{
"version" : "Notebook/1.0" ,
"items" : [
{
"type" : 1 ,
"content" : {
"json" : "## Application gateway firewall events\r\n\r\nReads Application Gateway WAF records (`AzureDiagnostics`, `OperationName == \"ApplicationGatewayFirewall\"`) from the selected Log Analytics workspace, so WAF diagnostic logging must be enabled on the gateways and routed to that workspace. Note that `action_s == \"Detected\"` rows come from detection mode and were not blocked."
} ,
"name" : "text - 10"
} ,
{
"type" : 9 ,
"content" : {
"version" : "KqlParameterItem/1.0" ,
"query" : "" ,
"crossComponentResources" : [ ] ,
"parameters" : [
{
"id" : "49e2f511-592f-4d7f-8fda-d686803f3dbf" ,
"version" : "KqlParameterItem/1.0" ,
"name" : "TimeRange" ,
"type" : 4 ,
"isRequired" : true ,
"value" : {
"durationMs" : 2592000000
} ,
"typeSettings" : {
"selectableValues" : [
{
"durationMs" : 300000
} ,
{
"durationMs" : 900000
} ,
{
"durationMs" : 1800000
} ,
{
"durationMs" : 3600000
} ,
{
"durationMs" : 14400000
} ,
{
"durationMs" : 43200000
} ,
{
"durationMs" : 86400000
} ,
{
"durationMs" : 172800000
} ,
{
"durationMs" : 259200000
} ,
{
"durationMs" : 604800000
} ,
{
"durationMs" : 1209600000
} ,
{
"durationMs" : 2419200000
} ,
{
"durationMs" : 2592000000
} ,
{
"durationMs" : 5184000000
} ,
{
"durationMs" : 7776000000
}
] ,
"allowCustom" : true
}
} ,
{
"id" : "d54c1639-d46c-4655-9d76-d5416926a453" ,
"version" : "KqlParameterItem/1.0" ,
"name" : "WAF" ,
"type" : 2 ,
"isRequired" : true ,
"multiSelect" : true ,
"quote" : "'" ,
"delimiter" : "," ,
"query" : "AzureDiagnostics\r\n| where ResourceType == \"APPLICATIONGATEWAYS\"\r\n| summarize Count=count() by Resource\r\n| order by Count desc, Resource asc\r\n| project Value = Resource, Lable = strcat(Resource, \" - \", Count)" ,
"value" : [
"value::all"
] ,
"typeSettings" : {
"additionalResourceOptions" : [
"value::all"
] ,
"selectAllValue" : "All"
} ,
"queryType" : 0 ,
"resourceType" : "microsoft.operationalinsights/workspaces"
}
] ,
"style" : "pills" ,
"queryType" : 0 ,
"resourceType" : "microsoft.operationalinsights/workspaces"
} ,
"name" : "parameters - 2"
} ,
{
"type" : 3 ,
"content" : {
"version" : "KqlItem/1.0" ,
"query" : "AzureDiagnostics\r\n| where ResourceType == \"APPLICATIONGATEWAYS\" and (\"{WAF:lable}\" == \"All\" or Resource in ({WAF}))\r\n| where OperationName == \"ApplicationGatewayFirewall\"\r\n| where action_s == \"Blocked\" or action_s == \"Detected\" \r\n| summarize count() by requestUri_s \r\n| top 10 by count_ desc " ,
"size" : 0 ,
"exportToExcelOptions" : "visible" ,
"title" : "Top 10 request URIs with WAF matches (Blocked or Detected)" ,
"timeContext" : {
"durationMs" : 0
} ,
"timeContextFromParameter" : "TimeRange" ,
"queryType" : 0 ,
"resourceType" : "microsoft.operationalinsights/workspaces" ,
"visualization" : "piechart"
} ,
"customWidth" : "30" ,
"name" : "query - 9"
} ,
{
"type" : 3 ,
"content" : {
"version" : "KqlItem/1.0" ,
