" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "# Example Alert Triage Notebook\n", "\n", "**Notebook Version:** 1.0
\n", "**Python Version:** Python 3.6 (including Python 3.6 - AzureML)
\n", "**Data Sources Required:** SecurityAlerts
\n", "\n", " \n", "This Notebook assists analysts in triage Alerts within Azure Sentinel by enriching them with Threat Intelligence and OSINT data. This purpose it to allow analysts to quickly triage a large number of alerts and identify those to focus investigation on.\n", "\n", "**How to use:**
\n", "Run the cells in this Notebook in order, at various points in the Notebook flow you will be prompted to enter or select options relevant to the scope of your triage.
\n", "This Notebook presumes you have Azure Sentinel Workspace settings and Threat Intelligence providers configured in a config file. If you do not have this in place please refer https://msticpy.readthedocs.io/en/latest/getting_started/msticpyconfig.html# to https://github.com/Azure/Azure-Sentinel-Notebooks/blob/master/ConfiguringNotebookEnvironment.ipynb and to set this up." ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Notebook Setup\n", "\n", "If this is your first time running this Notebook please run the cell below before proceeding to ensure you have the required packages installed correctly. ### Notebook Setup

If this is your first time running this Notebook please run the cell below before proceeding to ensure you have the required packages installed correctly. Please note you need to have auth details for each provider in order for this to operate. ### Select the alert types you are interested in:

You can choose to select a subset of alerts based on provider in order to narrow your triage scope. You can also select "All" to return security alerts from all providers. Once a provider is selected you can additionally filter by Alert Name in order to focus on a specific alert type. You can also select \"All\" to return security alerts from all providers. ### Pick an Alert to Examine

We can drill down into a specific alert by selecting it from the list below. This will return additional details on the alert as well as details of any threat intelligence matches. ### Alerts Timeline
The cell below displays a timeline of the alerts you are triaging, with the selected alert highlighted in order to provide context on the alert.

### Next Steps

Now that we have selected an alert of interest and triage key details we need to identify next investigative steps. The cell below identifies and extracts key entities from the selected alert. It provides additional enrichment to them using OSINT and based on their type recommends an additional Notebook to run for further investigation based on the Notebooks available at https://github.com/Azure/Azure-Sentinel-Notebooks/ or via the Azure Sentinel portal. # Based on the extracted entity enrich it with OSINT
def enhance(row):
    if row['Type'] == "ipaddress":
        return whois_desc(row['Entity'])
    elif row['Type'] == "host":
        return host_sum(row['Entity'])
    elif row['Type'] == "url":
        return whois_url(row['Entity'])
    
# If entity is a hostname, get key details of the host.
def host_sum(host):
    hb_q = f"Heartbeat | where TimeGenerated > datetime({query_times.start}) and TimeGenerated < datetime({query_times.end}) | where Computer == '{host}' | take 1"
    hb = qry_prov.exec_query(hb_q)
    if not hb.empty:
        hb_str = f"{host} - {hb['ComputerIP'][0]} - {hb['OSType'][0]} - {hb['ComputerEnvironment'][0]}"
    else:
        hb_str = "No host heartbeat"
    return hb_str
    
# If entity is IP address work out what type of address it is and if a public IP address get ASN name.
def whois_desc(ip_lookup, progress=False):
    try:
        ip = ip_address(ip_lookup)
    except ValueError:
        return "Not an IP Address"
    if ip.is_private:
        return "Private address space"
    if not ip.is_global:
        return "Other address space"
    ip_whois = IPWhois(ip)
    whois_result = ip_whois.lookup_whois()
    return whois_result["asn_description"]
    
# If entity is a URL get the name of the organisation that registered the domain.
def whois_url(url):
    _, domain,tld = tldextract.extract(url)
    wis = whois.whois(f"{domain}.{tld}")
    return wis['org']
    
# Based on the entity type suggest a Notebook for future investigation.
def notebook_suggestor(row):
    if row['Type'] in notebooks.keys():
        return notebooks[row['Type']]
    else:
        return "Write your own Notebook" 

