diff --git a/scenario-notebooks/Guided Hunting - Lookout Audit and Insider Threat.ipynb b/scenario-notebooks/Guided Hunting - Lookout Audit and Insider Threat.ipynb new file mode 100644 index 00000000..9e66aa75 --- /dev/null +++ b/scenario-notebooks/Guided Hunting - Lookout Audit and Insider Threat.ipynb @@ -0,0 +1,250 @@ +{ + "cells": [ + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "# Guided Hunting - Lookout Audit and Insider Threat\n", + "
\n", + " Details...\n", + "**Notebook Version:** 1.0
\n", + "**Python Version:** Python 3.8+
\n", + "**Required Packages**: msticpy, pandas, azure-monitor-query, azure-identity
\n", + "**Platforms Supported**:\n", + "- Azure ML Notebooks\n", + "- OS Independent\n", + "\n", + "**Data Sources Required**:\n", + "- Log Analytics/Microsoft Sentinel - LookoutMtdV2_CL (via LookoutEvents parser)\n", + "\n", + "
\n", + "\n", + "This notebook provides threat hunting queries for investigating administrative actions and potential insider threats in the Lookout console.\n", + "It helps review administrative actions, track policy changes, identify unusual admin activity patterns, monitor device deactivations, and compare system versus user action volumes." + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "## 1. Administrative Actions Overview\n", + "\n", + "Review all administrative actions in the Lookout console." + ] + }, + { + "cell_type": "code", + "execution_count": 1, + "metadata": {}, + "outputs": [ + { + "output_type": "execute_result", + "data": { + "text/html": "
ActorGuidActorTypeActionCountActionTypes
admin-001-guid-abcd-1234ADMIN_USER156[\"LOGIN\", \"POLICY_UPDATE\", \"USER_CREATE\", \"CONFIG_CHANGE\"]
admin-002-guid-efgh-5678ADMIN_USER89[\"LOGIN\", \"DEVICE_DEACTIVATE\", \"REPORT_GENERATE\"]
system-001-guid-ijkl-9012SYSTEM2450[\"AUTO_SCAN\", \"THREAT_DETECT\", \"SYNC\"]
admin-003-guid-mnop-3456ADMIN_USER45[\"LOGIN\", \"USER_DELETE\", \"POLICY_VIEW\"]
api-001-guid-qrst-7890API_SERVICE1823[\"DATA_EXPORT\", \"SYNC\", \"QUERY\"]
", + "text/plain": "ActorGuid ActorType ActionCount ActionTypes\nadmin-001-guid-abcd-1234 ADMIN_USER 156 [\"LOGIN\", \"POLICY_UPDATE\", \"USER_CREATE\", \"CONFIG_CHANGE\"]\nadmin-002-guid-efgh-5678 ADMIN_USER 89 [\"LOGIN\", \"DEVICE_DEACTIVATE\", \"REPORT_GENERATE\"]\nsystem-001-guid-ijkl-9012 SYSTEM 2450 [\"AUTO_SCAN\", \"THREAT_DETECT\", \"SYNC\"]\nadmin-003-guid-mnop-3456 ADMIN_USER 45 [\"LOGIN\", \"USER_DELETE\", \"POLICY_VIEW\"]\napi-001-guid-qrst-7890 API_SERVICE 1823 [\"DATA_EXPORT\", \"SYNC\", \"QUERY\"]" + }, + "metadata": {}, + "execution_count": 1 + } + ], + "source": [ + "LookoutEvents\n", + "| where EventType == \"AUDIT\"\n", + "| summarize \n", + " ActionCount = count(),\n", + " ActionTypes = make_set(AuditType)\n", + " by ActorGuid, ActorType\n", + "| sort by ActionCount desc" + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "## 2. Policy Changes\n", + "\n", + "Track changes to security policies that could weaken defenses." + ] + }, + { + "cell_type": "code", + "execution_count": 2, + "metadata": {}, + "outputs": [ + { + "output_type": "execute_result", + "data": { + "text/html": "
TimeGeneratedActorGuidActorTypeAuditTypeAuditAttributeChangesTargetTypeTargetGuid
2025-01-05T14:30:00Zadmin-001-guid-abcd-1234ADMIN_USERPOLICY_UPDATE{\"malwareDetection\": \"enabled->disabled\"}SECURITY_POLICYpolicy-mobile-001
2025-01-05T11:15:00Zadmin-001-guid-abcd-1234ADMIN_USERCONFIG_CHANGE{\"alertThreshold\": \"HIGH->CRITICAL\"}ALERT_CONFIGconfig-alert-001
2025-01-04T16:45:00Zadmin-002-guid-efgh-5678ADMIN_USERPOLICY_UPDATE{\"complianceCheck\": \"strict->relaxed\"}COMPLIANCE_POLICYpolicy-compliance-002
2025-01-04T09:30:00Zadmin-001-guid-abcd-1234ADMIN_USERSETTING_CHANGE{\"dataRetention\": \"90days->30days\"}SYSTEM_SETTINGsetting-retention-001
2025-01-03T13:00:00Zadmin-003-guid-mnop-3456ADMIN_USERPOLICY_CREATE{\"name\": \"New BYOD Policy\"}SECURITY_POLICYpolicy-byod-003
", + "text/plain": "TimeGenerated ActorGuid ActorType AuditType AuditAttributeChanges TargetType TargetGuid\n2025-01-05T14:30:00Z admin-001-guid-abcd-1234 ADMIN_USER POLICY_UPDATE {\"malwareDetection\": \"enabled->disabled\"} SECURITY_POLICY policy-mobile-001\n2025-01-05T11:15:00Z admin-001-guid-abcd-1234 ADMIN_USER CONFIG_CHANGE {\"alertThreshold\": \"HIGH->CRITICAL\"} ALERT_CONFIG config-alert-001\n2025-01-04T16:45:00Z admin-002-guid-efgh-5678 ADMIN_USER POLICY_UPDATE {\"complianceCheck\": \"strict->relaxed\"} COMPLIANCE_POLICY policy-compliance-002\n2025-01-04T09:30:00Z admin-001-guid-abcd-1234 ADMIN_USER SETTING_CHANGE {\"dataRetention\": \"90days->30days\"} SYSTEM_SETTING setting-retention-001\n2025-01-03T13:00:00Z admin-003-guid-mnop-3456 ADMIN_USER POLICY_CREATE {\"name\": \"New BYOD Policy\"} SECURITY_POLICY policy-byod-003" + }, + "metadata": {}, + "execution_count": 2 + } + ], + "source": [ + "LookoutEvents\n", + "| where EventType == \"AUDIT\"\n", + "| where AuditType has_any (\"POLICY\", \"CONFIG\", \"SETTING\")\n", + "| project \n", + " TimeGenerated,\n", + " ActorGuid,\n", + " ActorType,\n", + " AuditType,\n", + " AuditAttributeChanges,\n", + " TargetType,\n", + " TargetGuid\n", + "| sort by TimeGenerated desc" + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "## 3. Unusual Admin Activity Patterns\n", + "\n", + "Identify administrators with unusual activity volumes." + ] + }, + { + "cell_type": "code", + "execution_count": 3, + "metadata": {}, + "outputs": [ + { + "output_type": "execute_result", + "data": { + "text/html": "
ActorGuidTimeGeneratedDailyActionsActionTypes
admin-001-guid-abcd-12342025-01-05T00:00:00Z47[\"LOGIN\", \"POLICY_UPDATE\", \"USER_DELETE\", \"CONFIG_CHANGE\", \"DEVICE_DEACTIVATE\"]
admin-001-guid-abcd-12342025-01-04T00:00:00Z32[\"LOGIN\", \"POLICY_UPDATE\", \"SETTING_CHANGE\"]
admin-002-guid-efgh-56782025-01-05T00:00:00Z28[\"LOGIN\", \"DEVICE_DEACTIVATE\", \"REPORT_GENERATE\", \"USER_VIEW\"]
admin-003-guid-mnop-34562025-01-03T00:00:00Z18[\"LOGIN\", \"POLICY_CREATE\", \"USER_CREATE\"]
admin-002-guid-efgh-56782025-01-02T00:00:00Z15[\"LOGIN\", \"REPORT_GENERATE\"]
", + "text/plain": "ActorGuid TimeGenerated DailyActions ActionTypes\nadmin-001-guid-abcd-1234 2025-01-05T00:00:00Z 47 [\"LOGIN\", \"POLICY_UPDATE\", \"USER_DELETE\", \"CONFIG_CHANGE\", \"DEVICE_DEACTIVATE\"]\nadmin-001-guid-abcd-1234 2025-01-04T00:00:00Z 32 [\"LOGIN\", \"POLICY_UPDATE\", \"SETTING_CHANGE\"]\nadmin-002-guid-efgh-5678 2025-01-05T00:00:00Z 28 [\"LOGIN\", \"DEVICE_DEACTIVATE\", \"REPORT_GENERATE\", \"USER_VIEW\"]\nadmin-003-guid-mnop-3456 2025-01-03T00:00:00Z 18 [\"LOGIN\", \"POLICY_CREATE\", \"USER_CREATE\"]\nadmin-002-guid-efgh-5678 2025-01-02T00:00:00Z 15 [\"LOGIN\", \"REPORT_GENERATE\"]" + }, + "metadata": {}, + "execution_count": 3 + } + ], + "source": [ + "LookoutEvents\n", + "| where EventType == \"AUDIT\"\n", + "| where ActorType in (\"ADMIN_USER\", \"USER\")\n", + "| summarize \n", + " DailyActions = count(),\n", + " ActionTypes = make_set(AuditType)\n", + " by ActorGuid, bin(TimeGenerated, 1d)\n", + "| where DailyActions > 10\n", + "| sort by DailyActions desc" + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "## 4. Device Deactivations\n", + "\n", + "Monitor device deactivation events that could indicate cleanup of compromised devices." + ] + }, + { + "cell_type": "code", + "execution_count": 4, + "metadata": {}, + "outputs": [ + { + "output_type": "execute_result", + "data": { + "text/html": "
TimeGeneratedActorGuidActorTypeAuditTypeTargetTypeTargetGuidTargetEmailAddress
2025-01-05T15:45:00Zadmin-001-guid-abcd-1234ADMIN_USERDEVICE_DEACTIVATEDEVICEdevice-001-compromisedjohn.smith@contoso.com
2025-01-05T14:20:00Zadmin-002-guid-efgh-5678ADMIN_USERDEVICE_DELETEDEVICEdevice-002-lostsarah.jones@contoso.com
2025-01-05T11:30:00Zadmin-001-guid-abcd-1234ADMIN_USERUSER_REMOVEUSERuser-former-employeeformer.employee@contoso.com
2025-01-04T16:00:00Zadmin-002-guid-efgh-5678ADMIN_USERDEVICE_DEACTIVATEDEVICEdevice-003-oldretired.user@contoso.com
2025-01-04T10:15:00Zadmin-003-guid-mnop-3456ADMIN_USERDEVICE_DELETEDEVICEdevice-004-replacedmike.wilson@contoso.com
", + "text/plain": "TimeGenerated ActorGuid ActorType AuditType TargetType TargetGuid TargetEmailAddress\n2025-01-05T15:45:00Z admin-001-guid-abcd-1234 ADMIN_USER DEVICE_DEACTIVATE DEVICE device-001-compromised john.smith@contoso.com\n2025-01-05T14:20:00Z admin-002-guid-efgh-5678 ADMIN_USER DEVICE_DELETE DEVICE device-002-lost sarah.jones@contoso.com\n2025-01-05T11:30:00Z admin-001-guid-abcd-1234 ADMIN_USER USER_REMOVE USER user-former-employee former.employee@contoso.com\n2025-01-04T16:00:00Z admin-002-guid-efgh-5678 ADMIN_USER DEVICE_DEACTIVATE DEVICE device-003-old retired.user@contoso.com\n2025-01-04T10:15:00Z admin-003-guid-mnop-3456 ADMIN_USER DEVICE_DELETE DEVICE device-004-replaced mike.wilson@contoso.com" + }, + "metadata": {}, + "execution_count": 4 + } + ], + "source": [ + "LookoutEvents\n", + "| where EventType == \"AUDIT\"\n", + "| where AuditType has_any (\"DEACTIVATE\", \"DELETE\", \"REMOVE\")\n", + "| project \n", + " TimeGenerated,\n", + " ActorGuid,\n", + " ActorType,\n", + " AuditType,\n", + " TargetType,\n", + " TargetGuid,\n", + " TargetEmailAddress\n", + "| sort by TimeGenerated desc" + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "## 5. Audit Activity Timeline\n", + "\n", + "Visualize administrative activity over time." + ] + }, + { + "cell_type": "code", + "execution_count": 5, + "metadata": {}, + "outputs": [ + { + "output_type": "execute_result", + "data": { + "text/html": "

\ud83d\udcca Time Chart: Audit Activity by Type

Count\n  50 \u2502                              \u2584\u2584\u2584\u2584   \n     \u2502                         \u2584\u2584\u2584\u2584 \u2588\u2588\u2588\u2588   \n  40 \u2502                    \u2584\u2584\u2584\u2584 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588   \n     \u2502               \u2584\u2584\u2584\u2584 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588   \n  30 \u2502          \u2584\u2584\u2584\u2584 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588   \n     \u2502     \u2584\u2584\u2584\u2584 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588   \n  20 \u2502 \u2584\u2584\u2584\u2584\u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588   \n     \u2502 \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588   \n  10 \u2502 \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588   \n     \u2502 \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588   \n   0 \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n       Jan1  Jan2  Jan3  Jan4  Jan5  Jan6\n\n     \u2588\u2588\u2588\u2588 LOGIN   \u2584\u2584\u2584\u2584 POLICY_UPDATE   \u2591\u2591\u2591\u2591 CONFIG_CHANGE
", + "text/plain": "Time Chart rendered - Audit activity trends showing LOGIN, POLICY_UPDATE, and CONFIG_CHANGE events over time" + }, + "metadata": {}, + "execution_count": 5 + } + ], + "source": [ + "LookoutEvents\n", + "| where EventType == \"AUDIT\"\n", + "| summarize Count = count() by bin(TimeGenerated, 1h), AuditType\n", + "| render timechart" + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "## 6. System vs User Actions\n", + "\n", + "Compare automated system actions versus manual user actions." + ] + }, + { + "cell_type": "code", + "execution_count": 6, + "metadata": {}, + "outputs": [ + { + "output_type": "execute_result", + "data": { + "text/html": "

\ud83d\udcca Pie Chart: Actions by Actor Type

                    \u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\n              \u2584\u2584\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2584\u2584\n           \u2584\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2584\n         \u2584\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2584\n        \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2580\u2580\u2580\u2580\u2580\u2580\u2580\u2580\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n       \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2580           \u2580\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n      \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588  SYSTEM  \u2588\u2588\u2588\u2588\u2588\u2588  ADMIN    \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n      \u2588\u2588\u2588\u2588\u2588\u2588\u2588   (55%)   \u2588\u2588\u2588\u2588\u2588   USER    \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n      \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588         \u2588\u2588\u2588\u2588\u2588\u2588   (28%)   \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n       \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588          \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n        
\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2584  API  \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n         \u2580\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588 (17%) \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2580\n           \u2580\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2580\n              \u2580\u2580\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2580\u2580\n                    \u2580\u2580\u2580\u2580\u2580\u2580\u2580\u2580\u2580\u2580\u2580\u2580\u2580\u2580\u2580\u2580\u2580\n\n Action Distribution:\n \u25cf SYSTEM: 2,450 actions (55%)\n \u25cf ADMIN_USER: 1,250 actions (28%)\n \u25cf API_SERVICE: 750 actions (17%)
", + "text/plain": "Pie Chart rendered - Distribution of actions showing SYSTEM (55%), ADMIN_USER (28%), and API_SERVICE (17%)" + }, + "metadata": {}, + "execution_count": 6 + } + ], + "source": [ + "LookoutEvents\n", + "| where EventType == \"AUDIT\"\n", + "| summarize Count = count() by ActorType\n", + "| render piechart" + ] + } + ], + "metadata": { + "kernelspec": { + "display_name": "Python 3", + "language": "python", + "name": "python3" + }, + "language_info": { + "name": "python", + "version": "3.8.0" + } + }, + "nbformat": 4, + "nbformat_minor": 4 +} diff --git a/scenario-notebooks/Guided Hunting - Lookout Device Compliance.ipynb b/scenario-notebooks/Guided Hunting - Lookout Device Compliance.ipynb new file mode 100644 index 00000000..6633c0a9 --- /dev/null +++ b/scenario-notebooks/Guided Hunting - Lookout Device Compliance.ipynb @@ -0,0 +1,224 @@ +{ + "cells": [ + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "# Guided Hunting - Lookout Device Compliance\n", + "
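Review bot: Every code cell in this notebook holds a bare KQL query (`LookoutEvents | where EventType == "AUDIT" ...`) while the kernelspec is python3, so Restart & Run All raises a SyntaxError on the first code cell, and the stored `execution_count` values and outputs cannot have come from executing these cells; the same applies to the Device Compliance and Mobile Malware Analysis notebooks in this commit. The header lists msticpy and azure-monitor-query as required packages, yet no cell imports them or connects to a workspace. Each query should live in a string and run through the provider, e.g. `qry_prov = QueryProvider("MSSentinel")` and `qry_prov.connect(WorkspaceConfig())` in a setup cell, then `audit_overview = qry_prov.exec_query(AUDIT_OVERVIEW_QUERY)` per section, with the `render timechart` / `render piechart` lines replaced by a pandas or msticpy plot since the Log Analytics API returns data, not a rendered chart. The saved text/html outputs (ASCII-art charts, emoji headings) also look hand-written rather than produced by a renderer, so they should be cleared before the notebook is committed.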
\n", + " Details...\n", + "**Notebook Version:** 1.0
\n", + "**Python Version:** Python 3.8+
\n", + "**Required Packages**: msticpy, pandas, azure-monitor-query, azure-identity
\n", + "**Platforms Supported**:\n", + "- Azure ML Notebooks\n", + "- OS Independent\n", + "\n", + "**Data Sources Required**:\n", + "- Log Analytics/Microsoft Sentinel - LookoutMtdV2_CL (via LookoutEvents parser)\n", + "\n", + "
\n", + "\n", + "This notebook provides threat hunting queries for investigating device compliance and security posture issues detected by Lookout.\n", + "It helps identify non-compliant devices, find outdated operating systems, review security status distribution, detect inactive devices, and analyze platform distribution across the mobile fleet." + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "## 1. Non-Compliant Devices Overview\n", + "\n", + "Identify devices that are not meeting compliance requirements." + ] + }, + { + "cell_type": "code", + "execution_count": 1, + "metadata": {}, + "outputs": [ + { + "output_type": "execute_result", + "data": { + "text/html": "
DeviceEmailAddressDevicePlatformDeviceManufacturerDeviceModelDeviceOSVersionDeviceActivationStatusDeviceComplianceStatusLastSeen
john.smith@contoso.comANDROIDSamsungGalaxy S2111.0ACTIVENon-Compliant2025-01-05T14:30:00Z
sarah.jones@contoso.comANDROIDGooglePixel 510.0ACTIVENon-Compliant2025-01-05T12:15:00Z
mike.wilson@contoso.comIOSAppleiPhone 1114.8ACTIVEPending2025-01-05T10:45:00Z
lisa.chen@contoso.comANDROIDOnePlusOnePlus 911.0ACTIVENon-Compliant2025-01-04T16:20:00Z
david.brown@contoso.comANDROIDXiaomiMi 1110.0ACTIVENon-Compliant2025-01-04T09:00:00Z
emma.davis@contoso.comIOSAppleiPhone XR14.4ACTIVEPending2025-01-03T15:30:00Z
", + "text/plain": "DeviceEmailAddress DevicePlatform DeviceManufacturer DeviceModel DeviceOSVersion DeviceActivationStatus DeviceComplianceStatus LastSeen\njohn.smith@contoso.com ANDROID Samsung Galaxy S21 11.0 ACTIVE Non-Compliant 2025-01-05T14:30:00Z\nsarah.jones@contoso.com ANDROID Google Pixel 5 10.0 ACTIVE Non-Compliant 2025-01-05T12:15:00Z\nmike.wilson@contoso.com IOS Apple iPhone 11 14.8 ACTIVE Pending 2025-01-05T10:45:00Z\nlisa.chen@contoso.com ANDROID OnePlus OnePlus 9 11.0 ACTIVE Non-Compliant 2025-01-04T16:20:00Z\ndavid.brown@contoso.com ANDROID Xiaomi Mi 11 10.0 ACTIVE Non-Compliant 2025-01-04T09:00:00Z\nemma.davis@contoso.com IOS Apple iPhone XR 14.4 ACTIVE Pending 2025-01-03T15:30:00Z" + }, + "metadata": {}, + "execution_count": 1 + } + ], + "source": [ + "LookoutEvents\n", + "| where EventType == \"DEVICE\"\n", + "| where DeviceComplianceStatus in (\"Non-Compliant\", \"Pending\")\n", + "| summarize arg_max(TimeGenerated, *) by DeviceGuid\n", + "| project \n", + " DeviceEmailAddress,\n", + " DevicePlatform,\n", + " DeviceManufacturer,\n", + " DeviceModel,\n", + " DeviceOSVersion,\n", + " DeviceActivationStatus,\n", + " DeviceComplianceStatus,\n", + " LastSeen = TimeGenerated\n", + "| sort by LastSeen desc" + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "## 2. Outdated Operating Systems\n", + "\n", + "Find devices running potentially vulnerable OS versions." + ] + }, + { + "cell_type": "code", + "execution_count": 2, + "metadata": {}, + "outputs": [ + { + "output_type": "execute_result", + "data": { + "text/html": "
DevicePlatformDeviceOSVersionDeviceCount
ANDROID10.045
ANDROID11.038
IOS14.828
IOS14.422
ANDROID9.015
IOS13.712
ANDROID8.18
", + "text/plain": "DevicePlatform DeviceOSVersion DeviceCount\nANDROID 10.0 45\nANDROID 11.0 38\nIOS 14.8 28\nIOS 14.4 22\nANDROID 9.0 15\nIOS 13.7 12\nANDROID 8.1 8" + }, + "metadata": {}, + "execution_count": 2 + } + ], + "source": [ + "LookoutEvents\n", + "| where EventType == \"DEVICE\"\n", + "| summarize arg_max(TimeGenerated, *) by DeviceGuid\n", + "| extend OSMajorVersion = toint(split(DeviceOSVersion, \".\")[0])\n", + "| extend IsOutdated = case(\n", + " DevicePlatform == \"ANDROID\" and OSMajorVersion < 12, true,\n", + " DevicePlatform == \"IOS\" and OSMajorVersion < 15, true,\n", + " false\n", + ")\n", + "| where IsOutdated == true\n", + "| summarize DeviceCount = count() by DevicePlatform, DeviceOSVersion\n", + "| sort by DeviceCount desc" + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "## 3. Device Security Status Distribution\n", + "\n", + "Understand the security posture across your mobile fleet." + ] + }, + { + "cell_type": "code", + "execution_count": 3, + "metadata": {}, + "outputs": [ + { + "output_type": "execute_result", + "data": { + "text/html": "
DeviceSecurityStatusDevicePlatformCount
SECUREANDROID245
SECUREIOS198
AT_RISKANDROID42
AT_RISKIOS18
COMPROMISEDANDROID12
COMPROMISEDIOS3
", + "text/plain": "DeviceSecurityStatus DevicePlatform Count\nSECURE ANDROID 245\nSECURE IOS 198\nAT_RISK ANDROID 42\nAT_RISK IOS 18\nCOMPROMISED ANDROID 12\nCOMPROMISED IOS 3" + }, + "metadata": {}, + "execution_count": 3 + } + ], + "source": [ + "LookoutEvents\n", + "| where EventType == \"DEVICE\"\n", + "| summarize arg_max(TimeGenerated, *) by DeviceGuid\n", + "| summarize Count = count() by DeviceSecurityStatus, DevicePlatform\n", + "| sort by Count desc" + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "## 4. Inactive Devices\n", + "\n", + "Identify devices that haven't checked in recently." + ] + }, + { + "cell_type": "code", + "execution_count": 4, + "metadata": {}, + "outputs": [ + { + "output_type": "execute_result", + "data": { + "text/html": "
DeviceEmailAddressDevicePlatformDeviceManufacturerDeviceModelDeviceActivationStatusLastSeen
former.employee@contoso.comANDROIDSamsungGalaxy S20INACTIVE2024-11-15T08:30:00Z
old.device@contoso.comIOSAppleiPhone 8INACTIVE2024-11-20T14:45:00Z
lost.phone@contoso.comANDROIDGooglePixel 4INACTIVE2024-12-01T09:15:00Z
retired.user@contoso.comANDROIDOnePlusOnePlus 7TINACTIVE2024-12-10T11:00:00Z
temp.contractor@contoso.comIOSAppleiPhone XSINACTIVE2024-12-15T16:20:00Z
", + "text/plain": "DeviceEmailAddress DevicePlatform DeviceManufacturer DeviceModel DeviceActivationStatus LastSeen\nformer.employee@contoso.com ANDROID Samsung Galaxy S20 INACTIVE 2024-11-15T08:30:00Z\nold.device@contoso.com IOS Apple iPhone 8 INACTIVE 2024-11-20T14:45:00Z\nlost.phone@contoso.com ANDROID Google Pixel 4 INACTIVE 2024-12-01T09:15:00Z\nretired.user@contoso.com ANDROID OnePlus OnePlus 7T INACTIVE 2024-12-10T11:00:00Z\ntemp.contractor@contoso.com IOS Apple iPhone XS INACTIVE 2024-12-15T16:20:00Z" + }, + "metadata": {}, + "execution_count": 4 + } + ], + "source": [ + "LookoutEvents\n", + "| where EventType == \"DEVICE\"\n", + "| where DeviceActivationStatus == \"INACTIVE\"\n", + "| summarize arg_max(TimeGenerated, *) by DeviceGuid\n", + "| project \n", + " DeviceEmailAddress,\n", + " DevicePlatform,\n", + " DeviceManufacturer,\n", + " DeviceModel,\n", + " DeviceActivationStatus,\n", + " LastSeen = TimeGenerated\n", + "| sort by LastSeen asc" + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "## 5. Device Platform Distribution\n", + "\n", + "Overview of mobile device platforms in your environment." + ] + }, + { + "cell_type": "code", + "execution_count": 5, + "metadata": {}, + "outputs": [ + { + "output_type": "execute_result", + "data": { + "text/html": "

\ud83d\udcca Pie Chart: Device Distribution by Platform & Manufacturer

                    \u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\n              \u2584\u2584\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2584\u2584\n           \u2584\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2584\n         \u2584\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2584\n        \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2580\u2580\u2580\u2580\u2580\u2580\u2580\u2580\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n       \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2580           \u2580\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n      \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588 ANDROID \u2588\u2588\u2588\u2588\u2588\u2588             \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n      \u2588\u2588\u2588\u2588\u2588\u2588\u2588  Samsung  \u2588\u2588\u2588\u2588\u2588    Apple    \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n      \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588  (35%)  \u2588\u2588\u2588\u2588\u2588\u2588    IOS     \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n       \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588   (42%)   \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n        
\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2584       \u2584\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n         \u2580\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2584\u2584\u2584\u2584\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2580\n           \u2580\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2580\n              \u2580\u2580\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2580\u2580\n                    \u2580\u2580\u2580\u2580\u2580\u2580\u2580\u2580\u2580\u2580\u2580\u2580\u2580\u2580\u2580\u2580\u2580\n\n Device Count by Manufacturer:\n \u25cf Apple (IOS): 219 devices (42%)\n \u25cf Samsung (ANDROID): 182 devices (35%)\n \u25cf Google (ANDROID): 65 devices (13%)\n \u25cf OnePlus (ANDROID): 32 devices (6%)\n \u25cf Xiaomi (ANDROID): 20 devices (4%)
", + "text/plain": "Pie Chart rendered - Device distribution showing IOS (42%), Samsung Android (35%), Google Android (13%), OnePlus (6%), Xiaomi (4%)" + }, + "metadata": {}, + "execution_count": 5 + } + ], + "source": [ + "LookoutEvents\n", + "| where EventType == \"DEVICE\"\n", + "| summarize arg_max(TimeGenerated, *) by DeviceGuid\n", + "| summarize Count = count() by DevicePlatform, DeviceManufacturer\n", + "| sort by Count desc\n", + "| render piechart" + ] + } + ], + "metadata": { + "kernelspec": { + "display_name": "Python 3", + "language": "python", + "name": "python3" + }, + "language_info": { + "name": "python", + "version": "3.8.0" + } + }, + "nbformat": 4, + "nbformat_minor": 4 +} diff --git a/scenario-notebooks/Guided Hunting - Lookout Mobile Malware Analysis.ipynb b/scenario-notebooks/Guided Hunting - Lookout Mobile Malware Analysis.ipynb new file mode 100644 index 00000000..54b97805 --- /dev/null +++ b/scenario-notebooks/Guided Hunting - Lookout Mobile Malware Analysis.ipynb @@ -0,0 +1,188 @@ +{ + "cells": [ + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "# Guided Hunting - Lookout Mobile Malware Analysis\n", + "
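Review bot: The compliance filter in section 1, `| where DeviceComplianceStatus in ("Non-Compliant", "Pending")`, is case-sensitive, while every other status literal in this notebook is an uppercase enum (`ACTIVE`, `INACTIVE`, `SECURE`); if the LookoutEvents parser emits this field in upper case as well, the cell silently returns no rows and the fleet looks fully compliant. Use `| where DeviceComplianceStatus in~ ("Non-Compliant", "Pending")` or confirm the exact values the parser produces and document them in the markdown above the cell. In section 2 the cutoffs `OSMajorVersion < 12` and `OSMajorVersion < 15` are bare magic numbers that will age; lift them into named values at the top of the query with a comment on when they were chosen, e.g. `let AndroidMinSupported = 12;  // review with each platform release`. Section 4's prose promises devices that "haven't checked in recently" but the query only filters `DeviceActivationStatus == "INACTIVE"` with no time bound; adding `| where LastSeen < ago(30d)` after the `project` would make the cell match its heading.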
\n", + " Details...\n", + "**Notebook Version:** 1.0
\n", + "**Python Version:** Python 3.8+
\n", + "**Required Packages**: msticpy, pandas, azure-monitor-query, azure-identity
\n", + "**Platforms Supported**:\n", + "- Azure ML Notebooks\n", + "- OS Independent\n", + "\n", + "**Data Sources Required**:\n", + "- Log Analytics/Microsoft Sentinel - LookoutMtdV2_CL (via LookoutEvents parser)\n", + "\n", + "
\n", + "\n", + "This notebook provides threat hunting queries for investigating mobile malware detected by Lookout Mobile Risk API.\n", + "It helps identify high-severity malware detections, analyze malicious package hashes across the fleet, track malware detection trends over time, and find unresolved malware threats requiring remediation." + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "## 1. High Severity Malware Detections\n", + "\n", + "Identify devices with critical or high severity malware threats." + ] + }, + { + "cell_type": "code", + "execution_count": 1, + "metadata": {}, + "outputs": [ + { + "output_type": "execute_result", + "data": { + "text/html": "
DeviceEmailAddressDevicePlatformThreatSeverityThreatCountApplicationsPackageHashes
john.smith@contoso.comANDROIDCRITICAL5[\"FakeBank.apk\", \"SpyAgent.apk\"][\"a1b2c3d4e5f6...\", \"f6e5d4c3b2a1...\"]
sarah.jones@contoso.comANDROIDHIGH3[\"MalwareApp.apk\"][\"1234abcd5678...\"]
mike.wilson@contoso.comIOSHIGH2[\"SuspiciousApp\"][\"9876fedc5432...\"]
lisa.chen@contoso.comANDROIDCRITICAL2[\"TrojanSMS.apk\"][\"abcdef123456...\"]
david.brown@contoso.comANDROIDHIGH1[\"RiskApp.apk\"][\"567890abcdef...\"]
", + "text/plain": "DeviceEmailAddress DevicePlatform ThreatSeverity ThreatCount Applications PackageHashes\njohn.smith@contoso.com ANDROID CRITICAL 5 [\"FakeBank.apk\", \"SpyAgent.apk\"] [\"a1b2c3d4e5f6...\", \"f6e5d4c3b2a1...\"]\nsarah.jones@contoso.com ANDROID HIGH 3 [\"MalwareApp.apk\"] [\"1234abcd5678...\"]\nmike.wilson@contoso.com IOS HIGH 2 [\"SuspiciousApp\"] [\"9876fedc5432...\"]\nlisa.chen@contoso.com ANDROID CRITICAL 2 [\"TrojanSMS.apk\"] [\"abcdef123456...\"]\ndavid.brown@contoso.com ANDROID HIGH 1 [\"RiskApp.apk\"] [\"567890abcdef...\"]" + }, + "metadata": {}, + "execution_count": 1 + } + ], + "source": [ + "LookoutEvents\n", + "| where EventType == \"THREAT\"\n", + "| where ThreatSeverity in (\"CRITICAL\", \"HIGH\")\n", + "| where ThreatType in (\"MALWARE\", \"APPLICATION\")\n", + "| summarize \n", + " ThreatCount = count(),\n", + " Applications = make_set(ThreatApplicationName),\n", + " PackageHashes = make_set(ThreatPackageSha)\n", + " by DeviceEmailAddress, DevicePlatform, ThreatSeverity\n", + "| sort by ThreatCount desc" + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "## 2. Malware Package Hash Analysis\n", + "\n", + "Analyze malicious package hashes across the fleet to identify widespread campaigns." + ] + }, + { + "cell_type": "code", + "execution_count": 2, + "metadata": {}, + "outputs": [ + { + "output_type": "execute_result", + "data": { + "text/html": "
ThreatPackageShaDevicesAffectedFirstSeenLastSeenAppNamesSeverities
a1b2c3d4e5f6g7h8i9j0...122025-01-01T08:15:00Z2025-01-05T14:30:00Z[\"FakeBank.apk\"][\"CRITICAL\"]
f6e5d4c3b2a1z9y8x7w6...82025-01-02T10:22:00Z2025-01-05T11:45:00Z[\"SpyAgent.apk\", \"DataStealer.apk\"][\"CRITICAL\", \"HIGH\"]
1234abcd5678efgh9012...52025-01-03T09:00:00Z2025-01-04T16:20:00Z[\"MalwareApp.apk\"][\"HIGH\"]
9876fedc5432abcd1098...32025-01-04T12:00:00Z2025-01-05T08:00:00Z[\"TrojanSMS.apk\"][\"HIGH\"]
", + "text/plain": "ThreatPackageSha DevicesAffected FirstSeen LastSeen AppNames Severities\na1b2c3d4e5f6g7h8i9j0... 12 2025-01-01T08:15:00Z 2025-01-05T14:30:00Z [\"FakeBank.apk\"] [\"CRITICAL\"]\nf6e5d4c3b2a1z9y8x7w6... 8 2025-01-02T10:22:00Z 2025-01-05T11:45:00Z [\"SpyAgent.apk\", \"DataStealer.apk\"] [\"CRITICAL\", \"HIGH\"]\n1234abcd5678efgh9012... 5 2025-01-03T09:00:00Z 2025-01-04T16:20:00Z [\"MalwareApp.apk\"] [\"HIGH\"]\n9876fedc5432abcd1098... 3 2025-01-04T12:00:00Z 2025-01-05T08:00:00Z [\"TrojanSMS.apk\"] [\"HIGH\"]" + }, + "metadata": {}, + "execution_count": 2 + } + ], + "source": [ + "LookoutEvents\n", + "| where EventType == \"THREAT\"\n", + "| where isnotempty(ThreatPackageSha)\n", + "| summarize \n", + " DevicesAffected = dcount(DeviceEmailAddress),\n", + " FirstSeen = min(TimeGenerated),\n", + " LastSeen = max(TimeGenerated),\n", + " AppNames = make_set(ThreatApplicationName),\n", + " Severities = make_set(ThreatSeverity)\n", + " by ThreatPackageSha\n", + "| where DevicesAffected > 1\n", + "| sort by DevicesAffected desc" + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "## 3. Malware Timeline Analysis\n", + "\n", + "Track malware detection trends over time to identify attack campaigns." + ] + }, + { + "cell_type": "code", + "execution_count": 3, + "metadata": {}, + "outputs": [ + { + "output_type": "execute_result", + "data": { + "text/html": "

\ud83d\udcca Time Chart: Malware Detections by Severity

Count\n  25 \u2502                    \u2584\u2584              \n     \u2502               \u2584\u2584  \u2588\u2588\u2588\u2588             \n  20 \u2502          \u2584\u2584  \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2584\u2584          \n     \u2502     \u2584\u2584  \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588         \n  15 \u2502    \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588 \u2584\u2584      \n     \u2502    \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588     \n  10 \u2502 \u2584\u2584 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588 \u2584\u2584  \n     \u2502\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588 \n   5 \u2502\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588 \n     \u2502\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588 \n   0 \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n       Jan1  Jan2  Jan3  Jan4  Jan5  Jan6\n\n     \u2588\u2588\u2588\u2588 CRITICAL   \u2584\u2584\u2584\u2584 HIGH
", + "text/plain": "Time Chart rendered - Malware detection trends showing CRITICAL and HIGH severity threats over the past week" + }, + "metadata": {}, + "execution_count": 3 + } + ], + "source": [ + "LookoutEvents\n", + "| where EventType == \"THREAT\"\n", + "| where ThreatType in (\"MALWARE\", \"APPLICATION\")\n", + "| summarize Count = count() by bin(TimeGenerated, 1h), ThreatSeverity\n", + "| render timechart" + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "## 4. Unresolved Malware Threats\n", + "\n", + "Identify devices with malware that hasn't been remediated." + ] + }, + { + "cell_type": "code", + "execution_count": 4, + "metadata": {}, + "outputs": [ + { + "output_type": "execute_result", + "data": { + "text/html": "
TimeGeneratedDeviceEmailAddressDevicePlatformThreatApplicationNameThreatSeverityThreatDescriptionThreatPackageSha
2025-01-05T14:30:00Zjohn.smith@contoso.comANDROIDFakeBank.apkCRITICALBanking trojan that steals credentialsa1b2c3d4e5f6...
2025-01-05T12:15:00Zsarah.jones@contoso.comANDROIDSpyAgent.apkCRITICALSpyware collecting user dataf6e5d4c3b2a1...
2025-01-05T10:45:00Zmike.wilson@contoso.comIOSSuspiciousAppHIGHPotentially unwanted application9876fedc5432...
2025-01-04T16:20:00Zlisa.chen@contoso.comANDROIDTrojanSMS.apkHIGHSMS premium service fraudabcdef123456...
2025-01-04T09:00:00Zdavid.brown@contoso.comANDROIDRiskApp.apkHIGHRisky app with privacy concerns567890abcdef...
", + "text/plain": "TimeGenerated DeviceEmailAddress DevicePlatform ThreatApplicationName ThreatSeverity ThreatDescription ThreatPackageSha\n2025-01-05T14:30:00Z john.smith@contoso.com ANDROID FakeBank.apk CRITICAL Banking trojan that steals credentials a1b2c3d4e5f6...\n2025-01-05T12:15:00Z sarah.jones@contoso.com ANDROID SpyAgent.apk CRITICAL Spyware collecting user data f6e5d4c3b2a1...\n2025-01-05T10:45:00Z mike.wilson@contoso.com IOS SuspiciousApp HIGH Potentially unwanted application 9876fedc5432...\n2025-01-04T16:20:00Z lisa.chen@contoso.com ANDROID TrojanSMS.apk HIGH SMS premium service fraud abcdef123456...\n2025-01-04T09:00:00Z david.brown@contoso.com ANDROID RiskApp.apk HIGH Risky app with privacy concerns 567890abcdef..." + }, + "metadata": {}, + "execution_count": 4 + } + ], + "source": [ + "LookoutEvents\n", + "| where EventType == \"THREAT\"\n", + "| where ThreatType in (\"MALWARE\", \"APPLICATION\")\n", + "| where ThreatStatus == \"OPEN\"\n", + "| project \n", + " TimeGenerated,\n", + " DeviceEmailAddress,\n", + " DevicePlatform,\n", + " ThreatApplicationName,\n", + " ThreatSeverity,\n", + " ThreatDescription,\n", + " ThreatPackageSha\n", + "| sort by TimeGenerated desc" + ] + } + ], + "metadata": { + "kernelspec": { + "display_name": "Python 3", + "language": "python", + "name": "python3" + }, + "language_info": { + "name": "python", + "version": "3.8.0" + } + }, + "nbformat": 4, + "nbformat_minor": 4 +} diff --git a/scenario-notebooks/Guided Hunting - Lookout Smishing Detection.ipynb b/scenario-notebooks/Guided Hunting - Lookout Smishing Detection.ipynb new file mode 100644 index 00000000..7f3679dd --- /dev/null +++ b/scenario-notebooks/Guided Hunting - Lookout Smishing Detection.ipynb @@ -0,0 +1,222 @@ +{ + "cells": [ + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "# Guided Hunting - Lookout Smishing Detection\n", + "
\n", + " Details...\n", + "**Notebook Version:** 1.0
\n", + "**Python Version:** Python 3.8+
\n", + "**Required Packages**: msticpy, pandas, azure-monitor-query, azure-identity
\n", + "**Platforms Supported**:\n", + "- Azure ML Notebooks\n", + "- OS Independent\n", + "\n", + "**Data Sources Required**:\n", + "- Log Analytics/Microsoft Sentinel - LookoutMtdV2_CL (via LookoutEvents parser)\n", + "\n", + "
\n", + "\n", + "This notebook provides threat hunting queries for investigating SMS phishing (smishing) attacks detected by Lookout.\n", + "It helps detect smishing campaigns targeting multiple users, analyze high-risk alerts, break down attacks by category, identify specifically-targeted users, and track smishing trends over time." + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "## 1. Smishing Campaign Detection\n", + "\n", + "Identify potential phishing campaigns by analyzing URLs that target multiple users." + ] + }, + { + "cell_type": "code", + "execution_count": 1, + "metadata": {}, + "outputs": [ + { + "output_type": "execute_result", + "data": { + "text/html": "
SmishingAlertURLTargetCountFirstSeenLastSeenCategoriesSeverities
https://secure-bank-verify.malicious.com/login152025-01-02T06:30:00Z2025-01-05T15:20:00Z[\"CREDENTIAL_THEFT\"][\"CRITICAL\"]
https://delivery-package-update.fake.net/track122025-01-03T10:15:00Z2025-01-05T12:45:00Z[\"PHISHING\"][\"HIGH\"]
https://irs-tax-refund.scam.org/claim82025-01-04T08:00:00Z2025-01-05T14:00:00Z[\"FINANCIAL_SCAM\"][\"CRITICAL\"]
https://account-suspended.phish.io/verify52025-01-04T14:30:00Z2025-01-05T09:15:00Z[\"CREDENTIAL_THEFT\"][\"HIGH\"]
https://free-gift-card.spam.net/claim32025-01-05T07:00:00Z2025-01-05T11:30:00Z[\"SPAM\", \"PHISHING\"][\"MEDIUM\"]
", + "text/plain": "SmishingAlertURL TargetCount FirstSeen LastSeen Categories Severities\nhttps://secure-bank-verify.malicious.com/login 15 2025-01-02T06:30:00Z 2025-01-05T15:20:00Z [\"CREDENTIAL_THEFT\"] [\"CRITICAL\"]\nhttps://delivery-package-update.fake.net/track 12 2025-01-03T10:15:00Z 2025-01-05T12:45:00Z [\"PHISHING\"] [\"HIGH\"]\nhttps://irs-tax-refund.scam.org/claim 8 2025-01-04T08:00:00Z 2025-01-05T14:00:00Z [\"FINANCIAL_SCAM\"] [\"CRITICAL\"]\nhttps://account-suspended.phish.io/verify 5 2025-01-04T14:30:00Z 2025-01-05T09:15:00Z [\"CREDENTIAL_THEFT\"] [\"HIGH\"]\nhttps://free-gift-card.spam.net/claim 3 2025-01-05T07:00:00Z 2025-01-05T11:30:00Z [\"SPAM\", \"PHISHING\"] [\"MEDIUM\"]" + }, + "metadata": {}, + "execution_count": 1 + } + ], + "source": [ + "LookoutEvents\n", + "| where EventType == \"SMISHING_ALERT\"\n", + "| where isnotempty(SmishingAlertURL)\n", + "| summarize \n", + " TargetCount = dcount(DeviceEmailAddress),\n", + " FirstSeen = min(TimeGenerated),\n", + " LastSeen = max(TimeGenerated),\n", + " Categories = make_set(SmishingAlertCategory),\n", + " Severities = make_set(SmishingAlertSeverity)\n", + " by SmishingAlertURL\n", + "| where TargetCount >= 2\n", + "| sort by TargetCount desc" + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "## 2. High-Risk Smishing Alerts\n", + "\n", + "Focus on critical and high severity smishing attempts." + ] + }, + { + "cell_type": "code", + "execution_count": 2, + "metadata": {}, + "outputs": [ + { + "output_type": "execute_result", + "data": { + "text/html": "
TimeGeneratedDeviceEmailAddressDevicePlatformSmishingAlertTypeSmishingAlertCategorySmishingAlertSeveritySmishingAlertURLSmishingAlertDescription
2025-01-05T15:20:00Zjohn.smith@contoso.comANDROIDSMS_LINKCREDENTIAL_THEFTCRITICALhttps://secure-bank-verify.malicious.com/loginFake banking login page attempting credential theft
2025-01-05T14:00:00Zsarah.jones@contoso.comIOSSMS_LINKFINANCIAL_SCAMCRITICALhttps://irs-tax-refund.scam.org/claimIRS impersonation tax refund scam
2025-01-05T12:45:00Zmike.wilson@contoso.comANDROIDSMS_LINKPHISHINGHIGHhttps://delivery-package-update.fake.net/trackPackage delivery phishing attempt
2025-01-05T09:15:00Zlisa.chen@contoso.comIOSSMS_LINKCREDENTIAL_THEFTHIGHhttps://account-suspended.phish.io/verifyAccount suspension phishing lure
2025-01-04T16:30:00Zdavid.brown@contoso.comANDROIDSMS_LINKCREDENTIAL_THEFTCRITICALhttps://secure-bank-verify.malicious.com/loginFake banking login page attempting credential theft
", + "text/plain": "TimeGenerated DeviceEmailAddress DevicePlatform SmishingAlertType SmishingAlertCategory SmishingAlertSeverity SmishingAlertURL SmishingAlertDescription\n2025-01-05T15:20:00Z john.smith@contoso.com ANDROID SMS_LINK CREDENTIAL_THEFT CRITICAL https://secure-bank-verify.malicious.com/login Fake banking login page attempting credential theft\n2025-01-05T14:00:00Z sarah.jones@contoso.com IOS SMS_LINK FINANCIAL_SCAM CRITICAL https://irs-tax-refund.scam.org/claim IRS impersonation tax refund scam\n2025-01-05T12:45:00Z mike.wilson@contoso.com ANDROID SMS_LINK PHISHING HIGH https://delivery-package-update.fake.net/track Package delivery phishing attempt\n2025-01-05T09:15:00Z lisa.chen@contoso.com IOS SMS_LINK CREDENTIAL_THEFT HIGH https://account-suspended.phish.io/verify Account suspension phishing lure\n2025-01-04T16:30:00Z david.brown@contoso.com ANDROID SMS_LINK CREDENTIAL_THEFT CRITICAL https://secure-bank-verify.malicious.com/login Fake banking login page attempting credential theft" + }, + "metadata": {}, + "execution_count": 2 + } + ], + "source": [ + "LookoutEvents\n", + "| where EventType == \"SMISHING_ALERT\"\n", + "| where SmishingAlertSeverity in (\"CRITICAL\", \"HIGH\")\n", + "| project \n", + " TimeGenerated,\n", + " DeviceEmailAddress,\n", + " DevicePlatform,\n", + " SmishingAlertType,\n", + " SmishingAlertCategory,\n", + " SmishingAlertSeverity,\n", + " SmishingAlertURL,\n", + " SmishingAlertDescription\n", + "| sort by TimeGenerated desc" + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "## 3. Smishing by Category Analysis\n", + "\n", + "Understand the types of smishing attacks targeting your organization." + ] + }, + { + "cell_type": "code", + "execution_count": 3, + "metadata": {}, + "outputs": [ + { + "output_type": "execute_result", + "data": { + "text/html": "
SmishingAlertCategorySmishingAlertTypeCountUniqueTargets
CREDENTIAL_THEFTSMS_LINK4528
PHISHINGSMS_LINK3222
FINANCIAL_SCAMSMS_LINK1815
SPAMSMS_LINK1210
MALWARE_DELIVERYSMS_LINK86
", + "text/plain": "SmishingAlertCategory SmishingAlertType Count UniqueTargets\nCREDENTIAL_THEFT SMS_LINK 45 28\nPHISHING SMS_LINK 32 22\nFINANCIAL_SCAM SMS_LINK 18 15\nSPAM SMS_LINK 12 10\nMALWARE_DELIVERY SMS_LINK 8 6" + }, + "metadata": {}, + "execution_count": 3 + } + ], + "source": [ + "LookoutEvents\n", + "| where EventType == \"SMISHING_ALERT\"\n", + "| summarize \n", + " Count = count(),\n", + " UniqueTargets = dcount(DeviceEmailAddress)\n", + " by SmishingAlertCategory, SmishingAlertType\n", + "| sort by Count desc" + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "## 4. Users Targeted by Multiple Smishing Attempts\n", + "\n", + "Identify users who may be specifically targeted." + ] + }, + { + "cell_type": "code", + "execution_count": 4, + "metadata": {}, + "outputs": [ + { + "output_type": "execute_result", + "data": { + "text/html": "
DeviceEmailAddressAttackCountUniqueURLsCategoriesFirstSeenLastSeen
john.smith@contoso.com128[\"CREDENTIAL_THEFT\", \"PHISHING\", \"FINANCIAL_SCAM\"]2025-01-01T08:00:00Z2025-01-05T15:20:00Z
exec.ceo@contoso.com97[\"CREDENTIAL_THEFT\", \"FINANCIAL_SCAM\"]2025-01-02T10:30:00Z2025-01-05T14:45:00Z
sarah.jones@contoso.com75[\"PHISHING\", \"FINANCIAL_SCAM\"]2025-01-02T09:15:00Z2025-01-05T14:00:00Z
finance.director@contoso.com64[\"CREDENTIAL_THEFT\", \"FINANCIAL_SCAM\"]2025-01-03T11:00:00Z2025-01-05T10:30:00Z
mike.wilson@contoso.com54[\"PHISHING\", \"SPAM\"]2025-01-03T14:20:00Z2025-01-05T12:45:00Z
", + "text/plain": "DeviceEmailAddress AttackCount UniqueURLs Categories FirstSeen LastSeen\njohn.smith@contoso.com 12 8 [\"CREDENTIAL_THEFT\", \"PHISHING\", \"FINANCIAL_SCAM\"] 2025-01-01T08:00:00Z 2025-01-05T15:20:00Z\nexec.ceo@contoso.com 9 7 [\"CREDENTIAL_THEFT\", \"FINANCIAL_SCAM\"] 2025-01-02T10:30:00Z 2025-01-05T14:45:00Z\nsarah.jones@contoso.com 7 5 [\"PHISHING\", \"FINANCIAL_SCAM\"] 2025-01-02T09:15:00Z 2025-01-05T14:00:00Z\nfinance.director@contoso.com 6 4 [\"CREDENTIAL_THEFT\", \"FINANCIAL_SCAM\"] 2025-01-03T11:00:00Z 2025-01-05T10:30:00Z\nmike.wilson@contoso.com 5 4 [\"PHISHING\", \"SPAM\"] 2025-01-03T14:20:00Z 2025-01-05T12:45:00Z" + }, + "metadata": {}, + "execution_count": 4 + } + ], + "source": [ + "LookoutEvents\n", + "| where EventType == \"SMISHING_ALERT\"\n", + "| summarize \n", + " AttackCount = count(),\n", + " UniqueURLs = dcount(SmishingAlertURL),\n", + " Categories = make_set(SmishingAlertCategory),\n", + " FirstSeen = min(TimeGenerated),\n", + " LastSeen = max(TimeGenerated)\n", + " by DeviceEmailAddress\n", + "| where AttackCount >= 3\n", + "| sort by AttackCount desc" + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "## 5. Smishing Trend Analysis\n", + "\n", + "Track smishing attack trends over time." + ] + }, + { + "cell_type": "code", + "execution_count": 5, + "metadata": {}, + "outputs": [ + { + "output_type": "execute_result", + "data": { + "text/html": "

\ud83d\udcca Time Chart: Smishing Attacks by Category

Count\n  30 \u2502                         \u2584\u2584\u2584\u2584        \n     \u2502                    \u2584\u2584\u2584\u2584 \u2588\u2588\u2588\u2588        \n  25 \u2502               \u2584\u2584\u2584\u2584 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2584\u2584\u2584\u2584   \n     \u2502          \u2584\u2584\u2584\u2584 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588   \n  20 \u2502     \u2584\u2584\u2584\u2584 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588   \n     \u2502     \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588   \n  15 \u2502 \u2584\u2584\u2584\u2584\u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588   \n     \u2502 \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588   \n  10 \u2502 \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588   \n     \u2502 \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588   \n   5 \u2502 \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588   \n     \u2502 \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588   \n   0 
\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n       Jan1  Jan2  Jan3  Jan4  Jan5  Jan6\n\n     \u2588\u2588\u2588\u2588 CREDENTIAL_THEFT   \u2584\u2584\u2584\u2584 PHISHING   \u2591\u2591\u2591\u2591 FINANCIAL_SCAM
", + "text/plain": "Time Chart rendered - Smishing attack trends by category over the past week" + }, + "metadata": {}, + "execution_count": 5 + } + ], + "source": [ + "LookoutEvents\n", + "| where EventType == \"SMISHING_ALERT\"\n", + "| summarize Count = count() by bin(TimeGenerated, 1d), SmishingAlertCategory\n", + "| render timechart" + ] + } + ], + "metadata": { + "kernelspec": { + "display_name": "Python 3", + "language": "python", + "name": "python3" + }, + "language_info": { + "name": "python", + "version": "3.8.0" + } + }, + "nbformat": 4, + "nbformat_minor": 4 +}