msticpy.context.tiproviders.ti_provider_base module

Module for TILookup classes.

Input can be a single IoC observable or a pandas DataFrame containing multiple observables. Processing may require an API key, and throughput may be limited to a specific number of requests per minute for the account type that you have.

class msticpy.context.tiproviders.ti_provider_base.TIPivotProvider

Bases: ABC

A class which provides pivot functions and a means of registering them.

abstract register_pivots(pivot_reg: PivotRegistration, pivot: Pivot)

Register pivot functions for the TI Provider.

Parameters
  • pivot_reg (PivotRegistration) – Pivot registration settings.

  • pivot (Pivot) – Pivot library instance

class msticpy.context.tiproviders.ti_provider_base.TIProvider(**kwargs)

Bases: ABC

Abstract base class for Threat Intel providers.

Initialize the provider.

property ioc_query_defs: Dict[str, Any]

Return current dictionary of IoC query/request definitions.

Returns

IoC query/request definitions keyed by IoCType

Return type

Dict[str, Any]

classmethod is_known_type(ioc_type: str) → bool

Return True if this is a known IoC type.

Parameters

ioc_type (str) – IoCType string to test

Returns

True if known type.

Return type

bool

is_supported_type(ioc_type: Union[str, IoCType]) → bool

Return True if the passed type is supported.

Parameters

ioc_type (Union[str, IoCType]) – IoC type name or instance

Returns

True if supported.

Return type

bool

abstract lookup_ioc(ioc: str, ioc_type: Optional[str] = None, query_type: Optional[str] = None, **kwargs) → LookupResult

Lookup a single IoC observable.

Parameters
  • ioc (str) – IoC Observable value

  • ioc_type (str, optional) – IoC Type, by default None (type will be inferred)

  • query_type (str, optional) – Specify the data subtype to be queried, by default None. If not specified the default record type for the IoC type will be returned.

Returns

The returned results.

Return type

LookupResult

lookup_iocs(data: Union[DataFrame, Dict[str, str], Iterable[str]], obs_col: Optional[str] = None, ioc_type_col: Optional[str] = None, query_type: Optional[str] = None, **kwargs) → DataFrame

Lookup collection of IoC observables.

Parameters
  • data (Union[pd.DataFrame, Dict[str, str], Iterable[str]]) – Data input in one of three formats:
    1. Pandas DataFrame (you must supply the column name in the obs_col parameter)
    2. Dict of observable: IoCType
    3. Iterable of observables (IoCTypes will be inferred)

  • obs_col (str, optional) – DataFrame column to use for observables, by default None

  • ioc_type_col (str, optional) – DataFrame column to use for IoCTypes, by default None

  • query_type (str, optional) – Specify the data subtype to be queried, by default None. If not specified the default record type for the IoC type will be returned.

Returns

DataFrame of results.

Return type

pd.DataFrame

async lookup_iocs_async(data: Union[DataFrame, Dict[str, str], Iterable[str]], obs_col: Optional[str] = None, ioc_type_col: Optional[str] = None, query_type: Optional[str] = None, **kwargs) → DataFrame

Lookup collection of IoC observables.

Parameters
  • data (Union[pd.DataFrame, Dict[str, str], Iterable[str]]) – Data input in one of three formats:
    1. Pandas DataFrame (you must supply the column name in the obs_col parameter)
    2. Dict of observable: IoCType
    3. Iterable of observables (IoCTypes will be inferred)

  • obs_col (str, optional) – DataFrame column to use for observables, by default None

  • ioc_type_col (str, optional) – DataFrame column to use for IoCTypes, by default None

  • query_type (str, optional) – Specify the data subtype to be queried, by default None. If not specified the default record type for the IoC type will be returned.

Returns

DataFrame of results.

Return type

pd.DataFrame

property name: str

Return the name of the provider.

abstract parse_results(response: LookupResult) → Tuple[bool, ResultSeverity, Any]

Return the details of the response.

Parameters

response (LookupResult) – The returned data response

Returns

bool – positive or negative hit
ResultSeverity – enumeration of severity
Object with match details

Return type

Tuple[bool, ResultSeverity, Any]

static resolve_ioc_type(observable: str) → str

Return IoCType determined by IoCExtract.

Parameters

observable (str) – IoC observable string

Returns

IoC Type (or unknown if type could not be determined)

Return type

str

property supported_types: List[str]

Return list of supported IoC types for this provider.

Returns

List of supported type names

Return type

List[str]

classmethod usage()

Print usage of provider.

msticpy.context.tiproviders.ti_provider_base.generate_items(data: Any, obs_col: Optional[str] = None, ioc_type_col: Optional[str] = None) → Iterable[Tuple[Optional[str], Optional[str]]]
msticpy.context.tiproviders.ti_provider_base.generate_items(data: DataFrame, obs_col: str, ioc_type_col: Optional[str] = None)
msticpy.context.tiproviders.ti_provider_base.generate_items(data: dict, obs_col: Optional[str] = None, ioc_type_col: Optional[str] = None)

Generate item pairs from different input types.

Parameters
  • data (Any) – DataFrame, dictionary or iterable

  • obs_col (Optional[str]) – If data is a DataFrame, the column containing the observable value.

  • ioc_type_col (Optional[str]) – If data is a DataFrame, the column containing the observable type.

Return type

Iterable[Tuple[Optional[str], Optional[str]]] – a tuple of Observable/Type.
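As an added illustration (not msticpy's own code), a pure-Python sketch of the input normalisation that lookup_iocs and generate_items describe: the three input formats, DataFrame detection duck-typed on iterrows() so it runs without pandas, and type inference with an "unknown" fallback using a few constructed regexes in place of IoCExtract.

```python
import re
from typing import Any, Dict, Iterable, Optional, Tuple

# Constructed patterns for a handful of IoC types; msticpy's IoCExtract
# recognises many more. Order matters: more specific shapes come first.
_IOC_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "ipv4": re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$"),
    "url": re.compile(r"^[a-z][a-z0-9+.-]*://\S+$", re.IGNORECASE),
    "md5_hash": re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE),
    "sha256_hash": re.compile(r"^[0-9a-f]{64}$", re.IGNORECASE),
    "dns": re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$", re.IGNORECASE),
}


def resolve_ioc_type(observable: str) -> str:
    """Return the inferred IoC type name, or "unknown" if nothing matches."""
    value = observable.strip()
    for ioc_type, pattern in _IOC_PATTERNS.items():
        if pattern.match(value):
            return ioc_type
    return "unknown"


def generate_items(
    data: Any, obs_col: Optional[str] = None, ioc_type_col: Optional[str] = None
) -> Iterable[Tuple[Optional[str], Optional[str]]]:
    """Yield (observable, ioc_type) pairs from a DataFrame, a dict or an iterable."""
    if hasattr(data, "iterrows"):  # duck-typed pandas DataFrame
        if not obs_col:
            raise ValueError("obs_col is required when data is a DataFrame")
        for _, row in data.iterrows():
            obs = row[obs_col]
            # Use the type column when given; otherwise (or when it is empty) infer.
            ioc_type = (row[ioc_type_col] if ioc_type_col else None) or resolve_ioc_type(obs)
            yield obs, ioc_type
        return
    if isinstance(data, dict):  # {observable: IoCType}, missing type is inferred
        for obs, ioc_type in data.items():
            yield obs, ioc_type or resolve_ioc_type(obs)
        return
    if isinstance(data, str):  # a bare string is one observable, not an iterable of chars
        data = [data]
    for obs in data:  # plain iterable: types are always inferred
        yield obs, resolve_ioc_type(obs)
```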