Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность
Azure-Sentinel/Workbooks/PaloAltoOverview.json

1509 строки
58 KiB
JSON
Исходник Обычный вид История

Palo Alto Overview Workbook fix (#1256) * replace string operator for query * delete and re-create json * move to workbook folder * fix indent
2020-11-17 00:06:32 +03:00
{
"version": "Notebook/1.0",
"items": [
{
"type": 1,
"content": {
"json": "<div style=\"font-size: 200%;\">Palo Alto Networks overview</div>"
},
"name": "text - 0"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"query": "",
"crossComponentResources": [],
"parameters": [
{
"id": "a5c18655-3e2d-4d12-8ba4-82e57b296581",
"version": "KqlParameterItem/1.0",
"name": "TimeRange",
"type": 4,
"isRequired": true,
"value": {
"durationMs": 2592000000
},
"typeSettings": {
"selectableValues": [
{
"durationMs": 300000
},
{
"durationMs": 900000
},
{
"durationMs": 1800000
},
{
"durationMs": 3600000
},
{
"durationMs": 14400000
},
{
"durationMs": 43200000
},
{
"durationMs": 86400000
},
{
"durationMs": 172800000
},
{
"durationMs": 259200000
},
{
"durationMs": 604800000
},
{
"durationMs": 1209600000
},
{
"durationMs": 2419200000
},
{
"durationMs": 2592000000
},
{
"durationMs": 5184000000
},
{
"durationMs": 7776000000
}
],
"allowCustom": true
}
},
{
"id": "32f5a8aa-9c54-4fd1-a2b9-8461b2c57f55",
"version": "KqlParameterItem/1.0",
"name": "Source_IP",
"label": "Source IP",
"type": 2,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "CommonSecurityLog\r\n| summarize Count = count()/1000 by SourceIP\r\n| where SourceIP != \"\"\r\n| order by Count desc, SourceIP asc\r\n| project Value = SourceIP, Label = strcat(SourceIP, \" - \", Count, \"k\"), Selected = false\r\n",
"value": [
"value::all"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
],
"selectAllValue": "All"
},
"timeContext": {
"durationMs": 1800000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
{
"id": "b937ca33-bc62-4183-bc0f-9ad8306dc36a",
"version": "KqlParameterItem/1.0",
"name": "Destination_IP",
"label": "Destination IP",
"type": 2,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "CommonSecurityLog\r\n| summarize Count = count()/1000 by DestinationIP\r\n| where DestinationIP != \"\"\r\n| order by Count desc, DestinationIP asc\r\n| project Value = DestinationIP, Label = strcat(DestinationIP, \" - \", Count, \"k\"), Selected = false",
"value": [
"value::all"
],
"typeSettings": {
"limitSelectTo": 10,
"additionalResourceOptions": [
"value::all"
],
"selectAllValue": "All"
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 5"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"query": "",
"crossComponentResources": [],
"parameters": [
{
"id": "7f28bae3-a11f-408a-832f-77a0f3e633d7",
"version": "KqlParameterItem/1.0",
"name": "EventClass",
"type": 2,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| distinct DeviceEventClassID",
"value": [
"value::all"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
],
"selectAllValue": "All"
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 35"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let data = CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP})\r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where \"{EventClass:lable}\" == \"All\" or \"{EventClass:lable}\" == \"All\" or DeviceEventClassID in ({EventClass});\r\ndata\r\n| summarize Count = count() by Activity\r\n| join kind = inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by Activity)\r\n on Activity\r\n| project-away Activity1, TimeGenerated\r\n| extend Activitys = Activity\r\n| union (\r\n data \r\n | summarize Count = count() \r\n | extend jkey = 1\r\n | join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\r\n | extend jkey = 1) on jkey\r\n | extend Activity = 'All', Activitys = '*' \r\n)\r\n| order by Count desc\r\n| take 10",
"size": 4,
"exportFieldName": "Activity",
"exportParameterName": "activities",
"exportDefaultValue": "All",
"exportToExcelOptions": "visible",
"title": "Activities, by volume",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"gridSettings": {
"formatters": [
{
"columnMatch": "Activity",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Count",
"formatter": 8,
"formatOptions": {
"palette": "blueDark",
"showIcon": true
}
},
{
"columnMatch": "Trend",
"formatter": 9,
"formatOptions": {
"palette": "lightBlue",
"showIcon": true
}
},
{
"columnMatch": "Activitys",
