## Early Warning Customer data

ID: fbc0c2a7-9b29-4ed2-a909-3e68c26bb251
Date Pulled: 2025-01-07
Data Sources:
- Okta system logs
- Crowdstrike
- TAP
- Exchange ORG details
- Active Directory

The purpose of this portion of the notebook is to examine the distribution of devices across AD data.

In [1]:
import polars as pl
import datetime as dt
import json
from typing import Any, Dict, Iterable
import os
import re
import pathlib
import zstandard as zstd
import csv
import warnings
warnings.filterwarnings("ignore", category=UserWarning)

# Decompress target files
def normalize(name: str) -> str:
    name = name.lower().strip()
    name = re.sub(r'\s+', '_', name)
    name = re.sub(r'[^a-z0-9._-]', '', name)
    return name

def unzst_directory(src_dir: pathlib.Path):
    src_dir = src_dir.resolve()
    for root, _, files in os.walk(src_dir):
        root = pathlib.Path(root)
        rel = root.relative_to(src_dir)
        target_root = src_dir / rel
        target_root.mkdir(parents=True, exist_ok=True)
        for file in files:
            if file.endswith('.zst'):
                inpath = root / file
                stem = pathlib.Path(normalize(file[:-4]))
                outpath = target_root / stem
                print(f"Decompressing {inpath} → {outpath}")
                with open(inpath, 'rb') as ifh, open(outpath, 'wb') as ofh:
                    dctx = zstd.ZstdDecompressor()
                    dctx.copy_stream(ifh, ofh)

def dict_with_most_keys(dicts: Iterable[Dict[Any, Any]]) -> Dict[Any, Any]:
    """
    Returns the dictionary from the iterable that has the most keys.
    If multiple dictionaries are tied, returns the first one encountered.
    Raises ValueError if the iterable is empty.
    """
    try:
        # `max` with key=len chooses the dict with the largest number of keys
        return max(dicts, key=len)
    except ValueError as e:
        # This will occur if dicts is empty
        raise ValueError("The input iterable must contain at least one dictionary") from e



In [3]:
unzst_directory(pathlib.Path("/Users/eric.louhi/Github/reach-data-experiments/data/earlywarning"))




In [2]:
az_ad_data: list[dict[str, Any]] = []
with open("../data/earlywarning/azure_ad", 'r') as f:
    az_ad_data = json.load(f)

In [3]:
az_users = az_ad_data["users"]
az_users[0]

{'displayName': 'On-Premises Directory Synchronization Service Account',
 'mailNickname': 'Sync_S8150CAWV_2ca7fb000046',
 'userType': 'Member',
 'accountEnabled': True,
 'passwordPolicies': 'DisablePasswordExpiration',
 'id': 'aa736530-e846-4f93-bd48-9366ce532039',
 'transitiveMemberOf': [],
 'devices': []}

In [4]:
dict_with_most_keys(az_users)

{'displayName': 'Galle, Shelly',
 'mailNickname': 'joenss',
 'givenName': 'Shelly',
 'surname': 'Galle',
 'jobTitle': 'Sr. Privacy Office Manager',
 'department': 'Privacy and Data Risk Management',
  'X500:/o=EWS/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=Joens, Shelly329',
  'x500:/o=ExchangeLabs/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=ffd50fa207f94f319c6f31c4a35a056d-Galle, Shel',
  'X500:/o=EWS/ou=External (FYDIBOHF25SPDLT)/cn=Recipients/cn=cc4c193a95be4a1791b27d8a545d1728'],
 'userType': 'Member',
 'employeeType': 'Regular',
 'accountEnabled': True,
 'onPremisesDistinguishedName': 'CN=Galle\\, Shelly,OU=FCRA Compliance,OU=Customer Implementation and Support,OU=Technology and Operations,OU=Scottsdale,OU=End Users and Systems,DC=EWS,DC=INT',
 'passwordPolicies': 'DisablePasswordExpiration',
 'deletedDateTime': None,
 'city': 'Scottsdale',
 'state': 'Arizona',
 'country': 'United States',
 'streetAddress': '5801 N. Pima Rd',
 'onPr

In [22]:
# Load the list of dictionaries into a Polars DataFrame
az_user_df = pl.DataFrame(az_users)

