From d330b22cbd1aae020d3253d8ab89de559b65b2a9 Mon Sep 17 00:00:00 2001 From: Ian Hellen Date: Tue, 27 Apr 2021 11:51:52 -0700 Subject: [PATCH 01/10] Fixing bugs and adding documentation to __init__.init Bug with uninitialized variable in data_providers.py Use generator comp instead of list in browser Better formatting of options - added options doc string to notebooklet init. Refactored large __init__ function in notebooklet Updating requirements.txt to msticpy>=1.0.0 --- msticnb/__init__.py | 35 ++++++++++++++++--- msticnb/data_providers.py | 1 + msticnb/nb_browser.py | 2 +- msticnb/nb_metadata.py | 3 +- msticnb/notebooklet.py | 20 ++++++++++- requirements.txt | 2 +- .../nb/azsent/account/test_account_summary.py | 3 +- 7 files changed, 57 insertions(+), 9 deletions(-) diff --git a/msticnb/__init__.py b/msticnb/__init__.py index 46431e1..f09e164 100644 --- a/msticnb/__init__.py +++ b/msticnb/__init__.py @@ -36,6 +36,7 @@ """ import sys +from typing import Any, Dict, List, Optional from .data_providers import DataProviders, init as dp_init # noqa:F401 from .read_modules import discover_modules, nblts, nb_index, find # noqa:F401 
@@ -53,10 +54,36 @@ print(f"Notebooklets: {len(list(nblts.iter_classes()))} notebooklets loaded.") -def init(namespace: dict = None, **kwargs): - """Initialize notebooklets dataproviders and pivots.""" - query_provider = kwargs.pop("query_provider", None) - providers = kwargs.pop("providers", None) +def init( + query_provider: str, + namespace: Optional[Dict[str, Any]] = None, + providers: Optional[List[str]] = None, + **kwargs, +): + """ + Initialize notebooklets dataproviders and pivots. + + Parameters + ---------- + query_provider : str + The default query provider to use with notebooklets + namespace : Optional[Dict[str, Any]], optional + The global namespace - used to add pivot functions + providers : Optional[List[str]], optional + A list of other provider names to load + + Other parameters + ---------------- + kwargs : + Optional keyword arguments to pass to DataProviders + and Pivot initializers. + + Notes + ----- + Use msticnb.DataProviders.list_providers() to get a list + of accepted providers. + + """ dp_init(query_provider=query_provider, providers=providers, **kwargs) if not namespace: # Try to get the globals namespace from top-level caller diff --git a/msticnb/data_providers.py b/msticnb/data_providers.py index d97becc..fea058c 100644 --- a/msticnb/data_providers.py +++ b/msticnb/data_providers.py @@ -129,6 +129,7 @@ def __init__( self.providers: Dict[str, Any] = {} self.query_provider = None + parsed_provider = DataEnvironment.Unknown if isinstance(query_provider, str): parsed_provider = self._parse_provider_name(query_provider) self.provider_names.add(parsed_provider.name) diff --git a/msticnb/nb_browser.py b/msticnb/nb_browser.py index 5a46043..c9701f6 100644 --- a/msticnb/nb_browser.py +++ b/msticnb/nb_browser.py 
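Review bot: Making `query_provider` the first positional parameter of `init` changes the call shape for any caller that passed the namespace positionally — `init(globals())` now binds the namespace dict to `query_provider` and forwards it to `dp_init`, whereas the old signature took `namespace` first and read `query_provider` from kwargs with a `None` default. If that call form exists anywhere, a cheap guard catches it early: `if isinstance(query_provider, dict): raise TypeError("init(): first argument is query_provider; pass the namespace as namespace=...")`. The annotation `query_provider: str` also looks narrower than what data_providers.py accepts in the same patch (`DataProviders.__init__` branches on `isinstance(query_provider, str)`, implying non-string values are tolerated) — either widen the annotation or state in the docstring that only provider names are supported here. The new test in tests/nb/azsent/account/test_account_summary.py passes `providers=["-tilookup"]`, which reads as an exclusion syntax the `providers` docstring does not mention; if the `-` prefix is supported, document it here (e.g. `Prefix a name with '-' to exclude a provider that would otherwise be loaded` — confirm against DataProviders). The rest of `init`'s body is outside the hunk.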
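Review bot: Pre-setting `parsed_provider = DataEnvironment.Unknown` removes the unbound-name failure for a non-string `query_provider`, but any later use of `parsed_provider` in `DataProviders.__init__` (the method starts before and continues after this hunk) will now proceed with `Unknown` rather than failing loudly, so it is worth confirming that downstream code treats `Unknown` as "no named environment" and not as a real provider. A one-line comment on the new assignment would make the intent explicit: `# Non-string query_provider has no environment name to parse; stays Unknown`.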
@@ -85,7 +85,7 @@ def _get_class_index(tgt_class): @staticmethod def _pyvar_case(in_name): return "_".join( - [part.lower() for part in re.split(r"([A-Z][a-z]*)", in_name) if part] + part.lower() for part in re.split(r"([A-Z][a-z]*)", in_name) if part ) def _update_nbdetails(self, change): diff --git a/msticnb/nb_metadata.py b/msticnb/nb_metadata.py index 8efc1e0..bac3c05 100644 --- a/msticnb/nb_metadata.py +++ b/msticnb/nb_metadata.py @@ -112,7 +112,8 @@ def options_doc(self) -> str: ) else: opt_list.append(" None") - opt_list.append("") + # Add a blank line to the end + opt_list.extend(["", ""]) return "\n".join(opt_list) # pylint: enable=not-an-iterable diff --git a/msticnb/notebooklet.py b/msticnb/notebooklet.py index da5f575..e6c0ea2 100644 --- a/msticnb/notebooklet.py +++ b/msticnb/notebooklet.py @@ -64,9 +64,17 @@ def __init__(self, data_providers: Optional[DataProviders] = None, **kwargs): self._current_run_silent: Optional[bool] = None set_opt("temp_silent", self.silent) + # update "run" function documentation on first run + self._add_run_doc_options() + + # Check required data providers are loaded. # pylint: disable=no-member self.data_providers = data_providers or DataProviders.current() # type: ignore # pylint: enable=no-member + self._check_nb_providers(**kwargs) + + def _check_nb_providers(self, **kwargs): + """Check that providers required for notebooklet are available.""" if not self.data_providers: raise MsticnbDataProviderError( "No current DataProviders instance was found.", @@ -90,8 +98,9 @@ def __init__(self, data_providers: Optional[DataProviders] = None, **kwargs): prov_add_errs.append(err) if missing_provs: + missing_mssg = [prov.replace("|", " or ") for prov in missing_provs] raise MsticnbDataProviderError( - f"Required data provider(s) {', '.join(missing_provs)} not loaded.", + f"Required data provider(s) {', '.join(missing_mssg)} not loaded.", f"Class {self.__class__.__name__}", *prov_add_errs, ) 
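Review bot: The comment `# Add a blank line to the end` understates what `opt_list.extend(["", ""])` does: with `"\n".join(opt_list)` two trailing empty strings make the result end in `\n\n` — a line terminator plus one blank line — whereas the single `""` it replaces only terminated the last line. Suggest `# Two empties: terminate the last line and leave one blank line after it (result ends in "\n\n")`, since callers that splice this text into a docstring depend on that spacing. `options_doc` starts outside the hunk.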
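Review bot: The comment `# update "run" function documentation on first run` is misleading at this call site — `self._add_run_doc_options()` runs from `__init__` on every instantiation, not on the first `run`, and relies on the early return inside `_add_run_doc_options` to be idempotent; suggest `# Append this notebooklet's options doc to run.__doc__ (no-op once the class has it)`. It is also called before `self.data_providers` is assigned and before `_check_nb_providers`, and it reads `self.metadata.options_doc`, so `self.metadata` must already be populated earlier in `__init__` (not visible here) — worth confirming. `__init__` begins outside the hunk and `_check_nb_providers` continues past it.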
@@ -101,6 +110,15 @@ def __init__(self, data_providers: Optional[DataProviders] = None, **kwargs): + f"Class {self.__class__.__name__}" ) + def _add_run_doc_options(self): + """Add options documentation to run function.""" + if "Default Options" in self.__class__.run.__doc__: + return + options_doc = (f" {line}" for line in self.metadata.options_doc.split("\n")) + self.__class__.run.__doc__ = (self.__class__.run.__doc__ or "") + "\n".join( + options_doc + ) + @abstractmethod def run( self, diff --git a/requirements.txt b/requirements.txt index b1a2b52..80939b3 100644 --- a/requirements.txt +++ b/requirements.txt @@ -4,7 +4,7 @@ ipython>=7.14.0 ipywidgets>=7.5.1 lxml>=4.4.2 Markdown>=3.2.1 -msticpy[azure]==1.0.0rc3 +msticpy==1.0.0 numpy>=1.17.3 pandas>=0.25.3 python-dateutil>=2.8.1 diff --git a/tests/nb/azsent/account/test_account_summary.py b/tests/nb/azsent/account/test_account_summary.py index ad5701b..b84e90a 100644 --- a/tests/nb/azsent/account/test_account_summary.py +++ b/tests/nb/azsent/account/test_account_summary.py @@ -25,7 +25,8 @@ def test_account_summary_notebooklet(monkeypatch): test_data = str(Path(TEST_DATA_PATH).absolute()) monkeypatch.setattr(data_providers, "GeoLiteLookup", GeoIPLiteMock) data_providers.init( - query_provider="LocalData", + "LocalData", + providers=["-tilookup"], LocalData_data_paths=[test_data], LocalData_query_paths=[test_data], ) From 86c0865eb65031ac6de1d7097c20c6a12a037c9f Mon Sep 17 00:00:00 2001 
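Review bot: `if "Default Options" in self.__class__.run.__doc__:` raises `TypeError` when the concrete `run` has no docstring (`__doc__` is `None`); the following statement guards with `or ""` but the membership test does not, so change it to `if "Default Options" in (self.__class__.run.__doc__ or ""):`. The guard also assumes the literal "Default Options" is emitted by `self.metadata.options_doc` (presumably the nb_metadata heading, not visible here) — if that heading is ever reworded the check silently stops deduplicating and the options are appended on every instantiation, so a module constant shared by both sides would tie them together. Because the assignment mutates the function object, a subclass that inherits `run` from another concrete notebooklet shares that docstring and would return early without its own options appended; a NOTE comment is warranted if that layout exists.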
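Review bot: The hunk pins `msticpy==1.0.0`, while the commit message says the requirement becomes `msticpy>=1.0.0`; one of the two should be corrected, and an exact pin in a library's requirements.txt may conflict with environments that already carry a newer msticpy. The change also drops the `[azure]` extra that `msticpy[azure]==1.0.0rc3` pulled in, so any Azure-specific dependencies it provided are no longer declared — restore it as `msticpy[azure]>=1.0.0` unless nothing in msticnb needs them, in which case say so in the commit message.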
From: Ian Hellen Date: Thu, 29 Apr 2021 19:53:25 -0700 Subject: [PATCH 02/10] Adding notebooklet auto-generated documents. Small fix to nb_pivot.py init --- docs/notebooks/AccountSummary.ipynb | 8329 ++++++++--------- docs/notebooks/IpSummary.ipynb | 2105 +++++ docs/notebooks/NotebookletDocumentation.ipynb | 658 ++ docs/source/index.rst | 10 +- docs/source/nb_doc_details.rst | 13 + .../notebooklet_docs/AccountSummary.rst | 446 + docs/source/notebooklet_docs/EnrichAlerts.rst | 252 + .../notebooklet_docs/HostLogonsSummary.rst | 275 + docs/source/notebooklet_docs/HostSummary.rst | 321 + .../notebooklet_docs/IpAddressSummary.rst | 462 + .../notebooklet_docs/NetworkFlowSummary.rst | 418 + .../source/notebooklet_docs/WinHostEvents.rst | 340 + ...ebooklets.rst => notebooklets_summary.rst} | 18 +- msticnb/nb/azsent/network/ip_summary.yaml | 4 + msticnb/nb_pivot.py | 5 +- 15 files changed, 8972 insertions(+), 4684 deletions(-) create mode 100644 docs/notebooks/IpSummary.ipynb create mode 100644 docs/notebooks/NotebookletDocumentation.ipynb create mode 100644 docs/source/nb_doc_details.rst create mode 100644 docs/source/notebooklet_docs/AccountSummary.rst create mode 100644 docs/source/notebooklet_docs/EnrichAlerts.rst create mode 100644 docs/source/notebooklet_docs/HostLogonsSummary.rst create mode 100644 docs/source/notebooklet_docs/HostSummary.rst create mode 100644 docs/source/notebooklet_docs/IpAddressSummary.rst create mode 100644 docs/source/notebooklet_docs/NetworkFlowSummary.rst create mode 100644 docs/source/notebooklet_docs/WinHostEvents.rst rename docs/source/{notebooklets.rst => notebooklets_summary.rst} (95%) diff --git a/docs/notebooks/AccountSummary.ipynb b/docs/notebooks/AccountSummary.ipynb index 878fd37..7629063 100644 --- a/docs/notebooks/AccountSummary.ipynb +++ b/docs/notebooks/AccountSummary.ipynb 
@@ -11,7 +11,7 @@ }, { "cell_type": "code", - "execution_count": 1, + "execution_count": 4, "metadata": { "ExecuteTime": { "end_time": "2020-02-28T21:13:24.369073Z", @@ -20,20 +20,93 @@ }, "outputs": [ { - "name": "stdout", - "output_type": "stream", - "text": [ - "Processing imports....\n", - "Checking configuration....\n", - "No errors found.\n", - "No warnings found.\n", - "Setting options....\n" - ] + "data": { + "text/html": [ + "

Starting Notebook initialization...

" + ], + "text/plain": [ + "" + ] + }, + "metadata": {}, + "output_type": "display_data" + }, + { + "data": { + "text/html": [ + "msticpy version installed: 1.1.0 latest published: 1.0.0
Latest version is installed.

" + ], + "text/plain": [ + "" + ] + }, + "metadata": {}, + "output_type": "display_data" + }, + { + "data": { + "text/html": [ + "Processing imports....
" + ], + "text/plain": [ + "" + ] + }, + "metadata": {}, + "output_type": "display_data" + }, + { + "data": { + "text/html": [ + "Imported: pd (pandas), IPython.get_ipython, IPython.display.display, IPython.display.HTML, IPython.display.Markdown, widgets (ipywidgets), pathlib.Path, plt (matplotlib.pyplot), matplotlib.MatplotlibDeprecationWarning, sns (seaborn), np (numpy), msticpy.data.QueryProvider, msticpy.nbtools.foliummap.FoliumMap, msticpy.common.utility.md, msticpy.common.utility.md_warn, msticpy.common.wsconfig.WorkspaceConfig, msticpy.datamodel.pivot.Pivot, msticpy.datamodel.entities
" + ], + "text/plain": [ + "" + ] + }, + "metadata": {}, + "output_type": "display_data" + }, + { + "data": { + "text/html": [ + "Checking configuration....
" + ], + "text/plain": [ + "" + ] + }, + "metadata": {}, + "output_type": "display_data" + }, + { + "data": { + "text/html": [ + "Setting notebook options....
" + ], + "text/plain": [ + "" + ] + }, + "metadata": {}, + "output_type": "display_data" + }, + { + "data": { + "text/html": [ + "
" + ], + "text/plain": [ + "" + ] + }, + "metadata": {}, + "output_type": "display_data" }, { "data": { "text/html": [ - "

Notebook setup complete

" + "

Notebook initialization complete

" ], "text/plain": [ "" @@ -63,16 +136,16 @@ }, { "cell_type": "code", - "execution_count": 2, + "execution_count": 1, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ - "7 notebooklets loaded.\n", - "\\src\\msticnb\\tests\\testdata\\msticpyconfig-test.yaml is not a valid query definition file - skipping.\n", - "\\src\\msticnb\\tests\\testdata\\custom_nb\\host\\host_test_nb.yaml is not a valid query definition file - skipping.\n" + "Notebooklets: 8 notebooklets loaded.\n", + "E:\\src\\msticnb\\tests\\testdata\\msticpyconfig-test.yaml is not a valid query definition file - skipping.\n", + "E:\\src\\msticnb\\tests\\testdata\\custom_nb\\host\\host_test_nb.yaml is not a valid query definition file - skipping.\n" ] }, { @@ -93,7 +166,29 @@ "name": "stdout", "output_type": "stream", "text": [ - "Loaded providers: LocalData, geolitelookup\n" + "Notebooklets: Loaded providers: LocalData, geolitelookup\n", + "Using Open PageRank. See https://www.domcop.com/openpagerank/what-is-openpagerank\n" + ] + }, + { + "data": { + "text/html": [ + "\n", + "This library uses services provided by ipstack.\n", + "https://ipstack.com" + ], + "text/plain": [ + "" + ] + }, + "metadata": {}, + "output_type": "display_data" + }, + { + "name": "stdout", + "output_type": "stream", + "text": [ + "Using Open PageRank. See https://www.domcop.com/openpagerank/what-is-openpagerank\n" ] } ], @@ -109,46 +204,18 @@ }, { "cell_type": "code", - "execution_count": 3, + "execution_count": 5, "metadata": {}, "outputs": [ { "data": { "application/vnd.jupyter.widget-view+json": { - "model_id": "40763aee53144837b20e54549ff9d9c6", - "version_major": 2, - "version_minor": 0 - }, - "text/plain": [ - "HTML(value='

Set query time boundaries

')" - ] - }, - "metadata": {}, - "output_type": "display_data" - }, - { - "data": { - "application/vnd.jupyter.widget-view+json": { - "model_id": "4c12732c1a904514a25129f9e62a48ce", - "version_major": 2, - "version_minor": 0 - }, - "text/plain": [ - "HBox(children=(DatePicker(value=datetime.date(2020, 7, 31), description='Origin Date'), Text(value='20:50:51.8…" - ] - }, - "metadata": {}, - "output_type": "display_data" - }, - { - "data": { - "application/vnd.jupyter.widget-view+json": { - "model_id": "4ab865ea1c82425890774899f13b0e9f", + "model_id": "52704e1c8d2f4de48176c622072b3701", "version_major": 2, "version_minor": 0 }, "text/plain": [ - "VBox(children=(IntRangeSlider(value=(-1, 1), description='Time Range (day):', layout=Layout(width='80%'), max=…" + "VBox(children=(HTML(value='

Set query time boundaries

'), HBox(children=(DatePicker(value=datetime.date…" ] }, "metadata": {}, @@ -161,7 +228,7 @@ }, { "cell_type": "code", - "execution_count": 4, + "execution_count": 6, "metadata": {}, "outputs": [ { @@ -179,7 +246,7 @@ { "data": { "text/html": [ - "This function searches Active Directory, Azure, Office365, Windows and Linux logs for matching accounts.
If any matches are found you can choose an account to explore, viewing the times of recent event types, any alerts and hunting bookmarks that relate to the account name.
You can also retrieve recent details of the logon activity or cloud activity for the account.
For further investigation use the host_logons_summary notebooklet for Windows and Linux host logons. Or use the azure_account_summary for cloud accounts." + "This function searches Active Directory, Azure, Office365, Windows and Linux logs for matching accounts.
If any matches are found you can choose an account to explore, viewing the times of recent event types, any alerts and hunting bookmarks that relate to the account name.
You can also retrieve recent details of the logon activity or cloud activity for the account.
For further investigation use the host_logons_summary notebooklet for Windows and Linux host logons." ], "text/plain": [ "" @@ -191,7 +258,7 @@ { "data": { "text/html": [ - "

Querying for account matches.

" + "

Querying for account matches.

" ], "text/plain": [ "" @@ -213,11 +280,16 @@ "output_type": "display_data" }, { - "name": "stdout", - "output_type": "stream", - "text": [ - "Getting data from AADSignin...\n" - ] + "data": { + "text/html": [ + "

Getting data from AADSignin...

" + ], + "text/plain": [ + "" + ] + }, + "metadata": {}, + "output_type": "display_data" }, { "data": { @@ -232,11 +304,16 @@ "output_type": "display_data" }, { - "name": "stdout", - "output_type": "stream", - "text": [ - "Getting data from Office365Activity...\n" - ] + "data": { + "text/html": [ + "

Getting data from Office365Activity...

" + ], + "text/plain": [ + "" + ] + }, + "metadata": {}, + "output_type": "display_data" }, { "data": { @@ -251,11 +328,16 @@ "output_type": "display_data" }, { - "name": "stdout", - "output_type": "stream", - "text": [ - "Getting data from Windows Logon activity...\n" - ] + "data": { + "text/html": [ + "

Getting data from Windows Logon activity...

" + ], + "text/plain": [ + "" + ] + }, + "metadata": {}, + "output_type": "display_data" }, { "data": { @@ -270,11 +352,16 @@ "output_type": "display_data" }, { - "name": "stdout", - "output_type": "stream", - "text": [ - "Getting data from Linux logon activity...\n" - ] + "data": { + "text/html": [ + "

Getting data from Linux logon activity...

" + ], + "text/plain": [ + "" + ] + }, + "metadata": {}, + "output_type": "display_data" }, { "data": { @@ -291,7 +378,31 @@ { "data": { "text/html": [ - "

Found 196 total recordsmsticnb.

" + "

Found 196 total records.

" + ], + "text/plain": [ + "" + ] + }, + "metadata": {}, + "output_type": "display_data" + }, + { + "data": { + "text/html": [ + "


" + ], + "text/plain": [ + "" + ] + }, + "metadata": {}, + "output_type": "display_data" + }, + { + "data": { + "text/html": [ + "

Multiple matching accounts found, select one to see details.

" ], "text/plain": [ "" @@ -303,7 +414,7 @@ { "data": { "application/vnd.jupyter.widget-view+json": { - "model_id": "3cdbc2993f0f495da285450b82a9a9b0", + "model_id": "a1a23b1125e14533b39c8e869d878212", "version_major": 2, "version_minor": 0 }, @@ -327,11 +438,16 @@ "output_type": "display_data" }, { - "name": "stdout", - "output_type": "stream", - "text": [ - "Getting data from Alerts...\n" - ] + "data": { + "text/html": [ + "

Getting data from Alerts...

" + ], + "text/plain": [ + "" + ] + }, + "metadata": {}, + "output_type": "display_data" }, { "data": { @@ -575,7 +691,7 @@ " document.body.appendChild(element);\n", " }\n", "\n", - " const hashes = {\"https://cdn.bokeh.org/bokeh/release/bokeh-2.1.1.min.js\": \"kLr4fYcqcSpbuI95brIH3vnnYCquzzSxHPU6XGQCIkQRGJwhg0StNbj1eegrHs12\", \"https://cdn.bokeh.org/bokeh/release/bokeh-widgets-2.1.1.min.js\": \"xIGPmVtaOm+z0BqfSOMn4lOR6ciex448GIKG4eE61LsAvmGj48XcMQZtKcE/UXZe\", \"https://cdn.bokeh.org/bokeh/release/bokeh-tables-2.1.1.min.js\": \"Dc9u1wF/0zApGIWoBbH77iWEHtdmkuYWG839Uzmv8y8yBLXebjO9ZnERsde5Ln/P\", \"https://cdn.bokeh.org/bokeh/release/bokeh-gl-2.1.1.min.js\": \"cT9JaBz7GiRXdENrJLZNSC6eMNF3nh3fa5fTF51Svp+ukxPdwcU5kGXGPBgDCa2j\"};\n", + " const hashes = {\"https://cdn.bokeh.org/bokeh/release/bokeh-2.2.2.min.js\": \"JayppSWSRBsibIZqI8S4vAb1oFgLL0uhNvSn8cmArlOvYOwfFjYeyY5UWwJ+K0SU\", \"https://cdn.bokeh.org/bokeh/release/bokeh-widgets-2.2.2.min.js\": \"G0/Tv/Yy/zEPNsnW0Qif/FOsGesd+KIrKg/QLmvQmReuUW9qmSP7mAmr0VpiUNr3\", \"https://cdn.bokeh.org/bokeh/release/bokeh-tables-2.2.2.min.js\": \"VLYHEbLQDk5G1+/4ALU0myoJPMEUsngWry2fzYorFOUmarjGRPLLURaeK/on6JqX\"};\n", "\n", " for (var i = 0; i < js_urls.length; i++) {\n", " var url = js_urls[i];\n", @@ -600,7 +716,7 @@ " }\n", "\n", " \n", - " var js_urls = [\"https://cdn.bokeh.org/bokeh/release/bokeh-2.1.1.min.js\", \"https://cdn.bokeh.org/bokeh/release/bokeh-widgets-2.1.1.min.js\", \"https://cdn.bokeh.org/bokeh/release/bokeh-tables-2.1.1.min.js\", \"https://cdn.bokeh.org/bokeh/release/bokeh-gl-2.1.1.min.js\"];\n", + " var js_urls = [\"https://cdn.bokeh.org/bokeh/release/bokeh-2.2.2.min.js\", \"https://cdn.bokeh.org/bokeh/release/bokeh-widgets-2.2.2.min.js\", \"https://cdn.bokeh.org/bokeh/release/bokeh-tables-2.2.2.min.js\"];\n", " var css_urls = [];\n", " \n", "\n", 
@@ -646,22 +762,27 @@ " }\n", "}(window));" ], - "application/vnd.bokehjs_load.v0+json": "\n(function(root) {\n function now() {\n return new Date();\n }\n\n var force = true;\n\n if (typeof root._bokeh_onload_callbacks === \"undefined\" || force === true) {\n root._bokeh_onload_callbacks = [];\n root._bokeh_is_loading = undefined;\n }\n\n \n\n \n if (typeof (root._bokeh_timeout) === \"undefined\" || force === true) {\n root._bokeh_timeout = Date.now() + 5000;\n root._bokeh_failed_load = false;\n }\n\n var NB_LOAD_WARNING = {'data': {'text/html':\n \"
\\n\"+\n \"

\\n\"+\n \"BokehJS does not appear to have successfully loaded. If loading BokehJS from CDN, this \\n\"+\n \"may be due to a slow or bad network connection. Possible fixes:\\n\"+\n \"

\\n\"+\n \"
    \\n\"+\n \"
  • re-rerun `output_notebook()` to attempt to load from CDN again, or
  • \\n\"+\n \"
  • use INLINE resources instead, as so:
  • \\n\"+\n \"
\\n\"+\n \"\\n\"+\n \"from bokeh.resources import INLINE\\n\"+\n \"output_notebook(resources=INLINE)\\n\"+\n \"\\n\"+\n \"
\"}};\n\n function display_loaded() {\n var el = document.getElementById(\"1001\");\n if (el != null) {\n el.textContent = \"BokehJS is loading...\";\n }\n if (root.Bokeh !== undefined) {\n if (el != null) {\n el.textContent = \"BokehJS \" + root.Bokeh.version + \" successfully loaded.\";\n }\n } else if (Date.now() < root._bokeh_timeout) {\n setTimeout(display_loaded, 100)\n }\n }\n\n\n function run_callbacks() {\n try {\n root._bokeh_onload_callbacks.forEach(function(callback) {\n if (callback != null)\n callback();\n });\n } finally {\n delete root._bokeh_onload_callbacks\n }\n console.debug(\"Bokeh: all callbacks have finished\");\n }\n\n function load_libs(css_urls, js_urls, callback) {\n if (css_urls == null) css_urls = [];\n if (js_urls == null) js_urls = [];\n\n root._bokeh_onload_callbacks.push(callback);\n if (root._bokeh_is_loading > 0) {\n console.debug(\"Bokeh: BokehJS is being loaded, scheduling callback at\", now());\n return null;\n }\n if (js_urls == null || js_urls.length === 0) {\n run_callbacks();\n return null;\n }\n console.debug(\"Bokeh: BokehJS not loaded, scheduling load and callback at\", now());\n root._bokeh_is_loading = css_urls.length + js_urls.length;\n\n function on_load() {\n root._bokeh_is_loading--;\n if (root._bokeh_is_loading === 0) {\n console.debug(\"Bokeh: all BokehJS libraries/stylesheets loaded\");\n run_callbacks()\n }\n }\n\n function on_error() {\n console.error(\"failed to load \" + url);\n }\n\n for (var i = 0; i < css_urls.length; i++) {\n var url = css_urls[i];\n const element = document.createElement(\"link\");\n element.onload = on_load;\n element.onerror = on_error;\n element.rel = \"stylesheet\";\n element.type = \"text/css\";\n element.href = url;\n console.debug(\"Bokeh: injecting link tag for BokehJS stylesheet: \", url);\n document.body.appendChild(element);\n }\n\n const hashes = {\"https://cdn.bokeh.org/bokeh/release/bokeh-2.1.1.min.js\": \"kLr4fYcqcSpbuI95brIH3vnnYCquzzSxHPU6XGQCIkQRGJwhg0StNbj1eegrHs12\", 
\"https://cdn.bokeh.org/bokeh/release/bokeh-widgets-2.1.1.min.js\": \"xIGPmVtaOm+z0BqfSOMn4lOR6ciex448GIKG4eE61LsAvmGj48XcMQZtKcE/UXZe\", \"https://cdn.bokeh.org/bokeh/release/bokeh-tables-2.1.1.min.js\": \"Dc9u1wF/0zApGIWoBbH77iWEHtdmkuYWG839Uzmv8y8yBLXebjO9ZnERsde5Ln/P\", \"https://cdn.bokeh.org/bokeh/release/bokeh-gl-2.1.1.min.js\": \"cT9JaBz7GiRXdENrJLZNSC6eMNF3nh3fa5fTF51Svp+ukxPdwcU5kGXGPBgDCa2j\"};\n\n for (var i = 0; i < js_urls.length; i++) {\n var url = js_urls[i];\n var element = document.createElement('script');\n element.onload = on_load;\n element.onerror = on_error;\n element.async = false;\n element.src = url;\n if (url in hashes) {\n element.crossOrigin = \"anonymous\";\n element.integrity = \"sha384-\" + hashes[url];\n }\n console.debug(\"Bokeh: injecting script tag for BokehJS library: \", url);\n document.head.appendChild(element);\n }\n };\n\n function inject_raw_css(css) {\n const element = document.createElement(\"style\");\n element.appendChild(document.createTextNode(css));\n document.body.appendChild(element);\n }\n\n \n var js_urls = [\"https://cdn.bokeh.org/bokeh/release/bokeh-2.1.1.min.js\", \"https://cdn.bokeh.org/bokeh/release/bokeh-widgets-2.1.1.min.js\", \"https://cdn.bokeh.org/bokeh/release/bokeh-tables-2.1.1.min.js\", \"https://cdn.bokeh.org/bokeh/release/bokeh-gl-2.1.1.min.js\"];\n var css_urls = [];\n \n\n var inline_js = [\n function(Bokeh) {\n Bokeh.set_log_level(\"info\");\n },\n function(Bokeh) {\n \n \n }\n ];\n\n function run_inline_js() {\n \n if (root.Bokeh !== undefined || force === true) {\n \n for (var i = 0; i < inline_js.length; i++) {\n inline_js[i].call(root, root.Bokeh);\n }\n if (force === true) {\n display_loaded();\n }} else if (Date.now() < root._bokeh_timeout) {\n setTimeout(run_inline_js, 100);\n } else if (!root._bokeh_failed_load) {\n console.log(\"Bokeh: BokehJS failed to load within specified timeout.\");\n root._bokeh_failed_load = true;\n } else if (force !== true) {\n var cell = 
$(document.getElementById(\"1001\")).parents('.cell').data().cell;\n cell.output_area.append_execute_result(NB_LOAD_WARNING)\n }\n\n }\n\n if (root._bokeh_is_loading === 0) {\n console.debug(\"Bokeh: BokehJS loaded, going straight to plotting\");\n run_inline_js();\n } else {\n load_libs(css_urls, js_urls, function() {\n console.debug(\"Bokeh: BokehJS plotting callback run at\", now());\n run_inline_js();\n });\n }\n}(window));" + "application/vnd.bokehjs_load.v0+json": "\n(function(root) {\n function now() {\n return new Date();\n }\n\n var force = true;\n\n if (typeof root._bokeh_onload_callbacks === \"undefined\" || force === true) {\n root._bokeh_onload_callbacks = [];\n root._bokeh_is_loading = undefined;\n }\n\n \n\n \n if (typeof (root._bokeh_timeout) === \"undefined\" || force === true) {\n root._bokeh_timeout = Date.now() + 5000;\n root._bokeh_failed_load = false;\n }\n\n var NB_LOAD_WARNING = {'data': {'text/html':\n \"
\\n\"+\n \"

\\n\"+\n \"BokehJS does not appear to have successfully loaded. If loading BokehJS from CDN, this \\n\"+\n \"may be due to a slow or bad network connection. Possible fixes:\\n\"+\n \"

\\n\"+\n \"
    \\n\"+\n \"
  • re-rerun `output_notebook()` to attempt to load from CDN again, or
  • \\n\"+\n \"
  • use INLINE resources instead, as so:
  • \\n\"+\n \"
\\n\"+\n \"\\n\"+\n \"from bokeh.resources import INLINE\\n\"+\n \"output_notebook(resources=INLINE)\\n\"+\n \"\\n\"+\n \"
\"}};\n\n function display_loaded() {\n var el = document.getElementById(\"1001\");\n if (el != null) {\n el.textContent = \"BokehJS is loading...\";\n }\n if (root.Bokeh !== undefined) {\n if (el != null) {\n el.textContent = \"BokehJS \" + root.Bokeh.version + \" successfully loaded.\";\n }\n } else if (Date.now() < root._bokeh_timeout) {\n setTimeout(display_loaded, 100)\n }\n }\n\n\n function run_callbacks() {\n try {\n root._bokeh_onload_callbacks.forEach(function(callback) {\n if (callback != null)\n callback();\n });\n } finally {\n delete root._bokeh_onload_callbacks\n }\n console.debug(\"Bokeh: all callbacks have finished\");\n }\n\n function load_libs(css_urls, js_urls, callback) {\n if (css_urls == null) css_urls = [];\n if (js_urls == null) js_urls = [];\n\n root._bokeh_onload_callbacks.push(callback);\n if (root._bokeh_is_loading > 0) {\n console.debug(\"Bokeh: BokehJS is being loaded, scheduling callback at\", now());\n return null;\n }\n if (js_urls == null || js_urls.length === 0) {\n run_callbacks();\n return null;\n }\n console.debug(\"Bokeh: BokehJS not loaded, scheduling load and callback at\", now());\n root._bokeh_is_loading = css_urls.length + js_urls.length;\n\n function on_load() {\n root._bokeh_is_loading--;\n if (root._bokeh_is_loading === 0) {\n console.debug(\"Bokeh: all BokehJS libraries/stylesheets loaded\");\n run_callbacks()\n }\n }\n\n function on_error() {\n console.error(\"failed to load \" + url);\n }\n\n for (var i = 0; i < css_urls.length; i++) {\n var url = css_urls[i];\n const element = document.createElement(\"link\");\n element.onload = on_load;\n element.onerror = on_error;\n element.rel = \"stylesheet\";\n element.type = \"text/css\";\n element.href = url;\n console.debug(\"Bokeh: injecting link tag for BokehJS stylesheet: \", url);\n document.body.appendChild(element);\n }\n\n const hashes = {\"https://cdn.bokeh.org/bokeh/release/bokeh-2.2.2.min.js\": \"JayppSWSRBsibIZqI8S4vAb1oFgLL0uhNvSn8cmArlOvYOwfFjYeyY5UWwJ+K0SU\", 
\"https://cdn.bokeh.org/bokeh/release/bokeh-widgets-2.2.2.min.js\": \"G0/Tv/Yy/zEPNsnW0Qif/FOsGesd+KIrKg/QLmvQmReuUW9qmSP7mAmr0VpiUNr3\", \"https://cdn.bokeh.org/bokeh/release/bokeh-tables-2.2.2.min.js\": \"VLYHEbLQDk5G1+/4ALU0myoJPMEUsngWry2fzYorFOUmarjGRPLLURaeK/on6JqX\"};\n\n for (var i = 0; i < js_urls.length; i++) {\n var url = js_urls[i];\n var element = document.createElement('script');\n element.onload = on_load;\n element.onerror = on_error;\n element.async = false;\n element.src = url;\n if (url in hashes) {\n element.crossOrigin = \"anonymous\";\n element.integrity = \"sha384-\" + hashes[url];\n }\n console.debug(\"Bokeh: injecting script tag for BokehJS library: \", url);\n document.head.appendChild(element);\n }\n };\n\n function inject_raw_css(css) {\n const element = document.createElement(\"style\");\n element.appendChild(document.createTextNode(css));\n document.body.appendChild(element);\n }\n\n \n var js_urls = [\"https://cdn.bokeh.org/bokeh/release/bokeh-2.2.2.min.js\", \"https://cdn.bokeh.org/bokeh/release/bokeh-widgets-2.2.2.min.js\", \"https://cdn.bokeh.org/bokeh/release/bokeh-tables-2.2.2.min.js\"];\n var css_urls = [];\n \n\n var inline_js = [\n function(Bokeh) {\n Bokeh.set_log_level(\"info\");\n },\n function(Bokeh) {\n \n \n }\n ];\n\n function run_inline_js() {\n \n if (root.Bokeh !== undefined || force === true) {\n \n for (var i = 0; i < inline_js.length; i++) {\n inline_js[i].call(root, root.Bokeh);\n }\n if (force === true) {\n display_loaded();\n }} else if (Date.now() < root._bokeh_timeout) {\n setTimeout(run_inline_js, 100);\n } else if (!root._bokeh_failed_load) {\n console.log(\"Bokeh: BokehJS failed to load within specified timeout.\");\n root._bokeh_failed_load = true;\n } else if (force !== true) {\n var cell = $(document.getElementById(\"1001\")).parents('.cell').data().cell;\n cell.output_area.append_execute_result(NB_LOAD_WARNING)\n }\n\n }\n\n if (root._bokeh_is_loading === 0) {\n console.debug(\"Bokeh: BokehJS loaded, 
going straight to plotting\");\n run_inline_js();\n } else {\n load_libs(css_urls, js_urls, function() {\n console.debug(\"Bokeh: BokehJS plotting callback run at\", now());\n run_inline_js();\n });\n }\n}(window));" }, "metadata": {}, "output_type": "display_data" }, { - "name": "stdout", - "output_type": "stream", - "text": [ - "Getting data from Bookmarks...\n" - ] + "data": { + "text/html": [ + "

Getting data from Bookmarks...

" + ], + "text/plain": [ + "" + ] + }, + "metadata": {}, + "output_type": "display_data" }, { "data": { "text/html": [ - "

Alert Entity

" + "

Account Entity

" ], "text/plain": [ "" @@ -673,10 +794,12 @@ { "data": { "text/html": [ - "

account

{ 'AadTenantId': 'c9472277-d7f0-4af1-8d14-c27ba5d96716',
  'AdditionalData': {},
  'IpAddress': {'AdditionalData': {}, 'Address': '152.133.101.25', 'Type': 'ipaddress'},
  'Name': 'crqerkikpjo@ld.fkaframbemji.pjb',
  'OrganizationId': '7a2333d3-adbf-4e7c-b58d-2a7144511ba8',
  'Type': 'account',
  'UPNSuffix': 'ld.fkaframbemji.pjb'}" + "

account

{ 'AadTenantId': 'b1315f05-4a7a-45b4-811f-73e715f7c122',
  'AdditionalData': {},
  'Host': { 'AdditionalData': {},
            'HostName': 'VictimHost',
            'IpAddress': { 'AdditionalData': {},
                           'Address': '141.98.81.81',
                           'FirstSeen': Timestamp('2020-05-06 00:40:30.043000+0000', tz='UTC'),
                           'LastSeen': Timestamp('2020-05-06 00:40:30.287000+0000', tz='UTC'),
                           'Location': { 'AdditionalData': {},
                                         'CountryCode': 'PA',
                                         'CountryName': 'Panama',
                                         'Latitude': 9.0,
                                         'Longitude': -80.0,
                                         'Type': 'geolocation',
                                         'edges': set()},
                           'ThreatIntelligence': [],
                           'Type': 'ipaddress',
                           'edges': set()},
            'IsDomainJoined': False,
            'OSFamily': ,
            'Type': 'host',
            'edges': set()},
  'IsDomainJoined': False,
  'LogonType': ' (sshd)',
  'Name': '1234',
  'Sid': nan,
  'Type': 'account',
  'edges': set()}" ], "text/plain": [ - "Account(Type=account, Name=crqerkikpjo@ld.fkaframbemji.pjb, UPNSuffix=ld.fkaframbemji.pj...)" + "Account(Name=1234, Host={ 'AdditionalData': {},\n", + " 'HostName': 'VictimHost',\n", + " 'IpAddress...)" ] }, "metadata": {}, @@ -697,7 +820,7 @@ { "data": { "text/html": [ - "crqerkikpjo@ld.fkaframbemji.pjb (source: Office365)" + "1234 (source: Linux)" ], "text/plain": [ "" 
@@ -727,4495 +850,3136 @@ " \n", " \n", " \n", + " Unnamed: 0\n", " TenantId\n", " SourceSystem\n", " TimeGenerated\n", - " ResourceId\n", - " Operation\n", - " AppResourceProvider\n", - " IPAddress\n", - " UserAgent\n", - " UserId\n", - " UserPrincipalName\n", + " Computer\n", + " EventTime\n", + " Facility\n", + " HostName\n", + " SeverityLevel\n", + " SyslogMessage\n", + " ProcessID\n", + " HostIP\n", + " LogonTypeName\n", + " MG\n", " Type\n", " _ResourceId\n", - " Application\n", - " UserDomain\n", - " RecordType\n", - " OrganizationId\n", - " OrganizationId_\n", - " UserType\n", - " UserKey\n", - " ResultStatus\n", - " ResultReasonType\n", - " UserId_\n", - " ClientIP_\n", - " Scope\n", - " Site_\n", - " ...\n", - " AzureActiveDirectory_EventType\n", - " AADTarget\n", - " Start_Time\n", - " OfficeTenantId\n", - " OfficeTenantId_\n", - " TargetUserOrGroupName\n", - " TargetUserOrGroupType\n", - " MessageId\n", - " TeamName\n", - " TeamGuid\n", - " ChannelType\n", - " ChannelName\n", - " ChannelGuid\n", - " AddOnType\n", - " AddonName\n", - " TabType\n", - " Name\n", - " OldValue\n", - " NewValue\n", - " ItemName\n", - " ChatThreadId\n", - " CommunicationType\n", - " AADGroupId\n", + " LogonResult\n", + " User\n", + " LogonType\n", + " SourceIP\n", + " SourcePort\n", + " UID\n", + " SourceUser\n", + " Account\n", + " LogonProcessName\n", " AccountName\n", " Source\n", + " Operation\n", " \n", " \n", " \n", " \n", - " 35\n", - " c9472277-d7f0-4af1-8d14-c27ba5d96716\n", - " OfficeActivityManager\n", - " 2020-07-28 12:43:24+00:00\n", - " https://centricaplc.sharepoint.com/sites/adminhub/style%20library/wm.intranet/polyfill/set.js\n", - " FileAccessed\n", - " SharePoint\n", - " 165.225.221.49\n", - " irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " OfficeActivity\n", - " \n", - " \n", - " \n", - " SharePointFileOperation\n", - " 
7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " Regular\n", - " d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb\n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " 152.133.101.182\n", - " \n", - " db32ce1a-0378-41f7-8f83-9797a8e51af8\n", - " ...\n", - " \n", - " \n", - " 2020-07-28 12:48:45+00:00\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " Office365\n", - " \n", - " \n", - " 32\n", - " c9472277-d7f0-4af1-8d14-c27ba5d96716\n", - " OfficeActivityManager\n", - " 2020-07-28 12:43:24+00:00\n", - " https://centricaplc.sharepoint.com/sites/intranet/sitecollectionimages/centrica-184-39.gif\n", - " FileAccessed\n", - " SharePoint\n", - " 165.225.221.49\n", - " irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " OfficeActivity\n", - " \n", - " \n", - " \n", - " SharePointFileOperation\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " Regular\n", - " d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb\n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " 152.133.101.182\n", - " \n", - " a9d09708-6ca6-439b-ac48-84cbe527e408\n", - " ...\n", - " \n", - " \n", - " 2020-07-28 12:48:45+00:00\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " Office365\n", - " \n", - " \n", - " 59\n", - " c9472277-d7f0-4af1-8d14-c27ba5d96716\n", - " OfficeActivityManager\n", - " 2020-07-28 
12:43:24+00:00\n", - " https://centricaplc.sharepoint.com/sites/intranet/style%20library/en-us/themable/core%20styles/p...\n", - " FileAccessed\n", - " SharePoint\n", - " 165.225.221.49\n", - " irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " OfficeActivity\n", - " \n", - " \n", - " \n", - " SharePointFileOperation\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " Regular\n", - " d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb\n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " 152.133.101.182\n", - " \n", - " a9d09708-6ca6-439b-ac48-84cbe527e408\n", - " ...\n", - " \n", - " \n", - " 2020-07-28 12:54:17+00:00\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " Office365\n", - " \n", - " \n", - " 41\n", - " c9472277-d7f0-4af1-8d14-c27ba5d96716\n", - " OfficeActivityManager\n", - " 2020-07-28 12:43:24+00:00\n", - " https://centricaplc.sharepoint.com/sites/adminhub/style%20library/wm.intranet/vendor.css\n", - " FileAccessed\n", - " SharePoint\n", - " 165.225.221.49\n", - " irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " OfficeActivity\n", - " \n", - " \n", - " \n", - " SharePointFileOperation\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " Regular\n", - " d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb\n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " 152.133.101.182\n", - " \n", - " db32ce1a-0378-41f7-8f83-9797a8e51af8\n", - " ...\n", - " \n", - " \n", - " 2020-07-28 12:54:15+00:00\n", - " 
734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " Office365\n", - " \n", - " \n", - " 43\n", - " c9472277-d7f0-4af1-8d14-c27ba5d96716\n", - " OfficeActivityManager\n", - " 2020-07-28 12:43:24+00:00\n", - " https://centricaplc.sharepoint.com/sites/adminhub/style%20library/wm.intranet/bundle.css\n", - " FileAccessed\n", - " SharePoint\n", - " 165.225.221.49\n", - " irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " OfficeActivity\n", - " \n", - " \n", - " \n", - " SharePointFileOperation\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " Regular\n", - " d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb\n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " 152.133.101.182\n", - " \n", - " db32ce1a-0378-41f7-8f83-9797a8e51af8\n", - " ...\n", - " \n", - " \n", - " 2020-07-28 12:54:15+00:00\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " Office365\n", - " \n", - " \n", - " 48\n", - " c9472277-d7f0-4af1-8d14-c27ba5d96716\n", - " OfficeActivityManager\n", - " 2020-07-28 12:43:24+00:00\n", - " https://centricaplc.sharepoint.com/sites/intranet/Pages/Home.aspx\n", - " PageViewed\n", - " SharePoint\n", - " 165.225.221.49\n", - " irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " OfficeActivity\n", - " \n", - " \n", - " \n", - " 
SharePoint\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " Regular\n", - " d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb\n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " 152.133.101.182\n", - " \n", - " a9d09708-6ca6-439b-ac48-84cbe527e408\n", - " ...\n", - " \n", - " \n", - " 2020-07-28 12:54:16+00:00\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " Office365\n", - " \n", - " \n", - " 39\n", - " c9472277-d7f0-4af1-8d14-c27ba5d96716\n", - " OfficeActivityManager\n", - " 2020-07-28 12:43:24+00:00\n", - " https://centricaplc.sharepoint.com/sites/adminhub/style%20library/wm.intranet/bundle.js\n", - " FileAccessed\n", - " SharePoint\n", - " 165.225.221.49\n", - " irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " OfficeActivity\n", - " \n", - " \n", - " \n", - " SharePointFileOperation\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " Regular\n", - " d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb\n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " 152.133.101.182\n", - " \n", - " db32ce1a-0378-41f7-8f83-9797a8e51af8\n", - " ...\n", - " \n", - " \n", - " 2020-07-28 12:48:45+00:00\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " Office365\n", + " 1\n", + " 1\n", + " b1315f05-4a7a-45b4-811f-73e715f7c122\n", + " Linux\n", + " 2020-05-06 
00:09:41.080000+00:00\n", + " VictimHost\n", + " 2020-05-06 00:09:41.000\n", + " auth\n", + " VictimHost\n", + " info\n", + " Connection closed by authenticating user peteb 172.92.153.236 port 3531 [preauth]\n", + " 2581.0\n", + " 10.0.0.7\n", + " sshd\n", + " 00000000-0000-0000-0000-000000000002\n", + " Syslog\n", + " /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros...\n", + " Failure\n", + " peteb\n", + " (sshd)\n", + " 172.92.153.236\n", + " 3531.0\n", + " NaN\n", + " authenticating\n", + " peteb\n", + " sshd\n", + " peteb\n", + " Linux\n", + " Logon-Failure\n", " \n", " \n", - " 51\n", - " c9472277-d7f0-4af1-8d14-c27ba5d96716\n", - " OfficeActivityManager\n", - " 2020-07-28 12:43:24+00:00\n", - " https://centricaplc.sharepoint.com/sites/adminhub/style%20library/wm.intranet/vendor.js\n", - " FileAccessed\n", - " SharePoint\n", - " 165.225.221.49\n", - " irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " OfficeActivity\n", - " \n", - " \n", - " \n", - " SharePointFileOperation\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " Regular\n", - " d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb\n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " 152.133.101.182\n", - " \n", - " db32ce1a-0378-41f7-8f83-9797a8e51af8\n", - " ...\n", - " \n", - " \n", - " 2020-07-28 12:54:16+00:00\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " Office365\n", + " 2\n", + " 2\n", + " b1315f05-4a7a-45b4-811f-73e715f7c122\n", + " Linux\n", + " 2020-05-06 00:13:53.010000+00:00\n", + " VictimHost\n", + " 2020-05-06 00:13:53.000\n", + " 
auth\n", + " VictimHost\n", + " info\n", + " Accepted publickey for peteb from 172.92.153.236 port 3715 ssh2: RSA SHA256:iMp4nnErVTXWJR2JKUEM...\n", + " 12111.0\n", + " 10.0.0.7\n", + " sshd\n", + " 00000000-0000-0000-0000-000000000002\n", + " Syslog\n", + " /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros...\n", + " Success\n", + " peteb\n", + " publickey (sshd)\n", + " 172.92.153.236\n", + " 3715.0\n", + " NaN\n", + " NaN\n", + " peteb\n", + " sshd\n", + " peteb\n", + " Linux\n", + " Logon-Success\n", " \n", " \n", - " 40\n", - " c9472277-d7f0-4af1-8d14-c27ba5d96716\n", - " OfficeActivityManager\n", - " 2020-07-28 12:43:25+00:00\n", - " https://centricaplc.sharepoint.com/sites/adminhub/style%20library/wm.intranet/images/social-icon...\n", - " FileAccessed\n", - " SharePoint\n", - " 165.225.221.49\n", - " irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " OfficeActivity\n", - " \n", - " \n", - " \n", - " SharePointFileOperation\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " Regular\n", - " d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb\n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " 152.133.101.182\n", - " \n", - " db32ce1a-0378-41f7-8f83-9797a8e51af8\n", - " ...\n", - " \n", - " \n", - " 2020-07-28 12:54:15+00:00\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " Office365\n", + " 3\n", + " 3\n", + " b1315f05-4a7a-45b4-811f-73e715f7c122\n", + " Linux\n", + " 2020-05-06 00:13:53.013000+00:00\n", + " VictimHost\n", + " 2020-05-06 00:13:53.000\n", + " authpriv\n", + " VictimHost\n", + " info\n", + " 
pam_unix(sshd:session): session opened for user peteb by (uid=0)\n", + " 12111.0\n", + " 10.0.0.7\n", + " sshd\n", + " 00000000-0000-0000-0000-000000000002\n", + " Syslog\n", + " /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros...\n", + " Unknown\n", + " peteb\n", + " (sshd)\n", + " NaN\n", + " NaN\n", + " 0.0\n", + " NaN\n", + " peteb\n", + " sshd\n", + " peteb\n", + " Linux\n", + " Logon-Unknown\n", " \n", " \n", - " 56\n", - " c9472277-d7f0-4af1-8d14-c27ba5d96716\n", - " OfficeActivityManager\n", - " 2020-07-28 12:43:25+00:00\n", - " https://centricaplc.sharepoint.com/sites/adminhub/Style Library/WM.Intranet/fonts/fontawesome-we...\n", - " FileAccessed\n", - " SharePoint\n", - " 165.225.221.49\n", - " irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " OfficeActivity\n", - " \n", - " \n", - " \n", - " SharePointFileOperation\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " Regular\n", - " d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb\n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " 152.133.101.182\n", - " \n", - " db32ce1a-0378-41f7-8f83-9797a8e51af8\n", - " ...\n", - " \n", - " \n", - " 2020-07-28 12:54:16+00:00\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " Office365\n", + " 4\n", + " 4\n", + " b1315f05-4a7a-45b4-811f-73e715f7c122\n", + " Linux\n", + " 2020-05-06 00:13:53.430000+00:00\n", + " VictimHost\n", + " 2020-05-06 00:13:53.000\n", + " auth\n", + " VictimHost\n", + " info\n", + " New session 6 of user peteb.\n", + " 1263.0\n", + " 10.0.0.7\n", + " systemd-logind\n", + " 
00000000-0000-0000-0000-000000000002\n", + " Syslog\n", + " /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros...\n", + " Unknown\n", + " peteb\n", + " (systemd-logind)\n", + " NaN\n", + " NaN\n", + " NaN\n", + " NaN\n", + " peteb\n", + " systemd-logind\n", + " peteb\n", + " Linux\n", + " Logon-Unknown\n", " \n", " \n", - " 47\n", - " c9472277-d7f0-4af1-8d14-c27ba5d96716\n", - " OfficeActivityManager\n", - " 2020-07-28 12:43:25+00:00\n", - " https://centricaplc.sharepoint.com/sites/intranet/spoinsights/aitracker.js\n", - " FileAccessed\n", - " SharePoint\n", - " 165.225.221.49\n", - " irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " OfficeActivity\n", - " \n", - " \n", - " \n", - " SharePointFileOperation\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " Regular\n", - " d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb\n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " 152.133.101.182\n", - " \n", - " a9d09708-6ca6-439b-ac48-84cbe527e408\n", - " ...\n", - " \n", - " \n", - " 2020-07-28 12:54:16+00:00\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " Office365\n", + " 5\n", + " 5\n", + " b1315f05-4a7a-45b4-811f-73e715f7c122\n", + " Linux\n", + " 2020-05-06 00:13:53.570000+00:00\n", + " VictimHost\n", + " 2020-05-06 00:13:53.000\n", + " authpriv\n", + " VictimHost\n", + " info\n", + " pam_unix(systemd-user:session): session opened for user peteb by (uid=0)\n", + " NaN\n", + " 10.0.0.7\n", + " systemd\n", + " 00000000-0000-0000-0000-000000000002\n", + " Syslog\n", + " 
/subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros...\n", + " Unknown\n", + " peteb\n", + " (systemd)\n", + " NaN\n", + " NaN\n", + " 0.0\n", + " NaN\n", + " peteb\n", + " systemd\n", + " peteb\n", + " Linux\n", + " Logon-Unknown\n", " \n", " \n", - " 38\n", - " c9472277-d7f0-4af1-8d14-c27ba5d96716\n", - " OfficeActivityManager\n", - " 2020-07-28 12:43:26+00:00\n", - " https://centricaplc.sharepoint.com/sites/intranet/publishingimages/coronavirus_hub_rollover_380_...\n", - " FileAccessed\n", - " SharePoint\n", - " 165.225.221.49\n", - " irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " OfficeActivity\n", - " \n", - " \n", - " \n", - " SharePointFileOperation\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " Regular\n", - " d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb\n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " 152.133.101.182\n", - " \n", - " a9d09708-6ca6-439b-ac48-84cbe527e408\n", - " ...\n", - " \n", - " \n", - " 2020-07-28 12:48:45+00:00\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " Office365\n", + " 6\n", + " 6\n", + " b1315f05-4a7a-45b4-811f-73e715f7c122\n", + " Linux\n", + " 2020-05-06 00:14:05.760000+00:00\n", + " VictimHost\n", + " 2020-05-06 00:14:05.000\n", + " auth\n", + " VictimHost\n", + " info\n", + " Disconnected from user peteb 172.92.153.236 port 3715\n", + " 12837.0\n", + " 10.0.0.7\n", + " sshd\n", + " 00000000-0000-0000-0000-000000000002\n", + " Syslog\n", + " /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros...\n", + " 
Unknown\n", + " peteb\n", + " (sshd)\n", + " 172.92.153.236\n", + " 3715.0\n", + " NaN\n", + " NaN\n", + " peteb\n", + " sshd\n", + " peteb\n", + " Linux\n", + " Logon-Unknown\n", " \n", " \n", - " 31\n", - " c9472277-d7f0-4af1-8d14-c27ba5d96716\n", - " OfficeActivityManager\n", - " 2020-07-28 12:43:26+00:00\n", - " https://centricaplc.sharepoint.com/sites/intranet/publishingimages/chris_th_start_380_77.png\n", - " FileAccessed\n", - " SharePoint\n", - " 165.225.221.49\n", - " irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " OfficeActivity\n", - " \n", - " \n", - " \n", - " SharePointFileOperation\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " Regular\n", - " d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb\n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " 152.133.101.182\n", - " \n", - " a9d09708-6ca6-439b-ac48-84cbe527e408\n", - " ...\n", - " \n", - " \n", - " 2020-07-28 12:48:45+00:00\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " Office365\n", + " 7\n", + " 7\n", + " b1315f05-4a7a-45b4-811f-73e715f7c122\n", + " Linux\n", + " 2020-05-06 00:14:05.760000+00:00\n", + " VictimHost\n", + " 2020-05-06 00:14:05.000\n", + " authpriv\n", + " VictimHost\n", + " info\n", + " pam_unix(sshd:session): session closed for user peteb\n", + " 12111.0\n", + " 10.0.0.7\n", + " sshd\n", + " 00000000-0000-0000-0000-000000000002\n", + " Syslog\n", + " /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros...\n", + " Unknown\n", + " peteb\n", + " (sshd)\n", + " NaN\n", + " NaN\n", + " NaN\n", + " NaN\n", + " peteb\n", + " 
sshd\n", + " peteb\n", + " Linux\n", + " Logon-Unknown\n", " \n", " \n", - " 46\n", - " c9472277-d7f0-4af1-8d14-c27ba5d96716\n", - " OfficeActivityManager\n", - " 2020-07-28 12:43:26+00:00\n", - " https://centricaplc.sharepoint.com/sites/intranet/publishingimages/2021_gp_start_380_77.png\n", - " FileAccessed\n", - " SharePoint\n", - " 165.225.221.49\n", - " irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " OfficeActivity\n", - " \n", - " \n", - " \n", - " SharePointFileOperation\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " Regular\n", - " d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb\n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " 152.133.101.182\n", - " \n", - " a9d09708-6ca6-439b-ac48-84cbe527e408\n", - " ...\n", - " \n", - " \n", - " 2020-07-28 12:54:16+00:00\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " Office365\n", + " 8\n", + " 8\n", + " b1315f05-4a7a-45b4-811f-73e715f7c122\n", + " Linux\n", + " 2020-05-06 00:14:05.760000+00:00\n", + " VictimHost\n", + " 2020-05-06 00:14:05.000\n", + " auth\n", + " VictimHost\n", + " info\n", + " Received disconnect from 172.92.153.236 port 3715:11: disconnected by user\n", + " 12837.0\n", + " 10.0.0.7\n", + " sshd\n", + " 00000000-0000-0000-0000-000000000002\n", + " Syslog\n", + " /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros...\n", + " Unknown\n", + " NaN\n", + " (sshd)\n", + " 172.92.153.236\n", + " 3715.0\n", + " NaN\n", + " user\n", + " NaN\n", + " sshd\n", + " NaN\n", + " Linux\n", + " Logon-Unknown\n", " \n", " \n", - " 50\n", - " 
c9472277-d7f0-4af1-8d14-c27ba5d96716\n", - " OfficeActivityManager\n", - " 2020-07-28 12:43:26+00:00\n", - " https://centricaplc.sharepoint.com/sites/intranet/publishingimages/2021_gp_rollover_380_77.png\n", - " FileAccessed\n", - " SharePoint\n", - " 165.225.221.49\n", - " irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " OfficeActivity\n", - " \n", - " \n", - " \n", - " SharePointFileOperation\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " Regular\n", - " d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb\n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " 152.133.101.182\n", - " \n", - " a9d09708-6ca6-439b-ac48-84cbe527e408\n", - " ...\n", - " \n", - " \n", - " 2020-07-28 12:54:16+00:00\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " Office365\n", + " 9\n", + " 9\n", + " b1315f05-4a7a-45b4-811f-73e715f7c122\n", + " Linux\n", + " 2020-05-06 00:14:05.767000+00:00\n", + " VictimHost\n", + " 2020-05-06 00:14:05.000\n", + " auth\n", + " VictimHost\n", + " info\n", + " Removed session 6.\n", + " 1263.0\n", + " 10.0.0.7\n", + " systemd-logind\n", + " 00000000-0000-0000-0000-000000000002\n", + " Syslog\n", + " /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros...\n", + " Unknown\n", + " NaN\n", + " (systemd-logind)\n", + " NaN\n", + " NaN\n", + " NaN\n", + " NaN\n", + " NaN\n", + " systemd-logind\n", + " NaN\n", + " Linux\n", + " Logon-Unknown\n", " \n", " \n", - " 60\n", - " c9472277-d7f0-4af1-8d14-c27ba5d96716\n", - " OfficeActivityManager\n", - " 2020-07-28 12:43:26+00:00\n", - " 
https://centricaplc.sharepoint.com/sites/adminhub/style%20library/wm.intranet/images/002-sad.png\n", - " FileAccessed\n", - " SharePoint\n", - " 165.225.221.49\n", - " irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " OfficeActivity\n", - " \n", - " \n", - " \n", - " SharePointFileOperation\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " Regular\n", - " d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb\n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " 152.133.101.182\n", - " \n", - " db32ce1a-0378-41f7-8f83-9797a8e51af8\n", - " ...\n", - " \n", - " \n", - " 2020-07-28 12:54:17+00:00\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " Office365\n", + " 10\n", + " 10\n", + " b1315f05-4a7a-45b4-811f-73e715f7c122\n", + " Linux\n", + " 2020-05-06 00:14:15.680000+00:00\n", + " VictimHost\n", + " 2020-05-06 00:14:15.000\n", + " auth\n", + " VictimHost\n", + " info\n", + " Accepted publickey for peteb from 172.92.153.236 port 3724 ssh2: RSA SHA256:iMp4nnErVTXWJR2JKUEM...\n", + " 12934.0\n", + " 10.0.0.7\n", + " sshd\n", + " 00000000-0000-0000-0000-000000000002\n", + " Syslog\n", + " /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros...\n", + " Success\n", + " peteb\n", + " publickey (sshd)\n", + " 172.92.153.236\n", + " 3724.0\n", + " NaN\n", + " NaN\n", + " peteb\n", + " sshd\n", + " peteb\n", + " Linux\n", + " Logon-Success\n", " \n", " \n", - " 58\n", - " c9472277-d7f0-4af1-8d14-c27ba5d96716\n", - " OfficeActivityManager\n", - " 2020-07-28 12:43:26+00:00\n", - " 
https://centricaplc.sharepoint.com/sites/adminhub/style%20library/wm.intranet/images/003-surpris...\n", - " FileAccessed\n", - " SharePoint\n", - " 165.225.221.49\n", - " irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " OfficeActivity\n", - " \n", - " \n", - " \n", - " SharePointFileOperation\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " Regular\n", - " d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb\n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " 152.133.101.182\n", - " \n", - " db32ce1a-0378-41f7-8f83-9797a8e51af8\n", - " ...\n", - " \n", - " \n", - " 2020-07-28 12:54:17+00:00\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " Office365\n", + " 11\n", + " 11\n", + " b1315f05-4a7a-45b4-811f-73e715f7c122\n", + " Linux\n", + " 2020-05-06 00:14:15.680000+00:00\n", + " VictimHost\n", + " 2020-05-06 00:14:15.000\n", + " authpriv\n", + " VictimHost\n", + " info\n", + " pam_unix(sshd:session): session opened for user peteb by (uid=0)\n", + " 12934.0\n", + " 10.0.0.7\n", + " sshd\n", + " 00000000-0000-0000-0000-000000000002\n", + " Syslog\n", + " /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros...\n", + " Unknown\n", + " peteb\n", + " (sshd)\n", + " NaN\n", + " NaN\n", + " 0.0\n", + " NaN\n", + " peteb\n", + " sshd\n", + " peteb\n", + " Linux\n", + " Logon-Unknown\n", " \n", " \n", - " 53\n", - " c9472277-d7f0-4af1-8d14-c27ba5d96716\n", - " OfficeActivityManager\n", - " 2020-07-28 12:43:26+00:00\n", - " https://centricaplc.sharepoint.com/sites/intranet/publishingimages/chris_th_rollover_380_77.png\n", - " 
FileAccessed\n", - " SharePoint\n", - " 165.225.221.49\n", - " irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " OfficeActivity\n", - " \n", - " \n", - " \n", - " SharePointFileOperation\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " Regular\n", - " d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb\n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " 152.133.101.182\n", - " \n", - " a9d09708-6ca6-439b-ac48-84cbe527e408\n", - " ...\n", - " \n", - " \n", - " 2020-07-28 12:54:15+00:00\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " Office365\n", + " 12\n", + " 12\n", + " b1315f05-4a7a-45b4-811f-73e715f7c122\n", + " Linux\n", + " 2020-05-06 00:14:15.707000+00:00\n", + " VictimHost\n", + " 2020-05-06 00:14:15.000\n", + " authpriv\n", + " VictimHost\n", + " info\n", + " pam_unix(systemd-user:session): session opened for user peteb by (uid=0)\n", + " NaN\n", + " 10.0.0.7\n", + " systemd\n", + " 00000000-0000-0000-0000-000000000002\n", + " Syslog\n", + " /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros...\n", + " Unknown\n", + " peteb\n", + " (systemd)\n", + " NaN\n", + " NaN\n", + " 0.0\n", + " NaN\n", + " peteb\n", + " systemd\n", + " peteb\n", + " Linux\n", + " Logon-Unknown\n", " \n", " \n", - " 55\n", - " c9472277-d7f0-4af1-8d14-c27ba5d96716\n", - " OfficeActivityManager\n", - " 2020-07-28 12:43:26+00:00\n", - " https://centricaplc.sharepoint.com/sites/intranet/publishingimages/coronavirus_hub_start_380_77.png\n", - " FileAccessed\n", - " SharePoint\n", - " 165.225.221.49\n", - " irrjlpa/e.n (dnrqiko ff ma.fj 
odbaib pjcirnb/p.fj qronr.n) cabk lkdjo\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " OfficeActivity\n", - " \n", - " \n", - " \n", - " SharePointFileOperation\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " Regular\n", - " d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb\n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " 152.133.101.182\n", - " \n", - " a9d09708-6ca6-439b-ac48-84cbe527e408\n", - " ...\n", - " \n", - " \n", - " 2020-07-28 12:54:16+00:00\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " Office365\n", + " 13\n", + " 13\n", + " b1315f05-4a7a-45b4-811f-73e715f7c122\n", + " Linux\n", + " 2020-05-06 00:14:15.710000+00:00\n", + " VictimHost\n", + " 2020-05-06 00:14:15.000\n", + " auth\n", + " VictimHost\n", + " info\n", + " New session 9 of user peteb.\n", + " 1263.0\n", + " 10.0.0.7\n", + " systemd-logind\n", + " 00000000-0000-0000-0000-000000000002\n", + " Syslog\n", + " /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros...\n", + " Unknown\n", + " peteb\n", + " (systemd-logind)\n", + " NaN\n", + " NaN\n", + " NaN\n", + " NaN\n", + " peteb\n", + " systemd-logind\n", + " peteb\n", + " Linux\n", + " Logon-Unknown\n", " \n", " \n", - " 37\n", - " c9472277-d7f0-4af1-8d14-c27ba5d96716\n", - " OfficeActivityManager\n", - " 2020-07-28 12:43:27+00:00\n", - " https://centricaplc-my.sharepoint.com/User Photos/Profile Pictures/amber_heavisides_centrica_com...\n", - " FileAccessed\n", - " SharePoint\n", - " 165.225.221.49\n", - " irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " 
crqerkikpjo@ld.fkaframbemji.pjb\n", - " OfficeActivity\n", - " \n", - " \n", - " \n", - " SharePointFileOperation\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " Regular\n", - " d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb\n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " 152.133.101.182\n", - " \n", - " efb97716-3699-4616-9d0a-a9cea743bda7\n", - " ...\n", - " \n", - " \n", - " 2020-07-28 12:48:45+00:00\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " Office365\n", + " 14\n", + " 14\n", + " b1315f05-4a7a-45b4-811f-73e715f7c122\n", + " Linux\n", + " 2020-05-06 00:40:17.680000+00:00\n", + " VictimHost\n", + " 2020-05-06 00:40:17.000\n", + " auth\n", + " VictimHost\n", + " info\n", + " Connection closed by authenticating user root 141.98.81.83 port 34871 [preauth]\n", + " 16702.0\n", + " 10.0.0.7\n", + " sshd\n", + " 00000000-0000-0000-0000-000000000002\n", + " Syslog\n", + " /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros...\n", + " Failure\n", + " root\n", + " (sshd)\n", + " 141.98.81.83\n", + " 34871.0\n", + " NaN\n", + " authenticating\n", + " root\n", + " sshd\n", + " root\n", + " Linux\n", + " Logon-Failure\n", " \n", " \n", - " 45\n", - " c9472277-d7f0-4af1-8d14-c27ba5d96716\n", - " OfficeActivityManager\n", - " 2020-07-28 12:43:27+00:00\n", - " https://centricaplc.sharepoint.com/sites/adminhub/style%20library/wm.intranet/images/001-happy.png\n", - " FileAccessed\n", - " SharePoint\n", - " 165.225.221.49\n", - " irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " OfficeActivity\n", - " \n", - " \n", 
- " \n", - " SharePointFileOperation\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " Regular\n", - " d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb\n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " 152.133.101.182\n", - " \n", - " db32ce1a-0378-41f7-8f83-9797a8e51af8\n", - " ...\n", - " \n", - " \n", - " 2020-07-28 12:54:15+00:00\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " Office365\n", + " 15\n", + " 15\n", + " b1315f05-4a7a-45b4-811f-73e715f7c122\n", + " Linux\n", + " 2020-05-06 00:40:20.593000+00:00\n", + " VictimHost\n", + " 2020-05-06 00:40:20.000\n", + " auth\n", + " VictimHost\n", + " info\n", + " Invalid user admin from 141.98.81.84 port 43513\n", + " 16705.0\n", + " 10.0.0.7\n", + " sshd\n", + " 00000000-0000-0000-0000-000000000002\n", + " Syslog\n", + " /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros...\n", + " Failure\n", + " admin\n", + " (sshd)\n", + " 141.98.81.84\n", + " 43513.0\n", + " NaN\n", + " NaN\n", + " admin\n", + " sshd\n", + " admin\n", + " Linux\n", + " Logon-Failure\n", " \n", " \n", - " 42\n", - " c9472277-d7f0-4af1-8d14-c27ba5d96716\n", - " OfficeActivityManager\n", - " 2020-07-28 12:43:32+00:00\n", - " https://centricaplc.sharepoint.com/sites/intranet/icons/icon-salesforce-tile-125-125.png\n", - " FileAccessed\n", - " SharePoint\n", - " 165.225.221.49\n", - " irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " OfficeActivity\n", - " \n", - " \n", - " \n", - " SharePointFileOperation\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " 
7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " Regular\n", - " d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb\n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " 152.133.101.182\n", - " \n", - " a9d09708-6ca6-439b-ac48-84cbe527e408\n", - " ...\n", - " \n", - " \n", - " 2020-07-28 12:54:15+00:00\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " Office365\n", + " 16\n", + " 16\n", + " b1315f05-4a7a-45b4-811f-73e715f7c122\n", + " Linux\n", + " 2020-05-06 00:40:20.777000+00:00\n", + " VictimHost\n", + " 2020-05-06 00:40:20.000\n", + " auth\n", + " VictimHost\n", + " info\n", + " Connection closed by invalid user admin 141.98.81.84 port 43513 [preauth]\n", + " 16705.0\n", + " 10.0.0.7\n", + " sshd\n", + " 00000000-0000-0000-0000-000000000002\n", + " Syslog\n", + " /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros...\n", + " Failure\n", + " admin\n", + " (sshd)\n", + " 141.98.81.84\n", + " 43513.0\n", + " NaN\n", + " invalid\n", + " admin\n", + " sshd\n", + " admin\n", + " Linux\n", + " Logon-Failure\n", " \n", " \n", - " 52\n", - " c9472277-d7f0-4af1-8d14-c27ba5d96716\n", - " OfficeActivityManager\n", - " 2020-07-28 12:43:32+00:00\n", - " https://centricaplc.sharepoint.com/sites/intranet/centrica%20asset%20library/umind_mylink_logo_1...\n", - " FileAccessed\n", - " SharePoint\n", - " 165.225.221.49\n", - " irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " OfficeActivity\n", - " \n", - " \n", - " \n", - " SharePointFileOperation\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " Regular\n", - " 
d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb\n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " 152.133.101.182\n", - " \n", - " a9d09708-6ca6-439b-ac48-84cbe527e408\n", - " ...\n", - " \n", - " \n", - " 2020-07-28 12:54:15+00:00\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " Office365\n", + " 17\n", + " 17\n", + " b1315f05-4a7a-45b4-811f-73e715f7c122\n", + " Linux\n", + " 2020-05-06 00:40:23.880000+00:00\n", + " VictimHost\n", + " 2020-05-06 00:40:23.000\n", + " auth\n", + " VictimHost\n", + " info\n", + " Invalid user Administrator from 141.98.81.99 port 44191\n", + " 16715.0\n", + " 10.0.0.7\n", + " sshd\n", + " 00000000-0000-0000-0000-000000000002\n", + " Syslog\n", + " /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros...\n", + " Failure\n", + " Administrator\n", + " (sshd)\n", + " 141.98.81.99\n", + " 44191.0\n", + " NaN\n", + " NaN\n", + " Administrator\n", + " sshd\n", + " Administrator\n", + " Linux\n", + " Logon-Failure\n", " \n", " \n", - " 49\n", - " c9472277-d7f0-4af1-8d14-c27ba5d96716\n", - " OfficeActivityManager\n", - " 2020-07-28 12:43:32+00:00\n", - " https://centricaplc.sharepoint.com/sites/intranet/centrica%20asset%20library/hse.png\n", - " FileAccessed\n", - " SharePoint\n", - " 165.225.221.49\n", - " irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " OfficeActivity\n", - " \n", - " \n", - " \n", - " SharePointFileOperation\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " Regular\n", - " d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb\n", - " \n", - " \n", - " 
crqerkikpjo@ld.fkaframbemji.pjb\n", - " 152.133.101.182\n", - " \n", - " a9d09708-6ca6-439b-ac48-84cbe527e408\n", - " ...\n", - " \n", - " \n", - " 2020-07-28 12:54:16+00:00\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " Office365\n", + " 18\n", + " 18\n", + " b1315f05-4a7a-45b4-811f-73e715f7c122\n", + " Linux\n", + " 2020-05-06 00:40:24.070000+00:00\n", + " VictimHost\n", + " 2020-05-06 00:40:24.000\n", + " auth\n", + " VictimHost\n", + " info\n", + " Connection closed by invalid user Administrator 141.98.81.99 port 44191 [preauth]\n", + " 16715.0\n", + " 10.0.0.7\n", + " sshd\n", + " 00000000-0000-0000-0000-000000000002\n", + " Syslog\n", + " /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros...\n", + " Failure\n", + " Administrator\n", + " (sshd)\n", + " 141.98.81.99\n", + " 44191.0\n", + " NaN\n", + " invalid\n", + " Administrator\n", + " sshd\n", + " Administrator\n", + " Linux\n", + " Logon-Failure\n", + " \n", + " \n", + " 19\n", + " 19\n", + " b1315f05-4a7a-45b4-811f-73e715f7c122\n", + " Linux\n", + " 2020-05-06 00:40:25.963000+00:00\n", + " VictimHost\n", + " 2020-05-06 00:40:25.000\n", + " auth\n", + " VictimHost\n", + " info\n", + " Connection closed by authenticating user root 141.98.81.107 port 42727 [preauth]\n", + " 16717.0\n", + " 10.0.0.7\n", + " sshd\n", + " 00000000-0000-0000-0000-000000000002\n", + " Syslog\n", + " /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros...\n", + " Failure\n", + " root\n", + " (sshd)\n", + " 141.98.81.107\n", + " 42727.0\n", + " NaN\n", + " authenticating\n", + " root\n", + " sshd\n", + " root\n", + " Linux\n", + " Logon-Failure\n", + " \n", + " \n", + " 20\n", + " 20\n", + " 
b1315f05-4a7a-45b4-811f-73e715f7c122\n", + " Linux\n", + " 2020-05-06 00:40:28.087000+00:00\n", + " VictimHost\n", + " 2020-05-06 00:40:28.000\n", + " auth\n", + " VictimHost\n", + " info\n", + " Invalid user admin from 141.98.81.108 port 46207\n", + " 16723.0\n", + " 10.0.0.7\n", + " sshd\n", + " 00000000-0000-0000-0000-000000000002\n", + " Syslog\n", + " /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros...\n", + " Failure\n", + " admin\n", + " (sshd)\n", + " 141.98.81.108\n", + " 46207.0\n", + " NaN\n", + " NaN\n", + " admin\n", + " sshd\n", + " admin\n", + " Linux\n", + " Logon-Failure\n", " \n", " \n", - " 54\n", - " c9472277-d7f0-4af1-8d14-c27ba5d96716\n", - " OfficeActivityManager\n", - " 2020-07-28 12:43:32+00:00\n", - " https://centricaplc.sharepoint.com/sites/intranet/centrica%20asset%20library/okh_icon_2_120_120.png\n", - " FileAccessed\n", - " SharePoint\n", - " 165.225.221.49\n", - " irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " OfficeActivity\n", - " \n", - " \n", - " \n", - " SharePointFileOperation\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " Regular\n", - " d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb\n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " 152.133.101.182\n", - " \n", - " a9d09708-6ca6-439b-ac48-84cbe527e408\n", - " ...\n", - " \n", - " \n", - " 2020-07-28 12:54:16+00:00\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " Office365\n", + " 21\n", + " 21\n", + " b1315f05-4a7a-45b4-811f-73e715f7c122\n", + " Linux\n", + " 2020-05-06 00:40:28.383000+00:00\n", + " 
VictimHost\n", + " 2020-05-06 00:40:28.000\n", + " auth\n", + " VictimHost\n", + " info\n", + " Connection closed by invalid user admin 141.98.81.108 port 46207 [preauth]\n", + " 16723.0\n", + " 10.0.0.7\n", + " sshd\n", + " 00000000-0000-0000-0000-000000000002\n", + " Syslog\n", + " /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros...\n", + " Failure\n", + " admin\n", + " (sshd)\n", + " 141.98.81.108\n", + " 46207.0\n", + " NaN\n", + " invalid\n", + " admin\n", + " sshd\n", + " admin\n", + " Linux\n", + " Logon-Failure\n", " \n", " \n", - " 36\n", - " c9472277-d7f0-4af1-8d14-c27ba5d96716\n", - " OfficeActivityManager\n", - " 2020-07-28 12:43:32+00:00\n", - " https://centricaplc.sharepoint.com/sites/intranet/icons/values-icon-colour-104-104.png\n", - " FileAccessed\n", - " SharePoint\n", - " 165.225.221.49\n", - " irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " OfficeActivity\n", - " \n", - " \n", - " \n", - " SharePointFileOperation\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " Regular\n", - " d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb\n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " 152.133.101.182\n", - " \n", - " a9d09708-6ca6-439b-ac48-84cbe527e408\n", - " ...\n", - " \n", - " \n", - " 2020-07-28 12:48:45+00:00\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " Office365\n", + " 22\n", + " 22\n", + " b1315f05-4a7a-45b4-811f-73e715f7c122\n", + " Linux\n", + " 2020-05-06 00:40:30.043000+00:00\n", + " VictimHost\n", + " 2020-05-06 00:40:30.000\n", + " auth\n", + " VictimHost\n", + " info\n", + " 
Invalid user 1234 from 141.98.81.81 port 51226\n", + " 16743.0\n", + " 10.0.0.7\n", + " sshd\n", + " 00000000-0000-0000-0000-000000000002\n", + " Syslog\n", + " /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros...\n", + " Failure\n", + " 1234\n", + " (sshd)\n", + " 141.98.81.81\n", + " 51226.0\n", + " NaN\n", + " NaN\n", + " 1234\n", + " sshd\n", + " 1234\n", + " Linux\n", + " Logon-Failure\n", " \n", " \n", - " 44\n", - " c9472277-d7f0-4af1-8d14-c27ba5d96716\n", - " OfficeActivityManager\n", - " 2020-07-28 12:43:32+00:00\n", - " https://centricaplc.sharepoint.com/sites/intranet/centrica%20asset%20library/centrica_c.png\n", - " FileAccessed\n", - " SharePoint\n", - " 165.225.221.49\n", - " irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " OfficeActivity\n", - " \n", - " \n", - " \n", - " SharePointFileOperation\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " Regular\n", - " d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb\n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " 152.133.101.182\n", - " \n", - " a9d09708-6ca6-439b-ac48-84cbe527e408\n", - " ...\n", - " \n", - " \n", - " 2020-07-28 12:54:15+00:00\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " Office365\n", + " 23\n", + " 23\n", + " b1315f05-4a7a-45b4-811f-73e715f7c122\n", + " Linux\n", + " 2020-05-06 00:40:30.287000+00:00\n", + " VictimHost\n", + " 2020-05-06 00:40:30.000\n", + " auth\n", + " VictimHost\n", + " info\n", + " Connection closed by invalid user 1234 141.98.81.81 port 51226 [preauth]\n", + " 16743.0\n", + " 10.0.0.7\n", + " sshd\n", + " 
00000000-0000-0000-0000-000000000002\n", + " Syslog\n", + " /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros...\n", + " Failure\n", + " 1234\n", + " (sshd)\n", + " 141.98.81.81\n", + " 51226.0\n", + " NaN\n", + " invalid\n", + " 1234\n", + " sshd\n", + " 1234\n", + " Linux\n", + " Logon-Failure\n", " \n", " \n", - " 34\n", - " c9472277-d7f0-4af1-8d14-c27ba5d96716\n", - " OfficeActivityManager\n", - " 2020-07-28 12:43:32+00:00\n", - " https://centricaplc.sharepoint.com/sites/intranet/icons/code-tile-icon-104-104.png\n", - " FileAccessed\n", - " SharePoint\n", - " 165.225.221.49\n", - " irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " OfficeActivity\n", - " \n", - " \n", - " \n", - " SharePointFileOperation\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " Regular\n", - " d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb\n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " 152.133.101.182\n", - " \n", - " a9d09708-6ca6-439b-ac48-84cbe527e408\n", - " ...\n", - " \n", - " \n", - " 2020-07-28 12:48:45+00:00\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " Office365\n", + " 24\n", + " 24\n", + " b1315f05-4a7a-45b4-811f-73e715f7c122\n", + " Linux\n", + " 2020-05-06 00:40:31.713000+00:00\n", + " VictimHost\n", + " 2020-05-06 00:40:31.000\n", + " auth\n", + " VictimHost\n", + " info\n", + " Invalid user guest from 141.98.81.83 port 40397\n", + " 16750.0\n", + " 10.0.0.7\n", + " sshd\n", + " 00000000-0000-0000-0000-000000000002\n", + " Syslog\n", + " 
/subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros...\n", + " Failure\n", + " guest\n", + " (sshd)\n", + " 141.98.81.83\n", + " 40397.0\n", + " NaN\n", + " NaN\n", + " guest\n", + " sshd\n", + " guest\n", + " Linux\n", + " Logon-Failure\n", " \n", " \n", - " 57\n", - " c9472277-d7f0-4af1-8d14-c27ba5d96716\n", - " OfficeActivityManager\n", - " 2020-07-28 12:43:32+00:00\n", - " https://centricaplc.sharepoint.com/sites/intranet/centrica%20asset%20library/direct_energy.png\n", - " FileAccessed\n", - " SharePoint\n", - " 165.225.221.49\n", - " irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " OfficeActivity\n", - " \n", - " \n", - " \n", - " SharePointFileOperation\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " Regular\n", - " d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb\n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " 152.133.101.182\n", - " \n", - " a9d09708-6ca6-439b-ac48-84cbe527e408\n", - " ...\n", - " \n", - " \n", - " 2020-07-28 12:54:17+00:00\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " Office365\n", + " 25\n", + " 25\n", + " b1315f05-4a7a-45b4-811f-73e715f7c122\n", + " Linux\n", + " 2020-05-06 00:40:31.837000+00:00\n", + " VictimHost\n", + " 2020-05-06 00:40:31.000\n", + " auth\n", + " VictimHost\n", + " info\n", + " Connection closed by invalid user guest 141.98.81.83 port 40397 [preauth]\n", + " 16750.0\n", + " 10.0.0.7\n", + " sshd\n", + " 00000000-0000-0000-0000-000000000002\n", + " Syslog\n", + " 
/subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros...\n", + " Failure\n", + " guest\n", + " (sshd)\n", + " 141.98.81.83\n", + " 40397.0\n", + " NaN\n", + " invalid\n", + " guest\n", + " sshd\n", + " guest\n", + " Linux\n", + " Logon-Failure\n", " \n", " \n", - " 33\n", - " c9472277-d7f0-4af1-8d14-c27ba5d96716\n", - " OfficeActivityManager\n", - " 2020-07-28 12:43:39+00:00\n", - " https://centricaplc.sharepoint.com/sites/allcompany712/Shared Documents/Apps/Yammer/20200715_142...\n", - " FilePreviewed\n", - " SharePoint\n", - " 13.89.136.240\n", - " akpeippj (faeccpibdbierfjcmrpckokm)\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " OfficeActivity\n", - " \n", - " \n", - " \n", - " SharePointFileOperation\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " Regular\n", - " d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb\n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " 35.47.146.75\n", - " \n", - " cc215b5c-17a1-4377-8c08-1f9a60157ed8\n", - " ...\n", - " \n", - " \n", - " 2020-07-28 12:48:45+00:00\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " Office365\n", + " 26\n", + " 26\n", + " b1315f05-4a7a-45b4-811f-73e715f7c122\n", + " Linux\n", + " 2020-05-06 00:40:34.370000+00:00\n", + " VictimHost\n", + " 2020-05-06 00:40:34.000\n", + " auth\n", + " VictimHost\n", + " info\n", + " Invalid user Admin from 141.98.81.84 port 34717\n", + " 16752.0\n", + " 10.0.0.7\n", + " sshd\n", + " 00000000-0000-0000-0000-000000000002\n", + " Syslog\n", + " /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros...\n", + " Failure\n", + " Admin\n", + " (sshd)\n", 
+ " 141.98.81.84\n", + " 34717.0\n", + " NaN\n", + " NaN\n", + " Admin\n", + " sshd\n", + " Admin\n", + " Linux\n", + " Logon-Failure\n", " \n", " \n", - " 24\n", - " c9472277-d7f0-4af1-8d14-c27ba5d96716\n", - " OfficeActivityManager\n", - " 2020-07-29 12:43:45+00:00\n", - " https://centricaplc.sharepoint.com/sites/intranet/Pages/Home.aspx\n", - " PageViewed\n", - " SharePoint\n", - " 165.225.221.35\n", - " irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " OfficeActivity\n", - " \n", - " \n", - " \n", - " SharePoint\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " Regular\n", - " d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb\n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " 152.133.101.25\n", - " \n", - " a9d09708-6ca6-439b-ac48-84cbe527e408\n", - " ...\n", - " \n", - " \n", - " 2020-07-29 12:53:53+00:00\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " Office365\n", + " 27\n", + " 27\n", + " b1315f05-4a7a-45b4-811f-73e715f7c122\n", + " Linux\n", + " 2020-05-06 00:40:34.887000+00:00\n", + " VictimHost\n", + " 2020-05-06 00:40:34.000\n", + " auth\n", + " VictimHost\n", + " info\n", + " Connection closed by invalid user Admin 141.98.81.84 port 34717 [preauth]\n", + " 16752.0\n", + " 10.0.0.7\n", + " sshd\n", + " 00000000-0000-0000-0000-000000000002\n", + " Syslog\n", + " /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros...\n", + " Failure\n", + " Admin\n", + " (sshd)\n", + " 141.98.81.84\n", + " 34717.0\n", + " NaN\n", + " invalid\n", + " Admin\n", + " sshd\n", + " Admin\n", + " Linux\n", + " 
Logon-Failure\n", " \n", " \n", - " 20\n", - " c9472277-d7f0-4af1-8d14-c27ba5d96716\n", - " OfficeActivityManager\n", - " 2020-07-29 12:43:46+00:00\n", - " https://centricaplc.sharepoint.com/sites/intranet/spoinsights/aitracker.js\n", - " FileAccessed\n", - " SharePoint\n", - " 165.225.221.35\n", - " irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " OfficeActivity\n", - " \n", - " \n", - " \n", - " SharePointFileOperation\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " Regular\n", - " d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb\n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " 152.133.101.25\n", - " \n", - " a9d09708-6ca6-439b-ac48-84cbe527e408\n", - " ...\n", - " \n", - " \n", - " 2020-07-29 12:53:54+00:00\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " Office365\n", + " 28\n", + " 28\n", + " b1315f05-4a7a-45b4-811f-73e715f7c122\n", + " Linux\n", + " 2020-05-06 00:40:38.300000+00:00\n", + " VictimHost\n", + " 2020-05-06 00:40:38.000\n", + " auth\n", + " VictimHost\n", + " info\n", + " Connection closed by authenticating user root 141.98.81.99 port 36241 [preauth]\n", + " 16758.0\n", + " 10.0.0.7\n", + " sshd\n", + " 00000000-0000-0000-0000-000000000002\n", + " Syslog\n", + " /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros...\n", + " Failure\n", + " root\n", + " (sshd)\n", + " 141.98.81.99\n", + " 36241.0\n", + " NaN\n", + " authenticating\n", + " root\n", + " sshd\n", + " root\n", + " Linux\n", + " Logon-Failure\n", + " \n", + " \n", + " 29\n", + " 29\n", + " 
b1315f05-4a7a-45b4-811f-73e715f7c122\n", + " Linux\n", + " 2020-05-06 00:40:40.770000+00:00\n", + " VictimHost\n", + " 2020-05-06 00:40:40.000\n", + " auth\n", + " VictimHost\n", + " info\n", + " Invalid user admin from 141.98.81.107 port 40527\n", + " 16762.0\n", + " 10.0.0.7\n", + " sshd\n", + " 00000000-0000-0000-0000-000000000002\n", + " Syslog\n", + " /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros...\n", + " Failure\n", + " admin\n", + " (sshd)\n", + " 141.98.81.107\n", + " 40527.0\n", + " NaN\n", + " NaN\n", + " admin\n", + " sshd\n", + " admin\n", + " Linux\n", + " Logon-Failure\n", + " \n", + " \n", + " 30\n", + " 30\n", + " b1315f05-4a7a-45b4-811f-73e715f7c122\n", + " Linux\n", + " 2020-05-06 00:40:41.157000+00:00\n", + " VictimHost\n", + " 2020-05-06 00:40:41.000\n", + " auth\n", + " VictimHost\n", + " info\n", + " Connection closed by invalid user admin 141.98.81.107 port 40527 [preauth]\n", + " 16762.0\n", + " 10.0.0.7\n", + " sshd\n", + " 00000000-0000-0000-0000-000000000002\n", + " Syslog\n", + " /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros...\n", + " Failure\n", + " admin\n", + " (sshd)\n", + " 141.98.81.107\n", + " 40527.0\n", + " NaN\n", + " invalid\n", + " admin\n", + " sshd\n", + " admin\n", + " Linux\n", + " Logon-Failure\n", + " \n", + " \n", + " 31\n", + " 31\n", + " b1315f05-4a7a-45b4-811f-73e715f7c122\n", + " Linux\n", + " 2020-05-06 00:40:43.957000+00:00\n", + " VictimHost\n", + " 2020-05-06 00:40:43.000\n", + " auth\n", + " VictimHost\n", + " info\n", + " Invalid user admin from 141.98.81.108 port 46475\n", + " 16770.0\n", + " 10.0.0.7\n", + " sshd\n", + " 00000000-0000-0000-0000-000000000002\n", + " Syslog\n", + " /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros...\n", + " Failure\n", + " admin\n", + " (sshd)\n", + " 141.98.81.108\n", + " 46475.0\n", + " NaN\n", + " NaN\n", + " admin\n", + " 
sshd\n", + " admin\n", + " Linux\n", + " Logon-Failure\n", + " \n", + " \n", + " 32\n", + " 32\n", + " b1315f05-4a7a-45b4-811f-73e715f7c122\n", + " Linux\n", + " 2020-05-06 00:40:44.110000+00:00\n", + " VictimHost\n", + " 2020-05-06 00:40:44.000\n", + " auth\n", + " VictimHost\n", + " info\n", + " Connection closed by invalid user admin 141.98.81.108 port 46475 [preauth]\n", + " 16770.0\n", + " 10.0.0.7\n", + " sshd\n", + " 00000000-0000-0000-0000-000000000002\n", + " Syslog\n", + " /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros...\n", + " Failure\n", + " admin\n", + " (sshd)\n", + " 141.98.81.108\n", + " 46475.0\n", + " NaN\n", + " invalid\n", + " admin\n", + " sshd\n", + " admin\n", + " Linux\n", + " Logon-Failure\n", + " \n", + " \n", + " 33\n", + " 33\n", + " b1315f05-4a7a-45b4-811f-73e715f7c122\n", + " Linux\n", + " 2020-05-06 00:40:47.280000+00:00\n", + " VictimHost\n", + " 2020-05-06 00:40:47.000\n", + " auth\n", + " VictimHost\n", + " info\n", + " Invalid user user from 141.98.81.81 port 58652\n", + " 16782.0\n", + " 10.0.0.7\n", + " sshd\n", + " 00000000-0000-0000-0000-000000000002\n", + " Syslog\n", + " /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros...\n", + " Failure\n", + " user\n", + " (sshd)\n", + " 141.98.81.81\n", + " 58652.0\n", + " NaN\n", + " NaN\n", + " user\n", + " sshd\n", + " user\n", + " Linux\n", + " Logon-Failure\n", " \n", " \n", - " 15\n", - " c9472277-d7f0-4af1-8d14-c27ba5d96716\n", - " OfficeActivityManager\n", - " 2020-07-29 12:43:46+00:00\n", - " https://centricaplc.sharepoint.com/sites/adminhub/style%20library/wm.intranet/polyfill/set.js\n", - " FileAccessed\n", - " SharePoint\n", - " 165.225.221.35\n", - " irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " OfficeActivity\n", - " \n", - " \n", - " \n", - " 
SharePointFileOperation\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " Regular\n", - " d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb\n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " 152.133.101.25\n", - " \n", - " db32ce1a-0378-41f7-8f83-9797a8e51af8\n", - " ...\n", - " \n", - " \n", - " 2020-07-29 12:53:54+00:00\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " Office365\n", + " 34\n", + " 34\n", + " b1315f05-4a7a-45b4-811f-73e715f7c122\n", + " Linux\n", + " 2020-05-06 00:40:47.370000+00:00\n", + " VictimHost\n", + " 2020-05-06 00:40:47.000\n", + " auth\n", + " VictimHost\n", + " info\n", + " Connection closed by invalid user user 141.98.81.81 port 58652 [preauth]\n", + " 16782.0\n", + " 10.0.0.7\n", + " sshd\n", + " 00000000-0000-0000-0000-000000000002\n", + " Syslog\n", + " /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros...\n", + " Failure\n", + " user\n", + " (sshd)\n", + " 141.98.81.81\n", + " 58652.0\n", + " NaN\n", + " invalid\n", + " user\n", + " sshd\n", + " user\n", + " Linux\n", + " Logon-Failure\n", " \n", " \n", - " 8\n", - " c9472277-d7f0-4af1-8d14-c27ba5d96716\n", - " OfficeActivityManager\n", - " 2020-07-29 12:43:46+00:00\n", - " https://centricaplc.sharepoint.com/sites/adminhub/style%20library/wm.intranet/bundle.css\n", - " FileAccessed\n", - " SharePoint\n", - " 165.225.221.35\n", - " irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " OfficeActivity\n", - " \n", - " \n", - " \n", - " SharePointFileOperation\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " 
7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " Regular\n", - " d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb\n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " 152.133.101.25\n", - " \n", - " db32ce1a-0378-41f7-8f83-9797a8e51af8\n", - " ...\n", - " \n", - " \n", - " 2020-07-29 12:48:47+00:00\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " Office365\n", + " 35\n", + " 35\n", + " b1315f05-4a7a-45b4-811f-73e715f7c122\n", + " Linux\n", + " 2020-05-06 00:43:34.333000+00:00\n", + " VictimHost\n", + " 2020-05-06 00:43:34.000\n", + " auth\n", + " VictimHost\n", + " info\n", + " Did not receive identification string from 85.239.35.161 port 60402\n", + " 17120.0\n", + " 10.0.0.7\n", + " sshd\n", + " 00000000-0000-0000-0000-000000000002\n", + " Syslog\n", + " /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros...\n", + " Failure\n", + " NaN\n", + " (sshd)\n", + " 85.239.35.161\n", + " 60402.0\n", + " NaN\n", + " NaN\n", + " NaN\n", + " sshd\n", + " NaN\n", + " Linux\n", + " Logon-Failure\n", " \n", " \n", - " 9\n", - " c9472277-d7f0-4af1-8d14-c27ba5d96716\n", - " OfficeActivityManager\n", - " 2020-07-29 12:43:46+00:00\n", - " https://centricaplc.sharepoint.com/sites/adminhub/style%20library/wm.intranet/vendor.css\n", - " FileAccessed\n", - " SharePoint\n", - " 165.225.221.35\n", - " irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " OfficeActivity\n", - " \n", - " \n", - " \n", - " SharePointFileOperation\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " Regular\n", - " d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb\n", - " 
\n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " 152.133.101.25\n", - " \n", - " db32ce1a-0378-41f7-8f83-9797a8e51af8\n", - " ...\n", - " \n", - " \n", - " 2020-07-29 12:48:47+00:00\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " Office365\n", + " 36\n", + " 36\n", + " b1315f05-4a7a-45b4-811f-73e715f7c122\n", + " Linux\n", + " 2020-05-06 00:43:40.020000+00:00\n", + " VictimHost\n", + " 2020-05-06 00:43:40.000\n", + " auth\n", + " VictimHost\n", + " info\n", + " Invalid user admin from 85.239.35.161 port 43382\n", + " 17121.0\n", + " 10.0.0.7\n", + " sshd\n", + " 00000000-0000-0000-0000-000000000002\n", + " Syslog\n", + " /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros...\n", + " Failure\n", + " admin\n", + " (sshd)\n", + " 85.239.35.161\n", + " 43382.0\n", + " NaN\n", + " NaN\n", + " admin\n", + " sshd\n", + " admin\n", + " Linux\n", + " Logon-Failure\n", " \n", " \n", - " 12\n", - " c9472277-d7f0-4af1-8d14-c27ba5d96716\n", - " OfficeActivityManager\n", - " 2020-07-29 12:43:46+00:00\n", - " https://centricaplc.sharepoint.com/sites/intranet/style%20library/en-us/themable/core%20styles/p...\n", - " FileAccessed\n", - " SharePoint\n", - " 165.225.221.35\n", - " irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " OfficeActivity\n", - " \n", - " \n", - " \n", - " SharePointFileOperation\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " Regular\n", - " d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb\n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " 152.133.101.25\n", - " \n", - " 
a9d09708-6ca6-439b-ac48-84cbe527e408\n", - " ...\n", - " \n", - " \n", - " 2020-07-29 12:53:53+00:00\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " Office365\n", + " 37\n", + " 37\n", + " b1315f05-4a7a-45b4-811f-73e715f7c122\n", + " Linux\n", + " 2020-05-06 00:43:40.947000+00:00\n", + " VictimHost\n", + " 2020-05-06 00:43:40.000\n", + " auth\n", + " VictimHost\n", + " info\n", + " Connection closed by invalid user admin 85.239.35.161 port 43382 [preauth]\n", + " 17121.0\n", + " 10.0.0.7\n", + " sshd\n", + " 00000000-0000-0000-0000-000000000002\n", + " Syslog\n", + " /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros...\n", + " Failure\n", + " admin\n", + " (sshd)\n", + " 85.239.35.161\n", + " 43382.0\n", + " NaN\n", + " invalid\n", + " admin\n", + " sshd\n", + " admin\n", + " Linux\n", + " Logon-Failure\n", " \n", " \n", - " 19\n", - " c9472277-d7f0-4af1-8d14-c27ba5d96716\n", - " OfficeActivityManager\n", - " 2020-07-29 12:43:46+00:00\n", - " https://centricaplc.sharepoint.com/sites/adminhub/style%20library/wm.intranet/vendor.js\n", - " FileAccessed\n", - " SharePoint\n", - " 165.225.221.35\n", - " irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " OfficeActivity\n", - " \n", - " \n", - " \n", - " SharePointFileOperation\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " Regular\n", - " d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb\n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " 152.133.101.25\n", - " \n", - " db32ce1a-0378-41f7-8f83-9797a8e51af8\n", - " ...\n", - " \n", - " \n", - " 2020-07-29 
12:53:55+00:00\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " Office365\n", + " 38\n", + " 38\n", + " b1315f05-4a7a-45b4-811f-73e715f7c122\n", + " Linux\n", + " 2020-05-06 00:43:41+00:00\n", + " VictimHost\n", + " 2020-05-06 00:43:40.000\n", + " auth\n", + " VictimHost\n", + " info\n", + " Invalid user user from 85.239.35.161 port 43438\n", + " 17126.0\n", + " 10.0.0.7\n", + " sshd\n", + " 00000000-0000-0000-0000-000000000002\n", + " Syslog\n", + " /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros...\n", + " Failure\n", + " user\n", + " (sshd)\n", + " 85.239.35.161\n", + " 43438.0\n", + " NaN\n", + " NaN\n", + " user\n", + " sshd\n", + " user\n", + " Linux\n", + " Logon-Failure\n", " \n", " \n", - " 4\n", - " c9472277-d7f0-4af1-8d14-c27ba5d96716\n", - " OfficeActivityManager\n", - " 2020-07-29 12:43:46+00:00\n", - " https://centricaplc.sharepoint.com/sites/intranet/sitecollectionimages/centrica-184-39.gif\n", - " FileAccessed\n", - " SharePoint\n", - " 165.225.221.35\n", - " irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " OfficeActivity\n", - " \n", - " \n", - " \n", - " SharePointFileOperation\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " Regular\n", - " d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb\n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " 152.133.101.25\n", - " \n", - " a9d09708-6ca6-439b-ac48-84cbe527e408\n", - " ...\n", - " \n", - " \n", - " 2020-07-29 12:53:54+00:00\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " \n", - " \n", - " \n", 
- " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " Office365\n", + " 39\n", + " 39\n", + " b1315f05-4a7a-45b4-811f-73e715f7c122\n", + " Linux\n", + " 2020-05-06 00:43:41.627000+00:00\n", + " VictimHost\n", + " 2020-05-06 00:43:41.000\n", + " auth\n", + " VictimHost\n", + " info\n", + " Connection closed by invalid user user 85.239.35.161 port 43438 [preauth]\n", + " 17126.0\n", + " 10.0.0.7\n", + " sshd\n", + " 00000000-0000-0000-0000-000000000002\n", + " Syslog\n", + " /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros...\n", + " Failure\n", + " user\n", + " (sshd)\n", + " 85.239.35.161\n", + " 43438.0\n", + " NaN\n", + " invalid\n", + " user\n", + " sshd\n", + " user\n", + " Linux\n", + " Logon-Failure\n", " \n", " \n", - " 6\n", - " c9472277-d7f0-4af1-8d14-c27ba5d96716\n", - " OfficeActivityManager\n", - " 2020-07-29 12:43:47+00:00\n", - " https://centricaplc.sharepoint.com/sites/adminhub/style%20library/wm.intranet/bundle.js\n", - " FileAccessed\n", - " SharePoint\n", - " 165.225.221.35\n", - " irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " OfficeActivity\n", - " \n", - " \n", - " \n", - " SharePointFileOperation\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " Regular\n", - " d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb\n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " 152.133.101.25\n", - " \n", - " db32ce1a-0378-41f7-8f83-9797a8e51af8\n", - " ...\n", - " \n", - " \n", - " 2020-07-29 12:53:54+00:00\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - 
" \n", - " \n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " Office365\n", + " 40\n", + " 40\n", + " b1315f05-4a7a-45b4-811f-73e715f7c122\n", + " Linux\n", + " 2020-05-06 00:43:42.977000+00:00\n", + " VictimHost\n", + " 2020-05-06 00:43:42.000\n", + " auth\n", + " VictimHost\n", + " info\n", + " Connection closed by authenticating user root 85.239.35.161 port 59508 [preauth]\n", + " 17146.0\n", + " 10.0.0.7\n", + " sshd\n", + " 00000000-0000-0000-0000-000000000002\n", + " Syslog\n", + " /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros...\n", + " Failure\n", + " root\n", + " (sshd)\n", + " 85.239.35.161\n", + " 59508.0\n", + " NaN\n", + " authenticating\n", + " root\n", + " sshd\n", + " root\n", + " Linux\n", + " Logon-Failure\n", " \n", " \n", - " 2\n", - " c9472277-d7f0-4af1-8d14-c27ba5d96716\n", - " OfficeActivityManager\n", - " 2020-07-29 12:43:47+00:00\n", - " https://centricaplc.sharepoint.com/sites/adminhub/style%20library/wm.intranet/images/social-icon...\n", - " FileAccessed\n", - " SharePoint\n", - " 165.225.221.35\n", - " irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " OfficeActivity\n", - " \n", - " \n", - " \n", - " SharePointFileOperation\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " Regular\n", - " d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb\n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " 152.133.101.25\n", - " \n", - " db32ce1a-0378-41f7-8f83-9797a8e51af8\n", - " ...\n", - " \n", - " \n", - " 2020-07-29 12:53:54+00:00\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - 
" Office365\n", + " 41\n", + " 41\n", + " b1315f05-4a7a-45b4-811f-73e715f7c122\n", + " Linux\n", + " 2020-05-06 01:06:54.183000+00:00\n", + " VictimHost\n", + " 2020-05-06 01:06:54.000\n", + " auth\n", + " VictimHost\n", + " info\n", + " Invalid user from 65.49.20.69 port 24062\n", + " 20114.0\n", + " 10.0.0.7\n", + " sshd\n", + " 00000000-0000-0000-0000-000000000002\n", + " Syslog\n", + " /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros...\n", + " Failure\n", + " NaN\n", + " (sshd)\n", + " 65.49.20.69\n", + " 24062.0\n", + " NaN\n", + " NaN\n", + " NaN\n", + " sshd\n", + " NaN\n", + " Linux\n", + " Logon-Failure\n", + " \n", + " \n", + " 42\n", + " 42\n", + " b1315f05-4a7a-45b4-811f-73e715f7c122\n", + " Linux\n", + " 2020-05-06 01:06:58.913000+00:00\n", + " VictimHost\n", + " 2020-05-06 01:06:58.000\n", + " auth\n", + " VictimHost\n", + " info\n", + " Connection closed by invalid user 65.49.20.69 port 24062 [preauth]\n", + " 20114.0\n", + " 10.0.0.7\n", + " sshd\n", + " 00000000-0000-0000-0000-000000000002\n", + " Syslog\n", + " /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros...\n", + " Failure\n", + " NaN\n", + " (sshd)\n", + " 65.49.20.69\n", + " 24062.0\n", + " NaN\n", + " invalid\n", + " NaN\n", + " sshd\n", + " NaN\n", + " Linux\n", + " Logon-Failure\n", + " \n", + " \n", + " 43\n", + " 43\n", + " b1315f05-4a7a-45b4-811f-73e715f7c122\n", + " Linux\n", + " 2020-05-06 01:11:44.543000+00:00\n", + " VictimHost\n", + " 2020-05-06 01:11:44.000\n", + " auth\n", + " VictimHost\n", + " info\n", + " Invalid user tester from 46.148.21.32 port 60136\n", + " 21089.0\n", + " 10.0.0.7\n", + " sshd\n", + " 00000000-0000-0000-0000-000000000002\n", + " Syslog\n", + " /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros...\n", + " Failure\n", + " tester\n", + " (sshd)\n", + " 46.148.21.32\n", + " 60136.0\n", + " NaN\n", + " NaN\n", + " 
tester\n", + " sshd\n", + " tester\n", + " Linux\n", + " Logon-Failure\n", " \n", " \n", - " 16\n", - " c9472277-d7f0-4af1-8d14-c27ba5d96716\n", - " OfficeActivityManager\n", - " 2020-07-29 12:43:47+00:00\n", - " https://centricaplc.sharepoint.com/sites/adminhub/Style Library/WM.Intranet/fonts/fontawesome-we...\n", - " FileAccessed\n", - " SharePoint\n", - " 165.225.221.35\n", - " irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " OfficeActivity\n", - " \n", - " \n", - " \n", - " SharePointFileOperation\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " Regular\n", - " d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb\n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " 152.133.101.25\n", - " \n", - " db32ce1a-0378-41f7-8f83-9797a8e51af8\n", - " ...\n", - " \n", - " \n", - " 2020-07-29 12:53:54+00:00\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " Office365\n", + " 44\n", + " 44\n", + " b1315f05-4a7a-45b4-811f-73e715f7c122\n", + " Linux\n", + " 2020-05-06 01:11:44.757000+00:00\n", + " VictimHost\n", + " 2020-05-06 01:11:44.000\n", + " auth\n", + " VictimHost\n", + " info\n", + " Connection closed by invalid user tester 46.148.21.32 port 60136 [preauth]\n", + " 21089.0\n", + " 10.0.0.7\n", + " sshd\n", + " 00000000-0000-0000-0000-000000000002\n", + " Syslog\n", + " /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros...\n", + " Failure\n", + " tester\n", + " (sshd)\n", + " 46.148.21.32\n", + " 60136.0\n", + " NaN\n", + " invalid\n", + " tester\n", + " sshd\n", + " tester\n", + " Linux\n", + " Logon-Failure\n", " \n", 
" \n", - " 0\n", - " c9472277-d7f0-4af1-8d14-c27ba5d96716\n", - " OfficeActivityManager\n", - " 2020-07-29 12:43:48+00:00\n", - " https://centricaplc.sharepoint.com/sites/intranet/publishingimages/2021_gp_rollover_380_77.png\n", - " FileAccessed\n", - " SharePoint\n", - " 165.225.221.35\n", - " irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " OfficeActivity\n", - " \n", - " \n", - " \n", - " SharePointFileOperation\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " Regular\n", - " d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb\n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " 152.133.101.25\n", - " \n", - " a9d09708-6ca6-439b-ac48-84cbe527e408\n", - " ...\n", - " \n", - " \n", - " 2020-07-29 12:53:53+00:00\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " Office365\n", + " 45\n", + " 45\n", + " b1315f05-4a7a-45b4-811f-73e715f7c122\n", + " Linux\n", + " 2020-05-06 01:39:51.600000+00:00\n", + " VictimHost\n", + " 2020-05-06 01:39:51.000\n", + " auth\n", + " VictimHost\n", + " info\n", + " Invalid user support from 46.148.21.32 port 49512\n", + " 24633.0\n", + " 10.0.0.7\n", + " sshd\n", + " 00000000-0000-0000-0000-000000000002\n", + " Syslog\n", + " /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros...\n", + " Failure\n", + " support\n", + " (sshd)\n", + " 46.148.21.32\n", + " 49512.0\n", + " NaN\n", + " NaN\n", + " support\n", + " sshd\n", + " support\n", + " Linux\n", + " Logon-Failure\n", " \n", " \n", - " 27\n", - " c9472277-d7f0-4af1-8d14-c27ba5d96716\n", - " OfficeActivityManager\n", - " 2020-07-29 
12:43:48+00:00\n", - " https://centricaplc.sharepoint.com/sites/adminhub/style%20library/wm.intranet/images/001-happy.png\n", - " FileAccessed\n", - " SharePoint\n", - " 165.225.221.35\n", - " irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " OfficeActivity\n", - " \n", - " \n", - " \n", - " SharePointFileOperation\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " Regular\n", - " d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb\n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " 152.133.101.25\n", - " \n", - " db32ce1a-0378-41f7-8f83-9797a8e51af8\n", - " ...\n", - " \n", - " \n", - " 2020-07-29 12:53:53+00:00\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " Office365\n", + " 46\n", + " 46\n", + " b1315f05-4a7a-45b4-811f-73e715f7c122\n", + " Linux\n", + " 2020-05-06 01:39:51.827000+00:00\n", + " VictimHost\n", + " 2020-05-06 01:39:51.000\n", + " auth\n", + " VictimHost\n", + " info\n", + " Connection closed by invalid user support 46.148.21.32 port 49512 [preauth]\n", + " 24633.0\n", + " 10.0.0.7\n", + " sshd\n", + " 00000000-0000-0000-0000-000000000002\n", + " Syslog\n", + " /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros...\n", + " Failure\n", + " support\n", + " (sshd)\n", + " 46.148.21.32\n", + " 46.0\n", + " NaN\n", + " invalid\n", + " support\n", + " sshd\n", + " support\n", + " Linux\n", + " Logon-Failure\n", " \n", " \n", - " 25\n", - " c9472277-d7f0-4af1-8d14-c27ba5d96716\n", - " OfficeActivityManager\n", - " 2020-07-29 12:43:48+00:00\n", - " 
https://centricaplc.sharepoint.com/sites/intranet/publishingimages/chris_th_rollover_380_77.png\n", - " FileAccessed\n", - " SharePoint\n", - " 165.225.221.35\n", - " irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " OfficeActivity\n", - " \n", - " \n", - " \n", - " SharePointFileOperation\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " Regular\n", - " d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb\n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " 152.133.101.25\n", - " \n", - " a9d09708-6ca6-439b-ac48-84cbe527e408\n", - " ...\n", - " \n", - " \n", - " 2020-07-29 12:53:53+00:00\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " Office365\n", + " 47\n", + " 47\n", + " b1315f05-4a7a-45b4-811f-73e715f7c122\n", + " Linux\n", + " 2020-05-06 01:44:45.127000+00:00\n", + " VictimHost\n", + " 2020-05-06 01:44:45.000\n", + " auth\n", + " VictimHost\n", + " info\n", + " Timeout, client not responding.\n", + " 13017.0\n", + " 10.0.0.7\n", + " sshd\n", + " 00000000-0000-0000-0000-000000000002\n", + " Syslog\n", + " /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros...\n", + " Unknown\n", + " NaN\n", + " (sshd)\n", + " NaN\n", + " NaN\n", + " NaN\n", + " NaN\n", + " NaN\n", + " sshd\n", + " NaN\n", + " Linux\n", + " Logon-Unknown\n", " \n", " \n", - " 23\n", - " c9472277-d7f0-4af1-8d14-c27ba5d96716\n", - " OfficeActivityManager\n", - " 2020-07-29 12:43:48+00:00\n", - " https://centricaplc.sharepoint.com/sites/intranet/publishingimages/chris_th_start_380_77.png\n", - " FileAccessed\n", - " SharePoint\n", - " 
165.225.221.35\n", - " irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " OfficeActivity\n", - " \n", - " \n", - " \n", - " SharePointFileOperation\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " Regular\n", - " d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb\n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " 152.133.101.25\n", - " \n", - " a9d09708-6ca6-439b-ac48-84cbe527e408\n", - " ...\n", - " \n", - " \n", - " 2020-07-29 12:53:54+00:00\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " Office365\n", + " 48\n", + " 48\n", + " b1315f05-4a7a-45b4-811f-73e715f7c122\n", + " Linux\n", + " 2020-05-06 01:44:45.327000+00:00\n", + " VictimHost\n", + " 2020-05-06 01:44:45.000\n", + " auth\n", + " VictimHost\n", + " info\n", + " Removed session 9.\n", + " 1263.0\n", + " 10.0.0.7\n", + " systemd-logind\n", + " 00000000-0000-0000-0000-000000000002\n", + " Syslog\n", + " /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros...\n", + " Unknown\n", + " NaN\n", + " (systemd-logind)\n", + " NaN\n", + " NaN\n", + " NaN\n", + " NaN\n", + " NaN\n", + " systemd-logind\n", + " NaN\n", + " Linux\n", + " Logon-Unknown\n", " \n", " \n", - " 21\n", - " c9472277-d7f0-4af1-8d14-c27ba5d96716\n", - " OfficeActivityManager\n", - " 2020-07-29 12:43:48+00:00\n", - " https://centricaplc.sharepoint.com/sites/intranet/publishingimages/2021_gp_start_380_77.png\n", - " FileAccessed\n", - " SharePoint\n", - " 165.225.221.35\n", - " irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " 
crqerkikpjo@ld.fkaframbemji.pjb\n", - " OfficeActivity\n", - " \n", - " \n", - " \n", - " SharePointFileOperation\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " Regular\n", - " d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb\n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " 152.133.101.25\n", - " \n", - " a9d09708-6ca6-439b-ac48-84cbe527e408\n", - " ...\n", - " \n", - " \n", - " 2020-07-29 12:53:54+00:00\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " Office365\n", + " 49\n", + " 49\n", + " b1315f05-4a7a-45b4-811f-73e715f7c122\n", + " Linux\n", + " 2020-05-06 01:44:45.327000+00:00\n", + " VictimHost\n", + " 2020-05-06 01:44:45.000\n", + " authpriv\n", + " VictimHost\n", + " info\n", + " pam_unix(sshd:session): session closed for user peteb\n", + " 12934.0\n", + " 10.0.0.7\n", + " sshd\n", + " 00000000-0000-0000-0000-000000000002\n", + " Syslog\n", + " /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros...\n", + " Unknown\n", + " peteb\n", + " (sshd)\n", + " NaN\n", + " NaN\n", + " NaN\n", + " NaN\n", + " peteb\n", + " sshd\n", + " peteb\n", + " Linux\n", + " Logon-Unknown\n", " \n", " \n", - " 18\n", - " c9472277-d7f0-4af1-8d14-c27ba5d96716\n", - " OfficeActivityManager\n", - " 2020-07-29 12:43:48+00:00\n", - " https://centricaplc.sharepoint.com/sites/adminhub/style%20library/wm.intranet/images/003-surpris...\n", - " FileAccessed\n", - " SharePoint\n", - " 165.225.221.35\n", - " irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " OfficeActivity\n", - " \n", - " \n", - " \n", - " SharePointFileOperation\n", - 
" 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " Regular\n", - " d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb\n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " 152.133.101.25\n", - " \n", - " db32ce1a-0378-41f7-8f83-9797a8e51af8\n", - " ...\n", - " \n", - " \n", - " 2020-07-29 12:53:55+00:00\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " Office365\n", + " 50\n", + " 50\n", + " b1315f05-4a7a-45b4-811f-73e715f7c122\n", + " Linux\n", + " 2020-05-06 01:48:17.787000+00:00\n", + " VictimHost\n", + " 2020-05-06 01:48:17.000\n", + " auth\n", + " VictimHost\n", + " info\n", + " Invalid user admin from 141.98.9.157 port 40289\n", + " 25803.0\n", + " 10.0.0.7\n", + " sshd\n", + " 00000000-0000-0000-0000-000000000002\n", + " Syslog\n", + " /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros...\n", + " Failure\n", + " admin\n", + " (sshd)\n", + " 141.98.9.157\n", + " 40289.0\n", + " NaN\n", + " NaN\n", + " admin\n", + " sshd\n", + " admin\n", + " Linux\n", + " Logon-Failure\n", " \n", " \n", - " 3\n", - " c9472277-d7f0-4af1-8d14-c27ba5d96716\n", - " OfficeActivityManager\n", - " 2020-07-29 12:43:48+00:00\n", - " https://centricaplc.sharepoint.com/sites/intranet/publishingimages/coronavirus_hub_start_380_77.png\n", - " FileAccessed\n", - " SharePoint\n", - " 165.225.221.35\n", - " irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " OfficeActivity\n", - " \n", - " \n", - " \n", - " SharePointFileOperation\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " Regular\n", - " 
d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb\n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " 152.133.101.25\n", - " \n", - " a9d09708-6ca6-439b-ac48-84cbe527e408\n", - " ...\n", - " \n", - " \n", - " 2020-07-29 12:53:54+00:00\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " Office365\n", + " 51\n", + " 51\n", + " b1315f05-4a7a-45b4-811f-73e715f7c122\n", + " Linux\n", + " 2020-05-06 01:48:17.933000+00:00\n", + " VictimHost\n", + " 2020-05-06 01:48:17.000\n", + " auth\n", + " VictimHost\n", + " info\n", + " Connection closed by invalid user admin 141.98.9.157 port 40289 [preauth]\n", + " 25803.0\n", + " 10.0.0.7\n", + " sshd\n", + " 00000000-0000-0000-0000-000000000002\n", + " Syslog\n", + " /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros...\n", + " Failure\n", + " admin\n", + " (sshd)\n", + " 141.98.9.157\n", + " 40289.0\n", + " NaN\n", + " invalid\n", + " admin\n", + " sshd\n", + " admin\n", + " Linux\n", + " Logon-Failure\n", + " \n", + " \n", + " 52\n", + " 52\n", + " b1315f05-4a7a-45b4-811f-73e715f7c122\n", + " Linux\n", + " 2020-05-06 01:48:19.660000+00:00\n", + " VictimHost\n", + " 2020-05-06 01:48:19.000\n", + " auth\n", + " VictimHost\n", + " info\n", + " Invalid user admin from 141.98.9.159 port 35637\n", + " 25816.0\n", + " 10.0.0.7\n", + " sshd\n", + " 00000000-0000-0000-0000-000000000002\n", + " Syslog\n", + " /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros...\n", + " Failure\n", + " admin\n", + " (sshd)\n", + " 141.98.9.159\n", + " 35637.0\n", + " NaN\n", + " NaN\n", + " admin\n", + " sshd\n", + " admin\n", + " Linux\n", + " Logon-Failure\n", " \n", " \n", - " 7\n", - " 
c9472277-d7f0-4af1-8d14-c27ba5d96716\n", - " OfficeActivityManager\n", - " 2020-07-29 12:43:48+00:00\n", - " https://centricaplc.sharepoint.com/sites/intranet/publishingimages/coronavirus_hub_rollover_380_...\n", - " FileAccessed\n", - " SharePoint\n", - " 165.225.221.35\n", - " irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " OfficeActivity\n", - " \n", - " \n", - " \n", - " SharePointFileOperation\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " Regular\n", - " d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb\n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " 152.133.101.25\n", - " \n", - " a9d09708-6ca6-439b-ac48-84cbe527e408\n", - " ...\n", - " \n", - " \n", - " 2020-07-29 12:48:47+00:00\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " Office365\n", + " 53\n", + " 53\n", + " b1315f05-4a7a-45b4-811f-73e715f7c122\n", + " Linux\n", + " 2020-05-06 01:48:19.813000+00:00\n", + " VictimHost\n", + " 2020-05-06 01:48:19.000\n", + " auth\n", + " VictimHost\n", + " info\n", + " Connection closed by invalid user admin 141.98.9.159 port 35637 [preauth]\n", + " 25816.0\n", + " 10.0.0.7\n", + " sshd\n", + " 00000000-0000-0000-0000-000000000002\n", + " Syslog\n", + " /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros...\n", + " Failure\n", + " admin\n", + " (sshd)\n", + " 141.98.9.159\n", + " 35637.0\n", + " NaN\n", + " invalid\n", + " admin\n", + " sshd\n", + " admin\n", + " Linux\n", + " Logon-Failure\n", " \n", " \n", - " 11\n", - " c9472277-d7f0-4af1-8d14-c27ba5d96716\n", - " OfficeActivityManager\n", - " 2020-07-29 
12:43:48+00:00\n", - " https://centricaplc.sharepoint.com/sites/adminhub/style%20library/wm.intranet/images/002-sad.png\n", - " FileAccessed\n", - " SharePoint\n", - " 165.225.221.35\n", - " irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " OfficeActivity\n", - " \n", - " \n", - " \n", - " SharePointFileOperation\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " Regular\n", - " d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb\n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " 152.133.101.25\n", - " \n", - " db32ce1a-0378-41f7-8f83-9797a8e51af8\n", - " ...\n", - " \n", - " \n", - " 2020-07-29 12:53:53+00:00\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " Office365\n", + " 54\n", + " 54\n", + " b1315f05-4a7a-45b4-811f-73e715f7c122\n", + " Linux\n", + " 2020-05-06 01:48:21.860000+00:00\n", + " VictimHost\n", + " 2020-05-06 01:48:21.000\n", + " auth\n", + " VictimHost\n", + " info\n", + " Invalid user user from 141.98.9.160 port 43607\n", + " 25822.0\n", + " 10.0.0.7\n", + " sshd\n", + " 00000000-0000-0000-0000-000000000002\n", + " Syslog\n", + " /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros...\n", + " Failure\n", + " user\n", + " (sshd)\n", + " 141.98.9.160\n", + " 43607.0\n", + " NaN\n", + " NaN\n", + " user\n", + " sshd\n", + " user\n", + " Linux\n", + " Logon-Failure\n", " \n", " \n", - " 22\n", - " c9472277-d7f0-4af1-8d14-c27ba5d96716\n", - " OfficeActivityManager\n", - " 2020-07-29 12:43:49+00:00\n", - " https://centricaplc-my.sharepoint.com/User Photos/Profile 
Pictures/amber_heavisides_centrica_com...\n", - " FileAccessed\n", - " SharePoint\n", - " 165.225.221.35\n", - " irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " OfficeActivity\n", - " \n", - " \n", - " \n", - " SharePointFileOperation\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " Regular\n", - " d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb\n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " 152.133.101.25\n", - " \n", - " efb97716-3699-4616-9d0a-a9cea743bda7\n", - " ...\n", - " \n", - " \n", - " 2020-07-29 12:53:54+00:00\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " Office365\n", + " 55\n", + " 55\n", + " b1315f05-4a7a-45b4-811f-73e715f7c122\n", + " Linux\n", + " 2020-05-06 01:48:21.950000+00:00\n", + " VictimHost\n", + " 2020-05-06 01:48:21.000\n", + " auth\n", + " VictimHost\n", + " info\n", + " Connection closed by invalid user user 141.98.9.160 port 43607 [preauth]\n", + " 25822.0\n", + " 10.0.0.7\n", + " sshd\n", + " 00000000-0000-0000-0000-000000000002\n", + " Syslog\n", + " /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros...\n", + " Failure\n", + " user\n", + " (sshd)\n", + " 141.98.9.160\n", + " 43607.0\n", + " NaN\n", + " invalid\n", + " user\n", + " sshd\n", + " user\n", + " Linux\n", + " Logon-Failure\n", " \n", " \n", - " 14\n", - " c9472277-d7f0-4af1-8d14-c27ba5d96716\n", - " OfficeActivityManager\n", - " 2020-07-29 12:43:52+00:00\n", - " https://centricaplc.sharepoint.com/sites/intranet/centrica%20asset%20library/hse.png\n", - " FileAccessed\n", - " SharePoint\n", - " 
165.225.221.35\n", - " irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " OfficeActivity\n", - " \n", - " \n", - " \n", - " SharePointFileOperation\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " Regular\n", - " d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb\n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " 152.133.101.25\n", - " \n", - " a9d09708-6ca6-439b-ac48-84cbe527e408\n", - " ...\n", - " \n", - " \n", - " 2020-07-29 12:53:54+00:00\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " Office365\n", + " 56\n", + " 56\n", + " b1315f05-4a7a-45b4-811f-73e715f7c122\n", + " Linux\n", + " 2020-05-06 01:48:24.507000+00:00\n", + " VictimHost\n", + " 2020-05-06 01:48:24.000\n", + " auth\n", + " VictimHost\n", + " info\n", + " Invalid user admin from 141.98.9.161 port 45085\n", + " 25825.0\n", + " 10.0.0.7\n", + " sshd\n", + " 00000000-0000-0000-0000-000000000002\n", + " Syslog\n", + " /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros...\n", + " Failure\n", + " admin\n", + " (sshd)\n", + " 141.98.9.161\n", + " 45085.0\n", + " NaN\n", + " NaN\n", + " admin\n", + " sshd\n", + " admin\n", + " Linux\n", + " Logon-Failure\n", " \n", " \n", - " 1\n", - " c9472277-d7f0-4af1-8d14-c27ba5d96716\n", - " OfficeActivityManager\n", - " 2020-07-29 12:43:52+00:00\n", - " https://centricaplc.sharepoint.com/sites/intranet/icons/values-icon-colour-104-104.png\n", - " FileAccessed\n", - " SharePoint\n", - " 165.225.221.35\n", - " irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo\n", - " 
crqerkikpjo@ld.fkaframbemji.pjb\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " OfficeActivity\n", - " \n", - " \n", - " \n", - " SharePointFileOperation\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " Regular\n", - " d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb\n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " 152.133.101.25\n", - " \n", - " a9d09708-6ca6-439b-ac48-84cbe527e408\n", - " ...\n", - " \n", - " \n", - " 2020-07-29 12:53:54+00:00\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " Office365\n", + " 57\n", + " 57\n", + " b1315f05-4a7a-45b4-811f-73e715f7c122\n", + " Linux\n", + " 2020-05-06 01:48:25.070000+00:00\n", + " VictimHost\n", + " 2020-05-06 01:48:25.000\n", + " auth\n", + " VictimHost\n", + " info\n", + " Connection closed by invalid user admin 141.98.9.161 port 45085 [preauth]\n", + " 25825.0\n", + " 10.0.0.7\n", + " sshd\n", + " 00000000-0000-0000-0000-000000000002\n", + " Syslog\n", + " /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros...\n", + " Failure\n", + " admin\n", + " (sshd)\n", + " 141.98.9.161\n", + " 45085.0\n", + " NaN\n", + " invalid\n", + " admin\n", + " sshd\n", + " admin\n", + " Linux\n", + " Logon-Failure\n", " \n", " \n", - " 5\n", - " c9472277-d7f0-4af1-8d14-c27ba5d96716\n", - " OfficeActivityManager\n", - " 2020-07-29 12:43:52+00:00\n", - " https://centricaplc.sharepoint.com/sites/intranet/centrica%20asset%20library/okh_icon_2_120_120.png\n", - " FileAccessed\n", - " SharePoint\n", - " 165.225.221.35\n", - " irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " 
OfficeActivity\n", - " \n", - " \n", - " \n", - " SharePointFileOperation\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " Regular\n", - " d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb\n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " 152.133.101.25\n", - " \n", - " a9d09708-6ca6-439b-ac48-84cbe527e408\n", - " ...\n", - " \n", - " \n", - " 2020-07-29 12:53:54+00:00\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " Office365\n", + " 58\n", + " 58\n", + " b1315f05-4a7a-45b4-811f-73e715f7c122\n", + " Linux\n", + " 2020-05-06 01:48:26.747000+00:00\n", + " VictimHost\n", + " 2020-05-06 01:48:26.000\n", + " auth\n", + " VictimHost\n", + " info\n", + " Connection closed by authenticating user root 141.98.9.156 port 33769 [preauth]\n", + " 25832.0\n", + " 10.0.0.7\n", + " sshd\n", + " 00000000-0000-0000-0000-000000000002\n", + " Syslog\n", + " /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros...\n", + " Failure\n", + " root\n", + " (sshd)\n", + " 141.98.9.156\n", + " 33769.0\n", + " NaN\n", + " authenticating\n", + " root\n", + " sshd\n", + " root\n", + " Linux\n", + " Logon-Failure\n", " \n", " \n", - " 30\n", - " c9472277-d7f0-4af1-8d14-c27ba5d96716\n", - " OfficeActivityManager\n", - " 2020-07-29 12:43:52+00:00\n", - " https://centricaplc.sharepoint.com/sites/intranet/icons/icon-salesforce-tile-125-125.png\n", - " FileAccessed\n", - " SharePoint\n", - " 165.225.221.35\n", - " irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " OfficeActivity\n", - " \n", - " \n", - " \n", - " SharePointFileOperation\n", - " 
7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " Regular\n", - " d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb\n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " 152.133.101.25\n", - " \n", - " a9d09708-6ca6-439b-ac48-84cbe527e408\n", - " ...\n", - " \n", - " \n", - " 2020-07-29 12:53:54+00:00\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " Office365\n", + " 59\n", + " 59\n", + " b1315f05-4a7a-45b4-811f-73e715f7c122\n", + " Linux\n", + " 2020-05-06 01:48:28.267000+00:00\n", + " VictimHost\n", + " 2020-05-06 01:48:28.000\n", + " auth\n", + " VictimHost\n", + " info\n", + " Invalid user operator from 141.98.9.137 port 56654\n", + " 25834.0\n", + " 10.0.0.7\n", + " sshd\n", + " 00000000-0000-0000-0000-000000000002\n", + " Syslog\n", + " /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros...\n", + " Failure\n", + " operator\n", + " (sshd)\n", + " 141.98.9.137\n", + " 56654.0\n", + " NaN\n", + " NaN\n", + " operator\n", + " sshd\n", + " operator\n", + " Linux\n", + " Logon-Failure\n", " \n", " \n", - " 29\n", - " c9472277-d7f0-4af1-8d14-c27ba5d96716\n", - " OfficeActivityManager\n", - " 2020-07-29 12:43:52+00:00\n", - " https://centricaplc.sharepoint.com/sites/intranet/centrica%20asset%20library/direct_energy.png\n", - " FileAccessed\n", - " SharePoint\n", - " 165.225.221.35\n", - " irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " OfficeActivity\n", - " \n", - " \n", - " \n", - " SharePointFileOperation\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " Regular\n", - " 
d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb\n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " 152.133.101.25\n", - " \n", - " a9d09708-6ca6-439b-ac48-84cbe527e408\n", - " ...\n", - " \n", - " \n", - " 2020-07-29 12:53:53+00:00\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " Office365\n", + " 60\n", + " 60\n", + " b1315f05-4a7a-45b4-811f-73e715f7c122\n", + " Linux\n", + " 2020-05-06 01:48:28.383000+00:00\n", + " VictimHost\n", + " 2020-05-06 01:48:28.000\n", + " auth\n", + " VictimHost\n", + " info\n", + " Connection closed by invalid user operator 141.98.9.137 port 56654 [preauth]\n", + " 25834.0\n", + " 10.0.0.7\n", + " sshd\n", + " 00000000-0000-0000-0000-000000000002\n", + " Syslog\n", + " /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros...\n", + " Failure\n", + " operator\n", + " (sshd)\n", + " 141.98.9.137\n", + " 56654.0\n", + " NaN\n", + " invalid\n", + " operator\n", + " sshd\n", + " operator\n", + " Linux\n", + " Logon-Failure\n", + " \n", + " \n", + " 61\n", + " 61\n", + " b1315f05-4a7a-45b4-811f-73e715f7c122\n", + " Linux\n", + " 2020-05-06 01:48:29.807000+00:00\n", + " VictimHost\n", + " 2020-05-06 01:48:29.000\n", + " auth\n", + " VictimHost\n", + " info\n", + " Invalid user test from 141.98.9.157 port 39665\n", + " 25841.0\n", + " 10.0.0.7\n", + " sshd\n", + " 00000000-0000-0000-0000-000000000002\n", + " Syslog\n", + " /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros...\n", + " Failure\n", + " test\n", + " (sshd)\n", + " 141.98.9.157\n", + " 39665.0\n", + " NaN\n", + " NaN\n", + " test\n", + " sshd\n", + " test\n", + " Linux\n", + " Logon-Failure\n", + " \n", + " \n", + " 62\n", + " 62\n", + " 
b1315f05-4a7a-45b4-811f-73e715f7c122\n", + " Linux\n", + " 2020-05-06 01:48:29.977000+00:00\n", + " VictimHost\n", + " 2020-05-06 01:48:29.000\n", + " auth\n", + " VictimHost\n", + " info\n", + " Connection closed by invalid user test 141.98.9.157 port 39665 [preauth]\n", + " 25841.0\n", + " 10.0.0.7\n", + " sshd\n", + " 00000000-0000-0000-0000-000000000002\n", + " Syslog\n", + " /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros...\n", + " Failure\n", + " test\n", + " (sshd)\n", + " 141.98.9.157\n", + " 39665.0\n", + " NaN\n", + " invalid\n", + " test\n", + " sshd\n", + " test\n", + " Linux\n", + " Logon-Failure\n", + " \n", + " \n", + " 63\n", + " 63\n", + " b1315f05-4a7a-45b4-811f-73e715f7c122\n", + " Linux\n", + " 2020-05-06 01:48:32.097000+00:00\n", + " VictimHost\n", + " 2020-05-06 01:48:32.000\n", + " auth\n", + " VictimHost\n", + " info\n", + " Connection closed by authenticating user root 141.98.9.159 port 41651 [preauth]\n", + " 25843.0\n", + " 10.0.0.7\n", + " sshd\n", + " 00000000-0000-0000-0000-000000000002\n", + " Syslog\n", + " /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros...\n", + " Failure\n", + " root\n", + " (sshd)\n", + " 141.98.9.159\n", + " 41651.0\n", + " NaN\n", + " authenticating\n", + " root\n", + " sshd\n", + " root\n", + " Linux\n", + " Logon-Failure\n", + " \n", + " \n", + " 64\n", + " 64\n", + " b1315f05-4a7a-45b4-811f-73e715f7c122\n", + " Linux\n", + " 2020-05-06 01:48:35.093000+00:00\n", + " VictimHost\n", + " 2020-05-06 01:48:35.000\n", + " auth\n", + " VictimHost\n", + " info\n", + " Invalid user guest from 141.98.9.160 port 39145\n", + " 25845.0\n", + " 10.0.0.7\n", + " sshd\n", + " 00000000-0000-0000-0000-000000000002\n", + " Syslog\n", + " /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros...\n", + " Failure\n", + " guest\n", + " (sshd)\n", + " 141.98.9.160\n", + " 39145.0\n", + " NaN\n", 
+ " NaN\n", + " guest\n", + " sshd\n", + " guest\n", + " Linux\n", + " Logon-Failure\n", + " \n", + " \n", + " 65\n", + " 65\n", + " b1315f05-4a7a-45b4-811f-73e715f7c122\n", + " Linux\n", + " 2020-05-06 01:48:35.437000+00:00\n", + " VictimHost\n", + " 2020-05-06 01:48:35.000\n", + " auth\n", + " VictimHost\n", + " info\n", + " Connection closed by invalid user guest 141.98.9.160 port 39145 [preauth]\n", + " 25845.0\n", + " 10.0.0.7\n", + " sshd\n", + " 00000000-0000-0000-0000-000000000002\n", + " Syslog\n", + " /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros...\n", + " Failure\n", + " guest\n", + " (sshd)\n", + " 141.98.9.160\n", + " 39145.0\n", + " NaN\n", + " invalid\n", + " guest\n", + " sshd\n", + " guest\n", + " Linux\n", + " Logon-Failure\n", + " \n", + " \n", + " 66\n", + " 66\n", + " b1315f05-4a7a-45b4-811f-73e715f7c122\n", + " Linux\n", + " 2020-05-06 01:48:37.563000+00:00\n", + " VictimHost\n", + " 2020-05-06 01:48:37.000\n", + " auth\n", + " VictimHost\n", + " info\n", + " Invalid user ubnt from 141.98.9.161 port 45527\n", + " 25862.0\n", + " 10.0.0.7\n", + " sshd\n", + " 00000000-0000-0000-0000-000000000002\n", + " Syslog\n", + " /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros...\n", + " Failure\n", + " ubnt\n", + " (sshd)\n", + " 141.98.9.161\n", + " 45527.0\n", + " NaN\n", + " NaN\n", + " ubnt\n", + " sshd\n", + " ubnt\n", + " Linux\n", + " Logon-Failure\n", " \n", " \n", - " 17\n", - " c9472277-d7f0-4af1-8d14-c27ba5d96716\n", - " OfficeActivityManager\n", - " 2020-07-29 12:43:52+00:00\n", - " https://centricaplc.sharepoint.com/sites/intranet/centrica%20asset%20library/centrica_c.png\n", - " FileAccessed\n", - " SharePoint\n", - " 165.225.221.35\n", - " irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " OfficeActivity\n", - " \n", - " \n", - " \n", - 
" SharePointFileOperation\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " Regular\n", - " d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb\n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " 152.133.101.25\n", - " \n", - " a9d09708-6ca6-439b-ac48-84cbe527e408\n", - " ...\n", - " \n", - " \n", - " 2020-07-29 12:53:55+00:00\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " Office365\n", + " 67\n", + " 67\n", + " b1315f05-4a7a-45b4-811f-73e715f7c122\n", + " Linux\n", + " 2020-05-06 01:48:37.660000+00:00\n", + " VictimHost\n", + " 2020-05-06 01:48:37.000\n", + " auth\n", + " VictimHost\n", + " info\n", + " Connection closed by invalid user ubnt 141.98.9.161 port 45527 [preauth]\n", + " 25862.0\n", + " 10.0.0.7\n", + " sshd\n", + " 00000000-0000-0000-0000-000000000002\n", + " Syslog\n", + " /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros...\n", + " Failure\n", + " ubnt\n", + " (sshd)\n", + " 141.98.9.161\n", + " 45527.0\n", + " NaN\n", + " invalid\n", + " ubnt\n", + " sshd\n", + " ubnt\n", + " Linux\n", + " Logon-Failure\n", " \n", " \n", - " 26\n", - " c9472277-d7f0-4af1-8d14-c27ba5d96716\n", - " OfficeActivityManager\n", - " 2020-07-29 12:43:52+00:00\n", - " https://centricaplc.sharepoint.com/sites/intranet/centrica%20asset%20library/umind_mylink_logo_1...\n", - " FileAccessed\n", - " SharePoint\n", - " 165.225.221.35\n", - " irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " OfficeActivity\n", - " \n", - " \n", - " \n", - " SharePointFileOperation\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " 
7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " Regular\n", - " d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb\n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " 152.133.101.25\n", - " \n", - " a9d09708-6ca6-439b-ac48-84cbe527e408\n", - " ...\n", - " \n", - " \n", - " 2020-07-29 12:53:53+00:00\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " Office365\n", + " 68\n", + " 68\n", + " b1315f05-4a7a-45b4-811f-73e715f7c122\n", + " Linux\n", + " 2020-05-06 01:48:40.037000+00:00\n", + " VictimHost\n", + " 2020-05-06 01:48:40.000\n", + " auth\n", + " VictimHost\n", + " info\n", + " Invalid user guest from 141.98.9.156 port 38585\n", + " 25866.0\n", + " 10.0.0.7\n", + " sshd\n", + " 00000000-0000-0000-0000-000000000002\n", + " Syslog\n", + " /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros...\n", + " Failure\n", + " guest\n", + " (sshd)\n", + " 141.98.9.156\n", + " 38585.0\n", + " NaN\n", + " NaN\n", + " guest\n", + " sshd\n", + " guest\n", + " Linux\n", + " Logon-Failure\n", " \n", " \n", - " 10\n", - " c9472277-d7f0-4af1-8d14-c27ba5d96716\n", - " OfficeActivityManager\n", - " 2020-07-29 12:43:52+00:00\n", - " https://centricaplc.sharepoint.com/sites/intranet/icons/code-tile-icon-104-104.png\n", - " FileAccessed\n", - " SharePoint\n", - " 165.225.221.35\n", - " irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " OfficeActivity\n", - " \n", - " \n", - " \n", - " SharePointFileOperation\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " Regular\n", - " d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb\n", - " \n", - " \n", - " 
crqerkikpjo@ld.fkaframbemji.pjb\n", - " 152.133.101.25\n", - " \n", - " a9d09708-6ca6-439b-ac48-84cbe527e408\n", - " ...\n", - " \n", - " \n", - " 2020-07-29 12:53:53+00:00\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " Office365\n", + " 69\n", + " 69\n", + " b1315f05-4a7a-45b4-811f-73e715f7c122\n", + " Linux\n", + " 2020-05-06 01:48:40.123000+00:00\n", + " VictimHost\n", + " 2020-05-06 01:48:40.000\n", + " auth\n", + " VictimHost\n", + " info\n", + " Connection closed by invalid user guest 141.98.9.156 port 38585 [preauth]\n", + " 25866.0\n", + " 10.0.0.7\n", + " sshd\n", + " 00000000-0000-0000-0000-000000000002\n", + " Syslog\n", + " /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros...\n", + " Failure\n", + " guest\n", + " (sshd)\n", + " 141.98.9.156\n", + " 38585.0\n", + " NaN\n", + " invalid\n", + " guest\n", + " sshd\n", + " guest\n", + " Linux\n", + " Logon-Failure\n", " \n", " \n", - " 28\n", - " c9472277-d7f0-4af1-8d14-c27ba5d96716\n", - " OfficeActivityManager\n", - " 2020-07-29 12:43:58+00:00\n", - " https://centricaplc.sharepoint.com/sites/adminhub/takeover%20banner%20images/home_insurance_bann...\n", - " FileAccessed\n", - " SharePoint\n", - " 165.225.221.35\n", - " irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " OfficeActivity\n", - " \n", - " \n", - " \n", - " SharePointFileOperation\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " Regular\n", - " d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb\n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " 152.133.101.25\n", - " \n", - " 
db32ce1a-0378-41f7-8f83-9797a8e51af8\n", - " ...\n", - " \n", - " \n", - " 2020-07-29 12:53:53+00:00\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " Office365\n", + " 70\n", + " 70\n", + " b1315f05-4a7a-45b4-811f-73e715f7c122\n", + " Linux\n", + " 2020-05-06 01:48:41.557000+00:00\n", + " VictimHost\n", + " 2020-05-06 01:48:41.000\n", + " auth\n", + " VictimHost\n", + " info\n", + " Invalid user support from 141.98.9.137 port 34468\n", + " 25872.0\n", + " 10.0.0.7\n", + " sshd\n", + " 00000000-0000-0000-0000-000000000002\n", + " Syslog\n", + " /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros...\n", + " Failure\n", + " support\n", + " (sshd)\n", + " 141.98.9.137\n", + " 34468.0\n", + " NaN\n", + " NaN\n", + " support\n", + " sshd\n", + " support\n", + " Linux\n", + " Logon-Failure\n", " \n", " \n", - " 13\n", - " c9472277-d7f0-4af1-8d14-c27ba5d96716\n", - " OfficeActivityManager\n", - " 2020-07-29 12:44:02+00:00\n", - " https://centricaplc.sharepoint.com/sites/allcompany712/Shared Documents/Apps/Yammer/applet movin...\n", - " FileAccessed\n", - " SharePoint\n", - " 165.225.221.35\n", - " aeoeecblecnaklnndkojpqfnlmrrlap/o.n\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " OfficeActivity\n", - " \n", - " \n", - " \n", - " SharePointFileOperation\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " 7a2333d3-adbf-4e7c-b58d-2a7144511ba8\n", - " Regular\n", - " d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb\n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " 152.133.101.25\n", - " \n", - " cc215b5c-17a1-4377-8c08-1f9a60157ed8\n", - " ...\n", - " \n", - " \n", - " 2020-07-29 12:53:53+00:00\n", - " 
734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " 734d800a-d091-427f-a517-ee1e0bc4ab94\n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " crqerkikpjo@ld.fkaframbemji.pjb\n", - " Office365\n", + " 71\n", + " 71\n", + " b1315f05-4a7a-45b4-811f-73e715f7c122\n", + " Linux\n", + " 2020-05-06 01:48:41.643000+00:00\n", + " VictimHost\n", + " 2020-05-06 01:48:41.000\n", + " auth\n", + " VictimHost\n", + " info\n", + " Connection closed by invalid user support 141.98.9.137 port 34468 [preauth]\n", + " 25872.0\n", + " 10.0.0.7\n", + " sshd\n", + " 00000000-0000-0000-0000-000000000002\n", + " Syslog\n", + " /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros...\n", + " Failure\n", + " support\n", + " (sshd)\n", + " 141.98.9.137\n", + " 141.0\n", + " NaN\n", + " invalid\n", + " support\n", + " sshd\n", + " support\n", + " Linux\n", + " Logon-Failure\n", + " \n", + " \n", + " 72\n", + " 72\n", + " b1315f05-4a7a-45b4-811f-73e715f7c122\n", + " Linux\n", + " 2020-05-06 01:49:29.780000+00:00\n", + " VictimHost\n", + " 2020-05-06 01:49:29.000\n", + " auth\n", + " VictimHost\n", + " info\n", + " Invalid user admin from 46.148.21.32 port 55894\n", + " 25968.0\n", + " 10.0.0.7\n", + " sshd\n", + " 00000000-0000-0000-0000-000000000002\n", + " Syslog\n", + " /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros...\n", + " Failure\n", + " admin\n", + " (sshd)\n", + " 46.148.21.32\n", + " 55894.0\n", + " NaN\n", + " NaN\n", + " admin\n", + " sshd\n", + " admin\n", + " Linux\n", + " Logon-Failure\n", + " \n", + " \n", + " 73\n", + " 73\n", + " b1315f05-4a7a-45b4-811f-73e715f7c122\n", + " Linux\n", + " 2020-05-06 01:49:30.043000+00:00\n", + " VictimHost\n", + " 2020-05-06 01:49:30.000\n", + " auth\n", + " VictimHost\n", + " info\n", + " Connection closed by invalid user admin 46.148.21.32 port 
55894 [preauth]\n", + " 25968.0\n", + " 10.0.0.7\n", + " sshd\n", + " 00000000-0000-0000-0000-000000000002\n", + " Syslog\n", + " /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros...\n", + " Failure\n", + " admin\n", + " (sshd)\n", + " 46.148.21.32\n", + " 55894.0\n", + " NaN\n", + " invalid\n", + " admin\n", + " sshd\n", + " admin\n", + " Linux\n", + " Logon-Failure\n", + " \n", + " \n", + " 74\n", + " 74\n", + " b1315f05-4a7a-45b4-811f-73e715f7c122\n", + " Linux\n", + " 2020-05-06 01:58:13.857000+00:00\n", + " VictimHost\n", + " 2020-05-06 01:58:13.000\n", + " auth\n", + " VictimHost\n", + " info\n", + " Connection closed by authenticating user root 46.148.21.32 port 38956 [preauth]\n", + " 27009.0\n", + " 10.0.0.7\n", + " sshd\n", + " 00000000-0000-0000-0000-000000000002\n", + " Syslog\n", + " /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros...\n", + " Failure\n", + " root\n", + " (sshd)\n", + " 46.148.21.32\n", + " 38956.0\n", + " NaN\n", + " authenticating\n", + " root\n", + " sshd\n", + " root\n", + " Linux\n", + " Logon-Failure\n", + " \n", + " \n", + " 0\n", + " 0\n", + " b1315f05-4a7a-45b4-811f-73e715f7c122\n", + " Linux\n", + " 2020-05-06 02:02:18.700000+00:00\n", + " VictimHost\n", + " 2020-05-06 02:02:18.000\n", + " auth\n", + " VictimHost\n", + " info\n", + " Received signal 15 terminating.\n", + " 1382.0\n", + " 10.0.0.7\n", + " sshd\n", + " 00000000-0000-0000-0000-000000000002\n", + " Syslog\n", + " /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros...\n", + " Unknown\n", + " NaN\n", + " (sshd)\n", + " NaN\n", + " NaN\n", + " NaN\n", + " NaN\n", + " NaN\n", + " sshd\n", + " NaN\n", + " Linux\n", + " Logon-Unknown\n", " \n", " \n", "\n", - "

61 rows × 118 columns

\n", "" ], "text/plain": [ - " TenantId SourceSystem \\\n", - "35 c9472277-d7f0-4af1-8d14-c27ba5d96716 OfficeActivityManager \n", - "32 c9472277-d7f0-4af1-8d14-c27ba5d96716 OfficeActivityManager \n", - "59 c9472277-d7f0-4af1-8d14-c27ba5d96716 OfficeActivityManager \n", - "41 c9472277-d7f0-4af1-8d14-c27ba5d96716 OfficeActivityManager \n", - "43 c9472277-d7f0-4af1-8d14-c27ba5d96716 OfficeActivityManager \n", - "48 c9472277-d7f0-4af1-8d14-c27ba5d96716 OfficeActivityManager \n", - "39 c9472277-d7f0-4af1-8d14-c27ba5d96716 OfficeActivityManager \n", - "51 c9472277-d7f0-4af1-8d14-c27ba5d96716 OfficeActivityManager \n", - "40 c9472277-d7f0-4af1-8d14-c27ba5d96716 OfficeActivityManager \n", - "56 c9472277-d7f0-4af1-8d14-c27ba5d96716 OfficeActivityManager \n", - "47 c9472277-d7f0-4af1-8d14-c27ba5d96716 OfficeActivityManager \n", - "38 c9472277-d7f0-4af1-8d14-c27ba5d96716 OfficeActivityManager \n", - "31 c9472277-d7f0-4af1-8d14-c27ba5d96716 OfficeActivityManager \n", - "46 c9472277-d7f0-4af1-8d14-c27ba5d96716 OfficeActivityManager \n", - "50 c9472277-d7f0-4af1-8d14-c27ba5d96716 OfficeActivityManager \n", - "60 c9472277-d7f0-4af1-8d14-c27ba5d96716 OfficeActivityManager \n", - "58 c9472277-d7f0-4af1-8d14-c27ba5d96716 OfficeActivityManager \n", - "53 c9472277-d7f0-4af1-8d14-c27ba5d96716 OfficeActivityManager \n", - "55 c9472277-d7f0-4af1-8d14-c27ba5d96716 OfficeActivityManager \n", - "37 c9472277-d7f0-4af1-8d14-c27ba5d96716 OfficeActivityManager \n", - "45 c9472277-d7f0-4af1-8d14-c27ba5d96716 OfficeActivityManager \n", - "42 c9472277-d7f0-4af1-8d14-c27ba5d96716 OfficeActivityManager \n", - "52 c9472277-d7f0-4af1-8d14-c27ba5d96716 OfficeActivityManager \n", - "49 c9472277-d7f0-4af1-8d14-c27ba5d96716 OfficeActivityManager \n", - "54 c9472277-d7f0-4af1-8d14-c27ba5d96716 OfficeActivityManager \n", - "36 c9472277-d7f0-4af1-8d14-c27ba5d96716 OfficeActivityManager \n", - "44 c9472277-d7f0-4af1-8d14-c27ba5d96716 OfficeActivityManager \n", - "34 c9472277-d7f0-4af1-8d14-c27ba5d96716 
OfficeActivityManager \n", - "57 c9472277-d7f0-4af1-8d14-c27ba5d96716 OfficeActivityManager \n", - "33 c9472277-d7f0-4af1-8d14-c27ba5d96716 OfficeActivityManager \n", - "24 c9472277-d7f0-4af1-8d14-c27ba5d96716 OfficeActivityManager \n", - "20 c9472277-d7f0-4af1-8d14-c27ba5d96716 OfficeActivityManager \n", - "15 c9472277-d7f0-4af1-8d14-c27ba5d96716 OfficeActivityManager \n", - "8 c9472277-d7f0-4af1-8d14-c27ba5d96716 OfficeActivityManager \n", - "9 c9472277-d7f0-4af1-8d14-c27ba5d96716 OfficeActivityManager \n", - "12 c9472277-d7f0-4af1-8d14-c27ba5d96716 OfficeActivityManager \n", - "19 c9472277-d7f0-4af1-8d14-c27ba5d96716 OfficeActivityManager \n", - "4 c9472277-d7f0-4af1-8d14-c27ba5d96716 OfficeActivityManager \n", - "6 c9472277-d7f0-4af1-8d14-c27ba5d96716 OfficeActivityManager \n", - "2 c9472277-d7f0-4af1-8d14-c27ba5d96716 OfficeActivityManager \n", - "16 c9472277-d7f0-4af1-8d14-c27ba5d96716 OfficeActivityManager \n", - "0 c9472277-d7f0-4af1-8d14-c27ba5d96716 OfficeActivityManager \n", - "27 c9472277-d7f0-4af1-8d14-c27ba5d96716 OfficeActivityManager \n", - "25 c9472277-d7f0-4af1-8d14-c27ba5d96716 OfficeActivityManager \n", - "23 c9472277-d7f0-4af1-8d14-c27ba5d96716 OfficeActivityManager \n", - "21 c9472277-d7f0-4af1-8d14-c27ba5d96716 OfficeActivityManager \n", - "18 c9472277-d7f0-4af1-8d14-c27ba5d96716 OfficeActivityManager \n", - "3 c9472277-d7f0-4af1-8d14-c27ba5d96716 OfficeActivityManager \n", - "7 c9472277-d7f0-4af1-8d14-c27ba5d96716 OfficeActivityManager \n", - "11 c9472277-d7f0-4af1-8d14-c27ba5d96716 OfficeActivityManager \n", - "22 c9472277-d7f0-4af1-8d14-c27ba5d96716 OfficeActivityManager \n", - "14 c9472277-d7f0-4af1-8d14-c27ba5d96716 OfficeActivityManager \n", - "1 c9472277-d7f0-4af1-8d14-c27ba5d96716 OfficeActivityManager \n", - "5 c9472277-d7f0-4af1-8d14-c27ba5d96716 OfficeActivityManager \n", - "30 c9472277-d7f0-4af1-8d14-c27ba5d96716 OfficeActivityManager \n", - "29 c9472277-d7f0-4af1-8d14-c27ba5d96716 OfficeActivityManager \n", - "17 
c9472277-d7f0-4af1-8d14-c27ba5d96716 OfficeActivityManager \n", - "26 c9472277-d7f0-4af1-8d14-c27ba5d96716 OfficeActivityManager \n", - "10 c9472277-d7f0-4af1-8d14-c27ba5d96716 OfficeActivityManager \n", - "28 c9472277-d7f0-4af1-8d14-c27ba5d96716 OfficeActivityManager \n", - "13 c9472277-d7f0-4af1-8d14-c27ba5d96716 OfficeActivityManager \n", - "\n", - " TimeGenerated \\\n", - "35 2020-07-28 12:43:24+00:00 \n", - "32 2020-07-28 12:43:24+00:00 \n", - "59 2020-07-28 12:43:24+00:00 \n", - "41 2020-07-28 12:43:24+00:00 \n", - "43 2020-07-28 12:43:24+00:00 \n", - "48 2020-07-28 12:43:24+00:00 \n", - "39 2020-07-28 12:43:24+00:00 \n", - "51 2020-07-28 12:43:24+00:00 \n", - "40 2020-07-28 12:43:25+00:00 \n", - "56 2020-07-28 12:43:25+00:00 \n", - "47 2020-07-28 12:43:25+00:00 \n", - "38 2020-07-28 12:43:26+00:00 \n", - "31 2020-07-28 12:43:26+00:00 \n", - "46 2020-07-28 12:43:26+00:00 \n", - "50 2020-07-28 12:43:26+00:00 \n", - "60 2020-07-28 12:43:26+00:00 \n", - "58 2020-07-28 12:43:26+00:00 \n", - "53 2020-07-28 12:43:26+00:00 \n", - "55 2020-07-28 12:43:26+00:00 \n", - "37 2020-07-28 12:43:27+00:00 \n", - "45 2020-07-28 12:43:27+00:00 \n", - "42 2020-07-28 12:43:32+00:00 \n", - "52 2020-07-28 12:43:32+00:00 \n", - "49 2020-07-28 12:43:32+00:00 \n", - "54 2020-07-28 12:43:32+00:00 \n", - "36 2020-07-28 12:43:32+00:00 \n", - "44 2020-07-28 12:43:32+00:00 \n", - "34 2020-07-28 12:43:32+00:00 \n", - "57 2020-07-28 12:43:32+00:00 \n", - "33 2020-07-28 12:43:39+00:00 \n", - "24 2020-07-29 12:43:45+00:00 \n", - "20 2020-07-29 12:43:46+00:00 \n", - "15 2020-07-29 12:43:46+00:00 \n", - "8 2020-07-29 12:43:46+00:00 \n", - "9 2020-07-29 12:43:46+00:00 \n", - "12 2020-07-29 12:43:46+00:00 \n", - "19 2020-07-29 12:43:46+00:00 \n", - "4 2020-07-29 12:43:46+00:00 \n", - "6 2020-07-29 12:43:47+00:00 \n", - "2 2020-07-29 12:43:47+00:00 \n", - "16 2020-07-29 12:43:47+00:00 \n", - "0 2020-07-29 12:43:48+00:00 \n", - "27 2020-07-29 12:43:48+00:00 \n", - "25 2020-07-29 12:43:48+00:00 \n", 
- "23 2020-07-29 12:43:48+00:00 \n", - "21 2020-07-29 12:43:48+00:00 \n", - "18 2020-07-29 12:43:48+00:00 \n", - "3 2020-07-29 12:43:48+00:00 \n", - "7 2020-07-29 12:43:48+00:00 \n", - "11 2020-07-29 12:43:48+00:00 \n", - "22 2020-07-29 12:43:49+00:00 \n", - "14 2020-07-29 12:43:52+00:00 \n", - "1 2020-07-29 12:43:52+00:00 \n", - "5 2020-07-29 12:43:52+00:00 \n", - "30 2020-07-29 12:43:52+00:00 \n", - "29 2020-07-29 12:43:52+00:00 \n", - "17 2020-07-29 12:43:52+00:00 \n", - "26 2020-07-29 12:43:52+00:00 \n", - "10 2020-07-29 12:43:52+00:00 \n", - "28 2020-07-29 12:43:58+00:00 \n", - "13 2020-07-29 12:44:02+00:00 \n", - "\n", - " ResourceId \\\n", - "35 https://centricaplc.sharepoint.com/sites/adminhub/style%20library/wm.intranet/polyfill/set.js \n", - "32 https://centricaplc.sharepoint.com/sites/intranet/sitecollectionimages/centrica-184-39.gif \n", - "59 https://centricaplc.sharepoint.com/sites/intranet/style%20library/en-us/themable/core%20styles/p... \n", - "41 https://centricaplc.sharepoint.com/sites/adminhub/style%20library/wm.intranet/vendor.css \n", - "43 https://centricaplc.sharepoint.com/sites/adminhub/style%20library/wm.intranet/bundle.css \n", - "48 https://centricaplc.sharepoint.com/sites/intranet/Pages/Home.aspx \n", - "39 https://centricaplc.sharepoint.com/sites/adminhub/style%20library/wm.intranet/bundle.js \n", - "51 https://centricaplc.sharepoint.com/sites/adminhub/style%20library/wm.intranet/vendor.js \n", - "40 https://centricaplc.sharepoint.com/sites/adminhub/style%20library/wm.intranet/images/social-icon... \n", - "56 https://centricaplc.sharepoint.com/sites/adminhub/Style Library/WM.Intranet/fonts/fontawesome-we... \n", - "47 https://centricaplc.sharepoint.com/sites/intranet/spoinsights/aitracker.js \n", - "38 https://centricaplc.sharepoint.com/sites/intranet/publishingimages/coronavirus_hub_rollover_380_... 
\n", - "31 https://centricaplc.sharepoint.com/sites/intranet/publishingimages/chris_th_start_380_77.png \n", - "46 https://centricaplc.sharepoint.com/sites/intranet/publishingimages/2021_gp_start_380_77.png \n", - "50 https://centricaplc.sharepoint.com/sites/intranet/publishingimages/2021_gp_rollover_380_77.png \n", - "60 https://centricaplc.sharepoint.com/sites/adminhub/style%20library/wm.intranet/images/002-sad.png \n", - "58 https://centricaplc.sharepoint.com/sites/adminhub/style%20library/wm.intranet/images/003-surpris... \n", - "53 https://centricaplc.sharepoint.com/sites/intranet/publishingimages/chris_th_rollover_380_77.png \n", - "55 https://centricaplc.sharepoint.com/sites/intranet/publishingimages/coronavirus_hub_start_380_77.png \n", - "37 https://centricaplc-my.sharepoint.com/User Photos/Profile Pictures/amber_heavisides_centrica_com... \n", - "45 https://centricaplc.sharepoint.com/sites/adminhub/style%20library/wm.intranet/images/001-happy.png \n", - "42 https://centricaplc.sharepoint.com/sites/intranet/icons/icon-salesforce-tile-125-125.png \n", - "52 https://centricaplc.sharepoint.com/sites/intranet/centrica%20asset%20library/umind_mylink_logo_1... \n", - "49 https://centricaplc.sharepoint.com/sites/intranet/centrica%20asset%20library/hse.png \n", - "54 https://centricaplc.sharepoint.com/sites/intranet/centrica%20asset%20library/okh_icon_2_120_120.png \n", - "36 https://centricaplc.sharepoint.com/sites/intranet/icons/values-icon-colour-104-104.png \n", - "44 https://centricaplc.sharepoint.com/sites/intranet/centrica%20asset%20library/centrica_c.png \n", - "34 https://centricaplc.sharepoint.com/sites/intranet/icons/code-tile-icon-104-104.png \n", - "57 https://centricaplc.sharepoint.com/sites/intranet/centrica%20asset%20library/direct_energy.png \n", - "33 https://centricaplc.sharepoint.com/sites/allcompany712/Shared Documents/Apps/Yammer/20200715_142... 
\n", - "24 https://centricaplc.sharepoint.com/sites/intranet/Pages/Home.aspx \n", - "20 https://centricaplc.sharepoint.com/sites/intranet/spoinsights/aitracker.js \n", - "15 https://centricaplc.sharepoint.com/sites/adminhub/style%20library/wm.intranet/polyfill/set.js \n", - "8 https://centricaplc.sharepoint.com/sites/adminhub/style%20library/wm.intranet/bundle.css \n", - "9 https://centricaplc.sharepoint.com/sites/adminhub/style%20library/wm.intranet/vendor.css \n", - "12 https://centricaplc.sharepoint.com/sites/intranet/style%20library/en-us/themable/core%20styles/p... \n", - "19 https://centricaplc.sharepoint.com/sites/adminhub/style%20library/wm.intranet/vendor.js \n", - "4 https://centricaplc.sharepoint.com/sites/intranet/sitecollectionimages/centrica-184-39.gif \n", - "6 https://centricaplc.sharepoint.com/sites/adminhub/style%20library/wm.intranet/bundle.js \n", - "2 https://centricaplc.sharepoint.com/sites/adminhub/style%20library/wm.intranet/images/social-icon... \n", - "16 https://centricaplc.sharepoint.com/sites/adminhub/Style Library/WM.Intranet/fonts/fontawesome-we... \n", - "0 https://centricaplc.sharepoint.com/sites/intranet/publishingimages/2021_gp_rollover_380_77.png \n", - "27 https://centricaplc.sharepoint.com/sites/adminhub/style%20library/wm.intranet/images/001-happy.png \n", - "25 https://centricaplc.sharepoint.com/sites/intranet/publishingimages/chris_th_rollover_380_77.png \n", - "23 https://centricaplc.sharepoint.com/sites/intranet/publishingimages/chris_th_start_380_77.png \n", - "21 https://centricaplc.sharepoint.com/sites/intranet/publishingimages/2021_gp_start_380_77.png \n", - "18 https://centricaplc.sharepoint.com/sites/adminhub/style%20library/wm.intranet/images/003-surpris... \n", - "3 https://centricaplc.sharepoint.com/sites/intranet/publishingimages/coronavirus_hub_start_380_77.png \n", - "7 https://centricaplc.sharepoint.com/sites/intranet/publishingimages/coronavirus_hub_rollover_380_... 
\n", - "11 https://centricaplc.sharepoint.com/sites/adminhub/style%20library/wm.intranet/images/002-sad.png \n", - "22 https://centricaplc-my.sharepoint.com/User Photos/Profile Pictures/amber_heavisides_centrica_com... \n", - "14 https://centricaplc.sharepoint.com/sites/intranet/centrica%20asset%20library/hse.png \n", - "1 https://centricaplc.sharepoint.com/sites/intranet/icons/values-icon-colour-104-104.png \n", - "5 https://centricaplc.sharepoint.com/sites/intranet/centrica%20asset%20library/okh_icon_2_120_120.png \n", - "30 https://centricaplc.sharepoint.com/sites/intranet/icons/icon-salesforce-tile-125-125.png \n", - "29 https://centricaplc.sharepoint.com/sites/intranet/centrica%20asset%20library/direct_energy.png \n", - "17 https://centricaplc.sharepoint.com/sites/intranet/centrica%20asset%20library/centrica_c.png \n", - "26 https://centricaplc.sharepoint.com/sites/intranet/centrica%20asset%20library/umind_mylink_logo_1... \n", - "10 https://centricaplc.sharepoint.com/sites/intranet/icons/code-tile-icon-104-104.png \n", - "28 https://centricaplc.sharepoint.com/sites/adminhub/takeover%20banner%20images/home_insurance_bann... \n", - "13 https://centricaplc.sharepoint.com/sites/allcompany712/Shared Documents/Apps/Yammer/applet movin... 
\n", - "\n", - " Operation AppResourceProvider IPAddress \\\n", - "35 FileAccessed SharePoint 165.225.221.49 \n", - "32 FileAccessed SharePoint 165.225.221.49 \n", - "59 FileAccessed SharePoint 165.225.221.49 \n", - "41 FileAccessed SharePoint 165.225.221.49 \n", - "43 FileAccessed SharePoint 165.225.221.49 \n", - "48 PageViewed SharePoint 165.225.221.49 \n", - "39 FileAccessed SharePoint 165.225.221.49 \n", - "51 FileAccessed SharePoint 165.225.221.49 \n", - "40 FileAccessed SharePoint 165.225.221.49 \n", - "56 FileAccessed SharePoint 165.225.221.49 \n", - "47 FileAccessed SharePoint 165.225.221.49 \n", - "38 FileAccessed SharePoint 165.225.221.49 \n", - "31 FileAccessed SharePoint 165.225.221.49 \n", - "46 FileAccessed SharePoint 165.225.221.49 \n", - "50 FileAccessed SharePoint 165.225.221.49 \n", - "60 FileAccessed SharePoint 165.225.221.49 \n", - "58 FileAccessed SharePoint 165.225.221.49 \n", - "53 FileAccessed SharePoint 165.225.221.49 \n", - "55 FileAccessed SharePoint 165.225.221.49 \n", - "37 FileAccessed SharePoint 165.225.221.49 \n", - "45 FileAccessed SharePoint 165.225.221.49 \n", - "42 FileAccessed SharePoint 165.225.221.49 \n", - "52 FileAccessed SharePoint 165.225.221.49 \n", - "49 FileAccessed SharePoint 165.225.221.49 \n", - "54 FileAccessed SharePoint 165.225.221.49 \n", - "36 FileAccessed SharePoint 165.225.221.49 \n", - "44 FileAccessed SharePoint 165.225.221.49 \n", - "34 FileAccessed SharePoint 165.225.221.49 \n", - "57 FileAccessed SharePoint 165.225.221.49 \n", - "33 FilePreviewed SharePoint 13.89.136.240 \n", - "24 PageViewed SharePoint 165.225.221.35 \n", - "20 FileAccessed SharePoint 165.225.221.35 \n", - "15 FileAccessed SharePoint 165.225.221.35 \n", - "8 FileAccessed SharePoint 165.225.221.35 \n", - "9 FileAccessed SharePoint 165.225.221.35 \n", - "12 FileAccessed SharePoint 165.225.221.35 \n", - "19 FileAccessed SharePoint 165.225.221.35 \n", - "4 FileAccessed SharePoint 165.225.221.35 \n", - "6 FileAccessed SharePoint 
165.225.221.35 \n", - "2 FileAccessed SharePoint 165.225.221.35 \n", - "16 FileAccessed SharePoint 165.225.221.35 \n", - "0 FileAccessed SharePoint 165.225.221.35 \n", - "27 FileAccessed SharePoint 165.225.221.35 \n", - "25 FileAccessed SharePoint 165.225.221.35 \n", - "23 FileAccessed SharePoint 165.225.221.35 \n", - "21 FileAccessed SharePoint 165.225.221.35 \n", - "18 FileAccessed SharePoint 165.225.221.35 \n", - "3 FileAccessed SharePoint 165.225.221.35 \n", - "7 FileAccessed SharePoint 165.225.221.35 \n", - "11 FileAccessed SharePoint 165.225.221.35 \n", - "22 FileAccessed SharePoint 165.225.221.35 \n", - "14 FileAccessed SharePoint 165.225.221.35 \n", - "1 FileAccessed SharePoint 165.225.221.35 \n", - "5 FileAccessed SharePoint 165.225.221.35 \n", - "30 FileAccessed SharePoint 165.225.221.35 \n", - "29 FileAccessed SharePoint 165.225.221.35 \n", - "17 FileAccessed SharePoint 165.225.221.35 \n", - "26 FileAccessed SharePoint 165.225.221.35 \n", - "10 FileAccessed SharePoint 165.225.221.35 \n", - "28 FileAccessed SharePoint 165.225.221.35 \n", - "13 FileAccessed SharePoint 165.225.221.35 \n", + " Unnamed: 0 TenantId SourceSystem \\\n", + "1 1 b1315f05-4a7a-45b4-811f-73e715f7c122 Linux \n", + "2 2 b1315f05-4a7a-45b4-811f-73e715f7c122 Linux \n", + "3 3 b1315f05-4a7a-45b4-811f-73e715f7c122 Linux \n", + "4 4 b1315f05-4a7a-45b4-811f-73e715f7c122 Linux \n", + "5 5 b1315f05-4a7a-45b4-811f-73e715f7c122 Linux \n", + "6 6 b1315f05-4a7a-45b4-811f-73e715f7c122 Linux \n", + "7 7 b1315f05-4a7a-45b4-811f-73e715f7c122 Linux \n", + "8 8 b1315f05-4a7a-45b4-811f-73e715f7c122 Linux \n", + "9 9 b1315f05-4a7a-45b4-811f-73e715f7c122 Linux \n", + "10 10 b1315f05-4a7a-45b4-811f-73e715f7c122 Linux \n", + "11 11 b1315f05-4a7a-45b4-811f-73e715f7c122 Linux \n", + "12 12 b1315f05-4a7a-45b4-811f-73e715f7c122 Linux \n", + "13 13 b1315f05-4a7a-45b4-811f-73e715f7c122 Linux \n", + "14 14 b1315f05-4a7a-45b4-811f-73e715f7c122 Linux \n", + "15 15 b1315f05-4a7a-45b4-811f-73e715f7c122 Linux \n", + 
"16 16 b1315f05-4a7a-45b4-811f-73e715f7c122 Linux \n", + "17 17 b1315f05-4a7a-45b4-811f-73e715f7c122 Linux \n", + "18 18 b1315f05-4a7a-45b4-811f-73e715f7c122 Linux \n", + "19 19 b1315f05-4a7a-45b4-811f-73e715f7c122 Linux \n", + "20 20 b1315f05-4a7a-45b4-811f-73e715f7c122 Linux \n", + "21 21 b1315f05-4a7a-45b4-811f-73e715f7c122 Linux \n", + "22 22 b1315f05-4a7a-45b4-811f-73e715f7c122 Linux \n", + "23 23 b1315f05-4a7a-45b4-811f-73e715f7c122 Linux \n", + "24 24 b1315f05-4a7a-45b4-811f-73e715f7c122 Linux \n", + "25 25 b1315f05-4a7a-45b4-811f-73e715f7c122 Linux \n", + "26 26 b1315f05-4a7a-45b4-811f-73e715f7c122 Linux \n", + "27 27 b1315f05-4a7a-45b4-811f-73e715f7c122 Linux \n", + "28 28 b1315f05-4a7a-45b4-811f-73e715f7c122 Linux \n", + "29 29 b1315f05-4a7a-45b4-811f-73e715f7c122 Linux \n", + "30 30 b1315f05-4a7a-45b4-811f-73e715f7c122 Linux \n", + "31 31 b1315f05-4a7a-45b4-811f-73e715f7c122 Linux \n", + "32 32 b1315f05-4a7a-45b4-811f-73e715f7c122 Linux \n", + "33 33 b1315f05-4a7a-45b4-811f-73e715f7c122 Linux \n", + "34 34 b1315f05-4a7a-45b4-811f-73e715f7c122 Linux \n", + "35 35 b1315f05-4a7a-45b4-811f-73e715f7c122 Linux \n", + "36 36 b1315f05-4a7a-45b4-811f-73e715f7c122 Linux \n", + "37 37 b1315f05-4a7a-45b4-811f-73e715f7c122 Linux \n", + "38 38 b1315f05-4a7a-45b4-811f-73e715f7c122 Linux \n", + "39 39 b1315f05-4a7a-45b4-811f-73e715f7c122 Linux \n", + "40 40 b1315f05-4a7a-45b4-811f-73e715f7c122 Linux \n", + "41 41 b1315f05-4a7a-45b4-811f-73e715f7c122 Linux \n", + "42 42 b1315f05-4a7a-45b4-811f-73e715f7c122 Linux \n", + "43 43 b1315f05-4a7a-45b4-811f-73e715f7c122 Linux \n", + "44 44 b1315f05-4a7a-45b4-811f-73e715f7c122 Linux \n", + "45 45 b1315f05-4a7a-45b4-811f-73e715f7c122 Linux \n", + "46 46 b1315f05-4a7a-45b4-811f-73e715f7c122 Linux \n", + "47 47 b1315f05-4a7a-45b4-811f-73e715f7c122 Linux \n", + "48 48 b1315f05-4a7a-45b4-811f-73e715f7c122 Linux \n", + "49 49 b1315f05-4a7a-45b4-811f-73e715f7c122 Linux \n", + "50 50 b1315f05-4a7a-45b4-811f-73e715f7c122 Linux \n", + "51 
51 b1315f05-4a7a-45b4-811f-73e715f7c122 Linux \n", + "52 52 b1315f05-4a7a-45b4-811f-73e715f7c122 Linux \n", + "53 53 b1315f05-4a7a-45b4-811f-73e715f7c122 Linux \n", + "54 54 b1315f05-4a7a-45b4-811f-73e715f7c122 Linux \n", + "55 55 b1315f05-4a7a-45b4-811f-73e715f7c122 Linux \n", + "56 56 b1315f05-4a7a-45b4-811f-73e715f7c122 Linux \n", + "57 57 b1315f05-4a7a-45b4-811f-73e715f7c122 Linux \n", + "58 58 b1315f05-4a7a-45b4-811f-73e715f7c122 Linux \n", + "59 59 b1315f05-4a7a-45b4-811f-73e715f7c122 Linux \n", + "60 60 b1315f05-4a7a-45b4-811f-73e715f7c122 Linux \n", + "61 61 b1315f05-4a7a-45b4-811f-73e715f7c122 Linux \n", + "62 62 b1315f05-4a7a-45b4-811f-73e715f7c122 Linux \n", + "63 63 b1315f05-4a7a-45b4-811f-73e715f7c122 Linux \n", + "64 64 b1315f05-4a7a-45b4-811f-73e715f7c122 Linux \n", + "65 65 b1315f05-4a7a-45b4-811f-73e715f7c122 Linux \n", + "66 66 b1315f05-4a7a-45b4-811f-73e715f7c122 Linux \n", + "67 67 b1315f05-4a7a-45b4-811f-73e715f7c122 Linux \n", + "68 68 b1315f05-4a7a-45b4-811f-73e715f7c122 Linux \n", + "69 69 b1315f05-4a7a-45b4-811f-73e715f7c122 Linux \n", + "70 70 b1315f05-4a7a-45b4-811f-73e715f7c122 Linux \n", + "71 71 b1315f05-4a7a-45b4-811f-73e715f7c122 Linux \n", + "72 72 b1315f05-4a7a-45b4-811f-73e715f7c122 Linux \n", + "73 73 b1315f05-4a7a-45b4-811f-73e715f7c122 Linux \n", + "74 74 b1315f05-4a7a-45b4-811f-73e715f7c122 Linux \n", + "0 0 b1315f05-4a7a-45b4-811f-73e715f7c122 Linux \n", "\n", - " UserAgent \\\n", - "35 irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo \n", - "32 irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo \n", - "59 irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo \n", - "41 irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo \n", - "43 irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo \n", - "48 irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo \n", - "39 irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk 
lkdjo \n", - "51 irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo \n", - "40 irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo \n", - "56 irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo \n", - "47 irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo \n", - "38 irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo \n", - "31 irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo \n", - "46 irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo \n", - "50 irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo \n", - "60 irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo \n", - "58 irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo \n", - "53 irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo \n", - "55 irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo \n", - "37 irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo \n", - "45 irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo \n", - "42 irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo \n", - "52 irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo \n", - "49 irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo \n", - "54 irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo \n", - "36 irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo \n", - "44 irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo \n", - "34 irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo \n", - "57 irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo \n", - "33 akpeippj (faeccpibdbierfjcmrpckokm) \n", - "24 irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo \n", - "20 irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo 
\n", - "15 irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo \n", - "8 irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo \n", - "9 irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo \n", - "12 irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo \n", - "19 irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo \n", - "4 irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo \n", - "6 irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo \n", - "2 irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo \n", - "16 irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo \n", - "0 irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo \n", - "27 irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo \n", - "25 irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo \n", - "23 irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo \n", - "21 irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo \n", - "18 irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo \n", - "3 irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo \n", - "7 irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo \n", - "11 irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo \n", - "22 irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo \n", - "14 irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo \n", - "1 irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo \n", - "5 irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo \n", - "30 irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo \n", - "29 irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo \n", - "17 irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj 
qronr.n) cabk lkdjo \n", - "26 irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo \n", - "10 irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo \n", - "28 irrjlpa/e.n (dnrqiko ff ma.fj odbaib pjcirnb/p.fj qronr.n) cabk lkdjo \n", - "13 aeoeecblecnaklnndkojpqfnlmrrlap/o.n \n", + " TimeGenerated Computer EventTime \\\n", + "1 2020-05-06 00:09:41.080000+00:00 VictimHost 2020-05-06 00:09:41.000 \n", + "2 2020-05-06 00:13:53.010000+00:00 VictimHost 2020-05-06 00:13:53.000 \n", + "3 2020-05-06 00:13:53.013000+00:00 VictimHost 2020-05-06 00:13:53.000 \n", + "4 2020-05-06 00:13:53.430000+00:00 VictimHost 2020-05-06 00:13:53.000 \n", + "5 2020-05-06 00:13:53.570000+00:00 VictimHost 2020-05-06 00:13:53.000 \n", + "6 2020-05-06 00:14:05.760000+00:00 VictimHost 2020-05-06 00:14:05.000 \n", + "7 2020-05-06 00:14:05.760000+00:00 VictimHost 2020-05-06 00:14:05.000 \n", + "8 2020-05-06 00:14:05.760000+00:00 VictimHost 2020-05-06 00:14:05.000 \n", + "9 2020-05-06 00:14:05.767000+00:00 VictimHost 2020-05-06 00:14:05.000 \n", + "10 2020-05-06 00:14:15.680000+00:00 VictimHost 2020-05-06 00:14:15.000 \n", + "11 2020-05-06 00:14:15.680000+00:00 VictimHost 2020-05-06 00:14:15.000 \n", + "12 2020-05-06 00:14:15.707000+00:00 VictimHost 2020-05-06 00:14:15.000 \n", + "13 2020-05-06 00:14:15.710000+00:00 VictimHost 2020-05-06 00:14:15.000 \n", + "14 2020-05-06 00:40:17.680000+00:00 VictimHost 2020-05-06 00:40:17.000 \n", + "15 2020-05-06 00:40:20.593000+00:00 VictimHost 2020-05-06 00:40:20.000 \n", + "16 2020-05-06 00:40:20.777000+00:00 VictimHost 2020-05-06 00:40:20.000 \n", + "17 2020-05-06 00:40:23.880000+00:00 VictimHost 2020-05-06 00:40:23.000 \n", + "18 2020-05-06 00:40:24.070000+00:00 VictimHost 2020-05-06 00:40:24.000 \n", + "19 2020-05-06 00:40:25.963000+00:00 VictimHost 2020-05-06 00:40:25.000 \n", + "20 2020-05-06 00:40:28.087000+00:00 VictimHost 2020-05-06 00:40:28.000 \n", + "21 2020-05-06 00:40:28.383000+00:00 VictimHost 2020-05-06 
00:40:28.000 \n", + "22 2020-05-06 00:40:30.043000+00:00 VictimHost 2020-05-06 00:40:30.000 \n", + "23 2020-05-06 00:40:30.287000+00:00 VictimHost 2020-05-06 00:40:30.000 \n", + "24 2020-05-06 00:40:31.713000+00:00 VictimHost 2020-05-06 00:40:31.000 \n", + "25 2020-05-06 00:40:31.837000+00:00 VictimHost 2020-05-06 00:40:31.000 \n", + "26 2020-05-06 00:40:34.370000+00:00 VictimHost 2020-05-06 00:40:34.000 \n", + "27 2020-05-06 00:40:34.887000+00:00 VictimHost 2020-05-06 00:40:34.000 \n", + "28 2020-05-06 00:40:38.300000+00:00 VictimHost 2020-05-06 00:40:38.000 \n", + "29 2020-05-06 00:40:40.770000+00:00 VictimHost 2020-05-06 00:40:40.000 \n", + "30 2020-05-06 00:40:41.157000+00:00 VictimHost 2020-05-06 00:40:41.000 \n", + "31 2020-05-06 00:40:43.957000+00:00 VictimHost 2020-05-06 00:40:43.000 \n", + "32 2020-05-06 00:40:44.110000+00:00 VictimHost 2020-05-06 00:40:44.000 \n", + "33 2020-05-06 00:40:47.280000+00:00 VictimHost 2020-05-06 00:40:47.000 \n", + "34 2020-05-06 00:40:47.370000+00:00 VictimHost 2020-05-06 00:40:47.000 \n", + "35 2020-05-06 00:43:34.333000+00:00 VictimHost 2020-05-06 00:43:34.000 \n", + "36 2020-05-06 00:43:40.020000+00:00 VictimHost 2020-05-06 00:43:40.000 \n", + "37 2020-05-06 00:43:40.947000+00:00 VictimHost 2020-05-06 00:43:40.000 \n", + "38 2020-05-06 00:43:41+00:00 VictimHost 2020-05-06 00:43:40.000 \n", + "39 2020-05-06 00:43:41.627000+00:00 VictimHost 2020-05-06 00:43:41.000 \n", + "40 2020-05-06 00:43:42.977000+00:00 VictimHost 2020-05-06 00:43:42.000 \n", + "41 2020-05-06 01:06:54.183000+00:00 VictimHost 2020-05-06 01:06:54.000 \n", + "42 2020-05-06 01:06:58.913000+00:00 VictimHost 2020-05-06 01:06:58.000 \n", + "43 2020-05-06 01:11:44.543000+00:00 VictimHost 2020-05-06 01:11:44.000 \n", + "44 2020-05-06 01:11:44.757000+00:00 VictimHost 2020-05-06 01:11:44.000 \n", + "45 2020-05-06 01:39:51.600000+00:00 VictimHost 2020-05-06 01:39:51.000 \n", + "46 2020-05-06 01:39:51.827000+00:00 VictimHost 2020-05-06 01:39:51.000 \n", + "47 
2020-05-06 01:44:45.127000+00:00 VictimHost 2020-05-06 01:44:45.000 \n", + "48 2020-05-06 01:44:45.327000+00:00 VictimHost 2020-05-06 01:44:45.000 \n", + "49 2020-05-06 01:44:45.327000+00:00 VictimHost 2020-05-06 01:44:45.000 \n", + "50 2020-05-06 01:48:17.787000+00:00 VictimHost 2020-05-06 01:48:17.000 \n", + "51 2020-05-06 01:48:17.933000+00:00 VictimHost 2020-05-06 01:48:17.000 \n", + "52 2020-05-06 01:48:19.660000+00:00 VictimHost 2020-05-06 01:48:19.000 \n", + "53 2020-05-06 01:48:19.813000+00:00 VictimHost 2020-05-06 01:48:19.000 \n", + "54 2020-05-06 01:48:21.860000+00:00 VictimHost 2020-05-06 01:48:21.000 \n", + "55 2020-05-06 01:48:21.950000+00:00 VictimHost 2020-05-06 01:48:21.000 \n", + "56 2020-05-06 01:48:24.507000+00:00 VictimHost 2020-05-06 01:48:24.000 \n", + "57 2020-05-06 01:48:25.070000+00:00 VictimHost 2020-05-06 01:48:25.000 \n", + "58 2020-05-06 01:48:26.747000+00:00 VictimHost 2020-05-06 01:48:26.000 \n", + "59 2020-05-06 01:48:28.267000+00:00 VictimHost 2020-05-06 01:48:28.000 \n", + "60 2020-05-06 01:48:28.383000+00:00 VictimHost 2020-05-06 01:48:28.000 \n", + "61 2020-05-06 01:48:29.807000+00:00 VictimHost 2020-05-06 01:48:29.000 \n", + "62 2020-05-06 01:48:29.977000+00:00 VictimHost 2020-05-06 01:48:29.000 \n", + "63 2020-05-06 01:48:32.097000+00:00 VictimHost 2020-05-06 01:48:32.000 \n", + "64 2020-05-06 01:48:35.093000+00:00 VictimHost 2020-05-06 01:48:35.000 \n", + "65 2020-05-06 01:48:35.437000+00:00 VictimHost 2020-05-06 01:48:35.000 \n", + "66 2020-05-06 01:48:37.563000+00:00 VictimHost 2020-05-06 01:48:37.000 \n", + "67 2020-05-06 01:48:37.660000+00:00 VictimHost 2020-05-06 01:48:37.000 \n", + "68 2020-05-06 01:48:40.037000+00:00 VictimHost 2020-05-06 01:48:40.000 \n", + "69 2020-05-06 01:48:40.123000+00:00 VictimHost 2020-05-06 01:48:40.000 \n", + "70 2020-05-06 01:48:41.557000+00:00 VictimHost 2020-05-06 01:48:41.000 \n", + "71 2020-05-06 01:48:41.643000+00:00 VictimHost 2020-05-06 01:48:41.000 \n", + "72 2020-05-06 
01:49:29.780000+00:00 VictimHost 2020-05-06 01:49:29.000 \n", + "73 2020-05-06 01:49:30.043000+00:00 VictimHost 2020-05-06 01:49:30.000 \n", + "74 2020-05-06 01:58:13.857000+00:00 VictimHost 2020-05-06 01:58:13.000 \n", + "0 2020-05-06 02:02:18.700000+00:00 VictimHost 2020-05-06 02:02:18.000 \n", "\n", - " UserId UserPrincipalName \\\n", - "35 crqerkikpjo@ld.fkaframbemji.pjb crqerkikpjo@ld.fkaframbemji.pjb \n", - "32 crqerkikpjo@ld.fkaframbemji.pjb crqerkikpjo@ld.fkaframbemji.pjb \n", - "59 crqerkikpjo@ld.fkaframbemji.pjb crqerkikpjo@ld.fkaframbemji.pjb \n", - "41 crqerkikpjo@ld.fkaframbemji.pjb crqerkikpjo@ld.fkaframbemji.pjb \n", - "43 crqerkikpjo@ld.fkaframbemji.pjb crqerkikpjo@ld.fkaframbemji.pjb \n", - "48 crqerkikpjo@ld.fkaframbemji.pjb crqerkikpjo@ld.fkaframbemji.pjb \n", - "39 crqerkikpjo@ld.fkaframbemji.pjb crqerkikpjo@ld.fkaframbemji.pjb \n", - "51 crqerkikpjo@ld.fkaframbemji.pjb crqerkikpjo@ld.fkaframbemji.pjb \n", - "40 crqerkikpjo@ld.fkaframbemji.pjb crqerkikpjo@ld.fkaframbemji.pjb \n", - "56 crqerkikpjo@ld.fkaframbemji.pjb crqerkikpjo@ld.fkaframbemji.pjb \n", - "47 crqerkikpjo@ld.fkaframbemji.pjb crqerkikpjo@ld.fkaframbemji.pjb \n", - "38 crqerkikpjo@ld.fkaframbemji.pjb crqerkikpjo@ld.fkaframbemji.pjb \n", - "31 crqerkikpjo@ld.fkaframbemji.pjb crqerkikpjo@ld.fkaframbemji.pjb \n", - "46 crqerkikpjo@ld.fkaframbemji.pjb crqerkikpjo@ld.fkaframbemji.pjb \n", - "50 crqerkikpjo@ld.fkaframbemji.pjb crqerkikpjo@ld.fkaframbemji.pjb \n", - "60 crqerkikpjo@ld.fkaframbemji.pjb crqerkikpjo@ld.fkaframbemji.pjb \n", - "58 crqerkikpjo@ld.fkaframbemji.pjb crqerkikpjo@ld.fkaframbemji.pjb \n", - "53 crqerkikpjo@ld.fkaframbemji.pjb crqerkikpjo@ld.fkaframbemji.pjb \n", - "55 crqerkikpjo@ld.fkaframbemji.pjb crqerkikpjo@ld.fkaframbemji.pjb \n", - "37 crqerkikpjo@ld.fkaframbemji.pjb crqerkikpjo@ld.fkaframbemji.pjb \n", - "45 crqerkikpjo@ld.fkaframbemji.pjb crqerkikpjo@ld.fkaframbemji.pjb \n", - "42 crqerkikpjo@ld.fkaframbemji.pjb crqerkikpjo@ld.fkaframbemji.pjb \n", - "52 
crqerkikpjo@ld.fkaframbemji.pjb crqerkikpjo@ld.fkaframbemji.pjb \n", - "49 crqerkikpjo@ld.fkaframbemji.pjb crqerkikpjo@ld.fkaframbemji.pjb \n", - "54 crqerkikpjo@ld.fkaframbemji.pjb crqerkikpjo@ld.fkaframbemji.pjb \n", - "36 crqerkikpjo@ld.fkaframbemji.pjb crqerkikpjo@ld.fkaframbemji.pjb \n", - "44 crqerkikpjo@ld.fkaframbemji.pjb crqerkikpjo@ld.fkaframbemji.pjb \n", - "34 crqerkikpjo@ld.fkaframbemji.pjb crqerkikpjo@ld.fkaframbemji.pjb \n", - "57 crqerkikpjo@ld.fkaframbemji.pjb crqerkikpjo@ld.fkaframbemji.pjb \n", - "33 crqerkikpjo@ld.fkaframbemji.pjb crqerkikpjo@ld.fkaframbemji.pjb \n", - "24 crqerkikpjo@ld.fkaframbemji.pjb crqerkikpjo@ld.fkaframbemji.pjb \n", - "20 crqerkikpjo@ld.fkaframbemji.pjb crqerkikpjo@ld.fkaframbemji.pjb \n", - "15 crqerkikpjo@ld.fkaframbemji.pjb crqerkikpjo@ld.fkaframbemji.pjb \n", - "8 crqerkikpjo@ld.fkaframbemji.pjb crqerkikpjo@ld.fkaframbemji.pjb \n", - "9 crqerkikpjo@ld.fkaframbemji.pjb crqerkikpjo@ld.fkaframbemji.pjb \n", - "12 crqerkikpjo@ld.fkaframbemji.pjb crqerkikpjo@ld.fkaframbemji.pjb \n", - "19 crqerkikpjo@ld.fkaframbemji.pjb crqerkikpjo@ld.fkaframbemji.pjb \n", - "4 crqerkikpjo@ld.fkaframbemji.pjb crqerkikpjo@ld.fkaframbemji.pjb \n", - "6 crqerkikpjo@ld.fkaframbemji.pjb crqerkikpjo@ld.fkaframbemji.pjb \n", - "2 crqerkikpjo@ld.fkaframbemji.pjb crqerkikpjo@ld.fkaframbemji.pjb \n", - "16 crqerkikpjo@ld.fkaframbemji.pjb crqerkikpjo@ld.fkaframbemji.pjb \n", - "0 crqerkikpjo@ld.fkaframbemji.pjb crqerkikpjo@ld.fkaframbemji.pjb \n", - "27 crqerkikpjo@ld.fkaframbemji.pjb crqerkikpjo@ld.fkaframbemji.pjb \n", - "25 crqerkikpjo@ld.fkaframbemji.pjb crqerkikpjo@ld.fkaframbemji.pjb \n", - "23 crqerkikpjo@ld.fkaframbemji.pjb crqerkikpjo@ld.fkaframbemji.pjb \n", - "21 crqerkikpjo@ld.fkaframbemji.pjb crqerkikpjo@ld.fkaframbemji.pjb \n", - "18 crqerkikpjo@ld.fkaframbemji.pjb crqerkikpjo@ld.fkaframbemji.pjb \n", - "3 crqerkikpjo@ld.fkaframbemji.pjb crqerkikpjo@ld.fkaframbemji.pjb \n", - "7 crqerkikpjo@ld.fkaframbemji.pjb 
crqerkikpjo@ld.fkaframbemji.pjb \n", - "11 crqerkikpjo@ld.fkaframbemji.pjb crqerkikpjo@ld.fkaframbemji.pjb \n", - "22 crqerkikpjo@ld.fkaframbemji.pjb crqerkikpjo@ld.fkaframbemji.pjb \n", - "14 crqerkikpjo@ld.fkaframbemji.pjb crqerkikpjo@ld.fkaframbemji.pjb \n", - "1 crqerkikpjo@ld.fkaframbemji.pjb crqerkikpjo@ld.fkaframbemji.pjb \n", - "5 crqerkikpjo@ld.fkaframbemji.pjb crqerkikpjo@ld.fkaframbemji.pjb \n", - "30 crqerkikpjo@ld.fkaframbemji.pjb crqerkikpjo@ld.fkaframbemji.pjb \n", - "29 crqerkikpjo@ld.fkaframbemji.pjb crqerkikpjo@ld.fkaframbemji.pjb \n", - "17 crqerkikpjo@ld.fkaframbemji.pjb crqerkikpjo@ld.fkaframbemji.pjb \n", - "26 crqerkikpjo@ld.fkaframbemji.pjb crqerkikpjo@ld.fkaframbemji.pjb \n", - "10 crqerkikpjo@ld.fkaframbemji.pjb crqerkikpjo@ld.fkaframbemji.pjb \n", - "28 crqerkikpjo@ld.fkaframbemji.pjb crqerkikpjo@ld.fkaframbemji.pjb \n", - "13 crqerkikpjo@ld.fkaframbemji.pjb crqerkikpjo@ld.fkaframbemji.pjb \n", + " Facility HostName SeverityLevel \\\n", + "1 auth VictimHost info \n", + "2 auth VictimHost info \n", + "3 authpriv VictimHost info \n", + "4 auth VictimHost info \n", + "5 authpriv VictimHost info \n", + "6 auth VictimHost info \n", + "7 authpriv VictimHost info \n", + "8 auth VictimHost info \n", + "9 auth VictimHost info \n", + "10 auth VictimHost info \n", + "11 authpriv VictimHost info \n", + "12 authpriv VictimHost info \n", + "13 auth VictimHost info \n", + "14 auth VictimHost info \n", + "15 auth VictimHost info \n", + "16 auth VictimHost info \n", + "17 auth VictimHost info \n", + "18 auth VictimHost info \n", + "19 auth VictimHost info \n", + "20 auth VictimHost info \n", + "21 auth VictimHost info \n", + "22 auth VictimHost info \n", + "23 auth VictimHost info \n", + "24 auth VictimHost info \n", + "25 auth VictimHost info \n", + "26 auth VictimHost info \n", + "27 auth VictimHost info \n", + "28 auth VictimHost info \n", + "29 auth VictimHost info \n", + "30 auth VictimHost info \n", + "31 auth VictimHost info \n", + "32 auth 
VictimHost info \n", + "33 auth VictimHost info \n", + "34 auth VictimHost info \n", + "35 auth VictimHost info \n", + "36 auth VictimHost info \n", + "37 auth VictimHost info \n", + "38 auth VictimHost info \n", + "39 auth VictimHost info \n", + "40 auth VictimHost info \n", + "41 auth VictimHost info \n", + "42 auth VictimHost info \n", + "43 auth VictimHost info \n", + "44 auth VictimHost info \n", + "45 auth VictimHost info \n", + "46 auth VictimHost info \n", + "47 auth VictimHost info \n", + "48 auth VictimHost info \n", + "49 authpriv VictimHost info \n", + "50 auth VictimHost info \n", + "51 auth VictimHost info \n", + "52 auth VictimHost info \n", + "53 auth VictimHost info \n", + "54 auth VictimHost info \n", + "55 auth VictimHost info \n", + "56 auth VictimHost info \n", + "57 auth VictimHost info \n", + "58 auth VictimHost info \n", + "59 auth VictimHost info \n", + "60 auth VictimHost info \n", + "61 auth VictimHost info \n", + "62 auth VictimHost info \n", + "63 auth VictimHost info \n", + "64 auth VictimHost info \n", + "65 auth VictimHost info \n", + "66 auth VictimHost info \n", + "67 auth VictimHost info \n", + "68 auth VictimHost info \n", + "69 auth VictimHost info \n", + "70 auth VictimHost info \n", + "71 auth VictimHost info \n", + "72 auth VictimHost info \n", + "73 auth VictimHost info \n", + "74 auth VictimHost info \n", + "0 auth VictimHost info \n", "\n", - " Type _ResourceId Application UserDomain \\\n", - "35 OfficeActivity \n", - "32 OfficeActivity \n", - "59 OfficeActivity \n", - "41 OfficeActivity \n", - "43 OfficeActivity \n", - "48 OfficeActivity \n", - "39 OfficeActivity \n", - "51 OfficeActivity \n", - "40 OfficeActivity \n", - "56 OfficeActivity \n", - "47 OfficeActivity \n", - "38 OfficeActivity \n", - "31 OfficeActivity \n", - "46 OfficeActivity \n", - "50 OfficeActivity \n", - "60 OfficeActivity \n", - "58 OfficeActivity \n", - "53 OfficeActivity \n", - "55 OfficeActivity \n", - "37 OfficeActivity \n", - "45 OfficeActivity 
\n", - "42 OfficeActivity \n", - "52 OfficeActivity \n", - "49 OfficeActivity \n", - "54 OfficeActivity \n", - "36 OfficeActivity \n", - "44 OfficeActivity \n", - "34 OfficeActivity \n", - "57 OfficeActivity \n", - "33 OfficeActivity \n", - "24 OfficeActivity \n", - "20 OfficeActivity \n", - "15 OfficeActivity \n", - "8 OfficeActivity \n", - "9 OfficeActivity \n", - "12 OfficeActivity \n", - "19 OfficeActivity \n", - "4 OfficeActivity \n", - "6 OfficeActivity \n", - "2 OfficeActivity \n", - "16 OfficeActivity \n", - "0 OfficeActivity \n", - "27 OfficeActivity \n", - "25 OfficeActivity \n", - "23 OfficeActivity \n", - "21 OfficeActivity \n", - "18 OfficeActivity \n", - "3 OfficeActivity \n", - "7 OfficeActivity \n", - "11 OfficeActivity \n", - "22 OfficeActivity \n", - "14 OfficeActivity \n", - "1 OfficeActivity \n", - "5 OfficeActivity \n", - "30 OfficeActivity \n", - "29 OfficeActivity \n", - "17 OfficeActivity \n", - "26 OfficeActivity \n", - "10 OfficeActivity \n", - "28 OfficeActivity \n", - "13 OfficeActivity \n", + " SyslogMessage \\\n", + "1 Connection closed by authenticating user peteb 172.92.153.236 port 3531 [preauth] \n", + "2 Accepted publickey for peteb from 172.92.153.236 port 3715 ssh2: RSA SHA256:iMp4nnErVTXWJR2JKUEM... \n", + "3 pam_unix(sshd:session): session opened for user peteb by (uid=0) \n", + "4 New session 6 of user peteb. \n", + "5 pam_unix(systemd-user:session): session opened for user peteb by (uid=0) \n", + "6 Disconnected from user peteb 172.92.153.236 port 3715 \n", + "7 pam_unix(sshd:session): session closed for user peteb \n", + "8 Received disconnect from 172.92.153.236 port 3715:11: disconnected by user \n", + "9 Removed session 6. \n", + "10 Accepted publickey for peteb from 172.92.153.236 port 3724 ssh2: RSA SHA256:iMp4nnErVTXWJR2JKUEM... 
\n", + "11 pam_unix(sshd:session): session opened for user peteb by (uid=0) \n", + "12 pam_unix(systemd-user:session): session opened for user peteb by (uid=0) \n", + "13 New session 9 of user peteb. \n", + "14 Connection closed by authenticating user root 141.98.81.83 port 34871 [preauth] \n", + "15 Invalid user admin from 141.98.81.84 port 43513 \n", + "16 Connection closed by invalid user admin 141.98.81.84 port 43513 [preauth] \n", + "17 Invalid user Administrator from 141.98.81.99 port 44191 \n", + "18 Connection closed by invalid user Administrator 141.98.81.99 port 44191 [preauth] \n", + "19 Connection closed by authenticating user root 141.98.81.107 port 42727 [preauth] \n", + "20 Invalid user admin from 141.98.81.108 port 46207 \n", + "21 Connection closed by invalid user admin 141.98.81.108 port 46207 [preauth] \n", + "22 Invalid user 1234 from 141.98.81.81 port 51226 \n", + "23 Connection closed by invalid user 1234 141.98.81.81 port 51226 [preauth] \n", + "24 Invalid user guest from 141.98.81.83 port 40397 \n", + "25 Connection closed by invalid user guest 141.98.81.83 port 40397 [preauth] \n", + "26 Invalid user Admin from 141.98.81.84 port 34717 \n", + "27 Connection closed by invalid user Admin 141.98.81.84 port 34717 [preauth] \n", + "28 Connection closed by authenticating user root 141.98.81.99 port 36241 [preauth] \n", + "29 Invalid user admin from 141.98.81.107 port 40527 \n", + "30 Connection closed by invalid user admin 141.98.81.107 port 40527 [preauth] \n", + "31 Invalid user admin from 141.98.81.108 port 46475 \n", + "32 Connection closed by invalid user admin 141.98.81.108 port 46475 [preauth] \n", + "33 Invalid user user from 141.98.81.81 port 58652 \n", + "34 Connection closed by invalid user user 141.98.81.81 port 58652 [preauth] \n", + "35 Did not receive identification string from 85.239.35.161 port 60402 \n", + "36 Invalid user admin from 85.239.35.161 port 43382 \n", + "37 Connection closed by invalid user admin 85.239.35.161 port 
43382 [preauth] \n", + "38 Invalid user user from 85.239.35.161 port 43438 \n", + "39 Connection closed by invalid user user 85.239.35.161 port 43438 [preauth] \n", + "40 Connection closed by authenticating user root 85.239.35.161 port 59508 [preauth] \n", + "41 Invalid user from 65.49.20.69 port 24062 \n", + "42 Connection closed by invalid user 65.49.20.69 port 24062 [preauth] \n", + "43 Invalid user tester from 46.148.21.32 port 60136 \n", + "44 Connection closed by invalid user tester 46.148.21.32 port 60136 [preauth] \n", + "45 Invalid user support from 46.148.21.32 port 49512 \n", + "46 Connection closed by invalid user support 46.148.21.32 port 49512 [preauth] \n", + "47 Timeout, client not responding. \n", + "48 Removed session 9. \n", + "49 pam_unix(sshd:session): session closed for user peteb \n", + "50 Invalid user admin from 141.98.9.157 port 40289 \n", + "51 Connection closed by invalid user admin 141.98.9.157 port 40289 [preauth] \n", + "52 Invalid user admin from 141.98.9.159 port 35637 \n", + "53 Connection closed by invalid user admin 141.98.9.159 port 35637 [preauth] \n", + "54 Invalid user user from 141.98.9.160 port 43607 \n", + "55 Connection closed by invalid user user 141.98.9.160 port 43607 [preauth] \n", + "56 Invalid user admin from 141.98.9.161 port 45085 \n", + "57 Connection closed by invalid user admin 141.98.9.161 port 45085 [preauth] \n", + "58 Connection closed by authenticating user root 141.98.9.156 port 33769 [preauth] \n", + "59 Invalid user operator from 141.98.9.137 port 56654 \n", + "60 Connection closed by invalid user operator 141.98.9.137 port 56654 [preauth] \n", + "61 Invalid user test from 141.98.9.157 port 39665 \n", + "62 Connection closed by invalid user test 141.98.9.157 port 39665 [preauth] \n", + "63 Connection closed by authenticating user root 141.98.9.159 port 41651 [preauth] \n", + "64 Invalid user guest from 141.98.9.160 port 39145 \n", + "65 Connection closed by invalid user guest 141.98.9.160 port 39145 
[preauth] \n", + "66 Invalid user ubnt from 141.98.9.161 port 45527 \n", + "67 Connection closed by invalid user ubnt 141.98.9.161 port 45527 [preauth] \n", + "68 Invalid user guest from 141.98.9.156 port 38585 \n", + "69 Connection closed by invalid user guest 141.98.9.156 port 38585 [preauth] \n", + "70 Invalid user support from 141.98.9.137 port 34468 \n", + "71 Connection closed by invalid user support 141.98.9.137 port 34468 [preauth] \n", + "72 Invalid user admin from 46.148.21.32 port 55894 \n", + "73 Connection closed by invalid user admin 46.148.21.32 port 55894 [preauth] \n", + "74 Connection closed by authenticating user root 46.148.21.32 port 38956 [preauth] \n", + "0 Received signal 15 terminating. \n", "\n", - " RecordType OrganizationId \\\n", - "35 SharePointFileOperation 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 \n", - "32 SharePointFileOperation 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 \n", - "59 SharePointFileOperation 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 \n", - "41 SharePointFileOperation 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 \n", - "43 SharePointFileOperation 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 \n", - "48 SharePoint 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 \n", - "39 SharePointFileOperation 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 \n", - "51 SharePointFileOperation 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 \n", - "40 SharePointFileOperation 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 \n", - "56 SharePointFileOperation 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 \n", - "47 SharePointFileOperation 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 \n", - "38 SharePointFileOperation 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 \n", - "31 SharePointFileOperation 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 \n", - "46 SharePointFileOperation 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 \n", - "50 SharePointFileOperation 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 \n", - "60 SharePointFileOperation 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 \n", - "58 SharePointFileOperation 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 \n", - "53 
SharePointFileOperation 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 \n", - "55 SharePointFileOperation 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 \n", - "37 SharePointFileOperation 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 \n", - "45 SharePointFileOperation 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 \n", - "42 SharePointFileOperation 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 \n", - "52 SharePointFileOperation 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 \n", - "49 SharePointFileOperation 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 \n", - "54 SharePointFileOperation 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 \n", - "36 SharePointFileOperation 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 \n", - "44 SharePointFileOperation 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 \n", - "34 SharePointFileOperation 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 \n", - "57 SharePointFileOperation 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 \n", - "33 SharePointFileOperation 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 \n", - "24 SharePoint 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 \n", - "20 SharePointFileOperation 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 \n", - "15 SharePointFileOperation 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 \n", - "8 SharePointFileOperation 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 \n", - "9 SharePointFileOperation 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 \n", - "12 SharePointFileOperation 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 \n", - "19 SharePointFileOperation 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 \n", - "4 SharePointFileOperation 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 \n", - "6 SharePointFileOperation 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 \n", - "2 SharePointFileOperation 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 \n", - "16 SharePointFileOperation 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 \n", - "0 SharePointFileOperation 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 \n", - "27 SharePointFileOperation 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 \n", - "25 SharePointFileOperation 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 \n", - "23 SharePointFileOperation 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 \n", - "21 
SharePointFileOperation 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 \n", - "18 SharePointFileOperation 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 \n", - "3 SharePointFileOperation 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 \n", - "7 SharePointFileOperation 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 \n", - "11 SharePointFileOperation 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 \n", - "22 SharePointFileOperation 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 \n", - "14 SharePointFileOperation 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 \n", - "1 SharePointFileOperation 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 \n", - "5 SharePointFileOperation 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 \n", - "30 SharePointFileOperation 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 \n", - "29 SharePointFileOperation 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 \n", - "17 SharePointFileOperation 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 \n", - "26 SharePointFileOperation 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 \n", - "10 SharePointFileOperation 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 \n", - "28 SharePointFileOperation 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 \n", - "13 SharePointFileOperation 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 \n", + " ProcessID HostIP LogonTypeName MG \\\n", + "1 2581.0 10.0.0.7 sshd 00000000-0000-0000-0000-000000000002 \n", + "2 12111.0 10.0.0.7 sshd 00000000-0000-0000-0000-000000000002 \n", + "3 12111.0 10.0.0.7 sshd 00000000-0000-0000-0000-000000000002 \n", + "4 1263.0 10.0.0.7 systemd-logind 00000000-0000-0000-0000-000000000002 \n", + "5 NaN 10.0.0.7 systemd 00000000-0000-0000-0000-000000000002 \n", + "6 12837.0 10.0.0.7 sshd 00000000-0000-0000-0000-000000000002 \n", + "7 12111.0 10.0.0.7 sshd 00000000-0000-0000-0000-000000000002 \n", + "8 12837.0 10.0.0.7 sshd 00000000-0000-0000-0000-000000000002 \n", + "9 1263.0 10.0.0.7 systemd-logind 00000000-0000-0000-0000-000000000002 \n", + "10 12934.0 10.0.0.7 sshd 00000000-0000-0000-0000-000000000002 \n", + "11 12934.0 10.0.0.7 sshd 00000000-0000-0000-0000-000000000002 \n", + "12 NaN 10.0.0.7 systemd 
00000000-0000-0000-0000-000000000002 \n", + "13 1263.0 10.0.0.7 systemd-logind 00000000-0000-0000-0000-000000000002 \n", + "14 16702.0 10.0.0.7 sshd 00000000-0000-0000-0000-000000000002 \n", + "15 16705.0 10.0.0.7 sshd 00000000-0000-0000-0000-000000000002 \n", + "16 16705.0 10.0.0.7 sshd 00000000-0000-0000-0000-000000000002 \n", + "17 16715.0 10.0.0.7 sshd 00000000-0000-0000-0000-000000000002 \n", + "18 16715.0 10.0.0.7 sshd 00000000-0000-0000-0000-000000000002 \n", + "19 16717.0 10.0.0.7 sshd 00000000-0000-0000-0000-000000000002 \n", + "20 16723.0 10.0.0.7 sshd 00000000-0000-0000-0000-000000000002 \n", + "21 16723.0 10.0.0.7 sshd 00000000-0000-0000-0000-000000000002 \n", + "22 16743.0 10.0.0.7 sshd 00000000-0000-0000-0000-000000000002 \n", + "23 16743.0 10.0.0.7 sshd 00000000-0000-0000-0000-000000000002 \n", + "24 16750.0 10.0.0.7 sshd 00000000-0000-0000-0000-000000000002 \n", + "25 16750.0 10.0.0.7 sshd 00000000-0000-0000-0000-000000000002 \n", + "26 16752.0 10.0.0.7 sshd 00000000-0000-0000-0000-000000000002 \n", + "27 16752.0 10.0.0.7 sshd 00000000-0000-0000-0000-000000000002 \n", + "28 16758.0 10.0.0.7 sshd 00000000-0000-0000-0000-000000000002 \n", + "29 16762.0 10.0.0.7 sshd 00000000-0000-0000-0000-000000000002 \n", + "30 16762.0 10.0.0.7 sshd 00000000-0000-0000-0000-000000000002 \n", + "31 16770.0 10.0.0.7 sshd 00000000-0000-0000-0000-000000000002 \n", + "32 16770.0 10.0.0.7 sshd 00000000-0000-0000-0000-000000000002 \n", + "33 16782.0 10.0.0.7 sshd 00000000-0000-0000-0000-000000000002 \n", + "34 16782.0 10.0.0.7 sshd 00000000-0000-0000-0000-000000000002 \n", + "35 17120.0 10.0.0.7 sshd 00000000-0000-0000-0000-000000000002 \n", + "36 17121.0 10.0.0.7 sshd 00000000-0000-0000-0000-000000000002 \n", + "37 17121.0 10.0.0.7 sshd 00000000-0000-0000-0000-000000000002 \n", + "38 17126.0 10.0.0.7 sshd 00000000-0000-0000-0000-000000000002 \n", + "39 17126.0 10.0.0.7 sshd 00000000-0000-0000-0000-000000000002 \n", + "40 17146.0 10.0.0.7 sshd 
00000000-0000-0000-0000-000000000002 \n", + "41 20114.0 10.0.0.7 sshd 00000000-0000-0000-0000-000000000002 \n", + "42 20114.0 10.0.0.7 sshd 00000000-0000-0000-0000-000000000002 \n", + "43 21089.0 10.0.0.7 sshd 00000000-0000-0000-0000-000000000002 \n", + "44 21089.0 10.0.0.7 sshd 00000000-0000-0000-0000-000000000002 \n", + "45 24633.0 10.0.0.7 sshd 00000000-0000-0000-0000-000000000002 \n", + "46 24633.0 10.0.0.7 sshd 00000000-0000-0000-0000-000000000002 \n", + "47 13017.0 10.0.0.7 sshd 00000000-0000-0000-0000-000000000002 \n", + "48 1263.0 10.0.0.7 systemd-logind 00000000-0000-0000-0000-000000000002 \n", + "49 12934.0 10.0.0.7 sshd 00000000-0000-0000-0000-000000000002 \n", + "50 25803.0 10.0.0.7 sshd 00000000-0000-0000-0000-000000000002 \n", + "51 25803.0 10.0.0.7 sshd 00000000-0000-0000-0000-000000000002 \n", + "52 25816.0 10.0.0.7 sshd 00000000-0000-0000-0000-000000000002 \n", + "53 25816.0 10.0.0.7 sshd 00000000-0000-0000-0000-000000000002 \n", + "54 25822.0 10.0.0.7 sshd 00000000-0000-0000-0000-000000000002 \n", + "55 25822.0 10.0.0.7 sshd 00000000-0000-0000-0000-000000000002 \n", + "56 25825.0 10.0.0.7 sshd 00000000-0000-0000-0000-000000000002 \n", + "57 25825.0 10.0.0.7 sshd 00000000-0000-0000-0000-000000000002 \n", + "58 25832.0 10.0.0.7 sshd 00000000-0000-0000-0000-000000000002 \n", + "59 25834.0 10.0.0.7 sshd 00000000-0000-0000-0000-000000000002 \n", + "60 25834.0 10.0.0.7 sshd 00000000-0000-0000-0000-000000000002 \n", + "61 25841.0 10.0.0.7 sshd 00000000-0000-0000-0000-000000000002 \n", + "62 25841.0 10.0.0.7 sshd 00000000-0000-0000-0000-000000000002 \n", + "63 25843.0 10.0.0.7 sshd 00000000-0000-0000-0000-000000000002 \n", + "64 25845.0 10.0.0.7 sshd 00000000-0000-0000-0000-000000000002 \n", + "65 25845.0 10.0.0.7 sshd 00000000-0000-0000-0000-000000000002 \n", + "66 25862.0 10.0.0.7 sshd 00000000-0000-0000-0000-000000000002 \n", + "67 25862.0 10.0.0.7 sshd 00000000-0000-0000-0000-000000000002 \n", + "68 25866.0 10.0.0.7 sshd 
00000000-0000-0000-0000-000000000002 \n", + "69 25866.0 10.0.0.7 sshd 00000000-0000-0000-0000-000000000002 \n", + "70 25872.0 10.0.0.7 sshd 00000000-0000-0000-0000-000000000002 \n", + "71 25872.0 10.0.0.7 sshd 00000000-0000-0000-0000-000000000002 \n", + "72 25968.0 10.0.0.7 sshd 00000000-0000-0000-0000-000000000002 \n", + "73 25968.0 10.0.0.7 sshd 00000000-0000-0000-0000-000000000002 \n", + "74 27009.0 10.0.0.7 sshd 00000000-0000-0000-0000-000000000002 \n", + "0 1382.0 10.0.0.7 sshd 00000000-0000-0000-0000-000000000002 \n", "\n", - " OrganizationId_ UserType \\\n", - "35 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 Regular \n", - "32 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 Regular \n", - "59 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 Regular \n", - "41 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 Regular \n", - "43 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 Regular \n", - "48 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 Regular \n", - "39 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 Regular \n", - "51 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 Regular \n", - "40 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 Regular \n", - "56 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 Regular \n", - "47 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 Regular \n", - "38 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 Regular \n", - "31 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 Regular \n", - "46 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 Regular \n", - "50 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 Regular \n", - "60 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 Regular \n", - "58 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 Regular \n", - "53 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 Regular \n", - "55 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 Regular \n", - "37 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 Regular \n", - "45 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 Regular \n", - "42 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 Regular \n", - "52 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 Regular \n", - "49 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 Regular \n", - "54 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 Regular \n", - "36 
7a2333d3-adbf-4e7c-b58d-2a7144511ba8 Regular \n", - "44 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 Regular \n", - "34 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 Regular \n", - "57 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 Regular \n", - "33 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 Regular \n", - "24 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 Regular \n", - "20 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 Regular \n", - "15 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 Regular \n", - "8 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 Regular \n", - "9 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 Regular \n", - "12 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 Regular \n", - "19 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 Regular \n", - "4 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 Regular \n", - "6 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 Regular \n", - "2 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 Regular \n", - "16 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 Regular \n", - "0 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 Regular \n", - "27 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 Regular \n", - "25 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 Regular \n", - "23 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 Regular \n", - "21 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 Regular \n", - "18 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 Regular \n", - "3 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 Regular \n", - "7 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 Regular \n", - "11 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 Regular \n", - "22 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 Regular \n", - "14 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 Regular \n", - "1 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 Regular \n", - "5 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 Regular \n", - "30 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 Regular \n", - "29 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 Regular \n", - "17 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 Regular \n", - "26 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 Regular \n", - "10 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 Regular \n", - "28 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 Regular \n", - "13 7a2333d3-adbf-4e7c-b58d-2a7144511ba8 Regular \n", 
+ " Type \\\n", + "1 Syslog \n", + "2 Syslog \n", + "3 Syslog \n", + "4 Syslog \n", + "5 Syslog \n", + "6 Syslog \n", + "7 Syslog \n", + "8 Syslog \n", + "9 Syslog \n", + "10 Syslog \n", + "11 Syslog \n", + "12 Syslog \n", + "13 Syslog \n", + "14 Syslog \n", + "15 Syslog \n", + "16 Syslog \n", + "17 Syslog \n", + "18 Syslog \n", + "19 Syslog \n", + "20 Syslog \n", + "21 Syslog \n", + "22 Syslog \n", + "23 Syslog \n", + "24 Syslog \n", + "25 Syslog \n", + "26 Syslog \n", + "27 Syslog \n", + "28 Syslog \n", + "29 Syslog \n", + "30 Syslog \n", + "31 Syslog \n", + "32 Syslog \n", + "33 Syslog \n", + "34 Syslog \n", + "35 Syslog \n", + "36 Syslog \n", + "37 Syslog \n", + "38 Syslog \n", + "39 Syslog \n", + "40 Syslog \n", + "41 Syslog \n", + "42 Syslog \n", + "43 Syslog \n", + "44 Syslog \n", + "45 Syslog \n", + "46 Syslog \n", + "47 Syslog \n", + "48 Syslog \n", + "49 Syslog \n", + "50 Syslog \n", + "51 Syslog \n", + "52 Syslog \n", + "53 Syslog \n", + "54 Syslog \n", + "55 Syslog \n", + "56 Syslog \n", + "57 Syslog \n", + "58 Syslog \n", + "59 Syslog \n", + "60 Syslog \n", + "61 Syslog \n", + "62 Syslog \n", + "63 Syslog \n", + "64 Syslog \n", + "65 Syslog \n", + "66 Syslog \n", + "67 Syslog \n", + "68 Syslog \n", + "69 Syslog \n", + "70 Syslog \n", + "71 Syslog \n", + "72 Syslog \n", + "73 Syslog \n", + "74 Syslog \n", + "0 Syslog \n", "\n", - " UserKey ResultStatus ResultReasonType \\\n", - "35 d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb \n", - "32 d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb \n", - "59 d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb \n", - "41 d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb \n", - "43 d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb \n", - "48 d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb \n", - "39 d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb \n", - "51 d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb \n", - "40 d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb \n", - "56 d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb \n", - "47 
d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb \n", - "38 d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb \n", - "31 d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb \n", - "46 d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb \n", - "50 d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb \n", - "60 d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb \n", - "58 d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb \n", - "53 d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb \n", - "55 d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb \n", - "37 d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb \n", - "45 d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb \n", - "42 d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb \n", - "52 d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb \n", - "49 d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb \n", - "54 d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb \n", - "36 d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb \n", - "44 d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb \n", - "34 d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb \n", - "57 d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb \n", - "33 d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb \n", - "24 d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb \n", - "20 d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb \n", - "15 d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb \n", - "8 d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb \n", - "9 d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb \n", - "12 d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb \n", - "19 d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb \n", - "4 d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb \n", - "6 d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb \n", - "2 d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb \n", - "16 d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb \n", - "0 d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb \n", - "27 d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb \n", - "25 d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb \n", - "23 d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb \n", - "21 d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb \n", - "18 
d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb \n", - "3 d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb \n", - "7 d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb \n", - "11 d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb \n", - "22 d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb \n", - "14 d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb \n", - "1 d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb \n", - "5 d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb \n", - "30 d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb \n", - "29 d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb \n", - "17 d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb \n", - "26 d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb \n", - "10 d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb \n", - "28 d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb \n", - "13 d:rm.mideioerdbfomqjaqfrkniffbjema@kmpo.pjb \n", + " _ResourceId \\\n", + "1 /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros... \n", + "2 /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros... \n", + "3 /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros... \n", + "4 /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros... \n", + "5 /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros... \n", + "6 /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros... \n", + "7 /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros... \n", + "8 /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros... \n", + "9 /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros... \n", + "10 /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros... 
\n", + "11 /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros... \n", + "12 /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros... \n", + "13 /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros... \n", + "14 /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros... \n", + "15 /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros... \n", + "16 /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros... \n", + "17 /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros... \n", + "18 /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros... \n", + "19 /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros... \n", + "20 /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros... \n", + "21 /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros... \n", + "22 /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros... \n", + "23 /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros... \n", + "24 /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros... \n", + "25 /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros... \n", + "26 /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros... \n", + "27 /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros... \n", + "28 /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros... 
\n", + "29 /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros... \n", + "30 /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros... \n", + "31 /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros... \n", + "32 /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros... \n", + "33 /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros... \n", + "34 /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros... \n", + "35 /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros... \n", + "36 /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros... \n", + "37 /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros... \n", + "38 /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros... \n", + "39 /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros... \n", + "40 /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros... \n", + "41 /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros... \n", + "42 /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros... \n", + "43 /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros... \n", + "44 /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros... \n", + "45 /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros... \n", + "46 /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros... 
\n", + "47 /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros... \n", + "48 /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros... \n", + "49 /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros... \n", + "50 /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros... \n", + "51 /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros... \n", + "52 /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros... \n", + "53 /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros... \n", + "54 /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros... \n", + "55 /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros... \n", + "56 /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros... \n", + "57 /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros... \n", + "58 /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros... \n", + "59 /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros... \n", + "60 /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros... \n", + "61 /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros... \n", + "62 /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros... \n", + "63 /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros... \n", + "64 /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros... 
\n", + "65 /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros... \n", + "66 /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros... \n", + "67 /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros... \n", + "68 /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros... \n", + "69 /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros... \n", + "70 /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros... \n", + "71 /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros... \n", + "72 /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros... \n", + "73 /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros... \n", + "74 /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros... \n", + "0 /subscriptions/3b701f84-d04b-4479-89b1-fa8827eb537e/resourcegroups/sentineltest/providers/micros... 
\n", "\n", - " UserId_ ClientIP_ Scope \\\n", - "35 crqerkikpjo@ld.fkaframbemji.pjb 152.133.101.182 \n", - "32 crqerkikpjo@ld.fkaframbemji.pjb 152.133.101.182 \n", - "59 crqerkikpjo@ld.fkaframbemji.pjb 152.133.101.182 \n", - "41 crqerkikpjo@ld.fkaframbemji.pjb 152.133.101.182 \n", - "43 crqerkikpjo@ld.fkaframbemji.pjb 152.133.101.182 \n", - "48 crqerkikpjo@ld.fkaframbemji.pjb 152.133.101.182 \n", - "39 crqerkikpjo@ld.fkaframbemji.pjb 152.133.101.182 \n", - "51 crqerkikpjo@ld.fkaframbemji.pjb 152.133.101.182 \n", - "40 crqerkikpjo@ld.fkaframbemji.pjb 152.133.101.182 \n", - "56 crqerkikpjo@ld.fkaframbemji.pjb 152.133.101.182 \n", - "47 crqerkikpjo@ld.fkaframbemji.pjb 152.133.101.182 \n", - "38 crqerkikpjo@ld.fkaframbemji.pjb 152.133.101.182 \n", - "31 crqerkikpjo@ld.fkaframbemji.pjb 152.133.101.182 \n", - "46 crqerkikpjo@ld.fkaframbemji.pjb 152.133.101.182 \n", - "50 crqerkikpjo@ld.fkaframbemji.pjb 152.133.101.182 \n", - "60 crqerkikpjo@ld.fkaframbemji.pjb 152.133.101.182 \n", - "58 crqerkikpjo@ld.fkaframbemji.pjb 152.133.101.182 \n", - "53 crqerkikpjo@ld.fkaframbemji.pjb 152.133.101.182 \n", - "55 crqerkikpjo@ld.fkaframbemji.pjb 152.133.101.182 \n", - "37 crqerkikpjo@ld.fkaframbemji.pjb 152.133.101.182 \n", - "45 crqerkikpjo@ld.fkaframbemji.pjb 152.133.101.182 \n", - "42 crqerkikpjo@ld.fkaframbemji.pjb 152.133.101.182 \n", - "52 crqerkikpjo@ld.fkaframbemji.pjb 152.133.101.182 \n", - "49 crqerkikpjo@ld.fkaframbemji.pjb 152.133.101.182 \n", - "54 crqerkikpjo@ld.fkaframbemji.pjb 152.133.101.182 \n", - "36 crqerkikpjo@ld.fkaframbemji.pjb 152.133.101.182 \n", - "44 crqerkikpjo@ld.fkaframbemji.pjb 152.133.101.182 \n", - "34 crqerkikpjo@ld.fkaframbemji.pjb 152.133.101.182 \n", - "57 crqerkikpjo@ld.fkaframbemji.pjb 152.133.101.182 \n", - "33 crqerkikpjo@ld.fkaframbemji.pjb 35.47.146.75 \n", - "24 crqerkikpjo@ld.fkaframbemji.pjb 152.133.101.25 \n", - "20 crqerkikpjo@ld.fkaframbemji.pjb 152.133.101.25 \n", - "15 crqerkikpjo@ld.fkaframbemji.pjb 152.133.101.25 \n", - "8 
crqerkikpjo@ld.fkaframbemji.pjb 152.133.101.25 \n", - "9 crqerkikpjo@ld.fkaframbemji.pjb 152.133.101.25 \n", - "12 crqerkikpjo@ld.fkaframbemji.pjb 152.133.101.25 \n", - "19 crqerkikpjo@ld.fkaframbemji.pjb 152.133.101.25 \n", - "4 crqerkikpjo@ld.fkaframbemji.pjb 152.133.101.25 \n", - "6 crqerkikpjo@ld.fkaframbemji.pjb 152.133.101.25 \n", - "2 crqerkikpjo@ld.fkaframbemji.pjb 152.133.101.25 \n", - "16 crqerkikpjo@ld.fkaframbemji.pjb 152.133.101.25 \n", - "0 crqerkikpjo@ld.fkaframbemji.pjb 152.133.101.25 \n", - "27 crqerkikpjo@ld.fkaframbemji.pjb 152.133.101.25 \n", - "25 crqerkikpjo@ld.fkaframbemji.pjb 152.133.101.25 \n", - "23 crqerkikpjo@ld.fkaframbemji.pjb 152.133.101.25 \n", - "21 crqerkikpjo@ld.fkaframbemji.pjb 152.133.101.25 \n", - "18 crqerkikpjo@ld.fkaframbemji.pjb 152.133.101.25 \n", - "3 crqerkikpjo@ld.fkaframbemji.pjb 152.133.101.25 \n", - "7 crqerkikpjo@ld.fkaframbemji.pjb 152.133.101.25 \n", - "11 crqerkikpjo@ld.fkaframbemji.pjb 152.133.101.25 \n", - "22 crqerkikpjo@ld.fkaframbemji.pjb 152.133.101.25 \n", - "14 crqerkikpjo@ld.fkaframbemji.pjb 152.133.101.25 \n", - "1 crqerkikpjo@ld.fkaframbemji.pjb 152.133.101.25 \n", - "5 crqerkikpjo@ld.fkaframbemji.pjb 152.133.101.25 \n", - "30 crqerkikpjo@ld.fkaframbemji.pjb 152.133.101.25 \n", - "29 crqerkikpjo@ld.fkaframbemji.pjb 152.133.101.25 \n", - "17 crqerkikpjo@ld.fkaframbemji.pjb 152.133.101.25 \n", - "26 crqerkikpjo@ld.fkaframbemji.pjb 152.133.101.25 \n", - "10 crqerkikpjo@ld.fkaframbemji.pjb 152.133.101.25 \n", - "28 crqerkikpjo@ld.fkaframbemji.pjb 152.133.101.25 \n", - "13 crqerkikpjo@ld.fkaframbemji.pjb 152.133.101.25 \n", + " LogonResult User LogonType SourceIP SourcePort \\\n", + "1 Failure peteb (sshd) 172.92.153.236 3531.0 \n", + "2 Success peteb publickey (sshd) 172.92.153.236 3715.0 \n", + "3 Unknown peteb (sshd) NaN NaN \n", + "4 Unknown peteb (systemd-logind) NaN NaN \n", + "5 Unknown peteb (systemd) NaN NaN \n", + "6 Unknown peteb (sshd) 172.92.153.236 3715.0 \n", + "7 Unknown peteb (sshd) NaN NaN 
\n", + "8 Unknown NaN (sshd) 172.92.153.236 3715.0 \n", + "9 Unknown NaN (systemd-logind) NaN NaN \n", + "10 Success peteb publickey (sshd) 172.92.153.236 3724.0 \n", + "11 Unknown peteb (sshd) NaN NaN \n", + "12 Unknown peteb (systemd) NaN NaN \n", + "13 Unknown peteb (systemd-logind) NaN NaN \n", + "14 Failure root (sshd) 141.98.81.83 34871.0 \n", + "15 Failure admin (sshd) 141.98.81.84 43513.0 \n", + "16 Failure admin (sshd) 141.98.81.84 43513.0 \n", + "17 Failure Administrator (sshd) 141.98.81.99 44191.0 \n", + "18 Failure Administrator (sshd) 141.98.81.99 44191.0 \n", + "19 Failure root (sshd) 141.98.81.107 42727.0 \n", + "20 Failure admin (sshd) 141.98.81.108 46207.0 \n", + "21 Failure admin (sshd) 141.98.81.108 46207.0 \n", + "22 Failure 1234 (sshd) 141.98.81.81 51226.0 \n", + "23 Failure 1234 (sshd) 141.98.81.81 51226.0 \n", + "24 Failure guest (sshd) 141.98.81.83 40397.0 \n", + "25 Failure guest (sshd) 141.98.81.83 40397.0 \n", + "26 Failure Admin (sshd) 141.98.81.84 34717.0 \n", + "27 Failure Admin (sshd) 141.98.81.84 34717.0 \n", + "28 Failure root (sshd) 141.98.81.99 36241.0 \n", + "29 Failure admin (sshd) 141.98.81.107 40527.0 \n", + "30 Failure admin (sshd) 141.98.81.107 40527.0 \n", + "31 Failure admin (sshd) 141.98.81.108 46475.0 \n", + "32 Failure admin (sshd) 141.98.81.108 46475.0 \n", + "33 Failure user (sshd) 141.98.81.81 58652.0 \n", + "34 Failure user (sshd) 141.98.81.81 58652.0 \n", + "35 Failure NaN (sshd) 85.239.35.161 60402.0 \n", + "36 Failure admin (sshd) 85.239.35.161 43382.0 \n", + "37 Failure admin (sshd) 85.239.35.161 43382.0 \n", + "38 Failure user (sshd) 85.239.35.161 43438.0 \n", + "39 Failure user (sshd) 85.239.35.161 43438.0 \n", + "40 Failure root (sshd) 85.239.35.161 59508.0 \n", + "41 Failure NaN (sshd) 65.49.20.69 24062.0 \n", + "42 Failure NaN (sshd) 65.49.20.69 24062.0 \n", + "43 Failure tester (sshd) 46.148.21.32 60136.0 \n", + "44 Failure tester (sshd) 46.148.21.32 60136.0 \n", + "45 Failure support (sshd) 46.148.21.32 
49512.0 \n", + "46 Failure support (sshd) 46.148.21.32 46.0 \n", + "47 Unknown NaN (sshd) NaN NaN \n", + "48 Unknown NaN (systemd-logind) NaN NaN \n", + "49 Unknown peteb (sshd) NaN NaN \n", + "50 Failure admin (sshd) 141.98.9.157 40289.0 \n", + "51 Failure admin (sshd) 141.98.9.157 40289.0 \n", + "52 Failure admin (sshd) 141.98.9.159 35637.0 \n", + "53 Failure admin (sshd) 141.98.9.159 35637.0 \n", + "54 Failure user (sshd) 141.98.9.160 43607.0 \n", + "55 Failure user (sshd) 141.98.9.160 43607.0 \n", + "56 Failure admin (sshd) 141.98.9.161 45085.0 \n", + "57 Failure admin (sshd) 141.98.9.161 45085.0 \n", + "58 Failure root (sshd) 141.98.9.156 33769.0 \n", + "59 Failure operator (sshd) 141.98.9.137 56654.0 \n", + "60 Failure operator (sshd) 141.98.9.137 56654.0 \n", + "61 Failure test (sshd) 141.98.9.157 39665.0 \n", + "62 Failure test (sshd) 141.98.9.157 39665.0 \n", + "63 Failure root (sshd) 141.98.9.159 41651.0 \n", + "64 Failure guest (sshd) 141.98.9.160 39145.0 \n", + "65 Failure guest (sshd) 141.98.9.160 39145.0 \n", + "66 Failure ubnt (sshd) 141.98.9.161 45527.0 \n", + "67 Failure ubnt (sshd) 141.98.9.161 45527.0 \n", + "68 Failure guest (sshd) 141.98.9.156 38585.0 \n", + "69 Failure guest (sshd) 141.98.9.156 38585.0 \n", + "70 Failure support (sshd) 141.98.9.137 34468.0 \n", + "71 Failure support (sshd) 141.98.9.137 141.0 \n", + "72 Failure admin (sshd) 46.148.21.32 55894.0 \n", + "73 Failure admin (sshd) 46.148.21.32 55894.0 \n", + "74 Failure root (sshd) 46.148.21.32 38956.0 \n", + "0 Unknown NaN (sshd) NaN NaN \n", "\n", - " Site_ ... AzureActiveDirectory_EventType \\\n", - "35 db32ce1a-0378-41f7-8f83-9797a8e51af8 ... \n", - "32 a9d09708-6ca6-439b-ac48-84cbe527e408 ... \n", - "59 a9d09708-6ca6-439b-ac48-84cbe527e408 ... \n", - "41 db32ce1a-0378-41f7-8f83-9797a8e51af8 ... \n", - "43 db32ce1a-0378-41f7-8f83-9797a8e51af8 ... \n", - "48 a9d09708-6ca6-439b-ac48-84cbe527e408 ... \n", - "39 db32ce1a-0378-41f7-8f83-9797a8e51af8 ... 
\n", - "51 db32ce1a-0378-41f7-8f83-9797a8e51af8 ... \n", - "40 db32ce1a-0378-41f7-8f83-9797a8e51af8 ... \n", - "56 db32ce1a-0378-41f7-8f83-9797a8e51af8 ... \n", - "47 a9d09708-6ca6-439b-ac48-84cbe527e408 ... \n", - "38 a9d09708-6ca6-439b-ac48-84cbe527e408 ... \n", - "31 a9d09708-6ca6-439b-ac48-84cbe527e408 ... \n", - "46 a9d09708-6ca6-439b-ac48-84cbe527e408 ... \n", - "50 a9d09708-6ca6-439b-ac48-84cbe527e408 ... \n", - "60 db32ce1a-0378-41f7-8f83-9797a8e51af8 ... \n", - "58 db32ce1a-0378-41f7-8f83-9797a8e51af8 ... \n", - "53 a9d09708-6ca6-439b-ac48-84cbe527e408 ... \n", - "55 a9d09708-6ca6-439b-ac48-84cbe527e408 ... \n", - "37 efb97716-3699-4616-9d0a-a9cea743bda7 ... \n", - "45 db32ce1a-0378-41f7-8f83-9797a8e51af8 ... \n", - "42 a9d09708-6ca6-439b-ac48-84cbe527e408 ... \n", - "52 a9d09708-6ca6-439b-ac48-84cbe527e408 ... \n", - "49 a9d09708-6ca6-439b-ac48-84cbe527e408 ... \n", - "54 a9d09708-6ca6-439b-ac48-84cbe527e408 ... \n", - "36 a9d09708-6ca6-439b-ac48-84cbe527e408 ... \n", - "44 a9d09708-6ca6-439b-ac48-84cbe527e408 ... \n", - "34 a9d09708-6ca6-439b-ac48-84cbe527e408 ... \n", - "57 a9d09708-6ca6-439b-ac48-84cbe527e408 ... \n", - "33 cc215b5c-17a1-4377-8c08-1f9a60157ed8 ... \n", - "24 a9d09708-6ca6-439b-ac48-84cbe527e408 ... \n", - "20 a9d09708-6ca6-439b-ac48-84cbe527e408 ... \n", - "15 db32ce1a-0378-41f7-8f83-9797a8e51af8 ... \n", - "8 db32ce1a-0378-41f7-8f83-9797a8e51af8 ... \n", - "9 db32ce1a-0378-41f7-8f83-9797a8e51af8 ... \n", - "12 a9d09708-6ca6-439b-ac48-84cbe527e408 ... \n", - "19 db32ce1a-0378-41f7-8f83-9797a8e51af8 ... \n", - "4 a9d09708-6ca6-439b-ac48-84cbe527e408 ... \n", - "6 db32ce1a-0378-41f7-8f83-9797a8e51af8 ... \n", - "2 db32ce1a-0378-41f7-8f83-9797a8e51af8 ... \n", - "16 db32ce1a-0378-41f7-8f83-9797a8e51af8 ... \n", - "0 a9d09708-6ca6-439b-ac48-84cbe527e408 ... \n", - "27 db32ce1a-0378-41f7-8f83-9797a8e51af8 ... \n", - "25 a9d09708-6ca6-439b-ac48-84cbe527e408 ... \n", - "23 a9d09708-6ca6-439b-ac48-84cbe527e408 ... 
\n", - "21 a9d09708-6ca6-439b-ac48-84cbe527e408 ... \n", - "18 db32ce1a-0378-41f7-8f83-9797a8e51af8 ... \n", - "3 a9d09708-6ca6-439b-ac48-84cbe527e408 ... \n", - "7 a9d09708-6ca6-439b-ac48-84cbe527e408 ... \n", - "11 db32ce1a-0378-41f7-8f83-9797a8e51af8 ... \n", - "22 efb97716-3699-4616-9d0a-a9cea743bda7 ... \n", - "14 a9d09708-6ca6-439b-ac48-84cbe527e408 ... \n", - "1 a9d09708-6ca6-439b-ac48-84cbe527e408 ... \n", - "5 a9d09708-6ca6-439b-ac48-84cbe527e408 ... \n", - "30 a9d09708-6ca6-439b-ac48-84cbe527e408 ... \n", - "29 a9d09708-6ca6-439b-ac48-84cbe527e408 ... \n", - "17 a9d09708-6ca6-439b-ac48-84cbe527e408 ... \n", - "26 a9d09708-6ca6-439b-ac48-84cbe527e408 ... \n", - "10 a9d09708-6ca6-439b-ac48-84cbe527e408 ... \n", - "28 db32ce1a-0378-41f7-8f83-9797a8e51af8 ... \n", - "13 cc215b5c-17a1-4377-8c08-1f9a60157ed8 ... \n", + " UID SourceUser Account LogonProcessName AccountName Source \\\n", + "1 NaN authenticating peteb sshd peteb Linux \n", + "2 NaN NaN peteb sshd peteb Linux \n", + "3 0.0 NaN peteb sshd peteb Linux \n", + "4 NaN NaN peteb systemd-logind peteb Linux \n", + "5 0.0 NaN peteb systemd peteb Linux \n", + "6 NaN NaN peteb sshd peteb Linux \n", + "7 NaN NaN peteb sshd peteb Linux \n", + "8 NaN user NaN sshd NaN Linux \n", + "9 NaN NaN NaN systemd-logind NaN Linux \n", + "10 NaN NaN peteb sshd peteb Linux \n", + "11 0.0 NaN peteb sshd peteb Linux \n", + "12 0.0 NaN peteb systemd peteb Linux \n", + "13 NaN NaN peteb systemd-logind peteb Linux \n", + "14 NaN authenticating root sshd root Linux \n", + "15 NaN NaN admin sshd admin Linux \n", + "16 NaN invalid admin sshd admin Linux \n", + "17 NaN NaN Administrator sshd Administrator Linux \n", + "18 NaN invalid Administrator sshd Administrator Linux \n", + "19 NaN authenticating root sshd root Linux \n", + "20 NaN NaN admin sshd admin Linux \n", + "21 NaN invalid admin sshd admin Linux \n", + "22 NaN NaN 1234 sshd 1234 Linux \n", + "23 NaN invalid 1234 sshd 1234 Linux \n", + "24 NaN NaN guest sshd guest Linux 
\n", + "25 NaN invalid guest sshd guest Linux \n", + "26 NaN NaN Admin sshd Admin Linux \n", + "27 NaN invalid Admin sshd Admin Linux \n", + "28 NaN authenticating root sshd root Linux \n", + "29 NaN NaN admin sshd admin Linux \n", + "30 NaN invalid admin sshd admin Linux \n", + "31 NaN NaN admin sshd admin Linux \n", + "32 NaN invalid admin sshd admin Linux \n", + "33 NaN NaN user sshd user Linux \n", + "34 NaN invalid user sshd user Linux \n", + "35 NaN NaN NaN sshd NaN Linux \n", + "36 NaN NaN admin sshd admin Linux \n", + "37 NaN invalid admin sshd admin Linux \n", + "38 NaN NaN user sshd user Linux \n", + "39 NaN invalid user sshd user Linux \n", + "40 NaN authenticating root sshd root Linux \n", + "41 NaN NaN NaN sshd NaN Linux \n", + "42 NaN invalid NaN sshd NaN Linux \n", + "43 NaN NaN tester sshd tester Linux \n", + "44 NaN invalid tester sshd tester Linux \n", + "45 NaN NaN support sshd support Linux \n", + "46 NaN invalid support sshd support Linux \n", + "47 NaN NaN NaN sshd NaN Linux \n", + "48 NaN NaN NaN systemd-logind NaN Linux \n", + "49 NaN NaN peteb sshd peteb Linux \n", + "50 NaN NaN admin sshd admin Linux \n", + "51 NaN invalid admin sshd admin Linux \n", + "52 NaN NaN admin sshd admin Linux \n", + "53 NaN invalid admin sshd admin Linux \n", + "54 NaN NaN user sshd user Linux \n", + "55 NaN invalid user sshd user Linux \n", + "56 NaN NaN admin sshd admin Linux \n", + "57 NaN invalid admin sshd admin Linux \n", + "58 NaN authenticating root sshd root Linux \n", + "59 NaN NaN operator sshd operator Linux \n", + "60 NaN invalid operator sshd operator Linux \n", + "61 NaN NaN test sshd test Linux \n", + "62 NaN invalid test sshd test Linux \n", + "63 NaN authenticating root sshd root Linux \n", + "64 NaN NaN guest sshd guest Linux \n", + "65 NaN invalid guest sshd guest Linux \n", + "66 NaN NaN ubnt sshd ubnt Linux \n", + "67 NaN invalid ubnt sshd ubnt Linux \n", + "68 NaN NaN guest sshd guest Linux \n", + "69 NaN invalid guest sshd guest Linux 
\n", + "70 NaN NaN support sshd support Linux \n", + "71 NaN invalid support sshd support Linux \n", + "72 NaN NaN admin sshd admin Linux \n", + "73 NaN invalid admin sshd admin Linux \n", + "74 NaN authenticating root sshd root Linux \n", + "0 NaN NaN NaN sshd NaN Linux \n", "\n", - " AADTarget Start_Time OfficeTenantId \\\n", - "35 2020-07-28 12:48:45+00:00 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "32 2020-07-28 12:48:45+00:00 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "59 2020-07-28 12:54:17+00:00 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "41 2020-07-28 12:54:15+00:00 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "43 2020-07-28 12:54:15+00:00 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "48 2020-07-28 12:54:16+00:00 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "39 2020-07-28 12:48:45+00:00 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "51 2020-07-28 12:54:16+00:00 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "40 2020-07-28 12:54:15+00:00 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "56 2020-07-28 12:54:16+00:00 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "47 2020-07-28 12:54:16+00:00 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "38 2020-07-28 12:48:45+00:00 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "31 2020-07-28 12:48:45+00:00 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "46 2020-07-28 12:54:16+00:00 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "50 2020-07-28 12:54:16+00:00 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "60 2020-07-28 12:54:17+00:00 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "58 2020-07-28 12:54:17+00:00 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "53 2020-07-28 12:54:15+00:00 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "55 2020-07-28 12:54:16+00:00 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "37 2020-07-28 12:48:45+00:00 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "45 2020-07-28 12:54:15+00:00 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "42 2020-07-28 12:54:15+00:00 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "52 2020-07-28 12:54:15+00:00 
734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "49 2020-07-28 12:54:16+00:00 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "54 2020-07-28 12:54:16+00:00 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "36 2020-07-28 12:48:45+00:00 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "44 2020-07-28 12:54:15+00:00 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "34 2020-07-28 12:48:45+00:00 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "57 2020-07-28 12:54:17+00:00 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "33 2020-07-28 12:48:45+00:00 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "24 2020-07-29 12:53:53+00:00 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "20 2020-07-29 12:53:54+00:00 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "15 2020-07-29 12:53:54+00:00 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "8 2020-07-29 12:48:47+00:00 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "9 2020-07-29 12:48:47+00:00 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "12 2020-07-29 12:53:53+00:00 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "19 2020-07-29 12:53:55+00:00 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "4 2020-07-29 12:53:54+00:00 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "6 2020-07-29 12:53:54+00:00 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "2 2020-07-29 12:53:54+00:00 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "16 2020-07-29 12:53:54+00:00 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "0 2020-07-29 12:53:53+00:00 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "27 2020-07-29 12:53:53+00:00 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "25 2020-07-29 12:53:53+00:00 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "23 2020-07-29 12:53:54+00:00 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "21 2020-07-29 12:53:54+00:00 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "18 2020-07-29 12:53:55+00:00 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "3 2020-07-29 12:53:54+00:00 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "7 2020-07-29 12:48:47+00:00 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "11 2020-07-29 12:53:53+00:00 
734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "22 2020-07-29 12:53:54+00:00 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "14 2020-07-29 12:53:54+00:00 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "1 2020-07-29 12:53:54+00:00 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "5 2020-07-29 12:53:54+00:00 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "30 2020-07-29 12:53:54+00:00 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "29 2020-07-29 12:53:53+00:00 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "17 2020-07-29 12:53:55+00:00 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "26 2020-07-29 12:53:53+00:00 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "10 2020-07-29 12:53:53+00:00 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "28 2020-07-29 12:53:53+00:00 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "13 2020-07-29 12:53:53+00:00 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "\n", - " OfficeTenantId_ TargetUserOrGroupName \\\n", - "35 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "32 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "59 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "41 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "43 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "48 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "39 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "51 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "40 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "56 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "47 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "38 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "31 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "46 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "50 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "60 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "58 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "53 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "55 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "37 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "45 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "42 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "52 
734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "49 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "54 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "36 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "44 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "34 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "57 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "33 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "24 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "20 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "15 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "8 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "9 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "12 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "19 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "4 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "6 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "2 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "16 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "0 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "27 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "25 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "23 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "21 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "18 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "3 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "7 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "11 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "22 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "14 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "1 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "5 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "30 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "29 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "17 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "26 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "10 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "28 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "13 734d800a-d091-427f-a517-ee1e0bc4ab94 \n", - "\n", - " TargetUserOrGroupType MessageId TeamName TeamGuid ChannelType ChannelName \\\n", - "35 \n", - "32 \n", - "59 \n", - "41 \n", - "43 
\n", - "48 \n", - "39 \n", - "51 \n", - "40 \n", - "56 \n", - "47 \n", - "38 \n", - "31 \n", - "46 \n", - "50 \n", - "60 \n", - "58 \n", - "53 \n", - "55 \n", - "37 \n", - "45 \n", - "42 \n", - "52 \n", - "49 \n", - "54 \n", - "36 \n", - "44 \n", - "34 \n", - "57 \n", - "33 \n", - "24 \n", - "20 \n", - "15 \n", - "8 \n", - "9 \n", - "12 \n", - "19 \n", - "4 \n", - "6 \n", - "2 \n", - "16 \n", - "0 \n", - "27 \n", - "25 \n", - "23 \n", - "21 \n", - "18 \n", - "3 \n", - "7 \n", - "11 \n", - "22 \n", - "14 \n", - "1 \n", - "5 \n", - "30 \n", - "29 \n", - "17 \n", - "26 \n", - "10 \n", - "28 \n", - "13 \n", - "\n", - " ChannelGuid AddOnType AddonName TabType Name OldValue NewValue ItemName \\\n", - "35 \n", - "32 \n", - "59 \n", - "41 \n", - "43 \n", - "48 \n", - "39 \n", - "51 \n", - "40 \n", - "56 \n", - "47 \n", - "38 \n", - "31 \n", - "46 \n", - "50 \n", - "60 \n", - "58 \n", - "53 \n", - "55 \n", - "37 \n", - "45 \n", - "42 \n", - "52 \n", - "49 \n", - "54 \n", - "36 \n", - "44 \n", - "34 \n", - "57 \n", - "33 \n", - "24 \n", - "20 \n", - "15 \n", - "8 \n", - "9 \n", - "12 \n", - "19 \n", - "4 \n", - "6 \n", - "2 \n", - "16 \n", - "0 \n", - "27 \n", - "25 \n", - "23 \n", - "21 \n", - "18 \n", - "3 \n", - "7 \n", - "11 \n", - "22 \n", - "14 \n", - "1 \n", - "5 \n", - "30 \n", - "29 \n", - "17 \n", - "26 \n", - "10 \n", - "28 \n", - "13 \n", - "\n", - " ChatThreadId CommunicationType AADGroupId AccountName \\\n", - "35 crqerkikpjo@ld.fkaframbemji.pjb \n", - "32 crqerkikpjo@ld.fkaframbemji.pjb \n", - "59 crqerkikpjo@ld.fkaframbemji.pjb \n", - "41 crqerkikpjo@ld.fkaframbemji.pjb \n", - "43 crqerkikpjo@ld.fkaframbemji.pjb \n", - "48 crqerkikpjo@ld.fkaframbemji.pjb \n", - "39 crqerkikpjo@ld.fkaframbemji.pjb \n", - "51 crqerkikpjo@ld.fkaframbemji.pjb \n", - "40 crqerkikpjo@ld.fkaframbemji.pjb \n", - "56 crqerkikpjo@ld.fkaframbemji.pjb \n", - "47 crqerkikpjo@ld.fkaframbemji.pjb \n", - "38 crqerkikpjo@ld.fkaframbemji.pjb \n", - "31 crqerkikpjo@ld.fkaframbemji.pjb \n", - 
"46 crqerkikpjo@ld.fkaframbemji.pjb \n", - "50 crqerkikpjo@ld.fkaframbemji.pjb \n", - "60 crqerkikpjo@ld.fkaframbemji.pjb \n", - "58 crqerkikpjo@ld.fkaframbemji.pjb \n", - "53 crqerkikpjo@ld.fkaframbemji.pjb \n", - "55 crqerkikpjo@ld.fkaframbemji.pjb \n", - "37 crqerkikpjo@ld.fkaframbemji.pjb \n", - "45 crqerkikpjo@ld.fkaframbemji.pjb \n", - "42 crqerkikpjo@ld.fkaframbemji.pjb \n", - "52 crqerkikpjo@ld.fkaframbemji.pjb \n", - "49 crqerkikpjo@ld.fkaframbemji.pjb \n", - "54 crqerkikpjo@ld.fkaframbemji.pjb \n", - "36 crqerkikpjo@ld.fkaframbemji.pjb \n", - "44 crqerkikpjo@ld.fkaframbemji.pjb \n", - "34 crqerkikpjo@ld.fkaframbemji.pjb \n", - "57 crqerkikpjo@ld.fkaframbemji.pjb \n", - "33 crqerkikpjo@ld.fkaframbemji.pjb \n", - "24 crqerkikpjo@ld.fkaframbemji.pjb \n", - "20 crqerkikpjo@ld.fkaframbemji.pjb \n", - "15 crqerkikpjo@ld.fkaframbemji.pjb \n", - "8 crqerkikpjo@ld.fkaframbemji.pjb \n", - "9 crqerkikpjo@ld.fkaframbemji.pjb \n", - "12 crqerkikpjo@ld.fkaframbemji.pjb \n", - "19 crqerkikpjo@ld.fkaframbemji.pjb \n", - "4 crqerkikpjo@ld.fkaframbemji.pjb \n", - "6 crqerkikpjo@ld.fkaframbemji.pjb \n", - "2 crqerkikpjo@ld.fkaframbemji.pjb \n", - "16 crqerkikpjo@ld.fkaframbemji.pjb \n", - "0 crqerkikpjo@ld.fkaframbemji.pjb \n", - "27 crqerkikpjo@ld.fkaframbemji.pjb \n", - "25 crqerkikpjo@ld.fkaframbemji.pjb \n", - "23 crqerkikpjo@ld.fkaframbemji.pjb \n", - "21 crqerkikpjo@ld.fkaframbemji.pjb \n", - "18 crqerkikpjo@ld.fkaframbemji.pjb \n", - "3 crqerkikpjo@ld.fkaframbemji.pjb \n", - "7 crqerkikpjo@ld.fkaframbemji.pjb \n", - "11 crqerkikpjo@ld.fkaframbemji.pjb \n", - "22 crqerkikpjo@ld.fkaframbemji.pjb \n", - "14 crqerkikpjo@ld.fkaframbemji.pjb \n", - "1 crqerkikpjo@ld.fkaframbemji.pjb \n", - "5 crqerkikpjo@ld.fkaframbemji.pjb \n", - "30 crqerkikpjo@ld.fkaframbemji.pjb \n", - "29 crqerkikpjo@ld.fkaframbemji.pjb \n", - "17 crqerkikpjo@ld.fkaframbemji.pjb \n", - "26 crqerkikpjo@ld.fkaframbemji.pjb \n", - "10 crqerkikpjo@ld.fkaframbemji.pjb \n", - "28 
crqerkikpjo@ld.fkaframbemji.pjb \n", - "13 crqerkikpjo@ld.fkaframbemji.pjb \n", - "\n", - " Source \n", - "35 Office365 \n", - "32 Office365 \n", - "59 Office365 \n", - "41 Office365 \n", - "43 Office365 \n", - "48 Office365 \n", - "39 Office365 \n", - "51 Office365 \n", - "40 Office365 \n", - "56 Office365 \n", - "47 Office365 \n", - "38 Office365 \n", - "31 Office365 \n", - "46 Office365 \n", - "50 Office365 \n", - "60 Office365 \n", - "58 Office365 \n", - "53 Office365 \n", - "55 Office365 \n", - "37 Office365 \n", - "45 Office365 \n", - "42 Office365 \n", - "52 Office365 \n", - "49 Office365 \n", - "54 Office365 \n", - "36 Office365 \n", - "44 Office365 \n", - "34 Office365 \n", - "57 Office365 \n", - "33 Office365 \n", - "24 Office365 \n", - "20 Office365 \n", - "15 Office365 \n", - "8 Office365 \n", - "9 Office365 \n", - "12 Office365 \n", - "19 Office365 \n", - "4 Office365 \n", - "6 Office365 \n", - "2 Office365 \n", - "16 Office365 \n", - "0 Office365 \n", - "27 Office365 \n", - "25 Office365 \n", - "23 Office365 \n", - "21 Office365 \n", - "18 Office365 \n", - "3 Office365 \n", - "7 Office365 \n", - "11 Office365 \n", - "22 Office365 \n", - "14 Office365 \n", - "1 Office365 \n", - "5 Office365 \n", - "30 Office365 \n", - "29 Office365 \n", - "17 Office365 \n", - "26 Office365 \n", - "10 Office365 \n", - "28 Office365 \n", - "13 Office365 \n", - "\n", - "[61 rows x 118 columns]" + " Operation \n", + "1 Logon-Failure \n", + "2 Logon-Success \n", + "3 Logon-Unknown \n", + "4 Logon-Unknown \n", + "5 Logon-Unknown \n", + "6 Logon-Unknown \n", + "7 Logon-Unknown \n", + "8 Logon-Unknown \n", + "9 Logon-Unknown \n", + "10 Logon-Success \n", + "11 Logon-Unknown \n", + "12 Logon-Unknown \n", + "13 Logon-Unknown \n", + "14 Logon-Failure \n", + "15 Logon-Failure \n", + "16 Logon-Failure \n", + "17 Logon-Failure \n", + "18 Logon-Failure \n", + "19 Logon-Failure \n", + "20 Logon-Failure \n", + "21 Logon-Failure \n", + "22 Logon-Failure \n", + "23 Logon-Failure \n", + 
"24 Logon-Failure \n", + "25 Logon-Failure \n", + "26 Logon-Failure \n", + "27 Logon-Failure \n", + "28 Logon-Failure \n", + "29 Logon-Failure \n", + "30 Logon-Failure \n", + "31 Logon-Failure \n", + "32 Logon-Failure \n", + "33 Logon-Failure \n", + "34 Logon-Failure \n", + "35 Logon-Failure \n", + "36 Logon-Failure \n", + "37 Logon-Failure \n", + "38 Logon-Failure \n", + "39 Logon-Failure \n", + "40 Logon-Failure \n", + "41 Logon-Failure \n", + "42 Logon-Failure \n", + "43 Logon-Failure \n", + "44 Logon-Failure \n", + "45 Logon-Failure \n", + "46 Logon-Failure \n", + "47 Logon-Unknown \n", + "48 Logon-Unknown \n", + "49 Logon-Unknown \n", + "50 Logon-Failure \n", + "51 Logon-Failure \n", + "52 Logon-Failure \n", + "53 Logon-Failure \n", + "54 Logon-Failure \n", + "55 Logon-Failure \n", + "56 Logon-Failure \n", + "57 Logon-Failure \n", + "58 Logon-Failure \n", + "59 Logon-Failure \n", + "60 Logon-Failure \n", + "61 Logon-Failure \n", + "62 Logon-Failure \n", + "63 Logon-Failure \n", + "64 Logon-Failure \n", + "65 Logon-Failure \n", + "66 Logon-Failure \n", + "67 Logon-Failure \n", + "68 Logon-Failure \n", + "69 Logon-Failure \n", + "70 Logon-Failure \n", + "71 Logon-Failure \n", + "72 Logon-Failure \n", + "73 Logon-Failure \n", + "74 Logon-Failure \n", + "0 Logon-Unknown " ] }, "metadata": {}, @@ -5224,7 +3988,7 @@ { "data": { "text/html": [ - "

Related alerts


Found 5 different alert types related to this account
- Detected suspicious file download, # Alerts: 2
- Possible suspicious scheduling tasks access detected, # Alerts: 1
- SSH Anomalous Login ML, # Alerts: 20
- Security incident detected, # Alerts: 1
- Suspicious Activity Detected, # Alerts: 1

To show the alert timeline call the display_alert_time() method.
To browse the alerts call the browse_alerts() method." + "

Related alerts


Found 5 different alert types related to this account
- Detected suspicious file download, # Alerts: 2
- Possible suspicious scheduling tasks access detected, # Alerts: 1
- SSH Anomalous Login ML, # Alerts: 20
- Security incident detected, # Alerts: 1
- Suspicious Activity Detected, # Alerts: 1

To show the alert timeline call the display_alert_timeline() method.
To browse the alerts call the browse_alerts() method." ], "text/plain": [ "" @@ -5246,11 +4010,47 @@ }, "metadata": {}, "output_type": "display_data" + }, + { + "data": { + "text/html": [ + "


" + ], + "text/plain": [ + "" + ] + }, + "metadata": {}, + "output_type": "display_data" + }, + { + "data": { + "text/html": [ + "

Use result.notebooklet.get_additional_data() to retrieve more data.

" + ], + "text/plain": [ + "" + ] + }, + "metadata": {}, + "output_type": "display_data" + }, + { + "data": { + "text/html": [ + "

Additional methods for this class:
az_activity_timeline_by_ip - 'Display Azure activity timeline by IP address.'
az_activity_timeline_by_operation - 'Display Azure activity timeline by operation.'
az_activity_timeline_by_provider - 'Display Azure activity timeline by provider.'
browse_accounts - 'Return the accounts browser/viewer.'
browse_alerts - 'Return alert browser/viewer.'
browse_bookmarks - 'Return bookmark browser/viewer.'
display_alert_timeline - 'Display the alert timeline.'
get_additional_data - 'Find additional data for the selected account.'
get_geoip_map - 'Return Folium map of IP activity.'
host_logon_timeline - 'Display IP address summary.'
run - 'Return account activity summary.'
show_ip_summary - 'Display Azure activity timeline by operation.'

" + ], + "text/plain": [ + "" + ] + }, + "metadata": {}, + "output_type": "display_data" } ], "source": [ "acc_summary = nb.nblts.azsent.account.AccountSummary()\n", - "acc_summary_rslt = acc_summary.run(value=\"prt_ozamora@na.directenergy.com\", timespan=time_span)" + "acc_summary_rslt = acc_summary.run(value=\"user\", timespan=time_span)" ] }, { 
@@ -6500,440 +5300,607 @@ "name": "python", "nbconvert_exporter": "python", "pygments_lexer": "ipython3", - "version": "3.6.10" + "version": "3.7.10" }, "widgets": { "application/vnd.jupyter.widget-state+json": { "state": { - "004ed2c5db8f406db75c3b3a0d319606": { + "01e17ed1505d4f8ab463b79d47a35963": { + "model_module": "@jupyter-widgets/controls", + "model_module_version": "1.5.0", + "model_name": "TextModel", + "state": { + "description": "Filter:", + "layout": "IPY_MODEL_9e5667f141064618a46befcb508e86e6", + "style": "IPY_MODEL_2a800406a6e04fababf785317416c59e" + } + }, + "08bf48ef0fd24dac90be1117067540fd": { + "model_module": "@jupyter-widgets/controls", + "model_module_version": "1.5.0", + "model_name": "DescriptionStyleModel", + "state": { + "description_width": "" + } + }, + "152c2ca6c578455fb5c9c732767dd8ee": { + "model_module": "@jupyter-widgets/controls", + "model_module_version": "1.5.0", + "model_name": "DescriptionStyleModel", + "state": { + "description_width": "" + } + }, + "1dd4dfa5818d4e3b93093e2cda4ef5be": { + "model_module": "@jupyter-widgets/controls", + "model_module_version": "1.5.0", + "model_name": "DescriptionStyleModel", + "state": { + "description_width": "" + } + }, + "27d8f931f5b0444193cf24195a2f975e": { + "model_module": "@jupyter-widgets/controls", + "model_module_version": "1.5.0", + "model_name": "DescriptionStyleModel", + "state": { + "description_width": "" + } + }, + "2857bf02feac4fa1b23ed4e6c389076b": { "model_module": "@jupyter-widgets/base", "model_module_version": "1.2.0", "model_name": "LayoutModel", + "state": {} + }, + "2a800406a6e04fababf785317416c59e": { + "model_module": "@jupyter-widgets/controls", + "model_module_version": "1.5.0", + "model_name": "DescriptionStyleModel", "state": { - "height": "200px", - "width": "100%" + "description_width": "initial" + } + }, + "2c37ad10e99e485eb71ee85870848e50": { + "model_module": "@jupyter-widgets/controls", + "model_module_version": "1.5.0", + "model_name": "DatePickerModel", + 
"state": { + "description": "Origin Date", + "disabled": false, + "layout": "IPY_MODEL_6094150a3f8743a1ad697482f0ea122a", + "style": "IPY_MODEL_1dd4dfa5818d4e3b93093e2cda4ef5be", + "value": { + "date": 30, + "month": 3, + "year": 2021 + } } }, - "0b7ea944f2784fc084f51d2d1b187392": { + "367b2476a3ab4b8792cf9ef41df6e8dc": { "model_module": "@jupyter-widgets/controls", "model_module_version": "1.5.0", "model_name": "TextModel", "state": { - "description": "Query end time (UTC) : ", - "layout": "IPY_MODEL_1e08c6fb54874a48802a9ff58650275d", - "style": "IPY_MODEL_b3da25868b26486ca63a6983ce7dcc74", - "value": "2020-08-01 20:50:51.856183" + "description": "Time (24hr)", + "layout": "IPY_MODEL_de73ca3d6e4b4bde9735fc0feece83f8", + "style": "IPY_MODEL_5a6bfa561f9d4e979f2573f90a237db5", + "value": "02:46:12.661752" } }, - "0d2cccf0c5a742d0b9a748e92c5574ff": { + "3b0398f00a864b6fb84270582382a137": { "model_module": "@jupyter-widgets/base", "model_module_version": "1.2.0", "model_name": "LayoutModel", "state": { - "height": "200px", - "width": "100%" + "width": "100px" } }, - "141986884a2a4ebb97f4f5099c95eb9e": { + "3bf3fb74fb51464d927a7792af06cd2e": { "model_module": "@jupyter-widgets/controls", "model_module_version": "1.5.0", - "model_name": "TextModel", + "model_name": "VBoxModel", "state": { - "description": "Filter:", - "layout": "IPY_MODEL_87f246e7b439495fb8ef10f0669ef154", - "style": "IPY_MODEL_337e6566f2904151a4662ea822719e53" + "children": [ + "IPY_MODEL_efdad4b001684393ae10ff8b793d0d3a", + "IPY_MODEL_6567b10a342f44e2acd0a6eec6a31419", + "IPY_MODEL_9d9380106db141d8be33e47659bad07d" + ], + "layout": "IPY_MODEL_da66d6818c4f4dbba5996ae1174584eb" } }, - "1645d55e77a3479bb7a5fb4b5f5cfbea": { + "403a22aa846c426aa1ec4274676aa5e2": { "model_module": "@jupyter-widgets/controls", "model_module_version": "1.5.0", "model_name": "DescriptionStyleModel", "state": { - "description_width": "initial" + "description_width": "" } }, - "16af6192e54a4425b336a114c8d96233": { + 
"44d0de2da4e9462490558564dad67bca": { "model_module": "@jupyter-widgets/controls", "model_module_version": "1.5.0", - "model_name": "DatePickerModel", + "model_name": "DropdownModel", "state": { - "description": "Origin Date", - "disabled": false, - "layout": "IPY_MODEL_7796e25a060244649eac792143a6fa3e", - "style": "IPY_MODEL_7b63e4c15e044b108e3ccda7b2171a5b", - "value": { - "date": 31, - "month": 6, - "year": 2020 - } + "_options_labels": [ + "minute", + "hour", + "day", + "week" + ], + "index": 2, + "layout": "IPY_MODEL_eec283e8f3dd497ba2c7bf14f05065c7", + "style": "IPY_MODEL_e079ff19b08d4e168ced70b741c22af3" } }, - "1c62d9e9a1c54c2d8ef9eba3a860784c": { + "4e28fffea2d04f13a9de4f06a330f0ec": { + "model_module": "@jupyter-widgets/base", + "model_module_version": "1.2.0", + "model_name": "LayoutModel", + "state": {} + }, + "52704e1c8d2f4de48176c622072b3701": { "model_module": "@jupyter-widgets/controls", "model_module_version": "1.5.0", "model_name": "VBoxModel", "state": { "children": [ - "IPY_MODEL_da9d9532924d478e96b35227b3e06d29", - "IPY_MODEL_a1275b85ab524d689a734ec629912c18" + "IPY_MODEL_5679f4b465da45a89586ae1b272e6688", + "IPY_MODEL_8631da04697e49a19fe6ed6d36743ed2", + "IPY_MODEL_3bf3fb74fb51464d927a7792af06cd2e" ], - "layout": "IPY_MODEL_622cff11b7b44a039b94e0311ca969b7" + "layout": "IPY_MODEL_8ba0759f11694aa4b495e2c5bbfb0aeb" } }, - "1e08c6fb54874a48802a9ff58650275d": { + "52fb5eb9668142cf980926c925636650": { "model_module": "@jupyter-widgets/base", "model_module_version": "1.2.0", "model_name": "LayoutModel", "state": { - "width": "50%" + "height": "200px", + "width": "100%" } }, - "2226e3e946844a25806f14966f8d6223": { + "53097da4787740ef9826808e3d2af96a": { "model_module": "@jupyter-widgets/base", "model_module_version": "1.2.0", "model_name": "LayoutModel", "state": {} }, - "22e1df39712846fc90bb44d8543b2762": { + "54af7aae77c24be88f8434eac09392cd": { + "model_module": "@jupyter-widgets/base", + "model_module_version": "1.2.0", + "model_name": 
"LayoutModel", + "state": { + "width": "50%" + } + }, + "56737be7d3934fe299f6add8d91342a4": { "model_module": "@jupyter-widgets/controls", "model_module_version": "1.5.0", - "model_name": "SelectModel", + "model_name": "DescriptionStyleModel", "state": { - "_options_labels": [ - "SecurityEvent - 08d69bf66806 (1) - LastUpdated 2020-04-01T17:35:17Z", - "SecurityEvent - 08d69bf66806 - LastUpdated 2020-04-01T17:35:15Z", - "SecurityEvent - 08d69bf66806 (2) - LastUpdated 2020-04-01T17:35:22Z", - "SecurityEvent - 08d69bf66806 (3) - LastUpdated 2020-04-01T17:35:27Z", - "SecurityEvent - 08d69bf66806 (4) - LastUpdated 2020-04-01T17:35:28Z", - "TEST - Arash (2) - LastUpdated 2019-09-24T19:50:51Z", - " Test - 0e8267d9d855 - LastUpdated 2019-09-16T19:41:05Z", - " Test - 0e8267d9d855 (1) - LastUpdated 2019-09-16T19:41:07Z", - " Test - 54cfd9b64e9f - LastUpdated 2019-09-16T19:42:57Z", - " Test - 54cfd9b64e9f (1) - LastUpdated 2019-09-16T19:43:00Z" - ], - "description": "Select an item", - "index": 2, - "layout": "IPY_MODEL_004ed2c5db8f406db75c3b3a0d319606", - "style": "IPY_MODEL_5b25a3bfa85745838d9e5c76bed85ab1" + "description_width": "initial" } }, - "31ffac2e002d4da09498022662f7a628": { + "5679f4b465da45a89586ae1b272e6688": { "model_module": "@jupyter-widgets/controls", "model_module_version": "1.5.0", - "model_name": "IntRangeSliderModel", + "model_name": "HTMLModel", "state": { - "_model_name": "IntRangeSliderModel", - "_view_name": "IntRangeSliderView", - "description": "Time Range (day):", - "layout": "IPY_MODEL_d43307c5552d4cabbcc26cea2fa42960", - "max": 7, - "min": -7, - "style": "IPY_MODEL_3d70146ea61347a48e37d1d395e69cea", - "value": [ - -1, - 1 - ] + "layout": "IPY_MODEL_53097da4787740ef9826808e3d2af96a", + "style": "IPY_MODEL_27d8f931f5b0444193cf24195a2f975e", + "value": "

Set query time boundaries

" } }, - "337e6566f2904151a4662ea822719e53": { + "58f5b1b1f29f4c8e8ad8abedf048d2ec": { "model_module": "@jupyter-widgets/controls", "model_module_version": "1.5.0", - "model_name": "DescriptionStyleModel", + "model_name": "HBoxModel", "state": { - "description_width": "initial" + "children": [ + "IPY_MODEL_ebfb6f285281424689521d3833dfc706", + "IPY_MODEL_44d0de2da4e9462490558564dad67bca" + ], + "layout": "IPY_MODEL_d92f3f847b8045a9b4b814ff93b03d49" } }, - "3a4acf2e34b64fc6b5920952477ffe3f": { - "model_module": "@jupyter-widgets/base", - "model_module_version": "1.2.0", - "model_name": "LayoutModel", + "5a6bfa561f9d4e979f2573f90a237db5": { + "model_module": "@jupyter-widgets/controls", + "model_module_version": "1.5.0", + "model_name": "DescriptionStyleModel", "state": { - "width": "50%" + "description_width": "" } }, - "3af261f257bb43b2ae6b976e4f9fee84": { + "6094150a3f8743a1ad697482f0ea122a": { "model_module": "@jupyter-widgets/base", "model_module_version": "1.2.0", "model_name": "LayoutModel", "state": {} }, - "3cdbc2993f0f495da285450b82a9a9b0": { + "6567b10a342f44e2acd0a6eec6a31419": { "model_module": "@jupyter-widgets/controls", "model_module_version": "1.5.0", - "model_name": "VBoxModel", + "model_name": "TextModel", + "state": { + "description": "Query start time (UTC):", + "layout": "IPY_MODEL_df62c161ec8f4615914d81cf27a4ba00", + "style": "IPY_MODEL_56737be7d3934fe299f6add8d91342a4", + "value": "2021-04-29 02:46:12.661752" + } + }, + "6ba9467e016c4d0f8c9e46e241450405": { + "model_module": "@jupyter-widgets/controls", + "model_module_version": "1.5.0", + "model_name": "HBoxModel", "state": { "children": [ - "IPY_MODEL_141986884a2a4ebb97f4f5099c95eb9e", - "IPY_MODEL_fcf4e8b41953457c969e4db834f425d7" + "IPY_MODEL_a735532fbb1742baa1a1847cdae8d79c", + "IPY_MODEL_7145b63a078e434191b2c75ee1e2145e" ], - "layout": "IPY_MODEL_626caef9f3614066afa9fe8f7f615430" + "layout": "IPY_MODEL_4e28fffea2d04f13a9de4f06a330f0ec" } }, - "3d70146ea61347a48e37d1d395e69cea": { + 
"6dd3b9c68826408081c3df6f9e980c6c": { "model_module": "@jupyter-widgets/controls", "model_module_version": "1.5.0", - "model_name": "SliderStyleModel", + "model_name": "HTMLModel", "state": { - "description_width": "initial" + "layout": "IPY_MODEL_9f2edc43d742493cb3ca7d8a1a78f1f8", + "style": "IPY_MODEL_403a22aa846c426aa1ec4274676aa5e2", + "value": "

Set time range for pivot functions.

" } }, - "40763aee53144837b20e54549ff9d9c6": { + "7145b63a078e434191b2c75ee1e2145e": { "model_module": "@jupyter-widgets/controls", "model_module_version": "1.5.0", - "model_name": "HTMLModel", + "model_name": "TextModel", "state": { - "layout": "IPY_MODEL_3af261f257bb43b2ae6b976e4f9fee84", - "style": "IPY_MODEL_4718a3decc584587b1ab5de0c24abb6e", - "value": "

Set query time boundaries

" + "description": "Time (24hr)", + "layout": "IPY_MODEL_8929cf618c7e4f759a152d795ccaa5d6", + "style": "IPY_MODEL_152c2ca6c578455fb5c9c732767dd8ee", + "value": "02:44:39.380327" } }, - "4718a3decc584587b1ab5de0c24abb6e": { + "742457c4b9d7424ea292069a9b0322c9": { "model_module": "@jupyter-widgets/controls", "model_module_version": "1.5.0", - "model_name": "DescriptionStyleModel", + "model_name": "TextModel", "state": { - "description_width": "" + "description": "Query start time (UTC):", + "layout": "IPY_MODEL_d1ef4be34e664be8babc3e6e6cc00e46", + "style": "IPY_MODEL_e08cc16c5a174f63861c0446cbac9a2a", + "value": "2021-04-29 02:44:39.380327" + } + }, + "744fce91ce57460e83bb48f5e56d017d": { + "model_module": "@jupyter-widgets/base", + "model_module_version": "1.2.0", + "model_name": "LayoutModel", + "state": { + "width": "70%" + } + }, + "7a5a34a6e98b4cea81270b2cf5af9c9e": { + "model_module": "@jupyter-widgets/base", + "model_module_version": "1.2.0", + "model_name": "LayoutModel", + "state": { + "width": "95%" } }, - "4ab865ea1c82425890774899f13b0e9f": { + "7b3a56ddfcab4cb0b118eea7ac37e193": { "model_module": "@jupyter-widgets/controls", "model_module_version": "1.5.0", "model_name": "VBoxModel", "state": { "children": [ - "IPY_MODEL_31ffac2e002d4da09498022662f7a628", - "IPY_MODEL_96271d59440c4ca2bb030b88ee3fd4b9", - "IPY_MODEL_0b7ea944f2784fc084f51d2d1b187392" + "IPY_MODEL_6dd3b9c68826408081c3df6f9e980c6c", + "IPY_MODEL_6ba9467e016c4d0f8c9e46e241450405", + "IPY_MODEL_a94ef95f57b14338bd3437a27b4aa36e" ], - "layout": "IPY_MODEL_98968fb8244b4f88be333393cdb1aefd" + "layout": "IPY_MODEL_aa65ea99e58d4805a1e48a49c1a87d30" } }, - "4c12732c1a904514a25129f9e62a48ce": { + "8631da04697e49a19fe6ed6d36743ed2": { "model_module": "@jupyter-widgets/controls", "model_module_version": "1.5.0", "model_name": "HBoxModel", "state": { "children": [ - "IPY_MODEL_16af6192e54a4425b336a114c8d96233", - "IPY_MODEL_8f015001ed8047d792460f0006415833" + "IPY_MODEL_2c37ad10e99e485eb71ee85870848e50", 
+ "IPY_MODEL_367b2476a3ab4b8792cf9ef41df6e8dc" ], - "layout": "IPY_MODEL_c99a04cfc83c4f7e9cf3c2d7a2205666" + "layout": "IPY_MODEL_8e7397ffd0e04380bfdfc702f57da1d1" } }, - "5b25a3bfa85745838d9e5c76bed85ab1": { - "model_module": "@jupyter-widgets/controls", - "model_module_version": "1.5.0", - "model_name": "DescriptionStyleModel", - "state": { - "description_width": "initial" - } + "880b872a7c4e4f1bbd6bd92813cda728": { + "model_module": "@jupyter-widgets/base", + "model_module_version": "1.2.0", + "model_name": "LayoutModel", + "state": {} }, - "622cff11b7b44a039b94e0311ca969b7": { + "8929cf618c7e4f759a152d795ccaa5d6": { "model_module": "@jupyter-widgets/base", "model_module_version": "1.2.0", "model_name": "LayoutModel", "state": {} }, - "62525d1a43544b2e82948559d26012e0": { + "8ba0759f11694aa4b495e2c5bbfb0aeb": { "model_module": "@jupyter-widgets/base", "model_module_version": "1.2.0", "model_name": "LayoutModel", - "state": { - "width": "95%" - } + "state": {} }, - "626caef9f3614066afa9fe8f7f615430": { + "8e7397ffd0e04380bfdfc702f57da1d1": { "model_module": "@jupyter-widgets/base", "model_module_version": "1.2.0", "model_name": "LayoutModel", "state": {} }, - "694d0535e7f64f29bf8e335af769d0d3": { + "9b5cdc7f7bb840e2bf03f104e562e101": { "model_module": "@jupyter-widgets/controls", "model_module_version": "1.5.0", - "model_name": "DescriptionStyleModel", + "model_name": "SliderStyleModel", "state": { "description_width": "initial" } }, - "731cdf2bfdc140ab9052ef94b7478d1e": { - "model_module": "@jupyter-widgets/base", - "model_module_version": "1.2.0", - "model_name": "LayoutModel", + "9d9380106db141d8be33e47659bad07d": { + "model_module": "@jupyter-widgets/controls", + "model_module_version": "1.5.0", + "model_name": "TextModel", "state": { - "height": "300px", - "width": "95%" + "description": "Query end time (UTC) : ", + "layout": "IPY_MODEL_54af7aae77c24be88f8434eac09392cd", + "style": "IPY_MODEL_e14c4950075e441daa210ace9106ccfe", + "value": "2021-05-01 
02:46:12.661752" } }, - "7796e25a060244649eac792143a6fa3e": { + "9e5667f141064618a46befcb508e86e6": { "model_module": "@jupyter-widgets/base", "model_module_version": "1.2.0", "model_name": "LayoutModel", "state": {} }, - "7b63e4c15e044b108e3ccda7b2171a5b": { + "9e6b152b8474440ab02cefb682765e25": { "model_module": "@jupyter-widgets/controls", "model_module_version": "1.5.0", - "model_name": "DescriptionStyleModel", + "model_name": "DropdownModel", "state": { - "description_width": "" + "_options_labels": [ + "minute", + "hour", + "day", + "week" + ], + "index": 2, + "layout": "IPY_MODEL_3b0398f00a864b6fb84270582382a137", + "style": "IPY_MODEL_08bf48ef0fd24dac90be1117067540fd" } }, - "87f246e7b439495fb8ef10f0669ef154": { + "9f2edc43d742493cb3ca7d8a1a78f1f8": { "model_module": "@jupyter-widgets/base", "model_module_version": "1.2.0", "model_name": "LayoutModel", "state": {} }, - "8b706469646344e592b0909ee3533bdf": { + "a1a23b1125e14533b39c8e869d878212": { "model_module": "@jupyter-widgets/controls", "model_module_version": "1.5.0", - "model_name": "DescriptionStyleModel", + "model_name": "VBoxModel", + "state": { + "children": [ + "IPY_MODEL_01e17ed1505d4f8ab463b79d47a35963", + "IPY_MODEL_adbe10a1512f4d6384f4ac845c8809be" + ], + "layout": "IPY_MODEL_b9321ea8cdcd4554b84368070e7b6239" + } + }, + "a55731dbbbb6431f89a32a88b5ea19cb": { + "model_module": "@jupyter-widgets/controls", + "model_module_version": "1.5.0", + "model_name": "SliderStyleModel", "state": { "description_width": "initial" } }, - "8f015001ed8047d792460f0006415833": { + "a735532fbb1742baa1a1847cdae8d79c": { "model_module": "@jupyter-widgets/controls", "model_module_version": "1.5.0", - "model_name": "TextModel", + "model_name": "DatePickerModel", "state": { - "description": "Time (24hr)", - "layout": "IPY_MODEL_f6d22e1aedf8484bb3422d05ba69f04d", - "style": "IPY_MODEL_f6af26d3e02b4b28b07726fd07b78121", - "value": "20:50:51.856183" + "description": "Origin Date", + "disabled": false, + "layout": 
"IPY_MODEL_baceace52f604f20bd6d4000e94b21ec", + "style": "IPY_MODEL_e26f572cd6b545038e38520d1ce14fb8", + "value": { + "date": 30, + "month": 3, + "year": 2021 + } } }, - "96271d59440c4ca2bb030b88ee3fd4b9": { + "a94ef95f57b14338bd3437a27b4aa36e": { "model_module": "@jupyter-widgets/controls", "model_module_version": "1.5.0", - "model_name": "TextModel", + "model_name": "VBoxModel", "state": { - "description": "Query start time (UTC):", - "layout": "IPY_MODEL_3a4acf2e34b64fc6b5920952477ffe3f", - "style": "IPY_MODEL_e767f8e2d72e45e480879491519762c8", - "value": "2020-07-30 20:50:51.856183" + "children": [ + "IPY_MODEL_58f5b1b1f29f4c8e8ad8abedf048d2ec", + "IPY_MODEL_742457c4b9d7424ea292069a9b0322c9", + "IPY_MODEL_e5fd10fcc8f54aa286e2b750738d6eba" + ], + "layout": "IPY_MODEL_880b872a7c4e4f1bbd6bd92813cda728" } }, - "98968fb8244b4f88be333393cdb1aefd": { + "aa65ea99e58d4805a1e48a49c1a87d30": { "model_module": "@jupyter-widgets/base", "model_module_version": "1.2.0", "model_name": "LayoutModel", "state": {} }, - "9cf7d9e47b704f0f9f89ccf781a15a68": { - "model_module": "@jupyter-widgets/base", - "model_module_version": "1.2.0", - "model_name": "LayoutModel", - "state": {} + "ad5532ff3cd14ff6b3d3a53bcff6c0f0": { + "model_module": "@jupyter-widgets/controls", + "model_module_version": "1.5.0", + "model_name": "DescriptionStyleModel", + "state": { + "description_width": "initial" + } }, - "a1275b85ab524d689a734ec629912c18": { + "adbe10a1512f4d6384f4ac845c8809be": { "model_module": "@jupyter-widgets/controls", "model_module_version": "1.5.0", "model_name": "SelectModel", "state": { "_options_labels": [ - "2019-02-13 02:50:38 - Security incident detected - (MSTICALERTSLXVM2) - [id:2518522745615999999_30ac5794-a265-4420-a1b7-6335ac08e2c0]", - "2019-02-15 03:50:55 - Detected suspicious file download - (MSTICALERTSLXVM2) - [id:2518520981440769999_caab1270-55d3-4447-8618-16cf8672e4e1]", - "2019-02-15 04:03:22 - Possible suspicious scheduling tasks access detected - (MSTICALERTSLXVM2) 
- [id:2518520973978269999_57b6af71-984e-45f3-9aac-d6bbd79eed07]", - "2019-02-15 19:55:10 - Suspicious Activity Detected - () - [id:2518520402897969999_b946cd89-667e-4ce7-b571-9603859a7234]", - "2019-02-16 03:23:54 - Detected suspicious file download - (MSTICALERTSLXVM2) - [id:2518520133657099999_384e00d0-4afc-4e9a-8935-bec64d3951a4]", - "2019-02-16 20:49:59 - SSH Anomalous Login ML - () - [id:cf3d882a-3dc8-4526-80f0-0962b8d480c1]", - "2019-02-16 21:24:02 - SSH Anomalous Login ML - () - [id:9e25fa59-032f-42be-b8a1-495b773d6ef8]", - "2019-02-16 23:09:02 - SSH Anomalous Login ML - () - [id:2007a3bf-db86-4a2e-ab4c-240660c6820a]", - "2019-02-16 23:14:02 - SSH Anomalous Login ML - () - [id:52f884eb-4193-43e7-9e3a-63889edbfb04]", - "2019-02-16 23:29:02 - SSH Anomalous Login ML - () - [id:3f756526-328e-4dc2-badb-304acded79fe]", - "2019-02-18 01:09:02 - SSH Anomalous Login ML - () - [id:dbd390dc-7a94-47e4-83e4-60a390e4073c]", - "2019-02-18 01:14:02 - SSH Anomalous Login ML - () - [id:64a2b4af-c3d7-422c-820b-7f1feb664222]", - "2019-02-18 01:19:02 - SSH Anomalous Login ML - () - [id:3968ef4e-b322-48ca-b297-e984aff8888d]", - "2019-02-18 01:24:02 - SSH Anomalous Login ML - () - [id:41f1f6b6-d2ea-4821-9659-0cfab6558cec]", - "2019-02-18 01:29:02 - SSH Anomalous Login ML - () - [id:214e5829-1a76-445b-845e-bf9ce81c3d4c]", - "2019-02-18 01:33:19 - SSH Anomalous Login ML - () - [id:8f622935-1422-41e6-b8f6-9119e681645c]", - "2019-02-18 01:34:02 - SSH Anomalous Login ML - () - [id:770459f6-d5ca-4561-a5fe-0911c64d3ace]", - "2019-02-18 01:39:02 - SSH Anomalous Login ML - () - [id:5dc33495-46c1-4232-9031-1cfa67c36724]", - "2019-02-18 01:44:02 - SSH Anomalous Login ML - () - [id:2de58958-55b0-4f0c-8113-063c815248a0]", - "2019-02-18 01:44:02 - SSH Anomalous Login ML - () - [id:95fb8ee8-479d-4b5f-b061-0b76946c9f4f]", - "2019-02-18 01:44:02 - SSH Anomalous Login ML - () - [id:e7a2c7ee-f8aa-4684-805d-72041ea18cf7]", - "2019-02-18 01:49:02 - SSH Anomalous Login ML - () - 
[id:a17c8522-f069-4943-8783-171654d0de7c]", - "2019-02-18 01:49:02 - SSH Anomalous Login ML - () - [id:3a78a119-abe9-4b5e-9786-300ddcfd9530]", - "2019-02-18 01:49:02 - SSH Anomalous Login ML - () - [id:f1ce87ca-8863-4a66-a0bd-a4d3776a7c64]", - "2019-02-18 03:14:21 - SSH Anomalous Login ML - () - [id:69a87b55-b6a5-4e58-8101-906a4051e29a]" + "1234 Linux (Last activity: 2020-05-06 00:40:30.287000+00:00)", + "Admin Linux (Last activity: 2020-05-06 00:40:34.887000+00:00)", + "Administrator Linux (Last activity: 2020-05-06 00:40:24.070000+00:00)", + "admin Linux (Last activity: 2020-05-06 01:49:30.043000+00:00)", + "crqerkikpjo@ld.fkaframbemji.pjb AzureActiveDirectory (Last activity: 2020-07-29 15:54:23.981000+00:00)", + "crqerkikpjo@ld.fkaframbemji.pjb Office365 (Last activity: 2020-07-29 12:44:02+00:00)", + "guest Linux (Last activity: 2020-05-06 01:48:40.123000+00:00)", + "operator Linux (Last activity: 2020-05-06 01:48:28.383000+00:00)", + "peteb Linux (Last activity: 2020-05-06 01:44:45.327000+00:00)", + "root Linux (Last activity: 2020-05-06 01:58:13.857000+00:00)", + "support Linux (Last activity: 2020-05-06 01:48:41.643000+00:00)", + "test Linux (Last activity: 2020-05-06 01:48:29.977000+00:00)", + "tester Linux (Last activity: 2020-05-06 01:11:44.757000+00:00)", + "ubnt Linux (Last activity: 2020-05-06 01:48:37.660000+00:00)", + "user Linux (Last activity: 2020-05-06 01:48:21.950000+00:00)" ], - "description": "Select alert :", - "index": 4, - "layout": "IPY_MODEL_731cdf2bfdc140ab9052ef94b7478d1e", - "style": "IPY_MODEL_1645d55e77a3479bb7a5fb4b5f5cfbea" + "description": "Select an account to explore", + "index": 0, + "layout": "IPY_MODEL_52fb5eb9668142cf980926c925636650", + "style": "IPY_MODEL_ea39ff2a40db4422a1047c9c9c73be5b" + } + }, + "b83a23aee9924115a5d40ce16b7e6a7e": { + "model_module": "@jupyter-widgets/base", + "model_module_version": "1.2.0", + "model_name": "LayoutModel", + "state": { + "width": "70%" } }, - "b3da25868b26486ca63a6983ce7dcc74": { + 
"b9321ea8cdcd4554b84368070e7b6239": { + "model_module": "@jupyter-widgets/base", + "model_module_version": "1.2.0", + "model_name": "LayoutModel", + "state": {} + }, + "baceace52f604f20bd6d4000e94b21ec": { + "model_module": "@jupyter-widgets/base", + "model_module_version": "1.2.0", + "model_name": "LayoutModel", + "state": {} + }, + "c2c4c7894868427db464eba3da3c7319": { "model_module": "@jupyter-widgets/controls", "model_module_version": "1.5.0", - "model_name": "DescriptionStyleModel", + "model_name": "IntRangeSliderModel", "state": { - "description_width": "initial" + "_model_name": "IntRangeSliderModel", + "_view_name": "IntRangeSliderView", + "description": "Time Range", + "layout": "IPY_MODEL_b83a23aee9924115a5d40ce16b7e6a7e", + "max": 4, + "min": -4, + "style": "IPY_MODEL_9b5cdc7f7bb840e2bf03f104e562e101", + "value": [ + -1, + 1 + ] } }, - "c99a04cfc83c4f7e9cf3c2d7a2205666": { + "d1ef4be34e664be8babc3e6e6cc00e46": { "model_module": "@jupyter-widgets/base", "model_module_version": "1.2.0", "model_name": "LayoutModel", - "state": {} + "state": { + "width": "50%" + } }, - "d43307c5552d4cabbcc26cea2fa42960": { + "d5178ec542f140e59b7b68c6c1a2b20c": { "model_module": "@jupyter-widgets/base", "model_module_version": "1.2.0", "model_name": "LayoutModel", "state": { - "width": "80%" + "width": "50%" } }, - "d4ff4ab7b47c46bf9481bb4d8efb868e": { + "d92f3f847b8045a9b4b814ff93b03d49": { + "model_module": "@jupyter-widgets/base", + "model_module_version": "1.2.0", + "model_name": "LayoutModel", + "state": {} + }, + "da66d6818c4f4dbba5996ae1174584eb": { + "model_module": "@jupyter-widgets/base", + "model_module_version": "1.2.0", + "model_name": "LayoutModel", + "state": {} + }, + "de73ca3d6e4b4bde9735fc0feece83f8": { "model_module": "@jupyter-widgets/base", "model_module_version": "1.2.0", "model_name": "LayoutModel", "state": {} }, - "da9d9532924d478e96b35227b3e06d29": { + "df62c161ec8f4615914d81cf27a4ba00": { + "model_module": "@jupyter-widgets/base", + 
"model_module_version": "1.2.0", + "model_name": "LayoutModel", + "state": { + "width": "50%" + } + }, + "e079ff19b08d4e168ced70b741c22af3": { "model_module": "@jupyter-widgets/controls", "model_module_version": "1.5.0", - "model_name": "TextModel", + "model_name": "DescriptionStyleModel", "state": { - "description": "Filter alerts by title:", - "layout": "IPY_MODEL_d4ff4ab7b47c46bf9481bb4d8efb868e", - "style": "IPY_MODEL_eef9f7a7598f4260ae1d1fd966c5230e" + "description_width": "" } }, - "db291c70fd304be5911176dfa2ee09c2": { + "e08cc16c5a174f63861c0446cbac9a2a": { "model_module": "@jupyter-widgets/controls", "model_module_version": "1.5.0", - "model_name": "TextModel", + "model_name": "DescriptionStyleModel", "state": { - "description": "Filter:", - "layout": "IPY_MODEL_2226e3e946844a25806f14966f8d6223", - "style": "IPY_MODEL_694d0535e7f64f29bf8e335af769d0d3" + "description_width": "initial" } }, - "db9865aa952842db8201c683344c20c8": { + "e14c4950075e441daa210ace9106ccfe": { "model_module": "@jupyter-widgets/controls", "model_module_version": "1.5.0", - "model_name": "VBoxModel", + "model_name": "DescriptionStyleModel", "state": { - "children": [ - "IPY_MODEL_db291c70fd304be5911176dfa2ee09c2", - "IPY_MODEL_22e1df39712846fc90bb44d8543b2762" - ], - "layout": "IPY_MODEL_9cf7d9e47b704f0f9f89ccf781a15a68" + "description_width": "initial" } }, - "e767f8e2d72e45e480879491519762c8": { + "e26f572cd6b545038e38520d1ce14fb8": { "model_module": "@jupyter-widgets/controls", "model_module_version": "1.5.0", "model_name": "DescriptionStyleModel", "state": { - "description_width": "initial" + "description_width": "" } }, - "eef9f7a7598f4260ae1d1fd966c5230e": { + "e5fd10fcc8f54aa286e2b750738d6eba": { + "model_module": "@jupyter-widgets/controls", + "model_module_version": "1.5.0", + "model_name": "TextModel", + "state": { + "description": "Query end time (UTC) : ", + "layout": "IPY_MODEL_d5178ec542f140e59b7b68c6c1a2b20c", + "style": "IPY_MODEL_ad5532ff3cd14ff6b3d3a53bcff6c0f0", + 
"value": "2021-04-30 02:44:39.380327" + } + }, + "ea39ff2a40db4422a1047c9c9c73be5b": { "model_module": "@jupyter-widgets/controls", "model_module_version": "1.5.0", "model_name": "DescriptionStyleModel", 
@@ -6941,46 +5908,50 @@ "description_width": "initial" } }, - "f6af26d3e02b4b28b07726fd07b78121": { + "ebfb6f285281424689521d3833dfc706": { "model_module": "@jupyter-widgets/controls", "model_module_version": "1.5.0", - "model_name": "DescriptionStyleModel", + "model_name": "IntRangeSliderModel", "state": { - "description_width": "" + "_model_name": "IntRangeSliderModel", + "_view_name": "IntRangeSliderView", + "description": "Time Range", + "layout": "IPY_MODEL_744fce91ce57460e83bb48f5e56d017d", + "max": 4, + "min": -4, + "style": "IPY_MODEL_a55731dbbbb6431f89a32a88b5ea19cb", + "value": [ + -1, + 0 + ] } }, - "f6d22e1aedf8484bb3422d05ba69f04d": { + "ed958271651346ccaf3c5128dbea901a": { "model_module": "@jupyter-widgets/base", "model_module_version": "1.2.0", "model_name": "LayoutModel", - "state": {} + "state": { + "width": "95%" + } + }, + "eec283e8f3dd497ba2c7bf14f05065c7": { + "model_module": "@jupyter-widgets/base", + "model_module_version": "1.2.0", + "model_name": "LayoutModel", + "state": { + "width": "100px" + } }, - "fcf4e8b41953457c969e4db834f425d7": { + "efdad4b001684393ae10ff8b793d0d3a": { "model_module": "@jupyter-widgets/controls", "model_module_version": "1.5.0", - "model_name": "SelectModel", + "model_name": "HBoxModel", "state": { - "_options_labels": [ - "1234 Linux (Last activity: 2020-05-06 00:40:30.287000)", - "Admin Linux (Last activity: 2020-05-06 00:40:34.887000)", - "Administrator Linux (Last activity: 2020-05-06 00:40:24.070000)", - "admin Linux (Last activity: 2020-05-06 01:49:30.043000)", - "crqerkikpjo@ld.fkaframbemji.pjb AzureActiveDirectory (Last activity: 2020-07-29 15:54:23.981000+00:00)", - "crqerkikpjo@ld.fkaframbemji.pjb Office365 (Last activity: 2020-07-29 12:44:02+00:00)", - "guest Linux (Last activity: 2020-05-06 01:48:40.123000)", - "operator Linux (Last activity: 2020-05-06 01:48:28.383000)", - "peteb Linux (Last activity: 2020-05-06 01:44:45.327000)", - "root Linux (Last activity: 2020-05-06 01:58:13.857000)", - "support 
Linux (Last activity: 2020-05-06 01:48:41.643000)", - "test Linux (Last activity: 2020-05-06 01:48:29.977000)", - "tester Linux (Last activity: 2020-05-06 01:11:44.757000)", - "ubnt Linux (Last activity: 2020-05-06 01:48:37.660000)", - "user Linux (Last activity: 2020-05-06 01:48:21.950000)" + "children": [ + "IPY_MODEL_c2c4c7894868427db464eba3da3c7319", + "IPY_MODEL_9e6b152b8474440ab02cefb682765e25" ], - "description": "Select an account to explore", - "index": 5, - "layout": "IPY_MODEL_0d2cccf0c5a742d0b9a748e92c5574ff", - "style": "IPY_MODEL_8b706469646344e592b0909ee3533bdf" + "layout": "IPY_MODEL_2857bf02feac4fa1b23ed4e6c389076b" } } }, diff --git a/docs/notebooks/IpSummary.ipynb b/docs/notebooks/IpSummary.ipynb new file mode 100644 index 0000000..77d7d56 --- /dev/null +++ b/docs/notebooks/IpSummary.ipynb @@ -0,0 +1,2105 @@ +{ + "cells": [ + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "# IP Summary" + ] + }, + { + "cell_type": "code", + "execution_count": 1, + "metadata": { + "ExecuteTime": { + "end_time": "2020-02-28T21:13:24.369073Z", + "start_time": "2020-02-28T21:13:24.260137Z" + } + }, + "outputs": [ + { + "data": { + "text/html": [ + "

Starting Notebook initialization...

" + ], + "text/plain": [ + "" + ] + }, + "metadata": {}, + "output_type": "display_data" + }, + { + "data": { + "text/html": [ + "msticpy version installed: 1.1.0 latest published: 1.0.0
Latest version is installed.

" + ], + "text/plain": [ + "" + ] + }, + "metadata": {}, + "output_type": "display_data" + }, + { + "data": { + "text/html": [ + "Processing imports....
" + ], + "text/plain": [ + "" + ] + }, + "metadata": {}, + "output_type": "display_data" + }, + { + "data": { + "text/html": [ + "Imported: pd (pandas), IPython.get_ipython, IPython.display.display, IPython.display.HTML, IPython.display.Markdown, widgets (ipywidgets), pathlib.Path, plt (matplotlib.pyplot), matplotlib.MatplotlibDeprecationWarning, sns (seaborn), np (numpy), msticpy.data.QueryProvider, msticpy.nbtools.foliummap.FoliumMap, msticpy.common.utility.md, msticpy.common.utility.md_warn, msticpy.common.wsconfig.WorkspaceConfig, msticpy.datamodel.pivot.Pivot, msticpy.datamodel.entities
" + ], + "text/plain": [ + "" + ] + }, + "metadata": {}, + "output_type": "display_data" + }, + { + "data": { + "text/html": [ + "Checking configuration....
" + ], + "text/plain": [ + "" + ] + }, + "metadata": {}, + "output_type": "display_data" + }, + { + "data": { + "text/html": [ + "Setting notebook options....
" + ], + "text/plain": [ + "" + ] + }, + "metadata": {}, + "output_type": "display_data" + }, + { + "data": { + "text/html": [ + "
" + ], + "text/plain": [ + "" + ] + }, + "metadata": {}, + "output_type": "display_data" + }, + { + "data": { + "text/html": [ + "

Notebook initialization complete

" + ], + "text/plain": [ + "" + ] + }, + "metadata": {}, + "output_type": "display_data" + } + ], + "source": [ + "import sys\n", + "import os\n", + "from IPython.display import display, HTML, Markdown\n", + "\n", + "from msticpy.nbtools.nbinit import init_notebook\n", + "init_notebook(namespace=globals());" + ] + }, + { + "cell_type": "code", + "execution_count": 2, + "metadata": {}, + "outputs": [ + { + "name": "stdout", + "output_type": "stream", + "text": [ + "Notebooklets: 8 notebooklets loaded.\n" + ] + } + ], + "source": [ + "import msticnb as nb" + ] + }, + { + "cell_type": "code", + "execution_count": 3, + "metadata": {}, + "outputs": [ + { + "name": "stdout", + "output_type": "stream", + "text": [ + "Please wait. Loading Kqlmagic extension...\n" + ] + }, + { + "data": { + "text/html": [ + "\n", + " \n", + " \n", + " " + ], + "text/plain": [ + "" + ] + }, + "metadata": {}, + "output_type": "display_data" + }, + { + "data": { + "text/html": [ + "\n", + "This product includes GeoLite2 data created by MaxMind, available from\n", + "https://www.maxmind.com.\n" + ], + "text/plain": [ + "" + ] + }, + "metadata": {}, + "output_type": "display_data" + }, + { + "name": "stdout", + "output_type": "stream", + "text": [ + "Using Open PageRank. See https://www.domcop.com/openpagerank/what-is-openpagerank\n", + "Notebooklets: Loaded providers: AzureSentinel, geolitelookup, tilookup\n", + "Using Open PageRank. 
See https://www.domcop.com/openpagerank/what-is-openpagerank\n" + ] + }, + { + "data": { + "text/html": [ + "\n", + "This library uses services provided by ipstack.\n", + "https://ipstack.com" + ], + "text/plain": [ + "" + ] + }, + "metadata": {}, + "output_type": "display_data" + } + ], + "source": [ + "nb.init(query_provider=\"AzureSentinel\")" + ] + }, + { + "cell_type": "code", + "execution_count": 4, + "metadata": {}, + "outputs": [ + { + "data": { + "application/vnd.jupyter.widget-view+json": { + "model_id": "e3f03862ba154353b39efcbbe6c95bf2", + "version_major": 2, + "version_minor": 0 + }, + "text/plain": [ + "VBox(children=(HTML(value='

Set query time boundaries

'), HBox(children=(DatePicker(value=datetime.date…" + ] + }, + "metadata": {}, + "output_type": "display_data" + } + ], + "source": [ + "qry_time = nbwidgets.QueryTime(units=\"day\")\n", + "qry_time" + ] + }, + { + "cell_type": "code", + "execution_count": 6, + "metadata": {}, + "outputs": [], + "source": [ + "# qry = \"\"\"\n", + "# SecurityAlert\n", + "# | where TimeGenerated > datetime({start})\n", + "# | where TimeGenerated < datetime({end})\n", + "# | take 20\n", + "# \"\"\"\n", + "# qry_prov.exec_query(qry.format(start=qry_time.start, end=qry_time.end))" + ] + }, + { + "cell_type": "code", + "execution_count": 7, + "metadata": {}, + "outputs": [], + "source": [ + "# nb.qry_prov.connect(WorkspaceConfig(workspace=\"CyberSOC\").code_connect_str)" + ] + }, + { + "cell_type": "code", + "execution_count": 5, + "metadata": {}, + "outputs": [], + "source": [ + "from msticnb.nb.azsent.network import ip_summary\n", + "\n", + "ip_cls = ip_summary.IpAddressSummary\n", + "ip_summary = ip_cls()" + ] + }, + { + "cell_type": "code", + "execution_count": 9, + "metadata": {}, + "outputs": [ + { + "name": "stdout", + "output_type": "stream", + "text": [ + "Help on method run in module msticnb.nb.azsent.network.ip_summary:\n", + "\n", + "run(value: Any = None, data: Union[pandas.core.frame.DataFrame, NoneType] = None, timespan: Union[msticpy.common.timespan.TimeSpan, NoneType] = None, options: Union[Iterable[str], NoneType] = None, **kwargs) -> msticnb.nb.azsent.network.ip_summary.IpSummaryResult method of msticnb.nb.azsent.network.ip_summary.IpAddressSummary instance\n", + " Return XYZ summary.\n", + " \n", + " Parameters\n", + " ----------\n", + " value : str\n", + " IP Address - The key for searches\n", + " data : Optional[pd.DataFrame], optional\n", + " Not supported for this notebooklet.\n", + " timespan : TimeSpan\n", + " Timespan for queries\n", + " options : Optional[Iterable[str]], optional\n", + " List of options to use, by default None.\n", + " A value of None means 
use default options.\n", + " Options prefixed with \"+\" will be added to the default options.\n", + " To see the list of available options type `help(cls)` where\n", + " \"cls\" is the notebooklet class or an instance of this class.\n", + " \n", + " Returns\n", + " -------\n", + " IpSummaryResult\n", + " Result object with attributes for each result type.\n", + " \n", + " Raises\n", + " ------\n", + " MsticnbMissingParameterError\n", + " If required parameters are missing\n", + "\n" + ] + } + ], + "source": [ + "help(ip_summary.run)" + ] + }, + { + "cell_type": "code", + "execution_count": 7, + "metadata": {}, + "outputs": [], + "source": [ + "\n", + "dest = \"10.240.1.135\"\n", + "src = \"165.225.39.73\"\n" + ] + }, + { + "cell_type": "code", + "execution_count": 8, + "metadata": {}, + "outputs": [ + { + "data": { + "text/html": [ + "

IP Address summary

" + ], + "text/plain": [ + "" + ] + }, + "metadata": {}, + "output_type": "display_data" + }, + { + "data": { + "text/html": [ + "Retrieving data for IP Address Data and plots are stored in the result class returned by this function." + ], + "text/plain": [ + "" + ] + }, + "metadata": {}, + "output_type": "display_data" + }, + { + "data": { + "text/html": [ + "

165.225.39.73, ip address type: Public

" + ], + "text/plain": [ + "" + ] + }, + "metadata": {}, + "output_type": "display_data" + }, + { + "data": { + "text/html": [ + "

Azure Network Analytics Topology record for the IP.

" + ], + "text/plain": [ + "" + ] + }, + "metadata": {}, + "output_type": "display_data" + }, + { + "data": { + "text/html": [ + "(only available for Azure VMs)" + ], + "text/plain": [ + "" + ] + }, + "metadata": {}, + "output_type": "display_data" + }, + { + "data": { + "text/html": [ + "

Getting data from AzureNetworkAnalytics topology...

" + ], + "text/plain": [ + "" + ] + }, + "metadata": {}, + "output_type": "display_data" + }, + { + "data": { + "text/html": [ + "

Could not get Azure network interface record

" + ], + "text/plain": [ + "" + ] + }, + "metadata": {}, + "output_type": "display_data" + }, + { + "data": { + "text/html": [ + "

Azure Sentinel heartbeat record for the IP.

" + ], + "text/plain": [ + "" + ] + }, + "metadata": {}, + "output_type": "display_data" + }, + { + "data": { + "text/html": [ + "(only available for IP addresses that belong to the subscription)" + ], + "text/plain": [ + "" + ] + }, + "metadata": {}, + "output_type": "display_data" + }, + { + "data": { + "text/html": [ + "

Getting data from Heartbeat...

" + ], + "text/plain": [ + "" + ] + }, + "metadata": {}, + "output_type": "display_data" + }, + { + "data": { + "text/html": [ + "

Could not get Azure Heartbeat record

" + ], + "text/plain": [ + "" + ] + }, + "metadata": {}, + "output_type": "display_data" + }, + { + "data": { + "text/html": [ + "

Azure VMComputer record for the IP.

" + ], + "text/plain": [ + "" + ] + }, + "metadata": {}, + "output_type": "display_data" + }, + { + "data": { + "text/html": [ + "(only available for Azure VMs)" + ], + "text/plain": [ + "" + ] + }, + "metadata": {}, + "output_type": "display_data" + }, + { + "data": { + "text/html": [ + "

Getting data from VMComputer...

" + ], + "text/plain": [ + "" + ] + }, + "metadata": {}, + "output_type": "display_data" + }, + { + "data": { + "text/html": [ + "

Could not get VMComputer record

" + ], + "text/plain": [ + "" + ] + }, + "metadata": {}, + "output_type": "display_data" + }, + { + "data": { + "text/html": [ + "

Azure Sentinel alerts related to the IP.

" + ], + "text/plain": [ + "" + ] + }, + "metadata": {}, + "output_type": "display_data" + }, + { + "data": { + "text/html": [ + "Use `nblt.browse_alerts()` to retrieve a list of alerts." + ], + "text/plain": [ + "" + ] + }, + "metadata": {}, + "output_type": "display_data" + }, + { + "data": { + "text/html": [ + "

Getting data from RelatedAlerts...

" + ], + "text/plain": [ + "" + ] + }, + "metadata": {}, + "output_type": "display_data" + }, + { + "data": { + "text/html": [ + "

No events from related alerts found.

" + ], + "text/plain": [ + "" + ] + }, + "metadata": {}, + "output_type": "display_data" + }, + { + "data": { + "text/html": [ + "

Public IP data (GeoIP, ThreatIntel, Passive DNS, VPS membership)

" + ], + "text/plain": [ + "" + ] + }, + "metadata": {}, + "output_type": "display_data" + }, + { + "data": { + "text/html": [ + "

Whois data retrieved

" + ], + "text/plain": [ + "" + ] + }, + "metadata": {}, + "output_type": "display_data" + }, + { + "data": { + "text/html": [ + "

WhoIs data

" + ], + "text/plain": [ + "" + ] + }, + "metadata": {}, + "output_type": "display_data" + }, + { + "data": { + "text/html": [ + "
\n", + "\n", + "\n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + "
nirasn_registryasnasn_cidrasn_country_codeasn_dateasn_descriptionquerynetsrawreferralraw_referral
0Nonearin22616165.225.38.0/23US2014-11-14ZSCALER-SJC1, US165.225.39.73{'cidr': '165.225.0.0/17', 'name': 'ZSCAL', 'handle': 'NET-165-225-0-0-1', 'range': '165.225.0.0...NoneNoneNone
\n", + "
" + ], + "text/plain": [ + " nir asn_registry asn asn_cidr asn_country_code asn_date \\\n", + "0 None arin 22616 165.225.38.0/23 US 2014-11-14 \n", + "\n", + " asn_description query \\\n", + "0 ZSCALER-SJC1, US 165.225.39.73 \n", + "\n", + " nets \\\n", + "0 {'cidr': '165.225.0.0/17', 'name': 'ZSCAL', 'handle': 'NET-165-225-0-0-1', 'range': '165.225.0.0... \n", + "\n", + " raw referral raw_referral \n", + "0 None None None " + ] + }, + "metadata": {}, + "output_type": "display_data" + }, + { + "data": { + "text/html": [ + "

GeoLocation data retrieved

" + ], + "text/plain": [ + "" + ] + }, + "metadata": {}, + "output_type": "display_data" + }, + { + "data": { + "text/html": [ + "

geolocation

{ 'AdditionalData': {},
  'City': 'New York',
  'CountryCode': 'US',
  'CountryName': 'United States',
  'Latitude': 40.7809,
  'Longitude': -73.9502,
  'State': 'New York',
  'Type': 'geolocation',
  'edges': set()}" + ], + "text/plain": [ + "GeoLocation(CountryCode=US, CountryName=United States, State=New York, City=New York, Longit...)" + ] + }, + "metadata": {}, + "output_type": "display_data" + }, + { + "data": { + "text/html": [ + "

Getting data from Threat Intel...

" + ], + "text/plain": [ + "" + ] + }, + "metadata": {}, + "output_type": "display_data" + }, + { + "data": { + "text/html": [ + "

1 TI result(s) of severity 'warning' or above found.

" + ], + "text/plain": [ + "" + ] + }, + "metadata": {}, + "output_type": "display_data" + }, + { + "data": { + "text/html": [ + "
\n", + "\n", + "\n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + "
IocIocTypeQuerySubtypeProviderResultSeverityDetailsRawResultReferenceStatus
OTX165.225.39.73ipv4NoneOTXTrueinformation{'pulse_count': 0, 'sections_available': ['general', 'geo', 'reputation', 'url_list', 'passive_d...{'whois': 'http://whois.domaintools.com/165.225.39.73', 'reputation': 0, 'indicator': '165.225.3...https://otx.alienvault.com/api/v1/indicators/IPv4/165.225.39.73/general0
OPR165.225.39.73ipv4NoneOPRFalseinformationIoC type ipv4 not supported.NoneNone1
Tor165.225.39.73ipv4NoneTorTrueinformationNot found.Nonehttps://check.torproject.org/exit-addresses0
VirusTotal165.225.39.73ipv4NoneVirusTotalTrueinformation{'verbose_msg': 'IP address in dataset', 'response_code': 1, 'detected_urls': [], 'positives': 0}{'country': 'US', 'response_code': 1, 'detected_urls': [], 'resolutions': [], 'verbose_msg': 'IP...https://www.virustotal.com/vtapi/v2/ip-address/report0
XForce165.225.39.73ipv4NoneXForceTruewarning{'score': 1, 'cats': {}, 'categoryDescriptions': {}, 'reason': 'Regional Internet Registry', 're...{'ip': '165.225.39.73', 'history': [{'created': '2012-03-22T07:26:00.000Z', 'reason': 'Regional ...https://api.xforce.ibmcloud.com/ipr/165.225.39.730
\n", + "
" + ], + "text/plain": [ + " Ioc IocType QuerySubtype Provider Result \\\n", + "OTX 165.225.39.73 ipv4 None OTX True \n", + "OPR 165.225.39.73 ipv4 None OPR False \n", + "Tor 165.225.39.73 ipv4 None Tor True \n", + "VirusTotal 165.225.39.73 ipv4 None VirusTotal True \n", + "XForce 165.225.39.73 ipv4 None XForce True \n", + "\n", + " Severity \\\n", + "OTX information \n", + "OPR information \n", + "Tor information \n", + "VirusTotal information \n", + "XForce warning \n", + "\n", + " Details \\\n", + "OTX {'pulse_count': 0, 'sections_available': ['general', 'geo', 'reputation', 'url_list', 'passive_d... \n", + "OPR IoC type ipv4 not supported. \n", + "Tor Not found. \n", + "VirusTotal {'verbose_msg': 'IP address in dataset', 'response_code': 1, 'detected_urls': [], 'positives': 0} \n", + "XForce {'score': 1, 'cats': {}, 'categoryDescriptions': {}, 'reason': 'Regional Internet Registry', 're... \n", + "\n", + " RawResult \\\n", + "OTX {'whois': 'http://whois.domaintools.com/165.225.39.73', 'reputation': 0, 'indicator': '165.225.3... \n", + "OPR None \n", + "Tor None \n", + "VirusTotal {'country': 'US', 'response_code': 1, 'detected_urls': [], 'resolutions': [], 'verbose_msg': 'IP... \n", + "XForce {'ip': '165.225.39.73', 'history': [{'created': '2012-03-22T07:26:00.000Z', 'reason': 'Regional ... \n", + "\n", + " Reference \\\n", + "OTX https://otx.alienvault.com/api/v1/indicators/IPv4/165.225.39.73/general \n", + "OPR None \n", + "Tor https://check.torproject.org/exit-addresses \n", + "VirusTotal https://www.virustotal.com/vtapi/v2/ip-address/report \n", + "XForce https://api.xforce.ibmcloud.com/ipr/165.225.39.73 \n", + "\n", + " Status \n", + "OTX 0 \n", + "OPR 1 \n", + "Tor 0 \n", + "VirusTotal 0 \n", + "XForce 0 " + ] + }, + "metadata": {}, + "output_type": "display_data" + }, + { + "data": { + "text/html": [ + "

Use `browse_ti_results()` to view details.

" + ], + "text/plain": [ + "" + ] + }, + "metadata": {}, + "output_type": "display_data" + }, + { + "data": { + "text/html": [ + "

Getting data from Passive DNS...

" + ], + "text/plain": [ + "" + ] + }, + "metadata": {}, + "output_type": "display_data" + }, + { + "data": { + "text/html": [ + "

1 Passive DNS results found.

" + ], + "text/plain": [ + "" + ] + }, + "metadata": {}, + "output_type": "display_data" + }, + { + "name": "stdout", + "output_type": "stream", + "text": [ + "Please wait. Getting VPS data...Expected 4 octets in '118.0' \n", + "Expected 4 octets in '119.0' \n", + "Expected 4 octets in '94.136.192' \n", + "Expected 4 octets in '0000' \n", + "Address cannot be empty \n", + "done\n" + ] + }, + { + "data": { + "text/html": [ + "

No match for known VPS network

" + ], + "text/plain": [ + "" + ] + }, + "metadata": {}, + "output_type": "display_data" + }, + { + "data": { + "text/html": [ + "

View the returned results object for more details.

" + ], + "text/plain": [ + "" + ] + }, + "metadata": {}, + "output_type": "display_data" + }, + { + "data": { + "text/html": [ + "

Additional methods for this class:
browse_alerts - 'Return alert browser/viewer.'
browse_ti_results - 'Display Threat intel results.'
display_alert_timeline - 'Display the alert timeline.'
netflow_by_direction - 'Display netflows grouped by direction.'
netflow_by_protocol - 'Display netflows grouped by protocol.'
netflow_total_by_protocol - 'Display netflows grouped by protocol.'
run - 'Return XYZ summary.'

" + ], + "text/plain": [ + "" + ] + }, + "metadata": {}, + "output_type": "display_data" + }, + { + "data": { + "text/html": [ + "

property: description


IP Address Summary

property: timespan

Time span for the queried results data. Type: [TimeSpan]
TimeStamp(start=2021-04-29 02:48:40.656183, end=2021-04-30 02:48:40.656183, period=1 day, 0:00:00)

property: notebooklet

The notebooklet instance that created this result. Type: [Notebooklet]

property: ip_str

The input IP address as a string. Type: [str]
165.225.39.73

property: ip_address

Ip Address Python object Type: [Optional[Union[IPv4Address, IPv6Address]]]
165.225.39.73

property: ip_entity

IpAddress entity Type: [IpAddress]

ipaddress

{ 'AdditionalData': {},
  'Address': '165.225.39.73',
  'Location': { 'AdditionalData': {},
                'City': 'New York',
                'CountryCode': 'US',
                'CountryName': 'United States',
                'Latitude': 40.7809,
                'Longitude': -73.9502,
                'State': 'New York',
                'Type': 'geolocation',
                'edges': set()},
  'ThreatIntelligence': [],
  'Type': 'ipaddress',
  'edges': set()}

property: ip_origin

\"External\" or \"Internal\" Type: [str]
External

property: ip_type

IP address type - \"Public\", \"Private\", etc. Type: [str]
Public

property: host_entity

Host entity associated with IP Address Type: [Host]

host

{ 'AdditionalData': {},
  'IpAddresses': [],
  'IsDomainJoined': False,
  'OSFamily': ,
  'Type': 'host',
  'edges': set()}

property: geoip

Geo location information as a dictionary. Type: [Optional[Dict[str, Any]]]
{'city': {'geoname_id': 5128581, 'names': {'de': 'New York City', 'en': 'New York', 'es': 'Nueva York', 'fr': 'New York', 'ja': 'ニューヨーク', 'pt-BR': 'Nova Iorque', 'ru': 'Нью-Йорк', 'zh-CN': '纽约'}}, 'continent': {'code': 'NA', 'geoname_id': 6255149, 'names': {'de': 'Nordamerika', 'en': 'North America', 'es': 'Norteamérica', 'fr': 'Amérique du Nord', 'ja': '北アメリカ', 'pt-BR': 'América do Norte', 'ru': 'Северная Америка', 'zh-CN': '北美洲'}}, 'country': {'geoname_id': 6252001, 'iso_code': 'US', 'names': {'de': 'USA', 'en': 'United States', 'es': 'Estados Unidos', 'fr': 'États-Unis', 'ja': 'アメリカ合衆国', 'pt-BR': 'Estados Unidos', 'ru': 'США', 'zh-CN': '美国'}}, 'location': {'accuracy_radius': 1000, 'latitude': 40.7809, 'longitude': -73.9502, 'metro_code': 501, 'time_zone': 'America/New_York'}, 'postal': {'code': '10128'}, 'registered_country': {'geoname_id': 6252001, 'iso_code': 'US', 'names': {'de': 'USA', 'en': 'United States', 'es': 'Estados Unidos', 'fr': 'États-Unis', 'ja': 'アメリカ合衆国', 'pt-BR': 'Estados Unidos', 'ru': 'США', 'zh-CN': '美国'}}, 'subdivisions': [{'geoname_id': 5128638, 'iso_code': 'NY', 'names': {'de': 'New York', 'en': 'New York', 'es': 'Nueva York', 'fr': 'New York', 'ja': 'ニューヨーク州', 'pt-BR': 'Nova Iorque', 'ru': 'Нью-Йорк', 'zh-CN': '纽约州'}}], 'traits': {'ip_address': '165.225.39.73', 'prefix_len': 23}}

property: location

Location entity context object. Type: [Optional[GeoLocation]]

geolocation

{ 'AdditionalData': {},
  'City': 'New York',
  'CountryCode': 'US',
  'CountryName': 'United States',
  'Latitude': 40.7809,
  'Longitude': -73.9502,
  'State': 'New York',
  'Type': 'geolocation',
  'edges': set()}

property: whois

WhoIs information for IP Address Type: [pd.DataFrame]
\n", + "\n", + "\n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + "
nirasn_registryasnasn_cidrasn_country_codeasn_dateasn_descriptionquerynetsrawreferralraw_referral
0Nonearin22616165.225.38.0/23US2014-11-14ZSCALER-SJC1, US165.225.39.73{'cidr': '165.225.0.0/17', 'name': 'ZSCAL', 'handle': 'NET-165-225-0-0-1', 'range': '165.225.0.0...NoneNoneNone
1Nonearin22616165.225.38.0/23US2014-11-14ZSCALER-SJC1, US165.225.39.73{'cidr': '165.225.39.0/24', 'name': 'ZSCALER-NYC3', 'handle': 'NET-165-225-39-0-1', 'range': Non...NoneNoneNone
\n", + "

property: whois_nets

List of networks definitions from WhoIs data Type: [pd.DataFrame]
\n", + "\n", + "\n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + "
cidrnamehandlerangedescriptioncountrystatecityaddresspostal_codeemailscreatedupdated
0165.225.0.0/17ZSCALNET-165-225-0-0-1165.225.0.0 - 165.225.127.255ZSCALER, INC.USCASan Jose110 Rose Orchard Way95134[poc-abuse@zscaler.com, poc-noc@zscaler.com, poc-tech@zscaler.com]2014-11-142015-01-21
1165.225.39.0/24ZSCALER-NYC3NET-165-225-39-0-1NoneZscaler, Inc.USNYNew York111 8th Avenue10011[poc-abuse@zscaler.com, poc-noc@zscaler.com, poc-tech@zscaler.com]2016-11-102016-11-10
\n", + "

property: heartbeat

Heartbeat record for IP Address or host Type: [pd.DataFrame]
\n", + "\n", + "\n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + "
TenantIdSourceSystemTimeGeneratedMGManagementGroupNameSourceComputerIdComputerIPComputerCategoryOSTypeOSNameOSMajorVersionOSMinorVersionVersionSCAgentChannelIsGatewayInstalledRemoteIPLongitudeRemoteIPLatitudeRemoteIPCountrySubscriptionIdResourceGroupResourceProviderResourceResourceIdResourceTypeComputerEnvironmentSolutionsVMUUIDType_ResourceId
\n", + "

property: az_network_if

Azure Network analytics interface record, if available Type: [pd.DataFrame]
\n", + "\n", + "\n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + "
TenantIdSourceSystemMGManagementGroupNameTimeGeneratedComputerVmssName_sZones_srecords_AddressPrefixes_srecords_RouteTable_srecords_AddressPrefix_srecords_NextHopIP_srecords_NextHopType_srecords_FlowLogStorageAccount_srecords_IsFlowEnabled_brecords_Access_srecords_Description_srecords_DestinationAddressPrefix_srecords_DestinationPortRange_srecords_Direction_srecords_Priority_drecords_RuleType_srecords_SourceAddressPrefix_srecords_SourcePortRange_srecords_ApplicationGatewayBackendPools_s...PrimarybytesIn_dPrimarybytesOut_dSecondaryAzurePort_sSecondaryPeerAddressPrefix_sSecondarybytesIn_dSecondarybytesOut_dState_sVlanId_dSchemaVersion_sTopologyVersion_sDiscoveryRegion_sName_sRegion_sResourceTypeSubType_sSubscription_gTimeProcessed_tNetwork_sPrimaryNextHop_sSecondaryNextHop_sComponentType_sStatus_sSubscriptionName_sType_ResourceId
\n", + "

0 rows × 395 columns

\n", + "

property: vmcomputer

VMComputer latest record Type: [pd.DataFrame]
\n", + "\n", + "\n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + "
TimeGeneratedComputerAgentIdMachineDisplayNameFullDisplayNameHostNameBootTimeTimeZoneVirtualizationStateIpv4AddressesIpv4SubnetMasksIpv4DefaultGatewaysIpv6AddressesMacAddressesDnsNamesDependencyAgentVersionOperatingSystemFamilyOperatingSystemFullNamePhysicalMemoryMBCpusCpuSpeedVirtualMachineTypeVirtualMachineNativeIdVirtualMachineNativeName...AzureResourceNameAzureLocationAzureUpdateDomainAzureFaultDomainAzureVmIdAzureSizeAzureImagePublisherAzureImageOfferingAzureImageSkuAzureImageVersionAzureCloudServiceNameAzureCloudServiceDeploymentAzureCloudServiceRoleNameAzureCloudServiceRoleTypeAzureCloudServiceInstanceIdAzureVmScaleSetNameAzureVmScaleSetDeploymentAzureVmScaleSetResourceIdAzureVmScaleSetInstanceIdAzureServiceFabricClusterIdAzureServiceFabricClusterNameTenantIdSourceSystemType_ResourceId
\n", + "

0 rows × 56 columns

\n", + "

property: related_alerts

Alerts related to IP Address Type: [pd.DataFrame]
\n", + "\n", + "\n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + "
TenantIdTimeGeneratedAlertDisplayNameAlertNameSeverityDescriptionProviderNameVendorNameVendorOriginalIdSystemAlertIdResourceIdSourceComputerIdAlertTypeConfidenceLevelConfidenceScoreIsIncidentStartTimeUtcEndTimeUtcProcessingEndTimeRemediationStepsExtendedPropertiesEntitiesSourceSystemWorkspaceSubscriptionIdWorkspaceResourceGroupExtendedLinksProductNameProductComponentNameAlertLinkStatusCompromisedEntityTacticsTypeSystemAlertId1ExtendedProperties1Entities1MatchingIps
\n", + "

property: ti_results

Threat intel lookup results Type: [pd.DataFrame]
\n", + "\n", + "\n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + "
IocIocTypeQuerySubtypeProviderResultSeverityDetailsRawResultReferenceStatus
OTX165.225.39.73ipv4NoneOTXTrueinformation{'pulse_count': 0, 'sections_available': ['general', 'geo', 'reputation', 'url_list', 'passive_d...{'whois': 'http://whois.domaintools.com/165.225.39.73', 'reputation': 0, 'indicator': '165.225.3...https://otx.alienvault.com/api/v1/indicators/IPv4/165.225.39.73/general0
OPR165.225.39.73ipv4NoneOPRFalseinformationIoC type ipv4 not supported.NoneNone1
Tor165.225.39.73ipv4NoneTorTrueinformationNot found.Nonehttps://check.torproject.org/exit-addresses0
VirusTotal165.225.39.73ipv4NoneVirusTotalTrueinformation{'verbose_msg': 'IP address in dataset', 'response_code': 1, 'detected_urls': [], 'positives': 0}{'country': 'US', 'response_code': 1, 'detected_urls': [], 'resolutions': [], 'verbose_msg': 'IP...https://www.virustotal.com/vtapi/v2/ip-address/report0
XForce165.225.39.73ipv4NoneXForceTruewarning{'score': 1, 'cats': {}, 'categoryDescriptions': {}, 'reason': 'Regional Internet Registry', 're...{'ip': '165.225.39.73', 'history': [{'created': '2012-03-22T07:26:00.000Z', 'reason': 'Regional ...https://api.xforce.ibmcloud.com/ipr/165.225.39.730
\n", + "

property: passive_dns

Passive DNS lookup results Type: [pd.DataFrame]
\n", + "\n", + "\n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + "
IocIocTypeQuerySubtypeProviderResultSeverityDetailsRawResultReferenceStatus
XForce165.225.39.73ipv4passivednsXForceTrueinformation{}{'Passive': {'query': '0x00000000000000000000ffffa5e12749', 'records': []}, 'total_rows': 0}https://api.xforce.ibmcloud.com/resolve/165.225.39.730
\n", + "

" + ], + "text/plain": [ + "" + ] + }, + "execution_count": 8, + "metadata": {}, + "output_type": "execute_result" + } + ], + "source": [ + "ip_summary.run(value=src, timespan=ip_summary.timespan)" + ] + } + ], + "metadata": { + "kernelspec": { + "display_name": "Python 3.6.7 64-bit ('condadev': conda)", + "language": "python", + "name": "python36764bitcondadevconda6cccf545f08246a1a5c093078bc87e5f" + }, + "language_info": { + "codemirror_mode": { + "name": "ipython", + "version": 3 + }, + "file_extension": ".py", + "mimetype": "text/x-python", + "name": "python", + "nbconvert_exporter": "python", + "pygments_lexer": "ipython3", + "version": "3.7.10" + }, + "widgets": { + "application/vnd.jupyter.widget-state+json": { + "state": { + "01983c9164374397add518f112c2dcc6": { + "model_module": "@jupyter-widgets/controls", + "model_module_version": "1.5.0", + "model_name": "TextModel", + "state": { + "description": "Time (24hr)", + "layout": "IPY_MODEL_bd8c318c679a459b9c2f2c51f8a0c853", + "style": "IPY_MODEL_e85f84dc4792406e9ae9fa2d058516f8", + "value": "02:48:24.304669" + } + }, + "01c310d3fa6f41fbae272d91c5d36cc9": { + "model_module": "@jupyter-widgets/base", + "model_module_version": "1.2.0", + "model_name": "LayoutModel", + "state": {} + }, + "0bd426f203d442688b7590976b04e060": { + "model_module": "@jupyter-widgets/controls", + "model_module_version": "1.5.0", + "model_name": "DescriptionStyleModel", + "state": { + "description_width": "" + } + }, + "0c2615d3d65243a5a8feea7a83871506": { + "model_module": "@jupyter-widgets/controls", + "model_module_version": "1.5.0", + "model_name": "DescriptionStyleModel", + "state": { + "description_width": "initial" + } + }, + "0fd07ca934614a53b3635822a6fd749f": { + "model_module": "@jupyter-widgets/controls", + "model_module_version": "1.5.0", + "model_name": "DescriptionStyleModel", + "state": { + "description_width": "" + } + }, + "11f48fbef0f147fc9b0c00fb12256a63": { + "model_module": "@jupyter-widgets/controls", + 
"model_module_version": "1.5.0", + "model_name": "TextModel", + "state": { + "description": "Time (24hr)", + "layout": "IPY_MODEL_c8d820ec94e640029daf4fedc44ad221", + "style": "IPY_MODEL_134719e222c64782929707c48f6e1567", + "value": "02:48:21.157064" + } + }, + "12a240edebfd4e70a4478789b7dbe29c": { + "model_module": "@jupyter-widgets/controls", + "model_module_version": "1.5.0", + "model_name": "DescriptionStyleModel", + "state": { + "description_width": "initial" + } + }, + "12fb375c5f604de0ab87299d0ca5336a": { + "model_module": "@jupyter-widgets/controls", + "model_module_version": "1.5.0", + "model_name": "SliderStyleModel", + "state": { + "description_width": "initial" + } + }, + "134719e222c64782929707c48f6e1567": { + "model_module": "@jupyter-widgets/controls", + "model_module_version": "1.5.0", + "model_name": "DescriptionStyleModel", + "state": { + "description_width": "" + } + }, + "13910df4dde247aeba7aa8745727be44": { + "model_module": "@jupyter-widgets/controls", + "model_module_version": "1.5.0", + "model_name": "DescriptionStyleModel", + "state": { + "description_width": "" + } + }, + "14e60e71ed1448f6bf215214e1b122ec": { + "model_module": "@jupyter-widgets/base", + "model_module_version": "1.2.0", + "model_name": "LayoutModel", + "state": {} + }, + "1cdd1661fdc04c4fa6ac5073060e1e5a": { + "model_module": "@jupyter-widgets/controls", + "model_module_version": "1.5.0", + "model_name": "IntRangeSliderModel", + "state": { + "_model_name": "IntRangeSliderModel", + "_view_name": "IntRangeSliderView", + "description": "Time Range", + "layout": "IPY_MODEL_a4501b36ab424c519b7a7fabfa19b8c7", + "max": 4, + "min": -4, + "style": "IPY_MODEL_ac0e1b863ef44b3facb798fba9c7096f", + "value": [ + -1, + 1 + ] + } + }, + "1ddf0ae11c8d4c8c8e00410b3c37b324": { + "model_module": "@jupyter-widgets/base", + "model_module_version": "1.2.0", + "model_name": "LayoutModel", + "state": { + "width": "100px" + } + }, + "217ce36acefa4be89454800a4685534a": { + "model_module": 
"@jupyter-widgets/base", + "model_module_version": "1.2.0", + "model_name": "LayoutModel", + "state": { + "width": "100px" + } + }, + "2345e4fa7c6442f8b713c3d2eeddc065": { + "model_module": "@jupyter-widgets/base", + "model_module_version": "1.2.0", + "model_name": "LayoutModel", + "state": {} + }, + "2e5934c77a5946d19224cad955668864": { + "model_module": "@jupyter-widgets/base", + "model_module_version": "1.2.0", + "model_name": "LayoutModel", + "state": {} + }, + "33af72f4df694d7d916316b6e41a4cc1": { + "model_module": "@jupyter-widgets/controls", + "model_module_version": "1.5.0", + "model_name": "DescriptionStyleModel", + "state": { + "description_width": "" + } + }, + "38f5f5b94f624264b4952cd15b247a42": { + "model_module": "@jupyter-widgets/controls", + "model_module_version": "1.5.0", + "model_name": "TextModel", + "state": { + "description": "Query start time (UTC):", + "layout": "IPY_MODEL_75f7fe444b1f4fd38b33f15c9ac25b7e", + "style": "IPY_MODEL_12a240edebfd4e70a4478789b7dbe29c", + "value": "2021-04-29 02:48:21.157064" + } + }, + "434fbeec41a94b6fa6e2dc32bef3057f": { + "model_module": "@jupyter-widgets/controls", + "model_module_version": "1.5.0", + "model_name": "DescriptionStyleModel", + "state": { + "description_width": "initial" + } + }, + "495bc58f0e5f4ca8bbeb85dbf15d6b00": { + "model_module": "@jupyter-widgets/controls", + "model_module_version": "1.5.0", + "model_name": "DropdownModel", + "state": { + "_options_labels": [ + "minute", + "hour", + "day", + "week" + ], + "index": 2, + "layout": "IPY_MODEL_1ddf0ae11c8d4c8c8e00410b3c37b324", + "style": "IPY_MODEL_0bd426f203d442688b7590976b04e060" + } + }, + "4e92adc263b141a8bf3c33a3ee093685": { + "model_module": "@jupyter-widgets/controls", + "model_module_version": "1.5.0", + "model_name": "DescriptionStyleModel", + "state": { + "description_width": "" + } + }, + "533c2bbbe33a49ba9372bdeaa2ac7813": { + "model_module": "@jupyter-widgets/base", + "model_module_version": "1.2.0", + "model_name": 
"LayoutModel", + "state": { + "width": "50%" + } + }, + "584da12387d946faae5b501d686eb674": { + "model_module": "@jupyter-widgets/controls", + "model_module_version": "1.5.0", + "model_name": "DescriptionStyleModel", + "state": { + "description_width": "initial" + } + }, + "613ccab9834343cba916c8e1af6db869": { + "model_module": "@jupyter-widgets/controls", + "model_module_version": "1.5.0", + "model_name": "DatePickerModel", + "state": { + "description": "Origin Date", + "disabled": false, + "layout": "IPY_MODEL_14e60e71ed1448f6bf215214e1b122ec", + "style": "IPY_MODEL_4e92adc263b141a8bf3c33a3ee093685", + "value": { + "date": 30, + "month": 3, + "year": 2021 + } + } + }, + "6272e0934bfa4a639e5c1a83c2238e07": { + "model_module": "@jupyter-widgets/controls", + "model_module_version": "1.5.0", + "model_name": "VBoxModel", + "state": { + "children": [ + "IPY_MODEL_edf8560b20b941c89e68528740cae19d", + "IPY_MODEL_8c70a5eb0a7646ccbc29fe5af7d0def3", + "IPY_MODEL_f4ce11557e174a9da7a4005d1952d2ac" + ], + "layout": "IPY_MODEL_01c310d3fa6f41fbae272d91c5d36cc9" + } + }, + "673e367216dd4545be4229fd73404eec": { + "model_module": "@jupyter-widgets/controls", + "model_module_version": "1.5.0", + "model_name": "DropdownModel", + "state": { + "_options_labels": [ + "minute", + "hour", + "day", + "week" + ], + "index": 2, + "layout": "IPY_MODEL_217ce36acefa4be89454800a4685534a", + "style": "IPY_MODEL_a97d0575e01c4e3a9b2684f582dfcf2c" + } + }, + "75f7fe444b1f4fd38b33f15c9ac25b7e": { + "model_module": "@jupyter-widgets/base", + "model_module_version": "1.2.0", + "model_name": "LayoutModel", + "state": { + "width": "50%" + } + }, + "7a08f57bd15e48da945b1a0bf936b015": { + "model_module": "@jupyter-widgets/base", + "model_module_version": "1.2.0", + "model_name": "LayoutModel", + "state": { + "width": "95%" + } + }, + "83a0e881412e425b9526299b59f537d8": { + "model_module": "@jupyter-widgets/base", + "model_module_version": "1.2.0", + "model_name": "LayoutModel", + "state": { + "width": 
"50%" + } + }, + "87fe3a5d77114752876927a4ae86aa5e": { + "model_module": "@jupyter-widgets/base", + "model_module_version": "1.2.0", + "model_name": "LayoutModel", + "state": {} + }, + "8c70a5eb0a7646ccbc29fe5af7d0def3": { + "model_module": "@jupyter-widgets/controls", + "model_module_version": "1.5.0", + "model_name": "HBoxModel", + "state": { + "children": [ + "IPY_MODEL_a5f3e7e119f74b6cb69cd570d7b9935f", + "IPY_MODEL_11f48fbef0f147fc9b0c00fb12256a63" + ], + "layout": "IPY_MODEL_ded36666f8184e0da8346a3337178507" + } + }, + "a4501b36ab424c519b7a7fabfa19b8c7": { + "model_module": "@jupyter-widgets/base", + "model_module_version": "1.2.0", + "model_name": "LayoutModel", + "state": { + "width": "70%" + } + }, + "a5f3e7e119f74b6cb69cd570d7b9935f": { + "model_module": "@jupyter-widgets/controls", + "model_module_version": "1.5.0", + "model_name": "DatePickerModel", + "state": { + "description": "Origin Date", + "disabled": false, + "layout": "IPY_MODEL_e4aaff526cec43048fb8579be1c6b84f", + "style": "IPY_MODEL_13910df4dde247aeba7aa8745727be44", + "value": { + "date": 30, + "month": 3, + "year": 2021 + } + } + }, + "a97d0575e01c4e3a9b2684f582dfcf2c": { + "model_module": "@jupyter-widgets/controls", + "model_module_version": "1.5.0", + "model_name": "DescriptionStyleModel", + "state": { + "description_width": "" + } + }, + "a9da1c2b6dba435baa337d5798a490f4": { + "model_module": "@jupyter-widgets/base", + "model_module_version": "1.2.0", + "model_name": "LayoutModel", + "state": {} + }, + "aa7a9e59198d411485f45493beeab43a": { + "model_module": "@jupyter-widgets/controls", + "model_module_version": "1.5.0", + "model_name": "HBoxModel", + "state": { + "children": [ + "IPY_MODEL_1cdd1661fdc04c4fa6ac5073060e1e5a", + "IPY_MODEL_495bc58f0e5f4ca8bbeb85dbf15d6b00" + ], + "layout": "IPY_MODEL_d1174930b69f4d2dae18def78ea024d4" + } + }, + "aaa05c420bae4221a5cb7331f43162e6": { + "model_module": "@jupyter-widgets/base", + "model_module_version": "1.2.0", + "model_name": "LayoutModel", + 
"state": {} + }, + "ac0e1b863ef44b3facb798fba9c7096f": { + "model_module": "@jupyter-widgets/controls", + "model_module_version": "1.5.0", + "model_name": "SliderStyleModel", + "state": { + "description_width": "initial" + } + }, + "b000e0bcb85b4aa99479d4dd123e968b": { + "model_module": "@jupyter-widgets/controls", + "model_module_version": "1.5.0", + "model_name": "TextModel", + "state": { + "description": "Query end time (UTC) : ", + "layout": "IPY_MODEL_533c2bbbe33a49ba9372bdeaa2ac7813", + "style": "IPY_MODEL_434fbeec41a94b6fa6e2dc32bef3057f", + "value": "2021-04-30 02:48:21.157064" + } + }, + "bd8c318c679a459b9c2f2c51f8a0c853": { + "model_module": "@jupyter-widgets/base", + "model_module_version": "1.2.0", + "model_name": "LayoutModel", + "state": {} + }, + "c6b57559b6ef48d089e7478f6210d208": { + "model_module": "@jupyter-widgets/controls", + "model_module_version": "1.5.0", + "model_name": "HBoxModel", + "state": { + "children": [ + "IPY_MODEL_613ccab9834343cba916c8e1af6db869", + "IPY_MODEL_01983c9164374397add518f112c2dcc6" + ], + "layout": "IPY_MODEL_fdaf3525ba714daebc8c951bb9cbbe01" + } + }, + "c8d820ec94e640029daf4fedc44ad221": { + "model_module": "@jupyter-widgets/base", + "model_module_version": "1.2.0", + "model_name": "LayoutModel", + "state": {} + }, + "cb65beeb0eeb43068df4d4ca41abf5c5": { + "model_module": "@jupyter-widgets/controls", + "model_module_version": "1.5.0", + "model_name": "HTMLModel", + "state": { + "layout": "IPY_MODEL_2e5934c77a5946d19224cad955668864", + "style": "IPY_MODEL_33af72f4df694d7d916316b6e41a4cc1", + "value": "

Set query time boundaries

" + } + }, + "cf5e5b60f4d74b759e2b279332dd0df7": { + "model_module": "@jupyter-widgets/base", + "model_module_version": "1.2.0", + "model_name": "LayoutModel", + "state": {} + }, + "d1174930b69f4d2dae18def78ea024d4": { + "model_module": "@jupyter-widgets/base", + "model_module_version": "1.2.0", + "model_name": "LayoutModel", + "state": {} + }, + "d4b16c5469c24fc5af8f44453251f7c4": { + "model_module": "@jupyter-widgets/controls", + "model_module_version": "1.5.0", + "model_name": "TextModel", + "state": { + "description": "Query start time (UTC):", + "layout": "IPY_MODEL_e53fd7abfff8477589da7047388634f2", + "style": "IPY_MODEL_584da12387d946faae5b501d686eb674", + "value": "2021-04-29 02:48:24.304669" + } + }, + "ded36666f8184e0da8346a3337178507": { + "model_module": "@jupyter-widgets/base", + "model_module_version": "1.2.0", + "model_name": "LayoutModel", + "state": {} + }, + "e11469ba15994dd0a7bc65f7f2f553a4": { + "model_module": "@jupyter-widgets/controls", + "model_module_version": "1.5.0", + "model_name": "VBoxModel", + "state": { + "children": [ + "IPY_MODEL_aa7a9e59198d411485f45493beeab43a", + "IPY_MODEL_d4b16c5469c24fc5af8f44453251f7c4", + "IPY_MODEL_f8d1c5d99ffc42599a4a283b42a6884a" + ], + "layout": "IPY_MODEL_2345e4fa7c6442f8b713c3d2eeddc065" + } + }, + "e3f03862ba154353b39efcbbe6c95bf2": { + "model_module": "@jupyter-widgets/controls", + "model_module_version": "1.5.0", + "model_name": "VBoxModel", + "state": { + "children": [ + "IPY_MODEL_cb65beeb0eeb43068df4d4ca41abf5c5", + "IPY_MODEL_c6b57559b6ef48d089e7478f6210d208", + "IPY_MODEL_e11469ba15994dd0a7bc65f7f2f553a4" + ], + "layout": "IPY_MODEL_87fe3a5d77114752876927a4ae86aa5e" + } + }, + "e4aaff526cec43048fb8579be1c6b84f": { + "model_module": "@jupyter-widgets/base", + "model_module_version": "1.2.0", + "model_name": "LayoutModel", + "state": {} + }, + "e53fd7abfff8477589da7047388634f2": { + "model_module": "@jupyter-widgets/base", + "model_module_version": "1.2.0", + "model_name": "LayoutModel", + 
"state": { + "width": "50%" + } + }, + "e85f84dc4792406e9ae9fa2d058516f8": { + "model_module": "@jupyter-widgets/controls", + "model_module_version": "1.5.0", + "model_name": "DescriptionStyleModel", + "state": { + "description_width": "" + } + }, + "e9eae4703ba940648ca7cafba1719677": { + "model_module": "@jupyter-widgets/controls", + "model_module_version": "1.5.0", + "model_name": "IntRangeSliderModel", + "state": { + "_model_name": "IntRangeSliderModel", + "_view_name": "IntRangeSliderView", + "description": "Time Range", + "layout": "IPY_MODEL_f62aff1d93c44850885465531134e937", + "max": 4, + "min": -4, + "style": "IPY_MODEL_12fb375c5f604de0ab87299d0ca5336a", + "value": [ + -1, + 0 + ] + } + }, + "edd41d51dd77468b98d7ab4e7a08e6af": { + "model_module": "@jupyter-widgets/base", + "model_module_version": "1.2.0", + "model_name": "LayoutModel", + "state": { + "width": "95%" + } + }, + "edf8560b20b941c89e68528740cae19d": { + "model_module": "@jupyter-widgets/controls", + "model_module_version": "1.5.0", + "model_name": "HTMLModel", + "state": { + "layout": "IPY_MODEL_aaa05c420bae4221a5cb7331f43162e6", + "style": "IPY_MODEL_0fd07ca934614a53b3635822a6fd749f", + "value": "

Set time range for pivot functions.

" + } + }, + "f4342f8f0063468abb29b0b3d1f67c20": { + "model_module": "@jupyter-widgets/controls", + "model_module_version": "1.5.0", + "model_name": "HBoxModel", + "state": { + "children": [ + "IPY_MODEL_e9eae4703ba940648ca7cafba1719677", + "IPY_MODEL_673e367216dd4545be4229fd73404eec" + ], + "layout": "IPY_MODEL_cf5e5b60f4d74b759e2b279332dd0df7" + } + }, + "f4ce11557e174a9da7a4005d1952d2ac": { + "model_module": "@jupyter-widgets/controls", + "model_module_version": "1.5.0", + "model_name": "VBoxModel", + "state": { + "children": [ + "IPY_MODEL_f4342f8f0063468abb29b0b3d1f67c20", + "IPY_MODEL_38f5f5b94f624264b4952cd15b247a42", + "IPY_MODEL_b000e0bcb85b4aa99479d4dd123e968b" + ], + "layout": "IPY_MODEL_a9da1c2b6dba435baa337d5798a490f4" + } + }, + "f62aff1d93c44850885465531134e937": { + "model_module": "@jupyter-widgets/base", + "model_module_version": "1.2.0", + "model_name": "LayoutModel", + "state": { + "width": "70%" + } + }, + "f8d1c5d99ffc42599a4a283b42a6884a": { + "model_module": "@jupyter-widgets/controls", + "model_module_version": "1.5.0", + "model_name": "TextModel", + "state": { + "description": "Query end time (UTC) : ", + "layout": "IPY_MODEL_83a0e881412e425b9526299b59f537d8", + "style": "IPY_MODEL_0c2615d3d65243a5a8feea7a83871506", + "value": "2021-05-01 02:48:24.304669" + } + }, + "fdaf3525ba714daebc8c951bb9cbbe01": { + "model_module": "@jupyter-widgets/base", + "model_module_version": "1.2.0", + "model_name": "LayoutModel", + "state": {} + } + }, + "version_major": 2, + "version_minor": 0 + } + } + }, + "nbformat": 4, + "nbformat_minor": 4 +} diff --git a/docs/notebooks/NotebookletDocumentation.ipynb b/docs/notebooks/NotebookletDocumentation.ipynb new file mode 100644 index 0000000..d46716a --- /dev/null +++ b/docs/notebooks/NotebookletDocumentation.ipynb 
@@ -0,0 +1,658 @@ +{ + "cells": [ + { + "cell_type": "code", + "execution_count": 1, + "metadata": {}, + "outputs": [ + { + "name": "stdout", + "output_type": "stream", + "text": [ + "Notebooklets: 8 notebooklets loaded.\n", + "E:\\src\\msticnb\\tests\\testdata\\msticpyconfig-test.yaml is not a valid query definition file - skipping.\n", + "E:\\src\\msticnb\\tests\\testdata\\custom_nb\\host\\host_test_nb.yaml is not a valid query definition file - skipping.\n" + ] + }, + { + "data": { + "text/html": [ + "\n", + "This product includes GeoLite2 data created by MaxMind, available from\n", + "https://www.maxmind.com.\n" + ], + "text/plain": [ + "" + ] + }, + "metadata": {}, + "output_type": "display_data" + }, + { + "name": "stdout", + "output_type": "stream", + "text": [ + "Notebooklets: Loaded providers: LocalData, geolitelookup\n", + "Using Open PageRank. See https://www.domcop.com/openpagerank/what-is-openpagerank\n" + ] + }, + { + "data": { + "text/html": [ + "\n", + "This library uses services provided by ipstack.\n", + "https://ipstack.com" + ], + "text/plain": [ + "" + ] + }, + "metadata": {}, + "output_type": "display_data" + }, + { + "name": "stdout", + "output_type": "stream", + "text": [ + "Using Open PageRank. 
See https://www.domcop.com/openpagerank/what-is-openpagerank\n" + ] + } + ], + "source": [ + "import msticnb as nb\r\n", + "nb.init(\r\n", + " \"LocalData\", providers=[\"-tilookup\"],\r\n", + " LocalData_data_paths=[\"/src/msticnb/tests/testdata\"],\r\n", + " LocalData_query_paths=[\"/src/msticnb/tests/testdata\"],\r\n", + ")" + ] + }, + { + "cell_type": "code", + "execution_count": 3, + "metadata": {}, + "outputs": [ + { + "name": "stdout", + "output_type": "stream", + "text": [ + "Creating docs for AccountSummary\n", + "Creating docs for EnrichAlerts\n", + "Creating docs for HostLogonsSummary\n", + "Creating docs for HostSummary\n", + "Creating docs for WinHostEvents\n", + "Creating docs for IpAddressSummary\n", + "Creating docs for NetworkFlowSummary\n", + "Creating docs for TemplateNB\n" + ] + } + ], + "source": [ + "from IPython.display import HTML\n", + "import inspect\n", + "import subprocess\n", + "from pathlib import Path\n", + "\n", + "html_tmplt = \"\"\"\n", + "\n", + "\n", + "\n", + "{cls_help}\n", + "\n", + "\n", + "\"\"\"\n", + "\n", + "def get_html_doc(cls):\n", + " html_doc = html_tmplt.format(cls_help=cls.get_help())\n", + "\n", + " html_doc = html_doc.replace(\"

\", \"\", 1).replace(\"

\", \"\", 1)\n", + " for h_num in range(4, 0, -1):\n", + " html_doc = html_doc.replace(f\"\", f\"\")\n", + " html_doc = html_doc.replace(f\"\", f\"\")\n", + "\n", + " html_doc = html_doc.replace(\"\", \"

\").replace(\"\", \"

\")\n", + " html_doc = html_doc.replace(\"`\", \"``\", 1)\n", + " return html_doc\n", + "\n", + "\n", + "def txt_to_rst(line):\n", + " if line.startswith(\"----\"):\n", + " return \"~\" * len(line.strip()) + \"\\n\"\n", + " if not line.strip():\n", + " return \"\"\n", + " if line.startswith(\" \"):\n", + " return line\n", + " if not line.startswith(\"-\"):\n", + " return f\"\\n{line}\"\n", + " return line\n", + " \n", + "\n", + "def get_run_doc(cls):\n", + " run_doc = [\n", + " \"\",\n", + " \"---------\",\n", + " \"\",\n", + " \"``run`` function documentation\",\n", + " \"------------------------------\",\n", + " *(txt_to_rst(l) for l in inspect.getdoc(cls().run).split(\"\\n\"))\n", + " ]\n", + " return \"\\n\".join(run_doc)\n", + "\n", + "\n", + "def write_doc_file(cls, folder=\".\"):\n", + " class_name = cls.__name__\n", + " html_doc = get_html_doc(cls)\n", + " run_doc_rst = get_run_doc(cls)\n", + "\n", + " Path(\"temp_doc.html\").write_text(html_doc)\n", + "\n", + " args = [\"pandoc\", \"-f\", \"html\", \"-t\", \"RST\", \"-o\", f\"temp_doc.rst\", \"temp_doc.html\"]\n", + " subprocess.run(args)\n", + " Path(\"temp_doc.html\").unlink()\n", + " \n", + " rst_contents = Path(f\"temp_doc.rst\").read_text()\n", + " Path(f\"temp_doc.rst\").unlink()\n", + " rst_contents = rst_contents + run_doc_rst\n", + " Path(folder).joinpath(f\"{class_name}.rst\").write_text(rst_contents)\n", + " \n", + "\n", + "for desc, cls in nb.nblts.iter_classes():\n", + " print(f\"Creating docs for {cls.__name__}\")\n", + " write_doc_file(cls, \"../source/notebooklet_docs\")" + ] + }, + { + "cell_type": "code", + "execution_count": 109, + "metadata": {}, + "outputs": [ + { + "data": { + "text/plain": [ + "WindowsPath('foo.rst')" + ] + }, + "execution_count": 109, + "metadata": {}, + "output_type": "execute_result" + } + ], + "source": [ + "Path(\".\").joinpath(f\"foo.rst\")" + ] + }, + { + "cell_type": "code", + "execution_count": 53, + "metadata": {}, + "outputs": [ + { + "data": { + 
"text/plain": [ + "['

Notebooklet Class - TemplateNB

\\n',\n", + " '

Template Notebooklet class.

\\n',\n", + " '

Detailed description of things this notebooklet does:

\\n',\n", + " '
    \\n',\n", + " '
  • \\n',\n", + " '

    Fetches all events from XYZ

    \\n',\n", + " '
  • \\n',\n", + " '
  • \\n',\n", + " '

    Plots interesting stuff

    \\n',\n", + " '
  • \\n',\n", + " '
  • \\n',\n", + " '

    Returns extended metadata about the thing

    \\n',\n", + " '
  • \\n',\n", + " '
\\n',\n", + " '

Document the options that the Notebooklet takes, if any,

\\n',\n", + " '

Use these control which parts of the notebooklet get run.

\\n',\n", + " '

Default Options\\n',\n", + " '

\\n',\n", + " '
    \\n',\n", + " '
  • \\n',\n", + " '

    all_events: Gets all events about blah

    \\n',\n", + " '
  • \\n',\n", + " '
  • \\n',\n", + " '

    plot_events: Display and summary and timeline of events.

    \\n',\n", + " '
  • \\n',\n", + " '
\\n',\n", + " '

Other Options\\n',\n", + " '

\\n',\n", + " '
    \\n',\n", + " '
  • get_metadata: fetches additional metadata about the entity
  • \\n',\n", + " '
\\n',\n", + " '
\\n',\n", + " '

Display Sections

\\n',\n", + " '

Title for the run method (main title)

\\n',\n", + " '

Write your introductory text here\\n',\n", + " 'Data and plots are stored in the result class returned by this function.\\n',\n", + " 'If you use markdown syntax in this block add the following to use markdown processing.

\\n',\n", + " '

Display the timeline.

\\n',\n", + " '

This may take some time to complete for large numbers of events.\\n',\n", + " 'It will do: - Item one - Item two\\n',\n", + " 'Since some groups will be undefined these can show up as NaN.\\n',\n", + " 'Note: use a quoted string if you want to include yaml reserved chars such as \":\"

\\n',\n", + " '

Do something else

\\n',\n", + " '

This may take some time to complete for large numbers of events.

\\n',\n", + " '

It will do:\\n',\n", + " '- Item one\\n',\n", + " '- Item two

\\n',\n", + " '
\\n',\n", + " '

Results Class

\\n',\n", + " '

TemplateResult

\\n',\n", + " '

Template Results.

\\n',\n", + " '

Attributes

\\n',\n", + " '
    \\n',\n", + " '
  • \\n',\n", + " '

    all_events : pd.DataFrame
    \\n',\n", + " 'DataFrame of all raw events retrieved.

    \\n',\n", + " '
  • \\n',\n", + " '
  • \\n',\n", + " '

    plot : bokeh.models.LayoutDOM
    \\n',\n", + " 'Bokeh plot figure showing the account events on an\\n',\n", + " 'interactive timeline.

    \\n',\n", + " '
  • \\n',\n", + " '
  • \\n',\n", + " '

    additional_info: dict
    \\n',\n", + " 'Additional information for my notebooklet.

    \\n',\n", + " '
  • \\n',\n", + " '
\\n',\n", + " '
\\n',\n", + " '

Methods

\\n',\n", + " '

Instance Methods

\\n',\n", + " '

__init__

\\n',\n", + " '

__init__(self, data_providers: Union[<msticnb.data_providers.SingletonDecorator object at 0x0000016FC90B2F88>, NoneType] = None, **kwargs)
\\n',\n", + " 'Intialize a new instance of the notebooklet class.

\\n',\n", + " '

run

\\n',\n", + " '

run(self, value: Any = None, data: Union[pandas.core.frame.DataFrame, NoneType] = None, timespan: Union[msticpy.common.timespan.TimeSpan, NoneType] = None, options: Union[Iterable[str], NoneType] = None, **kwargs) -> msticnb.nb.template.nb_template.TemplateResult
\\n',\n", + " 'Return XYZ summary.

\\n',\n", + " '

run_additional_operation

\\n',\n", + " '

run_additional_operation(self, event_ids: Union[int, Iterable[int], NoneType] = None) -> pandas.core.frame.DataFrame
\\n',\n", + " 'Addition method.

\\n',\n", + " '

Inherited methods

\\n',\n", + " '

check_table_exists

\\n',\n", + " '

check_table_exists(self, table: str) -> bool
\\n',\n", + " 'Check to see if the table exists in the provider.

\\n',\n", + " '

check_valid_result_data

\\n',\n", + " '

check_valid_result_data(self, attrib: str = None, silent: bool = False) -> bool
\\n',\n", + " 'Check that the result is valid and attrib contains data.

\\n',\n", + " '

get_methods

\\n',\n", + " '

get_methods(self) -> Dict[str, Callable[[Any], Any]]
\\n',\n", + " 'Return methods available for this class.

\\n',\n", + " '

get_pivot_run

\\n',\n", + " '

get_pivot_run(self, get_timespan: Callable[[], msticpy.common.timespan.TimeSpan])
\\n',\n", + " 'Return Pivot-wrappable run function.

\\n',\n", + " '

get_provider

\\n',\n", + " '

get_provider(self, provider_name: str)
\\n',\n", + " 'Return data provider for the specified name.

\\n',\n", + " '

list_methods

\\n',\n", + " '

list_methods(self) -> List[str]
\\n',\n", + " 'Return list of methods with descriptions.

\\n',\n", + " '

Other Methods

\\n',\n", + " '

all_options

\\n',\n", + " '

all_options() -> List[str]
\\n',\n", + " 'Return supported options for Notebooklet run function.

\\n',\n", + " '

default_options

\\n',\n", + " '

default_options() -> List[str]
\\n',\n", + " 'Return default options for Notebooklet run function.

\\n',\n", + " '

description

\\n',\n", + " '

description() -> str
\\n',\n", + " 'Return description of the Notebooklet.

\\n',\n", + " '

entity_types

\\n',\n", + " '

entity_types() -> List[str]
\\n',\n", + " 'Entity types supported by the notebooklet.

\\n',\n", + " '

get_help

\\n',\n", + " '

get_help(fmt='html') -> str
\\n',\n", + " 'Return HTML document for class.

\\n',\n", + " '

get_settings

\\n',\n", + " '

get_settings(print_settings=True) -> Union[str, NoneType]
\\n',\n", + " 'Print or return metadata for class.

\\n',\n", + " '

import_cell

\\n',\n", + " '

import_cell()
\\n',\n", + " 'Import the text of this module into a new cell.

\\n',\n", + " '

keywords

\\n',\n", + " '

keywords() -> List[str]
\\n',\n", + " 'Return search keywords for Notebooklet.

\\n',\n", + " '

list_options

\\n',\n", + " '

list_options() -> str
\\n',\n", + " 'Return options document for Notebooklet run function.

\\n',\n", + " '

match_terms

\\n',\n", + " '

match_terms(search_terms: str) -> Tuple[bool, int]
\\n',\n", + " 'Search class definition for search_terms.

\\n',\n", + " '

name

\\n',\n", + " '

name() -> str
\\n',\n", + " 'Return name of the Notebooklet.

\\n',\n", + " '

print_options

\\n',\n", + " '

print_options()
\\n',\n", + " 'Print options for Notebooklet run function.

\\n',\n", + " '

result

\\n',\n", + " '

result [property]\\n',\n", + " 'Return result of the most recent notebooklet run.

\\n',\n", + " '

show_help

\\n',\n", + " '

show_help()
\\n',\n", + " 'Display Documentation for class.

\\n',\n", + " '

silent

\\n',\n", + " '

silent [property]\\n',\n", + " 'Get the current instance setting for silent running.

\\n']" + ] + }, + "execution_count": 53, + "metadata": {}, + "output_type": "execute_result" + } + ], + "source": [ + "[f\"{line}\\n\" for line in cls.get_help().split(\"\\n\")]" + ] + } + ], + "metadata": { + "kernelspec": { + "display_name": "Python (condadev)", + "language": "python", + "name": "condadev" + }, + "language_info": { + "codemirror_mode": { + "name": "ipython", + "version": 3 + }, + "file_extension": ".py", + "mimetype": "text/x-python", + "name": "python", + "nbconvert_exporter": "python", + "pygments_lexer": "ipython3", + "version": "3.7.10" + }, + "widgets": { + "application/vnd.jupyter.widget-state+json": { + "state": { + "086fa1ea70004b62832ff7ac92f4fd4d": { + "model_module": "@jupyter-widgets/base", + "model_module_version": "1.2.0", + "model_name": "LayoutModel", + "state": {} + }, + "0f6d83208b6a4c3c986cd631071f0bb3": { + "model_module": "@jupyter-widgets/controls", + "model_module_version": "1.5.0", + "model_name": "IntRangeSliderModel", + "state": { + "_model_name": "IntRangeSliderModel", + "_view_name": "IntRangeSliderView", + "description": "Time Range", + "layout": "IPY_MODEL_730f50b0ac7c47049a48a284f3ebd18e", + "max": 4, + "min": -4, + "style": "IPY_MODEL_c421dd5cb28e47ddaa7d7b1356e7b39a", + "value": [ + -1, + 0 + ] + } + }, + "16e155c5c9494ef58e71ace3b23cd5d8": { + "model_module": "@jupyter-widgets/controls", + "model_module_version": "1.5.0", + "model_name": "HTMLModel", + "state": { + "layout": "IPY_MODEL_c27f5bff633e45b5befd316d601921b9", + "style": "IPY_MODEL_78eb515d2c57430d9655edb34ff2c8b4", + "value": "

Set time range for pivot functions.

" + } + }, + "32569487e73e490ba935f45b7ad12111": { + "model_module": "@jupyter-widgets/base", + "model_module_version": "1.2.0", + "model_name": "LayoutModel", + "state": {} + }, + "418db54fee724134a8efea5b4b339110": { + "model_module": "@jupyter-widgets/controls", + "model_module_version": "1.5.0", + "model_name": "TextModel", + "state": { + "description": "Query end time (UTC) : ", + "layout": "IPY_MODEL_b1216cc150ca4e75a0f576b0960227bb", + "style": "IPY_MODEL_e46b36920e214c4c80863613ac4b4a28", + "value": "2021-04-30 02:00:04.213446" + } + }, + "49a7c321a9394ea69d17f02b4600997c": { + "model_module": "@jupyter-widgets/controls", + "model_module_version": "1.5.0", + "model_name": "DropdownModel", + "state": { + "_options_labels": [ + "minute", + "hour", + "day", + "week" + ], + "index": 2, + "layout": "IPY_MODEL_a670f6af5f6a490ea8c02da6f810f78e", + "style": "IPY_MODEL_bcf449aad24e4f309607bf61080db3ef" + } + }, + "4d0fdc73455d4747ae25012d4e3b9420": { + "model_module": "@jupyter-widgets/controls", + "model_module_version": "1.5.0", + "model_name": "TextModel", + "state": { + "description": "Query start time (UTC):", + "layout": "IPY_MODEL_fb134491ce774f148873d20e2e744b27", + "style": "IPY_MODEL_b4e9f8ae10e446f69a63559a9652c7a8", + "value": "2021-04-29 02:00:04.213446" + } + }, + "62702feadf154aa79d9bf6b6f1445444": { + "model_module": "@jupyter-widgets/base", + "model_module_version": "1.2.0", + "model_name": "LayoutModel", + "state": { + "width": "95%" + } + }, + "68f63e52a393461bab5a46dd2ab5e07f": { + "model_module": "@jupyter-widgets/controls", + "model_module_version": "1.5.0", + "model_name": "VBoxModel", + "state": { + "children": [ + "IPY_MODEL_16e155c5c9494ef58e71ace3b23cd5d8", + "IPY_MODEL_d7719dabe44b4cf583ad4fd6bd7b5b57", + "IPY_MODEL_a50047475914407a82938ac658224f70" + ], + "layout": "IPY_MODEL_c0a10d855f2d4116bb1f54bd9d71da40" + } + }, + "730f50b0ac7c47049a48a284f3ebd18e": { + "model_module": "@jupyter-widgets/base", + "model_module_version": "1.2.0", + 
"model_name": "LayoutModel", + "state": { + "width": "70%" + } + }, + "78eb515d2c57430d9655edb34ff2c8b4": { + "model_module": "@jupyter-widgets/controls", + "model_module_version": "1.5.0", + "model_name": "DescriptionStyleModel", + "state": { + "description_width": "" + } + }, + "7acc0bb50cd4482b8b97aaa7a8bedf15": { + "model_module": "@jupyter-widgets/base", + "model_module_version": "1.2.0", + "model_name": "LayoutModel", + "state": {} + }, + "a50047475914407a82938ac658224f70": { + "model_module": "@jupyter-widgets/controls", + "model_module_version": "1.5.0", + "model_name": "VBoxModel", + "state": { + "children": [ + "IPY_MODEL_e38e55b517194d228eb4f85610a02ac1", + "IPY_MODEL_4d0fdc73455d4747ae25012d4e3b9420", + "IPY_MODEL_418db54fee724134a8efea5b4b339110" + ], + "layout": "IPY_MODEL_086fa1ea70004b62832ff7ac92f4fd4d" + } + }, + "a5c9e08437fc43a2b029e268e7e2a803": { + "model_module": "@jupyter-widgets/controls", + "model_module_version": "1.5.0", + "model_name": "DescriptionStyleModel", + "state": { + "description_width": "" + } + }, + "a670f6af5f6a490ea8c02da6f810f78e": { + "model_module": "@jupyter-widgets/base", + "model_module_version": "1.2.0", + "model_name": "LayoutModel", + "state": { + "width": "100px" + } + }, + "ad3b2af5a7e04976829a5097fac1a652": { + "model_module": "@jupyter-widgets/base", + "model_module_version": "1.2.0", + "model_name": "LayoutModel", + "state": {} + }, + "b1216cc150ca4e75a0f576b0960227bb": { + "model_module": "@jupyter-widgets/base", + "model_module_version": "1.2.0", + "model_name": "LayoutModel", + "state": { + "width": "50%" + } + }, + "b4e9f8ae10e446f69a63559a9652c7a8": { + "model_module": "@jupyter-widgets/controls", + "model_module_version": "1.5.0", + "model_name": "DescriptionStyleModel", + "state": { + "description_width": "initial" + } + }, + "bcf449aad24e4f309607bf61080db3ef": { + "model_module": "@jupyter-widgets/controls", + "model_module_version": "1.5.0", + "model_name": "DescriptionStyleModel", + "state": { + 
"description_width": "" + } + }, + "c0a10d855f2d4116bb1f54bd9d71da40": { + "model_module": "@jupyter-widgets/base", + "model_module_version": "1.2.0", + "model_name": "LayoutModel", + "state": {} + }, + "c27f5bff633e45b5befd316d601921b9": { + "model_module": "@jupyter-widgets/base", + "model_module_version": "1.2.0", + "model_name": "LayoutModel", + "state": {} + }, + "c421dd5cb28e47ddaa7d7b1356e7b39a": { + "model_module": "@jupyter-widgets/controls", + "model_module_version": "1.5.0", + "model_name": "SliderStyleModel", + "state": { + "description_width": "initial" + } + }, + "cee26b9e0e584315b53fa1f383dd541b": { + "model_module": "@jupyter-widgets/controls", + "model_module_version": "1.5.0", + "model_name": "DatePickerModel", + "state": { + "description": "Origin Date", + "disabled": false, + "layout": "IPY_MODEL_fdb484e0658d4e22ac609998b1789120", + "style": "IPY_MODEL_faaaa39142954f2d8b49136329c2536c", + "value": { + "date": 30, + "month": 3, + "year": 2021 + } + } + }, + "d7719dabe44b4cf583ad4fd6bd7b5b57": { + "model_module": "@jupyter-widgets/controls", + "model_module_version": "1.5.0", + "model_name": "HBoxModel", + "state": { + "children": [ + "IPY_MODEL_cee26b9e0e584315b53fa1f383dd541b", + "IPY_MODEL_eba04e25fd0f4aaaba63080d9d344c67" + ], + "layout": "IPY_MODEL_32569487e73e490ba935f45b7ad12111" + } + }, + "e38e55b517194d228eb4f85610a02ac1": { + "model_module": "@jupyter-widgets/controls", + "model_module_version": "1.5.0", + "model_name": "HBoxModel", + "state": { + "children": [ + "IPY_MODEL_0f6d83208b6a4c3c986cd631071f0bb3", + "IPY_MODEL_49a7c321a9394ea69d17f02b4600997c" + ], + "layout": "IPY_MODEL_ad3b2af5a7e04976829a5097fac1a652" + } + }, + "e46b36920e214c4c80863613ac4b4a28": { + "model_module": "@jupyter-widgets/controls", + "model_module_version": "1.5.0", + "model_name": "DescriptionStyleModel", + "state": { + "description_width": "initial" + } + }, + "eba04e25fd0f4aaaba63080d9d344c67": { + "model_module": "@jupyter-widgets/controls", + 
"model_module_version": "1.5.0", + "model_name": "TextModel", + "state": { + "description": "Time (24hr)", + "layout": "IPY_MODEL_7acc0bb50cd4482b8b97aaa7a8bedf15", + "style": "IPY_MODEL_a5c9e08437fc43a2b029e268e7e2a803", + "value": "02:00:04.213446" + } + }, + "faaaa39142954f2d8b49136329c2536c": { + "model_module": "@jupyter-widgets/controls", + "model_module_version": "1.5.0", + "model_name": "DescriptionStyleModel", + "state": { + "description_width": "" + } + }, + "fb134491ce774f148873d20e2e744b27": { + "model_module": "@jupyter-widgets/base", + "model_module_version": "1.2.0", + "model_name": "LayoutModel", + "state": { + "width": "50%" + } + }, + "fdb484e0658d4e22ac609998b1789120": { + "model_module": "@jupyter-widgets/base", + "model_module_version": "1.2.0", + "model_name": "LayoutModel", + "state": {} + } + }, + "version_major": 2, + "version_minor": 0 + } + } + }, + "nbformat": 4, + "nbformat_minor": 4 +} diff --git a/docs/source/index.rst b/docs/source/index.rst index 4651e77..f44e18c 100644 --- a/docs/source/index.rst +++ b/docs/source/index.rst @@ -43,7 +43,15 @@ Introduction and Usage .. toctree:: :maxdepth: 2 - notebooklets + notebooklets_summary + +Notebooklet details +------------------- + +.. toctree:: + :maxdepth: 4 + + nb_doc_details Creating Notebooklets --------------------- diff --git a/docs/source/nb_doc_details.rst b/docs/source/nb_doc_details.rst new file mode 100644 index 0000000..7b04695 --- /dev/null +++ b/docs/source/nb_doc_details.rst @@ -0,0 +1,13 @@ +Notebooklets Details +-------------------- + +.. toctree:: + :maxdepth: 3 + + notebooklet_docs/AccountSummary.rst + notebooklet_docs/EnrichAlerts.rst + notebooklet_docs/HostLogonsSummary.rst + notebooklet_docs/HostSummary.rst + notebooklet_docs/IpAddressSummary.rst + notebooklet_docs/NetworkFlowSummary.rst + notebooklet_docs/WinHostEvents.rst \ No newline at end of file 
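Review bot: In the `write_doc_file` cell of NotebookletDocumentation.ipynb, `subprocess.run(args)` discards pandoc's exit status, so a missing or failing pandoc is never reported: the following `Path("temp_doc.rst").read_text()` then fails with an unrelated FileNotFoundError, or, if a `temp_doc.rst` survived an interrupted earlier run, silently picks up stale content, and `temp_doc.html` is left behind whenever the call raises. Pass `check=True` so the failure surfaces where it happens: `subprocess.run(args, check=True)`. Since the scratch files use fixed names in the working directory, creating them under `tempfile.TemporaryDirectory()` would also stop them colliding or lingering between runs. The committed outputs carry absolute local paths (`E:\src\msticnb\...`) and run timestamps, and the last two cells look like scratch work (`Path(".").joinpath(f"foo.rst")` and a list built from the loop-leaked `cls`); clearing outputs and dropping those cells before committing would keep the notebook reproducible.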
diff --git a/docs/source/notebooklet_docs/AccountSummary.rst b/docs/source/notebooklet_docs/AccountSummary.rst new file mode 100644 index 0000000..647948e --- /dev/null +++ b/docs/source/notebooklet_docs/AccountSummary.rst 
@@ -0,0 +1,446 @@ +Notebooklet Class - AccountSummary +================================== + +Retrieves account summary for the selected account. + +Main operations: + +- Searches for matches for the account name in Active Directory, + +Windows and Linux host logs. + +- If one or more matches are found it will return a selection + +widget that you can use to pick the account. + +- Selecting the account displays a summary of recent activity and + +retrieves any alerts and hunting bookmarks related to the account + +- The alerts and bookmarks are browseable using the ``browse_alerts`` + +and ``browse_bookmarks`` methods + +- You can call the ``get_additional_data`` method to retrieve and + +display more detailed activity information for the account. + +All of the returned data items are stored in the results class + +as entities, pandas DataFrames or Bokeh visualizations. + +Run help(nblt) on the notebooklet class to see usage. + +Run help(result) on the result class to see documentation of its + +properties. + +Run the print_options() method on either the notebooklet or + +results class to see information about the ``options`` parameter + +for the run() method. + +**Default Options** + +- get_alerts: Retrieve alerts and display timeline for the account. + +- get_bookmarks: Retrieve investigation bookmarks for the account + +**Other Options** + +None + +-------------- + +Display Sections +---------------- + +Account Summary +~~~~~~~~~~~~~~~ + +This function searches Active Directory, Azure, Office365, Windows and +Linux logs for matching accounts. If any matches are found you can +choose an account to explore, viewing the times of recent event types, +any alerts and hunting bookmarks that relate to the account name. You +can also retrieve recent details of the logon activity or cloud activity +for the account. For further investigation use the host_logons_summary +notebooklet for Windows and Linux host logons. 
+ +Host logon attempt timeline +''''''''''''''''''''''''''' + +Hover over each timeline event to see details. + +IP Address details summary +'''''''''''''''''''''''''' + +Number of operations detected by IP Address. The table shows WhoIs ASN +Description and Country Code. If UserAgent is contained in the data, +operations are also grouped by this. + +Querying for account matches. +''''''''''''''''''''''''''''' + +Searching through Active Directory, Windows and Linux events. This may +take a few moments to complete. + +Summary of azure activity for AAD, Azure resource and O365 +'''''''''''''''''''''''''''''''''''''''''''''''''''''''''' + +Shows the total number of operations, the list of unique operations, the +list of unique resource IDs and the first and last operation recorded in +the selected time range. The data is grouped by: - Data source - User - +Type - Azure activity type/source - Client IP Address - Application +resource provider - User type + +Summary of host logon activity. +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Shows the total number of logons attempts by host. FailedLogons shows +the breakdown of successfully and failed logons. IPAddresses is a list +of distinct source IP addresses for the logons. LogonTypeCount breaks +down the logon type used by count. First and LastLogon shows the +earliest and latest logons on each host by this account in the selected +time range. + +-------------- + +Results Class +------------- + +AccountSummaryResult +~~~~~~~~~~~~~~~~~~~~ + +Account Summary Result. + +Attributes +~~~~~~~~~~ + +- | account_activity : pd.DataFrame + | DataFrame of most recent activity. + +- | account_selector : msticpy.nbtools.nbwidgets.SelectString + | Selection widget for accounts. + +- | related_alerts : pd.DataFrame + | Alerts related to the account. + +- | alert_timeline : LayoutDOM + | Timeline of alerts. + +- | related_bookmarks : pd.DataFrame + | Investigation bookmarks related to the account. 
+ +- | host_logons : pd.DataFrame + | Host logon attemtps for selected account. + +- | host_logon_summary : pd.DataFrame + | Host logon summary for selected account. + +- | azure_activity : pd.DataFrame + | Azure Account activity for selected account. + +- | account_activity_summary : pd.DataFrame + | Azure activity summary. + +- | azure_timeline_by_provider : LayoutDOM + | Azure activity timeline grouped by provider + +- | account_timeline_by_ip : LayoutDOM + | Host or Azure activity timeline by IP Address. + +- | azure_timeline_by_operation : LayoutDOM + | Azure activity timeline grouped by operation + +- | ip_address_summary : pd.DataFrame + | Summary of IP address properties and usage for the current + activity. + +- | ip_all_data : pd.DataFrame + | Full details of operations with IP WhoIs and GeoIP data. + +-------------- + +Methods +------- + +Instance Methods +~~~~~~~~~~~~~~~~ + +\__init_\_ +^^^^^^^^^^ + +| \__init__(self, *args,* \*kwargs) +| Initialize the Account Summary notebooklet. + +az_activity_timeline_by_ip +^^^^^^^^^^^^^^^^^^^^^^^^^^ + +| az_activity_timeline_by_ip(self) +| Display Azure activity timeline by IP address. + +az_activity_timeline_by_operation +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +| az_activity_timeline_by_operation(self) +| Display Azure activity timeline by operation. + +az_activity_timeline_by_provider +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +| az_activity_timeline_by_provider(self) +| Display Azure activity timeline by provider. + +browse_accounts +^^^^^^^^^^^^^^^ + +| browse_accounts(self) -> msticpy.nbtools.nbwidgets.SelectItem +| Return the accounts browser/viewer. + +browse_alerts +^^^^^^^^^^^^^ + +| browse_alerts(self) -> msticpy.nbtools.nbwidgets.SelectAlert +| Return alert browser/viewer. + +browse_bookmarks +^^^^^^^^^^^^^^^^ + +| browse_bookmarks(self) -> msticpy.nbtools.nbwidgets.SelectItem +| Return bookmark browser/viewer. 
+ +display_alert_timeline +^^^^^^^^^^^^^^^^^^^^^^ + +| display_alert_timeline(self) +| Display the alert timeline. + +get_additional_data +^^^^^^^^^^^^^^^^^^^ + +| get_additional_data(self) -> pandas.core.frame.DataFrame +| Find additional data for the selected account. + +get_geoip_map +^^^^^^^^^^^^^ + +| get_geoip_map(self) +| Return Folium map of IP activity. + +host_logon_timeline +^^^^^^^^^^^^^^^^^^^ + +| host_logon_timeline(self) +| Display IP address summary. + +run +^^^ + +| run(self, value: Any = None, data: Union[pandas.core.frame.DataFrame, + NoneType] = None, timespan: Union[msticpy.common.timespan.TimeSpan, + NoneType] = None, options: Union[Iterable[str], NoneType] = None, + \**kwargs) -> + msticnb.nb.azsent.account.account_summary.AccountSummaryResult +| Return account activity summary. + +show_ip_summary +^^^^^^^^^^^^^^^ + +| show_ip_summary(self) +| Display Azure activity timeline by operation. + +Inherited methods +~~~~~~~~~~~~~~~~~ + +check_table_exists +^^^^^^^^^^^^^^^^^^ + +| check_table_exists(self, table: str) -> bool +| Check to see if the table exists in the provider. + +check_valid_result_data +^^^^^^^^^^^^^^^^^^^^^^^ + +| check_valid_result_data(self, attrib: str = None, silent: bool = + False) -> bool +| Check that the result is valid and ``attrib`` contains data. + +get_methods +^^^^^^^^^^^ + +| get_methods(self) -> Dict[str, Callable[[Any], Any]] +| Return methods available for this class. + +get_pivot_run +^^^^^^^^^^^^^ + +| get_pivot_run(self, get_timespan: Callable[[], + msticpy.common.timespan.TimeSpan]) +| Return Pivot-wrappable run function. + +get_provider +^^^^^^^^^^^^ + +| get_provider(self, provider_name: str) +| Return data provider for the specified name. + +list_methods +^^^^^^^^^^^^ + +| list_methods(self) -> List[str] +| Return list of methods with descriptions. + +Other Methods +~~~~~~~~~~~~~ + +all_options +^^^^^^^^^^^ + +| all_options() -> List[str] +| Return supported options for Notebooklet run function. 
+ +default_options +^^^^^^^^^^^^^^^ + +| default_options() -> List[str] +| Return default options for Notebooklet run function. + +description +^^^^^^^^^^^ + +| description() -> str +| Return description of the Notebooklet. + +entity_types +^^^^^^^^^^^^ + +| entity_types() -> List[str] +| Entity types supported by the notebooklet. + +get_help +^^^^^^^^ + +| get_help(fmt='html') -> str +| Return HTML document for class. + +get_settings +^^^^^^^^^^^^ + +| get_settings(print_settings=True) -> Union[str, NoneType] +| Print or return metadata for class. + +import_cell +^^^^^^^^^^^ + +| import_cell() +| Import the text of this module into a new cell. + +keywords +^^^^^^^^ + +| keywords() -> List[str] +| Return search keywords for Notebooklet. + +list_options +^^^^^^^^^^^^ + +| list_options() -> str +| Return options document for Notebooklet run function. + +match_terms +^^^^^^^^^^^ + +| match_terms(search_terms: str) -> Tuple[bool, int] +| Search class definition for ``search_terms``. + +name +^^^^ + +| name() -> str +| Return name of the Notebooklet. + +print_options +^^^^^^^^^^^^^ + +| print_options() +| Print options for Notebooklet run function. + +result +^^^^^^ + +result [property] Return result of the most recent notebooklet run. + +show_help +^^^^^^^^^ + +| show_help() +| Display Documentation for class. + +silent +^^^^^^ + +silent [property] Get the current instance setting for silent running. + +--------- + +``run`` function documentation +------------------------------ + +Return account activity summary. + + +Parameters +~~~~~~~~~~ + + +value : str + Account name to search for. + +data : Optional[pd.DataFrame], optional + Not used. + +timespan : TimeSpan + Timespan for queries + +options : Optional[Iterable[str]], optional + List of options to use, by default None. + A value of None means use default options. + Options prefixed with "+" will be added to the default options. 
+ To see the list of available options type `help(cls)` where + "cls" is the notebooklet class or an instance of this class. + +account_types : Iterable[AccountType], Optional + A list of account types to search for, by default + all types. + + +Returns +~~~~~~~ + + +AccountSummaryResult + Result object with attributes for each result type. + + +Raises +~~~~~~ + + +MsticnbMissingParameterError + If required parameters are missing + + + +Default Options +~~~~~~~~~~~~~~~ + +- get_alerts: Retrieve alerts and display timeline for the account. +- get_bookmarks: Retrieve investigation bookmarks for the account + + +Other Options +~~~~~~~~~~~~~ + + +None \ No newline at end of file diff --git a/docs/source/notebooklet_docs/EnrichAlerts.rst b/docs/source/notebooklet_docs/EnrichAlerts.rst new file mode 100644 index 0000000..d00a100 --- /dev/null +++ b/docs/source/notebooklet_docs/EnrichAlerts.rst 
@@ -0,0 +1,252 @@ +Notebooklet Class - EnrichAlerts +================================ + +Alert Enrichment Notebooklet Class. + +Enriches Azure Sentinel alerts with TI data. + +-------------- + +Display Sections +---------------- + +-------------- + +Results Class +------------- + +TIEnrichResult +~~~~~~~~~~~~~~ + +Template Results. + +Attributes +~~~~~~~~~~ + +- | enriched_results : pd.DataFrame + | Alerts with additional TI enrichment + +- | picker : SelectAlert + | Alert picker + +-------------- + +Methods +------- + +Instance Methods +~~~~~~~~~~~~~~~~ + +\__init_\_ +^^^^^^^^^^ + +| \__init__(self, data_providers: + Union[, NoneType] = None, \**kwargs) +| Intialize a new instance of the notebooklet class. + +run +^^^ + +| run(self, value: Union[str, NoneType] = None, data: + Union[pandas.core.frame.DataFrame, NoneType] = None, timespan: + Union[msticpy.common.timespan.TimeSpan, NoneType] = None, options: + Union[Iterable[str], NoneType] = None, \**kwargs) -> + msticnb.nb.azsent.alert.ti_enrich.TIEnrichResult +| Return an enriched set of Alerts. + +Inherited methods +~~~~~~~~~~~~~~~~~ + +check_table_exists +^^^^^^^^^^^^^^^^^^ + +| check_table_exists(self, table: str) -> bool +| Check to see if the table exists in the provider. + +check_valid_result_data +^^^^^^^^^^^^^^^^^^^^^^^ + +| check_valid_result_data(self, attrib: str = None, silent: bool = + False) -> bool +| Check that the result is valid and ``attrib`` contains data. + +get_methods +^^^^^^^^^^^ + +| get_methods(self) -> Dict[str, Callable[[Any], Any]] +| Return methods available for this class. + +get_pivot_run +^^^^^^^^^^^^^ + +| get_pivot_run(self, get_timespan: Callable[[], + msticpy.common.timespan.TimeSpan]) +| Return Pivot-wrappable run function. + +get_provider +^^^^^^^^^^^^ + +| get_provider(self, provider_name: str) +| Return data provider for the specified name. + +list_methods +^^^^^^^^^^^^ + +| list_methods(self) -> List[str] +| Return list of methods with descriptions. 
+ +Other Methods +~~~~~~~~~~~~~ + +all_options +^^^^^^^^^^^ + +| all_options() -> List[str] +| Return supported options for Notebooklet run function. + +default_options +^^^^^^^^^^^^^^^ + +| default_options() -> List[str] +| Return default options for Notebooklet run function. + +description +^^^^^^^^^^^ + +| description() -> str +| Return description of the Notebooklet. + +entity_types +^^^^^^^^^^^^ + +| entity_types() -> List[str] +| Entity types supported by the notebooklet. + +get_help +^^^^^^^^ + +| get_help(fmt='html') -> str +| Return HTML document for class. + +get_settings +^^^^^^^^^^^^ + +| get_settings(print_settings=True) -> Union[str, NoneType] +| Print or return metadata for class. + +import_cell +^^^^^^^^^^^ + +| import_cell() +| Import the text of this module into a new cell. + +keywords +^^^^^^^^ + +| keywords() -> List[str] +| Return search keywords for Notebooklet. + +list_options +^^^^^^^^^^^^ + +| list_options() -> str +| Return options document for Notebooklet run function. + +match_terms +^^^^^^^^^^^ + +| match_terms(search_terms: str) -> Tuple[bool, int] +| Search class definition for ``search_terms``. + +name +^^^^ + +| name() -> str +| Return name of the Notebooklet. + +print_options +^^^^^^^^^^^^^ + +| print_options() +| Print options for Notebooklet run function. + +result +^^^^^^ + +result [property] Return result of the most recent notebooklet run. + +show_help +^^^^^^^^^ + +| show_help() +| Display Documentation for class. + +silent +^^^^^^ + +silent [property] Get the current instance setting for silent running. + +--------- + +``run`` function documentation +------------------------------ + +Return an enriched set of Alerts. + + +Parameters +~~~~~~~~~~ + + +timespan : TimeSpan + Timespan for queries + +options : Optional[Iterable[str]], optional + List of options to use, by default None. + A value of None means use default options. + Options prefixed with "+" will be added to the default options. 
+ To see the list of available options type `help(cls)` where + "cls" is the notebooklet class or an instance of this class. + +value: Optional[str], optional + If you want to filter Alerts based on a specific entity specify + it as a string. + +data: Optional[pd.DataFrame], optional + If you have alerts in a DataFrame you can pass them rather than + having the notebooklet query alerts. + + +Returns +~~~~~~~ + + +TIEnrichResult + Result object with attributes for each result type. + + +Raises +~~~~~~ + + +MsticnbMissingParameterError + If required parameters are missing + + +MsticnbDataProviderError + If data is not avaliable + + + +Default Options +~~~~~~~~~~~~~~~ + +- TI: Uses TI to enrich alert data. Will use your primary TI providers. +- details: Displays a widget allowing you to see more detail about an alert. + + +Other Options +~~~~~~~~~~~~~ + +- secondary: Uses secondary TI providers in lookups. \ No newline at end of file diff --git a/docs/source/notebooklet_docs/HostLogonsSummary.rst b/docs/source/notebooklet_docs/HostLogonsSummary.rst new file mode 100644 index 0000000..3971d6d --- /dev/null +++ b/docs/source/notebooklet_docs/HostLogonsSummary.rst 
@@ -0,0 +1,275 @@ +Notebooklet Class - HostLogonsSummary +===================================== + +Host Logons Summary Notebooket class. + +Queries and displays information about logons to a host including: + +- Summary of sucessfull logons + +- Visualizations of logon event times + +- Geolocation of remote logon sources + +- Visualizations of various logon elements depending on host type + +- Data on users with failed and sucessful logons + +-------------- + +Display Sections +---------------- + +-------------- + +Results Class +------------- + +HostLogonsSummaryResult +~~~~~~~~~~~~~~~~~~~~~~~ + +Host Logons Summary Results. + +Attributes +~~~~~~~~~~ + +- | logon_sessions: pd.DataFrame + | A Dataframe summarizing all sucessfull and failed logon attempts + observed during the specified time period. + +- | + +- | logon_map: FoliumMap + | A map showing remote logon attempt source locations. Red points + represent failed logons, green successful. + +- | + +- | plots: Dict + | A collection of Bokeh plot figures showing various aspects of + observed logons. Keys are a descriptive name of the plot and values + are the plot figures. + +-------------- + +Methods +------- + +Instance Methods +~~~~~~~~~~~~~~~~ + +\__init_\_ +^^^^^^^^^^ + +| \__init__(self, data_providers: + Union[, NoneType] = None, \**kwargs) +| Intialize a new instance of the notebooklet class. + +run +^^^ + +| run(self, value: Any = None, data: Union[pandas.core.frame.DataFrame, + NoneType] = None, timespan: Union[msticpy.common.timespan.TimeSpan, + NoneType] = None, options: Union[Iterable[str], NoneType] = None, + \**kwargs) -> + msticnb.nb.azsent.host.host_logons_summary.HostLogonsSummaryResult +| Return host summary data. + +Inherited methods +~~~~~~~~~~~~~~~~~ + +check_table_exists +^^^^^^^^^^^^^^^^^^ + +| check_table_exists(self, table: str) -> bool +| Check to see if the table exists in the provider. 
+ +check_valid_result_data +^^^^^^^^^^^^^^^^^^^^^^^ + +| check_valid_result_data(self, attrib: str = None, silent: bool = + False) -> bool +| Check that the result is valid and ``attrib`` contains data. + +get_methods +^^^^^^^^^^^ + +| get_methods(self) -> Dict[str, Callable[[Any], Any]] +| Return methods available for this class. + +get_pivot_run +^^^^^^^^^^^^^ + +| get_pivot_run(self, get_timespan: Callable[[], + msticpy.common.timespan.TimeSpan]) +| Return Pivot-wrappable run function. + +get_provider +^^^^^^^^^^^^ + +| get_provider(self, provider_name: str) +| Return data provider for the specified name. + +list_methods +^^^^^^^^^^^^ + +| list_methods(self) -> List[str] +| Return list of methods with descriptions. + +Other Methods +~~~~~~~~~~~~~ + +all_options +^^^^^^^^^^^ + +| all_options() -> List[str] +| Return supported options for Notebooklet run function. + +default_options +^^^^^^^^^^^^^^^ + +| default_options() -> List[str] +| Return default options for Notebooklet run function. + +description +^^^^^^^^^^^ + +| description() -> str +| Return description of the Notebooklet. + +entity_types +^^^^^^^^^^^^ + +| entity_types() -> List[str] +| Entity types supported by the notebooklet. + +get_help +^^^^^^^^ + +| get_help(fmt='html') -> str +| Return HTML document for class. + +get_settings +^^^^^^^^^^^^ + +| get_settings(print_settings=True) -> Union[str, NoneType] +| Print or return metadata for class. + +import_cell +^^^^^^^^^^^ + +| import_cell() +| Import the text of this module into a new cell. + +keywords +^^^^^^^^ + +| keywords() -> List[str] +| Return search keywords for Notebooklet. + +list_options +^^^^^^^^^^^^ + +| list_options() -> str +| Return options document for Notebooklet run function. + +match_terms +^^^^^^^^^^^ + +| match_terms(search_terms: str) -> Tuple[bool, int] +| Search class definition for ``search_terms``. + +name +^^^^ + +| name() -> str +| Return name of the Notebooklet. 
+ +print_options +^^^^^^^^^^^^^ + +| print_options() +| Print options for Notebooklet run function. + +result +^^^^^^ + +result [property] Return result of the most recent notebooklet run. + +show_help +^^^^^^^^^ + +| show_help() +| Display Documentation for class. + +silent +^^^^^^ + +silent [property] Get the current instance setting for silent running. + +--------- + +``run`` function documentation +------------------------------ + +Return host summary data. + + +Parameters +~~~~~~~~~~ + + +value : str + Host name + +data : Optional[pd.DataFrame], optional + Optionally pass raw data to use for analysis, by default None + +timespan : TimeSpan + Timespan over which operations such as queries will be + performed, by default None. + This can be a TimeStamp object or another object that + has valid `start`, `end`, or `period` attributes. + Alternatively you can pass `start` and `end` datetime objects. + +options : Optional[Iterable[str]], optional + List of options to use, by default None + A value of None means use default options. + + +Returns +~~~~~~~ + + +HostLogonsSummaryResults + Result object with attributes for each result type. + + +Raises +~~~~~~ + + +MsticnbMissingParameterError + If required parameters are missing + + +MsticnbDataProviderError + If data is not avaliable + + + +Default Options +~~~~~~~~~~~~~~~ + +- map: Display a map of logon attempt locations. +- timeline: Display a timeline of logon atttempts. +- charts: Display a range of charts depicting different elements of logon events. +- failed_success: Displays a DataFrame of all users with both successful and failed logons. + + +Other Options +~~~~~~~~~~~~~ + + +None \ No newline at end of file diff --git a/docs/source/notebooklet_docs/HostSummary.rst b/docs/source/notebooklet_docs/HostSummary.rst new file mode 100644 index 0000000..05d08c2 --- /dev/null +++ b/docs/source/notebooklet_docs/HostSummary.rst 
@@ -0,0 +1,321 @@ +Notebooklet Class - HostSummary +=============================== + +HostSummary Notebooklet class. + +Queries and displays information about a host including: + +- IP address assignment + +- Related alerts + +- Related hunting/investigation bookmarks + +- Azure subscription/resource data. + +**Default Options** + +- heartbeat: Query Heartbeat table for host information. + +- azure_net: Query AzureNetworkAnalytics table for host network + topology information. + +- alerts: Query any alerts for the host. + +- bookmarks: Query any bookmarks for the host. + +- azure_api: Query Azure API for VM information. + +**Other Options** + +None + +-------------- + +Display Sections +---------------- + +Host Entity Summary +~~~~~~~~~~~~~~~~~~~ + +This shows a summary data for a host. It shows host properties obtained +from OMS Heartbeat and Azure API. It also lists Azure Sentinel alerts +and bookmakrs related to to the host. Data and plots are stored in the +result class returned by this function. + +Timeline of related alerts +^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Each marker on the timeline indicates one or more alerts related to the +host. + +Host Entity details +^^^^^^^^^^^^^^^^^^^ + +These are the host entity details gathered from Heartbeat and, if +applicable, AzureNetworkAnalytics and Azure management API. The data +shows OS information, IP Addresses assigned the host and any Azure VM +information available. + +-------------- + +Results Class +------------- + +HostSummaryResult +~~~~~~~~~~~~~~~~~ + +Host Details Results. + +Attributes +~~~~~~~~~~ + +- | host_entity : msticpy.data.nbtools.entities.Host + | The host entity object contains data about the host such as name, + environment, operating system version, IP addresses and Azure VM + details. Depending on the type of host, not all of this data may be + populated. + +- | related_alerts : pd.DataFrame + | Pandas DataFrame of any alerts recorded for the host within the + query time span. 
+ +- | alert_timeline: + | Bokeh time plot of alerts recorded for host. + +- | related_bookmarks: pd.DataFrame + | Pandas DataFrame of any investigation bookmarks relating to the + host. + +-------------- + +Methods +------- + +Instance Methods +~~~~~~~~~~~~~~~~ + +\__init_\_ +^^^^^^^^^^ + +| \__init__(self, data_providers: + Union[, NoneType] = None, \**kwargs) +| Intialize a new instance of the notebooklet class. + +run +^^^ + +| run(self, value: Any = None, data: Union[pandas.core.frame.DataFrame, + NoneType] = None, timespan: Union[msticpy.common.timespan.TimeSpan, + NoneType] = None, options: Union[Iterable[str], NoneType] = None, + \**kwargs) -> msticnb.nb.azsent.host.host_summary.HostSummaryResult +| Return host summary data. + +Inherited methods +~~~~~~~~~~~~~~~~~ + +check_table_exists +^^^^^^^^^^^^^^^^^^ + +| check_table_exists(self, table: str) -> bool +| Check to see if the table exists in the provider. + +check_valid_result_data +^^^^^^^^^^^^^^^^^^^^^^^ + +| check_valid_result_data(self, attrib: str = None, silent: bool = + False) -> bool +| Check that the result is valid and ``attrib`` contains data. + +get_methods +^^^^^^^^^^^ + +| get_methods(self) -> Dict[str, Callable[[Any], Any]] +| Return methods available for this class. + +get_pivot_run +^^^^^^^^^^^^^ + +| get_pivot_run(self, get_timespan: Callable[[], + msticpy.common.timespan.TimeSpan]) +| Return Pivot-wrappable run function. + +get_provider +^^^^^^^^^^^^ + +| get_provider(self, provider_name: str) +| Return data provider for the specified name. + +list_methods +^^^^^^^^^^^^ + +| list_methods(self) -> List[str] +| Return list of methods with descriptions. + +Other Methods +~~~~~~~~~~~~~ + +all_options +^^^^^^^^^^^ + +| all_options() -> List[str] +| Return supported options for Notebooklet run function. + +default_options +^^^^^^^^^^^^^^^ + +| default_options() -> List[str] +| Return default options for Notebooklet run function. 
+ +description +^^^^^^^^^^^ + +| description() -> str +| Return description of the Notebooklet. + +entity_types +^^^^^^^^^^^^ + +| entity_types() -> List[str] +| Entity types supported by the notebooklet. + +get_help +^^^^^^^^ + +| get_help(fmt='html') -> str +| Return HTML document for class. + +get_settings +^^^^^^^^^^^^ + +| get_settings(print_settings=True) -> Union[str, NoneType] +| Print or return metadata for class. + +import_cell +^^^^^^^^^^^ + +| import_cell() +| Import the text of this module into a new cell. + +keywords +^^^^^^^^ + +| keywords() -> List[str] +| Return search keywords for Notebooklet. + +list_options +^^^^^^^^^^^^ + +| list_options() -> str +| Return options document for Notebooklet run function. + +match_terms +^^^^^^^^^^^ + +| match_terms(search_terms: str) -> Tuple[bool, int] +| Search class definition for ``search_terms``. + +name +^^^^ + +| name() -> str +| Return name of the Notebooklet. + +print_options +^^^^^^^^^^^^^ + +| print_options() +| Print options for Notebooklet run function. + +result +^^^^^^ + +result [property] Return result of the most recent notebooklet run. + +show_help +^^^^^^^^^ + +| show_help() +| Display Documentation for class. + +silent +^^^^^^ + +silent [property] Get the current instance setting for silent running. + +--------- + +``run`` function documentation +------------------------------ + +Return host summary data. + + +Parameters +~~~~~~~~~~ + + +value : str + Host name + +data : Optional[pd.DataFrame], optional + Not used, by default None + +timespan : TimeSpan + Timespan over which operations such as queries will be + performed, by default None. + This can be a TimeStamp object or another object that + has valid `start`, `end`, or `period` attributes. + +options : Optional[Iterable[str]], optional + List of options to use, by default None + A value of None means use default options. + Options prefixed with "+" will be added to the default options. 
+ To see the list of available options type `help(cls)` where + "cls" is the notebooklet class or an instance of this class. + + +Other Parameters +~~~~~~~~~~~~~~~~ + + +start : Union[datetime, datelike-string] + Alternative to specifying timespan parameter. + +end : Union[datetime, datelike-string] + Alternative to specifying timespan parameter. + + +Returns +~~~~~~~ + + +HostSummaryResult + Result object with attributes for each result type. + + +Raises +~~~~~~ + + +MsticnbMissingParameterError + If required parameters are missing + + + +Default Options +~~~~~~~~~~~~~~~ + +- heartbeat: Query Heartbeat table for host information. +- azure_net: Query AzureNetworkAnalytics table for host network topology information. +- alerts: Query any alerts for the host. +- bookmarks: Query any bookmarks for the host. +- azure_api: Query Azure API for VM information. + + +Other Options +~~~~~~~~~~~~~ + + +None \ No newline at end of file diff --git a/docs/source/notebooklet_docs/IpAddressSummary.rst b/docs/source/notebooklet_docs/IpAddressSummary.rst new file mode 100644 index 0000000..f30b7cd --- /dev/null +++ b/docs/source/notebooklet_docs/IpAddressSummary.rst 
@@ -0,0 +1,462 @@ +Notebooklet Class - IpAddressSummary +==================================== + +IP Address Summary Notebooklet class. + +Queries and displays summary information about an IP address, including: + +- Basic IP address properties + +- IpAddress entity (and Host entity, if a host could be associated) + +- WhoIs and Geo-location + +- Azure activity and network data (optional) + +- Office activity summary (optional) + +- Threat intelligence reports + +- Related alerts and hunting bookmarks + +**Default Options** + +- geoip: Get geo location information for IP address. + +- alerts: Get any alerts listing the IP address. + +- heartbeat: Get the latest heartbeat record for for this IP Address. + +- az_net_if: Get the latest Azure network analytics interface data for + this IP Address. + +- vmcomputer: Get the latest VMComputer record for this IP Address. + +**Other Options** + +- bookmarks: Get any hunting bookmarks listing the IP address. + +- az_netflow: Get netflow information from AzureNetworkAnalytics table. + +- passive_dns: Force fetching passive DNS data from a TI Provider even + if IP is internal. + +- az_activity: AAD sign-ins and Azure Activity logs + +- office_365: Office 365 activity + +- ti: Force get threat intelligence reports even for internal public + IPs. + +-------------- + +Display Sections +---------------- + +Azure Sign-ins and audit activity from IP Address +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +(only available for Azure) + +Azure network analytics netflow data for IP. +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +(only available for if Azure network analytics net flow enabled.) This +is is a list of netflow events for the IP. 
Timeline by protocol is +available in the ``result.az_network_flows_timeline`` property - Use +``nblt.netflow_total_by_protocol()`` method to view flow totals by +protocol - Use ``nblt.netflow_total_by_direction()`` to view a timeline +grouped by direction of flow + +Office 365 operations summary from IP Address +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +(only available for Office 365) + +Public IP data (GeoIP, ThreatIntel, Passive DNS, VPS membership) +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Azure Sentinel alerts related to the IP. +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Use ``nblt.browse_alerts()`` to retrieve a list of alerts. + +.. _azure-sentinel-alerts-related-to-the-ip.-1: + +Azure Sentinel alerts related to the IP. +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Use ``nblt.browse_alerts()`` to retrieve a list of alerts. + +IP Address summary +~~~~~~~~~~~~~~~~~~ + +Retrieving data for IP Address Data and plots are stored in the result +class returned by this function. + +Azure Network Analytics Topology record for the IP. +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +(only available for Azure VMs) + +Azure Sentinel heartbeat record for the IP. +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +(only available for IP addresses that belong to the subscription) + +Azure VMComputer record for the IP. +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +(only available for Azure VMs) + +Summary of network flow data for this IP Address +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +(only available for if Azure network analytics net flow enabled.) + +-------------- + +Results Class +------------- + +IpSummaryResult +~~~~~~~~~~~~~~~ + +IPSummary Results. + +Attributes +~~~~~~~~~~ + +- | ip_str : str + | The input IP address as a string. 
+ +- | ip_address : Optional[Union[IPv4Address, IPv6Address]] + | Ip Address Python object + +- | ip_entity : IpAddress + | IpAddress entity + +- | ip_origin : str + | "External" or "Internal" + +- | host_entity : Host + | Host entity associated with IP Address + +- | ip_type : str + | IP address type - "Public", "Private", etc. + +- | vps_network : IPv4Network + | If this is not None, the address is part of a know VPS network. + +- | geoip : Optional[Dict[str, Any]] + | Geo location information as a dictionary. + +- | location : Optional[GeoLocation] + | Location entity context object. + +- | whois : pd.DataFrame + | WhoIs information for IP Address + +- | whois_nets : pd.DataFrame + | List of networks definitions from WhoIs data + +- | heartbeat : pd.DataFrame + | Heartbeat record for IP Address or host + +- | az_network_if : pd.DataFrame + | Azure Network analytics interface record, if available + +- | vmcomputer : pd.DataFrame + | VMComputer latest record + +- | az_network_flows : pd.DataFrame + | Azure Network analytics flows for IP, if available + +- | az_network_flows_timeline: Figure + | Azure Network analytics flows timeline, if data is available + +- | aad_signins : pd.DataFrame = None + | AAD signin activity + +- | azure_activity : pd.DataFrame = None + | Azure Activity log entries + +- | azure_activity_summary : pd.DataFrame = None + | Azure Activity (AAD and Az Activity) summarized view + +- | office_activity : pd.DataFrame = None + | Office 365 activity + +- | related_alerts : pd.DataFrame + | Alerts related to IP Address + +- | related_bookmarks : pd.DataFrame + | Bookmarks related to IP Address + +- | alert_timeline : Figure + | Timeline plot of alerts + +- | ti_results: pd.DataFrame + | Threat intel lookup results + +- | passive_dns: pd.DataFrame + | Passive DNS lookup results + +-------------- + +Methods +------- + +Instance Methods +~~~~~~~~~~~~~~~~ + +\__init_\_ +^^^^^^^^^^ + +| \__init__(self, data_providers: + Union[, NoneType] = None, 
\**kwargs) +| Intialize a new instance of the notebooklet class. + +browse_alerts +^^^^^^^^^^^^^ + +| browse_alerts(self) -> msticpy.nbtools.nbwidgets.SelectAlert +| Return alert browser/viewer. + +browse_ti_results +^^^^^^^^^^^^^^^^^ + +| browse_ti_results(self) +| Display Threat intel results. + +display_alert_timeline +^^^^^^^^^^^^^^^^^^^^^^ + +| display_alert_timeline(self) +| Display the alert timeline. + +netflow_by_direction +^^^^^^^^^^^^^^^^^^^^ + +| netflow_by_direction(self) -> bokeh.plotting.figure.Figure +| Display netflows grouped by direction. + +netflow_by_protocol +^^^^^^^^^^^^^^^^^^^ + +| netflow_by_protocol(self) -> bokeh.plotting.figure.Figure +| Display netflows grouped by protocol. + +netflow_total_by_protocol +^^^^^^^^^^^^^^^^^^^^^^^^^ + +| netflow_total_by_protocol(self) -> bokeh.plotting.figure.Figure +| Display netflows grouped by protocol. + +run +^^^ + +| run(self, value: Any = None, data: Union[pandas.core.frame.DataFrame, + NoneType] = None, timespan: Union[msticpy.common.timespan.TimeSpan, + NoneType] = None, options: Union[Iterable[str], NoneType] = None, + \**kwargs) -> msticnb.nb.azsent.network.ip_summary.IpSummaryResult +| Return XYZ summary. + +Inherited methods +~~~~~~~~~~~~~~~~~ + +check_table_exists +^^^^^^^^^^^^^^^^^^ + +| check_table_exists(self, table: str) -> bool +| Check to see if the table exists in the provider. + +check_valid_result_data +^^^^^^^^^^^^^^^^^^^^^^^ + +| check_valid_result_data(self, attrib: str = None, silent: bool = + False) -> bool +| Check that the result is valid and ``attrib`` contains data. + +get_methods +^^^^^^^^^^^ + +| get_methods(self) -> Dict[str, Callable[[Any], Any]] +| Return methods available for this class. + +get_pivot_run +^^^^^^^^^^^^^ + +| get_pivot_run(self, get_timespan: Callable[[], + msticpy.common.timespan.TimeSpan]) +| Return Pivot-wrappable run function. + +get_provider +^^^^^^^^^^^^ + +| get_provider(self, provider_name: str) +| Return data provider for the specified name. 
+ +list_methods +^^^^^^^^^^^^ + +| list_methods(self) -> List[str] +| Return list of methods with descriptions. + +Other Methods +~~~~~~~~~~~~~ + +all_options +^^^^^^^^^^^ + +| all_options() -> List[str] +| Return supported options for Notebooklet run function. + +default_options +^^^^^^^^^^^^^^^ + +| default_options() -> List[str] +| Return default options for Notebooklet run function. + +description +^^^^^^^^^^^ + +| description() -> str +| Return description of the Notebooklet. + +entity_types +^^^^^^^^^^^^ + +| entity_types() -> List[str] +| Entity types supported by the notebooklet. + +get_help +^^^^^^^^ + +| get_help(fmt='html') -> str +| Return HTML document for class. + +get_settings +^^^^^^^^^^^^ + +| get_settings(print_settings=True) -> Union[str, NoneType] +| Print or return metadata for class. + +import_cell +^^^^^^^^^^^ + +| import_cell() +| Import the text of this module into a new cell. + +keywords +^^^^^^^^ + +| keywords() -> List[str] +| Return search keywords for Notebooklet. + +list_options +^^^^^^^^^^^^ + +| list_options() -> str +| Return options document for Notebooklet run function. + +match_terms +^^^^^^^^^^^ + +| match_terms(search_terms: str) -> Tuple[bool, int] +| Search class definition for ``search_terms``. + +name +^^^^ + +| name() -> str +| Return name of the Notebooklet. + +print_options +^^^^^^^^^^^^^ + +| print_options() +| Print options for Notebooklet run function. + +result +^^^^^^ + +result [property] Return result of the most recent notebooklet run. + +show_help +^^^^^^^^^ + +| show_help() +| Display Documentation for class. + +silent +^^^^^^ + +silent [property] Get the current instance setting for silent running. + +--------- + +``run`` function documentation +------------------------------ + +Return XYZ summary. + + +Parameters +~~~~~~~~~~ + + +value : str + IP Address - The key for searches + +data : Optional[pd.DataFrame], optional + Not supported for this notebooklet. 
+ +timespan : TimeSpan + Timespan for queries + +options : Optional[Iterable[str]], optional + List of options to use, by default None. + A value of None means use default options. + Options prefixed with "+" will be added to the default options. + To see the list of available options type `help(cls)` where + "cls" is the notebooklet class or an instance of this class. + + +Returns +~~~~~~~ + + +IpSummaryResult + Result object with attributes for each result type. + + +Raises +~~~~~~ + + +MsticnbMissingParameterError + If required parameters are missing + + + +Default Options +~~~~~~~~~~~~~~~ + +- geoip: Get geo location information for IP address. +- alerts: Get any alerts listing the IP address. +- heartbeat: Get the latest heartbeat record for for this IP Address. +- az_net_if: Get the latest Azure network analytics interface data for this IP Address. +- vmcomputer: Get the latest VMComputer record for this IP Address. + + +Other Options +~~~~~~~~~~~~~ + +- bookmarks: Get any hunting bookmarks listing the IP address. +- az_netflow: Get netflow information from AzureNetworkAnalytics table. +- passive_dns: Force fetching passive DNS data from a TI Provider even if IP is internal. +- az_activity: AAD sign-ins and Azure Activity logs +- office_365: Office 365 activity +- ti: Force get threat intelligence reports even for internal public IPs. \ No newline at end of file diff --git a/docs/source/notebooklet_docs/NetworkFlowSummary.rst b/docs/source/notebooklet_docs/NetworkFlowSummary.rst new file mode 100644 index 0000000..8d2b42b --- /dev/null +++ b/docs/source/notebooklet_docs/NetworkFlowSummary.rst 
@@ -0,0 +1,418 @@ +Notebooklet Class - NetworkFlowSummary +====================================== + +Network Flow Summary Notebooklet class. + +Queries network data and plots time lines for network + +traffic to/from a host or IP address. + +- Plot flows events by protocol and direction + +- Plot flow count by protocol + +- Display flow summary table + +- Display flow summary by ASN + +- Display results on map + +**Methods** + +- run: main method for notebooklet. + +- select_asns: Open an interactive dialog to choose which ASNs to + +investigate further. + +- lookup_ti_for_asn_ips: For selected ASNs, lookup Threat Intelligence + +data for the IPs belonging to those ASNs. + +- show_selected_asn_map: Show IP address locations for selected IP + +(including any threats highlighted) + +**Default Options** + +- plot_flows: Create plots of flows by protocol and direction. + +- plot_flow_values: Plot flow county by protocol. + +- flow_summary: Create a summarization of all flows and all flows + grouped by ASN. + +- resolve_host: Try to resolve the host name before other operations. + +**Other Options** + +- geo_map: Plot a map of all IP address locations in communication with + the host (see the method below for plotting selected IPs only). + +-------------- + +Display Sections +---------------- + +Host Network Summary +~~~~~~~~~~~~~~~~~~~~ + +This shows a summary of network flows for this endpoint. Data and plots +are stored in the result class returned by this function. + +Map of geographic location of selected IPs communicating with host +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Numbered circles indicate multiple items - click to expand these. +Hovering over a location shows brief details, clicking on an IP location +shows more detail. 
Location marker key - Blue = outbound - Purple = +inbound - Green = Host - Red = Threats + +Map of geographic location of all IPs communicating with host +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Numbered circles indicate multiple items - click to expand these. +Hovering over a location shows brief details, clicking on an IP location +shows more detail. Location marker key - Blue = outbound - Purple = +inbound - Green = Host + +Flow Index. +^^^^^^^^^^^ + +List of flows grouped by source, dest, protocol and direction. + +Flow Summary with ASN details. +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Gets the ASN details from WhoIs. The data shows flows grouped by source +and destination ASNs. All protocol types and all source IP addresses are +grouped into lists for each ASN. + +TI Lookup for IP Addresses in selected ASNs. +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +The remote IPs from each selected ASN are are searched for your selected +Threat Intelligence providers. Check the results to see if there are +indications of malicious activity associated with these IPs. + +Timeline of network flows quantity. +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Each protocol is plotted as a separate colored series. The vertical axis +indicates the number for flows recorded for that time slot. + +Timeline of network flows by direction. +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +I = inbound, O = outbound. + +Timeline of network flows by protocol type. +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Select the ASNs to process. +^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Choose any unusual looking ASNs that you want to examine. The remote IPs +from each selected ASN will be sent to your selected Threat Intelligence +providers to check if there are indications of malicious activity +associated with these IPs. By default, the most infrequently accessed +ASNs are selected. 
+ +-------------- + +Results Class +------------- + +NetworkFlowResult +~~~~~~~~~~~~~~~~~ + +Network Flow Details Results. + +Attributes +~~~~~~~~~~ + +- | host_entity : msticpy.data.nbtools.entities.Host + | The host entity object contains data about the host such as name, + environment, operating system version, IP addresses and Azure VM + details. Depending on the type of host, not all of this data may be + populated. + +- | network_flows : pd.DataFrame + | The raw network flows recorded for this host. + +- | plot_flows_by_protocol : Figure + | Bokeh timeline plot of flow events by protocol. + +- | plot_flows_by_direction : Figure + | Bokeh timeline plot of flow events by direction (in/out). + +- | plot_flow_values : Figure + | Bokeh values plot of flow events by protocol. + +- | flow_index : pd.DataFrame + | Summarized DataFrame of flows + +- | flow_index_data : pd.DataFrame + | Raw summary data of flows. + +- | flow_summary : pd.DataFrame + | Summarized flows grouped by ASN + +- | ti_results : pd.DataFrame + | Threat Intelligence results for selected IP Addreses. + +- | geo_map : foliummap.FoliumMap + | Folium map showing locations of all IP Addresses. + +- | geo_map_selected : foliummap.FoliumMap + | Folium map showing locations of selected IP Addresses. + +-------------- + +Methods +------- + +Instance Methods +~~~~~~~~~~~~~~~~ + +\__init_\_ +^^^^^^^^^^ + +| \__init__(self, data_providers: + Union[, NoneType] = None, \**kwargs) +| Intialize a new instance of the notebooklet class. + +lookup_ti_for_asn_ips +^^^^^^^^^^^^^^^^^^^^^ + +| lookup_ti_for_asn_ips(self) +| Lookup Threat Intel data for IPs of selected ASNs. + +run +^^^ + +| run(self, value: Any = None, data: Union[pandas.core.frame.DataFrame, + NoneType] = None, timespan: Union[msticpy.common.timespan.TimeSpan, + NoneType] = None, options: Union[Iterable[str], NoneType] = None, + \**kwargs) -> + msticnb.nb.azsent.network.network_flow_summary.NetworkFlowResult +| Return host summary data. 
+ +select_asns +^^^^^^^^^^^ + +| select_asns(self) +| Show interactive selector to choose which ASNs to process. + +show_selected_asn_map +^^^^^^^^^^^^^^^^^^^^^ + +| show_selected_asn_map(self) -> msticpy.nbtools.foliummap.FoliumMap +| Display map of IP locations for selected ASNs. + +Inherited methods +~~~~~~~~~~~~~~~~~ + +check_table_exists +^^^^^^^^^^^^^^^^^^ + +| check_table_exists(self, table: str) -> bool +| Check to see if the table exists in the provider. + +check_valid_result_data +^^^^^^^^^^^^^^^^^^^^^^^ + +| check_valid_result_data(self, attrib: str = None, silent: bool = + False) -> bool +| Check that the result is valid and ``attrib`` contains data. + +get_methods +^^^^^^^^^^^ + +| get_methods(self) -> Dict[str, Callable[[Any], Any]] +| Return methods available for this class. + +get_pivot_run +^^^^^^^^^^^^^ + +| get_pivot_run(self, get_timespan: Callable[[], + msticpy.common.timespan.TimeSpan]) +| Return Pivot-wrappable run function. + +get_provider +^^^^^^^^^^^^ + +| get_provider(self, provider_name: str) +| Return data provider for the specified name. + +list_methods +^^^^^^^^^^^^ + +| list_methods(self) -> List[str] +| Return list of methods with descriptions. + +Other Methods +~~~~~~~~~~~~~ + +all_options +^^^^^^^^^^^ + +| all_options() -> List[str] +| Return supported options for Notebooklet run function. + +default_options +^^^^^^^^^^^^^^^ + +| default_options() -> List[str] +| Return default options for Notebooklet run function. + +description +^^^^^^^^^^^ + +| description() -> str +| Return description of the Notebooklet. + +entity_types +^^^^^^^^^^^^ + +| entity_types() -> List[str] +| Entity types supported by the notebooklet. + +get_help +^^^^^^^^ + +| get_help(fmt='html') -> str +| Return HTML document for class. + +get_settings +^^^^^^^^^^^^ + +| get_settings(print_settings=True) -> Union[str, NoneType] +| Print or return metadata for class. + +import_cell +^^^^^^^^^^^ + +| import_cell() +| Import the text of this module into a new cell. 
+ +keywords +^^^^^^^^ + +| keywords() -> List[str] +| Return search keywords for Notebooklet. + +list_options +^^^^^^^^^^^^ + +| list_options() -> str +| Return options document for Notebooklet run function. + +match_terms +^^^^^^^^^^^ + +| match_terms(search_terms: str) -> Tuple[bool, int] +| Search class definition for ``search_terms``. + +name +^^^^ + +| name() -> str +| Return name of the Notebooklet. + +print_options +^^^^^^^^^^^^^ + +| print_options() +| Print options for Notebooklet run function. + +result +^^^^^^ + +result [property] Return result of the most recent notebooklet run. + +show_help +^^^^^^^^^ + +| show_help() +| Display Documentation for class. + +silent +^^^^^^ + +silent [property] Get the current instance setting for silent running. + +--------- + +``run`` function documentation +------------------------------ + +Return host summary data. + + +Parameters +~~~~~~~~~~ + + +value : str + Host entity, hostname or host IP Address + +data : Optional[pd.DataFrame], optional + Not used, by default None + +timespan : TimeSpan + Timespan over which operations such as queries will be + performed, by default None. + This can be a TimeStamp object or another object that + has valid `start`, `end`, or `period` attributes. + +options : Optional[Iterable[str]], optional + List of options to use, by default None + A value of None means use default options. + Options prefixed with "+" will be added to the default options. + To see the list of available options type `help(cls)` where + "cls" is the notebooklet class or an instance of this class. + + +Other Parameters +~~~~~~~~~~~~~~~~ + + +start : Union[datetime, datelike-string] + Alternative to specifying timespan parameter. + +end : Union[datetime, datelike-string] + Alternative to specifying timespan parameter. + + +Returns +~~~~~~~ + + +HostNetworkResult + Result object with attributes for each result type. 
+ + +Raises +~~~~~~ + + +MsticnbMissingParameterError + If required parameters are missing + + + +Default Options +~~~~~~~~~~~~~~~ + +- plot_flows: Create plots of flows by protocol and direction. +- plot_flow_values: Plot flow county by protocol. +- flow_summary: Create a summarization of all flows and all flows grouped by ASN. +- resolve_host: Try to resolve the host name before other operations. + + +Other Options +~~~~~~~~~~~~~ + +- geo_map: Plot a map of all IP address locations in communication with the host (see the method below for plotting selected IPs only). \ No newline at end of file diff --git a/docs/source/notebooklet_docs/WinHostEvents.rst b/docs/source/notebooklet_docs/WinHostEvents.rst new file mode 100644 index 0000000..8a92458 --- /dev/null +++ b/docs/source/notebooklet_docs/WinHostEvents.rst 
@@ -0,0 +1,340 @@ +Notebooklet Class - WinHostEvents +================================= + +Windows host Security Events Notebooklet class. + +Queries and displays Windows Security Events including: + +- All security events summary + +- Extracting and displaying account management events + +- Account management event timeline + +- Optionally parsing packed event data into DataFrame columns + +Process (4688) and Account Logon (4624, 4625) are not included + +in the event types processed by this module. + +**Default Options** + +- event_pivot: Display a summary of all event types. + +- acct_events: Display a summary and timeline of account management + events. + +**Other Options** + +- expand_events: parses the XML EventData column into separate + DataFrame columns. This can be very expensive with a large event set. + We recommend using the expand_events() method to select a specific + subset of events to process. + +-------------- + +Display Sections +---------------- + +Host Security Events Summary +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +This shows a summary of security events for the host. These are grouped +by EventID and Account. Data and plots are stored in the result class +returned by this function. + +Summary of Account Management Events on host +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +This shows the subset of events related to account management, for +example, creation/deletion of accounts, changes to group membership, +etc. Yellow highlights indicate account with highest event count. + +Timeline of Account Management Events on host +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Summary of Security Events on host +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +This is a summary of Security events for the host (excluding process +creation and account logon - 4688, 4624, 4625). Yellow highlights +indicate account with highest event count for an EventID. 
+ +Parsing eventdata into columns +'''''''''''''''''''''''''''''' + +This may take some time to complete for large numbers of events. Since +event types have different schema, some of the columns will not be +populated for certain Event IDs and will show as ``NaN``. + +-------------- + +Results Class +------------- + +WinHostEventsResult +~~~~~~~~~~~~~~~~~~~ + +Windows Host Security Events Results. + +Attributes +~~~~~~~~~~ + +- | all_events : pd.DataFrame + | DataFrame of all raw events retrieved. + +- | event_pivot : pd.DataFrame + | DataFrame that is a pivot table of event ID vs. Account + +- | account_events : pd.DataFrame + | DataFrame containing a subset of account management events such as + account and group modification. + +- | acct_pivot : pd.DataFrame + | DataFrame that is a pivot table of event ID vs. Account of account + management events + +- | account_timeline : Union[Figure, LayoutDOM] + | Bokeh plot figure or Layout showing the account events on an + interactive timeline. + +- | expanded_events : pd.DataFrame + | If ``expand_events`` option is specified, this will contain the + parsed/expanded EventData as individual columns. + +-------------- + +Methods +------- + +Instance Methods +~~~~~~~~~~~~~~~~ + +\__init_\_ +^^^^^^^^^^ + +| \__init__(self, data_providers: + Union[, NoneType] = None, \**kwargs) +| Intialize a new instance of the notebooklet class. + +expand_events +^^^^^^^^^^^^^ + +| expand_events(self, event_ids: Union[int, Iterable[int], NoneType] = + None) -> pandas.core.frame.DataFrame +| Expand ``EventData`` for ``event_ids`` into separate columns. + +run +^^^ + +| run(self, value: Any = None, data: Union[pandas.core.frame.DataFrame, + NoneType] = None, timespan: Union[msticpy.common.timespan.TimeSpan, + NoneType] = None, options: Union[Iterable[str], NoneType] = None, + \**kwargs) -> + msticnb.nb.azsent.host.win_host_events.WinHostEventsResult +| Return Windows Security Event summary. 
+ +Inherited methods +~~~~~~~~~~~~~~~~~ + +check_table_exists +^^^^^^^^^^^^^^^^^^ + +| check_table_exists(self, table: str) -> bool +| Check to see if the table exists in the provider. + +check_valid_result_data +^^^^^^^^^^^^^^^^^^^^^^^ + +| check_valid_result_data(self, attrib: str = None, silent: bool = + False) -> bool +| Check that the result is valid and ``attrib`` contains data. + +get_methods +^^^^^^^^^^^ + +| get_methods(self) -> Dict[str, Callable[[Any], Any]] +| Return methods available for this class. + +get_pivot_run +^^^^^^^^^^^^^ + +| get_pivot_run(self, get_timespan: Callable[[], + msticpy.common.timespan.TimeSpan]) +| Return Pivot-wrappable run function. + +get_provider +^^^^^^^^^^^^ + +| get_provider(self, provider_name: str) +| Return data provider for the specified name. + +list_methods +^^^^^^^^^^^^ + +| list_methods(self) -> List[str] +| Return list of methods with descriptions. + +Other Methods +~~~~~~~~~~~~~ + +all_options +^^^^^^^^^^^ + +| all_options() -> List[str] +| Return supported options for Notebooklet run function. + +default_options +^^^^^^^^^^^^^^^ + +| default_options() -> List[str] +| Return default options for Notebooklet run function. + +description +^^^^^^^^^^^ + +| description() -> str +| Return description of the Notebooklet. + +entity_types +^^^^^^^^^^^^ + +| entity_types() -> List[str] +| Entity types supported by the notebooklet. + +get_help +^^^^^^^^ + +| get_help(fmt='html') -> str +| Return HTML document for class. + +get_settings +^^^^^^^^^^^^ + +| get_settings(print_settings=True) -> Union[str, NoneType] +| Print or return metadata for class. + +import_cell +^^^^^^^^^^^ + +| import_cell() +| Import the text of this module into a new cell. + +keywords +^^^^^^^^ + +| keywords() -> List[str] +| Return search keywords for Notebooklet. + +list_options +^^^^^^^^^^^^ + +| list_options() -> str +| Return options document for Notebooklet run function. 
+ +match_terms +^^^^^^^^^^^ + +| match_terms(search_terms: str) -> Tuple[bool, int] +| Search class definition for ``search_terms``. + +name +^^^^ + +| name() -> str +| Return name of the Notebooklet. + +print_options +^^^^^^^^^^^^^ + +| print_options() +| Print options for Notebooklet run function. + +result +^^^^^^ + +result [property] Return result of the most recent notebooklet run. + +show_help +^^^^^^^^^ + +| show_help() +| Display Documentation for class. + +silent +^^^^^^ + +silent [property] Get the current instance setting for silent running. + +--------- + +``run`` function documentation +------------------------------ + +Return Windows Security Event summary. + + +Parameters +~~~~~~~~~~ + + +value : str + Host name + +data : Optional[pd.DataFrame], optional + Not used, by default None + +timespan : TimeSpan + Timespan over which operations such as queries will be + performed, by default None. + This can be a TimeStamp object or another object that + has valid `start`, `end`, or `period` attributes. + +options : Optional[Iterable[str]], optional + List of options to use, by default None. + A value of None means use default options. + Options prefixed with "+" will be added to the default options. + To see the list of available options type `help(cls)` where + "cls" is the notebooklet class or an instance of this class. + + +Other Parameters +~~~~~~~~~~~~~~~~ + + +start : Union[datetime, datelike-string] + Alternative to specifying timespan parameter. + +end : Union[datetime, datelike-string] + Alternative to specifying timespan parameter. + + +Returns +~~~~~~~ + + +HostSummaryResult + Result object with attributes for each result type. + + +Raises +~~~~~~ + + +MsticnbMissingParameterError + If required parameters are missing + + + +Default Options +~~~~~~~~~~~~~~~ + +- event_pivot: Display a summary of all event types. +- acct_events: Display a summary and timeline of account management events. 
+
+
+Other Options
+~~~~~~~~~~~~~
+
+- expand_events: parses the XML EventData column into separate DataFrame columns. This can be very expensive with a large event set. We recommend using the expand_events() method to select a specific subset of events to process.
\ No newline at end of file
diff --git a/docs/source/notebooklets.rst b/docs/source/notebooklets_summary.rst
similarity index 95%
rename from docs/source/notebooklets.rst
rename to docs/source/notebooklets_summary.rst
index 794d838..f52eb5b 100644
--- a/docs/source/notebooklets.rst
+++ b/docs/source/notebooklets_summary.rst
@@ -1,5 +1,5 @@
-Notebooklets
-============
+Notebooklets Overview
+=====================
 What are notebooklets?
@@ -265,7 +265,19 @@ Queries and displays Windows Security Events including:
 Process (4688) and Account Logon (4624, 4625) are not included
 in the event types processed by this module.
- 
+
+IpAddressSummary
+----------------
+
+Retrieves common data about an IP Address including:
+
+- Tries to determine IP address is external or internal (i.e. owned by the organization)
+- Azure Heartbeat, Network Analytics or VMComputer records
+- Geo-IP and Whois data
+- Threat intel reports
+- Related alerts and hunting bookmarks
+- Network flows involving IP address
+- Azure activity (e.g. sign-ins) originating from IP address
 NetworkFlowSummary
 ------------------
diff --git a/msticnb/nb/azsent/network/ip_summary.yaml b/msticnb/nb/azsent/network/ip_summary.yaml
index 7082ad1..8e34f11 100644
--- a/msticnb/nb/azsent/network/ip_summary.yaml
+++ b/msticnb/nb/azsent/network/ip_summary.yaml
@@ -35,6 +35,7 @@ output:
   get_az_netflow:
     title: Azure network analytics netflow data for IP.
     text:
+      (only available for if Azure network analytics net flow enabled.)
      This is is a list of netflow events for the IP.
      Timeline by protocol is available in the `result.az_network_flows_timeline` property
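Review bot: The added `text:` line reads `(only available for if Azure network analytics net flow enabled.)`, where "for if" looks like a leftover from rewording; `(only available if Azure network analytics net flow is enabled.)` reads cleanly. The same wording is added for `netflow_summary` in the next hunk of this file, and it appears verbatim in the generated IpAddressSummary.rst earlier in this patch, so the yaml seems to be the place to fix it rather than the rst. The neighbouring context line `This is is a list of netflow events for the IP.` carries a doubled word as well, if it is being touched anyway.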
@@ -58,9 +59,12 @@ output: text: (only available for Azure VMs) get_az_activity: title: Azure Sign-ins and audit activity from IP Address + text: (only available for Azure) get_office_activity: title: Office 365 operations summary from IP Address + text: (only available for Office 365) get_public_ip_data: title: Public IP data (GeoIP, ThreatIntel, Passive DNS, VPS membership) netflow_summary: title: Summary of network flow data for this IP Address + text: (only available for if Azure network analytics net flow enabled.) diff --git a/msticnb/nb_pivot.py b/msticnb/nb_pivot.py index 1b7201c..9127dcb 100644 --- a/msticnb/nb_pivot.py +++ b/msticnb/nb_pivot.py @@ -44,7 +44,10 @@ def add_pivot_funcs(pivot: Pivot = None, **kwargs): """ if not pivot: - pivot = Pivot.current or Pivot(**kwargs) + piv_kwargs = { + key: arg for key, arg in kwargs.items() if key in ("namespace", "providers") + } + pivot = Pivot.current or Pivot(**piv_kwargs) for nb_name, nb_class in nblts.iter_classes(): if not issubclass(nb_class, Notebooklet) or nb_name == "TemplateNB": continue From 631a57d1d62437d926f968bb515f0c6c7c7c7bb8 Mon Sep 17 00:00:00 2001 From: Ian Hellen Date: Mon, 3 May 2021 07:57:03 -0700 Subject: [PATCH 03/10] Fixing docstring in ip_summary --- msticnb/nb/azsent/network/ip_summary.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/msticnb/nb/azsent/network/ip_summary.py b/msticnb/nb/azsent/network/ip_summary.py index 7d16d51..150c2a7 100644 --- a/msticnb/nb/azsent/network/ip_summary.py +++ b/msticnb/nb/azsent/network/ip_summary.py @@ -190,7 +190,7 @@ def run( **kwargs, ) -> IpSummaryResult: """ - Return XYZ summary. + Return IP Address activity summary. Parameters ---------- From e3bc125665afa18aade587385ec8500a1fb130c6 Mon Sep 17 00:00:00 2001 
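Review bot: The new `piv_kwargs` comprehension silently discards every keyword except `namespace` and `providers` before constructing `Pivot`, and nothing in the hunk says so, so a caller passing other arguments through `add_pivot_funcs` gets neither an error nor a hint. A one-line comment above it would make the contract explicit, e.g. `# Pivot() only takes namespace/providers; any other kwargs are ignored here`, and the `kwargs` entry in the function docstring (outside this hunk) should state the same. Note that when `Pivot.current` is already set the filtered arguments are not used at all, which is pre-existing but deserves a sentence in that docstring too. `add_pivot_funcs` begins before this hunk.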
From: Ian Hellen Date: Mon, 3 May 2021 19:24:33 -0700 Subject: [PATCH 04/10] Logon session rarity notebooklet. --- docs/source/nb_doc_details.rst | 1 + .../notebooklet_docs/LogonSessionsRarity.rst | 297 ++++++++++++++++ msticnb/common.py | 4 +- .../nb/azsent/host/logon_session_rarity.py | 336 ++++++++++++++++++ .../nb/azsent/host/logon_session_rarity.yaml | 34 ++ msticnb/nb_metadata.py | 43 ++- .../azsent/host/test_logon_session_rarity.py | 42 +++ tests/test_nb_pivot.py | 3 +- tests/test_notebooklet.py | 4 +- 9 files changed, 743 insertions(+), 21 deletions(-) create mode 100644 docs/source/notebooklet_docs/LogonSessionsRarity.rst create mode 100644 msticnb/nb/azsent/host/logon_session_rarity.py create mode 100644 msticnb/nb/azsent/host/logon_session_rarity.yaml create mode 100644 tests/nb/azsent/host/test_logon_session_rarity.py diff --git a/docs/source/nb_doc_details.rst b/docs/source/nb_doc_details.rst index 7b04695..a9ac3a4 100644 --- a/docs/source/nb_doc_details.rst +++ b/docs/source/nb_doc_details.rst @@ -8,6 +8,7 @@ Notebooklets Details notebooklet_docs/EnrichAlerts.rst notebooklet_docs/HostLogonsSummary.rst notebooklet_docs/HostSummary.rst + notebooklet_docs/LogonSessionsRarity notebooklet_docs/IpAddressSummary.rst notebooklet_docs/NetworkFlowSummary.rst notebooklet_docs/WinHostEvents.rst \ No newline at end of file diff --git a/docs/source/notebooklet_docs/LogonSessionsRarity.rst b/docs/source/notebooklet_docs/LogonSessionsRarity.rst new file mode 100644 index 0000000..c8deaea --- /dev/null +++ b/docs/source/notebooklet_docs/LogonSessionsRarity.rst 
@@ -0,0 +1,297 @@ +Notebooklet Class - LogonSessionsRarity +======================================= + +Calculates the relative rarity of logon sessions. + +It clusters the data based on process, command line and account. + +Then calculates the rarity of the process pattern. + +Then returns a result containing a summary of the logon sessions by +rarity. + +To see the methods available for the class and result class, run + +cls.list_methods() + +**Default Options** + +None + +**Other Options** + +None + +-------------- + +Display Sections +---------------- + +Calculate process rarity statistics for logon sessions +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +This first transforms the input data into features suitable for a +clustering algorithm. It then clusters the data based on process, +command line and account and calculates the rarity of the process +pattern. It returns a result containing a summary of the logon sessions +along with full results of the clustering. Methods available to view +this data graphically include - list_sessions_by_rarity - table of +sessions ordered by degree of rarity - plot_sessions_by_rarity - +timeline plot of processes grouped by account and showing relative +rarity of each process. - process_tree - a process tree of all processes +or processes belonging to a single account. + +-------------- + +Results Class +------------- + +LogonSessionsRarityResult +~~~~~~~~~~~~~~~~~~~~~~~~~ + +Logon Sessions rarity. + +Attributes +~~~~~~~~~~ + +- | process_clusters : pd.DataFrame + | Process clusters based on account, process, commandline. + +- | processes_with_cluster : pd.DataFrame + | Merged data with rarity value assigned to each process event. + +- | session_rarity: pd.DataFrame + | List of sessions with averaged process rarity. + +-------------- + +Methods +------- + +Instance Methods +~~~~~~~~~~~~~~~~ + +\__init_\_ +^^^^^^^^^^ + +| \__init__(self, \**kwargs) +| Initialize instance of LogonSessionRarity. 
+ +list_sessions_by_rarity +^^^^^^^^^^^^^^^^^^^^^^^ + +| list_sessions_by_rarity(self) +| Display sessions by process rarity. + +plot_sessions_by_rarity +^^^^^^^^^^^^^^^^^^^^^^^ + +| plot_sessions_by_rarity(self) +| Display timeline plot of processes by rarity. + +process_tree +^^^^^^^^^^^^ + +| process_tree(self, account: Union[str, NoneType] = None) +| Display process tree of processes by rarity. + +run +^^^ + +| run(self, value: Any = None, data: Union[pandas.core.frame.DataFrame, + NoneType] = None, timespan: Union[msticpy.common.timespan.TimeSpan, + NoneType] = None, options: Union[Iterable[str], NoneType] = None, + \**kwargs) -> + msticnb.nb.azsent.host.logon_session_rarity.LogonSessionsRarityResult +| Calculate Logon sessions ordered by process rarity summary. + +Inherited methods +~~~~~~~~~~~~~~~~~ + +check_table_exists +^^^^^^^^^^^^^^^^^^ + +| check_table_exists(self, table: str) -> bool +| Check to see if the table exists in the provider. + +check_valid_result_data +^^^^^^^^^^^^^^^^^^^^^^^ + +| check_valid_result_data(self, attrib: str = None, silent: bool = + False) -> bool +| Check that the result is valid and ``attrib`` contains data. + +get_methods +^^^^^^^^^^^ + +| get_methods(self) -> Dict[str, Callable[[Any], Any]] +| Return methods available for this class. + +get_pivot_run +^^^^^^^^^^^^^ + +| get_pivot_run(self, get_timespan: Callable[[], + msticpy.common.timespan.TimeSpan]) +| Return Pivot-wrappable run function. + +get_provider +^^^^^^^^^^^^ + +| get_provider(self, provider_name: str) +| Return data provider for the specified name. + +list_methods +^^^^^^^^^^^^ + +| list_methods(self) -> List[str] +| Return list of methods with descriptions. + +Other Methods +~~~~~~~~~~~~~ + +all_options +^^^^^^^^^^^ + +| all_options() -> List[str] +| Return supported options for Notebooklet run function. + +default_options +^^^^^^^^^^^^^^^ + +| default_options() -> List[str] +| Return default options for Notebooklet run function. 
+ +description +^^^^^^^^^^^ + +| description() -> str +| Return description of the Notebooklet. + +entity_types +^^^^^^^^^^^^ + +| entity_types() -> List[str] +| Entity types supported by the notebooklet. + +get_help +^^^^^^^^ + +| get_help(fmt='html') -> str +| Return HTML document for class. + +get_settings +^^^^^^^^^^^^ + +| get_settings(print_settings=True) -> Union[str, NoneType] +| Print or return metadata for class. + +import_cell +^^^^^^^^^^^ + +| import_cell() +| Import the text of this module into a new cell. + +keywords +^^^^^^^^ + +| keywords() -> List[str] +| Return search keywords for Notebooklet. + +list_options +^^^^^^^^^^^^ + +| list_options() -> str +| Return options document for Notebooklet run function. + +match_terms +^^^^^^^^^^^ + +| match_terms(search_terms: str) -> Tuple[bool, int] +| Search class definition for ``search_terms``. + +name +^^^^ + +| name() -> str +| Return name of the Notebooklet. + +print_options +^^^^^^^^^^^^^ + +| print_options() +| Print options for Notebooklet run function. + +result +^^^^^^ + +result [property] Return result of the most recent notebooklet run. + +show_help +^^^^^^^^^ + +| show_help() +| Display Documentation for class. + +silent +^^^^^^ + +silent [property] Get the current instance setting for silent running. + +--------- + +``run`` function documentation +------------------------------ + +Calculate Logon sessions ordered by process rarity summary. + + +Parameters +~~~~~~~~~~ + + +value : str + Not used + +data : Optional[pd.DataFrame], optional + Process event data. + +timespan : TimeSpan + Not used + +options : Optional[Iterable[str]], optional + List of options to use, by default None. + A value of None means use default options. + Options prefixed with "+" will be added to the default options. + To see the list of available options type `help(cls)` where + "cls" is the notebooklet class or an instance of this class. + + +Returns +~~~~~~~ + + +LogonSessionsRarityResult + LogonSessionsRarityResult. 
+ + +Raises +~~~~~~ + + +MsticnbMissingParameterError + If required parameters are missing + + + +Default Options +~~~~~~~~~~~~~~~ + + +None + + +Other Options +~~~~~~~~~~~~~ + + +None \ No newline at end of file diff --git a/msticnb/common.py b/msticnb/common.py index 30232e7..053f9d0 100644 --- a/msticnb/common.py +++ b/msticnb/common.py @@ -68,7 +68,7 @@ def iter_classes(self) -> Iterable[Tuple[str, Any]]: yield key, val -def nb_print(*args): +def nb_print(*args, **kwargs): """ Print output but suppress if "silent". @@ -79,7 +79,7 @@ def nb_print(*args): """ if get_opt("verbose") and not get_opt("silent"): - print(*args) + print(*args, **kwargs) def nb_data_wait(source: str): diff --git a/msticnb/nb/azsent/host/logon_session_rarity.py b/msticnb/nb/azsent/host/logon_session_rarity.py new file mode 100644 index 0000000..5c08a03 --- /dev/null +++ b/msticnb/nb/azsent/host/logon_session_rarity.py 
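Review bot: `nb_print` now forwards `**kwargs` to `print` (second hunk), but the docstring that sits between the two hunks, whose Parameters section is not shown here, does not mention them. Adding an entry such as `**kwargs : Keyword arguments passed through to builtin print (e.g. end="")` would document the new surface. Because the forwarding only happens inside `if get_opt("verbose") and not get_opt("silent"):`, an unsupported keyword raises TypeError from `print` only when output is enabled and goes unnoticed in silent mode; that is acceptable for a display helper but is worth a sentence in the same docstring.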
@@ -0,0 +1,336 @@ +# ------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for +# license information. +# -------------------------------------------------------------------------- +"""Logon sessions rarity analysis.""" +from typing import Any, Dict, Iterable, Optional + +import pandas as pd +from msticpy.common.timespan import TimeSpan +from msticpy.sectools.eventcluster import dbcluster_events, delim_count, char_ord_score + +from .... import nb_metadata +from ...._version import VERSION +from ....common import ( + MsticnbMissingParameterError, + nb_display, + nb_markdown, + nb_print, + set_text, +) +from ....notebooklet import NBMetadata, Notebooklet, NotebookletResult + +__version__ = VERSION +__author__ = "Ian Hellen" + + +# Read module metadata from YAML +_CLS_METADATA: NBMetadata +_CELL_DOCS: Dict[str, Any] +_CLS_METADATA, _CELL_DOCS = nb_metadata.read_mod_metadata(__file__, __name__) + + +# pylint: disable=too-few-public-methods +# Rename this class +class LogonSessionsRarityResult(NotebookletResult): + """ + Logon Sessions rarity. + + Attributes + ---------- + process_clusters : pd.DataFrame + Process clusters based on account, process, commandline. + processes_with_cluster : pd.DataFrame + Merged data with rarity value assigned to each process event. + session_rarity: pd.DataFrame + List of sessions with averaged process rarity. + + """ + + def __init__( + self, + description: Optional[str] = None, + timespan: Optional[TimeSpan] = None, + notebooklet: Optional["Notebooklet"] = None, + ): + """ + Create new Notebooklet result instance. 
+ + Parameters + ---------- + description : Optional[str], optional + Result description, by default None + timespan : Optional[TimeSpan], optional + TimeSpan for the results, by default None + notebooklet : Optional[, optional + Originating notebooklet, by default None + + """ + super().__init__(description, timespan, notebooklet) + self.description: str = "Windows Host Security Events" + + # Add attributes as needed here. + # Make sure they are documented in the Attributes section + # above. + self.process_clusters: pd.DataFrame = None + self.processes_with_cluster: pd.DataFrame = None + self.session_rarity: pd.DataFrame = None + + +# pylint: enable=too-few-public-methods + + +# Rename this class +class LogonSessionsRarity(Notebooklet): + """ + Calculates the relative rarity of logon sessions. + + It clusters the data based on process, command line and account. + Then calculates the rarity of the process pattern. + Then returns a result containing a summary of the logon sessions by rarity. + + To see the methods available for the class and result class, run + cls.list_methods() + + """ + + # assign metadata from YAML to class variable + metadata = _CLS_METADATA + __doc__ = nb_metadata.update_class_doc(__doc__, metadata) + _cell_docs = _CELL_DOCS + + def __init__(self, **kwargs): + """Initialize instance of LogonSessionRarity.""" + super().__init__(**kwargs) + self.column_map = {} + + # @set_text decorator will display the title and text every time + # this method is run. + # The key value refers to an entry in the `output` section of + # the notebooklet yaml file. + @set_text(docs=_CELL_DOCS, key="run") + def run( + self, + value: Any = None, + data: Optional[pd.DataFrame] = None, + timespan: Optional[TimeSpan] = None, + options: Optional[Iterable[str]] = None, + **kwargs, + ) -> LogonSessionsRarityResult: + """ + Calculate Logon sessions ordered by process rarity summary. 
+ + Parameters + ---------- + value : str + Not used + data : Optional[pd.DataFrame], optional + Process event data. + timespan : TimeSpan + Not used + options : Optional[Iterable[str]], optional + List of options to use, by default None. + A value of None means use default options. + Options prefixed with "+" will be added to the default options. + To see the list of available options type `help(cls)` where + "cls" is the notebooklet class or an instance of this class. + + Returns + ------- + LogonSessionsRarityResult + LogonSessionsRarityResult. + + Raises + ------ + MsticnbMissingParameterError + If required parameters are missing + + """ + # This line use logic in the superclass to populate options + # (including default options) into this class. + super().run( + value=value, data=data, timespan=timespan, options=options, **kwargs + ) + + if data is None: + raise MsticnbMissingParameterError("data") + + # Create a result class + result = LogonSessionsRarityResult( + notebooklet=self, description=self.metadata.description, timespan=timespan + ) + + self.column_map = _get_column_map(data) + feat_data, cols = _add_session_features(data=data, column_map=self.column_map) + result.process_clusters = _cluster_sessions( + data=feat_data, columns=list(cols.keys()) + ) + ( + result.processes_with_cluster, + result.session_rarity, + ) = _merge_cluster_with_procs( + data=data, + clustered_data=result.process_clusters, + merge_cols=list(cols.values()), + column_map=self.column_map, + ) + + self._last_result = result # pylint: disable=attribute-defined-outside-init + nb_markdown("

View the returned results object for more details.

") + nb_markdown( + f"Additional methods for this class:
{'
'.join(self.list_methods())}" + ) + return self._last_result + + def list_sessions_by_rarity(self): + """Display sessions by process rarity.""" + if self.check_valid_result_data("session_rarity"): + nb_display( + self._last_result.session_rarity.sort_values( + "MeanRarity", ascending=False + ).style.bar(subset=["MeanRarity"], color="#d65f5f") + ) + + def plot_sessions_by_rarity(self): + """Display timeline plot of processes by rarity.""" + if self.check_valid_result_data("processes_with_cluster"): + data = self._last_result.processes_with_cluster + acct_col = self.column_map.get(COL_ACCT) + data.mp_timeline.plot_values( + y="Rarity", + group_by=acct_col, + height=600, + kind=["vbar", "circle"], + source_columns=[self.column_map[COL_PROC], self.column_map[COL_CMD]], + ) + + def process_tree(self, account: Optional[str] = None): + """Display process tree of processes by rarity.""" + if self.check_valid_result_data("processes_with_cluster"): + if not account: + self._last_result.processes_with_cluster.mp_process_tree.plot( + legend_col="Rarity" + ) + else: + acct_col = self.column_map.get(COL_ACCT) + data = self._last_result.processes_with_cluster + data = data[data[acct_col] == account] + data.mp_process_tree.plot(legend_col="Rarity") + + +# % +# Get the column mapping for the data +COL_ACCT = "acct" +COL_TS = "timestamp" +COL_PROC = "process_name" +COL_CMD = "command" +COL_SESS = "sess" + + +def _find_column(data, column_opts, default=None): + for col in column_opts: + if col in data.columns: + return col + return default + + +def _get_column_map(data): + return { + COL_ACCT: _find_column(data, ["Account", "SubjectLogonName", "acct", "uid"]), + COL_TS: _find_column(data, ["TimeGenerated", "EventStartTime", "TimeStamp"]), + COL_CMD: _find_column(data, ["CommandLine", "cmd"]), + COL_PROC: _find_column(data, ["NewProcessName", "exe"]), + COL_SESS: _find_column(data, ["SubjectLogonId", "ses"]), + } + + +CMD_LINE_TOKS = "CommandlineTokensFull" +PATH_SCORE = "PathScore" 
+ACCT_NUM = "AccountNum" +SYS_SESS = "IsSystemSession" +CLUSTER_COLUMNS = [CMD_LINE_TOKS, PATH_SCORE, ACCT_NUM, SYS_SESS] + + +# %% +def _add_session_features(data, column_map: Dict[str, str]): + """Create clustering features.""" + nb_markdown(f"Input data: {len(data)} events") + nb_markdown("Extracting features...", end="") + data = data.copy() + + cluster_cols = {} + proc_name = column_map.get(COL_PROC) + if proc_name: + cluster_cols[PATH_SCORE] = proc_name + data[PATH_SCORE] = data.apply(lambda x: char_ord_score(x[proc_name]), axis=1) + nb_print(".", end="") + cmd_line = column_map.get("command", "CommandLine") + if cmd_line: + cluster_cols[CMD_LINE_TOKS] = cmd_line + data[CMD_LINE_TOKS] = data.apply(lambda x: delim_count(x[cmd_line]), axis=1) + nb_print(".", end="") + acct = column_map.get("account", "Account") + if acct: + cluster_cols[ACCT_NUM] = acct + data[ACCT_NUM] = data.apply(lambda x: char_ord_score(x[acct]), axis=1) + nb_print(".", end="") + sess = column_map.get("logon_id", "SubjectLogonId") + if sess: + cluster_cols[SYS_SESS] = sess + data[SYS_SESS] = data[sess].isin(["0x3e7", "-1"]) + nb_markdown("done.") + return data, cluster_cols + + +def _cluster_sessions(data, columns=None): + """Cluster data using DBSCAN.""" + # you might need to play around with the max_cluster_distance parameter. + # decreasing this gives more clusters. 
+ columns = columns or CLUSTER_COLUMNS + nb_markdown("Clustering...") + (clus_events, _, _) = dbcluster_events( + data=data, + cluster_columns=columns, + max_cluster_distance=0.0001, + ) + nb_markdown("done") + nb_markdown(f"Number of input events: {len(data)}") + nb_markdown(f"Number of clustered events: {len(clus_events)}") + return clus_events + + +def _merge_cluster_with_procs(data, clustered_data, merge_cols, column_map): + """Merge clustered data with original.""" + nb_markdown("Merging with source data and computing rarity...") + + merge_cols = merge_cols or CLUSTER_COLUMNS + # Join the clustered results back to the original process frame + procs_with_cluster = data.merge( + clustered_data[[*merge_cols, "ClusterSize"]], + on=merge_cols, + ) + + # Compute Process pattern Rarity = inverse of cluster size + procs_with_cluster["Rarity"] = 1 / procs_with_cluster["ClusterSize"] + + # count the number of processes for each logon ID + sess = column_map.get("logon_id", "SubjectLogonId") + acct = column_map.get("account", "Account") + timestamp = column_map.get("timestamp", "TimeGenerated") + session_rarity = ( + procs_with_cluster.groupby([acct, sess]) + .agg( + MeanRarity=pd.NamedAgg("Rarity", "mean"), + MaxRarity=pd.NamedAgg("Rarity", "max"), + ProcessCount=pd.NamedAgg(timestamp, "count"), + ) + .reset_index() + ) + + nb_markdown("done") + # Display the results + nb_markdown("

Sessions ordered by process rarity", "large, bold") + nb_markdown("Higher score indicates higher number of unusual processes") + + return procs_with_cluster, session_rarity diff --git a/msticnb/nb/azsent/host/logon_session_rarity.yaml b/msticnb/nb/azsent/host/logon_session_rarity.yaml new file mode 100644 index 0000000..e094c2e --- /dev/null +++ b/msticnb/nb/azsent/host/logon_session_rarity.yaml @@ -0,0 +1,34 @@ +metadata: + name: LogonSessionRarity + description: Calculates sessions with most unusual process activity. + default_options: + other_options: + keywords: + - host + - computer + - logon + - windows + - linux + entity_types: + - host + req_providers: +output: + run: + title: Calculate process rarity statistics for logon sessions + hd_level: 1 + text: + This first transforms the input data into features suitable + for a clustering algorithm. + + It then clusters the data based on process, command line and account + and calculates the rarity of the process pattern. + + It returns a result containing a summary of the logon sessions + along with full results of the clustering. Methods available to view + this data graphically include + - list_sessions_by_rarity - table of sessions ordered by degree of rarity + - plot_sessions_by_rarity - timeline plot of processes grouped by + account and showing relative rarity of each process. + - process_tree - a process tree of all processes or processes belonging + to a single account. + md: True diff --git a/msticnb/nb_metadata.py b/msticnb/nb_metadata.py index bac3c05..448333c 100644 --- a/msticnb/nb_metadata.py +++ b/msticnb/nb_metadata.py 
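Review bot: `_add_session_features` and `_merge_cluster_with_procs` read the account and session columns with `column_map.get("account", "Account")` and `column_map.get("logon_id", "SubjectLogonId")`, but `_get_column_map` stores those entries under `COL_ACCT` (`"acct"`) and `COL_SESS` (`"sess"`), so the lookups always fall through to the hard-coded defaults and a frame whose columns were mapped from `uid` or `ses` raises KeyError at `data[acct]`. Using the constants, `acct = column_map.get(COL_ACCT)` and `sess = column_map.get(COL_SESS)` (and the same two keys in `_merge_cluster_with_procs`), makes the mapping actually apply; `COL_CMD` and `COL_TS` already match their keys. `LogonSessionsRarityResult.__init__` also assigns `self.description = "Windows Host Security Events"` right after `super().__init__(description, ...)`, which looks like a template leftover and, assuming the base class stores the passed description, clobbers the `description=self.metadata.description` that `run` supplies; the two `# Rename this class` comments are leftovers as well. Finally, `nb_markdown("Extracting features...", end="")` passes `end` to a helper that, unlike `nb_print`, is not given `**kwargs` in this patch series, so confirm `nb_markdown` accepts it.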
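Review bot: `metadata.name` is `LogonSessionRarity` while the class in `logon_session_rarity.py` and the new doc page are both `LogonSessionsRarity`; if the metadata name is used for lookup, search or help output the singular form will not match, so `name: LogonSessionsRarity` keeps the three consistent. `default_options`, `other_options` and `req_providers` are left as bare keys, which YAML loads as null rather than as empty lists, and that null is what the new guards in `nb_metadata.py` in this same patch have to compensate for; writing `[]` here would make the intent explicit and remove the need for those guards.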
@@ -50,16 +50,18 @@ def __str__(self): def all_options(self) -> List[str]: """Return combination of default and other options.""" opts = [] - for opt in self.default_options: - if isinstance(opt, str): - opts.append(opt) - elif isinstance(opt, dict): - opts.append(next(iter(opt.keys()))) - for opt in self.other_options: - if isinstance(opt, str): - opts.append(opt) - elif isinstance(opt, dict): - opts.append(next(iter(opt.keys()))) + if self.default_options: + for opt in self.default_options: + if isinstance(opt, str): + opts.append(opt) + elif isinstance(opt, dict): + opts.append(next(iter(opt.keys()))) + if self.other_options: + for opt in self.other_options: + if isinstance(opt, str): + opts.append(opt) + elif isinstance(opt, dict): + opts.append(next(iter(opt.keys()))) return sorted(opts) def get_options(self, option_set: str = "all") -> List[Tuple[str, Optional[str]]]: @@ -79,13 +81,13 @@ def get_options(self, option_set: str = "all") -> List[Tuple[str, Optional[str]] """ opt_list: List[Tuple[str, Optional[str]]] = [] - if option_set.casefold() in ["all", "default"]: + if option_set.casefold() in ["all", "default"] and self.default_options: for opt in self.default_options: if isinstance(opt, str): opt_list.append((opt, None)) elif isinstance(opt, dict): opt_list.extend(opt.items()) - if option_set.casefold() in ["all", "other"]: + if option_set.casefold() in ["all", "other"] and self.other_options: for opt in self.other_options: if isinstance(opt, str): opt_list.append((opt, None)) 
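Review bot: The two guarded loops in `all_options` are now identical apart from the list they walk, and `get_options` in the second hunk repeats the same `isinstance` branching a third time; a single loop over the concatenation, `for opt in [*(self.default_options or []), *(self.other_options or [])]:`, removes the duplication together with the `if self.default_options:` / `if self.other_options:` guards. The `and self.default_options` / `and self.other_options` conditions added to `get_options` exist only because the YAML may load these attributes as None; normalising them to empty lists once, where the metadata object is built (outside these hunks), would let both methods drop the guards entirely. `__str__` and the remainder of `get_options` are outside the hunks.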
@@ -96,15 +98,24 @@ def get_options(self, option_set: str = "all") -> List[Tuple[str, Optional[str]] @property def options_doc(self) -> str: """Return list of options and documentation.""" + def_options = self.get_options("default") + opt_list = [ "", " Default Options", " ---------------", - *[f" - {key}: {value}" for key, value in self.get_options("default")], - "", - " Other Options", - " -------------", ] + if def_options: + opt_list.extend([f" - {key}: {value}" for key, value in def_options]) + else: + opt_list.append(" None") + opt_list.extend( + [ + "", + " Other Options", + " -------------", + ] + ) if self.get_options("other"): opt_list.extend( diff --git a/tests/nb/azsent/host/test_logon_session_rarity.py b/tests/nb/azsent/host/test_logon_session_rarity.py new file mode 100644 index 0000000..fc334a5 --- /dev/null +++ b/tests/nb/azsent/host/test_logon_session_rarity.py 
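Review bot: `options_doc` now hoists `def_options = self.get_options("default")` but still calls `self.get_options("other")` inline for the second section (the `if self.get_options("other"):` at the end of the hunk, whose body is outside it); a symmetric `other_options = self.get_options("other")` next to `def_options` reads better and avoids the repeated call. The "Default Options" section now renders `None` when the list is empty, which matches the generated docs in this patch, so the property docstring could say `Return list of options and documentation ("None" for an empty section).`.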
@@ -0,0 +1,42 @@ +# ------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for +# license information. +# -------------------------------------------------------------------------- +"""Test the nb_template class.""" +# from contextlib import redirect_stdout +from pathlib import Path + +import pandas as pd +import pytest_check as check +from msticnb import nblts +from msticnb import data_providers + +from ....unit_test_lib import TEST_DATA_PATH, GeoIPLiteMock + +# pylint: disable=no-member + + +def test_logon_session_rarity_notebooklet(monkeypatch): + """Test basic run of notebooklet.""" + monkeypatch.setattr(data_providers, "GeoLiteLookup", GeoIPLiteMock) + test_data = str(Path(TEST_DATA_PATH).absolute()) + data_providers.init( + query_provider="LocalData", + LocalData_data_paths=[test_data], + LocalData_query_paths=[test_data], + ) + d_path = Path(TEST_DATA_PATH).joinpath("processes_on_host.pkl") + raw_data = pd.read_pickle(d_path) + filt_sess = raw_data[raw_data["Account"] == "MSTICAlertsWin1\\MSTICAdmin"] + data = pd.concat([raw_data.iloc[:1000], filt_sess]) + + test_nb = nblts.azsent.host.LogonSessionsRarity() + + result = test_nb.run(data=data) + check.is_instance(result.process_clusters, pd.DataFrame) + check.is_instance(result.processes_with_cluster, pd.DataFrame) + check.is_instance(result.session_rarity, pd.DataFrame) + result.list_sessions_by_rarity() + result.plot_sessions_by_rarity() + result.process_tree(account="MSTICAlertsWin1\\MSTICAdmin") diff --git a/tests/test_nb_pivot.py b/tests/test_nb_pivot.py index e3bac2b..0014a36 100644 --- a/tests/test_nb_pivot.py +++ b/tests/test_nb_pivot.py 
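Review bot: The last three lines call `result.list_sessions_by_rarity()`, `result.plot_sessions_by_rarity()` and `result.process_tree(...)` on the `LogonSessionsRarityResult`, but those methods are defined on the `LogonSessionsRarity` notebooklet held in `test_nb`, so unless `NotebookletResult` forwards unknown attributes to its originating notebooklet these calls raise AttributeError; `test_nb.list_sessions_by_rarity()` and so on is the API the notebooklet exposes. The module docstring `"""Test the nb_template class."""` and the commented-out `redirect_stdout` import are template leftovers. The test only asserts the types of the three frames; checking that `result.session_rarity` is non-empty and has the `MeanRarity` column the display methods rely on would exercise the column-mapping path.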
@@ -66,7 +66,6 @@ def test_add_pivot_funcs(_init_pivot, ent_name, funcs, test_val): @pytest.mark.parametrize("ent_name, funcs, test_val", _EXPECTED_FUNCS) def test_run_pivot_funcs(_init_pivot, ent_name, funcs, test_val): """Test running notebooklets run functions.""" - del funcs add_pivot_funcs(_init_pivot) entity = getattr(entities, ent_name) @@ -74,6 +73,8 @@ def test_run_pivot_funcs(_init_pivot, ent_name, funcs, test_val): check.is_true(hasattr(entity, "nblt")) container = getattr(entity, "nblt") for _, p_func in container: + if p_func.__name__ not in funcs: + continue check.is_true(callable(p_func)) result = p_func(value=test_val) test_result = result[0] if isinstance(result, list) else result diff --git a/tests/test_notebooklet.py b/tests/test_notebooklet.py index 6c2aaea..40bc8af 100644 --- a/tests/test_notebooklet.py +++ b/tests/test_notebooklet.py @@ -132,8 +132,8 @@ def test_class_methods(): for _, nblt in nblts.iter_classes(): check.is_not_none(nblt.description()) check.is_not_none(nblt.name()) - check.greater(len(nblt.all_options()), 0) - check.greater(len(nblt.default_options()), 0) + all_opts = len(nblt.all_options()) + check.greater_equal(all_opts, len(nblt.default_options())) check.greater(len(nblt.keywords()), 0) check.greater(len(nblt.entity_types()), 0) metadata = nblt.get_settings(print_settings=False) From 66570ca4112370fcf5817ed28adade66f4a63d43 Mon Sep 17 00:00:00 2001 
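Review bot: With the added `if p_func.__name__ not in funcs: continue`, the loop body can be skipped for every pivot function, in which case `test_run_pivot_funcs` passes without running anything; counting the executed functions and asserting `check.greater(run_count, 0)` after the loop keeps each parametrized case meaningful. `test_run_pivot_funcs` continues beyond the hunk.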
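Review bot: `check.greater_equal(all_opts, len(nblt.default_options()))` holds by construction when `all_options()` is the union of default and other options (which is how `NBMetadata.all_options` is written earlier in this patch), so the replacement assertion no longer tests anything. Asserting containment instead, `check.is_true(set(nblt.default_options()) <= set(nblt.all_options()))`, or that the count equals the two lists combined, would keep a real check. `test_class_methods` continues outside the hunk.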
From: Ian Hellen Date: Wed, 5 May 2021 19:06:24 -0700 Subject: [PATCH 05/10] Some fixes to logon_session_rarity to compensate for the clustering module not doing what I wanted/thought. TODO - will need to fix this in MSTICPy Added browse_events method Made process_tree method a bit more flexible - browse by account or session id Added browse_alerts method to host_summary Fixed a template docstring in IpAddressSummary.rst --- .../notebooklet_docs/IpAddressSummary.rst | 6 +- msticnb/nb/azsent/host/host_summary.py | 9 +- .../nb/azsent/host/logon_session_rarity.py | 122 ++++++++++++++---- 3 files changed, 111 insertions(+), 26 deletions(-) diff --git a/docs/source/notebooklet_docs/IpAddressSummary.rst b/docs/source/notebooklet_docs/IpAddressSummary.rst index f30b7cd..de284c0 100644 --- a/docs/source/notebooklet_docs/IpAddressSummary.rst +++ b/docs/source/notebooklet_docs/IpAddressSummary.rst @@ -215,7 +215,7 @@ Instance Methods | \__init__(self, data_providers: Union[, NoneType] = None, \**kwargs) + 0x00000130B3F78788>, NoneType] = None, \**kwargs) | Intialize a new instance of the notebooklet class. browse_alerts @@ -261,7 +261,7 @@ run NoneType] = None, timespan: Union[msticpy.common.timespan.TimeSpan, NoneType] = None, options: Union[Iterable[str], NoneType] = None, \**kwargs) -> msticnb.nb.azsent.network.ip_summary.IpSummaryResult -| Return XYZ summary. +| Return IP Address activity summary. Inherited methods ~~~~~~~~~~~~~~~~~ @@ -400,7 +400,7 @@ silent [property] Get the current instance setting for silent running. ``run`` function documentation ------------------------------ -Return XYZ summary. +Return IP Address activity summary. Parameters diff --git a/msticnb/nb/azsent/host/host_summary.py b/msticnb/nb/azsent/host/host_summary.py index a980834..d7ff743 100644 --- a/msticnb/nb/azsent/host/host_summary.py +++ b/msticnb/nb/azsent/host/host_summary.py 
@@ -11,7 +11,7 @@ from azure.common.exceptions import CloudError from bokeh.models import LayoutDOM from bokeh.plotting.figure import Figure -from msticpy.nbtools import nbdisplay +from msticpy.nbtools import nbdisplay, nbwidgets from msticpy.common.timespan import TimeSpan from msticpy.datamodel import entities from msticpy.common.utility import md @@ -24,6 +24,7 @@ nb_markdown, ) from ....notebooklet import Notebooklet, NotebookletResult, NBMetadata +from ....nblib.azsent.alert import browse_alerts from ....nblib.azsent.host import get_heartbeat, get_aznet_topology, verify_host_name from ....nb_metadata import read_mod_metadata, update_class_doc from ...._version import VERSION @@ -231,6 +232,12 @@ def run( self._last_result = result return self._last_result + def browse_alerts(self) -> nbwidgets.SelectAlert: + """Return alert browser/viewer.""" + if self.check_valid_result_data("related_alerts"): + return browse_alerts(self._last_result) + return None + # Get Azure Resource details from API @lru_cache() diff --git a/msticnb/nb/azsent/host/logon_session_rarity.py b/msticnb/nb/azsent/host/logon_session_rarity.py index 5c08a03..48aac60 100644 --- a/msticnb/nb/azsent/host/logon_session_rarity.py +++ b/msticnb/nb/azsent/host/logon_session_rarity.py @@ -8,6 +8,7 @@ import pandas as pd from msticpy.common.timespan import TimeSpan +from msticpy.nbtools import nbwidgets from msticpy.sectools.eventcluster import dbcluster_events, delim_count, char_ord_score from .... import nb_metadata @@ -40,7 +41,8 @@ class LogonSessionsRarityResult(NotebookletResult): Attributes ---------- process_clusters : pd.DataFrame - Process clusters based on account, process, commandline. + Process clusters based on account, process, commandline and + showing the an example process from each cluster processes_with_cluster : pd.DataFrame Merged data with rarity value assigned to each process event. session_rarity: pd.DataFrame 
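Review bot: `browse_alerts` is annotated `-> nbwidgets.SelectAlert` but returns `None` when `check_valid_result_data("related_alerts")` fails, so the annotation should be `def browse_alerts(self) -> Optional[nbwidgets.SelectAlert]:` (with `Optional` imported from `typing` if this module does not already import it). The docstring `Return alert browser/viewer.` could also state that `None` is returned until `run` has populated `related_alerts`.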
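Review bot: The new attribute text in `LogonSessionsRarityResult` reads `showing the an example process from each cluster`; `showing an example process from each cluster` is the intended wording. The unchanged `session_rarity: pd.DataFrame` line below it is also missing the space before the colon that the other two attributes use, which numpydoc needs in order to separate the name from the type.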
@@ -104,6 +106,7 @@ def __init__(self, **kwargs): """Initialize instance of LogonSessionRarity.""" super().__init__(**kwargs) self.column_map = {} + self._event_browser = None # @set_text decorator will display the title and text every time # this method is run. @@ -163,20 +166,31 @@ def run( self.column_map = _get_column_map(data) feat_data, cols = _add_session_features(data=data, column_map=self.column_map) - result.process_clusters = _cluster_sessions( + result.process_clusters, labeled_events = _cluster_sessions( data=feat_data, columns=list(cols.keys()) ) + ( result.processes_with_cluster, result.session_rarity, ) = _merge_cluster_with_procs( - data=data, + data=labeled_events, clustered_data=result.process_clusters, - merge_cols=list(cols.values()), + column_map=self.column_map, + ) + # save the result + self._last_result = result + + if not self.silent: + self.list_sessions_by_rarity() + self.plot_sessions_by_rarity() + + self._event_browser = _create_session_browser( + summ_data=result.session_rarity, + data=result.processes_with_cluster, column_map=self.column_map, ) - self._last_result = result # pylint: disable=attribute-defined-outside-init nb_markdown("

View the returned results object for more details.

") nb_markdown( f"Additional methods for this class:
{'
'.join(self.list_methods())}" @@ -205,18 +219,42 @@ def plot_sessions_by_rarity(self): source_columns=[self.column_map[COL_PROC], self.column_map[COL_CMD]], ) - def process_tree(self, account: Optional[str] = None): - """Display process tree of processes by rarity.""" + def process_tree( + self, account: Optional[str] = None, session: Optional[str] = None + ): + """ + View a process tree of current session. + + Parameters + ---------- + account : Optional[str], optional + The account name to view, by default None + session : Optional[str], optional + The logon session to view, by default None + """ if self.check_valid_result_data("processes_with_cluster"): - if not account: + if (not account and not session) or account == "all": self._last_result.processes_with_cluster.mp_process_tree.plot( legend_col="Rarity" ) - else: + return + if account: acct_col = self.column_map.get(COL_ACCT) data = self._last_result.processes_with_cluster data = data[data[acct_col] == account] data.mp_process_tree.plot(legend_col="Rarity") + return + session = session or self._event_browser.value + sess_col = self.column_map.get(COL_SESS) + data = self._last_result.processes_with_cluster + data = data[data[sess_col] == session] + data.mp_process_tree.plot(legend_col="Rarity") + + def browse_events(self): + """Browse the events by logon session.""" + if self.check_valid_result_data("processes_with_cluster"): + return self._event_browser + return None # % @@ -226,6 +264,7 @@ def process_tree(self, account: Optional[str] = None): COL_PROC = "process_name" COL_CMD = "command" COL_SESS = "sess" +COL_PID = "pid" def _find_column(data, column_opts, default=None): @@ -242,6 +281,7 @@ def _get_column_map(data): COL_CMD: _find_column(data, ["CommandLine", "cmd"]), COL_PROC: _find_column(data, ["NewProcessName", "exe"]), COL_SESS: _find_column(data, ["SubjectLogonId", "ses"]), + COL_PID: _find_column(data, ["NewProcessId", "pip"]), } 
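Review bot: In `run`, `self._last_result = result` is assigned before `_create_session_browser` runs, so if building the browser raises (a `KeyError` from a column `_get_column_map` could not resolve, for instance) the notebooklet is left with a valid-looking result while `_event_browser` stays `None`, and `process_tree(session=...)` then fails on `self._event_browser.value`. `_create_session_browser` does not read `self`, so move the `self._event_browser = _create_session_browser(...)` call above `self._last_result = result`; the display calls under `if not self.silent:` need `_last_result` and stay where they are. `run` continues past the end of this hunk.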
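Review bot: `session = session or self._event_browser.value` in `process_tree` dereferences `_event_browser` without checking it; it is initialised to `None` in `__init__` and only set at the end of `run`, so a failed browser build raises an unhelpful `AttributeError` here. Guard it: `session = session or (self._event_browser.value if self._event_browser else None)` followed by `if not session: return`. The docstring should also state that `account` takes precedence when both arguments are given, and that `account="all"` (a magic value only visible in the condition) plots every session.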
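Review bot: The new fallback name for `COL_PID` in `_get_column_map` is `"pip"`, which looks like a typo: the sibling entries use the Linux audit field names `cmd`, `exe` and `ses`, and the audit process-id field is `pid`, so this is probably meant to be `COL_PID: _find_column(data, ["NewProcessId", "pid"]),` (confirm against the Linux data schema this notebooklet expects). When neither name is present `_find_column` returns its `default`, `None`, and that `None` is stored in the map; the new session browser indexes `data` with these values, so an unresolved column surfaces later as a `KeyError` rather than a message naming the missing column.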
@@ -256,7 +296,7 @@ def _get_column_map(data): def _add_session_features(data, column_map: Dict[str, str]): """Create clustering features.""" nb_markdown(f"Input data: {len(data)} events") - nb_markdown("Extracting features...", end="") + nb_print("Extracting features...", end="") data = data.copy() cluster_cols = {} 
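Review bot: The progress message in `_add_session_features` now calls `nb_print` instead of `nb_markdown`, but this hunk does not show `nb_print` being imported; the module's import block is outside the hunk, so confirm it is imported from wherever `nb_markdown` comes from, otherwise the first `run` fails with `NameError`. The function continues past the end of this hunk.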
@@ -289,35 +329,43 @@ def _cluster_sessions(data, columns=None): # decreasing this gives more clusters. columns = columns or CLUSTER_COLUMNS nb_markdown("Clustering...") - (clus_events, _, _) = dbcluster_events( + (clus_events, db_cluster, _) = dbcluster_events( data=data, cluster_columns=columns, max_cluster_distance=0.0001, ) + labeled_events = data + labeled_events["ClusterId"] = db_cluster.labels_ nb_markdown("done") nb_markdown(f"Number of input events: {len(data)}") - nb_markdown(f"Number of clustered events: {len(clus_events)}") - return clus_events + nb_markdown( + f"Number of clusters: {len(clus_events[clus_events['ClusterId'] != -1])}" + ) + nb_markdown( + "Number of unique (unclustered) events: " + f"{len(clus_events[clus_events['ClusterId'] == -1])}" + ) + return clus_events, labeled_events -def _merge_cluster_with_procs(data, clustered_data, merge_cols, column_map): +def _merge_cluster_with_procs(data, clustered_data, column_map): """Merge clustered data with original.""" nb_markdown("Merging with source data and computing rarity...") - merge_cols = merge_cols or CLUSTER_COLUMNS # Join the clustered results back to the original process frame - procs_with_cluster = data.merge( - clustered_data[[*merge_cols, "ClusterSize"]], - on=merge_cols, + noise_points = data[data["ClusterId"] == -1].assign(ClusterId=-1, ClusterSize=1) + clusters = data[data["ClusterId"] != -1].merge( + clustered_data[["ClusterId", "ClusterSize"]], + on="ClusterId", ) - + procs_with_cluster = pd.concat([clusters, noise_points]) # Compute Process pattern Rarity = inverse of cluster size procs_with_cluster["Rarity"] = 1 / procs_with_cluster["ClusterSize"] # count the number of processes for each logon ID - sess = column_map.get("logon_id", "SubjectLogonId") - acct = column_map.get("account", "Account") - timestamp = column_map.get("timestamp", "TimeGenerated") + sess = column_map.get(COL_SESS, "SubjectLogonId") + acct = column_map.get(COL_ACCT, "Account") + timestamp = 
column_map.get(COL_TS, "TimeGenerated") session_rarity = ( procs_with_cluster.groupby([acct, sess]) .agg( @@ -334,3 +382,33 @@ def _merge_cluster_with_procs(data, clustered_data, merge_cols, column_map): nb_markdown("Higher score indicates higher number of unusual processes") return procs_with_cluster, session_rarity + + +def _create_session_browser(summ_data, data, column_map): + browse_cols = [ + column_map[COL_ACCT], + column_map[COL_TS], + column_map[COL_SESS], + column_map[COL_PID], + column_map[COL_PROC], + column_map[COL_CMD], + ] + if "ParentProcessName" in data: + browse_cols.append("ParentProcessName") + browse_cols.append("Rarity") + + item_dict = { + f"{item[1]} - {item[0]}, mean rarity: {item[2]}": item[0] + for item in summ_data[ + [column_map[COL_SESS], column_map[COL_ACCT], "MeanRarity"] + ].values + } + + def show_events(logon_id): + return ( + data[browse_cols] + .query(f"{column_map[COL_SESS]} == '{logon_id}'") + .sort_values(column_map[COL_TS]) + ) + + return nbwidgets.SelectItem(item_dict=item_dict, action=show_events) From 577b2ab9bf20ac0b0dae898bc3cb12439e0670a1 Mon Sep 17 00:00:00 2001 From: Ian Hellen Date: Wed, 12 May 2021 12:22:25 -0700 Subject: [PATCH 06/10] Adding title to logon_session_rarity event timeline graph --- msticnb/nb/azsent/host/logon_session_rarity.py | 1 + 1 file changed, 1 insertion(+) diff --git a/msticnb/nb/azsent/host/logon_session_rarity.py b/msticnb/nb/azsent/host/logon_session_rarity.py index 48aac60..091510f 100644 --- a/msticnb/nb/azsent/host/logon_session_rarity.py +++ b/msticnb/nb/azsent/host/logon_session_rarity.py @@ -212,6 +212,7 @@ def plot_sessions_by_rarity(self): data = self._last_result.processes_with_cluster acct_col = self.column_map.get(COL_ACCT) data.mp_timeline.plot_values( + title="Processes with relative rarity score groubed by Account", y="Rarity", group_by=acct_col, height=600, From 27db47ebfe5bc253918551e8a8353de092cd595c Mon Sep 17 00:00:00 2001 
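Review bot: `labeled_events = data` in `_cluster_sessions` aliases the input frame, so `labeled_events["ClusterId"] = db_cluster.labels_` writes into the caller's `feat_data`; the new name suggests a copy that does not happen. Either make the side effect explicit (add the column to `data` and return `data`) or take `data.copy()` if the caller's frame must stay untouched, and pandas may emit a SettingWithCopy warning here depending on how `feat_data` was produced. The return contract also changed and is undocumented: the docstring should say it returns `(cluster summary with ClusterId/ClusterSize, per-event frame with a ClusterId column where -1 marks unclustered events)`, since `_merge_cluster_with_procs` now depends on exactly that `-1` convention when it splits `noise_points` from `clusters`.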
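Review bot: `show_events` in `_create_session_browser` builds its filter by interpolating a data-derived value into a pandas expression, `.query(f"{column_map[COL_SESS]} == '{logon_id}'")`; `logon_id` comes from the logon-session column of ingested event data, so a value containing a quote or other expression syntax breaks the parse, a column name with spaces or dashes breaks the left-hand side, and a numeric session column never matches the quoted string. A boolean mask avoids the string-built expression and the dtype mismatch: `sess_col = column_map[COL_SESS]` then `return data.loc[data[sess_col] == logon_id, browse_cols].sort_values(column_map[COL_TS])`. Separately, `_find_column` returns `None` for names it cannot resolve, and a `None` in `browse_cols` makes `data[browse_cols]` raise `KeyError`; drop those entries (`browse_cols = [c for c in browse_cols if c]`) or fail with a message listing the missing columns. Neither the function nor `show_events` has a docstring; a one-line summary saying it returns a `SelectItem` whose action filters `data` to the chosen logon session would do.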
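Review bot: The new timeline title in `plot_sessions_by_rarity` is a user-facing string with a typo, `groubed`; it should read `title="Processes with relative rarity score grouped by Account",`.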
From: Ian Hellen Date: Wed, 12 May 2021 12:34:32 -0700 Subject: [PATCH 07/10] Changed requirements for msticpy to be >=1.0.0 --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index 80939b3..3e0656f 100644 --- a/requirements.txt +++ b/requirements.txt @@ -4,7 +4,7 @@ ipython>=7.14.0 ipywidgets>=7.5.1 lxml>=4.4.2 Markdown>=3.2.1 -msticpy==1.0.0 +msticpy>=1.0.0 numpy>=1.17.3 pandas>=0.25.3 python-dateutil>=2.8.1 From a34966d84ce04ada0686eb8caa5688652c5aef9d Mon Sep 17 00:00:00 2001 From: Ian Hellen Date: Wed, 12 May 2021 15:11:40 -0700 Subject: [PATCH 08/10] Fixes for build failure --- msticnb/__init__.py | 2 +- msticnb/nb/azsent/host/logon_session_rarity.py | 1 + requirements.txt | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/msticnb/__init__.py b/msticnb/__init__.py index f09e164..edcceee 100644 --- a/msticnb/__init__.py +++ b/msticnb/__init__.py @@ -72,7 +72,7 @@ def init( providers : Optional[List[str]], optional A list of other provider names to load - Other parameters + Other Parameters ---------------- kwargs : Optional keyword arguments to pass to DataProviders diff --git a/msticnb/nb/azsent/host/logon_session_rarity.py b/msticnb/nb/azsent/host/logon_session_rarity.py index 091510f..095393e 100644 --- a/msticnb/nb/azsent/host/logon_session_rarity.py +++ b/msticnb/nb/azsent/host/logon_session_rarity.py @@ -232,6 +232,7 @@ def process_tree( The account name to view, by default None session : Optional[str], optional The logon session to view, by default None + """ if self.check_valid_result_data("processes_with_cluster"): if (not account and not session) or account == "all": diff --git a/requirements.txt b/requirements.txt index 3e0656f..a51240a 100644 --- a/requirements.txt +++ b/requirements.txt @@ -4,7 +4,7 @@ ipython>=7.14.0 ipywidgets>=7.5.1 lxml>=4.4.2 Markdown>=3.2.1 -msticpy>=1.0.0 +msticpy[azure]>=1.0.0 numpy>=1.17.3 pandas>=0.25.3 python-dateutil>=2.8.1 
From 871632fc17761c4d907eccb9a4622fca5c89ea8f Mon Sep 17 00:00:00 2001 From: Ian Hellen Date: Wed, 12 May 2021 17:18:28 -0700 Subject: [PATCH 09/10] Updating ip_summary.yaml with correct name for Azure NSG logs Adding more info to test for CI test failure. --- msticnb/nb/azsent/network/ip_summary.yaml | 4 ++-- tests/nb/azsent/host/test_logon_session_rarity.py | 3 +++ 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/msticnb/nb/azsent/network/ip_summary.yaml b/msticnb/nb/azsent/network/ip_summary.yaml index 8e34f11..f2e28e3 100644 --- a/msticnb/nb/azsent/network/ip_summary.yaml +++ b/msticnb/nb/azsent/network/ip_summary.yaml @@ -33,7 +33,7 @@ output: Data and plots are stored in the result class returned by this function. md: True get_az_netflow: - title: Azure network analytics netflow data for IP. + title: Azure Azure NSG Flow Logs for IP. text: (only available for if Azure network analytics net flow enabled.) This is is a list of netflow events for the IP. @@ -66,5 +66,5 @@ output: get_public_ip_data: title: Public IP data (GeoIP, ThreatIntel, Passive DNS, VPS membership) netflow_summary: - title: Summary of network flow data for this IP Address + title: Summary of Azure NSG network flow data for this IP Address text: (only available for if Azure network analytics net flow enabled.) diff --git a/tests/nb/azsent/host/test_logon_session_rarity.py b/tests/nb/azsent/host/test_logon_session_rarity.py index fc334a5..d3e0a08 100644 --- a/tests/nb/azsent/host/test_logon_session_rarity.py +++ b/tests/nb/azsent/host/test_logon_session_rarity.py 
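Review bot: The new `get_az_netflow` title in ip_summary.yaml doubles the first word, `title: Azure Azure NSG Flow Logs for IP.`; it should be `title: Azure NSG Flow Logs for IP.`. The unchanged `text:` line below still says `(only available for if Azure network analytics net flow enabled.)` while both new titles now refer to NSG flow logs; if the data source really changed, that sentence (and its `for if` phrasing) should be updated to match.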
@@ -31,6 +31,9 @@ def test_logon_session_rarity_notebooklet(monkeypatch): filt_sess = raw_data[raw_data["Account"] == "MSTICAlertsWin1\\MSTICAdmin"] data = pd.concat([raw_data.iloc[:1000], filt_sess]) + check.is_true(hasattr(nblts.azsent.host, "LogonSessionsRarity")) + if not hasattr(nblts.azsent.host, "LogonSessionsRarity"): + print(nblts.azsent.host()) test_nb = nblts.azsent.host.LogonSessionsRarity() result = test_nb.run(data=data) From ec781d403da24f10044871b1783cd598f905a822 Mon Sep 17 00:00:00 2001 From: Ian Hellen Date: Wed, 12 May 2021 17:28:50 -0700 Subject: [PATCH 10/10] More renaming for Azure NSG data --- msticnb/nb/azsent/network/ip_summary.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/msticnb/nb/azsent/network/ip_summary.py b/msticnb/nb/azsent/network/ip_summary.py index 150c2a7..f292d6a 100644 --- a/msticnb/nb/azsent/network/ip_summary.py +++ b/msticnb/nb/azsent/network/ip_summary.py @@ -74,13 +74,13 @@ class IpSummaryResult(NotebookletResult): heartbeat : pd.DataFrame Heartbeat record for IP Address or host az_network_if : pd.DataFrame - Azure Network analytics interface record, if available + Azure NSG analytics interface record, if available vmcomputer : pd.DataFrame VMComputer latest record az_network_flows : pd.DataFrame - Azure Network analytics flows for IP, if available + Azure NSG flows for IP, if available az_network_flows_timeline: Figure - Azure Network analytics flows timeline, if data is available + Azure NSG flows timeline, if data is available aad_signins : pd.DataFrame = None AAD signin activity azure_activity : pd.DataFrame = None
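Review bot: The `if not hasattr(...): print(nblts.azsent.host())` block in `test_logon_session_rarity_notebooklet` is debugging output that will stay in the test once the CI failure is understood; the preceding `check.is_true(hasattr(...))` already records the failure, so pass the diagnostic as that check's message instead of printing, and drop the duplicated `hasattr` call. Whether `nblts.azsent.host` is callable is not visible here; if it is not, the fallback masks the original failure with a `TypeError`. The test function continues past the end of this hunk.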