msticpy.datamodel.entities package

Submodules

msticpy.datamodel.entities.account module

Account Entity class.

class msticpy.datamodel.entities.account.Account(src_entity: Optional[Mapping[str, Any]] = None, src_event: Optional[Mapping[str, Any]] = None, role: str = 'subject', **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

Account Entity class.

Name

Account Name

Type

str

NTDomain

Account NTDomain

Type

str

UPNSuffix

Account UPNSuffix

Type

str

Host

Account Host

Type

Host

LogonId

Account LogonId (deprecated)

Type

str

Sid

Account Sid

Type

str

AadTenantId

Account AadTenantId

Type

str

AadUserId

Account AadUserId

Type

str

PUID

Account PUID

Type

str

IsDomainJoined

Account IsDomainJoined

Type

bool

DisplayName

Account DisplayName

Type

str

ObjectGuid

The object ID of the user account

Type

str

Create a new instance of the entity type.

Parameters

• src_entity (Mapping[str, Any], optional) – Create entity from existing Account entity or other mapping object that implements entity properties. (the default is None)

• src_event (Mapping[str, Any], optional) – Create entity from event properties (the default is None)

• role (str, optional) – ‘subject’ or ‘target’ - only relevant if the entity is being constructed from an event. (the default is ‘subject’)

• kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.

ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}

ID_PROPERTIES: List[str] = ['QualifiedName', 'Sid', 'AadUserId', 'PUID', 'ObjectGuid']

JSONEncoder

alias of msticpy.datamodel.entities.entity._EntityJSONEncoder

add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters

• target (Node) – Target node.

• edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None

can_merge(other: Any) → bool

Return True if the entities can be merged.

Parameters

other (Any) – The other entity (object) to check

Returns

True if other has no conflicting properties.

Return type

bool

classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns

Instantiated entity

Return type

Entity

Notes

The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.

classmethod del_pivot_shortcut(func_name: str)

Remove a pivot shortcut.

Parameters

func_name (str) – The name of the shortcut function.

Raises

• AttributeError – The class does not have an attribute func_name

• TypeError – The attribute to delete is not a pivot shortcut.

property description_str: str

Return Entity Description.

classmethod get_pivot_list() → List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

has_edge(other)

Return True if node has an edge with other.

classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters

• raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.

• entity_type (Optional[Type]) – The entity type to create, by default None.

Returns

The instantiated entity

Return type

Entity

is_equivalent(other: Any) → bool

Return True if the entities are equivalent.

Parameters

other (Any) – The entity to check

Returns

True if equivalent.

Return type

bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A self.B == “xyz” and other.B == None self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)

Add a shortcut to a pivot function to the class.

Parameters

• func_name (str) – The name of source pivot function.

• target (str) – The shortcut name (this will be a member function of the class)

• overwrite (bool, optional) – Force overwrite an existing pivot function, by default False

Raises

• AttributeError – The source function does not exist

• TypeError – The source function is not a pivot function.

• TypeError – The target attribute exists and is not a pivot function

• AttributeError – The target function exists and ‘overwrite=True’ was not specified.

merge(other: Any) → msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns

Merged entity.

Return type

Entity

Raises

AttributeError – If the entities cannot be merged.

property name_str: str

Return Entity Name.

property node_properties: Dict[str, Any]

Return all public properties that are not entities.

Returns

Dictionary of name, value properties.

Return type

Dict[str, Any]

classmethod pivots() → List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

property properties: dict

Return dictionary properties of entity.

Returns

Entity properties.

Return type

dict

property qualified_name: str

Windows qualified account name.

to_html() → str

Return HTML representation of entity.

Returns

HTML representation of entity

Return type

str

to_json()

Return object as a JSON string.

to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) → networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters

graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None

Returns

Graph with entity and any connected entities.

Return type

nx.Graph

msticpy.datamodel.entities.alert module

Alert Entity class.

class msticpy.datamodel.entities.alert.Alert(src_entity: Optional[Mapping[str, Any]] = None, src_event: Optional[Mapping[str, Any]] = None, **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

Alert Entity class.

AlertDisplayName

Alert DisplayName

Type

str

CompromisedEntity

Alert CompromisedEntity

Type

str

Count

Alert Count

Type

int

StartTimeUtc

Alert StartTime

Type

datetime

EndTimeUtc

Alert EndTime

Type

datetime

Severity

Alert Severity

Type

str

SystemAlertIds

Alert SystemAlertIds

Type

List[str]

AlertType

Alert AlertType

Type

str

VendorName

Alert VendorName

Type

str

ProviderName

Alert ProviderName

Type

str

Create a new instance of the entity type.

Parameters

• src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)

• src_event (Mapping[str, Any], optional) – Create entity from event properties (the default is None)

• kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.

ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}

ID_PROPERTIES: List[str] = ['SystemAlertIds']

JSONEncoder

alias of msticpy.datamodel.entities.entity._EntityJSONEncoder

add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters

• target (Node) – Target node.

• edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None

can_merge(other: Any) → bool

Return True if the entities can be merged.

Parameters

other (Any) – The other entity (object) to check

Returns

True if other has no conflicting properties.

Return type

bool

classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns

Instantiated entity

Return type

Entity

Notes

The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.

classmethod del_pivot_shortcut(func_name: str)

Remove a pivot shortcut.

Parameters

func_name (str) – The name of the shortcut function.

Raises

• AttributeError – The class does not have an attribute func_name

• TypeError – The attribute to delete is not a pivot shortcut.

property description_str: str

Return Entity Description.

classmethod get_pivot_list() → List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

has_edge(other)

Return True if node has an edge with other.

classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters

• raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.

• entity_type (Optional[Type]) – The entity type to create, by default None.

Returns

The instantiated entity

Return type

Entity

is_equivalent(other: Any) → bool

Return True if the entities are equivalent.

Parameters

other (Any) – The entity to check

Returns

True if equivalent.

Return type

bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A self.B == “xyz” and other.B == None self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)

Add a shortcut to a pivot function to the class.

Parameters

• func_name (str) – The name of source pivot function.

• target (str) – The shortcut name (this will be a member function of the class)

• overwrite (bool, optional) – Force overwrite an existing pivot function, by default False

Raises

• AttributeError – The source function does not exist

• TypeError – The source function is not a pivot function.

• TypeError – The target attribute exists and is not a pivot function

• AttributeError – The target function exists and ‘overwrite=True’ was not specified.

merge(other: Any) → msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns

Merged entity.

Return type

Entity

Raises

AttributeError – If the entities cannot be merged.

property name_str: str

Return Entity Name.

property node_properties: Dict[str, Any]

Return all public properties that are not entities.

Returns

Dictionary of name, value properties.

Return type

Dict[str, Any]

classmethod pivots() → List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

property properties: dict

Return dictionary properties of entity.

Returns

Entity properties.

Return type

dict

to_html() → str

Return the item as HTML string.

to_json()

Return object as a JSON string.

to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) → networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters

graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None

Returns

Graph with entity and any connected entities.

Return type

nx.Graph

msticpy.datamodel.entities.azure_resource module

AzureResource Entity class.

class msticpy.datamodel.entities.azure_resource.AzureResource(src_entity: Optional[Mapping[str, Any]] = None, **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

AzureResource Entity class.

ResourceId

AzureResource ResourceId

Type

str

ResourceIdParts

AzureResource ResourceIdParts

Type

Dict[str, str]

Create a new instance of the entity type.

Parameters

• src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)

• kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.

ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}

ID_PROPERTIES: List[str] = ['ResourceId']

JSONEncoder

alias of msticpy.datamodel.entities.entity._EntityJSONEncoder

property Provider

Return the Provider name or None.

property ResourceGroup

Return the ResourceGroup name or None.

property SubscriptionId

Return the subscription Id or None.

add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters

• target (Node) – Target node.

• edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None

can_merge(other: Any) → bool

Return True if the entities can be merged.

Parameters

other (Any) – The other entity (object) to check

Returns

True if other has no conflicting properties.

Return type

bool

classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns

Instantiated entity

Return type

Entity

Notes

The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.

classmethod del_pivot_shortcut(func_name: str)

Remove a pivot shortcut.

Parameters

func_name (str) – The name of the shortcut function.

Raises

• AttributeError – The class does not have an attribute func_name

• TypeError – The attribute to delete is not a pivot shortcut.

property description_str: str

Return Entity Description.

classmethod get_pivot_list() → List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

has_edge(other)

Return True if node has an edge with other.

classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters

• raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.

• entity_type (Optional[Type]) – The entity type to create, by default None.

Returns

The instantiated entity

Return type

Entity

is_equivalent(other: Any) → bool

Return True if the entities are equivalent.

Parameters

other (Any) – The entity to check

Returns

True if equivalent.

Return type

bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A self.B == “xyz” and other.B == None self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)

Add a shortcut to a pivot function to the class.

Parameters

• func_name (str) – The name of source pivot function.

• target (str) – The shortcut name (this will be a member function of the class)

• overwrite (bool, optional) – Force overwrite an existing pivot function, by default False

Raises

• AttributeError – The source function does not exist

• TypeError – The source function is not a pivot function.

• TypeError – The target attribute exists and is not a pivot function

• AttributeError – The target function exists and ‘overwrite=True’ was not specified.

merge(other: Any) → msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns

Merged entity.

Return type

Entity

Raises

AttributeError – If the entities cannot be merged.

property name_str: str

Return Entity Name.

property node_properties: Dict[str, Any]

Return all public properties that are not entities.

Returns

Dictionary of name, value properties.

Return type

Dict[str, Any]

classmethod pivots() → List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

property properties: dict

Return dictionary properties of entity.

Returns

Entity properties.

Return type

dict

to_html() → str

Return HTML representation of entity.

Returns

HTML representation of entity

Return type

str

to_json()

Return object as a JSON string.

to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) → networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters

graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None

Returns

Graph with entity and any connected entities.

Return type

nx.Graph

msticpy.datamodel.entities.cloud_application module

CloudApplication Entity class.

class msticpy.datamodel.entities.cloud_application.CloudApplication(src_entity: Optional[Mapping[str, Any]] = None, **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

CloudApplication Entity class.

Name

CloudApplication Name

Type

str

AppId

The AppId of the cloud application

Type

str

InstanceName

The instance name of the application

Type

str

Create a new instance of the entity type.

Parameters

• src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)

• kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.

ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}

ID_PROPERTIES: List[str] = ['Name']

JSONEncoder

alias of msticpy.datamodel.entities.entity._EntityJSONEncoder

add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters

• target (Node) – Target node.

• edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None

can_merge(other: Any) → bool

Return True if the entities can be merged.

Parameters

other (Any) – The other entity (object) to check

Returns

True if other has no conflicting properties.

Return type

bool

classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns

Instantiated entity

Return type

Entity

Notes

The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.

classmethod del_pivot_shortcut(func_name: str)

Remove a pivot shortcut.

Parameters

func_name (str) – The name of the shortcut function.

Raises

• AttributeError – The class does not have an attribute func_name

• TypeError – The attribute to delete is not a pivot shortcut.

property description_str: str

Return Entity Description.

classmethod get_pivot_list() → List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

has_edge(other)

Return True if node has an edge with other.

classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters

• raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.

• entity_type (Optional[Type]) – The entity type to create, by default None.

