* ip utils and heartbeat queries
* fix pylint and import errors
* fix pylint errors and kql heartbeat queries
* missing project columns in heartbeat queries
* adding KQL time series queries
* fix yaml parsing error in timeseries kql
* add scoreanomolies query
* fixes in time series kql queries
* refactor timeseries kql queries
* changes to mv-expand in kql query
* replace queryproject values
* Miscellaneous fixes from notebook testing:
  - Query templates
  - Doc updates (new doc page on msticpyconfig.yaml)
  - Changed param_extractor to always prefer supplied params over defaults
  - Several linter/mypy errors
  - wsconfig throws meaningful error if config values are not found
  - tilookup fix - exception thrown if an empty IoCs list sent to it
  - geoip - fixed multiple problems with the DF lookup version of the API
* pkg and whois function addition
* Typo in wsconfig.py
* logic change to check for missing packages
* added tqdm dependency
* fix black formatting and add ipwhois dependency
* pylint warning fix
* fixing more pylint warnings
* user option for missing package installation
* docstring update
* Updated Pandas requirement
* Updates to version and requirements/setup.py
* Merge fixes
* Linting warnings in ip_utils
* ip_utils linting fixes (post-black)
1 parent d55c033, commit 05b705d
Showing 32 changed files with 851 additions and 165 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,108 @@ | ||
|
||
msticpy Package Configuration | ||
============================= | ||
|
||
Some elements of msticpy require configuration parameters. An | ||
example is the Threat Intelligence providers. Values for these | ||
and other parameters can be set in the `msticpyconfig.yaml` file. | ||
|
||
The package has a default configuration file, which is stored in the | ||
package directory. You should not need to edit this file directly. | ||
Instead you can create a custom file with your own parameters - these | ||
settings will combine with or override the settings in the default file. | ||
|
||
By default, the custom `msticpyconfig.yaml` is read from the current | ||
directory. You can specify an explicit location using an environment | ||
variable ``MSTICPYCONFIG``. | ||
|
||
Configuration sections | ||
---------------------- | ||
|
||
AzureSentinel | ||
~~~~~~~~~~~~~ | ||
Here you can specify your default workspace and tenant IDs and add additional | ||
workspaces if needed. | ||
|
||
QueryDefinitions | ||
~~~~~~~~~~~~~~~~ | ||
This allows you to specify paths to additional yaml query template files. | ||
|
||
TIProviders | ||
~~~~~~~~~~~ | ||
This allows you to configure which providers are run by default and to | ||
supply any authorization keys needed to access the service. | ||
|
||
Comment configuration file sample | ||
--------------------------------- | ||
|
||
|
||
.. code:: yaml | ||
AzureSentinel: | ||
Workspaces: | ||
# Workspace used if you don't explicitly name a workspace when creating WorkspaceConfig | ||
# Specifying values here overrides config.json settings unless you explictly load | ||
# WorkspaceConfig with config_file parameter (WorkspaceConfig(config_file="../config.json") | ||
Default: | ||
WorkspaceId: "d973e3d2-28e6-458e-b2cf-d38876fb1ba4" | ||
TenantId: "4cdf87a8-f0fc-40bb-9d85-68bcf4ac8e61" | ||
# To use these launch with an explicit name - WorkspaceConfig(workspace_name="Workspace2") | ||
Workspace2: | ||
WorkspaceId: "c88dd3c2-d657-4eb3-b913-58d58d811a41" | ||
TenantId: "f1f64e65-ff7c-4d71-ad5b-091b6ab39d51" | ||
Workspace3: | ||
WorkspaceId: "17e64332-19c9-472e-afd7-3629f299300c" | ||
TenantId: "4ea41beb-4546-4fba-890b-55553ce6003a" | ||
QueryDefinitions: | ||
# Add paths to folders containing custom query definitions here | ||
Custom: | ||
- /var/global-queries | ||
- /home/myuser/queries | ||
- c:/users/myuser/documents | ||
TIProviders: | ||
# If a provider has Primary: True it will be run by default on IoC lookups | ||
# Secondary providers can be | ||
OTX: | ||
Args: | ||
AuthKey: "4ea41beb-4546-4fba-890b-55553ce6003a" | ||
Primary: True | ||
Provider: "OTX" # WARNING - Do not change Provider values! | ||
VirusTotal: | ||
Args: | ||
AuthKey: "4ea41beb-4546-4fba-890b-55553ce6003a" | ||
Primary: False | ||
Provider: "VirusTotal" | ||
XForce: | ||
# You can store items in an environment variable using this syntax | ||
Args: | ||
ApiID: | ||
EnvironmentVar: "XFORCE_ID" | ||
AuthKey: | ||
EnvironmentVar: "XFORCE_KEY" | ||
Primary: True | ||
Provider: "XForce" | ||
AzureSentinel: | ||
# Note this can be a different workspace/tenant from your main workspace | ||
# This only controls where the Azure Sentinel TI provider looks for the | ||
# ThreatIndicator table. | ||
Args: | ||
WorkspaceID: "c88dd3c2-d657-4eb3-b913-58d58d811a41" | ||
TenantID: "f1f64e65-ff7c-4d71-ad5b-091b6ab39d51" | ||
Primary: True | ||
Provider: "AzSTI" | ||
OpenPageRank: | ||
Args: | ||
AuthKey: "c88dd3c2-d657-4eb3-b913-58d58d811a41" | ||
Primary: False | ||
Provider: "OPR" | ||
TorExitNodes: | ||
Primary: True | ||
Provider: "Tor" | ||
See also | ||
-------- | ||
|
||
:doc:`The Threat Intelligence Providers documention <TIProviders>` | ||
|
||
:py:mod:`msticpy.nbtools.wsconfig` |
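Review bot: the new msticpyconfig.rst page has a few reStructuredText and wording problems that will show up when the docs build. The `.. code:: yaml` directive (the line just before `AzureSentinel:`) needs a blank line between it and the indented YAML body, and the `See also` heading needs a blank line after the last YAML line (`Provider: "Tor"`); without those, docutils will not terminate the literal block and start the section cleanly. Wording: `explictly` in the Workspaces comment, `documention` in the See also link, and the heading `Comment configuration file sample` (presumably `Commented configuration file sample`); the comment `# Secondary providers can be` is cut off mid-sentence, and `(WorkspaceConfig(config_file="../config.json")` is missing its closing parenthesis. Since the sample shows literal `AuthKey` values side by side with the `EnvironmentVar` form used for XForce, it would help to say explicitly that the `EnvironmentVar` form is the preferred way to supply provider keys and that a custom `msticpyconfig.yaml` that contains keys should be kept out of source control, e.g. next to the sentence "Values for these and other parameters can be set in the `msticpyconfig.yaml` file."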
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -14,3 +14,5 @@ Other Documents | |
|
||
EventTimeline.rst | ||
|
||
msticpyconfig.rst | ||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,2 +1,2 @@ | ||
"""Version file.""" | ||
VERSION = "0.2.6" | ||
VERSION = "0.2.7" |
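Review bot: a patch-level bump from `0.2.6` to `0.2.7` looks low for what the commit message describes: it adds new runtime dependencies (`tqdm`, `ipwhois`), updates the Pandas requirement, and changes `param_extractor` behaviour so that supplied params always win over defaults. Consider a minor version bump, or at least a changelog entry alongside this line, so that users understand why a fresh install pulls in new packages and why parameter resolution may differ from the previous release.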