# Azuure Sentinel Notebooks -Introduction to Sentinel Code Snippets

Azure Sentinel Notebook features enables Security Analysts to leverage Azure Notebooks to excute code and kql driven analysis. Notebooks are built to reflect most of the Open Source Jupyter Notebook capabilities.  
The Jupyter Notebook (formerly IPython Notebooks) is defined by Wikipedia as an Open Source web-based interactive computational environment for creating notebook documents. It can be classified as a programming tool.  
A Jupyter Notebook document is a browser-based REPL containing an ordered list of input/output cells which can contain code, text (using Markdown), mathematics, plots and rich media.  
Underneath the interface, a notebook is a JSON document, following a versioned schema, usually ending with the ".ipynb" extension.  
Before using a Notebook, you're required to provision a compute system built with the Kernles and default runtimes to work with the Notebook.  
[Azure Sentinel Notebooks Ninja Part 2: Getting Started with Azure Sentinel Notebooks](https://techcommunity.microsoft.com/t5/azure-sentinel/azure-sentinel-notebooks-ninja-part-2-getting-started-with-azure/ba-p/2716661) will provide how to start with Azure Sentinel Notebook.  

This Notebook is developed to provide you with some of the basic and essential code to create your first custom Notebook. It uses built-in Code Snippets that you can access by simply typing the word "Sentinel".

## Sample notebook that uses Azure Sentinel code snippets
Code Snippets are convenient and saves times when performing the same task. If you use snippets, you can significantly reduce time, organize many processes, and get a ready-made solution for many tasks.  
This concept applies to Sentinel Notebooks as well. When comes down to develop a notebook for Sentinel, you will need four fundamental pieces of code that allow the notebook to authenticate and connect to the data source stored on the workspace, load all the packages required to formulate and execute KQL queries against it, and setup the environment for the integration with Microsoft Security Center (mstic) Python packages (msticpy).  

**By typing the  keyword “Sentinel” you’ll be able to import the needed code for the above requirements** 
 
There four Code Snippets are:  
 
1. Get Configuration parameters  
2. Set up environment for msticpy  
3. Authenticate into Azure resources  
4. Authenticate into Azure Log Analytics   


# First custom Sentinel Notebook (Jupyter)
---
There are at least 3 ways you can connect, query, and consume data from Sentinel.  
1. Using Microsoft msticpy    
2. Using LogAnalyticsManagementClient  
3. Using KQL Magic

---


If they don't have it, then they will need to create this file from scratch, like the steps you show.



### Create a config.json file
---
The config.json file is used to set the configurations parameters that you can use when connecting to Azure Sentinel.  
This file is automatically generated and properly configured when you create the Notebook Compute system from Sentinel and imported at least one of the Notebooks available from the template library.  
The file will have all the value properly added based on the Sentinel workspace you've used for the Notebook, the Azure Subscription and Resource Group where Sentinel is located, the Tenant ID, and both the user alias and object ID.
In the case where you're using a custom Compute system for your Notebooks then you can create this file manually. 

-**Here how to create the file manually**- 

Create a new file under your directory and paste the following.  
Edit the information as relates to your Azure Subscription, Tenant ID, Log Analytic Workspace used by Sentinel, your accout Alias and your account ID

`
{
    "tenant_id":"<Azure_Active_Directory_Tenant_Id>",  
    "subscription_id":"<Azure_Subscription_Id?",  
    "resource_group":"<Sentinel_Resource_Group>",  
    "workspace_id":"<Sentinel_Workspace_id>",  
    "workspace_name":"<Sentinel_Worspace_Name>",  
    "user_alias":"<User_Alias_With_Permissions_to_Access_Sentinel>",  
    "user_object_id":"<User_Object_Id>"  
}
`


## 1. Using Microsoft MSTICPy
---
 


### Installing MSTICPy using a Code Snippet

The Microsoft Threat Intelligence Center (MSTIC) team is one of the main producers of threat intelligence at Microsoft as it collects the threat intelligence that’s infused into products and services.  
MSTICPy is a library for InfoSec investigation and hunting in Jupyter Notebooks. It includes functionality to:  
* query log data from multiple sources  
* enrich the data with Threat Intelligence, geolocations and Azure resource data  
* extract Indicators of Activity (IoA) from logs and unpack encoded data  
* perform sophisticated analysis such as anomalous session detection and time series decomposition  
* visualize data using interactive timelines, process trees and multi-dimensional Morph Charts  

It also includes some time-saving notebook tools such as widgets to set query time boundaries, select and display items from lists, and configure the notebook environment, as well as Python library to query Sentinel via KQL (i.e. Kqlmagic).


