msticpy.context.preprocess_observable module

Module for TILookup classes.

Input can be a single IoC observable or a pandas DataFrame containing multiple observables. Processing may require a an API key and processing performance may be limited to a specific number of requests per minute for the account type that you have.

class msticpy.context.preprocess_observable.PreProcessor

Bases: object

Observable pre-processing class.

Initialize the processor dictionary.

add_check(value_type: str, checker: Callable[[...], SanitizedObservable]) None

Add a new checker to the processors.

check(value: str, value_type: str, *, require_url_encoding: bool = False) SanitizedObservable

Apply processing checks to the input value.

Parameters:
  • value (str) – The value to be checked.

  • value_type (str) – The type of value to be checked.

Returns:

Named tuple with two members:

  1. observable - with the pre-processed result, This is set to None if a check fails.

  2. status - this is set to “ok” if the checks completed. Otherwise, it has an error message.

Return type:

SanitizedObservable

property processors: dict[str, list[str | CheckerType]]

Return _processors value.

msticpy.context.preprocess_observable.get_schema_and_host(url: str, *, require_url_encoding: bool = False) tuple[str | None, str | None, str | None]

Return URL scheme and host and cleaned URL.

Parameters:
  • url (str) – Input URL

  • require_url_encoding (bool) – Set to True if url needs encoding. Default is False.

Returns:

tuple of URL, scheme, host

Return type:

tuple[Optional[str], Optional[str], Optional[str]

msticpy.context.preprocess_observable.preprocess_observable(observable: str, ioc_type: str, *, require_url_encoding: bool = False) SanitizedObservable

Preprocess and check validity of observable against declared IoC type.

Parameters:
  • observable (_type_) – the value of the observable

  • ioc_type (_type_) – The type of observable

  • require_url_encoding (bool, optional) – If the observable needs URL-encoding (URL types only), by default False

Returns:

Named tuple with two members:

  1. observable - with the pre-processed result,

    This is set to None if a check fails.

  2. status - this is set to “ok” if the checks completed.

    Otherwise, it has an error message.

Return type:

SanitizedObservable