Msticpy

Latest version: v2.14.0

Page 2 of 15

2.9.0

Some of the highlights of this release:

IPQualityScore
New TI provider submitted by petebryan - provides a lot of interesting stats on IPs.

Defender Advanced Hunting API
Thanks to d3vzer0, our MS Defender client is now able to use the supported Graph-based API rather than the legacy
APIs. To use this, for the moment, use the DataEnvironment name `M365DGraph` when you create
the query provider. In the next 0.x release we will switch the other aliases for M365D, MDE and MDATP to use this
new interface and deprecate the existing ones.

Startup errors when running in unexpected environments.
`init_notebook` made some (incorrect) assumptions about when it would be running in a Synapse environment.
Azure Machine Learning has recently changed its default compute to be a Synapse environment.
The fixes here correct failures due to faulty detection of the environment type.

Startup fixes and perf improvements
We've optimized some of the imports done within the package at startup so msticpy should be quicker to
load.

Azure env credentials fix
Although we previously supported the Azure EnvironmentCredential credential type, our implementation allowed
you to use it only with ClientID + ClientSecret. The changes allow it to be used with the other supported
credential formats, notably username + password and certificate authentication using a certificate file.
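To make the three credential formats concrete, here is a small pre-flight helper (an added example, not msticpy code) that reports which EnvironmentCredential form the current environment variables satisfy. The variable names and the precedence (client secret, then certificate file, then username + password) are the ones documented for azure-identity's `EnvironmentCredential`; the helper functions themselves are this example's own. It reports variable names only, never their values, so it is safe to run in a shared notebook.

```python
"""Report which Azure EnvironmentCredential form the environment satisfies.

Added example, not msticpy code. The variable sets below are the ones
azure-identity reads for EnvironmentCredential, checked in the order the
library uses; the helper functions are this example's own.
"""
import os
from typing import List, Mapping, Optional

# (form name, environment variables that must all be set for that form)
_FORMS = (
    ("client_secret", ("AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET")),
    ("certificate", ("AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_CERTIFICATE_PATH")),
    ("username_password", ("AZURE_CLIENT_ID", "AZURE_USERNAME", "AZURE_PASSWORD")),
)


def environment_credential_form(env: Optional[Mapping[str, str]] = None) -> Optional[str]:
    """Return the first credential form that `env` fully satisfies, or None.

    Checking in library order means the answer is the form EnvironmentCredential
    would actually pick if variables for several forms are present at once.
    """
    env = os.environ if env is None else env
    for form, required in _FORMS:
        if all(env.get(name) for name in required):
            return form
    return None


def missing_variables(form: str, env: Optional[Mapping[str, str]] = None) -> List[str]:
    """List the variable *names* still unset for a requested form (values are never returned)."""
    env = os.environ if env is None else env
    required = dict(_FORMS).get(form)
    if required is None:
        raise ValueError(f"unknown credential form: {form}")
    return [name for name in required if not env.get(name)]


if __name__ == "__main__":
    # Constructed sample environment with placeholder values (not real credentials).
    cert_env = {
        "AZURE_TENANT_ID": "00000000-0000-0000-0000-000000000000",
        "AZURE_CLIENT_ID": "11111111-1111-1111-1111-111111111111",
        "AZURE_CLIENT_CERTIFICATE_PATH": "/secrets/app-cert.pem",
    }
    print(environment_credential_form(cert_env))
    print(missing_variables("username_password", cert_env))
```

Run it before `connect()` when a notebook fails to authenticate with an environment credential: an unexpected form (for example a leftover `AZURE_CLIENT_SECRET` overriding the certificate you intended) shows up immediately.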

Improvements to Entities
Although these are not visible to most people, we try to keep our Entity definitions in sync with the official
Microsoft "V3" entity definitions. We've added a few entity types and updated some of the attributes
to bring this in line, while still allowing backwards compatible attributes to be used.

What's Changed
* Ianhelle/entity updates 2023 09 01 by ianhelle in https://github.com/microsoft/msticpy/pull/718
* Ianhelle/lazy-import-init-2023-09-26 by ianhelle in https://github.com/microsoft/msticpy/pull/717
* Fix Azure env credential authentication by ianhelle in https://github.com/microsoft/msticpy/pull/722
* Update documentation for installing in isolated env by ccianelli22 in https://github.com/microsoft/msticpy/pull/724
* Bump isort to 5.12.0 in pre-commit config by 2xyo in https://github.com/microsoft/msticpy/pull/723
* Remove stack trace from logging by FlorianBracq in https://github.com/microsoft/msticpy/pull/729
* fix: init_notebook and entities by ianhelle in https://github.com/microsoft/msticpy/pull/730
* Fix time span values by FlorianBracq in https://github.com/microsoft/msticpy/pull/728
* Added additional DataProvider for Advanced Hunting via Graph by d3vzer0 in https://github.com/microsoft/msticpy/pull/725
* Allow POST HTTP method by 2xyo in https://github.com/microsoft/msticpy/pull/726
* Bump readthedocs-sphinx-ext from 2.2.2 to 2.2.3 by dependabot in https://github.com/microsoft/msticpy/pull/716
* Added new TI Provider - IPQualityScore by petebryan in https://github.com/microsoft/msticpy/pull/733

New Contributors
* 2xyo made their first contribution in https://github.com/microsoft/msticpy/pull/723

**Full Changelog**: https://github.com/microsoft/msticpy/compare/v2.8.0...v2.9.0

2.8.0

A few bugs had crept in over the last couple of releases: some due to buggy coding, some due to the world moving forward. So, many items in this release are to address these.

Among the feature improvements are the following:
* Documentation and scripts from ccianelli22 for creating an MSTICPy install for use in isolated (no Internet) environments. This is super useful for customers operating in sovereign clouds or other air-gapped high-security environments.
* Added Splunk authentication method using security token rather than username/password - thanks Tatsuya-hasegawa
* Query yaml file validation by FlorianBracq
* Paging for large CyberReason queries by FlorianBracq
* Modern method to obtain cloud-specific URL endpoints for Azure services. Previously, we were relying on msrestazure, which is now deprecated for this purpose. Many thanks to ccianelli22 for the work to do this.
* Fix (by me) for a bug I'd introduced with the switch to using Azure-monitor-query library for MS Sentinel. When using a connection string with this new driver, the logic failed to parse and extract details from this correctly. Many thanks to cindraw for reporting this bug.


What's Changed
* Update mde_proc_pub.pkl by FlorianBracq in https://github.com/microsoft/msticpy/pull/709
* Update Introduction.rst by praveenjutur in https://github.com/microsoft/msticpy/pull/700
* Update methodology of getting endpoints for cloud environment by ccianelli22 in https://github.com/microsoft/msticpy/pull/704
* Validation of the YAML structure of query files by FlorianBracq in https://github.com/microsoft/msticpy/pull/660
* Intsights api update by FlorianBracq in https://github.com/microsoft/msticpy/pull/710
* Fix m365d/mde hunting query options by Tatsuya-hasegawa in https://github.com/microsoft/msticpy/pull/702
* Cybereason pagination support + multi-threading by FlorianBracq in https://github.com/microsoft/msticpy/pull/707
* Add bearer token auth to splunk driver by Tatsuya-hasegawa in https://github.com/microsoft/msticpy/pull/708
* fix wl bug when creating a new wl when wl count is 0 by ccianelli22 in https://github.com/microsoft/msticpy/pull/719
* Update installation docs to include installation for isolated envs by ccianelli22 in https://github.com/microsoft/msticpy/pull/715
* Fixing regular expression error for connection string in WorkspaceConfig by ianhelle in https://github.com/microsoft/msticpy/pull/706
* Fix documentation formatting, update steps for downloading msticpy by ccianelli22 in https://github.com/microsoft/msticpy/pull/720

New Contributors
* praveenjutur made their first contribution in https://github.com/microsoft/msticpy/pull/700
* ccianelli22 made their first contribution in https://github.com/microsoft/msticpy/pull/704

**Full Changelog**: https://github.com/microsoft/msticpy/compare/v2.7.0...v2.8.0

2.8.0.pre1

Updated method to dynamically fetch Azure endpoints (rather than relying on deprecated msrestazure).
Updated version of the IntSights data provider

2.7.0

More detailed release notes are in the full release.

Main Changes

Two new TI Providers:
* CrowdSec (thanks to sbs2001)
* AbuseIPDB (thanks to rrevuelta)

Updated Data providers for Sentinel/Azure Monitor/Log Analytics and Kusto/Azure Data Explorer
These were introduced in v2.5.0 but are now the default drivers for these providers.

Query Editor
ipywidgets-based query template editor. This is somewhat provisional, so please be sure to test and
report bugs.

Updates to Authentication, especially for the AzureData and MicrosoftSentinel API modules
- You can now authenticate by supplying an AzureCredential as a `credential` parameter
- The connect methods for these support a `cloud` parameter to specify different sovereign clouds
- The init and connect methods are instrumented with logging to help debug issues:

```python
import msticpy as mp
from msticpy.context.azure.sentinel_core import MicrosoftSentinel

# Raise the logging level so the init and connect steps report what they do
mp.set_logging_level("INFO")
mssentinel = MicrosoftSentinel()
mssentinel.connect()
```


Other items
- MS Sentinel delete watchlist API added by mbabinski
- Splunk fixes added by Tatsuya-hasegawa

What's Changed
* Add CrowdSec TIProvider by sbs2001 in https://github.com/microsoft/msticpy/pull/673
* Added delete_watchlist_item method by mbabinski in https://github.com/microsoft/msticpy/pull/682
* Update pandas requirement from <2.0.0,>=1.4.0 to >=1.4.0,<3.0.0 by dependabot in https://github.com/microsoft/msticpy/pull/653
* Bump sphinx from 6.1.3 to 7.1.0 by dependabot in https://github.com/microsoft/msticpy/pull/686
* Add AbuseIPDB TIProvider by rrevuelta in https://github.com/microsoft/msticpy/pull/687
* Typo corrections in queries by ianhelle in https://github.com/microsoft/msticpy/pull/684
* Ianhelle/query editor 2023 04 21 by ianhelle in https://github.com/microsoft/msticpy/pull/685
* Few fix splunk driver by Tatsuya-hasegawa in https://github.com/microsoft/msticpy/pull/688
* Ianhelle/mssentinel auth 2023 08 01 by ianhelle in https://github.com/microsoft/msticpy/pull/690
* Updating timeline docs to prioritize pd accessors by ianhelle in https://github.com/microsoft/msticpy/pull/691
* Fix splunk uploader create index option by Tatsuya-hasegawa in https://github.com/microsoft/msticpy/pull/692
* v2.7.0 - changing new kql/sentinel drivers to be defaults by ianhelle in https://github.com/microsoft/msticpy/pull/696

New Contributors
* sbs2001 made their first contribution in https://github.com/microsoft/msticpy/pull/673
* mbabinski made their first contribution in https://github.com/microsoft/msticpy/pull/682

**Full Changelog**: https://github.com/microsoft/msticpy/compare/v2.6.0...v2.7.0.pre1

2.7.0.pre1

2.6.0

The three big changes in this release are:
* Executing MS Sentinel and Kusto queries in parallel across multiple instances
* Threaded (parallel) execution of time-split queries
* Addition of data provider to query local (exported) Velociraptor logs

Many thanks to d3vzer0 for inspiration and early work on the threaded query feature.
Many thanks to juju4 for inspiration and work on the Velociraptor support.

Support for running a query across multiple connections (with optional threaded operation)

It is common for data services to be spread across multiple tenants or workloads. E.g., multiple Sentinel workspaces,
Microsoft Defender subscriptions or Splunk instances. You can use the MSTICPy `QueryProvider` to run a query across multiple connections and return the results in a single DataFrame.

To create a multi-instance provider:
* Create an instance of a QueryProvider for your data source and execute the `connect()` method to connect to the first instance of your data service.
* Then use the `add_connection()` method to add each additional instance connection. It takes the same parameters as the `connect()` method (which vary by data provider).

`add_connection()` also supports an `alias` parameter so that you can refer to the connection by a friendly name.

```python
from msticpy.data import QueryProvider

qry_prov = QueryProvider("MSSentinel")
qry_prov.connect(workspace="Workspace1")
# add_connection takes the same parameters as connect, plus an optional alias
qry_prov.add_connection(workspace="Workspace2", alias="Workspace2")
qry_prov.list_connections()
```


When you now run a query for this provider, the query will be run on all of the connections and the results will be returned as a single DataFrame.

```python
test_query = '''
SecurityAlert
| take 5
'''

# Runs against every connection; results are concatenated into one DataFrame
query_test = qry_prov.exec_query(query=test_query)
query_test.head()
```


Some of the MSTICPy drivers support asynchronous execution of queries against multiple instances, so that the time taken to run the query is much reduced compared to running the queries sequentially. Drivers that support asynchronous queries will use this automatically. The initial set of multi-threaded drivers are:
- MSSentinel_New (the new version of the MSSentinel driver)
- Kusto_New (the new version of the Kusto/Azure Data Explorer driver)

By default, the queries will use at most 4 concurrent threads. You can override this by initializing the QueryProvider with the
`max_threads` parameter set to the number of threads you want, although you should be cautious
about using too many simultaneous connections because of the potential impact on cluster performance.

```python
qry_prov = QueryProvider("MSSentinel", max_threads=10)
```


Multi-threaded support for split/sharded queries

MSTICPy has supported splitting large queries by time-slice for a while. This is documented here [Splitting a Query into time chunks](https://msticpy.readthedocs.io/en/latest/data_acquisition/DataProviders.html#splitting-query-execution-into-chunks). With this release, we've added asynchronous support for this (if the driver supports threaded/async operation) so that multiple chunks of the query will run in parallel.

```python
# split_by="1d" runs one sub-query per day of the start..end range
qry_prov.SecurityAlert.list_alerts(start=start, end=end, split_by="1d")
```


Use the parameter `split_query_by` or `split_by` to specify a time range (the time unit uses the same syntax as pandas time intervals, e.g. "1D", "4h", etc.; see the pandas documentation for more details on this).

In this release sharding is also supported for ad hoc queries as long as you add "start" and "end" parameters to the query (this is still experimental, so let us know if you have issues with this).
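The two features above (one query across several connections, and one query split into time chunks) share the same fan-out and merge pattern. The following stand-alone model, added here as an example and not msticpy's own driver code, shows that pattern without pandas or live connections: a thread pool runs every (connection, chunk) job, results are reassembled in submission order so thread timing never changes the output, and chunks are half-open so a row at a boundary is never counted twice. The sample alert data and the fake query function are constructed for the example; the `split_by` parser accepts only fixed-length units (days, hours, minutes, seconds), which is an assumption of this model.

```python
"""Model of the fan-out and merge behind multi-connection and time-split queries.

Added example, not msticpy code: a pandas-free model of running one query over
several connections, each optionally split into time chunks, on a thread pool.
The sample alerts and fake_alert_query are constructed for illustration.
"""
import re
from concurrent.futures import ThreadPoolExecutor
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional, Tuple

Row = Dict[str, object]
QueryFn = Callable[[str, datetime, datetime], List[Row]]

_UNITS = {"d": "days", "h": "hours", "min": "minutes", "s": "seconds"}


def parse_split(split_by: str) -> timedelta:
    """Turn a fixed-length offset string ("1D", "4h", "30min") into a timedelta.

    Calendar offsets such as months would need pandas and are rejected here
    (an assumption of this model: fixed-length chunks are all the split needs).
    """
    match = re.fullmatch(r"(\d+)\s*(d|D|h|H|min|s|S)", split_by.strip())
    if not match:
        raise ValueError(f"unsupported split_by value: {split_by!r}")
    count, unit = int(match.group(1)), match.group(2).lower()
    if count == 0:
        raise ValueError("split_by must be a positive interval")
    return timedelta(**{_UNITS[unit]: count})


def time_chunks(start: datetime, end: datetime, split_by: str) -> List[Tuple[datetime, datetime]]:
    """Split [start, end) into consecutive half-open chunks; the last may be shorter."""
    if end <= start:
        raise ValueError("end must be after start")
    step = parse_split(split_by)
    chunks, cur = [], start
    while cur < end:
        nxt = min(cur + step, end)
        chunks.append((cur, nxt))
        cur = nxt
    return chunks


def run_query(query_fn: QueryFn, connections: List[str], start: datetime, end: datetime,
              split_by: Optional[str] = None, max_threads: int = 4) -> List[Row]:
    """Run query_fn for every connection and chunk on a thread pool, then merge.

    Results are reassembled in submission order (connection, then chunk), so
    which thread finishes first never changes the output, and each row is
    tagged with the connection it came from.
    """
    chunks = time_chunks(start, end, split_by) if split_by else [(start, end)]
    jobs = [(alias, s, e) for alias in connections for s, e in chunks]
    with ThreadPoolExecutor(max_workers=max_threads) as pool:
        results = list(pool.map(lambda job: query_fn(*job), jobs))
    merged: List[Row] = []
    for (alias, _, _), rows in zip(jobs, results):
        merged.extend({**row, "connection": alias} for row in rows)
    return merged


# Constructed sample data: alert times per workspace (not real telemetry).
SAMPLE_START, SAMPLE_END = datetime(2023, 6, 1), datetime(2023, 6, 3)
SAMPLE_ALERTS = {
    "Workspace1": [datetime(2023, 6, 1, 1), datetime(2023, 6, 1, 13), datetime(2023, 6, 2, 5)],
    "Workspace2": [datetime(2023, 6, 1, 7), datetime(2023, 6, 2, 22)],
}


def fake_alert_query(alias: str, start: datetime, end: datetime) -> List[Row]:
    """Stand-in for a driver query: alerts with start <= TimeGenerated < end."""
    return [{"TimeGenerated": ts} for ts in SAMPLE_ALERTS[alias] if start <= ts < end]


def demo(split_by: Optional[str] = "1d", max_threads: int = 3) -> List[Row]:
    """Run the sample two-workspace query, optionally split by time."""
    return run_query(fake_alert_query, list(SAMPLE_ALERTS), SAMPLE_START, SAMPLE_END,
                     split_by=split_by, max_threads=max_threads)


if __name__ == "__main__":
    for row in demo():
        print(row["connection"], row["TimeGenerated"])
```

The check worth carrying over to real drivers is the last one in the test: the split run and the unsplit run must return identical rows. If they differ, the chunk boundaries are overlapping or leaving a gap, which is the usual way a sharded query silently loses or duplicates events.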

Velociraptor Local Data Provider

The ``Velociraptor`` data provider can read Velociraptor log files and provide convenient query functions for each data set in the output logs.

The provider can read files from one or more hosts, stored in separate folders. The files are read, converted to pandas DataFrames and grouped by table/event. Multiple log files of the same type (when reading in data from multiple hosts) are concatenated into a single DataFrame.

To use the Velociraptor provider, you need to create a `QueryProvider` instance, passing the string "Velociraptor" (or "VelociraptorLogs") as the `data_environment` parameter. You also need to add the `data_paths` parameter to specify the folders that you want to search for log files (although you can set these paths in msticpyconfig.yaml if you do this frequently).

You can specify multiple folders to read the logs from different hosts.

```python
import msticpy as mp

qry_prov = mp.QueryProvider("VelociraptorLogs", data_paths=["~/my_logs"])
```

Calling the `connect` method triggers the provider to read the locations of the
log files (although the contents are not read until a query function is run).

```python
qry_prov.connect()
```


Listing Velociraptor tables

```python
qry_prov.list_queries()
```

```text
['velociraptor.Custom_Windows_NetBIOS',
 'velociraptor.Custom_Windows_Patches',
 'velociraptor.Custom_Windows_Sysinternals_PSInfo',
 'velociraptor.Custom_Windows_Sysinternals_PSLoggedOn',
 ....
```


Each query function returns a DataFrame of the data retrieved from the logs for that table.

```python
# Each table is exposed as a query function under the "velociraptor" namespace
qry_prov.velociraptor.Windows_Forensics_ProcessInfo()
```


| Name | PebBaseAddress | Pid | ImagePathName | CommandLine | CurrentDirectory | Env |
| :------ | :--------------- | ----: | :----------- | :---------------- | :----------------- | :---- |
| LogonUI.exe | 0x95bd3d2000 | 804 | C:\Windows\system32\LogonUI.exe | "LogonUI.exe" /flags:0x2 /state0:0xa3b92855 /state1:0x41c64e6d | C:\Windows\system32\ | {'ALLUSERSP |
| dwm.exe | 0x6cf4351000 | 848 | C:\Windows\system32\dwm.exe | "dwm.exe" | C:\Windows\system32\ | {'ALLUSERSP |
| svchost.exe | 0x6cd64d000 | 872 | C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k termsvcs | C:\Windows\system32\ | {'ALLUSERSP |
| svchost.exe | 0x7d18e99000 | 912 | C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted | C:\Windows\system32\ | {'ALLUSERSP |
| svchost.exe | 0x5c762eb000 | 920 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService | C:\Windows\system32\ | {'ALLUSERSP |
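To show the design the section describes (locate files at `connect()`, parse only when a table is queried, concatenate the same table across host folders), here is a stand-alone model of such a local-log provider. It is an added example, not msticpy's Velociraptor driver, and it makes two assumptions for illustration: each host's export sits in its own sub-folder, and each artifact is a JSON-lines file named after the artifact (for example `Windows.Forensics.ProcessInfo.json`). The `_host` column it adds and the sample records in `demo()` are constructed here.

```python
"""Stand-alone model of a local-log query provider (added example, not msticpy code).

Assumptions for illustration: one sub-folder per host and one JSON-lines file
per artifact, named after the artifact. Discovery happens at connect(); file
contents are only parsed when a table is queried.
"""
import json
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


class LocalLogProvider:
    def __init__(self, data_paths: List[str]):
        self.data_paths = [Path(p).expanduser() for p in data_paths]
        self._tables: Dict[str, List[Tuple[str, Path]]] = {}

    @staticmethod
    def table_name(path: Path) -> str:
        # "Windows.Forensics.ProcessInfo.json" -> "Windows_Forensics_ProcessInfo"
        return path.name.rsplit(".json", 1)[0].replace(".", "_")

    def connect(self) -> int:
        """Locate log files under every data path; nothing is parsed yet."""
        self._tables = {}
        for base in self.data_paths:
            for path in sorted(base.rglob("*.json")):
                rel = path.relative_to(base).parts
                host = rel[0] if len(rel) > 1 else base.name  # host folder, or the base itself
                self._tables.setdefault(self.table_name(path), []).append((host, path))
        return len(self._tables)

    def list_queries(self) -> List[str]:
        return sorted(f"velociraptor.{name}" for name in self._tables)

    def query(self, table: str) -> List[dict]:
        """Read and concatenate every file for `table`, tagging each row with its host."""
        files = self._tables.get(table)
        if files is None:
            raise KeyError(f"unknown table: {table}")
        rows: List[dict] = []
        for host, path in files:
            with path.open(encoding="utf-8") as fh:
                for line in fh:
                    line = line.strip()
                    if line:  # tolerate blank lines in partial exports
                        rows.append({**json.loads(line), "_host": host})
        return rows


def demo() -> Tuple[List[str], List[dict]]:
    """Write a constructed two-host export to a temp dir, connect, and query it."""
    sample = {  # constructed records, not real forensic data
        "host-a": {
            "Windows.Forensics.ProcessInfo.json": [
                {"Name": "svchost.exe", "Pid": 872}, {"Name": "dwm.exe", "Pid": 848}],
            "Custom.Windows.Patches.json": [{"HotFixID": "KB-PLACEHOLDER"}],
        },
        "host-b": {
            "Windows.Forensics.ProcessInfo.json": [{"Name": "LogonUI.exe", "Pid": 804}],
        },
    }
    with tempfile.TemporaryDirectory() as tmp:
        for host, files in sample.items():
            (Path(tmp) / host).mkdir()
            for fname, records in files.items():
                with (Path(tmp) / host / fname).open("w", encoding="utf-8") as fh:
                    fh.write("\n".join(json.dumps(r) for r in records) + "\n")
        prov = LocalLogProvider([tmp])
        prov.connect()
        return prov.list_queries(), prov.query("Windows_Forensics_ProcessInfo")


if __name__ == "__main__":
    queries, procs = demo()
    print(queries)
    for row in procs:
        print(row)
```

Keeping a per-host tag on every concatenated row is the detail to watch when merging exports: without it, two hosts reporting the same `Pid` become indistinguishable once the tables are stacked.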


What's Changed
* Ianhelle/velociraptor provider 2023 05 19 by ianhelle in https://github.com/microsoft/msticpy/pull/668
* Updating github checkout and upload-artifact to v3 by ianhelle in https://github.com/microsoft/msticpy/pull/669
* Added multithreading support for additional connections (+fixes) by d3vzer0 in https://github.com/microsoft/msticpy/pull/645
* Bump readthedocs-sphinx-ext from 2.2.0 to 2.2.2 by dependabot in https://github.com/microsoft/msticpy/pull/679
* Bump sphinx-rtd-theme from 1.2.0 to 1.2.2 by dependabot in https://github.com/microsoft/msticpy/pull/675
* Bump httpx from 0.24.0 to 0.24.1 by dependabot in https://github.com/microsoft/msticpy/pull/666
* Ianhelle/fix func query names 2023 06 30 by ianhelle in https://github.com/microsoft/msticpy/pull/680


**Full Changelog**: https://github.com/microsoft/msticpy/compare/v2.5.3...v2.6.0

© 2024 Safety CLI Cybersecurity Inc. All Rights Reserved.