msticpy.context.azure.sentinel_dynamic_summary_types module
Sentinel Dynamic Summary classes.
- class msticpy.context.azure.sentinel_dynamic_summary_types.DynamicSummary(summary_id: str | None = None, **kwargs)
Bases:
object
Dynamic Summary class.
Initialize a DynamicSummary instance.
- Parameters:
summary_id (str, optional) – The summary UUID, by default auto-generated UUID
summary_name (str, optional) – Name of the dynamic summary instance, by default None
summary_description (str, optional) – Summary description, by default None
tenant_id (str, optional) – Azure tenant ID, by default None
relation_name (str, optional) – The relation name, by default None
relation_id (str, optional) – The relation ID, by default None
search_key (str, optional) – Search key column for the summarized data, by default None
tactics (Union[str, List[str], None], optional) – Relevant MITRE tactics, by default None
techniques (Union[str, List[str], None], optional) – Relevant MITRE techniques, by default None
source_info (Dict[str, Any], optional) – Summary source info dictionary, by default None
summary_items (Union[pd, DataFrame, Iterable[DynamicSummaryItem],)
List[Dict[str – Collection of summary items, by default None
Any]]] – Collection of summary items, by default None
optional – Collection of summary items, by default None
- add_summary_items(data: Iterable[DynamicSummaryItem] | Iterable[Dict[str, Any]] | DataFrame, **kwargs)
Add list of DynamicSummaryItems replacing existing list.
- Parameters:
data (Union[Iterable[DynamicSummaryItem], Iterable[Dict[str, Any]], pd.DataFrame]) – Iterable or DataFrame of DynamicSummary Items.
summary_fields (Optional[Dict[str, str]], optional) – (only relevant if data is a DataFrame) Dictionary of mappings to extract from the DataFrame and use as SummaryItem properties, by default None. For example: {“col_a”: “tactics”, “col_b”: “relation_name”} See DynamicSummaryItem for a list of available properties.
See also
- append_summary_items(data: Iterable[DynamicSummaryItem] | Iterable[Dict[str, Any]] | DataFrame, **kwargs)
Append list of DynamicSummaryItems to existing list.
- Parameters:
data (Union[Iterable[DynamicSummaryItem], Iterable[Dict[str, Any]], pd.DataFrame]) – Iterable or DataFrame of DynamicSummary Items.
summary_fields (Optional[Dict[str, str]], optional) – (only relevant if data is a DataFrame) Dictionary of mappings to extract from the DataFrame and use as SummaryItem properties, by default None. For example: {“col_a”: “tactics”, “col_b”: “relation_name”} See DynamicSummaryItem for a list of available properties.
See also
- static df_to_dynamic_summaries(data: DataFrame) List[DynamicSummary]
Return a list of DynamicSummary objects from a DataFrame of summaries.
- Parameters:
data (pd.DataFrame) – DataFrame containing dynamic summaries
- Returns:
List of Dynamic Summary objects.
- Return type:
List[DynamicSummary]
Examples
Use the following steps to obtain a list of dynamic summaries from MS Sentinel and convert to DynamicSummary objects.
query = \"\"\" DynamicSummary | where <some filter criteria> | where SummaryStatus == "Active" or SummaryDataType == "SummaryItem" \"\"\" data = qry_prov.exec_query(query) dyn_summaries = df_to_dynamic_summaries(data)
- static df_to_dynamic_summary(data: DataFrame) DynamicSummary
Return a single DynamicSummary object from a DataFrame.
- Parameters:
data (pd.DataFrame) – DataFrame containing a single dynamic summary plus summary items.
- Returns:
The DynamicSummary object.
- Return type:
Examples
Use the following steps to query a single dynamic summary from MS Sentinel and convert to a DynamicSummary object.
query = \"\"\" DynamicSummary | where SummaryId == "26b95b5e-2645-4d33-91a7-ea3c1b8b4b8b" | where SummaryStatus == "Active" or SummaryDataType == "SummaryItem" \"\"\" data = qry_prov.exec_query(query) dyn_summaries = df_to_dynamic_summary(data)
- fields = Fields: SUMMARY_ID='summary_id' SUMMARY_NAME='summary_name' SUMMARY_DESCRIPTION='summary_description' TENANT_ID='tenant_id' RELATION_NAME='relation_name' RELATION_ID='relation_id' SEARCH_KEY='search_key' TACTICS='tactics' TECHNIQUES='techniques' SOURCE_INFO='source_info' SUMMARY_ITEMS='summary_items'
- classmethod from_json(data: Dict[str, Any] | str) DynamicSummary
Create new DynamicSummary instance from json string or dict.
