Visualize User and App Access Connections in Azure using Jupyter Notebooks in Microsoft Sentinel
Published Feb 17 2022 10:28 AM 2,946 Views
Senior Member

My name is TJ Dolan, I am a founder of Senserva, a Microsoft focused security solutions vendor.  We create innovative security data driven solutions with the goal of making both cloud administrators and security experts life’s a little easier via the automation of critical and often time-consuming tasks. 

 

As the leader of the Senserva product development efforts, I am always pushing us to learn and do new things as we work to help users of Microsoft Sentinel and Azure in general.   

 

I jumped when I saw a post from Rod Trent that talked about a Microsoft Sentinel Hackathon using Sentinel Notebooks. We had been working with KQL and Sentinel Workbooks but we struggled with not having a procedural computer language and our queries where getting more and more complex.  I knew right away Notebooks would solve this problem, and maybe, just maybe, we would win the Hackathon to boot. 

 

While we did not win that the main Hackathon prize, we won an even bigger one.  We started using Azure Notebooks and we quickly were creating great reports, pulling the same data from the Log Analytics Workspace as we have always done.  Soon our entire team was learning and using Notebooks.  Now it is how we do our deep user interfaces.  Queries are great for getting a lot of different data quickly, and Notebooks show it easily. For the complicated tasks we want to solve for our customers, our driving goal, we needed Notebooks.  

  

We find Notebooks to be a great way for users to not only visualize our data, but also interact with it. Notebooks allow our team to also report data in vastly different ways, providing an immense level of flexibility to the end user for their needs. Let’s jump into an example of this. 

 

  

One of the key tenets for Azure security is the user account. Not exactly a new concept there, but what can be more informative to people that are just jumping into Azure is how far that can extend. A user account can be a member of a group, have Active Directory roles assigned to them (either permanently or temporarily through Azure PIM), own devices, and have different levels of permissions to using applications like Sharepoint. A user can be included or, more importantly, excluded from the controls of a Conditional Access Policy. The is just a small subset of everything a user can be involved with. It’s enough to make your head spin. 

  

Before Notebooks, we talked with a multitude of companies about how complicated it can be to secure their Azure Active Directory network. Those who were less knowledgeable about cloud environments couldn’t wrap their heads around this concept easily. With Notebooks, our team can not only tell them but show them what a network can look like. This was the problem we aimed to solve in the Sentinel Hackathon. 

  

Our engine will scan a user’s tenant (or tenants, we’re Multi-tenant by design!) and provide data to Microsoft Sentinel. Using Notebooks, we can map the data points and visualize as an easy to read HTML table: 

 

TJ_Dolan_Senserva_0-1644937386041.png

 

 

 

This isn’t just a static table either, you can expand and reorder the data how you want: 

 

TJ_Dolan_Senserva_1-1644937386049.png

 

 

 

This is a great way to start someone out, help them see all the mappings that exist in their tenant. The table is also ready to drop into an internal presentation. 

 

The table above will show connections. Connections can be something as simple as a User being assigned a Role e.g. George Washington assigned as Global Administrator. Where it can get tricky is when indirect connections are created, such as Groups being assigned Roles instead of individual Users e.g. Global Administrator role is assigned to the group Founding Fathers, which user George Washington is a member of. 

 

For those that are more visual learners, we find visualizing as a network graph to be useful. They can see at once just how connected their network really is, all made possible with Sentinel Notebooks: 

 

TJ_Dolan_Senserva_2-1644937386051.png

 

 

 

Both these visuals run off the exact same data set, visualized differently by Sentinel Notebooks. This should tell just how powerful this tool can be in your kit. With the graph visual, we can see the system has picked out a particular object as being of more risk, based on the red color. With this being forefront, we see in the popup that it’s a user called Benedict Arnold. He’s connected to several other items like Groups, Roles, and Apps indicating that the user commands a high level of permission and influence over the network but is not known to be a member of the admin team. By pushing this relationship data up, the admin team can effectively pinpoint network vulnerabilities and disable accounts and/or remove excess permissions. Both the graph visual and table help detail out the relationships between this user and other objects. 

 

TJ_Dolan_Senserva_3-1644937386053.png

 

 

 

TJ_Dolan_Senserva_4-1644937386055.png

 

 

 

Microsoft has further streamlined Notebook functionality with their MsticPy library. With a few simple commands, you can fetch data, chart on a timeline, and create fantastic visuals. Our team has worked with the FoliumMap visuals of MsticPy, plotting points on a map with our data enhancements. We’ve worked with their team recently to enhance MsticPy, to add Clustering and GeoHash functionality to MsticPy.  

 

TJ_Dolan_Senserva_5-1644937386059.png

 

 

 

To sum up, Sentinel Notebooks have been a boon to our company. They have fast tracked our development cycles and help streamline adoption of Microsoft Sentinel for those with complex reporting needs. We greatly look forward to continuing using Notebooks and what’s next for them. 

 

 

Co-Authors
Version history
Last update:
‎Mar 07 2022 08:03 AM
Updated by: