Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
Azure
GitHub Repository: Azure/Azure-Sentinel-Notebooks
 Path: blob/master/msticpyconfig.yaml.sample
3249 views
## For details of how to configure settings in this file, please
## see https://msticpy.readthedocs.io/en/latest/getting_started/msticpyconfig.html
##
AzureSentinel:
  Workspaces:
    # Workspace used if you don't explicitly name a workspace when creating WorkspaceConfig
    # Specifying values here overrides config.json settings unless you explictly load
    # WorkspaceConfig with config_file parameter (WorkspaceConfig(config_file="../config.json")
    Default:
      WorkspaceId: "d973e3d2-28e6-458e-b2cf-d38876fb1ba4"
      TenantId: "4cdf87a8-f0fc-40bb-9d85-68bcf4ac8e61"
    # To use these launch with an explicit name - WorkspaceConfig(workspace_name="Workspace2")
    Workspace2:
      WorkspaceId: "c88dd3c2-d657-4eb3-b913-58d58d811a41"
      TenantId: "f1f64e65-ff7c-4d71-ad5b-091b6ab39d51"
    Workspace3:
      WorkspaceId: "17e64332-19c9-472e-afd7-3629f299300c"
      TenantId: "4ea41beb-4546-4fba-890b-55553ce6003a"
QueryDefinitions:
  # Add paths to folders containing custom query definitions here
  Custom:
    - /var/global-queries
    - /home/myuser/queries
    - c:/users/myuser/documents
TIProviders:
  # If a provider has Primary: True it will be run by default on IoC lookups
  # Secondary providers can be 
  OTX:
    Args:
      AuthKey: "4ea41beb-4546-4fba-890b-55553ce6003a"
    Primary: True
    Provider: "OTX"
  VirusTotal:
    Args:
      AuthKey: "4ea41beb-4546-4fba-890b-55553ce6003a"
    Primary: False
    Provider: "VirusTotal"
  XForce:
    # You can store items in an environment variable using this syntax
    Args:
      ApiID:
        EnvironmentVar: "XFORCE_ID"
      AuthKey:
        EnvironmentVar: "XFORCE_KEY"
    Primary: True
    Provider: "XForce"
  AzureSentinel:
    # Note this can be a different workspace/tenant from your main workspace
    # This only controls where the Microsoft Sentinel TI provider looks for the 
    # ThreatIndicator table.
    Args:
      WorkspaceID: "c88dd3c2-d657-4eb3-b913-58d58d811a41"
      TenantID: "f1f64e65-ff7c-4d71-ad5b-091b6ab39d51"
    Primary: True
    Provider: "AzSTI"
  OpenPageRank:
    Args:
      AuthKey: "c88dd3c2-d657-4eb3-b913-58d58d811a41"
    Primary: False
    Provider: "OPR"
  TorExitNodes:
    Primary: True
    Provider: "Tor"
OtherProviders:
  GeoIPLite:
    Args:
      AuthKey: c88dd3c2-d657-4eb3-b913-58d58d811a41
    Provider: GeoLiteLookup
  IPStack:
    Args:
      AuthKey:c88dd3c2-d657-4eb3-b913-58d58d811a41
    Provider: IPStackLookup
DataProviders:
  AzureCLI:
    Args:
      auth_methods: cli # options=[env; msi; cli; interactive]
  Splunk:
    Args:
      host: my-splunk-srv
      username: sp_user
  LocalData:
    data_paths: /home/myuser/.local_data
  Mordor:
    save_folder: /home/myuser/.mordor_cache
    use_cached: True
KeyVault:
  Authority: global
  AzureRegion: Azure region name
  ResourceGroup: MyResourceGroup
  SubscriptionId: c88dd3c2-d657-4eb3-b913-58d58d811a41
  TenantId: c88dd3c2-d657-4eb3-b913-58d58d811a41
  UseKeyring: true
  VaultName: my-vault-name
UserDefaults:
  # List of query providers to load
  QueryProviders:
    AzureSentinel:
      Default:
        alias: asi
        connect: False
      CyberSoc:
        alias: soc
        connect: False
    Splunk:
      connect: False
    LocalData:
      alias: local
  # List of other providers/components to load
  LoadComponents:
    TILookup:
    GeoIpLookup:
      provider: GeoLiteLookup
    Notebooklets:
      query_provider:
        LocalData:
          workspace: CyberSoc
          some_param: some_value
    Pivot:
    AzureData:
      auth_methods: ['cli','interactive']
      connect: False
    AzureSentinelAPI:
      auth_methods: ['env','interactive']
      connect: False