msticpy.context.azure.sentinel_core module

Uses the Microsoft Sentinel APIs to interact with Microsoft Sentinel Workspaces.

msticpy.context.azure.sentinel_core.AzureSentinel

alias of MicrosoftSentinel

class msticpy.context.azure.sentinel_core.MicrosoftSentinel(res_id: Optional[str] = None, connect: bool = False, cloud: Optional[str] = None, sub_id: Optional[str] = None, res_grp: Optional[str] = None, ws_name: Optional[str] = None, **kwargs)

Bases: SentinelAnalyticsMixin, SentinelHuntingMixin, SentinelBookmarksMixin, SentinelIncidentsMixin, SentinelUtilsMixin, SentinelWatchlistsMixin, SentinelSearchlistsMixin, SentinelWorkspacesMixin, AzureData

Class for returning key Microsoft Sentinel elements.

Initialize connector for Azure APIs.

Parameters

• res_id (str, optional) – Set the Sentinel workspace resource ID you want to use, if not specified defaults will be looked for or details can be passed seperately with functions.

• connect (bool, optional) – Set true if you want to connect to API on initialization, by default False

• cloud (str, optional) – Specify cloud to use, overriding any configuration value. Default is to use configuration setting or public cloud if no configuration setting is available.

• sub_id (str, optional) – If not specifying a resource ID the Subscription ID of the Sentinel Workspace by default None

• res_grp (str, optional) – If not specifying a resource ID the Resource Group name of the Sentinel Workspace, by default None

• ws_name (str, optional) – If not specifying a resource ID the Workspace name of the Sentinel Workspace, by default None

add_bookmark_to_incident(incident: str, bookmark: str)

Add a bookmark to an incident.

Parameters

• incident (str) – Either an incident name or an incident GUID

• bookmark (str) – Either a bookmark name or bookmark GUID

Raises

CloudError – If API returns error

add_watchlist_item(watchlist_name: str, item: Union[Dict, Series, DataFrame], overwrite: bool = False)

Add or update an item in a Watchlist.

Parameters

• watchlist_name (str) – The name of the watchlist to add items to

• item (Union[Dict, pd.Series, pd.DataFrame]) – The item to add, this can be a dictionary of valies, a Pandas Series, or DataFrame

• overwrite (bool, optional) – Wether you want to overwrite an item if it already exists in the watchlist, by default False

Raises

• MsticpyUserError – If the specified Watchlist does not exist.

• MsticpyUserError – If the item already exists in the Watchlist and overwrite is set to False

• CloudError – If the API returns an error.

check_connected()

Check that Sentinel workspace is connected.

check_search_status(search_name: str) → bool

Check the status of a search job.

Parameters

search_name (str) – The name of the search job to check.

Returns

Returns True if search is ready.

Return type

bool

Raises

CloudError – If error in checking the search job status.

connect(auth_methods: Optional[List] = None, tenant_id: Optional[str] = None, silent: bool = False, **kwargs)

Authenticate with the SDK & API.

Parameters

• auth_methods (List, optional) – list of preferred authentication methods to use, by default None

• tenant_id (str, optional) – Specify cloud tenant to use

• silent (bool, optional) – Set true to prevent output during auth process, by default False

create_analytic_rule(template: Optional[str] = None, name: Optional[str] = None, enabled: bool = True, query: Optional[str] = None, query_frequency: str = 'PT5H', query_period: str = 'PT5H', severity: str = 'Medium', suppression_duration: str = 'PT1H', suppression_enabled: bool = False, trigger_operator: str = 'GreaterThan', trigger_threshold: int = 0, description: Optional[str] = None, tactics: Optional[list] = None)

Create a Sentinel Analytics Rule.

Parameters

• template (str, optional) – The GUID or name of a templated to create the analytic from, by default None

• name (str, optional) – The name to give the analytic, by default None

• enabled (bool, optional) – Whether you want the analytic to be enabled once deployed, by default True

• query (str, optional) – The KQL query string to use in the anlaytic, by default None

• query_frequency (str, optional) – How often the query should run in ISO8601 format, by default “PT5H”

• query_period (str, optional) – How far back the query should look in ISO8601 format, by default “PT5H”

• severity (str, optional) – The severity to raise incidents as, by default “Medium” Options are; Informational, Low, Medium, or High

• suppression_duration (str, optional) – How long to suppress duplicate alerts in ISO8601 format, by default “PT1H”

• suppression_enabled (bool, optional) – Whether you want to suppress duplicates, by default False

• trigger_operator (str, optional) – The operator for the trigger, by default “GreaterThan”

• trigger_threshold (int, optional) – The threshold of events required to create the incident, by default 0

• description (str, optional) – A description of the analytic, by default None

• tactics (list, optional) – A list of MITRE ATT&CK tactics related to the analytic, by default None

Raises

• MsticpyUserError – If template provided isn’t found.

