We’ve decided that it’s time to bring MSTICPy out of beta and let it fend for itself in the big wide world.

The 1.0 release has some significant features that we’ll be testing and would like you to try out:

  1. Implementing pip “extras” to split dependencies into optional chunks
  2. Settings editor and management tools
  3. User defaults — preload data providers and other components automatically when you initialize MSTICPy at the start of each notebook
  4. SQL to KQL translator
  5. Pivot functions updates


Since this is currently a pre-release it won’t install with pip install msticpy You’ll need to specify the version

We recently just released a new version of MSTICPy with a feature called Pivot functions.

Pivot functions have three main goals:

  • Making it easy to discover and invoke MSTICPy functionality.
  • Creating a standardized way to call pivotable functions.
  • Letting you assemble multiple functions into re-usable pipelines.

The pivot functionality exposes operations relevant to a particular entity as methods (or functions) of that entity. These operations include: data queries, threat intelligence lookups, other data lookups (such as geo-location, whois and domain resolution) as well as other local functions.

Here are a couple of examples showing calling different kinds of enrichment functions…

We’re pleased to announce the release of MSTICPy 0.8.8 (which should have been 0.8.5 but a few hiccups caused us to do some hotfixes before announcing)

This release has a few new cool features (plus the usual share of fixes):

  • VirusTotal API V3 support — with notebook support for viewing and navigating the indicator relationships and the VT Graph.
  • Mordor data provider and browser — to view and import attack data sets directly into your notebook
  • Streamlined Azure authentication — you should only need to authenticate once!
  • Azure Sentinel APIs for retrieving data such as Incidents, Alert rules, bookmarks, etc…

We recently released 0.8.0 of MSTICPy. The significant features in the release are:

  • New widgets, a mechanism for selected widgets to persist and recall their state, and the ability to drive widget values from notebook parameters.
  • Data obfuscation functions — not something you’ll likely need during the average investigation but useful for disguising sensitive data if you are presenting it externally.
  • Interactive browsers for Data queries and Threat Intel results.

Widget Updates

New Widgets

We’ve added two new simple widgets.

GetText is a simple wrapper around the ipywidgets Text widget. Why would you use this rather than the Text widget? …

We’re very happy to announce, after a several months work, the release of a new Python/Jupyter notebooks package — MSTICnb, or MSTIC notebooklets.

MSTICnb is a companion package to MSTICpy. It is designed to be used in Jupyter notebooks by security operations engineers and analysts, to allow them to quickly, and easily, run common notebook patterns such as retrieving summary information about a host, an account or IP address.

Notebooklet browser UI

Each notebooklet is equivalent to multiple cells and many lines of code in a traditional notebook. By contrast, you can import and run a notebooklet in just two lines of code…

We have two exciting features for this release of MSTICpy: a Splunk data provider and data uploaders for Azure Sentinel and Splunk

Splunk Data Provider

We have added support for Splunk in our growing list of Data Providers/Connectors. The feature is built on top-of Splunk SDK for python with some customization and enhancements.

The provider allows you to connect to a Splunk instance (on-premise or cloud) and query data from Jupyter notebooks and MSTICpy using a pattern similar to our existing data providers. The results of each query are returned as a pandas DataFrame. …

This is mostly housekeeping release — we needed to do a bit of updating and testing for the new Azure Machine Learning nteract-based notebook environment. This is going to be the default execution environment for Azure Sentinel Notebooks. Read more about nteract and about the Azure ML Notebooks feature.

New Features

Friendly Exceptions

We’ve introduced a set of friendly exceptions for common configuration-related problems that users might encounter while using msticpy in notebooks. In most cases, the cause is lack of a config item such as an API key or setting. …

In the latest release of msticpy we have added a new data provider, called LocalData, that allows you to query and load locally stored data sets. It’s designed to assist you in testing, demonstrations, and creating example notebooks where querying of remote data sets is not practical.

Why do we need a data provider to read locally-stored data you might be asking? After all reading a pandas DataFrame from a comma-separated-variable (CSV) is as easy as:

The primary driver for this is to create a data provider that behaves in the same way as our online data providers.


We have released the latest version of MSTICpy to both GitHub and PyPI. This release includes a wide number of new features and capabilities that we wanted to showcase. All these features come with documentation that can be found on our ReadTheDocs site and the detailed release notes can be found here.

Anomaly Sequence Analysis

Karishma Dixit in the MSTIC team developed a Python package to detect unusual sequence of events in Office activity data. She repackaged the code for more generic use in MSTICpy. The anomalous_sequence package can be run against a variety of log events to look for…


This is the account of the Microsoft Threat Intelligence Center (MSTIC).

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store