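## For details of how to configure settings in this file, please
## see https://msticpy.readthedocs.io/en/latest/getting_started/msticpyconfig.html
##
## All AuthKeys and GUIDs below are sample placeholders. For real keys prefer the
## EnvironmentVar form (see the XForce entry) or the KeyVault section instead of
## storing the value inline in a file that may be committed to source control.
---
AzureSentinel:
  Workspaces:
    # Workspace used if you don't explicitly name a workspace when creating WorkspaceConfig
    # Specifying values here overrides config.json settings unless you explicitly load
    # WorkspaceConfig with config_file parameter (WorkspaceConfig(config_file="../config.json"))
    Default:
      WorkspaceId: "d973e3d2-28e6-458e-b2cf-d38876fb1ba4"
      TenantId: "4cdf87a8-f0fc-40bb-9d85-68bcf4ac8e61"
    # To use these launch with an explicit name - WorkspaceConfig(workspace_name="Workspace2")
    Workspace2:
      WorkspaceId: "c88dd3c2-d657-4eb3-b913-58d58d811a41"
      TenantId: "f1f64e65-ff7c-4d71-ad5b-091b6ab39d51"
    Workspace3:
      WorkspaceId: "17e64332-19c9-472e-afd7-3629f299300c"
      TenantId: "4ea41beb-4546-4fba-890b-55553ce6003a"

QueryDefinitions:
  # Add paths to folders containing custom query definitions here
  Custom:
    - /var/global-queries
    - /home/myuser/queries
    - c:/users/myuser/documents

TIProviders:
  # If a provider has Primary: true it will be run by default on IoC lookups.
  # Providers with Primary: false (secondary) are only run when explicitly requested.
  OTX:
    Args:
      AuthKey: "4ea41beb-4546-4fba-890b-55553ce6003a"
    Primary: true
    Provider: "OTX"
  VirusTotal:
    Args:
      AuthKey: "4ea41beb-4546-4fba-890b-55553ce6003a"
    Primary: false
    Provider: "VirusTotal"
  XForce:
    # You can store items in an environment variable using this syntax
    Args:
      ApiID:
        EnvironmentVar: "XFORCE_ID"
      AuthKey:
        EnvironmentVar: "XFORCE_KEY"
    Primary: true
    Provider: "XForce"
  AzureSentinel:
    # Note this can be a different workspace/tenant from your main workspace
    # This only controls where the Microsoft Sentinel TI provider looks for the
    # ThreatIndicator table.
    Args:
      WorkspaceID: "c88dd3c2-d657-4eb3-b913-58d58d811a41"
      TenantID: "f1f64e65-ff7c-4d71-ad5b-091b6ab39d51"
    Primary: true
    Provider: "AzSTI"
  OpenPageRank:
    Args:
      AuthKey: "c88dd3c2-d657-4eb3-b913-58d58d811a41"
    Primary: false
    Provider: "OPR"
  TorExitNodes:
    Primary: true
    Provider: "Tor"

OtherProviders:
  GeoIPLite:
    Args:
      AuthKey: "c88dd3c2-d657-4eb3-b913-58d58d811a41"
    Provider: GeoLiteLookup
  IPStack:
    Args:
      # A space after the colon is required; "AuthKey:<value>" is parsed as a
      # single scalar and the key is silently lost.
      AuthKey: "c88dd3c2-d657-4eb3-b913-58d58d811a41"
    Provider: IPStackLookup

DataProviders:
  AzureCLI:
    Args:
      auth_methods: cli  # options=[env; msi; cli; interactive]
  Splunk:
    Args:
      host: my-splunk-srv
      username: sp_user
  LocalData:
    data_paths: /home/myuser/.local_data
  Mordor:
    save_folder: /home/myuser/.mordor_cache
    use_cached: true

KeyVault:
  Authority: global
  # Placeholder - replace with the region name of your Key Vault
  AzureRegion: "Azure region name"
  ResourceGroup: MyResourceGroup
  SubscriptionId: "c88dd3c2-d657-4eb3-b913-58d58d811a41"
  TenantId: "c88dd3c2-d657-4eb3-b913-58d58d811a41"
  UseKeyring: true
  VaultName: my-vault-name

UserDefaults:
  # List of query providers to load
  QueryProviders:
    AzureSentinel:
      Default:
        alias: asi
        connect: false
      CyberSoc:
        alias: soc
        connect: false
    Splunk:
      connect: false
    LocalData:
      alias: local
  # List of other providers/components to load
  LoadComponents:
    # A component listed with no value is loaded without arguments
    TILookup:
    GeoIpLookup:
      provider: GeoLiteLookup
    Notebooklets:
      query_provider:
        LocalData:
          workspace: CyberSoc
          some_param: some_value
    Pivot:
    AzureData:
      auth_methods: ["cli", "interactive"]
      connect: false
    AzureSentinelAPI:
      auth_methods: ["env", "interactive"]
      connect: false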