Host notebooklets¶

`msticnb.nb.azsent.host.host_logons_summary`	logons_summary - provides overview of host logon events.
`msticnb.nb.azsent.host.host_network_summary`	Notebooklet for Host Summary.
`msticnb.nb.azsent.host.host_summary`	Notebooklet for Host Summary.
`msticnb.nb.azsent.host.win_host_events`	Notebooklet for Windows Security Events.

Submodules¶

msticnb.nb.azsent.host.host_logons_summary module¶

logons_summary - provides overview of host logon events.

class msticnb.nb.azsent.host.host_logons_summary.HostLogonsSummary(data_providers: Optional[msticnb.data_providers.DataProviders] = None, **kwargs)¶

Bases: msticnb.notebooklet.Notebooklet

Host Logons Summary Notebooket class.

Queries and displays information about logons to a host including:

Summary of sucessfull logons
Visualizations of logon event times
Geolocation of remote logon sources
Visualizations of various logon elements depending on host type
Data on users with failed and sucessful logons

Intialize a new instance of the notebooklet class.

Parameters:	data_providers (DataProviders, Optional) – Optional DataProviders instance to query data. Most classes require this.
Raises:	`MsticnbDataProviderError` – If DataProviders has not been initialized. If required providers are specified by the notebooklet but are not available.

classmethod all_options() → List[str]¶

Return supported options for Notebooklet run function.

Returns:	Supported options.
Return type:	List[str]

check_table_exists(table: str) → bool¶

Check to see if the table exists in the provider.

Parameters:	table (str) – Table name
Returns:	True if the table exists, otherwise False.
Return type:	bool

check_valid_result_data(attrib: str = None, silent: bool = False) → bool¶

Check that the result is valid and attrib contains data.

Parameters:	attrib (str) – Name of the attribute to check, if None this function only checks for a valid _last_result. silent (bool) – If True, suppress output.
Returns:	Returns True if valid data is available, else False.
Return type:	bool

classmethod default_options() → List[str]¶

Return default options for Notebooklet run function.

Returns:	Supported options.
Return type:	List[str]

classmethod description() → str¶

Return description of the Notebooklet.

Returns:	Description
Return type:	str

classmethod entity_types() → List[str]¶

Entity types supported by the notebooklet.

Returns:	Entity names
Return type:	List[str]

classmethod get_help(fmt='html') → str¶: Return HTML document for class.

get_methods() → Dict[str, Callable[[Any], Any]]¶: Return methods available for this class.

get_pivot_run(get_timespan: Callable[[], msticpy.common.timespan.TimeSpan])¶: Return Pivot-wrappable run function.

get_provider(provider_name: str)¶

Return data provider for the specified name.

Parameters:	provider_name (str) – Name of the provider
Returns:	Provider instance.
Return type:	Any
Raises:	`MsticnbDataProviderError` – If provider is not found.

classmethod get_settings(print_settings=True) → Optional[str]¶

Print or return metadata for class.

Parameters:	print_settings (bool, optional) – Print to standard, by default True or return the str formatted content.
Returns:	If print_settings is True, returns None. If False, returns LF-delimited string of metadata settings.
Return type:	Optional[str]

Notes

Use metadata attribute to retrieve the metadata directly.

classmethod import_cell()¶: Import the text of this module into a new cell.

classmethod keywords() → List[str]¶

Return search keywords for Notebooklet.

Returns:	Keywords
Return type:	List[str]

list_methods() → List[str]¶: Return list of methods with descriptions.

classmethod list_options() → str¶

Return options document for Notebooklet run function.

Returns:	Supported options.
Return type:	List[str]

classmethod match_terms(search_terms: str) → Tuple[bool, int]¶

Search class definition for search_terms.

