msticpy.context.azure.sentinel_watchlists module

Mixin Classes for Sentinel Watchlist Features.

class msticpy.context.azure.sentinel_watchlists.SentinelWatchlistsMixin(*, connect: bool = False, cloud: str | None = None)

Bases: SentinelUtilsMixin

Mixin class for Sentinel Watchlist feature integrations.

Initialize connector for Azure Python SDK.

add_watchlist_item(watchlist_name: str, item: dict | pd.Series | pd.DataFrame, *, overwrite: bool = False) None

Add or update an item in a Watchlist.

Parameters:

  • watchlist_name (str) – The name of the watchlist to add items to

  • item (Union[Dict, pd.Series, pd.DataFrame]) – The item to add, this can be a dictionary of valies, a Pandas Series, or DataFrame

  • overwrite (bool, optional) – Wether you want to overwrite an item if it already exists in the watchlist, by default False

Raises:

  • MsticpyUserError – If the specified Watchlist does not exist.

  • MsticpyUserError – If the item already exists in the Watchlist and overwrite is set to False

  • CloudError – If the API returns an error.

check_connected() None

Check that Sentinel workspace is connected.

connect(auth_methods: list[str] | None = None, tenant_id: str | None = None, *, silent: bool = False, cloud: str | None = None, **kwargs) None

Authenticate to the Azure SDK.

Parameters:

  • auth_methods (List, optional) – list of preferred authentication methods to use, by default None

  • tenant_id (str, optional) – The tenant to authenticate against. If not supplied, the default tenant for the identity will be used.

  • silent (bool, optional) – Set true to prevent output during auth process, by default False

  • cloud (str, optional) – What Azure cloud to connect to. By default it will attempt to use the cloud setting from config file. If this is not set it will default to Azure Public Cloud

  • **kwargs – Additional keyword arguments to pass to the az_connect function.

Raises:

CloudError – If no valid credentials are found or if subscription client can’t be created

See also

msticpy.auth.azure_auth.az_connect

function to authenticate to Azure SDK

create_watchlist(watchlist_name: str, description: str, search_key: str, provider: str = 'MSTICPy', source: str = 'Notebook', data: pd.DataFrame | None = None) str | None

Create a new watchlist.

Parameters:

  • watchlist_name (str) – The name of the watchlist you want to create, this can’t be the name of an existing watchlist.

  • description (str) – A description of the watchlist to be created.

  • search_key (str) – The search key is used to optimize query performance when using watchlists for joins with other data. This should be the key column that will be used in the watchlist when joining to other data tables.

  • provider (str, optional) – This is the label attached to the watchlist showing who created it, by default “MSTICPy”

  • source (str, optional) – The source of the data to be put in the watchlist, by default “Notebook”

  • data (pd.DataFrame, optional) – The data you want to upload to the watchlist

Returns:

The name/ID of the watchlist.

Return type:

Optional[str]

Raises:

  • MsticpyUserError – Raised if the watchlist name already exists.

  • CloudError – If there is an issue creating the watchlist.

delete_watchlist(watchlist_name: str) None

Delete a selected Watchlist.

Parameters:

watchlist_name (str) – The name of the Watchlist to deleted

Raises:

  • MsticpyUserError – If Watchlist does not exist.

  • CloudError – If the API returns an error.

delete_watchlist_item(watchlist_name: str, watchlist_item_id: str) None

Delete a Watchlist item.

Parameters:

  • watchlist_name (str) – The name of the watchlist with the item to be deleted

  • watchlist_item_id (str) – The watchlist item ID to delete

Raises:

  • MsticpyUserError – If the specified Watchlist does not exist.

  • CloudError – If the API returns an error.

get_metrics(metrics: str, resource_id: str, sub_id: str, sample_time: str = 'hour', start_time: int = 30) dict[str, DataFrame]

Return specified metrics on Azure Resource.

Parameters:

  • metrics (str) – A string list of metrics you wish to collect (https://docs.microsoft.com/en-us/azure/azure-monitor/platform/metrics-supported)

  • resource_id (str) – The resource ID of the resource to collet the metrics from

  • sub_id (str) – The subscription ID that the resource is part of

  • sample_time (str (Optional)) – You can select to collect the metrics every hour of minute - default is hour Accepted inputs = ‘hour’ or ‘minute’

  • start_time (int (Optional)) – The number of days prior to today to collect metrics for, default is 30

Returns:

results – A Dictionary of DataFrames containing the metrics details

Return type:

dict

get_network_details(network_id: str, sub_id: str) tuple[DataFrame, DataFrame]

Return details related to an Azure network interface and associated NSG.

Parameters:

  • network_id (str) – The ID of the network interface to return details on

  • sub_id (str) – The subscription ID that the network interface is part of

Returns:

details – A dictionary of items related to the network interface

Return type:

dict

get_resource_details(sub_id: str, resource_id: str | None = None, resource_details: dict[str, Any] | None = None) dict

Return the details of a specific Azure resource.

Parameters:

  • resource_id (str, optional) – The ID of the resource to get details on

  • resource_details (dict, optional) –

    If ID is unknown provide the following details:

    -resource_group_name -resource_provider_namespace -resource_type -resource_name -parent_resource_path

  • sub_id (str) – The ID of the subscription to get resources from

Returns:

resource_details – The details of the requested resource

Return type:

dict

get_resources(sub_id: str, rgroup: str | None = None, *, get_props: bool = False) pd.DataFrame

Return details on all resources in a subscription or Resource Group.

Parameters:

  • sub_id (str) – The subscription ID to get resources for

  • rgroup (str (Optional)) – The name of a Resource Group to get resources for

  • get_props (bool (Optional)) – Set to True if you want to get the full properties of every resource Warning this may be a slow process depending on the number of resources

Returns:

A dataframe of resource details

Return type:

pd.DataFrame

get_sentinel_workspaces(sub_id: str) dict[str, str]

Return a list of Microsoft Sentinel workspaces in a Subscription.

Parameters:

sub_id (str) – The subscription ID to get a list of workspaces from. If not provided it will attempt to get sub_id from config files.

Returns:

A dictionary of workspace names and ids

Return type:

Dict

get_subscription_info(sub_id: str) dict

Get information on a specific subscription.

Parameters:

sub_id (str) – The ID of the subscription to return details on.

Returns:

Details on the selected subscription.

Return type:

dict

Raises:

MsticpyNotConnectedError – If .connect() has not been called.

get_subscriptions() DataFrame

Get details of all subscriptions within the tenant.

Returns:

Details of the subscriptions present in the users tenant.

Return type:

pd.DataFrame

Raises:

MsticpyNotConnectedError – If .connect() has not been called

list_sentinel_workspaces(sub_id: str) dict[str, str]

Return a list of Microsoft Sentinel workspaces in a Subscription.

Parameters:

sub_id (str) – The subscription ID to get a list of workspaces from. If not provided it will attempt to get sub_id from config files.

Returns:

A dictionary of workspace names and ids

Return type:

Dict

list_watchlist_items(watchlist_name: str) DataFrame

List items in a watchlist.

Parameters:

watchlist_name (str) – The name of the watchlist to get items from

Returns:

A DataFrame containing the watchlists

Return type:

pd.DataFrame

Raises:

CloudError – If a valid result is not returned.

list_watchlists() DataFrame

List Deployed Watchlists.

Returns:

A DataFrame containing the watchlists

Return type:

pd.DataFrame

Raises:

CloudError – If a valid result is not returned.