Thursday, August 27, 2020

Get Familiar with Azure Sentinel Bookmarks

So last week we talked about the difference between Workbooks, Playbooks and Notebooks in Azure Sentinel. But there is still one more "book" that is important to making your life easier when working with the cloud-based SIEM. It's called a bookmark.

What is a bookmark exactly? I'm glad you asked. Just like a bookmark helps you keep track of the last page you read in a physical book (am I the only one who still reads physical books?), a bookmark in Azure Sentinel helps you keep track of items you might want to revisit while you're threat hunting.

As you know, threat hunting usually has you looking through mountains of logs to find evidence of malicious behavior. During the hunting process, you may come across matches or findings, dashboards, or activities that look unusual or suspicious. In order to mark those items so you can come back to them in the future, use the bookmark functionality. Bookmarks let you save items for later, to be used to create a case for investigation.

While you're hunting, you'll probably come up with a hypothesis about what is going on. Bookmarks in Azure Sentinel help you do this by preserving the queries you ran along with the query results that you deem relevant. You can also record your contextual observations and reference your findings by adding notes and tags. Bookmarked data is visible to you and your teammates for easy collaboration.

You can revisit your bookmarked data at any time on the Bookmarks tab of the Hunting pane. You can use filtering and search options to quickly find specific data for your current investigation. 

You can also visualize your bookmarked data by clicking Investigate from within the Bookmark itself. This launches the investigation experience, in which you can view, investigate, and visually communicate your findings using an interactive entity-graph diagram and timeline.

How do you add a Bookmark?

  1. In the Sentinel portal, navigate to Threat management - Hunting.
  2. Select one of the hunting queries; its details appear on the right.
  3. In the hunting query details, select Run Query.
  4. Select View query results.
  5. From the log query results list, use the checkboxes to select the info you find compelling.
  6. Now, select Add bookmark.
  7. Give your Bookmark a name and add any tags or notes you need to help you remember what was interesting about this information in the first place.
  8. Click Save and off you go with a new Bookmark that you or your fellow investigator can refer to in the future.

Friday, August 7, 2020

Workbooks, Playbooks and Notebooks. Oh my! Part 3

We talked about how those new to Azure Sentinel might find the terms Workbook, Playbook and Notebook confusing. The other day we defined Azure Sentinel Workbooks. See here if you missed it. And here to read about Playbooks.

Notebooks

I like to think of notebooks just like I did back in high school. A notebook is a place where you keep stuff you want to use later. In Azure Sentinel, it's a repository of the complex, multi-step tasks that you use for investigations.

Notebooks are like step-by-step notes that you build to walk through the steps of an investigation and hunt. They encapsulate all the hunting steps in a reusable form that can be shared with others in your organization.

You can automate common investigative steps such as:

  • Gathering additional entity information
  • Querying Azure Sentinel data about users, machines, IPs, or any other entity
  • Enriching it with other services to visualize the results
  • Triggering actions

In Azure Sentinel, you will be using the Jupyter experience which is integrated into the portal. You don't need to do an installation at all. Jupyter is an environment based on IPython that enables interactive programming and data analysis using a variety of programming languages, including Python. Jupyter notebooks enjoy widespread use in research and academia for mathematical modeling, machine learning, statistical analysis, and for teaching and learning how to code.

They are very flexible and have a huge collection of libraries for machine learning, visualization, and data analysis. Notebooks have a "*.ipynb" file extension, which stands for IPython notebook. Jupyter notebooks were originally known as IPython (Interactive Python) notebooks, and they only supported Python as a programming language. The name Jupyter is a combination of Julia, Python, and R — the core programming languages that Jupyter supports.

Jupyter notebooks are composed of cells. Each cell is assigned one of three types:

  • Markdown for entering text in markdown format
  • Code for entering code that runs interactively
  • Raw NBConvert for entering data inline

Code entered into code cells is executed by a kernel, which provides an isolated environment for the notebook to run in. In Azure Notebooks, by default, this kernel runs on Azure Free Cloud Compute and Storage. The popular IPython kernel supports code written in Python, but dozens of other kernels are available supporting other languages. Azure Notebooks support Python, R, and F# out of the box. They also support the installation of the many packages and libraries that are commonly used in research.
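As an added example (not from the original post or from Microsoft), here is a small Python parser for the ".ipynb" JSON layout described above: it counts cells by type, reads the kernel name from the notebook metadata, and lists the code-cell lines that escape to the shell ("!") or invoke IPython magics ("%"), which is what you want to check before running a notebook someone else shared with you. The sample notebook is constructed inline and is not a real Sentinel notebook.

```python
import json
from collections import Counter

# Constructed minimal notebook in nbformat v4 (the "*.ipynb" layout is plain JSON):
# one markdown cell, two code cells and one raw cell. Sample input, not a real notebook.
SAMPLE_IPYNB = json.dumps({
    "nbformat": 4, "nbformat_minor": 5,
    "metadata": {"kernelspec": {"name": "python3", "display_name": "Python 3"}},
    "cells": [
        {"cell_type": "markdown", "metadata": {},
         "source": ["# Hunt: suspicious sign-ins\n", "Steps for this investigation."]},
        {"cell_type": "code", "metadata": {}, "execution_count": None, "outputs": [],
         "source": ["import pandas as pd\n", "df = pd.DataFrame()\n"]},
        {"cell_type": "code", "metadata": {}, "execution_count": None, "outputs": [],
         "source": ["!pip install msticpy\n", "%load_ext autoreload\n"]},
        {"cell_type": "raw", "metadata": {}, "source": ["inline data for nbconvert"]},
    ],
})

def load_cells(ipynb_text):
    """Parse notebook JSON and return its list of cells (nbformat 4 only)."""
    nb = json.loads(ipynb_text)
    if nb.get("nbformat") != 4:
        raise ValueError("unsupported nbformat: %r" % nb.get("nbformat"))
    return nb["cells"]

def cell_source(cell):
    """Cell source may be a list of lines or one string; normalise to a string."""
    src = cell["source"]
    return "".join(src) if isinstance(src, list) else src

def summarize(ipynb_text):
    """Count cells per type, e.g. {'markdown': 1, 'code': 2, 'raw': 1}."""
    return dict(Counter(c["cell_type"] for c in load_cells(ipynb_text)))

def kernel_name(ipynb_text):
    """Kernel the code cells would run on, taken from metadata.kernelspec.name."""
    return json.loads(ipynb_text).get("metadata", {}).get("kernelspec", {}).get("name")

def shell_and_magic_lines(ipynb_text):
    """(cell index, line) for code lines that run shell commands or IPython magics."""
    hits = []
    for idx, cell in enumerate(load_cells(ipynb_text)):
        if cell["cell_type"] != "code":
            continue  # markdown and raw cells are never executed by the kernel
        for line in cell_source(cell).splitlines():
            stripped = line.strip()
            if stripped.startswith("!") or stripped.startswith("%"):
                hits.append((idx, stripped))
    return hits
```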

One of the cool things about Azure Notebooks — and Python in general — is that there are thousands of open-source libraries you can leverage to perform complex tasks without writing a lot of code.

As with most of the entities in Sentinel, there are several pre-built Notebooks or you can create your own. The Azure Sentinel Community GitHub repository is the location for any future Azure Sentinel notebooks built by Microsoft or contributed from the community.

Now, I know that sounds like a lot. And it is. Notebooks are not super easy to learn. Here are a few resources for you to get started.

Wednesday, July 29, 2020

Workbooks, Playbooks and Notebooks. Oh my! Part 2

The other day we talked about how those new to Azure Sentinel might find the terms Workbook, Playbook and Notebook confusing, and we defined Azure Sentinel Workbooks. See here if you missed it.

Playbooks

Today, we're going to talk about Playbooks. What exactly is a Playbook in Azure Sentinel? I'm glad you asked.

A Playbook is really just another way of saying automated response. A Playbook is a collection of procedures that can be kicked off in response to an alert. You can do anything from opening a ticket in ServiceNow to blocking a suspicious IP or disabling a user in Azure AD. You can use them to tackle the most frequent threats that your organization faces so that you can spend your time elsewhere.

Alert fatigue is real. Security analysts face a huge burden of more alerts than they can respond to. Automation increases efficiency and fills the security gap by allowing a Playbook to lift the burden of reviewing every incident. 

Playbooks in Azure Sentinel are based on Azure Logic Apps, and they can be run manually as an on-demand response to a selected alert or set to run automatically when specific alerts are triggered. It's up to you.

It can be a little daunting at first if you've never used Logic Apps, but once you play around a little, you'll start understanding how it works. Here is some documentation to help with this.

Below is an example of a Playbook that will isolate a machine if you get an alert from MDATP.

The first thing we do is add the trigger. Here the trigger is a manual step by an admin responding to an Azure Sentinel Alert. It could be an automated trigger, but in this case we're expecting a person to do something first.

Then we choose an Action. In this case we are using Alert - Get Incident, which returns information about the incident associated with the alert, like the workspace and the actual alert ID.

Then we use the Action Alert - Get hosts, which returns a list of hosts associated with the alert.

Then we use a condition that says: for each host returned, isolate the machine.

Think how much time you could save by creating automated Playbooks to respond to alerts.

The same GitHub repository we mentioned the other day has a selection of pre-built Playbooks you can use, or you can create your own.