MSTICPy has several extensibility points, where you can create your own modules to support data and enrichment sources.
These currently include:
- Data Providers
- Threat Intelligence Providers
- Context Providers
If you create one of these and think that it would be useful to other users, please consider contributing it to MSTICPy.
You can also create and keep local provider modules and have them loaded into MSTICPy to work alongside the built-in providers. This might be useful if you are creating something that is very specific to your organization, for example.
For either of these cases, your classes must be derived from the corresponding MSTICPy base classes. To read more about building data, TI and context providers see the following pages:
Create a class attribute PROVIDER_NAME
and assign
a friendly name to your provider. This is not mandatory -
if the class has no PROVIDER_NAME
attribute, the
friendly name will default to the name of the class.
class TIProviderTest(HttpTIProvider):
"""Custom IT provider TI Base."""
PROVIDER_NAME = "MyProvider"
When you load a Data provider in MSTICPy you need to
pass the name of the DataEnvironment
to the
:py:class:`QueryProvider <msticpy.data.core.data_providers.QueryProvider>`
class. E.g.
qry_prov = mp.QueryProvider("MyDataSource")
By default, the name used to load your provider will be
name of your provider class. You can customize this by adding
a DATA_ENVIRONMENTS
(list or tuple) attribute to your class. This should
be a list of strings. You can load your driver in the QueryProvider
by supplying any of the names in this list or tuple.
If you also want to use the name of the class, add it to the list.
class CustomDataProvB(CustomDataProvA):
"""Custom provider."""
DATA_ENVIRONMENTS = ["SQLTestProvider", "SQLProdProvider"]
The provider will be registered to load when any of the strings assigned here is passed as the QueryProvider identifier.
Using multiple identifiers allows you to use aliases for the provider.
Additionally, because the Data Environment identifier is
passed to your provider class (as the parameter data_environment
)
when it is loaded, you can also
have alternative behavior coded into the __init__
and other
methods of your class. For example, you might have a single provider class
that can work with two different versions of an API.
Assuming that you have created one or more DataProvider or Context/TI Provider classes, you should put these modules in one or more folders accessible to your notebook or python environment.
You can load modules interactively or add these paths
to your msticpyconfig.yaml
to have them loaded automatically
each time you import MSTICPy.
To load modules from a folder run the :py:func:`load_plugins <msticpy.load_plugins>` function.
import msticpy as mp
mp.load_plugins(plugin_paths="/my_modules")
# or multiple paths
mp.load_plugins(
plugin_paths=["./my_modules", "./my_other_modules"]
)
Add plugin module paths to msticpyconfig.yaml
you can
tell MSTICPy to always try to load plugins from these paths.
Add the following entry to msticpyconfig.yaml
:
...
Custom:
- "testdata"
PluginFolders:
- tests/testdata/plugins
Azure:
cloud: "global"
auth_methods: ["cli", "msi", "interactive"]
You can include multiple paths under the PluginFolders
key.