# How To: Manage Azure Sentinel Bookmarks

__Notebook Version:__ 1.0<br>
__Python Version:__ Python 3.6 (including Python 3.6 - AzureML), Plotly 3.5 <br>
__Required Packages:__ Kqlmagic 0.1.90<br>
__Platforms Supported:__<br>
    -  Azure Notebooks Free Compute
    -  Azure Notebooks DSVM
__Data Source Required:__<br>
    -  Log Analytics - Bookmarks
    
### Description
The sample notebook get bookmarks from Azure Sentinel

<font color=red>When you switch between Azure Notebooks Free Compute and Data Science Virtual Machine (DSVM), you may need to select Python version: please select Python 3.6 for Free Compute, and Python 3.6 - AzureML for DSVM.</font>

## Prerequisite check

In [None]:
# only run once, current version 0.1.2
!pip install --upgrade Sentinel-Utilities

In [None]:
import SentinelUtils
# checking Python version
check = SentinelUtils.version_management.ModuleVersionCheck()
py_check = check.validate_python('3.6.0')
if py_check.requirement_met == False:
    print('Please select Python 3.6 or Python 3.6 - AzureML at the upper right corner')
else:
    print('Please continue')

In [None]:
# checking required packages
mods_check = check.validate_installed_modules(['Kqlmagic>=0.1.90'])
for mod_info in mods_check:
    if mod_info.requirement_met == False:
        print('Please install {} {} at the following cell.'.format(mod_info.name, mod_info.required_version))

In [None]:
# Please install required packages based on the check at last cellp
#!pip install Kqlmagic --upgrade

## Table of Contents

1. Retrieve Log Analytics information
3. Log into Log Analytics
4. Retrieve Bookmark Data
5. Bookmark service functions 
6. Bookmark management through service API
7. Go to Azure Log Analytics
8. Data Analysis - Timeline Chart

## 1. Retrieve Log Analytics Information

In [None]:
path = %env PATH
dsvm = False
if '/dsvm/' in path:
    dsvm = True
    
if dsvm == False:
    # Run this if you are using Free Compute
    tenant_id = SentinelUtils.config_reader.ConfigReader.read_config_values("../config.json")[0]
    subscription_id = SentinelUtils.config_reader.ConfigReader.read_config_values("../config.json")[1]
    resource_group = SentinelUtils.config_reader.ConfigReader.read_config_values("../config.json")[2]
    workspace_id = SentinelUtils.config_reader.ConfigReader.read_config_values("../config.json")[3]
    workspace_name = SentinelUtils.config_reader.ConfigReader.read_config_values("../config.json")[4]
    print('Your Log Analytic Workspace: {}'.format(workspace_name))
else:
    # Run this if you are using DSVM.  You need to copy the values from config.json, if the file has no value, then you need to go to Log Analytics Portal to get the information.
    tenant_id = input('tenant_id:')
    subscription_id = input('subscription_id:')
    resource_group = input('resource_group:')
    workspace_id = input('workspace_id:')
    workspace_name = input('workspace_name:')

## 2. Log into Log Analytics

In [None]:
# You must run this cell to log into Log Analytics to continue
# Make sure you have 0.1.90 or above, if not, run Kqlmagic installation again
%reload_ext Kqlmagic
%kql loganalytics://code;workspace=workspace_id;tenant=tenant_id;alias="SentinelDB"

## 3. Retrieve Bookmark Data

In [None]:
# Checking required Data Sources
required_data_sources = ['HuntingBookmark']
dbSchema = %kql --schema "SentinelDB@loganalytics"
tables = list(dbSchema.keys())
for source in required_data_sources:
    if source not in tables:
        print('You do not have required data source: {}'.format(source))
    else:
        print('Please continue')

In [None]:
%kql HuntingBookmark | take 100

## 4. Bookmark service functions

In [None]:
# head
import json
import requests
import pandas as pd
from pandas.io.json import json_normalize

# calling test site
test_subscription_id = input('test subscription id:')
test_resource_group = input('test resource_group:')
test_workspace_name = input('test workspace_name:')

