{ "cells": [ { "cell_type": "markdown", "metadata": {}, "source": [ "# Notebook Title\n", "
\n", "  Details...\n", "\n", " **Notebook Version:** 1.0
\n", " **Python Version:** Python 3.6 (including Python 3.6 - AzureML)
\n", " **Required Packages**: kqlmagic, msticpy, pandas, pandas_bokeh, numpy, matplotlib, networkx, seaborn, datetime, ipywidgets, ipython, dnspython, ipwhois, folium, maxminddb_geolite2
\n", " **Platforms Supported**:\n", " - Azure Notebooks Free Compute\n", " - Azure Notebooks DSVM\n", " - OS Independent\n", "\n", " **Data Sources Required**:\n", " - Log Analytics/Azure Sentinel - Syslog, Secuirty Alerts, Auditd, Azure Network Analytics.\n", " - (Optional) - AlienVault OTX (requires account and API key)\n", "
\n", "\n", "Notebook description...." ] }, { "cell_type": "markdown", "metadata": { "toc": true }, "source": [ "

Table of Contents

\n", "
" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "---\n", "### Notebook initialization\n", "The next cell:\n", "- Checks for the correct Python version\n", "- Checks versions and optionally installs required packages\n", "- Imports the required packages into the notebook\n", "- Sets a number of configuration options.\n", "\n", "This should complete without errors. If you encounter errors or warnings look at the following two notebooks:\n", "- [TroubleShootingNotebooks](https://github.com/Azure/Azure-Sentinel-Notebooks/blob/master/TroubleShootingNotebooks.ipynb)\n", "- [ConfiguringNotebookEnvironment](https://github.com/Azure/Azure-Sentinel-Notebooks/blob/master/ConfiguringNotebookEnvironment.ipynb)\n", "\n", "If you are running in the Azure Sentinel Notebooks environment (Azure Notebooks or Azure ML) you can run live versions of these notebooks:\n", "- [Run TroubleShootingNotebooks](./TroubleShootingNotebooks.ipynb)\n", "- [Run ConfiguringNotebookEnvironment](./ConfiguringNotebookEnvironment.ipynb)\n", "\n", "You may also need to do some additional configuration to successfully use functions such as Threat Intelligence service lookup and Geo IP lookup. \n", "There are more details about this in the `ConfiguringNotebookEnvironment` notebook and in these documents:\n", "- [msticpy configuration](https://msticpy.readthedocs.io/en/latest/getting_started/msticpyconfig.html)\n", "- [Threat intelligence provider configuration](https://msticpy.readthedocs.io/en/latest/data_acquisition/TIProviders.html#configuration-file)\n" ] }, { "cell_type": "code", "execution_count": 1, "metadata": { "gather": { "logged": 1617932075325 } }, "outputs": [ { "data": { "text/html": [ "

Starting Notebook setup...

" ], "text/plain": [ "" ] }, "metadata": {}, "output_type": "display_data" }, { "data": { "text/html": [ "Note: you may need to scroll down this cell to see the full output." ], "text/plain": [ "" ] }, "metadata": {}, "output_type": "display_data" }, { "data": { "text/html": [ "

Starting notebook pre-checks...

" ], "text/plain": [ "" ] }, "metadata": {}, "output_type": "display_data" }, { "data": { "text/html": [ "Checking Python kernel version..." ], "text/plain": [ "" ] }, "metadata": {}, "output_type": "display_data" }, { "data": { "text/html": [ "Info: Python kernel version 3.8.1 OK
" ], "text/plain": [ "" ] }, "metadata": {}, "output_type": "display_data" }, { "data": { "text/html": [ "Checking msticpy version...
" ], "text/plain": [ "" ] }, "metadata": {}, "output_type": "display_data" }, { "data": { "text/html": [ "Info: msticpy version 1.0.0rc5 OK
" ], "text/plain": [ "" ] }, "metadata": {}, "output_type": "display_data" }, { "data": { "text/html": [ "

Notebook pre-checks complete.

" ], "text/plain": [ "" ] }, "metadata": {}, "output_type": "display_data" }, { "data": { "text/html": [ "

Starting Notebook initialization...

