Announcing MSTIC Notebooklets

Notebooklet browser UI

Notebooklets Background

What are notebooklets?

  • Get a host summary for a named host (IP address, cloud registration information, recent alerts)
  • Get account activity for an account (host and cloud logons and failures, summary of recent activity and any related alerts)
  • Triage alerts with Threat Intel data (prioritize your alerts by correlating with Threat intel sources) and browse through them.

Intended Audience

  • Cyber security investigators and hunters using Jupyter notebooks for their work
  • Security Ops Center (SOC) engineers/SecDevOps building reusable notebooks for SOC analysts

Why did we create notebooklets?

  1. Notebook code can quickly become complex and lengthy, so that it:
    • obscures the information you are trying to display
    • can be intimidating to non-developers
  2. You can copy and paste code between notebooks, but how do you sync changes back to the original notebook?
  3. Code snippets in notebooks are difficult to discover.
  4. Code is often not parameterized or modular.
  5. Code blocks are frequently dependent on global values assigned earlier in the notebook.
  6. Output data is not in any standard format.
  7. The code is difficult to test.

Why aren’t notebooklets part of MSTICpy?

  • MSTICpy aims to be platform-independent, whereas most, if not all, notebooklets assume a data schema that is specific to their data provider/SIEM.
  • MSTICpy is mostly for discrete functions such as data acquisition, analysis and visualization. MSTICnb implements common SOC scenarios using this functionality.

Traditional notebook vs. one using notebooklets

Comparison of notebooks with and without using Notebooklets

Using Notebooklets

  • Install the package (obviously!) — pip install msticnb
  • Import — import msticnb as nb
  • Initialize — nb.init("AzureSentinel") (what you type here will depend on your data provider, you might also need some additional initialization info).
Running a notebooklet
Notebooklet run output

Current Notebooklets

AccountSummary

  • Searches for matches for the account name in Active Directory, Windows and Linux host logs.
  • If one or more matches are found, it returns a selection widget that you can use to pick the account.
  • Selecting the account displays a summary of recent activity and retrieves any alerts and hunting bookmarks related to the account.
  • The alerts and bookmarks are browsable using the browse_alerts and browse_bookmarks methods.
  • You can call the find_additional_data method to retrieve and display more detailed activity information for the account.

EnrichAlerts

Alert enrichment notebooklet

HostSummary

  • IP address assignment
  • Related alerts
  • Related hunting/investigation bookmarks
  • Azure subscription/resource data.
HostSummary notebooklet output

HostLogonsSummary

  • Logon timeline — a timeline of all logon attempts (both failed and successful) to the host broken down by the logon result. This visual guide makes it easy to identify brute force attempts or other suspicious logon patterns.
  • Logon map — an interactive geospatial representation of logon events based on the IP geolocation of the remote IP addresses involved. This helps identify logon events from anomalous or suspicious locations.
  • User and process graphs — visual breakdowns of logon attempts by user and by process to help identify primary logon vectors.
  • Logon matrix — a heatmap of user, process, and logon results to help identify any specifically high or low volume logon cases for additional investigation.
HostLogonsSummary output
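To make the design goals from "Why did we create notebooklets?" concrete, here is an added, hypothetical notebooklet-style class (not msticnb's own code) that reproduces the HostLogonsSummary breakdowns over constructed logon events: a parameterized run() instead of notebook globals, a standard result object, and a failure-burst check standing in for the brute-force pattern the logon timeline makes visible. The event tuple layout, the field names and the 5-failures-in-10-minutes threshold are assumptions.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample logon events for one host: (time, account, logon_type, result).
SAMPLE_LOGONS = [
    ("2020-09-01T10:00:00", "alice", "RemoteInteractive", "Success"),
    ("2020-09-01T10:05:00", "bob", "Network", "Success"),
    ("2020-09-01T11:09:00", "admin", "Network", "Success"),
] + [  # eight failures for one account within ten minutes: a brute-force-like burst
    (f"2020-09-01T11:0{i}:00", "admin", "Network", "Failure") for i in range(8)
]

@dataclass
class HostLogonsResult:
    host: str
    by_result: dict       # logon result -> count (the timeline totals)
    by_user: dict         # account -> count (the per-user graph)
    logon_matrix: dict    # (account, logon_type) -> {result: count} (the heatmap)
    failure_bursts: list  # (account, peak failures in one window) at/over threshold

class MiniHostLogonsSummary:
    """Hypothetical notebooklet: every input is a run() parameter, no notebook globals."""
    def run(self, value, data, timespan=None, burst_threshold=5,
            burst_window=timedelta(minutes=10)):
        start, end = timespan or (datetime.min, datetime.max)
        rows = sorted((datetime.fromisoformat(t), acct, ltype, res)
                      for t, acct, ltype, res in data
                      if start <= datetime.fromisoformat(t) <= end)
        matrix = defaultdict(Counter)
        for _, acct, ltype, res in rows:
            matrix[(acct, ltype)][res] += 1
        return HostLogonsResult(
            host=value,
            by_result=dict(Counter(r[3] for r in rows)),
            by_user=dict(Counter(r[1] for r in rows)),
            logon_matrix={k: dict(v) for k, v in matrix.items()},
            failure_bursts=self._failure_bursts(rows, burst_threshold, burst_window))

    @staticmethod
    def _failure_bursts(rows, threshold, window):
        """Per account, the most failures inside any window starting at a failure."""
        failures = defaultdict(list)
        for t, acct, _, res in rows:
            if res == "Failure":
                failures[acct].append(t)
        peaks = {acct: max(sum(1 for u in times if timedelta(0) <= u - t <= window)
                           for t in times) for acct, times in failures.items()}
        return [(acct, n) for acct, n in peaks.items() if n >= threshold]
```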

WinHostEvents

  • Summarized display of all security events and accounts that triggered them.
  • Extracting and displaying account management events
  • Account management event timeline
  • Optionally parsing packed XML event data into DataFrame columns for specific event types.

NetworkFlowSummary

  • Plot flow events by protocol and direction
  • Plot flow count by protocol
  • Display flow summary table
  • Display flow summary by ASN
  • Display IP location results on a map
Network flow summary

Conclusion


This is the account of the Microsoft Threat Intelligence Center (MSTIC).
