Welcome to Scribd!

Hunt for Threats Using Notebooks, Bookmarks and Livestream

Uploaded by

0% found this document useful (0 votes)

21 views32 pages

This document discusses advanced hunting capabilities in the Microsoft Sentinel portal. It covers: - Performing advanced hunting using Jupyter notebooks, which allow running analytics, visualizations, and integrating external data. - Creating custom hunting queries to modify manually-run queries or convert them to analytical rules for automated monitoring. - Using hunting bookmarks to track query results and reference findings for collaboration. - Monitoring hunting queries in real time using Livestream sessions. The last section previews a demonstration of these features, including notebooks, custom queries, bookmarks, and Livestream. It also requires specific role-based access and an Azure Machine Learning workspace to use notebooks for advanced hunting in Sentinel.

Original Description:

Original Title

Hunt for Threats Using the Microsoft Sentinel Portal Slides

Copyright

Available Formats

PDF, TXT or read online from Scribd

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Report this Document

Copyright:

Available Formats

Download as PDF, TXT or read online from Scribd

Flag for inappropriate content

0% found this document useful (0 votes)

21 views32 pages

Hunt for Threats Using Notebooks, Bookmarks and Livestream

Uploaded by

Jesse Oliveira

Copyright:

Available Formats

Download as PDF, TXT or read online from Scribd

Flag for inappropriate content

Jump to Page

You are on page 1of 32

Search inside document

Hunt for Threats Using the Microsoft

Sentinel Portal

Michael J. Teske
Principal Author Evangelist-Pluralsight
Hunt for Threats Using the Microsoft Sentinel
Portal

Perform advanced hunting with notebooks

Create custom hunting queries
- Run hunting queries manually
- Convert a hunting query to an analytical rule

Use hunting bookmarks for data investigations

- Track query results with bookmarks
Monitor hunting queries by using Livestream
Perform Advanced Hunting with Notebooks
Perform Advanced Hunting with Notebooks

Data store is accessed by a common API

- Azure Portal
- Azure Sentinel tools
- Jupyter notebooks
- Python
Use notebooks for:
- Perform analytics
- Create data visualizations
- Integrate external data sources
Requirements

Machine Learning Workspace

- Storage account
- Key vault
- Application insights
- Networking
• Public or private endpoint
- Advanced
• System or user assigned identity
• Credential or Identity-based storage
account access
• Microsoft or customer managed keys
Permissions Required for Notebooks

Microsoft Sentinel Permissions Azure Machine Learning Permissions

Microsoft Sentinel Reader Default roles
Microsoft Sentinel Responder Azure ML Data Scientist
Microsoft Sentinel Contributor Reader
Contributor
Owner
Jupyter Notebooks
Create Custom Hunting Queries
Custom Queries
Custom Queries
Custom Hunting Queries

Queries, but for threat hunting, but still KQL

queries
Modify query in details pane and run
Save modified query as a new query
Custom Hunting Queries
Custom Hunting Queries
Convert a Hunting Query to an Analytical Rule

Hunting queries expose data you might want

to monitor

Data returned is consistent and constant

Important enough to add to your normal
alerting system
Allows you to convert from manual monitoring
to automated analysis
Convert a Hunting Query to an Analytical Rule
Use Hunting Bookmarks for
Data Investigations
Hunting Bookmarks

Used to preserve queries ran in Microsoft

Sentinel
- Includes query results
- Record observations
- Reference findings via notes

Visible to you and your team for collaboration

Allows you to address urgent findings
Hunting Bookmarks
Hunting Bookmarks
# PowerShell Azure Sentinel Bookmark commands

Get-AzSentinelBookmark

New-AzSentinelBoomark

Remove-AzSentinelBoomark

Update-AzSentinelBoomark

Hunting Bookmarks Using PowerShell

# Create a bookmark named MyBookmark

New-AzSentinelBookmark -ResourceGroupName “ps-course-rg" -WorkspaceName "MyWorkspace“ `