# Explode the array field to individual rows, then aggregate the counts
aggregated_counts = (
    az_user_df.with_columns(pl.col("devices").list.len().alias("device_count"))  # length of each list
    .group_by("device_count")                                       # group by that length
    .agg(pl.count("id").alias("user_count"))                     # count IDs per length
    .sort(["user_count"], descending=True)
)
filtered_az_user_df = aggregated_counts.filter(pl.col("device_count")>=1)
filtered_az_user_df.write_csv("../data/earlywarning/ad-users-devices.csv")
print(filtered_az_user_df)


shape: (33, 2)
┌──────────────┬────────────┐
│ device_count ┆ user_count │
│ ---          ┆ ---        │
│ u32          ┆ u32        │
╞══════════════╪════════════╡
│ 2            ┆ 339        │
│ 1            ┆ 304        │
│ 3            ┆ 296        │
│ 4            ┆ 205        │
│ 5            ┆ 139        │
│ …            ┆ …          │
│ 54           ┆ 1          │
│ 41           ┆ 1          │
│ 38           ┆ 1          │
│ 29           ┆ 1          │
│ 26           ┆ 1          │
└──────────────┴────────────┘


In [21]:
# hist_chart
chart = filtered_az_user_df["device_count"].plot.hist()
chart

In [24]:
print(aggregated_counts)

shape: (34, 2)
┌──────────────┬────────────┐
│ device_count ┆ user_count │
│ ---          ┆ ---        │
│ u32          ┆ u32        │
╞══════════════╪════════════╡
│ 0            ┆ 808        │
│ 2            ┆ 339        │
│ 1            ┆ 304        │
│ 3            ┆ 296        │
│ 4            ┆ 205        │
│ …            ┆ …          │
│ 54           ┆ 1          │
│ 41           ┆ 1          │
│ 38           ┆ 1          │
│ 29           ┆ 1          │
│ 26           ┆ 1          │
└──────────────┴────────────┘


In [41]:
az_users
# pl.col("devices").list.len().alias("device_count")
filtered_az_user_device_cnt_df = az_user_df.filter(pl.col("devices").list.len()==339),


In [42]:
filtered_az_user_device_cnt_df

(shape: (0, 21)
 ┌────────────┬────────────┬──────────┬───────────┬───┬───────────┬─────────┬───────────┬───────────┐
 │ displayNam ┆ mailNickna ┆ userType ┆ accountEn ┆ … ┆ manager@d ┆ manager ┆ otherMail ┆ identitie │
 │ e          ┆ me         ┆ ---      ┆ abled     ┆   ┆ elta      ┆ ---     ┆ s         ┆ s         │
 │ ---        ┆ ---        ┆ str      ┆ ---       ┆   ┆ ---       ┆ str     ┆ ---       ┆ ---       │
 │ str        ┆ str        ┆          ┆ bool      ┆   ┆ list[stru ┆         ┆ list[str] ┆ list[stru │
 │            ┆            ┆          ┆           ┆   ┆ ct[2]]    ┆         ┆           ┆ ct[3]]    │
 ╞════════════╪════════════╪══════════╪═══════════╪═══╪═══════════╪═════════╪═══════════╪═══════════╡
 └────────────┴────────────┴──────────┴───────────┴───┴───────────┴─────────┴───────────┴───────────┘,)

In [50]:
t_df = pl.DataFrame([x for x in az_users if len(x.get("devices",[])) > 30])

