
Splunk and Sentinel Updates

@ianhelle ianhelle released this 10 May 23:25
07a2f0d

Sentinel updates

WorkspaceConfig and the MS Sentinel QueryProvider (azure_monitor_driver) have had a few updates:

  • Handle both the old (Kqlmagic) and the standard connection string formats in WorkspaceConfig.
  • Removed a lot of legacy code from WorkspaceConfig.
  • Allow additional connection parameters to be passed to the MSSentinel QueryProvider for
    authentication (e.g. you can now supply "client_id" and "client_secret" to query_provider.connect()).
  • msticpyconfig.yaml now accepts an "MSSentinel" key in place of "AzureSentinel".
  • Workspace entries in msticpyconfig.yaml support an Args subkey where you can add authentication parameters; these are supplied to connect() unless overridden by arguments passed in the connect() call. As with the Args sections for other providers, the values can be literal text or references to environment variables or Azure Key Vault secrets. For secrets such as client_secret, prefer an environment variable or Key Vault reference over literal text in the config file.
  • Fix to the MSSentinel API update_incident so that the full set of incident properties is sent.
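
The following is an added example, not msticpy's own code, showing the precedence the Args mechanism above implies: values from a workspace's Args section are resolved (literal text, environment variable reference, Key Vault reference) and explicit connect() arguments win over them. The config dict mirrors the shape of an msticpyconfig.yaml MSSentinel section; the exact Args key names, the "EnvironmentVar"/"KeyVault" reference forms and every function name here are assumptions for illustration. It also includes a check that flags secrets stored as literal text.

```python
import os
from collections.abc import Mapping
from typing import Any, Callable, Dict, List, Optional, Tuple

# Constructed sample mirroring the msticpyconfig.yaml layout described in the
# release notes (MSSentinel -> Workspaces -> <name> -> Args). Key names under
# Args and the reference forms are assumptions for this example.
SAMPLE_CONFIG: Dict[str, Any] = {
    "MSSentinel": {
        "Workspaces": {
            "Default": {
                "WorkspaceId": "00000000-0000-0000-0000-000000000000",
                "TenantId": "11111111-1111-1111-1111-111111111111",
                "Args": {
                    "client_id": "22222222-2222-2222-2222-222222222222",
                    "client_secret": {"EnvironmentVar": "SENTINEL_CLIENT_SECRET"},
                },
            },
            "Legacy": {
                "WorkspaceId": "33333333-3333-3333-3333-333333333333",
                "TenantId": "11111111-1111-1111-1111-111111111111",
                # Deliberately bad practice: a literal secret in the config file.
                "Args": {"client_id": "44444444-4444-4444-4444-444444444444",
                         "client_secret": "plain-text-secret"},
            },
        }
    }
}

# Arg names that should never be stored as literal text (assumption).
SECRET_KEYS = {"client_secret", "password", "auth_key"}


class ConfigError(ValueError):
    """Raised when an Args value cannot be resolved."""


def resolve_arg(value: Any, env: Mapping = os.environ,
                keyvault_lookup: Optional[Callable[[str], str]] = None) -> str:
    """Resolve one Args value: literal text, EnvironmentVar or KeyVault reference."""
    if isinstance(value, str):
        return value
    if isinstance(value, Mapping):
        if "EnvironmentVar" in value:
            name = value["EnvironmentVar"]
            if name not in env:
                raise ConfigError(f"environment variable {name!r} is not set")
            return env[name]
        if "KeyVault" in value:
            if keyvault_lookup is None:
                raise ConfigError("KeyVault reference but no Key Vault lookup configured")
            return keyvault_lookup(value["KeyVault"])
    raise ConfigError(f"unsupported Args value: {value!r}")


def workspace_section(config: Mapping) -> Mapping:
    """Accept the new 'MSSentinel' key or the older 'AzureSentinel' key."""
    section = config.get("MSSentinel") or config.get("AzureSentinel")
    if not section or "Workspaces" not in section:
        raise ConfigError("no MSSentinel/AzureSentinel Workspaces section")
    return section["Workspaces"]


def connect_params(config: Mapping, workspace: str = "Default", env: Mapping = os.environ,
                   keyvault_lookup: Optional[Callable[[str], str]] = None,
                   **overrides: Any) -> Dict[str, Any]:
    """Build the keyword arguments for connect(): config Args first,
    explicit overrides (the connect() call) take precedence."""
    workspaces = workspace_section(config)
    if workspace not in workspaces:
        raise ConfigError(f"unknown workspace {workspace!r}")
    ws = workspaces[workspace]
    params: Dict[str, Any] = {"workspace_id": ws["WorkspaceId"], "tenant_id": ws.get("TenantId")}
    for key, raw in ws.get("Args", {}).items():
        if key in overrides:
            continue  # explicit argument wins; do not even resolve the reference
        params[key] = resolve_arg(raw, env, keyvault_lookup)
    params.update(overrides)
    return params


def plaintext_secrets(config: Mapping) -> List[Tuple[str, str]]:
    """Return (workspace, key) for secret-like Args stored as literal text."""
    return [(name, key)
            for name, ws in workspace_section(config).items()
            for key, raw in ws.get("Args", {}).items()
            if key in SECRET_KEYS and isinstance(raw, str)]


def check_config(config: Mapping, env: Mapping = os.environ,
                 keyvault_lookup: Optional[Callable[[str], str]] = None) -> List[str]:
    """Lint a config: literal secrets plus references that cannot be resolved."""
    problems = [f"{ws}.Args.{key} is a plain-text secret" for ws, key in plaintext_secrets(config)]
    for name, ws in workspace_section(config).items():
        for key, raw in ws.get("Args", {}).items():
            try:
                resolve_arg(raw, env, keyvault_lookup)
            except ConfigError as err:
                problems.append(f"{name}.Args.{key}: {err}")
    return problems
```

Running check_config before connecting turns a confusing authentication failure into a precise message about which Args entry is missing, and surfaces any secret that should have been moved to an environment variable or Key Vault.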

Splunk Updates

  • Added a JWT authentication token expiry check when connecting to Splunk, with clearer messages on connection failure.
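
As an added illustration (not msticpy's implementation), this is the kind of pre-flight check the Splunk item describes: decode the payload of the client's own bearer token and compare its exp claim with the current time, so a stale token produces a clear local error instead of an opaque 401 from Splunk. The check deliberately does not verify the signature, which is the server's job; it only needs the claims. Function names, the skew margin and the test-token builder are assumptions for this example.

```python
import base64
import json
import time
from typing import Any, Dict, Optional


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def jwt_claims(token: str) -> Dict[str, Any]:
    """Return the payload claims of a JWT without verifying its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected 3 dot-separated segments")
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError as err:  # covers binascii.Error and JSONDecodeError
        raise ValueError(f"cannot decode JWT payload: {err}") from err
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def token_status(token: str, now: Optional[float] = None, skew: int = 60) -> str:
    """Classify a token as 'valid', 'expiring' (exp within `skew` seconds),
    'expired', or 'no-expiry' when the exp claim is absent.
    `now` is an epoch timestamp, defaulting to the current time."""
    now = time.time() if now is None else now
    exp = jwt_claims(token).get("exp")
    if exp is None:
        return "no-expiry"
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        raise ValueError("exp claim is not numeric")
    if exp <= now:
        return "expired"
    if exp - now <= skew:
        return "expiring"
    return "valid"


def ensure_token_usable(token: str, now: Optional[float] = None) -> str:
    """Raise a descriptive error for tokens that should not be sent; return status otherwise."""
    status = token_status(token, now=now)
    if status == "expired":
        exp = jwt_claims(token)["exp"]
        raise ValueError(f"Splunk auth token expired at {time.strftime('%Y-%m-%dT%H:%M:%SZ', time.gmtime(exp))}; "
                         "request a new token before connecting")
    return status


def make_unsigned_test_token(claims: Dict[str, Any]) -> str:
    """Build a constructed JWT with a dummy signature. For tests only; never use
    such a token against a real service."""
    def enc(obj: Any) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "HS256", "typ": "JWT"}), enc(claims), "dummysig"])
```

Treat 'expiring' as a warning: a token with a minute left will pass this check and still fail on a long-running query, so renew early rather than at the boundary.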

Other fixes

Fix for vtlookup3.py

  • Fixed problematic use of nest_asyncio; this was causing failures when run from a LangChain agent.

Fix for lookup/tilookup

  • If the progress parameter was not passed, it would still try to cancel a non-existent progress task and raise an exception.

QueryProviders

  • Fix split query time-ranges calculation; thanks to @pjain90 for spotting this.
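
The split-query fix above concerns how a query's time window is cut into chunks. As an added example (not the project's code, and not the specific bug that was fixed), the splitter below shows the property a practitioner should check for any such calculation: the chunks are half-open, consecutive chunks share a boundary without overlapping, and the last chunk ends exactly at the requested end, so no event is fetched twice or missed. Function names and the KQL filter helper are assumptions for illustration.

```python
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

TimeRange = Tuple[datetime, datetime]


def split_time_range(start: datetime, end: datetime, chunk: timedelta) -> List[TimeRange]:
    """Split [start, end) into consecutive half-open sub-ranges of at most `chunk`.
    The final sub-range is shortened so that it ends exactly at `end`."""
    if end <= start:
        raise ValueError("end must be after start")
    if chunk <= timedelta(0):
        raise ValueError("chunk must be a positive duration")
    ranges: List[TimeRange] = []
    current = start
    while current < end:
        nxt = min(current + chunk, end)
        ranges.append((current, nxt))
        current = nxt
    return ranges


def covers_exactly(ranges: List[TimeRange], start: datetime, end: datetime) -> bool:
    """True if the ranges tile [start, end) with no gaps and no overlaps."""
    if not ranges or ranges[0][0] != start or ranges[-1][1] != end:
        return False
    if any(s >= e for s, e in ranges):
        return False
    return all(prev[1] == nxt[0] for prev, nxt in zip(ranges, ranges[1:]))


def kql_time_filter(column: str, rng: TimeRange) -> str:
    """Render one chunk as a half-open KQL time filter (>= start, < end)."""
    start, end = rng
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    s = start.astimezone(timezone.utc).strftime(fmt)
    e = end.astimezone(timezone.utc).strftime(fmt)
    return f"{column} >= datetime({s}) and {column} < datetime({e})"


if __name__ == "__main__":
    # Constructed sample window: 5 days and 6 hours, split by 1 day.
    start = datetime(2024, 5, 1, tzinfo=timezone.utc)
    end = start + timedelta(days=5, hours=6)
    chunks = split_time_range(start, end, timedelta(days=1))
    for rng in chunks:
        print(kql_time_filter("TimeGenerated", rng))
    print("covers exactly:", covers_exactly(chunks, start, end))
```

Using `>=` on the lower bound and `<` on the upper bound is what makes adjacent chunks safe to run independently; a filter with `<=` on both ends would return events on the shared boundary twice when the results are concatenated.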

What's Changed

  • Set up CI with 1ES Azure Pipelines by @ianhelle in #763
  • Update ws_config to handle kqlmagic connection strings by @ianhelle in #767
  • Fix split query time-ranges calculation by @ianhelle in #762
  • Add support for ruff and u/p devcontainer by @ianhelle in #765
  • Add jwt auth token expire check and modify some messages when connecting Splunk by @Tatsuya-hasegawa in #770
  • WSConfig updates by @ianhelle in #771
  • Pass true for props into _build_sent_data when calling update_incident by @kylelol in #774
  • Changing cert thumbprint from Sha1 to Sha256 in Az Kusto driver by @ianhelle in #775

New Contributors

Full Changelog: v2.11.0...v2.12.0