Datasources available to query for IP ::

| | Table | RowCount |
|---|---|---|
| 0 | Heartbeat | 7222 |
| 1 | SecurityEvent | 39120 |
Depending on the IP Address origin, different sections of this notebook are applicable.
Please follow either the Internal IP Address or External IP Address sections.

IP Address type: Public

Go to section [InternalIP](#goto_internalIP)

System Info retrieved from Heartbeat table ::
| | 0 |
|---|---|
| TimeGenerated | 2019-10-30 00:13:48.787000 |
| Computer | WinAttackSim |
| ComputerIP | 104.211.48.180 |
| ComputerEnvironment | Azure |
| SubscriptionId | 40dcc8bf-0478-4f3b-b275-ed0a94f2c013 |
| ResourceType | virtualMachines |
| OSType | Windows |
| OSName | |
| OSMajorVersion | 10 |
| OSMinorVersion | 0 |
| RemoteIPCountry | United States |
| RemoteIPLatitude | 38.73 |
| RemoteIPLongitude | -78.17 |
| Solutions | "securityInsights" |
| SourceComputerId | bbecaa2f-4656-4080-8ad7-3a52e29c8595 |
| VMUUID | 7487bc42-5f85-4f16-84e6-c35531fbcd11 |
Warning: ServiceMap data is not enabled
Enable the ServiceMap Solution from the Azure marketplace:
https://docs.microsoft.com/en-us/azure/azure-monitor/insights/service-map#enable-service-map

Geo Location for the IP Address ::

### Whois Registrar Info ::

ThreatIntel Lookup for IP ::
| | OTX | XForce |
|---|---|---|
| Ioc | 104.211.48.180 | 104.211.48.180 |
| IocType | ipv4 | ipv4 |
| QuerySubtype | None | None |
| Provider | OTX | XForce |
| Result | True | True |
| Severity | 0 | 1 |
| Details | {'pulse_count': 0, 'sections_available': ['general', 'geo', 'reputation', 'url_list', 'passive_d... | {'score': 1, 'cats': {}, 'categoryDescriptions': {}, 'reason': 'Regional Internet Registry', 're... |
| RawResult | {'sections': ['general', 'geo', 'reputation', 'url_list', 'passive_dns', 'malware', 'nids_list',... | {'ip': '104.211.48.180', 'history': [{'created': '2014-10-02T06:27:00.000Z', 'reason': 'Regional... |
| Reference | https://otx.alienvault.com/api/v1/indicators/IPv4/104.211.48.180/general | https://api.xforce.ibmcloud.com/ipr/104.211.48.180 |
| Status | 0 | 0 |
No passive domains found from the providers

No related alerts found.

Entity Relationship Graph - Related Hosts ::

Entity Relationship Graph - Related Accounts ::
| LogonCount | |
|---|---|
| LogonTypeDesc | Service |
| Account | |
| NT AUTHORITY\SYSTEM | 045 |
Warning: No network flow data available.
Please skip the remainder of this section and go to [Time-Series-Anomalies](#Outbound-Data-transfer-Time-Series-Anomalies)
Choose IPs from Selected ASNs to look up for Threat Intel.

Warning: Positive Threat Intel Results found for the following flows
Please examine these IP flows using the IP Explorer notebook.
| | source | dest | L7Protocol | FlowDirection | TotalAllowedFlows | DestASN | SourceASN | DestASNFull | SourceASNFull | Ioc | IocType | QuerySubtype | Provider | Result | Severity | Details | RawResult | Reference | Status |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 0 | 10.0.3.5 | 205.185.216.10 | http | O | 4.0 | HIGHWINDS3 - Highwinds Network Group, Inc., US | NO ASN Information since IP address is of type | {'nir': None, 'asn_registry': 'arin', 'asn': '20446', 'asn_cidr': '205.185.216.0/24', 'asn_count... | {Private} | 205.185.216.10 | ipv4 | None | XForce | False | 0 | Authorization failed. Check account and key details. | `<Response [401]>` | https://api.xforce.ibmcloud.com/ipr/205.185.216.10 | 401 |
| 1 | 10.0.3.5 | 205.185.216.42 | http | O | 1.0 | HIGHWINDS3 - Highwinds Network Group, Inc., US | NO ASN Information since IP address is of type | {'nir': None, 'asn_registry': 'arin', 'asn': '20446', 'asn_cidr': '205.185.216.0/24', 'asn_count... | {Private} | 205.185.216.42 | ipv4 | None | XForce | False | 0 | Authorization failed. Check account and key details. | `<Response [401]>` | https://api.xforce.ibmcloud.com/ipr/205.185.216.42 | 401 |
* a927809c-8142-43e1-96b3-4ad87cfe95a3@loganalytics
['{"error":{"message":"The request had some invalid properties","code":"BadArgumentError","innererror":{"code":"SemanticError","message":"A semantic error occurred.","innererror":{"code":"SEM0100","message":"\\'extend\\' operator: Failed to resolve table or column expression named \\'PaloAltoBytesSent_CL\\'"}}}}']
| | 0 |
|---|---|
| TenantId | 52b1ab41-869e-4138-9e40-2a4457f09bf0 |
| TimeGenerated | 2019-02-15 20:27:38 |
| AlertDisplayName | Suspicious Activity Detected |
| AlertName | Suspicious Activity Detected |
| Severity | Medium |
| Description | Analysis of host data has detected a sequence of one or more processes running on MSTICAlertsWin1 that have historically been associated with malicious activity. While individual commands may appear benign the alert is scored based on an aggregation of these commands. This could either be legitimate activity, or an indication of a compromised host. |
| ProviderName | Detection |
| VendorName | Microsoft |
| VendorOriginalId | b946cd89-667e-4ce7-b571-9603859a7234 |
| SystemAlertId | 2518520402897969999_b946cd89-667e-4ce7-b571-9603859a7234 |
| ResourceId | /subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1 |
| SourceComputerId | 263a788b-6526-4cdc-8ed9-d79402fe4aa0 |
| AlertType | SuspiciousActivity |
| ConfidenceLevel | Unknown |
| ConfidenceScore | NaN |
| IsIncident | False |
| StartTimeUtc | 2019-02-15 19:55:10 |
| EndTimeUtc | 2019-02-15 19:55:10 |
| ProcessingEndTime | 2019-02-15 20:27:38 |
| RemediationSteps | ["Review each of the individual line items in this alert to see if you recognise them as legitimate administrative activity."] |
| ExtendedProperties | {'Machine Name': 'MSTICAlertsWin1', 'Command List': 'FTP session was established.\nPING command was executed.\nNew user was created.\nAdministrators group members enumeration.\nNew user was added to the Administrators group.\nNew scheduled task was created.', 'Account List': 'MSTICALERTSWIN1\ian', 'compromised host': 'MSTICAlertsWin1', 'End Time UTC': '02/15/2019 19:55:11', 'ActionTaken': 'Detected', 'resourceType': 'Virtual Machine', 'ServiceId': '14fa08c7-c48e-4c18-950c-8148024b4398', 'ReportingSystem': 'Azure', 'OccuringDatacenter': 'eastus'} |
| Entities | [{'$id': '2', 'HostName': 'msticalertswin1', 'AzureID': '/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1', 'OMSAgentID': '263a788b-6526-4cdc-8ed9-d79402fe4aa0', 'Type': 'host'}, {'$id': '3', 'Name': 'ian', 'NTDomain': 'msticalertswin1', 'Host': {'$ref': '2'}, 'IsDomainJoined': False, 'Type': 'account'}] |
| SourceSystem | Detection |
| WorkspaceSubscriptionId | 40dcc8bf-0478-4f3b-b275-ed0a94f2c013 |
| WorkspaceResourceGroup | asihuntomsworkspacerg |
| ExtendedLinks | |
| ProductName | |
| ProductComponentName | |
| Type | SecurityAlert |
| Computer | MSTICAlertsWin1 |
