{
"cells": [
{
"cell_type": "markdown",
"id": "a5f54665-3f32-4d04-abd8-6cfa2386a322",
"metadata": {},
"source": [
"# Resource Graph Explorer Data Provider\n",
"\n",
"## Description\n",
"This data provider allows for a connection to the [Azure Resource Graph](https://docs.microsoft.com/azure/governance/resource-graph/overview) and a way to query against the [Azure Resource Graph Explorer](https://docs.microsoft.com/azure/governance/resource-graph/first-query-portal). The data connector functions in the same way as other data connectors and uses the Kusto Query Language (KQL), with some subtle differences from other connectors in the way that authentication is handled.\n",
"\n",
"You would use this data connector to flexibly and quickly get details on deployed Azure resources within a subscription. It allows for bulk queries on various aspects of resources and returns data in a very structured format. This makes it much more effective and efficient than getting resource specific details via the resource API.\n",
"\n",
"More details about data providers in MSTICPy can be found in [the documentation](https://msticpy.readthedocs.io/en/latest/data_acquisition/DataProviders.html).\n",
"\n",
"### Installation\n",
"Installation of this data connector requires that MSTICPy be installed with the Azure extras:\n",
"`pip install msticpy[azure]`\n",
"\n",
"### Initialization\n",
"The provider for the Azure Resource Graph is named `ResourceGraph`.\n"
]
},
{
"cell_type": "code",
"execution_count": 1,
"id": "83457852-f9b1-42b6-895e-7102be7c0db5",
"metadata": {},
"outputs": [],
"source": [
"from msticpy.data.data_providers import QueryProvider\n",
"qry_prov = QueryProvider(\"ResourceGraph\")"
]
},
{
"cell_type": "markdown",
"id": "51a2e987-b940-4b05-bf18-034210028628",
"metadata": {},
"source": [
"### Authentication\n",
"Once initialized, the first step in using the data provider is to authenticate. The Resource Graph provider uses MSTICPy's [Azure authentication features](https://msticpy.readthedocs.io/en/latest/data_acquisition/AzureData.html?highlight=azure#instantiating-and-connecting-with-an-azure-data-connector), and you can provide a set of authentication methods when connecting. By default, the provider will attempt to authenticate using credentials stored in msticpyconfig.yaml (or as environment variables) and an Azure CLI connection, but this can be customized with the `auth_methods` keyword.\n",
"\n",
"If storing details in msticpyconfig.yaml they must be under the `AzureCLI` DataProviders section - for more details see [this documentation](https://msticpy.readthedocs.io/en/latest/getting_started/msticpyconfig.html).\n",
"\n",
"Once successfully connected you will be presented with a \"Connected\" message.\n"
]
},
{
"cell_type": "code",
"execution_count": 2,
"id": "399f8801-2ee5-4bd7-a037-e3ab9968d70c",
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"Connected\n"
]
}
],
"source": [
"qry_prov.connect(auth_methods=[\"cli\"])"
]
},
{
"cell_type": "markdown",
"id": "d7497d92-183e-4ed8-b35b-ec97e8122c53",
"metadata": {},
"source": [
"## Listing available queries\n",
"As with other data providers there are a number of built-in queries with this provider. Once connected you can view the available queries with `QUERY_PROVIDER.list_queries()`.\n",
"\n",
"Alternatively, you can view query details in an interactive widget with `QUERY_PROVIDER.browse_queries()`.\n",
"\n",
"For more information, refer to the documentation: [Listing available queries](https://msticpy.readthedocs.io/en/latest/data_acquisition/DataProviders.html#listing-available-queries)."
]
},
{
"cell_type": "code",
"execution_count": 19,
"id": "a7da0ae6-b14d-49f6-ab40-d143d74ecc68",
"metadata": {},
"outputs": [
{
"data": {
"application/vnd.jupyter.widget-view+json": {
"model_id": "5a10e2d1d1d3481691eeaf9cc9420080",
"version_major": 2,
"version_minor": 0
},
"text/plain": [
"VBox(children=(Text(value='', description='Filter:', style=DescriptionStyle(description_width='initial')), Sel…"
]
},
"metadata": {},
"output_type": "display_data"
},
{
"data": {
"text/html": [
"Parameters\n",
"Query\n",
"{table}\n",
"| where type =~ \"microsoft.compute/virtualmachines\"\n",
"| where name contains \"{host_name}\"\n",
"| extend nics=array_length(properties.networkProfile.networkInterfaces)\n",
"| mv-expand nic=properties.networkProfile.networkInterfaces\n",
"| where nics == 1 or nic.properties.primary =~ \"true\" or isempty(nic)\n",
"| project vmId = id, vmName = name,\n",
" vmSize=tostring(properties.hardwareProfile.vmSize), nicId =\n",
" tostring(nic.id)\n",
"| join kind=leftouter ( Resources\n",
"| where type =~ \"microsoft.network/networkinterfaces\"\n",
