Added Anomaly Visualization Workbook and Anomaly Data workbook (#5226)

* Added Anomaly Visualization Workbook and Anomaly Data workbook

* Update Anomalies Visualization to show latest Anomalies

Update Anomalies Visualization to show latest Anomalies

* Update Workbook Metadata dataType Dependencies

Update Workbook Metadata dataType Dependencies with Anomalies table

* Update Workbook keys of new workbooks
Jean Park 2022-06-16 22:06:56 -07:00 коммит произвёл GitHub
Родитель 25b758a907
Коммит 5f5b87f18d
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 4AEE18F83AFDEB23
7 изменённых файлов: 575 добавлений и 0 удалений


@ -0,0 +1,416 @@
{
"version": "Notebook/1.0",
"items": [
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "Anomaly Summary",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityIncident \r\n| mv-expand AlertIds\r\n| extend AlertIds = tostring(AlertIds)\r\n| join \r\n(\r\n SecurityAlert\r\n) on $left.AlertIds == $right.SystemAlertId\r\n| where AlertType == '8ecf8077-cf51-4820-aadd-14040956f35d_212ef723-bb93-4450-8ef5-166c43dc6e57'\r\n| summarize by ProviderIncidentId, TenantId\r\n| count",
"size": 4,
"title": "Incidents with Anomalies",
"timeContext": {
"durationMs": 2592000000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"tileSettings": {
"titleContent": {},
"leftContent": {
"columnMatch": "Count",
"formatter": 3,
"formatOptions": {
"palette": "blue"
}
},
"showBorder": false
}
},
"customWidth": "20",
"name": "query - 4"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Anomalies\r\n| count",
"size": 4,
"title": "Anomalies",
"timeContext": {
"durationMs": 2592000000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"tileSettings": {
"titleContent": {},
"leftContent": {
"columnMatch": "Count",
"formatter": 3,
"formatOptions": {
"palette": "blue"
}
},
"showBorder": false
}
},
"customWidth": "20",
"name": "Anomalies"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Anomalies\r\n| where tostring(Entities) contains '\"Type\":\"host\"'\r\n| count",
"size": 4,
"title": "Anomalies by Host",
"timeContext": {
"durationMs": 2592000000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"tileSettings": {
"titleContent": {},
"leftContent": {
"columnMatch": "Count",
"formatter": 3,
"formatOptions": {
"palette": "blue"
}
},
"showBorder": false
}
},
"customWidth": "20",
"name": "query - 2"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Anomalies\r\n| where tostring(Entities) contains '\"Type\":\"account\"'\r\n| count",
"size": 4,
"title": "Anomalies by Account",
"timeContext": {
"durationMs": 2592000000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"tileSettings": {
"titleContent": {},
"leftContent": {
"columnMatch": "Count",
"formatter": 3,
"formatOptions": {
"palette": "blue"
}
},
"showBorder": false
}
},
"customWidth": "20",
"name": "query - 2 - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Anomalies\r\n| where tostring(Entities) contains '\"Type\":\"ip\"'\r\n| count",
"size": 4,
"title": "Anomalies by IP",
"timeContext": {
"durationMs": 2592000000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"tileSettings": {
"titleContent": {},
"leftContent": {
"columnMatch": "Count",
"formatter": 3,
"formatOptions": {
"palette": "blue"
}
},
"showBorder": false
}
},
"customWidth": "20",
"name": "query - 2 - Copy - Copy"
}
]
},
"name": "Anomaly Summary"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let incidentIdList = SecurityIncident \r\n| mv-expand AlertIds\r\n| extend AlertIds = tostring(AlertIds)\r\n| join SecurityAlert on $left.AlertIds == $right.SystemAlertId\r\n| where AlertType == '8ecf8077-cf51-4820-aadd-14040956f35d_212ef723-bb93-4450-8ef5-166c43dc6e57'\r\n| summarize by ProviderIncidentId, TenantId;\r\nSecurityIncident\r\n| join kind=innerunique incidentIdList on ProviderIncidentId, TenantId\r\n| project-away ProviderIncidentId1, TenantId1\r\n| project Title, IncidentUrl, TimeGenerated, IncidentName, Description, Severity, Status, Classification, ClassificationComment, ClassificationReason, Owner, ProviderName, ProviderIncidentId, FirstActivityTime, LastActivityTime, FirstModifiedTime, LastModifiedTime, CreatedTime, ClosedTime, IncidentNumber, RelatedAnalyticRuleIds, AlertIds, BookmarkIds, Comments, Labels, AdditionalData, ModifiedBy, SourceSystem\r\n| order by TimeGenerated desc",
"size": 0,
"title": "Incidents",
"timeContext": {
"durationMs": 2592000000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"sortBy": [
{
"itemKey": "IncidentName",
"sortOrder": 2
}
]
},
"sortBy": [
{
"itemKey": "IncidentName",
"sortOrder": 2
}
]
},
"customWidth": "50",
"name": "query - 2"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Anomalies \r\n| project TimeGenerated, Id, AnomalyTemplateName, AnomalyTemplateId, AnomalyTemplateVersion, WorkspaceId, VendorName, RuleId, RuleStatus, RuleName, RuleConfigVersion, Score, Description, StartTime, EndTime, ExtendedLinks, Tactics, Techniques, UserName, UserPrincipalName, SourceIpAddress, SourceLocation, SourceDevice, DestinationIpAddress, DestinationLocation, DestinationDevice, ActivityInsights, DeviceInsights, UserInsights, AnomalyReasons, Entities, ExtendedProperties, AnomalyDetails, SourceSystem \r\n| order by TimeGenerated desc",
"size": 0,
"title": "Latest Anomalies (Last 7 Days)",
"timeContext": {
"durationMs": 604800000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"customWidth": "50",
"name": "Latest Anomalies"
}
]
},
"name": "group - 3"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Anomalies\r\n| extend AnomalyType = AnomalyTemplateName\r\n| summarize count() by AnomalyType\r\n| sort by count_ desc",
"size": 0,
"timeContext": {
"durationMs": 2592000000
},
"exportFieldName": "AnomalyType",
"exportParameterName": "AnomalyType",
"exportDefaultValue": "*",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"filter": true
}
},
"customWidth": "25",
"name": "query - 0"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let AnomalyTypeString_ = trim('\"', '{AnomalyType}');\r\nAnomalies\r\n| where AnomalyTemplateName == iif(AnomalyTypeString_ == '*', AnomalyTemplateName, AnomalyTypeString_)\r\n| summarize count() by bin(TimeGenerated, 1h)",
"size": 0,
"title": "Anomalies Trend",
"timeContext": {
"durationMs": 2592000000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "areachart"
},
"customWidth": "75",
"name": "query - 2"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let AnomalyTypeString_ = trim('\"', '{AnomalyType}');\r\nAnomalies\r\n| where AnomalyTemplateName == iif(AnomalyTypeString_ == '*', AnomalyTemplateName, AnomalyTypeString_)\r\n| extend idParam = strcat('\"id\":', Id)\r\n| sort by Score desc\r\n| project Id, AnomalyTemplateName, Entities, Description, StartTime, EndTime, Score, idParam\r\n",
"size": 0,
"timeContext": {
"durationMs": 2592000000
},
"exportedParameters": [
{
"fieldName": "Id",
"parameterName": "AnomalyId",
"parameterType": 1
},
{
"fieldName": "AnomalyTemplateName",
"parameterName": "AnomalyTemplateName",
"parameterType": 1
},
{
"fieldName": "Description",
"parameterName": "AnomalyDescription",
"parameterType": 1
},
{
"fieldName": "StartTime",
"parameterName": "StartTime",
"parameterType": 1
}
],
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "Id",
"formatter": 5
},
{
"columnMatch": "AnomalyTemplateName",
"formatter": 7,
"formatOptions": {
"linkTarget": "WorkbookTemplate",
"linkLabel": "",
"workbookContext": {
"componentIdSource": "workbook",
"resourceIdsSource": "workbook",
"templateIdSource": "static",
"templateId": "<PlaceHolder, please update to anomaly data workbook or workbook of choice>",
"typeSource": "workbook",
"gallerySource": "workbook",
"locationSource": "default",
"passSpecificParams": true,
"templateParameters": [
{
"name": "Id",
"source": "column",
"value": "Id"
},
{
"name": "Description",
"source": "column",
"value": "Description"
},
{
"name": "AnomalyTemplateName",
"source": "column",
"value": "AnomalyTemplateName"
},
{
"name": "StartTime",
"source": "column",
"value": "StartTime"
},
{
"name": "EndTime",
"source": "column",
"value": "EndTime"
}
]
},
"bladeOpenContext": {
"bladeName": "UsageNotebookBlade",
"extensionName": "AppInsightsExtension",
"bladeParameters": [
{
"name": "ComponentId",
"source": "static",
"value": "<PlaceHolder, please update to anomaly data workbook or workbook of choice>"
},
{
"name": "ConfigurationId",
"source": "static",
"value": "<PlaceHolder, please update to anomaly data workbook or workbook of choice>"
},
{
"name": "Type",
"source": "static",
"value": "sentinel"
},
{
"name": "WorkbookTemplateName",
"source": "static",
"value": "Anomaly Data Workbook"
},
{
"name": "NotebookParams",
"source": "column",
"value": "idParam"
}
]
}
}
},
{
"columnMatch": "Description",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "70ch"
}
},
{
"columnMatch": "EndTime",
"formatter": 5
},
{
"columnMatch": "Score",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "8ch"
}
},
{
"columnMatch": "idParam",
"formatter": 5
}
],
"sortBy": [
{
"itemKey": "Score",
"sortOrder": 2
}
]
},
"sortBy": [
{
"itemKey": "Score",
"sortOrder": 2
}
]
},
"name": "query - 1"
}
]
},
"name": "group - 1"
}
],
"fromTemplateId": "sentinel-AnomaliesVisualizationWorkbook",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}
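Review bot: The AnomalyTemplateName link formatter ships with literal placeholders — `templateId`, `ComponentId` and `ConfigurationId` are all `<PlaceHolder, please update to anomaly data workbook or workbook of choice>` — so in the published template every click on that column opens a workbook blade with an invalid id, and a gallery user has no way to repair it. Since the AnomalyData workbook is added in the same commit, either point these three values at it (its `fromTemplateId` is `sentinel-AnomalyDataWorkbook`) or drop the `"formatter": 7` entry until the ids are known. Separately, the three "Anomalies by Host/Account/IP" tiles count with `tostring(Entities) contains '\"Type\":\"host\"'`, a case-insensitive substring match over serialized JSON that also depends on the serializer emitting no whitespace; `Anomalies | mv-expand Entities | where tostring(Entities.Type) == 'host' | distinct Id | count` reads the field instead of the text — confirm the Entities column shape before switching. The item names `query - 2 - Copy` and `query - 2 - Copy - Copy` would also be clearer as `Anomalies by Account` and `Anomalies by IP`.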

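--- /dev/null
+++ b/Workbooks/AnomalyData.json
@@ -0,0 +1,133 @@
+{
+"version": "Notebook/1.0",
+"items": [
+{
+"type": 9,
+"content": {
+"version": "KqlParameterItem/1.0",
+"parameters": [
+{
+"id": "b4bca4a8-7fef-494e-9dd0-5ccd77fee390",
+"version": "KqlParameterItem/1.0",
+"name": "Id",
+"type": 1,
+"isGlobal": true,
+"timeContext": {
+"durationMs": 86400000
+},
+"value": "85ff04bc-c150-4444-8e2a-48f39679c785"
+},
+{
+"id": "d4383faf-970a-42d3-acbb-29c0445c615b",
+"version": "KqlParameterItem/1.0",
+"name": "AnomalyTemplateName",
+"type": 1,
+"isGlobal": true,
+"timeContext": {
+"durationMs": 86400000
+},
+"value": "(Preview) UEBA Anomalous Account Creation"
+},
+{
+"id": "7fc9760f-8718-47b9-9e00-de6e7da6a6f1",
+"version": "KqlParameterItem/1.0",
+"name": "Description",
+"type": 1,
+"isGlobal": true,
+"value": "91f40573-5825-407e-90ad-32c68bbe5f5d's account Performed a UserManagement action, Add user (490826a1-e130-4d0a-b119-9501012b4bd4@contosohotelb2corgp1.onmicrosoft.com). from quincy, united states From IP address 40.126.26.160 "
+},
+{
+"id": "79c838d7-e4f0-46cb-bf3b-e19c52a75609",
+"version": "KqlParameterItem/1.0",
+"name": "StartTime",
+"type": 1,
+"isGlobal": true,
+"value": "2022-05-19T19:31:20Z"
+},
+{
+"id": "014cb5c1-87ca-4dd7-b081-8877734abc20",
+"version": "KqlParameterItem/1.0",
+"name": "EndTime",
+"type": 1,
+"isGlobal": true,
+"value": "2022-05-19T19:31:20Z"
+}
+],
+"style": "pills",
+"queryType": 0,
+"resourceType": "microsoft.operationalinsights/workspaces"
+},
+"name": "parameters - 5"
+},
+{
+"type": 1,
+"content": {
+"json": "## {AnomalyTemplateName}\r\n\r\n{Description}\r\n\r\n**Start Date**: {StartTime} \r\n**End Date**: {EndTime}"
+},
+"name": "text - 1"
+},
+{
+"type": 3,
+"content": {
+"version": "KqlItem/1.0",
+"query": "Anomalies\r\n| where Id == '{Id}'\r\n| mv-expand Entities\r\n| project Entities\r\n| evaluate bag_unpack(Entities, columnsConflict='replace_source')",
+"size": 1,
+"title": "Entities",
+"timeContext": {
+"durationMs": 2592000000
+},
+"queryType": 0,
+"resourceType": "microsoft.operationalinsights/workspaces"
+},
+"name": "query - 4"
+},
+{
+"type": 3,
+"content": {
+"version": "KqlItem/1.0",
+"query": "Anomalies\r\n| where AnomalyTemplateName == '{AnomalyTemplateName}'\r\n| summarize count() by bin(TimeGenerated, 1h)",
+"size": 0,
+"title": "Anomaly Job Trend",
+"timeContext": {
+"durationMs": 2592000000
+},
+"queryType": 0,
+"resourceType": "microsoft.operationalinsights/workspaces",
+"visualization": "areachart"
+},
+"name": "query - 4"
+},
+{
+"type": 3,
+"content": {
+"version": "KqlItem/1.0",
+"query": "let fusionAlert = SecurityAlert\r\n| extend extendedPropertiesDict = parse_json(ExtendedProperties)\r\n| extend originalSystemAlertId = extendedPropertiesDict['OriginalSystemAlertId']\r\n| where originalSystemAlertId == '{Id}';\r\nlet incidentIdList = SecurityIncident \r\n| mv-expand AlertIds\r\n| extend AlertIds = tostring(AlertIds)\r\n| join fusionAlert on $left.AlertIds == $right.SystemAlertId\r\n| summarize by ProviderIncidentId, TenantId;\r\nSecurityIncident\r\n| join kind=innerunique incidentIdList on ProviderIncidentId, TenantId\r\n| project-away ProviderIncidentId1, TenantId1\r\n| project Title, IncidentUrl, TimeGenerated, IncidentName, Description, Severity, Status, Classification, ClassificationComment, ClassificationReason, Owner, ProviderName, ProviderIncidentId, FirstActivityTime, LastActivityTime, FirstModifiedTime, LastModifiedTime, CreatedTime, ClosedTime, IncidentNumber, RelatedAnalyticRuleIds, AlertIds, BookmarkIds, Comments, Labels, AdditionalData, ModifiedBy, SourceSystem\r\n| order by TimeGenerated desc",
+"size": 0,
+"title": "Related Incidents",
+"timeContext": {
+"durationMs": 2592000000
+},
+"queryType": 0,
+"resourceType": "microsoft.operationalinsights/workspaces"
+},
+"name": "query - 5"
+},
+{
+"type": 3,
+"content": {
+"version": "KqlItem/1.0",
+"query": "let fusionAlert = SecurityAlert\r\n| extend extendedPropertiesDict = parse_json(ExtendedProperties)\r\n| extend originalSystemAlertId = extendedPropertiesDict['OriginalSystemAlertId']\r\n| where originalSystemAlertId == '{Id}';\r\nlet incidentIdList = SecurityIncident \r\n| mv-expand AlertIds\r\n| extend AlertIds = tostring(AlertIds)\r\n| join fusionAlert on $left.AlertIds == $right.SystemAlertId\r\n| summarize by ProviderIncidentId, TenantId;\r\nlet uniqueIncidentIdList = SecurityIncident\r\n| join kind=innerunique incidentIdList on ProviderIncidentId, TenantId;\r\nlet incidentBookmarkIds = uniqueIncidentIdList\r\n| mv-expand BookmarkIds\r\n| project BookmarkId = tostring(BookmarkIds);\r\nHuntingBookmark\r\n| join incidentBookmarkIds on BookmarkId;",
+"size": 0,
+"title": "Related Hunting Bookmarks",
+"timeContext": {
+"durationMs": 2592000000
+},
+"queryType": 0,
+"resourceType": "microsoft.operationalinsights/workspaces"
+},
+"name": "query - 5"
+}
+],
+"fromTemplateId": "sentinel-AnomalyDataWorkbook",
+"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
+}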
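Review bot: The default parameter values at the top of the file carry what look like records lifted from a live test tenant — a user object id, a UPN under `contosohotelb2corgp1.onmicrosoft.com`, a city and the address `40.126.26.160` inside the `Description` default, plus a concrete anomaly `Id` — and a gallery template should not embed environment data, however innocuous the tenant appears to be. These five parameters are meant to arrive through `NotebookParams` from the visualization workbook, so `"value": ""` (or omitting `value` entirely) loses nothing and keeps the sample data out of every deployment. The `EndTime` default equalling `StartTime` suggests the values were pasted from one row rather than authored, which is a further reason to blank them. The two trend/entity items are both named `query - 4` and the last two both `query - 5`; unique `name` values such as `Entities`, `Anomaly Job Trend`, `Related Incidents` and `Related Hunting Bookmarks` make the items addressable from other items and conditional visibility rules.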

Двоичные данные
Workbooks/Images/Preview/AnomaliesVisualizationWorkbookBlack.png Normal file


Двоичные данные
Workbooks/Images/Preview/AnomaliesVisualizationWorkbookWhite.png Normal file


Двоичные данные
Workbooks/Images/Preview/AnomalyDataWorkbookBlack.png Normal file


Двоичные данные
Workbooks/Images/Preview/AnomalyDataWorkbookWhite.png Normal file



@ -1612,5 +1612,31 @@
"templateRelativePath": "microsoftdefenderforidentity.json",
"subtitle": "",
"provider": "Microsoft Sentinel Community"
},
{
"workbookKey": "AnomaliesVisualizationWorkbook",
"logoFileName": "",
"description": "A workbook that provides contextual information to a user for better insight on Anomalies and their impact. The workbook will help with investigation of anomalies as well as identify patterns that can lead to a threat.",
"dataTypesDependencies": ["Anomalies"],
"dataConnectorsDependencies": [],
"previewImagesFileNames": [ "AnomaliesVisualizationWorkbookWhite.png", "AnomaliesVisualizationWorkbookBlack.png" ],
"version": "1.0.0",
"title": "AnomaliesVisulization",
"templateRelativePath": "AnomaliesVisulization.json",
"subtitle": "",
"provider": "Microsoft Sentinel Community"
},
{
"workbookKey": "AnomalyDataWorkbook",
"logoFileName": "",
"description": "A workbook providing details, related Incident, and related Hunting Workbook for a specific Anomaly.",
"dataTypesDependencies": ["Anomalies"],
"dataConnectorsDependencies": [],
"previewImagesFileNames": [ "AnomalyDataWorkbookWhite.png", "AnomalyDataWorkbookBlack.png" ],
"version": "1.0.0",
"title": "AnomalyData",
"templateRelativePath": "AnomalyData.json",
"subtitle": "",
"provider": "Microsoft Sentinel Community"
}
]
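Review bot: `dataTypesDependencies` on both new entries lists only `Anomalies`, but the visualization workbook queries `SecurityIncident` and `SecurityAlert` as well, and AnomalyData additionally queries `HuntingBookmark`; this list presumably drives the gallery's data-availability check, so it should read `"dataTypesDependencies": ["Anomalies", "SecurityIncident", "SecurityAlert"]` for the first entry and add `"HuntingBookmark"` for the second. The `title` and `templateRelativePath` spell the name `AnomaliesVisulization` while the `workbookKey` and description use `AnomaliesVisualization`; the path must match the file actually added in this commit (its file header is not in view here), and the misspelled title will appear in the gallery as written. The second description says "related Hunting Workbook" where the workbook's own section is titled "Related Hunting Bookmarks"; `"description": "A workbook providing details, related Incidents, and related Hunting Bookmarks for a specific Anomaly."` matches the content. The enclosing array begins above the hunk.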