Parameters:	search_terms (str) – One or more search terms, separated by spaces or commas. Terms can be simple strings or regular expressions.
Returns:	Returns a tuple of bool (True if all terms match) and int (count of matched terms)
Return type:	Tuple[bool, int]

metadata = NBMetadata(name='HostLogonsSummary', mod_name='msticnb.nb.azsent.host.host_logons_summary', description='Host logons summary', default_options=[{'map': 'Display a map of logon attempt locations.'}, {'timeline': 'Display a timeline of logon atttempts.'}, {'charts': 'Display a range of charts depicting different elements of logon events.'}, {'failed_success': 'Displays a DataFrame of all users with both successful and failed logons.'}], other_options=[], inputs=['value'], entity_types=['host'], keywords=['host', 'computer', 'logons', 'windows', 'linux'], req_providers=['LogAnalytics|LocalData'])¶

module_path = PosixPath('/home/docs/checkouts/readthedocs.org/user_builds/msticnb/checkouts/stable/msticnb/nb/azsent/host/host_logons_summary.py')¶

classmethod name() → str¶

Return name of the Notebooklet.

Returns:	Name
Return type:	str

classmethod print_options()¶: Print options for Notebooklet run function.

result¶

Return result of the most recent notebooklet run.

Returns:	Notebooklet result class or None if nothing has been run.
Return type:	Optional[NotebookletResult]

run(value: Any = None, data: Optional[pandas.core.frame.DataFrame] = None, timespan: Optional[msticpy.common.timespan.TimeSpan] = None, options: Optional[Iterable[str]] = None, **kwargs) → msticnb.nb.azsent.host.host_logons_summary.HostLogonsSummaryResult¶

Return host summary data.

Parameters:	value (str) – Host name data (Optional[pd.DataFrame], optional) – Optionally pass raw data to use for analysis, by default None timespan (TimeSpan) – Timespan over which operations such as queries will be performed, by default None. This can be a TimeStamp object or another object that has valid start, end, or period attributes. Alternatively you can pass start and end datetime objects. options (Optional[Iterable[str]], optional) – List of options to use, by default None A value of None means use default options.
Returns:	Result object with attributes for each result type.
Return type:	HostLogonsSummaryResults
Raises:	`MsticnbMissingParameterError` – If required parameters are missing `MsticnbDataProviderError` – If data is not avaliable

classmethod show_help()¶: Display Documentation for class.

silent¶

Get the current instance setting for silent running.

Returns:	Silent running is enabled.
Return type:	Optional[bool]

class msticnb.nb.azsent.host.host_logons_summary.HostLogonsSummaryResult(description: Optional[str] = None, timespan: Optional[msticpy.common.timespan.TimeSpan] = None, notebooklet: Optional[Notebooklet] = None)¶

Bases: msticnb.notebooklet_result.NotebookletResult

Host Logons Summary Results.

logon_sessions¶

A Dataframe summarizing all sucessfull and failed logon attempts observed during the specified time period.

Type:	pd.DataFrame

logon_map¶

A map showing remote logon attempt source locations. Red points represent failed logons, green successful.

Type:	FoliumMap

plots¶

A collection of Bokeh plot figures showing various aspects of observed logons. Keys are a descriptive name of the plot and values are the plot figures.

Type:	Dict

Create new Notebooklet result instance.

Parameters:	description (Optional[str], optional) – Result description, by default None timespan (Optional[TimeSpan], optional) – TimeSpan for the results, by default None notebooklet (Optional[, optional) – Originating notebooklet, by default None

data_properties(empty: bool = False) → List[str]¶: Return list of attributes with populated data.

prop_doc(name) → Tuple[str, str]¶: Get the property documentation for the property.

properties¶: Return names of all properties.

view_events(summary_cols: List[str] = None, attrib: Optional[str] = None, data: Optional[pandas.core.frame.DataFrame] = None, **kwargs) → msticpy.nbtools.nbwidgets.select_item.SelectItem¶

Return simple data view for DataFrame/result attribute.

Parameters:	summary_cols (List[str], optional) – [description] attrib (Optional[str], optional) – [description], by default None data (Optional[pd.DataFrame], optional) – [description], by default None kwargs – Additional keyword arguments passed to the SelectItem widget.
Returns:	Browser for events in DataFrame.
Return type:	SelectItem
Raises:	`AttributeError` – Attribute name not in results class. `TypeError` – Input data or attribute is not a DataFrame `MsticnbMissingParameterError` – One of data or attrib parameters must be supplied `KeyError` – Summary column name specified that isn’t in the DataFrame

vis_properties() → List[str]¶: Return list of properties with visualizations.

msticnb.nb.azsent.host.host_summary module¶

Notebooklet for Host Summary.

class msticnb.nb.azsent.host.host_summary.HostSummary(data_providers: Optional[msticnb.data_providers.DataProviders] = None, **kwargs)¶

Bases: msticnb.notebooklet.Notebooklet

HostSummary Notebooklet class.