To use MSTICPy, you'll need to install it first since the Compute Kernel does not include it by default.  
The below code cell uses one of the four Code Snippet described early but it includes a tiny variant and that is this: `%pip install --upgrade --quiet msticpy[azuresentinel,ml]`  
By including the **"azuresentinel,ml"** in the command you'll install the modules for Azure, Sentinel, Key Vault, KQL, and ML:

- Key Vault and keyring storage of settings secrets  
- Azure Sentinel data queries  
- Kqlmagic Jupyter extended  
- Azure API data retrieval (subs, resources, Vms, etc.)  
- Azure storage APIs  
- Azure Sentinel APIs (not data query)   
- Timeseries analysis  
- Event clustering  
- Outlier analysis 

In [None]:
#####################################################
# Sentinel - Set up environment for msticpy         #
#####################################################
# import some modules needed in this cell
from pathlib import Path
from IPython.display import display, HTML

display(HTML('Checking upgrade to latest msticpy version'))
%pip install --upgrade --quiet msticpy[azuresentinel,ml]

REQ_PYTHON_VER=(3, 6)
REQ_MSTICPY_VER=(1, 2, 3)
REQ_MP_EXTRAS = ['keyvault']

display(HTML('<h3>Starting Notebook setup...</h3>'))
if Path('./utils/nb_check.py'):
    from utils.nb_check import check_versions
    check_versions(REQ_PYTHON_VER, REQ_MSTICPY_VER)

# intialize msticpy
from msticpy.nbtools import nbinit
nbinit.init_notebook(
    namespace=globals(),
    extra_imports=['urllib.request, urlretrieve']
)
pd.set_option('display.html.table_schema', False)

### Configure msticpyconfig.yaml
MSTICPy uses a yaml configuration file **msticpyconfig.yaml**
To generate the config file you'll need the config.json file first, then execute the below code cell to generate the yaml file and configure it if you wish to add other seting beside the Default.


In [None]:
#####################################################
# MSTICPy - Set up msticpyconfig.yaml #
#####################################################
from msticpy.config import MpConfigEdit
import os
mp_conf = "msticpyconfig.yaml"
# check if MSTICPYCONFIG is already an env variable
mp_env = os.environ.get("MSTICPYCONFIG")
mp_conf = mp_env if mp_env and Path(mp_env).is_file() else mp_conf
if not Path(mp_conf).is_file():
    print(
        "Please check that there is a config.json file in your workspace folder.",
        "If this is not there, create it first (sample in Create a config.json file",
        sep="\n"
    )
else:
    mpedit = MpConfigEdit(mp_conf)
    mpedit.set_tab("AzureSentinel")
    display(mpedit)

### Import MSTICPy settings from the msticpyconfig.yaml

In [None]:
#####################################################
# MSTICPy - Import msticpyconfig.yaml #
#####################################################
import msticpy
msticpy.settings.refresh_config()

### Connecting to Sentinel

In [None]:
#####################################################
# MSTICPy - Connect to Sentinel #
#####################################################
## Create a QueryProvider object for running queries in our LogAnalytics workspace
qry_prov = QueryProvider(data_environment='AzureSentinel')
## Use the workspace configuration we've set up in msticpyconfig.yaml (you can also choose another workspace here)
ws_config = WorkspaceConfig(workspace="Default")
qry_prov.connect(connection_str=ws_config.code_connect_str)

### Write your KQL query, execute it, and present results

In [None]:
#####################################################
# MSTICPy - Read data from Sentinel using KQL #
#####################################################
Query_Data_Log_Type = '''
Event | take 10 | where TimeGenerated >=ago(30d)
'''
Results_df = qry_prov.exec_query(Query_Data_Log_Type)
Results_df.head(10)

## 2. Using LogAnalyticsManagementClient
---
This is the Microsoft Azure Log Analytics Management Client Library.

### Getting Sentinel configuration parameters from the config.json file
Before connecting to Sentinel and start querying data we need to initialize Sentinel parameters referred by the rest of the code.  
These parameters are:  
- Azure Tenant
- Azure Subscription ID
- Resource Group
- Workspace ID
- Workspace Name
- User Alias
- USer object ID  

For this task we're going to use a second Sentinel Code Snippet: **Get Configuration Parameters**

In [None]:
####################################################
# Sentinel - Get Sentinel Configuration parameters #
####################################################
import json
def read_config_values(file_path):
    'This loads pre-generated parameters for Azure Sentinel Workspace'
    with open(file_path) as json_file:
        if json_file:
            json_config = json.load(json_file)
            return (json_config['tenant_id'],
                json_config['subscription_id'],
                json_config['resource_group'],
                json_config['workspace_id'],
                json_config['workspace_name'],
                json_config['user_alias'],
                json_config['user_object_id'])
    return None

# Calling the above function to populate Sentinel workspace parameters
tenant_id, subscription_id, resource_group, workspace_id, workspace_name, user_alias, user_object_id = read_config_values('config.json')

### Login and authenticate into Azure Sentinel
To login and authenticate into Azure Sentinel we can use the Sentinel Code Snippet **Authenticate into Azure Log Analytics**.  

