Updated AnalyticsHealthAudit.json
This commit is contained in:
Родитель
2fe573ad66
Коммит
4628948f69
|
@ -237,7 +237,7 @@
|
|||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "SentinelHealth\r\n| where OperationName in (\"Scheduled analytics rule run\",\"NRT analytics rule run\")\r\n| summarize count() by Status, bin(TimeGenerated,1h)",
|
||||
"query": "_SentinelHealth()\r\n| where OperationName in (\"Scheduled analytics rule run\",\"NRT analytics rule run\")\r\n| summarize count() by Status, bin(TimeGenerated,1h)",
|
||||
"size": 0,
|
||||
"title": "Analytics rule run by Status over time",
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
|
@ -275,7 +275,7 @@
|
|||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "SentinelHealth\r\n| where OperationName in (\"Scheduled analytics rule run\",\"NRT analytics rule run\")\r\n| summarize count() by Status",
|
||||
"query": "_SentinelHealth()\r\n| where OperationName in (\"Scheduled analytics rule run\",\"NRT analytics rule run\")\r\n| summarize count() by Status",
|
||||
"size": 0,
|
||||
"title": "Analytics rule run by Status",
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
|
@ -313,7 +313,7 @@
|
|||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "SentinelHealth\r\n| where OperationName in (\"Scheduled analytics rule run\",\"NRT analytics rule run\")\r\n| distinct SentinelResourceId\r\n| count \r\n| extend title = \"Total running Unique rule\"",
|
||||
"query": "_SentinelHealth()\r\n| where OperationName in (\"Scheduled analytics rule run\",\"NRT analytics rule run\")\r\n| distinct SentinelResourceId\r\n| count \r\n| extend title = \"Total running Unique rule\"",
|
||||
"size": 4,
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
|
@ -366,7 +366,7 @@
|
|||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "SentinelHealth\r\n| where OperationName in (\"Scheduled analytics rule run\",\"NRT analytics rule run\")\r\n| summarize Count=count() by Reason, Status",
|
||||
"query": "_SentinelHealth()\r\n| where OperationName in (\"Scheduled analytics rule run\",\"NRT analytics rule run\")\r\n| summarize Count=count() by Reason, Status",
|
||||
"size": 1,
|
||||
"title": "Analytics health summary by Reason",
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
|
@ -444,7 +444,7 @@
|
|||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "SentinelHealth\r\n| where OperationName in (\"Scheduled analytics rule run\",\"NRT analytics rule run\")\r\n| where Status in (\"Failure\",\"Warning\")\r\n| summarize RunCount=count() by SentinelResourceId, RuleName=SentinelResourceName,Status\r\n| order by RunCount desc, Status asc",
|
||||
"query": "_SentinelHealth()\r\n| where OperationName in (\"Scheduled analytics rule run\",\"NRT analytics rule run\")\r\n| where Status in (\"Failure\",\"Warning\")\r\n| summarize RunCount=count() by SentinelResourceId, RuleName=SentinelResourceName,Status\r\n| order by RunCount desc, Status asc",
|
||||
"size": 1,
|
||||
"title": "Analytics rule with Failure and Warning occurence",
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
|
@ -534,7 +534,7 @@
|
|||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "SentinelHealth\r\n| where OperationName in (\"Scheduled analytics rule run\",\"NRT analytics rule run\")\r\n| where Status in ('Failure', 'Warning')\r\n| project TimeGenerated, RuleName=SentinelResourceName, Status, Description, Reason, Type=SentinelResourceKind\r\n| order by TimeGenerated desc",
|
||||
