Msticpy

Latest version: v2.14.0

Page 4 of 15

2.3.0

Some new data-related features in this release.
- Support for the new (still in preview at time of writing) Dynamic Summaries feature of MS Sentinel
- Added ability to create and use "ad-hoc" parameterized queries for data providers
- Simple search mechanism for finding queries
- Support for JSON queries for Cybereason

Support for Microsoft Sentinel Dynamic Summaries

Dynamic Summaries are a Sentinel feature that allow you to persist results of
query jobs in a summarized/serialized form. This might be useful for keeping
results of daily watch jobs, for example. We will be using it in MSTICPy notebooks
to publish more complex result sets from automated notebook runs.

MSTICPy operations available include:

- Retrieve list of current dynamic Summaries
- Retrieve a full dynamic summary
- Create a dynamic summary
- Delete a dynamic summary
- Update an existing dynamic summary

Examples:

```python
# list dynamic summaries
sentinel.list_dynamic_summaries()

# create a dynamic summary in Sentinel
sentinel.connect()
sentinel.create_dynamic_summary(
    name="My_XYZ_Summary",
    description="Summarizing the running of the XYZ job.",
    data=summary_df,
    tactics=["discovery", "exploitation"],
    techniques=["T1064", "T1286"],
    search_key="host.domain.dom",
)
```


The MSTICPy support also includes a `DynamicSummary` class that lets you
manipulate dynamic summary objects more easily:

```python
# you can also import the class directly
from msticpy.context.azure.sentinel_dynamic import DynamicSummary
dyn_summary = DynamicSummary(....)

# This example shows using the "factory" method - new_dynamic_summary
dyn_summary = sentinel.new_dynamic_summary(
    summary_name="My new summary",
    summary_description="Description of summary",
    source_info={"TI Records": "misc"},
    summary_items=ti_summary_df,
)
# Add the local summary object to the Sentinel dynamic summaries.
sentinel.create_dynamic_summary(dyn_summary)

# Retrieve a dynamic summary from Sentinel
dyn_summary = sentinel.get_dynamic_summary(
    summary_id="cea27320-829c-4654-bbf0-b14367483418"
)
# the return value is a DynamicSummary object
dyn_summary
```

```
DynamicSummary(id=cea27320-829c-4654-bbf0-b14367483418, name=test2, items=0)
```

By default `get_dynamic_summary` returns the header data for the summary.

The next example shows how you can also fetch full data for the dynamic
summary (by adding `summary_items=True`). From the returned object,
you can convert the summary items to a pandas DataFrame.

> Note: fetching summary items is done via the Sentinel QueryProvider
> since the APIs do not support retrieving these.

```python
dyn_summary = sentinel.get_dynamic_summary(
    summary_id="cea27320-829c-4654-bbf0-b14367483418",
    summary_items=True
)

dyn_summary.to_df()
```

index | Ioc | IocType | QuerySubtype | Provider | Result | Severity | Details | TimeGenerated
-- | -- | -- | -- | -- | -- | -- | -- | --
OTX | hXXp://38[.]75[.]37[.]1/static/encrypt.min.js | url |   | OTX | True | 2 | {'pulse_count': 3, 'names': ['Underminer EK' | 2022-12-15 01:55:15.135136+00:00
VirusTotal | hXXp://38[.]75[.]37[.]1/static/encrypt.min.js | url |   | VirusTotal | False | 0 | Request forbidden. Allowed query rate may ha | 2022-12-15 01:55:15.135136+00:00
XForce | hXXp://38[.]75[.]37[.]1/static/encrypt.min.js | url |   | XForce |   |   |   |  

You can also create dynamic summaries from a DataFrame and append
DataFrame records to an existing dynamic summary.

Read the full documentation in [MSTICPy Sentinel Dynamic Summaries doc](https://msticpy.readthedocs.io/en/latest/data_acquisition/SentinelDynamicSummaries.html)

New QueryProvider API to dynamically add a parameterized query.

MSTICPy has always supported the ability to run ad hoc text queries for different providers
and return the results as a DataFrame. Using a static query string like this is quick and easy
if you only want to run a query once but what if you want to re-run with different time
range or host name? A lot of tedious editing or string search/replace!

Adding a full query template to MSTICPy, on the other hand, is overkill for this kind of thing.
Dynamic parameterized queries are especially suited for notebooks - you can create an
in-line parameterized query and have it update with the new parameters every time
you run the notebook.

To use dynamic queries - define the query with parameter placeholders (delimited
with curly braces "{" and "}"), then create parameter objects (these handle any special
formatting for datetimes, lists, etc.).
You add the list of parameter objects along with the replaceable parameter values
when you run the query, as shown below.

```python
import msticpy as mp

# initialize a query provider
qry_prov = mp.QueryProvider("MSSentinel")

# define a query
query = """
SecurityEvent
| where EventID == {event_id}
| where TimeGenerated between (datetime({start}) .. datetime({end}))
| where Computer has "{host_name}"
"""
# define the query parameters
qp_host = qry_prov.Param("host_name", "str", "Name of Host")
qp_start = qry_prov.Param("start", "datetime")
qp_end = qry_prov.Param("end", "datetime")
qp_evt = qry_prov.Param("event_id", "int", None, 4688)

# add the query
qry_prov.add_custom_query(
    name="get_host_events",
    query=query,
    family="Custom",
    parameters=[qp_host, qp_start, qp_end, qp_evt]
)

# query is now available as
qry_prov.Custom.get_host_events(host_name="MyPC"....)
```

[See Dynamically Adding Queries in MSTICPy Docs](https://msticpy.readthedocs.io/en/latest/data_acquisition/DataProviders.html#dynamically-adding-new-queries)
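The following is an added, stand-alone illustration of the mechanism described above (placeholders in curly braces, typed parameter objects that format datetimes, lists and integers). It is not msticpy's own `Param` or `add_custom_query` code: the `Param` class, `render_query` function and the quote-escaping for `str` parameters are my own assumptions about how such a renderer should behave. The escaping is the check a practitioner wants here: because the query is built by text substitution, a `host_name` value containing a double quote could otherwise close the `"..."` literal and change the query.

```python
import re
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional

_PLACEHOLDER = re.compile(r"\{(\w+)\}")   # only {name} placeholders, not arbitrary braces


def _escape_kql_string(text: str) -> str:
    """Escape backslash and double quote so a value cannot close the
    surrounding "..." literal in the template (assumed hardening)."""
    return text.replace("\\", "\\\\").replace('"', '\\"')


class Param:
    """Hypothetical stand-in for qry_prov.Param: name, type, description, default."""

    def __init__(self, name: str, ptype: str, description: Optional[str] = None,
                 default: Any = None) -> None:
        self.name = name
        self.ptype = ptype
        self.description = description
        self.default = default

    def render(self, value: Any) -> str:
        """Format a Python value for its KQL context according to ptype."""
        if self.ptype == "datetime":
            if not isinstance(value, datetime):
                raise TypeError(f"{self.name}: expected datetime, got {type(value).__name__}")
            if value.tzinfo is None:              # assume naive timestamps are UTC
                value = value.replace(tzinfo=timezone.utc)
            return value.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        if self.ptype == "int":
            return str(int(value))                 # non-numeric input raises ValueError
        if self.ptype == "list":
            items = ", ".join(f'"{_escape_kql_string(str(v))}"' for v in value)
            return f"dynamic([{items}])"           # KQL dynamic array literal
        if self.ptype == "str":
            return _escape_kql_string(str(value))  # the template supplies the quotes
        raise ValueError(f"{self.name}: unsupported parameter type {self.ptype!r}")


def render_query(template: str, params: List[Param], **values: Any) -> str:
    """Replace each {name} in the template with the rendered parameter value.

    Unknown keyword arguments, placeholders with no Param definition and
    required parameters without a value all raise, so a typo cannot
    silently run an unfiltered query."""
    by_name: Dict[str, Param] = {p.name: p for p in params}
    unknown = set(values) - set(by_name)
    if unknown:
        raise ValueError(f"unknown parameter(s): {sorted(unknown)}")

    def _substitute(match: "re.Match[str]") -> str:
        name = match.group(1)
        param = by_name.get(name)
        if param is None:
            raise ValueError(f"placeholder {{{name}}} has no Param definition")
        if name in values:
            return param.render(values[name])
        if param.default is not None:
            return param.render(param.default)
        raise ValueError(f"missing required parameter: {name}")

    return _PLACEHOLDER.sub(_substitute, template)


# The query and parameter definitions from the section above.
HOST_EVENTS_QUERY = """SecurityEvent
| where EventID == {event_id}
| where TimeGenerated between (datetime({start}) .. datetime({end}))
| where Computer has "{host_name}"
"""
HOST_EVENTS_PARAMS = [
    Param("host_name", "str", "Name of Host"),
    Param("start", "datetime"),
    Param("end", "datetime"),
    Param("event_id", "int", None, 4688),
]


def get_host_events_query(host_name: str, start: datetime, end: datetime,
                          event_id: Optional[int] = None) -> str:
    """Render the query the way a call to Custom.get_host_events(...) would."""
    values: Dict[str, Any] = {"host_name": host_name, "start": start, "end": end}
    if event_id is not None:
        values["event_id"] = event_id
    return render_query(HOST_EVENTS_QUERY, HOST_EVENTS_PARAMS, **values)


if __name__ == "__main__":
    print(get_host_events_query(
        "MyPC",
        datetime(2023, 1, 1, tzinfo=timezone.utc),
        datetime(2023, 1, 2, tzinfo=timezone.utc),
    ))
```

A regex for `{name}` is used instead of `str.format` so that literal braces elsewhere in a KQL query (for example inside `dynamic({...})`) are left alone; the renderer only ever touches the placeholders it has a `Param` for.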

QueryProvider - Query Search

As the number of queries for some providers grows, it has become more difficult to quickly
find the right query. We've implemented a simple search capability that lets you search
over the names or properties of queries. It takes four parameters:

- `search` - search terms to look for in the
query name, description, parameter names, table and query text.
- `table` - search terms to match on the target table of the query.
(note: not all queries have the table parameter defined in their metadata)
- `param` - search terms to match on a parameter name
- `case` - boolean to force case-sensitive matching (default is `False`, i.e. case-insensitive).

The first three parameters can be a simple string or an iterable (e.g. list, tuple)
of search terms. The search terms are treated as regular expressions, so a plain
term (one with no other regular-expression syntax) matches as a substring.

Find all queries that have the term "syslog" in their properties

```python
qry_prov.search("syslog")
# equivalent to qry_prov.search(search="syslog")
```

```
['LinuxSyslog.all_syslog',
 'LinuxSyslog.cron_activity',
 'LinuxSyslog.list_account_logon_failures',
 ...
```

[See Search queries in MSTICPY Docs](https://msticpy.readthedocs.io/en/latest/data_acquisition/DataProviders.html#searching-for-a-query)
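As an added example (not msticpy's `QueryProvider.search` implementation), here is a small regex-based search over a constructed catalog of query metadata that behaves as the four parameters above describe: `search` looks across name, description, table, query text and parameter names; `table` and `param` narrow on one field; terms are regular expressions; and matching is case-insensitive unless `case=True`. The catalog entries and their field names are made up for the example.

```python
import re
from typing import Any, Dict, Iterable, List, Optional, Union

SearchTerms = Union[str, Iterable[str]]

# Constructed catalog in the shape of query metadata (not msticpy's real query list).
QUERY_CATALOG: List[Dict[str, Any]] = [
    {"name": "LinuxSyslog.all_syslog", "description": "Returns all syslog records",
     "table": "Syslog", "params": ["start", "end", "host_name"]},
    {"name": "LinuxSyslog.cron_activity", "description": "All cron activity",
     "table": "Syslog", "params": ["start", "end", "host_name"]},
    {"name": "WindowsSecurity.list_host_logons", "description": "Logon events for a host",
     "table": "SecurityEvent", "params": ["start", "end", "host_name"]},
    {"name": "Azure.list_aad_signins_for_account", "description": "AAD sign-ins for an account",
     "table": "SigninLogs", "params": ["start", "end", "account_name"]},
]


def _terms(value: SearchTerms) -> List[str]:
    """Accept a single string or any iterable of strings; each is a regex."""
    return [value] if isinstance(value, str) else list(value)


def _any_match(terms: SearchTerms, haystacks: Iterable[str], flags: int) -> bool:
    """True if any term matches (as a regex search) any of the haystack strings."""
    hay = list(haystacks)
    return any(re.search(term, text, flags) for term in _terms(terms) for text in hay)


def search_queries(catalog: List[Dict[str, Any]],
                   search: Optional[SearchTerms] = None,
                   table: Optional[SearchTerms] = None,
                   param: Optional[SearchTerms] = None,
                   case: bool = False) -> List[str]:
    """Return the names of catalog queries matching all supplied filters."""
    flags = 0 if case else re.IGNORECASE
    hits: List[str] = []
    for qry in catalog:
        if search is not None:
            fields = [qry["name"], qry.get("description", ""), qry.get("table", ""),
                      qry.get("query", ""), *qry.get("params", [])]
            if not _any_match(search, fields, flags):
                continue
        if table is not None and not _any_match(table, [qry.get("table", "")], flags):
            continue
        if param is not None and not _any_match(param, qry.get("params", []), flags):
            continue
        hits.append(qry["name"])
    return hits


if __name__ == "__main__":
    print(search_queries(QUERY_CATALOG, "syslog"))
```

Because the terms are regular expressions, anchors work as expected: `param="^account"` matches only parameters that start with "account", whereas the bare term `"account"` would also match anything containing it.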

Support for JSON queries in Data Providers
FlorianBracq has updated the Cybereason data provider so that it supports native JSON queries. The
`{param}` string-substitution mechanism that we use for KQL and SQL queries breaks JSON, since a JSON
body is itself full of curly braces that plain substitution treats as placeholders.
Other data sources that use JSON queries include Elastic - we are planning to leverage the same
mechanism to support parameterized Elastic queries in a future release.
Thanks FlorianBracq!
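To make the failure mode concrete, the following added example (my own code, not the Cybereason driver) contrasts two text-substitution renderers with a native-JSON one. The request shape is illustrative only and is not Cybereason's real query schema.

```python
import json
import re
from typing import Any, List

_PLACEHOLDER = re.compile(r"\{(\w+)\}")

# Constructed template; the shape is illustrative, not Cybereason's schema.
JSON_TEMPLATE = '{"query": {"hosts": {hosts}, "limit": {limit}, "live": {live}}}'


def render_with_str_format(template: str, **values: Any) -> str:
    """str.format-style templating: every brace pair is a placeholder, so the
    JSON body's own braces are parsed as (unknown) fields and it raises."""
    return template.format(**values)


def render_by_substitution(template: str, **values: Any) -> str:
    """Plain {name} substitution: the braces survive, but values are inserted
    with Python's str(), so lists/booleans become Python syntax, not JSON."""
    return _PLACEHOLDER.sub(lambda m: str(values[m.group(1)]), template)


def render_native_json(hosts: List[str], limit: int, live: bool) -> str:
    """Native JSON: build the body as Python objects and serialise once.
    Lists, ints, booleans and strings come out as valid JSON, and a host
    name containing quotes or braces is escaped inside its string."""
    body = {"query": {"hosts": [str(h) for h in hosts],
                      "limit": int(limit),
                      "live": bool(live)}}
    return json.dumps(body)


def is_valid_json(text: str) -> bool:
    """True if the text parses as JSON."""
    try:
        json.loads(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(render_native_json(["host-a", "host-b"], 10, True))
```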

What Else has Changed?
* Kql query formatting by FlorianBracq in https://github.com/microsoft/msticpy/pull/595
* Fix minor linting issues in main by petebryan in https://github.com/microsoft/msticpy/pull/604
* Updated M365D and MDE data connectors with correct scopes when using delegated auth. by petebryan in https://github.com/microsoft/msticpy/pull/580
* Ianhelle/remove extranous nb 2022 11 28 by ianhelle in https://github.com/microsoft/msticpy/pull/588
* Enable native JSON support for Data Providers + move Cybereason driver to native JSON by FlorianBracq in https://github.com/microsoft/msticpy/pull/584
* Adding query search to data_providers.py by ianhelle in https://github.com/microsoft/msticpy/pull/587
* Fix typo by FlorianBracq in https://github.com/microsoft/msticpy/pull/606
* Ianhelle/mypy cache 2023 01 17 by ianhelle in https://github.com/microsoft/msticpy/pull/608
* Added API to QueryProvider to add a custom query at runtime by ianhelle in https://github.com/microsoft/msticpy/pull/586
* Bump sphinx from 5.3.0 to 6.1.3 by dependabot in https://github.com/microsoft/msticpy/pull/605
* Bump httpx from 0.23.0 to 0.23.3 by dependabot in https://github.com/microsoft/msticpy/pull/607
* Dynamic Summaries Sentinel API and DynamicSummary class. by ianhelle in https://github.com/microsoft/msticpy/pull/593
* Update sentinel_analytics.py list_alert_rules API version. by pensivepaddle in https://github.com/microsoft/msticpy/pull/592


**Full Changelog**: https://github.com/microsoft/msticpy/compare/v2.2.0...v2.3.0

2.2.0

Highlights

Re-architected context and TI providers
The biggest feature of this release is not directly visible but has involved a huge amount of work by FlorianBracq.
Florian spotted that our HTTP TI provider (used for several TI services such as VirusTotal, OTX, XForce) could be used more generically, specifically for non-TI sources that provided valuable context, such as ServiceNow. So, he re-worked the TI providers sub-package to pull out generic context provider capabilities used by both TI and non-TI sources.
The immediate benefit of this is the next highlight.

ServiceNow context provider
This is yet to be fully documented but if you have a ServiceNow instance and want to hook up MSTICPy to query it, try the following.
1. Add your ServiceNow configuration to msticpyconfig.yaml
```yaml
ContextProviders:
  ServiceNow:
    Primary: True
    Args:
      TenantId: 8360dd21-0294-4240-9128-89611f415c53
      AuthKey: "authkey"
      AuthId: "authid"
    Provider: "ServiceNow"
```

Note: you can store the secrets in KeyVault in the same way as TI and other Providers - see the [Key Vault Secrets section of MSTICPy Settings Editor](https://msticpy.readthedocs.io/en/latest/getting_started/SettingsEditor.html#key-vault-secrets)

2. Import and instantiate a `ContextLookup` and look things up
```python
from msticpy.context.contextlookup import ContextLookup

context_lookup = ContextLookup()
result = context_lookup.lookup_observable("10.0.0.1", providers=["ServiceNow"])
result2 = context_lookup.lookup_observable("user@some.dom", providers=["ServiceNow"])
```


Defanging support for IoCExtract and TI Providers

In threat reports, IoCs are often de-fanged to make IP addresses, URLs, etc, not clickable. An example
de-fanged IP address would look something like this `17[.]34[.]21[.]195`

Previously these would not be matched by the IoCExtract patterns due to the "escaped" dots.
IoCExtract now supports common de-fanged markup such as
* "[.]" to escape dots in IP addresses and domains,
* "@" replaced by "AT",
* "http(s)" and "(s)ftp(s)" replaced by "hXXp(s)" and "(s)fXp(s)" respectively.

We have also added support for email address patterns to IoCExtract.

TI providers will also accept de-fanged IoCs, removing the de-fanging before submitting them to the provider for lookup.

We've also supplied a couple of utility functions `defang_ioc` and `refang_ioc` in `msticpy.common.utility`. These are not yet added as Pivot functions to IpAddress, Url, Dns, Account but will be added in a future release.
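The following is an added example, not msticpy's `IoCExtract` or its `defang_ioc`/`refang_ioc` utilities: a refang/defang pair for the markup listed above plus a small extractor that refangs a block of report text and then pulls out URLs, email addresses, IPv4 addresses and bare domains, returning them in the live form a TI provider would need. The sample report text is constructed, and the regexes are deliberately simple (no IPv6, no IDN).

```python
import re
from typing import Dict, List

# Constructed sample text in the de-fanged style of a threat report.
SAMPLE_REPORT = """Payload fetched from hXXps://38[.]75[.]37[.]1/static/encrypt.min.js
C2 at evil-domain[.]com, operator mailbox admin AT evil-domain[.]com"""

# refang rules: de-fanged markup -> live form, applied in order
_REFANG_RULES = [
    (re.compile(r"\[\.\]|\(\.\)|\{\.\}"), "."),                          # 1[.]2 -> 1.2
    (re.compile(r"\bhXXp(s?)://", re.IGNORECASE), r"http\1://"),          # hXXp(s) -> http(s)
    (re.compile(r"\b(s?)fXp(s?)://", re.IGNORECASE), r"\1ftp\2://"),      # (s)fXp(s) -> (s)ftp(s)
    (re.compile(r"\s+AT\s+"), "@"),                # upper-case AT only, so "C2 at ..." prose is untouched
    (re.compile(r"\s*\[at\]\s*|\s*\(at\)\s*", re.IGNORECASE), "@"),       # [at] / (at) variants
]


def refang_ioc(text: str) -> str:
    """Turn de-fanged markup back into live indicators (works on whole text)."""
    for pattern, replacement in _REFANG_RULES:
        text = pattern.sub(replacement, text)
    return text


def defang_ioc(ioc: str) -> str:
    """Make a single indicator non-clickable (inverse of refang_ioc)."""
    ioc = re.sub(r"^http(s?)://", r"hXXp\1://", ioc, flags=re.IGNORECASE)
    ioc = re.sub(r"^(s?)ftp(s?)://", r"\1fXp\2://", ioc, flags=re.IGNORECASE)
    ioc = ioc.replace("@", " AT ")
    return ioc.replace(".", "[.]")


_PATTERNS = {
    "url": re.compile(r"\b(?:https?|s?ftps?)://[^\s\"'<>,]+", re.IGNORECASE),
    "email": re.compile(r"\b[\w.+-]+@(?:[\w-]+\.)+[A-Za-z]{2,}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}\b"),
}


def _valid_ipv4(candidate: str) -> bool:
    """Reject dotted quads with an octet above 255."""
    return all(0 <= int(octet) <= 255 for octet in candidate.split("."))


def extract_iocs(text: str) -> Dict[str, List[str]]:
    """Refang the text, then extract URLs, emails, IPv4s and bare domains.

    URLs and emails are blanked before the domain pass so their host parts
    (and file names such as encrypt.min.js) are not reported as domains."""
    live = refang_ioc(text)
    found: Dict[str, List[str]] = {}
    for kind in ("url", "email", "ipv4"):
        hits = _PATTERNS[kind].findall(live)
        if kind == "ipv4":
            hits = [h for h in hits if _valid_ipv4(h)]
        found[kind] = list(dict.fromkeys(hits))          # de-duplicate, keep order
    remaining = _PATTERNS["url"].sub(" ", live)
    remaining = _PATTERNS["email"].sub(" ", remaining)
    found["domain"] = list(dict.fromkeys(_PATTERNS["domain"].findall(remaining)))
    return found


if __name__ == "__main__":
    print(extract_iocs(SAMPLE_REPORT))
```

The "AT" rule is the one to watch: matching it case-insensitively would rewrite ordinary English ("C2 at evil-domain.com") into a bogus email address, so only the upper-case, space-delimited form is treated as a de-fanged "@".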

Added GCC support to MDE/M365 data providers
This allows customers working with government clouds to query the correct Defender endpoints.

Python 3.11 officially supported
Although there wasn't anything in our code that was a Py 3.11 blocker, some of our dependencies took
a little while to publish 3.11-compatible wheels. That was all done with SciPy, Statsmodels and ScikitLearn
and our build pipeline now includes a full test pass on Python 3.11. Many thanks to tonybaloney for
pushing us through this.

What's Changed
* Add base for Context Providers by FlorianBracq in https://github.com/microsoft/msticpy/pull/511
* Adding skip and warning to test_vt_pivot.py by ianhelle in https://github.com/microsoft/msticpy/pull/560
* Improved bug template getting rid of irrelevant sections by ianhelle in https://github.com/microsoft/msticpy/pull/559
* Intsights endpoint update. by FlorianBracq in https://github.com/microsoft/msticpy/pull/526
* Added support for GCC and Regional Clouds to MDE driver by petebryan in https://github.com/microsoft/msticpy/pull/525
* Resourcegraph - Incomplete list returned by pensivepaddle in https://github.com/microsoft/msticpy/pull/496
* Bump sphinx-rtd-theme from 1.0.0 to 1.1.0 by dependabot in https://github.com/microsoft/msticpy/pull/553
* Sumologic driver: custom dtypes options+fix, add paging, remove days duration int casting by juju4 in https://github.com/microsoft/msticpy/pull/481
* New mypy failures in kql_base, elastic_driver, splunk_driver, sumolog… by ianhelle in https://github.com/microsoft/msticpy/pull/564
* Bump sphinx-rtd-theme from 1.1.0 to 1.1.1 by dependabot in https://github.com/microsoft/msticpy/pull/563
* Add 3.11 to test matrix by tonybaloney in https://github.com/microsoft/msticpy/pull/546
* Update dnspython requirement from <=2.0.0 to <3.0.0 by dependabot in https://github.com/microsoft/msticpy/pull/289
* Inability to fetch "all" incidents, only 50 by pensivepaddle in https://github.com/microsoft/msticpy/pull/565
* Add de-fanging support for iocextract and TI providers by ianhelle in https://github.com/microsoft/msticpy/pull/536
* Implementing isort for context classes, adding missing docs by ianhelle in https://github.com/microsoft/msticpy/pull/567
* Add support for context provider Service Now by FlorianBracq in https://github.com/microsoft/msticpy/pull/556
* Added Sentinel TI integration features. by petebryan in https://github.com/microsoft/msticpy/pull/532
* Ianhelle/pygeohash and exceptions 2022 11 11 by ianhelle in https://github.com/microsoft/msticpy/pull/566
* Removing debug prints and duplicate code. by petebryan in https://github.com/microsoft/msticpy/pull/570
* Moving ASN http lookup to execute at runtime, when whois lookup happens. by ianhelle in https://github.com/microsoft/msticpy/pull/568
* Added a new set of Sentinel queries related to network activity using the CommonSecurityLog data source. by petebryan in https://github.com/microsoft/msticpy/pull/524
* Fixed issues with dataprovider instances by ianhelle in https://github.com/microsoft/msticpy/pull/549
* Adding AzureAuthentication.rst by ianhelle in https://github.com/microsoft/msticpy/pull/578


**Full Changelog**: https://github.com/microsoft/msticpy/compare/v2.1.5...v2.2.0

2.1.5

The main driver for this release is to restrict versions of bokeh, ipywidgets and pandas.
* Version 3.0.0 of bokeh has some breaking changes that prevent it working with MSTICPy
* Version 8.0.0 of ipywidgets has changes that prevent some of the MSTICPy compound widgets displaying correctly.

We also decided to start restricting versions of some of our other dependencies to the current major version - to prevent unexpected breaking changes stopping MSTICPy from working. We have included pandas in this list and will expand it to cover more packages in future. We will combine this with an automated build job that has no version restrictions so that we're aware of version changes that we need to address. The intent here is to have MSTICPy have as broad a version range as possible for its dependencies while still avoiding failures due to breaking changes.

Another small but important change is an update to the Process Tree viewer to allow process GUIDs as process IDs (rather than just hex or decimal format integers). Thanks to nbareil for this change!

What's Changed
* process_tree: Accept GUID format for ProcessID and ParentProcessID by nbareil in https://github.com/microsoft/msticpy/pull/542
* Bump sphinx from 5.1.1 to 5.3.0 by dependabot in https://github.com/microsoft/msticpy/pull/540
* Bump readthedocs-sphinx-ext from 2.1.9 to 2.2.0 by dependabot in https://github.com/microsoft/msticpy/pull/545
* Update AzureBlobStorage.rst by garybushey in https://github.com/microsoft/msticpy/pull/539
* Adding upper version restrictions to bokeh, pandas and ipywidgets deps by ianhelle in https://github.com/microsoft/msticpy/pull/552

New Contributors
* garybushey made their first contribution in https://github.com/microsoft/msticpy/pull/539

**Full Changelog**: https://github.com/microsoft/msticpy/compare/v2.1.4...v2.1.5

2.1.4

Some minor fixes and improvements:

* MicrosoftSentinel class now defaults to "Default" workspace or workspace name supplied as `workspace` parameter
when connecting.
```python
sentinel = MicrosoftSentinel()
sentinel.connect()                         # connect to "Default" workspace
sentinel.connect(workspace="MyWorkspace")  # connect to named workspace
```

* Sentinel `create_*` APIs now return ID of new item (incident, bookmark, analytic, watchlist)
* init_notebook - now accepts `config` parameter to use custom `msticpyconfig.yaml` for notebook session (overrides environment variable and other defaults)
```python
import msticpy as mp
mp.init_notebook(config="~/configs/all_ti_provs.yaml")  # use a custom msticpy config file.
```

* Sentinel configuration editor no longer throws an exception if named control not found
* Sentinel TI provider will not attempt lookups if `ThreatIntelligenceIndicator` table not found in the Sentinel data provider schema
* Support for Kusto/Azure Data explorer settings in Settings editor
* Added checked_kwargs decorator to utility/types.py

What's Changed
* Ianhelle/training hotfixes 2022 10 13 by ianhelle in https://github.com/microsoft/msticpy/pull/543
* Updated ReadMe with Blackhat Arsenal Tag by petebryan in https://github.com/microsoft/msticpy/pull/521


**Full Changelog**: https://github.com/microsoft/msticpy/compare/v2.1.3...v2.1.4

2.1.3

Highlights

This is a minor release with some fixes and additions that enable broader functionality.
The biggest-impacting changes apply to the
[Process Tree visualization](https://msticpy.readthedocs.io/en/latest/visualization/ProcessTree.html).
These changes allow it to work with broader types of Windows or Linux process data:

* Removed the following columns that were previously **required**: host_name, logon_id, user_name, cmd_line.
* Added auto-coloring by level if no legend is supplied.
* Fixed process sorting so that tree and peer groups in the tree are sorted by level, then timestamp.
* Added ability to supply schema as dictionary to the process tree APIs.

The changes are described in more detail below.

We've also added support for a new MS Sentinel API to retrieve queries stored in a Sentinel workspace
and fixed some issues in IP WhoIs lookups.

Process Tree changes

Reduced required column set
This allows you to use the process tree visualization and utilities with a minimal set of data fields:
* process_id
* parent_id
* process_name
* time_stamp

```python
cust_schema = {
    "process_name": "ImageFileName",
    "process_id": "PID",
    "parent_id": "PPID",
    "time_stamp": "CreateTime",
}
df.mp_plot.process_tree(schema=cust_schema)
```


Auto-coloring of tree plot

If you do not supply a `legend_col` parameter, the process objects will be
automatically colored by level in the hierarchy. This makes a basic tree more colorful and easier to navigate.
![Proctree-default-color](https://user-images.githubusercontent.com/13070017/190937462-6c592c4c-709f-4386-b476-850351b5b39e.png)

Processes are correctly sorted by process time
Previously, the code that builds the process tree left individual processes in an unintuitive order.
For a given level (e.g. parents) all of the processes will be displayed in time created order.

For example:

```
A
  - A.1
  - A.2
B
  - B.1
  - B.2
```

A will always have a timestamp less than or equal to B. All children of A (A.1, A.2...) and B will be shown in
time created order. However, across different levels and peer groups, there is no guarantee of time-ordering. In the above example, even though timestamp A is less than timestamp B, B.1 and B.2 could have timestamps earlier than either A.1 or A.2.

proc_key | path | ImageFileName | CreateTime
-- | -- | -- | --
registry\|88\|2021-04-01 05:04:54.000000 | 116/0 | Registry | 2021-04-01 05:04:54+00:00
system\|4\|2021-04-01 05:04:58.000000 | 117/1 | System | 2021-04-01 05:04:58+00:00
smss.exe\|404\|2021-04-01 05:04:58.000000 | 117/1/2 | smss.exe | 2021-04-01 05:04:58+00:00
csrss.exe\|640\|2021-04-01 05:05:00.000000 | 118/3 | csrss.exe | 2021-04-01 05:05:00+00:00
winlogon.exe\|700\|2021-04-01 05:05:00.000000 | 118/4 | winlogon.exe | 2021-04-01 05:05:00+00:00
dwm.exe\|1028\|2021-04-01 05:05:02.000000 | 118/4/17 | dwm.exe | 2021-04-01 05:05:02+00:00
logonui.exe\|512\|2021-04-01 05:05:02.000000 | 118/4/21 | LogonUI.exe | 2021-04-01 05:05:02+00:00
fontdrvhost.ex\|960\|2021-04-01 05:05:01.000000 | 118/4/7 | fontdrvhost.ex | 2021-04-01 05:05:01+00:00
wininit.exe\|632\|2021-04-01 05:05:00.000000 | 119/5 | wininit.exe | 2021-04-01 05:05:00+00:00
lsass.exe\|776\|2021-04-01 05:05:01.000000 | 119/5/10 | lsass.exe | 2021-04-01 05:05:01+00:00

mp_plot.process_tree and mp.build_process_tree support schema as dictionary
Previously these accessors and the underlying functions `plot_process_tree` and
`build_process_tree` would only accept `msticpy.transform.process_tree_schema.ProcSchema`
instances. These will now accept dictionaries with at least the minimum required
attributes as keys.
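As an added example covering the three process-tree changes above (the four-column minimum schema supplied as a dictionary, and peer groups ordered by creation time with no cross-group guarantee), here is a stand-alone tree builder. It is my own code, not msticpy's `build_process_tree`/`plot_process_tree`; the `path` values it emits are simple traversal indices and do not follow the numbering scheme in the table above. The rows, column names and the schema mapping are constructed for the example.

```python
from datetime import datetime
from typing import Any, Dict, List, Mapping, Tuple

REQUIRED_FIELDS = ("process_id", "parent_id", "process_name", "time_stamp")

# Constructed rows with non-default column names; input order is deliberately
# not time order, and both parents have a PPID that is absent from the data.
SAMPLE_ROWS = [
    {"ImageFileName": "cmd.exe",        "PID": 1200, "PPID": 1000, "CreateTime": "2021-04-01T05:13:00"},
    {"ImageFileName": "explorer.exe",   "PID": 1000, "PPID": 500,  "CreateTime": "2021-04-01T05:10:00"},
    {"ImageFileName": "svchost.exe",    "PID": 912,  "PPID": 900,  "CreateTime": "2021-04-01T05:10:40"},
    {"ImageFileName": "powershell.exe", "PID": 1100, "PPID": 1000, "CreateTime": "2021-04-01T05:12:00"},
    {"ImageFileName": "services.exe",   "PID": 900,  "PPID": 600,  "CreateTime": "2021-04-01T05:10:30"},
]
SAMPLE_SCHEMA = {
    "process_name": "ImageFileName",
    "process_id": "PID",
    "parent_id": "PPID",
    "time_stamp": "CreateTime",
}

TreeRow = Tuple[int, str, str, datetime]   # (level, path, name, time_stamp)


def build_process_tree(rows: List[Mapping[str, Any]],
                       schema: Mapping[str, str]) -> List[TreeRow]:
    """Build a tree from rows using a schema dict and return it in display order:
    roots sorted by time, then each node's children sorted by time (depth first)."""
    missing = [field for field in REQUIRED_FIELDS if field not in schema]
    if missing:
        raise ValueError(f"schema is missing required field(s): {missing}")

    procs: Dict[str, Dict[str, Any]] = {}
    for row in rows:
        pid = str(row[schema["process_id"]])       # later duplicates overwrite earlier ones
        procs[pid] = {
            "pid": pid,
            "ppid": str(row[schema["parent_id"]]),
            "name": str(row[schema["process_name"]]),
            "ts": datetime.fromisoformat(str(row[schema["time_stamp"]])),
            "children": [],
        }

    # a process whose parent is not in the data (or is itself) is a root
    roots: List[Dict[str, Any]] = []
    for proc in procs.values():
        parent = procs.get(proc["ppid"])
        if parent is None or parent is proc:
            roots.append(proc)
        else:
            parent["children"].append(proc)

    ordered: List[TreeRow] = []
    seen = set()

    def visit(node: Dict[str, Any], level: int, parent_path: str) -> None:
        if node["pid"] in seen:                    # guard against cyclic parent links
            return
        seen.add(node["pid"])
        index = len(ordered)
        path = f"{parent_path}/{index}" if parent_path else str(index)
        ordered.append((level, path, node["name"], node["ts"]))
        for child in sorted(node["children"], key=lambda c: c["ts"]):
            visit(child, level + 1, path)

    for root in sorted(roots, key=lambda r: r["ts"]):
        visit(root, 0, "")
    return ordered


if __name__ == "__main__":
    for level, path, name, ts in build_process_tree(SAMPLE_ROWS, SAMPLE_SCHEMA):
        print(f"{'  ' * level}{name}  ({path}, {ts.time()})")
```

With the sample rows, `explorer.exe` (05:10:00) precedes `services.exe` (05:10:30) and each parent's children are in time order, yet `svchost.exe` under `services.exe` was created before either child of `explorer.exe`, which is exactly the cross-group caveat above. Processes that are only reachable through a parent cycle (never from a root) are dropped rather than looping forever.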


What's Changed
* Sentinel - Return all saved queries by petebryan in https://github.com/microsoft/msticpy/pull/519
* Bump readthedocs-sphinx-ext from 2.1.8 to 2.1.9 by dependabot in https://github.com/microsoft/msticpy/pull/507
* Bump respx from 0.19.2 to 0.20.0 by dependabot in https://github.com/microsoft/msticpy/pull/512
* Allow process tree to work with more data sources. by ianhelle in https://github.com/microsoft/msticpy/pull/513
* Fixed error in cell using non-existing column name by ianhelle in https://github.com/microsoft/msticpy/pull/527
* Ianhelle/proc tree fixes 2022 09 16 by ianhelle in https://github.com/microsoft/msticpy/pull/530
* Fixed issue with whois lookups on only local IPs by petebryan in https://github.com/microsoft/msticpy/pull/506


**Full Changelog**: https://github.com/microsoft/msticpy/compare/v2.1.2...v2.1.3

2.1.2

A last-minute change before release of 2.1.0 introduced a critical bug in azure_auth_core.py.
This caused all azure authentication to fail. It would also cause `init_notebook()` to fail if the user had any Key Vault secrets referenced in their msticpyconfig.yaml.

Thanks to FlorianBracq for spotting this independently (and before us) and submitting a PR with the fix.
The PR below is essentially the same fix as Florian's with a subtle change to allow an EnvironmentCredential of None to appear in the list of creds sent to ChainedTokenCredential. This is to cover an edge case where EnvironmentCredential is requested but the required environment variables are not set.

What's Changed
* [fix] bug in call to ChainTokenCredential breaks all authentication by ianhelle in https://github.com/microsoft/msticpy/pull/505
* Rolling back change on _build_chained_creds by FlorianBracq in https://github.com/microsoft/msticpy/pull/504

**Full Changelog**: https://github.com/microsoft/msticpy/compare/v2.1.1...v2.1.2


© 2025 Safety CLI Cybersecurity Inc. All Rights Reserved.