In [51]:
t_df

displayName,mailNickname,givenName,surname,jobTitle,department,mail,proxyAddresses,userType,employeeType,accountEnabled,companyName,onPremisesDistinguishedName,passwordPolicies,city,state,country,streetAddress,userPrincipalName,onPremisesSamAccountName,id,manager@delta,manager,transitiveMemberOf,devices
str,str,str,str,str,str,str,list[str],str,str,bool,str,str,str,str,str,str,str,str,str,str,list[struct[2]],str,list[str],list[struct[25]]
"""Gajulapalli, Krishna""","""gajulapk""","""Krishna""","""Gajulapalli""","""Sr. Software Engineer - Java""","""Product Engineering - Zelle""","""Krishna.Gajulapalli@earlywarni…","[""SMTP:Krishna.Gajulapalli@earlywarning.com"", ""smtp:Krishna.Gajulapalli@earlywarningservices.onmicrosoft.com"", … ""X500:/o=EWS/ou=External (FYDIBOHF25SPDLT)/cn=Recipients/cn=7764e7e4db644f5bb96e8111438f27da""]","""Member""","""Regular""",True,"""Early Warning Services, LLC""","""CN=Gajulapalli\, Krishna,OU=So…","""DisablePasswordExpiration""","""Scottsdale""","""Arizona""","""United States""","""5801 N. Pima Rd""","""Krishna.Gajulapalli@earlywarni…","""gajulapk""","""391b13e0-979f-4f0d-be8e-819589…","[{""#microsoft.graph.user"",""88ab9f8f-f5e6-4bf3-b8fc-6146dfd9fe88""}]","""88ab9f8f-f5e6-4bf3-b8fc-6146df…","[""6fcd6edc-e490-443e-b2ed-06a41b9d5f4a"", ""8bc382d1-f63d-4569-a4ec-a301b756c25c"", … ""3109d342-be42-4565-8726-193fd6c27b4e""]","[{""e86aa2d4-3495-4856-a658-9717bb54a970"",""MN93XFCCX4"",""MacOS"",""12.5.1"",""RegisteredDevice"",true,""2022-09-13T17:23:01Z"",""2022-09-13T17:23:01Z"",null,""7351d8f5-b375-4182-b2c4-2b2fcc1f2980"",null,null,null,null,null,null,null,null,null,null,null,null,""2022-09-13T10:23:01Z"",""Workplace"",2}, {""c30da7db-5aaa-48cc-a1f0-0f8e9757ad43"",""MN93XFCCX4"",""MacOS"",""12.5.0"",""RegisteredDevice"",true,""2022-08-17T15:31:55Z"",""2022-08-17T15:31:55Z"",null,""eeac05a1-a455-4b94-9dd2-0092d154809e"",null,null,null,null,null,null,null,null,null,null,null,null,""2022-08-17T08:31:55Z"",""Workplace"",2}, … {""b4012aba-8df2-442b-99ca-f34e170b798f"",""MN93XFCCX4"",""MacOS"",""12.5.1"",""RegisteredDevice"",true,""2022-09-13T13:12:48Z"",""2022-09-13T13:12:48Z"",null,""144b9e12-c334-40a4-8fb9-f01ef5c7fd32"",null,null,null,null,null,null,null,null,null,null,null,null,""2022-09-13T06:12:48Z"",""Workplace"",2}]"
"""Goodgame, Christopher""","""goodgach""","""Christopher""","""Goodgame""","""IT Asset Specialist II""","""IT Asset Management""","""Christopher.Goodgame@earlywarn…","[""SMTP:Christopher.Goodgame@earlywarning.com"", ""smtp:goodgach@earlywarningservices.onmicrosoft.com"", … ""X500:/o=EWS/ou=External (FYDIBOHF25SPDLT)/cn=Recipients/cn=ed69e648351f44bfa77786f7d90c6606""]","""Member""","""Regular""",True,"""Early Warning Services, LLC""","""CN=Goodgame\, Christopher,OU=D…","""DisablePasswordExpiration""","""Scottsdale""","""Arizona""",,"""5801 N. Pima