Azure-Sentinel/Workbooks/SymantecVIP.json

408 строки
12 KiB
JSON
Исходник Обычный вид История

{
"version": "Notebook/1.0",
"items": [
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "1115aea6-5b33-4d1d-9f17-46452a39691f",
"version": "KqlParameterItem/1.0",
"name": "TimeRange",
"label": "Time Range",
"type": 4,
"value": {
"durationMs": 604800000
},
"typeSettings": {
"selectableValues": [
{
"durationMs": 300000
},
{
"durationMs": 900000
},
{
"durationMs": 1800000
},
{
"durationMs": 3600000
},
{
"durationMs": 14400000
},
{
"durationMs": 43200000
},
{
"durationMs": 86400000
},
{
"durationMs": 172800000
},
{
"durationMs": 259200000
},
{
"durationMs": 604800000
},
{
"durationMs": 1209600000
},
{
"durationMs": 2419200000
},
{
"durationMs": 2592000000
},
{
"durationMs": 5184000000
},
{
"durationMs": 7776000000
}
],
"allowCustom": true
},
"resourceType": "microsoft.insights/components"
},
{
"id": "7c8ba908-ba63-4e20-a4fd-d1cbf5555d4e",
"version": "KqlParameterItem/1.0",
"name": "VPNDevice",
"label": "VPN Device",
"type": 2,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "SymantecVIP\r\n| distinct Computer\r\n| sort by Computer asc",
"value": [
"value::all"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
]
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
}
],
"style": "above",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 3"
},
{
"type": 11,
"content": {
"version": "LinkItem/1.0",
"style": "tabs",
"links": [
{
"cellValue": "selectedTab",
"linkTarget": "parameter",
"linkLabel": "General",
"subTarget": "General",
"style": "link"
},
{
"cellValue": "selectedTab",
"linkTarget": "parameter",
"linkLabel": "User Analysis",
"subTarget": "UserAnalysis",
"style": "link"
}
]
},
"name": "links - 12"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SymantecVIP\r\n| where Computer in ({VPNDevice}) or '*' in ({VPNDevice})\r\n| summarize GRANTED = countif(AccessResult == \"GRANTED\"), DENIED = countif(AccessResult == \"DENIED\"), count() by bin(TimeGenerated, {TimeRange:grain})\r\n| project-away count_",
"size": 0,
"title": "User Access Events",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "barchart",
"chartSettings": {
"seriesLabelSettings": [
{
"seriesName": "GRANTED",
"color": "green"
},
{
"seriesName": "DENIED",
"color": "red"
}
]
}
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "General"
},
"customWidth": "50",
"name": "query - 2"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SymantecVIP\r\n| where Computer in ({VPNDevice}) or '*' in ({VPNDevice})\r\n| summarize count() by Computer, bin(TimeGenerated, {TimeRange:grain})",
"size": 0,
"title": "Total VPN Device Events",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "areachart",
"chartSettings": {
"seriesLabelSettings": [
{
"seriesName": "GRANTED",
"color": "green"
},
{
"seriesName": "DENIED",
"color": "red"
}
]
}
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "General"
},
"customWidth": "50",
"name": "query - 2 - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SymantecVIP\r\n| where Computer in ({VPNDevice}) or '*' in ({VPNDevice})\r\n| where AccessResult == \"DENIED\"\r\n| summarize count() by Reason",
"size": 0,
"title": "Top Denied Access Reasons",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "General"
},
"customWidth": "50",
"name": "query - 2"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SymantecVIP\r\n| where Computer in ({VPNDevice}) or '*' in ({VPNDevice})\r\n| where isnotempty(RADIUSAuth)\r\n| summarize Total = count() by User, Results = RADIUSAuth, Reason\r\n| sort by Total desc",
"size": 0,
"title": "Top 10 Users Rejected RADIUS Authentication",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "Total",
"formatter": 3,
"formatOptions": {
"palette": "coldHot"
}
}
]
}
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "General"
},
"customWidth": "50",
"name": "query - 2 - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SymantecVIP\r\n| where Computer in ({VPNDevice}) or '*' in ({VPNDevice})\r\n| where AccessResult == \"DENIED\"\r\n| summarize Total = count() by ClientIP\r\n| top 10 by Total\r\n",
"size": 0,
"title": "Top Denied Client IP Addresses",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "General"
},
"customWidth": "50",
"name": "query - 2 - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SymantecVIP\r\n| where Computer in ({VPNDevice}) or '*' in ({VPNDevice})\r\n| summarize count() by Component",
"size": 0,
"title": "Access Method",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "General"
},
"customWidth": "50",
"name": "query - 4"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "f764e22c-c942-4277-9b5d-7cd0c8b5a308",
"version": "KqlParameterItem/1.0",
"name": "UserList",
"label": "Select User(s)",
"type": 2,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "SymantecVIP \r\n| extend Username = iif(User has \"\\\\\", extract(@\"[a-zA-Z]+\\\\(\\S+)$\",1,User), User)\r\n| distinct tolower(Username)",
"value": [],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
]
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
}
],
"style": "formVertical",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "UserAnalysis"
},
"name": "parameters - 6"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SymantecVIP\r\n| extend Username = tolower(iif(User has \"\\\\\", extract(@\"[a-zA-Z]+\\\\(\\S+)$\",1,User), User))\r\n| where Username in ({UserList}) or '*' in ({UserList})\r\n| summarize count() by User, bin(TimeGenerated, {TimeRange:grain})",
"size": 1,
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "barchart"
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "UserAnalysis"
},
"name": "query - 10"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SymantecVIP\r\n| extend Username = tolower(iif(User has \"\\\\\", extract(@\"[a-zA-Z]+\\\\(\\S+)$\",1,User), User))\r\n| where Username in ({UserList}) or '*' in ({UserList})\r\n| project LogTime, User, Message\r\n| sort by LogTime, User asc",
"size": 0,
"title": "User Activity",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "UserAnalysis"
},
"customWidth": "50",
"name": "query - 5"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SymantecVIP\r\n| extend Username = tolower(iif(User has \"\\\\\", extract(@\"[a-zA-Z]+\\\\(\\S+)$\",1,User), User))\r\n| where Username in ({UserList}) or '*' in ({UserList})\r\n| summarize count() by Component",
"size": 0,
"title": "User Access Method",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "UserAnalysis"
},
"customWidth": "50",
"name": "query - 4 - Copy"
}
],
"fromTemplateId": "sentinel-UserWorkbook",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}