msticpy 0.9.0 — Pivot Functions

  • Making it easy to discover and invoke MSTICPy functionality.
  • Creating a standardized way to call pivotable functions.
  • Letting you assemble multiple functions into re-usable pipelines.
Figure: five chained calls to pivot functions on a single IP address: (1) determine the address type (public, private, etc.); (2) look up ownership information with WhoIs; (3) try to resolve the address to a domain; (4) find the geo-location of the address; (5) look up any Threat Intelligence reports on the IP address.
Simple pivot functions

What is “pivoting”?

What was life like before pivot functions?

  1. know which modules contained the functions you wanted,
  2. import the functions,
  3. maybe do some initialization — such as creating a class,
  4. probably look up the help strings to check on the arguments.

Pivot functions to the rescue

  • Being accessible via the entity class relevant to the job in hand (e.g. all URL-related functions are exposed as members of the Url entity class).
  • Normalizing input formats — every pivot function accepts input in the form of a string, a list (or other Python “iterable”), or a pandas DataFrame.
  • Regularizing parameter signatures — you can usually just pass a single positional parameter to the functions. If you need to use a parameter name, you can use a generic term such as “value” (in the case of DataFrames you use “data” and “column” to specify the DataFrame and the column name respectively).
  • Normalizing output — all pivot functions return results as DataFrames. In addition, you can join input to the output using inner, left, right or outer joins.
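To make the calling conventions above concrete, here is an added example (not msticpy's own code) of a small pivot-style wrapper. `pivot_function`, `classify_ip` and `ip_type` are hypothetical names; plain dicts stand in for pandas DataFrame rows so the example runs without pandas, and only inner and left joins are implemented. The IP classification uses the standard-library `ipaddress` module to show the kind of result the page describes for `util.ip_type`, and the sample sign-in rows are constructed for the example.

```python
"""Pivot-style wrapper, written as an added example (not msticpy code).

Plain dicts stand in for pandas DataFrame rows so this runs without pandas.
"""
import ipaddress
from collections.abc import Iterable


def classify_ip(ip):
    """Coarse IP category (the kind of value a pivot like util.ip_type is
    described as returning), or None when the value is not an IP address."""
    try:
        addr = ipaddress.ip_address(str(ip).strip())
    except ValueError:
        return None
    # Order matters: 127.0.0.0/8 is both loopback and "private" in the stdlib.
    if addr.is_loopback:
        return "Loopback"
    if addr.is_link_local:
        return "Link-local"
    if addr.is_multicast:
        return "Multicast"
    if addr.is_private:
        return "Private"
    return "Public"


def pivot_function(func, result_name, value_name="value"):
    """Give a single-value function the pivot calling conventions.

    The returned wrapper accepts a string, any iterable of strings, or a
    table (`data`, a list of row dicts) plus the `column` holding the
    values, and always returns a table. With `join`, results are merged
    onto the input rows: "inner" keeps only rows that produced a result,
    "left" keeps every input row (missing results become None).
    Hypothetical helper; only these two join types are implemented.
    """
    def wrapper(value=None, data=None, column=None, join=None):
        if join not in (None, "inner", "left"):
            raise ValueError("join must be None, 'inner' or 'left'")
        if data is not None:
            if column is None:
                raise ValueError("'column' is required when passing 'data'")
            rows = [dict(r) for r in data]
            key = column
        elif isinstance(value, str):
            rows, key = [{value_name: value}], value_name
        elif isinstance(value, Iterable):
            rows, key = [{value_name: str(v)} for v in value], value_name
        else:
            raise TypeError("pass a string, an iterable, or data= and column=")

        # Standardized output: one result row per input value that resolved.
        results = []
        for row in rows:
            outcome = func(row[key])
            if outcome is not None:
                results.append({value_name: row[key], result_name: outcome})
        if join is None:
            return results

        # Join the results back onto the caller's rows on the looked-up value.
        lookup = {r[value_name]: r[result_name] for r in results}
        joined = []
        for row in rows:
            hit = lookup.get(row[key])
            if hit is None and join == "inner":
                continue
            joined.append({**row, result_name: hit})
        return joined

    return wrapper


# One pivot-style function exposing the three input forms and a join.
ip_type = pivot_function(classify_ip, result_name="ip_type", value_name="ip")

if __name__ == "__main__":
    print(ip_type("8.8.8.8"))
    print(ip_type(["10.0.0.1", "169.254.1.1", "::1", "not-an-ip"]))
    # Constructed sample table of sign-in events with a source-IP column.
    signins = [
        {"user": "alice", "src_ip": "8.8.8.8"},
        {"user": "bob", "src_ip": "192.168.1.20"},
        {"user": "eve", "src_ip": "not-an-ip"},
    ]
    print(ip_type(data=signins, column="src_ip", join="left"))
```

The wrapper is the point of the example: the same `ip_type` call works on a bare string, on a list, and on a table with a named column, and the `join` argument is what lets you keep the analyst's original rows (user, timestamp, etc.) alongside the enrichment instead of re-merging by hand. Invalid values are dropped by an inner join and surface as `None` in a left join, which is usually what you want when a column contains a mix of IPs and host names.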

Getting started

from msticpy.nbtools.nbinit import init_notebook
init_notebook(namespace=globals());
# init_notebook imports QueryProvider (and other msticpy classes) into the notebook namespace
az_provider = QueryProvider("AzureSentinel")

from msticpy.datamodel.pivot import Pivot
# Pivot scans the namespace for providers such as az_provider and attaches their functions to the entity classes
pivot = Pivot(namespace=globals())
>>> IpAddress.get_pivot_list()
['AzureSentinel.SecurityAlert_list_alerts_for_ip',
'AzureSentinel.SigninLogs_list_aad_signins_for_ip',
'AzureSentinel.AzureActivity_list_azure_activity_for_ip',
'AzureSentinel.AzureNetworkAnalytics_CL_list_azure_network_flows_by_ip',
...
'ti.lookup_ip',
'ti.lookup_ipv4',
'ti.lookup_ipv4_OTX',
...
'ti.lookup_ipv6_OTX',
'util.whois',
'util.ip_type',
'util.ip_rev_resolve',
'util.geoloc_mm',
'util.geoloc_ips']
Typing an entity class name and hitting the tab key will show you a list of possible member functions and containers in the class.
Tab completion of pivot functions in MSTICPy

Query and Processing Pipelines

Figure: a pipeline of pivot functions processing input from a pandas DataFrame. It shows summarized output from one of the steps and ends with plotting an interactive timeline of the relevant events.
Creating and running a pivot pipeline

Read More

Feedback


This is the account of the Microsoft Threat Intelligence Center (MSTIC).
