Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность
Azure-Sentinel/Workbooks/ThreatIntelligence.json

683 строки
44 KiB
JSON
Исходник Обычный вид История

updated workbooks JSONs and logos
2019-09-05 09:23:48 +03:00
{
changed to gallery templates and added AWS
2019-09-23 09:16:01 +03:00
"version": "Notebook/1.0",
"items": [
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
ThreatIntelWorkbook Update
2022-04-14 02:10:14 +03:00
"id": "a4b4e975-fa7c-46a3-b669-850aacc88134",
ThreatIntelligenceWorkbookv2
2021-09-27 22:35:04 +03:00
"version": "KqlParameterItem/1.0",
"name": "Help",
"label": "🔎 Guide",
"type": 10,
"isRequired": true,
"typeSettings": {
ThreatIntelWorkbook Update
2022-04-14 02:10:14 +03:00
"additionalResourceOptions": [],
"showDefault": false
ThreatIntelligenceWorkbookv2
2021-09-27 22:35:04 +03:00
},
"jsonData": "[\r\n {\"value\": \"Yes\", \"label\": \"Yes\", \"selected\":true},\r\n {\"value\": \"No\", \"label\": \"No\"}\r\n]"
},
{
"version": "KqlParameterItem/1.0",
"name": "DefaultSubscription_Internal",
"type": 1,
"isRequired": true,
"query": "where type =~ 'microsoft.operationalinsights/workspaces'\r\n| take 1\r\n| project subscriptionId",
ThreatIntelWorkbook Update
2022-04-14 02:10:14 +03:00
"crossComponentResources": [
"value::selected"
],
ThreatIntelligenceWorkbookv2
2021-09-27 22:35:04 +03:00
"isHiddenWhenLocked": true,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
ThreatIntelWorkbook Update
2022-04-14 02:10:14 +03:00
"id": "314d02bf-4691-43fa-af59-d67073c8b8fa"
ThreatIntelligenceWorkbookv2
2021-09-27 22:35:04 +03:00
},
{
"id": "e6ded9a1-a83c-4762-938d-5bf8ff3d3d38",
"version": "KqlParameterItem/1.0",
"name": "Subscription",
"type": 6,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "summarize by subscriptionId\r\n| project value = strcat(\"/subscriptions/\", subscriptionId), label = subscriptionId, selected = iff(subscriptionId =~ '{DefaultSubscription_Internal}', true, false)",
"crossComponentResources": [
ThreatIntelWorkbook Update
2022-04-14 02:10:14 +03:00
"value::all"
ThreatIntelligenceWorkbookv2
2021-09-27 22:35:04 +03:00
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
],
"showDefault": false
},
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
"value": [
"value::all"
]
},
{
"id": "e3225ed0-6210-40a1-b2d0-66e42ffa71d6",
"version": "KqlParameterItem/1.0",
"name": "Workspace",
"type": 5,
ThreatIntelWorkbook Update
2022-04-14 02:10:14 +03:00
"isRequired": true,
ThreatIntelligenceWorkbookv2
2021-09-27 22:35:04 +03:00
"multiSelect": true,
"quote": "'",
"delimiter": ",",
Update Adjusting Custom View for Security Incidents to ensure functionality in GOV/AGC
2022-05-11 15:14:01 +03:00
"query": "resources\r\n| where type =~ 'microsoft.operationalinsights/workspaces'\r\n| order by name asc\r\n| summarize Selected = makelist(id, 10), All = makelist(id, 1000)\r\n| mvexpand All limit 100\r\n| project value = tostring(All), label = tostring(All), selected = iff(Selected contains All, true, false)",
ThreatIntelligenceWorkbookv2
2021-09-27 22:35:04 +03:00
"crossComponentResources": [
ThreatIntelWorkbook Update
2022-04-14 02:10:14 +03:00
"{Subscription}"
ThreatIntelligenceWorkbookv2
2021-09-27 22:35:04 +03:00
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
],
"showDefault": false
},
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
Update Adjusting Custom View for Security Incidents to ensure functionality in GOV/AGC
2022-05-11 15:14:01 +03:00
"value": [
"value::all"
]
ThreatIntelligenceWorkbookv2
2021-09-27 22:35:04 +03:00
},
{
"id": "15b2c181-7397-43c1-900a-28e175ae8a6f",
changed to gallery templates and added AWS
2019-09-23 09:16:01 +03:00
"version": "KqlParameterItem/1.0",
"name": "TimeRange",
"type": 4,
"isRequired": true,
"value": {
Update Adjusting Custom View for Security Incidents to ensure functionality in GOV/AGC
2022-05-11 15:14:01 +03:00
"durationMs": 86400000
changed to gallery templates and added AWS
2019-09-23 09:16:01 +03:00
},
"typeSettings": {
"selectableValues": [
{
"durationMs": 86400000
},
{
"durationMs": 172800000
},
{
"durationMs": 604800000
}
],
"allowCustom": true
ThreatIntelligenceWorkbookv2
2021-09-27 22:35:04 +03:00
},
"timeContextFromParameter": "TimeRange"
changed to gallery templates and added AWS
2019-09-23 09:16:01 +03:00
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
ThreatIntelligenceWorkbookv2
2021-09-27 22:35:04 +03:00
"name": "Parameter Selectors"
changed to gallery templates and added AWS
2019-09-23 09:16:01 +03:00
},
{
ThreatIntelligenceWorkbookv2
2021-09-27 22:35:04 +03:00
"type": 1,
changed to gallery templates and added AWS
2019-09-23 09:16:01 +03:00
"content": {
ThreatIntelligenceWorkbookv2
2021-09-27 22:35:04 +03:00
