{
"version" : "Notebook/1.0" ,
"items" : [
{
"type" : 9 ,
"content" : {
"version" : "KqlParameterItem/1.0" ,
"parameters" : [
{
"id" : "23197862-8ab5-4aa4-8e78-bb26fbf1a6bc" ,
"version" : "KqlParameterItem/1.0" ,
"name" : "TimeRange" ,
"label" : "Time Range" ,
"type" : 4 ,
"isRequired" : true ,
"value" : {
"durationMs" : 2419200000
} ,
"typeSettings" : {
"selectableValues" : [
{
"durationMs" : 300000
} ,
{
"durationMs" : 900000
} ,
{
"durationMs" : 1800000
} ,
{
"durationMs" : 3600000
} ,
{
"durationMs" : 14400000
} ,
{
"durationMs" : 43200000
} ,
{
"durationMs" : 86400000
} ,
{
"durationMs" : 172800000
} ,
{
"durationMs" : 259200000
} ,
{
"durationMs" : 604800000
} ,
{
"durationMs" : 1209600000
} ,
{
"durationMs" : 2419200000
} ,
{
"durationMs" : 2592000000
} ,
{
"durationMs" : 5184000000
} ,
{
"durationMs" : 7776000000
}
] ,
"allowCustom" : true
}
} ,
{
"id" : "9df846cc-3ff1-4608-ac3a-7dddc6c709a7" ,
"version" : "KqlParameterItem/1.0" ,
"name" : "Domain" ,
"type" : 2 ,
"multiSelect" : true ,
"quote" : "'" ,
"delimiter" : "," ,
"query" : "Okta_CL\n| summarize by domain_s" ,
"value" : [
"value::all"
] ,
"typeSettings" : {
"additionalResourceOptions" : [
"value::1"
] ,
"showDefault" : false
} ,
"defaultValue" : "value::1" ,
"queryType" : 0 ,
"resourceType" : "microsoft.operationalinsights/workspaces"
}
] ,
"style" : "above" ,
"queryType" : 0 ,
"resourceType" : "microsoft.operationalinsights/workspaces"
} ,
"name" : "parameters - 2"
} ,
{
"type" : 11 ,
"content" : {
"version" : "LinkItem/1.0" ,
"style" : "tabs" ,
"links" : [
{
"cellValue" : "selectedTab" ,
"linkTarget" : "parameter" ,
"linkLabel" : "Administrative" ,
"subTarget" : "General" ,
"preText" : "Session/User Analysis" ,
"style" : "link"
} ,
{
"cellValue" : "selectedTab" ,
"linkTarget" : "parameter" ,
"linkLabel" : "Application" ,
"subTarget" : "Application" ,
"style" : "link"
} ,
{
"cellValue" : "selectedTab" ,
"linkTarget" : "parameter" ,
"linkLabel" : "Session/User Analysis" ,
"subTarget" : "Analysis" ,
"preText" : "Session/User Analysis" ,
"style" : "link"
}
]
} ,
"name" : "links - 13"
} ,
{
"type" : 9 ,
"content" : {
"version" : "KqlParameterItem/1.0" ,
"parameters" : [
{
"id" : "fc39a4b9-f38a-4a3e-bf83-845441828fb8" ,
"version" : "KqlParameterItem/1.0" ,
"name" : "ApplicationList" ,
"label" : "Application" ,
"type" : 2 ,
"isRequired" : true ,
"multiSelect" : true ,
"quote" : "'" ,
"delimiter" : "," ,
"query" : "Okta_CL\r\n| where domain_s in ({Domain}) or '*' in ({Domain})\r\n| mv-expand todynamic(target_s)\r\n| where target_s.type == \"AppInstance\"\r\n| distinct tostring(target_s.alternateId)\r\n| sort by target_s_alternateId asc" ,
"value" : [
"value::all"
] ,
"typeSettings" : {
"additionalResourceOptions" : [
"value::all"
]
} ,
"timeContext" : {
"durationMs" : 0
} ,
"timeContextFromParameter" : "TimeRange" ,
"queryType" : 0 ,
"resourceType" : "microsoft.operationalinsights/workspaces"
}
] ,
"style" : "above" ,
"queryType" : 0 ,
"resourceType" : "microsoft.operationalinsights/workspaces"
} ,
"conditionalVisibility" : {
"parameterName" : "selectedTab" ,
