# MSTICPy Pivot Functions

We recently released a new version of *MSTICPy* with a feature called **Pivot functions**.
You must have msticpy installed to run this notebook:

```
%pip install --upgrade msticpy
```

Requires MSTICPy version 1.0.0 or later.

This feature has three main goals:

- Making it easy to discover and invoke *MSTICPy* functionality
- Creating a standardized way to call pivotable functions
- Letting you assemble multiple functions into re-usable pipelines.

Here are a couple of examples showing how to call different kinds of
enrichment functions from the IpAddress entity:

```python
>>> from msticpy.datamodel.entities import IpAddress, Host
>>> IpAddress.util.ip_type(ip_str="157.53.1.1")
ip          result
157.53.1.1  Public

>>> IpAddress.util.whois("157.53.1.1")
asn  asn_cidr  asn_country_code  asn_date    asn_description  asn_registry  nets .....
NA   NA        US                2015-04-01  NA               arin          [{'cidr': '157.53.0.0/16'...

>>> IpAddress.util.geoloc(value="157.53.1.1")
CountryCode  CountryName    State  City  Longitude  Latitude  Asn...
US           United States  None   None  -97.822    37.751    None...
```

This second example shows a pivot function that runs a data query for host
logon events from a Host entity.

```python
>>> Host.AzureSentinel.list_host_logons(host_name="VictimPc")
Account              EventID  TimeGenerated                     Computer                SubjectUserName  SubjectDomainName
NT AUTHORITY\SYSTEM  4624     2020-10-01 22:39:36.987000+00:00  VictimPc.Contoso.Azure  VictimPc$        CONTOSO
NT AUTHORITY\SYSTEM  4624     2020-10-01 22:39:37.220000+00:00  VictimPc.Contoso.Azure  VictimPc$        CONTOSO
NT AUTHORITY\SYSTEM  4624     2020-10-01 22:39:42.603000+00:00  VictimPc.Contoso.Azure  VictimPc$        CONTOSO
```

The pivot functionality exposes operations relevant to a particular
entity as methods (or functions) of that entity. These operations include:

- Data queries
- Threat intelligence lookups
- Other data lookups such as geo-location or domain resolution
- Other local functionality

You can also add functions from third-party Python packages, or
ones you write yourself, as pivot functions.

## Terminology

Before we get into things, let's clear up a few terms.

### Entities

These are Python classes that represent real-world objects
commonly encountered in CyberSec investigations and hunting, e.g. Host,
URL, IP Address, Account.

### Pivoting

This comes from the common practice in CyberSec investigations
of navigating from one suspect entity to another. For example, you might start
with an alert identifying a potentially malicious IP address; from there you
'pivot' to see which hosts or accounts were communicating with that
address. From there you might pivot again to look at processes running on
the host or Office activity for the account.

## Background Reading

This article is available in Notebook form so that you can try out the examples. [TODO]

There is also full documentation of the Pivot functionality on our [ReadtheDocs page](https://msticpy.readthedocs.io/en/latest/data_analysis/PivotFunctions.html)
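The mechanics described above (operations exposed as methods of an entity class, one calling convention whether you pass a single value, an entity instance or a list, and chaining several pivots into a pipeline) as an added, constructed illustration. This is not msticpy's own code and uses no msticpy API: the `Entity`, `IpAddress` and `Host` classes, `add_pivot_function`, `PivotContainer`, `ip_type`, `ti_lookup`, `enrich_ips` and the `LOCAL_TI_FEED` table are all hypothetical stand-ins written for this page; the sample addresses are taken from the tables on this page, and the only classification done is local (Python's `ipaddress` module), so nothing touches the network.

```python
"""Constructed illustration of the pivot-function pattern (added example;
not msticpy's implementation and using no msticpy API)."""
import ipaddress
from typing import Any, Callable, Dict, Iterable, List, Union


class Entity:
    """Hypothetical stand-in for an msticpy entity class."""

    value_attr = "Value"  # attribute a pivot reads when handed an instance

    def __init__(self, **attrs: Any) -> None:
        for key, val in attrs.items():
            setattr(self, key, val)


class IpAddress(Entity):
    value_attr = "Address"


class Host(Entity):
    value_attr = "HostName"


class PivotContainer:
    """Namespace reached as Entity.<container>.<function> (hypothetical)."""


def add_pivot_function(entity_cls: type, container: str, name: str,
                       func: Callable[[str], Dict[str, Any]]) -> None:
    """Attach `func` to entity_cls.<container>.<name> behind a wrapper that
    gives every pivot the same calling convention: a single value, an entity
    instance, or a list of either, always returning a list of row dicts
    tagged with src_row_index so results can be joined back to the input."""

    def pivot(values: Union[str, Entity, Iterable[Any]]) -> List[Dict[str, Any]]:
        if isinstance(values, (str, Entity)):
            values = [values]
        rows = []
        for idx, item in enumerate(values):
            raw = getattr(item, entity_cls.value_attr) if isinstance(item, Entity) else item
            rows.append({"src_row_index": idx, **func(raw)})
        return rows

    cont = vars(entity_cls).get(container)  # own attribute only, never inherited
    if cont is None:
        cont = PivotContainer()
        setattr(entity_cls, container, cont)
    setattr(cont, name, pivot)


def ip_type(ip_str: str) -> Dict[str, Any]:
    """Local classification of an address (no network access)."""
    try:
        addr = ipaddress.ip_address(ip_str)
    except ValueError:
        return {"ip": ip_str, "result": "Unspecified"}
    if addr.is_loopback:
        result = "Loopback"
    elif addr.is_private:
        result = "Private"
    elif addr.is_multicast:
        result = "Multicast"
    elif addr.is_global:
        result = "Public"
    else:
        result = "Reserved"
    return {"ip": ip_str, "result": result}


# Constructed stand-in for a threat-intel provider; its single entry mirrors
# the "high" RiskIQ verdict shown for this address in the tables on this page.
LOCAL_TI_FEED = {"20.72.193.242": "high"}


def ti_lookup(ip_str: str) -> Dict[str, Any]:
    severity = LOCAL_TI_FEED.get(ip_str)
    return {"Ioc": ip_str, "IocType": "ipv4",
            "Result": severity is not None,
            "Severity": severity or "information"}


# Register both functions as pivots on the IpAddress entity only.
add_pivot_function(IpAddress, "util", "ip_type", ip_type)
add_pivot_function(IpAddress, "ti", "lookup", ti_lookup)


def enrich_ips(values) -> List[Dict[str, Any]]:
    """Pipeline: classify every address, then TI-lookup only the public ones
    and join the verdict back onto the classification row."""
    rows = IpAddress.util.ip_type(values)
    for row in rows:
        if row["result"] == "Public":
            verdict = IpAddress.ti.lookup(row["ip"])[0]
            verdict.pop("src_row_index")
            row.update(verdict)
    return rows


if __name__ == "__main__":
    # Addresses taken from the tables on this page.
    for row in enrich_ips(["172.217.15.99", "10.0.3.4", "20.72.193.242"]):
        print(row)
    print(IpAddress.util.ip_type(IpAddress(Address="13.82.152.48")))
```

The point of the wrapper is the uniform contract: whatever a pivot is handed, the caller gets back rows keyed by `src_row_index`, which is what makes the output of one pivot usable as the input of the next (the `enrich_ips` pipeline filters on the classification before spending a lookup on private addresses).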
|   | ip | result | src_row_index |
|---|---|---|---|
| 0 | 20.72.193.242 | Public | 0 |

|   | asn | asn_cidr | asn_country_code | asn_date | asn_description | asn_registry | nets | nir | query | raw | raw_referral | referral |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 0 | 8075 | 20.64.0.0/10 | US | 2017-10-18 | MICROSOFT-CORP-MSN-AS-BLOCK, US | arin | [{'cidr': '20.40.0.0/13, 20.34.0.0/15, 20.48.0.0/12, 20.64.0.0/10, 20.33.0.0/16, 20.128.0.0/16, ... | None | 20.72.193.242 | None | None | None |

|   | qname | rdtype | response | ip_address | src_row_index |
|---|---|---|---|---|---|
| 0 | 20.72.193.242 | PTR | None of DNS query names exist: 20.72.193.242., 20.72.193.242.corp.microsoft.com. | 20.72.193.242 | 0 |

|   | CountryCode | CountryName | State | Longitude | Latitude | TimeGenerated | Type | IpAddress |
|---|---|---|---|---|---|---|---|---|
| 0 | US | United States | Washington | -122.3414 | 47.6034 | 2022-04-22 03:03:14.422813 | geolocation | 20.72.193.242 |

|   | Ioc | IocType | SafeIoc | QuerySubtype | Provider | Result | Severity | Details | RawResult | Reference | Status |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 0 | 20.72.193.242 | ipv4 | 20.72.193.242 | None | RiskIQ | True | high | {'summary': {'resolutions': 0, 'certificates': 0, 'malware_hashes': 0, 'projects': 0, 'articles'... | {'summary': {'resolutions': 0, 'certificates': 0, 'malware_hashes': 0, 'projects': 0, 'articles'... | https://community.riskiq.com | 0 |
| 0 | 20.72.193.242 | ipv4 | 20.72.193.242 | None | Tor | True | information | Not found. | None | https://check.torproject.org/exit-addresses | 0 |
| 0 | 20.72.193.242 | ipv4 | 20.72.193.242 | None | VirusTotal | True | information | {'verbose_msg': 'IP address in dataset', 'response_code': 1, 'positives': 0, 'detected_urls': []} | {'detected_urls': [], 'asn': 8075, 'country': 'US', 'response_code': 1, 'as_owner': 'MICROSOFT-C... | https://www.virustotal.com/vtapi/v2/ip-address/report | 0 |
| 0 | 20.72.193.242 | ipv4 | 20.72.193.242 | None | XForce | False | information | Authorization failed. Check account and key details. | `<Response [401 Unauthorized]>` | https://api.xforce.ibmcloud.com/ipr/20.72.193.242 | 401 |
|   | TenantId | TimeGenerated | AlertDisplayName | AlertName | Severity | Description | ProviderName | VendorName | VendorOriginalId | SystemAlertId | ResourceId | SourceComputerId | AlertType | ConfidenceLevel | ConfidenceScore | IsIncident | StartTimeUtc | EndTimeUtc | ProcessingEndTime | RemediationSteps | ExtendedProperties | Entities | SourceSystem | WorkspaceSubscriptionId | WorkspaceResourceGroup | ExtendedLinks | ProductName | ProductComponentName | AlertLink | Status | CompromisedEntity | Tactics | Type | Computer | src_hostname | src_accountname | src_procname | host_match | acct_match | proc_match |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 0 | 8ecf8077-cf51-4820-aadd-14040956f35d | 2021-03-11 12:05:14.355000+00:00 | Suspected credential theft activity | Suspected credential theft activity | Medium | This program exhibits suspect characteristics potentially associated with credential theft. Onc... | MDATP | Microsoft | da637509097413415122_-841817867 | bf226b1b-8bda-31f7-c848-1f8bbb5f5922 |  |  | WindowsDefenderAtp |  | NaN | False | 2021-03-09 17:56:55.275000+00:00 | 2021-03-09 17:56:55.275000+00:00 | 2021-03-11 12:05:13.759000+00:00 | [\r\n "1. Make sure the machine is completely updated and all your software has the latest patc... | {\r\n "MicrosoftDefenderAtp.Category": "CredentialAccess",\r\n "MicrosoftDefenderAtp.Investiga... | [\r\n {\r\n "$id": "4",\r\n "DnsDomain": "na.contosohotels.com",\r\n "HostName": "vict... | Detection |  |  |  | Microsoft Defender Advanced Threat Protection |  | https://securitycenter.microsoft.com/alert/da637509097413415122_-841817867?tid=4b2462a4-bbee-495... | New | victim00.na.contosohotels.com | CredentialAccess | SecurityAlert | victim00 | victim00 |  |  | True | False | False |
| 1 | 8ecf8077-cf51-4820-aadd-14040956f35d | 2021-03-11 13:24:53.495000+00:00 | 'Mimikatz' hacktool was detected | 'Mimikatz' hacktool was detected | Low | Readily available tools, such as hacking programs, can be used by unauthorized individuals to sp... | MDATP | Microsoft | da637510393722104539_-1180405651 | ef04126b-2683-0a98-d01c-77ee6b1115ac |  |  | WindowsDefenderAv |  | NaN | False | 2021-03-11 06:00:14.083000+00:00 | 2021-03-11 06:00:14.083000+00:00 | 2021-03-11 13:24:53.379000+00:00 | [\r\n "1. Make sure the machine is completely updated and all your software has the latest patc... | {\r\n "MicrosoftDefenderAtp.Category": "Malware",\r\n "MicrosoftDefenderAtp.InvestigationId": ... | [\r\n {\r\n "$id": "4",\r\n "DnsDomain": "na.contosohotels.com",\r\n "HostName": "vict... | Detection |  |  |  | Microsoft Defender Advanced Threat Protection |  | https://securitycenter.microsoft.com/alert/da637510393722104539_-1180405651?tid=4b2462a4-bbee-49... | New | victim00.na.contosohotels.com | Unknown | SecurityAlert | victim00 | victim00 |  |  | True | False | False |
| 2 | 8ecf8077-cf51-4820-aadd-14040956f35d | 2021-03-11 13:24:53.490000+00:00 | Suspected credential theft activity | Suspected credential theft activity | Medium | This program exhibits suspect characteristics potentially associated with credential theft. Onc... | MDATP | Microsoft | da637509097413415122_-841817867 | bf226b1b-8bda-31f7-c848-1f8bbb5f5922 |  |  | WindowsDefenderAtp |  | NaN | False | 2021-03-09 17:56:55.275000+00:00 | 2021-03-09 17:56:55.275000+00:00 | 2021-03-11 13:24:53.363000+00:00 | [\r\n "1. Make sure the machine is completely updated and all your software has the latest patc... | {\r\n "MicrosoftDefenderAtp.Category": "CredentialAccess",\r\n "MicrosoftDefenderAtp.Investiga... | [\r\n {\r\n "$id": "4",\r\n "DnsDomain": "na.contosohotels.com",\r\n "HostName": "vict... | Detection |  |  |  | Microsoft Defender Advanced Threat Protection |  | https://securitycenter.microsoft.com/alert/da637509097413415122_-841817867?tid=4b2462a4-bbee-495... | New | victim00.na.contosohotels.com | CredentialAccess | SecurityAlert | victim00 | victim00 |  |  | True | False | False |
| 3 | 8ecf8077-cf51-4820-aadd-14040956f35d | 2021-03-11 13:19:42.521000+00:00 | Malicious credential theft tool execution detected | Malicious credential theft tool execution detected | High | A known credential theft tool execution command line was detected.\nEither the process itself or... | MDATP | Microsoft | da637508847019595161_-562481393 | 753680a5-4d20-2726-61b4-9c36e620ea26 |  |  | WindowsDefenderAtp |  | NaN | False | 2021-03-09 10:56:58.134000+00:00 | 2021-03-09 10:56:58.134000+00:00 | 2021-03-11 13:19:42.289000+00:00 | [\r\n "1. Make sure the machine is completely updated and all your software has the latest patc... | {\r\n "MicrosoftDefenderAtp.Category": "CredentialAccess",\r\n "MicrosoftDefenderAtp.Investiga... | [\r\n {\r\n "$id": "4",\r\n "DnsDomain": "na.contosohotels.com",\r\n "HostName": "vict... | Detection |  |  |  | Microsoft Defender Advanced Threat Protection |  | https://securitycenter.microsoft.com/alert/da637508847019595161_-562481393?tid=4b2462a4-bbee-495... | New | victim00.na.contosohotels.com | CredentialAccess | SecurityAlert | victim00 | victim00 |  |  | True | False | False |
| 4 | 8ecf8077-cf51-4820-aadd-14040956f35d | 2021-03-11 14:30:14.730000+00:00 | 'Mimikatz' hacktool was detected | 'Mimikatz' hacktool was detected | Low | Readily available tools, such as hacking programs, can be used by unauthorized individuals to sp... | MDATP | Microsoft | da637510393722104539_-1180405651 | ef04126b-2683-0a98-d01c-77ee6b1115ac |  |  | WindowsDefenderAv |  | NaN | False | 2021-03-11 06:00:14.083000+00:00 | 2021-03-11 06:00:14.083000+00:00 | 2021-03-11 14:30:14.450000+00:00 | [\r\n "1. Make sure the machine is completely updated and all your software has the latest patc... | {\r\n "MicrosoftDefenderAtp.Category": "Malware",\r\n "MicrosoftDefenderAtp.InvestigationId": ... | [\r\n {\r\n "$id": "4",\r\n "DnsDomain": "na.contosohotels.com",\r\n "HostName": "vict... | Detection |  |  |  | Microsoft Defender Advanced Threat Protection |  | https://securitycenter.microsoft.com/alert/da637510393722104539_-1180405651?tid=4b2462a4-bbee-49... | New | victim00.na.contosohotels.com | Unknown | SecurityAlert | victim00 | victim00 |  |  | True | False | False |
|   | idx | ip | type |
|---|---|---|---|
| 0 | 0 | 172.217.15.99 | Public |
| 1 | 1 | 40.85.232.64 | Public |
| 2 | 2 | 20.38.98.100 | Public |
| 3 | 3 | 23.96.64.84 | Public |
| 4 | 4 | 65.55.44.108 | Public |
| 5 | 5 | 131.107.147.209 | Public |
| 6 | 6 | 10.0.3.4 | Private |
| 7 | 7 | 10.0.3.5 | Private |
| 8 | 8 | 13.82.152.48 | Public |

|   | ip | result | src_row_index |
|---|---|---|---|
| 0 | 172.217.15.99 | Public | 0 |
| 1 | 40.85.232.64 | Public | 1 |
| 2 | 20.38.98.100 | Public | 2 |
| 3 | 23.96.64.84 | Public | 3 |
| 4 | 65.55.44.108 | Public | 4 |
| 5 | 131.107.147.209 | Public | 5 |
| 6 | 10.0.3.4 | Private | 6 |
| 7 | 10.0.3.5 | Private | 7 |
| 8 | 13.82.152.48 | Public | 8 |
|   | nir | asn_registry | asn | asn_cidr | asn_country_code | asn_date | asn_description | query | nets | raw | referral | raw_referral |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 0 | NaN | arin | 15169 | 172.217.15.0/24 | US | 2012-04-16 | GOOGLE, US | 172.217.15.99 | [{'cidr': '172.217.0.0/16', 'name': 'GOOGLE', 'handle': 'NET-172-217-0-0-1', 'range': '172.217.0... | NaN | NaN | NaN |
| 1 | NaN | arin | 8075 | 40.80.0.0/12 | US | 2015-02-23 | MICROSOFT-CORP-MSN-AS-BLOCK, US | 40.85.232.64 | [{'cidr': '40.80.0.0/12, 40.124.0.0/16, 40.74.0.0/15, 40.76.0.0/14, 40.120.0.0/14, 40.125.0.0/17... | NaN | NaN | NaN |
| 2 | NaN | arin | 8075 | 20.36.0.0/14 | US | 2017-10-18 | MICROSOFT-CORP-MSN-AS-BLOCK, US | 20.38.98.100 | [{'cidr': '20.128.0.0/16, 20.33.0.0/16, 20.34.0.0/15, 20.36.0.0/14, 20.64.0.0/10, 20.40.0.0/13, ... | NaN | NaN | NaN |
| 3 | NaN | arin | 8075 | 23.96.0.0/14 | US | 2013-06-18 | MICROSOFT-CORP-MSN-AS-BLOCK, US | 23.96.64.84 | [{'cidr': '23.96.0.0/13', 'name': 'MSFT', 'handle': 'NET-23-96-0-0-1', 'range': '23.96.0.0 - 23.... | NaN | NaN | NaN |
| 4 | NaN | arin | 8075 | 65.52.0.0/14 | US | 2001-02-14 | MICROSOFT-CORP-MSN-AS-BLOCK, US | 65.55.44.108 | [{'cidr': '65.52.0.0/14', 'name': 'MICROSOFT-1BLK', 'handle': 'NET-65-52-0-0-1', 'range': '65.52... | NaN | NaN | NaN |
| 5 | NaN | arin | 3598 | 131.107.0.0/16 | US | 1988-11-11 | MICROSOFT-CORP-AS, US | 131.107.147.209 | [{'cidr': '131.107.0.0/16', 'name': 'MICROSOFT', 'handle': 'NET-131-107-0-0-1', 'range': '131.10... | NaN | NaN | NaN |
| 6 | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN |
| 7 | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN |
| 8 | NaN | arin | 8075 | 13.64.0.0/11 | US | 2015-03-26 | MICROSOFT-CORP-MSN-AS-BLOCK, US | 13.82.152.48 | [{'cidr': '13.64.0.0/11, 13.96.0.0/13, 13.104.0.0/14', 'name': 'MSFT', 'handle': 'NET-13-64-0-0-... | NaN | NaN | NaN |

|   | ip | result |
|---|---|---|
| 0 | 40.85.232.64 | Public |
|   | TenantId | TimeGenerated | AlertDisplayName | AlertName | Severity | Description | ProviderName | VendorName | VendorOriginalId | SystemAlertId | ResourceId | SourceComputerId | AlertType | ConfidenceLevel | ConfidenceScore | IsIncident | StartTimeUtc | EndTimeUtc | ProcessingEndTime | RemediationSteps | ExtendedProperties | Entities | SourceSystem | WorkspaceSubscriptionId | WorkspaceResourceGroup | ExtendedLinks | ProductName | ProductComponentName | AlertLink | Status | CompromisedEntity | Tactics | Techniques | Type | Computer | src_hostname | src_accountname | src_procname | host_match | acct_match | proc_match |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|

*(no rows returned)*

|   | LogonType | count_ |
|---|---|---|
| 0 | 5 | 21650 |
| 1 | 3 | 6808 |
| 2 | 4 | 9426 |
| 3 | 2 | 109 |
| 4 | 10 | 44 |
| 5 | 0 | 7 |
| 6 | 9 | 8 |
|   | idx | ip | type | nir | asn_registry | asn | asn_cidr | asn_country_code | asn_date | asn_description | query | nets | raw | referral | raw_referral |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 0 | 0 | 172.217.15.99 | Public | NaN | arin | 15169 | 172.217.15.0/24 | US | 2012-04-16 | GOOGLE, US | 172.217.15.99 | [{'cidr': '172.217.0.0/16', 'name': 'GOOGLE', 'handle': 'NET-172-217-0-0-1', 'range': '172.217.0... | NaN | NaN | NaN |
| 1 | 1 | 40.85.232.64 | Public | NaN | arin | 8075 | 40.80.0.0/12 | US | 2015-02-23 | MICROSOFT-CORP-MSN-AS-BLOCK, US | 40.85.232.64 | [{'cidr': '40.80.0.0/12, 40.124.0.0/16, 40.74.0.0/15, 40.76.0.0/14, 40.120.0.0/14, 40.125.0.0/17... | NaN | NaN | NaN |
| 2 | 2 | 20.38.98.100 | Public | NaN | arin | 8075 | 20.36.0.0/14 | US | 2017-10-18 | MICROSOFT-CORP-MSN-AS-BLOCK, US | 20.38.98.100 | [{'cidr': '20.128.0.0/16, 20.33.0.0/16, 20.34.0.0/15, 20.36.0.0/14, 20.64.0.0/10, 20.40.0.0/13, ... | NaN | NaN | NaN |
| 3 | 3 | 23.96.64.84 | Public | NaN | arin | 8075 | 23.96.0.0/14 | US | 2013-06-18 | MICROSOFT-CORP-MSN-AS-BLOCK, US | 23.96.64.84 | [{'cidr': '23.96.0.0/13', 'name': 'MSFT', 'handle': 'NET-23-96-0-0-1', 'range': '23.96.0.0 - 23.... | NaN | NaN | NaN |
| 4 | 4 | 65.55.44.108 | Public | NaN | arin | 8075 | 65.52.0.0/14 | US | 2001-02-14 | MICROSOFT-CORP-MSN-AS-BLOCK, US | 65.55.44.108 | [{'cidr': '65.52.0.0/14', 'name': 'MICROSOFT-1BLK', 'handle': 'NET-65-52-0-0-1', 'range': '65.52... | NaN | NaN | NaN |
| 5 | 5 | 131.107.147.209 | Public | NaN | arin | 3598 | 131.107.0.0/16 | US | 1988-11-11 | MICROSOFT-CORP-AS, US | 131.107.147.209 | [{'cidr': '131.107.0.0/16', 'name': 'MICROSOFT', 'handle': 'NET-131-107-0-0-1', 'range': '131.10... | NaN | NaN | NaN |
| 6 | 8 | 13.82.152.48 | Public | NaN | arin | 8075 | 13.64.0.0/11 | US | 2015-03-26 | MICROSOFT-CORP-MSN-AS-BLOCK, US | 13.82.152.48 | [{'cidr': '13.64.0.0/11, 13.96.0.0/13, 13.104.0.0/14', 'name': 'MSFT', 'handle': 'NET-13-64-0-0-... | NaN | NaN | NaN |
|   | IP | ip | result | asn | asn_cidr | asn_country_code | asn_date | asn_description | asn_registry | nets | nir | query | raw | raw_referral | referral | CountryCode | CountryName | State | City | Longitude | Latitude | Asn | edges | Type_x | AdditionalData | ... | AlertType | ConfidenceLevel | ConfidenceScore | IsIncident | StartTimeUtc | EndTimeUtc | ProcessingEndTime | RemediationSteps | ExtendedProperties | Entities | SourceSystem | WorkspaceSubscriptionId | WorkspaceResourceGroup | ExtendedLinks | ProductName | ProductComponentName | AlertLink | Status | CompromisedEntity | Tactics | Type_y | SystemAlertId1 | ExtendedProperties1 | Entities1 | MatchingIps |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 0 | 3.88.48.125 | 3.88.48.125 | Public | 14618 | 3.80.0.0/12 | US | 2017-12-20 | AMAZON-AES, US | arin | [{'cidr': '3.0.0.0/9', 'name': 'AT-88-Z', 'handle': 'NET-3-0-0-0-1', 'range': '3.0.0.0 - 3.127.2... | None | 3.88.48.125 | None | None | None | US | United States | Virginia | Ashburn | -77.4728 | 39.0481 | None | {} | geolocation | {} | ... | 8ecf8077-cf51-4820-aadd-14040956f35d_8a369bd2-97b6-4fe2-922a-cd170faf25bc |  | NaN | False | 2020-12-19 13:04:59+00:00 | 2020-12-19 19:04:59+00:00 | 2020-12-19 19:10:17+00:00 |  | {\r\n "Query": "// The query_now parameter (in UTC format) was prepended to the query to reflec... | [\r\n {\r\n "$id": "3",\r\n "Address": "3.88.48.125",\r\n "Type": "ip"\r\n }\r\n] | Detection | d1d8779d-38d7-4f06-91db-9cbc8de0176f | soc |  | Azure Sentinel | Scheduled Alerts |  | New |  | CommandAndControl | SecurityAlert | fdc54c12-efba-38b0-8379-f06d7fbfd34a | {\r\n "Query": "// The query_now parameter (in UTC format) was prepended to the query to reflec... | [\r\n {\r\n "$id": "3",\r\n "Address": "3.88.48.125",\r\n "Type": "ip"\r\n }\r\n] | [3.88.48.125] |
| 1 | 3.88.48.125 | 3.88.48.125 | Public | 14618 | 3.80.0.0/12 | US | 2017-12-20 | AMAZON-AES, US | arin | [{'cidr': '3.0.0.0/9', 'name': 'AT-88-Z', 'handle': 'NET-3-0-0-0-1', 'range': '3.0.0.0 - 3.127.2... | None | 3.88.48.125 | None | None | None | US | United States | Virginia | Ashburn | -77.4728 | 39.0481 | None | {} | geolocation | {} | ... | ThreatIntelligence | 83 | NaN | False | 2020-12-23 13:48:23+00:00 | 2020-12-23 13:48:23+00:00 | 2020-12-23 14:08:15+00:00 |  | {\r\n "Query": "CommonSecurityLog\| where RequestURL hasprefix(\"www.arboretum.hu\") \| where Tim... | [\r\n {\r\n "$id": "3",\r\n "DnsDomain": "www.arboretum.hu",\r\n "HostName": "www.arbo... | Detection | d1d8779d-38d7-4f06-91db-9cbc8de0176f | soc |  | Azure Sentinel | Microsoft Threat Intelligence Analytics |  | New | 3.88.48.125 | Unknown | SecurityAlert | 625ff9af-dddc-0cf8-9d4b-e79067fa2e71 | {\r\n "Query": "CommonSecurityLog\| where RequestURL hasprefix(\"www.arboretum.hu\") \| where Tim... | [\r\n {\r\n "$id": "3",\r\n "DnsDomain": "www.arboretum.hu",\r\n "HostName": "www.arbo... | [3.88.48.125] |
| 2 | 3.88.48.125 | 3.88.48.125 | Public | 14618 | 3.80.0.0/12 | US | 2017-12-20 | AMAZON-AES, US | arin | [{'cidr': '3.0.0.0/9', 'name': 'AT-88-Z', 'handle': 'NET-3-0-0-0-1', 'range': '3.0.0.0 - 3.127.2... | None | 3.88.48.125 | None | None | None | US | United States | Virginia | Ashburn | -77.4728 | 39.0481 | None | {} | geolocation | {} | ... | ThreatIntelligence | 83 | NaN | False | 2020-12-23 13:48:23+00:00 | 2020-12-23 13:48:23+00:00 | 2020-12-23 14:08:15+00:00 |  | {\r\n "Query": "CommonSecurityLog\| where RequestURL hasprefix(\"www.arboretum.hu\") \| where Tim... | [\r\n {\r\n "$id": "3",\r\n "DnsDomain": "www.arboretum.hu",\r\n "HostName": "www.arbo... | Detection | d1d8779d-38d7-4f06-91db-9cbc8de0176f | soc |  | Azure Sentinel | Microsoft Threat Intelligence Analytics |  | New | 3.88.48.125 | Unknown | SecurityAlert | c977f904-ab30-d57e-986f-9d6ebf72771b | {\r\n "Query": "CommonSecurityLog\| where RequestURL hasprefix(\"www.arboretum.hu\") \| where Tim... | [\r\n {\r\n "$id": "3",\r\n "DnsDomain": "www.arboretum.hu",\r\n "HostName": "www.arbo... | [3.88.48.125] |
| 3 | 3.88.48.125 | 3.88.48.125 | Public | 14618 | 3.80.0.0/12 | US | 2017-12-20 | AMAZON-AES, US | arin | [{'cidr': '3.0.0.0/9', 'name': 'AT-88-Z', 'handle': 'NET-3-0-0-0-1', 'range': '3.0.0.0 - 3.127.2... | None | 3.88.48.125 | None | None | None | US | United States | Virginia | Ashburn | -77.4728 | 39.0481 | None | {} | geolocation | {} | ... | ThreatIntelligence | 83 | NaN | False | 2020-12-23 13:48:23+00:00 | 2020-12-23 13:48:23+00:00 | 2020-12-23 14:08:15+00:00 |  | {\r\n "Query": "CommonSecurityLog\| where RequestURL hasprefix(\"www.arboretum.hu\") \| where Tim... | [\r\n {\r\n "$id": "3",\r\n "DnsDomain": "www.arboretum.hu",\r\n "HostName": "www.arbo... | Detection | d1d8779d-38d7-4f06-91db-9cbc8de0176f | soc |  | Azure Sentinel | Microsoft Threat Intelligence Analytics |  | New | 3.88.48.125 | Unknown | SecurityAlert | 9ee547e4-cba1-47d1-e1f9-87247b693a52 | {\r\n "Query": "CommonSecurityLog\| where RequestURL hasprefix(\"www.arboretum.hu\") \| where Tim... | [\r\n {\r\n "$id": "3",\r\n "DnsDomain": "www.arboretum.hu",\r\n "HostName": "www.arbo... | [3.88.48.125] |
| 4 | 3.88.48.125 | 3.88.48.125 | Public | 14618 | 3.80.0.0/12 | US | 2017-12-20 | AMAZON-AES, US | arin | [{'cidr': '3.0.0.0/9', 'name': 'AT-88-Z', 'handle': 'NET-3-0-0-0-1', 'range': '3.0.0.0 - 3.127.2... | None | 3.88.48.125 | None | None | None | US | United States | Virginia | Ashburn | -77.4728 | 39.0481 | None | {} | geolocation | {} | ... | ThreatIntelligence | 83 | NaN | False | 2020-12-23 13:48:23+00:00 | 2020-12-23 13:48:23+00:00 | 2020-12-23 14:08:16+00:00 |  | {\r\n "Query": "CommonSecurityLog\| where RequestURL hasprefix(\"www.arboretum.hu\") \| where Tim... | [\r\n {\r\n "$id": "3",\r\n "DnsDomain": "www.arboretum.hu",\r\n "HostName": "www.arbo... | Detection | d1d8779d-38d7-4f06-91db-9cbc8de0176f | soc |  | Azure Sentinel | Microsoft Threat Intelligence Analytics |  | New | 3.88.48.125 | Unknown | SecurityAlert | 83a0e08a-1adb-ef75-1c56-f6c9ce25ca69 | {\r\n "Query": "CommonSecurityLog\| where RequestURL hasprefix(\"www.arboretum.hu\") \| where Tim... | [\r\n {\r\n "$id": "3",\r\n "DnsDomain": "www.arboretum.hu",\r\n "HostName": "www.arbo... | [3.88.48.125] |

*5 rows × 63 columns*