MSTICPy Package Configuration

Some elements of MSTICPy require configuration parameters. An example is the Threat Intelligence providers. Values for these and other parameters can be set in the msticpyconfig.yaml file. This file uses a YAML format.

Warning

MSTICPy has a msticpyconfig.yaml included as part of the package itself. This is used to supply some default settings and should not be modified. Any settings that you include in your own msticpyconfig.yaml will override the default settings.

You should also read the MSTICPy Settings Editor document to see how to configure settings using and interactive User Interface from a Jupyter notebook.

Important

The settings in msticpyconfig.yaml are case sensitive. If you specify a setting in the config file with a different case to the setting name in the code, the setting will not be found.

How MSTICPy finds the config file

MSTICPy uses the following logic to discover a configuration file.

  1. If the environment variable MSTICPYCONFIG is set, MSTICPy will use the value of this variable as the path to the config file.

  2. If the environment variable MSTICPYCONFIG is not set, MSTICPy will look for a file named msticpyconfig.yaml in the current directory.

  3. If neither of these is successful, MSTICPy will look for a file named msticpyconfig.yaml in a folder named “.mstipcy” in the user’s home directory. This is typically ~/.msticpy on Linux and Mac and C:\Users\username\.msticpy on Windows.

If you are using the init_notebook function to initialize MSTICPy, you can specify the path to a config file as the config parameter to this function. This will override the logic above.

Configuration sections

AzureSentinel

Here you can specify your default workspace IDs and tenant IDs and add additional workspaces if needed. If you wish to use the Microsoft Sentinel API features you can also specify Subscription Ids, Subscription names and Workspace names here.

Note

Although Microsoft Sentinel is no longer called “AzureSentinel” the configuration section is still called AzureSentinel to ensure compatibility with existing code.

Sample entry for MS Sentinel workspaces

AzureSentinel:
  Workspaces:
    Default:
      # An entry named "Default" allows authentication without
      # having to specify a workspace name
      WorkspaceId: "52b1ab41-869e-4138-9e40-2a4457f09bf3"
      TenantId: "72f988bf-86f1-41af-91ab-2d7cd011db49"
      SubscriptionId: "cd928da3-dcde-42a3-aad7-d2a1268c2f48"
      ResourceGroup: ABC
      WorkspaceName: Workspace1
    Workspace1:
      # You can also duplicate entries with different keys
      # that refer to the same workspace settings
      WorkspaceId: "52b1ab41-869e-4138-9e40-2a4457f09bf3"
      TenantId: "72f988bf-86f1-41af-91ab-2d7cd011db49"
      SubscriptionId: "cd928da3-dcde-42a3-aad7-d2a1268c2f48"
      ResourceGroup: ABC
      WorkspaceName: Workspace1
    MyTestWS:
      # minimal workspace configuration for queries
      WorkspaceId: "a927809c-8142-43e1-96b3-4ad87cfe95a3"
      TenantId: "69d28fd7-42a5-48bc-a619-af56397b9f28"

QueryDefinitions

This allows you to specify paths to additional yaml query template files.

Sample

QueryDefinitions:
  Custom:
    - ./working
    - ~/.msticpy/queries

TIProviders

This allows you to configure which providers are run by default and to supply any authorization keys needed to access the service.

Specifying Primary: True means that the TI Provider will be included in lookups by default. If this is False you must specifically include the provider name in the optional providers parameter when you make a TI lookup call.

Currently supported provider names are:

  • OTX - AlienVault OTX

  • VirusTotal

  • XForce - IBM XForce

  • AzureSentinel - Microsoft Sentinel TI

  • GreyNoise

  • IntSights

  • TorExitNodes

  • OpenPageRank

  • CrowdSec

  • AbuseIPDB

TIProviders:
  OTX:
    Args:
      AuthKey: 1234567890
    Primary: True
    Provider: "OTX"
  VirusTotal:
    Args:
      AuthKey:
        EnvironmentVar: "VIRUSTOTAL_AUTH"
    Primary: True
    Provider: "VirusTotal"
  OpenPageRank:
    Args:
      AuthKey:
        KeyVault:
    Primary: False
    Provider: "OPR"
  CrowdSec:
    Args:
      AuthKey: [PLACEHOLDER]
    Primary: True
    Provider: "CrowdSec"
  AbuseIPDB:
    Args:
      AuthKey: 1234567890
    Primary: True
    Provider: "AbuseIPDB"

Note

You store values in the Args section as simple strings, as names of environment variables containing the value, or as references to Azure Key Vault (see the later sections Specifying secrets as Environment Variables and Specifying secrets as Key Vault secrets).

