{
"version": "Notebook/1.0",
"items": [
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "1115aea6-5b33-4d1d-9f17-46452a39691f",
"version": "KqlParameterItem/1.0",
"name": "TimeRange",
"label": "Time Range",
"type": 4,
"value": {
"durationMs": 604800000
},
"typeSettings": {
"selectableValues": [
{
"durationMs": 300000
},
{
"durationMs": 900000
},
{
"durationMs": 1800000
},
{
"durationMs": 3600000
},
{
"durationMs": 14400000
},
{
"durationMs": 43200000
},
{
"durationMs": 86400000
},
{
"durationMs": 172800000
},
{
"durationMs": 259200000
},
{
"durationMs": 604800000
},
{
"durationMs": 1209600000
},
{
"durationMs": 2419200000
},
{
"durationMs": 2592000000
},
{
"durationMs": 5184000000
},
{
"durationMs": 7776000000
}
],
"allowCustom": true
},
"resourceType": "microsoft.insights/components"
},
{
"id": "7c8ba908-ba63-4e20-a4fd-d1cbf5555d4e",
"version": "KqlParameterItem/1.0",
"name": "VPNDevice",
"label": "VPN Device",
"type": 2,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "SymantecVIP\r\n| distinct Computer\r\n| sort by Computer asc",
"value": [
"value::all"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
]
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
}
],
"style": "above",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 3"
},
{
"type": 11,
"content": {
"version": "LinkItem/1.0",
"style": "tabs",
"links": [
{
"cellValue": "selectedTab",
"linkTarget": "parameter",
"linkLabel": "General",
"subTarget": "General",
"style": "link"
},
{
"cellValue": "selectedTab",
"linkTarget": "parameter",
"linkLabel": "User Analysis",
"subTarget": "UserAnalysis",
"style": "link"
}
]
},
"name": "links - 12"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SymantecVIP\r\n| where Computer in ({VPNDevice}) or '*' in ({VPNDevice})\r\n| summarize GRANTED = countif(AccessResult == \"GRANTED\"), DENIED = countif(AccessResult == \"DENIED\"), count() by bin(TimeGenerated, {TimeRange:grain})\r\n| project-away count_",
"size": 0,
"title": "User Access Events",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "barchart",
"chartSettings": {
"seriesLabelSettings": [
{
"seriesName": "GRANTED",
"color": "green"
},
{
"seriesName": "DENIED",
"color": "red"
}
]
}
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "General"
},
"customWidth": "50",
"name": "query - 2"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SymantecVIP\r\n| where Computer in ({VPNDevice}) or '*' in ({VPNDevice})\r\n| summarize count() by Computer, bin(TimeGenerated, {TimeRange:grain})",
"size": 0,
"title": "Total VPN Device Events",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "areachart",
"chartSettings": {
"seriesLabelSettings": [
{
"seriesName": "GRANTED",
"color": "green"
},
{
"seriesName": "DENIED",
"color": "red"
}
]
}
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "General"
},
"customWidth": "50",
"name": "query - 2 - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SymantecVIP\r\n| where Computer in ({VPNDevice}) or '*' in ({VPNDevice})\r\n| where AccessResult == \"DENIED\"\r\n| summarize count() by Reason",
"size": 0,
"title": "Top Denied Access Reasons",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "General"
},
"customWidth": "50",
"name": "query - 2"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SymantecVIP\r\n| where Computer in ({VPNDevice}) or '*' in ({VPNDevice})\r\n| where isnotempty(RADIUSAuth)\r\n| summarize Total = count() by User, Results = RADIUSAuth, Reason\r\n| sort by Total desc",
"size": 0,
"title": "Top 10 Users with Rejected RADIUS Authentication",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "Total",
"formatter": 3,
"formatOptions": {
"palette": "coldHot"
}
}
]
}
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "General"
},
"customWidth": "50",
"name": "query - 2 - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SymantecVIP\r\n| where Computer in ({VPNDevice}) or '*' in ({VPNDevice})\r\n| where AccessResult == \"DENIED\"\r\n| summarize Total = count() by ClientIP\r\n| top 10 by Total\r\n",
"size": 0,
"title": "Top Denied Client IP Addresses",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "General"
},
"customWidth": "50",
"name": "query - 2 - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SymantecVIP\r\n| where Computer in ({VPNDevice}) or '*' in ({VPNDevice})\r\n| summarize count() by Component",
"size": 0,
"title": "Access Method",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "General"
},
"customWidth": "50",
"name": "query - 4"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "f764e22c-c942-4277-9b5d-7cd0c8b5a308",
"version": "KqlParameterItem/1.0",
"name": "UserList",
"label": "Select User(s)",
"type": 2,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "SymantecVIP \r\n| extend Username = iif(User has \"\\\\\", extract(@\"[a-zA-Z]+\\\\(\\S+)$\",1,User), User)\r\n| distinct tolower(Username)",
"value": [],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
]
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
}
],
"style": "formVertical",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "UserAnalysis"
},
"name": "parameters - 6"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SymantecVIP\r\n| extend Username = tolower(iif(User has \"\\\\\", extract(@\"[a-zA-Z]+\\\\(\\S+)$\",1,User), User))\r\n| where Username in ({UserList}) or '*' in ({UserList})\r\n| summarize count() by User, bin(TimeGenerated, {TimeRange:grain})",
"size": 1,
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "barchart"
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "UserAnalysis"
},
"name": "query - 10"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SymantecVIP\r\n| extend Username = tolower(iif(User has \"\\\\\", extract(@\"[a-zA-Z]+\\\\(\\S+)$\",1,User), User))\r\n| where Username in ({UserList}) or '*' in ({UserList})\r\n| project LogTime, User, Message\r\n| sort by LogTime, User asc",
"size": 0,
"title": "User Activity",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "UserAnalysis"
},
"customWidth": "50",
"name": "query - 5"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SymantecVIP\r\n| extend Username = tolower(iif(User has \"\\\\\", extract(@\"[a-zA-Z]+\\\\(\\S+)$\",1,User), User))\r\n| where Username in ({UserList}) or '*' in ({UserList})\r\n| summarize count() by Component",
"size": 0,
"title": "User Access Method",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "UserAnalysis"
},
"customWidth": "50",
"name": "query - 4 - Copy"
}
],
"fromTemplateId": "sentinel-UserWorkbook",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}