"json": "<svg viewBox=\"0 0 19 19\" width=\"20\" class=\"fxt-escapeShadow\" role=\"presentation\" focusable=\"false\" xmlns:svg=\"http://www.w3.org/2000/svg\" xmlns:xlink=\"http://www.w3.org/1999/xlink\" aria-hidden=\"true\"><g><path fill=\"#1b93eb\" d=\"M16.82 8.886c0 4.81-5.752 8.574-7.006 9.411a.477.477 0 01-.523 0C8.036 17.565 2.18 13.7 2.18 8.886V3.135a.451.451 0 01.42-.419C7.2 2.612 6.154.625 9.5.625s2.3 1.987 6.8 2.091a.479.479 0 01.523.419z\"></path><path fill=\"url(#0024423711759027356)\" d=\"M16.192 8.99c0 4.392-5.333 7.947-6.483 8.575a.319.319 0 01-.418 0c-1.15-.732-6.483-4.183-6.483-8.575V3.762a.575.575 0 01.313-.523C7.2 3.135 6.258 1.357 9.4 1.357s2.2 1.882 6.274 1.882a.45.45 0 01.419.418z\"></path><path d=\"M9.219 5.378a.313.313 0 01.562 0l.875 1.772a.314.314 0 00.236.172l1.957.284a.314.314 0 01.174.535l-1.416 1.38a.312.312 0 00-.09.278l.334 1.949a.313.313 0 01-.455.33l-1.75-.92a.314.314 0 00-.292 0l-1.75.92a.313.313 0 01-.455-.33L7.483 9.8a.312.312 0 00-.09-.278L5.977 8.141a.314.314 0 01.174-.535l1.957-.284a.314.314 0 00.236-.172z\" class=\"msportalfx-svg-c01\"></path></g></svg>&nbsp;<span style=\"font-family: Open Sans; font-weight: 620; font-size: 14px;font-style: bold;margin:-10px 0px 0px 0px;position: relative;top:-3px;left:-4px;\"> Please take time to answer a quick survey,\r\n</span>[<span style=\"font-family: Open Sans; font-weight: 620; font-size: 14px;font-style: bold;margin:-10px 0px 0px 0px;position: relative;top:-3px;left:-4px;\"> click here. </span>](https://forms.office.com/r/n9beey85aP)"
changed to gallery templates and added AWS
2019-09-23 09:16:01 +03:00
},
ThreatIntelligenceWorkbookv2
2021-09-27 22:35:04 +03:00
"name": "Survey"
changed to gallery templates and added AWS
2019-09-23 09:16:01 +03:00
},
{
ThreatIntelligenceWorkbookv2
2021-09-27 22:35:04 +03:00
"type": 1,
changed to gallery templates and added AWS
2019-09-23 09:16:01 +03:00
"content": {
Update Adjusting Custom View for Security Incidents to ensure functionality in GOV/AGC
2022-05-11 15:14:01 +03:00
"json": "# [Threat Intelligence](https://docs.microsoft.com/azure/sentinel/understand-threat-intelligence)\n---\n\nWithin a Security Information and Event Management (SIEM) solution like Microsoft Sentinel, the most commonly used form of CTI is threat indicators, also known as Indicators of Compromise or IoCs. Threat indicators are data that associate observed artifacts such as URLs, file hashes, or IP addresses with known threat activity such as phishing, botnets, or malware. This form of threat intelligence is often called tactical threat intelligence because it can be applied to security products and automation in large scale to detect potential threats to an organization and protect against them. In Microsoft Sentinel, you can use threat indicators to help detect malicious activity observed in your environment and provide context to security investigators to help inform response decisions. [Video Demo](https://youtu.be/4Bet2oVODow)<br>\n"
changed to gallery templates and added AWS
2019-09-23 09:16:01 +03:00
},
ThreatIntelligenceWorkbookv2
2021-09-27 22:35:04 +03:00
"conditionalVisibility": {
"parameterName": "Help",
"comparison": "isEqualTo",
"value": "Yes"
changed to gallery templates and added AWS
2019-09-23 09:16:01 +03:00
},
ThreatIntelligenceWorkbookv2
2021-09-27 22:35:04 +03:00
"customWidth": "79",
"name": "Workbook Overview"
changed to gallery templates and added AWS
2019-09-23 09:16:01 +03:00
},
{
ThreatIntelligenceWorkbookv2
2021-09-27 22:35:04 +03:00
"type": 1,
changed to gallery templates and added AWS
2019-09-23 09:16:01 +03:00
"content": {
ThreatIntelligenceWorkbookv2
2021-09-27 22:35:04 +03:00
"json": "![Image Name](https://azure.microsoft.com/svghandler/azure-sentinel?width=600&height=315) "
changed to gallery templates and added AWS
2019-09-23 09:16:01 +03:00
},
ThreatIntelligenceWorkbookv2
2021-09-27 22:35:04 +03:00
"conditionalVisibility": {
"parameterName": "Help",
"comparison": "isEqualTo",
"value": "Yes"
changed to gallery templates and added AWS
2019-09-23 09:16:01 +03:00
},
ThreatIntelligenceWorkbookv2
2021-09-27 22:35:04 +03:00
"customWidth": "20",
Updated Azure Sentinel to Microsoft Sentinel
2021-11-11 02:43:48 +03:00
"name": "Microsoft Sentinel Logo"
changed to gallery templates and added AWS
2019-09-23 09:16:01 +03:00
},
{
ThreatIntelligenceWorkbookv2
2021-09-27 22:35:04 +03:00
"type": 11,
changed to gallery templates and added AWS
2019-09-23 09:16:01 +03:00
"content": {
ThreatIntelligenceWorkbookv2
2021-09-27 22:35:04 +03:00
"version": "LinkItem/1.0",
"style": "tabs",
"links": [
{
"id": "18c690d7-7cbd-46c1-b677-1f72692d40cd",
"cellValue": "TAB",
"linkTarget": "parameter",
"linkLabel": "Indicators Ingestion",
"subTarget": "Indicators",
"preText": "Alert rules",
"style": "link"
},
{
"id": "f88dcf47-af98-4684-9de3-1ee5f48f68fc",
"cellValue": "TAB",
"linkTarget": "parameter",
ThreatIntelWorkbook Update
2022-04-14 02:10:14 +03:00
"linkLabel": "Indicators Search",
"subTarget": "Observed",
ThreatIntelligenceWorkbookv2
2021-09-27 22:35:04 +03:00
"style": "link"
}
]
changed to gallery templates and added AWS
2019-09-23 09:16:01 +03:00
},
ThreatIntelligenceWorkbookv2
2021-09-27 22:35:04 +03:00
"name": "Tabs link"
Update the TI workbooks for RSA
2020-02-16 11:58:21 +03:00
},
{
ThreatIntelligenceWorkbookv2
2021-09-27 22:35:04 +03:00
"type": 12,
Update the TI workbooks for RSA
2020-02-16 11:58:21 +03:00
"content": {
ThreatIntelligenceWorkbookv2
2021-09-27 22:35:04 +03:00
