{ "cells": [ { "cell_type": "markdown", "metadata": { "toc": true }, "source": [ "

Table of Contents

\n", "
" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "# Azure Sentinel API Calls\n", "\n", "MSTICpy versions > 0.8.5\n", "\n", "### Description\n", "\n", "This Notebook provides an example of using the Azure Sentinel API features of MSTICpy in order retrieve specific data from Azure Sentinel\n", "\n", "### Installation and imports" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "!pip install --upgrade msticpy[azsentinel]" ] }, { "cell_type": "code", "execution_count": 1, "metadata": { "ExecuteTime": { "end_time": "2020-10-28T00:46:14.769939Z", "start_time": "2020-10-28T00:46:12.006888Z" } }, "outputs": [], "source": [ "from msticpy.data.azure_sentinel import AzureSentinel\n", "import msticpy.nbtools.nbwidgets as widgets\n", "from msticpy.data import data_obfus as mask" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Authentication\n", "The first step to be able to use the features is to call the AzureSentinel class and connect to it. Authentication uses the standardized Azure authentication options of using environment variables, Azure CLI credentials, Managed Identities, and interactive logons." ] }, { "cell_type": "code", "execution_count": 2, "metadata": { "ExecuteTime": { "end_time": "2020-10-28T00:46:21.283503Z", "start_time": "2020-10-28T00:46:16.357954Z" } }, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Attempting to sign-in with environment variable credentials...\n" ] } ], "source": [ "azs = AzureSentinel()\n", "azs.connect()" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "Once connected we need to select an Azure Sentinel workspace to get details from. The easies way to do this is with the get_subscriptions() and get_sentinel_workspaces() functions to select the subscription and workspace you with to connect to. If you already know which workspace you wish to connect to you can skip straight to the other functions and enter these details." ] }, { "cell_type": "code", "execution_count": 3, "metadata": { "ExecuteTime": { "end_time": "2020-10-28T01:39:48.623598Z", "start_time": "2020-10-28T01:39:48.258598Z" } }, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Attempting to sign-in with environment variable credentials...\n", "obfuscating columns:\n", "Display Name, \n", "done\n", "Select a subscription:\n" ] }, { "data": { "application/vnd.jupyter.widget-view+json": { "model_id": "830b967ed650424692fa54a55234a9a9", "version_major": 2, "version_minor": 0 }, "text/plain": [ "VBox(children=(Text(value='', description='Filter:', style=DescriptionStyle(description_width='initial')), Sel…" ] }, "metadata": {}, "output_type": "display_data" }, { "data": { "text/html": [ "
" ], "text/plain": [ "" ] }, "metadata": {}, "output_type": "display_data" } ], "source": [ "# Query for our subscriptions\n", "subs = azs.get_subscriptions()\n", "subs = subs.mp_obf.obfuscate(column_map={\"Display Name\": \"str\"})\n", "\n", "# Display subscriptions (masked names) in a pick list\n", "print(\"Select a subscription:\")\n", "sub = widgets.SelectItem(\n", " item_list=subs['Display Name'].to_list(),\n", " auto_display=True\n", ")" ] }, { "cell_type": "code", "execution_count": 4, "metadata": { "ExecuteTime": { "end_time": "2020-10-28T01:44:53.170848Z", "start_time": "2020-10-28T01:44:47.548676Z" } }, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Finding Azure Sentinel Workspaces...\n", "Attempting to sign-in with environment variable credentials...\n", "Select an Azure Sentinel Workspace:\n" ] }, { "data": { "application/vnd.jupyter.widget-view+json": { "model_id": "c24a0d08d4614340907a64b1039eadf6", "version_major": 2, "version_minor": 0 }, "text/plain": [ "VBox(children=(Text(value='', description='Filter:', style=DescriptionStyle(description_width='initial')), Sel…" ] }, "metadata": {}, "output_type": "display_data" }, { "data": { "text/html": [ "
" ], "text/plain": [ "" ] }, "metadata": {}, "output_type": "display_data" } ], "source": [ "# Get the subscription ID\n", "sub_id = subs[subs['Display Name'] == sub.value].iloc[0]['Subscription ID']\n", "# Query for workspaces in that subscription\n", "workspaces = azs.get_sentinel_workspaces(sub_id = sub_id)\n", "# Display workspaces in a list\n", "print(\"Select an Azure Sentinel Workspace:\")\n", "ws = widgets.SelectItem(\n", " item_dict=workspaces,\n", " auto_display=True\n", ")" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "Now that we have selected our workspace we can call various functions to get details about content in the workspace. These are typically returned as DataFrames. Below we get a list of hunting queries configured in our workspace." ] }, { "cell_type": "code", "execution_count": 5, "metadata": { "ExecuteTime": { "end_time": "2020-10-28T01:45:10.962506Z", "start_time": "2020-10-28T01:45:09.792474Z" } }, "outputs": [ { "data": { "text/html": [ "
\n", "\n", "\n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", "
