New Features
A notebook containing some of the features of MSTICPy 2.0 is available at What's new in MSTICPy 2.0.
Dropping Python 3.6 Support
As of this release we only officially support Python 3.8 and above. We will try to support Python 3.6 if the fixes required are small and contained, but make no guarantees of it working completely on Python prior to 3.8.
DataFrame to Graph/Network
You can convert a pandas DataFrame into a NetworkX graph or plot it directly as a graph using Bokeh interactive plotting.
You pass the functions the column names for the source and target nodes to build a basic graph. You can also name other columns to be node or edge attributes. When displayed, these attributes are visible as popup details courtesy of Bokeh's Hover tool.
```python
proc_df.head(100).mp_plot.network(
    source_col="SubjectUserName",
    target_col="Process",
    source_attrs=["SubjectDomainName", "SubjectLogonId"],
    target_attrs=["NewProcessName", "ParentProcessName", "CommandLine"],
    edge_attrs=["TimeGenerated"],
)
```
Pivots without initialization/dynamic data query import
The pivot functionality has been overhauled - it is now initialized automatically in init_notebook.
Previously queries from
data providers were added at initialization - meaning that you had
to create your query providers before starting pivot or re-initialize
pivot. Data providers now dynamically add relevant queries as pivot
functions when you authenticate. Also for some providers, such
as Azure Sentinel, that support multiple instances, pivot now
supports separate instance naming so that each Workspace has a
separate instance of a given pivot query.
The naming of the Threat Intelligence pivot functions has been
simplified considerably.
VirusTotal and RiskIQ relationships should now be available as
pivot functions (you need the VT 3 and PassiveTotal packages installed
respectively to enable this functionality).
Simplify imports in msticpy
The root module in msticpy now has several modules and classes that can be accessed directly from it (rather than having to import them from their submodules).
```python
import msticpy as mp
mp.init_notebook()
qry_prov = mp.QueryProvider("MDE")
ti = mp.TILookup()
```
A number of commonly-used classes are also imported by default by init_notebook, notably all of the entity classes. This makes it easier to use pivot functions without any initialization or import steps.
```python
import msticpy as mp
mp.init_notebook()
IpAddress.whois("123.45.6.78")
```
Consolidation of Pandas accessors
Pandas accessors are extensions to DataFrames allowing you to call custom functionality as a DataFrame method.
Almost all of the core MSTICPy functions previously available in various accessors (plus a few new ones) are accessible in:
- df.mp - analysis and transform functions
- df.mp_plot - visualization functions
```python
df.mp.ioc_extract(...)
df.mp.to_graph(...)
df.mp.mask(...)
df.mp_plot.timeline(...)
df.mp_plot.timeline_values(...)
df.mp_plot.process_tree(...)
df.mp_plot.network(...)
df.mp_plot.folium_map(...)
```
MS Defender Queries available to MS Sentinel Query Provider
Since Sentinel now has the ability to import Microsoft data, we've made the Defender queries usable from the MS Sentinel provider. Many of these queries are now available as Pivot functions.
ContiLeaks notebook added to MSTICPy Repo
We are privileged to host Thomas's awesome ContiLeaks notebook.
Thanks @fr0gger
New Queries added
Several new Sentinel and MS Defender queries have been added. See the new built-in query list.
Documentation Additions and Updates
The documentation for V2.0 is now live and available at https://msticpy.readthedocs.io (previous versions are still online and can be accessed through the ReadTheDocs interface).
- New MSTICPy Quickstart Guide
- Updated Installing guide
- Updated Threat Intel Lookup documentation
- Updated Time Series analysis documentation
- New Plot Network Graph from DataFrame
- Updated Plotting Folium maps
- Updated Pivot functions
- Updated Jupyter and Sentinel
The API documentation has been split into separate modules to make it easier to navigate. The API docs also now support "InterSphinx". This means that MSTICPy references to objects in other packages (e.g. Python standard library, pandas, Bokeh) have active links that will take you to the native documentation for that item.
