## Instaling KQLmagic libraries

In [None]:
!pip3 install Kqlmagic --no-cache-dir --upgrade

## Loading the KQLmagic library

In [1]:
%reload_ext Kqlmagic

<IPython.core.display.Javascript object>

<IPython.core.display.Javascript object>

## Configuring KQLmagic

In [2]:
%config Kqlmagic.auto_dataframe=True
%config Kqlmagic.auto_popup_schema=True
# %config Kqlmagic.display_limit=10

## Importing python libraries

In [3]:
import pandas as pd
pd.options.display.max_columns = None
pd.options.display.max_rows = False

<h2 align='center'>=========================================================</h2>

## Connecting to a private Log Analytics
**ATTENTION:** edit and change the name of `config_file_example.py` to `config_file.py`. Note that `config_file.py` will not be pushed to Github because it contains sensitive information (and it is in `.gitignore``)

In [4]:
from config_file import *

In [5]:
%kql loganalytics://tenant=$conf_tenant_id;clientid=$conf_aad_appid;clientsecret=$conf_aad_appkey;workspace=$conf_workspace_id

<IPython.core.display.Javascript object>

<h2 align='center'>=========================================================</h2>

## in 'SigninLogs', manually determining which columns contain sensitive information

- **'TenantId' = TRUE**
- 'SourceSystem'
- 'TimeGenerated'
- **'ResourceId' = TRUE**
- 'OperationName'
- 'OperationVersion'
- 'Category'
- 'ResultType'
- 'ResultSignature'
- 'ResultDescription'
- 'DurationMs'
- 'CorrelationId'
- 'Resource'
- 'ResourceGroup'
- 'ResourceProvider'
- **'Identity' = TRUE**
- 'Level'
- **'Location' = TRUE**
- **'AlternateSignInName' = TRUE**
- 'AppDisplayName'
- 'AppId'
- 'AuthenticationDetails'
- 'AuthenticationMethodsUsed'
- 'AuthenticationProcessingDetails'
- 'AuthenticationRequirement'
- 'AuthenticationRequirementPolicies'
- 'ClientAppUsed'
- 'ConditionalAccessPolicies'
- 'ConditionalAccessStatus'
- 'CreatedDateTime'
- 'DeviceDetail'
- 'IsInteractive'
- 'Id'
- **'IPAddress' = TRUE**
- 'IsRisky'
- **'LocationDetails' = TRUE**
- 'MfaDetail'
- 'NetworkLocationDetails'
- **'OriginalRequestId' = TRUE**
- 'ProcessingTimeInMilliseconds'
- 'RiskDetail'
- 'RiskEventTypes'
- 'RiskEventTypes_V2'
- 'RiskLevelAggregated'
- 'RiskLevelDuringSignIn'
- 'RiskState'
- 'ResourceDisplayName'
- **'ResourceIdentity' = TRUE**
- 'ServicePrincipalId'
- 'ServicePrincipalName'
- 'Status'
- 'TokenIssuerName'
- 'TokenIssuerType'
- 'UserAgent'
- **'UserDisplayName' = TRUE**
- **'UserId' = TRUE**
- **'UserPrincipalName' = TRUE**
- **'AADTenantId' = TRUE**
- 'Type'

## Manually anonymizing 1 single entry of each sensitive field

In [7]:
import uuid, names,random, pycountry

In [8]:
fake_domainname = 'mycompany.com'

TenantId=str(uuid.uuid4())
AADTenantId = str(uuid.uuid4())
ResourceId='/tenants/'+AADTenantId+'/providers/Microsoft.aadiam'
Identity = names.get_full_name()
UserDisplayName = Identity
UserPrincipalName = Identity.lower().replace(' ','.')+'@'+fake_domainname
Location = list(pycountry.countries)[random.randint(0,248)].alpha_2
LocationDetails = '{'+'\'countryOrRegion\':\''+Location+'\'}'
IPAddress = ".".join(map(str, (random.randint(0, 255) for _ in range(4))))
OriginalRequestId = str(uuid.uuid4())
ResourceIdentity = str(uuid.uuid4())
UserId = str(uuid.uuid4())

print(TenantId, ResourceId, Identity, Location, IPAddress, LocationDetails, OriginalRequestId, ResourceIdentity, UserDisplayName, UserId, UserPrincipalName, AADTenantId)

