msticpy.context.azure.sentinel_analytics module

Mixin Classes for Sentinel Analytics Features.

class msticpy.context.azure.sentinel_analytics.SentinelAnalyticsMixin

Bases: object

Mixin class for Sentinel Analytics feature integrations.

create_analytic_rule(template: str | None = None, name: str | None = None, enabled: bool = True, query: str | None = None, query_frequency: str = 'PT5H', query_period: str = 'PT5H', severity: str = 'Medium', suppression_duration: str = 'PT1H', suppression_enabled: bool = False, trigger_operator: str = 'GreaterThan', trigger_threshold: int = 0, description: str | None = None, tactics: list | None = None) → str | None

Create a Sentinel Analytics Rule.

Parameters:

template (str, optional) – The GUID or name of a templated to create the analytic from, by default None
name (str, optional) – The name to give the analytic, by default None
enabled (bool, optional) – Whether you want the analytic to be enabled once deployed, by default True
query (str, optional) – The KQL query string to use in the anlaytic, by default None
query_frequency (str, optional) – How often the query should run in ISO8601 format, by default “PT5H”
query_period (str, optional) – How far back the query should look in ISO8601 format, by default “PT5H”
severity (str, optional) – The severity to raise incidents as, by default “Medium” Options are; Informational, Low, Medium, or High
suppression_duration (str, optional) – How long to suppress duplicate alerts in ISO8601 format, by default “PT1H”
suppression_enabled (bool, optional) – Whether you want to suppress duplicates, by default False
trigger_operator (str, optional) – The operator for the trigger, by default “GreaterThan”
trigger_threshold (int, optional) – The threshold of events required to create the incident, by default 0
description (str, optional) – A description of the analytic, by default None
tactics (list, optional) – A list of MITRE ATT&CK tactics related to the analytic, by default None

Returns:

The name/ID of the analytic rule.

Return type:

Optional[str]

Raises:

MsticpyUserError – If template provided isn’t found.
CloudError – If the API returns an error.

delete_analytic_rule(analytic_rule: str)

Delete a deployed Analytic rule from a Sentinel workspace.

Parameters:: analytic_rule (str) – The GUID or name of the analytic.
Raises:: CloudError – If the API returns an error.

get_alert_rules() → DataFrame

Return all Microsoft Sentinel alert rules for a workspace.

Returns:: A table of the workspace’s alert rules.
Return type:: pd.DataFrame

get_analytic_rules() → DataFrame

Return all Microsoft Sentinel alert rules for a workspace.

Returns:: A table of the workspace’s alert rules.
Return type:: pd.DataFrame

list_alert_rules() → DataFrame

Return all Microsoft Sentinel alert rules for a workspace.

Returns:: A table of the workspace’s alert rules.
Return type:: pd.DataFrame

list_analytic_rules() → DataFrame

Return all Microsoft Sentinel alert rules for a workspace.

Returns:: A table of the workspace’s alert rules.
Return type:: pd.DataFrame

list_analytic_templates() → DataFrame

List Analytic Templates.

Returns:: A DataFrame containing the analytics templates
Return type:: pd.DataFrame
Raises:: CloudError – If a valid result is not returned.

class msticpy.context.azure.sentinel_analytics.SentinelHuntingMixin

Bases: object

Mixin class for Sentinel Hunting feature integrations.

get_hunting_queries() → DataFrame

Return all custom hunting queries in a Microsoft Sentinel workspace.

Returns:: A table of the custom hunting queries.
Return type:: pd.DataFrame

list_hunting_queries() → DataFrame

Return all custom hunting queries in a Microsoft Sentinel workspace.

Returns:: A table of the custom hunting queries.
Return type:: pd.DataFrame

list_saved_queries() → DataFrame

Return all saved queries in a Microsoft Sentinel workspace.

Returns:: A table of the custom hunting queries.
Return type:: pd.DataFrame