# Entity Explorer - Account
 <details>
     <summary>&nbsp;<u>Details...</u></summary>

 **Notebook Version:** 1.0<br>
 **Python Version:** Python 3.6 (including Python 3.6 - AzureML)<br>
 **Required Packages**: kqlmagic, msticpy, pandas, numpy, matplotlib, networkx, ipywidgets, ipython, dnspython, ipwhois, folium, maxminddb_geolite2<br>
 **Platforms Supported**:
 - Azure Notebooks Free Compute
 - Azure Notebooks DSVM
 - OS Independent

 **Data Sources Required**:
 - Log Analytics - SecurityAlert, SecurityEvent, HuntingBookmark, Syslog, AAD SigninLogs, AzureActivity, OfficeActivity, ThreatIndicator
 - (Optional) - VirusTotal, AlienVault OTX, IBM XForce, Open Page Rank, (all require accounts and API keys)
 </details>

 Brings together a series of queries and visualizations to help you determine the security state of an Account. The account can be a Windows or Linux account or an Azure Active Directory/Office 365 account.

The Notebook contains sections for reviewing activity for Host accounts (Linux and Windows) and for Azure Active Directory accounts. It also has a general section that looks for related items independent of the account type.

<h1>Contents<span class="tocSkip"></span></h1>
<div class="toc"><ul class="toc-item"><li><span><a href="#Hunting-Hypothesis" data-toc-modified-id="Hunting-Hypothesis-1"><span class="toc-item-num">1&nbsp;&nbsp;</span>Hunting Hypothesis</a></span></li><li><span><a href="#Notebook-Initialization" data-toc-modified-id="Notebook-Initialization-2"><span class="toc-item-num">2&nbsp;&nbsp;</span>Notebook Initialization</a></span><ul class="toc-item"><li><span><a href="#Get-Workspace-and-Authenticate" data-toc-modified-id="Get-Workspace-and-Authenticate-2.1"><span class="toc-item-num">2.1&nbsp;&nbsp;</span>Get Workspace and Authenticate</a></span><ul class="toc-item"><li><span><a href="#Authentication-and-Configuration-Problems" data-toc-modified-id="Authentication-and-Configuration-Problems-2.1.1"><span class="toc-item-num">2.1.1&nbsp;&nbsp;</span>Authentication and Configuration Problems</a></span></li></ul></li></ul></li><li><span><a href="#Enter-account-name-and-query-time-window" data-toc-modified-id="Enter-account-name-and-query-time-window-3"><span class="toc-item-num">3&nbsp;&nbsp;</span>Enter account name and query time window</a></span></li><li><span><a href="#Data-Sources-available-to-query" data-toc-modified-id="Data-Sources-available-to-query-4"><span class="toc-item-num">4&nbsp;&nbsp;</span>Data Sources available to query</a></span></li><li><span><a href="#Search-for-Account-Name-in-Host,-Azure-Active-Directory-(AAD),-Azure-and-Office-365-Data." data-toc-modified-id="Search-for-Account-Name-in-Host,-Azure-Active-Directory-(AAD),-Azure-and-Office-365-Data.-5"><span class="toc-item-num">5&nbsp;&nbsp;</span>Search for Account Name in Host, Azure Active Directory (AAD), Azure and Office 365 Data.</a></span><ul class="toc-item"><li><span><a href="#Query-Data-Sources" data-toc-modified-id="Query-Data-Sources-5.1"><span class="toc-item-num">5.1&nbsp;&nbsp;</span>Query Data Sources</a></span></li></ul></li><li><span><a href="#Display-logons-from-account-sources-and-choose-an-account-to-explore" data-toc-modified-id="Display-logons-from-account-sources-and-choose-an-account-to-explore-6"><span class="toc-item-num">6&nbsp;&nbsp;</span>Display logons from account sources and choose an account to explore</a></span></li><li><span><a href="#Related-Alerts-and-Hunting-Bookmarks" data-toc-modified-id="Related-Alerts-and-Hunting-Bookmarks-7"><span class="toc-item-num">7&nbsp;&nbsp;</span>Related Alerts and Hunting Bookmarks</a></span><ul class="toc-item"><li><span><a href="#Alerts" data-toc-modified-id="Alerts-7.1"><span class="toc-item-num">7.1&nbsp;&nbsp;</span>Alerts</a></span></li><li><span><a href="#Hunting/Investigation-Bookmarks" data-toc-modified-id="Hunting/Investigation-Bookmarks-7.2"><span class="toc-item-num">7.2&nbsp;&nbsp;</span>Hunting/Investigation Bookmarks</a></span></li></ul></li><li><span><a href="#Further-Investigation" data-toc-modified-id="Further-Investigation-8"><span class="toc-item-num">8&nbsp;&nbsp;</span>Further Investigation</a></span></li><li><span><a href="#Windows-Host" data-toc-modified-id="Windows-Host-9"><span class="toc-item-num">9&nbsp;&nbsp;</span>Windows Host</a></span><ul class="toc-item"><li><span><a href="#Host-Logon-Summary" data-toc-modified-id="Host-Logon-Summary-9.1"><span class="toc-item-num">9.1&nbsp;&nbsp;</span>Host Logon Summary</a></span></li><li><span><a href="#Threat-Intelligence-for-logon-IP-Addresses" data-toc-modified-id="Threat-Intelligence-for-logon-IP-Addresses-9.2"><span class="toc-item-num">9.2&nbsp;&nbsp;</span>Threat Intelligence for logon IP Addresses</a></span></li><li><span><a href="#Geolocation-and-ownership-for-source-logon-IP-addresses" data-toc-modified-id="Geolocation-and-ownership-for-source-logon-IP-addresses-9.3"><span class="toc-item-num">9.3&nbsp;&nbsp;</span>Geolocation and ownership for source logon IP addresses</a></span></li><li><span><a href="#Additional-Alerts-for-logged-on-hosts" data-toc-modified-id="Additional-Alerts-for-logged-on-hosts-9.4"><span class="toc-item-num">9.4&nbsp;&nbsp;</span>Additional Alerts for logged-on hosts</a></span><ul class="toc-item"><li><span><a href="#Additional-alerts-for-source-IP-addresses" data-toc-modified-id="Additional-alerts-for-source-IP-addresses-9.4.1"><span class="toc-item-num">9.4.1&nbsp;&nbsp;</span>Additional alerts for source IP addresses</a></span></li></ul></li><li><span><a href="#Additional-Investigation-Bookmarks-for-logged-on-hosts" data-toc-modified-id="Additional-Investigation-Bookmarks-for-logged-on-hosts-9.5"><span class="toc-item-num">9.5&nbsp;&nbsp;</span>Additional Investigation Bookmarks for logged-on hosts</a></span></li></ul></li><li><span><a href="#Linux-Host" data-toc-modified-id="Linux-Host-10"><span class="toc-item-num">10&nbsp;&nbsp;</span>Linux Host</a></span><ul class="toc-item"><li><span><a href="#Host-Logon-Summary" data-toc-modified-id="Host-Logon-Summary-10.1"><span class="toc-item-num">10.1&nbsp;&nbsp;</span>Host Logon Summary</a></span></li><li><span><a href="#Threat-Intelligence-for-logon-IP-Addresses" data-toc-modified-id="Threat-Intelligence-for-logon-IP-Addresses-10.2"><span class="toc-item-num">10.2&nbsp;&nbsp;</span>Threat Intelligence for logon IP Addresses</a></span></li><li><span><a href="#Geolocation-and-ownership-for-source-logon-IP-addresses" data-toc-modified-id="Geolocation-and-ownership-for-source-logon-IP-addresses-10.3"><span class="toc-item-num">10.3&nbsp;&nbsp;</span>Geolocation and ownership for source logon IP addresses</a></span></li><li><span><a href="#Additional-Alerts-for-logged-on-hosts" data-toc-modified-id="Additional-Alerts-for-logged-on-hosts-10.4"><span class="toc-item-num">10.4&nbsp;&nbsp;</span>Additional Alerts for logged-on hosts</a></span><ul class="toc-item"><li><span><a href="#Additional-alerts-for-source-IP-addresses" data-toc-modified-id="Additional-alerts-for-source-IP-addresses-10.4.1"><span class="toc-item-num">10.4.1&nbsp;&nbsp;</span>Additional alerts for source IP addresses</a></span></li></ul></li><li><span><a href="#Additional-Investigation-Bookmarks-for-logged-on-hosts" data-toc-modified-id="Additional-Investigation-Bookmarks-for-logged-on-hosts-10.5"><span class="toc-item-num">10.5&nbsp;&nbsp;</span>Additional Investigation Bookmarks for logged-on hosts</a></span></li></ul></li><li><span><a href="#AAD/Office-Account" data-toc-modified-id="AAD/Office-Account-11"><span class="toc-item-num">11&nbsp;&nbsp;</span>AAD/Office Account</a></span><ul class="toc-item"><li><span><a href="#Azure/Office-Summary" data-toc-modified-id="Azure/Office-Summary-11.1"><span class="toc-item-num">11.1&nbsp;&nbsp;</span>Azure/Office Summary</a></span></li><li><span><a href="#Threat-Intelligence-for-IP-Addresses" data-toc-modified-id="Threat-Intelligence-for-IP-Addresses-11.2"><span class="toc-item-num">11.2&nbsp;&nbsp;</span>Threat Intelligence for IP Addresses</a></span></li><li><span><a href="#Geolocation-and-ownership-for-source-IP-addresses" data-toc-modified-id="Geolocation-and-ownership-for-source-IP-addresses-11.3"><span class="toc-item-num">11.3&nbsp;&nbsp;</span>Geolocation and ownership for source IP addresses</a></span></li><li><span><a href="#Additional-alerts-for-source-IP-addresses" data-toc-modified-id="Additional-alerts-for-source-IP-addresses-11.4"><span class="toc-item-num">11.4&nbsp;&nbsp;</span>Additional alerts for source IP addresses</a></span></li></ul></li><li><span><a href="#Appendices" data-toc-modified-id="Appendices-12"><span class="toc-item-num">12&nbsp;&nbsp;</span>Appendices</a></span><ul class="toc-item"><li><span><a href="#Available-DataFrames" data-toc-modified-id="Available-DataFrames-12.1"><span class="toc-item-num">12.1&nbsp;&nbsp;</span>Available DataFrames</a></span></li><li><span><a href="#Saving-data-to-Excel" data-toc-modified-id="Saving-data-to-Excel-12.2"><span class="toc-item-num">12.2&nbsp;&nbsp;</span>Saving data to Excel</a></span></li></ul></li><li><span><a href="#Setup" data-toc-modified-id="Setup-13"><span class="toc-item-num">13&nbsp;&nbsp;</span>Setup</a></span><ul class="toc-item"><li><span><a href="#msticpyconfig.yaml-configuration-File" data-toc-modified-id="msticpyconfig.yaml-configuration-File-13.1"><span class="toc-item-num">13.1&nbsp;&nbsp;</span><code>msticpyconfig.yaml</code> configuration File</a></span></li></ul></li></ul></div>

## Hunting Hypothesis
Our broad initial hunting hypothesis is that a we have received account name entity which is suspected to be compromised and is being used malicious manner in internal networks, we will need to hunt from a range of different positions to validate or disprove this hypothesis.

