With great pleasure, we would like to introduce the open-source version of Senserva's Azure Active Directory toolkit, built on top of Microsoft Sentinel, to help you secure your environment.
Senserva is an automated platform that helps you identify and prioritize potential Microsoft cloud security issues. With its patent-pending engine, it identifies threats within your environment and grades them using machine learning algorithms.
After successfully participating in the Microsoft Sentinel Hackathon, we are open-sourcing part of our toolkit so that organizations can identify potential security issues at no cost.
Introducing the toolkit
The open-source toolkit consists of two main parts:
- A scanner which retrieves information from your tenant and pushes it into Azure Sentinel.
- Jupyter Notebooks which provide rich insights into your Azure AD security.
While the scanner is the source of all the data, you will use the Jupyter Notebooks to get insights into it.
Jupyter Notebooks are natively built into Microsoft Sentinel and provide many possibilities for getting deep insights into your environment.
Built on top of a custom Python library, Pyserva, the Notebooks retrieve information from your Microsoft Sentinel environment and provide interactive visualizations from which you can draw the custom insights you need.
Before you can get going, you need to ensure the open-source scanner is installed and sending data into your Microsoft Sentinel environment (instructions on how to install the scanner will be added to the GitHub page in the upcoming days).
Afterwards, install the Jupyter Notebooks as documented on GitHub. The Notebooks provide rich visualizations of your data and easy interaction, allowing you to draw insights from it.
How to use the Notebooks
After you have deployed the Jupyter Notebooks within your environment, you can browse to your Workspace and run one of the three Notebooks.
Within the current open-source version, the following Notebooks are included:
- Senserva Connections Notebook, which allows you to visually identify which Azure AD objects are connected to each other. This Notebook uses data gathered from both Azure AD and Microsoft Sentinel's UEBA.
- Senserva Conditional Access Notebook, which provides an overview of all your current Conditional Access policies and insights into them.
- Senserva Locations Notebook, which visualizes the geographic location of all the sign-ins within your tenant, enriched with additional information such as the UEBA and Identity Protection risk scores.
The Connections Notebook was initially built for the Microsoft Sentinel Hackathon and was the first of our notebooks to be open-sourced.
This Notebook allows you to visualize the different connections Azure AD objects have with each other.
While most administrators are aware of the connections users have with each other (through group memberships), users can also have connections to applications. This notebook helps you identify connections that might not be apparent when you are just browsing the Azure AD portal.
This notebook provides two main visualizations:
- A graph to verify the existing connections in an environment
- A table which allows you to filter for specific users and find users with high privileges. These privileges include Azure AD roles, Azure RBAC and access to applications.
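The privilege table described above, as an added example that is not Senserva or Pyserva code: it resolves each user's effective Azure AD roles, Azure RBAC assignments and application access by walking nested group memberships over a constructed sample graph. The object names, relation labels and the set of roles treated as high-privilege are hypothetical.

```python
from collections import defaultdict, deque

# Constructed sample (hypothetical names): (source, relation, target)
EDGES = [
    ("alice", "memberOf", "HelpdeskTier1"),
    ("bob", "memberOf", "HelpdeskTier1"),
    ("HelpdeskTier1", "memberOf", "ITAdmins"),       # nested group
    ("ITAdmins", "hasRole", "Global Administrator"),  # Azure AD role via group
    ("ITAdmins", "hasRbac", "Owner@/subscriptions/<subscription-id-placeholder>"),
    ("carol", "hasRole", "User Administrator"),       # direct role assignment
    ("dave", "memberOf", "Finance"),
    ("Finance", "hasAppRole", "PayrollApp:Approver"),  # application access via group
]
USERS = ["alice", "bob", "carol", "dave"]
HIGH_PRIVILEGE_ROLES = {"Global Administrator", "Privileged Role Administrator"}
RELATION_BUCKET = {"hasRole": "roles", "hasRbac": "rbac", "hasAppRole": "apps"}


def build_graph(edges):
    """Adjacency list: node -> [(relation, target), ...]."""
    graph = defaultdict(list)
    for src, rel, dst in edges:
        graph[src].append((rel, dst))
    return graph


def effective_privileges(graph, user):
    """Breadth-first walk over memberOf edges; collects every role, RBAC assignment
    and app role reachable from the user. The seen-set also handles cyclic groups."""
    found = {"groups": set(), "roles": set(), "rbac": set(), "apps": set()}
    seen, queue = {user}, deque([user])
    while queue:
        node = queue.popleft()
        for rel, dst in graph.get(node, []):
            if rel == "memberOf" and dst not in seen:
                seen.add(dst)
                found["groups"].add(dst)
                queue.append(dst)
            elif rel in RELATION_BUCKET:
                found[RELATION_BUCKET[rel]].add(dst)
    return found


def privileged_users(graph, users, high_roles=HIGH_PRIVILEGE_ROLES):
    """Rows for users holding a high-privilege Azure AD role, directly or via groups."""
    rows = []
    for user in users:
        priv = effective_privileges(graph, user)
        if priv["roles"] & high_roles:
            rows.append((user, sorted(priv["roles"]), sorted(priv["groups"])))
    return sorted(rows)
```

In the sample, neither alice nor bob holds a role directly; the Global Administrator role only appears once the nested HelpdeskTier1 -> ITAdmins membership is followed.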
Conditional Access Notebook
While the Azure AD portal shows you all of your current Conditional Access policies, it can be extremely tricky to get an insightful overview of them.
By using the Conditional Access Notebook, you receive an overview of all current Conditional Access policies within your environment. With the built-in controls, you can filter the policies to show only enabled policies, or add additional columns.
If you are searching for policies containing a specific grant control, for example, you can filter the grant column to show only the policies you want to see.
By using the 'Export to CSV' button, you can export your current selection to a CSV file, which you can share with others or build additional reporting on.
This Notebook requires data gathered by the Senserva scanner.
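The enabled-only filter, the grant-control filter and the CSV export described above, as an added example that is not Senserva or Pyserva code. The sample policies are constructed and shaped after the Microsoft Graph conditionalAccessPolicy resource (displayName, state, conditions, grantControls); the schema the toolkit actually stores in Sentinel may differ, and the policy names and the excluded account are placeholders.

```python
import csv
import io

# Constructed sample (hypothetical names), shaped after Graph conditionalAccessPolicy.
POLICIES = [
    {"displayName": "Require MFA for admins", "state": "enabled",
     "conditions": {"users": {"includeRoles": ["Global Administrator"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "MFA for all users (pilot)", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["break-glass-placeholder"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Sign-in frequency only", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["Office365"]}},
     "grantControls": None},  # session-control-only policy: no grant controls
]
COLUMNS = ["name", "state", "users", "applications", "grant_operator", "grant"]

def flatten(policy):
    """One flat table row per policy; nested lists are joined with ';'."""
    conditions = policy.get("conditions", {})
    users = conditions.get("users", {})
    grant = policy.get("grantControls") or {}   # tolerate null grantControls
    return {
        "name": policy["displayName"],
        "state": policy["state"],
        "users": " ".join(f"{k}={';'.join(v)}" for k, v in users.items() if v),
        "applications": ";".join(conditions.get("applications", {}).get("includeApplications", [])),
        "grant_operator": grant.get("operator", ""),
        "grant": ";".join(grant.get("builtInControls", [])),
    }

def select(policies, enabled_only=False, grant_control=None):
    """The notebook's filters: enabled-only toggle and a grant-control match.
    Report-only policies are not 'enabled', so they drop out of the enabled view."""
    rows = [flatten(p) for p in policies]
    if enabled_only:
        rows = [r for r in rows if r["state"] == "enabled"]
    if grant_control:
        rows = [r for r in rows if grant_control in r["grant"].split(";")]
    return rows

def to_csv(rows):
    """'Export to CSV' equivalent; returns the CSV text instead of writing a file."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()
```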
By using Jupyter Notebooks and Python, we are not only able to easily visualize the sign-in data from your entire tenant, but also to enrich it.
This enrichment includes the following:
- Role of the user (Global Admins are given higher importance than regular user accounts)
- Azure AD Identity Protection Risk score
- Microsoft Sentinel UEBA Investigation Score
- Status of the sign-in: Successful or failed sign-ins
By using the built-in filters, it is extremely easy to show only the high-risk sign-ins, which allows you to focus your investigation on what matters.
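The enrichment and the high-risk filter described above, as an added example that is not Senserva or Pyserva code: each sign-in is joined with the user's role, Identity Protection risk level, UEBA score and status, given an illustrative priority, and then reduced to the high-risk rows. The sample tables, the users, the weights and the priority formula are constructed for this example; the Identity Protection risk levels follow the Graph riskLevel values, and the UEBA score is assumed to be Sentinel's 0 to 10 InvestigationPriority.

```python
# Constructed sample tables (hypothetical users and values) standing in for the
# sign-in, role, Identity Protection and UEBA data the notebook pulls from Sentinel.
SIGNINS = [
    {"user": "alice", "status": "success", "country": "NL"},
    {"user": "alice", "status": "failure", "country": "BR"},
    {"user": "dave", "status": "success", "country": "NL"},
    {"user": "carol", "status": "success", "country": "US"},
]
ROLES = {"alice": "Global Administrator", "carol": "User Administrator"}
# Identity Protection riskLevel per user (Graph values: none, low, medium, high, hidden).
IDENTITY_PROTECTION_RISK = {"alice": "high", "dave": "medium"}
# UEBA InvestigationPriority per user, assumed 0-10 as in Sentinel's BehaviorAnalytics table.
UEBA_SCORE = {"alice": 7, "carol": 3}

RISK_WEIGHT = {"none": 0, "low": 1, "medium": 2, "high": 3}   # hidden/unknown -> 0
ROLE_WEIGHT = {"Global Administrator": 3, "User Administrator": 2}  # other roles -> 1

def enrich(signins, roles, ip_risk, ueba):
    """Join each sign-in with the user's role, risk level and UEBA score, and add an
    illustrative priority: role weight * risk weight + UEBA score (constructed formula)."""
    rows = []
    for s in signins:
        user = s["user"]
        row = dict(s)
        row["role"] = roles.get(user, "User")
        row["risk_level"] = ip_risk.get(user, "none")
        row["ueba_score"] = ueba.get(user, 0)
        row["priority"] = (ROLE_WEIGHT.get(row["role"], 1)
                           * RISK_WEIGHT.get(row["risk_level"], 0) + row["ueba_score"])
        rows.append(row)
    return rows

def high_risk(rows, min_risk="high", min_ueba=5):
    """The 'high risk only' filter: keep sign-ins whose user is at or above the
    Identity Protection level or the UEBA threshold, highest priority first."""
    keep = [r for r in rows
            if RISK_WEIGHT.get(r["risk_level"], 0) >= RISK_WEIGHT[min_risk]
            or r["ueba_score"] >= min_ueba]
    return sorted(keep, key=lambda r: r["priority"], reverse=True)

if __name__ == "__main__":
    for r in high_risk(enrich(SIGNINS, ROLES, IDENTITY_PROTECTION_RISK, UEBA_SCORE)):
        print(r["user"], r["status"], r["country"], r["role"],
              r["risk_level"], r["ueba_score"], r["priority"])
```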
In this blog post, we provided a high-level overview of the solution and its components. In the future, additional blog posts will showcase advanced insights and examples of how you can include your own custom-built checks to adapt the Notebooks to your liking.
Besides these specific Notebooks, Senserva also offers select, high-end development services to help people adapt Jupyter Notebooks and provide insights from our experience.
If you have any feedback about this open-source toolkit or want to learn more, get in touch through our website.
By Thijs Lecomte | December 15, 2021