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "ThreatIntelligenceIndicator\r\n// Select all indicators from the table\r\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\r\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \"IP\",\r\n iff(isnotempty(Url), \"URL\",\r\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \"Email\",\r\n iff(isnotempty(FileHashValue), \"File\",\r\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \"Domain\",\r\n \"Other\")))))\r\n// Summarize and order the data, then render the chart\r\n| summarize CountOfIndicators = count() by IndicatorType, bin(TimeGenerated, 1h)\r\n| order by CountOfIndicators desc \r\n| render barchart kind=stacked ",
"size": 0,
"showAnalytics": true,
ThreatIntelWorkbook Update
2022-04-14 02:10:14 +03:00
"title": "Indicators Imported into Sentinel by Indicator Type and Date",
ThreatIntelligenceWorkbookv2
2021-09-27 22:35:04 +03:00
"timeContextFromParameter": "TimeRange",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
]
},
"customWidth": "50",
"name": "query - 1"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "ThreatIntelligenceIndicator\r\n// Select all indicators from the table\r\n// Summarize and order the data, then render the chart\r\n| summarize CountOfIndicators = count() by SourceSystem, bin(TimeGenerated, 1h)\r\n| render barchart kind=stacked",
"size": 0,
"showAnalytics": true,
ThreatIntelWorkbook Update
2022-04-14 02:10:14 +03:00
"title": "Indicators Imported into Sentinel by Indicator Provider and Date",
ThreatIntelligenceWorkbookv2
2021-09-27 22:35:04 +03:00
"timeContextFromParameter": "TimeRange",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
]
},
"customWidth": "50",
"name": "query - 3"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "ThreatIntelligenceIndicator\r\n// Select all indicators from the table\r\n| where TimeGenerated < now()\r\n// Select only indicators that have not expired\r\n and ExpirationDateTime > now()\r\n// Select only indicators that are marked active\r\n and Active == true\r\n// Select only the most recently ingested copy of an indicator\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\r\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \"IP\",\r\n iff(isnotempty(Url), \"URL\",\r\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \"Email\",\r\n iff(isnotempty(FileHashValue), \"File\",\r\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \"Domain\",\r\n \"Other\")))))\r\n// Summarize and order the data, then render the chart\r\n| summarize CountOfIndicators = count() by IndicatorType\r\n| order by CountOfIndicators desc \r\n| render barchart kind=unstacked",
"size": 0,
"showAnalytics": true,
ThreatIntelWorkbook Update
2022-04-14 02:10:14 +03:00
"title": "Active Indicators by Indicator Type",
ThreatIntelligenceWorkbookv2
2021-09-27 22:35:04 +03:00
"timeContextFromParameter": "TimeRange",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
]
},
"customWidth": "50",
"name": "query - 5"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "ThreatIntelligenceIndicator\r\n// Select all indicators from the table\r\n| where TimeGenerated < now()\r\n// Select only indicators that have not expired\r\n and ExpirationDateTime > now()\r\n// Select only indicators that are marked active\r\n and Active == true\r\n// Select only the most recently ingested copy of an indicator\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n// Summarize and order the data, then render the chart\r\n| summarize CountOfIndicators = count() by SourceSystem\r\n| order by CountOfIndicators desc \r\n| render barchart kind=unstacked",
"size": 0,
"showAnalytics": true,
ThreatIntelWorkbook Update
2022-04-14 02:10:14 +03:00
"title": "Active Indicators by Indicator Source",
ThreatIntelligenceWorkbookv2
2021-09-27 22:35:04 +03:00
"timeContextFromParameter": "TimeRange",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
]
},
"customWidth": "50",
"name": "query - 7"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "ThreatIntelligenceIndicator\r\n// Select all indicators from the table\r\n| where TimeGenerated < now()\r\n// Select only indicators that have not expired\r\n and ExpirationDateTime > now()\r\n// Select only indicators that are marked active\r\n and Active == true\r\n// Select only the most recently ingested copy of an indicator\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n// Summarize and order the data, then render the chart\r\n| summarize CountOfIndicators = count() by tostring(ConfidenceScore)\r\n| order by CountOfIndicators desc \r\n| render piechart",
"size": 0,
"showAnalytics": true,
ThreatIntelWorkbook Update
2022-04-14 02:10:14 +03:00
"title": "Active Indicators by Confidence Score",
ThreatIntelligenceWorkbookv2
2021-09-27 22:35:04 +03:00
"timeContextFromParameter": "TimeRange",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
]
},
"customWidth": "50",
