v2.2 Release - Exposure Management, TI Update and more#181
Adding friendly error to base module body input errors
IP Entity handling update
Updating IP comment logic
Exposure Module Integration
Exposure Management - Initial Feedback
Adding SID detection logic
Minor bug fixes with on prem only accounts, comment cleanup
Adding On prem enrichments
Exposure comments cleanup, test cases
Adding entities to output with no path found
Pull Request Overview
This PR is a major release update (v2.2) focused on improving exposure management, enhancing the Threat Intelligence (TI) functionality, and migrating the TI module to new table formats while also deprecating the MDCA module. Key changes include:
- Addition of new tests and modules for user and device exposure.
- Updates to TI module queries and related alerts processing.
- Removal/deprecation of MDCA endpoint support across various modules.
Reviewed Changes
Copilot reviewed 21 out of 22 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| tests/test_stat_exposure.py | New tests for user and device exposure modules added. |
| tests/test_rest.py | Deprecated MDCA endpoint tests commented out. |
| tests/test_data.py | Additional tests for new data helper functions added. |
| shared/rest.py | MDCA endpoint and related token logic now commented out. |
| shared/data.py | New helper functions (list_to_string, parse_kv_string) added. |
| modules/* | Updates for exposure, TI, UEBA and related alerts modules. |
| modules/mdca.py | MDCA module deprecation message updated. |
| modules/base.py | Updated EntitiesCount and IP enrichment logic. |
| classes/init.py | New properties for on-premises account data added. |
Files not reviewed (1)
- modules/version.json: Language not supported
Comments suppressed due to low confidence (1)
modules/base.py:551
- The word 'depreation' is misspelled. It should be 'deprecation'.
self.Warning = "The Sentinel Triage AssistanT's (STAT) Microsoft Defender for Cloud Apps module has been deprecated. This is due to Microsoft's depreation of the MDCA investigation score. Please remove the MDCA module from your STAT Analysis."
While we are at it, has an issue with unresolved entities. When IDs is a table of one empty string, it makes the query match all operations. Perhaps using this logic to avoid getting records when all IDs are empty ...
| extend FilterIDs = IDs
| mv-apply FilterIDs on ( where isnotempty(FilterIDs) )
| where Parameters has_any (IDs) or UserId in~ (UPNs)
...
@piaudonn good catch, I fixed it higher up in the KQL query: STAT-Function/modules/files/exchange-audit.kql Lines 2 to 3 in d12c6c1
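The failure mode raised above (an ID list that contains only an empty string turning an entity filter into a match-all) is a general one for any query built from a caller-supplied list of terms. The following is an added example, not STAT's own code or the exchange-audit.kql fix referenced in the reply: a hypothetical Python helper that cleans the ID/UPN lists before rendering a KQL `where` clause and emits a zero-row guard when nothing usable remains, plus a simplified in-Python matcher over constructed sample rows that shows why the guard matters. The function names, the sample rows and the substring-based matcher (a stand-in for `has_any`, not an emulation of KQL semantics) are all assumptions made for this example.

```python
"""Guarded KQL entity filter (added example; not STAT's code).

The helper names, the constructed SAMPLE_ROWS and the simplified matcher
below are assumptions for illustration only.
"""
from __future__ import annotations

from typing import Iterable, Sequence


def clean_terms(values: Iterable[str]) -> list[str]:
    """Drop empty / whitespace-only entries, de-duplicate case-insensitively,
    and preserve first-seen order."""
    seen: set[str] = set()
    out: list[str] = []
    for v in values:
        term = (v or "").strip()
        if term and term.lower() not in seen:
            seen.add(term.lower())
            out.append(term)
    return out


def kql_string_list(values: Sequence[str]) -> str:
    """Render a KQL dynamic string list, escaping backslashes and quotes."""
    escaped = [v.replace("\\", "\\\\").replace('"', '\\"') for v in values]
    return "dynamic([" + ", ".join(f'"{v}"' for v in escaped) + "])"


def build_entity_filter(ids: Iterable[str], upns: Iterable[str]) -> str:
    """Return a KQL `| where ...` clause that can never degrade into match-all.

    If no usable ID or UPN survives cleaning, the clause is `| where false`
    (zero rows) instead of a predicate over an empty-string term.
    """
    ids_clean = clean_terms(ids)
    upns_clean = clean_terms(upns)
    clauses: list[str] = []
    if ids_clean:
        clauses.append(f"Parameters has_any ({kql_string_list(ids_clean)})")
    if upns_clean:
        clauses.append(f"UserId in~ ({kql_string_list(upns_clean)})")
    if not clauses:
        return "| where false"
    return "| where " + " or ".join(clauses)


# Constructed sample audit rows (hypothetical tenant, not real data).
SAMPLE_ROWS = [
    {"UserId": "alice@contoso.example", "Parameters": "ObjectId=11111111-aaaa"},
    {"UserId": "bob@contoso.example", "Parameters": "ObjectId=22222222-bbbb"},
    {"UserId": "carol@contoso.example", "Parameters": "ObjectId=33333333-cccc"},
]


def naive_match(rows, ids, upns):
    """Mirror the failure mode from the thread: an empty-string term is a
    substring of every Parameters value, so every row matches."""
    upn_set = {u.lower() for u in upns}
    return [
        r for r in rows
        if any(i in r["Parameters"] for i in ids)
        or r["UserId"].lower() in upn_set
    ]


def guarded_match(rows, ids, upns):
    """Same matcher, but on cleaned terms with an explicit empty-input guard."""
    ids_c, upns_c = clean_terms(ids), clean_terms(upns)
    if not ids_c and not upns_c:
        return []
    upn_set = {u.lower() for u in upns_c}
    return [
        r for r in rows
        if any(i in r["Parameters"] for i in ids_c)
        or r["UserId"].lower() in upn_set
    ]


if __name__ == "__main__":
    print(build_entity_filter([""], []))
    print("naive rows matched:", len(naive_match(SAMPLE_ROWS, [""], [])))
    print("guarded rows matched:", len(guarded_match(SAMPLE_ROWS, [""], [])))
```

The point of the guard is defensive: an enrichment query that silently widens to every row in the table both inflates the evidence attached to an incident and can be far more expensive to run than intended, so the empty case is made explicit rather than left to the predicate's behaviour on an empty term.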
@piaudonn the exposure modules will need an update due to the deprecation of the dot notation for variable length edges.
To deploy: In advanced settings change the zip package to v2.1.7 and the deploy branch to exposure_module
This now also fixes #182
@piaudonn I made an update to add the criticality rules that matched to the incident tags, also a small update to the file module to add hyperlinks to the file page in security.microsoft.com
Pull Request Overview
This pull request implements several new features and updates around exposure management, threat intelligence queries, and related modules while deprecating support for the MDCA module. Key changes include new tests for the data parsing functions, modifications to REST endpoint handling to drop MDCA support, and several updates to the BaseModule and related exposure modules to support unsynced entities.
Reviewed Changes
Copilot reviewed 23 out of 24 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| tests/test_data.py | New tests added for list-to-string and key-value parsing. |
| shared/rest.py | Removed MDCA endpoint and adjusted token caching logic. |
| shared/data.py | Updated utility functions with new parameters and features. |
| shared/coordinator.py | Extended module initiations with new exposure modules. |
| modules/* | Updated various modules (watchlist, ueba, ti, etc.) to support unsynced entity enrichment; MDCA deprecation message updated. |
| modules/files/*.kql | New KQL queries for exposure-user and exposure-device analysis. |
| modules/base.py | Several changes to IP enrichment, account enrichment, and inclusion of unsynced accounts. |
| debug/debug.py | Extended debug functionality to support incident comment debugging. |
| classes/init.py | Expanded BaseModule initialization and added new exposure module classes. |
Files not reviewed (1)
- modules/version.json: Language not supported
Major highlights include the User Exposure and Device Exposure modules, migration of TI module to the new tables, and support for enriching unsynced entities via the IdentityInfo table. That enrichment of unsynced entities includes downstream support in Related Alerts, Watchlist, KQL and UEBA modules.