Python SIEM Query Utils with Ibis support
Verified details
These details have been verified by PyPIProject links
GitHub Statistics
Maintainers
Project description
wagov-squ
Python SIEM Query Utils with Ibis support for scalable data processing.
Features
- Azure Sentinel Integration: Query Log Analytics workspaces with KQL
- Multiple Output Formats: Support for pandas DataFrame, CSV, JSON, list, and Ibis expressions
- Scalable Processing: Built on Ibis for efficient data transformations
- Modern Architecture: Built on uv for fast dependency management
Install
pip install wagov-squ
Development Setup
git clone https://github.com/wagov/nbdev-squ.git
cd nbdev-squ
uv sync --dev
Configuration
Azure Key Vault (Recommended)
Set the SQU_CONFIG environment variable to specify Azure Key Vault configuration:
import os
os.environ["SQU_CONFIG"] = "keyvault_name/tenant_id"
Environment Variables (Alternative)
You can also configure services directly with environment variables:
export SQU_JIRA_URL="https://yourorg.atlassian.net"
export SQU_JIRA_USERNAME="user@example.com"
export SQU_JIRA_PASSWORD="your-api-token"
export SQU_RUNZERO_APITOKEN="your-runzero-token"
export SQU_ABUSEIPDB_API_KEY="your-abuseipdb-key"
export SQU_TENABLE_ACCESS_KEY="your-tenable-key"
export SQU_TENABLE_SECRET_KEY="your-tenable-secret"
Quick Start
Basic Usage
from wagov_squ import list_workspaces, query_all, Fmt
# List Azure Sentinel workspaces (returns pandas DataFrame by default)
workspaces = list_workspaces()
print(workspaces)
# Get data in different formats
csv_data = list_workspaces(fmt=Fmt.csv)
json_data = list_workspaces(fmt=Fmt.json)
list_data = list_workspaces(fmt=Fmt.list)
# Execute KQL queries
results = query_all("SecurityEvent | take 10")
Ibis Support
from wagov_squ import list_workspaces, Fmt
# Get data as Ibis expression for advanced processing
ibis_expr = list_workspaces(fmt=Fmt.ibis)
# Use Ibis for complex transformations
filtered = ibis_expr.filter(ibis_expr.alias == "MyAgency")
result = filtered.to_pandas() # Convert back to pandas when needed
API Reference
Core Functions
list_workspaces(fmt="df", agency="ALL")- List Azure Sentinel workspaceslist_securityinsights(fmt="df")- List Security Insights resourcesquery_all(query, fmt="df", timespan=14d)- Execute KQL queries across workspacesclients.jira- Access Jira API client
Output Formats
Fmt.pandasor"df"- pandas DataFrame (default)Fmt.csvor"csv"- CSV stringFmt.jsonor"json"- List of dictionariesFmt.listor"list"- List of listsFmt.ibisor"ibis"- Ibis expression for advanced processing
Integration with dbt & SQLMesh
dbt Integration
wagov-squ includes a built-in dbt-duckdb plugin for seamless integration. Configure your dbt profiles.yml:
your_project:
target: dev
outputs:
dev:
type: duckdb
path: 'dbt.duckdb'
plugins:
- module: 'wagov_squ.api'
alias: 'squ'
Then use in your dbt models:
-- models/security/persistence_hunting.sql
{{ config(materialized='view') }}
SELECT * FROM (
SELECT * FROM squ(kql_path='queries/persistence_detection.kql', timespan='14d')
)
Create queries/persistence_detection.kql:
DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where ProcessCommandLine has_all (dynamic(['reg',' ADD', @'Software\Microsoft\Windows\CurrentVersion\Run']))
| where InitiatingProcessFileName !in (dynamic(['Discord.exe','Skype.exe']))
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessFileName
Or query workspaces directly:
SELECT * FROM squ(list_workspaces=true)
SQLMesh Integration
# models/security_events.py
from sqlmesh import model
from wagov_squ import query_all, Fmt
@model(
