Azure Management SecurityInsight SDK for Python

Overview
Installation
Authentication
Client Class
Operation Groups
Key Model Classes
Important Enums
Usage Examples
Dependencies
Additional Resources

Overview

The Azure Management SecurityInsight SDK for Python provides tools for managing Azure Sentinel (Microsoft Sentinel) resources, including incidents, alert rules, data connectors, bookmarks, watchlists, and other security-related resources.

Installation

pip install azure-mgmt-securityinsight

Authentication

from azure.identity import DefaultAzureCredential
from azure.mgmt.securityinsight import SecurityInsights

# Initialize the client
client = SecurityInsights(
    credential=DefaultAzureCredential(),
    subscription_id="your-subscription-id"
)

Client Class

SecurityInsights

Primary client class for interacting with Microsoft Sentinel.

SecurityInsights(credential, subscription_id, base_url="https://management.azure.com", **kwargs)

Parameter	Type	Description
`credential`	TokenCredential	Required. Azure authentication credential.
`subscription_id`	str	Required. Azure subscription ID.
`base_url`	str	Optional. Service URL. Default is "https://management.azure.com".

Method	Description
`close()`	Closes the client connection.

Operation Groups

The client exposes various operation groups as properties, each focusing on a specific resource type.

Alert Rules Management

AlertRulesOperations

Method	Description
`create_or_update(resource_group_name, workspace_name, rule_id, alert_rule)`	Creates or updates an alert rule.
`delete(resource_group_name, workspace_name, rule_id)`	Deletes an alert rule.
`get(resource_group_name, workspace_name, rule_id)`	Gets a specific alert rule.
`list(resource_group_name, workspace_name)`	Lists all alert rules.

AlertRuleTemplatesOperations

Method	Description
`get(resource_group_name, workspace_name, template_id)`	Gets a specific alert rule template.
`list(resource_group_name, workspace_name)`	Lists all alert rule templates.

ActionsOperations

Method	Description
`create_or_update(resource_group_name, workspace_name, rule_id, action_id, action)`	Creates or updates an action.
`delete(resource_group_name, workspace_name, rule_id, action_id)`	Deletes an action.
`get(resource_group_name, workspace_name, rule_id, action_id)`	Gets a specific action.
`list(resource_group_name, workspace_name, rule_id)`	Lists all actions for an alert rule.

AutomationRulesOperations

Method	Description
`create_or_update(resource_group_name, workspace_name, rule_id, automation_rule)`	Creates or updates an automation rule.
`delete(resource_group_name, workspace_name, rule_id)`	Deletes an automation rule.
`get(resource_group_name, workspace_name, rule_id)`	Gets a specific automation rule.
`list(resource_group_name, workspace_name)`	Lists all automation rules.

Bookmarks Management

BookmarksOperations

Method	Description
`create_or_update(resource_group_name, workspace_name, bookmark_id, bookmark)`	Creates or updates a bookmark.
`delete(resource_group_name, workspace_name, bookmark_id)`	Deletes a bookmark.
`get(resource_group_name, workspace_name, bookmark_id)`	Gets a specific bookmark.
`list(resource_group_name, workspace_name)`	Lists all bookmarks.

BookmarkRelationsOperations

Method	Description
`create_or_update(resource_group_name, workspace_name, bookmark_id, relation_name, relation)`	Creates or updates a bookmark relation.
`delete(resource_group_name, workspace_name, bookmark_id, relation_name)`	Deletes a bookmark relation.
`get(resource_group_name, workspace_name, bookmark_id, relation_name)`	Gets a specific bookmark relation.
`list(resource_group_name, workspace_name, bookmark_id)`	Lists all relations for a bookmark.

Data Sources Management

DataConnectorsOperations

Method	Description
`create_or_update(resource_group_name, workspace_name, connector_id, connector)`	Creates or updates a data connector.
`delete(resource_group_name, workspace_name, connector_id)`	Deletes a data connector.
`get(resource_group_name, workspace_name, connector_id)`	Gets a specific data connector.
`list(resource_group_name, workspace_name)`	Lists all data connectors.

DataConnectorsCheckRequirementsOperations

Method	Description
`check(resource_group_name, workspace_name, connector_kind)`	Checks requirements for a connector kind.

Entity Management

EntitiesOperations

Method	Description
`expand(resource_group_name, workspace_name, entities)`	Expands entity information.
`get(resource_group_name, workspace_name, entity_id, entity_types=None)`	Gets a specific entity.

EntitiesGetTimelineOperations

Method	Description
`post(resource_group_name, workspace_name, entity_id, parameters)`	Gets a timeline for an entity.

