msticpy.data.core.query_defns module
Query helper definitions.
- class msticpy.data.core.query_defns.DataEnvironment(value)
Bases: Enum
Enumeration of data environments.
Used to identify which queries are relevant for which data sources.
- AzureDataExplorer = 2
- AzureSentinel = 1
- Cybereason = 12
- Elastic = 14
- Kusto = 2
- Kusto_KQLM = 17
- Kusto_Legacy = 17
- Kusto_New = 2
- LocalData = 6
- LogAnalytics = 1
- M365D = 11
- M365DGraph = 20
- MDATP = 5
- MDE = 5
- MSGraph = 4
- MSSentinel = 1
- MSSentinel_KQLM = 16
- MSSentinel_Legacy = 16
- MSSentinel_New = 1
- Mordor = 8
- OSQuery = 15
- OSQueryLogs = 15
- OTRF = 8
- ResourceGraph = 9
- SecurityGraph = 4
- Splunk = 7
- Sumologic = 10
- Unknown = 0
- Velociraptor = 18
- VelociraptorLogs = 18
- classmethod parse(value: str | int) → DataEnvironment
Convert a string or int to the corresponding enum member.
- Parameters:
value (Union[str, int]) – value to parse
- class msticpy.data.core.query_defns.DataFamily(value)
Bases: Enum
Enumeration of data families.
Used to identify which queries are relevant for which data sources.
- AzureNetwork = 6
- Cybereason = 11
- Elastic = 14
- LinuxSecurity = 2
- LinuxSyslog = 5
- MDATP = 7
- ResourceGraph = 9
- SecurityAlert = 3
- SecurityGraphAlert = 4
- Splunk = 8
- Sumologic = 10
- Unknown = 0
- WindowsSecurity = 1
- classmethod parse(value: str | int) → DataFamily
Convert a string or int to the corresponding enum member.
- Parameters:
value (Union[str, int]) – value to parse
- class msticpy.data.core.query_defns.Formatters
Bases: object
Names of the custom format handlers specified by a driver.
- DATETIME = 'datetime'
- LIST = 'list'
- PARAM_HANDLER = 'custom_param_handler'
- class msticpy.data.core.query_defns.QueryParamProvider
Bases: ABC
Abstract base type for QueryParamProvider.
The query_params property must be overridden by derived classes.
- abstract property query_params
Return a dict of query parameters.
These parameters are sourced from the object implementing this property.
- Return type:
dict – dictionary of query parameter values.
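As an added illustration of the behaviour this page documents (constructed here, not msticpy's own code): a subset of DataEnvironment with the same duplicated values, showing that Python's Enum treats entries such as Kusto and MDE as aliases that parse back to the canonical member, plus a minimal QueryParamProvider subclass. The member values are taken from the page; the HostProvider class and the case-insensitive parse logic are assumptions.

```python
from abc import ABC, abstractmethod
from enum import Enum
from typing import Dict, Union


class DataEnvironment(Enum):
    """Constructed subset of the page's DataEnvironment values (not msticpy's code)."""

    Unknown = 0
    AzureSentinel = 1
    LogAnalytics = 1      # same value as AzureSentinel -> alias, not a new member
    MSSentinel = 1        # alias of AzureSentinel
    AzureDataExplorer = 2
    Kusto = 2             # alias of AzureDataExplorer
    MDATP = 5
    MDE = 5               # alias of MDATP

    @classmethod
    def parse(cls, value: Union[str, int]) -> "DataEnvironment":
        """Map an int value or a (case-insensitive) name to a member; Unknown on no match."""
        if isinstance(value, int):
            try:
                return cls(value)
            except ValueError:
                return cls.Unknown
        # __members__ includes alias names; each maps to its canonical member
        for name, member in cls.__members__.items():
            if name.lower() == str(value).lower():
                return member
        return cls.Unknown


class QueryParamProvider(ABC):
    """Abstract provider of query parameters (mirror of the page's interface)."""

    @property
    @abstractmethod
    def query_params(self) -> Dict[str, object]:
        """Return dict of query parameters sourced from the implementing object."""


class HostProvider(QueryParamProvider):
    """Hypothetical provider that supplies a host name and a data environment."""

    def __init__(self, host_name: str, env: Union[str, int]) -> None:
        self.host_name = host_name
        self.env = DataEnvironment.parse(env)  # alias names collapse to canonical

    @property
    def query_params(self) -> Dict[str, object]:
        return {"host_name": self.host_name, "environment": self.env.name}
```

Because aliases collapse, code that keys behaviour on `member.name` sees "AzureDataExplorer" even when the caller wrote "Kusto".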