Returns

The instantiated entity

Return type

Entity

is_equivalent(other: Any) → bool

Return True if the entities are equivalent.

Parameters

other (Any) – The entity to check

Returns

True if equivalent.

Return type

bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A self.B == “xyz” and other.B == None self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)

Add a shortcut to a pivot function to the class.

Parameters

• func_name (str) – The name of source pivot function.

• target (str) – The shortcut name (this will be a member function of the class)

• overwrite (bool, optional) – Force overwrite an existing pivot function, by default False

Raises

• AttributeError – The source function does not exist

• TypeError – The source function is not a pivot function.

• TypeError – The target attribute exists and is not a pivot function

• AttributeError – The target function exists and ‘overwrite=True’ was not specified.

merge(other: Any) → msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns

Merged entity.

Return type

Entity

Raises

AttributeError – If the entities cannot be merged.

property name_str: str

Return Entity Name.

property node_properties: Dict[str, Any]

Return all public properties that are not entities.

Returns

Dictionary of name, value properties.

Return type

Dict[str, Any]

classmethod pivots() → List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

property properties: dict

Return dictionary properties of entity.

Returns

Entity properties.

Return type

dict

to_html() → str

Return HTML representation of entity.

Returns

HTML representation of entity

Return type

str

to_json()

Return object as a JSON string.

to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) → networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters

graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None

Returns

Graph with entity and any connected entities.

Return type

nx.Graph

msticpy.datamodel.entities.cloud_logon_session module

CloudApplication Entity class.

class msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession(src_entity: Optional[Mapping[str, Any]] = None, src_event: Optional[Mapping[str, Any]] = None, **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

CloudLogonSession Entity class.

SessionId

The loggon session ID

Type

str

Account

The Account

Type

str

UserAgent

The UserAgent

Type

str

StartTime

The time the session started

Type

str

Create a new instance of the entity type.

Parameters

• src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)

• src_event (Mapping[str, Any], optional) – Create entity from an event

• kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.

ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}

ID_PROPERTIES: List[str] = ['Name']

JSONEncoder

alias of msticpy.datamodel.entities.entity._EntityJSONEncoder

add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters

• target (Node) – Target node.

• edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None

can_merge(other: Any) → bool

Return True if the entities can be merged.

Parameters

other (Any) – The other entity (object) to check

Returns

True if other has no conflicting properties.

Return type

bool

classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns

Instantiated entity

Return type

Entity

Notes

The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.

classmethod del_pivot_shortcut(func_name: str)

Remove a pivot shortcut.

Parameters

func_name (str) – The name of the shortcut function.

Raises

• AttributeError – The class does not have an attribute func_name

• TypeError – The attribute to delete is not a pivot shortcut.

property description_str: str

Return Entity Description.

classmethod get_pivot_list() → List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

has_edge(other)

Return True if node has an edge with other.

classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters

• raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.

• entity_type (Optional[Type]) – The entity type to create, by default None.

Returns

The instantiated entity

Return type

Entity

is_equivalent(other: Any) → bool

Return True if the entities are equivalent.

Parameters

other (Any) – The entity to check

Returns

True if equivalent.

Return type

bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A self.B == “xyz” and other.B == None self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)

Add a shortcut to a pivot function to the class.

Parameters

• func_name (str) – The name of source pivot function.

• target (str) – The shortcut name (this will be a member function of the class)

• overwrite (bool, optional) – Force overwrite an existing pivot function, by default False

Raises

• AttributeError – The source function does not exist

• TypeError – The source function is not a pivot function.

• TypeError – The target attribute exists and is not a pivot function

• AttributeError – The target function exists and ‘overwrite=True’ was not specified.

merge(other: Any) → msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns

Merged entity.

Return type

Entity

Raises

AttributeError – If the entities cannot be merged.

property name_str: str

Return Entity Name.

property node_properties: Dict[str, Any]

Return all public properties that are not entities.

Returns

Dictionary of name, value properties.

Return type

Dict[str, Any]

classmethod pivots() → List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

property properties: dict

Return dictionary properties of entity.

Returns

Entity properties.

Return type

dict

to_html() → str

Return HTML representation of entity.

Returns

HTML representation of entity

Return type

str

to_json()

Return object as a JSON string.

to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) → networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters

graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None

Returns

Graph with entity and any connected entities.

Return type

nx.Graph

msticpy.datamodel.entities.dns module

Dns Entity class.

class msticpy.datamodel.entities.dns.Dns(src_entity: Optional[Mapping[str, Any]] = None, **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

DNS Resolve Entity class.

DomainName

DnsResolve DomainName

Type

str

IpAdresses

DnsResolve IpAdresses

Type

List[str]

DnsServerIp

DnsResolve DnsServerIp

Type

IPAddress

HostIpAddress

DnsResolve HostIpAddress

Type

IPAddress

Create a new instance of the entity type.

Parameters

• src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)

• kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.

ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}

ID_PROPERTIES: List[str] = ['DomainName']

JSONEncoder

alias of msticpy.datamodel.entities.entity._EntityJSONEncoder

add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters

• target (Node) – Target node.

• edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None

can_merge(other: Any) → bool

Return True if the entities can be merged.

Parameters

other (Any) – The other entity (object) to check

Returns

True if other has no conflicting properties.

Return type

bool

classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns

Instantiated entity

Return type

Entity

Notes

The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.

classmethod del_pivot_shortcut(func_name: str)

Remove a pivot shortcut.

Parameters

func_name (str) – The name of the shortcut function.

Raises

• AttributeError – The class does not have an attribute func_name

• TypeError – The attribute to delete is not a pivot shortcut.

property description_str: str

Return Entity Description.

classmethod get_pivot_list() → List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

has_edge(other)

Return True if node has an edge with other.

classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters

• raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.

• entity_type (Optional[Type]) – The entity type to create, by default None.

Returns

The instantiated entity

Return type

Entity

is_equivalent(other: Any) → bool

Return True if the entities are equivalent.

Parameters

other (Any) – The entity to check

Returns

True if equivalent.

Return type

bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A self.B == “xyz” and other.B == None self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)

Add a shortcut to a pivot function to the class.

Parameters

• func_name (str) – The name of source pivot function.

• target (str) – The shortcut name (this will be a member function of the class)

• overwrite (bool, optional) – Force overwrite an existing pivot function, by default False

Raises

• AttributeError – The source function does not exist

• TypeError – The source function is not a pivot function.

• TypeError – The target attribute exists and is not a pivot function

• AttributeError – The target function exists and ‘overwrite=True’ was not specified.

merge(other: Any) → msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns

Merged entity.

Return type

Entity

Raises

AttributeError – If the entities cannot be merged.

property name_str: str

Return Entity Name.

property node_properties: Dict[str, Any]

Return all public properties that are not entities.

Returns

Dictionary of name, value properties.

Return type

Dict[str, Any]

classmethod pivots() → List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

property properties: dict

Return dictionary properties of entity.

Returns

Entity properties.

Return type

dict

to_html() → str

Return HTML representation of entity.

Returns

HTML representation of entity

Return type

str

to_json()

Return object as a JSON string.

to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) → networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters

graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None

Returns

Graph with entity and any connected entities.

Return type

nx.Graph

msticpy.datamodel.entities.entity module

Entity Entity class.

class msticpy.datamodel.entities.entity.ContextObject

Bases: object

Information object attached to entity but is not an Entity.

class msticpy.datamodel.entities.entity.Entity(src_entity: Optional[Mapping[str, Any]] = None, **kwargs)

Bases: abc.ABC, msticpy.datamodel.entities.entity_graph.Node

Entity abstract base class.

Implements common methods for Entity classes

Create a new instance of an entity.

Parameters

• src_entity (Mapping[str, Any], optional) – If src_entity is supplied it attempts to extract common properties from the source entity and assign them to the new instance. (the default is None)

• kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.

ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}

ID_PROPERTIES: List[str] = []

JSONEncoder

alias of msticpy.datamodel.entities.entity._EntityJSONEncoder

add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters

• target (Node) – Target node.

• edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None

can_merge(other: Any) → bool

Return True if the entities can be merged.

Parameters

other (Any) – The other entity (object) to check

Returns

True if other has no conflicting properties.

Return type

bool

classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns

Instantiated entity

Return type

Entity

Notes

The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.

classmethod del_pivot_shortcut(func_name: str)

Remove a pivot shortcut.

Parameters

func_name (str) – The name of the shortcut function.

Raises

• AttributeError – The class does not have an attribute func_name

• TypeError – The attribute to delete is not a pivot shortcut.

property description_str: str

Return Entity Description.

Returns

Entity description (optional). If not overridden by the Entity instance type, it will return the Type string.

Return type

str

classmethod get_pivot_list() → List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

has_edge(other)

Return True if node has an edge with other.

classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters

• raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.

• entity_type (Optional[Type]) – The entity type to create, by default None.

Returns

The instantiated entity

Return type

Entity

is_equivalent(other: Any) → bool

Return True if the entities are equivalent.

Parameters

other (Any) – The entity to check

Returns

True if equivalent.

Return type

bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A self.B == “xyz” and other.B == None self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)

Add a shortcut to a pivot function to the class.

Parameters

• func_name (str) – The name of source pivot function.

• target (str) – The shortcut name (this will be a member function of the class)

• overwrite (bool, optional) – Force overwrite an existing pivot function, by default False

Raises

• AttributeError – The source function does not exist

• TypeError – The source function is not a pivot function.

• TypeError – The target attribute exists and is not a pivot function

• AttributeError – The target function exists and ‘overwrite=True’ was not specified.

merge(other: Any) → msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns

Merged entity.

Return type

Entity

Raises

AttributeError – If the entities cannot be merged.

property name_str: str

Return Name Description.

Returns

Entity Name (optional). If not overridden by the Entity instance type, it will return the class name string.

Return type

str

property node_properties: Dict[str, Any]

Return all public properties that are not entities.

Returns

Dictionary of name, value properties.

Return type

Dict[str, Any]

classmethod pivots() → List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

property properties: dict

Return dictionary properties of entity.

Returns

Entity properties.

Return type

dict

to_html() → str

Return HTML representation of entity.

Returns

HTML representation of entity

Return type

str

to_json()

Return object as a JSON string.

to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) → networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters

graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None

Returns

Graph with entity and any connected entities.

Return type

nx.Graph

msticpy.datamodel.entities.entity.camelcase_property_names(input_ent: Dict[str, Any]) → Dict[str, Any]

Change initial letter Microsoft Sentinel API entity properties to upper case.

msticpy.datamodel.entities.entity_enums module

Entity enumerations.

class msticpy.datamodel.entities.entity_enums.Algorithm(value)

Bases: enum.Enum

FileHash Algorithm Enumeration.

MD5 = 1

SHA1 = 2

SHA256 = 3

SHA256AC = 4

Unknown = 0

class msticpy.datamodel.entities.entity_enums.ElevationToken(value)

Bases: enum.Enum

ElevationToken enumeration.

Default = 0

Full = 1

Limited = 2

class msticpy.datamodel.entities.entity_enums.OSFamily(value)

Bases: enum.Enum

OSFamily enumeration.

Linux = 0

Windows = 1

class msticpy.datamodel.entities.entity_enums.RegistryHive(value)

Bases: enum.Enum

RegistryHive enumeration.