• CloudError – If the API returns an error.

create_bookmark(name: str, query: str, results: Optional[str] = None, notes: Optional[str] = None, labels: Optional[List[str]] = None)

Create a bookmark in the Sentinel Workpsace.

Parameters

• name (str) – The name of the bookmark to use

• query (str) – The KQL query for the bookmark

• results (str, optional) – The results of the query to include with the bookmark, by default None

• notes (str, optional) – Any notes you want associated with the bookmark, by default None

• labels (List[str], optional) – Any labels you want associated with the bookmark, by default None

Raises

CloudError – If API retunrs an error.

create_incident(title: str, severity: str, status: str = 'New', description: Optional[str] = None, first_activity_time: Optional[datetime] = None, last_activity_time: Optional[datetime] = None, labels: Optional[List] = None, bookmarks: Optional[List] = None)

Create a Sentinel Incident.

Parameters

• title (str) – The title of the incident to create

• severity (str) –

  The severity to assign the incident, options are:

  Informational, Low, Medium, High

• status (str, optional) – The status to assign the incident, by default “New” Options are: New, Active, Closed

• description (str, optional) – A description of the incident, by default None

• first_activity_time (datetime, optional) – The start time of the incident activity, by default None

• last_activity_time (datetime, optional) – The end time of the incident activity, by default None

• labels (List, optional) – Any labels to apply to the incident, by default None

• bookmarks (List, optional) – A list of bookmark GUIDS you want to associate with the incident

Raises

CloudError – If the API returns an error

create_search(query: str, start: Optional[datetime] = None, end: Optional[datetime] = None, search_name: Optional[str] = None, **kwargs)

Create a Search job.

Parameters

• query (str) – The KQL query to run as a job.

• start (datetime, optional) – The start time for the query, by default 90 days ago.

• end (datetime, optional) – The end time for the query, by default now.

• search_name (str, optional) – A name to apply to the search, by default a random GUID is generated.

Raises

CloudError – If there is an error creating the search job.

create_watchlist(watchlist_name: str, description: str, search_key: str, provider: str = 'MSTICPy', source: str = 'Notebook', data: Optional[DataFrame] = None)

Create a new watchlist.

Parameters

• watchlist_name (str) – The name of the watchlist you want to create, this can’t be the name of an existing watchlist.

• description (str) – A description of the watchlist to be created.

• search_key (str) – The search key is used to optimize query performance when using watchlists for joins with other data. This should be the key column that will be used in the watchlist when joining to other data tables.

• provider (str, optional) – This is the label attached to the watchlist showing who created it, by default “MSTICPy”

• source (str, optional) – The source of the data to be put in the watchlist, by default “Notebook”

• data (pd.DataFrame, optional) – The data you want to upload to the watchlist

Raises

• MsticpyUserError – Raised if the watchlist name already exists.

• CloudError – If there is an issue creating the watchlist.

delete_analytic_rule(analytic_rule: str)

Delete a deployed Analytic rule from a Sentinel workspace.

Parameters

analytic_rule (str) – The GUID or name of the analytic.

Raises

CloudError – If the API returns an error.

delete_bookmark(bookmark: str)

Delete the selected bookmark.

Parameters

bookmark (str, optional) – The name or GIUD of the bookmark to delete.

Raises

CloudError – If the API returns an error.

delete_search(search_name: str)

Delete a search result.

Parameters

search_name (str) – The name of the search to delete.

Raises

CloudError – If an error occurs when attempting to delete the search

delete_watchlist(watchlist_name: str)

Delete a selected Watchlist.

Parameters

watchlist_name (str) – The name of the Watchlist to deleted

Raises

• MsticpyUserError – If Watchlist does not exist.

• CloudError – If the API returns an error.

get_alert_rules() → DataFrame

Return all Microsoft Sentinel alert rules for a workspace.

Returns

A table of the workspace’s alert rules.

Return type

pd.DataFrame

get_analytic_rules() → DataFrame

Return all Microsoft Sentinel alert rules for a workspace.

Returns

A table of the workspace’s alert rules.

Return type

pd.DataFrame

get_bookmarks() → DataFrame

Return a list of Bookmarks from a Sentinel workspace.

Returns

A set of bookmarks.

Return type

pd.DataFrame

get_entities(incident: str) → list

Get the entities from an incident.

Parameters

incident (str) – Incident GUID or Name .

Returns

A list of entities.

Return type

list

get_hunting_queries() → DataFrame

Return all custom hunting queries in a Microsoft Sentinel workspace.

Returns

A table of the custom hunting queries.

Return type

pd.DataFrame

get_incident(incident: str, entities: bool = False, alerts: bool = False, comments: bool = False, bookmarks: bool = False) → DataFrame

Get details on a specific incident.