-DisplayName "MyBookmark" -Query "SecurityAlert | take 1“

Hunting Bookmarks Using PowerShell

Hunting Bookmarks
Hunting Bookmarks
Monitor Hunting Queries by Using Livestream
Monitor Hunting Queries by Using Livestream

Livestream allows users quickly create

sessions using any Analytics query
- Real time monitoring
Monitor Hunting Queries by Using Livestream
Monitor Hunting Queries by Using Livestream
Monitor Hunting Queries by Using Livestream
Demo Review Jupyter Notebooks
Manage custom queries
- Convert query to analytics rule
- Hunting bookmarks
- Create Livestream session
Perform advanced hunting with notebooks
- Running cell blocks
- Requires an Azure Machine Learning
workspace
Summary
- Must have:
• Sentinel reader, responder and
contributor roles
• Default Azure ML roles

Create custom hunting queries

- Run hunting queries manually
- Convert a hunting query to an
analytical rule
• Add to your normal security monitoring
Use hunting bookmarks for data
investigations
Summary
- Track query results with bookmarks
• Provides ability to return to the
investigation
Monitor hunting queries by using
Livestream
- Monitoring hunting queries as they occur
in real time
Up Next:
Configure SOAR in Microsoft Sentinel

Azure Databricks Monitoring
Document22 pages
Azure Databricks Monitoring
Mounika Raj
100% (1)
Power Platform Admin and Governance Whitepaper
Document117 pages
Power Platform Admin and Governance Whitepaper
Jesse Oliveira
No ratings yet
Power Platform Admin and Governance Whitepaper
Document117 pages
Power Platform Admin and Governance Whitepaper
Jesse Oliveira
No ratings yet
BRICKS READING 150 Bricks Reading 150 1.ocr - Bak
Document141 pages
BRICKS READING 150 Bricks Reading 150 1.ocr - Bak
Jackie Francois
100% (2)
Microsoft Sentinel Training Notes
Document16 pages
Microsoft Sentinel Training Notes
xapehox362
No ratings yet
Azure Analytics: Synapse
Document251 pages
Azure Analytics: Synapse
James Alberto Martinez
100% (4)
AZ 104T00A ENU PowerPoint - 11
Document42 pages
AZ 104T00A ENU PowerPoint - 11
Prakash Ray
100% (1)
Azure Cosmos DB Documentation Overview
Document1,816 pages
Azure Cosmos DB Documentation Overview
Wagner Mariano
No ratings yet
Definition of English As A Second Language
Document1 page
Definition of English As A Second Language
amani
No ratings yet
L400-P8 Notebooks and Hunting
Document14 pages
L400-P8 Notebooks and Hunting
H Z
No ratings yet
Use Microsoft Sentinel Workbooks To Analyze and Interpret Data Slides
Document21 pages
Use Microsoft Sentinel Workbooks To Analyze and Interpret Data Slides
Jesse Oliveira
No ratings yet
Configure Soar in Microsoft Sentinel Slides
Document20 pages
Configure Soar in Microsoft Sentinel Slides
Jesse Oliveira
No ratings yet
SC 200T00A ENU PowerPoint 08
Document24 pages
SC 200T00A ENU PowerPoint 08
wandi17001
No ratings yet
Lansweeper Features 2020
Document1 page
Lansweeper Features 2020
Raisa Raisa
No ratings yet
AZ-300-Week1-DevelopConfigureInfrastructure
Document115 pages
AZ-300-Week1-DevelopConfigureInfrastructure
friends_always
No ratings yet
Data Sheet Asset V2
Document4 pages
Data Sheet Asset V2
Ajmul India
No ratings yet
Splunk Development Day 1 Overview
Document34 pages
Splunk Development Day 1 Overview
Loga K
No ratings yet
