Extending MSTICPy

Introduction to MSTICPy extensibility

MSTICPy has several extensibility points. These range from adding parameterized queries to writing your own data provider or context provider.

Some of these require coding, while others can be done by creating YAML configuration files. For Data Providers and Context/TI providers there is also a plugin model that allows you to create private providers and load them from a local path.

Contributing

If you decide to extend MSTICPy in one of these ways and think that this would be useful to other users of the package, please consider contributing them into the package.

Extension points documentation

• Adding Queries to MSTICPy
  • The metadata section
  • The defaults section
  • The sources section
  • Using known parameter names
  • How parameter substitution works
  • Using yaml aliases and macros in your queries
  • Guidelines for creating and debugging queries
  • Adding a new set of queries and running them
• Query File Editor
  • Loading the Query File Editor
  • Query File Controls
  • Query Selection Controls
  • Query Details Editor Controls
  • Adding Query Parameters to the Query
  • Adding Query Parameters to the Query Definition
  • Query Collection Metadata
  • Query-specific metadata
• Adding Pivot functions
  • Information needed to define a pivot function
  • Adding ad hoc pivot functions in code
  • Creating a persistent pivot function definition
  • Creating and deleting shortcut pivot functions
  • Removing pivot functions from an entity or all entities
• Writing and Contributing a Data Provider
  • Implementing a data provider
  • 1. Write the driver class
  • 2. Customize the driver
  • 3. Register the driver
  • 4. Add queries
  • 5. Add settings definition
  • 6. Add provider documentation
  • 7. Create driver unit tests
• Writing Threat Intelligence and Context Providers
  • Threat Intelligence Providers
  • Context Providers
• MSTICPy Plugin Framework
  • Specific Guidelines for plugin types
  • Loading plugin classes