| Azure |
list_aad_signins_for_account |
Lists Azure AD Signins for Account |
account_name (str) |
SigninLogs |
| Azure |
list_aad_signins_for_ip |
Lists Azure AD Signins for an IP Address |
ip_address_list (list) |
SigninLogs |
| Azure |
list_all_signins_geo |
Gets Signin data used by morph charts |
|
SigninLogs |
| Azure |
list_azure_activity_for_account |
Lists Azure Activity for Account |
account_name (str) |
AzureActivity |
| Azure |
list_azure_activity_for_ip |
Lists Azure Activity for Caller IP Address(es) |
ip_address_list (list) |
AzureActivity |
| Azure |
list_azure_activity_for_resource |
Lists Azure Activity for a Resource |
resource (str) |
AzureActivity |
| AzureNetwork |
az_net_analytics |
All Azure Network Analytics Data |
start (datetime), end (datetime) |
AzureNetworkAnalytics_CL |
| AzureNetwork |
get_heartbeat_for_host |
Retrieves latest OMS Heartbeat event for host. |
host_name (str) |
Heartbeat |
| AzureNetwork |
get_heartbeat_for_ip |
Retrieves latest OMS Heartbeat event for ip address. |
ip_address (str) |
Heartbeat |
| AzureNetwork |
get_host_for_ip |
Gets the latest AzureNetworkAnalytics interface event for a host. |
ip_address (str) |
AzureNetworkAnalytics_CL |
| AzureNetwork |
get_ips_for_host |
Gets the latest AzureNetworkAnalytics interface event for a host. |
host_name (str) |
AzureNetworkAnalytics_CL |
| AzureNetwork |
list_azure_network_flows_by_host |
Retrieves Azure network analytics flow events. |
host_name (str), start (datetime), end (datetime) |
AzureNetworkAnalytics_CL |
| AzureNetwork |
list_azure_network_flows_by_ip |
Retrieves Azure network analytics flow events. |
ip_address_list (list), start (datetime), end (datetime) |
AzureNetworkAnalytics_CL |
| AzureSentinel |
get_bookmark_by_id |
Retrieves a single Bookmark by BookmarkId |
bookmark_id (str) |
HuntingBookmark |
| AzureSentinel |
get_bookmark_by_name |
Retrieves one or more Bookmarks by Bookmark Name |
bookmark_name (str) |
HuntingBookmark |
| AzureSentinel |
list_bookmarks |
Retrieves list of bookmarks |
|
HuntingBookmark |
| AzureSentinel |
list_bookmarks_for_entity |
Retrieves bookmarks for entity string |
entity_id (str) |
HuntingBookmark |
| AzureSentinel |
list_bookmarks_for_tags |
Retrieves Bookmark by one or mare Tags |
bookmark_tags (list) |
HuntingBookmark |
| Heartbeat |
get_heartbeat_for_host |
Retrieves latest OMS Heartbeat event for host. |
host_name (str) |
Heartbeat |
| Heartbeat |
get_heartbeat_for_ip |
Retrieves latest OMS Heartbeat event for ip address. |
ip_address (str) |
Heartbeat |
| Heartbeat |
get_info_by_hostname |
Retrieves Information by Hostname |
start (datetime), end (datetime), host_name (str) |
Heartbeat |
| Heartbeat |
get_info_by_ipaddress |
Retrieves Information by IP address |
start (datetime), end (datetime), ip_address (str) |
Heartbeat |
| LinuxAudit |
auditd_all |
Extract all audit messages grouped by mssg_id |
start (datetime), end (datetime) |
AuditLog_CL |
| LinuxSyslog |
all_syslog |
Returns all syslog activity for a host |
start (datetime), end (datetime) |
Syslog |
| LinuxSyslog |
cron_activity |
All cron activity |
start (datetime), end (datetime) |
Syslog |
| LinuxSyslog |
list_host_logon_failures |
All failed user logon events on a host |
start (datetime), end (datetime), host_name (str) |
Syslog |
| LinuxSyslog |
list_logon_failures |
All failed user logon events on any host |
start (datetime), end (datetime) |
Syslog |
| LinuxSyslog |
list_logons_for_account |
All successful user logon events for account (all hosts) |
start (datetime), end (datetime), account_name (str) |
Syslog |
| LinuxSyslog |
list_logons_for_host |
All logon events on a host |
start (datetime), end (datetime), host_name (str) |
Syslog |
| LinuxSyslog |
