{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Get Suspicious DNS"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {
"collapsed": false
},
"outputs": [],
"source": [
"import urllib2\n",
"import json\n",
"import os \n",
"import datetime\n",
"\n",
"# derive the date (last path component) and the data source (the component before it) from the working directory.\n",
"path = os.getcwd().split(\"/\") \n",
"date = path[len(path)-1] \n",
"dsource = path[len(path)-2]"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {
"collapsed": false
},
"outputs": [],
"source": [
"def apply_css_to_select(select):\n",
" select._css = (\n",
" (None, 'height', '90%'),\n",
" (None, 'width', '90%'),\n",
" ('select', 'overflow-x', 'auto'),\n",
" ('select', 'width', '100%'),\n",
" ('select', 'margin', 0)\n",
" )\n",
"\n",
"try:\n",
" import ipywidgets as widgets # For jupyter/ipython >= 1.4\n",
"except ImportError:\n",
" from IPython.html import widgets\n",
"from IPython.display import display, HTML, clear_output, Javascript \n",
"\n",
"def fill_list(list_control,source):\n",
" options_list = ['- Select -'] \n",
" options_list.extend([s for s in source])\n",
" list_control.options = options_list\n",
"\n",
"# client panel\n",
"client_header = widgets.HTML(value=\"Client IP\")\n",
"client_select = widgets.Select(height='90%')\n",
"apply_css_to_select(client_select)\n",
"\n",
"client_box = widgets.Box(width='20%', height='100%')\n",
"client_box.children = [client_header, client_select]\n",
"\n",
"# query panel\n",
"query_header = widgets.HTML(value=\"Query\")\n",
"query_select = widgets.Select(height='90%')\n",
"apply_css_to_select(query_select)\n",
"\n",
"query_box = widgets.Box(width='60%', height='100%')\n",
"query_box.children = [query_header, query_select]\n",
"\n",
"# Actions Panel\n",
"actions_header = widgets.HTML(value=\" \")\n",
"quick_text = widgets.Text(value='', width='100%', placeholder='Quick scoring')\n",
"quick_text._css = (\n",
" (None, 'width', '100%'),\n",
")\n",
"rating_btn = widgets.RadioButtons(description='Rating:', options=['1', '2', '3'], width='100%')\n",
"assign_btn = widgets.Button(description='Score', width='45%')\n",
"assign_btn.button_style = 'primary'\n",
"save_btn = widgets.Button(description='Save', width='45%')\n",
"save_btn.button_style = 'primary'\n",
"save_btn._css = (\n",
" (None, 'margin-left', '10%'),\n",
")\n",
"actions_box = widgets.Box(width='20%', height='100%')\n",
"actions_box.children = [actions_header,quick_text,rating_btn, assign_btn,save_btn]\n",
"\n",
"scoring_form = widgets.HBox(width='90%', height=250)\n",
"scoring_form.children = [client_box,query_box,actions_box]\n",
"\n",
"rest_msg_box = widgets.HTML()\n",
"\n",
"global score_values \n",
"\n",
"score_values = []\n",
"\n",
"def data_loader(): \n",
" us_ips = []\n",
" us_dns = []\n",
" scored = []\n",
" \n",
" global score_values\n",
" query=\"\"\"query($date:SpotDateType!) {\n",
" dns{\n",
" suspicious(date:$date){\n",
" dnsQuery\n",
" clientIp\n",
" }\n",
" }\n",
" }\"\"\"\n",
" variables={\n",
" 'date': datetime.datetime.strptime(date, '%Y%m%d').strftime('%Y-%m-%d')\n",
" }\n",
" \n",
" for item in score_values:\n",
" scored.append(item[0])\n",
" scored.append(item[1])\n",
" \n",
" response = GraphQLClient.request(query, variables)\n",
" \n",
" if not 'errors' in response:\n",
" for row in response['data']['dns']['suspicious']: \n",
" if row['clientIp'] not in us_ips and row['clientIp'] not in scored: \n",
" us_ips.append(row['clientIp'])\n",
" if row['dnsQuery'] not in us_dns and row['dnsQuery'] not in scored:\n",
" us_dns.append(row['dnsQuery']) \n",
"\n",
" fill_list(client_select,us_ips)\n",
" fill_list(query_select,us_dns)\n",
" client_select.value = \"- Select -\"\n",
" query_select.value = \"- Select -\" \n",
"\n",
"\n",
"display(Javascript(\"$('.widget-area > .widget-subarea > *').remove();\"))\n",