Queries and displays information about a host including:

IP address assignment
Related alerts
Related hunting/investigation bookmarks
Azure subscription/resource data.

heartbeat: Query Heartbeat table for host information.
azure_net: Query AzureNetworkAnalytics table for host network topology information.
alerts: Query any alerts for the host.
bookmarks: Query any bookmarks for the host.
azure_api: Query Azure API for VM information.

None

Intialize a new instance of the notebooklet class.

Parameters:	data_providers (DataProviders, Optional) – Optional DataProviders instance to query data. Most classes require this.
Raises:	`MsticnbDataProviderError` – If DataProviders has not been initialized. If required providers are specified by the notebooklet but are not available.

classmethod all_options() → List[str]¶

Return supported options for Notebooklet run function.

Returns:	Supported options.
Return type:	List[str]

browse_alerts() → msticpy.nbtools.nbwidgets.select_alert.SelectAlert¶: Return alert browser/viewer.

check_table_exists(table: str) → bool¶

Check to see if the table exists in the provider.

Parameters:	table (str) – Table name
Returns:	True if the table exists, otherwise False.
Return type:	bool

check_valid_result_data(attrib: str = None, silent: bool = False) → bool¶

Check that the result is valid and attrib contains data.

Parameters:	attrib (str) – Name of the attribute to check, if None this function only checks for a valid _last_result. silent (bool) – If True, suppress output.
Returns:	Returns True if valid data is available, else False.
Return type:	bool

classmethod default_options() → List[str]¶

Return default options for Notebooklet run function.

Returns:	Supported options.
Return type:	List[str]

classmethod description() → str¶

Return description of the Notebooklet.

Returns:	Description
Return type:	str

display_alert_timeline()¶: Display the alert timeline.

classmethod entity_types() → List[str]¶

Entity types supported by the notebooklet.

Returns:	Entity names
Return type:	List[str]

classmethod get_help(fmt='html') → str¶: Return HTML document for class.

get_methods() → Dict[str, Callable[[Any], Any]]¶: Return methods available for this class.

get_pivot_run(get_timespan: Callable[[], msticpy.common.timespan.TimeSpan])¶: Return Pivot-wrappable run function.

get_provider(provider_name: str)¶

Return data provider for the specified name.

Parameters:	provider_name (str) – Name of the provider
Returns:	Provider instance.
Return type:	Any
Raises:	`MsticnbDataProviderError` – If provider is not found.

classmethod get_settings(print_settings=True) → Optional[str]¶

Print or return metadata for class.

Parameters:	print_settings (bool, optional) – Print to standard, by default True or return the str formatted content.
Returns:	If print_settings is True, returns None. If False, returns LF-delimited string of metadata settings.
Return type:	Optional[str]

Notes

Use metadata attribute to retrieve the metadata directly.

classmethod import_cell()¶: Import the text of this module into a new cell.

classmethod keywords() → List[str]¶

Return search keywords for Notebooklet.

Returns:	Keywords
Return type:	List[str]

list_methods() → List[str]¶: Return list of methods with descriptions.

classmethod list_options() → str¶

Return options document for Notebooklet run function.

Returns:	Supported options.
Return type:	List[str]

classmethod match_terms(search_terms: str) → Tuple[bool, int]¶

Search class definition for search_terms.

Parameters:	search_terms (str) – One or more search terms, separated by spaces or commas. Terms can be simple strings or regular expressions.
Returns:	Returns a tuple of bool (True if all terms match) and int (count of matched terms)
Return type:	Tuple[bool, int]

metadata = NBMetadata(name='HostSummary', mod_name='msticnb.nb.azsent.host.host_summary', description='Host summary', default_options=[{'heartbeat': 'Query Heartbeat table for host information.'}, {'azure_net': ' Query AzureNetworkAnalytics table for host network topology information.'}, {'alerts': 'Query any alerts for the host.'}, {'bookmarks': 'Query any bookmarks for the host.'}, {'azure_api': 'Query Azure API for VM information.'}], other_options=[], inputs=['value'], entity_types=['host'], keywords=['host', 'computer', 'heartbeat', 'windows', 'linux'], req_providers=['LogAnalytics|LocalData', 'azuredata'])¶

module_path = PosixPath('/home/docs/checkouts/readthedocs.org/user_builds/msticnb/checkouts/stable/msticnb/nb/azsent/host/host_summary.py')¶

classmethod name() → str¶

Return name of the Notebooklet.

