msticpy.context.azure.sentinel_analytics module

Mixin Classes for Sentinel Analytics Features.

class msticpy.context.azure.sentinel_analytics.SentinelAnalyticsMixin(*, connect=False, cloud=None)

Bases: SentinelUtilsMixin

Mixin class for Sentinel Analytics feature integrations.

Initialize connector for Azure Python SDK.

Parameters:

  • connect (bool)

  • cloud (str | None)

base_url
check_connected()

Check that Sentinel workspace is connected.

Parameters:

self (Self)

Return type:

None

cloud
compute_client
connect(auth_methods=None, tenant_id=None, *, silent=False, cloud=None, **kwargs)

Authenticate to the Azure SDK.

Parameters:

  • auth_methods (List, optional) – list of preferred authentication methods to use, by default None

  • tenant_id (str, optional) – The tenant to authenticate against. If not supplied, the default tenant for the identity will be used.

  • silent (bool, optional) – Set true to prevent output during auth process, by default False

  • cloud (str, optional) – What Azure cloud to connect to. By default it will attempt to use the cloud setting from config file. If this is not set it will default to Azure Public Cloud

  • **kwargs – Additional keyword arguments to pass to the az_connect function.

  • self (Self)

Raises:

ClientAuthenticationError – If no valid credentials are found or if subscription client can’t be created

Return type:

None

See also

msticpy.auth.azure_auth.az_connect

function to authenticate to Azure SDK

create_analytic_rule(template=None, name=None, *, enabled=True, query=None, query_frequency='PT5H', query_period='PT5H', severity='Medium', suppression_duration='PT1H', suppression_enabled=False, trigger_operator='GreaterThan', trigger_threshold=0, description=None, tactics=None)

Create a Sentinel Analytics Rule.

Parameters:

  • template (str, optional) – The GUID or name of a templated to create the analytic from, by default None

  • name (str, optional) – The name to give the analytic, by default None

  • enabled (bool, optional) – Whether you want the analytic to be enabled once deployed, by default True

  • query (str, optional) – The KQL query string to use in the anlaytic, by default None

  • query_frequency (str, optional) – How often the query should run in ISO8601 format, by default “PT5H”

  • query_period (str, optional) – How far back the query should look in ISO8601 format, by default “PT5H”

  • severity (str, optional) – The severity to raise incidents as, by default “Medium” Options are; Informational, Low, Medium, or High

  • suppression_duration (str, optional) – How long to suppress duplicate alerts in ISO8601 format, by default “PT1H”

  • suppression_enabled (bool, optional) – Whether you want to suppress duplicates, by default False

  • trigger_operator (str, optional) – The operator for the trigger, by default “GreaterThan”

  • trigger_threshold (int, optional) – The threshold of events required to create the incident, by default 0

  • description (str, optional) – A description of the analytic, by default None

  • tactics (list, optional) – A list of MITRE ATT&CK tactics related to the analytic, by default None

  • self (Self)

Returns:

The name/ID of the analytic rule.

Return type:

str|None

Raises:

  • MsticpyUserError – If template provided isn’t found.

  • ClientAuthenticationError

  • ResourceNotFoundError

  • ResourceExistsError

  • ResourceNotModifiedError

  • HttpResponseError – If the API returns an error.

credentials
delete_analytic_rule(analytic_rule)

Delete a deployed Analytic rule from a Sentinel workspace.

Parameters:

  • analytic_rule (str) – The GUID or name of the analytic.

  • self (Self)

Raises:

  • ClientAuthenticationError

  • ResourceNotFoundError

  • ResourceExistsError

  • HttpResponseError – If the API returns an error.

Return type:

None

endpoints
get_alert_rules()

Return all Microsoft Sentinel alert rules for a workspace.

Returns:

A table of the workspace’s alert rules.

Return type:

pd.DataFrame

Parameters:

self (Self)

get_analytic_rules()

Return all Microsoft Sentinel alert rules for a workspace.

Returns:

A table of the workspace’s alert rules.

Return type:

pd.DataFrame

Parameters:

self (Self)

get_metrics(metrics, resource_id, sub_id, sample_time='hour', start_time=30)

Return specified metrics on Azure Resource.

