# Title: msticpy - nbwidgets
## Description:
This contains a few aggregated widgets using IPyWidgets that help speed things up during an investigation.



<a id='contents'></a>
## Table of Contents
- [Setting query start/end times](#QueryTime)
- [Simple time range](#Lookback)
- [Selecting and Displaying Alerts](#AlertSelector)
- [Selecting from list or dict](#SelectString)
- [Getting a value from environment](#GetEnvironmentKey)


In [1]:
# Imports
import sys
MIN_REQ_PYTHON = (3,6)
if sys.version_info < MIN_REQ_PYTHON:
    print('Check the Kernel->Change Kernel menu and ensure that Python 3.6')
    print('or later is selected as the active kernel.')
    sys.exit("Python %s.%s or later is required.\n" % MIN_REQ_PYTHON)

from IPython.display import display, Markdown
import pandas as pd
# Import nbtools package
from msticpy.nbtools import *


Using Open PageRank. See https://www.domcop.com/openpagerank/what-is-openpagerank


<a id='QueryTime'></a>[Contents](#contents)
## QueryTime

This widget is used to specify time boundaries - designed to be used with the built-in msticpy queries and custom queries.
The `start` and `end` times are exposed as datetime properties.

```
QueryTime.

Composite widget to capture date and time origin
and set start and end times for queries.

Parameters
----------
QueryParamProvider : QueryParamProvider
    Abstract base class

Parameters
----------
origin_time : datetime, optional
    The origin time (the default is `datetime.utcnow()`)
label : str, optional
    The description to display
    (the default is 'Select time ({units}) to look back')
before : int, optional
    The default number of `units` before the `origin_time`
    (the default is 60)
after : int, optional
    The default number of `units` after the `origin_time`
    (the default is 10)
max_before : int, optional
    The largest value for `before` (the default is 600)
max_after : int, optional
    The largest value for `after` (the default is 100)
units : str, optional
    Time unit (the default is 'min')
    Permissable values are 'day', 'hour', 'minute', 'second'
    These can all be abbreviated down to initial characters
    ('d', 'm', etc.)
auto_display : bool, optional
    Whether to display on instantiation (the default is False)
```

In [2]:
q_times = nbwidgets.QueryTime(units='day', max_before=20, before=5, max_after=1)
q_times.display()

HTML(value='<h4>Set query time boundaries</h4>')

HBox(children=(DatePicker(value=datetime.date(2019, 12, 19), description='Origin Date'), Text(value='22:12:42.…

VBox(children=(IntRangeSlider(value=(-5, 1), description='Time Range (day):', layout=Layout(width='80%'), max=…

In [4]:
print(q_times.start, '....', q_times.end)

2019-08-28 23:36:59.410918 .... 2019-09-03 23:36:59.410918


Keep multiple query boundaries aligged by having QueryTime instances reference the time of the same alert or event.

In [4]:
from datetime import datetime, timedelta
class MyAlert:
    pass
alert = MyAlert()
alert.TimeGenerated = datetime.utcnow() - timedelta(15)
alert.TimeGenerated

q_times1 = nbwidgets.QueryTime(units='hour', max_before=20, before=1, max_after=1, 
                             origin_time=alert.TimeGenerated, auto_display=True)

q_times2 = nbwidgets.QueryTime(units='hour', max_before=20, before=4, max_after=2, 
                             origin_time=alert.TimeGenerated, auto_display=True)

HTML(value='<h4>Set query time boundaries</h4>')

HBox(children=(DatePicker(value=datetime.date(2019, 12, 4), description='Origin Date'), Text(value='22:29:50.8…

VBox(children=(IntRangeSlider(value=(-1, 1), description='Time Range (hour):', layout=Layout(width='80%'), max…

HTML(value='<h4>Set query time boundaries</h4>')

HBox(children=(DatePicker(value=datetime.date(2019, 12, 4), description='Origin Date'), Text(value='22:29:50.8…

VBox(children=(IntRangeSlider(value=(-4, 2), description='Time Range (hour):', layout=Layout(width='80%'), max…

In [5]:
alert.TimeGenerated = datetime.utcnow()
q_times1 = nbwidgets.QueryTime(units='hour', max_before=20, before=1, max_after=1, 
                             origin_time=alert.TimeGenerated, auto_display=True)

q_times2 = nbwidgets.QueryTime(units='hour', max_before=20, before=4, max_after=2, 
                             origin_time=alert.TimeGenerated, auto_display=True)

HTML(value='<h4>Set query time boundaries</h4>')

HBox(children=(DatePicker(value=datetime.date(2019, 12, 19), description='Origin Date'), Text(value='22:29:53.…

VBox(children=(IntRangeSlider(value=(-1, 1), description='Time Range (hour):', layout=Layout(width='80%'), max…

HTML(value='<h4>Set query time boundaries</h4>')

HBox(children=(DatePicker(value=datetime.date(2019, 12, 19), description='Origin Date'), Text(value='22:29:53.…

VBox(children=(IntRangeSlider(value=(-4, 2), description='Time Range (hour):', layout=Layout(width='80%'), max…

In [7]:
# Use in a query
my_kql = f'''
SecurityAlert 
| where TimeGenerated >= datetime({q_times1.start})
| where TimeGenerated <= datetime({q_times1.end})'''
print(my_kql)


SecurityAlert 
| where TimeGenerated >= datetime(2019-09-02 22:37:03.860216)
| where TimeGenerated <= datetime(2019-09-03 00:37:03.860216)


<a id='Lookback'></a>[Contents](#contents)
## Lookback
Simpler version with single slider value

Docstring:
`nbtools.Lookback?`

In [6]:
alert.TimeGenerated = datetime.utcnow() - timedelta(5)
lb = nbwidgets.Lookback(origin_time=alert.TimeGenerated, auto_display=True, max_value=48)

IntSlider(value=4, description='Select time (hour) to look back', layout=Layout(height='50px', width='60%'), m…

In [9]:
print(lb.start, '....', lb.end)

2019-08-28 19:37:06.883677 .... 2019-08-28 23:37:06.883677


<a id='AlertSelector'></a>[Contents](#contents)
## AlertSelector

```
AlertSelector.

View list of alerts and select one for investigation.
Optionally provide and action to call with the selected alert as a parameter
(typically used to display the alert.)

Attributes:
    selected_alert: the selected alert
    alert_id: the ID of the selected alert
    alerts: the current alert list (DataFrame)
Init docstring:
Create a new instance of AlertSelector.

Parameters
----------
alerts : pd.DataFrame
    DataFrame of alerts.
action : Callable[..., None], optional
    Optional function to execute for each selected alert.
    (the default is None)
columns : list, optional
    Override the default column names to use from `alerts`
    (the default is ['StartTimeUtc', 'AlertName',
    'CompromisedEntity', 'SystemAlertId'])
auto_display : bool, optional
    Whether to display on instantiation (the default is False)
```

In [7]:
# Load test data
alerts = pd.read_csv('data/alertlist.csv')

display(Markdown('### Simple alert selector'))
alert_select = nbwidgets.AlertSelector(alerts=alerts)
alert_select.display()

### Simple alert selector

VBox(children=(Text(value='', description='Filter alerts by title:', style=DescriptionStyle(description_width=…

In [8]:
alert_select = nbwidgets.AlertSelector(alerts=alerts, action=nbdisplay.display_alert)
display(Markdown('### Alert selector with action=DisplayAlert'))
alert_select.display()

### Alert selector with action=DisplayAlert

VBox(children=(Text(value='', description='Filter alerts by title:', style=DescriptionStyle(description_width=…

In [10]:
security_alert = None
def show_full_alert(selected_alert):
    global security_alert, alert_ip_entities
    security_alert = SecurityAlert(alert_select.selected_alert)
    nbdisplay.display_alert(security_alert, show_entities=True)
        
alert_select = nbwidgets.AlertSelector(alerts=alerts.query('CompromisedEntity == "MSTICALERTSWIN1"'), 
                                     action=show_full_alert)
display(Markdown('### Or a more detailed display with extracted entities'))
alert_select.display()

### Or a more detailed display with extracted entities

VBox(children=(Text(value='', description='Filter alerts by title:', style=DescriptionStyle(description_width=…