"query" : "AzureDiagnostics\r\n| where ResourceType == \"APPLICATIONGATEWAYS\" and (\"{WAF:lable}\" == \"All\" or Resource in ({WAF}))\r\n| where OperationName == \"ApplicationGatewayFirewall\"\r\n| summarize number = count() by action_s" ,
"size" : 0 ,
"exportToExcelOptions" : "visible" ,
"title" : "WAF actions" ,
"timeContext" : {
"durationMs" : 0
} ,
"timeContextFromParameter" : "TimeRange" ,
"queryType" : 0 ,
"resourceType" : "microsoft.operationalinsights/workspaces" ,
"visualization" : "piechart"
} ,
"customWidth" : "30" ,
"name" : "query - 11"
} ,
{
"type" : 3 ,
"content" : {
"version" : "KqlItem/1.0" ,
"query" : "AzureDiagnostics\r\n| where (\"{WAF:lable}\" == \"All\" or Resource in ({WAF}))\r\n| where ResourceType == \"APPLICATIONGATEWAYS\"\r\n| where OperationName == \"ApplicationGatewayFirewall\" \r\n| summarize number = count() by instanceId_s, TimeGenerated\r\n| where instanceId_s contains \"role\"\r\n| extend roulenumber = extract(\"ApplicationGateway([a-zA-Z_a-zA-Z_0-9]*)\", 1, instanceId_s) \r\n| project roulenumber , number , TimeGenerated \r\n" ,
"size" : 0 ,
"exportToExcelOptions" : "visible" ,
"title" : "Role use, by time" ,
"timeContext" : {
"durationMs" : 0
} ,
"timeContextFromParameter" : "TimeRange" ,
"queryType" : 0 ,
"resourceType" : "microsoft.operationalinsights/workspaces" ,
"visualization" : "linechart"
} ,
"customWidth" : "40" ,
"name" : "query - 8"
} ,
{
"type" : 3 ,
"content" : {
"version" : "KqlItem/1.0" ,
"query" : "AzureDiagnostics\r\n| where \"{WAF:lable}\" == \"All\" or Resource in ({WAF})\r\n| where ResourceType == \"APPLICATIONGATEWAYS\"\r\n| where OperationName == \"ApplicationGatewayFirewall\"\r\n| summarize count() by Message\r\n| top 10 by count_ \r\n" ,
"size" : 0 ,
"exportFieldName" : "Message" ,
"exportParameterName" : "Selected" ,
"exportDefaultValue" : "*" ,
"exportToExcelOptions" : "visible" ,
"title" : "Event trigger" ,
"timeContext" : {
"durationMs" : 0
} ,
"timeContextFromParameter" : "TimeRange" ,
"queryType" : 0 ,
"resourceType" : "microsoft.operationalinsights/workspaces" ,
"visualization" : "table" ,
"gridSettings" : {
"formatters" : [
{
"columnMatch" : "Message" ,
"formatter" : 0 ,
"formatOptions" : {
"showIcon" : true
}
} ,
{
"columnMatch" : "count_" ,
"formatter" : 3 ,
"formatOptions" : {
"palette" : "blue" ,
"showIcon" : true
}
}
] ,
"labelSettings" : [
{
"columnId" : "Message"
} ,
{
"columnId" : "count_" ,
"label" : ""
}
]
}
} ,
"customWidth" : "50" ,
"name" : "query - 12"
} ,
{
"type" : 3 ,
"content" : {
"version" : "KqlItem/1.0" ,
"query" : "AzureDiagnostics\r\n| where \"{WAF:lable}\" == \"All\" or Resource in ({WAF})\r\n| where ResourceType == \"APPLICATIONGATEWAYS\"\r\n| where OperationName == \"ApplicationGatewayFirewall\"\r\n| where ('{Selected}' == Message) or '{Selected}'==\"*\"\r\n| summarize count() by Message, TimeGenerated" ,
"size" : 0 ,
"exportToExcelOptions" : "visible" ,
"title" : "Messages, by time" ,
"timeContext" : {
"durationMs" : 0
} ,
"timeContextFromParameter" : "TimeRange" ,
"queryType" : 0 ,
"resourceType" : "microsoft.operationalinsights/workspaces" ,
