msticpy.context.azure.sentinel_ti module

Mixin Classes for Sentinel Analytics Features.

class msticpy.context.azure.sentinel_ti.SentinelTIMixin

Bases: object

Mixin class for Sentinel Hunting feature integrations.

add_tag(indicator_id: str, tag: str)

Add a tag to an existing indicator.

Parameters:
  • indicator_id (str) – The GUID of the indicator to add a tag to.

  • tag (str) – The tag to add.

bulk_create_indicators(data: DataFrame, indicator_column: str = 'Observable', indicator_type_column: str = 'IoCType', **kwargs)

Bulk create indicators from a DataFrame.

Parameters:
  • data (pd.DataFrame) – A dataframe containing indicators and indicator types

  • indicator_column (str, optional) – The column containing the indicator values to create, by default “Observable”

  • indicator_type_column (str, optional) – The column containing the indicator type values, by default “IoCType”

  • confidence_column (str, optional) – The column containing indicator confidence values; if not given, a confidence of 0 is used.

create_indicator(indicator: str, ioc_type: str, name: str = 'TI Indicator', confidence: int = 0, silent: bool = False, **kwargs) → str

Create a new indicator within the Microsoft Sentinel workspace.

Parameters:
  • indicator (str) – The indicator to create, e.g. an IP address, domain name, etc.

  • ioc_type (str) – The type of indicator to create; one of: “dns”, “url”, “ipv4”, “ipv6”, “md5_hash”, “sha1_hash”, “sha256_hash”

  • name (str, optional) – A common name to give to the indicator; default is ‘TI Indicator’

  • confidence (int, optional) – A score between 0-100 of the confidence in the indicator; default is 0

  • silent (bool, optional) – If True no output is displayed, defaults to False

  • description (str, optional) – A description of the indicator

  • labels (list, optional) – A list of string labels to associate with the indicator

  • kill_chain_phases (list, optional) – A list of strings naming the kill chain phases the indicator is associated with

  • threat_types (list, optional) – A list of threat types associated with the indicator (list of strings)

  • external_references (list, optional) – A list of URLs that provide an external reference for the indicator

  • valid_from (datetime, optional) – The datetime from which the indicator is valid, defaults to now

  • valid_to (datetime, optional) – The datetime until which the indicator is valid

Returns:

The ID of the created indicator

Return type:

str

Raises:
  • MsticpyUserError – If invalid ioc_type or confidence value provided

  • CloudError – If API call fails
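Because create_indicator raises MsticpyUserError for an unknown ioc_type or an out-of-range confidence, it pays to validate rows before handing a DataFrame to bulk_create_indicators. The following is an added example, not part of msticpy: it maps raw observables to the documented IoC type strings and builds rows using the default “Observable” / “IoCType” column names (the “Confidence” column name is an assumption to pass as confidence_column). The hash and address values are constructed test data, not indicators.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Indicator types accepted by create_indicator, as listed in its docstring.
VALID_IOC_TYPES = {"dns", "url", "ipv4", "ipv6", "md5_hash", "sha1_hash", "sha256_hash"}

_HASH_LEN_TO_TYPE = {32: "md5_hash", 40: "sha1_hash", 64: "sha256_hash"}
_HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
_URL_RE = re.compile(r"^https?://", re.IGNORECASE)
_DNS_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.IGNORECASE)


def classify_observable(value: str) -> Optional[str]:
    """Map a raw observable to a Sentinel IoC type string, or None if unsupported."""
    obs = value.strip()
    try:  # IP addresses first: ipaddress handles both v4 and v6 syntax
        return "ipv4" if ipaddress.ip_address(obs).version == 4 else "ipv6"
    except ValueError:
        pass
    if _HEX_RE.match(obs) and len(obs) in _HASH_LEN_TO_TYPE:
        return _HASH_LEN_TO_TYPE[len(obs)]  # hash type from hex digest length
    if _URL_RE.match(obs):
        return "url"
    if _DNS_RE.match(obs):
        return "dns"
    return None


def prepare_indicator_rows(observables: List[str], confidence: int = 0) -> List[Dict[str, object]]:
    """Build rows for pd.DataFrame(rows) -> bulk_create_indicators(df, confidence_column="Confidence").

    Rejects locally what create_indicator would reject remotely: an unknown
    IoC type or a confidence outside 0-100.
    """
    if not 0 <= confidence <= 100:
        raise ValueError(f"confidence must be between 0 and 100, got {confidence}")
    rows: List[Dict[str, object]] = []
    for obs in observables:
        ioc_type = classify_observable(obs)
        if ioc_type not in VALID_IOC_TYPES:
            raise ValueError(f"no supported IoC type for observable {obs!r}")
        rows.append({"Observable": obs.strip(), "IoCType": ioc_type, "Confidence": confidence})
    return rows


# Constructed sample data (empty-string digests, documentation addresses).
SAMPLE_OBSERVABLES = ["203.0.113.5", "d41d8cd98f00b204e9800998ecf8427e", "malicious.example.com"]
```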

delete_indicator(indicator_id: str)

Delete a specific TI indicator.

Parameters:

indicator_id (str) – The GUID of the indicator to delete

Raises:

CloudError – If API call fails

get_all_indicators(limit: int | None = None, orderby: str | None = None) → DataFrame

Return all TI indicators in a Microsoft Sentinel workspace.

Parameters:
  • limit (int, optional) – If set, returns only the top n results

  • orderby (Optional[str], optional) – Order results by a specific column

Returns:

A table of the TI indicators in the workspace.

Return type:

pd.DataFrame

get_indicator(indicator_id: str) → dict

Get a specific indicator by its ID.

Parameters:

indicator_id (str) – The GUID of the indicator to get

Returns:

Indicator details

Return type:

dict

Raises:

CloudError – If API call fails.

get_ti_metrics() → DataFrame

Return metrics about TI indicators in a Microsoft Sentinel workspace.

Returns:

A table of metrics about the TI indicators in the workspace.

Return type:

pd.DataFrame

query_indicators(**kwargs) → DataFrame

Query for indicators in a Sentinel workspace.

Parameters:
  • includeDisabled (bool, optional) – Parameter to include/exclude disabled indicators.

  • keywords (str, optional) – Keyword for searching threat intelligence indicators. Use this to search for specific indicator values.

  • maxConfidence (int, optional) – Maximum confidence.

  • maxValidUntil (str, optional) – End time for ValidUntil filter.

  • minConfidence (int, optional) – Minimum confidence.

  • minValidUntil (str, optional) – Start time for ValidUntil filter.

  • pageSize (int, optional) – Maximum number of results to return in one page.

  • patternTypes (list, optional) – A list of IoC types to include.

  • sortBy (List, optional) – Columns to sort by and sorting order as: [{“itemKey”: COLUMN_NAME, “sortOrder”: ascending/descending}]

  • sources (list, optional) – A list of indicator sources to include

  • threatTypes (list, optional) – A list of Threat types to include

Returns:

A set of matching indicators

Return type:

pd.DataFrame

Raises:

CloudError – If API call fails

update_indicator(indicator_id: str, **kwargs)

Update an existing indicator within the Microsoft Sentinel workspace.

Parameters:
  • indicator_id (str) – The GUID of the indicator to update

  • name (str, optional) – A common name to give to the indicator; default is ‘TI Indicator’

  • confidence (int, optional) – A score between 0-100 of the confidence in the indicator

  • description (str, optional) – A description of the indicator

  • labels (list, optional) – A list of string labels to associate with the indicator

  • kill_chain_phases (list, optional) – A list of strings naming the kill chain phases the indicator is associated with

  • threat_types (list, optional) – A list of threat types associated with the indicator (list of strings)

  • external_references (list, optional) – A list of URLs that provide an external reference for the indicator

  • valid_from (datetime, optional) – The datetime from which the indicator is valid, defaults to now

  • valid_to (datetime, optional) – The datetime until which the indicator is valid

Raises:

CloudError – If API call fails