Ian Hellen
Greater Seattle Area
3K followers
500+ connections
Articles by Ian
-
Security Analysis Using Windows Defender ATP APIs with Jupyter Notebooks (Dec 4, 2018)
Nice post and example notebook from John Lambert. Subject matter close to my heart as I am spending a lot of time…
Activity
-
Ian Hellen shared this:
🎉 Announcing MSTICPy 3.0 🚀 (although, it is older than it looks)
Excited to share the release of MSTICPy 3.0 — a major step forward for our security investigation and threat hunting Python library. As well as reaching a major version milestone, we also passed the 1 million downloads mark late last year! 🍾
This release is mainly focused on house-cleaning: deprecating old APIs, Python versions and dependencies and bringing support for Python 3.13. (It's amazing how much junk you accumulate over the years!)
Highlights:
- Support OAuth2 in Defender XDR data provider
- Certificate-based authentication support for Microsoft Sentinel provider
- New/updated providers for @OpenObserve and CyberReason
- Overhaul of APIs and documentation
- This release also reflects growing integration with AI-assisted development workflows, including the use of coding agents to accelerate innovation and maintenance.
Release notes: https://lnkd.in/gkt3zfex
From investigation notebooks to detection engineering, MSTICPy remains a powerful toolkit for analyzing security data and building advanced analytics. Huge thanks to everyone who contributed code, reviews, feedback, and ideas to make this release possible. We’re excited to see what the future has in store with MSTICPy 3.0. 🚀
#Security #ThreatHunting #Python #OpenSource #MSTICPy #CyberSecurity
-
Ian Hellen shared this:
Announcing MSTICPy 3.0 Release Candidate 1 🎆 🍾
Have been doing some work to tidy up msticpy a little (with the help of Florian Bracq and Ryan Marcotte Cobb 🙏). Not much in the way of new features but a *lot* of code clean-up, support for Python 3.13, moving to the awesome Ruff as main code linter.
In the cleanup we are removing support for a few things:
- Python 3.8 and 3.9 (both have passed the end of security support and should be considered dangerous to use in polite society 👾)
- The deprecated Sentinel and Kusto data drivers using KqlMagic (new ones based on Azure SDK are obviously still there)
- A heap of modules (30+) that were just glue code to support long-deprecated paths.
Due to these breaking changes, we're leaping a whole version number to 3.0. Expect the full release in a few weeks while we wait to see if there are any screams.
https://lnkd.in/g8J8cyRh
-
Ian Hellen shared this:
MSTICPy v2.17.0 Released
This release delivers new analytics capability (RRCF outlier detection), expanded cloud detection coverage (Prisma Cloud AWS), and a modernization of authentication by moving Defender data providers to OAuth2 with corrected scopes. It also fixes several reliability issues (MSI auth logic, KQL timezone handling, query value escaping), updates visualization and widget code for Bokeh 3.7 and Python 3.12, tightens typing (mypy/key vault), and refreshes CI/publish infrastructure and supported Python versions. Users of Defender integrations should review and update scopes/config before upgrading.
https://lnkd.in/gf2AE_np
Release M365 authn, Bokeh fixes, RRCF Outliers, Prisma Cloud... · microsoft/msticpy
-
Ian Hellen posted this:
MSTICPy 2.16.2 released
Minor update with some fixes for:
- Bokeh 3.7 compatibility
- VirusTotal library update compatibility
- Using AzureCliCredential or ManagedIdentityCredential fixes
- Changing requirements to avoid vulnerabilities in some packages.
https://lnkd.in/grFaBVAJ
https://lnkd.in/gYbcg8S
#msticpy
-
Ian Hellen shared this:
#MSTICPy 2.16.0 Released
Features include data provider for Prisma Cloud (Palo Alto) and TI provider for Cyberint TI service. Also support for certificate authentication for OData drivers (Defender and MSGraph). There's an experimental (but currently broken) driver for LogAnalytics to allow you to query custom tables. If there are any coders working with Sentinel/Log Analytics who would like to help out on this, I'd be grateful for your support.
Details of changes (and bugs) in the Release Notes: https://lnkd.in/gqKbGA-9
-
Ian Hellen shared this:
MSTICPy Training resources
Following the 2.14 release announcement, I had a few inquiries about training content. We don't have a lot but I thought it might be helpful to others to post some resources here:
💡 *Content on YouTube* - Look on YouTube for some of the more recent things (steer clear of anything pre-msticpy 2.0): https://lnkd.in/gMNh2WpQ
💡 One of these specifically is pretty broad and up-to-date: https://lnkd.in/ghezp2NH
💡 There is an *Intro/overview of msticpy* here: https://lnkd.in/gUZkzm9j This is part of a series of workshops we did at Jupyterthon 2021.