OtherProviders

This section is similar to the TIProviders section, allowing you specify configuration options for specialist data providers such as geo-location providers.

OtherProviders:
  GeoIPLite:
    Args:
      AuthKey:
        EnvironmentVar: "MAXMIND_AUTH"
      DBFolder: "~/.msticpy"
    Provider: "GeoLiteLookup"

Autogen

This section allows you to specify settings for the autogen module <https://microsoft.github.io/autogen/docs/topics/llm_configuration>. Autogen is a top-level section in the configuration file. This section is used as the llm_config argument when instantiating an agent from the autogen package.

When using Entra ID authentication with Autogen, you an specify the azure_ad_token_provider as the string token_provider. This will automatically use DefaultAzureCredential to obtain bearer tokens rather than using an API key. This is the preferred method of authenticating to Azure OpenAI endpoints because there are no secrets to manage.

If using an API key, you can specify api_key as the name of an environment variable.

Here is an example of authenticating to an Azure OpenAI endpoint using both Entra ID and an API key:

Autogen:
  config_list:
    - model: gpt-4o
      api_type: azure
      api_version: 2024-02-15-preview
      base_url: https://my-aoai-endpoint.openai.azure.com/
      azure_ad_token_provider: token_provider
    - model: gpt-4o
      api_type: azure
      api_version: 2024-02-15-preview
      base_url: https://my-aoai-endpoint.openai.azure.com/
      api_key: SOME_ENVIRONMENT_VARIABLE

DataProviders

This section is similar to the previous two sections, allowing you specify configuration options for other data providers.

DataProviders:
  MicrosoftDefender:
    Args:
      TenantId: 8360dd21-0294-4240-9128-89611f415c53
      ClientId: 66b9818a-26cd-4584-8eb0-7f7a499242aa
      ClientSecret:
        KeyVault:
  Cybereason:
    Args:
      TenantId: 8360dd21-0294-4240-9128-89611f415c53
      ClientId: 1234
      ClientSecret:
        EnvironmentVar: "CYBEREASON_AUTH"

Key Vault

This section contains Azure Key Vault settings. This is only used if you choose to store secrets (e.g. API keys) in Key Vault. See the section Specifying secrets as Key Vault secrets for more details.

Azure

This section provides configuration settings for Azure authentication, including the Azure cloud.

Legal values for cloud are:

  • global

  • usgov - US government cloud

  • cn - China national cloud

  • de - German national cloud (no longer used)

The auth_methods key lists the types of authentication methods that you want to enable.

Important

In some cases MSTICPy may find a valid credential type but is unable to authenticate with this type due to Conditional access policies or other restrictions. If you find issues authenticating, edit the `auth_methods list to use specific credential types that can be authorized with the service that you are using.

Possible credential types (auth_methods) are:

  • env - Use credentials set in environment variables

  • cli - Use credentials available in an local AzureCLI logon

  • msi - Use the Managed Service Identity (MSI) credentials of the machine you are running the notebook kernel on

  • devicecode - use browser-based device code authentication flow

  • vscode - Use credentials from your authenticated VS Code session

  • powershell - Use credentials from an authenticated Azure Powershell session

  • clientsecret - Use an Azure AppID and client secret

  • certificate - Use client certificate authentication.

  • interactive - Interactive browser logon

Warning

Some environments (such as Azure Machine Learning notebooks) do not allow notebooks to open browser windows, so “interactive” credentials will fail. We have found Azure CLI to be reliable and maintains authentication tokens between notebook sessions.

