msticpy.context.azure.sentinel_dynamic_summary_types module

Sentinel Dynamic Summary classes.

class msticpy.context.azure.sentinel_dynamic_summary_types.DynamicSummary(summary_id: str | None = None, **kwargs)

Bases: object

Dynamic Summary class.

Initialize a DynamicSummary instance.

Parameters:

summary_id (str, optional) – The summary UUID, by default auto-generated UUID
summary_name (str, optional) – Name of the dynamic summary instance, by default None
summary_description (str, optional) – Summary description, by default None
tenant_id (str, optional) – Azure tenant ID, by default None
relation_name (str, optional) – The relation name, by default None
relation_id (str, optional) – The relation ID, by default None
search_key (str, optional) – Search key column for the summarized data, by default None
tactics (Union[str, List[str], None], optional) – Relevant MITRE tactics, by default None
techniques (Union[str, List[str], None], optional) – Relevant MITRE techniques, by default None
source_info (Dict[str, Any], optional) – Summary source info dictionary, by default None
summary_items (Union[pd, DataFrame, Iterable[DynamicSummaryItem],)
List[Dict[str – Collection of summary items, by default None
Any]]] – Collection of summary items, by default None
optional – Collection of summary items, by default None

add_summary_items(data: Iterable[DynamicSummaryItem] | Iterable[Dict[str, Any]] | DataFrame, **kwargs)

Add list of DynamicSummaryItems replacing existing list.

Parameters:

data (Union[Iterable[DynamicSummaryItem], Iterable[Dict[str, Any]], pd.DataFrame]) – Iterable or DataFrame of DynamicSummary Items.
summary_fields (Optional[Dict[str, str]], optional) – (only relevant if data is a DataFrame) Dictionary of mappings to extract from the DataFrame and use as SummaryItem properties, by default None. For example: {“col_a”: “tactics”, “col_b”: “relation_name”} See DynamicSummaryItem for a list of available properties.

See also

DynamicSummaryItem

static df_to_dynamic_summaries(data: DataFrame) → List[DynamicSummary]

Return a list of DynamicSummary objects from a DataFrame of summaries.

Parameters:: data (pd.DataFrame) – DataFrame containing dynamic summaries
Returns:: List of Dynamic Summary objects.
Return type:: List[DynamicSummary]

Examples

Use the following steps to obtain a list of dynamic summaries from MS Sentinel and convert to DynamicSummary objects.

query = \"\"\"
    DynamicSummary
    | where <some filter criteria>
    | where SummaryStatus == "Active" or SummaryDataType == "SummaryItem"
\"\"\"
data = qry_prov.exec_query(query)
dyn_summaries = df_to_dynamic_summaries(data)

static df_to_dynamic_summary(data: DataFrame) → DynamicSummary

Return a single DynamicSummary object from a DataFrame.

Parameters:: data (pd.DataFrame) – DataFrame containing a single dynamic summary plus summary items.
Returns:: The DynamicSummary object.
Return type:: DynamicSummary

Examples

Use the following steps to query a single dynamic summary from MS Sentinel and convert to a DynamicSummary object.

query = \"\"\"
    DynamicSummary
    | where SummaryId == "26b95b5e-2645-4d33-91a7-ea3c1b8b4b8b"
    | where SummaryStatus == "Active" or SummaryDataType == "SummaryItem"
\"\"\"
data = qry_prov.exec_query(query)
dyn_summaries = df_to_dynamic_summary(data)

fields = Fields: SUMMARY_ID='summary_id' SUMMARY_NAME='summary_name' SUMMARY_DESCRIPTION='summary_description' TENANT_ID='tenant_id' RELATION_NAME='relation_name' RELATION_ID='relation_id' SEARCH_KEY='search_key' TACTICS='tactics' TECHNIQUES='techniques' SOURCE_INFO='source_info' SUMMARY_ITEMS='summary_items'

classmethod from_json(data: Dict[str, Any] | str) → DynamicSummary: Create new DynamicSummary instance from json string or dict.

classmethod new_dynamic_summary(**kwargs)

Return a new DynamicSummary object.

