Коммит
6d6e7dd1b6
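--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,189 @@
+{
+"Name": "Netclean_Incidents_CL",
+"Properties": [
+{
+"Name": "TenantId",
+"type": "string"
+},
+{
+"Name": "SourceSystem",
+"type": "string"
+},
+{
+"Name": "MG",
+"type": "Guid"
+},
+{
+"Name": "ManagementGroupName",
+"type": "string"
+},
+{
+"Name": "TimeGenerated",
+"type": "datetime"
+},
+{
+"Name": "Computer",
+"type": "string"
+},
+{
+"Name": "RawData",
+"type": "string"
+},
+{
+"Name": "Hostname_s",
+"type": "string"
+},
+{
+"Name": "agentType_s",
+"type": "string"
+},
+{
+"Name": "Identifier_g",
+"type": "string"
+},
+{
+"Name": "type_s",
+"type": "string"
+},
+{
+"Name": "version_s",
+"type": "string"
+},
+{
+"Name": "foundTime_t",
+"type": "datetime"
+},
+{
+"Name": "detectionMethod_s",
+"type": "string"
+},
+{
+"Name": "agentInformatonIdentifier_s",
+"type": "string"
+},
+{
+"Name": "osVersion_s",
+"type": "string"
+},
+{
+"Name": "machineName_s",
+"type": "string"
+},
+{
+"Name": "microsoftCultureId_s",
+"type": "string"
+},
+{
+"Name": "timeZoneId_s",
+"type": "string"
+},
+{
+"Name": "microsoftGeoId_s",
+"type": "string"
+},
+{
+"Name": "domainname_s",
+"type": "string"
+},
+{
+"Name": "Agentversion_s",
+"type": "string"
+},
+{
+"Name": "Agentidentifier_g",
+"type": "string"
+},
+{
+"Name": "loggedOnUsers_s",
+"type": "string"
+},
+{
+"Name": "size_s",
+"type": "string"
+},
+{
+"Name": "creationTime_t",
+"type": "datetime"
+},
+{
+"Name": "lastAccessTime_t",
+"type": "datetime"
+},
+{
+"Name": "lastWriteTime_t",
+"type": "datetime"
+},
+{
+"Name": "sha1_s",
+"type": "string"
+},
+{
+"Name": "nearbyFiles_sha1_s",
+"type": "string"
+},
+{
+"Name": "externalIP_s",
+"type": "string"
+},
+{
+"Name": "domain_s",
+"type": "string"
+},
+{
+"Name": "hasCollectedNearbyFiles_s",
+"type": "string"
+},
+{
+"Name": "filePath_s",
+"type": "string"
+},
+{
+"Name": "m365WebUrl_s",
+"type": "string"
+},
+{
+"Name": "m365CreatedBymail_s",
+"type": "string"
+},
+{
+"Name": "m365LastModifiedByMail_s",
+"type": "string"
+},
+{
+"Name": "m365LibraryId_s",
+"type": "string"
+},
+{
+"Name": "m365LibraryDisplayName_s",
+"type": "string"
+},
+{
+"Name": "m365Librarytype_s",
+"type": "string"
+},
+{
+"Name": "m365siteid_s",
+"type": "string"
+},
+{
+"Name": "m365sitedisplayName_s",
+"type": "string"
+},
+{
+"Name": "m365sitename_s",
+"type": "string"
+},
+{
+"Name": "countOfAllNearByFiles_s",
+"type": "string"
+},
+{
+"Name": "Type",
+"type": "string"
+},
+{
+"Name": "_ResourceId",
+"type": "string"
+}
+]
+}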
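Review bot: `version_s` and `hasCollectedNearbyFiles_s` are declared `"type": "string"` here, yet the analytic rule and the workbook added further down this commit filter them with `where version_s == 1` and `where hasCollectedNearbyFiles_s == true`; KQL does not implicitly convert between string and long/bool, so those comparisons are a type error rather than a match on the stored text. Either the queries should compare against the string values `"1"` / `"true"`, or the Logic App should send these fields as a number and a boolean so Log Analytics creates typed columns (`_d`/`_b` suffix) that the queries can compare directly; `size_s` and `countOfAllNearByFiles_s` have the same problem, holding numbers that can only be compared as text. `nearbyFiles_sha1_s` packs a comma-joined list of hashes into one string (the workbook counts commas in it to get a count), which is a poor fit for hash matching; a `dynamic` array column would let rules use `mv-expand` or `has` per hash instead of substring tricks.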
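--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -1,4 +1,5 @@
 [
+"Netclean_ProActive_Incidents",
 "42CrunchAPIProtection",
 "AIVectraDetect",
 "AIVectraStream",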
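Review bot: The new id is inserted at the very top of the list, ahead of `"42CrunchAPIProtection"`, while the visible entries appear to be kept in sorted order; placing `"Netclean_ProActive_Incidents",` at its alphabetical position keeps later additions from colliding on the same line. The rest of the list is outside the hunk, so I cannot confirm the ordering beyond the first three entries.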
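--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 96 96">
+<path d="M-.1 0h96v96h-96z" fill="#0e2343"></path>
+<defs>
+<path id="32107c20-0d95-48af-bb4f-166c97fbc658" d="M11.3 12.6H82v70.7H11.3z"></path>
+</defs>
+<clipPath id="a3cb2b70-ce10-473d-be64-4cd9106404dd">
+<use href="#32107c20-0d95-48af-bb4f-166c97fbc658"></use>
+</clipPath>
+<g clip-path="url(#a3cb2b70-ce10-473d-be64-4cd9106404dd)" fill="#fff">
+<path d="M79.6 43.3H58.8c-.3 0-.5-.4-.3-.6l16.6-16.6c.2-.2.2-.4.2-.6v-2.3c0-.2-.1-.4-.2-.6l-3-3c-.2-.2-.4-.2-.6-.2h-2.3c-.2 0-.4.1-.6.2L52 36.1c-.2.2-.6.1-.6-.3V15.1c0-.2-.1-.4-.2-.6l-1.7-1.7c-.2-.2-.4-.2-.6-.2h-4.3c-.2 0-.4.1-.6.2l-1.7 1.7c-.2.2-.2.4-.2.6v31.2c0 .2.1.4.2.6l5.4 5.4c.2.2.4.2.6.2h31.2c.2 0 .4-.1.6-.2l1.7-1.7c.2-.2.2-.4.2-.6v-4.3c0-.2-.1-.4-.2-.6l-1.7-1.7c-.1 0-.3-.1-.5-.1h0z" fill-rule="evenodd"></path>
+<path d="M23.6 64.6l-.6.6c-.2.2-.2.4 0 .6l5.9 5.9a.37.37 0 0 0 .6 0l.7-.7a.37.37 0 0 0 0-.6l-5.9-5.9c-.2-.1-.5-.1-.7.1z"></path>
+<path d="M18.3 52.6H20c.2 0 .3-.2.1-.4l-7.5-7.5c-.1-.1-.3-.1-.5 0l-.5.5-.3.3c-.1.1-.1.3 0 .5l6.4 6.4c.2.1.4.2.6.2h0z" fill-rule="evenodd"></path>
+<path d="M25.7 62.5l-.7.6c-.2.2-.2.4 0 .6l5.9 5.9a.37.37 0 0 0 .6 0l.7-.7a.37.37 0 0 0 0-.6l-5.9-5.9a.47.47 0 0 0-.6.1zm4.2-4.2l-.7.7c-.2.2-.2.4 0 .6l5.9 5.9c.2.2.4.2.6 0l.7-.7c.2-.2.2-.4 0-.6l-5.9-5.9c-.2-.1-.5-.1-.6 0zM19.5 68.7l-.7.7a.37.37 0 0 0 0 .6l5.9 5.9a.37.37 0 0 0 .6 0l.7-.7c.2-.2.2-.4 0-.6l-5.9-5.9c-.2-.2-.5-.2-.6 0zm2.1-2.1l-.7.7c-.2.2-.2.4 0 .6l5.9 5.9a.37.37 0 0 0 .6 0l.7-.7a.37.37 0 0 0 0-.6l-5.9-5.9c-.2-.1-.5-.1-.6 0z"></path>
+<path d="M18.1 71.4v1.7c0 .1 0 .2.1.3l3.1 3.1c.1.1.2.1.3.1h1.6c.2 0 .3-.2.1-.4l-4.9-4.9c0-.1-.3-.1-.3.1h0z" fill-rule="evenodd"></path>
+<path d="M31.9 56.3l-.7.7c-.2.2-.2.4 0 .6l5.9 5.9a.37.37 0 0 0 .6 0l.7-.7c.2-.2.2-.4 0-.6l-5.9-5.9c-.1-.2-.4-.2-.6 0zm-4.1 4.1l-.7.7c-.2.2-.2.4 0 .6l5.9 5.9c.2.2.4.2.6 0l.7-.7a.37.37 0 0 0 0-.6l-5.9-5.9c-.2-.1-.5-.1-.6 0zm6.2-6.2l-.7.7c-.2.2-.2.4 0 .6l5.9 5.9a.37.37 0 0 0 .6 0l.7-.7c.2-.2.2-.4 0-.6l-5.9-5.9a.37.37 0 0 0-.6 0z"></path>
+<g fill-rule="evenodd">
+<path d="M27.6 43.3h-1.7c-.2 0-.3.2-.1.4L51 69c.1.1.4 0 .4-.1V67c0-.1 0-.2-.1-.3L28 43.5c-.1-.1-.2-.2-.4-.2h0zm8.3 0h-1.7c-.2 0-.3.2-.1.4l17 17c.1.1.4 0 .4-.1v-1.8c0-.1 0-.2-.1-.3l-15.1-15c-.1-.1-.2-.2-.4-.2h0zm4.6 2.2v-1.9c0-.1-.1-.2-.2-.2h-1.9c-.2 0-.3.2-.1.4l1.9 1.9s.3 0 .3-.2zm1.6 16.8V64c0 .2.1.3.2.4l8.7 8.7c.1.1.4 0 .4-.1v-1.7c0-.2-.1-.3-.2-.4l-8.7-8.7c-.1-.2-.4-.1-.4.1h0zm9.1-8.1h-2c-.2 0-.3.2-.1.4l2 2c.1.1.4 0 .4-.1v-2c-.1-.2-.2-.3-.3-.3zM31.8 43.3H30c-.2 0-.3.2-.1.4L51 64.8c.1.1.4 0 .4-.1v-1.8c0-.1 0-.2-.1-.3L32.2 43.5a.76.76 0 0 0-.4-.2h0zm-5.2 9.3h1.7c.2 0 .3-.2.1-.4l-8.7-8.7a.76.76 0 0 0-.4-.2h-1.7c-.2 0-.3.2-.1.4l8.7 8.7c0 .1.2.2.4.2h0zm-4.2 0h1.7c.2 0 .3-.2.1-.4l-8.7-8.7a.76.76 0 0 0-.4-.2h-1.7c-.2 0-.3.2-.1.4l8.7 8.7a.76.76 0 0 0 .4.2h0zm-.8-8.9l8.7 8.7a.76.76 0 0 0 .4.2h1.7c.2 0 .3-.2.1-.4l-8.7-8.7a.76.76 0 0 0-.4-.2h-1.7c-.2 0-.3.2-.1.4h0zM14 52.6h1.8c.2 0 .3-.2.1-.4l-4.3-4.3c-.1-.1-.4 0-.4.1v1.8c0 .1 0 .2.1.3l2.3 2.3c.2.1.3.2.4.2h0zm28.1 13.8v1.7c0 .2.1.3.2.4l8.7 8.7c.1.1.4 0 .4-.1v-1.7c0-.2-.1-.3-.2-.4l-8.7-8.7c-.1-.2-.4-.1-.4.1h0zm0 10v-1.7c0-.2.2-.3.4-.1L50 82c.1.1.1.3 0 .5l-.5.5-.3.3c-.1.1-.3.1-.5 0l-6.4-6.4c-.1-.1-.2-.3-.2-.5h0zm0-4.1v-1.7c0-.2.2-.3.4-.1l8.7 8.7a.76.76 0 0 1 .2.4v1.7c0 .2-.2.3-.4.1l-8.7-8.7a.76.76 0 0 1-.2-.4zm0 8.4v-1.8c0-.2.2-.3.4-.1l4.3 4.3c.1.1 0 .4-.1.4h-1.8c-.1 0-.2 0-.3-.1L42.3 81c-.1-.1-.2-.2-.2-.3z"></path>
+</g>
+</g>
+</svg>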
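--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,48 @@
+id: 77548170-5c60-42e5-bdac-b0360d0779bb
+name: NetClean ProActive Incidents
+description: |
+'NetClean Incident'
+severity: High
+requiredDataConnectors:
+- connectorId: Netclean_ProActive_Incidents
+dataTypes:
+- Netclean_ProActive_Incidents
+status: Available
+queryFrequency: 10m
+queryPeriod: 10m
+triggerOperator: gt
+triggerThreshold: 0
+suppressionDuration: 5h
+tactics:
+- Discovery
+relevantTechniques:
+- T1083
+query: |
+Netclean_Incidents_CL | where version_s == 1
+entityMappings:
+- entityType: FileHash
+fieldMappings:
+- identifier: Value
+columnName: sha1_s
+- identifier: Algorithm
+columnName: detectionMethod_s
+- entityType: DNS
+fieldMappings:
+- identifier: DomainName
+columnName: domain_s
+- entityType: Host
+fieldMappings:
+- identifier: HostName
+columnName: Hostname_s
+- entityType: IP
+fieldMappings:
+- identifier: Address
+columnName: externalIP_s
+alertDetailsOverride:
+alertDisplayNameFormat: NetClean {{agentType_s}} {{type_s}}
+alertDescriptionFormat: A new NetClean {{agentType_s}} {{type_s}} has been Created {{TimeGenerated}}
+version: 1.0.1
+kind: Scheduled
+
+
+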
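Review bot: The FileHash entity maps `Algorithm` to `detectionMethod_s`, which the connector instructions in this commit fill from the webhook's `detectionHashType`; the Algorithm identifier is, as far as I know, an enumeration of hash algorithm names (MD5, SHA1, SHA256 …), so unless that field always carries one of those names the entity is likely to be dropped at alert creation. Since `Value` is always the SHA-1 column, deriving the algorithm in the query is safer: append `| extend HashAlgorithm = "SHA1"` to the query and map `columnName: HashAlgorithm`. The DNS entity is mapped to `domain_s`, which the Logic App populates from `variables('domain')`, i.e. the device's domain rather than a resolved name, so a Host `DnsDomain` field mapping describes it more accurately than a DNS entity. `description` holds only the quoted text `'NetClean Incident'`; one sentence saying what a NetClean incident is and that the rule fires on every `version_s == 1` row would help analysts triaging the High-severity alert.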
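--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,115 @@
+{
+"id": "Netclean_ProActive_Incidents",
+"title": "Netclean ProActive Incidents",
+"publisher": "NetClean Technologies",
+"descriptionMarkdown": "This connector uses the Netclean Webhook (required) and Logic Apps to push data into Microsoft Sentinel Log Analytics",
+"graphQueries": [
+{
+"metricName": "Total data received",
+"legend": "Netclean_Incidents_CL",
+"baseQuery": "Netclean_Incidents_CL"
+}
+],
+"sampleQueries": [
+{
+"description" : "Netclean - All Activities.",
+"query": "Netclean_Incidents_CL | sort by TimeGenerated desc"
+}
+],
+"dataTypes": [
+{
+"name": "Netclean_Incidents_CL",
+"lastDataReceivedQuery": "Netclean_Incidents_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+}
+],
+"connectivityCriterias": [
+{
+"type": "IsConnectedQuery",
+"value": [
+"Netclean_Incidents_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
+]
+}
+],
+"availability": {
+"status": 1,
+"isPreview": true
+},
+"permissions": {
+"resourceProvider": [
+{
+"provider": "Microsoft.OperationalInsights/workspaces",
+"permissionsDisplayText": "read and write permissions are required.",
+"providerDisplayName": "Workspace",
+"scope": "Workspace",
+"requiredPermissions": {
+"write": true,
+"read": true,
+"delete": true
+}
+},
+{
+"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+"providerDisplayName": "Keys",
+"scope": "Workspace",
+"requiredPermissions": {
+"action": true
+}
+}
+]
+
+},
+"instructionSteps": [
+{
+"title": "",
+"description": ">**NOTE:** The data connector relies on Azure Logic Apps to receive and push data to Log Analytics This might result in additional data ingestion costs.\n It's possible to test this without Logic Apps or NetClean Proactive see option 2",
+"instructions": [
+{
+"parameters": {
+"fillWith": [
+"WorkspaceId"
+],
+"label": "Workspace ID"
+},
+"type": "CopyableLabel"
+},
+{
+"parameters": {
+"fillWith": [
+"PrimaryKey"
+],
+"label": "Primary Key"
+},
+"type": "CopyableLabel"
+},
+{
+"title": " Option 1: deploy Logic app (requires NetClean Proactive)",
+"description": "1. Download and install the Logic app here:\n https://portal.azure.com/#create/netcleantechnologiesab1651557549734.netcleanlogicappnetcleanproactivelogicapp)\n2. Configure Send Data: \n2.1 Go to your newly created logic app \n In your Logic app designer, click +New Step and search for “Azure Log Analytics Data Collector” click it and select “Send Data” \n Enter the Custom Log Name: Netclean_Incidents and a dummy value in the Json request body and click save \n Go to code view on the top ribbon and scroll down to line ~100 it should start with \"Body\" \n replace the line entirly with: \n \"body\": \"{\\n\\\"Hostname\\\":\\\"@{variables('machineName')}\\\",\\n\\\"agentType\\\":\\\"@{triggerBody()['value']['agent']['type']}\\\",\\n\\\"Identifier\\\":\\\"@{triggerBody()?['key']?['identifier']}\\\",\\n\\\"type\\\":\\\"@{triggerBody()?['key']?['type']}\\\",\\n\\\"version\\\":\\\"@{triggerBody()?['value']?['incidentVersion']}\\\",\\n\\\"foundTime\\\":\\\"@{triggerBody()?['value']?['foundTime']}\\\",\\n\\\"detectionMethod\\\":\\\"@{triggerBody()?['value']?['detectionHashType']}\\\",\\n\\\"agentInformatonIdentifier\\\":\\\"@{triggerBody()?['value']?['device']?['identifier']}\\\",\\n\\\"osVersion\\\":\\\"@{triggerBody()?['value']?['device']?['operatingSystemVersion']}\\\",\\n\\\"machineName\\\":\\\"@{variables('machineName')}\\\",\\n\\\"microsoftCultureId\\\":\\\"@{triggerBody()?['value']?['device']?['microsoftCultureId']}\\\",\\n\\\"timeZoneId\\\":\\\"@{triggerBody()?['value']?['device']?['timeZoneName']}\\\",\\n\\\"microsoftGeoId\\\":\\\"@{triggerBody()?['value']?['device']?['microsoftGeoId']}\\\",\\n\\\"domainname\\\":\\\"@{variables('domain')}\\\",\\n\\\"Agentversion\\\":\\\"@{triggerBody()['value']['agent']['version']}\\\",\\n\\\"Agentidentifier\\\":\\\"@{triggerBody()['value']['identifier']}\\\",\\n\\\"loggedOnUsers\\\":\\\"@{variables('Usernames')}\\\",\\n\\\"size\\\":\\\"@{triggerBody()?['value']?['file']?['size']}\\\",\\n\\\"creationTime\\\":\\\"@{triggerBody()?['value']?['file']?['creationTime']}\\\",\\n\\\"lastAccessTime\\\":\\\"@{triggerBody()?['value']?['file']?['lastAccessTime']}\\\",\\n\\\"lastWriteTime\\\":\\\"@{triggerBody()?['value']?['file']?['lastModifiedTime']}\\\",\\n\\\"sha1\\\":\\\"@{triggerBody()?['value']?['file']?['calculatedHashes']?['sha1']}\\\",\\n\\\"nearbyFiles_sha1\\\":\\\"@{variables('nearbyFiles_sha1s')}\\\",\\n\\\"externalIP\\\":\\\"@{triggerBody()?['value']?['device']?['resolvedExternalIp']}\\\",\\n\\\"domain\\\":\\\"@{variables('domain')}\\\",\\n\\\"hasCollectedNearbyFiles\\\":\\\"@{variables('hasCollectedNearbyFiles')}\\\",\\n\\\"filePath\\\":\\\"@{replace(triggerBody()['value']['file']['path'], '\\\\', '\\\\\\\\')}\\\",\\n\\\"m365WebUrl\\\":\\\"@{triggerBody()?['value']?['file']?['microsoft365']?['webUrl']}\\\",\\n\\\"m365CreatedBymail\\\":\\\"@{triggerBody()?['value']?['file']?['createdBy']?['graphIdentity']?['user']?['mail']}\\\",\\n\\\"m365LastModifiedByMail\\\":\\\"@{triggerBody()?['value']?['file']?['lastModifiedBy']?['graphIdentity']?['user']?['mail']}\\\",\\n\\\"m365LibraryId\\\":\\\"@{triggerBody()?['value']?['file']?['microsoft365']?['library']?['id']}\\\",\\n\\\"m365LibraryDisplayName\\\":\\\"@{triggerBody()?['value']?['file']?['microsoft365']?['library']?['displayName']}\\\",\\n\\\"m365Librarytype\\\":\\\"@{triggerBody()?['value']?['file']?['microsoft365']?['library']?['type']}\\\",\\n\\\"m365siteid\\\":\\\"@{triggerBody()?['value']?['file']?['microsoft365']?['site']?['id']}\\\",\\n\\\"m365sitedisplayName\\\":\\\"@{triggerBody()?['value']?['file']?['microsoft365']?['site']?['displayName']}\\\",\\n\\\"m365sitename\\\":\\\"@{triggerBody()?['value']?['file']?['microsoft365']?['parent']?['name']}\\\",\\n\\\"countOfAllNearByFiles\\\":\\\"@{variables('countOfAllNearByFiles')}\\\",\\n\\n}\", \n click save \n3. Copy the HTTP POST URL\n4. Go to your NetClean ProActive web console, and go to settings, Under Webhook configure a new webhook using the URL copied from step 3 \n 5. Verify functionality by triggering a Demo Incident."
+},
+{
+"title": " Option 2 (Testing only)",
+"description": "Ingest data using a api function. please use the script found on\n https://learn.microsoft.com/en-us/azure/azure-monitor/logs/data-collector-api?tabs=powershell \nReplace the CustomerId and SharedKey values with your values\nReplace the content in $json variable to the sample data.\nSet the LogType varible to **Netclean_Incidents_CL**\nRun the script"
+}
+
+]
+}
+],
+"metadata": {
+"id": "d6a16a5e-19c0-4599-bbbc-04d6c38b00d4",
+"version": "1.0.0",
+"kind": "dataConnector",
+"source": {
+"kind": "solution",
+"name": "Netclean ProActive Incidents"
+},
+"author": {
+"name": "NetClean"
+},
+"support": {
+"tier": "developer",
+"name": "NetClean support",
+"email": "Support@netclean.com",
+"link":"www.netclean.com"
+}
+}
+}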
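Review bot: In the Option 1 step the Logic App `body` is a JSON document assembled by string interpolation (`\"Hostname\":\"@{variables('machineName')}\"`, `\"m365sitedisplayName\":\"@{...['site']?['displayName']}\"` and so on), and only `filePath` is run through a `replace` that doubles backslashes; any other field containing a double quote, backslash or newline — user names, library or site display names, web URLs — yields an invalid body, so the Send Data call fails or the record lands with reshaped fields, and from the ingest pipeline's point of view a scanned file's metadata is untrusted input. The instructions should have the user build the payload as an object (a Compose action or `json(...)`) and hand that to Send Data so Logic Apps serializes and escapes every value itself; while editing that description, the stray `)` after the portal URL and the typos `entirly` and `varible` can go too. `requiredPermissions` on the workspace asks for `"delete": true` although the display text says only read and write are required and the connector only pushes data, so dropping the `delete` entry keeps the prompt to least privilege. `"link":"www.netclean.com"` has no scheme; `"link": "https://www.netclean.com"` makes it a usable URL.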
Двоичные данные
Solutions/NetClean ProActive/Workbooks/Images/NetCleanProActiveBlack1.png
Normal file
Двоичные данные
Solutions/NetClean ProActive/Workbooks/Images/NetCleanProActiveBlack2.png
Normal file
Двоичные данные
Solutions/NetClean ProActive/Workbooks/Images/NetCleanProActiveWhite1.png.png
Normal file
Двоичные данные
Solutions/NetClean ProActive/Workbooks/Images/NetCleanProActiveWhite2.png
Normal file
@ -0,0 +1,619 @@
|
||||||
|
{
|
||||||
|
"version": "Notebook/1.0",
|
||||||
|
"items": [
|
||||||
|
{
|
||||||
|
"type": 12,
|
||||||
|
"content": {
|
||||||
|
"version": "NotebookGroup/1.0",
|
||||||
|
"groupType": "editable",
|
||||||
|
"items": [
|
||||||
|
{
|
||||||
|
"type": 1,
|
||||||
|
"content": {
|
||||||
|
"json": "## NetClean Overview last 30 Days\nShows only original incident, please specify the incident you would like to view to include near by files\n"
|
||||||
|
},
|
||||||
|
"name": "text - 2"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"type": 3,
|
||||||
|
"content": {
|
||||||
|
"version": "KqlItem/1.0",
|
||||||
|
"query": "Netclean_Incidents_CL | where version_s == 1 |summarize Count=count() by Type, type_s\n",
|
||||||
|
"size": 1,
|
||||||
|
"queryType": 0,
|
||||||
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||||
|
"visualization": "categoricalbar",
|
||||||
|
"chartSettings": {
|
||||||
|
"xAxis": "type_s",
|
||||||
|
"yAxis": [
|
||||||
|
"Count"
|
||||||
|
]
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"name": "query - 2"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"type": 3,
|
||||||
|
"content": {
|
||||||
|
"version": "KqlItem/1.0",
|
||||||
|
"query": "Netclean_Incidents_CL | where version_s == 1 |summarize Count=count() by sha1_s",
|
||||||
|
"size": 4,
|
||||||
|
"title": "SHA1",
|
||||||
|
"timeContext": {
|
||||||
|
"durationMs": 2592000000
|
||||||
|
},
|
||||||
|
"queryType": 0,
|
||||||
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||||
|
"visualization": "piechart"
|
||||||
|
},
|
||||||
|
"name": "SHA1",
|
||||||
|
"styleSettings": {
|
||||||
|
"showBorder": true
|
||||||
|
}
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"type": 3,
|
||||||
|
"content": {
|
||||||
|
"version": "KqlItem/1.0",
|
||||||
|
"query": "Netclean_Incidents_CL | where version_s == 1 |summarize Count=count() by agentType_s",
|
||||||
|
"size": 4,
|
||||||
|
"title": "Agent Type",
|
||||||
|
"timeContext": {
|
||||||
|
"durationMs": 2592000000
|
||||||
|
},
|
||||||
|
"queryType": 0,
|
||||||
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||||
|
"visualization": "piechart"
|
||||||
|
},
|
||||||
|
"name": "Agent Type"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"type": 3,
|
||||||
|
"content": {
|
||||||
|
"version": "KqlItem/1.0",
|
||||||
|
"query": "Netclean_Incidents_CL | where version_s == 1 |summarize Count=count() by Hostname_s",
|
||||||
|
"size": 4,
|
||||||
|
"title": "Hostname",
|
||||||
|
"timeContext": {
|
||||||
|
"durationMs": 2592000000
|
||||||
|
},
|
||||||
|
"queryType": 0,
|
||||||
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||||
|
"visualization": "piechart"
|
||||||
|
},
|
||||||
|
"name": "Hostname"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"type": 3,
|
||||||
|
"content": {
|
||||||
|
"version": "KqlItem/1.0",
|
||||||
|
"query": "Netclean_Incidents_CL | where version_s == 1 | distinct Identifier_g, TimeGenerated, agentType_s | sort by TimeGenerated desc | project-rename Incident_Identifier=Identifier_g, TimeGenerated, Agent_Type=agentType_s ",
|
||||||
|
"size": 0,
|
||||||
|
"title": "List of incidents ",
|
||||||
|
"timeContext": {
|
||||||
|
"durationMs": 2592000000
|
||||||
|
},
|
||||||
|
"queryType": 0,
|
||||||
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||||
|
"sortBy": []
|
||||||
|
},
|
||||||
|
"name": "List of incidents "
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"type": 3,
|
||||||
|
"content": {
|
||||||
|
"version": "KqlItem/1.0",
|
||||||
|
"query": "Netclean_Incidents_CL | where version_s == 1 | sort by TimeGenerated asc\n| summarize Count=count() by format_datetime (TimeGenerated,'yy-MM-dd '), Identifier_g\n",
|
||||||
|
"size": 0,
|
||||||
|
"timeContext": {
|
||||||
|
"durationMs": 2592000000
|
||||||
|
},
|
||||||
|
"queryType": 0,
|
||||||
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||||
|
"visualization": "barchart",
|
||||||
|
"tileSettings": {
|
||||||
|
"showBorder": false,
|
||||||
|
"titleContent": {
|
||||||
|
"columnMatch": "Week",
|
||||||
|
"formatter": 1
|
||||||
|
},
|
||||||
|
"leftContent": {
|
||||||
|
"columnMatch": "count_",
|
||||||
|
"formatter": 12,
|
||||||
|
"formatOptions": {
|
||||||
|
"palette": "auto"
|
||||||
|
},
|
||||||
|
"numberFormat": {
|
||||||
|
"unit": 17,
|
||||||
|
"options": {
|
||||||
|
"maximumSignificantDigits": 3,
|
||||||
|
"maximumFractionDigits": 2
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"graphSettings": {
|
||||||
|
"type": 0
|
||||||
|
},
|
||||||
|
"chartSettings": {
|
||||||
|
"xAxis": "TimeGenerated",
|
||||||
|
"yAxis": [
|
||||||
|
"Count"
|
||||||
|
],
|
||||||
|
"xSettings": {
|
||||||
|
"numberFormatSettings": {
|
||||||
|
"unit": 0,
|
||||||
|
"options": {
|
||||||
|
"style": "decimal",
|
||||||
|
"useGrouping": false
|
||||||
|
},
|
||||||
|
"missingSparkDataOption": "Zero"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"ySettings": {
|
||||||
|
"numberFormatSettings": {
|
||||||
|
"unit": 0,
|
||||||
|
"options": {
|
||||||
|
"style": "decimal",
|
||||||
|
"useGrouping": true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"mapSettings": {
|
||||||
|
"locInfo": "LatLong",
|
||||||
|
"sizeSettings": "count_",
|
||||||
|
"sizeAggregation": "Sum",
|
||||||
|
"legendMetric": "count_",
|
||||||
|
"legendAggregation": "Sum",
|
||||||
|
"itemColorSettings": {
|
||||||
|
"type": "heatmap",
|
||||||
|
"colorAggregation": "Sum",
|
||||||
|
"nodeColorField": "count_",
|
||||||
|
"heatmapPalette": "greenRed"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"name": "query - 4"
|
||||||
|
}
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"name": "NetClean Oerview"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"type": 12,
|
||||||
|
"content": {
|
||||||
|
"version": "NotebookGroup/1.0",
|
||||||
|
"groupType": "editable",
|
||||||
|
"items": [
|
||||||
|
{
|
||||||
|
"type": 1,
|
||||||
|
"content": {
|
||||||
|
"json": "## NetClean Incident"
|
||||||
|
},
|
||||||
|
"name": "text - 4"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"type": 9,
|
||||||
|
"content": {
|
||||||
|
"version": "KqlParameterItem/1.0",
|
||||||
|
"parameters": [
|
||||||
|
{
|
||||||
|
"id": "1e3b2c62-399e-43e6-a643-8a7484ac5c91",
|
||||||
|
"version": "KqlParameterItem/1.0",
|
||||||
|
"name": "incident",
|
||||||
|
"type": 2,
|
||||||
|
"query": "Netclean_Incidents_CL |where version_s == 1 | sort by TimeGenerated desc | project Identifier_g ",
|
||||||
|
"typeSettings": {
|
||||||
|
"additionalResourceOptions": [],
|
||||||
|
"showDefault": false
|
||||||
|
},
|
||||||
|
"timeContext": {
|
||||||
|
"durationMs": 2592000000
|
||||||
|
},
|
||||||
|
"queryType": 0,
|
||||||
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||||
|
"value": "ebcd8124-27b4-416c-8ca7-45011691b9dc"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"id": "a3554367-06f8-4027-8134-07af2b82675b",
|
||||||
|
"version": "KqlParameterItem/1.0",
|
||||||
|
"name": "agentType",
|
||||||
|
"type": 2,
|
||||||
|
"isRequired": true,
|
||||||
|
"query": "Netclean_Incidents_CL | where Identifier_g == \"{incident}\" | distinct agentType_s",
|
||||||
|
"typeSettings": {
|
||||||
|
"additionalResourceOptions": [
|
||||||
|
"value::1"
|
||||||
|
],
|
||||||
|
"showDefault": false
|
||||||
|
},
|
||||||
|
"defaultValue": "value::1",
|
||||||
|
"queryType": 0,
|
||||||
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"style": "pills",
|
||||||
|
"queryType": 0,
|
||||||
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
||||||
|
},
|
||||||
|
"name": "parameters - 2"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"type": 3,
|
||||||
|
"content": {
|
||||||
|
"version": "KqlItem/1.0",
|
||||||
|
"query": "Netclean_Incidents_CL | where Identifier_g == \"{incident}\" | top 1 by TimeGenerated | project sha1_s",
|
||||||
|
"size": 4,
|
||||||
|
"title": "SHA1",
|
||||||
|
"timeContext": {
|
||||||
|
"durationMs": 2592000000
|
||||||
|
},
|
||||||
|
"queryType": 0,
|
||||||
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||||
|
"visualization": "card",
|
||||||
|
"textSettings": {
|
||||||
|
"style": "bignumber"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"name": "SHA1"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"type": 3,
|
||||||
|
"content": {
|
||||||
|
"version": "KqlItem/1.0",
|
||||||
|
"query": "Netclean_Incidents_CL | where Identifier_g == \"{incident}\" | top 1 by TimeGenerated | project filePath_s",
|
||||||
|
"size": 4,
|
||||||
|
"title": "File Path",
|
||||||
|
"timeContext": {
|
||||||
|
"durationMs": 2592000000
|
||||||
|
},
|
||||||
|
"queryType": 0,
|
||||||
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||||
|
"visualization": "card",
|
||||||
|
"textSettings": {
|
||||||
|
"style": "bignumber"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"name": "File Path"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"type": 3,
|
||||||
|
"content": {
|
||||||
|
"version": "KqlItem/1.0",
|
||||||
|
"query": "Netclean_Incidents_CL | where Identifier_g == \"{incident}\" |summarize Count=count()",
|
||||||
|
"size": 4,
|
||||||
|
"title": "Number of log entrys for specified incident",
|
||||||
|
"timeContext": {
|
||||||
|
"durationMs": 2592000000
|
||||||
|
},
|
||||||
|
"queryType": 0,
|
||||||
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||||
|
"visualization": "tiles",
|
||||||
|
"tileSettings": {
|
||||||
|
"titleContent": {
|
||||||
|
"columnMatch": "Count",
|
||||||
|
"formatter": 12,
|
||||||
|
"formatOptions": {
|
||||||
|
"min": 1,
|
||||||
|
"palette": "purpleDark"
|
||||||
|
},
|
||||||
|
"tooltipFormat": {
|
||||||
|
"tooltip": "Number of log entrys for specified incident"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"showBorder": false
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"customWidth": "20",
|
||||||
|
"name": "Number of log entrys for specified incident"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"type": 3,
|
||||||
|
"content": {
|
||||||
|
"version": "KqlItem/1.0",
|
||||||
|
"query": "Netclean_Incidents_CL | where Identifier_g == \"{incident}\" | top 1 by TimeGenerated | project hasCollectedNearbyFiles_s",
|
||||||
|
"size": 4,
|
||||||
|
"title": "Has Collected Nearby Files",
|
||||||
|
"timeContext": {
|
||||||
|
"durationMs": 2592000000
|
||||||
|
},
|
||||||
|
"queryType": 0,
|
||||||
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||||
|
"visualization": "tiles",
|
||||||
|
"tileSettings": {
|
||||||
|
"titleContent": {
|
||||||
|
"columnMatch": "hasCollectedNearbyFiles_s",
|
||||||
|
"formatter": 1,
|
||||||
|
"numberFormat": {
|
||||||
|
"unit": 0,
|
||||||
|
"options": {
|
||||||
|
"style": "decimal"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"showBorder": false,
|
||||||
|
"size": "auto"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"customWidth": "20",
|
||||||
|
"name": "hasCollectedNearbyFiles"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"type": 3,
|
||||||
|
"content": {
|
||||||
|
"version": "KqlItem/1.0",
|
||||||
|
"query": "Netclean_Incidents_CL | where Identifier_g == \"{incident}\" | top 1 by TimeGenerated | project domain_s",
|
||||||
|
"size": 4,
|
||||||
|
"title": "Domain",
|
||||||
|
"timeContext": {
|
||||||
|
"durationMs": 2592000000
|
||||||
|
},
|
||||||
|
"queryType": 0,
|
||||||
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||||
|
"visualization": "tiles",
|
||||||
|
"tileSettings": {
|
||||||
|
"titleContent": {
|
||||||
|
"columnMatch": "domain_s",
|
||||||
|
"formatter": 1,
|
||||||
|
"numberFormat": {
|
||||||
|
"unit": 0,
|
||||||
|
"options": {
|
||||||
|
"style": "decimal"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"showBorder": false,
|
||||||
|
"size": "auto"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"customWidth": "20",
|
||||||
|
"name": "domain"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"type": 3,
|
||||||
|
"content": {
|
||||||
|
"version": "KqlItem/1.0",
|
||||||
|
"query": "Netclean_Incidents_CL | where Identifier_g == \"{incident}\" | top 1 by TimeGenerated | project countOfAllNearByFiles_s\n\n\n\n\n",
|
||||||
|
"size": 4,
|
||||||
|
"title": "Number of nearby files",
|
||||||
|
"noDataMessage": "0",
|
||||||
|
"timeContext": {
|
||||||
|
"durationMs": 2592000000
|
||||||
|
},
|
||||||
|
"queryType": 0,
|
||||||
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||||
|
"visualization": "tiles",
|
||||||
|
"sortBy": [],
|
||||||
|
"tileSettings": {
|
||||||
|
"titleContent": {
|
||||||
|
"columnMatch": "countOfAllNearByFiles_s",
|
||||||
|
"formatter": 1,
|
||||||
|
"numberFormat": {
|
||||||
|
"unit": 17,
|
||||||
|
"options": {
|
||||||
|
"style": "decimal"
|
||||||
|
},
|
||||||
|
"emptyValCustomText": "0"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"showBorder": true,
|
||||||
|
"size": "auto"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"customWidth": "20",
|
||||||
|
"name": "Number of nearby files"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"type": 3,
|
||||||
|
"content": {
|
||||||
|
"version": "KqlItem/1.0",
|
||||||
|
"query": "Netclean_Incidents_CL | where Identifier_g == \"{incident}\" | where hasCollectedNearbyFiles_s == true | top 1 by countof(nearbyFiles_sha1_s, \",\") | project countof(nearbyFiles_sha1_s, \",\")\n\n\n\n\n",
|
||||||
|
"size": 4,
|
||||||
|
"title": "Number of nearby files with match",
|
||||||
|
"noDataMessage": "0",
|
||||||
|
"timeContext": {
|
||||||
|
"durationMs": 2592000000
|
||||||
|
},
|
||||||
|
"queryType": 0,
|
||||||
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||||
|
"visualization": "tiles",
|
||||||
|
"sortBy": [],
|
||||||
|
"tileSettings": {
|
||||||
|
"titleContent": {
|
||||||
|
"columnMatch": "Column1",
|
||||||
|
"formatter": 12,
|
||||||
|
"formatOptions": {
|
||||||
|
"palette": "orange"
|
||||||
|
},
|
||||||
|
"numberFormat": {
|
||||||
|
"unit": 17,
|
||||||
|
"options": {
|
||||||
|
"style": "decimal"
|
||||||
|
},
|
||||||
|
"emptyValCustomText": "0"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"showBorder": true,
|
||||||
|
"size": "auto"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"customWidth": "20",
|
||||||
|
"name": "Number of nearby files with match"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"type": 3,
|
||||||
|
"content": {
|
||||||
|
"version": "KqlItem/1.0",
|
||||||
|
"query": "Netclean_Incidents_CL | where Identifier_g == \"{incident}\" | top 1 by TimeGenerated | project Hostname_s, osVersion_s, hasCollectedNearbyFiles_s, externalIP_s\n\n\n\n",
|
||||||
|
"size": 4,
|
||||||
|
"title": "Hostname",
|
||||||
|
"timeContext": {
|
||||||
|
"durationMs": 2592000000
|
||||||
|
},
|
||||||
|
"queryType": 0,
|
||||||
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||||
|
"visualization": "table",
|
||||||
|
"gridSettings": {
|
||||||
|
"sortBy": [
|
||||||
|
{
|
||||||
|
"itemKey": "hasCollectedNearbyFiles_s",
|
||||||
|
"sortOrder": 1
|
||||||
|
}
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"sortBy": [
|
||||||
|
{
|
||||||
|
"itemKey": "hasCollectedNearbyFiles_s",
|
||||||
|
"sortOrder": 1
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"tileSettings": {
|
||||||
|
"titleContent": {
|
||||||
|
"columnMatch": "Hostname_s",
|
||||||
|
"formatter": 1,
|
||||||
|
"numberFormat": {
|
||||||
|
"unit": 0,
|
||||||
|
"options": {
|
||||||
|
"style": "decimal"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"showBorder": false,
|
||||||
|
"sortCriteriaField": "hasCollectedNearbyFiles_s",
|
||||||
|
"sortOrderField": 1,
|
||||||
|
"size": "auto"
|
||||||
|
},
|
||||||
|
"textSettings": {
|
||||||
|
"style": "header"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"conditionalVisibility": {
|
||||||
|
"parameterName": "agentType",
|
||||||
|
"comparison": "isEqualTo",
|
||||||
|
"value": "computer"
|
||||||
|
},
|
||||||
|
"name": "Hostname"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"type": 3,
|
||||||
|
"content": {
|
||||||
|
"version": "KqlItem/1.0",
|
||||||
|
"query": "Netclean_Incidents_CL | where Identifier_g == \"{incident}\" | top 1 by TimeGenerated | mvexpand LoggedOnUsers=split(loggedOnUsers_s, '|') to typeof(string) | project LoggedOnUsers\n ",
|
||||||
|
"size": 0,
|
||||||
|
"title": "All Logged On Users",
|
||||||
|
"timeContext": {
|
||||||
|
"durationMs": 2592000000
|
||||||
|
},
|
||||||
|
"queryType": 0,
|
||||||
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||||
|
"visualization": "table",
|
||||||
|
"tileSettings": {
|
||||||
|
"titleContent": {
|
||||||
|
"columnMatch": "loggedOnUsers_s",
|
||||||
|
"formatter": 1
|
||||||
|
},
|
||||||
|
"showBorder": true,
|
||||||
|
"size": "auto"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"conditionalVisibility": {
|
||||||
|
"parameterName": "agentType",
|
||||||
|
"comparison": "isEqualTo",
|
||||||
|
"value": "computer"
|
||||||
|
},
|
||||||
|
"name": "LoggedOnUsers"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"type": 3,
|
||||||
|
"content": {
|
||||||
|
"version": "KqlItem/1.0",
|
||||||
|
"query": "Netclean_Incidents_CL | where Identifier_g == \"{incident}\" | top 1 by TimeGenerated | mvexpand LoggedOnUser=split(loggedOnUsers_s, '|') to typeof(string) | where LoggedOnUser hassuffix Hostname_s or LoggedOnUser endswith domain_s | where LoggedOnUser !contains \"WORKGROUP\" |distinct LoggedOnUser",
|
||||||
|
"size": 4,
|
||||||
|
"title": "Users where domain matches hostname or domainname",
|
||||||
|
"timeContext": {
|
||||||
|
"durationMs": 2592000000
|
||||||
|
},
|
||||||
|
"queryType": 0,
|
||||||
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
||||||
|
},
|
||||||
|
"conditionalVisibility": {
|
||||||
|
"parameterName": "agentType",
|
||||||
|
"comparison": "isEqualTo",
|
||||||
|
"value": "computer"
|
||||||
|
},
|
||||||
|
"name": "user"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"type": 3,
|
||||||
|
"content": {
|
||||||
|
"version": "KqlItem/1.0",
|
||||||
|
"query": "Netclean_Incidents_CL | where Identifier_g == \"{incident}\" | top 1 by TimeGenerated\n| project format_datetime (creationTime_t,'yyyy-MM-dd HH:mm:ss'), format_datetime (lastAccessTime_t,'yyyy-MM-dd HH:mm:ss'), format_datetime (lastWriteTime_t,'yyyy-MM-dd HH:mm:ss'), format_datetime (TimeGenerated,'yyyy-MM-dd HH:mm:ss'), format_datetime (foundTime_t,'yyyy-MM-dd HH:mm:ss') ",
|
||||||
|
"size": 4,
|
||||||
|
"timeContext": {
|
||||||
|
"durationMs": 2592000000
|
||||||
|
},
|
||||||
|
"queryType": 0,
|
||||||
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||||
|
"visualization": "table",
|
||||||
|
"tileSettings": {
|
||||||
|
"titleContent": {
|
||||||
|
"columnMatch": "creationTime_t",
|
||||||
|
"numberFormat": {
|
||||||
|
"unit": 27,
|
||||||
|
"options": {
|
||||||
|
"style": "decimal"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"showBorder": true,
|
||||||
|
"size": "auto"
|
||||||
|
},
|
||||||
|
"graphSettings": {
|
||||||
|
"type": 0,
|
||||||
|
"topContent": {},
|
||||||
|
"nodeIdField": "foundTime_t",
|
||||||
|
"sourceIdField": "foundTime_t",
|
||||||
|
"targetIdField": "foundTime_t",
|
||||||
|
"graphOrientation": 3,
|
||||||
|
"showOrientationToggles": false,
|
||||||
|
"nodeSize": null,
|
||||||
|
"staticNodeSize": 100,
|
||||||
|
"colorSettings": null,
|
||||||
|
"hivesMargin": 5
|
||||||
|
},
|
||||||
|
"mapSettings": {
|
||||||
|
"locInfo": "LatLong"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"name": "query - 3"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"type": 3,
|
||||||
|
"content": {
|
||||||
|
"version": "KqlItem/1.0",
|
||||||
|
"query": "Netclean_Incidents_CL | where Identifier_g == \"{incident}\" | top 1 by TimeGenerated | project m365LibraryDisplayName_s,m365Librarytype_s, m365WebUrl_s, m365LibraryId_s, m365siteid_s, m365CreatedBymail_s, m365LastModifiedByMail_s, m365sitedisplayName_s, m365sitename_s\n\n",
|
||||||
|
"size": 4,
|
||||||
|
"title": "Cloud Agent ",
|
||||||
|
"timeContext": {
|
||||||
|
"durationMs": 2592000000
|
||||||
|
},
|
||||||
|
"queryType": 0,
|
||||||
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||||
|
"visualization": "table"
|
||||||
|
},
|
||||||
|
"conditionalVisibility": {
|
||||||
|
"parameterName": "agentType",
|
||||||
|
"comparison": "isEqualTo",
|
||||||
|
"value": "microsoft365"
|
||||||
|
},
|
||||||
|
"name": "Cloud Agent "
|
||||||
|
}
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"name": "group - 5"
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"fromTemplateId": "sentinel-NetCleanProActiveWorkbook",
|
||||||
|
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
|
||||||
|
}
|