msticpy.context.azure.sentinel_ti module
Mixin Classes for Sentinel Analytics Features.
- class msticpy.context.azure.sentinel_ti.SentinelTIMixin
Bases:
object
Mixin class for Sentinel threat intelligence (TI) feature integrations.
- add_tag(indicator_id: str, tag: str)
Add a tag to an existing indicator.
- Parameters:
indicator_id (str) – The GUID of the indicator to add a tag to.
tag (str) – The tag to add.
- bulk_create_indicators(data: DataFrame, indicator_column: str = 'Observable', indicator_type_column: str = 'IoCType', **kwargs)
Bulk create indicators from a DataFrame.
- Parameters:
data (pd.DataFrame) – A dataframe containing indicators and indicator types
indicator_column (str, optional) – The column containing indicator values to create, by default “Observable”
indicator_type_column (str, optional) – The column containing indicator type values, by default “IoCType”
confidence_column (str, optional) – The column containing indicator confidence values, by default 0 value used.
- create_indicator(indicator: str, ioc_type: str, name: str = 'TI Indicator', confidence: int = 0, silent: bool = False, **kwargs) str
Create a new indicator within the Microsoft Sentinel workspace.
- Parameters:
indicator (str) – The indicator to create - i.e. IP address, domain name etc.
ioc_type (str) – The type of indicator to create - can be: “dns”, “url”, “ipv4”, “ipv6”, “md5_hash”, “sha1_hash”, “sha256_hash”
name (str, optional) – A common name to give to the indicator, default is ‘TI Indicator’
confidence (int, optional) – A score between 0-100 of the confidence in the indicator, default is 0
silent (bool, optional) – If True no output is displayed, defaults to False
description (str, optional) – A description of the indicator
labels (list, optional) – A list of string labels to associate with the indicator
kill_chain_phases (list, optional) – A list of strings naming the kill chain phases the indicator is associated with
threat_types (list, optional) – A list of threat types associated with the indicator (list of strings)
external_references (list, optional) – A list of URLs that provide an external reference for the indicator
valid_from (datetime, optional) – The datetime from which the indicator is valid, defaults to now
valid_to (datetime, optional) – The datetime until which the indicator is valid
- Returns:
The ID of the created indicator
- Return type:
str
- Raises:
MsticpyUserError – If invalid ioc_type or confidence value provided
CloudError – If API call fails
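The page states that create_indicator raises MsticpyUserError for an invalid ioc_type or confidence value, and bulk_create_indicators feeds a whole DataFrame through the same path. The following added example (not msticpy code) performs those checks locally before any API call, so that a malformed row is rejected up front rather than failing part-way through a bulk load. It uses the ioc_type values and the 0-100 confidence range from the page; the hex-digest lengths, the hostname regex, the default "Confidence" column name and the `client` parameter are assumptions of this example, and the sample rows are constructed.

```python
"""Pre-flight checks for Sentinel TI indicators before create/bulk-create.

Added example, not part of msticpy. Applies the constraints documented for
create_indicator (ioc_type in the listed set, confidence 0-100) plus basic
shape checks, so bad rows are caught before bulk_create_indicators is called.
"""
from __future__ import annotations

import ipaddress
import re

# ioc_type values documented for create_indicator.
VALID_IOC_TYPES = {"dns", "url", "ipv4", "ipv6", "md5_hash", "sha1_hash", "sha256_hash"}

# Assumption of this example: expected hex digest length per hash type.
_HASH_LENGTHS = {"md5_hash": 32, "sha1_hash": 40, "sha256_hash": 64}
_HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
# Assumption of this example: a simple dotted-label hostname pattern.
_DNS_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$")


def check_indicator(observable, ioc_type, confidence=0) -> list[str]:
    """Return the problems found for one indicator; an empty list means it is acceptable."""
    if ioc_type not in VALID_IOC_TYPES:
        return [f"unknown ioc_type {ioc_type!r}"]
    problems: list[str] = []
    try:
        conf = int(confidence)
    except (TypeError, ValueError):
        conf = -1
    if not 0 <= conf <= 100:
        problems.append(f"confidence {confidence!r} outside 0-100")
    value = str(observable).strip()
    if not value:
        problems.append("empty indicator value")
    elif ioc_type in ("ipv4", "ipv6"):
        try:
            if ipaddress.ip_address(value).version != int(ioc_type[-1]):
                problems.append(f"{value} is not an {ioc_type} address")
        except ValueError:
            problems.append(f"{value!r} is not a valid IP address")
    elif ioc_type in _HASH_LENGTHS:
        if not (_HEX_RE.match(value) and len(value) == _HASH_LENGTHS[ioc_type]):
            problems.append(f"{value!r} is not a {ioc_type} hex digest")
    elif ioc_type == "url" and not value.lower().startswith(("http://", "https://")):
        problems.append(f"{value!r} does not look like a URL")
    elif ioc_type == "dns" and not _DNS_RE.match(value):
        problems.append(f"{value!r} is not a valid domain name")
    return problems


def validate_records(records, indicator_column="Observable",
                     indicator_type_column="IoCType", confidence_column="Confidence"):
    """Split indicator rows into (accepted, rejected).

    `records` is a list of dicts or a pandas DataFrame (converted via to_dict).
    Column defaults follow bulk_create_indicators; a missing confidence column
    means 0, as documented. Repeated observables after the first are rejected.
    """
    if hasattr(records, "to_dict"):
        records = records.to_dict("records")
    accepted, rejected, seen = [], [], set()
    for row in records:
        obs, ioc_type = row.get(indicator_column), row.get(indicator_type_column)
        conf = row.get(confidence_column, 0)
        problems = check_indicator(obs, ioc_type, conf)
        key = (ioc_type, str(obs).strip().lower())
        if not problems and key in seen:
            problems.append("duplicate of an earlier row")
        if problems:
            rejected.append({**row, "reason": "; ".join(problems)})
        else:
            seen.add(key)
            accepted.append({indicator_column: str(obs).strip(),
                             indicator_type_column: ioc_type, confidence_column: int(conf)})
    return accepted, rejected


def stage_bulk_create(records, client=None, **columns):
    """Validate rows and, when a client is given, pass only the accepted ones to it.

    `client` is assumed to expose bulk_create_indicators with the documented
    signature (e.g. an msticpy MicrosoftSentinel object using SentinelTIMixin).
    With client=None the function only validates, which is what runs offline.
    """
    accepted, rejected = validate_records(records, **columns)
    if client is not None and accepted:
        import pandas as pd  # bulk_create_indicators takes a DataFrame; imported lazily

        client.bulk_create_indicators(
            pd.DataFrame(accepted),
            indicator_column=columns.get("indicator_column", "Observable"),
            indicator_type_column=columns.get("indicator_type_column", "IoCType"),
            confidence_column=columns.get("confidence_column", "Confidence"),
        )
    return accepted, rejected


# Constructed sample rows (documentation ranges, not real intelligence), one per check.
SAMPLE_ROWS = [
    {"Observable": "198.51.100.7", "IoCType": "ipv4", "Confidence": 80},
    {"Observable": "198.51.100.7", "IoCType": "ipv4", "Confidence": 80},  # duplicate
    {"Observable": "not-an-ip", "IoCType": "ipv4", "Confidence": 50},
    {"Observable": "example.test", "IoCType": "dns"},  # no confidence column -> 0
    {"Observable": "d41d8cd98f00b204e9800998ecf8427e", "IoCType": "md5_hash", "Confidence": 120},
    {"Observable": "ftp://example.test/x", "IoCType": "url", "Confidence": 10},
    {"Observable": "example.test", "IoCType": "hostname", "Confidence": 10},  # bad ioc_type
]

if __name__ == "__main__":
    ok, bad = stage_bulk_create(SAMPLE_ROWS)
    print(f"{len(ok)} accepted, {len(bad)} rejected")
    for row in bad:
        print(" -", row["Observable"], row["IoCType"], "->", row["reason"])
```

Rejected rows keep their original columns plus a `reason` field, which is convenient to write back to the analyst who supplied the feed; only the accepted rows, already trimmed and with an integer confidence, are handed to bulk_create_indicators.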
- delete_indicator(indicator_id: str)
Delete a specific TI indicator.
- Parameters:
indicator_id (str) – The GUID of the indicator to delete
- Raises:
CloudError – If API call fails
- get_all_indicators(limit: int | None = None, orderby: str | None = None) DataFrame
Return all TI indicators in a Microsoft Sentinel workspace.
- Parameters:
limit (int, optional) – If set returns top n results
orderby (Optional[str], optional) – Order results by a specific column
- Returns:
A table of the TI indicators in the workspace.
- Return type:
pd.DataFrame
- get_indicator(indicator_id: str) dict
Get a specific indicator by its ID.
- Parameters:
indicator_id (str) – The GUID of the indicator to get
- Returns:
Indicator details
- Return type:
dict
- Raises:
CloudError – If API call fails.
- get_ti_metrics() DataFrame
Return metrics about TI indicators in a Microsoft Sentinel workspace.
- Returns:
A table of TI indicator metrics for the workspace.
- Return type:
pd.DataFrame
- query_indicators(**kwargs) DataFrame
Query for indicators in a Sentinel workspace.
- Parameters:
includeDisabled (bool, optional) – Parameter to include/exclude disabled indicators.
keywords (str, optional) – Keyword for searching threat intelligence indicators. Use this to search for specific indicator values.
maxConfidence (int, optional) – Maximum confidence.
maxValidUntil (str, optional) – End time for ValidUntil filter.
minConfidence (int, optional) – Minimum confidence.
minValidUntil (str, optional) – Start time for ValidUntil filter.
pageSize (int, optional) – Maximum number of results to return in one page.
patternTypes (list, optional) – A list of IoC types to include.
sortBy (list, optional) – Columns to sort by and sorting order as: [{"itemKey": COLUMN_NAME, "sortOrder": "ascending" or "descending"}]
sources (list, optional) – A list of indicator sources to include
threatTypes (list, optional) – A list of Threat types to include
- Returns:
A set of matching indicators
- Return type:
pd.DataFrame
- Raises:
CloudError – If API call fails
- update_indicator(indicator_id: str, **kwargs)
Update an existing indicator within the Microsoft Sentinel workspace.
- Parameters:
indicator_id (str) – The GUID of the indicator to update
name (str, optional) – A common name to give to the indicator, default is ‘TI Indicator’
confidence (int, optional) – A score between 0-100 of the confidence in the indicator
description (str, optional) – A description of the indicator
labels (list, optional) – A list of string labels to associate with the indicator
kill_chain_phases (list, optional) – A list of strings naming the kill chain phases the indicator is associated with
threat_types (list, optional) – A list of threat types associated with the indicator (list of strings)
external_references (list, optional) – A list of URLs that provide an external reference for the indicator
valid_from (datetime, optional) – The datetime from which the indicator is valid, defaults to now
valid_to (datetime, optional) – The datetime until which the indicator is valid
- Raises:
CloudError – If API call fails