{ "cells": [ { "cell_type": "markdown", "metadata": {}, "source": [ "# Title: msticpy - nbwidgets\n", "## Description:\n", "This contains a few aggregated widgets using IPyWidgets that help speed things up during an investigation.\n", "\n", "You must have msticpy installed to run this notebook:\n", "```\n", "%pip install --upgrade msticpy\n", "```\n", "\n", "MSTICpy versions >= 0.8.5" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "\n", "## Table of Contents\n", "- [Setting query start/end times](#QueryTime)\n", "- [Simple time range](#Lookback)\n", "- [Selecting and Displaying Alerts](#AlertSelector)\n", "- [Selecting from list or dict](#SelectString)\n", "- [Getting a value from environment](#GetEnvironmentKey)\n" ] }, { "cell_type": "code", "execution_count": 5, "metadata": { "ExecuteTime": { "end_time": "2019-12-19T22:12:36.439490Z", "start_time": "2019-12-19T22:12:34.694845Z" }, "scrolled": true }, "outputs": [], "source": [ "# Imports\n", "import sys\n", "MIN_REQ_PYTHON = (3,6)\n", "if sys.version_info < MIN_REQ_PYTHON:\n", " print('Check the Kernel->Change Kernel menu and ensure that Python 3.6')\n", " print('or later is selected as the active kernel.')\n", " sys.exit(\"Python %s.%s or later is required.\\n\" % MIN_REQ_PYTHON)\n", "\n", "from IPython.display import display, Markdown\n", "import pandas as pd\n", "\n", "from msticpy import nbwidgets\n", "from msticpy.nbtools.security_alert import SecurityAlert\n" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "[Contents](#contents)\n", "## QueryTime\n", "\n", "This widget is used to specify time boundaries - designed to be used with the built-in msticpy queries and custom queries.\n", "The `start` and `end` times are exposed as datetime properties.\n", "\n", "```\n", "QueryTime.\n", "\n", "Composite widget to capture date and time origin\n", "and set start and end times for queries.\n", "\n", "Parameters\n", "----------\n", "QueryParamProvider : QueryParamProvider\n", " Abstract base 
class\n", "\n", "Parameters\n", "----------\n", "origin_time : datetime, optional\n", " The origin time (the default is `datetime.utcnow()`)\n", "label : str, optional\n", " The description to display\n", " (the default is 'Select time ({units}) to look back')\n", "before : int, optional\n", " The default number of `units` before the `origin_time`\n", " (the default is 60)\n", "after : int, optional\n", " The default number of `units` after the `origin_time`\n", " (the default is 10)\n", "max_before : int, optional\n", " The largest value for `before` (the default is 600)\n", "max_after : int, optional\n", " The largest value for `after` (the default is 100)\n", "units : str, optional\n", " Time unit (the default is 'min')\n", " Permissible values are 'day', 'hour', 'minute', 'second'\n", " These can all be abbreviated down to initial characters\n", " ('d', 'm', etc.)\n", "auto_display : bool, optional\n", " Whether to display on instantiation (the default is False)\n", "```" ] }, { "cell_type": "code", "execution_count": 6, "metadata": { "ExecuteTime": { "end_time": "2019-12-19T22:12:42.494790Z", "start_time": "2019-12-19T22:12:42.453819Z" }, "tags": [] }, "outputs": [ { "data": { "application/vnd.jupyter.widget-view+json": { "model_id": "4a6e2f13719448c3adbae56ec68b6065", "version_major": 2, "version_minor": 0 }, "text/plain": [ "VBox(children=(HTML(value='
[Rendered notebook output; the cell JSON between the QueryTime widget above and these tables is missing from the extraction. The output showed key/value tables for two sample alerts: 'DC local group addition - Demo' (ProviderName CustomAlertRule, Severity Low) and 'Suspicious Account Creation Detected' (VendorName Microsoft, Severity Medium, CompromisedEntity MSTICALERTSWIN1, suspicious account name adm1nistrator similar to administrator), each followed by a table of its ExtendedProperties, and then a list of host logon session summaries for MSTICAlertsWin1 (accounts MSTICAdmin, SYSTEM and adm1nistrator).]