In [None]:
# functions, this is using testing environment
def generate_guid():
    import uuid
    return str(uuid.uuid4())

def construct_url(bookmark_id):
    base_url = 'https://resourceprovider.westus2.cloudapp.azure.com/subscriptions/{}/resourceGroups/{}/providers/Microsoft.OperationalInsights/workspaces/{}/providers/Microsoft.SecurityInsights/bookmarks{}?api-version=1.0'
    return base_url.format(test_subscription_id, test_resource_group, test_workspace_name, '/' + bookmark_id) if bookmark_id != None else base_url.format(test_subscription_id, test_resource_group, test_workspace_name, '')

def create_bookmark():
    import datetime
    # Sample bookmark data
    newbookmark = {
      "properties": {
        "displayName": "Example bookmark",
        "notes": datetime.datetime.now().isoformat(),
        "labels": ["Azure Sentinel Notebooks"],
        "query": "SecurityEvent | take 5 | project Account, Computer",
        "queryResult": "'Account': 'WORKGROUP\vm3$', 'Computer': 'vm3'"
      }
    }
    
    url = construct_url(generate_guid())
    response = None
    headers = {"Content-Type" : "application/json"}
    try:
        response = requests.put(url, data=json.dumps(newbookmark), headers=headers)

        if response.status_code != 200:
            print(response.status_code)
            print(response.text)
            raise Exception('Recieved non 200 response while sending response to CFN.')
        return response
    except requests.exceptions.RequestException as e:
        if response != None:
            print(response.text)
        print(e)
        raise
        
def get_bookmarks():
    url = construct_url(None)
    response = requests.get(url)
    response.encoding = response.apparent_encoding
    resJson = json.loads(response.text)
    if resJson != None:
        try:
            return json_normalize(resJson['value'])
        except Exception as e:
            print(e)

## 5. Bookmark management through service API

In [None]:
# Create a new bookmark
res = create_bookmark()
print(res)

In [None]:
# get all bookamrks and filter by displayName
origin_df = get_bookmarks()
df = origin_df[origin_df['properties.displayName'] == 'Example bookmark'][['properties.created', 'properties.notes', 'properties.displayName', 'properties.labels', 'properties.query', 'properties.queryResult']]
df

## 6. Go to Azure Log Analytics

In [None]:
# Utils functions
def copy_query_to_clipboard(query_text):
    import ipywidgets as widgets
    from IPython.display import display
    from IPython.display import HTML

    url = 'https://ms.portal.azure.com/?feature.showassettypes=Microsoft_Azure_Security_Insights_SecurityInsightsDashboard#blade/Microsoft_Azure_Security_Insights/MainMenuBlade/7/subscriptionId/{}/resourceGroup/{}/workspaceName/{}'.format(subscription_id, resource_group, workspace_name)
    html_str = (
        """<!DOCTYPE html>
        <html><body>

        <input  id="asi_demo_query" type="text" readonly style="font-weight: bold; border: none; width:1px;" size = '"""
        + str(len(query_text))
        + """' value='"""
        + query_text
        + """'>

        <a target="_new" href="javascript:void(0);" onclick="asi_demo_copy()">Go to Log Analytics</a>
    
        <script>
        var asi_demo_win = null
        function asi_demo_copy() {
            var copyText = document.getElementById("asi_demo_query");
            copyText.select();
            document.execCommand("copy");

            var w = screen.width - 300;
            var h = screen.height - 300;
            params = 'width='+w+',height='+h
            asi_demo_win = window.open('"""
                    + url
                    + """', 'asi_demo_win', params);
        }

        </script>
        </body></html>"""
    )

    return html_str    

def make_clickable(val):
    # target _blank to open new window
    return '<a target="_new" href="{}"></a>'.format(val)

In [None]:
# appending link column to the dataframe
df = df.assign(GoToLogAnalytics=df['properties.query'].apply(lambda x: copy_query_to_clipboard(x)))
df.style.format({'': make_clickable})

## 7. Data Analysis - Timeline Chart

In [None]:
origin_df['Start'] = origin_df.groupby('properties.displayName')['properties.created'].transform(min)
origin_df['Finish'] = origin_df.groupby('properties.displayName')['properties.created'].transform(max)

plot_df = origin_df[['properties.displayName', 'Start', 'Finish']].copy().rename(columns = {'properties.displayName' : 'Task'}).drop_duplicates('Task')
plot_df = plot_df.reset_index().drop('index', 1)
plot_df

In [None]:
import plotly
import plotly.plotly as pplotly
import plotly.figure_factory as factory

# input your account info for Plotly, https://plot.ly
your_plotly_username = input('plotly username:')
your_api_key = input('plotly API key:')
plotly.tools.set_credentials_file(username=your_plotly_username, api_key=your_api_key)

In [None]:
chart = factory.create_gantt(plot_df)
pplotly.iplot(chart, filename='Bookmark Time Line', title='Bookmark Time Line', world_readable=True)