list_logons_for_source_ip |
All successful user logon events for source IP (all hosts) |
start (datetime), end (datetime), ip_address (str) |
Syslog |
| LinuxSyslog |
squid_activity |
All squid proxy activity |
start (datetime), end (datetime), host_name (str) |
Syslog |
| LinuxSyslog |
sudo_activity |
All sudo activity |
start (datetime), end (datetime) |
Syslog |
| LinuxSyslog |
user_group_activity |
All user/group additions, deletions, and modifications |
start (datetime), end (datetime) |
Syslog |
| LinuxSyslog |
user_logon |
All user logon events on a host |
start (datetime), end (datetime), host_name (str) |
Syslog |
| MultiDataSource |
get_timeseries_anomalies |
Time Series filtered anomalies detected using built-in KQL time series function-series_decompose_anomalies |
table (str), start (datetime), end (datetime) |
na |
| MultiDataSource |
get_timeseries_data |
Retrieves TimeSeriesData prepared to use with built-in KQL time series functions |
table (str), start (datetime), end (datetime) |
na |
| MultiDataSource |
get_timeseries_decompose |
Time Series decomposition and anomalies generated using built-in KQL time series function- series_decompose |
table (str), start (datetime), end (datetime) |
na |
| MultiDataSource |
plot_timeseries_datawithbaseline |
Plot timeseries data using built-in KQL time series decomposition using built-in KQL render method |
table (str), start (datetime), end (datetime) |
na |
| MultiDataSource |
plot_timeseries_scoreanomolies |
Plot timeseries anomaly score using built-in KQL render method |
table (str), start (datetime), end (datetime) |
na |
| Network |
get_heartbeat_for_host |
Retrieves latest OMS Heartbeat event for host. |
host_name (str) |
Heartbeat |
| Network |
get_heartbeat_for_ip |
Retrieves latest OMS Heartbeat event for ip address. |
ip_address (str) |
Heartbeat |
| Network |
get_host_for_ip |
Gets the latest AzureNetworkAnalytics interface event for a host. |
ip_address (str) |
AzureNetworkAnalytics_CL |
| Network |
get_ips_for_host |
Gets the latest AzureNetworkAnalytics interface event for a host. |
host_name (str) |
AzureNetworkAnalytics_CL |
| Network |
list_azure_network_flows_by_host |
Retrieves Azure network analytics flow events. |
host_name (str), start (datetime), end (datetime) |
AzureNetworkAnalytics_CL |
| Network |
list_azure_network_flows_by_ip |
Retrieves Azure network analytics flow events. |
ip_address_list (list), start (datetime), end (datetime) |
AzureNetworkAnalytics_CL |
| Office365 |
list_activity_for_account |
Lists Office Activity for Account |
account_name (str) |
OfficeActivity |
| Office365 |
list_activity_for_ip |
Lists Office Activity for Caller IP Address(es) |
ip_address_list (list) |
OfficeActivity |
| Office365 |
list_azure_activity_for_resource |
Lists Office Activity for a Resource |
resource (str) |
OfficeActivity |
| SecurityAlert |
get_alert |
Retrieves a single alert by SystemAlertId |
system_alert_id (str) |
SecurityAlert |
| SecurityAlert |
list_alerts |
Retrieves list of alerts |
|
SecurityAlert |
| SecurityAlert |
list_alerts_counts |
Retrieves summary count of alerts by type |
|
SecurityAlert |
| SecurityAlert |
list_alerts_for_ip |
Retrieves list of alerts with a common IP Address |
start (datetime), end (datetime), source_ip_list (str) |
SecurityAlert |
| SecurityAlert |
list_related_alerts |
Retrieves list of alerts with a common host, account or process |
|
SecurityAlert |
| ThreatIntelligence |
list_indicators |
Retrieves list of all current indicators. |
|
ThreatIntelligenceIndicator |
| ThreatIntelligence |
list_indicators_by_domain |
Retrieves list of indicators by domain |
observables (list) |
ThreatIntelligenceIndicator |
| ThreatIntelligence |
list_indicators_by_email |
