msticpy.data.drivers.sentinel_query_reader module

Github Sentinel Query repo import class and helpers.

class msticpy.data.drivers.sentinel_query_reader.SentinelQuery(query_id=NOTHING, name=NOTHING, description=NOTHING, severity=NOTHING, query_frequency=NOTHING, query_period=NOTHING, trigger_operator=NOTHING, trigger_threshold=NOTHING, version=NOTHING, kind=NOTHING, folder_name=NOTHING, source_file_name=NOTHING, query_type=NOTHING, tactics=NOTHING, relevant_techniques=NOTHING, query=NOTHING, entity_mappings=NOTHING, custom_details=NOTHING, alert_details_override=NOTHING, tags=NOTHING, required_data_connectors=NOTHING)

Bases: object

Attrs class that represents a Sentinel Query yaml file.

Method generated by attrs for class SentinelQuery.

Parameters:
  • query_id (str)

  • name (str)

  • description (str)

  • severity (str)

  • query_frequency (str)

  • query_period (str)

  • trigger_operator (str)

  • trigger_threshold (str)

  • version (str)

  • kind (str)

  • folder_name (str)

  • source_file_name (str)

  • query_type (str)

  • tactics (list)

  • relevant_techniques (list)

  • query (str)

  • entity_mappings (dict)

  • custom_details (dict)

  • alert_details_override (dict)

  • tags (list)

  • required_data_connectors (dict)

alert_details_override: dict
custom_details: dict
description: str
entity_mappings: dict
folder_name: str
kind: str
name: str
query: str
query_frequency: str
query_id: str
query_period: str
query_type: str
relevant_techniques: list
required_data_connectors: dict
severity: str
source_file_name: str
tactics: list
tags: list
trigger_operator: str
trigger_threshold: str
version: str

msticpy.data.drivers.sentinel_query_reader.download_and_write_sentinel_queries(query_type, yaml_output_folder, github_outputdir=None)

Download queries from GitHub and write out YAML files for the given query type.

Parameters:
  • query_type (str) – Either “Hunting Queries”, “Detections”, or another named query category

  • yaml_output_folder (str) – Path to the folder you want the new generated YAML files to be stored in

  • github_outputdir (Optional[str]) – Path to the directory you want the Github download to be stored in

msticpy.data.drivers.sentinel_query_reader.get_sentinel_queries_from_github(git_url='https://github.com/Azure/Azure-Sentinel/archive/master.zip', outputdir=None)

Download Microsoft Sentinel Github archive and extract detection and hunting queries.

Parameters:
  • git_url (str, optional) – URL of the GIT Repository to be downloaded, by default “https://github.com/Azure/Azure-Sentinel/archive/master.zip”

  • outputdir (str, optional) – Absolute path to the output folder in which to save the downloaded archive (e.g. ‘/usr/home’ or ‘C:\downloads’). If no path is provided, it downloads to the .msticpy directory under the Azure-Sentinel directory.

Return type:

bool

msticpy.data.drivers.sentinel_query_reader.import_sentinel_queries(yaml_files, query_type)

Create list of SentinelQuery attr objects.

Parameters:
  • yaml_files (dict) – Dictionary mapping query file paths to yaml file text, as created by read_yaml_files

  • query_type (str) – Either “Hunting Queries”, “Detections”, or another named query category

Returns:

List of SentinelQuery attr objects built from the given dict of yaml files and the given query type

Return type:

list

msticpy.data.drivers.sentinel_query_reader.read_yaml_files(parent_dir, child_dir)

Create a dictionary mapping query file paths to the yaml file text each contains.

Parameters:
  • parent_dir (str) – Directory storing the Hunting and Detections directories

  • child_dir (str) – Either “Hunting Queries”, “Detections”, or another named query category

Returns:

Dictionary mapping query file paths to corresponding yaml file text in the parent_dir/child_dir specified. Only identifies .yaml files.

Return type:

dict

msticpy.data.drivers.sentinel_query_reader.write_to_yaml(query_list, query_type, output_folder)

Write out generated YAML files of the given query_list into the given output_folder.

Parameters:
  • query_list (list) – List of SentinelQuery attr objects generated by import_sentinel_queries()

  • query_type (str) – Either “Hunting Queries”, “Detections”, or another named query category

  • output_folder (str) – The name of the folder you want the written YAML files to be stored in

Returns:

True if succeeded; False if an error occurred

Return type:

bool
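The functions above form one pipeline: read_yaml_files collects the .yaml texts under a query category, import_sentinel_queries turns them into SentinelQuery objects, and write_to_yaml writes them back out. The following is an added, self-contained walk-through of that pipeline on a constructed detection file; it is not msticpy's code. LocalSentinelQuery is a dataclass stand-in for the attrs SentinelQuery class with a subset of its fields, the three functions mirror the documented behaviour (only .yaml files are picked up, folder and file names are recorded, True/False signals write success), missing_fields is an added completeness check a detection engineer would run before deploying, and PyYAML is assumed to be installed (msticpy itself depends on it). Because the archive is third-party content, the example parses it with yaml.safe_load rather than a full-loader yaml.load.

```python
from __future__ import annotations
import tempfile
from dataclasses import asdict, dataclass, field
from pathlib import Path
import yaml  # PyYAML: assumed installed (msticpy itself depends on it)

# Constructed sample detection, laid out like the Azure-Sentinel repo's YAML files.
SAMPLE_DETECTION = """\
id: constructed-example-0001
name: Constructed sign-in detection
severity: Medium
triggerOperator: gt
triggerThreshold: 0
tactics:
  - InitialAccess
query: |
  SigninLogs
  | where ResultType == "0"
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: UserPrincipalName
kind: Scheduled
"""

@dataclass
class LocalSentinelQuery:
    """Dataclass stand-in for the attrs SentinelQuery class: same field names, a subset of its fields."""
    query_id: str = ""
    name: str = ""
    severity: str = ""
    trigger_operator: str = ""
    trigger_threshold: str = ""
    kind: str = ""
    folder_name: str = ""
    source_file_name: str = ""
    query_type: str = ""
    query: str = ""
    tactics: list = field(default_factory=list)
    entity_mappings: list = field(default_factory=list)  # a sequence in the repo's YAML

def read_yaml_files(parent_dir: Path, child_dir: str) -> dict[str, str]:
    """Map every .yaml file under parent_dir/child_dir to its text; other extensions are skipped."""
    return {str(p): p.read_text(encoding="utf-8")
            for p in sorted((parent_dir / child_dir).rglob("*.yaml"))}

def import_sentinel_queries(yaml_files: dict[str, str], query_type: str) -> list[LocalSentinelQuery]:
    """Parse each YAML text into a LocalSentinelQuery, recording the file and folder it came from."""
    queries = []
    for file_path, text in yaml_files.items():
        # Third-party content: safe_load builds only plain Python types, unlike a full yaml.load.
        data = yaml.safe_load(text) or {}
        path = Path(file_path)
        queries.append(LocalSentinelQuery(
            query_id=str(data.get("id", "")), name=str(data.get("name", "")),
            severity=str(data.get("severity", "")),
            trigger_operator=str(data.get("triggerOperator", "")),
            trigger_threshold=str(data.get("triggerThreshold", "")),  # YAML int -> str, as the class expects
            kind=str(data.get("kind", "")),
            folder_name=path.parent.name, source_file_name=path.name, query_type=query_type,
            query=str(data.get("query", "")), tactics=data.get("tactics") or [],
            entity_mappings=data.get("entityMappings") or [],
        ))
    return queries

def missing_fields(query: LocalSentinelQuery) -> list[str]:
    """Names of required fields left empty; an empty list means the query is complete enough to deploy."""
    required = ("query_id", "name", "severity", "query", "kind")
    return [name for name in required if not getattr(query, name)]

def write_to_yaml(query_list, query_type: str, output_folder: Path) -> bool:
    """Write one YAML file per query under output_folder/query_type; True on success, False on OSError."""
    try:
        target = output_folder / query_type
        target.mkdir(parents=True, exist_ok=True)
        for query in query_list:
            text = yaml.safe_dump(asdict(query), sort_keys=False)
            (target / query.source_file_name).write_text(text, encoding="utf-8")
        return True
    except OSError:
        return False

def run_pipeline() -> dict:
    """Run read -> import -> validate -> write on a temporary tree and report each stage's result."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        repo = root / "Azure-Sentinel-master" / "Detections" / "SigninLogs"
        repo.mkdir(parents=True)
        (repo / "ExampleSignin.yaml").write_text(SAMPLE_DETECTION, encoding="utf-8")
        (repo / "README.md").write_text("not a query\n", encoding="utf-8")  # must be skipped
        files = read_yaml_files(root / "Azure-Sentinel-master", "Detections")
        queries = import_sentinel_queries(files, "Detections")
        write_ok = write_to_yaml(queries, "Detections", root / "out")
        written = sorted(p.name for p in (root / "out" / "Detections").glob("*.yaml"))
        return {"file_count": len(files), "queries": queries, "write_ok": write_ok, "written": written,
                "problems": {q.source_file_name: missing_fields(q) for q in queries}}
```

run_pipeline() builds the same directory shape the extracted archive has (an Azure-Sentinel-master root with a Detections category folder), drops a README.md beside the detection to show it is ignored, and returns the file count, the parsed objects, the per-file list of missing required fields, and the write result, so each stage can be inspected in isolation. Against a real extracted archive, point read_yaml_files at the archive root and use “Hunting Queries” or “Detections” as child_dir, exactly as the functions above document.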