"comparison" : "isEqualTo" ,
"value" : "Application"
} ,
"name" : "parameters - 15"
} ,
{
"type" : 3 ,
"content" : {
"version" : "KqlItem/1.0" ,
"query" : "Okta_CL\r\n| where eventType_s == \"user.session.start\"\r\n| where domain_s in ({Domain}) or '*' in ({Domain})\r\n| summarize Count = count() by Results = outcome_result_s, bin(TimeGenerated, {TimeRange:grain})" ,
"size" : 0 ,
"title" : "Console Login by Result" ,
"timeContext" : {
"durationMs" : 0
} ,
"timeContextFromParameter" : "TimeRange" ,
"queryType" : 0 ,
"resourceType" : "microsoft.operationalinsights/workspaces" ,
"visualization" : "barchart" ,
"tileSettings" : {
"showBorder" : false ,
"titleContent" : {
"columnMatch" : "Results" ,
"formatter" : 1
} ,
"leftContent" : {
"columnMatch" : "Count" ,
"formatter" : 12 ,
"formatOptions" : {
"palette" : "auto"
} ,
"numberFormat" : {
"unit" : 17 ,
"options" : {
"maximumSignificantDigits" : 3 ,
"maximumFractionDigits" : 2
}
}
}
} ,
"chartSettings" : {
"seriesLabelSettings" : [
{
"seriesName" : "FAILURE" ,
"color" : "red"
} ,
{
"seriesName" : "SUCCESS" ,
"color" : "green"
}
]
}
} ,
"conditionalVisibility" : {
"parameterName" : "selectedTab" ,
"comparison" : "isEqualTo" ,
"value" : "General"
} ,
"customWidth" : "50" ,
"name" : "query - 5"
} ,
{
"type" : 3 ,
"content" : {
"version" : "KqlItem/1.0" ,
"query" : "Okta_CL\r\n| where eventType_s == \"user.session.start\"\r\n| where domain_s in ({Domain}) or '*' in ({Domain})\r\n| where outcome_result_s == \"FAILURE\"\r\n| summarize Total = count() by User = actor_alternateId_s\r\n| top 10 by Total" ,
"size" : 0 ,
"title" : "Top 10 Failed Console Logins by User" ,
"timeContext" : {
"durationMs" : 0
} ,
"timeContextFromParameter" : "TimeRange" ,
"queryType" : 0 ,
"resourceType" : "microsoft.operationalinsights/workspaces" ,
"visualization" : "table" ,
"gridSettings" : {
"formatters" : [
{
"columnMatch" : "Total" ,
"formatter" : 3 ,
"formatOptions" : {
"palette" : "coldHot"
}
}
]
} ,
"tileSettings" : {
"showBorder" : false ,
"titleContent" : {
"columnMatch" : "Results" ,
"formatter" : 1
} ,
"leftContent" : {
"columnMatch" : "Count" ,
"formatter" : 12 ,
"formatOptions" : {
"palette" : "auto"
} ,
"numberFormat" : {
"unit" : 17 ,
"options" : {
"maximumSignificantDigits" : 3 ,
"maximumFractionDigits" : 2
}
}
}
} ,
"chartSettings" : {
"seriesLabelSettings" : [
{
"seriesName" : "FAILURE" ,
"color" : "red"
} ,
{
"seriesName" : "SUCCESS" ,
"color" : "green"
}
]
}
} ,
"conditionalVisibility" : {
"parameterName" : "selectedTab" ,
"comparison" : "isEqualTo" ,
"value" : "General"
} ,
"customWidth" : "50" ,
"name" : "query - 5 - Copy"
} ,
{
"type" : 3 ,
"content" : {
"version" : "KqlItem/1.0" ,
"query" : "Okta_CL\r\n| where eventType_s == \"user.authentication.auth_via_mfa\"\r\n| where domain_s in ({Domain}) or '*' in ({Domain})\r\n| where outcome_result_s == \"FAILURE\"\r\n| summarize count() by actor_alternateId_s\r\n| top 10 by count_" ,
"size" : 0 ,
"title" : "Top 10 Failed MFA Authentications by User" ,
"timeContext" : {
"durationMs" : 0
} ,
"timeContextFromParameter" : "TimeRange" ,