"name": "query - 10"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let DomainQuery=view() { \r\nThreatIntelligenceIndicator\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n| where isnotempty(DomainName)\r\n| summarize SourceSystemArray=make_set(SourceSystem) by DomainName\r\n| summarize count() by tostring(SourceSystemArray)\r\n| project SourceSystemArray, count_, EntryType=\"DomainEntry\"\r\n};\r\nlet UrlQuery=view(){\r\nThreatIntelligenceIndicator\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n| where isnotempty(Url)\r\n| summarize SourceSystemArray=make_set(SourceSystem) by Url\r\n| summarize count() by tostring(SourceSystemArray)\r\n| project SourceSystemArray, count_, EntryType=\"UrlEntry\"\r\n};\r\nlet FileHashQuery=view(){\r\nThreatIntelligenceIndicator\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n| where isnotempty(FileHashValue)\r\n| summarize SourceSystemArray=make_set(SourceSystem) by FileHashValue\r\n| summarize count() by tostring(SourceSystemArray)\r\n| project SourceSystemArray, count_, EntryType=\"FileHashEntry\"\r\n};\r\nlet IPQuery=view(){\r\nThreatIntelligenceIndicator\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n| where isnotempty(NetworkIP) or isnotempty(NetworkSourceIP)\r\n| summarize SourceSystemArray=make_set(SourceSystem) by NetworkIP, NetworkSourceIP\r\n| summarize count() by tostring(SourceSystemArray)\r\n| project SourceSystemArray, count_, EntryType=\"IPEntry\"\r\n};\r\nlet EmailAddressQuery=view(){\r\nThreatIntelligenceIndicator\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n| where isnotempty(EmailSenderAddress)\r\n| summarize SourceSystemArray=make_set(SourceSystem) by EmailSenderAddress\r\n| summarize count() by tostring(SourceSystemArray)\r\n| project SourceSystemArray, count_, EntryType=\"EmailAddressEntry\"\r\n};\r\nlet EmailMessageQuery=view(){\r\nThreatIntelligenceIndicator\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n| where isnotempty(EmailSubject)\r\n| summarize SourceSystemArray=make_set(SourceSystem) by EmailSubject\r\n| summarize count() by tostring(SourceSystemArray)\r\n| project SourceSystemArray, count_, EntryType=\"EmailMessageEntry\"\r\n};\r\nlet SingleSourceIndicators=view(){\r\n DomainQuery\r\n | union UrlQuery\r\n | union FileHashQuery\r\n | union IPQuery\r\n | union EmailAddressQuery\r\n | union EmailMessageQuery\r\n | where array_length(todynamic(SourceSystemArray))==1\r\n | summarize sum(count_) by SourceSystemArray\r\n | extend counter=1 \r\n};\r\nlet MultipleSourceIndicators=view(){\r\n DomainQuery\r\n | union UrlQuery\r\n | union FileHashQuery\r\n | union IPQuery\r\n | union EmailAddressQuery\r\n | union EmailMessageQuery\r\n | where array_length(todynamic(SourceSystemArray))!=1\r\n | summarize sum(count_) by SourceSystemArray\r\n | extend counter=1\r\n};\r\nlet CountOfActiveIndicatorsBySource=view(){\r\n ThreatIntelligenceIndicator\r\n\t| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n | where ExpirationDateTime > now() and Active == true\r\n | summarize count() by SourceSystem\r\n | project SourceSystem, count_\r\n};\r\nSingleSourceIndicators\r\n| join kind=fullouter MultipleSourceIndicators on counter \r\n| where SourceSystemArray contains todynamic(SourceSystemArray)[0] \r\n| order by SourceSystemArray\r\n| extend solitary_count=sum_count_\r\n| summarize shared_count = sum(sum_count_1) by SourceSystemArray, solitary_count\r\n| extend total_count = shared_count + solitary_count\r\n| extend unique_percentage = round(toreal(solitary_count)/toreal(total_count)*100, 1)\r\n| extend IndicatorSource = tostring(todynamic(SourceSystemArray)[0])\r\n| join kind=inner CountOfActiveIndicatorsBySource on $left.IndicatorSource == $right.SourceSystem\r\n| order by unique_percentage desc\r\n| project Source=IndicatorSource, UniquenessPercentage=unique_percentage, ActiveIndicators = count_\r\n\r\n",
"size": 0,
"showAnalytics": true,
ThreatIntelWorkbook Update
2022-04-14 02:10:14 +03:00
"title": "Uniqueness of Threat Intelligence Sources",
ThreatIntelligenceWorkbookv2
2021-09-27 22:35:04 +03:00
"timeContextFromParameter": "TimeRange",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "Source",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "Default",
"thresholdValue": null,
"representation": "View",
"text": "{0}{1}"
}
]
}
},
{
"columnMatch": "ActiveIndicators",
"formatter": 4,
"formatOptions": {
"palette": "blue"
}
}
],
"filter": true
},
"sortBy": []
},
"customWidth": "50",
"name": "query - 12"
}
]
},
"conditionalVisibility": {
"parameterName": "TAB",
"comparison": "isEqualTo",
"value": "Indicators"
Update the TI workbooks for RSA
2020-02-16 11:58:21 +03:00
},
ThreatIntelligenceWorkbookv2
2021-09-27 22:35:04 +03:00
"name": "Indicators Ingestion"
Update the TI workbooks for RSA
2020-02-16 11:58:21 +03:00
},
{
ThreatIntelligenceWorkbookv2
2021-09-27 22:35:04 +03:00
"type": 12,
Update the TI workbooks for RSA
2020-02-16 11:58:21 +03:00
"content": {
ThreatIntelligenceWorkbookv2
2021-09-27 22:35:04 +03:00
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "9aec751b-07bd-43ba-80b9-f711887dce45",
"version": "KqlParameterItem/1.0",
"name": "Indicator",
Rename TI workbook template field Renamed field "Indicator Search" to "Search Indicator in Events" to clarify that event indicators (not TI data) will be searched, based on conversation with Rijuta.
