Authenticate with Log Analytics workspace interactively in Azure Sentinel notebooks

One of the common steps before a SecOps analyst starts investigating and writing hunting queries is to authenticate, using kqlmagic, with the Log Analytics workspace where the security data and event logs are stored. The most common way is to let Azure Notebooks read a configuration file that holds the secrets, or to initialize a plain-text password constant directly in the notebook.

In this article, let’s explore another way: fetch the secret from Azure Key Vault and connect to your Log Analytics workspace interactively, without worrying much about Python module dependencies. You would not have to store any secret in a configuration file, nor install another Python module just to get a masked text box for typing the password.

You may need this if you work with an external MSSP (Managed Security Service Provider) and do not want to hand them any secret. You would only grant them the RBAC they need to do the work :). Note that an analyst who can run the notebook can still read the secret once it has been fetched; what you gain is that the secret is never at rest in the notebook or a configuration file, and that access to it is granted, revoked and logged centrally in Key Vault.

Pre-requisites

Storing secrets in Azure Key Vault is considered a security best practice, although it adds some coding overhead and a few more steps to get things done. In this scenario, let’s create a secret named jupyterClientSecret and store the service principal’s password in it.

  • A service principal, used to authenticate with the Log Analytics workspace.
  • A Key Vault with a secret that stores the service principal’s password.

If you are feeling lazy, run the following quick-and-dirty script to get the pre-requisites done:

Interactive Azure Logon with Python

To log in to Azure interactively from Python, you can use acquire_token_with_device_code() from the ADAL library (after acquire_user_code() has requested the device code). Below is sample code that obtains an access token which can be used to authorize against the Azure Key Vault endpoint, i.e. a token for the resource https://vault.azure.net. (ADAL has since been superseded by MSAL, where initiate_device_flow() and acquire_token_by_device_flow() provide the same flow.)

When you execute this code snippet, Azure Notebooks prints a device code. You simply browse to the verification page (https://microsoft.com/devicelogin) and enter the given code.

Get Key Vault Secret via API Call

Once you have the access token, you simply pass it as a Bearer token in the Authorization header of a GET request to the secret’s URI. Below is the sample code:

Reload kqlmagic and Authenticate with the Log Analytics workspace

Finally, take the returned client secret value and pass it to kqlmagic in order to connect to your Log Analytics workspace.

Here is the full code snippet to log in to Azure interactively and then connect to the Log Analytics workspace.
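The following is an added, stand-alone example of the whole procedure (device-code sign-in, Key Vault secret retrieval over the REST API, kqlmagic connection string); it is not the post’s own snippet. It talks to the Azure AD v1 device-code and token endpoints directly with the standard library, which is what adal’s acquire_user_code() and acquire_token_with_device_code() do under the hood, so no extra module is needed. The HTTP transport is a parameter, and fake_azure() is a constructed in-memory stand-in for Azure AD and Key Vault so the flow can be run and checked offline; the tenant name, app IDs, vault name, workspace ID and secret value in demo() are all made up. Assumed, and not stated on the page: the app registration used for the device-code sign-in is a public client allowed to request Key Vault tokens, and the signed-in user (not the service principal) holds the get permission on secrets in that vault.

```python
"""Device-code sign-in, Key Vault secret fetch and kqlmagic connection string: an added example,
not the post's own code. The HTTP layer is injectable so the flow runs offline against fake_azure()."""
import json
import time
import urllib.error
import urllib.parse
import urllib.request

AAD = "https://login.microsoftonline.com"
KEY_VAULT_RESOURCE = "https://vault.azure.net"  # audience for Key Vault data-plane tokens
def http_json(method, url, data=None, headers=None):
    """Real transport: form-encode `data`, send it, return (status, parsed JSON body)."""
    body = urllib.parse.urlencode(data).encode() if data else None
    req = urllib.request.Request(url, data=body, method=method, headers=headers or {})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:  # AAD answers 400 while the sign-in is still pending
        return err.code, json.loads(err.read() or b"{}")

def device_code_login(tenant, client_id, resource, transport=http_json, prompt=print, sleep=time.sleep):
    """Azure AD v1 device-code grant (what adal's acquire_user_code() + acquire_token_with_device_code()
    do): show the user a code, poll the token endpoint until they finish in the browser, return the token."""
    status, info = transport("POST", f"{AAD}/{tenant}/oauth2/devicecode?api-version=1.0",
                             data={"client_id": client_id, "resource": resource})
    if status != 200:
        raise RuntimeError(f"device code request failed: {info}")
    prompt(info["message"])  # "To sign in, open https://microsoft.com/devicelogin and enter the code ..."
    interval = int(info.get("interval", 5))
    deadline = time.monotonic() + int(info["expires_in"])
    while time.monotonic() < deadline:
        status, tok = transport("POST", f"{AAD}/{tenant}/oauth2/token",
                                data={"grant_type": "device_code", "client_id": client_id,
                                      "resource": resource, "code": info["device_code"]})
        if status == 200:
            return tok["access_token"]
        err = tok.get("error")
        if err == "slow_down":  # server asks for a longer polling interval
            interval += 5
        elif err != "authorization_pending":
            raise RuntimeError(f"device code sign-in failed: {err}")
        sleep(interval)
    raise TimeoutError("device code expired before the user completed sign-in")

def get_key_vault_secret(vault_name, secret_name, access_token, transport=http_json):
    """GET /secrets/{name}?api-version=7.0 with a Bearer header; no version segment = current version."""
    url = f"https://{vault_name}.vault.azure.net/secrets/{secret_name}?api-version=7.0"
    status, body = transport("GET", url, headers={"Authorization": f"Bearer {access_token}"})
    if status != 200:
        raise PermissionError(f"Key Vault returned {status}: {body}")
    return body["value"]

def kqlmagic_connection_string(tenant, client_id, client_secret, workspace_id, alias):
    """kqlmagic's loganalytics:// form for service-principal (client secret) authentication."""
    return (f"loganalytics://tenant='{tenant}';clientid='{client_id}';"
            f"clientsecret='{client_secret}';workspace='{workspace_id}';alias='{alias}'")

def connect_notebook(tenant, login_app_id, vault_name, secret_name, sp_client_id, workspace_id, alias="sentinel"):
    """Notebook-cell glue. Assumed: `login_app_id` is a public-client app registration allowed to
    request Key Vault tokens, and the signed-in user holds 'get' on secrets in the vault."""
    token = device_code_login(tenant, login_app_id, KEY_VAULT_RESOURCE)
    secret = get_key_vault_secret(vault_name, secret_name, token)
    conn = kqlmagic_connection_string(tenant, sp_client_id, secret, workspace_id, alias)
    from IPython import get_ipython  # only available inside Jupyter / Azure Notebooks
    get_ipython().run_line_magic("reload_ext", "Kqlmagic")
    get_ipython().run_line_magic("kql", conn)  # the secret lives only in this frame, never in a file

def fake_azure(device_code="dev-code-1", user_code="ABCD1234", token="kv-token",
               secret="sp-password", pending_polls=2):
    """Constructed offline stand-in for AAD and Key Vault: the 'user' approves after
    `pending_polls` authorization_pending answers; state['polls'] counts token polls."""
    state = {"polls": 0}
    def transport(method, url, data=None, headers=None):
        if url.endswith("/oauth2/devicecode?api-version=1.0"):
            return 200, {"user_code": user_code, "device_code": device_code, "expires_in": 900,
                         "interval": 5, "message": f"Open https://microsoft.com/devicelogin, enter {user_code}"}
        if url.endswith("/oauth2/token"):
            if data.get("grant_type") != "device_code" or data.get("code") != device_code:
                return 400, {"error": "invalid_grant"}
            state["polls"] += 1
            if state["polls"] <= pending_polls:
                return 400, {"error": "authorization_pending"}
            return 200, {"access_token": token, "token_type": "Bearer"}
        if ".vault.azure.net/secrets/" in url and method == "GET":
            if (headers or {}).get("Authorization") != f"Bearer {token}":
                return 401, {"error": {"code": "Unauthorized"}}
            return 200, {"value": secret}
        return 404, {"error": "not found"}
    return transport, state

def demo():
    """Run the whole flow offline; returns (connection string, number of token polls made)."""
    transport, state = fake_azure()
    token = device_code_login("contoso.onmicrosoft.com", "login-app-id", KEY_VAULT_RESOURCE,
                              transport=transport, prompt=lambda _: None, sleep=lambda _: None)
    secret = get_key_vault_secret("sentinel-kv", "jupyterClientSecret", token, transport=transport)
    conn = kqlmagic_connection_string("contoso.onmicrosoft.com", "sp-client-id", secret,
                                      "11111111-2222-3333-4444-555555555555", "sentinel")
    return conn, state["polls"]
```

In a real notebook you would call connect_notebook(...) with your tenant, the login app’s client ID, the vault and secret names, the service principal’s client ID and the workspace ID; demo() exercises the same functions against the fake endpoints, including the authorization_pending polling that happens while the user is still typing the code into the browser. Two points worth noticing: the token is requested for the Key Vault resource only, so it cannot be replayed against other APIs, and the secret never leaves the function that hands it to kqlmagic, so nothing ends up in a file or a notebook output cell.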

Once you are connected to the Log Analytics workspace, it’s time to enjoy your hunting.

There is a detailed write-up from Maurice de Jong that uses the Azure Key Vault SDK instead; it is a must-read. You now have two ways: one calls the REST API directly and one works with the SDK library.