typeproperties.Categoryproperties.DisplayNameproperties.Queryproperties.Versionproperties.Tagsproperties.FunctionAliasproperties.FunctionParameters
2Microsoft.OperationalInsights/savedSearchesHunting QueriesPowershellSecurityEvent\\r\\n| where ParentProcessName con...2NaNNaNNaN
5Microsoft.OperationalInsights/savedSearchesHunting QueriesAnomalous AAD Account Creation\\nBehaviorAnalytics\\n| where ActionType == \"Ad...2[{'Name': 'description', 'Value': ''}, {'Name'...NaNNaN
7Microsoft.OperationalInsights/savedSearchesHunting QueriesEntropy for Processes for a given Host\\n// May need to reduce the number of days if ...2[{'Name': 'description', 'Value': ''}, {'Name'...NaNNaN
9Microsoft.OperationalInsights/savedSearchesHunting QueriesRareDNSLookupWithDataTransfer\\nlet lookbackint = 7;\\nlet lookupThreshold = ...2[{'Name': 'description', 'Value': ''}, {'Name'...NaNNaN
12Microsoft.OperationalInsights/savedSearchesHunting QueriesLeast Common Processes by Command Line\\nlet Allowlist = dynamic (['foo.exe', 'baz.ex...2[{'Name': 'description', 'Value': ''}, {'Name'...NaNNaN
\n", "
" ], "text/plain": [ " type properties.Category \\\n", "2 Microsoft.OperationalInsights/savedSearches Hunting Queries \n", "5 Microsoft.OperationalInsights/savedSearches Hunting Queries \n", "7 Microsoft.OperationalInsights/savedSearches Hunting Queries \n", "9 Microsoft.OperationalInsights/savedSearches Hunting Queries \n", "12 Microsoft.OperationalInsights/savedSearches Hunting Queries \n", "\n", " properties.DisplayName \\\n", "2 Powershell \n", "5 Anomalous AAD Account Creation \n", "7 Entropy for Processes for a given Host \n", "9 RareDNSLookupWithDataTransfer \n", "12 Least Common Processes by Command Line \n", "\n", " properties.Query properties.Version \\\n", "2 SecurityEvent\\r\\n| where ParentProcessName con... 2 \n", "5 \\nBehaviorAnalytics\\n| where ActionType == \"Ad... 2 \n", "7 \\n// May need to reduce the number of days if ... 2 \n", "9 \\nlet lookbackint = 7;\\nlet lookupThreshold = ... 2 \n", "12 \\nlet Allowlist = dynamic (['foo.exe', 'baz.ex... 2 \n", "\n", " properties.Tags \\\n", "2 NaN \n", "5 [{'Name': 'description', 'Value': ''}, {'Name'... \n", "7 [{'Name': 'description', 'Value': ''}, {'Name'... \n", "9 [{'Name': 'description', 'Value': ''}, {'Name'... \n", "12 [{'Name': 'description', 'Value': ''}, {'Name'... \n", "\n", " properties.FunctionAlias properties.FunctionParameters \n", "2 NaN NaN \n", "5 NaN NaN \n", "7 NaN NaN \n", "9 NaN NaN \n", "12 NaN NaN " ] }, "execution_count": 5, "metadata": {}, "output_type": "execute_result" } ], "source": [ "queries = azs.get_hunting_queries(ws.value)\n", "queries.head().drop(columns=[\"id\", \"etag\", \"name\"])" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "Hunting queries return the raw queries associated with them, this allows us to pass the query directly to a QueryProvider in order to get the results of the hunting query within the notebook." ] }, { "cell_type": "code", "execution_count": 13, "metadata": { "ExecuteTime": { "end_time": "2020-10-28T00:52:19.961283Z", "start_time": "2020-10-28T00:52:16.730666Z" } }, "outputs": [ { "data": { "application/javascript": [ "try {IPython.notebook.kernel.execute(\"NOTEBOOK_URL = '\" + window.location + \"'\");} catch(err) {;}" ], "text/plain": [ "" ] }, "metadata": {}, "output_type": "display_data" }, { "data": { "application/javascript": [ "try {IPython.notebook.kernel.execute(\"NOTEBOOK_URL = '\" + window.location + \"'\");} catch(err) {;}" ], "text/plain": [ "" ] }, "metadata": {}, "output_type": "display_data" }, { "data": { "application/javascript": [ "try {IPython.notebook.kernel.execute(\"NOTEBOOK_URL = '\" + window.location + \"'\");} catch(err) {;}" ], "text/plain": [ "" ] }, "metadata": {}, "output_type": "display_data" }, { "data": { "text/html": [ "
\n", "\n", "\n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", "
TimeGeneratedEventIDComputerSubjectUserSidAccountWeightAdjustedProcessEntropyFullDecimalProcessEntropyProcessNewProcessNameCommandLineParentProcessNameTotalProcessCountOnHostProcessCountOnHostDistinctComputersWithProcessCounttimestampHostCustomEntityAccountCustomEntity
02020-11-21 21:18:51.317000+00:004688WinAttackSimS-1-5-18WORKGROUP\\WinAttackSim$10.74336110.7433610.001074Defrag.exeC:\\Windows\\System32\\Defrag.exeC:\\windows\\system32\\defrag.exe -c -h -k -g -$C:\\Windows\\System32\\svchost.exe12688112020-11-21 21:18:51.317000+00:00WinAttackSimWORKGROUP\\WinAttackSim$
12020-11-23 01:31:49.930000+00:004688WinAttackSimS-1-5-18WORKGROUP\\WinAttackSim$10.74336110.7433610.001074SppExtComObj.ExeC:\\Windows\\System32\\SppExtComObj.ExeC:\\windows\\system32\\SppExtComObj.exe -EmbeddingC:\\Windows\\System32\\svchost.exe12688112020-11-23 01:31:49.930000+00:00WinAttackSimWORKGROUP\\WinAttackSim$
22020-11-20 17:18:36.960000+00:004688WinAttackSimS-1-5-18WORKGROUP\\WinAttackSim$10.74336110.7433610.001074makecab.exeC:\\Windows\\System32\\makecab.exe\"C:\\windows\\system32\\makecab.exe\" C:\\windows\\L...C:\\Windows\\WinSxS\\amd64_microsoft-windows-serv...12688112020-11-20 17:18:36.960000+00:00WinAttackSimWORKGROUP\\WinAttackSim$
