{"id":18364,"date":"2022-02-25T10:00:36","date_gmt":"2022-02-25T18:00:36","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2022\/02\/25\/news-12097\/"},"modified":"2022-02-25T10:00:36","modified_gmt":"2022-02-25T18:00:36","slug":"news-12097","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/02\/25\/news-12097\/","title":{"rendered":"MSTICPy January 2022 hackathon highlights"},"content":{"rendered":"

Credit to Author: Microsoft 365 Defender Threat Intelligence Team| Date: Fri, 25 Feb 2022 17:00:00 +0000<\/strong><\/p>\n

During the month of January 2022, the Microsoft Threat Intelligence Center (MSTIC) ran its inaugural hackathon for the open-source Jupyter and Python Security Tools library, MSTICPy<\/a>. We asked the security community for their contributions to expand and improve MSTICPy\u2019s features and capabilities, and we helped contributors shape and deliver their contributions. As MSTICPy is an open-source project, contributions from the community are highly valued and help to make the tools useful and effective. <\/p>\n

The response from the community was fantastic, with engagement and discussions on the future design and direction of MSTICPy, and many awesome contributions that ranged from updated documentation to completely new features. We are incredibly grateful for everyone\u2019s engagement and wanted to take a moment to highlight some of the contributions and extend our sincere thanks to the authors. <\/p>\n

Some of these contributions are already released in MSTICPy 1.6.1<\/a>, while most of the remaining items will make it into version 1.7.0, to be released in late February 2022. <\/p>\n

Contribution highlights<\/h2>\n

Data connector for Cybereason (Contributor: Florian Bracq, AXA)<\/h3>\n

This contribution added a new MSTICPy data provider for the Cybereason<\/em> endpoint detection and response (EDR) product. This enables Cybereason<\/em> users to query from a Jupyter Notebook and bring the data back for further analysis. The contribution also includes several pre-defined queries that users can select from.<\/p>\n

As part of this work, Florian also added several fixes and improvements to MSTICPy\u2019s core data provider features.<\/p>\n

Splunk queries and async support (Contributor: Joey Dreijer (d3vzer0<\/a>))<\/h3>\n

MSTICPy\u2019s existing Splunk<\/em> data provider was expanded with the addition of pre-defined Splunk queries for authentication and alert events, providing users with a much wider set of queries to select from. In addition, query performance was improved with the addition of support for Splunk\u2019s asynchronous query execution.<\/p>\n

Replaced Requests with HTTPX (Contributor: Grant Versfeld (@grantversfeld<\/a>))<\/h3>\n

MSTICPy has traditionally used the Python Requests package to handle HTTP based connections. However, active development on Requests ended some time ago, and it does not support Python\u2019s asynchronous architecture, so we needed to migrate to another package. Grant\u2019s contribution replaced Requests with HTTPX ensuring that MSTICPy can use the improved performance that async support brings.<\/p>\n

IntSights TI provider (Contributor: Florian Bracq, AXA)<\/h3>\n

Another contribution from Florian saw support for the IntSights Threat Intelligence (TI) platform added to MSTICPy. This feature allows users to see if indicators under investigation appear in the IntSights platform and obtain details about the indicators.<\/p>\n

Updated QueryTime widget (Contributor: Jakub Jirasek, Chr. Hansen)<\/h3>\n

This contribution updated MSTICPy\u2019s existing QueryTime widget to correctly accept time unit changes provided by the user.<\/p>\n

Updated Readme (Contributor: danielc-evans<\/a>)<\/h3>\n

The Readme file is often the first thing that new users to MSTICPy see, so ensuring it contains all the information they need is key. This update does just that, adding key additional information to the Readme.<\/p>\n

Support for Sysmon data in MSTICPy\u2019s process tree (Contributor: Nicolas Bareil (@nbareil<\/a>))<\/h3>\n

This update adds schema support that allows users to generate process trees from Sysmon ProcessCreate events. This allows Sysmon users to take advantage of one of MSTICPy\u2019s most powerful visualizations.<\/p>\n

Blob storage connection string support (Contributor: Luis Francisco Monge (@Lukky86<\/a>))<\/h3>\n

This contribution adds the ability for users to provide a connection string when using MSTICPy\u2019s AzureBlobStorage feature. This provides additional flexibility to users when connecting to the Azure Blog Storage containers.<\/p>\n

Our thanks<\/h2>\n

We would like to thank all the contributors for their efforts during the hackathon. These contributions are great additions to MSTICPy and will make the library more useful and usable.<\/p>\n

Wider impact <\/h2>\n

In addition, thanks to feedback received from these and others, we (the MSTICPy team) added several new features. These include: <\/p>\n

Pyproject.toml and Setup.cfg <\/h3>\n

Thanks to suggestions from Joey Dreijer (d3vzer0<\/a>), we moved MSTICPy into the modern era by implementing much of the project configuration into setup.cfg and pyproject.toml. This has the side benefit of making some of our tests that check for valid package configuration easier. <\/p>\n

As well as these external contributions, we also worked on a number of new features during the hackathon. Full details of these can be found in the MSTICPy release notes, but below is the summary of these additions: <\/p>\n