HKEY_A = 8

HKEY_CLASSES_ROOT = 1

HKEY_CURRENT_CONFIG = 2

HKEY_CURRENT_USER = 9

HKEY_CURRENT_USER_LOCAL_SETTINGS = 4

HKEY_LOCAL_MACHINE = 0

HKEY_PERFORMANCE_DATA = 5

HKEY_PERFORMANCE_NLSTEXT = 6

HKEY_PERFORMANCE_TEXT = 7

HKEY_USERS = 3

property short_name: str

Return the key shortname.

msticpy.datamodel.entities.entity_graph module

Entity Graph classes.

class msticpy.datamodel.entities.entity_graph.Edge(source: msticpy.datamodel.entities.entity_graph.Node, target: msticpy.datamodel.entities.entity_graph.Node, attrs: Optional[Dict[str, Any]] = None)

Bases: object

Entity edge class.

Create a new edge between source and target.

Parameters

• source (Node) – Source node.

• target (Node) – Target node.

• attrs (Dict[str, Any], optional) – Dictionary of name/value edge attributes, by default None

add_attr(name: str, value: Any)

Add an edge attribute.

class msticpy.datamodel.entities.entity_graph.Node

Bases: object

Entity node.

Initialize the node.

add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters

• target (Node) – Target node.

• edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None

has_edge(other)

Return True if node has an edge with other.

msticpy.datamodel.entities.file module

File Entity class.

class msticpy.datamodel.entities.file.File(src_entity: Optional[Mapping[str, Any]] = None, src_event: Optional[Mapping[str, Any]] = None, role: str = 'new', **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

File Entity class.

FullPath

File FullPath

Type

str

Directory

File Directory

Type

str

Name

File Name

Type

str

Md5

File Md5

Type

str

Host

File Host

Type

str

Sha1

File Sha1

Type

str

Sha256

File Sha256

Type

str

Sha256Ac

File Sha256Ac

Type

str

FileHashes

File FileHashes

Type

List[FileHash]

Create a new instance of the entity type.

Parameters

• src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)

• src_event (Mapping[str, Any], optional) – Create entity from event properties (the default is None)

• role (str, optional) – ‘new’ or ‘parent’ - only relevant if the entity is being constructed from an event. (the default is ‘new’)

• kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.

ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}

ID_PROPERTIES: List[str] = ['FullPath', 'Sha1', 'Sha256', 'Sha256ac', 'Md5']

JSONEncoder

alias of msticpy.datamodel.entities.entity._EntityJSONEncoder

add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters

• target (Node) – Target node.

• edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None

can_merge(other: Any) → bool

Return True if the entities can be merged.

Parameters

other (Any) – The other entity (object) to check

Returns

True if other has no conflicting properties.

Return type

bool

classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns

Instantiated entity

Return type

Entity

Notes

The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.

classmethod del_pivot_shortcut(func_name: str)

Remove a pivot shortcut.

Parameters

func_name (str) – The name of the shortcut function.

Raises

• AttributeError – The class does not have an attribute func_name

• TypeError – The attribute to delete is not a pivot shortcut.

property description_str: str

Return Entity Description.

edges: Set['Edge']

property file_hash: Optional[str]

Return the first defined file hash.

Returns

Returns first-defined file hash in order of SHA256, SHA1, MD5, SHA256AC (authenticode)

Return type

Optional[str]

classmethod get_pivot_list() → List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

has_edge(other)

Return True if node has an edge with other.

classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters

• raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.

• entity_type (Optional[Type]) – The entity type to create, by default None.

Returns

The instantiated entity

Return type

Entity

is_equivalent(other: Any) → bool

Return True if the entities are equivalent.

Parameters

other (Any) – The entity to check

Returns

True if equivalent.

Return type

bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A self.B == “xyz” and other.B == None self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)

Add a shortcut to a pivot function to the class.

Parameters

• func_name (str) – The name of source pivot function.

• target (str) – The shortcut name (this will be a member function of the class)

• overwrite (bool, optional) – Force overwrite an existing pivot function, by default False

Raises

• AttributeError – The source function does not exist

• TypeError – The source function is not a pivot function.

• TypeError – The target attribute exists and is not a pivot function

• AttributeError – The target function exists and ‘overwrite=True’ was not specified.

merge(other: Any) → msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns

Merged entity.

Return type

Entity

Raises

AttributeError – If the entities cannot be merged.

property name_str: str

Return Entity Name.

property node_properties: Dict[str, Any]

Return all public properties that are not entities.

Returns

Dictionary of name, value properties.

Return type

Dict[str, Any]

property path_separator

Return the path separator used by the file.

classmethod pivots() → List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

property properties: dict

Return dictionary properties of entity.

Returns

Entity properties.

Return type

dict

to_html() → str

Return HTML representation of entity.

Returns

HTML representation of entity

Return type

str

to_json()

Return object as a JSON string.

to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) → networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters

graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None

Returns

Graph with entity and any connected entities.

Return type

nx.Graph

msticpy.datamodel.entities.file_hash module

FileHash Entity class.

class msticpy.datamodel.entities.file_hash.FileHash(src_entity: Optional[Mapping[str, Any]] = None, src_event: Optional[Mapping[str, Any]] = None, **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

File Hash class.

Algorithm

FileHash Algorithm

Type

Algorithm

Value

FileHash Value

Type

str

Create a new instance of the entity type.

Parameters

• src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)

• src_event (Mapping[str, Any], optional) – Create entity from event properties (the default is None)

• kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.

ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}

ID_PROPERTIES: List[str] = ['Value']

JSONEncoder

alias of msticpy.datamodel.entities.entity._EntityJSONEncoder

add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters

• target (Node) – Target node.

• edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None

can_merge(other: Any) → bool

Return True if the entities can be merged.

Parameters

other (Any) – The other entity (object) to check

Returns

True if other has no conflicting properties.

Return type

bool

classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns

Instantiated entity

Return type

Entity

Notes

The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.

classmethod del_pivot_shortcut(func_name: str)

Remove a pivot shortcut.

Parameters

func_name (str) – The name of the shortcut function.

Raises

• AttributeError – The class does not have an attribute func_name

• TypeError – The attribute to delete is not a pivot shortcut.

property description_str: str

Return Entity Description.

edges: Set['Edge']

classmethod get_pivot_list() → List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

has_edge(other)

Return True if node has an edge with other.

classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters

• raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.

• entity_type (Optional[Type]) – The entity type to create, by default None.

Returns

The instantiated entity

Return type

Entity

is_equivalent(other: Any) → bool

Return True if the entities are equivalent.

Parameters

other (Any) – The entity to check

Returns

True if equivalent.

Return type

bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A self.B == “xyz” and other.B == None self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)

Add a shortcut to a pivot function to the class.

Parameters

• func_name (str) – The name of source pivot function.

• target (str) – The shortcut name (this will be a member function of the class)

• overwrite (bool, optional) – Force overwrite an existing pivot function, by default False

Raises

• AttributeError – The source function does not exist

• TypeError – The source function is not a pivot function.

• TypeError – The target attribute exists and is not a pivot function

• AttributeError – The target function exists and ‘overwrite=True’ was not specified.

merge(other: Any) → msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns

Merged entity.

Return type

Entity

Raises

AttributeError – If the entities cannot be merged.

property name_str: str

Return Entity Name.

property node_properties: Dict[str, Any]

Return all public properties that are not entities.

Returns

Dictionary of name, value properties.

Return type

Dict[str, Any]

classmethod pivots() → List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

property properties: dict

Return dictionary properties of entity.

Returns

Entity properties.

Return type

dict

to_html() → str

Return HTML representation of entity.

Returns

HTML representation of entity

Return type

str

to_json()

Return object as a JSON string.

to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) → networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters

graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None

Returns

Graph with entity and any connected entities.

Return type

nx.Graph

msticpy.datamodel.entities.geo_location module

GeoLocation Entity class.

class msticpy.datamodel.entities.geo_location.GeoLocation(src_entity: Optional[Mapping[str, Any]] = None, **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity, msticpy.datamodel.entities.entity.ContextObject

GeoLocation class.

CountryCode

GeoLocation CountryCode

Type

str

CountryName

GeoLocation CountryName

Type

str

State

GeoLocation State

Type

str

City

GeoLocation City

Type

str

Longitude

GeoLocation Longitude

Type

float

Latitude

GeoLocation Latitude

Type

float

Asn

GeoLocation Asn

Type

str

Create a new instance of the entity type.

Parameters

• src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)

• kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.

ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}

ID_PROPERTIES: List[str] = ['Longitude', 'Latitude', 'City', 'State', 'CountryCode']

JSONEncoder

alias of msticpy.datamodel.entities.entity._EntityJSONEncoder

add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters

• target (Node) – Target node.

• edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None

can_merge(other: Any) → bool

Return True if the entities can be merged.

Parameters

other (Any) – The other entity (object) to check

Returns

True if other has no conflicting properties.

Return type

bool

property coordinates: Tuple[float, float]

Return Latitude/Longitude as a tuple of floats.

classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns

Instantiated entity

Return type

Entity

Notes

The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.

classmethod del_pivot_shortcut(func_name: str)

Remove a pivot shortcut.

Parameters

func_name (str) – The name of the shortcut function.

Raises

• AttributeError – The class does not have an attribute func_name

• TypeError – The attribute to delete is not a pivot shortcut.

property description_str: str

Return Entity Description.

edges: Set['Edge']

classmethod get_pivot_list() → List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

has_edge(other)

Return True if node has an edge with other.

classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters

• raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.

• entity_type (Optional[Type]) – The entity type to create, by default None.

Returns

The instantiated entity

Return type

Entity

is_equivalent(other: Any) → bool

Return True if the entities are equivalent.

Parameters

other (Any) – The entity to check

Returns

True if equivalent.

Return type

bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A self.B == “xyz” and other.B == None self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)

Add a shortcut to a pivot function to the class.

Parameters

• func_name (str) – The name of source pivot function.

• target (str) – The shortcut name (this will be a member function of the class)

• overwrite (bool, optional) – Force overwrite an existing pivot function, by default False

Raises

• AttributeError – The source function does not exist

• TypeError – The source function is not a pivot function.

• TypeError – The target attribute exists and is not a pivot function

• AttributeError – The target function exists and ‘overwrite=True’ was not specified.

merge(other: Any) → msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns

Merged entity.

Return type

Entity

Raises

AttributeError – If the entities cannot be merged.

property name_str: str

Return Entity Name.

property node_properties: Dict[str, Any]

Return all public properties that are not entities.

Returns

Dictionary of name, value properties.

Return type

Dict[str, Any]

classmethod pivots() → List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

property properties: dict

Return dictionary properties of entity.

Returns

Entity properties.

Return type

dict

to_html() → str

Return HTML representation of entity.

Returns

HTML representation of entity

Return type

str

to_json()

Return object as a JSON string.

to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) → networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters

graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None

Returns

Graph with entity and any connected entities.

