msticpy.context.azure.sentinel_incidents module
Mixin Classes for Sentinel Incident Features.
- class msticpy.context.azure.sentinel_incidents.SentinelIncidentsMixin
Bases:
object
Mixin class for Sentinel Incidents feature integrations.
- add_bookmark_to_incident(incident: str, bookmark: str)
Add a bookmark to an incident.
- Parameters:
incident (str) – Either an incident name or an incident GUID
bookmark (str) – Either a bookmark name or bookmark GUID
- Raises:
CloudError – If API returns error
- create_incident(title: str, severity: str, status: str = 'New', description: str | None = None, first_activity_time: datetime | None = None, last_activity_time: datetime | None = None, labels: List | None = None, bookmarks: List | None = None) → str | None
Create a Sentinel Incident.
- Parameters:
title (str) – The title of the incident to create
severity (str) – The severity to assign the incident, options are: Informational, Low, Medium, High
status (str, optional) – The status to assign the incident, by default “New”. Options are: New, Active, Closed
description (str, optional) – A description of the incident, by default None
first_activity_time (datetime, optional) – The start time of the incident activity, by default None
last_activity_time (datetime, optional) – The end time of the incident activity, by default None
labels (List, optional) – Any labels to apply to the incident, by default None
bookmarks (List, optional) – A list of bookmark GUIDs you want to associate with the incident, by default None
- Returns:
The name/ID of the incident.
- Return type:
Optional[str]
- Raises:
CloudError – If the API returns an error
- get_entities(incident: str) → list
Get the entities from an incident.
- Parameters:
incident (str) – Incident GUID or Name.
- Returns:
A list of entities.
- Return type:
list
- get_incident(incident: str, entities: bool = False, alerts: bool = False, comments: bool = False, bookmarks: bool = False) → DataFrame
Get details on a specific incident.
- Parameters:
incident (str) – Incident ID GUID.
entities (bool, optional) – If True include all entities in the response. Default is False.
alerts (bool, optional) – If True include all alerts in the response. Default is False.
comments (bool, optional) – If True include all comments in the response. Default is False.
bookmarks (bool, optional) – If True include all bookmarks in the response. Default is False.
- Returns:
Table containing incident details.
- Return type:
pd.DataFrame
- Raises:
CloudError – If incident could not be retrieved.
- get_incident_alerts(incident: str) → list
Get the alerts from an incident.
- Parameters:
incident (str) – Incident GUID or Name.
- Returns:
A list of alerts.
- Return type:
list
- get_incident_bookmarks(incident: str) → list
Get the bookmarks from an incident.
- Parameters:
incident (str) – Incident GUID or name.
- Returns:
A list of bookmarks.
- Return type:
list
- get_incident_comments(incident: str) → list
Get the comments from an incident.
- Parameters:
incident (str) – Incident GUID or Name.
- Returns:
A list of comments.
- Return type:
list
- get_incidents(params: dict | None = None) → DataFrame
Get a list of incidents for a Sentinel workspace.
- Parameters:
params (Optional[dict], optional) – Additional parameters to pass to the API call, by default None
- Returns:
A table of incidents.
- Return type:
pd.DataFrame
- Raises:
CloudError – If incidents could not be retrieved.
- list_incidents(params: dict | None = None) → DataFrame
Get a list of incidents for a Sentinel workspace.
- Parameters:
params (Optional[dict], optional) – Additional parameters to pass to the API call, by default None
- Returns:
A table of incidents.
- Return type:
pd.DataFrame
- Raises:
CloudError – If incidents could not be retrieved.
- post_comment(incident_id: str, comment: str)
Write a comment for an incident.
- Parameters:
incident_id (str) – Incident ID GUID.
comment (str) – Comment message to post.
- Raises:
CloudError – If message could not be posted.
- update_incident(incident_id: str, update_items: dict)
Update properties of an incident.
- Parameters:
incident_id (str) – Incident ID GUID.
update_items (dict) – Dictionary of properties to update and their values. See https://docs.microsoft.com/rest/api/securityinsights/stable/incidents/create-or-update
- Raises:
CloudError – If incident could not be updated.
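The methods above are building blocks for triage automation; the following is an added example (not msticpy's own code) that chains get_incidents(), post_comment() and update_incident() to escalate High/Medium incidents left in the "New" status past an SLA. It assumes the incident table has been flattened to dict records with columns named name and properties.* (an assumption about the returned DataFrame), that "status" is an accepted update_items key (an assumption based on the linked REST API), and it uses a constructed RecordingSentinel stand-in so the workflow runs offline.

```python
from datetime import datetime, timedelta, timezone

SEVERITIES = ("Informational", "Low", "Medium", "High")  # the options listed for create_incident()
ESCALATE_FROM = "Medium"  # policy: incidents at this severity or above must not sit in "New" past the SLA
SLA = timedelta(hours=24)

def _parse_utc(value: str) -> datetime:
    # Timestamps arrive as ISO 8601 with a trailing "Z"; fromisoformat() accepts "Z" only on 3.11+
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def find_stale_new_incidents(records, now: datetime, max_age: timedelta = SLA) -> list:
    """Records still 'New', at or above ESCALATE_FROM, whose last activity is older than max_age.
    records: incident rows as dicts, e.g. get_incidents().to_dict("records"); the flattened column
    names (name, properties.*) are an assumption about how the returned DataFrame is shaped."""
    floor = SEVERITIES.index(ESCALATE_FROM)
    return [
        rec for rec in records
        if rec["properties.status"] == "New"
        and SEVERITIES.index(rec["properties.severity"]) >= floor
        and now - _parse_utc(rec["properties.lastActivityTimeUtc"]) > max_age
    ]

def escalate_stale_incidents(sentinel, records, now: datetime, max_age: timedelta = SLA) -> list:
    """Comment on each stale incident and move it to 'Active'; returns the escalated incident names.
    sentinel: any object exposing post_comment() and update_incident() as documented above."""
    escalated = []
    for rec in find_stale_new_incidents(records, now, max_age):
        hours = (now - _parse_utc(rec["properties.lastActivityTimeUtc"])) // timedelta(hours=1)
        sentinel.post_comment(rec["name"], f"Auto-escalated: untriaged for {hours}h, SLA is {max_age}.")
        # "status" as an update_items key is an assumption; allowed values per the docs: New, Active, Closed
        sentinel.update_incident(rec["name"], {"status": "Active"})
        escalated.append(rec["name"])
    return escalated

class RecordingSentinel:  # constructed stand-in for the msticpy client; records calls instead of calling the API
    def __init__(self): self.comments, self.updates = [], []
    def post_comment(self, incident_id, comment): self.comments.append((incident_id, comment))
    def update_incident(self, incident_id, update_items): self.updates.append((incident_id, dict(update_items)))

SAMPLE = [  # constructed sample incidents with fake GUIDs, shaped like flattened incident records
    {"name": "00000000-0000-0000-0000-000000000001", "properties.severity": "High",
     "properties.status": "New", "properties.lastActivityTimeUtc": "2024-05-01T10:00:00Z"},
    {"name": "00000000-0000-0000-0000-000000000002", "properties.severity": "Medium",
     "properties.status": "Active", "properties.lastActivityTimeUtc": "2024-05-01T10:00:00Z"},
    {"name": "00000000-0000-0000-0000-000000000003", "properties.severity": "Low",
     "properties.status": "New", "properties.lastActivityTimeUtc": "2024-04-20T10:00:00Z"},
    {"name": "00000000-0000-0000-0000-000000000004", "properties.severity": "High",
     "properties.status": "New", "properties.lastActivityTimeUtc": "2024-05-03T09:00:00Z"},
]
NOW = datetime(2024, 5, 3, 12, 0, tzinfo=timezone.utc)  # constructed "current time" for the sample
```

Only the first sample incident qualifies: the second is already Active, the third is below the escalation severity, and the fourth is still within the SLA.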