Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность
Azure-Sentinel/Workbooks/CiscoUmbrella.json

700 строки
27 KiB
JSON
Исходник Обычный вид История

Workbooks: first commit
2020-11-27 17:06:22 +03:00
{
"version": "Notebook/1.0",
"items": [
{
"type": 1,
"content": {
"json": ">**NOTE:** This workbook uses a parser based on a Kusto Function to normalize fields. [Follow these steps](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/CiscoUmbrella/Cisco_Umbrella) to create the Kusto function alias **Cisco_Umbrella**."
},
"name": "Text"
},
{
"type": 11,
"content": {
"version": "LinkItem/1.0",
"style": "tabs",
"links": [
{
"id": "464b6899-a8de-4f01-84a6-d4e3ecc7f282",
"cellValue": "Tab",
"linkTarget": "parameter",
"linkLabel": "Cisco Umbrella Main Dashboard",
"subTarget": "cisco_umbrella_main_dashboard",
"preText": "Cisco Umbrella Main Dashboard",
"style": "link"
},
{
"id": "a3798d8a-a610-475c-9cbf-7252301dab7e",
"cellValue": "Tab",
"linkTarget": "parameter",
"linkLabel": "Cisco Umbrella Dns Dashboard",
"subTarget": "cisco_umbrella_dns_dashboard",
"style": "link"
},
{
"id": "80bcf252-bcf6-4736-993d-59da0a8e4c76",
"cellValue": "Tab",
"linkTarget": "parameter",
"linkLabel": "Cisco Umbrella Proxy Dashboard",
"subTarget": "cisco_umbrella_proxy_dashboard",
"style": "link"
},
{
"id": "f536a1e9-362e-4d98-bdd1-0f7dfb23901a",
"cellValue": "Tab",
"linkTarget": "parameter",
"linkLabel": "Cisco Umbrella Firewall Dashboard",
"subTarget": "cisco_umbrella_firewall_dashboard",
"style": "link"
}
]
},
"name": "Links"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "37b91baf-6272-4709-a028-1370823249d4",
"version": "KqlParameterItem/1.0",
"name": "TimeRange",
"type": 4,
"isRequired": true,
"value": {
"durationMs": 5184000000
},
"typeSettings": {
"selectableValues": [
{
"durationMs": 300000
},
{
"durationMs": 900000
},
{
"durationMs": 1800000
},
{
"durationMs": 3600000
},
{
"durationMs": 14400000
},
{
"durationMs": 43200000
},
{
"durationMs": 86400000
},
{
"durationMs": 172800000
},
{
"durationMs": 259200000
},
{
"durationMs": 604800000
},
{
"durationMs": 1209600000
},
{
"durationMs": 2419200000
},
{
"durationMs": 2592000000
},
{
"durationMs": 5184000000
},
{
"durationMs": 7776000000
}
],
"allowCustom": true
},
"timeContext": {
"durationMs": 86400000
}
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "Parameters1"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Cisco_Umbrella\n| where TimeGenerated {TimeRange} \n| summarize Count=count() by EventType\n| render barchart",
"size": 3,
"title": "Events Count by EventType",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart",
"tileSettings": {
"showBorder": false,
"titleContent": {
"columnMatch": "EventType",
"formatter": 1
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
},
"graphSettings": {
"type": 0,
"topContent": {
"columnMatch": "EventType",
"formatter": 1
},
"centerContent": {
"columnMatch": "Count",
"formatter": 1,
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
}
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "cisco_umbrella_main_dashboard"
},
"customWidth": "30",
"name": "EventsCountByEventType"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Cisco_Umbrella\n| where TimeGenerated {TimeRange} \n|make-series Trend = count() on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by EventType;",
"size": 0,
"title": "Events over time",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "timechart"
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "cisco_umbrella_main_dashboard"
},
"customWidth": "70",
"name": "EventsOverTime"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Cisco_Umbrella\n| where DvcAction contains \"block\"\n| where TimeGenerated {TimeRange} \n|make-series Trend = count() on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain};",
"size": 0,
"title": "Blocks over time",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "timechart"
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "cisco_umbrella_main_dashboard"
},
"customWidth": "70",
"name": "query - 4"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let CU_Total_Requests =\nCisco_Umbrella\n| where TimeGenerated {TimeRange} \n| summarize count()\n| extend evttype=\"Total Requests\";\n\nlet CU_Total_Blocked =\nCisco_Umbrella\n| where TimeGenerated {TimeRange} \n| where DvcAction contains \"block\"\n| summarize count()\n| extend evttype=\"Total Blocked\";\n\nlet CU_Security_Blocked =\nCisco_Umbrella \n| where TimeGenerated {TimeRange} \n| where DvcAction contains \"block\"\n| where isnotempty(ThreatCategory)\n| summarize count()\n| extend evttype=\"Security Blocked\";\n\nunion CU_Security_Blocked,CU_Total_Blocked,CU_Total_Requests",
