# msticpy Threat Intel Lookup

This notebook describes the use of the Threat Intelligence lookup class in msticpy.
The class allows lookup of individual or multiple IoCs from one or more TI providers.

TILookup is also extensible: you can subclass TIProvider to implement your own custom lookups. You can also subclass the HTTPProvider or KqlProvider classes, which provide support for querying a REST endpoint or a Log Analytics table respectively.
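As an added example (not code from the msticpy notebook or library), the functions below consolidate per-provider result rows of the shape TILookup returns into one verdict per IoC, treating a non-zero Status (rate-limited 403, 404, or 1 for an unsupported IoC type) as "no verdict" rather than "clean". SAMPLE_ROWS is constructed from values that appear in the result tables in this notebook; the severity ranking and the status handling are assumptions of this example.

```python
"""Consolidate TILookup-style result rows into one verdict per IoC.

Added example, not msticpy code. SAMPLE_ROWS is constructed to mirror the
result tables in this notebook: one row per (Ioc, Provider) carrying the
Result, Severity and Status columns that TILookup emits.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Severity labels ranked as they appear in the lookup tables (assumption).
SEVERITY_RANK = {"information": 0, "warning": 1, "high": 2}


@dataclass
class Verdict:
    ioc: str
    ioc_type: str
    severity: str                  # highest severity among providers that answered
    flagged_by: List[str]          # providers reporting warning or high
    queried: int                   # providers asked
    answered: int                  # providers whose lookup completed (Status 0)
    no_verdict: Dict[str, str] = field(default_factory=dict)  # provider -> why

    @property
    def complete(self) -> bool:
        """True only when every queried provider returned a verdict."""
        return not self.no_verdict


def consolidate(rows: List[dict]) -> Dict[str, Verdict]:
    """Group rows by IoC and combine provider results into one Verdict each."""
    by_ioc: Dict[str, List[dict]] = defaultdict(list)
    for row in rows:
        by_ioc[row["Ioc"]].append(row)

    verdicts: Dict[str, Verdict] = {}
    for ioc, prov_rows in by_ioc.items():
        best, flagged, no_verdict, answered = "information", [], {}, 0
        for r in prov_rows:
            # Non-zero Status: the provider returned no verdict (403 = rate
            # limited, 404 = not in its database, 1 = IoC type unsupported).
            # Record why, so the gap is visible instead of reading as "clean".
            if r["Status"] != 0:
                no_verdict[r["Provider"]] = str(r["Details"])
                continue
            answered += 1
            # Result False with Status 0: provider looked and holds nothing.
            if not r["Result"]:
                continue
            sev = r["Severity"]
            if SEVERITY_RANK[sev] > SEVERITY_RANK[best]:
                best = sev
            if SEVERITY_RANK[sev] >= SEVERITY_RANK["warning"]:
                flagged.append(r["Provider"])
        if answered == 0:
            best = "unknown"          # nobody answered: do not imply benign
        verdicts[ioc] = Verdict(ioc, prov_rows[0]["IocType"], best, flagged,
                                len(prov_rows), answered, no_verdict)
    return verdicts


def needs_attention(verdicts: Dict[str, Verdict]) -> Tuple[List[str], List[str]]:
    """Return (IoCs to escalate, IoCs whose verdict is incomplete), both sorted."""
    escalate = sorted(i for i, v in verdicts.items()
                      if v.severity in SEVERITY_RANK
                      and SEVERITY_RANK[v.severity] >= SEVERITY_RANK["warning"])
    incomplete = sorted(i for i, v in verdicts.items() if not v.complete)
    return escalate, incomplete


def _row(ioc, ioc_type, provider, result, severity, details, status):
    return {"Ioc": ioc, "IocType": ioc_type, "Provider": provider, "Result": result,
            "Severity": severity, "Details": details, "Status": status}


# Constructed sample mirroring rows shown in the notebook tables (Details truncated).
SAMPLE_ROWS = [
    _row("188.127.231.124", "ipv4", "OTX", True, "high", "{'pulse_count': 4, ...}", 0),
    _row("188.127.231.124", "ipv4", "OPR", False, "information",
         "IoC type ipv4 not supported.", 1),
    _row("188.127.231.124", "ipv4", "Tor", True, "information", "Not found.", 0),
    _row("188.127.231.124", "ipv4", "VirusTotal", True, "information",
         "{'verbose_msg': 'IP address in dataset', 'positives': 0}", 0),
    _row("188.127.231.124", "ipv4", "XForce", True, "warning", "{'score': 1, ...}", 0),
    _row("http://104.248.196.145/apache2", "url", "VirusTotal", False, "information",
         "Request forbidden. Allowed query rate may have been exceeded.", 403),
    _row("http://104.248.196.145/apache2", "url", "XForce", False, "information",
         "Not found.", 404),
    _row("http://104.248.196.145/apache2", "url", "OTX", True, "information",
         "{'pulse_count': 0, ...}", 0),
    # Constructed case: the only provider queried was rate-limited, so no verdict.
    _row("1.2.3.4", "ipv4", "VirusTotal", False, "information",
         "Request forbidden. Allowed query rate may have been exceeded.", 403),
]

if __name__ == "__main__":
    verdicts = consolidate(SAMPLE_ROWS)
    for v in verdicts.values():
        print(f"{v.ioc:<32} {v.severity:<12} flagged_by={v.flagged_by} "
              f"answered={v.answered}/{v.queried} no_verdict={list(v.no_verdict)}")
    print("escalate / incomplete:", needs_attention(verdicts))
```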
| | Ioc | IocType | QuerySubtype | Provider | Result | Severity | Details | RawResult | Reference | Status |
|---|---|---|---|---|---|---|---|---|---|---|
| XForce | 52.183.120.194 | ipv4 | None | XForce | True | warning | {'score': 1, 'cats': {}, 'categoryDescriptions': {}, 'reason': 'Regional Internet Registry', 're... | {'ip': '52.183.120.194', 'history': [{'created': '2012-03-22T07:26:00.000Z', 'reason': 'Regional... | https://api.xforce.ibmcloud.com/ipr/52.183.120.194 | 0 |
| AzSTI | 52.183.120.194 | ipv4 | None | AzSTI | False | information | Not found. | None | None | 0 |
| | OTX | OPR | Tor | VirusTotal | XForce |
|---|---|---|---|---|---|
| Ioc | 52.183.120.194 | 52.183.120.194 | 52.183.120.194 | 52.183.120.194 | 52.183.120.194 |
| IocType | ipv4 | ipv4 | ipv4 | ipv4 | ipv4 |
| QuerySubtype | None | None | None | None | None |
| Provider | OTX | OPR | Tor | VirusTotal | XForce |
| Result | True | False | True | True | True |
| Severity | information | information | information | information | warning |
| Details | {'pulse_count': 0, 'sections_available': ['general', 'geo', 'reputation', 'url_list', 'passive_d... | IoC type ipv4 not supported. | Not found. | {'verbose_msg': 'IP address in dataset', 'response_code': 1, 'detected_urls': [], 'positives': 0} | {'score': 1, 'cats': {}, 'categoryDescriptions': {}, 'reason': 'Regional Internet Registry', 're... |
| RawResult | {'sections': ['general', 'geo', 'reputation', 'url_list', 'passive_dns', 'malware', 'nids_list',... | None | None | {'https_certificate_date': 1569589456, 'whois': 'NetRange: 52.145.0.0 - 52.191.255.255\nCIDR: 52.... | {'ip': '52.183.120.194', 'history': [{'created': '2012-03-22T07:26:00.000Z', 'reason': 'Regional... |
| Reference | https://otx.alienvault.com/api/v1/indicators/IPv4/52.183.120.194/general | None | https://check.torproject.org/exit-addresses | https://www.virustotal.com/vtapi/v2/ip-address/report | https://api.xforce.ibmcloud.com/ipr/52.183.120.194 |
| Status | 0 | 1 | 0 | 0 | 0 |
| | OTX |
|---|---|
| Ioc | 38.75.137.9 |
| IocType | ipv4 |
| QuerySubtype | None |
| Provider | OTX |
| Result | True |
| Severity | high |
| Details | {'pulse_count': 2, 'names': ['Underminer.EK - Exploit Kit IOC Feed', 'Underminer EK'], 'tags': [... |
| RawResult | {'sections': ['general', 'geo', 'reputation', 'url_list', 'passive_dns', 'malware', 'nids_list',... |
| Reference | https://otx.alienvault.com/api/v1/indicators/IPv4/38.75.137.9/general |
| Status | 0 |
| | Ioc | IocType | QuerySubtype | Provider | Result | Severity | Details | RawResult | Reference | Status |
|---|---|---|---|---|---|---|---|---|---|---|
| OTX | 188.127.231.124 | ipv4 | None | OTX | True | high | {'pulse_count': 4, 'names': ['Locky Ransomware C2 IP blocklist (LY_C2_IPBL)', 'Malicious IP', 'F... | {'sections': ['general', 'geo', 'reputation', 'url_list', 'passive_dns', 'malware', 'nids_list',... | https://otx.alienvault.com/api/v1/indicators/IPv4/188.127.231.124/general | 0 |
| OPR | 188.127.231.124 | ipv4 | None | OPR | False | information | IoC type ipv4 not supported. | None | None | 1 |
| Tor | 188.127.231.124 | ipv4 | None | Tor | True | information | Not found. | None | https://check.torproject.org/exit-addresses | 0 |
| VirusTotal | 188.127.231.124 | ipv4 | None | VirusTotal | True | information | {'verbose_msg': 'IP address in dataset', 'response_code': 1, 'detected_urls': [], 'positives': 0... | {'undetected_downloaded_samples': [{'date': '2018-01-09 20:05:03', 'positives': 0, 'total': 71, ... | https://www.virustotal.com/vtapi/v2/ip-address/report | 0 |
| XForce | 188.127.231.124 | ipv4 | None | XForce | True | warning | {'score': 1, 'cats': {}, 'categoryDescriptions': {}, 'reason': 'Regional Internet Registry', 're... | {'ip': '188.127.231.124', 'history': [{'created': '2012-03-22T07:26:00.000Z', 'reason': 'Regiona... | https://api.xforce.ibmcloud.com/ipr/188.127.231.124 | 0 |
| | Ioc | IocType | QuerySubtype | Reference | Result | Details | Status | Severity | Provider |
|---|---|---|---|---|---|---|---|---|---|
| 0 | 51.75.29.61 | ipv4 | None | ThreatIntelligenceIndicator \| where TimeGenerated >= datetime(2020-06-09T22:21:31.328494Z) \| w... | False | Not found. | 0 | 0 | AzSTI |
| 1 | 13.91.229.209 | ipv4 | None | ThreatIntelligenceIndicator \| where TimeGenerated >= datetime(2020-06-09T22:21:31.328494Z) \| w... | False | Not found. | 0 | 0 | AzSTI |
| 2 | 52.167.223.49 | ipv4 | None | ThreatIntelligenceIndicator \| where TimeGenerated >= datetime(2020-06-09T22:21:31.328494Z) \| w... | False | Not found. | 0 | 0 | AzSTI |
| 3 | 1.2.3.4 | ipv4 | None | ThreatIntelligenceIndicator \| where TimeGenerated >= datetime(2020-06-09T22:21:31.328494Z) \| w... | False | Not found. | 0 | 0 | AzSTI |
| 4 | 1.2.3.5 | ipv4 | None | ThreatIntelligenceIndicator \| where TimeGenerated >= datetime(2020-06-09T22:21:31.328494Z) \| w... | False | Not found. | 0 | 0 | AzSTI |
| | Ioc | IocType | SafeIoc | QuerySubtype | Provider | Result | Severity | Details | RawResult | Reference | Status |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 5 | http://104.248.196.145/apache2 | url | http://104.248.196.145/apache2 | None | VirusTotal | False | information | Request forbidden. Allowed query rate may have been exceeded. | `<Response [403]>` | https://www.virustotal.com/vtapi/v2/url/report | 403 |
| 5 | http://104.248.196.145/apache2 | url | http://104.248.196.145/apache2 | None | XForce | False | information | Not found. | `<Response [404]>` | https://api.xforce.ibmcloud.com/url/http://104.248.196.145/apache2 | 404 |
| 5 | http://104.248.196.145/apache2 | url | http%3A%2F%2F104.248.196.145%2Fapache2 | None | OTX | True | information | {'pulse_count': 0, 'sections_available': ['general', 'url_list', 'http_scans', 'screenshot']} | {'indicator': 'http://104.248.196.145/apache2', 'alexa': '', 'whois': '', 'sections': ['general'... | https://otx.alienvault.com/api/v1/indicators/url/http%3A%2F%2F104.248.196.145%2Fapache2/general | 0 |
| 6 | http://ajaraheritage.ge/g7cberv | url | http://ajaraheritage.ge/g7cberv | None | XForce | True | information | {'score': 0, 'cats': None, 'categoryDescriptions': None, 'reason': None, 'reasonDescription': 0,... | {'result': {'url': 'ajaraheritage.ge', 'cats': {}, 'score': None, 'categoryDescriptions': {}}, '... | https://api.xforce.ibmcloud.com/url/http://ajaraheritage.ge/g7cberv | 0 |
| 6 | http://ajaraheritage.ge/g7cberv | url | http%3A%2F%2Fajaraheritage.ge%2Fg7cberv | None | OTX | True | high | {'pulse_count': 2, 'names': ['Locky Ransomware Distribution Sites URL blocklist (LY_DS_URLBL)', ... | {'indicator': 'http://ajaraheritage.ge/g7cberv', 'alexa': 'http://www.alexa.com/siteinfo/ajarahe... | https://otx.alienvault.com/api/v1/indicators/url/http%3A%2F%2Fajaraheritage.ge%2Fg7cberv/general | 0 |
| 6 | http://ajaraheritage.ge/g7cberv | url | http://ajaraheritage.ge/g7cberv | None | VirusTotal | False | information | Request forbidden. Allowed query rate may have been exceeded. | `<Response [403]>` | https://www.virustotal.com/vtapi/v2/url/report | 403 |
| 4 | http://append.pl/srh9xsz | url | http%3A%2F%2Fappend.pl%2Fsrh9xsz | None | OTX | True | warning | {'pulse_count': 1, 'names': ['Locky Ransomware Distribution Sites URL blocklist (LY_DS_URLBL)'],... | {'indicator': 'http://append.pl/srh9xsz', 'alexa': 'http://www.alexa.com/siteinfo/append.pl', 'w... | https://otx.alienvault.com/api/v1/indicators/url/http%3A%2F%2Fappend.pl%2Fsrh9xsz/general | 0 |
| 4 | http://append.pl/srh9xsz | url | http://append.pl/srh9xsz | None | XForce | True | information | {'score': 0, 'cats': None, 'categoryDescriptions': None, 'reason': None, 'reasonDescription': 0,... | {'result': {'url': 'append.pl', 'cats': {'Software / Hardware': True}, 'score': 1, 'categoryDesc... | https://api.xforce.ibmcloud.com/url/http://append.pl/srh9xsz | 0 |
| 4 | http://append.pl/srh9xsz | url | http://append.pl/srh9xsz | None | VirusTotal | False | information | Request forbidden. Allowed query rate may have been exceeded. | `<Response [403]>` | https://www.virustotal.com/vtapi/v2/url/report | 403 |
| 3 | http://businesstobuy.net | url | http%3A%2F%2Fbusinesstobuy.net | None | OTX | True | information | {'pulse_count': 0, 'sections_available': ['general', 'url_list', 'http_scans', 'screenshot']} | {'indicator': 'http://businesstobuy.net', 'alexa': 'http://www.alexa.com/siteinfo/businesstobuy.... | https://otx.alienvault.com/api/v1/indicators/url/http%3A%2F%2Fbusinesstobuy.net/general | 0 |
| 3 | http://businesstobuy.net | url | http://businesstobuy.net | None | XForce | True | information | {'score': 0, 'cats': None, 'categoryDescriptions': None, 'reason': None, 'reasonDescription': 0,... | {'result': {'url': 'businesstobuy.net', 'cats': {'Phishing URLs': True}, 'score': 10, 'categoryD... | https://api.xforce.ibmcloud.com/url/http://businesstobuy.net | 0 |
| 3 | http://businesstobuy.net | url | http://businesstobuy.net | None | VirusTotal | False | information | Request forbidden. Allowed query rate may have been exceeded. | `<Response [403]>` | https://www.virustotal.com/vtapi/v2/url/report | 403 |
| 0 | http://cheapshirts.us/zVnMrG.php | url | http://cheapshirts.us/zVnMrG.php | None | XForce | True | information | {'score': 0, 'cats': None, 'categoryDescriptions': None, 'reason': None, 'reasonDescription': 0,... | {'result': {'url': 'cheapshirts.us', 'cats': {'Shopping': True, 'Auctions / Classified Ads': Tru... | https://api.xforce.ibmcloud.com/url/http://cheapshirts.us/zVnMrG.php | 0 |
| 0 | http://cheapshirts.us/zVnMrG.php | url | http%3A%2F%2Fcheapshirts.us%2FzVnMrG.php | None | OTX | True | high | {'pulse_count': 7, 'names': ['CryptoWall Ransomware C2 URL blocklist (CW_C2_URLBL)', 'CryptoWall... | {'indicator': 'http://cheapshirts.us/zVnMrG.php', 'alexa': 'http://www.alexa.com/siteinfo/cheaps... | https://otx.alienvault.com/api/v1/indicators/url/http%3A%2F%2Fcheapshirts.us%2FzVnMrG.php/general | 0 |
| 0 | http://cheapshirts.us/zVnMrG.php | url | http://cheapshirts.us/zVnMrG.php | None | VirusTotal | False | information | Request forbidden. Allowed query rate may have been exceeded. | `<Response [403]>` | https://www.virustotal.com/vtapi/v2/url/report | 403 |
| 1 | http://chinasymbolic.com/i9jnrc | url | http://chinasymbolic.com/i9jnrc | None | VirusTotal | False | information | Request forbidden. Allowed query rate may have been exceeded. | `<Response [403]>` | https://www.virustotal.com/vtapi/v2/url/report | 403 |
| 1 | http://chinasymbolic.com/i9jnrc | url | http%3A%2F%2Fchinasymbolic.com%2Fi9jnrc | None | OTX | True | high | {'pulse_count': 2, 'names': ['Locky Ransomware Distribution Sites URL blocklist (LY_DS_URLBL)', ... | {'indicator': 'http://chinasymbolic.com/i9jnrc', 'alexa': 'http://www.alexa.com/siteinfo/chinasy... | https://otx.alienvault.com/api/v1/indicators/url/http%3A%2F%2Fchinasymbolic.com%2Fi9jnrc/general | 0 |
| 1 | http://chinasymbolic.com/i9jnrc | url | http://chinasymbolic.com/i9jnrc | None | XForce | True | information | {'score': 0, 'cats': None, 'categoryDescriptions': None, 'reason': None, 'reasonDescription': 0,... | {'result': {'url': 'chinasymbolic.com', 'cats': {}, 'score': None, 'categoryDescriptions': {}}, ... | https://api.xforce.ibmcloud.com/url/http://chinasymbolic.com/i9jnrc | 0 |
| 7 | http://cic-integration.com/hjy93JNBasdas | url | http://cic-integration.com/hjy93JNBasdas | None | VirusTotal | False | information | Request forbidden. Allowed query rate may have been exceeded. | `<Response [403]>` | https://www.virustotal.com/vtapi/v2/url/report | 403 |
| 7 | http://cic-integration.com/hjy93JNBasdas | url | http%3A%2F%2Fcic-integration.com%2Fhjy93JNBasdas | None | OTX | True | warning | {'pulse_count': 1, 'names': ['Locky Ransomware Distribution Sites URL blocklist (LY_DS_URLBL)'],... | {'indicator': 'http://cic-integration.com/hjy93JNBasdas', 'alexa': 'http://www.alexa.com/siteinf... | https://otx.alienvault.com/api/v1/indicators/url/http%3A%2F%2Fcic-integration.com%2Fhjy93JNBasda... | 0 |
| 7 | http://cic-integration.com/hjy93JNBasdas | url | http://cic-integration.com/hjy93JNBasdas | None | XForce | True | information | {'score': 0, 'cats': None, 'categoryDescriptions': None, 'reason': None, 'reasonDescription': 0,... | {'result': {'url': 'cic-integration.com', 'cats': {}, 'score': None, 'categoryDescriptions': {}}... | https://api.xforce.ibmcloud.com/url/http://cic-integration.com/hjy93JNBasdas | 0 |
| 8 | https://google.com | url | https://google.com | None | VirusTotal | False | information | Request forbidden. Allowed query rate may have been exceeded. | `<Response [403]>` | https://www.virustotal.com/vtapi/v2/url/report | 403 |
| 8 | https://google.com | url | https%3A%2F%2Fgoogle.com | None | OTX | True | information | {'pulse_count': 0, 'sections_available': ['general', 'url_list', 'http_scans', 'screenshot']} | {'indicator': 'https://google.com', 'alexa': 'http://www.alexa.com/siteinfo/google.com', 'whois'... | https://otx.alienvault.com/api/v1/indicators/url/https%3A%2F%2Fgoogle.com/general | 0 |
| 8 | https://google.com | url | https://google.com | None | XForce | True | information | {'score': 0, 'cats': None, 'categoryDescriptions': None, 'reason': None, 'reasonDescription': 0,... | {'result': {'url': 'https://google.com', 'cats': {'Search Engines / Web Catalogues / Portals': T... | https://api.xforce.ibmcloud.com/url/https://google.com | 0 |
| 2 | https://hotel-bristol.lu/dlry/MAnJIPnY/ | url | https://hotel-bristol.lu/dlry/MAnJIPnY/ | None | VirusTotal | False | information | Request forbidden. Allowed query rate may have been exceeded. | `<Response [403]>` | https://www.virustotal.com/vtapi/v2/url/report | 403 |
| 2 | https://hotel-bristol.lu/dlry/MAnJIPnY/ | url | https://hotel-bristol.lu/dlry/MAnJIPnY/ | None | XForce | False | information | Not found. | `<Response [404]>` | https://api.xforce.ibmcloud.com/url/https://hotel-bristol.lu/dlry/MAnJIPnY/ | 404 |
| 2 | https://hotel-bristol.lu/dlry/MAnJIPnY/ | url | https%3A%2F%2Fhotel-bristol.lu%2Fdlry%2FMAnJIPnY%2F | None | OTX | True | information | {'pulse_count': 0, 'sections_available': ['general', 'url_list', 'http_scans', 'screenshot']} | {'indicator': 'https://hotel-bristol.lu/dlry/MAnJIPnY', 'alexa': 'http://www.alexa.com/siteinfo/... | https://otx.alienvault.com/api/v1/indicators/url/https%3A%2F%2Fhotel-bristol.lu%2Fdlry%2FMAnJIPn... | 0 |
| 9 | https://microsoft.com | url | https://microsoft.com | None | VirusTotal | False | information | Request forbidden. Allowed query rate may have been exceeded. | `<Response [403]>` | https://www.virustotal.com/vtapi/v2/url/report | 403 |
| 9 | https://microsoft.com | url | https%3A%2F%2Fmicrosoft.com | None | OTX | True | information | {'pulse_count': 0, 'sections_available': ['general', 'url_list', 'http_scans', 'screenshot']} | {'indicator': 'https://microsoft.com', 'alexa': 'http://www.alexa.com/siteinfo/microsoft.com', '... | https://otx.alienvault.com/api/v1/indicators/url/https%3A%2F%2Fmicrosoft.com/general | 0 |
| 9 | https://microsoft.com | url | https://microsoft.com | None | XForce | True | information | {'score': 0, 'cats': None, 'categoryDescriptions': None, 'reason': None, 'reasonDescription': 0,... | {'result': {'url': 'microsoft.com', 'cats': {'Software / Hardware': True, 'General Business': Tr... | https://api.xforce.ibmcloud.com/url/https://microsoft.com | 0 |
| 10 | https://python.org | url | https://python.org | None | VirusTotal | False | information | Request forbidden. Allowed query rate may have been exceeded. | `<Response [403]>` | https://www.virustotal.com/vtapi/v2/url/report | 403 |
| 10 | https://python.org | url | https%3A%2F%2Fpython.org | None | OTX | True | information | {'pulse_count': 0, 'sections_available': ['general', 'url_list', 'http_scans', 'screenshot']} | {'indicator': 'https://python.org', 'alexa': 'http://www.alexa.com/siteinfo/python.org', 'whois'... | https://otx.alienvault.com/api/v1/indicators/url/https%3A%2F%2Fpython.org/general | 0 |
| 10 | https://python.org | url | https://python.org | None | XForce | True | information | {'score': 0, 'cats': None, 'categoryDescriptions': None, 'reason': None, 'reasonDescription': 0,... | {'result': {'url': 'python.org', 'cats': {'Software / Hardware': True}, 'score': 1, 'application... | https://api.xforce.ibmcloud.com/url/https://python.org | 0 |
| | Ioc | IocType | SafeIoc | QuerySubtype | Provider | Result | Severity | Details | RawResult | Reference | Status |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 0 | http://104.248.196.145/apache2 | url | http%3A%2F%2F104.248.196.145%2Fapache2 | None | OTX | True | information | {'pulse_count': 0, 'sections_available': ['general', 'url_list', 'http_scans', 'screenshot']} | {'indicator': 'http://104.248.196.145/apache2', 'alexa': '', 'whois': '', 'sections': ['general'... | https://otx.alienvault.com/api/v1/indicators/url/http%3A%2F%2F104.248.196.145%2Fapache2/general | 0 |
| 1 | http://ajaraheritage.ge/g7cberv | url | http%3A%2F%2Fajaraheritage.ge%2Fg7cberv | None | OTX | True | high | {'pulse_count': 2, 'names': ['Locky Ransomware Distribution Sites URL blocklist (LY_DS_URLBL)', ... | {'indicator': 'http://ajaraheritage.ge/g7cberv', 'alexa': 'http://www.alexa.com/siteinfo/ajarahe... | https://otx.alienvault.com/api/v1/indicators/url/http%3A%2F%2Fajaraheritage.ge%2Fg7cberv/general | 0 |
| 2 | http://cic-integration.com/hjy93JNBasdas | url | http%3A%2F%2Fcic-integration.com%2Fhjy93JNBasdas | None | OTX | True | warning | {'pulse_count': 1, 'names': ['Locky Ransomware Distribution Sites URL blocklist (LY_DS_URLBL)'],... | {'indicator': 'http://cic-integration.com/hjy93JNBasdas', 'alexa': 'http://www.alexa.com/siteinf... | https://otx.alienvault.com/api/v1/indicators/url/http%3A%2F%2Fcic-integration.com%2Fhjy93JNBasda... | 0 |
| 3 | 51.75.29.61 | ipv4 | 51.75.29.61 | None | OTX | True | high | {'pulse_count': 49, 'names': ['CYBSEC-TIA Bad IPs', '2020-07-02 Fail2ban b3478ecb-279e-4ad8-864b... | {'sections': ['general', 'geo', 'reputation', 'url_list', 'passive_dns', 'malware', 'nids_list',... | https://otx.alienvault.com/api/v1/indicators/IPv4/51.75.29.61/general | 0 |
| 4 | 33.44.55.66 | ipv4 | 33.44.55.66 | None | OTX | True | information | {'pulse_count': 0, 'sections_available': ['general', 'geo', 'reputation', 'url_list', 'passive_d... | {'sections': ['general', 'geo', 'reputation', 'url_list', 'passive_dns', 'malware', 'nids_list',... | https://otx.alienvault.com/api/v1/indicators/IPv4/33.44.55.66/general | 0 |
| 5 | 52.183.120.194 | ipv4 | 52.183.120.194 | None | OTX | True | information | {'pulse_count': 0, 'sections_available': ['general', 'geo', 'reputation', 'url_list', 'passive_d... | {'sections': ['general', 'geo', 'reputation', 'url_list', 'passive_dns', 'malware', 'nids_list',... | https://otx.alienvault.com/api/v1/indicators/IPv4/52.183.120.194/general | 0 |
| 6 | f8a7135496fd6168df5f0ea21c745db89ecea9accc29c5cf281cdf3145865092 | sha256_hash | f8a7135496fd6168df5f0ea21c745db89ecea9accc29c5cf281cdf3145865092 | None | OTX | True | high | {'pulse_count': 3, 'names': ['Emotet IOCs 2/4/2019', 'Emotet IOCs 2/1/2019', 'Emotet IOCs 1/31/2... | {'indicator': 'f8a7135496fd6168df5f0ea21c745db89ecea9accc29c5cf281cdf3145865092', 'sections': ['... | https://otx.alienvault.com/api/v1/indicators/file/f8a7135496fd6168df5f0ea21c745db89ecea9accc29c5... | 0 |
| 7 | cc2db822f652ca67038ba7cca8a8bde3 | md5_hash | cc2db822f652ca67038ba7cca8a8bde3 | None | OTX | True | information | {'pulse_count': 0, 'sections_available': ['general', 'analysis']} | {'indicator': 'cc2db822f652ca67038ba7cca8a8bde3', 'sections': ['general', 'analysis'], 'pulse_in... | https://otx.alienvault.com/api/v1/indicators/file/cc2db822f652ca67038ba7cca8a8bde3/general | 0 |
| 8 | ajaraheritage.ge | dns | ajaraheritage.ge | None | OTX | True | high | {'pulse_count': 22, 'names': ['Blah', 'Blah', 'Blah', 'IOCs - 2020272054 - Huge Upload', 'IOCs -... | {'indicator': 'ajaraheritage.ge', 'alexa': 'http://www.alexa.com/siteinfo/ajaraheritage.ge', 'wh... | https://otx.alienvault.com/api/v1/indicators/domain/ajaraheritage.ge/general | 0 |
| 0 | ajaraheritage.ge | dns | | None | OPR | True | information | {'rank': '4421759', 'page_rank': 3.18, 'error': ''} | {'status_code': 200, 'error': '', 'page_rank_integer': 3, 'page_rank_decimal': 3.18, 'rank': '44... | https://openpagerank.com/api/v1.0/getPageRank?domains[0]=ajaraheritage.ge | 0 |
| 3 | 51.75.29.61 | ipv4 | 51.75.29.61 | None | Tor | True | information | Not found. | None | https://check.torproject.org/exit-addresses | 0 |
| 4 | 33.44.55.66 | ipv4 | 33.44.55.66 | None | Tor | True | information | Not found. | None | https://check.torproject.org/exit-addresses | 0 |
| 5 | 52.183.120.194 | ipv4 | 52.183.120.194 | None | Tor | True | information | Not found. | None | https://check.torproject.org/exit-addresses | 0 |
| 0 | http://104.248.196.145/apache2 | url | http://104.248.196.145/apache2 | None | VirusTotal | False | information | Request forbidden. Allowed query rate may have been exceeded. | `<Response [403]>` | https://www.virustotal.com/vtapi/v2/url/report | 403 |
| 1 | http://ajaraheritage.ge/g7cberv | url | http://ajaraheritage.ge/g7cberv | None | VirusTotal | False | information | Request forbidden. Allowed query rate may have been exceeded. | `<Response [403]>` | https://www.virustotal.com/vtapi/v2/url/report | 403 |
| 2 | http://cic-integration.com/hjy93JNBasdas | url | http://cic-integration.com/hjy93JNBasdas | None | VirusTotal | False | information | Request forbidden. Allowed query rate may have been exceeded. | `<Response [403]>` | https://www.virustotal.com/vtapi/v2/url/report | 403 |
| 3 | 51.75.29.61 | ipv4 | 51.75.29.61 | None | VirusTotal | True | information | {'verbose_msg': 'IP address in dataset', 'response_code': 1, 'detected_urls': ['http://51.75.29.... | {'https_certificate_date': 1593601749, 'undetected_downloaded_samples': [{'date': '2020-07-02 20... | https://www.virustotal.com/vtapi/v2/ip-address/report | 0 |
| 4 | 33.44.55.66 | ipv4 | 33.44.55.66 | None | VirusTotal | True | information | {'verbose_msg': 'IP address in dataset', 'response_code': 1, 'detected_urls': [], 'positives': 0... | {'undetected_urls': [['http://33.44.55.66/77/77.66.66-55-55-44', '27bf8e5c90a431fb1c078f16949a83... | https://www.virustotal.com/vtapi/v2/ip-address/report | 0 |
| 5 | 52.183.120.194 | ipv4 | 52.183.120.194 | None | VirusTotal | True | information | {'verbose_msg': 'IP address in dataset', 'response_code': 1, 'detected_urls': [], 'positives': 0} | {'https_certificate_date': 1569589456, 'whois': 'NetRange: 52.145.0.0 - 52.191.255.255\nCIDR: 52.... | https://www.virustotal.com/vtapi/v2/ip-address/report | 0 |
| 6 | f8a7135496fd6168df5f0ea21c745db89ecea9accc29c5cf281cdf3145865092 | sha256_hash | f8a7135496fd6168df5f0ea21c745db89ecea9accc29c5cf281cdf3145865092 | None | VirusTotal | False | information | Request forbidden. Allowed query rate may have been exceeded. | `<Response [403]>` | https://www.virustotal.com/vtapi/v2/file/report | 403 |
| 7 | cc2db822f652ca67038ba7cca8a8bde3 | md5_hash | cc2db822f652ca67038ba7cca8a8bde3 | None | VirusTotal | False | information | Request forbidden. Allowed query rate may have been exceeded. | `<Response [403]>` | https://www.virustotal.com/vtapi/v2/file/report | 403 |
| 8 | ajaraheritage.ge | dns | ajaraheritage.ge | None | VirusTotal | False | information | No Content | `<Response [204]>` | https://www.virustotal.com/vtapi/v2/domain/report | 204 |
| 0 | http://104.248.196.145/apache2 | url | http://104.248.196.145/apache2 | None | XForce | False | information | Not found. | `<Response [404]>` | https://api.xforce.ibmcloud.com/url/http://104.248.196.145/apache2 | 404 |
| 1 | http://ajaraheritage.ge/g7cberv | url | http://ajaraheritage.ge/g7cberv | None | XForce | True | information | {'score': 0, 'cats': None, 'categoryDescriptions': None, 'reason': None, 'reasonDescription': 0,... | {'result': {'url': 'ajaraheritage.ge', 'cats': {}, 'score': None, 'categoryDescriptions': {}}, '... | https://api.xforce.ibmcloud.com/url/http://ajaraheritage.ge/g7cberv | 0 |
| 2 | http://cic-integration.com/hjy93JNBasdas | url | http://cic-integration.com/hjy93JNBasdas | None | XForce | True | information | {'score': 0, 'cats': None, 'categoryDescriptions': None, 'reason': None, 'reasonDescription': 0,... | {'result': {'url': 'cic-integration.com', 'cats': {}, 'score': None, 'categoryDescriptions': {}}... | https://api.xforce.ibmcloud.com/url/http://cic-integration.com/hjy93JNBasdas | 0 |
| 3 | 51.75.29.61 | ipv4 | 51.75.29.61 | None | XForce | True | warning | {'score': 1, 'cats': {}, 'categoryDescriptions': {}, 'reason': 'Regional Internet Registry', 're... | {'ip': '51.75.29.61', 'history': [{'created': '2012-06-20T07:03:00.000Z', 'reason': 'Regional In... | https://api.xforce.ibmcloud.com/ipr/51.75.29.61 | 0 |
| 4 | 33.44.55.66 | ipv4 | 33.44.55.66 | None | XForce | True | warning | {'score': 1, 'cats': {}, 'categoryDescriptions': {}, 'reason': 'Regional Internet Registry', 're... | {'ip': '33.44.55.66', 'history': [{'created': '2012-03-22T07:26:00.000Z', 'reason': 'Regional In... | https://api.xforce.ibmcloud.com/ipr/33.44.55.66 | 0 |
| 5 | 52.183.120.194 | ipv4 | 52.183.120.194 | None | XForce | True | warning | {'score': 1, 'cats': {}, 'categoryDescriptions': {}, 'reason': 'Regional Internet Registry', 're... | {'ip': '52.183.120.194', 'history': [{'created': '2012-03-22T07:26:00.000Z', 'reason': 'Regional... | https://api.xforce.ibmcloud.com/ipr/52.183.120.194 | 0 |
| 6 | f8a7135496fd6168df5f0ea21c745db89ecea9accc29c5cf281cdf3145865092 | sha256_hash | f8a7135496fd6168df5f0ea21c745db89ecea9accc29c5cf281cdf3145865092 | None | XForce | True | high | {'risk': 'high', 'family': None, 'reasonDescription': 0} | {'malware': {'origins': {'external': {'source': 'reversingLabs', 'firstSeen': '2019-01-31T17:30:... | https://api.xforce.ibmcloud.com/malware/f8a7135496fd6168df5f0ea21c745db89ecea9accc29c5cf281cdf31... | 0 |
| 7 | cc2db822f652ca67038ba7cca8a8bde3 | md5_hash | cc2db822f652ca67038ba7cca8a8bde3 | None | XForce | True | high | {'risk': 'high', 'family': None, 'reasonDescription': 0} | {'malware': {'origins': {'external': {'source': 'reversingLabs', 'firstSeen': '2019-01-22T11:37:... | https://api.xforce.ibmcloud.com/malware/cc2db822f652ca67038ba7cca8a8bde3 | 0 |
| 8 | ajaraheritage.ge | dns | ajaraheritage.ge | None | XForce | True | information | {'score': 0, 'cats': None, 'categoryDescriptions': None, 'reason': None, 'reasonDescription': 0,... | {'result': {'url': 'ajaraheritage.ge', 'cats': {}, 'score': None, 'categoryDescriptions': {}}, '... | https://api.xforce.ibmcloud.com/url/ajaraheritage.ge | 0 |
| | XForce |
|---|---|
| score | 1 |
| cats | |
| categoryDescriptions | |
| reason | Regional Internet Registry |
| reasonDescription | One of the five RIRs announced a (new) location mapping of the IP. |
| tags | [] |
{'categoryDescriptions': {},
 'cats': {},
 'geo': {'country': 'United States', 'countrycode': 'US'},
 'history': [{'categoryDescriptions': {},
              'cats': {},
              'created': '2012-03-22T07:26:00.000Z',
              'geo': {'country': 'United States', 'countrycode': 'US'},
              'ip': '33.0.0.0/8',
              'reason': 'Regional Internet Registry',
              'reasonDescription': 'One of the five RIRs announced a (new) '
                                   'location mapping of the IP.',
              'score': 1}],
 'ip': '33.44.55.66',
 'reason': 'Regional Internet Registry',
 'reasonDescription': 'One of the five RIRs announced a (new) location mapping '
                      'of the IP.',
 'score': 1,
 'subnets': [{'categoryDescriptions': {},
              'cats': {},
              'created': '2012-03-22T07:26:00.000Z',
              'geo': {'country': 'United States', 'countrycode': 'US'},
              'ip': '33.0.0.0',
              'reason': 'Regional Internet Registry',
              'reasonDescription': 'One of the five RIRs announced a (new) '
                                   'location mapping of the IP.',
              'score': 1,
              'subnet': '33.0.0.0/8'}],
 'tags': []}
Kqlmagic package is updated frequently. Run '!pip install Kqlmagic --no-cache-dir --upgrade' to use the latest version.
Kqlmagic version: 0.1.101, source: https://github.com/Microsoft/jupyter-Kqlmagic
* a927809c-8142-43e1-96b3-4ad87cfe95a3@loganalytics
['{"error":{"message":"The request had some invalid properties","code":"BadArgumentError","innererror":{"code":"SemanticError","message":"A semantic error occurred.","innererror":{"code":"SEM0100","message":"\\'\\' operator: Failed to resolve table or column or scalar expression named \\'connection\\'"}}}}']
Help command is a tool to get more information on topics that are relevant to Kqlmagic.
usage: %kql --help "topic"
usage - How to use the Kqlmagic.
conn - Lists the available connection string variations, and how they are used to authenticate to data sources.
query / kql - Reference to resources Kusto Query language, aka kql, documentation
options - Lists the available options, and their behavior impact on the submit query command.
commands - Lists the available commands, and what they do.
faq - Lists frequently asked questions and answers.
help - This help.
AzureMonitor - Reference to resources Azure Monitor tools
Azure Monitor, which now includes Log Analytics and Application Insights, provides sophisticated tools for collecting and analyzing telemetry that allow you to maximize the performance and availability of your cloud and on-premises resources and applications. It helps you understand how your applications are performing and proactively identifies issues affecting them and the resources they depend on.
AzureDataExplorer / kusto - Reference to resources Azure Data Explorer (kusto) service
Azure Data Explorer is a fast and highly scalable data exploration service for log and telemetry data. It helps you handle the many data streams emitted by modern software, so you can collect, store, and analyze data. Azure Data Explorer is ideal for analyzing large volumes of diverse data from any data source, such as websites, applications, IoT devices, and more.
LogAnalytics - Reference to resources Log Analytics service
Log data collected by Azure Monitor is stored in Log Analytics which collects telemetry and other data from a variety of sources and provides a query language for advanced analytics.
ApplicationInsights / AppInsights - Reference to resources Application Insights service
Application Insights is an extensible Application Performance Management (APM) service for web developers on multiple platforms. Use it to monitor your live web application. It will automatically detect performance anomalies. It includes powerful analytics tools to help you diagnose issues and to understand what users actually do with your app. It's designed to help you continuously improve performance and usability. It works for apps on a wide variety of platforms including .NET, Node.js and J2EE, hosted on-premises or in the cloud. It integrates with your DevOps process, and has connection points to a variety of development tools. It can monitor and analyze telemetry from mobile apps by integrating with Visual Studio App Center.
* a927809c-8142-43e1-96b3-4ad87cfe95a3@loganalytics
['{"error":{"message":"The request had some invalid properties","code":"BadArgumentError","innererror":{"code":"SemanticError","message":"A semantic error occurred.","innererror":{"code":"SEM0100","message":"\\'\\' operator: Failed to resolve table or column or scalar expression named \\'conn\\'"}}}}']
unknown command --conn
failed to set --help, due to invalid str value commands.
unknown command --commands
Cache data source is not a real data source, it retrieves query results that were cached, but it can only retrieve results of queries that were executed before, new queries or modified queries won't work.
to get more information on cache data source, execute help "cache"
The user can connect to multiple data resources.
Reference to a data resource can be by connection string, connection name, or current connection (last connection used).
When a connection is specified, and it is a new connection string, the authentication and authorization is validated automatically, by submitting a validation query range c from 1 to 10 step 1 | count, and if the correct result returns, the connection is established.
An initial connection can be specified as an environment variable.
KQLMAGIC_CONNECTION_STR
<database or alias>@<cluster>
Few options to authenticate with Azure Data Explorer (Kusto) data resources:
%kql azuredataexplorer://code;cluster='<cluster-name>';database='<database-name>';alias='<database-friendly-name>'
%kql azuredataexplorer://tenant='<tenant-id>';clientid='<aad-appid>';clientsecret='<aad-appkey>';cluster='<cluster-name>';database='<database-name>';alias='<database-friendly-name>'
%kql azuredataexplorer://tenant='<tenant-id>';certificate='<certificate>';certificate_thumbprint='<thumbprint>';cluster='<cluster-name>';database='<database-name>';alias='<database-friendly-name>'
%kql azuredataexplorer://tenant='<tenant-id>';certificate_pem_file='<pem_filename>';certificate_thumbprint='<thumbprint>';cluster='<cluster-name>';database='<database-name>';alias='<database-friendly-name>'
%kql azuredataexplorer://username='<username>';password='<password>';cluster='<cluster-name>';database='<database-name>';alias='<database-friendly-name>'
%kql azuredataexplorer://anonymous;cluster='<cluster-name>';database='<database-name>';alias='<database-friendly-name>'
Notes:
- username/password works only on corporate network.
- alias is optional.
- if credentials are missing, and a previous connection was established the credentials will be inherited.
- if secret (password / clientsecret / thumbprint) is missing, user will be prompted to provide it.
- if cluster is missing, and a previous connection was established the cluster will be inherited.
- if tenant is missing, and a previous connection was established the tenant will be inherited.
- if only the database changes, a new connection can be set as follows: <new-database-name>@<cluster-name>
- an unquoted value is a python expression, that is evaluated and its result is used as the value. This is how you can parametrize the connection string
<workspace or alias>@loganalytics
Few options to authenticate with Log Analytics:
%kql loganalytics://code;workspace='<workspace-id>';alias='<workspace-friendly-name>'
%kql loganalytics://tenant='<tenant-id>';clientid='<aad-appid>';clientsecret='<aad-appkey>';workspace='<workspace-id>';alias='<workspace-friendly-name>'
%kql loganalytics://username='<username>';password='<password>';workspace='<workspace-id>';alias='<workspace-friendly-name>'
%kql loganalytics://anonymous;workspace='<workspace-id>';alias='<workspace-friendly-name>'
Notes:
- authentication with appkey works only for the demo.
- username/password works only on corporate network.
- alias is optional.
- if credentials are missing, and a previous connection was established the credentials will be inherited.
- if secret (password / clientsecret) is missing, user will be prompted to provide it.
- if tenant is missing, and a previous connection was established the tenant will be inherited.
- an unquoted value is a python expression, that is evaluated and its result is used as the value. This is how you can parametrize the connection string
<appid or alias>@appinsights
Few options to authenticate with Application Insights:
%kql appinsights://appid='<app-id>';appkey='<app-key>';alias='<appid-friendly-name>'
%kql appinsights://code;appid='<app-id>';alias='<appid-friendly-name>'
%kql appinsights://tenant='<tenant-id>';clientid='<aad-appid>';clientsecret='<aad-appkey>';appid='<app-id>';alias='<appid-friendly-name>'
%kql appinsights://username='<username>';password='<password>';appid='<app-id>';alias='<appid-friendly-name>'
%kql appinsights://anonymous;appid='<app-id>';alias='<appid-friendly-name>'
Notes:
- username/password works only on corporate network.
- alias is optional.
- if credentials are missing, and a previous connection was established the credentials will be inherited.
- if secret (password / clientsecret / appkey) is missing, user will be prompted to provide it.
- if tenant is missing, and a previous connection was established the tenant will be inherited.
- an unquoted value is a python expression, that is evaluated and its result is used as the value. This is how you can parametrize the connection string
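The connection strings in the help above carry credentials (password, clientsecret, appkey, thumbprint), and the notes say that an unquoted value is evaluated as a Python expression. Before such a string is logged, echoed into a notebook cell or attached to a ticket, it is worth knowing which parts are secrets. The following is an added example, not code from msticpy or Kqlmagic: a small parser for the syntax shown (scheme://flag;key='value';... plus the short name@target form) that reports the secret-bearing keys and produces a redacted copy. The set of keys treated as secrets is taken from the help's own notes; adding 'certificate' to that set is an assumption. Unquoted values are resolved by name from a caller-supplied dict rather than evaluated, which is a deliberate departure from Kqlmagic's behaviour so that this helper never executes code embedded in a connection string.

```python
"""Parse and redact Kqlmagic-style connection strings (added example)."""
import re
from typing import Any, Dict, List, Optional

# Keys the Kqlmagic help lists as secrets (password / clientsecret / appkey /
# thumbprint); 'certificate' is included as an assumption.
SECRET_KEYS = frozenset(
    {"password", "clientsecret", "appkey", "certificate_thumbprint", "certificate"}
)
SCHEMES = frozenset({"azuredataexplorer", "kusto", "loganalytics", "appinsights"})

_QUOTED = re.compile(r"""^(['"])(.*)\1$""", re.DOTALL)


def _split_tokens(text: str) -> List[str]:
    """Split on ';' outside quotes, so a quoted secret may itself contain ';'."""
    tokens, buf, quote = [], [], None
    for ch in text:
        if quote:
            buf.append(ch)
            if ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
            buf.append(ch)
        elif ch == ";":
            tokens.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if quote:
        raise ValueError("unterminated quote in connection string")
    tokens.append("".join(buf))
    return [t.strip() for t in tokens if t.strip()]


def parse_connection_string(
    conn_str: str, variables: Optional[Dict[str, Any]] = None
) -> Dict[str, Any]:
    """Return {'scheme', 'flags', 'params'}; the short form also has 'name'/'target'."""
    variables = variables or {}
    conn_str = conn_str.strip()
    if conn_str.startswith("%kql "):  # allow pasting a whole magic line
        conn_str = conn_str[5:].strip()

    if "://" not in conn_str:
        # Short form: '<database or alias>@<cluster>', '<workspace or alias>@loganalytics'
        if "@" not in conn_str:
            raise ValueError("not a connection string: %r" % conn_str)
        name, target = conn_str.rsplit("@", 1)
        return {"scheme": None, "flags": set(), "params": {}, "name": name, "target": target}

    scheme, _, rest = conn_str.partition("://")
    scheme = scheme.lower()
    if scheme not in SCHEMES:
        raise ValueError("unknown scheme: %r" % scheme)

    flags, params = set(), {}
    for token in _split_tokens(rest):
        if "=" not in token:
            flags.add(token.lower())  # bare tokens such as 'code' or 'anonymous'
            continue
        key, _, raw = token.partition("=")
        key, raw = key.strip().lower(), raw.strip()
        match = _QUOTED.match(raw)
        if match:
            params[key] = match.group(2)
        elif raw.isidentifier() and raw in variables:
            params[key] = variables[raw]  # plain name lookup only, never eval()
        else:
            raise ValueError("unresolved unquoted value for %r: %r" % (key, raw))
    return {"scheme": scheme, "flags": flags, "params": params}


def secret_keys_present(conn_str: str, variables=None) -> List[str]:
    """Names of the secret-bearing keys found in the connection string."""
    parsed = parse_connection_string(conn_str, variables)
    return sorted(k for k in parsed["params"] if k in SECRET_KEYS)


def redact(conn_str: str, variables=None) -> str:
    """Rebuild the connection string with every secret value replaced by '***'."""
    parsed = parse_connection_string(conn_str, variables)
    if parsed["scheme"] is None:
        return "%s@%s" % (parsed["name"], parsed["target"])
    parts = sorted(parsed["flags"])
    for key, value in parsed["params"].items():
        parts.append("%s='%s'" % (key, "***" if key in SECRET_KEYS else value))
    return "%s://%s" % (parsed["scheme"], ";".join(parts))


if __name__ == "__main__":
    # Constructed sample in the shape shown by the help above.
    sample = ("loganalytics://tenant='<tenant-id>';clientid='<aad-appid>';"
              "clientsecret='<aad-appkey>';workspace='<workspace-id>'")
    print(secret_keys_present(sample))
    print(redact(sample))
```

In a notebook the least risky forms the help offers are the `code` flow and leaving the secret out of the string so that Kqlmagic prompts for it, rather than a literal clientsecret or password in a cell that ends up in the saved .ipynb. If a string must be built programmatically, pass the secret through a variable as the notes describe and redact before printing.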
Except submitting kql queries, few other commands are included that may help using the Kqlmagic.
- Only one command can be executed per magic transaction.
- A command must start with a double hyphen-minus --
- If command is not specified, the default command "submit" is assumed, that submits the query.
The following commands are supported:
- submit - Execute the query and return result.
  - Options can be used to customize the behavior of the transaction.
  - The query can be parametrized.
  - This is the default command.
- version - Displays the current version string.
- usage - Displays usage of Kqlmagic.
- help "topic" - Displays information about the topic.
  %kql --help "help"
- palette - Display information about the current or other named color palette.
  %kql --palette -palette_name "Reds"
- palettes - Display information about all available palettes.
  %kql --palettes -palette_desaturation 0.75
- schema "database" - Returns the database schema as a python dict (displayed as a json format).
  %kql --schema "databasename@clustername"
  %kql --schema "appname@applicationinsights"
  %kql --schema "workspacename@loganalytics"
  %kql --schema
- cache - Enables caching query results to a cache folder, or disables it.
  %kql --cache "XXX"
  %kql --cache None
- use_cache - Enables use of cached results from a cache folder.
  %kql --use_cache "XXX"
  %kql --use_cache None
%kql --version
%kql --usage
%kql --help "help"
%kql --help "options"
%kql --help "conn"
%kql --palette -palette_name "Reds"
%kql --schema 'DEMO_APP@applicationinsights'
%kql --cache "XXX"
%kql --use_cache None
%kql --submit appinsights://appid='DEMO_APP';appkey='DEMO_KEY' pageViews | count
%kql --palettes -palette_desaturation 0.75
%kql pageViews | count
unknown option