Sign in

With the recent release of v 1.0.0 of MSTICPy we thought it was a good time to do an overview article. This is based on an article in the Azure Sentinel Technical Community blog but since that one focuses on MSTICPy’s use in Azure Sentinel and MSTICPy is ostensibly SIEM-agnostic we thought it would be good to do another version of it here.

What is MSTICPy?

MSTICPy is a package of Python tools for security analysts to assist them in investigations and threat hunting. It is primarily designed for use in Jupyter notebooks. …


The 1.4.2 release of MSTICPy includes several major features/updates:

  • Support for Azure sovereign clouds for Azure Sentinel, Key Vault, Azure APIs, Azure Resource Graph and Azure Sentinel APIs
  • A new visualization — the Matrix plot visualizing interactions between two sets of data items.
  • Significant update to the Process Tree visualization allowing you to use process data from Microsoft Defender for Endpoint, and generic process data from other sources.
  • We have also consolidated our visualizations into a single pandas accessor to make them easier to invoke from any DataFrame.

Important Note:

If you’ve installed release 1.4.0 or 1.4.1, please upgrade to v1.4.2 —…


This release includes 3 new notebooklets: AccountSummary, IPAddressSummary and LogonSessionRarity.

It’s been a while since we updated any notebooklets but then three come along at once! For some background read the original announcement of notebooklets.

This release also integrates the notebooklets with MSTICPy’s pivot functions, so that you can call a notebook from a single-line pivot function. These functions are available in the Host, Account and IpAddress entities so far.

If you don’t have the notebooklets package (msticnb) installed, install it with pip.

pip install msticnb

MSTICnb depends on MSTICPy and will install this if you don’t have it installed.


(We skipped a 1.2.0 with a few last-minute fixes)

This release contains some interesting new features, two of which were contributed by community members Ryan Cobb and Julien Touche. These features are: two new data providers for Azure Resource Graph and Sumologic, and a DataViewer control for pandas dataframes.

Azure Resource Graph provider

The Azure Resource graph provider lets you query Azure resources using KQL queries. This works much like our other query providers offering both pre-defined queries in YAML and ad-hoc querying.

You can use this data connector to flexibly and quickly get details on deployed Azure resources within a subscription. It allows…


We recently released an update to MSTICPy that adds some cool new features as well as some minor fixes.

Warning — this release includes some potentially breaking changes since we have renamed several pivot functions to have shorter, friendlier names. Several Azure Sentinel query functions have shortened names.

Pivot improvements

Pivots are still a relatively new feature in MSTICPy and as such we are still working to improve and expand them, especially as we get feedback from users. …


MSTICPy has been around for nearly 2 and half years so we decided that it was time to bring it out of beta and let it roam free in the big wide world.

(This article is based on the earlier MSTICPy release candidate article but does contain some updates, so please scan through, even if you read the previous article).

The 1.0 release has some new features and some significant updates to existing features:

  1. Implementing pip “extras” to split dependencies into optional chunks for faster installation
  2. Settings editor and management tools for easier configuration
  3. User defaults — preload data providers…


We’ve decided that it’s time to bring MSTICPy out of beta and let it fend for itself in the big wide world.

The 1.0 release has some significant features that we’ll be testing and would like you to try out:

  1. Implementing pip “extras” to split dependencies into optional chunks
  2. Settings editor and management tools
  3. User defaults — preload data providers and other components automatically when you initialize MSTICPy at the start of each notebook
  4. SQL to KQL translator
  5. Pivot functions updates

Installing

Since this is currently a pre-release it won’t install with pip install msticpy You’ll need to specify the version


We recently just released a new version of MSTICPy with a feature called Pivot functions.

Pivot functions have three main goals:

  • Making it easy to discover and invoke MSTICPy functionality.
  • Creating a standardized way to call pivotable functions.
  • Letting you assemble multiple functions into re-usable pipelines.

The pivot functionality exposes operations relevant to a particular entity as methods (or functions) of that entity. These operations include: data queries, threat intelligence lookups, other data lookups (such as geo-location, whois and domain resolution) as well as other local functions.

Here are a couple of examples showing calling different kinds of enrichment functions…


We’re pleased to announce the release of MSTICPy 0.8.8 (which should have been 0.8.5 but a few hiccups caused us to do some hotfixes before announcing)

This release has a few new cool features (plus the usual share of fixes):

  • VirusTotal API V3 support — with notebook support for viewing and navigating the indicator relationships and the VT Graph.
  • Mordor data provider and browser — to view and import attack data sets directly into your notebook
  • Streamlined Azure authentication — you should only need to authenticate once!
  • Azure Sentinel APIs for retrieving data such as Incidents, Alert rules, bookmarks, etc…


We recently released 0.8.0 of MSTICPy. The significant features in the release are:

  • New widgets, a mechanism for selected widgets to persist and recall their state, and the ability to drive widget values from notebook parameters.
  • Data obfuscation functions — not something you’ll likely need during the average investigation but useful for disguising sensitive data if you are presenting it externally.
  • Interactive browsers for Data queries and Threat Intel results.

Widget Updates

New Widgets

We’ve added two new simple widgets.

GetText is a simple wrapper around the ipywidgets Text widget. Why would you use this rather than the Text widget? …

MSTIC

This is the account of the Microsoft Threat Intelligence Center (MSTIC).

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store