"size": 3,
"title": "Network Breakdown Statistic",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"tileSettings": {
"titleContent": {
"columnMatch": "evttype",
"formatter": 1
},
"leftContent": {
"columnMatch": "count_",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
},
"showBorder": false,
"size": "auto"
}
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "cisco_umbrella_main_dashboard"
},
"customWidth": "30",
"name": "NetworkBreakdownStatistic"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Cisco_Umbrella\n| where TimeGenerated {TimeRange} \n| where EventType == \"dnslogs\"\n| summarize count() by DvcAction",
"size": 3,
"title": "DNS - Events count by Action",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart",
"tileSettings": {
"showBorder": false,
"titleContent": {
"columnMatch": "DvcAction",
"formatter": 1
},
"leftContent": {
"columnMatch": "count_",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
}
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "cisco_umbrella_dns_dashboard"
},
"customWidth": "30",
"name": "DNSEventsCountByAction"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Cisco_Umbrella\n| where TimeGenerated {TimeRange} \n| where EventType == \"dnslogs\"\n| summarize Count=count() by DnsQueryTypeName | sort by Count",
"size": 0,
"title": "DNS - Events count by QueryType",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "categoricalbar"
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "cisco_umbrella_dns_dashboard"
},
"customWidth": "70",
"name": "DNSEventsCountByQueryType"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Cisco_Umbrella\n| where EventType == \"dnslogs\"\n| where TimeGenerated {TimeRange} \n| where isnotempty(ThreatCategory)\n| extend Threat_Category=parsejson(tostring(ThreatCategory))\n| mv-expand Threat_Category\n| summarize Count=count() by tostring(Threat_Category)\n| sort by Count \n| join kind = inner (\nCisco_Umbrella\n| where EventType == \"dnslogs\"\n| where isnotempty(ThreatCategory)\n| where TimeGenerated {TimeRange} \n| extend Threat_Category=parsejson(tostring(ThreatCategory))\n| mv-expand Threat_Category\n| make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by tostring(Threat_Category))\n on Threat_Category\n | project-away Threat_Category1, TimeGenerated\n | project Threat_Category, Count, Trend\n | order by Count\n| take 10",
"size": 0,
"title": "DNS - Events by Threat Category",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "Count",
"formatter": 8,
"formatOptions": {
"palette": "blueGreen"
}
},
{
"columnMatch": "Trend",
"formatter": 10,
"formatOptions": {
"palette": "turquoise"
}
}
]
}
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "cisco_umbrella_dns_dashboard"
},
"customWidth": "30",
"name": "DNSEventsByThreatCategory"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Cisco_Umbrella\n| where TimeGenerated {TimeRange} \n| where EventType == \"dnslogs\"\n| where isnotempty(UrlCategory)\n| extend Url_Category=parsejson(tostring(UrlCategory))\n| mv-expand Url_Category\n| summarize Count=count() by tostring(Url_Category)\n| sort by Count\n| join kind = inner (\nCisco_Umbrella\n| where TimeGenerated {TimeRange} \n| where EventType == \"dnslogs\"\n| where isnotempty(UrlCategory)\n| extend Url_Category=parsejson(tostring(UrlCategory))\n| mv-expand Url_Category\n| make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by tostring(Url_Category))\n on Url_Category\n | project-away Url_Category1, TimeGenerated\n | project Url_Category, Count, Trend\n | order by Count\n| take 10",
"size": 0,
"title": "DNS - Events by Url Category",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "Count",
"formatter": 8,
"formatOptions": {
"palette": "blueGreen"
}
},
{
"columnMatch": "Trend",
"formatter": 10,
"formatOptions": {
"palette": "turquoise"
}
}
]
}
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "cisco_umbrella_dns_dashboard"
},
"customWidth": "35",
