netevert / sentinel-attack

Tools to rapidly deploy a threat hunting capability on Azure Sentinel that leverages Sysmon and MITRE ATT&CK
MIT License

I think I can simplify your workbook template? #9

Closed gardnerjr closed 4 years ago

gardnerjr commented 5 years ago

Throughout your template in https://github.com/BlueTeamLabs/sentinel-attack/tree/master/hunting/workbooks, you have this:

        "crossComponentResources": [
          "/subscriptions/{Subscription_Id}/resourceGroups/{Resource_Group}/providers/Microsoft.OperationalInsights/workspaces/{Workspace_Name}"
        ],

in each query step.

If the user is already opening workbooks from inside Sentinel, the workspace to query should already be "set" in the workbook's resources (in edit mode, click the gear icon in the toolbar; on the Resources tab you should see a workspace already listed there). If that's the case, query steps of the workbook will "inherit" that resource automatically; it doesn't need to be explicitly listed in each step.

Also, in the advanced editor, if you scroll all the way to the bottom in this state, there should be a couple of properties like

  "defaultResourceIds": [
    "something sentinel specific?",
    "/subscriptions/subId/resourceGroups/rgName/providers/Microsoft.OperationalInsights/workspaces/workspaceName"
  ],

If that is the case, then the extra crossComponentResources section listing the workspace in every step is only there as an "override" of the default resources. So hypothetically, you can remove all of the crossComponentResources settings from the whole template you have, and just pasting it as it is should keep the window's defaultResourceIds intact, and all the query steps would inherit that default workspace. That should just work without having to do a lot of replacements.

(If that doesn't work, the instructions should probably say to copy the defaultResourceIds section from the bottom of the advanced editor when it opens into your template, and paste that back into the advanced editor.)

I'm working with the Sentinel team on trying to clear up some of how they're doing the workbooks, so that this is a little simpler for everyone.
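As an added example, not code from this issue or from the sentinel-attack project: a small Python script that performs the cleanup suggested above, removing the `crossComponentResources` override from every query step of a workbook template (recursing into groups) while leaving the template's own default-resource list and every query untouched. It assumes the Azure Workbooks JSON layout of `items` where a query step is `type` 3 with a `content` object and a group is `type` 12 whose `content.items` holds nested steps; the sample template and its placeholder resource IDs are constructed for the demonstration.

```python
import copy
import json
import sys

# Constructed sample template (not the project's real workbook JSON). The item
# layout used here is an assumption about the Azure Workbooks "Notebook/1.0"
# format: type 3 = KQL query step, type 12 = group holding nested items.
WORKSPACE_PLACEHOLDER = (
    "/subscriptions/{Subscription_Id}/resourceGroups/{Resource_Group}"
    "/providers/Microsoft.OperationalInsights/workspaces/{Workspace_Name}"
)

SAMPLE_TEMPLATE = {
    "version": "Notebook/1.0",
    "items": [
        {"type": 1, "content": {"json": "# Sysmon hunting (constructed)"}},
        {
            "type": 3,
            "content": {
                "version": "KqlItem/1.0",
                "query": "Sysmon | where EventID == 1 | summarize count() by Image",
                "crossComponentResources": [WORKSPACE_PLACEHOLDER],
            },
        },
        {
            "type": 12,
            "content": {
                "version": "NotebookGroup/1.0",
                "items": [
                    {
                        "type": 3,
                        "content": {
                            "version": "KqlItem/1.0",
                            "query": "Sysmon | where EventID == 3 | summarize count() by DestinationIp",
                            "crossComponentResources": [WORKSPACE_PLACEHOLDER],
                        },
                    }
                ],
            },
        },
    ],
    # The workspace the workbook window already carries; kept as-is so steps inherit it.
    "defaultResourceIds": [
        "/subscriptions/subId/resourceGroups/rgName"
        "/providers/Microsoft.OperationalInsights/workspaces/workspaceName"
    ],
}


def _strip_items(items):
    """Remove crossComponentResources from each item, descending into groups.

    Returns the number of overrides removed."""
    removed = 0
    for item in items:
        content = item.get("content", {})
        if "crossComponentResources" in content:
            del content["crossComponentResources"]
            removed += 1
        # Group items (type 12) carry their child steps under content.items.
        removed += _strip_items(content.get("items", []))
    return removed


def strip_cross_component_resources(template):
    """Return (cleaned copy of template, number of overrides removed).

    The input is not modified, so the original can still be diffed against the result."""
    cleaned = copy.deepcopy(template)
    removed = _strip_items(cleaned.get("items", []))
    return cleaned, removed


def count_overrides(template):
    """Count query steps that still carry an explicit crossComponentResources override."""
    def walk(items):
        total = 0
        for item in items:
            content = item.get("content", {})
            total += 1 if "crossComponentResources" in content else 0
            total += walk(content.get("items", []))
        return total
    return walk(template.get("items", []))


def collect_queries(template):
    """Return every KQL query string in step order (used to confirm nothing else changed)."""
    queries = []
    def walk(items):
        for item in items:
            content = item.get("content", {})
            if "query" in content:
                queries.append(content["query"])
            walk(content.get("items", []))
    walk(template.get("items", []))
    return queries


if __name__ == "__main__":
    # Usage: python strip_overrides.py [template.json] ; without an argument the constructed sample is used.
    template = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_TEMPLATE
    cleaned, removed = strip_cross_component_resources(template)
    print(f"removed {removed} crossComponentResources override(s)", file=sys.stderr)
    print(json.dumps(cleaned, indent=2))
```

Run it against a saved template and paste the printed JSON back into the advanced editor; the `defaultResourceIds` block that the editor already shows at the bottom is preserved by the script, so the query steps fall back to that workspace rather than to a per-step override.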

gardnerjr commented 5 years ago

Also FYI, your first link in the workbooks README links to Jupyter notebooks, not Azure workbooks. Close but not quite :D

netevert commented 5 years ago

Hi @gardnerjr , many thanks for your comments and suggestions. I've opened two issues to address your specific points. I'll look into issue #11 at some point next week. Alternatively if you want to submit a pull request we'll happily accept the contribution.