jupyter
12 Topics

MSTICPy and Jupyter Notebooks in Azure Sentinel, an update
We recently announced the official release of MSTICPy. This is a good time to get an update on all that has changed in the world of Jupyter notebooks and MSTICPy in Azure Sentinel. In this (mainly) visual article we'll take you through a broad selection of the features and capabilities. Use the companion notebook to follow along at home!

msticpy - Python Defender Tools
msticpy is a package of Python tools intended to be used for security investigations and hunting (primarily in Jupyter notebooks). The article gives an overview of many of the modules and classes in msticpy with illustrations of how they are used. [Note - superseded by a newer version - please see "MSTICPy and Jupyter Notebooks in Azure Sentinel"]

MSTIC Notebooklets - Fast Tracking CyberSec Jupyter Notebooks
MSTICnb is a companion package to MSTICpy. It is designed to be used in Jupyter notebooks by security operations engineers and analysts, to allow them to quickly and easily run common notebook patterns such as retrieving summary information about a host, an account or an IP address.

Using the VirusTotal V3 API with MSTICPy and Azure Sentinel
MSTICPy has, from its first release, supported lookups of VirusTotal (VT) data. The release of version 3 of the VT API brings a simpler way to discover relationships between indicators of compromise and to explore and manipulate these relationships in an interactive, graphical format. VT have brought some of these capabilities to MSTICPy to let you use these in Jupyter notebooks with Azure Sentinel or other data.

Jupyter Notebook Pivot Functions
Pivot functions in MSTICPy and Azure Sentinel Notebooks

Pivot functions attached to entities allow you to quickly find the query, threat intel or enrichment function you need. They support multiple input types and can be chained together to produce powerful pipelines.

Explorer Notebook Series: The Linux Host Explorer
Azure Sentinel has integrated Azure Notebooks to allow security analysts to use Jupyter Notebooks to hunt and investigate threats. To support usage of Jupyter Notebooks, Microsoft has produced a range of explorer notebooks that allow analysts to leverage the capabilities and power of Notebooks to investigate common entities, including: Linux Host, Windows Host, Domains & URL, IP Address, Process, and Office 365 activity. This blog will look in detail at the Linux Host Explorer Notebook, explain what each section of the Notebook is intended to do and how it should be used. Further blogs covering the other explorer Notebooks will be released over time.

What am I looking at? - Using Notebooks to gain situational awareness.
Contextual knowledge can have a big impact on a security analyst's decisions when triaging alerts and investigating threats. It can turn a seemingly innocuous logon event into a major incident. With Azure Sentinel's integration with Azure Notebooks we have an ideal platform to collect and analyze contextual data to give analysts better situational awareness on the threats they are seeing.