" ], "text/plain": [ "" ] }, "metadata": {}, "output_type": "display_data" }, { "data": { "text/html": [ "msticpy version installed: 1.0.0rc5 latest published: 0.9.0
Latest version is installed.

" ], "text/plain": [ "" ] }, "metadata": {}, "output_type": "display_data" }, { "data": { "text/html": [ "Processing imports....
" ], "text/plain": [ "" ] }, "metadata": {}, "output_type": "display_data" }, { "data": { "text/html": [ "Imported: pd (pandas), IPython.get_ipython, IPython.display.display, IPython.display.HTML, IPython.display.Markdown, widgets (ipywidgets), pathlib.Path, plt (matplotlib.pyplot), matplotlib.MatplotlibDeprecationWarning, sns (seaborn), np (numpy), msticpy.data.QueryProvider, msticpy.nbtools.foliummap.FoliumMap, msticpy.common.utility.md, msticpy.common.utility.md_warn, msticpy.common.wsconfig.WorkspaceConfig, msticpy.datamodel.pivot.Pivot, msticpy.datamodel.entities
" ], "text/plain": [ "" ] }, "metadata": {}, "output_type": "display_data" }, { "data": { "text/html": [ "Checking configuration....
" ], "text/plain": [ "" ] }, "metadata": {}, "output_type": "display_data" }, { "data": { "text/html": [ "
The following configuration errors were found:
-----------------------------------------------
Missing or empty 'AzureSentinel' section

The following configuration warnings were found:
-------------------------------------------------
'TIProviders' section has no settings.

" ], "text/plain": [ "" ] }, "metadata": {}, "output_type": "display_data" }, { "data": { "text/html": [ "Setting notebook options....
" ], "text/plain": [ "" ] }, "metadata": {}, "output_type": "display_data" }, { "data": { "text/html": [ "