Rd""","""Christopher.Goodgame@earlywarn…","""goodgach""","""20827d7b-40df-4486-b02d-7ed416…","[{""#microsoft.graph.user"",""d9d2b03d-3833-42bf-af5c-2cab2c861906""}]","""d9d2b03d-3833-42bf-af5c-2cab2c…","[""eb8a69d1-205a-40b3-8b8a-656865d3aac1"", ""aaca1fb1-3dfe-481d-a0f4-c77021f95937"", … ""5eee81fb-24e8-4283-9a79-db2e756a239b""]","[{""6f32770e-5a56-48f8-93d3-8dbab8a75a52"",""iPhone-DX3FXADW0DXP"",""IPhone"",""16.5"",""RegisteredDevice"",true,""2023-05-31T18:32:07Z"",""2023-05-31T18:32:07Z"",""Corporate Device"",""4b998717-7b21-49f0-86c9-aec7ce42600f"",""Company"",""iOS Devices"",""CompanyPortalBulkEnrollment"",false,false,false,""MDM"",""Apple"",""0000000a-0000-0000-c000-000000000000"",""iPhone 12"",null,null,""2023-05-31T11:32:07Z"",""Workplace"",2}, {""4fd6c79a-f344-44fc-86ef-4848c88d1b26"",""SCTL8491"",""Windows"",""10.0.16299.0"",""RegisteredDevice"",true,""2021-01-22T16:45:48Z"",""2021-01-22T16:45:48Z"",null,""4079f86a-c65b-42db-a4ac-cb82eac13033"",null,null,null,null,null,null,null,null,null,null,null,null,""2021-01-22T08:45:48Z"",""Workplace"",2}, … {""e7157191-c4b9-411f-9ec3-785af1ad8cb7"",""C02T22L5GTDY"",""MacOS"",""11.6.2"",""RegisteredDevice"",true,""2022-01-28T13:42:31Z"",""2021-10-10T20:31:09Z"",null,""eaffda48-4536-4a07-91fb-67a78555ce59"",null,null,null,false,false,null,null,null,null,null,null,null,""2021-10-10T13:31:09Z"",""Workplace"",2}]"
"""Aaron, Dinah""","""aarond""","""Dinah""","""Aaron""","""Market Solutions Director""","""Market Solutions""","""Dinah.Aaron@earlywarning.com""","[""SMTP:Dinah.Aaron@earlywarning.com"", ""X500:/o=netEPS/ou=Scottsdale/cn=Recipients/cn=DinahA"", … ""X500:/o=EWS/ou=External (FYDIBOHF25SPDLT)/cn=Recipients/cn=b2c7dbc4a15941edaf25614a12564294""]","""Member""","""Regular""",True,"""Early Warning Services, LLC""","""CN=Aaron\, Dinah,OU=Direct Sal…","""DisablePasswordExpiration""","""Scottsdale""","""Arizona""",,"""5801 N. Pima Rd""","""Dinah.Aaron@earlywarning.com""","""aarond""","""5b64a31a-bf8c-40a3-910e-db0a44…","[{""#microsoft.graph.user"",""ac57388b-9ba0-4e51-bb5d-50f7efba68d4""}]","""ac57388b-9ba0-4e51-bb5d-50f7ef…","[""eb8a69d1-205a-40b3-8b8a-656865d3aac1"", ""fdd19719-6a43-4da4-930b-4ed85b138945"", … ""f6412b91-f905-4f48-953b-44b9b375b2eb""]","[{""77d478cc-37a9-4c9f-962d-d668622616e7"",""C02Y83NWJGH5"",""MacOS"",""10.15.7"",""RegisteredDevice"",true,""2021-08-20T14:32:43Z"",""2021-07-21T17:22:13Z"",null,""f8e24795-e7b3-49f0-8c4c-38c554c711dd"",null,null,null,null,null,null,null,null,null,null,null,null,""2021-07-21T10:22:12Z"",""Workplace"",2}, {""5300110f-6702-4ac3-b7d1-82827e9bf0ea"",""WNJ49DWW97"",""MacOS"",""12.2.1"",""RegisteredDevice"",true,""2022-07-23T16:26:26Z"",""2022-07-23T16:26:26Z"",null,""b684d7df-04ca-4a06-8e55-7f2cdb32d979"",null,null,null,null,null,null,null,null,null,null,null,null,""2022-07-23T09:26:26Z"",""Workplace"",2}, … {""7f452a3a-e862-484b-80fe-ba5d5e931ea5"",""C02Y83NWJGH5"",""MacOS"",""12.4.0"",""RegisteredDevice"",true,""2022-07-22T17:38:30Z"",""2022-07-22T17:38:30Z"",null,""aecc8cf6-42ae-4842-9913-ddb26b088ed7"",null,null,null,null,null,null,null,null,null,null,null,null,""2022-07-22T10:38:30Z"",""Workplace"",2}]"
