This folder contains short notebooks that demonstrate specific features of MSTICPy, such as the process tree shown below.
MSTICPy is the Python package that powers many of the CyberSec notebooks in Microsoft Sentinel.
You can find more details and documentation of these features on the MSTICPy ReadTheDocs site.
Many of the notebooks in this folder use local data, so they do not require a Microsoft Sentinel logon to run.
The simplest way to get these notebooks into your AML workspace is to clone the GitHub repository into your workspace folders.
You can run the git commands from an existing notebook or from a terminal on your AML compute.
To clone the repo into a local "azure-sentinel-nb" folder (you can specify whatever name you prefer), type the following in a notebook cell and run it:
!git clone https://github.com/Azure/Azure-Sentinel-Notebooks.git azure-sentinel-nb
The command is the same if you are running it in a shell, except that you omit the leading "!":
$ git clone https://github.com/Azure/Azure-Sentinel-Notebooks.git azure-sentinel-nb
This will create a copy of the GitHub repo contents in the "azure-sentinel-nb" folder of your user folder. You will find the tutorial notebooks in the MSTIC-TutorialNotebooks sub-folder.
To update your copy of the notebooks, type the following into a notebook cell and run:
!cd azure-sentinel-nb && git pull
Or from the terminal:
$ cd azure-sentinel-nb && git pull
If you have modified any of the notebooks, the pull command will fail.
To reset your copy, use
git reset --hard
Note that this discards every local change in the folder, so copy any modified files out of the folder before running it.
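As an added example (not part of the repository's own instructions), the clone, pull and reset steps above can be wrapped in one POSIX shell function. It assumes git is installed and, instead of discarding local edits with `git reset --hard`, it parks them in a git stash before pulling so nothing is lost; the function name `sync_notebooks` and the default `REPO_URL` variable are the example's own choices.

```shell
#!/bin/sh
# Added example, not from the Azure-Sentinel-Notebooks project.
# Clone the notebooks repo into a folder, or update an existing copy
# without losing local edits. Assumes git is on PATH.

REPO_URL="${REPO_URL:-https://github.com/Azure/Azure-Sentinel-Notebooks.git}"

# sync_notebooks <dir> [repo_url]
#   - no copy yet: clone the repo into <dir> and print "cloned"
#   - existing copy: stash any local modifications (these would make
#     `git pull` fail), pull, then print "updated stashed=yes|no"
sync_notebooks() {
    dir="$1"
    url="${2:-$REPO_URL}"

    if [ ! -d "$dir/.git" ]; then
        git clone "$url" "$dir" >/dev/null 2>&1 || return 1
        echo "cloned"
        return 0
    fi

    # Anything in `git status --porcelain` means local changes exist.
    if [ -n "$(git -C "$dir" status --porcelain)" ]; then
        # Keep the edits (tracked and untracked) in a stash instead of
        # throwing them away with `git reset --hard`.
        git -C "$dir" stash push --include-untracked -q \
            -m "local edits before pull" || return 1
        stashed=yes
    else
        stashed=no
    fi

    git -C "$dir" pull -q || return 1
    echo "updated stashed=$stashed"
}
```

Run it as `sync_notebooks azure-sentinel-nb`; after an update that reports `stashed=yes`, `git stash list` shows the parked edits and `git stash pop` re-applies them on top of the freshly pulled notebooks.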
You can run these notebooks in mybinder.org. This is a free notebook execution environment available to the community.
Note: mybinder.org is a community resource. Please use it responsibly so that it remains available for others.
- Select the notebook that you want to run.
- Go to https://mybinder.org
- Fill in the GitHub repository name ("https://github.com/Azure/Azure-Sentinel-Notebooks") and the notebook name (prefixed with the path "MSTICPy-TutorialNotebooks/", as shown below).
- Click the launch button.