This minor release includes some major updates to the pivot functions. It also adds the Greynoise Community API to our set of Threat Intel providers.
Warning - this release includes some potentially breaking changes, since we have renamed a number of pivot functions to have shorter, friendlier names. In particular, a number of Azure Sentinel query functions have shortened names.
Updates
Pivot phase 3 with better joins, more pd accessor functions and short/friendly aliases for pivot functions (especially queries) #140
- Added short names for many queries
- Adding shortcut functions to entities - these allow you to create links from pivot functions in containers, e.g. `IpAddress.whois()` -> `IpAddress.util.whois()`
The shortcut methods have the advantage of being easier to see and type. They have the further benefit of working as instance methods. So, given an instance you can do this:

```python
my_ip = IpAddress(Address="157.23.49.1")
my_ip.whois()
# previously you'd have to do IpAddress.util.whois(my_ip) - this still works
```
- Standard pivot functions now also support joins (previously these were implemented only for Data query and TI functions)
- Joins now support a `join_ignore_case` parameter to join case-insensitively
- Added pd accessors for:
  - `filter_cols` - column filtering with patterns or lists of columns
  - `filter` - string or regex will match against all columns (can also match on partial numbers with the `numeric_col=True` option)
  - `sort` - sort on one or more columns or a pattern to match columns
  - `list_to_rows` - expand embedded lists in one or more cols to rows
  - `parse_json` - turn JSON strings in a column into Python objects
- Updates to Pivot docs and notebooks for new pivot behavior
- Added remove_pivot_funcs method to pivot.pivot.py + unit test in test_pivot
Implemented Greynoise API as TI Provider
Entities
- Added additional entities from schema: iot_device, mail_cluster, mail_message, mailbox, submission_mail
- Adding str and repr to Edge in entity_graph.py
- Adding (not yet used) graph_property.py to handle automatic creation of edges
Other updates
- Added tilookup functions to allow enabling/disabling individual providers
- Add better timestamp conversion in vtlookup3.py.
- Added check for attribute name similarity in query_container - if you try to access an attribute that doesn't exist, the exception lists likely matches
- Extracted dup code from pivot_data_queries to pivot_register.
- Updating blog article links in docs with recent publications
- Capturing output from load_user_defaults in nbinit.py to display as HTML
- Adding find_anomaly_periods function and shorter alias for timeseries_anomalies_stl in timeseries.py
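As an added illustration (not msticpy's own code) of the attribute-name similarity check described above for query_container: a constructed container whose failed attribute lookups raise an AttributeError naming the closest existing query names. The `QueryContainer` class, the `suggest_names` helper and the sample query names are assumptions for this example.

```python
import difflib


class QueryContainer:
    """Holds named query functions as attributes (constructed example, not msticpy's class).

    Accessing a name that does not exist raises AttributeError whose message
    lists the closest existing names, mirroring the behaviour described above.
    """

    def __init__(self, **queries):
        # Each value is a callable; keep them in the instance dict so normal
        # attribute lookup finds real names before __getattr__ is consulted.
        self.__dict__.update(queries)

    def __getattr__(self, name):
        # Only invoked when normal attribute lookup has already failed.
        candidates = [attr for attr in self.__dict__ if not attr.startswith("_")]
        matches = suggest_names(name, candidates)
        msg = f"Query container has no attribute '{name}'."
        if matches:
            msg += " Did you mean: " + ", ".join(matches) + "?"
        raise AttributeError(msg)


def suggest_names(name, candidates, cutoff=0.6, max_results=3):
    """Return up to max_results candidate names similar to `name`.

    Comparison is case-insensitive so that e.g. 'LIST_ALERTS' still suggests
    'list_alerts'; the original spelling of each candidate is returned.
    """
    lowered = {cand.lower(): cand for cand in candidates}
    close = difflib.get_close_matches(name.lower(), lowered, n=max_results, cutoff=cutoff)
    return [lowered[c] for c in close]


def attribute_error_message(container, name):
    """Attempt the lookup and return the AttributeError text, or None if it succeeded."""
    try:
        getattr(container, name)
    except AttributeError as err:
        return str(err)
    return None


if __name__ == "__main__":
    # Constructed sample container with three query functions.
    queries = QueryContainer(list_alerts=lambda: "alerts", host_logons=lambda: "logons")
    print(attribute_error_message(queries, "list_alert"))
```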
Fixes
- Fixed a problem with logon failure query parameters.
- Minor corrections to queries in kql_sent_az_network and kql_sent_azure
- Fixing path handling in file.py entity
- Fixing test in test_pivot_pd_accessor for renamed parameter.
- Updating notebooks for some pivot function renaming.
- Fix spelling errors in SettingsEditor.rst
- Remove unnecessary list comprehension in test_security_alert.py
- Add tests for list_to_rows and parse_json in pivot_pd_accessor.py - test_pivot_pd_accessor.py
- Fixed some errors in entities with description_str and identity fields
- Add missing FullName property to Host
- Fixed exception in IpAddress
- Fixing some test errors in test_mordor_driver (due to test file race conditions)
- Removing duplicate mp_config file
- Correcting problem with passing namespace argument to notebooklets in user_config.py
- Fixes to analyze_imports.py and import_analyzer.py that prevented use from the command line and use with other packages.
- Fix to list_to_rows pd accessor in pivot_pd_accessor.
- Changed timeline.py so that it doesn't error when no source_columns are supplied
- Fixing bug in calculating period in timespan.py
- Cosmetic fixes in eventcluster.py
- Fixing an issue in ti_browser if passed an empty dataframe.
- Updating requirements files to updated versions of lxml and aiohttp to address security issues.