Jupyter Notebooks

Powerful threat hunting and investigation with Jupyter notebooks.

Last updated 1 year ago

Using the Scanner Python SDK within Jupyter notebooks, you can perform powerful analysis and generate visualizations for threat hunting and incident response.

Example use cases

Here are some examples of the kinds of threat activity that our users investigate with Jupyter notebooks and our SDK.

Threat Hunting

  • Unusual API Activity: Check for unexpected spikes or unusual patterns in API usage that could suggest unauthorized access or actions. This includes activities like unusual login attempts (especially from unfamiliar IP addresses or geographies), changes in IAM user permissions, or unexpected resource launches.

  • Privilege Escalation Attempts: Teams often look for any evidence of attempts to modify roles or policies to escalate privileges. This includes creating or modifying IAM roles and policies, or attaching policies to existing roles that grant higher privileges than usual.

  • Resource Deletion or Termination: Monitoring for the deletion of logs, object storage buckets, cloud compute instances, or other resources, which could be an attempt to hide unauthorized activity or to prepare for an attack by disabling security controls.

  • Suspicious Cross-Account Activity: Looking for activity where resources are being accessed or manipulated across cloud accounts in an unauthorized or unexpected manner, especially if those accounts are not commonly interlinked.

  • Access from Unauthorized or Risky Locations: Identifying access attempts from geographic locations that are not recognized as typical for the organization, which might suggest compromised credentials.

  • Use of Previously Unused or Rare AWS Services: Threat actors might experiment with less commonly used cloud services to explore or exploit resources unnoticed. Monitoring for first-time usage or infrequent service interactions can be crucial.

  • Failed Security Controls Changes: Investigating any failed attempts to change security groups, network ACLs, or other security-related configurations, as these might be signs of an attacker probing for weaknesses.

Incident Response

  • Compromised User Credentials: If there is an indication that user credentials have been compromised, CloudTrail logs can be used to trace the actions performed by the compromised accounts. This includes logins, resources accessed, data downloaded, or settings changed. The aim is to determine the extent of the breach and to mitigate further unauthorized access.

  • Unauthorized Resource Manipulation: In cases where there are unauthorized changes to critical resources (like security groups, EC2 instances, RDS databases), CloudTrail logs help in identifying when the changes were made, who made them, and what exactly was changed. This helps in quickly reverting changes and securing the resources.

  • Detection of Insider Threats: Incident response may involve investigations into suspicious activities that suggest insider threats. Cloud audit logs can be used to monitor and review actions taken by employees, especially those involving sensitive data or critical configurations.

  • Analysis of Data Exfiltration Attempts: Cloud audit logs can be analyzed to check for large volumes of data access from services like S3 or unusual access patterns, such as accessing data from IPs that do not belong to the organization, or at odd hours.

  • Evaluation of Response and Mitigation Actions: Post-incident, it's important to evaluate the effectiveness of the response actions. Cloud audit logs can be used to verify that all unauthorized changes were rolled back, compromised accounts were disabled, and that new security measures were implemented correctly.
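As an added example (not code from the Scanner docs or SDK, whose query API this page does not show), the Python below encodes several of the threat-hunting patterns above, plus the per-principal timeline the incident-response cases rely on, as plain functions over CloudTrail-shaped records; the events, account ids, IPs and ARNs are constructed sample data, and the event-name sets are a hypothetical starting list, not a complete catalogue.

```python
"""Hunt rules and a principal timeline over CloudTrail-style events (constructed sample data)."""

def ev(time, source, name, arn, acct, ip, **extra):
    """Build a minimal CloudTrail-shaped record (constructed, not real log data)."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": {"arn": arn, "accountId": acct}, "recipientAccountId": acct,
            "sourceIPAddress": ip, **extra}

ALICE = "arn:aws:iam::111111111111:user/alice"  # constructed principal
EVENTS = [  # constructed sample events, oldest first
    ev("2024-03-01T08:00:00Z", "sts.amazonaws.com", "GetCallerIdentity", ALICE, "111111111111", "203.0.113.10"),
    ev("2024-03-01T08:01:00Z", "iam.amazonaws.com", "AttachRolePolicy", ALICE, "111111111111", "203.0.113.10",
       requestParameters={"roleName": "app-role", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}),
    ev("2024-03-01T08:02:00Z", "cloudtrail.amazonaws.com", "StopLogging", ALICE, "111111111111", "203.0.113.10",
       requestParameters={"name": "org-trail"}),
    ev("2024-03-01T08:03:00Z", "ec2.amazonaws.com", "AuthorizeSecurityGroupIngress", ALICE, "111111111111",
       "203.0.113.10", errorCode="Client.UnauthorizedOperation"),
    ev("2024-03-01T08:04:00Z", "s3.amazonaws.com", "GetObject", ALICE, "111111111111", "203.0.113.10",
       recipientAccountId="222222222222"),
    ev("2024-03-01T08:05:00Z", "macie2.amazonaws.com", "ListFindings", ALICE, "111111111111", "203.0.113.10"),
]

# Hypothetical starting lists; tune them to your environment.
PRIV_ESC = {"AttachRolePolicy", "PutRolePolicy", "AttachUserPolicy", "PutUserPolicy", "CreatePolicyVersion"}
CONTROL_TAMPER = {"StopLogging", "DeleteTrail", "DeleteBucket", "DeleteFlowLogs", "TerminateInstances"}
SECURITY_CONFIG = {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress", "CreateNetworkAclEntry"}
BASELINE_SERVICES = {"sts.amazonaws.com", "iam.amazonaws.com", "ec2.amazonaws.com", "s3.amazonaws.com",
                     "cloudtrail.amazonaws.com"}

def hunt(events, baseline_services=BASELINE_SERVICES):
    """Return (category, principal, eventName, detail) tuples for the hunts listed on this page."""
    findings = []
    for e in events:
        name, src, params = e["eventName"], e["eventSource"], e.get("requestParameters", {})
        who = e["userIdentity"]["arn"]
        if name in PRIV_ESC:  # IAM role/policy changes that can grant higher privileges
            findings.append(("privilege_escalation", who, name, params.get("policyArn")))
        if name in CONTROL_TAMPER:  # log/resource deletion that blinds security controls
            findings.append(("security_control_disabled", who, name, params.get("name")))
        if name in SECURITY_CONFIG and e.get("errorCode"):  # denied security-config changes
            findings.append(("failed_security_change", who, name, e["errorCode"]))
        if e["recipientAccountId"] != e["userIdentity"]["accountId"]:  # caller and target account differ
            findings.append(("cross_account", who, name, e["recipientAccountId"]))
        if src not in baseline_services:  # first-time or rarely used service
            findings.append(("rare_service", who, name, src))
    return findings

def principal_timeline(events, principal_arn):
    """Incident response: what a suspected-compromised principal did, in time order, with outcome."""
    return sorted((e["eventTime"], e["eventName"], e.get("errorCode", "Success"))
                  for e in events if e["userIdentity"]["arn"] == principal_arn)
```

In a notebook the `EVENTS` list would be replaced by the records returned from a query over your CloudTrail index, and the timeline is the first thing to pull for each principal the hunt flags.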

Use Jupyter notebooks with the Scanner SDK for powerful analysis and visualizations