"formatter": 5,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "jkey",
"formatter": 5,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "TimeGenerated",
"formatter": 5,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "jkey1",
"formatter": 5,
"formatOptions": {
"showIcon": true
}
}
],
"labelSettings": []
},
"tileSettings": {
"titleContent": {
"columnMatch": "Activity",
"formatter": 1,
"formatOptions": {
"showIcon": true
}
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"palette": "auto",
"showIcon": true
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
},
"secondaryContent": {
"columnMatch": "Trend",
"formatter": 9,
"formatOptions": {
"showIcon": true
}
},
"showBorder": false
}
},
"name": "all activities"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP})\r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where \"{EventClass:lable}\" == \"All\" or DeviceEventClassID in ({EventClass})\r\n| where '{activities}' == \"All\" or Activity == '{activities}'\r\n| summarize LogVolume=count() by DeviceEventClassID, bin_at(TimeGenerated, {TimeRange:grain}, {TimeRange:start})",
"size": 0,
"aggregation": 3,
"exportToExcelOptions": "visible",
"title": "Event trend, by time",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "barchart",
"tileSettings": {
"showBorder": false,
"titleContent": {
"columnMatch": "DeviceEventClassID",
"formatter": 1
},
"leftContent": {
"columnMatch": "LogVolume",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
}
},
"customWidth": "50",
"name": "Event trend by time"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "//trend by sevearity\r\nCommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where \"{EventClass:lable}\" == \"All\" or DeviceEventClassID in ({EventClass})\r\n| where '{activities}' == \"All\" or Activity == '{activities}'\r\n| summarize count() by bin_at(TimeGenerated, {TimeRange:grain},{TimeRange:start}), LogSeverity\r\n",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Events severity, by time",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "barchart",
"tileSettings": {
"showBorder": false,
"titleContent": {
"columnMatch": "LogSeverity",
"formatter": 1
},
"leftContent": {
"columnMatch": "count_",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
},
"graphSettings": {
"type": 0,
"topContent": {
"columnMatch": "LogSeverity",
"formatter": 1
},
"centerContent": {
"columnMatch": "count_",
"formatter": 1,
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
}
},
"customWidth": "50",
"name": "Events severity over time"
},
{
"type": 1,
"content": {
"json": "---\r\n### Traffic events summary"
},
"name": "text - 11"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let data = CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where Activity =~ \"Traffic\";\r\ndata\r\n| summarize Count = count() by DeviceEventClassID\r\n| join kind = inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by DeviceEventClassID)\r\n on DeviceEventClassID\r\n| project-away DeviceEventClassID1, TimeGenerated\r\n| extend DeviceEventClassIDs = DeviceEventClassID\r\n| union (\r\n data \r\n | summarize Count = count() \r\n | extend jkey = 1\r\n | join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\r\n | extend jkey = 1) on jkey\r\n | extend DeviceEventClassID = 'All', DeviceEventClassIDs = '*' \r\n)\r\n| order by Count desc\r\n| take 10",
"size": 4,
"exportFieldName": "DeviceEventClassID",
"exportParameterName": "EventClass",
"exportDefaultValue": "All",
"exportToExcelOptions": "visible",
"title": "Device events Id summary - click to filter the graph below",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"tileSettings": {
"titleContent": {
"columnMatch": "DeviceEventClassID",
"formatter": 1,
"formatOptions": {
"showIcon": true
}
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"palette": "auto",
"showIcon": true
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"maximumFractionDigits": 2,
"maximumSignificantDigits": 3
}
}
},
"secondaryContent": {
"columnMatch": "Trend",
"formatter": 9,
"formatOptions": {
"showIcon": true
}
},
"showBorder": false
}
},
"customWidth": "50",
