Workbooks: first commit
This commit is contained in:
Alex Verbniak
Родитель
25f6111b42
Коммит
d4a13fd133
|
|
@ -0,0 +1,362 @@
|
|||
{
|
||||
"version": "Notebook/1.0",
|
||||
"items": [
|
||||
{
|
||||
"type": 1,
|
||||
"content": {
|
||||
"json": "## Cisco Identity Services Engine\nCisco ISE allows you to provide highly secure network access to users and devices. It helps you gain visibility into what is happening in your network, such as who is connected, which applications are installed and running, and much more. It also shares vital contextual data, such as user and device identities, threats, and vulnerabilities with integrated solutions from Cisco technology partners, so you can identify, contain, and remediate threats faster.",
|
||||
"style": "info"
|
||||
},
|
||||
"name": "Text"
|
||||
},
|
||||
{
|
||||
"type": 9,
|
||||
"content": {
|
||||
"version": "KqlParameterItem/1.0",
|
||||
"parameters": [
|
||||
{
|
||||
"id": "88aa96e3-fc48-4b04-836e-fc2ec8ebf37f",
|
||||
"version": "KqlParameterItem/1.0",
|
||||
"name": "TimeRange",
|
||||
"label": " Time Range",
|
||||
"type": 4,
|
||||
"value": {
|
||||
"durationMs": 2592000000
|
||||
},
|
||||
"typeSettings": {
|
||||
"selectableValues": [
|
||||
{
|
||||
"durationMs": 300000
|
||||
},
|
||||
{
|
||||
"durationMs": 3600000
|
||||
},
|
||||
{
|
||||
"durationMs": 43200000
|
||||
},
|
||||
{
|
||||
"durationMs": 86400000
|
||||
},
|
||||
{
|
||||
"durationMs": 259200000
|
||||
},
|
||||
{
|
||||
"durationMs": 604800000
|
||||
},
|
||||
{
|
||||
"durationMs": 2592000000
|
||||
},
|
||||
{
|
||||
"durationMs": 7776000000
|
||||
}
|
||||
]
|
||||
},
|
||||
"timeContext": {
|
||||
"durationMs": 86400000
|
||||
}
|
||||
}
|
||||
],
|
||||
"style": "pills",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces"
|
||||
},
|
||||
"name": "Parameters"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "CiscoISEEvent\r\n| make-series TotalEvents = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by EventCategory;",
|
||||
"size": 0,
|
||||
"title": "Events over time",
|
||||
"timeContext": {
|
||||
"durationMs": 2592000000
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "timechart"
|
||||
},
|
||||
"customWidth": "70",
|
||||
"name": "EventsOverTime"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "CiscoISEEvent\r\n| summarize TotalEvents = count() by EventSeverity",
|
||||
"size": 4,
|
||||
"title": "Event Severity Distribution",
|
||||
"timeContext": {
|
||||
"durationMs": 2592000000
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "tiles",
|
||||
"tileSettings": {
|
||||
"titleContent": {
|
||||
"columnMatch": "EventSeverity",
|
||||
"formatter": 1,
|
||||
"numberFormat": {
|
||||
"unit": 0,
|
||||
"options": {
|
||||
"style": "decimal"
|
||||
}
|
||||
}
|
||||
},
|
||||
"leftContent": {
|
||||
"columnMatch": "TotalEvents",
|
||||
"formatter": 12,
|
||||
"formatOptions": {
|
||||
"palette": "auto"
|
||||
}
|
||||
},
|
||||
"showBorder": true,
|
||||
"rowLimit": 7,
|
||||
"size": "auto"
|
||||
},
|
||||
"graphSettings": {
|
||||
"type": 0,
|
||||
"topContent": {
|
||||
"columnMatch": "EventSeverity",
|
||||
"formatter": 1
|
||||
},
|
||||
"centerContent": {
|
||||
"columnMatch": "TotalEvents",
|
||||
"formatter": 1,
|
||||
"numberFormat": {
|
||||
"unit": 17,
|
||||
"options": {
|
||||
"maximumSignificantDigits": 3,
|
||||
"maximumFractionDigits": 2
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"customWidth": "30",
|
||||
"name": "EventSeverityDistribution"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "CiscoISEEvent\n| summarize TotalEvents = count() by EventCategory\n| join kind = inner (CiscoISEEvent\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by EventCategory)\n on EventCategory\n| project-away EventCategory1, TimeGenerated\n| project EventCategory, TotalEvents, Trend\n| order by TotalEvents desc\n\n\n",
|
||||
"size": 4,
|
||||
"title": "Event Categories Distribution",
|
||||
"timeContext": {
|
||||
"durationMs": 2592000000
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "tiles",
|
||||
"tileSettings": {
|
||||
"titleContent": {
|
||||
"columnMatch": "EventCategory",
|
||||
"formatter": 1
|
||||
},
|
||||
"leftContent": {
|
||||
"columnMatch": "TotalEvents",
|
||||
"formatter": 12,
|
||||
"formatOptions": {
|
||||
"palette": "auto"
|
||||
},
|
||||
"numberFormat": {
|
||||
"unit": 17,
|
||||
"options": {
|
||||
"maximumSignificantDigits": 3,
|
||||
"maximumFractionDigits": 2
|
||||
}
|
||||
}
|
||||
},
|
||||
"secondaryContent": {
|
||||
"columnMatch": "Trend",
|
||||
"formatter": 9,
|
||||
"formatOptions": {
|
||||
"palette": "blue"
|
||||
}
|
||||
},
|
||||
"showBorder": false,
|
||||
"rowLimit": 10
|
||||
}
|
||||
},
|
||||