"security.persistence_events",
kind="view",
cron="@daily"
)
def persistence_events(context):
kql_query = """
DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where ProcessCommandLine contains "reg add"
| project Timestamp, DeviceName, ProcessCommandLine
"""
# Get data as Ibis expression for further processing
data = query_all(kql_query, fmt=Fmt.ibis)
return data.filter(data.Timestamp >= context.start_date)
Security Considerations
Configuration secrets are cached securely in the user_cache_dir with restricted permissions. Ensure:
- System runs on encrypted disk
- User cache directory access is restricted
- No external logging of cache directory
- Use isolated VMs/workstations for sensitive activities
Development
Commands
just install # Install development dependencies
just test # Run all tests
just test-fast # Run unit tests only
just test-integration # Run integration tests (requires SQU_CONFIG)
just lint # Format and lint code
just build # Build package
just complexity # Analyze code complexity
Testing
Integration tests require Azure authentication via SQU_CONFIG:
export SQU_CONFIG="keyvault_name/tenant_id"
just test-integration
License
Apache-2.0
Project details
Verified details
These details have been verified by PyPIProject links
GitHub Statistics
Maintainers
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
wagov_squ-1.4.8.tar.gz
(354.5 kB
view details)
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
wagov_squ-1.4.8-py3-none-any.whl
(349.6 kB
view details)
File details
Details for the file wagov_squ-1.4.8.tar.gz.
File metadata
- Download URL: wagov_squ-1.4.8.tar.gz
- Upload date:
- Size: 354.5 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
31e0cfa18f2a50bbb7d7ce9a2ff11280d1d3a713996c852f8ae71115fef170da
|
|
| MD5 |
ed687327aad25975501cceb92773f66b
|
|
| BLAKE2b-256 |
36c56c4b017526d0004c5ae2b574a556cdd104851eaa2ccee7845f686d09ef17
|
Provenance
The following attestation bundles were made for wagov_squ-1.4.8.tar.gz:
Publisher:
release.yml on wagov/nbdev-squ
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
wagov_squ-1.4.8.tar.gz -
Subject digest:
31e0cfa18f2a50bbb7d7ce9a2ff11280d1d3a713996c852f8ae71115fef170da - Sigstore transparency entry: 535844726
- Sigstore integration time:
-
Permalink:
wagov/nbdev-squ@b60ccf791351acd3579e4710bac82fec5e52d6fc -
Branch / Tag:
refs/tags/v1.4.8 - Owner: https://github.com/wagov
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@b60ccf791351acd3579e4710bac82fec5e52d6fc -
Trigger Event:
push
-
Statement type:
File details
Details for the file wagov_squ-1.4.8-py3-none-any.whl.
File metadata
- Download URL: wagov_squ-1.4.8-py3-none-any.whl
- Upload date:
- Size: 349.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
492c9c578c4f05f0bcea1dd0609675ce571e4260842f10760b709228bb823c89
|
|
| MD5 |
bca7ea57653d53cda5ed237b4f5bde56
|
|
| BLAKE2b-256 |
5c4e558d6ea2cc11b4e016d5b6e66f972f7629ea39c362019e3e04258306f12c
|
Provenance
The following attestation bundles were made for wagov_squ-1.4.8-py3-none-any.whl:
Publisher:
release.yml on wagov/nbdev-squ
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
wagov_squ-1.4.8-py3-none-any.whl -
Subject digest:
492c9c578c4f05f0bcea1dd0609675ce571e4260842f10760b709228bb823c89 - Sigstore transparency entry: 535844731
- Sigstore integration time:
-
Permalink:
wagov/nbdev-squ@b60ccf791351acd3579e4710bac82fec5e52d6fc -
Branch / Tag:
refs/tags/v1.4.8 - Owner: https://github.com/wagov
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@b60ccf791351acd3579e4710bac82fec5e52d6fc -
Trigger Event:
push
-
Statement type:
