Notebooklet Class - AccountSummary
Retrieves account summary for the selected account.
Main operations:
Searches for matches for the account name in Active Directory, Windows and Linux host logs.
If one or more matches are found it will return a selection widget that you can use to pick the account.
Selecting the account displays a summary of recent activity and retrieves any alerts and hunting bookmarks related to the account.
The alerts and bookmarks are browseable using the browse_alerts and browse_bookmarks methods.
You can call the get_additional_data method to retrieve and display more detailed activity information for the account.
All of the returned data items are stored in the results class as entities, pandas DataFrames or Bokeh visualizations.
Run help(nblt) on the notebooklet class to see usage.
Run help(result) on the result class to see documentation of its properties.
Run the print_options() method on either the notebooklet or results class to see information about the options parameter for the run() method.
Default Options
get_alerts: Retrieve alerts and display timeline for the account.
get_bookmarks: Retrieve investigation bookmarks for the account
Other Options
None
Display Sections
Account Summary
This function searches Active Directory, Azure, Office365, Windows and Linux logs for matching accounts. If any matches are found you can choose an account to explore, viewing the times of recent event types, any alerts and hunting bookmarks that relate to the account name. You can also retrieve recent details of the logon activity or cloud activity for the account. For further investigation use the host_logons_summary notebooklet for Windows and Linux host logons.
Host logon attempt timeline
Hover over each timeline event to see details.
IP Address details summary
Number of operations detected, grouped by IP address. The table shows the WhoIs ASN description and country code for each address. If a UserAgent column is present in the data, operations are also grouped by user agent.
Querying for account matches.
Searching through Active Directory, Windows and Linux events. This may take a few moments to complete.
Summary of Azure activity for AAD, Azure resource and O365
Shows the total number of operations, the list of unique operations, the list of unique resource IDs and the first and last operation recorded in the selected time range. The data is grouped by:
- Data source
- User
- Type
- Azure activity type/source
- Client IP address
- Application resource provider
- User type
Summary of host logon activity.
Shows the total number of logon attempts by host. FailedLogons shows the breakdown of successful and failed logons. IPAddresses is a list of distinct source IP addresses for the logons. LogonTypeCount breaks down the logon types used, by count. FirstLogon and LastLogon show the earliest and latest logons on each host by this account in the selected time range.
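The per-host summary described above can be reproduced outside the notebooklet to see exactly what each column means. The following is an added example, not msticnb's own code: a pure-Python function that builds the same TotalLogons, FailedLogons, IPAddresses, LogonTypeCount, FirstLogon and LastLogon fields from constructed sample logon events for one account within a selected time range. The event column names (TimeGenerated, Computer, Account, LogonType, IpAddress, LogonResult) are an assumption modelled on the Windows SecurityEvent schema, and the account-name normalisation (stripping the DOMAIN\ prefix and @domain suffix so that Windows, AAD and Linux spellings of the same account compare equal) is added here and is not documented on this page.

```python
from collections import Counter
from datetime import datetime

# Constructed sample logon events (not real telemetry). The column names are an
# assumption modelled on the Windows SecurityEvent table; the page does not list them.
SAMPLE_LOGONS = [
    {"TimeGenerated": "2023-05-01T08:02:11", "Computer": "WKSTN-01",
     "Account": "CONTOSO\\alice", "LogonType": 2, "IpAddress": "10.1.2.3",
     "LogonResult": "Success"},
    {"TimeGenerated": "2023-05-01T08:05:40", "Computer": "WKSTN-01",
     "Account": "CONTOSO\\alice", "LogonType": 2, "IpAddress": "10.1.2.3",
     "LogonResult": "Failure"},
    {"TimeGenerated": "2023-05-01T09:15:00", "Computer": "SRV-FILE01",
     "Account": "CONTOSO\\alice", "LogonType": 3, "IpAddress": "10.1.2.3",
     "LogonResult": "Success"},
    {"TimeGenerated": "2023-05-01T09:16:02", "Computer": "SRV-FILE01",
     "Account": "CONTOSO\\alice", "LogonType": 3, "IpAddress": "10.1.2.3",
     "LogonResult": "Success"},
    # Same account spelled as a UPN, logging on over RDP (type 10) from an external address.
    {"TimeGenerated": "2023-05-01T22:40:09", "Computer": "SRV-FILE01",
     "Account": "alice@contoso.com", "LogonType": 10, "IpAddress": "203.0.113.45",
     "LogonResult": "Failure"},
    {"TimeGenerated": "2023-05-01T22:40:15", "Computer": "SRV-FILE01",
     "Account": "alice@contoso.com", "LogonType": 10, "IpAddress": "203.0.113.45",
     "LogonResult": "Failure"},
    # A different account: must not appear in alice's summary.
    {"TimeGenerated": "2023-05-01T10:00:00", "Computer": "WKSTN-02",
     "Account": "CONTOSO\\bob", "LogonType": 2, "IpAddress": "10.1.2.9",
     "LogonResult": "Success"},
    # Outside the selected time range: must be ignored.
    {"TimeGenerated": "2023-04-20T07:00:00", "Computer": "WKSTN-01",
     "Account": "CONTOSO\\alice", "LogonType": 2, "IpAddress": "10.1.2.3",
     "LogonResult": "Success"},
]


def normalize_account(name):
    """Reduce DOMAIN\\user, user@domain and plain user to a lower-case user name.

    Added normalisation (an assumption, not from the page) so that the same
    account recorded by Windows, AAD and Linux sources matches one search term.
    """
    name = name.rsplit("\\", 1)[-1]   # strip a DOMAIN\ prefix
    name = name.split("@", 1)[0]      # strip an @domain UPN suffix
    return name.strip().lower()


def summarize_host_logons(events, account, start, end):
    """Per-host logon summary for one account within [start, end).

    start and end are ISO-8601 timestamps. Returns {host: summary} where each
    summary carries the columns described in the page's host logon summary.
    """
    start_ts = datetime.fromisoformat(start)
    end_ts = datetime.fromisoformat(end)
    wanted = normalize_account(account)
    summary = {}
    for ev in events:
        if normalize_account(ev["Account"]) != wanted:
            continue
        ts = datetime.fromisoformat(ev["TimeGenerated"])
        if not (start_ts <= ts < end_ts):
            continue
        host = summary.setdefault(ev["Computer"], {
            "TotalLogons": 0,
            "FailedLogons": Counter(),     # breakdown by LogonResult
            "IPAddresses": set(),          # distinct source addresses
            "LogonTypeCount": Counter(),   # breakdown by logon type
            "FirstLogon": ts,
            "LastLogon": ts,
        })
        host["TotalLogons"] += 1
        host["FailedLogons"][ev["LogonResult"]] += 1
        host["IPAddresses"].add(ev["IpAddress"])
        host["LogonTypeCount"][ev["LogonType"]] += 1
        host["FirstLogon"] = min(host["FirstLogon"], ts)
        host["LastLogon"] = max(host["LastLogon"], ts)
    # Freeze the working containers into plain, deterministic types for display.
    for host in summary.values():
        host["FailedLogons"] = dict(host["FailedLogons"])
        host["IPAddresses"] = sorted(host["IPAddresses"])
        host["LogonTypeCount"] = dict(host["LogonTypeCount"])
    return summary


if __name__ == "__main__":
    result = summarize_host_logons(
        SAMPLE_LOGONS, "alice", "2023-05-01T00:00:00", "2023-05-02T00:00:00")
    for computer, row in result.items():
        print(computer, row)
```

Running the block prints one row per host; the SRV-FILE01 row shows the pattern an analyst would want to chase (two failed type-10 logons from 203.0.113.45 after successful type-3 logons from the internal 10.1.2.3 address), which is the point of the IPAddresses and LogonTypeCount columns.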
Results Class
AccountSummaryResult
Account Summary Result.
Attributes
- account_activity : pd.DataFrame
DataFrame of most recent activity.
- account_selector : msticpy.nbtools.nbwidgets.SelectString
Selection widget for accounts.
- related_alerts : pd.DataFrame
Alerts related to the account.
- alert_timeline : LayoutDOM
Timeline of alerts.
- related_bookmarks : pd.DataFrame
Investigation bookmarks related to the account.
- host_logons : pd.DataFrame
Host logon attempts for the selected account.
- host_logon_summary : pd.DataFrame
Host logon summary for the selected account.
- azure_activity : pd.DataFrame
Azure account activity for the selected account.
- account_activity_summary : pd.DataFrame
Azure activity summary.
- azure_timeline_by_provider : LayoutDOM
Azure activity timeline grouped by provider.
- account_timeline_by_ip : LayoutDOM
Host or Azure activity timeline by IP address.
- azure_timeline_by_operation : LayoutDOM
Azure activity timeline grouped by operation.
- ip_address_summary : pd.DataFrame
Summary of IP address properties and usage for the current activity.
- ip_all_data : pd.DataFrame
Full details of operations with IP WhoIs and GeoIP data.
Methods
Instance Methods
Inherited methods
attrib
contains data.
Other Methods
search_terms
result [property]: Return result of the most recent notebooklet run.
silent [property]: Get the current instance setting for silent running.
run
Return account activity summary.
Parameters
- value : str
Account name to search for.
- data : Optional[pd.DataFrame], optional
Not used.
- timespan : TimeSpan
Timespan for queries.
- options : Optional[Iterable[str]], optional
List of options to use, by default None. A value of None means use default options. Options prefixed with “+” will be added to the default options. To see the list of available options type help(cls) where “cls” is the notebooklet class or an instance of this class.
- account_types : Iterable[AccountType], optional
A list of account types to search for, by default all types.
Returns
- AccountSummaryResult
Result object with attributes for each result type.
Raises
- MsticnbMissingParameterError
If required parameters are missing
Default Options
get_alerts: Retrieve alerts and display timeline for the account.
get_bookmarks: Retrieve investigation bookmarks for the account
Other Options
None