github microsoft/msticpy v2.17.0
M365 authn, Bokeh fixes, RRCF Outliers, Prisma Cloud...

10 hours ago

Summary

This release delivers new analytics capability (RRCF outlier detection), expanded cloud detection coverage (Prisma Cloud AWS), and a modernization of authentication by moving Defender data providers to OAuth2 with corrected scopes. It also fixes several reliability issues (MSI auth logic, KQL timezone handling, query value escaping), updates visualization and widget code for Bokeh 3.7 and Python 3.12, tightens typing (mypy/key vault), and refreshes CI/publish infrastructure and supported Python versions. Users of Defender integrations should review and update scopes/config before upgrading.

🚀 New Features

  • RRCF Outlier Detection (random cut forest) adds a new anomaly detection method for telemetry analysis. (PR #846)
  • Prisma Cloud AWS detection enhancement broadens cloud security coverage. (PR #847)

🔐 Authentication & Authorization Changes (Action Recommended)

  • Defender APIs migrated to OAuth2 with corrected/normalized scopes. Update any legacy scope/resource configurations in msticpyconfig.yaml (e.g., adopt .default scopes) before upgrading. (PR #856)

🛠 Enhancements & Refactors

  • Bokeh 3.7 compatibility adjustments. (PR #843)
  • Query time widget: remove Python 3.12 deprecation warnings + richer typing. (PR #849)
  • Key Vault client mypy/type fixes improving static analysis fidelity. (PR #852)

๐Ÿ› Bug Fixes

  • MSI authentication logic corrected for Managed Identity scenarios. (PR #844)
  • Proper escaping of single quotes inside list query elements to avoid malformed queries. (PR #851)
  • KQL timezone handling fixed for accurate temporal queries. (PR #850)
  • OAuth scope validation/normalization as part of Defender OAuth2 shift. (PR #856)
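The single-quote fix above (PR #851) concerns list values substituted into query text. As an added example (not msticpy's code; all function names here are hypothetical), this shows naive quoting next to escaped quoting, with a small checker that parses the resulting fragment back. It assumes KQL's rule that a backslash escapes the enclosing quote and itself inside a string literal.

```python
# Added example: hypothetical helpers, not msticpy's implementation.

def kql_quote(value: str) -> str:
    """Return value as a single-quoted KQL string literal."""
    # Escape backslashes first so the escapes added for quotes are not doubled.
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"

def format_list_naive(values) -> str:
    """Unescaped formatting: quotes inside a value end the literal early."""
    return ", ".join(f"'{v}'" for v in values)

def format_list_escaped(values) -> str:
    """Escaped formatting: every element stays inside its own literal."""
    return ", ".join(kql_quote(str(v)) for v in values)

def parse_kql_list(fragment: str) -> list[str]:
    """Parse "'a', 'b'" back into values; raise ValueError if malformed.

    Simplified: an escaped character is taken literally (no \\t or \\n decoding).
    """
    items, i, n = [], 0, len(fragment)
    while i < n:
        if fragment[i] != "'":
            raise ValueError(f"text outside a string literal at offset {i}")
        i += 1
        buf = []
        while i < n and fragment[i] != "'":
            if fragment[i] == "\\" and i + 1 < n:
                i += 1  # skip the backslash, keep the escaped character
            buf.append(fragment[i])
            i += 1
        if i >= n:
            raise ValueError("unterminated string literal")
        items.append("".join(buf))
        i += 1  # step over the closing quote
        if fragment.startswith(", ", i):
            i += 2
        elif i < n:
            raise ValueError(f"text outside a string literal at offset {i}")
    return items

if __name__ == "__main__":
    sample = ["O'Brien", "C:\\temp\\", "alice"]  # constructed sample values
    print("escaped:", format_list_escaped(sample))
    print("round trip ok:", parse_kql_list(format_list_escaped(sample)) == sample)
    try:
        parse_kql_list(format_list_naive(sample))
    except ValueError as err:
        print("naive  :", format_list_naive(sample), "->", err)
```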

🧪 Analytics & Data Quality

  • RRCF anomaly scoring (PR #846) enables ensemble-based outlier detection.
  • Enhanced Prisma Cloud AWS detections (PR #847) improve coverage.

🧰 Developer Experience / Code Quality

  • Typing and mypy cleanup (PRs #849, #852).
  • Reduced deprecation warnings (PR #849).

๐Ÿ— CI / Build / Release Infrastructure

  • Azure Pipelines PyPI publish workflow updated. (PR #845)
  • Supported Python build versions refreshed. (PR #853)
  • PyPI publish action bumped (1.5.1 → 1.13.0). (PR #854)

⚠️ Potential Breaking / Behavior Changes

  • Defender provider auth: legacy non-OAuth2 or incorrect scope names will fail until configs are updated. (PR #856)
  • Timezone fix may adjust timestamp normalization. (PR #850)

📘 Upgrade Checklist

  1. Update Defender provider scopes to OAuth2 .default values.
  2. Test a minimal Defender query after reconnect.
  3. Validate time range widgets for expected timezone behavior.
  4. Integrate RRCF if desired.
  5. Align local Python with updated CI matrix.
  6. Run static checks to adjust for stricter typing.

🙌 Contributors

@ianhelle, @FlorianBracq, @Tatsuya-hasegawa, @raj-axe, @dependabot

PR Reference Index

  • Bokeh 3.7 fixes – #843
  • Fix logic issue with MSI auth – #844
  • Update azure-pipelines-publish-pypi.yml – #845
  • Add rrcf outlier – #846
  • Prismacloud_aws_detection_enhancement – #847
  • [nbwidgets] Querytime Python 3.12 deprecation + typing – #849
  • Fix kql timezone support – #850
  • Escape single quotes for list elements from queries – #851
  • Addressing mypy errors in keyvault_client – #852
  • Updating Python build versions – #853
  • Bump pypa/gh-action-pypi-publish 1.5.1 → 1.13.0 – #854
  • Move Defender APIs to OAuth2, fix invalid scopes – #856

Full Changelog: v2.16.2...v2.17.0