"name": "Traffic event summary"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let data = CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where Activity =~ \"Traffic\";\r\ndata\r\n| summarize Count = count() by DeviceAction\r\n| join kind = inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by DeviceAction)\r\n on DeviceAction\r\n| project-away DeviceAction1, TimeGenerated\r\n| extend DeviceAction = DeviceAction\r\n| union (\r\n data \r\n | summarize Count = count() \r\n | extend jkey = 1\r\n | join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\r\n | extend jkey = 1) on jkey\r\n | extend DeviceAction = 'All', DeviceActions = '*' \r\n)\r\n| order by Count desc\r\n| take 10",
"size": 4,
"exportFieldName": "DeviceAction",
"exportParameterName": "DeviceAction",
"exportDefaultValue": "All",
"exportToExcelOptions": "visible",
"title": "Device action summary - click to filter the graph below",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"gridSettings": {
"formatters": [
{
"columnMatch": "DeviceAction",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Count",
"formatter": 3,
"formatOptions": {
"palette": "blueDark",
"showIcon": true
}
},
{
"columnMatch": "Trend",
"formatter": 9,
"formatOptions": {
"palette": "blueDark",
"showIcon": true
}
},
{
"columnMatch": "jkey",
"formatter": 5,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "TimeGenerated",
"formatter": 5,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "jkey1",
"formatter": 5,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "DeviceActions",
"formatter": 5,
"formatOptions": {
"showIcon": true
}
}
],
"labelSettings": []
},
"tileSettings": {
"titleContent": {
"columnMatch": "DeviceAction",
"formatter": 1,
"formatOptions": {
"showIcon": true
}
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"palette": "auto",
"showIcon": true
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
},
"secondaryContent": {
"columnMatch": "Trend",
"formatter": 9,
"formatOptions": {
"showIcon": true
}
},
"showBorder": false
}
},
"customWidth": "33",
"name": "Traffic activity summary"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where Activity =~ 'TRAFFIC'\r\n| where '{EventClass}' == \"All\" or DeviceEventClassID=='{EventClass}'\r\n| summarize EventCount= count() by DeviceAction, bin_at(TimeGenerated, {TimeRange:grain}, {TimeRange:start})",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Device action, by time",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "barchart"
},
"customWidth": "50",
"name": "Traffic activity by time"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where '{DeviceAction}' == \"All\" or DeviceAction=='{DeviceAction}'\r\n| where Activity =~ \"Traffic\"\r\n| summarize EventCount= count() by DeviceEventClassID, bin_at(TimeGenerated, {TimeRange:grain}, {TimeRange:start})",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Device events Id, by time",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "barchart"
},
"customWidth": "50",
"name": "Traffic class ID by time"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
Updating to include new CEF Changes
2022-05-31 14:36:53 +03:00
"query": "CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS' \r\n| where DeviceVendor =~ 'Palo Alto Networks' \r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where Activity =~ 'TRAFFIC' \r\n| where DeviceEventClassID =~ 'end' \r\n| extend Reason = coalesce(\r\n column_ifexists(\"Reason\", \"\"),\r\n extract(';reason=(.*?);',1,AdditionalExtensions),\r\n \"\"\r\n )\r\n| summarize ReasonCount= count() by Reason, TimeGenerated \r\n",
Palo Alto Overview Workbook fix (#1256) * replace string operator for query * delete and re-create json * move to workbook folder * fix indent
2020-11-17 00:06:32 +03:00
"size": 0,
"exportToExcelOptions": "visible",
"title": "Reasons for session ending, by time",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "timechart"
},
"customWidth": "50",
"name": "Reasons for session ending"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "// Data sent outbound vs inbound\r\nCommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where Activity =~ 'TRAFFIC'\r\n| extend Direction=iff(DeviceCustomString4=~'Trust','Outbound' ,'Inbound' )\r\n| summarize DataSentOutBoundMB=sumif(SentBytes, Direction=~'Outbound')/1048576, DataRecievedInboundMB=sumif(ReceivedBytes, Direction=~'Inbound')/1048576 by TimeGenerated\r\n",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Sent and received data, by volume",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "timechart"
},
"customWidth": "50",
"name": "Sent and received data by volume"
},
{
"type": 1,
"content": {
