msticpy.context.azure.sentinel_dynamic_summary module

Sentinel Dynamic Summary Mixin class.

class msticpy.context.azure.sentinel_dynamic_summary.SentinelDynamicSummaryMixin

Bases: object

Mixin class with Sentinel Dynamic Summary integrations.

create_dynamic_summary(summary: DynamicSummary | None = None, name: str | None = None, description: str | None = None, data: DataFrame | None = None, **kwargs) -> str | None

Create a Dynamic Summary in the Sentinel Workspace.

Parameters:
  • summary (DynamicSummary) – DynamicSummary instance.

  • name (str) – The name of the dynamic summary to create

  • description (str) – Dynamic Summary description

  • data (pd.DataFrame) – The summary data

Returns:

The name/ID of the dynamic summary.

Return type:

Optional[str]

Raises:

MsticpyAzureConnectionError – If API returns an error.

delete_dynamic_summary(summary_id: str)

Delete the Dynamic Summary for summary_id.

Parameters:

summary_id (str) – The UUID of the summary to delete.

Raises:

MsticpyAzureConnectionError – If the API returns an error.

df_to_dynamic_summaries(data: DataFrame) -> List[DynamicSummary]

Return a list of DynamicSummary objects from a DataFrame of summaries.

Parameters:

data (pd.DataFrame) – DataFrame containing dynamic summaries

Returns:

List of Dynamic Summary objects.

Return type:

List[DynamicSummary]

Examples

Use the following steps to obtain a list of dynamic summaries from MS Sentinel and convert to DynamicSummary objects.

query = """
    DynamicSummary
    | where <some filter criteria>
    | where SummaryStatus == "Active" or SummaryDataType == "SummaryItem"
"""
data = qry_prov.exec_query(query)
dyn_summaries = df_to_dynamic_summaries(data)

df_to_dynamic_summary(data: DataFrame) -> DynamicSummary

Return a single DynamicSummary object from a DataFrame.

Parameters:

data (pd.DataFrame) – DataFrame containing a single dynamic summary plus summary items.

Returns:

The DynamicSummary object.

Return type:

DynamicSummary

Examples

Use the following steps to query a single dynamic summary from MS Sentinel and convert to a DynamicSummary object.

query = """
    DynamicSummary
    | where SummaryId == "26b95b5e-2645-4d33-91a7-ea3c1b8b4b8b"
    | where SummaryStatus == "Active" or SummaryDataType == "SummaryItem"
"""
data = qry_prov.exec_query(query)
dyn_summary = df_to_dynamic_summary(data)
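Both conversions above (df_to_dynamic_summaries and df_to_dynamic_summary) start from rows of the DynamicSummary table in which a summary header row (SummaryDataType "Summary") and its item rows (SummaryDataType "SummaryItem") share a SummaryId, and the queries keep every item row while keeping only Active header rows. The following is an added example, not msticpy code, showing the grouping that implies and how to treat item rows whose header was filtered out. Rows are modelled as plain dicts (what `df.to_dict("records")` yields from the DataFrame returned by exec_query) so it runs without pandas; the sample rows are constructed, and column names other than SummaryId, SummaryStatus and SummaryDataType (SummaryName, SummaryItemId, ObservableType, ObservableValue, PackedContent) are assumed from the table schema rather than taken from this page.

```python
"""Group DynamicSummary table rows into summaries with their items.

Added example, not msticpy code. Column names beyond SummaryId, SummaryStatus
and SummaryDataType are assumptions about the Sentinel table schema.
"""
import json
from dataclasses import dataclass, field
from typing import Any, Dict, Iterable, List


@dataclass
class Summary:
    summary_id: str
    name: str
    status: str
    items: List[Dict[str, Any]] = field(default_factory=list)


def _unpack(content: Any) -> Dict[str, Any]:
    """PackedContent is a dynamic column: it may arrive as a dict or a JSON string."""
    if content is None:
        return {}
    if isinstance(content, dict):
        return content
    try:
        parsed = json.loads(content)
    except (TypeError, ValueError):
        return {"raw": content}
    return parsed if isinstance(parsed, dict) else {"raw": parsed}


def group_summaries(rows: Iterable[Dict[str, Any]], active_only: bool = True) -> Dict[str, Summary]:
    """Return {SummaryId: Summary} built from header rows, with item rows attached.

    The page's query keeps header rows only when Active but keeps all item rows,
    so items of a deleted (or otherwise filtered) summary still come back.
    Those orphan items are dropped instead of being attached to nothing.
    """
    headers: Dict[str, Summary] = {}
    pending: Dict[str, List[Dict[str, Any]]] = {}
    for row in rows:
        sid = row.get("SummaryId")
        if not sid:
            continue
        kind = row.get("SummaryDataType")
        if kind == "Summary":
            status = row.get("SummaryStatus", "")
            if active_only and status != "Active":
                continue
            headers[sid] = Summary(sid, row.get("SummaryName", ""), status)
        elif kind == "SummaryItem":
            pending.setdefault(sid, []).append(
                {
                    "item_id": row.get("SummaryItemId"),
                    "observable_type": row.get("ObservableType"),
                    "observable_value": row.get("ObservableValue"),
                    "content": _unpack(row.get("PackedContent")),
                }
            )
    # Attach items only to summaries that survived the status filter.
    for sid, items in pending.items():
        if sid in headers:
            headers[sid].items.extend(items)
    return headers


# Constructed sample rows in the shape the page's query returns (not real data).
ACTIVE_ID = "26b95b5e-2645-4d33-91a7-ea3c1b8b4b8b"
DELETED_ID = "00000000-0000-0000-0000-000000000002"
ORPHAN_ID = "00000000-0000-0000-0000-000000000003"
SAMPLE_ROWS = [
    {"SummaryId": ACTIVE_ID, "SummaryDataType": "Summary", "SummaryStatus": "Active",
     "SummaryName": "Suspicious sign-ins"},
    {"SummaryId": ACTIVE_ID, "SummaryDataType": "SummaryItem", "SummaryItemId": "i-1",
     "ObservableType": "IpAddress", "ObservableValue": "203.0.113.5",
     "PackedContent": '{"count": 3}'},                       # JSON string form
    {"SummaryId": ACTIVE_ID, "SummaryDataType": "SummaryItem", "SummaryItemId": "i-2",
     "ObservableType": "IpAddress", "ObservableValue": "203.0.113.9",
     "PackedContent": {"count": 1}},                         # already-parsed dict form
    {"SummaryId": DELETED_ID, "SummaryDataType": "Summary", "SummaryStatus": "Deleted",
     "SummaryName": "Old summary"},
    {"SummaryId": DELETED_ID, "SummaryDataType": "SummaryItem", "SummaryItemId": "i-3",
     "PackedContent": '{"count": 7}'},
    # Item whose header row the query dropped entirely: must not appear anywhere.
    {"SummaryId": ORPHAN_ID, "SummaryDataType": "SummaryItem", "SummaryItemId": "i-4",
     "PackedContent": None},
]

if __name__ == "__main__":
    for sid, summary in group_summaries(SAMPLE_ROWS).items():
        print(sid, summary.name, summary.status, len(summary.items), "items")
```

With the default `active_only=True` only the Active summary survives and carries its two items; passing `active_only=False` also returns the Deleted summary with its item, which is useful when reconciling what list_dynamic_summaries reports against what the table still holds. The orphan item never appears in either mode.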

get_dynamic_summary(summary_id: str, summary_items=False) -> DynamicSummary

Return DynamicSummary for ID.

Parameters:
  • summary_id (str) – The ID of the Dynamic summary object.

  • summary_items (bool, optional) – Use a data query to retrieve the dynamic summary together with its summary items (data records); by default False.

Returns:

DynamicSummary object.

Return type:

DynamicSummary

Raises:

MsticpyAzureConnectionError – If API returns an error.

list_dynamic_summaries() -> DataFrame

Return current list of Dynamic Summaries from a Sentinel workspace.

Returns:

The current Dynamic Summary objects.

Return type:

pd.DataFrame

classmethod new_dynamic_summary(**kwargs) -> DynamicSummary

Return a new DynamicSummary object.

Notes

See the DynamicSummary class documentation for details of expected parameters.

See also

DynamicSummary

update_dynamic_summary(summary: DynamicSummary | None = None, summary_id: str | None = None, data: DataFrame | None = None, **kwargs) -> str | None

Update a dynamic summary in the Sentinel Workspace.

Parameters:
  • summary (DynamicSummary) – DynamicSummary instance.

  • summary_id (str) – The ID of the summary to update.

  • data (pd.DataFrame) – The summary data

  • name (str) – The name of the dynamic summary

  • description (str) – Dynamic Summary description

  • relation_name (str, optional) – The relation name, by default None

  • relation_id (str, optional) – The relation ID, by default None

  • search_key (str, optional) – Search key for the entire summary, by default None

  • tactics (Union[str, List[str], None], optional) – Relevant MITRE tactics, by default None

  • techniques (Union[str, List[str], None], optional) – Relevant MITRE techniques, by default None

  • source_info (str, optional) – Summary source info, by default None

  • summary_items (Union[pd.DataFrame, Iterable[DynamicSummaryItem], List[Dict[str, Any]]], optional) – Collection of summary items, by default None

Returns:

The name/ID of the dynamic summary.

Return type:

Optional[str]

Raises:

MsticpyAzureConnectionError – If API returns an error.

class msticpy.context.azure.sentinel_dynamic_summary.SentinelQueryProvider(workspace: str)

Bases: object

Class to encapsulate MS Sentinel data queries.

Initialize Sentinel Provider.

get_dynamic_summaries(start: datetime, end: datetime) -> DataFrame

Return dynamic summaries for date range.

get_dynamic_summary(summary_id) -> DataFrame

Retrieve dynamic summary from MS Sentinel table.