msticpy.context.azure.sentinel_analytics module

Mixin Classes for Sentinel Analytics Features.

class msticpy.context.azure.sentinel_analytics.SentinelAnalyticsMixin

Bases: object

Mixin class for Sentinel Analytics feature integrations.

create_analytic_rule(template: str | None = None, name: str | None = None, enabled: bool = True, query: str | None = None, query_frequency: str = 'PT5H', query_period: str = 'PT5H', severity: str = 'Medium', suppression_duration: str = 'PT1H', suppression_enabled: bool = False, trigger_operator: str = 'GreaterThan', trigger_threshold: int = 0, description: str | None = None, tactics: list | None = None) -> str | None

Create a Sentinel Analytics Rule.

Parameters:
  • template (str, optional) – The GUID or name of a template to create the analytic from, by default None

  • name (str, optional) – The name to give the analytic, by default None

  • enabled (bool, optional) – Whether you want the analytic to be enabled once deployed, by default True

  • query (str, optional) – The KQL query string to use in the analytic, by default None

  • query_frequency (str, optional) – How often the query should run in ISO8601 format, by default “PT5H”

  • query_period (str, optional) – How far back the query should look in ISO8601 format, by default “PT5H”

  • severity (str, optional) – The severity to raise incidents as, by default “Medium”. Options are: Informational, Low, Medium, or High

  • suppression_duration (str, optional) – How long to suppress duplicate alerts in ISO8601 format, by default “PT1H”

  • suppression_enabled (bool, optional) – Whether you want to suppress duplicates, by default False

  • trigger_operator (str, optional) – The operator for the trigger, by default “GreaterThan”

  • trigger_threshold (int, optional) – The threshold of events required to create the incident, by default 0

  • description (str, optional) – A description of the analytic, by default None

  • tactics (list, optional) – A list of MITRE ATT&CK tactics related to the analytic, by default None

Returns:

The name/ID of the analytic rule.

Return type:

Optional[str]

Raises:
  • MsticpyUserError – If template provided isn’t found.

  • CloudError – If the API returns an error.
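Because a mis-specified scheduled rule (an unparseable ISO 8601 duration, a lookback shorter than the run interval, an unknown severity) only surfaces as a CloudError after the API call, it is worth checking the settings locally first. The helper below is an added example, not part of msticpy: it mirrors the defaults of create_analytic_rule above and returns a kwargs dict for it; the severity list is from the docstring, while the trigger operators beyond "GreaterThan" are assumed from the Sentinel scheduled-rule API rather than from this page.

```python
import re
from datetime import timedelta
from typing import Any, Dict

# Defaults mirror the create_analytic_rule signature on this page. SEVERITIES comes
# from its docstring; TRIGGER_OPERATORS is assumed from the Sentinel API (only
# "GreaterThan" is documented here).
DEFAULTS: Dict[str, Any] = {
    "enabled": True, "query_frequency": "PT5H", "query_period": "PT5H",
    "severity": "Medium", "suppression_duration": "PT1H",
    "suppression_enabled": False, "trigger_operator": "GreaterThan",
    "trigger_threshold": 0, "description": None, "tactics": None,
}
SEVERITIES = ("Informational", "Low", "Medium", "High")
TRIGGER_OPERATORS = ("GreaterThan", "LessThan", "Equal", "NotEqual")
_ISO_DURATION = re.compile(
    r"^P(?:(?P<days>\d+)D)?"
    r"(?:T(?:(?P<hours>\d+)H)?(?:(?P<minutes>\d+)M)?(?:(?P<seconds>\d+)S)?)?$"
)


def parse_iso_duration(value: str) -> timedelta:
    """Convert a day/time ISO 8601 duration such as 'PT5H' into a timedelta."""
    match = _ISO_DURATION.match(value)
    if not match or not any(match.groups()):
        raise ValueError(f"{value!r} is not a supported ISO 8601 duration")
    return timedelta(**{k: int(v) for k, v in match.groupdict().items() if v})


def build_rule_params(name: str, query: str, **overrides: Any) -> Dict[str, Any]:
    """Validate scheduled-rule settings and return kwargs for create_analytic_rule()."""
    unknown = sorted(set(overrides) - set(DEFAULTS))
    if unknown:
        raise ValueError(f"unknown settings: {unknown}")  # catches misspelled keywords
    params = {**DEFAULTS, **overrides, "name": name, "query": query}
    if not name.strip() or not query.strip():
        raise ValueError("name and query must not be empty")
    if params["severity"] not in SEVERITIES:
        raise ValueError(f"severity must be one of {SEVERITIES}")
    if params["trigger_operator"] not in TRIGGER_OPERATORS:
        raise ValueError(f"trigger_operator must be one of {TRIGGER_OPERATORS}")
    if not isinstance(params["trigger_threshold"], int) or params["trigger_threshold"] < 0:
        raise ValueError("trigger_threshold must be a non-negative integer")
    frequency, period = (parse_iso_duration(params[k]) for k in ("query_frequency", "query_period"))
    # A lookback shorter than the run interval leaves windows the rule never scans.
    if period < frequency:
        raise ValueError("query_period must be at least query_frequency")
    if params["suppression_enabled"]:
        parse_iso_duration(params["suppression_duration"])
    return params
```

The returned dict is meant to be passed straight through as `sentinel.create_analytic_rule(**params)` once a connected SentinelAnalyticsMixin instance is available.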

delete_analytic_rule(analytic_rule: str)

Delete a deployed Analytic rule from a Sentinel workspace.

Parameters:

analytic_rule (str) – The GUID or name of the analytic.

Raises:

CloudError – If the API returns an error.

get_alert_rules() -> DataFrame

Return all Microsoft Sentinel alert rules for a workspace.

Returns:

A table of the workspace’s alert rules.

Return type:

pd.DataFrame

get_analytic_rules() -> DataFrame

Return all Microsoft Sentinel alert rules for a workspace.

Returns:

A table of the workspace’s alert rules.

Return type:

pd.DataFrame

list_alert_rules() -> DataFrame

Return all Microsoft Sentinel alert rules for a workspace.

Returns:

A table of the workspace’s alert rules.

Return type:

pd.DataFrame

list_analytic_rules() -> DataFrame

Return all Microsoft Sentinel alert rules for a workspace.

Returns:

A table of the workspace’s alert rules.

Return type:

pd.DataFrame

list_analytic_templates() -> DataFrame

List Analytic Templates.

Returns:

A DataFrame containing the analytics templates

Return type:

pd.DataFrame

Raises:

CloudError – If a valid result is not returned.

class msticpy.context.azure.sentinel_analytics.SentinelHuntingMixin

Bases: object

Mixin class for Sentinel Hunting feature integrations.

get_hunting_queries() -> DataFrame

Return all custom hunting queries in a Microsoft Sentinel workspace.

Returns:

A table of the custom hunting queries.

Return type:

pd.DataFrame

list_hunting_queries() -> DataFrame

Return all custom hunting queries in a Microsoft Sentinel workspace.

Returns:

A table of the custom hunting queries.

Return type:

pd.DataFrame

list_saved_queries() -> DataFrame

Return all saved queries in a Microsoft Sentinel workspace.

Returns:

A table of the custom hunting queries.

Return type:

pd.DataFrame