"query": "_SentinelHealth()\r\n| where OperationName in (\"Scheduled analytics rule run\",\"NRT analytics rule run\")\r\n| where Status in ('Failure', 'Warning')\r\n| project TimeGenerated, RuleName=SentinelResourceName, Status, Description, Reason, Type=SentinelResourceKind\r\n| order by TimeGenerated desc",
|
||||
"size": 0,
|
||||
"title": "Failure and Warning event",
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
|
@ -639,7 +639,7 @@
|
|||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "SentinelAudit\r\n| where SentinelResourceType ==\"Analytic Rule\"\r\n| summarize count() by Description, bin(TimeGenerated,1h)",
|
||||
"query": "_SentinelAudit()\r\n| where SentinelResourceType ==\"Analytic Rule\"\r\n| summarize count() by Description, bin(TimeGenerated,1h)",
|
||||
"size": 0,
|
||||
"title": "Analytics rule audit by Activity over time",
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
|
@ -669,7 +669,7 @@
|
|||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "SentinelAudit\r\n| where SentinelResourceType ==\"Analytic Rule\"\r\n| summarize count() by Description",
|
||||
"query": "_SentinelAudit()\r\n| where SentinelResourceType ==\"Analytic Rule\"\r\n| summarize count() by Description",
|
||||
"size": 0,
|
||||
"title": "Analytics rule audit by Activity",
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
|
@ -712,7 +712,7 @@
|
|||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "let Data = (\r\nSentinelAudit\r\n| where SentinelResourceType ==\"Analytic Rule\"\r\n| extend SentinelResourceId = tostring(ExtendedProperties.ResourceId)\r\n);\r\nlet Total = (\r\nData\r\n| summarize TotalEvents = count() by SentinelResourceId, RuleName=SentinelResourceName, Type=SentinelResourceKind\r\n);\r\nlet Activity = (\r\nData\r\n| summarize Count=count() by SentinelResourceId, Description\r\n| extend bag = bag_pack(Description,Count) \r\n| project-away Description, Count\r\n| summarize obj_bag = make_bag(bag) by SentinelResourceId\r\n| evaluate bag_unpack(obj_bag)\r\n);\r\nTotal | join kind=inner Activity on SentinelResourceId\r\n| project-away SentinelResourceId1\r\n",
|
||||
"query": "let Data = (\r\n_SentinelAudit()\r\n| where SentinelResourceType ==\"Analytic Rule\"\r\n| extend SentinelResourceId = tostring(ExtendedProperties.ResourceId)\r\n);\r\nlet Total = (\r\nData\r\n| summarize TotalEvents = count() by SentinelResourceId, RuleName=SentinelResourceName, Type=SentinelResourceKind\r\n);\r\nlet Activity = (\r\nData\r\n| summarize Count=count() by SentinelResourceId, Description\r\n| extend bag = bag_pack(Description,Count) \r\n| project-away Description, Count\r\n| summarize obj_bag = make_bag(bag) by SentinelResourceId\r\n| evaluate bag_unpack(obj_bag)\r\n);\r\nTotal | join kind=inner Activity on SentinelResourceId\r\n| project-away SentinelResourceId1\r\n",
|
||||
"size": 0,
|
||||
"title": "Analytics rule audit by activity volume",
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
|
@ -858,7 +858,7 @@
|
|||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "SentinelHealth\r\n| where SentinelResourceKind in ({RuleType})\r\n| where Status in ({Status})\r\n| summarize count() by Status, bin(TimeGenerated,1h)",
|
||||
"query": "_SentinelHealth()\r\n| where SentinelResourceKind in ({RuleType})\r\n| where Status in ({Status})\r\n| summarize count() by Status, bin(TimeGenerated,1h)",
|
||||
"size": 0,
|
||||
"title": "Analytics rule run Trending over time",
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
|
@ -906,7 +906,7 @@
|
|||
"multiSelect": true,
|
||||
"quote": "'",
|
||||
"delimiter": ",",
|
||||
"query": "SentinelHealth\r\n| where SentinelResourceKind in ({RuleType})\r\n| where Status in ({Status})\r\n| distinct Reason",
