MSTICPy Plugin Framework
MSTICPy has several extensibility points, where you can create your own modules to support data and enrichment sources.
These currently include:
Threat Intelligence Providers
If you create one of these and think that it would be useful to other users, please consider contributing it to MSTICPy.
You can also create and keep local provider modules and have them loaded into MSTICPy to work alongside the built-in providers. This might be useful if you are creating something that is very specific to your organization, for example.
For either of these cases, your classes must be derived from the corresponding MSTICPy base classes. To read more about building data, TI and context providers see the following pages:
Specific Guidelines for plugin types
TI and Context Providers
Create a class attribute PROVIDER_NAME and assign a friendly name to your provider. This is not mandatory - if the class has no PROVIDER_NAME attribute, the friendly name will default to the name of the class.
    class TIProviderTest(HttpTIProvider):
        """Custom IT provider TI Base."""

        PROVIDER_NAME = "MyProvider"
When you load a Data provider in MSTICPy you need to pass the name of the DataEnvironment to the

    qry_prov = mp.QueryProvider("MyDataSource")
By default, the name used to load your provider will be the name of your provider class. You can customize this by adding a DATA_ENVIRONMENTS attribute to your class. This should be a list or tuple of strings. You can load your driver in the QueryProvider by supplying any of the names in this list or tuple. If you also want to use the name of the class, add it to the list.
    class CustomDataProvB(CustomDataProvA):
        """Custom provider."""

        DATA_ENVIRONMENTS = ["SQLTestProvider", "SQLProdProvider"]
The provider will be registered to load when any of the strings assigned here is passed as the QueryProvider identifier.
Using multiple identifiers allows you to use aliases for the provider.
Additionally, because the Data Environment identifier is passed to your provider class as a parameter when it is loaded, you can also have alternative behavior coded into the __init__ and other methods of your class. For example, you might have a single provider class that can work with two different versions of an API.
Loading plugin classes
Assuming that you have created one or more DataProvider or Context/TI Provider classes, you should put these modules in one or more folders accessible to your notebook or Python environment.
You can load modules interactively or add these paths to msticpyconfig.yaml to have them loaded automatically each time you import MSTICPy.
Loading modules interactively
To load modules from a folder run the
    import msticpy as mp

    mp.load_plugins(plugin_paths="/my_modules")

    # or multiple paths
    mp.load_plugins(
        plugin_paths=["./my_modules", "./my_other_modules"]
    )
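Python runs a module's top-level code when it is imported, so anyone who can write to a plugin folder can run code in your notebook session. The following added example (not part of MSTICPy or the original page) audits folders before passing them to mp.load_plugins; audit_plugin_folders and load_plugins_checked are hypothetical names, and the checks assume POSIX permissions and that plugins are the *.py files directly in each folder.

```python
import os
import stat
from pathlib import Path


def _loose(path: Path) -> bool:
    """True if group or other users can write to path (POSIX mode bits)."""
    return bool(path.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_plugin_folders(plugin_paths):
    """Return (path, problem) tuples for plugin folders that are unsafe to load."""
    if isinstance(plugin_paths, (str, os.PathLike)):
        plugin_paths = [plugin_paths]
    findings = []
    for raw in plugin_paths:
        folder = Path(raw).resolve()
        if not folder.is_dir():
            findings.append((str(folder), "not a directory"))
            continue
        if folder.stat().st_uid != os.getuid():
            findings.append((str(folder), "owned by another user"))
        if _loose(folder):
            findings.append((str(folder), "folder writable by group/other"))
        # Assumption: plugin modules are the *.py files directly in the folder.
        for module in sorted(folder.glob("*.py")):
            if module.is_symlink():
                findings.append((str(module), "module is a symlink"))
            elif _loose(module):
                findings.append((str(module), "module writable by group/other"))
    return findings


def load_plugins_checked(plugin_paths):
    """Hypothetical wrapper: call mp.load_plugins only when the audit is clean."""
    findings = audit_plugin_folders(plugin_paths)
    if findings:
        raise PermissionError(f"refusing to load plugins: {findings}")
    import msticpy as mp  # imported late so the audit itself needs no MSTICPy

    mp.load_plugins(plugin_paths=plugin_paths)
```

The same audit can be run over the folders listed under PluginFolders in msticpyconfig.yaml before MSTICPy is imported.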
Loading modules from configuration
By adding plugin module paths to msticpyconfig.yaml you can tell MSTICPy to always try to load plugins from these paths.
Add the following entry to
    ...
      Custom:
        - "testdata"
    PluginFolders:
      - tests/testdata/plugins
    Azure:
      cloud: "global"
      auth_methods: ["cli", "msi", "interactive"]
You can include multiple paths under the