While hunting in Azure, you might find yourself pivoting from one resource to another or find that you may want to see the whole workspace from a big picture point of view. The Guided Hunting: Azure Resource Explorer notebook will allow you to take advantage of the new Azure Resource API and visualize all the resources in your subscription. It will also provide general contextual TI info about your resources of interest to help you recognize unusual behaviors.
The notebook can be accessed here and a full video walkthrough is attached below and available by link here.
This notebook is one of a collection of Azure Sentinel Jupyter Notebooks. If you are not already familiar with them, please check out this blog series covering how Jupyter Notebooks can be helpful in threat hunting: Part 1, Part 2, Part 3.
Additionally, the notebook heavily uses MSTICpy, which has detailed documentation that you can use to customize any of the notebooks we publish.
Notebook Setup and Configuration
We encourage you to run this notebook directly using Azure ML Notebooks. If you haven’t used it before, this video has a thorough explanation on how to set it up. This video also covers how to set up the msticpyconfig.yaml file, which is also necessary to run the notebook.
You can also run it using Jupyter Lab, Jupyter Notebook, or VSCode, given a proper Python environment on your machine. The images in this blog are taken from when the notebook was run using Jupyter Notebook.
The notebook begins by making sure your Python environment is properly set up and the correct packages, including MSTICpy, have been installed.
Connecting to Azure
Run the next two cells to log in to your Azure account and connect to your Azure Workspace.
The two cells after that, in the Connect to ResourceGraph and LogAnalytics section, will enable us to query security logs for resource information.
Selecting a Resource to Investigate
Run the first cell in this section to select a time range. All queries that follow will be in this time range (although you can edit those KQL queries later).
Run the second cell if you already have a resource of interest in mind while you’re running the notebook.
If not, run the third cell to generate a summary table of alerts and their related resources. If any of these piques your interest or looks suspicious, you can choose that resource in the dropdown generated by the final cell in this section.
View Resource Graph
This section generates a graph that helps you visualize all of the resources in your subscription. It is broken down into different sections to help make the code more understandable and customizable. Run each cell in order and wait for a printed confirmation that it was run successfully before moving on to the next cell.
The show graph section will print out your interactive graph visualization. There is a bullet point list explaining how to read the graph. It is printed again here:
- The size of each circle represents how many alerts are related to the resource it stands for. The resource you selected above to investigate is drawn in a darker green than the rest.
- Hover over each circle for information on its name, type, and the number of alerts associated with it.
- Use the selector tool to choose the types of resources you want displayed in the graph. Be aware that the graph will not update unless you also update the slider after changing the selector.
- Use the slider to filter by the number of alerts. We recommend clicking on the slider rather than dragging it, because dragging makes the graph slowly regenerate once for every value you pass over.
The graph also enables you to zoom in and pan and drag however you would like that would best help you understand your environment. Taking a look at it might help you realize that there’s another resource you want to investigate. In that case, you can run the notebook again on that resource. The sections below the graph section will also help you figure this out and focus your hunt.
This section provides contextual information, including TI information, on the resource that you chose.
This section prints out SecurityAlert log entries that are related to the resource of choice. It also attaches any relevant TI information based on IP addresses to the table so you can pivot on anything suspicious. Relevant Entity Explorer notebooks are linked in the notebook and also below if you find something interesting to pivot on.
There is also a timeline that can help you narrow down your scope as you pivot.
Parse Resource Graph
The Resource Graph API (link) can be very useful for getting general information about a resource. This next section lets you choose a different resource and take a quick look at its details in case you want to pivot to it.
Location and Resource Type Counts
An unusual location or an unusually large count of a certain type of resource can also signify malicious behavior. This section prints out a quick summary of these to see if they match your expectations.
Related AzureActivityLogs Activity
Similar to the Related Alerts section above, this section queries AzureActivityLogs for the resource you are investigating. It also uses TI information to flag the severity of the IP addresses found. Again, we recommend using an Entity Explorer on anything of interest. A timeline is provided to narrow your query scope as you hunt and to help you notice suspicious time periods.
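As an added example that is not the notebook's own code, the following Python models the summary steps the sections above describe on constructed data: a few Resource Graph rows (placeholder subscription id), SecurityAlert rows with an Entities JSON string, and a stand-in TI lookup in place of the msticpy TI providers. It computes the per-resource alert counts that size the graph's circles, applies the type selector and alert slider, produces the location and resource type counts, and flags alert IP addresses with a TI severity.

```python
"""Offline model of the notebook's resource summary steps, built on constructed data."""
import json
from collections import Counter
# Constructed Resource Graph rows (placeholder subscription id), shaped like
# `resources | project id, name, type, location` output.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers/"
RESOURCES = [
    {"id": SUB + "Microsoft.Compute/virtualMachines/vm-web01", "name": "vm-web01",
     "type": "microsoft.compute/virtualmachines", "location": "eastus"},
    {"id": SUB + "Microsoft.Compute/virtualMachines/vm-db01", "name": "vm-db01",
     "type": "microsoft.compute/virtualmachines", "location": "eastus"},
    {"id": SUB + "Microsoft.Storage/storageAccounts/stbackup01", "name": "stbackup01",
     "type": "microsoft.storage/storageaccounts", "location": "westeurope"},
]
# Constructed SecurityAlert rows; Entities is the JSON string Sentinel stores. One ResourceId
# is lower-cased on purpose, since alert and Resource Graph ids do not always agree on case.
ALERTS = [
    {"AlertName": "Suspicious login", "ResourceId": RESOURCES[0]["id"],
     "Entities": json.dumps([{"Type": "ip", "Address": "203.0.113.7"}])},
    {"AlertName": "Brute force attempt", "ResourceId": RESOURCES[0]["id"].lower(),
     "Entities": json.dumps([{"Type": "account", "Name": "svc-web"}])},
    {"AlertName": "Anomalous query", "ResourceId": RESOURCES[1]["id"],
     "Entities": json.dumps([{"Type": "ip", "Address": "198.51.100.9"}])},
]
# Constructed TI lookup standing in for the msticpy TI providers the notebook calls.
TI_SEVERITY = {"203.0.113.7": "high"}

def alert_counts(resources, alerts):
    """Alerts per resource id, case-insensitive; this is what sizes each circle in the graph."""
    counts = Counter(a["ResourceId"].lower() for a in alerts)
    return {r["id"]: counts.get(r["id"].lower(), 0) for r in resources}

def location_type_counts(resources):
    """The Location and Resource Type Counts summary."""
    return Counter(r["location"] for r in resources), Counter(r["type"] for r in resources)

def flag_alert_ips(alerts, ti):
    """Extract IP entities from each alert and attach the TI severity (unknown if no hit)."""
    return [(a["AlertName"], e["Address"], ti.get(e["Address"], "unknown"))
            for a in alerts for e in json.loads(a["Entities"]) if e.get("Type", "").lower() == "ip"]

def filter_graph_nodes(resources, counts, wanted_types, min_alerts):
    """Apply the type selector and alert-count slider: ids that survive both filters."""
    return sorted(r["id"] for r in resources
                  if r["type"] in wanted_types and counts[r["id"]] >= min_alerts)

if __name__ == "__main__":
    counts = alert_counts(RESOURCES, ALERTS)
    print(counts, location_type_counts(RESOURCES), flag_alert_ips(ALERTS, TI_SEVERITY))
    print(filter_graph_nodes(RESOURCES, counts, {"microsoft.compute/virtualmachines"}, 2))
```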
It can be difficult to navigate all of the resources in a workspace, but the new Azure Resource API and this notebook can help you visualize what's going on as you hunt. We hope you find this helpful. Feel free to customize it to your needs, and let us know if you have any suggestions for improvements we can make.