msticpy.datamodel.entities package
Submodules
msticpy.datamodel.entities.account module
Account Entity class.
- class msticpy.datamodel.entities.account.Account(src_entity: Optional[Mapping[str, Any]] = None, src_event: Optional[Mapping[str, Any]] = None, role: str = 'subject', **kwargs)
Bases:
msticpy.datamodel.entities.entity.Entity
Account Entity class.
- Name
Account Name
- Type
str
- NTDomain
Account NTDomain
- Type
str
- UPNSuffix
Account UPNSuffix
- Type
str
- LogonId
Account LogonId (deprecated)
- Type
str
- Sid
Account Sid
- Type
str
- AadTenantId
Account AadTenantId
- Type
str
- AadUserId
Account AadUserId
- Type
str
- PUID
Account PUID
- Type
str
- IsDomainJoined
Account IsDomainJoined
- Type
bool
- DisplayName
Account DisplayName
- Type
str
- ObjectGuid
The object ID of the user account
- Type
str
Create a new instance of the entity type.
- Parameters
src_entity (Mapping[str, Any], optional) – Create entity from existing Account entity or other mapping object that implements entity properties. (the default is None)
src_event (Mapping[str, Any], optional) – Create entity from event properties (the default is None)
role (str, optional) – ‘subject’ or ‘target’ - only relevant if the entity is being constructed from an event. (the default is ‘subject’)
kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.
- ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
- ID_PROPERTIES: List[str] = ['QualifiedName', 'Sid', 'AadUserId', 'PUID', 'ObjectGuid']
- JSONEncoder
alias of
msticpy.datamodel.entities.entity._EntityJSONEncoder
- add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)
Add an edge between self and target.
- Parameters
target (Node) – Target node.
edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
- can_merge(other: Any) → bool
Return True if the entities can be merged.
- Parameters
other (Any) – The other entity (object) to check
- Returns
True if other has no conflicting properties.
- Return type
bool
- classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity
Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.
- Returns
Instantiated entity
- Return type
msticpy.datamodel.entities.entity.Entity
Notes
The entity type should be specified as “Type”, either as a key of src_entity or as a keyword argument.
- classmethod del_pivot_shortcut(func_name: str)
Remove a pivot shortcut.
- Parameters
func_name (str) – The name of the shortcut function.
- Raises
AttributeError – The class does not have an attribute func_name
TypeError – The attribute to delete is not a pivot shortcut.
- property description_str: str
Return Entity Description.
- classmethod get_pivot_list() → List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- has_edge(other)
Return True if node has an edge with other.
- classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]
Class factory to return entity from raw dictionary representation.
- Parameters
raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
entity_type (Optional[Type]) – The entity type to create, by default None.
- Returns
The instantiated entity
- Return type
Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]
- is_equivalent(other: Any) → bool
Return True if the entities are equivalent.
- Parameters
other (Any) – The entity to check
- Returns
True if equivalent.
- Return type
bool
Notes
This method checks that the compared entities do not have any properties with conflicting values. E.g. the following pairs do not conflict: self.A == other.A; self.B == “xyz” and other.B == None; self.C == [] and other.C == [1, 2, 3].
- list_pivot_funcs()
Print list of pivot functions assigned to entity.
- classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)
Add a shortcut to a pivot function to the class.
- Parameters
func_name (str) – The name of source pivot function.
target (str) – The shortcut name (this will be a member function of the class)
overwrite (bool, optional) – Force overwrite an existing pivot function, by default False
- Raises
AttributeError – The source function does not exist
TypeError – The source function is not a pivot function.
TypeError – The target attribute exists and is not a pivot function
AttributeError – The target function exists and ‘overwrite=True’ was not specified.
- merge(other: Any) → msticpy.datamodel.entities.entity.Entity
Merge with other entity to create new entity.
- Returns
Merged entity.
- Return type
msticpy.datamodel.entities.entity.Entity
- Raises
AttributeError – If the entities cannot be merged.
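The is_equivalent, can_merge and merge members above all rest on one rule: two records may be combined when no property is set to different values on both sides, and a missing, None or empty value never conflicts. The following is an added illustration of that rule on plain dictionaries shaped like Account properties; it is not msticpy's implementation and does not import msticpy. The sample records, the SID and object-id values, and the helper names (is_unset, can_merge, merge, conflicting_properties) are constructed for this example.

```python
from typing import Any, Dict, Mapping, Tuple

# Constructed sample data (not from the msticpy docs): one principal seen
# in a Windows logon event and in an Azure AD sign-in. Each source knows
# only some of the Account properties; the rest are None or empty.
WINDOWS_LOGON_ACCOUNT: Dict[str, Any] = {
    "Type": "account",
    "Name": "jdoe",
    "NTDomain": "CORP",
    "Sid": "S-1-5-21-1111111111-2222222222-3333333333-1001",  # placeholder SID
    "UPNSuffix": None,
    "AadUserId": None,
}
AAD_SIGNIN_ACCOUNT: Dict[str, Any] = {
    "Type": "account",
    "Name": "jdoe",
    "UPNSuffix": "corp.example",
    "AadUserId": "11111111-2222-3333-4444-555555555555",  # placeholder object id
    "Sid": "",
}
# A different principal that happens to share the short name "jdoe".
# Its NTDomain and Sid are set on both sides and differ, so it must not merge.
OTHER_JDOE_ACCOUNT: Dict[str, Any] = {
    "Type": "account",
    "Name": "jdoe",
    "NTDomain": "LAB",
    "Sid": "S-1-5-21-9999999999-8888888888-7777777777-1001",  # placeholder SID
}


def is_unset(value: Any) -> bool:
    """None, empty strings and empty containers carry no information."""
    if value is None:
        return True
    return hasattr(value, "__len__") and len(value) == 0


def can_merge(left: Mapping[str, Any], right: Mapping[str, Any]) -> bool:
    """True when no property is set to different values on both sides.

    Mirrors the rule in the is_equivalent notes: A == A is fine, "xyz" vs
    None is fine, [] vs [1, 2, 3] is fine; "xyz" vs "abc" is a conflict.
    """
    for key in set(left) | set(right):
        lval, rval = left.get(key), right.get(key)
        if is_unset(lval) or is_unset(rval):
            continue
        if lval != rval:
            return False
    return True


def conflicting_properties(
    left: Mapping[str, Any], right: Mapping[str, Any]
) -> Dict[str, Tuple[Any, Any]]:
    """Name the properties that block a merge, useful in triage output."""
    return {
        key: (left.get(key), right.get(key))
        for key in set(left) | set(right)
        if not is_unset(left.get(key))
        and not is_unset(right.get(key))
        and left.get(key) != right.get(key)
    }


def merge(left: Mapping[str, Any], right: Mapping[str, Any]) -> Dict[str, Any]:
    """Combine two compatible records, filling gaps in left from right.

    Raises AttributeError on conflict, as the merge docstring above describes.
    """
    if not can_merge(left, right):
        raise AttributeError(
            f"conflicting properties: {sorted(conflicting_properties(left, right))}"
        )
    merged: Dict[str, Any] = dict(left)
    for key, rval in right.items():
        if is_unset(merged.get(key)) and not is_unset(rval):
            merged[key] = rval
    return merged


if __name__ == "__main__":
    print("merged:", merge(WINDOWS_LOGON_ACCOUNT, AAD_SIGNIN_ACCOUNT))
    print("conflicts:", conflicting_properties(WINDOWS_LOGON_ACCOUNT, OTHER_JDOE_ACCOUNT))
```

Treating empty values as "unknown" rather than as a conflict is what lets a half-populated record from one log source be enriched by another; the flip side is that a record with only a Name and nothing else merges with anything of that name, so identity-bearing properties (the ID_PROPERTIES list above) should be present before merged results are trusted.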
- property name_str: str
Return Entity Name.
- property node_properties: Dict[str, Any]
Return all public properties that are not entities.
- Returns
Dictionary of name, value properties.
- Return type
Dict[str, Any]
- classmethod pivots() → List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- property properties: dict
Return dictionary properties of entity.
- Returns
Entity properties.
- Return type
dict
- property qualified_name: str
Windows qualified account name.
- to_html() → str
Return HTML representation of entity.
- Returns
HTML representation of entity
- Return type
str
- to_json()
Return object as a JSON string.
- to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) → networkx.classes.graph.Graph
Return networkx graph of entities.
- Parameters
graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None
- Returns
Graph with entity and any connected entities.
- Return type
nx.Graph
msticpy.datamodel.entities.alert module
Alert Entity class.
- class msticpy.datamodel.entities.alert.Alert(src_entity: Optional[Mapping[str, Any]] = None, src_event: Optional[Mapping[str, Any]] = None, **kwargs)
Bases:
msticpy.datamodel.entities.entity.Entity
Alert Entity class.
- AlertDisplayName
Alert DisplayName
- Type
str
- CompromisedEntity
Alert CompromisedEntity
- Type
str
- Count
Alert Count
- Type
int
- StartTimeUtc
Alert StartTime
- Type
datetime
- EndTimeUtc
Alert EndTime
- Type
datetime
- Severity
Alert Severity
- Type
str
- SystemAlertIds
Alert SystemAlertIds
- Type
List[str]
- AlertType
Alert AlertType
- Type
str
- VendorName
Alert VendorName
- Type
str
- ProviderName
Alert ProviderName
- Type
str
Create a new instance of the entity type.
- Parameters
src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)
src_event (Mapping[str, Any], optional) – Create entity from event properties (the default is None)
kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.
- ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
- ID_PROPERTIES: List[str] = ['SystemAlertIds']
- JSONEncoder
alias of
msticpy.datamodel.entities.entity._EntityJSONEncoder
- add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)
Add an edge between self and target.
- Parameters
target (Node) – Target node.
edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
- can_merge(other: Any) → bool
Return True if the entities can be merged.
- Parameters
other (Any) – The other entity (object) to check
- Returns
True if other has no conflicting properties.
- Return type
bool
- classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity
Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.
- Returns
Instantiated entity
- Return type
msticpy.datamodel.entities.entity.Entity
Notes
The entity type should be specified as “Type”, either as a key of src_entity or as a keyword argument.
- classmethod del_pivot_shortcut(func_name: str)
Remove a pivot shortcut.
- Parameters
func_name (str) – The name of the shortcut function.
- Raises
AttributeError – The class does not have an attribute func_name
TypeError – The attribute to delete is not a pivot shortcut.
- property description_str: str
Return Entity Description.
- classmethod get_pivot_list() → List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- has_edge(other)
Return True if node has an edge with other.
- classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]
Class factory to return entity from raw dictionary representation.
- Parameters
raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
entity_type (Optional[Type]) – The entity type to create, by default None.
- Returns
The instantiated entity
- Return type
Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]
- is_equivalent(other: Any) → bool
Return True if the entities are equivalent.
- Parameters
other (Any) – The entity to check
- Returns
True if equivalent.
- Return type
bool
Notes
This method checks that the compared entities do not have any properties with conflicting values. E.g. the following pairs do not conflict: self.A == other.A; self.B == “xyz” and other.B == None; self.C == [] and other.C == [1, 2, 3].
- list_pivot_funcs()
Print list of pivot functions assigned to entity.
- classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)
Add a shortcut to a pivot function to the class.
- Parameters
func_name (str) – The name of source pivot function.
target (str) – The shortcut name (this will be a member function of the class)
overwrite (bool, optional) – Force overwrite an existing pivot function, by default False
- Raises
AttributeError – The source function does not exist
TypeError – The source function is not a pivot function.
TypeError – The target attribute exists and is not a pivot function
AttributeError – The target function exists and ‘overwrite=True’ was not specified.
- merge(other: Any) → msticpy.datamodel.entities.entity.Entity
Merge with other entity to create new entity.
- Returns
Merged entity.
- Return type
msticpy.datamodel.entities.entity.Entity
- Raises
AttributeError – If the entities cannot be merged.
- property name_str: str
Return Entity Name.
- property node_properties: Dict[str, Any]
Return all public properties that are not entities.
- Returns
Dictionary of name, value properties.
- Return type
Dict[str, Any]
- classmethod pivots() → List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- property properties: dict
Return dictionary properties of entity.
- Returns
Entity properties.
- Return type
dict
- to_html() → str
Return the item as HTML string.
- to_json()
Return object as a JSON string.
- to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) → networkx.classes.graph.Graph
Return networkx graph of entities.
- Parameters
graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None
- Returns
Graph with entity and any connected entities.
- Return type
nx.Graph
msticpy.datamodel.entities.azure_resource module
AzureResource Entity class.
- class msticpy.datamodel.entities.azure_resource.AzureResource(src_entity: Optional[Mapping[str, Any]] = None, **kwargs)
Bases:
msticpy.datamodel.entities.entity.Entity
AzureResource Entity class.
- ResourceId
AzureResource ResourceId
- Type
str
- ResourceIdParts
AzureResource ResourceIdParts
- Type
Dict[str, str]
Create a new instance of the entity type.
- Parameters
src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)
kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.
- ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
- ID_PROPERTIES: List[str] = ['ResourceId']
- JSONEncoder
alias of
msticpy.datamodel.entities.entity._EntityJSONEncoder
- property Provider
Return the Provider name or None.
- property ResourceGroup
Return the ResourceGroup name or None.
- property SubscriptionId
Return the subscription Id or None.
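The three properties above read their values out of ResourceIdParts, which the page describes only as a Dict[str, str] derived from ResourceId. As an added example, not msticpy's own code and not importing msticpy, the block below shows one way to split an Azure Resource Manager resource ID into such parts and to expose Provider, ResourceGroup and SubscriptionId as properties that return None when the ID does not reach that segment. The class name ParsedAzureResource, the key names in the parts dictionary, and the sample IDs (an all-zero subscription GUID, 'rg-prod-web', 'web01') are assumptions made for this example.

```python
from typing import Dict, List, Optional

# Constructed sample resource IDs (placeholder subscription GUID, not real).
VM_ID = (
    "/subscriptions/00000000-0000-0000-0000-000000000000"
    "/resourceGroups/rg-prod-web/providers/Microsoft.Compute/virtualMachines/web01"
)
EXTENSION_ID = VM_ID + "/extensions/CustomScript"      # nested child resource
SUBSCRIPTION_ONLY_ID = "/subscriptions/00000000-0000-0000-0000-000000000000"


def parse_resource_id(resource_id: str) -> Dict[str, str]:
    """Split an ARM resource ID into key/value parts.

    ARM IDs look like
    /subscriptions/{id}/resourceGroups/{rg}/providers/{namespace}/{type}/{name}
    optionally followed by further {childType}/{childName} pairs.  Segments
    before 'providers' are fixed key/value pairs; after it come the provider
    namespace and alternating type/name pairs.  Keys are lower-cased because
    Azure treats them case-insensitively and activity logs mix both spellings
    ('resourceGroups' and 'resourcegroups'), which otherwise breaks matching.
    """
    segments: List[str] = [seg for seg in resource_id.strip().split("/") if seg]
    parts: Dict[str, str] = {}
    idx = 0
    # Leading fixed pairs, e.g. subscriptions/<guid>, resourcegroups/<name>.
    while idx + 1 < len(segments) and segments[idx].lower() != "providers":
        parts[segments[idx].lower()] = segments[idx + 1]
        idx += 2
    if idx < len(segments) and segments[idx].lower() == "providers":
        if idx + 1 < len(segments):
            parts["provider"] = segments[idx + 1]
        # Remaining segments alternate resource type and resource name.  A
        # trailing type without a name (a collection URL) is ignored.
        rest = segments[idx + 2:]
        types = [rest[i] for i in range(0, len(rest) - 1, 2)]
        names = [rest[i + 1] for i in range(0, len(rest) - 1, 2)]
        if types:
            parts["resourcetype"] = "/".join(types)     # e.g. virtualMachines/extensions
            parts["resourcename"] = "/".join(names)     # e.g. web01/CustomScript
            parts["name"] = names[-1]                   # the leaf resource's own name
    return parts


class ParsedAzureResource:
    """Minimal stand-in for an AzureResource-like object (example only)."""

    def __init__(self, resource_id: str) -> None:
        self.ResourceId = resource_id
        self.ResourceIdParts = parse_resource_id(resource_id)

    @property
    def SubscriptionId(self) -> Optional[str]:
        """Return the subscription Id or None."""
        return self.ResourceIdParts.get("subscriptions")

    @property
    def ResourceGroup(self) -> Optional[str]:
        """Return the ResourceGroup name or None."""
        return self.ResourceIdParts.get("resourcegroups")

    @property
    def Provider(self) -> Optional[str]:
        """Return the Provider name or None."""
        return self.ResourceIdParts.get("provider")


if __name__ == "__main__":
    for rid in (VM_ID, EXTENSION_ID, SUBSCRIPTION_ONLY_ID):
        res = ParsedAzureResource(rid)
        print(res.SubscriptionId, res.ResourceGroup, res.Provider, res.ResourceIdParts.get("name"))
```

Returning None rather than raising for a subscription-only or resource-group-only ID matters in practice: Azure activity and diagnostic logs emit IDs at all three scopes, and a parser that assumes the full eight-segment form will drop exactly the scope-level events (role assignments, policy changes) an investigator most wants to keep.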
- add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)
Add an edge between self and target.
- Parameters
target (Node) – Target node.
edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
- can_merge(other: Any) → bool
Return True if the entities can be merged.
- Parameters
other (Any) – The other entity (object) to check
- Returns
True if other has no conflicting properties.
- Return type
bool
- classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity
Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.
- Returns
Instantiated entity
- Return type
msticpy.datamodel.entities.entity.Entity
Notes
The entity type should be specified as “Type”, either as a key of src_entity or as a keyword argument.
- classmethod del_pivot_shortcut(func_name: str)
Remove a pivot shortcut.
- Parameters
func_name (str) – The name of the shortcut function.
- Raises
AttributeError – The class does not have an attribute func_name
TypeError – The attribute to delete is not a pivot shortcut.
- property description_str: str
Return Entity Description.
- classmethod get_pivot_list() → List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- has_edge(other)
Return True if node has an edge with other.
- classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]
Class factory to return entity from raw dictionary representation.
- Parameters
raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
entity_type (Optional[Type]) – The entity type to create, by default None.
- Returns
The instantiated entity
- Return type
Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]
- is_equivalent(other: Any) → bool
Return True if the entities are equivalent.
- Parameters
other (Any) – The entity to check
- Returns
True if equivalent.
- Return type
bool
Notes
This method checks that the compared entities do not have any properties with conflicting values. E.g. the following pairs do not conflict: self.A == other.A; self.B == “xyz” and other.B == None; self.C == [] and other.C == [1, 2, 3].
- list_pivot_funcs()
Print list of pivot functions assigned to entity.
- classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)
Add a shortcut to a pivot function to the class.
- Parameters
func_name (str) – The name of source pivot function.
target (str) – The shortcut name (this will be a member function of the class)
overwrite (bool, optional) – Force overwrite an existing pivot function, by default False
- Raises
AttributeError – The source function does not exist
TypeError – The source function is not a pivot function.
TypeError – The target attribute exists and is not a pivot function
AttributeError – The target function exists and ‘overwrite=True’ was not specified.
- merge(other: Any) → msticpy.datamodel.entities.entity.Entity
Merge with other entity to create new entity.
- Returns
Merged entity.
- Return type
msticpy.datamodel.entities.entity.Entity
- Raises
AttributeError – If the entities cannot be merged.
- property name_str: str
Return Entity Name.
- property node_properties: Dict[str, Any]
Return all public properties that are not entities.
- Returns
Dictionary of name, value properties.
- Return type
Dict[str, Any]
- classmethod pivots() → List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- property properties: dict
Return dictionary properties of entity.
- Returns
Entity properties.
- Return type
dict
- to_html() → str
Return HTML representation of entity.
- Returns
HTML representation of entity
- Return type
str
- to_json()
Return object as a JSON string.
- to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) → networkx.classes.graph.Graph
Return networkx graph of entities.
- Parameters
graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None
- Returns
Graph with entity and any connected entities.
- Return type
nx.Graph
msticpy.datamodel.entities.cloud_application module
CloudApplication Entity class.
- class msticpy.datamodel.entities.cloud_application.CloudApplication(src_entity: Optional[Mapping[str, Any]] = None, **kwargs)
Bases:
msticpy.datamodel.entities.entity.Entity
CloudApplication Entity class.
- Name
CloudApplication Name
- Type
str
- AppId
The AppId of the cloud application
- Type
str
- InstanceName
The instance name of the application
- Type
str
Create a new instance of the entity type.
- Parameters
src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)
kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.
- ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
- ID_PROPERTIES: List[str] = ['Name']
- JSONEncoder
alias of
msticpy.datamodel.entities.entity._EntityJSONEncoder
- add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)
Add an edge between self and target.
- Parameters
target (Node) – Target node.
edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
- can_merge(other: Any) → bool
Return True if the entities can be merged.
- Parameters
other (Any) – The other entity (object) to check
- Returns
True if other has no conflicting properties.
- Return type
bool
- classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity
Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.
- Returns
Instantiated entity
- Return type
msticpy.datamodel.entities.entity.Entity
Notes
The entity type should be specified as “Type”, either as a key of src_entity or as a keyword argument.
- classmethod del_pivot_shortcut(func_name: str)
Remove a pivot shortcut.
- Parameters
func_name (str) – The name of the shortcut function.
- Raises
AttributeError – The class does not have an attribute func_name
TypeError – The attribute to delete is not a pivot shortcut.
- property description_str: str
Return Entity Description.
- classmethod get_pivot_list() → List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- has_edge(other)
Return True if node has an edge with other.
- classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]
Class factory to return entity from raw dictionary representation.
- Parameters
raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
entity_type (Optional[Type]) – The entity type to create, by default None.
- Returns
The instantiated entity
- Return type
Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]
- is_equivalent(other: Any) → bool
Return True if the entities are equivalent.
- Parameters
other (Any) – The entity to check
- Returns
True if equivalent.
- Return type
bool
Notes
This method checks that the compared entities do not have any properties with conflicting values. E.g. the following pairs do not conflict: self.A == other.A; self.B == “xyz” and other.B == None; self.C == [] and other.C == [1, 2, 3].
- list_pivot_funcs()
Print list of pivot functions assigned to entity.
- classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)
Add a shortcut to a pivot function to the class.
- Parameters
func_name (str) – The name of source pivot function.
target (str) – The shortcut name (this will be a member function of the class)
overwrite (bool, optional) – Force overwrite an existing pivot function, by default False
- Raises
AttributeError – The source function does not exist
TypeError – The source function is not a pivot function.
TypeError – The target attribute exists and is not a pivot function
AttributeError – The target function exists and ‘overwrite=True’ was not specified.
- merge(other: Any) msticpy.datamodel.entities.entity.Entity
Merge with other entity to create new entity.
- Returns
Merged entity.
- Return type
- Raises
AttributeError – If the entities cannot be merged.
- property name_str: str
Return Entity Name.
- property node_properties: Dict[str, Any]
Return all public properties that are not entities.
- Returns
Dictionary of name, value properties.
- Return type
Dict[str, Any]
- classmethod pivots() List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- property properties: dict
Return dictionary properties of entity.
- Returns
Entity properties.
- Return type
dict
- to_html() str
Return HTML representation of entity.
- Returns
HTML representation of entity
- Return type
str
- to_json()
Return object as a JSON string.
- to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) networkx.classes.graph.Graph
Return networkx graph of entities.
- Parameters
graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None
- Returns
Graph with entity and any connected entities.
- Return type
nx.Graph
msticpy.datamodel.entities.cloud_logon_session module
CloudLogonSession Entity class.
- class msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession(src_entity: Optional[Mapping[str, Any]] = None, src_event: Optional[Mapping[str, Any]] = None, **kwargs)
Bases:
msticpy.datamodel.entities.entity.Entity
CloudLogonSession Entity class.
- SessionId
The logon session ID
- Type
str
- Account
The Account
- Type
str
- UserAgent
The UserAgent
- Type
str
- StartTime
The time the session started
- Type
str
Create a new instance of the entity type.
- Parameters
src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)
src_event (Mapping[str, Any], optional) – Create entity from an event
kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.
- ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 
'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
- ID_PROPERTIES: List[str] = ['Name']
- JSONEncoder
alias of
msticpy.datamodel.entities.entity._EntityJSONEncoder
- add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)
Add an edge between self and target.
- Parameters
target (Node) – Target node.
edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
- can_merge(other: Any) bool
Return True if the entities can be merged.
- Parameters
other (Any) – The other entity (object) to check
- Returns
True if other has no conflicting properties.
- Return type
bool
- classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) msticpy.datamodel.entities.entity.Entity
Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.
- Returns
Instantiated entity
- Return type
Notes
The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.
- classmethod del_pivot_shortcut(func_name: str)
Remove a pivot shortcut.
- Parameters
func_name (str) – The name of the shortcut function.
- Raises
AttributeError – The class does not have an attribute func_name
TypeError – The attribute to delete is not a pivot shortcut.
- property description_str: str
Return Entity Description.
- classmethod get_pivot_list() List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- has_edge(other)
Return True if node has an edge with other.
- classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]
Class factory to return entity from raw dictionary representation.
- Parameters
raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
entity_type (Optional[Type]) – The entity type to create, by default None.
- Returns
The instantiated entity
- Return type
- is_equivalent(other: Any) bool
Return True if the entities are equivalent.
- Parameters
other (Any) – The entity to check
- Returns
True if equivalent.
- Return type
bool
Notes
This method checks that the compared entities do not have any property values with conflicting values. For example, none of the following pairs conflict:
- self.A == other.A
- self.B == “xyz” and other.B == None
- self.C == [] and other.C == [1, 2, 3]
- list_pivot_funcs()
Print list of pivot functions assigned to entity.
- classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)
Add a shortcut to a pivot function to the class.
- Parameters
func_name (str) – The name of source pivot function.
target (str) – The shortcut name (this will be a member function of the class)
overwrite (bool, optional) – Force overwrite an existing pivot function, by default False
- Raises
AttributeError – The source function does not exist
TypeError – The source function is not a pivot function.
TypeError – The target attribute exists and is not a pivot function
AttributeError – The target function exists and ‘overwrite=True’ was not specified.
- merge(other: Any) msticpy.datamodel.entities.entity.Entity
Merge with other entity to create new entity.
- Returns
Merged entity.
- Return type
- Raises
AttributeError – If the entities cannot be merged.
- property name_str: str
Return Entity Name.
- property node_properties: Dict[str, Any]
Return all public properties that are not entities.
- Returns
Dictionary of name, value properties.
- Return type
Dict[str, Any]
- classmethod pivots() List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- property properties: dict
Return dictionary properties of entity.
- Returns
Entity properties.
- Return type
dict
- to_html() str
Return HTML representation of entity.
- Returns
HTML representation of entity
- Return type
str
- to_json()
Return object as a JSON string.
- to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) networkx.classes.graph.Graph
Return networkx graph of entities.
- Parameters
graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None
- Returns
Graph with entity and any connected entities.
- Return type
nx.Graph
msticpy.datamodel.entities.dns module
Dns Entity class.
- class msticpy.datamodel.entities.dns.Dns(src_entity: Optional[Mapping[str, Any]] = None, **kwargs)
Bases:
msticpy.datamodel.entities.entity.Entity
DNS Resolve Entity class.
- DomainName
DnsResolve DomainName
- Type
str
- IpAdresses
DnsResolve IpAdresses
- Type
List[str]
- DnsServerIp
DnsResolve DnsServerIp
- Type
IPAddress
- HostIpAddress
DnsResolve HostIpAddress
- Type
IPAddress
Create a new instance of the entity type.
- Parameters
src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)
kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.
- ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 
'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
- ID_PROPERTIES: List[str] = ['DomainName']
- JSONEncoder
alias of
msticpy.datamodel.entities.entity._EntityJSONEncoder
- add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)
Add an edge between self and target.
- Parameters
target (Node) – Target node.
edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
- can_merge(other: Any) bool
Return True if the entities can be merged.
- Parameters
other (Any) – The other entity (object) to check
- Returns
True if other has no conflicting properties.
- Return type
bool
- classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) msticpy.datamodel.entities.entity.Entity
Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.
- Returns
Instantiated entity
- Return type
Notes
The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.
- classmethod del_pivot_shortcut(func_name: str)
Remove a pivot shortcut.
- Parameters
func_name (str) – The name of the shortcut function.
- Raises
AttributeError – The class does not have an attribute func_name
TypeError – The attribute to delete is not a pivot shortcut.
- property description_str: str
Return Entity Description.
- classmethod get_pivot_list() List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- has_edge(other)
Return True if node has an edge with other.
- classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]
Class factory to return entity from raw dictionary representation.
- Parameters
raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
entity_type (Optional[Type]) – The entity type to create, by default None.
- Returns
The instantiated entity
- Return type
- is_equivalent(other: Any) bool
Return True if the entities are equivalent.
- Parameters
other (Any) – The entity to check
- Returns
True if equivalent.
- Return type
bool
Notes
This method checks that the compared entities do not have any property values with conflicting values. For example, none of the following pairs conflict:
- self.A == other.A
- self.B == “xyz” and other.B == None
- self.C == [] and other.C == [1, 2, 3]
- list_pivot_funcs()
Print list of pivot functions assigned to entity.
- classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)
Add a shortcut to a pivot function to the class.
- Parameters
func_name (str) – The name of source pivot function.
target (str) – The shortcut name (this will be a member function of the class)
overwrite (bool, optional) – Force overwrite an existing pivot function, by default False
- Raises
AttributeError – The source function does not exist
TypeError – The source function is not a pivot function.
TypeError – The target attribute exists and is not a pivot function
AttributeError – The target function exists and ‘overwrite=True’ was not specified.
- merge(other: Any) msticpy.datamodel.entities.entity.Entity
Merge with other entity to create new entity.
- Returns
Merged entity.
- Return type
- Raises
AttributeError – If the entities cannot be merged.
- property name_str: str
Return Entity Name.
- property node_properties: Dict[str, Any]
Return all public properties that are not entities.
- Returns
Dictionary of name, value properties.
- Return type
Dict[str, Any]
- classmethod pivots() List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- property properties: dict
Return dictionary properties of entity.
- Returns
Entity properties.
- Return type
dict
- to_html() str
Return HTML representation of entity.
- Returns
HTML representation of entity
- Return type
str
- to_json()
Return object as a JSON string.
- to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) networkx.classes.graph.Graph
Return networkx graph of entities.
- Parameters
graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None
- Returns
Graph with entity and any connected entities.
- Return type
nx.Graph
msticpy.datamodel.entities.entity module
Entity Entity class.
- class msticpy.datamodel.entities.entity.ContextObject
Bases:
object
Information object attached to entity but is not an Entity.
- class msticpy.datamodel.entities.entity.Entity(src_entity: Optional[Mapping[str, Any]] = None, **kwargs)
Bases:
abc.ABC, msticpy.datamodel.entities.entity_graph.Node
Entity abstract base class.
Implements common methods for Entity classes.
Create a new instance of an entity.
- Parameters
src_entity (Mapping[str, Any], optional) – If src_entity is supplied it attempts to extract common properties from the source entity and assign them to the new instance. (the default is None)
kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.
- ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 
'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
- ID_PROPERTIES: List[str] = []
- JSONEncoder
alias of
msticpy.datamodel.entities.entity._EntityJSONEncoder
- add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)
Add an edge between self and target.
- Parameters
target (Node) – Target node.
edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
- can_merge(other: Any) bool
Return True if the entities can be merged.
- Parameters
other (Any) – The other entity (object) to check
- Returns
True if other has no conflicting properties.
- Return type
bool
- classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) msticpy.datamodel.entities.entity.Entity
Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.
- Returns
Instantiated entity
- Return type
Notes
The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.
- classmethod del_pivot_shortcut(func_name: str)
Remove a pivot shortcut.
- Parameters
func_name (str) – The name of the shortcut function.
- Raises
AttributeError – The class does not have an attribute func_name
TypeError – The attribute to delete is not a pivot shortcut.
- property description_str: str
Return Entity Description.
- Returns
Entity description (optional). If not overridden by the Entity instance type, it will return the Type string.
- Return type
str
- classmethod get_pivot_list() List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- has_edge(other)
Return True if node has an edge with other.
- classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]
Class factory to return entity from raw dictionary representation.
- Parameters
raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
entity_type (Optional[Type]) – The entity type to create, by default None.
- Returns
The instantiated entity
- Return type
- is_equivalent(other: Any) bool
Return True if the entities are equivalent.
- Parameters
other (Any) – The entity to check
- Returns
True if equivalent.
- Return type
bool
Notes
This method checks that the compared entities do not have any property values with conflicting values. For example, none of the following pairs conflict:
- self.A == other.A
- self.B == “xyz” and other.B == None
- self.C == [] and other.C == [1, 2, 3]
- list_pivot_funcs()
Print list of pivot functions assigned to entity.
- classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)
Add a shortcut to a pivot function to the class.
- Parameters
func_name (str) – The name of source pivot function.
target (str) – The shortcut name (this will be a member function of the class)
overwrite (bool, optional) – Force overwrite an existing pivot function, by default False
- Raises
AttributeError – The source function does not exist
TypeError – The source function is not a pivot function.
TypeError – The target attribute exists and is not a pivot function
AttributeError – The target function exists and ‘overwrite=True’ was not specified.
- merge(other: Any) msticpy.datamodel.entities.entity.Entity
Merge with other entity to create new entity.
- Returns
Merged entity.
- Return type
- Raises
AttributeError – If the entities cannot be merged.
- property name_str: str
Return Entity Name.
- Returns
Entity Name (optional). If not overridden by the Entity instance type, it will return the class name string.
- Return type
str
- property node_properties: Dict[str, Any]
Return all public properties that are not entities.
- Returns
Dictionary of name, value properties.
- Return type
Dict[str, Any]
- classmethod pivots() List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- property properties: dict
Return dictionary properties of entity.
- Returns
Entity properties.
- Return type
dict
- to_html() str
Return HTML representation of entity.
- Returns
HTML representation of entity
- Return type
str
- to_json()
Return object as a JSON string.
- to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) networkx.classes.graph.Graph
Return networkx graph of entities.
- Parameters
graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None
- Returns
Graph with entity and any connected entities.
- Return type
nx.Graph
- msticpy.datamodel.entities.entity.camelcase_property_names(input_ent: Dict[str, Any]) Dict[str, Any]
Change the initial letter of Microsoft Sentinel API entity property names to upper case.
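The factory and merge rules documented for Entity above (instantiate_entity dispatching on the Type key through ENTITY_NAME_MAP, camelcase_property_names, can_merge/is_equivalent treating only two different non-empty values as a conflict, merge raising AttributeError otherwise), as an added stand-alone Python model. It is not msticpy's code and imports nothing from it; the Entity, Dns and IpAddress stand-ins and the alert entity sample are constructed for this example.

```python
"""Added example: stand-alone model of the documented Entity factory and
merge semantics. Not msticpy's implementation; nothing here imports msticpy."""
from __future__ import annotations

from typing import Any, Dict, List, Mapping, Optional, Type


def camelcase_property_names(input_ent: Mapping[str, Any]) -> Dict[str, Any]:
    """Upper-case the first letter of each key: Sentinel API entities use
    lower-case initial letters, entity classes use CamelCase property names."""
    return {key[:1].upper() + key[1:]: val for key, val in input_ent.items()}


def _is_empty(value: Any) -> bool:
    """None, empty string, empty list and empty dict never conflict."""
    return value is None or value == "" or value == [] or value == {}


class Entity:
    """Minimal stand-in for the documented Entity base class (constructed)."""

    ENTITY_NAME_MAP: Dict[str, Type["Entity"]] = {}
    ID_PROPERTIES: List[str] = []

    def __init__(self, src_entity: Optional[Mapping[str, Any]] = None, **kwargs):
        self.Type = self.__class__.__name__
        props = dict(src_entity or {})
        props.update(kwargs)
        for name, value in props.items():
            if name != "Type":
                setattr(self, name, value)

    @property
    def properties(self) -> Dict[str, Any]:
        return {k: v for k, v in vars(self).items() if not k.startswith("_")}

    @classmethod
    def instantiate_entity(cls, raw_entity: Mapping[str, Any],
                           entity_type: Optional[Type["Entity"]] = None):
        """Factory: choose the class from the 'Type' key via ENTITY_NAME_MAP.
        An unknown type returns the (camel-cased) raw mapping, as documented."""
        raw = camelcase_property_names(raw_entity)
        type_key = str(raw.get("Type", "")).lower()
        ent_cls = entity_type or Entity.ENTITY_NAME_MAP.get(type_key)
        if ent_cls is None:
            return raw
        return ent_cls(src_entity=raw)

    def can_merge(self, other: Any) -> bool:
        """True if no property is set to two different non-empty values."""
        if not isinstance(other, Entity) or other.Type != self.Type:
            return False
        for name, mine in self.properties.items():
            theirs = getattr(other, name, None)
            if _is_empty(mine) or _is_empty(theirs):
                continue  # "xyz" vs None, [] vs [1, 2, 3]: not a conflict
            if mine != theirs:
                return False  # two different concrete values: conflict
        return True

    is_equivalent = can_merge

    def merge(self, other: Any) -> "Entity":
        """Return a new entity carrying every non-empty value from both."""
        if not self.can_merge(other):
            raise AttributeError("entities cannot be merged")
        merged = dict(self.properties)
        for name, value in other.properties.items():
            if _is_empty(merged.get(name)):
                merged[name] = value
        return self.__class__(src_entity=merged)


class Dns(Entity):
    ID_PROPERTIES = ["DomainName"]


class IpAddress(Entity):
    ID_PROPERTIES = ["Address"]


# Same aliasing pattern as the documented ENTITY_NAME_MAP, reduced to two types.
Entity.ENTITY_NAME_MAP.update(
    {"dns": Dns, "dnsresolve": Dns, "ip": IpAddress, "ipaddress": IpAddress}
)

# Constructed sample, shaped like the entity list on a Sentinel alert: the same
# domain is reported twice (once without resolved addresses) plus an unknown type.
RAW_ALERT_ENTITIES: List[Dict[str, Any]] = [
    {"type": "dns", "domainName": "example.test", "ipAdresses": []},
    {"type": "ip", "address": "203.0.113.10"},
    {"type": "dnsresolve", "domainName": "example.test", "ipAdresses": ["203.0.113.10"]},
    {"type": "gadget", "name": "unknown-kind"},
]


def consolidate(raw_entities: List[Mapping[str, Any]]) -> List[Entity]:
    """Instantiate each raw entity and fold mergeable duplicates together."""
    out: List[Entity] = []
    for raw in raw_entities:
        ent = Entity.instantiate_entity(raw)
        if not isinstance(ent, Entity):
            continue  # unknown Type came back as a mapping; skipped here
        for idx, existing in enumerate(out):
            if existing.can_merge(ent):
                out[idx] = existing.merge(ent)
                break
        else:
            out.append(ent)
    return out
```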
msticpy.datamodel.entities.entity_enums module
Entity enumerations.
- class msticpy.datamodel.entities.entity_enums.Algorithm(value)
Bases:
enum.Enum
FileHash Algorithm Enumeration.
- MD5 = 1
- SHA1 = 2
- SHA256 = 3
- SHA256AC = 4
- Unknown = 0
- class msticpy.datamodel.entities.entity_enums.ElevationToken(value)
Bases:
enum.Enum
ElevationToken enumeration.
- Default = 0
- Full = 1
- Limited = 2
- class msticpy.datamodel.entities.entity_enums.OSFamily(value)
Bases:
enum.Enum
OSFamily enumeration.
- Linux = 0
- Windows = 1
- class msticpy.datamodel.entities.entity_enums.RegistryHive(value)
Bases:
enum.Enum
RegistryHive enumeration.
- HKEY_A = 8
- HKEY_CLASSES_ROOT = 1
- HKEY_CURRENT_CONFIG = 2
- HKEY_CURRENT_USER = 9
- HKEY_CURRENT_USER_LOCAL_SETTINGS = 4
- HKEY_LOCAL_MACHINE = 0
- HKEY_PERFORMANCE_DATA = 5
- HKEY_PERFORMANCE_NLSTEXT = 6
- HKEY_PERFORMANCE_TEXT = 7
- HKEY_USERS = 3
- property short_name: str
Return the key shortname.
msticpy.datamodel.entities.entity_graph module
Entity Graph classes.
- class msticpy.datamodel.entities.entity_graph.Edge(source: msticpy.datamodel.entities.entity_graph.Node, target: msticpy.datamodel.entities.entity_graph.Node, attrs: Optional[Dict[str, Any]] = None)
Bases:
object
Entity edge class.
Create a new edge between source and target.
- Parameters
- add_attr(name: str, value: Any)
Add an edge attribute.
- class msticpy.datamodel.entities.entity_graph.Node
Bases:
object
Entity node.
Initialize the node.
- add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)
Add an edge between self and target.
- Parameters
target (Node) – Target node.
edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
- has_edge(other)
Return True if node has an edge with other.
msticpy.datamodel.entities.file module
File Entity class.
- class msticpy.datamodel.entities.file.File(src_entity: Optional[Mapping[str, Any]] = None, src_event: Optional[Mapping[str, Any]] = None, role: str = 'new', **kwargs)
Bases:
msticpy.datamodel.entities.entity.Entity
File Entity class.
- FullPath
File FullPath
- Type
str
- Directory
File Directory
- Type
str
- Name
File Name
- Type
str
- Md5
File Md5
- Type
str
- Host
File Host
- Type
str
- Sha1
File Sha1
- Type
str
- Sha256
File Sha256
- Type
str
- Sha256Ac
File Sha256Ac
- Type
str
Create a new instance of the entity type.
- Parameters
src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)
src_event (Mapping[str, Any], optional) – Create entity from event properties (the default is None)
role (str, optional) – ‘new’ or ‘parent’ - only relevant if the entity is being constructed from an event. (the default is ‘new’)
kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.
- ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 
'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
- ID_PROPERTIES: List[str] = ['FullPath', 'Sha1', 'Sha256', 'Sha256ac', 'Md5']
- JSONEncoder: alias of msticpy.datamodel.entities.entity._EntityJSONEncoder
- add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)
Add an edge between self and target.
- Parameters
target (Node) – Target node.
edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
- can_merge(other: Any) → bool
Return True if the entities can be merged.
- Parameters
other (Any) – The other entity (object) to check
- Returns
True if other has no conflicting properties.
- Return type
bool
- classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity
Create an entity from a mapping type (e.g. pd.Series), a dict, or keyword arguments.
- Returns
Instantiated entity
- Return type
Entity
Notes
The entity type should be specified as “Type”, either as a key of src_entity or as a keyword argument.
- classmethod del_pivot_shortcut(func_name: str)
Remove a pivot shortcut.
- Parameters
func_name (str) – The name of the shortcut function.
- Raises
AttributeError – The class does not have an attribute func_name
TypeError – The attribute to delete is not a pivot shortcut.
- property description_str: str
Return Entity Description.
- edges: Set['Edge']
- property file_hash: Optional[str]
Return the first defined file hash.
- Returns
Returns first-defined file hash in order of SHA256, SHA1, MD5, SHA256AC (authenticode)
- Return type
Optional[str]
- classmethod get_pivot_list() → List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- has_edge(other)
Return True if node has an edge with other.
- classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]
Class factory to return an entity from its raw dictionary representation.
- Parameters
raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
entity_type (Optional[Type]) – The entity type to create, by default None.
- Returns
The instantiated entity
- Return type
Union[Entity, Mapping[str, Any]]
- is_equivalent(other: Any) → bool
Return True if the entities are equivalent.
- Parameters
other (Any) – The entity to check
- Returns
True if equivalent.
- Return type
bool
Notes
This method checks that the compared entities have no property set to conflicting values on both sides; a property that is unset (None or empty) on one side never conflicts. For example, each of the following pairs is treated as equivalent:
self.A == other.A
self.B == “xyz” and other.B == None
self.C == [] and other.C == [1, 2, 3]
- list_pivot_funcs()
Print list of pivot functions assigned to entity.
- classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)
Add a shortcut to a pivot function to the class.
- Parameters
func_name (str) – The name of source pivot function.
target (str) – The shortcut name (this will be a member function of the class)
overwrite (bool, optional) – Force overwrite an existing pivot function, by default False
- Raises
AttributeError – The source function does not exist
TypeError – The source function is not a pivot function.
TypeError – The target attribute exists and is not a pivot function
AttributeError – The target function exists and ‘overwrite=True’ was not specified.
- merge(other: Any) → msticpy.datamodel.entities.entity.Entity
Merge with another entity to create a new entity.
- Returns
Merged entity.
- Return type
Entity
- Raises
AttributeError – If the entities cannot be merged.
- property name_str: str
Return Entity Name.
- property node_properties: Dict[str, Any]
Return all public properties that are not entities.
- Returns
Dictionary of name, value properties.
- Return type
Dict[str, Any]
- property path_separator
Return the path separator used by the file.
- classmethod pivots() → List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- property properties: dict
Return dictionary properties of entity.
- Returns
Entity properties.
- Return type
dict
- to_html() → str
Return HTML representation of entity.
- Returns
HTML representation of entity
- Return type
str
- to_json()
Return object as a JSON string.
- to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) → networkx.classes.graph.Graph
Return networkx graph of entities.
- Parameters
graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None
- Returns
Graph with entity and any connected entities.
- Return type
nx.Graph
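The merge contract documented above for can_merge, is_equivalent and merge, together with the file_hash priority order, as an added stand-alone illustration. This is not msticpy's own implementation: entities are plain dicts, the helper names are constructed for this example, and the hash strings are constructed sample values rather than real indicators.

```python
from typing import Any, Dict, Optional, Tuple

# Entities are plain dicts here (msticpy uses Entity objects); property names
# follow the File entity above. Hash values are constructed samples, not IoCs.
ALERT_FILE: Dict[str, Any] = {
    "FullPath": "C:\\Users\\analyst\\Downloads\\invoice.exe",
    "Sha256": "ab" * 32,  # constructed
    "Sha1": None,
    "Md5": None,
}
PROCESS_FILE: Dict[str, Any] = {
    "FullPath": "C:\\Users\\analyst\\Downloads\\invoice.exe",
    "Sha256": None,
    "Md5": "cd" * 16,  # constructed
}
CONFLICTING_FILE: Dict[str, Any] = {
    "FullPath": "C:\\Users\\analyst\\Downloads\\invoice.exe",
    "Sha256": "ef" * 32,  # constructed: same path, different content
}

# Priority order documented for File.file_hash above.
FILE_HASH_PRIORITY = ("Sha256", "Sha1", "Md5", "Sha256ac")


def is_set(value: Any) -> bool:
    """Falsy values (None, "", [], {}) count as 'not set', as in the Notes."""
    return bool(value)


def is_equivalent(a: Dict[str, Any], b: Dict[str, Any]) -> bool:
    """True when no property is set to different values on both sides.

    The three cases from the Notes above are all non-conflicting:
      a["A"] == b["A"]
      a["B"] == "xyz" and b["B"] is None
      a["C"] == [] and b["C"] == [1, 2, 3]
    """
    for key in set(a) | set(b):
        va, vb = a.get(key), b.get(key)
        if is_set(va) and is_set(vb) and va != vb:
            return False
    return True


def can_merge(a: Dict[str, Any], b: Dict[str, Any]) -> bool:
    """Mirror the documented contract: mergeable iff equivalent."""
    return is_equivalent(a, b)


def merge(a: Dict[str, Any], b: Dict[str, Any]) -> Dict[str, Any]:
    """Return a new dict combining both sides; raise AttributeError on conflict."""
    if not can_merge(a, b):
        raise AttributeError("entities cannot be merged: conflicting properties")
    merged: Dict[str, Any] = {}
    for key in set(a) | set(b):
        va, vb = a.get(key), b.get(key)
        merged[key] = va if is_set(va) else vb
    return merged


def file_hash(entity: Dict[str, Any]) -> Optional[str]:
    """First set hash in SHA256, SHA1, MD5, SHA256AC order, else None."""
    for name in FILE_HASH_PRIORITY:
        if is_set(entity.get(name)):
            return entity[name]
    return None


def demo() -> Tuple[Dict[str, Any], bool]:
    """Merge the alert and process views of one file; report a conflict case."""
    merged = merge(ALERT_FILE, PROCESS_FILE)
    # A different Sha256 at the same path is a conflict: the two records
    # describe different file content, so they must not be merged silently.
    try:
        merge(ALERT_FILE, CONFLICTING_FILE)
        conflict_detected = False
    except AttributeError:
        conflict_detected = True
    return merged, conflict_detected


if __name__ == "__main__":
    result, detected = demo()
    print("merged:", result)
    print("file_hash:", file_hash(result))
    print("conflict detected:", detected)
```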
msticpy.datamodel.entities.file_hash module
FileHash Entity class.
- class msticpy.datamodel.entities.file_hash.FileHash(src_entity: Optional[Mapping[str, Any]] = None, src_event: Optional[Mapping[str, Any]] = None, **kwargs)
Bases:
msticpy.datamodel.entities.entity.Entity
File Hash class.
- Value
FileHash Value
- Type
str
Create a new instance of the entity type.
- Parameters
src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)
src_event (Mapping[str, Any], optional) – Create entity from event properties (the default is None)
kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.
- ENTITY_NAME_MAP: Dict[str, type] (inherited from Entity; identical to the first ENTITY_NAME_MAP listing on this page)
- ID_PROPERTIES: List[str] = ['Value']
- JSONEncoder: alias of msticpy.datamodel.entities.entity._EntityJSONEncoder
- add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)
Add an edge between self and target.
- Parameters
target (Node) – Target node.
edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
- can_merge(other: Any) → bool
Return True if the entities can be merged.
- Parameters
other (Any) – The other entity (object) to check
- Returns
True if other has no conflicting properties.
- Return type
bool
- classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity
Create an entity from a mapping type (e.g. pd.Series), a dict, or keyword arguments.
- Returns
Instantiated entity
- Return type
Entity
Notes
The entity type should be specified as “Type”, either as a key of src_entity or as a keyword argument.
- classmethod del_pivot_shortcut(func_name: str)
Remove a pivot shortcut.
- Parameters
func_name (str) – The name of the shortcut function.
- Raises
AttributeError – The class does not have an attribute func_name
TypeError – The attribute to delete is not a pivot shortcut.
- property description_str: str
Return Entity Description.
- edges: Set['Edge']
- classmethod get_pivot_list() → List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- has_edge(other)
Return True if node has an edge with other.
- classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]
Class factory to return an entity from its raw dictionary representation.
- Parameters
raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
entity_type (Optional[Type]) – The entity type to create, by default None.
- Returns
The instantiated entity
- Return type
Union[Entity, Mapping[str, Any]]
- is_equivalent(other: Any) → bool
Return True if the entities are equivalent.
- Parameters
other (Any) – The entity to check
- Returns
True if equivalent.
- Return type
bool
Notes
This method checks that the compared entities have no property set to conflicting values on both sides; a property that is unset (None or empty) on one side never conflicts. For example, each of the following pairs is treated as equivalent:
self.A == other.A
self.B == “xyz” and other.B == None
self.C == [] and other.C == [1, 2, 3]
- list_pivot_funcs()
Print list of pivot functions assigned to entity.
- classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)
Add a shortcut to a pivot function to the class.
- Parameters
func_name (str) – The name of source pivot function.
target (str) – The shortcut name (this will be a member function of the class)
overwrite (bool, optional) – Force overwrite an existing pivot function, by default False
- Raises
AttributeError – The source function does not exist
TypeError – The source function is not a pivot function.
TypeError – The target attribute exists and is not a pivot function
AttributeError – The target function exists and ‘overwrite=True’ was not specified.
- merge(other: Any) → msticpy.datamodel.entities.entity.Entity
Merge with another entity to create a new entity.
- Returns
Merged entity.
- Return type
Entity
- Raises
AttributeError – If the entities cannot be merged.
- property name_str: str
Return Entity Name.
- property node_properties: Dict[str, Any]
Return all public properties that are not entities.
- Returns
Dictionary of name, value properties.
- Return type
Dict[str, Any]
- classmethod pivots() → List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- property properties: dict
Return dictionary properties of entity.
- Returns
Entity properties.
- Return type
dict
- to_html() → str
Return HTML representation of entity.
- Returns
HTML representation of entity
- Return type
str
- to_json()
Return object as a JSON string.
- to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) → networkx.classes.graph.Graph
Return networkx graph of entities.
- Parameters
graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None
- Returns
Graph with entity and any connected entities.
- Return type
nx.Graph
msticpy.datamodel.entities.geo_location module
GeoLocation Entity class.
- class msticpy.datamodel.entities.geo_location.GeoLocation(src_entity: Optional[Mapping[str, Any]] = None, **kwargs)
Bases:
msticpy.datamodel.entities.entity.Entity, msticpy.datamodel.entities.entity.ContextObject
GeoLocation class.
- CountryCode
GeoLocation CountryCode
- Type
str
- CountryName
GeoLocation CountryName
- Type
str
- State
GeoLocation State
- Type
str
- City
GeoLocation City
- Type
str
- Longitude
GeoLocation Longitude
- Type
float
- Latitude
GeoLocation Latitude
- Type
float
- Asn
GeoLocation Asn
- Type
str
Create a new instance of the entity type.
- Parameters
src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)
kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.
- ENTITY_NAME_MAP: Dict[str, type] (inherited from Entity; identical to the first ENTITY_NAME_MAP listing on this page)
- ID_PROPERTIES: List[str] = ['Longitude', 'Latitude', 'City', 'State', 'CountryCode']
- JSONEncoder: alias of msticpy.datamodel.entities.entity._EntityJSONEncoder
- add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)
Add an edge between self and target.
- Parameters
target (Node) – Target node.
edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
- can_merge(other: Any) → bool
Return True if the entities can be merged.
- Parameters
other (Any) – The other entity (object) to check
- Returns
True if other has no conflicting properties.
- Return type
bool
- property coordinates: Tuple[float, float]
Return Latitude/Longitude as a tuple of floats.
- classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity
Create an entity from a mapping type (e.g. pd.Series), a dict, or keyword arguments.
- Returns
Instantiated entity
- Return type
Entity
Notes
The entity type should be specified as “Type”, either as a key of src_entity or as a keyword argument.
- classmethod del_pivot_shortcut(func_name: str)
Remove a pivot shortcut.
- Parameters
func_name (str) – The name of the shortcut function.
- Raises
AttributeError – The class does not have an attribute func_name
TypeError – The attribute to delete is not a pivot shortcut.
- property description_str: str
Return Entity Description.
- edges: Set['Edge']
- classmethod get_pivot_list() → List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- has_edge(other)
Return True if node has an edge with other.
- classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]
Class factory to return an entity from its raw dictionary representation.
- Parameters
raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
entity_type (Optional[Type]) – The entity type to create, by default None.
- Returns
The instantiated entity
- Return type
Union[Entity, Mapping[str, Any]]
- is_equivalent(other: Any) → bool
Return True if the entities are equivalent.
- Parameters
other (Any) – The entity to check
- Returns
True if equivalent.
- Return type
bool
Notes
This method checks that the compared entities have no property set to conflicting values on both sides; a property that is unset (None or empty) on one side never conflicts. For example, each of the following pairs is treated as equivalent:
self.A == other.A
self.B == “xyz” and other.B == None
self.C == [] and other.C == [1, 2, 3]
- list_pivot_funcs()
Print list of pivot functions assigned to entity.
- classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)
Add a shortcut to a pivot function to the class.
- Parameters
func_name (str) – The name of source pivot function.
target (str) – The shortcut name (this will be a member function of the class)
overwrite (bool, optional) – Force overwrite an existing pivot function, by default False
- Raises
AttributeError – The source function does not exist
TypeError – The source function is not a pivot function.
TypeError – The target attribute exists and is not a pivot function
AttributeError – The target function exists and ‘overwrite=True’ was not specified.
- merge(other: Any) → msticpy.datamodel.entities.entity.Entity
Merge with another entity to create a new entity.
- Returns
Merged entity.
- Return type
Entity
- Raises
AttributeError – If the entities cannot be merged.
- property name_str: str
Return Entity Name.
- property node_properties: Dict[str, Any]
Return all public properties that are not entities.
- Returns
Dictionary of name, value properties.
- Return type
Dict[str, Any]
- classmethod pivots() → List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- property properties: dict
Return dictionary properties of entity.
- Returns
Entity properties.
- Return type
dict
- to_html() → str
Return HTML representation of entity.
- Returns
HTML representation of entity
- Return type
str
- to_json()
Return object as a JSON string.
- to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) → networkx.classes.graph.Graph
Return networkx graph of entities.
- Parameters
graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None
- Returns
Graph with entity and any connected entities.
- Return type
nx.Graph
msticpy.datamodel.entities.graph_property module
Entity graph property.
- msticpy.datamodel.entities.graph_property.graph_property(name: str, prop_type: Union[type, str], edge_name: Optional[str] = None) → property
Property factory for graph_property.
msticpy.datamodel.entities.host module
Host Entity class.
- class msticpy.datamodel.entities.host.Host(src_entity: Optional[Mapping[str, Any]] = None, src_event: Optional[Mapping[str, Any]] = None, **kwargs)
Bases:
msticpy.datamodel.entities.entity.Entity
Host Entity class.
- DnsDomain
Host DnsDomain
- Type
str
- NTDomain
Host NTDomain
- Type
str
- HostName
Host HostName
- Type
str
- NetBiosName
Host NetBiosName
- Type
str
- AzureID
Host AzureID
- Type
str
- OMSAgentID
Host OMSAgentID
- Type
str
- OSFamily
Host OSFamily
- Type
str
- OSVersion
Host OSVersion
- Type
str
- IsDomainJoined
Host IsDomainJoined
- Type
bool
Create a new instance of the entity type.
- Parameters
src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)
src_event (Mapping[str, Any], optional) – Create entity from event properties (the default is None)
kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.
- ENTITY_NAME_MAP: Dict[str, type] (inherited from Entity; identical to the first ENTITY_NAME_MAP listing on this page)
- property FullName: Optional[str]
Return the full name of the host: either the FQDN or the NetBiosName.
- ID_PROPERTIES: List[str] = ['fqdn', 'AzureID', 'OMSAgentID']
- JSONEncoder: alias of msticpy.datamodel.entities.entity._EntityJSONEncoder
- add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)
Add an edge between self and target.
- Parameters
target (Node) – Target node.
edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
- can_merge(other: Any) → bool
Return True if the entities can be merged.
- Parameters
other (Any) – The other entity (object) to check
- Returns
True if other has no conflicting properties.
- Return type
bool
- property computer: Optional[str]
Return computer from source event.
- classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity
Create an entity from a mapping type (e.g. pd.Series), a dict, or keyword arguments.
- Returns
Instantiated entity
- Return type
Entity
Notes
The entity type should be specified as “Type”, either as a key of src_entity or as a keyword argument.
- classmethod del_pivot_shortcut(func_name: str)
Remove a pivot shortcut.
- Parameters
func_name (str) – The name of the shortcut function.
- Raises
AttributeError – The class does not have an attribute func_name
TypeError – The attribute to delete is not a pivot shortcut.
- property description_str: str
Return Entity Description.
- edges: Set['Edge']
- property fqdn: Optional[str]
Construct the FQDN from HostName + DnsDomain.
- classmethod get_pivot_list() → List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- has_edge(other)
Return True if node has an edge with other.
- classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]
Class factory to return an entity from its raw dictionary representation.
- Parameters
raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
entity_type (Optional[Type]) – The entity type to create, by default None.
- Returns
The instantiated entity
- Return type
Union[Entity, Mapping[str, Any]]
- is_equivalent(other: Any) → bool
Return True if the entities are equivalent.
- Parameters
other (Any) – The entity to check
- Returns
True if equivalent.
- Return type
bool
Notes
This method checks that the compared entities have no property set to conflicting values on both sides; a property that is unset (None or empty) on one side never conflicts. For example, each of the following pairs is treated as equivalent:
self.A == other.A
self.B == “xyz” and other.B == None
self.C == [] and other.C == [1, 2, 3]
- list_pivot_funcs()
Print list of pivot functions assigned to entity.
- classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)
Add a shortcut to a pivot function to the class.
- Parameters
func_name (str) – The name of source pivot function.
target (str) – The shortcut name (this will be a member function of the class)
overwrite (bool, optional) – Force overwrite an existing pivot function, by default False
- Raises
AttributeError – The source function does not exist
TypeError – The source function is not a pivot function.
TypeError – The target attribute exists and is not a pivot function
AttributeError – The target function exists and ‘overwrite=True’ was not specified.
- merge(other: Any) → msticpy.datamodel.entities.entity.Entity
Merge with another entity to create a new entity.
- Returns
Merged entity.
- Return type
Entity
- Raises
AttributeError – If the entities cannot be merged.
- property name_str: str
Return Entity Name.
- property node_properties: Dict[str, Any]
Return all public properties that are not entities.
- Returns
Dictionary of name, value properties.
- Return type
Dict[str, Any]
- classmethod pivots() → List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- property properties: dict
Return dictionary properties of entity.
- Returns
Entity properties.
- Return type
dict
- to_html() → str
Return HTML representation of entity.
- Returns
HTML representation of entity
- Return type
str
- to_json()
Return object as a JSON string.
- to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) → networkx.classes.graph.Graph
Return networkx graph of entities.
- Parameters
graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None
- Returns
Graph with entity and any connected entities.
- Return type
nx.Graph
msticpy.datamodel.entities.host_logon_session module
HostLogonSession Entity class.
- class msticpy.datamodel.entities.host_logon_session.HostLogonSession(src_entity: Optional[Mapping[str, Any]] = None, src_event: Optional[Mapping[str, Any]] = None, **kwargs)
Bases:
msticpy.datamodel.entities.entity.Entity
HostLogonSession Entity class.
- StartTimeUtc
HostLogonSession StartTimeUtc
- Type
datetime
- EndTimeUtc
HostLogonSession EndTimeUtc
- Type
datetime
- SessionId
HostLogonSession SessionId
- Type
str
Create a new instance of the entity type.
- Parameters
src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)
src_event (Mapping[str, Any], optional) – Create entity from event properties (the default is None)
kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.
- ENTITY_NAME_MAP: Dict[str, type] (inherited from Entity; identical to the first ENTITY_NAME_MAP listing on this page)
- ID_PROPERTIES: List[str] = ['Account', 'Host', 'SessionId']
- JSONEncoder
alias of
msticpy.datamodel.entities.entity._EntityJSONEncoder
- add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)
Add an edge between self and target.
- Parameters
target (Node) – Target node.
edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
- can_merge(other: Any) bool
Return True if the entities can be merged.
- Parameters
other (Any) – The other entity (object) to check
- Returns
True if other has no conflicting properties.
- Return type
bool
- classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) msticpy.datamodel.entities.entity.Entity
Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.
- Returns
Instantiated entity
- Return type
Notes
The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.
- classmethod del_pivot_shortcut(func_name: str)
Remove a pivot shortcut.
- Parameters
func_name (str) – The name of the shortcut function.
- Raises
AttributeError – The class does not have an attribute func_name
TypeError – The attribute to delete is not a pivot shortcut.
- property description_str: str
Return Entity Description.
- edges: Set['Edge']
- classmethod get_pivot_list() List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- has_edge(other)
Return True if node has an edge with other.
- classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]
Class factory to return entity from raw dictionary representation.
- Parameters
raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
entity_type (Optional[Type]) – The entity type to create, by default None.
- Returns
The instantiated entity
- Return type
- is_equivalent(other: Any) bool
Return True if the entities are equivalent.
- Parameters
other (Any) – The entity to check
- Returns
True if equivalent.
- Return type
bool
Notes
This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A; self.B == “xyz” and other.B == None; self.C == [] and other.C == [1, 2, 3].
- list_pivot_funcs()
Print list of pivot functions assigned to entity.
- classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)
Add a shortcut to a pivot function to the class.
- Parameters
func_name (str) – The name of source pivot function.
target (str) – The shortcut name (this will be a member function of the class)
overwrite (bool, optional) – Force overwrite an existing pivot function, by default False
- Raises
AttributeError – The source function does not exist
TypeError – The source function is not a pivot function.
TypeError – The target attribute exists and is not a pivot function
AttributeError – The target function exists and ‘overwrite=True’ was not specified.
- merge(other: Any) msticpy.datamodel.entities.entity.Entity
Merge with other entity to create new entity.
- Returns
Merged entity.
- Return type
- Raises
AttributeError – If the entities cannot be merged.
- property name_str: str
Return Entity Name.
- property node_properties: Dict[str, Any]
Return all public properties that are not entities.
- Returns
Dictionary of name, value properties.
- Return type
Dict[str, Any]
- classmethod pivots() List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- property properties: dict
Return dictionary properties of entity.
- Returns
Entity properties.
- Return type
dict
- to_html() str
Return HTML representation of entity.
- Returns
HTML representation of entity
- Return type
str
- to_json()
Return object as a JSON string.
- to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) networkx.classes.graph.Graph
Return networkx graph of entities.
- Parameters
graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None
- Returns
Graph with entity and any connected entities.
- Return type
nx.Graph
msticpy.datamodel.entities.iot_device module
IoTDevice Entity class.
- class msticpy.datamodel.entities.iot_device.IoTDevice(src_entity: Optional[Mapping[str, Any]] = None, **kwargs)
Bases:
msticpy.datamodel.entities.entity.Entity
IoTDevice Entity class.
- IoTHub
IoTHub of the IoT device
- Type
str
- DeviceId
DeviceId of the IoT device
- Type
str
- DeviceName
DeviceName of the IoT device
- Type
str
- IoTSecurityAgentId
IoTSecurityAgentId of the IoT device
- Type
str
- DeviceType
DeviceType of the IoT device
- Type
str
- Source
Source of the IoT device
- Type
str
- SourceRef
SourceRef of the IoT device
- Type
str
- Manufacturer
Manufacturer of the IoT device
- Type
str
- Model
Model of the IoT device
- Type
str
- OperatingSystem
OperatingSystem of the IoT device
- Type
str
- IpAddress
IpAddress of the IoT device
- Type
str
- MacAddress
MacAddress of the IoT device
- Type
str
- Protocols
Protocols of the IoT device
- Type
str
- SerialNumber
SerialNumber of the IoT device
- Type
str
Create a new instance of the entity type.
- Parameters
src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)
kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.
- ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
- ID_PROPERTIES: List[str] = ['IoTHub', 'DeviceId']
- JSONEncoder
alias of
msticpy.datamodel.entities.entity._EntityJSONEncoder
- add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)
Add an edge between self and target.
- Parameters
target (Node) – Target node.
edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
- can_merge(other: Any) bool
Return True if the entities can be merged.
- Parameters
other (Any) – The other entity (object) to check
- Returns
True if other has no conflicting properties.
- Return type
bool
- classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) msticpy.datamodel.entities.entity.Entity
Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.
- Returns
Instantiated entity
- Return type
Notes
The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.
- classmethod del_pivot_shortcut(func_name: str)
Remove a pivot shortcut.
- Parameters
func_name (str) – The name of the shortcut function.
- Raises
AttributeError – The class does not have an attribute func_name
TypeError – The attribute to delete is not a pivot shortcut.
- property description_str
Return Entity Description.
- edges: Set['Edge']
- classmethod get_pivot_list() List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- has_edge(other)
Return True if node has an edge with other.
- classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]
Class factory to return entity from raw dictionary representation.
- Parameters
raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
entity_type (Optional[Type]) – The entity type to create, by default None.
- Returns
The instantiated entity
- Return type
- is_equivalent(other: Any) bool
Return True if the entities are equivalent.
- Parameters
other (Any) – The entity to check
- Returns
True if equivalent.
- Return type
bool
Notes
This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A; self.B == “xyz” and other.B == None; self.C == [] and other.C == [1, 2, 3].
- list_pivot_funcs()
Print list of pivot functions assigned to entity.
- classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)
Add a shortcut to a pivot function to the class.
- Parameters
func_name (str) – The name of source pivot function.
target (str) – The shortcut name (this will be a member function of the class)
overwrite (bool, optional) – Force overwrite an existing pivot function, by default False
- Raises
AttributeError – The source function does not exist
TypeError – The source function is not a pivot function.
TypeError – The target attribute exists and is not a pivot function
AttributeError – The target function exists and ‘overwrite=True’ was not specified.
- merge(other: Any) msticpy.datamodel.entities.entity.Entity
Merge with other entity to create new entity.
- Returns
Merged entity.
- Return type
- Raises
AttributeError – If the entities cannot be merged.
- property name_str: str
Return Entity Name.
- property node_properties: Dict[str, Any]
Return all public properties that are not entities.
- Returns
Dictionary of name, value properties.
- Return type
Dict[str, Any]
- classmethod pivots() List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- property properties: dict
Return dictionary properties of entity.
- Returns
Entity properties.
- Return type
dict
- to_html() str
Return HTML representation of entity.
- Returns
HTML representation of entity
- Return type
str
- to_json()
Return object as a JSON string.
- to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) networkx.classes.graph.Graph
Return networkx graph of entities.
- Parameters
graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None
- Returns
Graph with entity and any connected entities.
- Return type
nx.Graph
msticpy.datamodel.entities.ip_address module
IpAddress Entity class.
- msticpy.datamodel.entities.ip_address.Ip
- class msticpy.datamodel.entities.ip_address.IpAddress(src_entity: Optional[Mapping[str, Any]] = None, src_event: Optional[Mapping[str, Any]] = None, **kwargs)
Bases:
msticpy.datamodel.entities.entity.Entity
IPAddress Entity class.
- Address
IpAddress Address
- Type
str
- Location
IpAddress Location
- Type
- ThreatIntelligence
IpAddress ThreatIntelligence
- Type
List[Threatintelligence]
Create a new instance of the entity type.
- Parameters
src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)
src_event (Mapping[str, Any], optional) – Create entity from event properties (the default is None)
kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.
- ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
- ID_PROPERTIES: List[str] = ['Address']
- JSONEncoder
alias of
msticpy.datamodel.entities.entity._EntityJSONEncoder
- add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)
Add an edge between self and target.
- Parameters
target (Node) – Target node.
edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
- can_merge(other: Any) bool
Return True if the entities can be merged.
- Parameters
other (Any) – The other entity (object) to check
- Returns
True if other has no conflicting properties.
- Return type
bool
- classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) msticpy.datamodel.entities.entity.Entity
Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.
- Returns
Instantiated entity
- Return type
Notes
The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.
- classmethod del_pivot_shortcut(func_name: str)
Remove a pivot shortcut.
- Parameters
func_name (str) – The name of the shortcut function.
- Raises
AttributeError – The class does not have an attribute func_name
TypeError – The attribute to delete is not a pivot shortcut.
- property description_str: str
Return Entity Description.
- edges: Set['Edge']
- classmethod get_pivot_list() List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- has_edge(other)
Return True if node has an edge with other.
- classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]
Class factory to return entity from raw dictionary representation.
- Parameters
raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
entity_type (Optional[Type]) – The entity type to create, by default None.
- Returns
The instantiated entity
- Return type
- property ip_address: Optional[Union[ipaddress.IPv4Address, ipaddress.IPv6Address]]
Return a python IP address object from the entity property.
- is_equivalent(other: Any) bool
Return True if the entities are equivalent.
- Parameters
other (Any) – The entity to check
- Returns
True if equivalent.
- Return type
bool
Notes
This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A; self.B == “xyz” and other.B == None; self.C == [] and other.C == [1, 2, 3].
- list_pivot_funcs()
Print list of pivot functions assigned to entity.
- classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)
Add a shortcut to a pivot function to the class.
- Parameters
func_name (str) – The name of source pivot function.
target (str) – The shortcut name (this will be a member function of the class)
overwrite (bool, optional) – Force overwrite an existing pivot function, by default False
- Raises
AttributeError – The source function does not exist
TypeError – The source function is not a pivot function.
TypeError – The target attribute exists and is not a pivot function
AttributeError – The target function exists and ‘overwrite=True’ was not specified.
- merge(other: Any) msticpy.datamodel.entities.entity.Entity
Merge with other entity to create new entity.
- Returns
Merged entity.
- Return type
- Raises
AttributeError – If the entities cannot be merged.
- property name_str: str
Return Entity Name.
- property node_properties: Dict[str, Any]
Return all public properties that are not entities.
- Returns
Dictionary of name, value properties.
- Return type
Dict[str, Any]
- classmethod pivots() List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- property properties: dict
Return dictionary properties of entity.
- Returns
Entity properties.
- Return type
dict
- to_html() str
Return HTML representation of entity.
- Returns
HTML representation of entity
- Return type
str
- to_json()
Return object as a JSON string.
- to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) networkx.classes.graph.Graph
Return networkx graph of entities.
- Parameters
graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None
- Returns
Graph with entity and any connected entities.
- Return type
nx.Graph
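The IpAddress entries above (create and instantiate_entity, is_equivalent and can_merge, merge, ID_PROPERTIES and the ip_address property) state the rules one at a time but not how they combine when an alert's entity list is normalised. The following is an added, stand-alone Python model of those documented rules; it is not msticpy's own code and msticpy's implementation may differ in detail. The Model-prefixed classes, the abbreviated ENTITY_NAME_MAP, dedupe_entities and the SAMPLE_ENTITIES list are all assumptions made for this example. It shows two records for the same address being folded into one, a device record with contradictory data being reported instead of merged, an unknown Type being handed back as the raw Mapping (the second branch of the documented Union return type), and an Address that does not parse yielding None from ip_address rather than raising.

```python
"""Added model of the documented entity rules (not msticpy code); msticpy may differ in detail."""
import ipaddress
from typing import Any, Dict, List, Mapping, Optional, Tuple, Union


class ModelEntity:
    ID_PROPERTIES: List[str] = []  # properties that identify an instance

    def __init__(self, **kwargs: Any) -> None:
        for key, value in kwargs.items():
            if key != "Type":  # 'Type' selects the class; it is not a property
                setattr(self, key, value)

    @property
    def properties(self) -> Dict[str, Any]:
        return {k: v for k, v in vars(self).items() if not k.startswith("_")}

    @staticmethod
    def _is_unset(value: Any) -> bool:
        # None, "", [] and {} mean "not known", so they never conflict with a value.
        return value is None or value == "" or value == [] or value == {}

    def is_equivalent(self, other: Any) -> bool:
        """False only if some property is set to different values on both sides.
        Per the Notes above: A == A, "xyz" vs None and [] vs [1, 2, 3] are all fine."""
        if type(other) is not type(self):
            return False
        mine, theirs = self.properties, other.properties
        for name in mine.keys() & theirs.keys():
            left, right = mine[name], theirs[name]
            if not self._is_unset(left) and not self._is_unset(right) and left != right:
                return False
        return True

    can_merge = is_equivalent  # documented with the same rule

    def merge(self, other: Any) -> "ModelEntity":
        """Return a new entity holding every known value from either side."""
        if not self.can_merge(other):
            raise AttributeError("entities have conflicting properties")
        combined = dict(other.properties)
        combined.update({k: v for k, v in self.properties.items() if not self._is_unset(v)})
        return type(self)(**combined)


class ModelIpAddress(ModelEntity):
    ID_PROPERTIES = ["Address"]  # as listed for IpAddress above

    @property
    def ip_address(self) -> Optional[Union[ipaddress.IPv4Address, ipaddress.IPv6Address]]:
        try:  # documented as Optional: an Address that does not parse yields None
            return ipaddress.ip_address(getattr(self, "Address", ""))
        except ValueError:
            return None


class ModelIoTDevice(ModelEntity):
    ID_PROPERTIES = ["IoTHub", "DeviceId"]  # as listed for IoTDevice above


# Lower-cased aliases, a subset of the page's ENTITY_NAME_MAP; anything else is unknown here.
ENTITY_NAME_MAP: Dict[str, type] = {
    "ip": ModelIpAddress, "ipaddress": ModelIpAddress, "iotdevice": ModelIoTDevice}


def instantiate_entity(raw: Mapping[str, Any]) -> Union[ModelEntity, Mapping[str, Any]]:
    """Class factory keyed on 'Type'; an unknown type is handed back as the raw mapping."""
    ent_cls = ENTITY_NAME_MAP.get(str(raw.get("Type", "")).lower())
    return raw if ent_cls is None else ent_cls(**raw)


def dedupe_entities(raw_entities: List[Mapping[str, Any]]):
    """Instantiate an alert's entities and fold duplicates (same class and ID_PROPERTIES)
    into one merged entity. Returns (entities, conflict_keys, raw_passthrough)."""
    merged: Dict[Tuple[str, Tuple[Any, ...]], ModelEntity] = {}
    conflicts, passthrough = [], []
    for raw in raw_entities:
        ent = instantiate_entity(raw)
        if not isinstance(ent, ModelEntity):
            passthrough.append(ent)  # the Mapping branch of the Union: caller must handle it
            continue
        key = (type(ent).__name__, tuple(getattr(ent, n, None) for n in ent.ID_PROPERTIES))
        if key not in merged:
            merged[key] = ent
        elif merged[key].can_merge(ent):
            merged[key] = merged[key].merge(ent)
        else:
            conflicts.append(key)  # same identity, contradictory data: never merge silently
    return list(merged.values()), conflicts, passthrough


# Constructed sample in the shape of an alert's entity list (not real data).
SAMPLE_ENTITIES = [
    {"Type": "ip", "Address": "203.0.113.7"},
    {"Type": "IpAddress", "Address": "203.0.113.7", "ThreatIntelligence": ["constructed-feed"]},
    {"Type": "ip", "Address": "2001:db8::10", "ThreatIntelligence": []},
    {"Type": "ip", "Address": "not-an-ip"},
    {"Type": "iotdevice", "IoTHub": "hub-east", "DeviceId": "pump-01", "Manufacturer": "Contoso"},
    {"Type": "iotdevice", "IoTHub": "hub-east", "DeviceId": "pump-01", "Manufacturer": "Fabrikam"},
    {"Type": "url", "Url": "https://example.invalid/"},
]
```

Running dedupe_entities(SAMPLE_ENTITIES) yields four entities (the two 203.0.113.7 records merged, with the ThreatIntelligence list carried over from the second), one conflict key for the pump-01 device whose Manufacturer differs between records, and the url mapping untouched. The conflict list is the point worth keeping in a triage notebook: merge raises AttributeError on conflicting data by design, so the caller decides whether contradictory records for one identity are noise or the finding itself.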
msticpy.datamodel.entities.mail_cluster module
MailCluster Entity class.
- class msticpy.datamodel.entities.mail_cluster.MailCluster(src_entity: Optional[Mapping[str, Any]] = None, src_event: Optional[Mapping[str, Any]] = None, **kwargs)
Bases:
msticpy.datamodel.entities.entity.Entity
MailCluster Entity class.
- NetworkMessageIds
NetworkMessageIds of the Mail cluster
- Type
List[str]
- CountByDeliveryStatus
CountByDeliveryStatus of the Mail cluster
- Type
Dict[str, int] = {}
- CountByThreatType
CountByThreatType of the Mail cluster
- Type
Dict[str, int] = {}
- CountByProtectionStatus
CountByProtectionStatus of the Mail cluster
- Type
Dict[str, int] = {}
- Threats
Threats of the Mail cluster
- Type
List[str]
- Query
Query of the Mail cluster
- Type
str
- QueryTime
QueryTime of the Mail cluster
- Type
datetime
- MailCount
MailCount of the Mail cluster
- Type
int
- IsVolumeAnomaly
IsVolumeAnomaly of the Mail cluster
- Type
bool
- Source
Source of the Mail cluster
- Type
str
- ClusterSourceIdentifier
ClusterSourceIdentifier of the Mail cluster
- Type
str
- ClusterSourceType
ClusterSourceType of the Mail cluster
- Type
str
- ClusterQueryStartTime
ClusterQueryStartTime of the Mail cluster
- Type
datetime
- ClusterQueryEndTime
ClusterQueryEndTime of the Mail cluster
- Type
datetime
- ClusterGroup
ClusterGroup of the Mail cluster
- Type
str
Create a new instance of the entity type.
- Parameters
src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)
src_event (Mapping[str, Any], optional) – Create entity from event properties (the default is None)
kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.
- ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
- ID_PROPERTIES: List[str] = ['Query', 'Source']
- JSONEncoder
alias of
msticpy.datamodel.entities.entity._EntityJSONEncoder
- add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)
Add an edge between self and target.
- Parameters
target (Node) – Target node.
edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
- can_merge(other: Any) bool
Return True if the entities can be merged.
- Parameters
other (Any) – The other entity (object) to check
- Returns
True if other has no conflicting properties.
- Return type
bool
- classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) msticpy.datamodel.entities.entity.Entity
Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.
- Returns
Instantiated entity
- Return type
Notes
The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.
- classmethod del_pivot_shortcut(func_name: str)
Remove a pivot shortcut.
- Parameters
func_name (str) – The name of the shortcut function.
- Raises
AttributeError – The class does not have an attribute func_name
TypeError – The attribute to delete is not a pivot shortcut.
- property description_str
Return Entity Description.
- edges: Set['Edge']
- classmethod get_pivot_list() List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- has_edge(other)
Return True if node has an edge with other.
- classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]
Class factory to return entity from raw dictionary representation.
- Parameters
raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
entity_type (Optional[Type]) – The entity type to create, by default None.
- Returns
The instantiated entity
- Return type
- is_equivalent(other: Any) bool
Return True if the entities are equivalent.
- Parameters
other (Any) – The entity to check
- Returns
True if equivalent.
- Return type
bool
Notes
This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A; self.B == “xyz” and other.B == None; self.C == [] and other.C == [1, 2, 3].
- list_pivot_funcs()
Print list of pivot functions assigned to entity.
- classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)
Add a shortcut to a pivot function to the class.
- Parameters
func_name (str) – The name of source pivot function.
target (str) – The shortcut name (this will be a member function of the class)
overwrite (bool, optional) – Force overwrite an existing pivot function, by default False
- Raises
AttributeError – The source function does not exist
TypeError – The source function is not a pivot function.
TypeError – The target attribute exists and is not a pivot function
AttributeError – The target function exists and ‘overwrite=True’ was not specified.
- merge(other: Any) msticpy.datamodel.entities.entity.Entity
Merge with other entity to create new entity.
- Returns
Merged entity.
- Return type
- Raises
AttributeError – If the entities cannot be merged.
- property name_str: str
Return Entity Name.
- property node_properties: Dict[str, Any]
Return all public properties that are not entities.
- Returns
Dictionary of name, value properties.
- Return type
Dict[str, Any]
- classmethod pivots() List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- property properties: dict
Return dictionary properties of entity.
- Returns
Entity properties.
- Return type
dict
- to_html() str
Return HTML representation of entity.
- Returns
HTML representation of entity
- Return type
str
- to_json()
Return object as a JSON string.
- to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) networkx.classes.graph.Graph
Return networkx graph of entities.
- Parameters
graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None
- Returns
Graph with entity and any connected entities.
- Return type
nx.Graph
msticpy.datamodel.entities.mail_message module
MailMessage Entity class.
- class msticpy.datamodel.entities.mail_message.MailMessage(src_entity: Optional[Mapping[str, Any]] = None, src_event: Optional[Mapping[str, Any]] = None, **kwargs)
Bases:
msticpy.datamodel.entities.entity.Entity
MailMessage Entity class.
- Recipient
Recipient of the Mail message
- Type
str
- Urls
Urls of the Mail message
- Type
List[str]
- Threats
Threats of the Mail message
- Type
List[str]
- Sender
Sender of the Mail message
- Type
str
- P1Sender
P1Sender of the Mail message
- Type
str
- P1SenderDisplayName
P1SenderDisplayName of the Mail message
- Type
str
- P1SenderDomain
P1SenderDomain of the Mail message
- Type
str
- SenderIP
SenderIP of the Mail message
- Type
str
- P2Sender
P2Sender of the Mail message
- Type
str
- P2SenderDisplayName
P2SenderDisplayName of the Mail message
- Type
str
- P2SenderDomain
P2SenderDomain of the Mail message
- Type
str
- ReceivedDate
ReceivedDate of the Mail message
- Type
datetime
- NetworkMessageId
NetworkMessageId of the Mail message
- Type
str
- InternetMessageId
InternetMessageId of the Mail message
- Type
str
- Subject
Subject of the Mail message
- Type
str
- BodyFingerprintBin1
BodyFingerprintBin1 of the Mail message
- Type
str
- BodyFingerprintBin2
BodyFingerprintBin2 of the Mail message
- Type
str
- BodyFingerprintBin3
BodyFingerprintBin3 of the Mail message
- Type
str
- BodyFingerprintBin4
BodyFingerprintBin4 of the Mail message
- Type
str
- BodyFingerprintBin5
BodyFingerprintBin5 of the Mail message
- Type
str
- AntispamDirection
AntispamDirection of the Mail message
- Type
str
- DeliveryAction
DeliveryAction of the Mail message
- Type
str
- DeliveryLocation
DeliveryLocation of the Mail message
- Type
str
- Language
Language of the Mail message
- Type
str
- ThreatDetectionMethods
ThreatDetectionMethods of the Mail message
- Type
str
Create a new instance of the entity type.
- Parameters
src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)
src_event (Mapping[str, Any], optional) – Create entity from event properties (the default is None)
kwargs (Dict[str, Any]) – Supply the entity properties as a set of keyword arguments.
- ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 
'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
- ID_PROPERTIES: List[str] = ['NetworkMessageId', 'Recipient']
- JSONEncoder
alias of
msticpy.datamodel.entities.entity._EntityJSONEncoder
- add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)
Add an edge between self and target.
- Parameters
target (Node) – Target node.
edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
- can_merge(other: Any) → bool
Return True if the entities can be merged.
- Parameters
other (Any) – The other entity (object) to check
- Returns
True if other has no conflicting properties.
- Return type
bool
- classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity
Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.
- Returns
Instantiated entity
- Return type
Entity
Notes
The entity type should be specified as "Type", either as a key of src_entity or as a keyword argument.
- classmethod del_pivot_shortcut(func_name: str)
Remove a pivot shortcut.
- Parameters
func_name (str) – The name of the shortcut function.
- Raises
AttributeError – The class does not have an attribute func_name
TypeError – The attribute to delete is not a pivot shortcut.
- property description_str
Return Entity Description.
- edges: Set['Edge']
- classmethod get_pivot_list() → List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- has_edge(other)
Return True if node has an edge with other.
- classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]
Class factory to return entity from raw dictionary representation.
- Parameters
raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
entity_type (Optional[Type]) – The entity type to create, by default None.
- Returns
The instantiated entity
- Return type
Union[Entity, Mapping[str, Any]]
- is_equivalent(other: Any) → bool
Return True if the entities are equivalent.
- Parameters
other (Any) – The entity to check
- Returns
True if equivalent.
- Return type
bool
Notes
This method checks that the compared entities do not have any property values that conflict. For example, none of these pairs conflict: self.A == other.A; self.B == "xyz" and other.B == None; self.C == [] and other.C == [1, 2, 3].
- list_pivot_funcs()
Print list of pivot functions assigned to entity.
- classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)
Add a shortcut to a pivot function to the class.
- Parameters
func_name (str) – The name of source pivot function.
target (str) – The shortcut name (this will be a member function of the class)
overwrite (bool, optional) – Force overwrite an existing pivot function, by default False
- Raises
AttributeError – The source function does not exist
TypeError – The source function is not a pivot function.
TypeError – The target attribute exists and is not a pivot function
AttributeError – The target function exists and overwrite=True was not specified.
- merge(other: Any) → msticpy.datamodel.entities.entity.Entity
Merge with other entity to create new entity.
- Returns
Merged entity.
- Return type
Entity
- Raises
AttributeError – If the entities cannot be merged.
- property name_str: str
Return Entity Name.
- property node_properties: Dict[str, Any]
Return all public properties that are not entities.
- Returns
Dictionary of name, value properties.
- Return type
Dict[str, Any]
- classmethod pivots() → List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- property properties: dict
Return dictionary properties of entity.
- Returns
Entity properties.
- Return type
dict
- to_html() → str
Return HTML representation of entity.
- Returns
HTML representation of entity
- Return type
str
- to_json()
Return object as a JSON string.
- to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) → networkx.classes.graph.Graph
Return networkx graph of entities.
- Parameters
graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None
- Returns
Graph with entity and any connected entities.
- Return type
nx.Graph
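The conflict rule stated in the Notes for is_equivalent, together with the can_merge and merge behaviour documented beside it (the same text is repeated for every entity class on this page), written out as a stand-alone re-implementation over MailMessage-shaped dictionaries. This is an added example, not msticpy's own code: the dict-based entities, the merge_duplicates helper and its shares_identity safeguard are assumptions of the example, and the alert fragments are constructed sample data.

```python
"""Re-implementation of the documented entity conflict rule (added example,
not msticpy's implementation). Entities are plain dicts; sample data is constructed."""
from typing import Any, Dict, List

# Property names come from the MailMessage entity documentation above.
MAIL_ID_PROPERTIES: List[str] = ["NetworkMessageId", "Recipient"]


def is_empty(value: Any) -> bool:
    """None, empty strings and empty containers carry no information, so they never conflict."""
    if value is None:
        return True
    if isinstance(value, (str, bytes, list, tuple, set, dict)):
        return len(value) == 0
    return False


def conflicting_properties(this: Dict[str, Any], other: Dict[str, Any]) -> List[str]:
    """Names of properties that are populated on both sides with unequal values.

    Encodes the documented rule: A == A, "xyz" vs None and [] vs [1, 2, 3]
    are all compatible; only two populated, differing values conflict.
    """
    conflicts: List[str] = []
    for name in sorted(set(this) | set(other)):
        mine, theirs = this.get(name), other.get(name)
        if is_empty(mine) or is_empty(theirs):
            continue
        if mine != theirs:
            conflicts.append(name)
    return conflicts


def is_equivalent(this: Dict[str, Any], other: Dict[str, Any]) -> bool:
    """Documented semantics: equivalent (and mergeable) when no property values conflict."""
    return not conflicting_properties(this, other)


def merge(this: Dict[str, Any], other: Dict[str, Any]) -> Dict[str, Any]:
    """Combine two compatible fragments, keeping whichever side carries a value.

    Raises AttributeError on conflicting properties, as the documented merge does.
    """
    conflicts = conflicting_properties(this, other)
    if conflicts:
        raise AttributeError(f"entities cannot be merged; conflicting: {conflicts}")
    merged: Dict[str, Any] = {}
    for name in set(this) | set(other):
        mine, theirs = this.get(name), other.get(name)
        merged[name] = theirs if is_empty(mine) else mine
    return merged


def shares_identity(this: Dict[str, Any], other: Dict[str, Any], id_props: List[str]) -> bool:
    """Added safeguard (an assumption of this example, not part of the documented rule):
    require at least one identifying property populated and equal on both sides, so two
    unrelated messages with disjoint properties are not folded together."""
    return any(
        not is_empty(this.get(prop)) and this.get(prop) == other.get(prop)
        for prop in id_props
    )


def merge_duplicates(entities: List[Dict[str, Any]], id_props: List[str]) -> List[Dict[str, Any]]:
    """Fold fragments of the same message (e.g. seen across several alerts) into one entity each."""
    result: List[Dict[str, Any]] = []
    for ent in entities:
        for idx, existing in enumerate(result):
            if shares_identity(existing, ent, id_props) and is_equivalent(existing, ent):
                result[idx] = merge(existing, ent)
                break
        else:
            result.append(dict(ent))
    return result


# Constructed fragments: one message surfaced by two alerts with partial
# properties, plus an unrelated message to the same recipient.
ALERT_A = {"NetworkMessageId": "nm-0001", "Recipient": "alice@example.com",
           "Sender": "billing@example.net", "Urls": [], "Threats": None}
ALERT_B = {"NetworkMessageId": "nm-0001", "Recipient": "alice@example.com",
           "Urls": ["https://example.net/invoice"], "Threats": ["Phish"],
           "DeliveryAction": "Delivered"}
OTHER_MSG = {"NetworkMessageId": "nm-0002", "Recipient": "alice@example.com",
             "Sender": "hr@example.com"}

if __name__ == "__main__":
    print(conflicting_properties(ALERT_A, OTHER_MSG))
    print(merge_duplicates([ALERT_A, ALERT_B, OTHER_MSG], MAIL_ID_PROPERTIES))
```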
msticpy.datamodel.entities.mailbox module
Mailbox Entity class.
- class msticpy.datamodel.entities.mailbox.Mailbox(src_entity: Optional[Mapping[str, Any]] = None, src_event: Optional[Mapping[str, Any]] = None, **kwargs)
Bases:
msticpy.datamodel.entities.entity.Entity
Mailbox Entity class.
- MailboxPrimaryAddress
PrimaryAddress of the Mailbox
- Type
str
- DisplayName
DisplayName of the Mailbox
- Type
str
- Upn
Upn of the Mailbox
- Type
str
- ExternalDirectoryObjectId
ExternalDirectoryObjectId of the Mailbox
- Type
str
- RiskLevel
RiskLevel of the Mailbox
- Type
str
Create a new instance of the entity type.
- Parameters
src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)
src_event (Mapping[str, Any], optional) – Create entity from event properties (the default is None)
kwargs (Dict[str, Any]) – Supply the entity properties as a set of keyword arguments.
- ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 
'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
- ID_PROPERTIES: List[str] = ['MailboxPrimaryAddress']
- JSONEncoder
alias of
msticpy.datamodel.entities.entity._EntityJSONEncoder
- add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)
Add an edge between self and target.
- Parameters
target (Node) – Target node.
edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
- can_merge(other: Any) → bool
Return True if the entities can be merged.
- Parameters
other (Any) – The other entity (object) to check
- Returns
True if other has no conflicting properties.
- Return type
bool
- classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity
Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.
- Returns
Instantiated entity
- Return type
Entity
Notes
The entity type should be specified as "Type", either as a key of src_entity or as a keyword argument.
- classmethod del_pivot_shortcut(func_name: str)
Remove a pivot shortcut.
- Parameters
func_name (str) – The name of the shortcut function.
- Raises
AttributeError – The class does not have an attribute func_name
TypeError – The attribute to delete is not a pivot shortcut.
- property description_str
Return Entity Description.
- edges: Set['Edge']
- classmethod get_pivot_list() → List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- has_edge(other)
Return True if node has an edge with other.
- classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]
Class factory to return entity from raw dictionary representation.
- Parameters
raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
entity_type (Optional[Type]) – The entity type to create, by default None.
- Returns
The instantiated entity
- Return type
Union[Entity, Mapping[str, Any]]
- is_equivalent(other: Any) → bool
Return True if the entities are equivalent.
- Parameters
other (Any) – The entity to check
- Returns
True if equivalent.
- Return type
bool
Notes
This method checks that the compared entities do not have any property values that conflict. For example, none of these pairs conflict: self.A == other.A; self.B == "xyz" and other.B == None; self.C == [] and other.C == [1, 2, 3].
- list_pivot_funcs()
Print list of pivot functions assigned to entity.
- classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)
Add a shortcut to a pivot function to the class.
- Parameters
func_name (str) – The name of source pivot function.
target (str) – The shortcut name (this will be a member function of the class)
overwrite (bool, optional) – Force overwrite an existing pivot function, by default False
- Raises
AttributeError – The source function does not exist
TypeError – The source function is not a pivot function.
TypeError – The target attribute exists and is not a pivot function
AttributeError – The target function exists and overwrite=True was not specified.
- merge(other: Any) → msticpy.datamodel.entities.entity.Entity
Merge with other entity to create new entity.
- Returns
Merged entity.
- Return type
Entity
- Raises
AttributeError – If the entities cannot be merged.
- property name_str: str
Return Entity Name.
- property node_properties: Dict[str, Any]
Return all public properties that are not entities.
- Returns
Dictionary of name, value properties.
- Return type
Dict[str, Any]
- classmethod pivots() → List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- property properties: dict
Return dictionary properties of entity.
- Returns
Entity properties.
- Return type
dict
- to_html() → str
Return HTML representation of entity.
- Returns
HTML representation of entity
- Return type
str
- to_json()
Return object as a JSON string.
- to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) → networkx.classes.graph.Graph
Return networkx graph of entities.
- Parameters
graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None
- Returns
Graph with entity and any connected entities.
- Return type
nx.Graph
msticpy.datamodel.entities.malware module
Malware Entity class.
- class msticpy.datamodel.entities.malware.Malware(src_entity: Optional[Mapping[str, Any]] = None, **kwargs)
Bases:
msticpy.datamodel.entities.entity.Entity
Malware Entity class.
- Name
Malware Name
- Type
str
- Category
Malware Category
- Type
str
Create a new instance of the entity type.
- Parameters
src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)
kwargs (Dict[str, Any]) – Supply the entity properties as a set of keyword arguments.
- ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 
'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
- ID_PROPERTIES: List[str] = ['Name']
- JSONEncoder
alias of
msticpy.datamodel.entities.entity._EntityJSONEncoder
- add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)
Add an edge between self and target.
- Parameters
target (Node) – Target node.
edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
- can_merge(other: Any) → bool
Return True if the entities can be merged.
- Parameters
other (Any) – The other entity (object) to check
- Returns
True if other has no conflicting properties.
- Return type
bool
- classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity
Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.
- Returns
Instantiated entity
- Return type
Entity
Notes
The entity type should be specified as "Type", either as a key of src_entity or as a keyword argument.
- classmethod del_pivot_shortcut(func_name: str)
Remove a pivot shortcut.
- Parameters
func_name (str) – The name of the shortcut function.
- Raises
AttributeError – The class does not have an attribute func_name
TypeError – The attribute to delete is not a pivot shortcut.
- property description_str: str
Return Entity Description.
- edges: Set['Edge']
- classmethod get_pivot_list() → List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- has_edge(other)
Return True if node has an edge with other.
- classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]
Class factory to return entity from raw dictionary representation.
- Parameters
raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
entity_type (Optional[Type]) – The entity type to create, by default None.
- Returns
The instantiated entity
- Return type
Union[Entity, Mapping[str, Any]]
- is_equivalent(other: Any) → bool
Return True if the entities are equivalent.
- Parameters
other (Any) – The entity to check
- Returns
True if equivalent.
- Return type
bool
Notes
This method checks that the compared entities do not have any property values that conflict. For example, none of these pairs conflict: self.A == other.A; self.B == "xyz" and other.B == None; self.C == [] and other.C == [1, 2, 3].
- list_pivot_funcs()
Print list of pivot functions assigned to entity.
- classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)
Add a shortcut to a pivot function to the class.
- Parameters
func_name (str) – The name of source pivot function.
target (str) – The shortcut name (this will be a member function of the class)
overwrite (bool, optional) – Force overwrite an existing pivot function, by default False
- Raises
AttributeError – The source function does not exist
TypeError – The source function is not a pivot function.
TypeError – The target attribute exists and is not a pivot function
AttributeError – The target function exists and overwrite=True was not specified.
- merge(other: Any) → msticpy.datamodel.entities.entity.Entity
Merge with other entity to create new entity.
- Returns
Merged entity.
- Return type
Entity
- Raises
AttributeError – If the entities cannot be merged.
- property name_str: str
Return Entity Name.
- property node_properties: Dict[str, Any]
Return all public properties that are not entities.
- Returns
Dictionary of name, value properties.
- Return type
Dict[str, Any]
- classmethod pivots() → List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- property properties: dict
Return dictionary properties of entity.
- Returns
Entity properties.
- Return type
dict
- to_html() → str
Return HTML representation of entity.
- Returns
HTML representation of entity
- Return type
str
- to_json()
Return object as a JSON string.
- to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) → networkx.classes.graph.Graph
Return networkx graph of entities.
- Parameters
graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None
- Returns
Graph with entity and any connected entities.
- Return type
nx.Graph
msticpy.datamodel.entities.network_connection module
NetworkConnection Entity class.
- class msticpy.datamodel.entities.network_connection.NetworkConnection(src_entity: Optional[Mapping[str, Any]] = None, **kwargs)
Bases:
msticpy.datamodel.entities.entity.Entity
NetworkConnection Entity class.
- SourceAddress
NetworkConnection SourceAddress
- Type
IPAddress
- SourcePort
NetworkConnection SourcePort
- Type
int
- DestinationAddress
NetworkConnection DestinationAddress
- Type
IPAddress
- DestinationPort
NetworkConnection DestinationPort
- Type
int
- Protocol
NetworkConnection Protocol
- Type
str
Create a new instance of the entity type.
- Parameters
src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)
kwargs (Dict[str, Any]) – Supply the entity properties as a set of keyword arguments.
- ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 
'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
- ID_PROPERTIES: List[str] = ['SourceAddress', 'SourcePort', 'DestinationAddress', 'DestinationPort']
- JSONEncoder
alias of
msticpy.datamodel.entities.entity._EntityJSONEncoder
- add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)
Add an edge between self and target.
- Parameters
target (Node) – Target node.
edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
- can_merge(other: Any) → bool
Return True if the entities can be merged.
- Parameters
other (Any) – The other entity (object) to check
- Returns
True if other has no conflicting properties.
- Return type
bool
- classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity
Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.
- Returns
Instantiated entity
- Return type
Entity
Notes
The entity type should be specified as "Type", either as a key of src_entity or as a keyword argument.
- classmethod del_pivot_shortcut(func_name: str)
Remove a pivot shortcut.
- Parameters
func_name (str) – The name of the shortcut function.
- Raises
AttributeError – The class does not have an attribute func_name
TypeError – The attribute to delete is not a pivot shortcut.
- property description_str: str
Return Entity Description.
- edges: Set['Edge']
- classmethod get_pivot_list() → List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- has_edge(other)
Return True if node has an edge with other.
- classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]
Class factory to return entity from raw dictionary representation.
- Parameters
raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
entity_type (Optional[Type]) – The entity type to create, by default None.
- Returns
The instantiated entity
- Return type
Union[Entity, Mapping[str, Any]]
- is_equivalent(other: Any) → bool
Return True if the entities are equivalent.
- Parameters
other (Any) – The entity to check
- Returns
True if equivalent.
- Return type
bool
Notes
This method checks that the compared entities have no property with conflicting values. Two values do not conflict when they are equal, or when one side is empty (None, an empty string or an empty collection), e.g. self.A == other.A; self.B == “xyz” and other.B == None; self.C == [] and other.C == [1, 2, 3].
- list_pivot_funcs()
Print list of pivot functions assigned to entity.
- classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)
Add a shortcut to a pivot function to the class.
- Parameters
func_name (str) – The name of source pivot function.
target (str) – The shortcut name (this will be a member function of the class)
overwrite (bool, optional) – Force overwrite an existing pivot function, by default False
- Raises
AttributeError – The source function does not exist
TypeError – The source function is not a pivot function.
TypeError – The target attribute exists and is not a pivot function
AttributeError – The target function exists and ‘overwrite=True’ was not specified.
- merge(other: Any) msticpy.datamodel.entities.entity.Entity
Merge with other entity to create new entity.
- Returns
Merged entity.
- Return type
- Raises
AttributeError – If the entities cannot be merged.
- property name_str: str
Return Entity Name.
- property node_properties: Dict[str, Any]
Return all public properties that are not entities.
- Returns
Dictionary of name, value properties.
- Return type
Dict[str, Any]
- classmethod pivots() List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- property properties: dict
Return dictionary properties of entity.
- Returns
Entity properties.
- Return type
dict
- to_html() str
Return HTML representation of entity.
- Returns
HTML representation of entity
- Return type
str
- to_json()
Return object as a JSON string.
- to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) networkx.classes.graph.Graph
Return networkx graph of entities.
- Parameters
graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None
- Returns
Graph with entity and any connected entities.
- Return type
nx.Graph
msticpy.datamodel.entities.process module
Process Entity class.
- class msticpy.datamodel.entities.process.Process(src_entity: Optional[Mapping[str, Any]] = None, src_event: Optional[Mapping[str, Any]] = None, role='new', **kwargs)
Bases:
msticpy.datamodel.entities.entity.Entity
Process Entity class.
- ProcessId
Process ProcessId
- Type
str
- CommandLine
Process CommandLine
- Type
str
- ElevationToken
Process ElevationToken
- Type
str
- CreationTimeUtc
Process CreationTimeUtc
- Type
datetime
- LogonSession
Process LogonSession
- Type
Create a new instance of the entity type.
- Parameters
src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)
src_event (Mapping[str, Any], optional) – Create entity from event properties (the default is None)
role (str, optional) – ‘new’ or ‘parent’ - only relevant if the entity is being constructed from an event. (the default is ‘new’)
kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.
- ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 
'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
- ID_PROPERTIES: List[str] = ['ProcessId', 'ImageFile', 'CreationTimeUtc', 'CommandLine']
- JSONEncoder
alias of
msticpy.datamodel.entities.entity._EntityJSONEncoder
- property ProcessFilePath: Optional[str]
Return the name of the process file path.
- property ProcessName: Optional[str]
Return the name of the process file.
- add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)
Add an edge between self and target.
- Parameters
target (Node) – Target node.
edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
- can_merge(other: Any) bool
Return True if the entities can be merged.
- Parameters
other (Any) – The other entity (object) to check
- Returns
True if other has no conflicting properties.
- Return type
bool
- classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) msticpy.datamodel.entities.entity.Entity
Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.
- Returns
Instantiated entity
- Return type
Notes
The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.
- classmethod del_pivot_shortcut(func_name: str)
Remove a pivot shortcut.
- Parameters
func_name (str) – The name of the shortcut function.
- Raises
AttributeError – The class does not have an attribute func_name
TypeError – The attribute to delete is not a pivot shortcut.
- property description_str: str
Return Entity Description.
- edges: Set['Edge']
- classmethod get_pivot_list() List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- has_edge(other)
Return True if node has an edge with other.
- classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]
Class factory to return entity from raw dictionary representation.
- Parameters
raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
entity_type (Optional[Type]) – The entity type to create, by default None.
- Returns
The instantiated entity
- Return type
- is_equivalent(other: Any) bool
Return True if the entities are equivalent.
- Parameters
other (Any) – The entity to check
- Returns
True if equivalent.
- Return type
bool
Notes
This method checks that the compared entities have no property with conflicting values. Two values do not conflict when they are equal, or when one side is empty (None, an empty string or an empty collection), e.g. self.A == other.A; self.B == “xyz” and other.B == None; self.C == [] and other.C == [1, 2, 3].
- list_pivot_funcs()
Print list of pivot functions assigned to entity.
- classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)
Add a shortcut to a pivot function to the class.
- Parameters
func_name (str) – The name of source pivot function.
target (str) – The shortcut name (this will be a member function of the class)
overwrite (bool, optional) – Force overwrite an existing pivot function, by default False
- Raises
AttributeError – The source function does not exist
TypeError – The source function is not a pivot function.
TypeError – The target attribute exists and is not a pivot function
AttributeError – The target function exists and ‘overwrite=True’ was not specified.
- merge(other: Any) msticpy.datamodel.entities.entity.Entity
Merge with other entity to create new entity.
- Returns
Merged entity.
- Return type
- Raises
AttributeError – If the entities cannot be merged.
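The can_merge, is_equivalent and merge entries above (the same rules are documented for every entity class on this page) describe a single test, "no property holds conflicting values", and a merge built on it. What follows is an added, stand-alone Python model of those rules written for this page; it is not msticpy's implementation and does not import msticpy. Only the Process ID_PROPERTIES list is taken from the page. The empty-value rule (None, "" and empty containers count as no information), the same_identity and merge_observations helpers, and the three sample Process records are this example's own assumptions.

```python
"""Stand-alone model of the entity equivalence and merge rules documented on this page.

Added example for this page; this is NOT msticpy's implementation and does not
import msticpy. The sample Process records below are constructed for the example.
"""
from typing import Any, Dict, List, Sequence

# Identifying properties of the Process entity, as listed under ID_PROPERTIES above.
PROCESS_ID_PROPERTIES: List[str] = ["ProcessId", "ImageFile", "CreationTimeUtc", "CommandLine"]

Entity = Dict[str, Any]


def _is_empty(value: Any) -> bool:
    """Treat None, "" and empty containers as 'no information' (this example's assumption)."""
    return value is None or value == "" or value == [] or value == {}


def properties_conflict(a: Entity, b: Entity) -> List[str]:
    """Names of properties that are set on both sides with different values.

    Mirrors the documented rule: equal values, or one side empty, never conflict
    (self.B == "xyz" vs other.B == None, self.C == [] vs other.C == [1, 2, 3]).
    """
    conflicts = []
    for name in set(a) | set(b):
        left, right = a.get(name), b.get(name)
        if _is_empty(left) or _is_empty(right):
            continue
        if left != right:
            conflicts.append(name)
    return sorted(conflicts)


def can_merge(a: Entity, b: Entity) -> bool:
    """True if the two records have no conflicting properties (the is_equivalent / can_merge test)."""
    return not properties_conflict(a, b)


def same_identity(a: Entity, b: Entity, id_properties: Sequence[str] = PROCESS_ID_PROPERTIES) -> bool:
    """True if every identifying property present on both sides agrees, and at least one is present.

    Because ImageFile and CreationTimeUtc are identifying, a reused PID with a
    different image or start time is a different process, not a merge candidate.
    """
    shared = [p for p in id_properties if not _is_empty(a.get(p)) and not _is_empty(b.get(p))]
    return bool(shared) and all(a[p] == b[p] for p in shared)


def merge(a: Entity, b: Entity) -> Entity:
    """Combine two records, filling empty properties of `a` from `b`; AttributeError on conflict."""
    conflicts = properties_conflict(a, b)
    if conflicts:
        raise AttributeError(f"entities cannot be merged, conflicting properties: {conflicts}")
    merged = dict(a)
    for name, value in b.items():
        if _is_empty(merged.get(name)):
            merged[name] = value
    return merged


def merge_observations(records: Sequence[Entity],
                       id_properties: Sequence[str] = PROCESS_ID_PROPERTIES) -> List[Entity]:
    """Greedily fold partial observations of the same process into one record each."""
    clusters: List[Entity] = []
    for record in records:
        for i, cluster in enumerate(clusters):
            if same_identity(cluster, record, id_properties) and can_merge(cluster, record):
                clusters[i] = merge(cluster, record)
                break
        else:  # no existing cluster matched: start a new one
            clusters.append(dict(record))
    return clusters


# Constructed sample observations of processes on one host (not real log data).
PROC_CREATE: Entity = {  # from a process-creation event: full command line, no token info
    "ProcessId": "0x1a2c", "ImageFile": r"C:\Windows\System32\cmd.exe",
    "CommandLine": "cmd.exe /c whoami", "CreationTimeUtc": "2023-05-01T10:00:00Z",
    "ElevationToken": "",
}
PROC_FROM_NET: Entity = {  # same process seen in a network event: no command line
    "ProcessId": "0x1a2c", "ImageFile": r"C:\Windows\System32\cmd.exe",
    "CommandLine": None, "CreationTimeUtc": "2023-05-01T10:00:00Z",
    "ElevationToken": "Limited",
}
PROC_REUSED_PID: Entity = {  # later process that received the same PID after cmd.exe exited
    "ProcessId": "0x1a2c", "ImageFile": r"C:\Windows\System32\notepad.exe",
    "CommandLine": "notepad.exe", "CreationTimeUtc": "2023-05-01T11:30:00Z",
    "ElevationToken": "Limited",
}

if __name__ == "__main__":
    for cluster in merge_observations([PROC_CREATE, PROC_FROM_NET, PROC_REUSED_PID]):
        print(cluster["ImageFile"], cluster["CommandLine"], cluster["ElevationToken"])
```

The practical caveat this shows is process identity: ProcessId alone is not an identity, which is why the Process ID_PROPERTIES also carry ImageFile, CreationTimeUtc and CommandLine. The two cmd.exe observations fold into one record (the command line from the creation event, the token from the network event), while the later notepad.exe that reused the PID conflicts on three identifying properties and stays a separate entity; merging it anyway would attribute one process's network activity to another.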
- property name_str: str
Return Entity Name.
- property node_properties: Dict[str, Any]
Return all public properties that are not entities.
- Returns
Dictionary of name, value properties.
- Return type
Dict[str, Any]
- classmethod pivots() List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- property properties: dict
Return dictionary properties of entity.
- Returns
Entity properties.
- Return type
dict
- to_html() str
Return HTML representation of entity.
- Returns
HTML representation of entity
- Return type
str
- to_json()
Return object as a JSON string.
- to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) networkx.classes.graph.Graph
Return networkx graph of entities.
- Parameters
graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None
- Returns
Graph with entity and any connected entities.
- Return type
nx.Graph
msticpy.datamodel.entities.registry_key module
RegistryKey Entity class.
- class msticpy.datamodel.entities.registry_key.RegistryKey(src_entity: Optional[Mapping[str, Any]] = None, **kwargs)
Bases:
msticpy.datamodel.entities.entity.Entity
RegistryKey Entity class.
- Hive
RegistryKey Hive
- Type
- Key
RegistryKey Key
- Type
str
Create a new instance of the entity type.
- Parameters
src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)
kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.
- ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 
'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
- ID_PROPERTIES: List[str] = ['Hive', 'Key']
- JSONEncoder
alias of
msticpy.datamodel.entities.entity._EntityJSONEncoder
- add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)
Add an edge between self and target.
- Parameters
target (Node) – Target node.
edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
- can_merge(other: Any) bool
Return True if the entities can be merged.
- Parameters
other (Any) – The other entity (object) to check
- Returns
True if other has no conflicting properties.
- Return type
bool
- classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) msticpy.datamodel.entities.entity.Entity
Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.
- Returns
Instantiated entity
- Return type
Notes
The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.
- classmethod del_pivot_shortcut(func_name: str)
Remove a pivot shortcut.
- Parameters
func_name (str) – The name of the shortcut function.
- Raises
AttributeError – The class does not have an attribute func_name
TypeError – The attribute to delete is not a pivot shortcut.
- property description_str: str
Return Entity Description.
- edges: Set['Edge']
- classmethod get_pivot_list() List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- has_edge(other)
Return True if node has an edge with other.
- classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]
Class factory to return entity from raw dictionary representation.
- Parameters
raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
entity_type (Optional[Type]) – The entity type to create, by default None.
- Returns
The instantiated entity
- Return type
- is_equivalent(other: Any) bool
Return True if the entities are equivalent.
- Parameters
other (Any) – The entity to check
- Returns
True if equivalent.
- Return type
bool
Notes
This method checks that the compared entities have no property with conflicting values. Two values do not conflict when they are equal, or when one side is empty (None, an empty string or an empty collection), e.g. self.A == other.A; self.B == “xyz” and other.B == None; self.C == [] and other.C == [1, 2, 3].
- list_pivot_funcs()
Print list of pivot functions assigned to entity.
- classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)
Add a shortcut to a pivot function to the class.
- Parameters
func_name (str) – The name of source pivot function.
target (str) – The shortcut name (this will be a member function of the class)
overwrite (bool, optional) – Force overwrite an existing pivot function, by default False
- Raises
AttributeError – The source function does not exist
TypeError – The source function is not a pivot function.
TypeError – The target attribute exists and is not a pivot function
AttributeError – The target function exists and ‘overwrite=True’ was not specified.
- merge(other: Any) msticpy.datamodel.entities.entity.Entity
Merge with other entity to create new entity.
- Returns
Merged entity.
- Return type
- Raises
AttributeError – If the entities cannot be merged.
- property name_str: str
Return Entity Name.
- property node_properties: Dict[str, Any]
Return all public properties that are not entities.
- Returns
Dictionary of name, value properties.
- Return type
Dict[str, Any]
- classmethod pivots() List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- property properties: dict
Return dictionary properties of entity.
- Returns
Entity properties.
- Return type
dict
- to_html() str
Return HTML representation of entity.
- Returns
HTML representation of entity
- Return type
str
- to_json()
Return object as a JSON string.
- to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) networkx.classes.graph.Graph
Return networkx graph of entities.
- Parameters
graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None
- Returns
Graph with entity and any connected entities.
- Return type
nx.Graph
msticpy.datamodel.entities.registry_value module
RegistryValue Entity class.
- class msticpy.datamodel.entities.registry_value.RegistryValue(src_entity: Optional[Mapping[str, Any]] = None, **kwargs)
Bases:
msticpy.datamodel.entities.entity.Entity
RegistryValue Entity class.
- Key
RegistryValue Key
- Type
str
- Name
RegistryValue Name
- Type
str
- Value
RegistryValue Value
- Type
str
- ValueType
RegistryValue ValueType
- Type
str
Create a new instance of the entity type.
- Parameters
src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)
kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.
- ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 
'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
- ID_PROPERTIES: List[str] = ['Key', 'Name', 'Value']
- JSONEncoder
alias of
msticpy.datamodel.entities.entity._EntityJSONEncoder
- add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)
Add an edge between self and target.
- Parameters
target (Node) – Target node.
edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
- can_merge(other: Any) bool
Return True if the entities can be merged.
- Parameters
other (Any) – The other entity (object) to check
- Returns
True if other has no conflicting properties.
- Return type
bool
- classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) msticpy.datamodel.entities.entity.Entity
Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.
- Returns
Instantiated entity
- Return type
Notes
The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.
- classmethod del_pivot_shortcut(func_name: str)
Remove a pivot shortcut.
- Parameters
func_name (str) – The name of the shortcut function.
- Raises
AttributeError – The class does not have an attribute func_name
TypeError – The attribute to delete is not a pivot shortcut.
- property description_str: str
Return Entity Description.
- edges: Set['Edge']
- classmethod get_pivot_list() List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- has_edge(other)
Return True if node has an edge with other.
- classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]
Class factory to return entity from raw dictionary representation.
- Parameters
raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
entity_type (Optional[Type]) – The entity type to create, by default None.
- Returns
The instantiated entity
- Return type
- is_equivalent(other: Any) bool
Return True if the entities are equivalent.
- Parameters
other (Any) – The entity to check
- Returns
True if equivalent.
- Return type
bool
Notes
This method checks that the compared entities have no property with conflicting values. Two values do not conflict when they are equal, or when one side is empty (None, an empty string or an empty collection), e.g. self.A == other.A; self.B == “xyz” and other.B == None; self.C == [] and other.C == [1, 2, 3].
- list_pivot_funcs()
Print list of pivot functions assigned to entity.
- classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)
Add a shortcut to a pivot function to the class.
- Parameters
func_name (str) – The name of source pivot function.
target (str) – The shortcut name (this will be a member function of the class)
overwrite (bool, optional) – Force overwrite an existing pivot function, by default False
- Raises
AttributeError – The source function does not exist
TypeError – The source function is not a pivot function.
TypeError – The target attribute exists and is not a pivot function
AttributeError – The target function exists and ‘overwrite=True’ was not specified.
- merge(other: Any) msticpy.datamodel.entities.entity.Entity
Merge with other entity to create new entity.
- Returns
Merged entity.
- Return type
- Raises
AttributeError – If the entities cannot be merged.
- property name_str: str
Return Entity Name.
- property node_properties: Dict[str, Any]
Return all public properties that are not entities.
- Returns
Dictionary of name, value properties.
- Return type
Dict[str, Any]
- classmethod pivots() List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- property properties: dict
Return dictionary properties of entity.
- Returns
Entity properties.
- Return type
dict
- to_html() str
Return HTML representation of entity.
- Returns
HTML representation of entity
- Return type
str
- to_json()
Return object as a JSON string.
- to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) networkx.classes.graph.Graph
Return networkx graph of entities.
- Parameters
graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None
- Returns
Graph with entity and any connected entities.
- Return type
nx.Graph
msticpy.datamodel.entities.security_group module
SecurityGroup Entity class.
- class msticpy.datamodel.entities.security_group.SecurityGroup(src_entity: Optional[Mapping[str, Any]] = None, **kwargs)
Bases:
msticpy.datamodel.entities.entity.Entity
SecurityGroup Entity class.
- DistinguishedName
SecurityGroup DistinguishedName
- Type
str
- SID
SecurityGroup SID
- Type
str
- ObjectGuid
SecurityGroup ObjectGuid
- Type
str
Create a new instance of the entity type.
- Parameters
src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)
kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.
- ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 
'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
- ID_PROPERTIES: List[str] = ['DistinguishedName', 'SID', 'ObjectGuid']
- JSONEncoder
alias of
msticpy.datamodel.entities.entity._EntityJSONEncoder
- add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)
Add an edge between self and target.
- Parameters
target (Node) – Target node.
edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
- can_merge(other: Any) bool
Return True if the entities can be merged.
- Parameters
other (Any) – The other entity (object) to check
- Returns
True if other has no conflicting properties.
- Return type
bool
- classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) msticpy.datamodel.entities.entity.Entity
Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.
- Returns
Instantiated entity
- Return type
Notes
The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.
- classmethod del_pivot_shortcut(func_name: str)
Remove a pivot shortcut.
- Parameters
func_name (str) – The name of the shortcut function.
- Raises
AttributeError – The class does not have an attribute func_name
TypeError – The attribute to delete is not a pivot shortcut.
- property description_str
Return Entity Description.
- edges: Set['Edge']
- classmethod get_pivot_list() → List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- has_edge(other)
Return True if node has an edge with other.
- classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]
Class factory to return entity from raw dictionary representation.
- Parameters
raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
entity_type (Optional[Type]) – The entity type to create, by default None.
- Returns
The instantiated entity
- Return type
- is_equivalent(other: Any) → bool
Return True if the entities are equivalent.
- Parameters
other (Any) – The entity to check
- Returns
True if equivalent.
- Return type
bool
Notes
This method checks that the compared entities do not have any property values with conflicting values. Examples of property pairs that do not conflict:
self.A == other.A
self.B == “xyz” and other.B == None
self.C == [] and other.C == [1, 2, 3]
- list_pivot_funcs()
Print list of pivot functions assigned to entity.
- classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)
Add a shortcut to a pivot function to the class.
- Parameters
func_name (str) – The name of source pivot function.
target (str) – The shortcut name (this will be a member function of the class)
overwrite (bool, optional) – Force overwrite an existing pivot function, by default False
- Raises
AttributeError – The source function does not exist
TypeError – The source function is not a pivot function.
TypeError – The target attribute exists and is not a pivot function
AttributeError – The target function exists and ‘overwrite=True’ was not specified.
- merge(other: Any) → msticpy.datamodel.entities.entity.Entity
Merge with other entity to create new entity.
- Returns
Merged entity.
- Return type
- Raises
AttributeError – If the entities cannot be merged.
- property name_str: str
Return Entity Name.
- property node_properties: Dict[str, Any]
Return all public properties that are not entities.
- Returns
Dictionary of name, value properties.
- Return type
Dict[str, Any]
- classmethod pivots() → List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- property properties: dict
Return dictionary properties of entity.
- Returns
Entity properties.
- Return type
dict
- to_html() → str
Return HTML representation of entity.
- Returns
HTML representation of entity
- Return type
str
- to_json()
Return object as a JSON string.
- to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) → networkx.classes.graph.Graph
Return networkx graph of entities.
- Parameters
graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None
- Returns
Graph with entity and any connected entities.
- Return type
nx.Graph
msticpy.datamodel.entities.submission_mail module
Submission mail Entity class.
- class msticpy.datamodel.entities.submission_mail.SubmissionMail(src_entity: Optional[Mapping[str, Any]] = None, **kwargs)
Bases:
msticpy.datamodel.entities.entity.Entity
SubmissionMail Entity class.
- SubmissionId
SubmissionId of the submission mail
- Type
str
- SubmissionDate
SubmissionDate of the submission mail
- Type
datetime
- Submitter
Submitter email of the submission mail
- Type
str
- NetworkMessageId
NetworkMessageId of the submission mail
- Type
str
- Timestamp
The timestamp when the message was received
- Type
datetime
- Recipient
Recipient of the submission mail
- Type
str
- Sender
Sender of the submission mail
- Type
str
- SenderIp
SenderIp of the submission mail
- Type
str
- Subject
Subject of the submission mail
- Type
str
- ReportType
ReportType of the submission mail
- Type
str
Create a new instance of the entity type.
- Parameters
src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)
kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.
- ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 
'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
- ID_PROPERTIES: List[str] = ['NetworkMessageId', 'Recipient']
- JSONEncoder
alias of msticpy.datamodel.entities.entity._EntityJSONEncoder
- add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)
Add an edge between self and target.
- Parameters
target (Node) – Target node.
edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
- can_merge(other: Any) → bool
Return True if the entities can be merged.
- Parameters
other (Any) – The other entity (object) to check
- Returns
True if other has no conflicting properties.
- Return type
bool
- classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity
Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.
- Returns
Instantiated entity
- Return type
Notes
The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.
- classmethod del_pivot_shortcut(func_name: str)
Remove a pivot shortcut.
- Parameters
func_name (str) – The name of the shortcut function.
- Raises
AttributeError – The class does not have an attribute func_name
TypeError – The attribute to delete is not a pivot shortcut.
- property description_str
Return Entity Description.
- edges: Set['Edge']
- classmethod get_pivot_list() → List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- has_edge(other)
Return True if node has an edge with other.
- classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]
Class factory to return entity from raw dictionary representation.
- Parameters
raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
entity_type (Optional[Type]) – The entity type to create, by default None.
- Returns
The instantiated entity
- Return type
- is_equivalent(other: Any) → bool
Return True if the entities are equivalent.
- Parameters
other (Any) – The entity to check
- Returns
True if equivalent.
- Return type
bool
Notes
This method checks that the compared entities do not have any property values with conflicting values. Examples of property pairs that do not conflict:
self.A == other.A
self.B == “xyz” and other.B == None
self.C == [] and other.C == [1, 2, 3]
- list_pivot_funcs()
Print list of pivot functions assigned to entity.
- classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)
Add a shortcut to a pivot function to the class.
- Parameters
func_name (str) – The name of source pivot function.
target (str) – The shortcut name (this will be a member function of the class)
overwrite (bool, optional) – Force overwrite an existing pivot function, by default False
- Raises
AttributeError – The source function does not exist
TypeError – The source function is not a pivot function.
TypeError – The target attribute exists and is not a pivot function
AttributeError – The target function exists and ‘overwrite=True’ was not specified.
- merge(other: Any) → msticpy.datamodel.entities.entity.Entity
Merge with other entity to create new entity.
- Returns
Merged entity.
- Return type
- Raises
AttributeError – If the entities cannot be merged.
- property name_str: str
Return Entity Name.
- property node_properties: Dict[str, Any]
Return all public properties that are not entities.
- Returns
Dictionary of name, value properties.
- Return type
Dict[str, Any]
- classmethod pivots() → List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- property properties: dict
Return dictionary properties of entity.
- Returns
Entity properties.
- Return type
dict
- to_html() → str
Return HTML representation of entity.
- Returns
HTML representation of entity
- Return type
str
- to_json()
Return object as a JSON string.
- to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) → networkx.classes.graph.Graph
Return networkx graph of entities.
- Parameters
graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None
- Returns
Graph with entity and any connected entities.
- Return type
nx.Graph
msticpy.datamodel.entities.threat_intelligence module
Threatintelligence Entity class.
- class msticpy.datamodel.entities.threat_intelligence.Threatintelligence(src_entity: Optional[Mapping[str, Any]] = None, **kwargs)
Bases:
msticpy.datamodel.entities.entity.Entity
Threatintelligence Entity class.
- ProviderName
Threatintelligence ProviderName
- Type
str
- ThreatType
Threatintelligence ThreatType
- Type
str
- ThreatName
Threatintelligence ThreatName
- Type
str
- Confidence
Threatintelligence Confidence
- Type
str
- ReportLink
Threatintelligence ReportLink
- Type
str
- ThreatDescription
Threatintelligence ThreatDescription
- Type
str
Create a new instance of the entity type.
- param src_entity
instantiate entity using properties of src entity
- param kwargs
key-value pair representation of entity
- ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 
'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
- ID_PROPERTIES: List[str] = ['ProviderName', 'ThreatName', 'ReportLink']
- JSONEncoder
alias of msticpy.datamodel.entities.entity._EntityJSONEncoder
- add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)
Add an edge between self and target.
- Parameters
target (Node) – Target node.
edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
- can_merge(other: Any) → bool
Return True if the entities can be merged.
- Parameters
other (Any) – The other entity (object) to check
- Returns
True if other has no conflicting properties.
- Return type
bool
- classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity
Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.
- Returns
Instantiated entity
- Return type
Notes
The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.
- classmethod del_pivot_shortcut(func_name: str)
Remove a pivot shortcut.
- Parameters
func_name (str) – The name of the shortcut function.
- Raises
AttributeError – The class does not have an attribute func_name
TypeError – The attribute to delete is not a pivot shortcut.
- property description_str: str
Return Entity Description.
- edges: Set['Edge']
- classmethod get_pivot_list() → List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- has_edge(other)
Return True if node has an edge with other.
- classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]
Class factory to return entity from raw dictionary representation.
- Parameters
raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
entity_type (Optional[Type]) – The entity type to create, by default None.
- Returns
The instantiated entity
- Return type
- is_equivalent(other: Any) → bool
Return True if the entities are equivalent.
- Parameters
other (Any) – The entity to check
- Returns
True if equivalent.
- Return type
bool
Notes
This method checks that the compared entities do not have any property values with conflicting values. Examples of property pairs that do not conflict:
self.A == other.A
self.B == “xyz” and other.B == None
self.C == [] and other.C == [1, 2, 3]
- list_pivot_funcs()
Print list of pivot functions assigned to entity.
- classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)
Add a shortcut to a pivot function to the class.
- Parameters
func_name (str) – The name of source pivot function.
target (str) – The shortcut name (this will be a member function of the class)
overwrite (bool, optional) – Force overwrite an existing pivot function, by default False
- Raises
AttributeError – The source function does not exist
TypeError – The source function is not a pivot function.
TypeError – The target attribute exists and is not a pivot function
AttributeError – The target function exists and ‘overwrite=True’ was not specified.
- merge(other: Any) → msticpy.datamodel.entities.entity.Entity
Merge with other entity to create new entity.
- Returns
Merged entity.
- Return type
- Raises
AttributeError – If the entities cannot be merged.
- property name_str: str
Return Entity Name.
- property node_properties: Dict[str, Any]
Return all public properties that are not entities.
- Returns
Dictionary of name, value properties.
- Return type
Dict[str, Any]
- classmethod pivots() → List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- property properties: dict
Return dictionary properties of entity.
- Returns
Entity properties.
- Return type
dict
- to_html() → str
Return HTML representation of entity.
- Returns
HTML representation of entity
- Return type
str
- to_json()
Return object as a JSON string.
- to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) → networkx.classes.graph.Graph
Return networkx graph of entities.
- Parameters
graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None
- Returns
Graph with entity and any connected entities.
- Return type
nx.Graph
msticpy.datamodel.entities.unknown_entity module
Threatintelligence Entity class.
- class msticpy.datamodel.entities.unknown_entity.UnknownEntity(src_entity: Optional[Mapping[str, Any]] = None, **kwargs)
Bases:
msticpy.datamodel.entities.entity.Entity
Generic Entity class.
Create a new instance of the entity type.
- param src_entity
instantiate entity using properties of src entity
- param kwargs
key-value pair representation of entity
- ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 
'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
- ID_PROPERTIES: List[str] = []
- JSONEncoder
alias of msticpy.datamodel.entities.entity._EntityJSONEncoder
- add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)
Add an edge between self and target.
- Parameters
target (Node) – Target node.
edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
- can_merge(other: Any) → bool
Return True if the entities can be merged.
- Parameters
other (Any) – The other entity (object) to check
- Returns
True if other has no conflicting properties.
- Return type
bool
- classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity
Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.
- Returns
Instantiated entity
- Return type
Notes
The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.
- classmethod del_pivot_shortcut(func_name: str)
Remove a pivot shortcut.
- Parameters
func_name (str) – The name of the shortcut function.
- Raises
AttributeError – The class does not have an attribute func_name
TypeError – The attribute to delete is not a pivot shortcut.
- property description_str: str
Return Entity Description.
- edges: Set['Edge']
- classmethod get_pivot_list() → List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- has_edge(other)
Return True if node has an edge with other.
- classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]
Class factory to return entity from raw dictionary representation.
- Parameters
raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
entity_type (Optional[Type]) – The entity type to create, by default None.
- Returns
The instantiated entity
- Return type
- is_equivalent(other: Any) → bool
Return True if the entities are equivalent.
- Parameters
other (Any) – The entity to check
- Returns
True if equivalent.
- Return type
bool
Notes
This method checks that the compared entities do not have any property values with conflicting values. Examples of property pairs that do not conflict:
self.A == other.A
self.B == “xyz” and other.B == None
self.C == [] and other.C == [1, 2, 3]
- list_pivot_funcs()
Print list of pivot functions assigned to entity.
- classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)
Add a shortcut to a pivot function to the class.
- Parameters
func_name (str) – The name of source pivot function.
target (str) – The shortcut name (this will be a member function of the class)
overwrite (bool, optional) – Force overwrite an existing pivot function, by default False
- Raises
AttributeError – The source function does not exist
TypeError – The source function is not a pivot function.
TypeError – The target attribute exists and is not a pivot function
AttributeError – The target function exists and ‘overwrite=True’ was not specified.
- merge(other: Any) → msticpy.datamodel.entities.entity.Entity
Merge with other entity to create new entity.
- Returns
Merged entity.
- Return type
- Raises
AttributeError – If the entities cannot be merged.
- property name_str: str
Return Entity Name.
- property node_properties: Dict[str, Any]
Return all public properties that are not entities.
- Returns
Dictionary of name, value properties.
- Return type
Dict[str, Any]
- classmethod pivots() → List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- property properties: dict
Return dictionary properties of entity.
- Returns
Entity properties.
- Return type
dict
- to_html() → str
Return HTML representation of entity.
- Returns
HTML representation of entity
- Return type
str
- to_json()
Return object as a JSON string.
- to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) → networkx.classes.graph.Graph
Return networkx graph of entities.
- Parameters
graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None
- Returns
Graph with entity and any connected entities.
- Return type
nx.Graph
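The create factory ("Type" looked up in ENTITY_NAME_MAP) and the can_merge / is_equivalent / merge rules documented for every entity class above are modelled in the following stand-alone sketch. It is an added example written for this page, not msticpy's own implementation, and it does not import msticpy: SimpleEntity, Url, UnknownEntity and the _is_empty helper are illustrative names, and "empty" is assumed to mean None, "", [] or {}.

```python
"""Illustrative model of msticpy's documented entity factory and merge rules.

Not msticpy code: a self-contained re-implementation of the behaviour the
API reference describes, so the rules can be exercised offline.
"""
from __future__ import annotations

from typing import Any, Dict, Optional


def _is_empty(value: Any) -> bool:
    """Assumption: these values count as 'not set' and never conflict."""
    return value is None or value == "" or value == [] or value == {}


class SimpleEntity:
    """Minimal entity: a Type name plus a dict of public properties."""

    # Mirrors the page's ENTITY_NAME_MAP: lower-case type name -> class.
    ENTITY_NAME_MAP: Dict[str, type] = {}
    ID_PROPERTIES = []

    def __init__(self, **kwargs: Any) -> None:
        self.Type: str = str(kwargs.pop("Type", type(self).__name__)).lower()
        self.properties: Dict[str, Any] = dict(kwargs)

    @classmethod
    def create(cls, src_entity: Optional[Dict[str, Any]] = None, **kwargs: Any):
        """Factory: 'Type' may come from src_entity or a keyword argument.

        Unknown type names fall back to UnknownEntity, as 'unknown' does
        in the documented name map.
        """
        props: Dict[str, Any] = dict(src_entity or {})
        props.update(kwargs)
        type_name = str(props.get("Type", "")).lower()
        ent_cls = cls.ENTITY_NAME_MAP.get(type_name, UnknownEntity)
        return ent_cls(**props)

    def can_merge(self, other: Any) -> bool:
        """True if other is the same entity type and no property conflicts.

        A property conflicts only when both sides are set and differ;
        equal values, or one empty side, never conflict.
        """
        if not isinstance(other, SimpleEntity) or other.Type != self.Type:
            return False
        for name in set(self.properties) | set(other.properties):
            mine, theirs = self.properties.get(name), other.properties.get(name)
            if _is_empty(mine) or _is_empty(theirs) or mine == theirs:
                continue
            return False
        return True

    def is_equivalent(self, other: Any) -> bool:
        """Same conflict test as can_merge, exposed under the documented name."""
        return self.can_merge(other)

    def merge(self, other: Any):
        """Return a new entity holding the set value from either side."""
        if not self.can_merge(other):
            raise AttributeError("Entities cannot be merged")
        merged: Dict[str, Any] = {}
        for name in set(self.properties) | set(other.properties):
            mine, theirs = self.properties.get(name), other.properties.get(name)
            merged[name] = theirs if _is_empty(mine) else mine
        return type(self)(Type=self.Type, **merged)


class Url(SimpleEntity):
    ID_PROPERTIES = ["Url"]  # as listed on the page


class UnknownEntity(SimpleEntity):
    ID_PROPERTIES = []  # as listed on the page


SimpleEntity.ENTITY_NAME_MAP.update({"url": Url, "unknown": UnknownEntity})


def demo() -> Dict[str, Any]:
    """Constructed sample: two partial Url records that describe one URL."""
    first = SimpleEntity.create(
        {"Type": "url", "Url": "http://example.com/a", "DetonationVerdict": None}
    )
    second = SimpleEntity.create(Type="Url", Url="http://example.com/a",
                                 DetonationVerdict="Malicious")
    other = SimpleEntity.create(Type="url", Url="http://example.com/b")
    merged = first.merge(second)
    return {
        "same_class": type(first) is Url and type(second) is Url,
        "mergeable": first.can_merge(second),
        "verdict": merged.properties["DetonationVerdict"],
        "conflict": first.can_merge(other),
        "fallback": type(SimpleEntity.create(Type="host", HostName="h1")).__name__,
    }
```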
msticpy.datamodel.entities.url module
Url Entity class.
- class msticpy.datamodel.entities.url.Url(src_entity: Optional[Mapping[str, Any]] = None, src_event: Optional[Mapping[str, Any]] = None, **kwargs)
Bases:
msticpy.datamodel.entities.entity.Entity
URL Entity.
- Url
The URL
- Type
str
- DetonationVerdict
The verdict of the URL detection
- Type
str
Create a new instance of the entity type.
- Parameters
src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)
src_event (Mapping[str, Any], optional) – Create entity from event properties (the default is None)
kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.
- ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 
'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}
- ID_PROPERTIES: List[str] = ['Url']
- JSONEncoder
alias of
msticpy.datamodel.entities.entity._EntityJSONEncoder
- add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)
Add an edge between self and target.
- Parameters
target (Node) – Target node.
edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
- can_merge(other: Any) bool
Return True if the entities can be merged.
- Parameters
other (Any) – The other entity (object) to check
- Returns
True if other has no conflicting properties.
- Return type
bool
- classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) msticpy.datamodel.entities.entity.Entity
Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.
- Returns
Instantiated entity
- Return type
Entity
Notes
The entity type should be specified as “Type”, either as a key of src_entity or as a keyword argument.
- classmethod del_pivot_shortcut(func_name: str)
Remove a pivot shortcut.
- Parameters
func_name (str) – The name of the shortcut function.
- Raises
AttributeError – The class does not have an attribute func_name
TypeError – The attribute to delete is not a pivot shortcut.
- property description_str: str
Return Entity Description.
- edges: Set['Edge']
- classmethod get_pivot_list() List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- has_edge(other)
Return True if node has an edge with other.
- classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]
Class factory to return entity from raw dictionary representation.
- Parameters
raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
entity_type (Optional[Type]) – The entity type to create, by default None.
- Returns
The instantiated entity
- Return type
Union[Entity, Mapping[str, Any]]
- is_equivalent(other: Any) bool
Return True if the entities are equivalent.
- Parameters
other (Any) – The entity to check
- Returns
True if equivalent.
- Return type
bool
Notes
This method checks that the compared entities do not have any property with conflicting values. For example, the following pairs do not conflict:
- self.A == other.A
- self.B == “xyz” and other.B == None
- self.C == [] and other.C == [1, 2, 3]
- list_pivot_funcs()
Print list of pivot functions assigned to entity.
- classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)
Add a shortcut to a pivot function to the class.
- Parameters
func_name (str) – The name of source pivot function.
target (str) – The shortcut name (this will be a member function of the class)
overwrite (bool, optional) – Force overwrite an existing pivot function, by default False
- Raises
AttributeError – The source function does not exist
TypeError – The source function is not a pivot function.
TypeError – The target attribute exists and is not a pivot function
AttributeError – The target function exists and ‘overwrite=True’ was not specified.
- merge(other: Any) msticpy.datamodel.entities.entity.Entity
Merge with other entity to create new entity.
- Returns
Merged entity.
- Return type
Entity
- Raises
AttributeError – If the entities cannot be merged.
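The conflict rule shared by is_equivalent, can_merge and merge is easy to get wrong when consolidating the same account or host observed across several alerts, so the following is an added example (not msticpy's own code) that models the rule on a flat property dict. ConstructedEntity, conflicting_properties and consolidate are assumed helper names, and the sample SIDs are constructed values; with the real Entity classes you call entity.merge(other) directly, and they also handle nested entity properties, which this model does not.

```python
"""Model of the entity conflict rule behind is_equivalent / can_merge / merge.

Added example, not msticpy code. Two entities are mergeable when no property is
populated with different values on both sides; None and empty containers never
conflict, the populated side simply fills them in.
"""
from typing import Any, Dict, Tuple


class ConstructedEntity:
    """Stand-in for an msticpy entity: a Type name plus a flat property dict."""

    def __init__(self, entity_type: str, **props: Any) -> None:
        self.Type = entity_type
        self.props: Dict[str, Any] = dict(props)

    @staticmethod
    def _is_empty(value: Any) -> bool:
        """None, '', [], {} and similar carry no information and never conflict."""
        return value is None or (hasattr(value, "__len__") and len(value) == 0)

    def conflicting_properties(self, other: "ConstructedEntity") -> Dict[str, Tuple[Any, Any]]:
        """Return {name: (self_value, other_value)} for each populated-but-different property."""
        conflicts: Dict[str, Tuple[Any, Any]] = {}
        for name in sorted(set(self.props) | set(other.props)):
            mine, theirs = self.props.get(name), other.props.get(name)
            if self._is_empty(mine) or self._is_empty(theirs):
                continue  # one side empty: no conflict, the other side fills it in
            if mine != theirs:
                conflicts[name] = (mine, theirs)
        return conflicts

    def is_equivalent(self, other: "ConstructedEntity") -> bool:
        """True when the types match and no property differs on both sides."""
        return self.Type == other.Type and not self.conflicting_properties(other)

    def can_merge(self, other: "ConstructedEntity") -> bool:
        return self.is_equivalent(other)

    def merge(self, other: "ConstructedEntity") -> "ConstructedEntity":
        """Union of both property sets; raises AttributeError on conflict, as merge() documents."""
        conflicts = self.conflicting_properties(other)
        if self.Type != other.Type or conflicts:
            raise AttributeError(
                f"cannot merge {self.Type} with {other.Type}: conflicting properties {conflicts}"
            )
        merged: Dict[str, Any] = {}
        for name in set(self.props) | set(other.props):
            mine, theirs = self.props.get(name), other.props.get(name)
            merged[name] = theirs if self._is_empty(mine) else mine
        return ConstructedEntity(self.Type, **merged)


# Constructed observations of "the same" account taken from three alerts.
# The SIDs are made-up values, not real identifiers.
FROM_ALERT_1 = ConstructedEntity("account", Name="alice", NTDomain="CORP", Sid=None, Tags=[])
FROM_ALERT_2 = ConstructedEntity("account", Name="alice", Sid="S-1-5-21-100-200-300-1001", Tags=["admin"])
FROM_ALERT_3 = ConstructedEntity("account", Name="alice", Sid="S-1-5-21-100-200-300-1500")


def consolidate(*observations: ConstructedEntity) -> ConstructedEntity:
    """Fold a sequence of observations into one entity, stopping at the first conflict."""
    result = observations[0]
    for obs in observations[1:]:
        result = result.merge(obs)
    return result


if __name__ == "__main__":
    merged = consolidate(FROM_ALERT_1, FROM_ALERT_2)
    print("merged:", merged.props)
    # Alert 3 names the same account with a different SID: surface the conflict
    # to the analyst instead of silently picking one value.
    print("conflicts with alert 3:", merged.conflicting_properties(FROM_ALERT_3))
    try:
        consolidate(merged, FROM_ALERT_3)
    except AttributeError as err:
        print("merge refused:", err)
```

The third observation is the case worth pausing on: same Name, different Sid. That is a signal (two principals sharing a display name, a recreated account, a SID typo in an alert source), so let merge raise and report the conflicting properties rather than resolving the conflict by precedence.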
- property name_str: str
Return Entity Name.
- property node_properties: Dict[str, Any]
Return all public properties that are not entities.
- Returns
Dictionary of name, value properties.
- Return type
Dict[str, Any]
- classmethod pivots() List[str]
Return list of current pivot functions.
- Returns
List of pivot functions assigned to entity.
- Return type
List[str]
- property properties: dict
Return dictionary properties of entity.
- Returns
Entity properties.
- Return type
dict
- to_html() str
Return HTML representation of entity.
- Returns
HTML representation of entity
- Return type
str
- to_json()
Return object as a JSON string.
- to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) networkx.classes.graph.Graph
Return networkx graph of entities.
- Parameters
graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None
- Returns
Graph with entity and any connected entities.
- Return type
nx.Graph
Module contents
Entity sub-package.
- msticpy.datamodel.entities.find_entity(entity)
Find entity name.