## MSTICPy and Notebooks in InfoSec

---

<h1 style="border: solid; padding:5pt; color:black; background-color:#909090">Session 2 - MSTICPy Configuration</h1>

---

## What this session covers:

- Viewing current settings
- Configuration tools
- Add a Sentinel Workspace
- Add a Kusto Cluster
- Configure KeyVault settings
- Add a Threat Intel Provider
- Add a GeoIP Provider
- Verifying Azure configuration


## Prerequisites
- Python >= 3.8 Environment
- Jupyter installed
- MSTICPy installed
- Azure CLI installed
- Run `az login`
- Account and API key for one or more TI providers
- Account and API key for MaxMind GeoLite


In [1]:
%env MSTICPYCONFIG=./msticpyconfig.yaml

import msticpy as mp
mp.init_notebook()

env: MSTICPYCONFIG=./msticpyconfig.yaml


---

# <a style="border: solid; padding:5pt; color:black; background-color:#909090"><i>msticpyconfig.yaml</i> Structure</a>

---

### [Reference: MSTICPy Package Configuration](https://msticpy.readthedocs.io/en/latest/getting_started/msticpyconfig.html)
> Note this is a little out of date.


## msticpyconfig.yaml

```yaml
Azure:
  auth_methods: [cli, msi, devicecode]
  cloud: global
AzureSentinel:
  # Sentinel workspace configuration
  Workspaces:
    Workspace_Tag:
      # workspace ID, tenant, ext
    Workspace2_Tag:
      # ...
DataProviders:
  # Miscellaneous Data providers
  Browshot:
    Args:
      # AuthKey: [PLACEHOLDER]
  Kusto-MDE:
    Args:
      # Cluster: https://wcdscrubbedservice.kusto.windows.net
      # IntegratedAuth: true
TIProviders:
  TorExitNodes:
    Primary: true
    Provider: Tor
  VirusTotal:
    Args:
      AuthKey:
        KeyVault: null
    Primary: true
    Provider: VirusTotal
OtherProviders:
  # GeoIP providers - should be in DataProviders!
  GeoIPLite:
    Args:
      AuthKey:
        KeyVault: null
      DBFolder: ~/.msticpy
    Provider: GeoLiteLookup
KeyVault:
  # Optional - KV tenant, sub, vault name

```

---

# <a style="border: solid; padding:5pt; color:black; background-color:#909090">Show current settings</a>

---

You can print out current settings from `msticpy.settings.settings`

In [None]:
mp.settings.settings

---

# <a style="border: solid; padding:5pt; color:black; background-color:#909090">Settings Tools - MpConfigFile and MpConfigEdit</a>

---

### [Reference: MSTICPy Settings Editor](https://msticpy.readthedocs.io/en/latest/getting_started/SettingsEditor.html)

## MpConfigFile - settings utilities interactive and command line

In [3]:
config_file = mp.MpConfigFile()
config_file


In [4]:
config_file.view_settings()


### MpConfigEdit - interactive settings editor

If you haven't authenticated using Azure CLI, do that now (in a console window) before running the next cell.

In [5]:
# We'll need to authenticate to Azure to use Workspace resolution in Task 1
mp.az_connect()

AzCredentials(legacy=<msticpy.auth.cred_wrapper.CredentialWrapper object at 0x000001D257D843A0>, modern=<azure.identity._credentials.chained.ChainedTokenCredential object at 0x000001D257D2C580>)

In [2]:
mp.MpConfigEdit()


## Example - Adding a Sentinel Workspace

We will: 

1. Add a new workspace with the following values:
```
    - WorkspaceID: 8ecf8077-cf51-4820-aadd-14040956f35d
    - TenantId: 72f988bf-86f1-41af-91ab-2d7cd011db47
```
2. Resolve all settings for the workspace
3. Set it as the Default Workspace
4. Update and Save Settings
5. Verify Settings have been re-read

In [None]:
mp.MpConfigEdit()

In [4]:
mp.MpConfigFile().view_settings()


In [6]:
# test
sentinel_settings = mp.settings.settings["AzureSentinel"]["Workspaces"]
expected_keys = {"ResourceGroup", "SubscriptionId", "TenantId", "WorkspaceId", "WorkspaceName"}
assert "CyberSecuritySOC" in sentinel_settings
assert "Default" in sentinel_settings

assert all(key in expected_keys for key in sentinel_settings["CyberSecuritySOC"])
assert all(val is not None for val in sentinel_settings["CyberSecuritySOC"].values())


## <a style="border: solid; padding:5pt; color:black; background-color:#309030">Task 1 - Add a Kusto Cluster</a>

Add configuration for a Kusto cluster provider

1. Use the DataProviders tab
2. Pick the Kusto provider and add it
3. Fill in details for:
```
   - Cluster: https://msticpytraining.eastus.kusto.windows.net/
   - TenantId: 72f988bf-86f1-41af-91ab-2d7cd011db47
   - IntegratedAuth: True
   - Instance name: Firecon22
```
4. Save the settings

> Note you do not need to enter values for ClientID or ClientSecret.
> If you get an error with no value for ClientID - enter a space

In [8]:
mp.MpConfigEdit()


In [None]:
mp.MpConfigFile().view_settings()

In [7]:
# test
dp_settings = mp.settings.settings["DataProviders"]
# The Kusto instance name "Firecon22" is prefixed with "Kusto-" in the DataProviders section
assert "Kusto-Firecon22" in dp_settings

assert "Cluster" in dp_settings["Kusto-Firecon22"]["Args"]
assert "TenantId" in dp_settings["Kusto-Firecon22"]["Args"]
assert "IntegratedAuth" in dp_settings["Kusto-Firecon22"]["Args"]
assert all(dp_settings["Kusto-Firecon22"]["Args"].values())


## <a style="border: solid; padding:5pt; color:black; background-color:#309030">Task 2 - KeyVault Settings</a>

Since we only need to read secrets from and write secrets to the Key Vault, we only need a subset of
the settings.
- Authority: global
- TenantId: <tenant-guid>
- UseKeyring: false
- VaultName: <name>

If we needed to create a vault from MSTICPy we would also need:
- AzureRegion, SubscriptionId, ResourceGroup

### Steps:
1. Use the Key Vault tab
2. Enter values for:
```
    - Authority: global
    - TenantId: 72f988bf-86f1-41af-91ab-2d7cd011db47
    - UseKeyring: False (unchecked)
    - VaultName: msticpy-training
```
3. Optional settings:
```
    - AzureRegion: East US
    - SubscriptionId: 40dcc8bf-0478-4f3b-b275-ed0a94f2c013
    - ResourceGroup: MSTICPy
```
4. Update and save settings


In [None]:
mp.MpConfigEdit()


In [None]:
mp.MpConfigFile().view_settings()

In [None]:
# test
kv_settings = mp.settings.settings["KeyVault"]

assert kv_settings["Authority"] == "global"
assert kv_settings["TenantId"] == "72f988bf-86f1-41af-91ab-2d7cd011db47"
assert kv_settings["UseKeyring"] == False
assert kv_settings["VaultName"] == "msticpy-training"


## <a style="border: solid; padding:5pt; color:black; background-color:#309030">Task 3 - Add a TI Provider</a>

Add configuration for a TI provider

1. Use the TI Providers tab
2. Pick a TI provider and add it
3. Fill in details (use the Text option) and Update
4. Save the settings

If you have API keys for other providers, add these.
You should have API keys for:
* VirusTotal
* AlienVault OTX
* IBM XForce\*

> \* Note XForce has both an API Key and an API Password<br>
> The API Key goes in the **ApiID** box, the password goes in the **AuthKey** box

Don't worry if you don't have accounts/keys for all of these providers - just one or two will be fine.

In [None]:
mp.MpConfigEdit()


In [None]:
mp.MpConfigFile().view_settings()

In [None]:
# test
ti_settings = mp.settings.settings["TIProviders"]
assert "VirusTotal" in ti_settings

assert ti_settings["VirusTotal"]["Primary"]
assert ti_settings["VirusTotal"]["Provider"] == "VirusTotal"
assert "AuthKey" in ti_settings["VirusTotal"]["Args"]


Settings for TI Providers should look like this
```
'TIProviders': {'TorExitNodes': {'Primary': True, 'Provider': 'Tor'},
                 'VirusTotal': {'Args': {'AuthKey': '[YOUR VT API KEY]',
                                         'UseVT3PrivateAPI': False},
                                'Primary': True,
                                'Provider': 'VirusTotal'}}}
```

In [None]:
# Test

mp.TILookup().lookup_iocs(["54.69.246.204"])


## Alternatives to storing keys
- You can use the **EnvironmentVar** option to store secrets in environment variables
- You can upload secrets to KeyVault and use them from there.
- You need to configure settings of your vault on the Key Vault tab to do this.
- You can use KeyRing on supported platforms without Key Vault backing (message me for details on this)

KeyVault secret names are built from the path of the value. E.g.:
```
    TIProviders-VirusTotal-Args-AuthKey
```

If you have a secret already in a Key Vault, uncheck `Def KV Path` and
type the name of your secret.

You can also specify `Vaultname/Secretname` to
use a secret from a named Vault rather than the default.
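
As an added illustration (not part of the original notebook or of MSTICPy itself), the function below walks a settings dictionary of the shape `mp.settings.settings` returns, finds the secret-bearing keys (`AuthKey`, `ApiID`, `ClientSecret`) and reports where each secret lives: a plaintext value in the file (the thing you want to spot and move out), an `EnvironmentVar` reference, or a `KeyVault` reference resolved to `vault/secret` using the path-derived default name described above. The sample settings, the vault name and the environment-variable names are constructed for the example.

```python
# Added example, not MSTICPy code: audit where secrets in a msticpyconfig
# settings dict are stored. Sample settings are constructed for this demo.
from typing import Any, Dict, List, Tuple

SECRET_KEYS = {"AuthKey", "ApiID", "ClientSecret"}

# Constructed sample mirroring the sections used in this session.
SAMPLE_SETTINGS: Dict[str, Any] = {
    "TIProviders": {
        "VirusTotal": {"Args": {"AuthKey": {"KeyVault": None}},        # default KV path
                       "Primary": True, "Provider": "VirusTotal"},
        "OTX": {"Args": {"AuthKey": {"EnvironmentVar": "OTX_API_KEY"}},  # env var
                "Primary": True, "Provider": "OTX"},
        "XForce": {"Args": {"ApiID": {"KeyVault": "xforce-id"},         # named secret
                            "AuthKey": {"KeyVault": "team-vault/xforce-password"}},
                   "Primary": True, "Provider": "XForce"},
        "TorExitNodes": {"Primary": True, "Provider": "Tor"},           # no secret
    },
    "OtherProviders": {
        "GeoIPLite": {"Args": {"AuthKey": "PLAINTEXT-KEY-1234",          # plaintext!
                               "DBFolder": "~/.msticpy"},
                      "Provider": "GeoLiteLookup"},
    },
    "KeyVault": {"VaultName": "msticpy-training", "TenantId": "<tenant-guid>"},
}


def kv_secret_name(path: List[str]) -> str:
    """Default Key Vault secret name: the settings path joined with '-'."""
    return "-".join(path)


def classify(value: Any, path: List[str], default_vault: str) -> Tuple[str, str]:
    """Return (storage_kind, reference) for one secret value."""
    if isinstance(value, dict) and "KeyVault" in value:
        ref = value["KeyVault"]
        if ref is None:                      # "Def KV Path": name derived from path
            return "keyvault", f"{default_vault}/{kv_secret_name(path)}"
        if "/" in ref:                       # explicit Vaultname/Secretname
            return "keyvault", ref
        return "keyvault", f"{default_vault}/{ref}"   # named secret, default vault
    if isinstance(value, dict) and "EnvironmentVar" in value:
        return "env", value["EnvironmentVar"]
    return "plaintext", "<redacted>"         # never echo the literal key


def audit_secrets(settings: Dict[str, Any]) -> List[Tuple[str, str, str]]:
    """List (dotted path, storage kind, reference) for every secret found."""
    default_vault = settings.get("KeyVault", {}).get("VaultName", "<no-vault>")
    findings: List[Tuple[str, str, str]] = []

    def walk(node: Any, path: List[str]) -> None:
        if not isinstance(node, dict):
            return
        for key, val in node.items():
            if key in SECRET_KEYS:
                kind, ref = classify(val, path + [key], default_vault)
                findings.append((".".join(path + [key]), kind, ref))
            else:
                walk(val, path + [key])

    walk(settings, [])
    return findings
```

Run `audit_secrets(mp.settings.settings)` against your live settings to list any `plaintext` entries worth moving to Key Vault or an environment variable.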

## <a style="border: solid; padding:5pt; color:black; background-color:#309030">Task 4 - Add a GeoIP Provider</a>

1. Use the GeoIP Providers tab
2. Add an entry for GeoIPLite
   - API Key
   - DBFolder - "./.msticpy"
3. Save settings
4. View settings
5. Test that the settings work


In [None]:
# configure
mp.MpConfigEdit()

In [None]:
mp.MpConfigFile().view_settings()

Settings for OtherProviders should look like this
```
'OtherProviders': {'GeoIPLite': {'Args': {'AuthKey': 'YOUR_GEO_LITE_KEY',
                                           'DBFolder': './.msticpy'},
                                  'Provider': 'GeoLiteLookup'}},
```

In [None]:
# Test
# IpAddress is imported into the notebook namespace by mp.init_notebook()
IpAddress.geoloc("174.34.43.21")

## <a style="border: solid; padding:5pt; color:black; background-color:#309030">Task 5 - Confirm Azure Settings</a>

1. Use the Azure tab
2. Confirm cloud is set to global (or change it to this)
3. Confirm msi, cli and devicecode are selected


In [None]:
# configure
mp.MpConfigEdit()

In [None]:
mp.MpConfigFile().view_settings()

In [None]:
# test
az_settings = mp.settings.settings["Azure"]

assert az_settings["cloud"] == "global"
assert all(meth in az_settings["auth_methods"] for meth in ['cli', 'msi', 'devicecode'])


Settings for Azure section should look like this:
```
{'Azure': {'auth_methods': ['cli', 'msi', 'devicecode'], 'cloud': 'global'},
```

---

# <a style="border: solid; padding:5pt; color:black; background-color:#909090">Finding your msticpyconfig.yaml</a>

---

MSTICPy uses the following to find a configuration file:
- If you specify a path using the `config` parameter of `init_notebook`, it will use that
- If you specify a path using the `MSTICPYCONFIG` environment variable, it will use that
- If you have a msticpyconfig.yaml in ~/.msticpy, it will use that.
  - Note: this is $HOME/.msticpy on Linux/Mac and %UserProfile%/.msticpy on Windows
- If there is a msticpyconfig.yaml in the current directory, it will use that

You can run without a config file but you will get warnings. 
<br>

You can supply
keys, connection strings, etc. to most components when you initialize them but...
#### ... who wants to do that?


---

# <a style="border: solid; padding:5pt; color:black; background-color:#909090">Appendix - Sample msticpyconfig.yaml</a>

---

```yaml
Azure:
  auth_methods:
  - cli
  - interactive
  cloud: global
AzureSentinel:
  Workspaces:
    MainWorkspace: &id001
      ResourceGroup: <ResGroup>
      SubscriptionId: <subscription-guid>
      TenantId: <tenant-guid>
      WorkspaceId: <workspace-guid>
      WorkspaceName: <ws-name>
    Default: *id001
    OtherWorkspace:
      ResourceGroup: ResGroup
      SubscriptionId: <subscription-guid>
      TenantId: <tenant-guid>
      WorkspaceId: <workspace-guid>
      WorkspaceName: <ws-name>
DataProviders:
  Kusto-ABC:
    Args:
      Cluster: <cluster-url>
      IntegratedAuth: true
  Kusto-XYZ:
    Args:
      Cluster: <cluster-url>
      IntegratedAuth: true
  MicrosoftDefender:
    Args:
      ClientId: <client-guid>
      ClientSecret:
        KeyVault: null
      TenantId: <tenant-guid>
  MicrosoftGraph:
    Args:
      ClientId: <client-guid>
      ClientSecret:
        KeyVault: null
      TenantId: <tenant-guid>
  Mordor:
    save_folder: ~/.msticpy/mordor
    use_cached: true
KeyVault:
  Authority: global
  AzureRegion: East US
  ResourceGroup: <ResGroup>
  SubscriptionId: <subscription-guid>
  TenantId: <tenant-guid>
  UseKeyring: false
  VaultName: <name>
OtherProviders:
  GeoIPLite:
    Args:
      AuthKey:
        KeyVault: null
      DBFolder: ~/.msticpy
    Provider: GeoLiteLookup
  IPStack:
    Args:
      AuthKey:
        KeyVault: null
    Provider: IPStackLookup
TIProviders:
  GreyNoise:
    Args:
      AuthKey:
        KeyVault: null
    Primary: true
    Provider: GreyNoise
  OTX:
    Args:
      AuthKey:
        KeyVault: null
    Primary: true
    Provider: OTX
  OpenPageRank:
    Args:
      AuthKey:
        KeyVault: null
    Primary: true
    Provider: OPR
  RiskIQ:
    Args:
      ApiID: 
      AuthKey:
        KeyVault: null
    Primary: true
    Provider: RiskIQ
  TorExitNodes:
    Primary: true
    Provider: Tor
  VirusTotal:
    Args:
      AuthKey:
        KeyVault: null
    Primary: true
    Provider: VirusTotal
  XForce:
    Args:
      ApiID:
        KeyVault: null
      AuthKey:
        KeyVault: null
    Primary: true
    Provider: XForce
```