Account notebooklets¶

msticnb.nb.azsent.account.account_summary Notebooklet for Account Summary.

Submodules¶

msticnb.nb.azsent.account.account_summary module¶

Notebooklet for Account Summary.

class msticnb.nb.azsent.account.account_summary.AccountSummary(*args, **kwargs)¶

Bases: msticnb.notebooklet.Notebooklet

Retrieves account summary for the selected account.

Main operations: - Searches for matches for the account name in Active Directory,

Windows and Linux host logs.

If one or more matches are found it will return a selection widget that you can use to pick the account.
Selecting the account displays a summary of recent activity and retrieves any alerts and hunting bookmarks related to the account
The alerts and bookmarks are browseable using the browse_alerts and browse_bookmarks methods
You can call the get_additional_data method to retrieve and display more detailed activity information for the account.

All of the returned data items are stored in the results class as entities, pandas DataFrames or Bokeh visualizations. Run help(nblt) on the notebooklet class to see usage. Run help(result) on the result class to see documentation of its properties. Run the print_options() method on either the notebooklet or results class to see information about the options parameter for the run() method.

get_alerts: Retrieve alerts and display timeline for the account.
get_bookmarks: Retrieve investigation bookmarks for the account

None

Initialize the Account Summary notebooklet.

ACCOUNT_TYPE¶: alias of AccountType

classmethod all_options() → List[str]¶

Return supported options for Notebooklet run function.

Returns:	Supported options.
Return type:	List[str]

az_activity_timeline_by_ip()¶: Display Azure activity timeline by IP address.

az_activity_timeline_by_operation()¶: Display Azure activity timeline by operation.

az_activity_timeline_by_provider()¶: Display Azure activity timeline by provider.

browse_accounts() → msticpy.nbtools.nbwidgets.select_item.SelectItem¶: Return the accounts browser/viewer.

browse_alerts() → msticpy.nbtools.nbwidgets.select_alert.SelectAlert¶: Return alert browser/viewer.

browse_bookmarks() → msticpy.nbtools.nbwidgets.select_item.SelectItem¶: Return bookmark browser/viewer.

check_table_exists(table: str) → bool¶

Check to see if the table exists in the provider.

Parameters:	table (str) – Table name
Returns:	True if the table exists, otherwise False.
Return type:	bool

check_valid_result_data(attrib: str = None, silent: bool = False) → bool¶

Check that the result is valid and attrib contains data.

Parameters:	attrib (str) – Name of the attribute to check, if None this function only checks for a valid _last_result. silent (bool) – If True, suppress output.
Returns:	Returns True if valid data is available, else False.
Return type:	bool

classmethod default_options() → List[str]¶

Return default options for Notebooklet run function.

Returns:	Supported options.
Return type:	List[str]

classmethod description() → str¶

Return description of the Notebooklet.

Returns:	Description
Return type:	str

display_alert_timeline()¶: Display the alert timeline.

classmethod entity_types() → List[str]¶

Entity types supported by the notebooklet.

Returns:	Entity names
Return type:	List[str]

get_additional_data() → pandas.core.frame.DataFrame¶

Find additional data for the selected account.

Returns:	Results with expanded columns.
Return type:	pd.DataFrame

get_geoip_map()¶: Return Folium map of IP activity.

classmethod get_help(fmt='html') → str¶: Return HTML document for class.

get_methods() → Dict[str, Callable[[Any], Any]]¶: Return methods available for this class.

get_pivot_run(get_timespan: Callable[[], msticpy.common.timespan.TimeSpan])¶: Return Pivot-wrappable run function.

get_provider(provider_name: str)¶

Return data provider for the specified name.

Parameters:	provider_name (str) – Name of the provider
Returns:	Provider instance.
Return type:	Any
Raises:	`MsticnbDataProviderError` – If provider is not found.

classmethod get_settings(print_settings=True) → Optional[str]¶

Print or return metadata for class.

Parameters:	print_settings (bool, optional) – Print to standard, by default True or return the str formatted content.
Returns:	If print_settings is True, returns None. If False, returns LF-delimited string of metadata settings.
Return type:	Optional[str]

Notes

Use metadata attribute to retrieve the metadata directly.

host_logon_timeline()¶: Display IP address summary.

classmethod import_cell()¶: Import the text of this module into a new cell.

classmethod keywords() → List[str]¶

Return search keywords for Notebooklet.

Returns:	Keywords
Return type:	List[str]

list_methods() → List[str]¶: Return list of methods with descriptions.

classmethod list_options() → str¶

Return options document for Notebooklet run function.

Returns:	Supported options.
Return type:	List[str]

classmethod match_terms(search_terms: str) → Tuple[bool, int]¶

Search class definition for search_terms.

Parameters:	search_terms (str) – One or more search terms, separated by spaces or commas. Terms can be simple strings or regular expressions.
Returns:	Returns a tuple of bool (True if all terms match) and int (count of matched terms)
Return type:	Tuple[bool, int]

metadata = NBMetadata(name='AlertSummary', mod_name='msticnb.nb.azsent.account.account_summary', description='Account Summary notebooklet', default_options=[{'get_alerts': 'Retrieve alerts and display timeline for the account.'}, {'get_bookmarks': 'Retrieve investigation bookmarks for the account'}], other_options=[], inputs=['value'], entity_types=['account'], keywords=['account', 'azure', 'office', 'windows', 'linux', 'aad', 'o365'], req_providers=['AzureSentinel|LocalData'])¶

module_path = PosixPath('/home/docs/checkouts/readthedocs.org/user_builds/msticnb/checkouts/stable/msticnb/nb/azsent/account/account_summary.py')¶

classmethod name() → str¶

Return name of the Notebooklet.

