modified workbook to include parsing for additional action types

This commit is contained in:
sean.macdonald 2024-02-05 16:02:33 -08:00
Родитель bc043b8035
Коммит 4f1e426773
1 изменённых файлов: 24 добавлений и 4 удалений


@ -1822,7 +1822,7 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "darktrace_model_alerts_CL\n| where dtProduct_s == \"Antigena Email\"\n| extend Actions = parse_json(actions_s)\n| extend Hold_Email=set_has_element(Actions, \"Hold\")\n| extend Junk_Email=set_has_element(Actions, \"Move to Junk\")\n| extend Lock_Link=set_has_element(Actions, \"Lock All Links\")\n| extend Double_Lock_Link=set_has_element(Actions, \"Double Lock All Links\")\n| extend Strip_Attachment=set_has_element(Actions, \"Stip All Attachments\")\n| extend Convert_Attachment=set_has_element(Actions, \"Convert All Attachments\")\n| extend Unspoof=set_has_element(Actions, \"Unspoof\")\n| extend XAxis=set_has_element(Actions, \"Unspoof\")\n| summarize XAxis=countif(XAxis == true), Hold_Email=countif(Hold_Email == true), Junk_Email=countif(Junk_Email == true), Lock_Link=countif(Lock_Link == true), Double_Lock_Link=countif(Double_Lock_Link == true), Convert_Attachment=countif(Convert_Attachment == true), Strip_Attachment=countif(Strip_Attachment == true), Unspoof=countif(Unspoof == true)",
"query": "darktrace_model_alerts_CL\n| where dtProduct_s == \"Antigena Email\"\n| extend Actions = parse_json(actions_s)\n| extend Hold_Email=set_has_element(Actions, \"Hold\")\n| extend Junk_Email=set_has_element(Actions, \"Move to Junk\")\n| extend Lock_Link=set_has_element(Actions, \"Lock Link\")\n| extend Lock_All_Links=set_has_element(Actions, \"Lock All Links\")\n| extend Double_Lock_Link=set_has_element(Actions, \"Double Lock Link\")\n| extend Double_Lock_All_Links=set_has_element(Actions, \"Double Lock All Links\")\n| extend Strip_Attachment=set_has_element(Actions, \"Stip Attachment\")\n| extend Strip_All_Attachments=set_has_element(Actions, \"Strip All Attachments\")\n| extend Convert_Attachment=set_has_element(Actions, \"Convert Attachment\")\n| extend Convert_All_Attachments=set_has_element(Actions, \"Convert All Attachments\")\n| extend Unspoof=set_has_element(Actions, \"Unspoof\")\n| extend XAxis=set_has_element(Actions, \"Unspoof\")\n| summarize XAxis=countif(XAxis == true), Hold_Email=countif(Hold_Email == true), Junk_Email=countif(Junk_Email == true), Lock_Link=countif(Lock_Link == true), Lock_All_Links=countif(Lock_All_Links == true), Double_Lock_Link=countif(Double_Lock_Link == true), Double_Lock_All_Links=countif(Double_Lock_All_Links == true), Convert_Attachment=countif(Convert_Attachment == true), Convert_All_Attachments=countif(Convert_All_Attachments == true), Strip_Attachment=countif(Strip_Attachment == true), Strip_All_Attachments=countif(Strip_All_Attachments == true), Unspoof=countif(Unspoof == true)",
"size": 0,
"title": "Total Actions Taken",
"timeContextFromParameter": "Timeframe",
@ -1864,17 +1864,17 @@
{
"seriesName": "Double_Lock_Link",
"label": "Double Lock Link",
"color": "blueDark"
"color": "green"
},
{
"seriesName": "Strip_Attachment",
"label": "Strip Attachment",
"color": "greenDarkDark"
"color": "purple"
},
{
"seriesName": "Convert_Attachment",
"label": "Convert Attachment",
"color": "green"
"color": "orange"
},
{
"seriesName": "Unspoof",
@ -1885,6 +1885,26 @@
"seriesName": "Hold_Email",
"label": "Hold Email",
"color": "redDark"
},
{
"seriesName": "Lock_All_Links",
"label": "Lock All Links",
"color": "blueDark"
},
{
"seriesName": "Double_Lock_All_Links",
"label": "Double Lock All Links",
"color": "greenDark"
},
{
"seriesName": "Convert_All_Attachments",
"label": "Convert All Attachments",
"color": "orangeDark"
},
{
"seriesName": "Strip_All_Attachments",
"label": "Strip All Attachments",
"color": "purpleDark"
}
]
},
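Review bot: The single-attachment check in the new query still carries the typo `"Stip Attachment"`, so `Strip_Attachment` can never match and that series (labelled "Strip Attachment" in the chart settings below) will always report zero, silently under-counting a remediation action this tile is meant to surface; it should read `| extend Strip_Attachment=set_has_element(Actions, "Strip Attachment")`. The commit corrected the same misspelling only in the "Strip All Attachments" variant. The other action-name literals are vendor-defined strings I cannot verify from here, so it is worth confirming each against live data before trusting the counts, e.g. `darktrace_model_alerts_CL | where dtProduct_s == "Antigena Email" | mv-expand Action = parse_json(actions_s) | summarize count() by tostring(Action)`, which also exposes any action names the workbook does not yet parse. Separately, `XAxis` is derived from the same `"Unspoof"` test as `Unspoof`, which looks like a copy-paste remnant rather than an intended axis value; it predates this change but deserves either a comment or a fix while this query is being touched.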