Notebooklet Class - IpAddressSummary
IP Address Summary Notebooklet class.
Queries and displays summary information about an IP address, including:
Basic IP address properties
IpAddress entity (and Host entity, if a host could be associated)
WhoIs and Geo-location
Azure activity and network data (optional)
Office activity summary (optional)
Threat intelligence reports
Related alerts and hunting bookmarks
Default Options
geoip: Get geo location information for IP address.
alerts: Get any alerts listing the IP address.
host_logons: Find any hosts with logons using this IP address as a source.
related_accounts: Find any accounts using this IP address in AAD or host logs.
device_info: Find any devices associated with this IP address.
device_network: Find any devices communicating with this IP address.
Other Options
bookmarks: Get any hunting bookmarks listing the IP address.
heartbeat: Get the latest heartbeat record for this IP address.
az_net_if: Get the latest Azure network analytics interface data for this IP address.
vmcomputer: Get the latest VMComputer record for this IP address.
az_netflow: Get netflow information from AzureNetworkAnalytics table.
passive_dns: Force fetching passive DNS data from a TI Provider even if IP is internal.
az_activity: AAD sign-ins and Azure Activity logs.
office_365: Office 365 activity.
common_security: Get records from common security log.
ti: Force get threat intelligence reports even for internal public IPs.
Display Sections
Azure Sign-ins and audit activity from IP Address
(only available for Azure)
Azure NSG Flow Logs for IP
(only available if Azure network analytics net flow is enabled.) This is a list of netflow events for the IP. A timeline by protocol is available in the result.az_network_flows_timeline property.
- Use the nblt.netflow_total_by_protocol() method to view flow totals by protocol.
- Use nblt.netflow_total_by_direction() to view a timeline grouped by direction of flow.
Office 365 operations summary from IP Address
(only available for Office 365)
Public IP data (GeoIP, ThreatIntel, Passive DNS, VPS membership)
Azure Network Analytics Topology record for the IP
(only available for Azure VMs)
Common security log
The CommonSecurityLog contains log data from firewalls and network devices.
Defender device information
MS Defender device network and host information.
Network connections
MS Defender network connections to/from this IP address.
Azure Sentinel heartbeat record for the IP
(only available for IP addresses that belong to the subscription)
Host logons
List of hosts with logon attempts from this IP address.
Azure VMComputer record for the IP.
(only available for Azure VMs)
Summary of Azure NSG network flow data for this IP Address
(only available if Azure network analytics net flow is enabled.)
Results Class
IPSummary Results.
- ip_str (str): The input IP address as a string.
- ip_address (Optional[Union[IPv4Address, IPv6Address]]): IP address Python object.
- ip_entity (IpAddress): IpAddress entity.
- ip_origin (str): "External" or "Internal".
- host_entities (Host): Host entity or entities associated with the IP address.
- ip_type (str): IP address type - "Public", "Private", etc.
- geoip (Optional[Dict[str, Any]]): Geo location information as a dictionary.
- location (Optional[GeoLocation]): Location entity context object.
- whois (pd.DataFrame): WhoIs information for the IP address.
- whois_nets (pd.DataFrame): List of network definitions from WhoIs data.
- heartbeat (pd.DataFrame): Heartbeat record for the IP address or host.
- az_network_if (pd.DataFrame): Azure NSG analytics interface record, if available.
- vmcomputer (pd.DataFrame): VMComputer latest record.
- az_network_flows (pd.DataFrame): Azure NSG flows for the IP, if available.
- az_network_flows_timeline (Figure): Azure NSG flows timeline, if data is available.
- aad_signins (pd.DataFrame, default None): AAD sign-in activity.
- azure_activity (pd.DataFrame, default None): Azure Activity log entries.
- azure_activity_summary (pd.DataFrame, default None): Azure Activity (AAD and Az Activity) summarized view.
- office_activity (pd.DataFrame, default None): Office 365 activity.
- common_security (pd.DataFrame): Common Security Log entries for the source IP.
- related_bookmarks (pd.DataFrame): Bookmarks related to the IP address.
- alert_timeline (Figure): Timeline plot of alerts.
- ti_results (pd.DataFrame): Threat intel lookup results.
- passive_dns (pd.DataFrame): Passive DNS lookup results.
- host_logons (pd.DataFrame): Hosts with logons from this IP address.
- related_accounts (pd.DataFrame): Accounts with activity related to this IP address.
- associated_hosts (pd.DataFrame): Hosts using this IP address.
- device_info (pd.DataFrame): Device info of hosts using this IP address.
- network_connections (pd.DataFrame, default None): Network connections to/from this IP on other devices.
Methods
__init__
browse_alerts
browse_ti_results
display_alert_timeline
netflow_by_direction
netflow_by_protocol
netflow_total_by_protocol
run
Inherited methods
check_table_exists
check_valid_result_data
get_methods
get_pivot_run
get_provider
list_methods
run_nb_func
run_nb_funcs
Other Methods
add_nb_function
all_options
default_options
description
entity_types
get_help
get_settings
import_cell
keywords
list_options
match_terms
search_terms
name
print_options
result [property]: Return the result of the most recent notebooklet run.
show_help
silent [property]: Get the current instance setting for silent running.
run (function documentation)
Return IP Address activity summary.
Parameters:
- value : str. IP Address - The key for searches.
- data : Optional[pd.DataFrame], optional. Not supported for this notebooklet.
- timespan : TimeSpan. Timespan for queries.
- options : Optional[Iterable[str]], optional. List of options to use, by default None. A value of None means use default options. Options prefixed with “+” will be added to the default options. To see the list of available options type help(cls) where “cls” is the notebooklet class or an instance of this class.
Returns:
- IpSummaryResult: Result object with attributes for each result type.
Raises:
- MsticnbMissingParameterError: If required parameters are missing.
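As an added example (not msticnb's own code), the following Python models how the options argument documented above is resolved and which of the TI / passive DNS lookups a given address would trigger; the option names are the ones listed on this page, while the public-vs-internal model, the rejection of mixed or unknown option names, and the function names are assumptions of the example.

```python
import ipaddress
from typing import Iterable, List, Optional

# Option names exactly as listed on this page for IpAddressSummary.
DEFAULT_OPTIONS = ["geoip", "alerts", "host_logons", "related_accounts",
                   "device_info", "device_network"]
OTHER_OPTIONS = ["bookmarks", "heartbeat", "az_net_if", "vmcomputer",
                 "az_netflow", "passive_dns", "az_activity", "office_365",
                 "common_security", "ti"]
ALL_OPTIONS = set(DEFAULT_OPTIONS) | set(OTHER_OPTIONS)


def resolve_options(options: Optional[Iterable[str]]) -> List[str]:
    """Effective option list for run(value, timespan, options=...).

    None -> defaults; "+name" entries extend the defaults; a plain list
    replaces them.  Rejecting a mix of the two forms and unknown names is
    this example's own choice; the page does not define those cases.
    """
    if options is None:
        return list(DEFAULT_OPTIONS)
    requested = list(options)
    additive = [opt[1:] for opt in requested if opt.startswith("+")]
    explicit = [opt for opt in requested if not opt.startswith("+")]
    if additive and explicit:
        raise ValueError("mixing '+opt' and plain option names is ambiguous")
    effective = DEFAULT_OPTIONS + additive if additive else explicit
    unknown = sorted(set(effective) - ALL_OPTIONS)
    if unknown:
        raise ValueError(f"unknown option(s) {unknown}; valid: {sorted(ALL_OPTIONS)}")
    return list(dict.fromkeys(effective))  # drop duplicates, keep order


def planned_lookups(ip_str: str, options: Optional[Iterable[str]]) -> List[str]:
    """Effective options plus the TI / passive DNS lookups that would run.

    Model (assumed for this example): those two lookups run for any
    globally routable address and, for a non-public one, only when forced
    with "ti" / "passive_dns", as the option descriptions above say.  The
    notebooklet's own ip_origin also treats subscription-owned public
    addresses as internal; that refinement is not modelled here.
    """
    effective = resolve_options(options)
    public = ipaddress.ip_address(ip_str).is_global  # ValueError if not an IP
    plan = [opt for opt in effective if opt not in ("ti", "passive_dns")]
    plan += [opt for opt in ("ti", "passive_dns") if public or opt in effective]
    return plan
```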