Update IoTOTThreatMonitoringwithDefenderforIoT.json

This commit is contained in:
amitcohen25 2022-09-07 15:36:58 +03:00 коммит произвёл GitHub
Родитель fdeed2be49
Коммит 41a42c3090
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 4AEE18F83AFDEB23
1 изменённых файлов: 36 добавлений и 13 удалений


@ -69,10 +69,7 @@
},
"defaultValue": "value::all",
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
"value": [
"value::all"
]
"resourceType": "microsoft.resourcegraph/resources"
},
{
"id": "e3225ed0-6210-40a1-b2d0-66e42ffa71d6",
@ -107,7 +104,7 @@
"type": 4,
"isRequired": true,
"value": {
"durationMs": 604800000
"durationMs": 1209600000
},
"typeSettings": {
"selectableValues": [
@ -1681,7 +1678,7 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "iotsecurityresources \n| where type=='microsoft.iotsecurity/locations/devicegroups/alerts' \n| extend TimeFirstSeen=properties.startTimeUtc\n| where TimeFirstSeen {TimeRange}\n| extend AlertName = tostring(properties.displayName)\n| extend AlertSeverity = tostring(properties.severity)\n| extend Status = tostring(properties.status)\n| extend Tactics = tostring(properties.intent)\n| extend SeverityRank = iff(AlertSeverity == \"High\", 3, iff(AlertSeverity == \"Medium\", 2, iff(AlertSeverity == \"Low\", 1, iff(AlertSeverity == \"Informational\", 0, 0))))\n| sort by SeverityRank, todatetime(TimeFirstSeen) \n| project TimeFirstSeen, AlertName, AlertSeverity, Tactics, Status\n| take 20",
"query": "iotsecurityresources \n| where type=='microsoft.iotsecurity/locations/devicegroups/alerts' \n| extend TimeFirstSeen=properties.startTimeUtc\n| where TimeFirstSeen {TimeRange}\n| extend AlertName = tostring(properties.displayName)\n| extend AlertSeverity = tostring(properties.severity)\n| extend Status = tostring(properties.status)\n| extend Tactics = tostring(properties.intent)\n| extend data = split(id, '/')\n| extend type = tostring(properties.alertType)\n| extend StringforBase64function = strcat('{\"alertType\":\"', type, '\",\"location\":\"', data[6], '\",\"deviceGroupName\":\"', data[8], '\",\"alertId\":\"', data[10], '\",\"subscriptionId\":\"', data[2], '\"}')\n| extend alertlink = base64_encode_tostring(StringforBase64function)\n| extend SeverityRank = iff(AlertSeverity == \"High\", 3, iff(AlertSeverity == \"Medium\", 2, iff(AlertSeverity == \"Low\", 1, iff(AlertSeverity == \"Informational\", 0, 0))))\n| sort by SeverityRank, todatetime(TimeFirstSeen) \n| project TimeFirstSeen, AlertName, AlertSeverity, Tactics, Status, AlertLink=strcat(\"https://portal.azure.com/#view/Microsoft_Azure_IoT_Defender/IAlertBlade/data/\",alertlink)\n| take 50",
"size": 0,
"showAnalytics": true,
"title": "🟦 Recent Security Alerts",
@ -12160,7 +12157,7 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": " iotsecurityresources\n | where type == \"microsoft.iotsecurity/locations/devicegroups/devices\"\n | extend TimLastSeen=properties.lastSeen\n | extend DeviceName=properties.deviceName\n | where TimLastSeen {TimeRange}\n | extend Sensor=properties.sensor.name\n | where Sensor in ({SensorName})\n | extend DeviceSubType=iff(properties.deviceSubTypeDisplayName==\"Unclassified\", \"\", properties.deviceSubTypeDisplayName)\n | extend Site=properties.sensor.site\n | where Site in ({SiteName})\n | extend Zone=tostring(properties.sensor.zone)\n | where Zone in ({ZoneName})\n | extend IPv4=properties.nics.[0].ipv4Address\n | extend MACAddress=properties.nics.[0].macAddress\n | extend Vendor=properties.hardware.vendor\n | extend PurdueLevel=properties.purdueLevel\n | extend OperatingSystem=properties.operatingSystem.platform\n | extend Protocols = trim(@'^\\[\"|\"]$|\"', tostring(properties.protocols))\n | where properties.deviceDataSource=='OtSensor'\n | project TimLastSeen, tostring(DeviceName), tostring(DeviceSubType), tostring(Site), tostring(Zone), tostring(Sensor),tostring(PurdueLevel), tostring(IPv4), tostring(MACAddress), Protocols, tostring(Vendor), tostring(OperatingSystem), DeviceID=name, tostring(name)\n | join kind=leftouter\n (iotsecurityresources \n | where type=='microsoft.iotsecurity/locations/devicegroups/vulnerabilities' \n | summarize CVECount=count() by name2=tostring(properties.deviceId)) on $left.name == $right.name2 \n | join kind=leftouter\n (iotsecurityresources \n | where type=='microsoft.iotsecurity/locations/devicegroups/alerts' \n | where properties.status != \"Closed\"\n | extend name3= tostring(properties.extendedProperties.SourceDeviceAddress)\n | summarize AlertCount=count() by name3) on $left.DeviceName == $right.name3 \n | join kind=leftouter\n (iotsecurityresources \n | where type=='microsoft.iotsecurity/locations/devicegroups/alerts' \n | where properties.status != \"Closed\"\n | where 
tostring(properties.extendedProperties.DestinationDeviceAddress)!=tostring(properties.extendedProperties.SourceDeviceAddress)\n | summarize AlertCount2=count() by name4=tostring(properties.extendedProperties.DestinationDeviceAddress)) on $left.DeviceName == $right.name4 \n | project TimLastSeen, tostring(DeviceName), tostring(DeviceSubType), AlertCountSum=coalesce(AlertCount,0)+coalesce(AlertCount2,0), CVECount, tostring(Site), tostring(Zone), tostring(Sensor),tostring(PurdueLevel), tostring(IPv4), tostring(MACAddress), Protocols, tostring(Vendor), tostring(OperatingSystem), DeviceID=name\n | sort by tostring(TimLastSeen)\n",
"query": " iotsecurityresources\n | where type == \"microsoft.iotsecurity/locations/devicegroups/devices\"\n | extend TimLastSeen=properties.lastSeen\n | extend DeviceName=properties.deviceName\n | where TimLastSeen {TimeRange}\n | extend Sensor=properties.sensor.name\n | where Sensor in ({SensorName})\n | extend DeviceSubType=iff(properties.deviceSubTypeDisplayName==\"Unclassified\", \"\", properties.deviceSubTypeDisplayName)\n | extend Site=properties.sensor.site\n | where Site in ({SiteName})\n | extend Zone=tostring(properties.sensor.zone)\n | where Zone in ({ZoneName})\n | extend IPv4=properties.nics.[0].ipv4Address\n | extend MACAddress=properties.nics.[0].macAddress\n | extend Vendor=properties.hardware.vendor\n | extend PurdueLevel=properties.purdueLevel\n | extend OperatingSystem=properties.operatingSystem.platform\n | extend Protocols = trim(@'^\\[\"|\"]$|\"', tostring(properties.protocols))\n | where properties.deviceDataSource=='OtSensor'\n | extend data=split(id, '/')\n | extend StringforBase64function = strcat('{\"subscriptionId\":\"', data[2], '\",\"deviceId\":\"', data[10], '\",\"location\":\"', data[6], '\",\"deviceGroupName\":\"', data[8], '\"}')\n | extend devicelink = base64_encode_tostring(StringforBase64function)\n | project TimLastSeen, tostring(DeviceName),DeviceLink=strcat(\"https://portal.azure.com/#view/Microsoft_Azure_IoT_Defender/IDeviceBlade/data/\",devicelink), tostring(DeviceSubType), tostring(Site), tostring(Zone), tostring(Sensor),tostring(PurdueLevel), tostring(IPv4), tostring(MACAddress), Protocols, tostring(Vendor), tostring(OperatingSystem), DeviceID=name, tostring(name)\n | join kind=leftouter\n (iotsecurityresources \n | where type=='microsoft.iotsecurity/locations/devicegroups/vulnerabilities' \n | summarize CVECount=count() by name2=tostring(properties.deviceId)) on $left.name == $right.name2 \n | join kind=leftouter\n (iotsecurityresources \n | where type=='microsoft.iotsecurity/locations/devicegroups/alerts' \n | where 
properties.status != \"Closed\"\n | extend name3= tostring(properties.extendedProperties.SourceDeviceAddress)\n | summarize AlertCount=count() by name3) on $left.DeviceName == $right.name3 \n | join kind=leftouter\n (iotsecurityresources \n | where type=='microsoft.iotsecurity/locations/devicegroups/alerts' \n | where properties.status != \"Closed\"\n | where tostring(properties.extendedProperties.DestinationDeviceAddress)!=tostring(properties.extendedProperties.SourceDeviceAddress)\n | summarize AlertCount2=count() by name4=tostring(properties.extendedProperties.DestinationDeviceAddress)) on $left.DeviceName == $right.name4 \n | project TimLastSeen, tostring(DeviceName), DeviceLink, tostring(DeviceSubType), AlertCountSum=coalesce(AlertCount,0)+coalesce(AlertCount2,0), CVECount, tostring(Site), tostring(Zone), tostring(Sensor),tostring(PurdueLevel), tostring(IPv4), tostring(MACAddress), Protocols, tostring(Vendor), tostring(OperatingSystem), DeviceID=name\n | sort by tostring(TimLastSeen)\n",
"size": 0,
"showAnalytics": true,
"title": "🟦 OT Assets",
@ -12193,6 +12190,15 @@
"customColumnWidthSetting": "20ch"
}
},
{
"columnMatch": "DeviceLink",
"formatter": 7,
"formatOptions": {
"linkTarget": "Url",
"linkLabel": "Device >>",
"customColumnWidthSetting": "15ch"
}
},
{
"columnMatch": "DeviceSubType",
"formatter": 0,
@ -12293,6 +12299,10 @@
"columnId": "DeviceName",
"label": "Name"
},
{
"columnId": "DeviceLink",
"label": "Device Link"
},
{
"columnId": "DeviceSubType",
"label": "Type"
@ -13054,7 +13064,7 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": " iotsecurityresources\n | where type == \"microsoft.iotsecurity/locations/devicegroups/devices\"\n | extend TimeFirstSeen=properties.firstSeen\n | extend DeviceName=properties.deviceName\n | where TimeFirstSeen {TimeRange}\n | extend DeviceSubType=iff(properties.deviceSubTypeDisplayName==\"Unclassified\", \"\", properties.deviceSubTypeDisplayName)\n | extend Site=properties.sensor.site\n | where properties.deviceDataSource=='OtSensor'\n | project TimeFirstSeen, tostring(DeviceName), tostring(DeviceSubType), tostring(Site)\n | join kind=leftouter\n (iotsecurityresources \n | where type=='microsoft.iotsecurity/locations/devicegroups/alerts' \n | where properties.status != \"Closed\"\n | extend name3= tostring(properties.extendedProperties.SourceDeviceAddress)\n | summarize AlertCount=count() by name3) on $left.DeviceName == $right.name3 \n | join kind=leftouter\n (iotsecurityresources \n | where type=='microsoft.iotsecurity/locations/devicegroups/alerts' \n | where properties.status != \"Closed\"\n | where tostring(properties.extendedProperties.DestinationDeviceAddress)!=tostring(properties.extendedProperties.SourceDeviceAddress)\n | summarize AlertCount2=count() by name4=tostring(properties.extendedProperties.DestinationDeviceAddress)) on $left.DeviceName == $right.name4 \n | project TimeFirstSeen, tostring(DeviceName), tostring(DeviceSubType), AlertCountSum=coalesce(AlertCount,0)+coalesce(AlertCount2,0), tostring(Site)\n | sort by tostring(TimeFirstSeen)\n | take 50",
"query": " iotsecurityresources\n | where type == \"microsoft.iotsecurity/locations/devicegroups/devices\"\n | extend TimeFirstSeen=properties.firstSeen\n | extend DeviceName=properties.deviceName\n | where TimeFirstSeen {TimeRange}\n | extend DeviceSubType=iff(properties.deviceSubTypeDisplayName==\"Unclassified\", \"\", properties.deviceSubTypeDisplayName)\n | extend Site=properties.sensor.site\n | where properties.deviceDataSource=='OtSensor'\n | extend data=split(id, '/')\n | extend StringforBase64function = strcat('{\"subscriptionId\":\"', data[2], '\",\"deviceId\":\"', data[10], '\",\"location\":\"', data[6], '\",\"deviceGroupName\":\"', data[8], '\"}')\n | extend devicelink = base64_encode_tostring(StringforBase64function)\n | project TimeFirstSeen, tostring(DeviceName), DeviceLink=strcat(\"https://portal.azure.com/#view/Microsoft_Azure_IoT_Defender/IDeviceBlade/data/\",devicelink), tostring(DeviceSubType), tostring(Site)\n | join kind=leftouter\n (iotsecurityresources \n | where type=='microsoft.iotsecurity/locations/devicegroups/alerts' \n | where properties.status != \"Closed\"\n | extend name3= tostring(properties.extendedProperties.SourceDeviceAddress)\n | summarize AlertCount=count() by name3) on $left.DeviceName == $right.name3 \n | join kind=leftouter\n (iotsecurityresources \n | where type=='microsoft.iotsecurity/locations/devicegroups/alerts' \n | where properties.status != \"Closed\"\n | where tostring(properties.extendedProperties.DestinationDeviceAddress)!=tostring(properties.extendedProperties.SourceDeviceAddress)\n | summarize AlertCount2=count() by name4=tostring(properties.extendedProperties.DestinationDeviceAddress)) on $left.DeviceName == $right.name4 \n | project TimeFirstSeen, tostring(DeviceName), DeviceLink, tostring(DeviceSubType), AlertCountSum=coalesce(AlertCount,0)+coalesce(AlertCount2,0), tostring(Site)\n | sort by tostring(TimeFirstSeen)\n | take 50",
"size": 0,
"title": "Recent Discovered Devices",
"queryType": 1,
@ -13082,6 +13092,15 @@
"customColumnWidthSetting": "20ch"
}
},
{
"columnMatch": "DeviceLink",
"formatter": 7,
"formatOptions": {
"linkTarget": "Url",
"linkLabel": "Device >>",
"customColumnWidthSetting": "16ch"
}
},
{
"columnMatch": "DeviceSubType",
"formatter": 0,
@ -13114,6 +13133,10 @@
"columnId": "DeviceName",
"label": "Device Name"
},
{
"columnId": "DeviceLink",
"label": "Device Link"
},
{
"columnId": "DeviceSubType",
"label": "Type"
@ -13268,7 +13291,7 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityIncident\n| extend ProductName = tostring(parse_json(tostring(AdditionalData.alertProductNames))[0])\n| where ProductName contains \"iot\"\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\n| extend SeverityRank=iff(Severity == \"High\", 3, iff(Severity == \"Medium\", 2, iff(Severity == \"Low\", 1, iff(Severity == \"Informational\", 0, 0))))\n| sort by SeverityRank, TimeGenerated desc\n| project TimeGenerated,['Incident Name']=Title, IncidentNumber, Severity, Status, URL=IncidentUrl\n| limit 50",
"query": "SecurityIncident\n| extend ProductName = tostring(parse_json(tostring(AdditionalData.alertProductNames))[0])\n| where ProductName contains \"iot\"\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\n| extend SeverityRank=iff(Severity == \"High\", 3, iff(Severity == \"Medium\", 2, iff(Severity == \"Low\", 1, iff(Severity == \"Informational\", 0, 0))))\n| sort by SeverityRank, TimeGenerated desc\n| project TimeGenerated,['Incident Name']=Title, URL=IncidentUrl, IncidentNumber, Severity, Status\n| limit 50",
"size": 0,
"title": "Recent Open Incidents",
"timeContextFromParameter": "TimeRange",
@ -13398,13 +13421,13 @@
"columnId": "Incident Name",
"label": "Incident Name"
},
{
"columnId": "IncidentNumber",
"label": "Incident ID"
},
{
"columnId": "URL",
"label": "Link"
},
{
"columnId": "IncidentNumber",
"label": "Incident ID"
}
]
}
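Review bot: The three new link-building queries (🟦 Recent Security Alerts, 🟦 OT Assets and Recent Discovered Devices) hard-code the host `https://portal.azure.com/#view/Microsoft_Azure_IoT_Defender/...` and select resource-id segments by position (`data[2]`, `data[6]`, `data[8]`, `data[10]`), so both the portal host and the id layout are undocumented assumptions; the links will be wrong in clouds with a different portal host and silently point at the wrong blade if the id shape ever differs. The payload is also assembled with `strcat` into a JSON literal without any escaping, so it is only well-formed as long as those segments cannot contain `"` or `\`, which presumably holds for ARM names but is not checked. Since the file is strict workbook JSON, the assumption is best recorded inside the KQL itself, e.g. a leading line `// assumes id = /subscriptions/{sub}/providers/Microsoft.IoTSecurity/locations/{loc}/deviceGroups/{group}/alerts/{id}; portal host is hard-coded` in each of the three query strings, and the host could be promoted to a workbook parameter so sovereign-cloud users can override it. The surrounding `content` objects begin before each hunk, so the enclosing items are only partly visible here.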