
Meet Msticpy, A Python Defender Tool For Security Investigations & Hunting

Microsoft Threat Intelligence Python Security Tools (msticpy), a package of tools meant to be used for security investigations and hunting, was released earlier this month. Most of the tools in this package were inspired by Jupyter notebooks and have been repackaged into Python modules. Msticpy is OS-independent and requires Python packages such as pandas, bokeh, matplotlib, seaborn, urllib3, ipywidgets, numpy, IPython and scikit-learn, among others.



There are two main purposes of this package: 

  • Reduce the clutter of code in notebooks, making them easier to use and read.
  • Provide building blocks for future notebooks to make authoring them simpler and quicker.

Msticpy is organised into three main sub-packages, which are described below.


This is the security tools sub-package, which provides help with data analysis and other investigation tasks. Its modules are all focused on data transformation, data analysis or data enrichment, and it contains several data-processing modules and classes that are helpful when working on security investigations. Some of the modules are mentioned below:

  • base64unpack: A Base64 and archive (gz, zip, tar) extractor designed to help decode obscured attack command lines and HTTP request strings. The module identifies any base64-encoded strings and decodes them.
  • iocextract: This module uses a set of built-in regular expressions to look for Indicator of Compromise (IoC) patterns. The input can be a single string or a pandas DataFrame with one or more columns specified as input.
  • vtlookup: A wrapper class around the VirusTotal API. Input can be a single IoC observable or a pandas DataFrame containing multiple observables.
  • geoip: Geographic location lookup for IP addresses, implemented as a generic class with support for different data providers. The module has two classes for different services, GeoLiteLookup and IPStackLookup.
  • eventcluster: Designed to summarise large numbers of events into clusters of different patterns. The module contains functions to generate clusterable features from string data.
  • auditdextract: Loads and decodes Linux audit logs.
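As an added illustration of the job base64unpack does (this is a stand-alone re-implementation of the idea, not msticpy's own code, and the command lines below are constructed), the following finds base64 runs in a command line, decodes them, unwraps gzip-compressed payloads, and recurses into whatever it decodes so that nested layers are surfaced too:

```python
import base64
import binascii
import gzip
import re
import zlib

# Runs of 12+ base64-alphabet characters plus optional padding, with guards so
# we never match the middle of a longer token.
B64_RE = re.compile(r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{12,}={0,2}(?![A-Za-z0-9+/=])")
GZIP_MAGIC = b"\x1f\x8b"

def _to_text(raw):
    """Decode as UTF-16LE (what PowerShell -EncodedCommand uses) or UTF-8; None if neither."""
    try:
        if len(raw) >= 2 and raw[1] == 0:
            return raw.decode("utf-16-le")
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return None

def unpack_base64(text, max_depth=3):
    """Return (token, decoded_text) pairs for each base64 run found in `text`,
    unwrapping gzip payloads and recursing into decoded text up to max_depth."""
    found = []
    for match in B64_RE.finditer(text):
        token = match.group(0)
        try:
            raw = base64.b64decode(token + "=" * (-len(token) % 4), validate=True)
        except binascii.Error:
            continue  # base64-shaped word (e.g. a long hostname), not real data
        if raw.startswith(GZIP_MAGIC):
            try:
                raw = gzip.decompress(raw)
            except (OSError, EOFError, zlib.error):
                continue
        decoded = _to_text(raw)
        # Skip binary noise: keep only results that are almost entirely printable.
        if not decoded or sum(c.isprintable() or c.isspace() for c in decoded) < 0.9 * len(decoded):
            continue
        found.append((token, decoded))
        if max_depth > 0:
            found.extend(unpack_base64(decoded, max_depth - 1))
    return found

# Constructed samples: a gzip-compressed, base64-encoded script carrying a second base64 layer,
# and a UTF-16LE-encoded PowerShell command. Both wrap harmless commands.
INNER_CMD = "whoami /all"
OUTER_CMD = "echo " + base64.b64encode(INNER_CMD.encode()).decode() + " | base64 -d | sh"
_BLOB = base64.b64encode(gzip.compress(OUTER_CMD.encode())).decode()
SAMPLE_CMDLINE = f"sh -c 'echo {_BLOB} | base64 -d | gunzip | sh'"
PS_CMDLINE = "powershell -enc " + base64.b64encode("Get-Process".encode("utf-16-le")).decode()
```

Calling `unpack_base64(SAMPLE_CMDLINE)` yields the outer script first and then the `whoami /all` it hides; ordinary long words such as usernames are rejected by the strict decode and the printable-text check.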


This is the Jupyter-specific UI tools sub-package, containing widgets and data display: mostly presentation-layer tools concentrating on how to view or interact with the data. The modules are:

  • nbwidgets: This module groups common functionality such as list pickers, time boundary settings, and saving and retrieving environment variables into a single-line callable command.
  • nbdisplay: This module implements the common display of things like alerts.


This sub-package provides data interfaces and a query library for log and alert APIs, including Azure Sentinel/Log Analytics, Microsoft Graph Security API and Microsoft Defender Advanced Threat Protection (MDATP).


This package requires Python version 3.6 or later.

To install, type:

pip install msticpy

Or for the latest dev build, type:

pip install git+


Msticpy is an open-source package that was initially developed to support Jupyter Notebook authoring for Azure Sentinel. The package is still in early preview, so there are likely to be bugs and possible API changes, and it is not yet fully optimised for performance.

Ambika Choudhury
A Technical Journalist who loves writing about Machine Learning and Artificial Intelligence. A lover of music, writing and learning something out of the box.