- classmethod new_dynamic_summary(**kwargs)
Return a new DynamicSummary object.
Notes
See the DynamicSummary class documentation for details of expected parameters.
See also
- to_json()
Return JSON representation of DynamicSummary.
- to_json_api()
Return API-ready JSON representation of DynamicSummary.
- class msticpy.context.azure.sentinel_dynamic_summary_types.DynamicSummaryItem(summary_item_id: str | None = None, relation_name: str | None = None, relation_id: str | None = None, search_key: str | None = None, tactics: str | ~typing.List[str] | None = <factory>, techniques: str | ~typing.List[str] | None = <factory>, event_time_utc: ~datetime.datetime | None = None, observable_type: str | None = None, observable_value: str | None = None, packed_content: ~typing.Dict[str, ~typing.Any] = <factory>)
Bases:
object
DynamicSummaryItem class.
- Parameters:
summary_item_id (Optional[str]) – The ID of the item
relation_name (Optional[str] = None) – The name of the summary item relation
relation_id (Optional[str] = None) – The ID of the summary item relation
search_key (Optional[str] = None) – Searchable key value for summary item
tactics (Union[str, List[str], None] = None) – Relevant MITRE tactics for the summary item
techniques (Union[str, List[str], None] = None) – Relevant MITRE techniques for the summary item
event_time_utc (Optional[datetime] = None) – Event time for the summary item
observable_type (Optional[str] = None) – Observable type of the summary item
observable_value (Optional[str] = None) – Observable value of the summary item
packed_content (Dict[str, Any]) – Dictionary of item details.
- event_time_utc: datetime | None = None
- fields: ClassVar = Fields: SUMMARY_ITEM_ID='summary_item_id' RELATION_NAME='relation_name' RELATION_ID='relation_id' SEARCH_KEY='search_key' TACTICS='tactics' TECHNIQUES='techniques' EVENT_TIME_UTC='event_time_utc' OBSERVABLE_TYPE='observable_type' OBSERVABLE_VALUE='observable_value' PACKED_CONTENT='packed_content'
- observable_type: str | None = None
- observable_value: str | None = None
- packed_content: Dict[str, Any]
- relation_id: str | None = None
- relation_name: str | None = None
- search_key: str | None = None
- summary_item_id: str | None = None
- tactics: str | List[str] | None
- techniques: str | List[str] | None
- to_api_dict()
Return attributes as a JSON-serializable dictionary.
- class msticpy.context.azure.sentinel_dynamic_summary_types.FieldList(fieldnames: Iterable[str])
Bases:
object
Class to hold field names.
Add fields to field mapping.
- msticpy.context.azure.sentinel_dynamic_summary_types.df_to_dynamic_summaries(data: DataFrame) List[DynamicSummary]
Return a list of DynamicSummary objects from a DataFrame of summaries.
- Parameters:
data (pd.DataFrame) – DataFrame containing dynamic summaries
- Returns:
List of Dynamic Summary objects.
- Return type:
List[DynamicSummary]
Examples
Use the following steps to obtain a list of dynamic summaries from MS Sentinel and convert to DynamicSummary objects.
query = \"\"\" DynamicSummary | where <some filter criteria> | where SummaryStatus == "Active" or SummaryDataType == "SummaryItem" \"\"\" data = qry_prov.exec_query(query) dyn_summaries = df_to_dynamic_summaries(data)
- msticpy.context.azure.sentinel_dynamic_summary_types.df_to_dynamic_summary(data: DataFrame) DynamicSummary
Return a single DynamicSummary object from a DataFrame.
- Parameters:
data (pd.DataFrame) – DataFrame containing a single dynamic summary plus summary items.
- Returns:
The DynamicSummary object.
- Return type:
Examples
Use the following steps to query a single dynamic summary from MS Sentinel and convert to a DynamicSummary object.
query = \"\"\" DynamicSummary | where SummaryId == "26b95b5e-2645-4d33-91a7-ea3c1b8b4b8b" | where SummaryStatus == "Active" or SummaryDataType == "SummaryItem" \"\"\" data = qry_prov.exec_query(query) dyn_summaries = df_to_dynamic_summary(data)