The following Python modules will have to be imported for the notebook to work correctly:

```python
import struct, socket
import numpy as np
import csv, json
import os
import urllib2
import datetime
import operator
import itertools
import ipywidgets as widgets  # For jupyter/ipython >= 1.4
from IPython.html import widgets
from IPython.display import display, Javascript, clear_output
```
top_results:
- This value defines the number of rows that will be displayed onscreen after the expanded search.
Input: data should exist in the following tables: dns, dns_threat_investigation

Output: the following tables will be populated after the threat investigation process: dns_storyboard, dns_threat_dendro
This is not a function, but rather global code that sets up the styles and widgets used to format the output of the notebook.
start_investigation():
- This function cleans the notebook from previous executions.
data_loader():
- , then calls the threats query to get the ip_dst and dns_qry_name values previously scored as high risk, merging both lists into a single dictionary to populate the ‘Suspicious DNS’ listbox through the fill_list() function.
display_controls(ip_list):
- This function will only display the main widget box, containing:
fill_list(list_control,source):
- This function populates a listbox widget with the given data dictionary and adds an empty item at the top with the value ‘--Select--’ (just for visualization's sake).
search_ip(b):
- This function is triggered by the onclick event of the “Search” button. It calls the graphql threat / details query to find additional connections involving the selected IP or query name. The results are displayed in the HTML table, ordered by number of connections, listing the most active connections first. From here the display_threat_box() function is invoked.
display_threat_box(ip):
- Generates and displays the widgets for “Title” and “Comments” textboxes and the “Save” button on the notebook.
save_threat_summary(b):
- This function is triggered by the onclick event on the ‘Save’ button. This will take the contents of the form and create/update the threats.csv file.
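The three data-handling steps described above (merging the two high-risk lists in data_loader(), building the ‘--Select--’-prefixed listbox options in fill_list(), and the create/update of threats.csv in save_threat_summary()) as an added, self-contained example. This is not the notebook's own code: the widget and graphql calls are left out so it runs offline, the sample high-risk rows are constructed, the threats.csv column layout is an assumption, and it is written for Python 3 rather than the Python 2 the notebook imports imply.

```python
import csv
import os
import tempfile

# Constructed sample of what the threats query returns (assumed shape).
HIGH_RISK_IPS = [{"ip_dst": "10.0.0.5", "score": 1}, {"ip_dst": "10.0.0.9", "score": 1}]
HIGH_RISK_QUERIES = [{"dns_qry_name": "suspicious.example.test", "score": 1}]

# Assumed threats.csv layout; the real file's columns are not given on the page.
THREATS_HEADER = ["ip_dst", "dns_qry_name", "title", "text"]


def merge_threats(ips, queries):
    """Merge both high-risk lists into one dict keyed by the value shown in the listbox."""
    merged = {}
    for row in ips:
        merged[row["ip_dst"]] = "ip_dst"
    for row in queries:
        merged[row["dns_qry_name"]] = "dns_qry_name"
    return merged


def listbox_options(data):
    """Options for the 'Suspicious DNS' listbox: the empty '--Select--' item first."""
    return ["--Select--"] + sorted(data)


def load_threats(path):
    """Read threats.csv as a list of dicts; an absent file is simply an empty list."""
    if not os.path.exists(path):
        return []
    with open(path, newline="") as f:
        return list(csv.DictReader(f))


def save_threat_summary(path, ip_dst, dns_qry_name, title, text):
    """Create threats.csv if missing, otherwise replace the row for the same
    ip/query pair (update) or append a new one (create). Returns the row count.
    csv.DictWriter quotes delimiters and newlines in the free-text fields, so
    user-typed comments cannot break the file into extra rows."""
    key = (ip_dst, dns_qry_name)
    rows = [r for r in load_threats(path) if (r["ip_dst"], r["dns_qry_name"]) != key]
    rows.append({"ip_dst": ip_dst, "dns_qry_name": dns_qry_name, "title": title, "text": text})
    with open(path, "w", newline="") as f:
        writer = csv.DictWriter(f, fieldnames=THREATS_HEADER)
        writer.writeheader()
        writer.writerows(rows)
    return len(rows)


def run_demo():
    """Walk through the three steps in a temporary directory and return what each produced."""
    options = listbox_options(merge_threats(HIGH_RISK_IPS, HIGH_RISK_QUERIES))
    path = os.path.join(tempfile.mkdtemp(), "threats.csv")
    first = save_threat_summary(path, "10.0.0.5", "", "Beaconing host", "first note")
    second = save_threat_summary(path, "10.0.0.5", "", "Beaconing host", "revised, with a\nsecond line")
    third = save_threat_summary(path, "", "suspicious.example.test", "DGA-like name", "note")
    return {"options": options, "counts": (first, second, third), "rows": load_threats(path)}


if __name__ == "__main__":
    print(run_demo())
```

The update path is what matters for the notebook's save button: saving the same IP twice must not leave two conflicting summaries, so the row is keyed on the ip/query pair and replaced in place.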
removeWidget(index):
- Javascript function that removes a specific widget from the notebook.