Parameters

• incident (str) – Incident ID GUID.

• entities (bool, optional) – If True include all entities in the response. Default is False.

• alerts (bool, optional) – If True include all alerts in the response. Default is False.

• comments (bool, optional) – If True include all comments in the response. Default is False.

• bookmarks (bool, optional) – If True include all bookmarks in the response. Default is False.

Returns

Table containing incident details.

Return type

pd.DataFrame

Raises

CloudError – If incident could not be retrieved.

get_incident_alerts(incident: str) → list

Get the alerts from an incident.

Parameters

incident (str) – Incident GUID or Name.

Returns

A list of alerts.

Return type

list

get_incident_bookmarks(incident: str) → list

Get the comments from an incident.

Parameters

incident (str) – Incident GUID or name.

Returns

A list of bookmarks.

Return type

list

get_incident_comments(incident: str) → list

Get the comments from an incident.

Parameters

incident (str) – Incident GUID or Name.

Returns

A list of comments.

Return type

list

get_incidents() → DataFrame

Get a list of incident for a Sentinel workspace.

Returns

A table of incidents.

Return type

pd.DataFrame

Raises

CloudError – If incidents could not be retrieved.

get_metrics(metrics: str, resource_id: str, sub_id: str, sample_time: str = 'hour', start_time: int = 30) → Dict[str, DataFrame]

Return specified metrics on Azure Resource.

Parameters

• metrics (str) – A string list of metrics you wish to collect (https://docs.microsoft.com/en-us/azure/azure-monitor/platform/metrics-supported)

• resource_id (str) – The resource ID of the resource to collet the metrics from

• sub_id (str) – The subscription ID that the resource is part of

• sample_time (str (Optional)) – You can select to collect the metrics every hour of minute - default is hour Accepted inputs = ‘hour’ or ‘minute’

• start_time (int (Optional)) – The number of days prior to today to collect metrics for, default is 30

Returns

results – A Dictionary of DataFrames containing the metrics details

Return type

dict

get_network_details(network_id: str, sub_id: str) → Tuple[DataFrame, DataFrame]

Return details related to an Azure network interface and associated NSG.

Parameters

• network_id (str) – The ID of the network interface to return details on

• sub_id (str) – The subscription ID that the network interface is part of

Returns

details – A dictionary of items related to the network interface

Return type

dict

get_resource_details(sub_id: str, resource_id: Optional[str] = None, resource_details: Optional[dict] = None) → dict

Return the details of a specific Azure resource.

Parameters

• resource_id (str, optional) – The ID of the resource to get details on

• resource_details (dict, optional) –

  If ID is unknown provide the following details:

  -resource_group_name -resource_provider_namespace -resource_type -resource_name -parent_resource_path

• sub_id (str) – The ID of the subscription to get resources from

Returns

resource_details – The details of the requested resource

Return type

dict

classmethod get_resource_id_from_url(portal_url: str) → str

Return resource ID components from Sentinel portal URL.

get_resources(sub_id: str, rgroup: Optional[str] = None, get_props: bool = False) → DataFrame

Return details on all resources in a subscription or Resource Group.

Parameters

• sub_id (str) – The subscription ID to get resources for

• rgroup (str (Optional)) – The name of a Resource Group to get resources for

• get_props (bool (Optional)) – Set to True if you want to get the full properties of every resource Warning this may be a slow process depending on the number of resources

Returns

A dataframe of resource details

Return type

pd.DataFrame

get_sentinel_workspaces(sub_id: str) → Dict[str, str]

Return a list of Microsoft Sentinel workspaces in a Subscription.

Parameters

sub_id (str) – The subscription ID to get a list of workspaces from. If not provided it will attempt to get sub_id from config files.

Returns

A dictionary of workspace names and ids

Return type

Dict

get_subscription_info(sub_id: str) → dict

Get information on a specific subscription.

Parameters

sub_id (str) – The ID of the subscription to return details on.

Returns

Details on the selected subscription.

Return type

dict

Raises

MsticpyNotConnectedError – If .connect() has not been called.

get_subscriptions() → DataFrame

Get details of all subscriptions within the tenant.

Returns

Details of the subscriptions present in the users tenant.

Return type

pd.DataFrame

Raises

MsticpyNotConnectedError – If .connect() has not been called

classmethod get_workspace_details_from_url(portal_url: str) → Dict[str, Dict[str, str]]

Return workspace settings from portal URL.

Parameters

portal_url (str) – URL from Sentinel Azure portal

Return type

Dict[str, Dict[str, str]]

classmethod get_workspace_id(workspace_name: str, subscription_id: str = '', resource_group: str = '') → Optional[str]

Return the workspace ID given workspace name.

