Updating to include new CEF Changes
This commit is contained in:
Родитель
e030fbc51d
Коммит
1b1b1b6bea
|
@ -64,10 +64,13 @@ output {
|
||||||
"deviceCustomFloatingPoint4",
|
"deviceCustomFloatingPoint4",
|
||||||
"deviceCustomFloatingPoint4Label",
|
"deviceCustomFloatingPoint4Label",
|
||||||
"deviceCustomNumber1",
|
"deviceCustomNumber1",
|
||||||
|
"fieldDeviceCustomNumber1",
|
||||||
"deviceCustomNumber1Label",
|
"deviceCustomNumber1Label",
|
||||||
"deviceCustomNumber2",
|
"deviceCustomNumber2",
|
||||||
|
"fieldDeviceCustomNumber2",
|
||||||
"deviceCustomNumber2Label",
|
"deviceCustomNumber2Label",
|
||||||
"deviceCustomNumber3",
|
"deviceCustomNumber3",
|
||||||
|
"fieldDeviceCustomNumber3",
|
||||||
"deviceCustomNumber3Label",
|
"deviceCustomNumber3Label",
|
||||||
"baseEventCount",
|
"baseEventCount",
|
||||||
"deviceCustomString1",
|
"deviceCustomString1",
|
||||||
|
@ -131,7 +134,8 @@ output {
|
||||||
"destinationLatitude",
|
"destinationLatitude",
|
||||||
"categoryDeviceType",
|
"categoryDeviceType",
|
||||||
"managerReceiptTime",
|
"managerReceiptTime",
|
||||||
"agentMacAddress"
|
"agentMacAddress",
|
||||||
|
"reason"
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -381,10 +381,13 @@ output {
|
||||||
"deviceCustomFloatingPoint4",
|
"deviceCustomFloatingPoint4",
|
||||||
"deviceCustomFloatingPoint4Label",
|
"deviceCustomFloatingPoint4Label",
|
||||||
"deviceCustomNumber1",
|
"deviceCustomNumber1",
|
||||||
|
"fieldDeviceCustomNumber1",
|
||||||
"deviceCustomNumber1Label",
|
"deviceCustomNumber1Label",
|
||||||
"deviceCustomNumber2",
|
"deviceCustomNumber2",
|
||||||
|
"fieldDeviceCustomNumber2",
|
||||||
"deviceCustomNumber2Label",
|
"deviceCustomNumber2Label",
|
||||||
"deviceCustomNumber3",
|
"deviceCustomNumber3",
|
||||||
|
"fieldDeviceCustomNumber3"
|
||||||
"deviceCustomNumber3Label",
|
"deviceCustomNumber3Label",
|
||||||
"baseEventCount",
|
"baseEventCount",
|
||||||
"deviceCustomString1",
|
"deviceCustomString1",
|
||||||
|
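Review bot: The added `"fieldDeviceCustomNumber3"` entry in hunk @-381 has no trailing comma, yet the unchanged `"deviceCustomNumber3Label",` line follows it, so two list elements run together and the array will not parse; the same entry in the @-64 hunk above is written `"fieldDeviceCustomNumber3",`. Change the added line to `"fieldDeviceCustomNumber3",`. The enclosing `output {` block starts and ends outside the hunk, so the file type is inferred from the header context only, but both Logstash-style and JSON arrays require the separator.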
@ -501,7 +504,8 @@ output {
|
||||||
"destinationGeoCountryCode3",
|
"destinationGeoCountryCode3",
|
||||||
"destinationASNsOrg",
|
"destinationASNsOrg",
|
||||||
"destinationASN",
|
"destinationASN",
|
||||||
"destinationDnsDomain"
|
"destinationDnsDomain",
|
||||||
|
"reason"
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -30,20 +30,26 @@ query: |
|
||||||
| where DestinationPort !between (toint(49512) .. toint(65535))
|
| where DestinationPort !between (toint(49512) .. toint(65535))
|
||||||
| where Computer != ""
|
| where Computer != ""
|
||||||
| where DestinationIP !startswith "10."
|
| where DestinationIP !startswith "10."
|
||||||
|
| extend Reason = coalesce(
|
||||||
|
column_ifexists("Reason", ""),
|
||||||
|
extract("reason=(.+?)(;|$)", 1, AdditionalExtensions),
|
||||||
|
""
|
||||||
|
)
|
||||||
// Filter out any graceful reset reasons of AGED OUT which occurs when a TCP session closes with a FIN due to aging out.
|
// Filter out any graceful reset reasons of AGED OUT which occurs when a TCP session closes with a FIN due to aging out.
|
||||||
| where AdditionalExtensions !has "reason=aged-out"
|
| where Reason !has "aged-out"
|
||||||
// Filter out any TCP FIN which occurs when a TCP FIN is used to gracefully close half or both sides of a connection.
|
// Filter out any TCP FIN which occurs when a TCP FIN is used to gracefully close half or both sides of a connection.
|
||||||
| where AdditionalExtensions !has "reason=tcp-fin"
|
| where Reason !has "tcp-fin"
|
||||||
// Uncomment one of the following where clauses to trigger on specific TCP reset reasons
|
// Uncomment one of the following where clauses to trigger on specific TCP reset reasons
|
||||||
// See Palo Alto article for details - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK
|
// See Palo Alto article for details - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK
|
||||||
// TCP RST-server - Occurs when the server sends a TCP reset to the client
|
// TCP RST-server - Occurs when the server sends a TCP reset to the client
|
||||||
// | where AdditionalExtensions has "reason=tcp-rst-from-server"
|
// | where AdditionalExtensions has "reason=tcp-rst-from-server"
|
||||||
// TCP RST-client - Occurs when the client sends a TCP reset to the server
|
// TCP RST-client - Occurs when the client sends a TCP reset to the server
|
||||||
// | where AdditionalExtensions has "reason=tcp-rst-from-client"
|
// | where AdditionalExtensions has "reason=tcp-rst-from-client"
|
||||||
| extend reason = tostring(split(AdditionalExtensions, ";")[3])
|
// Already performed
|
||||||
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction, DestinationIP
|
//| extend reason = tostring(split(AdditionalExtensions, ";")[3])
|
||||||
|
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, Reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction, DestinationIP
|
||||||
| where count_ >= 10
|
| where count_ >= 10
|
||||||
| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), makeset(DestinationIP), totalcount = sum(count_) by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction
|
| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), makeset(DestinationIP), totalcount = sum(count_) by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, Reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction
|
||||||
| extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName
|
| extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName
|
||||||
entityMappings:
|
entityMappings:
|
||||||
- entityType: Account
|
- entityType: Account
|
||||||
|
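Review bot: The two commented-out trigger clauses kept as context (`// | where AdditionalExtensions has "reason=tcp-rst-from-server"` and the `-client` one) still match on the raw extension string, while the filtering this hunk adds now goes through the new `Reason` column built with `column_ifexists("Reason", "")`; an analyst who uncomments one of them will miss events whose reason arrives in the dedicated `Reason` column rather than in `AdditionalExtensions`. Update them to `// | where Reason has "tcp-rst-from-server"` and `// | where Reason has "tcp-rst-from-client"` so the optional filters use the same source as the active ones. The replacement comment `// Already performed` above the commented-out `extend reason = ...` line does not say what was performed; a wording such as `// reason is now derived into Reason above (Reason column, falling back to the reason= extension)` would make the dead line self-explanatory. The `query:` block begins before the hunk and continues after it.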
@ -58,5 +64,5 @@ entityMappings:
|
||||||
fieldMappings:
|
fieldMappings:
|
||||||
- identifier: Address
|
- identifier: Address
|
||||||
columnName: IPCustomEntity
|
columnName: IPCustomEntity
|
||||||
version: 1.0.0
|
version: 1.0.1
|
||||||
kind: Scheduled
|
kind: Scheduled
|
|
@ -21,7 +21,10 @@ CommonSecurityLog
|
||||||
SourceUserName = replace(@'\^', @'/', SourceUserName)
|
SourceUserName = replace(@'\^', @'/', SourceUserName)
|
||||||
| extend AdditionalExtensions = replace(@"$", @";", AdditionalExtensions),
|
| extend AdditionalExtensions = replace(@"$", @";", AdditionalExtensions),
|
||||||
workstationID = extract("workstationID=(.*?);", 1, AdditionalExtensions),
|
workstationID = extract("workstationID=(.*?);", 1, AdditionalExtensions),
|
||||||
end = extract("end=(.*?);", 1, AdditionalExtensions),
|
end = coalesce(
|
||||||
|
extract("end=(.*?);", 1, AdditionalExtensions),
|
||||||
|
tostring(column_ifexists("EndTime", ""))
|
||||||
|
),
|
||||||
flag = extract("flag=(.*?);", 1, AdditionalExtensions),
|
flag = extract("flag=(.*?);", 1, AdditionalExtensions),
|
||||||
AUDITSESSION = extract("AUDITSESSION=(.*?);", 1, AdditionalExtensions),
|
AUDITSESSION = extract("AUDITSESSION=(.*?);", 1, AdditionalExtensions),
|
||||||
BTGREASON = extract("BTGREASON=(.*?);", 1, AdditionalExtensions),
|
BTGREASON = extract("BTGREASON=(.*?);", 1, AdditionalExtensions),
|
||||||
|
|
|
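Review bot: The new `end = coalesce(extract("end=(.*?);", 1, AdditionalExtensions), tostring(column_ifexists("EndTime", "")))` prefers the legacy extension text over the dedicated column, which is the opposite precedence from the other parser in this commit (`coalesce(column_ifexists("FieldDeviceCustomNumber1", int(null)), DeviceCustomNumber1)` in the @-12 hunk below); when both sources are populated, `end` carries whatever text the `end=` extension used instead of the `tostring()` of the column, so the value format can differ between events. If the column is meant to win, write `end = coalesce(tostring(column_ifexists("EndTime", datetime(null))), extract("end=(.*?);", 1, AdditionalExtensions)),`, which also matches the `start` handling in the @-47 hunk below. The `extend` statement starts before the hunk and continues past it.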
@ -12,9 +12,12 @@
|
||||||
// Functions usually takes 10-15 minutes to activate. You can then use function alias from any other queries (e.g. PAN_CL | take 10).
|
// Functions usually takes 10-15 minutes to activate. You can then use function alias from any other queries (e.g. PAN_CL | take 10).
|
||||||
//
|
//
|
||||||
//
|
//
|
||||||
|
|
||||||
CommonSecurityLog
|
CommonSecurityLog
|
||||||
| where DeviceVendor == "Palo Alto Networks"
|
| where DeviceVendor == "Palo Alto Networks"
|
||||||
|
| extend DeviceCustomNumber1 = coalesce(column_ifexists("FieldDeviceCustomNumber1", int(null)),DeviceCustomNumber1),
|
||||||
|
DeviceCustomNumber2 = coalesce(column_ifexists("FieldDeviceCustomNumber2", int(null)),DeviceCustomNumber2),
|
||||||
|
DeviceCustomNumber3 = coalesce(column_ifexists("FieldDeviceCustomNumber3", int(null)),DeviceCustomNumber3),
|
||||||
|
ExternalID = coalesce(column_ifexists("ExtID", ""),tostring(ExternalID))
|
||||||
| extend AdditionalExtensions = replace(@"$", @";", AdditionalExtensions)
|
| extend AdditionalExtensions = replace(@"$", @";", AdditionalExtensions)
|
||||||
| extend PanOSPacketsReceived = extract(@"PanOSPacketsReceived=(.*?);", 1, AdditionalExtensions),
|
| extend PanOSPacketsReceived = extract(@"PanOSPacketsReceived=(.*?);", 1, AdditionalExtensions),
|
||||||
PanOSPacketsSent = extract(@"PanOSPacketsSent=(.*?);", 1, AdditionalExtensions),
|
PanOSPacketsSent = extract(@"PanOSPacketsSent=(.*?);", 1, AdditionalExtensions),
|
||||||
|
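Review bot: `ExternalID = coalesce(column_ifexists("ExtID", ""),tostring(ExternalID))` re-types `ExternalID` as a string inside the function; the `tostring()` wrapper suggests the table column is numeric, in which case every consumer of the `PAN_CL` alias that compares, sorts or joins on `ExternalID` as a number silently changes behaviour. If the string type is intended, say so in the header comment of the function (the `//` block at the top of the hunk) so callers can adapt; otherwise keep the numeric type, e.g. `ExternalID = coalesce(toint(column_ifexists("ExtID", "")), ExternalID)` — verify against the actual column type before choosing. The first `extend` also silently prefers the `Field*` columns over the legacy `DeviceCustomNumber*` ones, which is fine but worth a one-line comment such as `// new CEF field columns take precedence over the legacy DeviceCustomNumber* columns`.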
@ -47,6 +50,9 @@ CommonSecurityLog
|
||||||
LogProfile = DeviceCustomString6,
|
LogProfile = DeviceCustomString6,
|
||||||
TotalBytes = FlexNumber1,
|
TotalBytes = FlexNumber1,
|
||||||
Flags = FlexString1
|
Flags = FlexString1
|
||||||
|
| extend start = coalesce(tostring(column_ifexists("StartTime",datetime(null))),start),
|
||||||
|
reason = coalesce(column_ifexists("Reason",""),reason),
|
||||||
|
cat = coalesce(column_ifexists("DeviceEventCategory",""),cat)
|
||||||
| project-away FlexString1Label,
|
| project-away FlexString1Label,
|
||||||
FlexString1,
|
FlexString1,
|
||||||
FlexNumber1Label,
|
FlexNumber1Label,
|
||||||
|
|
|
@ -15,7 +15,9 @@
|
||||||
"multiSelect": true,
|
"multiSelect": true,
|
||||||
"quote": "'",
|
"quote": "'",
|
||||||
"delimiter": ",",
|
"delimiter": ",",
|
||||||
"value": [],
|
"value": [
|
||||||
|
"/subscriptions/4383ac89-7cd1-48c1-8061-b0b3c5ccfd97"
|
||||||
|
],
|
||||||
"typeSettings": {
|
"typeSettings": {
|
||||||
"additionalResourceOptions": [],
|
"additionalResourceOptions": [],
|
||||||
"includeAll": false
|
"includeAll": false
|
||||||
|
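Review bot: The hunk replaces the empty `"value": []` default of the subscription parameter with a hard-coded subscription ID (`/subscriptions/4383ac89-7cd1-48c1-8061-b0b3c5ccfd97`), and the @-35 hunk below adds a fixed workspace resource ID under `resourceGroups/CATTesting/.../workspaces/CAT-LogAnalytics`; these look like the author's test environment, and shipping them in the workbook template means every other deployment points at a resource the user does not have while publishing an internal subscription and workspace identifier. Restore `"value": [],` here and drop the added `"value": "/subscriptions/..."` line (and the comma added to `"resourceType"`) in the @-35 hunk, leaving the selection to the user as before. The remaining changes in this file, removing the static `"timeContext"` blocks in favour of `"timeContextFromParameter": "TimeRange"` and routing `ThreatId` through `column_ifexists("DeviceEventCategory", "")`, look consistent.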
@ -35,7 +37,8 @@
|
||||||
"additionalResourceOptions": []
|
"additionalResourceOptions": []
|
||||||
},
|
},
|
||||||
"queryType": 1,
|
"queryType": 1,
|
||||||
"resourceType": "microsoft.resourcegraph/resources"
|
"resourceType": "microsoft.resourcegraph/resources",
|
||||||
|
"value": "/subscriptions/4383ac89-7cd1-48c1-8061-b0b3c5ccfd97/resourceGroups/CATTesting/providers/Microsoft.OperationalInsights/workspaces/CAT-LogAnalytics"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"id": "9fa77675-1222-4936-89d0-285da325bba0",
|
"id": "9fa77675-1222-4936-89d0-285da325bba0",
|
||||||
|
@ -142,9 +145,6 @@
|
||||||
"size": 1,
|
"size": 1,
|
||||||
"title": "📊 Data flow over Time - TimeBrush enabled. You can click within this chart and select a subset of the data. TimeRange selected: {TimeRange:label} with Automatic Time Grain of: {TimeRange:grain}",
|
"title": "📊 Data flow over Time - TimeBrush enabled. You can click within this chart and select a subset of the data. TimeRange selected: {TimeRange:label} with Automatic Time Grain of: {TimeRange:grain}",
|
||||||
"color": "pink",
|
"color": "pink",
|
||||||
"timeContext": {
|
|
||||||
"durationMs": 604800000
|
|
||||||
},
|
|
||||||
"timeContextFromParameter": "TimeRange",
|
"timeContextFromParameter": "TimeRange",
|
||||||
"timeBrushParameterName": "TimeRange",
|
"timeBrushParameterName": "TimeRange",
|
||||||
"timeBrushExportOnlyWhenBrushed": true,
|
"timeBrushExportOnlyWhenBrushed": true,
|
||||||
|
@ -221,9 +221,6 @@
|
||||||
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| summarize count() by DeviceAction\r\n| order by count_ desc",
|
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| summarize count() by DeviceAction\r\n| order by count_ desc",
|
||||||
"size": 3,
|
"size": 3,
|
||||||
"title": "Count by Actions ",
|
"title": "Count by Actions ",
|
||||||
"timeContext": {
|
|
||||||
"durationMs": 604800000
|
|
||||||
},
|
|
||||||
"timeContextFromParameter": "TimeRange",
|
"timeContextFromParameter": "TimeRange",
|
||||||
"queryType": 0,
|
"queryType": 0,
|
||||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||||
|
@ -283,9 +280,6 @@
|
||||||
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| summarize count() by Protocol\r\n| order by Protocol asc, count_ desc",
|
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| summarize count() by Protocol\r\n| order by Protocol asc, count_ desc",
|
||||||
"size": 3,
|
"size": 3,
|
||||||
"title": "Count by Protocols",
|
"title": "Count by Protocols",
|
||||||
"timeContext": {
|
|
||||||
"durationMs": 604800000
|
|
||||||
},
|
|
||||||
"timeContextFromParameter": "TimeRange",
|
"timeContextFromParameter": "TimeRange",
|
||||||
"queryType": 0,
|
"queryType": 0,
|
||||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||||
|
@ -357,9 +351,6 @@
|
||||||
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| summarize count() by DeviceName\r\n| order by count_ desc",
|
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| summarize count() by DeviceName\r\n| order by count_ desc",
|
||||||
"size": 3,
|
"size": 3,
|
||||||
"title": "Count by DeviceName",
|
"title": "Count by DeviceName",
|
||||||
"timeContext": {
|
|
||||||
"durationMs": 604800000
|
|
||||||
},
|
|
||||||
"timeContextFromParameter": "TimeRange",
|
"timeContextFromParameter": "TimeRange",
|
||||||
"queryType": 0,
|
"queryType": 0,
|
||||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||||
|
@ -416,12 +407,9 @@
|
||||||
"type": 3,
|
"type": 3,
|
||||||
"content": {
|
"content": {
|
||||||
"version": "KqlItem/1.0",
|
"version": "KqlItem/1.0",
|
||||||
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where isnotempty(DeviceEventClassID) \r\n| extend ThreatId = extract('cat=([^;]+)',1,AdditionalExtensions) \r\n| where isnotempty(ThreatId)\r\n| summarize Amount=count() by ThreatId, LogSeverity\r\n| order by LogSeverity desc",
|
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where isnotempty(DeviceEventClassID) \r\n| extend ThreatId = coalesce(\r\n column_ifexists(\"DeviceEventCategory\", \"\"),\r\n extract('cat=([^;]+)',1,AdditionalExtensions),\r\n \"\"\r\n )\r\n| where isnotempty(ThreatId)\r\n| summarize Amount=count() by ThreatId, LogSeverity\r\n| order by LogSeverity desc",
|
||||||
"size": 3,
|
"size": 3,
|
||||||
"title": "Count by Threats",
|
"title": "Count by Threats",
|
||||||
"timeContext": {
|
|
||||||
"durationMs": 604800000
|
|
||||||
},
|
|
||||||
"timeContextFromParameter": "TimeRange",
|
"timeContextFromParameter": "TimeRange",
|
||||||
"queryType": 0,
|
"queryType": 0,
|
||||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||||
|
@ -495,9 +483,6 @@
|
||||||
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| summarize count() by ApplicationProtocol\r\n| order by count_ desc",
|
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| summarize count() by ApplicationProtocol\r\n| order by count_ desc",
|
||||||
"size": 0,
|
"size": 0,
|
||||||
"title": "Count by Application Protocol ",
|
"title": "Count by Application Protocol ",
|
||||||
"timeContext": {
|
|
||||||
"durationMs": 604800000
|
|
||||||
},
|
|
||||||
"timeContextFromParameter": "TimeRange",
|
"timeContextFromParameter": "TimeRange",
|
||||||
"queryType": 0,
|
"queryType": 0,
|
||||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||||
|
@ -571,9 +556,6 @@
|
||||||
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| summarize count() by DeviceEventClassID\r\n| order by count_ desc",
|
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| summarize count() by DeviceEventClassID\r\n| order by count_ desc",
|
||||||
"size": 1,
|
"size": 1,
|
||||||
"title": "Count by EventClass",
|
"title": "Count by EventClass",
|
||||||
"timeContext": {
|
|
||||||
"durationMs": 604800000
|
|
||||||
},
|
|
||||||
"timeContextFromParameter": "TimeRange",
|
"timeContextFromParameter": "TimeRange",
|
||||||
"queryType": 0,
|
"queryType": 0,
|
||||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||||
|
@ -630,12 +612,9 @@
|
||||||
"type": 3,
|
"type": 3,
|
||||||
"content": {
|
"content": {
|
||||||
"version": "KqlItem/1.0",
|
"version": "KqlItem/1.0",
|
||||||
"query": "CommonSecurityLog\r\n| where isnotempty(DeviceEventClassID) \r\n| extend ThreatId = extract('cat=([^;]+)',1,AdditionalExtensions) \r\n| where isnotempty(ThreatId)\r\n| where AdditionalExtensions !contains \"Not\"\r\n| summarize arg_max(TimeGenerated,*) by ThreatId\r\n",
|
"query": "CommonSecurityLog\r\n| where isnotempty(DeviceEventClassID) \r\n| extend ThreatId = coalesce(\r\n column_ifexists(\"DeviceEventCategory\", \"\"),\r\n extract('cat=([^;]+)',1,AdditionalExtensions),\r\n \"\"\r\n )\r\n| where isnotempty(ThreatId)\r\n| where AdditionalExtensions !contains \"Not\"\r\n| summarize arg_max(TimeGenerated,*) by ThreatId\r\n",
|
||||||
"size": 0,
|
"size": 0,
|
||||||
"title": "Lastest Threats by ThreatId, {$rowCount}",
|
"title": "Lastest Threats by ThreatId, {$rowCount}",
|
||||||
"timeContext": {
|
|
||||||
"durationMs": 604800000
|
|
||||||
},
|
|
||||||
"timeContextFromParameter": "TimeRange",
|
"timeContextFromParameter": "TimeRange",
|
||||||
"showExportToExcel": true,
|
"showExportToExcel": true,
|
||||||
"queryType": 0,
|
"queryType": 0,
|
||||||
|
@ -737,9 +716,6 @@
|
||||||
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where DeviceAction has \"Block\"\r\n| summarize arg_max(TimeGenerated,*) by DeviceName, SourceIP",
|
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where DeviceAction has \"Block\"\r\n| summarize arg_max(TimeGenerated,*) by DeviceName, SourceIP",
|
||||||
"size": 0,
|
"size": 0,
|
||||||
"title": "Blocks by Device, {$rowCount} - Click to check IOC status",
|
"title": "Blocks by Device, {$rowCount} - Click to check IOC status",
|
||||||
"timeContext": {
|
|
||||||
"durationMs": 604800000
|
|
||||||
},
|
|
||||||
"timeContextFromParameter": "TimeRange",
|
"timeContextFromParameter": "TimeRange",
|
||||||
"exportFieldName": "SourceIP",
|
"exportFieldName": "SourceIP",
|
||||||
"exportParameterName": "IPAddress",
|
"exportParameterName": "IPAddress",
|
||||||
|
@ -820,9 +796,6 @@
|
||||||
"query": " let starttime = 14d;\r\n let endtime = 1d;\r\n let timeframe = 1h;\r\n let scorethreshold = 5;\r\n let percentotalthreshold = 50;\r\n let TimeSeriesData = CommonSecurityLog\r\n | where DeviceVendor =~ \"Cisco\"\r\n | where DeviceProduct =~ 'Firepower'\r\n | where isnotempty(DestinationIP) and isnotempty(SourceIP)\r\n | where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\r\n | project TimeGenerated,SourceIP, DestinationIP, DeviceVendor\r\n | make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor;\r\n // Filtering specific records associated with spikes as outliers\r\n let TimeSeriesAlerts=materialize(TimeSeriesData\r\n | extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, 'linefit')\r\n | mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\r\n | where anomalies > 0 | extend score = round(score,2), AnomalyHour = TimeGenerated\r\n | project DeviceVendor,AnomalyHour, TimeGenerated, Total, baseline, anomalies, score);\r\n let AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated > ago(2d) | project TimeGenerated);\r\n // Join anomalies with Base Data to popalate associated records for investigation - Results sorted by score in descending order\r\n TimeSeriesAlerts\r\n | where TimeGenerated > ago(2d)\r\n | join (\r\n CommonSecurityLog\r\n | where isnotempty(DestinationIP) and isnotempty(SourceIP)\r\n | where TimeGenerated > ago(2d)\r\n | extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\r\n | where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\r\n | summarize HourlyCount = count(), TimeGeneratedMax = arg_max(TimeGenerated, *), DestinationIPlist = make_set(DestinationIP, 100), DestinationPortlist = make_set(DestinationPort, 100) by 
DeviceVendor, SourceIP, TimeGeneratedHour= bin(TimeGenerated, 1h)\r\n | extend AnomalyHour = TimeGeneratedHour\r\n ) on AnomalyHour, DeviceVendor\r\n | extend PercentTotal = round((HourlyCount / Total) * 100, 3)\r\n | where PercentTotal > percentotalthreshold\r\n | project DeviceVendor , AnomalyHour, TimeGeneratedMax, SourceIP, DestinationIPlist, DestinationPortlist, HourlyCount, PercentTotal, Total, baseline, score, anomalies\r\n | summarize HourlyCount=sum(HourlyCount), StartTimeUtc=min(TimeGeneratedMax), EndTimeUtc=max(TimeGeneratedMax), SourceIPlist = make_set(SourceIP, 100), SourceIPMax= arg_max(SourceIP, *), DestinationIPlist = make_set(DestinationIPlist, 100), DestinationPortlist = make_set(DestinationPortlist, 100) by DeviceVendor , AnomalyHour, Total, baseline, score, anomalies\r\n | project DeviceVendor , AnomalyHour, EndTimeUtc, SourceIPMax ,SourceIPlist, DestinationIPlist, DestinationPortlist, HourlyCount, Total, baseline, score, anomalies\r\n | extend timestamp= EndTimeUtc , IPCustomEntity = SourceIPMax",
|
"query": " let starttime = 14d;\r\n let endtime = 1d;\r\n let timeframe = 1h;\r\n let scorethreshold = 5;\r\n let percentotalthreshold = 50;\r\n let TimeSeriesData = CommonSecurityLog\r\n | where DeviceVendor =~ \"Cisco\"\r\n | where DeviceProduct =~ 'Firepower'\r\n | where isnotempty(DestinationIP) and isnotempty(SourceIP)\r\n | where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\r\n | project TimeGenerated,SourceIP, DestinationIP, DeviceVendor\r\n | make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor;\r\n // Filtering specific records associated with spikes as outliers\r\n let TimeSeriesAlerts=materialize(TimeSeriesData\r\n | extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, 'linefit')\r\n | mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\r\n | where anomalies > 0 | extend score = round(score,2), AnomalyHour = TimeGenerated\r\n | project DeviceVendor,AnomalyHour, TimeGenerated, Total, baseline, anomalies, score);\r\n let AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated > ago(2d) | project TimeGenerated);\r\n // Join anomalies with Base Data to popalate associated records for investigation - Results sorted by score in descending order\r\n TimeSeriesAlerts\r\n | where TimeGenerated > ago(2d)\r\n | join (\r\n CommonSecurityLog\r\n | where isnotempty(DestinationIP) and isnotempty(SourceIP)\r\n | where TimeGenerated > ago(2d)\r\n | extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\r\n | where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\r\n | summarize HourlyCount = count(), TimeGeneratedMax = arg_max(TimeGenerated, *), DestinationIPlist = make_set(DestinationIP, 100), DestinationPortlist = make_set(DestinationPort, 100) by 
DeviceVendor, SourceIP, TimeGeneratedHour= bin(TimeGenerated, 1h)\r\n | extend AnomalyHour = TimeGeneratedHour\r\n ) on AnomalyHour, DeviceVendor\r\n | extend PercentTotal = round((HourlyCount / Total) * 100, 3)\r\n | where PercentTotal > percentotalthreshold\r\n | project DeviceVendor , AnomalyHour, TimeGeneratedMax, SourceIP, DestinationIPlist, DestinationPortlist, HourlyCount, PercentTotal, Total, baseline, score, anomalies\r\n | summarize HourlyCount=sum(HourlyCount), StartTimeUtc=min(TimeGeneratedMax), EndTimeUtc=max(TimeGeneratedMax), SourceIPlist = make_set(SourceIP, 100), SourceIPMax= arg_max(SourceIP, *), DestinationIPlist = make_set(DestinationIPlist, 100), DestinationPortlist = make_set(DestinationPortlist, 100) by DeviceVendor , AnomalyHour, Total, baseline, score, anomalies\r\n | project DeviceVendor , AnomalyHour, EndTimeUtc, SourceIPMax ,SourceIPlist, DestinationIPlist, DestinationPortlist, HourlyCount, Total, baseline, score, anomalies\r\n | extend timestamp= EndTimeUtc , IPCustomEntity = SourceIPMax",
|
||||||
"size": 0,
|
"size": 0,
|
||||||
"title": "Time series anomaly detection for total volume of traffic, {$rowCount}",
|
"title": "Time series anomaly detection for total volume of traffic, {$rowCount}",
|
||||||
"timeContext": {
|
|
||||||
"durationMs": 604800000
|
|
||||||
},
|
|
||||||
"timeContextFromParameter": "TimeRange",
|
"timeContextFromParameter": "TimeRange",
|
||||||
"queryType": 0,
|
"queryType": 0,
|
||||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||||
|
@ -872,9 +845,6 @@
|
||||||
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Cisco\"\r\n| where DeviceProduct == \"Firepower\" \r\n| where Activity == \"File Malware Event\"\r\n| where '{ComputerList}' == DeviceAction or '{ComputerList:label}' == \"<unset>\"\r\n",
|
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Cisco\"\r\n| where DeviceProduct == \"Firepower\" \r\n| where Activity == \"File Malware Event\"\r\n| where '{ComputerList}' == DeviceAction or '{ComputerList:label}' == \"<unset>\"\r\n",
|
||||||
"size": 0,
|
"size": 0,
|
||||||
"title": "File Malware Events, {$rowCount}",
|
"title": "File Malware Events, {$rowCount}",
|
||||||
"timeContext": {
|
|
||||||
"durationMs": 604800000
|
|
||||||
},
|
|
||||||
"timeContextFromParameter": "TimeRange",
|
"timeContextFromParameter": "TimeRange",
|
||||||
"queryType": 0,
|
"queryType": 0,
|
||||||
"resourceType": "microsoft.operationalinsights/workspaces"
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
||||||
|
@ -923,9 +893,6 @@
|
||||||
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Cisco\"\r\n| where DeviceProduct == \"Firepower\" \r\n| where DestinationPort == \"80\"\r\n| where '{DeviceAction}' == DeviceAction or '{DeviceAction:label}' == \"<unset>\"\r\n",
|
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Cisco\"\r\n| where DeviceProduct == \"Firepower\" \r\n| where DestinationPort == \"80\"\r\n| where '{DeviceAction}' == DeviceAction or '{DeviceAction:label}' == \"<unset>\"\r\n",
|
||||||
"size": 0,
|
"size": 0,
|
||||||
"title": "Outbound Web Traffic Port 80, {$rowCount}",
|
"title": "Outbound Web Traffic Port 80, {$rowCount}",
|
||||||
"timeContext": {
|
|
||||||
"durationMs": 604800000
|
|
||||||
},
|
|
||||||
"timeContextFromParameter": "TimeRange",
|
"timeContextFromParameter": "TimeRange",
|
||||||
"queryType": 0,
|
"queryType": 0,
|
||||||
"resourceType": "microsoft.operationalinsights/workspaces"
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
||||||
|
@ -939,9 +906,6 @@
|
||||||
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Cisco\"\r\n| where DeviceProduct == \"Firepower\"\r\n| extend bytesOut = extract('bytesOut=([^;]+)',1,AdditionalExtensions)\r\n| summarize by bytesOut, Computer, RequestURL, SourceUserName , SourceIP, SourceHostName, DestinationIP, DestinationPort\r\n| top 20 by bytesOut\r\n| order by bytesOut desc",
|
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Cisco\"\r\n| where DeviceProduct == \"Firepower\"\r\n| extend bytesOut = extract('bytesOut=([^;]+)',1,AdditionalExtensions)\r\n| summarize by bytesOut, Computer, RequestURL, SourceUserName , SourceIP, SourceHostName, DestinationIP, DestinationPort\r\n| top 20 by bytesOut\r\n| order by bytesOut desc",
|
||||||
"size": 0,
|
"size": 0,
|
||||||
"title": "Top 20 sending URLs (bytes Sent Out)",
|
"title": "Top 20 sending URLs (bytes Sent Out)",
|
||||||
"timeContext": {
|
|
||||||
"durationMs": 604800000
|
|
||||||
},
|
|
||||||
"timeContextFromParameter": "TimeRange",
|
"timeContextFromParameter": "TimeRange",
|
||||||
"showExportToExcel": true,
|
"showExportToExcel": true,
|
||||||
"queryType": 0,
|
"queryType": 0,
|
||||||
|
@ -987,9 +951,6 @@
|
||||||
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Cisco\"\r\n| where DeviceProduct == \"Firepower\" \r\n| summarize LastLogReceived = max(TimeGenerated)| project IsConnected = LastLogReceived > ago(30d), LastLogReceived, minsSinceLastLog = datetime_diff('minute',LastLogReceived, now())",
|
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Cisco\"\r\n| where DeviceProduct == \"Firepower\" \r\n| summarize LastLogReceived = max(TimeGenerated)| project IsConnected = LastLogReceived > ago(30d), LastLogReceived, minsSinceLastLog = datetime_diff('minute',LastLogReceived, now())",
|
||||||
"size": 0,
|
"size": 0,
|
||||||
"title": "IsConnected",
|
"title": "IsConnected",
|
||||||
"timeContext": {
|
|
||||||
"durationMs": 1209600000
|
|
||||||
},
|
|
||||||
"timeContextFromParameter": "TimeRange",
|
"timeContextFromParameter": "TimeRange",
|
||||||
"queryType": 0,
|
"queryType": 0,
|
||||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||||
|
@ -1029,9 +990,6 @@
|
||||||
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where _IsBillable = true\r\n| make-series billedData = sum(_BilledSize) on TimeGenerated from {TimeRange:start} to now() step 1d by Type",
|
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where _IsBillable = true\r\n| make-series billedData = sum(_BilledSize) on TimeGenerated from {TimeRange:start} to now() step 1d by Type",
|
||||||
"size": 1,
|
"size": 1,
|
||||||
"title": "Data Ingested during {TimeRange:label}",
|
"title": "Data Ingested during {TimeRange:label}",
|
||||||
"timeContext": {
|
|
||||||
"durationMs": 1209600000
|
|
||||||
},
|
|
||||||
"timeContextFromParameter": "TimeRange",
|
"timeContextFromParameter": "TimeRange",
|
||||||
"queryType": 0,
|
"queryType": 0,
|
||||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||||
|
@ -1077,9 +1035,6 @@
|
||||||
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where isnotempty(MaliciousIP)\r\n| summarize count() by MaliciousIP , MaliciousIPCountry, MaliciousIPLatitude, MaliciousIPLongitude,SourceIP, DestinationIP, DeviceName, IndicatorThreatType, ThreatConfidence, ReportReferenceLink\r\n| order by count_ desc",
|
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where isnotempty(MaliciousIP)\r\n| summarize count() by MaliciousIP , MaliciousIPCountry, MaliciousIPLatitude, MaliciousIPLongitude,SourceIP, DestinationIP, DeviceName, IndicatorThreatType, ThreatConfidence, ReportReferenceLink\r\n| order by count_ desc",
|
||||||
"size": 0,
|
"size": 0,
|
||||||
"title": "Count by Malicious IP",
|
"title": "Count by Malicious IP",
|
||||||
"timeContext": {
|
|
||||||
"durationMs": 0
|
|
||||||
},
|
|
||||||
"timeContextFromParameter": "TimeRange",
|
"timeContextFromParameter": "TimeRange",
|
||||||
"showExportToExcel": true,
|
"showExportToExcel": true,
|
||||||
"queryType": 0,
|
"queryType": 0,
|
||||||
|
@ -1140,9 +1095,6 @@
|
||||||
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where isnotempty(MaliciousIP)\r\n| summarize count() by MaliciousIP , MaliciousIPCountry, MaliciousIPLatitude, MaliciousIPLongitude\r\n| order by count_ desc",
|
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where isnotempty(MaliciousIP)\r\n| summarize count() by MaliciousIP , MaliciousIPCountry, MaliciousIPLatitude, MaliciousIPLongitude\r\n| order by count_ desc",
|
||||||
"size": 0,
|
"size": 0,
|
||||||
"title": "Malicious IP by Country",
|
"title": "Malicious IP by Country",
|
||||||
"timeContext": {
|
|
||||||
"durationMs": 0
|
|
||||||
},
|
|
||||||
"timeContextFromParameter": "TimeRange",
|
"timeContextFromParameter": "TimeRange",
|
||||||
"showExportToExcel": true,
|
"showExportToExcel": true,
|
||||||
"queryType": 0,
|
"queryType": 0,
|
||||||
|
@ -1210,9 +1162,6 @@
|
||||||
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where DeviceAction contains \"Block\"\r\n| summarize Total = count() by SourceIP, Computer\r\n| top 10 by Total\r\n//| summarize count() by DeviceAction",
|
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where DeviceAction contains \"Block\"\r\n| summarize Total = count() by SourceIP, Computer\r\n| top 10 by Total\r\n//| summarize count() by DeviceAction",
|
||||||
"size": 0,
|
"size": 0,
|
||||||
"title": "Top 10 Blocked inbound IPs",
|
"title": "Top 10 Blocked inbound IPs",
|
||||||
"timeContext": {
|
|
||||||
"durationMs": 1209600000
|
|
||||||
},
|
|
||||||
"timeContextFromParameter": "TimeRange",
|
"timeContextFromParameter": "TimeRange",
|
||||||
"queryType": 0,
|
"queryType": 0,
|
||||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||||
|
@ -1239,9 +1188,6 @@
|
||||||
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where DeviceAction contains \"Block\"\r\n| summarize Total = count() by SourcePort, Computer\r\n| top 10 by Total\r\n//| summarize count() by DeviceAction",
|
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where DeviceAction contains \"Block\"\r\n| summarize Total = count() by SourcePort, Computer\r\n| top 10 by Total\r\n//| summarize count() by DeviceAction",
|
||||||
"size": 0,
|
"size": 0,
|
||||||
"title": "Top 10 Blocked inbound Ports",
|
"title": "Top 10 Blocked inbound Ports",
|
||||||
"timeContext": {
|
|
||||||
"durationMs": 1209600000
|
|
||||||
},
|
|
||||||
"timeContextFromParameter": "TimeRange",
|
"timeContextFromParameter": "TimeRange",
|
||||||
"queryType": 0,
|
"queryType": 0,
|
||||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||||
|
@ -1268,9 +1214,6 @@
|
||||||
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where DeviceAction contains \"Block\"\r\n| summarize Total = count() by DestinationIP, Computer\r\n| top 10 by Total\r\n//| summarize count() by DeviceAction",
|
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where DeviceAction contains \"Block\"\r\n| summarize Total = count() by DestinationIP, Computer\r\n| top 10 by Total\r\n//| summarize count() by DeviceAction",
|
||||||
"size": 0,
|
"size": 0,
|
||||||
"title": "Top 10 Blocked outbound IPs",
|
"title": "Top 10 Blocked outbound IPs",
|
||||||
"timeContext": {
|
|
||||||
"durationMs": 1209600000
|
|
||||||
},
|
|
||||||
"timeContextFromParameter": "TimeRange",
|
"timeContextFromParameter": "TimeRange",
|
||||||
"queryType": 0,
|
"queryType": 0,
|
||||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||||
|
@ -1297,9 +1240,6 @@
|
||||||
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where DeviceAction contains \"Block\"\r\n| summarize Total = count() by DestinationPort, Computer\r\n| top 10 by Total\r\n//| summarize count() by DeviceAction",
|
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where DeviceAction contains \"Block\"\r\n| summarize Total = count() by DestinationPort, Computer\r\n| top 10 by Total\r\n//| summarize count() by DeviceAction",
|
||||||
"size": 0,
|
"size": 0,
|
||||||
"title": "Top 10 Blocked outbound Ports",
|
"title": "Top 10 Blocked outbound Ports",
|
||||||
"timeContext": {
|
|
||||||
"durationMs": 1209600000
|
|
||||||
},
|
|
||||||
"timeContextFromParameter": "TimeRange",
|
"timeContextFromParameter": "TimeRange",
|
||||||
"queryType": 0,
|
"queryType": 0,
|
||||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||||
|
@ -1326,9 +1266,6 @@
|
||||||
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where DeviceAction contains \"Block\"\r\n| summarize Total = count() by Protocol\r\n| top 10 by Total\r\n//| summarize count() by DeviceAction",
|
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where DeviceAction contains \"Block\"\r\n| summarize Total = count() by Protocol\r\n| top 10 by Total\r\n//| summarize count() by DeviceAction",
|
||||||
"size": 0,
|
"size": 0,
|
||||||
"title": "Top 10 Blocked Protocols",
|
"title": "Top 10 Blocked Protocols",
|
||||||
"timeContext": {
|
|
||||||
"durationMs": 1209600000
|
|
||||||
},
|
|
||||||
"timeContextFromParameter": "TimeRange",
|
"timeContextFromParameter": "TimeRange",
|
||||||
"queryType": 0,
|
"queryType": 0,
|
||||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||||
|
@ -1355,9 +1292,6 @@
|
||||||
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where DeviceAction contains \"Block\"\r\n| summarize Total = count() by Computer, DeviceName\r\n| top 10 by Total\r\n//| summarize count() by DeviceAction",
|
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where DeviceAction contains \"Block\"\r\n| summarize Total = count() by Computer, DeviceName\r\n| top 10 by Total\r\n//| summarize count() by DeviceAction",
|
||||||
"size": 0,
|
"size": 0,
|
||||||
"title": "Top 10 Blocked Computer vs. DeviceName",
|
"title": "Top 10 Blocked Computer vs. DeviceName",
|
||||||
"timeContext": {
|
|
||||||
"durationMs": 1209600000
|
|
||||||
},
|
|
||||||
"timeContextFromParameter": "TimeRange",
|
"timeContextFromParameter": "TimeRange",
|
||||||
"queryType": 0,
|
"queryType": 0,
|
||||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||||
|
@ -1415,7 +1349,7 @@
|
||||||
"{Workspace}"
|
"{Workspace}"
|
||||||
],
|
],
|
||||||
"value": [
|
"value": [
|
||||||
"Detect"
|
"value::all"
|
||||||
],
|
],
|
||||||
"typeSettings": {
|
"typeSettings": {
|
||||||
"additionalResourceOptions": [
|
"additionalResourceOptions": [
|
||||||
|
@ -1565,9 +1499,6 @@
|
||||||
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where (SourceIP in ({SourceIP}) or '{SourceIP:label}' == \"All\") \r\n and (SourcePort in ({SourcePort}) or '{SourcePort:label}' == \"All\") \r\n and (DestinationIP in ({DestinationIP}) or '{DestinationIP:label}' == \"All\") \r\n and (DestinationPort in ({DestinationPort}) or '{DestinationPort:label}' == \"All\")\r\n and (DeviceAction in ({DeviceAction}) or '{DeviceAction:label}' == \"All\")",
|
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where (SourceIP in ({SourceIP}) or '{SourceIP:label}' == \"All\") \r\n and (SourcePort in ({SourcePort}) or '{SourcePort:label}' == \"All\") \r\n and (DestinationIP in ({DestinationIP}) or '{DestinationIP:label}' == \"All\") \r\n and (DestinationPort in ({DestinationPort}) or '{DestinationPort:label}' == \"All\")\r\n and (DeviceAction in ({DeviceAction}) or '{DeviceAction:label}' == \"All\")",
|
||||||
"size": 0,
|
"size": 0,
|
||||||
"title": "Filtered View, count: {$rowCount}",
|
"title": "Filtered View, count: {$rowCount}",
|
||||||
"timeContext": {
|
|
||||||
"durationMs": 1209600000
|
|
||||||
},
|
|
||||||
"timeContextFromParameter": "TimeRange",
|
"timeContextFromParameter": "TimeRange",
|
||||||
"showExportToExcel": true,
|
"showExportToExcel": true,
|
||||||
"queryType": 0,
|
"queryType": 0,
|
||||||
|
|
|
@ -422,7 +422,7 @@
|
||||||
"type": 3,
|
"type": 3,
|
||||||
"content": {
|
"content": {
|
||||||
"version": "KqlItem/1.0",
|
"version": "KqlItem/1.0",
|
||||||
"query": "CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where DeviceEventClassID =~ 'vulnerability' \r\n| extend ThreatId = extract('cat=([^;]+)',1,AdditionalExtensions) \r\n| summarize Amount=count() by ThreatId, LogSeverity\r\n| top 20 by Amount",
|
"query": "CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where DeviceEventClassID =~ 'vulnerability' \r\n| extend ThreatId = coalesce(\r\n column_ifexists(\"DeviceEventCategory\", \"\"),\r\n extract('cat=([^;]+)',1,AdditionalExtensions),\r\n \"\"\r\n )\r\n| summarize Amount=count() by ThreatId, LogSeverity\r\n| top 20 by Amount",
|
||||||
"size": 0,
|
"size": 0,
|
||||||
"exportToExcelOptions": "visible",
|
"exportToExcelOptions": "visible",
|
||||||
"title": "Top vulnerability events",
|
"title": "Top vulnerability events",
|
||||||
|
@ -558,7 +558,7 @@
|
||||||
"type": 3,
|
"type": 3,
|
||||||
"content": {
|
"content": {
|
||||||
"version": "KqlItem/1.0",
|
"version": "KqlItem/1.0",
|
||||||
"query": "CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n//| where DeviceEventClassID =~ 'correlation' \r\n| extend ThreatId = extract('cat=([^;]+)',1,AdditionalExtensions)\r\n| extend ThreatCategory = extract('PanOSThreatCategory=([^;]+)',1, AdditionalExtensions)\r\n| summarize Amount=count() by ThreatId, ThreatCategory, LogSeverity\r\n| top 20 by Amount",
|
"query": "CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n//| where DeviceEventClassID =~ 'correlation' \r\n| extend ThreatId = coalesce(\r\n column_ifexists(\"DeviceEventCategory\", \"\"),\r\n extract('cat=([^;]+)',1,AdditionalExtensions),\r\n \"\"\r\n )\r\n| extend ThreatCategory = extract('PanOSThreatCategory=([^;]+)',1, AdditionalExtensions)\r\n| summarize Amount=count() by ThreatId, ThreatCategory, LogSeverity\r\n| top 20 by Amount",
|
||||||
"size": 0,
|
"size": 0,
|
||||||
"exportToExcelOptions": "visible",
|
"exportToExcelOptions": "visible",
|
||||||
"title": "Top correlation events",
|
"title": "Top correlation events",
|
||||||
|
|
|
@ -598,7 +598,7 @@
|
||||||
"type": 3,
|
"type": 3,
|
||||||
"content": {
|
"content": {
|
||||||
"version": "KqlItem/1.0",
|
"version": "KqlItem/1.0",
|
||||||
"query": "CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS' \r\n| where DeviceVendor =~ 'Palo Alto Networks' \r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where Activity =~ 'TRAFFIC' \r\n| where DeviceEventClassID =~ 'end' \r\n| extend Reason= extract(';reason=(.*?);',1,AdditionalExtensions)\r\n| summarize ReasonCount= count() by Reason, TimeGenerated \r\n",
|
"query": "CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS' \r\n| where DeviceVendor =~ 'Palo Alto Networks' \r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where Activity =~ 'TRAFFIC' \r\n| where DeviceEventClassID =~ 'end' \r\n| extend Reason = coalesce(\r\n column_ifexists(\"Reason\", \"\"),\r\n extract(';reason=(.*?);',1,AdditionalExtensions),\r\n \"\"\r\n )\r\n| summarize ReasonCount= count() by Reason, TimeGenerated \r\n",
|
||||||
"size": 0,
|
"size": 0,
|
||||||
"exportToExcelOptions": "visible",
|
"exportToExcelOptions": "visible",
|
||||||
"title": "Reasons for session ending, by time",
|
"title": "Reasons for session ending, by time",
|
||||||
|
@ -1390,7 +1390,7 @@
|
||||||
"type": 3,
|
"type": 3,
|
||||||
"content": {
|
"content": {
|
||||||
"version": "KqlItem/1.0",
|
"version": "KqlItem/1.0",
|
||||||
"query": "//Palo Alto File Category By Action Summary\r\nCommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS' \r\n| where DeviceVendor =~ 'Palo Alto Networks' \r\n| where Activity =~ 'THREAT'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where DeviceEventClassID =~ 'file' \r\n| extend PACategory= extract(';cat=(.*?);',1,AdditionalExtensions) \r\n| summarize CategoryCount=count() by PACategory\r\n| sort by CategoryCount\r\n",
|
"query": "//Palo Alto File Category By Action Summary\r\nCommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS' \r\n| where DeviceVendor =~ 'Palo Alto Networks' \r\n| where Activity =~ 'THREAT'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where DeviceEventClassID =~ 'file' \r\n| extend PACategory= coalesce(\r\n column_ifexists(\"DeviceEventCategory\", \"\"),\r\n extract(';cat=(.*?)($|;)',1,AdditionalExtensions),\r\n \"\"\r\n )\r\n| summarize CategoryCount=count() by PACategory\r\n| sort by CategoryCount",
|
||||||
"size": 0,
|
"size": 0,
|
||||||
"exportToExcelOptions": "visible",
|
"exportToExcelOptions": "visible",
|
||||||
"title": "Summary of Palo Alto file categories, by activity",
|
"title": "Summary of Palo Alto file categories, by activity",
|
||||||
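Review bot: The session-end query in the `@ -598` hunk still falls back to `extract(';reason=(.*?);',1,AdditionalExtensions)`, which requires a terminating semicolon, so a `reason=` value that is the last key in AdditionalExtensions is never captured and those rows land in the empty-string Reason group produced by the trailing `""` in coalesce; the file-category hunk at `@ -1390` was changed to `';cat=(.*?)($|;)'` for exactly this case, so the reason fallback should match it: `extract(';reason=(.*?)($|;)',1,AdditionalExtensions)`. The same two hunks also keep the pre-existing `{Destination_IP:lable}` / `{Source_IP:lable}` parameter formatters; if the workbook does not recognise `lable` the `== "All"` comparison can never be true and the filter silently falls through to the `in (...)` list, which is worth confirming against the parameter definitions, which are outside this diff. The enclosing workbook item JSON starts and ends outside each hunk.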
|
|
|
@ -84,7 +84,7 @@
|
||||||
"dataTypesDependencies": [ "CommonSecurityLog" ],
|
"dataTypesDependencies": [ "CommonSecurityLog" ],
|
||||||
"dataConnectorsDependencies": [ "PaloAltoNetworks" ],
|
"dataConnectorsDependencies": [ "PaloAltoNetworks" ],
|
||||||
"previewImagesFileNames": [ "PaloAltoOverviewWhite1.png", "PaloAltoOverviewBlack1.png", "PaloAltoOverviewWhite2.png", "PaloAltoOverviewBlack2.png", "PaloAltoOverviewWhite3.png", "PaloAltoOverviewBlack3.png" ],
|
"previewImagesFileNames": [ "PaloAltoOverviewWhite1.png", "PaloAltoOverviewBlack1.png", "PaloAltoOverviewWhite2.png", "PaloAltoOverviewBlack2.png", "PaloAltoOverviewWhite3.png", "PaloAltoOverviewBlack3.png" ],
|
||||||
"version": "1.2.0",
|
"version": "1.2.2",
|
||||||
"title": "Palo Alto overview",
|
"title": "Palo Alto overview",
|
||||||
"templateRelativePath": "PaloAltoOverview.json",
|
"templateRelativePath": "PaloAltoOverview.json",
|
||||||
"subtitle": "",
|
"subtitle": "",
|
||||||
|
@ -1541,7 +1541,7 @@
|
||||||
"dataTypesDependencies": [ "CommonSecurityLog"],
|
"dataTypesDependencies": [ "CommonSecurityLog"],
|
||||||
"dataConnectorsDependencies": [],
|
"dataConnectorsDependencies": [],
|
||||||
"previewImagesFileNames": [ "CiscoFirepowerBlack.png", "CiscoFirepowerWhite.png" ],
|
"previewImagesFileNames": [ "CiscoFirepowerBlack.png", "CiscoFirepowerWhite.png" ],
|
||||||
"version": "1.0.0",
|
"version": "1.0.1",
|
||||||
"title": "Cisco Firepower",
|
"title": "Cisco Firepower",
|
||||||
"templateRelativePath": "CiscoFirepower.json",
|
"templateRelativePath": "CiscoFirepower.json",
|
||||||
"subtitle": "",
|
"subtitle": "",
|
||||||
|
|