1.0.0 release (#31)

* Added fix to Pivot creation * testing * Revert "Added fix to Pivot creation" This reverts commit 672eb18. * Testing * AML testing * Fixed Pivot timespan issue * [fix] Fixed nb_pivot and failing host_summary unit tests - Fixing nb_pivot and Pivot class initialization - Splitting queries into separate sub-group yamls - Adding summarize_events to linux_queries.yaml and windows_queries.yaml * Fixed typo in outputs * Moved to version 1.0.0 Co-authored-by: Pete Bryan <pebryan@microsoft.com> Co-authored-by: Ian Hellen <ianhelle@microsoft.com>
microsoft · Jul 18, 2022 · 0562424 · 0562424
1 parent f329351
commit 0562424
Show file tree

Hide file tree

Showing 8 changed files with 280 additions and 4 deletions.
diff --git a/msticnb/_version.py b/msticnb/_version.py
@@ -1,2 +1,2 @@
 """Version file."""
-VERSION = "0.3.0"
+VERSION = "1.0.0"
diff --git a/msticnb/nb/azsent/url/url_summary.yaml b/msticnb/nb/azsent/url/url_summary.yaml
@@ -30,7 +30,7 @@ output:
       Each marker on the timeline indicates one or more alerts related to the
       host.
   browse_alerts:
-    title: Browse of related alerts
+    title: Browse related alerts
     text:
       Browse and select alerts related to
   show_domain_record:

diff --git a/msticnb/nb_pivot.py b/msticnb/nb_pivot.py
@@ -52,7 +52,7 @@ def add_pivot_funcs(pivot: Pivot = None, **kwargs):
         piv_kwargs = {
             key: arg for key, arg in kwargs.items() if key in ("namespace", "providers")
         }
-        pivot = Pivot.current or Pivot(**piv_kwargs)
+        pivot = Pivot.current() or Pivot(**piv_kwargs)
     for nb_name, nb_class in nblts.iter_classes():
         if not issubclass(nb_class, Notebooklet) or nb_name == "TemplateNB":
             continue
@@ -61,7 +61,9 @@ def add_pivot_funcs(pivot: Pivot = None, **kwargs):
             continue
         nb_obj = nb_class()
         run_func = getattr(nb_obj, "run")
-        wrp_func = _wrap_run_func(run_func, pivot.get_timespan)
+        pivot_timespan = pivot.get_timespan
+
+        wrp_func = _wrap_run_func(run_func, pivot_timespan)
         func_new_name = _to_py_name(nb_name)
         entity_map: Dict[str, str] = {}
         for entity in nb_class.metadata.entity_types:

diff --git a/tests/testdata/azure_queries.yaml b/tests/testdata/azure_queries.yaml
@@ -0,0 +1,115 @@
+metadata:
+  version: 1
+  description: Local Data Alert Queries
+  data_environments: [LocalData]
+  data_families:
+    - AzureNetwork
+    - Network
+  tags: ['alert', 'securityalert', 'process', 'account', 'network', 'host']
+defaults:
+  metadata:
+    data_source: 'security_alert'
+  parameters:
+sources:
+  # AzureNetwork
+  list_azure_network_flows_by_ip:
+    description: List Azure Network flows by IP address
+    metadata:
+      data_families: [Network]
+    args:
+      query: az_net_comms_df.pkl
+    parameters:
+  list_azure_network_flows_by_host:
+    description: List Azure Network flows by host name
+    metadata:
+      data_families: [Network]
+    args:
+      query: az_net_comms_df.pkl
+    parameters:
+  get_heartbeat_for_ip:
+    description: Heartbeat record
+    metadata:
+      data_families: [Network]
+    args:
+      query: host_hb_df.pkl
+    parameters:
+  get_heartbeat_for_host:
+    description: Heartbeat record
+    metadata:
+      data_families: [Network]
+    args:
+      query: host_hb_df.pkl
+    parameters:
+  get_host_for_ip:
+    description: Azure network interface record
+    metadata:
+      data_families: [Network]
+    args:
+      query: az_net_if_df.pkl
+    parameters:
+  get_ips_for_host:
+    description: Azure network interface record
+    metadata:
+      data_families: [Network]
+    args:
+      query: az_net_if_df.pkl
+    parameters:
+  # AAD
+  list_aad_signins_for_account:
+    description: AAD Signin Logs
+    metadata:
+      data_families: [Azure]
+    args:
+      query: aad_signin_user.pkl
+    parameters:
+  list_aad_signins_for_ip:
+    description: AAD Signin Logs
+    metadata:
+      data_families: [Azure]
+    args:
+      query: aad_signin_random.pkl
+    parameters:
+  # Azure Activity
+  list_azure_activity_for_account:
+    description: Azure Activity
+    metadata:
+      data_families: [Azure]
+    args:
+      query: azure_activity_df.pkl
+    parameters:
+  list_azure_activity_for_ip:
+    description: Azure Activity
+    metadata:
+      data_families: [Azure]
+    args:
+      query: azure_activity_df.pkl
+    parameters:
+  get_vmcomputer_for_ip:
+    description: VMComputer table
+    metadata:
+      data_families: [Azure]
+    args:
+      query: vmcomputer_df.pkl
+    parameters:
+  get_vmcomputer_for_host:
+    description: VMComputer table
+    metadata:
+      data_families: [Azure]
+    args:
+      query: vmcomputer_df.pkl
+    parameters:
+  # O365
+  list_activity_for_account:
+    description: Office Activity
+    metadata:
+      data_families: [Office365]
+    args:
+      query: office_activity_user.pkl
+    parameters:
+  list_activity_for_ip:
+    description: Office Activity
+    metadata:
+      data_families: [Office365]
+    args:
+      query: office_activity_random.pkl
+    parameters:
diff --git a/tests/testdata/linux_queries.yaml b/tests/testdata/linux_queries.yaml
@@ -0,0 +1,33 @@
+metadata:
+  version: 1
+  description: Local Data Alert Queries
+  data_environments: [LocalData]
+  data_families:
+    - LinuxSyslog
+  tags: ['alert', 'securityalert', 'process', 'account', 'network', 'host']
+defaults:
+  metadata:
+    data_source: 'security_alert'
+    parameters:
+sources:
+  list_logons_for_account:
+    description: Linux logon Activity
+    metadata:
+      data_families: [LinuxSyslog]
+    args:
+      query: lx_host_logons.pkl
+    parameters:
+  list_logons_for_source_ip:
+    description: Linux logon Activity
+    metadata:
+      data_families: [LinuxSyslog]
+    args:
+      query: lx_host_logons.pkl
+    parameters:
+  summarize_events:
+    description: Linux Event summary
+    metadata:
+      data_families: [LinuxSyslog]
+    args:
+      query: lx_host_logons.pkl
+    parameters:
diff --git a/tests/testdata/local_data.yaml → tests/testdata/local_data.yaml_old b/tests/testdata/local_data.yaml → tests/testdata/local_data.yaml_old
@@ -94,6 +94,13 @@ sources:
     args:
       query: win_host_logons.pkl
     parameters:
+  summarize_events:
+    description: Summarize host events
+    metadata:
+      data_families: [WindowsSecurity]
+    args:
+      query: all_events_df.pkl
+    parameters:
   # AzureNetwork
   list_azure_network_flows_by_ip:
     description: List Azure Network flows by IP address
@@ -211,3 +218,10 @@ sources:
     args:
       query: lx_host_logons.pkl
     parameters:
+  summarize_events:
+    description: Linux Event summary
+    metadata:
+      data_families: [LinuxSyslog]
+    args:
+      query: lx_host_logons.pkl
+    parameters:
diff --git a/tests/testdata/sentinel_queries.yaml b/tests/testdata/sentinel_queries.yaml
@@ -0,0 +1,42 @@
+metadata:
+  version: 1
+  description: Local Data Alert Queries
+  data_environments: [LocalData]
+  data_families:
+    - SecurityAlert
+    - SecurityEvent
+  tags: ['alert', 'securityalert', 'sentinel']
+defaults:
+  metadata:
+    data_source: 'security_alert'
+  parameters:
+sources:
+  # Alerts
+  list_alerts:
+    description: Retrieves list of alerts
+    metadata:
+      data_families: [SecurityAlert]
+    args:
+      query: alerts_list.pkl
+    parameters:
+  list_related_alerts:
+    description: Retrieves list of related alerts
+    metadata:
+      data_families: [SecurityAlert]
+    args:
+      query: alerts_list.pkl
+    parameters:
+  list_alerts_for_ip:
+    description: Retrieves list of related alerts
+    metadata:
+      data_families: [SecurityAlert]
+    args:
+      query: alerts_list.pkl
+  # Azure Sentinel tables
+  list_bookmarks_for_entity:
+    description: Retrieves list of related bookmarks.
+    metadata:
+      data_families: [AzureSentinel]
+    args:
+      query: bookmarks.csv
+    parameters:
diff --git a/tests/testdata/windows_queries.yaml b/tests/testdata/windows_queries.yaml
@@ -0,0 +1,70 @@
+metadata:
+  version: 1
+  description: Local Data Alert Queries
+  data_environments: [LocalData]
+  data_families:
+    - SecurityEvent
+    - WindowsSecurity
+  tags: ['process', 'account', 'network', 'host']
+defaults:
+  metadata:
+    data_source: 'security_alert'
+  parameters:
+sources:
+  # Windows
+  list_host_processes:
+    description: List processes on host
+    metadata:
+      data_families: [WindowsSecurity]
+    args:
+      query: processes_on_host.pkl
+    parameters:
+  list_host_logons:
+    description: List logons on host
+    metadata:
+      data_families: [WindowsSecurity]
+    args:
+      query: host_logons.pkl
+    parameters:
+  list_host_logon_failures:
+    description: List logon failures on host
+    metadata:
+      data_families: [WindowsSecurity]
+    args:
+      query: failed_logons.pkl
+    parameters:
+  list_logon_attempts_by_account:
+    description: Success and failed
+    metadata:
+      data_families: [WindowsSecurity]
+    args:
+      query: win_logon_attempts.pkl
+    parameters:
+  list_host_events:
+    description: List events on host
+    metadata:
+      data_families: [WindowsSecurity]
+    args:
+      query: all_events_df.pkl
+    parameters:
+  get_process_tree:
+    description: Get process tree for a process
+    metadata:
+      data_families: [WindowsSecurity]
+    args:
+      query: process_tree.pkl
+    parameters:
+  list_all_logons_by_host:
+    description: Return Logon Events For A Host
+    metadata:
+      data_families: [WindowsSecurity]
+    args:
+      query: win_host_logons.pkl
+    parameters:
+  summarize_events:
+    description: Summarize host events
+    metadata:
+      data_families: [WindowsSecurity]
+    args:
+      query: all_events_df.pkl
+    parameters: