Release 1.0 of MSTIC Notebooklets

ianhelle released this 18 Jul 22:01 · 22 commits to main since this release · 0562424

MSTIC Notebooklets has been around for a while, but we are about to start using it in production notebooks, so we decided it was time to make the transition to v1.0.0.

New Features and major changes

New Notebooklets

Host Network Summary

Retrieves an Azure NSG and/or MDE network connection summary for a host, retrieving TI, GeoIP and WhoIs information for the remote IPs. Also displays a folium map of the IP locations. See HostNetworkSummary for more details.

URL Summary

Retrieves summary information about URLs and domains including the following:

  • Threat intelligence reports
  • WhoIs records
  • Certificate information
  • Optional screenshot of target web page
  • Related Sentinel alerts and bookmarks
  • Host activity related to the endpoint, using MDE connection data, syslog entries and Windows process command lines.
  • Network connection activity related to the endpoints

Updated notebooklets

Host Summary

Updated to work with either Windows or Linux hosts. The data retrieved obviously varies a little between the two platforms, but you can now invoke the summary on a host without having to worry about which OS is installed.

See HostSummary for more details.

IP Summary

Updated to add several data sources such as CommonSecurityLog and MDE data. New data categories returned include accounts and hosts related to the IP (i.e. have connections to or from the IP).

See IPSummary for more details.

Support modules

msticnb.nblib.ti and msticnb.nblib.iptools

The TI module is new and provides high-level functions for using MSTICPy's TILookup functionality in notebooks.
Additional functionality was added to the iptools module.

Global changes

  • The notebooklets have been updated to work with MSTICPy 2.0 and should continue to work with recent prior releases.
  • The Notebooklet base class has two new methods, data_properties and vis_properties, which make it easy to list the major categories of result data held in the notebooklet results class.

Feature Refresher

Notebooklets via Pivots

Most of the notebooklets have a Pivot version. When you import msticnb and run nb.init(), pivot functions are created on the entities corresponding to the notebooklet functionality. E.g.

```python
IpAddress.nblt.ip_summary()
Host.nblt.host_network_summary()
```

Access Notebooklet properties and methods from the Notebooklet results class

Something that we implemented a while ago that is worth remembering: the notebooklet results class returned from the notebooklet's `run` method contains data sets such as pandas DataFrames, Bokeh visualizations and other data. The results class maintains a link to the Notebooklet that created it and lets you access the notebooklet's attributes as if they were attributes of the results class.

```python
result = my_notebooklet.run(value="my_host", ...)
# get_additional_data() is a method of the my_notebooklet class
result.get_additional_data()

# this also works
result.data_properties()
```

This is especially helpful if you are invoking a notebooklet via a pivot function, since you never see the notebooklet class instance directly. Having everything accessible from the results class (which is returned from the pivot function) means that you can use it as a proxy for the notebooklet instance's attributes.
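To make the proxy behaviour concrete, here is an added, self-contained sketch of the pattern (not msticnb's own code): `NotebookletResult`, `Notebooklet`, the two stub types and all attribute names are made up for the example, and the `data_properties`/`vis_properties` helpers are a hypothetical implementation that classifies result items by type.

```python
# Added example (not msticnb's own code): made-up class and attribute names
# showing how a results object can proxy failed lookups to its notebooklet.
class DataFrameStub(list): pass   # stand-in for a pandas DataFrame (constructed)
class FigureStub(str): pass       # stand-in for a Bokeh figure (constructed)

class NotebookletResult:
    """Holds result data and a link to the notebooklet that created it."""

    def __init__(self, notebooklet, **data):
        # Write through __dict__ so __getattr__ is not hit during init.
        self.__dict__["notebooklet"] = notebooklet
        self.__dict__.update(data)

    def __getattr__(self, name):
        # Only invoked when normal lookup fails; fall through to the
        # notebooklet. Dunder names are excluded so copy/pickle keep working.
        nblt = self.__dict__.get("notebooklet")
        if nblt is None or name.startswith("__"):
            raise AttributeError(name)
        return getattr(nblt, name)

class Notebooklet:
    """Minimal base class with data_properties / vis_properties helpers."""

    def __init__(self):
        self.last_result = None

    def run(self, value):
        # Constructed sample output for the hypothetical host `value`.
        self.last_result = NotebookletResult(
            self, host_name=value,
            logons=DataFrameStub([{"account": "svc", "host": value}]),
            logon_timeline=FigureStub(f"Logons on {value}"),
        )
        return self.last_result

    def _result_items(self, kind):
        # Names of result attributes whose value is of the given type.
        return [k for k, v in vars(self.last_result).items()
                if k != "notebooklet" and isinstance(v, kind)]

    def data_properties(self):   # DataFrame-like result items
        return self._result_items(DataFrameStub)

    def vis_properties(self):    # visualization result items
        return self._result_items(FigureStub)

    def get_additional_data(self):
        return f"extra data for {self.last_result.host_name}"
```

With this in place, `nb.run("my_host").data_properties()` resolves through the result to the notebooklet and returns `["logons"]`, while a name that exists on neither object still raises `AttributeError`.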

What's Changed

Full Changelog: v0.2.3...v1.0.0