{ "cells": [ { "cell_type": "markdown", "metadata": {}, "source": [ "# MSTICPy Pivot Functions\n", "\n", "## What are Pivot Functions?\n", "\n", "MSTICPy has a lot of functionality distributed across many classes and modules.\n", "However, there is no simple way to discover where these functions are and what types\n", "of data each function is relevant to.\n", "\n", "Pivot functions bring this functionality together grouped around Entities.\n", "\n", "Entities are representations of real-world objects commonly found in CyberSec investigations.\n", "Some examples are:\n", "\n", "- IP Address\n", "- Host\n", "- Account\n", "- URL\n", "\n", "MSTICPy has had entity classes from the very early days but, until now, these\n", "have only been used sporadically in the rest of the package.\n", "\n", "The pivot functionality exposes operations relevant to a particular\n", "entity as methods of that entity. These operations can include:\n", "\n", "- Data queries\n", "- Threat intelligence lookups\n", "- Other data lookups such as GeoLocation or domain resolution\n", "- Other local functionality\n", "\n", "## What is Pivoting?\n", "\n", "The name comes from the common practice of Cyber investigators navigating\n", "between related entities. 
For example an entity/investigation chain might\n", "look like the following:\n", "\n", "\n", "| Step | Source | Operation | Target |\n", "| :--: | :----------------- | :----------------- | :----------------- |\n", "| 1 | Alert | Review alert -> | Source IP(A) |\n", "| 2 | Source IP(A) | Lookup TI -> | Related URLs |\n", "| | | | Malware names |\n", "| 3 | URL | Query web logs -> | Requesting hosts |\n", "| 4 | Host | Query host logons -> | Accounts |\n", "\n", "\n", "At each step there are one or more directions that you can take to\n", "follow the chain of related indicators of activity in a possible attack.\n", "\n", "Bringing these functions into a few, well-known locations makes it easier to\n", "use MSTICPy to carry out this common pivoting pattern in Jupyter notebooks." ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "---\n", "\n", "## Getting started" ] }, { "cell_type": "code", "execution_count": 1, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Processing imports....\n", "Checking configuration....\n", "No errors found.\n", "No warnings found.\n", "Setting notebook options....\n" ] }, { "data": { "text/html": [ "
| | ip | result |
|---|---|---|
| 0 | 10.1.1.1 | Private |
| | ip | result |
|---|---|---|
| 0 | 157.53.1.1 | Public |
| | asn | asn_cidr | asn_country_code | asn_date | asn_description | asn_registry | nets | nir | query | raw | raw_referral | referral |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 0 | NA | NA | US | 2015-04-01 | NA | arin | [{'cidr': '157.53.0.0/16', 'name': 'NETACTUATE-MDN-04', 'handle': 'NET-157-53-0-0-1', 'range': '... | None | 157.53.1.1 | None | None | None |
| | CountryCode | CountryName | State | City | Longitude | Latitude | Asn | edges | Type | AdditionalData | IpAddress |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 0 | US | United States | None | None | -97.822 | 37.751 | None | {} | geolocation | {} | 157.53.1.1 |
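The ip_type results above (10.1.1.1 is Private, 157.53.1.1 is Public) come from a pivot function attached to the IpAddress entity. The following is an added example, not MSTICPy's own code, of how that pattern can be built: a decorator that registers a function on an entity class under a namespace, accepts a single value, a list of values, or a list of rows plus a column name, and makes the attached functions discoverable from the entity. The Entity and IpAddress classes, the pivot_function decorator, list_pivots, public_only and the list-of-dicts return shape are assumptions of this illustration (MSTICPy returns DataFrames); the Private/Public classification uses the standard-library ipaddress module.

```python
"""Minimal illustration of the pivot-function pattern: functions grouped
around an entity class so they are discoverable from the entity itself.
Added example; the Entity/IpAddress classes, the pivot_function decorator,
list_pivots and the list-of-dicts return shape are assumptions of this
illustration, not MSTICPy's implementation (which returns DataFrames)."""
import ipaddress
from types import SimpleNamespace
from typing import Any, Callable, Dict, Iterable, List, Union

Row = Dict[str, Any]


class Entity:
    """Base entity; pivot functions are registered per subclass name."""

    _pivots: Dict[str, Dict[str, Dict[str, Callable]]] = {}

    @classmethod
    def list_pivots(cls) -> List[str]:
        """Names of the pivot functions attached to this entity as 'namespace.func'."""
        return sorted(
            f"{ns}.{name}"
            for ns, funcs in cls._pivots.get(cls.__name__, {}).items()
            for name in funcs
        )


class IpAddress(Entity):
    """IP address entity; namespaces such as 'util' are attached at registration time."""


def _normalize_input(value: Union[str, Iterable[Any], None], input_col: Union[str, None]) -> List[str]:
    """Accept a single value, an iterable of values, or rows (dicts) plus a column name."""
    if value is None:
        raise ValueError("a value, a list of values, or rows with input_col is required")
    if isinstance(value, str):
        return [value]
    if input_col is not None:
        return [str(row[input_col]) for row in value]
    return [str(item) for item in value]


def pivot_function(entity: type, namespace: str, name: str) -> Callable:
    """Decorator: expose func as entity.<namespace>.<name> with uniform input handling."""

    def register(func: Callable[..., Row]) -> Callable[..., List[Row]]:
        def wrapper(value=None, *, input_col: Union[str, None] = None, **kwargs) -> List[Row]:
            # One result row per input value, whatever shape the input arrived in.
            return [func(item, **kwargs) for item in _normalize_input(value, input_col)]

        ns = getattr(entity, namespace, None)
        if ns is None:
            ns = SimpleNamespace()
            setattr(entity, namespace, ns)
        setattr(ns, name, wrapper)
        entity._pivots.setdefault(entity.__name__, {}).setdefault(namespace, {})[name] = wrapper
        return wrapper

    return register


@pivot_function(IpAddress, "util", "ip_type")
def ip_type(ip_str: str) -> Row:
    """Classify an address (Private/Public/Loopback/...) with the stdlib ipaddress module."""
    try:
        addr = ipaddress.ip_address(ip_str)
    except ValueError:
        return {"ip": ip_str, "result": "Invalid"}
    if addr.is_loopback:
        result = "Loopback"
    elif addr.is_multicast:
        result = "Multicast"
    elif addr.is_link_local:
        result = "Link Local"
    elif addr.is_private:
        result = "Private"
    elif addr.is_global:
        result = "Public"
    else:
        result = "Reserved"
    return {"ip": ip_str, "result": result}


def public_only(rows: List[Row], input_col: str) -> List[str]:
    """Pivot step: keep only the public addresses from a column of rows, the set
    worth sending on to whois or geolocation lookups."""
    results = IpAddress.util.ip_type(rows, input_col=input_col)
    return [r["ip"] for r in results if r["result"] == "Public"]


if __name__ == "__main__":
    # Constructed sample mirroring the pasted-in AllExtIPs column in this notebook.
    sample = [{"AllExtIPs": ip} for ip in ("172.217.15.99", "10.0.3.4", "10.0.3.5", "13.82.152.48")]
    print(IpAddress.list_pivots())            # ['util.ip_type']
    print(IpAddress.util.ip_type("10.1.1.1"))  # [{'ip': '10.1.1.1', 'result': 'Private'}]
    print(public_only(sample, "AllExtIPs"))   # ['172.217.15.99', '13.82.152.48']
```

The point of the wrapper is that every pivot function takes the same three input shapes, so a result column from one step (the public addresses here) can be fed straight into the next step of the chain without reshaping it by hand.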
Use our magic function to convert pasted-in list to dataframe
" ], "text/plain": [ "\n", " | AllExtIPs | \n", "
---|---|
9 | \n", "172.217.15.99 | \n", "
10 | \n", "40.85.232.64 | \n", "
11 | \n", "20.38.98.100 | \n", "
12 | \n", "23.96.64.84 | \n", "
13 | \n", "65.55.44.108 | \n", "
14 | \n", "131.107.147.209 | \n", "
15 | \n", "10.0.3.4 | \n", "
16 | \n", "10.0.3.5 | \n", "
17 | \n", "13.82.152.48 | \n", "
| | ip | result |
|---|---|---|
| 0 | 23.96.64.84 | Public |
| 1 | 65.55.44.108 | Public |
| 2 | 131.107.147.209 | Public |
| 3 | 10.0.3.4 | Private |
| 4 | 10.0.3.5 | Private |
| 5 | 13.82.152.48 | Public |
| | nir | asn_registry | asn | asn_cidr | asn_country_code | asn_date | asn_description | query | nets | raw | referral | raw_referral |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 0 | NaN | arin | 8075 | 23.96.0.0/14 | US | 2013-06-18 | MICROSOFT-CORP-MSN-AS-BLOCK, US | 23.96.64.84 | [{'cidr': '23.96.0.0/13', 'name': 'MSFT', 'handle': 'NET-23-96-0-0-1', 'range': '23.96.0.0 - 23.... | NaN | NaN | NaN |
| 1 | NaN | arin | 8075 | 65.52.0.0/14 | US | 2001-02-14 | MICROSOFT-CORP-MSN-AS-BLOCK, US | 65.55.44.108 | [{'cidr': '65.52.0.0/14', 'name': 'MICROSOFT-1BLK', 'handle': 'NET-65-52-0-0-1', 'range': '65.52... | NaN | NaN | NaN |
| 2 | NaN | arin | 3598 | 131.107.0.0/16 | US | 1988-11-11 | MICROSOFT-CORP-AS, US | 131.107.147.209 | [{'cidr': '131.107.0.0/16', 'name': 'MICROSOFT', 'handle': 'NET-131-107-0-0-1', 'range': '131.10... | NaN | NaN | NaN |
| 3 | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN |
| 4 | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN |
| 5 | NaN | arin | 8075 | 13.64.0.0/11 | US | 2015-03-26 | MICROSOFT-CORP-MSN-AS-BLOCK, US | 13.82.152.48 | [{'cidr': '13.104.0.0/14, 13.64.0.0/11, 13.96.0.0/13', 'name': 'MSFT', 'handle': 'NET-13-64-0-0-... | NaN | NaN | NaN |
| | CountryCode | CountryName | State | City | Longitude | Latitude | Asn | edges | Type | AdditionalData | IpAddress |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 0 | US | United States | Virginia | Washington | -78.1539 | 38.7095 | None | {} | geolocation | {} | 23.96.64.84 |
| 1 | US | United States | Virginia | Boydton | -78.3750 | 36.6534 | None | {} | geolocation | {} | 65.55.44.108 |
| 2 | US | United States | Washington | Redmond | -122.1257 | 47.6722 | None | {} | geolocation | {} | 131.107.147.209 |
| 3 | US | United States | Virginia | Washington | -78.1539 | 38.7095 | None | {} | geolocation | {} | 13.82.152.48 |
| | ip | result |
|---|---|---|
| 0 | 172.217.15.99 | Public |
| 1 | 40.85.232.64 | Public |
| 2 | 20.38.98.100 | Public |
| 3 | 23.96.64.84 | Public |
| 4 | 65.55.44.108 | Public |
| 5 | 131.107.147.209 | Public |
| 6 | 10.0.3.4 | Private |
| 7 | 10.0.3.5 | Private |
| 8 | 13.82.152.48 | Public |
| | nir | asn_registry | asn | asn_cidr | asn_country_code | asn_date | asn_description | query | nets | raw | referral | raw_referral |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 9 | NaN | arin | 15169 | 172.217.15.0/24 | US | 2012-04-16 | GOOGLE, US | 172.217.15.99 | [{'cidr': '172.217.0.0/16', 'name': 'GOOGLE', 'handle': 'NET-172-217-0-0-1', 'range': '172.217.0... | NaN | NaN | NaN |
| 10 | NaN | arin | 8075 | 40.80.0.0/12 | US | 2015-02-23 | MICROSOFT-CORP-MSN-AS-BLOCK, US | 40.85.232.64 | [{'cidr': '40.112.0.0/13, 40.76.0.0/14, 40.120.0.0/14, 40.80.0.0/12, 40.74.0.0/15, 40.125.0.0/17... | NaN | NaN | NaN |
| 11 | NaN | arin | 8075 | 20.36.0.0/14 | US | 2017-10-18 | MICROSOFT-CORP-MSN-AS-BLOCK, US | 20.38.98.100 | [{'cidr': '20.40.0.0/13, 20.33.0.0/16, 20.36.0.0/14, 20.64.0.0/10, 20.34.0.0/15, 20.128.0.0/16, ... | NaN | NaN | NaN |
| 12 | NaN | arin | 8075 | 23.96.0.0/14 | US | 2013-06-18 | MICROSOFT-CORP-MSN-AS-BLOCK, US | 23.96.64.84 | [{'cidr': '23.96.0.0/13', 'name': 'MSFT', 'handle': 'NET-23-96-0-0-1', 'range': '23.96.0.0 - 23.... | NaN | NaN | NaN |
| 13 | NaN | arin | 8075 | 65.52.0.0/14 | US | 2001-02-14 | MICROSOFT-CORP-MSN-AS-BLOCK, US | 65.55.44.108 | [{'cidr': '65.52.0.0/14', 'name': 'MICROSOFT-1BLK', 'handle': 'NET-65-52-0-0-1', 'range': '65.52... | NaN | NaN | NaN |
| 14 | NaN | arin | 3598 | 131.107.0.0/16 | US | 1988-11-11 | MICROSOFT-CORP-AS, US | 131.107.147.209 | [{'cidr': '131.107.0.0/16', 'name': 'MICROSOFT', 'handle': 'NET-131-107-0-0-1', 'range': '131.10... | NaN | NaN | NaN |
| 15 | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN |
| 16 | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN |
| 17 | NaN | arin | 8075 | 13.64.0.0/11 | US | 2015-03-26 | MICROSOFT-CORP-MSN-AS-BLOCK, US | 13.82.152.48 | [{'cidr': '13.104.0.0/14, 13.64.0.0/11, 13.96.0.0/13', 'name': 'MSFT', 'handle': 'NET-13-64-0-0-... | NaN | NaN | NaN |
| | CountryCode | CountryName | State | City | Longitude | Latitude | Asn | edges | Type | AdditionalData | IpAddress |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 0 | US | United States | None | None | -97.8220 | 37.7510 | None | {} | geolocation | {} | 172.217.15.99 |
| 1 | CA | Canada | Ontario | Toronto | -79.4195 | 43.6644 | None | {} | geolocation | {} | 40.85.232.64 |
| 2 | US | United States | Virginia | Washington | -78.1539 | 38.7095 | None | {} | geolocation | {} | 20.38.98.100 |
| 3 | US | United States | Virginia | Washington | -78.1539 | 38.7095 | None | {} | geolocation | {} | 23.96.64.84 |
| 4 | US | United States | Virginia | Boydton | -78.3750 | 36.6534 | None | {} | geolocation | {} | 65.55.44.108 |
| 5 | US | United States | Washington | Redmond | -122.1257 | 47.6722 | None | {} | geolocation | {} | 131.107.147.209 |
| 6 | US | United States | Virginia | Washington | -78.1539 | 38.7095 | None | {} | geolocation | {} | 13.82.152.48 |
| | AllExtIPs | CountryCode | CountryName | State | City | Longitude | Latitude | Asn | edges | Type | AdditionalData | IpAddress |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 0 | 172.217.15.99 | US | United States | None | None | -97.8220 | 37.7510 | None | {} | geolocation | {} | 172.217.15.99 |
| 1 | 40.85.232.64 | CA | Canada | Ontario | Toronto | -79.4195 | 43.6644 | None | {} | geolocation | {} | 40.85.232.64 |
| 2 | 20.38.98.100 | US | United States | Virginia | Washington | -78.1539 | 38.7095 | None | {} | geolocation | {} | 20.38.98.100 |
| 3 | 23.96.64.84 | US | United States | Virginia | Washington | -78.1539 | 38.7095 | None | {} | geolocation | {} | 23.96.64.84 |
| 4 | 65.55.44.108 | US | United States | Virginia | Boydton | -78.3750 | 36.6534 | None | {} | geolocation | {} | 65.55.44.108 |
| 5 | 131.107.147.209 | US | United States | Washington | Redmond | -122.1257 | 47.6722 | None | {} | geolocation | {} | 131.107.147.209 |
| 6 | 10.0.3.4 | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN |
| 7 | 10.0.3.5 | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN |
| 8 | 13.82.152.48 | US | United States | Virginia | Washington | -78.1539 | 38.7095 | None | {} | geolocation | {} | 13.82.152.48 |
| | TenantId | SourceSystem | TimeGenerated | MG | ManagementGroupName | SourceComputerId | ComputerIP | Computer | Category | OSType | OSName | OSMajorVersion | OSMinorVersion | Version | SCAgentChannel | IsGatewayInstalled | RemoteIPLongitude | RemoteIPLatitude | RemoteIPCountry | SubscriptionId | ResourceGroup | ResourceProvider | Resource | ResourceId | ResourceType | ComputerEnvironment | Solutions | VMUUID | Type | _ResourceId |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 0 | 8ecf8077-cf51-4820-aadd-14040956f35d | OpsManager | 2020-12-03 18:01:11.167000+00:00 | 00000000-0000-0000-0000-000000000001 | AOI-8ecf8077-cf51-4820-aadd-14040956f35d | f6638b82-98a5-4542-8bec-6bc0977f793f | 13.89.108.248 | VictimPc.Contoso.Azure | Direct Agent | Windows | | 10 | 0 | 10.20.18040.0 | Direct | False | -93.62 | 41.59 | United States | d1d8779d-38d7-4f06-91db-9cbc8de0176f | DefendTheFlag | Microsoft.Compute | VictimPc | /subscriptions/d1d8779d-38d7-4f06-91db-9cbc8de0176f/resourceGroups/DefendTheFlag/providers/Micro... | virtualMachines | Azure | "behaviorAnalyticsInsights", "security", "networkMonitoring", "dnsAnalytics", "securityCenterFre... | 14fa800d-e9b0-4dea-86ac-679933d59253 | Heartbeat | /subscriptions/d1d8779d-38d7-4f06-91db-9cbc8de0176f/resourcegroups/defendtheflag/providers/micro... |
| | TenantId | Account | EventID | TimeGenerated | SourceComputerId | Computer | SubjectUserName | SubjectDomainName | SubjectUserSid | TargetUserName | TargetDomainName | TargetUserSid | TargetLogonId | LogonProcessName | LogonType | LogonTypeName | AuthenticationPackageName | Status | IpAddress | WorkstationName | TimeCreatedUtc |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 0 | 8ecf8077-cf51-4820-aadd-14040956f35d | NT AUTHORITY\SYSTEM | 4624 | 2020-10-01 22:39:36.987000+00:00 | f6638b82-98a5-4542-8bec-6bc0977f793f | VictimPc.Contoso.Azure | VictimPc$ | CONTOSO | S-1-5-18 | SYSTEM | NT AUTHORITY | S-1-5-18 | 0x3e7 | Advapi | 5 | 5 - Service | Negotiate | | - | - | 2020-10-01 22:39:36.987000+00:00 |
| 1 | 8ecf8077-cf51-4820-aadd-14040956f35d | NT AUTHORITY\SYSTEM | 4624 | 2020-10-01 22:39:37.220000+00:00 | f6638b82-98a5-4542-8bec-6bc0977f793f | VictimPc.Contoso.Azure | VictimPc$ | CONTOSO | S-1-5-18 | SYSTEM | NT AUTHORITY | S-1-5-18 | 0x3e7 | Advapi | 5 | 5 - Service | Negotiate | | - | - | 2020-10-01 22:39:37.220000+00:00 |
| 2 | 8ecf8077-cf51-4820-aadd-14040956f35d | NT AUTHORITY\SYSTEM | 4624 | 2020-10-01 22:39:42.603000+00:00 | f6638b82-98a5-4542-8bec-6bc0977f793f | VictimPc.Contoso.Azure | VictimPc$ | CONTOSO | S-1-5-18 | SYSTEM | NT AUTHORITY | S-1-5-18 | 0x3e7 | Advapi | 5 | 5 - Service | Negotiate | | - | - | 2020-10-01 22:39:42.603000+00:00 |
| 3 | 8ecf8077-cf51-4820-aadd-14040956f35d | CONTOSO\RonHD | 4624 | 2020-10-01 22:40:00.957000+00:00 | f6638b82-98a5-4542-8bec-6bc0977f793f | VictimPc.Contoso.Azure | VictimPc$ | CONTOSO | S-1-5-18 | RonHD | CONTOSO | S-1-5-21-1661583231-2311428937-3957907789-1105 | 0x117a0f7f | Advapi | 4 | 4 - Batch | Negotiate | | - | VictimPc | 2020-10-01 22:40:00.957000+00:00 |
| 4 | 8ecf8077-cf51-4820-aadd-14040956f35d | NT AUTHORITY\SYSTEM | 4624 | 2020-10-01 22:40:14.040000+00:00 | f6638b82-98a5-4542-8bec-6bc0977f793f | VictimPc.Contoso.Azure | VictimPc$ | CONTOSO | S-1-5-18 | SYSTEM | NT AUTHORITY | S-1-5-18 | 0x3e7 | Advapi | 5 | 5 - Service | Negotiate | | - | - | 2020-10-01 22:40:14.040000+00:00 |
| EventID | Activity | Computer |
|---|---|---|
| 4624 | 4624 - An account was successfully logged on. | 520 |
| 4672 | 4672 - Special privileges assigned to new logon. | 436 |
| | TenantId | SourceSystem | TimeGenerated | ResourceId | OperationName | OperationVersion | Category | ResultType | ResultSignature | ResultDescription | DurationMs | CorrelationId | Resource | ResourceGroup | ResourceProvider | Identity | Level | Location | AlternateSignInName | AppDisplayName | AppId | AuthenticationDetails | AuthenticationMethodsUsed | AuthenticationProcessingDetails | AuthenticationRequirement | ... | IsRisky | LocationDetails | MfaDetail | NetworkLocationDetails | OriginalRequestId | ProcessingTimeInMilliseconds | RiskDetail | RiskEventTypes | RiskEventTypes_V2 | RiskLevelAggregated | RiskLevelDuringSignIn | RiskState | ResourceDisplayName | ResourceIdentity | ServicePrincipalId | ServicePrincipalName | Status | TokenIssuerName | TokenIssuerType | UserAgent | UserDisplayName | UserId | UserPrincipalName | AADTenantId | Type |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 0 | 8ecf8077-cf51-4820-aadd-14040956f35d | Azure AD | 2020-10-01 13:02:35.957000+00:00 | /tenants/4b2462a4-bbee-495a-a0e1-f23ae524cc9c/providers/Microsoft.aadiam | Sign-in activity | 1.0 | SignInLogs | 0 | None | | 0 | affb9968-fde2-4369-bd7e-d529369d6da1 | Microsoft.aadiam | Microsoft.aadiam | | Brandon | 4 | US | | Azure Advanced Threat Protection | 7b7531ad-5926-4f2d-8a1d-38495ad33e17 | [] | | [\r\n {\r\n "key": "IsCAEToken",\r\n "value": "False"\r\n }\r\n] | singleFactorAuthentication | ... | None | {'city': 'Lewisville', 'state': 'Texas', 'countryOrRegion': 'US', 'geoCoordinates': {'latitude':... | None | [] | 5d995a60-e8ef-4ca8-acdd-41c2db788100 | 182 | none | [] | [] | none | none | none | Azure Advanced Threat Protection | 7b7531ad-5926-4f2d-8a1d-38495ad33e17 | | | {'errorCode': 0} | | AzureAD | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.427... | Brandon | 9dadd76f-3237-4e1d-84e7-e45c59867492 | brandon@seccxpninja.onmicrosoft.com | 4b2462a4-bbee-495a-a0e1-f23ae524cc9c | SigninLogs |
| 1 | 8ecf8077-cf51-4820-aadd-14040956f35d | Azure AD | 2020-10-01 14:02:40.100000+00:00 | /tenants/4b2462a4-bbee-495a-a0e1-f23ae524cc9c/providers/Microsoft.aadiam | Sign-in activity | 1.0 | SignInLogs | 0 | None | | 0 | 9d67aa98-e889-417b-888d-e75611c1a458 | Microsoft.aadiam | Microsoft.aadiam | | Brandon | 4 | US | | Azure Advanced Threat Protection | 7b7531ad-5926-4f2d-8a1d-38495ad33e17 | [] | | [\r\n {\r\n "key": "IsCAEToken",\r\n "value": "False"\r\n }\r\n] | singleFactorAuthentication | ... | None | {'city': 'Lewisville', 'state': 'Texas', 'countryOrRegion': 'US', 'geoCoordinates': {'latitude':... | None | [] | 70141716-651c-4f23-a1f8-e06015497f00 | 176 | none | [] | [] | none | none | none | Azure Advanced Threat Protection | 7b7531ad-5926-4f2d-8a1d-38495ad33e17 | | | {'errorCode': 0} | | AzureAD | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.427... | Brandon | 9dadd76f-3237-4e1d-84e7-e45c59867492 | brandon@seccxpninja.onmicrosoft.com | 4b2462a4-bbee-495a-a0e1-f23ae524cc9c | SigninLogs |
| 2 | 8ecf8077-cf51-4820-aadd-14040956f35d | Azure AD | 2020-10-01 15:02:45.205000+00:00 | /tenants/4b2462a4-bbee-495a-a0e1-f23ae524cc9c/providers/Microsoft.aadiam | Sign-in activity | 1.0 | SignInLogs | 0 | None | | 0 | d3c71898-c2f7-4563-ae0c-82851116852d | Microsoft.aadiam | Microsoft.aadiam | | Brandon | 4 | US | | Azure Advanced Threat Protection | 7b7531ad-5926-4f2d-8a1d-38495ad33e17 | [] | | [\r\n {\r\n "key": "IsCAEToken",\r\n "value": "False"\r\n }\r\n] | singleFactorAuthentication | ... | None | {'city': 'Lewisville', 'state': 'Texas', 'countryOrRegion': 'US', 'geoCoordinates': {'latitude':... | None | [] | 422d0e7e-9e69-48ea-85a7-34bcb7a20101 | 166 | none | [] | [] | none | none | none | Azure Advanced Threat Protection | 7b7531ad-5926-4f2d-8a1d-38495ad33e17 | | | {'errorCode': 0} | | AzureAD | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.427... | Brandon | 9dadd76f-3237-4e1d-84e7-e45c59867492 | brandon@seccxpninja.onmicrosoft.com | 4b2462a4-bbee-495a-a0e1-f23ae524cc9c | SigninLogs |
| 3 | 8ecf8077-cf51-4820-aadd-14040956f35d | Azure AD | 2020-10-01 17:45:14.507000+00:00 | /tenants/4b2462a4-bbee-495a-a0e1-f23ae524cc9c/providers/Microsoft.aadiam | Sign-in activity | 1.0 | SignInLogs | 0 | None | | 0 | b1d3e8fa-fe53-4b6f-b683-debb7b482f87 | Microsoft.aadiam | Microsoft.aadiam | | Brandon | 4 | US | | Microsoft Cloud App Security | 05a65629-4c1b-48c1-a78b-804c4abdd4af | [] | | [\r\n {\r\n "key": "IsCAEToken",\r\n "value": "False"\r\n }\r\n] | singleFactorAuthentication | ... | None | {'city': 'Lewisville', 'state': 'Texas', 'countryOrRegion': 'US', 'geoCoordinates': {'latitude':... | None | [] | 70959618-8d07-4004-a68f-0b93c1409200 | 150 | none | [] | [] | none | none | none | Windows Azure Active Directory | 00000002-0000-0000-c000-000000000000 | | | {'errorCode': 0} | | AzureAD | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.427... | Brandon | 9dadd76f-3237-4e1d-84e7-e45c59867492 | brandon@seccxpninja.onmicrosoft.com | 4b2462a4-bbee-495a-a0e1-f23ae524cc9c | SigninLogs |
| 4 | 8ecf8077-cf51-4820-aadd-14040956f35d | Azure AD | 2020-10-01 10:02:18.923000+00:00 | /tenants/4b2462a4-bbee-495a-a0e1-f23ae524cc9c/providers/Microsoft.aadiam | Sign-in activity | 1.0 | SignInLogs | 0 | None | | 0 | ac81524b-bb83-4a0a-a3f8-577a14dda295 | Microsoft.aadiam | Microsoft.aadiam | | Brandon | 4 | US | | Azure Advanced Threat Protection | 7b7531ad-5926-4f2d-8a1d-38495ad33e17 | [] | | [\r\n {\r\n "key": "IsCAEToken",\r\n "value": "False"\r\n }\r\n] | singleFactorAuthentication | ... | None | {'city': 'Lewisville', 'state': 'Texas', 'countryOrRegion': 'US', 'geoCoordinates': {'latitude':... | None | [] | c2bcb991-75ad-42f4-a6c0-1a90686dfd00 | 210 | none | [] | [] | none | none | none | Azure Advanced Threat Protection | 7b7531ad-5926-4f2d-8a1d-38495ad33e17 | | | {'errorCode': 0} | | AzureAD | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.427... | Brandon | 9dadd76f-3237-4e1d-84e7-e45c59867492 | brandon@seccxpninja.onmicrosoft.com | 4b2462a4-bbee-495a-a0e1-f23ae524cc9c | SigninLogs |

5 rows × 59 columns
| | TenantId | SourceSystem | TimeGenerated | ResourceId | OperationName | OperationVersion | Category | ResultType | ResultSignature | ResultDescription | DurationMs | CorrelationId | Resource | ResourceGroup | ResourceProvider | Identity | Level | Location | AlternateSignInName | AppDisplayName | AppId | AuthenticationDetails | AuthenticationMethodsUsed | AuthenticationProcessingDetails | AuthenticationRequirement | ... | IsRisky | LocationDetails | MfaDetail | NetworkLocationDetails | OriginalRequestId | ProcessingTimeInMilliseconds | RiskDetail | RiskEventTypes | RiskEventTypes_V2 | RiskLevelAggregated | RiskLevelDuringSignIn | RiskState | ResourceDisplayName | ResourceIdentity | ServicePrincipalId | ServicePrincipalName | Status | TokenIssuerName | TokenIssuerType | UserAgent | UserDisplayName | UserId | UserPrincipalName | AADTenantId | Type |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 0 | 8ecf8077-cf51-4820-aadd-14040956f35d | Azure AD | 2020-10-01 11:04:42.689000+00:00 | /tenants/4b2462a4-bbee-495a-a0e1-f23ae524cc9c/providers/Microsoft.aadiam | Sign-in activity | 1.0 | SignInLogs | 0 | None | | 0 | 2e6fd17c-1227-433e-b3a3-80a74374a7dc | Microsoft.aadiam | Microsoft.aadiam | | Ofer Shezaf | 4 | IL | | Azure Portal | c44b4083-3bb0-49c1-b47d-974e53cbdf3c | [] | | [\r\n {\r\n "key": "Login Hint Present",\r\n "value": "True"\r\n },\r\n {\r\n "key":... | multiFactorAuthentication | ... | None | {'city': 'Tiberias', 'state': 'Hazafon', 'countryOrRegion': 'IL', 'geoCoordinates': {'latitude':... | {} | [] | c8bfc04f-28bf-40b4-a9c1-07fd5bd9f800 | 918 | none | [] | [] | none | none | none | Windows Azure Service Management API | 797f4846-ba00-4fd7-ba43-dac1f8f63013 | | | {'errorCode': 0, 'additionalDetails': 'MFA requirement satisfied by claim in the token'} | | AzureAD | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.418... | Ofer Shezaf | 9c459db5-0407-43fe-a2ea-126757297beb | ofshezaf@microsoft.com | 4b2462a4-bbee-495a-a0e1-f23ae524cc9c | SigninLogs |
| 1 | 8ecf8077-cf51-4820-aadd-14040956f35d | Azure AD | 2020-10-01 11:19:36.626000+00:00 | /tenants/4b2462a4-bbee-495a-a0e1-f23ae524cc9c/providers/Microsoft.aadiam | Sign-in activity | 1.0 | SignInLogs | 0 | None | | 0 | 4bdf65b2-99af-4bd4-ab7c-ffbc5a1d5038 | Microsoft.aadiam | Microsoft.aadiam | | Mor Shabi | 4 | IL | | Azure Portal | c44b4083-3bb0-49c1-b47d-974e53cbdf3c | [] | | [\r\n {\r\n "key": "Login Hint Present",\r\n "value": "True"\r\n },\r\n {\r\n "key":... | multiFactorAuthentication | ... | None | {'city': 'Herzliya', 'state': 'Tel Aviv', 'countryOrRegion': 'IL', 'geoCoordinates': {'latitude'... | {} | [] | 4a40c63d-5e43-4af0-a0e5-2ae5df81e500 | 3600 | none | [] | [] | none | none | none | Windows Azure Service Management API | 797f4846-ba00-4fd7-ba43-dac1f8f63013 | | | {'errorCode': 0, 'additionalDetails': 'MFA requirement satisfied by claim in the token'} | | AzureAD | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.418... | Mor Shabi | 7b77cfef-7ac7-4121-a834-561291927ad1 | moshabi@microsoft.com | 4b2462a4-bbee-495a-a0e1-f23ae524cc9c | SigninLogs |
| 2 | 8ecf8077-cf51-4820-aadd-14040956f35d | Azure AD | 2020-10-01 11:19:40.787000+00:00 | /tenants/4b2462a4-bbee-495a-a0e1-f23ae524cc9c/providers/Microsoft.aadiam | Sign-in activity | 1.0 | SignInLogs | 0 | None | | 0 | 4460b859-84c1-4751-bddb-b305516cbed4 | Microsoft.aadiam | Microsoft.aadiam | | Mor Shabi | 4 | IL | | Azure Portal | c44b4083-3bb0-49c1-b47d-974e53cbdf3c | [] | | [\r\n {\r\n "key": "Login Hint Present",\r\n "value": "True"\r\n },\r\n {\r\n "key":... | singleFactorAuthentication | ... | None | {'city': 'Herzliya', 'state': 'Tel Aviv', 'countryOrRegion': 'IL', 'geoCoordinates': {'latitude'... | {} | [] | 4a40c63d-5e43-4af0-a0e5-2ae5c182e500 | 1526 | none | [] | [] | none | none | none | Windows Azure Service Management API | 797f4846-ba00-4fd7-ba43-dac1f8f63013 | | | {'errorCode': 0} | | AzureAD | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.418... | Mor Shabi | 7b77cfef-7ac7-4121-a834-561291927ad1 | moshabi@microsoft.com | 4b2462a4-bbee-495a-a0e1-f23ae524cc9c | SigninLogs |
3 rows × 59 columns
|   | UserPrincipalName | Identity |
|---|---|---|
| 0 | ofshezaf@microsoft.com | Ofer Shezaf |
| 1 | moshabi@microsoft.com | Mor Shabi |
| 2 | moshabi@microsoft.com | Mor Shabi |
|   | User |
|---|---|
| 0 | ofshezaf |
| 1 | moshabi |
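The two account tables above are projections of the SigninLogs result: one row per sign-in with UserPrincipalName and Identity, and a de-duplicated list of user names. The following is an added example, not MSTICPy's own code and not from this notebook, that reproduces those projections over rows constructed from the three sign-ins shown, and also lists successful sign-ins that satisfied only a single factor (the third row above). Deriving the short user name as the local part of the UPN is an assumption of this example.

```python
"""Extract accounts from Azure AD sign-in records (added example, not MSTICPy code)."""
from collections import OrderedDict
from typing import Dict, List, Tuple

# Constructed sample: the fields this example reads, copied from the three
# SigninLogs rows displayed above.
SIGNIN_ROWS: List[Dict[str, object]] = [
    {
        "TimeGenerated": "2020-10-01 11:04:42.689000+00:00",
        "Identity": "Ofer Shezaf",
        "UserPrincipalName": "ofshezaf@microsoft.com",
        "AuthenticationRequirement": "multiFactorAuthentication",
        "Status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"},
    },
    {
        "TimeGenerated": "2020-10-01 11:19:36.626000+00:00",
        "Identity": "Mor Shabi",
        "UserPrincipalName": "moshabi@microsoft.com",
        "AuthenticationRequirement": "multiFactorAuthentication",
        "Status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"},
    },
    {
        "TimeGenerated": "2020-10-01 11:19:40.787000+00:00",
        "Identity": "Mor Shabi",
        "UserPrincipalName": "moshabi@microsoft.com",
        "AuthenticationRequirement": "singleFactorAuthentication",
        "Status": {"errorCode": 0},
    },
]


def project_accounts(rows: List[Dict[str, object]]) -> List[Tuple[str, str]]:
    """One (UserPrincipalName, Identity) pair per sign-in, like the first table above."""
    return [(str(r["UserPrincipalName"]), str(r["Identity"])) for r in rows]


def distinct_users(rows: List[Dict[str, object]]) -> List[str]:
    """Distinct short user names in first-seen order, like the User table above.

    Assumption: the short name is the local part of the UPN (text before '@').
    A UPN without '@' is kept whole.
    """
    seen: "OrderedDict[str, None]" = OrderedDict()
    for r in rows:
        local = str(r["UserPrincipalName"]).split("@", 1)[0]
        seen.setdefault(local, None)
    return list(seen)


def single_factor_successes(rows: List[Dict[str, object]]) -> List[Tuple[str, str]]:
    """Successful sign-ins (Status.errorCode == 0) that required only one factor.

    Worth checking before pivoting on an account: an MFA-satisfied sign-in and a
    single-factor sign-in for the same UPN can come from different sessions.
    """
    hits = []
    for r in rows:
        status = r.get("Status") or {}
        if (
            r.get("AuthenticationRequirement") == "singleFactorAuthentication"
            and isinstance(status, dict)
            and status.get("errorCode") == 0
        ):
            hits.append((str(r["TimeGenerated"]), str(r["UserPrincipalName"])))
    return hits


if __name__ == "__main__":
    print(project_accounts(SIGNIN_ROWS))
    print(distinct_users(SIGNIN_ROWS))
    print(single_factor_successes(SIGNIN_ROWS))
```

On a real result, replace `SIGNIN_ROWS` with `df.to_dict("records")` from the SigninLogs dataframe; the functions only read the five fields shown in the sample.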
|   | Ioc | IocType | SafeIoc | QuerySubtype | Provider | Result | Severity | Details | RawResult | Reference | Status |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 0 | fkksjobnn43.org | dns | fkksjobnn43.org | None | OTX | True | high | {'pulse_count': 35, 'names': ['Jaff - Malware Domain Feed V2', 'Jaff - Malware Domain Feed V2', ... | {'indicator': 'fkksjobnn43.org', 'alexa': 'http://www.alexa.com/siteinfo/fkksjobnn43.org', 'whoi... | https://otx.alienvault.com/api/v1/indicators/domain/fkksjobnn43.org/general | 0 |
| 0 | fkksjobnn43.org | dns |  | None | OPR | True | warning | {'rank': None, 'error': 'Domain not found'} | {'status_code': 404, 'error': 'Domain not found', 'page_rank_integer': 0, 'page_rank_decimal': 0... | https://openpagerank.com/api/v1.0/getPageRank?domains[0]=fkksjobnn43.org | 0 |
| 0 | fkksjobnn43.org | dns | fkksjobnn43.org | None | VirusTotal | True | information | {'verbose_msg': 'Domain found in dataset', 'response_code': 1, 'detected_urls': [], 'positives':... | {'undetected_downloaded_samples': [], 'whois_timestamp': 1603963073, 'detected_downloaded_sample... | https://www.virustotal.com/vtapi/v2/domain/report | 0 |
| 0 | fkksjobnn43.org | dns | fkksjobnn43.org | None | XForce | True | information | {'score': 0, 'cats': None, 'categoryDescriptions': None, 'reason': None, 'reasonDescription': 0,... | {'result': {'url': 'fkksjobnn43.org', 'cats': {'General Business': True}, 'score': 1, 'categoryD... | https://api.xforce.ibmcloud.com/url/fkksjobnn43.org | 0 |
|   | Ioc | IocType | SafeIoc | QuerySubtype | Provider | Result | Severity | Details | RawResult | Reference | Status |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 0 | 02a7977d1faf7bfc93a4b678a049c9495ea663e7065aa5a6caf0f69c5ff25dbd | sha256_hash | 02a7977d1faf7bfc93a4b678a049c9495ea663e7065aa5a6caf0f69c5ff25dbd | None | VirusTotal | True | high | {'verbose_msg': 'Scan finished, information embedded', 'response_code': 1, 'resource': '02a7977d... | {'scans': {'Bkav': {'detected': True, 'version': '1.3.0.9899', 'result': 'W32.AIDetectVM.malware... | https://www.virustotal.com/vtapi/v2/file/report | 0 |
| 1 | 06b020a3fd3296bc4c7bf53307fe7b40638e7f445bdd43fac1d04547a429fdaf | sha256_hash | 06b020a3fd3296bc4c7bf53307fe7b40638e7f445bdd43fac1d04547a429fdaf | None | VirusTotal | True | high | {'verbose_msg': 'Scan finished, information embedded', 'response_code': 1, 'resource': '06b020a3... | {'scans': {'Bkav': {'detected': False, 'version': '1.3.0.9899', 'result': None, 'update': '20201... | https://www.virustotal.com/vtapi/v2/file/report | 0 |
| 2 | 06c676bf8f5c6af99172c1cf63a84348628ae3f39df9e523c42447e2045e00ff | sha256_hash | 06c676bf8f5c6af99172c1cf63a84348628ae3f39df9e523c42447e2045e00ff | None | VirusTotal | True | high | {'verbose_msg': 'Scan finished, information embedded', 'response_code': 1, 'resource': '06c676bf... | {'scans': {'Bkav': {'detected': True, 'version': '1.3.0.9899', 'result': 'W32.AIDetectVM.malware... | https://www.virustotal.com/vtapi/v2/file/report | 0 |
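The TI lookup results above (the domain fkksjobnn43.org across OTX, OPR, VirusTotal and X-Force, and three SHA-256 hashes from VirusTotal) return one row per provider, so a single IoC can carry several severities at once. The following is an added example, not MSTICPy's own code and not from this notebook, that collapses such rows into one verdict per IoC. The rows are constructed from the tables above, keeping the Ioc, IocType, Provider, Result, Severity, Details and Status columns. Two assumptions are the example's own: the severity ordering information < warning < high, and the rule that a provider answer whose Details carry an `error` key (OPR's "Domain not found", reported as severity warning) is treated as no evidence rather than as a hit.

```python
"""Collapse multi-provider TI lookup rows into one verdict per IoC (added example, not MSTICPy code)."""
from collections import defaultdict
from typing import Dict, List, Tuple

# Assumed severity ordering (not defined by the tables above).
SEVERITY_RANK = {"information": 1, "warning": 2, "high": 3}

# Constructed sample: the provider rows displayed above, reduced to the fields used here.
TI_ROWS: List[Dict[str, object]] = [
    {"Ioc": "fkksjobnn43.org", "IocType": "dns", "Provider": "OTX", "Result": True,
     "Severity": "high", "Details": {"pulse_count": 35}, "Status": 0},
    {"Ioc": "fkksjobnn43.org", "IocType": "dns", "Provider": "OPR", "Result": True,
     "Severity": "warning", "Details": {"rank": None, "error": "Domain not found"}, "Status": 0},
    {"Ioc": "fkksjobnn43.org", "IocType": "dns", "Provider": "VirusTotal", "Result": True,
     "Severity": "information",
     "Details": {"verbose_msg": "Domain found in dataset", "response_code": 1}, "Status": 0},
    {"Ioc": "fkksjobnn43.org", "IocType": "dns", "Provider": "XForce", "Result": True,
     "Severity": "information", "Details": {"score": 0, "cats": None}, "Status": 0},
    {"Ioc": "02a7977d1faf7bfc93a4b678a049c9495ea663e7065aa5a6caf0f69c5ff25dbd", "IocType": "sha256_hash",
     "Provider": "VirusTotal", "Result": True, "Severity": "high",
     "Details": {"verbose_msg": "Scan finished, information embedded", "response_code": 1}, "Status": 0},
    {"Ioc": "06b020a3fd3296bc4c7bf53307fe7b40638e7f445bdd43fac1d04547a429fdaf", "IocType": "sha256_hash",
     "Provider": "VirusTotal", "Result": True, "Severity": "high",
     "Details": {"verbose_msg": "Scan finished, information embedded", "response_code": 1}, "Status": 0},
    {"Ioc": "06c676bf8f5c6af99172c1cf63a84348628ae3f39df9e523c42447e2045e00ff", "IocType": "sha256_hash",
     "Provider": "VirusTotal", "Result": True, "Severity": "high",
     "Details": {"verbose_msg": "Scan finished, information embedded", "response_code": 1}, "Status": 0},
]


def usable(row: Dict[str, object]) -> bool:
    """A row is evidence only if the lookup succeeded (Status 0, Result True) and the
    provider did not answer with an error. Assumption: an 'error' key in Details
    means "no data", whatever Severity the provider attached to it."""
    details = row.get("Details") or {}
    return row.get("Status") == 0 and bool(row.get("Result")) and "error" not in details


def verdicts(rows: List[Dict[str, object]]) -> Dict[str, Tuple[str, List[str]]]:
    """Return {ioc: (highest usable severity, sorted providers reporting that severity)}.
    IoCs with no usable row are omitted so the caller can tell "clean" from "unknown"."""
    by_ioc: Dict[str, List[Dict[str, object]]] = defaultdict(list)
    for r in rows:
        if usable(r):
            by_ioc[str(r["Ioc"])].append(r)
    out: Dict[str, Tuple[str, List[str]]] = {}
    for ioc, hits in by_ioc.items():
        top = max(SEVERITY_RANK[str(h["Severity"])] for h in hits)
        top_name = next(name for name, rank in SEVERITY_RANK.items() if rank == top)
        providers = sorted(str(h["Provider"]) for h in hits if SEVERITY_RANK[str(h["Severity"])] == top)
        out[ioc] = (top_name, providers)
    return out


def unresolved(rows: List[Dict[str, object]]) -> List[str]:
    """IoCs that were queried but produced no usable row from any provider."""
    queried = {str(r["Ioc"]) for r in rows}
    return sorted(queried - set(verdicts(rows)))


def triage_order(rows: List[Dict[str, object]]) -> List[str]:
    """IoCs ordered by highest severity, then by how many providers agree, then by name."""
    v = verdicts(rows)
    return sorted(v, key=lambda ioc: (-SEVERITY_RANK[v[ioc][0]], -len(v[ioc][1]), ioc))


if __name__ == "__main__":
    for ioc in triage_order(TI_ROWS):
        print(ioc, verdicts(TI_ROWS)[ioc])
    print("unresolved:", unresolved(TI_ROWS))
```

On a real lookup result, `df.to_dict("records")` gives rows in this shape; the functions ignore the RawResult and Reference columns, which are kept in the dataframe for drill-down once an IoC has been prioritised.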
|   | hash | ref | desc |
|---|---|---|---|
| 0 | 02a7977d1faf7bfc93a4b678a049c9495ea663e7065aa5a6caf0f69c5ff25dbd | item_0 | stuff |
| 1 | 06b020a3fd3296bc4c7bf53307fe7b40638e7f445bdd43fac1d04547a429fdaf | item_1 | stuff |
| 2 | 06c676bf8f5c6af99172c1cf63a84348628ae3f39df9e523c42447e2045e00ff | item_2 | stuff |