MSTICPy v1.0.0 and Jupyter Notebooks for CyberSec

What is MSTICPy?

  1. Simplify the process of creating and using notebooks for security analysis by providing building-blocks of key functionality.
  2. Improve the usability of notebooks by reducing the amount of code needed in notebooks.
  3. Make the functionality open and available to all, to both use and contribute to.

1000 feet view

  • Data Acquisition — is all about getting security data into the notebook. It includes data providers and pre-built queries that allow easy access to several security data stores including Azure Sentinel, Microsoft Defender, Splunk and Microsoft Graph. There are also modules that deal with saving and retrieving files from Azure blob storage and uploading data to Azure Sentinel and Splunk.
  • Data Enrichment — focuses on components such as threat intelligence and geo-location lookups that provide additional context to events found in the data. It also includes Azure APIs to retrieve details about Azure resources such as virtual machines and subscriptions.
  • Data Analysis — packages here focus on more advanced data processing: clustering, time series analysis, anomaly identification, base64 decoding and Indicator of Compromise (IoC) pattern extraction. Another component that we include here but really spans all of the first three categories is pivot functions — these give access to many MSTICPy functions via entities (for example, all IP address related functions are accessible as methods of the IpAddress entity class.)
  • Visualization — this includes components to visualize data or results of analyses such as: event timelines, process trees, mapping, morph charts, and time series visualization. Also included under this heading are a large number of notebook widgets that help speed up or simplify tasks such as setting query date ranges and picking items from a list. Also included here are a number of browsers for complex data (like the threat intel and alert browsers) or to help you navigate internal functionality (like the query and pivot function browsers).

Companion Notebook

Notebook Initialization

  1. Checks the Python and MSTICPy versions and updates the latter if needed.
  2. Imports MSTICPy components.
  3. Loads and authenticates a query provider to be able to start querying data.

Wait! I don’t have a SIEM to query data from

Data Queries


  1. Most queries will take an optional parameter add_query_items which allows you to tack on (some might say “inject”!) arbitrary KQL (for Azure Sentinel queries) to the query.
  2. You can write a query from scratch as a string and just execute it.

Visualizing Data

Event Timelines

Process Tree

Alert Viewer

Data Enrichment with Threat Intelligence, WhoIs and GeoIP

Side note — Pivot functions

Back to Enrichment

Using advanced analysis (aka simple machine learning)

Documentation and Resources


Take-aways and actions.

  • The very obvious first action is go and start playing with notebooks for your CyberSec investigations.
  • Second would be install MSTICPy and kick the tires. We are always looking for feedback on what does and doesn’t work and are always open to requests or suggestions for new features.
  • Read the docs.
  • If you’re feeling adventurous, consider contributing to MSTICPy. These could be ideas that you have that you think would be helpful to the CyberSec community. If you’re a bit stuck for ideas but love security and Python coding, we have a few ideas of our own and way too few people to implement them.
  • File an issue, feature request, create a PR or just poke around the code on our GitHub repo.
  • Read a summary of the latest release.
  • Follow me (@ianhellen), Pete (@MSSPete) and Ashwin (@ashwinpatil) on Twitter.
  • You can also reach us at




This is the account of the Microsoft Threat Intelligence Center (MSTIC).

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

How to remove Restricted mode from chromecast

Proper handling of ‘make’ query terms in e-commerce search

Python Prerequisites for Data Science Part I : Python Data Structures

Ubuntu Operating System

Just another Google Onsite

mydash101 customer care number..8081067602 any problem call now 24 hours money refund..8081067602

Lifecycle Management with Applications in OCI Data Integration

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store


This is the account of the Microsoft Threat Intelligence Center (MSTIC).

More from Medium

Arithmetic Operators in Python

What is in the eScience toolbox: Stef on his favourite meshing library

Installing Jupyter Lab on Windows Subsystem for Linux with Miniconda

Python 3.7 on Apple Silicon