MDATP, Azure, ProcessTree
Overview
Note: This release is a consolidation of v0.2.8 and some additional features and fixes. Everything since the previous version is included in the release notes for this version, because the previous one did not get published to PyPI.
This release contains three important features:
- Query support for Microsoft Defender ATP
- Interactive Process Tree browser.
- Support for querying Azure properties for subscriptions and resources
New Features
- Microsoft Defender Query Support. Added a query provider/driver to query Defender alerts, machines, processes and arbitrary KQL queries of the Hunting data.
- Template queries for MDATP for hunting and standard entities.
- Process Tree Viewer - Bokeh interactive graphical view for one or more Process Trees in a data set. Supports both Windows and Linux.
- Process tree utilities - data library to create and query process trees.
- Azure properties of subscriptions and resources such as VMs can be queried from Notebooks.
- Query providers now accept ISO-string format for datetime fields for queries (in addition to datetime and timedelta).
- Added Progress widget to nbwidgets.
- Added config support for GeoIP providers from msticpyconfig.yaml
- GeoIP classes try to obtain API key from config if not supplied
- Refactored ti_provider_settings to generic provider_settings module
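The process tree utilities above build trees from process-creation telemetry and let you walk them. As an added illustration of that idea, and not code from msticpy itself, the example below builds one or more trees from a constructed set of Windows and Linux process events (keyed by host and PID, which is an assumption of this example), treats processes whose parent is absent from the data set as roots, and answers the kind of query an analyst asks of a tree: which process ran, and what its ancestry was.

```python
"""Build and query process trees from process-creation events (illustrative, not msticpy)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class ProcEvent:
    """One process-creation record; 'start' is an ISO-8601 string as a SIEM would return it."""
    host: str
    pid: int
    parent_pid: int
    name: str
    cmdline: str
    start: str


@dataclass
class ProcNode:
    event: ProcEvent
    parent: Optional["ProcNode"] = None
    children: List["ProcNode"] = field(default_factory=list)


def build_process_trees(events: List[ProcEvent]) -> List[ProcNode]:
    """Link events into trees and return the roots.

    A process whose parent is not present in the data set (or that lists itself
    as its own parent, as pid 0 does on Linux) becomes a root, so a single data
    set may yield several trees. Nodes are keyed by (host, pid) so that PIDs on
    different hosts never collide; PID reuse within one host is not handled here.
    """
    nodes: Dict[Tuple[str, int], ProcNode] = {(e.host, e.pid): ProcNode(e) for e in events}
    roots: List[ProcNode] = []
    for node in nodes.values():
        parent = nodes.get((node.event.host, node.event.parent_pid))
        if parent is None or parent is node:
            roots.append(node)
        else:
            node.parent = parent
            parent.children.append(node)
    return roots


def walk(node: ProcNode):
    """Yield a node and all of its descendants, depth first."""
    yield node
    for child in node.children:
        yield from walk(child)


def find_processes(roots: List[ProcNode], name: str) -> List[ProcNode]:
    """Return every node in any tree whose image name matches (case-insensitive)."""
    return [n for root in roots for n in walk(root) if n.event.name.lower() == name.lower()]


def ancestry(node: ProcNode) -> List[str]:
    """Return image names from the tree root down to this node."""
    chain: List[str] = []
    while node is not None:
        chain.append(node.event.name)
        node = node.parent
    return list(reversed(chain))


def render(root: ProcNode, depth: int = 0) -> str:
    """Plain-text view of a tree, one line per process, indented by depth."""
    lines = [f"{'  ' * depth}{root.event.name} (pid {root.event.pid}) {root.event.cmdline}"]
    for child in root.children:
        lines.append(render(child, depth + 1))
    return "\n".join(lines)


# Constructed sample telemetry: one Windows host and one Linux host.
# The parents of explorer.exe (pid 500) and of systemd (pid 0) are absent, so
# each host produces its own root.
SAMPLE_EVENTS = [
    ProcEvent("WKSTN01", 1000, 500, "explorer.exe", "explorer.exe", "2020-01-15T09:00:00Z"),
    ProcEvent("WKSTN01", 1200, 1000, "winword.exe", "winword.exe invoice.docm", "2020-01-15T09:01:10Z"),
    ProcEvent("WKSTN01", 1300, 1200, "cmd.exe", "cmd.exe /c start", "2020-01-15T09:01:12Z"),
    ProcEvent("WKSTN01", 1400, 1300, "powershell.exe", "powershell.exe -nop", "2020-01-15T09:01:13Z"),
    ProcEvent("srv01", 1, 0, "systemd", "/sbin/init", "2020-01-15T08:00:00Z"),
    ProcEvent("srv01", 800, 1, "sshd", "/usr/sbin/sshd -D", "2020-01-15T08:00:05Z"),
    ProcEvent("srv01", 900, 800, "bash", "-bash", "2020-01-15T08:30:00Z"),
]

if __name__ == "__main__":
    for root in build_process_trees(SAMPLE_EVENTS):
        print(render(root))
        print()
    for proc in find_processes(build_process_trees(SAMPLE_EVENTS), "powershell.exe"):
        print(" -> ".join(ancestry(proc)))
```

Rendering each root separately is what lets a viewer show "one or more" trees from a single data set; the ancestry query is the one most worth keeping fast, since triage usually starts from a single suspicious process and walks upward.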
Fixes
- Miscellaneous linting/checker bugs
- Spelling and path errors in docs
- Fixing paths for https://github/Azure/Azure-Sentinel-Notebooks repo.
- Updating dependency to Bokeh 1.40
- Fixed timeline legend bug
- Fix for Maxmind requiring authentication for GeoLite DB download (GeoIP classes are no longer loaded by default).
- Added missing pytz and pyyaml packages to requirements.txt and setup.py.
- GeoLite2 url and archive extraction changes