Azure Sentinel News
What’s New: PowerShell+Azure Sentinel notebooks to supercharge your hunting and investigations!

by Azure Sentinel News Editor
November 26, 2020
in Threat Intelligence

This blog post is a collaboration between @JulianGonzalez and @ZhipengZhao.

For those who have wanted to get into Azure Sentinel notebooks but are more comfortable with PowerShell than Python, we have news for you. With the latest version of the Azure Sentinel notebooks, you can now enable PowerShell notebooks via .Net Interactive Public Preview.

To get started, you will need to install .Net Interactive Public Preview on your notebook server and enable the PowerShell kernel. This article also includes a companion Azure Sentinel PowerShell notebook to get you started; be sure to check out the official Azure Sentinel notebook documentation for details on configuring the environment.

What are PowerShell Jupyter notebooks?

A Jupyter notebook is an interactive, open-source programming tool for data analytics and visualization. A notebook is divided into cells. Each cell is a section that can combine program code and its output with markdown, graphs, comments, API results and other visuals. An analyst can move between cells, execute them individually, adjust them on the fly and re-run them when changes are required.

Why PowerShell Jupyter notebooks for threat hunting and investigation?

The interactive nature of notebooks results in iterative and rapid development as well as code sharing and reuse, making notebooks an increasingly popular choice for data scientists and analysts. Security analysts are increasingly adopting them to automate frequent mundane tasks, incorporate APIs, and visualize and provide context for security datasets. In addition, security analysts can share the code/logic and outcome of a given hunt or investigation, which can be run as-is or improved over time. Review this article for a more comprehensive list of capabilities.

Since many security analysts are already comfortable with PowerShell and may already have several go-to scripts for their daily work, PowerShell Jupyter notebooks will help those users embrace Jupyter notebooks to supercharge their threat hunts and investigations!

The companion notebook demonstrates the following (screenshots in the original post):

  • Leverage charts for your incident and/or hunting data
  • Access your hunting queries
  • Run KQL queries with interactive input
  • Retrieve scan results from Virus Total

What is .Net Interactive Public Preview and how do I install it?

.Net Interactive Public Preview is a group of tools and APIs that lets users create embedded .Net Interactive experiences across the web, markdown and notebooks. This includes the ability to author and run notebooks in C#, F# and PowerShell.

Prerequisites

The instructions below assume you have already deployed your Azure Machine Learning (AML) workspace and compute.  If you have not already done so, follow the instructions here.

Installing .Net Interactive on your notebook server

Open a terminal window on your notebook server (screenshot in the original post). Once you see the terminal window, you are ready to start.

Check the Ubuntu version:

cat /etc/*release

Install the .Net SDK and runtime for your version.

These instructions are for Ubuntu 16.04 (note the version in the package URL). Refer to the .Net Core on Ubuntu documentation (article) for definitive guidance on other releases.

wget https://packages.microsoft.com/config/ubuntu/16.04/packages-microsoft-prod.deb -O packages-microsoft-prod.deb
sudo dpkg -i packages-microsoft-prod.deb
sudo apt-get update; \
sudo apt-get install -y apt-transport-https && \
sudo apt-get update && \
sudo apt-get install -y dotnet-sdk-3.1

Install the dotnet interactive tool from the preview tool source:

dotnet tool install -g --add-source "https://dotnet.myget.org/F/dotnet-try/api/v3/index.json" Microsoft.dotnet-interactive

Create a symlink between the installed location of dotnet interactive and your local bin directory:

sudo ln -s /home/azureuser/.dotnet/tools/dotnet-interactive /usr/local/bin/dotnet-interactive 

Register the .Net Interactive kernels with Jupyter:

dotnet interactive jupyter install

Run jupyter kernelspec list to verify that PowerShell is listed as a kernel:

jupyter kernelspec list

The output (screenshot in the original post) should list the PowerShell kernel alongside the default kernels.

Now you will need to clone the Azure Sentinel GitHub repository to your notebook server. (In the near future this step will not be required, as this notebook will be added to the Azure Sentinel notebook portal.)

git clone https://github.com/Azure/Azure-Sentinel-Notebooks sentinel-notebooks
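The install steps above collected into one script, as an added example that is not part of the original post or of Microsoft's documentation. It wraps each step in a check so that re-running it on a server that is already prepared is harmless, and it only touches the system when RUN_INSTALL=1 is set; the two helper functions (picking the package URL from /etc/os-release and confirming the kernel is registered) can be exercised on their own. Assumptions not stated in the post: the packages-microsoft-prod.deb URL layout shown for 16.04 also holds for other Ubuntu releases (the .Net docs are authoritative), the kernelspec that dotnet interactive registers contains "powershell" in its name, and $HOME is the notebook user's home (the post hard-codes /home/azureuser).

```sh
#!/bin/sh
# Added example (not from the original post): the install procedure above as
# idempotent functions with checks. Assumptions: the 16.04 package URL layout
# applies to other Ubuntu releases; the PowerShell kernelspec name contains
# "powershell"; $HOME is the notebook user's home directory.
set -eu

# Build the Microsoft package-repository .deb URL for the Ubuntu release named
# in an /etc/os-release body; returns 1 for anything that is not Ubuntu.
ms_prod_deb_url() {
    os_release=$1
    id=$(printf '%s\n' "$os_release" | sed -n 's/^ID=//p' | tr -d '"')
    version=$(printf '%s\n' "$os_release" | sed -n 's/^VERSION_ID=//p' | tr -d '"')
    if [ "$id" != "ubuntu" ] || [ -z "$version" ]; then
        echo "ms_prod_deb_url: only Ubuntu is handled here (got '$id' '$version')" >&2
        return 1
    fi
    printf 'https://packages.microsoft.com/config/ubuntu/%s/packages-microsoft-prod.deb\n' "$version"
}

# True when `jupyter kernelspec list` output mentions a PowerShell kernel.
has_powershell_kernel() {
    case "$1" in
        *[Pp]ower[Ss]hell*) return 0 ;;
        *) return 1 ;;
    esac
}

# Install the .Net SDK (only if dotnet is missing), the dotnet-interactive tool,
# the Jupyter kernels and the sample notebooks, then verify the kernel exists.
install_dotnet_interactive() {
    deb_url=$(ms_prod_deb_url "$(cat /etc/os-release)")
    if ! command -v dotnet >/dev/null 2>&1; then
        # dpkg -i runs as root; the .deb comes over HTTPS from Microsoft's package host.
        wget "$deb_url" -O packages-microsoft-prod.deb
        sudo dpkg -i packages-microsoft-prod.deb
        sudo apt-get update
        sudo apt-get install -y apt-transport-https
        sudo apt-get update
        sudo apt-get install -y dotnet-sdk-3.1
    fi
    # `dotnet tool install -g` fails if the tool is already present, so check first.
    if ! dotnet tool list -g | grep -qi 'microsoft.dotnet-interactive'; then
        dotnet tool install -g --add-source "https://dotnet.myget.org/F/dotnet-try/api/v3/index.json" Microsoft.dotnet-interactive
    fi
    # -sf replaces a stale link left by an earlier run instead of failing on it.
    sudo ln -sf "$HOME/.dotnet/tools/dotnet-interactive" /usr/local/bin/dotnet-interactive
    dotnet interactive jupyter install
    if ! has_powershell_kernel "$(jupyter kernelspec list)"; then
        echo "PowerShell kernel was not registered; check the steps above" >&2
        return 1
    fi
    [ -d sentinel-notebooks ] || git clone https://github.com/Azure/Azure-Sentinel-Notebooks sentinel-notebooks
    echo "Done. Refresh the notebook UI in your browser so the .Net kernels appear in the dropdown."
}

# Only touch the system when explicitly asked; the helpers can be checked without it.
if [ "${RUN_INSTALL:-0}" = "1" ]; then
    install_dotnet_interactive
fi
```

Run it from the notebook server's terminal as RUN_INSTALL=1 sh install-dotnet-interactive.sh; without RUN_INSTALL it defines the functions and exits, which is useful for checking the URL mapping or a saved kernelspec listing before changing anything.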

Important: before you proceed, if you already had the notebook UI open, you must refresh your browser to see the .Net kernel options in the dropdown (yes, they are cached).

Click ‘Refresh’ in the notebook UI to see the files you cloned:

Go to the folder with your cloned files and select the sample PowerShell notebook:

Your notebook is now ready to go; select the PowerShell kernel from the dropdown to start.

Reference: https://techcommunity.microsoft.com/t5/azure-sentinel/what-s-new-powershell-azure-sentinel-notebooks-to-supercharge/ba-p/1695969

Copyright © 2020 - Azure Sentinel News