Notes

See the DynamicSummary class documentation for details of expected parameters.

See also

DynamicSummary

to_df() → DataFrame: Return summary items as DataFrame.

to_json(): Return JSON representation of DynamicSummary.

to_json_api(): Return API-ready JSON representation of DynamicSummary.

class msticpy.context.azure.sentinel_dynamic_summary_types.DynamicSummaryItem(summary_item_id: str | None = None, relation_name: str | None = None, relation_id: str | None = None, search_key: str | None = None, tactics: str | ~typing.List[str] | None = <factory>, techniques: str | ~typing.List[str] | None = <factory>, event_time_utc: ~datetime.datetime | None = None, observable_type: str | None = None, observable_value: str | None = None, packed_content: ~typing.Dict[str, ~typing.Any] = <factory>)

Bases: object

DynamicSummaryItem class.

Parameters:

summary_item_id (Optional[str]) – The ID of the item
relation_name (Optional[str] = None) – The name of the summary item relation
relation_id (Optional[str] = None) – The ID of the summary item relation
search_key (Optional[str] = None) – Searchable key value for summary item
tactics (Union[str, List[str], None] = None) – Relevant MITRE tactics for the summary item
techniques (Union[str, List[str], None] = None) – Relevant MITRE techniques for the summary item
event_time_utc (Optional[datetime] = None) – Event time for the summary item
observable_type (Optional[str] = None) – Observable type of the summary item
observable_value (Optional[str] = None) – Observable value of the summary item
packed_content (Dict[str, Any]) – Dictionary of item details.

event_time_utc: datetime | None = None

fields: ClassVar = Fields: SUMMARY_ITEM_ID='summary_item_id' RELATION_NAME='relation_name' RELATION_ID='relation_id' SEARCH_KEY='search_key' TACTICS='tactics' TECHNIQUES='techniques' EVENT_TIME_UTC='event_time_utc' OBSERVABLE_TYPE='observable_type' OBSERVABLE_VALUE='observable_value' PACKED_CONTENT='packed_content'

observable_type: str | None = None

observable_value: str | None = None

packed_content: Dict[str, Any]

relation_id: str | None = None

relation_name: str | None = None

search_key: str | None = None

summary_item_id: str | None = None

tactics: str | List[str] | None

techniques: str | List[str] | None

to_api_dict(): Return attributes as a JSON-serializable dictionary.

class msticpy.context.azure.sentinel_dynamic_summary_types.FieldList(fieldnames: Iterable[str])

Bases: object

Class to hold field names.

Add fields to field mapping.

msticpy.context.azure.sentinel_dynamic_summary_types.df_to_dynamic_summaries(data: DataFrame) → List[DynamicSummary]

Return a list of DynamicSummary objects from a DataFrame of summaries.

Parameters:: data (pd.DataFrame) – DataFrame containing dynamic summaries
Returns:: List of Dynamic Summary objects.
Return type:: List[DynamicSummary]

Examples

Use the following steps to obtain a list of dynamic summaries from MS Sentinel and convert to DynamicSummary objects.

query = \"\"\"
    DynamicSummary
    | where <some filter criteria>
    | where SummaryStatus == "Active" or SummaryDataType == "SummaryItem"
\"\"\"
data = qry_prov.exec_query(query)
dyn_summaries = df_to_dynamic_summaries(data)

msticpy.context.azure.sentinel_dynamic_summary_types.df_to_dynamic_summary(data: DataFrame) → DynamicSummary

Return a single DynamicSummary object from a DataFrame.

Parameters:: data (pd.DataFrame) – DataFrame containing a single dynamic summary plus summary items.
Returns:: The DynamicSummary object.
Return type:: DynamicSummary

Examples

Use the following steps to query a single dynamic summary from MS Sentinel and convert to a DynamicSummary object.

query = \"\"\"
    DynamicSummary
    | where SummaryId == "26b95b5e-2645-4d33-91a7-ea3c1b8b4b8b"
    | where SummaryStatus == "Active" or SummaryDataType == "SummaryItem"
\"\"\"
data = qry_prov.exec_query(query)
dyn_summaries = df_to_dynamic_summary(data)