msticpy.nbtools.security_base module
Module for SecurityAlert class.
- class msticpy.nbtools.security_base.SecurityBase(*args, **kwargs)
Bases:
QueryParamProvider
Security Base Class for alerts and events.
Instantiates a security event or alert from a pandas Series and provides convenience access methods to retrieve properties.
Deprecated since version 1.7.0: replaced by the Alert entity in the datamodel.
Instantiate a security alert from a pandas Series.
- property computer: str | None
Return the Computer name (host FQDN, if available) of the host associated with the alert.
- property data_environment: DataEnvironment
Return the data environment of the alert for subsequent queries.
- property entities: List[Entity]
Return a list of the Alert or Event entities.
- Returns:
List of the Alert or Event entities.
- Return type:
List[Entity]
- get_all_entities() DataFrame
Return a DataFrame of the Alert or Event entities.
- Returns:
Pandas DataFrame of the Alert or Event entities.
- Return type:
DataFrame
- get_entities_of_type(entity_type: str) List[Entity]
Return the entity collection for a given entity type.
- Parameters:
entity_type (str, optional) – The entity type.
- Returns:
The entities matching entity_type.
- Return type:
List[Entity]
- get_logon_id(account: Account | None = None) str | int | None
Get the logon Id for the alert or the account, if supplied.
If account is not supplied, return the logon id of the first host-logon-session or account entity.
- Parameters:
account (Account, optional) – Account object to use (the default is None)
- Returns:
The logon Id for the primary account
- Return type:
Optional[Union[str, int]]
- host_filter(operator='==')
Return a KQL host filter clause derived from the alert properties.
- Parameters:
operator (str, optional) – the operator to use in the filter clause, typically '==' or '!=' (the default is '==')
- property hostname: str
Return the Hostname (not FQDN) of the host associated with the alert.
- property ids: Dict[str, str]
Return a collection of Identity properties for the alert.
- property is_in_azure_sub: bool
Return True if the alert originates from an Azure Security Center host.
- property is_in_log_analytics: bool
Return True if the alert originates from a Log Analytics Workspace host.
- property is_in_workspace: bool
Return True if the alert has a Log Analytics WorkspaceID.
- property origin_time: datetime
Return the datetime of the event.
- property primary_account: Process | Entity | None
Return the primary account entity (if any) associated with this object.
- Returns:
primary account entity (if any)
- Return type:
Optional[Process]
- property primary_host: Host | Entity | None
Return the primary host entity (if any) associated with this object.
- Returns:
primary host entity (if any)
- Return type:
Optional[Host]
- property primary_process: Process | Entity | None
Return the primary process entity (if any) associated with this object.
- Returns:
primary process entity (if any)
- Return type:
Optional[Process]
- property properties: Dict[str, Any]
Return a dictionary of the Alert or Event properties.
- Returns:
dictionary of the Alert or Event properties.
- Return type:
Dict[str, Any]
- property query_params: Dict[str, Any]
Return the query parameters derived from the alert.
- Returns:
Dictionary of parameter names/values
- Return type:
Dict[str, Any]
- subscription_filter(operator='==')
Return a KQL subscription filter clause derived from the alert properties.
- to_html(show_entities: bool = False) str
Return the item as an HTML string.