|
||||
"query": "_SentinelHealth()\r\n| where SentinelResourceKind in ({RuleType})\r\n| where Status in ({Status})\r\n| distinct Reason",
|
||||
"crossComponentResources": [
|
||||
"{Workspace}"
|
||||
],
|
||||
|
@ -935,7 +935,7 @@
|
|||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "SentinelHealth\r\n| where SentinelResourceKind in ({RuleType})\r\n| where Status in ({Status})\r\n| where Reason in ({Reason})\r\n| summarize count() by Status",
|
||||
"query": "_SentinelHealth()\r\n| where SentinelResourceKind in ({RuleType})\r\n| where Status in ({Status})\r\n| where Reason in ({Reason})\r\n| summarize count() by Status",
|
||||
"size": 4,
|
||||
"title": "Analytics rule run by Status",
|
||||
"timeContextFromParameter": "TimeBrush",
|
||||
|
@ -973,7 +973,7 @@
|
|||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "let Data =(\r\nSentinelHealth\r\n| where SentinelResourceKind in ({RuleType})\r\n| where Status in ({Status})\r\n| where Reason in ({Reason})\r\n);\r\nlet Total =(\r\nData\r\n| summarize Total=dcount(SentinelResourceId) by Status);\r\nlet Scheduled=(\r\nData\r\n| where SentinelResourceKind == \"Scheduled\"\r\n| summarize Scheduled =dcount(SentinelResourceId) by Status);\r\nlet NRT=(\r\nData\r\n| where SentinelResourceKind == \"NRT\"\r\n| summarize NRT =dcount(SentinelResourceId) by Status);\r\nunion Total, Scheduled, NRT\r\n| summarize Unique_Rule= sum(Total), Scheduled= sum(Scheduled), NRT=sum(NRT) by Status\r\n| extend StatusText = strcat(\"'\",Status,\"'\")\r\n",
|
||||
"query": "let Data =(\r\n_SentinelHealth()\r\n| where SentinelResourceKind in ({RuleType})\r\n| where Status in ({Status})\r\n| where Reason in ({Reason})\r\n);\r\nlet Total =(\r\nData\r\n| summarize Total=dcount(SentinelResourceId) by Status);\r\nlet Scheduled=(\r\nData\r\n| where SentinelResourceKind == \"Scheduled\"\r\n| summarize Scheduled =dcount(SentinelResourceId) by Status);\r\nlet NRT=(\r\nData\r\n| where SentinelResourceKind == \"NRT\"\r\n| summarize NRT =dcount(SentinelResourceId) by Status);\r\nunion Total, Scheduled, NRT\r\n| summarize Unique_Rule= sum(Total), Scheduled= sum(Scheduled), NRT=sum(NRT) by Status\r\n| extend StatusText = strcat(\"'\",Status,\"'\")\r\n",
|
||||
"size": 4,
|
||||
"title": "Number of unique rule by Rule type and Status",
|
||||
"timeContextFromParameter": "TimeBrush",
|
||||
|
@ -1107,7 +1107,7 @@
|
|||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "SentinelHealth\r\n| where SentinelResourceKind in ({RuleType})\r\n| where Status in ({Status})\r\n| where Reason in ({Reason})\r\n| summarize Unique_Reason=dcount(Reason) by Status\r\n| extend StatusText = strcat(\"'\",Status,\"'\")",
|
||||
"query": "_SentinelHealth()\r\n| where SentinelResourceKind in ({RuleType})\r\n| where Status in ({Status})\r\n| where Reason in ({Reason})\r\n| summarize Unique_Reason=dcount(Reason) by Status\r\n| extend StatusText = strcat(\"'\",Status,\"'\")",
|
||||
"size": 4,
|
||||
"title": "Number of unique reason by Status",
|
||||
"timeContextFromParameter": "TimeBrush",
|
||||
|
@ -1184,7 +1184,7 @@
|
|||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "SentinelHealth\r\n| where SentinelResourceKind in ({RuleType})\r\n| where Status in ({Status})\r\n| where Reason in ({Reason})\r\n| summarize Occurence=count(), Unique_Rule= dcount(SentinelResourceId) by Status,Reason\r\n| extend ReasonText = strcat(\"'\",Reason,\"'\")",
|
||||
"query": "_SentinelHealth()\r\n| where SentinelResourceKind in ({RuleType})\r\n| where Status in ({Status})\r\n| where Reason in ({Reason})\r\n| summarize Occurence=count(), Unique_Rule= dcount(SentinelResourceId) by Status,Reason\r\n| extend ReasonText = strcat(\"'\",Reason,\"'\")",
