msticpy.context.azure.sentinel_dynamic_summary module

Sentinel Dynamic Summary Mixin class.

class msticpy.context.azure.sentinel_dynamic_summary.SentinelDynamicSummaryMixin(*, connect=False, cloud=None)

Bases: SentinelUtilsMixin

Mixin class with Sentinel Dynamic Summary integrations.

Initialize connector for Azure Python SDK.

Parameters:
  • connect (bool)

  • cloud (str | None)

base_url
check_connected()

Check that Sentinel workspace is connected.

Parameters:

self (Self)

Return type:

None

cloud
compute_client
connect(auth_methods=None, tenant_id=None, *, silent=False, cloud=None, **kwargs)

Authenticate to the Azure SDK.

Parameters:
  • auth_methods (List, optional) – list of preferred authentication methods to use, by default None

  • tenant_id (str, optional) – The tenant to authenticate against. If not supplied, the default tenant for the identity will be used.

  • silent (bool, optional) – Set true to prevent output during auth process, by default False

  • cloud (str, optional) – Which Azure cloud to connect to. By default it attempts to use the cloud setting from the config file; if that is not set it defaults to Azure Public Cloud.

  • **kwargs – Additional keyword arguments to pass to the az_connect function.

  • self (Self)

Raises:

ClientAuthenticationError – If no valid credentials are found or if subscription client can’t be created

Return type:

None

See also

msticpy.auth.azure_auth.az_connect

function to authenticate to Azure SDK

create_dynamic_summary(summary=None, name=None, description=None, data=None, *, summary_id=None, tenant_id=None, azure_tenant_id=None, search_key=None, tactics=None, techniques=None, source_info=None)

Create a Dynamic Summary in the Sentinel Workspace.

Parameters:
  • summary (DynamicSummary) – DynamicSummary instance.

  • name (str) – The name of the dynamic summary to create

  • description (str) – Dynamic Summary description

  • data (pd.DataFrame) – The summary data

  • summary_id (str | None) – Id of the summary object

  • tenant_id (str | None) – Tenant Id of the Sentinel workspace

  • azure_tenant_id (str | None) – Tenant Id of the Sentinel workspace

  • search_key (str, optional) – Search key for the entire summary, by default None

  • tactics (Union[str, List[str], None], optional) – Relevant MITRE tactics, by default None

  • techniques (Union[str, List[str], None], optional) – Relevant MITRE techniques, by default None

  • source_info (str, optional) – Summary source info, by default None

  • self (Self)

Returns:

The name/ID of the dynamic summary.

Return type:

Optional[str]

Raises:

MsticpyAzureConnectionError – If API returns an error.

credentials
delete_dynamic_summary(summary_id)

Delete the Dynamic Summary for summary_id.

Parameters:
  • summary_id (str, optional) – The UUID of the summary to delete.

  • self (Self)

Raises:

MsticpyAzureConnectionError – If the API returns an error.

Return type:

None

df_to_dynamic_summaries()

Return a list of DynamicSummary objects from a DataFrame of summaries.

Parameters:

data (pd.DataFrame) – DataFrame containing dynamic summaries

Returns:

List of Dynamic Summary objects.

Return type:

list[DynamicSummary]

Examples

Use the following steps to obtain a list of dynamic summaries from MS Sentinel and convert them to DynamicSummary objects.

query = """
    DynamicSummary
    | where <some filter criteria>
    | where SummaryStatus == "Active" or SummaryDataType == "SummaryItem"
"""
data = qry_prov.exec_query(query)
dyn_summaries = df_to_dynamic_summaries(data)

df_to_dynamic_summary()

Return a single DynamicSummary object from a DataFrame.

Parameters:

data (pd.DataFrame) – DataFrame containing a single dynamic summary plus summary items.

Returns:

The DynamicSummary object.

Return type:

DynamicSummary

Examples

Use the following steps to query a single dynamic summary from MS Sentinel and convert it to a DynamicSummary object.

query = """
    DynamicSummary
    | where SummaryId == "26b95b5e-2645-4d33-91a7-ea3c1b8b4b8b"
    | where SummaryStatus == "Active" or SummaryDataType == "SummaryItem"
"""
data = qry_prov.exec_query(query)
dyn_summaries = df_to_dynamic_summary(data)

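The two query examples above (for df_to_dynamic_summaries and df_to_dynamic_summary) share one filter: keep rows whose SummaryStatus is "Active" OR whose SummaryDataType is "SummaryItem". The "or" means item rows are returned even when their parent summary is no longer active, so whatever consumes the result has to join items back to a header row. The following is an added illustration, not msticpy code: it applies the same predicate to constructed rows with plain Python and groups them by SummaryId. The column names SummaryId, SummaryStatus and SummaryDataType come from the KQL on this page; the row layout, the "Summary" data-type value, the "Deleted" status value and the other field names are assumptions for the example.

```python
"""Reproduce the DynamicSummary query filter locally (added example, not msticpy code)."""
from collections import defaultdict

# Constructed sample rows. Column names SummaryId/SummaryStatus/SummaryDataType
# are taken from the page's KQL; every value and other column is an assumption.
CONSTRUCTED_ROWS = [
    {"SummaryId": "s-1", "SummaryDataType": "Summary", "SummaryStatus": "Active",
     "SummaryName": "Suspicious sign-ins"},
    {"SummaryId": "s-1", "SummaryDataType": "SummaryItem", "SummaryStatus": "Active",
     "SearchKey": "user1@example.com"},
    {"SummaryId": "s-1", "SummaryDataType": "SummaryItem", "SummaryStatus": "Active",
     "SearchKey": "user2@example.com"},
    {"SummaryId": "s-2", "SummaryDataType": "Summary", "SummaryStatus": "Deleted",
     "SummaryName": "Old triage"},
    {"SummaryId": "s-2", "SummaryDataType": "SummaryItem", "SummaryStatus": "Deleted",
     "SearchKey": "10.0.0.5"},
]


def kql_filter(rows):
    """Same predicate as the KQL: SummaryStatus == "Active" or SummaryDataType == "SummaryItem"."""
    return [
        r for r in rows
        if r.get("SummaryStatus") == "Active" or r.get("SummaryDataType") == "SummaryItem"
    ]


def partition_summaries(rows):
    """Group filtered rows by SummaryId into a header row plus its item rows.

    Returns (complete, orphans): complete maps SummaryId -> {"summary": header, "items": [...]};
    orphans maps SummaryId -> item rows whose header row did not pass the filter
    (the case the "or SummaryDataType == 'SummaryItem'" clause lets through).
    """
    grouped = defaultdict(lambda: {"summary": None, "items": []})
    for row in kql_filter(rows):
        entry = grouped[row["SummaryId"]]
        if row["SummaryDataType"] == "SummaryItem":
            entry["items"].append(row)
        else:
            entry["summary"] = row
    complete = {k: v for k, v in grouped.items() if v["summary"] is not None}
    orphans = {k: v["items"] for k, v in grouped.items() if v["summary"] is None}
    return complete, orphans


def single_summary(rows, summary_id):
    """Mirror the single-summary query: require exactly one active header for summary_id."""
    complete, _ = partition_summaries([r for r in rows if r["SummaryId"] == summary_id])
    if summary_id not in complete:
        raise ValueError(f"no active summary header found for {summary_id}")
    return complete[summary_id]


if __name__ == "__main__":
    complete, orphans = partition_summaries(CONSTRUCTED_ROWS)
    for sid, entry in complete.items():
        print(sid, entry["summary"]["SummaryName"], len(entry["items"]), "items")
    for sid, items in orphans.items():
        print(sid, "orphaned items:", len(items))
```

The orphans bucket is the practical check: if a query returns item rows with no active header, the summary was changed or removed between runs, and those items should not be treated as current findings.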
endpoints
get_dynamic_summary(summary_id, *, summary_items=False)

Return DynamicSummary for ID.

Parameters:
  • summary_id (str) – The ID of the Dynamic summary object.

  • summary_items (bool, optional) – Use a data query to retrieve the dynamic summary along with its summary items (data records), by default False.

  • self (Self)

Returns:

DynamicSummary object.

Return type:

DynamicSummary

Raises:

MsticpyAzureConnectionError – If API returns an error.

get_metrics(metrics, resource_id, sub_id, sample_time='hour', start_time=30)

Return specified metrics on Azure Resource.

Parameters:
  • metrics (str) – A string list of metrics you wish to collect (https://docs.microsoft.com/en-us/azure/azure-monitor/platform/metrics-supported)

  • resource_id (str) – The resource ID of the resource to collect the metrics from

  • sub_id (str) – The subscription ID that the resource is part of

  • sample_time (str (Optional)) – Whether to collect the metrics every hour or every minute; default is hour. Accepted inputs = ‘hour’ or ‘minute’

  • start_time (int (Optional)) – The number of days prior to today to collect metrics for, default is 30

  • self (Self)

Returns:

results – A Dictionary of DataFrames containing the metrics details

Return type:

dict

get_network_details(network_id, sub_id)

Return details related to an Azure network interface and associated NSG.

Parameters:
  • network_id (str) – The ID of the network interface to return details on

  • sub_id (str) – The subscription ID that the network interface is part of

  • self (Self)

Returns:

details – A dictionary of items related to the network interface

Return type:

dict

get_resource_details(sub_id, resource_id=None, resource_details=None)

Return the details of a specific Azure resource.

Parameters:
  • resource_id (str, optional) – The ID of the resource to get details on

  • resource_details (dict, optional) –

    If ID is unknown provide the following details:

    • resource_group_name
    • resource_provider_namespace
    • resource_type
    • resource_name
    • parent_resource_path

  • sub_id (str) – The ID of the subscription to get resources from

  • self (Self)

Returns:

resource_details – The details of the requested resource

Return type:

dict

get_resources(sub_id, rgroup=None, *, get_props=False)

Return details on all resources in a subscription or Resource Group.

Parameters:
  • sub_id (str) – The subscription ID to get resources for

  • rgroup (str (Optional)) – The name of a Resource Group to get resources for

  • get_props (bool (Optional)) – Set to True if you want to get the full properties of every resource. Warning: this may be a slow process depending on the number of resources

  • self (Self)

Returns:

A dataframe of resource details

Return type:

pd.DataFrame

get_sentinel_workspaces(sub_id)

Return a list of Microsoft Sentinel workspaces in a Subscription.

Parameters:
  • sub_id (str) – The subscription ID to get a list of workspaces from. If not provided it will attempt to get sub_id from config files.

  • self (Self)

Returns:

A dictionary of workspace names and ids

Return type:

Dict

get_subscription_info(sub_id)

Get information on a specific subscription.

Parameters:
  • sub_id (str) – The ID of the subscription to return details on.

  • self (Self)

Returns:

Details on the selected subscription.

Return type:

dict

Raises:

MsticpyNotConnectedError – If .connect() has not been called.

get_subscriptions()

Get details of all subscriptions within the tenant.

Returns:

Details of the subscriptions present in the user's tenant.

Return type:

pd.DataFrame

Raises:

MsticpyNotConnectedError – If .connect() has not been called

Parameters:

self (Self)

list_dynamic_summaries()

Return current list of Dynamic Summaries from a Sentinel workspace.

Returns:

The current Dynamic Summary objects.

Return type:

pd.DataFrame

Parameters:

self (Self)

list_sentinel_workspaces(sub_id)

Return a list of Microsoft Sentinel workspaces in a Subscription.

Parameters:
  • sub_id (str) – The subscription ID to get a list of workspaces from. If not provided it will attempt to get sub_id from config files.

  • self (Self)

Returns:

A dictionary of workspace names and ids

Return type:

Dict

monitoring_client
network_client
classmethod new_dynamic_summary(summary_id=None, name=None, description=None, tenant_id=None, azure_tenant_id=None, search_key=None, tactics=None, techniques=None, source_info=None, summary_items=None)

Return a new DynamicSummary object.

Notes

See the DynamicSummary class documentation for details of expected parameters.

See also

DynamicSummary

Parameters:
  • summary_id (str | None)

  • name (str | None)

  • description (str | None)

  • tenant_id (str | None)

  • azure_tenant_id (str | None)

  • search_key (str | None)

  • tactics (str | list[str] | None)

  • techniques (str | list[str] | None)

  • source_info (dict[str, Any] | None)

  • summary_items (pd.DataFrame | Iterable[DynamicSummaryItem] | list[dict[str, Any]] | None)

Return type:

DynamicSummary

resource_client
sent_urls
sub_client
update_dynamic_summary(summary=None, summary_id=None, data=None, *, name=None, description=None, tenant_id=None, azure_tenant_id=None, search_key=None, tactics=None, techniques=None, source_info=None)

Update a dynamic summary in the Sentinel Workspace.

Parameters:
  • summary (DynamicSummary) – DynamicSummary instance.

  • summary_id (str) – The ID of the summary to update.

  • data (pd.DataFrame) – The summary data

  • name (str) – The name of the dynamic summary to create

  • description (str) – Dynamic Summary description

  • relation_name (str, optional) – The relation name, by default None

  • relation_id (str, optional) – The relation ID, by default None

  • search_key (str, optional) – Search key for the entire summary, by default None

  • tactics (Union[str, List[str], None], optional) – Relevant MITRE tactics, by default None

  • techniques (Union[str, List[str], None], optional) – Relevant MITRE techniques, by default None

  • source_info (str, optional) – Summary source info, by default None

  • summary_items (Union[pd.DataFrame, Iterable[DynamicSummaryItem], List[Dict[str, Any]]], optional) – Collection of summary items, by default

  • tenant_id (str | None) – Tenant Id of the Sentinel workspace

  • azure_tenant_id (str | None) – Tenant Id of the Sentinel workspace

  • self (Self)

Returns:

The name/ID of the dynamic summary.

Return type:

Optional[str]

Raises:

url
class msticpy.context.azure.sentinel_dynamic_summary.SentinelQueryProvider(workspace)

Bases: object

Class to encapsulate MS Sentinel data queries.

Initialize Sentinel Provider.

Parameters:

workspace (str)

get_dynamic_summaries(start, end)

Return dynamic summaries for date range.

Parameters:
  • self (Self)

  • start (datetime)

  • end (datetime)

Return type:

pd.DataFrame

get_dynamic_summary(summary_id)

Retrieve dynamic summary from MS Sentinel table.

Parameters:
  • self (Self)

  • summary_id (str)

Return type:

pd.DataFrame