Msticpy

Latest version: v2.16.0


2.4.0

Main changes for this release

There are no huge changes in this release but a good variety of important updates and fixes.
We're also delighted to welcome 3 new contributors to the MSTICPy family:
* ZeArioch
* ctoma73
* jllangley

Thanks so much!

New Threat Intel provider for Pulsedive from fr0gger (#609)

This includes a standard MSTICPy TI provider (so you can include it in your collection of providers used for
regular TI checks on IPs, URLs, etc.). This provider also contains a few custom methods that let you query
some other facets of the Pulsedive data. For example, the `explore` function lets you use
the Pulsedive query language:

```python
pddetail = pdlookup.explore(query="ioc=pulsedive.com or threat=AgentTesla")
pddetail
```

You can also request a scan on a domain or URL:

```python
pdscan = pdlookup.scan(observable="alvoportas.com.br")
pdscan
```

To use any of the Pulsedive features you'll need an account and API key from [Pulsedive](https://pulsedive.com/api/).
See more details of the usage in the [Pulsedive notebook](https://github.com/microsoft/msticpy/blob/main/docs/notebooks/PulsediveLookup.ipynb).

Process tree updates (#637)
- ZeArioch added Process Tree support for FireEye HX data, so it should be automatically recognized and rendered correctly.
- We also added the ability to export a process tree as a text object, which is useful if you want to copy and paste
a tree (or part of it) into a non-HTML document. See the [Process Tree docs](https://msticpy.readthedocs.io/en/latest/visualization/ProcessTree.html#tree-to-text) for more details.

```
+-- Process: C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe PID: 0x888
    Time: 1970-01-01 00:00:00+00:00
    Cmdline: nan
    Account: nan LoginID: 0x3e7
    +-- Process: C:\Windows\System32\cscript.exe PID: 0x364
        Time: 2019-01-15 04:15:26+00:00
        Cmdline: "C:\Windows\system32\cscript.exe" /nologo "MonitorKnowledgeDiscovery.vbs"
        Account: WORKGROUP\MSTICAlertsWin1$ LoginID: 0x3e7
    +-- Process: C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe PID: 0x1c4
        Time: 2019-01-15 04:16:24.007000+00:00
        Cmdline: "C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe" GetInventory "C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\work\ServiceState\ServiceState.mof" "C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\work\ServiceState"
        Account: WORKGROUP\MSTICAlertsWin1$ LoginID: 0x3e7
```
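As an added example (not MSTICPy's own code), here is a minimal tree-to-text renderer for a flat list of process events: it groups events by parent PID, treats any process whose parent is absent from the data as a root (so partial captures still render), and prints each process with the indented `+--` layout shown above, children ordered by start time. The event records, field order and function names are constructed for this illustration.

```python
from __future__ import annotations

from collections import defaultdict

# Constructed sample events (not real telemetry):
# (pid, parent_pid, image, cmdline, account, time)
SAMPLE_EVENTS = [
    ("0x888", None, r"C:\Program Files\Agent\MonitoringHost.exe",
     None, None, "1970-01-01 00:00:00+00:00"),
    ("0x364", "0x888", r"C:\Windows\System32\cscript.exe",
     '"cscript.exe" /nologo "Discovery.vbs"', r"WORKGROUP\HOST1$", "2019-01-15 04:15:26+00:00"),
    ("0x1c4", "0x888", r"C:\Windows\System32\ASMHost.exe",
     '"ASMHost.exe" GetInventory', r"WORKGROUP\HOST1$", "2019-01-15 04:16:24+00:00"),
    ("0x9a0", "0x364", r"C:\Windows\System32\cmd.exe",
     "cmd.exe /c whoami", r"WORKGROUP\HOST1$", "2019-01-15 04:15:30+00:00"),
]


def build_tree(events):
    """Index processes by PID and group child PIDs under their parent.

    Returns (by_pid, children, roots). A root is any process whose parent
    PID is missing from the data, so a partial capture still renders.
    """
    by_pid = {}
    children = defaultdict(list)
    for pid, ppid, image, cmdline, account, time in events:
        by_pid[pid] = {"ppid": ppid, "image": image, "cmdline": cmdline,
                       "account": account, "time": time}
        children[ppid].append(pid)
    roots = [pid for pid, proc in by_pid.items() if proc["ppid"] not in by_pid]
    return by_pid, children, roots


def tree_to_text(events, indent="    "):
    """Render the process tree as indented text, children ordered by start time."""
    by_pid, children, roots = build_tree(events)
    lines = []

    def emit(pid, depth, seen):
        if pid in seen:            # guard against malformed data with PID cycles
            return
        seen.add(pid)
        proc = by_pid[pid]
        pad = indent * depth
        lines.append(f"{pad}+-- Process: {proc['image']} PID: {pid}")
        lines.append(f"{pad}    Time: {proc['time']}")
        lines.append(f"{pad}    Cmdline: {proc['cmdline'] if proc['cmdline'] is not None else 'nan'}")
        lines.append(f"{pad}    Account: {proc['account'] if proc['account'] is not None else 'nan'}")
        for child in sorted(children[pid], key=lambda c: by_pid[c]["time"]):
            emit(child, depth + 1, seen)

    for root in roots:
        emit(root, 0, set())
    return "\n".join(lines)


if __name__ == "__main__":
    print(tree_to_text(SAMPLE_EVENTS))
```

The same grouping works for any telemetry that carries a process ID and parent process ID pair; the `seen` set only matters when a capture contains inconsistent parent links.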


Miscellaneous fixes (#644)
This sounds like a small item but contains several important fixes:
- Azure authentication (az_connect) now avoids throwing exceptions if you ask it to use authentication types (e.g. clientsecret) where parameters are not passed (or available in environment variables). It will now just ignore those credential types and only throw an exception if no usable credential types remain.
- Updates to API documentation
- A new IPython magic "%save_to_cell" - this lets you save a Python object (e.g. a DataFrame) to a base64-encoded blob in a new cell. The cell contains code to restore the original data. This is subject to the usual caveats about pickle - including the security ones. *Do Not* run a cell that unpickles some arbitrary data in notebooks that you do not trust.
- A bunch of changes/fixes to the Sentinel APIs
  - Most of these are fixes related to the newly-supported Sentinel Dynamic Summaries feature
  - Some minor fixes also to Sentinel core

Python Logging support (#640)
We should have had this from the beginning, but it's never too late to start correcting your mistakes.
We've implemented a central logging module and started to instrument some of the code that is especially complex
and where people often get stuck with cryptic errors, e.g. the `init_notebook` function.
We also enabled it in the authentication modules (`az_connect`) in #644.
Most of the time this will be invisible. However, if you need it you can just do the following:

```python
import msticpy as mp  # if not already imported
mp.set_logging_level("INFO")
```

Then re-run the function that you are having trouble with.
You can also use the `MSTICPYLOGLEVEL` environment variable to control this. And, if you want to log to a file, set the environment variable `MSTICPYLOGFILE` to the path of your log file. (You'll need to restart the kernel/Python session and reload MSTICPy for this to take effect.)

Support for Bokeh 3.0 (#630, #642 and #650)
ctoma73 did some awesome work to track down problems with compatibility with Bokeh 3.0 and fix all of them (a lot were tedious mypy/linting fixes due to the more dynamic nature of the Bokeh 3.0 object model).
You'll notice in #650 that we still have Bokeh 2.4.3 in the MSTICPy requirements. We're not going to change that just yet since we want compatibility with [PyViz/HoloViz panel](https://panel.holoviz.org/) - you will likely see some panel-related features in the next minor release.
Despite this (and assuming you can ignore some pip warning about MSTICPy not being compatible with Bokeh 3.x) you can install Bokeh 3.0 after MSTICPy and enjoy the delights of the new release. All of our code should be compatible (tested with 3.0.0 and 3.1.0).

That's all for this release.
We'll likely be doing a follow-on 2.5.0 release that will include several contributions from our 2023 Hackmonth (which turned into a HackNMonths event).


What's Changed
* Add support for FireEye HX acquisition packages in `process_tree` by ZeArioch in https://github.com/microsoft/msticpy/pull/616
* Adding Pulsedive as Threat Intel provider by fr0gger in https://github.com/microsoft/msticpy/pull/609
* Fix error when latest version 3.0.3 of bokeh is installed by ctoma73 in https://github.com/microsoft/msticpy/pull/630
* Adding logging and updating settings access by ianhelle in https://github.com/microsoft/msticpy/pull/640
* ProcTree and init_notebook fixes by ianhelle in https://github.com/microsoft/msticpy/pull/637
* Adding data query paths test for DEX support by ianhelle in https://github.com/microsoft/msticpy/pull/638
* Fixing RangeTool with bokeh 3.1.0 not a GestureTool by ctoma73 in https://github.com/microsoft/msticpy/pull/642
* Modified the upload_df method to split the data into batches of 10,00… by jllangley in https://github.com/microsoft/msticpy/pull/633
* Misc updates for 2.3.2 release: by ianhelle in https://github.com/microsoft/msticpy/pull/644
* Reverting to bokeh version 2.4.3 for default install by ianhelle in https://github.com/microsoft/msticpy/pull/650

New Contributors
* ZeArioch made their first contribution in https://github.com/microsoft/msticpy/pull/616
* ctoma73 made their first contribution in https://github.com/microsoft/msticpy/pull/630
* jllangley made their first contribution in https://github.com/microsoft/msticpy/pull/633

**Full Changelog**: https://github.com/microsoft/msticpy/compare/v2.3.1...v2.4.0

2.3.1

This is a minor release with mostly fixes.

Some highlights from PR #631:

#629 - You can now suppress the progress bar for Threat Intel lookups (useful to avoid screen mess
when running multiple lookups from other code):

```python
tilookup.lookup_iocs(data, progress=False)
```


#572 - We've had a long-running issue in Azure Machine Learning where the UI does not correctly
handle JavaScript written by the notebook. This results in JS code appearing in the output cells. While we're waiting
for AML to re-adopt the latest Azure Notebooks package and get rid of this bug altogether, we've
added a fix to suppress JavaScript text for our Kqlmagic data provider.

* Fix to Azure ML use - automatic creation of msticpyconfig.yaml was writing the file to
the wrong place, so users always got the message that no config file was found.

* We had a request (again for batch jobs) to remove automatic display of license information in the geoip module.

* Using MSTICPy offline or in an isolated environment - it has always been our goal to support this, but
we recently discovered that we were running a `check_version` call from `init_notebook`. This function
did not handle network failure and crashed the entire init_notebook process. This has been fixed,
so MSTICPy should now be runnable offline or in air-gapped networks.

* Related to this, we've also cleaned up the remaining unit tests that make outbound network requests.

Full Changelist
* Adding job to file issue if main build fails. by ianhelle in https://github.com/microsoft/msticpy/pull/613
* Removing prospector from CI build by ianhelle in https://github.com/microsoft/msticpy/pull/619
* Reverting PR 496 - Removing blank sub-id from resource graph list by ianhelle in https://github.com/microsoft/msticpy/pull/621
* Resolved issues with nextLink following in Sentinel API calls by petebryan in https://github.com/microsoft/msticpy/pull/617
* Fix MDE procschema by rrevuelta in https://github.com/microsoft/msticpy/pull/626
* Bump sphinx-rtd-theme from 1.1.1 to 1.2.0 by dependabot in https://github.com/microsoft/msticpy/pull/628
* Bump sphinx from 5.3.0 to 6.1.3 by dependabot in https://github.com/microsoft/msticpy/pull/610
* Ianhelle/misc fixes 2023 02 17 by ianhelle in https://github.com/microsoft/msticpy/pull/631

New Contributors
* rrevuelta made their first contribution in https://github.com/microsoft/msticpy/pull/626

**Full Changelog**: https://github.com/microsoft/msticpy/compare/v2.2.3...v2.3.1

2.3.0

Some new data-related features in this release.
- Support for the new (still in preview at time of writing) Dynamic Summaries feature of MS Sentinel
- Added ability to create and use "ad-hoc" parameterized queries for data providers
- Simple search mechanism for finding queries
- Support for JSON queries for CyberReason

Support for Microsoft Sentinel Dynamic Summaries

Dynamic Summaries are a Sentinel feature that allow you to persist results of
query jobs in a summarized/serialized form. This might be useful for keeping
results of daily watch jobs, for example. We will be using it in MSTICPy notebooks
to publish more complex result sets from automated notebook runs.

MSTICPy operations available include:

- Retrieve list of current dynamic Summaries
- Retrieve a full dynamic summary
- Create a dynamic summary
- Delete a dynamic summary
- Update an existing dynamic summary

Examples:

```python
# list dynamic summaries
sentinel.list_dynamic_summaries()

# create a dynamic summary in Sentinel
sentinel.connect()
sentinel.create_dynamic_summary(
    name="My_XYZ_Summary",
    description="Summarizing the running of the XYZ job.",
    data=summary_df,
    tactics=["discovery", "exploitation"],
    techniques=["T1064", "T1286"],
    search_key="host.domain.dom",
)
```

The MSTICPy support also includes a `DynamicSummary` class that lets you
manipulate dynamic summary objects more easily:

```python
# can also import the class directly
from msticpy.context.azure.sentinel_dynamic import DynamicSummary
dyn_summary = DynamicSummary(....)
# This example shows using the "factory" method - new_dynamic_summary
dyn_summary = sentinel.new_dynamic_summary(
    summary_name="My new summary",
    summary_description="Description of summary",
    source_info={"TI Records": "misc"},
    summary_items=ti_summary_df,
)
# Add the local summary object to the Sentinel dynamic summaries.
sentinel.create_dynamic_summary(dyn_summary)

# Retrieve a dynamic summary from Sentinel
dyn_summary = sentinel.get_dynamic_summary(
    summary_id="cea27320-829c-4654-bbf0-b14367483418"
)
# the return value is a DynamicSummary object
dyn_summary
```

```
DynamicSummary(id=cea27320-829c-4654-bbf0-b14367483418, name=test2, items=0)
```

By default `get_dynamic_summary` returns the header data for the summary.

The next example shows how you can also fetch full data for the dynamic
summary (by adding `summary_items=True`). From the returned object,
you can convert the summary items to a pandas DataFrame.

> Note: fetching summary items is done via the Sentinel QueryProvider
> since the APIs do not support retrieving these.

```python
dyn_summary = sentinel.get_dynamic_summary(
    summary_id="cea27320-829c-4654-bbf0-b14367483418",
    summary_items=True
)

dyn_summary.to_df()
```

index | Ioc | IocType | QuerySubtype | Provider | Result | Severity | Details | TimeGenerated
-- | -- | -- | -- | -- | -- | -- | -- | --
OTX | hXXp://38[.]75[.]37[.]1/static/encrypt.min.js | url |   | OTX | True | 2 | {'pulse_count': 3, 'names': ['Underminer EK' | 2022-12-15 01:55:15.135136+00:00
VirusTotal | hXXp://38[.]75[.]37[.]1/static/encrypt.min.js | url |   | VirusTotal | False | 0 | Request forbidden. Allowed query rate may ha | 2022-12-15 01:55:15.135136+00:00
XForce | hXXp://38[.]75[.]37[.]1/static/encrypt.min.js | url |   | XForce

You can also create dynamic summaries from a DataFrame and append
DataFrame records to an existing dynamic summary.

Read the full documentation in [MSTICPy Sentinel Dynamic Summaries doc](https://msticpy.readthedocs.io/en/latest/data_acquisition/SentinelDynamicSummaries.html)

New QueryProvider API to dynamically add a parameterized query.

MSTICPy has always supported the ability to run ad hoc text queries for different providers
and return the results as a DataFrame. Using a static query string like this is quick and easy
if you only want to run a query once but what if you want to re-run with different time
range or host name? A lot of tedious editing or string search/replace!

Adding a full query template to MSTICPy, on the other hand, is overkill for this kind of thing.
Dynamic parameterized queries are especially suited for notebooks - you can create an
in-line parameterized query and have it update with the new parameters every time
you run the notebook.

To use dynamic queries - define the query with parameter placeholders (delimited
with curly braces "{" and "}"), then create parameter objects (these handle any special
formatting for datetimes, lists, etc.).
You add the list of parameter objects along with the replaceable parameter values
when you run the query, as shown below.

```python
import msticpy as mp

# initialize a query provider
qry_prov = mp.QueryProvider("MSSentinel")

# define a query
query = """
SecurityEvent
| where EventID == {event_id}
| where TimeGenerated between (datetime({start}) .. datetime({end}))
| where Computer has "{host_name}"
"""
# define the query parameters
qp_host = qry_prov.Param("host_name", "str", "Name of Host")
qp_start = qry_prov.Param("start", "datetime")
qp_end = qry_prov.Param("end", "datetime")
qp_evt = qry_prov.Param("event_id", "int", None, 4688)

# add the query
qry_prov.add_custom_query(
    name="get_host_events",
    query=query,
    family="Custom",
    parameters=[qp_host, qp_start, qp_end, qp_evt]
)

# query is now available as
# qry_prov.Custom.get_host_events(host_name="MyPC"....)
```

[See Dynamically Adding Queries in MSTICPy Docs](https://msticpy.readthedocs.io/en/latest/data_acquisition/DataProviders.html#dynamically-adding-new-queries)
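As an added example (not MSTICPy's code; `QueryParam`, `ParamQuery` and `format_value` are hypothetical names, not the MSTICPy `Param` API), the block below implements the same pattern: curly-brace placeholders in a KQL template, typed parameter definitions with optional defaults, and per-type formatting at render time. One deliberate difference from the template above: the helper quotes string values itself and escapes embedded quotes and backslashes, so the template carries no quotes around `{host_name}` and a host name supplied at run time cannot close the string literal it is placed in. Datetimes are normalised to UTC ISO format for `datetime(...)`, and a template with a placeholder that has no definition is rejected up front.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Any


@dataclass
class QueryParam:
    """Typed placeholder definition (hypothetical, not the MSTICPy Param class)."""
    name: str
    ptype: str                 # "str", "int", "datetime" or "list"
    description: str = ""
    default: Any = None


def format_value(ptype: str, value: Any) -> str:
    """Render a value in KQL syntax according to its declared type."""
    if ptype == "int":
        return str(int(value))                       # non-numeric input raises ValueError
    if ptype == "datetime":
        if isinstance(value, str):
            value = datetime.fromisoformat(value)
        if value.tzinfo is None:
            value = value.replace(tzinfo=timezone.utc)
        return value.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    if ptype == "list":
        return ", ".join(format_value("str", item) for item in value)
    if ptype == "str":
        # Quote the value and escape quotes/backslashes so it cannot end the literal early.
        text = str(value).replace("\\", "\\\\").replace('"', '\\"')
        return f'"{text}"'
    raise ValueError(f"unknown parameter type {ptype!r}")


class ParamQuery:
    """A query template whose {name} placeholders are filled from QueryParam definitions."""

    _PLACEHOLDER = re.compile(r"\{(\w+)\}")

    def __init__(self, query: str, params: list[QueryParam]):
        self.query = query
        self.params = {p.name: p for p in params}
        missing = set(self._PLACEHOLDER.findall(query)) - set(self.params)
        if missing:
            raise ValueError(f"placeholders without definitions: {sorted(missing)}")

    def render(self, **values: Any) -> str:
        rendered = {}
        for name, param in self.params.items():
            if name in values:
                raw = values[name]
            elif param.default is not None:
                raw = param.default
            else:
                raise ValueError(f"no value for parameter {name!r}")
            rendered[name] = format_value(param.ptype, raw)
        return self._PLACEHOLDER.sub(lambda m: rendered[m.group(1)], self.query)


# Same query as above, but without quotes around {host_name}: the helper adds them.
HOST_EVENTS_QUERY = """
SecurityEvent
| where EventID == {event_id}
| where TimeGenerated between (datetime({start}) .. datetime({end}))
| where Computer has {host_name}
"""

host_events = ParamQuery(HOST_EVENTS_QUERY, [
    QueryParam("host_name", "str", "Name of host"),
    QueryParam("start", "datetime"),
    QueryParam("end", "datetime"),
    QueryParam("event_id", "int", "Windows event ID", 4688),
])


def example_render() -> str:
    """Render the query for a sample host and a one-day window (constructed values)."""
    return host_events.render(host_name="MyPC",
                              start="2023-01-01T00:00:00", end="2023-01-02T00:00:00")
```

Because formatting is decided by the declared type rather than by whatever text arrives at run time, a value passed into a notebook from a widget or a previous cell can only ever become a KQL literal of that type.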

QueryProvider - Query Search

As the number of queries for some providers grows, it has become more difficult to quickly
find the right query. We've implemented a simple search capability that lets you search
over the names or properties of queries. It takes four parameters:

- `search` - search terms to look for in the
query name, description, parameter names, table and query text.
- `table` - search terms to match on the target table of the query.
(note: not all queries have the table parameter defined in their metadata)
- `param` - search terms to match on a parameter name
- `case` - boolean to force case-sensitive matching (default is case-insensitive).

The first three parameters can be a simple string or an iterable (e.g. list, tuple)
of search terms. The search terms are treated as regular expressions. This
means that the search terms are treated as substrings (if no other
regular expression syntax is included).

Find all queries that have the term "syslog" in their properties

```python
qry_prov.search("syslog")
# equivalent to qry_prov.search(search="syslog")
```

```
['LinuxSyslog.all_syslog',
 'LinuxSyslog.cron_activity',
 'LinuxSyslog.list_account_logon_failures',
 ...
```

[See Search queries in MSTICPY Docs](https://msticpy.readthedocs.io/en/latest/data_acquisition/DataProviders.html#searching-for-a-query)
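Added example (not MSTICPy's `search` implementation): a regex search over a small constructed catalogue of query metadata with the four parameters described above. Search terms are applied with `re.search`, so plain words act as substrings; each term must match at least one of the query's fields (name, description, table, parameter names, query text), `table` and `param` narrow on those fields only, and `case=False` adds `re.IGNORECASE`. The catalogue entries, field names and the "every term must match" rule are choices made for this illustration.

```python
import re

# Constructed catalogue of query metadata (names and fields are illustrative).
QUERY_CATALOG = {
    "LinuxSyslog.all_syslog": {
        "description": "Returns all syslog records",
        "table": "Syslog",
        "params": ["start", "end"],
        "query": "Syslog | where TimeGenerated between (datetime({start}) .. datetime({end}))",
    },
    "LinuxSyslog.cron_activity": {
        "description": "Cron job activity from syslog",
        "table": "Syslog",
        "params": ["start", "end", "host_name"],
        "query": 'Syslog | where ProcessName == "CRON" | where Computer has {host_name}',
    },
    "WindowsSecurity.list_logons_by_host": {
        "description": "Logon events for a host",
        "table": "SecurityEvent",
        "params": ["host_name", "start", "end"],
        "query": "SecurityEvent | where EventID == 4624 | where Computer has {host_name}",
    },
    "Azure.list_aad_signins_for_account": {
        "description": "Azure AD sign-ins for an account",
        "table": "SigninLogs",
        "params": ["account_name", "start", "end"],
        "query": "SigninLogs | where UserPrincipalName =~ {account_name}",
    },
}


def _as_terms(value):
    """Accept None, a single string, or any iterable of strings."""
    if value is None:
        return []
    if isinstance(value, str):
        return [value]
    return list(value)


def _all_terms_match(terms, fields, flags):
    """Every term must match (re.search) at least one of the fields."""
    return all(any(re.search(term, field, flags) for field in fields) for term in terms)


def search_queries(catalog, search=None, table=None, param=None, case=False):
    """Return sorted query names whose metadata matches all supplied criteria."""
    flags = 0 if case else re.IGNORECASE
    hits = []
    for name, meta in catalog.items():
        params = meta.get("params", [])
        all_fields = [name, meta.get("description", ""), meta.get("table", ""),
                      meta.get("query", ""), *params]
        if not _all_terms_match(_as_terms(search), all_fields, flags):
            continue
        if not _all_terms_match(_as_terms(table), [meta.get("table", "")], flags):
            continue
        if not _all_terms_match(_as_terms(param), params, flags):
            continue
        hits.append(name)
    return sorted(hits)


if __name__ == "__main__":
    print(search_queries(QUERY_CATALOG, "syslog"))
    print(search_queries(QUERY_CATALOG, search=["logon", "4624"]))
```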

Support for JSON queries in Data Providers
FlorianBracq has updated the CyberReason data provider so that it supports JSON queries. The
mechanism that we used for KQL and SQL queries breaks JSON since it is a simple string substitution.
Other data sources that use JSON queries include Elastic - we are planning to leverage the same
mechanism to support parameterized Elastic queries in a future release.
Thanks FlorianBracq!
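Added example (not the MSTICPy or Cybereason code) of why text substitution is the wrong tool for a JSON query body and what a structure-aware substitution looks like instead. `QUERY_TEMPLATE` is a constructed Elasticsearch-style body, and `fill_json_template` walks the parsed document replacing whole `"{name}"` string values with the supplied Python value, so integers and lists keep their JSON types and a value containing a quote cannot corrupt the document. `naive_text_substitution` is included only to show the failure mode; all names and values here are constructed.

```python
import json

# Constructed Elasticsearch-style template (not a real Cybereason/Elastic query).
# A string value consisting solely of "{name}" marks a placeholder.
QUERY_TEMPLATE = {
    "query": {
        "bool": {
            "must": [
                {"term": {"host.name": "{host_name}"}},
                {"range": {"@timestamp": {"gte": "{start}", "lte": "{end}"}}},
            ],
            "filter": {"terms": {"event.code": "{event_ids}"}},
        }
    },
    "size": "{limit}",
}

SAMPLE_VALUES = {  # constructed run-time values
    "host_name": "web01",
    "start": "2023-01-01T00:00:00Z",
    "end": "2023-01-02T00:00:00Z",
    "event_ids": [4624, 4625],
    "limit": 100,
}


def fill_json_template(template, values):
    """Replace "{name}" placeholders with values[name], walking the parsed structure.

    The value is inserted as a Python object, so it keeps its JSON type (int stays
    int, list stays list) and its content is never parsed as JSON syntax: a quote
    or brace inside a string cannot alter the shape of the document.
    """
    if isinstance(template, dict):
        return {key: fill_json_template(val, values) for key, val in template.items()}
    if isinstance(template, list):
        return [fill_json_template(item, values) for item in template]
    if isinstance(template, str) and template.startswith("{") and template.endswith("}"):
        name = template[1:-1]
        if name not in values:
            raise KeyError(f"no value supplied for placeholder {name!r}")
        return values[name]
    return template


def render_json_query(values):
    """Return the filled query as a JSON string ready to send as a request body."""
    return json.dumps(fill_json_template(QUERY_TEMPLATE, values), sort_keys=True)


def naive_text_substitution(template_text, values):
    """The plain string-substitution approach: fine for KQL/SQL text, breaks JSON."""
    out = template_text
    for name, val in values.items():
        out = out.replace("{" + name + "}", str(val))
    return out


def naive_parsed(values):
    """Parse the naively substituted text; None if it is no longer valid JSON."""
    try:
        return json.loads(naive_text_substitution(json.dumps(QUERY_TEMPLATE), values))
    except json.JSONDecodeError:
        return None


if __name__ == "__main__":
    print(render_json_query(SAMPLE_VALUES))
    print(naive_parsed(SAMPLE_VALUES)["size"], naive_parsed({**SAMPLE_VALUES, "host_name": 'web"01'}))
```

With text substitution the integer `limit` arrives as the string `"100"`, the list arrives as the string `"[4624, 4625]"`, and a host name containing a double quote leaves the body unparsable; structural substitution has none of these problems.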

What Else has Changed?
* Kql query formatting by FlorianBracq in https://github.com/microsoft/msticpy/pull/595
* Fix minor linting issues in main by petebryan in https://github.com/microsoft/msticpy/pull/604
* Updated M365D and MDE data connectors with correct scopes when using delegated auth. by petebryan in https://github.com/microsoft/msticpy/pull/580
* Ianhelle/remove extranous nb 2022 11 28 by ianhelle in https://github.com/microsoft/msticpy/pull/588
* Enable native JSON support for Data Providers + move Cybereason driver to native JSON by FlorianBracq in https://github.com/microsoft/msticpy/pull/584
* Adding query search to data_providers.py by ianhelle in https://github.com/microsoft/msticpy/pull/587
* Fix typo by FlorianBracq in https://github.com/microsoft/msticpy/pull/606
* Ianhelle/mypy cache 2023 01 17 by ianhelle in https://github.com/microsoft/msticpy/pull/608
* Added API to QueryProvider to add a custom query at runtime by ianhelle in https://github.com/microsoft/msticpy/pull/586
* Bump sphinx from 5.3.0 to 6.1.3 by dependabot in https://github.com/microsoft/msticpy/pull/605
* Bump httpx from 0.23.0 to 0.23.3 by dependabot in https://github.com/microsoft/msticpy/pull/607
* Dynamic Summaries Sentinel API and DynamicSummary class. by ianhelle in https://github.com/microsoft/msticpy/pull/593
* Update sentinel_analytics.py list_alert_rules API version. by pensivepaddle in https://github.com/microsoft/msticpy/pull/592


**Full Changelog**: https://github.com/microsoft/msticpy/compare/v2.2.0...v2.3.0

2.2.0

Highlights

Re-architected context and TI providers
The biggest feature of this release is not directly visible but has involved a huge amount of work by FlorianBracq.
Florian spotted that our HTTP TI provider (used for several TI services such as VirusTotal, OTX, XForce) could be used more generically, specifically for non-TI sources that provided valuable context, such as ServiceNow. So, he re-worked the TI providers sub-package to pull out generic context provider capabilities used by both TI and non-TI sources.
The immediate benefit of this is the next highlight.

ServiceNow context provider
This is yet to be fully documented, but if you have a ServiceNow instance and want to hook up MSTICPy to query it, try the following.
1. Add your ServiceNow configuration to msticpyconfig.yaml

```yaml
ContextProviders:
  ServiceNow:
    Primary: True
    Args:
      TenantId: 8360dd21-0294-4240-9128-89611f415c53
      AuthKey: "authkey"
      AuthId: "authid"
    Provider: "ServiceNow"
```

Note: you can store the secrets in Key Vault in the same way as TI and other Providers - see the [Key Vault Secrets section of MSTICPy Settings Editor](https://msticpy.readthedocs.io/en/latest/getting_started/SettingsEditor.html#key-vault-secrets)

2. Import and instantiate a ContextProvider and look things up

```python
from msticpy.context.contextlookup import ContextLookup

context_lookup = ContextLookup()
result = context_lookup.lookup_observable("10.0.0.1", providers=["ServiceNow"])
result2 = context_lookup.lookup_observable("user@some.dom", providers=["ServiceNow"])
```


Defanging support for IoCExtract and TI Providers

In threat reports, IoCs are often de-fanged to make IP addresses, URLs, etc, not clickable. An example
de-fanged IP address would look something like this `17[.]34[.]21[.]195`

Previously these would not be matched by the IoCExtract patterns due to the "escaped" dots.
IoCExtract now supports common de-fanged markup such as:
* "[.]" to escape dots in IP addresses and domains,
* "@" replaced by "AT",
* "http(s)" and "(s)ftp(s)" replaced by "hXXp(s)" and "(s)fXp(s)" respectively.

We have also added support for email address patterns to IoCExtract.

TI providers will also accept de-fanged IoCs, removing the de-fanging before submitting them to the provider for lookup.

We've also supplied a couple of utility functions `defang_ioc` and `refang_ioc` in `msticpy.common.utility`. These are not yet added as Pivot functions to IpAddress, Url, Dns, Account but will be added in a future release.
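As an added example (not the `defang_ioc`/`refang_ioc` functions from `msticpy.common.utility`), the block below implements the markup rules listed above plus a classifier that validates the refanged value (IPv4 address, URL, email address or DNS name) before it would be handed to a TI provider. One deliberate difference: it writes `@` as `[at]` rather than `AT`, because the bracketed form can be reversed unambiguously. The sample IoCs are constructed or taken from this page.

```python
import ipaddress
import re
from urllib.parse import urlsplit


def defang_ioc(ioc: str) -> str:
    """Make an IoC non-clickable: http->hXXp, ftp->fXp, '.'->'[.]', '@'->'[at]'."""
    out = re.sub(r"^(https?)://", lambda m: m.group(1).lower().replace("tt", "XX") + "://",
                 ioc, flags=re.IGNORECASE)
    out = re.sub(r"^(s?ftps?)://", lambda m: m.group(1).lower().replace("ftp", "fXp") + "://",
                 out, flags=re.IGNORECASE)
    return out.replace(".", "[.]").replace("@", "[at]")


def refang_ioc(ioc: str) -> str:
    """Reverse common de-fanging markup so the value can be parsed or looked up."""
    out = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", ioc)          # 17[.]34 -> 17.34
    out = re.sub(r"^hxxp(s?)://", r"http\1://", out, flags=re.IGNORECASE)
    out = re.sub(r"^(s?)fxp(s?)://", r"\1ftp\2://", out, flags=re.IGNORECASE)
    out = re.sub(r"\[at\]|\(at\)", "@", out, flags=re.IGNORECASE)
    return out


_EMAIL = re.compile(r"[\w.+-]+@(?:[\w-]+\.)+[A-Za-z]{2,}")
_DNS = re.compile(r"(?:[\w-]+\.)+[A-Za-z]{2,}")
_URL_SCHEMES = {"http", "https", "ftp", "ftps", "sftp"}


def classify_ioc(value: str):
    """Refang `value` and return (ioc_type, clean_value); ioc_type is None if unrecognised.

    Checking the refanged form before a lookup keeps malformed or non-IoC text
    (free prose from a report, for instance) from being sent to a provider.
    """
    clean = refang_ioc(value.strip())
    try:
        ipaddress.IPv4Address(clean)
        return "ipv4", clean
    except ValueError:
        pass
    parts = urlsplit(clean)
    if parts.scheme.lower() in _URL_SCHEMES and parts.netloc:
        return "url", clean
    if _EMAIL.fullmatch(clean):
        return "email", clean
    if _DNS.fullmatch(clean):
        return "dns", clean
    return None, clean


if __name__ == "__main__":
    for sample in ("17[.]34[.]21[.]195", "hXXp://38[.]75[.]37[.]1/static/encrypt.min.js",
                   "user[at]example[.]com", "not an ioc"):
        print(sample, "->", classify_ioc(sample))
```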

Added GCC support to MDE/M365 data providers
This allows customers working with government clouds to query the correct Defender endpoints.

Python 3.11 officially supported
Although there wasn't anything in our code that was a Py 3.11 blocker, some of our dependencies took
a little while to publish 3.11-compatible wheels. That is all done now for SciPy, Statsmodels and scikit-learn,
and our build pipeline now includes a full test pass on Python 3.11. Many thanks to tonybaloney for
pushing us through this.

What's Changed
* Add base for Context Providers by FlorianBracq in https://github.com/microsoft/msticpy/pull/511
* Adding skip and warning to test_vt_pivot.py by ianhelle in https://github.com/microsoft/msticpy/pull/560
* Improved bug template getting rid of irrelevant sections by ianhelle in https://github.com/microsoft/msticpy/pull/559
* Intsights endpoint update. by FlorianBracq in https://github.com/microsoft/msticpy/pull/526
* Added support for GCC and Regional Clouds to MDE driver by petebryan in https://github.com/microsoft/msticpy/pull/525
* Resourcegraph - Incomplete list returned by pensivepaddle in https://github.com/microsoft/msticpy/pull/496
* Bump sphinx-rtd-theme from 1.0.0 to 1.1.0 by dependabot in https://github.com/microsoft/msticpy/pull/553
* Sumologic driver: custom dtypes options+fix, add paging, remove days duration int casting by juju4 in https://github.com/microsoft/msticpy/pull/481
* New mypy failures in kql_base, elastic_driver, splunk_driver, sumolog… by ianhelle in https://github.com/microsoft/msticpy/pull/564
* Bump sphinx-rtd-theme from 1.1.0 to 1.1.1 by dependabot in https://github.com/microsoft/msticpy/pull/563
* Add 3.11 to test matrix by tonybaloney in https://github.com/microsoft/msticpy/pull/546
* Update dnspython requirement from <=2.0.0 to <3.0.0 by dependabot in https://github.com/microsoft/msticpy/pull/289
* Inability to fetch "all" incidents, only 50 by pensivepaddle in https://github.com/microsoft/msticpy/pull/565
* Add de-fanging support for iocextract and TI providers by ianhelle in https://github.com/microsoft/msticpy/pull/536
* Implementing isort for context classes, adding missing docs by ianhelle in https://github.com/microsoft/msticpy/pull/567
* Add support for context provider Service Now by FlorianBracq in https://github.com/microsoft/msticpy/pull/556
* Added Sentinel TI integration features. by petebryan in https://github.com/microsoft/msticpy/pull/532
* Ianhelle/pygeohash and exceptions 2022 11 11 by ianhelle in https://github.com/microsoft/msticpy/pull/566
* Removing debug prints and duplicate code. by petebryan in https://github.com/microsoft/msticpy/pull/570
* Moving ASN http lookup to execute at runtime, when whois lookup happens. by ianhelle in https://github.com/microsoft/msticpy/pull/568
* Added a new set of Sentinel queries related to network activity using the CommonSecurityLog data source. by petebryan in https://github.com/microsoft/msticpy/pull/524
* Fixed issues with dataprovider instances by ianhelle in https://github.com/microsoft/msticpy/pull/549
* Adding AzureAuthentication.rst by ianhelle in https://github.com/microsoft/msticpy/pull/578


**Full Changelog**: https://github.com/microsoft/msticpy/compare/v2.1.5...v2.2.0

2.1.5

The main driver for this release is to restrict versions of bokeh, ipywidgets and pandas.
* Version 3.0.0 of bokeh plots has some breaking changes that prevent it working with MSTICPy
* Version 8.0.0 of ipywidgets has changes that prevent some of the MSTICPy compound widgets displaying correctly.

We also decided to start restricting versions of some of our other dependencies to the current major version - to prevent unexpected breaking changes stopping MSTICPy from working. We have included pandas in this list and will expand it to cover more packages in future. We will combine this with an automated build job that has no version restrictions so that we're aware of version changes that we need to address. The intent here is to have MSTICPy have as broad a version range as possible for its dependencies while still avoiding failures due to breaking changes.

Another small but important change is an update to the Process Tree viewer to allow process GUIDs as process IDs (rather than just hex or decimal format integers). Thanks to nbareil for this change!

What's Changed
* process_tree: Accept GUID format for ProcessID and ParentProcessID by nbareil in https://github.com/microsoft/msticpy/pull/542
* Bump sphinx from 5.1.1 to 5.3.0 by dependabot in https://github.com/microsoft/msticpy/pull/540
* Bump readthedocs-sphinx-ext from 2.1.9 to 2.2.0 by dependabot in https://github.com/microsoft/msticpy/pull/545
* Update AzureBlobStorage.rst by garybushey in https://github.com/microsoft/msticpy/pull/539
* Adding upper version restrictions to bokeh, pandas and ipywidgets deps by ianhelle in https://github.com/microsoft/msticpy/pull/552

New Contributors
* garybushey made their first contribution in https://github.com/microsoft/msticpy/pull/539

**Full Changelog**: https://github.com/microsoft/msticpy/compare/v2.1.4...v2.1.5

2.1.4

Some minor fixes and improvements:

* MicrosoftSentinel class now defaults to the "Default" workspace, or to the workspace name supplied as the `workspace` parameter
when connecting.

```python
from msticpy.context.azure import MicrosoftSentinel

sentinel = MicrosoftSentinel()
sentinel.connect()  # connect to "Default" workspace
sentinel.connect(workspace="MyWorkspace")  # connect to named workspace
```

* Sentinel `create_*` APIs now return the ID of the new item (incident, bookmark, analytic, watchlist)
* init_notebook now accepts a `config` parameter to use a custom `msticpyconfig.yaml` for the notebook session (overrides the environment variable and other defaults)

```python
import msticpy as mp
mp.init_notebook(config="~/configs/all_ti_provs.yaml")  # use a custom msticpy config file.
```

* Sentinel configuration editor no longer throws an exception if named control not found
* Sentinel TI provider will not attempt lookups if `ThreatIntelligenceIndicator` table not found in the Sentinel data provider schema
* Support for Kusto/Azure Data explorer settings in Settings editor
* Added checked_kwargs decorator to utility/types.py

What's Changed
* Ianhelle/training hotfixes 2022 10 13 by ianhelle in https://github.com/microsoft/msticpy/pull/543
* Updated ReadMe with Blackhat Arsenal Tag by petebryan in https://github.com/microsoft/msticpy/pull/521


**Full Changelog**: https://github.com/microsoft/msticpy/compare/v2.1.3...v2.1.4


© 2025 Safety CLI Cybersecurity Inc. All Rights Reserved.