Splunk and Sentinel Updates
Sentinel updates
WorkspaceConfig and the Sentinel QueryProvider (azure_monitor_driver) have had a few updates:
- Handle both the old (Kqlmagic) and the standard connection string formats in WorkspaceConfig.
- Removed a lot of legacy code from WorkspaceConfig.
- Allow additional connection parameters to be used with the MSSentinel QueryProvider for authentication (e.g. you can now supply parameters such as "client_id" and "client_secret" to query_provider.connect()).
- msticpyconfig.yaml now supports an "MSSentinel" key in place of "AzureSentinel".
- Workspace entries in msticpyconfig.yaml support an Args subkey where you can add authentication parameters; these are supplied to the connect() method if not overridden on the command line. As with the Args sections for other providers, the values can be plain text or references to environment variables or Azure Key Vault secrets.
- Fix to MSSentinel API update_incident to add full properties.
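The following Python is an added example, not msticpy's own WorkspaceConfig or driver code. It illustrates the precedence the notes above describe (values in a workspace's Args block feed connect(), explicit connect() parameters win) and the two reference forms msticpy uses elsewhere in Args sections (`EnvironmentVar` and `KeyVault`). The exact placement of `Args` under a Workspace entry, the sample IDs and the environment variable name are constructed for the demo; check the msticpyconfig.yaml documentation for the authoritative schema.

```python
"""Illustrative resolution of a Sentinel workspace 'Args' block.

Added example of the precedence in the release notes, not msticpy's
implementation. The config layout is an assumption about how a Workspace
entry with an Args subkey is written.
"""
import os
from typing import Any, Callable, Dict, Mapping, Optional

# Constructed sample: the parsed form of a msticpyconfig.yaml fragment such as
#
#   MSSentinel:                      # new key; "AzureSentinel" still accepted
#     Workspaces:
#       Default:
#         WorkspaceId: "00000000-0000-0000-0000-000000000000"
#         TenantId: "11111111-1111-1111-1111-111111111111"
#         Args:                      # assumed layout (see lead-in)
#           client_id: "22222222-2222-2222-2222-222222222222"
#           client_secret:
#             EnvironmentVar: "MSTICPY_SENTINEL_SECRET"
SAMPLE_CONFIG: Dict[str, Any] = {
    "MSSentinel": {
        "Workspaces": {
            "Default": {
                "WorkspaceId": "00000000-0000-0000-0000-000000000000",
                "TenantId": "11111111-1111-1111-1111-111111111111",
                "Args": {
                    "client_id": "22222222-2222-2222-2222-222222222222",
                    "client_secret": {"EnvironmentVar": "MSTICPY_SENTINEL_SECRET"},
                },
            }
        }
    }
}


def get_sentinel_section(config: Mapping[str, Any]) -> Mapping[str, Any]:
    """Return the Sentinel section, accepting the new key or the old one."""
    for key in ("MSSentinel", "AzureSentinel"):
        if key in config:
            return config[key]
    raise KeyError("no MSSentinel/AzureSentinel section in config")


def resolve_arg(
    value: Any,
    env: Mapping[str, str],
    kv_lookup: Optional[Callable[[str], str]] = None,
) -> Any:
    """Resolve one Args value: plain text, an EnvironmentVar ref, or a KeyVault ref."""
    if not isinstance(value, Mapping):
        return value  # plain text (or number/bool) is used as-is
    if "EnvironmentVar" in value:
        name = value["EnvironmentVar"]
        if name not in env:
            raise LookupError(f"environment variable {name!r} is not set")
        return env[name]
    if "KeyVault" in value:
        if kv_lookup is None:
            raise LookupError("KeyVault reference present but no vault lookup available")
        return kv_lookup(value["KeyVault"])  # hypothetical vault lookup callable
    raise ValueError(f"unrecognized Args reference: {value!r}")


def build_connect_kwargs(
    config: Mapping[str, Any],
    workspace: str = "Default",
    env: Optional[Mapping[str, str]] = None,
    kv_lookup: Optional[Callable[[str], str]] = None,
    **overrides: Any,
) -> Dict[str, Any]:
    """Merge a workspace's Args with explicit connect() parameters.

    Explicit parameters take precedence; a config reference for an
    overridden name is never resolved, so an unset variable or missing
    vault does not break a call that supplied the value directly.
    """
    env = os.environ if env is None else env
    ws_entry = get_sentinel_section(config)["Workspaces"][workspace]
    kwargs: Dict[str, Any] = dict(overrides)
    for name, value in ws_entry.get("Args", {}).items():
        if name not in kwargs:
            kwargs[name] = resolve_arg(value, env, kv_lookup)
    return kwargs


if __name__ == "__main__":
    demo_env = {"MSTICPY_SENTINEL_SECRET": "s3cret-from-env"}
    print(build_connect_kwargs(SAMPLE_CONFIG, env=demo_env))
    print(build_connect_kwargs(SAMPLE_CONFIG, env=demo_env, client_id="explicit-id"))
```

Keeping the secret behind an `EnvironmentVar` (or `KeyVault`) reference rather than inline in msticpyconfig.yaml is the point of the Args mechanism: the config file can be committed or shared without carrying the credential.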
Splunk Updates
- Added a JWT authentication token expiry check.
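Added example (not the msticpy Splunk driver's code) of the kind of pre-flight check described above: read the `exp` claim of a bearer token and fail fast before attempting a connection with a token that has already expired or is about to. Only the payload is decoded; the signature is deliberately not verified here, because the Splunk server does that, so this is a local sanity check rather than an authentication decision. The tokens used in the demo are constructed and unsigned.

```python
"""Pre-flight expiry check for a JWT bearer token (added example)."""
import base64
import json
import time
from typing import Any, Dict, Optional


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def jwt_claims(token: str) -> Dict[str, Any]:
    """Return the UNVERIFIED payload claims of a compact-serialized JWT."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a three-part JWS compact serialization")
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError) as err:  # bad base64 or bad JSON
        raise ValueError("JWT payload is not valid base64url-encoded JSON") from err
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def token_expiry(token: str) -> Optional[int]:
    """Return the 'exp' claim as an int, or None if the token carries none."""
    exp = jwt_claims(token).get("exp")
    if exp is None:
        return None
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        raise ValueError("'exp' claim is not a numeric date")
    return int(exp)


def token_is_expired(token: str, now: Optional[float] = None, leeway: int = 30) -> bool:
    """True if the token has expired or will expire within `leeway` seconds.

    A token without an 'exp' claim is reported as not expired: it cannot be
    judged locally, so the decision is left to the server.
    """
    exp = token_expiry(token)
    if exp is None:
        return False
    now = time.time() if now is None else now
    return now >= exp - leeway


def make_test_token(claims: Dict[str, Any]) -> str:
    """Constructed, UNSIGNED token for the demo; the signature segment is a dummy."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.dummysig"


if __name__ == "__main__":
    soon = make_test_token({"sub": "splunk-user", "exp": int(time.time()) + 10})
    print("expires within leeway:", token_is_expired(soon))
```

The leeway is there for clock skew between the client and the Splunk host; without it a token that expires during the TLS handshake would pass the local check and still be rejected server-side.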
Other fixes
- Fix for vtlookup3.py: fixed a problematic use of nest_asyncio that was causing failures when run from a LangChain agent.
- Fix for lookup/tilookup: if the progress parameter was not passed it would still try to cancel a non-existent progress task and raise an exception.
- QueryProviders: fix split query time-ranges calculation (thanks to @pjain90 for spotting this).
What's Changed
- Set up CI with 1ES Azure Pipelines by @ianhelle in #763
- Update ws_config to handle kqlmagic connection strings by @ianhelle in #767
- Fix split query time-ranges calculation by @ianhelle in #762
- Add support for ruff and u/p devcontainer by @ianhelle in #765
- Add jwt auth token expire check and modify some messages when connecting Splunk by @Tatsuya-hasegawa in #770
- WSConfig updates by @ianhelle in #771
- Pass `true` for props into `_build_sent_data` when calling `update_incident` by @kylelol in #774
- Changing cert thumbprint from Sha1 to Sha256 in Az Kusto driver by @ianhelle in #775
New Contributors
Full Changelog: v2.11.0...v2.12.0