notebooks
Anomaly detection and Explanation with Isolation Forest and SHAP using Microsoft Sentinel Notebooks
In this blog, we demonstrate how to identify anomalous Windows logon sessions using an Isolation Forest algorithm in an Azure ML studio notebook connected to a Microsoft Sentinel workspace. We then use the SHAP (SHapley Additive exPlanations) library to explain the model's output and give SOC analysts the reasoning behind each anomaly, so that investigation is faster than manually working out why a black-box model produced a high score.

msticpy - Python Defender Tools
msticpy is a package of Python tools intended for security investigations and hunting (primarily in Jupyter notebooks). The article gives an overview of many of the modules and classes in msticpy, with illustrations of how they are used. [Note: superseded by a newer version; please see "MSTICPy and Jupyter Notebooks in Azure Sentinel".]

Using Threat Intelligence in your Jupyter Notebooks
Use threat intelligence in your hunting and investigation notebooks. Ever wanted to look up an IoC in multiple TI providers without installing a bunch of packages or hand-crafting HTTP requests? TILookup is a multi-provider TI query module. It supports providers such as OTX, VirusTotal, Azure Sentinel and XForce (others are in the pipeline, and you can add your own).

Why Use Jupyter for Security Investigations?
"Why would I use Jupyter notebooks to work with Azure Sentinel data rather than the built-in query and investigation tools?" This article summarizes some of the reasons you might want to add Jupyter to your palette of investigation and hunting tools for Azure Sentinel.
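As an added example for the Isolation Forest and SHAP post listed above (this is not code from that post, from msticpy or from the SHAP library), the block below shows the two ideas end to end on constructed logon-session data. It reimplements the Isolation Forest algorithm in plain Python rather than calling scikit-learn, so you can see why a session that is unusual on every feature is isolated in one or two splits and gets a score near 1, and it computes exact Shapley attributions with a per-feature median baseline, which is the quantity SHAP's explainers approximate for larger feature sets. The three session features (logon count, distinct hosts, logon hour) and the single injected outlier are assumptions for illustration, not the Sentinel query schema from the post.

```python
import math
import random
from statistics import median

# Constructed sample rows, one per Windows logon session, with three assumed
# features: logons in the session, distinct hosts touched, logon hour.
# Illustrative data only, not the blog post's Sentinel query output.
FEATURES = ["logon_count", "distinct_hosts", "logon_hour"]

def build_sessions(seed=7, n=200):
    rng = random.Random(seed)
    rows = [[rng.randint(3, 15), rng.randint(1, 3), rng.randint(8, 18)] for _ in range(n)]
    rows.append([180, 40, 3])  # constructed outlier: many logons, many hosts, 03:00
    return rows

def _c(n):
    """Expected path length of an unsuccessful BST search on n points (Liu et al.)."""
    if n <= 1:
        return 0.0
    return 2.0 * (math.log(n - 1) + 0.5772156649) - 2.0 * (n - 1) / n

def _build_tree(rows, rng, depth, max_depth):
    n = len(rows)
    if depth >= max_depth or n <= 1:
        return ("leaf", n)
    # Only split on a feature that still varies inside this node.
    candidates = [f for f in range(len(FEATURES))
                  if min(r[f] for r in rows) < max(r[f] for r in rows)]
    if not candidates:
        return ("leaf", n)
    f = rng.choice(candidates)
    lo, hi = min(r[f] for r in rows), max(r[f] for r in rows)
    split = rng.uniform(lo, hi)  # random split value between the node's min and max
    left = [r for r in rows if r[f] < split]
    right = [r for r in rows if r[f] >= split]
    return ("node", f, split,
            _build_tree(left, rng, depth + 1, max_depth),
            _build_tree(right, rng, depth + 1, max_depth))

def _path_length(tree, x, depth=0):
    if tree[0] == "leaf":
        return depth + _c(tree[1])  # credit unresolved leaves with their expected extra depth
    _, f, split, left, right = tree
    return _path_length(left if x[f] < split else right, x, depth + 1)

class IsolationForest:
    def __init__(self, n_trees=100, sample_size=256, seed=0):
        self.n_trees, self.sample_size, self.seed = n_trees, sample_size, seed
        self.trees, self.psi = [], 0

    def fit(self, rows):
        rng = random.Random(self.seed)
        self.psi = min(self.sample_size, len(rows))
        max_depth = math.ceil(math.log2(self.psi))
        self.trees = [_build_tree(rng.sample(rows, self.psi), rng, 0, max_depth)
                      for _ in range(self.n_trees)]
        return self

    def score(self, x):
        """Anomaly score in (0, 1]: close to 1 means isolated in very few splits."""
        e = sum(_path_length(t, x) for t in self.trees) / len(self.trees)
        return 2 ** (-e / _c(self.psi))

def shapley_values(f, x, baseline):
    """Exact Shapley attribution of f(x) - f(baseline) across features, with
    'absent' features set to their baseline value. Enumerating all coalitions
    is fine for three features; SHAP's explainers approximate this for many."""
    m = len(x)
    phi = [0.0] * m
    for i in range(m):
        others = [j for j in range(m) if j != i]
        for mask in range(1 << len(others)):
            S = {others[k] for k in range(len(others)) if mask >> k & 1}
            w = math.factorial(len(S)) * math.factorial(m - len(S) - 1) / math.factorial(m)
            with_i = [x[j] if j in S or j == i else baseline[j] for j in range(m)]
            without = [x[j] if j in S else baseline[j] for j in range(m)]
            phi[i] += w * (f(with_i) - f(without))
    return phi

def explain_session(model, rows, x):
    """Returns (baseline, attributions); the baseline is the per-feature median session."""
    baseline = [median(r[f] for r in rows) for f in range(len(FEATURES))]
    return baseline, shapley_values(model.score, x, baseline)

if __name__ == "__main__":
    sessions = build_sessions()
    model = IsolationForest().fit(sessions)
    ranked = sorted(range(len(sessions)), key=lambda i: model.score(sessions[i]), reverse=True)
    top = sessions[ranked[0]]
    baseline, phi = explain_session(model, sessions, top)
    print("top anomaly:", dict(zip(FEATURES, top)), "score=%.3f" % model.score(top))
    for name, b, p in sorted(zip(FEATURES, baseline, phi), key=lambda t: -t[2]):
        print("  %-14s baseline=%5.1f  contribution=%+.3f" % (name, b, p))
```

The attributions sum exactly to the gap between the session's score and the baseline session's score (the Shapley efficiency property), so an analyst can read each feature's share of "why this session scored high" instead of inspecting the trees. In a real notebook you would swap `build_sessions` for a Sentinel query result and the hand-rolled forest and Shapley loop for scikit-learn and SHAP; the explanation logic is the same.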