386303b0eb | ||
---|---|---|
.azurepipelines | ||
.github | ||
docs | ||
msticnb | ||
tests | ||
.gitignore | ||
.pre-commit-config.yaml | ||
.pylintrc | ||
.readthedocs.yaml | ||
CODE_OF_CONDUCT.md | ||
CONTRIBUTING.md | ||
LICENSE | ||
MANIFEST.in | ||
README.md | ||
SECURITY.md | ||
azure-pipelines.yml | ||
mypy.ini | ||
prospector.yml | ||
pyproject.toml | ||
pytest.ini | ||
requirements-dev.txt | ||
requirements.txt | ||
setup.py |
README.md
msticnb - Notebooklets for Jupyter Notebooks
Read the full documentation at msticnb.readthedocs
msticnb is a companion package to msticpy. It is designed to be used in Jupyter notebooks by security operations engineers and analysts, to give them quick access to common notebook patterns such as retrieving summary information about a host or IP address.
Each notebooklet is equivalent to multiple cells and many lines of code in a traditional notebook. You can import and run a notebooklet with two lines of code (or even 1 line, if you are impatient). Typically, the input parameters to a notebooklet will be an identifier (e.g. a host name) and a time range (over which to query data). Some notebooklets (primarily packaged analytics) will take a pandas DataFrame as input.
host_summary = nb.nblts.azsent.host.HostSummary()
host_sum_rslt = host_summary.run(
value="Msticalertswin1", timespan=time_span
)
You can create your own notebooklets and use them in the same framework as the ones already in the package.
Notebooklets
What are notebooklets?
Notebooklets are collections of notebook cells that implement some useful reusable sequence. They are extensions of, and build upon the msticpy package and are design to streamline authoring of Jupyter notebooks for CyberSec hunters and investigators. The goal of notebooklets is to replace repetitive and lengthy boilerplate code in notebooks for common operations.
Some examples are:
- Get a host summary for a named host (IP address, cloud registration information, recent alerts)
- Get account activity for an account (host and cloud logons and failures, summary of recent activity)
- Triage alerts with Threat Intel data (prioritize your alerts by correlating with Threat intel sources)
Intended Audience
- Cyber security investigators and hunters using Jupyter notebooks for their work
- Security Ops Center (SOC) engineers/SecDevOps building reusable notebooks for SOC analysts
Why did we create notebooklets?
- Notebook code can quickly become complex and lengthy:
- obscures the information you are trying to display
- can be intimidating to non-developers
- Code in notebook code cells is not easily re-useable:
- You can copy and paste but how do you sync changes back to the original notebook?
- Difficult to discover code snippets in notebooks
- Notebook code is often fragile:
- Often not parameterized or modular
- Code blocks are frequently dependent on global values assigned earlier
- Output data is not in any standard format
- Difficult to test
Why aren't these part of msticpy?
- Msticpy aims to be platform-independent, whereas most if not all notebooklets assume a data schema that is specific to their data provider/SIEM.
- Msticpy is mostly for discrete functions such as data acquisition, analysis and visualization. Msticnb implements common SOC scenarios using this functionality.
Traditional Notebook vs. one using a Notebooklets
The notebook on the left is using mostly inline code (occupying more than 50% of the notebook). The one on the right is using a single notebooklet with only 3 or 4 lines of code.
Characteristics of Notebooklets
- They have one or small number of entry points/methods (typically a "run" method)
- They are parametrizable (e.g. you can supply hostname, IP Address, time range, etc.) and they may have runtime options to allow to skip unwanted processing or include optional processing
- They can query, process or visualize data (or any combination)
- They return a package of results that can be used later in the notebook
- The code can be imported into a notebook cell to be modified, if needed.
Limitations
- They are normally specific to a data backend/SIEM since the data schema and layout varies between SIEM vendors.
- Notebooklet code layout is typically more complex than standard notebook code
Using Notebooklets
For a more detailed explanation of these steps and illustration of other features see the Notebooklets notebook
Install the Package
pip install msticnb
Import and initialize
The init method loads data drivers and data providers relevant to the the chosen data platform.
Pick a notebooklet to use
You can pick a notebooklet from the commandline, using autocompletion. You can also search for a notebooklet using keywords and text from the notebooklet name and documentation.
The easiest way is using the nb.browse() method. This lists all of the available notebooklets and displays documentation, usage information and sample code snippet for each.
Instantiate the notebooklet and execute "run"
Notebooklets usually have a single run
method, which is the entry
point for the notebooklet. A notebooklet might have additional methods
to do further drill-down, data retrieval, visualization or other
operations once the run method has completed. Run typically requires
parameters such as a host or account identifier and a time range over
which to perform the operations.
The notebooklet displays output directly to the notebook (although this can be suppressed) - showing text, data tables and visualizations. This data is all saved to a Results object. The data items are simple properties of this results object, for example, DataFrames, plots, or simple Python dictionaries. You can access these individually and you can just display the results object using IPython display() or just typing its name into and emtpy cell and running the cell.
View extended help for a notebooklet
You can access detailed documentation from any notebooklet class or instance using the show_help() method. This help includes a high-level description and usage information (parameters, available methods, options). It also describes the major output sections that will be displayed and the the contents of the return results.
Note: the contents of this help are also displayed in the notebooklet browser shown earlier.
Current Notebooklets
AccountSummary
Retrieves account summary for the selected account.
Main operations:
- Searches for matches for the account name in Active Directory, Windows and Linux host logs.
- If one or more matches are found it will return a selection widget that you can use to pick the account.
- Selecting the account displays a summary of recent activity and retrieves any alerts and hunting bookmarks related to the account
- The alerts and bookmarks are browsable using the browse_alerts and browse_bookmarks methods
- You can call the find_additional_data method to retrieve and display more detailed activity information for the account (e.g. host logons, Azure and Office 365 activity)
EnrichAlerts
Alert Enrichment Notebooklet Class.
Enriches Azure Sentinel alerts with Threat Intelligence and other data.
HostLogonsSummary
Host Logons Summary Notebooklet class.
Queries and displays information about logons to a host including:
- Summary of successful logons
- Visualizations of logon event times
- Geolocation of remote logon sources
- Visualizations of various logon elements depending on host type
- Data on users with failed and successful logons
HostSummary
HostSummary Notebooklet class.
Queries and displays information about a host including:
- IP address assignment
- Related alerts
- Related hunting/investigation bookmarks
- Azure subscription/resource data.
WinHostEvents
Windows host Security Events Notebooklet class.
Queries and displays Windows Security Events including:
- All security events summary
- Extracting and displaying account management events
- Account management event timeline
- Optionally parsing packed event data into DataFrame columns
Process (4688) and Account Logon (4624, 4625) are not included in the event types processed by this module.
IpAddressSummary
Retrieves common data about an IP Address including:
- Tries to determine IP address is external or internal (i.e. owned by the organization)
- Azure Heartbeat, Network Analytics or VMComputer records
- Geo-IP and Whois data
- Threat intel reports
- Related alerts and hunting bookmarks
- Network flows involving IP address
- Azure activity (e.g. sign-ins) originating from IP address
NetworkFlowSummary
Network Flow Summary Notebooklet class.
Queries network data and plots time lines for network traffic to/from a host or IP address.
- Plot flows events by protocol and direction
- Plot flow count by protocol
- Display flow summary table
- Display flow summary by ASN
- Display results on map
TemplateNB
Template Notebooklet class.
A code template for creating additional notebooklets.