# Jupyter Notebooklets Demo

### [@ianhellen](https://twitter.com/ianhellen)
#### Principal Dev - MSTIC, Azure Security

# What are notebooklets?

Collections of notebook cells that implement some useful reusable sequence

## Rationale
- Notebook code can quickly become complex and lengthy:
  - Can obscure the information you are trying to display
  - Can be intimidating to non-developers
- Notebook code cells are not easily reusable:
  - You can copy and paste, but how do you sync changes back to the original notebook?
  - Difficult to discover code snippets in notebooks
- Notebook code is often fragile:
  - Often not parameterized
  - Code blocks are frequently dependent on global values assigned earlier
  - Output data is not in any standard format
  - Difficult to test

## Characteristics of Notebooklets
- One or small number of entry points
- Must be parameterizable (e.g. you can supply a hostname, IP address, time range, etc.)
- Can query, process or visualize data (or any combination)
- Typically return a result or package of results for use later in the notebook


---
# Initializing the Notebook
Notebooklets depend on msticpy so we import/initialize this package.

In [2]:
import sys
import os
from IPython.display import display, HTML, Markdown

from msticpy.nbtools.nbinit import init_notebook
init_notebook(namespace=globals());

Processing imports....
Checking configuration....
No errors found.

 -------------------------------------------------
No AzureCLI section in settings.
Setting options....


---
# Notebooklets in use

## Import the package
- Discovers and imports notebooklet classes/modules

In [3]:
# pip install msticnb

In [4]:
import msticnb as nb

7 notebooklets loaded.


---
## Calling init()
Before using any of the notebooklets you need to initialize the providers.

Providers are the libraries that do the work of fetching data from external sources that are
then used by the notebooklet code.

init() does the following:
- Loads required data providers
- Authenticates to providers if required at startup
- Can supply list of providers to load
- Can pass parameters to each provider (settings loaded from config by default)

In [5]:
nb.init?

Signature:
nb.init(
    query_provider: str = 'LogAnalytics',
    providers: Union[List[str], NoneType] = None,
    **kwargs,
)
Docstring:
Instantiate an instance of DataProviders.

Parameters
----------
query_provider : str, optional
    DataEnvironment name of the primary query provider.
    You can add addtional query providers by including them
    in the `providers` list.
providers : Optional[List[str]], optional
    A list of provider names, by default "LogAnalytics"

Other Parameters
----------------
kwargs
    You can pass parameters to individual providers using
    the following notation:
    `ProviderName_param_name="

### Available Providers

In [6]:
nb.DataProviders.list_providers()

['LogAnalytics',
 'AzureSentinel',
 'Kusto',
 'AzureSecurityCenter',
 'SecurityGraph',
 'MDATP',
 'LocalData',
 'Splunk',
 'tilookup',
 'geolitelookup',
 'ipstacklookup']

### Default Providers

In [7]:
nb.DataProviders.get_def_providers()

['tilookup', 'geolitelookup']

### Running init, adding ipstacklookup to the default set of providers.
You can also prefix a provider name with "-" to remove it from the default set.

You can also specify an explicit list of providers to override the defaults entirely. E.g
```
nb.init(query_provider="AzureSentinel", providers=["ipstacklookup", "tilookup"])
```

> **Note** you cannot mix the "+"/"-" prefixed names with un-prefixed provider names.
> Doing this will cause an error to be thrown.
> e.g. `nb.init(query_provider="AzureSentinel", providers=["+ipstacklookup", "tilookup"])` is illegal.
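The provider-list rules described above, modelled in plain Python as an added example (this is not msticnb's own `init()` code; the default and known provider names are the ones the cells above print, and the ordering of the result is an assumption):

```python
# Added example, not msticnb's own code: models how the `providers`
# argument of nb.init() is interpreted. An un-prefixed list replaces the
# defaults entirely; "+name"/"-name" add to or remove from the defaults;
# mixing the two forms is an error.
from typing import Iterable, List, Optional

# Defaults as returned by nb.DataProviders.get_def_providers() above.
DEFAULT_PROVIDERS: List[str] = ["tilookup", "geolitelookup"]

# Names as listed by nb.DataProviders.list_providers() above.
KNOWN_PROVIDERS = {
    "LogAnalytics", "AzureSentinel", "Kusto", "AzureSecurityCenter",
    "SecurityGraph", "MDATP", "LocalData", "Splunk",
    "tilookup", "geolitelookup", "ipstacklookup",
}


def resolve_providers(
    query_provider: str,
    providers: Optional[Iterable[str]] = None,
    defaults: Iterable[str] = DEFAULT_PROVIDERS,
) -> List[str]:
    """Return the ordered list of providers that would be loaded.

    Raises ValueError if prefixed and un-prefixed names are mixed, or if
    any requested name is not a known provider.
    """
    requested = list(providers or [])
    prefixed = [p for p in requested if p.startswith(("+", "-"))]
    plain = [p for p in requested if not p.startswith(("+", "-"))]
    if prefixed and plain:
        raise ValueError(
            f"cannot mix '+'/'-' prefixed and un-prefixed names: {requested}"
        )
    if plain:
        # Explicit list: overrides the default set entirely.
        selected = plain
    else:
        # Start from the defaults and apply each +/- adjustment in order.
        selected = list(defaults)
        for item in prefixed:
            name = item[1:]
            if item[0] == "+" and name not in selected:
                selected.append(name)
            elif item[0] == "-" and name in selected:
                selected.remove(name)
    # Assumption: the query provider is listed first, without duplicates.
    ordered = [query_provider] + [p for p in selected if p != query_provider]
    unknown = [p for p in ordered if p not in KNOWN_PROVIDERS]
    if unknown:
        raise ValueError(f"unknown provider(s): {unknown}")
    return ordered
```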

In [28]:
nb.init(query_provider="AzureSentinel")


Using Open PageRank. See https://www.domcop.com/openpagerank/what-is-openpagerank
Loaded providers: LogAnalytics, geolitelookup, tilookup


---
## Using LocalData Provider
The LocalData provider allows you to substitute local files for queries that you would normally
make to online data sources such as AzureSentinel.

When we call init() we use the "LocalData_" prefix to pass the "query_paths" and "data_paths"
parameters to the underlying provider.

- Specify a folder where data files are stored with `LocalData_data_paths` (list[str])
- Specify a folder containing query definition files `LocalData_query_paths` (list[str])


Inside a notebooklet, the query provider is available as `self.query_provider`.

In [26]:
nb.init(
    "LocalData", providers=["-tilookup"],
    LocalData_data_paths=["/src/msticnb/tests/testdata"],
    LocalData_query_paths=["/src/msticnb/tests/testdata"],
)

Loaded providers: LocalData, geolitelookup


---
## Notebooklet classes are discovered and imported at load time

Although you can manually initiate a run to read more notebooklets.

#### The `nblts` attribute exposes notebooklets (niblets?) in a tree structure
- Useful for autocomplete when you more or less know what you're looking for

The top level in the hierarchy is the data environment (e.g. azsent == AzureSentinel). Beneath these the notebooklets are grouped into various categories such as host, network, etc.

In [10]:
print(nb.nblts)

azsent
  account
    AccountSummary (Notebooklet)
  alert
    EnrichAlerts (Notebooklet)
  host
    HostLogonsSummary (Notebooklet)
    HostSummary (Notebooklet)
    WinHostEvents (Notebooklet)
  network
    NetworkFlowSummary (Notebooklet)
template
  TemplateNB (Notebooklet)



Access an individual notebook using this path structure

In [11]:
nb.nblts.azsent.host.HostSummary?

Init signature:
nb.nblts.azsent.host.HostSummary(
    data_providers: Union[<msticnb.data_providers.SingletonDecorator object at 0x00000223E99C63C8>, NoneType] = None,
    **kwargs,
)
Docstring:
HostSummary Notebooklet class.

Queries and displays information about a host including:

- IP address assignment
- Related alerts
- Related hunting/investigation bookmarks
- Azure subscription/resource data.


Default Options
---------------
- heartbeat: Query Heartbeat table for host information.
- azure_net: Query AzureNetworkAnalytics table for host network topology information.
- al

### Notebooklets are exposed in `nb.nb_index`
The values reflect the physical path in which the notebooklets are stored (you can ignore this)

In [12]:
nb.nb_index

{'nblts.azsent.account.AccountSummary': msticnb.nb.azsent.account.account_summary.AccountSummary,
 'nblts.azsent.alert.EnrichAlerts': msticnb.nb.azsent.alert.ti_enrich.EnrichAlerts,
 'nblts.azsent.host.HostLogonsSummary': msticnb.nb.azsent.host.host_logons_summary.HostLogonsSummary,
 'nblts.azsent.host.HostSummary': msticnb.nb.azsent.host.host_summary.HostSummary,
 'nblts.azsent.host.WinHostEvents': msticnb.nb.azsent.host.win_host_events.WinHostEvents,
 'nblts.azsent.network.NetworkFlowSummary': msticnb.nb.azsent.network.network_flow_summary.NetworkFlowSummary,
 'nblts.template.TemplateNB': msticnb.nb.template.nb_template.TemplateNB}

## There is a find function that looks for:
- text or regular expressions
- matches in the class docstring
- metadata such as the entities and options supported

In [13]:
nb.find("host, net.*", full_match=True)

[('HostSummary', msticnb.nb.azsent.host.host_summary.HostSummary),
 ('NetworkFlowSummary',
  msticnb.nb.azsent.network.network_flow_summary.NetworkFlowSummary)]

---
# More detailed (and user-friendly) help in the `show_help()` method

In [None]:
nb.nblts.azsent.host.HostSummary.show_help()

---
# How are notebooklets used?

## Most require time range parameters

Usually the notebooklet also needs the ID of the entity that you're running the notebooklet for. For example, a host name, an IP address, etc.

Some notebooklets process data in the form of a dataframe. Use the `data` parameter to pass this.

> **Note** You can also pass other parameters used by the notebooklet as keyword arguments (`**kwargs`)

In [30]:
time_span = nbwidgets.QueryTime(auto_display=True, units="day", origin_time=pd.to_datetime("2019-02-10"), before=10)

HTML(value='<h4>Set query time boundaries</h4>')

HBox(children=(DatePicker(value=datetime.date(2019, 2, 10), description='Origin Date'), Text(value='00:00:00',…

VBox(children=(IntRangeSlider(value=(-10, 1), description='Time Range (day):', layout=Layout(width='80%'), max…

## Run the notebooklet using the `run()` method

> **Note:** You'll want to assign the return value of `run()` to something or terminate the line with a semicolon.
> Both the notebooklet and the returned `result` class generate displayable output, so otherwise you'll get
> a lot of duplicated output.

In [31]:
host_summary = nb.nblts.azsent.host.HostSummary()
host_sum_rslt = host_summary.run(value="Msticalertswin1", timespan=time_span)



Getting data from SecurityEvent...



Getting data from Syslog...



Unique host found: MSTICAlertsWin1


{ 'AdditionalData': {},
  'AzureDetails': { 'ResourceGroup': 'ASIHUNTOMSWORKSPACERG',
                    'ResourceId': '/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHUNTOMSWORKSPACERG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1',
                    'ResourceProvider': 'Microsoft.Compute',
                    'ResourceType': 'virtualMachines',
                    'Solutions': '"security", "changeTracking", "networkMonitoring", "serviceMap", '
                                 '"dnsAnalytics", "securityCenterFree", "securityInsights", '
                                 '"windowsEventForwarding"',
                    'SubscriptionId': '40dcc8bf-0478-4f3b-b275-ed0a94f2c013'},
  'Environment': 'Azure',
  'HostName': 'MSTICAlertsWin1',
  'IPAddress': { 'AdditionalData': {},
                 'Address': '40.76.43.124',
                 'Location': { 'AdditionalData': {},
                               'CountryName': 'United States',
                   


Getting data from Bookmarks...



## Result classes content can be displayed in the notebook
Use `display(result)` if you want to display the content in the middle of a cell

In [32]:
host_sum_rslt

Unnamed: 0,TenantId,TimeGenerated,AlertDisplayName,AlertName,Severity,Description,ProviderName,VendorName,VendorOriginalId,SystemAlertId,ResourceId,SourceComputerId,AlertType,ConfidenceLevel,ConfidenceScore,IsIncident,StartTimeUtc,EndTimeUtc,ProcessingEndTime,RemediationSteps,ExtendedProperties,Entities,SourceSystem,WorkspaceSubscriptionId,WorkspaceResourceGroup,ExtendedLinks,ProductName,ProductComponentName,AlertLink,Type,Computer,src_hostname,src_accountname,src_procname,host_match,acct_match,proc_match
0,52b1ab41-869e-4138-9e40-2a4457f09bf0,2019-02-10 05:38:41+00:00,Security incident with shared process detected,Security incident with shared process detected,High,The incident which started on 2019-02-09 23:26:48 UTC and recently detected on 2019-02-10 05:38:...,Detection,Microsoft,a346dd76-a51d-464e-afc5-c6e5c6a8fc6e,2518525459919272837_a346dd76-a51d-464e-afc5-c6e5c6a8fc6e,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/provide...,263a788b-6526-4cdc-8ed9-d79402fe4aa0,KillChainFusionIncident,Unknown,,True,2019-02-09 23:26:48+00:00,2019-02-09 23:26:48+00:00,2019-02-10 05:38:41+00:00,"[\r\n ""1. Escalate the alert to the information security team."",\r\n ""2. Review the remediatio...","{\r\n ""isincident"": ""true"",\r\n ""Detected Time (UTC)"": ""2019-02-10 05:38:41 UTC"",\r\n ""Incide...","[\r\n {\r\n ""$id"": ""4"",\r\n ""DisplayName"": ""Digital currency mining related behavior dete...",Detection,40dcc8bf-0478-4f3b-b275-ed0a94f2c013,asihuntomsworkspacerg,,,,,SecurityAlert,MSTICAlertsWin1,MSTICAlertsWin1,,,True,False,False
1,52b1ab41-869e-4138-9e40-2a4457f09bf0,2019-02-09 23:27:23+00:00,Digital currency mining related behavior detected,Digital currency mining related behavior detected,High,Analysis of host data on MSTICALERTSWIN1 detected the execution of a process or command normally...,Detection,Microsoft,b1d1c4df-4f84-455f-9280-35e3cfe8a313,2518525459919272837_b1d1c4df-4f84-455f-9280-35e3cfe8a313,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/provide...,263a788b-6526-4cdc-8ed9-d79402fe4aa0,SCUBA_RULE_DigitalCurrencyMiningTool,Unknown,,False,2019-02-09 23:26:48+00:00,2019-02-09 23:26:48+00:00,2019-02-09 23:27:24+00:00,"[\r\n ""1. Run Process Explorer and try to identify unknown running processes (see https://techn...","{\r\n ""Compromised Host"": ""MSTICALERTSWIN1"",\r\n ""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",\r...","[\r\n {\r\n ""$id"": ""4"",\r\n ""DnsDomain"": """",\r\n ""NTDomain"": """",\r\n ""HostName"": ""M...",Detection,40dcc8bf-0478-4f3b-b275-ed0a94f2c013,asihuntomsworkspacerg,,,,,SecurityAlert,MSTICAlertsWin1,MSTICAlertsWin1,,,True,False,False
2,52b1ab41-869e-4138-9e40-2a4457f09bf0,2019-02-09 23:27:25+00:00,Suspiciously named process detected,Suspiciously named process detected,High,Analysis of host data on MSTICALERTSWIN1 detected a process whose name is very similar to but di...,Detection,Microsoft,d4e28a5d-6267-414c-8c1f-50d0e27fe442,2518525459919272837_d4e28a5d-6267-414c-8c1f-50d0e27fe442,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/provide...,263a788b-6526-4cdc-8ed9-d79402fe4aa0,SCUBA_PROCESSNAMESIMILARITY,Unknown,,False,2019-02-09 23:26:48+00:00,2019-02-09 23:26:48+00:00,2019-02-09 23:27:25+00:00,"[\r\n ""Review with MSTICAlertsWin1\\MSTICAdmin the suspicious process identified in this alert ...","{\r\n ""Account Session Id"": ""0xab5a5ac"",\r\n ""Compromised Host"": ""MSTICALERTSWIN1"",\r\n ""Pare...","[\r\n {\r\n ""$id"": ""2"",\r\n ""HostName"": ""msticalertswin1"",\r\n ""AzureID"": ""/subscripti...",Detection,40dcc8bf-0478-4f3b-b275-ed0a94f2c013,asihuntomsworkspacerg,,,,,SecurityAlert,MSTICAlertsWin1,MSTICAlertsWin1,,,True,False,False
3,52b1ab41-869e-4138-9e40-2a4457f09bf0,2019-02-07 00:58:29+00:00,Sample Alert Rule,Sample Alert Rule,Medium,,CustomAlertRule,Alert Rule,1ff13f6a-481e-4a7c-8ab1-654a054f647e,4b955429-bea1-4fe8-9dce-661f861975e0,,,CustomAlertRule_d45eb79f-18e2-4f9b-aeb2-f242a8007960,Unknown,,False,2019-02-06 23:48:24+00:00,2019-02-07 00:48:24+00:00,2019-02-07 00:58:29+00:00,,"{\r\n ""Alert Mode"": ""Aggregated"",\r\n ""Search Query"": ""{\""detailBladeInputs\"":{\""id\"":\""/subsc...","[\r\n {\r\n ""$id"": ""3"",\r\n ""HostName"": ""MSTICAlertsWin1"",\r\n ""Type"": ""host"",\r\n ...",Detection,40dcc8bf-0478-4f3b-b275-ed0a94f2c013,asihuntomsworkspacerg,,,,,SecurityAlert,MSTICAlertsWin1,MSTICAlertsWin1,,,True,False,False
4,52b1ab41-869e-4138-9e40-2a4457f09bf0,2019-02-07 00:06:32+00:00,Potential attempt to bypass AppLocker detected,Potential attempt to bypass AppLocker detected,High,Analysis of host data on MSTICALERTSWIN1 detected a potential attempt to bypass AppLocker restri...,Detection,Microsoft,46354390-3396-4e43-aad4-673568583988,2518528028434712203_46354390-3396-4e43-aad4-673568583988,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/provide...,263a788b-6526-4cdc-8ed9-d79402fe4aa0,SCUBA_RULE_Applocker_Bypass,Unknown,,False,2019-02-07 00:05:56+00:00,2019-02-07 00:05:56+00:00,2019-02-07 00:06:33+00:00,"[\r\n ""Review with WORKGROUP\\MSTICAlertsWin1$ the suspicious command line in this alert to see...","{\r\n ""Compromised Host"": ""MSTICALERTSWIN1"",\r\n ""User Name"": ""WORKGROUP\\MSTICAlertsWin1$"",\r...","[\r\n {\r\n ""$id"": ""4"",\r\n ""DnsDomain"": """",\r\n ""NTDomain"": """",\r\n ""HostName"": ""M...",Detection,40dcc8bf-0478-4f3b-b275-ed0a94f2c013,asihuntomsworkspacerg,,,,,SecurityAlert,MSTICAlertsWin1,MSTICAlertsWin1,,,True,False,False

Unnamed: 0,TenantId,TimeGenerated,BookmarkId,BookmarkName,BookmarkType,CreatedBy,UpdatedBy,CreatedTime,LastUpdatedTime,EventTime,QueryText,QueryResultRow,QueryStartTime,QueryEndTime,Notes,SoftDeleted,Tags,SourceSystem,Type,_ResourceId,Computer,Account,Entities


---
## Simple Notebooklet browser

In [18]:
nb.browse()

VBox(children=(HBox(children=(VBox(children=(Select(options=(('AccountSummary', <class 'msticnb.nb.azsent.acco…

<msticnb.nb_browser.NBBrowser at 0x223ea1280f0>

In [23]:
win_host_events = nb.nblts.azsent.host.WinHostEvents()
timespan = TimeSpan(start="2020-05-07 00:10")
win_host_events_rslt = win_host_events.run(value="MSTICAlertsWin1", timespan=timespan)

Getting data from SecurityEvent...


Activity,DWM-1,DWM-2,IUSR,LOCAL SERVICE,MSTICAdmin,MSTICAlertsWin1$,NETWORK SERVICE,No Account,SYSTEM,ian
1100 - The event logging service has shut down.,0.0,0.0,0.0,0.0,0.0,0.0,0.0,1.0,0.0,0.0
4608 - Windows is starting up.,0.0,0.0,0.0,0.0,0.0,0.0,0.0,1.0,0.0,0.0
4616 - The system time was changed.,0.0,0.0,0.0,2.0,0.0,0.0,0.0,0.0,0.0,0.0
4625 - An account failed to log on.,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,2.0
4634 - An account was logged off.,0.0,4.0,0.0,0.0,12.0,0.0,0.0,0.0,0.0,2.0
4647 - User initiated logoff.,0.0,0.0,0.0,0.0,2.0,0.0,0.0,0.0,0.0,0.0
4648 - A logon was attempted using explicit credentials.,0.0,0.0,0.0,0.0,0.0,10.0,0.0,0.0,0.0,0.0
4672 - Special privileges assigned to new logon.,2.0,2.0,1.0,1.0,14.0,0.0,1.0,0.0,60.0,0.0
4720 - A user account was created.,0.0,0.0,0.0,0.0,2.0,0.0,0.0,0.0,0.0,0.0
4722 - A user account was enabled.,0.0,0.0,0.0,0.0,2.0,0.0,0.0,0.0,0.0,0.0


Activity,MSTICAdmin
4720 - A user account was created.,2
4722 - A user account was enabled.,2
4724 - An attempt was made to reset an account's password.,4
4726 - A user account was deleted.,2
4728 - A member was added to a security-enabled global group.,2
4729 - A member was removed from a security-enabled global group.,2
4732 - A member was added to a security-enabled local group.,4
4733 - A member was removed from a security-enabled local group.,3
4738 - A user account was changed.,5


## Additional operations apart from `run()`
We can use `expand_events()` to unpack the `EventData` column into separate columns for selected EventIDs

In [20]:
win_host_events_rslt.account_events.head(5)

Unnamed: 0,TenantId,TimeGenerated,SourceSystem,Account,AccountType,Computer,EventSourceName,Channel,Task,Level,EventData,EventID,Activity,PartitionKey,RowKey,StorageAccount,AzureDeploymentID,AzureTableName,AccessList,AccessMask,AccessReason,AccountDomain,AccountExpires,AccountName,AccountSessionIdentifier,...,TargetUserSid,TemplateContent,TemplateDSObjectFQDN,TemplateInternalName,TemplateOID,TemplateSchemaVersion,TemplateVersion,TokenElevationType,TransmittedServices,UserAccountControl,UserParameters,UserPrincipalName,UserWorkstations,VirtualAccount,VendorIds,Workstation,WorkstationName,SourceComputerId,EventOriginId,MG,TimeCollected,ManagementGroupName,Type,_ResourceId,EventProperties
47,52b1ab41-869e-4138-9e40-2a4457f09bf0,2019-02-11 09:58:50.173,OpsManager,MSTICAlertsWin1\MSTICAdmin,User,MSTICAlertsWin1,Microsoft-Windows-Security-Auditing,Security,13826,8,"<EventData xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">\r\n <Data Name=""Membe...",4728,4728 - A member was added to a security-enabled global group.,,,,,,,,,,,,,...,,,,,,,,,,,,,,,,,,263a788b-6526-4cdc-8ed9-d79402fe4aa0,27df6071-1e81-4e24-934c-dc96667b83ab,00000000-0000-0000-0000-000000000001,2019-02-11 09:58:51.400,AOI-52b1ab41-869e-4138-9e40-2a4457f09bf0,SecurityEvent,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourcegroups/asihuntomsworkspacerg/provide...,"{'MemberName': '-', 'MemberSid': 'S-1-5-21-996632719-2361334927-4038480536-1118', 'TargetUserNam..."
48,52b1ab41-869e-4138-9e40-2a4457f09bf0,2019-02-11 09:58:50.173,OpsManager,MSTICAlertsWin1\MSTICAdmin,User,MSTICAlertsWin1,Microsoft-Windows-Security-Auditing,Security,13824,8,"<EventData xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">\r\n <Data Name=""Targe...",4720,4720 - A user account was created.,,,,,,,,,,%%1794,,,...,,,,,,,,,,\t\t%%2080 \t\t%%2082 \t\t%%2084,%%1793,-,%%1793,,,,,263a788b-6526-4cdc-8ed9-d79402fe4aa0,2c09036a-5ca7-4115-9ddf-e9eb49c14247,00000000-0000-0000-0000-000000000001,2019-02-11 09:58:51.400,AOI-52b1ab41-869e-4138-9e40-2a4457f09bf0,SecurityEvent,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourcegroups/asihuntomsworkspacerg/provide...,"{'TargetUserName': 'abai$', 'TargetDomainName': 'MSTICAlertsWin1', 'TargetSid': 'S-1-5-21-996632..."
49,52b1ab41-869e-4138-9e40-2a4457f09bf0,2019-02-11 09:58:50.183,OpsManager,MSTICAlertsWin1\MSTICAdmin,User,MSTICAlertsWin1,Microsoft-Windows-Security-Auditing,Security,13824,8,"<EventData xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">\r\n <Data Name=""Targe...",4722,4722 - A user account was enabled.,,,,,,,,,,,,,...,,,,,,,,,,,,,,,,,,263a788b-6526-4cdc-8ed9-d79402fe4aa0,fefd6761-e431-4cfa-9cd2-c5700f6186df,00000000-0000-0000-0000-000000000001,2019-02-11 09:58:51.400,AOI-52b1ab41-869e-4138-9e40-2a4457f09bf0,SecurityEvent,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourcegroups/asihuntomsworkspacerg/provide...,"{'TargetUserName': 'abai$', 'TargetDomainName': 'MSTICAlertsWin1', 'TargetSid': 'S-1-5-21-996632..."
50,52b1ab41-869e-4138-9e40-2a4457f09bf0,2019-02-11 09:58:50.183,OpsManager,MSTICAlertsWin1\MSTICAdmin,User,MSTICAlertsWin1,Microsoft-Windows-Security-Auditing,Security,13824,8,"<EventData xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">\r\n <Data Name=""Dummy...",4738,4738 - A user account was changed.,,,,,,,,,,%%1794,,,...,,,,,,,,,,\t\t%%2048 \t\t%%2050,-,-,%%1793,,,,,263a788b-6526-4cdc-8ed9-d79402fe4aa0,1d3997a3-9ede-4f9b-877a-eaabc63a3c1e,00000000-0000-0000-0000-000000000001,2019-02-11 09:58:51.400,AOI-52b1ab41-869e-4138-9e40-2a4457f09bf0,SecurityEvent,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourcegroups/asihuntomsworkspacerg/provide...,"{'Dummy': '-', 'TargetUserName': 'abai$', 'TargetDomainName': 'MSTICAlertsWin1', 'TargetSid': 'S..."
51,52b1ab41-869e-4138-9e40-2a4457f09bf0,2019-02-11 09:58:50.183,OpsManager,MSTICAlertsWin1\MSTICAdmin,User,MSTICAlertsWin1,Microsoft-Windows-Security-Auditing,Security,13824,8,"<EventData xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">\r\n <Data Name=""Targe...",4724,4724 - An attempt was made to reset an account's password.,,,,,,,,,,,,,...,,,,,,,,,,,,,,,,,,263a788b-6526-4cdc-8ed9-d79402fe4aa0,66e7e96a-d33d-4eb7-bc89-f4e654d74009,00000000-0000-0000-0000-000000000001,2019-02-11 09:58:51.400,AOI-52b1ab41-869e-4138-9e40-2a4457f09bf0,SecurityEvent,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourcegroups/asihuntomsworkspacerg/provide...,"{'TargetUserName': 'abai$', 'TargetDomainName': 'MSTICAlertsWin1', 'TargetSid': 'S-1-5-21-996632..."


In [21]:
win_host_events.expand_events(event_ids=4728).head(5)

Unnamed: 0,TenantId,TimeGenerated,SourceSystem,Account,AccountType,Computer,EventSourceName,Channel,Task,Level,EventData,EventID,Activity,MemberName,MemberSid,PrivilegeList,SubjectAccount,SubjectDomainName,SubjectLogonId,SubjectUserName,SubjectUserSid,TargetAccount,TargetDomainName,TargetSid,TargetUserName,SourceComputerId,EventOriginId,MG,TimeCollected,ManagementGroupName,Type,_ResourceId
47,52b1ab41-869e-4138-9e40-2a4457f09bf0,2019-02-11 09:58:50.173,OpsManager,MSTICAlertsWin1\MSTICAdmin,User,MSTICAlertsWin1,Microsoft-Windows-Security-Auditing,Security,13826,8,"<EventData xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">\r\n <Data Name=""Membe...",4728,4728 - A member was added to a security-enabled global group.,-,S-1-5-21-996632719-2361334927-4038480536-1118,-,MSTICAlertsWin1\MSTICAdmin,MSTICAlertsWin1,0xbd57571,MSTICAdmin,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAlertsWin1\None,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-513,,263a788b-6526-4cdc-8ed9-d79402fe4aa0,27df6071-1e81-4e24-934c-dc96667b83ab,00000000-0000-0000-0000-000000000001,2019-02-11 09:58:51.400,AOI-52b1ab41-869e-4138-9e40-2a4457f09bf0,SecurityEvent,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourcegroups/asihuntomsworkspacerg/provide...
58,52b1ab41-869e-4138-9e40-2a4457f09bf0,2019-02-11 09:58:50.447,OpsManager,MSTICAlertsWin1\MSTICAdmin,User,MSTICAlertsWin1,Microsoft-Windows-Security-Auditing,Security,13826,8,"<EventData xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">\r\n <Data Name=""Membe...",4728,4728 - A member was added to a security-enabled global group.,-,S-1-5-21-996632719-2361334927-4038480536-1119,-,MSTICAlertsWin1\MSTICAdmin,MSTICAlertsWin1,0xbd57571,MSTICAdmin,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAlertsWin1\None,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-513,,263a788b-6526-4cdc-8ed9-d79402fe4aa0,73b0fe4e-9886-43ab-afa6-b43eb7434402,00000000-0000-0000-0000-000000000001,2019-02-11 09:58:51.400,AOI-52b1ab41-869e-4138-9e40-2a4457f09bf0,SecurityEvent,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourcegroups/asihuntomsworkspacerg/provide...


---
# Anatomy of a Notebooklet

# Three sections:
- Results class - what is it going to return
- Notebooklet class - `run()` defines what the notebooklet does
- Code - series of functions that do the actual work

Run the following cell to import the code.

In [None]:
nb.nblts.template.TemplateNB.import_cell()
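A minimal notebooklet with the three sections above, written as an added example rather than msticnb's own template: it has a results class, a class whose `run()` takes the `value`, `timespan` and `data` parameters used earlier, and plain functions that do the work, including an `expand_events()` that unpacks the `EventData` XML the way the earlier cell does. It assumes plain dicts in place of pandas DataFrames and a constructed sample of `SecurityEvent` rows; the `timespan` argument is accepted but not applied because the sample rows carry no timestamps.

```python
# Added example, not msticnb's own code. Dicts stand in for DataFrames.
import xml.etree.ElementTree as ET
from collections import Counter
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, Iterable, List, Optional, Union

# Constructed sample rows in the shape of the SecurityEvent table shown
# above; EventData is the XML blob that expand_events() unpacks.
EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"Computer": "MSTICAlertsWin1", "Account": r"MSTICAlertsWin1\MSTICAdmin",
     "EventID": 4720, "Activity": "4720 - A user account was created.",
     "EventData": f'<EventData xmlns="{EVENT_NS}">'
                  '<Data Name="TargetUserName">abai$</Data>'
                  '<Data Name="TargetDomainName">MSTICAlertsWin1</Data></EventData>'},
    {"Computer": "MSTICAlertsWin1", "Account": r"MSTICAlertsWin1\MSTICAdmin",
     "EventID": 4728,
     "Activity": "4728 - A member was added to a security-enabled global group.",
     "EventData": f'<EventData xmlns="{EVENT_NS}">'
                  '<Data Name="MemberName">-</Data>'
                  '<Data Name="MemberSid">S-1-5-21-996632719-2361334927-4038480536-1118</Data>'
                  '</EventData>'},
    {"Computer": "OTHERHOST", "Account": r"OTHERHOST\svc", "EventID": 4624,
     "Activity": "4624 - An account was successfully logged on.",
     "EventData": f'<EventData xmlns="{EVENT_NS}">'
                  '<Data Name="TargetUserName">svc</Data></EventData>'},
]

# Account-management event IDs (the rows of the second summary table above).
ACCOUNT_EVENT_IDS = {4720, 4722, 4724, 4726, 4728, 4729, 4732, 4733, 4738}


# 1. Results class: what run() returns.
@dataclass
class WinHostEventsResult:
    host: str
    account_events: List[Dict[str, Any]] = field(default_factory=list)
    account_summary: Dict[str, int] = field(default_factory=dict)


# 3. Code: plain functions that do the actual work.
def parse_event_data(xml_text: str) -> Dict[str, str]:
    """Unpack the <Data Name="..."> elements of an EventData blob into a dict."""
    root = ET.fromstring(xml_text)
    return {d.get("Name"): (d.text or "") for d in root.iter(f"{{{EVENT_NS}}}Data")}


def summarize_by_activity(events: Iterable[Dict[str, Any]]) -> Dict[str, int]:
    """Count events per Activity string, like the account summary table above."""
    return dict(Counter(e["Activity"] for e in events))


# 2. Notebooklet class: run() defines what the notebooklet does.
class WinHostEventsNB:
    def __init__(self, data_provider: Optional[Callable[[str], List[Dict[str, Any]]]] = None):
        # Stand-in for self.query_provider: a callable returning rows for a host.
        # Host matching is case-insensitive, as in the HostSummary run above.
        self.data_provider = data_provider or (lambda host: [
            e for e in SAMPLE_EVENTS if e["Computer"].lower() == host.lower()])
        self.last_result: Optional[WinHostEventsResult] = None

    def run(self, value: str, timespan=None, data=None, **kwargs) -> WinHostEventsResult:
        """`value` is the host name; `data` passes pre-fetched rows instead of querying."""
        rows = data if data is not None else self.data_provider(value)
        acct = [e for e in rows if e["EventID"] in ACCOUNT_EVENT_IDS]
        self.last_result = WinHostEventsResult(
            host=value, account_events=acct,
            account_summary=summarize_by_activity(acct))
        return self.last_result

    def expand_events(self, event_ids: Union[int, Iterable[int]]) -> List[Dict[str, Any]]:
        """Additional operation apart from run(): one extra column per EventData field."""
        if self.last_result is None:
            raise RuntimeError("call run() before expand_events()")
        wanted = {event_ids} if isinstance(event_ids, int) else set(event_ids)
        return [{**e, **parse_event_data(e["EventData"])}
                for e in self.last_result.account_events if e["EventID"] in wanted]
```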

---
# More Info

## msticpy
- Documentation - https://msticpy.readthedocs.io
- GitHub - https://github.com/microsoft/msticpy
- PyPI - https://pypi.org/project/msticpy/

## msticnb - Notebooklets
- GitHub - https://github.com/microsoft/msticnb

## Notebooks
- Azure-Sentinel-Notebooks - https://github.com/Azure/Azure-Sentinel-Notebooks
- Binder-able demo - https://github.com/Azure/Azure-Sentinel-Notebooks/tree/master/nbdemo