From 946f2327144209fff9d9d9f156b29fdccceadc00 Mon Sep 17 00:00:00 2001 From: philip Date: Fri, 17 Oct 2025 14:58:48 -0500 Subject: [PATCH] Update retroactive hunting documentation. --- .../retroactive-hunting-notebook/README.md | 4 ++-- .../TI-Retroactive-Hunting.ipynb | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/sentinel-lake-notebooks/retroactive-hunting-notebook/README.md b/sentinel-lake-notebooks/retroactive-hunting-notebook/README.md index 87b13ff7..144d3cee 100644 --- a/sentinel-lake-notebooks/retroactive-hunting-notebook/README.md +++ b/sentinel-lake-notebooks/retroactive-hunting-notebook/README.md @@ -25,7 +25,7 @@ For this job specifically there is job yaml file included. Action required by u - **CommonSecurityLogs**: Table for collecting events in the Common Event format from different security sources. ### Required Customer Input: -- **WORKSPACE_NAME**: Customer Log Analytics workspace name. This will be used for retrieving indicator and log data, as well as for outputing match results. If 'None' is provided then the notebook will look for the first log analytics workspace that is not the Sentinel generated 'default' workspace. +- **WORKSPACE_NAME**: Customer Log Analytics workspace name. This will be used for retrieving indicator and log data, as well as for outputing match results. If None is provided then the notebook will look for the first log analytics workspace that is not the Sentinel generated "System tables" workspace. This is a string variable and must be wrapped in quotes. - **LOOKBACK_DAYS**: 14-365. Lookback time period for logs matching. Default 30. - **MATCH_MODE**: Which ThreatIntelIndicators to match against which logs: current (TI valid now), loose (ignore validity). Default "current". - Enabled the log sources that you would like to match against under the `LOG SOURCE TOGGLES - SUPPORTED` section. 
@@ -45,7 +45,7 @@ Results are aggregated by TI indicator with match counts and event references fo | TIReferenceId | string | Reference to the Threat Intelligence record (e.g., internal IoC ID or STIX ID). | | TIValue | string | Actual IoC or observable value that was matched (e.g., "malicious.com", name of TTP, etc.). | | MatchCount | int | Number of events or records in the environment that matched this TI object. | -| EventReferences | dynamic | Array of matched events with format `[{"Table":"SigninLogs","RecordId":"abc123"}, ...]`. | +| EventReferences | dynamic | Array of matched events with format `[{"Table":"Syslog","TimeGenerated":"2025-09-12T18:01:08.768Z","LogField":"SyslogMessage"},...]`. | | TTPs | dynamic | Array of MITRE techniques (e.g., `["T1059", "T1071.001"]`) associated with the matched TI. | | ThreatActors | dynamic | Array of threat actor names tied to the matched TI object. | | EnrichmentContext | dynamic | Optional dictionary of enrichment tags (e.g., industry, country, malware family, confidence score). | diff --git a/sentinel-lake-notebooks/retroactive-hunting-notebook/TI-Retroactive-Hunting.ipynb b/sentinel-lake-notebooks/retroactive-hunting-notebook/TI-Retroactive-Hunting.ipynb index 8bfdd846..98831286 100644 --- a/sentinel-lake-notebooks/retroactive-hunting-notebook/TI-Retroactive-Hunting.ipynb +++ b/sentinel-lake-notebooks/retroactive-hunting-notebook/TI-Retroactive-Hunting.ipynb 
@@ -36,7 +36,7 @@ "- **CommonSecurityLogs**: Table for collecting events in the Common Event format from different security sources.\n", "\n", "### Required Customer Input:\n", - "- **WORKSPACE_NAME**: Customer Log Analytics workspace name. This will be used for retrieving indicator and log data, as well as for outputing match results. If 'None' is provided then the notebook will look for the first log analytics workspace that is not the Sentinel generated 'default' workspace.\n", + "- **WORKSPACE_NAME**: Customer Log Analytics workspace name. This will be used for retrieving indicator and log data, as well as for outputing match results. If None is provided then the notebook will look for the first log analytics workspace that is not the Sentinel generated \"System tables\" workspace. This is a string variable and must be wrapped in quotes.\n", "- **LOOKBACK_DAYS**: 14-365. Lookback time period for logs matching. Default 30.\n", "- **MATCH_MODE**: Which ThreatIntelIndicators to match against which logs: current (TI valid now), loose (ignore validity). Default \"current\".\n", "- Enabled the log sources that you would like to match against under the `LOG SOURCE TOGGLES - SUPPORTED` section.\n", 
@@ -56,7 +56,7 @@ "| TIReferenceId | string | Reference to the Threat Intelligence record (e.g., internal IoC ID or STIX ID). |\n", "| TIValue | string | Actual IoC or observable value that was matched (e.g., \"malicious.com\", name of TTP, etc.). |\n", "| MatchCount | int | Number of events or records in the environment that matched this TI object. |\n", - "| EventReferences | dynamic | Array of matched events with format `[{\"Table\":\"SigninLogs\",\"RecordId\":\"abc123\"}, ...]`. |\n", + "| EventReferences | dynamic | Array of matched events with format `[{\"Table\":\"Syslog\",\"TimeGenerated\":\"2025-09-12T18:01:08.768Z\",\"LogField\":\"SyslogMessage\"},...]`. |\n", "| TTPs | dynamic | Array of MITRE techniques (e.g., `[\"T1059\", \"T1071.001\"]`) associated with the matched TI. |\n", "| ThreatActors | dynamic | Array of threat actor names tied to the matched TI object. |\n", "| EnrichmentContext | dynamic | Optional dictionary of enrichment tags (e.g., industry, country, malware family, confidence score). |\n", @@ -76,7 +76,7 @@ "# ===============================================================================\n", "\n", "# Workspace and Data Configuration\n", - "WORKSPACE_NAME = None # log analytics workspace required to be set by customer; or leave as None to auto-detect the first non-default workspace\n", + "WORKSPACE_NAME = None # Log analytics workspace required to be set by customer; or leave as None to auto-detect the first non-default workspace. This must be a string wrapped in quotes, example: \"MyWorkspace-Name\"\n", "LOOKBACK_DAYS = 30 # Days to look back for logs (default: 1 month)\n", "\n", "# Matching Mode Configuration - Default \"current\"\n",
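Review bot: the new WORKSPACE_NAME line in the README hunk (@@ -25,7) is internally inconsistent: it says "If None is provided" and then "This is a string variable and must be wrapped in quotes", without saying that None itself is the unquoted Python value. Suggest wording it as: `Leave as the unquoted Python value None to auto-detect; otherwise set it to a quoted string, e.g. "MyWorkspace-Name".` The pre-existing typo "outputing" (should be "outputting") is carried into the new line and can be fixed in the same edit, as can "Enabled the log sources" (should be "Enable") in the unchanged context two lines below.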
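Review bot: the new EventReferences example in the README table hunk (@@ -45,7) replaces a per-record identifier (RecordId) with a Table/TimeGenerated/LogField triple, which is not necessarily unique: several Syslog rows can share the same TimeGenerated millisecond and the same field. The column description should state whether a reference is meant to locate one record or only to point the analyst at the table, timestamp and field to query. Minor: the old example had a space in `, ...]`; the new `,...]` drops it.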
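Review bot: the notebook markdown cell hunk (@@ -36,7) duplicates the README text verbatim, including the "outputing" typo and the None-versus-quoted-string ambiguity raised for the README hunk; apply whatever wording is chosen there here as well, or reduce the duplicated block to a link to the README so the two copies cannot drift.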
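Review bot: same point as for the README table: the EventReferences example in the notebook cell (@@ -56,7) now describes a Table/TimeGenerated/LogField reference rather than a RecordId, so the description should say whether it uniquely identifies a record, and the text should stay identical to the README entry.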
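Review bot: the updated inline comment on WORKSPACE_NAME (@@ -76,7) still says "auto-detect the first non-default workspace" while the documentation changed in the same patch now names the excluded workspace as the Sentinel generated "System tables" workspace; align the comment with the docs. The comment also runs well past a readable line width; moving it to a comment line above the assignment (e.g. `# Set to a quoted string such as "MyWorkspace-Name", or leave as None to auto-detect.`) would keep the configuration cell scannable.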