cloudflare - added workbook
This commit is contained in:
Родитель
4c88f4a170
Коммит
8ba6be5e69
|
@ -0,0 +1,981 @@
|
|||
{
|
||||
"version": "Notebook/1.0",
|
||||
"items": [
|
||||
{
|
||||
"type": 1,
|
||||
"content": {
|
||||
"json": ">**NOTE:** This workbook uses a parser based on a Kusto Function to normalize fields. [Follow these steps](https://aka.ms/sentinel-CloudflareDataConnector-parser) to create the Kusto function alias **Cloudflare**."
|
||||
},
|
||||
"name": "text - 0"
|
||||
},
|
||||
{
|
||||
"type": 11,
|
||||
"content": {
|
||||
"version": "LinkItem/1.0",
|
||||
"style": "tabs",
|
||||
"links": [
|
||||
{
|
||||
"id": "2088f290-65ee-4357-badb-55ce732a5004",
|
||||
"cellValue": "tab",
|
||||
"linkTarget": "parameter",
|
||||
"linkLabel": "Cloudflare Web Traffic Overview",
|
||||
"subTarget": "cloudflare_web_traffic_overview",
|
||||
"style": "link"
|
||||
},
|
||||
{
|
||||
"id": "25df6ee6-dcf7-4aa2-b90e-50f8a4b6548d",
|
||||
"cellValue": "tab",
|
||||
"linkTarget": "parameter",
|
||||
"linkLabel": "Cloudflare Security Overview",
|
||||
"subTarget": "cloudflare_security_overview",
|
||||
"style": "link"
|
||||
},
|
||||
{
|
||||
"id": "a2108bc6-5769-4c86-a5c0-201f531ed929",
|
||||
"cellValue": "tab",
|
||||
"linkTarget": "parameter",
|
||||
"linkLabel": "Cloudflare Reliability Summary",
|
||||
"subTarget": "cloudflare_reliability_summary",
|
||||
"style": "link"
|
||||
}
|
||||
]
|
||||
},
|
||||
"name": "links - 1"
|
||||
},
|
||||
{
|
||||
"type": 9,
|
||||
"content": {
|
||||
"version": "KqlParameterItem/1.0",
|
||||
"parameters": [
|
||||
{
|
||||
"id": "c64d5d3d-90c6-484a-ab88-c70652b75b6e",
|
||||
"version": "KqlParameterItem/1.0",
|
||||
"name": "TimeRange",
|
||||
"type": 4,
|
||||
"isRequired": true,
|
||||
"value": {
|
||||
"durationMs": 172800000
|
||||
},
|
||||
"typeSettings": {
|
||||
"selectableValues": [
|
||||
{
|
||||
"durationMs": 300000
|
||||
},
|
||||
{
|
||||
"durationMs": 900000
|
||||
},
|
||||
{
|
||||
"durationMs": 1800000
|
||||
},
|
||||
{
|
||||
"durationMs": 3600000
|
||||
},
|
||||
{
|
||||
"durationMs": 14400000
|
||||
},
|
||||
{
|
||||
"durationMs": 43200000
|
||||
},
|
||||
{
|
||||
"durationMs": 86400000
|
||||
},
|
||||
{
|
||||
"durationMs": 172800000
|
||||
},
|
||||
{
|
||||
"durationMs": 259200000
|
||||
},
|
||||
{
|
||||
"durationMs": 604800000
|
||||
},
|
||||
{
|
||||
"durationMs": 1209600000
|
||||
},
|
||||
{
|
||||
"durationMs": 2419200000
|
||||
},
|
||||
{
|
||||
"durationMs": 2592000000
|
||||
},
|
||||
{
|
||||
"durationMs": 5184000000
|
||||
},
|
||||
{
|
||||
"durationMs": 7776000000
|
||||
}
|
||||
],
|
||||
"allowCustom": true
|
||||
},
|
||||
"timeContext": {
|
||||
"durationMs": 86400000
|
||||
}
|
||||
}
|
||||
],
|
||||
"style": "pills",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces"
|
||||
},
|
||||
"name": "parameters - 1"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "Cloudflare_CL\n| summarize count() by ClientDeviceType_s",
|
||||
"size": 0,
|
||||
"title": "Traffic Type",
|
||||
"timeContext": {
|
||||
"durationMs": 0
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "piechart"
|
||||
},
|
||||
"conditionalVisibility": {
|
||||
"parameterName": "tab",
|
||||
"comparison": "isEqualTo",
|
||||
"value": "cloudflare_web_traffic_overview"
|
||||
},
|
||||
"customWidth": "25",
|
||||
"name": "Traffic Type"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "Cloudflare_CL\n| summarize count() by ClientRequestProtocol_s",
|
||||
"size": 0,
|
||||
"title": "HTTP Protocols",
|
||||
"timeContext": {
|
||||
"durationMs": 0
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "piechart"
|
||||
},
|
||||
"conditionalVisibility": {
|
||||
"parameterName": "tab",
|
||||
"comparison": "isEqualTo",
|
||||
"value": "cloudflare_web_traffic_overview"
|
||||
},
|
||||
"customWidth": "25",
|
||||
"name": "HTTP Protocols"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "Cloudflare_CL\n| summarize count() by ClientRequestMethod_s",
|
||||
"size": 0,
|
||||
"title": "Request Methods",
|
||||
"timeContext": {
|
||||
"durationMs": 0
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "piechart"
|
||||
},
|
||||
"conditionalVisibility": {
|
||||
"parameterName": "tab",
|
||||
"comparison": "isEqualTo",
|
||||
"value": "cloudflare_web_traffic_overview"
|
||||
},
|
||||
"customWidth": "25",
|
||||
"name": "Request Methods"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "Cloudflare_CL\n| extend EdgeResponseContentType = iif(isempty(EdgeResponseContentType_s),\"empty\",EdgeResponseContentType_s )\n| summarize count() by EdgeResponseContentType",
|
||||
"size": 0,
|
||||
"title": "Content Types",
|
||||
"timeContext": {
|
||||
"durationMs": 0
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "piechart"
|
||||
},
|
||||
"conditionalVisibility": {
|
||||
"parameterName": "tab",
|
||||
"comparison": "isEqualTo",
|
||||
"value": "cloudflare_web_traffic_overview"
|
||||
},
|
||||
"customWidth": "25",
|
||||
"name": "Content Types"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "Cloudflare_CL\n| summarize Count=count() by ClientRequestURI_s\n| sort by Count | project-rename ClientRequestURI=ClientRequestURI_s | take 50",
|
||||
"size": 0,
|
||||
"title": "Top Requested URIs",
|
||||
"timeContext": {
|
||||
"durationMs": 0
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "table"
|
||||
},
|
||||
"conditionalVisibility": {
|
||||
"parameterName": "tab",
|
||||
"comparison": "isEqualTo",
|
||||
"value": "cloudflare_web_traffic_overview"
|
||||
},
|
||||
"customWidth": "25",
|
||||
"name": "Top Requested URIs"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "Cloudflare_CL\n| summarize Count=count() by ClientIP_s\n| sort by Count | take 50 | project-rename ClientIP=ClientIP_s",
|
||||
"size": 0,
|
||||
"title": "Top Traffic IPs",
|
||||
"timeContext": {
|
||||
"durationMs": 0
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "table"
|
||||
},
|
||||
"conditionalVisibility": {
|
||||
"parameterName": "tab",
|
||||
"comparison": "isEqualTo",
|
||||
"value": "cloudflare_web_traffic_overview"
|
||||
},
|
||||
"customWidth": "25",
|
||||
"name": "Top Traffic IPs"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "Cloudflare_CL\n| extend ClientRequestReferer = iif(isempty(ClientRequestReferer_s),\"empty\",ClientRequestReferer_s )\n| summarize Count=count() by ClientRequestReferer\n| sort by Count | take 50\n",
|
||||
"size": 0,
|
||||
"title": "Top Referer",
|
||||
"timeContext": {
|
||||
"durationMs": 0
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "table"
|
||||
},
|
||||
"conditionalVisibility": {
|
||||
"parameterName": "tab",
|
||||
"comparison": "isEqualTo",
|
||||
"value": "cloudflare_web_traffic_overview"
|
||||
},
|
||||
"customWidth": "25",
|
||||
"name": "Top Referer"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "Cloudflare_CL\n| summarize Count=count() by ClientIPClass_s | project-rename ClientIPClass=ClientIPClass_s\n| sort by Count | take 50\n",
|
||||
"size": 0,
|
||||
"title": "Top Traffic Types",
|
||||
"timeContext": {
|
||||
"durationMs": 0
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "piechart"
|
||||
},
|
||||
"conditionalVisibility": {
|
||||
"parameterName": "tab",
|
||||
"comparison": "isEqualTo",
|
||||
"value": "cloudflare_web_traffic_overview"
|
||||
},
|
||||
"customWidth": "25",
|
||||
"name": "Top Traffic Types"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "Cloudflare_CL\n| summarize Count=count() by ClientRequestUserAgent_s | project-rename ClientRequestUserAgent=ClientRequestUserAgent_s\n| sort by Count | take 50",
|
||||
"size": 0,
|
||||
"title": "Top User Agents",
|
||||
"timeContext": {
|
||||
"durationMs": 86400000
|
||||
},
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"gridSettings": {
|
||||
"formatters": [
|
||||
{
|
||||
"columnMatch": "ClientRequestUserAgent",
|
||||
"formatter": 0,
|
||||
"formatOptions": {
|
||||
"customColumnWidthSetting": "75%"
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
"conditionalVisibility": {
|
||||
"parameterName": "tab",
|
||||
"comparison": "isEqualTo",
|
||||
"value": "cloudflare_web_traffic_overview"
|
||||
},
|
||||
"name": "Top User Agents"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "let total_number_of_requests =\nCloudflare_CL\n| summarize Count=count()\n| extend title=\"Total Number Of Requests\";\n\nlet threats_stopped =\nCloudflare_CL \n| extend threat=case(EdgePathingSrc_s ==\"user\" and EdgePathingOp_s == \"ban\" and EdgePathingStatus_s has \"ip\" ,\"IP Block\",EdgePathingSrc_s==\"user\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"ctry\",\"Country Block\",EdgePathingSrc_s==\"user\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"zl\", \"Routed by Zone Lockdown\", EdgePathingSrc_s==\"user\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"ua\", \"Blocked User Agent\", EdgePathingSrc_s==\"user\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"rateLimit\", \"Blocked by Rate Limiting\", EdgePathingSrc_s==\"filterBasedFirewall\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"unknown\", \"Blocked by Filter Based Firewall\", EdgePathingSrc_s==\"filterBasedFirewall\" and EdgePathingOp_s==\"chl\", \"Challenged by Filter Based Firewall\", EdgePathingSrc_s==\"bic\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"unknown\", \"Browser Integrity Check\", EdgePathingSrc_s==\"hot\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"ctry\", \"Blocked Hotlink\", EdgePathingSrc_s==\"hot\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"ip\", \"Blocked Hotlink\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"captchaErr\", \"CAPTCHA Error\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"captchaFail\", \"CAPTCHA Challenge Failed\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"captchaNew\", \"New CAPTCHA\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"jschlErr\", \"Java Script Challenge Error\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"jschlFail\", \"Java Script Challenge Failed\", 
EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"jschlNew\", \"New Java Script Challenge\", EdgePathingSrc_s==\"protect\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"17ddos\", \"L7 DDos Mitigation\",\"\")\n| where isnotempty(threat) | summarize Count=count()\n| extend title=\"Stopped Threats\";\n\nlet result_table = union total_number_of_requests, threats_stopped; \nresult_table \n| sort by Count\n\n",
|
||||
"size": 0,
|
||||
"timeContext": {
|
||||
"durationMs": 0
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "tiles",
|
||||
"tileSettings": {
|
||||
"titleContent": {
|
||||
"columnMatch": "title",
|
||||
"formatter": 1
|
||||
},
|
||||
"leftContent": {
|
||||
"columnMatch": "Count",
|
||||
"formatter": 12,
|
||||
"formatOptions": {
|
||||
"palette": "auto"
|
||||
},
|
||||
"numberFormat": {
|
||||
"unit": 17,
|
||||
"options": {
|
||||
"maximumSignificantDigits": 3,
|
||||
"maximumFractionDigits": 2
|
||||
}
|
||||
}
|
||||
},
|
||||
"showBorder": false,
|
||||
"sortCriteriaField": "Count",
|
||||
"sortOrderField": 2,
|
||||
"size": "auto"
|
||||
}
|
||||
},
|
||||
"conditionalVisibility": {
|
||||
"parameterName": "tab",
|
||||
"comparison": "isEqualTo",
|
||||
"value": "cloudflare_security_overview"
|
||||
},
|
||||
"customWidth": "33",
|
||||
"name": "Req_Threats_title"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "Cloudflare_CL \n| extend threat=case(EdgePathingSrc_s ==\"user\" and EdgePathingOp_s == \"ban\" and EdgePathingStatus_s has \"ip\" ,\"IP Block\",EdgePathingSrc_s==\"user\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"ctry\",\"Country Block\",EdgePathingSrc_s==\"user\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"zl\", \"Routed by Zone Lockdown\", EdgePathingSrc_s==\"user\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"ua\", \"Blocked User Agent\", EdgePathingSrc_s==\"user\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"rateLimit\", \"Blocked by Rate Limiting\", EdgePathingSrc_s==\"filterBasedFirewall\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"unknown\", \"Blocked by Filter Based Firewall\", EdgePathingSrc_s==\"filterBasedFirewall\" and EdgePathingOp_s==\"chl\", \"Challenged by Filter Based Firewall\", EdgePathingSrc_s==\"bic\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"unknown\", \"Browser Integrity Check\", EdgePathingSrc_s==\"hot\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"ctry\", \"Blocked Hotlink\", EdgePathingSrc_s==\"hot\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"ip\", \"Blocked Hotlink\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"captchaErr\", \"CAPTCHA Error\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"captchaFail\", \"CAPTCHA Challenge Failed\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"captchaNew\", \"New CAPTCHA\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"jschlErr\", \"Java Script Challenge Error\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"jschlFail\", \"Java Script Challenge Failed\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"jschlNew\", \"New Java Script Challenge\", EdgePathingSrc_s==\"protect\" 
and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"17ddos\", \"L7 DDos Mitigation\",\"\")\n| where isnotempty(threat)\n| summarize Count=count() by threat",
|
||||
"size": 0,
|
||||
"title": "Top Threats",
|
||||
"timeContext": {
|
||||
"durationMs": 0
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "categoricalbar",
|
||||
"tileSettings": {
|
||||
"titleContent": {
|
||||
"columnMatch": "title",
|
||||
"formatter": 1
|
||||
},
|
||||
"leftContent": {
|
||||
"columnMatch": "Count",
|
||||
"formatter": 12,
|
||||
"formatOptions": {
|
||||
"palette": "auto"
|
||||
},
|
||||
"numberFormat": {
|
||||
"unit": 17,
|
||||
"options": {
|
||||
"maximumSignificantDigits": 3,
|
||||
"maximumFractionDigits": 2
|
||||
}
|
||||
}
|
||||
},
|
||||
"showBorder": false,
|
||||
"sortCriteriaField": "Count",
|
||||
"sortOrderField": 2,
|
||||
"size": "auto"
|
||||
}
|
||||
},
|
||||
"conditionalVisibility": {
|
||||
"parameterName": "tab",
|
||||
"comparison": "isEqualTo",
|
||||
"value": "cloudflare_security_overview"
|
||||
},
|
||||
"customWidth": "33",
|
||||
"name": "Top Threats"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "let total_number_of_requests =\nCloudflare_CL\n| summarize Count=count()\n| extend title=\"Total Number Of Requests\";\n\nlet threats_stopped =\nCloudflare_CL \n| extend threat=case(EdgePathingSrc_s ==\"user\" and EdgePathingOp_s == \"ban\" and EdgePathingStatus_s has \"ip\" ,\"IP Block\",EdgePathingSrc_s==\"user\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"ctry\",\"Country Block\",EdgePathingSrc_s==\"user\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"zl\", \"Routed by Zone Lockdown\", EdgePathingSrc_s==\"user\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"ua\", \"Blocked User Agent\", EdgePathingSrc_s==\"user\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"rateLimit\", \"Blocked by Rate Limiting\", EdgePathingSrc_s==\"filterBasedFirewall\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"unknown\", \"Blocked by Filter Based Firewall\", EdgePathingSrc_s==\"filterBasedFirewall\" and EdgePathingOp_s==\"chl\", \"Challenged by Filter Based Firewall\", EdgePathingSrc_s==\"bic\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"unknown\", \"Browser Integrity Check\", EdgePathingSrc_s==\"hot\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"ctry\", \"Blocked Hotlink\", EdgePathingSrc_s==\"hot\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"ip\", \"Blocked Hotlink\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"captchaErr\", \"CAPTCHA Error\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"captchaFail\", \"CAPTCHA Challenge Failed\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"captchaNew\", \"New CAPTCHA\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"jschlErr\", \"Java Script Challenge Error\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"jschlFail\", \"Java Script Challenge Failed\", 
EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"jschlNew\", \"New Java Script Challenge\", EdgePathingSrc_s==\"protect\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"17ddos\", \"L7 DDos Mitigation\",\"\")\n| where isnotempty(threat) | summarize Count=count()\n| extend title=\"Stopped Threats\";\n\nlet result_table = union total_number_of_requests, threats_stopped; \nresult_table \n| sort by Count\n\n",
|
||||
"size": 0,
|
||||
"title": "Requests vs Threats",
|
||||
"timeContext": {
|
||||
"durationMs": 0
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "piechart",
|
||||
"tileSettings": {
|
||||
"titleContent": {
|
||||
"columnMatch": "title",
|
||||
"formatter": 1
|
||||
},
|
||||
"leftContent": {
|
||||
"columnMatch": "Count",
|
||||
"formatter": 12,
|
||||
"formatOptions": {
|
||||
"palette": "auto"
|
||||
},
|
||||
"numberFormat": {
|
||||
"unit": 17,
|
||||
"options": {
|
||||
"maximumSignificantDigits": 3,
|
||||
"maximumFractionDigits": 2
|
||||
}
|
||||
}
|
||||
},
|
||||
"showBorder": false,
|
||||
"sortCriteriaField": "Count",
|
||||
"sortOrderField": 2,
|
||||
"size": "auto"
|
||||
}
|
||||
},
|
||||
"conditionalVisibility": {
|
||||
"parameterName": "tab",
|
||||
"comparison": "isEqualTo",
|
||||
"value": "cloudflare_security_overview"
|
||||
},
|
||||
"customWidth": "33",
|
||||
"name": "Requests vs Threats"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "Cloudflare_CL \n| extend threat=case(EdgePathingSrc_s ==\"user\" and EdgePathingOp_s == \"ban\" and EdgePathingStatus_s has \"ip\" ,\"IP Block\",EdgePathingSrc_s==\"user\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"ctry\",\"Country Block\",EdgePathingSrc_s==\"user\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"zl\", \"Routed by Zone Lockdown\", EdgePathingSrc_s==\"user\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"ua\", \"Blocked User Agent\", EdgePathingSrc_s==\"user\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"rateLimit\", \"Blocked by Rate Limiting\", EdgePathingSrc_s==\"filterBasedFirewall\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"unknown\", \"Blocked by Filter Based Firewall\", EdgePathingSrc_s==\"filterBasedFirewall\" and EdgePathingOp_s==\"chl\", \"Challenged by Filter Based Firewall\", EdgePathingSrc_s==\"bic\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"unknown\", \"Browser Integrity Check\", EdgePathingSrc_s==\"hot\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"ctry\", \"Blocked Hotlink\", EdgePathingSrc_s==\"hot\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"ip\", \"Blocked Hotlink\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"captchaErr\", \"CAPTCHA Error\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"captchaFail\", \"CAPTCHA Challenge Failed\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"captchaNew\", \"New CAPTCHA\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"jschlErr\", \"Java Script Challenge Error\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"jschlFail\", \"Java Script Challenge Failed\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"jschlNew\", \"New Java Script Challenge\", EdgePathingSrc_s==\"protect\" 
and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"17ddos\", \"L7 DDos Mitigation\",\"\")\n| where isnotempty(threat)\n| make-series Trend = count() on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain};",
|
||||
"size": 0,
|
||||
"title": "Threats Over Time",
|
||||
"timeContext": {
|
||||
"durationMs": 0
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "timechart",
|
||||
"tileSettings": {
|
||||
"titleContent": {
|
||||
"columnMatch": "title",
|
||||
"formatter": 1
|
||||
},
|
||||
"leftContent": {
|
||||
"columnMatch": "Count",
|
||||
"formatter": 12,
|
||||
"formatOptions": {
|
||||
"palette": "auto"
|
||||
},
|
||||
"numberFormat": {
|
||||
"unit": 17,
|
||||
"options": {
|
||||
"maximumSignificantDigits": 3,
|
||||
"maximumFractionDigits": 2
|
||||
}
|
||||
}
|
||||
},
|
||||
"showBorder": false,
|
||||
"sortCriteriaField": "Count",
|
||||
"sortOrderField": 2,
|
||||
"size": "auto"
|
||||
}
|
||||
},
|
||||
"conditionalVisibility": {
|
||||
"parameterName": "tab",
|
||||
"comparison": "isEqualTo",
|
||||
"value": "cloudflare_security_overview"
|
||||
},
|
||||
"customWidth": "33",
|
||||
"name": "Threats Over Time"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "Cloudflare_CL \n| extend threat=case(EdgePathingSrc_s ==\"user\" and EdgePathingOp_s == \"ban\" and EdgePathingStatus_s has \"ip\" ,\"IP Block\",EdgePathingSrc_s==\"user\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"ctry\",\"Country Block\",EdgePathingSrc_s==\"user\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"zl\", \"Routed by Zone Lockdown\", EdgePathingSrc_s==\"user\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"ua\", \"Blocked User Agent\", EdgePathingSrc_s==\"user\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"rateLimit\", \"Blocked by Rate Limiting\", EdgePathingSrc_s==\"filterBasedFirewall\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"unknown\", \"Blocked by Filter Based Firewall\", EdgePathingSrc_s==\"filterBasedFirewall\" and EdgePathingOp_s==\"chl\", \"Challenged by Filter Based Firewall\", EdgePathingSrc_s==\"bic\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"unknown\", \"Browser Integrity Check\", EdgePathingSrc_s==\"hot\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"ctry\", \"Blocked Hotlink\", EdgePathingSrc_s==\"hot\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"ip\", \"Blocked Hotlink\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"captchaErr\", \"CAPTCHA Error\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"captchaFail\", \"CAPTCHA Challenge Failed\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"captchaNew\", \"New CAPTCHA\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"jschlErr\", \"Java Script Challenge Error\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"jschlFail\", \"Java Script Challenge Failed\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"jschlNew\", \"New Java Script Challenge\", EdgePathingSrc_s==\"protect\" 
and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"17ddos\", \"L7 DDos Mitigation\",\"\")\n| where isnotempty(threat)\n| summarize count() by ClientCountry_s | project-rename Country=ClientCountry_s | take 20",
|
||||
"size": 0,
|
||||
"title": "Top Threat Countries",
|
||||
"timeContext": {
|
||||
"durationMs": 0
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "table",
|
||||
"tileSettings": {
|
||||
"titleContent": {
|
||||
"columnMatch": "title",
|
||||
"formatter": 1
|
||||
},
|
||||
"leftContent": {
|
||||
"columnMatch": "Count",
|
||||
"formatter": 12,
|
||||
"formatOptions": {
|
||||
"palette": "auto"
|
||||
},
|
||||
"numberFormat": {
|
||||
"unit": 17,
|
||||
"options": {
|
||||
"maximumSignificantDigits": 3,
|
||||
"maximumFractionDigits": 2
|
||||
}
|
||||
}
|
||||
},
|
||||
"showBorder": false,
|
||||
"sortCriteriaField": "Count",
|
||||
"sortOrderField": 2,
|
||||
"size": "auto"
|
||||
}
|
||||
},
|
||||
"conditionalVisibility": {
|
||||
"parameterName": "tab",
|
||||
"comparison": "isEqualTo",
|
||||
"value": "cloudflare_security_overview"
|
||||
},
|
||||
"customWidth": "33",
|
||||
"name": "Top Threat Countries"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "Cloudflare_CL \n| extend threat=case(EdgePathingSrc_s ==\"user\" and EdgePathingOp_s == \"ban\" and EdgePathingStatus_s has \"ip\" ,\"IP Block\",EdgePathingSrc_s==\"user\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"ctry\",\"Country Block\",EdgePathingSrc_s==\"user\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"zl\", \"Routed by Zone Lockdown\", EdgePathingSrc_s==\"user\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"ua\", \"Blocked User Agent\", EdgePathingSrc_s==\"user\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"rateLimit\", \"Blocked by Rate Limiting\", EdgePathingSrc_s==\"filterBasedFirewall\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"unknown\", \"Blocked by Filter Based Firewall\", EdgePathingSrc_s==\"filterBasedFirewall\" and EdgePathingOp_s==\"chl\", \"Challenged by Filter Based Firewall\", EdgePathingSrc_s==\"bic\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"unknown\", \"Browser Integrity Check\", EdgePathingSrc_s==\"hot\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"ctry\", \"Blocked Hotlink\", EdgePathingSrc_s==\"hot\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"ip\", \"Blocked Hotlink\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"captchaErr\", \"CAPTCHA Error\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"captchaFail\", \"CAPTCHA Challenge Failed\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"captchaNew\", \"New CAPTCHA\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"jschlErr\", \"Java Script Challenge Error\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"jschlFail\", \"Java Script Challenge Failed\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"jschlNew\", \"New Java Script Challenge\", EdgePathingSrc_s==\"protect\" 
and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"17ddos\", \"L7 DDos Mitigation\",\"\")\n| where isnotempty(threat)\n| summarize count() by ClientIP_s | project-rename ClientIP=ClientIP_s",
|
||||
"size": 0,
|
||||
"title": "Top Threat Client IPs",
|
||||
"timeContext": {
|
||||
"durationMs": 0
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "table",
|
||||
"tileSettings": {
|
||||
"titleContent": {
|
||||
"columnMatch": "title",
|
||||
"formatter": 1
|
||||
},
|
||||
"leftContent": {
|
||||
"columnMatch": "Count",
|
||||
"formatter": 12,
|
||||
"formatOptions": {
|
||||
"palette": "auto"
|
||||
},
|
||||
"numberFormat": {
|
||||
"unit": 17,
|
||||
"options": {
|
||||
"maximumSignificantDigits": 3,
|
||||
"maximumFractionDigits": 2
|
||||
}
|
||||
}
|
||||
},
|
||||
"showBorder": false,
|
||||
"sortCriteriaField": "Count",
|
||||
"sortOrderField": 2,
|
||||
"size": "auto"
|
||||
}
|
||||
},
|
||||
"conditionalVisibility": {
|
||||
"parameterName": "tab",
|
||||
"comparison": "isEqualTo",
|
||||
"value": "cloudflare_security_overview"
|
||||
},
|
||||
"customWidth": "33",
|
||||
"name": "Top Threat Client IPs"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "Cloudflare_CL \n| extend threat=case(EdgePathingSrc_s ==\"user\" and EdgePathingOp_s == \"ban\" and EdgePathingStatus_s has \"ip\" ,\"IP Block\",EdgePathingSrc_s==\"user\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"ctry\",\"Country Block\",EdgePathingSrc_s==\"user\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"zl\", \"Routed by Zone Lockdown\", EdgePathingSrc_s==\"user\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"ua\", \"Blocked User Agent\", EdgePathingSrc_s==\"user\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"rateLimit\", \"Blocked by Rate Limiting\", EdgePathingSrc_s==\"filterBasedFirewall\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"unknown\", \"Blocked by Filter Based Firewall\", EdgePathingSrc_s==\"filterBasedFirewall\" and EdgePathingOp_s==\"chl\", \"Challenged by Filter Based Firewall\", EdgePathingSrc_s==\"bic\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"unknown\", \"Browser Integrity Check\", EdgePathingSrc_s==\"hot\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"ctry\", \"Blocked Hotlink\", EdgePathingSrc_s==\"hot\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"ip\", \"Blocked Hotlink\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"captchaErr\", \"CAPTCHA Error\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"captchaFail\", \"CAPTCHA Challenge Failed\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"captchaNew\", \"New CAPTCHA\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"jschlErr\", \"Java Script Challenge Error\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"jschlFail\", \"Java Script Challenge Failed\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"jschlNew\", \"New Java Script Challenge\", EdgePathingSrc_s==\"protect\" 
and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"17ddos\", \"L7 DDos Mitigation\",\"\")\n| where isnotempty(threat)\n| summarize Count=count() by ClientRequestURI_s | project-rename ClientRequestURI=ClientRequestURI_s",
|
||||
"size": 0,
|
||||
"title": "Top Threat URIs",
|
||||
"timeContext": {
|
||||
"durationMs": 0
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "table",
|
||||
"tileSettings": {
|
||||
"titleContent": {
|
||||
"columnMatch": "title",
|
||||
"formatter": 1
|
||||
},
|
||||
"leftContent": {
|
||||
"columnMatch": "Count",
|
||||
"formatter": 12,
|
||||
"formatOptions": {
|
||||
"palette": "auto"
|
||||
},
|
||||
"numberFormat": {
|
||||
"unit": 17,
|
||||
"options": {
|
||||
"maximumSignificantDigits": 3,
|
||||
"maximumFractionDigits": 2
|
||||
}
|
||||
}
|
||||
},
|
||||
"showBorder": false,
|
||||
"sortCriteriaField": "Count",
|
||||
"sortOrderField": 2,
|
||||
"size": "auto"
|
||||
}
|
||||
},
|
||||
"conditionalVisibility": {
|
||||
"parameterName": "tab",
|
||||
"comparison": "isEqualTo",
|
||||
"value": "cloudflare_security_overview"
|
||||
},
|
||||
"customWidth": "33",
|
||||
"name": "Top Threat URIs"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "Cloudflare_CL \n| extend threat=case(EdgePathingSrc_s ==\"user\" and EdgePathingOp_s == \"ban\" and EdgePathingStatus_s has \"ip\" ,\"IP Block\",EdgePathingSrc_s==\"user\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"ctry\",\"Country Block\",EdgePathingSrc_s==\"user\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"zl\", \"Routed by Zone Lockdown\", EdgePathingSrc_s==\"user\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"ua\", \"Blocked User Agent\", EdgePathingSrc_s==\"user\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"rateLimit\", \"Blocked by Rate Limiting\", EdgePathingSrc_s==\"filterBasedFirewall\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"unknown\", \"Blocked by Filter Based Firewall\", EdgePathingSrc_s==\"filterBasedFirewall\" and EdgePathingOp_s==\"chl\", \"Challenged by Filter Based Firewall\", EdgePathingSrc_s==\"bic\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"unknown\", \"Browser Integrity Check\", EdgePathingSrc_s==\"hot\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"ctry\", \"Blocked Hotlink\", EdgePathingSrc_s==\"hot\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"ip\", \"Blocked Hotlink\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"captchaErr\", \"CAPTCHA Error\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"captchaFail\", \"CAPTCHA Challenge Failed\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"captchaNew\", \"New CAPTCHA\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"jschlErr\", \"Java Script Challenge Error\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"jschlFail\", \"Java Script Challenge Failed\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"jschlNew\", \"New Java Script Challenge\", EdgePathingSrc_s==\"protect\" 
and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"17ddos\", \"L7 DDos Mitigation\",\"\")\n| where isnotempty(threat)\n| summarize Count=count() by ClientRequestUserAgent_s | project-rename ClientRequestUserAgent=ClientRequestUserAgent_s",
|
||||
"size": 0,
|
||||
"title": "Top Threat User Agents",
|
||||
"timeContext": {
|
||||
"durationMs": 0
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "table",
|
||||
"tileSettings": {
|
||||
"titleContent": {
|
||||
"columnMatch": "title",
|
||||
"formatter": 1
|
||||
},
|
||||
"leftContent": {
|
||||
"columnMatch": "Count",
|
||||
"formatter": 12,
|
||||
"formatOptions": {
|
||||
"palette": "auto"
|
||||
},
|
||||
"numberFormat": {
|
||||
"unit": 17,
|
||||
"options": {
|
||||
"maximumSignificantDigits": 3,
|
||||
"maximumFractionDigits": 2
|
||||
}
|
||||
}
|
||||
},
|
||||
"showBorder": false,
|
||||
"sortCriteriaField": "Count",
|
||||
"sortOrderField": 2,
|
||||
"size": "auto"
|
||||
}
|
||||
},
|
||||
"conditionalVisibility": {
|
||||
"parameterName": "tab",
|
||||
"comparison": "isEqualTo",
|
||||
"value": "cloudflare_security_overview"
|
||||
},
|
||||
"customWidth": "33",
|
||||
"name": "Top Threat User Agents"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "Cloudflare_CL \n| extend threat=case(EdgePathingSrc_s ==\"user\" and EdgePathingOp_s == \"ban\" and EdgePathingStatus_s has \"ip\" ,\"IP Block\",EdgePathingSrc_s==\"user\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"ctry\",\"Country Block\",EdgePathingSrc_s==\"user\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"zl\", \"Routed by Zone Lockdown\", EdgePathingSrc_s==\"user\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"ua\", \"Blocked User Agent\", EdgePathingSrc_s==\"user\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"rateLimit\", \"Blocked by Rate Limiting\", EdgePathingSrc_s==\"filterBasedFirewall\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"unknown\", \"Blocked by Filter Based Firewall\", EdgePathingSrc_s==\"filterBasedFirewall\" and EdgePathingOp_s==\"chl\", \"Challenged by Filter Based Firewall\", EdgePathingSrc_s==\"bic\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"unknown\", \"Browser Integrity Check\", EdgePathingSrc_s==\"hot\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"ctry\", \"Blocked Hotlink\", EdgePathingSrc_s==\"hot\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"ip\", \"Blocked Hotlink\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"captchaErr\", \"CAPTCHA Error\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"captchaFail\", \"CAPTCHA Challenge Failed\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"captchaNew\", \"New CAPTCHA\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"jschlErr\", \"Java Script Challenge Error\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"jschlFail\", \"Java Script Challenge Failed\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"jschlNew\", \"New Java Script Challenge\", EdgePathingSrc_s==\"protect\" 
and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"17ddos\", \"L7 DDos Mitigation\",\"\")\n| where isnotempty(threat)\n| summarize Count=count() by EdgePathingStatus_s | project-rename EdgePathingStatus=EdgePathingStatus_s",
|
||||
"size": 0,
|
||||
"title": "Top Threat User Agents",
|
||||
"timeContext": {
|
||||
"durationMs": 0
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "table",
|
||||
"tileSettings": {
|
||||
"titleContent": {
|
||||
"columnMatch": "title",
|
||||
"formatter": 1
|
||||
},
|
||||
"leftContent": {
|
||||
"columnMatch": "Count",
|
||||
"formatter": 12,
|
||||
"formatOptions": {
|
||||
"palette": "auto"
|
||||
},
|
||||
"numberFormat": {
|
||||
"unit": 17,
|
||||
"options": {
|
||||
"maximumSignificantDigits": 3,
|
||||
"maximumFractionDigits": 2
|
||||
}
|
||||
}
|
||||
},
|
||||
"showBorder": false,
|
||||
"sortCriteriaField": "Count",
|
||||
"sortOrderField": 2,
|
||||
"size": "auto"
|
||||
}
|
||||
},
|
||||
"conditionalVisibility": {
|
||||
"parameterName": "tab",
|
||||
"comparison": "isEqualTo",
|
||||
"value": "cloudflare_security_overview"
|
||||
},
|
||||
"customWidth": "33",
|
||||
"name": "Top Threat User Agents - Copy"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "let 5xx = Cloudflare_CL \n| where tostring(EdgeResponseStatus_d) startswith \"5\"\n| summarize Count=count()\n| extend title=\"5xx Errors (Edge)\";\n\nlet 4xx = Cloudflare_CL \n| where tostring(EdgeResponseStatus_d) startswith \"4\"\n| summarize Count=count()\n| extend title=\"4xx Errors (Edge)\";\n\nlet 3xx = Cloudflare_CL \n| where tostring(EdgeResponseStatus_d) startswith \"3\"\n| summarize Count=count()\n| extend title=\"3xx Errors (Edge)\";\n\nlet result_table = union 5xx, 4xx, 3xx; \nresult_table \n| sort by Count\n\n",
|
||||
"size": 0,
|
||||
"title": "ERRORS Counts (Edge)",
|
||||
"timeContext": {
|
||||
"durationMs": 0
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "tiles",
|
||||
"tileSettings": {
|
||||
"showBorder": false,
|
||||
"titleContent": {
|
||||
"columnMatch": "title",
|
||||
"formatter": 1
|
||||
},
|
||||
"leftContent": {
|
||||
"columnMatch": "Count",
|
||||
"formatter": 12,
|
||||
"formatOptions": {
|
||||
"palette": "auto"
|
||||
},
|
||||
"numberFormat": {
|
||||
"unit": 17,
|
||||
"options": {
|
||||
"maximumSignificantDigits": 3,
|
||||
"maximumFractionDigits": 2
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"conditionalVisibility": {
|
||||
"parameterName": "tab",
|
||||
"comparison": "isEqualTo",
|
||||
"value": "cloudflare_reliability_summary"
|
||||
},
|
||||
"customWidth": "33",
|
||||
"name": "Errors (Edge)"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "Cloudflare_CL \n| extend response_error_type= case(tostring(EdgeResponseStatus_d) startswith \"2\" , \"2xx\", tostring(EdgeResponseStatus_d) startswith \"3\" , \"3xx\", tostring(EdgeResponseStatus_d) startswith \"4\" , \"4xx\", tostring(EdgeResponseStatus_d) startswith \"5\" , \"5xx\",\"\")\n| where isnotempty(response_error_type)\n| summarize Count=count() by response_error_type",
|
||||
"size": 0,
|
||||
"title": "Edge Response Error Ratio",
|
||||
"timeContext": {
|
||||
"durationMs": 0
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "piechart",
|
||||
"tileSettings": {
|
||||
"showBorder": false,
|
||||
"titleContent": {
|
||||
"columnMatch": "title",
|
||||
"formatter": 1
|
||||
},
|
||||
"leftContent": {
|
||||
"columnMatch": "Count",
|
||||
"formatter": 12,
|
||||
"formatOptions": {
|
||||
"palette": "auto"
|
||||
},
|
||||
"numberFormat": {
|
||||
"unit": 17,
|
||||
"options": {
|
||||
"maximumSignificantDigits": 3,
|
||||
"maximumFractionDigits": 2
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"conditionalVisibility": {
|
||||
"parameterName": "tab",
|
||||
"comparison": "isEqualTo",
|
||||
"value": "cloudflare_reliability_summary"
|
||||
},
|
||||
"customWidth": "33",
|
||||
"name": "Edge Response Error Ratio"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "Cloudflare_CL \n| extend response_error_type= case(tostring(OriginResponseStatus_d) startswith \"2\" , \"2xx\", tostring(OriginResponseStatus_d) startswith \"3\" , \"3xx\", tostring(OriginResponseStatus_d) startswith \"4\" , \"4xx\", tostring(OriginResponseStatus_d) startswith \"5\" , \"5xx\",\"\")\n| where isnotempty(response_error_type)\n| summarize Count=count() by response_error_type",
|
||||
"size": 0,
|
||||
"title": "Origin Response Error Ratio",
|
||||
"timeContext": {
|
||||
"durationMs": 0
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "piechart",
|
||||
"tileSettings": {
|
||||
"showBorder": false,
|
||||
"titleContent": {
|
||||
"columnMatch": "title",
|
||||
"formatter": 1
|
||||
},
|
||||
"leftContent": {
|
||||
"columnMatch": "Count",
|
||||
"formatter": 12,
|
||||
"formatOptions": {
|
||||
"palette": "auto"
|
||||
},
|
||||
"numberFormat": {
|
||||
"unit": 17,
|
||||
"options": {
|
||||
"maximumSignificantDigits": 3,
|
||||
"maximumFractionDigits": 2
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"conditionalVisibility": {
|
||||
"parameterName": "tab",
|
||||
"comparison": "isEqualTo",
|
||||
"value": "cloudflare_reliability_summary"
|
||||
},
|
||||
"customWidth": "33",
|
||||
"name": "Origin Response Error Ratio"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "Cloudflare_CL \n| extend response_error_type= case(tostring(EdgeResponseStatus_d) startswith \"2\" , \"2xx\", tostring(EdgeResponseStatus_d) startswith \"3\" , \"3xx\", tostring(EdgeResponseStatus_d) startswith \"4\" , \"4xx\", tostring(EdgeResponseStatus_d) startswith \"5\" , \"5xx\",\"\")\n| where isnotempty(response_error_type)\n| make-series Trend = count() on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by response_error_type;",
|
||||
"size": 0,
|
||||
"title": "Edge Response Status Over Time",
|
||||
"timeContext": {
|
||||
"durationMs": 0
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "timechart",
|
||||
"tileSettings": {
|
||||
"showBorder": false,
|
||||
"titleContent": {
|
||||
"columnMatch": "title",
|
||||
"formatter": 1
|
||||
},
|
||||
"leftContent": {
|
||||
"columnMatch": "Count",
|
||||
"formatter": 12,
|
||||
"formatOptions": {
|
||||
"palette": "auto"
|
||||
},
|
||||
"numberFormat": {
|
||||
"unit": 17,
|
||||
"options": {
|
||||
"maximumSignificantDigits": 3,
|
||||
"maximumFractionDigits": 2
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"conditionalVisibility": {
|
||||
"parameterName": "tab",
|
||||
"comparison": "isEqualTo",
|
||||
"value": "cloudflare_reliability_summary"
|
||||
},
|
||||
"customWidth": "50",
|
||||
"name": "Edge Response Status Over Time"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "Cloudflare_CL \n| extend response_error_type= case(tostring(OriginResponseStatus_d) startswith \"2\" , \"2xx\", tostring(OriginResponseStatus_d) startswith \"3\" , \"3xx\", tostring(OriginResponseStatus_d) startswith \"4\" , \"4xx\", tostring(OriginResponseStatus_d) startswith \"5\" , \"5xx\",\"\")\n| where isnotempty(response_error_type)\n| make-series Trend = count() on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by response_error_type;",
|
||||
"size": 0,
|
||||
"title": "Origin Response Status Over Time",
|
||||
"timeContext": {
|
||||
"durationMs": 0
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "timechart",
|
||||
"tileSettings": {
|
||||
"showBorder": false,
|
||||
"titleContent": {
|
||||
"columnMatch": "title",
|
||||
"formatter": 1
|
||||
},
|
||||
"leftContent": {
|
||||
"columnMatch": "Count",
|
||||
"formatter": 12,
|
||||
"formatOptions": {
|
||||
"palette": "auto"
|
||||
},
|
||||
"numberFormat": {
|
||||
"unit": 17,
|
||||
"options": {
|
||||
"maximumSignificantDigits": 3,
|
||||
"maximumFractionDigits": 2
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"conditionalVisibility": {
|
||||
"parameterName": "tab",
|
||||
"comparison": "isEqualTo",
|
||||
"value": "cloudflare_reliability_summary"
|
||||
},
|
||||
"customWidth": "50",
|
||||
"name": "Origin Response Status Over Time"
|
||||
}
|
||||
],
|
||||
"fallbackResourceIds": [],
|
||||
"fromTemplateId": "sentinel-CloudflareWorkbook",
|
||||
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
|
||||
}
|
|
@ -0,0 +1,5 @@
|
|||
<svg width="75" height="75" viewBox="0 0 75 75" fill="none" xmlns="http://www.w3.org/2000/svg">
|
||||
<path d="M57.9129 36.0524L56.4192 35.4482C49.3989 51.4259 21.471 41.7122 19.7906 46.4654C19.5104 49.676 35.0419 47.0759 46.1454 47.6201C49.5313 47.7859 51.2293 50.3713 49.7915 54.5854L52.6234 54.5942C55.8901 44.2933 66.3155 49.5503 66.7512 46.1507C66.0354 43.9155 54.7696 46.1507 57.9129 36.0524Z" fill="white"/>
|
||||
<path d="M50.5934 52.8234C51.0414 51.3125 50.8921 49.8016 50.1453 48.895C49.3983 47.9883 48.3527 47.3841 47.0083 47.233L21.0166 46.9306C20.8672 46.9306 20.7179 46.7796 20.5685 46.7796C20.4192 46.6285 20.4192 46.4775 20.5685 46.3264C20.7179 46.0243 20.8672 45.8729 21.1659 45.8729L47.307 45.5708C50.444 45.4198 53.7304 42.8512 54.9252 39.8294L56.4192 35.901C56.4192 35.7496 56.5685 35.5986 56.4192 35.4475C54.7758 27.7417 47.9046 22 39.8381 22C32.3692 22 25.946 26.8351 23.7053 33.6345C22.2116 32.5768 20.4192 31.9723 18.3278 32.1236C14.7427 32.4257 11.9046 35.4475 11.4563 39.0738C11.307 39.9804 11.4563 40.8871 11.6059 41.7935C5.78012 41.9445 1 46.7796 1 52.8234C1 53.4277 1 53.8811 1.14934 54.4854C1.14934 54.7878 1.44803 54.9388 1.59766 54.9388H49.5477C49.8464 54.9388 50.1453 54.7878 50.1453 54.4854L50.5934 52.8234Z" fill="#F4811F"/>
|
||||
<path d="M58.8091 35.9013H58.0621C57.9128 35.9013 57.7635 36.0524 57.6141 36.2034L56.5684 39.8298C56.1204 41.3406 56.2697 42.8518 57.0167 43.7582C57.7634 44.6648 58.8091 45.2691 60.1535 45.4204L65.6806 45.7225C65.83 45.7225 65.9793 45.8736 66.1287 45.8736C66.278 46.0246 66.278 46.1757 66.1287 46.3268C65.9793 46.6292 65.83 46.7802 65.531 46.7802L59.8548 47.0824C56.7178 47.2334 53.4316 49.802 52.2366 52.8238L51.9376 54.1839C51.7883 54.335 51.9376 54.6371 52.2366 54.6371H71.9545C72.2532 54.6371 72.4025 54.486 72.4025 54.1839C72.7012 52.9751 72.9999 51.6153 72.9999 50.2552C72.9999 42.3983 66.5767 35.9013 58.8091 35.9013Z" fill="#FAAD3F"/>
|
||||
</svg>
|
После Ширина: | Высота: | Размер: 1.9 KiB |
После Ширина: | Высота: | Размер: 55 KiB |
После Ширина: | Высота: | Размер: 38 KiB |
После Ширина: | Высота: | Размер: 56 KiB |
После Ширина: | Высота: | Размер: 44 KiB |
|
@ -1322,5 +1322,18 @@
|
|||
"templateRelativePath": "pfsense.json",
|
||||
"subtitle": "",
|
||||
"provider": "Azure Sentinel community"
|
||||
},
|
||||
{
|
||||
"workbookKey": "CloudflareWorkbook",
|
||||
"logoFileName": "cloudflare.svg",
|
||||
"description": "Gain insights into Cloudflare events. You will get visibility on your Cloudflare web traffic, security, reliability.",
|
||||
"dataTypesDependencies": [ "Cloudflare_CL" ],
|
||||
"dataConnectorsDependencies": [ "CloudflareDataConnector" ],
|
||||
"previewImagesFileNames": ["CloudflareOverviewWhite01.png", "CloudflareOverviewWhite02.png", "CloudflareOverviewBlack01.png", "CloudflareOverviewBlack02.png"],
|
||||
"version": "1.0",
|
||||
"title": "Cloudflare",
|
||||
"templateRelativePath": "Cloudflare.json",
|
||||
"subtitle": "",
|
||||
"provider": "Cloudflare"
|
||||
}
|
||||
]
|
||||
|
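Review bot: The `description` string of the new CloudflareWorkbook entry reads awkwardly — `You will get visibility on your Cloudflare web traffic, security, reliability.` — and would read more cleanly as `Gain insights into Cloudflare events: visibility into your Cloudflare web traffic, security and reliability.` The array literals in the same entry mix spacing styles (`[ "Cloudflare_CL" ]` and `[ "CloudflareDataConnector" ]` with inner padding, `["CloudflareOverviewWhite01.png", …]` without); picking one form keeps the entry consistent with itself and its neighbours. The `templateRelativePath` is `Cloudflare.json` while the preceding pfsense entry points at a lowercase `pfsense.json`; the added file's path is not visible in this hunk, so confirm the casing matches the file actually committed, since template lookup is presumably case-sensitive wherever this metadata is consumed.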
|