💡 For more in-depth material we have the *MSTICPy Training* GitHub repo: https://lnkd.in/g9G6VjYc If you look at the Workshops/Jun2023 folder, this has a set of notebooks that cover a lot of the functionality. There's also a docker setup to create a notebook environment. This was mainly an internal MS event so a small amount of the content won't be runnable, but the majority is self-contained and runnable by anyone.
💡 Also, if you have access to *Pluralsight* I did a course for them on threat hunting using msticpy: https://lnkd.in/gKxfk7_h
-
Ian Hellen shared this:
MSTICPy 2.14.0 released.
New features/fixes include:
- Automating loading of query providers/MSTICPy components
- Fixing Maxmind GeoIPLite auto-update for MSTICPy
- Recursive unpacking of nested dictionary columns in pandas dataframes
Other features/fixes include:
- Restoring the "progress" parameter for TILookup (inadvertently removed in a recent code cleanup)
- Adding max_retry parameter to CyberReason exec_query function.
Full release notes are here: https://lnkd.in/gk9BBEmP
Package update: pip install msticpy==2.14.0
Release User Session Management, MaxMind Geolit fix, Extract nested dicts from Pandas · microsoft/msticpy
-
Ian Hellen shared this:
Some exciting work from Anthony Shaw and Aaron Powell on making it possible to call Python functions from the .Net/C# world. https://lnkd.in/gJkFysYM
Embedding Python into your .NET project with CSnakes
-
Ian Hellen shared this:
Our team is hiring! If you're a senior security researcher with people management experience and looking for a change, we're looking for a Principal Security Research Manager. Our team is part of MS Security Research doing leading-edge research for Microsoft security products and services. https://lnkd.in/giH7wUHy
-
Ian Hellen reacted on this:
Using Copilot Agent Mode + Claude Sonnet to verify System Designs
Recently I experimented with using VS Code + GitHub Copilot (Agent mode) as a design validation partner for an engine architecture I’ve been working on. Instead of starting from code, I approached it as a system design review:
- Provided my architecture diagram
- Shared projected ingestion volume
- Defined SLA targets (latency, throughput)
- Asked the LLM to evaluate performance, scalability, and cost (COGs)
I used Claude Sonnet 4.6 as the model behind the agent.
What worked surprisingly well
The LLM was able to:
- Reason about end-to-end data flow: identified potential pressure points in ingestion and transformation stages
- Validate scalability assumptions: highlighted where horizontal scaling might not be sufficient due to coordination or state constraints
- Surface performance risks early: flagged components likely to become bottlenecks under peak load
Most importantly, it didn’t just critique—it proposed concrete alternatives.
Where it added real value
A few examples where the agent helped:
- Suggested platform-level adjustments
- Identified hidden coupling across components that could impact latency
- Raised cost efficiency considerations I hadn’t explicitly modeled (especially around sustained high-volume ingestion)
This felt less like “chatting with an LLM” and more like having a design review partner that can rapidly iterate with you.
Key takeaway
We’re starting to see LLMs evolve from code generation tools → system-level reasoning assistants. For architecture-heavy work (like data pipelines, large-scale ingestion systems, or security data platforms), this is particularly powerful:
- Faster iteration on design trade-offs
- Earlier detection of scaling risks
- Better alignment between performance goals and cost efficiency
Final thought
It’s not a replacement for deep engineering judgment—but as a first-pass design validator and thought partner, it’s already incredibly useful. Curious if others are using Copilot/LLMs this way for architecture validation—would love to compare notes.