| src_hostname | MSTICAlertsWin1 |
| src_accountname | |
| src_procname | |
| host_match | True |
| acct_match | False |
| proc_match | False |
| CompromisedEntity | MSTICAlertsWin1 |
| | 0 |
|---|---|
| Machine Name | MSTICAlertsWin1 |
| Command List | FTP session was established.\nPING command was executed.\nNew user was created.\nAdministrators group members enumeration.\nNew user was added to the Administrators group.\nNew scheduled task was created. |
| Account List | MSTICALERTSWIN1\ian |
| compromised host | MSTICAlertsWin1 |
| End Time UTC | 02/15/2019 19:55:11 |
| ActionTaken | Detected |
| resourceType | Virtual Machine |
| ServiceId | 14fa08c7-c48e-4c18-950c-8148024b4398 |
| ReportingSystem | Azure |
| OccuringDatacenter | eastus |
| | 29 |
|---|---|
| TenantId | 52b1ab41-869e-4138-9e40-2a4457f09bf0 |
| TimeGenerated | 2019-02-06 04:58:33 |
| AlertDisplayName | Sample Alert Rule |
| AlertName | Sample Alert Rule |
| Severity | Medium |
| Description | |
| ProviderName | CustomAlertRule |
| VendorName | Alert Rule |
| VendorOriginalId | 32bf5f3e-52b3-4bb5-a5d8-242fe3f315b5 |
| SystemAlertId | fa02580a-ef45-4631-a104-27244ffd1d2b |
| ResourceId | |
| SourceComputerId | |
| AlertType | CustomAlertRule_d45eb79f-18e2-4f9b-aeb2-f242a8007960 |
| ConfidenceLevel | Unknown |
| ConfidenceScore | NaN |
| IsIncident | False |
| StartTimeUtc | 2019-02-06 03:48:24 |
| EndTimeUtc | 2019-02-06 04:48:24 |
| ProcessingEndTime | 2019-02-06 04:58:33 |
| RemediationSteps | |
| ExtendedProperties | {'Alert Mode': 'Aggregated', 'Search Query': '{"detailBladeInputs":{"id":"/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourcegroups/asihuntomsworkspacerg/providers/microsoft.operationalinsights/workspaces/asihuntomsworkspacev4","parameters":{"q":"SecurityEvent\n\| limit 1000\n\| extend AccountCustomEntity = Account\n\| extend HostCustomEntity = Computer\n\| extend IPCustomEntity = IpAddress","timeInterval":{"intervalDuration":3600,"intervalEnd":"2019-02-06T04%3A48%3A24.000Z"}}},"detailBlade":"SearchBlade","displayValue":"SecurityEvent\n\| limit 1000\n\| extend AccountCustomEntity = Account\n\| extend HostCustomEntity = Computer\n\| extend IPCustomEntity = IpAddress","extension":"Microsoft_OperationsManagementSuite_Workspace","kind":"OpenBlade"}', 'Search Query Results Overall Count': '629', 'Threshold Operator': 'Greater Than', 'Threshold Value': '600', 'Query Interval in Minutes': '60', 'Suppression in Minutes': '120', 'Total Account Entities': '7', 'Total Host Entities': '4'} |
| Entities | [{'$id': '3', 'HostName': 'TestVM2', 'Type': 'host', 'Count': 180}, {'$id': '4', 'HostName': 'Test4VM', 'Type': 'host', 'Count': 179}, {'$id': '5', 'HostName': 'MSTICAlertsWin1', 'Type': 'host', 'Count': 177}, {'$id': '6', 'Name': 'TestVM2$', 'NTDomain': 'WORKGROUP', 'Type': 'account', 'Count': 178}, {'$id': '7', 'Name': 'Test4VM$', 'NTDomain': '', 'Host': {'$ref': '4'}, 'IsDomainJoined': False, 'Type': 'account', 'Count': 173}, {'$id': '8', 'Name': 'MSTICAlertsWin1$', 'NTDomain': 'WORKGROUP', 'Type': 'account', 'Count': 172}] |
| SourceSystem | Detection |
| WorkspaceSubscriptionId | 40dcc8bf-0478-4f3b-b275-ed0a94f2c013 |
| WorkspaceResourceGroup | asihuntomsworkspacerg |
| ExtendedLinks | |
| ProductName | |
| ProductComponentName | |
| Type | SecurityAlert |
| Computer | MSTICAlertsWin1 |
| src_hostname | MSTICAlertsWin1 |
| src_accountname | |
| src_procname | |
| host_match | True |
| acct_match | False |
| proc_match | False |
| CompromisedEntity | MSTICAlertsWin1 |
| | 0 |
|---|---|
| Alert Mode | Aggregated |
| Search Query | {"detailBladeInputs":{"id":"/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourcegroups/asihuntomsworkspacerg/providers/microsoft.operationalinsights/workspaces/asihuntomsworkspacev4","parameters":{"q":"SecurityEvent\n\| limit 1000\n\| extend AccountCustomEntity = Account\n\| extend HostCustomEntity = Computer\n\| extend IPCustomEntity = IpAddress","timeInterval":{"intervalDuration":3600,"intervalEnd":"2019-02-06T04%3A48%3A24.000Z"}}},"detailBlade":"SearchBlade","displayValue":"SecurityEvent\n\| limit 1000\n\| extend AccountCustomEntity = Account\n\| extend HostCustomEntity = Computer\n\| extend IPCustomEntity = IpAddress","extension":"Microsoft_OperationsManagementSuite_Workspace","kind":"OpenBlade"} |
