Added normalized networking events workbook
Родитель
45841fb56b
Коммит
ba858dcd1f
Двоичный файл не отображается.
После Ширина: | Высота: | Размер: 278 KiB |
Двоичный файл не отображается.
После Ширина: | Высота: | Размер: 257 KiB |
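--- /dev/null
+++ b/<path-not-shown-on-page>
@@ -0,0 +1,399 @@
+{
+"version": "Notebook/1.0",
+"items": [
+{
+"type": 1,
+"content": {
+"json": "## Networking events (Normalized Networking table v1.0.0)\n\nThis workbook displays networking information across network appliances with parsers enabled to the normalized networking table in Sentinel. \nTo learn more about normalization in Sentinel, please visit the [Sentinel normalization documentation](https://aka.ms/sentinelnormalizationdocs)"
+},
+"name": "text - 2"
+},
+{
+"type": 9,
+"content": {
+"version": "KqlParameterItem/1.0",
+"parameters": [
+{
+"id": "64649b80-6857-4779-a918-bf69a5968ade",
+"version": "KqlParameterItem/1.0",
+"name": "TimeRange",
+"type": 4,
+"isRequired": true,
+"value": {
+"durationMs": 604800000
+},
+"typeSettings": {
+"selectableValues": [
+{
+"durationMs": 300000
+},
+{
+"durationMs": 900000
+},
+{
+"durationMs": 1800000
+},
+{
+"durationMs": 3600000
+},
+{
+"durationMs": 14400000
+},
+{
+"durationMs": 43200000
+},
+{
+"durationMs": 86400000
+},
+{
+"durationMs": 172800000
+},
+{
+"durationMs": 259200000
+},
+{
+"durationMs": 604800000
+},
+{
+"durationMs": 1209600000
+},
+{
+"durationMs": 2419200000
+},
+{
+"durationMs": 2592000000
+},
+{
+"durationMs": 5184000000
+},
+{
+"durationMs": 7776000000
+}
+],
+"allowCustom": true
+}
+}
+],
+"style": "pills",
+"queryType": 0,
+"resourceType": "microsoft.operationalinsights/workspaces"
+},
+"name": "parameters - 1"
+},
+{
+"type": 3,
+"content": {
+"version": "KqlItem/1.0",
+"query": "let data = Network_MetaParser;\r\ndata\r\n| summarize Count = count() by EventVendor\r\n| join kind = inner\r\n(\r\n data\r\n | make-series Trend = count() default = 0 on TimeGenerated from ago(30d) to now() step 1d by EventVendor) on EventVendor\r\n | project-away EventVendor1, TimeGenerated\r\n | extend EventVendors = EventVendor\r\n | union ( data\r\n | summarize Count = count()\r\n | extend jkey = 1\r\n | join kind=inner\r\n (\r\n data\r\n | make-series Trend = count() default = 0 on TimeGenerated from ago(30d) to now() step 1d\r\n | extend jkey = 1\r\n )\r\n on jkey\r\n | extend EventVendor = 'All', EventVendors = '*' )\r\n | order by Count desc\r\n | take 10",
+"size": 4,
+"title": "Networking events, by device vendor",
+"timeContext": {
+"durationMs": 604800000
+},
+"timeContextFromParameter": "TimeRange",
+"exportFieldName": "EventVendor",
+"exportParameterName": "ReportingDeviceVendors",
+"exportDefaultValue": "All",
+"queryType": 0,
+"resourceType": "microsoft.operationalinsights/workspaces",
+"visualization": "tiles",
+"tileSettings": {
+"titleContent": {
+"columnMatch": "EventVendor",
+"formatter": 1,
+"formatOptions": {}
+},
+"leftContent": {
+"columnMatch": "Count",
+"formatter": 12,
+"formatOptions": {
+"palette": "auto"
+},
+"numberFormat": {
+"unit": 17,
+"options": {
+"maximumSignificantDigits": 3,
+"maximumFractionDigits": 2
+}
+}
+},
+"secondaryContent": {
+"columnMatch": "Trend",
+"formatter": 21,
+"formatOptions": {
+"min": 0,
+"palette": "blue"
+}
+},
+"showBorder": false
+}
+},
+"name": "query - 2"
+},
+{
+"type": 3,
+"content": {
+"version": "KqlItem/1.0",
+"query": "Network_MetaParser\r\n| where EventVendor == '{ReportingDeviceVendors}' or '{ReportingDeviceVendors}' == \"All\"\r\n| make-series count() on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by DvcAction\r\n",
+"size": 0,
+"title": "Device actions over time",
+"timeContext": {
+"durationMs": 604800000
+},
+"timeContextFromParameter": "TimeRange",
+"timeBrushParameterName": "TimeBrush",
+"queryType": 0,
+"resourceType": "microsoft.operationalinsights/workspaces",
+"visualization": "timechart"
+},
+"customWidth": "50",
+"name": "query - 5 - Copy"
+},
+{
+"type": 3,
+"content": {
+"version": "KqlItem/1.0",
+"query": "let data = Network_MetaParser\r\n| where EventVendor == '{ReportingDeviceVendors}' or '{ReportingDeviceVendors}' == \"All\";\r\nlet countryData = data\r\n| summarize TotalCount = count() by EventVendor\r\n| join kind=inner\r\n(\r\n data\r\n | make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by EventVendor\r\n | project-away TimeGenerated\r\n)\r\non EventVendor\r\n| project EventVendor, TotalCount, Trend\r\n| order by TotalCount desc, EventVendor asc;\r\ndata\r\n| summarize TotalCount = count() by EventVendor, EventProduct\r\n| join kind=inner\r\n(\r\n data \r\n | make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by EventVendor, EventProduct\r\n | project-away TimeGenerated\r\n)\r\non EventVendor, EventProduct\r\n| order by TotalCount desc, EventVendor asc\r\n| project EventVendor, EventProduct,TotalCount, Trend\r\n| join kind=inner\r\n(\r\n countryData\r\n)\r\non EventVendor\r\n| project Id = EventProduct, Name = EventProduct, Type = 'Device Product', TotalCount, Trend, ParentId = EventVendor\r\n| union (countryData\r\n| project Id = EventVendor, Name = EventVendor, Type = 'Device Vendor', TotalCount, Trend, ParentId = 'root')\r\n| order by TotalCount desc, Name asc\r\n",
+"size": 0,
+"showAnalytics": true,
+"title": "Device actions over time",
+"timeContext": {
+"durationMs": 86400000
+},
+"showExportToExcel": true,
+"queryType": 0,
+"resourceType": "microsoft.operationalinsights/workspaces",
+"visualization": "table",
+"showExpandCollapseGrid": true,
+"gridSettings": {
+"formatters": [
+{
+"columnMatch": "Id",
+"formatter": 5,
+"formatOptions": {}
+},
+{
+"columnMatch": "TotalCount",
+"formatter": 3,
+"formatOptions": {
+"min": 0,
+"palette": "blue",
+"aggregation": "Sum"
+}
+},
+{
+"columnMatch": "Trend",
+"formatter": 9,
+"formatOptions": {
+"min": 0,
+"palette": "purple"
+}
+},
+{
+"columnMatch": "ParentId",
+"formatter": 5,
+"formatOptions": {}
+}
+],
+"hierarchySettings": {
+"idColumn": "Id",
+"parentColumn": "ParentId",
+"treeType": 0,
+"expanderColumn": "Name"
+}
+}
+},
+"customWidth": "50",
+"name": "query - 5 - Copy - Copy"
+},
+{
+"type": 12,
+"content": {
+"version": "NotebookGroup/1.0",
+"groupType": "editable",
+"title": "Generic information - click on the items to filter the data",
+"items": [
+{
+"type": 3,
+"content": {
+"version": "KqlItem/1.0",
+"query": "Network_MetaParser\r\n| where EventVendor == '{ReportingDeviceVendors}' or '{ReportingDeviceVendors}' == \"All\"\r\n| where SrcIpAddr != \"\"\r\n| summarize Count = count() by SourceIP = SrcIpAddr\r\n| order by Count",
+"size": 0,
+"showAnalytics": true,
+"title": "Source IP addreses",
+"timeContext": {
+"durationMs": 0
+},
+"timeContextFromParameter": "TimeBrush",
+"exportFieldName": "SourceIP",
+"exportParameterName": "SourceIP",
+"exportDefaultValue": "All",
+"showExportToExcel": true,
+"queryType": 0,
+"resourceType": "microsoft.operationalinsights/workspaces",
+"gridSettings": {
+"formatters": [
+{
+"columnMatch": "Count",
+"formatter": 8,
+"formatOptions": {
+"min": 0,
+"palette": "blueOrange"
+}
+}
+],
+"rowLimit": 10000,
+"filter": true
+}
+},
+"customWidth": "25",
+"name": "query - 3"
+},
+{
+"type": 3,
+"content": {
+"version": "KqlItem/1.0",
+"query": "Network_MetaParser\r\n| where \"All\" == '{SourceIP}' or SrcIpAddr == '{SourceIP}'\r\n| where EventVendor == '{ReportingDeviceVendors}' or '{ReportingDeviceVendors}' == \"All\"\r\n| where SrcIpAddr != \"\"\r\n| summarize Count = count() by DestinationIP = DstIpAddr\r\n| order by Count",
+"size": 0,
+"showAnalytics": true,
+"title": "Destination IP addreses",
+"timeContext": {
+"durationMs": 0
+},
+"timeContextFromParameter": "TimeBrush",
+"exportFieldName": "DestinationIP",
+"exportParameterName": "DestinationIP",
+"exportDefaultValue": "All",
+"showExportToExcel": true,
+"queryType": 0,
+"resourceType": "microsoft.operationalinsights/workspaces",
+"gridSettings": {
+"formatters": [
+{
+"columnMatch": "Count",
+"formatter": 8,
+"formatOptions": {
+"min": 0,
+"palette": "blueOrange"
+}
+}
+],
+"rowLimit": 10000,
+"filter": true
+}
+},
+"customWidth": "25",
+"name": "query - 3 - Copy"
+},
+{
+"type": 3,
+"content": {
+"version": "KqlItem/1.0",
+"query": "Network_MetaParser\r\n| where \"All\" == '{SourceIP}' or SrcIpAddr == '{SourceIP}'\r\n| where \"All\" == '{DestinationIP}' or DstIpAddr == '{DestinationIP}'\r\n| where EventVendor == '{ReportingDeviceVendors}' or '{ReportingDeviceVendors}' == \"All\"\r\n| where SrcIpAddr != \"\"\r\n| summarize Count = count() by DestinationPort = DstPortNumber\r\n| order by Count",
+"size": 0,
+"showAnalytics": true,
+"title": "Destination port",
+"timeContext": {
+"durationMs": 0
+},
+"timeContextFromParameter": "TimeBrush",
+"exportFieldName": "DestinationPort",
+"exportParameterName": "DestinationPort",
+"exportDefaultValue": "All",
+"showExportToExcel": true,
+"queryType": 0,
+"resourceType": "microsoft.operationalinsights/workspaces",
+"gridSettings": {
+"formatters": [
+{
+"columnMatch": "Count",
+"formatter": 8,
+"formatOptions": {
+"min": 0,
+"palette": "blueOrange"
+}
+}
+],
+"rowLimit": 10000,
+"filter": true
+}
+},
+"customWidth": "25",
+"name": "query - 3 - Copy - Copy"
+},
+{
+"type": 3,
+"content": {
+"version": "KqlItem/1.0",
+"query": "Network_MetaParser\r\n| where \"All\" == '{SourceIP}' or SrcIpAddr == '{SourceIP}'\r\n| where \"All\" == '{DestinationIP}' or DstIpAddr == '{DestinationIP}'\r\n| where EventVendor == '{ReportingDeviceVendors}' or '{ReportingDeviceVendors}' == \"All\"\r\n| where \"All\" == '{DestinationPort}' or DstPortNumber == '{DestinationPort}'\r\n| where SrcIpAddr != \"\"\r\n| summarize Count = count() by ApplicationLayerProtocol = NetworkApplicationProtocol\r\n| order by Count",
+"size": 0,
+"showAnalytics": true,
+"title": "Application protocol",
+"timeContext": {
+"durationMs": 0
+},
+"timeContextFromParameter": "TimeBrush",
+"exportFieldName": "ApplicationLayerProtocol",
+"exportParameterName": "ApplicationLayerProtocol",
+"exportDefaultValue": "All",
+"showExportToExcel": true,
+"queryType": 0,
+"resourceType": "microsoft.operationalinsights/workspaces",
+"gridSettings": {
+"formatters": [
+{
+"columnMatch": "Count",
+"formatter": 8,
+"formatOptions": {
+"min": 0,
+"palette": "blueOrange"
+}
+}
+],
+"rowLimit": 10000,
+"filter": true
+}
+},
+"customWidth": "25",
+"name": "Application protocol"
+},
+{
+"type": 3,
+"content": {
+"version": "KqlItem/1.0",
+"query": "Network_MetaParser\r\n| where \"All\" == '{SourceIP}' or SrcIpAddr == '{SourceIP}'\r\n| where \"All\" == '{DestinationIP}' or DstIpAddr == '{DestinationIP}'\r\n| where EventVendor == '{ReportingDeviceVendors}' or '{ReportingDeviceVendors}' == \"All\"\r\n| where \"All\" == '{DestinationPort}' or DstPortNumber == '{DestinationPort}'\r\n| where \"All\" == '{ApplicationLayerProtocol}' or NetworkApplicationProtocol == '{ApplicationLayerProtocol}'\r\n| summarize Count = count() by ReportingDeviceVendor = EventVendor, SourceIP = SrcIpAddr, DestinationIP = DstIpAddr, DestinationPort = DstPortNumber, ApplicationLayerProtocol = NetworkApplicationProtocol, NetworkProtocol = NetworkProtocol, DeviceAction = DvcAction\r\n| order by Count",
+"size": 0,
+"showAnalytics": true,
+"timeContext": {
+"durationMs": 0
+},
+"timeContextFromParameter": "TimeBrush",
+"showExportToExcel": true,
+"queryType": 0,
+"resourceType": "microsoft.operationalinsights/workspaces",
+"gridSettings": {
+"formatters": [
+{
+"columnMatch": "Count",
+"formatter": 4,
+"formatOptions": {
+"min": 0,
+"palette": "blue"
+}
+}
+],
+"rowLimit": 10000,
+"filter": true
+},
+"sortBy": []
+},
+"name": "query - 3 - Copy"
+}
+]
+},
+"name": "Generic Filters"
+}
+],
+"fromTemplateId": "sentinel-NetworkNormalization",
+"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
+}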
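Review bot: The filter `DstPortNumber == '{DestinationPort}'` in the "Application protocol" grid and in the final summary grid compares the port column against a quoted string literal; if DstPortNumber is an integer column in Network_MetaParser (the normalized network schema declares it as one), Kusto should reject the int-to-string comparison at query compile time, so the grid breaks not only when a port is picked but also with the default "All", because the second disjunct is type-checked even when the first is true. Casting the column makes the predicate type-safe for both cases: `| where "All" == '{DestinationPort}' or tostring(DstPortNumber) == '{DestinationPort}'`. The same raw-substitution pattern is used for SourceIP, DestinationIP and ApplicationLayerProtocol, whose values are exported from grid cells and therefore come straight from log data; a value containing a single quote (protocol and vendor strings are not constrained the way IP addresses are) would break the query instead of filtering, so those parameters should be routed through a quote-escaping parameter format or the filter grids limited to columns with a constrained character set. Separately, the tree grid item "query - 5 - Copy - Copy" reuses the timechart's title "Device actions over time" although it shows event counts by vendor and product, so a title such as `"title": "Networking events, by device vendor and product"` would describe it, and "addreses" is misspelled in the two IP grid titles.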