Parameters:

  • metrics (str) – A string list of metrics you wish to collect (https://docs.microsoft.com/en-us/azure/azure-monitor/platform/metrics-supported)

  • resource_id (str) – The resource ID of the resource to collet the metrics from

  • sub_id (str) – The subscription ID that the resource is part of

  • sample_time (str (Optional)) – You can select to collect the metrics every hour of minute - default is hour Accepted inputs = ‘hour’ or ‘minute’

  • start_time (int (Optional)) – The number of days prior to today to collect metrics for, default is 30

  • self (Self)

Returns:

results – A Dictionary of DataFrames containing the metrics details

Return type:

dict

get_network_details(network_id, sub_id)

Return details related to an Azure network interface and associated NSG.

Parameters:

  • network_id (str) – The ID of the network interface to return details on

  • sub_id (str) – The subscription ID that the network interface is part of

  • self (Self)

Returns:

details – A dictionary of items related to the network interface

Return type:

dict

get_resource_details(sub_id, resource_id=None, resource_details=None)

Return the details of a specific Azure resource.

Parameters:

  • resource_id (str, optional) – The ID of the resource to get details on

  • resource_details (dict, optional) –

    If ID is unknown provide the following details:

    -resource_group_name -resource_provider_namespace -resource_type -resource_name -parent_resource_path

  • sub_id (str) – The ID of the subscription to get resources from

  • self (Self)

Returns:

resource_details – The details of the requested resource

Return type:

dict

get_resources(sub_id, rgroup=None, *, get_props=False)

Return details on all resources in a subscription or Resource Group.

Parameters:

  • sub_id (str) – The subscription ID to get resources for

  • rgroup (str (Optional)) – The name of a Resource Group to get resources for

  • get_props (bool (Optional)) – Set to True if you want to get the full properties of every resource Warning this may be a slow process depending on the number of resources

  • self (Self)

Returns:

A dataframe of resource details

Return type:

pd.DataFrame

get_sentinel_workspaces(sub_id)

Return a list of Microsoft Sentinel workspaces in a Subscription.

Parameters:

  • sub_id (str) – The subscription ID to get a list of workspaces from. If not provided it will attempt to get sub_id from config files.

  • self (Self)

Returns:

A dictionary of workspace names and ids

Return type:

Dict

get_subscription_info(sub_id)

Get information on a specific subscription.

Parameters:

  • sub_id (str) – The ID of the subscription to return details on.

  • self (Self)

Returns:

Details on the selected subscription.

Return type:

dict

Raises:

MsticpyNotConnectedError – If .connect() has not been called.

get_subscriptions()

Get details of all subscriptions within the tenant.

Returns:

Details of the subscriptions present in the users tenant.

Return type:

pd.DataFrame

Raises:

MsticpyNotConnectedError – If .connect() has not been called

Parameters:

self (Self)

list_alert_rules()

Return all Microsoft Sentinel alert rules for a workspace.

Returns:

A table of the workspace’s alert rules.

Return type:

pd.DataFrame

Parameters:

self (Self)

list_analytic_rules()

Return all Microsoft Sentinel alert rules for a workspace.

Returns:

A table of the workspace’s alert rules.

Return type:

pd.DataFrame

Parameters:

self (Self)

list_analytic_templates()

List Analytic Templates.

Returns:

A DataFrame containing the analytics templates

Return type:

pd.DataFrame

Raises:

  • ClientAuthenticationError

  • ResourceNotFoundError

  • ResourceExistsError

  • ResourceNotModifiedError

  • HttpResponseError – If a valid result is not returned.

list_sentinel_workspaces(sub_id)

Return a list of Microsoft Sentinel workspaces in a Subscription.

Parameters:

  • sub_id (str) – The subscription ID to get a list of workspaces from. If not provided it will attempt to get sub_id from config files.

  • self (Self)

Returns:

A dictionary of workspace names and ids

Return type:

Dict

monitoring_client
network_client
resource_client
sent_urls
sub_client
url
class msticpy.context.azure.sentinel_analytics.SentinelHuntingMixin(*, connect=False, cloud=None)

Bases: SentinelUtilsMixin

Mixin class for Sentinel Hunting feature integrations.

Initialize connector for Azure Python SDK.

Parameters:

  • connect (bool)

  • cloud (str | None)

base_url
check_connected()

Check that Sentinel workspace is connected.

Parameters:

self (Self)

Return type:

None

cloud
compute_client
connect(auth_methods=None, tenant_id=None, *, silent=False, cloud=None, **kwargs)

Authenticate to the Azure SDK.

Parameters:

  • auth_methods (List, optional) – list of preferred authentication methods to use, by default None

  • tenant_id (str, optional) – The tenant to authenticate against. If not supplied, the default tenant for the identity will be used.