Returns:	Name
Return type:	str

classmethod print_options()¶: Print options for Notebooklet run function.

result¶

Return result of the most recent notebooklet run.

Returns:	Notebooklet result class or None if nothing has been run.
Return type:	Optional[NotebookletResult]

run(value: Any = None, data: Optional[pandas.core.frame.DataFrame] = None, timespan: Optional[msticpy.common.timespan.TimeSpan] = None, options: Optional[Iterable[str]] = None, **kwargs) → msticnb.nb.azsent.host.host_summary.HostSummaryResult¶

Return host summary data.

Other Parameters:
Parameters:	value (str) – Host name data (Optional[pd.DataFrame], optional) – Not used, by default None timespan (TimeSpan) – Timespan over which operations such as queries will be performed, by default None. This can be a TimeStamp object or another object that has valid start, end, or period attributes. options (Optional[Iterable[str]], optional) – List of options to use, by default None A value of None means use default options. Options prefixed with “+” will be added to the default options. To see the list of available options type help(cls) where “cls” is the notebooklet class or an instance of this class.
	start (Union[datetime, datelike-string]) – Alternative to specifying timespan parameter. end (Union[datetime, datelike-string]) – Alternative to specifying timespan parameter.
Returns:	Result object with attributes for each result type.
Return type:	HostSummaryResult
Raises:	`MsticnbMissingParameterError` – If required parameters are missing

classmethod show_help()¶: Display Documentation for class.

silent¶

Get the current instance setting for silent running.

Returns:	Silent running is enabled.
Return type:	Optional[bool]

class msticnb.nb.azsent.host.host_summary.HostSummaryResult(description: Optional[str] = None, timespan: Optional[msticpy.common.timespan.TimeSpan] = None, notebooklet: Optional[Notebooklet] = None)¶

Bases: msticnb.notebooklet_result.NotebookletResult

Host Details Results.

host_entity¶

The host entity object contains data about the host such as name, environment, operating system version, IP addresses and Azure VM details. Depending on the type of host, not all of this data may be populated.

Type:	msticpy.datamodel.entities.Host

related_alerts¶

Pandas DataFrame of any alerts recorded for the host within the query time span.

Type:	pd.DataFrame

alert_timeline¶: Bokeh time plot of alerts recorded for host.

related_bookmarks¶

Pandas DataFrame of any investigation bookmarks relating to the host.

Type:	pd.DataFrame

events¶

Pandas DataFrame of any high severity events from the selected host.

Type:	pd.DataFrame

Create new Notebooklet result instance.

Parameters:	description (Optional[str], optional) – Result description, by default None timespan (Optional[TimeSpan], optional) – TimeSpan for the results, by default None notebooklet (Optional[], optional) – Originating notebooklet, by default None

data_properties(empty: bool = False) → List[str]¶: Return list of attributes with populated data.

prop_doc(name) → Tuple[str, str]¶: Get the property documentation for the property.

properties¶: Return names of all properties.

view_events(summary_cols: List[str] = None, attrib: Optional[str] = None, data: Optional[pandas.core.frame.DataFrame] = None, **kwargs) → msticpy.nbtools.nbwidgets.select_item.SelectItem¶

Return simple data view for DataFrame/result attribute.

