msticpy.context.azure.sentinel_analytics module
Mixin Classes for Sentinel Analytics Features.
- class msticpy.context.azure.sentinel_analytics.SentinelAnalyticsMixin
Bases:
object
Mixin class for Sentinel Analytics feature integrations.
- create_analytic_rule(template: str | None = None, name: str | None = None, enabled: bool = True, query: str | None = None, query_frequency: str = 'PT5H', query_period: str = 'PT5H', severity: str = 'Medium', suppression_duration: str = 'PT1H', suppression_enabled: bool = False, trigger_operator: str = 'GreaterThan', trigger_threshold: int = 0, description: str | None = None, tactics: list | None = None) → str | None
Create a Sentinel Analytics Rule.
- Parameters:
template (str, optional) – The GUID or name of a template to create the analytic from, by default None
name (str, optional) – The name to give the analytic, by default None
enabled (bool, optional) – Whether you want the analytic to be enabled once deployed, by default True
query (str, optional) – The KQL query string to use in the analytic, by default None
query_frequency (str, optional) – How often the query should run in ISO8601 format, by default “PT5H”
query_period (str, optional) – How far back the query should look in ISO8601 format, by default “PT5H”
severity (str, optional) – The severity to raise incidents as, by default “Medium”. Options are Informational, Low, Medium, or High
suppression_duration (str, optional) – How long to suppress duplicate alerts in ISO8601 format, by default “PT1H”
suppression_enabled (bool, optional) – Whether you want to suppress duplicates, by default False
trigger_operator (str, optional) – The operator for the trigger, by default “GreaterThan”
trigger_threshold (int, optional) – The threshold of events required to create the incident, by default 0
description (str, optional) – A description of the analytic, by default None
tactics (list, optional) – A list of MITRE ATT&CK tactics related to the analytic, by default None
- Returns:
The name/ID of the analytic rule.
- Return type:
Optional[str]
- Raises:
MsticpyUserError – If template provided isn’t found.
CloudError – If the API returns an error.
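Because the API only reports a malformed rule after the call has been made, it is worth checking the arguments locally first. The following pre-flight check is an added example written for this page, not msticpy code: it parses the ISO8601 durations, rejects a lookback shorter than the run interval (events in the gap would never be scanned), and checks the severity and trigger settings. The set of accepted trigger operators is an assumption; the page only names the default.

```python
"""Pre-flight checks for SentinelAnalyticsMixin.create_analytic_rule arguments (example, not msticpy)."""
import re
from datetime import timedelta

SEVERITIES = {"Informational", "Low", "Medium", "High"}
# Assumption: the operators accepted by Sentinel scheduled rules; the page only documents the default.
TRIGGER_OPERATORS = {"GreaterThan", "LessThan", "Equal", "NotEqual"}
_ISO_DURATION = re.compile(
    r"^P(?:(?P<d>\d+)D)?(?:T(?:(?P<h>\d+)H)?(?:(?P<m>\d+)M)?(?:(?P<s>\d+)S)?)?$"
)


def parse_iso_duration(value: str) -> timedelta:
    """Convert an ISO8601 duration such as 'PT5H' or 'P1DT12H' into a timedelta."""
    match = _ISO_DURATION.match(value)
    if not match or value in ("P", "PT"):
        raise ValueError(f"not an ISO8601 duration: {value!r}")
    parts = {key: int(val) for key, val in match.groupdict().items() if val}
    return timedelta(days=parts.get("d", 0), hours=parts.get("h", 0),
                     minutes=parts.get("m", 0), seconds=parts.get("s", 0))


def validate_rule_args(**kwargs) -> dict:
    """Return keyword arguments safe to pass to create_analytic_rule, or raise ValueError."""
    args = {"query_frequency": "PT5H", "query_period": "PT5H", "severity": "Medium",
            "suppression_duration": "PT1H", "trigger_operator": "GreaterThan",
            "trigger_threshold": 0, **kwargs}
    if not args.get("query") and not args.get("template"):
        raise ValueError("either a KQL query or a template is required")
    freq = parse_iso_duration(args["query_frequency"])
    period = parse_iso_duration(args["query_period"])
    parse_iso_duration(args["suppression_duration"])
    # A lookback shorter than the run interval leaves a window no run ever inspects.
    if period < freq:
        raise ValueError(f"query_period {period} is shorter than query_frequency {freq}")
    if args["severity"] not in SEVERITIES:
        raise ValueError(f"severity must be one of {sorted(SEVERITIES)}")
    if args["trigger_operator"] not in TRIGGER_OPERATORS:
        raise ValueError(f"trigger_operator must be one of {sorted(TRIGGER_OPERATORS)}")
    if not isinstance(args["trigger_threshold"], int) or args["trigger_threshold"] < 0:
        raise ValueError("trigger_threshold must be a non-negative integer")
    return args


if __name__ == "__main__":
    # Constructed sample rule; pass the result as sentinel.create_analytic_rule(**rule).
    rule = validate_rule_args(name="Failed logon burst",
                              query="SecurityEvent | where EventID == 4625",
                              query_frequency="PT1H", query_period="PT2H",
                              severity="High", trigger_threshold=20)
    print(rule)
```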
- delete_analytic_rule(analytic_rule: str)
Delete a deployed Analytic rule from a Sentinel workspace.
- Parameters:
analytic_rule (str) – The GUID or name of the analytic.
- Raises:
CloudError – If the API returns an error.
- get_alert_rules() → DataFrame
Return all Microsoft Sentinel alert rules for a workspace.
- Returns:
A table of the workspace’s alert rules.
- Return type:
pd.DataFrame
- get_analytic_rules() → DataFrame
Return all Microsoft Sentinel alert rules for a workspace.
- Returns:
A table of the workspace’s alert rules.
- Return type:
pd.DataFrame
- list_alert_rules() → DataFrame
Return all Microsoft Sentinel alert rules for a workspace.
- Returns:
A table of the workspace’s alert rules.
- Return type:
pd.DataFrame
- class msticpy.context.azure.sentinel_analytics.SentinelHuntingMixin
Bases:
object
Mixin class for Sentinel Hunting feature integrations.
- get_hunting_queries() → DataFrame
Return all custom hunting queries in a Microsoft Sentinel workspace.
- Returns:
A table of the custom hunting queries.
- Return type:
pd.DataFrame