Notebook initialization complete

" ], "text/plain": [ "" ] }, "metadata": {}, "output_type": "display_data" } ], "source": [ "from pathlib import Path\r\n", "from IPython.display import display, HTML\r\n", "\r\n", "REQ_PYTHON_VER=\"3.6\"\r\n", "REQ_MSTICPY_VER=\"1.4.2\"\r\n", "\r\n", "# If not using Azure Notebooks, install msticpy with\r\n", "# !pip install msticpy\r\n", "\r\n", "extra_imports = []\r\n", "# Usually there is no advantage to using nbinit to do your imports - just import them\r\n", "# as normal. \"init_notebook\" imports a few standard packages (pandas, numpy, etc)\r\n", "# and several common msticpy modules and classes.\r\n", "# If you really want to use this mechanism the syntax is as follows:\r\n", "# Each line is a string:\r\n", "# - if just importing a module (e.g. \"re\"), just the name is enough\r\n", "# - if importing an item from a module (e.g. from datetime import timedelta)\r\n", "# the string would be \"datetime, delta\"\r\n", "# - if you want to import and alias something (e.g. import pandas as pd) us\r\n", "# \"source_mod, , alias\" (note you need the extra comma)\r\n", "# - if you're importing an object from a module and want to alias it (e.g.\r\n", "# from datetime import timedelta as td - use \"datetime, timedelta, td\"\r\n", "# extra_imports = [\r\n", "# \"module.src [,target] [,alias\",\r\n", "# \"pandas, , pd\",\r\n", "# \"bokeh.plotting, show\"\r\n", "# ]\r\n", "\r\n", "additional_packages = []\r\n", "# specify the name of the package to install. It will not be installed if it\r\n", "# is already. You can provide a package specification - e.g. pkg==version,\r\n", "# as shown below\r\n", "# additional_packages = [\"seaborn\", \"another_pkg>=1.2.0\"]\r\n", "\r\n", "from msticpy.nbtools import nbinit\r\n", "nbinit.init_notebook(\r\n", " namespace=globals(),\r\n", " extra_imports=extra_imports,\r\n", " additional_packages=additional_packages,\r\n", ");\r\n" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "[Contents](#toc)\n", "### Get WorkspaceId and Authenticate to Log Analytics \n", "\n", "If you are using user/device authentication (the default), run the following cell. \n", "- Click the 'Copy code to clipboard and authenticate' button.\n", "- This will pop up an Azure Active Directory authentication dialog (in a new tab or browser window).\n", " The device code will have been copied to the clipboard. \n", "- Select the text box and paste (Ctrl-V/Cmd-V) the copied value. \n", "- You should then be redirected to a user authentication page where you should \n", " authenticate with a user account that has permission to query your Log Analytics workspace.\n", "\n", "
\n", " Using an AppID and App Secret\n", "Use the following syntax if you are authenticating using an Azure Active Directory AppId and Secret:
\n", "
\n",
    "connect_str = \"loganalytics://tenant(TENANT_ID).workspace(WORKSPACE_ID).clientid(client_id).clientsecret(client_secret)\"\n",
    "qry_prov.connect(connect_str)\n",
    "
\n", "instead of
\n", "
\n",
    "qry_prov.connect(ws_config)\n",
    "
\n", "\n", "To find your Workspace Id go to\n", "[Azure Sentinel Workspaces](https://ms.portal.azure.com/#blade/HubsExtension/Resources/resourceType/Microsoft.OperationalInsights%2Fworkspaces).\n", "Look at the workspace properties to find the ID.\n", "
" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "# List Workspaces available\r\n", "# WorkspaceConfig().list_workspaces()\r\n", "\r\n", "# To use a specific workspace create a WorkspaceConfig using the\r\n", "# workspace parameter\r\n", "# ws_config = WorkspaceConfig(workspace='MyWorkspace')" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "# See if we have an Azure Sentinel Workspace defined in our config file.\r\n", "# If not, let the user specify Workspace and Tenant IDs\r\n", "\r\n", "ws_config = WorkspaceConfig()\r\n", "if not ws_config.config_loaded:\r\n", " ws_config.prompt_for_ws()\r\n", " \r\n", "qry_prov = QueryProvider(data_environment=\"AzureSentinel\")\r\n", "print(\"done\")\r\n" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "# Authenticate to Azure Sentinel workspace\r\n", "qry_prov.connect(ws_config)" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "query_scope = nbwidgets.QueryTime(auto_display=True)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Example query" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "qry_prov.SecurityAlert.list_alerts(query_scope)" ] } ], "metadata": { "hide_input": false, "kernel_info": { "name": "python38-azureml" }, "kernelspec": { "display_name": "Python 3.8 - AzureML", "language": "python", "name": "python38-azureml" }, "language_info": { "codemirror_mode": { "name": "ipython", "version": 3 }, "file_extension": ".py", "mimetype": "text/x-python", "name": "python", "nbconvert_exporter": "python", "pygments_lexer": "ipython3", "version": "3.7.10" }, "latex_envs": { "LaTeX_envs_menu_present": true, "autoclose": false, "autocomplete": true, "bibliofile": "biblio.bib", "cite_by": "apalike", "current_citInitial": 1, "eqLabelWithNumbers": true, "eqNumInitial": 1, "hotkeys": { "equation": "Ctrl-E", "itemize": "Ctrl-I" }, "labels_anchors": false, "latex_user_defs": false, "report_style_numbering": false, "user_envs_cfg": false }, "nteract": { "version": "nteract-front-end@1.0.0" }, "toc": { "base_numbering": 1, "nav_menu": {}, "number_sections": false, "sideBar": true, "skip_h1_title": false, "title_cell": "Table of Contents", "title_sidebar": "Contents", "toc_cell": true, "toc_position": {}, "toc_section_display": true, "toc_window_display": true }, "varInspector": { "cols": { "lenName": 16, "lenType": 16, "lenVar": 40 }, "kernels_config": { "python": { "delete_cmd_postfix": "", "delete_cmd_prefix": "del ", "library": "var_list.py", "varRefreshCmd": "print(var_dic_list())" }, "r": { "delete_cmd_postfix": ") ", "delete_cmd_prefix": "rm(", "library": "var_list.r", "varRefreshCmd": "cat(var_dic_list()) " } }, "types_to_exclude": [ "module", "function", "builtin_function_or_method", "instance", "_Feature" ], "window_display": false }, "widgets": { "application/vnd.jupyter.widget-state+json": { "state": {}, "version_major": 2, "version_minor": 0 } } }, "nbformat": 4, "nbformat_minor": 4 }