You might like to have better background color for the AZ LOGIN command. Use: !echo -e '\e[41m'

The followings are possible color combination:

- BgBlack = '\e[40m' 
- BgRed = '\e[41m' 
- BgGreen = '\e[42m' 
- BgYellow = '\e[43m' 
- BgBlue = '\e[44m' 
- BgMagenta = '\e[45m' 
- BgCyan = '\e[46m' 
- BgWhite = '\e[47m'

In [None]:
####################################################
# Sentinel - Authenticate into Azure Log Analytics #
####################################################
# Azure CLI is used to get device code to login into Azure, you need to copy the code and open the DeviceLogin site.
# !!! You need [tenant_id] and [subscription_id] to login into Azure !!!
from azure.common.client_factory import get_client_from_cli_profile
from azure.common.credentials import get_azure_cli_credentials
from azure.loganalytics import LogAnalyticsDataClient
from azure.mgmt.loganalytics import LogAnalyticsManagementClient
from azure.loganalytics.models import QueryBody

!echo -e '\e[41m'
!az login --use-device-code
la_client = get_client_from_cli_profile(LogAnalyticsManagementClient, subscription_id = subscription_id)
creds, _ = get_azure_cli_credentials(resource='https://api.loganalytics.io')
la_data_client = LogAnalyticsDataClient(creds)

### Write your own query and execute it
Now you can run a quick query using the log analytics data client

In [None]:
query = 'Event | take 10 | where TimeGenerated >=ago(24h)'
result = la_data_client.query(workspace_id, QueryBody(query=query))
print(result.as_dict())


## Using KQL Magic
---
Kqlmagic magic extension enables notebook experience, exploring Microsoft Azure Monitor data: 
- Azure Data Explorer (Kusto)
- ApplicationInsights
- LogAnalytics 

data from Jupyter notebook (Python3 kernel), using kql (Kusto Query language).  
https://pypi.org/project/Kqlmagic/

### Install or Upgrade and Load KQLMAGIC
Execute the next Code Cell to install KQLMagic module. This is needed only if you have not installed MSTICPy.  
The KQLMAGIC_AZUREML_COMPUTE environment variable sets the name of the Azure ML Compute. You can refer to the compute name by looking either at the Compute section of ML Studio or simply in the above Notebook ribbon where it says Compute.  
Take note of the name and enter its value in the below code variable **azml_compute**


In [None]:
# User Input
azml_compute='vm-sentinel-ml01'
kqlmagic_azml_compute='https://' + azml_compute + '.eastus.instances.azureml.ms'

In [None]:
!pip install Kqlmagic --no-cache-dir --upgrade
%env KQLMAGIC_AZUREML_COMPUTE="$kqlmagic_azml_compute"
%env KQLMAGIC_CONFIGURATION="show_init_banner=False"
%reload_ext Kqlmagic

### Getting Sentinel configuration parameters from the config.json file

Before connecting to Sentinel and start querying data is recommended to initialize Sentinel parameter:

    Azure Tenant
    Azure Subscription ID
    Resource Group
    Workspace ID
    Workspace Name
    User Alias
    USer object ID

Use the Sentinel Code Snippet **Get Configuration Parameters**

In [None]:
####################################################
# Sentinel - Get Sentinel Configuration parameters #
####################################################
import json
def read_config_values(file_path):
    'This loads pre-generated parameters for Azure Sentinel Workspace'
    with open(file_path) as json_file:
        if json_file:
            json_config = json.load(json_file)
            return json_config['workspace_id']
    return None

# Calling the above function to populate Sentinel workspace parameters
workspace_id = read_config_values('config.json')

### Login and authenticate into the Worksapce

In [None]:
%kql loganalytics://code;workspace=workspace_id

### Write your own query and execute it 

In [None]:
%%kql
Event
| take 1
| where TimeGenerated >=ago(30d)

### Python code can access the result by the _ variable
The underscore character is used by Python to hold and access the result of the KQL query from KQL Magic.
You can pass the result to a data frame df with df = _.to_dataframe()  


In [None]:
df = _.to_dataframe()
df

### Present query output using the data frame df

In [None]:
df

### Show results in different forms

In [None]:
df.head()

In [None]:
df.min()

In [None]:
df.to_json()

In [None]:
df.columns

### Excution of another cell overrides \_ variable.  
Use\_kql\_raw\_result\_ python variable holds last kql query result.  
If you run the previous cell you'll get an error since the \_ is now overrided


In [None]:
df = _kql_raw_result_

In [None]:
df

### Alterantive way to assign kql query result to a python variable

In [None]:
%kql my_bar_chart << Event | where TimeGenerated >=ago(30d) | take 1000 | summarize count() by Source | sort by count_ | render barchart title='My bar chart'
my_bar_chart

In [None]:
my_bar_chart.show_table()