notebooks = {"ipaddress" : "Entity Explorer - IP Address",
             "host" : "Entity Explorer - Linux Host/Windows Host",
             "account" : "Entity Explorer - Account",
             "url" : "Entity Explorer - Domain and URL"} The cell below identifies and extracts key entities from the selected alert. It provides additional enrichment to them using OSINT and based on their type recommends an additional Notebook to run for further investigation based on the Notebooks available at https://github.com/Azure/Azure-Sentinel-Notebooks/ or via the Azure Sentinel portal." ] }, { "cell_type": "code", "execution_count": null, "metadata": { "ExecuteTime": { "end_time": "2020-03-20T17:28:11.183976Z", "start_time": "2020-03-20T17:28:11.165977Z" } }, "outputs": [], "source": [ "from ipwhois import IPWhois\n", "import whois\n", "from ipaddress import ip_address\n", "import tldextract\n", "\n", "# Based on the extracted entity enrich it with OSINT\n", "def enhance(row):\n", " if row['Type'] == \"ipaddress\":\n", " return whois_desc(row['Entity'])\n", " elif row['Type'] == \"host\":\n", " return host_sum(row['Entity'])\n", " elif row['Type'] == \"url\":\n", " return whois_url(row['Entity'])\n", " \n", "# If entity is a hostname, get key details of the host.\n", "def host_sum(host):\n", " hb_q = f\"Heartbeat | where TimeGenerated > datetime({query_times.start}) and TimeGenerated < datetime({query_times.end}) | where Computer == '{host}' | take 1\"\n", " hb = qry_prov.exec_query(hb_q)\n", " if not hb.empty:\n", " hb_str = f\"{host} - {hb['ComputerIP'][0]} - {hb['OSType'][0]} - {hb['ComputerEnvironment'][0]}\"\n", " else:\n", " hb_str = \"No host heartbeat\"\n", " return hb_str\n", " \n", "# If entity is IP address work out what type of address it is and if a public IP address get ASN name.\n", "def whois_desc(ip_lookup, progress=False):\n", " try:\n", " ip = ip_address(ip_lookup)\n", " except ValueError:\n", " return \"Not an IP Address\"\n", " if ip.is_private:\n", " return \"Private address space\"\n", " if not ip.is_global:\n", " return \"Other address space\"\n", " ip_whois = IPWhois(ip)\n", " whois_result = ip_whois.lookup_whois()\n", " return whois_result[\"asn_description\"]\n", " \n", "# If entity is a URL get the name of the organisation that registered the domain.\n", "def whois_url(url):\n", " _, domain,tld = tldextract.extract(url)\n", " wis = whois.whois(f\"{domain}.{tld}\")\n", " return wis['org']\n", " \n", "# Based on the entity type suggest a Notebook for future investigation.\n", "def notebook_suggestor(row):\n", " if row['Type'] in notebooks.keys():\n", " return notebooks[row['Type']]\n", " else:\n", " return \"Write your own Notebook\" \n", "\n", "notebooks = {\"ipaddress\" : \"Entity Explorer - IP Address\",\n", " \"host\" : \"Entity Explorer - Linux Host/Windows Host\",\n", " \"account\" : \"Entity Explorer - Account\",\n", " \"url\" : \"Entity Explorer - Domain and URL\"}\n", " \n", "md('Entities for further investigation:', 'bold')\n", "ents = security_alert.get_all_entities()\n", "if not ents.empty:\n", " ents['Notebook'] = ents.apply(notebook_suggestor, axis=1)\n", " ents['Enrichment'] = ents.apply(enhance, axis=1)\n", " display(ents.style.hide_index())\n", "\n", " # Save entity details into our summary.\n", " entities = Observation(caption=\"Entities for further investigation\", data=ents)\n", " summary.add_observation(entities)\n", "else:\n", " md('No entities found in this alert')" ] }, { "cell_type": "code", "execution_count": null, "metadata": { "ExecuteTime": { "end_time": "2020-03-20T17:28:11.192978Z", "start_time": "2020-03-20T17:28:11.187980Z" } }, "outputs": [], "source": [ "#Uncomment the line below to see a summary of this Notebook's output\n", "#summary.display_observations()" ] } ], "metadata": { "hide_input": false, "kernelspec": { "display_name": "Python 3.6", "language": "python", "name": "python36" }, "language_info": { "codemirror_mode": { "name": "ipython", "version": 3 }, "file_extension": ".py", "mimetype": "text/x-python", "name": "python", "nbconvert_exporter": "python", "pygments_lexer": "ipython3", "version": "3.6.7" }, "latex_envs": { "LaTeX_envs_menu_present": true, "autoclose": false, "autocomplete": true, "bibliofile": "biblio.bib", "cite_by": "apalike", "current_citInitial": 1, "eqLabelWithNumbers": true, "eqNumInitial": 1, "hotkeys": { "equation": "Ctrl-E", "itemize": "Ctrl-I" }, "labels_anchors": false, "latex_user_defs": false, "report_style_numbering": false, "user_envs_cfg": false }, "toc": { "base_numbering": 1, "nav_menu": {}, "number_sections": false, "sideBar": true, "skip_h1_title": false, "title_cell": "Table of Contents", "title_sidebar": "Contents", "toc_cell": true, "toc_position": {}, "toc_section_display": true, "toc_window_display": false }, "varInspector": { "cols": { "lenName": 16, "lenType": 16, "lenVar": 40 }, "kernels_config": { "python": { "delete_cmd_postfix": "", "delete_cmd_prefix": "del ", "library": "var_list.py", "varRefreshCmd": "print(var_dic_list())" }, "r": { "delete_cmd_postfix": ") ", "delete_cmd_prefix": "rm(", "library": "var_list.r", "varRefreshCmd": "cat(var_dic_list()) " } }, "types_to_exclude": [ "module", "function", "builtin_function_or_method", "instance", "_Feature" ], "window_display": false }, "widgets": { "application/vnd.jupyter.widget-state+json": { "state": {}, "version_major": 2, "version_minor": 0 } } }, "nbformat": 4, "nbformat_minor": 4 }