Merge pull request #478 from tom-meaney-forcepoint/forcepoint-ngfw-connector

Add workbook JSON, preview images (black + white themes)

DataConnectors/FORCEPOINT_NGFW.json

@@ -111,7 +111,7 @@
     },
     {
       "title": "5. Forcepoint integration installation guide ",
-      "description": "To complete the installation of this Forcepoint product integration, follow the guide linked below.\n\n[Installation Guide >](https://aka.ms/forcepointngfwconfig)"
+      "description": "To complete the installation of this Forcepoint product integration, follow the guide linked below.\n\n[Installation Guide >](https://frcpnt.com/ngfw-sentinel)"
     }
   ]
 }

Workbooks/ForcepointNGFW.json

@@ -0,0 +1,111 @@
+{
+  "version": "Notebook/1.0",
+  "items": [
+    {
+      "type": 1,
+      "content": {
+        "json": "# Log results grouped by Activity type"
+      },
+      "name": "text - 7"
+    },
+    {
+      "type": 3,
+      "content": {
+        "version": "KqlItem/1.0",
+        "query": "CommonSecurityLog \n| where DeviceVendor == \"Forcepoint\" and DeviceProduct == \"NGFW\"\n| summarize Count= count() by Activity\n| render barchart",
+        "size": 1,
+        "timeContext": {
+          "durationMs": 2592000000
+        },
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces",
+        "chartSettings": {
+          "xAxis": "Activity",
+          "group": "Count",
+          "createOtherGroup": 0,
+          "showLegend": true
+        }
+      },
+      "name": "query - 2"
+    },
+    {
+      "type": 1,
+      "content": {
+        "json": "# Number of log results grouped by severity"
+      },
+      "name": "text - 6"
+    },
+    {
+      "type": 3,
+      "content": {
+        "version": "KqlItem/1.0",
+        "query": "CommonSecurityLog \n| where DeviceVendor == \"Forcepoint\" and DeviceProduct == \"NGFW\"\n| summarize Count= count() by LogSeverity\n| render barchart",
+        "size": 0,
+        "timeContext": {
+          "durationMs": 2592000000
+        },
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces",
+        "chartSettings": {
+          "group": "Count",
+          "createOtherGroup": 0,
+          "showMetrics": false,
+          "showLegend": true
+        }
+      },
+      "name": "query - 5"
+    },
+    {
+      "type": 1,
+      "content": {
+        "json": "# Log results grouped by Source IP address"
+      },
+      "name": "text - 8"
+    },
+    {
+      "type": 3,
+      "content": {
+        "version": "KqlItem/1.0",
+        "query": "CommonSecurityLog \n| where DeviceVendor == \"Forcepoint\" and DeviceProduct == \"NGFW\"\n| summarize Count= count() by SourceIP\n| render barchart",
+        "size": 0,
+        "timeContext": {
+          "durationMs": 2592000000
+        },
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces"
+      },
+      "name": "query - 2"
+    },
+    {
+      "type": 3,
+      "content": {
+        "version": "KqlItem/1.0",
+        "query": "CommonSecurityLog| where DeviceVendor == \"Forcepoint\" and DeviceProduct == \"NGFW\" and DeviceAction  == 'Terminate'",
+        "size": 0,
+        "timeContext": {
+          "durationMs": 2592000000
+        },
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces"
+      },
+      "name": "query - 3"
+    },
+    {
+      "type": 3,
+      "content": {
+        "version": "KqlItem/1.0",
+        "query": "CommonSecurityLog| where DeviceVendor == \"Forcepoint\" and DeviceProduct == \"NGFW\" and LogSeverity  == '10'",
+        "size": 0,
+        "timeContext": {
+          "durationMs": 6566400000,
+          "endTime": "2020-01-16T13:46:00.000Z"
+        },
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces"
+      },
+      "name": "query - 4"
+    }
+  ],
+  "fromTemplateId": "sentinel-UserWorkbook",
+  "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
+}