"queryType" : 0 ,
"resourceType" : "microsoft.operationalinsights/workspaces" ,
"visualization" : "table" ,
"gridSettings" : {
"formatters" : [
{
"columnMatch" : "count_" ,
"formatter" : 3 ,
"formatOptions" : {
"palette" : "coldHot"
}
} ,
{
"columnMatch" : "Total" ,
"formatter" : 3 ,
"formatOptions" : {
"palette" : "coldHot"
}
}
] ,
"labelSettings" : [
{
"columnId" : "actor_alternateId_s" ,
"label" : "User"
} ,
{
"columnId" : "count_" ,
"label" : "Total"
}
]
} ,
"tileSettings" : {
"showBorder" : false ,
"titleContent" : {
"columnMatch" : "Results" ,
"formatter" : 1
} ,
"leftContent" : {
"columnMatch" : "Count" ,
"formatter" : 12 ,
"formatOptions" : {
"palette" : "auto"
} ,
"numberFormat" : {
"unit" : 17 ,
"options" : {
"maximumSignificantDigits" : 3 ,
"maximumFractionDigits" : 2
}
}
}
} ,
"chartSettings" : {
"seriesLabelSettings" : [
{
"seriesName" : "FAILURE" ,
"color" : "red"
} ,
{
"seriesName" : "SUCCESS" ,
"color" : "green"
}
]
}
} ,
"conditionalVisibility" : {
"parameterName" : "selectedTab" ,
"comparison" : "isEqualTo" ,
"value" : "General"
} ,
"customWidth" : "50" ,
"name" : "query - 5 - Copy - Copy"
} ,
{
"type" : 3 ,
"content" : {
"version" : "KqlItem/1.0" ,
"query" : "Okta_CL\r\n| where eventType_s == \"user.authentication.auth_via_mfa\"\r\n| where domain_s in ({Domain}) or '*' in ({Domain})\r\n| summarize Count=count() by Results = outcome_result_s, bin(TimeGenerated, {TimeRange:grain})" ,
"size" : 0 ,
"title" : "MFA Authentications by Result" ,
"timeContext" : {
"durationMs" : 0
} ,
"timeContextFromParameter" : "TimeRange" ,
"queryType" : 0 ,
"resourceType" : "microsoft.operationalinsights/workspaces" ,
"visualization" : "barchart" ,
"tileSettings" : {
"showBorder" : false ,
"titleContent" : {
"columnMatch" : "Results" ,
"formatter" : 1
} ,
"leftContent" : {
"columnMatch" : "Count" ,
"formatter" : 12 ,
"formatOptions" : {
"palette" : "auto"
} ,
"numberFormat" : {
"unit" : 17 ,
"options" : {
"maximumSignificantDigits" : 3 ,
"maximumFractionDigits" : 2
}
}
}
} ,
"chartSettings" : {
"seriesLabelSettings" : [
{
"seriesName" : "SUCCESS" ,
"color" : "green"
} ,
{
"seriesName" : "FAILURE" ,
"color" : "red"
}
]
}
} ,
"conditionalVisibility" : {
"parameterName" : "selectedTab" ,
"comparison" : "isEqualTo" ,
"value" : "General"
} ,
"customWidth" : "50" ,
"name" : "query - 5 - Copy"
} ,
{
"type" : 3 ,
"content" : {
"version" : "KqlItem/1.0" ,
"query" : "Okta_CL\r\n| mv-expand todynamic(target_s)\r\n| where target_s.type == \"AppInstance\"\r\n| where domain_s in ({Domain}) or '*' in ({Domain})\r\n| summarize count() by tostring(target_s.displayName)\r\n| top 10 by count_" ,
"size" : 0 ,
"title" : "Active Applications" ,
"timeContext" : {
"durationMs" : 0
} ,
"timeContextFromParameter" : "TimeRange" ,
"queryType" : 0 ,
"resourceType" : "microsoft.operationalinsights/workspaces" ,
"visualization" : "piechart" ,
"tileSettings" : {
"showBorder" : false ,
"titleContent" : {
"columnMatch" : "Users" ,
"formatter" : 1
} ,
"leftContent" : {
"columnMatch" : "Count" ,
"formatter" : 12 ,
"formatOptions" : {