Returns:	Name
Return type:	str

classmethod print_options()¶: Print options for Notebooklet run function.

result¶

Return result of the most recent notebooklet run.

Returns:	Notebooklet result class or None if nothing has been run.
Return type:	Optional[NotebookletResult]

run(value: Any = None, data: Optional[pandas.core.frame.DataFrame] = None, timespan: Optional[msticpy.common.timespan.TimeSpan] = None, options: Optional[Iterable[str]] = None, **kwargs) → msticnb.nb.azsent.account.account_summary.AccountSummaryResult¶

Return account activity summary.

Parameters:	value (str) – Account name to search for. data (Optional[pd.DataFrame], optional) – Not used. timespan (TimeSpan) – Timespan for queries options (Optional[Iterable[str]], optional) – List of options to use, by default None. A value of None means use default options. Options prefixed with “+” will be added to the default options. To see the list of available options type help(cls) where “cls” is the notebooklet class or an instance of this class. account_types (Iterable[AccountType], Optional) – A list of account types to search for, by default all types.
Returns:	Result object with attributes for each result type.
Return type:	AccountSummaryResult
Raises:	`MsticnbMissingParameterError` – If required parameters are missing

classmethod show_help()¶: Display Documentation for class.

show_ip_summary()¶: Display Azure activity timeline by operation.

silent¶

Get the current instance setting for silent running.

Returns:	Silent running is enabled.
Return type:	Optional[bool]

class msticnb.nb.azsent.account.account_summary.AccountSummaryResult(description: Optional[str] = None, timespan: Optional[msticpy.common.timespan.TimeSpan] = None, notebooklet: Optional[Notebooklet] = None)¶

Bases: msticnb.notebooklet_result.NotebookletResult

Account Summary Result.

account_activity¶

DataFrame of most recent activity.

Type:	pd.DataFrame

account_selector¶

Selection widget for accounts.

Type:	msticpy.nbtools.nbwidgets.SelectString

related_alerts¶

Alerts related to the account.

Type:	pd.DataFrame

alert_timeline¶

Timeline of alerts.

Type:	LayoutDOM

related_bookmarks¶

Investigation bookmarks related to the account.

Type:	pd.DataFrame

host_logons¶

Host logon attemtps for selected account.

Type:	pd.DataFrame

host_logon_summary¶

Host logon summary for selected account.

Type:	pd.DataFrame

azure_activity¶

Azure Account activity for selected account.

Type:	pd.DataFrame

account_activity_summary¶

Azure activity summary.

Type:	pd.DataFrame

azure_timeline_by_provider¶

Azure activity timeline grouped by provider

Type:	LayoutDOM

account_timeline_by_ip¶

Host or Azure activity timeline by IP Address.

Type:	LayoutDOM

azure_timeline_by_operation¶

Azure activity timeline grouped by operation

Type:	LayoutDOM

ip_address_summary¶

Summary of IP address properties and usage for the current activity.

Type:	pd.DataFrame

ip_all_data¶

Full details of operations with IP WhoIs and GeoIP data.

Type:	pd.DataFrame

Create new Notebooklet result instance.

Parameters:	description (Optional[str], optional) – Result description, by default None timespan (Optional[TimeSpan], optional) – TimeSpan for the results, by default None notebooklet (Optional[, optional) – Originating notebooklet, by default None

data_properties(empty: bool = False) → List[str]¶: Return list of attributes with populated data.

prop_doc(name) → Tuple[str, str]¶: Get the property documentation for the property.

properties¶: Return names of all properties.

view_events(summary_cols: List[str] = None, attrib: Optional[str] = None, data: Optional[pandas.core.frame.DataFrame] = None, **kwargs) → msticpy.nbtools.nbwidgets.select_item.SelectItem¶

Return simple data view for DataFrame/result attribute.

Parameters:	summary_cols (List[str], optional) – [description] attrib (Optional[str], optional) – [description], by default None data (Optional[pd.DataFrame], optional) – [description], by default None kwargs – Additional keyword arguments passed to the SelectItem widget.
Returns:	Browser for events in DataFrame.
Return type:	SelectItem
Raises:	`AttributeError` – Attribute name not in results class. `TypeError` – Input data or attribute is not a DataFrame `MsticnbMissingParameterError` – One of data or attrib parameters must be supplied `KeyError` – Summary column name specified that isn’t in the DataFrame

vis_properties() → List[str]¶: Return list of properties with visualizations.

class msticnb.nb.azsent.account.account_summary.AccountType¶

Bases: enum.Flag

Account types.

All = 31¶

Azure = 7¶

AzureActiveDirectory = 1¶

AzureActivity = 2¶

Linux = 16¶

Office365 = 4¶

Windows = 8¶

in_list(acct_types: Iterable[Union[AccountType, str]])¶: Is the current value in the acct_types list.

parse = <bound method AccountType.parse of <enum 'AccountType'>>¶