{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Table of Contents\n",
"* [msticpy - anomalous_sequence](#msticpy)\n",
"* [Sessions explained](#create_sessions)\n",
" * [Create sessions using msticpy](#msticpy_ses)\n",
" * [Using the sessionize_data function](#sessionize_data)\n",
"* [Explain the modelling approach](#explain_model)\n",
" * [Using the score_sessions function](#model_function)\n",
" * [Advanced: access Model class directly](#model_class)\n",
"* [Visualise the modelled sessions](#visualize_function)\n",
" * [Using the visualise_scored_sessions function](#visualize_function)\n",
"* [Model and visualise sessions in one go](#score_and_visualise_sessions)\n",
" * [Using the score_and_visualise_sessions function](#score_and_visualise_sessions)\n",
"* [Sessionize other log types using KQL](#other_sessions)\n",
" * [Authenticate Log Analytics](#la_auth) \n",
" * [Office Activity Logs](#office_sessions)\n",
" * [Sessionize using KQL](#office_sessions)\n",
" * [Convert sessions into an allowed format for the modelling](#clean_exchange)\n",
" * [AWS Cloud Trail Logs](#aws_sessions)\n",
" * [Sessionize using KQL](#aws_sessions)\n",
" * [Convert sessions into an allowed format for the modelling](#clean_aws)\n",
" * [VM Process Logs](#vm_sessions)\n",
" * [Sessionize using KQL](#vm_sessions)\n",
" * [Convert sessions into an allowed format for the modelling](#clean_vm)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# msticpy - anomalous_sequence subpackage \n",
"\n",
"Various types of security logs can be broken up into sessions/sequences where each session can be thought of as an ordered sequence of events. It can be useful to model these sessions in order to understand what the usual activity is like so that we can highlight anomalous sequences of events.\n",
"\n",
"A new subpackage called anomalous_sequence has been released to [msticpy](https://github.com/microsoft/msticpy/tree/master/msticpy/analysis/anomalous_sequence) recently. This library allows the user to sessionize, model and visualize their data via a high level interface.\n",
"\n",
"This notebook demonstrates the sessionizing, modelling and visualisation on some Office Exchange Admin logs from one of our demo tenants. However there is a section at the end which demonstrates how some other log types can be sessionized as well. "
]
},
{
"cell_type": "code",
"execution_count": 1,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"env: KQLMAGIC_LOAD_MODE=silent\n",
"finished the imports\n"
]
}
],
"source": [
"# Imports\n",
"from msticpy.nbtools.utility import check_py_version\n",
"\n",
"MIN_REQ_PYTHON = (3, 6)\n",
"check_py_version(MIN_REQ_PYTHON)\n",
"\n",
"from typing import List, Dict, Union\n",
"\n",
"# setting pandas display options for dataframe\n",
"import pandas as pd\n",
"pd.set_option(\"display.max_rows\", 100)\n",
"pd.set_option(\"display.max_columns\", 50)\n",
"pd.set_option(\"display.max_colwidth\", 100)\n",
"\n",
"# msticpy imports\n",
"from msticpy.analysis.anomalous_sequence import sessionize\n",
"from msticpy.analysis.anomalous_sequence.utils.data_structures import Cmd\n",
"from msticpy.analysis.anomalous_sequence import anomalous\n",
"from msticpy.analysis.anomalous_sequence.model import Model\n",
"from msticpy.data import QueryProvider\n",
"from msticpy.nbtools.wsconfig import WorkspaceConfig\n",
"\n",
"%env KQLMAGIC_LOAD_MODE=silent\n",
"\n",
"print('finished the imports')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# What is a Session? \n",
"\n",
"In this context, a session is an ordered sequence of events/commands. The anomalous_sequence subpackage can handle 3 different formats for each of the sessions:\n",
"\n",
"1. sequence of just events/commands.\\\n",
"e.g. \\[\"Set-User\", \"Set-Mailbox\"\\]
\n",
"2. sequence of events/commands with accompanying parameters.\\\n",
"\\[Cmd(name=\"Set-User\", params=\\{\"Identity', \"Force\"\\}), Cmd(name=\"Set-Mailbox\", params=\\{\"Identity\", \"AuditEnabled\"\\})\\]
\n",
"3. sequence of events/commands with accompanying parameters and their corresponding values.\\\n",
"\\[Cmd(name=\"Set-User\", params=\\{\"Identity\": \"blahblah\", \"Force\": 'true'\\}), Cmd(name=\"Set-Mailbox\", params=\\{\"Identity\": \"blahblah\", \"AuditEnabled\": \"false\"\\})\\]\n",
"\n",
"The Cmd datatype can be accessed from msticpy.analysis.anomalous_sequence.utils.data_structures"
]
},
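The three session formats described above, built from raw Exchange-style rows, as an added example (not code from this notebook or from msticpy). `Cmd` here is a local namedtuple stand-in for msticpy's type, the sample events are constructed, and the 20-minute gap used to split sessions is an assumption.

```python
import json
from collections import namedtuple
from datetime import datetime, timedelta

# Local stand-in for msticpy's Cmd type so the example runs without msticpy.
Cmd = namedtuple("Cmd", ["name", "params"])

# Constructed sample rows shaped like the Exchange admin log (not demo-tenant data).
EVENTS = [
    {"TimeGenerated": "2020-04-18T04:50:30Z", "UserId": "admin@contoso.example",
     "Operation": "Set-User",
     "Parameters": '[{"Name": "Identity", "Value": "blahblah"},'
                   ' {"Name": "Force", "Value": "true"}]'},
    {"TimeGenerated": "2020-04-18T04:51:00Z", "UserId": "admin@contoso.example",
     "Operation": "Set-Mailbox",
     "Parameters": '[{"Name": "Identity", "Value": "blahblah"},'
                   ' {"Name": "AuditEnabled", "Value": "false"}]'},
    {"TimeGenerated": "2020-04-18T06:00:00Z", "UserId": "admin@contoso.example",
     "Operation": "New-Mailbox",
     "Parameters": '[{"Name": "Name", "Value": "shared1"}]'},
    {"TimeGenerated": "2020-04-18T04:50:45Z", "UserId": "ops@contoso.example",
     "Operation": "Get-Mailbox", "Parameters": ""},
]

def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")

def to_formats(event):
    """Return one event in each of the three session-item formats."""
    # An empty Parameters field yields a command with no parameters.
    pairs = json.loads(event["Parameters"]) if event["Parameters"] else []
    values = {p["Name"]: p["Value"] for p in pairs}
    name = event["Operation"]
    return name, Cmd(name, set(values)), Cmd(name, values)

def build_sessions(events, max_gap=timedelta(minutes=20)):
    """Order events per user; a new user or a gap above max_gap starts a session.

    max_gap is an assumed threshold chosen for this example.
    """
    ordered = sorted(events, key=lambda e: (e["UserId"], parse_time(e["TimeGenerated"])))
    sessions, current, prev = [], None, None
    for ev in ordered:
        stamp = parse_time(ev["TimeGenerated"])
        if (prev is None or prev["UserId"] != ev["UserId"]
                or stamp - parse_time(prev["TimeGenerated"]) > max_gap):
            current = {"UserId": ev["UserId"], "cmds": [],
                       "cmd_param": [], "cmd_param_val": []}
            sessions.append(current)
        name, with_params, with_values = to_formats(ev)
        current["cmds"].append(name)                   # format 1: names only
        current["cmd_param"].append(with_params)       # format 2: names + parameter set
        current["cmd_param_val"].append(with_values)   # format 3: names + parameter values
        prev = ev
    return sessions

if __name__ == "__main__":
    for session in build_sessions(EVENTS):
        print(session["UserId"], session["cmds"])
```
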
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Use the sessionize module from msticpy \n",
"\n",
"In this section, we demonstrate how you can use msticpy to create sessions from your data. \n",
"\n",
"We read in some office exchange events from one of our demo tenants as a csv."
]
},
{
"cell_type": "code",
"execution_count": 2,
"metadata": {},
"outputs": [],
"source": [
"exchange = pd.read_csv('data/demo_exchange_data.csv')"
]
},
{
"cell_type": "code",
"execution_count": 3,
"metadata": {},
"outputs": [
{
"data": {
"text/html": [
"
 | TimeGenerated | UserId | ClientIP | Operation | Parameters |
---|---|---|---|---|---|
0 | 2020-04-18T04:50:30Z | NaN | NaN | Set-ConditionalAccessPolicy | [\\n {\\n \"Name\": \"Identity\",\\n \"Value\": \"seccxpninja.onmicrosoft.com\\\\6490d00c-7ba1-42cf-a... |
1 | 2020-04-18T04:50:31Z | NaN | NaN | Set-ConditionalAccessPolicy | [\\n {\\n \"Name\": \"Identity\",\\n \"Value\": \"seccxpninja.onmicrosoft.com\\\\ba36f0a4-6d73-4ba4-9... |
2 | 2020-04-18T04:50:30Z | NaN | NaN | Set-ConditionalAccessPolicy | [\\n {\\n \"Name\": \"Identity\",\\n \"Value\": \"seccxpninja.onmicrosoft.com\\\\5fd0c4ff-1cd7-4bf6-8... |
3 | 2020-04-18T04:50:30Z | NaN | NaN | Set-ConditionalAccessPolicy | [\\n {\\n \"Name\": \"Identity\",\\n \"Value\": \"seccxpninja.onmicrosoft.com\\\\b2915792-0396-4abe-9... |
4 | 2020-04-18T04:50:30Z | NaN | NaN | Set-ConditionalAccessPolicy | [\\n {\\n \"Name\": \"Identity\",\\n \"Value\": \"seccxpninja.onmicrosoft.com\\\\83a057fb-dbca-4ba8-b... |

 | TimeGenerated | UserId | ClientIP | Operation | Parameters | cmd_param | cmd_param_val |
---|---|---|---|---|---|---|---|
0 | 2020-04-18T04:50:30Z | NaN | NaN | Set-ConditionalAccessPolicy | [\\n {\\n \"Name\": \"Identity\",\\n \"Value\": \"seccxpninja.onmicrosoft.com\\\\6490d00c-7ba1-42cf-a... | Cmd(name='Set-ConditionalAccessPolicy', params={'PolicyLastUpdatedTime', 'PolicyIdentifierString... | Cmd(name='Set-ConditionalAccessPolicy', params={'Identity': 'seccxpninja.onmicrosoft.com\\\\6490d0... |
1 | 2020-04-18T04:50:31Z | NaN | NaN | Set-ConditionalAccessPolicy | [\\n {\\n \"Name\": \"Identity\",\\n \"Value\": \"seccxpninja.onmicrosoft.com\\\\ba36f0a4-6d73-4ba4-9... | Cmd(name='Set-ConditionalAccessPolicy', params={'PolicyLastUpdatedTime', 'PolicyIdentifierString... | Cmd(name='Set-ConditionalAccessPolicy', params={'Identity': 'seccxpninja.onmicrosoft.com\\\\ba36f0... |
2 | 2020-04-18T04:50:30Z | NaN | NaN | Set-ConditionalAccessPolicy | [\\n {\\n \"Name\": \"Identity\",\\n \"Value\": \"seccxpninja.onmicrosoft.com\\\\5fd0c4ff-1cd7-4bf6-8... | Cmd(name='Set-ConditionalAccessPolicy', params={'PolicyLastUpdatedTime', 'PolicyIdentifierString... | Cmd(name='Set-ConditionalAccessPolicy', params={'Identity': 'seccxpninja.onmicrosoft.com\\\\5fd0c4... |
3 | 2020-04-18T04:50:30Z | NaN | NaN | Set-ConditionalAccessPolicy | [\\n {\\n \"Name\": \"Identity\",\\n \"Value\": \"seccxpninja.onmicrosoft.com\\\\b2915792-0396-4abe-9... | Cmd(name='Set-ConditionalAccessPolicy', params={'PolicyLastUpdatedTime', 'PolicyIdentifierString... | Cmd(name='Set-ConditionalAccessPolicy', params={'Identity': 'seccxpninja.onmicrosoft.com\\\\b29157... |
4 | 2020-04-18T04:50:30Z | NaN | NaN | Set-ConditionalAccessPolicy | [\\n {\\n \"Name\": \"Identity\",\\n \"Value\": \"seccxpninja.onmicrosoft.com\\\\83a057fb-dbca-4ba8-b... | Cmd(name='Set-ConditionalAccessPolicy', params={'PolicyLastUpdatedTime', 'PolicyIdentifierString... | Cmd(name='Set-ConditionalAccessPolicy', params={'Identity': 'seccxpninja.onmicrosoft.com\\\\83a057... |

 | UserId | ClientIP | TimeGenerated_min | TimeGenerated_max | Operation_list | duration | number_events |
---|---|---|---|---|---|---|---|
0 | NAMPRD06\Administrator (Microsoft.Office.Datacenter.Torus.PowerShellWorker) | NaN | 2020-05-12 01:34:59+00:00 | 2020-05-12 01:35:02+00:00 | [Set-ConditionalAccessPolicy, Set-ConditionalAccessPolicy, Set-ConditionalAccessPolicy, Set-Cond... | 00:00:03 | 13 |
1 | NAMPRD06\Administrator (Microsoft.Office.Datacenter.Torus.PowerShellWorker) | NaN | 2020-05-12 04:48:43+00:00 | 2020-05-12 04:48:46+00:00 | [Set-ConditionalAccessPolicy, Set-ConditionalAccessPolicy, Set-ConditionalAccessPolicy, Set-Cond... | 00:00:03 | 13 |
2 | NAMPRD06\Administrator (Microsoft.Office.Datacenter.Torus.PowerShellWorker) | NaN | 2020-05-20 02:18:27+00:00 | 2020-05-20 02:18:31+00:00 | [Set-ConditionalAccessPolicy, Set-ConditionalAccessPolicy, Set-ConditionalAccessPolicy, Set-Cond... | 00:00:04 | 14 |
3 | NAMPRD06\Administrator (Microsoft.Office.Datacenter.Torus.PowerShellWorker) | NaN | 2020-05-20 05:12:55+00:00 | 2020-05-20 05:12:58+00:00 | [Set-ConditionalAccessPolicy, Set-ConditionalAccessPolicy, Set-ConditionalAccessPolicy, Set-Cond... | 00:00:03 | 14 |
4 | NAMPRD06\Administrator (Microsoft.Office.Datacenter.Torus.PowerShellWorker) | NaN | 2020-05-21 01:50:12+00:00 | 2020-05-21 01:50:13+00:00 | [Set-ConditionalAccessPolicy, Set-ConditionalAccessPolicy, Set-ConditionalAccessPolicy, Set-Cond... | 00:00:01 | 14 |

 | UserId | ClientIP | TimeGenerated_min | TimeGenerated_max | Operation_list | duration | number_events | rarest_window3_likelihood | rarest_window3 |
---|---|---|---|---|---|---|---|---|---|
157 | NaN | NaN | 2020-03-26 22:40:30+00:00 | 2020-03-26 22:40:33+00:00 | [New-Mailbox, Set-Mailbox] | 00:00:03 | 2 | 0.000021 | [New-Mailbox, Set-Mailbox] |
216 | NaN | NaN | 2020-04-17 21:00:31+00:00 | 2020-04-17 21:00:31+00:00 | [New-App, New-App] | 00:00:00 | 2 | 0.000028 | [New-App, New-App] |
261 | NaN | NaN | 2020-05-06 01:49:17+00:00 | 2020-05-06 01:50:56+00:00 | [Enable-AddressListPaging, New-ExchangeAssistanceConfig, Set-TransportConfig, Install-DefaultSha... | 00:01:39 | 48 | 0.000063 | [Set-ExchangeAssistanceConfig, Set-TransportConfig, Set-RecipientEnforcementProvisioningPolicy] |
247 | NaN | NaN | 2020-05-02 11:31:53+00:00 | 2020-05-02 11:33:14+00:00 | [Enable-AddressListPaging, New-ExchangeAssistanceConfig, Set-TransportConfig, Install-DefaultSha... | 00:01:21 | 49 | 0.000081 | [Set-ExchangeAssistanceConfig, Set-AdminAuditLogConfig, Set-TenantObjectVersion] |
224 | NaN | NaN | 2020-04-23 21:42:48+00:00 | 2020-04-23 21:44:45+00:00 | [Enable-AddressListPaging, New-ExchangeAssistanceConfig, Set-TransportConfig, Install-DefaultSha... | 00:01:57 | 49 | 0.000085 | [Set-OwaMailboxPolicy, Set-Mailbox, Add-MailboxPermission] |
 | UserId | ClientIP | nCmds | nDistinctCmds | begin | end | duration | cmds | params |
---|---|---|---|---|---|---|---|---|---|
0 |  |  | 2 | 2 | 2020-03-31 02:19:26+00:00 | 2020-03-31 02:19:28+00:00 | 00:00:02 | [Remove-MailboxLocation, Set-User] | [{'Remove-MailboxLocation': [{'Name': 'Identity', 'Value': '4b2462a4-bbee-495a-a0e1-f23ae524cc9c... |
1 |  |  | 1 | 1 | 2020-03-31 22:02:51+00:00 | 2020-03-31 22:02:51+00:00 | 00:00:00 | [Set-User] | [{'Set-User': [{'Name': 'Identity', 'Value': '4b2462a4-bbee-495a-a0e1-f23ae524cc9c\\\\a2409f54-2a3... |
2 |  |  | 2 | 2 | 2020-04-01 20:12:19+00:00 | 2020-04-01 20:12:55+00:00 | 00:00:36 | [Remove-MailboxLocation, Set-User] | [{'Remove-MailboxLocation': [{'Name': 'Identity', 'Value': '4b2462a4-bbee-495a-a0e1-f23ae524cc9c... |
3 |  |  | 3 | 2 | 2020-04-02 09:01:22+00:00 | 2020-04-02 09:01:38+00:00 | 00:00:16 | [Remove-MailboxLocation, Remove-MailboxLocation, Set-User] | [{'Remove-MailboxLocation': [{'Name': 'Identity', 'Value': '4b2462a4-bbee-495a-a0e1-f23ae524cc9c... |
4 |  |  | 1 | 1 | 2020-04-02 13:49:42+00:00 | 2020-04-02 13:49:42+00:00 | 00:00:00 | [Set-ConditionalAccessPolicy] | [{'Set-ConditionalAccessPolicy': [{'Name': 'Identity', 'Value': 'seccxpninja.onmicrosoft.com\\\\64... |
 | UserId | ClientIP | nCmds | nDistinctCmds | begin | end | duration | role | UserAgent | cmds | params |
---|---|---|---|---|---|---|---|---|---|---|---|
0 | AROA3WIKNJYL5IERDHCJX:0e1059bf-bb62-449c-bca4-90871edc48b1 | 13.68.133.167 | 15 | 1 | 2020-05-28 04:18:17+00:00 | 2020-05-28 04:18:18+00:00 | 00:00:01 | Ashwin-AzSentinel | aws-sdk-dotnet-45/3.3.100.7 aws-sdk-dotnet-core/3.3.100.7 .NET_Runtime/4.0 .NET_Framework/4.0 OS... | [LookupEvents, LookupEvents, LookupEvents, LookupEvents, LookupEvents, LookupEvents, LookupEvent... | [{'LookupEvents': {'startTime': 'May 28, 2020 3:57:26 AM', 'endTime': 'May 28, 2020 4:02:26 AM'}... |
1 | AROA3WIKNJYL5IERDHCJX:0e1059bf-bb62-449c-bca4-90871edc48b1 | 13.68.133.167 | 14 | 1 | 2020-05-28 04:23:23+00:00 | 2020-05-28 04:23:23+00:00 | 00:00:00 | Ashwin-AzSentinel | aws-sdk-dotnet-45/3.3.100.7 aws-sdk-dotnet-core/3.3.100.7 .NET_Runtime/4.0 .NET_Framework/4.0 OS... | [LookupEvents, LookupEvents, LookupEvents, LookupEvents, LookupEvents, LookupEvents, LookupEvent... | [{'LookupEvents': {'startTime': 'May 28, 2020 4:02:26 AM', 'endTime': 'May 28, 2020 4:07:26 AM'}... |
2 | AROA3WIKNJYL5IERDHCJX:0e1059bf-bb62-449c-bca4-90871edc48b1 | 40.87.53.92 | 14 | 1 | 2020-05-28 04:13:08+00:00 | 2020-05-28 04:13:09+00:00 | 00:00:01 | Ashwin-AzSentinel | aws-sdk-dotnet-45/3.3.100.7 aws-sdk-dotnet-core/3.3.100.7 .NET_Runtime/4.0 .NET_Framework/4.0 OS... | [LookupEvents, LookupEvents, LookupEvents, LookupEvents, LookupEvents, LookupEvents, LookupEvent... | [{'LookupEvents': {'startTime': 'May 28, 2020 3:52:26 AM', 'endTime': 'May 28, 2020 3:57:26 AM'}... |
3 | AROA3WIKNJYL5IERDHCJX:0e1059bf-bb62-449c-bca4-90871edc48b1 | 40.87.53.92 | 16 | 1 | 2020-05-28 04:42:30+00:00 | 2020-05-28 04:42:30+00:00 | 00:00:00 | Ashwin-AzSentinel | aws-sdk-dotnet-45/3.3.100.7 aws-sdk-dotnet-core/3.3.100.7 .NET_Runtime/4.0 .NET_Framework/4.0 OS... | [LookupEvents, LookupEvents, LookupEvents, LookupEvents, LookupEvents, LookupEvents, LookupEvent... | [{'LookupEvents': {'startTime': 'May 28, 2020 4:22:26 AM', 'endTime': 'May 28, 2020 4:27:26 AM'}... |
4 | AROA3WIKNJYL5IERDHCJX:0e1059bf-bb62-449c-bca4-90871edc48b1 | 52.170.0.208 | 16 | 1 | 2020-05-28 04:02:45+00:00 | 2020-05-28 04:02:45+00:00 | 00:00:00 | Ashwin-AzSentinel | aws-sdk-dotnet-45/3.3.100.7 aws-sdk-dotnet-core/3.3.100.7 .NET_Runtime/4.0 .NET_Framework/4.0 OS... | [LookupEvents, LookupEvents, LookupEvents, LookupEvents, LookupEvents, LookupEvents, LookupEvent... | [{'LookupEvents': {'startTime': 'May 28, 2020 3:42:26 AM', 'endTime': 'May 28, 2020 3:47:26 AM'}... |
 | UserId | Computer | nExecutables | nDistinctExecutables | begin | end | duration | executables | params |
---|---|---|---|---|---|---|---|---|---|
0 | AAD_c47380e4e88e--CONTOSO | ContosoDc.Contoso.Azure | 1 | 1 | 2020-05-21 18:32:45.557000+00:00 | 2020-05-21 18:32:45.557000+00:00 | 0 days | [miiserver] | [{'miiserver': ['miiserver', 'Microsoft® Azure® AD Connect', 'Microsoft® Azure® AD Connect',... |
1 | AAD_c47380e4e88e--CONTOSO | ContosoDc.Contoso.Azure | 1 | 1 | 2020-05-21 19:32:45.731000+00:00 | 2020-05-21 19:32:45.731000+00:00 | 0 days | [miiserver] | [{'miiserver': ['miiserver', 'Microsoft® Azure® AD Connect', 'Microsoft® Azure® AD Connect',... |
2 | AAD_c47380e4e88e--CONTOSO | ContosoDc.Contoso.Azure | 1 | 1 | 2020-05-21 20:32:45.911000+00:00 | 2020-05-21 20:32:45.911000+00:00 | 0 days | [miiserver] | [{'miiserver': ['miiserver', 'Microsoft® Azure® AD Connect', 'Microsoft® Azure® AD Connect',... |
3 | AAD_c47380e4e88e--CONTOSO | ContosoDc.Contoso.Azure | 1 | 1 | 2020-05-21 21:32:46.104000+00:00 | 2020-05-21 21:32:46.104000+00:00 | 0 days | [miiserver] | [{'miiserver': ['miiserver', 'Microsoft® Azure® AD Connect', 'Microsoft® Azure® AD Connect',... |
4 | AAD_c47380e4e88e--CONTOSO | ContosoDc.Contoso.Azure | 1 | 1 | 2020-05-21 22:32:46.271000+00:00 | 2020-05-21 22:32:46.271000+00:00 | 0 days | [miiserver] | [{'miiserver': ['miiserver', 'Microsoft® Azure® AD Connect', 'Microsoft® Azure® AD Connect',... |