msticpy.context.azure.sentinel_core module
Uses the Microsoft Sentinel APIs to interact with Microsoft Sentinel Workspaces.
- msticpy.context.azure.sentinel_core.AzureSentinel: alias of MicrosoftSentinel
- class msticpy.context.azure.sentinel_core.MicrosoftSentinel(resource_id: str | None = None, connect: bool | None = False, cloud: str | None = None, subscription_id: str | None = None, resource_group: str | None = None, workspace_name: str | None = None, **kwargs)
Bases: SentinelAnalyticsMixin, SentinelHuntingMixin, SentinelBookmarksMixin, SentinelDynamicSummaryMixin, SentinelIncidentsMixin, SentinelUtilsMixin, SentinelWatchlistsMixin, SentinelSearchlistsMixin, SentinelWorkspacesMixin, SentinelTIMixin, AzureData
Class for returning key Microsoft Sentinel elements.
Initialize connector for Azure APIs.
- Parameters:
resource_id (str, optional) – The full Azure resource ID of the Sentinel workspace to use. If not specified, defaults are looked up from configuration, or the workspace details can be passed separately to individual functions; by default None. res_id is an alias for resource_id.
connect (bool, optional) – Set true if you want to connect to API on initialization, by default False
cloud (str, optional) – Specify cloud to use, overriding any configuration value. Default is to use configuration setting or public cloud if no configuration setting is available.
subscription_id (str, optional) – If not specifying a resource ID, the subscription ID of the Sentinel workspace; by default None. sub_id is an alias for subscription_id.
resource_group (str, optional) – If not specifying a resource ID, the resource group name of the Sentinel workspace; by default None. res_grp is an alias for resource_group.
workspace_name (str, optional) – If not specifying a resource ID, the name of the Sentinel workspace; by default None. ws_name and workspace are aliases for workspace_name.
Notes
There are multiple ways to set the default workspace for the Microsoft Sentinel class:
1. Specify a full Azure resource ID for the workspace in the resource_id parameter.
2. Specify the subscription ID, resource group and workspace name in the subscription_id, resource_group and workspace parameters.
3. Specify only a workspace name in the workspace parameter. This will read the workspace details from the msticpyconfig configuration file.
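The first two forms above describe the same workspace either as one resource ID string or as its three components. The helper below (an added example, not part of msticpy) converts between the two so a notebook can accept whichever form an analyst pastes in; the subscription GUID and names are constructed sample values.

```python
import re
from typing import Dict, Optional

# Constructed sample values: not a real subscription, resource group or workspace.
SAMPLE_SUBSCRIPTION_ID = "12345678-1234-1234-1234-123456789abc"
SAMPLE_RESOURCE_GROUP = "soc-rg"
SAMPLE_WORKSPACE_NAME = "soc-workspace"
SAMPLE_RESOURCE_ID = (
    f"/subscriptions/{SAMPLE_SUBSCRIPTION_ID}"
    f"/resourceGroups/{SAMPLE_RESOURCE_GROUP}"
    "/providers/Microsoft.OperationalInsights"
    f"/workspaces/{SAMPLE_WORKSPACE_NAME}"
)

_GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)

# Log Analytics (Sentinel) workspaces live under the Microsoft.OperationalInsights provider.
_WORKSPACE_RES_ID_RE = re.compile(
    r"^/subscriptions/(?P<subscription_id>[^/]+)"
    r"/resourceGroups/(?P<resource_group>[^/]+)"
    r"/providers/Microsoft\.OperationalInsights"
    r"/workspaces/(?P<workspace_name>[^/]+)/?$",
    re.IGNORECASE,
)


def parse_workspace_resource_id(resource_id: str) -> Optional[Dict[str, str]]:
    """Split a workspace resource ID into the three components used by form 2.

    Returns None when the string is not a Log Analytics workspace resource ID
    (for example a VM or storage-account resource ID), so the caller can
    reject it instead of passing it on as resource_id.
    """
    match = _WORKSPACE_RES_ID_RE.match(resource_id.strip())
    if not match:
        return None
    parts = match.groupdict()
    if not _GUID_RE.match(parts["subscription_id"]):
        return None
    return parts


def build_workspace_resource_id(
    subscription_id: str, resource_group: str, workspace_name: str
) -> str:
    """Assemble the form-1 resource ID from the form-2 components, validating them first."""
    if not _GUID_RE.match(subscription_id):
        raise ValueError(f"subscription_id is not a GUID: {subscription_id!r}")
    for label, value in (("resource_group", resource_group), ("workspace_name", workspace_name)):
        # A '/' would change the path structure and make the ID point elsewhere.
        if not value or "/" in value:
            raise ValueError(f"{label} must be non-empty and contain no '/': {value!r}")
    return (
        f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
        f"/providers/Microsoft.OperationalInsights/workspaces/{workspace_name}"
    )


def workspace_kwargs(value: str) -> Dict[str, str]:
    """Return keyword arguments for MicrosoftSentinel(...) from either form.

    A parseable resource ID is passed through as resource_id; anything else is
    treated as a bare workspace name (form 3, resolved from msticpyconfig).
    """
    if parse_workspace_resource_id(value):
        return {"resource_id": value.strip()}
    return {"workspace_name": value.strip()}


if __name__ == "__main__":
    print(parse_workspace_resource_id(SAMPLE_RESOURCE_ID))
    print(workspace_kwargs(SAMPLE_WORKSPACE_NAME))
```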
- add_bookmark_to_incident(incident: str, bookmark: str)
Add a bookmark to an incident.
- Parameters:
incident (str) – Either an incident name or an incident GUID
bookmark (str) – Either a bookmark name or bookmark GUID
- Raises:
CloudError – If API returns error
- add_tag(indicator_id: str, tag: str)
Add a tag to an existing indicator.
- Parameters:
indicator_id (str) – The GUID of the indicator to add a tag to.
tag (str) – The tag to add.
- add_watchlist_item(watchlist_name: str, item: Dict | Series | DataFrame, overwrite: bool = False)
Add or update an item in a Watchlist.
- Parameters:
watchlist_name (str) – The name of the watchlist to add items to
item (Union[Dict, pd.Series, pd.DataFrame]) – The item to add; this can be a dictionary of values, a Pandas Series, or a DataFrame
overwrite (bool, optional) – Whether to overwrite an item if it already exists in the watchlist, by default False
- Raises:
MsticpyUserError – If the specified Watchlist does not exist.
MsticpyUserError – If the item already exists in the Watchlist and overwrite is set to False
CloudError – If the API returns an error.
- bulk_create_indicators(data: DataFrame, indicator_column: str = 'Observable', indicator_type_column: str = 'IoCType', **kwargs)
Bulk create indicators from a DataFrame.
- Parameters:
data (pd.DataFrame) – A dataframe containing indicators and indicator types
indicator_column (str, optional) – The column containing indicator values to create, by default “Observable”
indicator_type_column (str, optional) – The column containing indicator type values, by default “IoCType”
confidence_column (str, optional) – The column containing indicator confidence values, by default 0 value used.
- check_connected()
Check that Sentinel workspace is connected.
- check_search_status(search_name: str) bool
Check the status of a search job.
- Parameters:
search_name (str) – The name of the search job to check.
- Returns:
Returns True if search is ready.
- Return type:
bool
- Raises:
CloudError – If error in checking the search job status.
- connect(auth_methods: List | None = None, tenant_id: str | None = None, silent: bool = False, **kwargs)
Authenticate with the SDK & API.
- Parameters:
auth_methods (List, optional) – list of preferred authentication methods to use, by default None
tenant_id (str, optional) – Specify cloud tenant to use
silent (bool, optional) – Set true to prevent output during auth process, by default False
cloud (str, optional) – What Azure cloud to connect to. By default it will attempt to use the cloud setting from config file. If this is not set it will default to Azure Public Cloud
credential (AzureCredential, optional) – Credentials to use for authentication. This will use the credential directly and bypass the MSTICPy Azure credential selection process.
workspace_name (str, optional) – If specified, this will override any default workspace settings set during initialization. workspace is an alias for workspace_name.
subscription_id (str, optional) – If specified, this will override the subscription ID set during initialization. sub_id is an alias for subscription_id.
resource_group (str, optional) – If specified, this will override the resource group name set during initialization. res_grp is an alias for resource_group.
Notes
You can also override the default settings (set during initialization) by supplying either 1) a full Azure resource_id for the workspace or 2) individual subscription_id, resource_group and workspace_name parameters. In the second case, supplying one or more of these will override the corresponding default settings from initialization for the duration of the authenticated session. E.g. specifying a workspace_name will override the default workspace name, but the subscription ID and resource group will remain as set during initialization.
To revert to the initialization default settings, run connect() again without any of these parameters.
See also
msticpy.auth.azure_auth.az_connect
function to authenticate to Azure SDK
set_default_workspace
method to set the default workspace settings
- create_analytic_rule(template: str | None = None, name: str | None = None, enabled: bool = True, query: str | None = None, query_frequency: str = 'PT5H', query_period: str = 'PT5H', severity: str = 'Medium', suppression_duration: str = 'PT1H', suppression_enabled: bool = False, trigger_operator: str = 'GreaterThan', trigger_threshold: int = 0, description: str | None = None, tactics: list | None = None) str | None
Create a Sentinel Analytics Rule.
- Parameters:
template (str, optional) – The GUID or name of a template to create the analytic from, by default None
name (str, optional) – The name to give the analytic, by default None
enabled (bool, optional) – Whether you want the analytic to be enabled once deployed, by default True
query (str, optional) – The KQL query string to use in the analytic, by default None
query_frequency (str, optional) – How often the query should run, in ISO8601 duration format, by default “PT5H”
query_period (str, optional) – How far back the query should look, in ISO8601 duration format, by default “PT5H”
severity (str, optional) – The severity to raise incidents as, by default “Medium”. Options are Informational, Low, Medium, or High
suppression_duration (str, optional) – How long to suppress duplicate alerts in ISO8601 format, by default “PT1H”
suppression_enabled (bool, optional) – Whether you want to suppress duplicates, by default False
trigger_operator (str, optional) – The operator for the trigger, by default “GreaterThan”
trigger_threshold (int, optional) – The threshold of events required to create the incident, by default 0
description (str, optional) – A description of the analytic, by default None
tactics (list, optional) – A list of MITRE ATT&CK tactics related to the analytic, by default None
- Returns:
The name/ID of the analytic rule.
- Return type:
Optional[str]
- Raises:
MsticpyUserError – If template provided isn’t found.
CloudError – If the API returns an error.
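Because create_analytic_rule() takes its schedule as ISO8601 duration strings and only accepts the four documented severities, it is worth checking the parameters locally before making the API call. The check below is an added example, not msticpy code; the ISO8601 parser covers the day/hour/minute/second forms used for rule schedules, and the period-versus-frequency comparison is the editor's own sanity check (a lookback shorter than the run interval leaves events between runs unexamined).

```python
import re
from typing import Dict, List

# Severity options documented for create_analytic_rule().
SEVERITIES = ("Informational", "Low", "Medium", "High")

# ISO8601 durations of the shape used for Sentinel schedules: P1D, PT5H, PT30M, PT1H30M.
_ISO_DURATION_RE = re.compile(
    r"^P(?:(?P<days>\d+)D)?"
    r"(?:T(?:(?P<hours>\d+)H)?(?:(?P<minutes>\d+)M)?(?:(?P<seconds>\d+)S)?)?$"
)


def iso8601_duration_seconds(value: str) -> int:
    """Convert an ISO8601 duration such as 'PT5H' to seconds; raise ValueError if malformed."""
    match = _ISO_DURATION_RE.match(value or "")
    if not match or value in ("P", "PT"):
        raise ValueError(f"not an ISO8601 duration: {value!r}")
    parts = {key: int(val or 0) for key, val in match.groupdict().items()}
    return parts["days"] * 86400 + parts["hours"] * 3600 + parts["minutes"] * 60 + parts["seconds"]


def check_rule_params(params: Dict) -> List[str]:
    """Return a list of problems with the keyword arguments intended for create_analytic_rule().

    An empty list means the parameters pass every local check.
    """
    problems: List[str] = []
    if params.get("severity", "Medium") not in SEVERITIES:
        problems.append(f"severity must be one of {SEVERITIES}, got {params.get('severity')!r}")
    if not params.get("query") and not params.get("template"):
        problems.append("either a KQL query or a template is needed; the rule would have nothing to run")

    durations: Dict[str, int] = {}
    defaults = {"query_frequency": "PT5H", "query_period": "PT5H", "suppression_duration": "PT1H"}
    for key, default in defaults.items():
        try:
            durations[key] = iso8601_duration_seconds(params.get(key, default))
        except ValueError as err:
            problems.append(f"{key}: {err}")
    if "query_frequency" in durations and "query_period" in durations:
        if durations["query_period"] < durations["query_frequency"]:
            problems.append(
                "query_period is shorter than query_frequency: events arriving between "
                "runs would never be examined"
            )
    threshold = params.get("trigger_threshold", 0)
    if not isinstance(threshold, int) or isinstance(threshold, bool) or threshold < 0:
        problems.append(f"trigger_threshold must be a non-negative int, got {threshold!r}")
    return problems


# Constructed sample rule parameters (not from a real workspace).
GOOD_RULE = {
    "name": "Multiple failed sign-ins followed by success",
    "query": "SigninLogs | where ResultType != 0 | summarize count() by UserPrincipalName",
    "query_frequency": "PT1H",
    "query_period": "PT1H",
    "severity": "Medium",
    "trigger_threshold": 5,
}
BAD_RULE = {**GOOD_RULE, "query_frequency": "PT5H", "query_period": "PT1H", "severity": "Critical"}

if __name__ == "__main__":
    print(check_rule_params(GOOD_RULE))
    for problem in check_rule_params(BAD_RULE):
        print("-", problem)
```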
- create_bookmark(name: str, query: str, results: str | None = None, notes: str | None = None, labels: List[str] | None = None) str | None
Create a bookmark in the Sentinel Workspace.
- Parameters:
name (str) – The name of the bookmark to use
query (str) – The KQL query for the bookmark
results (str, optional) – The results of the query to include with the bookmark, by default None
notes (str, optional) – Any notes you want associated with the bookmark, by default None
labels (List[str], optional) – Any labels you want associated with the bookmark, by default None
- Returns:
The name/ID of the bookmark.
- Return type:
Optional[str]
- Raises:
CloudError – If API returns an error.
- create_dynamic_summary(summary: DynamicSummary | None = None, name: str | None = None, description: str | None = None, data: DataFrame | None = None, **kwargs) str | None
Create a Dynamic Summary in the Sentinel Workspace.
- Parameters:
summary (DynamicSummary) – DynamicSummary instance.
name (str) – The name of the dynamic summary to create
description (str) – Dynamic Summary description
data (pd.DataFrame) – The summary data
- Returns:
The name/ID of the dynamic summary.
- Return type:
Optional[str]
- Raises:
MsticpyAzureConnectionError – If API returns an error.
- create_incident(title: str, severity: str, status: str = 'New', description: str | None = None, first_activity_time: datetime | None = None, last_activity_time: datetime | None = None, labels: List | None = None, bookmarks: List | None = None) str | None
Create a Sentinel Incident.
- Parameters:
title (str) – The title of the incident to create
severity (str) – The severity to assign the incident. Options are Informational, Low, Medium, High
status (str, optional) – The status to assign the incident, by default “New”. Options are New, Active, Closed
description (str, optional) – A description of the incident, by default None
first_activity_time (datetime, optional) – The start time of the incident activity, by default None
last_activity_time (datetime, optional) – The end time of the incident activity, by default None
labels (List, optional) – Any labels to apply to the incident, by default None
bookmarks (List, optional) – A list of bookmark GUIDS you want to associate with the incident
- Returns:
The name/ID of the incident.
- Return type:
Optional[str]
- Raises:
CloudError – If the API returns an error
- create_indicator(indicator: str, ioc_type: str, name: str = 'TI Indicator', confidence: int = 0, silent: bool = False, **kwargs) str
Create a new indicator within the Microsoft Sentinel workspace.
- Parameters:
indicator (str) – The indicator to create, e.g. an IP address, domain name, etc.
ioc_type (str) – The type of indicator to create. Can be: “dns”, “url”, “ipv4”, “ipv6”, “md5_hash”, “sha1_hash”, “sha256_hash”
name (str, optional) – A common name to give to the indicator, default is ‘TI Indicator’
confidence (int, optional) – A score between 0-100 of the confidence in the indicator, default is 0
silent (bool, optional) – If True no output is displayed, defaults to False
description (str, optional) – A description of the indicator
labels (list, optional) – A list of string labels to associate with the indicator
kill_chain_phases (list, optional) – A list of strings naming the kill chain phases the indicator is associated with
threat_types (list, optional) – A list of threat types associated with the indicator (list of string objects)
external_references (list, optional) – A list of URLs that provide an external reference for the indicator
valid_from (datetime, optional) – A datetime from which the indicator is valid from, defaults to now
valid_to (datetime, optional) – A datetime to which the indicator is valid until
- Returns:
The ID of the created indicator
- Return type:
str
- Raises:
MsticpyUserError – If invalid ioc_type or confidence value provided
CloudError – If API call fails
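Both bulk_create_indicators() and create_indicator() raise MsticpyUserError on an unsupported ioc_type or an out-of-range confidence, which for a bulk upload means the batch stops part-way through. The helper below, an added example rather than msticpy code, screens rows against the documented ioc_type values (“dns”, “url”, “ipv4”, “ipv6”, “md5_hash”, “sha1_hash”, “sha256_hash”) and the 0-100 confidence range, using the default “Observable” and “IoCType” column names; the rows and a “Confidence” column name are constructed for the example.

```python
import ipaddress
import re
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Expected hex length per hash ioc_type documented for create_indicator().
HASH_LENGTHS = {"md5_hash": 32, "sha1_hash": 40, "sha256_hash": 64}
VALID_IOC_TYPES = {"dns", "url", "ipv4", "ipv6", *HASH_LENGTHS}
_HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
# Hostname: dot-separated labels of 1-63 chars, no leading/trailing hyphen, alphabetic TLD.
_DNS_RE = re.compile(r"^(?=.{1,253}$)(?!-)(?:[a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$", re.I)


def indicator_is_valid(value: str, ioc_type: str) -> bool:
    """Return True if value is plausibly an indicator of the given documented ioc_type."""
    if ioc_type in HASH_LENGTHS:
        return len(value) == HASH_LENGTHS[ioc_type] and bool(_HEX_RE.match(value))
    if ioc_type in ("ipv4", "ipv6"):
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            return False
        return addr.version == (4 if ioc_type == "ipv4" else 6)
    if ioc_type == "dns":
        return bool(_DNS_RE.match(value))
    if ioc_type == "url":
        parsed = urlparse(value)
        return parsed.scheme in ("http", "https") and bool(parsed.netloc)
    return False  # any other ioc_type would be rejected by create_indicator()


def confidence_is_valid(confidence) -> bool:
    """create_indicator() documents confidence as an int score between 0 and 100."""
    return isinstance(confidence, int) and not isinstance(confidence, bool) and 0 <= confidence <= 100


def partition_indicators(
    rows: List[Dict],
    indicator_column: str = "Observable",
    indicator_type_column: str = "IoCType",
    confidence_column: str = "Confidence",
) -> Tuple[List[Dict], List[Tuple[Dict, str]]]:
    """Split rows into (uploadable, rejected-with-reason); duplicates are rejected too."""
    valid: List[Dict] = []
    rejected: List[Tuple[Dict, str]] = []
    seen = set()
    for row in rows:
        value = str(row.get(indicator_column, "")).strip()
        ioc_type = str(row.get(indicator_type_column, "")).strip().lower()
        confidence = row.get(confidence_column, 0)
        if ioc_type not in VALID_IOC_TYPES:
            rejected.append((row, f"unsupported ioc_type {ioc_type!r}"))
        elif not indicator_is_valid(value, ioc_type):
            rejected.append((row, f"value does not look like a {ioc_type} indicator"))
        elif not confidence_is_valid(confidence):
            rejected.append((row, "confidence must be an int between 0 and 100"))
        elif (value.lower(), ioc_type) in seen:
            rejected.append((row, "duplicate indicator"))
        else:
            seen.add((value.lower(), ioc_type))
            valid.append({**row, indicator_column: value, indicator_type_column: ioc_type})
    return valid, rejected


# Constructed sample feed using documentation/reserved address ranges and example domains.
SAMPLE_ROWS = [
    {"Observable": "198.51.100.23", "IoCType": "ipv4", "Confidence": 80},
    {"Observable": "2001:db8::1", "IoCType": "ipv6", "Confidence": 50},
    {"Observable": "malicious.example.net", "IoCType": "dns", "Confidence": 60},
    {"Observable": "https://phish.example.org/login", "IoCType": "url", "Confidence": 70},
    {"Observable": "d41d8cd98f00b204e9800998ecf8427e", "IoCType": "md5_hash", "Confidence": 90},
    {"Observable": "198.51.100.23", "IoCType": "ipv6", "Confidence": 40},      # type mismatch
    {"Observable": "deadbeef", "IoCType": "sha256_hash", "Confidence": 10},    # wrong length
    {"Observable": "198.51.100.5", "IoCType": "ipv4", "Confidence": 120},      # confidence out of range
    {"Observable": "evil.example.com", "IoCType": "domain", "Confidence": 30}, # not a documented ioc_type
    {"Observable": "198.51.100.23", "IoCType": "ipv4", "Confidence": 80},      # duplicate of row 1
]

if __name__ == "__main__":
    ok, bad = partition_indicators(SAMPLE_ROWS)
    print(f"{len(ok)} rows ready for bulk_create_indicators, {len(bad)} rejected")
    for row, reason in bad:
        print(f"  {row['Observable']!r} ({row['IoCType']}): {reason}")
```

The uploadable rows can then be passed as pd.DataFrame(ok) to bulk_create_indicators(), with confidence_column="Confidence".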
- create_search(query: str, start: datetime | None = None, end: datetime | None = None, search_name: str | None = None, **kwargs)
Create a Search job.
- Parameters:
query (str) – The KQL query to run as a job.
start (datetime, optional) – The start time for the query, by default 90 days ago.
end (datetime, optional) – The end time for the query, by default now.
search_name (str, optional) – A name to apply to the search, by default a random GUID is generated.
- Raises:
CloudError – If there is an error creating the search job.
- create_watchlist(watchlist_name: str, description: str, search_key: str, provider: str = 'MSTICPy', source: str = 'Notebook', data: DataFrame | None = None) str | None
Create a new watchlist.
- Parameters:
watchlist_name (str) – The name of the watchlist you want to create, this can’t be the name of an existing watchlist.
description (str) – A description of the watchlist to be created.
search_key (str) – The search key is used to optimize query performance when using watchlists for joins with other data. This should be the key column that will be used in the watchlist when joining to other data tables.
provider (str, optional) – This is the label attached to the watchlist showing who created it, by default “MSTICPy”
source (str, optional) – The source of the data to be put in the watchlist, by default “Notebook”
data (pd.DataFrame, optional) – The data you want to upload to the watchlist
- Returns:
The name/ID of the watchlist.
- Return type:
Optional[str]
- Raises:
MsticpyUserError – Raised if the watchlist name already exists.
CloudError – If there is an issue creating the watchlist.
- property default_resource_group: str | None
Return the default resource group.
- property default_resource_id: str | None
Return the default resource ID.
- property default_subscription_id: str | None
Return the default subscription ID.
- property default_workspace_name: str | None
Return the default workspace Name.
- property default_workspace_settings: Dict[str, Any]
Return current default workspace settings.
- delete_analytic_rule(analytic_rule: str)
Delete a deployed Analytic rule from a Sentinel workspace.
- Parameters:
analytic_rule (str) – The GUID or name of the analytic.
- Raises:
CloudError – If the API returns an error.
- delete_bookmark(bookmark: str)
Delete the selected bookmark.
- Parameters:
bookmark (str, optional) – The name or GUID of the bookmark to delete.
- Raises:
CloudError – If the API returns an error.
- delete_dynamic_summary(summary_id: str)
Delete the Dynamic Summary for summary_id.
- Parameters:
summary_id (str, optional) – The UUID of the summary to delete.
- Raises:
MsticpyAzureConnectionError – If the API returns an error.
- delete_indicator(indicator_id: str)
Delete a specific TI indicator.
- Parameters:
indicator_id (str) – The GUID of the indicator to delete
- Raises:
CloudError – If API call fails
- delete_search(search_name: str)
Delete a search result.
- Parameters:
search_name (str) – The name of the search to delete.
- Raises:
CloudError – If an error occurs when attempting to delete the search
- delete_watchlist(watchlist_name: str)
Delete a selected Watchlist.
- Parameters:
watchlist_name (str) – The name of the Watchlist to delete
- Raises:
MsticpyUserError – If Watchlist does not exist.
CloudError – If the API returns an error.
- delete_watchlist_item(watchlist_name: str, watchlist_item_id: str)
Delete a Watchlist item.
- Parameters:
watchlist_name (str) – The name of the watchlist with the item to be deleted
watchlist_item_id (str) – The watchlist item ID to delete
- Raises:
MsticpyUserError – If the specified Watchlist does not exist.
CloudError – If the API returns an error.
- df_to_dynamic_summaries() List[DynamicSummary]
Return a list of DynamicSummary objects from a DataFrame of summaries.
- Parameters:
data (pd.DataFrame) – DataFrame containing dynamic summaries
- Returns:
List of Dynamic Summary objects.
- Return type:
List[DynamicSummary]
Examples
Use the following steps to obtain a list of dynamic summaries from MS Sentinel and convert to DynamicSummary objects.
```python
query = """
DynamicSummary
| where <some filter criteria>
| where SummaryStatus == "Active" or SummaryDataType == "SummaryItem"
"""
data = qry_prov.exec_query(query)
dyn_summaries = df_to_dynamic_summaries(data)
```
- df_to_dynamic_summary() DynamicSummary
Return a single DynamicSummary object from a DataFrame.
- Parameters:
data (pd.DataFrame) – DataFrame containing a single dynamic summary plus summary items.
- Returns:
The DynamicSummary object.
- Return type:
DynamicSummary
Examples
Use the following steps to query a single dynamic summary from MS Sentinel and convert to a DynamicSummary object.
```python
query = """
DynamicSummary
| where SummaryId == "26b95b5e-2645-4d33-91a7-ea3c1b8b4b8b"
| where SummaryStatus == "Active" or SummaryDataType == "SummaryItem"
"""
data = qry_prov.exec_query(query)
dyn_summary = df_to_dynamic_summary(data)
```
- get_alert_rules() DataFrame
Return all Microsoft Sentinel alert rules for a workspace.
- Returns:
A table of the workspace’s alert rules.
- Return type:
pd.DataFrame
- get_all_indicators(limit: int | None = None, orderby: str | None = None) DataFrame
Return all TI indicators in a Microsoft Sentinel workspace.
- Parameters:
limit (int, optional) – If set returns top n results
orderby (Optional[str], optional) – Order results by a specific column
- Returns:
A table of the TI indicators in the workspace.
- Return type:
pd.DataFrame
- get_analytic_rules() DataFrame
Return all Microsoft Sentinel alert rules for a workspace.
- Returns:
A table of the workspace’s alert rules.
- Return type:
pd.DataFrame
- get_bookmarks() DataFrame
Return a list of Bookmarks from a Sentinel workspace.
- Returns:
A set of bookmarks.
- Return type:
pd.DataFrame
- get_dynamic_summary(summary_id: str, summary_items=False) DynamicSummary
Return DynamicSummary for ID.
- Parameters:
summary_id (str) – The ID of the Dynamic summary object.
summary_items (bool, optional) – Use a data query to retrieve the dynamic summary along with summary items (data records), by default, false.
- Returns:
DynamicSummary object.
- Return type:
DynamicSummary
- Raises:
MsticpyAzureConnectionError – If API returns an error.
- get_entities(incident: str) list
Get the entities from an incident.
- Parameters:
incident (str) – Incident GUID or name.
- Returns:
A list of entities.
- Return type:
list
- get_hunting_queries() DataFrame
Return all custom hunting queries in a Microsoft Sentinel workspace.
- Returns:
A table of the custom hunting queries.
- Return type:
pd.DataFrame
- get_incident(incident: str, entities: bool = False, alerts: bool = False, comments: bool = False, bookmarks: bool = False) DataFrame
Get details on a specific incident.
- Parameters:
incident (str) – Incident ID GUID.
entities (bool, optional) – If True include all entities in the response. Default is False.
alerts (bool, optional) – If True include all alerts in the response. Default is False.
comments (bool, optional) – If True include all comments in the response. Default is False.
bookmarks (bool, optional) – If True include all bookmarks in the response. Default is False.
- Returns:
Table containing incident details.
- Return type:
pd.DataFrame
- Raises:
CloudError – If incident could not be retrieved.
- get_incident_alerts(incident: str) list
Get the alerts from an incident.
- Parameters:
incident (str) – Incident GUID or Name.
- Returns:
A list of alerts.
- Return type:
list
- get_incident_bookmarks(incident: str) list
Get the bookmarks from an incident.
- Parameters:
incident (str) – Incident GUID or name.
- Returns:
A list of bookmarks.
- Return type:
list
- get_incident_comments(incident: str) list
Get the comments from an incident.
- Parameters:
incident (str) – Incident GUID or Name.
- Returns:
A list of comments.
- Return type:
list
- get_incidents(params: dict | None = None) DataFrame
Get a list of incidents for a Sentinel workspace.
- Parameters:
params (Optional[dict], optional) – Additional parameters to pass to the API call, by default None
- Returns:
A table of incidents.
- Return type:
pd.DataFrame
- Raises:
CloudError – If incidents could not be retrieved.
- get_indicator(indicator_id: str) dict
Get a specific indicator by its ID.
- Parameters:
indicator_id (str) – The GUID of the indicator to get
- Returns:
Indicator details
- Return type:
dict
- Raises:
CloudError – If API call fails.
- get_metrics(metrics: str, resource_id: str, sub_id: str, sample_time: str = 'hour', start_time: int = 30) Dict[str, DataFrame]
Return specified metrics on Azure Resource.
- Parameters:
metrics (str) – A string list of metrics you wish to collect (https://docs.microsoft.com/en-us/azure/azure-monitor/platform/metrics-supported)
resource_id (str) – The resource ID of the resource to collect the metrics from
sub_id (str) – The subscription ID that the resource is part of
sample_time (str (Optional)) – Whether to collect the metrics every hour or every minute; default is ‘hour’. Accepted inputs are ‘hour’ or ‘minute’
start_time (int (Optional)) – The number of days prior to today to collect metrics for, default is 30
- Returns:
results – A Dictionary of DataFrames containing the metrics details
- Return type:
dict
- get_network_details(network_id: str, sub_id: str) Tuple[DataFrame, DataFrame]
Return details related to an Azure network interface and associated NSG.
- Parameters:
network_id (str) – The ID of the network interface to return details on
sub_id (str) – The subscription ID that the network interface is part of
- Returns:
details – A dictionary of items related to the network interface
- Return type:
dict
- get_resource_details(sub_id: str, resource_id: str | None = None, resource_details: dict | None = None) dict
Return the details of a specific Azure resource.
- Parameters:
resource_id (str, optional) – The ID of the resource to get details on
resource_details (dict, optional) – If the resource ID is unknown, provide the following details:
- resource_group_name
- resource_provider_namespace
- resource_type
- resource_name
- parent_resource_path
sub_id (str) – The ID of the subscription to get resources from
- Returns:
resource_details – The details of the requested resource
- Return type:
dict
- classmethod get_resource_id_from_url(portal_url: str) str
Return resource ID components from Sentinel portal URL.
- get_resources(sub_id: str, rgroup: str | None = None, get_props: bool = False) DataFrame
Return details on all resources in a subscription or Resource Group.
- Parameters:
sub_id (str) – The subscription ID to get resources for
rgroup (str (Optional)) – The name of a Resource Group to get resources for
get_props (bool (Optional)) – Set to True if you want to get the full properties of every resource. Warning: this may be a slow process depending on the number of resources
- Returns:
A dataframe of resource details
- Return type:
pd.DataFrame
- get_sentinel_workspaces(sub_id: str) Dict[str, str]
Return a list of Microsoft Sentinel workspaces in a Subscription.
- Parameters:
sub_id (str) – The subscription ID to get a list of workspaces from. If not provided it will attempt to get sub_id from config files.
- Returns:
A dictionary of workspace names and ids
- Return type:
Dict
- get_subscription_info(sub_id: str) dict
Get information on a specific subscription.
- Parameters:
sub_id (str) – The ID of the subscription to return details on.
- Returns:
Details on the selected subscription.
- Return type:
dict
- Raises:
MsticpyNotConnectedError – If .connect() has not been called.
- get_subscriptions() DataFrame
Get details of all subscriptions within the tenant.
- Returns:
Details of the subscriptions present in the user’s tenant.
- Return type:
pd.DataFrame
- Raises:
MsticpyNotConnectedError – If .connect() has not been called
- get_ti_metrics() DataFrame
Return metrics about TI indicators in a Microsoft Sentinel workspace.
- Returns:
A table of TI indicator metrics.
- Return type:
pd.DataFrame
- classmethod get_workspace_details_from_url(portal_url: str) Dict[str, Dict[str, str]]
Return workspace settings from portal URL.
- Parameters:
portal_url (str) – URL from Sentinel Azure portal
- Return type:
Dict[str, Dict[str, str]]
- classmethod get_workspace_id(workspace_name: str, subscription_id: str = '', resource_group: str = '') str | None
Return the workspace ID given workspace name.
- Parameters:
workspace_name (str) – Workspace name (case insensitive)
subscription_id (str, optional) – Azure subscription UUID, by default “”
resource_group (str, optional) – Azure resource group name, by default “”
- Returns:
The ID of the workspace if found, else None
- Return type:
Optional[str]
- classmethod get_workspace_name(workspace_id: str | None = None, resource_id: str | None = None) str | None
Return resolved name from workspace ID or resource ID.
- Parameters:
workspace_id (Optional[str], optional) – The UUID of the Sentinel workspace, by default None
resource_id (Optional[str], optional) – The Resource ID string of the workspace, by default None
- Returns:
The workspace name, if found, else None
- Return type:
Optional[str]
- Raises:
ValueError – If neither workspace_id or resource_id parameters are supplied.
- classmethod get_workspace_settings(workspace_id: str | None = None, resource_id: str | None = None)
Return resolved workspace settings from workspace ID or resource ID.
- Parameters:
workspace_id (Optional[str], optional) – The UUID of the Sentinel workspace, by default None
resource_id (Optional[str], optional) – The Resource ID string of the workspace, by default None
- Returns:
The workspace settings, if found, else None
- Return type:
Dict[str, str]
- Raises:
ValueError – If neither workspace_id or resource_id parameters are supplied.
- classmethod get_workspace_settings_by_name(workspace_name: str, subscription_id: str = '', resource_group: str = '')
Return the workspace ID given workspace name.
- Parameters:
workspace_name (str) – Workspace name (case insensitive)
subscription_id (str, optional) – Azure subscription UUID, by default “”
resource_group (str, optional) – Azure resource group name, by default “”
- Returns:
The ID of the workspace if found, else None
- Return type:
Optional[str]
- list_alert_rules() DataFrame
Return all Microsoft Sentinel alert rules for a workspace.
- Returns:
A table of the workspace’s alert rules.
- Return type:
pd.DataFrame
- list_analytic_rules() DataFrame
Return all Microsoft Sentinel alert rules for a workspace.
- Returns:
A table of the workspace’s alert rules.
- Return type:
pd.DataFrame
- list_analytic_templates() DataFrame
List Analytic Templates.
- Returns:
A DataFrame containing the analytics templates
- Return type:
pd.DataFrame
- Raises:
CloudError – If a valid result is not returned.
- list_bookmarks() DataFrame
Return a list of Bookmarks from a Sentinel workspace.
- Returns:
A set of bookmarks.
- Return type:
pd.DataFrame
- list_data_connectors() DataFrame
List deployed data connectors.
- Returns:
A DataFrame containing the deployed data connectors
- Return type:
pd.DataFrame
- Raises:
CloudError – If a valid result is not returned.
- list_dynamic_summaries() DataFrame
Return current list of Dynamic Summaries from a Sentinel workspace.
- Returns:
The current Dynamic Summary objects.
- Return type:
pd.DataFrame
- list_hunting_queries() DataFrame
Return all custom hunting queries in a Microsoft Sentinel workspace.
- Returns:
A table of the custom hunting queries.
- Return type:
pd.DataFrame
- list_incidents(params: dict | None = None) DataFrame
Get a list of incidents for a Sentinel workspace.
- Parameters:
params (Optional[dict], optional) – Additional parameters to pass to the API call, by default None
- Returns:
A table of incidents.
- Return type:
pd.DataFrame
- Raises:
CloudError – If incidents could not be retrieved.
- list_saved_queries() DataFrame
Return all saved queries in a Microsoft Sentinel workspace.
- Returns:
A table of the saved queries.
- Return type:
pd.DataFrame
- list_sentinel_workspaces(sub_id: str) Dict[str, str]
Return a list of Microsoft Sentinel workspaces in a Subscription.
- Parameters:
sub_id (str) – The subscription ID to get a list of workspaces from. If not provided it will attempt to get sub_id from config files.
- Returns:
A dictionary of workspace names and ids
- Return type:
Dict
- list_watchlist_items(watchlist_name: str) DataFrame
List items in a watchlist.
- Parameters:
watchlist_name (str) – The name of the watchlist to get items from
- Returns:
A DataFrame containing the watchlist items
- Return type:
pd.DataFrame
- Raises:
CloudError – If a valid result is not returned.
- list_watchlists() DataFrame
List Deployed Watchlists.
- Returns:
A DataFrame containing the watchlists
- Return type:
pd.DataFrame
- Raises:
CloudError – If a valid result is not returned.
- classmethod new_dynamic_summary(**kwargs)
Return a new DynamicSummary object.
Notes
See the DynamicSummary class documentation for details of expected parameters.
See also
DynamicSummary
- post_comment(incident_id: str, comment: str)
Write a comment for an incident.
- Parameters:
incident_id (str) – Incident ID GUID.
comment (str) – Comment message to post.
- Raises:
CloudError – If message could not be posted.
- query_indicators(**kwargs) DataFrame
Query for indicators in a Sentinel workspace.
- Parameters:
includeDisabled (bool, optional) – Parameter to include/exclude disabled indicators.
keywords (str, optional) – Keyword for searching threat intelligence indicators. Use this to search for specific indicator values.
maxConfidence (int, optional) – Maximum confidence.
maxValidUntil (str, optional) – End time for ValidUntil filter.
minConfidence (int, optional) – Minimum confidence.
minValidUntil (str, optional) – Start time for ValidUntil filter.
pageSize (int, optional) – Maximum number of results to return in one page.
patternTypes (list, optional) – A list of IoC types to include.
sortBy (List, optional) – Columns to sort by and sorting order as: [{“itemKey”: COLUMN_NAME, “sortOrder”: ascending/descending}]
sources (list, optional) – A list of indicator sources to include
threatTypes (list, optional) – A list of Threat types to include
- Returns:
A set of matching indicators
- Return type:
pd.DataFrame
- Raises:
CloudError – If API call fails
- set_default_subscription(subscription_id: str)
Set the default subscription to use to subscription_id.
- set_default_workspace(workspace: str | None = None, resource_id: str | None = None, **kwargs)
Set the default workspace from workspace name or resource id.
- Parameters:
workspace (Optional[str], optional) – Name of the workspace, by default None.
resource_id (Optional[str], optional) – Azure resource ID for the workspace, by default None.
Notes
If no workspace is specified, the workspace details will be the default workspace read from the msticpyconfig configuration file. After changing the default workspace, you will need to call connect() to authenticate with the new workspace.
- update_dynamic_summary(summary: DynamicSummary | None = None, summary_id: str | None = None, data: DataFrame | None = None, **kwargs)
Update a dynamic summary in the Sentinel Workspace.
- Parameters:
summary (DynamicSummary) – DynamicSummary instance.
summary_id (str) – The ID of the summary to update.
data (pd.DataFrame) – The summary data
name (str) – The name of the dynamic summary to create
description (str) – Dynamic Summary description
relation_name (str, optional) – The relation name, by default None
relation_id (str, optional) – The relation ID, by default None
search_key (str, optional) – Search key for the entire summary, by default None
tactics (Union[str, List[str], None], optional) – Relevant MITRE tactics, by default None
techniques (Union[str, List[str], None], optional) – Relevant MITRE techniques, by default None
source_info (str, optional) – Summary source info, by default None
summary_items (Union[pd.DataFrame, Iterable[DynamicSummaryItem], List[Dict[str, Any]]], optional) – Collection of summary items, by default None
- Returns:
The name/ID of the dynamic summary.
- Return type:
Optional[str]
- Raises:
MsticpyParameterError – If existing summary_id not supplied.
MsticpyAzureConnectionError – If API returns an error.
- update_incident(incident_id: str, update_items: dict)
Update properties of an incident.
- Parameters:
incident_id (str) – Incident ID GUID.
update_items (dict) – Dictionary of properties to update and their values. See https://docs.microsoft.com/rest/api/securityinsights/stable/incidents/create-or-update
- Raises:
CloudError – If incident could not be updated.
- update_indicator(indicator_id: str, **kwargs)
Update an existing indicator within the Microsoft Sentinel workspace.
- Parameters:
indicator_id (str) – The GUID of the indicator to update
name (str, optional) – A common name to give to the indicator, default is ‘TI Indicator’
confidence (int, optional) – A score between 0-100 of the confidence in the indicator
description (str, optional) – A description of the indicator
labels (list, optional) – A list of string labels to associate with the indicator
kill_chain_phases (list, optional) – A list of strings naming the kill chain phases the indicator is associated with
threat_types (list, optional) – A list of threat types associated with the indicator (list of string objects)
external_references (list, optional) – A list of URLs that provide an external reference for the indicator
valid_from (datetime, optional) – A datetime from which the indicator is valid, defaults to now
valid_to (datetime, optional) – A datetime until which the indicator is valid
- Raises:
CloudError – If API call fails