Aetuner

Client

class Aetuner.Client

A client object representing the 'Aetuner' service:

import almdrlib

client = almdrlib.client('aetuner')

Available methods:

get_analytic(**kwargs)

Returns an analytic for a specific customer

Request Syntax

response = client.get_analytic(
    account_id='string'
    audit_events_limit='integer'
    enable_new='False|True'
    explain='False|True'
    handling_key='string'
    include_audit_events='False|True'
    include_stacktrace='False|True'
    key='string'
    path='string'
    severity_key='string'
    sql_field_values={}
    tuning_tagset_key='string'
    tuning_tagset_path='string'
    tuning_tagset_value='string'
    visibility_key='string'
)
Parameters
  • account_id (string) –

    [REQUIRED]

    AIMS Account ID

  • audit_events_limit (integer) – Limit the number of audit events to this number

  • enable_new (boolean) –

  • explain (boolean) – Explain how tunings are calculated or updated

  • handling_key (string) – Handling tagset tuning key. Used to read the tuning tagset value under this key instead of the default.

  • include_audit_events (boolean) – When set to true returns audit events for the tuning tagsets in the analytic

  • include_stacktrace (boolean) –

  • key (string) – Tuning tagset key, defaults to the analytic name

  • path (string) –

    [REQUIRED]

    Analytic Name

  • severity_key (string) – Severity tagset tuning key. Used to read the tuning tagset value under this key instead of the default.

  • sql_field_values (dict) – A map of values for SQL fields, example {"bf_protocol":"windows"}

  • tuning_tagset_key (string) –

  • tuning_tagset_path (string) –

  • tuning_tagset_value (string) –

  • visibility_key (string) – Visibility tagset tuning key. Used to read the tuning tagset value under this key instead of the default.

Return type

dict

Returns

Response Syntax

{
    'data_type': 'logmsgs'|'observation'|'telemetry',
    'display_name': 'string',
    'inherited': 'False|True',
    'name': 'string',
    'observation': {
        'generate': 'string',
        'keys': {},
        'parents': 'string',
        'scope': 'string',
        'scope_type': 'string',
        'severity': 'string',
        'visibility': 'string'
    },
    'path': 'string',
    'severity': 'string',
    'sql': 'string',
    'visibility': 'string'
}

Response Definitions

  • data_type (string) –

    Data Type used to generate analytic outcome.

    Valid values: logmsgs, observation, telemetry

  • display_name (string) –

  • inherited (boolean) –

  • name (string) –

  • observation (dict) –

    Observation Information

    • generate (string) –

    • keys (dict) –

    • parents (string) –

    • scope (string) –

    • scope_type (string) –

    • severity (string) –

      Tagset name for severity tags

    • visibility (string) –

      Tagset name for visibility tags

  • path (string) –

  • severity (string) –

  • sql (string) –

  • visibility (string) –

get_healthcheck(**kwargs)

Check health status of the service.

Request Syntax

response = client.get_healthcheck(
)
Returns

None

get_incident_handling(**kwargs)

Return incident type handling setting

Request Syntax

response = client.get_incident_handling(
    account_id='string'
    path='string'
)
Parameters
  • account_id (string) –

    [REQUIRED]

    AIMS Account ID

  • path (string) –

    [REQUIRED]

    Incident Type Fully Qualified Name

Return type

dict

Returns

Response Syntax

{
    'path': 'string',
    'settings': [
        'auto_soc_close'|'auto_escalate'|'auto_customer_close'
    ]
}

Response Definitions

  • path (string) –

    Handling preferences path.

  • settings (list) –

    List of applicable handling settings

    • (string) –

      • auto_soc_close - only controls whether the incident is shown to the SOC; no other behaviour or values are affected.

        If set, the incident bypasses the SOC and becomes available in the Customer Console.

      • auto_escalate - only controls whether the customer receives an email notification; no other behaviour or values are affected.

        If an incident is escalated and becomes SOC-closed, a notification is generated with the escalations flag set to True.

      • auto_customer_close - only controls whether the customer sees the incident as "Closed" in the Customer Console; no other behaviour or values are affected.

        If set, the incident shows in the Customer Console only under the 'Closed' filter.

      Valid values: auto_soc_close, auto_escalate, auto_customer_close

get_incident_tunables(**kwargs)

Returns a list of all the tags that can be tuned and sample alcli commands to tune them.

Request Syntax

response = client.get_incident_tunables(
    account_id='string'
    incident_id='string'
)
Parameters
  • account_id (string) – [REQUIRED]

  • incident_id (string) – [REQUIRED]

Return type

dict

Returns

Response Syntax

{
    'tunings': [
        {
            'keys': [
                {
                    'name': 'string',
                    'type': 'string'
                }
            ],
            'name': 'string',
            'tuning_command': 'string',
            'type': 'string',
            'value': {}
        }
    ]
}

Response Definitions

  • tunings (list) –

    • (dict) –

      • keys (list) –

        • (dict) –

          • name (string) –

          • type (string) –

      • name (string) –

        tagset name

      • tuning_command (string) –

        alcli sample command

      • type (string) –

      • value (dict) –

get_incident_type(**kwargs)

Return incident type for a specific customer by its name

Request Syntax

response = client.get_incident_type(
    account_id='string'
    path='string'
)
Parameters
  • account_id (string) –

    [REQUIRED]

    AIMS Account ID

  • path (string) –

    [REQUIRED]

    Incident Type Fully Qualified Name

Return type

dict

Returns

Response Syntax

{
    'analytics': [
        'string'
    ],
    'incident_handling': 'auto_soc_close'|'auto_escalate'|'auto_customer_close',
    'path': 'string',
    'severity': 'info'|'low'|'medium'|'high'|'critical',
    'visibility': 'observation'|'incident'|'test'
}

Response Definitions

  • analytics (list) –

    List of Analytics that can generate this incident type

    • (string) –

  • incident_handling (string) –

    • auto_soc_close - only controls whether the incident is shown to the SOC; no other behaviour or values are affected.

      If set, the incident bypasses the SOC and becomes available in the Customer Console.

    • auto_escalate - only controls whether the customer receives an email notification; no other behaviour or values are affected.

      If an incident is escalated and becomes SOC-closed, a notification is generated with the escalations flag set to True.

    • auto_customer_close - only controls whether the customer sees the incident as "Closed" in the Customer Console; no other behaviour or values are affected.

      If set, the incident shows in the Customer Console only under the 'Closed' filter.

    Valid values: auto_soc_close, auto_escalate, auto_customer_close

  • path (string) –

    Fully qualified name of an incident type

  • severity (string) –

    Severity of an incident

    Valid values: info, low, medium, high, critical

  • visibility (string) –

    Visibility of an incident

    Valid values: observation, incident, test

get_tagset(**kwargs)

Returns a tagset for a specific customer

Request Syntax

response = client.get_tagset(
    account_id='string'
    audit_events_limit='integer'
    explain='False|True'
    include_audit_events='False|True'
    key='string'
    path='string'
)
Parameters
  • account_id (string) –

    [REQUIRED]

    AIMS Account ID

  • audit_events_limit (integer) – Limit of audit events to include

  • explain (boolean) – Explain how tunings are calculated or updated

  • include_audit_events (boolean) – Include audit events

  • key (string) – Key in the tagset

  • path (string) – Name of a tagset

Return type

dict

Returns

Response Syntax

{
    'data_type': 'logmsgs'|'observation'|'telemetry',
    'display_name': 'string',
    'inherited': 'False|True',
    'name': 'string',
    'observation': {
        'generate': 'string',
        'keys': {},
        'parents': 'string',
        'scope': 'string',
        'scope_type': 'string',
        'severity': 'string',
        'visibility': 'string'
    },
    'path': 'string',
    'severity': 'string',
    'sql': 'string',
    'visibility': 'string'
}

Response Definitions

  • data_type (string) –

    Data Type used to generate analytic outcome.

    Valid values: logmsgs, observation, telemetry

  • display_name (string) –

  • inherited (boolean) –

  • name (string) –

  • observation (dict) –

    Observation Information

    • generate (string) –

    • keys (dict) –

    • parents (string) –

    • scope (string) –

    • scope_type (string) –

    • severity (string) –

      Tagset name for severity tags

    • visibility (string) –

      Tagset name for visibility tags

  • path (string) –

  • severity (string) –

  • sql (string) –

  • visibility (string) –

get_version(**kwargs)

Get the AEtuner version

Request Syntax

response = client.get_version(
)
Returns

None

list_analytics(**kwargs)

List analytics for an account

Request Syntax

response = client.list_analytics(
    account_id='string'
    datatype='logsmsgs'|'observations'|'telemetry'
    output='all'|'correlations'|'analytics'
)
Parameters
  • account_id (string) –

    [REQUIRED]

    AIMS Account ID

  • datatype (string) –

    Data type used for analytics generation. If this parameter is omitted, analytics for all data types are returned.

    Valid values: logsmsgs, observations, telemetry

  • output (string) –

    What to include in the response

    Valid values: all, correlations, analytics

    Default: all

Return type

dict

Returns

Response Syntax

{
    'logmsgs': [
        'string'
    ],
    'observations': [
        'string'
    ],
    'telemetry': [
        'string'
    ]
}

Response Definitions

  • logmsgs (list) –

    List of log-based analytics

    • (string) –

  • observations (list) –

    • (string) –

  • telemetry (list) –

    • (string) –
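The list_analytics and get_analytic calls above are enough to audit an account's tuning: walk every analytic, fetch it, and keep the ones whose tuning is not inherited from the defaults, since those are the customer-specific overrides that can quietly lower a severity or turn an incident-producing analytic into an observation. The script below is an added example, not code from almdrlib or the aetuner service; it assumes `client` is any object exposing `list_analytics(account_id=...)` and `get_analytic(account_id=..., path=...)` with the response shapes documented on this page (almdrlib.client('aetuner') in practice), and the fake client, analytic names and the reading of visibility 'observation'/'test' as "no incident raised" are this example's own assumptions so that it runs offline.

```python
# Added example (not part of almdrlib or the aetuner service docs): inventory
# the analytics whose tuning has been overridden for an account, using the
# list_analytics and get_analytic responses documented on this page.
#
# Assumptions: `client` exposes list_analytics(account_id=...) and
# get_analytic(account_id=..., path=...) with the documented response shapes;
# the fake client and the analytic names below are constructed so the example
# runs offline.
from typing import Any, Dict, List

# Keys of the list_analytics response, in the order they are documented.
LIST_KEYS = ("logmsgs", "observations", "telemetry")
# Map the data_type value of a get_analytic response onto the list_analytics key.
LIST_KEY_FOR_DATA_TYPE = {"logmsgs": "logmsgs", "observation": "observations", "telemetry": "telemetry"}
# Visibility values assumed here not to raise an incident.
NON_INCIDENT_VISIBILITY = ("observation", "test")


def list_analytic_paths(client, account_id: str) -> List[str]:
    """Flatten the per-data-type lists of list_analytics into one list of names."""
    resp = client.list_analytics(account_id=account_id)
    paths: List[str] = []
    for key in LIST_KEYS:
        paths.extend(resp.get(key) or [])
    return paths


def overridden_analytics(client, account_id: str) -> List[Dict[str, Any]]:
    """Return the analytics whose tuning is not inherited from the defaults.

    Each entry keeps the fields a reviewer needs to judge whether a
    customer-specific override weakens detection.
    """
    findings: List[Dict[str, Any]] = []
    for path in list_analytic_paths(client, account_id):
        analytic = client.get_analytic(account_id=account_id, path=path)
        if analytic.get("inherited", True):
            continue  # default tuning, nothing customer-specific to review
        findings.append({
            "path": analytic.get("path", path),
            "data_type": analytic.get("data_type"),
            "severity": analytic.get("severity"),
            "visibility": analytic.get("visibility"),
        })
    return findings


def suppressed_analytics(findings: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Overrides that keep an analytic from producing incidents at all."""
    return [f for f in findings if f["visibility"] in NON_INCIDENT_VISIBILITY]


class FakeAetunerClient:
    """Constructed stand-in for almdrlib.client('aetuner') returning canned data."""

    def __init__(self, analytics: Dict[str, Dict[str, Any]]):
        self._analytics = analytics

    def list_analytics(self, account_id: str) -> Dict[str, List[str]]:
        out: Dict[str, List[str]] = {key: [] for key in LIST_KEYS}
        for a in self._analytics.values():
            out[LIST_KEY_FOR_DATA_TYPE[a["data_type"]]].append(a["path"])
        return out

    def get_analytic(self, account_id: str, path: str) -> Dict[str, Any]:
        return self._analytics[path]


# Constructed sample data; the analytic names are illustrative, not real ones.
SAMPLE_ANALYTICS = {
    "bf_ssh": {"path": "bf_ssh", "data_type": "logmsgs", "inherited": True,
               "severity": "medium", "visibility": "incident"},
    "bf_rdp": {"path": "bf_rdp", "data_type": "logmsgs", "inherited": False,
               "severity": "low", "visibility": "observation"},
    "beacon": {"path": "beacon", "data_type": "telemetry", "inherited": False,
               "severity": "high", "visibility": "incident"},
}

if __name__ == "__main__":
    fake = FakeAetunerClient(SAMPLE_ANALYTICS)
    found = overridden_analytics(fake, "12345678")
    quiet = suppressed_analytics(found)
    for f in found:
        flag = "SUPPRESSED" if f in quiet else "overridden"
        print(f"{flag:10} {f['path']:8} severity={f['severity']} visibility={f['visibility']}")
```

Swap the fake for `almdrlib.client('aetuner')` to run it against a real account; the `inherited` flag is what separates default tuning from overrides, so an analytic that is overridden but still at its default severity and visibility will also appear and is worth a look at its whitelists.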

list_incident_handlings(**kwargs)

Returns a list of all incident handling settings for a given customer

Request Syntax

response = client.list_incident_handlings(
    account_id='string'
)
Parameters

account_id (string) –

[REQUIRED]

AIMS Account ID

Return type

list

Returns

Response Syntax

[
    {
        'path': 'string',
        'settings': [
            'auto_soc_close'|'auto_escalate'|'auto_customer_close'
        ]
    }
]

Response Definitions

  • (dict) –

    Incident Type Handling information.

    • path (string) –

      Handling preferences path.

    • settings (list) –

      List of applicable handling settings

      • (string) –

        • auto_soc_close - only controls whether the incident is shown to the SOC; no other behaviour or values are affected.

          If set, the incident bypasses the SOC and becomes available in the Customer Console.

        • auto_escalate - only controls whether the customer receives an email notification; no other behaviour or values are affected.

          If an incident is escalated and becomes SOC-closed, a notification is generated with the escalations flag set to True.

        • auto_customer_close - only controls whether the customer sees the incident as "Closed" in the Customer Console; no other behaviour or values are affected.

          If set, the incident shows in the Customer Console only under the 'Closed' filter.

        Valid values: auto_soc_close, auto_escalate, auto_customer_close

list_incident_types(**kwargs)

List all incident types for a specific customer

Request Syntax

response = client.list_incident_types(
    account_id='string'
)
Parameters

account_id (string) – [REQUIRED]

Return type

list

Returns

Response Syntax

[
    'string'
]

Response Definitions

  • (string) –

reset_all_analytics_handling(**kwargs)

Reset all Analytics handling

Request Syntax

response = client.reset_all_analytics_handling(
    account_id='string'
    dry_run='False|True'
    reason='string'
)
Parameters
  • account_id (string) –

    [REQUIRED]

    AIMS Account ID

  • dry_run (boolean) – DRY RUN only

  • reason (string) –

    [REQUIRED]

    Reason for performing the reset. This information is used for auditing purposes.

Return type

dict

Returns

Response Syntax

{
    'handling_update': 'dict|list'
}

Response Definitions

  • handling_update (dict) –

reset_all_analytics_severity(**kwargs)

Reset all Analytics severity

Request Syntax

response = client.reset_all_analytics_severity(
    account_id='string'
    dry_run='False|True'
    reason='string'
)
Parameters
  • account_id (string) –

    [REQUIRED]

    AIMS Account ID

  • dry_run (boolean) – DRY RUN only

  • reason (string) –

    [REQUIRED]

    Reason for performing the reset. This information is used for auditing purposes.

Return type

dict

Returns

Response Syntax

{
    'severity_update': 'dict|list'
}

Response Definitions

  • severity_update (dict) –

reset_all_analytics_visibility(**kwargs)

Reset all Analytics visibility

Request Syntax

response = client.reset_all_analytics_visibility(
    account_id='string'
    dry_run='False|True'
    reason='string'
)
Parameters
  • account_id (string) –

    [REQUIRED]

    AIMS Account ID

  • dry_run (boolean) – DRY RUN only

  • reason (string) –

    [REQUIRED]

    Reason for performing the reset. This information is used for auditing purposes.

Return type

dict

Returns

Response Syntax

{
    'handling_update': 'dict|list'
}

Response Definitions

  • handling_update (dict) –

reset_analytic(**kwargs)

Reset an analytic

Request Syntax

response = client.reset_analytic(
    account_id='string'
    path='string'
    reason='string'
    severity='False|True'
    tuning=[
        'string'
    ]
    visibility='False|True'
)
Parameters
  • account_id (string) –

    [REQUIRED]

    AIMS Account ID

  • path (string) –

    [REQUIRED]

    Analytic Fully Qualified Name

  • reason (string) –

    [REQUIRED]

    Reason for performing the reset. This information is used for auditing purposes.

  • severity (boolean) –

  • tuning (list) –

    List of tuning keys to reset

    • (string) –

  • visibility (boolean) –

Returns

None

reset_incident_handling(**kwargs)

Reset Incident Handling setting

Request Syntax

response = client.reset_incident_handling(
    account_id='string'
    path='string'
    reason='string'
)
Parameters
  • account_id (string) –

    [REQUIRED]

    AIMS Account ID

  • path (string) –

    [REQUIRED]

    Incident Type Fully Qualified Name

  • reason (string) –

    [REQUIRED]

    Reason for a change

Returns

None

reset_incident_type(**kwargs)

Reset Incident Type properties

Request Syntax

response = client.reset_incident_type(
    account_id='string'
    exclude='severity'|'visibility'
    path='string'
    reason='string'
)
Parameters
  • account_id (string) –

    [REQUIRED]

    AIMS Account ID

  • exclude (string) – Valid values: severity, visibility

  • path (string) –

    [REQUIRED]

    Incident Type Fully Qualified Name

  • reason (string) –

    [REQUIRED]

    Reason for a change.

Returns

None

tuning_report(**kwargs)

Returns a shell command that can be run to produce the desired report.

Example:

bash -c "$(alcli aetuner tuning_report --command get_tuning_for_tagset --path IncidentVisibilityMap)"

In this form whatever string the service returns is executed, unchecked, by the local shell. Run the alcli command on its own first, review the command it prints, and only then wrap it in bash -c.

Request Syntax

response = client.tuning_report(
    cid='string'
    command='get_tuning_for_tagset'|'get_tuning_for_analytic'|'get_tuning_for_account_id'
    exclude='string'
    observation_path='string'
    path='string'
    return_values='False|True'
)
Parameters
  • cid (string) –

    [REQUIRED]

    Customer Account ID

  • command (string) –

    [REQUIRED]

    Command to run

    Valid values: get_tuning_for_tagset, get_tuning_for_analytic, get_tuning_for_account_id

  • exclude (string) –

    [REQUIRED]

    Comma separated list of paths to exclude for get_tuning_for_analytic command

  • observation_path (string) –

    [REQUIRED]

    Path or Name of the observation generated by the analytic, defaults to the name of the Analytic

  • path (string) –

    [REQUIRED]

    Path or Name of an analytic or tagset

  • return_values (boolean) –

    [REQUIRED]

    If true return the values of the tagsets, otherwise just return the keys

Returns

None

update_analytic(**kwargs)

Update an analytic

Request Syntax

response = client.update_analytic(
    account_id='string'
    audit_events_limit='integer'
    disable_validation='False|True'
    dry_run='False|True'
    enable_new='False|True'
    explain='False|True'
    handling=[
        'auto_soc_close'|'auto_escalate'|'auto_customer_close'
    ]
    handling_key='string'
    include_audit_events='False|True'
    include_stacktrace='False|True'
    key='string'
    path='string'
    reason='string'
    severity='info'|'low'|'medium'|'high'|'critical'
    severity_key='string'
    sql_field_values={}
    tuning={
        'threshold': 'integer'
    }
    tuning_list={
        'key': 'string',
        'name': 'string',
        'operation': 'add'|'subtract',
        'values': [
            'string'
        ]
    }
    tuning_tagset_key='string'
    tuning_tagset_path='string'
    tuning_tagset_value='string'
    visibility='observation'|'incident'|'test'
    visibility_key='string'
    xtuning=[
        {
            'key': 'string',
            'operation': 'add'|'subtract'|'write'|'delete',
            'path': 'string',
            'type': 'severity'|'visibility'|'threshold'|'handling'|'whitelist'|'blacklist',
            'value': 'list|integer|string'
        }
    ]
)
Parameters
  • account_id (string) –

    [REQUIRED]

    AIMS Account ID

  • audit_events_limit (integer) – Limit the number of audit events to this number

  • disable_validation (boolean) –

    Disable the check that a tuning refers to a tagset referenced by the analytic. Use it when a tuning tagset is not detected as referenced by the analytic.

    Default: False

  • dry_run (boolean) – DRY RUN only

  • enable_new (boolean) –

  • explain (boolean) – Explain how tunings are calculated or updated

  • handling (list) –

    • (string) –

      • auto_soc_close - only controls whether the incident is shown to the SOC; no other behaviour or values are affected.

        If set, the incident bypasses the SOC and becomes available in the Customer Console.

      • auto_escalate - only controls whether the customer receives an email notification; no other behaviour or values are affected.

        If an incident is escalated and becomes SOC-closed, a notification is generated with the escalations flag set to True.

      • auto_customer_close - only controls whether the customer sees the incident as "Closed" in the Customer Console; no other behaviour or values are affected.

        If set, the incident shows in the Customer Console only under the 'Closed' filter.

      Valid values: auto_soc_close, auto_escalate, auto_customer_close

  • handling_key (string) – Handling tagset tuning key. Used to set the tuning tagset value under this key instead of the default incident type. Required when handling is updated and the observation tuning uses a custom key.

  • include_audit_events (boolean) – When set to true returns audit events for the tuning tagsets in the analytic

  • include_stacktrace (boolean) –

  • key (string) – Tuning tagset key, defaults to the analytic name

  • path (string) –

    [REQUIRED]

    Analytic Name

  • reason (string) –

    [REQUIRED]

    Reason for performing the update. This information is used for auditing purposes.

  • severity (string) –

    Severity of an incident

    Valid values: info, low, medium, high, critical

  • severity_key (string) – Severity tagset tuning key. Used to set the tuning tagset value under this key instead of the default incident type. Required when severity is updated and the observation tuning uses a custom key.

  • sql_field_values (dict) – A map of values for SQL fields, example {"bf_protocol":"windows"}

  • tuning (dict) –

    Tuning Parameters. The list of tuning parameters depends on the analytic being tuned. Tunable options can be seen in the tuning_properties property of the analytic object returned by get_analytic.

    • threshold (integer) –

      Example of property name

  • tuning_list (dict) –

    Object to update a tuning with a list of values

    • key (string) –

      Key in the tuning tagset

    • name (string) –

      Name of the tuning tagset

    • operation (string) –

      Name of the Operation

      Valid values: add, subtract

    • values (list) –

      Values to add or remove

      • (string) –

  • tuning_tagset_key (string) –

  • tuning_tagset_path (string) –

  • tuning_tagset_value (string) –

  • visibility (string) –

    Visibility of an incident

    Valid values: observation, incident, test

  • visibility_key (string) – Visibility tagset tuning key. Used to set the tuning tagset value under this key instead of the default incident type. Required when visibility is updated and the observation tuning uses a custom key.

  • xtuning (list) –

    A list of tunings for the analytic.

    For visibility, severity, threshold and handling tunings, when the default tagsets are not used, a tagset path and key can be given explicitly. For whitelist and blacklist tunings a tagset path and key must always be provided. The examples show the forms.

    NOTE: Spaces are not allowed between the items of a list.

    Examples:

    Severity

    • {"type":"severity","value":"low"}

    • {"type":"severity","path":"CustomSeverityMap","key":"windows","value":"low"}

    Visibility to incident

    • {"type":"visibility","value":"incident"}

    • {"type":"visibility","path":"CustomVisibilityMap","key":"windows","value":"incident"}

    Threshold

    • {"type":"threshold","value":100}

    Handling

    • {"type":"handling","operation":"add","value":"auto_soc_close"}

    • {"type":"handling","operation":"subtract","value":"auto_escalate"}

    • {"type":"handling","operation":"add","path":"CustomHandlingMap","key":"windows","value":"auto_soc_close"}

    Whitelist

    • {"type":"whitelist","operation":"add","path":"tuning/SomeWhitelist","key":"windows","value":["1.0.0.0"]}

    • {"type":"whitelist","operation":"subtract","path":"tuning/SomeWhitelist","key":"windows","value":["1.0.0.0","2.0.0.0"]}

    Blacklist

    • {"type":"blacklist","operation":"add","path":"tuning/SomeBlacklist","key":"windows","value":["1.0.0.0"]}

    • {"type":"blacklist","operation":"subtract","path":"tuning/SomeBlacklist","key":"windows","value":["1.0.0.0","2.0.0.0"]}

    To specify more than one tuning, provide them as a list (no spaces between items), for example:

    '[{"type":"severity","value":"high"},{"type":"visibility","value":"incident"},{"type":"threshold","value":"100"}]'

    • (dict) –

      Tuning specification

      • key (string) –

        Explicit tuning tagset key

      • operation (string) –

        Operation to perform

        Valid values: add, subtract, write, delete

      • path (string) –

        Explicit tuning tagset path

      • type (string) –

        Type of the tuning

        Valid values: severity, visibility, threshold, handling, whitelist, blacklist

      • value (string, integer or list) –

        Value: a string, an integer (threshold) or a list of strings (whitelist, blacklist)

Returns

None
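Because each xtuning entry is a small dict with a fixed vocabulary of types, operations and values, it is worth validating the list before it reaches the service, and applying it with dry_run=True before the real write. The script below is an added example, not code from almdrlib or the aetuner service: it checks each tuning against the valid values documented on this page, serialises the list in the space-free form the NOTE above requires for alcli, and wraps update_analytic in a dry-run-then-confirm flow. The rule that path and key must be given together, the confirm callback, the recording client, the analytic name and the whitelist path are this example's own assumptions.

```python
# Added example (not part of almdrlib or the aetuner service docs): build an
# xtuning list for update_analytic, validate it against the valid values
# documented on this page, serialise it for the alcli --xtuning argument, and
# apply it dry-run first.
#
# Assumptions: the dry-run-then-confirm flow, the requirement that path and
# key be given together, and the recording client are this example's own; the
# analytic name and whitelist path are constructed.
import json
from typing import Any, Callable, Dict, List, Optional

TYPES = {"severity", "visibility", "threshold", "handling", "whitelist", "blacklist"}
OPERATIONS = {"add", "subtract", "write", "delete"}
VALUE_SETS = {
    "severity": {"info", "low", "medium", "high", "critical"},
    "visibility": {"observation", "incident", "test"},
    "handling": {"auto_soc_close", "auto_escalate", "auto_customer_close"},
}
LIST_TYPES = {"whitelist", "blacklist"}


def validate_tuning(t: Dict[str, Any]) -> None:
    """Raise ValueError for a tuning dict the documented schema does not allow."""
    ttype = t.get("type")
    if ttype not in TYPES:
        raise ValueError(f"unknown tuning type {ttype!r}")
    if "operation" in t and t["operation"] not in OPERATIONS:
        raise ValueError(f"unknown operation {t['operation']!r}")
    if ("path" in t) != ("key" in t):  # assumed: an explicit tagset needs both
        raise ValueError("path and key must be provided together")
    if ttype in LIST_TYPES and "path" not in t:
        raise ValueError(f"{ttype} tuning requires an explicit tagset path and key")
    value = t.get("value")
    if ttype in VALUE_SETS and (not isinstance(value, str) or value not in VALUE_SETS[ttype]):
        raise ValueError(f"{value!r} is not a valid {ttype} value")
    if ttype == "threshold" and not (isinstance(value, int) or str(value).isdigit()):
        raise ValueError("threshold value must be an integer")
    if ttype in LIST_TYPES and not (isinstance(value, list) and all(isinstance(v, str) for v in value)):
        raise ValueError(f"{ttype} value must be a list of strings")


def to_alcli_json(tunings: List[Dict[str, Any]]) -> str:
    """Serialise for the alcli --xtuning argument with no spaces between items."""
    for t in tunings:
        validate_tuning(t)
    return json.dumps(tunings, separators=(",", ":"))


def apply_tunings(client, account_id: str, path: str, tunings: List[Dict[str, Any]],
                  reason: str, confirm: Callable[[Any], bool]) -> bool:
    """Validate, dry-run, then apply only if confirm() accepts the dry-run result.

    The reason string is what ends up in the audit trail, so an empty one is
    refused here rather than left to the service.
    """
    if not reason.strip():
        raise ValueError("a non-empty audit reason is required")
    for t in tunings:
        validate_tuning(t)
    preview = client.update_analytic(account_id=account_id, path=path, reason=reason,
                                     xtuning=tunings, dry_run=True, explain=True)
    if not confirm(preview):
        return False
    client.update_analytic(account_id=account_id, path=path, reason=reason, xtuning=tunings)
    return True


class RecordingClient:
    """Constructed stand-in for almdrlib.client('aetuner') that records calls."""

    def __init__(self):
        self.calls: List[Dict[str, Any]] = []

    def update_analytic(self, **kwargs) -> Optional[Dict[str, Any]]:
        self.calls.append(kwargs)
        return {"dry_run": kwargs.get("dry_run", False)}  # canned response


# Constructed tunings: raise severity, make the analytic an incident, and
# whitelist one address in an explicit tagset (path and key are illustrative).
EXAMPLE_TUNINGS = [
    {"type": "severity", "value": "high"},
    {"type": "visibility", "value": "incident"},
    {"type": "whitelist", "operation": "add", "path": "tuning/SomeWhitelist",
     "key": "windows", "value": ["1.0.0.0"]},
]

if __name__ == "__main__":
    print(to_alcli_json(EXAMPLE_TUNINGS))
    client = RecordingClient()
    applied = apply_tunings(client, "12345678", "bf_ssh", EXAMPLE_TUNINGS,
                            "CHG-0001: tune per SOC review", confirm=lambda preview: True)
    print("applied:", applied, "calls:", len(client.calls))
```

With a real client, pass a confirm callback that prints the dry-run response and asks the operator; the validator also rejects the swapped severity/visibility values that are easy to produce when editing these dicts by hand.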

update_incident_handling(**kwargs)

Set Incident Type handling setting

Request Syntax

response = client.update_incident_handling(
    account_id='string'
    path='string'
    reason='string'
    setting=[
        'auto_soc_close'|'auto_escalate'|'auto_customer_close'
    ]
)
Parameters
  • account_id (string) –

    [REQUIRED]

    AIMS Account ID

  • path (string) –

    [REQUIRED]

    Incident Type Fully Qualified Name

  • reason (string) –

    [REQUIRED]

    Reason for a change

  • setting (list) –

    [REQUIRED]

    • (string) –

      • auto_soc_close - only controls whether the incident is shown to the SOC; no other behaviour or values are affected.

        If set, the incident bypasses the SOC and becomes available in the Customer Console.

      • auto_escalate - only controls whether the customer receives an email notification; no other behaviour or values are affected.

        If an incident is escalated and becomes SOC-closed, a notification is generated with the escalations flag set to True.

      • auto_customer_close - only controls whether the customer sees the incident as "Closed" in the Customer Console; no other behaviour or values are affected.

        If set, the incident shows in the Customer Console only under the 'Closed' filter.

      Valid values: auto_soc_close, auto_escalate, auto_customer_close

Return type

dict

Returns

Response Syntax

{
    'stored': 'string'
}

Response Definitions

  • stored (uuid) –

    UUID of the stored record

update_incident_type(**kwargs)

Update Incident Type properties

Request Syntax

response = client.update_incident_type(
    account_id='string'
    path='string'
    reason='string'
    severity='info'|'low'|'medium'|'high'|'critical'
    visibility='observation'|'incident'|'test'
)
Parameters
  • account_id (string) –

    [REQUIRED]

    AIMS Account ID

  • path (string) –

    [REQUIRED]

    Incident Type Fully Qualified Name

  • reason (string) –

    [REQUIRED]

    Reason for a change

  • severity (string) –

    Severity of an incident

    Valid values: info, low, medium, high, critical

  • visibility (string) –

    Visibility of an incident

    Valid values: observation, incident, test

Returns

None

update_tagset(**kwargs)

Update a tagset

Request Syntax

response = client.update_tagset(
    account_id='string'
    audit_events_limit='integer'
    dry_run='False|True'
    explain='False|True'
    include_audit_events='False|True'
    key='string'
    path='string'
    reason='string'
    xtuning=[
        {
            'key': 'string',
            'operation': 'add'|'subtract'|'write'|'delete',
            'path': 'string',
            'type': 'severity'|'visibility'|'threshold'|'handling'|'whitelist'|'blacklist',
            'value': 'list|integer|string'
        }
    ]
)
Parameters
  • account_id (string) –

    [REQUIRED]

    AIMS Account ID

  • audit_events_limit (integer) – Limit of audit events to include

  • dry_run (boolean) – DRY RUN only

  • explain (boolean) – Explain how tunings are calculated or updated

  • include_audit_events (boolean) – Include audit events

  • key (string) – Key in the tagset

  • path (string) – Name of a tagset

  • reason (string) –

    [REQUIRED]

    Reason for performing the update. This information is used for auditing purposes.

  • xtuning (list) –

    A list of tunings to apply to the tagset.

    For visibility, severity, threshold and handling tunings, when the default tagsets are not used, a tagset path and key can be given explicitly. For whitelist and blacklist tunings a tagset path and key must always be provided. The examples show the forms.

    NOTE: Spaces are not allowed between the items of a list.

    Examples:

    Severity

    • {"type":"severity","value":"low"}

    • {"type":"severity","path":"CustomSeverityMap","key":"windows","value":"low"}

    Visibility to incident

    • {"type":"visibility","value":"incident"}

    • {"type":"visibility","path":"CustomVisibilityMap","key":"windows","value":"incident"}

    Threshold

    • {"type":"threshold","value":100}

    Handling

    • {"type":"handling","operation":"add","value":"auto_soc_close"}

    • {"type":"handling","operation":"subtract","value":"auto_soc_close"}

    • {"type":"handling","operation":"add","path":"CustomHandlingMap","key":"windows","value":"auto_soc_close"}

    Whitelist

    • {"type":"whitelist","operation":"add","path":"tuning/SomeWhitelist","key":"windows","value":["1.0.0.0"]}

    • {"type":"whitelist","operation":"subtract","path":"tuning/SomeWhitelist","key":"windows","value":["1.0.0.0","2.0.0.0"]}

    Blacklist

    • {"type":"blacklist","operation":"add","path":"tuning/SomeBlacklist","key":"windows","value":["1.0.0.0"]}

    • {"type":"blacklist","operation":"subtract","path":"tuning/SomeBlacklist","key":"windows","value":["1.0.0.0","2.0.0.0"]}

    To specify more than one tuning, provide them as a list (no spaces between items), for example:

    '[{"type":"severity","value":"high"},{"type":"visibility","value":"incident"},{"type":"threshold","value":"100"}]'

    • (dict) –

      Tuning specification

      • key (string) –

        Explicit tuning tagset key

      • operation (string) –

        Operation to perform

        Valid values: add, subtract, write, delete

      • path (string) –

        Explicit tuning tagset path

      • type (string) –

        Type of the tuning

        Valid values: severity, visibility, threshold, handling, whitelist, blacklist

      • value (string, integer or list) –

        Value: a string, an integer (threshold) or a list of strings (whitelist, blacklist)

Returns

None