425dc03a-3cdc-42e7-884b-09bf02157895 /tenants/2e42acc6-619f-4cb7-98eb-4909abdbaeea/providers/Microsoft.aadiam Andre Zeman BF 65.176.224.16 {'countryOrRegion':'BF'} e86521a6-2dbf-4465-a3b3-830c5c031999 f4917825-5289-4de1-b1c3-bfc8c74296e7 Andre Zeman 9fe9da09-5f63-4ccb-bd48-0b43fc6047b0 andre.zeman@mycompany.com 2e42acc6-619f-4cb7-98eb-4909abdbaeea


<h2 align='center'>=========================================================</h2>

## Getting the original data

In [12]:
df = %kql workspace("nwsentinel-law").SigninLogs | where TimeGenerated > ago(30d) 

<h2 align='center'>=========================================================</h2>

## Script to anonymizing each sensitive field
### Methodology:
1. get len of unique values;
2. create a simmilar set with the same lenght of the set with unique values;
3. substitute the new set for the original set;

In [13]:
import uuid, names,random, pycountry

In [14]:
fake_domainname = 'mycompany.com'

In [15]:
df_anon = df

In [16]:
column_name = 'AADTenantId'

list_names = df_anon[column_name].unique().tolist()
unique_values = len(list_names)

lists = []
for p in range(unique_values):
    lists.append(str(uuid.uuid4()))

substitution_mask = pd.concat([pd.Series(df_anon[column_name].unique()), pd.Series(lists)], axis=1, sort=False)
df_anon = pd.merge(df_anon, substitution_mask, how='inner', left_on=column_name, right_on=0,sort=False).drop([0, column_name], axis=1).rename(columns={1: column_name})

In [17]:
df_anon['ResourceId']=df_anon['AADTenantId'].apply(lambda x: '/tenants/'+str(x)+'/providers/Microsoft.aadiam')

In [18]:
column_name = 'TenantId'

list_names = df_anon[column_name].unique().tolist()
unique_values = len(list_names)

lists = []
for p in range(unique_values):
    lists.append(str(uuid.uuid4()))

substitution_mask = pd.concat([pd.Series(df_anon[column_name].unique()), pd.Series(lists)], axis=1, sort=False)
df_anon = pd.merge(df_anon, substitution_mask, how='inner', left_on=column_name, right_on=0,sort=False).drop([0, column_name], axis=1).rename(columns={1: column_name})

In [19]:
column_name = 'Identity'

list_names = df_anon[column_name].unique().tolist()
unique_values = len(list_names)

lists = []
for p in range(unique_values):
    lists.append(names.get_full_name())

substitution_mask = pd.concat([pd.Series(df_anon[column_name].unique()), pd.Series(lists)], axis=1, sort=False)
df_anon = pd.merge(df_anon, substitution_mask, how='inner', left_on=column_name, right_on=0,sort=False).drop([0, column_name], axis=1).rename(columns={1: column_name})

In [20]:
df_anon['UserDisplayName']=df_anon['Identity']

In [21]:
df_anon['UserPrincipalName'] = df_anon['Identity'].apply(lambda x: x.lower().replace(' ','.')+'@'+fake_domainname)

In [22]:
df_anon['AlternateSignInName'] = df_anon['UserPrincipalName']

In [23]:
column_name = 'Location'

list_names = df_anon[column_name].unique().tolist()
unique_values = len(list_names)

lists = []
for p in range(unique_values):
    lists.append(list(pycountry.countries)[random.randint(0,248)].alpha_2)

substitution_mask = pd.concat([pd.Series(df_anon[column_name].unique()), pd.Series(lists)], axis=1, sort=False)
df_anon = pd.merge(df_anon, substitution_mask, how='inner', left_on=column_name, right_on=0,sort=False).drop([0, column_name], axis=1).rename(columns={1: column_name})