"| extend ipConfigsCount=array_length(properties.ipConfigurations)\n",
"| mv-expand ipconfig=properties.ipConfigurations\n",
"| where ipConfigsCount == 1 or ipconfig.properties.primary =~ \"true\"\n",
"| project nicId = id, publicIpId =\n",
" tostring(ipconfig.properties.publicIPAddress.id)) on nicId\n",
"| project-away nicId1\n",
"| summarize by vmId, vmName, vmSize, nicId, publicIpId\n",
"| join kind=leftouter ( Resources\n",
"| where type =~ \"microsoft.network/publicipaddresses\"\n",
"| project publicIpId = id, publicIpAddress = properties.ipAddress) on publicIpId\n",
"| project-away publicIpId1 {add_query_items}\n",
"Example\n",
"{QueryProvider}[.QueryPath].QueryName(params...)\n",
"qry_prov.ResourceGraph.list_detailed_virtual_machines(start=start, end=end, hostname=host)\n"
],
"text/plain": [
"|  | type | apiVersion |\n",
"|---|---|---|\n",
"| 0 | microsoft.alertsmanagement/actionrules | 2019-05-05-preview |\n",
"| 1 | microsoft.alertsmanagement/smartdetectoralertr... | 2021-04-01 |\n",
"| 2 | microsoft.apimanagement/service | 2019-12-01 |\n",
"| 3 | microsoft.automanage/accounts | 2020-06-30-preview |\n",
"| 4 | microsoft.automation/automationaccounts | 2018-06-30 |\n",
"| ... | ... | ... |\n",
"| 161 | microsoft.web/serverfarms | 2020-10-01 |\n",
"| 162 | microsoft.web/sites | 2019-08-01 |\n",
"| 163 | microsoft.web/sites/slots | 2019-08-01 |\n",
"| 164 | microsoft.web/staticsites | 2019-12-01-preview |\n",
"| 165 | sendgrid.email/accounts | 2015-01-01 |\n",
"\n",
"166 rows × 2 columns\n",
"\n",
"|  | id | name | type | tenantId | kind | location | resourceGroup | subscriptionId | managedBy | sku | ... | tags.azsecpack | identity.userAssignedIdentities./subscriptions/8eebd9ad-e271-4989-a796-d60c57655743/resourceGroups/AzSecPackAutoConfigRG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/AzSecPackAutoConfigUA-eastus2.principalId | identity.userAssignedIdentities./subscriptions/8eebd9ad-e271-4989-a796-d60c57655743/resourceGroups/AzSecPackAutoConfigRG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/AzSecPackAutoConfigUA-eastus2.clientId | identity.type | identity | properties.storageProfile.osDisk.vhd.uri | properties.osProfile.windowsConfiguration.patchSettings.patchMode | properties.osProfile.windowsConfiguration.provisionVMAgent | properties.osProfile.windowsConfiguration.enableAutomaticUpdates | properties.diagnosticsProfile.bootDiagnostics.storageUri |\n",
"|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|\n",
"| 0 | /subscriptions/8eebd9ad-e271-4989-a796-d60c576... | RHEL77Base | microsoft.compute/virtualmachines | 72f988bf-86f1-41af-91ab-2d7cd011db47 |  | eastus2 | linuxtestlab | 8eebd9ad-e271-4989-a796-d60c57655743 |  | None | ... | nonprod | e660337c-1cc7-4818-b8c8-3f005dbc6f2a | 5fae63c7-985a-4432-9ff2-ef6ff0dc7db6 | UserAssigned | NaN | NaN | NaN | NaN | NaN | NaN |\n",
"| 1 | /subscriptions/8eebd9ad-e271-4989-a796-d60c576... | Ubuntu18ASC | microsoft.compute/virtualmachines | 72f988bf-86f1-41af-91ab-2d7cd011db47 |  | eastus2 | linuxtestlab | 8eebd9ad-e271-4989-a796-d60c57655743 |  | None | ... | nonprod | e660337c-1cc7-4818-b8c8-3f005dbc6f2a | 5fae63c7-985a-4432-9ff2-ef6ff0dc7db6 | UserAssigned | NaN | NaN | NaN | NaN | NaN | NaN |\n",
"| 2 | /subscriptions/8eebd9ad-e271-4989-a796-d60c576... | GodzillaTron1 | microsoft.compute/virtualmachines | 72f988bf-86f1-41af-91ab-2d7cd011db47 |  | japanwest | monster-island | 8eebd9ad-e271-4989-a796-d60c57655743 |  | None | ... | NaN | NaN | NaN | NaN | NaN | https://monsterislanddisks868.blob.core.window... | AutomaticByOS | True | True | https://monsterislanddiag271.blob.core.windows... |\n",
"\n",
"3 rows × 58 columns\n",
"\n",
"|  | id | name | type | tenantId | kind | location | resourceGroup | subscriptionId | managedBy | sku | ... | properties.extended.instanceView.powerState.displayStatus | properties.extended.instanceView.powerState.level | properties.extended.instanceView.powerState.code | properties.vmId | properties.diagnosticsProfile.bootDiagnostics.enabled | tags.platformsettings.host_environment.service.platform_optedin_for_rootcerts | tags.azsecpack | identity.principalId | identity.tenantId | identity.type |\n",
"|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|\n",
"| 0 | /subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f... | MSTIC-DSVM | microsoft.compute/virtualmachines | 72f988bf-86f1-41af-91ab-2d7cd011db47 |  | eastus | msticpy | 40dcc8bf-0478-4f3b-b275-ed0a94f2c013 |  | None | ... | VM deallocated | Info | PowerState/deallocated | 280b7966-c42f-4730-b993-62bef12b187d | True | true | nonprod | 7eece21d-835f-432e-b049-2c3002f3879e | 72f988bf-86f1-41af-91ab-2d7cd011db47 | SystemAssigned, UserAssigned |\n",
"\n",
"1 rows × 46 columns\n",