Return type

nx.Graph

msticpy.datamodel.entities.graph_property module

Entity graph property.

msticpy.datamodel.entities.graph_property.graph_property(name: str, prop_type: Union[type, str], edge_name: Optional[str] = None) → property

Property factory for graph_property.

msticpy.datamodel.entities.host module

Host Entity class.

class msticpy.datamodel.entities.host.Host(src_entity: Optional[Mapping[str, Any]] = None, src_event: Optional[Mapping[str, Any]] = None, **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

Host Entity class.

DnsDomain

Host DnsDomain

Type

str

NTDomain

Host NTDomain

Type

str

HostName

Host HostName

Type

str

NetBiosName

Host NetBiosName

Type

str

AzureID

Host AzureID

Type

str

OMSAgentID

Host OMSAgentID

Type

str

OSFamily

Host OSFamily

Type

str

OSVersion

Host OSVersion

Type

str

IsDomainJoined

Host IsDomainJoined

Type

bool

Create a new instance of the entity type.

Parameters

• src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)

• src_event (Mapping[str, Any], optional) – Create entity from event properties (the default is None)

• kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.

ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}

property FullName: Optional[str]

Return the full name of the host - either FQDN or Netbiosname.

ID_PROPERTIES: List[str] = ['fqdn', 'AzureID', 'OMSAgentID']

JSONEncoder

alias of msticpy.datamodel.entities.entity._EntityJSONEncoder

add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters

• target (Node) – Target node.

• edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None

can_merge(other: Any) → bool

Return True if the entities can be merged.

Parameters

other (Any) – The other entity (object) to check

Returns

True if other has no conflicting properties.

Return type

bool

property computer: Optional[str]

Return computer from source event.

classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns

Instantiated entity

Return type

Entity

Notes

The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.

classmethod del_pivot_shortcut(func_name: str)

Remove a pivot shortcut.

Parameters

func_name (str) – The name of the shortcut function.

Raises

• AttributeError – The class does not have an attribute func_name

• TypeError – The attribute to delete is not a pivot shortcut.

property description_str: str

Return Entity Description.

edges: Set['Edge']

property fqdn: Optional[str]

Construct FQDN from host + dns.

classmethod get_pivot_list() → List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

has_edge(other)

Return True if node has an edge with other.

classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters

• raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.

• entity_type (Optional[Type]) – The entity type to create, by default None.

Returns

The instantiated entity

Return type

Entity

is_equivalent(other: Any) → bool

Return True if the entities are equivalent.

Parameters

other (Any) – The entity to check

Returns

True if equivalent.

Return type

bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A self.B == “xyz” and other.B == None self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)

Add a shortcut to a pivot function to the class.

Parameters

• func_name (str) – The name of source pivot function.

• target (str) – The shortcut name (this will be a member function of the class)

• overwrite (bool, optional) – Force overwrite an existing pivot function, by default False

Raises

• AttributeError – The source function does not exist

• TypeError – The source function is not a pivot function.

• TypeError – The target attribute exists and is not a pivot function

• AttributeError – The target function exists and ‘overwrite=True’ was not specified.

merge(other: Any) → msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns

Merged entity.

Return type

Entity

Raises

AttributeError – If the entities cannot be merged.

property name_str: str

Return Entity Name.

property node_properties: Dict[str, Any]

Return all public properties that are not entities.

Returns

Dictionary of name, value properties.

Return type

Dict[str, Any]

classmethod pivots() → List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

property properties: dict

Return dictionary properties of entity.

Returns

Entity properties.

Return type

dict

to_html() → str

Return HTML representation of entity.

Returns

HTML representation of entity

Return type

str

to_json()

Return object as a JSON string.

to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) → networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters

graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None

Returns

Graph with entity and any connected entities.

Return type

nx.Graph

msticpy.datamodel.entities.host_logon_session module

HostLogonSession Entity class.

class msticpy.datamodel.entities.host_logon_session.HostLogonSession(src_entity: Optional[Mapping[str, Any]] = None, src_event: Optional[Mapping[str, Any]] = None, **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

HostLogonSession Entity class.

Account

HostLogonSession Account

Type

Account

StartTimeUtc

HostLogonSession StartTimeUtc

Type

datetime

EndTimeUtc

HostLogonSession EndTimeUtc

Type

datetime

Host

HostLogonSession Host

Type

Host

SessionId

HostLogonSession SessionId

Type

str

Create a new instance of the entity type.

Parameters

• src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)

• src_event (Mapping[str, Any], optional) – Create entity from event properties (the default is None)

• kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.

ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}

ID_PROPERTIES: List[str] = ['Account', 'Host', 'SessionId']

JSONEncoder

alias of msticpy.datamodel.entities.entity._EntityJSONEncoder

add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters

• target (Node) – Target node.

• edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None

can_merge(other: Any) → bool

Return True if the entities can be merged.

Parameters

other (Any) – The other entity (object) to check

Returns

True if other has no conflicting properties.

Return type

bool

classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns

Instantiated entity

Return type

Entity

Notes

The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.

classmethod del_pivot_shortcut(func_name: str)

Remove a pivot shortcut.

Parameters

func_name (str) – The name of the shortcut function.

Raises

• AttributeError – The class does not have an attribute func_name

• TypeError – The attribute to delete is not a pivot shortcut.

property description_str: str

Return Entity Description.

edges: Set['Edge']

classmethod get_pivot_list() → List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

has_edge(other)

Return True if node has an edge with other.

classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters

• raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.

• entity_type (Optional[Type]) – The entity type to create, by default None.

Returns

The instantiated entity

Return type

Entity

is_equivalent(other: Any) → bool

Return True if the entities are equivalent.

Parameters

other (Any) – The entity to check

Returns

True if equivalent.

Return type

bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A self.B == “xyz” and other.B == None self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)

Add a shortcut to a pivot function to the class.

Parameters

• func_name (str) – The name of source pivot function.

• target (str) – The shortcut name (this will be a member function of the class)

• overwrite (bool, optional) – Force overwrite an existing pivot function, by default False

Raises

• AttributeError – The source function does not exist

• TypeError – The source function is not a pivot function.

• TypeError – The target attribute exists and is not a pivot function

• AttributeError – The target function exists and ‘overwrite=True’ was not specified.

merge(other: Any) → msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns

Merged entity.

Return type

Entity

Raises

AttributeError – If the entities cannot be merged.

property name_str: str

Return Entity Name.

property node_properties: Dict[str, Any]

Return all public properties that are not entities.

Returns

Dictionary of name, value properties.

Return type

Dict[str, Any]

classmethod pivots() → List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

property properties: dict

Return dictionary properties of entity.

Returns

Entity properties.

Return type

dict

to_html() → str

Return HTML representation of entity.

Returns

HTML representation of entity

Return type

str

to_json()

Return object as a JSON string.

to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) → networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters

graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None

Returns

Graph with entity and any connected entities.

Return type

nx.Graph

msticpy.datamodel.entities.iot_device module

IoTDevice Entity class.

class msticpy.datamodel.entities.iot_device.IoTDevice(src_entity: Optional[Mapping[str, Any]] = None, **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

IoTDevice Entity class.

IoTHub

IoTHub of the IoT device

Type

str

DeviceId

DeviceId of the IoT device

Type

str

DeviceName

DeviceName of the IoT device

Type

str

IoTSecurityAgentId

IoTSecurityAgentId of the IoT device

Type

str

DeviceType

DeviceType of the IoT device

Type

str

Source

Source of the IoT device

Type

str

SourceRef

SourceRef of the IoT device

Type

str

Manufacturer

Manufacturer of the IoT device

Type

str

Model

Model of the IoT device

Type

str

OperatingSystem

OperatingSystem of the IoT device

Type

str

IpAddress

IpAddress of the IoT device

Type

str

MacAddress

MacAddress of the IoT device

Type

str

Protocols

Protocols of the IoT device

Type

str

SerialNumber

SerialNumber of the IoT device

Type

str

Create a new instance of the entity type.

Parameters

• src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)

• kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.

ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}

ID_PROPERTIES: List[str] = ['IoTHub', 'DeviceId']

JSONEncoder

alias of msticpy.datamodel.entities.entity._EntityJSONEncoder

add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters

• target (Node) – Target node.

• edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None

can_merge(other: Any) → bool

Return True if the entities can be merged.

Parameters

other (Any) – The other entity (object) to check

Returns

True if other has no conflicting properties.

Return type

bool

classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns

Instantiated entity

Return type

Entity

Notes

The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.

classmethod del_pivot_shortcut(func_name: str)

Remove a pivot shortcut.

Parameters

func_name (str) – The name of the shortcut function.

Raises

• AttributeError – The class does not have an attribute func_name

• TypeError – The attribute to delete is not a pivot shortcut.

property description_str

Return Entity Description.

edges: Set['Edge']

classmethod get_pivot_list() → List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

has_edge(other)

Return True if node has an edge with other.

classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters

• raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.

• entity_type (Optional[Type]) – The entity type to create, by default None.

Returns

The instantiated entity

Return type

Entity

is_equivalent(other: Any) → bool

Return True if the entities are equivalent.

Parameters

other (Any) – The entity to check

Returns

True if equivalent.

Return type

bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A self.B == “xyz” and other.B == None self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)

Add a shortcut to a pivot function to the class.

Parameters

• func_name (str) – The name of source pivot function.

• target (str) – The shortcut name (this will be a member function of the class)

• overwrite (bool, optional) – Force overwrite an existing pivot function, by default False

Raises

• AttributeError – The source function does not exist

• TypeError – The source function is not a pivot function.

• TypeError – The target attribute exists and is not a pivot function

• AttributeError – The target function exists and ‘overwrite=True’ was not specified.

merge(other: Any) → msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns

Merged entity.

Return type

Entity

Raises

AttributeError – If the entities cannot be merged.

property name_str: str

Return Entity Name.

property node_properties: Dict[str, Any]

Return all public properties that are not entities.

Returns

Dictionary of name, value properties.

Return type

Dict[str, Any]

classmethod pivots() → List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

property properties: dict

Return dictionary properties of entity.

Returns

Entity properties.

Return type

dict

to_html() → str

Return HTML representation of entity.

Returns

HTML representation of entity

Return type

str

to_json()

Return object as a JSON string.

to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) → networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters

graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None

Returns

Graph with entity and any connected entities.

Return type

nx.Graph

msticpy.datamodel.entities.ip_address module

IpAddress Entity class.

msticpy.datamodel.entities.ip_address.Ip

alias of msticpy.datamodel.entities.ip_address.IpAddress

class msticpy.datamodel.entities.ip_address.IpAddress(src_entity: Optional[Mapping[str, Any]] = None, src_event: Optional[Mapping[str, Any]] = None, **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

IPAddress Entity class.

Address

IpAddress Address

Type

str

Location

IpAddress Location

Type

GeoLocation

ThreatIntelligence

IpAddress ThreatIntelligence

Type

List[Threatintelligence]

Create a new instance of the entity type.

Parameters

• src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)

• src_event (Mapping[str, Any], optional) – Create entity from event properties (the default is None)

• kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.

ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}

ID_PROPERTIES: List[str] = ['Address']

JSONEncoder

alias of msticpy.datamodel.entities.entity._EntityJSONEncoder

add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters

• target (Node) – Target node.

• edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None

can_merge(other: Any) → bool

Return True if the entities can be merged.

Parameters

other (Any) – The other entity (object) to check

Returns

True if other has no conflicting properties.