32020-11-21 21:18:51.303000+00:004688WinAttackSimS-1-5-18WORKGROUP\\WinAttackSim$10.74336110.7433610.001074rundll32.exeC:\\Windows\\System32\\rundll32.exeC:\\windows\\system32\\rundll32.exe Windows.Stora...C:\\Windows\\System32\\svchost.exe12688112020-11-21 21:18:51.303000+00:00WinAttackSimWORKGROUP\\WinAttackSim$
42020-11-21 21:18:51.310000+00:004688WinAttackSimS-1-5-18WORKGROUP\\WinAttackSim$10.74336110.7433610.001074tzsync.exeC:\\Windows\\System32\\tzsync.exeC:\\windows\\system32\\tzsync.exeC:\\Windows\\System32\\svchost.exe12688112020-11-21 21:18:51.310000+00:00WinAttackSimWORKGROUP\\WinAttackSim$
52020-11-18 01:18:36.913000+00:004688WinAttackSimS-1-5-18WORKGROUP\\WinAttackSim$39.82086119.9104300.001991lpremove.exeC:\\Windows\\System32\\lpremove.exeC:\\windows\\system32\\lpremove.exeC:\\Windows\\System32\\svchost.exe12688212020-11-18 01:18:36.913000+00:00WinAttackSimWORKGROUP\\WinAttackSim$
62020-11-21 03:18:49.223000+00:004688WinAttackSimS-1-5-18WORKGROUP\\WinAttackSim$39.82086119.9104300.001991lpremove.exeC:\\Windows\\System32\\lpremove.exeC:\\windows\\system32\\lpremove.exeC:\\Windows\\System32\\svchost.exe12688212020-11-21 03:18:49.223000+00:00WinAttackSimWORKGROUP\\WinAttackSim$
72020-11-23 01:31:49.957000+00:004688WinAttackSimS-1-5-20WORKGROUP\\WinAttackSim$39.82086119.9104300.001991slui.exeC:\\Windows\\System32\\slui.exe\"C:\\windows\\System32\\SLUI.exe\" RuleId=502ff3ba...C:\\Windows\\System32\\SppExtComObj.Exe12688212020-11-23 01:31:49.957000+00:00WinAttackSimWORKGROUP\\WinAttackSim$
82020-11-23 01:31:54.340000+00:004688WinAttackSimS-1-5-20WORKGROUP\\WinAttackSim$39.82086119.9104300.001991slui.exeC:\\Windows\\System32\\slui.exe\"C:\\windows\\System32\\SLUI.exe\" RuleId=379cccfb...C:\\Windows\\System32\\SppExtComObj.Exe12688212020-11-23 01:31:54.340000+00:00WinAttackSimWORKGROUP\\WinAttackSim$
\n", "
" ], "text/plain": [ " TimeGenerated EventID Computer SubjectUserSid \\\n", "0 2020-11-21 21:18:51.317000+00:00 4688 WinAttackSim S-1-5-18 \n", "1 2020-11-23 01:31:49.930000+00:00 4688 WinAttackSim S-1-5-18 \n", "2 2020-11-20 17:18:36.960000+00:00 4688 WinAttackSim S-1-5-18 \n", "3 2020-11-21 21:18:51.303000+00:00 4688 WinAttackSim S-1-5-18 \n", "4 2020-11-21 21:18:51.310000+00:00 4688 WinAttackSim S-1-5-18 \n", "5 2020-11-18 01:18:36.913000+00:00 4688 WinAttackSim S-1-5-18 \n", "6 2020-11-21 03:18:49.223000+00:00 4688 WinAttackSim S-1-5-18 \n", "7 2020-11-23 01:31:49.957000+00:00 4688 WinAttackSim S-1-5-20 \n", "8 2020-11-23 01:31:54.340000+00:00 4688 WinAttackSim S-1-5-20 \n", "\n", " Account Weight AdjustedProcessEntropy \\\n", "0 WORKGROUP\\WinAttackSim$ 10.743361 10.743361 \n", "1 WORKGROUP\\WinAttackSim$ 10.743361 10.743361 \n", "2 WORKGROUP\\WinAttackSim$ 10.743361 10.743361 \n", "3 WORKGROUP\\WinAttackSim$ 10.743361 10.743361 \n", "4 WORKGROUP\\WinAttackSim$ 10.743361 10.743361 \n", "5 WORKGROUP\\WinAttackSim$ 39.820861 19.910430 \n", "6 WORKGROUP\\WinAttackSim$ 39.820861 19.910430 \n", "7 WORKGROUP\\WinAttackSim$ 39.820861 19.910430 \n", "8 WORKGROUP\\WinAttackSim$ 39.820861 19.910430 \n", "\n", " FullDecimalProcessEntropy Process \\\n", "0 0.001074 Defrag.exe \n", "1 0.001074 SppExtComObj.Exe \n", "2 0.001074 makecab.exe \n", "3 0.001074 rundll32.exe \n", "4 0.001074 tzsync.exe \n", "5 0.001991 lpremove.exe \n", "6 0.001991 lpremove.exe \n", "7 0.001991 slui.exe \n", "8 0.001991 slui.exe \n", "\n", " NewProcessName \\\n", "0 C:\\Windows\\System32\\Defrag.exe \n", "1 C:\\Windows\\System32\\SppExtComObj.Exe \n", "2 C:\\Windows\\System32\\makecab.exe \n", "3 C:\\Windows\\System32\\rundll32.exe \n", "4 C:\\Windows\\System32\\tzsync.exe \n", "5 C:\\Windows\\System32\\lpremove.exe \n", "6 C:\\Windows\\System32\\lpremove.exe \n", "7 C:\\Windows\\System32\\slui.exe \n", "8 C:\\Windows\\System32\\slui.exe \n", "\n", " CommandLine \\\n", "0 C:\\windows\\system32\\defrag.exe -c -h -k -g -$ \n", "1 C:\\windows\\system32\\SppExtComObj.exe -Embedding \n", "2 \"C:\\windows\\system32\\makecab.exe\" C:\\windows\\L... \n", "3 C:\\windows\\system32\\rundll32.exe Windows.Stora... \n", "4 C:\\windows\\system32\\tzsync.exe \n", "5 C:\\windows\\system32\\lpremove.exe \n", "6 C:\\windows\\system32\\lpremove.exe \n", "7 \"C:\\windows\\System32\\SLUI.exe\" RuleId=502ff3ba... \n", "8 \"C:\\windows\\System32\\SLUI.exe\" RuleId=379cccfb... \n", "\n", " ParentProcessName TotalProcessCountOnHost \\\n", "0 C:\\Windows\\System32\\svchost.exe 12688 \n", "1 C:\\Windows\\System32\\svchost.exe 12688 \n", "2 C:\\Windows\\WinSxS\\amd64_microsoft-windows-serv... 12688 \n", "3 C:\\Windows\\System32\\svchost.exe 12688 \n", "4 C:\\Windows\\System32\\svchost.exe 12688 \n", "5 C:\\Windows\\System32\\svchost.exe 12688 \n", "6 C:\\Windows\\System32\\svchost.exe 12688 \n", "7 C:\\Windows\\System32\\SppExtComObj.Exe 12688 \n", "8 C:\\Windows\\System32\\SppExtComObj.Exe 12688 \n", "\n", " ProcessCountOnHost DistinctComputersWithProcessCount \\\n", "0 1 1 \n", "1 1 1 \n", "2 1 1 \n", "3 1 1 \n", "4 1 1 \n", "5 2 1 \n", "6 2 1 \n", "7 2 1 \n", "8 2 1 \n", "\n", " timestamp HostCustomEntity AccountCustomEntity \n", "0 2020-11-21 21:18:51.317000+00:00 WinAttackSim WORKGROUP\\WinAttackSim$ \n", "1 2020-11-23 01:31:49.930000+00:00 WinAttackSim WORKGROUP\\WinAttackSim$ \n", "2 2020-11-20 17:18:36.960000+00:00 WinAttackSim WORKGROUP\\WinAttackSim$ \n", "3 2020-11-21 21:18:51.303000+00:00 WinAttackSim WORKGROUP\\WinAttackSim$ \n", "4 2020-11-21 21:18:51.310000+00:00 WinAttackSim WORKGROUP\\WinAttackSim$ \n", "5 2020-11-18 01:18:36.913000+00:00 WinAttackSim WORKGROUP\\WinAttackSim$ \n", "6 2020-11-21 03:18:49.223000+00:00 WinAttackSim WORKGROUP\\WinAttackSim$ \n", "7 2020-11-23 01:31:49.957000+00:00 WinAttackSim WORKGROUP\\WinAttackSim$ \n", "8 2020-11-23 01:31:54.340000+00:00 WinAttackSim WORKGROUP\\WinAttackSim$ " ] }, "execution_count": 13, "metadata": {}, "output_type": "execute_result" } ], "source": [ "from msticpy.data.data_providers import QueryProvider\n", "from msticpy.common.wsconfig import WorkspaceConfig\n", "qry_prov = QueryProvider('LogAnalytics')\n", "wkspace = WorkspaceConfig()\n", "qry_prov.connect(wkspace.code_connect_str)\n", "qry_prov.exec_query(queries['properties.Query'].iloc[2])" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "We can also get a list of configured alert rules:" ] }, { "cell_type": "code", "execution_count": 14, "metadata": { "ExecuteTime": { "end_time": "2020-10-28T00:50:07.155005Z", "start_time": "2020-10-28T00:50:06.191005Z" } }, "outputs": [ { "data": { "text/html": [ "
\n", "\n", "\n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", "
typekindproperties.severityproperties.queryproperties.queryFrequencyproperties.queryPeriodproperties.triggerOperatorproperties.triggerThresholdproperties.suppressionDurationproperties.suppressionEnabled...properties.descriptionproperties.tacticsproperties.alertRuleTemplateNameproperties.lastModifiedUtcproperties.customFields.Filenameproperties.customFields.Reasonproperties.productFilterproperties.severitiesFilterproperties.displayNamesFilterproperties.displayNamesExcludeFilter
0Microsoft.SecurityInsights/alertRulesScheduledMediumlet failureCountThreshold = 5;\\nlet successCou...P1DP1DGreaterThan0.0PT5HFalse...Identifies evidence of brute force activity ag...[CredentialAccess]28b42356-45af-40a6-a0b4-a554cdfd5d8a2020-11-17T08:15:49.636781ZNaNNaNNaNNaNNaNNaN
1Microsoft.SecurityInsights/alertRulesScheduledMediumlet timeframe = 1d;\\n//Set a threshold of fail...P1DP1DGreaterThan0.0PT5HFalse...This query creates a list of IP addresses with...[InitialAccess, CredentialAccess]ba144bf8-75b8-406f-9420-ed74397f94792020-11-11T05:16:14.5036485ZFileNameReasonNaNNaNNaNNaN
2Microsoft.SecurityInsights/alertRulesScheduledMediumlet timeframe = 1d;\\nSecurityEvent\\n| where Ti...P1DP1DGreaterThan0.0PT5HFalse...Checks for event id 1102 which indicates the s...[DefenseEvasion]80da0a8f-cfe1-4cd0-a895-8bc1771a720e2020-11-11T01:46:53.4905768ZNaNNaNNaNNaNNaNNaN
3Microsoft.SecurityInsights/alertRulesScheduledMediumAzureActivity\\n| take 1\\n| extend IPCustomEnti...P1DP14DGreaterThan0.0PT5HFalse...This analytic matches Azure Activity logs to k...[Impact]None2020-11-04T22:43:33.9845152ZNaNNaNNaNNaNNaNNaN
4Microsoft.SecurityInsights/alertRulesScheduledMediumlet timeframe = 1d;\\nSecurityEvent\\n| where Ti...P1DP1DGreaterThan0.0PT5HFalse...Checks for event id 1102 which indicates the s...[DefenseEvasion]80da0a8f-cfe1-4cd0-a895-8bc1771a720e2020-11-11T07:19:24.7658031ZNaNNaNNaNNaNNaNNaN
\n", "

5 rows × 29 columns

\n", "
" ], "text/plain": [ " type kind properties.severity \\\n", "0 Microsoft.SecurityInsights/alertRules Scheduled Medium \n", "1 Microsoft.SecurityInsights/alertRules Scheduled Medium \n", "2 Microsoft.SecurityInsights/alertRules Scheduled Medium \n", "3 Microsoft.SecurityInsights/alertRules Scheduled Medium \n", "4 Microsoft.SecurityInsights/alertRules Scheduled Medium \n", "\n", " properties.query \\\n", "0 let failureCountThreshold = 5;\\nlet successCou... \n", "1 let timeframe = 1d;\\n//Set a threshold of fail... \n", "2 let timeframe = 1d;\\nSecurityEvent\\n| where Ti... \n", "3 AzureActivity\\n| take 1\\n| extend IPCustomEnti... \n", "4 let timeframe = 1d;\\nSecurityEvent\\n| where Ti... \n", "\n", " properties.queryFrequency properties.queryPeriod properties.triggerOperator \\\n", "0 P1D P1D GreaterThan \n", "1 P1D P1D GreaterThan \n", "2 P1D P1D GreaterThan \n", "3 P1D P14D GreaterThan \n", "4 P1D P1D GreaterThan \n", "\n", " properties.triggerThreshold properties.suppressionDuration \\\n", "0 0.0 PT5H \n", "1 0.0 PT5H \n", "2 0.0 PT5H \n", "3 0.0 PT5H \n", "4 0.0 PT5H \n", "\n", " properties.suppressionEnabled ... \\\n", "0 False ... \n", "1 False ... \n", "2 False ... \n", "3 False ... \n", "4 False ... \n", "\n", " properties.description \\\n", "0 Identifies evidence of brute force activity ag... \n", "1 This query creates a list of IP addresses with... \n", "2 Checks for event id 1102 which indicates the s... \n", "3 This analytic matches