I am trying to update Azure Sentinel incident labels with msticpy. I can modify other properties successfully, but labels are not accepted by the API call. Can anyone offer some insight?

Environment:
Python 3.10
Azure Machine Learning Studio notebook
msticpy 2.11
```python
from msticpy.data.azure import AzureData, MicrosoftSentinel

azs = MicrosoftSentinel()
azs.connect()
# Works for other properties, fails with HTTP 400 when 'labels' is included
azs.update_incident(
    incident_id="INCIDENTID8",
    update_items={"labels": [{"labelName": "test", "labelType": "User"}]},
)
```
Error:

```
HTTPStatusError: Client error '400 Bad Request' for url 'https://management.azure.com/subscriptions/SUBSCRIPTIONID/resourceGroups/RESOURCEGROUP/providers/Microsoft.OperationalInsights/workspaces/WORKSPACE/providers/Microsoft.SecurityInsights/incidents/INCIDENTID?api-version=2020-01-01'
For more information check: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/400
```
You need to use the get_incident method first to return the incident object. From there you can modify or add labels.
```python
# IncidentLabel is the label model used by the answer; the original code does not
# show where it is imported from, so that import is left as it was posted.
incident_id = "GUID HERE"  # You can pass a name to get_incident, but it's not guaranteed to be unique
incident = azs.get_incident(incident_id)

new_label_name = "test"
new_label_type = "user"
new_label = IncidentLabel(label_name=new_label_name, label_type=new_label_type)

# Add the label to the fetched incident, then push the whole incident back
incident.labels[new_label_name] = new_label
azs.update_incident(incident)
```
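As an added illustration (not code from the question, the answer, or msticpy itself), the block below shows what the update described above has to send on the wire: a PUT to the incident URL seen in the error, with the incident's current etag and its existing labels merged with the new one, because the PUT replaces the whole label list rather than appending to it. It deliberately sends only `labelName` for each label, since `labelType` (User or AutoAssigned) is reported by the service rather than chosen by the caller. The helper and function names, and the sample incident document, are constructed for the example; only the URL layout and the `labelName`/`labelType` fields come from the page.

```python
"""Build a Sentinel incident PUT body that adds labels without dropping existing ones.

Added example; not part of the original question, answer, or msticpy.
The sample incident below is constructed test data, not a real incident.
"""
from typing import Any, Dict, List, Optional

# Constructed sample of what a GET on an incident returns (trimmed to the fields used here).
SAMPLE_INCIDENT: Dict[str, Any] = {
    "etag": '"abc123"',
    "properties": {
        "title": "Suspicious sign-in",
        "status": "Active",
        "severity": "Medium",
        "labels": [{"labelName": "existing", "labelType": "AutoAssigned"}],
    },
}


def incident_url(subscription: str, resource_group: str, workspace: str,
                 incident_id: str, api_version: str = "2020-01-01") -> str:
    """Rebuild the incident resource URL that appears in the 400 error above."""
    return (
        "https://management.azure.com"
        f"/subscriptions/{subscription}"
        f"/resourceGroups/{resource_group}"
        "/providers/Microsoft.OperationalInsights"
        f"/workspaces/{workspace}"
        "/providers/Microsoft.SecurityInsights"
        f"/incidents/{incident_id}?api-version={api_version}"
    )


def merge_labels(existing: Optional[List[Dict[str, Any]]], new_names: List[str]) -> List[Dict[str, str]]:
    """Return the full label list to send: existing names first, then new ones, no case-insensitive duplicates.

    Only labelName is emitted; labelType is assigned by the service, so it is not sent back.
    """
    names: List[str] = []
    seen = set()
    for label in existing or []:
        key = label["labelName"].casefold()
        if key not in seen:
            seen.add(key)
            names.append(label["labelName"])
    for name in new_names:
        key = name.casefold()
        if key not in seen:
            seen.add(key)
            names.append(name)
    return [{"labelName": n} for n in names]


def build_update_body(incident: Dict[str, Any], new_label_names: List[str],
                      **changed_props: Any) -> Dict[str, Any]:
    """Assemble the PUT body: current etag for optimistic concurrency, the properties the
    API requires carried over from the fetched incident, labels merged, plus any explicit changes.
    """
    props = incident["properties"]
    body_props: Dict[str, Any] = {
        "title": props["title"],
        "status": props["status"],
        "severity": props["severity"],
        "labels": merge_labels(props.get("labels"), new_label_names),
    }
    body_props.update(changed_props)  # e.g. status="Closed", classification="BenignPositive"
    return {"etag": incident["etag"], "properties": body_props}


if __name__ == "__main__":
    import json
    print(incident_url("SUBSCRIPTIONID", "RESOURCEGROUP", "WORKSPACE", "INCIDENTID"))
    print(json.dumps(build_update_body(SAMPLE_INCIDENT, ["test"]), indent=2))
```

The body is what you would hand to `httpx.put(url, json=body, headers=...)` with a bearer token; the point of `merge_labels` is that re-sending the labels you fetched is what keeps them, and that the same name in a different case is treated as one label rather than two.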