"palette" : "auto"
} ,
"numberFormat" : {
"unit" : 17 ,
"options" : {
"maximumSignificantDigits" : 3 ,
"maximumFractionDigits" : 2
}
}
}
}
} ,
"conditionalVisibility" : {
"parameterName" : "selectedTab" ,
"comparison" : "isEqualTo" ,
"value" : "General"
} ,
"customWidth" : "50" ,
"name" : "query - 3"
} ,
{
"type" : 3 ,
"content" : {
"version" : "KqlItem/1.0" ,
"query" : "Okta_CL\r\n| mv-expand todynamic(target_s)\r\n| where target_s.type == \"AppInstance\"\r\n| where domain_s in ({Domain}) or '*' in ({Domain})\r\n| summarize count() by tostring(target_s.displayName), bin(TimeGenerated, {TimeRange:grain})" ,
"size" : 0 ,
"title" : "Active Applications" ,
"timeContext" : {
"durationMs" : 0
} ,
"timeContextFromParameter" : "TimeRange" ,
"queryType" : 0 ,
"resourceType" : "microsoft.operationalinsights/workspaces" ,
"visualization" : "areachart" ,
"tileSettings" : {
"showBorder" : false ,
"titleContent" : {
"columnMatch" : "Users" ,
"formatter" : 1
} ,
"leftContent" : {
"columnMatch" : "Count" ,
"formatter" : 12 ,
"formatOptions" : {
"palette" : "auto"
} ,
"numberFormat" : {
"unit" : 17 ,
"options" : {
"maximumSignificantDigits" : 3 ,
"maximumFractionDigits" : 2
}
}
}
}
} ,
"conditionalVisibility" : {
"parameterName" : "selectedTab" ,
"comparison" : "isEqualTo" ,
"value" : "General"
} ,
"customWidth" : "50" ,
"name" : "Events by Application"
} ,
{
"type" : 3 ,
"content" : {
"version" : "KqlItem/1.0" ,
"query" : "Okta_CL\r\n| where eventType_s == \"application.user_membership.add\"\r\n| where domain_s in ({Domain}) or '*' in ({Domain})\r\n| extend TargetUser = tostring(parse_json(target_s)[0].alternateId)\r\n| extend Application = tostring(parse_json(target_s)[1].alternateId)\r\n| summarize count() by ['Event Time'] = published_t, ['Source User'] = actor_alternateId_s, Application, ['Target User'] = TargetUser\r\n| project-away count_\r\n| sort by ['Event Time'] desc" ,
"size" : 0 ,
"title" : "Users Added to Application" ,
"timeContext" : {
"durationMs" : 0
} ,
"timeContextFromParameter" : "TimeRange" ,
"queryType" : 0 ,
"resourceType" : "microsoft.operationalinsights/workspaces"
} ,
"conditionalVisibility" : {
"parameterName" : "selectedTab" ,
"comparison" : "isEqualTo" ,
"value" : "General"
} ,
"customWidth" : "50" ,
"name" : "query - 18"
} ,
{
"type" : 3 ,
"content" : {
"version" : "KqlItem/1.0" ,
"query" : "Okta_CL\r\n| where eventType_s == \"application.user_membership.remove\"\r\n| where domain_s in ({Domain}) or '*' in ({Domain})\r\n| extend TargetUser = tostring(parse_json(target_s)[0].alternateId)\r\n| extend Application = tostring(parse_json(target_s)[1].alternateId)\r\n| summarize count() by published_t, SourceUser = actor_alternateId_s, Application, TargetUser\r\n| project-away count_\r\n| sort by published_t desc\r\n" ,
"size" : 0 ,
"title" : "Users Removed from Application" ,
"timeContext" : {
"durationMs" : 0
} ,
"timeContextFromParameter" : "TimeRange" ,
"queryType" : 0 ,
"resourceType" : "microsoft.operationalinsights/workspaces"
} ,
"conditionalVisibility" : {
"parameterName" : "selectedTab" ,
