
Commit cc68292

committed
updating with more details
1 parent 198cc11 commit cc68292

File tree

3 files changed

+111
-5
lines changed


articles/sentinel/notebook-get-started.md

Lines changed: 111 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -57,15 +57,121 @@ This procedure describes how to launch your notebook with Microsoft Sentinel.
5757
- *Markdown* cells contain text and graphics with instructions for using the notebook
5858
- *Code* cells contain executable code that performs the notebook functions
5959

60-
1. Read and run the code cells in order, using the directions in the notebook. Skipping cells or running them out of order might cause errors later in the notebook.
60+
1. At the top of the page, select your **Compute**, and then read and run the code cells in order using the instructions in the notebook. Skipping cells or running them out of order might cause errors later in the notebook.
6161

62-
Depending on the function being performed, the code in the cell might run quickly, or it might take a few seconds to complete. When the cell is running, the play button changes to a loading spinner, and a status of `Executing` is displayed at the bottom of the cell, together with the elapsed time.
62+
Depending on the compute you selected, it might take a few minutes to start. When the compute is ready, it'll show as **Ready** at the top of the tab.
6363

64-
The notebook contains sections for you to run the following tasks:
64+
:::image type="content" source="media/notebook-get-started/compute-ready.png" alt-text="Screenshot of a machine learning environment ready to run code cells.":::
6565

66-
- **Initialize the notebook and MSTICPy**. Use this section of the notebook to set up your environment and understand the basics of notebooks and MSYTICPy. For more information, see the sample [`msticpyconfig.yaml](https://github.com/Azure/Azure-Sentinel-Notebooks/blob/master/msticpyconfig.yaml) template, which has commented-out sections that might help you understand the settings.
66+
Depending on the function being performed, the code in the cell might run quickly, or it might take a few seconds to complete. When the cell is running, the play button changes to a loading spinner, and the status is displayed at the bottom of the cell, together with the elapsed time.
6767

68-
- **Query data from Microsoft Sentinel.** Use this section of the notebook to verify your Microsoft Sentinel settings in MSTICPy, load a QueryProvider to query data from Microsoft Sentinel, authenticate to Microsoft Sentinel, and test your connection.
68+
Run the code cells in the **Introduction** section to learn the basics of running code in notebooks, and then run the code in the **Initializing the notebook and MSTICPy** section to set up your initial environment.
69+
70+
When initializing the notebook, configuration warnings about missing settings are expected because you didn't configure anything yet.
71+
72+
## Create your configuration file
73+
74+
After the basic initialization, you're ready to create your configuration file with basic settings for working with MSTICPy.
75+
76+
Many Microsoft Sentinel notebooks connect to external services such as [VirusTotal](https://www.virustotal.com) (VT) to collect and enrich data. To connect to these services you need to set and store configuration details, such as authentication tokens. Having this data in your configuration file avoids you having to type in authentication tokens and workspace details each time you use a notebook.
77+
78+
MSTICPy uses a **msticpyconfig.yaml** for storing a wide range of configuration details. By default, a **msticpyconfig.yaml** file is generated by the notebook initialization function. If you [cloned this notebook from the Microsoft Sentinel portal](#run-and-initialize-the-getting-started-guide-notebook), the configuration file is populated with Microsoft Sentinel workspace data. This data is read from a **config.json** file, created in the Azure Machine Learning workspace when you launch your notebook. For more information, see the [MSTICPy Package Configuration documentation](https://msticpy.readthedocs.io/en/latest/getting_started/msticpyconfig.html).
79+
80+
The following sections describe how to add more configuration details to the **msticpyconfig.yaml** file.
81+
82+
If you run the *Getting Started Guide* notebook again, and already have a minimally configured **msticpyconfig.yaml** file, the `init_notebook` function doesn't overwrite or modify your existing file.
83+
84+
At any point in time, select the **-Help** drop-down menu in the MSTICPy configuration tool for more instructions and links to detailed documentation.
85+
86+
### Display the MSTICPy settings editor
87+
88+
1. Add a code cell to your notebook, and run the following code to import the `MpConfigEdit` tool and display a settings editor for your **msticpyconfig.yaml** file:
89+
90+
```python
91+
from msticpy.config import MpConfigEdit
92+
93+
mpedit = MpConfigEdit( "msticpyconfig.yaml")
94+
mpedit.set_tab("AzureSentinel")
95+
display(mpedit)
96+
```
97+
98+
The automatically created **msticpyconfig.yaml** file is shown in the notebook in a series of editable tabs. In the **Microsoft Sentinel** tab, two entries are already populated with details of the Microsoft Sentinel workspace that the notebook was cloned from. One entry has the name of your workspace and the other is named **Default**.
99+
100+
MSTICPy allows you to store configurations for multiple Microsoft Sentinel workspaces and switch between them. The **Default** entry allows you to authenticate to your "home" workspace by default, without having to name it explicitly. If you add another workspaces, you can configure any one of them to be the **Default** entry.
101+
102+
In the Azure Machine Learning environment, the settings editor might take 10-20 seconds to appear.
103+
104+
1. Verify your current settings and select **Save Settings**.
105+
106+
### Add threat intelligence provider settings
107+
108+
This procedure describes how to store your [VirusTotal API key](#prerequisites) in the **msticpyconfig.yaml** file. You can opt to upload the API key to Azure Key Vault, but you must configure the Key Vault settings first. For more information, see [Configure Key Vault settings](#configure-key-vault-settings).
109+
110+
To add VirusTotal details in the MSTICPy settings editor, complete the following steps.
111+
112+
1. Add a new code cell and run the following:
113+
114+
```python
115+
mpedit.set_tab("TI Providers")
116+
mpedit
117+
```
118+
119+
1. In the **TI Providers** tab, from the **Add prov** dropdown, select **VirusTotal** > **Add**.
120+
121+
1. Under **Auth Key**, select **Text** next to the **Storage** option.
122+
123+
1. In the **Value** field, paste your API key.
124+
125+
1. Select **Update**, and then select **Save Settings** at the bottom of the settings editor.
126+
127+
For more information about other supported threat intelligence providers, see [Threat intelligence providers](https://msticpy.readthedocs.io/en/latest/data_acquisition/TIProviders.html) in the MSTICPy documentation and [Threat intelligence integration in Microsoft Sentinel](threat-intelligence-integration.md).
128+
129+
### Add GeoIP provider settings
130+
131+
This procedure describes how to store a [MaxMind GeoLite2 account key](#prerequisites) in the **msticpyconfig.yaml** file, which allows your notebook to use geolocation lookup services for IP addresses.
132+
133+
To add GeoIP provider settings in the MSTICPy settings editor, complete the following steps.
134+
135+
1. Add a new code cell and run the following:
136+
137+
```python
138+
mpedit.set_tab("GeoIP Providers")
139+
mpedit
140+
```
141+
142+
1. In the **GeoIP Providers** tab, from the **Add prov** dropdown, select **GeoIPLite** > **Add**.
143+
144+
1. In the **Value** field, enter your MaxMind account key.
145+
146+
1. If needed, update the default **~/.msticpy** folder for storing the downloaded GeoIP database.
147+
148+
- On Windows, this folder is mapped to the **%USERPROFILE%/.msticpy**.
149+
- On Linux or macOS, this path is mapped to the **.msticpy** folder in your home folder.
150+
151+
For more information about other supported geolocation lookup services, see the [MSTICPy GeoIP Providers documentation](https://msticpy.readthedocs.io/en/latest/data_acquisition/GeoIPLookups.html).
152+
153+
### Configure Azure Cloud settings
154+
155+
If your organization doesn't use the Azure public cloud, you must specify this in your settings to successfully authenticate and use data from Microsoft Sentinel and Azure. For more information, see [Specify the Azure Cloud and default Azure Authentication methods](#specify-the-azure-cloud-and-azure-authentication-methods).
156+
157+
### Validate settings
158+
159+
1. On any tab in the MSTICPy settings editor, select **Validate settings**.
160+
161+
Warning messages about missing configurations are expected, but you shouldn't have any for threat intelligence provider or GeoIP provider settings.
162+
163+
1. Depending on your environment, you might also need to [Configure Key Vault settings](#configure-key-vault-settings) or [Specify the Azure cloud](#specify-the-azure-cloud-and-azure-authentication-methods).
164+
165+
1. If you need to make any changes because of the validation, make those changes and then select **Save Settings**.
166+
167+
1. When you're done, select the **Close** button to hide the validation output.
168+
169+
For more information, see: [Advanced configurations for Jupyter notebooks and MSTICPy in Microsoft Sentinel](notebooks-msticpy-advanced.md)
170+
171+
## find a space for this
172+
173+
174+
- **Querying data from Microsoft Sentinel.** Use this section of the notebook to verify your Microsoft Sentinel settings in MSTICPy, load a QueryProvider to query data from Microsoft Sentinel, authenticate to Microsoft Sentinel, and test your connection.
69175

70176
If you restart your Compute instance or switch to a different instance, you'll need to re-authenticate to Microsoft Sentinel. For more information, see [Caching credentials with Azure CLI](https://github.com/Azure/Azure-Sentinel-Notebooks/wiki/Caching-credentials-with-Azure-CLI).
71177
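Review bot: the new heading `## find a space for this` at line 171+ is an author placeholder and must not ship; the **Querying data from Microsoft Sentinel** bullet at 174+ that now sits under it is the old line 68 that was dropped from the bulleted list, so it should be moved back into a real section (for example next to the re-authentication note at 176) and the placeholder heading deleted. Two smaller wording fixes in the same hunk: line 100+ reads "If you add another workspaces", which should be "another workspace" or "other workspaces", and line 84+ refers to a "**-Help**" drop-down, where the leading hyphen looks like a typo for **Help**. In the code at line 93+, `MpConfigEdit( "msticpyconfig.yaml")` has a stray space after the parenthesis. On the VirusTotal procedure (lines 108 to 125): choosing **Text** for **Storage** at 121+ and pasting the key at 123+ writes the API key in clear text into **msticpyconfig.yaml** in the notebook's working directory, so the section should say that plainly and point readers to the Key Vault option that 108+ already mentions before they share or check in that folder. Finally, line 148+ gives the Windows path as **%USERPROFILE%/.msticpy**; a backslash would match the platform convention used by the Linux/macOS line that follows.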