2022-07-12 02:05:55 +03:00
"label": "Search Indicator in Events",
ThreatIntelligenceWorkbookv2
2021-09-27 22:35:04 +03:00
"type": 1,
"value": "",
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange"
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"customWidth": "50",
"name": "Threat Research Parameters"
},
{
"type": 1,
"content": {
"json": ""
},
"customWidth": "50",
"name": "text - 9"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
ThreatIntelWorkbook Update
2022-04-14 02:10:14 +03:00
"query": "//Add additional lines for desired data columns\r\nunion withsource= Table_Name *\r\n| where column_ifexists('CallerIpAddress', '') has \"{Indicator}\"\r\nor column_ifexists('DestinationIP', '') has \"{Indicator}\"\r\nor column_ifexists('FileOriginUrl', '') has \"{Indicator}\"\r\nor column_ifexists('FQDN', '') has \"{Indicator}\"\r\nor column_ifexists('InitiatingProcessSHA256', '') has \"{Indicator}\"\r\nor column_ifexists('IpAddress', '') has \"{Indicator}\"\r\nor column_ifexists('IPAddresses', '') has \"{Indicator}\"\r\nor column_ifexists('IPAddress', '') has \"{Indicator}\"\r\nor column_ifexists('Name', '') has \"{Indicator}\"\r\nor column_ifexists('RemoteIP', '') has \"{Indicator}\"\r\nor column_ifexists('RemoteUrl', '') has \"{Indicator}\"\r\nor column_ifexists('RecipientEmailAddress', '') has \"{Indicator}\" \r\nor column_ifexists('SenderMailFromAddress', '') has \"{Indicator}\" \r\nor column_ifexists('SourceIP', '') has \"{Indicator}\"\r\nor column_ifexists('Url', '') has \"{Indicator}\"\r\nor column_ifexists('SrcIpAddr', '') has \"{Indicator}\"\r\nor column_ifexists('DstIpAddr', '') has \"{Indicator}\"\r\nor column_ifexists('NetworkSourceIP', '') has \"{Indicator}\"\r\nor column_ifexists('FileHashValue', '') has \"{Indicator}\"\r\nor column_ifexists('NetworkIP', '') has \"{Indicator}\"\r\nor column_ifexists('NetworkDestinationIP', '') has \"{Indicator}\"\r\nor column_ifexists('EmailSourceIpAddress', '') has \"{Indicator}\"\r\nor column_ifexists('EmailSenderAddress', '') has \"{Indicator}\"\r\nor column_ifexists('DomainName', '') has \"{Indicator}\"\r\nor column_ifexists('AADEmail', '') has \"{Indicator}\"\r\nor column_ifexists('Account', '') has \"{Indicator}\"\r\nor column_ifexists('AccountName', '') has \"{Indicator}\"\r\nor column_ifexists('AccountUpn', '') has \"{Indicator}\"\r\nor column_ifexists('AccountUPN', '') has \"{Indicator}\"\r\nor column_ifexists('Caller', '') has \"{Indicator}\"\r\nor column_ifexists('CompromisedEntity', '') has \"{Indicator}\"\r\nor column_ifexists('DestinationUserID', '') has \"{Indicator}\"\r\nor column_ifexists('DestinationUserName', '') has \"{Indicator}\"\r\nor column_ifexists('DisplayName', '') has \"{Indicator}\"\r\nor column_ifexists('Email_s', '') has \"{Indicator}\"\r\nor column_ifexists('FullyQualifiedSubjectUserName', '') has \"{Indicator}\"\r\nor column_ifexists('InitiatingProcessAccountUpn', '') has \"{Indicator}\" \r\nor column_ifexists('MailboxOwnerUPN', '') has \"{Indicator}\"\r\nor column_ifexists('Owner', '') has \"{Indicator}\"\r\nor column_ifexists('RequesterUpn', '') has \"{Indicator}\"\r\nor column_ifexists('SourceIdentity', '') has \"{Indicator}\"\r\nor column_ifexists('SourceUserID', '') has \"{Indicator}\"\r\nor column_ifexists('SourceUserName', '') has \"{Indicator}\"\r\nor column_ifexists('SubjectUserName', '') has \"{Indicator}\"\r\nor column_ifexists('TargetUser', '') has \"{Indicator}\"\r\nor column_ifexists('TargetUserName', '') has \"{Indicator}\"\r\nor column_ifexists('Upn', '') has \"{Indicator}\"\r\nor column_ifexists('User_s', '') has \"{Indicator}\"\r\nor column_ifexists('UserId', '') has \"{Indicator}\" \r\nor column_ifexists('UserId_', '') has \"{Indicator}\"\r\nor column_ifexists('UserId_s_s', '') has \"{Indicator}\" \r\nor column_ifexists('userName', '') has \"{Indicator}\"\r\nor column_ifexists('UserName', '') has \"{Indicator}\" \r\nor column_ifexists('UserName_s', '') has \"{Indicator}\"\r\nor column_ifexists('userPrincipalName_s', '') has \"{Indicator}\"\r\nor column_ifexists('UserPrincipalName_s', '') has \"{Indicator}\"\r\nor column_ifexists('UserPrincipalName', '') has \"{Indicator}\"\r\nor column_ifexists('Computer', '') has \"{Indicator}\"\r\nor column_ifexists('FileHash', '') has \"{Indicator}\"\r\nor column_ifexists('FilePath', '') has \"{Indicator}\"\r\nor column_ifexists('Process', '') has \"{Indicator}\"\r\nor column_ifexists('CommandLine', '') has \"{Indicator}\"\r\nor column_ifexists('NewProcessName', '') has \"{Indicator}\"\r\nor column_ifexists('ParentProcessName', '') has \"{Indicator}\"\r\n| sum
ThreatIntelligenceWorkbookv2
2021-09-27 22:35:04 +03:00