EntitiesRelationsOperations

Method	Description
`get(resource_group_name, workspace_name, entity_id, relation_name)`	Gets a specific entity relation.
`list(resource_group_name, workspace_name, entity_id)`	Lists all relations for an entity.

File Management

FileImportsOperations

Method	Description
`create_or_update(resource_group_name, workspace_name, file_import_id, file_import)`	Creates or updates a file import.
`delete(resource_group_name, workspace_name, file_import_id)`	Deletes a file import.
`get(resource_group_name, workspace_name, file_import_id)`	Gets a specific file import.
`list(resource_group_name, workspace_name)`	Lists all file imports.

Incident Management

IncidentsOperations

Method	Description
`create_or_update(resource_group_name, workspace_name, incident_id, incident)`	Creates or updates an incident.
`create_team(resource_group_name, workspace_name, incident_id, team_properties)`	Creates a Microsoft Team for incident collaboration.
`delete(resource_group_name, workspace_name, incident_id)`	Deletes an incident.
`get(resource_group_name, workspace_name, incident_id)`	Gets a specific incident.
`list(resource_group_name, workspace_name, filter=None, orderby=None, top=None, skip_token=None)`	Lists all incidents.
`list_alerts(resource_group_name, workspace_name, incident_id)`	Gets all alerts related to an incident.
`list_bookmarks(resource_group_name, workspace_name, incident_id)`	Gets all bookmarks related to an incident.
`list_entities(resource_group_name, workspace_name, incident_id)`	Gets all entities related to an incident.
`run_playbook(resource_group_name, workspace_name, incident_identifier, request_body=None)`	Triggers a playbook on an incident.

IncidentCommentsOperations

Method	Description
`create_or_update(resource_group_name, workspace_name, incident_id, incident_comment_id, incident_comment)`	Creates or updates a comment.
`delete(resource_group_name, workspace_name, incident_id, incident_comment_id)`	Deletes a comment.
`get(resource_group_name, workspace_name, incident_id, incident_comment_id)`	Gets a specific comment.
`list(resource_group_name, workspace_name, incident_id)`	Lists all comments for an incident.

IncidentTasksOperations

Method	Description
`create_or_update(resource_group_name, workspace_name, incident_id, incident_task_id, incident_task)`	Creates or updates a task.
`delete(resource_group_name, workspace_name, incident_id, incident_task_id)`	Deletes a task.
`get(resource_group_name, workspace_name, incident_id, incident_task_id)`	Gets a specific task.
`list(resource_group_name, workspace_name, incident_id)`	Lists all tasks for an incident.

IncidentRelationsOperations

Method	Description
`create_or_update(resource_group_name, workspace_name, incident_id, relation_name, relation)`	Creates or updates a relation.
`delete(resource_group_name, workspace_name, incident_id, relation_name)`	Deletes a relation.
`get(resource_group_name, workspace_name, incident_id, relation_name)`	Gets a specific relation.
`list(resource_group_name, workspace_name, incident_id)`	Lists all relations for an incident.

Threat Intelligence Management

ThreatIntelligenceIndicatorsOperations

Method	Description
`create_or_update(resource_group_name, workspace_name, indicator_name, indicator)`	Creates or updates an indicator.
`delete(resource_group_name, workspace_name, indicator_name)`	Deletes an indicator.
`get(resource_group_name, workspace_name, indicator_name)`	Gets a specific indicator.
`list(resource_group_name, workspace_name)`	Lists all threat intelligence indicators.

ThreatIntelligenceIndicatorMetricsOperations

Method	Description
`collect(resource_group_name, workspace_name, filtering_criteria=None)`	Collects metrics for threat intelligence indicators.

Watchlists Management

WatchlistsOperations

Method	Description
`create_or_update(resource_group_name, workspace_name, watchlist_alias, watchlist)`	Creates or updates a watchlist.
`delete(resource_group_name, workspace_name, watchlist_alias)`	Deletes a watchlist.
`get(resource_group_name, workspace_name, watchlist_alias)`	Gets a specific watchlist.
`list(resource_group_name, workspace_name)`	Lists all watchlists.

WatchlistItemsOperations

Method	Description
`create_or_update(resource_group_name, workspace_name, watchlist_alias, watchlist_item_id, watchlist_item)`	Creates or updates a watchlist item.
`delete(resource_group_name, workspace_name, watchlist_alias, watchlist_item_id)`	Deletes a watchlist item.
`get(resource_group_name, workspace_name, watchlist_alias, watchlist_item_id)`	Gets a specific watchlist item.
`list(resource_group_name, workspace_name, watchlist_alias)`	Lists all items in a watchlist.

