Learning Path 8 - Lab 1 - Exercise 2 - Threat Hunting using Notebooks with Microsoft Sentinel

Lab scenario

You are a Security Operations Analyst working at a company that implemented Microsoft Sentinel. You need to explore the benefits of threat hunting with Microsoft Sentinel Notebooks. You can use notebooks to:

  • Perform analytics that are not provided out-of-the box in Microsoft Sentinel, such as some Python machine learning features.
  • Create data visualizations that are not provided out-of-the box in Microsoft Sentinel, such as custom timelines and process trees.
  • Integrate data sources outside of Microsoft Sentinel, such as an on-premises data set.

Note: An interactive lab simulation is available that allows you to click through this lab at your own pace. You may find slight differences between the interactive simulation and the hosted lab, but the core concepts and ideas being demonstrated are the same.

Task 1: Explore Notebooks

In this task, you will explore using notebooks in Microsoft Sentinel.

  1. Log in to WIN1 virtual machine as Admin with the password: Pa55w.rd.

  2. In the Edge browser, navigate to the Azure portal at https://portal.azure.com.

  3. In the Sign in dialog box, copy and paste in the Tenant Email account provided by your lab hosting provider and then select Next.

  4. In the Enter password dialog box, copy and paste in the Tenant Password provided by your lab hosting provider and then select Sign in.

  5. In the Search bar of the Azure portal, type Sentinel, then select Microsoft Sentinel.

  6. Select your Microsoft Sentinel Workspace.

  7. In the Microsoft Sentinel Workspace, select Notebooks under the Threat management area.

  8. Next, you need to create an AzureML Workspace. Select Configure Azure Machine Learning and then select Create new Azure ML workspace button in the command bar.

  9. In the Subscription box, select your subscription.

  10. Select Create new for the Resource group and enter RG-MachineLearning for the Name and select OK.

  11. In the Workspace details section do the following:

    • Give your workspace a unique name.
    • Leave East US as the default value for Region.
    • Keep the default Storage account, Key vault, and Application insights information.
    • The Container registry option can remain as None.
  12. At the bottom of the page, select Review + create. When you see the “Validation passed” message, select Create.

    Note: It may take a few minutes to deploy the Machine Learning workspace.

  13. After Your deployment is complete message appears, return to the Microsoft Sentinel portal.

  14. Select Notebooks again and then select the Templates tab from the middle command bar.

  15. Select A Getting Started Guide for Microsoft Sentinel ML Notebooks.

  16. On the right pane, scroll down and select Create from template button. Review the default options and then select Save.

  17. Once the saving is done, select the Launch notebook button. This will take you to the Microsoft Azure Machine Learning Studio.

  18. Select Close if an informational window appears in the Microsoft Azure Machine Learning Studio.

  19. In the command bar, to the right of the Compute instance: selector, select the + symbol to create a new compute instance. Hint: It might be hidden inside the ellipsis icon (…).

    Note: You can have more screen space by hiding the Azure ML Studio left blade by selecting the 3 lines on the top left, as well as the Notebooks Files selecting the « icon.

  20. Type a unique name in the Compute name field. This will identify you compute instance.

  21. Scroll down and select the first option available. Hint: Workload type: Development on Notebooks and light weight testing.

  22. Select the Create button at the bottom of the screen. Close any feedback window that may appear. This will take a few minutes, you will see a notification (bell icon) when it is done and the Compute instance left icon turns from blue to green.

  23. Once the Compute has been created and running, verify that the kernel to use is Python 3.8 - AzureML. Hint: This is shown in the right of the command bar.

  24. Select the Authenticate button and wait for the authentication to complete.

  25. Clear all the results from the notebook by selecting the Clear all outputs from the command bar and follow the Getting Started tutorial. Hint: This can be found by selecting the ellipsis (…) from the command bar.

Note: If you cannot complete the steps above to access the Notebook, you can follow it on its GitHub viewwer page instead. Getting Started with Azure ML Notebooks and Microsoft Sentinel

You have completed the lab.