"""Woolridge, Davin""","""woolridd""","""Davin""","""Woolridge""","""Desktop Support Technician I""","""Desktop Support""","""Davin.Woolridge@earlywarning.c…","[""SMTP:Davin.Woolridge@earlywarning.com"", ""smtp:woolridd@earlywarningservices.onmicrosoft.com"", … ""X500:/o=EWS/ou=External (FYDIBOHF25SPDLT)/cn=Recipients/cn=130f1fc4ec5946cdb2bb8fa86d485d42""]","""Member""","""Regular""",True,"""Early Warning Services, LLC""","""CN=Woolridge\, Davin,OU=Deploy…","""DisablePasswordExpiration""","""Scottsdale""","""Arizona""",,"""5801 N. Pima Rd""","""Davin.Woolridge@earlywarning.c…","""woolridd""","""0cbbd96a-ce92-4de2-9629-4880fd…","[{""#microsoft.graph.user"",""ad39eb66-0212-4164-a14b-fe638fc47505""}]","""ad39eb66-0212-4164-a14b-fe638f…","[""aaca1fb1-3dfe-481d-a0f4-c77021f95937"", ""cf1d3e5f-cc92-4477-8d18-0ba8663bb846"", … ""5eee81fb-24e8-4283-9a79-db2e756a239b""]","[{""cf8af278-55d9-474b-85ff-4a98233116de"",""SCTL0Y9dYoPdGGk"",""Windows"",""10.0.22631.3296"",""Shared"",true,""2024-04-19T20:49:22Z"",""2022-03-17T20:50:40Z"",null,""55fecf84-7e0e-4950-b0ff-0311685e5995"",""Company"",""Hybrid Preprovision over VPN"",""OnPremiseUsingWhiteGlove"",false,false,false,""MDM"",""Dell Inc."",null,""Precision 3560"",null,null,""2024-04-02T09:52:49Z"",""AzureAd"",2}, {""3c9f2662-6eb7-4740-82fb-e3bdab340086"",""SCTD1005"",""Windows"",""10.0.16299.0"",""RegisteredDevice"",true,""2022-04-11T13:34:17Z"",""2021-01-09T14:00:47Z"",null,""a95dd3e2-ec50-4098-9fab-aecf9fe56c34"",null,null,null,null,null,null,null,null,null,null,null,null,""2021-01-09T06:00:46Z"",""Workplace"",2}, … {""090463ba-1927-4e8b-8276-b3614eec5317"",""SCTLV9LLHTYPnop"",""Windows"",""10.0.22631.3155"",""Shared"",true,""2024-02-20T21:35:33Z"",""2023-02-04T03:37:16Z"",null,""7b89bbba-5564-4b52-b15b-f229c37dc29f"",""Company"",""Hybrid Preprovision over VPN"",""OnPremiseUsingWhiteGlove"",false,false,false,""MDM"",""Dell Inc."",null,""Precision 3470"",null,[""DESKTOP-JC1RER3""],""2024-02-21T13:39:45Z"",""AzureAd"",2}]"
"""Richards, Chris""","""richarc""","""Chris""","""Richards""","""Sr. Staff Engineer""","""Zelle Engineering""","""Chris.Richards@earlywarning.co…","[""SMTP:Chris.Richards@earlywarning.com"", ""smtp:Chris.Richards@earlywarningservices.onmicrosoft.com"", … ""x500:/o=ExchangeLabs/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=d2de6687ad4043d1b1b8c67054a96cce-Richards, C""]","""Member""","""Regular""",True,"""Early Warning Services, LLC""","""CN=Richards\, Chris,OU=Remote,…","""DisablePasswordExpiration""",,,,,"""Chris.Richards@earlywarning.co…","""richarc""","""8e746daa-a183-4f8b-84e2-af72b2…","[{""#microsoft.graph.user"",""654254f3-8f83-4ec5-87a0-ffdaf72d503a""}]","""654254f3-8f83-4ec5-87a0-ffdaf7…","[""6fcd6edc-e490-443e-b2ed-06a41b9d5f4a"", ""520edd51-cbd6-4c1e-8918-3a2149383600"", … ""5eee81fb-24e8-4283-9a79-db2e756a239b""]","[{""96ce292e-3630-4c64-a772-92