Retrieves list of indicators by email address |
observables (list) |
ThreatIntelligenceIndicator |
| ThreatIntelligence |
list_indicators_by_filepath |
Retrieves list of indicators by file path |
observables (list) |
ThreatIntelligenceIndicator |
| ThreatIntelligence |
list_indicators_by_hash |
Retrieves list of indicators by file hash |
observables (list) |
ThreatIntelligenceIndicator |
| ThreatIntelligence |
list_indicators_by_ip |
Retrieves list of indicators by IP Address |
observables (list) |
ThreatIntelligenceIndicator |
| ThreatIntelligence |
list_indicators_by_url |
Retrieves list of indicators by URL |
observables (list) |
ThreatIntelligenceIndicator |
| WindowsSecurity |
get_host_logon |
Retrieves the logon event for the session id on the host |
start (datetime), end (datetime), host_name (str), logon_session_id (str) |
SecurityEvent |
| WindowsSecurity |
get_parent_process |
Retrieves the parent process of a supplied process |
start (datetime), end (datetime), host_name (str), process_name (str), process_id (str), logon_session_id (str) |
SecurityEvent |
| WindowsSecurity |
get_process_tree |
Retrieves the process tree of a supplied process |
start (datetime), end (datetime), host_name (str), process_name (str), process_id (str), logon_session_id (str) |
SecurityEvent |
| WindowsSecurity |
list_all_logons_by_host |
account all failed or successful logons to a host |
start (datetime), end (datetime), host_name (str) |
SecurityEvent |
| WindowsSecurity |
list_events |
Retrieves list of all events |
start (datetime), end (datetime) |
SecurityEvent |
| WindowsSecurity |
list_events_by_id |
Retrieves list of events on a host |
start (datetime), end (datetime), event_list (list) |
SecurityEvent |
| WindowsSecurity |
list_host_events |
Retrieves list of all events on a host |
start (datetime), end (datetime), host_name (str) |
SecurityEvent |
| WindowsSecurity |
list_host_events_by_id |
Retrieves list of events on a host |
start (datetime), end (datetime), host_name (str) |
SecurityEvent |
| WindowsSecurity |
list_host_logon_failures |
Retrieves the logon failure events on the host |
start (datetime), end (datetime), host_name (str) |
SecurityEvent |
| WindowsSecurity |
list_host_logons |
Retrieves the logon events on the host |
start (datetime), end (datetime), host_name (str) |
SecurityEvent |
| WindowsSecurity |
list_host_processes |
Retrieves list of processes on a host |
start (datetime), end (datetime), host_name (str) |
SecurityEvent |
| WindowsSecurity |
list_hosts_matching_commandline |
Retrieves processes on hosts with matching commandline |
start (datetime), end (datetime), process_name (str), commandline (str) |
SecurityEvent |
| WindowsSecurity |
list_logon_attempts_by_account |
Retrieves the logon events for an account |
start (datetime), end (datetime), account_name (str) |
SecurityEvent |
| WindowsSecurity |
list_logon_failures_by_account |
Retrieves the logon failure events for an account |
start (datetime), end (datetime), account_name (str) |
SecurityEvent |
| WindowsSecurity |
list_logons_by_account |
Retrieves the logon events for an account |
start (datetime), end (datetime), account_name (str) |
SecurityEvent |
| WindowsSecurity |
list_matching_processes |
Retrieves list of processes matching process name |
start (datetime), end (datetime), process_name (str) |
SecurityEvent |
| WindowsSecurity |
list_other_events |
Retrieves list of events other than logon and process on a host |
start (datetime), end (datetime), host_name (str) |
SecurityEvent |
| WindowsSecurity |
list_processes_in_session |
Retrieves all processes on the host for a logon session |
start (datetime), end (datetime), host_name (str), process_name (str), process_id (str), logon_session_id (str) |
SecurityEvent |