Additional Operations

DomainWhoisOperations

Method	Description
`get(resource_group_name, workspace_name, domain)`	Gets WHOIS data for a domain.

IPGeodataOperations

Method	Description
`get(resource_group_name, workspace_name, ip)`	Gets geolocation data for an IP address.

MetadataOperations

Method	Description
`delete(resource_group_name, workspace_name, metadata_id)`	Deletes metadata.
`get(resource_group_name, workspace_name, metadata_id)`	Gets specific metadata.
`list(resource_group_name, workspace_name)`	Lists all metadata.
`patch(resource_group_name, workspace_name, metadata_id, metadata_patch)`	Updates metadata.
`put(resource_group_name, workspace_name, metadata_id, metadata)`	Creates or updates metadata.

OfficeConsentsOperations

Method	Description
`create_or_update(resource_group_name, workspace_name, consent_id, office_consent)`	Creates or updates an office consent.
`delete(resource_group_name, workspace_name, consent_id)`	Deletes an office consent.
`get(resource_group_name, workspace_name, consent_id)`	Gets a specific office consent.
`list(resource_group_name, workspace_name)`	Lists all office consents.

SecurityMLAnalyticsSettingsOperations

Method	Description
`create_or_update(resource_group_name, workspace_name, setting_name, setting)`	Creates or updates an ML analytics setting.
`delete(resource_group_name, workspace_name, setting_name)`	Deletes an ML analytics setting.
`get(resource_group_name, workspace_name, setting_name)`	Gets a specific ML analytics setting.
`list(resource_group_name, workspace_name)`	Lists all ML analytics settings.

SentinelOnboardingStatesOperations

Method	Description
`create_or_update(resource_group_name, workspace_name, sentinel_onboarding_state_id, onboarding_state)`	Creates or updates an onboarding state.
`delete(resource_group_name, workspace_name, sentinel_onboarding_state_id)`	Deletes an onboarding state.
`get(resource_group_name, workspace_name, sentinel_onboarding_state_id)`	Gets a specific onboarding state.
`list(resource_group_name, workspace_name)`	Lists all onboarding states.

SourceControlsOperations

Method	Description
`create_or_update(resource_group_name, workspace_name, source_control_id, source_control)`	Creates or updates a source control.
`delete(resource_group_name, workspace_name, source_control_id)`	Deletes a source control.
`get(resource_group_name, workspace_name, source_control_id)`	Gets a specific source control.
`list(resource_group_name, workspace_name)`	Lists all source controls.

Key Model Classes

Incident

Property	Type	Description
`classification`	IncidentClassification	Incident classification (Undetermined, TruePositive, BenignPositive, FalsePositive).
`classification_comment`	str	Comment explaining the classification.
`classification_reason`	str	Reason for the classification.
`description`	str	The description of the incident.
`etag`	str	ETag for optimistic concurrency control.
`first_activity_time_utc`	datetime	Time of the first activity in the incident.
`labels`	List[IncidentLabel]	List of labels relevant to the incident.
`last_activity_time_utc`	datetime	Time of the last activity in the incident.
`owner`	IncidentOwnerInfo	Information about the incident assignee.
`severity`	IncidentSeverity	Incident severity (High, Medium, Low, Informational).
`status`	IncidentStatus	Incident status (New, Active, Closed).
`title`	str	The title of the incident.

AlertRule Types

Alert Rule Type	Description
`FusionAlertRule`	Rules that use Fusion technology to detect advanced threats.
`MLBehaviorAnalyticsAlertRule`	Machine learning-based behavioral analytics.
`MicrosoftSecurityIncidentCreationAlertRule`	Creates incidents from Microsoft security alerts.
`NrtAlertRule`	Near-real-time alert rules for faster detection.
`ScheduledAlertRule`	Rules that run on a schedule with KQL queries.
`ThreatIntelligenceAlertRule`	Rules based on threat intelligence.

Entity Types

Entity Type	Description
`AccountEntity`	User account entities.
`AzureResourceEntity`	Azure resource entities.
`CloudApplicationEntity`	Cloud application entities.
`FileEntity`	File entities.
`FileHashEntity`	File hash entities.
`HostEntity`	Computer/device entities.
`IoTDeviceEntity`	IoT device entities.
`IPEntity`	IP address entities.
`MailboxEntity`	Email mailbox entities.
`MailClusterEntity`	Email cluster entities.
`MailMessageEntity`	Email message entities.
`MalwareEntity`	Malware entities.
`ProcessEntity`	Running process entities.
`RegistryKeyEntity`	Registry key entities.
`RegistryValueEntity`	Registry value entities.
`SecurityGroupEntity`	Security group entities.
`UrlEntity`	URL entities.