|
||||
"size": 1,
|
||||
"title": "Unique reason by Status",
|
||||
"timeContextFromParameter": "TimeBrush",
|
||||
|
@ -1289,7 +1289,7 @@
|
|||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "let Data = ( \r\nSentinelHealth\r\n| where SentinelResourceKind in ({RuleType})\r\n| where Status in ({Status})\r\n| where Reason in ({Reason})\r\n);\r\nData\r\n| summarize arg_max(TimeGenerated,*) by SentinelResourceId\r\n| project SentinelResourceId, SentinelResourceName,Type=SentinelResourceKind, LastStatus=Status,LastStatusDateTime=TimeGenerated\r\n| join kind= leftouter ( \r\nData\r\n| where Status ==\"Success\"\r\n| make-series SuccessTrend = count() default =0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SentinelResourceId\r\n) on SentinelResourceId\r\n| project-away SentinelResourceId1, TimeGenerated\r\n| join kind= leftouter ( \r\nData\r\n| where Status ==\"Failure\"\r\n| make-series FailureTrend = count() default =0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SentinelResourceId\r\n) on SentinelResourceId\r\n| project-away SentinelResourceId1, TimeGenerated\r\n| join kind= leftouter (\r\nData\r\n| where Status ==\"Warning\"\r\n| make-series WarningTrend = count() default =0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SentinelResourceId\r\n) on SentinelResourceId\r\n| project-away SentinelResourceId1, TimeGenerated\r\n| join kind= leftouter ( \r\nData\r\n| where Status ==\"Informational\"\r\n| make-series InformationalTrend = count() default =0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SentinelResourceId\r\n) on SentinelResourceId\r\n| project-away SentinelResourceId1, TimeGenerated\r\n| order by SentinelResourceName asc\r\n| project-rename RuleName=SentinelResourceName",
|
||||
"query": "let Data = ( \r\n_SentinelHealth()\r\n| where SentinelResourceKind in ({RuleType})\r\n| where Status in ({Status})\r\n| where Reason in ({Reason})\r\n);\r\nData\r\n| summarize arg_max(TimeGenerated,*) by SentinelResourceId\r\n| project SentinelResourceId, SentinelResourceName,Type=SentinelResourceKind, LastStatus=Status,LastStatusDateTime=TimeGenerated\r\n| join kind= leftouter ( \r\nData\r\n| where Status ==\"Success\"\r\n| make-series SuccessTrend = count() default =0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SentinelResourceId\r\n) on SentinelResourceId\r\n| project-away SentinelResourceId1, TimeGenerated\r\n| join kind= leftouter ( \r\nData\r\n| where Status ==\"Failure\"\r\n| make-series FailureTrend = count() default =0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SentinelResourceId\r\n) on SentinelResourceId\r\n| project-away SentinelResourceId1, TimeGenerated\r\n| join kind= leftouter (\r\nData\r\n| where Status ==\"Warning\"\r\n| make-series WarningTrend = count() default =0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SentinelResourceId\r\n) on SentinelResourceId\r\n| project-away SentinelResourceId1, TimeGenerated\r\n| join kind= leftouter ( \r\nData\r\n| where Status ==\"Informational\"\r\n| make-series InformationalTrend = count() default =0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SentinelResourceId\r\n) on SentinelResourceId\r\n| project-away SentinelResourceId1, TimeGenerated\r\n| order by SentinelResourceName asc\r\n| project-rename RuleName=SentinelResourceName",
|
||||
"size": 0,
|
||||
"title": "Analytics rule by Status and Trending",
|
||||
"timeContextFromParameter": "TimeBrush",
|
||||
|
@ -1425,7 +1425,7 @@
|
