msticpy.data.drivers.sentinel_query_reader module
Github Sentinel Query repo import class and helpers.
- class msticpy.data.drivers.sentinel_query_reader.SentinelQuery(query_id: str = NOTHING, name: str = NOTHING, description: str = NOTHING, severity: str = NOTHING, query_frequency: str = NOTHING, query_period: str = NOTHING, trigger_operator: str = NOTHING, trigger_threshold: str = NOTHING, version: str = NOTHING, kind: str = NOTHING, folder_name: str = NOTHING, source_file_name: str = NOTHING, query_type: str = NOTHING, tactics: list = NOTHING, relevant_techniques: list = NOTHING, query: str = NOTHING, entity_mappings: dict = NOTHING, custom_details: dict = NOTHING, alert_details_override: dict = NOTHING, tags: list = NOTHING, required_data_connectors: dict = NOTHING)
Bases: object
Attrs class that represents a Sentinel Query yaml file.
Method generated by attrs for class SentinelQuery.
- alert_details_override: dict
- custom_details: dict
- description: str
- entity_mappings: dict
- folder_name: str
- kind: str
- name: str
- query: str
- query_frequency: str
- query_id: str
- query_period: str
- query_type: str
- relevant_techniques: list
- required_data_connectors: dict
- severity: str
- source_file_name: str
- tactics: list
- tags: list
- trigger_operator: str
- trigger_threshold: str
- version: str
- msticpy.data.drivers.sentinel_query_reader.download_and_write_sentinel_queries(query_type: str, yaml_output_folder: str, github_outputdir: str | None = None)
Download queries from GitHub and write out YAML files for the given query type.
- Parameters:
query_type (str) – Either “Hunting Queries”, “Detections”, or another named query category
yaml_output_folder (str) – Path to the folder in which the generated YAML files are written
github_outputdir (Optional[str]) – Path to the directory in which the GitHub download is stored
- msticpy.data.drivers.sentinel_query_reader.get_sentinel_queries_from_github(git_url: str | None = 'https://github.com/Azure/Azure-Sentinel/archive/master.zip', outputdir: str | None = None) → bool
Download Microsoft Sentinel Github archive and extract detection and hunting queries.
- Parameters:
git_url (str, optional) – URL of the Git repository archive to download, by default “https://github.com/Azure/Azure-Sentinel/archive/master.zip”
outputdir (str, optional) – Absolute path of the output folder in which the downloaded archive is saved (e.g. ‘/usr/home’ or ‘C:\downloads’). If no path is provided, the archive is downloaded to the Azure-Sentinel directory under the .msticpy directory.
- msticpy.data.drivers.sentinel_query_reader.import_sentinel_queries(yaml_files: dict, query_type: str) → list
Create list of SentinelQuery attr objects.
- Parameters:
yaml_files (dict) – Dictionary mapping query file paths to YAML file text, as created by read_yaml_files
query_type (str) – Either “Hunting Queries”, “Detections”, or another named query category
- Returns:
List of SentinelQuery attr objects built from the given dict of YAML files and query type
- Return type:
list
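The import step above turns parsed rule files into attribute objects. The following is an added example, not msticpy's own code: it models that step with a stdlib dataclass carrying a subset of SentinelQuery's fields, assumes the files have already been parsed into mappings using the Azure-Sentinel rule schema's camelCase keys, assumes folder_name and source_file_name are derived from the file path, and adds a defender-side check that the rule's required data connectors are enabled before the query is deployed.

```python
import re
from dataclasses import dataclass, field
from pathlib import PurePosixPath

# Constructed sample: one parsed Detections file. Assumes the Azure-Sentinel
# rule schema (camelCase keys); the id is a placeholder and the KQL is made up.
SAMPLE_RULES = {
    "Detections/SecurityEvent/rare_process.yaml": {
        "id": "00000000-0000-0000-0000-000000000001",
        "name": "Rare process launched (constructed)",
        "relevantTechniques": ["T1059"],
        "requiredDataConnectors": [{"connectorId": "SecurityEvents", "dataTypes": ["SecurityEvent"]}],
        "query": "SecurityEvent | where EventID == 4688 | summarize count() by Process",
        "someNewerKey": "dropped",  # keys the class has no field for are skipped
    },
}

@dataclass
class SentinelQuery:
    """Subset of the page's SentinelQuery fields (the real attrs class has 21)."""
    query_id: str = ""
    name: str = ""
    folder_name: str = ""
    source_file_name: str = ""
    query_type: str = ""
    relevant_techniques: list = field(default_factory=list)
    required_data_connectors: list = field(default_factory=list)
    query: str = ""

def _snake(key: str) -> str:
    # camelCase YAML key -> snake_case attribute (relevantTechniques -> relevant_techniques)
    return re.sub(r"(?<!^)(?=[A-Z])", "_", key).lower()

def import_rules(parsed_files: dict, query_type: str) -> list:
    """Mirror of import_sentinel_queries over already-parsed file mappings."""
    rules = []
    for path, data in parsed_files.items():
        p = PurePosixPath(path)  # deriving folder/file names from the path is an assumption
        kwargs = {"query_type": query_type, "folder_name": p.parent.name, "source_file_name": p.name}
        for key, value in data.items():
            attr = "query_id" if key == "id" else _snake(key)
            if attr in SentinelQuery.__dataclass_fields__:
                kwargs[attr] = value
        rules.append(SentinelQuery(**kwargs))
    return rules

def missing_connectors(rule: SentinelQuery, enabled: list) -> list:
    """Connector ids the rule needs that the workspace has not enabled."""
    needed = {c.get("connectorId") for c in rule.required_data_connectors}
    return sorted(needed - set(enabled))
```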
- msticpy.data.drivers.sentinel_query_reader.read_yaml_files(parent_dir: str, child_dir: str) → dict
Create a dictionary mapping query file paths to the YAML file text each contains.
- Parameters:
parent_dir (str) – Directory containing the Hunting and Detections directories
child_dir (str) – Either “Hunting Queries”, “Detections”, or another named query category
- Returns:
Dictionary mapping query file paths to the corresponding YAML file text in the specified parent_dir/child_dir. Only .yaml files are included.
- Return type:
dict
- msticpy.data.drivers.sentinel_query_reader.write_to_yaml(query_list: list, query_type: str, output_folder: str) → bool
Write the queries in query_list out as YAML files into output_folder.
- Parameters:
query_list (list) – List of SentinelQuery attr objects generated by import_sentinel_queries()
query_type (str) – Either “Hunting Queries”, “Detections”, or another named query category
output_folder (str) – Name of the folder in which the written YAML files are stored
- Returns:
True if the write succeeded; False if an error occurred
- Return type:
bool