-
Ian Hellen reacted on this:
📢 Big personal update!! After almost 5 years, today was my last day at Microsoft. I had the chance to work with very talented people on complex AI and security research. It was a wild ride! Next week I will be at Black Hat Asia. Reach out if you want to catch up and talk about the latest in AI x Threat Intelligence. Ready for what is coming next! ✌️ (About 4 years between those two pictures… learned a few things since then, and got a haircut 😅)
-
Ian Hellen reacted on this:
🤩 It was a huge honor to receive the MRE award yesterday. Fun fact: when I landed in Australia four years ago, the MRE conference was one of the first conferences where I presented here. Thank you Paul S Pang and Dr Paul Black for the organization 🙏 Federation University Australia
Experience
Licenses & Certifications
Volunteer Experience
-
High School Chaperone - multiple Orchestra trips
Ballard High School
Languages
-
English
Native or bilingual proficiency
-
Spanish
Limited working proficiency
-
Italian
Limited working proficiency
Organizations
-
British Computer Society
-
- Present
Explore more posts
-
The Cyber Security Hub™
2M followers
Download Pentera Labs Report - revealing three new critical injection points in the ingress-nginx controller, building on Wiz’s IngressNightmare CVE. These overlooked vulnerabilities could let attackers hijack traffic, spoof headers, or reach unauthorized backend services. They exist in one of the most widely used ingress controllers in Kubernetes, putting countless environments at risk. This research highlights how small misconfigurations can lead to major exposure in modern cloud-native architectures.
What’s Inside:
✅ 3 new injection vulnerabilities in ingress-nginx
✅ How attackers find and exploit CVEs in open source
✅ Actionable tips to secure your Kubernetes environment
https://lnkd.in/eHtX6EdP
-
Gonzalo Romero
WhoisXML API • 5K followers
Tackling DNS abuse requires targeted, proportional, and collaborative solutions. The latest policy blueprint by the NetBeacon Institute outlines concrete actions—such as limiting high-volume domain registrations for new accounts, addressing subdomain abuse, and improving coordination on DGA-based threats. These proposals reflect the kind of pragmatic, community-led thinking our industry needs to strengthen DNS trust and integrity. As part of the .CO SecOps team, I remain fully committed to advancing security, accountability, and responsible governance across the global domain name ecosystem. #DNSAbuse #InternetGovernance #DomainSecurity #NetBeacon #COInternet #TrustAndSafety #CyberPolicy
-
Daniel Young
Circadian Risk Inc. • 9K followers
Here’s a pattern I’m seeing more often: More sites. More assessments. More reporting expectations. Same headcount. Security teams are being asked to scale output without scaling structure. So what happens? Assessments become episodic. Reporting takes too long. Prioritization becomes subjective. And leaders spend more time translating risk than reducing it. This isn’t a capability issue. It’s an architecture issue. At some point, physical security has to operate with the same operational discipline as finance and IT. Otherwise it stays in permanent catch-up mode. For security people overseeing medium to large portfolios (20+ sites): What’s currently your biggest bottleneck volume, visibility, or validation? And why do you think this is?
-
CYBER DEFENSE MAROC
1K followers
Not all alerts are created equal. Master alert triage by focusing on context: asset criticality, attack vector, and threat intelligence. Prioritize what threatens your crown jewels first, then tackle the noise. Efficient triage = faster response, less burnout. Your SOC’s secret weapon? Smarter, not harder. 🔍
#Cybersecurity #AlertTriage
-
Kyle Kelly
xAI • 5K followers
IMO, Trusted Publishing (along with provenance attestations) has been the single-best advancement for securing public package repositories. Firstly, it rids the need for long-lived tokens, which I can hope we all agree suck. But also, most people didn't realize that until recently (and still today with certain registries), nothing has tied source code repositories to the artifact published. Yes, you could publish a package you created, and link the source repository of any project, instead of your own 🙃. With Trusted Publishing, authentication is performed by exchanging OIDC identity tokens for short-lived and tightly scoped API tokens to authenticate with package repository publishing APIs. Provenance attestation similarly leverages OIDC, so it makes sense to use them in unison. During a workflow, you can build an artifact, attest to its origins, and publish to a package registry all at once. Enabling the registry to verify the origins of the published artifact.
-
Lea Snyder
Microsoft • 5K followers
With less than a month remaining to submit for the Seattle Bsides Security Conference, I'm hosting another AMA focused on CFPs. Feel free to ask any questions you've had about CFP submissions in the comments below. In the meantime, here are some quick tips to enhance your submission:
1. Read all the directions carefully.
2. Avoid generic submissions; a one-sentence description for your abstract won't suffice. Provide enough detail to give reviewers a detailed understanding of your topic.
3. Include outlines and learning objectives to clarify your message. While optional, they can significantly strengthen your submission.
4. If examples are provided, review them, but remember that simply mimicking them does not guarantee acceptance.
5. Seek feedback and be prepared to iterate on your submission.
Looking forward to your questions!
#bsidesseattle #cfp #ama