Alerts notebooklets¶

msticnb.nb.azsent.alert.ti_enrich Alert TI enrichment - provides enrichment of alerts with threat intelligence.

Submodules¶

msticnb.nb.azsent.alert.ti_enrich module¶

Alert TI enrichment - provides enrichment of alerts with threat intelligence.

class msticnb.nb.azsent.alert.ti_enrich.EnrichAlerts(data_providers: Optional[msticnb.data_providers.DataProviders] = None, **kwargs)¶

Bases: msticnb.notebooklet.Notebooklet

Alert Enrichment Notebooklet Class.

Enriches Azure Sentinel alerts with TI data.

Intialize a new instance of the notebooklet class.

Parameters:	data_providers (DataProviders, Optional) – Optional DataProviders instance to query data. Most classes require this.
Raises:	`MsticnbDataProviderError` – If DataProviders has not been initialized. If required providers are specified by the notebooklet but are not available.

classmethod all_options() → List[str]¶

Return supported options for Notebooklet run function.

Returns:	Supported options.
Return type:	List[str]

check_table_exists(table: str) → bool¶

Check to see if the table exists in the provider.

Parameters:	table (str) – Table name
Returns:	True if the table exists, otherwise False.
Return type:	bool

check_valid_result_data(attrib: str = None, silent: bool = False) → bool¶

Check that the result is valid and attrib contains data.

Parameters:	attrib (str) – Name of the attribute to check, if None this function only checks for a valid _last_result. silent (bool) – If True, suppress output.
Returns:	Returns True if valid data is available, else False.
Return type:	bool

classmethod default_options() → List[str]¶

Return default options for Notebooklet run function.

Returns:	Supported options.
Return type:	List[str]

classmethod description() → str¶

Return description of the Notebooklet.

Returns:	Description
Return type:	str

classmethod entity_types() → List[str]¶

Entity types supported by the notebooklet.

Returns:	Entity names
Return type:	List[str]

classmethod get_help(fmt='html') → str¶: Return HTML document for class.

get_methods() → Dict[str, Callable[[Any], Any]]¶: Return methods available for this class.

get_pivot_run(get_timespan: Callable[[], msticpy.common.timespan.TimeSpan])¶: Return Pivot-wrappable run function.

get_provider(provider_name: str)¶

Return data provider for the specified name.

Parameters:	provider_name (str) – Name of the provider
Returns:	Provider instance.
Return type:	Any
Raises:	`MsticnbDataProviderError` – If provider is not found.

classmethod get_settings(print_settings=True) → Optional[str]¶

Print or return metadata for class.

Parameters:	print_settings (bool, optional) – Print to standard, by default True or return the str formatted content.
Returns:	If print_settings is True, returns None. If False, returns LF-delimited string of metadata settings.
Return type:	Optional[str]

Notes

Use metadata attribute to retrieve the metadata directly.

classmethod import_cell()¶: Import the text of this module into a new cell.

classmethod keywords() → List[str]¶

Return search keywords for Notebooklet.

Returns:	Keywords
Return type:	List[str]

list_methods() → List[str]¶: Return list of methods with descriptions.

classmethod list_options() → str¶

Return options document for Notebooklet run function.

Returns:	Supported options.
Return type:	List[str]

classmethod match_terms(search_terms: str) → Tuple[bool, int]¶

Search class definition for search_terms.

Parameters:	search_terms (str) – One or more search terms, separated by spaces or commas. Terms can be simple strings or regular expressions.
Returns:	Returns a tuple of bool (True if all terms match) and int (count of matched terms)
Return type:	Tuple[bool, int]

metadata = NBMetadata(name='EnrichAlerts', mod_name='msticnb.nb.azsent.alert.ti_enrich', description='Alert enrichment', default_options=[{'TI': 'Uses TI to enrich alert data. Will use your primary TI providers.'}, {'details': 'Displays a widget allowing you to see more detail about an alert.'}], other_options=[{'secondary': 'Uses secondary TI providers in lookups.'}], inputs=['value'], entity_types=['alert'], keywords=['alert', 'enrich', 'TI', 'windows', 'linux'], req_providers=['LogAnalytics|LocalData', 'tilookup'])¶

module_path = PosixPath('/home/docs/checkouts/readthedocs.org/user_builds/msticnb/checkouts/stable/msticnb/nb/azsent/alert/ti_enrich.py')¶

classmethod name() → str¶

Return name of the Notebooklet.

Returns:	Name
Return type:	str

classmethod print_options()¶: Print options for Notebooklet run function.

result¶

Return result of the most recent notebooklet run.

Returns:	Notebooklet result class or None if nothing has been run.
Return type:	Optional[NotebookletResult]

run(value: Optional[str] = None, data: Optional[pandas.core.frame.DataFrame] = None, timespan: Optional[msticpy.common.timespan.TimeSpan] = None, options: Optional[Iterable[str]] = None, **kwargs) → msticnb.nb.azsent.alert.ti_enrich.TIEnrichResult¶

Return an enriched set of Alerts.

Parameters:	timespan (TimeSpan) – Timespan for queries options (Optional[Iterable[str]], optional) – List of options to use, by default None. A value of None means use default options. Options prefixed with “+” will be added to the default options. To see the list of available options type help(cls) where “cls” is the notebooklet class or an instance of this class. value (Optional[str], optional) – If you want to filter Alerts based on a specific entity specify it as a string. data (Optional[pd.DataFrame], optional) – If you have alerts in a DataFrame you can pass them rather than having the notebooklet query alerts.
Returns:	Result object with attributes for each result type.
Return type:	TIEnrichResult
Raises:	`MsticnbMissingParameterError` – If required parameters are missing `MsticnbDataProviderError` – If data is not avaliable

classmethod show_help()¶: Display Documentation for class.

silent¶

Get the current instance setting for silent running.

Returns:	Silent running is enabled.
Return type:	Optional[bool]

class msticnb.nb.azsent.alert.ti_enrich.TIEnrichResult(description: Optional[str] = None, timespan: Optional[msticpy.common.timespan.TimeSpan] = None, notebooklet: Optional[Notebooklet] = None)¶

Bases: msticnb.notebooklet_result.NotebookletResult

Template Results.

enriched_results¶

Alerts with additional TI enrichment

Type:	pd.DataFrame

picker¶

Alert picker

Type:	SelectAlert

Create new Notebooklet result instance.

Parameters:	description (Optional[str], optional) – Result description, by default None timespan (Optional[TimeSpan], optional) – TimeSpan for the results, by default None notebooklet (Optional[, optional) – Originating notebooklet, by default None

data_properties(empty: bool = False) → List[str]¶: Return list of attributes with populated data.

prop_doc(name) → Tuple[str, str]¶: Get the property documentation for the property.

properties¶: Return names of all properties.

view_events(summary_cols: List[str] = None, attrib: Optional[str] = None, data: Optional[pandas.core.frame.DataFrame] = None, **kwargs) → msticpy.nbtools.nbwidgets.select_item.SelectItem¶

Return simple data view for DataFrame/result attribute.

Parameters:	summary_cols (List[str], optional) – [description] attrib (Optional[str], optional) – [description], by default None data (Optional[pd.DataFrame], optional) – [description], by default None kwargs – Additional keyword arguments passed to the SelectItem widget.
Returns:	Browser for events in DataFrame.
Return type:	SelectItem
Raises:	`AttributeError` – Attribute name not in results class. `TypeError` – Input data or attribute is not a DataFrame `MsticnbMissingParameterError` – One of data or attrib parameters must be supplied `KeyError` – Summary column name specified that isn’t in the DataFrame

vis_properties() → List[str]¶: Return list of properties with visualizations.