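## For details of how to configure settings in this file, please see
## https://msticpy.readthedocs.io/en/latest/getting_started/msticpyconfig.html
##
## Every section below is left empty (it parses as null) until you uncomment
## and fill in the relevant example. Keep credentials out of this file where
## you can: an AuthKey may be given as an EnvironmentVar reference (see the
## GeoIPLite and IPStack examples) rather than as a literal key value, so the
## key never lands in a committed config file.
---
# Left empty on purpose - only populate it if you have custom query
# definitions to register (see the documentation link above).
QueryDefinitions:
AzureSentinel:
  Workspaces:
    # # Add your default workspace and tenant here (uncomment next 3 lines)
    # Default:
    #   WorkspaceId: your-workspace-id
    #   TenantId: your-tenant-id
    # # Add additional named workspaces here - you can use these in the notebook
    # # with the syntax ws_config = WorkspaceConfig(workspace="WorkspaceAlpha")
    # # Each section must have a unique name. You can have any number of
    # # workspace definitions
    # WorkspaceAlpha:
    #   WorkspaceId: alpha-workspace-id
    #   TenantId: alpha-tenant-id
TIProviders:
  # # Threat Intel service parameters are added here
  # # The Args section usually includes the authentication
  # # parameters: AuthKey (the API key) and in some cases others
  # # (e.g. XForce requires an ApiID key as well). The "AuthKey" name
  # # will be mapped onto the name used by the service, so you should not
  # # change this - e.g. some providers call this ApiKey.
  # # Booleans are written as lowercase true/false so every YAML parser
  # # reads them the same way.
  # OTX:
  #   Args:
  #     AuthKey: OTX-API-Key
  #   Primary: true
  #   Provider: "OTX"
  # VirusTotal:
  #   Args:
  #     AuthKey: VT-API-Key
  #   Primary: false
  #   Provider: "VirusTotal"
  # XForce:
  #   Args:
  #     ApiID: XForce-API-ID
  #     AuthKey: XForce-Auth-Key
  #   Primary: true
  #   Provider: "XForce"
  # AzureSentinel:
  #   # The Microsoft Sentinel TI data can be in a different workspace
  #   # to the workspace where your data is. If it is different,
  #   # both workspaces must be in the same tenant. This is a limitation
  #   # of the Log Analytics client library.
  #   Args:
  #     workspace_id: your-workspace-id
  #     tenant_id: your-tenant-id
  #   Primary: true
  #   Provider: "AzSTI"
OtherProviders:
  # # Other data providers
  # # AuthKey is read from an environment variable here instead of being
  # # stored inline - prefer this form for any provider that supports it.
  # GeoIPLite:
  #   Args:
  #     AuthKey:
  #       EnvironmentVar: "MAXMIND_AUTH"
  #     DBFolder: "~/.msticpy"
  #   Provider: "GeoLiteLookup"
  # IPStack:
  #   Args:
  #     AuthKey:
  #       EnvironmentVar: "IPSTACK_AUTH"
  #   Provider: "IPStackLookup"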