"size": 0,
ThreatIntelWorkbook Update
2022-04-14 02:10:14 +03:00
"showAnalytics": true,
"title": "Indicators Observed",
"noDataMessage": "No indicators observed within these thresholds",
"timeContextFromParameter": "TimeRange",
"exportFieldName": "Type",
"exportParameterName": "Type",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "Data Table",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "Default",
"thresholdValue": null,
"representation": "Log",
"text": "{0}{1}"
}
]
}
},
{
"columnMatch": "Logs Count",
"formatter": 4,
"formatOptions": {
"palette": "blue"
}
}
],
"filter": true
}
},
"customWidth": "50",
"name": "query - 4"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "//Add additional lines for desired data columns\r\nunion withsource= Table_Name *\r\n| where column_ifexists('CallerIpAddress', '') has \"{Indicator}\"\r\nor column_ifexists('DestinationIP', '') has \"{Indicator}\"\r\nor column_ifexists('FileOriginUrl', '') has \"{Indicator}\"\r\nor column_ifexists('FQDN', '') has \"{Indicator}\"\r\nor column_ifexists('InitiatingProcessSHA256', '') has \"{Indicator}\"\r\nor column_ifexists('IpAddress', '') has \"{Indicator}\"\r\nor column_ifexists('IPAddresses', '') has \"{Indicator}\"\r\nor column_ifexists('IPAddress', '') has \"{Indicator}\"\r\nor column_ifexists('Name', '') has \"{Indicator}\"\r\nor column_ifexists('RemoteIP', '') has \"{Indicator}\"\r\nor column_ifexists('RemoteUrl', '') has \"{Indicator}\"\r\nor column_ifexists('RecipientEmailAddress', '') has \"{Indicator}\" \r\nor column_ifexists('SenderMailFromAddress', '') has \"{Indicator}\" \r\nor column_ifexists('SourceIP', '') has \"{Indicator}\"\r\nor column_ifexists('Url', '') has \"{Indicator}\"\r\nor column_ifexists('SrcIpAddr', '') has \"{Indicator}\"\r\nor column_ifexists('DstIpAddr', '') has \"{Indicator}\"\r\nor column_ifexists('NetworkSourceIP', '') has \"{Indicator}\"\r\nor column_ifexists('FileHashValue', '') has \"{Indicator}\"\r\nor column_ifexists('NetworkIP', '') has \"{Indicator}\"\r\nor column_ifexists('NetworkDestinationIP', '') has \"{Indicator}\"\r\nor column_ifexists('EmailSourceIpAddress', '') has \"{Indicator}\"\r\nor column_ifexists('EmailSenderAddress', '') has \"{Indicator}\"\r\nor column_ifexists('DomainName', '') has \"{Indicator}\"\r\nor column_ifexists('AADEmail', '') has \"{Indicator}\"\r\nor column_ifexists('Account', '') has \"{Indicator}\"\r\nor column_ifexists('AccountName', '') has \"{Indicator}\"\r\nor column_ifexists('AccountUpn', '') has \"{Indicator}\"\r\nor column_ifexists('AccountUPN', '') has \"{Indicator}\"\r\nor column_ifexists('Caller', '') has \"{Indicator}\"\r\nor column_ifexists('CompromisedEntity', '') has \"{Indicator}\"\r\nor column_ifexists('DestinationUserID', '') has \"{Indicator}\"\r\nor column_ifexists('DestinationUserName', '') has \"{Indicator}\"\r\nor column_ifexists('DisplayName', '') has \"{Indicator}\"\r\nor column_ifexists('Email_s', '') has \"{Indicator}\"\r\nor column_ifexists('FullyQualifiedSubjectUserName', '') has \"{Indicator}\"\r\nor column_ifexists('InitiatingProcessAccountUpn', '') has \"{Indicator}\" \r\nor column_ifexists('MailboxOwnerUPN', '') has \"{Indicator}\"\r\nor column_ifexists('Owner', '') has \"{Indicator}\"\r\nor column_ifexists('RequesterUpn', '') has \"{Indicator}\"\r\nor column_ifexists('SourceIdentity', '') has \"{Indicator}\"\r\nor column_ifexists('SourceUserID', '') has \"{Indicator}\"\r\nor column_ifexists('SourceUserName', '') has \"{Indicator}\"\r\nor column_ifexists('SubjectUserName', '') has \"{Indicator}\"\r\nor column_ifexists('TargetUser', '') has \"{Indicator}\"\r\nor column_ifexists('TargetUserName', '') has \"{Indicator}\"\r\nor column_ifexists('Upn', '') has \"{Indicator}\"\r\nor column_ifexists('User_s', '') has \"{Indicator}\"\r\nor column_ifexists('UserId', '') has \"{Indicator}\" \r\nor column_ifexists('UserId_', '') has \"{Indicator}\"\r\nor column_ifexists('UserId_s_s', '') has \"{Indicator}\" \r\nor column_ifexists('userName', '') has \"{Indicator}\"\r\nor column_ifexists('UserName', '') has \"{Indicator}\" \r\nor column_ifexists('UserName_s', '') has \"{Indicator}\"\r\nor column_ifexists('userPrincipalName_s', '') has \"{Indicator}\"\r\nor column_ifexists('UserPrincipalName_s', '') has \"{Indicator}\"\r\nor column_ifexists('UserPrincipalName', '') has \"{Indicator}\"\r\nor column_ifexists('Computer', '') has \"{Indicator}\"\r\nor column_ifexists('FileHash', '') has \"{Indicator}\"\r\nor column_ifexists('FilePath', '') has \"{Indicator}\"\r\nor column_ifexists('Process', '') has \"{Indicator}\"\r\nor column_ifexists('CommandLine', '') has \"{Indicator}\"\r\nor column_ifexists('NewProcessName', '') has \"{Indicator}\"\r\nor column_ifexists('ParentProcessName', '') has \"{Indicator}\"\r\n| mak