Return type

bool

classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns

Instantiated entity

Return type

Entity

Notes

The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.

classmethod del_pivot_shortcut(func_name: str)

Remove a pivot shortcut.

Parameters

func_name (str) – The name of the shortcut function.

Raises

• AttributeError – The class does not have an attribute func_name

• TypeError – The attribute to delete is not a pivot shortcut.

property description_str: str

Return Entity Description.

edges: Set['Edge']

classmethod get_pivot_list() → List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

has_edge(other)

Return True if node has an edge with other.

classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters

• raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.

• entity_type (Optional[Type]) – The entity type to create, by default None.

Returns

The instantiated entity

Return type

Entity

property ip_address: Optional[Union[ipaddress.IPv4Address, ipaddress.IPv6Address]]

Return a python IP address object from the entity property.

is_equivalent(other: Any) → bool

Return True if the entities are equivalent.

Parameters

other (Any) – The entity to check

Returns

True if equivalent.

Return type

bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A self.B == “xyz” and other.B == None self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)

Add a shortcut to a pivot function to the class.

Parameters

• func_name (str) – The name of source pivot function.

• target (str) – The shortcut name (this will be a member function of the class)

• overwrite (bool, optional) – Force overwrite an existing pivot function, by default False

Raises

• AttributeError – The source function does not exist

• TypeError – The source function is not a pivot function.

• TypeError – The target attribute exists and is not a pivot function

• AttributeError – The target function exists and ‘overwrite=True’ was not specified.

merge(other: Any) → msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns

Merged entity.

Return type

Entity

Raises

AttributeError – If the entities cannot be merged.

property name_str: str

Return Entity Name.

property node_properties: Dict[str, Any]

Return all public properties that are not entities.

Returns

Dictionary of name, value properties.

Return type

Dict[str, Any]

classmethod pivots() → List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

property properties: dict

Return dictionary properties of entity.

Returns

Entity properties.

Return type

dict

to_html() → str

Return HTML representation of entity.

Returns

HTML representation of entity

Return type

str

to_json()

Return object as a JSON string.

to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) → networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters

graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None

Returns

Graph with entity and any connected entities.

Return type

nx.Graph

msticpy.datamodel.entities.mail_cluster module

MailCluster Entity class.

class msticpy.datamodel.entities.mail_cluster.MailCluster(src_entity: Optional[Mapping[str, Any]] = None, src_event: Optional[Mapping[str, Any]] = None, **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

MailCluster Entity class.

NetworkMessageIds

NetworkMessageIds of the Mail cluster

Type

List[str]

CountByDeliveryStatus

CountByDeliveryStatus of the Mail cluster

Type

Dict[str, int] = {}

CountByThreatType

CountByThreatType of the Mail cluster

Type

Dict[str, int] = {}

CountByProtectionStatus

CountByProtectionStatus of the Mail cluster

Type

Dict[str, int] = {}

Threats

Threats of the Mail cluster

Type

List[str]

Query

Query of the Mail cluster

Type

str

QueryTime

QueryTime of the Mail cluster

Type

datetime

MailCount

MailCount of the Mail cluster

Type

int

IsVolumeAnomaly

IsVolumeAnomaly of the Mail cluster

Type

bool

Source

Source of the Mail cluster

Type

str

ClusterSourceIdentifier

ClusterSourceIdentifier of the Mail cluster

Type

str

ClusterSourceType

ClusterSourceType of the Mail cluster

Type

str

ClusterQueryStartTime

ClusterQueryStartTime of the Mail cluster

Type

datetime

ClusterQueryEndTime

ClusterQueryEndTime of the Mail cluster

Type

datetime

ClusterGroup

ClusterGroup of the Mail cluster

Type

str

Create a new instance of the entity type.

Parameters

• src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)

• src_event (Mapping[str, Any], optional) – Create entity from event properties (the default is None)

• kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.

ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}

ID_PROPERTIES: List[str] = ['Query', 'Source']

JSONEncoder

alias of msticpy.datamodel.entities.entity._EntityJSONEncoder

add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters

• target (Node) – Target node.

• edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None

can_merge(other: Any) → bool

Return True if the entities can be merged.

Parameters

other (Any) – The other entity (object) to check

Returns

True if other has no conflicting properties.

Return type

bool

classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns

Instantiated entity

Return type

Entity

Notes

The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.

classmethod del_pivot_shortcut(func_name: str)

Remove a pivot shortcut.

Parameters

func_name (str) – The name of the shortcut function.

Raises

• AttributeError – The class does not have an attribute func_name

• TypeError – The attribute to delete is not a pivot shortcut.

property description_str

Return Entity Description.

edges: Set['Edge']

classmethod get_pivot_list() → List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

has_edge(other)

Return True if node has an edge with other.

classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters

• raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.

• entity_type (Optional[Type]) – The entity type to create, by default None.

Returns

The instantiated entity

Return type

Entity

is_equivalent(other: Any) → bool

Return True if the entities are equivalent.

Parameters

other (Any) – The entity to check

Returns

True if equivalent.

Return type

bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A self.B == “xyz” and other.B == None self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)

Add a shortcut to a pivot function to the class.

Parameters

• func_name (str) – The name of source pivot function.

• target (str) – The shortcut name (this will be a member function of the class)

• overwrite (bool, optional) – Force overwrite an existing pivot function, by default False

Raises

• AttributeError – The source function does not exist

• TypeError – The source function is not a pivot function.

• TypeError – The target attribute exists and is not a pivot function

• AttributeError – The target function exists and ‘overwrite=True’ was not specified.

merge(other: Any) → msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns

Merged entity.

Return type

Entity

Raises

AttributeError – If the entities cannot be merged.

property name_str: str

Return Entity Name.

property node_properties: Dict[str, Any]

Return all public properties that are not entities.

Returns

Dictionary of name, value properties.

Return type

Dict[str, Any]

classmethod pivots() → List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

property properties: dict

Return dictionary properties of entity.

Returns

Entity properties.

Return type

dict

to_html() → str

Return HTML representation of entity.

Returns

HTML representation of entity

Return type

str

to_json()

Return object as a JSON string.

to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) → networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters

graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None

Returns

Graph with entity and any connected entities.

Return type

nx.Graph

msticpy.datamodel.entities.mail_message module

MailMessage Entity class.

class msticpy.datamodel.entities.mail_message.MailMessage(src_entity: Optional[Mapping[str, Any]] = None, src_event: Optional[Mapping[str, Any]] = None, **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

MailMessage Entity class.

Recipient

Recipient of the Mail message

Type

str

Files

Files of the Mail message

Type

List[Entity]

Urls

Urls of the Mail message

Type

List[str]

Threats

Threats of the Mail message

Type

List[str]

Sender

Sender of the Mail message

Type

str

P1Sender

P1Sender of the Mail message

Type

str

P1SenderDisplayName

P1SenderDisplayName of the Mail message

Type

str

P1SenderDomain

P1SenderDomain of the Mail message

Type

str

SenderIP

SenderIP of the Mail message

Type

str

P2Sender

P2Sender of the Mail message

Type

str

P2SenderDisplayName

P2SenderDisplayName of the Mail message

Type

str

P2SenderDomain

P2SenderDomain of the Mail message

Type

str

ReceivedDate

ReceivedDate of the Mail message

Type

datetime

NetworkMessageId

NetworkMessageId of the Mail message

Type

str

InternetMessageId

InternetMessageId of the Mail message

Type

str

Subject

Subject of the Mail message

Type

str

BodyFingerprintBin1

BodyFingerprintBin1 of the Mail message

Type

str

BodyFingerprintBin2

BodyFingerprintBin2 of the Mail message

Type

str

BodyFingerprintBin3

BodyFingerprintBin3 of the Mail message

Type

str

BodyFingerprintBin4

BodyFingerprintBin4 of the Mail message

Type

str

BodyFingerprintBin5

BodyFingerprintBin5 of the Mail message

Type

str

AntispamDirection

AntispamDirection of the Mail message

Type

str

DeliveryAction

DeliveryAction of the Mail message

Type

str

DeliveryLocation

DeliveryLocation of the Mail message

Type

str

Language

Language of the Mail message

Type

str

ThreatDetectionMethods

ThreatDetectionMethods of the Mail message

Type

str

Create a new instance of the entity type.

Parameters

• src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)

• src_event (Mapping[str, Any], optional) – Create entity from event properties (the default is None)

• kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.

ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}

ID_PROPERTIES: List[str] = ['NetworkMessageId', 'Recipient']

JSONEncoder

alias of msticpy.datamodel.entities.entity._EntityJSONEncoder

add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters

• target (Node) – Target node.

• edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None

can_merge(other: Any) → bool

Return True if the entities can be merged.

Parameters

other (Any) – The other entity (object) to check

Returns

True if other has no conflicting properties.

Return type

bool

classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns

Instantiated entity

Return type

Entity

Notes

The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.

classmethod del_pivot_shortcut(func_name: str)

Remove a pivot shortcut.

Parameters

func_name (str) – The name of the shortcut function.

Raises

• AttributeError – The class does not have an attribute func_name

• TypeError – The attribute to delete is not a pivot shortcut.

property description_str

Return Entity Description.

edges: Set['Edge']

classmethod get_pivot_list() → List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

has_edge(other)

Return True if node has an edge with other.

classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters

• raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.

• entity_type (Optional[Type]) – The entity type to create, by default None.

Returns

The instantiated entity

Return type

Entity

is_equivalent(other: Any) → bool

Return True if the entities are equivalent.

Parameters

other (Any) – The entity to check

Returns

True if equivalent.

Return type

bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A self.B == “xyz” and other.B == None self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)

Add a shortcut to a pivot function to the class.

Parameters

• func_name (str) – The name of source pivot function.

• target (str) – The shortcut name (this will be a member function of the class)

• overwrite (bool, optional) – Force overwrite an existing pivot function, by default False

Raises

• AttributeError – The source function does not exist

• TypeError – The source function is not a pivot function.

• TypeError – The target attribute exists and is not a pivot function

• AttributeError – The target function exists and ‘overwrite=True’ was not specified.

merge(other: Any) → msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns

Merged entity.

Return type

Entity

Raises

AttributeError – If the entities cannot be merged.

property name_str: str

Return Entity Name.

property node_properties: Dict[str, Any]

Return all public properties that are not entities.

Returns

Dictionary of name, value properties.

Return type

Dict[str, Any]

classmethod pivots() → List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

property properties: dict

Return dictionary properties of entity.

Returns

Entity properties.

Return type

dict

to_html() → str

Return HTML representation of entity.

Returns

HTML representation of entity

Return type

str

to_json()

Return object as a JSON string.

to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) → networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters

graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None

Returns

Graph with entity and any connected entities.

Return type

nx.Graph

msticpy.datamodel.entities.mailbox module

Mailbox Entity class.

class msticpy.datamodel.entities.mailbox.Mailbox(src_entity: Optional[Mapping[str, Any]] = None, src_event: Optional[Mapping[str, Any]] = None, **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

Mailbox Entity class.

MailboxPrimaryAddress

PrimaryAddress of the Mailbox

Type

str

DisplayName

DisplayName of the Mailbox

Type

str

Upn

Upn of the Mailbox

Type

str

ExternalDirectoryObjectId

ExternalDirectoryObjectId of the Mailbox

Type

str

RiskLevel

RiskLevel of the Mailbox

Type

str

Create a new instance of the entity type.