|||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "SentinelHealth\r\n| where SentinelResourceKind in ({RuleType})\r\n| where Status in ({Status})\r\n| where Reason in ({Reason})\r\n| where SentinelResourceId ==\"{SentinelResourceId}\"\r\n| project TimeGenerated, RuleName=SentinelResourceName, Status, Type=SentinelResourceKind, Description, Reason",
|
||||
"query": "_SentinelHealth()\r\n| where SentinelResourceKind in ({RuleType})\r\n| where Status in ({Status})\r\n| where Reason in ({Reason})\r\n| where SentinelResourceId ==\"{SentinelResourceId}\"\r\n| project TimeGenerated, RuleName=SentinelResourceName, Status, Type=SentinelResourceKind, Description, Reason",
|
||||
"size": 0,
|
||||
"title": "Health details for Analytics rule : - {RuleName}",
|
||||
"timeContextFromParameter": "TimeBrush",
|
||||
|
@ -1526,7 +1526,7 @@
|
|||
"multiSelect": true,
|
||||
"quote": "'",
|
||||
"delimiter": ",",
|
||||
"query": "SentinelAudit\r\n| where SentinelResourceType ==\"Analytic Rule\"\r\n| distinct SentinelResourceKind",
|
||||
"query": "_SentinelAudit()\r\n| where SentinelResourceType ==\"Analytic Rule\"\r\n| distinct SentinelResourceKind",
|
||||
"crossComponentResources": [
|
||||
"{Workspace}"
|
||||
],
|
||||
|
@ -1571,7 +1571,7 @@
|
|||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "SentinelAudit\r\n| where SentinelResourceType ==\"Analytic Rule\"\r\n| where SentinelResourceKind in ({AuditRuleType})\r\n| summarize count() by Description, bin(TimeGenerated,1h)\r\n",
|
||||
"query": "_SentinelAudit()\r\n| where SentinelResourceType ==\"Analytic Rule\"\r\n| where SentinelResourceKind in ({AuditRuleType})\r\n| summarize count() by Description, bin(TimeGenerated,1h)\r\n",
|
||||
"size": 0,
|
||||
"title": "Analytics rule audit trending by activity",
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
|
@ -1613,7 +1613,7 @@
|
|||
"multiSelect": true,
|
||||
"quote": "'",
|
||||
"delimiter": ",",
|
||||
"query": "SentinelAudit\r\n| where SentinelResourceType ==\"Analytic Rule\"\r\n| where SentinelResourceKind in ({AuditRuleType})\r\n| distinct Description",
|
||||
"query": "_SentinelAudit()\r\n| where SentinelResourceType ==\"Analytic Rule\"\r\n| where SentinelResourceKind in ({AuditRuleType})\r\n| distinct Description",
|
||||
"crossComponentResources": [
|
||||
"{Workspace}"
|
||||
],
|
||||
|
@ -1642,7 +1642,7 @@
|
|||
"multiSelect": true,
|
||||
"quote": "'",
|
||||
"delimiter": ",",
|
||||
"query": "SentinelAudit\r\n| where SentinelResourceType ==\"Analytic Rule\"\r\n| where SentinelResourceKind in ({AuditRuleType})\r\n| where Description in ({Description})\r\n| extend Caller= tostring(ExtendedProperties.CallerName)\r\n| distinct Caller",
|
||||
"query": "_SentinelAudit()\r\n| where SentinelResourceType ==\"Analytic Rule\"\r\n| where SentinelResourceKind in ({AuditRuleType})\r\n| where Description in ({Description})\r\n| extend Caller= tostring(ExtendedProperties.CallerName)\r\n| distinct Caller",
|
||||
"crossComponentResources": [
|
||||
"{Workspace}"
|
||||
],
|
||||
|
@ -1671,7 +1671,7 @@
|
|||
"multiSelect": true,
|
||||
"quote": "'",
|
||||
"delimiter": ",",
|
||||
"query": "SentinelAudit\r\n| where SentinelResourceType ==\"Analytic Rule\"\r\n| where SentinelResourceKind in ({AuditRuleType})\r\n| where Description in ({Description})\r\n| extend Caller= tostring(ExtendedProperties.CallerName)\r\n| where Caller in ({Caller})\r\n| extend SentinelResourceId = tostring(ExtendedProperties.ResourceId)\r\n| distinct SentinelResourceId",
|
||||