"visualization" : "barchart" ,
"tileSettings" : {
"showBorder" : false ,
"titleContent" : {
"columnMatch" : "Message" ,
"formatter" : 1
} ,
"leftContent" : {
"columnMatch" : "count_" ,
"formatter" : 12 ,
"formatOptions" : {
"palette" : "auto"
} ,
"numberFormat" : {
"unit" : 17 ,
"options" : {
"maximumSignificantDigits" : 3 ,
"maximumFractionDigits" : 2
}
}
}
}
} ,
"customWidth" : "50" ,
"name" : "query - 13"
} ,
{
"type" : 3 ,
"content" : {
"version" : "KqlItem/1.0" ,
"query" : "AzureDiagnostics\r\n| where \"{WAF:lable}\" == \"All\" or Resource in ({WAF})\r\n| where ResourceType == \"APPLICATIONGATEWAYS\"\r\n| where OperationName == \"ApplicationGatewayFirewall\"\r\n| where '{Selected}' == Message or '{Selected}' == \"*\"\r\n| extend Role = extract(\"ApplicationGateway([a-zA-Z_a-zA-Z_0-9]*)\",1,instanceId_s) \r\n| project Message, TimeGenerated, SourceSystem, hostname_s, ResourceId, ResourceGroup, ResourceProvider, Category, Role, action_s, site_s, details_message_s, details_file_s, clientIp_s, requestUri_s\r\n| sort by TimeGenerated\r\n" ,
"size" : 0 ,
"exportToExcelOptions" : "visible" ,
"title" : "Message, full details" ,
"timeContext" : {
"durationMs" : 0
} ,
"timeContextFromParameter" : "TimeRange" ,
"queryType" : 0 ,
"resourceType" : "microsoft.operationalinsights/workspaces" ,
"visualization" : "table"
} ,
"name" : "query - 11"
} ,
{
"type" : 1 ,
"content" : {
"json" : "---"
} ,
"name" : "text - 12"
} ,
{
"type" : 3 ,
"content" : {
"version" : "KqlItem/1.0" ,
"query" : "AzureDiagnostics\r\n| where ResourceType == \"APPLICATIONGATEWAYS\" and (\"{WAF:lable}\" == \"All\" or Resource in ({WAF}))\r\n| where OperationName == \"ApplicationGatewayFirewall\"\r\n| where Message contains \"attack\"\r\n| extend Role = extract(\"ApplicationGateway([a-zA-Z_a-zA-Z_0-9]*)\",1,instanceId_s) \r\n| summarize Amount = count() by Message, bin(TimeGenerated, 1h), hostName = hostname_s, ResourceId, Category, Role\r\n| project Amount, Message, TimeGenerated, hostName, ResourceId, Category, Role\r\n| order by Amount desc" ,
"size" : 0 ,
"exportFieldName" : "" ,
"exportParameterName" : "MessageFilter" ,
"exportDefaultValue" : "{\"Message\":\"*\"}" ,
"exportToExcelOptions" : "visible" ,
"title" : "Attack events, by message" ,
"timeContext" : {
"durationMs" : 0
} ,
"timeContextFromParameter" : "TimeRange" ,
"queryType" : 0 ,
"resourceType" : "microsoft.operationalinsights/workspaces" ,
"gridSettings" : {
"formatters" : [
{
"columnMatch" : "Amount" ,
"formatter" : 8 ,
"formatOptions" : {
"showIcon" : true ,
"aggregation" : "Sum"
}
} ,
{
"columnMatch" : "Message" ,
"formatter" : 0 ,
"formatOptions" : {
"showIcon" : true
}
} ,
{
"columnMatch" : "TimeGenerated" ,
"formatter" : 0 ,
"formatOptions" : {
"showIcon" : true
}
} ,
{
"columnMatch" : "hostName" ,
"formatter" : 0 ,
"formatOptions" : {
"showIcon" : true
}
} ,
{
"columnMatch" : "ResourceId" ,
"formatter" : 0 ,
"formatOptions" : {
"showIcon" : true
}
} ,
{
"columnMatch" : "Category" ,