Parameters

• workspace_name (str) – Workspace name (case insensitive)

• subscription_id (str, optional) – Azure subscription UUID, by default “”

• resource_group (str, optional) – Azure resource group name, by default “”

Returns

The ID of the workspace if found, else None

Return type

Optional[str]

classmethod get_workspace_name(workspace_id: Optional[str] = None, resource_id: Optional[str] = None) → Optional[str]

Return resolved name from workspace ID or resource ID.

Parameters

• workspace_id (Optional[str], optional) – The UUID of the Sentinel workspace, by default None

• resource_id (Optional[str], optional) – The Resource ID string of the workspace, by default None

Returns

The workspace name, if found, else None

Return type

Optional[str]

Raises

ValueError – If neither workspace_id or resource_id parameters are supplied.

classmethod get_workspace_settings(workspace_id: Optional[str] = None, resource_id: Optional[str] = None)

Return resolved workspace settings from workspace ID or resource ID.

Parameters

• workspace_id (Optional[str], optional) – The UUID of the Sentinel workspace, by default None

• resource_id (Optional[str], optional) – The Resource ID string of the workspace, by default None

Returns

The workspace name, if found, else None

Return type

Dict[str, str]

Raises

ValueError – If neither workspace_id or resource_id parameters are supplied.

classmethod get_workspace_settings_by_name(workspace_name: str, subscription_id: str = '', resource_group: str = '')

Return the workspace ID given workspace name.

Parameters

• workspace_name (str) – Workspace name (case insensitive)

• subscription_id (str, optional) – Azure subscription UUID, by default “”

• resource_group (str, optional) – Azure resource group name, by default “”

Returns

The ID of the workspace if found, else None

Return type

Optional[str]

list_alert_rules() → DataFrame

Return all Microsoft Sentinel alert rules for a workspace.

Returns

A table of the workspace’s alert rules.

Return type

pd.DataFrame

list_analytic_rules() → DataFrame

Return all Microsoft Sentinel alert rules for a workspace.

Returns

A table of the workspace’s alert rules.

Return type

pd.DataFrame

list_analytic_templates() → DataFrame

List Analytic Templates.

Returns

A DataFrame containing the analytics templates

Return type

pd.DataFrame

Raises

CloudError – If a valid result is not returned.

list_bookmarks() → DataFrame

Return a list of Bookmarks from a Sentinel workspace.

Returns

A set of bookmarks.

Return type

pd.DataFrame

list_data_connectors() → DataFrame

List deployed data connectors.

Returns

A DataFrame containing the deployed data connectors

Return type

pd.DataFrame

Raises

CloudError – If a valid result is not returned.

list_hunting_queries() → DataFrame

Return all custom hunting queries in a Microsoft Sentinel workspace.

Returns

A table of the custom hunting queries.

Return type

pd.DataFrame

list_incidents() → DataFrame

Get a list of incident for a Sentinel workspace.

Returns

A table of incidents.

Return type

pd.DataFrame

Raises

CloudError – If incidents could not be retrieved.

list_sentinel_workspaces(sub_id: str) → Dict[str, str]

Return a list of Microsoft Sentinel workspaces in a Subscription.

Parameters

sub_id (str) – The subscription ID to get a list of workspaces from. If not provided it will attempt to get sub_id from config files.

Returns

A dictionary of workspace names and ids

Return type

Dict

list_watchlist_items(watchlist_name: str) → DataFrame

List items in a watchlist.

Parameters

watchlist_name (str) – The name of the watchlist to get items from

Returns

A DataFrame containing the watchlists

Return type

pd.DataFrame

Raises

CloudError – If a valid result is not returned.

list_watchlists() → DataFrame

List Deployed Watchlists.

Returns

A DataFrame containing the watchlists

Return type

pd.DataFrame

Raises

CloudError – If a valid result is not returned.

post_comment(incident_id: str, comment: str)

Write a comment for an incident.

Parameters

• incident_id (str) – Incident ID GUID.

• comment (str) – Comment message to post.

Raises

CloudError – If message could not be posted.

set_default_subscription(subscription_id: str)

Set the default subscription to use to subscription_id.

set_default_workspace(sub_id: Optional[str], workspace: Optional[str] = None)

Set the default workspace.

Parameters

• sub_id (Optional[str], optional) – Subscription ID containing the workspace. If not specified, the subscription will be taken from the default_subscription or from configuration.

• workspace (Optional[str], optional) – Name of the workspace, by default None. If not specified and there is only one workspace in the subscription, this will be set as the default.

Raises

ValueError – If no current or default subscription has been set.

update_incident(incident_id: str, update_items: dict)

Update properties of an incident.

Parameters

• incident_id (str) – Incident ID GUID.

• update_items (dict) – Dictionary of properties to update and their values. https://docs.microsoft.com/rest/api/securityinsights/ stable/incidents/create-or-update

Raises

CloudError – If incident could not be updated.