"name": "DNSEventsByUrlCategory"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let list_IP = Cisco_Umbrella\n| where TimeGenerated {TimeRange} \n| where EventType == \"dnslogs\"\n| where DvcAction == \"Blocked\"\n|summarize Count=count() by SrcIpAddr | top 10 by Count\n| summarize makelist(SrcIpAddr);\nCisco_Umbrella\n| where TimeGenerated {TimeRange} \n| where EventType == \"dnslogs\"\n| where DvcAction == \"Blocked\"\n|summarize Count=count() by SrcIpAddr \n| join kind = inner (\nCisco_Umbrella\n| where TimeGenerated {TimeRange} \n| where EventType == \"dnslogs\"\n| where DvcAction == \"Blocked\"\n| where SrcIpAddr in (list_IP)\n| make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SrcIpAddr)\n on SrcIpAddr\n | project-away SrcIpAddr1, TimeGenerated\n | project SrcIpAddr, Count, Trend\n | order by Count\n| take 10\n\n",
"size": 0,
"title": "DNS - Top 10 SrcIp with Blocked Action",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "Count",
"formatter": 8,
"formatOptions": {
"palette": "blueGreen"
}
},
{
"columnMatch": "Trend",
"formatter": 10,
"formatOptions": {
"palette": "turquoise"
}
}
]
}
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "cisco_umbrella_dns_dashboard"
},
"customWidth": "35",
"name": "DNSTop10SrcIpBlockedAction"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Cisco_Umbrella\n| where TimeGenerated {TimeRange}\n| where EventType == \"dnslogs\"\n| where DvcAction == \"Blocked\"\n| summarize Count=count() by DnsQueryName, UrlCategory \n| top 10 by Count\n",
"size": 0,
"title": "DNS - Top 10 Blocked Url ",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "cisco_umbrella_dns_dashboard"
},
"name": "DNSTop10BlockedUrl "
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Cisco_Umbrella\n| where TimeGenerated {TimeRange} \n| where EventType == \"proxylogs\"\n| summarize count() by DvcAction",
"size": 3,
"title": "Proxy - Events count by Action",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "cisco_umbrella_proxy_dashboard"
},
"customWidth": "30",
"name": "ProxyEventsCountByAction"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let CU_proxy_outcoming_traffic =\nCisco_Umbrella\n| where TimeGenerated {TimeRange} \n| where EventType == \"proxylogs\"\n| extend TrafficType = \"Outcoming\", Bytes = SrcBytes\n| project TrafficType, Bytes, TimeGenerated;\n\nlet CU_proxy_incoming_traffic =\nCisco_Umbrella\n| where TimeGenerated {TimeRange} \n| where EventType == \"proxylogs\"\n| extend TrafficType = \"Incoming\", Bytes = DstBytes\n| project TrafficType, Bytes, TimeGenerated;\n\n\nunion CU_proxy_outcoming_traffic, CU_proxy_incoming_traffic\n| make-series TotalGbytes = round(sum(Bytes/(1024*1024*1024)),2) on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by TrafficType\n",
"size": 0,
"title": "Proxy - Traffic timechart, GB",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "timechart"
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "cisco_umbrella_proxy_dashboard"
},
"customWidth": "70",
"name": "ProxyTrafficTimechart"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "\nCisco_Umbrella\n| where TimeGenerated {TimeRange} \n| where EventType == \"proxylogs\"\n| where isnotempty(UrlCategory)\n| extend Url_Category=parsejson(tostring(UrlCategory))\n| mv-expand Url_Category\n| summarize Count=count() by tostring(Url_Category)\n| sort by Count\n| join kind = inner (\nCisco_Umbrella\n| where TimeGenerated {TimeRange} \n| where EventType == \"proxylogs\"\n| where isnotempty(UrlCategory)\n| extend Url_Category=parsejson(tostring(UrlCategory))\n| mv-expand Url_Category\n| make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by tostring(Url_Category))\n on Url_Category\n | project-away Url_Category1, TimeGenerated\n | project Url_Category, Count, Trend\n | order by Count\n| take 10",
"size": 0,
"title": "Proxy - Events by Url Category",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "Count",
"formatter": 8,
"formatOptions": {
"palette": "blueGreen"
}
},
{
"columnMatch": "Trend",
"formatter": 10,
"formatOptions": {
"palette": "turquoise"
}
}
]
}
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "cisco_umbrella_proxy_dashboard"
},
"customWidth": "30",
"name": "ProxyEventsByUrlCategory"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let list_IP = Cisco_Umbrella\n| where TimeGenerated {TimeRange} \n| where EventType == \"proxylogs\"\n| where DvcAction == \"BLOCKED\"\n|summarize Count=count() by SrcIpAddr | top 10 by Count\n| summarize makelist(SrcIpAddr);\nCisco_Umbrella\n| where TimeGenerated {TimeRange} \n| where EventType == \"proxylogs\"\n| where DvcAction == \"BLOCKED\"\n|summarize Count=count() by SrcIpAddr \n| join kind = inner (\nCisco_Umbrella\n| where TimeGenerated {TimeRange} \n| where EventType == \"proxylogs\"\n| where DvcAction == \"BLOCKED\"\n| where SrcIpAddr in (list_IP)\n| make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SrcIpAddr)\n on SrcIpAddr\n | project-away SrcIpAddr1, TimeGenerated\n | project SrcIpAddr, Count, Trend\n | order by Count\n| take 10\n\n",
