Msticpy

Latest version: v2.14.0


2.14.0

User Session Configuration
Do you always have one or more data providers or other components that you need to load for every notebook you create?
I do, and got a bit fed up with typing the same lines of code over and over again.

User session configuration lets you specify which providers are loaded, whether or not to connect and which parameters
to supply at load and connect time. You put all of this into a straightforward YAML file and load it using the following:
```python
import msticpy as mp  # you likely will already be doing this
mp.init_notebook()    # and this

# if you have an "mp_user_session.yaml" in the current directory you can skip the parameter
mp.load_user_session("my_config.yaml")
```

This example shows the structure of the YAML:
```yaml
QueryProviders:
  qry_prov_sent:
    DataEnvironment: MSSentinel
    InitArgs:
      debug: True
    Connect: True
    ConnectArgs:
      workspace: MySoc
      auth_methods: ['cli', 'device_code']
  qry_prov_md:
    DataEnvironment: M365D
Components:
  mssentinel:
    Module: msticpy.context.azure
    Class: MicrosoftSentinel
    InitArgs:
    Connect: True
    ConnectArgs:
      workspace: MySoc
      auth_methods: ['cli', 'device_code']
```

The providers/components created (e.g. `qry_prov_sent` in this example)
are published back to your notebook Python namespace, so you'll see
these available as variables ready to use.

This configuration file is equivalent to the following code:
```python
qry_prov_sent = mp.QueryProvider("MSSentinel")
qry_prov_sent.connect(workspace="MySoc", auth_methods=['cli', 'device_code'])
qry_prov_md = mp.QueryProvider("M365D")

from msticpy.context.azure import MicrosoftSentinel
mssentinel = MicrosoftSentinel()
mssentinel.connect(workspace="MySoc", auth_methods=['cli', 'device_code'])
```

Not a huge saving, on the face of it, but if you create a lot of notebooks or want to use
msticpy in an automation scenario, it can be very helpful.
Include a `verbose=True` parameter to `load_user_session` to see more detailed logging of what is going on.
[See the full documentation here](https://msticpy.readthedocs.io/en/latest/getting_started/UserSessionConfig.html)
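A pre-flight check you can run on a session file before handing it to `load_user_session`. This is an added example, not msticpy's own loader: it walks the `QueryProviders`/`Components` structure above, reports entries the loader could not build, and flags connect parameters that look like secrets written inline rather than as `EnvironmentVar`/`KeyVault` references (the reference forms msticpy's `Args` sections accept). `SECRET_KEYS`, `validate_user_session` and the sample document are constructed for the example; feed it the dict returned by `yaml.safe_load` on your own file.

```python
"""Pre-flight check for an msticpy user-session config (added example, not
msticpy's own loader). It walks the QueryProviders/Components structure shown
above, reports entries load_user_session could not build, and flags connect
parameters that look like secrets written inline instead of as EnvironmentVar
or KeyVault references. SECRET_KEYS and the sample document are constructed."""

SECRET_KEYS = {"client_secret", "password", "token", "api_key"}

SAMPLE_SESSION = {  # constructed: the YAML above plus one misconfigured entry
    "QueryProviders": {
        "qry_prov_sent": {"DataEnvironment": "MSSentinel"},
        "qry_prov_bad": {  # ConnectArgs without Connect, and an inline secret
            "DataEnvironment": "MSSentinel",
            "ConnectArgs": {"client_id": "app-id-placeholder", "client_secret": "inline-secret"},
        },
    },
    "Components": {
        "mssentinel": {
            "Module": "msticpy.context.azure",
            "Class": "MicrosoftSentinel",
            "InitArgs": None,  # the empty InitArgs key from the YAML above
            "Connect": True,
            "ConnectArgs": {"workspace": "MySoc"},
        },
    },
}

def _check_connect(path, spec, problems):
    args = spec.get("ConnectArgs") or {}
    if args and spec.get("Connect") is not True:
        problems.append(f"{path}: ConnectArgs given but Connect is not True")
    for key, value in args.items():
        # a bare string under a secret-like key is an inline credential; a dict value is a reference
        if key.lower() in SECRET_KEYS and isinstance(value, str):
            problems.append(f"{path}.ConnectArgs.{key}: secret stored inline")

def validate_user_session(doc):
    """Return a list of problem strings; an empty list means the config is clean."""
    problems = []
    for name, spec in (doc.get("QueryProviders") or {}).items():
        spec = spec if isinstance(spec, dict) else {}
        if "DataEnvironment" not in spec:
            problems.append(f"QueryProviders.{name}: missing DataEnvironment")
        _check_connect(f"QueryProviders.{name}", spec, problems)
    for name, spec in (doc.get("Components") or {}).items():
        spec = spec if isinstance(spec, dict) else {}
        problems += [f"Components.{name}: missing {k}" for k in ("Module", "Class") if k not in spec]
        _check_connect(f"Components.{name}", spec, problems)
    return problems
```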

Maxmind GeoIPLite fix

Sometime recently (not too sure when) Maxmind changed their download procedure to use
a different URL and authentication mechanism. This was causing auto-update to fail. To use
the new mechanism you need to get your Maxmind User Account ID (login and look at your
account properties) and add that to your `msticpyconfig.yaml` as shown below.
```yaml
OtherProviders:
  GeoIPLite:
    Args:
      AccountID: "1234567"
      AuthKey:
        EnvironmentVar: "MAXMIND_AUTH"
      DBFolder: "~/.msticpy"
    Provider: "GeoLiteLookup"
```


Extract nested dictionaries from pandas column to multiple rows/columns

pioneerHitesh has added this as a new method in the `mp_pivot` pandas extension:
```python
data_df.mp_pivot.dict_to_dataframe(col="my_nested_column")
```

It returns a dataframe with the column recursively expanded:
- lists become new rows
- dictionaries become new columns

So a column with the following structure:


| | NCol |
|---:|:-------------------------------------------------------------|
| 0 | {'A': ['A1', 'A2', 'A3'], 'B': {'B1': 'B1-1', 'B2': 'B2-1'}} |
| 1 | {'A': ['A3', 'A4', 'A5'], 'B': {'B3': 'B3-1', 'B4': 'B4-1'}} |


```python
my_df = src_df.mp_pivot.dict_to_dataframe(col="NCol")
my_df
```

Would be unpacked to:

| | A.0 | A.1 | A.2 | B.B1 | B.B2 | B.B3 | B.B4 |
|---:|:------|:------|:------|:-------|:-------|:-------|:-------|
| 0 | A1 | A2 | A3 | B1-1 | B2-1 | nan | nan |
| 1 | A3 | A4 | A5 | nan | nan | B3-1 | B4-1 |
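The same unpacking in pure Python, as an added example (not msticpy's `dict_to_dataframe`, which works on a pandas column). Nested dicts become dotted column names and list items are numbered by position, so the two `NCol` values from the first table give the `A.0` .. `B.B4` columns of the second; `flatten`, `unpack_column` and `SAMPLE_ROWS` are constructed for the example, and `None` stands in where the table shows `nan`.

```python
"""Pure-Python equivalent of the unpacking shown in the table above (added
example, not msticpy's dict_to_dataframe). Nested dicts become dotted column
names and list items are numbered by position, so the two NCol values below
(constructed from the first table) yield columns A.0 .. B.B4, with None
where the table shows nan."""

SAMPLE_ROWS = [  # constructed: the NCol column from the table above
    {"A": ["A1", "A2", "A3"], "B": {"B1": "B1-1", "B2": "B2-1"}},
    {"A": ["A3", "A4", "A5"], "B": {"B3": "B3-1", "B4": "B4-1"}},
]


def flatten(value, prefix=""):
    """Recursively expand dicts and lists into a flat {dotted_name: scalar} dict."""
    if isinstance(value, dict):
        children = [(str(key), child) for key, child in value.items()]
    elif isinstance(value, list):
        children = [(str(idx), child) for idx, child in enumerate(value)]
    else:
        return {prefix: value}
    out = {}
    for name, child in children:
        out.update(flatten(child, f"{prefix}.{name}" if prefix else name))
    return out


def unpack_column(rows):
    """Return (columns, records): column names in first-seen order and one dict
    per input row, with None for columns that row does not have."""
    flat = [flatten(row) for row in rows]
    columns = []
    for record in flat:
        for name in record:
            if name not in columns:
                columns.append(name)
    return columns, [{col: record.get(col) for col in columns} for record in flat]
```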


What's Changed
* Authentication module unit test by ianhelle in https://github.com/microsoft/msticpy/pull/800
* Use sessions config and GeoIP download failure by ianhelle in https://github.com/microsoft/msticpy/pull/801
* Added Inbuilt function to extract nested JSON by pioneerHitesh in https://github.com/microsoft/msticpy/pull/798
* Add max retry parameter to the execution prevent HTTP 429 by vx3r in https://github.com/microsoft/msticpy/pull/802

New Contributors
* pioneerHitesh made their first contribution in https://github.com/microsoft/msticpy/pull/798
* vx3r made their first contribution in https://github.com/microsoft/msticpy/pull/802

**Full Changelog**: https://github.com/microsoft/msticpy/compare/v2.13.1...v2.14.0

2.13.1

We introduced a bug in azure_auth_core that caused Azure authentication to fail.

What's Changed
* Provider and lookup typing by FlorianBracq in https://github.com/microsoft/msticpy/pull/795
* Fix for bug in azure_core_auth that fails authentication by ianhelle in https://github.com/microsoft/msticpy/pull/799


**Full Changelog**: https://github.com/microsoft/msticpy/compare/v2.13.0...v2.13.1

2.13.0

We've been quietly doing some work to introduce LLM/GPT/AI capabilities into msticpy.
EileenG02 has helped us in that direction by building a document Q&A agent using Autogen.

You can try it out in a notebook using the following:

Load the magic extension:

```ipython
%load_ext msticpy.aiagents.mp_docs_rag_magic
```

Ask a question in a separate cell using the `%%ask` cell magic:

```ipython
%%ask
What are the three things that I need to connect to Azure Query Provider?
```


Awesome work EileenG02!

There's also a new TI provider for BinaryEdge courtesy of petebryan.

Alongside this there have been quite a few contributions to fix and improve things like:
- Splunk improvements (thanks Tatsuya-hasegawa)
- Fixes for Sentinel provider get_alert_rules to use updated API (thanks BWC-TomW)
- A massive amount of type annotation work and fixes to context/TI providers by FlorianBracq
- Miscellaneous fixes to things like the Sentinel TI provider, an MSSentinel tidy-up to handle parameters more consistently,
and replacing the term CountryName with CountryOrRegionName in geolocation contexts.

The gory details of the PRs follow:

What's Changed
* Add extra tests and fixes to QueryProvider, DriverBase and (as)sync query handling by FlorianBracq in https://github.com/microsoft/msticpy/pull/777
* Fix incorrect ref to ip_utils module in docs by ianhelle in https://github.com/microsoft/msticpy/pull/779
* Fix some deprecation warnings by FlorianBracq in https://github.com/microsoft/msticpy/pull/781
* Fixing np.NaN error and build warnings by ianhelle in https://github.com/microsoft/msticpy/pull/785
* Removing data matching AV signatures by ianhelle in https://github.com/microsoft/msticpy/pull/786
* Create codeql_updated.yml by ianhelle in https://github.com/microsoft/msticpy/pull/787
* Update black requirement from <24.0.0,>=20.8b1 to >=20.8b1,<25.0.0 by dependabot in https://github.com/microsoft/msticpy/pull/742
* Update docutils requirement from <0.20.0 to <0.22.0 by dependabot in https://github.com/microsoft/msticpy/pull/768
* Add upload data styles to Splunk uploader by Tatsuya-hasegawa in https://github.com/microsoft/msticpy/pull/776
* Added BinaryEdge provider by petebryan in https://github.com/microsoft/msticpy/pull/780
* Update sentinel_analytics.py to update get_alert_rules to use new API version by BWC-TomW in https://github.com/microsoft/msticpy/pull/789
* Fixing MSSentinel to obey parameters by ianhelle in https://github.com/microsoft/msticpy/pull/791
* Add Autogen and RAG Agent to MSTICpy by EileenG02 in https://github.com/microsoft/msticpy/pull/793
* Update TILookup and ContextLookup by FlorianBracq in https://github.com/microsoft/msticpy/pull/794
* Fix sentinel TI provider by ianhelle in https://github.com/microsoft/msticpy/pull/797
* Updating CountryName to CountryOrRegionName by ianhelle in https://github.com/microsoft/msticpy/pull/796

New Contributors
* BWC-TomW made their first contribution in https://github.com/microsoft/msticpy/pull/789
* EileenG02 made their first contribution in https://github.com/microsoft/msticpy/pull/793

**Full Changelog**: https://github.com/microsoft/msticpy/compare/v2.12.0...v2.13.0

2.12.0

Sentinel updates
WorkspaceConfig and the Sentinel QueryProvider (azure_monitor_driver) have had a few updates:
- handle both old (Kqlmagic) and standard connection string formats in WorkspaceConfig
- removing a lot of legacy code from WorkspaceConfig
- Allow additional connection parameters to be passed to the MSSentinel QueryProvider (e.g. you can now supply
authentication parameters such as "client_id" and "client_secret" to `query_provider.connect()`)
- `msticpyconfig.yaml` now supports using an "MSSentinel" key in place of "AzureSentinel"
- Workspace entries in msticpyconfig.yaml support an `Args` subkey, where you can add authentication parameters - these will be supplied to the `connect()` method if not overridden on the command line. Like Args sections for other providers, the values here can be text or references to environment variables or Azure Key Vault secrets.
- Fix to MSSentinel API update_incident to add full properties

Splunk Updates
- Added jwt authentication token expiry check.

Other fixes
Fix for vtlookup3.py
- Fixed a problematic way of using nest_asyncio - this was causing failures when run from a langchain agent.
Fix for lookup/tilookup
- If the progress parameter was not passed it would still try to cancel a non-existent progress task and cause an exception.
QueryProviders
- Fix split query time-ranges calculation - thanks to pjain90 for spotting this.

What's Changed
* Set up CI with 1ES Azure Pipelines by ianhelle in https://github.com/microsoft/msticpy/pull/763
* Update ws_config to handle kqlmagic connection strings by ianhelle in https://github.com/microsoft/msticpy/pull/767
* Fix split query time-ranges calculation by ianhelle in https://github.com/microsoft/msticpy/pull/762
* Add support for ruff and u/p devcontainer by ianhelle in https://github.com/microsoft/msticpy/pull/765
* Add jwt auth token expire check and modify some messages when connecting Splunk by Tatsuya-hasegawa in https://github.com/microsoft/msticpy/pull/770
* WSConfig updates by ianhelle in https://github.com/microsoft/msticpy/pull/771
* Pass `true` for props into `_build_sent_data` when calling `update_incident` by kylelol in https://github.com/microsoft/msticpy/pull/774
* Changing cert thumbprint from Sha1 to Sha256 in Az Kusto driver by ianhelle in https://github.com/microsoft/msticpy/pull/775

New Contributors
* kylelol made their first contribution in https://github.com/microsoft/msticpy/pull/774
* pjain90 made their first contribution in https://github.com/microsoft/msticpy/pull/762

**Full Changelog**: https://github.com/microsoft/msticpy/compare/v2.11.0...v2.12.0

2.11.0

This is a minor release mainly to add a warning for Kusto/Sentinel queries that return partial results.
A close friend of MSTICPy (thx Cyb3r-Monk) had spotted that MSTICPy does not report partial results when doing split queries so it's possible to lose data from the query range silently.

Due to an unfortunate admin error, the fix for this was committed direct to main, so no PR for this is available. :-(

If you want the query to fail (throw an exception) rather than just warn you can supply a new parameter `fail_if_partial`.
This only affects the Sentinel query provider and works for standard as well as split queries.

NOTE: the documentation has a typo and calls this `fail_on_commit` - we'll fix that in the next release to support both `fail_if_partial` and `fail_on_partial`

Example

```python
qry_prov.exec_query(query_string, fail_if_partial=True)
```



What's Changed
* Missing PR for partial query warning and fixes for pandas deprecation warnings [See the diff for changes](https://github.com/microsoft/msticpy/compare/d1c0912b1bf6b2388fdb92193e8ae5a500549172...90bcd24a2a0230e8a189e6d607e3fb46f2226d66)
* Fixing group.apply for pandas < 2.2.1 by ianhelle in https://github.com/microsoft/msticpy/pull/759
* Added missing quotation in code block by ryan-aus in https://github.com/microsoft/msticpy/pull/753
* Bump httpx from 0.25.2 to 0.27.0 by dependabot in https://github.com/microsoft/msticpy/pull/754
* Bump readthedocs-sphinx-ext from 2.2.3 to 2.2.5 by dependabot in https://github.com/microsoft/msticpy/pull/743
* Updated conda reqs files for new packages by ianhelle in https://github.com/microsoft/msticpy/pull/758
* Build break fix for splunk SDK by ianhelle in https://github.com/microsoft/msticpy/pull/760

New Contributors
* ryan-aus made their first contribution in https://github.com/microsoft/msticpy/pull/753

**Full Changelog**: https://github.com/microsoft/msticpy/compare/v2.10.0...v2.11.0

2.10.0

What's Changed
* Add nest_asyncio to run threaded queries by FlorianBracq in https://github.com/microsoft/msticpy/pull/737
* Bump sphinx-rtd-theme from 1.3.0 to 2.0.0 by dependabot in https://github.com/microsoft/msticpy/pull/738
* Bump httpx from 0.25.0 to 0.25.2 by dependabot in https://github.com/microsoft/msticpy/pull/736
* Adding Virus Total Search Capabilities by secops-account in https://github.com/microsoft/msticpy/pull/739
* Add security token auth and credential loading from msticpyconfig.yaml to SplunkUploader by Tatsuya-hasegawa in https://github.com/microsoft/msticpy/pull/731
* fix: updated _get_query_status in the azure monitor driver by aka0 in https://github.com/microsoft/msticpy/pull/745
* Added M365DGraph to the supported environments for existing queries by d3vzer0 in https://github.com/microsoft/msticpy/pull/748
* Small Typo correction in SentinelWatchlists.rst by Korving-F in https://github.com/microsoft/msticpy/pull/746
* Fix ibm_xforce TI provider for domain names and URLs by pcoccoli in https://github.com/microsoft/msticpy/pull/749
* Update python-package.yml by ianhelle in https://github.com/microsoft/msticpy/pull/750
* Ianhelle/aml updates 2024 01 31 by ianhelle in https://github.com/microsoft/msticpy/pull/751
* Ianhelle/warning fixes 2024 02 11 by ianhelle in https://github.com/microsoft/msticpy/pull/752

New Contributors
* secops-account made their first contribution in https://github.com/microsoft/msticpy/pull/739
* aka0 made their first contribution in https://github.com/microsoft/msticpy/pull/745
* Korving-F made their first contribution in https://github.com/microsoft/msticpy/pull/746
* pcoccoli made their first contribution in https://github.com/microsoft/msticpy/pull/749

**Full Changelog**: https://github.com/microsoft/msticpy/compare/v2.9.0...v2.10.0