"name": "EventCategoriesDistribution"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "CiscoISEEvent\r\n| where DvcHostname != ''\r\n| summarize TotalEvents = count() by DvcHostname\r\n| join kind = inner (CiscoISEEvent\r\n | where DvcHostname != ''\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by DvcHostname)\r\n on DvcHostname\r\n| project-away DvcHostname1, TimeGenerated\r\n| project DvcHostname, TotalEvents, Trend\r\n| order by TotalEvents\r\n| take 10\r\n",
|
||||
"size": 0,
|
||||
"title": "Top Reporting Devices",
|
||||
"timeContext": {
|
||||
"durationMs": 2592000000
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"gridSettings": {
|
||||
"formatters": [
|
||||
{
|
||||
"columnMatch": "TotalEvents",
|
||||
"formatter": 8,
|
||||
"formatOptions": {
|
||||
"palette": "blueGreen"
|
||||
}
|
||||
},
|
||||
{
|
||||
"columnMatch": "Trend",
|
||||
"formatter": 10,
|
||||
"formatOptions": {
|
||||
"palette": "turquoise"
|
||||
}
|
||||
}
|
||||
],
|
||||
"rowLimit": 10,
|
||||
"labelSettings": [
|
||||
{
|
||||
"columnId": "TotalEvents",
|
||||
"label": "Total Events"
|
||||
},
|
||||
{
|
||||
"columnId": "Trend"
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
"customWidth": "31",
|
||||
"name": "TopReportingDevices"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "CiscoISEEvent\r\n| where DstUserName != ''\r\n| summarize TotalEvents = count() by DstUserName\r\n| order by TotalEvents\r\n| take 10",
|
||||
"size": 3,
|
||||
"title": "Top Users Activity (Events)",
|
||||
"timeContext": {
|
||||
"durationMs": 2592000000
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "piechart",
|
||||
"chartSettings": {
|
||||
"seriesLabelSettings": [
|
||||
{
|
||||
"seriesName": "rancid",
|
||||
"label": "John Doe"
|
||||
},
|
||||
{
|
||||
"seriesName": "JPTOK1N1571.ap.adsint.biz",
|
||||
"label": "John Smith"
|
||||
},
|
||||
{
|
||||
"seriesName": "yumas",
|
||||
"label": "root"
|
||||
},
|
||||
{
|
||||
"seriesName": "zhangsta",
|
||||
"label": "sales"
|
||||
},
|
||||
{
|
||||
"seriesName": "louluc",
|
||||
"label": "CFO"
|
||||
},
|
||||
{
|
||||
"seriesName": "JPTOK1N1536.ap.adsint.biz",
|
||||
"label": "ciseadmin"
|
||||
},
|
||||
{
|
||||
"seriesName": "prime",
|
||||
"label": "cisebackup"
|
||||
},
|
||||
{
|
||||
"seriesName": "apurva",
|
||||
"label": "ciseoperator"
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
"customWidth": "30",
|
||||
"name": "TopUsersActivity "
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "CiscoISEEvent\r\n| where EventId in ('5400', '5401')\r\n| where DstUserName != ''\r\n| summarize TotalEvents = count() by DstUserName\r\n",
|
||||
"size": 0,
|
||||
"title": "Top Users with Failed Authentication",
|
||||
"timeContext": {
|
||||
"durationMs": 2592000000
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "piechart",
|
||||
"chartSettings": {
|
||||
"seriesLabelSettings": [
|
||||
{
|
||||
"seriesName": "rancid",
|
||||
"label": "ciseadmin"
|
||||
},
|
||||
{
|
||||
"seriesName": "host/CNSHA1N5663.ap.adsint.biz",
|
||||
"label": "jsmith"
|
||||
},
|
||||
{
|
||||
"seriesName": "Anguljun",
|
||||
"label": "jdoe"
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
"customWidth": "30",
|
||||
"name": "TopUsersFailedAuthentication"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "CiscoISEEvent\r\n| where PostureStatus != ''\r\n| where PostureStatus != 'Compliant'\r\n| summarize TotalEvents = count() by DstIpAddr\r\n\r\n",
|
||||
"size": 1,
|
||||
"title": "Non-Compliant Posture Status",
|
||||
"timeContext": {
|
||||
"durationMs": 2592000000
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "piechart"
|
||||
},
|
||||
"customWidth": "50",
|
||||
"name": "NonCompliantPostureStatus"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "CiscoISEEvent\r\n| where EventSeverity in ('FATAL', 'ERROR')\r\n| summarize errorCnt = count() by EventId, ErrorMessage = EventMessage\r\n| sort by errorCnt\r\n| project ['❌ Error Code'] = EventId, ['Error Message'] = ErrorMessage , ['Error Count'] = toint(errorCnt)",
|
||||
"size": 1,
|
||||
"title": "Details of top errors",
|
||||
"timeContext": {
|
||||
"durationMs": 2592000000
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "table"
|
||||
},
|
||||
"customWidth": "39",
|
||||
"name": "DetailsTopErrors"
|
||||
}
|
||||
],
|
||||
"fallbackResourceIds": [
|
||||
"/subscriptions/3102b8f9-10e3-49bf-8712-51c184fddef5/resourcegroups/socprime/providers/microsoft.operationalinsights/workspaces/azuresocprimesentinel"
|
||||
],
|
||||
"fromTemplateId": "sentinel-CiscoISE",
|
||||
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
|
||||
}
|
||||
|
|
@ -0,0 +1,700 @@
|
|||
{
|
||||
"version": "Notebook/1.0",
|
||||
"items": [
|
||||
{
|
||||
"type": 1,
|
||||
"content": {
|
||||
"json": ">**NOTE:** This workbook uses a parser based on a Kusto Function to normalize fields. [Follow these steps](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/CiscoUmbrella/Cisco_Umbrella) to create the Kusto function alias **Cisco_Umbrella**."