| Search Query Results Overall Count | 629 |
| Threshold Operator | Greater Than |
| Threshold Value | 600 |
| Query Interval in Minutes | 60 |
| Suppression in Minutes | 120 |
| Total Account Entities | 7 |
| Total Host Entities | 4 |
| | 0 |
|---|---|
| TenantId | 52b1ab41-869e-4138-9e40-2a4457f09bf0 |
| TimeGenerated | 2019-02-07 00:58:29 |
| AlertDisplayName | Sample Alert Rule |
| AlertName | Sample Alert Rule |
| Severity | Medium |
| Description | |
| ProviderName | CustomAlertRule |
| VendorName | Alert Rule |
| VendorOriginalId | 1ff13f6a-481e-4a7c-8ab1-654a054f647e |
| SystemAlertId | 4b955429-bea1-4fe8-9dce-661f861975e0 |
| ResourceId | |
| SourceComputerId | |
| AlertType | CustomAlertRule_d45eb79f-18e2-4f9b-aeb2-f242a8007960 |
| ConfidenceLevel | Unknown |
| ConfidenceScore | NaN |
| IsIncident | False |
| StartTimeUtc | 2019-02-06 23:48:24 |
| EndTimeUtc | 2019-02-07 00:48:24 |
| ProcessingEndTime | 2019-02-07 00:58:29 |
| RemediationSteps | |
| ExtendedProperties | {'Alert Mode': 'Aggregated', 'Search Query': '{"detailBladeInputs":{"id":"/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourcegroups/asihuntomsworkspacerg/providers/microsoft.operationalinsights/workspaces/asihuntomsworkspacev4","parameters":{"q":"SecurityEvent\n\| limit 1000\n\| extend AccountCustomEntity = Account\n\| extend HostCustomEntity = Computer\n\| extend IPCustomEntity = IpAddress","timeInterval":{"intervalDuration":3600,"intervalEnd":"2019-02-07T00%3A48%3A24.000Z"}}},"detailBlade":"SearchBlade","displayValue":"SecurityEvent\n\| limit 1000\n\| extend AccountCustomEntity = Account\n\| extend HostCustomEntity = Computer\n\| extend IPCustomEntity = IpAddress","extension":"Microsoft_OperationsManagementSuite_Workspace","kind":"OpenBlade"}', 'Search Query Results Overall Count': '1000', 'Threshold Operator': 'Greater Than', 'Threshold Value': '600', 'Query Interval in Minutes': '60', 'Suppression in Minutes': '120', 'Total Account Entities': '7', 'Total Host Entities': '4'} |
| Entities | [{'$id': '3', 'HostName': 'MSTICAlertsWin1', 'Type': 'host', 'Count': 708}, {'$id': '4', 'HostName': 'Test4VM', 'Type': 'host', 'Count': 130}, {'$id': '5', 'HostName': 'TestVM2', 'Type': 'host', 'Count': 112}, {'$id': '6', 'Name': 'MSTICAlertsWin1$', 'NTDomain': 'WORKGROUP', 'Type': 'account', 'Count': 700}, {'$id': '7', 'Name': 'Test4VM$', 'NTDomain': '', 'Host': {'$ref': '4'}, 'IsDomainJoined': False, 'Type': 'account', 'Count': 124}, {'$id': '8', 'Name': 'TestVM2$', 'NTDomain': 'WORKGROUP', 'Type': 'account', 'Count': 109}] |
| SourceSystem | Detection |
| WorkspaceSubscriptionId | 40dcc8bf-0478-4f3b-b275-ed0a94f2c013 |
| WorkspaceResourceGroup | asihuntomsworkspacerg |
| ExtendedLinks | |
| ProductName | |
| ProductComponentName | |
| Type | SecurityAlert |
| Computer | MSTICAlertsWin1 |
| src_hostname | MSTICAlertsWin1 |
| src_accountname | |
| src_procname | |
| host_match | True |
| acct_match | False |
| proc_match | False |
| CompromisedEntity | MSTICAlertsWin1 |
| | 0 |
|---|---|
| Alert Mode | Aggregated |
| Search Query | {"detailBladeInputs":{"id":"/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourcegroups/asihuntomsworkspacerg/providers/microsoft.operationalinsights/workspaces/asihuntomsworkspacev4","parameters":{"q":"SecurityEvent\n\| limit 1000\n\| extend AccountCustomEntity = Account\n\| extend HostCustomEntity = Computer\n\| extend IPCustomEntity = IpAddress","timeInterval":{"intervalDuration":3600,"intervalEnd":"2019-02-07T00%3A48%3A24.000Z"}}},"detailBlade":"SearchBlade","displayValue":"SecurityEvent\n\| limit 1000\n\| extend AccountCustomEntity = Account\n\| extend HostCustomEntity = Computer\n\| extend IPCustomEntity = IpAddress","extension":"Microsoft_OperationsManagementSuite_Workspace","kind":"OpenBlade"} |
| Search Query Results Overall Count | 1000 |
| Threshold Operator | Greater Than |
| Threshold Value | 600 |
| Query Interval in Minutes | 60 |
| Suppression in Minutes | 120 |
| Total Account Entities | 7 |
| Total Host Entities | 4 |