Microsoft System Center Configuration Manager Advanced Deployment
From Everand
Microsoft System Center Configuration Manager Advanced Deployment
Martyn Coupland
No ratings yet
Az 104t00a Enu Powerpoint 11
Document33 pages
Az 104t00a Enu Powerpoint 11
ROTIAR
No ratings yet
Artificial Intelligence Classifiers with .NET
Document14 pages
Artificial Intelligence Classifiers with .NET
WâhÿúÐî Ñâfï'ï
No ratings yet
Advanced Penetration Testing for Highly-Secured Environments: The Ultimate Security Guide
From Everand
Advanced Penetration Testing for Highly-Secured Environments: The Ultimate Security Guide
Lee Allen
Rating: 4.5 out of 5 stars
4.5/5 (6)
Software Architecture with Python
From Everand
Software Architecture with Python
Anand Balachandran Pillai
No ratings yet
Database Forensics Guide for Incident Preparedness and Artifact Analysis
Document18 pages
Database Forensics Guide for Incident Preparedness and Artifact Analysis
mach75
No ratings yet
splunk basics
Document13 pages
splunk basics
akshat jain
No ratings yet
Er
Document82 pages
Er
Tamella Paulauskiene
No ratings yet
1 - IntroductionBIG Chiopstetr
Document17 pages
1 - IntroductionBIG Chiopstetr
Anasua Pal
No ratings yet
KSE Brochure Nov 2019 2
Document7 pages
KSE Brochure Nov 2019 2
Aryan
No ratings yet
D72591GC10 1001 Us
Document3 pages
D72591GC10 1001 Us
trungquan710
No ratings yet
Instrumentation and Measurement: Csci 599 Class Presentation Shreyans Mehta
Document22 pages
Instrumentation and Measurement: Csci 599 Class Presentation Shreyans Mehta
GammaKristian
No ratings yet
Instrumentation and Measurement: Csci 599 Class Presentation Shreyans Mehta
Document22 pages
Instrumentation and Measurement: Csci 599 Class Presentation Shreyans Mehta
aly_wael71
No ratings yet
Instrumentation and Measurement: Csci 599 Class Presentation Shreyans Mehta
Document22 pages
Instrumentation and Measurement: Csci 599 Class Presentation Shreyans Mehta
Muhammad Usman Sindhu
No ratings yet
Instrumentation and Measurement: Csci 599 Class Presentation Shreyans Mehta
Document22 pages
Instrumentation and Measurement: Csci 599 Class Presentation Shreyans Mehta
indrakonwar1541
No ratings yet
Modern Analytics Academy - Data Modeling
Document12 pages
Modern Analytics Academy - Data Modeling
Hernan Labastie
No ratings yet
Download Exam Ref 70 764 Administering A Sql Database Infrastructure Victor Isakov full chapter
Document67 pages
Download Exam Ref 70 764 Administering A Sql Database Infrastructure Victor Isakov full chapter
brian.calloway212
100% (2)
Packt Elasticsearch 7 Quick Start Guide 2019
Document324 pages
Packt Elasticsearch 7 Quick Start Guide 2019
yohoyon
No ratings yet
01 - Azure Monitor Data Platform
Document4 pages
01 - Azure Monitor Data Platform
Lucas Mendes Pereira
100% (1)
Getting Started With Real-Time Analytics With Kafka and Spark in Microsoft Azure - Joe Plumb.
Document44 pages
Getting Started With Real-Time Analytics With Kafka and Spark in Microsoft Azure - Joe Plumb.
Samudra Bandaranayake
No ratings yet
System Surveillance Using Keylogger
Document22 pages
System Surveillance Using Keylogger
garapati kavyasri
0% (1)
Monitor MySQL, InnoDB, Replication, OS and more with alerts
Document3 pages
Monitor MySQL, InnoDB, Replication, OS and more with alerts
sandeep