|
||||
},
|
||||
"name": "Text"
|
||||
},
|
||||
{
|
||||
"type": 11,
|
||||
"content": {
|
||||
"version": "LinkItem/1.0",
|
||||
"style": "tabs",
|
||||
"links": [
|
||||
{
|
||||
"id": "464b6899-a8de-4f01-84a6-d4e3ecc7f282",
|
||||
"cellValue": "Tab",
|
||||
"linkTarget": "parameter",
|
||||
"linkLabel": "Cisco Umbrella Main Dashboard",
|
||||
"subTarget": "cisco_umbrella_main_dashboard",
|
||||
"preText": "Cisco Umbrella Main Dashboard",
|
||||
"style": "link"
|
||||
},
|
||||
{
|
||||
"id": "a3798d8a-a610-475c-9cbf-7252301dab7e",
|
||||
"cellValue": "Tab",
|
||||
"linkTarget": "parameter",
|
||||
"linkLabel": "Cisco Umbrella Dns Dashboard",
|
||||
"subTarget": "cisco_umbrella_dns_dashboard",
|
||||
"style": "link"
|
||||
},
|
||||
{
|
||||
"id": "80bcf252-bcf6-4736-993d-59da0a8e4c76",
|
||||
"cellValue": "Tab",
|
||||
"linkTarget": "parameter",
|
||||
"linkLabel": "Cisco Umbrella Proxy Dashboard",
|
||||
"subTarget": "cisco_umbrella_proxy_dashboard",
|
||||
"style": "link"
|
||||
},
|
||||
{
|
||||
"id": "f536a1e9-362e-4d98-bdd1-0f7dfb23901a",
|
||||
"cellValue": "Tab",
|
||||
"linkTarget": "parameter",
|
||||
"linkLabel": "Cisco Umbrella Firewall Dashboard",
|
||||
"subTarget": "cisco_umbrella_firewall_dashboard",
|
||||
"style": "link"
|
||||
}
|
||||
]
|
||||
},
|
||||
"name": "Links"
|
||||
},
|
||||
{
|
||||
"type": 9,
|
||||
"content": {
|
||||
"version": "KqlParameterItem/1.0",
|
||||
"parameters": [
|
||||
{
|
||||
"id": "37b91baf-6272-4709-a028-1370823249d4",
|
||||
"version": "KqlParameterItem/1.0",
|
||||
"name": "TimeRange",
|
||||
"type": 4,
|
||||
"isRequired": true,
|
||||
"value": {
|
||||
"durationMs": 5184000000
|
||||
},
|
||||
"typeSettings": {
|
||||
"selectableValues": [
|
||||
{
|
||||
"durationMs": 300000
|
||||
},
|
||||
{
|
||||
"durationMs": 900000
|
||||
},
|
||||
{
|
||||
"durationMs": 1800000
|
||||
},
|
||||
{
|
||||
"durationMs": 3600000
|
||||
},
|
||||
{
|
||||
"durationMs": 14400000
|
||||
},
|
||||
{
|
||||
"durationMs": 43200000
|
||||
},
|
||||
{
|
||||
"durationMs": 86400000
|
||||
},
|
||||
{
|
||||
"durationMs": 172800000
|
||||
},
|
||||
{
|
||||
"durationMs": 259200000
|
||||
},
|
||||
{
|
||||
"durationMs": 604800000
|
||||
},
|
||||
{
|
||||
"durationMs": 1209600000
|
||||
},
|
||||
{
|
||||
"durationMs": 2419200000
|
||||
},
|
||||
{
|
||||
"durationMs": 2592000000
|
||||
},
|
||||
{
|
||||
"durationMs": 5184000000
|
||||
},
|
||||
{
|
||||
"durationMs": 7776000000
|
||||
}
|
||||
],
|
||||
"allowCustom": true
|
||||
},
|
||||
"timeContext": {
|
||||
"durationMs": 86400000
|
||||
}
|
||||
}
|
||||
],
|
||||
"style": "pills",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces"
|
||||
},
|
||||
"name": "Parameters1"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "Cisco_Umbrella\n| where TimeGenerated {TimeRange} \n| summarize Count=count() by EventType\n| render barchart",
|
||||
"size": 3,
|
||||
"title": "Events Count by EventType",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "piechart",
|
||||
"tileSettings": {
|
||||
"showBorder": false,
|
||||
"titleContent": {
|
||||
"columnMatch": "EventType",
|
||||
"formatter": 1
|
||||
},
|
||||
"leftContent": {
|
||||
"columnMatch": "Count",
|
||||
"formatter": 12,
|
||||
"formatOptions": {
|
||||
"palette": "auto"
|
||||
},
|
||||
"numberFormat": {
|
||||
"unit": 17,
|
||||
"options": {
|
||||
"maximumSignificantDigits": 3,
|
||||
"maximumFractionDigits": 2
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"graphSettings": {
|
||||
"type": 0,
|
||||
"topContent": {
|
||||
"columnMatch": "EventType",
|
||||
"formatter": 1
|
||||
},
|
||||
"centerContent": {
|
||||
"columnMatch": "Count",
|
||||
"formatter": 1,
|
||||
"numberFormat": {
|
||||
"unit": 17,
|
||||
"options": {
|
||||
"maximumSignificantDigits": 3,
|
||||
"maximumFractionDigits": 2
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"conditionalVisibility": {
|
||||
"parameterName": "Tab",
|
||||
"comparison": "isEqualTo",
|
||||
"value": "cisco_umbrella_main_dashboard"
|
||||
},
|
||||
"customWidth": "30",
|
||||
"name": "EventsCountByEventType"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "Cisco_Umbrella\n| where TimeGenerated {TimeRange} \n|make-series Trend = count() on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by EventType;",
|
||||
"size": 0,
|
||||
"title": "Events over time",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "timechart"
|
||||
},
|
||||
"conditionalVisibility": {
|
||||
"parameterName": "Tab",
|
||||
"comparison": "isEqualTo",
|
||||
"value": "cisco_umbrella_main_dashboard"
|
||||
},
|
||||
"customWidth": "70",
|
||||
"name": "EventsOverTime"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "Cisco_Umbrella\n| where DvcAction contains \"block\"\n| where TimeGenerated {TimeRange} \n|make-series Trend = count() on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain};",
|
||||
"size": 0,
|
||||
"title": "Blocks over time",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "timechart"
|
||||
},
|
||||
"conditionalVisibility": {
|
||||
"parameterName": "Tab",
|
||||
"comparison": "isEqualTo",
|
||||
"value": "cisco_umbrella_main_dashboard"
|
||||
},
|
||||
"customWidth": "70",
|
||||
"name": "query - 4"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "let CU_Total_Requests =\nCisco_Umbrella\n| where TimeGenerated {TimeRange} \n| summarize count()\n| extend evttype=\"Total Requests\";\n\nlet CU_Total_Blocked =\nCisco_Umbrella\n| where TimeGenerated {TimeRange} \n| where DvcAction contains \"block\"\n| summarize count()\n| extend evttype=\"Total Blocked\";\n\nlet CU_Security_Blocked =\nCisco_Umbrella \n| where TimeGenerated {TimeRange} \n| where DvcAction contains \"block\"\n| where isnotempty(ThreatCategory)\n| summarize count()\n| extend evttype=\"Security Blocked\";\n\nunion CU_Security_Blocked,CU_Total_Blocked,CU_Total_Requests",
