Sentinel Search API, Azure Authentication, Settings management, HTTPX timeouts
Summary
There are some feature changes and fixes in this release:
- MS Sentinel Search API support in the Sentinel package - allowing you to create, check the status of, and delete automated search jobs.
- Authentication updates to:
  - support a wider range of Azure authentication types (including VSCode and PowerShell)
  - specify the tenant ID at auth time (this was a specific issue for Azure Data Explorer users)
  - let you use MSAL token caching
- Fixes to httpx timeouts. We recently switched from requests to httpx and have changed the default timeout to None (as in requests). You can also set the timeout in configuration, or specify it when calling a function that makes a network request, e.g. mde_prov.my_query(...params, timeout=30)
- MpConfigEdit now behaves better when no existing msticpyconfig.yaml exists - making it easier to create a config file from scratch.
What's Changed
- Ianhelle/mp config edit load fix 2022 03 28 by @ianhelle in #352
  - Also fixes to multiple widgets for papermill/automation. Can now set the QueryTime timespan programmatically.
  - Fix to Sentinel data provider to prevent re-auth for every query.
- Pebryan/2022 3 29 auth updates by @petebryan in #351
  - Re-implemented using DefaultCredential
  - Added support for MSAL token cache
- Bump sphinx from 4.4.0 to 4.5.0 by @dependabot in #350
- Fixes for GeoLiteLookup and MpConfigEdit by @ianhelle in #356
  - GeoIPLite no longer tries to update the DB during initialization - only on first query
  - Fixes to MpConfigEdit and MpConfig file for msticpyconfig path handling.
- Some fixes to Kusto common_imports by @ianhelle in #358
  - Kusto queries now support a "database" element in the query file. This controls which database is used, rather than having to encode it inside the data family. Read more here: https://msticpy.readthedocs.io/en/latest/data_acquisition/DataProv-Kusto.html
- Changing the pattern for httpx timeout to default to Timeout(None) by @ianhelle in #378
  - Config-based setting for HTTP timeouts
  - Can be overridden in calls in several providers - OData (MSGraph, MDE) and HTTP-based TI providers.
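The timeout behaviour described above (no timeout by default, a value from configuration, and a per-call override that wins over both) is easy to get subtly wrong, in particular distinguishing "the caller passed nothing" from "the caller passed timeout=None". The following is an added example, not code from msticpy or this release; the settings dictionary stands in for a loaded msticpyconfig.yaml and the `http_timeout` key name is an assumption made for the example, not a documented msticpy setting.

```python
"""Resolve an HTTP timeout with the precedence this release describes:
explicit call argument > configuration setting > no timeout (httpx.Timeout(None)).

Added illustration, not msticpy's own code. SAMPLE_SETTINGS is a constructed
stand-in for msticpyconfig.yaml and the "http_timeout" key is an assumption.
"""
from __future__ import annotations

from typing import Any, Mapping, Optional, Union

try:
    import httpx  # only needed to build a client; the resolution logic is pure Python
except ImportError:  # keeps the example importable on a machine without httpx
    httpx = None

TimeoutValue = Union[None, float, int, str]

# Constructed settings, shaped like a loaded msticpyconfig.yaml (key name assumed).
SAMPLE_SETTINGS: Mapping[str, Any] = {"msticpy": {"http_timeout": 30}}

# Sentinel meaning "caller passed no timeout at all", so that an explicit
# timeout=None can still mean "wait forever" and override the config value.
_UNSET = object()


def _coerce(value: TimeoutValue, source: str) -> Optional[float]:
    """Turn a timeout from config or a call into seconds (float) or None."""
    if value is None:
        return None
    try:
        seconds = float(value)
    except (TypeError, ValueError) as err:
        raise ValueError(f"{source}: timeout must be seconds or None, got {value!r}") from err
    if seconds <= 0:
        raise ValueError(f"{source}: timeout must be positive, got {seconds}")
    return seconds


def resolve_timeout(call_timeout: Any = _UNSET,
                    settings: Optional[Mapping[str, Any]] = None) -> Optional[float]:
    """Precedence: explicit call argument > configuration setting > no timeout."""
    if call_timeout is not _UNSET:
        return _coerce(call_timeout, "call argument")
    configured = (settings or {}).get("msticpy", {}).get("http_timeout")
    if configured is not None:
        return _coerce(configured, "msticpyconfig.yaml msticpy.http_timeout")
    return None  # the new default: no timeout, as with requests


def make_client(call_timeout: Any = _UNSET, settings: Optional[Mapping[str, Any]] = None):
    """Build an httpx.Client whose timeout follows the precedence above."""
    if httpx is None:
        raise RuntimeError("httpx is not installed")
    return httpx.Client(timeout=httpx.Timeout(resolve_timeout(call_timeout, settings)))


if __name__ == "__main__":
    cases = [
        ("no config, no argument", {}),
        ("config only", {"settings": SAMPLE_SETTINGS}),
        ("argument overrides config", {"settings": SAMPLE_SETTINGS, "call_timeout": 5}),
        ("explicit None overrides config", {"settings": SAMPLE_SETTINGS, "call_timeout": None}),
    ]
    for label, kwargs in cases:
        print(f"{label}: {resolve_timeout(**kwargs)}")
```

The practical point for notebook users is the first case: with nothing configured and no argument, a request to an unresponsive endpoint will block indefinitely, so a value in configuration is the safer baseline and a per-call argument is the way to relax it for a known slow query.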
- Add Workflow to Tweet by @petebryan in #369
  - Testing a workflow to automatically tweet status on PR completion
- Fixed minor issues by @petebryan in #371
  - Some issues with incident exploration having incomplete information
- Fixing bug in local_data_driver.py when a CSV has no TimeGenerated field by @ianhelle in #374
  - Also added a new Sentinel query, list_logon_attempts_by_ip
- Ianhelle/nb fixes 2022 04 20 by @ianhelle in #379
- Added new Sentinel Search features by @petebryan in #376
  - Sentinel Search API - can create, delete and check the status of an automated search
  - Also added handling for the case where you have only one Sentinel workspace configured - it will be treated as the default even if it is not marked as the default.
Full Changelog: v1.7.5...v1.8.0