In [24]:
df_anon['LocationDetails'] = df_anon['Location'].apply(lambda x: '{'+'\'countryOrRegion\':\''+str(x)+'\'}')

In [25]:
column_name = 'IPAddress'

list_names = df_anon[column_name].unique().tolist()
unique_values = len(list_names)

lists = []
for p in range(unique_values):
    lists.append(".".join(map(str, (random.randint(0, 255) for _ in range(4)))))

substitution_mask = pd.concat([pd.Series(df_anon[column_name].unique()), pd.Series(lists)], axis=1, sort=False)
df_anon = pd.merge(df_anon, substitution_mask, how='inner', left_on=column_name, right_on=0,sort=False).drop([0, column_name], axis=1).rename(columns={1: column_name})

In [26]:
column_name = 'OriginalRequestId'

list_names = df_anon[column_name].unique().tolist()
unique_values = len(list_names)

lists = []
for p in range(unique_values):
    lists.append(str(uuid.uuid4()))

substitution_mask = pd.concat([pd.Series(df_anon[column_name].unique()), pd.Series(lists)], axis=1, sort=False)
df_anon = pd.merge(df_anon, substitution_mask, how='inner', left_on=column_name, right_on=0,sort=False).drop([0, column_name], axis=1).rename(columns={1: column_name})

In [27]:
column_name = 'ResourceIdentity'

list_names = df_anon[column_name].unique().tolist()
unique_values = len(list_names)

lists = []
for p in range(unique_values):
    lists.append(str(uuid.uuid4()))

substitution_mask = pd.concat([pd.Series(df_anon[column_name].unique()), pd.Series(lists)], axis=1, sort=False)
df_anon = pd.merge(df_anon, substitution_mask, how='inner', left_on=column_name, right_on=0,sort=False).drop([0, column_name], axis=1).rename(columns={1: column_name})

In [28]:
column_name = 'UserId'

list_names = df_anon[column_name].unique().tolist()
unique_values = len(list_names)

lists = []
for p in range(unique_values):
    lists.append(str(uuid.uuid4()))

substitution_mask = pd.concat([pd.Series(df_anon[column_name].unique()), pd.Series(lists)], axis=1, sort=False)
df_anon = pd.merge(df_anon, substitution_mask, how='inner', left_on=column_name, right_on=0,sort=False).drop([0, column_name], axis=1).rename(columns={1: column_name})

## Observing the annonymized Dataframe

In [36]:
df_anon.sort_values(by='TimeGenerated').to_csv('30days_anonymized_azure_signin_logs.csv')

In [37]:
df_anon.head()

