Changed to gallery templates and added AWS workbooks
Родитель
5d9be1a2a2
Коммит
70e4a80f48
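--- /dev/null
+++ b/sentinel-AWSNetworkActivities.json
@@ -0,0 +1,435 @@
+{
+"version": "Notebook/1.0",
+"items": [
+{
+"type": 1,
+"content": {
+"json": "## AWS network activities"
+},
+"name": "text - 0"
+},
+{
+"type": 9,
+"content": {
+"version": "KqlParameterItem/1.0",
+"query": "",
+"crossComponentResources": [],
+"parameters": [
+{
+"id": "b9e68383-3369-42fc-b7e7-506fd187832d",
+"version": "KqlParameterItem/1.0",
+"name": "TimeRange",
+"type": 4,
+"isRequired": true,
+"value": {
+"durationMs": 1209600000
+},
+"typeSettings": {
+"selectableValues": [
+{
+"durationMs": 300000
+},
+{
+"durationMs": 900000
+},
+{
+"durationMs": 1800000
+},
+{
+"durationMs": 3600000
+},
+{
+"durationMs": 14400000
+},
+{
+"durationMs": 43200000
+},
+{
+"durationMs": 86400000
+},
+{
+"durationMs": 172800000
+},
+{
+"durationMs": 259200000
+},
+{
+"durationMs": 604800000
+},
+{
+"durationMs": 1209600000
+},
+{
+"durationMs": 2419200000
+},
+{
+"durationMs": 2592000000
+},
+{
+"durationMs": 5184000000
+},
+{
+"durationMs": 7776000000
+}
+],
+"allowCustom": true
+}
+}
+],
+"style": "pills",
+"queryType": 0,
+"resourceType": "microsoft.operationalinsights/workspaces"
+},
+"name": "parameters - 1"
+},
+{
+"type": 3,
+"content": {
+"version": "KqlItem/1.0",
+"query": "let data = AWSCloudTrail;\r\ndata\r\n| summarize Count = count() by AWSRegion\r\n| join kind = fullouter (datatable(AWSRegion:string)['OneDrive', 'SharePoint']) on AWSRegion\r\n| project AWSRegion = iff(AWSRegion == '', AWSRegion1, AWSRegion), Count = iff(AWSRegion == '', 0, Count)\r\n| join kind = inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by AWSRegion)\r\n on AWSRegion\r\n| project-away AWSRegion1, TimeGenerated\r\n| extend AWSRegion = AWSRegion\r\n| union (\r\n data \r\n | summarize Count = count() \r\n | extend jkey = 1\r\n | join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\r\n | extend jkey = 1) on jkey\r\n | extend AWSRegion = 'All', AWSRegions = '*' \r\n)\r\n| order by Count desc\r\n| take 10\r\n",
+"size": 4,
+"exportFieldName": "AWSRegion",
+"exportParameterName": "AWSRegion",
+"exportDefaultValue": "All",
+"exportToExcelOptions": "visible",
+"title": "Top 10 active regions - click to filter",
+"timeContext": {
+"durationMs": 0
+},
+"timeContextFromParameter": "TimeRange",
+"queryType": 0,
+"resourceType": "microsoft.operationalinsights/workspaces",
+"visualization": "tiles",
+"tileSettings": {
+"titleContent": {
+"columnMatch": "AWSRegion",
+"formatter": 1,
+"formatOptions": {
+"showIcon": true
+}
+},
+"leftContent": {
+"columnMatch": "Count",
+"formatter": 12,
+"formatOptions": {
+"palette": "auto",
+"showIcon": true
+},
+"numberFormat": {
+"unit": 17,
+"options": {
+"maximumSignificantDigits": 3,
+"maximumFractionDigits": 2
+}
+}
+},
+"secondaryContent": {
+"columnMatch": "Trend",
+"formatter": 9,
+"formatOptions": {
+"min": 0,
+"palette": "blue",
+"showIcon": true
+}
+},
+"showBorder": false
+}
+},
+"name": "query - 2"
+},
+{
+"type": 3,
+"content": {
+"version": "KqlItem/1.0",
+"query": "AWSCloudTrail\r\n//| where EventSource == \"ec2.amazonaws.com\" and (EventName startswith \"create\" or EventName startswith \"replace\" or EventName startswith \"delete\" or EventName startswith \"authorize\" or EventName startswith \"revoke\") and (EventName !contains \"Volume\" and EventName !contains \"KeyPair\" and EventName !contains \"Tags\" and EventName !contains \"Image\" and EventName !contains \"LaunchTemplate\")\r\n| where AWSRegion == '{AWSRegion}' or '{AWSRegion}' == \"All\"\r\n| summarize count() by AWSRegion, bin(TimeGenerated, {TimeRange:grain})",
+"size": 0,
+"exportToExcelOptions": "visible",
+"title": "Network events, by region",
+"timeContext": {
+"durationMs": 0
+},
+"timeContextFromParameter": "TimeRange",
+"queryType": 0,
+"resourceType": "microsoft.operationalinsights/workspaces",
+"visualization": "barchart"
+},
+"customWidth": "50",
+"name": "query - 3"
+},
+{
+"type": 3,
+"content": {
+"version": "KqlItem/1.0",
+"query": "AWSCloudTrail\r\n//| where EventSource == \"ec2.amazonaws.com\" and (EventName startswith \"create\" or EventName startswith \"replace\" or EventName startswith \"delete\" or EventName startswith \"authorize\" or EventName startswith \"revoke\") and (EventName !contains \"Volume\" and EventName !contains \"KeyPair\" and EventName !contains \"Tags\" and EventName !contains \"Image\" and EventName !contains \"LaunchTemplate\")\r\n| where AWSRegion == '{AWSRegion}' or '{AWSRegion}' == \"All\"\r\n| summarize count() by EventName, bin(TimeGenerated, {TimeRange:grain})",
+"size": 0,
+"exportToExcelOptions": "visible",
+"title": "Network event types",
+"timeContext": {
+"durationMs": 0
+},
+"timeContextFromParameter": "TimeRange",
+"queryType": 0,
+"resourceType": "microsoft.operationalinsights/workspaces",
+"visualization": "areachart"
+},
+"customWidth": "50",
+"name": "query - 4"
+},
+{
+"type": 1,
+"content": {
+"json": "---\r\n### Security group and network ACL change events"
+},
+"name": "text - 6"
+},
+{
+"type": 3,
+"content": {
+"version": "KqlItem/1.0",
+"query": "AWSCloudTrail\r\n| where EventSource == \"ec2.amazonaws.com\" and (EventName == \"AuthorizeSecurityGroupEgress\" or EventName == \"AuthorizeSecurityGroupIngress\" or EventName == \"CreateSecurityGroup\" or EventName == \"RevokeSecurityGroupEgress\" or EventName == \"RevokeSecurityGroupIngress\" or EventName == \"DeleteSecurityGroup\" or EventName == \"ReplaceNetworkAclEntry\" or EventName == \"CreateNetworkAcl\" or EventName == \"DeleteNetworkAcl\")\r\n| summarize Count = count() by EventName, UserIdentityArn, AWSRegion, EventTypeName, SessionIssuerType, EventSource, SourceIpAddress\r\n| project-rename TotalChanges = Count\r\n| order by TotalChanges desc\r\n",
+"size": 0,
+"exportFieldName": "EventName",
+"exportParameterName": "EventName",
+"exportDefaultValue": "All",
+"exportToExcelOptions": "visible",
+"title": "Click to filter by event name",
+"timeContext": {
+"durationMs": 0
+},
+"timeContextFromParameter": "TimeRange",
+"queryType": 0,
+"resourceType": "microsoft.operationalinsights/workspaces",
+"gridSettings": {
+"formatters": [
+{
+"columnMatch": "EventName",
+"formatter": 7,
+"formatOptions": {
+"linkTarget": "GenericDetails",
+"linkIsContextBlade": true,
+"showIcon": true
+}
+},
+{
+"columnMatch": "UserIdentityArn",
+"formatter": 0,
+"formatOptions": {
+"showIcon": true,
+"aggregation": "Unique"
+}
+},
+{
+"columnMatch": "AWSRegion",
+"formatter": 5,
+"formatOptions": {
+"showIcon": true
+}
+},
+{
+"columnMatch": "EventTypeName",
+"formatter": 5,
+"formatOptions": {
+"showIcon": true
+}
+},
+{
+"columnMatch": "SessionIssuerType",
+"formatter": 5,
+"formatOptions": {
+"showIcon": true
+}
+},
+{
+"columnMatch": "EventSource",
+"formatter": 5,
+"formatOptions": {
+"showIcon": true
+}
+},
+{
+"columnMatch": "SourceIpAddress",
+"formatter": 5,
+"formatOptions": {
+"showIcon": true
+}
+},
+{
+"columnMatch": "TotalChanges",
+"formatter": 4,
+"formatOptions": {
+"min": 0,
+"palette": "purple",
+"showIcon": true
+}
+}
+],
+"filter": true,
+"labelSettings": []
+}
+},
+"customWidth": "50",
+"name": "query - 5"
+},
+{
+"type": 3,
+"content": {
+"version": "KqlItem/1.0",
+"query": "AWSCloudTrail\r\n| where EventSource == \"ec2.amazonaws.com\" and (EventName == \"AuthorizeSecurityGroupEgress\" or EventName == \"AuthorizeSecurityGroupIngress\" or EventName == \"CreateSecurityGroup\" or EventName == \"RevokeSecurityGroupEgress\" or EventName == \"RevokeSecurityGroupIngress\" or EventName == \"DeleteSecurityGroup\" or EventName == \"ReplaceNetworkAclEntry\" or EventName == \"CreateNetworkAcl\" or EventName == \"DeleteNetworkAcl\")\r\n| where EventName == '{EventName}' or '{EventName}' == \"All\"\r\n| summarize count() by bin(TimeGenerated, {TimeRange:grain}), EventName\r\n| project-rename TotalChanges = count_\r\n",
+"size": 0,
+"exportToExcelOptions": "visible",
+"title": "Network ACL events over time",
+"timeContext": {
+"durationMs": 0
+},
+"timeContextFromParameter": "TimeRange",
+"queryType": 0,
+"resourceType": "microsoft.operationalinsights/workspaces",
+"visualization": "barchart"
+},
+"customWidth": "50",
+"name": "query - 7"
+},
+{
+"type": 1,
+"content": {
+"json": "---\r\n### Create and Delete network events"
+},
+"name": "text - 8"
+},
+{
+"type": 3,
+"content": {
+"version": "KqlItem/1.0",
+"query": "AWSCloudTrail\r\n| where EventSource == \"ec2.amazonaws.com\" and (EventName startswith \"create\" or EventName startswith \"delete\") and (EventName !contains \"Volume\" and EventName !contains \"KeyPair\" and EventName !contains \"Tags\" and EventName !contains \"Image\" and EventName !contains \"LaunchTemplate\")\r\n| summarize count() by EventName, UserIdentityArn, AWSRegion, EventTypeName, SessionIssuerType, EventSource, SourceIpAddress\r\n| project-rename TotalChanges = count_ \r\n| order by TotalChanges desc\r\n\r\n",
+"size": 0,
+"exportFieldName": "EventName",
+"exportParameterName": "EventName",
+"exportDefaultValue": "All",
+"exportToExcelOptions": "visible",
+"title": "Click to filter by event name",
+"timeContext": {
+"durationMs": 0
+},
+"timeContextFromParameter": "TimeRange",
+"queryType": 0,
+"resourceType": "microsoft.operationalinsights/workspaces",
+"gridSettings": {
+"formatters": [
+{
+"columnMatch": "EventName",
+"formatter": 7,
+"formatOptions": {
+"linkTarget": "GenericDetails",
+"linkIsContextBlade": true,
+"showIcon": true
+}
+},
+{
+"columnMatch": "UserIdentityArn",
+"formatter": 0,
+"formatOptions": {
+"showIcon": true
+}
+},
+{
+"columnMatch": "AWSRegion",
+"formatter": 5,
+"formatOptions": {
+"showIcon": true
+}
+},
+{
+"columnMatch": "EventTypeName",
+"formatter": 5,
+"formatOptions": {
+"showIcon": true
+}
+},
+{
+"columnMatch": "SessionIssuerType",
+"formatter": 5,
+"formatOptions": {
+"showIcon": true
+}
+},
+{
+"columnMatch": "EventSource",
+"formatter": 5,
+"formatOptions": {
+"showIcon": true
+}
+},
+{
+"columnMatch": "SourceIpAddress",
+"formatter": 5,
+"formatOptions": {
+"showIcon": true
+}
+},
+{
+"columnMatch": "TotalChanges",
+"formatter": 4,
+"formatOptions": {
+"min": 0,
+"palette": "blueDark",
+"showIcon": true
+}
+}
+],
+"labelSettings": []
+}
+},
+"customWidth": "50",
+"name": "query - 9"
+},
+{
+"type": 3,
+"content": {
+"version": "KqlItem/1.0",
+"query": "AWSCloudTrail\r\n| where EventSource == \"ec2.amazonaws.com\" and (EventName startswith \"create\" or EventName startswith \"delete\") and (EventName !contains \"Volume\" and EventName !contains \"KeyPair\" and EventName !contains \"Tags\" and EventName !contains \"Image\" and EventName !contains \"LaunchTemplate\")\r\n| where EventName == '{EventName}' or '{EventName}' == \"All\"\r\n| summarize count() by bin(TimeGenerated, {TimeRange:grain}), EventName\r\n| project-rename TotalChanges = count_\r\n",
+"size": 0,
+"exportToExcelOptions": "visible",
+"title": "Create and Delete network events over time",
+"timeContext": {
+"durationMs": 0
+},
+"timeContextFromParameter": "TimeRange",
+"queryType": 0,
+"resourceType": "microsoft.operationalinsights/workspaces",
+"visualization": "barchart"
+},
+"customWidth": "50",
+"name": "query - 10"
+},
+{
+"type": 1,
+"content": {
+"json": "---\r\n### Elastic IP Address Operations"
+},
+"name": "text - 11"
+},
+{
+"type": 3,
+"content": {
+"version": "KqlItem/1.0",
+"query": "AWSCloudTrail\r\n| where EventSource == \"ec2.amazonaws.com\" and (EventName == \"AllocateAddress\" or EventName == \"ReleaseAddress\" or EventName == \"AssociateAddress\" or EventName == \"DisassociateAddress\") \r\n| extend AllocationID1 = todynamic(ResponseElements).[\"allocationId\"]\r\n| extend AllocationID2 = todynamic(RequestParameters).[\"allocationId\"]\r\n| extend AssociationID = todynamic(ResponseElements).[\"associationId\"]\r\n| extend ElasticIP = todynamic(ResponseElements).[\"publicIp\"]\r\n| extend AllocationID = coalesce(AllocationID1, AllocationID2)\r\n| summarize count() by TimeGenerated, UserIdentityArn, EventName, tostring(todynamic(RequestParameters).[\"instanceId\"]), tostring(AllocationID), tostring(AssociationID), tostring(ElasticIP) \r\n| project-rename InstanceID = RequestParameters_instanceId\r\n| project-away count_\r\n",
+"size": 0,
+"exportToExcelOptions": "visible",
+"timeContext": {
+"durationMs": 0
+},
+"timeContextFromParameter": "TimeRange",
+"queryType": 0,
+"resourceType": "microsoft.operationalinsights/workspaces",
+"gridSettings": {
+"filter": true,
+"labelSettings": []
+}
+},
+"name": "query - 12"
+}
+],
+"styleSettings": {},
+"fromTemplateId": "sentinel-AWSNetworkActivities",
+"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
+}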
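Review bot: The panels titled "Network events, by region" and "Network event types" (`query - 3` and `query - 4`) have their EC2 network filter commented out — the line beginning `//| where EventSource == "ec2.amazonaws.com" and (EventName startswith "create" ...` — so they currently chart every CloudTrail event in the workspace rather than network activity, which will mislead anyone triaging from those charts. Either remove the leading `//` in both queries or retitle the panels to say what they actually count. The security-group/NACL grid in `query - 5` and its time chart in `query - 7` list `ReplaceNetworkAclEntry`, `CreateNetworkAcl` and `DeleteNetworkAcl` but not the standard EC2 actions `CreateNetworkAclEntry` and `DeleteNetworkAclEntry`, so rule additions and removals on an existing ACL never surface; add `or EventName == "CreateNetworkAclEntry" or EventName == "DeleteNetworkAclEntry"` to both `where` clauses. The `AWSRegion` parameter exported by the region tiles is honored only by `query - 3` and `query - 4`; the grids below ignore it, so the "click to filter" affordance is inconsistent. Separately, `datatable(AWSRegion:string)['OneDrive', 'SharePoint']` in the region-tiles query looks like a leftover from an Office 365 template — those rows are discarded by the following inner join and the `extend AWSRegion = AWSRegion` is a no-op, so both can be dropped.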
@ -0,0 +1,811 @@
|
|||
{
|
||||
"version": "Notebook/1.0",
|
||||
"items": [
|
||||
{
|
||||
"type": 1,
|
||||
"content": {
|
||||
"json": "## AWS user activities"
|
||||
},
|
||||
"name": "text - 1"
|
||||
},
|
||||
{
|
||||
"type": 9,
|
||||
"content": {
|
||||
"version": "KqlParameterItem/1.0",
|
||||
"query": "",
|
||||
"crossComponentResources": [],
|
||||
"parameters": [
|
||||
{
|
||||
"id": "b075dcf3-76b9-412a-8094-f7dfe264b4a1",
|
||||
"version": "KqlParameterItem/1.0",
|
||||
"name": "TimeRange",
|
||||
"type": 4,
|
||||
"isRequired": true,
|
||||
"value": {
|
||||
"durationMs": 1209600000
|
||||
},
|
||||
"typeSettings": {
|
||||
"selectableValues": [
|
||||
{
|
||||
"durationMs": 300000
|
||||
},
|
||||
{
|
||||
"durationMs": 900000
|
||||
},
|
||||
{
|
||||
"durationMs": 1800000
|
||||
},
|
||||
{
|
||||
"durationMs": 3600000
|
||||
},
|
||||
{
|
||||
"durationMs": 14400000
|
||||
},
|
||||
{
|
||||
"durationMs": 43200000
|
||||
},
|
||||
{
|
||||
"durationMs": 86400000
|
||||
},
|
||||
{
|
||||
"durationMs": 172800000
|
||||
},
|
||||
{
|
||||
"durationMs": 259200000
|
||||
},
|
||||
{
|
||||
"durationMs": 604800000
|
||||
},
|
||||
{
|
||||
"durationMs": 1209600000
|
||||
},
|
||||
{
|
||||
"durationMs": 2419200000
|
||||
},
|
||||
{
|
||||
"durationMs": 2592000000
|
||||
},
|
||||
{
|
||||
"durationMs": 5184000000
|
||||
},
|
||||
{
|
||||
"durationMs": 7776000000
|
||||
}
|
||||
],
|
||||
"allowCustom": true
|
||||
}
|
||||
}
|
||||
],
|
||||
"style": "pills",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces"
|
||||
},
|
||||
"name": "parameters - 0"
|
||||
},
|
||||
{
|
||||
"type": 1,
|
||||
"content": {
|
||||
"json": "### Signin and login events"
|
||||
},
|
||||
"name": "text - 6"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "AWSCloudTrail\r\n| where EventName contains \"Login\"\r\n| project TimeGenerated, UserIdentityArn, SourceIpAddress, LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin), EventName, UserIdentityUserName\r\n| where LoginResult != \"\"\r\n| summarize count() by TimeGenerated, LoginResult, EventName, UserIdentityUserName, bin(TimeGenerated, {TimeRange:grain})",
|
||||
"size": 0,
|
||||
"exportToExcelOptions": "visible",
|
||||
"title": "Sign-in events",
|
||||
"timeContext": {
|
||||
"durationMs": 0
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "areachart"
|
||||
},
|
||||
"customWidth": "50",
|
||||
"name": "query - 2"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "let data = AWSCloudTrail\r\n| where EventName contains \"Login\"\r\n| extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin)\r\n| where LoginResult != \"\";\r\nlet appData = data\r\n| summarize TotalCount = count() by LoginResult\r\n| join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by LoginResult\r\n | project-away TimeGenerated) on LoginResult\r\n| order by TotalCount desc, LoginResult asc\r\n| project LoginResult, TotalCount, Trend\r\n| serialize Id = row_number();\r\ndata\r\n| summarize TotalCount = count() by EventName , LoginResult\r\n| join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by LoginResult, EventName\r\n | project-away TimeGenerated) on LoginResult, EventName\r\n| order by TotalCount desc, LoginResult asc\r\n| project LoginResult, EventName, TotalCount, Trend\r\n| serialize Id = row_number(1000000)\r\n| join kind=inner (appData) on LoginResult\r\n| project Id, Name = EventName, Type = 'EventName', ['LoginResults Count'] = TotalCount, Trend, ParentId = Id1\r\n| union (appData \r\n | project Id, Name = LoginResult, Type = 'LoginResult', ['LoginResults Count'] = TotalCount, Trend)\r\n| order by ['LoginResults Count'] desc, Name asc",
|
||||
"size": 0,
|
||||
"exportToExcelOptions": "visible",
|
||||
"title": "Sign-in events results",
|
||||
"timeContext": {
|
||||
"durationMs": 0
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"gridSettings": {
|
||||
"formatters": [
|
||||
{
|
||||
"columnMatch": "Id",
|
||||
"formatter": 5,
|
||||
"formatOptions": {
|
||||
"showIcon": true
|
||||
}
|
||||
},
|
||||
{
|
||||
"columnMatch": "Name",
|
||||
"formatter": 18,
|
||||
"formatOptions": {
|
||||
"showIcon": true,
|
||||
"thresholdsOptions": "icons",
|
||||
"thresholdsGrid": [
|
||||
{
|
||||
"operator": "==",
|
||||
"thresholdValue": "Success",
|
||||
"representation": "success",
|
||||
"text": "{0}{1}"
|
||||
},
|
||||
{
|
||||
"operator": "==",
|
||||
"thresholdValue": "Failure",
|
||||
"representation": "failed",
|
||||
"text": "{0}{1}"
|
||||
},
|
||||
{
|
||||
"operator": "Default",
|
||||
"thresholdValue": null,
|
||||
"representation": "Blank",
|
||||
"text": "{0}{1}"
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
{
|
||||
"columnMatch": "Type",
|
||||
"formatter": 0,
|
||||
"formatOptions": {
|
||||
"showIcon": true
|
||||
}
|
||||
},
|
||||
{
|
||||
"columnMatch": "LoginResults Count",
|
||||
"formatter": 8,
|
||||
"formatOptions": {
|
||||
"min": 0,
|
||||
"palette": "blueDark",
|
||||
"showIcon": true
|
||||
}
|
||||
},
|
||||
{
|
||||
"columnMatch": "Trend",
|
||||
"formatter": 9,
|
||||
"formatOptions": {
|
||||
"min": 0,
|
||||
"palette": "purple",
|
||||
"showIcon": true
|
||||
}
|
||||
},
|
||||
{
|
||||
"columnMatch": "ParentId",
|
||||
"formatter": 5,
|
||||
"formatOptions": {
|
||||
"showIcon": true
|
||||
}
|
||||
}
|
||||
],
|
||||
"hierarchySettings": {
|
||||
"idColumn": "Id",
|
||||
"parentColumn": "ParentId",
|
||||
"treeType": 0,
|
||||
"expanderColumn": "Name"
|
||||
},
|
||||
"labelSettings": []
|
||||
}
|
||||
},
|
||||
"customWidth": "50",
|
||||
"name": "query - 3"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "AWSCloudTrail\r\n| where EventName contains \"login\" or EventName contains \"signin\"\r\n| extend Result = tostring(parse_json(ResponseElements).ConsoleLogin)\r\n| where Result != \"\"\r\n| summarize Success = sum(Result == \"Success\"), Failure = sum(Result == \"Failure\") by UserIdentityUserName, UserIdentityAccountId, SourceIpAddress, EventName\r\n//| summarize NumberOfIPs = count() by UserIdentityUserName, UserIdentityAccountId, Success, Failure, EventName\r\n| sort by Failure desc \r\n",
|
||||
"size": 0,
|
||||
"exportToExcelOptions": "visible",
|
||||
"title": "User sign-ins, by failure rate, and IP addresses",
|
||||
"timeContext": {
|
||||
"durationMs": 0
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"gridSettings": {
|
||||
"formatters": [
|
||||
{
|
||||
"columnMatch": "UserIdentityUserName",
|
||||
"formatter": 5,
|
||||
"formatOptions": {
|
||||
"showIcon": true
|
||||
}
|
||||
},
|
||||
{
|
||||
"columnMatch": "UserIdentityAccountId",
|
||||
"formatter": 0,
|
||||
"formatOptions": {
|
||||
"showIcon": true,
|
||||
"aggregation": "Unique"
|
||||
}
|
||||
},
|
||||
{
|
||||
"columnMatch": "SourceIpAddress",
|
||||
"formatter": 0,
|
||||
"formatOptions": {
|
||||
"showIcon": true,
|
||||
"aggregation": "Unique"
|
||||
}
|
||||
},
|
||||
{
|
||||
"columnMatch": "EventName",
|
||||
"formatter": 0,
|
||||
"formatOptions": {
|
||||
"showIcon": true,
|
||||
"aggregation": "Unique"
|
||||
}
|
||||
},
|
||||
{
|
||||
"columnMatch": "Success",
|
||||
"formatter": 8,
|
||||
"formatOptions": {
|
||||
"min": 0,
|
||||
"palette": "greenRed",
|
||||
"showIcon": true,
|
||||
"aggregation": "Sum"
|
||||
}
|
||||
},
|
||||
{
|
||||
"columnMatch": "Failure",
|
||||
"formatter": 8,
|
||||
"formatOptions": {
|
||||
"palette": "greenRed",
|
||||
"showIcon": true,
|
||||
"aggregation": "Sum"
|
||||
}
|
||||
},
|
||||
{
|
||||
"columnMatch": "NumberOfIPs",
|
||||
"formatter": 4,
|
||||
"formatOptions": {
|
||||
"min": 0,
|
||||
"palette": "blue",
|
||||
"showIcon": true,
|
||||
"aggregation": "Unique"
|
||||
}
|
||||
},
|
||||
{
|
||||
"columnMatch": "$gen_group",
|
||||
"formatter": 0,
|
||||
"formatOptions": {
|
||||
"showIcon": true
|
||||
}
|
||||
}
|
||||
],
|
||||
"hierarchySettings": {
|
||||
"treeType": 1,
|
||||
"groupBy": [
|
||||
"UserIdentityUserName"
|
||||
]
|
||||
},
|
||||
"sortBy": [
|
||||
{
|
||||
"itemKey": "$gen_heatmap_Failure_5",
|
||||
"sortOrder": 2
|
||||
}
|
||||
],
|
||||
"labelSettings": []
|
||||
}
|
||||
},
|
||||
"customWidth": "50",
|
||||
"name": "query - 4"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "AWSCloudTrail\r\n| where EventName contains \"login\" or EventName contains \"signin\"\r\n| summarize count() by Event = strcat(EventTypeName, \": \", EventName), bin(TimeGenerated, {TimeRange:grain})\r\n",
|
||||
"size": 0,
|
||||
"exportToExcelOptions": "visible",
|
||||
"title": "Console and API signin events over time",
|
||||
"timeContext": {
|
||||
"durationMs": 0
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "barchart"
|
||||
},
|
||||
"customWidth": "50",
|
||||
"name": "query - 5"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "AWSCloudTrail\r\n| where EventName contains \"Login\"\r\n| where tostring(parse_json(ResponseElements).ConsoleLogin) == \"Failure\"\r\n| summarize count() by UserIdentityUserName, UserIdentityArn, SourceIpAddress, ErrorMessage, UserAgent, AWSRegion, TimeGenerated ",
|
||||
"size": 0,
|
||||
"exportToExcelOptions": "visible",
|
||||
"title": "Failed sign-ins",
|
||||
"timeContext": {
|
||||
"durationMs": 0
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"gridSettings": {
|
||||
"formatters": [
|
||||
{
|
||||
"columnMatch": "UserIdentityUserName",
|
||||
"formatter": 7,
|
||||
"formatOptions": {
|
||||
"linkTarget": "GenericDetails",
|
||||
"linkIsContextBlade": true,
|
||||
"showIcon": true
|
||||
}
|
||||
},
|
||||
{
|
||||
"columnMatch": "UserIdentityArn",
|
||||
"formatter": 5,
|
||||
"formatOptions": {
|
||||
"showIcon": true
|
||||
}
|
||||
},
|
||||
{
|
||||
"columnMatch": "SourceIpAddress",
|
||||
"formatter": 0,
|
||||
"formatOptions": {
|
||||
"showIcon": true
|
||||
}
|
||||
},
|
||||
{
|
||||
"columnMatch": "ErrorMessage",
|
||||
"formatter": 0,
|
||||
"formatOptions": {
|
||||
"showIcon": true
|
||||
}
|
||||
},
|
||||
{
|
||||
"columnMatch": "UserAgent",
|
||||
"formatter": 5,
|
||||
"formatOptions": {
|
||||
"showIcon": true
|
||||
}
|
||||
},
|
||||
{
|
||||
"columnMatch": "AWSRegion",
|
||||
"formatter": 5,
|
||||
"formatOptions": {
|
||||
"showIcon": true
|
||||
}
|
||||
},
|
||||
{
|
||||
"columnMatch": "TimeGenerated",
|
||||
"formatter": 6,
|
||||
"formatOptions": {
|
||||
"showIcon": true
|
||||
},
|
||||
"dateFormat": {
|
||||
"formatName": "fullDateTimePattern"
|
||||
}
|
||||
},
|
||||
{
|
||||
"columnMatch": "count_",
|
||||
"formatter": 8,
|
||||
"formatOptions": {
|
||||
"min": 0,
|
||||
"palette": "redDark",
|
||||
"showIcon": true
|
||||
}
|
||||
}
|
||||
],
|
||||
"filter": true,
|
||||
"labelSettings": []
|
||||
}
|
||||
},
|
||||
"name": "query - 8"
|
||||
},
|
||||
{
|
||||
"type": 1,
|
||||
"content": {
|
||||
"json": "---\r\n### Activities, by user types"
|
||||
},
|
||||
"name": "text - 7"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "AWSCloudTrail\r\n| where UserIdentityType == \"IAMUser\"\r\n| summarize NumberOfEvents = count() by UserIdentityUserName, bin(TimeGenerated, {TimeRange:grain})\r\n",
|
||||
"size": 0,
|
||||
"exportToExcelOptions": "visible",
|
||||
"title": "Active users",
|
||||
"timeContext": {
|
||||
"durationMs": 0
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "barchart"
|
||||
},
|
||||
"customWidth": "33",
|
||||
"name": "query - 9"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "AWSCloudTrail\r\n| summarize NumberOfEvents = count() by UserIdentityAccountId , bin(TimeGenerated, {TimeRange:grain})\r\n| where UserIdentityAccountId != \"\"",
|
||||
"size": 0,
|
||||
"exportDefaultValue": "*",
|
||||
"exportToExcelOptions": "visible",
|
||||
"title": "Active account IDs",
|
||||
"timeContext": {
|
||||
"durationMs": 0
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "barchart"
|
||||
},
|
||||
"customWidth": "33",
|
||||
"name": "query - 10"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "AWSCloudTrail\r\n| summarize count() by UserIdentityType, bin(TimeGenerated, {TimeRange:grain})",
|
||||
"size": 0,
|
||||
"exportToExcelOptions": "visible",
|
||||
"title": "User identity types",
|
||||
"timeContext": {
|
||||
"durationMs": 0
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "barchart"
|
||||
},
|
||||
"customWidth": "33",
|
||||
"name": "query - 15"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "AWSCloudTrail\r\n//| where UserIdentityAccountId != \"\"\r\n//| where UserIdentityUserName != \"\"\r\n| summarize NumberOfEvents = count() by UserIdentityAccountId, UserIdentityUserName, EventName,SourceIpAddress, UserIdentityType, EventTypeName, TimeGenerated\r\n| order by NumberOfEvents desc",
|
||||
"size": 0,
|
||||
"showAnalytics": true,
|
||||
"exportToExcelOptions": "visible",
|
||||
"title": "Summary",
|
||||
"timeContext": {
|
||||
"durationMs": 0
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"gridSettings": {
|
||||
"formatters": [
|
||||
{
|
||||
"columnMatch": "UserIdentityAccountId",
|
||||
"formatter": 7,
|
||||
"formatOptions": {
|
||||
"linkTarget": "GenericDetails",
|
||||
"linkIsContextBlade": true,
|
||||
"showIcon": true
|
||||
}
|
||||
},
|
||||
{
|
||||
"columnMatch": "UserIdentityUserName",
|
||||
"formatter": 0,
|
||||
"formatOptions": {
|
||||
"showIcon": true
|
||||
}
|
||||
},
|
||||
{
|
||||
"columnMatch": "EventName",
|
||||
"formatter": 5,
|
||||
"formatOptions": {
|
||||
"showIcon": true
|
||||
}
|
||||
},
|
||||
{
|
||||
"columnMatch": "SourceIpAddress",
|
||||
"formatter": 5,
|
||||
"formatOptions": {
|
||||
"showIcon": true
|
||||
}
|
||||
},
|
||||
{
|
||||
"columnMatch": "UserIdentityType",
|
||||
"formatter": 0,
|
||||
"formatOptions": {
|
||||
"showIcon": true
|
||||
}
|
||||
},
|
||||
{
|
||||
"columnMatch": "EventTypeName",
|
||||
"formatter": 5,
|
||||
"formatOptions": {
|
||||
"showIcon": true
|
||||
}
|
||||
},
|
||||
{
|
||||
"columnMatch": "TimeGenerated",
|
||||
"formatter": 5,
|
||||
"formatOptions": {
|
||||
"showIcon": true
|
||||
}
|
||||
},
|
||||
{
|
||||
"columnMatch": "NumberOfEvents",
|
||||
"formatter": 4,
|
||||
"formatOptions": {
|
||||
"min": 0,
|
||||
"palette": "purple",
|
||||
"showIcon": true
|
||||
}
|
||||
}
|
||||
],
|
||||
"rowLimit": 1000,
|
||||
"filter": true,
|
||||
"labelSettings": []
|
||||
}
|
||||
},
|
||||
"customWidth": "50",
|
||||
"name": "query - 15"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "AWSCloudTrail\r\n| where EventName == \"GetCallerIdentity\"\r\n| where UserIdentityType == \"AssumedRole\" \r\n| summarize Count = count() by SourceIpAddress, UserIdentityAccountId, UserIdentityPrincipalid, AWSRegion, TimeGenerated\r\n| sort by Count desc nulls last ",
|
||||
"size": 0,
|
||||
"exportToExcelOptions": "visible",
|
||||
"title": "Suspicious assumed-role account reconnaissance",
|
||||
"timeContext": {
|
||||
"durationMs": 0
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"gridSettings": {
|
||||
"formatters": [
|
||||
{
|
||||
"columnMatch": "SourceIpAddress",
|
||||
"formatter": 0,
|
||||
"formatOptions": {
|
||||
"showIcon": true
|
||||
}
|
||||
},
|
||||
{
|
||||
"columnMatch": "UserIdentityAccountId",
|
||||
"formatter": 0,
|
||||
"formatOptions": {
|
||||
"showIcon": true
|
||||
}
|
||||
},
|
||||
{
|
||||
"columnMatch": "UserIdentityPrincipalid",
|
||||
"formatter": 0,
|
||||
"formatOptions": {
|
||||
"showIcon": true
|
||||
}
|
||||
},
|
||||
{
|
||||
"columnMatch": "AWSRegion",
|
||||
"formatter": 0,
|
||||
"formatOptions": {
|
||||
"showIcon": true
|
||||
}
|
||||
},
|
||||
{
|
||||
"columnMatch": "TimeGenerated",
|
||||
"formatter": 0,
|
||||
"formatOptions": {
|
||||
"showIcon": true
|
||||
}
|
||||
},
|
||||
{
|
||||
"columnMatch": "Count",
|
||||
"formatter": 8,
|
||||
"formatOptions": {
|
||||
"min": 0,
|
||||
"palette": "redDark",
|
||||
"showIcon": true
|
||||
}
|
||||
}
|
||||
],
|
||||
"labelSettings": []
|
||||
}
|
||||
},
|
||||
"customWidth": "50",
|
||||
"name": "query - 11"
|
||||
},
|
||||
{
|
||||
"type": 1,
|
||||
"content": {
|
||||
"json": "---\r\n### Region activities"
|
||||
},
|
||||
"name": "text - 19"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "let data = AWSCloudTrail;\r\nlet appData = data\r\n| summarize TotalCount = count() by AWSRegion\r\n| join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by AWSRegion\r\n | project-away TimeGenerated) on AWSRegion\r\n| order by TotalCount desc, AWSRegion asc\r\n| project AWSRegion, TotalCount, Trend\r\n| serialize Id = row_number();\r\ndata\r\n| summarize TotalCount = count() by EventName , AWSRegion\r\n| join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by AWSRegion, EventName\r\n | project-away TimeGenerated) on AWSRegion, EventName\r\n| order by TotalCount desc, AWSRegion asc\r\n| project AWSRegion, EventName, TotalCount, Trend\r\n| serialize Id = row_number(1000000)\r\n| join kind=inner (appData) on AWSRegion\r\n| project Id, Name = EventName, Type = 'EventName', ['AWSRegions Count'] = TotalCount, Trend, ParentId = Id1\r\n| union (appData \r\n | project Id, Name = AWSRegion, Type = 'AWSRegion', ['AWSRegions Count'] = TotalCount, Trend)\r\n| order by ['AWSRegions Count'] desc, Name asc",
|
||||
"size": 0,
|
||||
"exportParameterName": "RegionFilter",
|
||||
"exportDefaultValue": "{ \"Name\":\"\", \"Type\":\"*\"}",
|
||||
"showAnalytics": true,
|
||||
"exportToExcelOptions": "visible",
|
||||
"title": "Activities, by region - click to filter",
|
||||
"timeContext": {
|
||||
"durationMs": 0
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"gridSettings": {
|
||||
"formatters": [
|
||||
{
|
||||
"columnMatch": "Id",
|
||||
"formatter": 5,
|
||||
"formatOptions": {
|
||||
"showIcon": true
|
||||
}
|
||||
},
|
||||
{
|
||||
"columnMatch": "Name",
|
||||
"formatter": 0,
|
||||
"formatOptions": {
|
||||
"showIcon": true
|
||||
}
|
||||
},
|
||||
{
|
||||
"columnMatch": "Type",
|
||||
"formatter": 0,
|
||||
"formatOptions": {
|
||||
"showIcon": true
|
||||
}
|
||||
},
|
||||
{
|
||||
"columnMatch": "AWSRegions Count",
|
||||
"formatter": 4,
|
||||
"formatOptions": {
|
||||
"min": 0,
|
||||
"palette": "orange",
|
||||
"showIcon": true
|
||||
}
|
||||
},
|
||||
{
|
||||
"columnMatch": "Trend",
|
||||
"formatter": 10,
|
||||
"formatOptions": {
|
||||
"min": 0,
|
||||
"palette": "lightBlue",
|
||||
"showIcon": true
|
||||
}
|
||||
},
|
||||
{
|
||||
"columnMatch": "ParentId",
|
||||
"formatter": 5,
|
||||
"formatOptions": {
|
||||
"showIcon": true
|
||||
}
|
||||
}
|
||||
],
|
||||
"filter": true,
|
||||
"hierarchySettings": {
|
||||
"idColumn": "Id",
|
||||
"parentColumn": "ParentId",
|
||||
"treeType": 0,
|
||||
"expanderColumn": "Name"
|
||||
},
|
||||
"labelSettings": []
|
||||
}
|
||||
},
|
||||
"customWidth": "50",
|
||||
"name": "query - 13"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "let details = dynamic({RegionFilter});\r\nAWSCloudTrail\r\n| where details.Type == \"*\" or (details.Type == \"EventName\" and details.Name == EventName) or (details.Type == \"AWSRegion\" and details.Name == AWSRegion)\r\n| summarize count() by AWSRegion, bin(TimeGenerated, {TimeRange:grain})\r\n",
|
||||
"size": 0,
|
||||
"exportToExcelOptions": "visible",
|
||||
"title": "Activities, by region over time",
|
||||
"timeContext": {
|
||||
"durationMs": 0
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "linechart"
|
||||
},
|
||||
"customWidth": "50",
|
||||
"name": "query - 12"
|
||||
},
|
||||
{
|
||||
"type": 1,
|
||||
"content": {
|
||||
"json": "---\r\n### User agent"
|
||||
},
|
||||
"name": "text - 18"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "AWSCloudTrail\r\n| summarize Count = count() by UserAgent\r\n| order by Count\r\n",
|
||||
"size": 0,
|
||||
"exportFieldName": "UserAgent",
|
||||
"exportParameterName": "UserAgent",
|
||||
"exportDefaultValue": "All",
|
||||
"showAnalytics": true,
|
||||
"exportToExcelOptions": "visible",
|
||||
"title": "User agent activities - click to filter",
|
||||
"timeContext": {
|
||||
"durationMs": 0
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"gridSettings": {
|
||||
"formatters": [
|
||||
{
|
||||
"columnMatch": "UserAgent",
|
||||
"formatter": 0,
|
||||
"formatOptions": {
|
||||
"showIcon": true
|
||||
}
|
||||
},
|
||||
{
|
||||
"columnMatch": "Count",
|
||||
"formatter": 8,
|
||||
"formatOptions": {
|
||||
"min": 0,
|
||||
"palette": "blueDark",
|
||||
"showIcon": true
|
||||
}
|
||||
}
|
||||
],
|
||||
"filter": true,
|
||||
"labelSettings": []
|
||||
}
|
||||
},
|
||||
"customWidth": "40",
|
||||
"name": "query - 16"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "AWSCloudTrail\r\n| where '{UserAgent}' == UserAgent or '{UserAgent}' == \"All\"\r\n| summarize Count = count() by UserAgent, TimeGenerated",
|
||||
"size": 0,
|
||||
"exportToExcelOptions": "visible",
|
||||
"title": "User agent activities over time",
|
||||
"timeContext": {
|
||||
"durationMs": 0
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "linechart"
|
||||
},
|
||||
"customWidth": "60",
|
||||
"name": "query - 17"
|
||||
}
|
||||
],
|
||||
"styleSettings": {},
|
||||
"fromTemplateId": "sentinel-AWSUserActivities",
|
||||
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
|
||||
}
|
1083
Workbooks/Cisco.json
1083
Workbooks/Cisco.json
Двоичный файл не отображается.
После Ширина: | Высота: | Размер: 208 KiB |
Двоичный файл не отображается.
После Ширина: | Высота: | Размер: 170 KiB |
Двоичный файл не отображается.
После Ширина: | Высота: | Размер: 54 KiB |
Двоичный файл не отображается.
После Ширина: | Высота: | Размер: 52 KiB |
|
@ -238,7 +238,7 @@
|
|||
"logoFileName": "azurevirtualmachine_logo.svg",
|
||||
"description": "Gain insights into your workspaces' Linux machines by connecting Azure Sentinel and using the logs to gather insights around Linux events and errors.",
|
||||
"dataTypesDependencies": [ "Syslog" ],
|
||||
"datasourceCardKeysDependencies": ["Syslog"],
|
||||
"datasourceCardKeysDependencies": [ "Syslog" ],
|
||||
"previewImagesFileNames": [ "LinuxMachinesWhite.png", "LinuxMachinesBlack.png" ],
|
||||
"version": "1.1",
|
||||
"title": "Linux machines",
|
||||
|
@ -375,5 +375,31 @@
|
|||
"templateRelativePath": "AzureInformationProtection.json",
|
||||
"subtitle": "",
|
||||
"provider": "Microsoft"
|
||||
},
|
||||
{
|
||||
"workbookKey": "AmazonWebServicesNetworkActivitiesWorkbook",
|
||||
"logoFileName": "amazon_web_services_Logo.svg",
|
||||
"description": "Gain insights into AWS network related resource activities, including the creation, update, and deletions of security groups, network ACLs and routes, gateways, elastic load balancers, VPCs, subnets, and network interfaces.",
|
||||
"dataTypesDependencies": [ "AWSCloudTrail" ],
|
||||
"datasourceCardKeysDependencies": [ "AWS" ],
|
||||
"previewImagesFileNames": [ "AwsNetworkActivitiesWhite.png", "AwsNetworkActivitiesBlack.png" ],
|
||||
"version": "1.0",
|
||||
"title": "AWS Network Activities",
|
||||
"templateRelativePath": "AmazonWebServicesNetworkActivities.json",
|
||||
"subtitle": "",
|
||||
"provider": "Microsoft"
|
||||
},
|
||||
{
|
||||
"workbookKey": "AmazonWebServicesUserActivitiesWorkbook",
|
||||
"logoFileName": "amazon_web_services_Logo.svg",
|
||||
"description": "Gain insights into AWS user activities, including failed sign-in attempts, IP addresses, regions, user agents, and identity types, as well as potential malicious user activities with assumed roles.",
|
||||
"dataTypesDependencies": [ "AWSCloudTrail" ],
|
||||
"datasourceCardKeysDependencies": [ "AWS" ],
|
||||
"previewImagesFileNames": [ "AwsUserActivitiesWhite.png", "AwsUserActivitiesBlack.png" ],
|
||||
"version": "1.0",
|
||||
"title": "AWS User Activities",
|
||||
"templateRelativePath": "AmazonWebServicesUserActivities.json",
|
||||
"subtitle": "",
|
||||
"provider": "Microsoft"
|
||||
}
|
||||
]
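Review bot: The `"description"` of the new AmazonWebServicesUserActivitiesWorkbook entry promises insight into "potential malicious user activities with assumed roles", but the only assumed-role panel this commit adds (titled "Suspicious assumed-role account reconnaissance") just lists every `GetCallerIdentity` event where `UserIdentityType == "AssumedRole"`, with no baseline, frequency threshold or allow-list. Because the AWS CLI, SDKs and most CI/IaC tooling call `sts:GetCallerIdentity` on every run under an assumed role, that grid will be dominated by benign automation, so the metadata should not read as a detection. Suggest tempering it to `"... as well as assumed-role reconnaissance indicators (for example sts:GetCallerIdentity calls by assumed roles) that should be triaged against known automation sources."` Separately, this entry uses `"AWSCloudTrail"` for `dataTypesDependencies` but `"AWS"` for `datasourceCardKeysDependencies`, whereas the Linux entry in the first hunk uses the same string for both; presumably `"AWS"` is the connector card ID, but verify it matches the key used elsewhere in this file. The enclosing array begins outside the hunk.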
|
||||
|
|