Python SIEM Query Utils with Ibis support

Navigation

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for wagov-dtt from gravatar.com wagov-dtt

Unverified details

These details have not been verified by PyPI
Meta
  • License Expression: Apache-2.0
    SPDX License Expression
  • Author: Adon Metcalfe
  • Tags siem , security , azure , sentinel , query , automation
  • Requires: Python >=3.12
  • Provides-Extra: dev
Classifiers
Report project as malware

Project description

wagov-squ

Python SIEM Query Utils with Ibis support for scalable data processing.

GitHub Actions PyPI Version OpenSSF Scorecard

Features

  • Azure Sentinel Integration: Query Log Analytics workspaces with KQL
  • Multiple Output Formats: Support for pandas DataFrame, CSV, JSON, list, and Ibis expressions
  • Scalable Processing: Built on Ibis for efficient data transformations
  • Backward Compatible: Zero breaking changes for existing code
  • Modern Architecture: Built on uv for fast dependency management

Install

pip install wagov-squ

Development Setup

git clone https://github.com/wagov/nbdev-squ.git
cd nbdev-squ
uv sync --dev

Configuration

Set the SQU_CONFIG environment variable to specify Azure Key Vault configuration:

import os
os.environ["SQU_CONFIG"] = "keyvault_name/tenant_id"

Quick Start

Basic Usage

from wagov_squ import list_workspaces, query_all, Fmt

# List Azure Sentinel workspaces (returns pandas DataFrame by default)
workspaces = list_workspaces()
print(workspaces)

# Get data in different formats
csv_data = list_workspaces(fmt=Fmt.csv)
json_data = list_workspaces(fmt=Fmt.json) 
list_data = list_workspaces(fmt=Fmt.list)

# Execute KQL queries
results = query_all("SecurityEvent | take 10")

Ibis Support

from wagov_squ import list_workspaces, Fmt

# Get data as Ibis expression for advanced processing
ibis_expr = list_workspaces(fmt=Fmt.ibis)

# Use Ibis for complex transformations
filtered = ibis_expr.filter(ibis_expr.alias == "MyAgency")
result = filtered.to_pandas()  # Convert back to pandas when needed

API Reference

Core Functions

  • list_workspaces(fmt="df", agency="ALL") - List Azure Sentinel workspaces
  • list_securityinsights(fmt="df") - List Security Insights resources
  • query_all(query, fmt="df", timespan=14d) - Execute KQL queries across workspaces
  • clients.jira - Access Jira API client

Output Formats

  • Fmt.pandas or "df" - pandas DataFrame (default)
  • Fmt.csv or "csv" - CSV string
  • Fmt.json or "json" - List of dictionaries
  • Fmt.list or "list" - List of lists
  • Fmt.ibis or "ibis" - Ibis expression for advanced processing

Integration with dbt & SQLMesh

dbt Integration

wagov-squ includes a built-in dbt-duckdb plugin for seamless integration. Configure your dbt profiles.yml:

your_project:
  target: dev
  outputs:
    dev:
      type: duckdb
      path: 'dbt.duckdb'
      plugins:
        - module: 'wagov_squ.api'
          alias: 'squ'

Then use in your dbt models:

-- models/security/persistence_hunting.sql
{{ config(materialized='view') }}

SELECT * FROM (
  SELECT * FROM squ(kql_path='queries/persistence_detection.kql', timespan='14d')
)

Create queries/persistence_detection.kql:

DeviceProcessEvents
| where ActionType == "ProcessCreated" 
| where ProcessCommandLine has_all (dynamic(['reg',' ADD', @'Software\Microsoft\Windows\CurrentVersion\Run']))
| where InitiatingProcessFileName !in (dynamic(['Discord.exe','Skype.exe']))
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessFileName

Or query workspaces directly:

SELECT * FROM squ(list_workspaces=true)

SQLMesh Integration

# models/security_events.py
from sqlmesh import model
from wagov_squ import query_all, Fmt

@model(
    "security.persistence_events",
    kind="view",
    cron="@daily"
)
def persistence_events(context):
    kql_query = """
    DeviceProcessEvents
    | where ActionType == "ProcessCreated"
    | where ProcessCommandLine contains "reg add"
    | project Timestamp, DeviceName, ProcessCommandLine
    """
    
    # Get data as Ibis expression for further processing
    data = query_all(kql_query, fmt=Fmt.ibis)
    return data.filter(data.Timestamp >= context.start_date)

Security Considerations

Configuration secrets are cached securely in the user_cache_dir with restricted permissions. Ensure:

  • System runs on encrypted disk
  • User cache directory access is restricted
  • No external logging of cache directory
  • Use isolated VMs/workstations for sensitive activities

Development

Commands

just install          # Install development dependencies
just test             # Run all tests  
just test-fast        # Run unit tests only
just test-integration # Run integration tests (requires SQU_CONFIG)
just lint             # Format and lint code
just build            # Build package
just complexity       # Analyze code complexity

Testing

Integration tests require Azure authentication via SQU_CONFIG:

export SQU_CONFIG="keyvault_name/tenant_id"  
just test-integration

License

Apache-2.0

Project details

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for wagov-dtt from gravatar.com wagov-dtt

Unverified details

These details have not been verified by PyPI
Meta
  • License Expression: Apache-2.0
    SPDX License Expression
  • Author: Adon Metcalfe
  • Tags siem , security , azure , sentinel , query , automation
  • Requires: Python >=3.12
  • Provides-Extra: dev
Classifiers

Release history Release notifications | RSS feed

1.5.3

1.5.2

1.5.1

1.5.0

1.4.9

1.4.8

1.4.7

1.4.6

1.4.5

1.4.4

1.4.3

1.4.2

This version

1.4.1

1.4.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

wagov_squ-1.4.1.tar.gz (347.5 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

wagov_squ-1.4.1-py3-none-any.whl (344.1 kB view details)

Uploaded Python 3

File details

Details for the file wagov_squ-1.4.1.tar.gz.

File metadata

  • Download URL: wagov_squ-1.4.1.tar.gz
  • Upload date:
  • Size: 347.5 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for wagov_squ-1.4.1.tar.gz
Algorithm Hash digest
SHA256 c323c2b516fe2144a19268b0fff988cf7eaf7dae1a558886a1522e93a685f56a
MD5 3068f1a271cb63e90a3c725cb2596934
BLAKE2b-256 5d92709dd26661e2a76acd01a54c0bb6a21b8a2b9667118e47db52562888f468

See more details on using hashes here.

Provenance

The following attestation bundles were made for wagov_squ-1.4.1.tar.gz:

Publisher: release.yml on wagov/nbdev-squ

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file wagov_squ-1.4.1-py3-none-any.whl.

File metadata

  • Download URL: wagov_squ-1.4.1-py3-none-any.whl
  • Upload date:
  • Size: 344.1 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for wagov_squ-1.4.1-py3-none-any.whl
Algorithm Hash digest
SHA256 e8a44b05b80dbea192d68aeec7c94d8d7969e77017c300462b4e0e2b343fecf2
MD5 d7ece34b88f7a002e8a374782e7400db
BLAKE2b-256 f8b488ec9cde00a54da31dac173219af80bf46b34557a61d0ed89ec2f399c3bf

See more details on using hashes here.

Provenance

The following attestation bundles were made for wagov_squ-1.4.1-py3-none-any.whl:

Publisher: release.yml on wagov/nbdev-squ

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page