Microsoft Sentinel Workspaces
This is a class to help you search for and resolve Microsoft Sentinel workspace details.
The methods of this class are class methods, so, unlike other Sentinel APIs, you do not need to instantiate the class with a specific workspace.
Many of the methods of this class require authenticated access to the Azure Resource Graph, so you should run az_connect() before trying to use them.
Getting Workspace details from portal URL
You can copy a URL from the Sentinel portal and use get_workspace_details_from_url to retrieve full details of the workspace. These are returned in a format that you can add to your Microsoft Sentinel settings.

    import msticpy
    from msticpy.context.azure import MicrosoftSentinel
    from msticpy.auth.azure_auth import az_connect

    az_connect()

    portal_url = "https://ms.portal.azure.com/#blade/Microsoft_Azure_Secu..."
    MicrosoftSentinel.get_workspace_details_from_url(portal_url)

    {'contoso55': {'WorkspaceId': '4cf452c0-b9ac-4b2f-a8b4-f83d13c07a5b',
      'TenantId': '72f988bf-86f1-41af-91ab-2d7cd011db47',
      'SubscriptionId': '3c1bb38c-82e3-4f8d-a115-a7110ba70d05',
      'ResourceGroup': 'contoso55-eus',
      'WorkspaceName': 'contoso55',
      'WorkspaceTenantId': '72f988bf-86f1-41af-91ab-2d7cd011db47'}}
Get workspace resource ID from URL
get_resource_id_from_url

    MicrosoftSentinel.get_resource_id_from_url(portal_url)

    '/subscriptions/3c1bb38c-82e3-4f8d-a115-a7110ba70d05/resourcegroups/contoso55-eus/providers/Microsoft.OperationalInsights/workspaces/contoso55'
Get workspace ID from a Workspace Name
get_workspace_id

    MicrosoftSentinel.get_workspace_id(workspace_name="asihuntomsworkspacev4")

    '52b1ab41-869e-4138-9e40-2a4457f09bf0'

If you have access to multiple workspaces you may see the warning shown in the output below. Add a subscription_id or resource_group name to disambiguate this.

    '52b1ab41-869e-4138-9e40-2a4457f09bf0'

    Warning: query returned multiple results. Specify subscription_id and/or resource_group for more accurate results.
    '4cf452c0-b9ac-4b2f-a8b4-f83d13c07a5b'
Get workspace name from a Workspace or Resource ID
get_workspace_name

    MicrosoftSentinel.get_workspace_name('52b1ab41-869e-4138-9e40-2a4457f09bf0')

    'ASIHuntOMSWorkspaceV4'
Get Workspace settings from Workspace name or ID
get_workspace_settings

    MicrosoftSentinel.get_workspace_settings('52b1ab41-869e-4138-9e40-2a4457f09bf0')

    {'ASIHuntOMSWorkspaceV4': {'WorkspaceId': '52b1ab41-869e-4138-9e40-2a4457f09bf0',
      'TenantId': '72f988bf-86f1-41af-91ab-2d7cd011db47',
      'SubscriptionId': '40dcc8bf-0478-4f3b-b275-ed0a94f2c013',
      'ResourceGroup': 'asihuntomsworkspacerg',
      'WorkspaceName': 'ASIHuntOMSWorkspaceV4',
      'WorkspaceTenantId': '72f988bf-86f1-41af-91ab-2d7cd011db47'}}

get_workspace_settings_by_name

    MicrosoftSentinel.get_workspace_settings_by_name('ASIHuntOMSWorkspaceV4')

    {'ASIHuntOMSWorkspaceV4': {'WorkspaceId': '52b1ab41-869e-4138-9e40-2a4457f09bf0',
      'TenantId': '72f988bf-86f1-41af-91ab-2d7cd011db47',
      'SubscriptionId': '40dcc8bf-0478-4f3b-b275-ed0a94f2c013',
      'ResourceGroup': 'asihuntomsworkspacerg',
      'WorkspaceName': 'ASIHuntOMSWorkspaceV4',
      'WorkspaceTenantId': '72f988bf-86f1-41af-91ab-2d7cd011db47'}}
Again, when searching for workspace details by name, you may need to provide the Subscription ID and/or Resource Group name to disambiguate multiple workspaces with the same name.
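The two details above that practitioners most often get wrong are the shape of the workspace resource ID (returned by get_resource_id_from_url) and the name lookup that silently picks one of several same-named workspaces unless you pass subscription_id or resource_group. The following is an added example, not msticpy's own code: it parses a resource ID into the SubscriptionId/ResourceGroup/WorkspaceName fields of the settings block shown above, validates the GUIDs, and runs a name lookup over a constructed inventory (standing in for Azure Resource Graph results) that reproduces the "query returned multiple results" warning and shows how the filters remove the ambiguity. The function names, the second same-named workspace and its GUIDs are constructed for this example; the first inventory entry reuses the values shown on the page.

```python
# Added example, not msticpy's own code. Names and SAMPLE_WORKSPACES are constructed.
import re
import uuid
import warnings
from typing import Dict, List, Optional

# Shape shown on the page, matched case-insensitively (ARM paths are):
# /subscriptions/<sub>/resourcegroups/<rg>/providers/Microsoft.OperationalInsights/workspaces/<name>
_WORKSPACE_ID_RE = re.compile(
    r"^/subscriptions/(?P<sub>[^/]+)"
    r"/resourcegroups/(?P<rg>[^/]+)"
    r"/providers/microsoft\.operationalinsights/workspaces/(?P<name>[^/]+)$",
    re.IGNORECASE,
)


def _as_guid(value: str, label: str) -> str:
    """Validate and normalise a GUID; a bad GUID means a mangled URL or ID."""
    try:
        return str(uuid.UUID(value))
    except ValueError as err:
        raise ValueError(f"{label} is not a GUID: {value!r}") from err


def is_workspace_resource_id(resource_id: str) -> bool:
    """True if the string has the Log Analytics workspace resource-ID shape."""
    return _WORKSPACE_ID_RE.match(resource_id.strip()) is not None


def parse_resource_id(resource_id: str) -> Dict[str, str]:
    """Split a workspace resource ID into the settings fields it carries."""
    match = _WORKSPACE_ID_RE.match(resource_id.strip())
    if match is None:
        raise ValueError(f"not a workspace resource ID: {resource_id!r}")
    return {
        "SubscriptionId": _as_guid(match["sub"], "SubscriptionId"),
        "ResourceGroup": match["rg"],
        "WorkspaceName": match["name"],
    }


def settings_entry(resource_id: str, workspace_id: str, tenant_id: str) -> Dict[str, Dict[str, str]]:
    """Build the {name: {...}} block shown on the page from its three inputs."""
    fields = parse_resource_id(resource_id)
    fields["WorkspaceId"] = _as_guid(workspace_id, "WorkspaceId")
    fields["TenantId"] = _as_guid(tenant_id, "TenantId")
    fields["WorkspaceTenantId"] = fields["TenantId"]
    return {fields["WorkspaceName"]: fields}


def find_workspaces(
    inventory: List[Dict[str, str]],
    workspace_name: str,
    subscription_id: Optional[str] = None,
    resource_group: Optional[str] = None,
) -> List[Dict[str, str]]:
    """All workspaces matching the name, narrowed by the optional filters.

    Comparisons are case-insensitive: the page shows 'asihuntomsworkspacev4'
    resolving to 'ASIHuntOMSWorkspaceV4'.
    """
    def same(actual: str, wanted: Optional[str]) -> bool:
        return wanted is None or actual.lower() == wanted.lower()

    return [
        ws for ws in inventory
        if same(ws["WorkspaceName"], workspace_name)
        and same(ws["SubscriptionId"], subscription_id)
        and same(ws["ResourceGroup"], resource_group)
    ]


def resolve_workspace(inventory, workspace_name, subscription_id=None, resource_group=None):
    """Return one workspace; warn like the page does when the name is ambiguous."""
    matches = find_workspaces(inventory, workspace_name, subscription_id, resource_group)
    if not matches:
        return None
    if len(matches) > 1:
        warnings.warn(
            "query returned multiple results. Specify subscription_id "
            "and/or resource_group for more accurate results."
        )
    return matches[0]


# Constructed stand-in for Azure Resource Graph results. The first entry reuses
# the page's values; the second same-named workspace is invented to make the
# name lookup ambiguous.
SAMPLE_WORKSPACES = [
    {"WorkspaceName": "contoso55", "WorkspaceId": "4cf452c0-b9ac-4b2f-a8b4-f83d13c07a5b",
     "SubscriptionId": "3c1bb38c-82e3-4f8d-a115-a7110ba70d05", "ResourceGroup": "contoso55-eus",
     "TenantId": "72f988bf-86f1-41af-91ab-2d7cd011db47"},
    {"WorkspaceName": "contoso55", "WorkspaceId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
     "SubscriptionId": "11111111-2222-3333-4444-555555555555", "ResourceGroup": "contoso55-weu",
     "TenantId": "72f988bf-86f1-41af-91ab-2d7cd011db47"},  # constructed entry
]

if __name__ == "__main__":
    rid = ("/subscriptions/3c1bb38c-82e3-4f8d-a115-a7110ba70d05/resourcegroups/contoso55-eus"
           "/providers/Microsoft.OperationalInsights/workspaces/contoso55")
    print(settings_entry(rid, "4cf452c0-b9ac-4b2f-a8b4-f83d13c07a5b", "72f988bf-86f1-41af-91ab-2d7cd011db47"))
    print(resolve_workspace(SAMPLE_WORKSPACES, "contoso55"))  # warns, returns the first match
    print(resolve_workspace(SAMPLE_WORKSPACES, "contoso55", resource_group="contoso55-weu"))
```

When you script the configuration step, treat the warning as an error rather than accepting the first match: a lookup that quietly resolves to a workspace in a different subscription sends your queries (and your credentials) to a tenant boundary you did not intend.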
These functions are used in the MSTICPy configuration tools MpConfigEdit and MpConfigFile to help resolve workspace settings details for configuration.