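def _create_win_account_entity(
    account_name: str, acct_activity_df: pd.DataFrame
) -> entities.Account:
    """Build an Account entity from the first Windows logon row for *account_name*.

    Args:
        account_name: value compared exactly against the ``AccountName`` column.
        acct_activity_df: Windows logon activity; only the first matching row is used.

    Returns:
        An Account with ``Host``, ``IpAddress``, ``LogonType`` and ``AadTenantId``
        populated from that row.

    Raises:
        IndexError: if no row matches *account_name*.
        KeyError: if one of the expected columns is missing from the row.
    """
    matching_rows = acct_activity_df[acct_activity_df["AccountName"] == account_name]
    if matching_rows.empty:
        # .iloc[0] on an empty frame raises an opaque positional-indexer error;
        # name the account instead (same exception class, clearer message).
        raise IndexError(f"no Windows activity rows found for account {account_name!r}")
    account_event = matching_rows.iloc[0]

    acc_entity = entities.Account(src_event=account_event)
    acc_entity.Host = entities.Host(src_event=account_event)
    # Keyword spelled `Address` to match the IpAddress constructor calls used by
    # the O365/AAD builders in this file (the lowercase `address` form differed).
    acc_entity.IpAddress = entities.IpAddress(Address=account_event["IpAddress"])
    acc_entity.LogonType = account_event["LogonTypeName"]
    acc_entity.AadTenantId = account_event["TenantId"]
    return acc_entity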
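def _create_lx_account_entity(
    account_name: str, acct_activity_df: pd.DataFrame
) -> entities.Account:
    """Build an Account entity from the first Linux logon row for *account_name*.

    Args:
        account_name: value compared exactly against the ``AccountName`` column.
        acct_activity_df: Linux (syslog-derived) logon activity; only the first
            matching row is used.

    Returns:
        An Account with ``Name``, ``Host`` (including the host's IpAddress),
        ``IpAddress`` (the logon source), ``LogonType``, ``Sid`` and
        ``AadTenantId`` populated from that row.

    Raises:
        IndexError: if no row matches *account_name*.
        KeyError: if one of the expected columns is missing from the row.
    """
    matching_rows = acct_activity_df[acct_activity_df["AccountName"] == account_name]
    if matching_rows.empty:
        # .iloc[0] on an empty frame raises an opaque positional-indexer error;
        # name the account instead (same exception class, clearer message).
        raise IndexError(f"no Linux activity rows found for account {account_name!r}")
    account_event = matching_rows.iloc[0]

    acc_entity = entities.Account()
    acc_entity.Name = account_event["AccountName"]

    # Two distinct addresses: the host the logon landed on and the logon source.
    # Keyword spelled `Address` to match the O365/AAD builders in this file.
    host = entities.Host(HostName=account_event["Computer"])
    host.IpAddress = entities.IpAddress(Address=account_event["HostIP"])
    acc_entity.Host = host
    acc_entity.IpAddress = entities.IpAddress(Address=account_event["SourceIP"])

    acc_entity.LogonType = account_event["LogonType"]
    # The numeric Linux UID is stored in the Sid slot of the Account entity.
    acc_entity.Sid = account_event["UID"]
    acc_entity.AadTenantId = account_event["TenantId"]
    return acc_entity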
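def _create_o365_account_entity(
    account_name: str, acct_activity_df: pd.DataFrame
) -> entities.Account:
    """Build an Account entity from the first Office 365 activity row for *account_name*.

    Args:
        account_name: value compared exactly against the ``UserId`` column.
        acct_activity_df: Office 365 audit activity; only the first matching row
            is used.

    Returns:
        An Account with ``Name``, ``UPNSuffix`` (when ``UserId`` contains ``@``),
        ``AadTenantId`` and ``OrganizationId`` populated; ``IpAddress`` is set
        only when one of the client-IP columns is present and non-empty.

    Raises:
        IndexError: if no row matches *account_name*.
        KeyError: if ``UserId``, ``TenantId`` or ``OrganizationId`` is missing.
    """
    matching_rows = acct_activity_df[acct_activity_df["UserId"] == account_name]
    if matching_rows.empty:
        # .iloc[0] on an empty frame raises an opaque positional-indexer error;
        # name the account instead (same exception class, clearer message).
        raise IndexError(f"no Office 365 activity rows found for account {account_name!r}")
    account_event = matching_rows.iloc[0]

    acc_entity = entities.Account()
    user_id = account_event["UserId"]
    acc_entity.Name = user_id
    if "@" in user_id:
        acc_entity.UPNSuffix = user_id.split("@")[1]
    acc_entity.AadTenantId = account_event["TenantId"]
    acc_entity.OrganizationId = account_event["OrganizationId"]

    # The client-IP column name differs between O365 log schemas; the first
    # column present wins, even if its value is empty (`in` on a Series tests
    # the index labels, i.e. column presence).
    client_ip = ""
    for ip_column in ("ClientIP", "ClientIP_", "IPAddress"):
        if ip_column in account_event:
            client_ip = account_event[ip_column]
            break
    # A missing cell surfaces as NaN/NA, which is not falsy; normalise it to ""
    # so no IpAddress entity is built around a non-address.
    if pd.api.types.is_scalar(client_ip) and pd.isna(client_ip):
        client_ip = ""
    if client_ip:
        acc_entity.IpAddress = entities.IpAddress(Address=client_ip)
    return acc_entity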
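def _create_aad_account_entity(
    account_name: str, acct_activity_df: pd.DataFrame
) -> entities.Account:
    """Build an Account entity from the first Azure AD sign-in row for *account_name*.

    Args:
        account_name: value compared exactly against the ``UserPrincipalName`` column.
        acct_activity_df: Azure AD sign-in activity; only the first matching row
            is used.

    Returns:
        An Account with ``Name``, ``UPNSuffix`` (when the UPN contains ``@``),
        ``AadTenantId``, ``AadUserId``, ``DisplayName``, ``IpAddress``,
        ``DeviceDetail``, ``Location`` and ``UserAgent`` populated from that row.

    Raises:
        IndexError: if no row matches *account_name*.
        KeyError: if one of the expected columns is missing from the row.
    """
    matching_rows = acct_activity_df[
        acct_activity_df["UserPrincipalName"] == account_name
    ]
    if matching_rows.empty:
        # .iloc[0] on an empty frame raises an opaque positional-indexer error;
        # name the account instead (same exception class, clearer message).
        raise IndexError(f"no Azure AD sign-in rows found for account {account_name!r}")
    account_event = matching_rows.iloc[0]

    acc_entity = entities.Account()
    upn = account_event["UserPrincipalName"]
    acc_entity.Name = upn
    if "@" in upn:
        acc_entity.UPNSuffix = upn.split("@")[1]
    acc_entity.AadTenantId = account_event["AADTenantId"]
    acc_entity.AadUserId = account_event["UserId"]
    acc_entity.DisplayName = account_event["UserDisplayName"]
    acc_entity.IpAddress = entities.IpAddress(Address=account_event["IPAddress"])
    # Device, location and user-agent details are copied through verbatim from
    # the sign-in row (no parsing here).
    acc_entity.DeviceDetail = account_event["DeviceDetail"]
    acc_entity.Location = account_event["LocationDetails"]
    acc_entity.UserAgent = account_event["UserAgent"]
    return acc_entity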
def _create_account_entity(
    account_name, acct_type, acct_activity_dfs
) -> entities.Account:
    """Dispatch to the per-platform Account builder for *acct_type*.

    Args:
        account_name: account identifier passed through to the builder.
        acct_type: an ``AccountType`` member selecting the builder.
        acct_activity_dfs: mapping from ``AccountType`` to that platform's
            activity DataFrame.

    Returns:
        The Account built by the matching platform builder; for any other
        *acct_type* a bare Account carrying only ``Name``.

    Raises:
        KeyError: if *acct_activity_dfs* has no frame for a recognised *acct_type*.
    """
    builders = (
        (AccountType.Windows, _create_win_account_entity),
        (AccountType.Linux, _create_lx_account_entity),
        (AccountType.AzureActiveDirectory, _create_aad_account_entity),
        (AccountType.Office365, _create_o365_account_entity),
    )
    for platform, builder in builders:
        if acct_type == platform:
            return builder(account_name, acct_activity_dfs[platform])

    # Unknown platform: nothing to enrich from, so only the name is recorded.
    fallback = entities.Account()
    fallback.Name = account_name
    return fallback