Merge branch 'main' into provider-and-driver-typing

microsoft · Sep 12, 2024 · f6b9d45 · f6b9d45
2 parents ed72de1 + 2a81450
commit f6b9d45
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 2 deletions.
diff --git a/.azurepipelines/azure-pipelines-release.yml b/.azurepipelines/azure-pipelines-release.yml
@@ -1,6 +1,7 @@
 # MSTICPy Release pipeline
 
-trigger: none
+trigger:
+- main
 name: 1ES-MSTICPy-Rel-$(date:yyyyMMdd)$(rev:.r)
 
 resources:

diff --git a/msticpy/context/tiproviders/kql_base.py b/msticpy/context/tiproviders/kql_base.py
@@ -42,6 +42,8 @@
 __version__ = VERSION
 __author__ = "Ian Hellen"
 
+logger = logging.getLogger(__name__)
+
 
 @export
 class KqlTIProvider(TIProvider):
@@ -163,9 +165,12 @@ def lookup_iocs(
         """
         if not self._connected:
             self._connect()
-        if any(
+        if self._query_provider.schema and any(
             table not in self._query_provider.schema for table in self._REQUIRED_TABLES
         ):
+            logger.error(
+                "Required tables not found in schema: %s", self._REQUIRED_TABLES
+            )
             return pd.DataFrame()
 
         # We need to partition the IoC types to invoke separate queries
@@ -176,6 +181,9 @@ def lookup_iocs(
             result = self._check_ioc_type(ioc, ioc_type, query_type)
 
             if result["Status"] != LookupStatus.NOT_SUPPORTED.value:
+                logger.info(
+                    "Check ioc type for %s (%s): %s", ioc, ioc_type, result["Status"]
+                )
                 ioc_groups[result["IocType"]].add(result["Ioc"])
 
         all_results: list[pd.DataFrame] = []
@@ -188,13 +196,15 @@ def lookup_iocs(
                     query_type=query_type,
                 )
             if not query_obj:
+                logger.info("No query found for %s", ioc_type)
                 warnings.warn(
                     f"Could not find query for {ioc_type}, {query_type}",
                     stacklevel=1,
                 )
                 continue
 
             # run the query
+            logger.info("Running query for %s with params %s", ioc_type, query_params)
             data_result: pd.DataFrame = query_obj(**query_params)
 
             src_ioc_frame: pd.DataFrame = pd.DataFrame(obs_set, columns=["Ioc"])
@@ -227,7 +237,9 @@ def lookup_iocs(
             all_results.append(combined_results_df)
 
         if all_results:
+            logger.info("Combining results from %d queries", len(all_results))
             return pd.concat(all_results, ignore_index=True, sort=False, axis=0)
+        logger.info("No results found in data for any iocs.")
         return pd.DataFrame()
 
     @staticmethod
@@ -319,12 +331,14 @@ def _create_query_provider(self: Self, **kwargs: str) -> tuple[QueryProvider, st
             WORKSPACE_ID=workspace_id,
         )
         query_provider: QueryProvider = QueryProvider("LogAnalytics")
+        logging.info("Connection string: %s", connect_str)
         return query_provider, connect_str
 
     def _connect(self: Self) -> None:
         """Connect to query provider."""
         logger.info("MS Sentinel TI query provider needs authenticated connection.")
         self._query_provider.connect(self._connect_str)
+        logging.info("Connected to Sentinel. (%s)", self._connect_str)
 
     @staticmethod
     def _get_spelled_variants(name: str, **kwargs: str) -> str | None:

diff --git a/tests/test_pkg_imports.py b/tests/test_pkg_imports.py
@@ -29,6 +29,7 @@
     "pyperclip",
     "autogen",
     "importlib_resources",
+    "notebookutils",
 }
 CONDA_PKG_EXCEPTIONS = {
     "vt-py",