Before you start hunting please run the cells in [Setup](#Setup) at the bottom of this Notebook.

## Notebook Initialization
If this is your first time running this Notebook please run the cells in in the <a href="#Setup">Setup</a> section before proceeding to ensure you have the required packages installed correctly. Similarly, if you see any import failures (ImportError) in the notebook, please make sure that you have read and run the cells <a href="#Setup">Setup</a> section first. This section is at the end of the notebook.


In [1]:
# Imports
import sys
import warnings

from msticpy.nbtools.utility import check_py_version

MIN_REQ_PYTHON = (3, 6)
check_py_version(MIN_REQ_PYTHON)

from IPython import get_ipython
from IPython.display import display, HTML, Markdown
import ipywidgets as widgets

import matplotlib.pyplot as plt
import seaborn as sns
sns.set()
import pandas as pd

pd.set_option("display.max_rows", 100)
pd.set_option("display.max_columns", 50)
pd.set_option("display.max_colwidth", 100)

from msticpy.data import QueryProvider
from msticpy.nbtools import *
from msticpy.sectools import *
from msticpy.nbtools.utility import md, md_warn
from msticpy.nbtools.wsconfig import WorkspaceConfig

WIDGET_DEFAULTS = {
    "layout": widgets.Layout(width="95%"),
    "style": {"description_width": "initial"},
}

# Some of our dependencies (networkx) still use deprecated Matplotlib
# APIs - we can't do anything about it so suppress them from view
from matplotlib import MatplotlibDeprecationWarning
warnings.simplefilter("ignore", category=MatplotlibDeprecationWarning)

ws_config = WorkspaceConfig()

Using Open PageRank. See https://www.domcop.com/openpagerank/what-is-openpagerank


### Get Workspace and Authenticate
<details>
    <summary>&nbsp;<u>Details...</u></summary>
If you are using user/device authentication, run the following cell. 
- Click the 'Copy code to clipboard and authenticate' button.
- This will pop up an Azure Active Directory authentication dialog (in a new tab or browser window). The device code will have been copied to the clipboard. 
- Select the text box and paste (Ctrl-V/Cmd-V) the copied value. 
- You should then be redirected to a user authentication page where you should authenticate with a user account that has permission to query your Log Analytics workspace.

Use the following syntax if you are authenticating using an Azure Active Directory AppId and Secret:
```
%kql loganalytics://tenant(aad_tenant).workspace(WORKSPACE_ID).clientid(client_id).clientsecret(client_secret)
```
instead of
```
%kql loganalytics://code().workspace(WORKSPACE_ID)
```

Note: you may occasionally see a JavaScript warning displayed at the end of the authentication - you can safely ignore this.<br>
On successful authentication you should see a ```popup schema``` button.
To find your Workspace Id go to [Log Analytics](https://ms.portal.azure.com/#blade/HubsExtension/Resources/resourceType/Microsoft.OperationalInsights%2Fworkspaces). Look at the workspace properties to find the ID.
</details>

In [2]:
# Authentication
qry_prov = QueryProvider(data_environment="LogAnalytics")
qry_prov.connect(connection_str=ws_config.code_connect_str)
table_index = qry_prov.schema_tables

#### Authentication and Configuration Problems

<br>
<details>
    <summary>Click for details about configuring your authentication parameters</summary>
    
    
The notebook is expecting your Azure Sentinel Tenant ID and Workspace ID to be configured in one of the following places:
- `config.json` in the current folder
- `msticpyconfig.yaml` in the current folder or location specified by `MSTICPYCONFIG` environment variable.
    
For help with setting up your `config.json` file (if this hasn't been done automatically) see the [`ConfiguringNotebookEnvironment`](https://github.com/Azure/Azure-Sentinel-Notebooks/blob/master/ConfiguringNotebookEnvironment.ipynb) notebook in the root folder of your Azure-Sentinel-Notebooks project. This shows you how to obtain your Workspace and Subscription IDs from the Azure Sentinel Portal. You can use the SubscriptionID to find your Tenant ID). To view the current `config.json` run the following in a code cell.

```%pfile config.json```

For help with setting up your `msticpyconfig.yaml` see the [Setup](#Setup) section at the end of this notebook and the [ConfigureNotebookEnvironment notebook](https://github.com/Azure/Azure-Sentinel-Notebooks/blob/master/ConfiguringNotebookEnvironment.ipynb)
</details>

## Enter account name and query time window
Type the account name that you want to search for and the time bounds over which you want to search. 

You can specify the account as:

- a simple user name (e.g. `alice`)
- a user principal name (`alice@contoso.com`)
- a qualified windows user name `mydomain\alice`

In the second two cases the domain qualifier will be stripped off before the search. The search is not case sensitive and will match full substrings. E.g. `bob` will match `domain\bob` and `bob@contoso.com` but not `bobg` or `bo`.

In [3]:
accountname_text = widgets.Text(description='Enter the Account name to search for:', **WIDGET_DEFAULTS)
display(accountname_text)

Text(value='', description='Enter the Account name to search for:', layout=Layout(width='95%'), style=Descript…

In [4]:
query_times = nbwidgets.QueryTime(units='day', max_before=200, before=5, max_after=7)
query_times.display()

HTML(value='<h4>Set query time boundaries</h4>')

HBox(children=(DatePicker(value=datetime.date(2019, 10, 31), description='Origin Date'), Text(value='21:20:55.…

VBox(children=(IntRangeSlider(value=(-5, 7), description='Time Range (day):', layout=Layout(width='80%'), max=…

In [5]:
# Set up function to allow easy reference to common parameters for queries
def acct_query_params():
    return {
        "start": query_times.start,
        "end": query_times.end,
        "account_name": accountname_text.value,
    }

## Data Sources available to query
This shows all of the tables in the workspace with a string matching the account name entered.
Note that these matches may be accidental and not necessarily relate to the account that you are interested in.

In [6]:
# KQL query for full text search of IP address and display all datatypes 
datasource_status = '''
search \'{account_name}\'
| where TimeGenerated >= datetime({start}) and TimeGenerated <= datetime({end})
| summarize RowCount=count() by Table=$table
'''.format(**acct_query_params())
%kql -query datasource_status
datasource_status_df = _kql_raw_result_.to_dataframe()

#Display result as transposed matrix of datatypes availabel to query for the query period 
if len(datasource_status_df) > 0:
    display(Markdown("###  <span style='color:blue'> "
                     + "Datasources available to query for Account "
                     + f"*{acct_query_params()['account_name']}* </span>"))
    display(datasource_status_df)
else:
    display(Markdown(f'### <span style="color:orange"> No datasources available to query for the query period </span>'))

<IPython.core.display.Javascript object>

###  <span style='color:blue'> Datasources available to query for Account *alexw* </span>

Unnamed: 0,Table,RowCount
0,AzureActivity,96
1,SigninLogs,37
2,AuditLogs,4
3,OfficeActivity,17
4,SecurityAlert,206
5,SecurityEvent,4176
6,HuntingBookmark,16


## Search for Account Name in Host, Azure Active Directory (AAD), Azure and Office 365 Data.

This section searches for activity related to the account name entered earlier. It looks for the most recent activity in the following sources:
- Azure Active Directory Signin logs
- Azure Activity log
- Office Activity log
- Windows Security events for logon and logon failure
- Linux Security events for logons

### Query Data Sources

In [7]:
# AAD
md("Searching for AAD activity...")
summarize_clause = """
| summarize arg_max(TimeGenerated, *) by UserPrincipalName, OperationName, 
  Identity, IPAddress, tostring(LocationDetails)
| project TimeGenerated, UserPrincipalName, Identity, IPAddress, LocationDetails"""

aad_signin_df = (qry_prov.Azure
                 .list_aad_signins_for_account(**acct_query_params(),
                                               add_query_items=summarize_clause)
                )

md("Searching for Azure activity...")
# Azure Activity
summarize_clause = """
| summarize arg_max(TimeGenerated, *) by Caller, OperationName, 
  CallerIpAddress, ResourceId
| project TimeGenerated, UserPrincipalName=Caller, IPAddress=CallerIpAddress"""

azure_activity_df = (qry_prov.Azure
                     .list_azure_activity_for_account(**acct_query_params(),
                                                      add_query_items=summarize_clause)
                    )

md("Searching for Office365 activity...")
# Office Activity
summarize_clause = """
| project TimeGenerated, UserId = tolower(UserId), OfficeWorkload, Operation, ClientIP, UserType
| summarize arg_max(TimeGenerated, *) by UserId, OfficeWorkload, ClientIP
| order by TimeGenerated desc"""

o365_activity_df = (qry_prov.Office365
                    .list_activity_for_account(**acct_query_params(),
                                               add_query_items=summarize_clause)
                    )

md("Searching for Windows logon activity...")
# Windows Host
summarize_clause = """
| extend LogonStatus = iff(EventID == 4624, "success", "failed")
| project TimeGenerated, TargetUserName, TargetDomainName, Computer, LogonType, SubjectUserName, 
  SubjectDomainName, TargetUserSid, EventID, IpAddress, LogonStatus 
| summarize arg_max(TimeGenerated, *) by TargetUserName, TargetDomainName, LogonType, Computer, LogonStatus"""

win_logon_df = (qry_prov.WindowsSecurity
                .list_logon_attempts_by_account(**acct_query_params(),
                                                add_query_items=summarize_clause)
               )

md("Searching for Linux logon activity...")
# Linux host
summarize_clause = """
| summarize arg_max(TimeGenerated, *) by LogonType, SourceIP, Computer, LogonResult"""

linux_logon_df = (qry_prov.LinuxSyslog
                  .list_logons_for_account(**acct_query_params(),
                                           add_query_items=summarize_clause)
                 )

rec_count = (
    len(aad_signin_df) + len(azure_activity_df) 
    + len(o365_activity_df) + len(win_logon_df) 
    + len(linux_logon_df)
)
md(f"Found {rec_count} records...")
md(f"  {len(aad_signin_df)} records in AAD")
md(f"  {len(azure_activity_df)} records in Azure Activity")
md(f"  {len(o365_activity_df)} records in Office Activity")
md(f"  {len(win_logon_df)} records in Windows logon data")
md(f"  {len(linux_logon_df)} records in Linux logon data")

<p style=''>Searching for AAD activity...</p>

<p style=''>Searching for Azure activity...</p>

<p style=''>Searching for Office365 activity...</p>

<p style=''>Searching for Windows logon activity...</p>

<p style=''>Searching for Linux logon activity...</p>

<p style=''>Found 44 records...</p>

<p style=''>  16 records in AAD</p>

<p style=''>  21 records in Azure Activity</p>

<p style=''>  4 records in Office Activity</p>

<p style=''>  3 records in Windows logon data</p>

<p style=''>  0 records in Linux logon data</p>

## Display logons from account sources and choose an account to explore
If any records were found in the previous search these will be displayed in a selection list. You can filter this list to reduce the number of items shown. Unique combinations of Account name and activity source are displayed in this list. So yo may see the same account listed against multiple activity types. E.g. an entry for alex@xyz.com for Office O365Activity and alex@xyz.com for AADLogon.

As you select each account, the records from the previous search are displayed.

Following this selection list there is a general section (applicable to accounts from all sources) and sections that are specific to account in in specific domains (Linux, Windows or Azure/Office).

Choosing an account affects which later parts of the notebook are applicable. For example if the account chosen is from a Linux logon, only the Linux section will be applicable but Windows and AAD/Office will not. If you have multiple accounts listed you can come back and chose a different account and re-run the later parts of the notebook on each account.


In [8]:
from collections import namedtuple
AccountDFs = namedtuple("AccountDFs", ["linux", "windows", "aad", "azure", "o365"])
account_dfs = AccountDFs(
    linux=linux_logon_df,
    windows=win_logon_df,
    aad=aad_signin_df,
    azure=azure_activity_df,
    o365=o365_activity_df,
)

# Combine into single data frame

lx_df = (linux_logon_df[["AccountName", "TimeGenerated"]]
        .groupby("AccountName")
        .max()
        .reset_index()
        .assign(Source="LinuxHostLogon"))

win_df = (win_logon_df[["TargetUserName", "TimeGenerated"]]
          .groupby("TargetUserName")
          .max()
          .reset_index()
          .rename(columns={"TargetUserName": "AccountName"})
          .assign(Source="WindowsHostLogon"))

o365_df = (o365_activity_df[["UserId", "TimeGenerated"]]
           .groupby("UserId")
           .max()
           .reset_index()
           .rename(columns={"UserId": "AccountName"})
           .assign(Source="O365Activity"))

aad_df = (aad_signin_df[["UserPrincipalName", "TimeGenerated"]]
          .groupby("UserPrincipalName")
          .max()
          .reset_index()
          .rename(columns={"UserPrincipalName": "AccountName"})
          .assign(Source="AADLogon"))

azure_df = (azure_activity_df[["UserPrincipalName", "TimeGenerated"]]
            .groupby("UserPrincipalName")
            .max()
            .reset_index()
            .rename(columns={"UserPrincipalName": "AccountName"})
            .assign(Source="AzureActivity"))


all_sources_df = pd.concat([lx_df, win_df, o365_df, aad_df, azure_df])


# Display the results that we've found
format_tuple = (lambda x: 
                (x.AccountName + "   " + x.Source
                 + " (Last activity: " + str(x.TimeGenerated) + ")",
                 x.AccountName + " " + x.Source))
accts_dict = {item[0]: item[1] for item in all_sources_df.apply(format_tuple, axis=1)}


def display_activity(selected_item):
    acct, source = selected_account(selected_item)
    utils.md(f"{acct} (source: {source})", "bold")
    if source == "LinuxHostLogon":
        display(linux_logon_df[linux_logon_df["AccountName"] == acct]
               .sort_values("TimeGenerated", ascending=True))
    if source == "WindowsHostLogon":
        display(win_logon_df[win_logon_df["TargetUserName"] == acct]
               .sort_values("TimeGenerated", ascending=True))
    if source == "AADLogon":
        display(aad_signin_df[aad_signin_df["UserPrincipalName"] == acct]
               .sort_values("TimeGenerated", ascending=True))
    if source == "AzureActivity":
        display(azure_activity_df[azure_activity_df["UserPrincipalName"] == acct]
               .sort_values("TimeGenerated", ascending=True))
    if source == "O365Activity":
        display(o365_activity_df[o365_activity_df["UserId"] == acct]
               .sort_values("TimeGenerated", ascending=True))

def selected_account(selected_acct):
    if not selected_acct:
        return "", ""
    acct, source = selected_acct.split(" ")
    return acct, source

select_acct = nbwidgets.SelectString(
    item_dict=accts_dict,
    auto_display=True,
    description="Select an account to explore",
    action=display_activity,
    height="200px",
    width="100%")

VBox(children=(Text(value='', description='Filter:', style=DescriptionStyle(description_width='initial')), Sel…

## Related Alerts and Hunting Bookmarks
### Alerts
Any alerts with a matching account name are shown here. Select an alert to view the contents.

In [9]:
account_name, account_source = selected_account(select_acct.value)
related_alerts = qry_prov.SecurityAlert.list_related_alerts(
    **acct_query_params()
)

def print_related_alerts(alertDict, entityType, entityName):
    if len(alertDict) > 0:
        md(f"Found {len(alertDict)} different alert types related to this {entityType} (`{entityName}`)",
           "large, bold"
        )
        for (k, v) in alertDict.items():
            print(f"- {k}, # Alerts: {v}")
    else:
        md(f"No alerts for {entityType} entity `{entityName}`")


if isinstance(related_alerts, pd.DataFrame) and not related_alerts.empty:
    alert_items = (
        related_alerts[["AlertName", "TimeGenerated"]]
        .groupby("AlertName")
        .TimeGenerated.agg("count")
        .to_dict()
    )
    print_related_alerts(alert_items, "account", account_name)
    nbdisplay.display_timeline(
        data=related_alerts, title="Alerts", source_columns=["AlertName"], height=200
    )
else:
    display(Markdown("No related alerts found."))

def disp_full_alert(alert):
    global related_alert
    related_alert = SecurityAlert(alert)
    nbdisplay.display_alert(related_alert, show_entities=True)

if related_alerts is not None and not related_alerts.empty:
    related_alerts["CompromisedEntity"] = related_alerts["src_accountname"]
    display(Markdown("### Click on alert to view details."))
    rel_alert_select = nbwidgets.AlertSelector(
        alerts=related_alerts,
        action=disp_full_alert,
    )
    rel_alert_select.display()

<p style='font-size: 130%;font-weight: bold'>Found 29 different alert types related to this account (`alexw@m365x648731.onmicrosoft.com`)</p>

- A malicious PowerShell Cmdlet was invoked on the machine, # Alerts: 3
- A script with suspicious content was observed, # Alerts: 1
- A user was added to an administrative group, # Alerts: 2
- Activity from a Tor IP address, # Alerts: 1
- Activity from infrequent country, # Alerts: 2
- An active 'Mikatz' high-severity malware was detected, # Alerts: 4
- Anonymous IP address, # Alerts: 2
- AnonymousLogin, # Alerts: 1
- Encoded Powershell Run - Custom Alert, # Alerts: 6
- MDATP Detections, # Alerts: 3
- MDATP Suspicious Powershell Command Line, # Alerts: 2
- Malicious credential theft tool execution detected, # Alerts: 1
- Mass download, # Alerts: 2
- Network connection to a risky host, # Alerts: 4
- New group added suspiciously, # Alerts: 2
- PowerShell Downloads, # Alerts: 7
- PowerShell downloads - From Hunting Queries, # Alerts: 7
- Powershell Empire cmdlets seen in command line, # Alerts: 1
- Ransomware activity, # Alerts: 1
- Sensitive credential memory read, # Alerts: 6
- Sticky 

### Click on alert to view details.

VBox(children=(Text(value='', description='Filter alerts by title:', style=DescriptionStyle(description_width=…

### Hunting/Investigation Bookmarks
Any bookmarks created that reference the selected account are shown here. Select a bookmark to view the contents.

In [10]:
acct_name = acct_query_params()["account_name"]
related_bkmark_df = qry_prov.AzureSentinel.list_bookmarks_for_entity(
    **acct_query_params(), entity_id=acct_name
)

def print_related_bkmk(bookmarks, entityType, entityName):
    if len(bookmarks) > 0:
        md(f"Found {len(bookmarks)} different bookmarks related to this {entityType} (`{entityName}`)",
           "large, bold"
        )
    else:
        md(f"No alerts for {entityType} entity `{entityName}`")


if isinstance(related_bkmark_df, pd.DataFrame) and not related_bkmark_df.empty:
    bookmarks = (related_bkmark_df
                 .apply(lambda x: (f"{x.BookmarkName} {x.Tags}  {x.TimeGenerated}", x.BookmarkId),
                        axis=1)
                 .tolist())
    print_related_bkmk(bookmarks, "account", account_name)
    nbdisplay.display_timeline(
        data=related_bkmark_df,
        title="Bookmarks",
        source_columns=["BookmarkName", "Tags"], height=200
    )
else:
    display(Markdown("No related bookmarks found."))

def disp_bookmark(bookmark_id):
    display(related_bkmark_df[related_bkmark_df["BookmarkId"] == bookmark_id].T)

if related_bkmark_df is not None and not related_bkmark_df.empty:
    display(Markdown("### Click on bookmark to view details."))
    rel_bkmk_select = nbwidgets.SelectString(
        item_list=bookmarks,
        action=disp_bookmark,
        auto_display=True
    )
    

<p style='font-size: 130%;font-weight: bold'>Found 9 different bookmarks related to this account (`alexw@m365x648731.onmicrosoft.com`)</p>

### Click on bookmark to view details.

VBox(children=(Text(value='', description='Filter:', style=DescriptionStyle(description_width='initial')), Sel…

## Further Investigation
Depending on the type of account (AAD or Host/Endpoint account) we can drill deeper to look at data specific to that account type.

This cell determines which section of the notebook is applicable to the account type.

In [19]:
# Function definitions used below
# This cell should be executed before continuing further.

# WHOIS lookup function
from functools import lru_cache
from ipwhois import IPWhois
from ipaddress import ip_address

@lru_cache(maxsize=1024)
def get_whois_info(ip_lookup, show_progress=False):
    try:
        ip = ip_address(ip_lookup)
    except ValueError:
        return "Not an IP Address", {}
    if ip.is_private:
        return "private address", {}
    if not ip.is_global:
        return "other address", {}
    whois = IPWhois(ip)
    whois_result = whois.lookup_whois()
    if show_progress:
        print(".", end="")
    return whois_result["asn_description"], whois_result


ti_lookup = TILookup()
def check_ip_ti(df, ip_col):

    ip4_rgx = r"((?:[0-9]{1,3}\.){3}[0-9]{1,3})"
    df = (df
          .assign(IP_ext=lambda x: x[ip_col].str.extract(ip4_rgx, expand=False))
          .rename(columns={ip_col: ip_col + "_orig"})
          .rename(columns={"IP_ext": ip_col})
         )
    src_ip_addrs = (df[[ip_col]]
                    .dropna()
                    .drop_duplicates()
                   )
    md(f"Querying TI for {len(src_ip_addrs)} indicators...")
    ti_results = ti_lookup.lookup_iocs(data=src_ip_addrs, obs_col=ip_col)
    ti_results = ti_results[ti_results["Severity"] > 0]

    ti_merged_df = df.merge(ti_results, how="left", left_on=ip_col, right_on="Ioc")
    return ti_results, ti_merged_df, src_ip_addrs


geo_lookup = GeoLiteLookup()
def check_geo_whois(ip_df, df, ip_col):
    
    ip4_rgx = r"((?:[0-9]{1,3}\.){3}[0-9]{1,3})"
    df = (df
          .assign(IP_ext=lambda x: x[ip_col].str.extract(ip4_rgx, expand=False))
          .rename(columns={ip_col: ip_col + "_orig"})
          .rename(columns={"IP_ext": ip_col})
         )
    md(f"Querying geolocation for {len(ip_df)} ip addresses...")
    
    geo_ips = geo_lookup.lookup_ip(ip_addr_list=list(ip_df[ip_col].values))
    # TODO replace
    ip_dicts = [{**ent.Location.properties, "IpAddress": ent.Address} for ent in geo_ips[1]]
    df_out = pd.DataFrame(data=ip_dicts)
    geo_df = df.merge(df_out, how="left", left_on=ip_col, right_on="IpAddress")

    md(f"Querying WhoIs for {len(ip_df)} ip addresses...")
    whois_df = ip_df.copy()
    # Get the WhoIs results
    whois_df[["ASNDesc", "WhoisResult"]] = (
        ip_df
        .apply(lambda x: get_whois_info(x[ip_col], show_progress=True),
               axis=1, result_type="expand"))
    geo_whois_df = geo_df.merge(whois_df, how="left", right_on=ip_col, left_on=ip_col)
    return geo_whois_df

# Based on the account type, advice the user where to go next.

acct, source = selected_account(select_acct.value)
md(f"Account '{acct}'. Source is '{source}'", "bold, large, blue")

goto = lambda x: display(Markdown(f"### For further analysis go to {x}"))
if source == "LinuxHostLogon":
    goto("go to [LinuxHostLogon](#Linux-Host)")
if source == "WindowsHostLogon":
    goto("go to [WindowsHostLogon](#Windows-Host)")
if source in ["AADLogon", "AzureActivity", "O365Activity"]:
    goto("go to [AAD/Office Account](#AAD/Office-Account)")

<p style='font-weight: bold;font-size: 130%;color: blue'>Account 'alexw@m365x648731.onmicrosoft.com'. Source is 'O365Activity'</p>

### For further analysis go to go to [AAD/Office Account](#AAD/Office-Account)

## Windows Host
For Windows accounts we look for the following types of data:

- Logon Summary
- Threat Intelligence reports for logon source IP Address(es)
- Geo location and Whois lookup for logon source IP Address(es)
- Additional alerts for the hosts where the account had logged on
- Additional bookmarks for the hosts where the account had logged on

In [18]:
md("Fetching logon data...")
ext_logon_status = "| extend LogonStatus = iff(EventID == 4624, 'success', 'failed')"
all_win_logons = (qry_prov.WindowsSecurity
                  .list_logon_attempts_by_account(**acct_query_params(),
                                                 add_query_items=ext_logon_status))
md("done")

<p style=''>Fetching logon data...</p>

<p style=''>done</p>

### Host Logon Summary

In [15]:
logon_summary = (all_win_logons
 .groupby("Computer")
 .agg(
     TotalLogons=pd.NamedAgg(column="EventID", aggfunc="count"),
     LogonResult=pd.NamedAgg(column="LogonStatus", aggfunc=lambda x: x.value_counts().to_dict()),
     IPAddresses=pd.NamedAgg(column="IpAddress", aggfunc=lambda x: x.unique().tolist()),
     LogonTypeCount=pd.NamedAgg(column="LogonType", aggfunc=lambda x: x.value_counts().to_dict()),
     FirstLogon=pd.NamedAgg(column="TimeGenerated", aggfunc="min"),
     LastLogon=pd.NamedAgg(column="TimeGenerated", aggfunc="max"),
  )
)

display(logon_summary)
nbdisplay.display_timeline(data=all_win_logons,
                           group_by="IpAddress",
                           source_columns=["Computer", "LogonStatus", "LogonType"],
                           title="Logons")

Unnamed: 0_level_0,TotalLogons,LogonResult,IPAddresses,LogonTypeCount,FirstLogon,LastLogon
Computer,Unnamed: 1_level_1,Unnamed: 2_level_1,Unnamed: 3_level_1,Unnamed: 4_level_1,Unnamed: 5_level_1,Unnamed: 6_level_1
FusionTest3.M365x648731.onmicrosoft.com,2,{'success': 2},[-],{3: 2},2019-10-18 01:12:44.860,2019-10-28 16:12:44.620
IgniteDemo2.M365x648731.onmicrosoft.com,6,{'success': 6},[131.107.159.105],"{3: 4, 10: 2}",2019-10-16 17:40:08.097,2019-10-16 17:42:15.680


### Threat Intelligence for logon IP Addresses
<details>
    <summary>TI Configuration</summary>
If you have not used msticpy threat intelligence lookups before you will need to supply API keys for the 
TI Providers that you want to use. Please see the section on configuring [msticpyconfig.yaml](#msticpyconfig.yaml-configuration-File)

Then reload provider settings:
```
mylookup = TILookup()
mylookup.reload_provider_settings()
```
</details>

In [16]:
ti_results, all_win_logons_ti, src_ip_addrs_win = check_ip_ti(df=all_win_logons, ip_col="IpAddress")
if not ti_results.empty:
    md(f"{len(ti_results)} threat intelligence hits have been "
       + "matched on one or more source IP addresses.", "bold, red, large")
    md(" You should investigate the hosts accessed from these adddresses "
       + "(see previous cell for host name accessed by IP Address)"
       + "the 'Entity Explorer - Windows Host' notebook", "bold, red" )
    md("Logon details for TI matches are in the `all_win_logons_ti` DataFrame")
    display(ti_results)
else:
    md("No additional items found for logged on hosts")

<p style=''>Querying TI for 1 indicators...</p>

<p style=''>No additional items found for logged on hosts</p>

### Geolocation and ownership for source logon IP addresses
We use the source IP addresses for the activity to perform and Geo-location lookup and a WhoIs lookup to try to identify the IP address owner.

In [17]:
all_win_logons_geo = check_geo_whois(src_ip_addrs_win, all_win_logons, "IpAddress")
md("Geolocations and ASN Owner for account logon source IP addresses. Information only", "bold")

(all_win_logons_geo[~all_win_logons_geo["CountryName"].isna()]
 .groupby(["Computer", "IpAddress", "CountryCode","CountryName", "City", "ASNDesc"])
 .agg(
     TotalLogons=pd.NamedAgg(column="EventID", aggfunc="count"),
     LogonResult=pd.NamedAgg(column="LogonStatus", aggfunc=lambda x: x.value_counts().to_dict()),
     LogonTypeCount=pd.NamedAgg(column="LogonType", aggfunc=lambda x: x.value_counts().to_dict()),
     FirstLogon=pd.NamedAgg(column="TimeGenerated", aggfunc="min"),
     LastLogon=pd.NamedAgg(column="TimeGenerated", aggfunc="max"),
  )
)


<p style=''>Querying geolocation for 1 ip addresses...</p>

<p style=''>Querying WhoIs for 1 ip addresses...</p>

.

<p style='font-weight: bold'>Geolocations and ASN Owner for account logon source IP addresses. Information only</p>

Unnamed: 0_level_0,Unnamed: 1_level_0,Unnamed: 2_level_0,Unnamed: 3_level_0,Unnamed: 4_level_0,Unnamed: 5_level_0,TotalLogons,LogonResult,LogonTypeCount,FirstLogon,LastLogon
Computer,IpAddress,CountryCode,CountryName,City,ASNDesc,Unnamed: 6_level_1,Unnamed: 7_level_1,Unnamed: 8_level_1,Unnamed: 9_level_1,Unnamed: 10_level_1
IgniteDemo2.M365x648731.onmicrosoft.com,131.107.159.105,US,United States,Redmond,"MICROSOFT-CORP-AS - Microsoft Corporation, US",6,{'success': 6},"{3: 4, 10: 2}",2019-10-16 17:40:08.097,2019-10-16 17:42:15.680


### Additional Alerts for logged-on hosts

In [23]:
related_host_alerts = []
for host in all_win_logons["Computer"].unique():
    host_alerts = qry_prov.SecurityAlert.list_related_alerts(
        start=acct_query_params()["start"],
        end=acct_query_params()["end"],
        host_name=host
    )
    related_host_alerts.append(host_alerts)
    
related_host_alerts_df = pd.concat(related_host_alerts)

# Show host alerts that were not in the Account alerts list
related_host_alerts_df = related_host_alerts_df[~related_host_alerts_df["SystemAlertId"]
                                                .isin(related_alerts["SystemAlertId"])]
if not related_host_alerts_df.empty:
    md(f"{len(related_host_alerts_df)} additional alerts have been "
       + "triggered on one or more hosts.", "bold, red, large")
    md(" You should investigate these hosts using "
       + "the 'Entity Explorer - Windows Host' notebook", "bold, red" )
    display(related_host_alerts_df)
else:
    md("No additional alerts found")

<p style=''>No additional alerts found</p>

#### Additional alerts for source IP addresses
We can also search for alerts that contain the IP addresses that were the origin of logons to the host.

In [24]:
ip_list = ",".join(list(all_win_logons["IpAddress"].unique()))
related_ip_alerts_df = qry_prov.SecurityAlert.list_alerts_for_ip(
    start=acct_query_params()["start"],
    end=acct_query_params()["end"],
    source_ip_list=ip_list
)
# remove Account and host alerts already seen
related_ip_alerts_df = related_ip_alerts_df[~related_ip_alerts_df["SystemAlertId"]
                                            .isin(related_alerts["SystemAlertId"])]
related_ip_alerts_df = related_ip_alerts_df[~related_ip_alerts_df["SystemAlertId"]
                                            .isin(related_host_alerts_df["SystemAlertId"])]
if not related_ip_alerts_df.empty:
    md(f"{len(related_ip_alerts_df)} additional alerts have been "
       + "triggered from one or more source IPs.", "bold, red, large")
    md(" You should investigate these IPs using "
       + "the 'Entity Explorer - IP Address' notebook", "bold, red" )
    display(related_ip_alerts_df)
else:
    md("No additional alerts found.")

<p style=''>No additional alerts found.</p>

### Additional Investigation Bookmarks for logged-on hosts

In [25]:
related_host_bkmks = []
for host in all_win_logons["Computer"].unique():
    host_bkmks = qry_prov.AzureSentinel.list_bookmarks_for_entity(
        start=acct_query_params()["start"],
        end=acct_query_params()["end"],
        entity_id=f"'{host}'"
    )
    related_host_bkmks.append(host_bkmks)
    
related_host_bkmks_df = pd.concat(related_host_bkmks)

# Show host bookmarks that were not in the Account bookmarks list
related_host_bkmks_df = related_host_bkmks_df[~related_host_bkmks_df["BookmarkId"]
                                              .isin(related_bkmark_df["BookmarkId"])]
if not related_host_bkmks_df.empty:
    md(f"{len(related_host_bkmks_df)} additional investigation bookmarks have been "
       + "found for one or more hosts.", "bold, red, large")
    md(" You should investigate these hosts using "
       + "the 'Entity Explorer - Windows Host' notebook", "bold, red" )
    display(related_host_bkmks_df)
else:
    md("No additional items found for logged on hosts")

<p style=''>No additional items found for logged on hosts</p>

## Linux Host
For Linux accounts we look for the following types of data:
- Logon Summary
- Threat Intelligence reports for logon source IP Address(es)
- Geo location and Whois lookup for logon source IP Address(es)
- Additional alerts for the hosts where the account had logged on
- Additional bookmarks for the hosts where the account had logged on


In [None]:
md("Fetching logon data...")
all_lx_logons = (qry_prov.LinuxSyslog
                 .list_logons_for_account(**acct_query_params()))
md("done")

### Host Logon Summary

In [None]:
logon_summary = (all_lx_logons
 .groupby("Computer")
 .agg(
     TotalLogons=pd.NamedAgg(column="Computer", aggfunc="count"),
     FailedLogons=pd.NamedAgg(column="LogonResult", aggfunc=lambda x: x.value_counts().to_dict()),
     IPAddresses=pd.NamedAgg(column="SourceIP", aggfunc=lambda x: x.unique().tolist()),
     LogonTypeCount=pd.NamedAgg(column="LogonType", aggfunc=lambda x: x.value_counts().to_dict()),
     FirstLogon=pd.NamedAgg(column="TimeGenerated", aggfunc="min"),
     LastLogon=pd.NamedAgg(column="TimeGenerated", aggfunc="max"),
  )
)

display(logon_summary)
nbdisplay.display_timeline(data=all_lx_logons,
                           group_by="SourceIP",
                           source_columns=["Computer", "LogonResult", "LogonType"],
                           title="Logons");

### Threat Intelligence for logon IP Addresses
<details>
    <summary>TI Configuration</summary>
If you have not used msticpy threat intelligence lookups before you will need to supply API keys for the 
TI Providers that you want to use. Please see the section on configuring [msticpyconfig.yaml](#msticpyconfig.yaml-configuration-File)

Then reload provider settings:
```
mylookup = TILookup()
mylookup.reload_provider_settings()
```
</details>

In [None]:
ti_results_lx, all_lx_logons_ti, src_ip_addrs_lx = check_ip_ti(df=all_lx_logons, ip_col="SourceIP")

if not ti_results_lx.empty:
    md(f"{len(ti_results_lx)} threat intelligence hits have been "
       + "matched on one or more source IP addresses.", "bold, red, large")
    md(" You should investigate these hosts accessed from these adddresses "
       + "(see previous cell for host name accessed by IP Address)"
       + "the 'Entity Explorer - Linux Host' notebook", "bold, red" )
    display(ti_results_lx)
else:
    md("No additional items found for logged on hosts")

### Geolocation and ownership for source logon IP addresses
We use the source IP addresses for the activity to perform and Geo-location lookup and a WhoIs lookup to try to identify the IP address owner.

In [None]:
all_lx_logons_geo = check_geo_whois(src_ip_addrs_lx, all_lx_logons, "SourceIP")

md("Geolocations and ASN Owner for account logon source IP addresses. Information only", "bold")

(all_lx_logons_geo[~all_lx_logons_geo["CountryName"].isna()]
 .groupby(["Computer", "SourceIP", "CountryCode","CountryName", "City", "ASNDesc"])
 .agg(
     TotalLogons=pd.NamedAgg(column="SourceSystem", aggfunc="count"),
     LogonResult=pd.NamedAgg(column="LogonResult", aggfunc=lambda x: x.value_counts().to_dict()),
     LogonTypeCount=pd.NamedAgg(column="LogonType", aggfunc=lambda x: x.value_counts().to_dict()),
     FirstLogon=pd.NamedAgg(column="TimeGenerated", aggfunc="min"),
     LastLogon=pd.NamedAgg(column="TimeGenerated", aggfunc="max"),
  )
)

### Additional Alerts for logged-on hosts

In [None]:
related_host_alerts = []
for host in all_lx_logons["Computer"].unique():
    host_alerts = qry_prov.SecurityAlert.list_related_alerts(
        start=acct_query_params()["start"],
        end=acct_query_params()["end"],
        host_name=host
    )
    related_host_alerts.append(host_alerts)
    
related_host_alerts_df = pd.concat(related_host_alerts)

# Show host alerts that were not in the Account alerts list
related_host_alerts_df = related_host_alerts_df[~related_host_alerts_df["SystemAlertId"]
                                                .isin(related_alerts["SystemAlertId"])]
if not related_host_alerts_df.empty:
    md(f"{len(related_host_alerts_df)} additional alerts have been "
       + "triggered on one or more hosts.", "bold, red, large")
    md(" You should investigate these hosts using "
       + "the 'Entity Explorer - Linux Host' notebook", "bold, red" )
    display(related_host_alerts_df[['TenantId','TimeGenerated','AlertDisplayName','ConfidenceLevel','ConfidenceScore','Computer','ExtendedProperties','Entities']])
else:
    md("No additional items found for logged on hosts")

#### Additional alerts for source IP addresses
We can also search for alerts that contain the IP addresses that were the origin of logons to the host.

In [None]:
ip_list = ",".join(list(all_lx_logons["SourceIP"].unique()))
related_ip_alerts_df = qry_prov.SecurityAlert.list_alerts_for_ip(
    start=acct_query_params()["start"],
    end=acct_query_params()["end"],
    source_ip_list=ip_list
)
# remove Account and host alerts already seen
related_ip_alerts_df = related_ip_alerts_df[~related_ip_alerts_df["SystemAlertId"]
                                            .isin(related_alerts["SystemAlertId"])]
related_ip_alerts_df = related_ip_alerts_df[~related_ip_alerts_df["SystemAlertId"]
                                            .isin(related_host_alerts_df["SystemAlertId"])]
if not related_ip_alerts_df.empty:
    md(f"{len(related_ip_alerts_df)} additional alerts have been "
       + "triggered from one or more source IPs.", "bold, red, large")
    md(" You should investigate these IPs using "
       + "the 'Entity Explorer - IP Address' notebook", "bold, red" )
    display(related_ip_alerts_df)
else:
    md("No additional alerts found.")

### Additional Investigation Bookmarks for logged-on hosts

In [None]:
related_host_bkmks = []
for host in all_lx_logons["Computer"].unique():
    host_bkmks = qry_prov.AzureSentinel.list_bookmarks_for_entity(
        start=acct_query_params()["start"],
        end=acct_query_params()["end"],
        entity_id=host
    )
    related_host_bkmks.append(host_bkmks)
    
related_host_bkmks_df = pd.concat(related_host_bkmks)

# Show host bookmarks that were not in the Account bookmarks list
related_host_bkmks_df = related_host_bkmks_df[~related_host_bkmks_df["BookmarkId"]
                                              .isin(related_bkmark_df["BookmarkId"])]
if not related_host_bkmks_df.empty:
    md(f"{len(related_host_bkmks_df)} additional investigation bookmarks have been "
       + "found for one or more hosts.", "bold, red, large")
    md(" You should investigate these hosts using "
       + "the 'Entity Explorer - Windows Host' notebook", "bold, red" )
    display(related_host_bkmks_df)
else:
    md("No additional items found for logged on hosts")

## AAD/Office Account
For an Azure Active Directory account we look for the following data:
- AAD Sign-on activity
- Azure Activity
- Office 365 operations
- Threat intelligence reports for the client IP Address used in any of these activities
- Geo location and Whois lookup for logon source IP Address(es)
- Additional alerts for the logon source IP Address(es)

In [20]:
md("Fetching Azure/Office data...")
# Fetch the data
aad_sum_qry = """
| extend UserPrincipalName=tolower(UserPrincipalName)
| project-rename Operation=OperationName, AppResourceProvider=AppDisplayName"""
aad_signin_df = (qry_prov.Azure
                 .list_aad_signins_for_account(**acct_query_params(),
                                              add_query_items=aad_sum_qry)
                )

az_sum_qry = """
| extend UserPrincipalName=tolower(Caller)
| project-rename IPAddress=CallerIpAddress, Operation=OperationName,
  AppResourceProvider=ResourceProvider"""
azure_activity_df = (qry_prov.Azure
                     .list_azure_activity_for_account(**acct_query_params(),
                                                      add_query_items=az_sum_qry)
                    )

o365_sum_qry = """
| extend UserPrincipalName=tolower(UserId)
| project-rename IPAddress=ClientIP, ResourceId=OfficeObjectId,
  AppResourceProvider=OfficeWorkload"""
o365_activity_df = (qry_prov.Office365
                    .list_activity_for_account(**acct_query_params(),
                                               add_query_items=o365_sum_qry)
                    )
md("done")

<p style=''>Fetching Azure/Office data...</p>

<p style=''>done</p>

### Azure/Office Summary

In [21]:
az_all_data = pd.concat([aad_signin_df, azure_activity_df, o365_activity_df], sort=False)

nbdisplay.display_timeline(data=az_all_data,
                          group_by="AppResourceProvider",
                          source_columns=["Operation", "IPAddress", "AppResourceProvider"],
                          title="Azure Signin activity by Provider")
nbdisplay.display_timeline(data=az_all_data,
                          group_by="IPAddress",
                          source_columns=["Operation", "IPAddress", "AppResourceProvider"],
                          title="Azure Operations by Source IP")
nbdisplay.display_timeline(data=az_all_data,
                          group_by="Operation",
                          source_columns=["Operation", "IPAddress", "AppResourceProvider"],
                          title="Azure Operations by Operation");

In [22]:
(az_all_data
.groupby(["UserPrincipalName", "Type", "IPAddress", "AppResourceProvider", "UserType"])
.agg(
     OperationCount=pd.NamedAgg(column="Type", aggfunc="count"),
     OperationTypes=pd.NamedAgg(column="Operation", aggfunc=lambda x: x.unique().tolist()),
     Resources=pd.NamedAgg(column="ResourceId", aggfunc="nunique"),
     FirstOperation=pd.NamedAgg(column="TimeGenerated", aggfunc="min"),
     LastOperation=pd.NamedAgg(column="TimeGenerated", aggfunc="max"),
  )
)

Unnamed: 0_level_0,Unnamed: 1_level_0,Unnamed: 2_level_0,Unnamed: 3_level_0,Unnamed: 4_level_0,OperationCount,OperationTypes,Resources,FirstOperation,LastOperation
UserPrincipalName,Type,IPAddress,AppResourceProvider,UserType,Unnamed: 5_level_1,Unnamed: 6_level_1,Unnamed: 7_level_1,Unnamed: 8_level_1,Unnamed: 9_level_1
alexw@m365x648731.onmicrosoft.com,OfficeActivity,185.220.101.1,SharePoint,Regular,7,[FilePreviewed],3,2019-10-16 18:09:39,2019-10-16 18:09:41
alexw@m365x648731.onmicrosoft.com,OfficeActivity,40.126.9.49,SharePoint,Regular,2,[FilePreviewed],1,2019-10-16 18:09:38,2019-10-16 18:09:38
alexw@m365x648731.onmicrosoft.com,OfficeActivity,40.126.9.51,SharePoint,Regular,4,[FilePreviewed],2,2019-10-16 18:09:36,2019-10-16 18:09:36
alexw@m365x648731.onmicrosoft.com,OfficeActivity,52.109.6.30,SharePoint,Regular,2,[FileAccessed],1,2019-10-16 18:09:42,2019-10-16 18:09:42


### Threat Intelligence for IP Addresses
<details>
    <summary>TI Configuration</summary>
If you have not used msticpy threat intelligence lookups before you will need to supply API keys for the 
TI Providers that you want to use. Please see the section on configuring [msticpyconfig.yaml](#msticpyconfig.yaml-configuration-File)

Then reload provider settings:
```
mylookup = TILookup()
mylookup.reload_provider_settings()
```
</details>

In [23]:
ti_results_az, all_az_ti, src_ip_addrs_az = check_ip_ti(df=az_all_data, ip_col="IPAddress")

if not ti_results_az.empty:
    md(f"{len(ti_results_az)} threat intelligence hits have been "
       + "matched on one or more source IP addresses.", "bold, red, large")
    md(" You should investigate these IP addresses using "
       + "the 'Entity Explorer - IP Address' notebook", "bold, red" )
    display(ti_results_az)
else:
    md("No additional items found")

<p style=''>Querying TI for 20 indicators...</p>

<p style='font-weight: bold;color: red;font-size: 130%'>2 threat intelligence hits have been matched on one or more source IP addresses.</p>

<p style='font-weight: bold;color: red'> You should investigate these IP addresses using the 'Entity Explorer - IP Address' notebook</p>

Unnamed: 0,Ioc,IocType,QuerySubtype,Provider,Result,Severity,Details,RawResult,Reference,Status
5,176.10.99.200,ipv4,,OTX,True,2,"{'pulse_count': 50, 'names': ['Webscanners 2018-02-09 thru current day', 'RDP honeypot logs for...","{'sections': ['general', 'geo', 'reputation', 'url_list', 'passive_dns', 'malware', 'nids_list',...",https://otx.alienvault.com/api/v1/indicators/IPv4/176.10.99.200/general,0
19,185.220.101.1,ipv4,,OTX,True,2,"{'pulse_count': 45, 'names': ['Webscanners 2018-02-09 thru current day', 'TOR Nodes', 'N6 Torli...","{'sections': ['general', 'geo', 'reputation', 'url_list', 'passive_dns', 'malware', 'nids_list',...",https://otx.alienvault.com/api/v1/indicators/IPv4/185.220.101.1/general,0


### Geolocation and ownership for source IP addresses
We use the source IP addresses for the activity to perform and Geo-location lookup and a WhoIs lookup to try to identify the IP address owner.

In [103]:
all_az_geo = check_geo_whois(src_ip_addrs_az.iloc[0:50], az_all_data, "IPAddress")

md("Geolocations and ASN Owner for source IP addresses. Information only", "bold")

(all_az_geo[~all_az_geo["CountryName"].isna()]
 .groupby(["UserPrincipalName", "IPAddress", "CountryCode","CountryName", "City", "ASNDesc"])
 .agg(
     TotalOperations=pd.NamedAgg(column="SourceSystem", aggfunc="count"),
     Operations=pd.NamedAgg(column="Operation", aggfunc=lambda x: x.value_counts().to_dict()),
     AppResources=pd.NamedAgg(column="AppResourceProvider", aggfunc=lambda x: x.unique().tolist()),
     FirstLogon=pd.NamedAgg(column="TimeGenerated", aggfunc="min"),
     LastLogon=pd.NamedAgg(column="TimeGenerated", aggfunc="max"),
  )
)

<p style=''>Querying geolocation for 44 ip addresses...</p>

<p style=''>Querying WhoIs for 44 ip addresses...</p>

<p style='font-weight: bold'>Geolocations and ASN Owner for source IP addresses. Information only</p>

Unnamed: 0_level_0,Unnamed: 1_level_0,Unnamed: 2_level_0,Unnamed: 3_level_0,Unnamed: 4_level_0,Unnamed: 5_level_0,TotalOperations,Operations,AppResources,FirstLogon,LastLogon
UserPrincipalName,IPAddress,CountryCode,CountryName,City,ASNDesc,Unnamed: 6_level_1,Unnamed: 7_level_1,Unnamed: 8_level_1,Unnamed: 9_level_1,Unnamed: 10_level_1
alexw@m365x648731.onmicrosoft.com,104.41.146.53,US,United States,Washington,"MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation, US",7,{'SearchQueryPerformed': 7},[SharePoint],2019-09-19 19:16:20.000,2019-09-20 18:20:49.000
alexw@m365x648731.onmicrosoft.com,109.70.100.24,AT,Austria,Vienna,"APPLIEDPRIVACY-AS, AT",6,{'Sign-in activity': 6},[Office 365 Exchange Online],2019-09-25 16:21:43.562,2019-09-29 17:35:00.099
alexw@m365x648731.onmicrosoft.com,109.70.100.26,AT,Austria,Vienna,"APPLIEDPRIVACY-AS, AT",17,"{'Sign-in activity': 10, 'FilePreviewed': 7}","[O365 Suite UX, Office 365 SharePoint Online, SharePoint]",2019-09-19 19:15:59.381,2019-09-20 18:20:50.000
alexw@m365x648731.onmicrosoft.com,131.107.147.105,US,United States,Redmond,"MICROSOFT-CORP-AS - Microsoft Corporation, US",36,"{'Create Saved Search': 14, 'Update Case Investigation': 12, 'Sign-in activity': 6, 'Gets workfl...","[Azure Notebooks, Azure Portal, Microsoft.OperationalInsights, Microsoft.Logic, Microsoft.Securi...",2019-10-14 21:23:46.112,2019-10-16 00:02:03.868
alexw@m365x648731.onmicrosoft.com,131.107.147.205,US,United States,Redmond,"MICROSOFT-CORP-AS - Microsoft Corporation, US",40,"{'Update Case Investigation': 34, 'Update Cases': 4, 'Gets workflow recommend operation groups': 2}","[Microsoft.SecurityInsights, Microsoft.Logic]",2019-10-15 15:58:35.552,2019-10-23 16:39:05.220
alexw@m365x648731.onmicrosoft.com,131.107.159.143,US,United States,Redmond,"MICROSOFT-CORP-AS - Microsoft Corporation, US",1,{'Sign-in activity': 1},[Azure Portal],2019-10-17 16:27:42.396,2019-10-17 16:27:42.396
alexw@m365x648731.onmicrosoft.com,131.107.159.181,US,United States,Redmond,"MICROSOFT-CORP-AS - Microsoft Corporation, US",1,{'Sign-in activity': 1},[Azure Portal],2019-10-29 23:41:38.870,2019-10-29 23:41:38.870
alexw@m365x648731.onmicrosoft.com,131.107.159.205,US,United States,Redmond,"MICROSOFT-CORP-AS - Microsoft Corporation, US",3,{'Sign-in activity': 3},[Azure Portal],2019-10-17 15:27:34.722,2019-10-22 15:26:25.738
alexw@m365x648731.onmicrosoft.com,131.107.160.181,US,United States,Redmond,"MICROSOFT-CORP-AS - Microsoft Corporation, US",1,{'Sign-in activity': 1},[Azure Portal],2019-10-29 23:44:32.382,2019-10-29 23:44:32.382
alexw@m365x648731.onmicrosoft.com,131.107.160.205,US,United States,Redmond,"MICROSOFT-CORP-AS - Microsoft Corporation, US",2,{'Sign-in activity': 2},[Azure Portal],2019-10-17 20:39:51.333,2019-10-18 15:42:59.049


### Additional alerts for source IP addresses

In [104]:
ip_list = ",".join(list(src_ip_addrs_az["IPAddress"].unique()))
related_ip_alerts_df = qry_prov.SecurityAlert.list_alerts_for_ip(
    start=acct_query_params()["start"],
    end=acct_query_params()["end"],
    source_ip_list=ip_list
)
# remove Account and host alerts already seen
related_ip_alerts_df = related_ip_alerts_df[~related_ip_alerts_df["SystemAlertId"]
                                            .isin(related_alerts["SystemAlertId"])]
if not related_ip_alerts_df.empty:
    md(f"{len(related_ip_alerts_df)} additional alerts have been "
       + "triggered from one or more source IPs.", "bold, red, large")
    md(" You should investigate these IPs using "
       + "the 'Entity Explorer - IP Address' notebook", "bold, red" )
    display(related_ip_alerts_df)

<p style='font-weight: bold;color: red;font-size: 130%'>13 additional alerts have been triggered from one or more source IPs.</p>

<p style='font-weight: bold;color: red'> You should investigate these IPs using the 'Entity Explorer - IP Address' notebook</p>

Unnamed: 0,TenantId,TimeGenerated,AlertDisplayName,AlertName,Severity,Description,ProviderName,VendorName,VendorOriginalId,SystemAlertId,ResourceId,SourceComputerId,AlertType,ConfidenceLevel,ConfidenceScore,IsIncident,StartTimeUtc,EndTimeUtc,ProcessingEndTime,RemediationSteps,ExtendedProperties,Entities,SourceSystem,WorkspaceSubscriptionId,WorkspaceResourceGroup,ExtendedLinks,ProductName,ProductComponentName,Type,SystemAlertId1,ExtendedProperties1,Entities1,MatchingIps
19,a927809c-8142-43e1-96b3-4ad87cfe95a3,2019-10-16 22:11:41,Access from a suspicious IP leading to suspicious endpoint activity,Access from a suspicious IP leading to suspicious endpoint activity,High,Access from a suspicious IP leading to suspicious endpoint activity,ASI Scheduled Alerts,Microsoft,2df2d792-aca7-43b5-9e31-fa4e0618ad8c,61787eba-f903-4b71-b211-dc1d6ec9b5f8,,,a927809c-8142-43e1-96b3-4ad87cfe95a3_62bc82a0-1f59-49b6-82f2-266a836d072c,Unknown,,False,2019-10-16 21:56:35,2019-10-16 22:06:35,2019-10-16 22:11:41,,"{\r\n ""Query"": ""ZScaler\r\n| where DeviceAction contains \""allow\""\r\n| join kind=inner (\r\nHe...","[\r\n {\r\n ""$id"": ""3"",\r\n ""Type"": ""url"",\r\n ""Url"": ""http://host.gomencom.website/Do...",Detection,1c4b4612-7123-47db-bb74-f3b6fde75431,RedmondSentinelDemoRG,,Azure Sentinel,Scheduled Alerts,SecurityAlert,61787eba-f903-4b71-b211-dc1d6ec9b5f8,"{\r\n ""Query"": ""ZScaler\r\n| where DeviceAction contains \""allow\""\r\n| join kind=inner (\r\nHe...","[\r\n {\r\n ""$id"": ""3"",\r\n ""Type"": ""url"",\r\n ""Url"": ""http://host.gomencom.website/Do...",[176.10.99.200]
20,a927809c-8142-43e1-96b3-4ad87cfe95a3,2019-10-16 22:03:33,Access from a suspicious IP leading to suspicious endpoint activity,Access from a suspicious IP leading to suspicious endpoint activity,High,Access from a suspicious IP leading to suspicious endpoint activity,ASI Scheduled Alerts,Microsoft,1d2be0b9-aded-4750-a372-47fbf1bf98b6,2519550e-4850-4616-974f-422b4867a161,,,a927809c-8142-43e1-96b3-4ad87cfe95a3_62bc82a0-1f59-49b6-82f2-266a836d072c,Unknown,,False,2019-10-16 21:48:26,2019-10-16 21:58:26,2019-10-16 22:03:33,,"{\r\n ""Query"": ""ZScaler\r\n| where DeviceAction contains \""allow\""\r\n| join kind=inner (\r\nHe...","[\r\n {\r\n ""$id"": ""3"",\r\n ""Type"": ""url"",\r\n ""Url"": ""http://host.gomencom.website/Do...",Detection,1c4b4612-7123-47db-bb74-f3b6fde75431,RedmondSentinelDemoRG,,Azure Sentinel,Scheduled Alerts,SecurityAlert,2519550e-4850-4616-974f-422b4867a161,"{\r\n ""Query"": ""ZScaler\r\n| where DeviceAction contains \""allow\""\r\n| join kind=inner (\r\nHe...","[\r\n {\r\n ""$id"": ""3"",\r\n ""Type"": ""url"",\r\n ""Url"": ""http://host.gomencom.website/Do...",[176.10.99.200]
21,a927809c-8142-43e1-96b3-4ad87cfe95a3,2019-10-16 22:21:52,Access from a suspicious IP leading to suspicious endpoint activity,Access from a suspicious IP leading to suspicious endpoint activity,High,Access from a suspicious IP leading to suspicious endpoint activity,ASI Scheduled Alerts,Microsoft,227353f7-f56b-4500-b843-564dec775729,695d982e-de0b-4dad-90fb-5ddc9ece3344,,,a927809c-8142-43e1-96b3-4ad87cfe95a3_62bc82a0-1f59-49b6-82f2-266a836d072c,Unknown,,False,2019-10-16 22:06:35,2019-10-16 22:16:35,2019-10-16 22:21:52,,"{\r\n ""Query"": ""ZScaler\r\n| where DeviceAction contains \""allow\""\r\n| join kind=inner (\r\nHe...","[\r\n {\r\n ""$id"": ""3"",\r\n ""Type"": ""url"",\r\n ""Url"": ""https://bit.ly/35CsnLI""\r\n },...",Detection,1c4b4612-7123-47db-bb74-f3b6fde75431,RedmondSentinelDemoRG,,Azure Sentinel,Scheduled Alerts,SecurityAlert,695d982e-de0b-4dad-90fb-5ddc9ece3344,"{\r\n ""Query"": ""ZScaler\r\n| where DeviceAction contains \""allow\""\r\n| join kind=inner (\r\nHe...","[\r\n {\r\n ""$id"": ""3"",\r\n ""Type"": ""url"",\r\n ""Url"": ""https://bit.ly/35CsnLI""\r\n },...",[176.10.99.200]
