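def _create_aad_account_entity(
    account_name: str, acct_activity_df: pd.DataFrame, geoip
) -> entities.Account:
    """Build an Account entity from Azure Active Directory activity rows.

    Rows are selected where ``AccountName`` equals *account_name* and
    ``Source`` equals ``AccountType.AzureActiveDirectory.name``. The first
    matching row supplies the scalar attributes; every matching row
    contributes to the IP address group.

    Args:
        account_name: value matched against the ``AccountName`` column.
        acct_activity_df: DataFrame of account activity rows.
        geoip: lookup object passed through to ``_create_ip_entities``.

    Returns:
        A populated ``entities.Account``. ``IpAddress`` is set when exactly
        one IP entity was produced, otherwise ``IpAddresses`` holds the list.

    Raises:
        IndexError: when no row matches (``iloc[0]`` on an empty frame).
        KeyError: when an expected column is absent from the frame.
    """
    acc_entity = entities.Account()
    mask = (acct_activity_df["AccountName"] == account_name) & (
        acct_activity_df["Source"] == AccountType.AzureActiveDirectory.name
    )
    account_events = acct_activity_df[mask]
    # Attribute values come from the first matching row only.
    account_event = account_events.iloc[0]

    upn = account_event["UserPrincipalName"]
    acc_entity.Name = upn
    # The UPN is log-sourced (untrusted) text. Guard against a non-string
    # value (e.g. NaN for a missing field) before the membership test, and
    # take the part after the LAST "@" so an odd value such as "a@b@c"
    # yields "c" as the suffix rather than "b".
    if isinstance(upn, str) and "@" in upn:
        acc_entity.UPNSuffix = upn.rpartition("@")[2]
    acc_entity.AadTenantId = account_event["AADTenantId"]
    acc_entity.AadUserId = account_event["UserId"]
    acc_entity.DisplayName = account_event["UserDisplayName"]
    acc_entity.DeviceDetail = account_event["DeviceDetail"]
    acc_entity.Location = account_event["LocationDetails"]
    acc_entity.UserAgent = account_event["UserAgent"]

    # All matching rows feed the IP group; the column is "IPAddress" here.
    ip_grp = _create_ip_group(account_events, "IPAddress")
    ip_addrs = list(_create_ip_entities(ip_grp, geoip))
    if len(ip_addrs) == 1:
        acc_entity.IpAddress = ip_addrs[0]
    else:
        acc_entity.IpAddresses = ip_addrs
    return acc_entity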
def _create_account_entity(
    account_name, acct_type, acct_activity_dfs, geoip
) -> entities.Account:
    """Dispatch to the per-source Account entity builder.

    Args:
        account_name: account identifier passed to the builder.
        acct_type: ``AccountType`` member selecting the builder and the
            activity frame.
        acct_activity_dfs: mapping from ``AccountType`` to its activity
            DataFrame; indexed with *acct_type* when a builder exists.
        geoip: lookup object forwarded to the builder.

    Returns:
        The builder's ``entities.Account`` for Windows, Linux, Azure AD and
        Office365; for any other *acct_type* a bare ``entities.Account``
        whose ``Name`` is *account_name*.
    """
    builders = {
        AccountType.Windows: _create_win_account_entity,
        AccountType.Linux: _create_lx_account_entity,
        AccountType.AzureActiveDirectory: _create_aad_account_entity,
        AccountType.Office365: _create_o365_account_entity,
    }
    build = builders.get(acct_type)
    if build is None:
        # Unknown source: nothing to enrich, return a name-only entity.
        fallback = entities.Account()
        fallback.Name = account_name
        return fallback
    # KeyError propagates if the frame for this type is missing, as before.
    return build(account_name, acct_activity_dfs[acct_type], geoip)
def _create_win_account_entity(
    account_name: str, acct_activity_df: pd.DataFrame, geoip
) -> entities.Account:
    """Build an Account entity from Windows logon activity rows.

    Unlike the AAD/O365 builders this one matches on ``AccountName`` only
    (no ``Source`` filter) and seeds the entity from the first matching
    row via ``src_event``.

    Args:
        account_name: value matched against the ``AccountName`` column.
        acct_activity_df: DataFrame of account activity rows.
        geoip: lookup object passed through to ``_create_host_entities``.

    Returns:
        A populated ``entities.Account``. ``Host`` is set when exactly one
        host entity was produced, otherwise ``Hosts`` holds the list.

    Raises:
        IndexError: when no row matches (``iloc[0]`` on an empty frame).
    """
    matching = acct_activity_df[acct_activity_df["AccountName"] == account_name]
    first_row = matching.iloc[0]

    acc_entity = entities.Account(src_event=first_row)
    acc_entity.LogonType = first_row["LogonTypeName"]
    acc_entity.AadTenantId = first_row["TenantId"]

    # Hosts are grouped over every matching row, keyed by Computer/IpAddress.
    host_grp = _create_host_ip_group(
        matching, host_column="Computer", ip_column="IpAddress"
    )
    acc_hosts = list(_create_host_entities(host_grp, geoip))
    single_host = len(acc_hosts) == 1
    if single_host:
        acc_entity.Host = acc_hosts[0]
    else:
        acc_entity.Hosts = acc_hosts
    return acc_entity
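def _create_o365_account_entity(
    account_name: str, acct_activity_df: pd.DataFrame, geoip
) -> entities.Account:
    """Build an Account entity from Office365 activity rows.

    Rows are selected where ``AccountName`` equals *account_name* and
    ``Source`` equals ``AccountType.Office365.name``. The first matching
    row supplies the scalar attributes; every matching row contributes to
    the IP address group.

    Args:
        account_name: value matched against the ``AccountName`` column.
        acct_activity_df: DataFrame of account activity rows.
        geoip: lookup object passed through to ``_create_ip_entities``.

    Returns:
        A populated ``entities.Account``. ``IpAddress`` is set when exactly
        one IP entity was produced, otherwise ``IpAddresses`` holds the list.

    Raises:
        IndexError: when no row matches (``iloc[0]`` on an empty frame).
        KeyError: when an expected column is absent from the frame.
    """
    acc_entity = entities.Account()
    mask = (acct_activity_df["AccountName"] == account_name) & (
        acct_activity_df["Source"] == AccountType.Office365.name
    )
    o365_events = acct_activity_df[mask]
    # Attribute values come from the first matching row only.
    account_event = o365_events.iloc[0]

    upn = account_event["UserPrincipalName"]
    acc_entity.Name = upn
    # The UPN is log-sourced (untrusted) text. Guard against a non-string
    # value (e.g. NaN for a missing field) before the membership test, and
    # take the part after the LAST "@" so an odd value such as "a@b@c"
    # yields "c" as the suffix rather than "b".
    if isinstance(upn, str) and "@" in upn:
        acc_entity.UPNSuffix = upn.rpartition("@")[2]
    # Note: this source carries the tenant in "TenantId" (AAD uses "AADTenantId").
    acc_entity.AadTenantId = account_event["TenantId"]
    acc_entity.OrganizationId = account_event["OrganizationId"]

    # All matching rows feed the IP group; the column is "IPAddress" here.
    ip_grp = _create_ip_group(o365_events, "IPAddress")
    ip_addrs = list(_create_ip_entities(ip_grp, geoip))
    if len(ip_addrs) == 1:
        acc_entity.IpAddress = ip_addrs[0]
    else:
        acc_entity.IpAddresses = ip_addrs
    return acc_entity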