msticpy.context.azure.sentinel_incidents module

Mixin Classes for Sentinel Incident Features.

class msticpy.context.azure.sentinel_incidents.SentinelIncidentsMixin

Bases: object

Mixin class for Sentinel Incidents feature integrations.

add_bookmark_to_incident(incident: str, bookmark: str)

Add a bookmark to an incident.

Parameters:
  • incident (str) – Either an incident name or an incident GUID

  • bookmark (str) – Either a bookmark name or bookmark GUID

Raises:

CloudError – If the API returns an error

create_incident(title: str, severity: str, status: str = 'New', description: str | None = None, first_activity_time: datetime | None = None, last_activity_time: datetime | None = None, labels: List | None = None, bookmarks: List | None = None) → str | None

Create a Sentinel Incident.

Parameters:
  • title (str) – The title of the incident to create

  • severity (str) – The severity to assign the incident. Options are: Informational, Low, Medium, High

  • status (str, optional) – The status to assign the incident, by default “New”. Options are: New, Active, Closed

  • description (str, optional) – A description of the incident, by default None

  • first_activity_time (datetime, optional) – The start time of the incident activity, by default None

  • last_activity_time (datetime, optional) – The end time of the incident activity, by default None

  • labels (List, optional) – Any labels to apply to the incident, by default None

  • bookmarks (List, optional) – A list of bookmark GUIDs to associate with the incident, by default None

Returns:

The name/ID of the incident.

Return type:

Optional[str]

Raises:

CloudError – If the API returns an error

get_entities(incident: str) → list

Get the entities from an incident.

Parameters:

incident (str) – Incident GUID or name.

Returns:

A list of entities.

Return type:

list

get_incident(incident: str, entities: bool = False, alerts: bool = False, comments: bool = False, bookmarks: bool = False) → DataFrame

Get details on a specific incident.

Parameters:
  • incident (str) – Incident ID GUID.

  • entities (bool, optional) – If True include all entities in the response. Default is False.

  • alerts (bool, optional) – If True include all alerts in the response. Default is False.

  • comments (bool, optional) – If True include all comments in the response. Default is False.

  • bookmarks (bool, optional) – If True include all bookmarks in the response. Default is False.

Returns:

Table containing incident details.

Return type:

pd.DataFrame

Raises:

CloudError – If incident could not be retrieved.

get_incident_alerts(incident: str) → list

Get the alerts from an incident.

Parameters:

incident (str) – Incident GUID or name.

Returns:

A list of alerts.

Return type:

list

get_incident_bookmarks(incident: str) → list

Get the bookmarks from an incident.

Parameters:

incident (str) – Incident GUID or name.

Returns:

A list of bookmarks.

Return type:

list

get_incident_comments(incident: str) → list

Get the comments from an incident.

Parameters:

incident (str) – Incident GUID or name.

Returns:

A list of comments.

Return type:

list

get_incidents(params: dict | None = None) → DataFrame

Get a list of incidents for a Sentinel workspace.

Parameters:

params (Optional[dict], optional) – Additional parameters to pass to the API call, by default None

Returns:

A table of incidents.

Return type:

pd.DataFrame

Raises:

CloudError – If incidents could not be retrieved.

list_incidents(params: dict | None = None) → DataFrame

Get a list of incidents for a Sentinel workspace.

Parameters:

params (Optional[dict], optional) – Additional parameters to pass to the API call, by default None

Returns:

A table of incidents.

Return type:

pd.DataFrame

Raises:

CloudError – If incidents could not be retrieved.

post_comment(incident_id: str, comment: str)

Write a comment for an incident.

Parameters:
  • incident_id (str) – Incident ID GUID.

  • comment (str) – Comment message to post.

Raises:

CloudError – If message could not be posted.

update_incident(incident_id: str, update_items: dict)

Update properties of an incident.

Parameters:
  • incident_id (str) – Incident ID GUID.

  • update_items (dict) – Dictionary of incident properties to update.

Raises:

CloudError – If incident could not be updated.
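The example below is added here and is not msticpy's own code: it shows a small triage routine written against the method names documented on this page (get_incident, update_incident, post_comment), with the severity and status values from create_incident() used to validate update_items before they reach the API. StubSentinel is a constructed in-memory stand-in for a connected MicrosoftSentinel object so the code runs offline; the "severity"/"status" property names and the dict-shaped incident record are assumptions (the real get_incident() returns a pd.DataFrame).

```python
from typing import Dict, List, Optional

# Allowed values taken from the create_incident() parameter docs above.
SEVERITIES = ("Informational", "Low", "Medium", "High")
STATUSES = ("New", "Active", "Closed")


def validate_update(update_items: dict) -> dict:
    """Reject update_items values the Sentinel API would not accept."""
    if "severity" in update_items and update_items["severity"] not in SEVERITIES:
        raise ValueError(f"severity must be one of {SEVERITIES}")
    if "status" in update_items and update_items["status"] not in STATUSES:
        raise ValueError(f"status must be one of {STATUSES}")
    return update_items


class StubSentinel:
    """Constructed stand-in with the mixin's method names; records calls
    offline (the real get_incident() returns a pd.DataFrame, this one a dict)."""

    def __init__(self, incidents: Dict[str, dict]):
        self.incidents = incidents          # incident GUID -> properties
        self.comments: List[tuple] = []     # (incident_id, comment)

    def get_incident(self, incident: str, **_kwargs) -> dict:
        if incident not in self.incidents:
            raise KeyError(f"incident {incident} not found")
        return dict(self.incidents[incident])

    def update_incident(self, incident_id: str, update_items: dict) -> None:
        self.incidents[incident_id].update(validate_update(update_items))

    def post_comment(self, incident_id: str, comment: str) -> None:
        self.comments.append((incident_id, comment))


def triage_new_high(client, incident_id: str, analyst: str) -> Optional[str]:
    """Move a New/High incident to Active and leave an audit comment.

    Returns the new status, or None when the incident did not qualify.
    The "severity"/"status" field names are assumed, not from the page.
    """
    props = client.get_incident(incident_id)
    if props.get("status") != "New" or props.get("severity") != "High":
        return None
    client.update_incident(incident_id, {"status": "Active"})
    client.post_comment(incident_id, f"Triage started by {analyst}")
    return "Active"
```

For a live workspace, pass a connected MicrosoftSentinel instance as `client` and adapt the field lookups to the DataFrame columns your tenant returns.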