msticpy.nbtools.security_alert module

Module for SecurityAlert class.

class msticpy.nbtools.security_alert.SecurityAlert(*args, **kwargs)

Bases: SecurityBase

Security Alert Class.

Instantiates a security alert from a pandas Series and provides convenience access methods to retrieve properties.

Deprecated since version 1.7.0: Replaced by the Alert entity in the datamodel.

Instantiate a security alert from a pandas Series.

property computer: str | None

Return the Computer name of the host associated with the alert.

(host FQDN, if available)

property data_environment: DataEnvironment

Return the data environment of the alert for subsequent queries.

property data_family: OSFamily

Return the data family of the alert for subsequent queries.

property entities: List[Entity]

Return a list of the Security Alert entities.

get_all_entities() → DataFrame

Return a DataFrame of the Alert or Event entities.

Returns:

Pandas DataFrame of the Alert or Event entities.

Return type:

DataFrame

get_entities_of_type(entity_type: str) → List[Entity]

Return the entity collection for a given entity type.

Parameters:

entity_type (str, optional) – The entity type.

Returns:

The entities matching entity_type.

Return type:

List[Entity]

get_logon_id(account: Account | None = None) → str | int | None

Get the logon Id for the alert or the account, if supplied.

If account is not supplied, return the logon id of the first host-logon-session or account entity.

Parameters:

account (Account, optional) – Account object to use (the default is None)

Returns:

The logon Id for the primary account

Return type:

Optional[Union[str, int]]

host_filter(operator='==')

Return a KQL host filter clause derived from the alert properties.

Parameters:

operator (str, optional) – the operator to use in the filter clause, typically '==' or '!=' (the default is '==')

property hostname: str

Return the Hostname (not FQDN) of the host associated with the alert.

property ids: Dict[str, str]

Return a collection of Identity properties for the alert.

property is_in_azure_sub: bool

Return True if the alert originates from an Azure Security Center host.

property is_in_log_analytics: bool

Return True if the alert originates from a Log Analytics Workspace host.

property is_in_workspace: bool

Return True if the alert has a Log Analytics WorkspaceID.

property origin_time: datetime

Return the datetime of the event.

property primary_account: Process | Entity | None

Return the primary account entity (if any) associated with this object.

Returns:

primary account entity (if any)

Return type:

Optional[Process]

property primary_host: Host | Entity | None

Return the primary host entity (if any) associated with this object.

Returns:

primary host entity (if any)

Return type:

Optional[Host]

property primary_process: Process | Entity | None

Return the primary process entity (if any) associated with this object.

Returns:

primary process entity (if any)

Return type:

Optional[Process]

property properties: Dict[str, Any]

Return a dictionary of the Alert or Event properties.

Returns:

dictionary of the Alert or Event properties.

Return type:

Dict[str, Any]

property query_params: Dict[str, Any]

Query parameters derived from alert.

Returns:

Dictionary of parameter names/values

Return type:

Dict[str, Any]

subscription_filter(operator='==')

Return a KQL subscription filter clause derived from the alert properties.
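The following is an added example, not msticpy's own code: a minimal stand-in that shows the kind of KQL filter clause host_filter() and subscription_filter() produce from alert properties, and the two checks a practitioner wants around it. The operator is restricted to a fixed set, and the property value is quoted as a proper KQL string literal (single quotes and backslashes escaped) so that a value copied out of an alert cannot terminate the literal and alter the query. The MiniAlert class, the plain dict standing in for the pandas Series, the SubscriptionId column name and the sample values are all assumptions made for this example; the exact text msticpy emits may differ.

```python
"""Build KQL host and subscription filter clauses from alert properties.

Added example (not msticpy's implementation). A plain dict stands in for the
pandas Series that SecurityAlert is normally built from.
"""
from typing import Dict, Optional

# Operators a filter clause may use. Anything else is rejected so the operator
# argument cannot be used to append arbitrary KQL to the query.
ALLOWED_OPERATORS = frozenset({"==", "!=", "=~", "!~"})


def is_supported_operator(operator: str) -> bool:
    """Return True if `operator` is one of the permitted KQL comparison operators."""
    return operator in ALLOWED_OPERATORS


def kql_string_literal(value: str) -> str:
    """Quote `value` as a KQL single-quoted string literal.

    KQL string literals use backslash escapes, so a backslash or a single
    quote in the value is escaped before the value is placed in the query.
    """
    escaped = value.replace("\\", "\\\\").replace("'", "\\'")
    return f"'{escaped}'"


def _filter_clause(column: str, value: Optional[str], operator: str) -> Optional[str]:
    """Return '<column> <operator> <literal>' or None when the value is absent."""
    if not is_supported_operator(operator):
        raise ValueError(f"unsupported KQL operator: {operator!r}")
    if not value:
        return None  # nothing to filter on; the caller decides whether that is acceptable
    return f"{column} {operator} {kql_string_literal(value)}"


class MiniAlert:
    """Stand-in for SecurityAlert holding only the properties the filters need (assumption)."""

    def __init__(self, properties: Dict[str, str]) -> None:
        self.properties = dict(properties)

    @property
    def computer(self) -> Optional[str]:
        # Full computer name (FQDN when available), mirroring the `computer` property.
        return self.properties.get("Computer")

    @property
    def hostname(self) -> Optional[str]:
        # Hostname without the domain part, mirroring the `hostname` property.
        return self.computer.split(".", 1)[0] if self.computer else None

    def host_filter(self, operator: str = "==") -> Optional[str]:
        # Filter on the Computer column, which Log Analytics tables carry.
        return _filter_clause("Computer", self.computer, operator)

    def subscription_filter(self, operator: str = "==") -> Optional[str]:
        # Column name "SubscriptionId" is an assumption for this example.
        return _filter_clause("SubscriptionId", self.properties.get("SubscriptionId"), operator)

    def where_clause(self, operator: str = "==") -> str:
        """Join the available filters into one KQL `where` predicate."""
        parts = [c for c in (self.host_filter(operator), self.subscription_filter(operator)) if c]
        if not parts:
            raise ValueError("alert carries neither a host nor a subscription to filter on")
        return " and ".join(parts)


# Constructed sample alert properties (not real data).
SAMPLE_ALERT = MiniAlert(
    {
        "Computer": "ws01.corp.example.com",
        "SubscriptionId": "00000000-0000-0000-0000-000000000000",
    }
)

if __name__ == "__main__":
    print(SAMPLE_ALERT.host_filter())             # Computer == 'ws01.corp.example.com'
    print(SAMPLE_ALERT.subscription_filter("!="))  # SubscriptionId != '0000...'
    print(SAMPLE_ALERT.where_clause())
    # A value containing a quote is escaped rather than breaking the literal.
    print(MiniAlert({"Computer": "it's-pc"}).host_filter())  # Computer == 'it\'s-pc'
```

The clauses are meant to be dropped into a `| where ...` line of a follow-up query, which is why a missing value yields None rather than an empty string: an empty predicate would silently widen the query to every host in the workspace.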

to_html(show_entities=False) → str

Return the item as an HTML string.