|
||||
"size": 3,
|
||||
"title": "Network Breakdown Statistic",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "tiles",
|
||||
"tileSettings": {
|
||||
"titleContent": {
|
||||
"columnMatch": "evttype",
|
||||
"formatter": 1
|
||||
},
|
||||
"leftContent": {
|
||||
"columnMatch": "count_",
|
||||
"formatter": 12,
|
||||
"formatOptions": {
|
||||
"palette": "auto"
|
||||
},
|
||||
"numberFormat": {
|
||||
"unit": 17,
|
||||
"options": {
|
||||
"maximumSignificantDigits": 3,
|
||||
"maximumFractionDigits": 2
|
||||
}
|
||||
}
|
||||
},
|
||||
"showBorder": false,
|
||||
"size": "auto"
|
||||
}
|
||||
},
|
||||
"conditionalVisibility": {
|
||||
"parameterName": "Tab",
|
||||
"comparison": "isEqualTo",
|
||||
"value": "cisco_umbrella_main_dashboard"
|
||||
},
|
||||
"customWidth": "30",
|
||||
"name": "NetworkBreakdownStatistic"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "Cisco_Umbrella\n| where TimeGenerated {TimeRange} \n| where EventType == \"dnslogs\"\n| summarize count() by DvcAction",
|
||||
"size": 3,
|
||||
"title": "DNS - Events count by Action",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "piechart",
|
||||
"tileSettings": {
|
||||
"showBorder": false,
|
||||
"titleContent": {
|
||||
"columnMatch": "DvcAction",
|
||||
"formatter": 1
|
||||
},
|
||||
"leftContent": {
|
||||
"columnMatch": "count_",
|
||||
"formatter": 12,
|
||||
"formatOptions": {
|
||||
"palette": "auto"
|
||||
},
|
||||
"numberFormat": {
|
||||
"unit": 17,
|
||||
"options": {
|
||||
"maximumSignificantDigits": 3,
|
||||
"maximumFractionDigits": 2
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"conditionalVisibility": {
|
||||
"parameterName": "Tab",
|
||||
"comparison": "isEqualTo",
|
||||
"value": "cisco_umbrella_dns_dashboard"
|
||||
},
|
||||
"customWidth": "30",
|
||||
"name": "DNSEventsCountByAction"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "Cisco_Umbrella\n| where TimeGenerated {TimeRange} \n| where EventType == \"dnslogs\"\n| summarize Count=count() by DnsQueryTypeName | sort by Count",
|
||||
"size": 0,
|
||||
"title": "DNS - Events count by QueryType",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "categoricalbar"
|
||||
},
|
||||
"conditionalVisibility": {
|
||||
"parameterName": "Tab",
|
||||
"comparison": "isEqualTo",
|
||||
"value": "cisco_umbrella_dns_dashboard"
|
||||
},
|
||||
"customWidth": "70",
|
||||
"name": "DNSEventsCountByQueryType"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "Cisco_Umbrella\n| where EventType == \"dnslogs\"\n| where TimeGenerated {TimeRange} \n| where isnotempty(ThreatCategory)\n| extend Threat_Category=parsejson(tostring(ThreatCategory))\n| mv-expand Threat_Category\n| summarize Count=count() by tostring(Threat_Category)\n| sort by Count \n| join kind = inner (\nCisco_Umbrella\n| where EventType == \"dnslogs\"\n| where isnotempty(ThreatCategory)\n| where TimeGenerated {TimeRange} \n| extend Threat_Category=parsejson(tostring(ThreatCategory))\n| mv-expand Threat_Category\n| make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by tostring(Threat_Category))\n on Threat_Category\n | project-away Threat_Category1, TimeGenerated\n | project Threat_Category, Count, Trend\n | order by Count\n| take 10",
|
||||
"size": 0,
|
||||
"title": "DNS - Events by Threat Category",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "table",
|
||||
"gridSettings": {
|
||||
"formatters": [
|
||||
{
|
||||
"columnMatch": "Count",
|
||||
"formatter": 8,
|
||||
"formatOptions": {
|
||||
"palette": "blueGreen"
|
||||
}
|
||||
},
|
||||
{
|
||||
"columnMatch": "Trend",
|
||||
"formatter": 10,
|
||||
"formatOptions": {
|
||||
"palette": "turquoise"
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
"conditionalVisibility": {
|
||||
"parameterName": "Tab",
|
||||
"comparison": "isEqualTo",
|
||||
"value": "cisco_umbrella_dns_dashboard"
|
||||
},
|
||||
"customWidth": "30",
|
||||
"name": "DNSEventsByThreatCategory"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "Cisco_Umbrella\n| where TimeGenerated {TimeRange} \n| where EventType == \"dnslogs\"\n| where isnotempty(UrlCategory)\n| extend Url_Category=parsejson(tostring(UrlCategory))\n| mv-expand Url_Category\n| summarize Count=count() by tostring(Url_Category)\n| sort by Count\n| join kind = inner (\nCisco_Umbrella\n| where TimeGenerated {TimeRange} \n| where EventType == \"dnslogs\"\n| where isnotempty(UrlCategory)\n| extend Url_Category=parsejson(tostring(UrlCategory))\n| mv-expand Url_Category\n| make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by tostring(Url_Category))\n on Url_Category\n | project-away Url_Category1, TimeGenerated\n | project Url_Category, Count, Trend\n | order by Count\n| take 10",
|
||||
"size": 0,
|
||||
"title": "DNS - Events by Url Category",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"gridSettings": {
|
||||
"formatters": [
|
||||
{
|
||||
"columnMatch": "Count",
|
||||
"formatter": 8,
|
||||
"formatOptions": {
|
||||
"palette": "blueGreen"
|
||||
}
|
||||
},
|
||||
{
|
||||
"columnMatch": "Trend",
|
||||
"formatter": 10,
|
||||
"formatOptions": {
|
||||
"palette": "turquoise"
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
"conditionalVisibility": {
|
||||
"parameterName": "Tab",
|
||||
"comparison": "isEqualTo",
|
||||
"value": "cisco_umbrella_dns_dashboard"
|
||||
},
|
||||
"customWidth": "35",
|
||||