"query": "_SentinelAudit()\r\n| where SentinelResourceType ==\"Analytic Rule\"\r\n| where SentinelResourceKind in ({AuditRuleType})\r\n| where Description in ({Description})\r\n| extend Caller= tostring(ExtendedProperties.CallerName)\r\n| where Caller in ({Caller})\r\n| extend SentinelResourceId = tostring(ExtendedProperties.ResourceId)\r\n| distinct SentinelResourceId",
|
||||
"crossComponentResources": [
|
||||
"{Workspace}"
|
||||
],
|
||||
|
@ -1714,7 +1714,7 @@
|
|||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "let Data =(\r\nSentinelAudit\r\n| where SentinelResourceType ==\"Analytic Rule\"\r\n| where SentinelResourceKind in ({AuditRuleType})\r\n| extend Caller= tostring(ExtendedProperties.CallerName)\r\n| where Caller in ({Caller})\r\n);\r\nlet Total =(\r\nData \r\n| summarize Total=count() by Description);\r\nlet Scheduled=(\r\nData\r\n| where SentinelResourceKind == \"Scheduled\"\r\n| summarize Scheduled =count() by Description);\r\nlet NRT=(\r\nData\r\n| where SentinelResourceKind == \"NRT\"\r\n| summarize NRT =count() by Description);\r\nlet MLBehaviorAnalytics=(\r\nData\r\n| where SentinelResourceKind == \"MLBehaviorAnalytics\"\r\n| summarize MLBehaviorAnalytics =count() by Description);\r\nlet MicrosoftSecurityIncidentCreation=(\r\nData\r\n| where SentinelResourceKind == \"MicrosoftSecurityIncidentCreation\"\r\n| summarize MicrosoftSecurityIncidentCreation =count() by Description);\r\nlet ThreatIntelligence=(\r\nData\r\n| where SentinelResourceKind == \"ThreatIntelligence\"\r\n| summarize ThreatIntelligence =count() by Description);\r\nlet Fusion=(\r\nData\r\n| where SentinelResourceKind == \"Fusion\"\r\n| summarize Fusion =count() by Description);\r\nunion Total, Scheduled, NRT, MLBehaviorAnalytics, MicrosoftSecurityIncidentCreation, ThreatIntelligence, Fusion\r\n| summarize TotalEvents= sum(Total), Scheduled= sum(Scheduled), NRT=sum(NRT), MLBehaviorAnalytics=sum(MLBehaviorAnalytics), MicrosoftSecurityIncidentCreation= sum(MicrosoftSecurityIncidentCreation), ThreatIntelligence=sum(ThreatIntelligence), Fusion=sum(Fusion) by Description\r\n| extend DescriptionText = strcat(\"'\",Description,\"'\")\r\n",
|
||||
"query": "let Data =(\r\n_SentinelAudit()\r\n| where SentinelResourceType ==\"Analytic Rule\"\r\n| where SentinelResourceKind in ({AuditRuleType})\r\n| extend Caller= tostring(ExtendedProperties.CallerName)\r\n| where Caller in ({Caller})\r\n);\r\nlet Total =(\r\nData \r\n| summarize Total=count() by Description);\r\nlet Scheduled=(\r\nData\r\n| where SentinelResourceKind == \"Scheduled\"\r\n| summarize Scheduled =count() by Description);\r\nlet NRT=(\r\nData\r\n| where SentinelResourceKind == \"NRT\"\r\n| summarize NRT =count() by Description);\r\nlet MLBehaviorAnalytics=(\r\nData\r\n| where SentinelResourceKind == \"MLBehaviorAnalytics\"\r\n| summarize MLBehaviorAnalytics =count() by Description);\r\nlet MicrosoftSecurityIncidentCreation=(\r\nData\r\n| where SentinelResourceKind == \"MicrosoftSecurityIncidentCreation\"\r\n| summarize MicrosoftSecurityIncidentCreation =count() by Description);\r\nlet ThreatIntelligence=(\r\nData\r\n| where SentinelResourceKind == \"ThreatIntelligence\"\r\n| summarize ThreatIntelligence =count() by Description);\r\nlet Fusion=(\r\nData\r\n| where SentinelResourceKind == \"Fusion\"\r\n| summarize Fusion =count() by Description);\r\nunion Total, Scheduled, NRT, MLBehaviorAnalytics, MicrosoftSecurityIncidentCreation, ThreatIntelligence, Fusion\r\n| summarize TotalEvents= sum(Total), Scheduled= sum(Scheduled), NRT=sum(NRT), MLBehaviorAnalytics=sum(MLBehaviorAnalytics), MicrosoftSecurityIncidentCreation= sum(MicrosoftSecurityIncidentCreation), ThreatIntelligence=sum(ThreatIntelligence), Fusion=sum(Fusion) by Description\r\n| extend DescriptionText = strcat(\"'\",Description,\"'\")\r\n",
