Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

updating logic to new fields OperationNameValue

This commit is contained in:
Ashwin Patil 2021-09-17 18:18:33 -07:00
Родитель 4f2151a13c
Коммит b6067f45cc
2 изменённых файлов: 3 добавлений и 3 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

2
Tools/Sample Code/AzureSentinel-ManagementAPICsharp/AzureSentinel_ManagementAPI/Templates/ScheduledAlertRulePayload/ScheduledAlertRulePayload.json
Просмотреть файл

@ -10,7 +10,7 @@
"Persistence", "Persistence",
"LateralMovement" "LateralMovement"
], ],
"query": "AzureActivity | where isnotempty(OperationName)", "query": "AzureActivity | where isnotempty(OperationNameValue)",
"queryFrequency": "PT1H", "queryFrequency": "PT1H",
"queryPeriod": "P2DT1H30M", "queryPeriod": "P2DT1H30M",
"triggerOperator": "GreaterThan", "triggerOperator": "GreaterThan",

4
Workbooks/AzureActivity.json
Просмотреть файл

@ -180,7 +180,7 @@
"type": 3, "type": 3,
"content": { "content": {
"version": "KqlItem/1.0", "version": "KqlItem/1.0",
"query": "AzureActivity\r\n| where \"{Caller:lable}\" == \"All\" or Caller in ({Caller})\r\n| where \"{ResourceGroup:lable}\" == \"All\" or ResourceGroup in ({ResourceGroup})\r\n| summarize deletions = countif(OperationName contains \"Delete\"), creations = countif(OperationName contains \"Create\"), updates = countif(OperationName contains \"Update\"), Activities = count(OperationName) by bin_at(TimeGenerated, 1h, now())\r\n", "query": "AzureActivity\r\n| where \"{Caller:lable}\" == \"All\" or Caller in ({Caller})\r\n| where \"{ResourceGroup:lable}\" == \"All\" or ResourceGroup in ({ResourceGroup})\r\n| summarize deletions = countif(OperationNameValue endswith \"delete\"), creations = countif(OperationNameValue endswith \"write\"), updates = countif(OperationNameValue endswith \"write\"), Activities = count(OperationNameValue) by bin_at(TimeGenerated, 1h, now())\r\n",
"size": 0, "size": 0,
"exportToExcelOptions": "visible", "exportToExcelOptions": "visible",
"title": "Activities over time", "title": "Activities over time",
@ -202,7 +202,7 @@
"type": 3, "type": 3,
"content": { "content": {
"version": "KqlItem/1.0", "version": "KqlItem/1.0",
"query": "AzureActivity\r\n| where \"{Caller:lable}\" == \"All\" or Caller in ({Caller})\r\n| where \"{ResourceGroup:lable}\" == \"All\" or ResourceGroup in ({ResourceGroup})\r\n| summarize deletions = countif(OperationName contains \"Delete\"), creations = countif(OperationName contains \"Create\"), updates = countif(OperationName contains \"Update\"), Activities = count() by Caller\r\n", "query": "AzureActivity\r\n| where \"{Caller:lable}\" == \"All\" or Caller in ({Caller})\r\n| where \"{ResourceGroup:lable}\" == \"All\" or ResourceGroup in ({ResourceGroup})\r\n| summarize deletions = countif(OperationNameValue endswith \"Delete\"), creations = countif(OperationNameValue endswith \"write\"), updates = countif(OperationNameValue endswith \"write\"), Activities = count() by Caller\r\n",
"size": 1, "size": 1,
"exportToExcelOptions": "visible", "exportToExcelOptions": "visible",
"title": "Caller activities", "title": "Caller activities",