Parameters:	summary_cols (List[str], optional) – [description] attrib (Optional[str], optional) – [description], by default None data (Optional[pd.DataFrame], optional) – [description], by default None kwargs – Additional keyword arguments passed to the SelectItem widget.
Returns:	Browser for events in DataFrame.
Return type:	SelectItem
Raises:	`AttributeError` – Attribute name not in results class. `TypeError` – Input data or attribute is not a DataFrame `MsticnbMissingParameterError` – One of data or attrib parameters must be supplied `KeyError` – Summary column name specified that isn’t in the DataFrame

vis_properties() → List[str]¶: Return list of properties with visualizations.

msticnb.nb.azsent.host.host_network_summary module¶

Notebooklet for Host Summary.

class msticnb.nb.azsent.host.host_network_summary.HostNetworkSummary(data_providers: Optional[msticnb.data_providers.DataProviders] = None, **kwargs)¶

Bases: msticnb.notebooklet.Notebooklet

HostSummary Notebooklet class.

Queries and displays information about a host including:

IP address assignment
Related alerts
Related hunting/investigation bookmarks
Azure subscription/resource data.

map: Display a map of remote IP addresses communicating with the host.
ti: Enrich network flow data with Threat Inteligence.
whois: Enrich network flow data with WhoIs information.

None

Intialize a new instance of the notebooklet class.

Parameters:	data_providers (DataProviders, Optional) – Optional DataProviders instance to query data. Most classes require this.
Raises:	`MsticnbDataProviderError` – If DataProviders has not been initialized. If required providers are specified by the notebooklet but are not available.

classmethod all_options() → List[str]¶

Return supported options for Notebooklet run function.

Returns:	Supported options.
Return type:	List[str]

check_table_exists(table: str) → bool¶

Check to see if the table exists in the provider.

Parameters:	table (str) – Table name
Returns:	True if the table exists, otherwise False.
Return type:	bool

check_valid_result_data(attrib: str = None, silent: bool = False) → bool¶

Check that the result is valid and attrib contains data.

Parameters:	attrib (str) – Name of the attribute to check, if None this function only checks for a valid _last_result. silent (bool) – If True, suppress output.
Returns:	Returns True if valid data is available, else False.
Return type:	bool

classmethod default_options() → List[str]¶

Return default options for Notebooklet run function.

Returns:	Supported options.
Return type:	List[str]

classmethod description() → str¶

Return description of the Notebooklet.

Returns:	Description
Return type:	str

classmethod entity_types() → List[str]¶

Entity types supported by the notebooklet.

Returns:	Entity names
Return type:	List[str]

classmethod get_help(fmt='html') → str¶: Return HTML document for class.

get_methods() → Dict[str, Callable[[Any], Any]]¶: Return methods available for this class.

get_pivot_run(get_timespan: Callable[[], msticpy.common.timespan.TimeSpan])¶: Return Pivot-wrappable run function.

get_provider(provider_name: str)¶

Return data provider for the specified name.

Parameters:	provider_name (str) – Name of the provider
Returns:	Provider instance.
Return type:	Any
Raises:	`MsticnbDataProviderError` – If provider is not found.

classmethod get_settings(print_settings=True) → Optional[str]¶

Print or return metadata for class.

Parameters:	print_settings (bool, optional) – Print to standard, by default True or return the str formatted content.
Returns:	If print_settings is True, returns None. If False, returns LF-delimited string of metadata settings.
Return type:	Optional[str]

Notes

Use metadata attribute to retrieve the metadata directly.

classmethod import_cell()¶: Import the text of this module into a new cell.

classmethod keywords() → List[str]¶

Return search keywords for Notebooklet.

Returns:	Keywords
Return type:	List[str]

list_methods() → List[str]¶: Return list of methods with descriptions.

classmethod list_options() → str¶

Return options document for Notebooklet run function.

Returns:	Supported options.
Return type:	List[str]

classmethod match_terms(search_terms: str) → Tuple[bool, int]¶

Search class definition for search_terms.

Parameters:	search_terms (str) – One or more search terms, separated by spaces or commas. Terms can be simple strings or regular expressions.
Returns:	Returns a tuple of bool (True if all terms match) and int (count of matched terms)
Return type:	Tuple[bool, int]

metadata = NBMetadata(name='HostNetworkSummary', mod_name='msticnb.nb.azsent.host.host_network_summary', description='Host network summary', default_options=[{'map': 'Display a map of remote IP addresses communicating with the host.'}, {'ti': 'Enrich network flow data with Threat Inteligence.'}, {'whois': 'Enrich network flow data with WhoIs information.'}], other_options=[], inputs=['value'], entity_types=['host'], keywords=['host', 'computer', 'windows', 'linux'], req_providers=['LogAnalytics|LocalData'])¶

module_path = PosixPath('/home/docs/checkouts/readthedocs.org/user_builds/msticnb/checkouts/stable/msticnb/nb/azsent/host/host_network_summary.py')¶

classmethod name() → str¶

Return name of the Notebooklet.