"name": "DNSEventsByUrlCategory"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "let list_IP = Cisco_Umbrella\n| where TimeGenerated {TimeRange} \n| where EventType == \"dnslogs\"\n| where DvcAction == \"Blocked\"\n|summarize Count=count() by SrcIpAddr | top 10 by Count\n| summarize makelist(SrcIpAddr);\nCisco_Umbrella\n| where TimeGenerated {TimeRange} \n| where EventType == \"dnslogs\"\n| where DvcAction == \"Blocked\"\n|summarize Count=count() by SrcIpAddr \n| join kind = inner (\nCisco_Umbrella\n| where TimeGenerated {TimeRange} \n| where EventType == \"dnslogs\"\n| where DvcAction == \"Blocked\"\n| where SrcIpAddr in (list_IP)\n| make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SrcIpAddr)\n on SrcIpAddr\n | project-away SrcIpAddr1, TimeGenerated\n | project SrcIpAddr, Count, Trend\n | order by Count\n| take 10\n\n",
|
||||
"size": 0,
|
||||
"title": "DNS - Top 10 SrcIp with Blocked Action",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "table",
|
||||
"gridSettings": {
|
||||
"formatters": [
|
||||
{
|
||||
"columnMatch": "Count",
|
||||
"formatter": 8,
|
||||
"formatOptions": {
|
||||
"palette": "blueGreen"
|
||||
}
|
||||
},
|
||||
{
|
||||
"columnMatch": "Trend",
|
||||
"formatter": 10,
|
||||
"formatOptions": {
|
||||
"palette": "turquoise"
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
"conditionalVisibility": {
|
||||
"parameterName": "Tab",
|
||||
"comparison": "isEqualTo",
|
||||
"value": "cisco_umbrella_dns_dashboard"
|
||||
},
|
||||
"customWidth": "35",
|
||||
"name": "DNSTop10SrcIpBlockedAction"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "Cisco_Umbrella\n| where TimeGenerated {TimeRange}\n| where EventType == \"dnslogs\"\n| where DvcAction == \"Blocked\"\n| summarize Count=count() by DnsQueryName, UrlCategory \n| top 10 by Count\n",
|
||||
"size": 0,
|
||||
"title": "DNS - Top 10 Blocked Url ",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces"
|
||||
},
|
||||
"conditionalVisibility": {
|
||||
"parameterName": "Tab",
|
||||
"comparison": "isEqualTo",
|
||||
"value": "cisco_umbrella_dns_dashboard"
|
||||
},
|
||||
"name": "DNSTop10BlockedUrl "
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "Cisco_Umbrella\n| where TimeGenerated {TimeRange} \n| where EventType == \"proxylogs\"\n| summarize count() by DvcAction",
|
||||
"size": 3,
|
||||
"title": "Proxy - Events count by Action",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "piechart"
|
||||
},
|
||||
"conditionalVisibility": {
|
||||
"parameterName": "Tab",
|
||||
"comparison": "isEqualTo",
|
||||
"value": "cisco_umbrella_proxy_dashboard"
|
||||
},
|
||||
"customWidth": "30",
|
||||
"name": "ProxyEventsCountByAction"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "let CU_proxy_outcoming_traffic =\nCisco_Umbrella\n| where TimeGenerated {TimeRange} \n| where EventType == \"proxylogs\"\n| extend TrafficType = \"Outcoming\", Bytes = SrcBytes\n| project TrafficType, Bytes, TimeGenerated;\n\nlet CU_proxy_incoming_traffic =\nCisco_Umbrella\n| where TimeGenerated {TimeRange} \n| where EventType == \"proxylogs\"\n| extend TrafficType = \"Incoming\", Bytes = DstBytes\n| project TrafficType, Bytes, TimeGenerated;\n\n\nunion CU_proxy_outcoming_traffic, CU_proxy_incoming_traffic\n| make-series TotalGbytes = round(sum(Bytes/(1024*1024*1024)),2) on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by TrafficType\n",
|
||||
"size": 0,
|
||||
"title": "Proxy - Traffic timechart, GB",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "timechart"
|
||||
},
|
||||
"conditionalVisibility": {
|
||||
"parameterName": "Tab",
|
||||
"comparison": "isEqualTo",
|
||||
"value": "cisco_umbrella_proxy_dashboard"
|
||||
},
|
||||
"customWidth": "70",
|
||||
"name": "ProxyTrafficTimechart"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "\nCisco_Umbrella\n| where TimeGenerated {TimeRange} \n| where EventType == \"proxylogs\"\n| where isnotempty(UrlCategory)\n| extend Url_Category=parsejson(tostring(UrlCategory))\n| mv-expand Url_Category\n| summarize Count=count() by tostring(Url_Category)\n| sort by Count\n| join kind = inner (\nCisco_Umbrella\n| where TimeGenerated {TimeRange} \n| where EventType == \"proxylogs\"\n| where isnotempty(UrlCategory)\n| extend Url_Category=parsejson(tostring(UrlCategory))\n| mv-expand Url_Category\n| make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by tostring(Url_Category))\n on Url_Category\n | project-away Url_Category1, TimeGenerated\n | project Url_Category, Count, Trend\n | order by Count\n| take 10",
|
||||
"size": 0,
|
||||
"title": "Proxy - Events by Url Category",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"gridSettings": {
|
||||
"formatters": [
|
||||
{
|
||||
"columnMatch": "Count",
|
||||
"formatter": 8,
|
||||
"formatOptions": {
|
||||
"palette": "blueGreen"
|
||||
}
|
||||
},
|
||||
{
|
||||
"columnMatch": "Trend",
|
||||
"formatter": 10,
|
||||
"formatOptions": {
|
||||
"palette": "turquoise"
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
"conditionalVisibility": {
|
||||
"parameterName": "Tab",
|
||||
"comparison": "isEqualTo",
|
||||
"value": "cisco_umbrella_proxy_dashboard"
|
||||
},
|
||||
"customWidth": "30",
|
||||
"name": "ProxyEventsByUrlCategory"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "let list_IP = Cisco_Umbrella\n| where TimeGenerated {TimeRange} \n| where EventType == \"proxylogs\"\n| where DvcAction == \"BLOCKED\"\n|summarize Count=count() by SrcIpAddr | top 10 by Count\n| summarize makelist(SrcIpAddr);\nCisco_Umbrella\n| where TimeGenerated {TimeRange} \n| where EventType == \"proxylogs\"\n| where DvcAction == \"BLOCKED\"\n|summarize Count=count() by SrcIpAddr \n| join kind = inner (\nCisco_Umbrella\n| where TimeGenerated {TimeRange} \n| where EventType == \"proxylogs\"\n| where DvcAction == \"BLOCKED\"\n| where SrcIpAddr in (list_IP)\n| make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SrcIpAddr)\n on SrcIpAddr\n | project-away SrcIpAddr1, TimeGenerated\n | project SrcIpAddr, Count, Trend\n | order by Count\n| take 10\n\n",
