Release Summary
There are several cool new features in this release:
- Microsoft Sentinel Incident exploration
- RiskIQ Threat Intelligence provider and pivot functions
- Microsoft Defender 365 API/Data provider support
- Preview Azure Data Explorer/Kusto data provider support
- Microsoft graph provider now supports sovereign clouds
- ProcessTree visualization support for Microsoft Defender data in Microsoft Sentinel
Microsoft Sentinel Incident Exploration
0037dd6 Merge pull request #211 from microsoft/pebryan/2021-8-18_IncidentTriage
Provides new features to support Incident Triage scenarios (as included in the new Microsoft Sentinel Incident Triage notebook https://github.com/Azure/Azure-Sentinel-Notebooks/pull/120).
Entity Graph Visualization
This new visualization allows for the graphing of an investigation including any alerts, incidents or entities associated with that investigation.
The graph can be created, updated and visualized either as a graph or with a graph and a timeline of the graph event times.
```python
from msticpy.vis.entity_graph_tools import EntityGraph

# incident: an incident object retrieved via the Microsoft Sentinel incident API
graph = EntityGraph(incident)
graph.plot()
```
<img title="A sample entity graph" src="https://github.com/microsoft/msticpy/blob/e0b8c371c109d0d26115746192db589e40d70af9/docs/source/visualization/_static/entitygraph.png">
The Entity Graph can also be created from a dataframe of events, either by passing in the dataframe or as a Pandas accessor.
```python
# df: a DataFrame of incident/alert/entity events
df.mp_plot.incident_graph(timeline=True)
```
<img title="A sample entity graph with timeline" src="https://github.com/microsoft/msticpy/blob/main/docs/source/visualization/_static/entitygraph_w_timeline.png">
Microsoft Sentinel Incident API support
---
RiskIQ PassiveTotal TI provider and Pivot provider
9353d9f RiskIQ threat intel provider & pivots (#175)
Delivers a new "RiskIQ" threat intel provider, enabling access to RiskIQ Summary Card and Reputation
datasets for IPs and hostnames with the same syntax and response format used with other TI Providers.
```python
from msticpy.sectools import TILookup

ti_lookup = TILookup()
lookup_result = ti_lookup.lookup_ioc(observable="137.184.153.130", providers="RiskIQ")
# Transpose the single-row result for easier reading in a notebook
ti_lookup.result_to_df(lookup_result).T
```
Introduces a new mechanism for registering MSTICPy Pivot Functions provided by threat intel providers,
then uses that code to register capabilities for nearly all RiskIQ API endpoints on hostnames, FQDN and
IPAddress entities. These pivot functions enable easy integration of RiskIQ-provided intelligence in
existing pivot pipelines, and makes it easy to build new pipelines leveraging unique RiskIQ datasets.
```python
from msticpy.datamodel.entities import Dns, IpAddress

# Resolve a hostname, keep only A records, then chain RiskIQ reputation
# and reverse-resolution lookups on the resolved IP addresses.
(
    Dns.RiskIQ.resolutions("jquery.su")
    .query("recordtype=='A'")
    .mp_pivot.run(Dns.RiskIQ.reputation, column='resolve', join='left')
    .mp_pivot.run(IpAddress.RiskIQ.resolutions, column='resolve', join='left')
)
```
More documentation on this will follow.
Authored by Mark Kendrick <mark.kendrick@microsoft.com>
Co-authored-by: (some minor contribs!) Ian Hellen <ianhelle@microsoft.com>
---
Preview support for Kusto (Azure Data Explorer)
98864aa Ianhelle/kusto and md365 support 2021 11 01 (#225)
This release contains a preview (i.e. not fully baked) of support for Kusto cluster querying and Microsoft Defender 365 data providers.
The Kusto/Azure Data Explorer support is based on the existing Microsoft Sentinel provider.
```python
from msticpy.data import QueryProvider

kusto_provider = QueryProvider("Kusto")
kusto_provider.connect(
    "azure_data-Explorer://code;cluster='my_cluster';database='my_db';alias='my_alias'"
)
```
More documentation will follow on configuration in msticpyconfig.yaml and on
how to build template queries for Kusto/Azure Data Explorer.
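The connection string above follows a small `scheme://auth;key='value';...` grammar. The parser below is an added example (not msticpy's own code) that splits such a string into its parts and checks that the parameters the notes use (`cluster`, `database`) are present. Treating the token before the first `;` (`code`) as the authentication method is an assumption; the key names come from the string on this page.

```python
"""Parse and build Kusto/Azure Data Explorer connection strings.

Added example, not msticpy code. Format assumed from the release notes:
    <scheme>://<auth>;cluster='...';database='...';alias='...'
Interpreting the leading token ("code") as the auth method is an assumption.
"""
from typing import Dict, Optional

REQUIRED_KEYS = ("cluster", "database")


def _unquote(value: str) -> str:
    """Strip one layer of matching single or double quotes."""
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        return value[1:-1]
    return value


def parse_kusto_connection(conn_str: str) -> Dict[str, str]:
    """Split a connection string into scheme, auth and key/value parameters.

    Raises ValueError for a malformed string or a missing required key,
    so a bad config fails fast instead of producing a confusing auth error.
    """
    scheme, sep, rest = conn_str.partition("://")
    if not sep or not scheme:
        raise ValueError("connection string must look like <scheme>://...")
    parts = rest.split(";")
    result = {"scheme": scheme, "auth": parts[0].strip()}
    for part in parts[1:]:
        if not part.strip():
            continue  # tolerate a trailing ';'
        key, eq, value = part.partition("=")
        if not eq:
            raise ValueError(f"expected key='value', got {part!r}")
        result[key.strip().lower()] = _unquote(value)
    missing = [k for k in REQUIRED_KEYS if k not in result]
    if missing:
        raise ValueError(f"missing required parameter(s): {missing}")
    return result


def build_kusto_connection(
    cluster: str,
    database: str,
    alias: Optional[str] = None,
    auth: str = "code",
    scheme: str = "azure_data-Explorer",
) -> str:
    """Build a connection string in the same format (inverse of the parser)."""
    params = [f"cluster='{cluster}'", f"database='{database}'"]
    if alias:
        params.append(f"alias='{alias}'")
    return f"{scheme}://{auth};" + ";".join(params)


if __name__ == "__main__":
    # Constructed sample, same shape as the string in the release notes
    sample = "azure_data-Explorer://code;cluster='my_cluster';database='my_db';alias='my_alias'"
    print(parse_kusto_connection(sample))
    print(build_kusto_connection("my_cluster", "my_db", alias="my_alias"))
```

`parse_kusto_connection` lower-cases keys so `Cluster=` and `cluster=` are treated alike; the round trip `parse_kusto_connection(build_kusto_connection(...))` returns the original values.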
Support for Microsoft 365 Defender data providers
This is a slight expansion of our current support for MS Defender for Endpoint. Using the new "M365D" provider name
will cause the provider to use the new combined Microsoft Defender APIs, giving you consolidated access
to data from multiple Defender services.
To create a provider for Microsoft 365 Defender:
```python
from msticpy.data import QueryProvider

m365d_provider = QueryProvider("M365D")
m365d_provider.connect()
```
All template queries that were available for MDE are also loaded for M365D.
Using Microsoft Defender for Endpoint is still supported. To use only
the Microsoft Defender for Endpoint APIs, use "MDE".
You can specify your connection parameters in msticpyconfig.yaml:
```yaml
DataProviders:
  ...
  MicrosoftDefender:
    Args:
      ClientId: 66b9818a-26cd-4584-8eb0-7f7a499242aa
      ClientSecret:
        KeyVault:
      TenantId: 8360dd21-0294-4240-9128-89611f415c53
```
This configuration expects to find the client secret in your configured Key Vault with the name
"DataProviders-MicrosoftDefender-Args-ClientSecret" (the msticpy config editor will create this for you).
You can store the secret in your config file but, obviously, we would not recommend this.
You can also specify configuration/secret values in the call to m365d_provider.connect().
For more information see the [Defender provider MSTICPy documentation](https://msticpy.readthedocs.io/en/latest/data_acquisition/DataProviders.html#microsoft-365-defender)
Other improvements
The Graph provider now supports sovereign clouds as well as the Azure global cloud.
You can configure settings for MS Defender and MS Graph via the MSTICPy settings editor.
If you have configured settings for these you can now connect with a simplified
syntax, with no parameters required.
```python
from msticpy.data import QueryProvider

graph_prov = QueryProvider("SecurityGraph")
graph_prov.connect()
```
The schema for the configuration is the same format as the Defender format described above.
```yaml
DataProviders:
  ...
  MicrosoftGraph:
    Args:
      ClientId: 66b9818a-26cd-4584-8eb0-7f7a499242aa
      ClientSecret:
        KeyVault:
      TenantId: 8360dd21-0294-4240-9128-89611f415c53
```
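Both the MicrosoftDefender and MicrosoftGraph entries above use the same convention: an empty `KeyVault:` mapping under `ClientSecret` means the secret is looked up in Key Vault under the config path joined with `-` (for Defender, `DataProviders-MicrosoftDefender-Args-ClientSecret`). The script below is an added example, not msticpy code, that walks an already-parsed config (the dict `yaml.safe_load` would return), derives the expected Key Vault secret name for each Key Vault reference, and flags any provider whose secret is stored as a plaintext value in the file. The sample config is constructed here; the plaintext Graph secret in it is a deliberate placeholder to show the finding.

```python
"""Audit DataProviders secrets in a parsed msticpyconfig.yaml.

Added example, not msticpy code. Assumes the YAML has been parsed into a
dict. The secret-name convention (config path joined by '-') is the one the
release notes give for DataProviders-MicrosoftDefender-Args-ClientSecret.
"""
from typing import Any, Dict, List, Tuple

# Constructed sample config. Defender uses a Key Vault reference (as in the
# release notes); Graph deliberately holds a plaintext placeholder secret.
SAMPLE_CONFIG: Dict[str, Any] = {
    "DataProviders": {
        "MicrosoftDefender": {
            "Args": {
                "ClientId": "66b9818a-26cd-4584-8eb0-7f7a499242aa",
                "ClientSecret": {"KeyVault": None},
                "TenantId": "8360dd21-0294-4240-9128-89611f415c53",
            }
        },
        "MicrosoftGraph": {
            "Args": {
                "ClientId": "66b9818a-26cd-4584-8eb0-7f7a499242aa",
                "ClientSecret": "PLACEHOLDER-plaintext-secret",  # constructed
                "TenantId": "8360dd21-0294-4240-9128-89611f415c53",
            }
        },
    }
}

# Settings whose values are credentials and should live in Key Vault.
SECRET_KEYS = {"ClientSecret"}


def keyvault_secret_name(path: Tuple[str, ...]) -> str:
    """Key Vault secret name for a config path: the path joined with '-'."""
    return "-".join(path)


def is_keyvault_ref(value: Any) -> bool:
    """A Key Vault reference is a mapping containing a 'KeyVault' key.

    The value under it may be empty (None), which is what an empty
    'KeyVault:' line in YAML parses to.
    """
    return isinstance(value, dict) and "KeyVault" in value


def audit_secrets(config: Dict[str, Any]) -> List[Tuple[str, str, str]]:
    """Classify every secret-bearing setting under DataProviders.*.Args.

    Returns (provider, setting, status) tuples where status is one of
    'keyvault:<secret-name>', 'plaintext' or 'missing'.
    """
    findings: List[Tuple[str, str, str]] = []
    providers = config.get("DataProviders", {}) or {}
    for provider, settings in providers.items():
        args = settings.get("Args", {}) if isinstance(settings, dict) else {}
        for key, value in (args or {}).items():
            if key not in SECRET_KEYS:
                continue
            if is_keyvault_ref(value):
                name = keyvault_secret_name(("DataProviders", provider, "Args", key))
                findings.append((provider, key, f"keyvault:{name}"))
            elif value:
                findings.append((provider, key, "plaintext"))
            else:
                findings.append((provider, key, "missing"))
    return findings


def plaintext_secrets(config: Dict[str, Any]) -> List[str]:
    """Dotted paths of secrets stored as literal values in the config file."""
    return [f"{p}.Args.{k}" for p, k, s in audit_secrets(config) if s == "plaintext"]


if __name__ == "__main__":
    for finding in audit_secrets(SAMPLE_CONFIG):
        print(finding)
    print("plaintext secrets:", plaintext_secrets(SAMPLE_CONFIG))
```

Run over a real config by replacing `SAMPLE_CONFIG` with `yaml.safe_load(open("msticpyconfig.yaml"))`; a non-empty result from `plaintext_secrets` is the condition the notes advise against.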
Process Tree visualization supports MS Sentinel schema for MDE process data
The schema of the DeviceProcessEvents table in Microsoft Sentinel is different
from the data queried directly from the MS Defender advanced hunting API. This
update allows you to query MS Defender process data from Microsoft Sentinel and
display it in the Process Tree visualization.
New CI Pipelines using GitHub Actions and Azure Pipelines
The old Azure DevOps pipeline has been decommissioned and replaced by two new ones: GitHub Actions and an improved version of the Azure DevOps pipeline.
The main advantage of the GitHub actions pipeline is that the results
of tests and code checks are visible to external contributors.
However, there are some component governance and security checks that
we are required to run by Microsoft but which are not currently available
in GitHub actions. We've opted to run both in parallel.
The new Azure DevOps pipeline is more sophisticated and comprehensive than
the previous one. It allows us to run builds and tests on Windows, Linux and
Mac platforms and to cover Python versions 3.6 and 3.8.
(Note: we will likely switch to 3.8 and 3.10 in the near future)
Other changes and fixes
98864aa Ianhelle/kusto and md365 support 2021 11 01 (#225)
- Fixing issue in odata_driver.py where api_root would keep getting suffix appended if you connected multiple times.
- Adding multi-cloud support for MS Graph API in security_graph_driver.py
- Fixing syntax errors in graph_alerts.yaml
- Updating tests for test_drivers and test_kql_driver
- Fixed an issue in kql_driver with Kusto returning a different status code format
1c2c1be Disabling IPstack tests because of restricted API allowance (#224)
- Disabling IPstack tests because of restricted API allowance
- Fixing incorrect assignment in test_geoip.py
- 56fcb81 Updating readme badge to reflect new build pipeline
- cdff1ff Update sphinx requirements in azure-pipelines.yml for Azure Pipelines
- ce8cbe1 Update README.md to include downloads
- 0cb20fd Updated way of getting instance and domain name for azure_ml_tools.py (#217)
- Updated checking for version of msticpy using setuptools/pkg_resources in azure_ml_tools.py
- Added warning if running with stale import of newly updated msticpy.
- 8043207 Ianhelle/timeline args check 2020 09 21 (#219): Adding some error checking of column names to timeline_values and timeline_duration
- a7498a3 Ianhelle/azure pipelines yaml 2021 09 09 (#201)
- Pylint and mypy fixes in:
- anomalous_sequence/model.py
- anomalous_sequence/utils/cmds_params_values.py
- common/pkg_config.py
- common/wsconfig.py
- config/comp_edit.py
- config/mp_config_file.py
- data/data_providers.py
- data/data_query_reader.py
- data/query_store.py
- data/sql_to_kql.py
- datamodel/entities/host.py
- datamodel/entities/ip_address.py
- datamodel/pivot_register_reader.py
- nbtools/morph_charts.py
- nbtools/nbdisplay.py
- nbtools/security_alert.py
- nbtools/security_base.py
- sectools/auditdextract.py
- sectools/base64unpack.py
- sectools/cmd_line.cmd_line.py
- Adding pylint --disable=duplicate-code
- Updating pylint requirements in requirements-dev.txt and .pre-commit-config.yaml
- Add [with_pyroma] to prospector install
- Duplicating noqa MC0001 suppressions since prospector/McCabe now seem to ignore decorators and locate the offending line as the "def" line rather than the decorator line.
- Fixing MyPy-discovered error in nbwidgets.AlertSelector
9f122ee refactored code in test_geoip
907e486 Remove un-needed code in test_geoip
8ae01f7 Updated test_geoip to fix failure case
e5aadac Added missing parameters to list_all_signins_geo
v.1.5.0pre3
(The release notes for this pre-release are identical to the notes above.)