Returns:	Name
Return type:	str

classmethod print_options()¶: Print options for Notebooklet run function.

result¶

Return result of the most recent notebooklet run.

Returns:	Notebooklet result class or None if nothing has been run.
Return type:	Optional[NotebookletResult]

run(value: Any = None, data: Optional[pandas.core.frame.DataFrame] = None, timespan: Optional[msticpy.common.timespan.TimeSpan] = None, options: Optional[Iterable[str]] = None, **kwargs) → msticnb.nb.azsent.host.host_network_summary.HostNetworkSummaryResult¶

Return host summary data.

Other Parameters:
Parameters:	value (str) – Host entity data (Optional[pd.DataFrame], optional) – Not used, by default None timespan (TimeSpan) – Timespan over which operations such as queries will be performed, by default None. This can be a TimeStamp object or another object that has valid start, end, or period attributes. options (Optional[Iterable[str]], optional) – List of options to use, by default None A value of None means use default options. Options prefixed with “+” will be added to the default options. To see the list of available options type help(cls) where “cls” is the notebooklet class or an instance of this class.
	start (Union[datetime, datelike-string]) – Alternative to specifying timespan parameter. end (Union[datetime, datelike-string]) – Alternative to specifying timespan parameter.
Returns:	Result object with attributes for each result type.
Return type:	HostSummaryResult
Raises:	`MsticnbMissingParameterError` – If required parameters are missing

classmethod show_help()¶: Display Documentation for class.

silent¶

Get the current instance setting for silent running.

Returns:	Silent running is enabled.
Return type:	Optional[bool]

class msticnb.nb.azsent.host.host_network_summary.HostNetworkSummaryResult(description: Optional[str] = None, timespan: Optional[msticpy.common.timespan.TimeSpan] = None, notebooklet: Optional[Notebooklet] = None)¶

Bases: msticnb.notebooklet_result.NotebookletResult

Host Network Summary Results.

Create new Notebooklet result instance.

data_properties(empty: bool = False) → List[str]¶: Return list of attributes with populated data.

prop_doc(name) → Tuple[str, str]¶: Get the property documentation for the property.

properties¶: Return names of all properties.

view_events(summary_cols: List[str] = None, attrib: Optional[str] = None, data: Optional[pandas.core.frame.DataFrame] = None, **kwargs) → msticpy.nbtools.nbwidgets.select_item.SelectItem¶

Return simple data view for DataFrame/result attribute.

Parameters:	summary_cols (List[str], optional) – [description] attrib (Optional[str], optional) – [description], by default None data (Optional[pd.DataFrame], optional) – [description], by default None kwargs – Additional keyword arguments passed to the SelectItem widget.
Returns:	Browser for events in DataFrame.
Return type:	SelectItem
Raises:	`AttributeError` – Attribute name not in results class. `TypeError` – Input data or attribute is not a DataFrame `MsticnbMissingParameterError` – One of data or attrib parameters must be supplied `KeyError` – Summary column name specified that isn’t in the DataFrame

vis_properties() → List[str]¶: Return list of properties with visualizations.

msticnb.nb.azsent.host.win_host_events module¶

Notebooklet for Windows Security Events.

class msticnb.nb.azsent.host.win_host_events.WinHostEvents(data_providers: Optional[msticnb.data_providers.DataProviders] = None, **kwargs)¶

Bases: msticnb.notebooklet.Notebooklet

Windows host Security Events Notebooklet class.

Queries and displays Windows Security Events including:

All security events summary
Extracting and displaying account management events
Account management event timeline
Optionally parsing packed event data into DataFrame columns

Process (4688) and Account Logon (4624, 4625) are not included in the event types processed by this module.

event_pivot: Display a summary of all event types.
acct_events: Display a summary and timeline of account management events.

expand_events: parses the XML EventData column into separate DataFrame columns. This can be very expensive with a large event set. We recommend using the expand_events() method to select a specific subset of events to process.