Parameters

• src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)

• src_event (Mapping[str, Any], optional) – Create entity from event properties (the default is None)

• kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.

ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}

ID_PROPERTIES: List[str] = ['MailboxPrimaryAddress']

JSONEncoder

alias of msticpy.datamodel.entities.entity._EntityJSONEncoder

add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters

• target (Node) – Target node.

• edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None

can_merge(other: Any) → bool

Return True if the entities can be merged.

Parameters

other (Any) – The other entity (object) to check

Returns

True if other has no conflicting properties.

Return type

bool

classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns

Instantiated entity

Return type

Entity

Notes

The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.

classmethod del_pivot_shortcut(func_name: str)

Remove a pivot shortcut.

Parameters

func_name (str) – The name of the shortcut function.

Raises

• AttributeError – The class does not have an attribute func_name

• TypeError – The attribute to delete is not a pivot shortcut.

property description_str

Return Entity Description.

edges: Set['Edge']

classmethod get_pivot_list() → List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

has_edge(other)

Return True if node has an edge with other.

classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters

• raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.

• entity_type (Optional[Type]) – The entity type to create, by default None.

Returns

The instantiated entity

Return type

Entity

is_equivalent(other: Any) → bool

Return True if the entities are equivalent.

Parameters

other (Any) – The entity to check

Returns

True if equivalent.

Return type

bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A self.B == “xyz” and other.B == None self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)

Add a shortcut to a pivot function to the class.

Parameters

• func_name (str) – The name of source pivot function.

• target (str) – The shortcut name (this will be a member function of the class)

• overwrite (bool, optional) – Force overwrite an existing pivot function, by default False

Raises

• AttributeError – The source function does not exist

• TypeError – The source function is not a pivot function.

• TypeError – The target attribute exists and is not a pivot function

• AttributeError – The target function exists and ‘overwrite=True’ was not specified.

merge(other: Any) → msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns

Merged entity.

Return type

Entity

Raises

AttributeError – If the entities cannot be merged.

property name_str: str

Return Entity Name.

property node_properties: Dict[str, Any]

Return all public properties that are not entities.

Returns

Dictionary of name, value properties.

Return type

Dict[str, Any]

classmethod pivots() → List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

property properties: dict

Return dictionary properties of entity.

Returns

Entity properties.

Return type

dict

to_html() → str

Return HTML representation of entity.

Returns

HTML representation of entity

Return type

str

to_json()

Return object as a JSON string.

to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) → networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters

graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None

Returns

Graph with entity and any connected entities.

Return type

nx.Graph

msticpy.datamodel.entities.malware module

Malware Entity class.

class msticpy.datamodel.entities.malware.Malware(src_entity: Optional[Mapping[str, Any]] = None, **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

Malware Entity class.

Name

Malware Name

Type

str

Category

Malware Category

Type

str

File

Malware File

Type

File

Files

Malware Files

Type

List[File]

Processes

Malware Processes

Type

List[Process]

Create a new instance of the entity type.

Parameters

• src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)

• kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.

ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}

ID_PROPERTIES: List[str] = ['Name']

JSONEncoder

alias of msticpy.datamodel.entities.entity._EntityJSONEncoder

add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters

• target (Node) – Target node.

• edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None

can_merge(other: Any) → bool

Return True if the entities can be merged.

Parameters

other (Any) – The other entity (object) to check

Returns

True if other has no conflicting properties.

Return type

bool

classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns

Instantiated entity

Return type

Entity

Notes

The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.

classmethod del_pivot_shortcut(func_name: str)

Remove a pivot shortcut.

Parameters

func_name (str) – The name of the shortcut function.

Raises

• AttributeError – The class does not have an attribute func_name

• TypeError – The attribute to delete is not a pivot shortcut.

property description_str: str

Return Entity Description.

edges: Set['Edge']

classmethod get_pivot_list() → List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

has_edge(other)

Return True if node has an edge with other.

classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters

• raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.

• entity_type (Optional[Type]) – The entity type to create, by default None.

Returns

The instantiated entity

Return type

Entity

is_equivalent(other: Any) → bool

Return True if the entities are equivalent.

Parameters

other (Any) – The entity to check

Returns

True if equivalent.

Return type

bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A self.B == “xyz” and other.B == None self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)

Add a shortcut to a pivot function to the class.

Parameters

• func_name (str) – The name of source pivot function.

• target (str) – The shortcut name (this will be a member function of the class)

• overwrite (bool, optional) – Force overwrite an existing pivot function, by default False

Raises

• AttributeError – The source function does not exist

• TypeError – The source function is not a pivot function.

• TypeError – The target attribute exists and is not a pivot function

• AttributeError – The target function exists and ‘overwrite=True’ was not specified.

merge(other: Any) → msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns

Merged entity.

Return type

Entity

Raises

AttributeError – If the entities cannot be merged.

property name_str: str

Return Entity Name.

property node_properties: Dict[str, Any]

Return all public properties that are not entities.

Returns

Dictionary of name, value properties.

Return type

Dict[str, Any]

classmethod pivots() → List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

property properties: dict

Return dictionary properties of entity.

Returns

Entity properties.

Return type

dict

to_html() → str

Return HTML representation of entity.

Returns

HTML representation of entity

Return type

str

to_json()

Return object as a JSON string.

to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) → networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters

graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None

Returns

Graph with entity and any connected entities.

Return type

nx.Graph

msticpy.datamodel.entities.network_connection module

NetworkConnection Entity class.

class msticpy.datamodel.entities.network_connection.NetworkConnection(src_entity: Optional[Mapping[str, Any]] = None, **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

NetworkConnection Entity class.

SourceAddress

NetworkConnection SourceAddress

Type

IPAddress

SourcePort

NetworkConnection SourcePort

Type

int

DestinationAddress

NetworkConnection DestinationAddress

Type

IPAddress

DestinationPort

NetworkConnection DestinationPort

Type

int

Protocol

NetworkConnection Protocol

Type

str

Create a new instance of the entity type.

Parameters

• src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)

• kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.

ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}

ID_PROPERTIES: List[str] = ['SourceAddress', 'SourcePort', 'DestinationAddress', 'DestinationPort']

JSONEncoder

alias of msticpy.datamodel.entities.entity._EntityJSONEncoder

add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters

• target (Node) – Target node.

• edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None

can_merge(other: Any) → bool

Return True if the entities can be merged.

Parameters

other (Any) – The other entity (object) to check

Returns

True if other has no conflicting properties.

Return type

bool

classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns

Instantiated entity

Return type

Entity

Notes

The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.

classmethod del_pivot_shortcut(func_name: str)

Remove a pivot shortcut.

Parameters

func_name (str) – The name of the shortcut function.

Raises

• AttributeError – The class does not have an attribute func_name

• TypeError – The attribute to delete is not a pivot shortcut.

property description_str: str

Return Entity Description.

edges: Set['Edge']

classmethod get_pivot_list() → List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

has_edge(other)

Return True if node has an edge with other.

classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters

• raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.

• entity_type (Optional[Type]) – The entity type to create, by default None.

Returns

The instantiated entity

Return type

Entity

is_equivalent(other: Any) → bool

Return True if the entities are equivalent.

Parameters

other (Any) – The entity to check

Returns

True if equivalent.

Return type

bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A self.B == “xyz” and other.B == None self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)

Add a shortcut to a pivot function to the class.

Parameters

• func_name (str) – The name of source pivot function.

• target (str) – The shortcut name (this will be a member function of the class)

• overwrite (bool, optional) – Force overwrite an existing pivot function, by default False

Raises

• AttributeError – The source function does not exist

• TypeError – The source function is not a pivot function.

• TypeError – The target attribute exists and is not a pivot function

• AttributeError – The target function exists and ‘overwrite=True’ was not specified.

merge(other: Any) → msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns

Merged entity.

Return type

Entity

Raises

AttributeError – If the entities cannot be merged.

property name_str: str

Return Entity Name.

property node_properties: Dict[str, Any]

Return all public properties that are not entities.

Returns

Dictionary of name, value properties.

Return type

Dict[str, Any]

classmethod pivots() → List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

property properties: dict

Return dictionary properties of entity.

Returns

Entity properties.

Return type

dict

to_html() → str

Return HTML representation of entity.

Returns

HTML representation of entity

Return type

str

to_json()

Return object as a JSON string.

to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) → networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters

graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None

Returns

Graph with entity and any connected entities.

Return type

nx.Graph

msticpy.datamodel.entities.process module

Process Entity class.

class msticpy.datamodel.entities.process.Process(src_entity: Optional[Mapping[str, Any]] = None, src_event: Optional[Mapping[str, Any]] = None, role='new', **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

Process Entity class.

ProcessId

Process ProcessId

Type

str

CommandLine

Process CommandLine

Type

str

ElevationToken

Process ElevationToken

Type

str

CreationTimeUtc

Process CreationTimeUtc

Type

datetime

ImageFile

Process ImageFile

Type

File

Account

Process Account

Type

Account

ParentProcess

Process ParentProcess

Type

Process

Host

Process Host

Type

Host

LogonSession

Process LogonSession

Type

HostLogonSession

Create a new instance of the entity type.

Parameters

• src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)

• src_event (Mapping[str, Any], optional) – Create entity from event properties (the default is None)

• role (str, optional) – ‘new’ or ‘parent’ - only relevant if the entity is being constructed from an event. (the default is ‘new’)

• kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.

ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}

ID_PROPERTIES: List[str] = ['ProcessId', 'ImageFile', 'CreationTimeUtc', 'CommandLine']

JSONEncoder

alias of msticpy.datamodel.entities.entity._EntityJSONEncoder

property ProcessFilePath: Optional[str]

Return the name of the process file path.

property ProcessName: Optional[str]

Return the name of the process file.

add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters

• target (Node) – Target node.

• edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None

can_merge(other: Any) → bool

Return True if the entities can be merged.

Parameters

other (Any) – The other entity (object) to check

Returns

True if other has no conflicting properties.

Return type

bool

classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns

Instantiated entity

Return type

Entity

Notes

The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.

classmethod del_pivot_shortcut(func_name: str)

Remove a pivot shortcut.

Parameters

func_name (str) – The name of the shortcut function.

Raises

• AttributeError – The class does not have an attribute func_name

• TypeError – The attribute to delete is not a pivot shortcut.

property description_str: str

Return Entity Description.

edges: Set['Edge']

classmethod get_pivot_list() → List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

has_edge(other)

Return True if node has an edge with other.

classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters

• raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.

• entity_type (Optional[Type]) – The entity type to create, by default None.

Returns

The instantiated entity

Return type

Entity

is_equivalent(other: Any) → bool

Return True if the entities are equivalent.

Parameters

other (Any) – The entity to check

Returns

True if equivalent.

Return type

bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A self.B == “xyz” and other.B == None self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)

Add a shortcut to a pivot function to the class.

Parameters

• func_name (str) – The name of source pivot function.

• target (str) – The shortcut name (this will be a member function of the class)

• overwrite (bool, optional) – Force overwrite an existing pivot function, by default False

Raises

• AttributeError – The source function does not exist

• TypeError – The source function is not a pivot function.

