Azure
GitHub Repository: Azure/Azure-Sentinel-Notebooks
Path: blob/master/src/Snippets/Snippets.json
{
"Microsoft Sentinel - Get Configuration parameters": {
"prefix": [ "get-sentinelconfiguration", "get-sentinelconfig" ],
"body": [
"########################################################################",
"# Microsoft Sentinel - Get Microsoft Sentinel Configuration parameters #",
"########################################################################",
"import json",
"def read_config_values(file_path):",
" 'This loads pre-generated parameters for Microsoft Sentinel Workspace'",
" with open(file_path) as json_file:",
" if json_file:",
" json_config = json.load(json_file)",
" return (json_config['${1:tenant_id}'],",
" json_config['${2:subscription_id}'],",
" json_config['${3:resource_group}'],",
" json_config['${4:workspace_id}'],",
" json_config['${5:workspace_name}'],",
" json_config['${6:user_alias}'],",
" json_config['${7:user_object_id}'])",
" return None",
"",
"# Calling the above function to populate Microsoft Sentinel workspace parameters",
"# The file, config.json, was generated by the system; you may modify the values or set the variables manually. It holds tenant, subscription, workspace and user identifiers, so treat it as sensitive and keep it out of shared notebooks and source control.",
"tenant_id, subscription_id, resource_group, workspace_id, workspace_name, user_alias, user_object_id = read_config_values('config.json')"
],
"description": "Get Microsoft Sentinel configuration parameters from config.json"
},
"Microsoft Sentinel - Set up environment for MSTICPy": {
"prefix": [ "msticpy-setup" ],
"body": [
"#######################################################",
"# Microsoft Sentinel - Set up environment for MSTICPy #",
"#######################################################",
"# import some modules needed in this cell. Note: the %pip line below upgrades msticpy to the latest unpinned release on every run; pin a version if you need reproducible, reviewable installs.",
"from pathlib import Path",
"from IPython.display import display, HTML",
"",
"display(HTML('Checking upgrade to latest msticpy version'))",
"%pip install --upgrade --quiet msticpy[azsentinel]",
"",
"display(HTML('<h3>Starting Notebook setup...</h3>'))",
"# initialize msticpy",
"try:",
" from msticpy.nbtools import nbinit",
" nbinit.init_notebook(",
" namespace=globals(),",
" extra_imports=[]",
" )",
"except ImportError:",
" print('MSTICPy not installed, please restart the kernel to ensure MSTICPy is installed.')"
],
"description": "Set up the execution environment for MSTICPy"
},
"Microsoft Sentinel - Authenticate with MSTICPy": {
"prefix": [ "msticpy-azs-connect" ],
"body": [
"##############################################",
"# Microsoft Sentinel - Authenticate with MSTICPy #",
"##############################################",
"",
"from msticpy.data.data_providers import QueryProvider",
"from msticpy.common.wsconfig import WorkspaceConfig",
"",
"ws_config = WorkspaceConfig()",
"if not ws_config.config_loaded:",
"ws_config.prompt_for_ws()",
"",
"qry_prov = QueryProvider(data_environment='AzureSentinel')",
"qry_prov.connect(ws_config)",
""
],
"description": "Load a Microsoft Sentinel query provider and connect to the default workspace with MSTICPy"
},
"Microsoft Sentinel - Set up MSTICPy Pivots": {
"prefix": [ "msticpy-azs-pivots" ],
"body": [
"##########################################",
"# Microsoft Sentinel - Set up MSTICPy Pivots #",
"##########################################",
"",
"from msticpy.data.data_providers import QueryProvider",
"from msticpy.common.wsconfig import WorkspaceConfig",
"",
"ws_config = WorkspaceConfig()",
"if not ws_config.config_loaded:",
"ws_config.prompt_for_ws()",
"",
"qry_prov = QueryProvider(data_environment='AzureSentinel')",
"qry_prov.connect(ws_config)",
"",
"from msticpy.datamodel.pivot import Pivot",
"Pivot(namespace=globals())",
"Pivot.browse()"
],
"description": "Set up MSTICPy Pivots to use Microsoft Sentinel"
},
"Microsoft Sentinel - Set up MSTICNb": {
"prefix": [ "msticnb-setup" ],
"body": [
"###################################",
"# Microsoft Sentinel - Set up MSTICNb #",
"###################################",
"from IPython.display import display, HTML",
"",
"display(HTML('Checking upgrade to latest msticnb version'))",
"%pip install --upgrade --quiet msticnb",
"",
"display(HTML('<h3>Starting Notebooklet setup...</h3>'))",
"# initialize msticnb (the %pip line above upgrades msticnb to the latest unpinned release on every run; pin a version if you need reproducible, reviewable installs)",
"try:",
" import msticnb as nb",
" nb.init(query_provider='AzureSentinel')",
" nb.browse()",
"except ImportError:",
" print('MSTICNb not installed, please restart the kernel to ensure MSTICNb is installed.')"
],
"description": "Install and load MSTICNb and display a browser showing available notebooklets."
},
"Microsoft Sentinel - Authenticate into Azure Log Analytics": {
"prefix": [ "login-loganalytics" ],
"body": [
"########################################################",
"# Microsoft Sentinel - Authenticate to Azure Log Analytics #",
"########################################################",
"# Azure CLI uses the device-code flow to log in to Azure: copy the code it prints and enter it only on the Microsoft device-login site the CLI names. Never enter a device code from a prompt you did not start yourself; device-code prompts are a common phishing lure.",
"# !!! You need [tenant_id] and [subscription_id] (set by the configuration snippet above) to log in to Azure !!!",
"from azure.common.client_factory import get_client_from_cli_profile",
"from azure.common.credentials import get_azure_cli_credentials",
"from azure.loganalytics import LogAnalyticsDataClient",
"from azure.mgmt.loganalytics import LogAnalyticsManagementClient",
"from azure.loganalytics.models import QueryBody",
"",
"!az login --use-device-code",
"la_client = get_client_from_cli_profile(LogAnalyticsManagementClient, subscription_id = subscription_id)",
"creds, _ = get_azure_cli_credentials(resource='https://api.loganalytics.io')",
"la_data_client = LogAnalyticsDataClient(creds)",
" ",
"# Query sample: ",
"# query = 'union withsource = SentinelTableName * | distinct SentinelTableName | sort by SentinelTableName asc'",
"# result = la_data_client.query(workspace_id, QueryBody(query=query))",
"# print(result.as_dict())"
],
"description": "Use the Azure CLI (device-code login) to authenticate to Azure Log Analytics"
}
}