Notebooklet Class - NetworkFlowSummary
Network Flow Summary Notebooklet class.
Queries network data and plots time lines for network traffic to/from a host or IP address.
- Plot flows events by protocol and direction
- Plot flow count by protocol
- Display flow summary table
- Display flow summary by ASN
- Display results on map
Methods
- run: main method for notebooklet.
- select_asns: Open an interactive dialog to choose which ASNs to investigate further.
- lookup_ti_for_asn_ips: For selected ASNs, look up Threat Intelligence data for the IPs belonging to those ASNs.
- show_selected_asn_map: Show IP address locations for selected IPs (including any threats highlighted).
Default Options
- plot_flows: Create plots of flows by protocol and direction.
- plot_flow_values: Plot flow count by protocol.
- flow_summary: Create a summarization of all flows and all flows grouped by ASN.
- resolve_host: Try to resolve the host name before other operations.
Other Options
- geo_map: Plot a map of all IP address locations in communication with the host (see the method below for plotting selected IPs only).
Display Sections
Host Network Summary
This shows a summary of network flows for this endpoint. Data and plots are stored in the result class returned by this function.
Map of geographic location of selected IPs communicating with host
Numbered circles indicate multiple items - click to expand these. Hovering over a location shows brief details, clicking on an IP location shows more detail. Location marker key: Blue = outbound, Purple = inbound, Green = Host, Red = Threats.
Map of geographic location of all IPs communicating with host
Numbered circles indicate multiple items - click to expand these. Hovering over a location shows brief details, clicking on an IP location shows more detail. Location marker key: Blue = outbound, Purple = inbound, Green = Host.
Flow Index
List of flows grouped by source, dest, protocol and direction.
Flow Summary with ASN details
Gets the ASN details from WhoIs. The data shows flows grouped by source and destination ASNs. All protocol types and all source IP addresses are grouped into lists for each ASN.
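As an added illustration (not msticnb's own code), the grouping behind the Flow Index and the ASN flow summary, plus the default ASN selection rule described under "Select the ASNs to process" (least frequently seen ASNs first). It runs on constructed flow records, and the ASN_OF table is a constructed stand-in for the WhoIs lookup the notebooklet performs.

```python
from collections import Counter, defaultdict

# Constructed sample flow records (hypothetical addresses, not real data).
# dir: "I" = inbound, "O" = outbound, matching the page's timeline legend.
FLOWS = [
    {"src": "10.0.0.4", "dest": "93.184.216.34", "proto": "TCP", "dir": "O"},
    {"src": "10.0.0.4", "dest": "93.184.216.34", "proto": "TCP", "dir": "O"},
    {"src": "10.0.0.4", "dest": "93.184.216.34", "proto": "UDP", "dir": "O"},
    {"src": "198.51.100.7", "dest": "10.0.0.4", "proto": "TCP", "dir": "I"},
    {"src": "203.0.113.9", "dest": "10.0.0.4", "proto": "TCP", "dir": "I"},
]
# Constructed stand-in for the WhoIs ASN lookup; "HOST" marks the host itself.
ASN_OF = {"10.0.0.4": "HOST", "93.184.216.34": "AS15133",
          "198.51.100.7": "AS64500", "203.0.113.9": "AS64501"}


def flow_index(flows):
    """Flow Index: flow counts grouped by source, dest, protocol and direction."""
    counts = Counter((f["src"], f["dest"], f["proto"], f["dir"]) for f in flows)
    # Busiest tuples first, then key order for ties.
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def flow_summary_by_asn(flows, asn_of):
    """Flow Summary: group by (source ASN, dest ASN); collect protocols and source IPs."""
    groups = defaultdict(lambda: {"flow_count": 0, "protocols": set(), "src_ips": set()})
    for f in flows:
        key = (asn_of.get(f["src"], "UNKNOWN"), asn_of.get(f["dest"], "UNKNOWN"))
        groups[key]["flow_count"] += 1
        groups[key]["protocols"].add(f["proto"])
        groups[key]["src_ips"].add(f["src"])
    # Sorted lists make the summary deterministic and easy to tabulate.
    return {key: {"flow_count": g["flow_count"], "protocols": sorted(g["protocols"]),
                  "src_ips": sorted(g["src_ips"])} for key, g in groups.items()}


def rarest_remote_asns(summary, n=2):
    """Default select_asns choice: the n remote ASNs seen in the fewest flows."""
    per_asn = Counter()
    for (src_asn, dest_asn), g in summary.items():
        for asn in (src_asn, dest_asn):
            if asn not in ("HOST", "UNKNOWN"):
                per_asn[asn] += g["flow_count"]
    return [asn for asn, _ in sorted(per_asn.items(), key=lambda kv: (kv[1], kv[0]))[:n]]
```

The rare-ASN list is what you would hand to a TI lookup; in the notebooklet the same role is played by select_asns followed by lookup_ti_for_asn_ips.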
TI Lookup for IP Addresses in selected ASNs
The remote IPs from each selected ASN are searched for in your selected Threat Intelligence providers. Check the results to see if there are indications of malicious activity associated with these IPs.
Timeline of network flows quantity
Each protocol is plotted as a separate colored series. The vertical axis indicates the number of flows recorded for that time slot.
Timeline of network flows by direction
I = inbound, O = outbound.
Timeline of network flows by protocol type
Select the ASNs to process
Choose any unusual-looking ASNs that you want to examine. The remote IPs from each selected ASN will be sent to your selected Threat Intelligence providers to check if there are indications of malicious activity associated with these IPs. By default, the most infrequently accessed ASNs are selected.
Results Class
NetworkFlowResult
Network Flow Details Results.
Attributes
- host_entity : msticpy.datamodel.entities.Host
- The host entity object contains data about the host such as name, environment, operating system version, IP addresses and Azure VM details. Depending on the type of host, not all of this data may be populated.
- network_flows : pd.DataFrame
- The raw network flows recorded for this host.
- plot_flows_by_protocol : Figure
- Bokeh timeline plot of flow events by protocol.
- plot_flows_by_direction : Figure
- Bokeh timeline plot of flow events by direction (in/out).
- plot_flow_values : Figure
- Bokeh values plot of flow events by protocol.
- flow_index : pd.DataFrame
- Summarized DataFrame of flows.
- flow_index_data : pd.DataFrame
- Raw summary data of flows.
- flow_summary : pd.DataFrame
- Summarized flows grouped by ASN.
- ti_results : pd.DataFrame
- Threat Intelligence results for selected IP Addresses.
- geo_map : foliummap.FoliumMap
- Folium map showing locations of all IP Addresses.
- geo_map_selected : foliummap.FoliumMap
- Folium map showing locations of selected IP Addresses.
Methods
Instance Methods
__init__
lookup_ti_for_asn_ips
run
select_asns
show_selected_asn_map
Inherited methods
check_table_exists
check_valid_result_data (checks that the result attrib contains data)
get_methods
get_pivot_run
get_provider
list_methods
run_nb_func
run_nb_funcs
Other Methods
add_nb_function
all_options
default_options
description
entity_types
get_help
get_settings
import_cell
keywords
list_options
match_terms(search_terms)
name
print_options
result
result [property] Return result of the most recent notebooklet run.
show_help
run function documentation
Return host summary data.
Parameters
- value : str
- Host entity, hostname or host IP Address
- data : Optional[pd.DataFrame], optional
- Not used, by default None
- timespan : TimeSpan
- Timespan over which operations such as queries will be performed, by default None. This can be a TimeStamp object or another object that has valid start, end, or period attributes.
- options : Optional[Iterable[str]], optional
- List of options to use, by default None. A value of None means use default options. Options prefixed with “+” will be added to the default options. To see the list of available options type help(cls) where “cls” is the notebooklet class or an instance of this class.
Other Parameters
- start : Union[datetime, datelike-string]
- Alternative to specifying timespan parameter.
- end : Union[datetime, datelike-string]
- Alternative to specifying timespan parameter.
Returns
- HostNetworkResult
- Result object with attributes for each result type.
Raises
- MsticnbMissingParameterError
- If required parameters are missing