"formatter" : 0 ,
"formatOptions" : {
"showIcon" : true
}
} ,
{
"columnMatch" : "Role" ,
"formatter" : 0 ,
"formatOptions" : {
"showIcon" : true
}
} ,
{
"columnMatch" : "$gen_group" ,
"formatter" : 0 ,
"formatOptions" : {
"showIcon" : true
}
} ,
{
"columnMatch" : "Count" ,
"formatter" : 0 ,
"formatOptions" : {
"showIcon" : true
}
} ,
{
"columnMatch" : "TenantId" ,
"formatter" : 0 ,
"formatOptions" : {
"showIcon" : true
}
} ,
{
"columnMatch" : "SourceSystem" ,
"formatter" : 0 ,
"formatOptions" : {
"showIcon" : true
}
} ,
{
"columnMatch" : "MG" ,
"formatter" : 0 ,
"formatOptions" : {
"showIcon" : true
}
} ,
{
"columnMatch" : "ManagementGroupName" ,
"formatter" : 0 ,
"formatOptions" : {
"showIcon" : true
}
} ,
{
"columnMatch" : "Computer" ,
"formatter" : 0 ,
"formatOptions" : {
"showIcon" : true
}
} ,
{
"columnMatch" : "ruleGroup_s" ,
"formatter" : 0 ,
"formatOptions" : {
"showIcon" : true
}
} ,
{
"columnMatch" : "transactionId_s" ,
"formatter" : 0 ,
"formatOptions" : {
"showIcon" : true
}
} ,
{
"columnMatch" : "originalHost_s" ,
"formatter" : 0 ,
"formatOptions" : {
"showIcon" : true
}
} ,
{
"columnMatch" : "_schema_s" ,
"formatter" : 0 ,
"formatOptions" : {
"showIcon" : true
}
} ,
{
"columnMatch" : "error_code_s" ,
"formatter" : 0 ,
"formatOptions" : {
"showIcon" : true
}
} ,
{
"columnMatch" : "error_message_s" ,
"formatter" : 0 ,
"formatOptions" : {
"showIcon" : true
}
} ,
{
"columnMatch" : "instanceId_s" ,
"formatter" : 0 ,
"formatOptions" : {
"showIcon" : true
}
} ,
{
"columnMatch" : "clientIp_s" ,
"formatter" : 0 ,
"formatOptions" : {
"showIcon" : true
}
} ,
{
"columnMatch" : "clientPort_s" ,
"formatter" : 0 ,
"formatOptions" : {
"showIcon" : true
}
} ,
{
"columnMatch" : "requestUri_s" ,
"formatter" : 0 ,
"formatOptions" : {
"showIcon" : true
}
} ,
{
"columnMatch" : "ruleSetType_s" ,
"formatter" : 0 ,
"formatOptions" : {
"showIcon" : true
}
} ,
{
"columnMatch" : "ruleSetVersion_s" ,
"formatter" : 0 ,
"formatOptions" : {
"showIcon" : true
}
} ,
{
"columnMatch" : "ruleId_s" ,
"formatter" : 0 ,
"formatOptions" : {
"showIcon" : true
}
} ,
{
"columnMatch" : "action_s" ,
"formatter" : 0 ,
"formatOptions" : {
"showIcon" : true
}
} ,
{
"columnMatch" : "site_s" ,
"formatter" : 0 ,
"formatOptions" : {
"showIcon" : true
}
} ,
{
"columnMatch" : "details_message_s" ,
"formatter" : 0 ,
"formatOptions" : {
"showIcon" : true
}
} ,
{
"columnMatch" : "details_data_s" ,
"formatter" : 0 ,
"formatOptions" : {
"showIcon" : true
}
} ,
{
"columnMatch" : "details_file_s" ,
"formatter" : 0 ,
"formatOptions" : {
"showIcon" : true
}
} ,
{
"columnMatch" : "details_line_s" ,
"formatter" : 0 ,
"formatOptions" : {
"showIcon" : true
}
} ,
{
"columnMatch" : "hostname_s" ,
"formatter" : 0 ,
"formatOptions" : {
"showIcon" : true
}
} ,
{
"columnMatch" : "clientIP_s" ,
"formatter" : 0 ,
"formatOptions" : {
"showIcon" : true
}
} ,
{
"columnMatch" : "clientPort_d" ,
"formatter" : 0 ,
"formatOptions" : {
"showIcon" : true
}
} ,
{
"columnMatch" : "httpMethod_s" ,
"formatter" : 0 ,
