Azure Sentinel notebooks are Jupyter notebooks, hosted on an Azure Machine Learning workspace, that run against the data in your Log Analytics workspace. They give security analysts a place to analyze, correlate, and visualize large datasets with code – a valuable function for hunting.
Using these machine learning capabilities, you can create complex logic to identify anomalies; correlate data across different logs; apply machine learning models for prediction; and visualize data in various formats such as charts, tables, or graphs.
In the SC-200 exam context, being proficient in handling notebooks could mean a better understanding of the Azure Sentinel platform.
Hunting via Notebooks
Let’s take a closer look at how you can perform hunting using notebooks.
Load data
Initially, you’d need to connect your notebook to your Log Analytics workspace where your logs reside. Once your notebook is connected to the workspace, you can start querying the data by using the Kusto Query Language (KQL).
Below is a basic command to query your security logs for failed sign-in events. Windows records a failed logon as Security event ID 4625 ("An account failed to log on"), so the query filters the SecurityEvent table on that ID. Here `workspace` stands for a query provider that is already connected to your workspace; in the Sentinel notebook templates that role is usually played by msticpy's QueryProvider, whose exec_query method returns the results as a pandas DataFrame (the page does not name the library, so treat this as the common pattern rather than the only one).

```python
securitylogs_df = workspace.query("SecurityEvent | where EventID == 4625")
```

The query returns every SecurityEvent record with event ID 4625, one row per failed logon attempt, as a DataFrame you can work on in Python.
Analyze your data
After querying the data, you can use Python libraries such as pandas and numpy to clean, analyze, and manipulate these data points.
For example, if you want to keep only the failed sign-in events from a certain date onward, filter the DataFrame with a boolean mask. pandas needs the element-wise `&` operator with each condition in parentheses; the plain Python `and` raises "The truth value of a Series is ambiguous". TimeGenerated typically arrives as a timezone-aware UTC column, so compare it with a UTC timestamp:

```python
import pandas as pd

since = pd.Timestamp("2020-08-01", tz="UTC")  # TimeGenerated from Sentinel is tz-aware UTC
unsuccessful_signin_events_df = securitylogs_df[(securitylogs_df["EventID"] == 4625) & (securitylogs_df["TimeGenerated"] >= since)]
```

This returns the failed sign-in events from 1 August 2020 onward. The EventID test is redundant after the KQL filter above, but it documents what the frame is expected to hold.
Visualize Your Data
Visualizing your data can help you identify trends and anomalies at a glance. Using Python's Matplotlib library (which pandas calls under the hood through `.plot()`), you can plot your data on graphs.
Plotting the raw EventID column against TimeGenerated is not informative here, because every row carries the same value, 4625. A more useful picture is the number of failed sign-ins per hour, which makes a brute-force burst or a password spray stand out as a spike:

```python
import matplotlib.pyplot as plt

# Count 4625 events per hour; TimeGenerated becomes the index so resample() can bucket by time
failures_per_hour = securitylogs_df.set_index("TimeGenerated").resample("H").size()
failures_per_hour.plot(kind="bar", title="Failed sign-ins (event 4625) per hour")
plt.show()
```

This plots the hourly count of failed sign-ins over time, so a sudden rise in bar height points you at the window worth investigating.
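The three steps above (load, analyze, visualize) are shown below as one worked hunt. This is an added example, not code from the original article or from Microsoft. It builds the time-bounded KQL the load step would send, then runs the kind of analysis the analyze step would do with pandas, but in plain standard-library Python so it executes offline: it buckets failed logons (event 4625) into one-hour windows, produces the per-hour counts the visualize step would plot, and flags two classic patterns, password spray (one source IP failing against many accounts) and brute force (many failures against one account). SAMPLE_ROWS is constructed data in the shape a query result takes after `DataFrame.to_dict("records")`; the thresholds are illustrative assumptions, not Microsoft guidance, and msticpy's `QueryProvider.exec_query` is mentioned as the assumed way to obtain real rows but is not imported.

```python
"""Hunt failed logons (Windows event ID 4625) pulled from an Azure Sentinel workspace.

Added example for this page, not the article's or Microsoft's code. Real rows would
come from a KQL query (assumed: msticpy QueryProvider.exec_query(...).to_dict("records")).
SAMPLE_ROWS below is constructed data; thresholds are illustrative assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Illustrative thresholds per time window (assumptions; tune to your estate).
WINDOW = timedelta(hours=1)
SPRAY_MIN_ACCOUNTS = 5    # one source IP failing against at least this many accounts
BRUTE_MIN_FAILURES = 10   # at least this many failures against one account


def build_failed_logon_query(start, end, max_rows=50000):
    """KQL for 4625 events between start and end (tz-aware datetimes), capped by `take`."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    s = start.astimezone(timezone.utc).strftime(fmt)
    e = end.astimezone(timezone.utc).strftime(fmt)
    return (
        "SecurityEvent\n"
        f"| where TimeGenerated between (datetime({s}) .. datetime({e}))\n"
        "| where EventID == 4625\n"
        "| project TimeGenerated, Account, IpAddress, LogonType, Computer\n"
        f"| take {max_rows}"
    )


def _as_utc(ts):
    """Accept a datetime or an ISO-8601 string ('Z' suffix as exported by Sentinel)."""
    if isinstance(ts, str):
        ts = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)  # Sentinel timestamps are UTC
    return ts.astimezone(timezone.utc)


def _window_start(ts, window):
    """Floor a timestamp to the start of its window (epoch-aligned buckets)."""
    secs = window.total_seconds()
    start = int(_as_utc(ts).timestamp() // secs) * secs
    return datetime.fromtimestamp(start, tz=timezone.utc)


def failures_per_window(rows, window=WINDOW):
    """Timeline for plotting: sorted list of (window_start_iso, failed_logon_count)."""
    counts = Counter(_window_start(r["TimeGenerated"], window) for r in rows)
    return [(start.isoformat(), n) for start, n in sorted(counts.items())]


def hunt_failed_logons(rows, window=WINDOW, spray_min_accounts=SPRAY_MIN_ACCOUNTS,
                       brute_min_failures=BRUTE_MIN_FAILURES):
    """Flag password spray and brute force inside each window; returns a list of findings."""
    buckets = defaultdict(list)
    for r in rows:
        buckets[_window_start(r["TimeGenerated"], window)].append(r)

    findings = []
    for start in sorted(buckets):
        accounts_by_ip = defaultdict(set)
        failures_by_account = Counter()
        for ev in buckets[start]:
            acct = ev["Account"].lower()  # Windows account names are case-insensitive
            accounts_by_ip[ev["IpAddress"]].add(acct)
            failures_by_account[acct] += 1
        for ip, accts in accounts_by_ip.items():
            if len(accts) >= spray_min_accounts:
                findings.append({"type": "password_spray", "window_start": start.isoformat(),
                                 "ip": ip, "accounts": len(accts)})
        for acct, n in failures_by_account.items():
            if n >= brute_min_failures:
                findings.append({"type": "brute_force", "window_start": start.isoformat(),
                                 "account": acct, "failures": n})
    return findings


# Constructed sample rows (not real telemetry) in the shape of the query result.
BASE = datetime(2020, 8, 1, 10, 0, tzinfo=timezone.utc)


def _row(minute, account, ip):
    return {"TimeGenerated": BASE + timedelta(minutes=minute), "Account": account,
            "IpAddress": ip, "LogonType": 3, "Computer": "DC01"}


SAMPLE_ROWS = (
    [_row(m, f"CORP\\user{m}", "192.0.2.10") for m in range(6)]               # spray: 1 IP, 6 accounts
    + [_row(10 + m, "CORP\\svc_backup", "198.51.100.7") for m in range(10)]   # brute: 1 account, 10 hits
    + [_row(90, "CORP\\alice", "10.0.0.5"), _row(95, "CORP\\alice", "10.0.0.5")]  # benign typos
)

if __name__ == "__main__":
    print(build_failed_logon_query(BASE, BASE + timedelta(hours=2)))
    for point in failures_per_window(SAMPLE_ROWS):
        print(point)
    for finding in hunt_failed_logons(SAMPLE_ROWS):
        print(finding)
```

In a notebook you would feed `hunt_failed_logons` the rows returned by your query provider (for msticpy, `qry_prov.exec_query(build_failed_logon_query(start, end)).to_dict("records")`, assumed API) and hand `failures_per_window` to the plotting step. The epoch-aligned windows mean an attack that straddles an hour boundary can be split in two and miss a threshold; a sliding window is the usual fix if that matters for your thresholds.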
Conclusion
Hunting via notebooks is an important skill for detecting and diagnosing threats across your organization's network. Making the most of this tool helps you glean meaningful insights from large datasets, and it aids your preparation for the SC-200 Microsoft Security Operations Analyst exam. For more in-depth learning, review the official Microsoft documentation on Sentinel notebooks (which run on Azure Machine Learning; the earlier standalone Azure Notebooks service has been retired) and on Kusto Query Language (KQL).
As always, practice is key to mastering any technology. So, go ahead and try performing your own hunting exercise using notebooks on the Azure Sentinel platform. Happy hunting!
Practice Test
True or False: You can use notebooks like Azure Notebooks for hunting security threats in your Microsoft ecosystem.
- True
- False
Answer: True.
Explanation: Notebooks (originally hosted on Azure Notebooks, now on Azure Machine Learning) give security operators a place to write and run code for threat hunting. The Sentinel templates are written in Python, and R kernels are also available for scripting hunt queries.
What languages does the Azure Sentinel Notebook support for scripting?
- A. Python
- B. Bash
- C. PowerShell
- D. R
Answer: A, D.
Explanation: Azure Sentinel notebooks provide support for Python and R language-based scripting.
In Microsoft’s security ecosystem, which of the following is NOT true about Jupyter notebooks?
- A. It supports Python
- B. It supports R
- C. It supports PowerShell
- D. They are Ideal for building and testing new hunting strategies
Answer: C. It supports PowerShell.
Explanation: The Jupyter notebooks used with Azure Sentinel are written in Python, with R also available; PowerShell is not a language Sentinel notebooks target.
True or False: Notebooks cannot integrate with data from outside services.
- True
- False
Answer: False.
Explanation: Notebooks can be integrated with data from various services and APIs, which can be used to enrich hunting investigations.
To perform hunting in Azure Sentinel with notebooks, you will need access to which of the following?
- A. Data connectors
- B. Azure Notebooks
- C. Log Analytics workspace
- D. All of the above
Answer: D. All of the above
Explanation: You need data connectors to bring the data into Sentinel, a notebook environment (Azure Notebooks, since replaced by Azure Machine Learning) for scripting, and a Log Analytics workspace to query the data.
True or False: You cannot share notebooks on Azure Notebooks.
- True
- False
Answer: False.
Explanation: You can share your Jupyter notebooks on Azure Notebooks, making it easier for teams to collaborate on the same hunting query.
Which of the following does not support integration with Azure Notebooks for threat hunting?
- A. Office 365
- B. Azure Active Directory
- C. Azure firewall
- D. Azure Logic Apps
Answer: D. Azure Logic Apps.
Explanation: Azure Logic Apps are primarily used for integrations and workflows, not for threat hunting. While they can send data to Sentinel, they are not primarily for investigating or hunting threats.
True or False: You should convert Logs in Azure Sentinel into data frames for efficient hunting.
- True
- False
Answer: True.
Explanation: Loading query results into a pandas DataFrame lets you filter, group, and join millions of rows with vectorized operations instead of Python loops, and it is the input format that the plotting and machine-learning libraries expect.
What is the key feature of Azure Sentinel Notebooks that support threat hunting?
- A. Collaboration
- B. Scripting
- C. Ease of use
- D. All of the above
Answer: D. All of the above.
Explanation: Azure Sentinel notebooks support scripting in Python and R, can be easily shared among teams for collaboration, and have an easy-to-use interface.
True or False: PowerShell is the primary language used in Azure Notebooks for scripting hunting queries.
- True
- False
Answer: False.
Explanation: Azure Notebooks primarily leverage Python and R for creating and running hunting queries.
Interview Questions
What is Hunting in the context of Microsoft Security Operations?
Hunting, in the context of Microsoft Security Operations, is the proactive search for threats that existing detections have not raised an alert for. It involves forming a hypothesis about attacker behaviour and then querying logs, endpoint telemetry, and network traffic for the abnormal activity that would confirm or refute it.
What is the purpose of using notebooks for hunting in Microsoft Security Operations?
Notebooks give hunters a place to write, execute, and share code in an interactive environment, and to record and document findings alongside that code, so security operations analysts can carry out and reproduce threat hunting activities more effectively.
In the context of Microsoft Security operations, what is a notebook?
A notebook is an interactive programming environment that allows a user to execute code, view results, visualize data, and see computations. In the context of Microsoft Security Operations, notebooks are used for proactive threat hunting, information visualization, and sharing findings and methods with other analysts.
What is Azure Sentinel and how it is used in hunting?
Azure Sentinel (now Microsoft Sentinel) is Microsoft's cloud-native Security Information and Event Management (SIEM) solution. It uses built-in analytics and machine learning to analyze large volumes of data across an organization rapidly, and it lets security analysts launch notebooks against the workspace data for hunting, advanced threat detection, visualization, and response.
What is KQL and how is it used in notebooks for hunting in Microsoft Security Operations?
KQL, or Kusto Query Language, is a read-only request language used for querying large volumes of data. In hunting with notebooks, security analysts can use KQL to query and retrieve data for further analysis, helping in the identification of anomalies and potential security threats.
What is the use of Azure Notebooks in threat hunting?
Azure Notebooks provide an environment for writing, sharing and executing code in programming languages like Python and R. In threat hunting, Azure Notebooks can be used to run advanced analytics and use visualization tools, making threat detection, and investigation processes more efficient and collaborative.
What role does Microsoft Defender Advanced Threat Protection play in hunting threats using notebooks?
Microsoft Defender Advanced Threat Protection (now Microsoft Defender for Endpoint) is a platform that helps enterprises prevent, detect, investigate, and respond to advanced threats. It assists hunting by feeding its raw endpoint telemetry and alerts into Azure Sentinel through a data connector, where they can be queried from notebooks, and by supplying threat intelligence to enrich what the hunter finds.
How are Jupyter notebooks used in the context of Microsoft Security Operations?
In the context of Microsoft Security Operations, Jupyter notebooks can be used for running sophisticated queries, analyzing data, and recording the steps involved in a hunting investigation. It effectively captures the workflow of threat hunting, encouraging collaborative hunting and sharing of intelligence and techniques amongst analysts.
What are some common actions that can be performed in notebooks during the hunting process?
Some common actions include executing code, viewing output results, visualizing data, and documenting processes and insights. This can consist of querying data sources, performing investigations over historical data, exhibiting results graphically, and sharing the findings.
What are some of the features that make notebooks a useful tool in Security Operations hunting?
Notebooks allow for interactive analysis with visualizations, which is crucial when investigating complex threats. They support multiple programming languages, can be shared for collaboration, and make results reproducible because the code and its output are kept together. They also improve hunting processes over time, since a successful hunt can be turned into a template for common investigations.