Msticpy

Latest version: v2.12.0

Page 10 of 15

1.0.0.pre2

Overview

We've finally decided that we're ready to put a 1.0.0 release number
on MSTICPy and move out of the Beta world.

There are three new features in this release and one major update.

- Flexible dependencies with pip extras
- Settings management and auto-load of components
- An experimental SQL to KQL translator
- Significant updates to the pivoting library.

New Features

MSTICPY Dependencies - Implementing Extras 128

We've split MSTICPy dependencies into "extras". This means that the
base install of MSTICPy does not install every dependency. Previously,
many rarely-used dependencies were installed regardless of whether
they were going to be used or not.
This is coupled with a refactoring of the code so that, should you try
to use functionality whose dependency is not installed, an informative
exception message is displayed telling you which extra you need to install.

- Implemented pip "extras" for msticpy install - drastically reduces
install time for core msticpy.
- Refactored many modules to emit informative warning if user tries to load functionality
that requires a different "extra"
- Refactored unit tests to work with missing extras.
- Added pyperclip to pkg dependencies exceptions.
- Added extras documentation to [Installing documentation](https://msticpy.readthedocs.io/en/latest/getting_started/Installing.html)
- Added requirements-all.txt - that will always install *all* dependencies.
- Added pre-commit hook to generate requirements-all.txt
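
The pattern described above (check for the optional dependency only when the feature is used, then name the extra to install) as an added example. This is not MSTICPy's own code: `MissingExtraError`, `requires_extra`, `missing_modules`, the extra name `demo_extra` and the module names are hypothetical.

```python
import importlib.util
from functools import wraps


class MissingExtraError(ImportError):
    """Raised when a feature needs packages that only an extra installs."""

    def __init__(self, package, extra, missing):
        self.extra = extra
        self.missing = tuple(missing)
        super().__init__(
            f"Needs {', '.join(self.missing)}, not part of the base {package} install. "
            f'Install with: pip install "{package}[{extra}]"'
        )


def missing_modules(modules):
    """Return the names in `modules` that cannot be found, without importing them."""
    missing = []
    for name in modules:
        try:
            found = importlib.util.find_spec(name) is not None
        except (ImportError, ValueError):  # missing parent package or broken spec
            found = False
        if not found:
            missing.append(name)
    return missing


def requires_extra(extra, modules, package="msticpy"):
    """Decorator: check at call time, so importing the package itself stays cheap."""
    def decorator(func):
        @wraps(func)
        def wrapper(*args, **kwargs):
            missing = missing_modules(modules)
            if missing:
                raise MissingExtraError(package, extra, missing)
            return func(*args, **kwargs)
        return wrapper
    return decorator


# Constructed usage: "demo_extra" and the module names are placeholders.
@requires_extra("demo_extra", ["json", "not_a_real_module_xyz"])
def lookup(value):
    return value.upper()

@requires_extra("demo_extra", ["json"])
def parse(value):
    return value.strip()
```

Because the check runs at call time rather than import time, a base install pulls in fewer third-party packages and only fails, with an actionable message, when an uninstalled feature is actually used.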

MSTICPY config settings management 136

The MSTICPy configuration file has grown to be quite complex. We've tried
to address this by creating some interactive tools to let you create and edit
settings using a simple GUI and creating a notebook that walks you through
creating your settings file for the first time.

MSTICPy itself has a number of initialization/loading steps that you need to carry out
before starting to use it in a notebook. The other part of this feature
is the ability to specify, in settings, what to load at initialization.
Components that can be auto-loaded include: DataProviders, TI Providers,
Notebooklets and Pivot functions. These are specified in the msticpyconfig.yaml
(you can edit these settings with the Settings editor) and auto-loaded
when you run `init_notebook()` at the start of your notebook.

- Flexible UI for configuring MSTICPy settings
- User environment configuration for notebooks - lets you specify (in
settings) which providers, modules, etc. should be loaded automatically.
- Added minimal output from nbinit to show imported modules
- Added check_version in init_notebook function to indicate if
a new version of MSTICPy has been released.
- Added a function to retrieve and show current KV secrets
- Updated [MSTICPy Configuration documentation](https://msticpy.readthedocs.io/en/latest/getting_started/msticpyconfig.html)
- Added [MSTICPy Settings Editor documentation](https://msticpy.readthedocs.io/en/latest/getting_started/SettingsEditor.html)
- Added [MSTICPy Settings notebook](https://github.com/microsoft/msticpy/blob/master/docs/notebooks/MPSettingsEditor.ipynb)
- Added [documentation diagram](https://github.com/microsoft/msticpy/blob/master/docs/diagrams/MPSettingsConfig.png)
Config editor, auto-load, dependencies and Sql2Kql translator

SQL to KQL Translator 132

- Core feature implemented as msticpy.data.sql_to_kql using moz_sql_parser
- Support for limited SparkSQL extensions
- [SQL TO KQL Conversion Documentation](https://msticpy.readthedocs.io/en/latest/data_acquisition/SqlToKql.html)
- [SQLToKql Notebook](https://github.com/microsoft/msticpy/blob/master/docs/notebooks/SqlToKql.ipynb)

Updated Features

Pivot Functions 131

The pivot functionality has been updated with several usability and
documentation improvements. Notable features include:

- Pivot browser, letting you browse/search for pivot functions.
- Persistent Pipelines - you can save pipelined pivot operations in a
YAML file and run them on input DataFrames

Full list of changes

- Made AzureSentinel and MDE the preferred names for LogAnalytics and MDE drivers.
- Added pivot_browser UI - pivot_browser.py
- Added ability to read pipeline definitions from yaml files - pivot_pipeline.py
- Adding pivot.tee_exec pipeline function - in pivot_pd_accessor.py
- Add ability to add arbitrary/ad hoc functions as pivots - in pivot.py
- Exposing get_timespan function in Pivot class as public function - in pivot.py.
- Added DNS entity to several pivot functions - mp_pivot_reg.yaml
- Fixed some queries for more consistency.
- Pivot data query functions now prefixed with table name.
- Added ability for pivot functions to return raw output.
- Add joins for pivot data queries in pivot_data_queries.py
- Add "print" query debug parameter in data_providers.py
- Add find_entity function in entities __init__.py
- Add "pivots" attribute (an alias for get_pivot_list) in entity.py
- Add ability to set timespan more flexibly. Calling set_timespan() no longer resets the timespan.
- Add PivotBrowser method to Pivot class - in pivot.py
- Switched engine to "Python" for pd.read_csv in pivot_magic_core.py to handle more formatting types.
- Add positional parameters to pipeline step and cleaned up code in pivot_pipeline.py
- Updated [PivotFunctions documentation](https://msticpy.readthedocs.io/en/latest/data_analysis/PivotFunctions.html)
- Updated [PivotFunctions Notebook](https://github.com/microsoft/msticpy/blob/master/docs/notebooks/PivotFunctions.ipynb)
- Added [PivotFunctions-Introduction notebook](https://github.com/microsoft/msticpy/blob/master/docs/notebooks/PivotFunctions-Introduction.ipynb)

Miscellaneous Updates and Additions

- Added [SplunkProvider documentation](https://msticpy.readthedocs.io/en/latest/data_acquisition/SplunkProvider.html)
- Updated [README](https://github.com/microsoft/msticpy/blob/master/README.md) and [package summary](https://msticpy.readthedocs.io/en/latest/getting_started/PackageSummary.html) section of MSTICPy to align with current features

Fixes

- Updated formatting for new black version
- Remove unneeded code from keyvault_client.py
- Fixed pivot_register_reader to skip classes that cannot be instantiated (e.g. IPStack if user doesn't have API key)
- Additions/corrections to Installing.rst
- Correction to FoliumMap.ipynb - removing `dropna` from read_csv in FoliumMap notebook
- Adding vt, vt_graph to Sphinx mock list
- Fixed some problems and renamed module locations in notebooks and RST docs.
- Some corrections to documentation in AzureSentinel and DataAcquisition docs.
- Some fixes to tests for test_pkg_imports and import_analyzer.py
- Fix to config2kv.py to correct some problems
- Fix for ipywidgets warning about deprecated on_submit() method
- Multiple fixes for typos and duplicate section names in: DataProviders.rst, UploadData.rst, PivotFunctions.rst
- Fixed issue in nbinit.py where extra_imports were being lost.
- Fix for QueryTime in nbwidgets.py - exception if user types invalid value into date field.
- Fixed several issues in test_mp_release.cmd with messed up folders/current folder.
- Bandit warning on use of random.randint()
- Removing test "secret" from MPSettingsEditor.ipynb triggering credscan warning

1.0.0.pre1

Test pre-release

0.9.0

Not secure
The big feature update for this release is *pivot functions*. These link much of the functionality of MSTICPy to entities (like IP Address, Host, URL). This includes queries, TI and GeoIP lookups and a number of other utility functions. It means that, if you have a function that you want to run (e.g. a WhoIs lookup), you don't need to remember which module to install or what the function syntax is - you can find this function as an attribute of the IpAddress entity class.
The second advantage that pivot functions bring is consistency. All the functions have a wrapper layer that normalizes both input and output.
All functions can take input as a string, a list (or other iterable) or a pandas DataFrame. They all return the results as a DataFrame as well, making it easier to display/read the output and use the output as input to further functions.

New Features 127
* Pivot functions
* Refactored entities into separate modules and added graphing extensions
* Update MordorData.rst doc with better intro section
* Added function to AzureResource entity to break up resource string and expose individual elements
* Adding hash_account as separate item type to data_obfus.py
* Making hash_ip more flexible - ignoring things like localhost

Fixes
* Fixing the credscan suppression for test_splunk_uploader
* Correction to FoliumMap.ipynb
* Added flexible import to deal with azure-mgmt-monitor version changes.
* Bug fix and nasty workaround for old test setup removed in pkg_config.py
* PR updates adding comments, some grammar fixes and obfuscation of names.
* Fixed a bug in path construction for download file.
* 7b0b0d5 Mypy warning in new release of mypy. (134)
* Fixing lint/formatting errors in vtlookupv3.

0.8.9

Not secure
New Features/Updates
- Azure Sentinel API Support (122) including:
  - Retrieve Security Incidents, Queries
  - New authentication options to chain Kqlmagic auth from Azure auth
- vtlookupv3 performance improvements (117)
  - Add get_object function and some date formatting to vtlookupv3.py
  - Adding vtlookupv3 module to API docs.
- Data obfuscation updates (123)
  - Adding hash_account as separate item type to data_obfus.py
  - Making hash_ip more flexible - ignoring masking of localhost and private IPs
  - Updating documentation, tests and mapping file.

Fixes
- 2f2dcc2 Updating for new version of Azure monitor (2.0.0) (133)
- 47be893 Bump azure-identity from 1.4.0 to 1.5.0 (129)
- efe2618 Some miscellaneous fixes to Mordor driver (115)
- 413d289 Pinning pip version to 20.2.4 (temporary move to avoid build break due to new dependency behavior)
- fcf5126 Adding credscan suppressions and changing a few dummy passwords to prepare for BFG git history re-write (126)
- 0c557d5 corrected timeline legend order (119) Authored-by: Noé Pion
- 1a04005 Adding html5lib to requirements

0.8.8

Not secure
Hotfix release

Fixes
- 08b048d If AzureCLI section is not in msticpyconfig.yaml, no longer throws exception
- Updated AzureSentinel API notebook so that it has data (obfuscated).
- 3384c87 Updated .pre-commit-config.yaml to exclude tests from pylint and flake8 checks
- 7b276a3 Adding azure-mgmt-core>=1.2.1 to requirements.txt
- Added exceptions to test_pkg_imports.py to skip vt and vt_graph_api (now extras)
- d3ad345 Fix to mordor_driver for Mitre web site change and making web scraping from Mitre more resilient
- Adding two scripts for testing pre-release msticpy.
- Some additions to VTLookupV3.ipynb text and trapping for import of nest_asyncio without installing
- ReadTheDocs conf.py now retrieves version number from main package build
- d8cc378 Updated ReadtheDocs requirements.txt
- db6e6f9 Changes to requirements.txt to remove unneeded dependencies (114)
- Added exclusions to conf.py and setup.py to skip install of some dependencies for ReadTheDocs (e.g. Kqlmagic).
These packages will be mocked in their build - previously they caused dependency conflict errors in pip install
- Bug in azure_auth_core.py - raise from should have been an exception object, not a class
- Bug in secret_settings.py - potential uninitialized variable
- Updated test_mordor_driver.py to remove files on completion. Also marked file download tests as CI-only
- Added pylint and flake8 as pre-commit hooks - so fewer errors should get into the build
- Some tidying of code (Sourcery) in azure_auth_core and secret_settings.
- Updated version to 0.8.7
- Fixing some typos and linting warnings in the documentation. Clarifying language.
- 3c87222 Updated vt-py version in requirements.txt (113)

0.8.6

Not secure
Hotfix release for compatibility problem with Azure ML notebooks.
