## MSTICPy and Notebooks in InfoSec

---

# Session 3 - MSTICPy Configuration

---

## What this session covers:


## Prerequisites
- Python >= 3.8 Environment
- Jupyter installed
- MSTICPy installed
- Azure CLI installed
- Run `az login`


In [1]:
%env MSTICPYCONFIG=./msticpyconfig.yaml

import msticpy as mp
mp.init_notebook()

env: MSTICPYCONFIG=./msticpyconfig.yaml


## 1. msticpyconfig.yaml structure

```yaml
Azure:
  auth_methods: [cli, msi, devicecode]
  cloud: global
AzureSentinel:
  # Sentinel workspace configuration
  Workspaces:
    Workspace_Tag:
      # workspace ID, tenant, ext
    Workspace2_Tag:
      # ...
DataProviders:
  # Miscellaneous Data providers
  Browshot:
    Args:
      # AuthKey: [PLACEHOLDER]
  Kusto-MDE:
    Args:
      # Cluster: https://wcdscrubbedservice.kusto.windows.net
      # IntegratedAuth: true
TIProviders:
  RiskIQ:
    Args:
      ApiID: ianhelle@microsoft.com
      AuthKey:
        KeyVault: null
    Primary: true
    Provider: RiskIQ
  TorExitNodes:
    Primary: true
    Provider: Tor
  VirusTotal:
    Args:
      AuthKey:
        KeyVault: null
    Primary: true
    Provider: VirusTotal
OtherProviders:
  # GeoIP providers - should be in DataProviders!
  GeoIPLite:
    Args:
      AuthKey:
        KeyVault: null
      DBFolder: ~/.msticpy
    Provider: GeoLiteLookup

KeyVault:
  # Optional - KV tenant, sub, vault name

```

In [2]:
mp.settings.settings

{'msticpy': {'FriendlyExceptions': True},
 'QueryDefinitions': {'Default': ['queries'], 'Custom': ['./data']},
 'Azure': {'auth_methods': ['cli', 'msi', 'devicecode'], 'cloud': 'global'},
 'AzureSentinel': {'Workspaces': None},
 'TIProviders': {'TorExitNodes': {'Primary': True, 'Provider': 'Tor'}},
 'DataProviders': {}}
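The structure above is also where credential hygiene is decided: a bare string under `AuthKey` or `ClientSecret` is a plaintext API key sitting in a YAML file that gets copied between machines and committed to repos, while a `KeyVault:` reference only works if the top-level `KeyVault` section says which vault to read. The following added example (not part of msticpy) audits the plain dict that `mp.settings.settings` returns for those problems and for the empty `Workspaces: None` state shown in the output above. `SAMPLE_SETTINGS`, including the fake OTX key, is constructed for the example.

```python
"""Audit a parsed msticpyconfig.yaml for secret-handling and workspace problems.

Added example for this session, not msticpy code. It takes the dict that
``mp.settings.settings`` returns (or ``yaml.safe_load`` of the file), so it
runs offline.
"""
import uuid
from typing import List

# Values that must be references (KeyVault / EnvironmentVar), never literals.
SECRET_KEYS = ("AuthKey", "ClientSecret")
PROVIDER_SECTIONS = ("TIProviders", "DataProviders", "OtherProviders")


def _is_guid(value) -> bool:
    """True if value parses as a GUID (WorkspaceId and TenantId must)."""
    try:
        uuid.UUID(str(value))
        return True
    except ValueError:
        return False


def audit_settings(settings: dict) -> List[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []

    # 1. Sentinel workspaces: must exist, carry GUIDs and define a Default.
    workspaces = (settings.get("AzureSentinel") or {}).get("Workspaces") or {}
    if not workspaces:
        findings.append("AzureSentinel.Workspaces is empty - no workspace to query")
    for tag, ws in workspaces.items():
        for key in ("WorkspaceId", "TenantId"):
            if not _is_guid((ws or {}).get(key)):
                findings.append(f"Workspace {tag}: {key} missing or not a GUID")
    if workspaces and "Default" not in workspaces:
        findings.append("No Default workspace entry")

    # 2. Provider secrets: a literal string is a plaintext credential; a
    #    KeyVault reference needs the KeyVault section to be resolvable.
    has_keyvault = bool(settings.get("KeyVault"))
    for section in PROVIDER_SECTIONS:
        for name, prov in (settings.get(section) or {}).items():
            args = (prov or {}).get("Args") or {}
            for key in SECRET_KEYS:
                if key not in args:
                    continue
                value = args[key]
                if isinstance(value, str) and value:
                    findings.append(
                        f"{section}.{name}.Args.{key}: plaintext secret in config file")
                elif isinstance(value, dict) and "KeyVault" in value and not has_keyvault:
                    findings.append(
                        f"{section}.{name}.Args.{key}: KeyVault reference but no KeyVault section")
    return findings


# Constructed sample mirroring the section 1 layout; the OTX key is fake.
SAMPLE_SETTINGS = {
    "Azure": {"auth_methods": ["cli", "msi", "devicecode"], "cloud": "global"},
    "AzureSentinel": {
        "Workspaces": {
            "Default": {
                "WorkspaceId": "8ecf8077-cf51-4820-aadd-14040956f35d",
                "TenantId": "72f988bf-86f1-41af-91ab-2d7cd011db47",
            },
            "Broken": {"WorkspaceId": "not-a-guid", "TenantId": None},
        }
    },
    "TIProviders": {
        "VirusTotal": {"Args": {"AuthKey": {"KeyVault": None}},
                       "Primary": True, "Provider": "VirusTotal"},
        "OTX": {"Args": {"AuthKey": "0123456789abcdef"},
                "Primary": True, "Provider": "OTX"},
        "GreyNoise": {"Args": {"AuthKey": {"EnvironmentVar": "GREYNOISE_KEY"}},
                      "Primary": True, "Provider": "GreyNoise"},
        "TorExitNodes": {"Primary": True, "Provider": "Tor"},
    },
    "DataProviders": {},
    # No KeyVault section, so the VirusTotal reference cannot be resolved.
}

if __name__ == "__main__":
    for finding in audit_settings(SAMPLE_SETTINGS):
        print(finding)
```

Run it against `mp.settings.settings` after `mp.init_notebook()`; the `EnvironmentVar` form is left alone because the secret then lives in the process environment rather than in the file.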

## 2. Settings Tools - MpConfigFile and MpConfigEdit

### MpConfigFile - settings utilities (interactive and command line)

In [3]:
mp.MpConfigFile()

VBox(children=(HTML(value='<h3>MSTICPy settings</h3>'), VBox(children=(VBox(children=(Label(value='Operations'…

In [10]:
mp.MpConfigFile().view_settings()

VBox(children=(Textarea(value="{'Azure': {'auth_methods': ['cli', 'msi', 'devicecode'], 'cloud': 'global'},\n …

### MpConfigEdit - interactive settings editor

In [4]:
mp.az_connect()

AzCredentials(legacy=<msticpy.auth.cred_wrapper.CredentialWrapper object at 0x000002967FFC03A0>, modern=<azure.identity._credentials.chained.ChainedTokenCredential object at 0x000002967FFB1D60>)

In [5]:
mp.MpConfigEdit()

Label(value='Loading. Please wait.')

VBox(children=(Tab(children=(VBox(children=(Label(value='Microsoft Sentinel workspace settings'), HBox(childre…

Connected


StopIteration: 

## Task 1 - Add a Microsoft Sentinel Workspace

1. Add a new workspace with the following values
    - WorkspaceID: 8ecf8077-cf51-4820-aadd-14040956f35d
    - TenantId: 72f988bf-86f1-41af-91ab-2d7cd011db47

2. Resolve all settings for the workspace
3. Set it as the Default Workspace
4. Update and Save Settings
5. Verify Settings have been re-read
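The same task done on the settings dict rather than in the MpConfigEdit form, as an added example that is not msticpy code: steps 1, 3 and 5 with the Task 1 values. Step 2 (resolving SubscriptionId, ResourceGroup and the workspace name from Azure) needs a live `az login` and is left to MpConfigEdit; its result can be passed in as `extra`. Step 4 uses msticpy's own save (MpConfigFile) followed by `mp.settings.refresh_config()`, after which `verify_workspace` is run against the re-read `mp.settings.settings`. The starting dict in the usage block is constructed to match the empty `Workspaces: None` state shown earlier.

```python
"""Task 1 on the settings dict: add a Sentinel workspace and make it Default.

Added example, not msticpy code. Validates both IDs as GUIDs up front, since a
typo here otherwise surfaces later as an opaque authentication failure.
"""
import copy
import uuid
from typing import Dict, Optional

WORKSPACE_ID = "8ecf8077-cf51-4820-aadd-14040956f35d"  # from Task 1
TENANT_ID = "72f988bf-86f1-41af-91ab-2d7cd011db47"     # from Task 1


def add_workspace(settings: dict, tag: str, workspace_id: str, tenant_id: str,
                  make_default: bool = True,
                  extra: Optional[Dict[str, str]] = None) -> dict:
    """Return a copy of settings with a new workspace under `tag`.

    `extra` carries resolved fields (SubscriptionId, ResourceGroup, ...)
    from step 2. With make_default, Default becomes a full copy of the
    entry, the layout the sample config in the appendix uses.
    """
    for name, value in (("WorkspaceId", workspace_id), ("TenantId", tenant_id)):
        try:
            uuid.UUID(value)
        except (ValueError, TypeError, AttributeError):
            raise ValueError(f"{name} {value!r} is not a GUID") from None

    new = copy.deepcopy(settings)
    sentinel = new.get("AzureSentinel") or {}
    workspaces = sentinel.get("Workspaces") or {}   # handles Workspaces: None
    if tag in workspaces:
        raise KeyError(f"workspace tag {tag!r} already exists")

    entry = {"WorkspaceId": workspace_id, "TenantId": tenant_id}
    entry.update(extra or {})
    workspaces[tag] = entry
    if make_default:
        workspaces["Default"] = dict(entry)
    sentinel["Workspaces"] = workspaces
    new["AzureSentinel"] = sentinel
    return new


def verify_workspace(settings: dict, tag: str, workspace_id: str) -> bool:
    """Step 5: confirm re-read settings hold the workspace and it is Default."""
    workspaces = (settings.get("AzureSentinel") or {}).get("Workspaces") or {}
    ws = workspaces.get(tag) or {}
    default = workspaces.get("Default") or {}
    return (ws.get("WorkspaceId") == workspace_id
            and default.get("WorkspaceId") == workspace_id)


if __name__ == "__main__":
    # Constructed starting point: the empty state mp.settings.settings showed.
    before = {"Azure": {"auth_methods": ["cli", "msi", "devicecode"]},
              "AzureSentinel": {"Workspaces": None}}
    after = add_workspace(before, "CyberSecuritySoc", WORKSPACE_ID, TENANT_ID,
                          extra={"ResourceGroup": "soc"})
    print(after["AzureSentinel"]["Workspaces"])
    print(verify_workspace(after, "CyberSecuritySoc", WORKSPACE_ID))
```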

In [6]:
mp.MpConfigFile().view_settings()

VBox(children=(Textarea(value="{'Azure': {'auth_methods': ['cli', 'msi', 'devicecode'], 'cloud': 'global'},\n …

## Appendix - Sample msticpyconfig.yaml

```yaml
Azure:
  auth_methods:
  - cli
  - interactive
  cloud: global
AzureSentinel:
  Workspaces:
    ASIHuntOMSWorkspaceV4:
      ResourceGroup: asihuntomsworkspacerg
      SubscriptionId: 40dcc8bf-0478-4f3b-b275-ed0a94f2c013
      TenantId: 72f988bf-86f1-41af-91ab-2d7cd011db47
      Workspace Name: ASIHuntOMSWorkspaceV4
      WorkspaceId: 52b1ab41-869e-4138-9e40-2a4457f09bf0
    CCIS:
      TenantId: 72f988bf-86f1-41af-91ab-2d7cd011db47
      WorkspaceId: d2a20a39-c646-4783-a490-59899e3a6591
    Centrica:
      TenantId: 72f988bf-86f1-41af-91ab-2d7cd011db47
      WorkspaceId: 1ab17267-66c0-473e-8a80-da21cc7a0828
    CyberSecuritySoc:
      ResourceGroup: soc
      SubscriptionId: d1d8779d-38d7-4f06-91db-9cbc8de0176f
      TenantId: 72f988bf-86f1-41af-91ab-2d7cd011db47
      Workspace Name: CyberSecuritySOC
      WorkspaceId: 8ecf8077-cf51-4820-aadd-14040956f35d
    Default:
      ResourceGroup: soc
      SubscriptionId: d1d8779d-38d7-4f06-91db-9cbc8de0176f
      TenantId: 72f988bf-86f1-41af-91ab-2d7cd011db47
      WorkspaceId: 8ecf8077-cf51-4820-aadd-14040956f35d
    GovCyberSecuritySOC:
      ResourceGroup: USGov Arizona
      SubscriptionId: 04110ca7-4fe3-4c2d-9ff7-23aa92b86c79
      TenantId: 61611e58-abbd-4826-9d63-f23b5a919686
      WorkspaceId: b6834116-d716-4ac6-8c37-586faaf66d01
    NationalGrid:
      SubscriptionId: 74d15849-ba7b-4be6-8ba1-330a178ba88d
      TenantId: 72f988bf-86f1-41af-91ab-2d7cd011db47
      WorkspaceId: affed4b9-3762-4cba-8826-d1bf7e515771
      WorkspaceName: ng-pd-eus-claw-01
    RedmondSentinelDemoEnvironment:
      TenantId: 35a9e601-82db-42da-b521-efc4a2f6783c
      WorkspaceId: a927809c-8142-43e1-96b3-4ad87cfe95a3
DataProviders:
  Kusto-MDE:
    Args:
      Cluster: https://wcdscrubbedservice.kusto.windows.net
      IntegratedAuth: true
  Kusto-MSTICTI:
    Args:
      Cluster: https://msticti.kusto.windows.net
      IntegratedAuth: true
  MicrosoftDefender:
    Args:
      ClientId: 66b9818a-26cd-4584-8eb0-7f7a499242aa
      ClientSecret:
        KeyVault: null
      TenantId: 8360dd21-0294-4240-9128-89611f415c53
  MicrosoftGraph:
    Args:
      ClientId: 66b9818a-26cd-4584-8eb0-7f7a499242aa
      ClientSecret:
        KeyVault: null
      TenantId: 8360dd21-0294-4240-9128-89611f415c53
  Mordor:
    save_folder: ~/.msticpy/mordor
    use_cached: true
KeyVault:
  Authority: global
  AzureRegion: East US
  ResourceGroup: ASIHuntOMSWorkspaceRG
  SubscriptionId: 40dcc8bf-0478-4f3b-b275-ed0a94f2c013
  TenantId: 72f988bf-86f1-41af-91ab-2d7cd011db47
  UseKeyring: false
  VaultName: mstic-ianhelle
OtherProviders:
  GeoIPLite:
    Args:
      AuthKey:
        KeyVault: null
      DBFolder: ~/.msticpy
    Provider: GeoLiteLookup
  IPStack:
    Args:
      AuthKey:
        KeyVault: null
    Provider: IPStackLookup
TIProviders:
  GreyNoise:
    Args:
      AuthKey:
        KeyVault: null
    Primary: true
    Provider: GreyNoise
  OTX:
    Args:
      AuthKey:
        KeyVault: null
    Primary: true
    Provider: OTX
  OpenPageRank:
    Args:
      AuthKey:
        KeyVault: null
    Primary: true
    Provider: OPR
  RiskIQ:
    Args:
      ApiID: ianhelle@microsoft.com
      AuthKey:
        KeyVault: null
    Primary: true
    Provider: RiskIQ
  TorExitNodes:
    Primary: true
    Provider: Tor
  VirusTotal:
    Args:
      AuthKey:
        KeyVault: null
    Primary: true
    Provider: VirusTotal
  XForce:
    Args:
      ApiID:
        KeyVault: null
      AuthKey:
        KeyVault: null
    Primary: true
    Provider: XForce
```

# Bugs

## MpConfigEdit
```python
---------------------------------------------------------------------------
StopIteration                             Traceback (most recent call last)
e:\src\msticpy\msticpy\config\ce_azure_sentinel.py in _resolve_settings(***failed resolving arguments***)
    246             return
    247         if workspace_id:
--> 248             self._update_settings(
    249                 MicrosoftSentinel.get_workspace_settings(workspace_id=workspace_id)
    250             )

e:\src\msticpy\msticpy\config\ce_azure_sentinel.py in _update_settings(self, ws_settings)
    227         _get_named_control(self.edit_ctrls, "Name").value = ws_name
    228         for setting, value in ws_settings[ws_name].items():
--> 229             ctrl = _get_named_control(self.edit_ctrls, setting)
    230             if ctrl.value:
    231                 # don't overwrite existing settings

e:\src\msticpy\msticpy\config\ce_azure_sentinel.py in _get_named_control(edit_ctrls, name)
    288 def _get_named_control(edit_ctrls, name):
    289     """Get the control with matching name."""
--> 290     return next(ctrl for ctrl in edit_ctrls.children if ctrl.description == name)
    291 
    292 

StopIteration: 
```
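The traceback ends in `_get_named_control`, where `next()` over a generator that matches nothing raises `StopIteration`, so one setting name returned by `get_workspace_settings` with no control of that description aborts the whole resolve step. The added example below (not msticpy's code or its fix) reproduces the failing lookup beside a guarded version that reports unmatched names and keeps the "don't overwrite existing settings" rule from lines 230-231. `Control` is a constructed stand-in for the ipywidgets controls in `edit_ctrls`, and the `"Workspace Name"` key in the constructed `RESOLVED` dict is just one illustrative mismatch, not a claim about what triggered the bug here.

```python
"""Guarding a next()-based control lookup against unknown setting names.

Added example, not msticpy code. Control mimics the two widget attributes
the traceback's code uses: description (the label) and value.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Control:
    description: str
    value: str = ""


def get_named_control_strict(edit_ctrls: List[Control], name: str) -> Control:
    """Lookup as in the traceback: raises StopIteration if nothing matches."""
    return next(ctrl for ctrl in edit_ctrls if ctrl.description == name)


def get_named_control(edit_ctrls: List[Control], name: str) -> Optional[Control]:
    """Same lookup with a default, so an unknown name yields None instead."""
    return next((ctrl for ctrl in edit_ctrls if ctrl.description == name), None)


def update_settings(edit_ctrls: List[Control], ws_settings: Dict[str, str]) -> List[str]:
    """Copy resolved settings into the form controls.

    Never overwrites a value the user already typed, and returns the names
    that had no matching control so the caller can report them instead of
    losing the entire update.
    """
    unmatched = []
    for setting, value in ws_settings.items():
        ctrl = get_named_control(edit_ctrls, setting)
        if ctrl is None:
            unmatched.append(setting)
            continue
        if ctrl.value:          # don't overwrite existing settings
            continue
        ctrl.value = value
    return unmatched


# Constructed form holding the controls Task 1 fills, with one value typed
# in already, and a resolved-settings dict with one key that matches no control.
FORM = [Control("WorkspaceId", "8ecf8077-cf51-4820-aadd-14040956f35d"),
        Control("TenantId"), Control("SubscriptionId"),
        Control("ResourceGroup"), Control("WorkspaceName")]
RESOLVED = {"WorkspaceId": "8ecf8077-cf51-4820-aadd-14040956f35d",
            "TenantId": "72f988bf-86f1-41af-91ab-2d7cd011db47",
            "SubscriptionId": "d1d8779d-38d7-4f06-91db-9cbc8de0176f",
            "ResourceGroup": "soc",
            "Workspace Name": "CyberSecuritySOC"}

if __name__ == "__main__":
    print("unmatched:", update_settings(FORM, RESOLVED))
    print({c.description: c.value for c in FORM})
    try:
        get_named_control_strict(FORM, "Workspace Name")
    except StopIteration:
        print("strict lookup raised StopIteration, as in the traceback")
```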