Notebooklet Class - WinHostEvents
Windows host Security Events Notebooklet class.
Queries and displays Windows Security Events including:
All security events summary
Extracting and displaying account management events
Account management event timeline
Optionally parsing packed event data into DataFrame columns
Process (4688) and Account Logon (4624, 4625) are not included in the event types processed by this module.
Default Options
event_pivot: Display a summary of all event types.
acct_events: Display a summary and timeline of account management events.
Other Options
expand_events: Parses the XML EventData column into separate DataFrame columns. This can be very expensive with a large event set. We recommend using the expand_events() method to select a specific subset of events to process.
Display Sections
Host Security Events Summary
This shows a summary of security events for the host. These are grouped by EventID and Account. Data and plots are stored in the result class returned by this function.
Summary of Account Management Events on host
This shows the subset of events related to account management, for example, creation/deletion of accounts, changes to group membership, etc. Yellow highlights indicate the account with the highest event count.
Timeline of Account Management Events on host
Summary of Security Events on host
This is a summary of Security events for the host (excluding process creation and account logon - 4688, 4624, 4625). Yellow highlights indicate the account with the highest event count for an EventID.
Parsing eventdata into columns
This may take some time to complete for large numbers of events. Since event types have different schemas, some of the columns will not be populated for certain Event IDs and will show as NaN.
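The following is an added, stdlib-only Python illustration (not msticnb's own code) of the two operations described above on a few constructed events: the EventID vs. Account pivot with its highest-count account, and expansion of the packed EventData XML into per-field columns, where a field an event type lacks is left as None (the DataFrame equivalent is NaN). The set of account-management event IDs is a hypothetical illustration using well-known Windows IDs; the page does not enumerate the set the notebooklet uses.

```python
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

# Constructed sample events as (EventID, Account, packed EventData XML), the
# form in which Windows Security logs store them. Not real log data.
SAMPLE_EVENTS = [
    (4720, "CORP\\admin", '<EventData><Data Name="TargetUserName">svc_new</Data>'
     '<Data Name="SubjectUserName">admin</Data></EventData>'),
    (4728, "CORP\\admin", '<EventData><Data Name="TargetUserName">Administrators</Data>'
     '<Data Name="MemberName">CN=svc_new</Data></EventData>'),
    (4720, "CORP\\helpdesk", '<EventData><Data Name="TargetUserName">temp01</Data>'
     '<Data Name="SubjectUserName">helpdesk</Data></EventData>'),
    (4672, "CORP\\admin", '<EventData><Data Name="PrivilegeList">SeDebugPrivilege</Data></EventData>'),
]

# Well-known account-management event IDs (user create/delete, group member
# add/remove); chosen for illustration, not the notebooklet's own list.
ACCOUNT_MGMT_IDS = {4720, 4726, 4728, 4729, 4732, 4733, 4756, 4757}

def event_pivot(events):
    """Count events per EventID and Account, like the notebooklet's pivot table."""
    counts = defaultdict(Counter)
    for event_id, account, _ in events:
        counts[event_id][account] += 1
    return {eid: dict(c) for eid, c in counts.items()}

def top_account(pivot):
    """Account with the highest count for each EventID (the highlighted row)."""
    return {eid: max(c, key=c.get) for eid, c in pivot.items()}

def account_events(events):
    """Subset of events whose ID is an account-management event."""
    return [e for e in events if e[0] in ACCOUNT_MGMT_IDS]

def expand_event_data(events, event_ids=None):
    """Parse packed EventData XML into one dict per event. Columns are the
    union of all Data Name attributes seen; a field an event type lacks is
    None (NaN in the DataFrame version). event_ids limits the work to
    selected IDs, as the expand_events option text recommends."""
    selected = [e for e in events if event_ids is None or e[0] in event_ids]
    parsed = []
    for event_id, account, xml_text in selected:
        row = {"EventID": event_id, "Account": account}
        for data in ET.fromstring(xml_text).iter("Data"):
            row[data.get("Name")] = data.text
        parsed.append(row)
    columns = sorted({key for row in parsed for key in row})
    return [{col: row.get(col) for col in columns} for row in parsed]
```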
Results Class
WinHostEventsResult
Windows Host Security Events Results.
Attributes
- all_events : pd.DataFrame
  DataFrame of all raw events retrieved.
- event_pivot : pd.DataFrame
  DataFrame that is a pivot table of event ID vs. Account.
- account_events : pd.DataFrame
  DataFrame containing a subset of account management events, such as account and group modification.
- acct_pivot : pd.DataFrame
  DataFrame that is a pivot table of event ID vs. Account for account management events.
- account_timeline : Union[Figure, LayoutDOM]
  Bokeh plot figure or Layout showing the account events on an interactive timeline.
- expanded_events : pd.DataFrame
  If the expand_events option is specified, this contains the parsed/expanded EventData as individual columns.
Methods
Instance Methods
__init__
expand_events: Expand EventData for event_ids into separate columns.
run
Inherited methods
check_table_exists
check_valid_result_data: Check that attrib contains data.
get_methods
get_pivot_run
get_provider
list_methods
run_nb_func
run_nb_funcs
Other Methods
add_nb_function
all_options
default_options
description
entity_types
get_help
get_settings
import_cell
keywords
list_options
match_terms
search_terms
name
print_options
result [property]: Return result of the most recent notebooklet run.
show_help
silent [property]: Get the current instance setting for silent running.
run (function documentation)
Return Windows Security Event summary.
Parameters
- value : str
  Host name.
- data : Optional[pd.DataFrame], optional
  Not used, by default None.
- timespan : TimeSpan
  Timespan over which operations such as queries will be performed, by default None. This can be a TimeStamp object or another object that has valid start, end, or period attributes.
- options : Optional[Iterable[str]], optional
  List of options to use, by default None. A value of None means use default options. Options prefixed with “+” will be added to the default options. To see the list of available options type help(cls) where “cls” is the notebooklet class or an instance of this class.
Other Parameters
- start : Union[datetime, datelike-string]
  Alternative to specifying the timespan parameter.
- end : Union[datetime, datelike-string]
  Alternative to specifying the timespan parameter.
Returns
- HostSummaryResult
Result object with attributes for each result type.
Raises
- MsticnbMissingParameterError
If required parameters are missing