From 90b75b3abb23911fc5ca3142fda0ae7d5a3a6986 Mon Sep 17 00:00:00 2001
From: Ian Hellen Although you can view a notebook as a static document (GitHub, for example has a built-in\r\n",
- "static notebook renderer), if you want to run the code in a notebook, the notebook\r\n",
- "must be attached to a backend process, know as a Jupyter kernel. The kernel\r\n",
- "is really where your code is being run and where all of variables and objects\r\n",
- "created in the code are held. The browser is just the viewer for this data.\r\n",
- " In Azure ML, the kernel runs on a virtual machine known as an Azure ML Compute.\r\n",
- "The Compute instance can support the running of many notebooks simultaneously. \r\n",
- "Usually, the creation/attaching of a kernel for your notebook happens\r\n",
- "seamlessly - you don't need to do anything manually. One thing that you\r\n",
- "may need to check (especially if you are getting errors or the notebook\r\n",
- "doesn't seem to be executing) is the version and state of the kernel. Note: the notebook works with Python 3.6 or later.\r\n",
- "If you are using this notebook in another\r\n",
- "Jupyter environment you can choose any kernel that supports Python 3.6 or later\r\n",
- " Tip\r\n",
- "Sometimes, your notebook may \"hang\" or you want to just start over.\r\n",
- "To do this you can restart the kernel. Use the \"recycle\" button in the toolbar\r\n",
- "in the upper right of the screen above the notebook.\r\n",
- " \r\n",
- "If you are having trouble getting the notebook running you should review\r\n",
- "How to run Juptyer notebooks.\r\n",
- " Although you can view a notebook as a static document (GitHub, for example has a built-in\n",
+ "static notebook renderer), if you want to run the code in a notebook, the notebook\n",
+ "must be attached to a backend process, know as a Jupyter kernel. The kernel\n",
+ "is really where your code is being run and where all of variables and objects\n",
+ "created in the code are held. The browser is just the viewer for this data.\n",
+ " In Azure ML, the kernel runs on a virtual machine known as an Azure ML Compute.\n",
+ "The Compute instance can support the running of many notebooks simultaneously. \n",
+ "Usually, the creation/attaching of a kernel for your notebook happens\n",
+ "seamlessly - you don't need to do anything manually. One thing that you\n",
+ "may need to check (especially if you are getting errors or the notebook\n",
+ "doesn't seem to be executing) is the version and state of the kernel. Note: the notebook works with Python 3.6 or later.\n",
+ "If you are using this notebook in another\n",
+ "Jupyter environment you can choose any kernel that supports Python 3.6 or later\n",
+ " Tip:\n",
+ "Sometimes, your notebook may \"hang\" or you want to just start over.\n",
+ "To do this you can restart the kernel. Use the \"recycle\" button in the toolbar\n",
+ "in the upper right of the screen above the notebook.\n",
+ " \n",
+ "If you are having trouble getting the notebook running you should review\n",
+ "How to run Juptyer notebooks.\n",
+ "
"
- ],
- "metadata": {}
+ ]
},
{
"cell_type": "markdown",
+ "metadata": {},
"source": [
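Review bot: the re-emitted kernel/Compute text in the + lines of this cell carries over the typos from the removed lines instead of fixing them while the line endings are being normalized: "know as a Jupyter kernel" should read "known as a Jupyter kernel", "where all of variables and objects" should read "where all of the variables and objects", and "How to run Juptyer notebooks" should read "How to run Jupyter notebooks". Since the whole cell is already being rewritten with `\n` endings, this is the natural place to correct them, and "Python 3.6 or later" is stated twice in consecutive sentences; one mention is enough.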
- "---\r\n",
- "\r\n",
- "# What is a Jupyter notebook?\r\n",
- "\r\n",
- "\r\n",
- "If you're familiar with notebooks, skip this section and go to \"Setting up the environment\" section.
\r\n",
- "\r\n",
- "You are currently reading a Jupyter notebook. [Jupyter](http://jupyter.org/) is an interactive\r\n",
- "development and data manipulation environment presented in a browser.\r\n",
- "\r\n",
- "Using Jupyter you can create documents, called **Notebooks**.\r\n",
- "These documents are made up of cells that contain interactive code, alongside that code's output,\r\n",
- "and other items such as text and images (what you are looking at now is a cell of Markdown text).\r\n",
- "\r\n",
- "The name, Jupyter, comes from the core supported programming languages that it supports: **Ju**lia, **Pyt**hon, and **R**.\r\n",
- "While you can use any of these languages (and others such as Powershell) we are going to use Python in this notebook.\r\n",
- "\r\n",
- "The majority of the notebooks on the [Azure Sentinel GitHub repo](https://github.com/Azure/Azure-Sentinel-Notebooks)\r\n",
- "are written in Python. Whilst there are pros, and cons to each language, Python is a well-established\r\n",
- "language that has a large number of materials and libraries well suited for\r\n",
- "data analysis and security investigation, making it ideal for our needs.\r\n",
- "\r\n",
- "
\r\n",
- "Learn more...
\r\n",
- " \r\n",
- "
\r\n",
- "\r\n",
- "
\r\n"
- ],
- "metadata": {}
+ "---\n",
+ "\n",
+ "# What is a Jupyter notebook?\n",
+ "\n",
+ "If you're familiar with notebooks, skip this section and go to \"Setting up the environment\" section.
\n",
+ "
\n",
+ "\n",
+ "You are currently reading a Jupyter notebook. [Jupyter](http://jupyter.org/) is an interactive\n",
+ "development and data manipulation environment presented in a browser.\n",
+ "\n",
+ "A Jupyter notebook is a document\n",
+ "made up of cells that contain interactive code, alongside that code's output,\n",
+ "and other items such as text and images (what you are looking at now is a cell of *Markdown* text).\n",
+ "\n",
+ "The name, Jupyter, comes from the core supported programming languages that it supports: **Ju**lia, **Pyt**hon, and **R**.\n",
+ "While you can use any of these languages (and others such as Powershell) we are going to use Python in this notebook.\n",
+ "\n",
+ "The majority of the notebooks on the [Azure Sentinel GitHub repo](https://github.com/Azure/Azure-Sentinel-Notebooks)\n",
+ "are written in Python. Whilst there are pros, and cons to each language, Python is a well-established\n",
+ "language that has a large number of materials and libraries well suited for\n",
+ "data analysis and security investigation, making it ideal for our needs.\n",
+ "\n",
+ "
\n",
+ "Learn more...
\n",
+ " \n",
+ "
\n",
+ "\n",
+ "
\n"
+ ]
},
{
"cell_type": "markdown",
+ "metadata": {},
"source": [
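Review bot: the + side of the "What is a Jupyter notebook?" cell keeps the tautology "comes from the core supported programming languages that it supports"; suggest "comes from the core languages it supports: **Ju**lia, **Pyt**hon, and **R**". In the same cell, "Whilst there are pros, and cons to each language" has a stray comma ("pros and cons"). The rewording to "A Jupyter notebook is a document made up of cells..." is an improvement over the removed "Using Jupyter you can create documents, called **Notebooks**" and should stay.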
- "---\r\n",
- "\r\n",
- "## How to use a Jupyter notebook?\r\n",
- "\r\n",
- "To use a Jupyter notebook you need a Jupyter server that will render the notebook and execute the code within it.\r\n",
- "This can take the form of a local [Jupyter installation](https://pypi.org/project/jupyter/),\r\n",
- "or a remotely hosted version such as \r\n",
- "[Azure Machine Learning Notebooks](https://docs.microsoft.com/en-us/azure/machine-learning/how-to-run-jupyter-notebooks). \r\n",
- "\r\n",
- "## Using Azure Machine Learning (ML) Notebooks\r\n",
- "\r\n",
- "If you launched this notebook from Azure Sentinel, you will be running it in an Azure ML workspace.\r\n",
- "By default, the notebook is running in the built-in notebook editor. You can also open\r\n",
- "and run the notebook in Jupyterlab or Jupyter classic, if these environments are more familiar\r\n",
- "to you.\r\n",
- "\r\n",
- "Learn more...
\r\n",
- "\r\n",
- "
\r\n",
- "
\r\n",
- "You will need to re-run any initialization and authentication cells after doing\r\n",
- "this since restarting the kernel wipes all variables and other state.\r\n",
- "
\r\n",
- "Troubleshooting...
\r\n",
- " Learn more...
\n",
+ "\n",
+ "
\n",
+ "
\n",
+ "You will need to re-run any initialization and authentication cells after doing\n",
+ "this since restarting the kernel wipes all variables and other state.\n",
+ "
\n",
+ "Troubleshooting...
\n",
+ "
\r\n", - " Although you don't need to know these details now, you can find more information here:\r\n", - "
\r\n", - "If you need a more complete walk-through of configuration, we have a separate notebook to help you:
\r\n", - "\n", + " Although you don't need to know these details now, you can find more information here:\n", + "
\n", + "If you need a more complete walk-through of configuration, we have a separate notebook to help you:
\n", + "\r\n", - "You should not have to change anything here unless you need to add\r\n", - "one or more additional workspaces.
\r\n", - "\r\n", - "When you have verified that this looks OK. Click **Save Settings**\r\n", - "\r\n", - "\r\n", - "If you have multiple Azure Sentinel workspaces, you can add\r\n", - " them in the following configuration cell.
\r\n", - "You can choose to keep one as the default or just delete this entry\r\n", - " if you always want to name your workspaces explicitly when you \r\n", - " connect.\r\n", - "
\r\n", + "## Configuring Azure Sentinel settings\n", + "\n", + "When you launched this notebook from Azure Sentinel it copied a basic configuration file - `config.json` -\n", + "to your workspace folder.Tip\n",
+ "If you do not see a \"msticpyconfig.yaml\" file in your user folder, click the refresh button
\n",
+ "at the top of the file browser.\n",
+ "
Note:\n",
+ "In the Azure ML environment, the settings editor may take 10-20 seconds to appear.
\n",
+ "This is a known bug that we are working to fix.\n",
+ "
If you have multiple Azure Sentinel workspaces, you can add\n", + " them in the following configuration cell.
\n", + "You can choose to keep one as the default or just delete this entry\n", + " if you always want to name your workspaces explicitly when you \n", + " connect.\n", + "
\n", "\r\n",
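Review bot: in the new "Configuring Azure Sentinel settings" text, "to your workspace folder.Tip" runs the end of the sentence straight into the Tip label, so a space or line break is missing before "Tip". The same paragraph says Azure Sentinel copied `config.json` to the workspace folder, but the Tip that follows tells the reader to look for a "msticpyconfig.yaml" file; one sentence on how the two files relate (which one the settings editor reads and writes) would stop readers searching for the wrong file. The Note "the settings editor may take 10-20 seconds to appear. This is a known bug that we are working to fix" will go stale; consider referencing the tracking issue or dropping the "known bug" clause and keeping only the wait-time advice.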
- "Warning If you are using a VT enterprise key we do not recommend storing this\r\n",
- "in the msticpyconfig.yaml file.
\r\n",
- "MSTICPy supports storage of secrets in\r\n",
- "Azure Key Vault. You can read more about this\r\n",
- "in the MSTICPY docs
\r\n",
- "
\n",
+ "Warning If you are using a VT enterprise key we do not recommend storing this\n",
+ "in the msticpyconfig.yaml file.
\n",
+ "MSTICPy supports storage of secrets in\n",
+ "Azure Key Vault. You can read more about this\n",
+ "in the MSTICPY docs
\n",
+ "For the moment, you can sign up for a free acount, until you can take the time to\n",
+ "set up Key Vault storage.\n",
+ "
Parameters
Query
{table} \n", - "| where TimeGenerated >= datetime({start}) \n", - "| where TimeGenerated <= datetime({end}) \n", - "| extend Result = iif(ResultType==0, \"Sucess\", \"Failed\") \n", - "| extend Latitude = tostring(parse_json(tostring(LocationDetails.geoCoo\n", - " rdinates)).latitude)\n", - "| extend Longitude = tostring(parse_json(tostring(LocationDetails.geoCo\n", - " ordinates)).longitude)
Example
\n", - "{QueryProvider}[.QueryPath].QueryName(params...)
\n", - "qry_prov.Azure.list_all_signins_geo(start=start, end=end, hostname=host)\n", - " " - ] - }, - "metadata": {} + "output_type": "error", + "ename": "NameError", + "evalue": "name 'qry_prov' is not defined", + "traceback": [ + "\u001b[1;31m---------------------------------------------------------------------------\u001b[0m", + "\u001b[1;31mNameError\u001b[0m Traceback (most recent call last)", + "\u001b[1;32m
\n", - " | AlertName | \n", - "NumAlerts | \n", - "||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
0 | \n", - "Incident and Automation testing 01 | \n", - "342 | \n", - "||||||||||||||
1 | \n", + " OperationName OperationVersion Category ResultType ResultSignature \\\n", + "0 Sign-in activity 1.0 SignInLogs 0 None \n", + "1 Sign-in activity 1.0 SignInLogs 0 None \n", + "2 Sign-in activity 1.0 SignInLogs 0 None \n", + "3 Sign-in activity 1.0 SignInLogs 0 None \n", + "4 Sign-in activity 1.0 SignInLogs 0 None \n", + "\n", + " ResultDescription DurationMs CorrelationId \\\n", + "0 0 e4b1520c-f679-43cf-bc75-a6261f2bee64 \n", + "1 0 4959f2c2-ef4e-4581-938a-5235ea2c5e01 \n", + "2 0 4d221809-3717-4d27-8987-2dd38ec7a039 \n", + "3 0 0deab40a-18d3-4ef2-ae1b-978d37f347a3 \n", + "4 0 fe6bf41b-a54f-4a57-b228-91328821aeca \n", + "\n", + " Resource ResourceGroup ResourceProvider \\\n", + "0 Microsoft.aadiam Microsoft.aadiam \n", + "1 Microsoft.aadiam Microsoft.aadiam \n", + "2 Microsoft.aadiam Microsoft.aadiam \n", + "3 Microsoft.aadiam Microsoft.aadiam \n", + "4 Microsoft.aadiam Microsoft.aadiam \n", + "\n", + " Identity Level Location \\\n", + "0 On-Premises Directory Synchronization Service Account 4 US \n", + "1 On-Premises Directory Synchronization Service Account 4 \n", + "2 TARDIF Romain 4 FR \n", + "3 On-Premises Directory Synchronization Service Account 4 US \n", + "4 On-Premises Directory Synchronization Service Account 4 US \n", + "\n", + " AlternateSignInName \\\n", + "0 Sync_AADCON_a5225d32ba79@seccxpninja.onmicrosoft.com \n", + "1 Sync_ContosoDc_d9f03d5ca7ff@seccxpninja.onmicrosoft.com \n", + "2 \n", + "3 Sync_AADCON_a5225d32ba79@seccxpninja.onmicrosoft.com \n", + "4 Sync_AADCON_a5225d32ba79@seccxpninja.onmicrosoft.com \n", + "\n", + " AppDisplayName \\\n", + "0 Microsoft Azure Active Directory Connect \n", + "1 Microsoft Azure Active Directory Connect \n", + "2 Azure Portal \n", + "3 Microsoft Azure Active Directory Connect \n", + "4 Microsoft Azure Active Directory Connect \n", + "\n", + " AppId \\\n", + "0 cb1056e2-e479-49de-ae31-7812af012ed8 \n", + "1 cb1056e2-e479-49de-ae31-7812af012ed8 \n", + "2 c44b4083-3bb0-49c1-b47d-974e53cbdf3c \n", + "3 
cb1056e2-e479-49de-ae31-7812af012ed8 \n", + "4 cb1056e2-e479-49de-ae31-7812af012ed8 \n", + "\n", + " AuthenticationDetails \\\n", + "0 [\\r\\n {\\r\\n \"authenticationStepDateTime\": \"2021-06-24T10:54:31.7816708+00:00\",\\r\\n \"authe... \n", + "1 [\\r\\n {\\r\\n \"authenticationStepDateTime\": \"2021-06-24T10:59:01.605024+00:00\",\\r\\n \"authen... \n", + "2 [\\r\\n {\\r\\n \"authenticationStepDateTime\": \"2021-06-24T12:13:08.5223794+00:00\",\\r\\n \"authe... \n", + "3 [\\r\\n {\\r\\n \"authenticationStepDateTime\": \"2021-06-24T12:54:30.090702+00:00\",\\r\\n \"authen... \n", + "4 [\\r\\n {\\r\\n \"authenticationStepDateTime\": \"2021-06-24T12:54:35.5030915+00:00\",\\r\\n \"authe... \n", + "\n", + " AuthenticationMethodsUsed \\\n", + "0 \n", + "1 \n", + "2 \n", + "3 \n", + "4 \n", + "\n", + " AuthenticationProcessingDetails \\\n", + "0 [\\r\\n {\\r\\n \"key\": \"IsCAEToken\",\\r\\n \"value\": \"False\"\\r\\n }\\r\\n] \n", + "1 [\\r\\n {\\r\\n \"key\": \"Azure VNet private IP address\",\\r\\n \"value\": \"10.0.25.6\"\\r\\n },\\r\\n ... \n", + "2 [\\r\\n {\\r\\n \"key\": \"IsCAEToken\",\\r\\n \"value\": \"False\"\\r\\n }\\r\\n] \n", + "3 [\\r\\n {\\r\\n \"key\": \"IsCAEToken\",\\r\\n \"value\": \"False\"\\r\\n }\\r\\n] \n", + "4 [\\r\\n {\\r\\n \"key\": \"IsCAEToken\",\\r\\n \"value\": \"False\"\\r\\n }\\r\\n] \n", + "\n", + " AuthenticationRequirement ... RiskLevelDuringSignIn RiskState \\\n", + "0 singleFactorAuthentication ... none none \n", + "1 singleFactorAuthentication ... none none \n", + "2 singleFactorAuthentication ... none none \n", + "3 singleFactorAuthentication ... none none \n", + "4 singleFactorAuthentication ... 
none none \n", + "\n", + " ResourceDisplayName ResourceIdentity \\\n", + "0 Windows Azure Active Directory 00000002-0000-0000-c000-000000000000 \n", + "1 Windows Azure Active Directory 00000002-0000-0000-c000-000000000000 \n", + "2 Windows Azure Service Management API 797f4846-ba00-4fd7-ba43-dac1f8f63013 \n", + "3 Windows Azure Active Directory 00000002-0000-0000-c000-000000000000 \n", + "4 Windows Azure Active Directory 00000002-0000-0000-c000-000000000000 \n", + "\n", + " ServicePrincipalId ServicePrincipalName Status TokenIssuerName \\\n", + "0 {'errorCode': 0} \n", + "1 {'errorCode': 0} \n", + "2 {'errorCode': 0} \n", + "3 {'errorCode': 0} \n", + "4 {'errorCode': 0} \n", + "\n", + " TokenIssuerType \\\n", + "0 AzureAD \n", + "1 AzureAD \n", + "2 AzureAD \n", + "3 AzureAD \n", + "4 AzureAD \n", + "\n", + " UserAgent \\\n", + "0 \n", + "1 \n", + "2 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.438... \n", + "3 \n", + "4 \n", + "\n", + " UserDisplayName \\\n", + "0 On-Premises Directory Synchronization Service Account \n", + "1 On-Premises Directory Synchronization Service Account \n", + "2 TARDIF Romain \n", + "3 On-Premises Directory Synchronization Service Account \n", + "4 On-Premises Directory Synchronization Service Account \n", + "\n", + " UserId \\\n", + "0 2235a468-ad9c-4375-8008-0a7be76994a7 \n", + "1 6aefab94-ed97-4f02-a063-a4e0eb43272d \n", + "2 8afe91b2-b2f3-4f0e-8fcd-7fe16be389a7 \n", + "3 2235a468-ad9c-4375-8008-0a7be76994a7 \n", + "4 2235a468-ad9c-4375-8008-0a7be76994a7 \n", + "\n", + " UserPrincipalName \\\n", + "0 sync_aadcon_a5225d32ba79@seccxpninja.onmicrosoft.com \n", + "1 sync_contosodc_d9f03d5ca7ff@seccxpninja.onmicrosoft.com \n", + "2 romain.tardif@thalesgroup.com \n", + "3 sync_aadcon_a5225d32ba79@seccxpninja.onmicrosoft.com \n", + "4 sync_aadcon_a5225d32ba79@seccxpninja.onmicrosoft.com \n", + "\n", + " AADTenantId UserType FlaggedForReview \\\n", + "0 4b2462a4-bbee-495a-a0e1-f23ae524cc9c 
Member None \n", + "1 4b2462a4-bbee-495a-a0e1-f23ae524cc9c Member None \n", + "2 4b2462a4-bbee-495a-a0e1-f23ae524cc9c Guest None \n", + "3 4b2462a4-bbee-495a-a0e1-f23ae524cc9c Member None \n", + "4 4b2462a4-bbee-495a-a0e1-f23ae524cc9c Member None \n", + "\n", + " IPAddressFromResourceProvider \\\n", + "0 \n", + "1 \n", + "2 \n", + "3 \n", + "4 \n", + "\n", + " SignInIdentifier \\\n", + "0 Sync_AADCON_a5225d32ba79@seccxpninja.onmicrosoft.com \n", + "1 Sync_ContosoDc_d9f03d5ca7ff@seccxpninja.onmicrosoft.com \n", + "2 \n", + "3 Sync_AADCON_a5225d32ba79@seccxpninja.onmicrosoft.com \n", + "4 Sync_AADCON_a5225d32ba79@seccxpninja.onmicrosoft.com \n", + "\n", + " SignInIdentifierType ResourceTenantId \\\n", + "0 4b2462a4-bbee-495a-a0e1-f23ae524cc9c \n", + "1 4b2462a4-bbee-495a-a0e1-f23ae524cc9c \n", + "2 4b2462a4-bbee-495a-a0e1-f23ae524cc9c \n", + "3 4b2462a4-bbee-495a-a0e1-f23ae524cc9c \n", + "4 4b2462a4-bbee-495a-a0e1-f23ae524cc9c \n", + "\n", + " HomeTenantId Type Result \\\n", + "0 4b2462a4-bbee-495a-a0e1-f23ae524cc9c SigninLogs Sucess \n", + "1 4b2462a4-bbee-495a-a0e1-f23ae524cc9c SigninLogs Sucess \n", + "2 6e603289-5e46-4e26-ac7c-03a85420a9a5 SigninLogs Sucess \n", + "3 4b2462a4-bbee-495a-a0e1-f23ae524cc9c SigninLogs Sucess \n", + "4 4b2462a4-bbee-495a-a0e1-f23ae524cc9c SigninLogs Sucess \n", + "\n", + " Latitude Longitude \n", + "0 38.73078155517578 -78.17196655273438 \n", + "1 \n", + "2 48.782901763916019 1.9601000547409056 \n", + "3 38.73078155517578 -78.17196655273438 \n", + "4 38.73078155517578 -78.17196655273438 \n", + "\n", + "[5 rows x 69 columns]" + ] + }, + "execution_count": 13, + "metadata": {}, + "output_type": "execute_result" + } + ], + "source": [ + "# You can just pass the QueryTime object directly to the query.\r\n", + "# The QueryProvider will automatically\r\n", + "# extract the \"start\" and \"end\" parameters from it to use in the query.\r\n", + "signins_df = qry_prov.Azure.list_all_signins_geo()\r\n", + "\r\n", + "if signins_df.empty:\r\n", + 
" md(\"The query returned no rows for this time range. You might want to increase the time range\")\r\n", + "\r\n", + "# display first 5 rows of any results\r\n", + "signins_df.head() # If you have no data you will just see the column headings displayed" + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "## Customizable queries\r\n", + "\r\n", + "Most built-in queries support the \"add_query_items\" parameter.\r\n", + "You can use this to append additional filters or other operations to the built-in queries.\r\n", + "\r\n", + "Azure Sentinel queries use the Kusto Query Language (KQL).\r\n", + "\r\n", + "
\n", + " | AlertName | \n", + "NumAlerts | \n", + "
---|---|---|
0 | \n", + "Incident and Automation testing 01 | \n", + "342 | \n", + "
1 | \n", "Malicious credential theft tool execution detected | \n", "1361 | \n", "
168 | \n", "Mail.Read Permissions Granted to Application | \n", - "1 | \n", - "
169 | \n", - "Mass Download | \n", - "1 | \n", - "
170 rows × 2 columns
\n", - "170 rows × 2 columns
\n", + "\n", - " | TenantId | \n", - "SourceSystem | \n", - "TimeGenerated | \n", - "ResourceId | \n", - "OperationName | \n", - "OperationVersion | \n", - "Category | \n", - "ResultType | \n", - "ResultSignature | \n", - "ResultDescription | \n", - "DurationMs | \n", - "CorrelationId | \n", - "Resource | \n", - "ResourceGroup | \n", - "ResourceProvider | \n", - "Identity | \n", - "Level | \n", - "Location | \n", - "AlternateSignInName | \n", - "AppDisplayName | \n", - "AppId | \n", - "AuthenticationDetails | \n", - "AuthenticationMethodsUsed | \n", - "AuthenticationProcessingDetails | \n", - "AuthenticationRequirement | \n", - "... | \n", - "RiskLevelDuringSignIn | \n", - "RiskState | \n", - "ResourceDisplayName | \n", - "ResourceIdentity | \n", - "ServicePrincipalId | \n", - "ServicePrincipalName | \n", - "Status | \n", - "TokenIssuerName | \n", - "TokenIssuerType | \n", - "UserAgent | \n", - "UserDisplayName | \n", - "UserId | \n", - "UserPrincipalName | \n", - "AADTenantId | \n", - "UserType | \n", - "FlaggedForReview | \n", - "IPAddressFromResourceProvider | \n", - "SignInIdentifier | \n", - "SignInIdentifierType | \n", - "ResourceTenantId | \n", - "HomeTenantId | \n", - "Type | \n", - "Result | \n", - "Latitude | \n", - "Longitude | \n", - "
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
0 | \n", - "8ecf8077-cf51-4820-aadd-14040956f35d | \n", - "Azure AD | \n", - "2021-06-24 10:54:31.781000+00:00 | \n", - "/tenants/4b2462a4-bbee-495a-a0e1-f23ae524cc9c/providers/Microsoft.aadiam | \n", - "Sign-in activity | \n", - "1.0 | \n", - "SignInLogs | \n", - "0 | \n", - "None | \n", - "\n", - " | 0 | \n", - "e4b1520c-f679-43cf-bc75-a6261f2bee64 | \n", - "Microsoft.aadiam | \n", - "Microsoft.aadiam | \n", - "\n", - " | On-Premises Directory Synchronization Service Account | \n", - "4 | \n", - "US | \n", - "Sync_AADCON_a5225d32ba79@seccxpninja.onmicrosoft.com | \n", - "Microsoft Azure Active Directory Connect | \n", - "cb1056e2-e479-49de-ae31-7812af012ed8 | \n", - "[\\r\\n {\\r\\n \"authenticationStepDateTime\": \"2021-06-24T10:54:31.7816708+00:00\",\\r\\n \"authe... | \n", - "\n", - " | [\\r\\n {\\r\\n \"key\": \"IsCAEToken\",\\r\\n \"value\": \"False\"\\r\\n }\\r\\n] | \n", - "singleFactorAuthentication | \n", - "... | \n", - "none | \n", - "none | \n", - "Windows Azure Active Directory | \n", - "00000002-0000-0000-c000-000000000000 | \n", - "\n", - " | \n", - " | {'errorCode': 0} | \n", - "\n", - " | AzureAD | \n", - "\n", - " | On-Premises Directory Synchronization Service Account | \n", - "2235a468-ad9c-4375-8008-0a7be76994a7 | \n", - "sync_aadcon_a5225d32ba79@seccxpninja.onmicrosoft.com | \n", - "4b2462a4-bbee-495a-a0e1-f23ae524cc9c | \n", - "Member | \n", - "None | \n", - "\n", - " | Sync_AADCON_a5225d32ba79@seccxpninja.onmicrosoft.com | \n", - "\n", - " | 4b2462a4-bbee-495a-a0e1-f23ae524cc9c | \n", - "4b2462a4-bbee-495a-a0e1-f23ae524cc9c | \n", - "SigninLogs | \n", - "Sucess | \n", - "38.73078155517578 | \n", - "-78.17196655273438 | \n", - "
1 | \n", - "8ecf8077-cf51-4820-aadd-14040956f35d | \n", - "Azure AD | \n", - "2021-06-24 10:59:01.605000+00:00 | \n", - "/tenants/4b2462a4-bbee-495a-a0e1-f23ae524cc9c/providers/Microsoft.aadiam | \n", - "Sign-in activity | \n", - "1.0 | \n", - "SignInLogs | \n", - "0 | \n", - "None | \n", - "\n", - " | 0 | \n", - "4959f2c2-ef4e-4581-938a-5235ea2c5e01 | \n", - "Microsoft.aadiam | \n", - "Microsoft.aadiam | \n", - "\n", - " | On-Premises Directory Synchronization Service Account | \n", - "4 | \n", - "\n", - " | Sync_ContosoDc_d9f03d5ca7ff@seccxpninja.onmicrosoft.com | \n", - "Microsoft Azure Active Directory Connect | \n", - "cb1056e2-e479-49de-ae31-7812af012ed8 | \n", - "[\\r\\n {\\r\\n \"authenticationStepDateTime\": \"2021-06-24T10:59:01.605024+00:00\",\\r\\n \"authen... | \n", - "\n", - " | [\\r\\n {\\r\\n \"key\": \"Azure VNet private IP address\",\\r\\n \"value\": \"10.0.25.6\"\\r\\n },\\r\\n ... | \n", - "singleFactorAuthentication | \n", - "... | \n", - "none | \n", - "none | \n", - "Windows Azure Active Directory | \n", - "00000002-0000-0000-c000-000000000000 | \n", - "\n", - " | \n", - " | {'errorCode': 0} | \n", - "\n", - " | AzureAD | \n", - "\n", - " | On-Premises Directory Synchronization Service Account | \n", - "6aefab94-ed97-4f02-a063-a4e0eb43272d | \n", - "sync_contosodc_d9f03d5ca7ff@seccxpninja.onmicrosoft.com | \n", - "4b2462a4-bbee-495a-a0e1-f23ae524cc9c | \n", - "Member | \n", - "None | \n", - "\n", - " | Sync_ContosoDc_d9f03d5ca7ff@seccxpninja.onmicrosoft.com | \n", - "\n", - " | 4b2462a4-bbee-495a-a0e1-f23ae524cc9c | \n", - "4b2462a4-bbee-495a-a0e1-f23ae524cc9c | \n", - "SigninLogs | \n", - "Sucess | \n", - "\n", - " | \n", - " |
2 | \n", - "8ecf8077-cf51-4820-aadd-14040956f35d | \n", - "Azure AD | \n", - "2021-06-24 12:13:08.522000+00:00 | \n", - "/tenants/4b2462a4-bbee-495a-a0e1-f23ae524cc9c/providers/Microsoft.aadiam | \n", - "Sign-in activity | \n", - "1.0 | \n", - "SignInLogs | \n", - "0 | \n", - "None | \n", - "\n", - " | 0 | \n", - "4d221809-3717-4d27-8987-2dd38ec7a039 | \n", - "Microsoft.aadiam | \n", - "Microsoft.aadiam | \n", - "\n", - " | TARDIF Romain | \n", - "4 | \n", - "FR | \n", - "\n", - " | Azure Portal | \n", - "c44b4083-3bb0-49c1-b47d-974e53cbdf3c | \n", - "[\\r\\n {\\r\\n \"authenticationStepDateTime\": \"2021-06-24T12:13:08.5223794+00:00\",\\r\\n \"authe... | \n", - "\n", - " | [\\r\\n {\\r\\n \"key\": \"IsCAEToken\",\\r\\n \"value\": \"False\"\\r\\n }\\r\\n] | \n", - "singleFactorAuthentication | \n", - "... | \n", - "none | \n", - "none | \n", - "Windows Azure Service Management API | \n", - "797f4846-ba00-4fd7-ba43-dac1f8f63013 | \n", - "\n", - " | \n", - " | {'errorCode': 0} | \n", - "\n", - " | AzureAD | \n", - "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.438... | \n", - "TARDIF Romain | \n", - "8afe91b2-b2f3-4f0e-8fcd-7fe16be389a7 | \n", - "romain.tardif@thalesgroup.com | \n", - "4b2462a4-bbee-495a-a0e1-f23ae524cc9c | \n", - "Guest | \n", - "None | \n", - "\n", - " | \n", - " | \n", - " | 4b2462a4-bbee-495a-a0e1-f23ae524cc9c | \n", - "6e603289-5e46-4e26-ac7c-03a85420a9a5 | \n", - "SigninLogs | \n", - "Sucess | \n", - "48.782901763916019 | \n", - "1.9601000547409056 | \n", - "
3 | \n", - "8ecf8077-cf51-4820-aadd-14040956f35d | \n", - "Azure AD | \n", - "2021-06-24 12:54:30.090000+00:00 | \n", - "/tenants/4b2462a4-bbee-495a-a0e1-f23ae524cc9c/providers/Microsoft.aadiam | \n", - "Sign-in activity | \n", - "1.0 | \n", - "SignInLogs | \n", - "0 | \n", - "None | \n", - "\n", - " | 0 | \n", - "0deab40a-18d3-4ef2-ae1b-978d37f347a3 | \n", - "Microsoft.aadiam | \n", - "Microsoft.aadiam | \n", - "\n", - " | On-Premises Directory Synchronization Service Account | \n", - "4 | \n", - "US | \n", - "Sync_AADCON_a5225d32ba79@seccxpninja.onmicrosoft.com | \n", - "Microsoft Azure Active Directory Connect | \n", - "cb1056e2-e479-49de-ae31-7812af012ed8 | \n", - "[\\r\\n {\\r\\n \"authenticationStepDateTime\": \"2021-06-24T12:54:30.090702+00:00\",\\r\\n \"authen... | \n", - "\n", - " | [\\r\\n {\\r\\n \"key\": \"IsCAEToken\",\\r\\n \"value\": \"False\"\\r\\n }\\r\\n] | \n", - "singleFactorAuthentication | \n", - "... | \n", - "none | \n", - "none | \n", - "Windows Azure Active Directory | \n", - "00000002-0000-0000-c000-000000000000 | \n", - "\n", - " | \n", - " | {'errorCode': 0} | \n", - "\n", - " | AzureAD | \n", - "\n", - " | On-Premises Directory Synchronization Service Account | \n", - "2235a468-ad9c-4375-8008-0a7be76994a7 | \n", - "sync_aadcon_a5225d32ba79@seccxpninja.onmicrosoft.com | \n", - "4b2462a4-bbee-495a-a0e1-f23ae524cc9c | \n", - "Member | \n", - "None | \n", - "\n", - " | Sync_AADCON_a5225d32ba79@seccxpninja.onmicrosoft.com | \n", - "\n", - " | 4b2462a4-bbee-495a-a0e1-f23ae524cc9c | \n", - "4b2462a4-bbee-495a-a0e1-f23ae524cc9c | \n", - "SigninLogs | \n", - "Sucess | \n", - "38.73078155517578 | \n", - "-78.17196655273438 | \n", - "
4 | \n", - "8ecf8077-cf51-4820-aadd-14040956f35d | \n", - "Azure AD | \n", - "2021-06-24 12:54:35.503000+00:00 | \n", - "/tenants/4b2462a4-bbee-495a-a0e1-f23ae524cc9c/providers/Microsoft.aadiam | \n", - "Sign-in activity | \n", - "1.0 | \n", - "SignInLogs | \n", - "0 | \n", - "None | \n", - "\n", - " | 0 | \n", - "fe6bf41b-a54f-4a57-b228-91328821aeca | \n", - "Microsoft.aadiam | \n", - "Microsoft.aadiam | \n", - "\n", - " | On-Premises Directory Synchronization Service Account | \n", - "4 | \n", - "US | \n", - "Sync_AADCON_a5225d32ba79@seccxpninja.onmicrosoft.com | \n", - "Microsoft Azure Active Directory Connect | \n", - "cb1056e2-e479-49de-ae31-7812af012ed8 | \n", - "[\\r\\n {\\r\\n \"authenticationStepDateTime\": \"2021-06-24T12:54:35.5030915+00:00\",\\r\\n \"authe... | \n", - "\n", - " | [\\r\\n {\\r\\n \"key\": \"IsCAEToken\",\\r\\n \"value\": \"False\"\\r\\n }\\r\\n] | \n", - "singleFactorAuthentication | \n", - "... | \n", - "none | \n", - "none | \n", - "Windows Azure Active Directory | \n", - "00000002-0000-0000-c000-000000000000 | \n", - "\n", - " | \n", - " | {'errorCode': 0} | \n", - "\n", - " | AzureAD | \n", - "\n", - " | On-Premises Directory Synchronization Service Account | \n", - "2235a468-ad9c-4375-8008-0a7be76994a7 | \n", - "sync_aadcon_a5225d32ba79@seccxpninja.onmicrosoft.com | \n", - "4b2462a4-bbee-495a-a0e1-f23ae524cc9c | \n", - "Member | \n", - "None | \n", - "\n", - " | Sync_AADCON_a5225d32ba79@seccxpninja.onmicrosoft.com | \n", - "\n", - " | 4b2462a4-bbee-495a-a0e1-f23ae524cc9c | \n", - "4b2462a4-bbee-495a-a0e1-f23ae524cc9c | \n", - "SigninLogs | \n", - "Sucess | \n", - "38.73078155517578 | \n", - "-78.17196655273438 | \n", - "
5 rows × 69 columns
SigninLogs query result (selected columns of the 69 shown):

| | TimeGenerated | Identity | AppDisplayName | AuthenticationRequirement | UserPrincipalName | UserId | Location | Result | Latitude | Longitude |
|---|---|---|---|---|---|---|---|---|---|---|
| 0 | 2021-07-14 10:56:30.062000+00:00 | On-Premises Directory Synchronization Service Account | Microsoft Azure Active Directory Connect | singleFactorAuthentication | sync_dc01_3862ce34675f@seccxpninja.onmicrosoft.com | ee856d98-cecd-4dbe-8833-bdeec67847d0 | US | Sucess | 38.73078155517578 | -78.17196655273438 |
| 1 | 2021-07-14 10:56:34.868000+00:00 | On-Premises Directory Synchronization Service Account | Microsoft Azure Active Directory Connect | singleFactorAuthentication | sync_dc01_3862ce34675f@seccxpninja.onmicrosoft.com | ee856d98-cecd-4dbe-8833-bdeec67847d0 | US | Sucess | 38.73078155517578 | -78.17196655273438 |
| 2 | 2021-07-14 10:58:50.835000+00:00 | On-Premises Directory Synchronization Service Account | Microsoft Azure Active Directory Connect | singleFactorAuthentication | sync_aadcon_a5225d32ba79@seccxpninja.onmicrosoft.com | 2235a468-ad9c-4375-8008-0a7be76994a7 | US | Sucess | 38.7130012512207 | -78.15899658203125 |
| 3 | 2021-07-14 10:58:56.135000+00:00 | On-Premises Directory Synchronization Service Account | Microsoft Azure Active Directory Connect | singleFactorAuthentication | sync_aadcon_a5225d32ba79@seccxpninja.onmicrosoft.com | 2235a468-ad9c-4375-8008-0a7be76994a7 | US | Sucess | 38.7130012512207 | -78.15899658203125 |
| 4 | 2021-07-14 11:26:30.812000+00:00 | On-Premises Directory Synchronization Service Account | Microsoft Azure Active Directory Connect | singleFactorAuthentication | sync_dc01_3862ce34675f@seccxpninja.onmicrosoft.com | ee856d98-cecd-4dbe-8833-bdeec67847d0 | US | Sucess | 38.7130012512207 | -78.15899658203125 |

5 rows × 69 columns
| | AlertName | NumAlerts |
|---|---|---|
| 0 | Incident and Automation testing 01 | 342 |
| 1 | Malicious credential theft tool execution detected | 1361 |
| 2 | TI map IP entity to AzureActivity (enriched) | 690 |
| 3 | Possible contact with a domain generated by a DGA | 24 |
| 4 | Potential Password Spray | 140 |
| ... | ... | ... |
| 165 | PsExec execution detected | 1 |
| 166 | Rare application consent | 1 |
| 167 | Investigation priority score increase | 2 |
| 168 | Mail.Read Permissions Granted to Application | 1 |
| 169 | Mass Download | 1 |

170 rows × 2 columns
| | AlertName | NumAlerts |
|---|---|---|
| 0 | Malicious credential theft tool execution detected | 47 |
| 1 | Suspicious PowerShell command line | 22 |
| 2 | Suspected DCSync attack (replication of directory services) | 13 |
| 3 | Suspicious service registration | 15 |
| 4 | Irregular creation of Azure resources | 13 |
| ... | ... | ... |
| 173 | Password set to never expires | 1 |
| 174 | test | 1 |
| 175 | Suspicion of NotPetya Malware - Illegal SMB Transaction Detected | 1 |
| 176 | Suspicion of NotPetya Malware - Illegal SMB Parameters Detected | 1 |
| 177 | Invalid SMB Message (DoublePulsar Backdoor Implant) | 1 |

178 rows × 2 columns
OfficeActivity query result (selected columns of the 131 shown):

| | TimeGenerated | Operation | RecordType | UserType | UserKey | OfficeWorkload | ResultStatus | UserId | OperationProperties | AppId | ClientAppId | Type |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 0 | 2021-06-25 11:41:34+00:00 | MailItemsAccessed | 50 | Regular | 1003BFFDAAD121E2 | Exchange | Succeeded | pcadmin@seccxpninja.onmicrosoft.com | [{'Name': 'MailAccessType', 'Value': 'Bind'}, {'Name': 'IsThrottled', 'Value': 'False'}] | 7a5fbd1c-3e6d-461a-9075-83049393b3a7 | 7a5fbd1c-3e6d-461a-9075-83049393b3a7 | OfficeActivity |
| 1 | 2021-06-25 11:41:34+00:00 | MailItemsAccessed | 50 | Regular | 1003BFFDAAD121E2 | Exchange | Succeeded | pcadmin@seccxpninja.onmicrosoft.com | [{'Name': 'MailAccessType', 'Value': 'Bind'}, {'Name': 'IsThrottled', 'Value': 'False'}] | 7a5fbd1c-3e6d-461a-9075-83049393b3a7 | 7a5fbd1c-3e6d-461a-9075-83049393b3a7 | OfficeActivity |
| 2 | 2021-06-25 12:10:49+00:00 | MailItemsAccessed | 50 | Regular | 100320003F88D275 | Exchange | Succeeded | seb@seccxp.ninja | [{'Name': 'MailAccessType', 'Value': 'Bind'}, {'Name': 'IsThrottled', 'Value': 'False'}] | 7ab7862c-4c57-491e-8a45-d52a7e023983 | | OfficeActivity |
| 3 | 2021-06-25 12:55:30+00:00 | MailItemsAccessed | 50 | Regular | 100320003F8A6FC7 | Exchange | Succeeded | MeganB@seccxp.ninja | [{'Name': 'MailAccessType', 'Value': 'Bind'}, {'Name': 'IsThrottled', 'Value': 'False'}] | 414a677a-e50f-46ea-b89c-aebb8a9efbe2 | | OfficeActivity |
| 4 | 2021-06-25 12:55:30+00:00 | MailItemsAccessed | 50 | Regular | 100320003F8A6FC7 | Exchange | Succeeded | MeganB@seccxp.ninja | [{'Name': 'MailAccessType', 'Value': 'Bind'}, {'Name': 'IsThrottled', 'Value': 'False'}] | 414a677a-e50f-46ea-b89c-aebb8a9efbe2 | | OfficeActivity |

5 rows × 131 columns
OfficeActivity query result (selected columns of the 131 shown):

| | TimeGenerated | Operation | RecordType | UserType | UserKey | OfficeWorkload | ResultStatus | UserId | OperationProperties | AppId | ClientAppId | Type |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 0 | 2021-07-14 11:20:44+00:00 | MailItemsAccessed | 50 | Regular | 100320003C017CC9 | Exchange | Succeeded | FMorris@seccxpninja.onmicrosoft.com | [{'Name': 'MailAccessType', 'Value': 'Bind'}, {'Name': 'IsThrottled', 'Value': 'False'}] | 7a5fbd1c-3e6d-461a-9075-83049393b3a7 | 7a5fbd1c-3e6d-461a-9075-83049393b3a7 | OfficeActivity |
| 1 | 2021-07-14 11:20:44+00:00 | MailItemsAccessed | 50 | Regular | 100320003C017CC9 | Exchange | Succeeded | FMorris@seccxpninja.onmicrosoft.com | [{'Name': 'MailAccessType', 'Value': 'Bind'}, {'Name': 'IsThrottled', 'Value': 'False'}] | 7a5fbd1c-3e6d-461a-9075-83049393b3a7 | 7a5fbd1c-3e6d-461a-9075-83049393b3a7 | OfficeActivity |
| 2 | 2021-07-14 12:38:41+00:00 | MailItemsAccessed | 50 | Regular | 100320003F8A6FC7 | Exchange | Succeeded | MeganB@seccxp.ninja | [{'Name': 'MailAccessType', 'Value': 'Bind'}, {'Name': 'IsThrottled', 'Value': 'False'}] | 414a677a-e50f-46ea-b89c-aebb8a9efbe2 | | OfficeActivity |
| 3 | 2021-07-14 12:38:41+00:00 | MailItemsAccessed | 50 | Regular | 100320003F8A6FC7 | Exchange | Succeeded | MeganB@seccxp.ninja | [{'Name': 'MailAccessType', 'Value': 'Bind'}, {'Name': 'IsThrottled', 'Value': 'False'}] | 414a677a-e50f-46ea-b89c-aebb8a9efbe2 | | OfficeActivity |
| 4 | 2021-07-14 12:38:41+00:00 | MailItemsAccessed | 50 | Regular | 100320003F8A6FC7 | Exchange | Succeeded | MeganB@seccxp.ninja | [{'Name': 'MailAccessType', 'Value': 'Bind'}, {'Name': 'IsThrottled', 'Value': 'False'}] | 414a677a-e50f-46ea-b89c-aebb8a9efbe2 | | OfficeActivity |

5 rows × 131 columns
| VirusTotal | |
|---|---|
| verbose_msg | IP address in dataset |
| response_code | 1 |
| positives | 346 |
| VirusTotal | |
|---|---|
| verbose_msg | IP address in dataset |
| response_code | 1 |
| positives | 217 |
{'as_owner': 'Strato AG',\n
'asn': 6724,
'country': 'DE',
'detected_communicating_samples': [{'date': '2021-06-11 01:23:22',
'positives': 13,
'sha256': 'ab12b5d03f8467a1089d3d40ef9c4a54fb16ee61bb68714040e9edf96b5e763f',
'total': 74},
{'date': '2021-06-10 07:31:53',
'positives': 30,
'sha256': '1aaf7bc48ff75e870db4fe6ec0b3ed9d99876d7e2fb3d5c4613cca92bbb95e1b',
'total': 75},
{'date': '2021-06-09 02:36:09',
'positives': 30,
'sha256': '36bf7b2ab7968880ccc696927c03167b6056e73043fd97a33d2468383a5bafce',
'total': 75},
{'date': '2021-05-17 21:40:23',
'positives': 13,
'sha256': '39ac019520a278e350065d12ebc0c24201584390724f3d8e0dc828664fee6cae',
'total': 74},
{'date': '2021-05-12 12:46:23',
'positives': 6,
'sha256': 'b60ffcc7153650d6a232b1cb249924b0c6384c27681860eb13b12f4705bc0a05',
'total': 75},
{'date': '2021-05-11 08:32:51',
'positives': 14,
'sha256': '1ad0104478301e73e3f49cdeb10f8c1a1d54bccf9248e34ff81352598f112e6b',
'total': 75},
{'date': '2021-04-21 10:08:11',
'positives': 16,
'sha256': '7b6f7c48256a8df2041e8726c3490ccb6987e1a76fee947e148ea68eee036889',
'total': 76},
{'date': '2021-03-31 15:34:40',
'positives': 20,
'sha256': 'ae3e4a1c8a2b661265e6c8c756e3ba472dc7177cae79fe1861ab0c2d1af5167a',
'total': 75},
{'date': '2021-03-27 04:35:12',
'positives': 22,
'sha256': '3b280a4017ef2c2aef4b3ed8bb47516b816166998462899935afb39b533890ad',
'total': 75},
{'date': '2020-08-18 19:53:07',
'positives': 3,
'sha256': '0742efecbd7af343213a50cc5fd5cd2f8475613cfe6fb51f4296a7ec4533940d',
'total': 74}],
'detected_downloaded_samples': [{'date': '2021-06-29 11:54:16',
'positives': 26,
'sha256': '75a733d99d72d1d0d6ca99ec852d97ae8c515ed136e12195e96adf6df7bbad41',
'total': 75},
{'date': '2021-07-08 08:53:31',
'positives': 36,
'sha256': '252bf8c685289759b90c1de6f9db345c2cfe62e6f8aad9a7f44dfb3c8508487a',
'total': 74},
{'date': '2021-07-08 08:53:30',
'positives': 38,
'sha256': 'e15550481e89dbd154b875ce50cc5af4b49f9ff7b837d9ac5b5594e5d63966a3',
'total': 74},
{'date': '2021-06-10 07:32:43',
'positives': 33,
'sha256': '139f393594aabb20543543bd7d3192422b886f58e04a910637b41f14d0cad375',
'total': 75},
{'date': '2021-06-10 07:31:49',
'positives': 34,
'sha256': 'a506c6cf25de202e6b2bf60fe0236911a6ff8aa33f12a78edad9165ab0851caf',
'total': 75},
{'date': '2021-03-02 07:13:18',
'positives': 33,
'sha256': 'feb0a0f5ffba9d7b7d6878a8890a6d67d3f8ef6106e4e88719a63c3351e46a06',
'total': 76},
{'date': '2021-02-08 02:39:20',
'positives': 18,
'sha256': '230e2a06df2cd7574ee15cb13714d77182f28d50f83a6ed58af39f1966177769',
'total': 76},
{'date': '2020-10-31 16:15:20',
'positives': 30,
'sha256': '36bf7b2ab7968880ccc696927c03167b6056e73043fd97a33d2468383a5bafce',
'total': 76},
{'date': '2020-10-19 16:08:06',
'positives': 28,
'sha256': '1aaf7bc48ff75e870db4fe6ec0b3ed9d99876d7e2fb3d5c4613cca92bbb95e1b',
'total': 75},
{'date': '2020-09-09 11:54:11',
'positives': 24,
'sha256': '9750b3be953bd31322dd173ca18f29e5997029b28b24fbeb5fec7ebb1974cb09',
'total': 73},
{'date': '2020-09-06 07:41:39',
'positives': 23,
'sha256': 'c0ab7d1caabdd090b2399cd1193d2cc2334218d3f3f0d3164b61b6014fd308e9',
'total': 73},
{'date': '2020-09-09 11:30:10',
'positives': 1,
'sha256': '767fc7ae032403bce2dbcefa525cf1a9fd02bbb185e45aa88d9bc28a5f22a2b6',
'total': 73},
{'date': '2020-07-22 02:02:29',
'positives': 26,
'sha256': '132df864f6750d29bf9f762b298f377c13b899aa8d07c0a6bda58adcffd0d6f7',
'total': 76},
{'date': '2020-08-20 06:57:04',
'positives': 30,
'sha256': '2c40b76408d59f906f60db97ea36503bfc59aed22a154f5d564d8449c300594f',
'total': 75}],
'detected_referrer_samples': [{'date': '2020-09-09 11:30:10',
'positives': 1,
'sha256': '767fc7ae032403bce2dbcefa525cf1a9fd02bbb185e45aa88d9bc28a5f22a2b6',
'total': 73}],
'detected_urls': [{'positives': 10,
'scan_date': '2021-07-14 02:19:07',
'total': 89,
'url': 'http://85.214.149.236/sugarcrm/themes/default/images/'},
{'positives': 9,
'scan_date': '2021-07-14 00:09:39',
'total': 89,
'url': 'http://85.214.149.236:443/sugarcrm/themes/default/images/stock.jpg'},
{'positives': 11,
'scan_date': '2021-07-09 11:00:43',
'total': 89,
'url': 'http://85.214.149.236:443/sugarcrm/themes/default/images/tshd.jpg'},
{'positives': 8,
'scan_date': '2021-07-08 11:39:22',
'total': 89,
'url': 'http://85.214.149.236/'},
{'positives': 12,
'scan_date': '2021-07-08 08:55:14',
'total': 90,
'url': 'http://85.214.149.236:443/sugarcrm/themes/default/images/bioset.jpg'},
{'positives': 9,
'scan_date': '2021-06-28 02:32:40',
'total': 89,
'url': 'http://85.214.149.236:443/sugarcrm/themes/default/images/mod.jpg'},
{'positives': 10,
'scan_date': '2021-06-26 00:05:01',
'total': 89,
'url': 'http://85.214.149.236:443/sugarcrm/themes/default/images/default.jpg'},
{'positives': 12,
'scan_date': '2021-06-23 12:00:19',
'total': 88,
'url': 'http://dockerupdate.anondns.net/'},
{'positives': 12,
'scan_date': '2021-06-21 01:57:07',
'total': 88,
'url': 'http://dockerupdate.anondns.net:443/sugarcrm/themes/default/images/'},
{'positives': 8,
'scan_date': '2021-06-21 01:50:52',
'total': 89,
'url': 'http://85.214.149.236:443/sugarcrm/themes/default/images/'},
{'positives': 9,
'scan_date': '2021-06-19 00:07:04',
'total': 89,
'url': 'http://85.214.149.236:443/sugarcrm/themes/default/images/kube.jpg'},
{'positives': 7,
'scan_date': '2021-06-16 08:08:57',
'total': 89,
'url': 'http://85.214.149.236:443/'},
{'positives': 8,
'scan_date': '2021-06-09 03:40:07',
'total': 89,
'url': 'https://85.214.149.236/sugarcrm/themes/default/images'},
{'positives': 7,
'scan_date': '2021-06-09 03:18:37',
'total': 89,
'url': 'https://85.214.149.236/sugarcrm/themes/default/images/'},
{'positives': 8,
'scan_date': '2021-06-08 15:50:06',
'total': 89,
'url': 'http://85.214.149.236:443/sugarcrm/themes/default/images'},
{'positives': 6,
'scan_date': '2021-04-21 00:07:34',
'total': 87,
'url': 'http://85.214.149.236/sugarcrm/themes/default/images/stock.jpg'},
{'positives': 5,
'scan_date': '2021-04-01 13:42:58',
'total': 85,
'url': 'http://85.214.149.236/sugarcrm/themes/default/images/mod.jpg'},
{'positives': 9,
'scan_date': '2021-03-19 18:12:09',
'total': 85,
'url': 'http://dockerupdate.anondns.net:443/sugarcrm/themes/default/images/Carray.jpg'},
{'positives': 6,
'scan_date': '2021-01-12 10:34:27',
'total': 83,
'url': 'http://85.214.149.236/sugarcrm/themes/default/images/kube.jpg'},
{'positives': 10,
'scan_date': '2020-12-28 02:17:00',
'total': 83,
'url': 'http://dockerupdate.anondns.net/sugarcrm/themes/default/images/'},
{'positives': 6,
'scan_date': '2020-12-19 10:34:37',
'total': 83,
'url': 'http://85.214.149.236/sugarcrm/themes/default/images/default.jpg'},
{'positives': 6,
'scan_date': '2020-11-12 16:50:51',
'total': 81,
'url': 'http://85.214.149.236/sugarcrm/themes'},
{'positives': 14,
'scan_date': '2020-11-10 11:01:42',
'total': 81,
'url': 'http://dockerupdate.anondns.net:443/sugarcrm/themes/default/images/mos.jpg'},
{'positives': 14,
'scan_date': '2020-11-08 15:00:49',
'total': 81,
'url': 'http://dockerupdate.anondns.net:443/sugarcrm/themes/default/images/nk.jpg'},
{'positives': 6,
'scan_date': '2020-11-04 19:21:25',
'total': 81,
'url': 'http://85.214.149.236/sugarcrm/themes/default'},
{'positives': 6,
'scan_date': '2020-10-29 00:55:07',
'total': 81,
'url': 'http://85.214.149.236/sugarcrm/themes/default/images'},
{'positives': 12,
'scan_date': '2020-09-28 03:26:34',
'total': 80,
'url': 'http://dockerupdate.anondns.net:443/sugarcrm'},
{'positives': 9,
'scan_date': '2020-09-28 03:06:19',
'total': 80,
'url': 'http://85.214.149.236/sugarcrm/.../dns'},
{'positives': 11,
'scan_date': '2020-09-24 14:01:08',
'total': 80,
'url': 'http://dockerupdate.anondns.net/sugarcrm/themes/default/images'},
{'positives': 12,
'scan_date': '2020-09-21 17:20:19',
'total': 80,
'url': 'http://dockerupdate.anondns.net:443/sugarcrm/themes/default/images/carray.jpg'},
{'positives': 6,
'scan_date': '2020-09-20 16:04:57',
'total': 80,
'url': 'http://85.214.149.236/sugarcrm'},
{'positives': 9,
'scan_date': '2020-09-17 17:36:08',
'total': 80,
'url': 'http://85.214.149.236:443/sugarcrm/banner.php'},
{'positives': 11,
'scan_date': '2020-09-10 07:55:21',
'total': 80,
'url': 'http://dockerupdate.anondns.net:443/sugarcrm/'},
{'positives': 10,
'scan_date': '2020-09-09 12:06:14',
'total': 80,
'url': 'http://dockerupdate.anondns.net:443/sugarcrm/themes/default/images/Carray.jpg/'},
{'positives': 4,
'scan_date': '2020-09-09 12:05:12',
'total': 80,
'url': 'http://85.214.149.236:443/sugarcrm/themes/default/images/bioset.jpg/'},
{'positives': 11,
'scan_date': '2020-09-09 11:59:35',
'total': 80,
'url': 'http://dockerupdate.anondns.net/sugarcrm/themes/default/images/mos.jpg'},
{'positives': 5,
'scan_date': '2020-09-09 11:48:55',
'total': 80,
'url': 'http://85.214.149.236:443/sugarcrm/.../run'},
{'positives': 4,
'scan_date': '2020-09-09 11:44:28',
'total': 80,
'url': 'http://85.214.149.236:443/sugarcrm/themes/default/images/mod.js'},
{'positives': 6,
'scan_date': '2020-09-09 11:35:26',
'total': 80,
'url': 'http://85.214.149.236:443/sugarcrm/.../cron.sh'},
{'positives': 11,
'scan_date': '2020-09-09 11:30:00',
'total': 80,
'url': 'http://dockerupdate.anondns.net/sugarcrm/themes/default/images/nk.jpg'},
{'positives': 5,
'scan_date': '2020-09-05 03:44:35',
'total': 80,
'url': 'http://85.214.149.236/sugarcrm/...'},
{'positives': 8,
'scan_date': '2020-09-02 06:09:23',
'total': 80,
'url': 'https://dockerupdate.anondns.net/'},
{'positives': 6,
'scan_date': '2020-09-01 17:37:50',
'total': 79,
'url': 'http://85.214.149.236:443/sugarcrm/.../dns'},
{'positives': 1,
'scan_date': '2020-08-28 08:15:47',
'total': 78,
'url': 'http://85.214.149.236:443/sugarcrm/themes/default/images/mod.js\"'},
{'positives': 2,
'scan_date': '2020-08-27 13:22:06',
'total': 78,
'url': 'http://85.214.149.236:443/sugarcrm/themes/default/images/zgrab.jpg'},
{'positives': 7,
'scan_date': '2020-08-25 14:52:00',
'total': 79,
'url': 'http://dockerupdate.anondns.net:443/sugarcrm/themes/default/images/portjoe.jpg'},
{'positives': 7,
'scan_date': '2020-08-25 07:02:55',
'total': 79,
'url': 'http://dockerupdate.anondns.net:443/sugarcrm/themes/default/images'},
{'positives': 4,
'scan_date': '2020-08-24 07:34:44',
'total': 79,
'url': 'http://dockerupdate.anondns.net:443/sugarcrm/themes/default/images/01.jpg'}],
'resolutions': [{'hostname': 'dockerupdate.anondns.net',
'last_resolved': '2020-08-14 18:56:08'},
{'hostname': 'h2381205.stratoserver.net',
'last_resolved': '2020-08-06 12:19:57'}],
'response_code': 1,
'undetected_communicating_samples': [{'date': '2021-06-24 10:15:37',
'positives': 0,
'sha256': '7149b53e4a3f9de2a7d47190af64f8b609618ed09f8440a64175049a90336775',
'total': 75},
{'date': '2021-06-09 10:51:49',
'positives': 0,
'sha256': '45cc4f38340bf1d4bb0010114ccf03112d14dee7815aa797d20854605fdca2d2',
'total': 74},
{'date': '2021-06-12 19:00:20',
'positives': 0,
'sha256': '020531aef7e069ee6e384f2fe9c49db9d99292d559c72da95276c2788b17d386',
'total': 74},
{'date': '2020-12-10 15:39:02',
'positives': 0,
'sha256': 'd9c46904d5bb808f2f0c28e819a31703f5155c4df66c4c4669f5d9e81f25dc66',
'total': 75},
{'date': '2020-08-28 07:36:29',
'positives': 0,
'sha256': 'd333c3cfb8b9ad1da5ee50f96a55dfbe70196f05fd88b5f04e925e32305cfff8',
'total': 73},
{'date': '2020-08-28 07:40:32',
'positives': 0,
'sha256': '18c178fb224ec17718e5f70a92041e721d9e380e70063cc4bfe3f61d6feb72d9',
'total': 73},
{'date': '2020-08-28 07:35:10',
'positives': 0,
'sha256': 'a5d14bb053b03e81e58101516c782360fe64d6469852c6aa06fc47c08b30b127',
'total': 73},
{'date': '2020-08-26 22:30:40',
'positives': 0,
'sha256': 'ba16f24e6294e8da28782c1d8e00189950dd4cbbb061ef13d1a4d84305651768',
'total': 73},
{'date': '2020-08-26 14:29:14',
'positives': 0,
'sha256': '1861eee8333dadcfe0d0dc10461f5f82fada8e42db9aa9efba6f258182e9c546',
'total': 73},
{'date': '2020-08-24 07:12:27',
'positives': 0,
'sha256': 'b485e6ccc9cfeb9c2034cebfeaf1bb3b3db0ac9996e5260fc1e95ce852b757c4',
'total': 73}],
'undetected_downloaded_samples': [{'date': '2020-09-09 11:44:35',
'positives': 0,
'sha256': 'e8812c8ff47b0542c7ee4d6bdff5bfbfd488a8e363d884074089c54b6ffc9789',
'total': 73},
{'date': '2020-07-16 04:03:02',
'positives': 0,
'sha256': '1474298ed7a5c63ca8098794cd743a276807cca0e678e046160718626bb038f3',
'total': 76}],
'undetected_referrer_samples': [],
'undetected_urls': [['http://h2381205.stratoserver.net/',
'011bcc2795245bb9fac15c54e0e189b0c6e2f24c42c57fec7cfc654a8bb95106',
0,
80,
'2020-11-02 13:02:39'],
['http://85.214.149.236:443/sugarcrm/.../',
'9ffbd9455f6aa190b4270b0d8bfe2c863c6495b94b0f510169999135476e4ed4',
0,
79,
'2020-07-14 10:52:05']],
'verbose_msg': 'IP address in dataset'}
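Review bot: the VirusTotal IP-report output in this cell is committed twice in full (the dict ending in `'verbose_msg': 'IP address in dataset'}` is repeated, starting again at `{'as_owner': 'Strato AG',` directly after the summary table), and it carries third-party indicators (the `85.214.149.236` / `dockerupdate.anondns.net` URLs, the `sha256` sample hashes and the `resolutions` entries) as static notebook output. For a getting-started notebook the outputs should be cleared before committing, or at most one truncated rendering kept: the snapshot is stale the moment the cell is re-run, it embeds live IoCs in a sample document, and the duplicate alone adds several hundred lines to the diff that a reviewer has to scroll past. Also note the stray literal `\n` left at the end of the `{'as_owner': 'Strato AG',\n` line in the second copy, which suggests the output was pasted from the raw JSON rather than produced by the kernel.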
tag --- ...uide For Azure Sentinel ML Notebooks.ipynb | 1604 ++++++++++++++--- 1 file changed, 1383 insertions(+), 221 deletions(-) diff --git a/A Getting Started Guide For Azure Sentinel ML Notebooks.ipynb b/A Getting Started Guide For Azure Sentinel ML Notebooks.ipynb index 5e92fb7..a97a4ce 100644 --- a/A Getting Started Guide For Azure Sentinel ML Notebooks.ipynb +++ b/A Getting Started Guide For Azure Sentinel ML Notebooks.ipynb @@ -4,52 +4,52 @@ "cell_type": "markdown", "metadata": {}, "source": [ - "# Getting Started with Azure ML Notebooks and Azure Sentinel\r\n", - "\r\n", - "---\r\n", - "\r\n", - "# Contents\r\n", - "\r\n", - "- Introduction\r\n", - "- What is a Jupyter Notebook\r\n", - "- Setting up the notebook environment\r\n", - "- Notebook/MSTICPy configuration\r\n", - "- Querying data from Azure Sentinel\r\n", - "- Testing Threat Intelligence and IP Geolocation lookups\r\n", - "- Further Resources\r\n", - "- FAQs - Frequently Asked Questions\r\n", - "\r\n", - "---\r\n", - "\r\n", - "# Introduction\r\n", - "\r\n", - "This notebook takes you through the basics needed to get started with Azure Machine Learning (ML) Notebooks and Azure Sentinel.\r\n", - "\r\n", - "It focuses on getting things set up and basic steps to query data.\r\n", - "\r\n", - "After you've finished running this notebook you can go on to look at the following notebooks:\r\n", - "\r\n", - "- **A Tour of Cybersec notebook features** - this takes you through some of the basic\r\n", - " features for CyberSec investigation/hunting available to you in notebooks.\r\n", - "- **Configuring your environment** - this covers all of the configuration options for \r\n", - " accessing external cybersec resources\r\n", - "\r\n", - "\r\n", - "Each topic includes 'learn more' sections to provide you with the resource to deep\r\n", - "dive into each of these topics. We encourage you to work through the notebook from start\r\n", - "to finish.\r\n", - "\r\n", - "
Note: \r\n",
- "This notebook assumes that you are running in Azure ML\r\n",
- "but most of the guidance is applicable to other notebook environments, include local notebooks.\r\n",
- "\r\n",
- "\r\n",
- "
\r\n",
- "\r\n",
- "
Note: \n", + "This notebook assumes that you are running in Azure ML\n", + "but most of the guidance is applicable to other notebook environments, include local notebooks.\n", + "
\n", + "\n", + "\r\n", - " For more details see the\r\n", - " \r\n", - " MSTICPy GeoIP Providers documentation\r\n", - "
\r\n", - "\n", + " For more details see the\n", + " \n", + " MSTICPy GeoIP Providers documentation\n", + "
\n", + "Parameters
Query
{table} {query_project} HuntingBookmark \n| where BookmarkId =~ \"{bookmark_id}\" \n| extend QryResults = todynamic(QueryResultRow) \n| extend Computer = QryResults[\"Computer\"] \n| extend Account = QryResults[\"Account\"] \n| extend Entities = QryResults.__entityMapping \n| project-away QryResults \n| where SoftDeleted == false {add_query_items}
Example
\n{QueryProvider}[.QueryPath].QueryName(params...)
\nqry_prov.AzureSentinel.get_bookmark_by_id(start=start, end=end, hostname=host)\n " + "text/html": [ + "
Parameters
Query
{table} {query_project} HuntingBookmark \n", + "| where BookmarkId =~ \"{bookmark_id}\" \n", + "| extend QryResults = todynamic(QueryResultRow) \n", + "| extend Computer = QryResults[\"Computer\"] \n", + "| extend Account = QryResults[\"Account\"] \n", + "| extend Entities = QryResults.__entityMapping \n", + "| project-away QryResults \n", + "| where SoftDeleted == false {add_query_items}
Example
\n", + "{QueryProvider}[.QueryPath].QueryName(params...)
\n", + "qry_prov.AzureSentinel.get_bookmark_by_id(start=start, end=end, hostname=host)\n", + " " + ], + "text/plain": [ + "
\n", + " | TenantId | \n", + "SourceSystem | \n", + "TimeGenerated | \n", + "ResourceId | \n", + "OperationName | \n", + "OperationVersion | \n", + "Category | \n", + "ResultType | \n", + "ResultSignature | \n", + "ResultDescription | \n", + "DurationMs | \n", + "CorrelationId | \n", + "Resource | \n", + "ResourceGroup | \n", + "ResourceProvider | \n", + "Identity | \n", + "Level | \n", + "Location | \n", + "AlternateSignInName | \n", + "AppDisplayName | \n", + "AppId | \n", + "AuthenticationDetails | \n", + "AuthenticationMethodsUsed | \n", + "AuthenticationProcessingDetails | \n", + "AuthenticationRequirement | \n", + "... | \n", + "RiskLevelDuringSignIn | \n", + "RiskState | \n", + "ResourceDisplayName | \n", + "ResourceIdentity | \n", + "ServicePrincipalId | \n", + "ServicePrincipalName | \n", + "Status | \n", + "TokenIssuerName | \n", + "TokenIssuerType | \n", + "UserAgent | \n", + "UserDisplayName | \n", + "UserId | \n", + "UserPrincipalName | \n", + "AADTenantId | \n", + "UserType | \n", + "FlaggedForReview | \n", + "IPAddressFromResourceProvider | \n", + "SignInIdentifier | \n", + "SignInIdentifierType | \n", + "ResourceTenantId | \n", + "HomeTenantId | \n", + "Type | \n", + "Result | \n", + "Latitude | \n", + "Longitude | \n", + "
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
0 | \n", + "8ecf8077-cf51-4820-aadd-14040956f35d | \n", + "Azure AD | \n", + "2021-07-14 10:56:30.062000+00:00 | \n", + "/tenants/4b2462a4-bbee-495a-a0e1-f23ae524cc9c/providers/Microsoft.aadiam | \n", + "Sign-in activity | \n", + "1.0 | \n", + "SignInLogs | \n", + "0 | \n", + "None | \n", + "\n", + " | 0 | \n", + "0a4ca097-b33d-4ed7-a19e-ad34bc299cd0 | \n", + "Microsoft.aadiam | \n", + "Microsoft.aadiam | \n", + "\n", + " | On-Premises Directory Synchronization Service Account | \n", + "4 | \n", + "US | \n", + "Sync_DC01_3862ce34675f@seccxpninja.onmicrosoft.com | \n", + "Microsoft Azure Active Directory Connect | \n", + "cb1056e2-e479-49de-ae31-7812af012ed8 | \n", + "[\\r\\n {\\r\\n \"authenticationStepDateTime\": \"2021-07-14T10:56:30.0626249+00:00\",\\r\\n \"authe... | \n", + "\n", + " | [\\r\\n {\\r\\n \"key\": \"IsCAEToken\",\\r\\n \"value\": \"False\"\\r\\n }\\r\\n] | \n", + "singleFactorAuthentication | \n", + "... | \n", + "none | \n", + "none | \n", + "Windows Azure Active Directory | \n", + "00000002-0000-0000-c000-000000000000 | \n", + "\n", + " | \n", + " | {'errorCode': 0} | \n", + "\n", + " | AzureAD | \n", + "\n", + " | On-Premises Directory Synchronization Service Account | \n", + "ee856d98-cecd-4dbe-8833-bdeec67847d0 | \n", + "sync_dc01_3862ce34675f@seccxpninja.onmicrosoft.com | \n", + "4b2462a4-bbee-495a-a0e1-f23ae524cc9c | \n", + "Member | \n", + "None | \n", + "\n", + " | Sync_DC01_3862ce34675f@seccxpninja.onmicrosoft.com | \n", + "\n", + " | 4b2462a4-bbee-495a-a0e1-f23ae524cc9c | \n", + "4b2462a4-bbee-495a-a0e1-f23ae524cc9c | \n", + "SigninLogs | \n", + "Sucess | \n", + "38.73078155517578 | \n", + "-78.17196655273438 | \n", + "
1 | \n", + "8ecf8077-cf51-4820-aadd-14040956f35d | \n", + "Azure AD | \n", + "2021-07-14 10:56:34.868000+00:00 | \n", + "/tenants/4b2462a4-bbee-495a-a0e1-f23ae524cc9c/providers/Microsoft.aadiam | \n", + "Sign-in activity | \n", + "1.0 | \n", + "SignInLogs | \n", + "0 | \n", + "None | \n", + "\n", + " | 0 | \n", + "dc57cafa-79fc-4c8e-83bc-c98e2ea9e3d8 | \n", + "Microsoft.aadiam | \n", + "Microsoft.aadiam | \n", + "\n", + " | On-Premises Directory Synchronization Service Account | \n", + "4 | \n", + "US | \n", + "Sync_DC01_3862ce34675f@seccxpninja.onmicrosoft.com | \n", + "Microsoft Azure Active Directory Connect | \n", + "cb1056e2-e479-49de-ae31-7812af012ed8 | \n", + "[\\r\\n {\\r\\n \"authenticationStepDateTime\": \"2021-07-14T10:56:34.8688399+00:00\",\\r\\n \"authe... | \n", + "\n", + " | [\\r\\n {\\r\\n \"key\": \"IsCAEToken\",\\r\\n \"value\": \"False\"\\r\\n }\\r\\n] | \n", + "singleFactorAuthentication | \n", + "... | \n", + "none | \n", + "none | \n", + "Windows Azure Active Directory | \n", + "00000002-0000-0000-c000-000000000000 | \n", + "\n", + " | \n", + " | {'errorCode': 0} | \n", + "\n", + " | AzureAD | \n", + "\n", + " | On-Premises Directory Synchronization Service Account | \n", + "ee856d98-cecd-4dbe-8833-bdeec67847d0 | \n", + "sync_dc01_3862ce34675f@seccxpninja.onmicrosoft.com | \n", + "4b2462a4-bbee-495a-a0e1-f23ae524cc9c | \n", + "Member | \n", + "None | \n", + "\n", + " | Sync_DC01_3862ce34675f@seccxpninja.onmicrosoft.com | \n", + "\n", + " | 4b2462a4-bbee-495a-a0e1-f23ae524cc9c | \n", + "4b2462a4-bbee-495a-a0e1-f23ae524cc9c | \n", + "SigninLogs | \n", + "Sucess | \n", + "38.73078155517578 | \n", + "-78.17196655273438 | \n", + "
2 | \n", + "8ecf8077-cf51-4820-aadd-14040956f35d | \n", + "Azure AD | \n", + "2021-07-14 10:58:50.835000+00:00 | \n", + "/tenants/4b2462a4-bbee-495a-a0e1-f23ae524cc9c/providers/Microsoft.aadiam | \n", + "Sign-in activity | \n", + "1.0 | \n", + "SignInLogs | \n", + "0 | \n", + "None | \n", + "\n", + " | 0 | \n", + "c08798f2-1c1e-4aba-a21b-74f8980ba40b | \n", + "Microsoft.aadiam | \n", + "Microsoft.aadiam | \n", + "\n", + " | On-Premises Directory Synchronization Service Account | \n", + "4 | \n", + "US | \n", + "Sync_AADCON_a5225d32ba79@seccxpninja.onmicrosoft.com | \n", + "Microsoft Azure Active Directory Connect | \n", + "cb1056e2-e479-49de-ae31-7812af012ed8 | \n", + "[\\r\\n {\\r\\n \"authenticationStepDateTime\": \"2021-07-14T10:58:50.8358827+00:00\",\\r\\n \"authe... | \n", + "\n", + " | [\\r\\n {\\r\\n \"key\": \"IsCAEToken\",\\r\\n \"value\": \"False\"\\r\\n }\\r\\n] | \n", + "singleFactorAuthentication | \n", + "... | \n", + "none | \n", + "none | \n", + "Windows Azure Active Directory | \n", + "00000002-0000-0000-c000-000000000000 | \n", + "\n", + " | \n", + " | {'errorCode': 0} | \n", + "\n", + " | AzureAD | \n", + "\n", + " | On-Premises Directory Synchronization Service Account | \n", + "2235a468-ad9c-4375-8008-0a7be76994a7 | \n", + "sync_aadcon_a5225d32ba79@seccxpninja.onmicrosoft.com | \n", + "4b2462a4-bbee-495a-a0e1-f23ae524cc9c | \n", + "Member | \n", + "None | \n", + "\n", + " | Sync_AADCON_a5225d32ba79@seccxpninja.onmicrosoft.com | \n", + "\n", + " | 4b2462a4-bbee-495a-a0e1-f23ae524cc9c | \n", + "4b2462a4-bbee-495a-a0e1-f23ae524cc9c | \n", + "SigninLogs | \n", + "Sucess | \n", + "38.7130012512207 | \n", + "-78.15899658203125 | \n", + "
3 | \n", + "8ecf8077-cf51-4820-aadd-14040956f35d | \n", + "Azure AD | \n", + "2021-07-14 10:58:56.135000+00:00 | \n", + "/tenants/4b2462a4-bbee-495a-a0e1-f23ae524cc9c/providers/Microsoft.aadiam | \n", + "Sign-in activity | \n", + "1.0 | \n", + "SignInLogs | \n", + "0 | \n", + "None | \n", + "\n", + " | 0 | \n", + "7c229664-97a5-4621-b5f9-31fa223c5952 | \n", + "Microsoft.aadiam | \n", + "Microsoft.aadiam | \n", + "\n", + " | On-Premises Directory Synchronization Service Account | \n", + "4 | \n", + "US | \n", + "Sync_AADCON_a5225d32ba79@seccxpninja.onmicrosoft.com | \n", + "Microsoft Azure Active Directory Connect | \n", + "cb1056e2-e479-49de-ae31-7812af012ed8 | \n", + "[\\r\\n {\\r\\n \"authenticationStepDateTime\": \"2021-07-14T10:58:56.1354096+00:00\",\\r\\n \"authe... | \n", + "\n", + " | [\\r\\n {\\r\\n \"key\": \"IsCAEToken\",\\r\\n \"value\": \"False\"\\r\\n }\\r\\n] | \n", + "singleFactorAuthentication | \n", + "... | \n", + "none | \n", + "none | \n", + "Windows Azure Active Directory | \n", + "00000002-0000-0000-c000-000000000000 | \n", + "\n", + " | \n", + " | {'errorCode': 0} | \n", + "\n", + " | AzureAD | \n", + "\n", + " | On-Premises Directory Synchronization Service Account | \n", + "2235a468-ad9c-4375-8008-0a7be76994a7 | \n", + "sync_aadcon_a5225d32ba79@seccxpninja.onmicrosoft.com | \n", + "4b2462a4-bbee-495a-a0e1-f23ae524cc9c | \n", + "Member | \n", + "None | \n", + "\n", + " | Sync_AADCON_a5225d32ba79@seccxpninja.onmicrosoft.com | \n", + "\n", + " | 4b2462a4-bbee-495a-a0e1-f23ae524cc9c | \n", + "4b2462a4-bbee-495a-a0e1-f23ae524cc9c | \n", + "SigninLogs | \n", + "Sucess | \n", + "38.7130012512207 | \n", + "-78.15899658203125 | \n", + "
4 | \n", + "8ecf8077-cf51-4820-aadd-14040956f35d | \n", + "Azure AD | \n", + "2021-07-14 11:26:30.812000+00:00 | \n", + "/tenants/4b2462a4-bbee-495a-a0e1-f23ae524cc9c/providers/Microsoft.aadiam | \n", + "Sign-in activity | \n", + "1.0 | \n", + "SignInLogs | \n", + "0 | \n", + "None | \n", + "\n", + " | 0 | \n", + "5d31f207-8c2f-4c19-ada8-4a89630a7b1e | \n", + "Microsoft.aadiam | \n", + "Microsoft.aadiam | \n", + "\n", + " | On-Premises Directory Synchronization Service Account | \n", + "4 | \n", + "US | \n", + "Sync_DC01_3862ce34675f@seccxpninja.onmicrosoft.com | \n", + "Microsoft Azure Active Directory Connect | \n", + "cb1056e2-e479-49de-ae31-7812af012ed8 | \n", + "[\\r\\n {\\r\\n \"authenticationStepDateTime\": \"2021-07-14T11:26:30.8128251+00:00\",\\r\\n \"authe... | \n", + "\n", + " | [\\r\\n {\\r\\n \"key\": \"IsCAEToken\",\\r\\n \"value\": \"False\"\\r\\n }\\r\\n] | \n", + "singleFactorAuthentication | \n", + "... | \n", + "none | \n", + "none | \n", + "Windows Azure Active Directory | \n", + "00000002-0000-0000-c000-000000000000 | \n", + "\n", + " | \n", + " | {'errorCode': 0} | \n", + "\n", + " | AzureAD | \n", + "\n", + " | On-Premises Directory Synchronization Service Account | \n", + "ee856d98-cecd-4dbe-8833-bdeec67847d0 | \n", + "sync_dc01_3862ce34675f@seccxpninja.onmicrosoft.com | \n", + "4b2462a4-bbee-495a-a0e1-f23ae524cc9c | \n", + "Member | \n", + "None | \n", + "\n", + " | Sync_DC01_3862ce34675f@seccxpninja.onmicrosoft.com | \n", + "\n", + " | 4b2462a4-bbee-495a-a0e1-f23ae524cc9c | \n", + "4b2462a4-bbee-495a-a0e1-f23ae524cc9c | \n", + "SigninLogs | \n", + "Sucess | \n", + "38.7130012512207 | \n", + "-78.15899658203125 | \n", + "
5 rows × 69 columns
\n", + "\n | TenantId | \nSourceSystem | \nTimeGenerated | \nResourceId | \nOperationName | \nOperationVersion | \nCategory | \nResultType | \nResultSignature | \nResultDescription | \nDurationMs | \nCorrelationId | \nResource | \nResourceGroup | \nResourceProvider | \nIdentity | \nLevel | \nLocation | \nAlternateSignInName | \nAppDisplayName | \nAppId | \nAuthenticationDetails | \nAuthenticationMethodsUsed | \nAuthenticationProcessingDetails | \nAuthenticationRequirement | \n... | \nRiskLevelDuringSignIn | \nRiskState | \nResourceDisplayName | \nResourceIdentity | \nServicePrincipalId | \nServicePrincipalName | \nStatus | \nTokenIssuerName | \nTokenIssuerType | \nUserAgent | \nUserDisplayName | \nUserId | \nUserPrincipalName | \nAADTenantId | \nUserType | \nFlaggedForReview | \nIPAddressFromResourceProvider | \nSignInIdentifier | \nSignInIdentifierType | \nResourceTenantId | \nHomeTenantId | \nType | \nResult | \nLatitude | \nLongitude | \n
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
0 | \n8ecf8077-cf51-4820-aadd-14040956f35d | \nAzure AD | \n2021-07-14 10:56:30.062000+00:00 | \n/tenants/4b2462a4-bbee-495a-a0e1-f23ae524cc9c/providers/Microsoft.aadiam | \nSign-in activity | \n1.0 | \nSignInLogs | \n0 | \nNone | \n\n | 0 | \n0a4ca097-b33d-4ed7-a19e-ad34bc299cd0 | \nMicrosoft.aadiam | \nMicrosoft.aadiam | \n\n | On-Premises Directory Synchronization Service Account | \n4 | \nUS | \nSync_DC01_3862ce34675f@seccxpninja.onmicrosoft.com | \nMicrosoft Azure Active Directory Connect | \ncb1056e2-e479-49de-ae31-7812af012ed8 | \n[\\r\\n {\\r\\n \"authenticationStepDateTime\": \"2021-07-14T10:56:30.0626249+00:00\",\\r\\n \"authe... | \n\n | [\\r\\n {\\r\\n \"key\": \"IsCAEToken\",\\r\\n \"value\": \"False\"\\r\\n }\\r\\n] | \nsingleFactorAuthentication | \n... | \nnone | \nnone | \nWindows Azure Active Directory | \n00000002-0000-0000-c000-000000000000 | \n\n | \n | {'errorCode': 0} | \n\n | AzureAD | \n\n | On-Premises Directory Synchronization Service Account | \nee856d98-cecd-4dbe-8833-bdeec67847d0 | \nsync_dc01_3862ce34675f@seccxpninja.onmicrosoft.com | \n4b2462a4-bbee-495a-a0e1-f23ae524cc9c | \nMember | \nNone | \n\n | Sync_DC01_3862ce34675f@seccxpninja.onmicrosoft.com | \n\n | 4b2462a4-bbee-495a-a0e1-f23ae524cc9c | \n4b2462a4-bbee-495a-a0e1-f23ae524cc9c | \nSigninLogs | \nSucess | \n38.73078155517578 | \n-78.17196655273438 | \n
1 | \n8ecf8077-cf51-4820-aadd-14040956f35d | \nAzure AD | \n2021-07-14 10:56:34.868000+00:00 | \n/tenants/4b2462a4-bbee-495a-a0e1-f23ae524cc9c/providers/Microsoft.aadiam | \nSign-in activity | \n1.0 | \nSignInLogs | \n0 | \nNone | \n\n | 0 | \ndc57cafa-79fc-4c8e-83bc-c98e2ea9e3d8 | \nMicrosoft.aadiam | \nMicrosoft.aadiam | \n\n | On-Premises Directory Synchronization Service Account | \n4 | \nUS | \nSync_DC01_3862ce34675f@seccxpninja.onmicrosoft.com | \nMicrosoft Azure Active Directory Connect | \ncb1056e2-e479-49de-ae31-7812af012ed8 | \n[\\r\\n {\\r\\n \"authenticationStepDateTime\": \"2021-07-14T10:56:34.8688399+00:00\",\\r\\n \"authe... | \n\n | [\\r\\n {\\r\\n \"key\": \"IsCAEToken\",\\r\\n \"value\": \"False\"\\r\\n }\\r\\n] | \nsingleFactorAuthentication | \n... | \nnone | \nnone | \nWindows Azure Active Directory | \n00000002-0000-0000-c000-000000000000 | \n\n | \n | {'errorCode': 0} | \n\n | AzureAD | \n\n | On-Premises Directory Synchronization Service Account | \nee856d98-cecd-4dbe-8833-bdeec67847d0 | \nsync_dc01_3862ce34675f@seccxpninja.onmicrosoft.com | \n4b2462a4-bbee-495a-a0e1-f23ae524cc9c | \nMember | \nNone | \n\n | Sync_DC01_3862ce34675f@seccxpninja.onmicrosoft.com | \n\n | 4b2462a4-bbee-495a-a0e1-f23ae524cc9c | \n4b2462a4-bbee-495a-a0e1-f23ae524cc9c | \nSigninLogs | \nSucess | \n38.73078155517578 | \n-78.17196655273438 | \n
2 | \n8ecf8077-cf51-4820-aadd-14040956f35d | \nAzure AD | \n2021-07-14 10:58:50.835000+00:00 | \n/tenants/4b2462a4-bbee-495a-a0e1-f23ae524cc9c/providers/Microsoft.aadiam | \nSign-in activity | \n1.0 | \nSignInLogs | \n0 | \nNone | \n\n | 0 | \nc08798f2-1c1e-4aba-a21b-74f8980ba40b | \nMicrosoft.aadiam | \nMicrosoft.aadiam | \n\n | On-Premises Directory Synchronization Service Account | \n4 | \nUS | \nSync_AADCON_a5225d32ba79@seccxpninja.onmicrosoft.com | \nMicrosoft Azure Active Directory Connect | \ncb1056e2-e479-49de-ae31-7812af012ed8 | \n[\\r\\n {\\r\\n \"authenticationStepDateTime\": \"2021-07-14T10:58:50.8358827+00:00\",\\r\\n \"authe... | \n\n | [\\r\\n {\\r\\n \"key\": \"IsCAEToken\",\\r\\n \"value\": \"False\"\\r\\n }\\r\\n] | \nsingleFactorAuthentication | \n... | \nnone | \nnone | \nWindows Azure Active Directory | \n00000002-0000-0000-c000-000000000000 | \n\n | \n | {'errorCode': 0} | \n\n | AzureAD | \n\n | On-Premises Directory Synchronization Service Account | \n2235a468-ad9c-4375-8008-0a7be76994a7 | \nsync_aadcon_a5225d32ba79@seccxpninja.onmicrosoft.com | \n4b2462a4-bbee-495a-a0e1-f23ae524cc9c | \nMember | \nNone | \n\n | Sync_AADCON_a5225d32ba79@seccxpninja.onmicrosoft.com | \n\n | 4b2462a4-bbee-495a-a0e1-f23ae524cc9c | \n4b2462a4-bbee-495a-a0e1-f23ae524cc9c | \nSigninLogs | \nSucess | \n38.7130012512207 | \n-78.15899658203125 | \n
3 | \n8ecf8077-cf51-4820-aadd-14040956f35d | \nAzure AD | \n2021-07-14 10:58:56.135000+00:00 | \n/tenants/4b2462a4-bbee-495a-a0e1-f23ae524cc9c/providers/Microsoft.aadiam | \nSign-in activity | \n1.0 | \nSignInLogs | \n0 | \nNone | \n\n | 0 | \n7c229664-97a5-4621-b5f9-31fa223c5952 | \nMicrosoft.aadiam | \nMicrosoft.aadiam | \n\n | On-Premises Directory Synchronization Service Account | \n4 | \nUS | \nSync_AADCON_a5225d32ba79@seccxpninja.onmicrosoft.com | \nMicrosoft Azure Active Directory Connect | \ncb1056e2-e479-49de-ae31-7812af012ed8 | \n[\\r\\n {\\r\\n \"authenticationStepDateTime\": \"2021-07-14T10:58:56.1354096+00:00\",\\r\\n \"authe... | \n\n | [\\r\\n {\\r\\n \"key\": \"IsCAEToken\",\\r\\n \"value\": \"False\"\\r\\n }\\r\\n] | \nsingleFactorAuthentication | \n... | \nnone | \nnone | \nWindows Azure Active Directory | \n00000002-0000-0000-c000-000000000000 | \n\n | \n | {'errorCode': 0} | \n\n | AzureAD | \n\n | On-Premises Directory Synchronization Service Account | \n2235a468-ad9c-4375-8008-0a7be76994a7 | \nsync_aadcon_a5225d32ba79@seccxpninja.onmicrosoft.com | \n4b2462a4-bbee-495a-a0e1-f23ae524cc9c | \nMember | \nNone | \n\n | Sync_AADCON_a5225d32ba79@seccxpninja.onmicrosoft.com | \n\n | 4b2462a4-bbee-495a-a0e1-f23ae524cc9c | \n4b2462a4-bbee-495a-a0e1-f23ae524cc9c | \nSigninLogs | \nSucess | \n38.7130012512207 | \n-78.15899658203125 | \n
4 | \n8ecf8077-cf51-4820-aadd-14040956f35d | \nAzure AD | \n2021-07-14 11:26:30.812000+00:00 | \n/tenants/4b2462a4-bbee-495a-a0e1-f23ae524cc9c/providers/Microsoft.aadiam | \nSign-in activity | \n1.0 | \nSignInLogs | \n0 | \nNone | \n\n | 0 | \n5d31f207-8c2f-4c19-ada8-4a89630a7b1e | \nMicrosoft.aadiam | \nMicrosoft.aadiam | \n\n | On-Premises Directory Synchronization Service Account | \n4 | \nUS | \nSync_DC01_3862ce34675f@seccxpninja.onmicrosoft.com | \nMicrosoft Azure Active Directory Connect | \ncb1056e2-e479-49de-ae31-7812af012ed8 | \n[\\r\\n {\\r\\n \"authenticationStepDateTime\": \"2021-07-14T11:26:30.8128251+00:00\",\\r\\n \"authe... | \n\n | [\\r\\n {\\r\\n \"key\": \"IsCAEToken\",\\r\\n \"value\": \"False\"\\r\\n }\\r\\n] | \nsingleFactorAuthentication | \n... | \nnone | \nnone | \nWindows Azure Active Directory | \n00000002-0000-0000-c000-000000000000 | \n\n | \n | {'errorCode': 0} | \n\n | AzureAD | \n\n | On-Premises Directory Synchronization Service Account | \nee856d98-cecd-4dbe-8833-bdeec67847d0 | \nsync_dc01_3862ce34675f@seccxpninja.onmicrosoft.com | \n4b2462a4-bbee-495a-a0e1-f23ae524cc9c | \nMember | \nNone | \n\n | Sync_DC01_3862ce34675f@seccxpninja.onmicrosoft.com | \n\n | 4b2462a4-bbee-495a-a0e1-f23ae524cc9c | \n4b2462a4-bbee-495a-a0e1-f23ae524cc9c | \nSigninLogs | \nSucess | \n38.7130012512207 | \n-78.15899658203125 | \n
5 rows × 69 columns
\n\n", + " | AlertName | \n", + "NumAlerts | \n", + "
---|---|---|
0 | \n", + "Malicious credential theft tool execution detected | \n", + "47 | \n", + "
1 | \n", + "Suspicious PowerShell command line | \n", + "22 | \n", + "
2 | \n", + "Suspected DCSync attack (replication of directory services) | \n", + "13 | \n", + "
3 | \n", + "Suspicious service registration | \n", + "15 | \n", + "
4 | \n", + "Irregular creation of Azure resources | \n", + "13 | \n", + "
... | \n", + "... | \n", + "... | \n", + "
173 | \n", + "Password set to never expires | \n", + "1 | \n", + "
174 | \n", + "test | \n", + "1 | \n", + "
175 | \n", + "Suspicion of NotPetya Malware - Illegal SMB Transaction Detected | \n", + "1 | \n", + "
176 | \n", + "Suspicion of NotPetya Malware - Illegal SMB Parameters Detected | \n", + "1 | \n", + "
177 | \n", + "Invalid SMB Message (DoublePulsar Backdoor Implant) | \n", + "1 | \n", + "
178 rows × 2 columns
\n", + "\n | AlertName | \nNumAlerts | \n
---|---|---|
0 | \nMalicious credential theft tool execution detected | \n47 | \n
1 | \nSuspicious PowerShell command line | \n22 | \n
2 | \nSuspected DCSync attack (replication of directory services) | \n13 | \n
3 | \nSuspicious service registration | \n15 | \n
4 | \nIrregular creation of Azure resources | \n13 | \n
... | \n... | \n... | \n
173 | \nPassword set to never expires | \n1 | \n
174 | \ntest | \n1 | \n
175 | \nSuspicion of NotPetya Malware - Illegal SMB Transaction Detected | \n1 | \n
176 | \nSuspicion of NotPetya Malware - Illegal SMB Parameters Detected | \n1 | \n
177 | \nInvalid SMB Message (DoublePulsar Backdoor Implant) | \n1 | \n
178 rows × 2 columns
\n\n | TenantId | \nApplication | \nUserDomain | \nUserAgent | \nRecordType | \nTimeGenerated | \nOperation | \nOrganizationId | \nOrganizationId_ | \nUserType | \nUserKey | \nOfficeWorkload | \nResultStatus | \nResultReasonType | \nOfficeObjectId | \nUserId | \nUserId_ | \nClientIP | \nClientIP_ | \nScope | \nSite_ | \nItemType | \nEventSource | \nSource_Name | \nMachineDomainInfo | \n... | \nChannelType | \nChannelName | \nChannelGuid | \nExtraProperties | \nAddOnType | \nAddonName | \nTabType | \nName | \nOldValue | \nNewValue | \nItemName | \nChatThreadId | \nChatName | \nCommunicationType | \nAADGroupId | \nAddOnGuid | \nAppDistributionMode | \nTargetUserId | \nOperationScope | \nAzureADAppId | \nOperationProperties | \nAppId | \nClientAppId | \nType | \n_ResourceId | \n
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
0 | \n8ecf8077-cf51-4820-aadd-14040956f35d | \n\n | \n | \n | 50 | \n2021-07-14 11:20:44+00:00 | \nMailItemsAccessed | \n4b2462a4-bbee-495a-a0e1-f23ae524cc9c | \n4b2462a4-bbee-495a-a0e1-f23ae524cc9c | \nRegular | \n100320003C017CC9 | \nExchange | \nSucceeded | \nSucceeded | \n\n | FMorris@seccxpninja.onmicrosoft.com | \nFMorris@seccxpninja.onmicrosoft.com | \n\n | \n | \n | \n | \n | \n | \n | \n | ... | \n\n | \n | \n | None | \n\n | \n | \n | \n | \n | \n | \n | \n | \n | \n | \n | \n | \n | \n | \n | \n | [{'Name': 'MailAccessType', 'Value': 'Bind'}, {'Name': 'IsThrottled', 'Value': 'False'}] | \n7a5fbd1c-3e6d-461a-9075-83049393b3a7 | \n7a5fbd1c-3e6d-461a-9075-83049393b3a7 | \nOfficeActivity | \n\n |
1 | \n8ecf8077-cf51-4820-aadd-14040956f35d | \n\n | \n | \n | 50 | \n2021-07-14 11:20:44+00:00 | \nMailItemsAccessed | \n4b2462a4-bbee-495a-a0e1-f23ae524cc9c | \n4b2462a4-bbee-495a-a0e1-f23ae524cc9c | \nRegular | \n100320003C017CC9 | \nExchange | \nSucceeded | \nSucceeded | \n\n | FMorris@seccxpninja.onmicrosoft.com | \nFMorris@seccxpninja.onmicrosoft.com | \n\n | \n | \n | \n | \n | \n | \n | \n | ... | \n\n | \n | \n | None | \n\n | \n | \n | \n | \n | \n | \n | \n | \n | \n | \n | \n | \n | \n | \n | \n | [{'Name': 'MailAccessType', 'Value': 'Bind'}, {'Name': 'IsThrottled', 'Value': 'False'}] | \n7a5fbd1c-3e6d-461a-9075-83049393b3a7 | \n7a5fbd1c-3e6d-461a-9075-83049393b3a7 | \nOfficeActivity | \n\n |
2 | \n8ecf8077-cf51-4820-aadd-14040956f35d | \n\n | \n | \n | 50 | \n2021-07-14 12:38:41+00:00 | \nMailItemsAccessed | \n4b2462a4-bbee-495a-a0e1-f23ae524cc9c | \n4b2462a4-bbee-495a-a0e1-f23ae524cc9c | \nRegular | \n100320003F8A6FC7 | \nExchange | \nSucceeded | \nSucceeded | \n\n | MeganB@seccxp.ninja | \nMeganB@seccxp.ninja | \n\n | \n | \n | \n | \n | \n | \n | \n | ... | \n\n | \n | \n | None | \n\n | \n | \n | \n | \n | \n | \n | \n | \n | \n | \n | \n | \n | \n | \n | \n | [{'Name': 'MailAccessType', 'Value': 'Bind'}, {'Name': 'IsThrottled', 'Value': 'False'}] | \n414a677a-e50f-46ea-b89c-aebb8a9efbe2 | \n\n | OfficeActivity | \n\n |
3 | \n8ecf8077-cf51-4820-aadd-14040956f35d | \n\n | \n | \n | 50 | \n2021-07-14 12:38:41+00:00 | \nMailItemsAccessed | \n4b2462a4-bbee-495a-a0e1-f23ae524cc9c | \n4b2462a4-bbee-495a-a0e1-f23ae524cc9c | \nRegular | \n100320003F8A6FC7 | \nExchange | \nSucceeded | \nSucceeded | \n\n | MeganB@seccxp.ninja | \nMeganB@seccxp.ninja | \n\n | \n | \n | \n | \n | \n | \n | \n | ... | \n\n | \n | \n | None | \n\n | \n | \n | \n | \n | \n | \n | \n | \n | \n | \n | \n | \n | \n | \n | \n | [{'Name': 'MailAccessType', 'Value': 'Bind'}, {'Name': 'IsThrottled', 'Value': 'False'}] | \n414a677a-e50f-46ea-b89c-aebb8a9efbe2 | \n\n | OfficeActivity | \n\n |
4 | \n8ecf8077-cf51-4820-aadd-14040956f35d | \n\n | \n | \n | 50 | \n2021-07-14 12:38:41+00:00 | \nMailItemsAccessed | \n4b2462a4-bbee-495a-a0e1-f23ae524cc9c | \n4b2462a4-bbee-495a-a0e1-f23ae524cc9c | \nRegular | \n100320003F8A6FC7 | \nExchange | \nSucceeded | \nSucceeded | \n\n | MeganB@seccxp.ninja | \nMeganB@seccxp.ninja | \n\n | \n | \n | \n | \n | \n | \n | \n | ... | \n\n | \n | \n | None | \n\n | \n | \n | \n | \n | \n | \n | \n | \n | \n | \n | \n | \n | \n | \n | \n | [{'Name': 'MailAccessType', 'Value': 'Bind'}, {'Name': 'IsThrottled', 'Value': 'False'}] | \n414a677a-e50f-46ea-b89c-aebb8a9efbe2 | \n\n | OfficeActivity | \n\n |
5 rows × 131 columns
\n\n", + " | TenantId | \n", + "Application | \n", + "UserDomain | \n", + "UserAgent | \n", + "RecordType | \n", + "TimeGenerated | \n", + "Operation | \n", + "OrganizationId | \n", + "OrganizationId_ | \n", + "UserType | \n", + "UserKey | \n", + "OfficeWorkload | \n", + "ResultStatus | \n", + "ResultReasonType | \n", + "OfficeObjectId | \n", + "UserId | \n", + "UserId_ | \n", + "ClientIP | \n", + "ClientIP_ | \n", + "Scope | \n", + "Site_ | \n", + "ItemType | \n", + "EventSource | \n", + "Source_Name | \n", + "MachineDomainInfo | \n", + "... | \n", + "ChannelType | \n", + "ChannelName | \n", + "ChannelGuid | \n", + "ExtraProperties | \n", + "AddOnType | \n", + "AddonName | \n", + "TabType | \n", + "Name | \n", + "OldValue | \n", + "NewValue | \n", + "ItemName | \n", + "ChatThreadId | \n", + "ChatName | \n", + "CommunicationType | \n", + "AADGroupId | \n", + "AddOnGuid | \n", + "AppDistributionMode | \n", + "TargetUserId | \n", + "OperationScope | \n", + "AzureADAppId | \n", + "OperationProperties | \n", + "AppId | \n", + "ClientAppId | \n", + "Type | \n", + "_ResourceId | \n", + "
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
0 | \n", + "8ecf8077-cf51-4820-aadd-14040956f35d | \n", + "\n", + " | \n", + " | \n", + " | 50 | \n", + "2021-07-14 11:20:44+00:00 | \n", + "MailItemsAccessed | \n", + "4b2462a4-bbee-495a-a0e1-f23ae524cc9c | \n", + "4b2462a4-bbee-495a-a0e1-f23ae524cc9c | \n", + "Regular | \n", + "100320003C017CC9 | \n", + "Exchange | \n", + "Succeeded | \n", + "Succeeded | \n", + "\n", + " | FMorris@seccxpninja.onmicrosoft.com | \n", + "FMorris@seccxpninja.onmicrosoft.com | \n", + "\n", + " | \n", + " | \n", + " | \n", + " | \n", + " | \n", + " | \n", + " | \n", + " | ... | \n", + "\n", + " | \n", + " | \n", + " | None | \n", + "\n", + " | \n", + " | \n", + " | \n", + " | \n", + " | \n", + " | \n", + " | \n", + " | \n", + " | \n", + " | \n", + " | \n", + " | \n", + " | \n", + " | \n", + " | \n", + " | [{'Name': 'MailAccessType', 'Value': 'Bind'}, {'Name': 'IsThrottled', 'Value': 'False'}] | \n", + "7a5fbd1c-3e6d-461a-9075-83049393b3a7 | \n", + "7a5fbd1c-3e6d-461a-9075-83049393b3a7 | \n", + "OfficeActivity | \n", + "\n", + " |
1 | \n", + "8ecf8077-cf51-4820-aadd-14040956f35d | \n", + "\n", + " | \n", + " | \n", + " | 50 | \n", + "2021-07-14 11:20:44+00:00 | \n", + "MailItemsAccessed | \n", + "4b2462a4-bbee-495a-a0e1-f23ae524cc9c | \n", + "4b2462a4-bbee-495a-a0e1-f23ae524cc9c | \n", + "Regular | \n", + "100320003C017CC9 | \n", + "Exchange | \n", + "Succeeded | \n", + "Succeeded | \n", + "\n", + " | FMorris@seccxpninja.onmicrosoft.com | \n", + "FMorris@seccxpninja.onmicrosoft.com | \n", + "\n", + " | \n", + " | \n", + " | \n", + " | \n", + " | \n", + " | \n", + " | \n", + " | ... | \n", + "\n", + " | \n", + " | \n", + " | None | \n", + "\n", + " | \n", + " | \n", + " | \n", + " | \n", + " | \n", + " | \n", + " | \n", + " | \n", + " | \n", + " | \n", + " | \n", + " | \n", + " | \n", + " | \n", + " | \n", + " | [{'Name': 'MailAccessType', 'Value': 'Bind'}, {'Name': 'IsThrottled', 'Value': 'False'}] | \n", + "7a5fbd1c-3e6d-461a-9075-83049393b3a7 | \n", + "7a5fbd1c-3e6d-461a-9075-83049393b3a7 | \n", + "OfficeActivity | \n", + "\n", + " |
2 | \n", + "8ecf8077-cf51-4820-aadd-14040956f35d | \n", + "\n", + " | \n", + " | \n", + " | 50 | \n", + "2021-07-14 12:38:41+00:00 | \n", + "MailItemsAccessed | \n", + "4b2462a4-bbee-495a-a0e1-f23ae524cc9c | \n", + "4b2462a4-bbee-495a-a0e1-f23ae524cc9c | \n", + "Regular | \n", + "100320003F8A6FC7 | \n", + "Exchange | \n", + "Succeeded | \n", + "Succeeded | \n", + "\n", + " | MeganB@seccxp.ninja | \n", + "MeganB@seccxp.ninja | \n", + "\n", + " | \n", + " | \n", + " | \n", + " | \n", + " | \n", + " | \n", + " | \n", + " | ... | \n", + "\n", + " | \n", + " | \n", + " | None | \n", + "\n", + " | \n", + " | \n", + " | \n", + " | \n", + " | \n", + " | \n", + " | \n", + " | \n", + " | \n", + " | \n", + " | \n", + " | \n", + " | \n", + " | \n", + " | \n", + " | [{'Name': 'MailAccessType', 'Value': 'Bind'}, {'Name': 'IsThrottled', 'Value': 'False'}] | \n", + "414a677a-e50f-46ea-b89c-aebb8a9efbe2 | \n", + "\n", + " | OfficeActivity | \n", + "\n", + " |
3 | \n", + "8ecf8077-cf51-4820-aadd-14040956f35d | \n", + "\n", + " | \n", + " | \n", + " | 50 | \n", + "2021-07-14 12:38:41+00:00 | \n", + "MailItemsAccessed | \n", + "4b2462a4-bbee-495a-a0e1-f23ae524cc9c | \n", + "4b2462a4-bbee-495a-a0e1-f23ae524cc9c | \n", + "Regular | \n", + "100320003F8A6FC7 | \n", + "Exchange | \n", + "Succeeded | \n", + "Succeeded | \n", + "\n", + " | MeganB@seccxp.ninja | \n", + "MeganB@seccxp.ninja | \n", + "\n", + " | \n", + " | \n", + " | \n", + " | \n", + " | \n", + " | \n", + " | \n", + " | ... | \n", + "\n", + " | \n", + " | \n", + " | None | \n", + "\n", + " | \n", + " | \n", + " | \n", + " | \n", + " | \n", + " | \n", + " | \n", + " | \n", + " | \n", + " | \n", + " | \n", + " | \n", + " | \n", + " | \n", + " | \n", + " | [{'Name': 'MailAccessType', 'Value': 'Bind'}, {'Name': 'IsThrottled', 'Value': 'False'}] | \n", + "414a677a-e50f-46ea-b89c-aebb8a9efbe2 | \n", + "\n", + " | OfficeActivity | \n", + "\n", + " |
4 | \n", + "8ecf8077-cf51-4820-aadd-14040956f35d | \n", + "\n", + " | \n", + " | \n", + " | 50 | \n", + "2021-07-14 12:38:41+00:00 | \n", + "MailItemsAccessed | \n", + "4b2462a4-bbee-495a-a0e1-f23ae524cc9c | \n", + "4b2462a4-bbee-495a-a0e1-f23ae524cc9c | \n", + "Regular | \n", + "100320003F8A6FC7 | \n", + "Exchange | \n", + "Succeeded | \n", + "Succeeded | \n", + "\n", + " | MeganB@seccxp.ninja | \n", + "MeganB@seccxp.ninja | \n", + "\n", + " | \n", + " | \n", + " | \n", + " | \n", + " | \n", + " | \n", + " | \n", + " | ... | \n", + "\n", + " | \n", + " | \n", + " | None | \n", + "\n", + " | \n", + " | \n", + " | \n", + " | \n", + " | \n", + " | \n", + " | \n", + " | \n", + " | \n", + " | \n", + " | \n", + " | \n", + " | \n", + " | \n", + " | \n", + " | [{'Name': 'MailAccessType', 'Value': 'Bind'}, {'Name': 'IsThrottled', 'Value': 'False'}] | \n", + "414a677a-e50f-46ea-b89c-aebb8a9efbe2 | \n", + "\n", + " | OfficeActivity | \n", + "\n", + " |
5 rows × 131 columns
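Review bot: the SigninLogs, AlertName and OfficeActivity output cells in this region differ between the two sides only in their serialized line endings (`\r\n` versus `\n`), yet every rendered table is repeated in full, which makes the actual content change impossible to review; suggest normalizing once with a `.gitattributes` entry such as `*.ipynb text eol=lf` so later diffs show only real edits. The duplicated outputs also carry a TenantId (8ecf8077-cf51-4820-aadd-14040956f35d), user principal names (FMorris@seccxpninja.onmicrosoft.com, MeganB@seccxp.ninja, the Sync_AADCON_ and Sync_DC01_ directory-sync accounts) and mailbox OfficeObjectId values; please confirm these come from the demo tenant meant for publication, and if not, clear the outputs before committing rather than only changing line endings.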
\n", + "VirusTotal | |
verbose_msg | IP address in dataset |
response_code | 1 |
positives | 217 |
detected_urls | ['http://85.214.149.236/sugarcrm/themes/default/images/', 'http://85.214.149.236:443/sugarcrm/themes/default/images/stock.jpg', 'http://85.214.149.236:443/sugarcrm/themes/default/images/tshd.jpg', 'http://85.214.149.236/', 'http://85.214.149.236:443/sugarcrm/themes/default/images/bioset.jpg', 'http://85.214.149.236:443/sugarcrm/themes/default/images/mod.jpg', 'http://85.214.149.236:443/sugarcrm/themes/default/images/default.jpg', 'http://dockerupdate.anondns.net/', 'http://dockerupdate.anondns.net:443/sugarcrm/themes/default/images/', 'http://85.214.149.236:443/sugarcrm/themes/default/images/', 'http://85.214.149.236:443/sugarcrm/themes/default/images/kube.jpg', 'http://85.214.149.236:443/'] |
detected_downloaded_samples | ['75a733d99d72d1d0d6ca99ec852d97ae8c515ed136e12195e96adf6df7bbad41', '252bf8c685289759b90c1de6f9db345c2cfe62e6f8aad9a7f44dfb3c8508487a', 'e15550481e89dbd154b875ce50cc5af4b49f9ff7b837d9ac5b5594e5d63966a3'] |
detected_communicating_samples | [] |
{'as_owner': 'Strato AG',\n
'asn': 6724,
'country': 'DE',
'detected_communicating_samples': [{'date': '2021-06-11 01:23:22',
'positives': 13,
'sha256': 'ab12b5d03f8467a1089d3d40ef9c4a54fb16ee61bb68714040e9edf96b5e763f',
'total': 74},
{'date': '2021-06-10 07:31:53',
'positives': 30,
'sha256': '1aaf7bc48ff75e870db4fe6ec0b3ed9d99876d7e2fb3d5c4613cca92bbb95e1b',
'total': 75},
{'date': '2021-06-09 02:36:09',
'positives': 30,
'sha256': '36bf7b2ab7968880ccc696927c03167b6056e73043fd97a33d2468383a5bafce',
'total': 75},
{'date': '2021-05-17 21:40:23',
'positives': 13,
'sha256': '39ac019520a278e350065d12ebc0c24201584390724f3d8e0dc828664fee6cae',
'total': 74},
{'date': '2021-05-12 12:46:23',
'positives': 6,
'sha256': 'b60ffcc7153650d6a232b1cb249924b0c6384c27681860eb13b12f4705bc0a05',
'total': 75},
{'date': '2021-05-11 08:32:51',
'positives': 14,
'sha256': '1ad0104478301e73e3f49cdeb10f8c1a1d54bccf9248e34ff81352598f112e6b',
'total': 75},
{'date': '2021-04-21 10:08:11',
'positives': 16,
'sha256': '7b6f7c48256a8df2041e8726c3490ccb6987e1a76fee947e148ea68eee036889',
'total': 76},
{'date': '2021-03-31 15:34:40',
'positives': 20,
'sha256': 'ae3e4a1c8a2b661265e6c8c756e3ba472dc7177cae79fe1861ab0c2d1af5167a',
'total': 75},
{'date': '2021-03-27 04:35:12',
'positives': 22,
'sha256': '3b280a4017ef2c2aef4b3ed8bb47516b816166998462899935afb39b533890ad',
'total': 75},
{'date': '2020-08-18 19:53:07',
'positives': 3,
'sha256': '0742efecbd7af343213a50cc5fd5cd2f8475613cfe6fb51f4296a7ec4533940d',
'total': 74}],
'detected_downloaded_samples': [{'date': '2021-06-29 11:54:16',
'positives': 26,
'sha256': '75a733d99d72d1d0d6ca99ec852d97ae8c515ed136e12195e96adf6df7bbad41',
'total': 75},
{'date': '2021-07-08 08:53:31',
'positives': 36,
'sha256': '252bf8c685289759b90c1de6f9db345c2cfe62e6f8aad9a7f44dfb3c8508487a',
'total': 74},
{'date': '2021-07-08 08:53:30',
'positives': 38,
'sha256': 'e15550481e89dbd154b875ce50cc5af4b49f9ff7b837d9ac5b5594e5d63966a3',
'total': 74},
{'date': '2021-06-10 07:32:43',
'positives': 33,
'sha256': '139f393594aabb20543543bd7d3192422b886f58e04a910637b41f14d0cad375',
'total': 75},
{'date': '2021-06-10 07:31:49',
'positives': 34,
'sha256': 'a506c6cf25de202e6b2bf60fe0236911a6ff8aa33f12a78edad9165ab0851caf',
'total': 75},
{'date': '2021-03-02 07:13:18',
'positives': 33,
'sha256': 'feb0a0f5ffba9d7b7d6878a8890a6d67d3f8ef6106e4e88719a63c3351e46a06',
'total': 76},
{'date': '2021-02-08 02:39:20',
'positives': 18,
'sha256': '230e2a06df2cd7574ee15cb13714d77182f28d50f83a6ed58af39f1966177769',
'total': 76},
{'date': '2020-10-31 16:15:20',
'positives': 30,
'sha256': '36bf7b2ab7968880ccc696927c03167b6056e73043fd97a33d2468383a5bafce',
'total': 76},
{'date': '2020-10-19 16:08:06',
'positives': 28,
'sha256': '1aaf7bc48ff75e870db4fe6ec0b3ed9d99876d7e2fb3d5c4613cca92bbb95e1b',
'total': 75},
{'date': '2020-09-09 11:54:11',
'positives': 24,
'sha256': '9750b3be953bd31322dd173ca18f29e5997029b28b24fbeb5fec7ebb1974cb09',
'total': 73},
{'date': '2020-09-06 07:41:39',
'positives': 23,
'sha256': 'c0ab7d1caabdd090b2399cd1193d2cc2334218d3f3f0d3164b61b6014fd308e9',
'total': 73},
{'date': '2020-09-09 11:30:10',
'positives': 1,
'sha256': '767fc7ae032403bce2dbcefa525cf1a9fd02bbb185e45aa88d9bc28a5f22a2b6',
'total': 73},
{'date': '2020-07-22 02:02:29',
'positives': 26,
'sha256': '132df864f6750d29bf9f762b298f377c13b899aa8d07c0a6bda58adcffd0d6f7',
'total': 76},
{'date': '2020-08-20 06:57:04',
'positives': 30,
'sha256': '2c40b76408d59f906f60db97ea36503bfc59aed22a154f5d564d8449c300594f',
'total': 75}],
'detected_referrer_samples': [{'date': '2020-09-09 11:30:10',
'positives': 1,
'sha256': '767fc7ae032403bce2dbcefa525cf1a9fd02bbb185e45aa88d9bc28a5f22a2b6',
'total': 73}],
'detected_urls': [{'positives': 10,
'scan_date': '2021-07-14 02:19:07',
'total': 89,
'url': 'http://85.214.149.236/sugarcrm/themes/default/images/'},
{'positives': 9,
'scan_date': '2021-07-14 00:09:39',
'total': 89,
'url': 'http://85.214.149.236:443/sugarcrm/themes/default/images/stock.jpg'},
{'positives': 11,
'scan_date': '2021-07-09 11:00:43',
'total': 89,
'url': 'http://85.214.149.236:443/sugarcrm/themes/default/images/tshd.jpg'},
{'positives': 8,
'scan_date': '2021-07-08 11:39:22',
'total': 89,
'url': 'http://85.214.149.236/'},
{'positives': 12,
'scan_date': '2021-07-08 08:55:14',
'total': 90,
'url': 'http://85.214.149.236:443/sugarcrm/themes/default/images/bioset.jpg'},
{'positives': 9,
'scan_date': '2021-06-28 02:32:40',
'total': 89,
'url': 'http://85.214.149.236:443/sugarcrm/themes/default/images/mod.jpg'},
{'positives': 10,
'scan_date': '2021-06-26 00:05:01',
'total': 89,
'url': 'http://85.214.149.236:443/sugarcrm/themes/default/images/default.jpg'},
{'positives': 12,
'scan_date': '2021-06-23 12:00:19',
'total': 88,
'url': 'http://dockerupdate.anondns.net/'},
{'positives': 12,
'scan_date': '2021-06-21 01:57:07',
'total': 88,
'url': 'http://dockerupdate.anondns.net:443/sugarcrm/themes/default/images/'},
{'positives': 8,
'scan_date': '2021-06-21 01:50:52',
'total': 89,
'url': 'http://85.214.149.236:443/sugarcrm/themes/default/images/'},
{'positives': 9,
'scan_date': '2021-06-19 00:07:04',
'total': 89,
'url': 'http://85.214.149.236:443/sugarcrm/themes/default/images/kube.jpg'},
{'positives': 7,
'scan_date': '2021-06-16 08:08:57',
'total': 89,
'url': 'http://85.214.149.236:443/'},
{'positives': 8,
'scan_date': '2021-06-09 03:40:07',
'total': 89,
'url': 'https://85.214.149.236/sugarcrm/themes/default/images'},
{'positives': 7,
'scan_date': '2021-06-09 03:18:37',
'total': 89,
'url': 'https://85.214.149.236/sugarcrm/themes/default/images/'},
{'positives': 8,
'scan_date': '2021-06-08 15:50:06',
'total': 89,
'url': 'http://85.214.149.236:443/sugarcrm/themes/default/images'},
{'positives': 6,
'scan_date': '2021-04-21 00:07:34',
'total': 87,
'url': 'http://85.214.149.236/sugarcrm/themes/default/images/stock.jpg'},
{'positives': 5,
'scan_date': '2021-04-01 13:42:58',
'total': 85,
'url': 'http://85.214.149.236/sugarcrm/themes/default/images/mod.jpg'},
{'positives': 9,
'scan_date': '2021-03-19 18:12:09',
'total': 85,
'url': 'http://dockerupdate.anondns.net:443/sugarcrm/themes/default/images/Carray.jpg'},
{'positives': 6,
'scan_date': '2021-01-12 10:34:27',
'total': 83,
'url': 'http://85.214.149.236/sugarcrm/themes/default/images/kube.jpg'},
{'positives': 10,
'scan_date': '2020-12-28 02:17:00',
'total': 83,
'url': 'http://dockerupdate.anondns.net/sugarcrm/themes/default/images/'},
{'positives': 6,
'scan_date': '2020-12-19 10:34:37',
'total': 83,
'url': 'http://85.214.149.236/sugarcrm/themes/default/images/default.jpg'},
{'positives': 6,
'scan_date': '2020-11-12 16:50:51',
'total': 81,
'url': 'http://85.214.149.236/sugarcrm/themes'},
{'positives': 14,
'scan_date': '2020-11-10 11:01:42',
'total': 81,
'url': 'http://dockerupdate.anondns.net:443/sugarcrm/themes/default/images/mos.jpg'},
{'positives': 14,
'scan_date': '2020-11-08 15:00:49',
'total': 81,
'url': 'http://dockerupdate.anondns.net:443/sugarcrm/themes/default/images/nk.jpg'},
{'positives': 6,
'scan_date': '2020-11-04 19:21:25',
'total': 81,
'url': 'http://85.214.149.236/sugarcrm/themes/default'},
{'positives': 6,
'scan_date': '2020-10-29 00:55:07',
'total': 81,
'url': 'http://85.214.149.236/sugarcrm/themes/default/images'},
{'positives': 12,
'scan_date': '2020-09-28 03:26:34',
'total': 80,
'url': 'http://dockerupdate.anondns.net:443/sugarcrm'},
{'positives': 9,
'scan_date': '2020-09-28 03:06:19',
'total': 80,
'url': 'http://85.214.149.236/sugarcrm/.../dns'},
{'positives': 11,
'scan_date': '2020-09-24 14:01:08',
'total': 80,
'url': 'http://dockerupdate.anondns.net/sugarcrm/themes/default/images'},
{'positives': 12,
'scan_date': '2020-09-21 17:20:19',
'total': 80,
'url': 'http://dockerupdate.anondns.net:443/sugarcrm/themes/default/images/carray.jpg'},
{'positives': 6,
'scan_date': '2020-09-20 16:04:57',
'total': 80,
'url': 'http://85.214.149.236/sugarcrm'},
{'positives': 9,
'scan_date': '2020-09-17 17:36:08',
'total': 80,
'url': 'http://85.214.149.236:443/sugarcrm/banner.php'},
{'positives': 11,
'scan_date': '2020-09-10 07:55:21',
'total': 80,
'url': 'http://dockerupdate.anondns.net:443/sugarcrm/'},
{'positives': 10,
'scan_date': '2020-09-09 12:06:14',
'total': 80,
'url': 'http://dockerupdate.anondns.net:443/sugarcrm/themes/default/images/Carray.jpg/'},
{'positives': 4,
'scan_date': '2020-09-09 12:05:12',
'total': 80,
'url': 'http://85.214.149.236:443/sugarcrm/themes/default/images/bioset.jpg/'},
{'positives': 11,
'scan_date': '2020-09-09 11:59:35',
'total': 80,
'url': 'http://dockerupdate.anondns.net/sugarcrm/themes/default/images/mos.jpg'},
{'positives': 5,
'scan_date': '2020-09-09 11:48:55',
'total': 80,
'url': 'http://85.214.149.236:443/sugarcrm/.../run'},
{'positives': 4,
'scan_date': '2020-09-09 11:44:28',
'total': 80,
'url': 'http://85.214.149.236:443/sugarcrm/themes/default/images/mod.js'},
{'positives': 6,
'scan_date': '2020-09-09 11:35:26',
'total': 80,
'url': 'http://85.214.149.236:443/sugarcrm/.../cron.sh'},
{'positives': 11,
'scan_date': '2020-09-09 11:30:00',
'total': 80,
'url': 'http://dockerupdate.anondns.net/sugarcrm/themes/default/images/nk.jpg'},
{'positives': 5,
'scan_date': '2020-09-05 03:44:35',
'total': 80,
'url': 'http://85.214.149.236/sugarcrm/...'},
{'positives': 8,
'scan_date': '2020-09-02 06:09:23',
'total': 80,
'url': 'https://dockerupdate.anondns.net/'},
{'positives': 6,
'scan_date': '2020-09-01 17:37:50',
'total': 79,
'url': 'http://85.214.149.236:443/sugarcrm/.../dns'},
{'positives': 1,
'scan_date': '2020-08-28 08:15:47',
'total': 78,
'url': 'http://85.214.149.236:443/sugarcrm/themes/default/images/mod.js\"'},
{'positives': 2,
'scan_date': '2020-08-27 13:22:06',
'total': 78,
'url': 'http://85.214.149.236:443/sugarcrm/themes/default/images/zgrab.jpg'},
{'positives': 7,
'scan_date': '2020-08-25 14:52:00',
'total': 79,
'url': 'http://dockerupdate.anondns.net:443/sugarcrm/themes/default/images/portjoe.jpg'},
{'positives': 7,
'scan_date': '2020-08-25 07:02:55',
'total': 79,
'url': 'http://dockerupdate.anondns.net:443/sugarcrm/themes/default/images'},
{'positives': 4,
'scan_date': '2020-08-24 07:34:44',
'total': 79,
'url': 'http://dockerupdate.anondns.net:443/sugarcrm/themes/default/images/01.jpg'}],
'resolutions': [{'hostname': 'dockerupdate.anondns.net',
'last_resolved': '2020-08-14 18:56:08'},
{'hostname': 'h2381205.stratoserver.net',
'last_resolved': '2020-08-06 12:19:57'}],
'response_code': 1,
'undetected_communicating_samples': [{'date': '2021-06-24 10:15:37',
'positives': 0,
'sha256': '7149b53e4a3f9de2a7d47190af64f8b609618ed09f8440a64175049a90336775',
'total': 75},
{'date': '2021-06-09 10:51:49',
'positives': 0,
'sha256': '45cc4f38340bf1d4bb0010114ccf03112d14dee7815aa797d20854605fdca2d2',
'total': 74},
{'date': '2021-06-12 19:00:20',
'positives': 0,
'sha256': '020531aef7e069ee6e384f2fe9c49db9d99292d559c72da95276c2788b17d386',
'total': 74},
{'date': '2020-12-10 15:39:02',
'positives': 0,
'sha256': 'd9c46904d5bb808f2f0c28e819a31703f5155c4df66c4c4669f5d9e81f25dc66',
'total': 75},
{'date': '2020-08-28 07:36:29',
'positives': 0,
'sha256': 'd333c3cfb8b9ad1da5ee50f96a55dfbe70196f05fd88b5f04e925e32305cfff8',
'total': 73},
{'date': '2020-08-28 07:40:32',
'positives': 0,
'sha256': '18c178fb224ec17718e5f70a92041e721d9e380e70063cc4bfe3f61d6feb72d9',
'total': 73},
{'date': '2020-08-28 07:35:10',
'positives': 0,
'sha256': 'a5d14bb053b03e81e58101516c782360fe64d6469852c6aa06fc47c08b30b127',
'total': 73},
{'date': '2020-08-26 22:30:40',
'positives': 0,
'sha256': 'ba16f24e6294e8da28782c1d8e00189950dd4cbbb061ef13d1a4d84305651768',
'total': 73},
{'date': '2020-08-26 14:29:14',
'positives': 0,
'sha256': '1861eee8333dadcfe0d0dc10461f5f82fada8e42db9aa9efba6f258182e9c546',
'total': 73},
{'date': '2020-08-24 07:12:27',
'positives': 0,
'sha256': 'b485e6ccc9cfeb9c2034cebfeaf1bb3b3db0ac9996e5260fc1e95ce852b757c4',
'total': 73}],
'undetected_downloaded_samples': [{'date': '2020-09-09 11:44:35',
'positives': 0,
'sha256': 'e8812c8ff47b0542c7ee4d6bdff5bfbfd488a8e363d884074089c54b6ffc9789',
'total': 73},
{'date': '2020-07-16 04:03:02',
'positives': 0,
'sha256': '1474298ed7a5c63ca8098794cd743a276807cca0e678e046160718626bb038f3',
'total': 76}],
'undetected_referrer_samples': [],
'undetected_urls': [['http://h2381205.stratoserver.net/',
'011bcc2795245bb9fac15c54e0e189b0c6e2f24c42c57fec7cfc654a8bb95106',
0,
80,
'2020-11-02 13:02:39'],
['http://85.214.149.236:443/sugarcrm/.../',
'9ffbd9455f6aa190b4270b0d8bfe2c863c6495b94b0f510169999135476e4ed4',
0,
79,
'2020-07-14 10:52:05']],
'verbose_msg': 'IP address in dataset'}
VirusTotal | |
verbose_msg | IP address in dataset |
response_code | 1 |
positives | 217 |
detected_urls | ['http://85.214.149.236/sugarcrm/themes/default/images/', 'http://85.214.149.236:443/sugarcrm/themes/default/images/stock.jpg', 'http://85.214.149.236:443/sugarcrm/themes/default/images/tshd.jpg', 'http://85.214.149.236/', 'http://85.214.149.236:443/sugarcrm/themes/default/images/bioset.jpg', 'http://85.214.149.236:443/sugarcrm/themes/default/images/mod.jpg', 'http://85.214.149.236:443/sugarcrm/themes/default/images/default.jpg', 'http://dockerupdate.anondns.net/', 'http://dockerupdate.anondns.net:443/sugarcrm/themes/default/images/', 'http://85.214.149.236:443/sugarcrm/themes/default/images/', 'http://85.214.149.236:443/sugarcrm/themes/default/images/kube.jpg', 'http://85.214.149.236:443/'] |
detected_downloaded_samples | ['75a733d99d72d1d0d6ca99ec852d97ae8c515ed136e12195e96adf6df7bbad41', '252bf8c685289759b90c1de6f9db345c2cfe62e6f8aad9a7f44dfb3c8508487a', 'e15550481e89dbd154b875ce50cc5af4b49f9ff7b837d9ac5b5594e5d63966a3'] |
detected_communicating_samples | [] |
{'as_owner': 'Strato AG',\n", + "
'asn': 6724,
'country': 'DE',
'detected_communicating_samples': [{'date': '2021-06-11 01:23:22',
'positives': 13,
'sha256': 'ab12b5d03f8467a1089d3d40ef9c4a54fb16ee61bb68714040e9edf96b5e763f',
'total': 74},
{'date': '2021-06-10 07:31:53',
'positives': 30,
'sha256': '1aaf7bc48ff75e870db4fe6ec0b3ed9d99876d7e2fb3d5c4613cca92bbb95e1b',
'total': 75},
{'date': '2021-06-09 02:36:09',
'positives': 30,
'sha256': '36bf7b2ab7968880ccc696927c03167b6056e73043fd97a33d2468383a5bafce',
'total': 75},
{'date': '2021-05-17 21:40:23',
'positives': 13,
'sha256': '39ac019520a278e350065d12ebc0c24201584390724f3d8e0dc828664fee6cae',
'total': 74},
{'date': '2021-05-12 12:46:23',
'positives': 6,
'sha256': 'b60ffcc7153650d6a232b1cb249924b0c6384c27681860eb13b12f4705bc0a05',
'total': 75},
{'date': '2021-05-11 08:32:51',
'positives': 14,
'sha256': '1ad0104478301e73e3f49cdeb10f8c1a1d54bccf9248e34ff81352598f112e6b',
'total': 75},
{'date': '2021-04-21 10:08:11',
'positives': 16,
'sha256': '7b6f7c48256a8df2041e8726c3490ccb6987e1a76fee947e148ea68eee036889',
'total': 76},
{'date': '2021-03-31 15:34:40',
'positives': 20,
'sha256': 'ae3e4a1c8a2b661265e6c8c756e3ba472dc7177cae79fe1861ab0c2d1af5167a',
'total': 75},
{'date': '2021-03-27 04:35:12',
'positives': 22,
'sha256': '3b280a4017ef2c2aef4b3ed8bb47516b816166998462899935afb39b533890ad',
'total': 75},
{'date': '2020-08-18 19:53:07',
'positives': 3,
'sha256': '0742efecbd7af343213a50cc5fd5cd2f8475613cfe6fb51f4296a7ec4533940d',
'total': 74}],
'detected_downloaded_samples': [{'date': '2021-06-29 11:54:16',
'positives': 26,
'sha256': '75a733d99d72d1d0d6ca99ec852d97ae8c515ed136e12195e96adf6df7bbad41',
'total': 75},
{'date': '2021-07-08 08:53:31',
'positives': 36,
'sha256': '252bf8c685289759b90c1de6f9db345c2cfe62e6f8aad9a7f44dfb3c8508487a',
'total': 74},
{'date': '2021-07-08 08:53:30',
'positives': 38,
'sha256': 'e15550481e89dbd154b875ce50cc5af4b49f9ff7b837d9ac5b5594e5d63966a3',
'total': 74},
{'date': '2021-06-10 07:32:43',
'positives': 33,
'sha256': '139f393594aabb20543543bd7d3192422b886f58e04a910637b41f14d0cad375',
'total': 75},
{'date': '2021-06-10 07:31:49',
'positives': 34,
'sha256': 'a506c6cf25de202e6b2bf60fe0236911a6ff8aa33f12a78edad9165ab0851caf',
'total': 75},
{'date': '2021-03-02 07:13:18',
'positives': 33,
'sha256': 'feb0a0f5ffba9d7b7d6878a8890a6d67d3f8ef6106e4e88719a63c3351e46a06',
'total': 76},
{'date': '2021-02-08 02:39:20',
'positives': 18,
'sha256': '230e2a06df2cd7574ee15cb13714d77182f28d50f83a6ed58af39f1966177769',
'total': 76},
{'date': '2020-10-31 16:15:20',
'positives': 30,
'sha256': '36bf7b2ab7968880ccc696927c03167b6056e73043fd97a33d2468383a5bafce',
'total': 76},
{'date': '2020-10-19 16:08:06',
'positives': 28,
'sha256': '1aaf7bc48ff75e870db4fe6ec0b3ed9d99876d7e2fb3d5c4613cca92bbb95e1b',
'total': 75},
{'date': '2020-09-09 11:54:11',
'positives': 24,
'sha256': '9750b3be953bd31322dd173ca18f29e5997029b28b24fbeb5fec7ebb1974cb09',
'total': 73},
{'date': '2020-09-06 07:41:39',
'positives': 23,
'sha256': 'c0ab7d1caabdd090b2399cd1193d2cc2334218d3f3f0d3164b61b6014fd308e9',
'total': 73},
{'date': '2020-09-09 11:30:10',
'positives': 1,
'sha256': '767fc7ae032403bce2dbcefa525cf1a9fd02bbb185e45aa88d9bc28a5f22a2b6',
'total': 73},
{'date': '2020-07-22 02:02:29',
'positives': 26,
'sha256': '132df864f6750d29bf9f762b298f377c13b899aa8d07c0a6bda58adcffd0d6f7',
'total': 76},
{'date': '2020-08-20 06:57:04',
'positives': 30,
'sha256': '2c40b76408d59f906f60db97ea36503bfc59aed22a154f5d564d8449c300594f',
'total': 75}],
'detected_referrer_samples': [{'date': '2020-09-09 11:30:10',
'positives': 1,
'sha256': '767fc7ae032403bce2dbcefa525cf1a9fd02bbb185e45aa88d9bc28a5f22a2b6',
'total': 73}],
'detected_urls': [{'positives': 10,
'scan_date': '2021-07-14 02:19:07',
'total': 89,
'url': 'http://85.214.149.236/sugarcrm/themes/default/images/'},
{'positives': 9,
'scan_date': '2021-07-14 00:09:39',
'total': 89,
'url': 'http://85.214.149.236:443/sugarcrm/themes/default/images/stock.jpg'},
{'positives': 11,
'scan_date': '2021-07-09 11:00:43',
'total': 89,
'url': 'http://85.214.149.236:443/sugarcrm/themes/default/images/tshd.jpg'},
{'positives': 8,
'scan_date': '2021-07-08 11:39:22',
'total': 89,
'url': 'http://85.214.149.236/'},
{'positives': 12,
'scan_date': '2021-07-08 08:55:14',
'total': 90,
'url': 'http://85.214.149.236:443/sugarcrm/themes/default/images/bioset.jpg'},
{'positives': 9,
'scan_date': '2021-06-28 02:32:40',
'total': 89,
'url': 'http://85.214.149.236:443/sugarcrm/themes/default/images/mod.jpg'},
{'positives': 10,
'scan_date': '2021-06-26 00:05:01',
'total': 89,
'url': 'http://85.214.149.236:443/sugarcrm/themes/default/images/default.jpg'},
{'positives': 12,
'scan_date': '2021-06-23 12:00:19',
'total': 88,
'url': 'http://dockerupdate.anondns.net/'},
{'positives': 12,
'scan_date': '2021-06-21 01:57:07',
'total': 88,
'url': 'http://dockerupdate.anondns.net:443/sugarcrm/themes/default/images/'},
{'positives': 8,
'scan_date': '2021-06-21 01:50:52',
'total': 89,
'url': 'http://85.214.149.236:443/sugarcrm/themes/default/images/'},
{'positives': 9,
'scan_date': '2021-06-19 00:07:04',
'total': 89,
'url': 'http://85.214.149.236:443/sugarcrm/themes/default/images/kube.jpg'},
{'positives': 7,
'scan_date': '2021-06-16 08:08:57',
'total': 89,
'url': 'http://85.214.149.236:443/'},
{'positives': 8,
'scan_date': '2021-06-09 03:40:07',
'total': 89,
'url': 'https://85.214.149.236/sugarcrm/themes/default/images'},
{'positives': 7,
'scan_date': '2021-06-09 03:18:37',
'total': 89,
'url': 'https://85.214.149.236/sugarcrm/themes/default/images/'},
{'positives': 8,
'scan_date': '2021-06-08 15:50:06',
'total': 89,
'url': 'http://85.214.149.236:443/sugarcrm/themes/default/images'},
{'positives': 6,
'scan_date': '2021-04-21 00:07:34',
'total': 87,
'url': 'http://85.214.149.236/sugarcrm/themes/default/images/stock.jpg'},
{'positives': 5,
'scan_date': '2021-04-01 13:42:58',
'total': 85,
'url': 'http://85.214.149.236/sugarcrm/themes/default/images/mod.jpg'},
{'positives': 9,
'scan_date': '2021-03-19 18:12:09',
'total': 85,
'url': 'http://dockerupdate.anondns.net:443/sugarcrm/themes/default/images/Carray.jpg'},
{'positives': 6,
'scan_date': '2021-01-12 10:34:27',
'total': 83,
'url': 'http://85.214.149.236/sugarcrm/themes/default/images/kube.jpg'},
{'positives': 10,
'scan_date': '2020-12-28 02:17:00',
'total': 83,
'url': 'http://dockerupdate.anondns.net/sugarcrm/themes/default/images/'},
{'positives': 6,
'scan_date': '2020-12-19 10:34:37',
'total': 83,
'url': 'http://85.214.149.236/sugarcrm/themes/default/images/default.jpg'},
{'positives': 6,
'scan_date': '2020-11-12 16:50:51',
'total': 81,
'url': 'http://85.214.149.236/sugarcrm/themes'},
{'positives': 14,
'scan_date': '2020-11-10 11:01:42',
'total': 81,
'url': 'http://dockerupdate.anondns.net:443/sugarcrm/themes/default/images/mos.jpg'},
{'positives': 14,
'scan_date': '2020-11-08 15:00:49',
'total': 81,
'url': 'http://dockerupdate.anondns.net:443/sugarcrm/themes/default/images/nk.jpg'},
{'positives': 6,
'scan_date': '2020-11-04 19:21:25',
'total': 81,
'url': 'http://85.214.149.236/sugarcrm/themes/default'},
{'positives': 6,
'scan_date': '2020-10-29 00:55:07',
'total': 81,
'url': 'http://85.214.149.236/sugarcrm/themes/default/images'},
{'positives': 12,
'scan_date': '2020-09-28 03:26:34',
'total': 80,
'url': 'http://dockerupdate.anondns.net:443/sugarcrm'},
{'positives': 9,
'scan_date': '2020-09-28 03:06:19',
'total': 80,
'url': 'http://85.214.149.236/sugarcrm/.../dns'},
{'positives': 11,
'scan_date': '2020-09-24 14:01:08',
'total': 80,
'url': 'http://dockerupdate.anondns.net/sugarcrm/themes/default/images'},
{'positives': 12,
'scan_date': '2020-09-21 17:20:19',
'total': 80,
'url': 'http://dockerupdate.anondns.net:443/sugarcrm/themes/default/images/carray.jpg'},
{'positives': 6,
'scan_date': '2020-09-20 16:04:57',
'total': 80,
'url': 'http://85.214.149.236/sugarcrm'},
{'positives': 9,
'scan_date': '2020-09-17 17:36:08',
'total': 80,
'url': 'http://85.214.149.236:443/sugarcrm/banner.php'},
{'positives': 11,
'scan_date': '2020-09-10 07:55:21',
'total': 80,
'url': 'http://dockerupdate.anondns.net:443/sugarcrm/'},
{'positives': 10,
'scan_date': '2020-09-09 12:06:14',
'total': 80,
'url': 'http://dockerupdate.anondns.net:443/sugarcrm/themes/default/images/Carray.jpg/'},
{'positives': 4,
'scan_date': '2020-09-09 12:05:12',
'total': 80,
'url': 'http://85.214.149.236:443/sugarcrm/themes/default/images/bioset.jpg/'},
{'positives': 11,
'scan_date': '2020-09-09 11:59:35',
'total': 80,
'url': 'http://dockerupdate.anondns.net/sugarcrm/themes/default/images/mos.jpg'},
{'positives': 5,
'scan_date': '2020-09-09 11:48:55',
'total': 80,
'url': 'http://85.214.149.236:443/sugarcrm/.../run'},
{'positives': 4,
'scan_date': '2020-09-09 11:44:28',
'total': 80,
'url': 'http://85.214.149.236:443/sugarcrm/themes/default/images/mod.js'},
{'positives': 6,
'scan_date': '2020-09-09 11:35:26',
'total': 80,
'url': 'http://85.214.149.236:443/sugarcrm/.../cron.sh'},
{'positives': 11,
'scan_date': '2020-09-09 11:30:00',
'total': 80,
'url': 'http://dockerupdate.anondns.net/sugarcrm/themes/default/images/nk.jpg'},
{'positives': 5,
'scan_date': '2020-09-05 03:44:35',
'total': 80,
'url': 'http://85.214.149.236/sugarcrm/...'},
{'positives': 8,
'scan_date': '2020-09-02 06:09:23',
'total': 80,
'url': 'https://dockerupdate.anondns.net/'},
{'positives': 6,
'scan_date': '2020-09-01 17:37:50',
'total': 79,
'url': 'http://85.214.149.236:443/sugarcrm/.../dns'},
{'positives': 1,
'scan_date': '2020-08-28 08:15:47',
'total': 78,
'url': 'http://85.214.149.236:443/sugarcrm/themes/default/images/mod.js\"'},
{'positives': 2,
'scan_date': '2020-08-27 13:22:06',
'total': 78,
'url': 'http://85.214.149.236:443/sugarcrm/themes/default/images/zgrab.jpg'},
{'positives': 7,
'scan_date': '2020-08-25 14:52:00',
'total': 79,
'url': 'http://dockerupdate.anondns.net:443/sugarcrm/themes/default/images/portjoe.jpg'},
{'positives': 7,
'scan_date': '2020-08-25 07:02:55',
'total': 79,
'url': 'http://dockerupdate.anondns.net:443/sugarcrm/themes/default/images'},
{'positives': 4,
'scan_date': '2020-08-24 07:34:44',
'total': 79,
'url': 'http://dockerupdate.anondns.net:443/sugarcrm/themes/default/images/01.jpg'}],
'resolutions': [{'hostname': 'dockerupdate.anondns.net',
'last_resolved': '2020-08-14 18:56:08'},
{'hostname': 'h2381205.stratoserver.net',
'last_resolved': '2020-08-06 12:19:57'}],
'response_code': 1,
'undetected_communicating_samples': [{'date': '2021-06-24 10:15:37',
'positives': 0,
'sha256': '7149b53e4a3f9de2a7d47190af64f8b609618ed09f8440a64175049a90336775',
'total': 75},
{'date': '2021-06-09 10:51:49',
'positives': 0,
'sha256': '45cc4f38340bf1d4bb0010114ccf03112d14dee7815aa797d20854605fdca2d2',
'total': 74},
{'date': '2021-06-12 19:00:20',
'positives': 0,
'sha256': '020531aef7e069ee6e384f2fe9c49db9d99292d559c72da95276c2788b17d386',
'total': 74},
{'date': '2020-12-10 15:39:02',
'positives': 0,
'sha256': 'd9c46904d5bb808f2f0c28e819a31703f5155c4df66c4c4669f5d9e81f25dc66',
'total': 75},
{'date': '2020-08-28 07:36:29',
'positives': 0,
'sha256': 'd333c3cfb8b9ad1da5ee50f96a55dfbe70196f05fd88b5f04e925e32305cfff8',
'total': 73},
{'date': '2020-08-28 07:40:32',
'positives': 0,
'sha256': '18c178fb224ec17718e5f70a92041e721d9e380e70063cc4bfe3f61d6feb72d9',
'total': 73},
{'date': '2020-08-28 07:35:10',
'positives': 0,
'sha256': 'a5d14bb053b03e81e58101516c782360fe64d6469852c6aa06fc47c08b30b127',
'total': 73},
{'date': '2020-08-26 22:30:40',
'positives': 0,
'sha256': 'ba16f24e6294e8da28782c1d8e00189950dd4cbbb061ef13d1a4d84305651768',
'total': 73},
{'date': '2020-08-26 14:29:14',
'positives': 0,
'sha256': '1861eee8333dadcfe0d0dc10461f5f82fada8e42db9aa9efba6f258182e9c546',
'total': 73},
{'date': '2020-08-24 07:12:27',
'positives': 0,
'sha256': 'b485e6ccc9cfeb9c2034cebfeaf1bb3b3db0ac9996e5260fc1e95ce852b757c4',
'total': 73}],
'undetected_downloaded_samples': [{'date': '2020-09-09 11:44:35',
'positives': 0,
'sha256': 'e8812c8ff47b0542c7ee4d6bdff5bfbfd488a8e363d884074089c54b6ffc9789',
'total': 73},
{'date': '2020-07-16 04:03:02',
'positives': 0,
'sha256': '1474298ed7a5c63ca8098794cd743a276807cca0e678e046160718626bb038f3',
'total': 76}],
'undetected_referrer_samples': [],
'undetected_urls': [['http://h2381205.stratoserver.net/',
'011bcc2795245bb9fac15c54e0e189b0c6e2f24c42c57fec7cfc654a8bb95106',
0,
80,
'2020-11-02 13:02:39'],
['http://85.214.149.236:443/sugarcrm/.../',
'9ffbd9455f6aa190b4270b0d8bfe2c863c6495b94b0f510169999135476e4ed4',
0,
79,
'2020-07-14 10:52:05']],
'verbose_msg': 'IP address in dataset'}