Intialize a new instance of the notebooklet class.

Parameters:	data_providers (DataProviders, Optional) – Optional DataProviders instance to query data. Most classes require this.
Raises:	`MsticnbDataProviderError` – If DataProviders has not been initialized. If required providers are specified by the notebooklet but are not available.

classmethod all_options() → List[str]¶

Return supported options for Notebooklet run function.

Returns:	Supported options.
Return type:	List[str]

check_table_exists(table: str) → bool¶

Check to see if the table exists in the provider.

Parameters:	table (str) – Table name
Returns:	True if the table exists, otherwise False.
Return type:	bool

check_valid_result_data(attrib: str = None, silent: bool = False) → bool¶

Check that the result is valid and attrib contains data.

Parameters:	attrib (str) – Name of the attribute to check, if None this function only checks for a valid _last_result. silent (bool) – If True, suppress output.
Returns:	Returns True if valid data is available, else False.
Return type:	bool

classmethod default_options() → List[str]¶

Return default options for Notebooklet run function.

Returns:	Supported options.
Return type:	List[str]

classmethod description() → str¶

Return description of the Notebooklet.

Returns:	Description
Return type:	str

classmethod entity_types() → List[str]¶

Entity types supported by the notebooklet.

Returns:	Entity names
Return type:	List[str]

expand_events(event_ids: Union[int, Iterable[int], None] = None) → pandas.core.frame.DataFrame¶

Expand EventData for event_ids into separate columns.

Parameters:	event_ids (Optional[Union[int, Iterable[int]]], optional) – Single or interable of event IDs (ints). If no event_ids are specified all events will be expanded.
Returns:	Results with expanded columns.
Return type:	pd.DataFrame

Notes

For a specific event ID you can expand the EventProperties values into their own columns using this function. You can do this for the whole data set but it will time-consuming and result in a lot of sparse columns in the output data frame.

classmethod get_help(fmt='html') → str¶: Return HTML document for class.

get_methods() → Dict[str, Callable[[Any], Any]]¶: Return methods available for this class.

get_pivot_run(get_timespan: Callable[[], msticpy.common.timespan.TimeSpan])¶: Return Pivot-wrappable run function.

get_provider(provider_name: str)¶

Return data provider for the specified name.

Parameters:	provider_name (str) – Name of the provider
Returns:	Provider instance.
Return type:	Any
Raises:	`MsticnbDataProviderError` – If provider is not found.

classmethod get_settings(print_settings=True) → Optional[str]¶

Print or return metadata for class.

Parameters:	print_settings (bool, optional) – Print to standard, by default True or return the str formatted content.
Returns:	If print_settings is True, returns None. If False, returns LF-delimited string of metadata settings.
Return type:	Optional[str]

Notes

Use metadata attribute to retrieve the metadata directly.

classmethod import_cell()¶: Import the text of this module into a new cell.

classmethod keywords() → List[str]¶

Return search keywords for Notebooklet.

Returns:	Keywords
Return type:	List[str]

list_methods() → List[str]¶: Return list of methods with descriptions.

classmethod list_options() → str¶

Return options document for Notebooklet run function.

Returns:	Supported options.
Return type:	List[str]

classmethod match_terms(search_terms: str) → Tuple[bool, int]¶

Search class definition for search_terms.

Parameters:	search_terms (str) – One or more search terms, separated by spaces or commas. Terms can be simple strings or regular expressions.
Returns:	Returns a tuple of bool (True if all terms match) and int (count of matched terms)
Return type:	Tuple[bool, int]

metadata = NBMetadata(name='WinHostEvents', mod_name='msticnb.nb.azsent.host.win_host_events', description='Windows Host Security Events', default_options=[{'event_pivot': 'Display a summary of all event types.'}, {'acct_events': 'Display a summary and timeline of account management events.'}], other_options=[{'expand_events': 'parses the XML EventData column into separate DataFrame columns. This can be very expensive with a large event set. We recommend using the expand_events() method to select a specific subset of events to process.'}], inputs=['value'], entity_types=['host'], keywords=['host', 'computer', 'heartbeat', 'windows', 'account'], req_providers=['AzureSentinel|LocalData'])¶

module_path = PosixPath('/home/docs/checkouts/readthedocs.org/user_builds/msticnb/checkouts/stable/msticnb/nb/azsent/host/win_host_events.py')¶

classmethod name() → str¶

Return name of the Notebooklet.