DataConnector Types

Data Connector Type	Description
`AADDataConnector`	Azure Active Directory data connector.
`ASCDataConnector`	Azure Security Center data connector.
`AwsCloudTrailDataConnector`	AWS CloudTrail data connector.
`AwsS3DataConnector`	AWS S3 data connector.
`CodelessApiPollingDataConnector`	Codeless API polling data connector.
`CodelessUiDataConnector`	Codeless UI data connector.
`Dynamics365DataConnector`	Dynamics 365 data connector.
`MDATPDataConnector`	Microsoft Defender ATP data connector.
`MCASDataConnector`	Microsoft Cloud App Security data connector.
`OfficeDataConnector`	Office 365 data connector.
`TIDataConnector`	Threat Intelligence data connector.
`TiTaxiiDataConnector`	TAXII Threat Intelligence data connector.

AutomationRule

Property	Type	Description
`actions`	List[AutomationRuleAction]	The actions to perform when the rule is triggered.
`display_name`	str	The display name of the automation rule.
`enabled`	bool	Whether the rule is enabled.
`order`	int	The order of the automation rule.
`triggering_logic`	AutomationRuleTriggeringLogic	The conditions that trigger the automation rule.

Watchlist

Property	Type	Description
`description`	str	The description of the watchlist.
`display_name`	str	The display name of the watchlist.
`items_search_key`	str	The key to search for items in the watchlist.
`provider`	str	The provider of the watchlist.
`source`	str	The source of the watchlist data.

Bookmark

Property	Type	Description
`created_by`	UserInfo	Information about who created the bookmark.
`display_name`	str	The display name of the bookmark.
`labels`	List[str]	Labels associated with the bookmark.
`notes`	str	Notes about the bookmark.
`query`	str	The query that defines the bookmark.
`query_result`	str	The result of the query.

Important Enums

IncidentSeverity

Value	Description
`High`	High severity.
`Informational`	Informational severity.
`Low`	Low severity.
`Medium`	Medium severity.

IncidentStatus

Value	Description
`Active`	Incident being investigated.
`Closed`	Resolved incident.
`New`	New incident.

IncidentClassification

Value	Description
`BenignPositive`	Suspicious but not malicious.
`FalsePositive`	False positive.
`TruePositive`	Confirmed malicious activity.
`Undetermined`	Undetermined classification.

AlertRuleKind

Value	Description
`Fusion`	Fusion alerts (advanced correlation).
`MLBehaviorAnalytics`	Machine learning behavior analytics alerts.
`MicrosoftSecurityIncidentCreation`	Microsoft security alerts.
`NRT`	Near-real-time alerts.
`Scheduled`	Scheduled query rules.
`ThreatIntelligence`	Threat intelligence alerts.

EntityKind

Value	Description
`Account`	User accounts.
`AzureResource`	Azure resources.
`CloudApplication`	Cloud applications.
`File`	Files.
`FileHash`	File hashes.
`Host`	Computers and devices.
`IP`	IP addresses.
`IoTDevice`	IoT devices.
`Mailbox`	Email mailboxes.
`MailCluster`	Email clusters.
`MailMessage`	Email messages.
`Malware`	Malware.
`Process`	Processes.
`RegistryKey`	Registry keys.
`RegistryValue`	Registry values.
`SecurityGroup`	Security groups.
`URL`	Web URLs.

DataConnectorKind

Value	Description
`AmazonWebServicesCloudTrail`	AWS CloudTrail connector.
`AmazonWebServicesS3`	AWS S3 connector.
`APIPolling`	API polling connector.
`AzureActiveDirectory`	Azure AD connector.
`AzureAdvancedThreatProtection`	Azure ATP connector.
`AzureSecurityCenter`	Azure Security Center connector.
`Dynamics365`	Dynamics 365 connector.
`GenericUI`	Generic UI connector.
`IOT`	IoT connector.
`MicrosoftCloudAppSecurity`	Microsoft Cloud App Security connector.
`MicrosoftDefenderAdvancedThreatProtection`	Microsoft Defender ATP connector.
`MicrosoftThreatIntelligence`	Microsoft Threat Intelligence connector.
`MicrosoftThreatProtection`	Microsoft Threat Protection connector.
`Office365`	Office 365 connector.
`Office365Project`	Office 365 Project connector.
`OfficeATP`	Office ATP connector.
`OfficeIRM`	Office IRM connector.
`OfficePowerBI`	Office Power BI connector.
`ThreatIntelligence`	Threat Intelligence connector.
`ThreatIntelligenceTaxii`	TAXII Threat Intelligence connector.

Usage Examples

Example: Initialize the Client

from azure.identity import DefaultAzureCredential
from azure.mgmt.securityinsight import SecurityInsights

# Authenticate using default credentials
credential = DefaultAzureCredential()
subscription_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"

# Initialize the client
client = SecurityInsights(
    credential=credential,
    subscription_id=subscription_id
)

Example: List All Incidents

# List all incidents in a workspace
incidents = client.incidents.list(
    resource_group_name="myResourceGroup",
    workspace_name="myWorkspace"
)

for incident in incidents:
    print(f"Incident: {incident.name}, Status: {incident.properties.status}, Severity: {incident.properties.severity}")

Example: Create or Update an Incident

# Create or update an incident
response = client.incidents.create_or_update(
    resource_group_name="myResourceGroup",
    workspace_name="myWorkspace",
    incident_id="incident-guid",
    incident={
        "properties": {
            "title": "Security Incident",
            "description": "Suspicious activity detected",
            "severity": "High",
            "status": "New",
            "owner": {
                "objectId": "user-or-group-guid"
            },
            "firstActivityTimeUtc": "2023-01-01T00:00:00Z",
            "lastActivityTimeUtc": "2023-01-02T00:00:00Z",
        }
    }
)

Example: Create a Scheduled Alert Rule

# Create a scheduled alert rule
response = client.alert_rules.create_or_update(
    resource_group_name="myResourceGroup",
    workspace_name="myWorkspace",
    rule_id="rule-guid",
    alert_rule={
        "kind": "Scheduled",
        "properties": {
            "displayName": "Suspicious Activity Detection",
            "description": "Detects suspicious login attempts",
            "severity": "Medium",
            "enabled": True,
            "query": "SecurityEvent | where EventID == 4624",
            "queryFrequency": "PT1H",
            "queryPeriod": "PT1H",
            "triggerOperator": "GreaterThan",
            "triggerThreshold": 0,
            "tactics": ["InitialAccess", "Execution"],
            "incidentConfiguration": {
                "createIncident": True,
                "groupingConfiguration": {
                    "enabled": True,
                    "matchingMethod": "AllEntities",
                    "groupByEntities": ["Account", "IP"]
                }
            }
        }
    }
)

Example: Create an Office 365 Data Connector

# Create an Office 365 data connector
response = client.data_connectors.create_or_update(
    resource_group_name="myResourceGroup",
    workspace_name="myWorkspace",
    data_connector_id="connector-guid",
    connector={
        "kind": "Office365",
        "properties": {
            "tenantId": "tenant-guid",
            "dataTypes": {
                "exchange": {"state": "Enabled"},
                "sharePoint": {"state": "Enabled"},
                "teams": {"state": "Enabled"}
            }
        }
    }
)

Example: Create a Watchlist

# Create a watchlist
response = client.watchlists.create_or_update(
    resource_group_name="myResourceGroup",
    workspace_name="myWorkspace",
    watchlist_alias="HighValueAssets",
    watchlist={
        "properties": {
            "displayName": "High Value Assets",
            "source": "Local file",
            "itemsSearchKey": "Hostname",
            "description": "List of high value assets"
        }
    }
)

# Add an item to the watchlist
response = client.watchlist_items.create_or_update(
    resource_group_name="myResourceGroup",
    workspace_name="myWorkspace",
    watchlist_alias="HighValueAssets",
    watchlist_item_id="item-guid",
    watchlist_item={
        "properties": {
            "itemsKeyValue": "server001",
            "properties": {
                "Hostname": "server001",
                "IPAddress": "10.0.0.1",
                "Owner": "IT Department",
                "Classification": "Critical"
            }
        }
    }
)

Example: Work with Entities

# Get a specific entity
entity = client.entities.get(
    resource_group_name="myResourceGroup",
    workspace_name="myWorkspace",
    entity_id="entity-guid",
    entity_types=["Account", "Host"]
)

print(f"Entity: {entity.name}, Kind: {entity.kind}")

# Expand entity information
expanded_entity = client.entities.expand(
    resource_group_name="myResourceGroup",
    workspace_name="myWorkspace",
    entities={
        "entities": [
            {
                "id": "entity-guid",
                "kind": "Account"
            }
        ]
    }
)

Dependencies

Dependency	Description
`azure-core`	Core functionality and HTTP pipeline.
`azure-identity`	Authentication (recommended).
`azure-mgmt-core`	ARM client functionality.

dstreefkerk/azure-mgmt-securityinsight-api-reference.md