The resource_manager_url setting allows you to specify the Azure Resource Manager Url to use. This is only needed if you are using a cloud outside of global, usgov, cn, and de. Example: https://management.azure.com

Warning

Setting resource_manager_url will overwrite the cloud setting. For example, if you set the cloud to be global and then set the resource_manager_url to be https://management.usgovcloudapi.net then the cloud will utilize the usgov endpoints which maybe incorrect for your needs.

Azure:
  cloud: "global"
  auth_methods: ["cli", "msi", "interactive"]

For more details on Azure authentication/credential types see Azure Authentication in MSTICPy

User Defaults

Warning

This feature is being deprecated. Please avoid using this. If you have a use case that requires this, please contact the MSTICPy team - msticpy@microsoft.com. We’d love to hear how you are using it and how we might be able to improve it.

This section controls loading of default providers when using the package in a notebook. The settings here are loaded by the init_notebook function.

See the User Defaults Section below.

MSTICPy Global Settings

There are miscellaneous settings that control the behavior of MSTICPy and some of the underlying libraries used by MSTICPy.

msticpy:
  FriendlyExceptions: True
  QueryDefinitions:
    - ./queries
    - ~/.msticpy/queries
  http_timeout: 30
  Proxies:
    https:
      Url: https://proxy:8080
      UserName: user
      Password:
        EnvironmentVar: "PROXY_PASSWORD"

FriendlyExceptions controls whether MSTICPy will catch and re-raise exceptions with a more user-friendly message. This is mainly applicable to use in Jupyter notebooks. Most of the MSTICPy exceptions are displayable as an HTML message with details such as links to relevant documentation and drop-down details of the exception.

If this is set to False then the exception will be raised as a standard Python exception with details printed as simple text.

QueryDefinitions is a list of paths to folders containing query definition files. You can add any number of these and MSTICPy will search these for queries to add to QueryProviders.

http_timeout controls the default timeout for the httpx library used by MSTICPy. This can be simple integer or float that sets the global timeout values for connections. You can also specify this as a dictionary or tuple of individual timeout components:

  • ConnectTimeout: Float

  • ReadTimeout

  • WriteTimeout

  • PoolTimeout

You can also specify as a Tuple or of (default_timeout, connect_timeout). For more details on httpx timeouts see the HTTPX documentation.

Proxies is a dictionary of proxy settings. You can specify different proxies for different protocols (although only the https one is currently used in MSTICPy). We are gradually rolling out support for this setting to components in MSTICPy - not all yet support this setting. If your proxy requires authentication you can specify a username and password. These are combined into a single URL of the form https://username:password@proxy:port.

Note

If you are using a proxy that requires authentication you should consider using the KeyVault setting to store the password (and optionally the username) rather than specifying it in the config file. You can also use the EnvironmentVar to reference an environment variable that contains the password (and username).

Specifying secrets as Environment Variables

Some configuration values can be references to environment Variables rather than have a value explicitly stored within the configuration file. You might want secrets such as API keys to be supplied this way. The Args subsection of TIProvider and OtherProvider entries supports storing values as simple strings or as references to named environment variables. You can see examples of both in the sample file below.

Specifying secrets as Key Vault secrets

MSTICPy can read secret values from Key Vault for use with TI and other providers. To use this you need to specify settings for your keyvault.

KeyVault:
  TenantId: 5d6a50cf-b1b6-4bfd-ad54-b9822b06ff92
  SubscriptionId: 40dcc8bf-0478-4f3b-b275-ed0a94f2c013
  ResourceGroup: YourResourceGroup
  AzureRegion: RegionToCreateKV
  VaultName: "myvault"
  UseKeyring: True
  Authority: global
  AuthnType: device

Under the top level KeyVault section the following entries are accepted. Some of these are only required if you plan to use MSTICPy to create a new Key Vault vault.

Required Settings

TenantId

the Identifier of your Azure tenant

VaultName

the name of the vault to use (note this can be overridden in the individual secret specifications

Authority

You should use the cloud setting in the Azure configuration section unless you need to override this setting for Key Vault

Required to Create a Key Vault

SubscriptionId

the Azure subscription holding the Key Vault

ResourceGroup

the Azure resource group in which to create the vault

AzureRegion

the Azure region in which to create the vault

Optional Settings

UseKeyring

if True (default) uses the Python keyring package to securely cache Key Vault secrets in your client session.