"size": 0,
"title": "Proxy - Top 10 Source IP with Blocked Action",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "Count",
"formatter": 8,
"formatOptions": {
"palette": "blueGreen"
}
},
{
"columnMatch": "Trend",
"formatter": 10,
"formatOptions": {
"palette": "turquoise"
}
}
]
}
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "cisco_umbrella_proxy_dashboard"
},
"customWidth": "35",
"name": "ProxyTop10SourceIPBlockedAction"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Cisco_Umbrella\n| where TimeGenerated {TimeRange} \n| where EventType == \"proxylogs\"\n| where isnotempty(ThreatCategory)\n| extend Threat_Category=parsejson(tostring(ThreatCategory))\n| mv-expand Threat_Category\n| summarize Count=count() by tostring(Threat_Category)\n| sort by Count \n| join kind = inner (\nCisco_Umbrella\n| where TimeGenerated {TimeRange} \n| where EventType == \"proxylogs\"\n| where isnotempty(ThreatCategory)\n| extend Threat_Category=parsejson(tostring(ThreatCategory))\n| mv-expand Threat_Category\n| make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by tostring(Threat_Category))\n on Threat_Category\n | project-away Threat_Category1, TimeGenerated\n | project Threat_Category, Count, Trend\n | order by Count\n| take 10",
"size": 0,
"title": "Proxy - Events by Threat Category",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "Count",
"formatter": 8,
"formatOptions": {
"palette": "blueGreen"
}
},
{
"columnMatch": "Trend",
"formatter": 10,
"formatOptions": {
"palette": "turquoise"
}
}
]
}
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "cisco_umbrella_proxy_dashboard"
},
"customWidth": "35",
"name": "ProxyEventsByThreatCategory"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Cisco_Umbrella\n| where TimeGenerated {TimeRange}\n| where EventType == \"proxylogs\"\n| where DvcAction == \"BLOCKED\"\n| summarize Count=count() by UrlOriginal, UrlCategory \n| top 10 by Count\n",
"size": 0,
"title": "Proxy - Top 10 Blocked Url ",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "cisco_umbrella_proxy_dashboard"
},
"name": "ProxyTop10BlockedUrl "
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Cisco_Umbrella\n| where TimeGenerated {TimeRange} \n| where EventType == \"cloudfirewalllogs\"\n| summarize count() by DvcAction",
"size": 3,
"title": "Firewall - Events count by Action",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart",
"tileSettings": {
"showBorder": false,
"titleContent": {
"columnMatch": "DvcAction",
"formatter": 1
},
"leftContent": {
"columnMatch": "count_",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
}
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "cisco_umbrella_firewall_dashboard"
},
"customWidth": "30",
"name": "FirewallEventsCountByAction"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "\nCisco_Umbrella\n| where TimeGenerated {TimeRange} \n| where EventType == \"cloudfirewalllogs\"\n| make-series Packets = sum(toint(NetworkPackets)) on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by NetworkDirection",
"size": 0,
"title": "Firewall - Traffic over time, Packets",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "timechart"
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "cisco_umbrella_firewall_dashboard"
},
"customWidth": "70",
"name": "FirewallTrafficOverTime"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Cisco_Umbrella\n|where EventType == \"cloudfirewalllogs\"\n| where DvcAction contains \"BLOCK\"\n| where TimeGenerated {TimeRange} \n|make-series Trend = count() on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain};",
"size": 0,
"title": "Firewall - Block Events over time",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "cisco_umbrella_firewall_dashboard"
},
"customWidth": "50",
"name": "query - 19"
}
],
"fallbackResourceIds": [
"/subscriptions/3102b8f9-10e3-49bf-8712-51c184fddef5/resourcegroups/socprime/providers/microsoft.operationalinsights/workspaces/azuresocprimesentinel"
],
"fromTemplateId": "sentinel-CiscoUmbrella",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}