"comparison" : "isEqualTo" ,
"value" : "General"
} ,
"customWidth" : "50" ,
"name" : "query - 18 - Copy"
} ,
{
"type" : 3 ,
"content" : {
"version" : "KqlItem/1.0" ,
"query" : "Okta_CL\r\n| mv-expand todynamic(target_s)\r\n| where domain_s in ({Domain}) or '*' in ({Domain})\r\n| where target_s.type == \"AppInstance\"\r\n| where target_s.alternateId in ({ApplicationList}) or '*' in ({ApplicationList})\r\n| summarize count() by tostring(target_s.alternateId), bin(TimeGenerated,{TimeRange:grain})" ,
"size" : 0 ,
"title" : "Total Events by Application" ,
"timeContext" : {
"durationMs" : 0
} ,
"timeContextFromParameter" : "TimeRange" ,
"queryType" : 0 ,
"resourceType" : "microsoft.operationalinsights/workspaces" ,
"visualization" : "barchart"
} ,
"conditionalVisibility" : {
"parameterName" : "selectedTab" ,
"comparison" : "isEqualTo" ,
"value" : "Application"
} ,
"customWidth" : "50" ,
"name" : "query - 12"
} ,
{
"type" : 3 ,
"content" : {
"version" : "KqlItem/1.0" ,
"query" : "Okta_CL\r\n| mv-expand todynamic(target_s)\r\n| where domain_s in ({Domain}) or '*' in ({Domain})\r\n| where target_s.type == \"AppInstance\"\r\n| where target_s.alternateId in ({ApplicationList}) or '*' in ({ApplicationList})\r\n| where eventType_s has \"authentication\"\r\n| where outcome_result_s == \"FAILURE\"\r\n| summarize count() by tostring(target_s.alternateId), bin(TimeGenerated,{TimeRange:grain})" ,
"size" : 0 ,
"title" : "Failed Logins by Application" ,
"timeContext" : {
"durationMs" : 0
} ,
"timeContextFromParameter" : "TimeRange" ,
"queryType" : 0 ,
"resourceType" : "microsoft.operationalinsights/workspaces" ,
"visualization" : "barchart"
} ,
"conditionalVisibility" : {
"parameterName" : "selectedTab" ,
"comparison" : "isEqualTo" ,
"value" : "Application"
} ,
"customWidth" : "50" ,
"name" : "query - 12 - Copy"
} ,
{
"type" : 3 ,
"content" : {
"version" : "KqlItem/1.0" ,
"query" : "Okta_CL\r\n| mv-expand todynamic(target_s)\r\n| where domain_s in ({Domain}) or '*' in ({Domain})\r\n| where target_s.type == \"AppInstance\"\r\n| where target_s.alternateId in ({ApplicationList}) or '*' in ({ApplicationList})\r\n| summarize Total = count() by Application = tostring(target_s.alternateId)\r\n| top 10 by Total" ,
"size" : 0 ,
"title" : "Top 10 Event Count by Application" ,
"timeContext" : {
"durationMs" : 0
} ,
"timeContextFromParameter" : "TimeRange" ,
"queryType" : 0 ,
"resourceType" : "microsoft.operationalinsights/workspaces"
} ,
"conditionalVisibility" : {
"parameterName" : "selectedTab" ,
"comparison" : "isEqualTo" ,
"value" : "Application"
} ,
"customWidth" : "50" ,
"name" : "query - 12 - Copy"
} ,
{
"type" : 3 ,
"content" : {
"version" : "KqlItem/1.0" ,
"query" : "Okta_CL\r\n| mv-expand todynamic(target_s)\r\n| where domain_s in ({Domain}) or '*' in ({Domain})\r\n| where target_s.type == \"AppInstance\"\r\n| where eventType_s has \"authentication\"\r\n| where target_s.alternateId in ({ApplicationList}) or '*' in ({ApplicationList})\r\n| summarize SUCCESS = countif(outcome_result_s == \"SUCCESS\"), FAILURE = countif(outcome_result_s == \"FAILURE\"), Total = count() by User = actor_alternateId_s\r\n| top 10 by Total\r\n" ,
