msticpy.context.azure.sentinel_analytics module

Mixin Classes for Sentinel Analytics Features.

class msticpy.context.azure.sentinel_analytics.SentinelAnalyticsMixin(*, connect: bool = False, cloud: str | None = None)

Bases: SentinelUtilsMixin

Mixin class for Sentinel Analytics feature integrations.

Initialize connector for Azure Python SDK.

check_connected() None

Check that Sentinel workspace is connected.

connect(auth_methods: list[str] | None = None, tenant_id: str | None = None, *, silent: bool = False, cloud: str | None = None, **kwargs) None

Authenticate to the Azure SDK.

Parameters:
  • auth_methods (List, optional) – list of preferred authentication methods to use, by default None

  • tenant_id (str, optional) – The tenant to authenticate against. If not supplied, the default tenant for the identity will be used.

  • silent (bool, optional) – Set true to prevent output during auth process, by default False

  • cloud (str, optional) – What Azure cloud to connect to. By default it will attempt to use the cloud setting from config file. If this is not set it will default to Azure Public Cloud

  • **kwargs – Additional keyword arguments to pass to the az_connect function.

Raises:

CloudError – If no valid credentials are found or if subscription client can’t be created

See also

msticpy.auth.azure_auth.az_connect

function to authenticate to Azure SDK

create_analytic_rule(template: str | None = None, name: str | None = None, *, enabled: bool = True, query: str | None = None, query_frequency: str = 'PT5H', query_period: str = 'PT5H', severity: str = 'Medium', suppression_duration: str = 'PT1H', suppression_enabled: bool = False, trigger_operator: str = 'GreaterThan', trigger_threshold: int = 0, description: str | None = None, tactics: list[str] | None = None) str | None

Create a Sentinel Analytics Rule.

Parameters:
  • template (str, optional) – The GUID or name of a template to create the analytic from, by default None

  • name (str, optional) – The name to give the analytic, by default None

  • enabled (bool, optional) – Whether you want the analytic to be enabled once deployed, by default True

  • query (str, optional) – The KQL query string to use in the analytic, by default None

  • query_frequency (str, optional) – How often the query should run in ISO8601 format, by default “PT5H”

  • query_period (str, optional) – How far back the query should look in ISO8601 format, by default “PT5H”

  • severity (str, optional) – The severity to raise incidents as, by default “Medium”. Options are: Informational, Low, Medium, or High

  • suppression_duration (str, optional) – How long to suppress duplicate alerts in ISO8601 format, by default “PT1H”

  • suppression_enabled (bool, optional) – Whether you want to suppress duplicates, by default False

  • trigger_operator (str, optional) – The operator for the trigger, by default “GreaterThan”

  • trigger_threshold (int, optional) – The threshold of events required to create the incident, by default 0

  • description (str, optional) – A description of the analytic, by default None

  • tactics (list, optional) – A list of MITRE ATT&CK tactics related to the analytic, by default None

Returns:

The name/ID of the analytic rule.

Return type:

str|None

Raises:
  • MsticpyUserError – If template provided isn’t found.

  • CloudError – If the API returns an error.
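An added example, not part of msticpy: a pre-flight check that validates the arguments described above before they are passed to create_analytic_rule. The helper names (`parse_duration`, `build_rule_args`), the restriction to day/hour/minute/second durations, the requirement that name and query are non-empty, the frequency/period check, and the `sentinel` object in the final comment are assumptions of this example.

```python
import re
from datetime import timedelta

# Severity options listed in the create_analytic_rule parameter description.
SEVERITIES = ("Informational", "Low", "Medium", "High")

# Assumption: only day/hour/minute/second ISO 8601 durations are accepted here.
_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def parse_duration(value: str) -> timedelta:
    """Convert a duration such as 'PT5H' or 'P1DT30M' into a timedelta."""
    match = _DURATION.match(value)
    if not match or not any(match.groups()):
        raise ValueError(f"unsupported ISO 8601 duration: {value!r}")
    days, hours, minutes, seconds = (int(part or 0) for part in match.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)


def build_rule_args(name, query, *, query_frequency="PT5H", query_period="PT5H",
                    severity="Medium", suppression_enabled=False,
                    suppression_duration="PT1H", trigger_threshold=0):
    """Return validated keyword arguments for create_analytic_rule."""
    if not name or not query or not query.strip():
        raise ValueError("name and query must both be non-empty")
    if severity not in SEVERITIES:
        raise ValueError(f"severity must be one of {SEVERITIES}")
    if parse_duration(query_frequency) > parse_duration(query_period):
        # Each run would look back less far than the gap since the last run.
        raise ValueError("query_frequency exceeds query_period: events would be missed")
    parse_duration(suppression_duration)
    if trigger_threshold < 0:
        raise ValueError("trigger_threshold cannot be negative")
    return {
        "name": name, "query": query, "severity": severity,
        "query_frequency": query_frequency, "query_period": query_period,
        "suppression_enabled": suppression_enabled,
        "suppression_duration": suppression_duration,
        "trigger_threshold": trigger_threshold,
    }


# Constructed sample input; `sentinel` would be an already connected workspace object.
RULE_ARGS = build_rule_args(
    "Failed sign-ins", "SigninLogs | where ResultType != 0",
    query_frequency="PT1H", query_period="P1D", severity="High",
)
# sentinel.create_analytic_rule(**RULE_ARGS)
```
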

delete_analytic_rule(analytic_rule: str) None

Delete a deployed Analytic rule from a Sentinel workspace.

Parameters:

analytic_rule (str) – The GUID or name of the analytic.

Raises:

CloudError – If the API returns an error.

get_alert_rules() DataFrame

Return all Microsoft Sentinel alert rules for a workspace.

Returns:

A table of the workspace’s alert rules.

Return type:

pd.DataFrame

get_analytic_rules() DataFrame

Return all Microsoft Sentinel alert rules for a workspace.

Returns:

A table of the workspace’s alert rules.

Return type:

pd.DataFrame

get_metrics(metrics: str, resource_id: str, sub_id: str, sample_time: str = 'hour', start_time: int = 30) dict[str, DataFrame]

Return specified metrics on Azure Resource.

Parameters:
  • metrics (str) – A string list of metrics you wish to collect (https://docs.microsoft.com/en-us/azure/azure-monitor/platform/metrics-supported)

  • resource_id (str) – The resource ID of the resource to collect the metrics from

  • sub_id (str) – The subscription ID that the resource is part of

  • sample_time (str (Optional)) – Whether to collect the metrics every hour or every minute; the default is hour. Accepted inputs: ‘hour’ or ‘minute’

  • start_time (int (Optional)) – The number of days prior to today to collect metrics for, default is 30

Returns:

results – A Dictionary of DataFrames containing the metrics details

Return type:

dict

get_network_details(network_id: str, sub_id: str) tuple[DataFrame, DataFrame]

Return details related to an Azure network interface and associated NSG.

Parameters:
  • network_id (str) – The ID of the network interface to return details on

  • sub_id (str) – The subscription ID that the network interface is part of

Returns:

details – A dictionary of items related to the network interface

Return type:

dict

get_resource_details(sub_id: str, resource_id: str | None = None, resource_details: dict[str, Any] | None = None) dict

Return the details of a specific Azure resource.

Parameters:
  • resource_id (str, optional) – The ID of the resource to get details on

  • resource_details (dict, optional) –

    If ID is unknown provide the following details:

    - resource_group_name
    - resource_provider_namespace
    - resource_type
    - resource_name
    - parent_resource_path

  • sub_id (str) – The ID of the subscription to get resources from

Returns:

resource_details – The details of the requested resource

Return type:

dict

get_resources(sub_id: str, rgroup: str | None = None, *, get_props: bool = False) pd.DataFrame

Return details on all resources in a subscription or Resource Group.

Parameters:
  • sub_id (str) – The subscription ID to get resources for

  • rgroup (str (Optional)) – The name of a Resource Group to get resources for

  • get_props (bool (Optional)) – Set to True if you want to get the full properties of every resource. Warning: this may be a slow process depending on the number of resources

Returns:

A dataframe of resource details

Return type:

pd.DataFrame

get_sentinel_workspaces(sub_id: str) dict[str, str]

Return a list of Microsoft Sentinel workspaces in a Subscription.

Parameters:

sub_id (str) – The subscription ID to get a list of workspaces from. If not provided it will attempt to get sub_id from config files.

Returns:

A dictionary of workspace names and ids

Return type:

Dict

get_subscription_info(sub_id: str) dict

Get information on a specific subscription.

Parameters:

sub_id (str) – The ID of the subscription to return details on.

Returns:

Details on the selected subscription.

Return type:

dict

Raises:

MsticpyNotConnectedError – If .connect() has not been called.

get_subscriptions() DataFrame

Get details of all subscriptions within the tenant.

Returns:

Details of the subscriptions present in the user’s tenant.

Return type:

pd.DataFrame

Raises:

MsticpyNotConnectedError – If .connect() has not been called

list_alert_rules() DataFrame

Return all Microsoft Sentinel alert rules for a workspace.

Returns:

A table of the workspace’s alert rules.

Return type:

pd.DataFrame

list_analytic_rules() DataFrame

Return all Microsoft Sentinel alert rules for a workspace.

Returns:

A table of the workspace’s alert rules.

Return type:

pd.DataFrame

list_analytic_templates() DataFrame

List Analytic Templates.

Returns:

A DataFrame containing the analytics templates

Return type:

pd.DataFrame

Raises:

CloudError – If a valid result is not returned.

list_sentinel_workspaces(sub_id: str) dict[str, str]

Return a list of Microsoft Sentinel workspaces in a Subscription.

Parameters:

sub_id (str) – The subscription ID to get a list of workspaces from. If not provided it will attempt to get sub_id from config files.

Returns:

A dictionary of workspace names and ids

Return type:

Dict

class msticpy.context.azure.sentinel_analytics.SentinelHuntingMixin(*, connect: bool = False, cloud: str | None = None)

Bases: SentinelUtilsMixin

Mixin class for Sentinel Hunting feature integrations.

Initialize connector for Azure Python SDK.

check_connected() None

Check that Sentinel workspace is connected.

connect(auth_methods: list[str] | None = None, tenant_id: str | None = None, *, silent: bool = False, cloud: str | None = None, **kwargs) None

Authenticate to the Azure SDK.

Parameters:
  • auth_methods (List, optional) – list of preferred authentication methods to use, by default None

  • tenant_id (str, optional) – The tenant to authenticate against. If not supplied, the default tenant for the identity will be used.

  • silent (bool, optional) – Set true to prevent output during auth process, by default False

  • cloud (str, optional) – What Azure cloud to connect to. By default it will attempt to use the cloud setting from config file. If this is not set it will default to Azure Public Cloud

  • **kwargs – Additional keyword arguments to pass to the az_connect function.

Raises:

CloudError – If no valid credentials are found or if subscription client can’t be created

See also

msticpy.auth.azure_auth.az_connect

function to authenticate to Azure SDK

get_hunting_queries() DataFrame

Return all custom hunting queries in a Microsoft Sentinel workspace.

Returns:

A table of the custom hunting queries.

Return type:

pd.DataFrame

get_metrics(metrics: str, resource_id: str, sub_id: str, sample_time: str = 'hour', start_time: int = 30) dict[str, DataFrame]

Return specified metrics on Azure Resource.

Parameters:
  • metrics (str) – A string list of metrics you wish to collect (https://docs.microsoft.com/en-us/azure/azure-monitor/platform/metrics-supported)

  • resource_id (str) – The resource ID of the resource to collect the metrics from

  • sub_id (str) – The subscription ID that the resource is part of

  • sample_time (str (Optional)) – Whether to collect the metrics every hour or every minute; the default is hour. Accepted inputs: ‘hour’ or ‘minute’

  • start_time (int (Optional)) – The number of days prior to today to collect metrics for, default is 30

Returns:

results – A Dictionary of DataFrames containing the metrics details

Return type:

dict

get_network_details(network_id: str, sub_id: str) tuple[DataFrame, DataFrame]

Return details related to an Azure network interface and associated NSG.

Parameters:
  • network_id (str) – The ID of the network interface to return details on

  • sub_id (str) – The subscription ID that the network interface is part of

Returns:

details – A dictionary of items related to the network interface

Return type:

dict

get_resource_details(sub_id: str, resource_id: str | None = None, resource_details: dict[str, Any] | None = None) dict

Return the details of a specific Azure resource.

Parameters:
  • resource_id (str, optional) – The ID of the resource to get details on

  • resource_details (dict, optional) –

    If ID is unknown provide the following details:

    - resource_group_name
    - resource_provider_namespace
    - resource_type
    - resource_name
    - parent_resource_path

  • sub_id (str) – The ID of the subscription to get resources from

Returns:

resource_details – The details of the requested resource

Return type:

dict

get_resources(sub_id: str, rgroup: str | None = None, *, get_props: bool = False) pd.DataFrame

Return details on all resources in a subscription or Resource Group.

Parameters:
  • sub_id (str) – The subscription ID to get resources for

  • rgroup (str (Optional)) – The name of a Resource Group to get resources for

  • get_props (bool (Optional)) – Set to True if you want to get the full properties of every resource. Warning: this may be a slow process depending on the number of resources

Returns:

A dataframe of resource details

Return type:

pd.DataFrame

get_sentinel_workspaces(sub_id: str) dict[str, str]

Return a list of Microsoft Sentinel workspaces in a Subscription.

Parameters:

sub_id (str) – The subscription ID to get a list of workspaces from. If not provided it will attempt to get sub_id from config files.

Returns:

A dictionary of workspace names and ids

Return type:

Dict

get_subscription_info(sub_id: str) dict

Get information on a specific subscription.

Parameters:

sub_id (str) – The ID of the subscription to return details on.

Returns:

Details on the selected subscription.

Return type:

dict

Raises:

MsticpyNotConnectedError – If .connect() has not been called.

get_subscriptions() DataFrame

Get details of all subscriptions within the tenant.

Returns:

Details of the subscriptions present in the user’s tenant.

Return type:

pd.DataFrame

Raises:

MsticpyNotConnectedError – If .connect() has not been called

list_hunting_queries() DataFrame

Return all custom hunting queries in a Microsoft Sentinel workspace.

Returns:

A table of the custom hunting queries.

Return type:

pd.DataFrame

list_saved_queries() DataFrame

Return all saved queries in a Microsoft Sentinel workspace.

Returns:

A table of the custom hunting queries.

Return type:

pd.DataFrame

list_sentinel_workspaces(sub_id: str) dict[str, str]

Return a list of Microsoft Sentinel workspaces in a Subscription.

Parameters:

sub_id (str) – The subscription ID to get a list of workspaces from. If not provided it will attempt to get sub_id from config files.

Returns:

A dictionary of workspace names and ids

Return type:

Dict