"json": "---\r\n## Web filter"
},
"name": "text - 12"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where Activity =~ 'THREAT'\r\n| where DeviceEventClassID =~ 'url'\r\n| where DeviceAction contains 'block'\r\n| summarize ProtocolCount=count() by ApplicationProtocol\r\n| top 5 by ProtocolCount desc\r\n",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Top 5 blocked URLs, by application protocol",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "ApplicationProtocol",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "ProtocolCount",
"formatter": 4,
"formatOptions": {
"min": 0,
"palette": "purple",
"showIcon": true
}
}
],
"labelSettings": []
}
},
"customWidth": "25",
"name": "Top 5 blocked URLs by application protocol"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where Activity =~ 'THREAT'\r\n| where DeviceEventClassID =~ 'url'\r\n| where DeviceAction in ('block-url', 'block-continue')\r\n| summarize CategoryCount=count() by DeviceCustomString2\r\n| project-rename CategoryName= DeviceCustomString2\r\n| top 5 by CategoryCount\r\n",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Top 5 URL blocked, by category",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "CategoryName",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "CategoryCount",
"formatter": 4,
"formatOptions": {
"palette": "coldHot",
"showIcon": true
}
}
],
"labelSettings": []
}
},
"customWidth": "25",
"name": "op 5 URL blocked by category"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where Activity =~ 'THREAT'\r\n| where DeviceEventClassID =~ 'url'\r\n| where DeviceAction in ('block-url', 'block-continue')\r\n| summarize URLCount=count() by RequestURL\r\n| top 5 by URLCount desc\r\n",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Top 5 blocked URLs",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"customWidth": "25",
"name": "Top 5 blocked URLs"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where Activity =~ 'THREAT'\r\n| where DeviceEventClassID =~ 'url'\r\n| summarize ProtocolCount=count() by ApplicationProtocol\r\n| top 5 by ProtocolCount desc",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Top 5 URLs, by application protocols",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "ApplicationProtocol",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "ProtocolCount",
"formatter": 4,
"formatOptions": {
"palette": "coldHot",
"showIcon": true
}
}
],
"labelSettings": []
}
},
"customWidth": "25",
"name": "Top 5 URLs by application protocols"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where Activity =~ 'THREAT'\r\n| where DeviceEventClassID =~ 'url'\r\n| where DeviceAction in ('alert', 'continue')\r\n| summarize URLCount=count() by RequestURL\r\n| top 5 by URLCount desc\r\n",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Top 5 allowed URLs",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "RequestURL",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "URLCount",
"formatter": 4,
"formatOptions": {
"palette": "coldHot",
"showIcon": true
}
}
],
"labelSettings": []
}
},
"customWidth": "25",
"name": "Top 5 allowed URLs"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where Activity =~ 'THREAT'\r\n| where DeviceEventClassID =~ 'url'\r\n| summarize ActionCount=count() by DeviceAction\r\n",
"size": 0,
"exportToExcelOptions": "visible",
"title": "URL threat event summary",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "DeviceAction",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "ActionCount",
"formatter": 4,
"formatOptions": {
"palette": "coldHot",
"showIcon": true
}
}
],
"labelSettings": []
}
},
"customWidth": "25",
"name": "URL threat event summary"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where Activity =~ 'THREAT'\r\n| where DeviceEventClassID =~ 'url'\r\n| where DeviceAction contains 'block'\r\n| extend PAReferer= extract(';PanOSReferer=(.*?);',1,AdditionalExtensions)\r\n| where PAReferer !=''\r\n| summarize RefererCount= count() by PAReferer\r\n| top 5 by RefererCount desc\r\n",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Top 5 referrers for blocked URLs",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"customWidth": "25",
"name": "Top 5 referrers for blocked URLs"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where Activity =~ 'THREAT'\r\n| where DeviceEventClassID =~ 'url'\r\n| where DeviceAction in ('alert', 'continue')\r\n| summarize CategoryCount=count() by DeviceCustomString2\r\n| project-rename CategoryName= DeviceCustomString2\r\n| top 5 by CategoryCount desc\r\n",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Top 5 allowed URLs, by category",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "CategoryName",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "CategoryCount",
"formatter": 4,
"formatOptions": {
"palette": "coldHot",
"showIcon": true
}
}
],
"labelSettings": []
}
},
"customWidth": "25",
"name": "Top 5 allowed URLs, by category"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where Activity =~ 'THREAT'\r\n| where DeviceEventClassID =~ 'url'\r\n| where DeviceAction !contains 'block'\r\n| summarize ProtocolCount=count() by ApplicationProtocol\r\n| top 5 by ProtocolCount desc",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Top 5 allowed URLs, by application protocol",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "ApplicationProtocol",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "ProtocolCount",
"formatter": 4,
"formatOptions": {
"palette": "coldHot",
"showIcon": true
}
}
],
"labelSettings": []
}
},
"customWidth": "33",
"name": "Top 5 allowed URLs by application protocol"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where Activity =~ 'THREAT'\r\n| where DeviceEventClassID =~ 'url'\r\n| summarize ActionCount=count() by DeviceAction, TimeGenerated\r\n",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Web filter ativity, by time",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "DeviceAction",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "TimeGenerated",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "ActionCount",
"formatter": 4,
"formatOptions": {
"palette": "coldHot",
"showIcon": true
}
}
],
"labelSettings": []
}
},
"customWidth": "33",
"name": "Web filter ativity by time"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where Activity =~ 'THREAT'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where DeviceEventClassID =~ 'url'\r\n| where DeviceAction in ('alert', 'continue')\r\n| summarize IPCount=count() by SourceIP\r\n| top 5 by IPCount desc\r\n",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Top 5 allowed web traffic source IP addresses",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "SourceIP",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "IPCount",
"formatter": 4,
"formatOptions": {
"palette": "coldHot",
"showIcon": true
}
}
],
"labelSettings": []
}
},
"customWidth": "33",
"name": "Top 5 allowed web traffic source IP addresses"
},
{
"type": 1,
"content": {
"json": "---\r\n## Wildfire"
},
"name": "text - 24"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where Activity =~ 'THREAT'\r\n| where DeviceEventClassID =~ 'wildfire'\r\n| summarize ActionCount=count() by DeviceAction, TimeGenerated\r\n",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Wildfire events, by time",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "timechart"
},
"customWidth": "50",
"name": "Wildfire events, by time"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let data = CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where Activity =~ 'THREAT'\r\n| where DeviceEventClassID =~'wildfire'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP});\r\ndata\r\n| summarize Count = count() by DeviceAction\r\n| join kind = inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by DeviceAction)\r\n on DeviceAction\r\n| project-away DeviceAction1, TimeGenerated\r\n| extend DeviceActions = DeviceAction\r\n| union (\r\n data \r\n | summarize Count = count() \r\n | extend jkey = 1\r\n | join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\r\n | extend jkey = 1) on jkey\r\n | extend DeviceAction = 'All', DeviceActions = '*' \r\n)\r\n| project DeviceAction, Count, Trend\r\n| order by Count desc\r\n| take 10",
"size": 4,
"exportFieldName": "DeviceAction",
"exportParameterName": "DeviceAction",
"exportDefaultValue": "All",
"exportToExcelOptions": "visible",
"title": "Top 5 Wildfire activities",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"gridSettings": {
"formatters": [
{
"columnMatch": "DeviceAction",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Count",
"formatter": 3,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Trend",
"formatter": 9,
"formatOptions": {
"palette": "grayBlue",
"showIcon": true
}
},
{