Returns:	Name
Return type:	str

classmethod print_options()¶: Print options for Notebooklet run function.

result¶

Return result of the most recent notebooklet run.

Returns:	Notebooklet result class or None if nothing has been run.
Return type:	Optional[NotebookletResult]

run(value: Any = None, data: Optional[pandas.core.frame.DataFrame] = None, timespan: Optional[msticpy.common.timespan.TimeSpan] = None, options: Optional[Iterable[str]] = None, **kwargs) → msticnb.nb.azsent.host.win_host_events.WinHostEventsResult¶

Return Windows Security Event summary.

Other Parameters:
Parameters:	value (str) – Host name data (Optional[pd.DataFrame], optional) – Not used, by default None timespan (TimeSpan) – Timespan over which operations such as queries will be performed, by default None. This can be a TimeStamp object or another object that has valid start, end, or period attributes. options (Optional[Iterable[str]], optional) – List of options to use, by default None. A value of None means use default options. Options prefixed with “+” will be added to the default options. To see the list of available options type help(cls) where “cls” is the notebooklet class or an instance of this class.
	start (Union[datetime, datelike-string]) – Alternative to specifying timespan parameter. end (Union[datetime, datelike-string]) – Alternative to specifying timespan parameter.
Returns:	Result object with attributes for each result type.
Return type:	HostSummaryResult
Raises:	`MsticnbMissingParameterError` – If required parameters are missing

classmethod show_help()¶: Display Documentation for class.

silent¶

Get the current instance setting for silent running.

Returns:	Silent running is enabled.
Return type:	Optional[bool]

class msticnb.nb.azsent.host.win_host_events.WinHostEventsResult(description: Optional[str] = None, timespan: Optional[msticpy.common.timespan.TimeSpan] = None, notebooklet: Optional[Notebooklet] = None)¶

Bases: msticnb.notebooklet_result.NotebookletResult

Windows Host Security Events Results.

all_events¶

DataFrame of all raw events retrieved.

Type:	pd.DataFrame

event_pivot¶

DataFrame that is a pivot table of event ID vs. Account

Type:	pd.DataFrame

account_events¶

DataFrame containing a subset of account management events such as account and group modification.

Type:	pd.DataFrame

acct_pivot¶

DataFrame that is a pivot table of event ID vs. Account of account management events

Type:	pd.DataFrame

account_timeline¶

Bokeh plot figure or Layout showing the account events on an interactive timeline.

Type:	Union[Figure, LayoutDOM]

expanded_events¶

If expand_events option is specified, this will contain the parsed/expanded EventData as individual columns.

Type:	pd.DataFrame

Create new Notebooklet result instance.

Parameters:	description (Optional[str], optional) – Result description, by default None timespan (Optional[TimeSpan], optional) – TimeSpan for the results, by default None notebooklet (Optional[, optional) – Originating notebooklet, by default None

data_properties(empty: bool = False) → List[str]¶: Return list of attributes with populated data.

prop_doc(name) → Tuple[str, str]¶: Get the property documentation for the property.

properties¶: Return names of all properties.

view_events(summary_cols: List[str] = None, attrib: Optional[str] = None, data: Optional[pandas.core.frame.DataFrame] = None, **kwargs) → msticpy.nbtools.nbwidgets.select_item.SelectItem¶

Return simple data view for DataFrame/result attribute.

Parameters:	summary_cols (List[str], optional) – [description] attrib (Optional[str], optional) – [description], by default None data (Optional[pd.DataFrame], optional) – [description], by default None kwargs – Additional keyword arguments passed to the SelectItem widget.
Returns:	Browser for events in DataFrame.
Return type:	SelectItem
Raises:	`AttributeError` – Attribute name not in results class. `TypeError` – Input data or attribute is not a DataFrame `MsticnbMissingParameterError` – One of data or attrib parameters must be supplied `KeyError` – Summary column name specified that isn’t in the DataFrame

vis_properties() → List[str]¶: Return list of properties with visualizations.