Notebook Version: 1.0
Python Version: Python 3.6 (including Python 3.6 - AzureML)
Required Packages: kqlmagic, msticpy, pandas, pandas_bokeh, numpy, matplotlib, networkx, seaborn, datetime, ipywidgets, ipython, dnspython, ipwhois, folium, maxminddb_geolite2
Platforms Supported:
Data Sources Required:
Notebook description....
The next cell:
This should complete without errors. If you encounter errors or warnings, look at the following two notebooks:
If you are running in the Azure Sentinel Notebooks environment (Azure Notebooks or Azure ML), you can run live versions of these notebooks:
You may also need to do some additional configuration to successfully use functions such as Threat Intelligence service lookup and Geo IP lookup.
There are more details about this in the ConfiguringNotebookEnvironment notebook and in these documents:
from pathlib import Path
from IPython.display import display, HTML

REQ_PYTHON_VER = "3.6"
REQ_MSTICPY_VER = "1.0.0"

display(HTML("<h3>Starting Notebook setup...</h3>"))
# Run the version checker only if the helper script ships with the notebook
if Path("./utils/nb_check.py").is_file():
    from utils.nb_check import check_versions
    check_versions(REQ_PYTHON_VER, REQ_MSTICPY_VER)

# If not using Azure Notebooks, install msticpy with
# !pip install msticpy

extra_imports = []
# Usually there is no advantage to using nbinit to do your imports - just import them
# as normal. "init_notebook" imports a few standard packages (pandas, numpy, etc)
# and several common msticpy modules and classes.
# If you really want to use this mechanism the syntax is as follows:
# Each line is a string:
# - if just importing a module (e.g. "re"), just the name is enough
# - if importing an item from a module (e.g. from datetime import timedelta)
#   the string would be "datetime, timedelta"
# - if you want to import and alias something (e.g. import pandas as pd) use
#   "source_mod, , alias" (note you need the extra comma)
# - if you're importing an object from a module and want to alias it (e.g.
#   from datetime import timedelta as td) use "datetime, timedelta, td"
# extra_imports = [
#     "module.src [,target] [,alias]",
#     "pandas, , pd",
#     "bokeh.plotting, show"
# ]

additional_packages = []
# Specify the name of the package to install. It will not be installed if it
# is already present. You can provide a package specification - e.g. pkg==version,
# as shown below
# additional_packages = ["seaborn", "another_pkg>=1.2.0"]

from msticpy.nbtools import nbinit
nbinit.init_notebook(
    namespace=globals(),
    extra_imports=extra_imports,
    additional_packages=additional_packages,
);
If you are using user/device authentication (the default), run the following cell.
To authenticate with an application (client) id and client secret instead, build a connection string and pass it to connect:
connect_str = "loganalytics://tenant(TENANT_ID).workspace(WORKSPACE_ID).clientid(client_id).clientsecret(client_secret)"
qry_prov.connect(connect_str)
instead of
qry_prov.connect(ws_config)
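Hard-coding client_secret in the cell above leaves it in the saved notebook and in any output that echoes the string. The following added example (not msticpy or notebook code; it assumes environment variable names of its own choosing) assembles the loganalytics:// connection string from the environment, validates the GUID fields, and produces a redacted copy that is safe to print:

```python
import os
import re
import uuid

# Added example: build, parse and redact the loganalytics:// connection string
# used above, so the client secret is never typed into (or printed from) a cell.
# Assumes the secret contains no parentheses, which the key(value) layout reserves.

CONNECT_RE = re.compile(r"^loganalytics://(?P<parts>(?:\w+\([^()]*\)\.?)+)$")
PART_RE = re.compile(r"(\w+)\(([^()]*)\)")
REQUIRED = ("tenant", "workspace", "clientid", "clientsecret")


def build_connect_str(tenant_id, workspace_id, client_id, client_secret):
    """Assemble the AppId/secret connection string; GUID fields are validated."""
    for value in (tenant_id, workspace_id, client_id):
        uuid.UUID(value)  # raises ValueError on a malformed id
    if not client_secret:
        raise ValueError("client secret is empty")
    return (f"loganalytics://tenant({tenant_id}).workspace({workspace_id})"
            f".clientid({client_id}).clientsecret({client_secret})")


def connect_str_from_env(env=os.environ):
    """Read the four values from the environment (variable names are this example's)."""
    return build_connect_str(env["LA_TENANT_ID"], env["LA_WORKSPACE_ID"],
                             env["LA_CLIENT_ID"], env["LA_CLIENT_SECRET"])


def parse_connect_str(connect_str):
    """Split the key(value) segments into a dict and check that all four are present."""
    match = CONNECT_RE.match(connect_str)
    if not match:
        raise ValueError("not a loganalytics:// connection string")
    parts = dict(PART_RE.findall(match.group("parts")))
    missing = [key for key in REQUIRED if key not in parts]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    return parts


def redact(connect_str):
    """Return a display-safe copy with the client secret masked."""
    return re.sub(r"clientsecret\([^()]*\)", "clientsecret(***)", connect_str)
```

Pass `connect_str_from_env()` to `qry_prov.connect` and only ever display `redact(...)` of it in a cell.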
To find your Workspace ID, go to Azure Sentinel Workspaces and look at the workspace properties.
# List Workspaces available
# WorkspaceConfig().list_workspaces()
# To use a specific workspace create a WorkspaceConfig using the
# workspace parameter
# ws_config = WorkspaceConfig(workspace='MyWorkspace')
# See if we have an Azure Sentinel Workspace defined in our config file.
# If not, let the user specify Workspace and Tenant IDs
ws_config = WorkspaceConfig()
if not ws_config.config_loaded:
    ws_config.prompt_for_ws()
qry_prov = QueryProvider(data_environment="AzureSentinel")
print("done")
# Authenticate to Azure Sentinel workspace
qry_prov.connect(ws_config)
query_scope = nbwidgets.QueryTime(auto_display=True)
qry_prov.SecurityAlert.list_alerts(query_scope)