learn-pr/wwl-sci/perform-threat-hunting-sentinel-with-notebooks/includes/1-introduction.md
+4 -2 (4 additions & 2 deletions)
@@ -1,6 +1,6 @@
1
1
You can use notebooks in Microsoft Sentinel for advanced hunting.
2
2
3
-
You're a Security Operations Analyst working at a company that implemented Microsoft Sentinel. You want to mature your Security Operations team to proactively hunt for malicious activity in your environment with advanced machine learning capabilities.
3
+
You're a Security Operations Analyst working at a company that implemented Microsoft Sentinel. You want to mature your Security Operations team to proactively hunt for malicious activity in your environment with advanced machine learning capabilities.
4
4
5
5
After developing your hunting hypothesis, you utilize a Jupyter notebook to integrate machine learning libraries, advanced visualizations, and external data to detect malicious activity patterns.
6
6
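Review bot: the removed and added copies of old line 3 / new line 3 ("You're a Security Operations Analyst working at a company that implemented Microsoft Sentinel...") read identically, so this hunk appears to be a whitespace-only change (trailing space or line ending). If that is intended, fine; otherwise the intended wording edit to this sentence is missing from the hunk.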
@@ -12,4 +12,6 @@ After completing this module, you'll be able to:
12
12
13
13
## Prerequisites
14
14
15
-
Basic knowledge of operational concepts such as monitoring, logging, and alerting
15
+
- Basic knowledge of operational concepts such as monitoring, logging, and alerting
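Review bot: the hunk header counts four lines becoming six, but the only visible change is the "- " prefix turning "Basic knowledge of operational concepts such as monitoring, logging, and alerting" into a bullet; confirm that the two further added lines are bulleted the same way so the Prerequisites section renders as one consistent list rather than a mix of a bullet and loose paragraphs.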
To start with Notebooks, use the "Getting Started Guide For Microsoft Sentinel ML Notebooks" notebook.
1
+
To get started with Notebooks, use the *Getting Started Guide For Microsoft Sentinel ML Notebooks* notebook.
2
2
3
-
1. In the Microsoft Sentinel Workspace, select **Notebooks**
3
+
1. In the Microsoft Sentinel navigation menu, expand the *Threat Management* section, and select **Notebooks**
4
4
5
-
1. You need to create an AzureML Workspace. Select **Configure Azure Machine Learning** then **Create new Azure ML workspace**.
5
+
1. You need to create an Azure Machine Learning (ML) Workspace. From the menu, select **Configure Azure Machine Learning**, then **Create new Azure ML workspace**.
6
6
7
7
1. In the Subscription box, select your subscription.
8
8
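Review bot: the reworded step "You need to create an Azure Machine Learning (ML) Workspace. From the menu, select **Configure Azure Machine Learning**, then **Create new Azure ML workspace**." still does not say which role the reader needs to create the workspace and its dependent resources, and it capitalizes "Workspace" in one clause and "workspace" in the next; suggest adding one sentence on the required permissions in the subscription and resource group and settling on lowercase "workspace" throughout.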
@@ -14,33 +14,76 @@ To start with Notebooks, use the "Getting Started Guide For Microsoft Sentinel M
14
14
15
15
- Choose your Region
16
16
17
-
-Save your Storage account, Key vault, and Application insights information.
17
+
-Keep the default Storage account, Key vault, and Application insights information.
18
18
19
19
- The Container registry option can remain as None.
20
20
21
-
1. At the bottom of the page, select **Review + create**. Then on the next page, select **create**. It will take a moment to deploy the workspace.
21
+
1. At the bottom of the page, select **Review + create**. Then on the next page, select **create**. It takes a moment to deploy the workspace.
22
22
23
-
1. Navigate to the Microsoft Sentinel workspace, select **Notebooks**.
23
+
> [!NOTE]
24
+
> It takes a few minutes to deploy the Machine Learning workspace.
24
25
25
-
1.Select the **Templates** tab.
26
+
1.After *Your deployment is complete* message appears, return to Microsoft Sentinel.
26
27
27
-
1.Select the **A Getting Started Guide For Microsoft Sentinel ML Notebooks** from the list.
28
+
1.Navigate to the Threat Management section, and select **Notebooks**.
28
29
29
-
1. Select **Create from template**on the bottom of the right page.
30
+
1. Select the **Templates**tab.
30
31
31
-
1. Select the **Save**.
32
+
1. Select the **A Getting Started Guide For Microsoft Sentinel ML Notebooks** from the list.
32
33
33
-
1. Select the **Launch notebook**.
34
+
1. Select **Create from template** button on the bottom of the detail pane.
34
35
35
-
1.Next to the Compute instance selector at the top of the screen, select the **+**.
36
+
1.Review the default options and then select **Save**.
36
37
37
-
1.Choose your compute settings.
38
+
1.Select the **Launch notebook** button.
38
39
39
-
1.Name your Compute instance and select the **Create**button at the bottom of the screen.
40
+
1.Select **Close**if an informational window appears in the Microsoft Azure Machine Learning studio.
40
41
41
-
1.Wait for the compute instance to finish creating.
42
+
1.1. In the command bar, to the right of the **Compute:** selector, select the **+** symbol to *Create Azure ML compute* instance. **Hint:** It might be hidden inside the ellipsis icon **(...)**.
42
43
43
-
1. In the top right of the notebook, select a Kernel to use if not selected.
44
+
> [!NOTE]
45
+
> You can have more screen space by hiding the Azure ML Studio left menu selections. Select the *Hamburger menu* (3 horizontal lines on the top left), and by collapsing the Notebooks Files by selecting the **<<** icon.
44
46
45
-
1.Follow the instructions in the Notebook.
47
+
1.Type a unique name in the *Compute name* field. This identifies your compute instance.
46
48
49
+
1. Scroll down and select the first option available.
50
+
51
+
> [!TIP]
52
+
> Workload type: Development on Notebooks (or other IDE) and lightweight testing.
53
+
54
+
1. Select the **Review + Create** button at the bottom of the screen, then scroll down and select **Create**. Close any feedback window that appears. This takes a few minutes. You see a notification (bell icon) when it completes and the *Compute instance* left icon turns from blue to green.
55
+
56
+
1. Once the Compute is created and running, verify that the kernel to use is *Python 3.10 - Pytorch and Tensorflow*.
57
+
58
+
> [!TIP]
59
+
> This is shown in the right of the menu bar. If that kernel isn't selected, select the *Python 3.10 - Pytorch and Tensorflow* option from the drop-down list. You can select the **Refresh** icon on the far right to see the kernel options.
60
+
61
+
1. Select the **Authenticate** button and wait for the authentication to complete.
62
+
63
+
1. Clear all the results from the notebook by selecting the **Clear all outputs** (Eraser icon) from the menu bar and follow the *Getting Started* tutorial.
64
+
65
+
> [!TIP]
66
+
> This can be found by selecting the ellipsis (...) from the menu bar.
67
+
68
+
1. Review section *1 Introduction* in the notebook and proceed to section *2 Initializing the notebook and MSTICPy*.
69
+
70
+
> [!TIP]
71
+
> Section 1.2 *Running code in notebooks* lets you practice running small lines of Python code.
72
+
73
+
1. In section *2 Initializing the notebook and MSTICPy*, review the content on Initializing the notebook and installing the MSTICPy package.
74
+
75
+
1. Run the *Python code* to initialize the cell by selecting the **Run cell** button (Play icon) to the left of the code.
76
+
77
+
1. It should take >30 seconds to run. Once it completes, review the output messages and *disregard any warnings about the Python kernel version* or other error messages.
78
+
79
+
1. The code ran successfully if *msticpyconfig.yaml* was created in the *utils* folder in the *file explorer* pane on the left. It can take another 30 seconds for the file to appear. If it doesn't appear, select the **Refresh** icon in the *file explorer* pane.
80
+
81
+
> [!TIP]
82
+
> You can clear the output messages by selecting the ellipsis (...) on the left of the code window for the *Output menu* and selecting the *Clear output* (square with an x*) icon.
83
+
84
+
1. Select the **msticpyconfig.yaml** file in the *file explorer* pane on the left to review the contents of the file and then close it.
85
+
86
+
1. Proceed to section *3 Querying data with MSTICPy* and review the contents. Don't run the *Multiple Microsoft Sentinel workspaces* code cell as it fails, but the other code cells can be run successfully.
87
+
88
+
> [!NOTE]
89
+
> If you can't complete the steps above to access the Notebook, you can follow it on its GitHub viewer page instead. [Getting Started with Azure ML Notebooks and Microsoft Sentinel](https://nbviewer.org/github/Azure/Azure-Sentinel-Notebooks/blob/master/A%20Getting%20Started%20Guide%20For%20Azure%20Sentinel%20ML%20Notebooks.ipynb)
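Review bot: several added ordered-list items lack the space after the marker ("1.After *Your deployment is complete* message appears...", "1.Navigate to the Threat Management section...", "1.Review the default options...", "1.Select the **Launch notebook** button.", "1.Select **Close**if an informational window appears...", "1.Type a unique name in the *Compute name* field..."), so Markdown will render them as plain text rather than list items; the compute-instance step also carries a doubled marker ("1.1. In the command bar...") and missing spaces before "tab" and "if" after the bold text. Two wording points in the same hunk: "It should take >30 seconds to run" reads as "more than 30 seconds", so state the intended bound ("about 30 seconds" or "up to 30 seconds"), and "disregard any warnings about the Python kernel version or other error messages" tells the reader to ignore errors in general; limit that to the specific kernel-version warning and say what a genuine failure looks like (for example, *msticpyconfig.yaml* not appearing in *utils*, which the next step already describes). Finally, "It takes a moment to deploy the workspace" and the new note "It takes a few minutes to deploy the Machine Learning workspace" give different expectations for the same step; keep one.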
learn-pr/wwl-sci/perform-threat-hunting-sentinel-with-notebooks/includes/5-explore-notebook-code.md
+7 -7 (7 additions & 7 deletions)
@@ -1,16 +1,16 @@
1
-
The following code blocks of the "Getting Started Guide For Microsoft Sentinel ML Notebooks" notebook provide a representative example of working with Microsoft Sentinel data.
1
+
The following code blocks provide a representative example of using notebooks to work with Microsoft Sentinel data.
2
2
3
3
**Code Block**
4
4
5
5
In this snippet of code:
6
6
7
7
- Create a new variable [test_query] that contains the KQL query.
8
8
9
-
- Next, you run the query [qry_prov.exec_query()]. This utilizes the msticpy library to execute the KQL query in the Microsoft Sentinel Log Analytics related workspace. The results are stored in the [test_df] variable.
9
+
- Next, you run the query [qry_prov.exec_query()]. This utilizes the msticpy library to execute the KQL query in the Microsoft Sentinel Log Analytics related workspace. The results are stored in the [test_df] variable.
10
10
11
11
- Next, display the first five rows with the xxx_xxxx.head() function.
12
12
13
-
:::image type="content" source="../media/threat-hunt-1.png" alt-text="Screenshot of a Sentinel Notebook Sample 1 Query.":::
13
+
:::image type="content" source="../media/threat-hunt-1.png" alt-text="Screenshot of a Microsoft Sentinel Notebook Sample 1 Query.":::
14
14
15
15
**Code Block**
16
16
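Review bot: the context line "Next, display the first five rows with the xxx_xxxx.head() function." still carries the placeholder "xxx_xxxx" where the DataFrame name belongs; since the preceding bullet stores the results in [test_df], this should read "test_df.head()". While touching this file, the bracket notation for identifiers ([test_query], [qry_prov.exec_query()], [test_df]) would render more clearly as code spans, and the removed/added copies of the exec_query bullet are identical, so that part of the hunk is whitespace-only.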
@@ -26,16 +26,16 @@ In this snippet of code:
26
26
27
27
- The new function returns the Severity of the IP address.
28
28
29
-
:::image type="content" source="../media/threat-hunt-3.png" alt-text="Screenshot of a Sentinel Notebook Sample 2 Query.":::
29
+
:::image type="content" source="../media/threat-hunt-3.png" alt-text="Screenshot of a Microsoft Sentinel Notebook Sample 2 Query.":::
30
30
31
31
**Code Block**
32
32
33
33
In this snippet of code:
34
34
35
35
- Create a new variable [vis_q] that contains the KQL query.
36
36
37
-
- Next, you run the query [qry_prov.exec_query()]. This utilizes the msticpy library to execute the KQL query in the Microsoft Sentinel Log Analytics related workspace. The results are stored in the [vis_data] variable.
37
+
- Next, you run the query [qry_prov.exec_query()]. This utilizes the msticpy library to execute the KQL query in the Microsoft Sentinel Log Analytics related workspace. The results are stored in the [vis_data] variable.
38
38
39
-
- Then, [qry_prov.exec_query()] returns a pandas DataFrame that provides visualization features. You then plot a bar graph with the unique IP addresses and how many times they were used in the first five entries of the Dataframe.
39
+
- Then, [qry_prov.exec_query()] returns a pandas DataFrame that provides visualization features. You then plot a bar graph with the unique IP addresses and how many times they were used in the first five entries of the Dataframe.
40
40
41
-
:::image type="content" source="../media/threat-hunt-2.png" alt-text="Screenshot of a Sentinel Notebook Sample 3 Query.":::
41
+
:::image type="content" source="../media/threat-hunt-2.png" alt-text="Screenshot of a Microsoft Sentinel Notebook Sample 3 Query.":::
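Review bot: the removed and added copies of the two bullets under this "Code Block" are identical, so only the alt-text change ("Sentinel Notebook" to "Microsoft Sentinel Notebook") is substantive here; the retained bullet still spells the type both "DataFrame" and "Dataframe" in one sentence, and "[vis_q]" / "[vis_data]" would be clearer as code spans, consistent with the earlier hunk.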