### Imports

In [None]:
import pandas as pd

# Render every row and the full text of every cell: the tables below are the
# analyst's view of alerts and entities, so nothing should be truncated.
# NOTE(review): with no row/width cap, saved outputs will hold every entity
# value the queries return (user names, hosts, IPs, domains). Clear or redact
# outputs before sharing or committing this notebook.
pd.set_option("display.max_rows", None, "display.max_colwidth", None)

from taegis_magic.pandas.context import (
    normalize_entities,
    relate_entities,
    generate_context_queries,
    display_facets,
    add_threat_intel,
    get_ti_pubs,
)

%load_ext taegis_magic

### Set Context for Queries

`REGION` and `TENANT` are interpolated into every `%taegis` search in this notebook, so all alerts, investigations and events come from that single tenant and region; `TENANT = "00000"` is a placeholder to replace before running. `GROUP_BY` selects the entity field the alerts are pivoted on (it is matched against `taegis_magic.entities.field`).

In [None]:
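# Entity field to pivot on. It is compared against the
# `taegis_magic.entities.field` column, and the other entity columns are
# selected by their "@" prefix, so it must be an "@"-prefixed field name
# (e.g. @user, @ip, @domain, @hash, @host).
GROUP_BY: str = "@user"
# Taegis region the tenant lives in (charlie, delta, echo, foxtrot).
REGION: str = "charlie"
# Tenant every search below is scoped to. "00000" is a placeholder - replace
# it with the real tenant id before running.
TENANT: str = "00000"

# Fail fast on a typo here rather than after several searches have run.
assert GROUP_BY.startswith("@"), f"GROUP_BY must be an @-prefixed entity field, got {GROUP_BY!r}"
assert REGION and TENANT, "REGION and TENANT must both be set"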

### Search Entrypoint

Pulls the last 7 days of `app:event-filter` alerts for the tenant, excluding alerts titled `AWS - GetCredentialReport`. Every entity pivoted on below is derived from this result set, so widen or narrow this query first if the context lookups look incomplete.

In [None]:
%%taegis alerts search --region $REGION --tenant $TENANT --assign alerts_dataframe
FROM alert
WHERE
    metadata.creator.detector.detector_id = 'app:event-filter' AND
    metadata.title != 'AWS - GetCredentialReport'
EARLIEST=-7d

### Normalize and Relate Entities

In [None]:
# Explode each alert into its entities, link related ones, and keep only the
# rows whose entity field is the pivot selected by GROUP_BY.
entities_df = relate_entities(normalize_entities(alerts_dataframe))
entities_df = entities_df.loc[
    entities_df["taegis_magic.entities.field"] == GROUP_BY
].reset_index(drop=True)

# Preview: tenant, alert title and the pivot entity, followed by every other
# "@"-prefixed entity column so related entities sit next to the pivot value.
preview_columns = [
    "tenant.id",
    "metadata.title",
    "taegis_magic.entities.field",
    "taegis_magic.entities.value",
] + [
    name for name in entities_df.columns if name.startswith("@") and name != GROUP_BY
]
entities_df[preview_columns]

### Generate Context Search Queries based on Entities

In [None]:
# Attach the four context queries (open alerts, resolved alerts,
# investigations, events) that generate_context_queries builds per entity row.
entities_df = generate_context_queries(entities_df)

# Show the generated query text so it can be reviewed before anything runs.
query_columns = [
    "taegis_magic.open_alerts_query",
    "taegis_magic.resolved_alerts_query",
    "taegis_magic.investigations_query",
    "taegis_magic.events_query",
]
entities_df[query_columns]

In [None]:
# One dict per pivot entity holding its four context result frames
# ("open_alerts", "resolved_alerts", "investigations", "events").
# Keyed by entity value, so a value that appears on more than one row
# overwrites the earlier entry.
entity_queries: dict[str, dict] = {}

for _, row in entities_df[
    [
        "taegis_magic.entities.value",
        "taegis_magic.open_alerts_query",
        "taegis_magic.resolved_alerts_query",
        "taegis_magic.investigations_query",
        "taegis_magic.events_query",
    ]
].iterrows():
    # setup: pull the entity value and its four generated query strings off the row
    entity = row["taegis_magic.entities.value"]
    open_alerts_query = row["taegis_magic.open_alerts_query"]
    resolved_alerts_query = row["taegis_magic.resolved_alerts_query"]
    investigations_query = row["taegis_magic.investigations_query"]
    events_query = row["taegis_magic.events_query"]

    # run queries: IPython expands each $name from the variables above and
    # `--assign` binds the result to a name in the notebook namespace.
    # NOTE(review): the query text is spliced into the magic line inside
    # double quotes. Entity values originate in alert data, so a value
    # carrying a `"` (or other characters the magic's argument splitter
    # treats specially) could break the line or alter the query - confirm
    # that generate_context_queries escapes entity values, or escape here.
    %taegis alerts search --assign open_alerts --region $REGION --tenant $TENANT --cell "$open_alerts_query"
    %taegis alerts search --assign resolved_alerts --region $REGION --tenant $TENANT --cell "$resolved_alerts_query"
    %taegis alerts search --assign investigations --region $REGION --tenant $TENANT --cell "$investigations_query"
    %taegis events search --assign events --region $REGION --tenant $TENANT --cell "$events_query"

    # relate back to entity: the names bound by `--assign` above are read
    # here as ordinary notebook globals
    entity_queries[entity] = {}
    entity_queries[entity]["open_alerts"] = open_alerts
    entity_queries[entity]["resolved_alerts"] = resolved_alerts
    entity_queries[entity]["investigations"] = investigations
    entity_queries[entity]["events"] = events

In [None]:
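# Correlate threat intel onto every result frame gathered above, in place.
# Each entry of `correlations` is a callable applied by add_threat_intel;
# new correlations can be added to that list as custom callables.
for entity, result_frames in entity_queries.items():
    # Iterate over a snapshot so reassigning values is safe while walking the dict.
    for query_name, frame in list(result_frames.items()):
        print(f"Trying {entity}, {query_name}...")
        # NOTE(review): the original passed `tenant.id=TENANT`, which is not
        # valid Python (a dotted keyword argument is a SyntaxError, so this cell
        # could never run). `tenant_id` is the assumed parameter name - confirm
        # against add_threat_intel's signature.
        result_frames[query_name] = frame.pipe(
            add_threat_intel,
            correlations=[get_ti_pubs],
            tenant_id=TENANT,
            region=REGION,
        )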

### Display Results

In [None]:
# Render the per-entity facets of every result frame, adding the `tips.found`
# column (presumably populated by the threat-intel step above) to the defaults.
facet_columns = ["tips.found"]
display_facets(entity_queries, additional_columns=facet_columns)