"data_loader()\n",
"display(scoring_form)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Update Suspicious DNS"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {
"collapsed": false
},
"outputs": [],
"source": [
"import csv\n",
"import datetime\n",
"import subprocess \n",
"\n",
"\n",
"def assign_score(b):\n",
" clear_output()\n",
" sev = int(rating_btn.selected_label) \n",
"\n",
" if quick_text.value: \n",
" ip = \"\"\n",
" dns = quick_text.value\n",
" dns_sev = int(rating_btn.selected_label) \n",
" for query in query_select.options:\n",
" if query.endswith(dns): \n",
" score_values.append((ip,query,sev))\n",
" else: \n",
" ip = client_select.value if not \"- Select -\" in client_select.value else \"\"\n",
" dns = query_select.value if not \"- Select -\" in query_select.value else \"\"\n",
" score_values.append((ip,dns,sev))\n",
" clear_output()\n",
" \n",
" if client_select.value != \"- Select -\": \n",
" display(Javascript(\"$(\\\"option:nth-of-type(0)[data-value='\" + client_select.value +\"']\\\").remove();\"))\n",
" if quick_text.value:\n",
" display(Javascript(\"$(\\\"option:nth-of-type(1)[data-value$='\" + dns +\"']\\\").remove();\"))\n",
" elif query_select.value != \"- Select -\":\n",
" display(Javascript(\"$(\\\"option:nth-of-type(1)[data-value='\" + query_select.value +\"']\\\").remove();\"))\n",
"\n",
" client_select.value = \"- Select -\"\n",
" query_select.value = \"- Select -\"\n",
" quick_text.value = \"\" \n",
" \n",
" rest_msg_box.visible = False\n",
" data_loader() \n",
" \n",
" print \"Click the 'Save' button when you're finished scoring\" \n",
"\n",
" \n",
"def reset_scoring():\n",
" response = GraphQLClient.request(\n",
" query=\"\"\"mutation($date:SpotDateType!) {\n",
" dns{\n",
" resetScoredConnections(date:$date){\n",
" success\n",
" }\n",
" }\n",
" }\"\"\",\n",
" variables={\n",
" 'date': datetime.datetime.strptime(date, '%Y%m%d').strftime('%Y-%m-%d')\n",
" }\n",
" ) \n",
" \n",
" if not 'errors' in response:\n",
" rest_msg_box.value=\"Suspicious connects successfully reset\"\n",
" data_loader()\n",
" rest_msg_box.visible = True\n",
" display(rest_msg_box)\n",
" else:\n",
" print \"An error ocurred: \" + response['errors'][0]['message']\n",
" \n",
" \n",
"def save(b): \n",
" variables=[]\n",
" global score_values\n",
" mutation=\"\"\"mutation($input:[DnsScoreType!]!)\n",
" {\n",
" dns{\n",
" score(input:$input)\n",
" {success}\n",
" }\n",
" }\"\"\" \n",
" \n",
" for row in score_values:\n",
" variables.append({\n",
" 'date': datetime.datetime.strptime(date, '%Y%m%d').strftime('%Y-%m-%d'),\n",
" 'clientIp': row[0] if row[0] != \"\" else None,\n",
" 'dnsQuery': row[1] if row[1] != \"\" else None,\n",
" 'score': row[2] if row[2] != \"\" else None \n",
" })\n",
"\n",
" var = {'input':variables}\n",
" response = GraphQLClient.request(mutation,var)\n",
" \n",
" score_values = []\n",
" if not 'errors' in response:\n",
" clear_output() \n",
" display(Javascript(\"$('.widget-area > .widget-subarea > *').remove();\"))\n",
" data_loader() \n",
" display(scoring_form)\n",
" display(Javascript('reloadParentData();')) \n",
" print \"Suspicious connects successfully updated\"\n",
" else:\n",
" print \"An error ocurred: \" + response['errors'][0]['message']\n",
" \n",
" \n",
"assign_btn.on_click(assign_score)\n",
"save_btn.on_click(save) "
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {
"collapsed": true
},
"outputs": [],
"source": [
"# reset_scoring()"
]
}
],
"metadata": {
"kernelspec": {
"display_name": "Python 2",
"language": "python",
"name": "python2"
},
"language_info": {
"codemirror_mode": {
"name": "ipython",
"version": 2
},
"file_extension": ".py",
"mimetype": "text/x-python",
"name": "python",
"nbconvert_exporter": "python",
"pygments_lexer": "ipython2",
"version": "2.7.10"
}
},
"nbformat": 4,
"nbformat_minor": 0
}