"formatOptions" : {
"showIcon" : true
}
} ,
{
"columnMatch" : "requestQuery_s" ,
"formatter" : 0 ,
"formatOptions" : {
"showIcon" : true
}
} ,
{
"columnMatch" : "userAgent_s" ,
"formatter" : 0 ,
"formatOptions" : {
"showIcon" : true
}
} ,
{
"columnMatch" : "httpStatus_d" ,
"formatter" : 0 ,
"formatOptions" : {
"showIcon" : true
}
} ,
{
"columnMatch" : "httpVersion_s" ,
"formatter" : 0 ,
"formatOptions" : {
"showIcon" : true
}
} ,
{
"columnMatch" : "receivedBytes_d" ,
"formatter" : 0 ,
"formatOptions" : {
"showIcon" : true
}
} ,
{
"columnMatch" : "sentBytes_d" ,
"formatter" : 0 ,
"formatOptions" : {
"showIcon" : true
}
} ,
{
"columnMatch" : "timeTaken_d" ,
"formatter" : 0 ,
"formatOptions" : {
"showIcon" : true
}
} ,
{
"columnMatch" : "sslEnabled_s" ,
"formatter" : 0 ,
"formatOptions" : {
"showIcon" : true
}
} ,
{
"columnMatch" : "host_s" ,
"formatter" : 0 ,
"formatOptions" : {
"showIcon" : true
}
} ,
{
"columnMatch" : "correlation_clientTrackingId_g" ,
"formatter" : 0 ,
"formatOptions" : {
"showIcon" : true
}
} ,
{
"columnMatch" : "tags__type_s" ,
"formatter" : 0 ,
"formatOptions" : {
"showIcon" : true
}
} ,
{
"columnMatch" : "msg_s" ,
"formatter" : 0 ,
"formatOptions" : {
"showIcon" : true
}
} ,
{
"columnMatch" : "resource_originRunId_s" ,
"formatter" : 0 ,
"formatOptions" : {
"showIcon" : true
}
} ,
{
"columnMatch" : "resource_actionName_s" ,
"formatter" : 0 ,
"formatOptions" : {
"showIcon" : true
}
} ,
{
"columnMatch" : "correlation_actionTrackingId_g" ,
"formatter" : 0 ,
"formatOptions" : {
"showIcon" : true
}
} ,
{
"columnMatch" : "workflowId_s" ,
"formatter" : 0 ,
"formatOptions" : {
"showIcon" : true
}
} ,
{
"columnMatch" : "Level" ,
"formatter" : 0 ,
"formatOptions" : {
"showIcon" : true
}
} ,
{
"columnMatch" : "OperationName" ,
"formatter" : 0 ,
"formatOptions" : {
"showIcon" : true
}
} ,
{
"columnMatch" : "status_s" ,
"formatter" : 0 ,
"formatOptions" : {
"showIcon" : true
}
} ,
{
"columnMatch" : "tags_LogicAppsCategory_s" ,
"formatter" : 0 ,
"formatOptions" : {
"showIcon" : true
}
} ,
{
"columnMatch" : "resource_resourceGroupName_s" ,
"formatter" : 0 ,
"formatOptions" : {
"showIcon" : true
}
} ,
{
"columnMatch" : "resource_workflowName_s" ,
"formatter" : 0 ,
"formatOptions" : {
"showIcon" : true
}
} ,
{
"columnMatch" : "resource_runId_s" ,
"formatter" : 0 ,
"formatOptions" : {
"showIcon" : true
}
} ,
{
"columnMatch" : "resource_location_s" ,
"formatter" : 0 ,
"formatOptions" : {
"showIcon" : true
}
} ,
{
"columnMatch" : "resource_triggerName_s" ,
"formatter" : 0 ,
"formatOptions" : {
"showIcon" : true
}
} ,
{
"columnMatch" : "SubscriptionId" ,
"formatter" : 0 ,
"formatOptions" : {
"showIcon" : true
}
} ,
{
"columnMatch" : "ResourceGroup" ,
"formatter" : 0 ,
"formatOptions" : {
"showIcon" : true
}
} ,
{
"columnMatch" : "ResourceProvider" ,
"formatter" : 0 ,
"formatOptions" : {
"showIcon" : true
}
} ,
{
"columnMatch" : "Resource" ,
"formatter" : 0 ,
"formatOptions" : {
"showIcon" : true
}
} ,
{
"columnMatch" : "ResourceType" ,
