change Json to include time brush
morshabi 2020-04-12 09:42:43 +03:00 коммит произвёл GitHub
Родитель c3ad10de2f
Коммит 28fe87c28b
1 изменённых файлов: 58 добавлений и 27 удалений


@ -22,7 +22,7 @@
"name": "DefaultWorkspace",
"type": 5,
"isRequired": true,
"value": "/subscriptions/44e4eff8-1fcb-4a22-a7d6-992ac7286382/resourcegroups/soc/providers/microsoft.operationalinsights/workspaces/cybersecuritydemo",
"value": "/subscriptions/<subs_ID>/resourcegroups/<rg_name>/providers/microsoft.operationalinsights/workspaces/<workspace_name>",
"isHiddenWhenLocked": true,
"typeSettings": {
"resourceTypeFilter": {
@ -99,9 +99,6 @@
"crossComponentResources": [
"value::all"
],
"value": [
"/subscriptions/44e4eff8-1fcb-4a22-a7d6-992ac7286382"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
@ -138,7 +135,7 @@
"name": "TimeRange",
"type": 4,
"value": {
"durationMs": 5184000000
"durationMs": 86400000
},
"typeSettings": {
"selectableValues": [
@ -383,11 +380,12 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityEvent\r\n| where EventID in (5140, 5142, 5143, 5144, 5168)\r\n| project Account , Computer , EventData , EventID , Activity ",
"query": "SecurityEvent\r\n| where EventID in (5140, 5142, 5143, 5144, 5168)\r\n| project TimeGenerated, Account , Computer , EventData , EventID , Activity ",
"size": 0,
"timeContext": {
"durationMs": 86400000
},
"timeContextFromParameter": "TimeBrush",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table",
@ -451,7 +449,7 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityEvent\r\n| where EventID in (4656, 4658, 4660, 4663, 4664, 4985, 5051, 4670)\r\n| project Account , Computer , EventData , EventID , Activity ",
"query": "SecurityEvent\r\n| where EventID in (4656, 4658, 4660, 4663, 4664, 4985, 5051, 4670)\r\n| project TimeGenerated, Account , Computer , EventData , EventID , Activity ",
"size": 0,
"timeContext": {
"durationMs": 86400000
@ -502,9 +500,8 @@
"size": 1,
"showAnnotations": true,
"timeContext": {
"durationMs": 0
"durationMs": 2592000000
},
"timeContextFromParameter": "TimeRange",
"timeBrushParameterName": "TimeBrush",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
@ -516,10 +513,10 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityEvent\r\n| where EventID in (4658, 4690)\r\n| project Account , Computer , EventData , EventID , Activity ",
"query": "SecurityEvent\r\n| where EventID in (4658, 4690)\r\n| project TimeGenerated, Account , Computer , EventData , EventID , Activity ",
"size": 0,
"timeContext": {
"durationMs": 86400000
"durationMs": 0
},
"timeContextFromParameter": "TimeBrush",
"queryType": 0,
@ -567,9 +564,8 @@
"size": 1,
"showAnnotations": true,
"timeContext": {
"durationMs": 0
"durationMs": 2592000000
},
"timeContextFromParameter": "TimeRange",
"timeBrushParameterName": "TimeBrush",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
@ -581,10 +577,10 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityEvent\r\n| where EventID in (5031, 5150, 5151, 5154, 5155, 5156, 5157, 5158, 5159)\r\n| project Account , Computer , EventData , EventID , Activity",
"query": "SecurityEvent\r\n| where EventID in (5031, 5150, 5151, 5154, 5155, 5156, 5157, 5158, 5159)\r\n| project TimeGenerated, Account , Computer , EventData , EventID , Activity",
"size": 0,
"timeContext": {
"durationMs": 86400000
"durationMs": 0
},
"timeContextFromParameter": "TimeBrush",
"queryType": 0,
@ -646,10 +642,10 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityEvent\r\n| where EventID in (4656, 4658, 4660, 4663)\r\n| project Account , Computer , EventData , EventID , Activity ",
"query": "SecurityEvent\r\n| where EventID in (4656, 4658, 4660, 4663)\r\n| project TimeGenerated, Account , Computer , EventData , EventID , Activity ",
"size": 0,
"timeContext": {
"durationMs": 86400000
"durationMs": 0
},
"timeContextFromParameter": "TimeBrush",
"queryType": 0,
@ -732,7 +728,7 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityEvent\r\n| where EventID in (4671, 4691, 5148, 5149, 4698, 4699, 4700, 4701, 4702, 5888, 5889, 5890)\r\n| project Account , Computer , EventData , EventID , Activity ",
"query": "SecurityEvent\r\n| where EventID in (4671, 4691, 5148, 5149, 4698, 4699, 4700, 4701, 4702, 5888, 5889, 5890)\r\n| project TimeGenerated, Account , Computer , EventData , EventID , Activity ",
"size": 0,
"timeContext": {
"durationMs": 0
@ -796,7 +792,7 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityEvent\r\n| where EventID in (4663, 4656, 4658, 4660, 4657, 5039, 4670)\r\n| project Account , Computer , EventData , EventID , Activity ",
"query": "SecurityEvent\r\n| where EventID in (4663, 4656, 4658, 4660, 4657, 5039, 4670)\r\n| project TimeGenerated, Account , Computer , EventData , EventID , Activity ",
"size": 0,
"timeContext": {
"durationMs": 0
@ -861,7 +857,7 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityEvent\r\n| where EventID in (4656, 4658, 4663)\r\n| project Account , Computer , EventData , EventID , Activity ",
"query": "SecurityEvent\r\n| where EventID in (4656, 4658, 4663)\r\n| project TimeGenerated, Account , Computer , EventData , EventID , Activity ",
"size": 0,
"timeContext": {
"durationMs": 0
@ -892,6 +888,7 @@
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"loadType": "always",
"items": [
{
"type": 1,
@ -907,13 +904,12 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityEvent\r\n| where EventID == 4661\r\n| project TimeGenerated, Account , AccountType , Computer , EventSourceName , Channel , Task , EventData , EventID , Activity \r\n| top 1000 by TimeGenerated desc",
"query": "SecurityEvent\r\n| where EventID == 4661\r\n| project TimeGenerated, Account , AccountType , Computer , EventSourceName , Channel , Task , EventData , EventID , Activity ",
"size": 1,
"showAnnotations": true,
"timeContext": {
"durationMs": 0
"durationMs": 2592000000
},
"timeContextFromParameter": "TimeRange",
"timeBrushParameterName": "TimeBrush",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
@ -925,7 +921,7 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityEvent\r\n| where EventID == 4661\r\n| project Account , Computer , EventData , EventID , Activity ",
"query": "SecurityEvent\r\n| where EventID == 4661\r\n| project TimeGenerated, Account , Computer , EventData , EventID , Activity ",
"size": 0,
"timeContext": {
"durationMs": 0
@ -956,6 +952,7 @@
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"loadType": "always",
"items": [
{
"type": 1,
@ -969,11 +966,28 @@
"content": {
"version": "KqlItem/1.0",
"query": "SecurityEvent\r\n| where EventID in (4715, 4719, 4817, 4902, 4906, 4907, 4908, 4912, 4904, 4905)\r\n| project TimeGenerated, Account , AccountType , Computer , EventSourceName , Channel , Task , EventData , EventID , Activity \r\n| top 1000 by TimeGenerated desc",
"size": 1,
"showAnnotations": true,
"timeContext": {
"durationMs": 2592000000
},
"timeBrushParameterName": "TimeBrush",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "timechart"
},
"name": "query - 2"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityEvent\r\n| where EventID in (4715, 4719, 4817, 4902, 4906, 4907, 4908, 4912, 4904, 4905)\r\n| project TimeGenerated, Account , Computer , EventData , EventID , Activity ",
"size": 0,
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"timeContextFromParameter": "TimeBrush",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
@ -1011,16 +1025,33 @@
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityEvent\r\n| where EventID in (4673, 4674, 4985)\r\n| project TimeGenerated, Account , Computer , EventData , EventID , Activity ",
"size": 1,
"showAnnotations": true,
"timeContext": {
"durationMs": 2592000000
},
"timeBrushParameterName": "TimeBrush",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "timechart"
},
"name": "query - 2"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityEvent\r\n| where EventID in (4673, 4674, 4985)\r\n| project Account , Computer , EventData , EventID , Activity ",
"size": 0,
"size": 1,
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"timeContextFromParameter": "TimeBrush",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
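Review bot: The two new timechart items (the `"timeBrushParameterName": "TimeBrush"` lines in the hunks at @ -969 and @ -1011) set a fixed 30-day `timeContext` but omit `timeContextFromParameter`, whereas every pre-existing timechart in this file carries both `"timeContextFromParameter": "TimeRange"` and `"timeBrushParameterName": "TimeBrush"` (see the hunks at @ -502, @ -567 and @ -907), so these two charts presumably stop following the workbook's TimeRange parameter, whose default this same commit shortens from 60 days to one day at @ -138. Adding `"timeContextFromParameter": "TimeRange",` directly before the `timeBrushParameterName` line in both new items would make them consistent with the rest of the workbook. In the last hunk the table item's `"size": 0` is also changed to `"size": 1`, while the sibling table items elsewhere (for example the one under @ -969) keep `"size": 0`; if that is not intentional, `"size": 0,` should be restored. The JSON objects for both new items open inside these hunks but their closing braces lie outside SOURCE.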