VaultName

the name of the vault to use (note this can be overridden in the individual secret specifications)

AuthnType

You should use the auth_methods setting of the Azure section - see Azure above. unless you need to override the Azure defaults.

Specifying Key Vault Secrets in Provider Settings

There are three ways to specify the Key Vault vault and secret names to use for a given setting.

TIProviders:

  OpenPageRank:
    Args:
      AuthKey:
        KeyVault:

Adding an empty subkey named KeyVault will cause MSTICPy to generate a name for the secret, built from the path of the setting. This is the default usage. In the example below, the secret name will be “TIProviders-OpenPageRank-Args-AuthKey”. The vault name is taken from the setting in the KeyVault settings section.

OtherProviders:
  IPStack:
    Args:
      AuthKey:
        KeyVault: my_secret

This example specifies “my_secret” as the secret name. The vault name is taken from the setting in the KeyVault settings section.

OtherProviders:
  Contoso-GeopIp:
    Args:
      AuthKey:
        KeyVault: my_vault/my_secret

The final example specifies both a vault name and a secret name. The VaultName setting in the KeyVault section is ignored for this setting.

Populating Key Vault secrets from an existing msticpyconfig.yaml

You can use the MSTICPy settings editor to upload secrets to a Key Vault one-by-one. This is described in in the in the Key Vault Secrets section of MSTICPy Settings Editor document.

There is also a command line tool to move your secrets to Key Vault - config2ky.py. This tool is available in the MSTICPy GitHub repo. You can find it in the tools folder.

Running config2kv.py --help shows the usage of this utility.

The simplest way to use this tool is to populate your existing secrets as strings in your msticpyconfig.yaml. (as shown in some of the provider settings in the example at the end of this page).

You can specify this as the input file using the --path parameter. Alternatively, the tool will look for a msticpyconfig.yaml in the location specified by the MSTICPYCONFIG environment variable.

Create a KeyVault configuration section in the file, supplying the values described earlier. If you already have a vault that you want to use, put the name of the vault in the VaultName setting and run config2kv.py with the --exists parameter. This will bypass the Key Vault Management client section and the extra authentication step that this requires. If you do not have a vault or wish to create a new one, omit the --exists parameter and you will be prompted to create one.

The tool will read secrets and create secret names based on the path of the secret (as described above).

Warning

config2ky will only read and convert items in the provider Args sections. Currently, only ApiID and AuthKey values will be used.

The tool will then write the secret values to the vault. Finally a replacement msticpyconfig.yaml is written to the location specified in the --path argument. You can then delete or securely store your old configuration file and replace it with the one output by config2kv.

Tip

you can run config2ky with the --show parameter to perform a rehearsal. This will show you the Key Vault secrets that will be created and show the text of the msticpyconfig.yaml file that would have been created.

Using keyring to cache secrets

keyring is available on most Python platforms: Windows, Linux and MacOS. On Linux it requires the installation of optional components - either KWallet or Secret Service. See the Keyring Readme for more information.

Warning

keyring caching is enabled by default. If you are working in an environment that does not have one of the supported keyring backends installed you should disable keyring caching by adding Keyring: false to you configuration settings.

The advantage of using keyring is that you do not need to re-authenticate to Key Vault for each notebook that you use in each session. If you have UseKeyring: true in your msticpyconfig.yaml file, the first time that you access a Key Vault secret the secret value is stored as a keyring password with the same name as the Key Vault secret.

Unfortunately, the keyring package provides no way to list or delete stored secrets. If you need to remove the locally-stored secrets use the platform utility for the appropriate backend. For example, on Windows, cmdkey lets you list and manipulate local stored credentials.

Warning

keyring secrets are not automatically synchronized with the Key Vault secret values. If you change the value of a secret in Key Vault you must delete the keyring secret so that the new value will be re-read from Key Vault.

You can use the refresh_keyring and clear_keyring to control these automatically-cached Key Vault values.