• TypeError – The target attribute exists and is not a pivot function

• AttributeError – The target function exists and ‘overwrite=True’ was not specified.

merge(other: Any) → msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns

Merged entity.

Return type

Entity

Raises

AttributeError – If the entities cannot be merged.

property name_str: str

Return Entity Name.

property node_properties: Dict[str, Any]

Return all public properties that are not entities.

Returns

Dictionary of name, value properties.

Return type

Dict[str, Any]

classmethod pivots() → List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

property properties: dict

Return dictionary properties of entity.

Returns

Entity properties.

Return type

dict

to_html() → str

Return HTML representation of entity.

Returns

HTML representation of entity

Return type

str

to_json()

Return object as a JSON string.

to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) → networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters

graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None

Returns

Graph with entity and any connected entities.

Return type

nx.Graph

msticpy.datamodel.entities.registry_key module

RegistryValue Entity class.

class msticpy.datamodel.entities.registry_key.RegistryKey(src_entity: Optional[Mapping[str, Any]] = None, **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

RegistryKey Entity class.

Hive

RegistryKey Hive

Type

RegistryHive

Key

RegistryKey Key

Type

str

Create a new instance of the entity type.

Parameters

• src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)

• kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.

ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}

ID_PROPERTIES: List[str] = ['Hive', 'Key']

JSONEncoder

alias of msticpy.datamodel.entities.entity._EntityJSONEncoder

add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters

• target (Node) – Target node.

• edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None

can_merge(other: Any) → bool

Return True if the entities can be merged.

Parameters

other (Any) – The other entity (object) to check

Returns

True if other has no conflicting properties.

Return type

bool

classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns

Instantiated entity

Return type

Entity

Notes

The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.

classmethod del_pivot_shortcut(func_name: str)

Remove a pivot shortcut.

Parameters

func_name (str) – The name of the shortcut function.

Raises

• AttributeError – The class does not have an attribute func_name

• TypeError – The attribute to delete is not a pivot shortcut.

property description_str: str

Return Entity Description.

edges: Set['Edge']

classmethod get_pivot_list() → List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

has_edge(other)

Return True if node has an edge with other.

classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters

• raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.

• entity_type (Optional[Type]) – The entity type to create, by default None.

Returns

The instantiated entity

Return type

Entity

is_equivalent(other: Any) → bool

Return True if the entities are equivalent.

Parameters

other (Any) – The entity to check

Returns

True if equivalent.

Return type

bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A self.B == “xyz” and other.B == None self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)

Add a shortcut to a pivot function to the class.

Parameters

• func_name (str) – The name of source pivot function.

• target (str) – The shortcut name (this will be a member function of the class)

• overwrite (bool, optional) – Force overwrite an existing pivot function, by default False

Raises

• AttributeError – The source function does not exist

• TypeError – The source function is not a pivot function.

• TypeError – The target attribute exists and is not a pivot function

• AttributeError – The target function exists and ‘overwrite=True’ was not specified.

merge(other: Any) → msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns

Merged entity.

Return type

Entity

Raises

AttributeError – If the entities cannot be merged.

property name_str: str

Return Entity Name.

property node_properties: Dict[str, Any]

Return all public properties that are not entities.

Returns

Dictionary of name, value properties.

Return type

Dict[str, Any]

classmethod pivots() → List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

property properties: dict

Return dictionary properties of entity.

Returns

Entity properties.

Return type

dict

to_html() → str

Return HTML representation of entity.

Returns

HTML representation of entity

Return type

str

to_json()

Return object as a JSON string.

to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) → networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters

graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None

Returns

Graph with entity and any connected entities.

Return type

nx.Graph

msticpy.datamodel.entities.registry_value module

RegistryValue Entity class.

class msticpy.datamodel.entities.registry_value.RegistryValue(src_entity: Optional[Mapping[str, Any]] = None, **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

RegistryValue Entity class.

Key

RegistryValue Key

Type

str

Name

RegistryValue Name

Type

str

Value

RegistryValue Value

Type

str

ValueType

RegistryValue ValueType

Type

str

Create a new instance of the entity type.

Parameters

• src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)

• kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.

ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}

ID_PROPERTIES: List[str] = ['Key', 'Name', 'Value']

JSONEncoder

alias of msticpy.datamodel.entities.entity._EntityJSONEncoder

add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters

• target (Node) – Target node.

• edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None

can_merge(other: Any) → bool

Return True if the entities can be merged.

Parameters

other (Any) – The other entity (object) to check

Returns

True if other has no conflicting properties.

Return type

bool

classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns

Instantiated entity

Return type

Entity

Notes

The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.

classmethod del_pivot_shortcut(func_name: str)

Remove a pivot shortcut.

Parameters

func_name (str) – The name of the shortcut function.

Raises

• AttributeError – The class does not have an attribute func_name

• TypeError – The attribute to delete is not a pivot shortcut.

property description_str: str

Return Entity Description.

edges: Set['Edge']

classmethod get_pivot_list() → List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

has_edge(other)

Return True if node has an edge with other.

classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters

• raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.

• entity_type (Optional[Type]) – The entity type to create, by default None.

Returns

The instantiated entity

Return type

Entity

is_equivalent(other: Any) → bool

Return True if the entities are equivalent.

Parameters

other (Any) – The entity to check

Returns

True if equivalent.

Return type

bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A self.B == “xyz” and other.B == None self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)

Add a shortcut to a pivot function to the class.

Parameters

• func_name (str) – The name of source pivot function.

• target (str) – The shortcut name (this will be a member function of the class)

• overwrite (bool, optional) – Force overwrite an existing pivot function, by default False

Raises

• AttributeError – The source function does not exist

• TypeError – The source function is not a pivot function.

• TypeError – The target attribute exists and is not a pivot function

• AttributeError – The target function exists and ‘overwrite=True’ was not specified.

merge(other: Any) → msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns

Merged entity.

Return type

Entity

Raises

AttributeError – If the entities cannot be merged.

property name_str: str

Return Entity Name.

property node_properties: Dict[str, Any]

Return all public properties that are not entities.

Returns

Dictionary of name, value properties.

Return type

Dict[str, Any]

classmethod pivots() → List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

property properties: dict

Return dictionary properties of entity.

Returns

Entity properties.

Return type

dict

to_html() → str

Return HTML representation of entity.

Returns

HTML representation of entity

Return type

str

to_json()

Return object as a JSON string.

to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) → networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters

graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None

Returns

Graph with entity and any connected entities.

Return type

nx.Graph

msticpy.datamodel.entities.security_group module

SecurityGroup Entity class.

class msticpy.datamodel.entities.security_group.SecurityGroup(src_entity: Optional[Mapping[str, Any]] = None, **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

SecurityGroup Entity class.

DistinguishedName

SecurityGroup DistinguishedName

Type

str

SID

SecurityGroup SID

Type

str

ObjectGuid

SecurityGroup ObjectGuid

Type

str

Create a new instance of the entity type.

Parameters

• src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)

• kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.

ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}

ID_PROPERTIES: List[str] = ['DistinguishedName', 'SID', 'ObjectGuid']

JSONEncoder

alias of msticpy.datamodel.entities.entity._EntityJSONEncoder

add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters

• target (Node) – Target node.

• edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None

can_merge(other: Any) → bool

Return True if the entities can be merged.

Parameters

other (Any) – The other entity (object) to check

Returns

True if other has no conflicting properties.

Return type

bool

classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns

Instantiated entity

Return type

Entity

Notes

The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.

classmethod del_pivot_shortcut(func_name: str)

Remove a pivot shortcut.

Parameters

func_name (str) – The name of the shortcut function.

Raises

• AttributeError – The class does not have an attribute func_name

• TypeError – The attribute to delete is not a pivot shortcut.

property description_str

Return Entity Description.

edges: Set['Edge']

classmethod get_pivot_list() → List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

has_edge(other)

Return True if node has an edge with other.

classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters

• raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.

• entity_type (Optional[Type]) – The entity type to create, by default None.

Returns

The instantiated entity

Return type

Entity

is_equivalent(other: Any) → bool

Return True if the entities are equivalent.

Parameters

other (Any) – The entity to check

Returns

True if equivalent.

Return type

bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A self.B == “xyz” and other.B == None self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)

Add a shortcut to a pivot function to the class.

Parameters

• func_name (str) – The name of source pivot function.

• target (str) – The shortcut name (this will be a member function of the class)

• overwrite (bool, optional) – Force overwrite an existing pivot function, by default False

Raises

• AttributeError – The source function does not exist

• TypeError – The source function is not a pivot function.

• TypeError – The target attribute exists and is not a pivot function

• AttributeError – The target function exists and ‘overwrite=True’ was not specified.

merge(other: Any) → msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns

Merged entity.

Return type

Entity

Raises

AttributeError – If the entities cannot be merged.

property name_str: str

Return Entity Name.

property node_properties: Dict[str, Any]

Return all public properties that are not entities.

Returns

Dictionary of name, value properties.

Return type

Dict[str, Any]

classmethod pivots() → List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

property properties: dict

Return dictionary properties of entity.

Returns

Entity properties.

Return type

dict

to_html() → str

Return HTML representation of entity.

Returns

HTML representation of entity

Return type

str

to_json()

Return object as a JSON string.

to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) → networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters

graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None

Returns

Graph with entity and any connected entities.

Return type

nx.Graph

msticpy.datamodel.entities.submission_mail module

Submission mail Entity class.

class msticpy.datamodel.entities.submission_mail.SubmissionMail(src_entity: Optional[Mapping[str, Any]] = None, **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

SubmissionMail Entity class.

SubmissionId

SubmissionId of the submission mail

Type

str

SubmissionDate

SubmissionDate of the submission mail

Type

datetime

Submitter

Submitter email of the submission mail

Type

str

NetworkMessageId

NetworkMessageId of the submission mail

Type

str

Timestamp

The Time stamp when the message is received

Type

datetime

Recipient

Recipient of the submission mail

Type

str

Sender

Sender of the submission mail

Type

str

SenderIp

SenderIp of the submission mail

Type

str

Subject

Subject of the submission mail

Type

str

ReportType

ReportType of the submission mail

Type

str

Create a new instance of the entity type.

Parameters

• src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)

• kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.

ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}

ID_PROPERTIES: List[str] = ['NetworkMessageId', 'Recipient']

JSONEncoder

alias of msticpy.datamodel.entities.entity._EntityJSONEncoder

add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters

• target (Node) – Target node.

• edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None

can_merge(other: Any) → bool

Return True if the entities can be merged.

Parameters

other (Any) – The other entity (object) to check

Returns

True if other has no conflicting properties.

Return type

bool

classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns

Instantiated entity

Return type

Entity

Notes

The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.

classmethod del_pivot_shortcut(func_name: str)

Remove a pivot shortcut.

Parameters

func_name (str) – The name of the shortcut function.

Raises

• AttributeError – The class does not have an attribute func_name

• TypeError – The attribute to delete is not a pivot shortcut.

property description_str

Return Entity Description.

edges: Set['Edge']

classmethod get_pivot_list() → List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

has_edge(other)

Return True if node has an edge with other.

classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters

• raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.

• entity_type (Optional[Type]) – The entity type to create, by default None.

