diff --git a/Workbooks/EventAnalyzer.json b/Workbooks/EventAnalyzer.json
index 7ba9ce3a01..5ead87fd07 100644
--- a/Workbooks/EventAnalyzer.json
+++ b/Workbooks/EventAnalyzer.json
@@ -22,7 +22,7 @@
 "name": "DefaultWorkspace",
 "type": 5,
 "isRequired": true,
- "value": "/subscriptions/44e4eff8-1fcb-4a22-a7d6-992ac7286382/resourcegroups/soc/providers/microsoft.operationalinsights/workspaces/cybersecuritydemo",
+ "value": "/subscriptions//resourcegroups//providers/microsoft.operationalinsights/workspaces/",
 "isHiddenWhenLocked": true,
 "typeSettings": {
 "resourceTypeFilter": {
@@ -99,9 +99,6 @@
 "crossComponentResources": [
 "value::all"
 ],
- "value": [
- "/subscriptions/44e4eff8-1fcb-4a22-a7d6-992ac7286382"
- ],
 "typeSettings": {
 "additionalResourceOptions": [
 "value::all"
@@ -138,7 +135,7 @@
 "name": "TimeRange",
 "type": 4,
 "value": {
- "durationMs": 5184000000
+ "durationMs": 86400000
 },
 "typeSettings": {
 "selectableValues": [
@@ -383,11 +380,12 @@
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "SecurityEvent\r\n| where EventID in (5140, 5142, 5143, 5144, 5168)\r\n| project Account , Computer , EventData , EventID , Activity ",
+ "query": "SecurityEvent\r\n| where EventID in (5140, 5142, 5143, 5144, 5168)\r\n| project TimeGenerated, Account , Computer , EventData , EventID , Activity ",
 "size": 0,
 "timeContext": {
 "durationMs": 86400000
 },
+ "timeContextFromParameter": "TimeBrush",
 "queryType": 0,
 "resourceType": "microsoft.operationalinsights/workspaces",
 "visualization": "table",
@@ -451,7 +449,7 @@
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "SecurityEvent\r\n| where EventID in (4656, 4658, 4660, 4663, 4664, 4985, 5051, 4670)\r\n| project Account , Computer , EventData , EventID , Activity ",
+ "query": "SecurityEvent\r\n| where EventID in (4656, 4658, 4660, 4663, 4664, 4985, 5051, 4670)\r\n| project TimeGenerated, Account , Computer , EventData , EventID , Activity ",
 "size": 0,
 "timeContext": {
 "durationMs": 86400000
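Review bot: The new default `"value": "/subscriptions//resourcegroups//providers/microsoft.operationalinsights/workspaces/"` in the `@@ -22` hunk is a malformed ARM resource ID with empty segments rather than an unset value, so the resource picker may surface a broken default instead of prompting. Since the parameter is `"isRequired": true`, dropping the `value` key entirely, as the `@@ -99` hunk does for the subscription parameter, or `"value": null` if the picker tolerates it, lets the required-parameter prompt drive the choice; I'd make the two hunks consistent. The subscription GUID, resource group and workspace name removed by both hunks remain in the repository history, so removal at HEAD alone does not retract them if they were never meant to be public.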
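Review bot: The grid in the `@@ -383` hunk now takes its window from `"timeContextFromParameter": "TimeBrush"` but keeps `"durationMs": 86400000` in `timeContext`, while the sibling grids in `@@ -516`, `@@ -581` and `@@ -646` switch to `"durationMs": 0` when they wire up `TimeBrush`. The fallback value is presumably ignored while the parameter is set, but two spellings for the same intent make it hard to tell which is deliberate; pick one. The `@@ -451` hunk shows the same `86400000` fallback with its `timeContextFromParameter` line outside the hunk, so it cannot be checked from here.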
@@ -502,9 +500,8 @@
 "size": 1,
 "showAnnotations": true,
 "timeContext": {
- "durationMs": 0
+ "durationMs": 2592000000
 },
- "timeContextFromParameter": "TimeRange",
 "timeBrushParameterName": "TimeBrush",
 "queryType": 0,
 "resourceType": "microsoft.operationalinsights/workspaces",
@@ -516,10 +513,10 @@
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "SecurityEvent\r\n| where EventID in (4658, 4690)\r\n| project Account , Computer , EventData , EventID , Activity ",
+ "query": "SecurityEvent\r\n| where EventID in (4658, 4690)\r\n| project TimeGenerated, Account , Computer , EventData , EventID , Activity ",
 "size": 0,
 "timeContext": {
- "durationMs": 86400000
+ "durationMs": 0
 },
 "timeContextFromParameter": "TimeBrush",
 "queryType": 0,
@@ -567,9 +564,8 @@
 "size": 1,
 "showAnnotations": true,
 "timeContext": {
- "durationMs": 0
+ "durationMs": 2592000000
 },
- "timeContextFromParameter": "TimeRange",
 "timeBrushParameterName": "TimeBrush",
 "queryType": 0,
 "resourceType": "microsoft.operationalinsights/workspaces",
@@ -581,10 +577,10 @@
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "SecurityEvent\r\n| where EventID in (5031, 5150, 5151, 5154, 5155, 5156, 5157, 5158, 5159)\r\n| project Account , Computer , EventData , EventID , Activity",
+ "query": "SecurityEvent\r\n| where EventID in (5031, 5150, 5151, 5154, 5155, 5156, 5157, 5158, 5159)\r\n| project TimeGenerated, Account , Computer , EventData , EventID , Activity",
 "size": 0,
 "timeContext": {
- "durationMs": 86400000
+ "durationMs": 0
 },
 "timeContextFromParameter": "TimeBrush",
 "queryType": 0,
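Review bot: Replacing `"timeContextFromParameter": "TimeRange"` with a fixed `"durationMs": 2592000000` in the `@@ -502` hunk pins this timechart to a 30-day window, so the `TimeRange` parameter (whose default the `@@ -138` hunk lowers to 24 hours) no longer governs it; the same substitution appears in `@@ -567`, `@@ -907` and the new timechart items in `@@ -969` and `@@ -1011`. Every load now scans 30 days of `SecurityEvent` regardless of what the user selects, which raises query cost and leaves the parameter looking ignored. If a fixed anchor window for brushing is the intent, I'd keep `"timeContextFromParameter": "TimeRange"` and set the parameter's default instead, or document the 30-day choice in a text item. The grids that consume `TimeBrush` with `"durationMs": 0` will presumably show nothing until a range is brushed; confirm that is the intended first-load experience.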
@@ -646,10 +642,10 @@
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "SecurityEvent\r\n| where EventID in (4656, 4658, 4660, 4663)\r\n| project Account , Computer , EventData , EventID , Activity ",
+ "query": "SecurityEvent\r\n| where EventID in (4656, 4658, 4660, 4663)\r\n| project TimeGenerated, Account , Computer , EventData , EventID , Activity ",
 "size": 0,
 "timeContext": {
- "durationMs": 86400000
+ "durationMs": 0
 },
 "timeContextFromParameter": "TimeBrush",
 "queryType": 0,
@@ -732,7 +728,7 @@
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "SecurityEvent\r\n| where EventID in (4671, 4691, 5148, 5149, 4698, 4699, 4700, 4701, 4702, 5888, 5889, 5890)\r\n| project Account , Computer , EventData , EventID , Activity ",
+ "query": "SecurityEvent\r\n| where EventID in (4671, 4691, 5148, 5149, 4698, 4699, 4700, 4701, 4702, 5888, 5889, 5890)\r\n| project TimeGenerated, Account , Computer , EventData , EventID , Activity ",
 "size": 0,
 "timeContext": {
 "durationMs": 0
@@ -796,7 +792,7 @@
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "SecurityEvent\r\n| where EventID in (4663, 4656, 4658, 4660, 4657, 5039, 4670)\r\n| project Account , Computer , EventData , EventID , Activity ",
+ "query": "SecurityEvent\r\n| where EventID in (4663, 4656, 4658, 4660, 4657, 5039, 4670)\r\n| project TimeGenerated, Account , Computer , EventData , EventID , Activity ",
 "size": 0,
 "timeContext": {
 "durationMs": 0
@@ -861,7 +857,7 @@
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "SecurityEvent\r\n| where EventID in (4656, 4658, 4663)\r\n| project Account , Computer , EventData , EventID , Activity ",
+ "query": "SecurityEvent\r\n| where EventID in (4656, 4658, 4663)\r\n| project TimeGenerated, Account , Computer , EventData , EventID , Activity ",
 "size": 0,
 "timeContext": {
 "durationMs": 0
@@ -892,6 +888,7 @@
 "content": {
 "version": "NotebookGroup/1.0",
 "groupType": "editable",
+ "loadType": "always",
 "items": [
 {
 "type": 1,
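Review bot: `"loadType": "always"` on the group in the `@@ -892` hunk (and again in `@@ -956`) forces that group's queries to run on every workbook load even while the group is collapsed or hidden, as far as I understand the Workbooks group setting; the lazy default only runs them once shown. With several `SecurityEvent` grids and a 30-day timechart per group, that multiplies Log Analytics queries per open and the associated cost. If the goal is for the brushed `TimeBrush` parameter to propagate into collapsed groups, I'd confirm the lazy default does not already cover that before keeping `always`, and otherwise drop the line. The enclosing group items run past the hunk on both sides.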
@@ -907,13 +904,12 @@
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "SecurityEvent\r\n| where EventID == 4661\r\n| project TimeGenerated, Account , AccountType , Computer , EventSourceName , Channel , Task , EventData , EventID , Activity \r\n| top 1000 by TimeGenerated desc",
+ "query": "SecurityEvent\r\n| where EventID == 4661\r\n| project TimeGenerated, Account , AccountType , Computer , EventSourceName , Channel , Task , EventData , EventID , Activity ",
 "size": 1,
 "showAnnotations": true,
 "timeContext": {
- "durationMs": 0
+ "durationMs": 2592000000
 },
- "timeContextFromParameter": "TimeRange",
 "timeBrushParameterName": "TimeBrush",
 "queryType": 0,
 "resourceType": "microsoft.operationalinsights/workspaces",
@@ -925,7 +921,7 @@
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "SecurityEvent\r\n| where EventID == 4661\r\n| project Account , Computer , EventData , EventID , Activity ",
+ "query": "SecurityEvent\r\n| where EventID == 4661\r\n| project TimeGenerated, Account , Computer , EventData , EventID , Activity ",
 "size": 0,
 "timeContext": {
 "durationMs": 0
@@ -956,6 +952,7 @@
 "content": {
 "version": "NotebookGroup/1.0",
 "groupType": "editable",
+ "loadType": "always",
 "items": [
 {
 "type": 1,
@@ -969,11 +966,28 @@
 "content": {
 "version": "KqlItem/1.0",
 "query": "SecurityEvent\r\n| where EventID in (4715, 4719, 4817, 4902, 4906, 4907, 4908, 4912, 4904, 4905)\r\n| project TimeGenerated, Account , AccountType , Computer , EventSourceName , Channel , Task , EventData , EventID , Activity \r\n| top 1000 by TimeGenerated desc",
+ "size": 1,
+ "showAnnotations": true,
+ "timeContext": {
+ "durationMs": 2592000000
+ },
+ "timeBrushParameterName": "TimeBrush",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "timechart"
+ },
+ "name": "query - 2"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "SecurityEvent\r\n| where EventID in (4715, 4719, 4817, 4902, 4906, 4907, 4908, 4912, 4904, 4905)\r\n| project TimeGenerated, Account , Computer , EventData , EventID , Activity ",
 "size": 0,
 "timeContext": {
 "durationMs": 0
 },
- "timeContextFromParameter": "TimeRange",
+ "timeContextFromParameter": "TimeBrush",
 "queryType": 0,
 "resourceType": "microsoft.operationalinsights/workspaces",
 "gridSettings": {
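Review bot: The query this new timechart inherits from the unchanged context line still ends with `| top 1000 by TimeGenerated desc`, whereas the parallel timechart in the `@@ -907` hunk drops that clause; on a chart a 1000-row cap silently truncates the plotted series once the 30-day window holds more than 1000 matching events, so the two charts will diverge under load. Either remove the clause from this query as well or keep it in both. The added item is named `"query - 2"`, the same name the `@@ -1011` hunk gives its new timechart; if item names are referenced anywhere (conditional visibility, parameters), a descriptive, unique name per chart avoids the collision. The item whose tail begins this hunk opens above it, outside the hunk.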
@@ -1011,16 +1025,33 @@
 "showBorder": true
 }
 },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "SecurityEvent\r\n| where EventID in (4673, 4674, 4985)\r\n| project TimeGenerated, Account , Computer , EventData , EventID , Activity ",
+ "size": 1,
+ "showAnnotations": true,
+ "timeContext": {
+ "durationMs": 2592000000
+ },
+ "timeBrushParameterName": "TimeBrush",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "timechart"
+ },
+ "name": "query - 2"
+ },
 {
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
 "query": "SecurityEvent\r\n| where EventID in (4673, 4674, 4985)\r\n| project Account , Computer , EventData , EventID , Activity ",
- "size": 0,
+ "size": 1,
 "timeContext": {
 "durationMs": 0
 },
- "timeContextFromParameter": "TimeRange",
+ "timeContextFromParameter": "TimeBrush",
 "queryType": 0,
 "resourceType": "microsoft.operationalinsights/workspaces",
 "gridSettings": {
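Review bot: The grid below the new timechart is the only grid in this commit whose query does not gain `TimeGenerated` — it still reads `| project Account , Computer , EventData , EventID , Activity ` — so once it is driven by `TimeBrush` there is no timestamp column to show where each row fell in the brushed window, unlike the sibling grids from `@@ -383` through `@@ -925`. I'd change it to `| project TimeGenerated, Account , Computer , EventData , EventID , Activity ` to match. Its `"size"` also changes from `0` to `1` while every other grid stays at `0`; if that was carried over from the chart item above by accident, revert it. The grid item continues past the end of the hunk.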