Notebooklet Class - NetworkFlowSummary
Network Flow Summary Notebooklet class.
Queries network data and plots time lines for network
traffic to/from a host or IP address.
Plot flow events by protocol and direction
Plot flow count by protocol
Display flow summary table
Display flow summary by ASN
Display results on map
Methods
run: main method for notebooklet.
select_asns: Open an interactive dialog to choose which ASNs to investigate further.
lookup_ti_for_asn_ips: For selected ASNs, look up Threat Intelligence data for the IPs belonging to those ASNs.
show_selected_asn_map: Show IP address locations for the selected IPs (including any threats highlighted).
Default Options
plot_flows: Create plots of flows by protocol and direction.
plot_flow_values: Plot flow count by protocol.
flow_summary: Create a summarization of all flows and all flows grouped by ASN.
resolve_host: Try to resolve the host name before other operations.
Other Options
geo_map: Plot a map of all IP address locations in communication with the host (see the method below for plotting selected IPs only).
Display Sections
Host Network Summary
This shows a summary of network flows for this endpoint. Data and plots are stored in the result class returned by this function.
Map of geographic location of selected IPs communicating with host
Numbered circles indicate multiple items; click to expand them. Hovering over a location shows brief details, clicking on an IP location shows more detail. Location marker key: Blue = outbound, Purple = inbound, Green = Host, Red = Threats.
Map of geographic location of all IPs communicating with host
Numbered circles indicate multiple items; click to expand them. Hovering over a location shows brief details, clicking on an IP location shows more detail. Location marker key: Blue = outbound, Purple = inbound, Green = Host.
Flow Index.
List of flows grouped by source, dest, protocol and direction.
Flow Summary with ASN details.
Gets the ASN details from WhoIs. The data shows flows grouped by source and destination ASNs. All protocol types and all source IP addresses are grouped into lists for each ASN.
TI Lookup for IP Addresses in selected ASNs.
The remote IPs from each selected ASN are searched against your selected Threat Intelligence providers. Check the results to see whether there are indications of malicious activity associated with these IPs.
Timeline of network flows quantity.
Each protocol is plotted as a separate colored series. The vertical axis indicates the number of flows recorded for that time slot.
Timeline of network flows by direction.
I = inbound, O = outbound.
Timeline of network flows by protocol type.
Select the ASNs to process.
Choose any unusual looking ASNs that you want to examine. The remote IPs from each selected ASN will be sent to your selected Threat Intelligence providers to check if there are indications of malicious activity associated with these IPs. By default, the most infrequently accessed ASNs are selected.
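The summaries described in the display sections above (the flow index grouped by source, destination, protocol and direction; the flow summary grouped by remote ASN; the default selection of the least frequently contacted ASNs; and the per-protocol and per-direction timelines) can be reconstructed offline with the standard library. The following is an added example written for this page, not msticnb's own code: the record field names, the host address, the TEST-NET remote addresses and the documentation-range ASNs are all constructed, and the ASN value stands in for what the notebooklet obtains from a WhoIs lookup.

```python
"""Offline reconstruction of the NetworkFlowSummary display sections:
flow index, flow summary by ASN, default ASN selection and timelines.
Added example, not msticnb's own code; field names and sample flows
are constructed for illustration."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

HOST_IP = "10.0.0.5"  # constructed: the monitored host


def flow(ts, src, dst, proto, direction, asn):
    """Build one flow record. `asn` is the remote endpoint's ASN as a
    WhoIs lookup would return it (constructed values here)."""
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "proto": proto, "direction": direction, "asn": asn}


# Constructed sample: TEST-NET addresses and documentation ASNs.
SAMPLE_FLOWS = [
    flow("2024-01-01T10:00:00", HOST_IP, "192.0.2.10", "T", "O", "AS64496"),
    flow("2024-01-01T10:05:00", HOST_IP, "192.0.2.10", "T", "O", "AS64496"),
    flow("2024-01-01T10:30:00", "192.0.2.44", HOST_IP, "T", "I", "AS64496"),
    flow("2024-01-01T10:45:00", "203.0.113.200", HOST_IP, "T", "I", "AS64499"),
    flow("2024-01-01T11:10:00", HOST_IP, "198.51.100.53", "U", "O", "AS64497"),
    flow("2024-01-01T11:15:00", HOST_IP, "198.51.100.54", "U", "O", "AS64497"),
    flow("2024-01-01T11:40:00", HOST_IP, "203.0.113.7", "T", "O", "AS64498"),
]


def remote_ip(rec):
    """The non-host side of the flow: dest for outbound, source for inbound."""
    return rec["dst"] if rec["direction"] == "O" else rec["src"]


def flow_index(flows):
    """Flow Index: flow count grouped by source, dest, protocol and direction."""
    return Counter((f["src"], f["dst"], f["proto"], f["direction"]) for f in flows)


def flow_summary_by_asn(flows):
    """Flow Summary with ASN details: per remote ASN, the flow count and the
    sets of protocols and remote IPs seen for that ASN."""
    summary = defaultdict(lambda: {"flows": 0, "protocols": set(), "remote_ips": set()})
    for f in flows:
        entry = summary[f["asn"]]
        entry["flows"] += 1
        entry["protocols"].add(f["proto"])
        entry["remote_ips"].add(remote_ip(f))
    # Sorted lists keep the result stable and easy to compare.
    return {asn: {"flows": e["flows"],
                  "protocols": sorted(e["protocols"]),
                  "remote_ips": sorted(e["remote_ips"])}
            for asn, e in summary.items()}


def default_asn_selection(summary, n=2):
    """Mirror the selector's default: the n least frequently contacted ASNs.
    Ties are broken by ASN name so the choice is deterministic."""
    ranked = sorted(summary, key=lambda asn: (summary[asn]["flows"], asn))
    return ranked[:n]


def floor_to_slot(ts, slot):
    """Round a timestamp down to the start of its time slot."""
    epoch = datetime(1970, 1, 1)
    secs = (ts - epoch).total_seconds()
    return epoch + timedelta(seconds=secs - secs % slot.total_seconds())


def timeline(flows, series="proto", slot=timedelta(hours=1)):
    """Timeline data: flows per time slot, one series per protocol ("proto")
    or per direction ("direction"). Keys are (slot start ISO string, series value)."""
    counts = Counter()
    for f in flows:
        counts[(floor_to_slot(f["ts"], slot).isoformat(), f[series])] += 1
    return dict(counts)


if __name__ == "__main__":
    by_asn = flow_summary_by_asn(SAMPLE_FLOWS)
    for asn, entry in sorted(by_asn.items()):
        print(asn, entry)
    print("default selection:", default_asn_selection(by_asn))
    print("timeline by protocol:", timeline(SAMPLE_FLOWS))
    print("timeline by direction:", timeline(SAMPLE_FLOWS, "direction"))
```

In the notebooklet itself these tables arrive as DataFrames on the result object (flow_index and flow_summary) after run(), and the ASN selection is made interactively; the tie-break on ASN name here is an addition for determinism, since the page does not say how the real selector orders ASNs with equal counts.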
Results Class
NetworkFlowResult
Network Flow Details Results.
Attributes
- host_entity : msticpy.datamodel.entities.Host
  The host entity object contains data about the host such as name, environment, operating system version, IP addresses and Azure VM details. Depending on the type of host, not all of this data may be populated.
- network_flows : pd.DataFrame
  The raw network flows recorded for this host.
- plot_flows_by_protocol : Figure
  Bokeh timeline plot of flow events by protocol.
- plot_flows_by_direction : Figure
  Bokeh timeline plot of flow events by direction (in/out).
- plot_flow_values : Figure
  Bokeh values plot of flow events by protocol.
- flow_index : pd.DataFrame
  Summarized DataFrame of flows.
- flow_index_data : pd.DataFrame
  Raw summary data of flows.
- flow_summary : pd.DataFrame
  Summarized flows grouped by ASN.
- ti_results : pd.DataFrame
  Threat Intelligence results for selected IP Addresses.
- geo_map : foliummap.FoliumMap
  Folium map showing locations of all IP Addresses.
- geo_map_selected : foliummap.FoliumMap
  Folium map showing locations of selected IP Addresses.
Methods
Instance Methods
__init__
lookup_ti_for_asn_ips
run
select_asns
show_selected_asn_map
Inherited methods
check_table_exists
check_valid_result_data
get_methods
get_pivot_run
get_provider
list_methods
run_nb_func
run_nb_funcs
Other Methods
add_nb_function
all_options
default_options
description
entity_types
get_help
get_settings
import_cell
keywords
list_options
match_terms
search_terms
name
print_options
result [property]: Return result of the most recent notebooklet run.
show_help
silent [property]: Get the current instance setting for silent running.
run
Return host summary data.
Parameters
- value : str
  Host entity, hostname or host IP Address
- data : Optional[pd.DataFrame], optional
  Not used, by default None
- timespan : TimeSpan
  Timespan over which operations such as queries will be performed, by default None. This can be a TimeStamp object or another object that has valid start, end, or period attributes.
- options : Optional[Iterable[str]], optional
  List of options to use, by default None. A value of None means use default options. Options prefixed with "+" will be added to the default options. To see the list of available options type help(cls) where "cls" is the notebooklet class or an instance of this class.
Other Parameters
- start : Union[datetime, datelike-string]
  Alternative to specifying the timespan parameter.
- end : Union[datetime, datelike-string]
  Alternative to specifying the timespan parameter.
Returns
- HostNetworkResult
Result object with attributes for each result type.
Raises
- MsticnbMissingParameterError
If required parameters are missing.