"size": 0,
"showAnalytics": true,
"title": "Indicators Observed over Time",
"noDataMessage": "No indicators observed within these thresholds",
"timeContextFromParameter": "TimeRange",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "Data Table",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "Default",
"thresholdValue": null,
"representation": "Log",
"text": "{0}{1}"
}
]
}
},
{
"columnMatch": "Logs Count",
"formatter": 4,
"formatOptions": {
"palette": "redBright"
}
}
],
"filter": true
}
},
"customWidth": "50",
"name": "query - 4 - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let tiObservables = ThreatIntelligenceIndicator\r\n | where TimeGenerated < now()\r\n | project IndicatorId, ThreatType, Description, Active, IndicatorTime = TimeGenerated, Indicator = strcat(NetworkSourceIP, NetworkIP, NetworkDestinationIP, Url, FileHashValue, EmailSourceIpAddress, EmailSenderAddress, DomainName), SourceSystem;\r\nlet alertEntity = SecurityAlert \r\n | project parse_json(Entities), SystemAlertId , AlertTime = TimeGenerated\r\n | mvexpand(Entities)\r\n | extend entity = iif(isnotempty(Entities.Address), Entities.Address,\r\n iif(isnotempty(Entities.HostName),strcat(Entities.HostName, \".\", Entities.DnsDomain),\r\n iif(isnotempty(Entities.Url), Entities.Url,\r\n iif(isnotempty(Entities.Value), Entities.Value,\r\n iif(Entities.Type == \"account\", strcat(Entities.Name,\"@\",Entities.UPNSuffix),\"\")))))\r\n | where isnotempty(entity) \r\n | project entity, SystemAlertId, AlertTime;\r\nlet IncidentAlerts = SecurityIncident\r\n | project IncidentTime = TimeGenerated, IncidentNumber, Title, parse_json(AlertIds)\r\n | mv-expand AlertIds\r\n | project IncidentTime, IncidentNumber, Title, tostring(AlertIds);\r\nlet AlertsWithTiObservables = alertEntity\r\n | join kind=inner tiObservables on $left.entity == $right.Indicator;\r\nlet IncidentsWithAlertsWithTiObservables = AlertsWithTiObservables\r\n | join kind=inner IncidentAlerts on $left.SystemAlertId == $right.AlertIds;\r\nIncidentsWithAlertsWithTiObservables\r\n| where Indicator contains '{Indicator}' or Indicator == \"*\"\r\n| summarize Incidents=dcount(IncidentNumber), Alerts=dcount(SystemAlertId) by Indicator, ThreatType, Source = SourceSystem, Description\r\n| sort by Incidents, Alerts desc",
"size": 0,
"showAnalytics": true,
"title": "Threat Intelligence Alerts",
"noDataMessage": "No indicators observed within these thresholds",
ThreatIntelligenceWorkbookv2
2021-09-27 22:35:04 +03:00
"timeContextFromParameter": "TimeRange",
ThreatIntelWorkbook Update
2022-04-14 02:10:14 +03:00
"showExportToExcel": true,
ThreatIntelligenceWorkbookv2
2021-09-27 22:35:04 +03:00
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
Update the TI workbooks for RSA
2020-02-16 11:58:21 +03:00
{
ThreatIntelligenceWorkbookv2
2021-09-27 22:35:04 +03:00
"columnMatch": "ThreatType",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "Botnet",
"representation": "Command and Control",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "MaliciousUrl",
"representation": "Initial_Access",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Malware",
"representation": "Execution",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Phishing",
"representation": "Exfiltration",
"text": "{0}{1}"
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "Pre attack",
"text": "{0}{1}"
}
]
}
Update the TI workbooks for RSA
2020-02-16 11:58:21 +03:00
},
ThreatIntelWorkbook Update
2022-04-14 02:10:14 +03:00
{
"columnMatch": "Source",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "Default",
"thresholdValue": null,
"representation": "success",
"text": "{0}{1}"
}
]
}
},
Update the TI workbooks for RSA
2020-02-16 11:58:21 +03:00
{
ThreatIntelligenceWorkbookv2
2021-09-27 22:35:04 +03:00
"columnMatch": "Incidents",
"formatter": 4,
"formatOptions": {
"palette": "redBright"
}
Update the TI workbooks for RSA
2020-02-16 11:58:21 +03:00
},
{
ThreatIntelligenceWorkbookv2
2021-09-27 22:35:04 +03:00
"columnMatch": "Alerts",
"formatter": 4,
"formatOptions": {
"palette": "orange"
}
Update the TI workbooks for RSA
2020-02-16 11:58:21 +03:00
}
ThreatIntelligenceWorkbookv2
2021-09-27 22:35:04 +03:00
],
"filter": true
Update the TI workbooks for RSA
2020-02-16 11:58:21 +03:00
}
ThreatIntelligenceWorkbookv2
2021-09-27 22:35:04 +03:00
},
ThreatIntelWorkbook Update
2022-04-14 02:10:14 +03:00
"name": "query - 5"
Update the TI workbooks for RSA
2020-02-16 11:58:21 +03:00
},
ThreatIntelligenceWorkbookv2