Azure Activity logs to k... \n", "4 Checks for event id 1102 which indicates the s... \n", "\n", " properties.tactics properties.alertRuleTemplateName \\\n", "0 [CredentialAccess] 28b42356-45af-40a6-a0b4-a554cdfd5d8a \n", "1 [InitialAccess, CredentialAccess] ba144bf8-75b8-406f-9420-ed74397f9479 \n", "2 [DefenseEvasion] 80da0a8f-cfe1-4cd0-a895-8bc1771a720e \n", "3 [Impact] None \n", "4 [DefenseEvasion] 80da0a8f-cfe1-4cd0-a895-8bc1771a720e \n", "\n", " properties.lastModifiedUtc properties.customFields.Filename \\\n", "0 2020-11-17T08:15:49.636781Z NaN \n", "1 2020-11-11T05:16:14.5036485Z FileName \n", "2 2020-11-11T01:46:53.4905768Z NaN \n", "3 2020-11-04T22:43:33.9845152Z NaN \n", "4 2020-11-11T07:19:24.7658031Z NaN \n", "\n", " properties.customFields.Reason properties.productFilter \\\n", "0 NaN NaN \n", "1 Reason NaN \n", "2 NaN NaN \n", "3 NaN NaN \n", "4 NaN NaN \n", "\n", " properties.severitiesFilter properties.displayNamesFilter \\\n", "0 NaN NaN \n", "1 NaN NaN \n", "2 NaN NaN \n", "3 NaN NaN \n", "4 NaN NaN \n", "\n", " properties.displayNamesExcludeFilter \n", "0 NaN \n", "1 NaN \n", "2 NaN \n", "3 NaN \n", "4 NaN \n", "\n", "[5 rows x 29 columns]" ] }, "execution_count": 14, "metadata": {}, "output_type": "execute_result" } ], "source": [ "alert_rules = azs.get_alert_rules(ws.value)\n", "alert_rules.head().drop(columns=[\"id\", \"etag\", \"name\"])" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "We can also get a list of saved bookmarks. To see the events these bookmarks relate to you can pass the query value to a QueryProvider." ] }, { "cell_type": "code", "execution_count": 15, "metadata": { "ExecuteTime": { "end_time": "2020-10-28T00:50:17.332381Z", "start_time": "2020-10-28T00:50:14.780804Z" } }, "outputs": [ { "data": { "text/html": [ "
\n", "\n", "\n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", "
typeproperties.displayNameproperties.createdproperties.updatedproperties.createdBy.objectIdproperties.createdBy.emailproperties.createdBy.nameproperties.updatedBy.objectIdproperties.updatedBy.emailproperties.updatedBy.name...properties.labelsproperties.queryproperties.queryResultproperties.queryStartTimeproperties.queryEndTimeproperties.incidentInfo.incidentIdproperties.incidentInfo.titleproperties.incidentInfo.relationNameproperties.incidentInfo.severityproperties.notes
0Microsoft.SecurityInsights/Bookmarksmercury IP2020-11-18T09:26:54.1605891+00:002020-11-18T09:26:54.1605891+00:00e0139aae-7811-40ca-abc6-3fcb79140a6bTim.Burrell@microsoft.comTim Burrell (MSTIC)e0139aae-7811-40ca-abc6-3fcb79140a6bTim.Burrell@microsoft.comTim Burrell (MSTIC)...[]print \"192.168.15.6\" \\n{\"print_0\":\"192.168.15.6\",\"__entityMapping\":{\"...2020-11-17T09:26:33.557+00:002020-11-18T09:26:33.557+00:00NoneNoneNoneNoneNaN
1Microsoft.SecurityInsights/Bookmarkstest 12020-11-18T15:25:01.1843361+00:002020-11-18T15:25:01.1843361+00:00b3a76793-1a0d-4bfe-95f6-96919d4b9acfbnick@microsoft.comBen Nickb3a76793-1a0d-4bfe-95f6-96919d4b9acfbnick@microsoft.comBen Nick...[fluffyDogCampaign]let auditLookback = 14d;\\n// Setting threshold...{\"InitiatedBy\":\"seb@seccxp.ninja\",\"IpAddress\":...NaNNaNNoneNoneNoneNonethis looks suspicious
2Microsoft.SecurityInsights/Bookmarksfailed logons - decb171c8160 (1)2020-11-19T11:26:31.3053573+00:002020-11-19T11:26:31.3053573+00:00518a3ca6-44f0-4ac7-8179-97d18e48d65cpascals@microsoft.comPascal Sauliere518a3ca6-44f0-4ac7-8179-97d18e48d65cpascals@microsoft.comPascal Sauliere...[]// Event: An account failed to log on\\nSecurit...{\"TenantId\":\"8ecf8077-cf51-4820-aadd-14040956f...NaNNaNNoneNoneNoneNoneNaN
3Microsoft.SecurityInsights/BookmarksRare Audit activity initiated by App - cbade9...2020-11-11T18:39:16.6537628+00:002020-11-11T18:39:16.6537628+00:00f6b78447-93dc-4041-a22a-6eb1c34265e2Umesh.Nagdev@microsoft.comUmesh Nagdevf6b78447-93dc-4041-a22a-6eb1c34265e2Umesh.Nagdev@microsoft.comUmesh Nagdev...[]let current = 1d;\\nlet auditLookback = 14d;\\nl...{\"InitiatedByApp\":\"Microsoft Azure AD Group-Ba...2020-11-10T18:39:01.061+00:002020-11-11T18:39:01.061+00:00NoneNoneNoneNoneNaN
4Microsoft.SecurityInsights/BookmarksThreatIntelligenceIndicator - 4193cb45b90a (2)2020-11-11T16:08:45.6964987+00:002020-11-11T16:08:45.6964987+00:00525c09b5-61ef-4e10-8150-b44c97ead3a1Andrew.Blumhardt@microsoft.comAndrew Blumhardt525c09b5-61ef-4e10-8150-b44c97ead3a1Andrew.Blumhardt@microsoft.comAndrew Blumhardt...[]ThreatIntelligenceIndicator{\"TenantId\":\"8ecf8077-cf51-4820-aadd-14040956f...2020-11-10T16:08:26.089+00:002020-11-11T16:08:26.089+00:00NoneNoneNoneNoneMy Bookmark
\n", "

5 rows × 21 columns

\n", "