22,a927809c-8142-43e1-96b3-4ad87cfe95a3,2019-10-16 22:48:10,Access from a suspicious IP leading to suspicious endpoint activity,Access from a suspicious IP leading to suspicious endpoint activity,High,Access from a suspicious IP leading to suspicious endpoint activity,ASI Scheduled Alerts,Microsoft,8168f50f-5776-4f3b-99a0-0d32b8fb9ecd,3d0e8da1-c877-48db-a36f-978828669c25,,,a927809c-8142-43e1-96b3-4ad87cfe95a3_62bc82a0-1f59-49b6-82f2-266a836d072c,Unknown,,False,2019-10-16 21:43:04,2019-10-16 22:43:04,2019-10-16 22:48:10,,"{\r\n ""Query"": ""ZScaler\r\n| where SourceIP == \""137.135.26.148\""\r\n| where Url contains \""bit...","[\r\n {\r\n ""$id"": ""3"",\r\n ""Type"": ""url"",\r\n ""Url"": ""https://bit.ly/35CsnLI""\r\n },...",Detection,1c4b4612-7123-47db-bb74-f3b6fde75431,RedmondSentinelDemoRG,,Azure Sentinel,Scheduled Alerts,SecurityAlert,3d0e8da1-c877-48db-a36f-978828669c25,"{\r\n ""Query"": ""ZScaler\r\n| where SourceIP == \""137.135.26.148\""\r\n| where Url contains \""bit...","[\r\n {\r\n ""$id"": ""3"",\r\n ""Type"": ""url"",\r\n ""Url"": ""https://bit.ly/35CsnLI""\r\n },...",[176.10.99.200]
23,a927809c-8142-43e1-96b3-4ad87cfe95a3,2019-10-16 22:33:12,Access from a suspicious IP leading to suspicious endpoint activity,Access from a suspicious IP leading to suspicious endpoint activity,High,Access from a suspicious IP leading to suspicious endpoint activity,ASI Scheduled Alerts,Microsoft,3ef5d7e4-dae9-4a97-b51f-74ee823362d5,7aef8c9f-6e0f-49cd-b651-2327f9a1c801,,,a927809c-8142-43e1-96b3-4ad87cfe95a3_62bc82a0-1f59-49b6-82f2-266a836d072c,Unknown,,False,2019-10-16 22:18:05,2019-10-16 22:28:05,2019-10-16 22:33:12,,"{\r\n ""Query"": ""ZScaler\r\n| where SourceIP == \""137.135.26.148\""\r\n| where Url contains \""bit...","[\r\n {\r\n ""$id"": ""3"",\r\n ""Type"": ""url"",\r\n ""Url"": ""https://bit.ly/35CsnLI""\r\n },...",Detection,1c4b4612-7123-47db-bb74-f3b6fde75431,RedmondSentinelDemoRG,,Azure Sentinel,Scheduled Alerts,SecurityAlert,7aef8c9f-6e0f-49cd-b651-2327f9a1c801,"{\r\n ""Query"": ""ZScaler\r\n| where SourceIP == \""137.135.26.148\""\r\n| where Url contains \""bit...","[\r\n {\r\n ""$id"": ""3"",\r\n ""Type"": ""url"",\r\n ""Url"": ""https://bit.ly/35CsnLI""\r\n },...",[176.10.99.200]
26,a927809c-8142-43e1-96b3-4ad87cfe95a3,2019-09-27 08:23:08,Activity from infrequent country,Activity from infrequent country,Medium,Megan Bowen (meganb@m365x648731.onmicrosoft.com) performed an activity. No activity was performe...,MCAS,Microsoft,B048A8BF-01C1-3C1A-9985-66191429FD36,4ea929d7-94f2-25b3-da0a-0247f9f7c206,,,MCAS_ALERT_ANUBIS_DETECTION_NEW_COUNTRY,Unknown,,False,2019-09-27 08:18:42,2019-09-27 08:18:42,2019-09-27 08:23:07,,"{\r\n ""Cloud Applications"": ""Microsoft Azure"",\r\n ""Countries"": ""US"",\r\n ""IP Addresses"": ""50...","[\r\n {\r\n ""$id"": ""3"",\r\n ""Address"": ""50.35.65.178"",\r\n ""Type"": ""ip""\r\n },\r\n {...",Detection,,,"[\r\n {\r\n ""Href"": ""https://m365x648731.portal.cloudappsecurity.com/#/policy/?id=eq(5d77739...",Microsoft Cloud App Security,,SecurityAlert,4ea929d7-94f2-25b3-da0a-0247f9f7c206,"{\r\n ""Cloud Applications"": ""Microsoft Azure"",\r\n ""Countries"": ""US"",\r\n ""IP Addresses"": ""50...","[\r\n {\r\n ""$id"": ""3"",\r\n ""Address"": ""50.35.65.178"",\r\n ""Type"": ""ip""\r\n },\r\n {...",[50.35.65.178]
56,a927809c-8142-43e1-96b3-4ad87cfe95a3,2019-10-16 20:11:36,Access from a suspicious IP leading to suspicious endpoint activity,Access from a suspicious IP leading to suspicious endpoint activity,High,Access from a suspicious IP leading to suspicious endpoint activity,ASI Scheduled Alerts,Microsoft,e4d06ca1-3bf4-4e8b-a6da-787091dc63ae,42925d1c-236c-4175-a2a6-39643b223902,,,a927809c-8142-43e1-96b3-4ad87cfe95a3_62bc82a0-1f59-49b6-82f2-266a836d072c,Unknown,,False,2019-10-16 19:06:30,2019-10-16 20:06:30,2019-10-16 20:11:36,,"{\r\n ""Query"": ""ZScaler_CL\r\n| extend Url = Url_s\r\n| where DeviceAction_s contains \""allow\""...","[\r\n {\r\n ""$id"": ""3"",\r\n ""Type"": ""url"",\r\n ""Url"": ""http://host.gomencom.website/Do...",Detection,1c4b4612-7123-47db-bb74-f3b6fde75431,RedmondSentinelDemoRG,,Azure Sentinel,Scheduled Alerts,SecurityAlert,42925d1c-236c-4175-a2a6-39643b223902,"{\r\n ""Query"": ""ZScaler_CL\r\n| extend Url = Url_s\r\n| where DeviceAction_s contains \""allow\""...","[\r\n {\r\n ""$id"": ""3"",\r\n ""Type"": ""url"",\r\n ""Url"": ""http://host.gomencom.website/Do...",[176.10.99.200]
57,a927809c-8142-43e1-96b3-4ad87cfe95a3,2019-10-16 20:19:18,Access from a suspicious IP leading to suspicious endpoint activity,Access from a suspicious IP leading to suspicious endpoint activity,High,Access from a suspicious IP leading to suspicious endpoint activity,ASI Scheduled Alerts,Microsoft,4dcea248-aebc-4b38-a1e3-575afe5a0277,b8eb1175-5262-434c-9de2-8b5854693c1f,,,a927809c-8142-43e1-96b3-4ad87cfe95a3_62bc82a0-1f59-49b6-82f2-266a836d072c,Unknown,,False,2019-10-16 19:14:11,2019-10-16 20:14:11,2019-10-16 20:19:18,,"{\r\n ""Query"": ""ZScaler\r\n| where DeviceAction contains \""allow\""\r\n| join kind=inner (\r\nHe...","[\r\n {\r\n ""$id"": ""3"",\r\n ""Type"": ""url"",\r\n ""Url"": ""http://host.gomencom.website/Do...",Detection,1c4b4612-7123-47db-bb74-f3b6fde75431,RedmondSentinelDemoRG,,Azure Sentinel,Scheduled Alerts,SecurityAlert,b8eb1175-5262-434c-9de2-8b5854693c1f,"{\r\n ""Query"": ""ZScaler\r\n| where DeviceAction contains \""allow\""\r\n| join kind=inner (\r\nHe...","[\r\n {\r\n ""$id"": ""3"",\r\n ""Type"": ""url"",\r\n ""Url"": ""http://host.gomencom.website/Do...",[176.10.99.200]
58,a927809c-8142-43e1-96b3-4ad87cfe95a3,2019-10-16 20:29:17,Access from a suspicious IP leading to suspicious endpoint activity,Access from a suspicious IP leading to suspicious endpoint activity,High,Access from a suspicious IP leading to suspicious endpoint activity,ASI Scheduled Alerts,Microsoft,52ba3b53-76b7-47f4-a8ca-707785c9315c,944e2de6-8c77-43b8-ac1e-feb2e893d33d,,,a927809c-8142-43e1-96b3-4ad87cfe95a3_62bc82a0-1f59-49b6-82f2-266a836d072c,Unknown,,False,2019-10-16 19:24:12,2019-10-16 20:24:12,2019-10-16 20:29:17,,"{\r\n ""Query"": ""ZScaler\r\n| where DeviceAction contains \""allow\""\r\n| join kind=inner (\r\nHe...","[\r\n {\r\n ""$id"": ""3"",\r\n ""Type"": ""url"",\r\n ""Url"": ""http://host.gomencom.website/Do...",Detection,1c4b4612-7123-47db-bb74-f3b6fde75431,RedmondSentinelDemoRG,,Azure Sentinel,Scheduled Alerts,SecurityAlert,944e2de6-8c77-43b8-ac1e-feb2e893d33d,"{\r\n ""Query"": ""ZScaler\r\n| where DeviceAction contains \""allow\""\r\n| join kind=inner (\r\nHe...","[\r\n {\r\n ""$id"": ""3"",\r\n ""Type"": ""url"",\r\n ""Url"": ""http://host.gomencom.website/Do...",[176.10.99.200]
59,a927809c-8142-43e1-96b3-4ad87cfe95a3,2019-10-16 20:49:18,Access from a suspicious IP leading to suspicious endpoint activity,Access from a suspicious IP leading to suspicious endpoint activity,High,Access from a suspicious IP leading to suspicious endpoint activity,ASI Scheduled Alerts,Microsoft,643a03f9-4899-4a0e-90a0-4c59cf30f183,22db1193-9161-43db-bf1c-6c489878a1f2,,,a927809c-8142-43e1-96b3-4ad87cfe95a3_62bc82a0-1f59-49b6-82f2-266a836d072c,Unknown,,False,2019-10-16 19:44:12,2019-10-16 20:44:12,2019-10-16 20:49:18,,"{\r\n ""Query"": ""ZScaler\r\n| where DeviceAction contains \""allow\""\r\n| join kind=inner (\r\nHe...","[\r\n {\r\n ""$id"": ""3"",\r\n ""Type"": ""url"",\r\n ""Url"": ""http://host.gomencom.website/Do...",Detection,1c4b4612-7123-47db-bb74-f3b6fde75431,RedmondSentinelDemoRG,,Azure Sentinel,Scheduled Alerts,SecurityAlert,22db1193-9161-43db-bf1c-6c489878a1f2,"{\r\n ""Query"": ""ZScaler\r\n| where DeviceAction contains \""allow\""\r\n| join kind=inner (\r\nHe...","[\r\n {\r\n ""$id"": ""3"",\r\n ""Type"": ""url"",\r\n ""Url"": ""http://host.gomencom.website/Do...",[176.10.99.200]


## Appendices

### Available DataFrames

In [None]:
print('List of current DataFrames in Notebook')
print('-' * 50)
current_vars = list(locals().keys())
for var_name in current_vars:
    if isinstance(locals()[var_name], pd.DataFrame) and not var_name.startswith('_'):
        print(var_name)

### Saving data to Excel
To save the contents of a pandas DataFrame to an Excel spreadsheet
use the following syntax
```
writer = pd.ExcelWriter('myWorksheet.xlsx')
my_data_frame.to_excel(writer,'Sheet1')
writer.save()
```

## Setup
If you have not run this Notebook before please run this cell before running the rest of the Notebook.

In [None]:
import sys
import warnings
warnings.filterwarnings("ignore",category=DeprecationWarning)


MIN_REQ_PYTHON = (3,6)
if sys.version_info < MIN_REQ_PYTHON:
    print('Check the Kernel->Change Kernel menu and ensure that Python 3.6')
    print('or later is selected as the active kernel.')
    sys.exit("Python %s.%s or later is required.\n" % MIN_REQ_PYTHON)

# Package Installs - try to avoid if they are already installed
try:
    import Kqlmagic
    from ipwhois import IPWhois
    print('If you answer "n" this cell will exit with an error in order to avoid the pip install calls,')
    print('This error can safely be ignored.')
    resp = input('msticpy and Kqlmagic packages are already loaded. Do you want to re-install? (y/n)')
    if resp.strip().lower() != 'y':
        sys.exit('pip install aborted - you may skip this error and continue.')
    else:
        print('After installation has completed, restart the current kernel and run '
              'the notebook again skipping this cell.')
except ImportError:
    pass

print('\nPlease wait. Installing required packages. This may take a few minutes...')
!pip install msticpy --upgrade --user
!pip install ipwhois --upgrade --user
 
# Uncomment to refresh the maxminddb database
# !pip install maxminddb-geolite2 --upgrade 
print('To ensure that the latest versions of the installed libraries '
      'are used, please restart the current kernel and run '
      'the notebook again skipping this cell.')

### `msticpyconfig.yaml` configuration File
You can configure primary and secondary TI providers and any required parameters in the `msticpyconfig.yaml` file. This is read from the current directory or you can set an environment variable (`MSTICPYCONFIG`) pointing to its location.

To configure this file see the [ConfigureNotebookEnvironment notebook](https://github.com/Azure/Azure-Sentinel-Notebooks/blob/master/ConfiguringNotebookEnvironment.ipynb)