microsoft / msticpy

Microsoft Threat Intelligence Security Tools

[Bug]: QueryProvider connect method fails to extract IDs from a connection string #703

Closed cindraw closed 1 year ago

cindraw commented 1 year ago

Describe the bug

The function QueryProvider.connect() fails to grab tenant or workspace IDs given a valid connection string.

To Reproduce

Steps to reproduce the behavior:

  1. Install the msticpy package - pip install msticpy[azsentinel]
  2. Import the QueryProvider - from msticpy.data.data_providers import QueryProvider
  3. Use the LogAnalytics environment - query_provider = QueryProvider(data_environment='LogAnalytics')
  4. Assign a valid connection string - la_connection_str = f"loganalytics://tenant='{tenant}';workspace='{workspace}';alias='{alias}';clientid='{client_id}';client_secret='{client_secret}'"
  5. Run query_provider.connect() - query_provider.connect(connection_str=la_connection_str)
  6. See a raised exception on tenant or workspace ID not found

Expected behavior

Tenant or workspace IDs should have been extracted successfully from a valid connection string.

Screenshots and/or Traceback

---------------------------------------------------------------------------
MsticpyKqlConnectionError                 Traceback (most recent call last)
Cell In[14], line 30
     27     print("is string")
     29 print(la_connection_string)
---> 30 query_provider.connect(connection_str=la_connection_string)

File /opt/conda/lib/python3.10/site-packages/msticpy/data/core/data_providers.py:188, in QueryProvider.connect(self, connection_str, **kwargs)
    178 """
    179 Connect to data source.
    180 
   (...)
    185 
    186 """
    187 logger.info("Calling connect on driver")
--> 188 self._query_provider.connect(connection_str=connection_str, **kwargs)
    190 # If the driver has any attributes to expose via the provider
    191 # add those here.
    192 for attr_name, attr in self._query_provider.public_attribs.items():

File /opt/conda/lib/python3.10/site-packages/msticpy/data/drivers/azure_monitor_driver.py:247, in AzureMonitorDriver.connect(self, connection_str, **kwargs)
    192 """
    193 Connect to data source.
    194 
   (...)
    244 
    245 """
    246 self._connected = False
--> 247 self._query_client = self._create_query_client(connection_str, **kwargs)
    249 # get the schema
    250 self._schema = self._get_schema()

File /opt/conda/lib/python3.10/site-packages/msticpy/data/drivers/azure_monitor_driver.py:387, in AzureMonitorDriver._create_query_client(self, connection_str, **kwargs)
    385 self._def_timeout = kwargs.get("timeout", self._DEFAULT_TIMEOUT)
    386 self._def_proxies = kwargs.get("proxies", self._def_proxies)
--> 387 self._get_workspaces(connection_str, **kwargs)
    389 credentials = az_connect(
    390     auth_methods=az_auth_types, tenant_id=self._az_tenant_id
    391 )
    392 logger.info(
    393     "Created query client. Auth type: %s, Url: %s, Proxies: %s",
    394     type(credentials.modern) if credentials else "None",
    395     self.url_endpoint,
    396     kwargs.get("proxies", self._def_proxies),
    397 )

File /opt/conda/lib/python3.10/site-packages/msticpy/data/drivers/azure_monitor_driver.py:444, in AzureMonitorDriver._get_workspaces(self, connection_str, **kwargs)
    442 if ws_config.workspace_id is None or ws_config.tenant_id is None:
    443     logger.warning("Unable to get workspace ID or tenant ID")
--> 444     raise MsticpyKqlConnectionError(
    445         "The workspace config or connection string did not have"
    446         "the required parameters to connect to a workspace.",
    447         "At least a workspace ID and tenant ID are required.",
    448         title="No connection details",
    449         help_uri=_HELP_URL,
    450     )
    451 self._ws_config = ws_config
    452 self._ws_name = workspace_name or ws_config.workspace_id

MsticpyKqlConnectionError: ('No connection details', 'The workspace config or connection string did not havethe required parameters to connect to a workspace.', 'At least a workspace ID and tenant ID are required.', 'https://msticpy.readthedocs.io/en/latest/data_acquisition/DataProv-MSSentinel.html')


Additional context

It looks like the regex pattern matching for method from_connection_string in WorkspaceConfig fails to extract IDs from a connection string. See the screenshots below for more information.


ianhelle commented 1 year ago

Thanks for reporting the bug. I didn't do a lot of testing with connection strings, since we try to move people towards configuring things in msticpyconfig and just connecting using a workspace name (ref to the config entry). I can fix this though.

cindraw commented 1 year ago

Thank you for your response. I read the docs and found out that the connection string feature is being deprecated and have successfully used a config yaml file instead.
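An added example, not part of the thread and not msticpy's code: a standalone parser for the key='value';... connection-string layout shown in step 4 of the report, which returns the tenant and workspace values and masks client_secret so the string can be printed or logged. The function names, the field rules and the sample values are assumptions made for illustration.

```python
import re

# Assumed layout (step 4 of the report): loganalytics://key='value';key='value'
_SCHEME = "loganalytics://"
_PAIR = re.compile(r"""\s*(?P<key>\w+)\s*=\s*(?P<q>['"])(?P<value>.*?)(?P=q)\s*(?:;|$)""")
_REQUIRED = ("tenant", "workspace")
_SECRET_KEYS = {"client_secret"}


def parse_connection_str(conn_str: str) -> dict:
    """Split a loganalytics:// connection string into a dict of its fields."""
    if not conn_str.startswith(_SCHEME):
        raise ValueError("not a loganalytics:// connection string")
    body = conn_str[len(_SCHEME):]
    fields, pos = {}, 0
    while pos < len(body):
        match = _PAIR.match(body, pos)
        if match is None:
            # Report the offset only: the remainder may contain the secret.
            raise ValueError(f"malformed key/value pair at offset {pos}")
        fields[match["key"].lower()] = match["value"]
        pos = match.end()
    missing = [key for key in _REQUIRED if not fields.get(key)]
    if missing:
        raise ValueError(f"missing required field(s): {', '.join(missing)}")
    return fields


def redact(conn_str: str) -> str:
    """Return the connection string with secret values masked for logging."""
    fields = parse_connection_str(conn_str)
    return _SCHEME + ";".join(
        f"{key}='{'***' if key in _SECRET_KEYS else value}'"
        for key, value in fields.items()
    )


# Constructed sample values, not real identifiers.
SAMPLE = (
    "loganalytics://tenant='11111111-2222-3333-4444-555555555555';"
    "workspace='aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee';alias='demo';"
    "clientid='99999999-8888-7777-6666-555555555555';client_secret='s3cr3t;val'"
)

if __name__ == "__main__":
    print(redact(SAMPLE))
```

Parse errors report only an offset or a field name, so a malformed string never echoes the secret into an exception message or notebook output.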