microsoft / msticpy

Microsoft Threat Intelligence Security Tools

The sentinel "list_alert_rules" function uses an old API version that doesn't include newer rule types e.g. NRT rules in the output. #788

Closed BWC-TomW closed 1 day ago

BWC-TomW commented 3 days ago

Is your feature request related to a problem? Please describe.

The sentinel "list_alert_rules" function uses an old API version that doesn't include newer rule types e.g. NRT rules in the output.

Describe the solution you'd like

Update the API version for list_alert_rules to use 2024-01-01-preview; NRT rules are not included in the non-preview REST API.

Describe alternatives you've considered

Allow the function to take an override of API version

Additional context

We've created an override for the class which gives us the expected output.

import pandas as pd
from msticpy.context.azure import MicrosoftSentinel


class MicrosoftSentinelOverides(MicrosoftSentinel):
    """Class overriding functionality of the MicrosoftSentinel class."""

    def __init__(self, **kwargs) -> None:
        super().__init__(**kwargs)

    def list_alert_rules(self) -> pd.DataFrame:
        """
        Return all Microsoft Sentinel alert rules for a workspace.

        Returns
        -------
        pd.DataFrame
            A table of the workspace's alert rules.

        """
        # Request the preview API version so that NRT rules are included.
        return self._list_items(  # type: ignore
            item_type="alert_rules", api_version="2024-01-01-preview"
        )
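The point of the report above is that an inventory of detection rules taken through an older API version can silently omit a whole rule kind, so audits of detection coverage come up short. The following is an added example, not code from the issue reporter or from msticpy: it builds the ARM list URL for a workspace's alert rules at a chosen api-version and diffs a listing taken with the stable version against one taken with the preview version, reporting the rules (here, the NRT rule) that the stable listing misses. The REST path is the standard ARM path for Microsoft.SecurityInsights alert rules; the stable version string, the subscription/resource-group/workspace names and both sample payloads are constructed for the example and are not captured from a real workspace.

```python
# Added example, not part of the issue or of msticpy. Builds the ARM URL for a
# workspace's alert rules at a chosen api-version and compares two listings
# (stable vs preview) to show which rule kinds the stable listing misses.
from __future__ import annotations

from collections import Counter
from typing import Any
from urllib.parse import urlencode

ARM_BASE = "https://management.azure.com"
ALERT_RULES_PATH = (
    "/subscriptions/{sub}/resourceGroups/{rg}"
    "/providers/Microsoft.OperationalInsights/workspaces/{ws}"
    "/providers/Microsoft.SecurityInsights/alertRules"
)
STABLE_API = "2023-02-01"           # assumption: a non-preview version in use
PREVIEW_API = "2024-01-01-preview"  # version requested in the issue


def alert_rules_url(sub: str, rg: str, ws: str, api_version: str = PREVIEW_API) -> str:
    """Build the ARM URL that lists a workspace's alert rules at the given api-version."""
    path = ALERT_RULES_PATH.format(sub=sub, rg=rg, ws=ws)
    return f"{ARM_BASE}{path}?{urlencode({'api-version': api_version})}"


def rule_kinds(payload: dict[str, Any]) -> Counter:
    """Count alert rules per 'kind' (Scheduled, NRT, Fusion, ...) in a list response."""
    return Counter(rule.get("kind", "<missing>") for rule in payload.get("value", []))


def missing_rules(stable: dict[str, Any], preview: dict[str, Any]) -> list[dict[str, Any]]:
    """Rules present in the preview listing but absent (by resource id) from the stable one."""
    stable_ids = {rule["id"].lower() for rule in stable.get("value", [])}
    return [rule for rule in preview.get("value", []) if rule["id"].lower() not in stable_ids]


def coverage_report(stable: dict[str, Any], preview: dict[str, Any]) -> dict[str, Any]:
    """Summarise what a stable-version inventory would miss relative to the preview listing."""
    missing = missing_rules(stable, preview)
    return {
        "stable_kinds": dict(rule_kinds(stable)),
        "preview_kinds": dict(rule_kinds(preview)),
        "missing_count": len(missing),
        "missing_kinds": sorted({rule["kind"] for rule in missing}),
        "missing_names": sorted(rule["properties"]["displayName"] for rule in missing),
    }


# Constructed sample data (hypothetical subscription, resource group and workspace).
_RULE_ID = (
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-sec"
    "/providers/Microsoft.OperationalInsights/workspaces/ws-sec"
    "/providers/Microsoft.SecurityInsights/alertRules/{name}"
)


def _rule(name: str, kind: str, display_name: str) -> dict[str, Any]:
    """Minimal alert-rule resource in the shape of an ARM list response element."""
    return {
        "id": _RULE_ID.format(name=name),
        "name": name,
        "kind": kind,
        "properties": {"displayName": display_name, "enabled": True},
    }


# What a stable-version listing returns: only the older rule kinds.
STABLE_PAYLOAD = {
    "value": [
        _rule("r1", "Scheduled", "Suspicious sign-in burst"),
        _rule("r2", "Fusion", "Advanced Multistage Attack Detection"),
    ]
}
# What the preview listing returns: the same rules plus an NRT rule.
PREVIEW_PAYLOAD = {
    "value": STABLE_PAYLOAD["value"] + [_rule("r3", "NRT", "Privileged role assigned (NRT)")]
}

if __name__ == "__main__":
    print(alert_rules_url("00000000-0000-0000-0000-000000000000", "rg-sec", "ws-sec"))
    print(coverage_report(STABLE_PAYLOAD, PREVIEW_PAYLOAD))
```

To use it against a real workspace, fetch both URLs with an ARM bearer token and pass the two JSON bodies to coverage_report; a non-empty missing_kinds list means the inventory produced by the older api-version is incomplete and any coverage review built on it has a blind spot.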
ianhelle commented 1 day ago

Thanks for that. I've merged the PR