|
||||
"size": 0,
|
||||
"title": "Proxy - Top 10 Source IP with Blocked Action",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "table",
|
||||
"gridSettings": {
|
||||
"formatters": [
|
||||
{
|
||||
"columnMatch": "Count",
|
||||
"formatter": 8,
|
||||
"formatOptions": {
|
||||
"palette": "blueGreen"
|
||||
}
|
||||
},
|
||||
{
|
||||
"columnMatch": "Trend",
|
||||
"formatter": 10,
|
||||
"formatOptions": {
|
||||
"palette": "turquoise"
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
"conditionalVisibility": {
|
||||
"parameterName": "Tab",
|
||||
"comparison": "isEqualTo",
|
||||
"value": "cisco_umbrella_proxy_dashboard"
|
||||
},
|
||||
"customWidth": "35",
|
||||
"name": "ProxyTop10SourceIPBlockedAction"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "Cisco_Umbrella\n| where TimeGenerated {TimeRange} \n| where EventType == \"proxylogs\"\n| where isnotempty(ThreatCategory)\n| extend Threat_Category=parsejson(tostring(ThreatCategory))\n| mv-expand Threat_Category\n| summarize Count=count() by tostring(Threat_Category)\n| sort by Count \n| join kind = inner (\nCisco_Umbrella\n| where TimeGenerated {TimeRange} \n| where EventType == \"proxylogs\"\n| where isnotempty(ThreatCategory)\n| extend Threat_Category=parsejson(tostring(ThreatCategory))\n| mv-expand Threat_Category\n| make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by tostring(Threat_Category))\n on Threat_Category\n | project-away Threat_Category1, TimeGenerated\n | project Threat_Category, Count, Trend\n | order by Count\n| take 10",
|
||||
"size": 0,
|
||||
"title": "Proxy - Events by Threat Category",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "table",
|
||||
"gridSettings": {
|
||||
"formatters": [
|
||||
{
|
||||
"columnMatch": "Count",
|
||||
"formatter": 8,
|
||||
"formatOptions": {
|
||||
"palette": "blueGreen"
|
||||
}
|
||||
},
|
||||
{
|
||||
"columnMatch": "Trend",
|
||||
"formatter": 10,
|
||||
"formatOptions": {
|
||||
"palette": "turquoise"
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
"conditionalVisibility": {
|
||||
"parameterName": "Tab",
|
||||
"comparison": "isEqualTo",
|
||||
"value": "cisco_umbrella_proxy_dashboard"
|
||||
},
|
||||
"customWidth": "35",
|
||||
"name": "ProxyEventsByThreatCategory"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "Cisco_Umbrella\n| where TimeGenerated {TimeRange}\n| where EventType == \"proxylogs\"\n| where DvcAction == \"BLOCKED\"\n| summarize Count=count() by UrlOriginal, UrlCategory \n| top 10 by Count\n",
|
||||
"size": 0,
|
||||
"title": "Proxy - Top 10 Blocked Url ",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces"
|
||||
},
|
||||
"conditionalVisibility": {
|
||||
"parameterName": "Tab",
|
||||
"comparison": "isEqualTo",
|
||||
"value": "cisco_umbrella_proxy_dashboard"
|
||||
},
|
||||
"name": "ProxyTop10BlockedUrl "
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "Cisco_Umbrella\n| where TimeGenerated {TimeRange} \n| where EventType == \"cloudfirewalllogs\"\n| summarize count() by DvcAction",
|
||||
"size": 3,
|
||||
"title": "Firewall - Events count by Action",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "piechart",
|
||||
"tileSettings": {
|
||||
"showBorder": false,
|
||||
"titleContent": {
|
||||
"columnMatch": "DvcAction",
|
||||
"formatter": 1
|
||||
},
|
||||
"leftContent": {
|
||||
"columnMatch": "count_",
|
||||
"formatter": 12,
|
||||
"formatOptions": {
|
||||
"palette": "auto"
|
||||
},
|
||||
"numberFormat": {
|
||||
"unit": 17,
|
||||
"options": {
|
||||
"maximumSignificantDigits": 3,
|
||||
"maximumFractionDigits": 2
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"conditionalVisibility": {
|
||||
"parameterName": "Tab",
|
||||
"comparison": "isEqualTo",
|
||||
"value": "cisco_umbrella_firewall_dashboard"
|
||||
},
|
||||
"customWidth": "30",
|
||||
"name": "FirewallEventsCountByAction"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "\nCisco_Umbrella\n| where TimeGenerated {TimeRange} \n| where EventType == \"cloudfirewalllogs\"\n| make-series Packets = sum(toint(NetworkPackets)) on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by NetworkDirection",
|
||||
"size": 0,
|
||||
"title": "Firewall - Traffic over time, Packets",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "timechart"
|
||||
},
|
||||
"conditionalVisibility": {
|
||||
"parameterName": "Tab",
|
||||
"comparison": "isEqualTo",
|
||||
"value": "cisco_umbrella_firewall_dashboard"
|
||||
},
|
||||
"customWidth": "70",
|
||||
"name": "FirewallTrafficOverTime"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "Cisco_Umbrella\n|where EventType == \"cloudfirewalllogs\"\n| where DvcAction contains \"BLOCK\"\n| where TimeGenerated {TimeRange} \n|make-series Trend = count() on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain};",
|
||||
"size": 0,
|
||||
"title": "Firewall - Block Events over time",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces"
|
||||
},
|
||||
"conditionalVisibility": {
|
||||
"parameterName": "Tab",
|
||||
"comparison": "isEqualTo",
|
||||
"value": "cisco_umbrella_firewall_dashboard"
|
||||
},
|
||||
"customWidth": "50",
|
||||
"name": "query - 19"
|
||||
}
|
||||
],
|
||||
"fallbackResourceIds": [
|
||||
"/subscriptions/3102b8f9-10e3-49bf-8712-51c184fddef5/resourcegroups/socprime/providers/microsoft.operationalinsights/workspaces/azuresocprimesentinel"
|
||||
],
|
||||
"fromTemplateId": "sentinel-CiscoUmbrella",
|
||||
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
|
||||
}
|
||||
Двоичный файл не отображается.
