Notebooklet Class - IpAddressSummary
IP Address Summary Notebooklet class.
Queries and displays summary information about an IP address, including:
- Basic IP address properties
- IpAddress entity (and Host entity, if a host could be associated)
- WhoIs and Geo-location
- Azure activity and network data (optional)
- Office activity summary (optional)
- Threat intelligence reports
- Related alerts and hunting bookmarks
Default Options
- geoip: Get geo location information for IP address.
- alerts: Get any alerts listing the IP address.
- host_logons: Find any hosts with logons using this IP address as a source.
- related_accounts: Find any accounts using this IP address in AAD or host logs.
- device_info: Find any devices associated with this IP address.
- device_network: Find any devices communicating with this IP address.
Other Options
- bookmarks: Get any hunting bookmarks listing the IP address.
- heartbeat: Get the latest heartbeat record for this IP address.
- az_net_if: Get the latest Azure network analytics interface data for this IP address.
- vmcomputer: Get the latest VMComputer record for this IP address.
- az_netflow: Get netflow information from AzureNetworkAnalytics table.
- passive_dns: Force fetching passive DNS data from a TI Provider even if IP is internal.
- az_activity: AAD sign-ins and Azure Activity logs.
- office_365: Office 365 activity.
- common_security: Get records from common security log.
- ti: Force get threat intelligence reports even for internal public IPs.
Display Sections
Azure Sign-ins and audit activity from IP Address
(only available for Azure)
Azure NSG Flow Logs for IP
(only available if Azure network analytics net flow is enabled.) This is a list of netflow events for the IP. A timeline by protocol is available in the result.az_network_flows_timeline property. Use the nblt.netflow_total_by_protocol() method to view flow totals by protocol, and nblt.netflow_total_by_direction() to view a timeline grouped by direction of flow.
Office 365 operations summary from IP Address
(only available for Office 365)
Public IP data (GeoIP, ThreatIntel, Passive DNS, VPS membership)
Azure Network Analytics Topology record for the IP
(only available for Azure VMs)
Common security log
The CommonSecurityLog contains log data from firewalls and network devices.
Defender device information
MS Defender device network and host information.
Network connections
MS Defender network connections to/from this IP address.
Azure Sentinel heartbeat record for the IP
(only available for IP addresses that belong to the subscription)
Host logons
List of hosts with logon attempts from this IP address.
Azure VMComputer record for the IP
(only available for Azure VMs)
Summary of Azure NSG network flow data for this IP Address
(only available if Azure network analytics net flow is enabled.)
Results Class
IPSummary Results.
- ip_str : str
  - The input IP address as a string.
- ip_address : Optional[Union[IPv4Address, IPv6Address]]
  - IP address Python object.
- ip_entity : IpAddress
  - IpAddress entity.
- ip_origin : str
  - "External" or "Internal".
- host_entities : Host
  - Host entity or entities associated with the IP address.
- ip_type : str
  - IP address type: "Public", "Private", etc.
- geoip : Optional[Dict[str, Any]]
  - Geo location information as a dictionary.
- location : Optional[GeoLocation]
  - Location entity context object.
- whois : pd.DataFrame
  - WhoIs information for the IP address.
- whois_nets : pd.DataFrame
  - List of network definitions from WhoIs data.
- heartbeat : pd.DataFrame
  - Heartbeat record for the IP address or host.
- az_network_if : pd.DataFrame
  - Azure NSG analytics interface record, if available.
- vmcomputer : pd.DataFrame
  - VMComputer latest record.
- az_network_flows : pd.DataFrame
  - Azure NSG flows for the IP, if available.
- az_network_flows_timeline : Figure
  - Azure NSG flows timeline, if data is available.
- aad_signins : pd.DataFrame = None
  - AAD sign-in activity.
- azure_activity : pd.DataFrame = None
  - Azure Activity log entries.
- azure_activity_summary : pd.DataFrame = None
  - Azure Activity (AAD and Az Activity) summarized view.
- office_activity : pd.DataFrame = None
  - Office 365 activity.
- common_security : pd.DataFrame
  - Common Security Log entries for the source IP.
- related_bookmarks : pd.DataFrame
  - Bookmarks related to the IP address.
- alert_timeline : Figure
  - Timeline plot of alerts.
- ti_results : pd.DataFrame
  - Threat intel lookup results.
- passive_dns : pd.DataFrame
  - Passive DNS lookup results.
- host_logons : pd.DataFrame
  - Hosts with logons from this IP address.
- related_accounts : pd.DataFrame
  - Accounts with activity related to this IP address.
- associated_hosts : pd.DataFrame
  - Hosts using this IP address.
- device_info : pd.DataFrame
  - Device info of hosts using this IP address.
- network_connections : pd.DataFrame = None
  - Network connections to/from this IP on other devices.
Methods
__init__
browse_alerts
browse_ti_results
display_alert_timeline
netflow_by_direction
netflow_by_protocol
netflow_total_by_protocol
run
Inherited methods
check_table_exists
check_valid_result_data
get_methods
get_pivot_run
get_provider
list_methods
run_nb_func
run_nb_funcs
Other Methods
add_nb_function
all_options
default_options
description
entity_types
get_help
get_settings
import_cell
keywords
list_options
match_terms
search_terms
name
print_options
result [property]: Return result of the most recent notebooklet run.
show_help
run function documentation
Return IP Address activity summary.
Parameters
- value : str
  - IP Address - The key for searches
- data : Optional[pd.DataFrame], optional
  - Not supported for this notebooklet.
- timespan : TimeSpan
  - Timespan for queries
- options : Optional[Iterable[str]], optional
  - List of options to use, by default None. A value of None means use default options. Options prefixed with "+" will be added to the default options. To see the list of available options type help(cls) where "cls" is the notebooklet class or an instance of this class.
Returns
- IpSummaryResult
  - Result object with attributes for each result type.
Raises
- MsticnbMissingParameterError
  - If required parameters are missing
The options accepted by run are the Default Options and Other Options listed at the top of this page.
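The following Python is an added illustration, not code from msticnb: it applies the documented option rules for run (None means defaults, "+name" adds to the defaults) and shows when the TI and passive DNS lookups are expected, i.e. for external public IPs or when the ti / passive_dns options force them. Assumptions not stated on the page: unprefixed option names replace the defaults, unknown names raise, ip_origin is supplied by the caller, and the ip_type labels other than "Public"/"Private" are illustrative.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional

# Option names exactly as documented for IpAddressSummary.
DEFAULT_OPTIONS = ["geoip", "alerts", "host_logons", "related_accounts",
                   "device_info", "device_network"]
OTHER_OPTIONS = ["bookmarks", "heartbeat", "az_net_if", "vmcomputer", "az_netflow",
                 "passive_dns", "az_activity", "office_365", "common_security", "ti"]
ALL_OPTIONS = DEFAULT_OPTIONS + OTHER_OPTIONS


def resolve_options(options: Optional[Iterable[str]] = None) -> List[str]:
    """None -> defaults; "+name" is added to the defaults (as documented).
    Assumption: unprefixed names replace the defaults; unknown names raise."""
    if options is None:
        return list(DEFAULT_OPTIONS)
    options = list(options)                      # allow any iterable, read once
    added = [opt[1:] for opt in options if opt.startswith("+")]
    plain = [opt for opt in options if not opt.startswith("+")]
    unknown = [opt for opt in added + plain if opt not in ALL_OPTIONS]
    if unknown:
        raise ValueError(f"unknown option(s): {unknown}")
    resolved = plain if plain else list(DEFAULT_OPTIONS)
    return resolved + [opt for opt in added if opt not in resolved]


def ip_type(ip_str: str) -> str:
    """Label an address like the result's ip_type attribute ("Public", "Private", ...).
    Assumption: labels other than "Public"/"Private" are illustrative, not msticnb's."""
    addr = ipaddress.ip_address(ip_str)          # raises ValueError on bad input
    if addr.is_loopback:
        return "Loopback"
    if addr.is_link_local:                       # test before is_private (169.254/16)
        return "Link Local"
    if addr.is_multicast:
        return "Multicast"
    if addr.is_private:
        return "Private"
    return "Public" if addr.is_global else "Reserved"


def external_lookups(ip_str: str, options: Optional[Iterable[str]] = None,
                     ip_origin: str = "External") -> Dict[str, bool]:
    """Which TI-provider lookups run: only for external public IPs, unless the
    documented "ti" / "passive_dns" options force them for internal addresses."""
    opts = resolve_options(options)
    routable = ip_type(ip_str) == "Public" and ip_origin == "External"
    return {"geoip": "geoip" in opts,
            "ti": routable or "ti" in opts,
            "passive_dns": routable or "passive_dns" in opts}
```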