msticpy.vis.entity_graph_tools module

Creates an entity graph for a Microsoft Sentinel Incident.

class msticpy.vis.entity_graph_tools.EntityGraph(entity: Union[Incident, Alert, DataFrame, Series, Entity, SecurityAlert])

Bases: object

Create a graph for visualizing and tracking links between entities.

Create a new instance of the entity graph.

Parameters

entity (Union[Incident, Alert, pd.DataFrame, pd.Series, Entity, SecurityAlert]) – The initial item to add to the graph: an Incident, Alert, SecurityAlert or other Entity, or a DataFrame or Series of alerts or incidents

add_entity(ent: Entity, attached_to: Optional[str] = None)

Add an entity to the graph.

Parameters
  • ent (Entity) – The entity object to add to the graph

  • attached_to (str, optional) – The name of the node to attach the entity to, by default None

add_incident(incident: Union[Incident, Alert, DataFrame])

Add another incident or set of incidents to the graph.

Parameters

incident (Union[Incident, Alert, pd.DataFrame]) – This can be an alert, an incident, or a DataFrame of alerts or incidents

add_link(source: str, target: str)

Add a link between 2 nodes on the graph.

Parameters
  • source (str) – Name of node to link from

  • target (str) – Name of node to link to

Raises

MsticpyUserError – If nodes aren’t present in the graph

add_note(name: str, description: Optional[str] = None, attached_to: Optional[Union[str, List]] = None, user: Optional[str] = None)

Add a node to the graph representing a note or comment.

Parameters
  • name (str) – The name of the node to add

  • description (Optional[str], optional) – A description of the note, by default None

  • attached_to (Union[str, List], optional) – The existing node name, or list of node names, to attach the note to, by default None

  • user (str, optional) – What user to associate the note with

property graph: networkx.Graph

Return the raw NetworkX graph.

plot(hide: bool = False, timeline: bool = False, **kwargs) -> bokeh.models.LayoutDOM

Plot a graph of entities.

Parameters
  • hide (bool, optional) – Set true to not display the graphic, by default False

  • timeline (bool, optional) – Set to True to display a timeline, by default False

  • node_size (int, optional) – Size of the nodes in pixels, by default 25

  • font_size (int, optional) – Font size for node labels, by default 10. Can be an integer (point size) or a string (e.g. “10pt”)

  • width (int, optional) – Width in pixels, by default 800

  • height (int, optional) – Image height (the default is 800)

  • scale (int, optional) – Position scale (the default is 2)

Returns

A Bokeh figure object

Return type

LayoutDOM

remove_link(source: str, target: str)

Remove a link between 2 nodes on the graph.

Parameters
  • source (str) – Name of node to remove link from

  • target (str) – Name of node to remove link to

Raises

MsticpyUserError – If edge isn’t present in the graph

remove_node(name: str)

Remove a node from the graph.

Parameters

name (str) – The name of the node to remove.

to_df() -> DataFrame

Generate a dataframe of nodes in the graph.
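The methods above are normally used together during triage: seed the graph from an incident or entity, attach analyst notes, add links the incident data did not carry, then plot and export. The following is an added example, not part of msticpy's own code. It assumes msticpy is installed, that the msticpy.datamodel.entities Host and IpAddress classes are available for constructing sample entities, and that add_link raises MsticpyUserError when an endpoint is missing (as documented above), which is why requested links are filtered against the live node list first. The findings and link pairs are constructed sample data.

```python
"""Annotate an msticpy EntityGraph with analyst notes and extra links.

Added example, not msticpy's own code. msticpy is imported lazily so the
pure helper (plan_links) can be used and tested without it.
"""
from __future__ import annotations

from typing import TYPE_CHECKING, Iterable, List, Optional, Sequence, Tuple

if TYPE_CHECKING:  # type hints only; msticpy is imported inside the functions
    from msticpy.vis.entity_graph_tools import EntityGraph

LinkPair = Tuple[str, str]


def plan_links(
    existing_nodes: Iterable[str], wanted: Sequence[LinkPair]
) -> Tuple[List[LinkPair], List[LinkPair]]:
    """Split requested (source, target) pairs into addable and skipped.

    A pair is addable only when both endpoints are existing node names and
    differ from each other; anything else would make add_link raise
    MsticpyUserError, so the caller can report it instead.
    """
    existing = set(existing_nodes)
    addable: List[LinkPair] = []
    skipped: List[LinkPair] = []
    for src, tgt in wanted:
        if src in existing and tgt in existing and src != tgt:
            addable.append((src, tgt))
        else:
            skipped.append((src, tgt))
    return addable, skipped


def annotate(
    graph: "EntityGraph",
    notes: Sequence[Tuple[str, str, Sequence[str]]],
    links: Sequence[LinkPair],
    user: Optional[str] = "analyst",
) -> List[LinkPair]:
    """Add notes (name, description, attach-to node names) and links.

    Attachment targets that are not in the graph are dropped silently;
    links with a missing endpoint are returned so the analyst can see them.
    """
    for name, description, attached_to in notes:
        # graph.graph is the raw networkx.Graph; has_node checks membership.
        targets = [n for n in attached_to if graph.graph.has_node(n)]
        graph.add_note(name, description=description,
                       attached_to=targets or None, user=user)
    addable, skipped = plan_links(graph.graph.nodes, links)
    for src, tgt in addable:
        graph.add_link(src, tgt)
    return skipped


def build_report(graph: "EntityGraph", timeline: bool = True):
    """Return the Bokeh layout (not displayed) and the node table."""
    figure = graph.plot(hide=True, timeline=timeline, width=1000, node_size=20)
    return figure, graph.to_df()


if __name__ == "__main__":
    # Assumed msticpy entity classes; a real incident would usually be
    # retrieved from Sentinel and passed to EntityGraph instead.
    from msticpy.datamodel.entities import Host, IpAddress
    from msticpy.vis.entity_graph_tools import EntityGraph

    eg = EntityGraph(Host(HostName="wkstn-042", DnsDomain="corp.example"))
    host_node = next(iter(eg.graph.nodes))  # the only node so far
    eg.add_entity(IpAddress(Address="198.51.100.23"), attached_to=host_node)

    all_nodes = list(eg.graph.nodes)
    skipped = annotate(
        eg,
        notes=[("Triage note", "Outbound beaconing every 60s", all_nodes)],
        # Second pair references a node that was never added, so it is skipped.
        links=[(all_nodes[0], all_nodes[-1]), (all_nodes[0], "c2.example.net")],
    )
    print("skipped links:", skipped)
    fig, nodes_df = build_report(eg)
    print(nodes_df)
```

Passing hide=True to plot keeps the figure from rendering inline, which is useful when the layout is embedded in a larger notebook dashboard or saved with bokeh later; the returned node DataFrame is convenient for exporting the annotated graph alongside the incident record.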

msticpy.vis.entity_graph_tools.plot_entitygraph(entity_graph: networkx.Graph, node_size: int = 25, font_size: Union[int, str] = 10, height: int = 800, width: int = 800, scale: int = 2, hide: bool = False) -> bokeh.plotting.figure

Plot entity graph with Bokeh.

Parameters
  • entity_graph (nx.Graph) – The entity graph as a networkX graph

  • node_size (int, optional) – Size of the nodes in pixels, by default 25

  • font_size (int, optional) – Font size for node labels, by default 10. Can be an integer (point size) or a string (e.g. “10pt”)

  • width (int, optional) – Width in pixels, by default 800

  • height (int, optional) – Image height (the default is 800)

  • scale (int, optional) – Position scale (the default is 2)

  • hide (bool, optional) – Don’t show the plot, by default False. If True, just return the figure.

Returns

The network plot.

Return type

bokeh.plotting.figure