Also, the sample notebooks for most of these features have been updated along the same lines. See MSTICPy Sample notebooks.
Miscellaneous Improvements
- The MS Sentinel provider now supports a timeout parameter, allowing you to lengthen or shorten the default.
- MSTICPy network requests use a custom User-Agent header so that you can identify or track requests from MSTICPy/Notebooks.
Plus a lot more that I can't recall at the moment.
What's Changed - The gory detail of the PRs
- Sync changes to main into v2 branch by @ianhelle in #330
- Ianhelle/msticpy v2.0.0 merge updates 2022 03 14 by @ianhelle in #338
- Ianhelle/implement isort 2022 02 15 by @ianhelle in #327
- Ianhelle/implement isort branch post-fixes 2022 03 21 by @ianhelle in #346
- Ianhelle/pivot dataprov selfload 2022 03 15 by @ianhelle in #343
- Ianhelle/main mergeback 2022 04 05 by @ianhelle in #355
- Merging changes from main for geoip.py, config editor and kusto_driver by @ianhelle in #359
- Pebryan/2022 4 14 auth merge by @petebryan in #368
- Fixed minor issues by @petebryan in #372
- Ianhelle/v2 reorg directories 2 2022 04 12 by @ianhelle in #377
- Ianhelle/mpconfigedit fix from main 2022 05 22 by @ianhelle in #396
- Added pd accessor for time series functions. by @ianhelle in #381
- Added new Sentinel Search Features - merge from main by @ianhelle in #380
- Ianhelle/ti async lookup 2022 04 27 by @ianhelle in #383
- Ianhelle/folium accessor 2022 04 30 by @ianhelle in #384
- Updated tweet action to include more details by @petebryan in #406
- Add Device Code fallback option for when interactive auth isn't available. by @petebryan in #401
- Adding OData Delegated Auth Support into 2.0 by @petebryan in #410
- Removed plaintext token cache from MSAL auth and replaced it with fall back to in memory caching by @petebryan in #414
- Ianhelle/kql nbinit fixes merge2.0 2022 05 18 by @ianhelle in #412
- Ianhelle/geoip init fix 2022 05 27 by @ianhelle in #421
- Ianhelle/geoip init fix 2022 05 27 by @ianhelle in #422
- Ianhelle/geoip init fix 2022 05 27 by @ianhelle in #423
- Ianhelle/read the docs fixes 2022 05 29 by @ianhelle in #424
- Ianhelle/sentinel workspace lookup 2022 05 19 by @ianhelle in #419
- Fix for list_hunting_queries function by @pensivepaddle in #417
- Update calls to credential.modern.get_token by @FlorianBracq in #429
- Adding ContiLeaks Analysis by @fr0gger in #428
- Networkx graphs from dataframe by @ianhelle in #427
- Ianhelle/msticpy init imports and Quickstart doc by @ianhelle in #435
- Ianhelle/main updates to msticpy v2.0.0 2022 06 14 by @ianhelle in #444
- [fix] Revert to Py 3.7 build with typing-extensions by @ianhelle in #448
- [fix] if AuthKey or ApiID is None by @ianhelle in #449
- Ianhelle/query pivot naming 2022 06 06 by @ianhelle in #437
- Ianhelle/folium update docs 2022 05 29 by @ianhelle in #438
- Ianhelle/timeline updates 2022 06 14 by @ianhelle in #441
- Ianhelle/merge2.0 to main 2022 06 14 by @ianhelle in #443
- [fix] Fixing renamed y/value_col parameter by @ianhelle in #452
- [fix] Incorrect handling of kwargs in timeline_values.py by @ianhelle in #455
- Ianhelle/ti and graph doc update 2022 06 15 by @ianhelle in #453
- Ianhelle/mp user agent 2022 06 16 by @ianhelle in #454
- Added features to support new notebooklet development. by @petebryan in #456
New Contributors
- @pensivepaddle made their first contribution in #417
- @fr0gger made their first contribution in #428
Full Changelog: v1.8.2...v2.0.0.rc3