From 587f32c59fc78b4f254b11f33e11c8296cbaeac8 Mon Sep 17 00:00:00 2001
From: CoprDistGit
Date: Fri, 5 May 2023 12:13:23 +0000
Subject: automatic import of python-msticpy
---
 python-msticpy.spec | 711 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 711 insertions(+)
 create mode 100644 python-msticpy.spec
(limited to 'python-msticpy.spec')
diff --git a/python-msticpy.spec b/python-msticpy.spec
new file mode 100644
index 0000000..64e7501
--- /dev/null
+++ b/python-msticpy.spec
@@ -0,0 +1,711 @@
+%global _empty_manifest_terminate_build 0
+Name: python-msticpy
+Version: 2.4.0
+Release: 1
+Summary: MSTIC Security Tools
+License: MIT License
+URL: https://github.com/microsoft/msticpy
+Source0: https://mirrors.nju.edu.cn/pypi/web/packages/a7/4a/9fcd9bfc0bd754b84043a15e343f1fffd4d8c4580458bc79394a21104f60/msticpy-2.4.0.tar.gz
+BuildArch: noarch
+
+Requires: python3-attrs
+Requires: python3-azure-common
+Requires: python3-azure-core
+Requires: python3-azure-identity
+Requires: python3-azure-mgmt-subscription
+Requires: python3-beautifulsoup4
+Requires: python3-bokeh
+Requires: python3-cryptography
+Requires: python3-deprecated
+Requires: python3-dnspython
+Requires: python3-folium
+Requires: python3-geoip2
+Requires: python3-httpx
+Requires: python3-html5lib
+Requires: python3-ipywidgets
+Requires: python3-KqlmagicCustom[auth_code_clipboard,jupyter-basic]
+Requires: python3-lxml
+Requires: python3-matplotlib
+Requires: python3-msal
+Requires: python3-msal-extensions
+Requires: python3-msrest
+Requires: python3-msrestazure
+Requires: python3-nest-asyncio
+Requires: python3-networkx
+Requires: python3-numpy
+Requires: python3-pandas
+Requires: python3-pygments
+Requires: python3-pyjwt
+Requires: python3-dateutil
+Requires: python3-pytz
+Requires: python3-pyyaml
+Requires: python3-setuptools
+Requires: python3-tldextract
+Requires: python3-tqdm
+Requires: python3-typing-extensions
+Requires: python3-urllib3
+Requires: python3-ipython
+Requires: python3-ipython
+Requires: python3-azure-mgmt-compute
+Requires: python3-azure-mgmt-core
+Requires: python3-azure-mgmt-monitor
+Requires: python3-azure-mgmt-network
+Requires: python3-azure-mgmt-resource
+Requires: python3-azure-storage-blob
+Requires: python3-azure-mgmt-resourcegraph
+Requires: python3-KqlmagicCustom[jupyter-extended]
+Requires: python3-azure-keyvault-secrets
+Requires: python3-azure-mgmt-compute
+Requires: python3-azure-mgmt-core
+Requires: python3-azure-mgmt-keyvault
+Requires: python3-azure-mgmt-monitor
+Requires: python3-azure-mgmt-network
+Requires: python3-azure-mgmt-resource
+Requires: python3-azure-mgmt-resourcegraph
+Requires: python3-azure-storage-blob
+Requires: python3-keyring
+Requires: python3-mo-sql-parsing
+Requires: python3-nest-asyncio
+Requires: python3-openpyxl
+Requires: python3-passivetotal
+Requires: python3-scikit-learn
+Requires: python3-scipy
+Requires: python3-splunk-sdk
+Requires: python3-statsmodels
+Requires: python3-sumologic-sdk
+Requires: python3-vt-graph-api
+Requires: python3-vt-py
+Requires: python3-KqlmagicCustom[jupyter-extended]
+Requires: python3-azure-keyvault-secrets
+Requires: python3-azure-mgmt-compute
+Requires: python3-azure-mgmt-core
+Requires: python3-azure-mgmt-keyvault
+Requires: python3-azure-mgmt-monitor
+Requires: python3-azure-mgmt-network
+Requires: python3-azure-mgmt-resource
+Requires: python3-azure-mgmt-resourcegraph
+Requires: python3-azure-storage-blob
+Requires: python3-keyring
+Requires: python3-azure-keyvault-secrets
+Requires: python3-azure-mgmt-compute
+Requires: python3-azure-mgmt-core
+Requires: python3-azure-mgmt-keyvault
+Requires: python3-azure-mgmt-monitor
+Requires: python3-azure-mgmt-network
+Requires: python3-azure-mgmt-resource
+Requires: python3-azure-mgmt-resourcegraph
+Requires: python3-azure-storage-blob
+Requires: python3-keyring
+Requires: python3-KqlmagicCustom[jupyter-extended]
+Requires: python3-azure-keyvault-secrets
+Requires: python3-azure-mgmt-compute
+Requires: python3-azure-mgmt-core
+Requires: python3-azure-mgmt-keyvault
+Requires: python3-azure-mgmt-monitor
+Requires: python3-azure-mgmt-network
+Requires: python3-azure-mgmt-resource
+Requires: python3-azure-mgmt-resourcegraph
+Requires: python3-azure-storage-blob
+Requires: python3-keyring
+Requires: python3-aiohttp
+Requires: python3-async-cache
+Requires: python3-bandit
+Requires: python3-beautifulsoup4
+Requires: python3-black
+Requires: python3-coverage
+Requires: python3-docutils
+Requires: python3-filelock
+Requires: python3-flake8
+Requires: python3-isort
+Requires: python3-markdown
+Requires: python3-mccabe
+Requires: python3-mypy
+Requires: python3-nbdime
+Requires: python3-nbconvert
+Requires: python3-pandas
+Requires: python3-pep8-naming
+Requires: python3-pep8
+Requires: python3-pipreqs
+Requires: python3-pre-commit
+Requires: python3-pycodestyle
+Requires: python3-pydocstyle
+Requires: python3-pyflakes
+Requires: python3-pygeohash
+Requires: python3-pylint
+Requires: python3-pyroma
+Requires: python3-pytest-check
+Requires: python3-pytest-cov
+Requires: python3-pytest-xdist
+Requires: python3-pytest
+Requires: python3-readthedocs-sphinx-ext
+Requires: python3-responses
+Requires: python3-respx
+Requires: python3-sphinx-rtd-theme
+Requires: python3-sphinx
+Requires: python3-types-attrs
+Requires: python3-azure-keyvault-secrets
+Requires: python3-azure-mgmt-keyvault
+Requires: python3-keyring
+Requires: python3-KqlmagicCustom[jupyter-extended]
+Requires: python3-scikit-learn
+Requires: python3-scipy
+Requires: python3-statsmodels
+Requires: python3-passivetotal
+Requires: python3-KqlmagicCustom[jupyter-extended]
+Requires: python3-azure-keyvault-secrets
+Requires: python3-azure-mgmt-compute
+Requires: python3-azure-mgmt-core
+Requires: python3-azure-mgmt-keyvault
+Requires: python3-azure-mgmt-monitor
+Requires: python3-azure-mgmt-network
+Requires: python3-azure-mgmt-resource
+Requires: python3-azure-mgmt-resourcegraph
+Requires: python3-azure-storage-blob
+Requires: python3-keyring
+Requires: python3-splunk-sdk
+Requires: python3-mo-sql-parsing
+Requires: python3-sumologic-sdk
+Requires: python3-openpyxl
+Requires: python3-KqlmagicCustom[jupyter-extended]
+Requires: python3-aiohttp
+Requires: python3-async-cache
+Requires: python3-azure-keyvault-secrets
+Requires: python3-azure-mgmt-compute
+Requires: python3-azure-mgmt-core
+Requires: python3-azure-mgmt-keyvault
+Requires: python3-azure-mgmt-monitor
+Requires: python3-azure-mgmt-network
+Requires: python3-azure-mgmt-resource
+Requires: python3-azure-mgmt-resourcegraph
+Requires: python3-azure-storage-blob
+Requires: python3-bandit
+Requires: python3-beautifulsoup4
+Requires: python3-black
+Requires: python3-coverage
+Requires: python3-docutils
+Requires: python3-filelock
+Requires: python3-flake8
+Requires: python3-isort
+Requires: python3-keyring
+Requires: python3-markdown
+Requires: python3-mccabe
+Requires: python3-mo-sql-parsing
+Requires: python3-mypy
+Requires: python3-nbconvert
+Requires: python3-nbdime
+Requires: python3-nest-asyncio
+Requires: python3-openpyxl
+Requires: python3-pandas
+Requires: python3-passivetotal
+Requires: python3-pep8-naming
+Requires: python3-pep8
+Requires: python3-pipreqs
+Requires: python3-pre-commit
+Requires: python3-pycodestyle
+Requires: python3-pydocstyle
+Requires: python3-pyflakes
+Requires: python3-pygeohash
+Requires: python3-pylint
+Requires: python3-pyroma
+Requires: python3-pytest-check
+Requires: python3-pytest-cov
+Requires: python3-pytest-xdist
+Requires: python3-pytest
+Requires: python3-readthedocs-sphinx-ext
+Requires: python3-responses
+Requires: python3-respx
+Requires: python3-scikit-learn
+Requires: python3-scipy
+Requires: python3-sphinx-rtd-theme
+Requires: python3-sphinx
+Requires: python3-splunk-sdk
+Requires: python3-statsmodels
+Requires: python3-sumologic-sdk
+Requires: python3-types-attrs
+Requires: python3-vt-graph-api
+Requires: python3-vt-py
+Requires: python3-vt-py
+Requires: python3-vt-graph-api
+Requires: python3-nest-asyncio
+
+%description
+## Log Data Acquisition
+QueryProvider is an extensible query library targeting Azure Sentinel/Log Analytics,
+Splunk, OData
+and other log data sources. It also has special support for
+[Mordor](https://github.com/OTRF/mordor) data sets and using local data.
+Built-in parameterized queries allow complex queries to be run
+from a single function call. Add your own queries using a simple YAML
+schema.
+[Data Queries Notebook](https://github.com/microsoft/msticpy/blob/master/docs/notebooks/Data_Queries.ipynb) +## Data Enrichment +### Threat Intelligence providers +The TILookup class can lookup IoCs across multiple TI providers. built-in +providers include AlienVault OTX, IBM XForce, VirusTotal and Azure Sentinel. +The input can be a single IoC observable or a pandas DataFrame containing +multiple observables. Depending on the provider, you may require an account +and an API key. Some providers also enforce throttling (especially for free +tiers), which might affect performing bulk lookups. +[TIProviders](https://msticpy.readthedocs.io/en/latest/data_acquisition/TIProviders.html) +and +[TILookup Usage Notebook](https://github.com/microsoft/msticpy/blob/master/docs/notebooks/TIProviders.ipynb) +### GeoLocation Data +The GeoIP lookup classes allow you to match the geo-locations of IP addresses +using either: +- GeoLiteLookup - Maxmind Geolite (see ) +- IPStackLookup - IPStack (see ) +Folium map +[GeoIP Lookup](https://msticpy.readthedocs.io/en/latest/data_acquisition/GeoIPLookups.html) +and +[GeoIP Notebook](https://github.com/microsoft/msticpy/blob/master/docs/notebooks/GeoIPLookups.ipynb) +### Azure Resource Data, Storage and Azure Sentinel API +The AzureData module contains functionality for enriching data regarding Azure host +details with additional host details exposed via the Azure API. The AzureSentinel +module allows you to query incidents, retrieve detector and hunting +queries. AzureBlogStorage lets you read and write data from blob storage. 
+[Azure Resource APIs](https://msticpy.readthedocs.io/en/latest/data_acquisition/AzureData.html), +[Azure Sentinel APIs](https://msticpy.readthedocs.io/en/latest/data_acquisition/Sentinel.html), +[Azure Storage](https://msticpy.readthedocs.io/en/latest/data_acquisition/AzureBlobStorage.html) +## Security Analysis +This subpackage contains several modules helpful for working on security investigations and hunting: +### Anomalous Sequence Detection +Detect unusual sequences of events in your Office, Active Directory or other log data. +You can extract sessions (e.g. activity initiated by the same account) and identify and +visualize unusual sequences of activity. For example, detecting an attacker setting +a mail forwarding rule on someone's mailbox. +[Anomalous Sessions](https://msticpy.readthedocs.io/en/latest/data_analysis/AnomalousSequence.html) +and +[Anomalous Sequence Notebook](https://github.com/microsoft/msticpy/blob/master/docs/notebooks/AnomalousSequence.ipynb) +### Time Series Analysis +Time series analysis allows you to identify unusual patterns in your log data +taking into account normal seasonal variations (e.g. the regular ebb and flow of +events over hours of the day, days of the week, etc.). Using both analysis and +visualization highlights unusual traffic flows or event activity for any data +set. + +[Time Series](https://msticpy.readthedocs.io/en/latest/visualization/TimeSeriesAnomalies.html) +## Visualization +### Event Timelines +Display any log events on an interactive timeline. Using the +[Bokeh Visualization Library](https://bokeh.org/) the timeline control enables +you to visualize one or more event streams, interactively zoom into specific time +slots and view event details for plotted events. 
+ +[Timeline](https://msticpy.readthedocs.io/en/latest/visualization/EventTimeline.html) +and +[Timeline Notebook](https://github.com/microsoft/msticpy/blob/master/docs/notebooks/EventTimeline.ipynb) +### Process Trees +The process tree functionality has two main components: +- Process Tree creation - taking a process creation log from a host and building + the parent-child relationships between processes in the data set. +- Process Tree visualization - this takes the processed output displays an interactive process tree using Bokeh plots. +There are a set of utility functions to extract individual and partial trees from the processed data set. + +[Process Tree](https://msticpy.readthedocs.io/en/latest/visualization/ProcessTree.html) +and +[Process Tree Notebook](https://github.com/microsoft/msticpy/blob/master/docs/notebooks/ProcessTree.ipynb) +## Data Manipulation and Utility functions +### Pivot Functions +Lets you use *MSTICPy* functionality in an "entity-centric" way. +All functions, queries and lookups that relate to a particular entity type +(e.g. Host, IpAddress, Url) are collected together as methods of that +entity class. So, if you want to do things with an IP address, just load +the IpAddress entity and browse its methods. +[Pivot Functions](https://msticpy.readthedocs.io/en/latest/data_analysis/PivotFunctions.html) +and +[Pivot Functions Notebook](https://github.com/microsoft/msticpy/blob/master/docs/notebooks/PivotFunctions.ipynb) +### base64unpack +Base64 and archive (gz, zip, tar) extractor. It will try to identify any base64 encoded +strings and try decode them. If the result looks like one of the supported archive types it +will unpack the contents. The results of each decode/unpack are rechecked for further +base64 content and up to a specified depth. 
+[Base64 Decoding](https://msticpy.readthedocs.io/en/latest/data_analysis/Base64Unpack.html) +and +[Base64Unpack Notebook](https://github.com/microsoft/msticpy/blob/master/docs/notebooks/Base64Unpack.ipynb) +### iocextract +Uses regular expressions to look for Indicator of Compromise (IoC) patterns - IP Addresses, URLs, +DNS domains, Hashes, file paths. +Input can be a single string or a pandas dataframe. +[IoC Extraction](https://msticpy.readthedocs.io/en/latest/data_analysis/IoCExtract.html) +and +[IoCExtract Notebook](https://github.com/microsoft/msticpy/blob/master/docs/notebooks/IoCExtract.ipynb) +### eventcluster (experimental) +This module is intended to be used to summarize large numbers of +events into clusters of different patterns. High volume repeating +events can often make it difficult to see unique and interesting items. +Clustering +This is an unsupervised learning module implemented using SciKit Learn DBScan. +[Event Clustering](https://msticpy.readthedocs.io/en/latest/data_analysis/EventClustering.html) +and +[Event Clustering Notebook](https://github.com/microsoft/msticpy/blob/master/docs/notebooks/EventClustering.ipynb) +### auditdextract +Module to load and decode Linux audit logs. It collapses messages sharing the same +message ID into single events, decodes hex-encoded data fields and performs some +event-specific formatting and normalization (e.g. for process start events it will +re-assemble the process command line arguments into a single string). +### syslog_utils +Module to support an investigation of a Linux host with only syslog logging enabled. +This includes functions for collating host data, clustering logon events and detecting +user sessions containing suspicious activity. +### cmd_line +A module to support the detection of known malicious command line activity or suspicious +patterns of command line activity. 
+### domain_utils +A module to support investigation of domain names and URLs with functions to +validate a domain name and screenshot a URL. +### Notebook widgets +These are built from the [Jupyter ipywidgets](https://ipywidgets.readthedocs.io/) collection +and group common functionality useful in InfoSec tasks such as list pickers, +query time boundary settings and event display into an easy-to-use format. +Time span Widget +Alert browser) +- IPStackLookup - IPStack (see ) +Folium map +[GeoIP Lookup](https://msticpy.readthedocs.io/en/latest/data_acquisition/GeoIPLookups.html) +and +[GeoIP Notebook](https://github.com/microsoft/msticpy/blob/master/docs/notebooks/GeoIPLookups.ipynb) +### Azure Resource Data, Storage and Azure Sentinel API +The AzureData module contains functionality for enriching data regarding Azure host +details with additional host details exposed via the Azure API. The AzureSentinel +module allows you to query incidents, retrieve detector and hunting +queries. AzureBlogStorage lets you read and write data from blob storage. +[Azure Resource APIs](https://msticpy.readthedocs.io/en/latest/data_acquisition/AzureData.html), +[Azure Sentinel APIs](https://msticpy.readthedocs.io/en/latest/data_acquisition/Sentinel.html), +[Azure Storage](https://msticpy.readthedocs.io/en/latest/data_acquisition/AzureBlobStorage.html) +## Security Analysis +This subpackage contains several modules helpful for working on security investigations and hunting: +### Anomalous Sequence Detection +Detect unusual sequences of events in your Office, Active Directory or other log data. +You can extract sessions (e.g. activity initiated by the same account) and identify and +visualize unusual sequences of activity. For example, detecting an attacker setting +a mail forwarding rule on someone's mailbox. 
+[Anomalous Sessions](https://msticpy.readthedocs.io/en/latest/data_analysis/AnomalousSequence.html) +and +[Anomalous Sequence Notebook](https://github.com/microsoft/msticpy/blob/master/docs/notebooks/AnomalousSequence.ipynb) +### Time Series Analysis +Time series analysis allows you to identify unusual patterns in your log data +taking into account normal seasonal variations (e.g. the regular ebb and flow of +events over hours of the day, days of the week, etc.). Using both analysis and +visualization highlights unusual traffic flows or event activity for any data +set. + +[Time Series](https://msticpy.readthedocs.io/en/latest/visualization/TimeSeriesAnomalies.html) +## Visualization +### Event Timelines +Display any log events on an interactive timeline. Using the +[Bokeh Visualization Library](https://bokeh.org/) the timeline control enables +you to visualize one or more event streams, interactively zoom into specific time +slots and view event details for plotted events. + +[Timeline](https://msticpy.readthedocs.io/en/latest/visualization/EventTimeline.html) +and +[Timeline Notebook](https://github.com/microsoft/msticpy/blob/master/docs/notebooks/EventTimeline.ipynb) +### Process Trees +The process tree functionality has two main components: +- Process Tree creation - taking a process creation log from a host and building + the parent-child relationships between processes in the data set. +- Process Tree visualization - this takes the processed output displays an interactive process tree using Bokeh plots. +There are a set of utility functions to extract individual and partial trees from the processed data set. + +[Process Tree](https://msticpy.readthedocs.io/en/latest/visualization/ProcessTree.html) +and +[Process Tree Notebook](https://github.com/microsoft/msticpy/blob/master/docs/notebooks/ProcessTree.ipynb) +## Data Manipulation and Utility functions +### Pivot Functions +Lets you use *MSTICPy* functionality in an "entity-centric" way. 
+All functions, queries and lookups that relate to a particular entity type +(e.g. Host, IpAddress, Url) are collected together as methods of that +entity class. So, if you want to do things with an IP address, just load +the IpAddress entity and browse its methods. +[Pivot Functions](https://msticpy.readthedocs.io/en/latest/data_analysis/PivotFunctions.html) +and +[Pivot Functions Notebook](https://github.com/microsoft/msticpy/blob/master/docs/notebooks/PivotFunctions.ipynb) +### base64unpack +Base64 and archive (gz, zip, tar) extractor. It will try to identify any base64 encoded +strings and try decode them. If the result looks like one of the supported archive types it +will unpack the contents. The results of each decode/unpack are rechecked for further +base64 content and up to a specified depth. +[Base64 Decoding](https://msticpy.readthedocs.io/en/latest/data_analysis/Base64Unpack.html) +and +[Base64Unpack Notebook](https://github.com/microsoft/msticpy/blob/master/docs/notebooks/Base64Unpack.ipynb) +### iocextract +Uses regular expressions to look for Indicator of Compromise (IoC) patterns - IP Addresses, URLs, +DNS domains, Hashes, file paths. +Input can be a single string or a pandas dataframe. +[IoC Extraction](https://msticpy.readthedocs.io/en/latest/data_analysis/IoCExtract.html) +and +[IoCExtract Notebook](https://github.com/microsoft/msticpy/blob/master/docs/notebooks/IoCExtract.ipynb) +### eventcluster (experimental) +This module is intended to be used to summarize large numbers of +events into clusters of different patterns. High volume repeating +events can often make it difficult to see unique and interesting items. +Clustering +This is an unsupervised learning module implemented using SciKit Learn DBScan. 
+[Event Clustering](https://msticpy.readthedocs.io/en/latest/data_analysis/EventClustering.html) +and +[Event Clustering Notebook](https://github.com/microsoft/msticpy/blob/master/docs/notebooks/EventClustering.ipynb) +### auditdextract +Module to load and decode Linux audit logs. It collapses messages sharing the same +message ID into single events, decodes hex-encoded data fields and performs some +event-specific formatting and normalization (e.g. for process start events it will +re-assemble the process command line arguments into a single string). +### syslog_utils +Module to support an investigation of a Linux host with only syslog logging enabled. +This includes functions for collating host data, clustering logon events and detecting +user sessions containing suspicious activity. +### cmd_line +A module to support the detection of known malicious command line activity or suspicious +patterns of command line activity. +### domain_utils +A module to support investigation of domain names and URLs with functions to +validate a domain name and screenshot a URL. +### Notebook widgets +These are built from the [Jupyter ipywidgets](https://ipywidgets.readthedocs.io/) collection +and group common functionality useful in InfoSec tasks such as list pickers, +query time boundary settings and event display into an easy-to-use format. +Time span Widget +Alert browser) +- IPStackLookup - IPStack (see ) +Folium map +[GeoIP Lookup](https://msticpy.readthedocs.io/en/latest/data_acquisition/GeoIPLookups.html) +and +[GeoIP Notebook](https://github.com/microsoft/msticpy/blob/master/docs/notebooks/GeoIPLookups.ipynb) +### Azure Resource Data, Storage and Azure Sentinel API +The AzureData module contains functionality for enriching data regarding Azure host +details with additional host details exposed via the Azure API. The AzureSentinel +module allows you to query incidents, retrieve detector and hunting +queries. AzureBlogStorage lets you read and write data from blob storage. 
+[Azure Resource APIs](https://msticpy.readthedocs.io/en/latest/data_acquisition/AzureData.html), +[Azure Sentinel APIs](https://msticpy.readthedocs.io/en/latest/data_acquisition/Sentinel.html), +[Azure Storage](https://msticpy.readthedocs.io/en/latest/data_acquisition/AzureBlobStorage.html) +## Security Analysis +This subpackage contains several modules helpful for working on security investigations and hunting: +### Anomalous Sequence Detection +Detect unusual sequences of events in your Office, Active Directory or other log data. +You can extract sessions (e.g. activity initiated by the same account) and identify and +visualize unusual sequences of activity. For example, detecting an attacker setting +a mail forwarding rule on someone's mailbox. +[Anomalous Sessions](https://msticpy.readthedocs.io/en/latest/data_analysis/AnomalousSequence.html) +and +[Anomalous Sequence Notebook](https://github.com/microsoft/msticpy/blob/master/docs/notebooks/AnomalousSequence.ipynb) +### Time Series Analysis +Time series analysis allows you to identify unusual patterns in your log data +taking into account normal seasonal variations (e.g. the regular ebb and flow of +events over hours of the day, days of the week, etc.). Using both analysis and +visualization highlights unusual traffic flows or event activity for any data +set. + +[Time Series](https://msticpy.readthedocs.io/en/latest/visualization/TimeSeriesAnomalies.html) +## Visualization +### Event Timelines +Display any log events on an interactive timeline. Using the +[Bokeh Visualization Library](https://bokeh.org/) the timeline control enables +you to visualize one or more event streams, interactively zoom into specific time +slots and view event details for plotted events. 
+ +[Timeline](https://msticpy.readthedocs.io/en/latest/visualization/EventTimeline.html) +and +[Timeline Notebook](https://github.com/microsoft/msticpy/blob/master/docs/notebooks/EventTimeline.ipynb) +### Process Trees +The process tree functionality has two main components: +- Process Tree creation - taking a process creation log from a host and building + the parent-child relationships between processes in the data set. +- Process Tree visualization - this takes the processed output displays an interactive process tree using Bokeh plots. +There are a set of utility functions to extract individual and partial trees from the processed data set. + +[Process Tree](https://msticpy.readthedocs.io/en/latest/visualization/ProcessTree.html) +and +[Process Tree Notebook](https://github.com/microsoft/msticpy/blob/master/docs/notebooks/ProcessTree.ipynb) +## Data Manipulation and Utility functions +### Pivot Functions +Lets you use *MSTICPy* functionality in an "entity-centric" way. +All functions, queries and lookups that relate to a particular entity type +(e.g. Host, IpAddress, Url) are collected together as methods of that +entity class. So, if you want to do things with an IP address, just load +the IpAddress entity and browse its methods. +[Pivot Functions](https://msticpy.readthedocs.io/en/latest/data_analysis/PivotFunctions.html) +and +[Pivot Functions Notebook](https://github.com/microsoft/msticpy/blob/master/docs/notebooks/PivotFunctions.ipynb) +### base64unpack +Base64 and archive (gz, zip, tar) extractor. It will try to identify any base64 encoded +strings and try decode them. If the result looks like one of the supported archive types it +will unpack the contents. The results of each decode/unpack are rechecked for further +base64 content and up to a specified depth. 
+[Base64 Decoding](https://msticpy.readthedocs.io/en/latest/data_analysis/Base64Unpack.html) +and +[Base64Unpack Notebook](https://github.com/microsoft/msticpy/blob/master/docs/notebooks/Base64Unpack.ipynb) +### iocextract +Uses regular expressions to look for Indicator of Compromise (IoC) patterns - IP Addresses, URLs, +DNS domains, Hashes, file paths. +Input can be a single string or a pandas dataframe. +[IoC Extraction](https://msticpy.readthedocs.io/en/latest/data_analysis/IoCExtract.html) +and +[IoCExtract Notebook](https://github.com/microsoft/msticpy/blob/master/docs/notebooks/IoCExtract.ipynb) +### eventcluster (experimental) +This module is intended to be used to summarize large numbers of +events into clusters of different patterns. High volume repeating +events can often make it difficult to see unique and interesting items. +Clustering +This is an unsupervised learning module implemented using SciKit Learn DBScan. +[Event Clustering](https://msticpy.readthedocs.io/en/latest/data_analysis/EventClustering.html) +and +[Event Clustering Notebook](https://github.com/microsoft/msticpy/blob/master/docs/notebooks/EventClustering.ipynb) +### auditdextract +Module to load and decode Linux audit logs. It collapses messages sharing the same +message ID into single events, decodes hex-encoded data fields and performs some +event-specific formatting and normalization (e.g. for process start events it will +re-assemble the process command line arguments into a single string). +### syslog_utils +Module to support an investigation of a Linux host with only syslog logging enabled. +This includes functions for collating host data, clustering logon events and detecting +user sessions containing suspicious activity. +### cmd_line +A module to support the detection of known malicious command line activity or suspicious +patterns of command line activity. 
+### domain_utils +A module to support investigation of domain names and URLs with functions to +validate a domain name and screenshot a URL. +### Notebook widgets +These are built from the [Jupyter ipywidgets](https://ipywidgets.readthedocs.io/) collection +and group common functionality useful in InfoSec tasks such as list pickers, +query time boundary settings and event display into an easy-to-use format. +Time span Widget +Alert browser> filelist.lst +fi +if [ -d usr/lib64 ]; then + find usr/lib64 -type f -printf "/%h/%f\n" >> filelist.lst +fi +if [ -d usr/bin ]; then + find usr/bin -type f -printf "/%h/%f\n" >> filelist.lst +fi +if [ -d usr/sbin ]; then + find usr/sbin -type f -printf "/%h/%f\n" >> filelist.lst +fi +touch doclist.lst +if [ -d usr/share/man ]; then + find usr/share/man -type f -printf "/%h/%f.gz\n" >> doclist.lst +fi +popd +mv %{buildroot}/filelist.lst . +mv %{buildroot}/doclist.lst . + +%files -n python3-msticpy -f filelist.lst +%dir %{python3_sitelib}/* + +%files help -f doclist.lst +%{_docdir}/* + +%changelog +* Fri May 05 2023 Python_Bot - 2.4.0-1 +- Package Spec generated -- cgit v1.2.3
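Review bot: Source0 downloads the sdist from a third-party PyPI mirror (mirrors.nju.edu.cn) and nothing in this commit pins its content — the diffstat shows only the spec was added, so unless the Copr dist-git flow supplies a separate `sources` checksum file, the build has no integrity check on the tarball; the upstream URL (or `%{pypi_source}`) plus a recorded SHA-512 for the artifact would close that gap. The Requires block also flattens every extras group of the upstream package into hard runtime dependencies, so python3-ipython, python3-keyring and the python3-azure-mgmt-* set appear several times and developer tooling (python3-bandit, python3-black, python3-pytest, python3-sphinx, python3-pre-commit) is installed on every consumer, which widens the installed attack and maintenance surface for no runtime benefit. Entries such as `Requires: python3-KqlmagicCustom[auth_code_clipboard,jupyter-basic]` carry pip extras syntax that RPM does not interpret, so they are unlikely to resolve as written. The %description text is repeated several times within the hunk, and the %package/%prep/%build/%install sections are not legible in this view, so the install script was not reviewed here.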