" ], "text/plain": [ " type \\\n", "0 Microsoft.SecurityInsights/Bookmarks \n", "1 Microsoft.SecurityInsights/Bookmarks \n", "2 Microsoft.SecurityInsights/Bookmarks \n", "3 Microsoft.SecurityInsights/Bookmarks \n", "4 Microsoft.SecurityInsights/Bookmarks \n", "\n", " properties.displayName \\\n", "0 mercury IP \n", "1 test 1 \n", "2 failed logons - decb171c8160 (1) \n", "3 Rare Audit activity initiated by App - cbade9... \n", "4 ThreatIntelligenceIndicator - 4193cb45b90a (2) \n", "\n", " properties.created properties.updated \\\n", "0 2020-11-18T09:26:54.1605891+00:00 2020-11-18T09:26:54.1605891+00:00 \n", "1 2020-11-18T15:25:01.1843361+00:00 2020-11-18T15:25:01.1843361+00:00 \n", "2 2020-11-19T11:26:31.3053573+00:00 2020-11-19T11:26:31.3053573+00:00 \n", "3 2020-11-11T18:39:16.6537628+00:00 2020-11-11T18:39:16.6537628+00:00 \n", "4 2020-11-11T16:08:45.6964987+00:00 2020-11-11T16:08:45.6964987+00:00 \n", "\n", " properties.createdBy.objectId properties.createdBy.email \\\n", "0 e0139aae-7811-40ca-abc6-3fcb79140a6b Tim.Burrell@microsoft.com \n", "1 b3a76793-1a0d-4bfe-95f6-96919d4b9acf bnick@microsoft.com \n", "2 518a3ca6-44f0-4ac7-8179-97d18e48d65c pascals@microsoft.com \n", "3 f6b78447-93dc-4041-a22a-6eb1c34265e2 Umesh.Nagdev@microsoft.com \n", "4 525c09b5-61ef-4e10-8150-b44c97ead3a1 Andrew.Blumhardt@microsoft.com \n", "\n", " properties.createdBy.name properties.updatedBy.objectId \\\n", "0 Tim Burrell (MSTIC) e0139aae-7811-40ca-abc6-3fcb79140a6b \n", "1 Ben Nick b3a76793-1a0d-4bfe-95f6-96919d4b9acf \n", "2 Pascal Sauliere 518a3ca6-44f0-4ac7-8179-97d18e48d65c \n", "3 Umesh Nagdev f6b78447-93dc-4041-a22a-6eb1c34265e2 \n", "4 Andrew Blumhardt 525c09b5-61ef-4e10-8150-b44c97ead3a1 \n", "\n", " properties.updatedBy.email properties.updatedBy.name ... \\\n", "0 Tim.Burrell@microsoft.com Tim Burrell (MSTIC) ... \n", "1 bnick@microsoft.com Ben Nick ... \n", "2 pascals@microsoft.com Pascal Sauliere ... \n", "3 Umesh.Nagdev@microsoft.com Umesh Nagdev ... \n", "4 Andrew.Blumhardt@microsoft.com Andrew Blumhardt ... \n", "\n", " properties.labels properties.query \\\n", "0 [] print \"192.168.15.6\" \\n \n", "1 [fluffyDogCampaign] let auditLookback = 14d;\\n// Setting threshold... \n", "2 [] // Event: An account failed to log on\\nSecurit... \n", "3 [] let current = 1d;\\nlet auditLookback = 14d;\\nl... \n", "4 [] ThreatIntelligenceIndicator \n", "\n", " properties.queryResult \\\n", "0 {\"print_0\":\"192.168.15.6\",\"__entityMapping\":{\"... \n", "1 {\"InitiatedBy\":\"seb@seccxp.ninja\",\"IpAddress\":... \n", "2 {\"TenantId\":\"8ecf8077-cf51-4820-aadd-14040956f... \n", "3 {\"InitiatedByApp\":\"Microsoft Azure AD Group-Ba... \n", "4 {\"TenantId\":\"8ecf8077-cf51-4820-aadd-14040956f... \n", "\n", " properties.queryStartTime properties.queryEndTime \\\n", "0 2020-11-17T09:26:33.557+00:00 2020-11-18T09:26:33.557+00:00 \n", "1 NaN NaN \n", "2 NaN NaN \n", "3 2020-11-10T18:39:01.061+00:00 2020-11-11T18:39:01.061+00:00 \n", "4 2020-11-10T16:08:26.089+00:00 2020-11-11T16:08:26.089+00:00 \n", "\n", " properties.incidentInfo.incidentId properties.incidentInfo.title \\\n", "0 None None \n", "1 None None \n", "2 None None \n", "3 None None \n", "4 None None \n", "\n", " properties.incidentInfo.relationName properties.incidentInfo.severity \\\n", "0 None None \n", "1 None None \n", "2 None None \n", "3 None None \n", "4 None None \n", "\n", " properties.notes \n", "0 NaN \n", "1 this looks suspicious \n", "2 NaN \n", "3 NaN \n", "4 My Bookmark \n", "\n", "[5 rows x 21 columns]" ] }, "execution_count": 15, "metadata": {}, "output_type": "execute_result" } ], "source": [ "bkmarks = azs.get_bookmarks(ws.value)\n", "bkmarks.head().drop(columns=[\"id\", \"etag\", \"name\"])" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "We can also interact with Incidents via the API to get a set of all incidents, or a single incident:" ] }, { "cell_type": "code", "execution_count": 16, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
\n", "\n", "\n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", "
idnameetagtypeproperties.titleproperties.severityproperties.statusproperties.owner.objectIdproperties.owner.emailproperties.owner.assignedTo...properties.additionalData.commentsCountproperties.additionalData.alertProductNamesproperties.additionalData.tacticsproperties.firstActivityTimeGeneratedproperties.lastActivityTimeGeneratedproperties.relatedAnalyticRuleIdsproperties.incidentUrlproperties.descriptionproperties.firstActivityTimeUtcproperties.lastActivityTimeUtc
0/subscriptions/d1d8779d-38d7-4f06-91db-9cbc8de...aabf6bcd-4134-b07b-1152-040aa0cdf069\"0402f99f-0000-0100-0000-5fbd43d50000\"Microsoft.SecurityInsights/IncidentsTime series anomaly detection for total volume...HighNewNoneNoneNone...2[Azure Sentinel][Exfiltration]2020-11-24T17:10:35.7652885Z2020-11-24T17:10:35.7652885Z[/subscriptions/d1d8779d-38d7-4f06-91db-9cbc8d...https://portal.azure.com/#asset/Microsoft_Azur...NaNNaNNaN
1/subscriptions/d1d8779d-38d7-4f06-91db-9cbc8de...e917efd0-331d-48b7-81d7-6205cee787f5\"0302de84-0000-0100-0000-5fbd23f30000\"Microsoft.SecurityInsights/IncidentsXASE SENSITIVITY TESTMediumNewNoneNoneNone...0[Azure Sentinel][]2020-11-24T15:17:06.8646498Z2020-11-24T15:17:06.8646498Z[/subscriptions/d1d8779d-38d7-4f06-91db-9cbc8d...https://portal.azure.com/#asset/Microsoft_Azur...LOWER CASE2020-11-24T14:55:03.95Z2020-11-24T14:55:03.95Z