"columnMatch": "DeviceActions",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "jkey",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "TimeGenerated",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "jkey1",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
}
],
"sortBy": [
{
"itemKey": "DeviceAction",
"sortOrder": 1
}
],
"labelSettings": []
},
"tileSettings": {
"titleContent": {
"columnMatch": "DeviceAction",
"formatter": 1,
"formatOptions": {
"showIcon": true
}
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"palette": "auto",
"showIcon": true
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
},
"secondaryContent": {
"columnMatch": "Trend",
"formatter": 9,
"formatOptions": {
"showIcon": true
}
},
"showBorder": false
}
},
"customWidth": "25",
"name": "Top 5 Wildfire activities"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let data = CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where Activity =~ 'THREAT'\r\n| where DeviceEventClassID =~'wildfire'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP});\r\ndata\r\n| summarize Count = count() by DeviceCustomString2\r\n| join kind = inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by DeviceCustomString2)\r\n on DeviceCustomString2\r\n| project-away DeviceCustomString21, TimeGenerated\r\n| extend DeviceCustomString2s = DeviceCustomString2\r\n| union (\r\n data \r\n | summarize Count = count() \r\n | extend jkey = 1\r\n | join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\r\n | extend jkey = 1) on jkey\r\n | extend DeviceCustomString2 = 'All', DeviceCustomString2s = '*' \r\n)\r\n| project DeviceCustomString2, Count, Trend\r\n| order by Count desc\r\n| take 10",
"size": 4,
"exportFieldName": "DeviceCustomString2",
"exportParameterName": "DeviceString",
"exportDefaultValue": "All",
"exportToExcelOptions": "visible",
"title": "Top 5 Wildfire verdicts",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"gridSettings": {
"formatters": [
{
"columnMatch": "DeviceAction",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Count",
"formatter": 3,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Trend",
"formatter": 9,
"formatOptions": {
"palette": "grayBlue",
"showIcon": true
}
},
{
"columnMatch": "DeviceActions",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "jkey",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "TimeGenerated",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "jkey1",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
}
],
"sortBy": [
{
"itemKey": "DeviceAction",
"sortOrder": 1
}
],
"labelSettings": []
},
"tileSettings": {
"titleContent": {
"columnMatch": "DeviceCustomString2",
"formatter": 1,
"formatOptions": {
"showIcon": true
}
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"palette": "auto",
"showIcon": true
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
},
"secondaryContent": {
"columnMatch": "Trend",
"formatter": 9,
"formatOptions": {
"showIcon": true
}
},
"showBorder": false
}
},
"customWidth": "25",
"name": "Top 5 Wildfire verdicts"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where Activity =~ 'THREAT'\r\n| where DeviceEventClassID =~ 'wildfire'\r\n| where '{DeviceAction}' == \"All\" or DeviceAction=='{DeviceAction}'\r\n| where '{DeviceString}' == \"All\" or DeviceCustomString2=='{DeviceString}'\r\n| project TimeGenerated, ReceiptTime, LogSeverity, DeviceAction, ['URL Category'] =DeviceCustomString2, DestinationPort, DestinationIP, Message, SourcePort, SourceIP, DestinationUserID, RequestURL",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Wildfire events",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"filter": true,
"labelSettings": []
}
},
"name": "Wildfire events"
},
{
"type": 1,
"content": {
"json": "---\r\n## General statistics"
},
"name": "text - 30"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where Activity =~ 'THREAT'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where DeviceEventClassID =~ 'file'\r\n| where DeviceAction contains 'deny'\r\n| summarize ProtocolCount=count() by ApplicationProtocol\r\n| top 5 by ProtocolCount desc\r\n",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Top 5 denied files, by application protocol",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "ApplicationProtocol",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "ProtocolCount",
"formatter": 4,
"formatOptions": {
"palette": "coldHot",
"showIcon": true