|
После Ширина: | Высота: | Размер: 52 KiB |
Двоичный файл не отображается.
|
После Ширина: | Высота: | Размер: 61 KiB |
Двоичный файл не отображается.
|
После Ширина: | Высота: | Размер: 52 KiB |
Двоичный файл не отображается.
|
После Ширина: | Высота: | Размер: 62 KiB |
Двоичный файл не отображается.
|
После Ширина: | Высота: | Размер: 246 KiB |
Двоичный файл не отображается.
|
После Ширина: | Высота: | Размер: 336 KiB |
Двоичный файл не отображается.
|
После Ширина: | Высота: | Размер: 265 KiB |
Двоичный файл не отображается.
|
После Ширина: | Высота: | Размер: 346 KiB |
Двоичный файл не отображается.
|
После Ширина: | Высота: | Размер: 204 KiB |
Двоичный файл не отображается.
|
После Ширина: | Высота: | Размер: 219 KiB |
Двоичный файл не отображается.
|
После Ширина: | Высота: | Размер: 247 KiB |
Двоичный файл не отображается.
|
После Ширина: | Высота: | Размер: 138 KiB |
Двоичный файл не отображается.
|
После Ширина: | Высота: | Размер: 273 KiB |
Двоичный файл не отображается.
|
После Ширина: | Высота: | Размер: 143 KiB |
Двоичный файл не отображается.
|
После Ширина: | Высота: | Размер: 232 KiB |
Двоичный файл не отображается.
|
После Ширина: | Высота: | Размер: 295 KiB |
Двоичный файл не отображается.
|
После Ширина: | Высота: | Размер: 247 KiB |
Двоичный файл не отображается.
|
После Ширина: | Высота: | Размер: 310 KiB |
Двоичный файл не отображается.
|
После Ширина: | Высота: | Размер: 204 KiB |
Двоичный файл не отображается.
|
После Ширина: | Высота: | Размер: 128 KiB |
Двоичный файл не отображается.
|
После Ширина: | Высота: | Размер: 244 KiB |
Двоичный файл не отображается.
|
После Ширина: | Высота: | Размер: 117 KiB |
Двоичный файл не отображается.
|
После Ширина: | Высота: | Размер: 194 KiB |
Двоичный файл не отображается.
|
После Ширина: | Высота: | Размер: 182 KiB |
Двоичный файл не отображается.
|
После Ширина: | Высота: | Размер: 99 KiB |
Двоичный файл не отображается.
|
После Ширина: | Высота: | Размер: 101 KiB |
|
|
@ -0,0 +1,580 @@
|
|||
{
|
||||
"version": "Notebook/1.0",
|
||||
"items": [
|
||||
{
|
||||
"type": 1,
|
||||
"content": {
|
||||
"json": "\n>**NOTE:** This workbook uses a parser based on a Kusto Function to normalize fields. [Follow these steps](https://raw.githubusercontent.com/Azure/Azure-Sentinel/ProofpointPODConnector/Parsers/ProofpointPOD/ProofpointPOD) to create the Kusto function alias **ProofpointPOD**."
