Create CopilotforSecurityMonitoring.json

Samik Roy 2024-09-16 12:45:15 +05:30 коммит произвёл GitHub
Родитель 1eec56829c
Коммит a1cc63253b
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: B5690EEEBB952194
1 изменённых файлов: 555 добавлений и 0 удалений


@ -0,0 +1,555 @@
{
"version": "Notebook/1.0",
"items": [
{
"type": 1,
"content": {
"json": "## Copilot for Security Workbook\n---\n\nThis is a workbook to monitor the Copilot for Secuirty \n\n|Overview | Signins | Activity|\n|--|--|--| \n|User Signins across the globe | Successful Login Over Time | Average of SCU processing time by resource| \n|Process time with each apps | Top 5 Users with Successful Login | Total of SCU processing time by resource| \n|Failed MFA authentication against the Standalone experience. |Successful Login | Users created or changed Copilot for Security SCUs| \n|Average of SCU processing time | Non Interactive User SignIns Over Time |Role that enabled Copilot for Security| \n||Top 5 Users Non Interactive SignIns | Capacity changes captured in CloudAppEvents | \n|| Non Interactive User SignIns from Locations |Identify enabling Copilot for Security in the CloudAppEvents log| \n||Failed MFA authentication against the Standalone experience | Activities from Unified Console| \n||Failed Logins against the Standalone experience|Identifies when the Intune extension for CfS has been used| \n||Success vs Failed Logins for Users|Current Copilot Instances from Azure Resource Graph Explorer|"
},
"name": "text - 2"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "d28a5d7b-3fc5-4a38-a250-2417a0e6b48f",
"version": "KqlParameterItem/1.0",
"name": "Timespan",
"type": 4,
"typeSettings": {
"selectableValues": [
{
"durationMs": 300000
},
{
"durationMs": 900000
},
{
"durationMs": 1800000
},
{
"durationMs": 3600000
},
{
"durationMs": 14400000
},
{
"durationMs": 43200000
},
{
"durationMs": 86400000
},
{
"durationMs": 172800000
},
{
"durationMs": 259200000
},
{
"durationMs": 604800000
},
{
"durationMs": 1209600000
},
{
"durationMs": 2419200000
},
{
"durationMs": 2592000000
},
{
"durationMs": 5184000000
},
{
"durationMs": 7776000000
}
]
},
"timeContext": {
"durationMs": 86400000
},
"value": {
"durationMs": 7776000000
}
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 2"
},
{
"type": 1,
"content": {
"json": "### Overview",
"style": "info"
},
"name": "text - 22"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "union (SigninLogs\n| where AppDisplayName == \"Medeina Service\"\n| extend City = tostring(parse_json(Location).city)\n| extend ST = parse_json(Location).state\n| extend LAT = tostring(parse_json(tostring(parse_json(Location).geoCoordinates)).latitude)\n| extend LONG = tostring(parse_json(tostring(parse_json(Location).geoCoordinates)).longitude)),\n(AADNonInteractiveUserSignInLogs\n| where AppDisplayName == \"Medeina Service\"\n| extend City = tostring(parse_json(LocationDetails).city)\n| extend ST = parse_json(LocationDetails).state\n| extend LAT = tostring(parse_json(tostring(parse_json(LocationDetails).geoCoordinates)).latitude)\n| extend LONG = tostring(parse_json(tostring(parse_json(LocationDetails).geoCoordinates)).longitude))\n| extend City = \"Mumbai\", LAT = \"19.076000213623048\", LONG = \"72.87770080566406\"\n| summarize count() by City, LAT, LONG\n",
"size": 1,
"title": "User Signins across the globe",
"timeContextFromParameter": "Timespan",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "map",
"mapSettings": {
"locInfo": "LatLong",
"latitude": "LAT",
"longitude": "LONG",
"sizeSettings": "count_",
"sizeAggregation": "Sum",
"labelSettings": "City",
"legendMetric": "count_",
"legendAggregation": "Sum",
"itemColorSettings": {
"nodeColorField": "count_",
"colorAggregation": "Sum",
"type": "heatmap",
"heatmapPalette": "greenRed"
}
}
},
"customWidth": "30",
"name": "query - 2 - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "union SigninLogs,\nAADNonInteractiveUserSignInLogs\n| where ResourceDisplayName has \"Medeina\"\n| project TimeGenerated, ResourceDisplayName, AppDisplayName, toint(ProcessingTimeInMs)\n| summarize Total_Processing_Time_in_ms = sum(ProcessingTimeInMs) by AppDisplayName",
"size": 1,
"title": "Process time with each apps",
"timeContextFromParameter": "Timespan",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart",
"chartSettings": {
"showMetrics": false,
"showLegend": true
}
},
"customWidth": "20",
"name": "query - 2 - Copy - Copy - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "union SigninLogs,\nAADNonInteractiveUserSignInLogs\n| where AppDisplayName == \"Medeina Portal\" \n| where ResultType == \"50074\" \n| summarize count() by UserPrincipalName\n| extend Status = 3",
"size": 1,
"title": "Failed MFA authentication against the Standalone experience.",
"timeContextFromParameter": "Timespan",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "count_",
"formatter": 8,
"formatOptions": {
"palette": "redDark"
}
},
{
"columnMatch": "Status",
"formatter": 11
}
]
}
},
"customWidth": "30",
"name": "query - 2 - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "AADNonInteractiveUserSignInLogs\n| where ResourceDisplayName has \"Medeina\"\n| project TimeGenerated, ResourceDisplayName, AppDisplayName, toint(ProcessingTimeInMs)\n| summarize Avg_Processing_Time_in_ms = avg(ProcessingTimeInMs) by ResourceDisplayName",
"size": 1,
"title": "Average of SCU processing time",
"timeContextFromParameter": "Timespan",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"tileSettings": {
"titleContent": {
"columnMatch": "ResourceDisplayName",
"formatter": 1
},
"leftContent": {
"columnMatch": "Avg_Processing_Time_in_ms",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
},
"showBorder": false
}
},
"customWidth": "20",
"name": "query - 2 - Copy"
},
{
"type": 1,
"content": {
"json": "### SignIns",
"style": "info"
},
"name": "text - 23"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "union SigninLogs,\nAADNonInteractiveUserSignInLogs\n| where AppDisplayName == \"Medeina Portal\" \n| where ResultType ==0\n| summarize count() by bin(TimeGenerated, {Timespan:grain})",
"size": 1,
"title": "Successful Login Over Time",
"timeContextFromParameter": "Timespan",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "timechart"
},
"name": "query - 2 - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "union SigninLogs,\nAADNonInteractiveUserSignInLogs\n| where AppDisplayName == \"Medeina Portal\" \n| where ResultType == 0\n| summarize count() by UserPrincipalName\n| order by count_ desc\n| limit 5",
"size": 1,
"title": "Top 5 Users with Successful Login",
"timeContextFromParameter": "Timespan",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "barchart"
},
"name": "query - 2 - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "union SigninLogs,\nAADNonInteractiveUserSignInLogs\n| where ResourceDisplayName == \"Medeina Service\"\n| where ResultType ==0",
"size": 1,
"title": "Successful Logins",
"timeContextFromParameter": "Timespan",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "query - 2 - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "AADNonInteractiveUserSignInLogs\n| where AppDisplayName == \"Medeina Service\"\n| summarize count() by bin (TimeGenerated,{Timespan:grain})",
"size": 1,
"title": "Non Interactive User SignIns Over Time",
"timeContextFromParameter": "Timespan",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "timechart"
},
"name": "query - 2"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "AADNonInteractiveUserSignInLogs\n| where AppDisplayName == \"Medeina Service\"\n| summarize count() by UserPrincipalName\n| order by count_ desc\n| limit 5\n",
"size": 1,
"title": "Top 5 Users Non Interactive SignIns",
"timeContextFromParameter": "Timespan",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "barchart",
"gridSettings": {
"filter": true
}
},
"name": "query - 2 - Copy - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "AADNonInteractiveUserSignInLogs\n| where AppDisplayName == \"Medeina Service\"\n| extend Burg = parse_json(LocationDetails).city\n| extend ST = parse_json(LocationDetails).state\n| extend LAT = parse_json(tostring(parse_json(LocationDetails).geoCoordinates)).latitude\n| extend LONG = parse_json(tostring(parse_json(LocationDetails).geoCoordinates)).longitude\n| project TimeGenerated, Identity, Burg, ST, LAT, LONG\n| order by TimeGenerated desc\n",
"size": 1,
"title": "Non Interactive User SignIns from Locations",
"timeContextFromParameter": "Timespan",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"filter": true
}
},
"name": "query - 2 - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SigninLogs \n| where AppDisplayName == \"Medeina Portal\" \n| where ResultType == \"50074\" \n| extend city = LocationDetails.city \n| extend state = LocationDetails.state \n| extend region = LocationDetails.countryOrRegion \n| extend latitude = parse_json(tostring(LocationDetails.geoCoordinates)).latitude \n| extend longitude = parse_json(tostring(LocationDetails.geoCoordinates)).longitude \n| project UserDisplayName, UserPrincipalName, UserType, city, state, region, latitude, longitude, AADTenantId",
"size": 1,
"title": "Failed MFA authentication against the Standalone experience",
"timeContextFromParameter": "Timespan",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"filter": true
}
},
"name": "query - 2 - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SigninLogs \n| where AppDisplayName == \"Medeina Portal\" \n| where ResultType != 0 \n| extend city = LocationDetails.city \n| extend state = LocationDetails.state \n| extend region = LocationDetails.countryOrRegion \n| extend latitude = parse_json(tostring(LocationDetails.geoCoordinates)).latitude \n| extend longitude = parse_json(tostring(LocationDetails.geoCoordinates)).longitude \n| project UserPrincipalName,IPAddress, UserType, city, state, region, latitude, longitude, AADTenantId",
"size": 1,
"title": "Failed Logins against the Standalone experience",
"timeContextFromParameter": "Timespan",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"filter": true
}
},
"name": "query - 2 - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "union SigninLogs,\nAADNonInteractiveUserSignInLogs\n| where TimeGenerated >ago(30d)\n| where AppDisplayName == \"Medeina Portal\" \n| summarize SuccessfulLogin = countif(ResultType == 0), FailedLogin = countif(ResultType != 0) by UserPrincipalName",
"size": 1,
"title": "Success vs Failed Logins for Users",
"timeContextFromParameter": "Timespan",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "SuccessfulLogin",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "colors",
"thresholdsGrid": [
{
"operator": "Default",
"thresholdValue": null,
"representation": "green",
"text": "{0}{1}"
}
]
}
},
{
"columnMatch": "FailedLogin",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "colors",
"thresholdsGrid": [
{
"operator": "Default",
"thresholdValue": null,
"representation": "red",
"text": "{0}{1}"
}
]
}
}
],
"filter": true
}
},
"name": "query - 2 - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy"
},
{
"type": 1,
"content": {
"json": "### Activity",
"style": "info"
},
"name": "text - 24"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "//Average of SCU processing time by resource\n\nAADNonInteractiveUserSignInLogs\n| where ResourceDisplayName has \"Medeina\"\n| summarize Avg_Processing_Time_in_ms = avg(toint(ProcessingTimeInMs)) by AppDisplayName",
"size": 1,
"title": "Average of SCU processing time by resource",
"timeContextFromParameter": "Timespan",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "Avg_Processing_Time_in_ms",
"formatter": 8,
"formatOptions": {
"palette": "blue"
}
}
]
}
},
"customWidth": "50",
"name": "query - 2 - Copy - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "//Average of SCU processing time by resource\n\nAADNonInteractiveUserSignInLogs\n| where ResourceDisplayName has \"Medeina\"\n| summarize Total_Processing_Time_in_ms = sum(toint(ProcessingTimeInMs)) by AppDisplayName",
"size": 1,
"title": "Total of SCU processing time by resource",
"timeContextFromParameter": "Timespan",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "Total_Processing_Time_in_ms",
"formatter": 8,
"formatOptions": {
"palette": "blue"
}
},
{
"columnMatch": "Avg_Processing_Time_in_ms",
"formatter": 8,
"formatOptions": {
"palette": "blue"
}
}
]
}
},
"customWidth": "50",
"name": "query - 2 - Copy - Copy - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "//Users created or changed Copilot for Security SCUs\n\nAzureActivity\n| where OperationNameValue == \"MICROSOFT.SECURITYCOPILOT/CAPACITIES/WRITE\"\n| where ActivityStatusValue == \"Success\"\n| summarize count() by Caller",
"size": 1,
"title": "Users created or changed Copilot for Security SCUs",
"timeContextFromParameter": "Timespan",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"customWidth": "50",
"name": "query - 2 - Copy - Copy - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "//Role that enabled Copilot for Security\nAzureActivity\n| where OperationNameValue == \"MICROSOFT.SECURITYCOPILOT/REGISTER/ACTION\"\n| where ActivityStatusValue == \"Success\"\n| extend role_ = tostring(parse_json(tostring(parse_json(Authorization).evidence)).role)\n| summarize count() by role_",
"size": 1,
"title": "Role that enabled Copilot for Security",
"timeContextFromParameter": "Timespan",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "count_",
"formatter": 8,
"formatOptions": {
"palette": "blue"
}
}
]
}
},
"customWidth": "50",
"name": "query - 2 - Copy - Copy - Copy - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CloudAppEvents\n| where ActionType == \"Write Capacities\"\n| project AccountDisplayName, City, CountryCode, ISP, ObjectName",
"size": 1,
"title": "Capacity changes captured in CloudAppEvents",
"timeContextFromParameter": "Timespan",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "query - 2 - Copy - Copy - Copy - Copy - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CloudAppEvents\n| where ActionType == \"Register Microsoft.SecurityCopilot\"\n| project AccountDisplayName, City, CountryCode, ISP, ObjectName",
"size": 1,
"title": "Identify enabling Copilot for Security in the CloudAppEvents log",
"timeContextFromParameter": "Timespan",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "query - 2 - Copy - Copy - Copy - Copy - Copy - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "AADNonInteractiveUserSignInLogs \n| where AppDisplayName == \"Microsoft 365 Security and Compliance Center\" \n| where ResourceDisplayName has \"Medeina\" \n| extend city_ = tostring(parse_json(LocationDetails).city) \n| extend countryOrRegion_ = tostring(parse_json(LocationDetails).countryOrRegion) \n| extend latitude_ = tostring(parse_json(tostring(parse_json(LocationDetails).geoCoordinates)).latitude) \n| extend longitude_ = tostring(parse_json(tostring(parse_json(LocationDetails).geoCoordinates)).longitude) \n| extend state_ = tostring(parse_json(LocationDetails).state) \n| project TimeGenerated, Identity, UserType, UserPrincipalName, city_, countryOrRegion_, state_, latitude_, longitude_, ResourceDisplayName, AppDisplayName, ProcessingTimeInMs",
"size": 1,
"title": "Activities from Unified Console",
"timeContextFromParameter": "Timespan",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "query - 2 - Copy - Copy - Copy - Copy - Copy - Copy - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "//Identifies when the Intune extension for CfS has been used\n\nAADNonInteractiveUserSignInLogs \n| where AppDisplayName == \"Microsoft Intune portal extension\" \n| extend city_ = tostring(parse_json(LocationDetails).city) \n| extend countryOrRegion_ = tostring(parse_json(LocationDetails).countryOrRegion) \n| extend latitude_ = tostring(parse_json(tostring(parse_json(LocationDetails).geoCoordinates)).latitude) \n| extend longitude_ = tostring(parse_json(tostring(parse_json(LocationDetails).geoCoordinates)).longitude) \n| extend state_ = tostring(parse_json(LocationDetails).state) \n| project TimeGenerated, Identity, UserType, UserPrincipalName, city_, countryOrRegion_, state_, latitude_, longitude_, ResourceDisplayName, AppDisplayName, ProcessingTimeInMs;",
"size": 1,
"title": "Identifies when the Intune extension for CfS has been used",
"timeContextFromParameter": "Timespan",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "query - 2 - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "resources\r\n| where type == \"microsoft.securitycopilot/capacities\"\r\n| extend GEO = tostring(properties['geo'])\r\n| extend NumberofSCUs = tostring(properties['numberOfUnits'])\r\n| extend State = tostring(properties['provisioningState'])\r\n| project ComputeName = name, location, resourceGroup, ['type'], NumberofSCUs, GEO, State, subscriptionId, tenantId",
"size": 0,
"title": "Current Copilot Instances from Azure Resource Graph Explorer",
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
},
"name": "query - 14"
}
],
"fallbackResourceIds": [],
"fromTemplateId": "sentinel-MicrosoftCopilotforSecurity",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}
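Review bot: The "User Signins across the globe" map query (L109) ends with `| extend City = \"Mumbai\", LAT = \"19.076000213623048\", LONG = \"72.87770080566406\"` right after the real City/LAT/LONG are parsed from Location and LocationDetails, so every row is overwritten with one fixed point and the map plots all sign-ins in Mumbai; that line looks like a leftover demo override and should be removed so the preceding `summarize count() by City, LAT, LONG` groups on the parsed coordinates. The "Success vs Failed Logins for Users" tile (L352) hard-codes `| where TimeGenerated >ago(30d)` while also binding `timeContextFromParameter` to Timespan, so the Timespan pills cannot widen the window beyond 30 days for that tile; drop the `ago(30d)` filter and let the parameter govern it like the other tiles. The Intune query at L543 ends with a trailing `;` after its final `project`, which the other KqlItem queries do not carry and which may be rejected by the workbook's query runner — confirm it parses, or remove it. The "Total of SCU processing time by resource" tile (L433) still carries the `//Average of SCU processing time by resource` header comment and a formatter for an `Avg_Processing_Time_in_ms` column that the query does not emit, and the intro text at L20 spells "Secuirty"; these are cosmetic but visible to every user of the workbook.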