}
}
],
"labelSettings": []
}
},
"customWidth": "33",
"name": "Top 5 denied files by application protocol"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where Activity =~ 'THREAT'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where DeviceEventClassID =~ 'file'\r\n| where DeviceAction !contains 'deny'\r\n| summarize ProtocolCount=count() by ApplicationProtocol\r\n| top 5 by ProtocolCount desc\r\n",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Top 5 allowed files, by application protocol",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "ApplicationProtocol",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "ProtocolCount",
"formatter": 4,
"formatOptions": {
"palette": "coldHot",
"showIcon": true
}
}
],
"labelSettings": []
}
},
"customWidth": "33",
"name": "Top 5 allowed files by application protocol"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
Updating to include new CEF Changes
2022-05-31 14:36:53 +03:00
"query": "//Palo Alto File Category By Action Summary\r\nCommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS' \r\n| where DeviceVendor =~ 'Palo Alto Networks' \r\n| where Activity =~ 'THREAT'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where DeviceEventClassID =~ 'file' \r\n| extend PACategory= coalesce(\r\n column_ifexists(\"DeviceEventCategory\", \"\"),\r\n extract(';cat=(.*?)($|;)',1,AdditionalExtensions),\r\n \"\"\r\n )\r\n| summarize CategoryCount=count() by PACategory\r\n| sort by CategoryCount",
Palo Alto Overview Workbook fix (#1256) * replace string operator for query * delete and re-create json * move to workbook folder * fix indent
2020-11-17 00:06:32 +03:00
"size": 0,
"exportToExcelOptions": "visible",
"title": "Summary of Palo Alto file categories, by activity",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "PACategory",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "CategoryCount",
"formatter": 4,
"formatOptions": {
"palette": "coldHot",
"showIcon": true
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal"
}
}
}
],
"labelSettings": []
}
},
"customWidth": "33",
"name": "Summary of Palo Alto file categories by activity"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let data = CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where Activity =~ 'THREAT'\r\n| where DeviceEventClassID =~'file'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP});\r\ndata\r\n| summarize Count = count() by DeviceAction\r\n| join kind = inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by DeviceAction)\r\n on DeviceAction\r\n| project-away DeviceAction1, TimeGenerated\r\n| extend DeviceActions = DeviceAction\r\n| union (\r\n data \r\n | summarize Count = count() \r\n | extend jkey = 1\r\n | join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\r\n | extend jkey = 1) on jkey\r\n | extend DeviceAction = 'All', DeviceActions = '*' \r\n)\r\n| project DeviceAction, Count, Trend\r\n| order by Count desc\r\n| take 10\r\n",
"size": 4,
"exportFieldName": "DeviceAction",
"exportParameterName": "SelectedDA",
"exportDefaultValue": "All",
"exportToExcelOptions": "visible",
"title": "Summary of file type activities",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"tileSettings": {
"titleContent": {
"columnMatch": "DeviceAction",
"formatter": 1,
"formatOptions": {
"showIcon": true
}
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"palette": "auto",
"showIcon": true
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
},
"secondaryContent": {
"columnMatch": "Trend",
"formatter": 9,
"formatOptions": {
"showIcon": true
}
},
"showBorder": false
}
},
"customWidth": "25",
"name": "Summary of file type activities"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where Activity =~ 'THREAT'\r\n| where DeviceEventClassID =~ 'file'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where '{SelectedDA}' == \"All\" or DeviceAction == '{SelectedDA}'\r\n| summarize ActionCount=count() by DeviceAction, bin(TimeGenerated, {TimeRange:grain})\r\n",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Compare allowed and denied files, by time",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "timechart"
},
"name": "Compare allowed and denied files by time"
}
],
"styleSettings": {},
"fromTemplateId": "sentinel-PaloAltoOverview",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
added check point and cisco and images
2019-09-10 16:27:35 +03:00
}