2/subscriptions/d1d8779d-38d7-4f06-91db-9cbc8de...81d59f6e-988f-4758-a2d2-90886befccab\"03029c83-0000-0100-0000-5fbd23d10000\"Microsoft.SecurityInsights/IncidentsCase Sensitivity test UPPERMediumNewNoneNoneNone...0[Azure Sentinel][]2020-11-24T15:16:33.5131821Z2020-11-24T15:16:33.5131821Z[/subscriptions/d1d8779d-38d7-4f06-91db-9cbc8d...https://portal.azure.com/#asset/Microsoft_Azur...sdff2020-11-24T14:57:49.43Z2020-11-24T14:57:49.43Z
3/subscriptions/d1d8779d-38d7-4f06-91db-9cbc8de...b68151e7-890f-48aa-befb-3de2bc987557\"03022274-0000-0100-0000-5fbd222f0000\"Microsoft.SecurityInsights/IncidentsPotential Password SprayMediumNewNoneNoneNone...0[Azure Sentinel][Persistence]2020-11-24T15:09:35.0020779Z2020-11-24T15:09:35.0020779Z[/subscriptions/d1d8779d-38d7-4f06-91db-9cbc8d...https://portal.azure.com/#asset/Microsoft_Azur...Description with a link2020-11-24T10:04:32.5297051Z2020-11-24T15:04:32.5297051Z
4/subscriptions/d1d8779d-38d7-4f06-91db-9cbc8de...49f91f51-30ce-4028-9117-96ca3debbe14\"0302f05f-0000-0100-0000-5fbd204e0000\"Microsoft.SecurityInsights/IncidentsCase Sensitivity test UPPERMediumNewNoneNoneNone...0[Azure Sentinel][]2020-11-24T15:01:33.9949456Z2020-11-24T15:01:33.9949456Z[/subscriptions/d1d8779d-38d7-4f06-91db-9cbc8d...https://portal.azure.com/#asset/Microsoft_Azur...sdff2020-11-24T14:41:32.13Z2020-11-24T14:41:32.13Z
\n", "

5 rows × 27 columns

\n", "
" ], "text/plain": [ " id \\\n", "0 /subscriptions/d1d8779d-38d7-4f06-91db-9cbc8de... \n", "1 /subscriptions/d1d8779d-38d7-4f06-91db-9cbc8de... \n", "2 /subscriptions/d1d8779d-38d7-4f06-91db-9cbc8de... \n", "3 /subscriptions/d1d8779d-38d7-4f06-91db-9cbc8de... \n", "4 /subscriptions/d1d8779d-38d7-4f06-91db-9cbc8de... \n", "\n", " name \\\n", "0 aabf6bcd-4134-b07b-1152-040aa0cdf069 \n", "1 e917efd0-331d-48b7-81d7-6205cee787f5 \n", "2 81d59f6e-988f-4758-a2d2-90886befccab \n", "3 b68151e7-890f-48aa-befb-3de2bc987557 \n", "4 49f91f51-30ce-4028-9117-96ca3debbe14 \n", "\n", " etag \\\n", "0 \"0402f99f-0000-0100-0000-5fbd43d50000\" \n", "1 \"0302de84-0000-0100-0000-5fbd23f30000\" \n", "2 \"03029c83-0000-0100-0000-5fbd23d10000\" \n", "3 \"03022274-0000-0100-0000-5fbd222f0000\" \n", "4 \"0302f05f-0000-0100-0000-5fbd204e0000\" \n", "\n", " type \\\n", "0 Microsoft.SecurityInsights/Incidents \n", "1 Microsoft.SecurityInsights/Incidents \n", "2 Microsoft.SecurityInsights/Incidents \n", "3 Microsoft.SecurityInsights/Incidents \n", "4 Microsoft.SecurityInsights/Incidents \n", "\n", " properties.title properties.severity \\\n", "0 Time series anomaly detection for total volume... High \n", "1 XASE SENSITIVITY TEST Medium \n", "2 Case Sensitivity test UPPER Medium \n", "3 Potential Password Spray Medium \n", "4 Case Sensitivity test UPPER Medium \n", "\n", " properties.status properties.owner.objectId properties.owner.email \\\n", "0 New None None \n", "1 New None None \n", "2 New None None \n", "3 New None None \n", "4 New None None \n", "\n", " properties.owner.assignedTo ... properties.additionalData.commentsCount \\\n", "0 None ... 2 \n", "1 None ... 0 \n", "2 None ... 0 \n", "3 None ... 0 \n", "4 None ... 0 \n", "\n", " properties.additionalData.alertProductNames \\\n", "0 [Azure Sentinel] \n", "1 [Azure Sentinel] \n", "2 [Azure Sentinel] \n", "3 [Azure Sentinel] \n", "4 [Azure Sentinel] \n", "\n", " properties.additionalData.tactics properties.firstActivityTimeGenerated \\\n", "0 [Exfiltration] 2020-11-24T17:10:35.7652885Z \n", "1 [] 2020-11-24T15:17:06.8646498Z \n", "2 [] 2020-11-24T15:16:33.5131821Z \n", "3 [Persistence] 2020-11-24T15:09:35.0020779Z \n", "4 [] 2020-11-24T15:01:33.9949456Z \n", "\n", " properties.lastActivityTimeGenerated \\\n", "0 2020-11-24T17:10:35.7652885Z \n", "1 2020-11-24T15:17:06.8646498Z \n", "2 2020-11-24T15:16:33.5131821Z \n", "3 2020-11-24T15:09:35.0020779Z \n", "4 2020-11-24T15:01:33.9949456Z \n", "\n", " properties.relatedAnalyticRuleIds \\\n", "0 [/subscriptions/d1d8779d-38d7-4f06-91db-9cbc8d... \n", "1 [/subscriptions/d1d8779d-38d7-4f06-91db-9cbc8d... \n", "2 [/subscriptions/d1d8779d-38d7-4f06-91db-9cbc8d... \n", "3 [/subscriptions/d1d8779d-38d7-4f06-91db-9cbc8d... \n", "4 [/subscriptions/d1d8779d-38d7-4f06-91db-9cbc8d... \n", "\n", " properties.incidentUrl properties.description \\\n", "0 https://portal.azure.com/#asset/Microsoft_Azur... NaN \n", "1 https://portal.azure.com/#asset/Microsoft_Azur... LOWER CASE \n", "2 https://portal.azure.com/#asset/Microsoft_Azur... sdff \n", "3 https://portal.azure.com/#asset/Microsoft_Azur... Description with a link \n", "4 https://portal.azure.com/#asset/Microsoft_Azur... sdff \n", "\n", " properties.firstActivityTimeUtc properties.lastActivityTimeUtc \n", "0 NaN NaN \n", "1 2020-11-24T14:55:03.95Z 2020-11-24T14:55:03.95Z \n", "2 2020-11-24T14:57:49.43Z 2020-11-24T14:57:49.43Z \n", "3 2020-11-24T10:04:32.5297051Z 2020-11-24T15:04:32.5297051Z \n", "4 2020-11-24T14:41:32.13Z 2020-11-24T14:41:32.13Z \n", "\n", "[5 rows x 27 columns]" ] }, "metadata": {}, "output_type": "display_data" } ], "source": [ "incidents = azs.get_incidents(res_id=ws.value)\n", "display(incidents.head())" ] }, { "cell_type": "code", "execution_count": 17, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