No ratings yet
Overview of The QuantStudio® 3 System - Rev2 - LA19507
Document50 pages
Overview of The QuantStudio® 3 System - Rev2 - LA19507
Michael Okeke
No ratings yet
Py App Document
Document1,556 pages
Py App Document
kmdasari
No ratings yet
Practical Security Arbor
Document2 pages
Practical Security Arbor
Anis Amouri
No ratings yet
Presentation On Asset Management System & Library Management System
Document33 pages
Presentation On Asset Management System & Library Management System
Ashish Gupta
No ratings yet
Esas Doc Ms
Document1,590 pages
Esas Doc Ms
Saida Rasul
No ratings yet
Manage Microsoft Sentinel Analytics Rules Slides
Document24 pages
Manage Microsoft Sentinel Analytics Rules Slides
Jesse Oliveira
No ratings yet
Caseware IDEA Presentation - Region - Caseware Branded
Document24 pages
Caseware IDEA Presentation - Region - Caseware Branded
imma.kimbe
No ratings yet
Learn Splunk Online Training
Document25 pages
Learn Splunk Online Training
Angelina Joile
No ratings yet
03 Microsoftazurefundamentalssolutions 11606403870213
Document25 pages
03 Microsoftazurefundamentalssolutions 11606403870213
cvb vbn
No ratings yet
Microsoft SQL Server Administration Using MS SQL Server 2008
Document122 pages
Microsoft SQL Server Administration Using MS SQL Server 2008
Laura Johnston
No ratings yet
Metasploit Pro v4.11
Document188 pages
Metasploit Pro v4.11
Patrizia
No ratings yet
Ruth Aydt Pablo Research Group Department of Computer Science University of Illinois at Urbana-Champaign
Document47 pages
Ruth Aydt Pablo Research Group Department of Computer Science University of Illinois at Urbana-Champaign
Ajay Malhotra
No ratings yet
Smart Control and Automation Network
Document7 pages
Smart Control and Automation Network
mewmew
No ratings yet
Mikrotik Ansible - Ru.en
Document11 pages
Mikrotik Ansible - Ru.en
Jacques Hoto
No ratings yet
Instrumentation and Measurement: Csci 599 Class Presentation Shreyans Mehta
Document22 pages
Instrumentation and Measurement: Csci 599 Class Presentation Shreyans Mehta
Kamal Singh Rathore
No ratings yet
Dokumen - Pub Elasticsearch 7 Quick Start Guide Get Up and Running With The Distributed Search and Analytics Capabilities of Elasticsearch 9781789803327 1789803322
Document326 pages
Dokumen - Pub Elasticsearch 7 Quick Start Guide Get Up and Running With The Distributed Search and Analytics Capabilities of Elasticsearch 9781789803327 1789803322
ZeroCool Zero
No ratings yet
8 DBA Tasks For Azure SQL: What's Different From On-Prem
Document33 pages
8 DBA Tasks For Azure SQL: What's Different From On-Prem
Joji K
100% (1)
Zenoss Core 3.x Network and System Monitoring
From Everand
Zenoss Core 3.x Network and System Monitoring
Michael Badger
No ratings yet
ThoughtSpot Data Sheet
Document5 pages
ThoughtSpot Data Sheet
shahnawaz_javed
No ratings yet
Elasticsearch 7 Quick Start Guide Get Up and Running With The Distributed Search and Analytics Capabilities of Elasticsearch 9781789803327 1789803322
Document318 pages
Elasticsearch 7 Quick Start Guide Get Up and Running With The Distributed Search and Analytics Capabilities of Elasticsearch 9781789803327 1789803322
ZeroCool Zero
No ratings yet
Azure Synapse Analytics PoC Environment
Document8 pages
Azure Synapse Analytics PoC Environment
cloudtraining2023
No ratings yet
Train deep neural networks in Python Keras framework for human activity classification
Document28 pages
Train deep neural networks in Python Keras framework for human activity classification
cem bingöl
No ratings yet
Spring Microservices
From Everand
Spring Microservices
Rajesh RV
No ratings yet
Openstack On Intel: Billy Cox Director, Cloud Builders Software and Services Group Intel Corp
Document23 pages
Openstack On Intel: Billy Cox Director, Cloud Builders Software and Services Group Intel Corp
Noel Castro
No ratings yet
Grossman Ngdm07
Document35 pages
Grossman Ngdm07
api-3798592
No ratings yet
Manage Microsoft Sentinel Incidents Slides
Document17 pages
Manage Microsoft Sentinel Incidents Slides
Jesse Oliveira
No ratings yet
ACCENT GUIDE For Brazilian Speakers PDF
Document12 pages
ACCENT GUIDE For Brazilian Speakers PDF
André Resende
No ratings yet
1 Manage Azure Virtual Networks VPN Gateway m1 Slides PDF
Document8 pages
1 Manage Azure Virtual Networks VPN Gateway m1 Slides PDF
Jesse Oliveira
No ratings yet
How Business Apps Are Built
Document8 pages
How Business Apps Are Built
Jesse Oliveira
No ratings yet
Configuring Recovery Services Vault Slides
Document13 pages
Configuring Recovery Services Vault Slides
Jesse Oliveira
No ratings yet
Manage Microsoft Sentinel Analytics Rules Slides
Document24 pages
Manage Microsoft Sentinel Analytics Rules Slides
Jesse Oliveira
No ratings yet
Object Report With Powershell
Document12 pages
Object Report With Powershell
Jesse Oliveira
No ratings yet
How Business Apps Are Built
Document8 pages
How Business Apps Are Built
Jesse Oliveira
No ratings yet
Object Report With Powershell
Document12 pages
Object Report With Powershell
Jesse Oliveira
No ratings yet
Introduction To Powerapps and Flow Slides PDF
Document8 pages
Introduction To Powerapps and Flow Slides PDF
Jesse Oliveira
No ratings yet
Introduction To Powerapps and Flow Slides PDF
Document8 pages
Introduction To Powerapps and Flow Slides PDF
Jesse Oliveira
No ratings yet
Introduction To Powerapps and Flow Slides PDF
Document8 pages
Introduction To Powerapps and Flow Slides PDF
Jesse Oliveira
No ratings yet
Introduction To Powerapps and Flow Slides PDF
Document8 pages
Introduction To Powerapps and Flow Slides PDF
Jesse Oliveira
No ratings yet
Introduction To Powerapps and Flow Slides PDF
Document8 pages
Introduction To Powerapps and Flow Slides PDF
Jesse Oliveira
No ratings yet
Azure Storage - Practical Exercises Guide
Document7 pages
Azure Storage - Practical Exercises Guide
Jesse Oliveira
No ratings yet
Introduction To Powerapps and Flow Slides
Document8 pages
Introduction To Powerapps and Flow Slides
Jesse Oliveira
No ratings yet
Introduction To Powerapps and Flow Slides PDF
Document8 pages
Introduction To Powerapps and Flow Slides PDF
Jesse Oliveira
No ratings yet
Flooring Estimates
Document4 pages
Flooring Estimates
Bernie Cardenas
No ratings yet
Windows 8 VDI Image Client Tuning Guide PDF
Document29 pages
Windows 8 VDI Image Client Tuning Guide PDF
Jesse Oliveira
No ratings yet
Object Report With Powershell
Document12 pages
Object Report With Powershell
Jesse Oliveira
No ratings yet
Excel Visualization Demo
Document97 pages
Excel Visualization Demo
Jesse Oliveira
No ratings yet
