Added Anomaly Visualization Workbook and Anomaly Data workbook (#5226)
* Added Anomaly Visualization Workbook and Anomaly Data workbook * Update Anomalies Visualization to show the latest Anomalies * Update Workbook Metadata dataType dependencies with the Anomalies table * Update workbook keys of the new workbooks
Родитель
25b758a907
Коммит
5f5b87f18d
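--- /dev/null
+++ b/AnomaliesVisulization.json
@@ -0,0 +1,416 @@
+{
+"version": "Notebook/1.0",
+"items": [
+{
+"type": 12,
+"content": {
+"version": "NotebookGroup/1.0",
+"groupType": "editable",
+"title": "Anomaly Summary",
+"items": [
+{
+"type": 3,
+"content": {
+"version": "KqlItem/1.0",
+"query": "SecurityIncident \r\n| mv-expand AlertIds\r\n| extend AlertIds = tostring(AlertIds)\r\n| join \r\n(\r\n SecurityAlert\r\n) on $left.AlertIds == $right.SystemAlertId\r\n| where AlertType == '8ecf8077-cf51-4820-aadd-14040956f35d_212ef723-bb93-4450-8ef5-166c43dc6e57'\r\n| summarize by ProviderIncidentId, TenantId\r\n| count",
+"size": 4,
+"title": "Incidents with Anomalies",
+"timeContext": {
+"durationMs": 2592000000
+},
+"queryType": 0,
+"resourceType": "microsoft.operationalinsights/workspaces",
+"visualization": "tiles",
+"tileSettings": {
+"titleContent": {},
+"leftContent": {
+"columnMatch": "Count",
+"formatter": 3,
+"formatOptions": {
+"palette": "blue"
+}
+},
+"showBorder": false
+}
+},
+"customWidth": "20",
+"name": "query - 4"
+},
+{
+"type": 3,
+"content": {
+"version": "KqlItem/1.0",
+"query": "Anomalies\r\n| count",
+"size": 4,
+"title": "Anomalies",
+"timeContext": {
+"durationMs": 2592000000
+},
+"queryType": 0,
+"resourceType": "microsoft.operationalinsights/workspaces",
+"visualization": "tiles",
+"tileSettings": {
+"titleContent": {},
+"leftContent": {
+"columnMatch": "Count",
+"formatter": 3,
+"formatOptions": {
+"palette": "blue"
+}
+},
+"showBorder": false
+}
+},
+"customWidth": "20",
+"name": "Anomalies"
+},
+{
+"type": 3,
+"content": {
+"version": "KqlItem/1.0",
+"query": "Anomalies\r\n| where tostring(Entities) contains '\"Type\":\"host\"'\r\n| count",
+"size": 4,
+"title": "Anomalies by Host",
+"timeContext": {
+"durationMs": 2592000000
+},
+"queryType": 0,
+"resourceType": "microsoft.operationalinsights/workspaces",
+"visualization": "tiles",
+"tileSettings": {
+"titleContent": {},
+"leftContent": {
+"columnMatch": "Count",
+"formatter": 3,
+"formatOptions": {
+"palette": "blue"
+}
+},
+"showBorder": false
+}
+},
+"customWidth": "20",
+"name": "query - 2"
+},
+{
+"type": 3,
+"content": {
+"version": "KqlItem/1.0",
+"query": "Anomalies\r\n| where tostring(Entities) contains '\"Type\":\"account\"'\r\n| count",
+"size": 4,
+"title": "Anomalies by Account",
+"timeContext": {
+"durationMs": 2592000000
+},
+"queryType": 0,
+"resourceType": "microsoft.operationalinsights/workspaces",
+"visualization": "tiles",
+"tileSettings": {
+"titleContent": {},
+"leftContent": {
+"columnMatch": "Count",
+"formatter": 3,
+"formatOptions": {
+"palette": "blue"
+}
+},
+"showBorder": false
+}
+},
+"customWidth": "20",
+"name": "query - 2 - Copy"
+},
+{
+"type": 3,
+"content": {
+"version": "KqlItem/1.0",
+"query": "Anomalies\r\n| where tostring(Entities) contains '\"Type\":\"ip\"'\r\n| count",
+"size": 4,
+"title": "Anomalies by IP",
+"timeContext": {
+"durationMs": 2592000000
+},
+"queryType": 0,
+"resourceType": "microsoft.operationalinsights/workspaces",
+"visualization": "tiles",
+"tileSettings": {
+"titleContent": {},
+"leftContent": {
+"columnMatch": "Count",
+"formatter": 3,
+"formatOptions": {
+"palette": "blue"
+}
+},
+"showBorder": false
+}
+},
+"customWidth": "20",
+"name": "query - 2 - Copy - Copy"
+}
+]
+},
+"name": "Anomaly Summary"
+},
+{
+"type": 12,
+"content": {
+"version": "NotebookGroup/1.0",
+"groupType": "editable",
+"items": [
+{
+"type": 3,
+"content": {
+"version": "KqlItem/1.0",
+"query": "let incidentIdList = SecurityIncident \r\n| mv-expand AlertIds\r\n| extend AlertIds = tostring(AlertIds)\r\n| join SecurityAlert on $left.AlertIds == $right.SystemAlertId\r\n| where AlertType == '8ecf8077-cf51-4820-aadd-14040956f35d_212ef723-bb93-4450-8ef5-166c43dc6e57'\r\n| summarize by ProviderIncidentId, TenantId;\r\nSecurityIncident\r\n| join kind=innerunique incidentIdList on ProviderIncidentId, TenantId\r\n| project-away ProviderIncidentId1, TenantId1\r\n| project Title, IncidentUrl, TimeGenerated, IncidentName, Description, Severity, Status, Classification, ClassificationComment, ClassificationReason, Owner, ProviderName, ProviderIncidentId, FirstActivityTime, LastActivityTime, FirstModifiedTime, LastModifiedTime, CreatedTime, ClosedTime, IncidentNumber, RelatedAnalyticRuleIds, AlertIds, BookmarkIds, Comments, Labels, AdditionalData, ModifiedBy, SourceSystem\r\n| order by TimeGenerated desc",
+"size": 0,
+"title": "Incidents",
+"timeContext": {
+"durationMs": 2592000000
+},
+"queryType": 0,
+"resourceType": "microsoft.operationalinsights/workspaces",
+"gridSettings": {
+"sortBy": [
+{
+"itemKey": "IncidentName",
+"sortOrder": 2
+}
+]
+},
+"sortBy": [
+{
+"itemKey": "IncidentName",
+"sortOrder": 2
+}
+]
+},
+"customWidth": "50",
+"name": "query - 2"
+},
+{
+"type": 3,
+"content": {
+"version": "KqlItem/1.0",
+"query": "Anomalies \r\n| project TimeGenerated, Id, AnomalyTemplateName, AnomalyTemplateId, AnomalyTemplateVersion, WorkspaceId, VendorName, RuleId, RuleStatus, RuleName, RuleConfigVersion, Score, Description, StartTime, EndTime, ExtendedLinks, Tactics, Techniques, UserName, UserPrincipalName, SourceIpAddress, SourceLocation, SourceDevice, DestinationIpAddress, DestinationLocation, DestinationDevice, ActivityInsights, DeviceInsights, UserInsights, AnomalyReasons, Entities, ExtendedProperties, AnomalyDetails, SourceSystem \r\n| order by TimeGenerated desc",
+"size": 0,
+"title": "Latest Anomalies (Last 7 Days)",
+"timeContext": {
+"durationMs": 604800000
+},
+"queryType": 0,
+"resourceType": "microsoft.operationalinsights/workspaces"
+},
+"customWidth": "50",
+"name": "Latest Anomalies"
+}
+]
+},
+"name": "group - 3"
+},
+{
+"type": 12,
+"content": {
+"version": "NotebookGroup/1.0",
+"groupType": "editable",
+"items": [
+{
+"type": 3,
+"content": {
+"version": "KqlItem/1.0",
+"query": "Anomalies\r\n| extend AnomalyType = AnomalyTemplateName\r\n| summarize count() by AnomalyType\r\n| sort by count_ desc",
+"size": 0,
+"timeContext": {
+"durationMs": 2592000000
+},
+"exportFieldName": "AnomalyType",
+"exportParameterName": "AnomalyType",
+"exportDefaultValue": "*",
+"queryType": 0,
+"resourceType": "microsoft.operationalinsights/workspaces",
+"gridSettings": {
+"filter": true
+}
+},
+"customWidth": "25",
+"name": "query - 0"
+},
+{
+"type": 3,
+"content": {
+"version": "KqlItem/1.0",
+"query": "let AnomalyTypeString_ = trim('\"', '{AnomalyType}');\r\nAnomalies\r\n| where AnomalyTemplateName == iif(AnomalyTypeString_ == '*', AnomalyTemplateName, AnomalyTypeString_)\r\n| summarize count() by bin(TimeGenerated, 1h)",
+"size": 0,
+"title": "Anomalies Trend",
+"timeContext": {
+"durationMs": 2592000000
+},
+"queryType": 0,
+"resourceType": "microsoft.operationalinsights/workspaces",
+"visualization": "areachart"
+},
+"customWidth": "75",
+"name": "query - 2"
+},
+{
+"type": 3,
+"content": {
+"version": "KqlItem/1.0",
+"query": "let AnomalyTypeString_ = trim('\"', '{AnomalyType}');\r\nAnomalies\r\n| where AnomalyTemplateName == iif(AnomalyTypeString_ == '*', AnomalyTemplateName, AnomalyTypeString_)\r\n| extend idParam = strcat('\"id\":', Id)\r\n| sort by Score desc\r\n| project Id, AnomalyTemplateName, Entities, Description, StartTime, EndTime, Score, idParam\r\n",
+"size": 0,
+"timeContext": {
+"durationMs": 2592000000
+},
+"exportedParameters": [
+{
+"fieldName": "Id",
+"parameterName": "AnomalyId",
+"parameterType": 1
+},
+{
+"fieldName": "AnomalyTemplateName",
+"parameterName": "AnomalyTemplateName",
+"parameterType": 1
+},
+{
+"fieldName": "Description",
+"parameterName": "AnomalyDescription",
+"parameterType": 1
+},
+{
+"fieldName": "StartTime",
+"parameterName": "StartTime",
+"parameterType": 1
+}
+],
+"queryType": 0,
+"resourceType": "microsoft.operationalinsights/workspaces",
+"gridSettings": {
+"formatters": [
+{
+"columnMatch": "Id",
+"formatter": 5
+},
+{
+"columnMatch": "AnomalyTemplateName",
+"formatter": 7,
+"formatOptions": {
+"linkTarget": "WorkbookTemplate",
+"linkLabel": "",
+"workbookContext": {
+"componentIdSource": "workbook",
+"resourceIdsSource": "workbook",
+"templateIdSource": "static",
+"templateId": "<PlaceHolder, please update to anomaly data workbook or workbook of choice>",
+"typeSource": "workbook",
+"gallerySource": "workbook",
+"locationSource": "default",
+"passSpecificParams": true,
+"templateParameters": [
+{
+"name": "Id",
+"source": "column",
+"value": "Id"
+},
+{
+"name": "Description",
+"source": "column",
+"value": "Description"
+},
+{
+"name": "AnomalyTemplateName",
+"source": "column",
+"value": "AnomalyTemplateName"
+},
+{
+"name": "StartTime",
+"source": "column",
+"value": "StartTime"
+},
+{
+"name": "EndTime",
+"source": "column",
+"value": "EndTime"
+}
+]
+},
+"bladeOpenContext": {
+"bladeName": "UsageNotebookBlade",
+"extensionName": "AppInsightsExtension",
+"bladeParameters": [
+{
+"name": "ComponentId",
+"source": "static",
+"value": "<PlaceHolder, please update to anomaly data workbook or workbook of choice>"
+},
+{
+"name": "ConfigurationId",
+"source": "static",
+"value": "<PlaceHolder, please update to anomaly data workbook or workbook of choice>"
+},
+{
+"name": "Type",
+"source": "static",
+"value": "sentinel"
+},
+{
+"name": "WorkbookTemplateName",
+"source": "static",
+"value": "Anomaly Data Workbook"
+},
+{
+"name": "NotebookParams",
+"source": "column",
+"value": "idParam"
+}
+]
+}
+}
+},
+{
+"columnMatch": "Description",
+"formatter": 0,
+"formatOptions": {
+"customColumnWidthSetting": "70ch"
+}
+},
+{
+"columnMatch": "EndTime",
+"formatter": 5
+},
+{
+"columnMatch": "Score",
+"formatter": 0,
+"formatOptions": {
+"customColumnWidthSetting": "8ch"
+}
+},
+{
+"columnMatch": "idParam",
+"formatter": 5
+}
+],
+"sortBy": [
+{
+"itemKey": "Score",
+"sortOrder": 2
+}
+]
+},
+"sortBy": [
+{
+"itemKey": "Score",
+"sortOrder": 2
+}
+]
+},
+"name": "query - 1"
+}
+]
+},
+"name": "group - 1"
+}
+],
+"fromTemplateId": "sentinel-AnomaliesVisualizationWorkbook",
+"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
+}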
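Review bot: The "Incidents" grid joins `SecurityIncident` with `kind=innerunique`, which keeps one arbitrary `SecurityIncident` row per `ProviderIncidentId, TenantId`; that table holds a row per incident revision, so the Severity, Status, Owner and Classification an analyst sees here can be a stale snapshot rather than the incident's current state. Collapse to the latest revision before joining: `SecurityIncident\r\n| summarize arg_max(LastModifiedTime, *) by TenantId, ProviderIncidentId\r\n| join kind=inner incidentIdList on ProviderIncidentId, TenantId`. The AnomalyTemplateName link formatter in the last grid still ships `<PlaceHolder, please update to anomaly data workbook or workbook of choice>` as `templateId`, `ComponentId` and `ConfigurationId`, so the drill-down into the Anomaly Data workbook is dead for anyone deploying from the gallery; the companion file declares `"fromTemplateId": "sentinel-AnomalyDataWorkbook"`, which is presumably the intended `templateId`, and if the saved-workbook resource IDs genuinely cannot be known at template time the workbook description should say the link must be edited after deployment. The "Anomalies by Host/Account/IP" tiles filter with `tostring(Entities) contains '"Type":"host"'`, a substring match on serialized JSON that silently returns zero if the serializer ever emits a space after the colon; filtering on the parsed field, `| mv-apply e = Entities on (where tostring(e.Type) =~ 'host' | summarize n = count()) | where n > 0 | count`, keeps the count per anomaly while matching the actual entity type.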
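--- /dev/null
+++ b/AnomalyData.json
@@ -0,0 +1,133 @@
+{
+"version": "Notebook/1.0",
+"items": [
+{
+"type": 9,
+"content": {
+"version": "KqlParameterItem/1.0",
+"parameters": [
+{
+"id": "b4bca4a8-7fef-494e-9dd0-5ccd77fee390",
+"version": "KqlParameterItem/1.0",
+"name": "Id",
+"type": 1,
+"isGlobal": true,
+"timeContext": {
+"durationMs": 86400000
+},
+"value": "85ff04bc-c150-4444-8e2a-48f39679c785"
+},
+{
+"id": "d4383faf-970a-42d3-acbb-29c0445c615b",
+"version": "KqlParameterItem/1.0",
+"name": "AnomalyTemplateName",
+"type": 1,
+"isGlobal": true,
+"timeContext": {
+"durationMs": 86400000
+},
+"value": "(Preview) UEBA Anomalous Account Creation"
+},
+{
+"id": "7fc9760f-8718-47b9-9e00-de6e7da6a6f1",
+"version": "KqlParameterItem/1.0",
+"name": "Description",
+"type": 1,
+"isGlobal": true,
+"value": "91f40573-5825-407e-90ad-32c68bbe5f5d's account Performed a UserManagement action, Add user (490826a1-e130-4d0a-b119-9501012b4bd4@contosohotelb2corgp1.onmicrosoft.com). from quincy, united states From IP address 40.126.26.160 "
+},
+{
+"id": "79c838d7-e4f0-46cb-bf3b-e19c52a75609",
+"version": "KqlParameterItem/1.0",
+"name": "StartTime",
+"type": 1,
+"isGlobal": true,
+"value": "2022-05-19T19:31:20Z"
+},
+{
+"id": "014cb5c1-87ca-4dd7-b081-8877734abc20",
+"version": "KqlParameterItem/1.0",
+"name": "EndTime",
+"type": 1,
+"isGlobal": true,
+"value": "2022-05-19T19:31:20Z"
+}
+],
+"style": "pills",
+"queryType": 0,
+"resourceType": "microsoft.operationalinsights/workspaces"
+},
+"name": "parameters - 5"
+},
+{
+"type": 1,
+"content": {
+"json": "## {AnomalyTemplateName}\r\n\r\n{Description}\r\n\r\n**Start Date**: {StartTime} \r\n**End Date**: {EndTime}"
+},
+"name": "text - 1"
+},
+{
+"type": 3,
+"content": {
+"version": "KqlItem/1.0",
+"query": "Anomalies\r\n| where Id == '{Id}'\r\n| mv-expand Entities\r\n| project Entities\r\n| evaluate bag_unpack(Entities, columnsConflict='replace_source')",
+"size": 1,
+"title": "Entities",
+"timeContext": {
+"durationMs": 2592000000
+},
+"queryType": 0,
+"resourceType": "microsoft.operationalinsights/workspaces"
+},
+"name": "query - 4"
+},
+{
+"type": 3,
+"content": {
+"version": "KqlItem/1.0",
+"query": "Anomalies\r\n| where AnomalyTemplateName == '{AnomalyTemplateName}'\r\n| summarize count() by bin(TimeGenerated, 1h)",
+"size": 0,
+"title": "Anomaly Job Trend",
+"timeContext": {
+"durationMs": 2592000000
+},
+"queryType": 0,
+"resourceType": "microsoft.operationalinsights/workspaces",
+"visualization": "areachart"
+},
+"name": "query - 4"
+},
+{
+"type": 3,
+"content": {
+"version": "KqlItem/1.0",
+"query": "let fusionAlert = SecurityAlert\r\n| extend extendedPropertiesDict = parse_json(ExtendedProperties)\r\n| extend originalSystemAlertId = extendedPropertiesDict['OriginalSystemAlertId']\r\n| where originalSystemAlertId == '{Id}';\r\nlet incidentIdList = SecurityIncident \r\n| mv-expand AlertIds\r\n| extend AlertIds = tostring(AlertIds)\r\n| join fusionAlert on $left.AlertIds == $right.SystemAlertId\r\n| summarize by ProviderIncidentId, TenantId;\r\nSecurityIncident\r\n| join kind=innerunique incidentIdList on ProviderIncidentId, TenantId\r\n| project-away ProviderIncidentId1, TenantId1\r\n| project Title, IncidentUrl, TimeGenerated, IncidentName, Description, Severity, Status, Classification, ClassificationComment, ClassificationReason, Owner, ProviderName, ProviderIncidentId, FirstActivityTime, LastActivityTime, FirstModifiedTime, LastModifiedTime, CreatedTime, ClosedTime, IncidentNumber, RelatedAnalyticRuleIds, AlertIds, BookmarkIds, Comments, Labels, AdditionalData, ModifiedBy, SourceSystem\r\n| order by TimeGenerated desc",
+"size": 0,
+"title": "Related Incidents",
+"timeContext": {
+"durationMs": 2592000000
+},
+"queryType": 0,
+"resourceType": "microsoft.operationalinsights/workspaces"
+},
+"name": "query - 5"
+},
+{
+"type": 3,
+"content": {
+"version": "KqlItem/1.0",
+"query": "let fusionAlert = SecurityAlert\r\n| extend extendedPropertiesDict = parse_json(ExtendedProperties)\r\n| extend originalSystemAlertId = extendedPropertiesDict['OriginalSystemAlertId']\r\n| where originalSystemAlertId == '{Id}';\r\nlet incidentIdList = SecurityIncident \r\n| mv-expand AlertIds\r\n| extend AlertIds = tostring(AlertIds)\r\n| join fusionAlert on $left.AlertIds == $right.SystemAlertId\r\n| summarize by ProviderIncidentId, TenantId;\r\nlet uniqueIncidentIdList = SecurityIncident\r\n| join kind=innerunique incidentIdList on ProviderIncidentId, TenantId;\r\nlet incidentBookmarkIds = uniqueIncidentIdList\r\n| mv-expand BookmarkIds\r\n| project BookmarkId = tostring(BookmarkIds);\r\nHuntingBookmark\r\n| join incidentBookmarkIds on BookmarkId;",
+"size": 0,
+"title": "Related Hunting Bookmarks",
+"timeContext": {
+"durationMs": 2592000000
+},
+"queryType": 0,
+"resourceType": "microsoft.operationalinsights/workspaces"
+},
+"name": "query - 5"
+}
+],
+"fromTemplateId": "sentinel-AnomalyDataWorkbook",
+"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
+}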
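Review bot: The parameter defaults in the "parameters - 5" item bake an identity-shaped sample record into a public template — an account GUID, a UPN under `contosohotelb2corgp1.onmicrosoft.com`, a public IP and a city — and the "text - 1" item renders `{Description}` as markdown, so anyone opening the workbook from the gallery without a drill-down sees that record presented as if it came from their own workspace. Every one of these parameters is populated by the visualization workbook's link, so the defaults should be empty (`"value": ""` for Id, AnomalyTemplateName, Description, StartTime and EndTime), and the text item can carry a `conditionalVisibility` on Id so it stays blank until a drill-down supplies one. Even if the values are synthetic, a tenant name, UPN and IP in a shipped template are exactly what secret/PII scanners flag and what a reader cannot distinguish from a real leak. Separately, "Related Incidents" and "Related Hunting Bookmarks" join `SecurityIncident` with `kind=innerunique`, which picks an arbitrary revision of each incident rather than the latest; `| summarize arg_max(LastModifiedTime, *) by TenantId, ProviderIncidentId` before the join returns the current Status/Owner, and `HuntingBookmark` presumably needs the same de-duplication or an edited bookmark is listed once per revision.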
|
@ -1612,5 +1612,31 @@
|
|||
"templateRelativePath": "microsoftdefenderforidentity.json",
|
||||
"subtitle": "",
|
||||
"provider": "Microsoft Sentinel Community"
|
||||
},
|
||||
{
|
||||
"workbookKey": "AnomaliesVisualizationWorkbook",
|
||||
"logoFileName": "",
|
||||
"description": "A workbook that provides contextual information to a user for better insight on Anomalies and their impact. The workbook will help with investigation of anomalies as well as identify patterns that can lead to a threat.",
|
||||
"dataTypesDependencies": ["Anomalies"],
|
||||
"dataConnectorsDependencies": [],
|
||||
"previewImagesFileNames": [ "AnomaliesVisualizationWorkbookWhite.png", "AnomaliesVisualizationWorkbookBlack.png" ],
|
||||
"version": "1.0.0",
|
||||
"title": "AnomaliesVisulization",
|
||||
"templateRelativePath": "AnomaliesVisulization.json",
|
||||
"subtitle": "",
|
||||
"provider": "Microsoft Sentinel Community"
|
||||
},
|
||||
{
|
||||
"workbookKey": "AnomalyDataWorkbook",
|
||||
"logoFileName": "",
|
||||
"description": "A workbook providing details, related Incident, and related Hunting Workbook for a specific Anomaly.",
|
||||
"dataTypesDependencies": ["Anomalies"],
|
||||
"dataConnectorsDependencies": [],
|
||||
"previewImagesFileNames": [ "AnomalyDataWorkbookWhite.png", "AnomalyDataWorkbookBlack.png" ],
|
||||
"version": "1.0.0",
|
||||
"title": "AnomalyData",
|
||||
"templateRelativePath": "AnomalyData.json",
|
||||
"subtitle": "",
|
||||
"provider": "Microsoft Sentinel Community"
|
||||
}
|
||||
]
|
||||
|
|
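Review bot: `dataTypesDependencies` lists only `Anomalies` for both new entries, but AnomaliesVisulization.json queries `SecurityIncident` and `SecurityAlert` for its incident tile and grid, and AnomalyData.json additionally queries `HuntingBookmark`; this list is presumably what the gallery uses to tell a user which tables the workbook needs, so the entries should read `"dataTypesDependencies": ["Anomalies", "SecurityIncident", "SecurityAlert"]` and `"dataTypesDependencies": ["Anomalies", "SecurityIncident", "SecurityAlert", "HuntingBookmark"]` respectively. The `title` "AnomaliesVisulization" is misspelled; unlike `templateRelativePath`, which has to match the file on disk, the title is only a display name and can be corrected to "Anomalies Visualization". The second description promises "related Hunting Workbook", whereas the workbook's last item is titled "Related Hunting Bookmarks" — `"related Hunting Bookmarks"` is what it delivers. Since the visualization workbook's drill-down link is shipped with placeholder IDs, its description is also the place to state that the link must be pointed at the deployed Anomaly Data workbook after installation.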