Murali Krishna Dev Uppugunduri 2024-04-05 20:22:13 +05:30 коммит произвёл GitHub
Родитель ebfacaa0e4
Коммит 0fa4510ffe
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: B5690EEEBB952194
1 изменённых файлов: 342 добавлений и 44 удалений


@ -12,6 +12,8 @@
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"query": "",
"crossComponentResources": [],
"parameters": [
{
"id": "a5c18655-3e2d-4d12-8ba4-82e57b296581",
@ -138,6 +140,8 @@
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"query": "",
"crossComponentResources": [],
"parameters": [
{
"id": "7f28bae3-a11f-408a-832f-77a0f3e633d7",
@ -178,16 +182,27 @@
"version": "KqlItem/1.0",
"query": "let data = CommonSecurityLog\r\n| where (DeviceProduct has 'PAN-OS'\r\n or DeviceProduct has 'LF'\r\n )| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP})\r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where \"{EventClass:lable}\" == \"All\" or \"{EventClass:lable}\" == \"All\" or DeviceEventClassID in ({EventClass});\r\ndata\r\n| summarize Count = count() by Activity\r\n| join kind = inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by Activity)\r\n on Activity\r\n| project-away Activity1, TimeGenerated\r\n| extend Activitys = Activity\r\n| union (\r\n data \r\n | summarize Count = count() \r\n | extend jkey = 1\r\n | join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\r\n | extend jkey = 1) on jkey\r\n | extend Activity = 'All', Activitys = '*' \r\n)\r\n| order by Count desc\r\n| take 10",
"size": 4,
"title": "Activities, by volume",
"timeContextFromParameter": "TimeRange",
"exportFieldName": "Activity",
"exportParameterName": "activities",
"exportDefaultValue": "All",
"exportToExcelOptions": "visible",
"title": "Activities, by volume",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"gridSettings": {
"formatters": [
{
"columnMatch": "Activity",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Count",
"formatter": 8,
@ -232,7 +247,8 @@
"showIcon": true
}
}
]
],
"labelSettings": []
},
"tileSettings": {
"titleContent": {
@ -276,7 +292,11 @@
"query": "CommonSecurityLog\r\n| where (DeviceProduct has 'PAN-OS'\r\n or DeviceProduct has 'LF'\r\n )| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP})\r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where \"{EventClass:lable}\" == \"All\" or DeviceEventClassID in ({EventClass})\r\n| where '{activities}' == \"All\" or Activity == '{activities}'\r\n| summarize LogVolume=count() by DeviceEventClassID, bin_at(TimeGenerated, {TimeRange:grain}, {TimeRange:start})",
"size": 0,
"aggregation": 3,
"exportToExcelOptions": "visible",
"title": "Event trend, by time",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
@ -312,7 +332,11 @@
"version": "KqlItem/1.0",
"query": "//trend by sevearity\r\nCommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where \"{EventClass:lable}\" == \"All\" or DeviceEventClassID in ({EventClass})\r\n| where '{activities}' == \"All\" or Activity == '{activities}'\r\n| summarize count() by bin_at(TimeGenerated, {TimeRange:grain},{TimeRange:start}), LogSeverity\r\n",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Events severity, by time",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
@ -373,11 +397,15 @@
"version": "KqlItem/1.0",
"query": "let data = CommonSecurityLog\r\n| where (DeviceProduct has 'PAN-OS'\r\n or DeviceProduct has 'LF'\r\n )| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where Activity =~ \"Traffic\";\r\ndata\r\n| summarize Count = count() by DeviceEventClassID\r\n| join kind = inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by DeviceEventClassID)\r\n on DeviceEventClassID\r\n| project-away DeviceEventClassID1, TimeGenerated\r\n| extend DeviceEventClassIDs = DeviceEventClassID\r\n| union (\r\n data \r\n | summarize Count = count() \r\n | extend jkey = 1\r\n | join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\r\n | extend jkey = 1) on jkey\r\n | extend DeviceEventClassID = 'All', DeviceEventClassIDs = '*' \r\n)\r\n| order by Count desc\r\n| take 10",
"size": 4,
"title": "Device events Id summary - click to filter the graph below",
"timeContextFromParameter": "TimeRange",
"exportFieldName": "DeviceEventClassID",
"exportParameterName": "EventClass",
"exportDefaultValue": "All",
"exportToExcelOptions": "visible",
"title": "Device events Id summary - click to filter the graph below",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
@ -424,16 +452,27 @@
"version": "KqlItem/1.0",
"query": "let data = CommonSecurityLog\r\n| where (DeviceProduct has 'PAN-OS'\r\n or DeviceProduct has 'LF'\r\n )| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where Activity =~ \"Traffic\";\r\ndata\r\n| summarize Count = count() by DeviceAction\r\n| join kind = inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by DeviceAction)\r\n on DeviceAction\r\n| project-away DeviceAction1, TimeGenerated\r\n| extend DeviceAction = DeviceAction\r\n| union (\r\n data \r\n | summarize Count = count() \r\n | extend jkey = 1\r\n | join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\r\n | extend jkey = 1) on jkey\r\n | extend DeviceAction = 'All', DeviceActions = '*' \r\n)\r\n| order by Count desc\r\n| take 10",
"size": 4,
"title": "Device action summary - click to filter the graph below",
"timeContextFromParameter": "TimeRange",
"exportFieldName": "DeviceAction",
"exportParameterName": "DeviceAction",
"exportDefaultValue": "All",
"exportToExcelOptions": "visible",
"title": "Device action summary - click to filter the graph below",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"gridSettings": {
"formatters": [
{
"columnMatch": "DeviceAction",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Count",
"formatter": 3,
@ -478,7 +517,8 @@
"showIcon": true
}
}
]
],
"labelSettings": []
},
"tileSettings": {
"titleContent": {
@ -522,7 +562,11 @@
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where (DeviceProduct has 'PAN-OS'\r\n or DeviceProduct has 'LF'\r\n )| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where Activity =~ 'TRAFFIC'\r\n| where '{EventClass}' == \"All\" or DeviceEventClassID=='{EventClass}'\r\n| summarize EventCount= count() by DeviceAction, bin_at(TimeGenerated, {TimeRange:grain}, {TimeRange:start})",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Device action, by time",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
@ -537,7 +581,11 @@
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where (DeviceProduct has 'PAN-OS'\r\n or DeviceProduct has 'LF'\r\n )| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where '{DeviceAction}' == \"All\" or DeviceAction=='{DeviceAction}'\r\n| where Activity =~ \"Traffic\"\r\n| summarize EventCount= count() by DeviceEventClassID, bin_at(TimeGenerated, {TimeRange:grain}, {TimeRange:start})",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Device events Id, by time",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
@ -552,7 +600,11 @@
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where (DeviceProduct has 'PAN-OS'\r\n or DeviceProduct has 'LF'\r\n )| where DeviceVendor =~ 'Palo Alto Networks' \r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where Activity =~ 'TRAFFIC' \r\n| where DeviceEventClassID =~ 'end' \r\n| extend Reason = coalesce(\r\n column_ifexists(\"Reason\", \"\"),\r\n extract(';reason=(.*?);',1,AdditionalExtensions),\r\n \"\"\r\n )\r\n| summarize ReasonCount= count() by Reason, TimeGenerated \r\n",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Reasons for session ending, by time",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
@ -567,7 +619,11 @@
"version": "KqlItem/1.0",
"query": "// Data sent outbound vs inbound\r\nCommonSecurityLog\r\n| where (DeviceProduct has 'PAN-OS'\r\n or DeviceProduct has 'LF'\r\n )| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where Activity =~ 'TRAFFIC'\r\n| extend Direction=iff(DeviceCustomString4=~'Trust','Outbound' ,'Inbound' )\r\n| summarize DataSentOutBoundMB=sumif(SentBytes, Direction=~'Outbound')/1048576, DataRecievedInboundMB=sumif(ReceivedBytes, Direction=~'Inbound')/1048576 by TimeGenerated\r\n",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Sent and received data, by volume",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
@ -589,12 +645,23 @@
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where (DeviceProduct has 'PAN-OS'\r\n or DeviceProduct has 'LF'\r\n )| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where Activity =~ 'THREAT'\r\n| where DeviceEventClassID =~ 'url'\r\n| where DeviceAction contains 'block'\r\n| summarize ProtocolCount=count() by ApplicationProtocol\r\n| top 5 by ProtocolCount desc\r\n",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Top 5 blocked URLs, by application protocol",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "ApplicationProtocol",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "ProtocolCount",
"formatter": 4,
@ -604,7 +671,8 @@
"showIcon": true
}
}
]
],
"labelSettings": []
}
},
"customWidth": "25",
@ -616,12 +684,23 @@
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where (DeviceProduct has 'PAN-OS'\r\n or DeviceProduct has 'LF'\r\n )| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where Activity =~ 'THREAT'\r\n| where DeviceEventClassID =~ 'url'\r\n| where DeviceAction in ('block-url', 'block-continue')\r\n| summarize CategoryCount=count() by DeviceCustomString2\r\n| project-rename CategoryName= DeviceCustomString2\r\n| top 5 by CategoryCount\r\n",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Top 5 URL blocked, by category",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "CategoryName",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "CategoryCount",
"formatter": 4,
@ -630,7 +709,8 @@
"showIcon": true
}
}
]
],
"labelSettings": []
}
},
"customWidth": "25",
@ -642,7 +722,11 @@
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where (DeviceProduct has 'PAN-OS'\r\n or DeviceProduct has 'LF'\r\n )| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where Activity =~ 'THREAT'\r\n| where DeviceEventClassID =~ 'url'\r\n| where DeviceAction in ('block-url', 'block-continue')\r\n| summarize URLCount=count() by RequestURL\r\n| top 5 by URLCount desc\r\n",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Top 5 blocked URLs",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
@ -656,12 +740,23 @@
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where (DeviceProduct has 'PAN-OS'\r\n or DeviceProduct has 'LF'\r\n )| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where Activity =~ 'THREAT'\r\n| where DeviceEventClassID =~ 'url'\r\n| summarize ProtocolCount=count() by ApplicationProtocol\r\n| top 5 by ProtocolCount desc",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Top 5 URLs, by application protocols",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "ApplicationProtocol",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "ProtocolCount",
"formatter": 4,
@ -670,7 +765,8 @@
"showIcon": true
}
}
]
],
"labelSettings": []
}
},
"customWidth": "25",
@ -682,12 +778,23 @@
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where (DeviceProduct has 'PAN-OS'\r\n or DeviceProduct has 'LF'\r\n )| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where Activity =~ 'THREAT'\r\n| where DeviceEventClassID =~ 'url'\r\n| where DeviceAction in ('alert', 'continue')\r\n| summarize URLCount=count() by RequestURL\r\n| top 5 by URLCount desc\r\n",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Top 5 allowed URLs",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "RequestURL",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "URLCount",
"formatter": 4,
@ -696,7 +803,8 @@
"showIcon": true
}
}
]
],
"labelSettings": []
}
},
"customWidth": "25",
@ -708,12 +816,23 @@
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where (DeviceProduct has 'PAN-OS'\r\n or DeviceProduct has 'LF'\r\n )| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where Activity =~ 'THREAT'\r\n| where DeviceEventClassID =~ 'url'\r\n| summarize ActionCount=count() by DeviceAction\r\n",
"size": 0,
"exportToExcelOptions": "visible",
"title": "URL threat event summary",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "DeviceAction",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "ActionCount",
"formatter": 4,
@ -722,7 +841,8 @@
"showIcon": true
}
}
]
],
"labelSettings": []
}
},
"customWidth": "25",
@ -734,7 +854,11 @@
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where (DeviceProduct has 'PAN-OS'\r\n or DeviceProduct has 'LF'\r\n )| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where Activity =~ 'THREAT'\r\n| where DeviceEventClassID =~ 'url'\r\n| where DeviceAction contains 'block'\r\n| extend PAReferer= extract(';PanOSReferer=(.*?);',1,AdditionalExtensions)\r\n| where PAReferer !=''\r\n| summarize RefererCount= count() by PAReferer\r\n| top 5 by RefererCount desc\r\n",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Top 5 referrers for blocked URLs",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
@ -748,12 +872,23 @@
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where (DeviceProduct has 'PAN-OS'\r\n or DeviceProduct has 'LF'\r\n )| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where Activity =~ 'THREAT'\r\n| where DeviceEventClassID =~ 'url'\r\n| where DeviceAction in ('alert', 'continue')\r\n| summarize CategoryCount=count() by DeviceCustomString2\r\n| project-rename CategoryName= DeviceCustomString2\r\n| top 5 by CategoryCount desc\r\n",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Top 5 allowed URLs, by category",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "CategoryName",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "CategoryCount",
"formatter": 4,
@ -762,7 +897,8 @@
"showIcon": true
}
}
]
],
"labelSettings": []
}
},
"customWidth": "25",
@ -774,13 +910,24 @@
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where (DeviceProduct has 'PAN-OS'\r\n or DeviceProduct has 'LF'\r\n )| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where Activity =~ 'THREAT'\r\n| where DeviceEventClassID =~ 'url'\r\n| where DeviceAction !contains 'block'\r\n| summarize ProtocolCount=count() by ApplicationProtocol\r\n| top 5 by ProtocolCount desc",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Top 5 allowed URLs, by application protocol",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "ApplicationProtocol",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "ProtocolCount",
"formatter": 4,
@ -789,7 +936,8 @@
"showIcon": true
}
}
]
],
"labelSettings": []
}
},
"customWidth": "33",
@ -801,12 +949,30 @@
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where (DeviceProduct has 'PAN-OS'\r\n or DeviceProduct has 'LF'\r\n )| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where Activity =~ 'THREAT'\r\n| where DeviceEventClassID =~ 'url'\r\n| summarize ActionCount=count() by DeviceAction, TimeGenerated\r\n",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Web filter ativity, by time",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "DeviceAction",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "TimeGenerated",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "ActionCount",
"formatter": 4,
@ -815,7 +981,8 @@
"showIcon": true
}
}
]
],
"labelSettings": []
}
},
"customWidth": "33",
@ -827,12 +994,23 @@
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where (DeviceProduct has 'PAN-OS'\r\n or DeviceProduct has 'LF'\r\n )| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where Activity =~ 'THREAT'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where DeviceEventClassID =~ 'url'\r\n| where DeviceAction in ('alert', 'continue')\r\n| summarize IPCount=count() by SourceIP\r\n| top 5 by IPCount desc\r\n",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Top 5 allowed web traffic source IP addresses",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "SourceIP",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "IPCount",
"formatter": 4,
@ -841,7 +1019,8 @@
"showIcon": true
}
}
]
],
"labelSettings": []
}
},
"customWidth": "33",
@ -860,7 +1039,11 @@
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where (DeviceProduct has 'PAN-OS'\r\n or DeviceProduct has 'LF'\r\n )| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where Activity =~ 'THREAT'\r\n| where DeviceEventClassID =~ 'wildfire'\r\n| summarize ActionCount=count() by DeviceAction, TimeGenerated\r\n",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Wildfire events, by time",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
@ -875,16 +1058,27 @@
"version": "KqlItem/1.0",
"query": "let data = CommonSecurityLog\r\n| where (DeviceProduct has 'PAN-OS'\r\n or DeviceProduct has 'LF'\r\n )| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where Activity =~ 'THREAT'\r\n| where DeviceEventClassID =~'wildfire'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP});\r\ndata\r\n| summarize Count = count() by DeviceAction\r\n| join kind = inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by DeviceAction)\r\n on DeviceAction\r\n| project-away DeviceAction1, TimeGenerated\r\n| extend DeviceActions = DeviceAction\r\n| union (\r\n data \r\n | summarize Count = count() \r\n | extend jkey = 1\r\n | join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\r\n | extend jkey = 1) on jkey\r\n | extend DeviceAction = 'All', DeviceActions = '*' \r\n)\r\n| project DeviceAction, Count, Trend\r\n| order by Count desc\r\n| take 10",
"size": 4,
"title": "Top 5 Wildfire activities",
"timeContextFromParameter": "TimeRange",
"exportFieldName": "DeviceAction",
"exportParameterName": "DeviceAction",
"exportDefaultValue": "All",
"exportToExcelOptions": "visible",
"title": "Top 5 Wildfire activities",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"gridSettings": {
"formatters": [
{
"columnMatch": "DeviceAction",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Count",
"formatter": 3,
@ -899,6 +1093,34 @@
"palette": "grayBlue",
"showIcon": true
}
},
{
"columnMatch": "DeviceActions",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "jkey",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "TimeGenerated",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "jkey1",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
}
],
"sortBy": [
@ -906,14 +1128,9 @@
"itemKey": "DeviceAction",
"sortOrder": 1
}
]
],
"labelSettings": []
},
"sortBy": [
{
"itemKey": "DeviceAction",
"sortOrder": 1
}
],
"tileSettings": {
"titleContent": {
"columnMatch": "DeviceAction",
@ -956,16 +1173,27 @@
"version": "KqlItem/1.0",
"query": "let data = CommonSecurityLog\r\n| where (DeviceProduct has 'PAN-OS'\r\n or DeviceProduct has 'LF'\r\n )| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where Activity =~ 'THREAT'\r\n| where DeviceEventClassID =~'wildfire'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP});\r\ndata\r\n| summarize Count = count() by DeviceCustomString2\r\n| join kind = inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by DeviceCustomString2)\r\n on DeviceCustomString2\r\n| project-away DeviceCustomString21, TimeGenerated\r\n| extend DeviceCustomString2s = DeviceCustomString2\r\n| union (\r\n data \r\n | summarize Count = count() \r\n | extend jkey = 1\r\n | join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\r\n | extend jkey = 1) on jkey\r\n | extend DeviceCustomString2 = 'All', DeviceCustomString2s = '*' \r\n)\r\n| project DeviceCustomString2, Count, Trend\r\n| order by Count desc\r\n| take 10",
"size": 4,
"title": "Top 5 Wildfire verdicts",
"timeContextFromParameter": "TimeRange",
"exportFieldName": "DeviceCustomString2",
"exportParameterName": "DeviceString",
"exportDefaultValue": "All",
"exportToExcelOptions": "visible",
"title": "Top 5 Wildfire verdicts",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"gridSettings": {
"formatters": [
{
"columnMatch": "DeviceAction",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Count",
"formatter": 3,
@ -980,6 +1208,34 @@
"palette": "grayBlue",
"showIcon": true
}
},
{
"columnMatch": "DeviceActions",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "jkey",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "TimeGenerated",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "jkey1",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
}
],
"sortBy": [
@ -987,14 +1243,9 @@
"itemKey": "DeviceAction",
"sortOrder": 1
}
]
],
"labelSettings": []
},
"sortBy": [
{
"itemKey": "DeviceAction",
"sortOrder": 1
}
],
"tileSettings": {
"titleContent": {
"columnMatch": "DeviceCustomString2",
@ -1037,12 +1288,17 @@
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where (DeviceProduct has 'PAN-OS'\r\n or DeviceProduct has 'LF'\r\n )| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where Activity =~ 'THREAT'\r\n| where DeviceEventClassID =~ 'wildfire'\r\n| where '{DeviceAction}' == \"All\" or DeviceAction=='{DeviceAction}'\r\n| where '{DeviceString}' == \"All\" or DeviceCustomString2=='{DeviceString}'\r\n| project TimeGenerated, ReceiptTime, LogSeverity, DeviceAction, ['URL Category'] =DeviceCustomString2, DestinationPort, DestinationIP, Message, SourcePort, SourceIP, DestinationUserID, RequestURL",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Wildfire events",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"filter": true
"filter": true,
"labelSettings": []
}
},
"name": "Wildfire events"
@ -1060,12 +1316,23 @@
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where (DeviceProduct has 'PAN-OS'\r\n or DeviceProduct has 'LF'\r\n )| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where Activity =~ 'THREAT'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where DeviceEventClassID =~ 'file'\r\n| where DeviceAction contains 'deny'\r\n| summarize ProtocolCount=count() by ApplicationProtocol\r\n| top 5 by ProtocolCount desc\r\n",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Top 5 denied files, by application protocol",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "ApplicationProtocol",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "ProtocolCount",
"formatter": 4,
@ -1074,7 +1341,8 @@
"showIcon": true
}
}
]
],
"labelSettings": []
}
},
"customWidth": "33",
@ -1086,12 +1354,23 @@
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where (DeviceProduct has 'PAN-OS'\r\n or DeviceProduct has 'LF'\r\n )| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where Activity =~ 'THREAT'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where DeviceEventClassID =~ 'file'\r\n| where DeviceAction !contains 'deny'\r\n| summarize ProtocolCount=count() by ApplicationProtocol\r\n| top 5 by ProtocolCount desc\r\n",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Top 5 allowed files, by application protocol",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "ApplicationProtocol",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "ProtocolCount",
"formatter": 4,
@ -1100,7 +1379,8 @@
"showIcon": true
}
}
]
],
"labelSettings": []
}
},
"customWidth": "33",
@ -1112,12 +1392,23 @@
"version": "KqlItem/1.0",
"query": "//Palo Alto File Category By Action Summary\r\nCommonSecurityLog\r\n| where (DeviceProduct has 'PAN-OS'\r\n or DeviceProduct has 'LF'\r\n )| where DeviceVendor =~ 'Palo Alto Networks' \r\n| where Activity =~ 'THREAT'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where DeviceEventClassID =~ 'file' \r\n| extend PACategory= coalesce(\r\n column_ifexists(\"DeviceEventCategory\", \"\"),\r\n extract(';cat=(.*?)($|;)',1,AdditionalExtensions),\r\n \"\"\r\n )\r\n| summarize CategoryCount=count() by PACategory\r\n| sort by CategoryCount",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Summary of Palo Alto file categories, by activity",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "PACategory",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "CategoryCount",
"formatter": 4,
@ -1132,7 +1423,8 @@
}
}
}
]
],
"labelSettings": []
}
},
"customWidth": "33",
@ -1144,11 +1436,15 @@
"version": "KqlItem/1.0",
"query": "let data = CommonSecurityLog\r\n| where (DeviceProduct has 'PAN-OS'\r\n or DeviceProduct has 'LF'\r\n )| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where Activity =~ 'THREAT'\r\n| where DeviceEventClassID =~'file'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP});\r\ndata\r\n| summarize Count = count() by DeviceAction\r\n| join kind = inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by DeviceAction)\r\n on DeviceAction\r\n| project-away DeviceAction1, TimeGenerated\r\n| extend DeviceActions = DeviceAction\r\n| union (\r\n data \r\n | summarize Count = count() \r\n | extend jkey = 1\r\n | join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\r\n | extend jkey = 1) on jkey\r\n | extend DeviceAction = 'All', DeviceActions = '*' \r\n)\r\n| project DeviceAction, Count, Trend\r\n| order by Count desc\r\n| take 10\r\n",
"size": 4,
"title": "Summary of file type activities",
"timeContextFromParameter": "TimeRange",
"exportFieldName": "DeviceAction",
"exportParameterName": "SelectedDA",
"exportDefaultValue": "All",
"exportToExcelOptions": "visible",
"title": "Summary of file type activities",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
@ -1194,7 +1490,11 @@
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where (DeviceProduct has 'PAN-OS'\r\n or DeviceProduct has 'LF'\r\n )| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where Activity =~ 'THREAT'\r\n| where DeviceEventClassID =~ 'file'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where '{SelectedDA}' == \"All\" or DeviceAction == '{SelectedDA}'\r\n| summarize ActionCount=count() by DeviceAction, bin(TimeGenerated, {TimeRange:grain})\r\n",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Compare allowed and denied files, by time",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
@ -1203,9 +1503,7 @@
"name": "Compare allowed and denied files by time"
}
],
"fallbackResourceIds": [
"/subscriptions/4383ac89-7cd1-48c1-8061-b0b3c5ccfd97/resourcegroups/v-muuppugund/providers/microsoft.operationalinsights/workspaces/testsentinel"
],
"styleSettings": {},
"fromTemplateId": "sentinel-PaloAltoOverview",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}
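Review bot: The formatter entries added at the end of the two Wildfire tile hunks (`@ -899,6 +1093,34 @@` and `@ -980,6 +1208,34 @@`, the `columnMatch` objects for `DeviceActions`, `jkey`, `TimeGenerated` and `jkey1`) target columns those tiles never emit, because both queries end in an explicit projection (`| project DeviceAction, Count, Trend` and `| project DeviceCustomString2, Count, Trend`), so they read as editor-captured leftovers from an earlier query and should be dropped rather than committed. In the "Top 5 Wildfire verdicts" tile the surviving `gridSettings` still formats and sorts on `DeviceAction` (`"columnMatch": "DeviceAction"` and `"itemKey": "DeviceAction"` in `@ -987,14 +1243,9 @@`) although that query projects only `DeviceCustomString2`, `Count` and `Trend`; the commit removes the duplicated `sortBy` block there but leaves the key pointing at a column that does not exist, so `"itemKey": "DeviceCustomString2"` and `"columnMatch": "DeviceCustomString2"` appear to be the intended values. Which lines are old and which are new is inferred from the hunk counts, since the rendered view has dropped the `+`/`-` markers.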