Manually managing your Key Vault secrets

You can use the Azure portal to create and manage your secrets. If you prefer to do this, simply enter the name of the secret in the corresponding section for the AuthKey or ApiID of your providers.

You can also use powershell or Python to manage these programmatically. MSTICPy has some convenience wrappers around the Azure SDK functions.

The documentation for these is available here: keyvault_client secrets_settings

User Defaults Section

Warning

This feature is being deprecated. Please avoid using this. If you have a use case that requires this, please contact the MSTICPy team - msticpy@microsoft.com. We’d love to hear how you are using it and how we might be able to improve it.

This section specifies the query and other providers that you want to load by default. It is triggered from the init_notebook although you can call the load_user_defaults function to do this manually.

If you do not have this section in your configuration init_notebook will bypass auto-loading any components.

QueryProviders

This is a list of query providers that you want to load. Most of the providers have a single namespace/environment associated with them but in the case of Azure Sentinel, you can load multiple copies of the query provider for different workspaces. The example below shows three different formats that you can used. Each workspace name under QueryProviders must exist as a workspace definition in the AzureSentinel section of this file (see Commented configuration file sample below)

Note

Single-string entries in this and other sections (e.g. MyWorkspace: below) must be specified as empty dictionaries. This is done by adding a trailing “:” to the entry but no value on the other side of the colon. This is simply to make the settings parsing code a little easier. This is only when you are specifying a setting key - i.e. the first item on a line. The key values (“azsent”, “sco” and “False” in this example) should be entered without a trailing colon.

Note also that False is a boolean value, not a string. You should always enter True and False with proper capitalization.

UserDefaults
  QueryProviders:
    AzureSentinel:
      MyWorkspace:
      Default:
        alias: azsent
      CyberSoc:
        alias: soc
        connect: False

MyWorkspace is loaded as-is - equivalent to calling:

from msticpy.data import QueryProvider
from msticpy.common.wsconfig import WorkspaceConfig

qry_myworkspace = QueryProvider("AzureSentinel")
ws_config = WorkspaceConfig(workspace="MyWorkspace")
qry_myworkspace.connect(ws_config.code_connect_str)

The Default entry has a few differences. The name “Default” refers to the default workspace definition in the AzureSentinel section of the msticpyconfig file. The alias: azsent element is an alias that will be used to rename the provider. It is equivalent to the following code:

from msticpy.data import QueryProvider
from msticpy.common.wsconfig import WorkspaceConfig

qry_azsent = QueryProvider("AzureSentinel")
ws_config = WorkspaceConfig()
qry_azsent.connect(ws_config.code_connect_str)

The final CyberSoc entry has multiple key-value pairs under it. The “alias” entry works exactly the same as the previous example. The “connect” item tells the code not to automatically connect (authenticate) to Azure Sentinel. It is equivalent to the following code:

from msticpy.data import QueryProvider

qry_soc = QueryProvider("AzureSentinel")

In all three cases the query provider object (qry_soc in the last example) is stored in the global namespace of the notebook so you can always refer to it using this variable name.

Query providers for non-Azure Sentinel data sources use the same syntax for aliasing and suppressing connect/authenticate. For example:

UserDefaults
  QueryProviders:
    AzureSentinel:
      ...
    Splunk:
      connect: false
    LocalData:
      alias: local

LoadComponents

This section controls the loading and instantiation of a number of other data providers and components.

UserDefaults
  ...
  LoadComponents:
    TILookup:
    GeoIpLookup:
      provider: GeoLiteLookup
    Notebooklets:
      query_provider:
        AzureSentinel:
          workspace: CyberSoc
    AzureData:
      auth_methods=['cli','interactive']
    AzureSentinelAPI:

Some of these accept additional parameters and some do not. Most of the configuration parameters for GeoIP providers, for example, are loaded from other sections of the configuration file.

GeoIpLookup - requires one parameter - the name of the provider that you want to use for GeoIP location resolution.

TILookup - no parameters, simply creates an instance of TILookup using the settings in the TIProviders section.