Returns

The instantiated entity

Return type

Entity

is_equivalent(other: Any) → bool

Return True if the entities are equivalent.

Parameters

other (Any) – The entity to check

Returns

True if equivalent.

Return type

bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A self.B == “xyz” and other.B == None self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)

Add a shortcut to a pivot function to the class.

Parameters

• func_name (str) – The name of source pivot function.

• target (str) – The shortcut name (this will be a member function of the class)

• overwrite (bool, optional) – Force overwrite an existing pivot function, by default False

Raises

• AttributeError – The source function does not exist

• TypeError – The source function is not a pivot function.

• TypeError – The target attribute exists and is not a pivot function

• AttributeError – The target function exists and ‘overwrite=True’ was not specified.

merge(other: Any) → msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns

Merged entity.

Return type

Entity

Raises

AttributeError – If the entities cannot be merged.

property name_str: str

Return Entity Name.

property node_properties: Dict[str, Any]

Return all public properties that are not entities.

Returns

Dictionary of name, value properties.

Return type

Dict[str, Any]

classmethod pivots() → List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

property properties: dict

Return dictionary properties of entity.

Returns

Entity properties.

Return type

dict

to_html() → str

Return HTML representation of entity.

Returns

HTML representation of entity

Return type

str

to_json()

Return object as a JSON string.

to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) → networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters

graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None

Returns

Graph with entity and any connected entities.

Return type

nx.Graph

msticpy.datamodel.entities.threat_intelligence module

Threatintelligence Entity class.

class msticpy.datamodel.entities.threat_intelligence.Threatintelligence(src_entity: Optional[Mapping[str, Any]] = None, **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

Threatintelligence Entity class.

ProviderName

Threatintelligence ProviderName

Type

str

ThreatType

Threatintelligence ThreatType

Type

str

ThreatName

Threatintelligence ThreatName

Type

str

Confidence

Threatintelligence Confidence

Type

str

ReportLink

Threatintelligence ReportLink

Type

str

ThreatDescription

Threatintelligence ThreatDescription

Type

str

Create a new instance of the entity type.

param src_entity

instantiate entity using properties of src entity

param kwargs

key-value pair representation of entity

ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}

ID_PROPERTIES: List[str] = ['ProviderName', 'ThreatName', 'ReportLink']

JSONEncoder

alias of msticpy.datamodel.entities.entity._EntityJSONEncoder

add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters

• target (Node) – Target node.

• edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None

can_merge(other: Any) → bool

Return True if the entities can be merged.

Parameters

other (Any) – The other entity (object) to check

Returns

True if other has no conflicting properties.

Return type

bool

classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns

Instantiated entity

Return type

Entity

Notes

The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.

classmethod del_pivot_shortcut(func_name: str)

Remove a pivot shortcut.

Parameters

func_name (str) – The name of the shortcut function.

Raises

• AttributeError – The class does not have an attribute func_name

• TypeError – The attribute to delete is not a pivot shortcut.

property description_str: str

Return Entity Description.

edges: Set['Edge']

classmethod get_pivot_list() → List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

has_edge(other)

Return True if node has an edge with other.

classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters

• raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.

• entity_type (Optional[Type]) – The entity type to create, by default None.

Returns

The instantiated entity

Return type

Entity

is_equivalent(other: Any) → bool

Return True if the entities are equivalent.

Parameters

other (Any) – The entity to check

Returns

True if equivalent.

Return type

bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A self.B == “xyz” and other.B == None self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)

Add a shortcut to a pivot function to the class.

Parameters

• func_name (str) – The name of source pivot function.

• target (str) – The shortcut name (this will be a member function of the class)

• overwrite (bool, optional) – Force overwrite an existing pivot function, by default False

Raises

• AttributeError – The source function does not exist

• TypeError – The source function is not a pivot function.

• TypeError – The target attribute exists and is not a pivot function

• AttributeError – The target function exists and ‘overwrite=True’ was not specified.

merge(other: Any) → msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns

Merged entity.

Return type

Entity

Raises

AttributeError – If the entities cannot be merged.

property name_str: str

Return Entity Name.

property node_properties: Dict[str, Any]

Return all public properties that are not entities.

Returns

Dictionary of name, value properties.

Return type

Dict[str, Any]

classmethod pivots() → List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

property properties: dict

Return dictionary properties of entity.

Returns

Entity properties.

Return type

dict

to_html() → str

Return HTML representation of entity.

Returns

HTML representation of entity

Return type

str

to_json()

Return object as a JSON string.

to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) → networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters

graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None

Returns

Graph with entity and any connected entities.

Return type

nx.Graph

msticpy.datamodel.entities.unknown_entity module

Threatintelligence Entity class.

class msticpy.datamodel.entities.unknown_entity.UnknownEntity(src_entity: Optional[Mapping[str, Any]] = None, **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

Generic Entity class.

Create a new instance of the entity type.

param src_entity

instantiate entity using properties of src entity

param kwargs

key-value pair representation of entity

ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}

ID_PROPERTIES: List[str] = []

JSONEncoder

alias of msticpy.datamodel.entities.entity._EntityJSONEncoder

add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters

• target (Node) – Target node.

• edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None

can_merge(other: Any) → bool

Return True if the entities can be merged.

Parameters

other (Any) – The other entity (object) to check

Returns

True if other has no conflicting properties.

Return type

bool

classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns

Instantiated entity

Return type

Entity

Notes

The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.

classmethod del_pivot_shortcut(func_name: str)

Remove a pivot shortcut.

Parameters

func_name (str) – The name of the shortcut function.

Raises

• AttributeError – The class does not have an attribute func_name

• TypeError – The attribute to delete is not a pivot shortcut.

property description_str: str

Return Entity Description.

edges: Set['Edge']

classmethod get_pivot_list() → List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

has_edge(other)

Return True if node has an edge with other.

classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters

• raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.

• entity_type (Optional[Type]) – The entity type to create, by default None.

Returns

The instantiated entity

Return type

Entity

is_equivalent(other: Any) → bool

Return True if the entities are equivalent.

Parameters

other (Any) – The entity to check

Returns

True if equivalent.

Return type

bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A self.B == “xyz” and other.B == None self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)

Add a shortcut to a pivot function to the class.

Parameters

• func_name (str) – The name of source pivot function.

• target (str) – The shortcut name (this will be a member function of the class)

• overwrite (bool, optional) – Force overwrite an existing pivot function, by default False

Raises

• AttributeError – The source function does not exist

• TypeError – The source function is not a pivot function.

• TypeError – The target attribute exists and is not a pivot function

• AttributeError – The target function exists and ‘overwrite=True’ was not specified.

merge(other: Any) → msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns

Merged entity.

Return type

Entity

Raises

AttributeError – If the entities cannot be merged.

property name_str: str

Return Entity Name.

property node_properties: Dict[str, Any]

Return all public properties that are not entities.

Returns

Dictionary of name, value properties.

Return type

Dict[str, Any]

classmethod pivots() → List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

property properties: dict

Return dictionary properties of entity.

Returns

Entity properties.

Return type

dict

to_html() → str

Return HTML representation of entity.

Returns

HTML representation of entity

Return type

str

to_json()

Return object as a JSON string.

to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) → networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters

graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None

Returns

Graph with entity and any connected entities.

Return type

nx.Graph

msticpy.datamodel.entities.url module

Url Entity class.

class msticpy.datamodel.entities.url.Url(src_entity: Optional[Mapping[str, Any]] = None, src_event: Optional[Mapping[str, Any]] = None, **kwargs)

Bases: msticpy.datamodel.entities.entity.Entity

URL Entity.

Url

The URL

Type

str

DetonationVerdict

The verdict of the URL detection

Type

str

Create a new instance of the entity type.

Parameters

• src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)

• src_event (Mapping[str, Any], optional) – Create entity from event properties (the default is None)

• kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.

ENTITY_NAME_MAP: Dict[str, type] = {'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>}

ID_PROPERTIES: List[str] = ['Url']

JSONEncoder

alias of msticpy.datamodel.entities.entity._EntityJSONEncoder

add_edge(target: msticpy.datamodel.entities.entity_graph.Node, edge_attrs: Optional[Dict[str, Any]] = None)

Add an edge between self and target.

Parameters

• target (Node) – Target node.

• edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None

can_merge(other: Any) → bool

Return True if the entities can be merged.

Parameters

other (Any) – The other entity (object) to check

Returns

True if other has no conflicting properties.

Return type

bool

classmethod create(src_entity: Optional[Mapping[str, Any]] = None, **kwargs) → msticpy.datamodel.entities.entity.Entity

Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.

Returns

Instantiated entity

Return type

Entity

Notes

The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.

classmethod del_pivot_shortcut(func_name: str)

Remove a pivot shortcut.

Parameters

func_name (str) – The name of the shortcut function.

Raises

• AttributeError – The class does not have an attribute func_name

• TypeError – The attribute to delete is not a pivot shortcut.

property description_str: str

Return Entity Description.

edges: Set['Edge']

classmethod get_pivot_list() → List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

has_edge(other)

Return True if node has an edge with other.

classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Optional[Type] = None) → Union[msticpy.datamodel.entities.entity.Entity, Mapping[str, Any]]

Class factory to return entity from raw dictionary representation.

Parameters

• raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.

• entity_type (Optional[Type]) – The entity type to create, by default None.

Returns

The instantiated entity

Return type

Entity

is_equivalent(other: Any) → bool

Return True if the entities are equivalent.

Parameters

other (Any) – The entity to check

Returns

True if equivalent.

Return type

bool

Notes

This method checks that the compared entities do not have any property values with conflicting values. E.g. self.A == other.A self.B == “xyz” and other.B == None self.C == [] and other.C == [1, 2, 3]

list_pivot_funcs()

Print list of pivot functions assigned to entity.

classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)

Add a shortcut to a pivot function to the class.

Parameters

• func_name (str) – The name of source pivot function.

• target (str) – The shortcut name (this will be a member function of the class)

• overwrite (bool, optional) – Force overwrite an existing pivot function, by default False

Raises

• AttributeError – The source function does not exist

• TypeError – The source function is not a pivot function.

• TypeError – The target attribute exists and is not a pivot function

• AttributeError – The target function exists and ‘overwrite=True’ was not specified.

merge(other: Any) → msticpy.datamodel.entities.entity.Entity

Merge with other entity to create new entity.

Returns

Merged entity.

Return type

Entity

Raises

AttributeError – If the entities cannot be merged.

property name_str: str

Return Entity Name.

property node_properties: Dict[str, Any]

Return all public properties that are not entities.

Returns

Dictionary of name, value properties.

Return type

Dict[str, Any]

classmethod pivots() → List[str]

Return list of current pivot functions.

Returns

List of pivot functions assigned to entity.

Return type

List[str]

property properties: dict

Return dictionary properties of entity.

Returns

Entity properties.

Return type

dict

to_html() → str

Return HTML representation of entity.

Returns

HTML representation of entity

Return type

str

to_json()

Return object as a JSON string.

to_networkx(graph: Optional[networkx.classes.graph.Graph] = None) → networkx.classes.graph.Graph

Return networkx graph of entities.

Parameters

graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None

Returns

Graph with entity and any connected entities.

Return type

nx.Graph

Module contents

Entity sub-package.

msticpy.datamodel.entities.find_entity(entity)

Find entity name.