Microsoft Sentinel Search

Create Search

You can trigger a Search job with ‘create_search’. When calling this function, you can pass the following parameters:

  • ‘query’: the KQL query to run for the search.

  • ‘start’: the start time of the search. The default is 90 days ago.

  • ‘end’: the end time of the search. The default is now.

  • ‘search_name’: the name to give the search. The default is a random GUID.

  • ‘timespan’: instead of passing start and end times, you can provide a TimeSpan object.

  • ‘limit’: the maximum number of results to return. The default is 1000.

See create_search

sentinel.create_search(query="SecurityEvent | where * contains 'infected.exe'", search_name="docssearch")

Check Search Status

Complex Searches can take some time to complete. You can check the status of a search job with check_search_status.

Pass the function a Search job name and it will display the current status. If the Search results are ready for querying it returns True, otherwise False.

sentinel.check_search_status("docssearch")

If this function returns True you can run queries against the KQL table with the Search name to see the results. Note that the table name has ‘_SRCH’ appended to the name provided to create_search:

# qry_prov is a QueryProvider connected to the same Sentinel workspace
qry_prov.exec_query("docssearch_SRCH | take 10")

Delete a Search

Once a Search job is no longer useful you can delete it with delete_search. This deletes the table associated with the search.

sentinel.delete_search("docssearch")
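The three steps above (create, poll until ready, query the _SRCH table, delete) are usually run together, and the polling step is where notebooks tend to hang when a job never becomes ready. The following is an added example, not msticpy's own code, that wires the steps into a bounded poll loop. It uses only the method names documented on this page (create_search, check_search_status, delete_search and exec_query); the FakeSentinel and FakeQueryProvider classes are constructed stand-ins so the example runs offline, and in a notebook you would pass a connected MicrosoftSentinel and QueryProvider instance instead (assumed to be importable from msticpy.context.azure and msticpy respectively in msticpy 2.x). The helper names wait_for_search, run_search and search_table are hypothetical.

```python
# Added example (not msticpy's own code): create -> poll -> query -> delete
# lifecycle for a Sentinel Search job, with a bounded poll loop so a job that
# never becomes ready cannot hang the caller. Fake* classes are constructed
# stand-ins for MicrosoftSentinel and QueryProvider.
import time
import uuid
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional


def search_table(search_name: str) -> str:
    """Sentinel exposes Search-job results in a table named '<search_name>_SRCH'."""
    return f"{search_name}_SRCH"


def wait_for_search(sentinel, search_name: str, max_polls: int = 40,
                    poll_interval_s: float = 15.0,
                    sleep: Callable[[float], None] = time.sleep) -> int:
    """Poll check_search_status until it returns True.

    Returns the number of checks made. Raises TimeoutError after max_polls
    checks; the job is left in place so it can be checked again later.
    """
    for attempt in range(1, max_polls + 1):
        if sentinel.check_search_status(search_name):
            return attempt
        sleep(poll_interval_s)
    raise TimeoutError(f"search {search_name!r} not ready after {max_polls} checks")


def run_search(sentinel, qry_prov, query: str, search_name: Optional[str] = None,
               days_back: int = 90, limit: int = 1000, take: int = 10,
               sleep: Callable[[float], None] = time.sleep):
    """Create a Search job, wait for it, read its results, then delete the table."""
    search_name = search_name or f"srch_{uuid.uuid4().hex[:8]}"
    end = datetime.now(timezone.utc)
    start = end - timedelta(days=days_back)
    sentinel.create_search(query=query, search_name=search_name,
                           start=start, end=end, limit=limit)
    wait_for_search(sentinel, search_name, sleep=sleep)  # may raise TimeoutError
    try:
        return qry_prov.exec_query(f"{search_table(search_name)} | take {take}")
    finally:
        # _SRCH tables persist (and cost storage) until explicitly deleted.
        sentinel.delete_search(search_name)


class FakeSentinel:
    """Constructed stand-in: the job reports ready on the N-th status check."""

    def __init__(self, ready_after: int):
        self.ready_after = ready_after
        self.checks = 0
        self.jobs = {}       # search_name -> query
        self.deleted = []

    def create_search(self, query, search_name, start, end, limit):
        self.jobs[search_name] = query

    def check_search_status(self, search_name):
        self.checks += 1
        return search_name in self.jobs and self.checks >= self.ready_after

    def delete_search(self, search_name):
        self.jobs.pop(search_name)
        self.deleted.append(search_name)


class FakeQueryProvider:
    """Constructed stand-in: serves rows only for a _SRCH table whose job exists."""

    def __init__(self, sentinel: FakeSentinel, rows):
        self.sentinel = sentinel
        self.rows = rows

    def exec_query(self, query: str):
        table = query.split("|")[0].strip()
        if not table.endswith("_SRCH") or table[:-len("_SRCH")] not in self.sentinel.jobs:
            raise LookupError(f"table {table!r} does not exist")
        take = int(query.rsplit("take", 1)[1])
        return self.rows[:take]


if __name__ == "__main__":
    # Constructed sample rows standing in for SecurityEvent hits.
    sample = [{"Computer": "wks01", "Process": "infected.exe"}] * 12
    sentinel = FakeSentinel(ready_after=3)
    rows = run_search(sentinel, FakeQueryProvider(sentinel, sample),
                      "SecurityEvent | where * contains 'infected.exe'",
                      search_name="docssearch", sleep=lambda _s: None)
    print(len(rows), "rows;", sentinel.checks, "status checks;", sentinel.deleted)
```

Passing `sleep=lambda _s: None` is only for the offline run; with a real workspace keep the default so the loop does not hammer the status endpoint. The TimeoutError path deliberately leaves the job undeleted, since a slow but healthy job can still be checked with check_search_status and cleaned up with delete_search by hand.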

© Copyright 2019, (c) Microsoft Corporation.. Revision 559f910e.
