microsoft/msticpy v3.0.0
Repository: microsoft/msticpy
Tag: v3.0.0
Published: 2026-04-28T21:56:57Z
Prerelease: no
Release notes:
MSTICPy v3.0.0 Release Notes
MSTICPy v3.0.0 is a major release that brings Python 3.13 support, drops legacy Python versions, replaces deprecated Azure SDK dependencies, adds a new OpenObserve data provider, and includes significant improvements to the Cybereason and Sentinel drivers.
---
⚡ Breaking Changes
Python Version Support
- Dropped: Python 3.8 and 3.9 are no longer supported.
- Added: Python 3.13 is now fully supported.
- Supported versions: Python 3.10, 3.11, 3.12, and 3.13.
Removed: msrestazure Dependency
The deprecated msrestazure package has been removed and replaced with azure-mgmt-core>=1.6.0. All Azure authentication and management code now uses azure-mgmt-core and azure.core.exceptions.
If you have code that catches msrestazure.azure_exceptions.CloudError, update it to use azure.core.exceptions.HttpResponseError instead:
```python
# Before (v2.x)
from msrestazure.azure_exceptions import CloudError

try:
    result = client.some_operation()
except CloudError as err:
    ...

# After (v3.0)
from azure.core.exceptions import HttpResponseError

try:
    result = client.some_operation()
except HttpResponseError as err:
    ...
```
Removed: kql Extra
The kql install extra (pip install msticpy[kql]) has been removed. KqlmagicCustom is no longer a supported dependency.
Removed: aiagents Extra
The aiagents install extra (pip install msticpy[aiagents]) has been removed. The autogen-agentchat integration is no longer included.
Updated: sql2kql Extra
The sql2kql extra now requires mo-sql-parsing>=11,=8,=1.6.0.
Linting Toolchain: Ruff Replaces Black/Flake8/isort
The project now uses Ruff as the sole linter and formatter, replacing black, flake8, isort, pydocstyle, and pylint. If you contribute to MSTICPy, update your development setup:
```bash
pip install pre-commit
pre-commit install
# Ruff is configured in pyproject.toml
```
---
🚀 New Features
New Data Provider: OpenObserve
A new data driver for OpenObserve has been added, enabling querying of OpenObserve instances directly from MSTICPy.
Installation:
```bash
pip install msticpy[openobserve]
```
Configuration (in msticpyconfig.yaml):
```yaml
DataProviders:
  OpenObserve:
    Args:
      connection_str: "https://your-openobserve-host:5080"
      user: "your-username"
      password:
        KeyVault:
      verify: true
      timeout: 300
```
Usage:
```python
import msticpy as mp

mp.init_notebook()
qry_prov = mp.QueryProvider("OpenObserve")
qry_prov.connect(
    connection_str="https://localhost:5080",
    user="admin",
    password="[PLACEHOLDER]",
    verify=True,
)

# Query with time range
df = qry_prov.exec_query(
    'search "error"',
    days=1,
    limit=100,
    timeout=120,
)
```
The driver supports time-range parameters (days, start/end), result limits, timezone configuration, and custom timeouts.
Cybereason Driver Improvements
The Cybereason data driver has received significant enhancements:
- More query parameters exposed — additional control over pagination, timeouts, and retry behavior:

  ```python
  qry_prov = mp.QueryProvider("Cybereason")
  qry_prov.connect(
      instance="cr1",
      tenant_id="...",
      client_id="...",
      client_secret="[PLACEHOLDER]",
  )
  df = qry_prov.exec_query(
      "{}",
      page_size=100,
      timeout=120,
      retry_on_error=True,
  )
  ```

- HTTP 429 rate-limit handling — automatic retry with backoff when Cybereason returns rate-limit responses.
- Improved timeout handling — dedicated `_handle_request_timeout` method for graceful recovery from request timeouts.
- Better error reporting — `MsticpyDataQueryError` now includes exception name and args for clearer diagnostics.
- Improved data flattening — `_flatten_simple_values` and `_flatten_element_values` have been reworked for more reliable output, with extra fields now mapped to the result DataFrame.
- Structural pattern matching — query response parsing now uses Python `match`/`case` statements for cleaner, more maintainable code.
Sentinel Certificate Authentication
Microsoft Sentinel connections now support certificate-based authentication as an alternative to client secrets, providing enhanced security for automated pipelines and service accounts. See Sentinel Provider for details.
ThreatIntelIndicators: New Table Schema Support
The Azure Sentinel BYOTI (Bring Your Own Threat Intelligence) provider now supports both the old and new ThreatIntelIndicators table schemas. This enables seamless operation across Sentinel workspaces regardless of which schema version they use.
- Configurable confidence threshold — the TI confidence threshold is now a class constant that can be overridden, rather than a hardcoded value.
Timeseries Anomaly Detection Fixes
- Fixed `ts_anomalies_stl` to correctly pass a `Series` (not raw values) to the STL decomposition, resolving errors with certain input shapes.
- Fixed handling of the `seasonal == 0` edge case in timeseries anomaly detection.
KQL Timespan Conversion Utilities
New utility functions for converting KQL timespan strings to Python timedelta objects. Uses azure-kusto-data's parse_timedelta for accurate KQL-compatible timespan parsing.
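As an added example (not MSTICPy's own utility, whose function names are not given above, and not using azure-kusto-data's `parse_timedelta`), a self-contained parser for the two KQL timespan literal forms, the `Nunit` shorthand such as `7d` or `30m` and the clock form `[-][d.]hh:mm:ss[.fffffff]`, into a Python `timedelta`, plus a helper that turns a lookback literal into a query window. `query_window` and the constructed inputs are this example's own.

```python
import re
from datetime import datetime, timedelta

# KQL shorthand unit suffixes (7d, 2h, 30m, 10s, 100ms, 5microsecond).
# KQL also has 100ns "tick" units, which timedelta cannot hold exactly, so they are rejected.
_UNITS = {
    "d": timedelta(days=1),
    "h": timedelta(hours=1),
    "m": timedelta(minutes=1),
    "s": timedelta(seconds=1),
    "ms": timedelta(milliseconds=1),
    "microsecond": timedelta(microseconds=1),
}
_SHORT = re.compile(r"(?P<sign>-)?(?P<num>\d+(?:\.\d+)?)(?P<unit>ms|microsecond|[dhms])")
# Clock form: [-][d.]hh:mm:ss[.fffffff]; the fraction is in 100ns ticks (up to 7 digits).
_CLOCK = re.compile(
    r"(?P<sign>-)?(?:(?P<days>\d+)\.)?(?P<h>\d{1,2}):(?P<m>\d{2}):(?P<s>\d{2})(?:\.(?P<frac>\d{1,7}))?"
)


def kql_timespan_to_timedelta(text: str) -> timedelta:
    """Convert a KQL timespan literal such as '7d', 'time(1.02:03:04.5)' or '-30m' to a timedelta."""
    value = text.strip()
    wrapped = re.fullmatch(r"(?:time|timespan)\((.*)\)", value)  # strip optional time(...) wrapper
    if wrapped:
        value = wrapped.group(1).strip()
    if m := _SHORT.fullmatch(value):
        delta = float(m["num"]) * _UNITS[m["unit"]]  # timedelta * float rounds to whole microseconds
    elif m := _CLOCK.fullmatch(value):
        if int(m["h"]) > 23 or int(m["m"]) > 59 or int(m["s"]) > 59:
            raise ValueError(f"out-of-range clock field in KQL timespan: {text!r}")
        ticks = int((m["frac"] or "").ljust(7, "0"))  # right-pad so '.5' means half a second
        delta = timedelta(
            days=int(m["days"] or 0), hours=int(m["h"]), minutes=int(m["m"]),
            seconds=int(m["s"]), microseconds=ticks / 10,
        )
    else:
        raise ValueError(f"not a KQL timespan: {text!r}")
    return -delta if m["sign"] else delta


def query_window(end: datetime, lookback: str) -> tuple[datetime, datetime]:
    """Return (start, end) for a query looking back a KQL timespan from `end`
    (hypothetical helper; the same window a days=/start=/end= parameter describes)."""
    return end - kql_timespan_to_timedelta(lookback), end
```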
AzureSearchDriver Fixes
Fixed the AzureSearchDriver to properly set the MSSentinelSearch environment and correctly override the query method.
---
📦 Dependency Changes
Added
| Package | Version | Notes |
|---------|---------|-------|
| azure-mgmt-core | >=1.6.0 | Replaces msrestazure |
| python_openobserve | >=0.4.2 | New OpenObserve extra |
Removed
| Package | Notes |
|---------|-------|
| msrestazure | Replaced by azure-mgmt-core |
| KqlmagicCustom | kql extra removed |
| autogen-agentchat | aiagents extra removed |
Updated
| Package | Old | New | |---------|-----|-----| | azure-kusto-data | >=4.4.0, =4.4.0, =1.0.0, =1.0.0, =8, =11, =7.23.1 (simplified) |
Removed Python-Version-Conditional Dependencies
- `importlib-resources` conditional on Python ≤3.8 has been removed.
- Separate `ipython` version pins for Python =7.23.1 requirement.
---
🛠️ Developer & Tooling Changes
- Ruff is now the single linter and…