Notebooklets - to use this you must have MSTIC Notebooklets (msticnb see MSTICNB documentation). This has a required configuration setting, which MSTICPy passes to the notebooklets init function as the query_provider parameter. Other key/pair values included under the “query_provider” key are passed to the notebooklets initialization. Each parameter name is prefixed with the provider name so that it knows which parameters to send to which provider. In the example above notebooklets nbinit would be passed the following parameters:

nbinit(query_provider="AzureSentinel", AzureSentinel_workspace="CyberSoc")

The notebooklets package is loaded after most of the other providers (but before Pivot if that is included in the list) and is also sent the names of other providers (query and others such as TILookip) as its providers parameter. For more details see data_providers.init.

AzureData and AzureSentinel load the Azure resource API and Azure Sentinel API libraries respectively. Any key/pair values defined under either of these entries are passed to the provider connect method. In the AzureData example above this is equivalent to the following code.

from msticpy.context.azure_data import AzureData
az_data = AzureData()
az_data.connect(auth_methods=['cli','interactive'])

The components in the LoadProviders section have built-in friendly names for each component. These currently cannot be overridden from the configuration settings:

  • geoip

  • ti_lookup

  • nb

  • az_data

  • azs_api

MSTICPy current_providers Attribute

If you have loaded providers using the UserDefaults configuration the provider instances created are also stored in an attribute of the msticpy top level module.

>>> msticpy.current_providers

{'qry_azsent': <msticpy.data.data_providers.QueryProvider at 0x21604110ac8>,
'qry_myworkspace': <msticpy.data.data_providers.QueryProvider at 0x216041459c8>,
'qry_cybersoc': <msticpy.data.data_providers.QueryProvider at 0x21660d41308>,
'qry_splunk': <msticpy.data.data_providers.QueryProvider at 0x21661127208>,
'qry_local': <msticpy.data.data_providers.QueryProvider at 0x216605a7c48>,
'ti_lookup': <msticpy.context.tilookup.TILookup at 0x216611c7908>,
'geoip': <msticpy.context.geoip.GeoLiteLookup at 0x21660659c88>,
'az_data': <msticpy.context.azure_data.AzureData at 0x21668aaf708>,
'azs_api': <msticpy.context.azure_sentinel.AzureSentinel at 0x21603f42388>,
'nb': <module 'msticnb' from 'e:\\src\\msticnb\\msticnb\\__init__.py'>}

You can use this to reference any of these loaded components. Although these values are normally also populated in the notebook global namespace you can re-populate them if needed. To write them back into the notebook namespace execute the following:

>>> globals().update(msticpy.current_providers)

Warning

This will overwrite any global variable with the same name as any of the items in the current_providers dictionary.

Using msticpyconfig.yaml in code

Settings are read using get_config method of the refresh_config module. You can specify a setting path in dotted notation. For example:

from msticpy.common.settings import get_config
qry_prov = get_config("QueryProviders.MicrosoftGraph")

You can also set configuration settings using the set_config method. This also supports dotted notation for the setting path. Any changes made here are not persisted to the configuration file and only available for the current Python session.

To force settings to be re-read after the package has been imported, call refresh_config.

The settings exposed in these attributes are python dictionaries that reflect the underlying YAML data in the configuration file.

Note

the wsconfig module, TIProviders, OtherProviders and the data libraries use additional functionality to provide higher-level views of the configuration data. An example of this is the using environment variable references to replace the actual configuration value with the secret stored in the environment variables.

If you are building a component for MSTICPy or work alongside MSTICPy, you can extend msticpyconfig to include additional sections to support your component.

