Python SIEM Query Utils with Ibis support

Navigation

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for wagov-dtt from gravatar.com wagov-dtt

Unverified details

These details have not been verified by PyPI
Meta
  • License Expression: Apache-2.0
    SPDX License Expression
  • Author: Adon Metcalfe
  • Tags siem , security , azure , sentinel , query , automation
  • Requires: Python >=3.12
  • Provides-Extra: dev
Classifiers
Report project as malware

Project description

wagov-squ

Python SIEM Query Utils with Ibis support for scalable data processing.

GitHub Actions PyPI Version

Features

  • Azure Sentinel Integration: Query Log Analytics workspaces with KQL
  • Multiple Output Formats: Support for pandas DataFrame, CSV, JSON, list, and Ibis expressions
  • Scalable Processing: Built on Ibis for efficient data transformations
  • Modern Architecture: Built on uv for fast dependency management

Install

pip install wagov-squ

Development Setup

git clone https://github.com/wagov/nbdev-squ.git
cd nbdev-squ
uv sync --dev

Configuration

Set the SQU_CONFIG environment variable to specify Azure Key Vault configuration:

import os
os.environ["SQU_CONFIG"] = "keyvault_name/tenant_id"

Quick Start

Basic Usage

from wagov_squ import list_workspaces, query_all, Fmt

# List Azure Sentinel workspaces (returns pandas DataFrame by default)
workspaces = list_workspaces()
print(workspaces)

# Get data in different formats
csv_data = list_workspaces(fmt=Fmt.csv)
json_data = list_workspaces(fmt=Fmt.json) 
list_data = list_workspaces(fmt=Fmt.list)

# Execute KQL queries
results = query_all("SecurityEvent | take 10")

Ibis Support

from wagov_squ import list_workspaces, Fmt

# Get data as Ibis expression for advanced processing
ibis_expr = list_workspaces(fmt=Fmt.ibis)

# Use Ibis for complex transformations
filtered = ibis_expr.filter(ibis_expr.alias == "MyAgency")
result = filtered.to_pandas()  # Convert back to pandas when needed

API Reference

Core Functions

  • list_workspaces(fmt="df", agency="ALL") - List Azure Sentinel workspaces
  • list_securityinsights(fmt="df") - List Security Insights resources
  • query_all(query, fmt="df", timespan=14d) - Execute KQL queries across workspaces
  • clients.jira - Access Jira API client

Output Formats

  • Fmt.pandas or "df" - pandas DataFrame (default)
  • Fmt.csv or "csv" - CSV string
  • Fmt.json or "json" - List of dictionaries
  • Fmt.list or "list" - List of lists
  • Fmt.ibis or "ibis" - Ibis expression for advanced processing

Integration with dbt & SQLMesh

dbt Integration

wagov-squ includes a built-in dbt-duckdb plugin for seamless integration. Configure your dbt profiles.yml:

your_project:
  target: dev
  outputs:
    dev:
      type: duckdb
      path: 'dbt.duckdb'
      plugins:
        - module: 'wagov_squ.api'
          alias: 'squ'

Then use in your dbt models:

-- models/security/persistence_hunting.sql
{{ config(materialized='view') }}

SELECT * FROM (
  SELECT * FROM squ(kql_path='queries/persistence_detection.kql', timespan='14d')
)

Create queries/persistence_detection.kql:

DeviceProcessEvents
| where ActionType == "ProcessCreated" 
| where ProcessCommandLine has_all (dynamic(['reg',' ADD', @'Software\Microsoft\Windows\CurrentVersion\Run']))
| where InitiatingProcessFileName !in (dynamic(['Discord.exe','Skype.exe']))
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessFileName

Or query workspaces directly:

SELECT * FROM squ(list_workspaces=true)

SQLMesh Integration

# models/security_events.py
from sqlmesh import model
from wagov_squ import query_all, Fmt

@model(
    "security.persistence_events",
    kind="view",
    cron="@daily"
)
def persistence_events(context):
    kql_query = """
    DeviceProcessEvents
    | where ActionType == "ProcessCreated"
    | where ProcessCommandLine contains "reg add"
    | project Timestamp, DeviceName, ProcessCommandLine
    """
    
    # Get data as Ibis expression for further processing
    data = query_all(kql_query, fmt=Fmt.ibis)
    return data.filter(data.Timestamp >= context.start_date)

Security Considerations

Configuration secrets are cached securely in the user_cache_dir with restricted permissions. Ensure:

  • System runs on encrypted disk
  • User cache directory access is restricted
  • No external logging of cache directory
  • Use isolated VMs/workstations for sensitive activities

Development

Commands

just install          # Install development dependencies
just test             # Run all tests  
just test-fast        # Run unit tests only
just test-integration # Run integration tests (requires SQU_CONFIG)
just lint             # Format and lint code
just build            # Build package
just complexity       # Analyze code complexity

Testing

Integration tests require Azure authentication via SQU_CONFIG:

export SQU_CONFIG="keyvault_name/tenant_id"  
just test-integration

License

Apache-2.0

Project details

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for wagov-dtt from gravatar.com wagov-dtt

Unverified details

These details have not been verified by PyPI
Meta
  • License Expression: Apache-2.0
    SPDX License Expression
  • Author: Adon Metcalfe
  • Tags siem , security , azure , sentinel , query , automation
  • Requires: Python >=3.12
  • Provides-Extra: dev
Classifiers

Release history Release notifications | RSS feed

1.5.3

1.5.2

1.5.1

1.5.0

1.4.9

1.4.8

1.4.7

1.4.6

1.4.5

1.4.4

1.4.3

This version

1.4.2

1.4.1

1.4.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

wagov_squ-1.4.2.tar.gz (347.3 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

wagov_squ-1.4.2-py3-none-any.whl (344.1 kB view details)

Uploaded Python 3

File details

Details for the file wagov_squ-1.4.2.tar.gz.

File metadata

  • Download URL: wagov_squ-1.4.2.tar.gz
  • Upload date:
  • Size: 347.3 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for wagov_squ-1.4.2.tar.gz
Algorithm Hash digest
SHA256 64daa8a3ed21e2d248a467db62a6580ff756742472912a77f16f8a26d4468799
MD5 e65f48ed04ba7c50e6c1d4eb4630d36f
BLAKE2b-256 e4378937e9269f3a5c497f089709906ddd4929abe4a26ebdc97346842f120c88

See more details on using hashes here.

Provenance

The following attestation bundles were made for wagov_squ-1.4.2.tar.gz:

Publisher: release.yml on wagov/nbdev-squ

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file wagov_squ-1.4.2-py3-none-any.whl.

File metadata

  • Download URL: wagov_squ-1.4.2-py3-none-any.whl
  • Upload date:
  • Size: 344.1 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for wagov_squ-1.4.2-py3-none-any.whl
Algorithm Hash digest
SHA256 4ba5bf2790b251a1a23e8b113f975228b45d636d7de2fe6222c11b651db93c93
MD5 378cea54b3d62495a87ac3f54c69a3bc
BLAKE2b-256 8246360e5f8db7489b9af7c08a42cd7973943df83f13571e8b91b7edcb6c072e

See more details on using hashes here.

Provenance

The following attestation bundles were made for wagov_squ-1.4.2-py3-none-any.whl:

Publisher: release.yml on wagov/nbdev-squ

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page