
Commit 92cbf2c

authored
Merge pull request #217 from maartengoet/master
MTP advanced hunting Jupyter notebook
2 parents 8131320 + 48be6ba commit 92cbf2c

File tree

1 file changed

+1
-0
lines changed

1 file changed

+1
-0
lines changed

Notebooks/mtp_hunting.ipynb

Lines changed: 1 addition & 0 deletions
@@ -0,0 +1 @@
1+
{"cells":[{"cell_type":"code","execution_count":52,"metadata":{},"outputs":[],"source":["# Microsoft Threat Protection advanced hunting notebook\n","\n","# Version 1.0\n","# Author: Maarten Goet, MVP & RD\n","# http://www.maartengoet.org \n","\n","import json\n","import pandas\n","import urllib.request\n","import urllib.parse\n","\n","# Your MTP environment\n","\n","tenantId = '00000000-0000-0000-0000-000000000000' # Replace with your Tenant ID\n","appId = '000000000000000000-0000-000000000000' # Replace with your Application ID\n","appSecret = '0000000000000000000000000000000000' # Replace with the Secret for your Application\n","\n","url = \"https://login.windows.net/%s/oauth2/token\" % (tenantId)\n","\n","resourceAppIdUri = 'https://api.security.microsoft.com' # Hello, MTP\n","\n","body = {\n"," 'resource' : resourceAppIdUri,\n"," 'client_id' : appId,\n"," 'client_secret' : appSecret,\n"," 'grant_type' : 'client_credentials'\n","}\n","\n","data = urllib.parse.urlencode(body).encode(\"utf-8\")\n","\n","req = urllib.request.Request(url, data)\n","response = urllib.request.urlopen(req)\n","jsonResponse = json.loads(response.read())\n","aadToken = jsonResponse[\"access_token\"] # Access token for the next hour"]},{"cell_type":"code","execution_count":53,"metadata":{},"outputs":[],"source":["# Specify your Advanced Hunting query (KQL)\n","# Sample: get indicators of comprise for COVID-19 campaigns\n","\n","query = ('''\n","\n","let Covid19IoC = (externaldata(Covid19Indicators:string )\n","[@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.Covid19.Indicators.json\"] with (format=\"multijson\"));\n","Covid19IoC\n","| mv-expand(parse_json(Covid19Indicators))\n","| project Covid19Indicators = todynamic(Covid19Indicators)\n","| evaluate bag_unpack(Covid19Indicators) | evaluate bag_unpack(AdditionalMetadata)\n","| project FirstSeen, ThreatType, FileSha256=Indicator, FileMd5, FileSha1, ExternalId\n","\n","''') # KQL\n","\n","# 
Need inspiration? Here's a MTP cheat sheet: \n","# https://medium.com/threathunt/introducing-mtp-advance-hunting-cheat-sheet-1535862c5e84"]},{"cell_type":"code","execution_count":50,"metadata":{},"outputs":[],"source":["url = \"https://api.security.microsoft.com/api/advancedhunting/run\" # Query the MTP Advanced Hunting API\n","headers = { \n","\t'Content-Type' : 'application/json',\n","\t'Accept' : 'application/json',\n","\t'Authorization' : \"Bearer \" + aadToken\n","}\n","\n","data = json.dumps({ 'Query' : query }).encode(\"utf-8\")\n","\n","req = urllib.request.Request(url, data, headers)\n","response = urllib.request.urlopen(req)\n","jsonResponse = json.loads(response.read())\n","schema = jsonResponse[\"Schema\"]\n","results = jsonResponse[\"Results\"] # JSON response will be loaded in variable called 'results'"]},{"cell_type":"code","execution_count":54,"metadata":{},"outputs":[{"output_type":"execute_result","data":{"text/plain":" FirstSeen ThreatType \\\n0 2020-07-29T00:17:55Z Phish \n1 2020-07-07T20:55:05Z Malware \n2 2020-07-07T20:40:38Z Malware \n3 2020-07-07T19:58:21Z Malware \n4 2020-07-07T20:11:08Z Malware \n.. ... ... \n357 2020-08-13T21:25:44Z Phish \n358 2020-08-10T10:05:35Z Phish \n359 2020-08-09T19:30:26Z Phish \n360 2020-08-09T15:52:39Z Phish \n361 2020-08-04T17:40:51Z Phish \n\n FileSha256 \\\n0 1b0a0abb55a0d47ae9439947a022ccf4901876622a40ef... \n1 064147ab90d91d91a642163b45fc1db3b93f7a0ee9ea34... \n2 5f9a2e47545a9cafaefb332e7e1c4ae36d2fe7f0c04890... \n3 dc9124c7f6cc9a45e5c6330f16d52b6b279e654cd974b4... \n4 e055b8ceea393ed64596f0398f33d06d863fdb3ef843f7... \n.. ... \n357 baca3c59494f002664d4993d683f190984ad8d4ba7705c... \n358 037c58735813a7a287793b74ca113b73bdc61a8657e723... \n359 6634cad00f3cf79d858882f2c1170bb9f6486c01f2e97c... \n360 ffafe3c772ee00762745c0fdecfc910da06f043ef1cf96... \n361 4118bfe7cac599cb88694af49c34bbd82fc8f0615934e5... 
\n\n FileMd5 \\\n0 afde4667948a55f8539aa9425c7f62ef \n1 070e8c59080ff8dadeb45e6f569185cb \n2 500d9d25c3592ca97b0df084f9f5dbda \n3 f236dd1fd018d7b2514204177e7ae2d7 \n4 ae24304e4d95499201e4a88577c17abe \n.. ... \n357 ae3c4d5b384e72cf09d2412ce169f3aa \n358 2082b9e191e5c929acc40a9a7d8392b6 \n359 4c6785476f3931151cbe34cd11634f7f \n360 3ef12c53b77b13c179e8c91810850939 \n361 7a1c8a9ba5af265e8138bd36559c34fd \n\n FileSha1 \\\n0 988c1e37a8c3e9045c582080035ab8f95b774451 \n1 93affa95cd2d4c62beb3115b039ae7e44a12ca1c \n2 289991696ffc5bec3da311b7b809a4d976f68e4f \n3 ec4508b08b023d9a454f5c92adecc5516a4528f2 \n4 bbb9f4e30ce3b75e938dc67cd939e24520610082 \n.. ... \n357 005616da7e72e428805f0e783e43dca8052c956a \n358 2a3e2157a4351e53024275eb69db372a91e3b8ec \n359 93a4f074e6b5c10657b9075ebc4940e2dcf3695f \n360 c6988d37407d2105997281d977b6333f3eeb9024 \n361 7964435fee4fb5427d833c5b3987d0505f267a7a \n\n ExternalId \n0 58b808d3-30d1-ea11-b0a1-9cdc7141d162 \n1 8089daad-93c0-ea11-b0a5-9cdc7148e892 \n2 858a79a7-91c0-ea11-b0a8-040973d20fc2 \n3 251647c5-8bc0-ea11-b0aa-040973d37112 \n4 40747987-8dc0-ea11-b083-00155d012c08 \n.. ... 
\n357 405ad461-abdd-ea11-b0a5-9cdc71462bf2 \n358 1a79a5f1-f0da-ea11-b0ac-9cdc7150a8b2 \n359 61ccca10-76da-ea11-b0aa-040973d2dbe2 \n360 6e2c7e1a-58da-ea11-b09a-e0071b7ca442 \n361 9e377876-79d6-ea11-b0a6-9cdc71475e92 \n\n[362 rows x 6 columns]","text/html":"<div>\n<style scoped>\n .dataframe tbody tr th:only-of-type {\n vertical-align: middle;\n }\n\n .dataframe tbody tr th {\n vertical-align: top;\n }\n\n .dataframe thead th {\n text-align: right;\n }\n</style>\n<table border=\"1\" class=\"dataframe\">\n <thead>\n <tr style=\"text-align: right;\">\n <th></th>\n <th>FirstSeen</th>\n <th>ThreatType</th>\n <th>FileSha256</th>\n <th>FileMd5</th>\n <th>FileSha1</th>\n <th>ExternalId</th>\n </tr>\n </thead>\n <tbody>\n <tr>\n <th>0</th>\n <td>2020-07-29T00:17:55Z</td>\n <td>Phish</td>\n <td>1b0a0abb55a0d47ae9439947a022ccf4901876622a40ef...</td>\n <td>afde4667948a55f8539aa9425c7f62ef</td>\n <td>988c1e37a8c3e9045c582080035ab8f95b774451</td>\n <td>58b808d3-30d1-ea11-b0a1-9cdc7141d162</td>\n </tr>\n <tr>\n <th>1</th>\n <td>2020-07-07T20:55:05Z</td>\n <td>Malware</td>\n <td>064147ab90d91d91a642163b45fc1db3b93f7a0ee9ea34...</td>\n <td>070e8c59080ff8dadeb45e6f569185cb</td>\n <td>93affa95cd2d4c62beb3115b039ae7e44a12ca1c</td>\n <td>8089daad-93c0-ea11-b0a5-9cdc7148e892</td>\n </tr>\n <tr>\n <th>2</th>\n <td>2020-07-07T20:40:38Z</td>\n <td>Malware</td>\n <td>5f9a2e47545a9cafaefb332e7e1c4ae36d2fe7f0c04890...</td>\n <td>500d9d25c3592ca97b0df084f9f5dbda</td>\n <td>289991696ffc5bec3da311b7b809a4d976f68e4f</td>\n <td>858a79a7-91c0-ea11-b0a8-040973d20fc2</td>\n </tr>\n <tr>\n <th>3</th>\n <td>2020-07-07T19:58:21Z</td>\n <td>Malware</td>\n <td>dc9124c7f6cc9a45e5c6330f16d52b6b279e654cd974b4...</td>\n <td>f236dd1fd018d7b2514204177e7ae2d7</td>\n <td>ec4508b08b023d9a454f5c92adecc5516a4528f2</td>\n <td>251647c5-8bc0-ea11-b0aa-040973d37112</td>\n </tr>\n <tr>\n <th>4</th>\n <td>2020-07-07T20:11:08Z</td>\n <td>Malware</td>\n <td>e055b8ceea393ed64596f0398f33d06d863fdb3ef843f7...</td>\n 
<td>ae24304e4d95499201e4a88577c17abe</td>\n <td>bbb9f4e30ce3b75e938dc67cd939e24520610082</td>\n <td>40747987-8dc0-ea11-b083-00155d012c08</td>\n </tr>\n <tr>\n <th>...</th>\n <td>...</td>\n <td>...</td>\n <td>...</td>\n <td>...</td>\n <td>...</td>\n <td>...</td>\n </tr>\n <tr>\n <th>357</th>\n <td>2020-08-13T21:25:44Z</td>\n <td>Phish</td>\n <td>baca3c59494f002664d4993d683f190984ad8d4ba7705c...</td>\n <td>ae3c4d5b384e72cf09d2412ce169f3aa</td>\n <td>005616da7e72e428805f0e783e43dca8052c956a</td>\n <td>405ad461-abdd-ea11-b0a5-9cdc71462bf2</td>\n </tr>\n <tr>\n <th>358</th>\n <td>2020-08-10T10:05:35Z</td>\n <td>Phish</td>\n <td>037c58735813a7a287793b74ca113b73bdc61a8657e723...</td>\n <td>2082b9e191e5c929acc40a9a7d8392b6</td>\n <td>2a3e2157a4351e53024275eb69db372a91e3b8ec</td>\n <td>1a79a5f1-f0da-ea11-b0ac-9cdc7150a8b2</td>\n </tr>\n <tr>\n <th>359</th>\n <td>2020-08-09T19:30:26Z</td>\n <td>Phish</td>\n <td>6634cad00f3cf79d858882f2c1170bb9f6486c01f2e97c...</td>\n <td>4c6785476f3931151cbe34cd11634f7f</td>\n <td>93a4f074e6b5c10657b9075ebc4940e2dcf3695f</td>\n <td>61ccca10-76da-ea11-b0aa-040973d2dbe2</td>\n </tr>\n <tr>\n <th>360</th>\n <td>2020-08-09T15:52:39Z</td>\n <td>Phish</td>\n <td>ffafe3c772ee00762745c0fdecfc910da06f043ef1cf96...</td>\n <td>3ef12c53b77b13c179e8c91810850939</td>\n <td>c6988d37407d2105997281d977b6333f3eeb9024</td>\n <td>6e2c7e1a-58da-ea11-b09a-e0071b7ca442</td>\n </tr>\n <tr>\n <th>361</th>\n <td>2020-08-04T17:40:51Z</td>\n <td>Phish</td>\n <td>4118bfe7cac599cb88694af49c34bbd82fc8f0615934e5...</td>\n <td>7a1c8a9ba5af265e8138bd36559c34fd</td>\n <td>7964435fee4fb5427d833c5b3987d0505f267a7a</td>\n <td>9e377876-79d6-ea11-b0a6-9cdc71475e92</td>\n </tr>\n </tbody>\n</table>\n<p>362 rows × 6 columns</p>\n</div>"},"metadata":{},"execution_count":54}],"source":["from pandas.io.json import json_normalize\n","\n","json_normalize(results) # Convert JSON to a dataframe and display 
output"]}],"nbformat":4,"nbformat_minor":2,"metadata":{"language_info":{"name":"python","codemirror_mode":{"name":"ipython","version":3},"version":"3.7.6-final"},"orig_nbformat":2,"file_extension":".py","mimetype":"text/x-python","name":"python","npconvert_exporter":"python","pygments_lexer":"ipython3","version":3,"kernelspec":{"name":"python_defaultSpec_1598541066972","display_name":"Python 3.7.6 64-bit ('base': conda)"}}}
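Review bot: The first cell of the new notebook keeps the client secret as a string literal (`appSecret = '0000...' # Replace with the Secret for your Application`), which invites users to commit a live credential alongside the saved outputs; read it at run time instead, e.g. `import getpass` in the import block and `appSecret = getpass.getpass('MTP application secret: ')`, or `os.environ['MTP_APP_SECRET']` with a clearly named variable of your choosing. Neither `urlopen` call passes a `timeout`, and the token cell indexes `jsonResponse["access_token"]` without checking for an error response, so a failed login surfaces as a bare `KeyError` rather than the AAD error description; `urllib.request.urlopen(req, timeout=30)` and a check for `"error"` in the token response would make failures diagnosable. The saved execution counts run 52, 53, 50, 54, so the stored output was not produced by a top-to-bottom run — a Restart Kernel → Run All before committing would confirm the cells work in order. `from pandas.io.json import json_normalize` in the last cell is the deprecated import path; `pandas.json_normalize` is the current one and could live with the other imports in the first cell.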
