Skip to content

add investigation notebook for sentinel fusion incident

License

Notifications You must be signed in to change notification settings

zbills/Azure-Sentinel-Notebooks

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Microsoft Sentinel Notebooks

Jupyter notebooks are an interactive development and data analysis environment hosted in a browser. The open API supported by Microsoft Sentinel allows you to use Jupyter notebooks to query, transform, analyze and visualize Microsoft Sentinel data. This makes notebooks a powerful addition to Microsoft Sentinel and is especially well-suited to ad-hoc investigations, hunting or customized workflows.

Network Timeline

More information on getting started with Microsoft Sentinel and Azure Notebooks

This repository contains notebooks contributed by Microsoft and the community to assist hunting and investigation tasks in Microsoft Sentinel.


Finding a notebook in the repo

Top Level notebooks

There are several notebooks at the top level of the repo - eventually only a few introductory notebooks will reside here. For the moment, notebooks at the top level include all of those used in the Microsoft Sentinel portal.

If you have never used notebooks in Microsoft Sentinel before you should run through the Getting Started Notebook

Other Folders

This contains notebooks designed for use by you in Microsoft Sentinel. Some of these are intended to illustrate specific techniques or investigation approaches

There are also support folders - source and utils


Full list of notebooks

<style> .nb_table, th, td { border: 1px solid; text-align: left; border-collapse=collapse; margin-left: auto; margin-right: auto; } .width-f { width: 10px !important; } .width-nb { width: 300px !important; } </style>
NotebookFolder
A Getting Started Guide For Azure Sentinel ML Notebooks.ipynb
A Getting Started Guide For PowerShell AML Notebooks.ipynb
A Tour of Cybersec notebook features.ipynb
ConfiguringNotebookEnvironment.ipynb
Credential Scan on Azure Blob Storage.ipynb
Credential Scan on Azure Data Explorer.ipynb
Credential Scan on Azure Log Analytics.ipynb
Entity Explorer - Account.ipynb
Entity Explorer - Domain and URL.ipynb
Entity Explorer - IP Address.ipynb
Entity Explorer - Linux Host.ipynb
Entity Explorer - Windows Host.ipynb
Guided Hunting - Anomalous Office365 Exchange Sessions.ipynb
Guided Hunting - Azure Resource Explorer.ipynb
Guided Hunting - Base64-Encoded Linux Commands.ipynb
Guided Hunting - Covid-19 Themed Threats.ipynb
Guided Investigation - Anomaly Lookup.ipynb
Guided Investigation - Incident Triage.ipynb
Guided Investigation - Process-Alerts.ipynb
Guided Investigation - Solarwinds Post Compromise Activity.ipynb
Guided Triage - Alerts.ipynb
Hands-on 1. Data Discovery using Azure REST API.ipynb
Hands-on 2. Surfing Data using Azure SDK.ipynb
Machine Learning in Notebooks Examples.ipynb
AffectedKeyCredentials-CVE-2021-42306.ipynbscenario-notebooks
AutomatedNotebooks-IncidentTriage.ipynbscenario-notebooks
AutomatedNotebooks-Manager.ipynbscenario-notebooks
Guided Hunting - Detect potential network beaconing using Apache Spark via Azure Synapse.ipynbscenario-notebooks
Guided Hunting - Office365-Exploring.ipynbscenario-notebooks
Guided Investigation - MDE Webshell Alerts.ipynbscenario-notebooks
Guided Investigation - WAF data.ipynbscenario-notebooks
Guided Analysis - User Security Metadata.ipynbscenario-notebooks/UserSecurityMetadata
papermill_test_runner.ipynbsrc/Test
Example - Azure Storage VT Hash Lookup.ipynbtutorials-and-examples/example-notebooks
Example - Guided Hunting - Office365-Exploring.ipynbtutorials-and-examples/example-notebooks
Example - Guided Investigation - Process-Alerts.ipynbtutorials-and-examples/example-notebooks
M365 Defender - APIs ep3.ipynbtutorials-and-examples/example-notebooks
M365 Defender - hunting.ipynbtutorials-and-examples/example-notebooks
MDE APIs Demo Notebook.ipynbtutorials-and-examples/example-notebooks
MSTICPy Tour.ipynbtutorials-and-examples/example-notebooks
Senserva Connections Graph Notebook.ipynbtutorials-and-examples/example-notebooks
SigmaRuleImporter.ipynbtutorials-and-examples/example-notebooks
VirusTotal File Behavior Explorer - MS and Sysmon detonation.ipynbtutorials-and-examples/example-notebooks
msticpy demo.ipynbtutorials-and-examples/example-notebooks
AnomalousSequence.ipynbtutorials-and-examples/feature-tutorials
AzureBlobStorage.ipynbtutorials-and-examples/feature-tutorials
AzureSentinelAPIs.ipynbtutorials-and-examples/feature-tutorials
Base64Unpack.ipynbtutorials-and-examples/feature-tutorials
DataObfuscation.ipynbtutorials-and-examples/feature-tutorials
DataUploader.ipynbtutorials-and-examples/feature-tutorials
DataViewer.ipynbtutorials-and-examples/feature-tutorials
Data_Queries.ipynbtutorials-and-examples/feature-tutorials
EventClustering.ipynbtutorials-and-examples/feature-tutorials
EventTimeline.ipynbtutorials-and-examples/feature-tutorials
FoliumMap.ipynbtutorials-and-examples/feature-tutorials
GeoIPLookups.ipynbtutorials-and-examples/feature-tutorials
IoCExtract.ipynbtutorials-and-examples/feature-tutorials
MDATPQuery.ipynbtutorials-and-examples/feature-tutorials
MPSettingsEditor.ipynbtutorials-and-examples/feature-tutorials
MordorData.ipynbtutorials-and-examples/feature-tutorials
NotebookWidgets.ipynbtutorials-and-examples/feature-tutorials
PivotFunctions-Introduction.ipynbtutorials-and-examples/feature-tutorials
PivotFunctions.ipynbtutorials-and-examples/feature-tutorials
ProcessTree.ipynbtutorials-and-examples/feature-tutorials
ResourceGraphDriver.ipynbtutorials-and-examples/feature-tutorials
Splunk-DataConnector.ipynbtutorials-and-examples/feature-tutorials
SqlToKql.ipynbtutorials-and-examples/feature-tutorials
Sumologic-DataConnector.ipynbtutorials-and-examples/feature-tutorials
TIProviders.ipynbtutorials-and-examples/feature-tutorials
TimeSeriesAnomaliesVisualization.ipynbtutorials-and-examples/feature-tutorials
VTLookupV3.ipynbtutorials-and-examples/feature-tutorials
VirusTotalLookup.ipynbtutorials-and-examples/feature-tutorials
Adding Hunting Bookmarks.ipynbtutorials-and-examples/how-tos
Adding Secrets to Azure Key Vault.ipynbtutorials-and-examples/how-tos
Automation Gallery - Credential Scan on Azure Blob Storage.ipynbtutorials-and-examples/how-tos
Automation Setup - Configure Azure Machine Learning Compute Cluster and Managed Identity.ipynbtutorials-and-examples/how-tos
Automation Setup - Configure Azure Machine Learning Pipelines.ipynbtutorials-and-examples/how-tos
Azure Sentinel Query Creator.ipynbtutorials-and-examples/how-tos
Configurate Azure ML and Azure Synapse Analytics.ipynbtutorials-and-examples/how-tos
Notebook Template.ipynbtutorials-and-examples/how-tos
Provisioning DSVM.ipynbtutorials-and-examples/how-tos
TroubleShootingNotebooks.ipynbtutorials-and-examples/how-tos
A Getting Started Guide For CSharp AML Notebooks.ipynbtutorials-and-examples/other-language-kernels
A Python Crash Course - Part 1 - Fundamentals.ipynbtutorials-and-examples/training-notebooks
Training - MSTICPy Training 1221.ipynbtutorials-and-examples/training-notebooks
Training - MSTICPy Training 3 - 2022-01-13.ipynbtutorials-and-examples/training-notebooks
generate-nb-toc.ipynbutils
A Getting Started Guide For Azure Sentinel Notebooks.ipynbtutorials-and-examples/deprecated-notebooks
Example - Step-by-Step Linux-Windows-Office Investigation.ipynbtutorials-and-examples/deprecated-notebooks
Get Started.ipynbtutorials-and-examples/deprecated-notebooks

Viewing the notebooks

You can view any of the notebooks directly on GitHub just by clicking on them.

For higher fidelity rendering we'd recommend Jupyter nbviewer.

  • Open a notebook here and copy the URL (or copy the a link from the table above)
  • Go to https://nbviewer.jupyter.org/ and paste the URL into the location text box.
  • Hit the Go! button

Find help and troubleshooting articles in the Wiki

Sentinel Notebooks Wiki


More Information


Feedback

For questions or feedback, please file an issue or contact [email protected]


Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.

When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.

About

add investigation notebook for sentinel fusion incident

Resources

License

Code of conduct

Security policy

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • Jupyter Notebook 99.7%
  • Other 0.3%