# Release 1.0 of MSTIC Notebooklets
MSTIC Notebooklets has been around for a while, but we are about to start using it in production notebooks, so we decided it was time to make the transition to v1.0.0.
## New Features and major changes
### New Notebooklets
#### Host Network Summary
Retrieves an Azure NSG and/or MDE network connection summary for a host, and retrieves TI, GeoIP and WhoIs information for the remote IPs. Also displays a folium map of the IP locations. See HostNetworkSummary for more details.
#### URL Summary
Retrieves summary information about URLs and domains including the following:
- Threat intelligence reports
- WhoIs records
- Certificate information
- Optional screenshot of target web page
- Related Sentinel alerts and bookmarks
- Host activity related to the endpoint using MDE connection data, syslog entries, Windows process command lines.
- Network connection activity related to the endpoints
### Updated notebooklets
#### Host Summary
Updated to work with either Windows or Linux hosts. The data retrieved obviously varies a little between the two platforms, but you can now invoke the summary on a host without having to worry about which OS is installed.
See HostSummary for more details.
#### IP Summary
Updated to add several data sources such as CommonSecurityLog and MDE data. New data categories returned include accounts and hosts related to the IP (i.e. have connections to or from the IP).
See IPSummary for more details.
### Support modules
#### msticnb.nblib.ti and msticnb.nblib.iptools
The TI module is new and provides high-level functions for using MSTICPy's TILookup functionality in notebooks.
Additional functionality has been added to the iptools module.
### Global changes
- The notebooklets have been updated to work with MSTICPy 2.0 and should continue to work with recent prior releases.
- The Notebooklet base class has two new methods, `data_properties` and `vis_properties`, making it easy to list the different major categories of result data from the notebooklet results class.
## Feature Refresher
### Notebooklets via Pivots
Most of the notebooklets have a Pivot version. When you import msticnb and run `nb.init()`, pivot functions are created on the entities corresponding to the notebooklet functionality. E.g.
```python
IpAddress.nblt.ip_summary()
Host.nblt.host_network_summary()
```
### Access Notebooklet properties and methods from the Notebooklet results class.
Something that we implemented a while ago that is worth remembering. The notebooklet results class returned from the notebooklets `run` method, contains data sets such as pandas dataframes, Bokeh visualizations and other data. The results class maintains a link to the Notebooklet that created it and lets you access the notebooklet attributes as if they were attributes of the results class.
```python
result = my_notebooklet.run(value="my_host", ...)
# get_additional_data() is a method of the my_notebooklet class,
# but it can be called through the result object
result.get_additional_data()
# this also works
result.data_properties()
```
This is especially helpful if you are invoking a notebooklet via a pivot function, since you never get to see the notebooklet class directly. Having everything accessible from the result class (which is returned from the pivot function) means that you can use it as a proxy for the notebooklet class instance attributes.
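To show how this proxying works, here is an added, simplified illustration (not msticnb's own code): a result class that keeps a link to the notebooklet that created it and forwards attribute lookups it cannot satisfy itself. Class and attribute names are hypothetical, and `FakeFrame`/`FakeFigure` stand in for pandas and Bokeh objects.

```python
from typing import Any, List, Optional

class FakeFrame(list):
    """Stand-in for a pandas DataFrame (constructed for this example)."""

class FakeFigure(str):
    """Stand-in for a Bokeh/folium visualization (constructed for this example)."""

class NotebookletResult:
    """Result container that proxies unknown attributes to its notebooklet."""
    def __init__(self, notebooklet: "Notebooklet") -> None:
        self._notebooklet = notebooklet  # link back to the creating notebooklet

    def __getattr__(self, name: str) -> Any:
        # Called only when normal lookup fails, so the result's own data
        # attributes win and the notebooklet's attributes/methods are the
        # fallback. Private names are not forwarded; this also prevents
        # infinite recursion if _notebooklet is absent (e.g. during unpickling).
        if name.startswith("_"):
            raise AttributeError(name)
        return getattr(self._notebooklet, name)

class Notebooklet:
    def __init__(self, name: str) -> None:
        self.name = name
        self._last_result: Optional[NotebookletResult] = None

    def run(self, value: str) -> NotebookletResult:
        result = NotebookletResult(self)
        # Constructed sample output: one "table" and one "visualization".
        result.connections = FakeFrame([{"host": value, "remote_ip": "203.0.113.5"}])
        result.ip_map = FakeFigure(f"IP locations for {value}")
        self._last_result = result
        return result

    def get_additional_data(self) -> str:
        return f"additional data for {self.name}"

    def _result_attrs(self, kind: type) -> List[str]:
        attrs = vars(self._last_result) if self._last_result else {}
        return sorted(n for n, v in attrs.items() if isinstance(v, kind))

    def data_properties(self) -> List[str]:
        return self._result_attrs(FakeFrame)

    def vis_properties(self) -> List[str]:
        return self._result_attrs(FakeFigure)
```

Because the lookup falls through `__getattr__` only on a miss, `result.connections` still resolves to the result's own data, while `result.get_additional_data()` and `result.data_properties()` reach the notebooklet.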
## What's Changed
- Updating iPython requirement to avoid MSTICPy clash by @petebryan in #24
- Ianhelle/notebooklet fixes 2022 04 12 by @ianhelle in #26
- Updating docs for notebooklets by @ianhelle in #27
- URL Summary by @petebryan in #29
- Added HostNetworkSummary documentation by @petebryan in #30
- 1.0.0 release by @petebryan in #31
Full Changelog: v0.2.3...v1.0.0