Return dictionary properties of entity.

Returns

Entity properties.

Return type

dict

to_html() str

Return HTML representation of entity.

Returns

HTML representation of entity

Return type

str

to_json()

Return object as a JSON string.

to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters

graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None

Returns

Graph with entity and any connected entities.

Return type

nx.Graph

msticpy.datamodel.entities.cloud_application

CloudApplication Entity class.

class msticpy.datamodel.entities.cloud_application.CloudApplication(src_entity: Optional[Mapping[str, Any]] = None, **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

CloudApplication Entity class.

Name

CloudApplication Name

Type

str

AppId

The AppId of the cloud application

Type

str

InstanceName

The instance name of the application

Type

str

Create a new instance of the entity type.

Parameters
  • src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)

  • kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.

ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
ID_PROPERTIES: List[str] = ['Name']
JSONEncoder

alias of msticpy.datamodel.entities.entity._EntityJSONEncoder

add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters
  • target (Node) – Target node.

  • edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None

can_merge(other: Any) bool

Return True if the entities can be merged.

Parameters

other (Any) – The other entity (object) to check

Returns

True if other has no conflicting properties.

Return type

bool

classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns

Instantiated entity

Return type

Entity

Notes

The entity type should be specified as “Type”, either as a key of src_entity or as a keyword argument.

classmethod del_pivot_shortcut(func_name: str)

Remove a pivot shortcut.

Parameters

func_name (str) – The name of the shortcut function.

Raises
  • AttributeError – The class does not have an attribute func_name

  • TypeError – The attribute to delete is not a pivot shortcut.

property description_str: str

Return Entity Description.

classmethod get_pivot_list() List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

has_edge(other)

Return True if node has an edge with other.

classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters
  • raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.

  • entity_type (Optional[Type]) – The entity type to create, by default None.

Returns

The instantiated entity

Return type

Entity

is_equivalent(other: Any) bool

Return True if the entities are equivalent.

Parameters

other (Any) – The entity to check

Returns

True if equivalent.

Return type

bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. For example, none of the following pairs conflict:
  • self.A == other.A

  • self.B == “xyz” and other.B == None

  • self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)

Add a shortcut to a pivot function to the class.

Parameters
  • func_name (str) – The name of source pivot function.

  • target (str) – The shortcut name (this will be a member function of the class)

  • overwrite (bool, optional) – Force overwrite an existing pivot function, by default False

Raises
  • AttributeError – The source function does not exist

  • TypeError – The source function is not a pivot function.

  • TypeError – The target attribute exists and is not a pivot function

  • AttributeError – The target function exists and ‘overwrite=True’ was not specified.

merge(other: Any) msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns

Merged entity.

Return type

Entity

Raises

AttributeError – If the entities cannot be merged.

property name_str: str

Return Entity Name.

property node_properties: Dict[str, Any]

Return all public properties that are not entities.

Returns

Dictionary of name, value properties.

Return type

Dict[str, Any]

classmethod pivots() List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

property properties: dict

Return dictionary properties of entity.

Returns

Entity properties.

Return type

dict

to_html() str

Return HTML representation of entity.

Returns

HTML representation of entity

Return type

str

to_json()

Return object as a JSON string.

to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters

graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None

Returns

Graph with entity and any connected entities.

Return type

nx.Graph

msticpy.datamodel.entities.dns

Dns Entity class.

class msticpy.datamodel.entities.dns.Dns(src_entity: Optional[Mapping[str, Any]] = None, **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

DNS Resolve Entity class.

DomainName

DnsResolve DomainName

Type

str

IpAdresses

DnsResolve IpAdresses

Type

List[str]

DnsServerIp

DnsResolve DnsServerIp

Type

IPAddress

HostIpAddress

DnsResolve HostIpAddress

Type

IPAddress

Create a new instance of the entity type.

Parameters
  • src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)

  • kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.

ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
ID_PROPERTIES: List[str] = ['DomainName']
JSONEncoder

alias of msticpy.datamodel.entities.entity._EntityJSONEncoder

add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters
  • target (Node) – Target node.

  • edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None

can_merge(other: Any) bool

Return True if the entities can be merged.

Parameters

other (Any) – The other entity (object) to check

Returns

True if other has no conflicting properties.

Return type

bool

classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns

Instantiated entity

Return type

Entity

Notes

The entity type should be specified as “Type”, either as a key of src_entity or as a keyword argument.

classmethod del_pivot_shortcut(func_name: str)

Remove a pivot shortcut.

Parameters

func_name (str) – The name of the shortcut function.

Raises
  • AttributeError – The class does not have an attribute func_name

  • TypeError – The attribute to delete is not a pivot shortcut.

property description_str: str

Return Entity Description.

classmethod get_pivot_list() List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

has_edge(other)

Return True if node has an edge with other.

classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters
  • raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.

  • entity_type (Optional[Type]) – The entity type to create, by default None.

Returns

The instantiated entity

Return type

Entity

is_equivalent(other: Any) bool

Return True if the entities are equivalent.

Parameters

other (Any) – The entity to check

Returns

True if equivalent.

Return type

bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. For example, none of the following pairs conflict:
  • self.A == other.A

  • self.B == “xyz” and other.B == None

  • self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)

Add a shortcut to a pivot function to the class.

Parameters
  • func_name (str) – The name of source pivot function.

  • target (str) – The shortcut name (this will be a member function of the class)

  • overwrite (bool, optional) – Force overwrite an existing pivot function, by default False

Raises
  • AttributeError – The source function does not exist

  • TypeError – The source function is not a pivot function.

  • TypeError – The target attribute exists and is not a pivot function

  • AttributeError – The target function exists and ‘overwrite=True’ was not specified.

merge(other: Any) msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns

Merged entity.

Return type

Entity

Raises

AttributeError – If the entities cannot be merged.

property name_str: str

Return Entity Name.

property node_properties: Dict[str, Any]

Return all public properties that are not entities.

Returns

Dictionary of name, value properties.

Return type

Dict[str, Any]

classmethod pivots() List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

property properties: dict

Return dictionary properties of entity.

Returns

Entity properties.

Return type

dict

to_html() str

Return HTML representation of entity.

Returns

HTML representation of entity

Return type

str

to_json()

Return object as a JSON string.

to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters

graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None

Returns

Graph with entity and any connected entities.

Return type

nx.Graph

msticpy.datamodel.entities.entity

Entity Entity class.

class msticpy.datamodel.entities.entity.ContextObject

Bases: object

Information object attached to an entity that is not itself an Entity.

class msticpy.datamodel.entities.entity.Entity(src_entity: Optional[Mapping[str, Any]] = None, **kwargs)

Bases: abc.ABC, msticpy.datamodel.entities.entity_graph.Node

Entity abstract base class.

Implements common methods for Entity classes.

Create a new instance of an entity.

Parameters
  • src_entity (Mapping[str, Any], optional) – If src_entity is supplied it attempts to extract common properties from the source entity and assign them to the new instance. (the default is None)

  • kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.

ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
ID_PROPERTIES: List[str] = []
JSONEncoder

alias of msticpy.datamodel.entities.entity._EntityJSONEncoder

add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters
  • target (Node) – Target node.

  • edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None

can_merge(other: Any) bool

Return True if the entities can be merged.

Parameters

other (Any) – The other entity (object) to check

Returns

True if other has no conflicting properties.

Return type

bool

classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns

Instantiated entity

Return type

Entity

Notes

The entity type should be specified as “Type”, either as a key of src_entity or as a keyword argument.

classmethod del_pivot_shortcut(func_name: str)

Remove a pivot shortcut.

Parameters

func_name (str) – The name of the shortcut function.

Raises
  • AttributeError – The class does not have an attribute func_name

  • TypeError – The attribute to delete is not a pivot shortcut.

property description_str: str

Return Entity Description.

Returns

Entity description (optional). If not overridden by the Entity instance type, it will return the Type string.

Return type

str

classmethod get_pivot_list() List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

has_edge(other)

Return True if node has an edge with other.

classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters
  • raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.

  • entity_type (Optional[Type]) – The entity type to create, by default None.

Returns

The instantiated entity

Return type

Entity

is_equivalent(other: Any) bool

Return True if the entities are equivalent.

Parameters

other (Any) – The entity to check

Returns

True if equivalent.

Return type

bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. For example, none of the following pairs conflict:
  • self.A == other.A

  • self.B == “xyz” and other.B == None

  • self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)

Add a shortcut to a pivot function to the class.

Parameters
  • func_name (str) – The name of source pivot function.

  • target (str) – The shortcut name (this will be a member function of the class)

  • overwrite (bool, optional) – Force overwrite an existing pivot function, by default False

Raises
  • AttributeError – The source function does not exist

  • TypeError – The source function is not a pivot function.

  • TypeError – The target attribute exists and is not a pivot function

  • AttributeError – The target function exists and ‘overwrite=True’ was not specified.

merge(other: Any) msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns

Merged entity.

Return type

Entity

Raises

AttributeError – If the entities cannot be merged.
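The conflict rule that can_merge, is_equivalent and merge are documented to follow (the Notes on is_equivalent above, repeated for Account, Dns, File and FileHash) is easiest to see in running code. The following is an added, stand-alone re-implementation of that rule for illustration, not msticpy's own Entity code: the SimpleEntity class, the _is_empty helper, and the account names, SIDs and host name in demo() are all constructed for the example. The security-relevant point it demonstrates is the last case: two observations that share a user name but carry different non-empty SIDs are different principals, so merge() refuses rather than silently folding them into one entity.

```python
"""Added example (not msticpy's code): the conflict-free property rule that
can_merge / is_equivalent / merge are documented to apply, re-implemented in a
small stand-alone class so it can be run and tested without msticpy."""
from __future__ import annotations

from typing import Any, Dict


def _is_empty(value: Any) -> bool:
    """None, "", [] and {} count as 'no value', so they never conflict."""
    return value is None or (hasattr(value, "__len__") and len(value) == 0)


class SimpleEntity:
    """Minimal stand-in for an msticpy Entity: a Type plus named properties."""

    def __init__(self, entity_type: str, **props: Any) -> None:
        self.Type = entity_type
        self.props: Dict[str, Any] = dict(props)

    def is_equivalent(self, other: Any) -> bool:
        """True if no property has a different non-empty value on each side.

        Matches the documented examples: A == A is fine, "xyz" vs None is
        fine, [] vs [1, 2, 3] is fine; "xyz" vs "abc" is a conflict.
        """
        if not isinstance(other, SimpleEntity) or other.Type != self.Type:
            return False
        for name in self.props.keys() & other.props.keys():
            mine, theirs = self.props[name], other.props[name]
            if mine == theirs or _is_empty(mine) or _is_empty(theirs):
                continue
            return False
        return True

    def can_merge(self, other: Any) -> bool:
        """Entities can be merged exactly when they are equivalent."""
        return self.is_equivalent(other)

    def merge(self, other: "SimpleEntity") -> "SimpleEntity":
        """Return a new entity holding the union of both property sets.

        Where one side is empty the other side's value is taken, so merging
        never drops an observed value. Conflicts raise AttributeError, as the
        documented merge() does.
        """
        if not self.can_merge(other):
            raise AttributeError(
                f"cannot merge {self.Type} entities: conflicting property values"
            )
        merged: Dict[str, Any] = dict(self.props)
        for name, value in other.props.items():
            if name not in merged or _is_empty(merged[name]):
                merged[name] = value
        return SimpleEntity(self.Type, **merged)


def demo() -> Dict[str, Any]:
    """Constructed sample: three Account observations from different alerts."""
    # Constructed values: the SIDs and host name are placeholders, not real data.
    alert1 = SimpleEntity("Account", Name="jdoe", Sid=None, Host=[])
    alert2 = SimpleEntity("Account", Name="jdoe",
                          Sid="S-1-5-21-111-222-333-1001", Host=["WS01"])
    # Same user name but a different SID: a different principal, so it must
    # not be folded into the same entity.
    alert3 = SimpleEntity("Account", Name="jdoe",
                          Sid="S-1-5-21-111-222-333-1002")
    merged = alert1.merge(alert2)
    return {
        "a_b_equivalent": alert1.is_equivalent(alert2),
        "b_c_equivalent": alert2.is_equivalent(alert3),
        "merged_sid": merged.props["Sid"],
        "merged_host": merged.props["Host"],
    }


def merge_conflict_raises() -> bool:
    """True if merging two entities with conflicting SIDs raises AttributeError."""
    left = SimpleEntity("Account", Name="jdoe", Sid="S-1-5-21-111-222-333-1001")
    right = SimpleEntity("Account", Name="jdoe", Sid="S-1-5-21-111-222-333-1002")
    try:
        left.merge(right)
    except AttributeError:
        return True
    return False


if __name__ == "__main__":
    print(demo(), merge_conflict_raises())
```

Note that only properties present on both sides are compared; a property set on one entity and absent from the other is not a conflict, which is what lets a sparse observation (an account name with no SID yet) be merged into a richer one.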

property name_str: str

Return Entity Name.

Returns

Entity Name (optional). If not overridden by the Entity instance type, it will return the class name string.

Return type

str

property node_properties: Dict[str, Any]

Return all public properties that are not entities.

Returns

Dictionary of name, value properties.

Return type

Dict[str, Any]

classmethod pivots() List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

property properties: dict

Return dictionary properties of entity.

Returns

Entity properties.

Return type

dict

to_html() str

Return HTML representation of entity.

Returns

HTML representation of entity

Return type

str

to_json()

Return object as a JSON string.

to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters

graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None

Returns

Graph with entity and any connected entities.

Return type

nx.Graph

msticpy.datamodel.entities.entity.camelcase_property_names(input_ent: Dict[str, Any]) Dict[str, Any]

Change the initial letter of Microsoft Sentinel API entity property names to upper case.

msticpy.datamodel.entities.entity_enums

Entity enumerations.

class msticpy.datamodel.entities.entity_enums.Algorithm(value)

Bases: enum.Enum

FileHash Algorithm Enumeration.

MD5 = 1
SHA1 = 2
SHA256 = 3
SHA256AC = 4
Unknown = 0
class msticpy.datamodel.entities.entity_enums.ElevationToken(value)

Bases: enum.Enum

ElevationToken enumeration.

Default = 0
Full = 1
Limited = 2
class msticpy.datamodel.entities.entity_enums.OSFamily(value)

Bases: enum.Enum

OSFamily enumeration.

Linux = 0
Windows = 1
class msticpy.datamodel.entities.entity_enums.RegistryHive(value)

Bases: enum.Enum

RegistryHive enumeration.

HKEY_A = 8
HKEY_CLASSES_ROOT = 1
HKEY_CURRENT_CONFIG = 2
HKEY_CURRENT_USER = 9
HKEY_CURRENT_USER_LOCAL_SETTINGS = 4
HKEY_LOCAL_MACHINE = 0
HKEY_PERFORMANCE_DATA = 5
HKEY_PERFORMANCE_NLSTEXT = 6
HKEY_PERFORMANCE_TEXT = 7
HKEY_USERS = 3
property short_name: str

Return the key shortname.

msticpy.datamodel.entities.entity_graph

Entity Graph classes.

class msticpy.datamodel.entities.entity_graph.Edge(source: msticpy.datamodel.entities.entity_graph.Node, target: msticpy.datamodel.entities.entity_graph.Node, attrs: Optional[Dict[str, Any]] = None)

Bases: object

Entity edge class.

Create a new edge between source and target.

Parameters
  • source (Node) – Source node.

  • target (Node) – Target node.

  • attrs (Dict[str, Any], optional) – Dictionary of name/value edge attributes, by default None

add_attr(name: str, value: Any)

Add an edge attribute.

class msticpy.datamodel.entities.entity_graph.Node

Bases: object

Entity node.

Initialize the node.

add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters
  • target (Node) – Target node.

  • edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None

has_edge(other)

Return True if node has an edge with other.
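The Node and Edge classes above define the graph behaviour every Entity inherits (add_edge, has_edge, the edges set) and the basis of to_networkx, which exports an entity together with any connected entities. The following is an added, stand-alone illustration of that behaviour, not msticpy's entity_graph code: the Node and Edge classes here are re-implemented with the same method names, the other_end helper and the component() walk are constructed for the example, and the account, host and IP address labels in demo() are placeholders. It deliberately avoids a networkx dependency; component() returns the (source, target, attrs) rows one would hand to nx.Graph.add_edge.

```python
"""Added example (not msticpy's code): a stand-alone Node/Edge pair with the
add_edge / has_edge behaviour described above, plus the walk that collects an
entity and everything connected to it (the set that to_networkx exports)."""
from __future__ import annotations

from collections import deque
from typing import Any, Dict, List, Optional, Set, Tuple


class Edge:
    """Link between two nodes carrying name/value attributes."""

    def __init__(self, source: "Node", target: "Node",
                 attrs: Optional[Dict[str, Any]] = None) -> None:
        self.source = source
        self.target = target
        self.attrs: Dict[str, Any] = dict(attrs or {})

    def add_attr(self, name: str, value: Any) -> None:
        """Add (or overwrite) one edge attribute."""
        self.attrs[name] = value

    def other_end(self, node: "Node") -> "Node":
        """Constructed helper: the node at the far side of this edge."""
        return self.target if node is self.source else self.source


class Node:
    """Entity node: a label plus the set of edges it takes part in."""

    def __init__(self, label: str) -> None:
        self.label = label
        self.edges: Set[Edge] = set()

    def add_edge(self, target: "Node",
                 edge_attrs: Optional[Dict[str, Any]] = None) -> Edge:
        """Add an edge between self and target (registered on both ends)."""
        edge = Edge(self, target, edge_attrs)
        self.edges.add(edge)
        target.edges.add(edge)
        return edge

    def has_edge(self, other: "Node") -> bool:
        """True if a direct edge links self and other (in either direction)."""
        return any(edge.other_end(self) is other for edge in self.edges)


def component(start: Node) -> Tuple[List[str], List[Tuple[str, str, Dict[str, Any]]]]:
    """Breadth-first walk from start.

    Returns the sorted labels of every reachable node and the edges among
    them as (source, target, attrs) rows, the shape one would feed to
    nx.Graph.add_edge when exporting the component to networkx.
    """
    seen_nodes: Set[int] = {id(start)}
    seen_edges: Set[int] = set()
    labels: List[str] = [start.label]
    rows: List[Tuple[str, str, Dict[str, Any]]] = []
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for edge in node.edges:
            if id(edge) not in seen_edges:
                seen_edges.add(id(edge))
                rows.append((edge.source.label, edge.target.label, dict(edge.attrs)))
            nxt = edge.other_end(node)
            if id(nxt) not in seen_nodes:
                seen_nodes.add(id(nxt))
                labels.append(nxt.label)
                queue.append(nxt)
    return sorted(labels), sorted(rows, key=lambda r: (r[0], r[1]))


def demo() -> Dict[str, Any]:
    """Constructed sample: an account logs on to a host, which talks to an IP."""
    account = Node("Account:jdoe")            # constructed labels throughout
    host = Node("Host:WS01")
    ip = Node("IpAddress:10.0.0.5")           # constructed private address
    unrelated = Node("Host:WS99")             # never linked, must stay outside
    account.add_edge(host, {"relation": "logged_on"})
    host.add_edge(ip, {"relation": "connected_to"})
    labels, rows = component(account)
    return {
        "account_host": account.has_edge(host),
        "account_ip": account.has_edge(ip),   # only indirectly connected
        "component": labels,
        "edges": rows,
        "unrelated_in_component": unrelated.label in labels,
    }


if __name__ == "__main__":
    print(demo())
```

has_edge answers only for a direct link; reachability through intermediate entities is what the component walk (and to_networkx on the real classes) gives you, which is why account.has_edge(ip) is False while the IP address is still part of the exported component.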

msticpy.datamodel.entities.file

File Entity class.

class msticpy.datamodel.entities.file.File(src_entity: Optional[Mapping[str, Any]] = None, src_event: Optional[Mapping[str, Any]] = None, role: str = 'new', **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

File Entity class.

FullPath

File FullPath

Type

str

Directory

File Directory

Type

str

Name

File Name

Type

str

Md5

File Md5

Type

str

Host

File Host

Type

str

Sha1

File Sha1

Type

str

Sha256

File Sha256

Type

str

Sha256Ac

File Sha256Ac

Type

str

FileHashes

File FileHashes

Type

List[FileHash]

Create a new instance of the entity type.

Parameters
  • src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)

  • src_event (Mapping[str, Any], optional) – Create entity from event properties (the default is None)

  • role (str, optional) – ‘new’ or ‘parent’ - only relevant if the entity is being constructed from an event. (the default is ‘new’)

  • kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.

ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
ID_PROPERTIES: List[str] = ['FullPath', 'Sha1', 'Sha256', 'Sha256ac', 'Md5']
JSONEncoder

alias of msticpy.datamodel.entities.entity._EntityJSONEncoder

add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters
  • target (Node) – Target node.

  • edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None

can_merge(other: Any) bool

Return True if the entities can be merged.

Parameters

other (Any) – The other entity (object) to check

Returns

True if other has no conflicting properties.

Return type

bool

classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns

Instantiated entity

Return type

Entity

Notes

The entity type should be specified as “Type”, either as a key of src_entity or as a keyword argument.

classmethod del_pivot_shortcut(func_name: str)

Remove a pivot shortcut.

Parameters

func_name (str) – The name of the shortcut function.

Raises
  • AttributeError – The class does not have an attribute func_name

  • TypeError – The attribute to delete is not a pivot shortcut.

property description_str: str

Return Entity Description.

edges: Set['Edge']
property file_hash: Optional[str]

Return the first defined file hash.

Returns

Returns first-defined file hash in order of SHA256, SHA1, MD5, SHA256AC (authenticode)

Return type

Optional[str]

classmethod get_pivot_list() List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

has_edge(other)

Return True if node has an edge with other.

classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters
  • raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.

  • entity_type (Optional[Type]) – The entity type to create, by default None.

Returns

The instantiated entity

Return type

Entity

is_equivalent(other: Any) bool

Return True if the entities are equivalent.

Parameters

other (Any) – The entity to check

Returns

True if equivalent.

Return type

bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. For example, none of the following pairs conflict:
  • self.A == other.A

  • self.B == “xyz” and other.B == None

  • self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)

Add a shortcut to a pivot function to the class.

Parameters
  • func_name (str) – The name of source pivot function.

  • target (str) – The shortcut name (this will be a member function of the class)

  • overwrite (bool, optional) – Force overwrite an existing pivot function, by default False

Raises
  • AttributeError – The source function does not exist

  • TypeError – The source function is not a pivot function.

  • TypeError – The target attribute exists and is not a pivot function

  • AttributeError – The target function exists and ‘overwrite=True’ was not specified.

merge(other: Any) msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns

Merged entity.

Return type

Entity

Raises

AttributeError – If the entities cannot be merged.

property name_str: str

Return Entity Name.

property node_properties: Dict[str, Any]

Return all public properties that are not entities.

Returns

Dictionary of name, value properties.

Return type

Dict[str, Any]

property path_separator

Return the path separator used by the file.

classmethod pivots() List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

property properties: dict

Return dictionary properties of entity.

Returns

Entity properties.

Return type

dict

to_html() str

Return HTML representation of entity.

Returns

HTML representation of entity

Return type

str

to_json()

Return object as a JSON string.

to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters

graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None

Returns

Graph with entity and any connected entities.

Return type

nx.Graph

msticpy.datamodel.entities.file_hash

FileHash Entity class.

class msticpy.datamodel.entities.file_hash.FileHash(src_entity: Optional[Mapping[str, Any]] = None, src_event: Optional[Mapping[str, Any]] = None, **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

File Hash class.

Algorithm

FileHash Algorithm

Type

Algorithm

Value

FileHash Value

Type

str

Create a new instance of the entity type.

Parameters
  • src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)

  • src_event (Mapping[str, Any], optional) – Create entity from event properties (the default is None)

  • kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.

ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
ID_PROPERTIES: List[str] = ['Value']
JSONEncoder

alias of msticpy.datamodel.entities.entity._EntityJSONEncoder

add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters
  • target (Node) – Target node.

  • edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None

can_merge(other: Any) bool

Return True if the entities can be merged.

Parameters

other (Any) – The other entity (object) to check

Returns

True if other has no conflicting properties.

Return type

bool

classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns

Instantiated entity

Return type

Entity

Notes

The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.

classmethod del_pivot_shortcut(func_name: str)

Remove a pivot shortcut.

Parameters

func_name (str) – The name of the shortcut function.

Raises
  • AttributeError – The class does not have an attribute func_name

  • TypeError – The attribute to delete is not a pivot shortcut.

property description_str: str

Return Entity Description.

edges: Set['Edge']
classmethod get_pivot_list() List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

has_edge(other)

Return True if node has an edge with other.

classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters
  • raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.

  • entity_type (Optional[Type]) – The entity type to create, by default None.

Returns

The instantiated entity

Return type

Entity

is_equivalent(other: Any) bool

Return True if the entities are equivalent.

Parameters

other (Any) – The entity to check

Returns

True if equivalent.

Return type

bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. Examples of pairs that do not conflict:
  • self.A == other.A
  • self.B == “xyz” and other.B == None
  • self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)

Add a shortcut to a pivot function to the class.

Parameters
  • func_name (str) – The name of source pivot function.

  • target (str) – The shortcut name (this will be a member function of the class)

  • overwrite (bool, optional) – Force overwrite an existing pivot function, by default False

Raises
  • AttributeError – The source function does not exist

  • TypeError – The source function is not a pivot function.

  • TypeError – The target attribute exists and is not a pivot function

  • AttributeError – The target function exists and ‘overwrite=True’ was not specified.

merge(other: Any) msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns

Merged entity.

Return type

Entity

Raises

AttributeError – If the entities cannot be merged.

property name_str: str

Return Entity Name.

property node_properties: Dict[str, Any]

Return all public properties that are not entities.

Returns

Dictionary of name, value properties.

Return type

Dict[str, Any]

classmethod pivots() List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

property properties: dict

Return dictionary properties of entity.

Returns

Entity properties.

Return type

dict

to_html() str

Return HTML representation of entity.

Returns

HTML representation of entity

Return type

str

to_json()

Return object as a JSON string.

to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters

graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None

Returns

Graph with entity and any connected entities.

Return type

nx.Graph

msticpy.datamodel.entities.geo_location

GeoLocation Entity class.

class msticpy.datamodel.entities.geo_location.GeoLocation(src_entity: Optional[Mapping[str, Any]] = None, **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity, msticpy.datamodel.entities.entity.ContextObject

GeoLocation class.

CountryCode

GeoLocation CountryCode

Type

str

CountryName

GeoLocation CountryName

Type

str

State

GeoLocation State

Type

str

City

GeoLocation City

Type

str

Longitude

GeoLocation Longitude

Type

float

Latitude

GeoLocation Latitude

Type

float

Asn

GeoLocation Asn

Type

str

Create a new instance of the entity type.

Parameters
  • src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)

  • kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.

ENTITY_NAME_MAP: Dict[str, type] = (inherited from Entity; the same name-to-class mapping listed under Account above)
ID_PROPERTIES: List[str] = ['Longitude', 'Latitude', 'City', 'State', 'CountryCode']
JSONEncoder

alias of msticpy.datamodel.entities.entity._EntityJSONEncoder

add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters
  • target (Node) – Target node.

  • edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None

can_merge(other: Any) bool

Return True if the entities can be merged.

Parameters

other (Any) – The other entity (object) to check

Returns

True if other has no conflicting properties.

Return type

bool

property coordinates: Tuple[float, float]

Return Latitude/Longitude as a tuple of floats.

classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns

Instantiated entity

Return type

Entity

Notes

The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.

classmethod del_pivot_shortcut(func_name: str)

Remove a pivot shortcut.

Parameters

func_name (str) – The name of the shortcut function.

Raises
  • AttributeError – The class does not have an attribute func_name

  • TypeError – The attribute to delete is not a pivot shortcut.

property description_str: str

Return Entity Description.

edges: Set['Edge']
classmethod get_pivot_list() List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

has_edge(other)

Return True if node has an edge with other.

classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters
  • raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.

  • entity_type (Optional[Type]) – The entity type to create, by default None.

Returns

The instantiated entity

Return type

Entity

is_equivalent(other: Any) bool

Return True if the entities are equivalent.

Parameters

other (Any) – The entity to check

Returns

True if equivalent.

Return type

bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. Examples of pairs that do not conflict:
  • self.A == other.A
  • self.B == “xyz” and other.B == None
  • self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)

Add a shortcut to a pivot function to the class.

Parameters
  • func_name (str) – The name of source pivot function.

  • target (str) – The shortcut name (this will be a member function of the class)

  • overwrite (bool, optional) – Force overwrite an existing pivot function, by default False

Raises
  • AttributeError – The source function does not exist

  • TypeError – The source function is not a pivot function.

  • TypeError – The target attribute exists and is not a pivot function

  • AttributeError – The target function exists and ‘overwrite=True’ was not specified.

merge(other: Any) msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns

Merged entity.

Return type

Entity

Raises

AttributeError – If the entities cannot be merged.

property name_str: str

Return Entity Name.

property node_properties: Dict[str, Any]

Return all public properties that are not entities.

Returns

Dictionary of name, value properties.

Return type

Dict[str, Any]

classmethod pivots() List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

property properties: dict

Return dictionary properties of entity.

Returns

Entity properties.

Return type

dict

to_html() str

Return HTML representation of entity.

Returns

HTML representation of entity

Return type

str

to_json()

Return object as a JSON string.

to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters

graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None

Returns

Graph with entity and any connected entities.

Return type

nx.Graph

msticpy.datamodel.entities.host

Host Entity class.

class msticpy.datamodel.entities.host.Host(src_entity: Optional[Mapping[str, Any]] = None, src_event: Optional[Mapping[str, Any]] = None, **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

Host Entity class.

DnsDomain

Host DnsDomain

Type

str

NTDomain

Host NTDomain

Type

str

HostName

Host HostName

Type

str

NetBiosName

Host NetBiosName

Type

str

AzureID

Host AzureID

Type

str

OMSAgentID

Host OMSAgentID

Type

str

OSFamily

Host OSFamily

Type

str

OSVersion

Host OSVersion

Type

str

IsDomainJoined

Host IsDomainJoined

Type

bool

Create a new instance of the entity type.

Parameters
  • src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)

  • src_event (Mapping[str, Any], optional) – Create entity from event properties (the default is None)

  • kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.

ENTITY_NAME_MAP: Dict[str, type] = (inherited from Entity; the same name-to-class mapping listed under Account above)
property FullName: Optional[str]

Return the full name of the host: the FQDN if one can be built, otherwise the NetBiosName.

ID_PROPERTIES: List[str] = ['fqdn', 'AzureID', 'OMSAgentID']
JSONEncoder

alias of msticpy.datamodel.entities.entity._EntityJSONEncoder

add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters
  • target (Node) – Target node.

  • edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None

can_merge(other: Any) bool

Return True if the entities can be merged.

Parameters

other (Any) – The other entity (object) to check

Returns

True if other has no conflicting properties.

Return type

bool

property computer: Optional[str]

Return computer from source event.

classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns

Instantiated entity

Return type

Entity

Notes

The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.

classmethod del_pivot_shortcut(func_name: str)

Remove a pivot shortcut.

Parameters

func_name (str) – The name of the shortcut function.

Raises
  • AttributeError – The class does not have an attribute func_name

  • TypeError – The attribute to delete is not a pivot shortcut.

property description_str: str

Return Entity Description.

edges: Set['Edge']
property fqdn: Optional[str]

Construct the FQDN from HostName and DnsDomain.

classmethod get_pivot_list() List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

has_edge(other)

Return True if node has an edge with other.

classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters
  • raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.

  • entity_type (Optional[Type]) – The entity type to create, by default None.

Returns

The instantiated entity

Return type

Entity

is_equivalent(other: Any) bool

Return True if the entities are equivalent.

Parameters

other (Any) – The entity to check

Returns

True if equivalent.

Return type

bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. Examples of pairs that do not conflict:
  • self.A == other.A
  • self.B == “xyz” and other.B == None
  • self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)

Add a shortcut to a pivot function to the class.

Parameters
  • func_name (str) – The name of source pivot function.

  • target (str) – The shortcut name (this will be a member function of the class)

  • overwrite (bool, optional) – Force overwrite an existing pivot function, by default False

Raises
  • AttributeError – The source function does not exist

  • TypeError – The source function is not a pivot function.

  • TypeError – The target attribute exists and is not a pivot function

  • AttributeError – The target function exists and ‘overwrite=True’ was not specified.

merge(other: Any) msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns

Merged entity.

Return type

Entity

Raises

AttributeError – If the entities cannot be merged.

property name_str: str

Return Entity Name.

property node_properties: Dict[str, Any]

Return all public properties that are not entities.

Returns

Dictionary of name, value properties.

Return type

Dict[str, Any]

classmethod pivots() List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

property properties: dict

Return dictionary properties of entity.

Returns

Entity properties.

Return type

dict

to_html() str

Return HTML representation of entity.

Returns

HTML representation of entity

Return type

str

to_json()

Return object as a JSON string.

to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters

graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None

Returns

Graph with entity and any connected entities.

Return type

nx.Graph

msticpy.datamodel.entities.host_logon_session

HostLogonSession Entity class.

class msticpy.datamodel.entities.host_logon_session.HostLogonSession(src_entity: Optional[Mapping[str, Any]] = None, src_event: Optional[Mapping[str, Any]] = None, **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

HostLogonSession Entity class.

Account

HostLogonSession Account

Type

Account

StartTimeUtc

HostLogonSession StartTimeUtc

Type

datetime

EndTimeUtc

HostLogonSession EndTimeUtc

Type

datetime

Host

HostLogonSession Host

Type

Host

SessionId

HostLogonSession SessionId

Type

str

Create a new instance of the entity type.

Parameters
  • src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)

  • src_event (Mapping[str, Any], optional) – Create entity from event properties (the default is None)

  • kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.

ENTITY_NAME_MAP: Dict[str, type] = (inherited from Entity; the same name-to-class mapping listed under Account above)
ID_PROPERTIES: List[str] = ['Account', 'Host', 'SessionId']
JSONEncoder

alias of msticpy.datamodel.entities.entity._EntityJSONEncoder

add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters
  • target (Node) – Target node.

  • edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None

can_merge(other: Any) bool

Return True if the entities can be merged.

Parameters

other (Any) – The other entity (object) to check

Returns

True if other has no conflicting properties.

Return type

bool

classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns

Instantiated entity

Return type

Entity

Notes

The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.

classmethod del_pivot_shortcut(func_name: str)

Remove a pivot shortcut.

Parameters

func_name (str) – The name of the shortcut function.

Raises
  • AttributeError – The class does not have an attribute func_name

  • TypeError – The attribute to delete is not a pivot shortcut.

property description_str: str

Return Entity Description.

edges: Set['Edge']
classmethod get_pivot_list() List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

has_edge(other)

Return True if node has an edge with other.

classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters
  • raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.

  • entity_type (Optional[Type]) – The entity type to create, by default None.

Returns

The instantiated entity

Return type

Entity

is_equivalent(other: Any) bool

Return True if the entities are equivalent.

Parameters

other (Any) – The entity to check

Returns

True if equivalent.

Return type

bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. Examples of pairs that do not conflict:
  • self.A == other.A
  • self.B == “xyz” and other.B == None
  • self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)

Add a shortcut to a pivot function to the class.

Parameters
  • func_name (str) – The name of source pivot function.

  • target (str) – The shortcut name (this will be a member function of the class)

  • overwrite (bool, optional) – Force overwrite an existing pivot function, by default False

Raises
  • AttributeError – The source function does not exist

  • TypeError – The source function is not a pivot function.

  • TypeError – The target attribute exists and is not a pivot function

  • AttributeError – The target function exists and ‘overwrite=True’ was not specified.

merge(other: Any) msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns

Merged entity.

Return type

Entity

Raises

AttributeError – If the entities cannot be merged.

property name_str: str

Return Entity Name.

property node_properties: Dict[str, Any]

Return all public properties that are not entities.

Returns

Dictionary of name, value properties.

Return type

Dict[str, Any]

classmethod pivots() List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

property properties: dict

Return dictionary properties of entity.

Returns

Entity properties.

Return type

dict

to_html() str

Return HTML representation of entity.

Returns

HTML representation of entity

Return type

str

to_json()

Return object as a JSON string.

to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters

graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None

Returns

Graph with entity and any connected entities.

Return type

nx.Graph
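
The factory, equivalence and merge rules documented for Account, GeoLocation, Host and HostLogonSession above (create / instantiate_entity keyed on "Type", is_equivalent, can_merge, merge, and Host.fqdn) shown together as one runnable re-implementation. This is an added example written for this page, not msticpy's own code: it keeps the documented names but simplifies the behaviour (its create returns the raw mapping when the Type is unknown, which is one of the two documented return types of instantiate_entity; msticpy's real implementation may differ in detail), and dedupe(), the Account/Host property lists and the sample event rows are assumptions made for the example.

```python
"""Illustrative re-implementation of the entity rules documented above (added example, not
msticpy's code): the "Type"-keyed factory over ENTITY_NAME_MAP, Host.fqdn, and the
is_equivalent/can_merge/merge conflict rules. dedupe() and the sample rows are assumptions."""
from typing import Any, Dict, List, Mapping, Optional, Tuple, Type


def _is_empty(value: Any) -> bool:  # None, "" and empty containers carry no value
    return value is None or value == "" or (hasattr(value, "__len__") and len(value) == 0)


class Entity:
    ENTITY_NAME_MAP: Dict[str, Type["Entity"]] = {}  # lower-case name or alias -> class
    PROPERTIES: Tuple[str, ...] = ()  # declared entity properties (subclasses override)

    def __init__(self, src_entity: Optional[Mapping[str, Any]] = None, **kwargs: Any):
        src = {**dict(src_entity or {}), **kwargs}
        for name in self.PROPERTIES:
            value = src.get(name)
            # A nested mapping that carries a "Type" key becomes a child entity.
            nested = isinstance(value, Mapping) and "Type" in value
            setattr(self, name, Entity.create(value) if nested else value)

    @classmethod
    def create(cls, src_entity: Optional[Mapping[str, Any]] = None, **kwargs: Any) -> Any:
        """Dispatch on the "Type" key, case-insensitively; an unknown type is returned as-is."""
        src = {**dict(src_entity or {}), **kwargs}
        ent_cls = cls.ENTITY_NAME_MAP.get(str(src.get("Type", "")).lower())
        return ent_cls(src) if ent_cls else src

    def is_equivalent(self, other: Any) -> bool:
        """True unless some property holds two different non-empty values."""
        if not isinstance(other, type(self)):
            return False
        for name in self.PROPERTIES:
            mine, theirs = getattr(self, name), getattr(other, name)
            if _is_empty(mine) or _is_empty(theirs):
                continue  # a value missing on either side is not a conflict
            same = mine.is_equivalent(theirs) if isinstance(mine, Entity) else mine == theirs
            if not same:
                return False
        return True

    def can_merge(self, other: Any) -> bool:
        return self.is_equivalent(other)

    def merge(self, other: Any) -> "Entity":
        """Return a new entity holding the union of both property sets; conflicts raise."""
        if not self.can_merge(other):
            raise AttributeError(f"cannot merge conflicting {type(self).__name__} entities")
        merged: Dict[str, Any] = {}
        for name in self.PROPERTIES:
            mine, theirs = getattr(self, name), getattr(other, name)
            both = isinstance(mine, Entity) and isinstance(theirs, Entity)
            merged[name] = mine.merge(theirs) if both else (theirs if _is_empty(mine) else mine)
        return type(self)(merged)


class Account(Entity):
    PROPERTIES = ("Name", "NTDomain", "UPNSuffix", "Sid", "AadUserId", "DisplayName")


class Host(Entity):
    PROPERTIES = ("HostName", "DnsDomain", "NetBiosName", "AzureID", "OMSAgentID")

    @property
    def fqdn(self) -> Optional[str]:  # HostName.DnsDomain, or the bare HostName
        return ".".join(filter(None, (self.HostName, self.DnsDomain))) or None


class HostLogonSession(Entity):
    PROPERTIES = ("Account", "Host", "SessionId", "StartTimeUtc", "EndTimeUtc")


Entity.ENTITY_NAME_MAP.update({"account": Account, "host": Host,
                               "hostlogonsession": HostLogonSession,
                               "host-logon-session": HostLogonSession})


def dedupe(entities: List[Entity]) -> List[Entity]:
    """Fold observations: merge each entity into the first compatible one, else keep it."""
    folded: List[Entity] = []
    for ent in entities:
        for idx, existing in enumerate(folded):
            if existing.can_merge(ent):
                folded[idx] = existing.merge(ent)
                break
        else:
            folded.append(ent)
    return folded


# Constructed sample rows: two partial views of one logon session, plus an unrelated one.
EVENTS = [
    {"Type": "hostlogonsession", "SessionId": "0x3e7a1",
     "Account": {"Type": "account", "Name": "jdoe", "NTDomain": "CORP"},
     "Host": {"Type": "host", "HostName": "ws01", "DnsDomain": "corp.example"}},
    {"Type": "HostLogonSession", "SessionId": "0x3e7a1",
     "Account": {"Type": "Account", "Name": "jdoe", "Sid": "S-1-5-21-1111-2222-3333-1105"},
     "Host": {"Type": "host", "HostName": "ws01", "AzureID": "vm-ws01-azureid"}},
    {"Type": "host-logon-session", "SessionId": "0x41b9c",
     "Account": {"Type": "account", "Name": "svc-backup", "NTDomain": "CORP"},
     "Host": {"Type": "host", "HostName": "ws01", "DnsDomain": "corp.example"}},
]
```

Running dedupe([Entity.create(row) for row in EVENTS]) folds the first two rows into one HostLogonSession whose Account now carries both the NTDomain and the Sid and whose Host resolves fqdn to ws01.corp.example, while the svc-backup session stays separate because its Account.Name conflicts. The caveat this makes visible: can_merge only ever reports a conflict between two populated values, so an observation carrying just an account Name merges with any same-named account whatever its Sid or AadUserId. When folding alert entities together during an investigation, populate the identifying properties first (the ones each class lists in ID_PROPERTIES, e.g. fqdn/AzureID/OMSAgentID for Host and Account/Host/SessionId for HostLogonSession); otherwise two different principals that share a display name collapse into one node.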

msticpy.datamodel.entities.ip_address

IpAddress Entity class.

msticpy.datamodel.entities.ip_address.Ip

alias of msticpy.datamodel.entities.ip_address.IpAddress

class msticpy.datamodel.entities.ip_address.IpAddress(src_entity: Optional[Mapping[str, Any]] = None, src_event: Optional[Mapping[str, Any]] = None, **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

IpAddress Entity class.

Address

IpAddress Address

Type

str

Location

IpAddress Location

Type

GeoLocation

ThreatIntelligence

IpAddress ThreatIntelligence

Type

List[Threatintelligence]

Create a new instance of the entity type.

Parameters
  • src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)

  • src_event (Mapping[str, Any], optional) – Create entity from event properties (the default is None)

  • kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.

ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}

ID_PROPERTIES: List[str] = ['Address']

JSONEncoder

alias of msticpy.datamodel.entities.entity._EntityJSONEncoder

add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters
  • target (Node) – Target node.

  • edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None

can_merge(other: Any) bool

Return True if the entities can be merged.

Parameters

other (Any) – The other entity (object) to check

Returns

True if other has no conflicting properties.

Return type

bool

classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns

Instantiated entity

Return type

Entity

Notes

The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.

classmethod del_pivot_shortcut(func_name: str)

Remove a pivot shortcut.

Parameters

func_name (str) – The name of the shortcut function.

Raises
  • AttributeError – The class does not have an attribute func_name

  • TypeError – The attribute to delete is not a pivot shortcut.

property description_str: str

Return Entity Description.

edges: Set['Edge']

classmethod get_pivot_list() List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

has_edge(other)

Return True if node has an edge with other.

classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters
  • raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.

  • entity_type (Optional[Type]) – The entity type to create, by default None.

Returns

The instantiated entity

Return type

Entity

property ip_address: Optional[Union[ipaddress.IPv4Address, ipaddress.IPv6Address]]

Return a python IP address object from the entity property.
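
The ip_address property hands back a standard-library ipaddress object, which is what makes the Address string useful for triage: the object knows whether it is private, loopback, link-local or globally routable, and only the last kind is worth a threat-intelligence or geolocation pivot. The following is an added, stand-alone example (not msticpy's code) that mirrors the documented behaviour with the stdlib only; the assumption that a malformed Address yields None rather than an exception, and the helper names parse_address, classify_address and enrichment_candidates, are this example's own.

```python
from ipaddress import IPv4Address, IPv6Address, ip_address
from typing import Dict, List, Optional, Union

IPObject = Union[IPv4Address, IPv6Address]


def parse_address(address: Optional[str]) -> Optional[IPObject]:
    """Stand-in for the documented IpAddress.ip_address property.

    Returns an ipaddress object for a well-formed IPv4/IPv6 string and None
    for anything else (missing value, hostname, "host:port", garbage).
    Assumption (this example's, not verified against msticpy): the property
    yields None rather than raising on bad input.
    """
    if not address:
        return None
    try:
        return ip_address(address.strip())
    except ValueError:
        return None


def classify_address(address: Optional[str]) -> Dict[str, object]:
    """Triage facts an analyst wants before spending a TI or geo lookup on an IP."""
    ip_obj = parse_address(address)
    if ip_obj is None:
        return {"valid": False, "version": None, "scope": "invalid", "enrich": False}
    if ip_obj.is_loopback:
        scope = "loopback"
    elif ip_obj.is_link_local:
        scope = "link-local"
    elif ip_obj.is_multicast:
        scope = "multicast"
    elif ip_obj.is_private:
        scope = "private"
    elif ip_obj.is_global:
        scope = "public"
    else:
        scope = "reserved"
    # Only globally routable addresses are worth a threat-intel or geolocation
    # pivot; RFC 1918, loopback and link-local values in an Address field are
    # noise, or a hint that the event's source/destination columns were swapped.
    return {"valid": True, "version": ip_obj.version, "scope": scope, "enrich": scope == "public"}


def enrichment_candidates(addresses: List[Optional[str]]) -> List[str]:
    """Deduplicated, canonical public addresses from a batch of Address values."""
    seen: List[str] = []
    for raw in addresses:
        if classify_address(raw)["enrich"]:
            # str() of the ipaddress object canonicalises IPv6 spelling, so
            # differently written copies of one address collapse to one lookup.
            canonical = str(parse_address(raw))
            if canonical not in seen:
                seen.append(canonical)
    return seen
```

Canonicalising through the ipaddress object before deduplicating matters for IPv6, where the same address can arrive in expanded, compressed or upper-case form from different log sources.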

is_equivalent(other: Any) bool

Return True if the entities are equivalent.

Parameters

other (Any) – The entity to check

Returns

True if equivalent.

Return type

bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. The following pairs are all treated as compatible (the same value on both sides, or a value on one side and nothing on the other):
  • self.A == other.A
  • self.B == “xyz” and other.B == None
  • self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)

Add a shortcut to a pivot function to the class.

Parameters
  • func_name (str) – The name of source pivot function.

  • target (str) – The shortcut name (this will be a member function of the class)

  • overwrite (bool, optional) – Force overwrite an existing pivot function, by default False

Raises
  • AttributeError – The source function does not exist

  • TypeError – The source function is not a pivot function.

  • TypeError – The target attribute exists and is not a pivot function

  • AttributeError – The target function exists and ‘overwrite=True’ was not specified.

merge(other: Any) msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns

Merged entity.

Return type

Entity

Raises

AttributeError – If the entities cannot be merged.

property name_str: str

Return Entity Name.

property node_properties: Dict[str, Any]

Return all public properties that are not entities.

Returns

Dictionary of name, value properties.

Return type

Dict[str, Any]

classmethod pivots() List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

property properties: dict

Return dictionary properties of entity.

Returns

Entity properties.

Return type

dict

to_html() str

Return HTML representation of entity.

Returns

HTML representation of entity

Return type

str

to_json()

Return object as a JSON string.

to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters

graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None

Returns

Graph with entity and any connected entities.

Return type

nx.Graph

msticpy.datamodel.entities.malware

Malware Entity class.

class msticpy.datamodel.entities.malware.Malware(src_entity: Optional[Mapping[str, Any]] = None, **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

Malware Entity class.

Name

Malware Name

Type

str

Category

Malware Category

Type

str

File

Malware File

Type

File

Files

Malware Files

Type

List[File]

Processes

Malware Processes

Type

List[Process]

Create a new instance of the entity type.

Parameters
  • src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)

  • kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.

ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}

ID_PROPERTIES: List[str] = ['Name']

JSONEncoder

alias of msticpy.datamodel.entities.entity._EntityJSONEncoder

add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters
  • target (Node) – Target node.

  • edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None

can_merge(other: Any) bool

Return True if the entities can be merged.

Parameters

other (Any) – The other entity (object) to check

Returns

True if other has no conflicting properties.

Return type

bool

classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns

Instantiated entity

Return type

Entity

Notes

The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.

classmethod del_pivot_shortcut(func_name: str)

Remove a pivot shortcut.

Parameters

func_name (str) – The name of the shortcut function.

Raises
  • AttributeError – The class does not have an attribute func_name

  • TypeError – The attribute to delete is not a pivot shortcut.

property description_str: str

Return Entity Description.

edges: Set['Edge']

classmethod get_pivot_list() List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

has_edge(other)

Return True if node has an edge with other.

classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters
  • raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.

  • entity_type (Optional[Type]) – The entity type to create, by default None.

Returns

The instantiated entity

Return type

Entity

is_equivalent(other: Any) bool

Return True if the entities are equivalent.

Parameters

other (Any) – The entity to check

Returns

True if equivalent.

Return type

bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. The following pairs are all treated as compatible (the same value on both sides, or a value on one side and nothing on the other):
  • self.A == other.A
  • self.B == “xyz” and other.B == None
  • self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)

Add a shortcut to a pivot function to the class.

Parameters
  • func_name (str) – The name of source pivot function.

  • target (str) – The shortcut name (this will be a member function of the class)

  • overwrite (bool, optional) – Force overwrite an existing pivot function, by default False

Raises
  • AttributeError – The source function does not exist

  • TypeError – The source function is not a pivot function.

  • TypeError – The target attribute exists and is not a pivot function

  • AttributeError – The target function exists and ‘overwrite=True’ was not specified.

merge(other: Any) msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns

Merged entity.

Return type

Entity

Raises

AttributeError – If the entities cannot be merged.

property name_str: str

Return Entity Name.

property node_properties: Dict[str, Any]

Return all public properties that are not entities.

Returns

Dictionary of name, value properties.

Return type

Dict[str, Any]

classmethod pivots() List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

property properties: dict

Return dictionary properties of entity.

Returns

Entity properties.

Return type

dict

to_html() str

Return HTML representation of entity.

Returns

HTML representation of entity

Return type

str

to_json()

Return object as a JSON string.

to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters

graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None

Returns

Graph with entity and any connected entities.

Return type

nx.Graph

msticpy.datamodel.entities.network_connection

NetworkConnection Entity class.

class msticpy.datamodel.entities.network_connection.NetworkConnection(src_entity: Optional[Mapping[str, Any]] = None, **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

NetworkConnection Entity class.

SourceAddress

NetworkConnection SourceAddress

Type

IpAddress

SourcePort

NetworkConnection SourcePort

Type

int

DestinationAddress

NetworkConnection DestinationAddress

Type

IpAddress

DestinationPort

NetworkConnection DestinationPort

Type

int

Protocol

NetworkConnection Protocol

Type

str

Create a new instance of the entity type.

Parameters
  • src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)

  • kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.

ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}

ID_PROPERTIES: List[str] = ['SourceAddress', 'SourcePort', 'DestinationAddress', 'DestinationPort']

JSONEncoder

alias of msticpy.datamodel.entities.entity._EntityJSONEncoder
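
ID_PROPERTIES tells you what makes two NetworkConnection entities the same connection: the source address, source port, destination address and destination port, and nothing else. Protocol is not part of the identity, so a TCP and a UDP record with the same four-tuple collapse into one connection. The following is an added example (not msticpy's code) that applies that identity rule to a batch of flow records with the stdlib only; the flow lines are constructed for the example, their field names and the helper names connection_identity and summarise_flows are this example's assumptions.

```python
import json
from collections import Counter
from ipaddress import ip_address
from typing import Dict, Iterable, List, Optional, Tuple

# The identity properties exactly as ID_PROPERTIES declares them for NetworkConnection.
ID_PROPERTIES = ["SourceAddress", "SourcePort", "DestinationAddress", "DestinationPort"]

# Constructed flow records (not real telemetry). Note the third line: same
# four-tuple as the first two, but ports as strings and Protocol UDP.
SAMPLE_FLOWS = [
    '{"SourceAddress": "10.1.2.3", "SourcePort": 51234, "DestinationAddress": "203.0.113.10", "DestinationPort": 443, "Protocol": "TCP"}',
    '{"SourceAddress": "10.1.2.3", "SourcePort": 51234, "DestinationAddress": "203.0.113.10", "DestinationPort": 443, "Protocol": "TCP"}',
    '{"SourceAddress": "10.1.2.3", "SourcePort": "51234", "DestinationAddress": "203.0.113.10", "DestinationPort": "443", "Protocol": "UDP"}',
    '{"SourceAddress": "10.1.2.3", "SourcePort": 51235, "DestinationAddress": "203.0.113.10", "DestinationPort": 443, "Protocol": "TCP"}',
    '{"SourceAddress": "10.1.2.3", "SourcePort": 51236, "DestinationAddress": "not-an-ip", "DestinationPort": 443, "Protocol": "TCP"}',
]

ConnId = Tuple[str, int, str, int]


def connection_identity(record: Dict[str, object]) -> Optional[ConnId]:
    """Build the identity tuple from the four ID_PROPERTIES.

    Addresses are canonicalised through ipaddress (so upper/lower-case or
    expanded IPv6 spellings of one address agree) and ports are coerced to int.
    A missing or malformed identity field yields None so the caller can count
    the record as rejected instead of silently merging it into some bucket.
    """
    try:
        src = str(ip_address(str(record["SourceAddress"])))
        dst = str(ip_address(str(record["DestinationAddress"])))
        sport = int(record["SourcePort"])
        dport = int(record["DestinationPort"])
    except (KeyError, ValueError, TypeError):
        return None
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        return None
    return (src, sport, dst, dport)


def summarise_flows(lines: Iterable[str]) -> Tuple[Counter, List[Dict[str, object]]]:
    """Group flow records by NetworkConnection identity; return counts and rejects."""
    counts: Counter = Counter()
    rejected: List[Dict[str, object]] = []
    for line in lines:
        record = json.loads(line)
        ident = connection_identity(record)
        if ident is None:
            rejected.append(record)
        else:
            counts[ident] += 1
    return counts, rejected
```

If the protocol matters for your analysis (it usually does when the same port pair is seen over both TCP and UDP), key on Protocol in addition to the four identity properties rather than relying on the entity's notion of sameness.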

add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters
  • target (Node) – Target node.

  • edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None

can_merge(other: Any) bool

Return True if the entities can be merged.

Parameters

other (Any) – The other entity (object) to check

Returns

True if other has no conflicting properties.

Return type

bool

classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns

Instantiated entity

Return type

Entity

Notes

The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.

classmethod del_pivot_shortcut(func_name: str)

Remove a pivot shortcut.

Parameters

func_name (str) – The name of the shortcut function.

Raises
  • AttributeError – The class does not have an attribute func_name

  • TypeError – The attribute to delete is not a pivot shortcut.

property description_str: str

Return Entity Description.

edges: Set['Edge']

classmethod get_pivot_list() List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

has_edge(other)

Return True if node has an edge with other.

classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters
  • raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.

  • entity_type (Optional[Type]) – The entity type to create, by default None.

Returns

The instantiated entity

Return type

Entity

is_equivalent(other: Any) bool

Return True if the entities are equivalent.

Parameters

other (Any) – The entity to check

Returns

True if equivalent.

Return type

bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. The following pairs are all treated as compatible (the same value on both sides, or a value on one side and nothing on the other):
  • self.A == other.A
  • self.B == “xyz” and other.B == None
  • self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)

Add a shortcut to a pivot function to the class.

Parameters
  • func_name (str) – The name of source pivot function.

  • target (str) – The shortcut name (this will be a member function of the class)

  • overwrite (bool, optional) – Force overwrite an existing pivot function, by default False

Raises
  • AttributeError – The source function does not exist

  • TypeError – The source function is not a pivot function.

  • TypeError – The target attribute exists and is not a pivot function

  • AttributeError – The target function exists and ‘overwrite=True’ was not specified.

merge(other: Any) msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns

Merged entity.

Return type

Entity

Raises

AttributeError – If the entities cannot be merged.

property name_str: str

Return Entity Name.

property node_properties: Dict[str, Any]

Return all public properties that are not entities.

Returns

Dictionary of name, value properties.

Return type

Dict[str, Any]

classmethod pivots() List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

property properties: dict

Return dictionary properties of entity.

Returns

Entity properties.

Return type

dict

to_html() str

Return HTML representation of entity.

Returns

HTML representation of entity

Return type

str

to_json()

Return object as a JSON string.

to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters

graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None

Returns

Graph with entity and any connected entities.

Return type

nx.Graph

msticpy.datamodel.entities.process

Process Entity class.

class msticpy.datamodel.entities.process.Process(src_entity: Optional[Mapping[str, Any]] = None, src_event: Optional[Mapping[str, Any]] = None, role='new', **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

Process Entity class.

ProcessId

Process ProcessId

Type

str

CommandLine

Process CommandLine

Type

str

ElevationToken

Process ElevationToken

Type

str

CreationTimeUtc

Process CreationTimeUtc

Type

datetime

ImageFile

Process ImageFile

Type

File

Account

Process Account

Type

Account

ParentProcess

Process ParentProcess

Type

Process

Host

Process Host

Type

Host

LogonSession

Process LogonSession

Type

HostLogonSession

Create a new instance of the entity type.

Parameters
  • src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)

  • src_event (Mapping[str, Any], optional) – Create entity from event properties (the default is None)

  • role (str, optional) – ‘new’ or ‘parent’ - only relevant if the entity is being constructed from an event. (the default is ‘new’)

  • kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.

ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}

ID_PROPERTIES: List[str] = ['ProcessId', 'ImageFile', 'CreationTimeUtc', 'CommandLine']

JSONEncoder

alias of msticpy.datamodel.entities.entity._EntityJSONEncoder

property ProcessFilePath: Optional[str]

Return the name of the process file path.

property ProcessName: Optional[str]

Return the name of the process file.
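
A process-creation event describes two processes at once: the one being created and its parent. That is what the role='new' / role='parent' switch in the constructor is for, and ProcessName / ProcessFilePath are the convenience views of ImageFile (file name and directory) you then key detections on. The following is an added, stand-alone example (not msticpy's code) that does the same mapping with the stdlib, links the two roles into a parent/child tree and runs one classic detection over it. The events are constructed in a Windows 4688-like shape; the field names, the ProcessRecord type and the helpers process_from_event, build_tree and office_spawned_shell are this example's assumptions.

```python
import ntpath
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed process-creation events (not real telemetry). Event 2's parent
# PID is event 1's new PID, so the tree links WINWORD.EXE -> powershell.exe.
SAMPLE_EVENTS = [
    {"TimeCreated": "2024-03-01T09:15:02Z", "NewProcessId": "0x1a4c",
     "NewProcessName": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "CommandLine": '"WINWORD.EXE" /n "C:\\Users\\alice\\Downloads\\invoice.docm"',
     "ProcessId": "0x0f20", "ParentProcessName": "C:\\Windows\\explorer.exe",
     "TokenElevationType": "%%1938"},
    {"TimeCreated": "2024-03-01T09:15:09Z", "NewProcessId": "0x2b10",
     "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA",
     "ProcessId": "0x1a4c",
     "ParentProcessName": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "TokenElevationType": "%%1938"},
]


@dataclass
class ProcessRecord:
    """The subset of Process entity properties this example uses."""
    ProcessId: str
    ImageFile: str                      # full image path; stands in for the File entity
    CommandLine: Optional[str] = None
    CreationTimeUtc: Optional[datetime] = None
    ElevationToken: Optional[str] = None
    ParentProcess: Optional["ProcessRecord"] = None

    @property
    def ProcessName(self) -> Optional[str]:
        """Image file name, what the entity's ProcessName property returns."""
        return ntpath.basename(self.ImageFile) if self.ImageFile else None

    @property
    def ProcessFilePath(self) -> Optional[str]:
        """Image directory, what the entity's ProcessFilePath property returns."""
        return ntpath.dirname(self.ImageFile) if self.ImageFile else None


def process_from_event(event: Dict[str, str], role: str = "new") -> ProcessRecord:
    """Map one event to a process record, as the role='new'/'parent' switch does."""
    if role == "new":
        return ProcessRecord(
            ProcessId=event["NewProcessId"],
            ImageFile=event["NewProcessName"],
            CommandLine=event.get("CommandLine"),
            CreationTimeUtc=datetime.strptime(event["TimeCreated"], "%Y-%m-%dT%H:%M:%SZ"),
            ElevationToken=event.get("TokenElevationType"),
        )
    if role == "parent":
        # The event only carries the parent's PID and image, never its command line.
        return ProcessRecord(ProcessId=event["ProcessId"], ImageFile=event["ParentProcessName"])
    raise ValueError(f"role must be 'new' or 'parent', got {role!r}")


def build_tree(events: List[Dict[str, str]]) -> Dict[str, ProcessRecord]:
    """Link every new process to its parent, keyed by PID.

    Keying on PID alone is only safe inside one host and one boot, since
    Windows reuses PIDs; that is why the entity's ID_PROPERTIES also include
    CreationTimeUtc, ImageFile and CommandLine.
    """
    procs: Dict[str, ProcessRecord] = {}
    for event in events:
        child = process_from_event(event, role="new")
        parent = process_from_event(event, role="parent")
        # Keep the richer record if the parent was already seen as a 'new' process.
        procs.setdefault(parent.ProcessId, parent)
        child.ParentProcess = procs[parent.ProcessId]
        procs[child.ProcessId] = child
    return procs


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


def office_spawned_shell(procs: Dict[str, ProcessRecord]) -> List[str]:
    """PIDs of script hosts/shells whose parent is an Office application."""
    hits: List[str] = []
    for proc in procs.values():
        parent = proc.ParentProcess
        if parent is None or not proc.ProcessName or not parent.ProcessName:
            continue
        if proc.ProcessName.lower() in SHELLS and parent.ProcessName.lower() in OFFICE_APPS:
            hits.append(proc.ProcessId)
    return hits
```

Because the parent record built from the second event is replaced by the richer 'new' record from the first event, the detection can also see the parent's command line (here, the document that was opened), which is usually the first thing an analyst wants once the chain fires.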

add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters
  • target (Node) – Target node.

  • edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None

can_merge(other: Any) bool

Return True if the entities can be merged.

Parameters

other (Any) – The other entity (object) to check

Returns

True if other has no conflicting properties.

Return type

bool

classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns

Instantiated entity

Return type

Entity

Notes

The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.
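
The create() Notes above, repeated for each entity class on this page, describe a factory: the "Type" value, taken from a key of src_entity or from a keyword argument, selects the class, and ENTITY_NAME_MAP shows the lookup table that does it, complete with aliases such as 'ip' and 'ipaddress'. This is exactly the shape of the entity list a SIEM alert carries. The following is an added example (not msticpy's code) of that dispatch with a three-entry toy map and the stdlib only; the toy entity classes, the case-insensitive lookup, the rule that a keyword argument wins over src_entity, and the fallback to the 'unknown' entry are this example's assumptions (the instantiate_entity signature above suggests the library may instead hand back the raw mapping for an unknown type).

```python
from dataclasses import dataclass, fields
from typing import Any, Dict, List, Mapping, Optional, Type


@dataclass
class Entity:
    """Base for the toy entities below; msticpy's own Entity is far richer."""


@dataclass
class IpAddress(Entity):
    Address: Optional[str] = None


@dataclass
class Account(Entity):
    Name: Optional[str] = None
    NTDomain: Optional[str] = None
    Sid: Optional[str] = None


@dataclass
class UnknownEntity(Entity):
    pass


# Lower-case names and aliases to classes, in the spirit of ENTITY_NAME_MAP.
ENTITY_NAME_MAP: Dict[str, Type[Entity]] = {
    "ip": IpAddress,
    "ipaddress": IpAddress,
    "account": Account,
    "unknown": UnknownEntity,
}


def create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs: Any) -> Entity:
    """Instantiate an entity from a mapping or kwargs, dispatching on "Type".

    "Type" may come from src_entity or from kwargs (kwargs win); the lookup is
    case-insensitive; an unknown type falls back to the 'unknown' entry; keys
    the chosen class does not declare are dropped rather than raising, so an
    alert with extra fields still parses.
    """
    props: Dict[str, Any] = dict(src_entity or {})
    props.update(kwargs)
    type_name = str(props.pop("Type", "unknown")).lower()
    cls = ENTITY_NAME_MAP.get(type_name, UnknownEntity)
    known = {f.name for f in fields(cls)}
    return cls(**{k: v for k, v in props.items() if k in known})


# Constructed alert entity list in the shape a SIEM alert typically carries (example data).
ALERT_ENTITIES: List[Dict[str, Any]] = [
    {"Type": "ip", "Address": "203.0.113.10"},
    {"Type": "Account", "Name": "alice", "NTDomain": "CORP", "Sid": "S-1-5-21-1-2-3-1001"},
    {"Type": "mystery-widget", "Foo": 1},
]


def parse_alert_entities(raw: List[Dict[str, Any]]) -> List[Entity]:
    """Turn every raw entity dict of an alert into a typed object."""
    return [create(src_entity=item) for item in raw]
```

Dropping undeclared keys is a deliberate choice here: alert producers add fields over time, and a parser that raises on the first unknown key turns a schema change into a blind spot for every detection that reads the alert.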

classmethod del_pivot_shortcut(func_name: str)

Remove a pivot shortcut.

Parameters

func_name (str) – The name of the shortcut function.

Raises
  • AttributeError – The class does not have an attribute func_name

  • TypeError – The attribute to delete is not a pivot shortcut.

property description_str: str

Return Entity Description.

edges: Set['Edge']

classmethod get_pivot_list() List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

has_edge(other)

Return True if node has an edge with other.

classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters
  • raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.

  • entity_type (Optional[Type]) – The entity type to create, by default None.

Returns

The instantiated entity

Return type

Entity

is_equivalent(other: Any) bool

Return True if the entities are equivalent.

Parameters

other (Any) – The entity to check

Returns

True if equivalent.

Return type

bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. The following pairs are all treated as compatible (the same value on both sides, or a value on one side and nothing on the other):
  • self.A == other.A
  • self.B == “xyz” and other.B == None
  • self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)

Add a shortcut to a pivot function to the class.

Parameters
  • func_name (str) – The name of source pivot function.

  • target (str) – The shortcut name (this will be a member function of the class)

  • overwrite (bool, optional) – Force overwrite an existing pivot function, by default False

Raises
  • AttributeError – The source function does not exist

  • TypeError – The source function is not a pivot function.

  • TypeError – The target attribute exists and is not a pivot function

  • AttributeError – The target function exists and ‘overwrite=True’ was not specified.

merge(other: Any) → msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns

Merged entity.

Return type

Entity

Raises

AttributeError – If the entities cannot be merged.

property name_str: str

Return Entity Name.

property node_properties: Dict[str, Any]

Return all public properties that are not entities.

Returns

Dictionary of name, value properties.

Return type

Dict[str, Any]

classmethod pivots() → List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

property properties: dict

Return dictionary properties of entity.

Returns

Entity properties.

Return type

dict

to_html() → str

Return HTML representation of entity.

Returns

HTML representation of entity

Return type

str

to_json()

Return object as a JSON string.

to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) → networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters

graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None

Returns

Graph with entity and any connected entities.

Return type

nx.Graph

msticpy.datamodel.entities.registry_key

RegistryKey Entity class.

class msticpy.datamodel.entities.registry_key.RegistryKey(src_entity: Optional[Mapping[str, Any]] = None, **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

RegistryKey Entity class.

Hive

RegistryKey Hive

Type

RegistryHive

Key

RegistryKey Key

Type

str

Create a new instance of the entity type.

Parameters
  • src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)

  • kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.

ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 
'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
ID_PROPERTIES: List[str] = ['Hive', 'Key']

JSONEncoder

alias of msticpy.datamodel.entities.entity._EntityJSONEncoder

add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters
  • target (Node) – Target node.

  • edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None

can_merge(other: Any) → bool

Return True if the entities can be merged.

Parameters

other (Any) – The other entity (object) to check

Returns

True if other has no conflicting properties.

Return type

bool

classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns

Instantiated entity

Return type

Entity

Notes

The entity type should be specified as “Type”, either as a key of src_entity or as a keyword argument.

classmethod del_pivot_shortcut(func_name: str)

Remove a pivot shortcut.

Parameters

func_name (str) – The name of the shortcut function.

Raises
  • AttributeError – The class does not have an attribute func_name

  • TypeError – The attribute to delete is not a pivot shortcut.

property description_str: str

Return Entity Description.

edges: Set['Edge']

classmethod get_pivot_list() → List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

has_edge(other)

Return True if node has an edge with other.

classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters
  • raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.

  • entity_type (Optional[Type]) – The entity type to create, by default None.

Returns

The instantiated entity

Return type

Entity

is_equivalent(other: Any) → bool

Return True if the entities are equivalent.

Parameters

other (Any) – The entity to check

Returns

True if equivalent.

Return type

bool

Notes

This method checks that the compared entities do not have any conflicting property values. E.g. none of the following pairs of values conflict:
  • self.A == other.A

  • self.B == “xyz” and other.B == None

  • self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)

Add a shortcut to a pivot function to the class.

Parameters
  • func_name (str) – The name of source pivot function.

  • target (str) – The shortcut name (this will be a member function of the class)

  • overwrite (bool, optional) – Force overwrite an existing pivot function, by default False

Raises
  • AttributeError – The source function does not exist

  • TypeError – The source function is not a pivot function.

  • TypeError – The target attribute exists and is not a pivot function

  • AttributeError – The target function exists and ‘overwrite=True’ was not specified.

merge(other: Any) → msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns

Merged entity.

Return type

Entity

Raises

AttributeError – If the entities cannot be merged.

property name_str: str

Return Entity Name.

property node_properties: Dict[str, Any]

Return all public properties that are not entities.

Returns

Dictionary of name, value properties.

Return type

Dict[str, Any]

classmethod pivots() → List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

property properties: dict

Return dictionary properties of entity.

Returns

Entity properties.

Return type

dict

to_html() → str

Return HTML representation of entity.

Returns

HTML representation of entity

Return type

str

to_json()

Return object as a JSON string.

to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) → networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters

graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None

Returns

Graph with entity and any connected entities.

Return type

nx.Graph

msticpy.datamodel.entities.registry_value

RegistryValue Entity class.

class msticpy.datamodel.entities.registry_value.RegistryValue(src_entity: Optional[Mapping[str, Any]] = None, **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

RegistryValue Entity class.

Key

RegistryValue Key

Type

str

Name

RegistryValue Name

Type

str

Value

RegistryValue Value

Type

str

ValueType

RegistryValue ValueType

Type

str

Create a new instance of the entity type.

Parameters
  • src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)

  • kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.

ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 
'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
ID_PROPERTIES: List[str] = ['Key', 'Name', 'Value']

JSONEncoder

alias of msticpy.datamodel.entities.entity._EntityJSONEncoder

add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters
  • target (Node) – Target node.

  • edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None

can_merge(other: Any) → bool

Return True if the entities can be merged.

Parameters

other (Any) – The other entity (object) to check

Returns

True if other has no conflicting properties.

Return type

bool

classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns

Instantiated entity

Return type

Entity

Notes

The entity type should be specified as “Type”, either as a key of src_entity or as a keyword argument.

classmethod del_pivot_shortcut(func_name: str)

Remove a pivot shortcut.

Parameters

func_name (str) – The name of the shortcut function.

Raises
  • AttributeError – The class does not have an attribute func_name

  • TypeError – The attribute to delete is not a pivot shortcut.

property description_str: str

Return Entity Description.

edges: Set['Edge']

classmethod get_pivot_list() → List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

has_edge(other)

Return True if node has an edge with other.

classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters
  • raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.

  • entity_type (Optional[Type]) – The entity type to create, by default None.

Returns

The instantiated entity

Return type

Entity

is_equivalent(other: Any) → bool

Return True if the entities are equivalent.

Parameters

other (Any) – The entity to check

Returns

True if equivalent.

Return type

bool

Notes

This method checks that the compared entities do not have any conflicting property values. E.g. none of the following pairs of values conflict:
  • self.A == other.A

  • self.B == “xyz” and other.B == None

  • self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)

Add a shortcut to a pivot function to the class.

Parameters
  • func_name (str) – The name of source pivot function.

  • target (str) – The shortcut name (this will be a member function of the class)

  • overwrite (bool, optional) – Force overwrite an existing pivot function, by default False

Raises
  • AttributeError – The source function does not exist

  • TypeError – The source function is not a pivot function.

  • TypeError – The target attribute exists and is not a pivot function

  • AttributeError – The target function exists and ‘overwrite=True’ was not specified.

merge(other: Any) → msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns

Merged entity.

Return type

Entity

Raises

AttributeError – If the entities cannot be merged.

property name_str: str

Return Entity Name.

property node_properties: Dict[str, Any]

Return all public properties that are not entities.

Returns

Dictionary of name, value properties.

Return type

Dict[str, Any]

classmethod pivots() → List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

property properties: dict

Return dictionary properties of entity.

Returns

Entity properties.

Return type

dict

to_html() → str

Return HTML representation of entity.

Returns

HTML representation of entity

Return type

str

to_json()

Return object as a JSON string.

to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) → networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters

graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None

Returns

Graph with entity and any connected entities.

Return type

nx.Graph

msticpy.datamodel.entities.security_group

SecurityGroup Entity class.

class msticpy.datamodel.entities.security_group.SecurityGroup(src_entity: Optional[Mapping[str, Any]] = None, **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

SecurityGroup Entity class.

DistinguishedName

SecurityGroup DistinguishedName

Type

str

SID

SecurityGroup SID

Type

str

ObjectGuid

SecurityGroup ObjectGuid

Type

str

Create a new instance of the entity type.

Parameters
  • src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)

  • kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.

ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 
'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
ID_PROPERTIES: List[str] = ['DistinguishedName', 'SID', 'ObjectGuid']

JSONEncoder

alias of msticpy.datamodel.entities.entity._EntityJSONEncoder

add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters
  • target (Node) – Target node.

  • edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None

can_merge(other: Any) → bool

Return True if the entities can be merged.

Parameters

other (Any) – The other entity (object) to check

Returns

True if other has no conflicting properties.

Return type

bool

classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns

Instantiated entity

Return type

Entity

Notes

The entity type should be specified as “Type”, either as a key of src_entity or as a keyword argument.

classmethod del_pivot_shortcut(func_name: str)

Remove a pivot shortcut.

Parameters

func_name (str) – The name of the shortcut function.

Raises
  • AttributeError – The class does not have an attribute func_name

  • TypeError – The attribute to delete is not a pivot shortcut.

property description_str

Return Entity Description.

edges: Set['Edge']

classmethod get_pivot_list() → List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

has_edge(other)

Return True if node has an edge with other.

classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters
  • raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.

  • entity_type (Optional[Type]) – The entity type to create, by default None.

Returns

The instantiated entity

Return type

Entity

is_equivalent(other: Any) → bool

Return True if the entities are equivalent.

Parameters

other (Any) – The entity to check

Returns

True if equivalent.

Return type

bool

Notes

This method checks that the compared entities do not have any conflicting property values. E.g. none of the following pairs of values conflict:
  • self.A == other.A

  • self.B == “xyz” and other.B == None

  • self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)

Add a shortcut to a pivot function to the class.

Parameters
  • func_name (str) – The name of source pivot function.

  • target (str) – The shortcut name (this will be a member function of the class)

  • overwrite (bool, optional) – Force overwrite an existing pivot function, by default False

Raises
  • AttributeError – The source function does not exist

  • TypeError – The source function is not a pivot function.

  • TypeError – The target attribute exists and is not a pivot function

  • AttributeError – The target function exists and ‘overwrite=True’ was not specified.

merge(other: Any) → msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns

Merged entity.

Return type

Entity

Raises

AttributeError – If the entities cannot be merged.

property name_str: str

Return Entity Name.

property node_properties: Dict[str, Any]

Return all public properties that are not entities.

Returns

Dictionary of name, value properties.

Return type

Dict[str, Any]

classmethod pivots() → List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

property properties: dict

Return dictionary properties of entity.

Returns

Entity properties.

Return type

dict

to_html() → str

Return HTML representation of entity.

Returns

HTML representation of entity

Return type

str

to_json()

Return object as a JSON string.

to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) → networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters

graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None

Returns

Graph with entity and any connected entities.

Return type

nx.Graph

msticpy.datamodel.entities.threat_intelligence

Threatintelligence Entity class.

class msticpy.datamodel.entities.threat_intelligence.Threatintelligence(src_entity: Optional[Mapping[str, Any]] = None, **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

Threatintelligence Entity class.

ProviderName

Threatintelligence ProviderName

Type

str

ThreatType

Threatintelligence ThreatType

Type

str

ThreatName

Threatintelligence ThreatName

Type

str

Confidence

Threatintelligence Confidence

Type

str

ReportLink

Threatintelligence ReportLink

Type

str

ThreatDescription

Threatintelligence ThreatDescription

Type

str

Create a new instance of the entity type.

Parameters
  • src_entity – instantiate entity using properties of src entity

  • kwargs – key-value pair representation of entity

ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 
'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
ID_PROPERTIES: List[str] = ['ProviderName', 'ThreatName', 'ReportLink']

JSONEncoder

alias of msticpy.datamodel.entities.entity._EntityJSONEncoder

add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters
  • target (Node) – Target node.

  • edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None

can_merge(other: Any) → bool

Return True if the entities can be merged.

Parameters

other (Any) – The other entity (object) to check

Returns

True if other has no conflicting properties.

Return type

bool

classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns

Instantiated entity

Return type

Entity

Notes

The entity type should be specified as “Type”, either as a key of src_entity or as a keyword argument.

classmethod del_pivot_shortcut(func_name: str)

Remove a pivot shortcut.

Parameters

func_name (str) – The name of the shortcut function.

Raises
  • AttributeError – The class does not have an attribute func_name

  • TypeError – The attribute to delete is not a pivot shortcut.

property description_str: str

Return Entity Description.

edges: Set['Edge']

classmethod get_pivot_list() → List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

has_edge(other)

Return True if node has an edge with other.

classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters
  • raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.

  • entity_type (Optional[Type]) – The entity type to create, by default None.

Returns

The instantiated entity

Return type

Entity

is_equivalent(other: Any) bool

Return True if the entities are equivalent.

Parameters

other (Any) – The entity to check

Returns

True if equivalent.

Return type

bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A; self.B == “xyz” and other.B == None; self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)

Add a shortcut to a pivot function to the class.

Parameters
  • func_name (str) – The name of source pivot function.

  • target (str) – The shortcut name (this will be a member function of the class)

  • overwrite (bool, optional) – Force overwrite an existing pivot function, by default False

Raises
  • AttributeError – The source function does not exist

  • TypeError – The source function is not a pivot function.

  • TypeError – The target attribute exists and is not a pivot function

  • AttributeError – The target function exists and ‘overwrite=True’ was not specified.

merge(other: Any) msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns

Merged entity.

Return type

Entity

Raises

AttributeError – If the entities cannot be merged.

property name_str: str

Return Entity Name.

property node_properties: Dict[str, Any]

Return all public properties that are not entities.

Returns

Dictionary of name, value properties.

Return type

Dict[str, Any]

classmethod pivots() List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

property properties: dict

Return dictionary properties of entity.

Returns

Entity properties.

Return type

dict

to_html() str

Return HTML representation of entity.

Returns

HTML representation of entity

Return type

str

to_json()

Return object as a JSON string.

to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters

graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None

Returns

Graph with entity and any connected entities.

Return type

nx.Graph

msticpy.datamodel.entities.unknown_entity

Unknown Entity class.

class msticpy.datamodel.entities.unknown_entity.UnknownEntity(src_entity: Optional[Mapping[str, Any]] = None, **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

Generic Entity class.

Create a new instance of the entity type.

Parameters
  • src_entity (Mapping[str, Any], optional) – Instantiate entity using properties of src entity

  • kwargs (Dict[str, Any]) – Key-value pair representation of entity

ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 
'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
ID_PROPERTIES: List[str] = []
JSONEncoder

alias of msticpy.datamodel.entities.entity._EntityJSONEncoder

add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters
  • target (Node) – Target node.

  • edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None

can_merge(other: Any) bool

Return True if the entities can be merged.

Parameters

other (Any) – The other entity (object) to check

Returns

True if other has no conflicting properties.

Return type

bool

classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns

Instantiated entity

Return type

Entity

Notes

The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.

classmethod del_pivot_shortcut(func_name: str)

Remove a pivot shortcut.

Parameters

func_name (str) – The name of the shortcut function.

Raises
  • AttributeError – The class does not have an attribute func_name

  • TypeError – The attribute to delete is not a pivot shortcut.

property description_str: str

Return Entity Description.

edges: Set['Edge']
classmethod get_pivot_list() List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

has_edge(other)

Return True if node has an edge with other.

classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters
  • raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.

  • entity_type (Optional[Type]) – The entity type to create, by default None.

Returns

The instantiated entity

Return type

Entity

is_equivalent(other: Any) bool

Return True if the entities are equivalent.

Parameters

other (Any) – The entity to check

Returns

True if equivalent.

Return type

bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A; self.B == “xyz” and other.B == None; self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)

Add a shortcut to a pivot function to the class.

Parameters
  • func_name (str) – The name of source pivot function.

  • target (str) – The shortcut name (this will be a member function of the class)

  • overwrite (bool, optional) – Force overwrite an existing pivot function, by default False

Raises
  • AttributeError – The source function does not exist

  • TypeError – The source function is not a pivot function.

  • TypeError – The target attribute exists and is not a pivot function

  • AttributeError – The target function exists and ‘overwrite=True’ was not specified.

merge(other: Any) msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns

Merged entity.

Return type

Entity

Raises

AttributeError – If the entities cannot be merged.

property name_str: str

Return Entity Name.

property node_properties: Dict[str, Any]

Return all public properties that are not entities.

Returns

Dictionary of name, value properties.

Return type

Dict[str, Any]

classmethod pivots() List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

property properties: dict

Return dictionary properties of entity.

Returns

Entity properties.

Return type

dict

to_html() str

Return HTML representation of entity.

Returns

HTML representation of entity

Return type

str

to_json()

Return object as a JSON string.

to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters

graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None

Returns

Graph with entity and any connected entities.

Return type

nx.Graph

msticpy.datamodel.entities.url

Url Entity class.

class msticpy.datamodel.entities.url.Url(src_entity: Optional[Mapping[str, Any]] = None, src_event: Optional[Mapping[str, Any]] = None, **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

URL Entity.

Url

The URL

Type

str

DetonationVerdict

The verdict of the URL detection

Type

str

Create a new instance of the entity type.

Parameters
  • src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)

  • src_event (Mapping[str, Any], optional) – Create entity from event properties (the default is None)

  • kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.

ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 
'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
ID_PROPERTIES: List[str] = ['Url']
JSONEncoder

alias of msticpy.datamodel.entities.entity._EntityJSONEncoder

add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters
  • target (Node) – Target node.

  • edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None

can_merge(other: Any) bool

Return True if the entities can be merged.

Parameters

other (Any) – The other entity (object) to check

Returns

True if other has no conflicting properties.

Return type

bool

classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns

Instantiated entity

Return type

Entity

Notes

The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.

classmethod del_pivot_shortcut(func_name: str)

Remove a pivot shortcut.

Parameters

func_name (str) – The name of the shortcut function.

Raises
  • AttributeError – The class does not have an attribute func_name

  • TypeError – The attribute to delete is not a pivot shortcut.

property description_str: str

Return Entity Description.

edges: Set['Edge']
classmethod get_pivot_list() List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

has_edge(other)

Return True if node has an edge with other.

classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters
  • raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.

  • entity_type (Optional[Type]) – The entity type to create, by default None.

Returns

The instantiated entity

Return type

Entity

is_equivalent(other: Any) bool

Return True if the entities are equivalent.

Parameters

other (Any) – The entity to check

Returns

True if equivalent.

Return type

bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A; self.B == “xyz” and other.B == None; self.C == [] and other.C == [1, 2, 3]
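The equivalence and merge rules described in the Notes above (for is_equivalent, can_merge and merge on every entity class on this page) are easy to get wrong when deduplicating entities across alerts: an empty value is not a conflict, but two populated values that differ are. The following is an added illustration written for this page, not msticpy's implementation; SimpleEntity, properties_conflict and the sample account data are constructed for the example.

```python
from typing import Any, Dict

# Illustrative model of the "no conflicting property values" rule.
# Added example code; not msticpy's Entity implementation.


def _is_empty(value: Any) -> bool:
    """Treat None and empty strings/containers as 'no information'."""
    if value is None:
        return True
    if isinstance(value, (str, bytes, list, dict, set, tuple)) and len(value) == 0:
        return True
    return False


def properties_conflict(a: Any, b: Any) -> bool:
    """Return True only when both sides carry information and it differs."""
    if _is_empty(a) or _is_empty(b):
        return False
    return a != b


class SimpleEntity:
    """Minimal stand-in for an msticpy entity: a bag of named properties."""

    def __init__(self, **props: Any) -> None:
        self.props: Dict[str, Any] = dict(props)

    def is_equivalent(self, other: "SimpleEntity") -> bool:
        """True if no property shared by both entities has conflicting values."""
        shared = set(self.props) & set(other.props)
        return not any(
            properties_conflict(self.props[key], other.props[key]) for key in shared
        )

    def can_merge(self, other: "SimpleEntity") -> bool:
        """Same test as is_equivalent; kept separate to mirror the documented API."""
        return self.is_equivalent(other)

    def merge(self, other: "SimpleEntity") -> "SimpleEntity":
        """Union of properties; a populated value wins over an empty one."""
        if not self.can_merge(other):
            raise AttributeError("entities have conflicting property values")
        merged: Dict[str, Any] = {}
        for key in set(self.props) | set(other.props):
            mine = self.props.get(key)
            theirs = other.props.get(key)
            merged[key] = theirs if _is_empty(mine) else mine
        return SimpleEntity(**merged)


# Constructed sample: the same account observed in two alerts, each carrying
# only part of the picture (the SID value is a placeholder, not a real SID).
FROM_ALERT_1 = SimpleEntity(Name="alice", NTDomain="CORP", Sid=None, LogonIds=[])
FROM_ALERT_2 = SimpleEntity(
    Name="alice", NTDomain="", Sid="S-1-5-21-PLACEHOLDER", LogonIds=[1, 2, 3]
)
# A different account: Name conflicts, so the two cannot be merged.
FROM_ALERT_3 = SimpleEntity(Name="bob", NTDomain="CORP")


def merge_sightings() -> Dict[str, Any]:
    """Merge the two partial sightings of alice into one entity."""
    return FROM_ALERT_1.merge(FROM_ALERT_2).props


if __name__ == "__main__":
    print(merge_sightings())
    print("alice/bob mergeable:", FROM_ALERT_1.can_merge(FROM_ALERT_3))
```

The merge keeps "CORP" from the first sighting (the empty string in the second is not a conflict) and takes the SID and logon IDs from the second; attempting to merge alice with bob raises AttributeError, matching the behaviour documented for merge.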

list_pivot_funcs()

Print list of pivot functions assigned to entity.

classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)

Add a shortcut to a pivot function to the class.

Parameters
  • func_name (str) – The name of source pivot function.

  • target (str) – The shortcut name (this will be a member function of the class)

  • overwrite (bool, optional) – Force overwrite an existing pivot function, by default False

Raises
  • AttributeError – The source function does not exist

  • TypeError – The source function is not a pivot function.

  • TypeError – The target attribute exists and is not a pivot function

  • AttributeError – The target function exists and ‘overwrite=True’ was not specified.

merge(other: Any) msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns

Merged entity.

Return type

Entity

Raises

AttributeError – If the entities cannot be merged.

property name_str: str

Return Entity Name.

property node_properties: Dict[str, Any]

Return all public properties that are not entities.

Returns

Dictionary of name, value properties.

Return type

Dict[str, Any]

classmethod pivots() List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

property properties: dict

Return dictionary properties of entity.

Returns

Entity properties.

Return type

dict

to_html() str

Return HTML representation of entity.

Returns

HTML representation of entity

Return type

str

to_json()

Return object as a JSON string.

to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters

graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None

Returns

Graph with entity and any connected entities.

Return type

nx.Graph

msticpy.datamodel.pivot

Pivot functions main module.

class msticpy.datamodel.pivot.Pivot(namespace: Optional[Dict[str, Any]] = None, providers: Optional[Iterable[Any]] = None, timespan: Optional[msticpy.common.timespan.TimeSpan] = None)

Bases: object

Pivot environment loader.

Instantiate a Pivot environment.

Parameters
  • namespace (Dict[str, Any], optional) – To search for and use any current providers, specify namespace=globals(), by default None

  • providers (Iterable[Any], optional) – A list of query providers, TILookup or other providers to use (these will override providers of the same type read from namespace), by default None

  • timespan (Optional[TimeSpan], optional) – The default timespan used by providers that require start and end times. By default the time range is initialized to be 24 hours prior to the load time.

static add_pivot_function(func: Callable[[Any], Any], pivot_reg: Optional[msticpy.datamodel.pivot_register.PivotRegistration] = None, container: Optional[str] = None, **kwargs)

Add a pivot function to entities.

Parameters
  • func (Callable[[Any], Any]) – The function to add

  • pivot_reg (PivotRegistration, optional) – Pivot registration object, by default None

  • container (str, optional) – The name of the container into which the function should be added, by default “other”

  • kwargs – If pivot_reg is not supplied you can specify required pivot registration parameters via keyword arguments. You must specify input_type (str) and entity_map (dict of entity_name, entity_attribute pairs)

See also

PivotRegistration

add_query_provider(prov: msticpy.data.data_providers.QueryProvider)

Add pivot functions from provider.

Parameters

prov (QueryProvider) – Query provider.

static browse()

Return PivotBrowser.

current: Optional[msticpy.datamodel.pivot.Pivot] = None
edit_query_time(timespan: Optional[msticpy.common.timespan.TimeSpan] = None)

Display a QueryTime widget to get the timespan.

Parameters

timespan (Optional[TimeSpan], optional) – Pre-populate the timespan shown by the QueryTime editor, by default None

property end

Return current end time for queries.

get_provider(name: str) Any

Get a provider by type name.

Parameters

name (str) – The name of the provider type.

Returns

An instance of the provider or None if the Pivot environment does not have one.

Return type

Any

get_timespan() msticpy.common.timespan.TimeSpan

Return the timespan as a TimeSpan object.

property providers: Dict[str, Any]

Return the current set of loaded providers.

Returns

provider_name, provider_instance

Return type

Dict[str, Any]

static register_pivot_providers(pivot_reg_path: str, namespace: Optional[Dict[str, Any]] = None, def_container: str = 'custom', force_container: bool = False)

Register pivot functions from configuration file.

Parameters
  • pivot_reg_path (str) – Path to config yaml file

  • namespace (Dict[str, Any], optional) – Namespace to search for existing instances of classes, by default None

  • def_container (str, optional) – Container name to use for entity pivot functions, by default “other”

  • force_container (bool, optional) – Force container value to be used even if entity definitions have specific setting for a container name, by default False

Raises

ValueError – An entity specified in the config file is not recognized.

reload_pivots(namespace: Optional[Dict[str, Any]] = None, providers: Optional[Iterable[Any]] = None, clear_existing: bool = True)

Load or reload Pivot functions from environment and/or providers list.

Parameters
  • namespace (Dict[str, Any], optional) – To search for and use any current providers, specify namespace=globals(), by default None

  • providers (Iterable[Any], optional) – A list of query providers, TILookup or other providers to use (these will override providers of the same type read from namespace), by default None

  • clear_existing (bool) – Reloads pivot functions without clearing existing pivot assignments. Any pivot functions with conflicting names will be overwritten by the reload operation. The default is True.

static remove_pivot_funcs(entity: str)

Remove pivot functions from one or all entities.

Parameters

entity (str) – entity class name or “all” to remove all pivot functions.

Raises

ValueError – If entity is not a recognized entity class.

set_timespan(value: Optional[Any] = None, **kwargs)

Set the pivot timespan.

Parameters
  • value (Optional[Any], optional) – Timespan object or something convertible to a TimeSpan, by default None

  • kwargs – Key/value arguments passed to Timespan constructor.

property start

Return current start time for queries.

property timespan: msticpy.common.timespan.TimeSpan

Return the current timespan.

Returns

The current timespan

Return type

TimeSpan

msticpy.datamodel.pivot_data_queries

Pivot query functions class.

class msticpy.datamodel.pivot_data_queries.ParamAttrs(type, query, family, required)

Bases: tuple

Create new instance of ParamAttrs(type, query, family, required)

count(value, /)

Return number of occurrences of value.

property family

Alias for field number 2

index(value, start=0, stop=9223372036854775807, /)

Return first index of value.

Raises ValueError if the value is not present.

property query

Alias for field number 1

property required

Alias for field number 3

property type

Alias for field number 0

class msticpy.datamodel.pivot_data_queries.PivQuerySettings(short_name, direct_func_entities, assigned_entities)

Bases: tuple

Create new instance of PivQuerySettings(short_name, direct_func_entities, assigned_entities)

property assigned_entities

Alias for field number 2

count(value, /)

Return number of occurrences of value.

property direct_func_entities

Alias for field number 1

index(value, start=0, stop=9223372036854775807, /)

Return first index of value.

Raises ValueError if the value is not present.

property short_name

Alias for field number 0

class msticpy.datamodel.pivot_data_queries.PivotQueryFunctions(query_provider: msticpy.data.data_providers.QueryProvider, ignore_reqd: Optional[List[str]] = None)

Bases: object

Class to retrieve the queries and params from a provider.

Instantiate PivotQueryFunctions class.

Parameters
  • query_provider (QueryProvider) – The query provider to load

  • ignore_reqd (List[str], optional) – List of parameters to ignore when building the required parameters list (e.g. [‘start’, ‘end’]), by default None

current = None
get_param_attrs(param_name: str) List[msticpy.datamodel.pivot_data_queries.ParamAttrs]

Get the attributes for a parameter name.

Parameters

param_name (str) – Parameter name

Returns

List of ParamAttrs named tuples: (type, query, family, required)

Return type

List[ParamAttrs]

Notes

Since parameters may be defined for multiple queries, the set of parameter attributes will be returned for each query.

get_params(query_func_name: str) Optional[msticpy.datamodel.pivot_data_queries.QueryParams]

Get the parameters for a query function.

Parameters

query_func_name (str) – Query name - the name must be fully-qualified (e.g. ‘WindowsSecurity.list_processes’)

Returns

QueryParams named tuple (all, required, full_required, param_attrs, table)

Return type

QueryParams

get_queries_and_types_for_param(param: str) Iterable[Tuple[str, str, str, Callable[[Any], Any]]]

Get queries and parameter data types for param.

Parameters

param (str) – The parameter name.

Returns

Iterable of tuples listing: query_name, param_type, query_func

Return type

Iterable[Tuple[str, str, Callable[[Any], Any]]]

get_queries_for_param(param: str) Iterable[Tuple[str, str, Callable[[Any], Any]]]

Get the list of queries for a parameter.

Parameters

param (str) – Parameter name

Returns

Iterable of tuples listing: query_name, query_func

Return type

Iterable[Tuple[str, str, Callable[[Any], Any]]]

get_query_pivot_settings(family: str, query: str) msticpy.datamodel.pivot_data_queries.PivQuerySettings

Get Pivot settings metadata for a query.

Parameters
  • family (str) – Data family

  • query (str) – Query name

Returns

Named tuple:

  • short_name - short name for the query

  • direct_func_entities - the entities to add a top level function to

  • assigned_entities - entities to assign the query to (if parameter mapping is not applicable).

Return type

PivQuerySettings

get_query_settings(family: str, query: str) msticpy.data.query_source.QuerySource

Get the QuerySource for the named family and query.

Parameters
  • family (str) – Data family name

  • query (str) – Query name

Returns

Query settings object

Return type

QuerySource

Raises

KeyError – If family.query could not be found.

class msticpy.datamodel.pivot_data_queries.QueryParams(all, required, full_required, param_attrs, table)

Bases: tuple

Create new instance of QueryParams(all, required, full_required, param_attrs, table)

property all

Alias for field number 0

count(value, /)

Return number of occurrences of value.

property full_required

Alias for field number 2

index(value, start=0, stop=9223372036854775807, /)

Return first index of value.

Raises ValueError if the value is not present.

property param_attrs

Alias for field number 3

property required

Alias for field number 1

property table

Alias for field number 4

msticpy.datamodel.pivot_data_queries.add_data_queries_to_entities(provider: msticpy.data.data_providers.QueryProvider, get_timespan: Callable[[], msticpy.common.timespan.TimeSpan])

Add data queries from provider to entities.

Parameters
  • provider (QueryProvider) – Query provider

  • get_timespan (Callable[[], TimeSpan]) – Callback to get time span

msticpy.datamodel.pivot_data_queries.add_queries_to_entities(prov_qry_funcs: msticpy.datamodel.pivot_data_queries.PivotQueryFunctions, container: str, get_timespan: Callable[[], msticpy.common.timespan.TimeSpan])

Add data queries to entities.

Parameters
  • prov_qry_funcs (PivotQueryFunctions) – Collection of wrapped query functions

  • container (str) – The name of the container to add query functions to

  • get_timespan (Callable[[], TimeSpan]) – Function to get the current timespan.

msticpy.datamodel.pivot_magic_core

Txt2df core code.

msticpy.datamodel.pivot_magic_core.run_txt2df(line, cell, local_ns) pandas.core.frame.DataFrame

Convert cell text to pandas DataFrame.

msticpy.datamodel.pivot_register

Pivot helper functions.

class msticpy.datamodel.pivot_register.PivotRegistration(input_type: str, entity_map: Dict[str, str], func_df_param_name: Optional[str] = None, func_out_column_name: Optional[str] = None, func_df_col_param_name: Optional[str] = None, func_new_name: Optional[str] = None, src_module: Optional[str] = None, src_class: Optional[str] = None, src_func_name: Optional[str] = None, can_iterate: bool = True, func_static_params: Optional[Dict[str, Any]] = None, func_input_value_arg: Optional[str] = None, src_config_path: Optional[str] = None, src_config_entry: Optional[str] = None, entity_container_name: Optional[str] = None, return_raw_output: bool = False, create_shortcut: bool = False)

Bases: object

Pivot registration for function.

Notes

src_module: str

The src_module to import

src_class: str, optional

class to import and instantiate that contains the function/method (not needed if the target function is a pure Python function)

src_func_name: Callable

The function to wrap.

func_new_name: str, optional

Rename the function to this, defaults to src_func_name

input_type: str

The input data type that the function is expecting. One of ‘dataframe’, ‘iterable’, ‘value’

can_iterate: bool, optional

True if the function supports being called multiple times (for iterable input). Default is True

entity_map: Dict[str, str]

dict of entities supported (keys) and attribute to use from entity as input to the function

func_df_param_name: str

The name of the parameter that func takes the input value e.g. func(ip=my_address) => ‘ip’ == func_df_col_param_name. In the case of a DataFrame, this is usually ‘data’

func_df_col_param_name: str

The name that the target function uses to identify the column to use for input in the input DataFrame.

func_out_column_name: str, optional

The name of the column in the output DF to use as a key to join to the input. If None, use func_df_col_param_name

func_static_params: Optional[Dict[str, Any]]

static parameters (kwargs) that are always passed to the target function

func_input_value_arg: Optional[str]

The name of kwarg passed to the function that contain the input value. If function supports DF input, func_df_col_param_name will be used and this is not needed.

src_config_path: Optional[str]

The source path that the configuration was read from, default None.

src_config_entry: Optional[str]

The entry name in the configuration file, default None.

entity_container_name: Optional[str]

The name of the container in the entity that will hold this pivot function.

return_raw_output: bool

Return raw output from the wrapped function, do not try to format into a DataFrame. Default is False.

create_shortcut: bool

If True, create a shortcut function directly on the entity.

Method generated by attrs for class PivotRegistration.
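The registration fields above (and the input_type / entity_map keyword arguments that Pivot.add_pivot_function requires when no PivotRegistration is passed) are what turn an ordinary function into a pivot: entity_map picks which entity attribute feeds the function, func_input_value_arg names the keyword it is passed as, input_type and can_iterate decide whether a collection is handed over whole or one value at a time, and func_static_params are always forwarded. The block below is an added, self-contained illustration of that wiring; MiniPivotRegistration, create_mini_pivot, pivot_entity and the classify_ip enrichment are constructed for this example and are not msticpy's PivotRegistration, create_pivot_func or pandas-based pipeline.

```python
import ipaddress
from collections.abc import Iterable
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Optional

# Added example code: a simplified stand-in for PivotRegistration. It covers
# the 'value' and 'iterable' input types; the 'dataframe' type needs pandas
# and is left out here.


@dataclass
class MiniPivotRegistration:
    input_type: str                          # 'value' or 'iterable'
    entity_map: Dict[str, str]               # entity name -> attribute used as input
    func_input_value_arg: Optional[str] = None
    can_iterate: bool = True
    func_static_params: Dict[str, Any] = field(default_factory=dict)
    func_new_name: Optional[str] = None

    def attr_for_entity(self, entity_name: str) -> Optional[str]:
        """Attribute to read from the named entity, or None if unsupported."""
        return self.entity_map.get(entity_name)


def classify_ip(ip: str, flag_private: bool = True) -> Dict[str, Any]:
    """Constructed enrichment function: is this address routable or internal?"""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return {"ip": ip, "valid": False, "private": None}
    return {"ip": ip, "valid": True, "private": addr.is_private if flag_private else None}


def create_mini_pivot(
    target_func: Callable[..., Any], reg: MiniPivotRegistration
) -> Callable[..., List[Dict[str, Any]]]:
    """Wrap target_func so it accepts a single value or a collection of values."""
    arg_name = reg.func_input_value_arg or "value"

    def pivot(value: Any, **kwargs: Any) -> List[Dict[str, Any]]:
        call_kwargs = {**reg.func_static_params, **kwargs}
        single = isinstance(value, str) or not isinstance(value, Iterable)
        items = [value] if single else list(value)
        if reg.input_type == "iterable":
            # The target takes the whole collection in one call.
            return list(target_func(**{arg_name: items}, **call_kwargs))
        # input_type == 'value': the target takes one value per call.
        if len(items) > 1 and not reg.can_iterate:
            raise ValueError("registered function does not support iterable input")
        return [target_func(**{arg_name: item}, **call_kwargs) for item in items]

    pivot.__name__ = reg.func_new_name or target_func.__name__
    return pivot


def pivot_entity(
    entity_name: str,
    entity_props: Dict[str, Any],
    pivot: Callable[..., List[Dict[str, Any]]],
    reg: MiniPivotRegistration,
) -> List[Dict[str, Any]]:
    """Run a pivot against an entity, selecting the input attribute via entity_map."""
    attr = reg.attr_for_entity(entity_name)
    if attr is None:
        raise KeyError(f"{entity_name} is not supported by pivot {pivot.__name__}")
    return pivot(entity_props[attr])


# Constructed registration: IpAddress entities feed their Address attribute,
# Host entities feed their IpAddress attribute, both as the 'ip' keyword.
IP_REG = MiniPivotRegistration(
    input_type="value",
    entity_map={"IpAddress": "Address", "Host": "IpAddress"},
    func_input_value_arg="ip",
    func_new_name="ip_scope",
)
IP_PIVOT = create_mini_pivot(classify_ip, IP_REG)

if __name__ == "__main__":
    print(IP_PIVOT(["10.0.0.5", "8.8.8.8", "not-an-ip"]))
    print(pivot_entity("Host", {"HostName": "ws01", "IpAddress": "192.168.1.10"}, IP_PIVOT, IP_REG))
```

The same registration object serves two entity types because entity_map maps each to the attribute that holds an IP address; an entity type missing from the map (Url, say) is rejected up front rather than silently passing the wrong attribute to the enrichment.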

attr_for_entity(entity: Union[msticpy.datamodel.entities.entity.Entity, str]) Optional[str]

Return the attribute to use for the specified entity.

Parameters

entity (Union[entities.Entity, str]) – Entity instance or name

Returns

Attribute name to use.

Return type

Optional[str]

can_iterate: bool
create_shortcut: bool
entity_container_name: Optional[str]
entity_map: Dict[str, str]
func_df_col_param_name: Optional[str]
func_df_param_name: Optional[str]
func_input_value_arg: Optional[str]
func_new_name: Optional[str]
func_out_column_name: Optional[str]
func_static_params: Optional[Dict[str, Any]]
input_type: str
return_raw_output: bool
src_class: Optional[str]
src_config_entry: Optional[str]
src_config_path: Optional[str]
src_func_name: Optional[str]
src_module: Optional[str]
msticpy.datamodel.pivot_register.create_pivot_func(target_func: Callable[[Any], Any], pivot_reg: msticpy.datamodel.pivot_register.PivotRegistration) Callable[[...], pandas.core.frame.DataFrame]

Create function wrapper for pivot function.

Parameters
  • target_func (Callable) – The target function to wrap.

  • pivot_reg (PivotRegistration) – The pivot function registration object.

Returns

The original target_func wrapped in pre-processing and post-processing code.

Return type

Callable[[Any], pd.DataFrame]
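The registration fields above and the wrapper that create_pivot_func builds around a target function, as an added, simplified model that is not msticpy's own code: SimplePivotRegistration, IpAddress, whois_stub and ip_whois are constructed names, and only the ‘value’ and ‘iterable’ input paths are modelled (no DataFrame input, no join).

```python
from typing import Any, Callable, Dict, Optional, Union

class IpAddress:
    """Constructed stand-in for an msticpy entity class (not the real IpAddress)."""
    def __init__(self, address: str):
        self.Address = address

class SimplePivotRegistration:
    """Constructed, simplified model of a pivot registration (not msticpy's class)."""
    def __init__(self, entity_map: Dict[str, str], func_input_value_arg: str,
                 can_iterate: bool = True, func_static_params: Optional[Dict[str, Any]] = None):
        self.entity_map = entity_map          # entity name -> attribute supplying the input value
        self.func_input_value_arg = func_input_value_arg
        self.can_iterate = can_iterate
        self.func_static_params = func_static_params or {}

    def attr_for_entity(self, entity: Union[object, str]) -> Optional[str]:
        # Accept an entity instance (looked up by class name) or an entity name
        name = entity if isinstance(entity, str) else type(entity).__name__
        return self.entity_map.get(name)

def create_simple_pivot_func(target_func: Callable[..., Dict[str, Any]],
                             reg: SimplePivotRegistration) -> Callable[..., Any]:
    """Wrap target_func in the pre- and post-processing a pivot function needs."""
    def pivot_func(value, **kwargs):
        # Pre-processing: an entity instance is replaced by its registered attribute value
        if not isinstance(value, (str, int, list, tuple, set)):
            attr = reg.attr_for_entity(value)
            if attr is None:
                raise ValueError(f"No attribute registered for entity {type(value).__name__}")
            value = getattr(value, attr)
        values = list(value) if isinstance(value, (list, tuple, set)) else [value]
        # Static parameters from the registration are always passed; caller kwargs override them
        params = {**reg.func_static_params, **kwargs}
        if not reg.can_iterate:       # the function handles the whole iterable in one call
            return target_func(**{reg.func_input_value_arg: values}, **params)
        # Post-processing: one row per input value, keyed by that value for joining back
        return [{"input": val, **target_func(**{reg.func_input_value_arg: val}, **params)}
                for val in values]
    return pivot_func

def whois_stub(ip: str, source: str = "default") -> Dict[str, Any]:
    """Constructed target function standing in for a real lookup (no network access)."""
    return {"ip": ip, "owner": "Example Org", "source": source}

# Registration: IpAddress entities contribute their Address attribute, Hosts their HostName
IP_REG = SimplePivotRegistration(entity_map={"IpAddress": "Address", "Host": "HostName"},
                                 func_input_value_arg="ip", func_static_params={"source": "local-db"})
ip_whois = create_simple_pivot_func(whois_stub, IP_REG)
```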

msticpy.datamodel.pivot_register.get_join_params(func_kwargs: Dict[str, Any]) Tuple[Optional[str], Optional[str], Optional[str], bool]

Get join parameters from kwargs.

Parameters

func_kwargs (Dict[str, Any]) – Keyword arguments from caller

Returns

join_type, left_on, right_on, join_ignore_case

Return type

Tuple[str, str, str, bool]

msticpy.datamodel.pivot_register.join_result(input_df: pandas.core.frame.DataFrame, result_df: pandas.core.frame.DataFrame, how: str, left_on: str, right_on: str, ignore_case: bool) pandas.core.frame.DataFrame

Join input and result DFs, optionally ignoring case.

Parameters
  • input_df (pd.DataFrame) – Input DF

  • result_df (pd.DataFrame) – Result DF

  • how (str) – Join type - “inner”, “left”, “right”, “outer”

  • left_on (str) – Column from input_df to use as join key

  • right_on (str) – Column from result_df to use as join key

  • ignore_case (bool) – If True and input_df column is a string

Returns

The merged DataFrame

Return type

pd.DataFrame

msticpy.datamodel.pivot_register_reader

Reads pivot registration config files.

msticpy.datamodel.pivot_register_reader.add_unbound_pivot_function(func: Callable[[Any], Any], pivot_reg: Optional[msticpy.datamodel.pivot_register.PivotRegistration] = None, container: str = 'other', **kwargs)

Add a pivot function to entities.

Parameters
  • func (Callable[[Any], Any]) – The function to add

  • pivot_reg (PivotRegistration, optional) – Pivot registration object, by default None

  • container (str, optional) – The name of the container into which the function should be added, by default “other”

  • kwargs – If pivot_reg is not supplied you can specify required pivot registration parameters via keyword arguments. You must specify input_type (str) and entity_map (dict of entity_name, entity_attribute pairs)

See also

PivotRegistration

msticpy.datamodel.pivot_register_reader.register_pivots(file_path: str, namespace: Optional[Dict[str, Any]] = None, container: str = 'other', force_container: bool = False, **kwargs)

Register pivot functions from configuration file.

Parameters
  • file_path (str) – Path to config yaml file

  • namespace (Dict[str, Any], optional) – Namespace to search for existing instances of classes, by default None

  • container (str, optional) – Container name to use for entity pivot functions, by default “other”

  • force_container (bool, optional) – Force container value to be used even if entity definitions have specific setting for a container name, by default False

Raises

ValueError – An entity specified in the config file is not recognized.

msticpy.datamodel.pivot_ti_provider

Pivot TI Provider helper functions.

msticpy.datamodel.pivot_ti_provider.add_ioc_queries_to_entities(ti_lookup: msticpy.sectools.tilookup.TILookup, container: str = 'ti', **kwargs)

Add TI functions to entities.

Parameters
  • ti_lookup (TILookup) – TILookup instance.

  • container (str) – The name of the container to add query functions to

msticpy.datamodel.pivot_ti_provider.create_ti_pivot_funcs(ti_lookup: msticpy.sectools.tilookup.TILookup)

Create the TI Pivot functions.

msticpy.datamodel.pivot_ti_provider.register_ti_pivot_providers(ti_lookup: msticpy.sectools.tilookup.TILookup, pivot: Pivot)

Register pivot functions from TI providers.

msticpy.datamodel.pivot_pd_accessor

Pandas DataFrame accessor for Pivot functions.

class msticpy.datamodel.pivot_pd_accessor.PivotAccessor(pandas_obj)

Bases: object

Pandas api extension for Pivot functions.

Instantiate pivot extension class.

display(title: Optional[str] = None, cols: Optional[Iterable[str]] = None, query: Optional[str] = None, head: Optional[int] = None) pandas.core.frame.DataFrame

Display the DataFrame in the middle of a pipeline.

Parameters
  • title (str, optional) – Title to display for the DataFrame, by default None

  • cols (Iterable[str], optional) – List of columns to display, by default None

  • query (str, optional) – Query to filter the displayed data, by default None. This should be a string executable by the DataFrame.query function.

  • head (int, optional) – Limit the displayed output to head rows, by default None

Returns

Passed through input DataFrame.

Return type

pd.DataFrame

filter(expr: Union[str, numbers.Number], match_case: bool = False, numeric_col: bool = False) pandas.core.frame.DataFrame

Filter all columns of DataFrame, return rows with any matches.

Parameters
  • expr (Union[str, Number]) – String or regular expression to match, or a (partial) number. If expr is a string it is matched against any string or object columns using pandas str.contains(..., regex=True). If expr is a number, or if numeric_col is True, expr is converted to a string and matched as a substring of any numeric columns.

  • match_case (bool, optional) – The match is not case-sensitive by default. Set to True to force case-sensitive matches.

  • numeric_col (bool, optional) – If expr is a numeric string or number this will force a match against only numeric columns, by default False

Returns

The filtered dataframe

Return type

pd.DataFrame

Raises

TypeError – If expr is neither a string nor a number.

filter_cols(cols: Union[str, Iterable[str]], match_case: bool = False, sort_cols: bool = False) pandas.core.frame.DataFrame

Filter output columns matching names in cols expression(s).

Parameters
  • cols (Union[str, Iterable[str]]) – Either a string or a list of strings with filter expressions. These can be exact matches for column names, wildcard patterns (“*” matches multiple chars and “?” matches a single char), or regular expressions.

  • match_case (bool, optional) – Use case-sensitive matching, by default False

  • sort_cols (bool, optional) – Alphabetically sort column names, by default False

Returns

The input DataFrame with only columns that match the filtering expressions.

Return type

pd.DataFrame

list_to_rows(cols: Union[str, Iterable[str]]) pandas.core.frame.DataFrame

Expand a list column to individual rows.

Parameters

cols (Union[str, Iterable[str]]) – The columns to be expanded.

Returns

The expanded DataFrame

Return type

pd.DataFrame

parse_json(cols: Union[str, Iterable[str]]) pandas.core.frame.DataFrame

Convert JSON string columns to Python types.

Parameters

cols (Union[str, Iterable[str]]) – Column or iterable of columns to process

Returns

Processed dataframe

Return type

pd.DataFrame

run(func: Callable[[...], pandas.core.frame.DataFrame], **kwargs) pandas.core.frame.DataFrame

Run a pivot function on the current DataFrame.

Parameters
  • func (Callable[..., pd.DataFrame]) – Pivot function to run

  • kwargs – Keyword arguments to pass to func. A column specification (e.g. column=”src_col_name”) is usually the minimum needed. For data queries the column keyword must be the name of the query parameter (e.g. host_name = “src_col_name”)

Returns

The output DataFrame from the function.

Return type

pd.DataFrame

Notes

You can pass the join keyword argument to most pivot functions. Values for join are “inner”, “left”, “right” or “outer”.

sort(cols: Union[str, Iterable[str], Dict[str, str]], ascending: Optional[bool] = None) pandas.core.frame.DataFrame

Sort output by column expression.

Parameters
  • cols (Union[str, Iterable[str], Dict[str, str]]) – If this is a string, it should be a column name expression. A column name expression is either a column name, a case-insensitive column name or a regular expression matching one or more column names. Each column name expression can take the form col_name_expr:desc to sort descending (col_name_expr:asc is the default). The col_name can also be a regular expression or partial column name. If this is a list, each element should be a column name expression with an optional ‘:asc’ or ‘:desc’ suffix. If this is a dict, the keys should be column name expressions and the values bools indicating ‘ascending’ (True) or ‘descending’ (False) sort.

  • ascending (bool, optional) – Overrides any ordering specified for individual columns and sorts ‘ascending’ if True or ‘descending’ if False. If not supplied and no column-specific ordering is given, sorts ascending.

Returns

The sorted DataFrame

Return type

pd.DataFrame

Raises

ValueError – One or more column expressions matched no column name in the input.
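The column name expressions used by filter_cols and sort above, as an added example that is not msticpy's own code: match_cols resolves exact, wildcard or regex expressions against constructed column names, parse_sort_spec resolves the string, list and dict sort forms (raising ValueError when an expression matches nothing), and sort_rows applies the result to constructed list-of-dict rows. The rule for telling a wildcard from a regex (‘*’ or ‘?’ present, no other regex metacharacters) is this example's assumption, not msticpy's documented behaviour.

```python
import re
from fnmatch import translate
from typing import List, Tuple

# Constructed column names and rows standing in for a DataFrame (not real data).
COLUMNS = ["TimeGenerated", "SrcIP", "DstIP", "EventID"]
ROWS = [{"EventID": 4624, "SrcIP": "10.0.0.2"}, {"EventID": 4625, "SrcIP": "10.0.0.1"},
        {"EventID": 4624, "SrcIP": "10.0.0.1"}]
WILDCARD, REGEX_META = set("*?"), set(".^$+[](){}|\\")

def match_cols(columns, cols, match_case=False, partial=False) -> List[str]:
    """Columns matching one or more expressions: exact name, wildcard or regex."""
    exprs = [cols] if isinstance(cols, str) else list(cols)
    flags = 0 if match_case else re.IGNORECASE   # case-insensitive by default
    matched: List[str] = []
    for expr in exprs:
        # Assumed rule: "*"/"?" without regex metacharacters is a glob, anything else a regex
        glob = WILDCARD & set(expr) and not REGEX_META & set(expr)
        rgx = re.compile(translate(expr) if glob else expr, flags)
        test = rgx.search if partial else rgx.fullmatch   # sort() accepts partial names
        for col in columns:
            if test(col) and col not in matched:
                matched.append(col)
    return matched

def parse_sort_spec(columns, cols, ascending=None) -> List[Tuple[str, bool]]:
    """Resolve sort expressions (str, list or dict form) to (column, ascending) pairs."""
    if isinstance(cols, dict):
        items = list(cols.items())
    else:
        items = []
        for expr in ([cols] if isinstance(cols, str) else cols):
            name, _, order = expr.partition(":")   # "col:desc" -> descending, default ascending
            items.append((name, order.lower() != "desc"))
    resolved = []
    for expr, asc in items:
        matched = match_cols(columns, expr, partial=True)
        if not matched:
            raise ValueError(f"Column expression {expr!r} matched no column name in the input")
        # An explicit ascending= argument overrides any per-column ordering
        resolved.extend((col, asc if ascending is None else ascending) for col in matched)
    return resolved

def sort_rows(rows, columns, cols, ascending=None):
    """Multi-key sort of list-of-dict rows: stable sorts applied last key first."""
    ordered = list(rows)
    for col, asc in reversed(parse_sort_spec(columns, cols, ascending)):
        ordered.sort(key=lambda r: r[col], reverse=not asc)
    return ordered
```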

tee(var_name: str, clobber: bool = False) pandas.core.frame.DataFrame

Save current dataframe to var_name in the IPython user namespace.

Parameters
  • var_name (str) – The name of the DF variable to create.

  • clobber (bool, optional) – Whether to overwrite an existing variable of the same name, by default False

Returns

Passed through input DataFrame.

Return type

pd.DataFrame

Notes

This function only works in an IPython/Jupyter notebook environment. It will attempt to create a variable in the user local namespace that references the current state of the DataFrame in the pipeline.

By default it will not overwrite an existing variable of the same name (specify clobber=True to overwrite).

tee_exec(df_func: str, *args, **kwargs) pandas.core.frame.DataFrame

Run a dataframe method on the dataframe without changing it.

Parameters
  • df_func (str) – The name of the function to execute. Accessor methods must be of the form “accessor.method”.

  • args (tuple) – Positional arguments to be passed to the function

  • kwargs (dict) – Keyword arguments to be passed to the function.

Returns

Passed through input DataFrame.

Return type

pd.DataFrame

Notes

This function runs the DataFrame method or accessor function. It does not alter the DataFrame (unless the function does any kind of in-place modification). The function is run and the original input DataFrame is returned.