Added run KQL query to azure sentinel

frikky · frikky · commit 59233ce77b3b · 2022-04-05T15:03:08.000+02:00
diff --git a/azure-sentinel/1.0.0/api.yaml b/azure-sentinel/1.0.0/api.yaml
@@ -238,4 +238,32 @@ actions:
     returns:
       schema:
         type: string
+  - name: run_query 
+    description: Runs a KQL query in your tenant
+    parameters:
+      - name: query 
+        description: The query to run
+        multiline: false
+        example: "SecurityEvent | where EventID == \"4688\" | where CommandLine contains \"-noni -ep bypass $\""
+        required: true
+        schema:
+          type: string
+      - name: query_category 
+        description: The comment to add
+        multiline: false
+        example: "Hunting Queries"
+        required: true
+        schema:
+          type: string
+      - name: query_name 
+        description: The name to use for the query 
+        multiline: false
+        example: "HuntingRule02"
+        required: true
+        schema:
+          type: string
+    returns:
+    returns:
+      schema:
+        type: string
 large_image: data:image/svg+xml;base64,PHN2ZyBpZD0iYTc1ZTNmM2EtMjY2MS00MTBiLTgyZmItZDMwMGQzN2RlYTJkIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSIxOCIgaGVpZ2h0PSIxOCIgdmlld0JveD0iMCAwIDE4IDE4Ij48ZGVmcz48bGluZWFyR3JhZGllbnQgaWQ9ImFmZjYwZGRmLWVlYzEtNDBiZi04YmY1LWYzZTNiNTBlODgxOCIgeDE9IjkiIHkxPSIxNi4yMSIgeDI9IjkiIHkyPSIwLjYyIiBncmFkaWVudFVuaXRzPSJ1c2VyU3BhY2VPblVzZSI+PHN0b3Agb2Zmc2V0PSIwIiBzdG9wLWNvbG9yPSIjMWI5M2ViIiAvPjxzdG9wIG9mZnNldD0iMC4yMSIgc3RvcC1jb2xvcj0iIzIwOTVlYiIgLz48c3RvcCBvZmZzZXQ9IjAuNDQiIHN0b3AtY29sb3I9IiMyZTljZWQiIC8+PHN0b3Agb2Zmc2V0PSIwLjY5IiBzdG9wLWNvbG9yPSIjNDVhN2VmIiAvPjxzdG9wIG9mZnNldD0iMC45NSIgc3RvcC1jb2xvcj0iIzY0YjZmMSIgLz48c3RvcCBvZmZzZXQ9IjEiIHN0b3AtY29sb3I9IiM2YmI5ZjIiIC8+PC9saW5lYXJHcmFkaWVudD48L2RlZnM+PHRpdGxlPkljb24tc2VjdXJpdHktMjQ4PC90aXRsZT48cGF0aCBkPSJNMTYsOC40NGMwLDQuNTctNS41Myw4LjI1LTYuNzMsOWEuNDMuNDMsMCwwLDEtLjQ2LDBDNy41NywxNi42OSwyLDEzLDIsOC40NFYyLjk0YS40NC40NCwwLDAsMSwuNDMtLjQ0QzYuNzcsMi4zOSw1Ljc4LjUsOSwuNXMyLjIzLDEuODksNi41MywyYS40NC40NCwwLDAsMSwuNDMuNDRaIiBmaWxsPSIjMWI5M2ViIiAvPjxwYXRoIGQ9Ik0xNS4zOCw4LjQ4YzAsNC4yLTUuMDcsNy41Ny02LjE3LDguMjVhLjQuNCwwLDAsMS0uNDIsMGMtMS4xLS42OC02LjE3LTQuMDUtNi4xNy04LjI1di01QS40MS40MSwwLDAsMSwzLDNjMy45NC0uMTEsMy0xLjgzLDYtMS44M1MxMS4wNSwyLjkzLDE1LDNhLjQxLjQxLDAsMCwxLC4zOS40WiIgZmlsbD0idXJsKCNhZmY2MGRkZi1lZWMxLTQwYmYtOGJmNS1mM2UzYjUwZTg4MTgpIiAvPjxwYXRoIGQ9Ik05LDYuNTNBMi44OCwyLjg4LDAsMCwxLDExLjg0LDlhLjQ5LjQ5LDAsMCwwLC40OS40aDEuNGEuNDkuNDksMCwwLDAsLjUtLjUzLDUuMjYsNS4yNiwwLDAsMC0xMC40NiwwLC40OS40OSwwLDAsMCwuNS41M2gxLjRBLjQ5LjQ5LDAsMCwwLDYuMTYsOSwyLjg4LDIuODgsMCwwLDEsOSw2LjUzWiIgZmlsbD0iI2MzZjFmZiIgLz48Y2lyY2xlIGN4PSI5IiBjeT0iOS40IiByPSIxLjkxIiBmaWxsPSIjZmZmIiAvPjwvc3ZnPg==
diff --git a/azure-sentinel/1.0.0/src/app.py b/azure-sentinel/1.0.0/src/app.py
@@ -242,6 +242,43 @@ def add_comment(self, **kwargs):
 
         return res.text
 
+    def run_query(self, **kwargs):
+
+        # Get a client credential access token
+        auth = self.authenticate(
+            kwargs["tenant_id"], kwargs["client_id"], kwargs["client_secret"]
+        )
+        if not auth["success"]:
+            return {"error": auth["message"]}
+
+        query_url = f"{self.azure_url}/subscriptions/{kwargs['subscription_id']}/resourceGroups/{kwargs['resource_group_name']}/providers/Microsoft.OperationalInsights/workspaces/{kwargs['workspace_name']}/savedSearches"
+        
+        #providers/Microsoft.SecurityInsights/incidents/{kwargs['incident_id']}/comments"
+
+        #PUT https://management.azure.com/subscriptions/{subscriptionId} _
+        #/resourcegroups/{resourceGroupName} _
+        #/providers/Microsoft.OperationalInsights/workspaces/{workspaceName} _
+        #/savedSearches/{savedSearchId}?api-version=2020-03-01-preview
+
+
+        params = {"api-version": "2020-01-01"}
+
+        comment_id = str(uuid.uuid4())
+        comment_data = {
+            "properties": {
+                "Category": kwargs["query_category"],
+                "DisplayName": kwargs["query_name"],
+                "Query": {kwargs['query']},
+            }
+        }
+
+
+        res = self.s.put(f"{comment_url}/{comment_id}", json=comment_data, params=params)
+        if res.status_code != 200:
+            raise ConnectionError(res.text)
+
+        return res.text
+
 
 if __name__ == "__main__":
     AzureSentinel.run()
