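    def test_connect_queries_dotted(self):
        """Test queries provided at connect time, using a dotted container.

        Mirrors ``test_connect_queries`` but overrides each query's
        ``query_container`` with ``"Saved.Searches"`` so the provider must
        build the nested ``Saved`` -> ``Searches`` attribute path.

        Builds fresh per-query dicts instead of mutating the entries of the
        module-level ``_TEST_QUERIES`` list: ``list.copy()`` is shallow, so
        the original code rewrote the shared dicts in place and leaked the
        dotted container into any test that reads ``_TEST_QUERIES`` later.
        """
        ut_provider = UTDataDriver()
        # New dicts per query: the shared fixture entries stay untouched.
        dotted_container_qs = [
            {**query, "query_container": "Saved.Searches"}
            for query in _TEST_QUERIES
        ]
        ut_provider.svc_queries = dotted_container_qs
        data_provider = QueryProvider(data_environment="LogAnalytics",
                                      driver=ut_provider)
        data_provider.connect("testuri")

        # The dotted container must have been split into nested attributes.
        self.assertTrue(hasattr(data_provider, "Saved"))
        saved_searches = getattr(data_provider, "Saved")
        saved_searches = getattr(saved_searches, "Searches")
        for query in dotted_container_qs:
            # Only the first segment of a dotted query name is an attribute
            # of this container; a partial or a nested QueryContainer.
            attr = query["name"].split(".")[0]
            self.assertTrue(hasattr(saved_searches, attr))
            self.assertTrue(
                isinstance(getattr(saved_searches, attr),
                           (partial, QueryContainer)))

        # The stored query text must be reachable by its full dotted path.
        q_store = data_provider.query_store
        q_src = q_store.get_query("Saved.Searches.test.query3")
        self.assertEqual(q_src.query, dotted_container_qs[2]["query"])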
    def test_connect_queries_dotted(self):
        """Test queries provided at connect time.

        Same as ``test_connect_queries`` but the driver advertises its
        queries under the dotted container ``"Saved.Searches"``, so the
        provider must expose them as nested ``Saved.Searches`` attributes.
        """
        queries = {
            "test_query1": "Select * from test",
            "test_query2": "Select * from test2",
            "test.query3": "Select * from test2",
        }
        driver = UTDataDriver()
        # svc_queries takes a (queries, container) pair in this version.
        driver.svc_queries = (queries, "Saved.Searches")
        provider = QueryProvider(data_environment="LogAnalytics", driver=driver)
        provider.connect("testuri")

        self.assertTrue(hasattr(provider, "Saved"))
        container = getattr(getattr(provider, "Saved"), "Searches")
        for qry_name in queries:
            # Only the leading segment of a dotted name is a direct member.
            top_level, *_ = qry_name.split(".")
            self.assertTrue(hasattr(container, top_level))
            member = getattr(container, top_level)
            self.assertIsInstance(member, (partial, QueryContainer))

        # The store keeps the query under its fully-qualified dotted path.
        q_src = provider._query_store.get_query("Saved.Searches.test.query3")
        self.assertEqual(q_src.query, queries["test.query3"])
 def test_create_provider(self):
     """Create a LocalData provider, connect, and check its query list.

     Asserts that the provider reports itself connected and that the list
     holds at least eight queries, including three known names.
     """
     provider = QueryProvider("LocalData")
     provider.connect()
     self.assertTrue(provider.connected)
     available = provider.list_queries()
     self.assertGreaterEqual(len(available), 8)
     for expected in (
         "SecurityAlert.list_alerts",
         "WindowsSecurity.list_host_events",
         "Network.list_azure_network_flows_by_ip",
     ):
         self.assertIn(expected, available)
    def test_connect_queries(self):
        """Test queries provided at connect time.

        The driver advertises ``_TEST_QUERIES``; after ``connect`` the
        provider must expose a ``SavedSearches`` container whose members
        are callables (``partial``) or nested ``QueryContainer`` objects,
        and the query store must return the original query text.
        """
        driver = UTDataDriver()
        driver.svc_queries = _TEST_QUERIES

        provider = QueryProvider(data_environment="LogAnalytics", driver=driver)
        provider.connect("testuri")

        # Expected attributes: one per leading segment of each query name.
        self.assertTrue(hasattr(provider, "SavedSearches"))
        container = getattr(provider, "SavedSearches")
        for query_def in _TEST_QUERIES:
            top_level, *_ = query_def["name"].split(".")
            self.assertTrue(hasattr(container, top_level))
            member = getattr(container, top_level)
            self.assertIsInstance(member, (partial, QueryContainer))

        # Expected query text, retrievable via the full dotted name.
        q_src = provider.query_store.get_query("SavedSearches.test.query3")
        self.assertEqual(q_src.query, _TEST_QUERIES[2]["query"])
### Import Libraries

import os

import pandas as pd
from msticpy.nbtools.wsconfig import WorkspaceConfig
from msticpy.data.data_providers import QueryProvider
# Set before the provider loads Kqlmagic; presumably quiets its load-time
# output — confirm against the Kqlmagic documentation.
os.environ.update(KQLMAGIC_LOAD_MODE="silent")

### Define Connection String
We are going to authenticate to our demo workspace with an AppKey. Therefore, there is no need for you to pass an Azure account or authenticate with your own credentials. This is a great demo environment in which to test your notebooks!

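# The appkey below is the demo-workspace placeholder described above; it is a
# plain string literal (the original f-string had no placeholders to fill).
# For a real workspace keep the key out of the notebook: load it through
# WorkspaceConfig (imported above) or an environment variable instead.
connect_str = "loganalytics://workspace='DEMO_WORKSPACE';appkey='DEMO_KEY';alias='myworkspace'"
qry_prov = QueryProvider("LogAnalytics")
qry_prov.connect(connect_str)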

### Native Kqlmagic interface
See https://github.com/Microsoft/jupyter-Kqlmagic

%kql SecurityEvent | take 1

### MSTICPy query interface

# Pull a small sample of alerts through the MSTICPy provider. `head` is
# called on the result, so it is presumably a pandas DataFrame; the print
# shows the actual type.
alerts_query = """
SecurityAlert 
| take 10
"""
alerts_df = qry_prov.exec_query(alerts_query)
print(type(alerts_df))
alerts_df.head(5)