Microsoft Sentinel: Threat Hunting Tools You Could Be Missing Out On
You’ve probably heard of Microsoft Sentinel. But how familiar are you with some of its less well-known features, like workbooks and notebooks? These tools are essential for analysts conducting investigations in Microsoft Sentinel environments, yet they’re often overlooked. Getting to grips with them can offer you a competitive advantage.
As a SOC analyst, incident responder, or cloud security engineer using Microsoft Sentinel as your SIEM, you’ll be familiar with its standard features, such as incidents, analytics rules, and threat intelligence.
However, you might not be so familiar with workbooks, which enable data visualisation and dynamic reporting, or notebooks, which empower you to document threat hunts and build replayable incident response playbooks. Let’s look at how these Microsoft Sentinel features can improve your incident response and threat hunting.
Eyes on: monitoring metrics with workbooks
One key advantage of workbooks is that they dynamically visualise data from a range of sources across your Microsoft environment and beyond. The security benefit is direct: from a single dashboard you can monitor metrics such as request rates, egress traffic, CPU utilisation, and management plane actions.
If your workbook dashboard shows an unexpected spike in requests to a sensitive resource, it could be a sign that something isn’t quite right. Visualising these metrics in near-real-time graphs helps spot early signs of compromise and speeds up detection.
The other, often overlooked advantage of metrics in workbooks comes from a management perspective. Microsoft Sentinel ships many workbook templates for common reporting needs, including the Cybersecurity Maturity Model Certification (CMMC) and Azure Security Benchmark workbooks. Up-to-date reporting on performance against these core security benchmarks helps security engineers identify insecure points in your Microsoft estate.
For CISOs and SOC managers, the ability to track KPIs such as Mean Time to Triage and Mean Time to Closure can prove invaluable in monitoring SOC performance and evidencing the positive effects of realistic training. This can be achieved using the Security Operations Efficiency workbook offered as a template. To learn more about monitoring metrics with workbooks, check out the newly released Azure Workbooks: Monitoring Metrics lab.
Diving deep: security analysis with workbooks
From a security perspective, workbooks can be a powerful tool if you get creative. The ability to query logs and metric data across a wide range of sources means you can combine information to enrich threat intelligence and identify unusual behaviour by visually comparing activity against an established baseline.
Workbooks can build complex queries into logs from a range of sources, including sign-in logs, Windows Event logs, networking logs, and resource activity logs. By cleverly designing log queries within your workbooks, you can visually detect anomalous activity and chart this in workbook reports that can be shared across a SOC team.
Graphically representing data in workbooks can have numerous advantages. By visualising resource relationships, you can easily identify shadow IT or resources deployed by threat actors for persistence, such as a lone resource in a location your business doesn’t use. For another example, you can diagram external collaborations in Microsoft Teams or email connections in Microsoft Outlook to identify anomalous behaviour and hunt for potential risks.
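To make the "lone resource in an unused region" hunt concrete, here is an added example (not code from the original post). It shows the Azure Resource Graph query a workbook panel would run, and then implements the same baseline comparison in Python over constructed sample rows so it runs offline. The region allow-list, resource names and sample inventory are assumptions for illustration.

```python
"""Flag resources deployed in Azure regions your organisation does not use.

The constructed rows below mimic what a workbook query against the Azure
Resource Graph `Resources` table returns (name, type, location, resourceGroup).
"""
from collections import Counter

# KQL a workbook panel (Azure Resource Graph data source) would run to chart
# resource count per region; a region with a count of 1 stands out visually.
WORKBOOK_KQL = """
Resources
| summarize ResourceCount = count(), Resources = make_set(name) by location
| order by ResourceCount asc
"""

# Constructed sample inventory (assumption): a UK-only estate plus one stray VM.
SAMPLE_RESOURCES = [
    {"name": "web-vm-01",   "type": "microsoft.compute/virtualmachines", "location": "uksouth",     "resourceGroup": "rg-prod"},
    {"name": "web-vm-02",   "type": "microsoft.compute/virtualmachines", "location": "uksouth",     "resourceGroup": "rg-prod"},
    {"name": "sql-prod",    "type": "microsoft.sql/servers",             "location": "uksouth",     "resourceGroup": "rg-prod"},
    {"name": "st-prodlogs", "type": "microsoft.storage/storageaccounts", "location": "uksouth",     "resourceGroup": "rg-prod"},
    {"name": "kv-prod",     "type": "microsoft.keyvault/vaults",         "location": "uksouth",     "resourceGroup": "rg-prod"},
    {"name": "nsg-web",     "type": "microsoft.network/networksecuritygroups", "location": "uksouth", "resourceGroup": "rg-prod"},
    {"name": "web-vm-dr",   "type": "microsoft.compute/virtualmachines", "location": "ukwest",      "resourceGroup": "rg-dr"},
    {"name": "st-drbackup", "type": "microsoft.storage/storageaccounts", "location": "ukwest",      "resourceGroup": "rg-dr"},
    {"name": "kv-dr",       "type": "microsoft.keyvault/vaults",         "location": "ukwest",      "resourceGroup": "rg-dr"},
    # The stray: a VM in a region the business never uses, in the prod resource group.
    {"name": "vm-tmp-7f3",  "type": "microsoft.compute/virtualmachines", "location": "brazilsouth", "resourceGroup": "rg-prod"},
]

# Explicit allow-list of regions the business has approved (assumption).
APPROVED_LOCATIONS = {"uksouth", "ukwest"}


def location_baseline(resources, min_share=0.2):
    """Learn the 'normal' regions: those hosting at least min_share of all resources.

    Useful when nobody has written down the approved-region list; a region
    holding a tiny fraction of the estate is treated as outside the baseline.
    """
    counts = Counter(r["location"] for r in resources)
    total = sum(counts.values())
    return {loc for loc, n in counts.items() if n / total >= min_share}


def find_outliers(resources, approved=None, min_share=0.2):
    """Return resources whose region is outside the approved set.

    If an explicit allow-list is given it is used; otherwise the baseline is
    learned from the inventory itself.
    """
    normal = approved if approved is not None else location_baseline(resources, min_share)
    return [r for r in resources if r["location"] not in normal]


def lone_resources(resources):
    """Resources that are the only thing deployed in their region: the classic
    tell for shadow IT or attacker-deployed persistence infrastructure."""
    counts = Counter(r["location"] for r in resources)
    return [r for r in resources if counts[r["location"]] == 1]


if __name__ == "__main__":
    for r in find_outliers(SAMPLE_RESOURCES, APPROVED_LOCATIONS):
        print(f"OUTLIER {r['name']} ({r['type']}) in {r['location']} / {r['resourceGroup']}")
```

Run without an allow-list, `find_outliers` falls back to the learned baseline, which is handy for a first pass over an unfamiliar subscription; once you have confirmed which regions are legitimate, pin the allow-list so a gradual build-up of attacker resources cannot drift into the baseline.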
By visualising data dynamically in workbooks, you can boost security analysis and threat hunting across every stage of the Cyber Kill Chain. Our Microsoft Sentinel: Security Analysis with Workbooks lab covers this further.
Improved response: incident investigations with notebooks
Microsoft Sentinel integrates Jupyter notebooks, hosted in an Azure Machine Learning workspace and launched from the Sentinel portal, so you can run and document code alongside your SIEM investigations. If you’re in a SOC team, notebooks provide some seriously useful advantages:
- Readable code for other analysts: By tracking your steps in a notebook using markdown, you can explain your queries, capture outputs, and make your work easy for another analyst to understand.
- Standardise your analysis and response: Once you've made a notebook for a specific security event, you can reuse it whenever a similar incident occurs. This gives you a step-by-step guide to analyse and respond to the new incident.
- Share incident response knowledge: Notebooks are also very easy to share with other people. If you want to train a more junior team member in how to analyse and respond to that specific security event, you can share the notebook with them. This reduces reliance on individuals, helps to prevent silos, and teaches other members of your team.
- Improve your response: The next time a specific security event occurs, you may realise that other data sources or queries can be helpful to investigate. It's very easy to add to and develop your notebook. This means you can improve your response over time as you iterate on the work you've already done.
For hands-on experience getting to grips with notebooks, check out the Microsoft Sentinel: Introduction to Notebooks lab.
Tracking threat actors: hunting with notebooks
Sentinel notebooks offer more than the generic benefits of Jupyter. By combining automation with direct log querying, they can serve as detailed investigation guides for your threat hunting and incident response teams.
By connecting natively to Microsoft Sentinel workspaces, notebooks can query Log Analytics log tables to investigate recent activity, sign-in logs, requests, and more. By collating this information into a centralised location, your investigation can seamlessly track a threat actor’s movements through your estate. Then, by storing these queries in a notebook, you can reuse them repeatedly, which can rapidly reduce investigation times for commonly occurring incidents. The example below shows a saved query that displays any write operations against a virtual machine with a provided name. It’s reusable, repeatable, and reliable.
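As an added example (not the original post's saved query), the following builds a reusable, parameterised version of that hunt: the KQL a notebook would send to the workspace's AzureActivity table to list write operations against a named VM, with the VM name validated before it is interpolated so an untrusted value cannot break out of the string literal. The same predicate is then applied to constructed sample rows so the example runs offline. Sample rows, callers, IPs and VM names are constructed for illustration.

```python
"""Reusable notebook query: write operations against a named virtual machine.

Column names follow the AzureActivity table (TimeGenerated, Caller,
CallerIpAddress, OperationNameValue, ActivityStatusValue, ResourceGroup,
ResourceProviderValue, Resource). Sample rows are constructed, not real logs.
"""
import re
from datetime import datetime, timedelta, timezone

# Conservative pattern for an Azure VM name (assumption: a safe subset of the
# allowed character set). Anything else is rejected rather than escaped.
_VM_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def vm_write_ops_query(vm_name, lookback_hours=24):
    """Return KQL listing write operations on one VM in the lookback window.

    Validating vm_name first matters: notebooks often take this from a cell
    parameter or an incident entity, and a value like 'x" or 1==1 //' would
    otherwise change the query's meaning (KQL injection).
    """
    if not _VM_NAME_RE.fullmatch(vm_name):
        raise ValueError(f"invalid VM name: {vm_name!r}")
    if not 1 <= int(lookback_hours) <= 24 * 90:
        raise ValueError("lookback_hours must be between 1 hour and 90 days")
    return f"""AzureActivity
| where TimeGenerated > ago({int(lookback_hours)}h)
| where ResourceProviderValue =~ "Microsoft.Compute"
| where OperationNameValue has "virtualMachines" and OperationNameValue endswith "/write"
| where Resource =~ "{vm_name}"
| project TimeGenerated, Caller, CallerIpAddress, OperationNameValue, ActivityStatusValue, ResourceGroup
| order by TimeGenerated desc"""


def filter_vm_write_ops(rows, vm_name, now, lookback_hours=24):
    """Apply the same predicate as the KQL to in-memory AzureActivity-shaped rows.

    Matching is case-insensitive to mirror KQL's `=~`, `has` and `endswith`.
    """
    if not _VM_NAME_RE.fullmatch(vm_name):
        raise ValueError(f"invalid VM name: {vm_name!r}")
    cutoff = now - timedelta(hours=lookback_hours)
    hits = [
        r for r in rows
        if r["TimeGenerated"] > cutoff
        and r["ResourceProviderValue"].lower() == "microsoft.compute"
        and "virtualmachines" in r["OperationNameValue"].lower()
        and r["OperationNameValue"].lower().endswith("/write")
        and r["Resource"].lower() == vm_name.lower()
    ]
    return sorted(hits, key=lambda r: r["TimeGenerated"], reverse=True)


# Fixed "now" so the sample is reproducible (assumption).
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)


def _row(hours_ago, caller, ip, op, resource, status="Succeeded"):
    return {
        "TimeGenerated": NOW - timedelta(hours=hours_ago),
        "Caller": caller,
        "CallerIpAddress": ip,
        "OperationNameValue": op,
        "ActivityStatusValue": status,
        "ResourceGroup": "rg-prod",
        "ResourceProviderValue": "Microsoft.Compute",
        "Resource": resource,
    }


# Constructed sample activity (assumption): a legitimate deploy, a suspicious
# write from an unexpected caller, a read, a write on a different VM, and a
# write that falls outside the 24h window.
SAMPLE_ACTIVITY = [
    _row(2.0, "svc-deploy@contoso.example", "10.1.2.3", "MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE", "web-vm-01"),
    _row(0.5, "j.doe@contoso.example", "203.0.113.7", "MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE", "web-vm-01"),
    _row(1.0, "j.doe@contoso.example", "203.0.113.7", "MICROSOFT.COMPUTE/VIRTUALMACHINES/READ", "web-vm-01"),
    _row(1.5, "svc-deploy@contoso.example", "10.1.2.3", "MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE", "web-vm-02"),
    _row(40.0, "svc-deploy@contoso.example", "10.1.2.3", "MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE", "web-vm-01"),
]


if __name__ == "__main__":
    print(vm_write_ops_query("web-vm-01"))
    for r in filter_vm_write_ops(SAMPLE_ACTIVITY, "web-vm-01", NOW):
        print(r["TimeGenerated"].isoformat(), r["Caller"], r["CallerIpAddress"], r["OperationNameValue"])
```

In a live Sentinel notebook the string returned by `vm_write_ops_query` is what you would hand to msticpy's `QueryProvider.exec_query()`; keeping the query in a function with validated parameters is what makes the cell safe to reuse across incidents and to hand to a junior analyst.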
By standardising incident investigations and creating reusable, documented queries for threat hunting, you can reduce time wasted by rewriting the same playbooks repeatedly, greatly improving your SOC team's efficiency.
The new Microsoft Sentinel: Threat Hunting with Notebooks lab gives hands-on experience tracking a realistic threat actor who has compromised a Microsoft Azure account.
Beyond workbooks and notebooks: Empowering your SOC team
Workbooks and notebooks are handy tools in Microsoft Sentinel, but they form only a small part of the arsenal. The newly released Microsoft Sentinel: Threat Hunting with Notebooks and Workbooks collection is ideal for SOC analysts, incident responders, forensics specialists, and cloud/security engineers who use Microsoft Sentinel as their SIEM and want to expand their knowledge.
By adding this collection to our existing Microsoft Sentinel content, we cover the core areas of the Microsoft Security Operations Analyst (SC-200) certification while offering more advanced content for experienced SIEM users.
Gain a competitive edge by building hands-on experience in realistic scenarios so you can use Microsoft Sentinel to its fullest potential.
Share your thoughts
Why not give this content a try and let me know how you got on? Remember, if you need help with a lab or want to collaborate with other community members, share your question on the Help forum!