class documentation

class msiempy.Alarm(NitroDict): (source)


Dict-Like object. Represents a triggered alarm.

Common keys:
  • id : The ID of the triggered alarm
  • summary : The summary of the triggered alarm
  • assignee : The assignee for this triggered alarm
  • severity : The severity for this triggered alarm
  • triggeredDate : The date this alarm was triggered
  • acknowledgedDate : The date this triggered alarm was acknowledged
  • acknowledgedUsername : The user that acknowledged this triggered alarm
  • alarmName : The name of the alarm that was triggered
  • events : The events that triggered the alarm
  • And others
See:
Object AlarmManager
Method __init__ Create a new alarm representation
Class Variable POSSIBLE_ALARM_STATUS Possible alarm statuses: "acknowledged", "unacknowledged" or "" (empty string).
Class Variable ALARM_EVENT_FILTER_FIELDS A few Event field names that can automatically be added as event filters when passed to AlarmManager()'s filter argument. See msiempy.event.Event.
Class Variable ALARM_DEFAULT_FIELDS Just a list of regular fields.
Method acknowledge Mark the alarm as acknowledged.
Method unacknowledge Mark the alarm as unacknowledged.
Method delete Delete the alarm.
Method ceate_case Not implemented: TODO
Method load_details Update the alarm with detailed data loaded from the SIEM.
Method refresh Update the alarm with detailed data loaded from the SIEM. Same as load_details.
Method load_events Retrieve the complete triggering Event object(s) for an Alarm. This method is called automatically by default when calling load_data().
Class Variable ALARM_FIELDS_MAP List of all possible Alarm fields. Used only when the private API is used to retrieve alarm information, to change the original (UPPERCASE) key names to more explicit ones matching the public API names.
Method map_alarm_int_fields Map the internal ESM field names to msiempy style with msiempy.alarm.Alarm.ALARM_FIELDS_MAP. Converts "T" and "F" to True and False and handles None values.
Method data_from_id Gets the alarm parameters based on an ID.
Method get_id Return the alarm ID.

Inherited from NitroDict:

Instance Variable data Underlying dict object
Method __str__ str(obj) -> return text string.
Method __repr__ repr(obj) -> return json string.
Method json JSON representation of an item
Method text Text list of item's values

Inherited from NitroObject (via NitroDict):

Class NitroJSONEncoder Custom JSON encoder that uses the appropriate property depending on the type of NitroObject. TODO: support JSON dumping of QueryFilters, maybe by making them inherit from NitroDict.
Instance Variable nitro msiempy.core.session.NitroSession object. Interface to the SIEM.
def __init__(self, *arg, **kwargs): (source)

Create a new alarm representation

Arguments:
  • adict: Alarm parameters
  • id: The ID of the alarm to instantiate. Its information will be loaded.
POSSIBLE_ALARM_STATUS = (source)
Possible alarm statuses: "acknowledged", "unacknowledged" or "" (empty string).
(type: List)
ALARM_EVENT_FILTER_FIELDS = (source)
A few Event field names that can automatically be added as event filters when passed to AlarmManager()'s filter argument. See msiempy.event.Event.
(type: List[str])
ALARM_DEFAULT_FIELDS = (source)
Just a list of regular fields.
(type: List[str])
def acknowledge(self): (source)
Mark the alarm as acknowledged.
def unacknowledge(self): (source)
Mark the alarm as unacknowledged.
def delete(self): (source)

Delete the alarm.

Warning:
Destructive action
def ceate_case(self): (source)
Not implemented: TODO
def load_details(self): (source)
Update the alarm with detailed data loaded from the SIEM.
def refresh(self): (source)
Update the alarm with detailed data loaded from the SIEM. Same as load_details.
def load_events(self, use_query=(False), extra_fields=[], workers=1): (source)

Retrieve the complete triggering Event object(s) for an Alarm. This method is called automatically by default when calling load_data().

Arguments:
  • use_query (bool): Uses the query module to retrieve the event(s) data. Only works with SIEM v11.2 or greater.
    The default behaviour calls ipsGetAlertData to retrieve the complete event definition.
  • extra_fields (list[str]): Only when use_query=True. Additional event fields to load in the query. See: EventManager
  • workers (int): The number of asynchronous workers.
Warning:
On SIEM v10.X, this method will only load the details of the first triggering event.
ALARM_FIELDS_MAP = (source)
List of all possible Alarm fields. Used only when the private API is used to retrieve alarm information, to change the original (UPPERCASE) key names to more explicit ones matching the public API names.
(type: Dict)
def map_alarm_int_fields(self, alarm_details): (source)
Map the internal ESM field names to msiempy style with msiempy.alarm.Alarm.ALARM_FIELDS_MAP. Converts "T" and "F" to True and False and handles None values.
def data_from_id(self, id, use_priv=(False)): (source)

Gets the alarm parameters based on an ID.

Arguments:
  • use_priv (bool): Use the private API methods to retrieve the info; they are used anyway with ESM v10.x because that is the only way to get the triggering event ID. Will only load the details of the first triggering event.
Note:
It replaces empty strings with None.
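The normalization that map_alarm_int_fields and data_from_id describe (UPPERCASE private-API keys renamed to public-API style names, "T"/"F" turned into booleans, empty strings and None handled) can be reproduced stand-alone. The block below is an added example, not msiempy's own code; SAMPLE_FIELDS_MAP and SAMPLE_RAW are constructed values, since the real ALARM_FIELDS_MAP contents are not shown on this page.

```python
from typing import Any, Dict

# Constructed sample mapping: internal UPPERCASE key -> public-API style name.
# msiempy's real ALARM_FIELDS_MAP is not reproduced here.
SAMPLE_FIELDS_MAP: Dict[str, str] = {
    "ID": "id",
    "SUMMARY": "summary",
    "ASSIGNEE": "assignee",
    "SEVERITY": "severity",
    "TRIGGERED_DATE": "triggeredDate",
    "ACKNOWLEDGED": "acknowledged",  # hypothetical "T"/"F" flag field
}

# Constructed sample record in the private-API (UPPERCASE) shape.
SAMPLE_RAW: Dict[str, Any] = {
    "ID": 12345,
    "SUMMARY": "Brute force login attempt",
    "ASSIGNEE": "",        # empty string: should become None
    "SEVERITY": 75,
    "TRIGGERED_DATE": "11/18/2020 14:02:21",
    "ACKNOWLEDGED": "F",   # "F": should become False
    "UNKNOWN_KEY": "T",    # not in the map: name kept, value still converted
}


def normalize_alarm_fields(raw: Dict[str, Any],
                           fields_map: Dict[str, str]) -> Dict[str, Any]:
    """Return a new dict with mapped key names and normalized values.

    Keys absent from fields_map are kept under their original name so that
    no data is silently dropped when the ESM returns an unexpected field.
    """
    out: Dict[str, Any] = {}
    for key, value in raw.items():
        name = fields_map.get(key, key)
        if value is None or value == "":
            out[name] = None          # empty string and None both map to None
        elif value == "T":
            out[name] = True
        elif value == "F":
            out[name] = False
        else:
            out[name] = value         # numbers, dates and free text untouched
    return out


if __name__ == "__main__":
    print(normalize_alarm_fields(SAMPLE_RAW, SAMPLE_FIELDS_MAP))
```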
def get_id(self): (source)
Return the alarm ID.
API Documentation for msiempy, generated by pydoctor 20.7.1 at 2020-11-18 14:02:21.