"size" : 0 ,
"title" : "Top 10 User Authentications" ,
"timeContext" : {
"durationMs" : 0
} ,
"timeContextFromParameter" : "TimeRange" ,
"queryType" : 0 ,
"resourceType" : "microsoft.operationalinsights/workspaces" ,
"gridSettings" : {
"formatters" : [
{
"columnMatch" : "SUCCESS" ,
"formatter" : 8 ,
"formatOptions" : {
"palette" : "red"
}
} ,
{
"columnMatch" : "FAILURE" ,
"formatter" : 8 ,
"formatOptions" : {
"palette" : "green"
}
} ,
{
"columnMatch" : "Total" ,
"formatter" : 3 ,
"formatOptions" : {
"palette" : "coldHot"
}
}
]
}
} ,
"conditionalVisibility" : {
"parameterName" : "selectedTab" ,
"comparison" : "isEqualTo" ,
"value" : "Application"
} ,
"customWidth" : "50" ,
"name" : "query - 12 - Copy - Copy"
} ,
{
"type" : 9 ,
"content" : {
"version" : "KqlParameterItem/1.0" ,
"parameters" : [
{
"id" : "427470db-f8f8-461c-adc7-47fe5202b5d1" ,
"version" : "KqlParameterItem/1.0" ,
"name" : "SessionID" ,
"label" : "Session ID" ,
"type" : 2 ,
"isRequired" : true ,
"multiSelect" : true ,
"quote" : "'" ,
"delimiter" : "," ,
"query" : "Okta_CL\r\n| where actor_alternateId_s !in (\"system@okta.com\")\r\n| where domain_s in ({Domain}) or '*' in ({Domain})\r\n| distinct authenticationContext_externalSessionId_s\r\n| sort by authenticationContext_externalSessionId_s asc" ,
"value" : [
"value::all"
] ,
"typeSettings" : {
"additionalResourceOptions" : [
"value::all"
]
} ,
"timeContext" : {
"durationMs" : 0
} ,
"timeContextFromParameter" : "TimeRange" ,
"queryType" : 0 ,
"resourceType" : "microsoft.operationalinsights/workspaces"
} ,
{
"id" : "939a52ae-0662-4483-a52b-35287b151074" ,
"version" : "KqlParameterItem/1.0" ,
"name" : "User" ,
"type" : 2 ,
"isRequired" : true ,
"multiSelect" : true ,
"quote" : "'" ,
"delimiter" : "," ,
"query" : "Okta_CL\r\n| where actor_alternateId_s !in (\"system@okta.com\")\r\n| where domain_s in ({Domain}) or '*' in ({Domain})\r\n| distinct actor_alternateId_s\r\n| sort by actor_alternateId_s asc" ,
"value" : [
"value::all"
] ,
"typeSettings" : {
"additionalResourceOptions" : [
"value::all"
]
} ,
"timeContext" : {
"durationMs" : 0
} ,
"timeContextFromParameter" : "TimeRange" ,
"queryType" : 0 ,
"resourceType" : "microsoft.operationalinsights/workspaces"
} ,
{
"id" : "059ad6dc-5f2f-490d-941a-d9f87cf71723" ,
"version" : "KqlParameterItem/1.0" ,
"name" : "EventTypes" ,
"label" : "Event Type" ,
"type" : 2 ,
"isRequired" : true ,
"multiSelect" : true ,
"quote" : "'" ,
"delimiter" : "," ,
"query" : "Okta_CL\r\n| where domain_s in ({Domain}) or '*' in ({Domain})\r\n| distinct eventType_s\r\n| sort by eventType_s asc" ,
"value" : [
"user.session.start"
] ,
"typeSettings" : {
"additionalResourceOptions" : [
"value::all"
]
} ,
"timeContext" : {
"durationMs" : 0
} ,
"timeContextFromParameter" : "TimeRange" ,
"queryType" : 0 ,
"resourceType" : "microsoft.operationalinsights/workspaces"
}
] ,
"style" : "above" ,
"queryType" : 0 ,
"resourceType" : "microsoft.operationalinsights/workspaces"
} ,
"conditionalVisibility" : {
