microsoft · ianhelle · Feb 6, 2025 · Feb 4, 2025 · Feb 5, 2025 · Feb 5, 2025
diff --git a/docs/source/api/msticpy.context.tiproviders.cyberint.rst b/docs/source/api/msticpy.context.tiproviders.cyberint.rst
@@ -0,0 +1,7 @@
+msticpy.context.tiproviders.cyberint module
+===========================================
+
+.. automodule:: msticpy.context.tiproviders.cyberint
+   :members:
+   :undoc-members:
+   :show-inheritance:
diff --git a/docs/source/api/msticpy.context.tiproviders.rst b/docs/source/api/msticpy.context.tiproviders.rst
@@ -17,6 +17,7 @@ Submodules
    msticpy.context.tiproviders.azure_sent_byoti
    msticpy.context.tiproviders.binaryedge
    msticpy.context.tiproviders.crowdsec
+   msticpy.context.tiproviders.cyberint
    msticpy.context.tiproviders.greynoise
    msticpy.context.tiproviders.ibm_xforce
    msticpy.context.tiproviders.intsights

diff --git a/docs/source/api/msticpy.data.drivers.azure_search_driver.rst b/docs/source/api/msticpy.data.drivers.azure_search_driver.rst
@@ -0,0 +1,7 @@
+msticpy.data.drivers.azure\_search\_driver module
+=================================================
+
+.. automodule:: msticpy.data.drivers.azure_search_driver
+   :members:
+   :undoc-members:
+   :show-inheritance:
diff --git a/docs/source/api/msticpy.data.drivers.rst b/docs/source/api/msticpy.data.drivers.rst
@@ -14,6 +14,7 @@ Submodules
 
    msticpy.data.drivers.azure_kusto_driver
    msticpy.data.drivers.azure_monitor_driver
+   msticpy.data.drivers.azure_search_driver
    msticpy.data.drivers.cybereason_driver
    msticpy.data.drivers.driver_base
    msticpy.data.drivers.elastic_driver

diff --git a/docs/source/data_acquisition/DataProv-MSDefender.rst b/docs/source/data_acquisition/DataProv-MSDefender.rst
@@ -109,6 +109,7 @@ When using a certificate with a private key, the configuration
 should be:
 
 .. code:: yaml
+
       MicrosoftDefender:
           Args:
             ClientId: "CLIENT ID"
@@ -123,14 +124,15 @@ to a Key Vault secret using the MSTICPy configuration editor.
 See :doc:`msticpy Settings Editor <../getting_started/SettingsEditor>`.
 
 .. code:: yaml
+
       MicrosoftDefender:
           Args:
             ClientId: "CLIENT ID"
             TenantId: "TENANT ID"
             PrivateKey: "Path to private key"
             Certificate: "Path to certificate"
             PrivateKeySecret:
-                KeyVault: 
+                KeyVault:
 
 Loading a QueryProvider for M365 Defender
 -----------------------------------------

diff --git a/docs/source/data_acquisition/DataProv-MSSentinel.rst b/docs/source/data_acquisition/DataProv-MSSentinel.rst
@@ -36,9 +36,40 @@ Changes from the previous implementation
   * ``mp_az_auth`` is replaced by ``auth_types`` (the former still works
     but will be removed in a future release).
   * ``mp_az_auth_tenant_id`` is replaced by ``tenant_id`` (the former
-    is no longer supported
+    is no longer supported).
 
 
+Querying Base and Auxilary tables in Sentinel
+----------------------------------------------
+
+The Azure Monitor Query SDK does not support querying Base or Auxilary table types.
+MSTICPy has an experimental driver that supports a subset of the operations
+below but uses the "search" endpoint to allow querying these table types.
+To use this, create a QueryProvider with the provider name "MSSentinelSearch",
+instead of "MSSentinel".
+
+.. code:: python3
+
+    qry_prov = QueryProvider("MSSentinelSearch")
+
+    qry_prov.connect()
+
+    qry_prov.exec_query(
+      "SecurityEvent | take 10",
+      start="2023-10-29T00:00:00Z",
+      end="2023-10-29T01:00:00Z"
+    )
+
+.. note:: There are several limitations when using this provider, including:
+  * The KQL query support only a single table - joins, unions, etc are not supported
+  * You **must** provide `start` and `end` times as parameters.
+  * You can only query a single workspace at a time.
+  * The provider only works with the Global Azure cloud
+  * The provider does not support HTTP proxies.
+
+For all other uses, we recommend using the standard "MSSentinel" provider
+as described in the rest of this document.
+
 Sentinel Configuration
 ----------------------
 

diff --git a/msticpy/_version.py b/msticpy/_version.py
@@ -1,3 +1,3 @@
 """Version file."""
 
-VERSION = "2.15.0"
+VERSION = "2.16.0"
diff --git a/msticpy/context/domain_utils.py b/msticpy/context/domain_utils.py
@@ -256,7 +256,7 @@ def in_abuse_list(self: Self, url_domain: str) -> tuple[bool, Certificate | None
                 cert.encode("ascii"),
             )
             cert_sha1: bytes = x509_cert.fingerprint(
-                SHA1()
+                SHA1()  # nosec
             )  # noqa: S303  # CodeQL [SM02167] Compatibility requirement for SSL abuse list
             result = bool(
                 self.ssl_abuse_list["SHA1"].str.contains(cert_sha1.hex()).any(),

diff --git a/msticpy/data/core/query_defns.py b/msticpy/data/core/query_defns.py
@@ -118,6 +118,8 @@ class DataEnvironment(Enum):
     Velociraptor = 18
     M365DGraph = 20
 
+    MSSentinelSearch = 25
+
     @classmethod
     def parse(cls, value: Union[str, int]) -> "DataEnvironment":
         """

diff --git a/msticpy/data/drivers/__init__.py b/msticpy/data/drivers/__init__.py
@@ -40,6 +40,7 @@
     DataEnvironment.MSSentinel_Legacy: ("kql_driver", "KqlDriver"),
     DataEnvironment.Kusto_Legacy: ("kusto_driver", "KustoDriver"),
     DataEnvironment.M365DGraph: ("mdatp_driver", "MDATPDriver"),
+    DataEnvironment.MSSentinelSearch: ("azure_search_driver", "AzureSearchDriver"),
 }
 
 CUSTOM_PROVIDERS: Dict[str, type] = {}