SAP FI - Link
Document1 page
SAP FI - Link
Jesse Oliveira
No ratings yet
Azure Storage - Practical Exercises Guide
Document7 pages
Azure Storage - Practical Exercises Guide
Jesse Oliveira
No ratings yet
Slicer Regional Dashboard Draft01
Document7 pages
Slicer Regional Dashboard Draft01
Jesse Oliveira
No ratings yet
The Internet of TInghs PDF
Document68 pages
The Internet of TInghs PDF
Jesse Oliveira
No ratings yet
Test Script - Purchase Order - Purchase Order
Document5 pages
Test Script - Purchase Order - Purchase Order
flash3d
No ratings yet
PERL Basics
Document53 pages
PERL Basics
Lalith Krishnan
No ratings yet
Flowview Plugin For Cacti
Document7 pages
Flowview Plugin For Cacti
Jh0n Fredy H
100% (2)
DBMS GFG
Document21 pages
DBMS GFG
Raghavendra Sharma
No ratings yet
Phonetics Exercise #1 Xds
Document1 page
Phonetics Exercise #1 Xds
Diego Herrán Aragón
0% (1)
Gone in 30 Seconds
Document2 pages
Gone in 30 Seconds
qisz aziz
No ratings yet
20th Sunday August 16 Liturgy
Document4 pages
20th Sunday August 16 Liturgy
Ajay Simon
No ratings yet
DLPort IO
Document19 pages
DLPort IO
Jhon Wilser Velasco Marquina
No ratings yet
Modal Exercises Lesson 4 PDF
Document27 pages
Modal Exercises Lesson 4 PDF
Jose Guardiola Tomás
No ratings yet
Direct and Indirect Questions
Document8 pages
Direct and Indirect Questions
Iuli Julie
No ratings yet
Narrative Essay
Document7 pages
Narrative Essay
joanne_defrancesca
No ratings yet
Alive After The Fall
Document15 pages
Alive After The Fall
aaartyab
No ratings yet
Ielts Band 9 Sample Essay
Document12 pages
Ielts Band 9 Sample Essay
K60 Nguyễn Khánh Linh
No ratings yet
Integrating Snort and OSSIM
Document7 pages
Integrating Snort and OSSIM
Marcelo Laurenti
No ratings yet
The Powerful Teacher
Document58 pages
The Powerful Teacher
rachael
92% (12)
Mag. Manuel Calle Reyes - Libro: Razonamiento Verbal - Criterios y Métodos-2013
Document25 pages
Mag. Manuel Calle Reyes - Libro: Razonamiento Verbal - Criterios y Métodos-2013
Fer Al
No ratings yet
Pre-Quiz - Attempt Review
Document4 pages
Pre-Quiz - Attempt Review
Vinesh Dara
No ratings yet
Pragmatic Transfer
Document20 pages
Pragmatic Transfer
Dian Anggraini
No ratings yet
Vmware Remote Console 110 Vsphere PDF
Document26 pages
Vmware Remote Console 110 Vsphere PDF
ufukozdemir
No ratings yet
Industrial Training PPT C Bash Shell Data Structur Uing Linux
Document22 pages
Industrial Training PPT C Bash Shell Data Structur Uing Linux
Abhishek Singh Tomar
No ratings yet
Circulating and Compiling The Litterae A
Document37 pages
Circulating and Compiling The Litterae A
Martin M. Morales
No ratings yet
Automation Software Engineering
Document12 pages
Automation Software Engineering
Ignacio Sebastian Cabello Araya
No ratings yet
Bài Ôn FG
Document4 pages
Bài Ôn FG
Thu Lê Thị Hiền
No ratings yet
Special Features of Legal English
Document3 pages
Special Features of Legal English
Cristina González Angós
100% (3)
Stamford University
Document9 pages
Stamford University
sheikh sayeed
No ratings yet
EEE 4133 Lec-Aug 16
Document23 pages
EEE 4133 Lec-Aug 16
Majba Ahamad
No ratings yet
Sources For TEFL PHD Exam
Document3 pages
Sources For TEFL PHD Exam
Ehsan Abbaspour
No ratings yet
Zachs Animals PDF
Document4 pages
Zachs Animals PDF
Fares Haif
No ratings yet