2021-09-27 22:35:04 +03:00
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
Update Adjusting Custom View for Security Incidents to ensure functionality in GOV/AGC
2022-05-11 15:14:01 +03:00
"query": "SecurityIncident\r\n| extend SystemAlertId = tostring(AlertIds[0])\r\n| join (SecurityAlert \r\n| where Entities <> \"\"\r\n| mv-expand parse_json(Entities)\r\n| where Entities contains '{Indicator}'\r\n| project SystemAlertId, Entities\r\n) on SystemAlertId\r\n| where Title <> \"\"\r\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\r\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\r\n| extend SeverityRank=iff(Severity == \"High\", 3, iff(Severity == \"Medium\", 2, iff(Severity == \"Low\", 1, iff(Severity == \"Informational\", 0, 0))))\r\n| sort by SeverityRank, IncidentNumber desc\r\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade, Entities\r\n| limit 2500",
ThreatIntelligenceWorkbookv2
2021-09-27 22:35:04 +03:00
"size": 0,
"showAnalytics": true,
ThreatIntelWorkbook Update
2022-04-14 02:10:14 +03:00
"title": "Security Incidents",
"noDataMessage": "No incidents observed within these thresholds",
ThreatIntelligenceWorkbookv2
2021-09-27 22:35:04 +03:00
"timeContextFromParameter": "TimeRange",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
ThreatIntelWorkbook Update
2022-04-14 02:10:14 +03:00
"columnMatch": "Incident Name",
ThreatIntelligenceWorkbookv2
2021-09-27 22:35:04 +03:00
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "Default",
"thresholdValue": null,
ThreatIntelWorkbook Update
2022-04-14 02:10:14 +03:00
"representation": "Alert",
ThreatIntelligenceWorkbookv2
2021-09-27 22:35:04 +03:00
"text": "{0}{1}"
}
]
}
},
{
ThreatIntelWorkbook Update
2022-04-14 02:10:14 +03:00
"columnMatch": "Severity",
ThreatIntelligenceWorkbookv2
2021-09-27 22:35:04 +03:00
"formatter": 18,
"formatOptions": {
ThreatIntelWorkbook Update
2022-04-14 02:10:14 +03:00
"thresholdsOptions": "icons",
ThreatIntelligenceWorkbookv2
2021-09-27 22:35:04 +03:00
"thresholdsGrid": [
{
ThreatIntelWorkbook Update
2022-04-14 02:10:14 +03:00
"operator": "==",
"thresholdValue": "High",
"representation": "Sev0",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Medium",
"representation": "Sev1",
ThreatIntelligenceWorkbookv2
2021-09-27 22:35:04 +03:00
"text": "{0}{1}"
},
{
ThreatIntelWorkbook Update
2022-04-14 02:10:14 +03:00
"operator": "==",
"thresholdValue": "Low",
"representation": "Sev2",
ThreatIntelligenceWorkbookv2
2021-09-27 22:35:04 +03:00
"text": "{0}{1}"
},
{
"operator": "Default",
"thresholdValue": null,
ThreatIntelWorkbook Update
2022-04-14 02:10:14 +03:00
"representation": "Sev3",
ThreatIntelligenceWorkbookv2
2021-09-27 22:35:04 +03:00
"text": "{0}{1}"
}
]
}
},
{
ThreatIntelWorkbook Update
2022-04-14 02:10:14 +03:00
"columnMatch": "IncidentUrl",
"formatter": 7,
ThreatIntelligenceWorkbookv2
2021-09-27 22:35:04 +03:00
"formatOptions": {
ThreatIntelWorkbook Update
2022-04-14 02:10:14 +03:00
"linkTarget": "OpenBlade",
"linkLabel": "Incident >>",
"bladeOpenContext": {
"bladeName": "CaseBlade",
"extensionName": "Microsoft_Azure_Security_Insights",
"bladeParameters": [
{
"name": "id",
"source": "column",
"value": "IncidentBlade"
}
]
}
ThreatIntelligenceWorkbookv2
2021-09-27 22:35:04 +03:00
}
ThreatIntelWorkbook Update
2022-04-14 02:10:14 +03:00
},
{
"columnMatch": "IncidentBlade",
"formatter": 5
ThreatIntelligenceWorkbookv2
2021-09-27 22:35:04 +03:00
}
],
ThreatIntelWorkbook Update
2022-04-14 02:10:14 +03:00
"rowLimit": 2500,
"filter": true,
"sortBy": [
{
"itemKey": "IncidentNumber",
"sortOrder": 2
ThreatIntelligenceWorkbookv2
2021-09-27 22:35:04 +03:00
}
ThreatIntelWorkbook Update
2022-04-14 02:10:14 +03:00
]
},
"sortBy": [
{
"itemKey": "IncidentNumber",
"sortOrder": 2
ThreatIntelligenceWorkbookv2
2021-09-27 22:35:04 +03:00
}
ThreatIntelWorkbook Update
2022-04-14 02:10:14 +03:00
]
ThreatIntelligenceWorkbookv2
2021-09-27 22:35:04 +03:00
},
"name": "query - 3"
}
]
},
"conditionalVisibility": {
"parameterName": "TAB",
"comparison": "isEqualTo",
ThreatIntelWorkbook Update
2022-04-14 02:10:14 +03:00
"value": "Observed"
Updated ThreatIntelligence workbook
2021-07-15 21:34:40 +03:00
},
ThreatIntelWorkbook Update
2022-04-14 02:10:14 +03:00
"name": "Indicators Observed"
changed to gallery templates and added AWS
2019-09-23 09:16:01 +03:00
}
],
"fromTemplateId": "sentinel-ThreatIntelligence",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
Rename TI workbook template field Renamed field "Indicator Search" to "Search Indicator in Events" to clarify that event indicators (not TI data) will be searched, based on conversation with Rijuta.
2022-07-12 02:05:55 +03:00
}