769d062f59"",""FVFC71PML413"",""MacOS"",""12.4.0"",""RegisteredDevice"",true,""2022-07-21T03:24:36Z"",""2022-06-15T20:57:58Z"",null,""484e187a-505f-4ddc-add6-181950ec0f0f"",null,null,null,false,false,null,null,null,null,null,null,null,""2022-06-15T13:57:58Z"",""Workplace"",2}, {""5d3619b0-1caf-43f2-bec5-935e1bebea73"",""FVFC71PML413"",""MacOS"",""12.4.0"",""RegisteredDevice"",true,""2022-06-14T21:49:41Z"",""2022-06-14T21:49:41Z"",null,""5343d543-b859-4dd1-9eb3-eda82ea2be7f"",null,null,null,null,null,null,null,null,null,null,null,null,""2022-06-14T14:49:41Z"",""Workplace"",2}, … {""062ddebe-ea8d-42c7-a77e-96400a6861f1"",""FVFC71PML413"",""MacOS"",""12.4.0"",""RegisteredDevice"",true,""2022-06-15T00:28:25Z"",""2022-06-15T00:28:25Z"",null,""567bdd60-705d-4ac1-80ec-8b6bb08e7963"",null,null,null,null,null,null,null,null,null,null,null,null,""2022-06-14T17:28:25Z"",""Workplace"",2}]"
"""Hon, Preston""","""honp""","""Preston""","""Hon""","""Software Engineer - Java""","""Product Engineering - Zelle""","""Preston.Hon@earlywarning.com""","[""SMTP:Preston.Hon@earlywarning.com"", ""smtp:Preston.Hon@earlywarningservices.mail.onmicrosoft.com"", … ""x500:/o=ExchangeLabs/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=38b3473bc8714e8a9af13382f57c773a-Hon, Presto""]","""Member""","""Regular""",True,"""Early Warning Services, LLC""","""CN=Hon\, Preston,OU=Software D…","""DisablePasswordExpiration""","""Scottsdale""","""Arizona""",,"""5801 N. Pima Rd""","""Preston.Hon@earlywarning.com""","""honp""","""8e48fd4a-2623-405e-95bc-a840d4…","[{""#microsoft.graph.user"",""88ab9f8f-f5e6-4bf3-b8fc-6146dfd9fe88""}]","""88ab9f8f-f5e6-4bf3-b8fc-6146df…","[""8bc382d1-f63d-4569-a4ec-a301b756c25c"", ""f7a0b50f-125b-443b-89f9-41fc1886875d"", … ""5eee81fb-24e8-4283-9a79-db2e756a239b""]","[{""f50fff71-481d-4d63-b74a-02076180ea4a"",""C02C9686MD6T"",""MacOS"",""10.15.7"",""RegisteredDevice"",true,""2021-07-21T16:58:06Z"",""2021-07-21T16:58:06Z"",null,""af162b73-2073-4890-807c-defc7e7919cf"",null,null,null,null,null,null,null,null,null,null,null,null,""2021-07-21T09:58:06Z"",""Workplace"",2}, {""7c91e837-f154-418c-9e99-f5e2d8173ab0"",""C02C9686MD6T"",""MacOS"",""13.1"",""RegisteredDevice"",true,""2023-03-20T06:37:47Z"",""2022-05-23T21:14:31Z"",null,""d4f67d5b-38e5-40eb-be21-21280ee1ac21"",null,null,null,false,false,null,null,null,null,null,null,null,""2022-05-23T14:14:31Z"",""Workplace"",2}, … {""2e1e4281-b961-4a69-ab63-14dfa2de0b64"",""Preston.Hon_AndroidForWork_8/30/2024_3:59 PM"",""AndroidForWork"",""15.0"",""RegisteredDevice"",true,""2024-12-30T14:58:12Z"",""2024-08-30T15:59:42Z"",""Personal Device"",""8600f068-8200-45d8-9010-778e2dd9b770"",""Personal"",null,""UserEnrollment"",true,true,false,""MDM"",""Google"",""0000000a-0000-0000-c000-000000000000"",""Pixel 9 Pro XL"",null,null,""2024-08-30T08:59:42Z"",""Workplace"",2}]"


In [53]:
total_device_cnt = sum([len(x) for x in az_users if len(x.get("devices",[])) > 0])
total_device_cnt

36979