Cyber Security Investigations with Jupyter Notebooks

**Jupyter notebooks** are growing in popularity among CyberSec analysts. For threat hunting and incident investigations, notebooks give you flexibility not found in most *Security Operations Center* (SOC) toolsets.

However, threat hunting needs specialized tools, analytics and visualizations that aren't part of the typical data science libraries. We'll show some of the features of **MSTICPy**, the CyberSec tools library we built to address these gaps.

The focus of the talk will be on the Python techniques (including code examples) that we used to build extensible and discoverable tools for large-scale CyberSec operations. The techniques are applicable to many fields - no previous cybersecurity knowledge is required to watch the talk or use the techniques.

Overview:

- What is the appeal of notebooks in SOCs, and what is missing?

- Making data querying/acquisition simple - creating dynamic functions from config.

- Data enrichment: getting more context on IP addresses, hosts, etc. - using decorators to create a consistent API.

- Visualizations - quick tour of MSTICPy visualizations using *pandas* accessors and **Bokeh**.

- Composability - assembling multiple operations into a *pandas* execution pipeline.
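As an added example that is not part of the talk and does not reproduce MSTICPy's own API, the sketch below shows three of the techniques listed above using only the Python standard library: query functions generated from a config dictionary (with the parameters validated before they are substituted into the query string, since plain formatting would otherwise let a hostile value rewrite the query), a decorator that gives every enrichment lookup the same call and return shape and keeps one failing provider from aborting the run, and a `pipe` helper that chains steps the way `DataFrame.pipe` does. The config, the sample logon rows, the internal network ranges and the reputation table are all constructed for the example; the visualization and pandas accessor material is not shown.

```python
"""Added illustration (not MSTICPy code) of techniques from the talk outline."""
import ipaddress
from functools import wraps

# 1. Data acquisition: query functions generated from config.
# Constructed config; the field names are this example's own.
QUERY_CONFIG = {
    "list_logons_for_host": {
        "query": "SigninLogs | where Host == '{host}' | take {limit}",
        "params": {"host": str, "limit": int},
        "defaults": {"limit": 100},
    },
    "alerts_for_ip": {
        "query": "SecurityAlert | where IP == '{ip}'",
        "params": {"ip": str},
        "defaults": {},
    },
}


class QueryProvider:
    """One callable attribute per config entry, created at init time."""

    def __init__(self, config, executor):
        self._executor = executor
        self.last_query = None
        self.queries = sorted(config)
        for name, spec in config.items():
            setattr(self, name, self._make_query(name, spec))

    def _make_query(self, name, spec):
        def query_func(**kwargs):
            args = {**spec["defaults"], **kwargs}
            missing = set(spec["params"]) - set(args)
            if missing:
                raise TypeError(f"{name}: missing parameters {sorted(missing)}")
            for pname, ptype in spec["params"].items():
                args[pname] = ptype(args[pname])
                # The template is plain string substitution, so refuse values
                # that could close the quoted literal and alter the query.
                if ptype is str and "'" in args[pname]:
                    raise ValueError(f"{name}: quote not allowed in {pname}")
            self.last_query = spec["query"].format(**args)
            return self._executor(self.last_query)

        query_func.__name__ = name  # makes the function discoverable by name
        query_func.__doc__ = f"{spec['query']}\nParameters: {sorted(spec['params'])}"
        return query_func


# Constructed rows standing in for a SIEM query result.
SAMPLE_LOGONS = [
    {"Host": "ws01", "Account": "alice", "IP": "10.0.0.5"},
    {"Host": "ws01", "Account": "bob", "IP": "203.0.113.7"},
]


def fake_executor(rendered_query):
    """Stand-in for a real backend; ignores the query and returns sample rows."""
    return [dict(row) for row in SAMPLE_LOGONS]


# 2. Enrichment: a decorator that gives every lookup the same shape and
# registers it under an observable type.
ENRICHERS = {}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # constructed org ranges


def enricher(ioc_type):
    def decorate(func):
        @wraps(func)
        def wrapper(observable):
            result = {"observable": observable, "type": ioc_type, "provider": func.__name__}
            try:
                result.update(ok=True, details=func(observable))
            except Exception as exc:  # one failing provider must not abort the hunt
                result.update(ok=False, details={"error": str(exc)})
            return result
        ENRICHERS.setdefault(ioc_type, []).append(wrapper)
        return wrapper
    return decorate


@enricher("ipv4")
def ip_scope(ip):
    addr = ipaddress.ip_address(ip)
    return {"internal": any(addr in net for net in INTERNAL_NETS)}


@enricher("ipv4")
def ip_reputation(ip):
    known_bad = {"203.0.113.7": "known-scanner"}  # constructed TI table
    if ip not in known_bad:
        raise LookupError("no reputation record")
    return {"verdict": known_bad[ip]}


def enrich(ioc_type, observable):
    """Run every registered provider for the type; results share one schema."""
    return [func(observable) for func in ENRICHERS.get(ioc_type, [])]


# 3. Composability: small steps chained the way DataFrame.pipe chains them.
def pipe(data, *steps):
    for step in steps:
        data = step(data)
    return data


def external_only(rows):
    return [r for r in rows if not ip_scope(r["IP"])["details"]["internal"]]


def add_verdict(rows):
    return [{**r, "verdict": ip_reputation(r["IP"])["details"].get("verdict")} for r in rows]


def investigate(host):
    qp = QueryProvider(QUERY_CONFIG, fake_executor)
    return pipe(qp.list_logons_for_host(host=host, limit=10), external_only, add_verdict)


if __name__ == "__main__":
    for row in investigate("ws01"):
        print(row)
```

The generated functions carry the template in their docstring, so `help(qp.list_logons_for_host)` documents the query, and the decorator's fixed return dictionary is what lets `add_verdict` stay indifferent to which provider answered or whether it failed.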

About Ian Hellen

I work as a principal developer in the Microsoft Threat Intelligence Center. I spend most of my time building and maintaining MSTICPy - our CyberSec hunting Python tool library - and creating Jupyter notebooks for threat hunting and investigations.
Prior to that I worked on Azure Security Center (now Defender for Azure), security assessments for Microsoft services and multiple security reviews/pen tests of Windows (as far back as Vista!).
I love skiing, snorkeling & scuba (recently), music and occasionally messing around with Raspberry Pis and MicroPython devices.