Friday, August 7, 2020

Workbooks, Playbooks and Notebooks. Oh my! Part 3

We've talked about how those new to Azure Sentinel might find the terms Workbook, Playbook and Notebook confusing. The other day we defined Azure Sentinel Workbooks. See here if you missed it, and here to read about Playbooks.

Notebooks

I like to think of notebooks just like I did back in high school. A notebook is a place where you keep stuff you want to use later. In Azure Sentinel, it's a repository of the complex, multi-step tasks that you use for investigations.

Notebooks are like step-by-step notes that you build to walk through the steps of an investigation or hunt. They encapsulate all the hunting steps in a reusable form that can be shared with others in your organization.
You can automate common investigative steps such as:

  • Gathering additional entity information
  • Querying Azure Sentinel data about users, machines, IPs, or any other entity
  • Enriching it with other services and visualizing the results
  • Triggering actions
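To make those four steps concrete, here is an added example (not code from the original post, and not a Microsoft notebook) written the way a notebook cell would be: plain Python with no external packages, so it runs anywhere. The sign-in rows and the IP inventory are constructed sample data shaped loosely like a SigninLogs query result; in a real notebook the query and the enrichment would call Azure Sentinel and an external service instead of reading from these lists.

```python
from collections import defaultdict

# Constructed sample rows, shaped loosely like a SigninLogs query result
# (TimeGenerated, UserPrincipalName, IPAddress, ResultType).
# In Azure AD sign-in logs ResultType "0" means success; non-zero values are failures.
SIGNIN_ROWS = [
    {"TimeGenerated": "2020-08-07T08:00:01Z", "UserPrincipalName": "alice@contoso.example", "IPAddress": "203.0.113.10", "ResultType": "50126"},
    {"TimeGenerated": "2020-08-07T08:00:09Z", "UserPrincipalName": "alice@contoso.example", "IPAddress": "203.0.113.10", "ResultType": "50126"},
    {"TimeGenerated": "2020-08-07T08:00:17Z", "UserPrincipalName": "alice@contoso.example", "IPAddress": "203.0.113.10", "ResultType": "50126"},
    {"TimeGenerated": "2020-08-07T08:00:25Z", "UserPrincipalName": "alice@contoso.example", "IPAddress": "203.0.113.10", "ResultType": "0"},
    {"TimeGenerated": "2020-08-07T08:02:00Z", "UserPrincipalName": "bob@contoso.example", "IPAddress": "198.51.100.5", "ResultType": "50126"},
    {"TimeGenerated": "2020-08-07T08:02:30Z", "UserPrincipalName": "bob@contoso.example", "IPAddress": "198.51.100.5", "ResultType": "0"},
    {"TimeGenerated": "2020-08-07T08:03:00Z", "UserPrincipalName": "carol@contoso.example", "IPAddress": "203.0.113.10", "ResultType": "50126"},
    {"TimeGenerated": "2020-08-07T08:03:10Z", "UserPrincipalName": "carol@contoso.example", "IPAddress": "203.0.113.10", "ResultType": "50126"},
    {"TimeGenerated": "2020-08-07T08:03:20Z", "UserPrincipalName": "carol@contoso.example", "IPAddress": "203.0.113.10", "ResultType": "50126"},
    {"TimeGenerated": "2020-08-07T08:03:30Z", "UserPrincipalName": "carol@contoso.example", "IPAddress": "203.0.113.10", "ResultType": "50126"},
]

# Constructed enrichment table standing in for an asset inventory or
# threat-intel lookup; a real notebook would call an external service here.
KNOWN_IPS = {"198.51.100.5": "corp-vpn-egress"}


def query_signins(rows, user=None, ip=None):
    """Step 1: gather events about an entity (the notebook equivalent of
    a per-user or per-IP query), sorted by time."""
    hits = [r for r in rows
            if (user is None or r["UserPrincipalName"] == user)
            and (ip is None or r["IPAddress"] == ip)]
    return sorted(hits, key=lambda r: r["TimeGenerated"])


def failures_before_success(rows, threshold=3):
    """Step 2: for each (user, IP) pair, count failed sign-ins that precede
    the first success from that IP. Pairs with a success and at least
    `threshold` prior failures are returned as {(user, ip): count}."""
    by_pair = defaultdict(list)
    for r in sorted(rows, key=lambda r: r["TimeGenerated"]):
        by_pair[(r["UserPrincipalName"], r["IPAddress"])].append(r["ResultType"])
    flagged = {}
    for pair, results in by_pair.items():
        failures = 0
        for result in results:
            if result == "0":            # first success: decide and stop
                if failures >= threshold:
                    flagged[pair] = failures
                break
            failures += 1
    return flagged


def enrich_ip(ip):
    """Step 3: enrich an IP with whatever the inventory knows about it."""
    return {"ip": ip, "label": KNOWN_IPS.get(ip, "unknown")}


def investigate(rows, threshold=3):
    """Step 4: combine the steps into one reusable hunting routine whose
    findings a later cell can visualize or hand to a playbook."""
    findings = []
    for (user, ip), n in failures_before_success(rows, threshold).items():
        finding = {"user": user, "failures_before_success": n}
        finding.update(enrich_ip(ip))
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in investigate(SIGNIN_ROWS):
        print(finding)
```

With the sample data only alice is reported: three failures from 203.0.113.10 followed by a success from the same address, and the address is not in the inventory. bob's single failure is under the threshold, and carol's four failures never end in a success, so neither produces a finding. The point of packaging the steps as functions is exactly what the post describes: the same cells can be rerun on next week's data, or shared with a colleague, without rewriting the logic.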

In Azure Sentinel, you will be using the Jupyter experience which is integrated into the portal. You don't need to do an installation at all. Jupyter is an environment based on IPython that enables interactive programming and data analysis using a variety of programming languages, including Python. Jupyter notebooks enjoy widespread use in research and academia for mathematical modeling, machine learning, statistical analysis, and for teaching and learning how to code.

They are very flexible and have a huge collection of libraries for machine learning, visualization, and data analysis. Notebooks have a "*.ipynb" file extension, which stands for IPython notebook. Jupyter notebooks were originally known as IPython (Interactive Python) notebooks, and they only supported Python as a programming language. The name Jupyter is a combination of Julia, Python, and R, the core programming languages that Jupyter supports.

Jupyter notebooks are composed of cells. Each cell is assigned one of three types:
  • Markdown for entering text in markdown format
  • Code for entering code that runs interactively
  • Raw NBConvert for entering data inline
Code entered into code cells is executed by a kernel, which provides an isolated environment for the notebook to run in. In Azure Notebooks, by default, this kernel runs on Azure Free Cloud Compute and Storage. The popular IPython kernel supports code written in Python, but dozens of other kernels are available supporting other languages. Azure Notebooks support Python, R, and F# out of the box. They also support the installation of the many packages and libraries that are commonly used in research.
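Because a notebook is just a JSON file of cells, and because notebooks get shared, it is worth being able to read one without running it. The following added example (not from the original post) builds a small nbformat-4 notebook in memory with one cell of each of the three types, then inspects the serialized JSON: which kernel it asks for, how many cells of each type it has, and which code lines are IPython shell escapes ("!") or magics ("%"), which execute outside plain Python when the kernel runs the cell. The cell contents are constructed for the demonstration.

```python
import json

CELL_TYPES = ("markdown", "code", "raw")


def make_notebook(cells, kernel_name="python3"):
    """Build an nbformat-4 notebook dict from (cell_type, source) pairs."""
    nb = {
        "cells": [],
        "metadata": {"kernelspec": {"name": kernel_name,
                                    "display_name": kernel_name,
                                    "language": "python"}},
        "nbformat": 4,
        "nbformat_minor": 5,
    }
    for cell_type, source in cells:
        if cell_type not in CELL_TYPES:
            raise ValueError(f"unknown cell type: {cell_type}")
        cell = {"cell_type": cell_type, "metadata": {},
                "source": source.splitlines(keepends=True)}
        if cell_type == "code":          # only code cells carry these keys
            cell["execution_count"] = None
            cell["outputs"] = []
        nb["cells"].append(cell)
    return nb


def inspect_notebook(nb_json):
    """Summarize a serialized notebook without executing it."""
    nb = json.loads(nb_json)
    counts = dict.fromkeys(CELL_TYPES, 0)
    escapes = []
    for index, cell in enumerate(nb["cells"]):
        cell_type = cell["cell_type"]
        counts[cell_type] = counts.get(cell_type, 0) + 1
        if cell_type != "code":
            continue
        # nbformat allows "source" as either a list of lines or one string
        source = cell["source"]
        lines = source.splitlines() if isinstance(source, str) else source
        for line in lines:
            stripped = line.strip()
            if stripped.startswith(("!", "%")):
                escapes.append((index, stripped))
    return {"kernel": nb["metadata"]["kernelspec"]["name"],
            "cell_counts": counts,
            "escapes": escapes}


# Constructed notebook content for the demonstration.
SAMPLE_CELLS = [
    ("markdown", "# Hunting notebook\nRun the cells top to bottom."),
    ("code", "!pip install example-package\nimport json"),
    ("code", "events = json.loads('[]')\nlen(events)"),
    ("raw", "raw text that nbconvert passes through untouched"),
]


def sample_report():
    """Round-trip the sample notebook through JSON and inspect it."""
    return inspect_notebook(json.dumps(make_notebook(SAMPLE_CELLS)))


if __name__ == "__main__":
    print(json.dumps(sample_report(), indent=2))
```

Running it reports the python3 kernel, one markdown, two code and one raw cell, and a single escape line in cell 1 (the "!pip install" line). That last item is the practical takeaway: a code cell is executed by the kernel, not just displayed, so a quick listing of what a shared notebook will run is a reasonable habit before opening it in your own workspace.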

One of the cool things about Azure Notebooks, and Python in general, is that there are thousands of open-source libraries you can leverage to perform complex tasks without writing a lot of code.

As with most of the entities in Sentinel, there are several pre-built Notebooks or you can create your own. The Azure Sentinel Community GitHub repository is the location for any future Azure Sentinel notebooks built by Microsoft or contributed from the community.

Now, I know that sounds like a lot. And it is. Notebooks are not super easy to learn. Here are a few resources for you to get started.