\n", "\n", "\n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", "
idnameetagtypeproperties.titleproperties.severityproperties.statusproperties.owner.objectIdproperties.owner.emailproperties.owner.assignedTo...properties.incidentNumberproperties.additionalData.alertsCountproperties.additionalData.bookmarksCountproperties.additionalData.commentsCountproperties.additionalData.alertProductNamesproperties.additionalData.tacticsproperties.firstActivityTimeGeneratedproperties.lastActivityTimeGeneratedproperties.relatedAnalyticRuleIdsproperties.incidentUrl
0/subscriptions/d1d8779d-38d7-4f06-91db-9cbc8de...aabf6bcd-4134-b07b-1152-040aa0cdf069\"0402f99f-0000-0100-0000-5fbd43d50000\"Microsoft.SecurityInsights/IncidentsTime series anomaly detection for total volume...HighNewNoneNoneNone...4601102[Azure Sentinel][Exfiltration]2020-11-24T17:10:35.7652885Z2020-11-24T17:10:35.7652885Z[/subscriptions/d1d8779d-38d7-4f06-91db-9cbc8d...https://portal.azure.com/#asset/Microsoft_Azur...
\n", "

1 rows × 24 columns

\n", "
" ], "text/plain": [ " id \\\n", "0 /subscriptions/d1d8779d-38d7-4f06-91db-9cbc8de... \n", "\n", " name \\\n", "0 aabf6bcd-4134-b07b-1152-040aa0cdf069 \n", "\n", " etag \\\n", "0 \"0402f99f-0000-0100-0000-5fbd43d50000\" \n", "\n", " type \\\n", "0 Microsoft.SecurityInsights/Incidents \n", "\n", " properties.title properties.severity \\\n", "0 Time series anomaly detection for total volume... High \n", "\n", " properties.status properties.owner.objectId properties.owner.email \\\n", "0 New None None \n", "\n", " properties.owner.assignedTo ... properties.incidentNumber \\\n", "0 None ... 4601 \n", "\n", " properties.additionalData.alertsCount \\\n", "0 1 \n", "\n", " properties.additionalData.bookmarksCount \\\n", "0 0 \n", "\n", " properties.additionalData.commentsCount \\\n", "0 2 \n", "\n", " properties.additionalData.alertProductNames \\\n", "0 [Azure Sentinel] \n", "\n", " properties.additionalData.tactics properties.firstActivityTimeGenerated \\\n", "0 [Exfiltration] 2020-11-24T17:10:35.7652885Z \n", "\n", " properties.lastActivityTimeGenerated \\\n", "0 2020-11-24T17:10:35.7652885Z \n", "\n", " properties.relatedAnalyticRuleIds \\\n", "0 [/subscriptions/d1d8779d-38d7-4f06-91db-9cbc8d... \n", "\n", " properties.incidentUrl \n", "0 https://portal.azure.com/#asset/Microsoft_Azur... \n", "\n", "[1 rows x 24 columns]" ] }, "metadata": {}, "output_type": "display_data" } ], "source": [ "incident = azs.get_incident(incident_id = incidents.iloc[0]['name'] , res_id=ws.value)\n", "display(incident)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "You can also interact with an incident - adding comments or changing properties such as severity or status:" ] }, { "cell_type": "code", "execution_count": 18, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Comment posted.\n" ] } ], "source": [ "azs.post_comment(incident_id = incident.iloc[0]['name'], comment=\"This is a test comment\", res_id=ws.value)" ] }, { "cell_type": "code", "execution_count": 20, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Incident updated.\n" ] } ], "source": [ "azs.update_incident(incident_id = incident.iloc[0]['name'], update_items={\"severity\":\"High\"}, res_id=ws.value)" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [] } ], "metadata": { "hide_input": false, "kernelspec": { "display_name": "Python 3", "language": "python", "name": "python3" }, "language_info": { "codemirror_mode": { "name": "ipython", "version": 3 }, "file_extension": ".py", "mimetype": "text/x-python", "name": "python", "nbconvert_exporter": "python", "pygments_lexer": "ipython3", "version": "3.7.9" }, "latex_envs": { "LaTeX_envs_menu_present": true, "autoclose": false, "autocomplete": true, "bibliofile": "biblio.bib", "cite_by": "apalike", "current_citInitial": 1, "eqLabelWithNumbers": true, "eqNumInitial": 1, "hotkeys": { "equation": "Ctrl-E", "itemize": "Ctrl-I" }, "labels_anchors": false, "latex_user_defs": false, "report_style_numbering": false, "user_envs_cfg": false }, "toc": { "base_numbering": 1, "nav_menu": {}, "number_sections": false, "sideBar": true, "skip_h1_title": false, "title_cell": "Table of Contents", "title_sidebar": "Contents", "toc_cell": true, "toc_position": {}, "toc_section_display": true, "toc_window_display": false }, "varInspector": { "cols": { "lenName": 16, "lenType": 16, "lenVar": 40 }, "kernels_config": { "python": { "delete_cmd_postfix": "", "delete_cmd_prefix": "del ", "library": "var_list.py", "varRefreshCmd": "print(var_dic_list())" }, "r": { "delete_cmd_postfix": ") ", "delete_cmd_prefix": "rm(", "library": "var_list.r", "varRefreshCmd": "cat(var_dic_list()) " } }, "types_to_exclude": [ "module", "function", "builtin_function_or_method", "instance", "_Feature" ], "window_display": false }, "widgets": { "application/vnd.jupyter.widget-state+json": { "state": {}, "version_major": 2, "version_minor": 0 } } }, "nbformat": 4, "nbformat_minor": 4 }