"parameterName" : "selectedTab" ,
"comparison" : "isEqualTo" ,
"value" : "Analysis"
} ,
"name" : "parameters - 7"
} ,
{
"type" : 3 ,
"content" : {
"version" : "KqlItem/1.0" ,
"query" : "Okta_CL\r\n| where domain_s in ({Domain}) or '*' in ({Domain})\r\n| where authenticationContext_externalSessionId_s in ({SessionID})\r\n| where actor_alternateId_s in ({User}) or '*' in ({User})\r\n| where eventType_s in ({EventTypes}) or '*' in ({EventTypes})\r\n| summarize count(eventType_s) by actor_alternateId_s, bin(published_t, {TimeRange:grain})" ,
"size" : 0 ,
"showAnnotations" : true ,
"title" : "User Events Timeline" ,
"timeContext" : {
"durationMs" : 0
} ,
"timeContextFromParameter" : "TimeRange" ,
"queryType" : 0 ,
"resourceType" : "microsoft.operationalinsights/workspaces" ,
"visualization" : "barchart" ,
"gridSettings" : {
"sortBy" : [
{
"itemKey" : "actor_alternateId_s" ,
"sortOrder" : 2
}
]
} ,
"sortBy" : [
{
"itemKey" : "actor_alternateId_s" ,
"sortOrder" : 2
}
]
} ,
"conditionalVisibility" : {
"parameterName" : "selectedTab" ,
"comparison" : "isEqualTo" ,
"value" : "Analysis"
} ,
"customWidth" : "50" ,
"name" : "query - 8 - Copy"
} ,
{
"type" : 3 ,
"content" : {
"version" : "KqlItem/1.0" ,
"query" : "Okta_CL\r\n| where domain_s in ({Domain}) or '*' in ({Domain})\r\n| where authenticationContext_externalSessionId_s in ({SessionID})\r\n| where actor_alternateId_s in ({User}) or '*' in ({User})\r\n| where eventType_s in ({EventTypes}) or '*' in ({EventTypes})\r\n| summarize count() by authenticationContext_externalSessionId_s, published_t, eventType_s, actor_alternateId_s\r\n| sort by authenticationContext_externalSessionId_s asc, published_t asc" ,
"size" : 0 ,
"title" : "User Event Details" ,
"timeContext" : {
"durationMs" : 0
} ,
"timeContextFromParameter" : "TimeRange" ,
"queryType" : 0 ,
"resourceType" : "microsoft.operationalinsights/workspaces" ,
"gridSettings" : {
"sortBy" : [
{
"itemKey" : "actor_alternateId_s" ,
"sortOrder" : 2
}
] ,
"labelSettings" : [
{
"columnId" : "authenticationContext_externalSessionId_s" ,
"label" : "Session ID"
} ,
{
"columnId" : "published_t" ,
"label" : "Event Time"
} ,
{
"columnId" : "eventType_s" ,
"label" : "Event Type"
} ,
{
"columnId" : "actor_alternateId_s" ,
"label" : "User"
} ,
{
"columnId" : "count_" ,
"label" : "Total"
}
]
} ,
"sortBy" : [
{
"itemKey" : "actor_alternateId_s" ,
"sortOrder" : 2
}
]
} ,
"conditionalVisibility" : {
"parameterName" : "selectedTab" ,
"comparison" : "isEqualTo" ,
"value" : "Analysis"
} ,
"customWidth" : "50" ,
"name" : "query - 8"
} ,
{
"type" : 3 ,
"content" : {
"version" : "KqlItem/1.0" ,
"query" : "Okta_CL\r\n| where domain_s in ({Domain}) or '*' in ({Domain})\r\n| mv-expand todynamic(target_s)\r\n| where target_s.type == \"AppInstance\"\r\n| where eventType_s has \"authentication\"\r\n| where authenticationContext_externalSessionId_s in ({SessionID})\r\n| where actor_alternateId_s in ({User}) or '*' in ({User})\r\n| where eventType_s in ({EventTypes}) or '*' in ({EventTypes})\r\n| summarize SUCCESS = countif(outcome_result_s == \"SUCCESS\"), FAILURE = countif(outcome_result_s == \"FAILURE\"), Total = count() by actor_alternateId_s, tostring(target_s.alternateId)\r\n| sort by actor_alternateId_s asc, target_s_alternateId asc\r\n\r\n" ,
