msticpy.data.drivers.sentinel_query_reader module

GitHub Sentinel query repository import class and helpers.

class msticpy.data.drivers.sentinel_query_reader.SentinelQuery(query_id: str = NOTHING, name: str = NOTHING, description: str = NOTHING, severity: str = NOTHING, query_frequency: str = NOTHING, query_period: str = NOTHING, trigger_operator: str = NOTHING, trigger_threshold: str = NOTHING, version: str = NOTHING, kind: str = NOTHING, folder_name: str = NOTHING, source_file_name: str = NOTHING, query_type: str = NOTHING, tactics: list = NOTHING, relevant_techniques: list = NOTHING, query: str = NOTHING, entity_mappings: dict = NOTHING, custom_details: dict = NOTHING, alert_details_override: dict = NOTHING, tags: list = NOTHING, required_data_connectors: dict = NOTHING)

Bases: object

Attrs class that represents a Sentinel Query yaml file.

Method generated by attrs for class SentinelQuery.

alert_details_override: dict
custom_details: dict
description: str
entity_mappings: dict
folder_name: str
kind: str
name: str
query: str
query_frequency: str
query_id: str
query_period: str
query_type: str
relevant_techniques: list
required_data_connectors: dict
severity: str
source_file_name: str
tactics: list
tags: list
trigger_operator: str
trigger_threshold: str
version: str
msticpy.data.drivers.sentinel_query_reader.download_and_write_sentinel_queries(query_type: str, yaml_output_folder: str, github_outputdir: str | None = None)

Download queries from GitHub and write out YAML files for the given query type.

Parameters:
  • query_type (str) – Either “Hunting Queries” or “Detections”, or the name of another query category directory in the repository

  • yaml_output_folder (str) – Path to the folder where the generated YAML files are written

  • github_outputdir (Optional[str]) – Path to the directory where the GitHub download is stored

msticpy.data.drivers.sentinel_query_reader.get_sentinel_queries_from_github(git_url: str | None = 'https://github.com/Azure/Azure-Sentinel/archive/master.zip', outputdir: str | None = None) → bool

Download Microsoft Sentinel Github archive and extract detection and hunting queries.

Parameters:
  • git_url (str, optional) – URL of the Git repository archive to download, by default “https://github.com/Azure/Azure-Sentinel/archive/master.zip”

  • outputdir (str, optional) – Absolute path to the output folder in which to save the downloaded archive (e.g. ‘/usr/home’ or ‘C:\downloads’). If no path is provided, the archive is downloaded to an Azure-Sentinel folder under the .msticpy directory.

msticpy.data.drivers.sentinel_query_reader.import_sentinel_queries(yaml_files: dict, query_type: str) → list

Create list of SentinelQuery attr objects.

Parameters:
  • yaml_files (dict) – Dictionary mapping query file paths to the YAML text of each file, as created by read_yaml_files

  • query_type (str) – Either “Hunting Queries” or “Detections”, or the name of another query category directory in the repository

Returns:

List of SentinelQuery attr objects built from the given dict of YAML files and query type

Return type:

list

msticpy.data.drivers.sentinel_query_reader.read_yaml_files(parent_dir: str, child_dir: str) → dict

Create a dictionary mapping query file paths to the YAML text each file contains.

Parameters:
  • parent_dir (str) – Directory storing the Hunting and Detections directories

  • child_dir (str) – Either “Hunting Queries” or “Detections”, or the name of another query category directory in the repository

Returns:

Dictionary mapping query file paths to the corresponding YAML text under the parent_dir/child_dir specified. Only files with a .yaml extension are picked up.

Return type:

dict
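The two functions above, read_yaml_files and import_sentinel_queries, form the offline half of the module's pipeline: walk a category directory for .yaml files, then turn each file's text into a SentinelQuery object. The following is an added example, not msticpy's own code, that mirrors that pipeline stand-alone and adds the check a practitioner wants before handing third-party query text on to write_to_yaml: a schema validation of each record. It assumes the Azure-Sentinel repository's YAML key names (id, queryFrequency, relevantTechniques and so on) as the author of this example knows them; the names QueryRecord, read_yaml_text_files, import_query_files, validate and run_pipeline are this example's, and the sample query files are constructed. They are written as JSON, which is also valid YAML, so the demo parses them with json.loads; point loader= at yaml.safe_load for real repository files.

```python
from __future__ import annotations

import json
import re
import tempfile
from dataclasses import field, make_dataclass
from pathlib import Path
from typing import Any, Callable

# Repo YAML key -> SentinelQuery attribute name (the key names are an assumption about the repo schema).
KEY_MAP = {
    "id": "query_id", "name": "name", "description": "description", "severity": "severity",
    "queryFrequency": "query_frequency", "queryPeriod": "query_period", "version": "version",
    "triggerOperator": "trigger_operator", "triggerThreshold": "trigger_threshold", "kind": "kind",
    "tactics": "tactics", "relevantTechniques": "relevant_techniques", "query": "query", "tags": "tags",
    "entityMappings": "entity_mappings", "customDetails": "custom_details",
    "alertDetailsOverride": "alert_details_override", "requiredDataConnectors": "required_data_connectors",
}
VALID_SEVERITIES = {"Informational", "Low", "Medium", "High"}
SCHEDULED_REQUIRED = ("query_frequency", "query_period", "trigger_operator", "trigger_threshold")
TECHNIQUE_RE = re.compile(r"^T\d{4}(\.\d{3})?$")

# Plain-dataclass mirror of the attrs SentinelQuery class: same attribute names, empty defaults.
STR_FIELDS = ("query_id", "name", "description", "severity", "query_frequency", "query_period",
              "trigger_operator", "trigger_threshold", "version", "kind", "folder_name",
              "source_file_name", "query_type", "query")
LIST_FIELDS = ("tactics", "relevant_techniques", "tags")
DICT_FIELDS = ("entity_mappings", "custom_details", "alert_details_override", "required_data_connectors")
QueryRecord = make_dataclass("QueryRecord",
    [(f, Any, field(default="")) for f in STR_FIELDS]
    + [(f, list, field(default_factory=list)) for f in LIST_FIELDS]
    + [(f, Any, field(default_factory=dict)) for f in DICT_FIELDS])

def read_yaml_text_files(parent_dir: str | Path, child_dir: str) -> dict[str, str]:
    """Map each *.yaml under parent_dir/child_dir to its text; like read_yaml_files, .yml is not matched."""
    root = Path(parent_dir) / child_dir
    return {str(p): p.read_text(encoding="utf-8") for p in sorted(root.rglob("*.yaml")) if p.is_file()}

def to_query_record(data: dict[str, Any], source_path: str, query_type: str) -> QueryRecord:
    """Rename the repo's camelCase keys to SentinelQuery attribute names; unknown keys are dropped."""
    path = Path(source_path)
    rec = QueryRecord(query_type=query_type, source_file_name=path.name, folder_name=path.parent.name)
    for key, attr in KEY_MAP.items():
        if data.get(key) is not None:
            setattr(rec, attr, data[key])
    return rec

def import_query_files(yaml_files: dict[str, str], query_type: str, loader: Callable[[str], Any]) -> list:
    """Parse each file's text with loader (yaml.safe_load for real repo files) into QueryRecords."""
    records = []
    for path, text in yaml_files.items():
        data = loader(text)
        if not isinstance(data, dict):  # an empty file or bare scalar would otherwise fail later
            raise ValueError(f"{path}: top level of the YAML document is not a mapping")
        records.append(to_query_record(data, path, query_type))
    return records

def validate(rec: QueryRecord) -> list[str]:
    """Problems that would make the query unusable as a scheduled analytics rule."""
    problems = [f"missing {a}" for a in ("query_id", "name", "query") if not getattr(rec, a)]
    if rec.severity and rec.severity not in VALID_SEVERITIES:
        problems.append(f"unknown severity {rec.severity!r}")
    if rec.kind == "Scheduled":
        problems += [f"Scheduled rule missing {a}" for a in SCHEDULED_REQUIRED if getattr(rec, a) in ("", None)]
    problems += [f"malformed ATT&CK technique id {t!r}" for t in rec.relevant_techniques
                 if not TECHNIQUE_RE.match(str(t))]
    return problems

# Constructed samples, not real repository detections; stored as JSON so the demo needs no YAML library.
GOOD_QUERY = {
    "id": "00000000-0000-4000-8000-000000000001", "name": "Many failed sign-ins from one IP",
    "description": "Constructed sample.", "severity": "Medium", "kind": "Scheduled", "version": "1.0.0",
    "queryFrequency": "1h", "queryPeriod": "1h", "triggerOperator": "gt", "triggerThreshold": 0,
    "tactics": ["CredentialAccess"], "relevantTechniques": ["T1110.001"],
    "query": "SigninLogs | where ResultType != 0 | summarize Failures=count() by IPAddress | where Failures > 50",
}
BAD_QUERY = {"id": "00000000-0000-4000-8000-000000000002", "name": "Broken sample", "kind": "Scheduled",
             "severity": "Critical", "relevantTechniques": ["T11"], "query": "SecurityEvent | take 1"}

def run_pipeline(root: str | Path | None = None) -> dict[str, Any]:
    """Lay out <root>/Detections/<folder>/ like the repo, then read, import and validate."""
    if root is None:
        with tempfile.TemporaryDirectory() as tmp:
            return run_pipeline(tmp)
    folder = Path(root) / "Detections" / "SigninLogs"
    folder.mkdir(parents=True, exist_ok=True)
    (folder / "FailedSignins.yaml").write_text(json.dumps(GOOD_QUERY), encoding="utf-8")
    (folder / "Broken.yaml").write_text(json.dumps(BAD_QUERY), encoding="utf-8")
    (folder / "Ignored.yml").write_text(json.dumps(GOOD_QUERY), encoding="utf-8")
    (folder / "README.md").write_text("not a query", encoding="utf-8")
    records = import_query_files(read_yaml_text_files(root, "Detections"), "Detections", loader=json.loads)
    # .yml files are silently missed by a .yaml-only scan; report them rather than assume the import is complete.
    skipped = [p.name for p in sorted((Path(root) / "Detections").rglob("*.yml")) if p.is_file()]
    return {"problems": {r.source_file_name: validate(r) for r in records}, "skipped_yml": skipped}
```

Running run_pipeline() reports an empty problem list for the well-formed sample, six problems for the broken one (an unknown severity, four missing Scheduled fields and a malformed technique id), and one skipped .yml file. The validation rules are deliberately conservative: a query that fails them would not deploy cleanly as an analytics rule, so catching it here is cheaper than after write_to_yaml has produced the msticpy query file.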

msticpy.data.drivers.sentinel_query_reader.write_to_yaml(query_list: list, query_type: str, output_folder: str) → bool

Write out generated YAML files of the given query_list into the given output_folder.

Parameters:
  • query_list (list) – List of SentinelQuery attr objects generated by import_sentinel_queries()

  • query_type (str) – Either “Hunting Queries” or “Detections”, or the name of another query category directory in the repository

  • output_folder (str) – Path to the folder where the written YAML files are stored

Returns:

True if succeeded; False if an error occurred

Return type:

bool