In [None]:
import os
import pandas as pd
from datetime import datetime

# Show every column and row in full so no rule (or its query text) is truncated
# in the outputs below. Saved outputs therefore contain the complete rule
# queries; clear outputs before the notebook is shared.
pd.set_option(
    'display.max_columns', None,
    'display.max_rows', None,
    'display.max_colwidth', 1000,
)

In [None]:
# Newest export first. Names are sorted lexically, so this assumes the export
# file names carry a sortable date/time prefix — TODO confirm against the
# directory. os.listdir also returns sub-directories and non-CSV entries.
file_list = sorted(os.listdir('datalib/sentinel/'))[::-1]
# Index 0 is skipped; presumably a non-export entry sorts first — verify which
# two files are actually being compared before trusting the checks below.
print("Current Rule List: ", file_list[1])
print("Prior Rule List: ", file_list[2])


In [None]:
# Load both exports, indexed by the rule's 'name' column (presumably the rule
# id rather than its display name — confirm against the export format).
current_data_df = pd.read_csv(f'datalib/sentinel/{file_list[1]}', index_col='name')
prior_data_df = pd.read_csv(f'datalib/sentinel/{file_list[2]}', index_col='name')

## Check the Rule Count

> - A difference between the two counts means rules were added or removed since the prior export, and those adds or removes should be validated

In [None]:
# Row count per export; a difference means rules were added or removed.
print(f"Current Rule Count: {len(current_data_df)}")
print(f"Prior Rule Count: {len(prior_data_df)}")

## Alert Per Result Not Set
> - Very few Rules should not be set to AlertPerResult
> - Majority of Sentinel Logic will be AlertPerResult

In [None]:
print("Alert Per Result Not Set")
print("#######################")
# Every rule whose aggregation kind is anything other than AlertPerResult.
# Rows with an empty aggregationKind are included too, since NaN compares
# as not-equal to the string.
apr = current_data_df[current_data_df['aggregationKind'].ne('AlertPerResult')]
apr['displayName']

## Quick Config Checks for Rules Not Going to Console
> - Decrease/Increase in counts
> - Setting the rule to disabled
> - Setting the rule to informational
> - Setting the rule to alert only and not setting Incident Creation


In [None]:
# Disabled rules produce nothing in the console, so a rise in this count is
# a coverage gap until each entry is explained.
current_disabled_df = current_data_df[current_data_df['enabled'].eq(False)]
print(f"Current Disabled Count: {len(current_disabled_df)}")

prior_disabled_df = prior_data_df[prior_data_df['enabled'].eq(False)]
print(f"Prior Disabled Count: {len(prior_disabled_df)}")

print("Rule Set to Disabled")
print("#######################")
current_disabled_df[['displayName', 'lastModifiedUtc']]

In [None]:
# Informational-severity rules; compare the two counts to spot downgrades.
current_info_df = current_data_df[current_data_df['severity'].eq('Informational')]
print(f"Current Info Count: {len(current_info_df)}")

prior_info_df = prior_data_df[prior_data_df['severity'].eq('Informational')]
print(f"Prior Info Count: {len(prior_info_df)}")

print("Rule Severity Set to Informational")
print("#######################")

current_info_df[['displayName', 'lastModifiedUtc']]

In [None]:
# Rules that alert but never open an incident, so nothing reaches the queue.
current_incident_df = current_data_df[current_data_df['createIncident'].eq(False)]
print(f"Current No Incident Count: {len(current_incident_df)}")

prior_incident_df = prior_data_df[prior_data_df['createIncident'].eq(False)]
print(f"Prior No Incident Count: {len(prior_incident_df)}")

print("Incident Create Set to False")
print("#######################")

current_incident_df[['displayName', 'lastModifiedUtc']]

## Rule Changes Last 14 Days
> - Spot check all rules that have changed

In [None]:
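# Window for "recently changed"; the header above and the print use this value.
CHANGE_WINDOW_DAYS = 14

# Keep the parsed timestamp in the frame so the displayed column is a datetime.
current_data_df['lastModifiedUtc'] = pd.to_datetime(current_data_df['lastModifiedUtc'])

# Compare real instants instead of day-of-year numbers. The previous
# `today - dayofyear <= 14` test broke across a year boundary (January minus
# December goes negative and counts as "changed") and ignored the year, so a
# rule last touched on this date in an earlier year was reported as well.
# utc=True treats naive values as UTC (the column is named lastModifiedUtc)
# and converts offset-bearing ones, so the comparison is valid either way.
# The helper 'doy' column is no longer added to current_data_df.
modified_utc = pd.to_datetime(current_data_df['lastModifiedUtc'], utc=True)
cutoff = pd.Timestamp.now(tz='UTC') - pd.Timedelta(days=CHANGE_WINDOW_DAYS)
change_df = current_data_df.loc[modified_utc >= cutoff]

print(f"Rule Changes Last {CHANGE_WINDOW_DAYS} Days")
print("###########################")
change_df[['lastModifiedUtc', 'displayName']]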

## Diff Checks
> - Compare selected rule fields between the current and prior exports


In [None]:
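# Fields whose change matters for detection coverage: the KQL itself, whether
# the rule runs, its severity, and whether it raises an incident.
DIFF_COLS = ['displayName', 'query', 'enabled', 'severity', 'createIncident']
diff_a_df = current_data_df[DIFF_COLS]
diff_b_df = prior_data_df[DIFF_COLS]

# Stack both exports under a 'source' index level so each surviving row says
# which export it came from; the unlabeled concat could not tell them apart.
combo_df = (
    pd.concat([diff_a_df, diff_b_df], keys=['current', 'prior'])
    .rename_axis(['source', 'name'])
)

# A row present unchanged in both exports appears twice and is dropped; what
# remains is each side's version of every added, removed or edited rule.
# reset_index() brings the rule 'name' into the comparison, because
# drop_duplicates ignores the index and would otherwise miss a renamed rule
# and collapse two distinct rules that share identical fields. Sorting by
# name puts the current and prior versions of the same rule next to each other.
diff_df = (
    combo_df.reset_index()
    .drop_duplicates(subset=['name'] + DIFF_COLS, keep=False)
    .set_index(['source', 'name'])
    .sort_index(level='name')
)

diff_df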