Description
Jupyter notebooks are growing in popularity among cybersecurity analysts. For threat hunting and incident investigations, notebooks give you a flexibility not found in most Security Operations Center (SOC) toolsets.
However, threat hunting requires specialized tools, analytics and visualizations that aren't part of the typical data science libraries. We'll show some of the features of the MSTICPy CyberTools library, which we built to address these gaps.
The focus of the talk will be on the Python techniques (including code examples) that we used to build extensible and discoverable tools for large-scale cybersecurity operations. The techniques are applicable to many fields; no previous cybersecurity knowledge is required to follow the talk or use the techniques.
Overview:
- What's the appeal of notebooks in SOCs, and what is missing?
- Making data querying/acquisition simple: creating dynamic functions from config.
- Data enrichment: getting more context on IP addresses, hosts, etc.; using decorators to create a consistent API.
- Visualizations: a quick tour of MSTICPy visualizations using pandas accessors and Bokeh.
- Composability: assembling multiple operations into a pandas execution pipeline.