"formatter" : 0 ,
"formatOptions" : {
"showIcon" : true
}
} ,
{
"columnMatch" : "code_s" ,
"formatter" : 0 ,
"formatOptions" : {
"showIcon" : true
}
} ,
{
"columnMatch" : "correlation_clientTrackingId_s" ,
"formatter" : 0 ,
"formatOptions" : {
"showIcon" : true
}
} ,
{
"columnMatch" : "resource_subscriptionId_g" ,
"formatter" : 0 ,
"formatOptions" : {
"showIcon" : true
}
} ,
{
"columnMatch" : "resource_workflowId_g" ,
"formatter" : 0 ,
"formatOptions" : {
"showIcon" : true
}
} ,
{
"columnMatch" : "startTime_t" ,
"formatter" : 0 ,
"formatOptions" : {
"showIcon" : true
}
} ,
{
"columnMatch" : "endTime_t" ,
"formatter" : 0 ,
"formatOptions" : {
"showIcon" : true
}
} ,
{
"columnMatch" : "Type" ,
"formatter" : 0 ,
"formatOptions" : {
"showIcon" : true
}
} ,
{
"columnMatch" : "_ResourceId" ,
"formatter" : 0 ,
"formatOptions" : {
"showIcon" : true
}
}
] ,
"filter" : true ,
"hierarchySettings" : {
"treeType" : 1 ,
"groupBy" : [
"Message"
] ,
"expandTopLevel" : false
} ,
"labelSettings" : [ ]
}
} ,
"name" : "query - 16"
} ,
{
"type" : 3 ,
"content" : {
"version" : "KqlItem/1.0" ,
"query" : "let SelectedMS = dynamic({MessageFilter}); // row selected in the 'Attack events, by message' grid above (defaults to Message \"*\" = all)\r\nlet Child = SelectedMS.childRows; // when a group row is selected, childRows holds the grouped messages; the first child's Message is used\r\nAzureDiagnostics\r\n| where ResourceType == \"APPLICATIONGATEWAYS\" and (\"{WAF:lable}\" == \"All\" or Resource in ({WAF}))\r\n| where OperationName == \"ApplicationGatewayFirewall\"\r\n| where Message contains \"attack\"\r\n| where SelectedMS.Message == Message or SelectedMS.Message == \"*\" or Message == Child[0].Message\r\n| summarize count() by Message, TimeGenerated" ,
"size" : 0 ,
"exportParameterName" : "Message" ,
"exportDefaultValue" : "{ \"Name\":\"\", \"Type\":\"*\"}" ,
"exportToExcelOptions" : "visible" ,
"title" : "Attack events, by time" ,
"timeContext" : {
"durationMs" : 0
} ,
"timeContextFromParameter" : "TimeRange" ,
"queryType" : 0 ,
"resourceType" : "microsoft.operationalinsights/workspaces" ,
"visualization" : "barchart"
} ,
"customWidth" : "70" ,
"name" : "query - 14"
} ,
{
"type" : 3 ,
"content" : {
"version" : "KqlItem/1.0" ,
"query" : "AzureDiagnostics\r\n| where ResourceType == \"APPLICATIONGATEWAYS\" and (\"{WAF:lable}\" == \"All\" or Resource in ({WAF}))\r\n| where Message contains \"SQL Injection\" \r\n| summarize count() by hostname_s, Message\r\n| order by count_ desc " ,
"size" : 0 ,
"exportToExcelOptions" : "visible" ,
"title" : "SQL injection messages, by host name (all WAF actions)" ,
"timeContext" : {
"durationMs" : 0
} ,
"timeContextFromParameter" : "TimeRange" ,
"queryType" : 0 ,
"resourceType" : "microsoft.operationalinsights/workspaces"
} ,
"customWidth" : "30" ,
"name" : "query - 15"
}
] ,
"styleSettings" : { } ,
"fromTemplateId" : "sentinel-WebApplicationFirewallFirewallEvents" ,
"$schema" : "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}