Changes for ForcepointCloudSecurity
Родитель
326b46c43d
Коммит
3f87f4e07d
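--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,127 @@
+{
+"id": "ForcepointCloudSecurityGateway",
+"title": "Forcepoint Cloud Security Gateway",
+"publisher": "Forcepoint",
+"descriptionMarkdown": "Forcepoint Cloud Security Gateway is a converged cloud security service that provides visibility, control, and threat protection for users and data, wherever they are. For more information visit: https://www.forcepoint.com/product/cloud-security-gateway",
+"graphQueries": [
+{
+"metricName": "Total data received",
+"legend": "Forcepoint CSG",
+"baseQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"Forcepoint CSG\"\n"
+}
+],
+"sampleQueries": [
+{
+"description" : "Top 5 Web requested Domains with log severity equal to 6 (Medium)",
+"query": "CommonSecurityLog\n| where TimeGenerated <= ago(0m)\n| where DeviceVendor == \"Forcepoint CSG\"\n| where DeviceProduct == \"Web\"\n| where LogSeverity == 6\n| where DeviceCustomString2 != \"\"\n| summarize Count=count() by DeviceCustomString2\n| top 5 by Count\n| render piechart"
+},
+{
+"description" : "Top 5 Web Users with 'Action' equal to 'Blocked'",
+"query": "CommonSecurityLog\n| where TimeGenerated <= ago(0m)\n| where DeviceVendor == \"Forcepoint CSG\"\n| where DeviceProduct == \"Web\"\n| where Activity == \"Blocked\"\n| where SourceUserID != \"Not available\"\n| summarize Count=count() by SourceUserID\n| top 5 by Count\n| render piechart"
+},
+{
+"description" : "Top 5 Sender Email Addresses Where Spam Score Greater Than 10.0",
+"query": "CommonSecurityLog\n| where TimeGenerated <= ago(0m)\n| where DeviceVendor == \"Forcepoint CSG\"\n| where DeviceProduct == \"Email\"\n| where DeviceCustomFloatingPoint1 > 10.0\n| summarize Count=count() by SourceUserName\n| top 5 by Count\n| render barchart"
+}
+],
+"dataTypes": [
+{
+"name": "CommonSecurityLog (Forcepoint CSG)",
+"lastDataReceivedQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"Forcepoint CSG\"\n| where DeviceProduct == \"Web\"\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+},
+{
+"name": "CommonSecurityLog (Forcepoint CSG)",
+"lastDataReceivedQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"Forcepoint CSG\"\n| where DeviceProduct == \"Email\"\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+}
+],
+"connectivityCriterias": [
+{
+"type": "IsConnectedQuery",
+"value": [
+"\nCommonSecurityLog\n| where DeviceVendor == \"Forcepoint CSG\"\n| where DeviceProduct == \"Web\"\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)",
+"\nCommonSecurityLog\n| where DeviceVendor == \"Forcepoint CSG\"\n| where DeviceProduct == \"Email\"\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
+]
+}
+],
+"availability": {
+"status": 1,
+"isPreview": true
+},
+"permissions": {
+"resourceProvider": [
+{
+"provider": "Microsoft.OperationalInsights/workspaces",
+"permissionsDisplayText": "read and write permissions are required.",
+"providerDisplayName": "Workspace",
+"scope": "Workspace",
+"requiredPermissions": {
+"read": true,
+"write": true,
+"delete": true
+}
+},
+{
+"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+"providerDisplayName": "Keys",
+"scope": "Workspace",
+"requiredPermissions": {
+"action": true
+}
+}
+]
+},
+"instructionSteps": [
+{
+"title": "1. Linux Syslog agent configuration",
+"description": "This integration requires the Linux Syslog agent to collect your Forcepoint Cloud Security Gateway Web/Email logs on port 514 TCP as Common Event Format (CEF) and forward them to Azure Sentinel.",
+"instructions": [
+{
+"parameters": {
+"fillWith": [
+"WorkspaceId",
+"PrimaryKey"
+],
+"label": "Your Data Connector Syslog Agent Installation Command is:",
+"value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}"
+},
+"type": "CopyableLabel"
+}
+]
+},
+{
+"title": "2. Implementation options",
+"description": "The integration is made available with two implementations options.",
+"innerSteps": [
+{
+"title": "2.1 Docker Implementation",
+"description": "Leverages docker images where the integration component is already installed with all necessary dependencies.\n\nFollow the instructions provided in the Integration Guide linked below.\n\n[Integration Guide >](https://frcpnt.com/csg-sentinel)"
+},
+{
+"title": "2.2 Traditional Implementation",
+"description": "Requires the manual deployment of the integration component inside a clean Linux machine.\n\nFollow the instructions provided in the Integration Guide linked below.\n\n[Integration Guide >](https://frcpnt.com/csg-sentinel)"
+}
+]
+},
+{
+"title": "3. Validate connection",
+"description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version \n \n>2. You must have elevated permissions (sudo) on your machine",
+"instructions": [
+{
+"parameters": {
+"fillWith": [
+"WorkspaceId"
+],
+"label": "Run the following command to validate your connectivity:",
+"value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}"
+},
+"type": "CopyableLabel"
+}
+]
+},
+{
+"title": "4. Secure your machine ",
+"description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)."
+}
+]
+}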
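Review bot: `requiredPermissions` on the `Microsoft.OperationalInsights/workspaces` provider asks for `"delete": true` while the `permissionsDisplayText` two lines above says only read and write are required, so the UI understates what the connector demands and the connector asks for more than the text justifies; either drop it (`"requiredPermissions": { "read": true, "write": true }`) or, if delete really is needed by the onboarding flow, say so in the display text. The two `dataTypes` entries share the same `"name": "CommonSecurityLog (Forcepoint CSG)"` and differ only in the `DeviceProduct` filter, which renders as two indistinguishable rows; give them distinct names (e.g. `CommonSecurityLog (Forcepoint CSG Web)` / `CommonSecurityLog (Forcepoint CSG Email)`) or collapse them into one entry whose query filters only on `DeviceVendor`. The `"description" :` keys in `sampleQueries` carry a space before the colon, unlike every other key in the file. The `python -version` hint in step 3's description is not a valid CPython option; it should read `python --version`.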
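--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,4 @@
+<svg xmlns="http://www.w3.org/2000/svg" x="0px" y="0px" version="1.0" viewBox="0 0 75 75" xml:space="preserve">
+<path fill="#00af9a" d="M36.3 34.5h7.2v7.2h-7.2z"/>
+<path d="M48.3 21.3H26.7v13.2h6.7v-6.8h14.9zM26.7 41.7h6.7v12h-6.7z"/>
+</svg>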
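--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,9 @@
+TenantId,SourceSystem,TimeGenerated [UTC],ReceiptTime,DeviceVendor,DeviceProduct,DeviceEventClassID,LogSeverity,OriginalLogSeverity,DeviceAction,SimplifiedDeviceAction,Computer,CommunicationDirection,DeviceFacility,DestinationPort,DestinationIP,DeviceAddress,DeviceName,Message,Protocol,SourcePort,SourceIP,RemoteIP,RemotePort,MaliciousIP,ThreatSeverity,IndicatorThreatType,ThreatDescription,ThreatConfidence,ReportReferenceLink,MaliciousIPLongitude,MaliciousIPLatitude,MaliciousIPCountry,DeviceVersion,Activity,ApplicationProtocol,EventCount,DestinationDnsDomain,DestinationServiceName,DestinationTranslatedAddress,DestinationTranslatedPort,DeviceDnsDomain,DeviceExternalID,DeviceInboundInterface,DeviceNtDomain,DeviceOutboundInterface,DevicePayloadId,ProcessName,DeviceTranslatedAddress,DestinationHostName,DestinationMACAddress,DestinationNTDomain,DestinationProcessId,DestinationUserPrivileges,DestinationProcessName,DeviceTimeZone,DestinationUserID,DestinationUserName,DeviceMacAddress,ProcessID,ExternalID,FileCreateTime,FileHash,FileID,FileModificationTime,FilePath,FilePermission,FileType,FileName,FileSize,ReceivedBytes,OldFileCreateTime,OldFileHash,OldFileID,OldFileModificationTime,OldFileName,OldFilePath,OldFilePermission,OldFileSize,OldFileType,SentBytes,RequestURL,RequestClientApplication,RequestContext,RequestCookies,RequestMethod,SourceHostName,SourceMACAddress,SourceNTDomain,SourceDnsDomain,SourceServiceName,SourceTranslatedAddress,SourceTranslatedPort,SourceProcessId,SourceUserPrivileges,SourceProcessName,SourceUserID,SourceUserName,EventType,DeviceCustomIPv6Address1,DeviceCustomIPv6Address1Label,DeviceCustomIPv6Address2,DeviceCustomIPv6Address2Label,DeviceCustomIPv6Address3,DeviceCustomIPv6Address3Label,DeviceCustomIPv6Address4,DeviceCustomIPv6Address4Label,DeviceCustomFloatingPoint1,DeviceCustomFloatingPoint1Label,DeviceCustomFloatingPoint2,DeviceCustomFloatingPoint2Label,DeviceCustomFloatingPoint3,DeviceCustomFloatingPoint3Label,DeviceCustomFloatingPoint4,DeviceCustomFloatingPoint4Label,DeviceCustomNumber1,DeviceCustomNumber1Label,DeviceCustomNumber2,DeviceCustomNumber2Label,DeviceCustomNumber3,DeviceCustomNumber3Label,DeviceCustomString1,DeviceCustomString1Label,DeviceCustomString2,DeviceCustomString2Label,DeviceCustomString3,DeviceCustomString3Label,DeviceCustomString4,DeviceCustomString4Label,DeviceCustomString5,DeviceCustomString5Label,DeviceCustomString6,DeviceCustomString6Label,DeviceCustomDate1,DeviceCustomDate1Label,DeviceCustomDate2,DeviceCustomDate2Label,FlexDate1,FlexDate1Label,FlexNumber1,FlexNumber1Label,FlexNumber2,FlexNumber2Label,FlexString1,FlexString1Label,FlexString2,FlexString2Label,AdditionalExtensions,StartTime [UTC],EndTime [UTC],Type,_ResourceId
+ad1f026a-17e7-4fa8-82df-9cd9d3d3b320,OpsManager,"12/10/2020, 10:22:47.092 AM",,Forcepoint CSG,Web,"""Productivity Loss",0,,Authentication Required,Authentication Required,,,,,168.63.129.16,,,,,,10.0.100.4,,,,,,,,,,,,1,None,HTTP,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Unknown,HealthService,,0,,,,,,,,,,890,HTTP://168.63.129.16/HealthService,None,,,Post,,,,,,,,,,,Not available,,,,,,,,,,,,,,,,,,,,,,,,,Web Hosting,Category Name,168.63.129.16,Domain name of the destination site,Cork BizDev,Policy Name,52.136.205.45,IP address of connection to the cloud service.,None,Cloud App Risk Level,,,2020-12-10T10:20:03.000Z,Log Created Time ,,,,,,,,,Netherlands - Amsterdam (X),The cloud service data center that processed therequest.,,,,,,CommonSecurityLog,
+ad1f026a-17e7-4fa8-82df-9cd9d3d3b320,OpsManager,"12/10/2020, 10:22:47.421 AM",,Forcepoint CSG,Web,"""Productivity Loss",0,,Authentication Required,Authentication Required,,,,,168.63.129.16,,,,,,10.0.100.4,,,,,,,,,,,,1,None,HTTP,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Unknown,machine,,0,,,,,,,,,,669,HTTP://168.63.129.16/machine?comp\=goalstate,None,,,Get,,,,,,,,,,,Not available,,,,,,,,,,,,,,,,,,,,,,,,,Web Hosting,Category Name,168.63.129.16,Domain name of the destination site,Cork BizDev,Policy Name,52.136.205.45,IP address of connection to the cloud service.,None,Cloud App Risk Level,,,2020-12-10T10:21:05.000Z,Log Created Time ,,,,,,,,,Netherlands - Amsterdam (X),The cloud service data center that processed therequest.,,,,,,CommonSecurityLog,
+ad1f026a-17e7-4fa8-82df-9cd9d3d3b320,OpsManager,"12/10/2020, 10:22:47.476 AM",,Forcepoint CSG,Web,"""Productivity Loss",0,,Blocked,Blocked,,,,,168.63.129.16,,,,,,52.136.205.45,,,,,,,,,,,,1,None,HTTP,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Unknown,HealthService,,0,,,,,,,,,,429,HTTP://168.63.129.16/HealthService,None,,,Post,,,,,,,,,,,Not available,,,,,,,,,,,,,,,,,,,,,,,,,Web Hosting,Category Name,168.63.129.16,Domain name of the destination site,Cork BizDev,Policy Name,52.136.205.45,IP address of connection to the cloud service.,None,Cloud App Risk Level,,,2020-12-10T10:21:06.000Z,Log Created Time ,,,,,,,,,Netherlands - Amsterdam (X),The cloud service data center that processed therequest.,,,,,,CommonSecurityLog,
+ad1f026a-17e7-4fa8-82df-9cd9d3d3b320,OpsManager,"12/10/2020, 10:22:47.530 AM",,Forcepoint CSG,Web,"""Productivity Loss",0,,Authentication Required,Authentication Required,,,,,168.63.129.16,,,,,,10.0.100.4,,,,,,,,,,,,1,None,HTTP,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Unknown,HealthService,,0,,,,,,,,,,890,HTTP://168.63.129.16/HealthService,None,,,Post,,,,,,,,,,,Not available,,,,,,,,,,,,,,,,,,,,,,,,,Web Hosting,Category Name,168.63.129.16,Domain name of the destination site,Cork BizDev,Policy Name,52.136.205.45,IP address of connection to the cloud service.,None,Cloud App Risk Level,,,2020-12-10T10:21:05.000Z,Log Created Time ,,,,,,,,,Netherlands - Amsterdam (X),The cloud service data center that processed therequest.,,,,,,CommonSecurityLog,
+ad1f026a-17e7-4fa8-82df-9cd9d3d3b320,OpsManager,"12/10/2020, 10:22:49.185 AM",,Forcepoint CSG,Email,Business Usage,0,,Accepted,Accepted,,1,,,,,,Warning: could not send message for past 4 hours,,,127.0.0.1,,,,,,,,,,,,1,CSG EMail,,,,,,,,,,,,,,,,,,,,,,,39LXRXxQKBKsRZZRWPLWPced-YZcPaWjRZZRWP.NZXUOZPWLMdP.Pf@alerts.bounces.google.com,,,,,,,,,,"None""",None,0,,,,,,,,,,,,,,,,,,,,,,,,,,,Mail Delivery Subsystem,MAILER-DAEMON@rly10d.srv.mailcontrol.com,,,,,,,,,,0,Spam Score,,,,,,,27707,Message Size,,,,,None,Black/white listed,None,Virus Name,DEFAULT,Policy Name,None,Advanced Encryption,,,,,2020-12-10T10:14:25.000Z,Log Created Time ,,,,,,,,,Clean,Filtering Reason,,,,,,CommonSecurityLog,
+ad1f026a-17e7-4fa8-82df-9cd9d3d3b320,OpsManager,"12/10/2020, 10:22:49.497 AM",,Forcepoint CSG,Email,Business Usage,0,,Accepted,Accepted,,0,,,,,,Alerte Google : South Africa,,,209.85.219.198,,,,,,,,,,,,1,CSG EMail,,,,,,,,,,,,,,,,,,,,,,,jdoe@labse.eu,,,,,,,,,,"None""",None,0,,,,,,,,,,,,,,,,,,,,,,,,,,,Google Alerts,googlealerts-noreply@google.com,,,,,,,,,,-105.4,Spam Score,,,,,,,14767,Message Size,,,,,None,Black/white listed,None,Virus Name,DEFAULT,Policy Name,None,Advanced Encryption,,,,,2020-12-10T10:15:58.000Z,Log Created Time ,,,,,,,,,Clean,Filtering Reason,,,,,,CommonSecurityLog,
+ad1f026a-17e7-4fa8-82df-9cd9d3d3b320,OpsManager,"12/10/2020, 10:22:49.878 AM",,Forcepoint CSG,Email,Productivity Loss,0,,Accepted,Accepted,,0,,,,,,Alerte Google : Israel,,,209.85.219.198,,,,,,,,,,,,1,CSG EMail,,,,,,,,,,,,,,,,,,,,,,,jdoe@labse.eu,,,,,,,,,,"None""",None,0,,,,,,,,,,,,,,,,,,,,,,,,,,,Google Alerts,googlealerts-noreply@google.com,,,,,,,,,,-105.6,Spam Score,,,,,,,44172,Message Size,,,,,None,Black/white listed,None,Virus Name,DEFAULT,Policy Name,None,Advanced Encryption,,,,,2020-12-10T10:15:58.000Z,Log Created Time ,,,,,,,,,Clean,Filtering Reason,,,,,,CommonSecurityLog,
+ad1f026a-17e7-4fa8-82df-9cd9d3d3b320,OpsManager,"12/10/2020, 10:22:49.932 AM",,Forcepoint CSG,Email,Productivity Loss,0,,Accepted,Accepted,,1,,,,,,Returned mail: see transcript for details,,,127.0.0.1,,,,,,,,,,,,1,CSG EMail,,,,,,,,,,,,,,,,,,,,,,,3FrfIXxQKBKsRZZRWPLWPced-YZcPaWjRZZRWP.NZXUOZPWLMdP.Pf@alerts.bounces.google.com,,,,,,,,,,"None""",None,0,,,,,,,,,,,,,,,,,,,,,,,,,,,Mail Delivery Subsystem,MAILER-DAEMON@rly01a.srv.mailcontrol.com,,,,,,,,,,0,Spam Score,,,,,,,102814,Message Size,,,,,None,Black/white listed,None,Virus Name,DEFAULT,Policy Name,None,Advanced Encryption,,,,,2020-12-10T10:16:11.000Z,Log Created Time ,,,,,,,,,Clean,Filtering Reason,,,,,,CommonSecurityLog,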
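Review bot: The sample rows carry what look like live identifiers from the author's environment — a tenant GUID (`ad1f026a-…`), a named user mailbox (`jdoe@labse.eu`), Google bounce addresses, `mailcontrol.com` relay hostnames and a policy name (`Cork BizDev`) — and a sample-data file in a public repository should be scrubbed to clearly synthetic values before merge. Several fields also look like quoting artefacts rather than data: the Web rows' DeviceEventClassID is `"""Productivity Loss"` (which parses to a value with a leading quote, unlike the Email rows' plain `Productivity Loss`), the Email rows carry `"None"""`, and one label reads `therequest`; worth checking whether the exporter or the CEF parsing produced these before shipping them as the reference sample. TimeGenerated is in a locale-formatted `12/10/2020, 10:22:47.092 AM` form while the device's own timestamps are ISO 8601, so the `[UTC]` in the column header is the only thing telling a reader which zone it is in.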
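--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,229 @@
+{
+"version": "Notebook/1.0",
+"items": [
+{
+"type": 1,
+"content": {
+"json": "## Top 5 Web requested Domains with log severity equal to 6 (Medium)\n---"
+},
+"name": "text - 2"
+},
+{
+"type": 3,
+"content": {
+"version": "KqlItem/1.0",
+"query": "CommonSecurityLog\n| where TimeGenerated <= ago(0m)\n| where DeviceVendor == \"Forcepoint CSG\"\n| where DeviceProduct == \"Web\"\n| where LogSeverity == 6\n| where DeviceCustomString2 != \"\"\n| summarize Count=count() by DeviceCustomString2\n| top 5 by Count\n| render piechart",
+"size": 3,
+"queryType": 0,
+"resourceType": "microsoft.operationalinsights/workspaces",
+"visualization": "piechart",
+"tileSettings": {
+"showBorder": false,
+"titleContent": {
+"columnMatch": "RequestURL",
+"formatter": 1
+},
+"leftContent": {
+"columnMatch": "Count",
+"formatter": 12,
+"formatOptions": {
+"palette": "auto"
+},
+"numberFormat": {
+"unit": 17,
+"options": {
+"maximumSignificantDigits": 3,
+"maximumFractionDigits": 2
+}
+}
+}
+},
+"graphSettings": {
+"type": 0,
+"topContent": {
+"columnMatch": "RequestURL",
+"formatter": 1
+},
+"centerContent": {
+"columnMatch": "Count",
+"formatter": 1,
+"numberFormat": {
+"unit": 17,
+"options": {
+"maximumSignificantDigits": 3,
+"maximumFractionDigits": 2
+}
+}
+}
+},
+"mapSettings": {
+"locInfo": "LatLong",
+"sizeSettings": "Count",
+"sizeAggregation": "Sum",
+"legendMetric": "Count",
+"legendAggregation": "Sum",
+"itemColorSettings": {
+"type": "heatmap",
+"colorAggregation": "Sum",
+"nodeColorField": "Count",
+"heatmapPalette": "greenRed"
+}
+}
+},
+"name": "query - 2"
+},
+{
+"type": 1,
+"content": {
+"json": "## Top 5 Web requested Domains with log severity equal to 9 (High)\n---"
+},
+"name": "text - 7"
+},
+{
+"type": 3,
+"content": {
+"version": "KqlItem/1.0",
+"query": "CommonSecurityLog\n| where TimeGenerated <= ago(0m)\n| where DeviceVendor == \"Forcepoint CSG\"\n| where DeviceProduct == \"Web\"\n| where LogSeverity == 9\n| where DeviceCustomString2 != \"\"\n| summarize Count=count() by DeviceCustomString2\n| top 5 by Count\n| render piechart",
+"size": 3,
+"queryType": 0,
+"resourceType": "microsoft.operationalinsights/workspaces",
+"visualization": "piechart",
+"tileSettings": {
+"showBorder": false,
+"titleContent": {
+"columnMatch": "RequestURL",
+"formatter": 1
+},
+"leftContent": {
+"columnMatch": "Count",
+"formatter": 12,
+"formatOptions": {
+"palette": "auto"
+},
+"numberFormat": {
+"unit": 17,
+"options": {
+"maximumSignificantDigits": 3,
+"maximumFractionDigits": 2
+}
+}
+}
+},
+"graphSettings": {
+"type": 0,
+"topContent": {
+"columnMatch": "RequestURL",
+"formatter": 1
+},
+"centerContent": {
+"columnMatch": "Count",
+"formatter": 1,
+"numberFormat": {
+"unit": 17,
+"options": {
+"maximumSignificantDigits": 3,
+"maximumFractionDigits": 2
+}
+}
+}
+},
+"mapSettings": {
+"locInfo": "LatLong",
+"sizeSettings": "Count",
+"sizeAggregation": "Sum",
+"legendMetric": "Count",
+"legendAggregation": "Sum",
+"itemColorSettings": {
+"type": "heatmap",
+"colorAggregation": "Sum",
+"nodeColorField": "Count",
+"heatmapPalette": "greenRed"
+}
+}
+},
+"name": "query - 2 - Copy"
+},
+{
+"type": 1,
+"content": {
+"json": "## Top 5 Web Users with 'Action' equal to 'Blocked'\n---"
+},
+"name": "text - 2"
+},
+{
+"type": 3,
+"content": {
+"version": "KqlItem/1.0",
+"query": "CommonSecurityLog\n| where TimeGenerated <= ago(0m)\n| where DeviceVendor == \"Forcepoint CSG\"\n| where DeviceProduct == \"Web\"\n| where Activity != \"Blocked\"\n| where SourceUserID != \"Not available\"\n| summarize Count=count() by SourceUserID\n| top 5 by Count\n| render piechart",
+"size": 1,
+"queryType": 0,
+"resourceType": "microsoft.operationalinsights/workspaces",
+"visualization": "barchart"
+},
+"name": "query - 3"
+},
+{
+"type": 1,
+"content": {
+"json": "## Top 5 Sender Email Addresses Where Spam Score Greater Than 10.0\n---"
+},
+"name": "text - 4"
+},
+{
+"type": 3,
+"content": {
+"version": "KqlItem/1.0",
+"query": "CommonSecurityLog\n| where TimeGenerated <= ago(0m)\n| where DeviceVendor == \"Forcepoint CSG\"\n| where DeviceProduct == \"Email\"\n| where DeviceCustomFloatingPoint1 > 1.0\n| summarize Count=count() by SourceUserName\n| top 5 by Count\n",
+"size": 1,
+"queryType": 0,
+"resourceType": "microsoft.operationalinsights/workspaces",
+"visualization": "categoricalbar",
+"tileSettings": {
+"showBorder": false,
+"titleContent": {
+"columnMatch": "SourceIP",
+"formatter": 1
+},
+"leftContent": {
+"columnMatch": "Count",
+"formatter": 12,
+"formatOptions": {
+"palette": "auto"
+},
+"numberFormat": {
+"unit": 17,
+"options": {
+"maximumSignificantDigits": 3,
+"maximumFractionDigits": 2
+}
+}
+}
+},
+"graphSettings": {
+"type": 0,
+"topContent": {
+"columnMatch": "SourceUserName",
+"formatter": 1
+},
+"centerContent": {
+"columnMatch": "Count",
+"formatter": 1,
+"numberFormat": {
+"unit": 17,
+"options": {
+"maximumSignificantDigits": 3,
+"maximumFractionDigits": 2
+}
+}
+}
+}
+},
+"name": "query - 5"
+}
+],
+"fallbackResourceIds": [
+"/subscriptions/42b86d52-1a90-43ad-ade0-3b43bdfdc113/resourcegroups/dlo-az-303/providers/microsoft.operationalinsights/workspaces/demo-csg-sentinel-dlo"
+],
+"fromTemplateId": "sentinel-ForcepointCloudSecuirtyGatewayworkbook",
+"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
+}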
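Review bot: The `query - 3` item is headed "Top 5 Web Users with 'Action' equal to 'Blocked'" but its query filters `| where Activity != \"Blocked\"`, the inverse of the connector's sample query for the same heading in this commit; it should read `| where Activity == \"Blocked\"`. The same drift appears in `query - 5`, whose heading says spam score greater than 10.0 while the query uses `| where DeviceCustomFloatingPoint1 > 1.0`. `query - 3` also sets `"visualization": "barchart"` while its query ends in `| render piechart`, and `query - 2` / `query - 2 - Copy` match `columnMatch` against `RequestURL`, a column their `summarize ... by DeviceCustomString2` does not produce (likewise `SourceIP` in `query - 5`). `fallbackResourceIds` pins a concrete subscription, resource group and workspace (`/subscriptions/42b86d52-…/workspaces/demo-csg-sentinel-dlo`) that appear to belong to the author's own tenant; a shared template should ship with `"fallbackResourceIds": []` so it neither discloses that environment nor binds the template to it.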
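--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,4 @@
+<svg xmlns="http://www.w3.org/2000/svg" x="0px" y="0px" version="1.0" viewBox="0 0 75 75" xml:space="preserve">
+<path fill="#00af9a" d="M36.3 34.5h7.2v7.2h-7.2z"/>
+<path d="M48.3 21.3H26.7v13.2h6.7v-6.8h14.9zM26.7 41.7h6.7v12h-6.7z"/>
+</svg>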
@ -1115,6 +1115,19 @@
|
|||
"subtitle": "",
|
||||
"provider": "Thycotic"
|
||||
},
|
||||
{
|
||||
"workbookKey": "ForcepointCloudSecurityGatewayWorkbook",
|
||||
"logoFileName": "Forcepoint_new_logo.svg",
|
||||
"description": "Use this report to understand query runs across your workspace.",
|
||||
"dataTypesDependencies": ["CommonSecurityLog"],
|
||||
"dataConnectorsDependencies": ["ForcepointCloudSecurityGateway"],
|
||||
"previewImagesFileNames": ["ForcepointCloudSecurityGatewayWhite.PNG","ForcepointCloudSecurityGatewayBlack.PNG"],
|
||||
"version": "1.0",
|
||||
"title": "Forcepoint Cloud Security Gateway Workbook",
|
||||
"templateRelativePath": "ForcepointCloudSecuirtyGatewayworkbook.json",
|
||||
"subtitle": "",
|
||||
"provider": "Forcepoint"
|
||||
},
|
||||
{
|
||||
"workbookKey": "IntsightsIOCWorkbook",
|
||||
"logoFileName": "IntSights_logo.svg",
|
||||
|
|
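Review bot: The `description` of the new `ForcepointCloudSecurityGatewayWorkbook` entry, `"Use this report to understand query runs across your workspace."`, is generic text that says nothing about Forcepoint CSG web/email telemetry; replace it with a one-line summary of what the workbook actually charts (top requested domains by severity, blocked users, top spam senders). `templateRelativePath` is `ForcepointCloudSecuirtyGatewayworkbook.json` with "Secuirty" misspelled, matching the workbook's `fromTemplateId` elsewhere in this commit; if the file is ever renamed to fix the spelling, the file, this path and `fromTemplateId` must change together or the gallery entry breaks. The enclosing array continues outside the hunk on both sides.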