{"id":107646,"date":"2022-02-25T09:00:00","date_gmt":"2022-02-25T17:00:00","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=107646"},"modified":"2023-05-26T13:55:03","modified_gmt":"2023-05-26T20:55:03","slug":"msticpy-january-2022-hackathon-highlights","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/02\/25\/msticpy-january-2022-hackathon-highlights\/","title":{"rendered":"MSTICPy January 2022 hackathon highlights"},"content":{"rendered":"\n
During the month of January 2022, the Microsoft Threat Intelligence Center (MSTIC) ran its inaugural hackathon for the open-source Jupyter and Python Security Tools library, MSTICPy<\/a>. We asked the security community for contributions to expand and improve MSTICPy\u2019s features and capabilities, and we helped contributors shape and deliver their contributions. As MSTICPy is an open-source project, contributions from the community are highly valued and help to make the tools useful and effective. <\/p>\n\n\n\n
The response from the community was fantastic, with engagement and discussion on the future design and direction of MSTICPy, and many contributions that ranged from updated documentation to completely new features. We are incredibly grateful for everyone\u2019s engagement and want to take a moment to highlight some of the contributions and extend our sincere thanks to the authors. <\/p>\n\n\n\n
Some of these contributions are already released in MSTICPy 1.6.1<\/a>, while most of the remaining items will make it into version 1.7.0, to be released in late February 2022. <\/p>\n\n\n\n
Contribution highlights<\/h2>\n\n\n\n
Data connector for Cybereason (Contributor: Florian Bracq, AXA)<\/h3>\n\n\n\n
This contribution added a new MSTICPy data provider for the Cybereason<\/em> endpoint detection and response (EDR) product. It enables Cybereason<\/em> users to query their EDR data from a Jupyter notebook and bring the results back for further analysis, and it includes several pre-defined queries that users can select from.<\/p>\n\n\n\n
As part of this work, Florian also added several fixes and improvements to MSTICPy\u2019s core data provider features.<\/p>\n\n\n\n
Splunk queries and async support (Contributor: Joey Dreijer (d3vzer0<\/a>))<\/h3>\n\n\n\n
MSTICPy\u2019s existing Splunk<\/em> data provider was expanded with pre-defined Splunk queries for authentication and alert events, giving users a much wider set of queries to select from. In addition, query performance was improved with the addition of support for Splunk\u2019s asynchronous query execution.<\/p>\n\n\n\n
Replaced Requests with HTTPX (Contributor: Grant Versfeld (@grantversfeld<\/a>))<\/h3>\n\n\n\n
MSTICPy has traditionally used the Python Requests package to handle HTTP-based connections. However, Requests is no longer under active feature development and does not support Python\u2019s asynchronous (asyncio) model, so we needed to migrate to another package. Grant\u2019s contribution replaced Requests with HTTPX, ensuring that MSTICPy can take advantage of the improved performance that async support brings.<\/p>\n\n\n\n
IntSights TI provider (Contributor: Florian Bracq, AXA)<\/h3>\n\n\n\n
Another contribution from Florian added support for the IntSights Threat Intelligence (TI) platform to MSTICPy. This feature lets users check whether indicators under investigation appear in the IntSights platform and obtain details about those indicators.<\/p>\n\n\n\n
Updated QueryTime widget (Contributor: Jakub Jirasek, Chr. Hansen)<\/h3>\n\n\n\n
This contribution updated MSTICPy\u2019s existing QueryTime widget so that it correctly accepts time unit changes made by the user.<\/p>\n\n\n\n
Updated Readme (Contributor: danielc-evans<\/a>)<\/h3>\n\n\n\n
The Readme file is often the first thing that new MSTICPy users see, so it needs to contain all the information they need to get started. This update adds that missing information to the Readme.<\/p>\n\n\n\n
Support for Sysmon data in MSTICPy\u2019s process tree (Contributor: Nicolas Bareil (@nbareil<\/a>))<\/h3>\n\n\n\n
This update adds schema support that allows users to generate process trees from Sysmon ProcessCreate events (Sysmon Event ID 1, which records each new process together with its parent, command line and user). This allows Sysmon users to take advantage of one of MSTICPy\u2019s most powerful visualizations.<\/p>\n\n\n\n
Blob storage connection string support (Contributor: Luis Francisco Monge (@Lukky86<\/a>))<\/h3>\n\n\n\n
This contribution adds the ability for users to provide a connection string when using MSTICPy\u2019s AzureBlobStorage feature, giving users additional flexibility when connecting to Azure Blob Storage containers. Because a storage connection string normally embeds the account key or a SAS token, it should be loaded from a secret store or environment variable rather than written into a notebook.<\/p>\n\n\n\n
Our thanks<\/h2>\n\n\n\n
We would like to thank all the contributors for their efforts during the hackathon. These contributions are great additions to MSTICPy and will make the library more useful.<\/p>\n\n\n\n
Wider impact <\/h2>\n\n\n\n
In addition, thanks to feedback received from these and other contributors, we (the MSTICPy team) added several new features. These include: <\/p>\n\n\n\n
Pyproject.toml and Setup.cfg <\/h3>\n\n\n\n
Thanks to suggestions from Joey Dreijer (d3vzer0<\/a>), we moved MSTICPy into the modern era by moving much of the project configuration into setup.cfg and pyproject.toml. This has the side benefit of making some of our tests that check for valid package configuration easier to write. <\/p>\n\n\n\n
As well as these external contributions, we also worked on a number of new features during the hackathon. Full details can be found in the MSTICPy release notes, but below is a summary of these additions: <\/p>\n\n\n\n
MSTICPy restructure <\/h3>\n\n\n\n
The MSTICPy package has evolved organically, and we have been considering a restructure of the package for some time. Thanks to inspiration from Florian Bracq, we set about reorganizing the modules into a more logical structure. These changes will make the structure of MSTICPy more intuitive to users and ensure the package is more easily extensible and maintainable in the future. This restructure will be included in the v2.0.0 release of MSTICPy.<\/p>\n\n\n\n
Conclusion <\/h2>\n\n\n\n
There are several other contributions still being worked on that we will incorporate as soon as they are ready and include in a future release of MSTICPy. You can keep up to date with MSTICPy on GitHub<\/a> and by following @msticpy<\/a> on Twitter. <\/p>\n\n\n\n
We plan to run more hackathons later in the year, but contributions, ideas, and feedback are welcome at any time. <\/p>\n\n\n\n
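The following is an added example for the \u201cReplaced Requests with HTTPX\u201d contribution above; it is not MSTICPy\u2019s code nor Grant\u2019s contribution. It shows what the async migration buys a notebook user: a batch of indicator lookups fanned out concurrently over one HTTPX AsyncClient, with a concurrency limit and a per-request timeout so one slow provider cannot stall the batch. The lookup URL, the ioc query parameter, the JSON response shape and the canned verdicts are assumptions constructed for the example (served by an httpx.MockTransport so it runs offline); they do not represent IntSights or any real TI API. <\/p>\n\n\n\n

```python
import asyncio
from typing import Dict, List, Optional, Tuple

import httpx

# Constructed stand-in for a TI provider's lookup endpoint and its verdicts.
# The URL, parameter name and response shape are assumptions for this
# example, not the API of IntSights or of any msticpy provider.
TI_LOOKUP_URL = "https://ti.example.invalid/v1/lookup"
KNOWN_VERDICTS = {
    "198.51.100.7": "malicious",
    "evil.example.invalid": "suspicious",
}


def mock_ti_handler(request: httpx.Request) -> httpx.Response:
    """Serve canned responses so the example runs offline.

    One indicator simulates a provider that never answers, so the
    timeout/error path of the client code is exercised as well.
    """
    ioc = request.url.params.get("ioc", "")
    if ioc == "slow.example.invalid":
        raise httpx.ReadTimeout("simulated slow provider", request=request)
    return httpx.Response(
        200, json={"ioc": ioc, "verdict": KNOWN_VERDICTS.get(ioc, "unknown")}
    )


async def lookup_ioc(
    client: httpx.AsyncClient, ioc: str, limiter: asyncio.Semaphore
) -> Tuple[str, str]:
    """Look up one indicator; bound concurrency and never raise to the caller."""
    async with limiter:
        try:
            resp = await client.get(TI_LOOKUP_URL, params={"ioc": ioc}, timeout=5.0)
            resp.raise_for_status()
            return ioc, resp.json()["verdict"]
        except httpx.HTTPError as exc:
            # Timeouts, connection failures and HTTP 4xx/5xx all derive from HTTPError,
            # so a single failing provider call degrades to a per-IoC error marker.
            return ioc, f"error:{type(exc).__name__}"


async def lookup_all(
    iocs: List[str],
    transport: Optional[httpx.AsyncBaseTransport] = None,
    max_concurrency: int = 4,
) -> Dict[str, str]:
    """Fan out lookups concurrently on one AsyncClient (one shared connection pool)."""
    limiter = asyncio.Semaphore(max_concurrency)
    async with httpx.AsyncClient(transport=transport) as client:
        results = await asyncio.gather(*(lookup_ioc(client, ioc, limiter) for ioc in iocs))
    return dict(results)


def run_offline_lookups(iocs: List[str]) -> Dict[str, str]:
    """Run the batch against the mock transport; pass transport=None for a real endpoint."""
    return asyncio.run(lookup_all(iocs, transport=httpx.MockTransport(mock_ti_handler)))


if __name__ == "__main__":
    verdicts = run_offline_lookups(
        ["198.51.100.7", "8.8.8.8", "evil.example.invalid", "slow.example.invalid"]
    )
    for ioc, verdict in verdicts.items():
        print(f"{ioc:28} {verdict}")
```

With Requests the same batch would have to be issued one call at a time (or wrapped in threads); with HTTPX the requests share one event loop and one connection pool, and the semaphore keeps a large indicator list from opening more simultaneous connections than the provider tolerates. <\/p>\n\n\n\n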
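The following is an added example for the \u201cSupport for Sysmon data in MSTICPy\u2019s process tree\u201d contribution above; it is not MSTICPy\u2019s process tree code nor Nicolas\u2019s schema. It illustrates the idea behind a Sysmon schema mapping (which Event ID 1 field plays which role) with a stdlib-only tree builder, and then runs a simple detection over the tree: shells whose ancestry passes through an Office application. The field names (ProcessGuid, ParentProcessGuid, Image, ParentImage, CommandLine, User, UtcTime) are real Sysmon ProcessCreate fields; the schema key names, the GUID values, paths and command lines are constructed for the example. <\/p>\n\n\n\n

```python
from typing import Dict, List, Tuple

# Column mapping for Sysmon ProcessCreate (Event ID 1) records. The keys are the
# generic roles a tree builder needs; the values are the Sysmon field names.
# Sysmon's ProcessGuid stays unique across PID reuse and reboots, so the parent
# link is ParentProcessGuid -> ProcessGuid rather than PID based. (Key names
# are this example's own, not msticpy's schema.)
SYSMON_PROCESS_SCHEMA = {
    "process_id": "ProcessGuid",
    "parent_id": "ParentProcessGuid",
    "process_name": "Image",
    "parent_name": "ParentImage",
    "cmd_line": "CommandLine",
    "user_name": "User",
    "time_stamp": "UtcTime",
}

# Constructed sample events (GUIDs, paths and command lines made up for this example).
# The explorer.exe parent (guid-0000) is deliberately absent: it started before logging began.
SAMPLE_EVENTS = [
    {"UtcTime": "2022-01-14 10:02:11.120", "ProcessGuid": "{guid-0001}", "ParentProcessGuid": "{guid-0000}",
     "Image": r"C:\Windows\explorer.exe", "ParentImage": r"C:\Windows\System32\userinit.exe",
     "CommandLine": r"C:\Windows\Explorer.EXE", "User": r"CORP\alice"},
    {"UtcTime": "2022-01-14 10:05:02.004", "ProcessGuid": "{guid-0002}", "ParentProcessGuid": "{guid-0001}",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "C:\Users\alice\Downloads\invoice.docm"',
     "User": r"CORP\alice"},
    {"UtcTime": "2022-01-14 10:05:30.551", "ProcessGuid": "{guid-0003}", "ParentProcessGuid": "{guid-0002}",
     "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r"cmd.exe /c powershell -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA", "User": r"CORP\alice"},
    {"UtcTime": "2022-01-14 10:05:31.010", "ProcessGuid": "{guid-0004}", "ParentProcessGuid": "{guid-0003}",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA", "User": r"CORP\alice"},
    {"UtcTime": "2022-01-14 10:02:20.300", "ProcessGuid": "{guid-0005}", "ParentProcessGuid": "{guid-0001}",
     "Image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background', "User": r"CORP\alice"},
]


def _basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1]


def build_process_tree(events: List[dict], schema: Dict[str, str] = SYSMON_PROCESS_SCHEMA) -> Tuple[dict, List[str]]:
    """Link events into a tree keyed by process id. Returns (nodes, roots).

    A process whose parent was never logged (it started before Sysmon did, or the
    event was dropped) becomes a root instead of being discarded.
    """
    pid_col, ppid_col = schema["process_id"], schema["parent_id"]
    ordered = sorted(events, key=lambda ev: ev[schema["time_stamp"]])
    nodes = {ev[pid_col]: {"event": ev, "children": []} for ev in ordered}
    roots: List[str] = []
    for pid, node in nodes.items():
        parent = node["event"][ppid_col]
        if parent in nodes:
            nodes[parent]["children"].append(pid)
        else:
            roots.append(pid)
    return nodes, roots


def render_tree(nodes: dict, roots: List[str], schema: Dict[str, str] = SYSMON_PROCESS_SCHEMA) -> List[str]:
    """Indented text rendering, one line per process, children in start-time order."""
    lines: List[str] = []

    def walk(pid: str, depth: int) -> None:
        ev = nodes[pid]["event"]
        lines.append(f"{'  ' * depth}{_basename(ev[schema['process_name']])} "
                     f"[{ev[schema['user_name']]}] {ev[schema['cmd_line']]}")
        for child in nodes[pid]["children"]:
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


def ancestry(nodes: dict, pid: str, schema: Dict[str, str] = SYSMON_PROCESS_SCHEMA) -> List[str]:
    """Lower-cased image basenames from the outermost known ancestor down to pid."""
    chain, seen = [], set()
    while pid in nodes and pid not in seen:  # `seen` guards against malformed cyclic data
        seen.add(pid)
        ev = nodes[pid]["event"]
        chain.append(_basename(ev[schema["process_name"]]).lower())
        pid = ev[schema["parent_id"]]
    return chain[::-1]


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def find_office_spawned_shells(nodes: dict, schema: Dict[str, str] = SYSMON_PROCESS_SCHEMA) -> List[str]:
    """Flag shells with an Office application anywhere in their ancestry.

    Walking the tree rather than checking only ParentImage catches the common
    WINWORD -> cmd -> powershell indirection that a direct-parent rule misses.
    """
    hits = []
    for pid in nodes:
        chain = ancestry(nodes, pid, schema)
        if chain[-1] in SHELLS and OFFICE_APPS.intersection(chain[:-1]):
            hits.append(" > ".join(chain))
    return hits


if __name__ == "__main__":
    tree, roots = build_process_tree(SAMPLE_EVENTS)
    print("\n".join(render_tree(tree, roots)))
    print("\nOffice-spawned shells:", find_office_spawned_shells(tree))
```

The schema dictionary is the whole point of the contribution: once a data source\u2019s columns are mapped to the roles process_id, parent_id, process_name, cmd_line, user_name and time_stamp, the same tree builder and the same ancestry-based detections work unchanged, whether the events came from Sysmon, Windows Security 4688 or a Linux auditd feed. <\/p>\n\n\n\n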
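The following is an added example for the \u201cBlob storage connection string support\u201d contribution above; it is not MSTICPy\u2019s AzureBlobStorage code nor Luis\u2019s contribution, and it does not model how msticpyconfig.yaml stores settings. It shows how a notebook can take a connection string from the environment, check it before handing it to a storage client, derive the blob endpoint it will talk to, and produce a redacted form that is safe to print. The key=value;key=value layout, the AccountName, AccountKey, SharedAccessSignature, BlobEndpoint, EndpointSuffix, DefaultEndpointsProtocol and UseDevelopmentStorage segment names are the documented Azure Storage connection string format; the environment variable name and the sample values (including the dummy AccountKey) are assumptions constructed for the example. <\/p>\n\n\n\n

```python
import os
from typing import Dict

# Assumed environment variable name for this example; msticpy's own settings
# mechanism (msticpyconfig.yaml) is not modelled here.
CONN_STR_ENV_VAR = "AZURE_STORAGE_CONNECTION_STRING"
# Segments of an Azure Storage connection string that carry a credential.
SECRET_KEYS = frozenset({"AccountKey", "SharedAccessSignature"})


def parse_connection_string(conn_str: str) -> Dict[str, str]:
    """Split 'Key=Value;Key=Value' into a dict, keeping '=' inside values intact."""
    parts: Dict[str, str] = {}
    for segment in conn_str.strip().split(";"):
        if not segment.strip():
            continue  # tolerate a trailing ';'
        if "=" not in segment:
            raise ValueError(f"malformed connection string segment: {segment!r}")
        key, value = segment.split("=", 1)  # base64 keys and SAS tokens contain '='
        parts[key.strip()] = value.strip()
    return parts


def validate_connection_string(parts: Dict[str, str]) -> None:
    """Reject strings that cannot work or that weaken transport security."""
    if parts.get("UseDevelopmentStorage", "").lower() == "true":
        return  # local emulator shortcut; nothing else is required
    if "AccountName" not in parts and "BlobEndpoint" not in parts:
        raise ValueError("connection string names no storage account or blob endpoint")
    if not SECRET_KEYS.intersection(parts):
        raise ValueError("connection string carries no AccountKey or SharedAccessSignature")
    if parts.get("DefaultEndpointsProtocol", "https").lower() != "https":
        raise ValueError("refusing a connection string that downgrades to plain HTTP")


def blob_endpoint(parts: Dict[str, str]) -> str:
    """Derive the blob service URL the client will talk to."""
    if "BlobEndpoint" in parts:
        return parts["BlobEndpoint"]
    suffix = parts.get("EndpointSuffix", "core.windows.net")
    return f"https://{parts['AccountName']}.blob.{suffix}"


def redact_connection_string(conn_str: str) -> str:
    """Form that is safe to log or print in a notebook: credential segments masked."""
    parts = parse_connection_string(conn_str)
    return ";".join(
        f"{key}=<redacted>" if key in SECRET_KEYS else f"{key}={value}"
        for key, value in parts.items()
    )


def load_connection_string(env_var: str = CONN_STR_ENV_VAR) -> Dict[str, str]:
    """Read the string from the environment rather than from notebook source."""
    conn_str = os.environ.get(env_var)
    if not conn_str:
        raise RuntimeError(f"set {env_var} before connecting to blob storage")
    parts = parse_connection_string(conn_str)
    validate_connection_string(parts)
    return parts


if __name__ == "__main__":
    # Constructed example value; the AccountKey is a dummy, not a real key.
    demo = ("DefaultEndpointsProtocol=https;AccountName=msticpydemo;"
            "AccountKey=ZHVtbXkta2V5LW5vdC1yZWFs;EndpointSuffix=core.windows.net")
    parsed = parse_connection_string(demo)
    validate_connection_string(parsed)
    print(blob_endpoint(parsed))
    print(redact_connection_string(demo))
```

An account key in a connection string grants full control of every container in the account, which is why the redacted form, not the raw string, is what should ever appear in notebook output, logs or a shared .ipynb file; a SAS-based string scoped to one container is the better choice where the notebook only needs to read investigation data. <\/p>\n\n\n\n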