@@ -0,0 +1,250 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Guided Hunting - Lookout Audit and Insider Threat\n",
"<details>\n",
" <summary><u>Details...</u></summary>\n",
"**Notebook Version:** 1.0<br>\n",
"**Python Version:** Python 3.8+<br>\n",
"**Required Packages**: msticpy, pandas, azure-monitor-query, azure-identity<br>\n",
"**Platforms Supported**:\n",
"- Azure ML Notebooks\n",
"- OS Independent\n",
"\n",
"**Data Sources Required**:\n",
"- Log Analytics/Microsoft Sentinel - LookoutMtdV2_CL (via LookoutEvents parser)\n",
"\n",
"</details>\n",
"\n",
"This notebook provides threat hunting queries for investigating administrative actions and potential insider threats in the Lookout console.\n",
"It helps review administrative actions, track policy changes, identify unusual admin activity patterns, monitor device deactivations, and compare system versus user action volumes."
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## 1. Administrative Actions Overview\n",
"\n",
"Review all administrative actions in the Lookout console."
]
},
{
"cell_type": "code",
"execution_count": 1,
"metadata": {},
"outputs": [
{
"output_type": "execute_result",
"data": {
"text/html": "<table><thead><tr><th>ActorGuid</th><th>ActorType</th><th>ActionCount</th><th>ActionTypes</th></tr></thead><tbody><tr><td>admin-001-guid-abcd-1234</td><td>ADMIN_USER</td><td>156</td><td>[\"LOGIN\", \"POLICY_UPDATE\", \"USER_CREATE\", \"CONFIG_CHANGE\"]</td></tr><tr><td>admin-002-guid-efgh-5678</td><td>ADMIN_USER</td><td>89</td><td>[\"LOGIN\", \"DEVICE_DEACTIVATE\", \"REPORT_GENERATE\"]</td></tr><tr><td>system-001-guid-ijkl-9012</td><td>SYSTEM</td><td>2450</td><td>[\"AUTO_SCAN\", \"THREAT_DETECT\", \"SYNC\"]</td></tr><tr><td>admin-003-guid-mnop-3456</td><td>ADMIN_USER</td><td>45</td><td>[\"LOGIN\", \"USER_DELETE\", \"POLICY_VIEW\"]</td></tr><tr><td>api-001-guid-qrst-7890</td><td>API_SERVICE</td><td>1823</td><td>[\"DATA_EXPORT\", \"SYNC\", \"QUERY\"]</td></tr></tbody></table>",
"text/plain": "ActorGuid ActorType ActionCount ActionTypes\nadmin-001-guid-abcd-1234 ADMIN_USER 156 [\"LOGIN\", \"POLICY_UPDATE\", \"USER_CREATE\", \"CONFIG_CHANGE\"]\nadmin-002-guid-efgh-5678 ADMIN_USER 89 [\"LOGIN\", \"DEVICE_DEACTIVATE\", \"REPORT_GENERATE\"]\nsystem-001-guid-ijkl-9012 SYSTEM 2450 [\"AUTO_SCAN\", \"THREAT_DETECT\", \"SYNC\"]\nadmin-003-guid-mnop-3456 ADMIN_USER 45 [\"LOGIN\", \"USER_DELETE\", \"POLICY_VIEW\"]\napi-001-guid-qrst-7890 API_SERVICE 1823 [\"DATA_EXPORT\", \"SYNC\", \"QUERY\"]"
},
"metadata": {},
"execution_count": 1
}
],
"source": [
"LookoutEvents\n",
"| where EventType == \"AUDIT\"\n",
"| summarize \n",
" ActionCount = count(),\n",
" ActionTypes = make_set(AuditType)\n",
" by ActorGuid, ActorType\n",
"| sort by ActionCount desc"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## 2. Policy Changes\n",
"\n",
"Track changes to security policies that could weaken defenses."
]
},
{
"cell_type": "code",
"execution_count": 2,
"metadata": {},
"outputs": [
{
"output_type": "execute_result",
"data": {
"text/html": "<table><thead><tr><th>TimeGenerated</th><th>ActorGuid</th><th>ActorType</th><th>AuditType</th><th>AuditAttributeChanges</th><th>TargetType</th><th>TargetGuid</th></tr></thead><tbody><tr><td>2025-01-05T14:30:00Z</td><td>admin-001-guid-abcd-1234</td><td>ADMIN_USER</td><td>POLICY_UPDATE</td><td>{\"malwareDetection\": \"enabled->disabled\"}</td><td>SECURITY_POLICY</td><td>policy-mobile-001</td></tr><tr><td>2025-01-05T11:15:00Z</td><td>admin-001-guid-abcd-1234</td><td>ADMIN_USER</td><td>CONFIG_CHANGE</td><td>{\"alertThreshold\": \"HIGH->CRITICAL\"}</td><td>ALERT_CONFIG</td><td>config-alert-001</td></tr><tr><td>2025-01-04T16:45:00Z</td><td>admin-002-guid-efgh-5678</td><td>ADMIN_USER</td><td>POLICY_UPDATE</td><td>{\"complianceCheck\": \"strict->relaxed\"}</td><td>COMPLIANCE_POLICY</td><td>policy-compliance-002</td></tr><tr><td>2025-01-04T09:30:00Z</td><td>admin-001-guid-abcd-1234</td><td>ADMIN_USER</td><td>SETTING_CHANGE</td><td>{\"dataRetention\": \"90days->30days\"}</td><td>SYSTEM_SETTING</td><td>setting-retention-001</td></tr><tr><td>2025-01-03T13:00:00Z</td><td>admin-003-guid-mnop-3456</td><td>ADMIN_USER</td><td>POLICY_CREATE</td><td>{\"name\": \"New BYOD Policy\"}</td><td>SECURITY_POLICY</td><td>policy-byod-003</td></tr></tbody></table>",
"text/plain": "TimeGenerated ActorGuid ActorType AuditType AuditAttributeChanges TargetType TargetGuid\n2025-01-05T14:30:00Z admin-001-guid-abcd-1234 ADMIN_USER POLICY_UPDATE {\"malwareDetection\": \"enabled->disabled\"} SECURITY_POLICY policy-mobile-001\n2025-01-05T11:15:00Z admin-001-guid-abcd-1234 ADMIN_USER CONFIG_CHANGE {\"alertThreshold\": \"HIGH->CRITICAL\"} ALERT_CONFIG config-alert-001\n2025-01-04T16:45:00Z admin-002-guid-efgh-5678 ADMIN_USER POLICY_UPDATE {\"complianceCheck\": \"strict->relaxed\"} COMPLIANCE_POLICY policy-compliance-002\n2025-01-04T09:30:00Z admin-001-guid-abcd-1234 ADMIN_USER SETTING_CHANGE {\"dataRetention\": \"90days->30days\"} SYSTEM_SETTING setting-retention-001\n2025-01-03T13:00:00Z admin-003-guid-mnop-3456 ADMIN_USER POLICY_CREATE {\"name\": \"New BYOD Policy\"} SECURITY_POLICY policy-byod-003"
},
"metadata": {},
"execution_count": 2
}
],
"source": [
"LookoutEvents\n",
"| where EventType == \"AUDIT\"\n",
"| where AuditType has_any (\"POLICY\", \"CONFIG\", \"SETTING\")\n",
"| project \n",
" TimeGenerated,\n",
" ActorGuid,\n",
" ActorType,\n",
" AuditType,\n",
" AuditAttributeChanges,\n",
" TargetType,\n",
" TargetGuid\n",
"| sort by TimeGenerated desc"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## 3. Unusual Admin Activity Patterns\n",
"\n",
"Identify administrators with unusual activity volumes."
]
},
{
"cell_type": "code",
"execution_count": 3,
"metadata": {},
"outputs": [
{
"output_type": "execute_result",
"data": {
"text/html": "<table><thead><tr><th>ActorGuid</th><th>TimeGenerated</th><th>DailyActions</th><th>ActionTypes</th></tr></thead><tbody><tr><td>admin-001-guid-abcd-1234</td><td>2025-01-05T00:00:00Z</td><td>47</td><td>[\"LOGIN\", \"POLICY_UPDATE\", \"USER_DELETE\", \"CONFIG_CHANGE\", \"DEVICE_DEACTIVATE\"]</td></tr><tr><td>admin-001-guid-abcd-1234</td><td>2025-01-04T00:00:00Z</td><td>32</td><td>[\"LOGIN\", \"POLICY_UPDATE\", \"SETTING_CHANGE\"]</td></tr><tr><td>admin-002-guid-efgh-5678</td><td>2025-01-05T00:00:00Z</td><td>28</td><td>[\"LOGIN\", \"DEVICE_DEACTIVATE\", \"REPORT_GENERATE\", \"USER_VIEW\"]</td></tr><tr><td>admin-003-guid-mnop-3456</td><td>2025-01-03T00:00:00Z</td><td>18</td><td>[\"LOGIN\", \"POLICY_CREATE\", \"USER_CREATE\"]</td></tr><tr><td>admin-002-guid-efgh-5678</td><td>2025-01-02T00:00:00Z</td><td>15</td><td>[\"LOGIN\", \"REPORT_GENERATE\"]</td></tr></tbody></table>",
"text/plain": "ActorGuid TimeGenerated DailyActions ActionTypes\nadmin-001-guid-abcd-1234 2025-01-05T00:00:00Z 47 [\"LOGIN\", \"POLICY_UPDATE\", \"USER_DELETE\", \"CONFIG_CHANGE\", \"DEVICE_DEACTIVATE\"]\nadmin-001-guid-abcd-1234 2025-01-04T00:00:00Z 32 [\"LOGIN\", \"POLICY_UPDATE\", \"SETTING_CHANGE\"]\nadmin-002-guid-efgh-5678 2025-01-05T00:00:00Z 28 [\"LOGIN\", \"DEVICE_DEACTIVATE\", \"REPORT_GENERATE\", \"USER_VIEW\"]\nadmin-003-guid-mnop-3456 2025-01-03T00:00:00Z 18 [\"LOGIN\", \"POLICY_CREATE\", \"USER_CREATE\"]\nadmin-002-guid-efgh-5678 2025-01-02T00:00:00Z 15 [\"LOGIN\", \"REPORT_GENERATE\"]"
},
"metadata": {},
"execution_count": 3
}
],
"source": [
"LookoutEvents\n",
"| where EventType == \"AUDIT\"\n",
"| where ActorType in (\"ADMIN_USER\", \"USER\")\n",
"| summarize \n",
" DailyActions = count(),\n",
" ActionTypes = make_set(AuditType)\n",
" by ActorGuid, bin(TimeGenerated, 1d)\n",
"| where DailyActions > 10\n",
"| sort by DailyActions desc"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## 4. Device Deactivations\n",
"\n",
"Monitor device deactivation events that could indicate cleanup of compromised devices."
]
},
{
"cell_type": "code",
"execution_count": 4,
"metadata": {},
"outputs": [
{
"output_type": "execute_result",
"data": {
"text/html": "<table><thead><tr><th>TimeGenerated</th><th>ActorGuid</th><th>ActorType</th><th>AuditType</th><th>TargetType</th><th>TargetGuid</th><th>TargetEmailAddress</th></tr></thead><tbody><tr><td>2025-01-05T15:45:00Z</td><td>admin-001-guid-abcd-1234</td><td>ADMIN_USER</td><td>DEVICE_DEACTIVATE</td><td>DEVICE</td><td>device-001-compromised</td><td>john.smith@contoso.com</td></tr><tr><td>2025-01-05T14:20:00Z</td><td>admin-002-guid-efgh-5678</td><td>ADMIN_USER</td><td>DEVICE_DELETE</td><td>DEVICE</td><td>device-002-lost</td><td>sarah.jones@contoso.com</td></tr><tr><td>2025-01-05T11:30:00Z</td><td>admin-001-guid-abcd-1234</td><td>ADMIN_USER</td><td>USER_REMOVE</td><td>USER</td><td>user-former-employee</td><td>former.employee@contoso.com</td></tr><tr><td>2025-01-04T16:00:00Z</td><td>admin-002-guid-efgh-5678</td><td>ADMIN_USER</td><td>DEVICE_DEACTIVATE</td><td>DEVICE</td><td>device-003-old</td><td>retired.user@contoso.com</td></tr><tr><td>2025-01-04T10:15:00Z</td><td>admin-003-guid-mnop-3456</td><td>ADMIN_USER</td><td>DEVICE_DELETE</td><td>DEVICE</td><td>device-004-replaced</td><td>mike.wilson@contoso.com</td></tr></tbody></table>",
"text/plain": "TimeGenerated ActorGuid ActorType AuditType TargetType TargetGuid TargetEmailAddress\n2025-01-05T15:45:00Z admin-001-guid-abcd-1234 ADMIN_USER DEVICE_DEACTIVATE DEVICE device-001-compromised john.smith@contoso.com\n2025-01-05T14:20:00Z admin-002-guid-efgh-5678 ADMIN_USER DEVICE_DELETE DEVICE device-002-lost sarah.jones@contoso.com\n2025-01-05T11:30:00Z admin-001-guid-abcd-1234 ADMIN_USER USER_REMOVE USER user-former-employee former.employee@contoso.com\n2025-01-04T16:00:00Z admin-002-guid-efgh-5678 ADMIN_USER DEVICE_DEACTIVATE DEVICE device-003-old retired.user@contoso.com\n2025-01-04T10:15:00Z admin-003-guid-mnop-3456 ADMIN_USER DEVICE_DELETE DEVICE device-004-replaced mike.wilson@contoso.com"
},
"metadata": {},
"execution_count": 4
}
],
"source": [
"LookoutEvents\n",
"| where EventType == \"AUDIT\"\n",
"| where AuditType has_any (\"DEACTIVATE\", \"DELETE\", \"REMOVE\")\n",
"| project \n",
" TimeGenerated,\n",
" ActorGuid,\n",
" ActorType,\n",
" AuditType,\n",
" TargetType,\n",
" TargetGuid,\n",
" TargetEmailAddress\n",
"| sort by TimeGenerated desc"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## 5. Audit Activity Timeline\n",
"\n",
"Visualize administrative activity over time."
]
},
{
"cell_type": "code",
"execution_count": 5,
"metadata": {},
"outputs": [
{
"output_type": "execute_result",
"data": {
"text/html": "<div style='padding:20px;background:#f8f9fa;border-radius:8px;'><p style='color:#666;font-style:italic;'>\ud83d\udcca Time Chart: Audit Activity by Type</p><pre style='font-family:monospace;color:#333;'>Count\n 50 \u2502 \u2584\u2584\u2584\u2584 \n \u2502 \u2584\u2584\u2584\u2584 \u2588\u2588\u2588\u2588 \n 40 \u2502 \u2584\u2584\u2584\u2584 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \n \u2502 \u2584\u2584\u2584\u2584 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \n 30 \u2502 \u2584\u2584\u2584\u2584 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \n \u2502 \u2584\u2584\u2584\u2584 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \n 20 \u2502 \u2584\u2584\u2584\u2584\u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \n \u2502 \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \n 10 \u2502 \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \n \u2502 \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \n 0 \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n Jan1 Jan2 Jan3 Jan4 Jan5 Jan6\n\n \u2588\u2588\u2588\u2588 LOGIN \u2584\u2584\u2584\u2584 POLICY_UPDATE \u2591\u2591\u2591\u2591 CONFIG_CHANGE</pre></div>",
"text/plain": "Time Chart rendered - Audit activity trends showing LOGIN, POLICY_UPDATE, and CONFIG_CHANGE events over time"
},
"metadata": {},
"execution_count": 5
}
],
"source": [
"LookoutEvents\n",
"| where EventType == \"AUDIT\"\n",
"| summarize Count = count() by bin(TimeGenerated, 1h), AuditType\n",
"| render timechart"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## 6. System vs User Actions\n",
"\n",
"Compare automated system actions versus manual user actions."
]
},
{
"cell_type": "code",
"execution_count": 6,
"metadata": {},
"outputs": [
{
"output_type": "execute_result",
"data": {
"text/html": "<div style='padding:20px;background:#f8f9fa;border-radius:8px;'><p style='color:#666;font-style:italic;'>\ud83d\udcca Pie Chart: Actions by Actor Type</p><pre style='font-family:monospace;color:#333;'> \u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\n \u2584\u2584\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2584\u2584\n \u2584\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2584\n \u2584\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2584\n \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2580\u2580\u2580\u2580\u2580\u2580\u2580\u2580\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2580 \u2580\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588 SYSTEM \u2588\u2588\u2588\u2588\u2588\u2588 ADMIN \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n \u2588\u2588\u2588\u2588\u2588\u2588\u2588 (55%) \u2588\u2588\u2588\u2588\u2588 USER \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588\u2588\u2588 (28%) \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588 
\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2584 API \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n \u2580\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588 (17%) \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2580\n \u2580\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2580\n \u2580\u2580\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2580\u2580\n \u2580\u2580\u2580\u2580\u2580\u2580\u2580\u2580\u2580\u2580\u2580\u2580\u2580\u2580\u2580\u2580\u2580\n\n Action Distribution:\n \u25cf SYSTEM: 2,450 actions (55%)\n \u25cf ADMIN_USER: 1,250 actions (28%)\n \u25cf API_SERVICE: 750 actions (17%)</pre></div>",
"text/plain": "Pie Chart rendered - Distribution of actions showing SYSTEM (55%), ADMIN_USER (28%), and API_SERVICE (17%)"
},
"metadata": {},
"execution_count": 6
}
],
"source": [
"LookoutEvents\n",
"| where EventType == \"AUDIT\"\n",
"| summarize Count = count() by ActorType\n",
"| render piechart"
]
}
],
"metadata": {
"kernelspec": {
"display_name": "Python 3",
"language": "python",
"name": "python3"
},
"language_info": {
"name": "python",
"version": "3.8.0"
}
},
"nbformat": 4,
"nbformat_minor": 4
}
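Review bot: the code cells contain raw KQL (`LookoutEvents | where EventType == "AUDIT" ...`) while the notebook metadata declares a Python kernel (`"kernelspec": { ... "name": "python3" }`), so executing cell 1 as committed will fail with a SyntaxError instead of querying anything; since `msticpy` and `azure-monitor-query` are listed under Required Packages, add a setup cell that authenticates and connects to the workspace (for example a `QueryProvider("MSSentinel")` followed by `connect(...)`) and run each query through `exec_query`, or switch the cells to the `%%kql` cell magic, and say which in the Details block so the "Azure ML Notebooks" platform claim is actually true. Section 3 flags actors with the fixed `| where DailyActions > 10`; without a per-actor baseline a routinely busy admin appears every day and a low-volume admin performing a single `USER_DELETE` or `POLICY_UPDATE` never does, so either expose the threshold as a parameter or compare each day against that actor's trailing average. The filters `AuditType has_any ("POLICY", "CONFIG", "SETTING")` and `has_any ("DEACTIVATE", "DELETE", "REMOVE")` rely on term matching inside values such as `POLICY_UPDATE` and `DEVICE_DEACTIVATE`; confirm this against real `LookoutMtdV2_CL` data, or list the full AuditType values, so the sections do not silently return empty results. Lastly, the committed `outputs` carry sample tables with email addresses and fixed `execution_count` values; clear outputs before merging so reviewers see only the queries and the notebook stays diff-friendly.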