Unnamed: 0,SourceSystem,TimeGenerated,ResourceId,OperationName,OperationVersion,Category,ResultType,ResultSignature,ResultDescription,DurationMs,CorrelationId,Resource,ResourceGroup,ResourceProvider,Level,AlternateSignInName,AppDisplayName,AppId,AuthenticationDetails,AuthenticationMethodsUsed,AuthenticationProcessingDetails,AuthenticationRequirement,AuthenticationRequirementPolicies,ClientAppUsed,ConditionalAccessPolicies,ConditionalAccessStatus,CreatedDateTime,DeviceDetail,IsInteractive,Id,IsRisky,LocationDetails,MfaDetail,NetworkLocationDetails,ProcessingTimeInMilliseconds,RiskDetail,RiskEventTypes,RiskEventTypes_V2,RiskLevelAggregated,RiskLevelDuringSignIn,RiskState,ResourceDisplayName,ServicePrincipalId,ServicePrincipalName,Status,TokenIssuerName,TokenIssuerType,UserAgent,UserDisplayName,UserPrincipalName,Type,AADTenantId,TenantId,Identity,Location,IPAddress,OriginalRequestId,ResourceIdentity,UserId
0,Azure AD,2020-06-11 19:55:26.519000+00:00,/tenants/8ac33302-ee2c-4b99-a924-01ffa6e2dd05/...,Sign-in activity,1.0,SignInLogs,0,,,0,5c676e3a-2259-4d10-b7cc-1fa4b241ef54,Microsoft.aadiam,Microsoft.aadiam,,4,laurence.cortez@mycompany.com,Microsoft Teams Web Client,5e3ce6c0-2b1f-4285-8d4b-75ee78787346,"[\r\n {\r\n ""authenticationStepDateTime"": ...",,"[\r\n {\r\n ""key"": ""Domain Hint Present"",\...",,[],Browser,"[{'enforcedSessionControls': [], 'conditionsNo...",success,2020-06-11 19:55:26+00:00,"{'deviceId': '', 'browser': 'Chrome 69.0.3497'}",False,79ebf008-75ef-402f-b7ab-d5b8512e5700,,{'countryOrRegion':'PL'},{},[],113,none,[],,none,none,none,Skype Presence Service,,,"{'errorCode': 0, 'additionalDetails': 'MFA req...",,AzureAD,Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/53...,Laurence Cortez,laurence.cortez@mycompany.com,SigninLogs,8ac33302-ee2c-4b99-a924-01ffa6e2dd05,b3ae965c-98b0-4b04-ac15-e7dc9878a5a3,Laurence Cortez,PL,227.199.92.44,dba77c6d-0264-4b15-b1ef-3d6194ca0e34,0e4e5dab-d078-4281-967e-e5248fb9f3f9,2f19f3a4-8c84-4c9b-9008-16001a508555
1,Azure AD,2020-06-11 19:55:26.519000+00:00,/tenants/8ac33302-ee2c-4b99-a924-01ffa6e2dd05/...,Sign-in activity,1.0,SignInLogs,0,,,0,5c676e3a-2259-4d10-b7cc-1fa4b241ef54,Microsoft.aadiam,Microsoft.aadiam,,4,laurence.cortez@mycompany.com,Microsoft Teams Web Client,5e3ce6c0-2b1f-4285-8d4b-75ee78787346,"[\r\n {\r\n ""authenticationStepDateTime"": ...",,"[\r\n {\r\n ""key"": ""Domain Hint Present"",\...",singleFactorAuthentication,[],Browser,"[{'enforcedSessionControls': [], 'conditionsNo...",success,2020-06-11 19:55:26+00:00,"{'deviceId': '', 'browser': 'Chrome 69.0.3497'}",False,79ebf008-75ef-402f-b7ab-d5b8512e5700,,{'countryOrRegion':'PL'},{},[],113,none,[],[],none,none,none,Skype Presence Service,,,"{'errorCode': 0, 'additionalDetails': 'MFA req...",,AzureAD,Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/53...,Laurence Cortez,laurence.cortez@mycompany.com,SigninLogs,8ac33302-ee2c-4b99-a924-01ffa6e2dd05,b3ae965c-98b0-4b04-ac15-e7dc9878a5a3,Laurence Cortez,PL,227.199.92.44,dba77c6d-0264-4b15-b1ef-3d6194ca0e34,0e4e5dab-d078-4281-967e-e5248fb9f3f9,2f19f3a4-8c84-4c9b-9008-16001a508555