Commented configuration file sample

# msticpy global settings
msticpy:
  FriendlyExceptions: True
  QueryDefinitions:
    - ./queries
    - ~/.msticpy/queries
  http_timeout: 30
  Proxies:
    https:
      Url: https://proxy:8080
      UserName: user
      Password:
        EnvironmentVar: "PROXY_PASSWORD"
AzureSentinel:
  Workspaces:
    # Workspace used if you don't explicitly name a workspace when creating WorkspaceConfig
    # Specifying values here overrides config.json settings unless you explictly load
    # WorkspaceConfig with config_file parameter (WorkspaceConfig(config_file="../config.json")
    Default:
      WorkspaceId: "d973e3d2-28e6-458e-b2cf-d38876fb1ba4"
      TenantId: "4cdf87a8-f0fc-40bb-9d85-68bcf4ac8e61"
      SubscriptionId: "2e0acf9c-b2c4-4c9b-8f34-9899b9588492"
      WorkspaceName: "MyWorkspace"
      ResourceGroup: "MyResourceGroup"
    # To use these launch with an explicit name - WorkspaceConfig(workspace_name="Workspace2")
    Workspace2:
      WorkspaceId: "c88dd3c2-d657-4eb3-b913-58d58d811a41"
      TenantId: "f1f64e65-ff7c-4d71-ad5b-091b6ab39d51"
    Workspace3:
      WorkspaceId: "17e64332-19c9-472e-afd7-3629f299300c"
      TenantId: "4ea41beb-4546-4fba-890b-55553ce6003a"
KustoClusters:

QueryDefinitions:
  # Add paths to folders containing custom query definitions here
  Custom:
    - /var/global-queries
    - /home/myuser/queries
    - c:/users/myuser/documents
TIProviders:
  # If a provider has Primary: True it will be run by default on IoC lookups
  # Secondary providers can be
  OTX:
    Args:
      AuthKey: "4ea41beb-4546-4fba-890b-55553ce6003a"
    Primary: True
    Provider: "OTX" # WARNING - Do not change Provider values!
  VirusTotal:
    Args:
      AuthKey: "4ea41beb-4546-4fba-890b-55553ce6003a"
    Primary: False
    Provider: "VirusTotal"
  XForce:
    # You can store items in an environment variable using this syntax
    Args:
      ApiID:
        EnvironmentVar: "XFORCE_ID"
      AuthKey:
        EnvironmentVar: "XFORCE_KEY"
    Primary: True
    Provider: "XForce"
  AzureSentinel:
    # Note this can be a different workspace/tenant from your main workspace
    # This only controls where the Azure Sentinel TI provider looks for the
    # ThreatIndicator table.
    Args:
      WorkspaceID: "c88dd3c2-d657-4eb3-b913-58d58d811a41"
      TenantID: "f1f64e65-ff7c-4d71-ad5b-091b6ab39d51"
    Primary: True
    Provider: "AzSTI"
  OpenPageRank:
    Args:
      AuthKey:
        KeyVault:
    Primary: False
    Provider: "OPR"
  TorExitNodes:
    Primary: True
    Provider: "Tor"
  RiskIQ:
    Args:
      ApiID: "user@host.com"
      AuthKey: "aaaa-bbbb-cccc-dddd-eeee"
    Provider: "RiskIQ"
    Primary: True
OtherProviders:
  GeoIPLite:
    Args:
      AuthKey:
        EnvironmentVar: "MAXMIND_AUTH"
      DBFolder: "~/.msticpy"
    Provider: "GeoLiteLookup"
  IPStack:
    Args:
      AuthKey:
        KeyVault: my_secret
    Provider: "IPStackLookup"
  Contoso-GeopIp:
    Args:
      AuthKey:
        KeyVault: my_vault/my_secret
    Provider: "ContosoLookup"
DataProviders:
  AzureCLI:
    Args:
      clientId: "69d28fd7-42a5-48bc-a619-af56397b1111"
      tenantId: "69d28fd7-42a5-48bc-a619-af56397b2222"
      clientSecret: "69d28fd7-42a5-48bc-a619-af56397b3333"
# DEPRECATED
UserDefaults:
  # DEPRECATED - List of query providers to load
  QueryProviders:
    - AzureSentinel:
      - Default: asi
      - CyberSoc:
        alias: soc
        connect: false
    - Splunk:
        connect: false
    - LocalData: local
  # DEPRECATED - List of other providers/components to load
  LoadComponents:
    - TILookup
    - GeoIpLookup: GeoLiteLookup
    - Notebooklets:
        query_provider:
          AzureSentinel: CyberSoc
    - Pivot
    - AzureData:
      auth_methods=['cli','interactive']
    - AzureSentinelAPI

See also

The Threat Intelligence Providers documentation Settings Editor

wsconfig provider_settings wsconfig