Learning Path 8 - Lab 1 - Exercise 2 - Threat Hunting using Notebooks with Microsoft Sentinel
Lab scenario
You are a Security Operations Analyst working at a company that implemented Microsoft Sentinel. You need to explore the benefits of threat hunting with Microsoft Sentinel Notebooks. You can use notebooks to:
- Perform analytics that are not provided out-of-the box in Microsoft Sentinel, such as some Python machine learning features.
- Create data visualizations that are not provided out-of-the box in Microsoft Sentinel, such as custom timelines and process trees.
- Integrate data sources outside of Microsoft Sentinel, such as an on-premises data set.
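To make the first two bullets concrete, here is an added example of the kind of analysis a notebook cell can run over exported Sentinel data: a process tree and an hourly timeline built from process-creation rows. This is illustration code written for this page, not code from the lab or from the Microsoft Sentinel Getting Started notebook, and it uses only the Python standard library rather than the libraries the notebook itself imports. The column names (TimeGenerated, Computer, EventID, ProcessId, NewProcessId, NewProcessName, CommandLine, SubjectUserName) follow the SecurityEvent table; the rows themselves are constructed sample data, and the office_spawned_shell check and its app lists are a hypothetical hunting heuristic, not a built-in Sentinel rule.

```python
"""Process tree, ancestry and timeline helpers over Sentinel-style SecurityEvent rows.

Added illustration for this lab page; not code from the lab or the Getting Started
notebook. Standard library only, so it runs outside Azure ML as well.
"""
import ntpath
from collections import defaultdict
from datetime import datetime

# Constructed sample rows shaped like SecurityEvent (EventID 4688, process creation).
# Hosts, PIDs and timestamps are made up for this example.
SAMPLE_EVENTS = [
    {"TimeGenerated": "2023-05-01T09:00:05Z", "Computer": "WIN1", "EventID": 4688,
     "ProcessId": "0x1a0", "NewProcessId": "0x4e8",
     "NewProcessName": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe",
     "SubjectUserName": "Admin"},
    {"TimeGenerated": "2023-05-01T09:01:10Z", "Computer": "WIN1", "EventID": 4688,
     "ProcessId": "0x4e8", "NewProcessId": "0x7c0",
     "NewProcessName": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "CommandLine": "WINWORD.EXE invoice.docx", "SubjectUserName": "Admin"},
    {"TimeGenerated": "2023-05-01T09:01:42Z", "Computer": "WIN1", "EventID": 4688,
     "ProcessId": "0x7c0", "NewProcessId": "0x9d4",
     "NewProcessName": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami",
     "SubjectUserName": "Admin"},
    {"TimeGenerated": "2023-05-01T09:01:43Z", "Computer": "WIN1", "EventID": 4688,
     "ProcessId": "0x9d4", "NewProcessId": "0xa10",
     "NewProcessName": r"C:\Windows\System32\whoami.exe", "CommandLine": "whoami",
     "SubjectUserName": "Admin"},
    {"TimeGenerated": "2023-05-01T10:30:00Z", "Computer": "WIN1", "EventID": 4688,
     "ProcessId": "0x4e8", "NewProcessId": "0xb22",
     "NewProcessName": r"C:\Windows\notepad.exe", "CommandLine": "notepad.exe",
     "SubjectUserName": "Admin"},
]

# Hypothetical heuristic lists for the hunting check below (assumption, not a Sentinel rule).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe"}


def image_name(path):
    """File name of a Windows image path, regardless of the OS running the notebook."""
    return ntpath.basename(path)


def build_process_tree(events):
    """Index 4688 rows by (host, child PID) and by (host, parent PID).

    Keys include the host name so PIDs from different machines never collide.
    """
    children = defaultdict(list)
    by_pid = {}
    for ev in events:
        if ev.get("EventID") != 4688:
            continue
        host = ev["Computer"]
        by_pid[(host, ev["NewProcessId"])] = ev
        children[(host, ev["ProcessId"])].append(ev)
    return children, by_pid


def ancestry(events, host, pid):
    """Image names from the earliest known ancestor down to the given process."""
    _, by_pid = build_process_tree(events)
    chain, seen, key = [], set(), (host, pid)
    while key in by_pid and key not in seen:  # 'seen' guards against PID reuse loops
        seen.add(key)
        row = by_pid[key]
        chain.append(image_name(row["NewProcessName"]))
        key = (host, row["ProcessId"])
    return list(reversed(chain))


def render_tree(events):
    """Indented text process tree; one line per process, children ordered by time."""
    children, by_pid = build_process_tree(events)
    roots = [ev for ev in by_pid.values() if (ev["Computer"], ev["ProcessId"]) not in by_pid]
    lines = []

    def walk(ev, depth):
        lines.append("  " * depth + f"{image_name(ev['NewProcessName'])} "
                     f"[{ev['NewProcessId']}] {ev['CommandLine']}")
        for child in sorted(children[(ev["Computer"], ev["NewProcessId"])],
                            key=lambda r: r["TimeGenerated"]):
            walk(child, depth + 1)

    for root in sorted(roots, key=lambda r: r["TimeGenerated"]):
        walk(root, 0)
    return lines


def office_spawned_shell(events):
    """Hunting check: shell processes whose parent is an Office application."""
    _, by_pid = build_process_tree(events)
    hits = []
    for ev in by_pid.values():
        child = image_name(ev["NewProcessName"]).lower()
        parent = by_pid.get((ev["Computer"], ev["ProcessId"]))
        if parent and child in SHELLS and image_name(parent["NewProcessName"]).lower() in OFFICE_APPS:
            hits.append((ev["Computer"], image_name(parent["NewProcessName"]), child, ev["CommandLine"]))
    return hits


def hourly_timeline(events):
    """Custom timeline: number of process creations per UTC hour, in time order."""
    counts = defaultdict(int)
    for ev in events:
        ts = datetime.strptime(ev["TimeGenerated"], "%Y-%m-%dT%H:%M:%SZ")
        counts[ts.strftime("%Y-%m-%d %H:00")] += 1
    return dict(sorted(counts.items()))


if __name__ == "__main__":
    print("\n".join(render_tree(SAMPLE_EVENTS)))
    print(ancestry(SAMPLE_EVENTS, "WIN1", "0xa10"))
    print(office_spawned_shell(SAMPLE_EVENTS))
    print(hourly_timeline(SAMPLE_EVENTS))
```

In a real notebook the rows would come from a KQL query against the workspace instead of the constructed list, but the shape of the data is the same, which is why indexing by (host, PID) rather than PID alone matters once several computers report into one workspace.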
Task 1: Explore Notebooks
In this task, you will explore using notebooks in Microsoft Sentinel.
- Log in to the WIN1 virtual machine as Admin with the password: Pa55w.rd.
- In the Edge browser, navigate to the Azure portal at https://portal.azure.com.
- In the Sign in dialog box, copy and paste in the Tenant Email account provided by your lab hosting provider and then select Next.
- In the Enter password dialog box, copy and paste in the Tenant Password provided by your lab hosting provider and then select Sign in.
- In the Search bar of the Azure portal, type Sentinel, then select Microsoft Sentinel.
- Select your Microsoft Sentinel Workspace.
- In the Microsoft Sentinel Workspace, select Notebooks.
- Next, you need to create an Azure ML workspace. Select Configure Azure Machine Learning and then select the Create new Azure ML workspace button in the command bar.
- In the Subscription box, select your subscription.
- Select Create new for the Resource group, enter RG-MachineLearning for the Name, and select OK.
- In the Workspace details section, do the following:
  - Give your workspace a unique name.
  - Leave East US as the default value for Region.
  - Keep the default Storage account, Key vault, and Application insights information.
  - The Container registry option can remain as None.
- At the bottom of the page, select Review + create. When you see the “Validation passed” message, select Create.
  Note: It may take a few minutes to deploy the Machine Learning workspace.
- After the “Your deployment is complete” message appears, return to the Microsoft Sentinel portal.
- Select Notebooks and then select the Templates tab from the middle command bar.
- Select A Getting Started Guide for Microsoft Sentinel ML Notebooks.
- On the right pane, scroll down and select the Create from template button. Review the default options and select Save.
- Once the save completes, select the Launch notebook button. This takes you to Microsoft Azure Machine Learning Studio.
- Select Close if an informational window appears in Microsoft Azure Machine Learning Studio.
- In the command bar, to the right of the Compute: instance selector, select the + symbol to create a new compute instance.
- Type a unique name in the Compute name field. This name identifies your compute instance.
- Scroll down and select the first option available. Hint: Workload type: Development on Notebooks and light weight testing.
- Select the Create button at the bottom of the screen. Close any feedback window that may appear. Creation takes a few minutes; you will see a notification (bell icon) when it is done.
- Once the compute instance has been created and is running, verify that the kernel in use is Python 3.8 - AzureML. Hint: This is shown at the right of the command bar. You can also increase your screen size by selecting « under the Notebooks menu.
- Select the Authenticate button and wait for the authentication to complete.
- Clear all the results from the notebook by selecting Clear all outputs from the command bar, then follow the Getting Started tutorial. Hint: Clear all outputs can be found by selecting the ellipsis (…) from the command bar.
Note: If you cannot complete the steps above to access the Notebook, you can follow it on its GitHub page instead. See the notebook file here: Microsoft Sentinel Notebooks on GitHub