MSTIC Jupyter and Python Security Tools
msticpy is a library for InfoSec investigation and hunting in Jupyter Notebooks. It includes functionality to:
- query log data from multiple sources
- enrich the data with Threat Intelligence, geolocations and Azure resource data
- extract Indicators of Activity (IoA) from logs and unpack encoded data
- perform sophisticated analysis such as anomalous session detection and time series decomposition
- visualize data using interactive timelines, process trees and multi-dimensional Morph Charts
It also includes some time-saving notebook tools such as widgets to set query time boundaries, select and display items from lists, and configure the notebook environment.
Background - Why we created msticpy
The package was originally built for authoring notebooks in Azure Sentinel. While Azure Sentinel is still a big focus of our work, we have extended the data query/acquisition components to pull log data from other sources (e.g. Splunk, Microsoft 365 Defender, Microsoft Graph and SumoLogic), and we are actively working on support for data from other SIEM platforms. Most of the components can also be used with data from any source. Pandas DataFrames are used as the ubiquitous input and output format of almost all components.
Most of the content of the package began life as inline code in a notebook. However, having a lot of code in your notebooks creates a few problems:
- notebooks dominated by big code blocks make it difficult to see the results and text of your notebook, which is really what you want your audience to see
- it makes the notebook especially intimidating for non-programmers
- it makes code re-use very hard.
The philosophy behind this package is to create a repository for re-usable pieces of functionality that make it both quicker to author notebooks, and make resultant notebooks easier to read.
What is/who are MSTIC?
MSTIC == Microsoft Threat Intelligence Center. We are mostly security analysts and engineers working on:
- authoring security detections for several Microsoft platforms
- threat identification and investigation
Contents
- Getting Started
- Querying and Importing Data
- Common Data Provider Operations
- Individual Data Environments
- Microsoft Sentinel Provider
- Microsoft 365 Defender Provider
- Microsoft Graph API Provider
- The LocalData provider
- Splunk Provider
- Azure Resource Graph Provider
- Open Threat Research Security Datasets data provider and browser
- Sumologic Provider
- Azure Data Explorer/Kusto Provider
- Cybereason Provider
- The OSQuery provider
- The Velociraptor provider
- Microsoft Sentinel Provider - Legacy Version
- Azure Data Explorer/Kusto Provider - Legacy Version
- Built-in Data Queries
- Other Data Modules and Functions
- Contributing a Data Provider
- Enriching Data
- Threat Intel Lookup
- Notebook
- Features
- Introduction/Quickstart
- Configuring TI providers
- TILookup class
- Querying and Configuring the Pivot TILookup
- Listing Available Providers
- Loading TI Providers
- Looking up IoCs
- Looking up Multiple IoCs
- Inferring IoC type vs specifying explicitly
- Browsing and Selecting TI Results
- Advanced Provider Usage - Query types
- Specifying Time Ranges
- GeoIP Lookup
- Azure Data Enrichment
- Microsoft Sentinel APIs
- Microsoft Sentinel Analytics
- Microsoft Sentinel Bookmarks
- Microsoft Sentinel Dynamic Summaries
- Microsoft Sentinel Incidents
- Microsoft Sentinel Watchlists
- Microsoft Sentinel Search
- Microsoft Sentinel Workspaces
- Microsoft Sentinel Threat Intelligence
- Description
- Instantiating and Connecting the Microsoft Sentinel API Connector
- Get Microsoft Sentinel Workspaces
- Incidents
- Hunting Queries
- Analytics
- Bookmarks
- Watchlists
- Search
- IP Whois Enrichment
- Threat Intel Lookup
- Analyzing Data
- Displaying/Visualizing Data
- Event Timeline
- ProcessTree
- Notebook Widgets
- Folium Map Plotting
- Time Series Analysis and Anomalies Visualization
- Preparation
- Retrieving data to analyze
- Performing the Time Series analysis
- Displaying the time series anomalies
- Extracting anomaly periods
- Readjusting the anomaly threshold
- MSTICPy built-in Sentinel Queries
- Using MSTICPY functions - Seasonal-Trend decomposition using LOESS (STL)
- Time Series Anomalies Visualization
- Exporting Plots as PNGs
- Morph Charts
- Data Viewer
- Matrix Plot
- Sample data
- The basic matrix/interaction plot
- Sorting the X and Y values
- Using the plot_matrix function directly
- Plotting interactions based on column value
- Log scaling the value/size column
- Size based on number of distinct values
- Inverting the size to show rare interactions
- Showing interactions only
- Entity Graph
- Plot a Network Graph from DataFrame
- msticpy API
- Extending MSTICPy
- MSTICPy Development Guidelines
- Notebook Examples
- Articles, Labs and other Resources
- Releases
- Contributing
- License