<a id='SelectString'></a>[Contents](#contents)
## SelectString

Similar to AlertSelector but simpler and allows you to use any list or dictionary of items.

```
Selection list from list or dict.

Attributes:
    value : The selected value.
Init docstring:
Select an item from a list or dict.

Parameters
----------
description : str, optional
    The widget label to display (the default is None)
item_list : List[str], optional
    A `list` of items to select from (the default is None)
item_dict : Mapping[str, str], optional
    A `dict` of items to select from. When using `item_dict`
    the keys are displayed as the selectable items and value
    corresponding to the selected key is set as the `value`
    property.
    (the default is None)
action : Callable[..., None], optional
    function to call when item selected (passed a single
    parameter - the value of the currently selected item)
    (the default is None)
auto_display : bool, optional
    Whether to display on instantiation (the default is False)
height : str, optional
    Selection list height (the default is '100px')
width : str, optional
    Selection list width (the default is '50%')
```

In [11]:
if security_alert is None:
    security_alert = SecurityAlert(alerts.iloc[0])
ent_dict = {ent['Type']:ent for ent in security_alert.entities}

nbwidgets.SelectString(item_dict=ent_dict,
                       description='Select an item',
                       action=print,
                       auto_display=True);


VBox(children=(Text(value='', description='Filter:', style=DescriptionStyle(description_width='initial')), Sel…

<a id='GetEnvironmentKey'></a>[Contents](#contents)
## GetEnvironmentKey
Get editable value of environment variable. Common use would be retrieving an API key from your environment or allowing you to paste in a value if the environment key isn't set.

Note setting the variable only persists in the python kernel process running at the time. So you can retrieve it later in the notebook but not in other processes.

In [12]:
nbwidgets.GetEnvironmentKey(env_var='userprofile', auto_display=True);

HBox(children=(Text(value='C:\\Users\\Ian', description='Enter the value: ', layout=Layout(width='50%'), style…

<a id='SelectSubset'></a>[Contents](#contents)
## SelectSubset
Allows you to select one or multiple items from a list to populate an output set.

```
Class to select a subset from an input list.

    Attributes
    ----------
    selected_values : List[Any]
        The selected item values.
    selected_items : List[Any]
        The selected items label and value
        
Init docstring:
Create instance of SelectSubset widget.

Parameters
----------
source_items : Union[Dict[str, str], List[Any]]
    List of source items - either a dictionary(label, value),
    a simple list or
    a list of (label, value) tuples.
default_selected : Union[Dict[str, str], List[Any]]
    Populate the selected list with values - either
    a dictionary(label, value),
    a simple list or
    a list of (label, value) tuples.
```

In [13]:
# Simple list
items = list(alerts["AlertName"].values)
sel_sub = nbwidgets.SelectSubset(source_items=items)

VBox(children=(Text(value='', description='Filter:', style=DescriptionStyle(description_width='initial')), HBo…

In [14]:
# Label/Value pair items with a a subset of pre-selected items
items = {v: k for k, v in alerts["AlertName"].to_dict().items()}
pre_selected = {v: k for k, v in alerts["AlertName"].to_dict().items() if "commandline" in v}
sel_sub = nbwidgets.SelectSubset(source_items=items, default_selected=pre_selected)


VBox(children=(Text(value='', description='Filter:', style=DescriptionStyle(description_width='initial')), HBo…

In [46]:
print("Values:", sel_sub.selected_values, "\n")
print("Items:", sel_sub.selected_items)

Values: [79, 109, 83] 

Items: [('Detected suspicious commandline arguments', 79), ('Detected suspicious commandline used to start all executables in a directory', 109), ('Detected suspicious credentials in commandline', 83)]


## Progress Indicator

In [24]:
from time import sleep
progress = nbwidgets.Progress(completed_len=2000)
for i in range(0, 2100, 100):
    progress.update_progress(new_total=i)
    sleep(0.1)
    
inc_progress = nbwidgets.Progress(completed_len=2000)
for i in range(0, 2100, 100):
    inc_progress.update_progress(delta=100)
    sleep(0.1)

HBox(children=(IntProgress(value=0, bar_style='info', description='Progress:'), Label(value='0%')))

HBox(children=(IntProgress(value=0, bar_style='info', description='Progress:'), Label(value='0%')))