|
||||
"size": 1,
|
||||
"title": "Number of audit event by Activity and Rule type",
|
||||
"timeContextFromParameter": "TimeBrushAudit",
|
||||
|
@ -1849,7 +1849,7 @@
|
|||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "SentinelAudit\r\n| where SentinelResourceType ==\"Analytic Rule\"\r\n| where SentinelResourceKind in ({AuditRuleType})\r\n| where Description in ({Description})\r\n| extend Caller= tostring(ExtendedProperties.CallerName)\r\n| where Caller in ({Caller})\r\n| extend SentinelResourceId = tostring(ExtendedProperties.ResourceId)\r\n| where SentinelResourceId in ({AuditSentinelResourceId})\r\n| summarize TotalEvents = count() by SentinelResourceId, RuleName=SentinelResourceName, Type=SentinelResourceKind\r\n| extend AuditSentinelResourceIdText = strcat(\"'\",SentinelResourceId,\"'\")",
|
||||
"query": "_SentinelAudit()\r\n| where SentinelResourceType ==\"Analytic Rule\"\r\n| where SentinelResourceKind in ({AuditRuleType})\r\n| where Description in ({Description})\r\n| extend Caller= tostring(ExtendedProperties.CallerName)\r\n| where Caller in ({Caller})\r\n| extend SentinelResourceId = tostring(ExtendedProperties.ResourceId)\r\n| where SentinelResourceId in ({AuditSentinelResourceId})\r\n| summarize TotalEvents = count() by SentinelResourceId, RuleName=SentinelResourceName, Type=SentinelResourceKind\r\n| extend AuditSentinelResourceIdText = strcat(\"'\",SentinelResourceId,\"'\")",
|
||||
"size": 0,
|
||||
"title": "Audit activity by Rule name",
|
||||
"timeContextFromParameter": "TimeBrushAudit",
|
||||
|
@ -1922,7 +1922,7 @@
|
|||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "SentinelAudit\r\n| where SentinelResourceType ==\"Analytic Rule\"\r\n| where SentinelResourceKind in ({AuditRuleType})\r\n| where Description in ({Description})\r\n| extend Caller= tostring(ExtendedProperties.CallerName)\r\n| extend SentinelResourceId = tostring(ExtendedProperties.ResourceId)\r\n| where SentinelResourceId in ({AuditSentinelResourceId})\r\n| summarize TotalEvents = count() by Caller\r\n",
|
||||
"query": "_SentinelAudit()\r\n| where SentinelResourceType ==\"Analytic Rule\"\r\n| where SentinelResourceKind in ({AuditRuleType})\r\n| where Description in ({Description})\r\n| extend Caller= tostring(ExtendedProperties.CallerName)\r\n| extend SentinelResourceId = tostring(ExtendedProperties.ResourceId)\r\n| where SentinelResourceId in ({AuditSentinelResourceId})\r\n| summarize TotalEvents = count() by Caller\r\n",
|
||||
"size": 4,
|
||||
"title": "Audit activity by Caller",
|
||||
"timeContextFromParameter": "TimeBrushAudit",
|
||||
|
@ -1962,7 +1962,7 @@
|
|||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "SentinelAudit\r\n| where SentinelResourceType ==\"Analytic Rule\"\r\n| extend SentinelResourceId = tostring(ExtendedProperties.ResourceId)\r\n| where SentinelResourceId in ({AuditSentinelResourceId})\r\n| project TimeGenerated, SentinelResourceName, Status, Description, SentinelResourceKind, ExtendedProperties",
|
||||
"query": "_SentinelAudit()\r\n| where SentinelResourceType ==\"Analytic Rule\"\r\n| extend SentinelResourceId = tostring(ExtendedProperties.ResourceId)\r\n| where SentinelResourceId in ({AuditSentinelResourceId})\r\n| project TimeGenerated, SentinelResourceName, Status, Description, SentinelResourceKind, ExtendedProperties",
|
||||
"size": 0,
|
||||
"title": "Audit activity for rule: - {AuditSelectedRuleName}",
|
||||
"timeContextFromParameter": "TimeBrushAudit",
|
||||
|
|