2,Azure AD,2020-06-11 18:13:26.444000+00:00,/tenants/8ac33302-ee2c-4b99-a924-01ffa6e2dd05/...,Sign-in activity,1.0,SignInLogs,0,,,0,5c676e3a-2259-4d10-b7cc-1fa4b241ef54,Microsoft.aadiam,Microsoft.aadiam,,4,laurence.cortez@mycompany.com,Microsoft Teams Web Client,5e3ce6c0-2b1f-4285-8d4b-75ee78787346,"[\r\n {\r\n ""authenticationStepDateTime"": ...",,"[\r\n {\r\n ""key"": ""Domain Hint Present"",\...",,[],Browser,"[{'enforcedSessionControls': [], 'conditionsNo...",success,2020-06-11 18:13:26+00:00,"{'deviceId': '', 'browser': 'Chrome 69.0.3497'}",False,3225beb7-809e-4236-a78c-853abe885300,,{'countryOrRegion':'PL'},{},[],136,none,[],,none,none,none,Skype Presence Service,,,"{'errorCode': 0, 'additionalDetails': 'MFA req...",,AzureAD,Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/53...,Laurence Cortez,laurence.cortez@mycompany.com,SigninLogs,8ac33302-ee2c-4b99-a924-01ffa6e2dd05,b3ae965c-98b0-4b04-ac15-e7dc9878a5a3,Laurence Cortez,PL,227.199.92.44,a24954ec-ab2c-4f63-8a90-f2c488a53737,0e4e5dab-d078-4281-967e-e5248fb9f3f9,2f19f3a4-8c84-4c9b-9008-16001a508555
3,Azure AD,2020-06-11 18:13:26.444000+00:00,/tenants/8ac33302-ee2c-4b99-a924-01ffa6e2dd05/...,Sign-in activity,1.0,SignInLogs,0,,,0,5c676e3a-2259-4d10-b7cc-1fa4b241ef54,Microsoft.aadiam,Microsoft.aadiam,,4,laurence.cortez@mycompany.com,Microsoft Teams Web Client,5e3ce6c0-2b1f-4285-8d4b-75ee78787346,"[\r\n {\r\n ""authenticationStepDateTime"": ...",,"[\r\n {\r\n ""key"": ""Domain Hint Present"",\...",singleFactorAuthentication,[],Browser,"[{'enforcedSessionControls': [], 'conditionsNo...",success,2020-06-11 18:13:26+00:00,"{'deviceId': '', 'browser': 'Chrome 69.0.3497'}",False,3225beb7-809e-4236-a78c-853abe885300,,{'countryOrRegion':'PL'},{},[],136,none,[],[],none,none,none,Skype Presence Service,,,"{'errorCode': 0, 'additionalDetails': 'MFA req...",,AzureAD,Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/53...,Laurence Cortez,laurence.cortez@mycompany.com,SigninLogs,8ac33302-ee2c-4b99-a924-01ffa6e2dd05,b3ae965c-98b0-4b04-ac15-e7dc9878a5a3,Laurence Cortez,PL,227.199.92.44,a24954ec-ab2c-4f63-8a90-f2c488a53737,0e4e5dab-d078-4281-967e-e5248fb9f3f9,2f19f3a4-8c84-4c9b-9008-16001a508555
4,Azure AD,2020-06-11 19:04:26.455000+00:00,/tenants/8ac33302-ee2c-4b99-a924-01ffa6e2dd05/...,Sign-in activity,1.0,SignInLogs,0,,,0,5c676e3a-2259-4d10-b7cc-1fa4b241ef54,Microsoft.aadiam,Microsoft.aadiam,,4,laurence.cortez@mycompany.com,Microsoft Teams Web Client,5e3ce6c0-2b1f-4285-8d4b-75ee78787346,"[\r\n {\r\n ""authenticationStepDateTime"": ...",,"[\r\n {\r\n ""key"": ""Domain Hint Present"",\...",singleFactorAuthentication,[],Browser,"[{'enforcedSessionControls': [], 'conditionsNo...",success,2020-06-11 19:04:26+00:00,"{'deviceId': '', 'browser': 'Chrome 69.0.3497'}",False,3cec888c-db1c-4157-87f4-dff140b48500,,{'countryOrRegion':'PL'},{},[],141,none,[],[],none,none,none,Skype Presence Service,,,"{'errorCode': 0, 'additionalDetails': 'MFA req...",,AzureAD,Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/53...,Laurence Cortez,laurence.cortez@mycompany.com,SigninLogs,8ac33302-ee2c-4b99-a924-01ffa6e2dd05,b3ae965c-98b0-4b04-ac15-e7dc9878a5a3,Laurence Cortez,PL,227.199.92.44,73e93e09-e791-4f4d-b0d3-affd9c2dff4a,0e4e5dab-d078-4281-967e-e5248fb9f3f9,2f19f3a4-8c84-4c9b-9008-16001a508555
