msticpy.datamodel.entities.mail_cluster module
MailCluster Entity class.
- class msticpy.datamodel.entities.mail_cluster.MailCluster(src_entity: Mapping[str, Any] | None = None, src_event: Mapping[str, Any] | None = None, **kwargs)
Bases:
Entity
MailCluster Entity class.
- NetworkMessageIds
NetworkMessageIds of the Mail cluster
- Type:
List[str]
- CountByDeliveryStatus
CountByDeliveryStatus of the Mail cluster
- Type:
Dict[str, int] = {}
- CountByThreatType
CountByThreatType of the Mail cluster
- Type:
Dict[str, int] = {}
- CountByProtectionStatus
CountByProtectionStatus of the Mail cluster
- Type:
Dict[str, int] = {}
- Threats
Threats of the Mail cluster
- Type:
List[str]
- Query
Query of the Mail cluster
- Type:
str
- QueryTime
QueryTime of the Mail cluster
- Type:
datetime
- MailCount
MailCount of the Mail cluster
- Type:
int
- IsVolumeAnomaly
IsVolumeAnomaly of the Mail cluster
- Type:
bool
- Source
Source of the Mail cluster
- Type:
str
- ClusterSourceIdentifier
ClusterSourceIdentifier of the Mail cluster
- Type:
str
- ClusterSourceType
ClusterSourceType of the Mail cluster
- Type:
str
- ClusterQueryStartTime
ClusterQueryStartTime of the Mail cluster
- Type:
datetime
- ClusterQueryEndTime
ClusterQueryEndTime of the Mail cluster
- Type:
datetime
- ClusterGroup
ClusterGroup of the Mail cluster
- Type:
str
Create a new instance of the entity type.
- Parameters:
src_entity (Mapping[str, Any], optional) – Create entity from existing entity or other mapping object that implements entity properties. (the default is None)
src_event (Mapping[str, Any], optional) – Create entity from event properties (the default is None)
kwargs (Dict[str, Any]) – Supply the entity properties as a set of kw arguments.
- ENTITY_NAME_MAP: Dict[str, type] = {'ServicePrincipal': <class 'msticpy.datamodel.entities.service_principal.ServicePrincipal'>, 'SubmissionMail': <class 'msticpy.datamodel.entities.submission_mail.SubmissionMail'>, 'account': <class 'msticpy.datamodel.entities.account.Account'>, 'alert': <class 'msticpy.datamodel.entities.alert.Alert'>, 'alerts': <class 'msticpy.datamodel.entities.alert.Alert'>, 'azure-resource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'azureresource': <class 'msticpy.datamodel.entities.azure_resource.AzureResource'>, 'cloud-application': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloud-logon-session': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'cloudapplication': <class 'msticpy.datamodel.entities.cloud_application.CloudApplication'>, 'cloudlogonsession': <class 'msticpy.datamodel.entities.cloud_logon_session.CloudLogonSession'>, 'dns': <class 'msticpy.datamodel.entities.dns.Dns'>, 'dnsresolve': <class 'msticpy.datamodel.entities.dns.Dns'>, 'file': <class 'msticpy.datamodel.entities.file.File'>, 'filehash': <class 'msticpy.datamodel.entities.file_hash.FileHash'>, 'geolocation': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'host': <class 'msticpy.datamodel.entities.host.Host'>, 'host-logon-session': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'hostlogonsession': <class 'msticpy.datamodel.entities.host_logon_session.HostLogonSession'>, 'incident': <class 'msticpy.datamodel.soc.incident.Incident'>, 'iotdevice': <class 'msticpy.datamodel.entities.iot_device.IoTDevice'>, 'ip': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'ipaddress': <class 'msticpy.datamodel.entities.ip_address.IpAddress'>, 'location': <class 'msticpy.datamodel.entities.geo_location.GeoLocation'>, 'machine': <class 'msticpy.datamodel.entities.Machine'>, 'mail-cluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 
'mail-message': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'mailbox': <class 'msticpy.datamodel.entities.mailbox.Mailbox'>, 'mailboxconfiguration': <class 'msticpy.datamodel.entities.mailbox_configuration.MailboxConfiguration'>, 'mailcluster': <class 'msticpy.datamodel.entities.mail_cluster.MailCluster'>, 'mailmessage': <class 'msticpy.datamodel.entities.mail_message.MailMessage'>, 'malware': <class 'msticpy.datamodel.entities.malware.Malware'>, 'network-connection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'networkconnection': <class 'msticpy.datamodel.entities.network_connection.NetworkConnection'>, 'oauthapplication': <class 'msticpy.datamodel.entities.oauth_application.OAuthApplication'>, 'process': <class 'msticpy.datamodel.entities.process.Process'>, 'registry-key': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registry-value': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'registrykey': <class 'msticpy.datamodel.entities.registry_key.RegistryKey'>, 'registryvalue': <class 'msticpy.datamodel.entities.registry_value.RegistryValue'>, 'security-group': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'securitygroup': <class 'msticpy.datamodel.entities.security_group.SecurityGroup'>, 'threatintelligence': <class 'msticpy.datamodel.entities.threat_intelligence.Threatintelligence'>, 'unknown': <class 'msticpy.datamodel.entities.unknown_entity.UnknownEntity'>, 'url': <class 'msticpy.datamodel.entities.url.Url'>, 'user': <class 'msticpy.datamodel.entities.User'>}
- ID_PROPERTIES: List[str] = ['Query', 'Source']
- JSONEncoder
alias of _EntityJSONEncoder
- add_edge(target: Node, edge_attrs: Dict[str, Any] | None = None)
Add an edge between self and target.
- Parameters:
target (Node) – Target node.
edge_attrs (Optional[Dict[str, Any]], optional) – Attributes to assign to new edge, by default None
- can_merge(other: Any) bool
Return True if the entities can be merged.
- Parameters:
other (Any) – The other entity (object) to check
- Returns:
True if other has no conflicting properties.
- Return type:
bool
- classmethod create(src_entity: Mapping[str, Any] | None = None, **kwargs) Entity
Create an entity from a mapping type (e.g. pd.Series) or dict or kwargs.
- Returns:
Instantiated entity
- Return type:
Entity
Notes
The entity type should be specified as “Type”, in either a key of src_entity or as a keyword argument.
- classmethod del_pivot_shortcut(func_name: str)
Remove a pivot shortcut.
- Parameters:
func_name (str) – The name of the shortcut function.
- Raises:
AttributeError – The class does not have an attribute func_name
TypeError – The attribute to delete is not a pivot shortcut.
- property description_str
Return Entity Description.
- edges: Set['Edge']
- classmethod get_pivot_list(search_str: str | None = None) List[str]
Return list of current pivot functions.
- Returns:
List of pivot functions assigned to entity.
- Return type:
List[str]
- has_edge(other)
Return True if node has an edge with other.
- classmethod instantiate_entity(raw_entity: Mapping[str, Any], entity_type: Type | None = None) Entity | Mapping[str, Any]
Class factory to return entity from raw dictionary representation.
- Parameters:
raw_entity (Mapping[str, Any]) – A mapping object (e.g. dictionary or pandas Series) that contains the properties of the entity.
entity_type (Optional[Type]) – The entity type to create, by default None.
- Returns:
The instantiated entity
- Return type:
Entity | Mapping[str, Any]
- is_equivalent(other: Any) bool
Return True if the entities are equivalent.
- Parameters:
other (Any) – The entity to check
- Returns:
True if equivalent.
- Return type:
bool
Notes
This method checks that the compared entities do not have any property values with conflicting values. E.g. each of the following is treated as non-conflicting:
- self.A == other.A
- self.B == "xyz" and other.B == None
- self.C == [] and other.C == [1, 2, 3]
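The no-conflict rule from the note above, modelled over plain dictionaries of MailCluster properties so it runs without msticpy installed. This is an added example, not msticpy's own code: the function names, the sample values, and the choice to treat None and empty strings, lists and dicts as "unset" are assumptions.

```python
from typing import Any, Dict, Tuple


def is_unset(value: Any) -> bool:
    """Assumption: None and empty str/list/dict count as 'no value'."""
    return value is None or value == "" or value == [] or value == {}


def conflicting_props(a: Dict[str, Any], b: Dict[str, Any]) -> Dict[str, Tuple[Any, Any]]:
    """Properties that are set on both sides and differ."""
    return {
        key: (a[key], b[key])
        for key in a.keys() & b.keys()
        if not is_unset(a[key]) and not is_unset(b[key]) and a[key] != b[key]
    }


def props_equivalent(a: Dict[str, Any], b: Dict[str, Any]) -> bool:
    """True when no property has two different, set values."""
    return not conflicting_props(a, b)


def merge_props(a: Dict[str, Any], b: Dict[str, Any]) -> Dict[str, Any]:
    """Combine two views of one cluster; refuse if any property conflicts."""
    found = conflicting_props(a, b)
    if found:
        raise AttributeError(f"conflicting properties: {sorted(found)}")
    merged = dict(a)
    for key, value in b.items():
        if is_unset(merged.get(key)):
            merged[key] = value
    return merged


# Constructed sample data: two views of the same cluster, plus a third
# record that shares the ID properties (Query, Source) but not MailCount.
QUERY = 'Subject:"Invoice overdue"'
ALERT_VIEW = {"Query": QUERY, "Source": "constructed-source", "MailCount": 42,
              "Threats": [], "IsVolumeAnomaly": None}
HUNT_VIEW = {"Query": QUERY, "Source": "constructed-source", "MailCount": 42,
             "Threats": ["Phish"], "IsVolumeAnomaly": True,
             "CountByThreatType": {"Phish": 42}}
OTHER_VIEW = {"Query": QUERY, "Source": "constructed-source", "MailCount": 17}

if __name__ == "__main__":
    print(props_equivalent(ALERT_VIEW, HUNT_VIEW))
    print(merge_props(ALERT_VIEW, HUNT_VIEW))
    print(conflicting_props(ALERT_VIEW, OTHER_VIEW))
```

Matching ID properties alone do not make two records mergeable in this model; OTHER_VIEW is rejected because MailCount is set on both sides with different values.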
- list_pivot_funcs()
Print list of pivot functions assigned to entity.
- classmethod make_pivot_shortcut(func_name: str, target: str, overwrite: bool = False)
Add a shortcut to a pivot function to the class.
- Parameters:
func_name (str) – The name of source pivot function.
target (str) – The shortcut name (this will be a member function of the class)
overwrite (bool, optional) – Force overwrite an existing pivot function, by default False
- Raises:
AttributeError – The source function does not exist
TypeError – The source function is not a pivot function.
TypeError – The target attribute exists and is not a pivot function
AttributeError – The target function exists and ‘overwrite=True’ was not specified.
- merge(other: Any) Entity
Merge with other entity to create new entity.
- Returns:
Merged entity.
- Return type:
Entity
- Raises:
AttributeError – If the entities cannot be merged.
- property name_str: str
Return Entity Name.
- property node_properties: Dict[str, Any]
Return all public properties that are not entities.
- Returns:
Dictionary of name, value properties.
- Return type:
Dict[str, Any]
- classmethod pivots(search_str: str | None = None) List[str]
Return list of current pivot functions.
- Returns:
List of pivot functions assigned to entity.
- Return type:
List[str]
- property properties: dict
Return dictionary properties of entity.
- Returns:
Entity properties.
- Return type:
dict
- to_html() str
Return HTML representation of entity.
- Returns:
HTML representation of entity
- Return type:
str
- to_json()
Return object as a JSON string.
- to_networkx(graph: networkx.Graph | None = None) networkx.Graph
Return networkx graph of entities.
- Parameters:
graph (nx.Graph, optional) – Graph to add entities to. If not supplied the function creates and returns a new graph. By default None
- Returns:
Graph with entity and any connected entities.
- Return type:
nx.Graph