"size" : 0 ,
"title" : "Application Authentications" ,
"timeContext" : {
"durationMs" : 0
} ,
"timeContextFromParameter" : "TimeRange" ,
"queryType" : 0 ,
"resourceType" : "microsoft.operationalinsights/workspaces" ,
"gridSettings" : {
"formatters" : [
{
"columnMatch" : "SUCCESS" ,
"formatter" : 8 ,
"formatOptions" : {
"palette" : "green"
}
} ,
{
"columnMatch" : "FAILURE" ,
"formatter" : 8 ,
"formatOptions" : {
"palette" : "red"
}
} ,
{
"columnMatch" : "Total" ,
"formatter" : 3 ,
"formatOptions" : {
"palette" : "blue"
}
}
] ,
"labelSettings" : [
{
"columnId" : "actor_alternateId_s" ,
"label" : "User"
} ,
{
"columnId" : "target_s_alternateId" ,
"label" : "Application"
} ,
{
"columnId" : "SUCCESS"
} ,
{
"columnId" : "FAILURE"
} ,
{
"columnId" : "Total"
}
]
} ,
"sortBy" : [ ]
} ,
"conditionalVisibility" : {
"parameterName" : "selectedTab" ,
"comparison" : "isEqualTo" ,
"value" : "Analysis"
} ,
"customWidth" : "50" ,
"name" : "query - 8 - Copy"
} ,
{
"type" : 3 ,
"content" : {
"version" : "KqlItem/1.0" ,
"query" : "Okta_CL\r\n| where domain_s in ({Domain}) or '*' in ({Domain})\r\n//| where authenticationContext_externalSessionId_s in ({SessionID})\r\n//| where actor_alternateId_s in ({User}) or '*' in ({User})\r\n//| where eventType_s in ({EventTypes}) or '*' in ({EventTypes})\r\n| summarize count(eventType_s) by \tCity = client_geographicalContext_city_s, actor_alternateId_s, Country = client_geographicalContext_country_s, latitude = client_geographicalContext_geolocation_lat_d, longitude = client_geographicalContext_geolocation_lon_d, Results = outcome_result_s" ,
"size" : 0 ,
"title" : "User Events by Geo-Location" ,
"timeContext" : {
"durationMs" : 0
} ,
"timeContextFromParameter" : "TimeRange" ,
"queryType" : 0 ,
"resourceType" : "microsoft.operationalinsights/workspaces" ,
"visualization" : "map" ,
"tileSettings" : {
"showBorder" : false ,
"titleContent" : {
"columnMatch" : "Users" ,
"formatter" : 1
} ,
"leftContent" : {
"columnMatch" : "Count" ,
"formatter" : 12 ,
"formatOptions" : {
"palette" : "auto"
} ,
"numberFormat" : {
"unit" : 17 ,
"options" : {
"maximumSignificantDigits" : 3 ,
"maximumFractionDigits" : 2
}
}
}
} ,
"mapSettings" : {
"locInfo" : "LatLong" ,
"latitude" : "latitude" ,
"longitude" : "longitude" ,
"sizeSettings" : "count_eventType_s" ,
"sizeAggregation" : "Sum" ,
"labelSettings" : "actor_alternateId_s" ,
"legendMetric" : "count_eventType_s" ,
"legendAggregation" : "Sum" ,
"itemColorSettings" : {
"nodeColorField" : "count_eventType_s" ,
"colorAggregation" : "Sum" ,
"type" : "heatmap" ,
"heatmapPalette" : "greenRed"
}
}
} ,
"conditionalVisibility" : {
"parameterName" : "selectedTab" ,
"comparison" : "isEqualTo" ,
"value" : "Analysis"
} ,
"customWidth" : "50" ,
"name" : "query - 3 - Copy - Copy"
}
] ,
"fromTemplateId" : "sentinel-SSOWorkbook" ,
"$schema" : "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}