Merge pull request #5059 from Azure/v-spadarthi-PackagingCreation-Syslog
Package Creation for Syslog-- DO NOT MERGE AS 1P
6744a2eed2
|
@ -6,6 +6,7 @@ description: |
|
|||
If there are many of hits, especially from outside your network, it could indicate a brute force attack.
|
||||
Default threshold for logon attempts is 15.'
|
||||
severity: Medium
|
||||
status: Available
|
||||
requiredDataConnectors:
|
||||
- connectorId: Syslog
|
||||
dataTypes:
|
|
@ -4,6 +4,7 @@ description: |
|
|||
'Checks for Squid proxy events in Syslog associated with common mining pools .This query presumes the default Squid log format is being used.
|
||||
http://www.squid-cache.org/Doc/config/access_log/'
|
||||
severity: Low
|
||||
status: Available
|
||||
requiredDataConnectors:
|
||||
- connectorId: Syslog
|
||||
dataTypes:
|
|
@ -4,6 +4,7 @@ description: |
|
|||
'Checks for Squid proxy events in Syslog associated with common mining pools .This query presumes the default Squid log format is being used.
|
||||
http://www.squid-cache.org/Doc/config/access_log/'
|
||||
severity: Low
|
||||
status: Available
|
||||
requiredDataConnectors:
|
||||
- connectorId: Syslog
|
||||
dataTypes:
|
|
@ -4,6 +4,7 @@ description: |
|
|||
'Check for Squid proxy events associated with common ToR proxies. This query presumes the default squid log format is being used.
|
||||
http://www.squid-cache.org/Doc/config/access_log/'
|
||||
severity: Low
|
||||
status: Available
|
||||
requiredDataConnectors:
|
||||
- connectorId: Syslog
|
||||
dataTypes:
|
|
@ -3,6 +3,7 @@ name: New internet-exposed SSH endpoints
|
|||
description: |
|
||||
'Looks for SSH endpoints that rarely are accessed from a public IP address, in comparison with their history of sign-ins from private IP addresses.'
|
||||
severity: Medium
|
||||
status: Available
|
||||
requiredDataConnectors:
|
||||
- connectorId: Syslog
|
||||
dataTypes:
|
|
@ -3,6 +3,7 @@ name: SSH - Potential Brute Force
|
|||
description: |
|
||||
'Identifies an IP address that had 15 failed attempts to sign in via SSH in a 4 hour block during a 24 hour time period.'
|
||||
severity: Low
|
||||
status: Available
|
||||
requiredDataConnectors:
|
||||
- connectorId: Syslog
|
||||
dataTypes:
|
|
@ -0,0 +1,107 @@
|
|||
{
|
||||
"id": "Syslog",
|
||||
"title": "Syslog",
|
||||
"publisher": "Microsoft",
|
||||
"descriptionMarkdown": "Syslog is an event logging protocol that is common to Linux. Applications will send messages that may be stored on the local machine or delivered to a Syslog collector. When the Agent for Linux is installed, it configures the local Syslog daemon to forward messages to the agent. The agent then sends the message to the workspace.\n\n[Learn more >](https://aka.ms/sysLogInfo)",
|
||||
"graphQueries": [
|
||||
{
|
||||
"metricName": "Total data received",
|
||||
"legend": "Syslog",
|
||||
"baseQuery": "Syslog"
|
||||
}
|
||||
],
|
||||
"sampleQueries": [
|
||||
{
|
||||
"description": "Last 1000 generated events",
|
||||
"query": "Syslog\n | top 1000 by TimeGenerated"
|
||||
},
|
||||
{
|
||||
"description": "All events by facility except for cron",
|
||||
"query": "Syslog\n | summarize count() by Facility | where Facility != \"cron\""
|
||||
}
|
||||
],
|
||||
"connectivityCriterias": [
|
||||
{
|
||||
"type": "IsConnectedQuery",
|
||||
"value": [
|
||||
"Syslog\n | where TimeGenerated > ago(3d)\n |take 1\n | project IsConnected = true"
|
||||
]
|
||||
}
|
||||
],
|
||||
"dataTypes": [
|
||||
{
|
||||
"name": "Syslog",
|
||||
"lastDataReceivedQuery": "Syslog\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
|
||||
}
|
||||
],
|
||||
"availability": {
|
||||
"status": 1,
|
||||
"isPreview": false
|
||||
},
|
||||
"permissions": {
|
||||
"resourceProvider": [
|
||||
{
|
||||
"provider": "Microsoft.OperationalInsights/workspaces",
|
||||
"permissionsDisplayText": "write permission.",
|
||||
"providerDisplayName": "Workspace",
|
||||
"scope": "Workspace",
|
||||
"requiredPermissions": {
|
||||
"write": true,
|
||||
"delete": true
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
"instructionSteps": [
|
||||
{
|
||||
"title": "1. Install and onboard the agent for Linux",
|
||||
"description": "Typically, you should install the agent on a different computer from the one on which the logs are generated.\n\n> Syslog logs are collected only from **Linux** agents.",
|
||||
"instructions": [
|
||||
{
|
||||
"parameters": {
|
||||
"title": "Choose where to install the agent:",
|
||||
"instructionSteps": [
|
||||
{
|
||||
"title": "Install agent on Azure Linux Virtual Machine",
|
||||
"description": "Select the machine to install the agent on and then click **Connect**.",
|
||||
"instructions": [
|
||||
{
|
||||
"parameters": {
|
||||
"linkType": "InstallAgentOnLinuxVirtualMachine"
|
||||
},
|
||||
"type": "InstallAgent"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"title": "Install agent on a non-Azure Linux Machine",
|
||||
"description": "Download the agent on the relevant machine and follow the instructions.",
|
||||
"instructions": [
|
||||
{
|
||||
"parameters": {
|
||||
"linkType": "InstallAgentOnLinuxNonAzure"
|
||||
},
|
||||
"type": "InstallAgent"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
},
|
||||
"type": "InstructionStepsGroup"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"title": "2. Configure the logs to be collected",
|
||||
"description": "Configure the facilities you want to collect and their severities.\n\n1. Select the link below to open your workspace **agents configuration**, and select the **Syslog** tab.\n2. Select **Add facility** and choose from the drop-down list of facilities. Repeat for all the facilities you want to add.\n3. Mark the check boxes for the desired severities for each facility.\n4. Click **Apply**.",
|
||||
"instructions": [
|
||||
{
|
||||
"parameters": {
|
||||
"linkType": "OpenSyslogSettings"
|
||||
},
|
||||
"type": "InstallAgent"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
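Review bot: `"permissionsDisplayText": "write permission."` under `permissions.resourceProvider` under-states what `requiredPermissions` actually declares, which is both `"write": true` and `"delete": true`, so the connector blade will tell the user they need less than the template enforces. Either drop `"delete": true` if deleting workspace resources is not genuinely needed to set up this connector, or align the text with `"permissionsDisplayText": "write and delete permissions."`. Separately, `"status": 1` under `availability` is a bare magic integer with no symbolic form available in JSON; if the connector schema defines what 1 means, a line in the solution README stating it would save the next reviewer a lookup.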
|
|
@ -0,0 +1,42 @@
|
|||
{
|
||||
"Name": "Syslog",
|
||||
"Author": "Microsoft - support@microsoft.com",
|
||||
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">",
|
||||
"Description": "The Syslog solution allows you to ingest events from applications or appliances that generate and can forward logs in the Syslog format to a Syslog Forwarder. The Agent for Linux is then able to forward these logs to the Log Analytics/Microsoft Sentinel workspace.",
|
||||
"Data Connectors": [
|
||||
"Data Connectors/template_Syslog.json"
|
||||
],
|
||||
"Workbooks": [
|
||||
"Workbooks/LinuxMachines.json"
|
||||
],
|
||||
"Analytic Rules": [
|
||||
"Analytic Rules/FailedLogonAttempts_UnknownUser.yaml",
|
||||
"Analytic Rules/NRT_squid_events_for_mining_pools.yaml",
|
||||
"Analytic Rules/squid_cryptomining_pools.yaml",
|
||||
"Analytic Rules/squid_tor_proxies.yaml",
|
||||
"Analytic Rules/ssh_NewlyInternetExposed.yaml",
|
||||
"Analytic Rules/ssh_potentialBruteForce.yaml"
|
||||
],
|
||||
"Hunting Queries": [
|
||||
"Hunting Queries/Apache_log4j_Vulnerability.yaml",
|
||||
"Hunting Queries/Base64_Download_Activity.yaml",
|
||||
"Hunting Queries/Container_Miner_Activity.yaml",
|
||||
"Hunting Queries/CryptoCurrencyMiners.yaml",
|
||||
"Hunting Queries/Firewall_Disable_Activity.yaml",
|
||||
"Hunting Queries/Linux_Toolkit_Detected.yaml",
|
||||
"Hunting Queries/Process_Termination_Activity.yaml",
|
||||
"Hunting Queries/SCXExecuteRunAsProviders.yaml",
|
||||
"Hunting Queries/RareProcess_ForLxHost.yaml",
|
||||
"Hunting Queries/SchedTaskAggregation.yaml",
|
||||
"Hunting Queries/SchedTaskEditViaCrontab.yaml",
|
||||
"Hunting Queries/Suspicious_ShellScript_Activity.yaml",
|
||||
"Hunting Queries/squid_abused_tlds.yaml",
|
||||
"Hunting Queries/squid_malformed_requests.yaml",
|
||||
"Hunting Queries/squid_volume_anomalies.yaml"
|
||||
],
|
||||
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Syslog",
|
||||
"Version": "2.0.0",
|
||||
"Metadata": "SolutionMetadata.json",
|
||||
"TemplateSpec": true,
|
||||
"Is1PConnector": true
|
||||
}
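Review bot: `"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Syslog"` is an absolute path from one contributor's Windows checkout, so the packaging tool that consumes this manifest only resolves the listed `Data Connectors`, `Workbooks`, `Analytic Rules` and `Hunting Queries` entries on that machine; any other contributor or CI runner must edit the file before building. A repository-relative value along the lines of `"BasePath": "Solutions/Syslog"` (confirm the form the packaging tooling accepts) would make the build reproducible. The final property `"Is1PConnector": true` also contradicts the PR title "DO NOT MERGE AS 1P"; if the intent is that this solution is not shipped as a first-party connector, the flag needs to be `false` before merge, otherwise the title should be updated so the two agree.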
|
|
@ -0,0 +1,459 @@
|
|||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
|
||||
"handler": "Microsoft.Azure.CreateUIDef",
|
||||
"version": "0.1.2-preview",
|
||||
"parameters": {
|
||||
"config": {
|
||||
"isWizard": false,
|
||||
"basics": {
|
||||
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe Syslog solution allows you to ingest events from applications or appliances that generate and can forward logs in the Syslog format to a Syslog Forwarder. The Agent for Linux is then able to forward these logs to the Log Analytics/Microsoft Sentinel workspace.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n\r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\n a. [Agent based logs collection from Windows and Linux machines ](https://docs.microsoft.com/azure/azure-monitor/agents/data-sources-custom-logs)\r\n\n\r\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 6, **Hunting Queries:** 15\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
|
||||
"subscription": {
|
||||
"resourceProviders": [
|
||||
"Microsoft.OperationsManagement/solutions",
|
||||
"Microsoft.OperationalInsights/workspaces/providers/alertRules",
|
||||
"Microsoft.Insights/workbooks",
|
||||
"Microsoft.Logic/workflows"
|
||||
]
|
||||
},
|
||||
"location": {
|
||||
"metadata": {
|
||||
"hidden": "Hiding location, we get it from the log analytics workspace"
|
||||
},
|
||||
"visible": false
|
||||
},
|
||||
"resourceGroup": {
|
||||
"allowExisting": true
|
||||
}
|
||||
}
|
||||
},
|
||||
"basics": [
|
||||
{
|
||||
"name": "getLAWorkspace",
|
||||
"type": "Microsoft.Solutions.ArmApiControl",
|
||||
"toolTip": "This filters by workspaces that exist in the Resource Group selected",
|
||||
"condition": "[greater(length(resourceGroup().name),0)]",
|
||||
"request": {
|
||||
"method": "GET",
|
||||
"path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "workspace",
|
||||
"type": "Microsoft.Common.DropDown",
|
||||
"label": "Workspace",
|
||||
"placeholder": "Select a workspace",
|
||||
"toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
|
||||
"constraints": {
|
||||
"allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
|
||||
"required": true
|
||||
},
|
||||
"visible": true
|
||||
}
|
||||
],
|
||||
"steps": [
|
||||
{
|
||||
"name": "dataconnectors",
|
||||
"label": "Data Connectors",
|
||||
"bladeTitle": "Data Connectors",
|
||||
"elements": [
|
||||
{
|
||||
"name": "dataconnectors1-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This solution installs the data connector that can help ingest Events in the Syslog format into Microsoft Sentinel. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "dataconnectors-link2",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"link": {
|
||||
"label": "Learn more about connecting data sources",
|
||||
"uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
|
||||
}
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"name": "workbooks",
|
||||
"label": "Workbooks",
|
||||
"subLabel": {
|
||||
"preValidation": "Configure the workbooks",
|
||||
"postValidation": "Done"
|
||||
},
|
||||
"bladeTitle": "Workbooks",
|
||||
"elements": [
|
||||
{
|
||||
"name": "workbooks-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This solution installs workbook to help you gain insights into the telemetry collected in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view. "
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "workbooks-link",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"link": {
|
||||
"label": "Learn more",
|
||||
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data"
|
||||
}
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"name": "analytics",
|
||||
"label": "Analytics",
|
||||
"subLabel": {
|
||||
"preValidation": "Configure the analytics",
|
||||
"postValidation": "Done"
|
||||
},
|
||||
"bladeTitle": "Analytics",
|
||||
"elements": [
|
||||
{
|
||||
"name": "analytics-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view."
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "analytics-link",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"link": {
|
||||
"label": "Learn more",
|
||||
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "analytic1",
|
||||
"type": "Microsoft.Common.Section",
|
||||
"label": "Failed logon attempts in authpriv",
|
||||
"elements": [
|
||||
{
|
||||
"name": "analytic1-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "Identifies failed logon attempts from unknown users in Syslog authpriv logs. The unknown user means the account that tried to log in \nisn't provisioned on the machine. A few hits could indicate someone attempting to access a machine they aren't authorized to access. \nIf there are many of hits, especially from outside your network, it could indicate a brute force attack. \nDefault threshold for logon attempts is 15."
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"name": "analytic2",
|
||||
"type": "Microsoft.Common.Section",
|
||||
"label": "NRT Squid proxy events related to mining pools",
|
||||
"elements": [
|
||||
{
|
||||
"name": "analytic2-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "Checks for Squid proxy events in Syslog associated with common mining pools .This query presumes the default Squid log format is being used.\n http://www.squid-cache.org/Doc/config/access_log/"
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"name": "analytic3",
|
||||
"type": "Microsoft.Common.Section",
|
||||
"label": "Squid proxy events related to mining pools",
|
||||
"elements": [
|
||||
{
|
||||
"name": "analytic3-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "Checks for Squid proxy events in Syslog associated with common mining pools .This query presumes the default Squid log format is being used. \n http://www.squid-cache.org/Doc/config/access_log/"
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"name": "analytic4",
|
||||
"type": "Microsoft.Common.Section",
|
||||
"label": "Squid proxy events for ToR proxies",
|
||||
"elements": [
|
||||
{
|
||||
"name": "analytic4-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "Check for Squid proxy events associated with common ToR proxies. This query presumes the default squid log format is being used.\nhttp://www.squid-cache.org/Doc/config/access_log/"
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"name": "analytic5",
|
||||
"type": "Microsoft.Common.Section",
|
||||
"label": "New internet-exposed SSH endpoints",
|
||||
"elements": [
|
||||
{
|
||||
"name": "analytic5-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "Looks for SSH endpoints that rarely are accessed from a public IP address, in comparison with their history of sign-ins from private IP addresses."
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"name": "analytic6",
|
||||
"type": "Microsoft.Common.Section",
|
||||
"label": "SSH - Potential Brute Force",
|
||||
"elements": [
|
||||
{
|
||||
"name": "analytic6-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "Identifies an IP address that had 15 failed attempts to sign in via SSH in a 4 hour block during a 24 hour time period."
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"name": "huntingqueries",
|
||||
"label": "Hunting Queries",
|
||||
"bladeTitle": "Hunting Queries",
|
||||
"elements": [
|
||||
{
|
||||
"name": "huntingqueries-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This solution installs the following hunting queries. After installing the solution, run these hunting queries to hunt for threats in Manage solution view. "
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "huntingqueries-link",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"link": {
|
||||
"label": "Learn more",
|
||||
"uri": "https://docs.microsoft.com/azure/sentinel/hunting"
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "huntingquery1",
|
||||
"type": "Microsoft.Common.Section",
|
||||
"label": "Possible exploitation of Apache log4j component detected",
|
||||
"elements": [
|
||||
{
|
||||
"name": "huntingquery1-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This hunting query looks for possible attempts to exploit a remote code execution vulnerability in the Log4j component of Apache. \nAttackers may attempt to launch arbitrary code by passing specific commands to a server, which are then logged and executed by the Log4j component.\nFor more details on Apache Log4j Remote Code Execution Vulnerability - https://community.riskiq.com/article/505098fc/description\nFind more details on collecting EXECVE data into Microsoft Sentinel - https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-threats-on-linux-with-azure-sentinel/ba-p/1344431 It depends on the Syslog data connector and Syslog data type and Syslog parser."
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"name": "huntingquery2",
|
||||
"type": "Microsoft.Common.Section",
|
||||
"label": "Suspicious Base64 download activity detected",
|
||||
"elements": [
|
||||
{
|
||||
"name": "huntingquery2-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This hunting query will help detect suspicious encoded Base64 obfuscated scripts that attackers use to encode payloads for downloading and executing malicious files.\nThis technique is often used by attackers and was recently used to exploit a remote code execution vulnerability in the Log4j component of Apache in order to evade detection and stay persistent in the network.\nFor more details on Apache Log4j Remote Code Execution Vulnerability - https://community.riskiq.com/article/505098fc/description\nFind more details on collecting EXECVE data into Microsoft Sentinel - https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-threats-on-linux-with-azure-sentinel/ba-p/1344431 It depends on the Syslog data connector and Syslog data type and Syslog parser."
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"name": "huntingquery3",
|
||||
"type": "Microsoft.Common.Section",
|
||||
"label": "Possible Container Miner related artifacts detected",
|
||||
"elements": [
|
||||
{
|
||||
"name": "huntingquery3-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This query uses syslog data to alert on possible artifacts associated with container running image related to digital cryptocurrency mining.\nAttackers may perform such operations post compromise as seen after CVE-2021-44228 log4j vulnerability exploitation to scope and prioritize post-compromise objectives.\nFor more details on Apache Log4j Remote Code Execution Vulnerability - https://community.riskiq.com/article/505098fc/description\nFind more details on collecting EXECVE data into Microsoft Sentinel - https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-threats-on-linux-with-azure-sentinel/ba-p/1344431 It depends on the Syslog data connector and Syslog data type and Syslog parser."
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"name": "huntingquery4",
|
||||
"type": "Microsoft.Common.Section",
|
||||
"label": "Crypto currency miners EXECVE",
|
||||
"elements": [
|
||||
{
|
||||
"name": "huntingquery4-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This query hunts through EXECVE syslog data generated by AUOMS to find instances of crypto currency miners being\ndownloaded. It returns a table of suspicious command lines.\nFind more details on collecting EXECVE data into Microsoft Sentinel - https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-threats-on-linux-with-azure-sentinel/ba-p/1344431 It depends on the Syslog data connector and Syslog data type and Syslog parser."
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"name": "huntingquery5",
|
||||
"type": "Microsoft.Common.Section",
|
||||
"label": "Suspicious manipulation of firewall detected via Syslog data",
|
||||
"elements": [
|
||||
{
|
||||
"name": "huntingquery5-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This query uses syslog data to alert on any suspicious manipulation of firewall to evade defenses.\nAttackers often perform such operation as seen recently to exploit the remote code execution vulnerability in Log4j component of Apache for C2 communications or exfiltration.\nFor more details on Apache Log4j Remote Code Execution Vulnerability - https://community.riskiq.com/article/505098fc/description\nFind more details on collecting EXECVE data into Microsoft Sentinel - https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-threats-on-linux-with-azure-sentinel/ba-p/1344431 It depends on the Syslog data connector and Syslog data type and Syslog parser."
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"name": "huntingquery6",
|
||||
"type": "Microsoft.Common.Section",
|
||||
"label": "Possible Linux attack toolkit detected via Syslog data",
|
||||
"elements": [
|
||||
{
|
||||
"name": "huntingquery6-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This query uses syslog data to alert on any attack toolkits associated with massive scanning or exploitation attempts against a known vulnerability.\nAttackers may perform such operations as seen recently to exploit the remote code execution vulnerability in Log4j component of Apache to scope and prioritize post-compromise objectives.\nFor more details on Apache Log4j Remote Code Execution Vulnerability - https://community.riskiq.com/article/505098fc/description\nFind more details on collecting EXECVE data into Microsoft Sentinel - https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-threats-on-linux-with-azure-sentinel/ba-p/1344431 It depends on the Syslog data connector and Syslog data type and Syslog parser."
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"name": "huntingquery7",
|
||||
"type": "Microsoft.Common.Section",
|
||||
"label": "Linux security related process termination activity detected",
|
||||
"elements": [
|
||||
{
|
||||
"name": "huntingquery7-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This query will alert on any attempts to terminate processes related to security monitoring on the host. \nAttackers will often try to terminate such processes post-compromise as seen recently to exploit the remote code execution vulnerability in Log4j component of Apache.\nFor more details on Apache Log4j Remote Code Execution Vulnerability - https://community.riskiq.com/article/505098fc/description\nFind more details on collecting EXECVE data into Microsoft Sentinel - https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-threats-on-linux-with-azure-sentinel/ba-p/1344431 It depends on the Syslog data connector and Syslog data type and Syslog parser."
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"name": "huntingquery8",
|
||||
"type": "Microsoft.Common.Section",
|
||||
"label": "SCX Execute RunAs Providers",
|
||||
"elements": [
|
||||
{
|
||||
"name": "huntingquery8-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This hunting query uses security events from the Microsoft Audit Collection Tool (AUOMS) collected via the Microsoft Sentinel Syslog data connector to explore the use of SCX Execute RunAs providers.\nExecute RunAs providers such as the ExecuteShellCommand and ExecuteScript can be used to execute any UNIX/Linux command and script respectively using the /bin/sh shell.\nExecution occurs from the /var/opt/microsoft/scx/tmp directory and depending on the execution RunAs provider, execution can be a command or a script.\nIf the ExecuteScript RunAs provider is used, then the script file is created in the following directory /bin/sh /etc/opt/microsoft/scx/conf/tmpdir/ with the prefix scx (e.g. scxzOy96).\nSCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager. Microsoft Azure, and Microsoft Operations Management Suite. \n It depends on the Syslog data connector and Syslog data type and Syslog parser."
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"name": "huntingquery9",
|
||||
"type": "Microsoft.Common.Section",
|
||||
"label": "Rare process running on a Linux host",
|
||||
"elements": [
|
||||
{
|
||||
"name": "huntingquery9-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "Looks for rare processes that are running on Linux hosts. Looks for process seen less than 14 times in last 7 days,\n or observed rate is less than 1% of of the average for the environment and fewer than 100. It depends on the Syslog data connector and Syslog data type and Syslog parser."
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"name": "huntingquery10",
|
||||
"type": "Microsoft.Common.Section",
|
||||
"label": "Linux scheduled task Aggregation",
|
||||
"elements": [
|
||||
{
|
||||
"name": "huntingquery10-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This query aggregates information about all of the scheduled tasks (Cron jobs) and presents the data in a chart.\nThe aggregation is done based on unique user-commandline pairs. It returns how many times a command line has\nbeen run from a particular user, how many computers that pair has run on, and what percentage that is of the\ntotal number of computers in the tenant. It depends on the Syslog data connector and Syslog data type and Syslog parser."
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"name": "huntingquery11",
|
||||
"type": "Microsoft.Common.Section",
|
||||
"label": "Editing Linux scheduled tasks through Crontab",
|
||||
"elements": [
|
||||
{
|
||||
"name": "huntingquery11-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This query shows when users have edited or replaced the scheduled tasks using crontab. The events are bucketed into 10 minute intervals \nand all the actions that a particular used took are collected into the List of Actions. Default query is for seven days. It depends on the Syslog data connector and Syslog data type and Syslog parser."
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"name": "huntingquery12",
|
||||
"type": "Microsoft.Common.Section",
|
||||
"label": "Suspicious Shell script detected",
|
||||
"elements": [
|
||||
{
|
||||
"name": "huntingquery12-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This hunting query will help detect post compromise suspicious shell scripts that attackers use for downloading and executing malicious files.\nThis technique is often used by attackers and was recently used to exploit a remote code execution vulnerability in the Log4j component of Apache in order to evade detection and stay persistent or for more exploitation in the network.\nFor more details on Apache Log4j Remote Code Execution Vulnerability - https://community.riskiq.com/article/505098fc/description\nFind more details on collecting EXECVE data into Microsoft Sentinel - https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-threats-on-linux-with-azure-sentinel/ba-p/1344431 It depends on the Syslog data connector and Syslog data type and Syslog parser."
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"name": "huntingquery13",
|
||||
"type": "Microsoft.Common.Section",
|
||||
"label": "Squid commonly abused TLDs",
|
||||
"elements": [
|
||||
{
|
||||
"name": "huntingquery13-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "Some top level domains (TLDs) are more commonly associated with malware for a range of reasons - including how easy domains on these TLDs are to obtain. \nMany of these may be undesirable from an enterprise policy perspective. The clientCount column provides an initial insight into how widespread the domain \nusage is across the estate. This query presumes the default squid log format is being used. http://www.squid-cache.org/Doc/config/access_log/ It depends on the Syslog data connector and Syslog data type and Syslog parser."
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"name": "huntingquery14",
|
||||
"type": "Microsoft.Common.Section",
|
||||
"label": "Squid malformed requests",
|
||||
"elements": [
|
||||
{
|
||||
"name": "huntingquery14-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "Malformed web requests are sometimes used for reconnaissance to detect the presence of network security devices.\nHunting for a large number of requests from a single source may assist in locating compromised hosts. Note: internal sites may\nbe detected by this query and may need excluding on a individual basis. This query presumes the default squid log format is\nbeing used. It depends on the Syslog data connector and Syslog data type and Syslog parser."
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"name": "huntingquery15",
|
||||
"type": "Microsoft.Common.Section",
|
||||
"label": "Squid data volume timeseries anomalies",
|
||||
"elements": [
|
||||
{
|
||||
"name": "huntingquery15-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "Malware infections or data exfiltration activity often leads to anomalies in network data volume\nthis hunting query looks for anomalies in the volume of bytes traversing a squid proxy. Anomalies require further\ninvestigation to determine cause. This query presumes the default squid log format is being used. It depends on the Syslog data connector and Syslog data type and Syslog parser."
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"outputs": {
|
||||
"workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
|
||||
"location": "[location()]",
|
||||
"workspace": "[basics('workspace')]"
|
||||
}
|
||||
}
|
||||
}
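Review bot: The workspace dropdown's `allowedValues` filter, `contains(toLower(filter.id), toLower(resourceGroup().name))`, is a substring match on the whole resource ID, so a resource group named e.g. `rg` also admits workspaces from `rg-prod` or `my-rg`, and the `workspace-location` output applies the same filter before taking `first(...)`, so a same-named workspace in another group can supply the wrong location. Matching the resource-group segment of the ID exactly closes this: `contains(toLower(filter.id), concat('/resourcegroups/', toLower(resourceGroup().name), '/'))` in both places. The `parse(concat('{\"label\":\"', item.name, ...))` expression builds JSON by string concatenation from workspace names; that holds only while workspace naming rules exclude quotes and backslashes, which is presumably the case today but is worth recording in the solution README since JSON cannot carry a comment. Lastly, `"Microsoft.Logic/workflows"` is listed under `resourceProviders` although the solution declares no playbooks, so it can likely be dropped from the registration list.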
|
|
@ -0,0 +1,20 @@
|
|||
{
|
||||
"publisherId": "azuresentinel",
|
||||
"offerId": "azure-sentinel-solution-syslog",
|
||||
"firstPublishDate": "2022-05-23",
|
||||
"providers": ["Microsoft"],
|
||||
"categories": {
|
||||
"domains" : ["IT Operations"],
|
||||
"verticals": []
|
||||
},
|
||||
"support": {
|
||||
"name": "Microsoft Corporation",
|
||||
"email": "support@microsoft.com",
|
||||
"tier": "Microsoft",
|
||||
"link": "https://support.microsoft.com"
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
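Review bot: `"domains" : ["IT Operations"]` puts a space before the colon while every other key in this hunk uses `"key": value`, and the hunk's last four lines are blank, so the file ends with several empty lines instead of a single trailing newline; normalize to `"domains": ["IT Operations"],` and one final newline so the file matches the other JSON in the package. The `"verticals": []` entry is fine as an empty array for a consumer that iterates it, but since strict JSON allows no comments, if the packaging tooling gives an empty list a specific meaning that should be stated in the PR description rather than in the file. The file path is not shown on this page, so I am reading the hunk as the solution metadata file by its keys.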
|
@ -1,392 +1,392 @@
|
|||
{
|
||||
"version": "Notebook/1.0",
|
||||
"items": [
|
||||
{
|
||||
"type": 1,
|
||||
"content": {
|
||||
"json": "## Linux Machines"
|
||||
},
|
||||
"name": "text - 0"
|
||||
},
|
||||
{
|
||||
"type": 9,
|
||||
"content": {
|
||||
"version": "KqlParameterItem/1.0",
|
||||
"query": "",
|
||||
"crossComponentResources": [],
|
||||
"parameters": [
|
||||
{
|
||||
"id": "1025a43d-241c-4e40-95dc-c9eb9c789bc5",
|
||||
"version": "KqlParameterItem/1.0",
|
||||
"name": "TimeRange",
|
||||
"type": 4,
|
||||
"isRequired": true,
|
||||
"value": {
|
||||
"durationMs": 1209600000
|
||||
},
|
||||
"typeSettings": {
|
||||
"selectableValues": [
|
||||
{
|
||||
"durationMs": 300000
|
||||
},
|
||||
{
|
||||
"durationMs": 900000
|
||||
},
|
||||
{
|
||||
"durationMs": 1800000
|
||||
},
|
||||
{
|
||||
"durationMs": 3600000
|
||||
},
|
||||
{
|
||||
"durationMs": 14400000
|
||||
},
|
||||
{
|
||||
"durationMs": 43200000
|
||||
},
|
||||
{
|
||||
"durationMs": 86400000
|
||||
},
|
||||
{
|
||||
"durationMs": 172800000
|
||||
},
|
||||
{
|
||||
"durationMs": 259200000
|
||||
},
|
||||
{
|
||||
"durationMs": 604800000
|
||||
},
|
||||
{
|
||||
"durationMs": 1209600000
|
||||
},
|
||||
{
|
||||
"durationMs": 2419200000
|
||||
},
|
||||
{
|
||||
"durationMs": 2592000000
|
||||
},
|
||||
{
|
||||
"durationMs": 5184000000
|
||||
},
|
||||
{
|
||||
"durationMs": 7776000000
|
||||
}
|
||||
],
|
||||
"allowCustom": true
|
||||
}
|
||||
},
|
||||
{
|
||||
"id": "bc241870-7874-4927-8c74-d17e747522b1",
|
||||
"version": "KqlParameterItem/1.0",
|
||||
"name": "Computer",
|
||||
"type": 5,
|
||||
"isRequired": true,
|
||||
"multiSelect": true,
|
||||
"quote": "'",
|
||||
"delimiter": ",",
|
||||
"query": "Syslog\r\n| summarize syslogEventsCount = count() by Computer\r\n| sort by syslogEventsCount desc\r\n| project Computer\r\n",
|
||||
"value": [
|
||||
"value::all"
|
||||
],
|
||||
"typeSettings": {
|
||||
"additionalResourceOptions": [
|
||||
"value::all"
|
||||
],
|
||||
"selectAllValue": "All"
|
||||
},
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces"
|
||||
},
|
||||
{
|
||||
"id": "e073f36e-2fb5-421d-9099-217205b247f5",
|
||||
"version": "KqlParameterItem/1.0",
|
||||
"name": "Severity",
|
||||
"type": 2,
|
||||
"isRequired": true,
|
||||
"multiSelect": true,
|
||||
"quote": "'",
|
||||
"delimiter": ",",
|
||||
"value": [
|
||||
"value::all"
|
||||
],
|
||||
"typeSettings": {
|
||||
"additionalResourceOptions": [
|
||||
"value::all"
|
||||
],
|
||||
"selectAllValue": "*"
|
||||
},
|
||||
"jsonData": "[\"Emergency\", \"Alert\", \"Critical\", \"Error\", \"Warning\", \"Notice\", \"Informational\", \"Debug\"]",
|
||||
"timeContext": {
|
||||
"durationMs": 0
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange"
|
||||
}
|
||||
],
|
||||
"style": "pills",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces"
|
||||
},
|
||||
"name": "parameters - 1"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "Syslog\r\n| summarize count() by SeverityLevel\r\n| extend severityNumber = iif(SeverityLevel == 'emerg' or SeverityLevel == 'panic', 0, iif(SeverityLevel == 'alert', 1, iif(SeverityLevel == 'crit', 2, iif(SeverityLevel == 'err' or SeverityLevel == 'error', 3, iif(SeverityLevel == 'warning' or SeverityLevel == 'warn', 4, iif(SeverityLevel == 'notice', 5, iif(SeverityLevel == 'info', 6, iif(SeverityLevel == 'debug', 7, 8))))))))\r\n| sort by severityNumber asc\r\n| extend Severity = iif(SeverityLevel == 'emerg' or SeverityLevel == 'panic', 'Emergency', iif(SeverityLevel == 'alert', 'Alert', iif(SeverityLevel == 'crit', 'Critical', iif(SeverityLevel == 'err' or SeverityLevel == 'error', 'Error', iif(SeverityLevel == 'warning' or SeverityLevel == 'warn', 'Warning', iif(SeverityLevel == 'notice', 'Notice', iif(SeverityLevel == 'info', 'Informational', iif(SeverityLevel == 'debug', 'Debug', 'Unknown'))))))))\r\n| project-away severityNumber\r\n| where \"*\" in ({Severity}) or Severity in ({Severity})\r\n",
|
||||
"size": 4,
|
||||
"exportToExcelOptions": "visible",
|
||||
"timeContext": {
|
||||
"durationMs": 0
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "tiles",
|
||||
"tileSettings": {
|
||||
"titleContent": {
|
||||
"columnMatch": "SeverityLevel",
|
||||
"formatter": 1,
|
||||
"formatOptions": {
|
||||
"showIcon": true
|
||||
}
|
||||
},
|
||||
"leftContent": {
|
||||
"columnMatch": "count_",
|
||||
"formatter": 12,
|
||||
"formatOptions": {
|
||||
"palette": "hotCold",
|
||||
"showIcon": true
|
||||
},
|
||||
"numberFormat": {
|
||||
"unit": 17,
|
||||
"options": {
|
||||
"style": "decimal",
|
||||
"maximumFractionDigits": 2,
|
||||
"maximumSignificantDigits": 3
|
||||
}
|
||||
}
|
||||
},
|
||||
"showBorder": false,
|
||||
"sortOrderField": 2
|
||||
}
|
||||
},
|
||||
"name": "query - 2"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "Syslog\r\n| where \"{Computer:lable}\" == \"All\" or Computer in ({Computer})\r\n| extend Severity = iif(SeverityLevel == 'emerg' or SeverityLevel == 'panic', 'Emergency', iif(SeverityLevel == 'alert', 'Alert', iif(SeverityLevel == 'crit', 'Critical', iif(SeverityLevel == 'err' or SeverityLevel == 'error', 'Error', iif(SeverityLevel == 'warning' or SeverityLevel == 'warn', 'Warning', iif(SeverityLevel == 'notice', 'Notice', iif(SeverityLevel == 'info', 'Informational', iif(SeverityLevel == 'debug', 'Debug', 'Unknown'))))))))\r\n| where \"*\" in ({Severity}) or Severity in ({Severity})\r\n| where SeverityLevel in (\"emerg\")\r\n| summarize count() by Computer, TimeGenerated\r\n",
|
||||
"size": 1,
|
||||
"exportToExcelOptions": "visible",
|
||||
"title": "\"Emergency\" level events, by computer",
|
||||
"noDataMessage": "No emergency events within the defined scope",
|
||||
"timeContext": {
|
||||
"durationMs": 0
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "timechart"
|
||||
},
|
||||
"customWidth": "33",
|
||||
"name": "query - 2 - Copy"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "Syslog\r\n| where \"{Computer:lable}\" == \"All\" or Computer in ({Computer})\r\n| extend Severity = iif(SeverityLevel == 'emerg' or SeverityLevel == 'panic', 'Emergency', iif(SeverityLevel == 'alert', 'Alert', iif(SeverityLevel == 'crit', 'Critical', iif(SeverityLevel == 'err' or SeverityLevel == 'error', 'Error', iif(SeverityLevel == 'warning' or SeverityLevel == 'warn', 'Warning', iif(SeverityLevel == 'notice', 'Notice', iif(SeverityLevel == 'info', 'Informational', iif(SeverityLevel == 'debug', 'Debug', 'Unknown'))))))))\r\n| where \"*\" in ({Severity}) or Severity in ({Severity})\r\n| where SeverityLevel in (\"crit\")\r\n| summarize count() by Computer, TimeGenerated\r\n",
|
||||
"size": 1,
|
||||
"exportToExcelOptions": "visible",
|
||||
"title": "\"Critical\" level events, by computer",
|
||||
"noDataMessage": "No critical events within the defined scope",
|
||||
"timeContext": {
|
||||
"durationMs": 0
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "timechart"
|
||||
},
|
||||
"customWidth": "33",
|
||||
"name": "query - 2 - Copy"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "Syslog\r\n| where \"{Computer:lable}\" == \"All\" or Computer in ({Computer})\r\n| extend Severity = iif(SeverityLevel == 'emerg' or SeverityLevel == 'panic', 'Emergency', iif(SeverityLevel == 'alert', 'Alert', iif(SeverityLevel == 'crit', 'Critical', iif(SeverityLevel == 'err' or SeverityLevel == 'error', 'Error', iif(SeverityLevel == 'warning' or SeverityLevel == 'warn', 'Warning', iif(SeverityLevel == 'notice', 'Notice', iif(SeverityLevel == 'info', 'Informational', iif(SeverityLevel == 'debug', 'Debug', 'Unknown'))))))))\r\n| where \"*\" in ({Severity}) or Severity in ({Severity})\r\n| where SeverityLevel in (\"alert\")\r\n| summarize count() by Computer, TimeGenerated\r\n",
|
||||
"size": 1,
|
||||
"exportToExcelOptions": "visible",
|
||||
"title": "\"Alert\" level events, by computer",
|
||||
"noDataMessage": "No alert events within the defined scope",
|
||||
"timeContext": {
|
||||
"durationMs": 0
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "timechart"
|
||||
},
|
||||
"customWidth": "33",
|
||||
"name": "query - 2 - Copy - Copy"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "Syslog\r\n| where Computer in ({Computer})\r\n| extend Severity = iif(SeverityLevel == 'emerg' or SeverityLevel == 'panic', 'Emergency', iif(SeverityLevel == 'alert', 'Alert', iif(SeverityLevel == 'crit', 'Critical', iif(SeverityLevel == 'err' or SeverityLevel == 'error', 'Error', iif(SeverityLevel == 'warning' or SeverityLevel == 'warn', 'Warning', iif(SeverityLevel == 'notice', 'Notice', iif(SeverityLevel == 'info', 'Informational', iif(SeverityLevel == 'debug', 'Debug', 'Unknown'))))))))\r\n| extend SeverityNumber = iif(SeverityLevel == 'emerg' or SeverityLevel == 'panic', 0, iif(SeverityLevel == 'alert', 1, iif(SeverityLevel == 'crit', 2, iif(SeverityLevel == 'err' or SeverityLevel == 'error', 3, iif(SeverityLevel == 'warning' or SeverityLevel == 'warn', 4, iif(SeverityLevel == 'notice', 5, iif(SeverityLevel == 'info', 6, iif(SeverityLevel == 'debug', 7, 8))))))))\r\n| where Severity in ({Severity})\r\n|extend Computer = iif(isempty(_ResourceId), Computer, _ResourceId)\r\n| project TimeGenerated, Computer, SeverityLevel, SeverityNumber, Facility, HostIP, ProcessNameAndID = strcat(ProcessName, ' (', iff(isempty(ProcessID), \"-\", tostring(ProcessID)), ')') \r\n",
|
||||
"size": 0,
|
||||
"exportToExcelOptions": "visible",
|
||||
"title": "Events",
|
||||
"noDataMessage": "No events",
|
||||
"timeContext": {
|
||||
"durationMs": 0
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"gridSettings": {
|
||||
"formatters": [
|
||||
{
|
||||
"columnMatch": "TimeGenerated",
|
||||
"formatter": 0,
|
||||
"formatOptions": {
|
||||
"showIcon": true
|
||||
}
|
||||
},
|
||||
{
|
||||
"columnMatch": "Computer",
|
||||
"formatter": 0,
|
||||
"formatOptions": {
|
||||
"showIcon": true
|
||||
}
|
||||
},
|
||||
{
|
||||
"columnMatch": "SeverityLevel",
|
||||
"formatter": 0,
|
||||
"formatOptions": {
|
||||
"showIcon": true
|
||||
}
|
||||
},
|
||||
{
|
||||
"columnMatch": "SeverityNumber",
|
||||
"formatter": 8,
|
||||
"formatOptions": {
|
||||
"min": 7,
|
||||
"max": 0,
|
||||
"palette": "redDark",
|
||||
"showIcon": true
|
||||
}
|
||||
},
|
||||
{
|
||||
"columnMatch": "Facility",
|
||||
"formatter": 0,
|
||||
"formatOptions": {
|
||||
"showIcon": true
|
||||
}
|
||||
},
|
||||
{
|
||||
"columnMatch": "HostIP",
|
||||
"formatter": 0,
|
||||
"formatOptions": {
|
||||
"showIcon": true
|
||||
}
|
||||
},
|
||||
{
|
||||
"columnMatch": "ProcessNameAndID",
|
||||
"formatter": 0,
|
||||
"formatOptions": {
|
||||
"showIcon": true
|
||||
}
|
||||
}
|
||||
],
|
||||
"labelSettings": []
|
||||
}
|
||||
},
|
||||
"name": "query - 2 - Copy - Copy - Copy"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "Syslog\r\n| where \"{Computer:lable}\" == \"All\" or Computer in ({Computer})\r\n| extend Severity = iif(SeverityLevel == 'emerg' or SeverityLevel == 'panic', 'Emergency', iif(SeverityLevel == 'alert', 'Alert', iif(SeverityLevel == 'crit', 'Critical', iif(SeverityLevel == 'err' or SeverityLevel == 'error', 'Error', iif(SeverityLevel == 'warning' or SeverityLevel == 'warn', 'Warning', iif(SeverityLevel == 'notice', 'Notice', iif(SeverityLevel == 'info', 'Informational', iif(SeverityLevel == 'debug', 'Debug', 'Unknown'))))))))\r\n| where \"*\" in ({Severity}) or Severity in ({Severity})\r\n| summarize count() by SyslogMessage\r\n",
|
||||
"size": 0,
|
||||
"exportToExcelOptions": "visible",
|
||||
"title": "Syslog messages of events",
|
||||
"noDataMessage": "No messages",
|
||||
"timeContext": {
|
||||
"durationMs": 0
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "piechart"
|
||||
},
|
||||
"customWidth": "50",
|
||||
"name": "query - 7"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "Syslog\r\n| where \"{Computer:lable}\" == \"All\" or Computer in ({Computer})\r\n| extend Severity = iif(SeverityLevel == 'emerg' or SeverityLevel == 'panic', 'Emergency', iif(SeverityLevel == 'alert', 'Alert', iif(SeverityLevel == 'crit', 'Critical', iif(SeverityLevel == 'err' or SeverityLevel == 'error', 'Error', iif(SeverityLevel == 'warning' or SeverityLevel == 'warn', 'Warning', iif(SeverityLevel == 'notice', 'Notice', iif(SeverityLevel == 'info', 'Informational', iif(SeverityLevel == 'debug', 'Debug', 'Unknown'))))))))\r\n| where \"*\" in ({Severity}) or Severity in ({Severity})\r\n| summarize count() by Facility, ProcessName\r\n| project Process = strcat(ProcessName, ' (', Facility, ')'), Count = count_ \r\n",
|
||||
"size": 0,
|
||||
"exportToExcelOptions": "visible",
|
||||
"title": "Process names of events",
|
||||
"timeContext": {
|
||||
"durationMs": 0
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "piechart"
|
||||
},
|
||||
"customWidth": "50",
|
||||
"name": "query - 11"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "Syslog\r\n| where \"{Computer:lable}\" == \"All\" or Computer in ({Computer})\r\n| extend Severity = iif(SeverityLevel == 'emerg' or SeverityLevel == 'panic', 'Emergency', iif(SeverityLevel == 'alert', 'Alert', iif(SeverityLevel == 'crit', 'Critical', iif(SeverityLevel == 'err' or SeverityLevel == 'error', 'Error', iif(SeverityLevel == 'warning' or SeverityLevel == 'warn', 'Warning', iif(SeverityLevel == 'notice', 'Notice', iif(SeverityLevel == 'info', 'Informational', iif(SeverityLevel == 'debug', 'Debug', 'Unknown'))))))))\r\n| where \"*\" in ({Severity}) or Severity in ({Severity})\r\n| summarize count() by Facility, SeverityLevel\r\n",
|
||||
"size": 0,
|
||||
"exportToExcelOptions": "visible",
|
||||
"title": "Event distribution, by facility",
|
||||
"noDataMessage": "No events",
|
||||
"timeContext": {
|
||||
"durationMs": 0
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "piechart"
|
||||
},
|
||||
"customWidth": "50",
|
||||
"name": "query - 7 - Copy - Copy - Copy"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "Syslog\r\n| where \"{Computer:lable}\" == \"All\" or Computer in ({Computer})\r\n| extend Severity = iif(SeverityLevel == 'emerg' or SeverityLevel == 'panic', 'Emergency', iif(SeverityLevel == 'alert', 'Alert', iif(SeverityLevel == 'crit', 'Critical', iif(SeverityLevel == 'err' or SeverityLevel == 'error', 'Error', iif(SeverityLevel == 'warning' or SeverityLevel == 'warn', 'Warning', iif(SeverityLevel == 'notice', 'Notice', iif(SeverityLevel == 'info', 'Informational', iif(SeverityLevel == 'debug', 'Debug', 'Unknown'))))))))\r\n| where \"*\" in ({Severity}) or Severity in ({Severity})\r\n| summarize count() by Facility, SeverityLevel",
|
||||
"size": 0,
|
||||
"exportToExcelOptions": "visible",
|
||||
"title": "Severity levels, by facility",
|
||||
"timeContext": {
|
||||
"durationMs": 0
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "categoricalbar"
|
||||
},
|
||||
"customWidth": "50",
|
||||
"name": "query - 11 - Copy"
|
||||
}
|
||||
],
|
||||
"styleSettings": {},
|
||||
"fromTemplateId": "sentinel-LinuxMachines",
|
||||
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
|
||||
{
|
||||
"version": "Notebook/1.0",
|
||||
"items": [
|
||||
{
|
||||
"type": 1,
|
||||
"content": {
|
||||
"json": "## Linux Machines"
|
||||
},
|
||||
"name": "text - 0"
|
||||
},
|
||||
{
|
||||
"type": 9,
|
||||
"content": {
|
||||
"version": "KqlParameterItem/1.0",
|
||||
"query": "",
|
||||
"crossComponentResources": [],
|
||||
"parameters": [
|
||||
{
|
||||
"id": "1025a43d-241c-4e40-95dc-c9eb9c789bc5",
|
||||
"version": "KqlParameterItem/1.0",
|
||||
"name": "TimeRange",
|
||||
"type": 4,
|
||||
"isRequired": true,
|
||||
"value": {
|
||||
"durationMs": 1209600000
|
||||
},
|
||||
"typeSettings": {
|
||||
"selectableValues": [
|
||||
{
|
||||
"durationMs": 300000
|
||||
},
|
||||
{
|
||||
"durationMs": 900000
|
||||
},
|
||||
{
|
||||
"durationMs": 1800000
|
||||
},
|
||||
{
|
||||
"durationMs": 3600000
|
||||
},
|
||||
{
|
||||
"durationMs": 14400000
|
||||
},
|
||||
{
|
||||
"durationMs": 43200000
|
||||
},
|
||||
{
|
||||
"durationMs": 86400000
|
||||
},
|
||||
{
|
||||
"durationMs": 172800000
|
||||
},
|
||||
{
|
||||
"durationMs": 259200000
|
||||
},
|
||||
{
|
||||
"durationMs": 604800000
|
||||
},
|
||||
{
|
||||
"durationMs": 1209600000
|
||||
},
|
||||
{
|
||||
"durationMs": 2419200000
|
||||
},
|
||||
{
|
||||
"durationMs": 2592000000
|
||||
},
|
||||
{
|
||||
"durationMs": 5184000000
|
||||
},
|
||||
{
|
||||
"durationMs": 7776000000
|
||||
}
|
||||
],
|
||||
"allowCustom": true
|
||||
}
|
||||
},
|
||||
{
|
||||
"id": "bc241870-7874-4927-8c74-d17e747522b1",
|
||||
"version": "KqlParameterItem/1.0",
|
||||
"name": "Computer",
|
||||
"type": 5,
|
||||
"isRequired": true,
|
||||
"multiSelect": true,
|
||||
"quote": "'",
|
||||
"delimiter": ",",
|
||||
"query": "Syslog\r\n| summarize syslogEventsCount = count() by Computer\r\n| sort by syslogEventsCount desc\r\n| project Computer\r\n",
|
||||
"value": [
|
||||
"value::all"
|
||||
],
|
||||
"typeSettings": {
|
||||
"additionalResourceOptions": [
|
||||
"value::all"
|
||||
],
|
||||
"selectAllValue": "All"
|
||||
},
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces"
|
||||
},
|
||||
{
|
||||
"id": "e073f36e-2fb5-421d-9099-217205b247f5",
|
||||
"version": "KqlParameterItem/1.0",
|
||||
"name": "Severity",
|
||||
"type": 2,
|
||||
"isRequired": true,
|
||||
"multiSelect": true,
|
||||
"quote": "'",
|
||||
"delimiter": ",",
|
||||
"value": [
|
||||
"value::all"
|
||||
],
|
||||
"typeSettings": {
|
||||
"additionalResourceOptions": [
|
||||
"value::all"
|
||||
],
|
||||
"selectAllValue": "*"
|
||||
},
|
||||
"jsonData": "[\"Emergency\", \"Alert\", \"Critical\", \"Error\", \"Warning\", \"Notice\", \"Informational\", \"Debug\"]",
|
||||
"timeContext": {
|
||||
"durationMs": 0
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange"
|
||||
}
|
||||
],
|
||||
"style": "pills",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces"
|
||||
},
|
||||
"name": "parameters - 1"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "Syslog\r\n| summarize count() by SeverityLevel\r\n| extend severityNumber = iif(SeverityLevel == 'emerg' or SeverityLevel == 'panic', 0, iif(SeverityLevel == 'alert', 1, iif(SeverityLevel == 'crit', 2, iif(SeverityLevel == 'err' or SeverityLevel == 'error', 3, iif(SeverityLevel == 'warning' or SeverityLevel == 'warn', 4, iif(SeverityLevel == 'notice', 5, iif(SeverityLevel == 'info', 6, iif(SeverityLevel == 'debug', 7, 8))))))))\r\n| sort by severityNumber asc\r\n| extend Severity = iif(SeverityLevel == 'emerg' or SeverityLevel == 'panic', 'Emergency', iif(SeverityLevel == 'alert', 'Alert', iif(SeverityLevel == 'crit', 'Critical', iif(SeverityLevel == 'err' or SeverityLevel == 'error', 'Error', iif(SeverityLevel == 'warning' or SeverityLevel == 'warn', 'Warning', iif(SeverityLevel == 'notice', 'Notice', iif(SeverityLevel == 'info', 'Informational', iif(SeverityLevel == 'debug', 'Debug', 'Unknown'))))))))\r\n| project-away severityNumber\r\n| where \"*\" in ({Severity}) or Severity in ({Severity})\r\n",
|
||||
"size": 4,
|
||||
"exportToExcelOptions": "visible",
|
||||
"timeContext": {
|
||||
"durationMs": 0
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "tiles",
|
||||
"tileSettings": {
|
||||
"titleContent": {
|
||||
"columnMatch": "SeverityLevel",
|
||||
"formatter": 1,
|
||||
"formatOptions": {
|
||||
"showIcon": true
|
||||
}
|
||||
},
|
||||
"leftContent": {
|
||||
"columnMatch": "count_",
|
||||
"formatter": 12,
|
||||
"formatOptions": {
|
||||
"palette": "hotCold",
|
||||
"showIcon": true
|
||||
},
|
||||
"numberFormat": {
|
||||
"unit": 17,
|
||||
"options": {
|
||||
"style": "decimal",
|
||||
"maximumFractionDigits": 2,
|
||||
"maximumSignificantDigits": 3
|
||||
}
|
||||
}
|
||||
},
|
||||
"showBorder": false,
|
||||
"sortOrderField": 2
|
||||
}
|
||||
},
|
||||
"name": "query - 2"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "Syslog\r\n| where \"{Computer:lable}\" == \"All\" or Computer in ({Computer})\r\n| extend Severity = iif(SeverityLevel == 'emerg' or SeverityLevel == 'panic', 'Emergency', iif(SeverityLevel == 'alert', 'Alert', iif(SeverityLevel == 'crit', 'Critical', iif(SeverityLevel == 'err' or SeverityLevel == 'error', 'Error', iif(SeverityLevel == 'warning' or SeverityLevel == 'warn', 'Warning', iif(SeverityLevel == 'notice', 'Notice', iif(SeverityLevel == 'info', 'Informational', iif(SeverityLevel == 'debug', 'Debug', 'Unknown'))))))))\r\n| where \"*\" in ({Severity}) or Severity in ({Severity})\r\n| where SeverityLevel in (\"emerg\")\r\n| summarize count() by Computer, TimeGenerated\r\n",
|
||||
"size": 1,
|
||||
"exportToExcelOptions": "visible",
|
||||
"title": "\"Emergency\" level events, by computer",
|
||||
"noDataMessage": "No emergency events within the defined scope",
|
||||
"timeContext": {
|
||||
"durationMs": 0
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "timechart"
|
||||
},
|
||||
"customWidth": "33",
|
||||
"name": "query - 2 - Copy"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "Syslog\r\n| where \"{Computer:lable}\" == \"All\" or Computer in ({Computer})\r\n| extend Severity = iif(SeverityLevel == 'emerg' or SeverityLevel == 'panic', 'Emergency', iif(SeverityLevel == 'alert', 'Alert', iif(SeverityLevel == 'crit', 'Critical', iif(SeverityLevel == 'err' or SeverityLevel == 'error', 'Error', iif(SeverityLevel == 'warning' or SeverityLevel == 'warn', 'Warning', iif(SeverityLevel == 'notice', 'Notice', iif(SeverityLevel == 'info', 'Informational', iif(SeverityLevel == 'debug', 'Debug', 'Unknown'))))))))\r\n| where \"*\" in ({Severity}) or Severity in ({Severity})\r\n| where SeverityLevel in (\"crit\")\r\n| summarize count() by Computer, TimeGenerated\r\n",
|
||||
"size": 1,
|
||||
"exportToExcelOptions": "visible",
|
||||
"title": "\"Critical\" level events, by computer",
|
||||
"noDataMessage": "No critical events within the defined scope",
|
||||
"timeContext": {
|
||||
"durationMs": 0
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "timechart"
|
||||
},
|
||||
"customWidth": "33",
|
||||
"name": "query - 2 - Copy"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "Syslog\r\n| where \"{Computer:lable}\" == \"All\" or Computer in ({Computer})\r\n| extend Severity = iif(SeverityLevel == 'emerg' or SeverityLevel == 'panic', 'Emergency', iif(SeverityLevel == 'alert', 'Alert', iif(SeverityLevel == 'crit', 'Critical', iif(SeverityLevel == 'err' or SeverityLevel == 'error', 'Error', iif(SeverityLevel == 'warning' or SeverityLevel == 'warn', 'Warning', iif(SeverityLevel == 'notice', 'Notice', iif(SeverityLevel == 'info', 'Informational', iif(SeverityLevel == 'debug', 'Debug', 'Unknown'))))))))\r\n| where \"*\" in ({Severity}) or Severity in ({Severity})\r\n| where SeverityLevel in (\"alert\")\r\n| summarize count() by Computer, TimeGenerated\r\n",
|
||||
"size": 1,
|
||||
"exportToExcelOptions": "visible",
|
||||
"title": "\"Alert\" level events, by computer",
|
||||
"noDataMessage": "No alert events within the defined scope",
|
||||
"timeContext": {
|
||||
"durationMs": 0
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "timechart"
|
||||
},
|
||||
"customWidth": "33",
|
||||
"name": "query - 2 - Copy - Copy"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "Syslog\r\n| where Computer in ({Computer})\r\n| extend Severity = iif(SeverityLevel == 'emerg' or SeverityLevel == 'panic', 'Emergency', iif(SeverityLevel == 'alert', 'Alert', iif(SeverityLevel == 'crit', 'Critical', iif(SeverityLevel == 'err' or SeverityLevel == 'error', 'Error', iif(SeverityLevel == 'warning' or SeverityLevel == 'warn', 'Warning', iif(SeverityLevel == 'notice', 'Notice', iif(SeverityLevel == 'info', 'Informational', iif(SeverityLevel == 'debug', 'Debug', 'Unknown'))))))))\r\n| extend SeverityNumber = iif(SeverityLevel == 'emerg' or SeverityLevel == 'panic', 0, iif(SeverityLevel == 'alert', 1, iif(SeverityLevel == 'crit', 2, iif(SeverityLevel == 'err' or SeverityLevel == 'error', 3, iif(SeverityLevel == 'warning' or SeverityLevel == 'warn', 4, iif(SeverityLevel == 'notice', 5, iif(SeverityLevel == 'info', 6, iif(SeverityLevel == 'debug', 7, 8))))))))\r\n| where Severity in ({Severity})\r\n|extend Computer = iif(isempty(_ResourceId), Computer, _ResourceId)\r\n| project TimeGenerated, Computer, SeverityLevel, SeverityNumber, Facility, HostIP, ProcessNameAndID = strcat(ProcessName, ' (', iff(isempty(ProcessID), \"-\", tostring(ProcessID)), ')') \r\n",
|
||||
"size": 0,
|
||||
"exportToExcelOptions": "visible",
|
||||
"title": "Events",
|
||||
"noDataMessage": "No events",
|
||||
"timeContext": {
|
||||
"durationMs": 0
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"gridSettings": {
|
||||
"formatters": [
|
||||
{
|
||||
"columnMatch": "TimeGenerated",
|
||||
"formatter": 0,
|
||||
"formatOptions": {
|
||||
"showIcon": true
|
||||
}
|
||||
},
|
||||
{
|
||||
"columnMatch": "Computer",
|
||||
"formatter": 0,
|
||||
"formatOptions": {
|
||||
"showIcon": true
|
||||
}
|
||||
},
|
||||
{
|
||||
"columnMatch": "SeverityLevel",
|
||||
"formatter": 0,
|
||||
"formatOptions": {
|
||||
"showIcon": true
|
||||
}
|
||||
},
|
||||
{
|
||||
"columnMatch": "SeverityNumber",
|
||||
"formatter": 8,
|
||||
"formatOptions": {
|
||||
"min": 7,
|
||||
"max": 0,
|
||||
"palette": "redDark",
|
||||
"showIcon": true
|
||||
}
|
||||
},
|
||||
{
|
||||
"columnMatch": "Facility",
|
||||
"formatter": 0,
|
||||
"formatOptions": {
|
||||
"showIcon": true
|
||||
}
|
||||
},
|
||||
{
|
||||
"columnMatch": "HostIP",
|
||||
"formatter": 0,
|
||||
"formatOptions": {
|
||||
"showIcon": true
|
||||
}
|
||||
},
|
||||
{
|
||||
"columnMatch": "ProcessNameAndID",
|
||||
"formatter": 0,
|
||||
"formatOptions": {
|
||||
"showIcon": true
|
||||
}
|
||||
}
|
||||
],
|
||||
"labelSettings": []
|
||||
}
|
||||
},
|
||||
"name": "query - 2 - Copy - Copy - Copy"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "Syslog\r\n| where \"{Computer:lable}\" == \"All\" or Computer in ({Computer})\r\n| extend Severity = iif(SeverityLevel == 'emerg' or SeverityLevel == 'panic', 'Emergency', iif(SeverityLevel == 'alert', 'Alert', iif(SeverityLevel == 'crit', 'Critical', iif(SeverityLevel == 'err' or SeverityLevel == 'error', 'Error', iif(SeverityLevel == 'warning' or SeverityLevel == 'warn', 'Warning', iif(SeverityLevel == 'notice', 'Notice', iif(SeverityLevel == 'info', 'Informational', iif(SeverityLevel == 'debug', 'Debug', 'Unknown'))))))))\r\n| where \"*\" in ({Severity}) or Severity in ({Severity})\r\n| summarize count() by SyslogMessage\r\n",
|
||||
"size": 0,
|
||||
"exportToExcelOptions": "visible",
|
||||
"title": "Syslog messages of events",
|
||||
"noDataMessage": "No messages",
|
||||
"timeContext": {
|
||||
"durationMs": 0
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "piechart"
|
||||
},
|
||||
"customWidth": "50",
|
||||
"name": "query - 7"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "Syslog\r\n| where \"{Computer:lable}\" == \"All\" or Computer in ({Computer})\r\n| extend Severity = iif(SeverityLevel == 'emerg' or SeverityLevel == 'panic', 'Emergency', iif(SeverityLevel == 'alert', 'Alert', iif(SeverityLevel == 'crit', 'Critical', iif(SeverityLevel == 'err' or SeverityLevel == 'error', 'Error', iif(SeverityLevel == 'warning' or SeverityLevel == 'warn', 'Warning', iif(SeverityLevel == 'notice', 'Notice', iif(SeverityLevel == 'info', 'Informational', iif(SeverityLevel == 'debug', 'Debug', 'Unknown'))))))))\r\n| where \"*\" in ({Severity}) or Severity in ({Severity})\r\n| summarize count() by Facility, ProcessName\r\n| project Process = strcat(ProcessName, ' (', Facility, ')'), Count = count_ \r\n",
|
||||
"size": 0,
|
||||
"exportToExcelOptions": "visible",
|
||||
"title": "Process names of events",
|
||||
"timeContext": {
|
||||
"durationMs": 0
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "piechart"
|
||||
},
|
||||
"customWidth": "50",
|
||||
"name": "query - 11"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "Syslog\r\n| where \"{Computer:lable}\" == \"All\" or Computer in ({Computer})\r\n| extend Severity = iif(SeverityLevel == 'emerg' or SeverityLevel == 'panic', 'Emergency', iif(SeverityLevel == 'alert', 'Alert', iif(SeverityLevel == 'crit', 'Critical', iif(SeverityLevel == 'err' or SeverityLevel == 'error', 'Error', iif(SeverityLevel == 'warning' or SeverityLevel == 'warn', 'Warning', iif(SeverityLevel == 'notice', 'Notice', iif(SeverityLevel == 'info', 'Informational', iif(SeverityLevel == 'debug', 'Debug', 'Unknown'))))))))\r\n| where \"*\" in ({Severity}) or Severity in ({Severity})\r\n| summarize count() by Facility, SeverityLevel\r\n",
|
||||
"size": 0,
|
||||
"exportToExcelOptions": "visible",
|
||||
"title": "Event distribution, by facility",
|
||||
"noDataMessage": "No events",
|
||||
"timeContext": {
|
||||
"durationMs": 0
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "piechart"
|
||||
},
|
||||
"customWidth": "50",
|
||||
"name": "query - 7 - Copy - Copy - Copy"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "Syslog\r\n| where \"{Computer:lable}\" == \"All\" or Computer in ({Computer})\r\n| extend Severity = iif(SeverityLevel == 'emerg' or SeverityLevel == 'panic', 'Emergency', iif(SeverityLevel == 'alert', 'Alert', iif(SeverityLevel == 'crit', 'Critical', iif(SeverityLevel == 'err' or SeverityLevel == 'error', 'Error', iif(SeverityLevel == 'warning' or SeverityLevel == 'warn', 'Warning', iif(SeverityLevel == 'notice', 'Notice', iif(SeverityLevel == 'info', 'Informational', iif(SeverityLevel == 'debug', 'Debug', 'Unknown'))))))))\r\n| where \"*\" in ({Severity}) or Severity in ({Severity})\r\n| summarize count() by Facility, SeverityLevel",
|
||||
"size": 0,
|
||||
"exportToExcelOptions": "visible",
|
||||
"title": "Severity levels, by facility",
|
||||
"timeContext": {
|
||||
"durationMs": 0
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "categoricalbar"
|
||||
},
|
||||
"customWidth": "50",
|
||||
"name": "query - 11 - Copy"
|
||||
}
|
||||
],
|
||||
"styleSettings": {},
|
||||
"fromTemplateId": "sentinel-LinuxMachines",
|
||||
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
|
||||
}
|