In the recently published Remote Work Trend Report, Microsoft provided some interesting insights into how the shift into full-time remote work and learning has impacted the way we collaborate and remain productive with internal and external stakeholders. On the flip side, cybersecurity teams now have a mammoth task of securing virtual meetings, ensuring the right policies and permissions are being implemented, and monitoring guest access to meetings and data.
By using graphs, we can visualize interactions between:
Making it easier to visually identify outliers and smaller clusters that diverge from typical enterprise behavior.
Leveraging the good work of other contributors (in the links above) we can dive straight into creating the graph visualization in Azure Sentinel workbooks.
Once in Azure Sentinel, navigate to workbooks, and add a query module. You will be prompted to enter a KQL query, and a visualization drop down list will allow you to toggle how the query results will be presented - in this case we will be selecting Graph.
:warning: Note: Since Teams data is being retrieved through Logic Apps [link] if you did not define the table as TeamsData, just replace any mention of TeamsData in the following section to the table name you defined.
In the initial data datatable, the Members string which are user emails (internal and external) gets parsed to split the domain from the username. Internal organization domains then get filtered out (since we are only concerned about external domains in this scenario). A RequestId is then formed by stringing the external domain together with the requester (internal user).
let CallerOrg = (TeamsData | extend InternalOrg = tostring(split(UserId, "@")) | distinct InternalOrg); let data = (TeamsData | extend UPN = tostring(parse_json(Members).UPN) | extend Organization = tostring(split(UPN, "@")) | where isnotempty(Organization) | summarize Calls = count() by ExtDomain = Organization, Request = UserId, Dependency = UPN | where ExtDomain !in (CallerOrg) | extend RequestId = strcat(ExtDomain, '::', Request));
The links datatable then groups the number of unique calls/interactions between the internal user and an external domain, and we append the type of interaction in the “Kind” column.
let links = data | summarize Calls = sum(Calls) by ExtDomain, RequestId | project SourceId = ExtDomain, TargetId = RequestId, Calls, Kind = 'ExtDomain -> Request';
The nodes datatable counts and groups the total number of calls/interactions being made to each external domain, and again we append the type of interaction in the “Kind” column. We also union and combine the number of calls/interactions being initiated by internal users and append the type “Request”.
let nodes = data | summarize Calls = sum(Calls) by ExtDomain | project Id = ExtDomain, Name = ExtDomain, Calls, Kind = 'ExtDomain' | union (data | summarize Calls = sum(Calls) by RequestId, Request | project Id = RequestId, Name = Request, Calls, Kind = 'Request');
The final step is combining the nodes and links datatables into a single datatable.
nodes | union (links) | extend HEXColour = iif(Kind == "Request", "cad8e6", "28496b")
In graphs you can specify the color you would like the nodes to appear in. Just append the desired HEX color in a separate column — in this example I made internal users appear light blue, and external domains appear dark blue. If you would like, you could also add additional layers of color coding to enrich the visualization. Eg. assigning different colors to different internal user groups (HR could be yellow, Finance could be red, etc.)
Clicking into Graph Settings, a small pop-out window will appear on the right. The layout settings are where you define what each node will represent. Do note this is highly dependent on how you have structured the KQL query above, in this example by using:
This will give you a view where the central node is the external domain and the surrounding nodes are the internal users.
Save the query and the workbook and start to explore the different clusters and interactions.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.