Python SIEM Query Utils with Ibis support
Verified details
These details have been verified by PyPIProject links
GitHub Statistics
Maintainers
Project description
wagov-squ
Python SIEM Query Utils with Ibis support for scalable data processing.
Features
- Azure Sentinel Integration: Query Log Analytics workspaces with KQL
- Multiple Output Formats: Support for pandas DataFrame, CSV, JSON, list, and Ibis expressions
- Scalable Processing: Built on Ibis for efficient data transformations
- Modern Architecture: Built on uv for fast dependency management
Install
pip install wagov-squ
Development Setup
git clone https://github.com/wagov/nbdev-squ.git
cd nbdev-squ
uv sync --dev
Configuration
Azure Key Vault (Recommended)
Set the SQU_CONFIG environment variable to specify Azure Key Vault configuration:
import os
os.environ["SQU_CONFIG"] = "keyvault_name/tenant_id"
Environment Variables (Alternative)
You can also configure services directly with environment variables:
export SQU_JIRA_URL="https://yourorg.atlassian.net"
export SQU_JIRA_USERNAME="user@example.com"
export SQU_JIRA_PASSWORD="your-api-token"
export SQU_RUNZERO_APITOKEN="your-runzero-token"
export SQU_ABUSEIPDB_API_KEY="your-abuseipdb-key"
export SQU_TENABLE_ACCESS_KEY="your-tenable-key"
export SQU_TENABLE_SECRET_KEY="your-tenable-secret"
Quick Start
Basic Usage
from wagov_squ import list_workspaces, query_all, Fmt
# List Azure Sentinel workspaces (returns pandas DataFrame by default)
workspaces = list_workspaces()
print(workspaces)
# Get data in different formats
csv_data = list_workspaces(fmt=Fmt.csv)
json_data = list_workspaces(fmt=Fmt.json)
list_data = list_workspaces(fmt=Fmt.list)
# Execute KQL queries
results = query_all("SecurityEvent | take 10")
Ibis Support
from wagov_squ import list_workspaces, Fmt
# Get data as Ibis expression for advanced processing
ibis_expr = list_workspaces(fmt=Fmt.ibis)
# Use Ibis for complex transformations
filtered = ibis_expr.filter(ibis_expr.alias == "MyAgency")
result = filtered.to_pandas() # Convert back to pandas when needed
API Reference
Core Functions
list_workspaces(fmt="df", agency="ALL")- List Azure Sentinel workspaceslist_securityinsights(fmt="df")- List Security Insights resourcesquery_all(query, fmt="df", timespan=14d)- Execute KQL queries across workspacesclients.jira- Access Jira API client
Output Formats
Fmt.pandasor"df"- pandas DataFrame (default)Fmt.csvor"csv"- CSV stringFmt.jsonor"json"- List of dictionariesFmt.listor"list"- List of listsFmt.ibisor"ibis"- Ibis expression for advanced processing
Integration with dbt & SQLMesh
dbt Integration
wagov-squ includes a built-in dbt-duckdb plugin for seamless integration. Configure your dbt profiles.yml:
your_project:
target: dev
outputs:
dev:
type: duckdb
path: 'dbt.duckdb'
plugins:
- module: 'wagov_squ.api'
alias: 'squ'
Then use in your dbt models:
-- models/security/persistence_hunting.sql
{{ config(materialized='view') }}
SELECT * FROM (
SELECT * FROM squ(kql_path='queries/persistence_detection.kql', timespan='14d')
)
Create queries/persistence_detection.kql:
DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where ProcessCommandLine has_all (dynamic(['reg',' ADD', @'Software\Microsoft\Windows\CurrentVersion\Run']))
| where InitiatingProcessFileName !in (dynamic(['Discord.exe','Skype.exe']))
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessFileName
Or query workspaces directly:
SELECT * FROM squ(list_workspaces=true)
SQLMesh Integration
# models/security_events.py
from sqlmesh import model
from wagov_squ import query_all, Fmt
@model(
"security.persistence_events",
kind="view",
cron="@daily"
)
def persistence_events(context):
kql_query = """
DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where ProcessCommandLine contains "reg add"
| project Timestamp, DeviceName, ProcessCommandLine
"""
# Get data as Ibis expression for further processing
data = query_all(kql_query, fmt=Fmt.ibis)
return data.filter(data.Timestamp >= context.start_date)
Security Considerations
Configuration secrets are cached securely in the user_cache_dir with restricted permissions. Ensure:
- System runs on encrypted disk
- User cache directory access is restricted
- No external logging of cache directory
- Use isolated VMs/workstations for sensitive activities
Development
Commands
just install # Install development dependencies
just test # Run all tests
just test-fast # Run unit tests only
just test-integration # Run integration tests (requires SQU_CONFIG)
just lint # Format and lint code
just build # Build package
just complexity # Analyze code complexity
Testing
Integration tests require Azure authentication via SQU_CONFIG:
export SQU_CONFIG="keyvault_name/tenant_id"
just test-integration
License
Apache-2.0
Project details
Verified details
These details have been verified by PyPIProject links
GitHub Statistics
Maintainers
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
wagov_squ-1.4.9.tar.gz
(354.6 kB
view details)
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
wagov_squ-1.4.9-py3-none-any.whl
(349.8 kB
view details)
File details
Details for the file wagov_squ-1.4.9.tar.gz.
File metadata
- Download URL: wagov_squ-1.4.9.tar.gz
- Upload date:
- Size: 354.6 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
ce5ecc22b53c4398d604d3aa9746b262cbe73dca2fa365b185b338dc405224e5
|
|
| MD5 |
77895a5e487df0966011365ae8630d0d
|
|
| BLAKE2b-256 |
e801461cf002cec87dbfdc844a8525b4cafefa4791342f2d5aa3bcce419dea76
|
Provenance
The following attestation bundles were made for wagov_squ-1.4.9.tar.gz:
Publisher:
release.yml on wagov/nbdev-squ
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
wagov_squ-1.4.9.tar.gz -
Subject digest:
ce5ecc22b53c4398d604d3aa9746b262cbe73dca2fa365b185b338dc405224e5 - Sigstore transparency entry: 536503446
- Sigstore integration time:
-
Permalink:
wagov/nbdev-squ@a72d53b02dacccc5c82839c0851eb7aff9198d11 -
Branch / Tag:
refs/tags/v1.4.9 - Owner: https://github.com/wagov
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@a72d53b02dacccc5c82839c0851eb7aff9198d11 -
Trigger Event:
push
-
Statement type:
File details
Details for the file wagov_squ-1.4.9-py3-none-any.whl.
File metadata
- Download URL: wagov_squ-1.4.9-py3-none-any.whl
- Upload date:
- Size: 349.8 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
3d2e9ea112cd9cf1c8bda70c46c99af08e7d7b764c3e87c09a1d0ef8fa199d2a
|
|
| MD5 |
cd268b63f62a025deccf88b5e209cfeb
|
|
| BLAKE2b-256 |
1484545da7116fa8f62ad11bbd89330c6ea2aa7abb7242c0514ab927cbd9eb43
|
Provenance
The following attestation bundles were made for wagov_squ-1.4.9-py3-none-any.whl:
Publisher:
release.yml on wagov/nbdev-squ
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
wagov_squ-1.4.9-py3-none-any.whl -
Subject digest:
3d2e9ea112cd9cf1c8bda70c46c99af08e7d7b764c3e87c09a1d0ef8fa199d2a - Sigstore transparency entry: 536503461
- Sigstore integration time:
-
Permalink:
wagov/nbdev-squ@a72d53b02dacccc5c82839c0851eb7aff9198d11 -
Branch / Tag:
refs/tags/v1.4.9 - Owner: https://github.com/wagov
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@a72d53b02dacccc5c82839c0851eb7aff9198d11 -
Trigger Event:
push
-
Statement type:
