msticpy.init.pivot_init.pivot_data_queries module

Pivot query functions class.

class msticpy.init.pivot_init.pivot_data_queries.ParamAttrs(type, query, family, required)

Bases: tuple

Create new instance of ParamAttrs(type, query, family, required)

count(value, /)

Return number of occurrences of value.

family

Alias for field number 2

index(value, start=0, stop=9223372036854775807, /)

Return first index of value.

Raises ValueError if the value is not present.

query

Alias for field number 1

required

Alias for field number 3

type

Alias for field number 0

class msticpy.init.pivot_init.pivot_data_queries.PivQuerySettings(short_name, direct_func_entities, assigned_entities)

Bases: tuple

Create new instance of PivQuerySettings(short_name, direct_func_entities, assigned_entities)

assigned_entities

Alias for field number 2

count(value, /)

Return number of occurrences of value.

direct_func_entities

Alias for field number 1

index(value, start=0, stop=9223372036854775807, /)

Return first index of value.

Raises ValueError if the value is not present.

short_name

Alias for field number 0

class msticpy.init.pivot_init.pivot_data_queries.PivotQueryFunctions(query_provider: QueryProvider, ignore_reqd: List[str] = None)

Bases: object

Class to retrieve the queries and params from a provider.

Instantiate PivotQueryFunctions class.

Parameters:
  • query_provider (QueryProvider) – The query provider to load

  • ignore_reqd (List[str], optional) – List of parameters to ignore when building the required parameters list (e.g. ['start', 'end']), by default None

current = None

get_param_attrs(param_name: str) → List[ParamAttrs]

Get the attributes for a parameter name.

Parameters:

param_name (str) – Parameter name

Returns:

List of ParamAttrs named tuples: (type, query, family, required)

Return type:

List[ParamAttrs]

Notes

Since parameters may be defined for multiple queries, the set of parameter attributes will be returned for each query.

get_params(query_func_name: str) → QueryParams | None

Get the parameters for a query function.

Parameters:

query_func_name (str) – Query name. The name must be fully qualified (e.g. 'WindowsSecurity.list_processes')

Returns:

QueryParams named tuple (all, required, full_required, param_attrs, table)

Return type:

QueryParams
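The sketch below is an added example, not msticpy code: a stand-in `ParamIndex` class over a constructed `CATALOG` that reproduces the documented return shapes of `get_param_attrs` (one `ParamAttrs` per query that uses the parameter) and `get_params` (keyed by the fully-qualified name). It assumes that `required` is `full_required` minus the `ignore_reqd` names, that `ParamAttrs.required` is a boolean, and that `param_attrs` is a dict keyed by parameter name.

```python
from collections import defaultdict, namedtuple

# Field layouts copied from the named tuples documented on this page.
ParamAttrs = namedtuple("ParamAttrs", "type query family required")
QueryParams = namedtuple("QueryParams", "all required full_required param_attrs table")

# Constructed catalogue: family -> query -> (table, {param: (type, required)}).
# Only WindowsSecurity.list_processes is named on the page; the rest is sample data.
CATALOG = {
    "WindowsSecurity": {
        "list_processes": ("SecurityEvent", {
            "start": ("datetime", True), "end": ("datetime", True),
            "host_name": ("str", True), "add_query_items": ("str", False)}),
        "list_host_logons": ("SecurityEvent", {
            "start": ("datetime", True), "end": ("datetime", True),
            "host_name": ("str", True)}),
    },
    "Network": {
        "list_flows_by_ip": ("NetworkFlows", {
            "start": ("datetime", True), "end": ("datetime", True),
            "ip_address_list": ("list", True)}),
    },
}


class ParamIndex:
    """Hypothetical stand-in for the lookups PivotQueryFunctions documents."""

    def __init__(self, catalog, ignore_reqd=None):
        ignore = set(ignore_reqd or [])
        self.param_usage = defaultdict(list)  # param name -> [ParamAttrs, ...]
        self.query_params = {}                # "family.query" -> QueryParams
        for family, queries in catalog.items():
            for query, (table, params) in queries.items():
                attrs = {}
                for name, (p_type, reqd) in params.items():
                    attrs[name] = ParamAttrs(p_type, query, family, reqd)
                    self.param_usage[name].append(attrs[name])
                full = [n for n, a in attrs.items() if a.required]
                self.query_params[f"{family}.{query}"] = QueryParams(
                    all=list(params),
                    required=[n for n in full if n not in ignore],  # assumed rule
                    full_required=full, param_attrs=attrs, table=table)

    def get_param_attrs(self, param_name):
        return list(self.param_usage.get(param_name, []))

    def get_params(self, query_func_name):
        return self.query_params.get(query_func_name)  # None when not found
```

With `ignore_reqd=["start", "end"]`, the time-range parameters drop out of `required`, leaving only the parameters that must come from an entity attribute such as a host name.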

get_queries_and_types_for_param(param: str) → Iterable[Tuple[str, str, str, Callable[[Any], Any]]]

Get queries and parameter data types for param.

Parameters:

param (str) – The parameter name.

Returns:

Iterable of tuples listing: query_name, param_type, query_func

Return type:

Iterable[Tuple[str, str, Callable[[Any], Any]]]

get_queries_for_param(param: str) → Iterable[Tuple[str, str, Callable[[Any], Any]]]

Get the list of queries for a parameter.

Parameters:

param (str) – Parameter name

Returns:

Iterable of tuples listing: query_name, query_func

Return type:

Iterable[Tuple[str, str, Callable[[Any], Any]]]

get_query_pivot_settings(family: str, query: str) → PivQuerySettings

Get Pivot settings metadata for a query.

Parameters:
  • family (str) – Data family

  • query (str) – Query name

Returns:

Named tuple:

  • short_name - short name for the query

  • direct_func_entities - the entities to add a top level function to

  • assigned_entities - entities to assign the query to (if parameter mapping is not applicable).

Return type:

PivQuerySettings

get_query_settings(family: str, query: str) → QuerySource

Get the QuerySource for the named family and query.

Parameters:
  • family (str) – Data family name

  • query (str) – Query name

Returns:

Query settings object

Return type:

QuerySource

Raises:

KeyError – If family.query could not be found.

property instance_name: str | None

Return instance name, if any for provider.

Returns:

The instance name or None for drivers that do not support multiple instances.

Return type:

Optional[str]

class msticpy.init.pivot_init.pivot_data_queries.QueryParams(all, required, full_required, param_attrs, table)

Bases: tuple

Create new instance of QueryParams(all, required, full_required, param_attrs, table)

all

Alias for field number 0

count(value, /)

Return number of occurrences of value.

full_required

Alias for field number 2

index(value, start=0, stop=9223372036854775807, /)

Return first index of value.

Raises ValueError if the value is not present.

param_attrs

Alias for field number 3

required

Alias for field number 1

table

Alias for field number 4

msticpy.init.pivot_init.pivot_data_queries.add_data_queries_to_entities(provider: QueryProvider, get_timespan: Callable[[], TimeSpan] | None)

Add data queries from provider to entities.

Parameters:
  • provider (QueryProvider) – Query provider

  • get_timespan (Optional[Callable[[], TimeSpan]]) – Callback to get time span. If None it will use the Pivot built-in time range.

msticpy.init.pivot_init.pivot_data_queries.add_queries_to_entities(prov_qry_funcs: PivotQueryFunctions, container: str, get_timespan: Callable[[], TimeSpan] | None)

Add data queries to entities.

Parameters:
  • prov_qry_funcs (PivotQueryFunctions) – Collection of wrapped query functions

  • container (str) – The name of the container to add query functions to

  • get_timespan (Optional[Callable[[], TimeSpan]]) – Function to get the current timespan. If None it will use the Pivot built-in time range.