  • silent (bool, optional) – Set true to prevent output during auth process, by default False

  • cloud (str, optional) – What Azure cloud to connect to. By default it will attempt to use the cloud setting from config file. If this is not set it will default to Azure Public Cloud

  • **kwargs – Additional keyword arguments to pass to the az_connect function.

  • self (Self)

Raises:

ClientAuthenticationError – If no valid credentials are found or if subscription client can’t be created

Return type:

None

See also

msticpy.auth.azure_auth.az_connect

function to authenticate to Azure SDK

credentials
endpoints
get_hunting_queries()

Return all custom hunting queries in a Microsoft Sentinel workspace.

Returns:

A table of the custom hunting queries.

Return type:

pd.DataFrame

Parameters:

self (Self)

get_metrics(metrics, resource_id, sub_id, sample_time='hour', start_time=30)

Return specified metrics on Azure Resource.

Parameters:

  • metrics (str) – A string list of metrics you wish to collect (https://docs.microsoft.com/en-us/azure/azure-monitor/platform/metrics-supported)

  • resource_id (str) – The resource ID of the resource to collet the metrics from

  • sub_id (str) – The subscription ID that the resource is part of

  • sample_time (str (Optional)) – You can select to collect the metrics every hour of minute - default is hour Accepted inputs = ‘hour’ or ‘minute’

  • start_time (int (Optional)) – The number of days prior to today to collect metrics for, default is 30

  • self (Self)

Returns:

results – A Dictionary of DataFrames containing the metrics details

Return type:

dict

get_network_details(network_id, sub_id)

Return details related to an Azure network interface and associated NSG.

Parameters:

  • network_id (str) – The ID of the network interface to return details on

  • sub_id (str) – The subscription ID that the network interface is part of

  • self (Self)

Returns:

details – A dictionary of items related to the network interface

Return type:

dict

get_resource_details(sub_id, resource_id=None, resource_details=None)

Return the details of a specific Azure resource.

Parameters:

  • resource_id (str, optional) – The ID of the resource to get details on

  • resource_details (dict, optional) –

    If ID is unknown provide the following details:

    -resource_group_name -resource_provider_namespace -resource_type -resource_name -parent_resource_path

  • sub_id (str) – The ID of the subscription to get resources from

  • self (Self)

Returns:

resource_details – The details of the requested resource

Return type:

dict

get_resources(sub_id, rgroup=None, *, get_props=False)

Return details on all resources in a subscription or Resource Group.

Parameters:

  • sub_id (str) – The subscription ID to get resources for

  • rgroup (str (Optional)) – The name of a Resource Group to get resources for

  • get_props (bool (Optional)) – Set to True if you want to get the full properties of every resource Warning this may be a slow process depending on the number of resources

  • self (Self)

Returns:

A dataframe of resource details

Return type:

pd.DataFrame

get_sentinel_workspaces(sub_id)

Return a list of Microsoft Sentinel workspaces in a Subscription.

Parameters:

  • sub_id (str) – The subscription ID to get a list of workspaces from. If not provided it will attempt to get sub_id from config files.

  • self (Self)

Returns:

A dictionary of workspace names and ids

Return type:

Dict

get_subscription_info(sub_id)

Get information on a specific subscription.

Parameters:

  • sub_id (str) – The ID of the subscription to return details on.

  • self (Self)

Returns:

Details on the selected subscription.

Return type:

dict

Raises:

MsticpyNotConnectedError – If .connect() has not been called.

get_subscriptions()

Get details of all subscriptions within the tenant.

Returns:

Details of the subscriptions present in the users tenant.

Return type:

pd.DataFrame

Raises:

MsticpyNotConnectedError – If .connect() has not been called

Parameters:

self (Self)

list_hunting_queries()

Return all custom hunting queries in a Microsoft Sentinel workspace.

Returns:

A table of the custom hunting queries.

Return type:

pd.DataFrame

Parameters:

self (Self)

list_saved_queries()

Return all saved queries in a Microsoft Sentinel workspace.

Returns:

A table of the custom hunting queries.

Return type:

pd.DataFrame

Parameters:

self (Self)

list_sentinel_workspaces(sub_id)

Return a list of Microsoft Sentinel workspaces in a Subscription.

Parameters:

  • sub_id (str) – The subscription ID to get a list of workspaces from. If not provided it will attempt to get sub_id from config files.

  • self (Self)

Returns:

A dictionary of workspace names and ids

Return type:

Dict

monitoring_client
network_client
resource_client
sent_urls
sub_client
url