|
||||
},
|
||||
"name": "text - 16"
|
||||
},
|
||||
{
|
||||
"type": 11,
|
||||
"content": {
|
||||
"version": "LinkItem/1.0",
|
||||
"style": "tabs",
|
||||
"links": [
|
||||
{
|
||||
"id": "3fb8c41a-e970-467a-8975-0b87bfda8cc0",
|
||||
"cellValue": "Tab",
|
||||
"linkTarget": "parameter",
|
||||
"linkLabel": "Proofpoint Email Security Main Dashboard",
|
||||
"subTarget": "proofpoint_email_security_main_dashboard",
|
||||
"preText": "Proofpoint Email Security Main Dashboard",
|
||||
"style": "link"
|
||||
},
|
||||
{
|
||||
"id": "40d6c856-9ecd-428b-ada5-ad76ba351f5e",
|
||||
"cellValue": "Tab",
|
||||
"linkTarget": "parameter",
|
||||
"linkLabel": "TLS Dashboard",
|
||||
"subTarget": "tls_dashboard",
|
||||
"style": "link"
|
||||
},
|
||||
{
|
||||
"id": "68036e0c-acaa-48d3-aae0-911917ec637d",
|
||||
"cellValue": "Tab",
|
||||
"linkTarget": "parameter",
|
||||
"linkLabel": "Message Summary",
|
||||
"subTarget": "messages_summary",
|
||||
"style": "link"
|
||||
}
|
||||
]
|
||||
},
|
||||
"name": "Tab"
|
||||
},
|
||||
{
|
||||
"type": 9,
|
||||
"content": {
|
||||
"version": "KqlParameterItem/1.0",
|
||||
"parameters": [
|
||||
{
|
||||
"id": "f1aebfc5-f1bd-4462-bb99-f87af7f027ba",
|
||||
"version": "KqlParameterItem/1.0",
|
||||
"name": "TimeRange",
|
||||
"type": 4,
|
||||
"isRequired": true,
|
||||
"value": {
|
||||
"durationMs": 5184000000
|
||||
},
|
||||
"typeSettings": {
|
||||
"selectableValues": [
|
||||
{
|
||||
"durationMs": 300000
|
||||
},
|
||||
{
|
||||
"durationMs": 900000
|
||||
},
|
||||
{
|
||||
"durationMs": 1800000
|
||||
},
|
||||
{
|
||||
"durationMs": 3600000
|
||||
},
|
||||
{
|
||||
"durationMs": 14400000
|
||||
},
|
||||
{
|
||||
"durationMs": 43200000
|
||||
},
|
||||
{
|
||||
"durationMs": 86400000
|
||||
},
|
||||
{
|
||||
"durationMs": 172800000
|
||||
},
|
||||
{
|
||||
"durationMs": 259200000
|
||||
},
|
||||
{
|
||||
"durationMs": 604800000
|
||||
},
|
||||
{
|
||||
"durationMs": 1209600000
|
||||
},
|
||||
{
|
||||
"durationMs": 2419200000
|
||||
},
|
||||
{
|
||||
"durationMs": 2592000000
|
||||
},
|
||||
{
|
||||
"durationMs": 5184000000
|
||||
},
|
||||
{
|
||||
"durationMs": 7776000000
|
||||
}
|
||||
],
|
||||
"allowCustom": true
|
||||
},
|
||||
"timeContext": {
|
||||
"durationMs": 86400000
|
||||
}
|
||||
}
|
||||
],
|
||||
"style": "pills",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces"
|
||||
},
|
||||
"conditionalVisibility": {
|
||||
"parameterName": "Tab",
|
||||
"comparison": "isNotEqualTo",
|
||||
"value": "messages_summary"
|
||||
},
|
||||
"name": "Parameters"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "ProofpointPOD\n| make-series TotalEvents = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by EventType;",
|
||||
"size": 1,
|
||||
"title": "Events over time",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "timechart"
|
||||
},
|
||||
"conditionalVisibility": {
|
||||
"parameterName": "Tab",
|
||||
"comparison": "isEqualTo",
|
||||
"value": "proofpoint_email_security_main_dashboard"
|
||||
},
|
||||
"name": "EventsOverTime"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "let email_security_total_messages_timechart=ProofpointPOD\n| where EventType == \"message\" \n| where TimeGenerated {TimeRange}\n| extend event_type = \"Message Rate\";\n\nlet email_security_total_blocked_timechart =\nProofpointPOD\n| where EventType == \"message\" \n| where FilterDisposition == \"discard\" or FilterDisposition == \"reject\"\n| extend event_type = \"Blocked Message Rate\";\n\nlet quarantine_trends = \nProofpointPOD\n| where EventType == \"message\"\n| where TimeGenerated {TimeRange}\n| where isnotempty(FilterQuarantineFolder)\n| extend event_type = \"Quarantined Message Rate\";\n\nlet result = union email_security_total_messages_timechart, email_security_total_blocked_timechart, quarantine_trends\n| make-series Trend = dcount(MsgHeaderMessageId) on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by event_type;\nresult",
|
||||
"size": 0,
|
||||
"title": "Email Messages over time",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "timechart"
|
||||
},
|
||||
"conditionalVisibility": {
|
||||
"parameterName": "Tab",
|
||||
"comparison": "isEqualTo",
|
||||
"value": "proofpoint_email_security_main_dashboard"
|
||||
},
|
||||
"customWidth": "60",
|
||||
"name": "EmailMessagesOverTime"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "let email_security_total_messages_processed =\nProofpointPOD\n| where EventType == \"message\"\n| where TimeGenerated {TimeRange} \n| summarize Count=dcount(MsgHeaderMessageId) \n| extend title=\"Total Messages Processed\";\n\nlet email_security_inbound_messages_processed =\nProofpointPOD\n| where EventType == \"message\"\n| where TimeGenerated {TimeRange} \n| where NetworkDirection == \"inbound\"\n| summarize Count=dcount(MsgHeaderMessageId) \n| extend title=\"Inbound Messages Processed\";\n\nlet email_security_outbound_messages_processed =\nProofpointPOD\n| where EventType == \"message\"\n| where TimeGenerated {TimeRange} \n| where NetworkDirection == \"outbound\"\n| summarize Count=dcount(MsgHeaderMessageId) \n| extend title=\"Outbound Messages Processed\";\n\nlet email_security_total_blocked_messages =\nProofpointPOD\n| where EventType == \"message\" \n| where TimeGenerated {TimeRange} \n| where FilterDisposition == \"discard\" or FilterDisposition == \"reject\"\n| summarize Count=dcount(MsgHeaderMessageId) \n| extend title=\"Total Blocked Messages\";\n\nlet email_security_total_quarantined_messages = \nProofpointPOD\n| where EventType == \"message\"\n| where TimeGenerated {TimeRange}\n| where isnotempty(FilterQuarantineFolder)\n| summarize Count=dcount(MsgHeaderMessageId) \n| extend title = \"Quarantined Messages\";\n\nlet email_security_result_table = union email_security_total_messages_processed, email_security_inbound_messages_processed,email_security_outbound_messages_processed,email_security_total_blocked_messages,email_security_total_quarantined_messages; \nemail_security_result_table \n| sort by Count",
|
||||
"size": 3,
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "tiles",
|
||||
"tileSettings": {
|
||||
"titleContent": {
|
||||
"columnMatch": "title",
|
||||
"formatter": 1
|
||||
},
|
||||
"leftContent": {
|
||||
"columnMatch": "Count",
|
||||
"formatter": 12,
|
||||
"formatOptions": {
|
||||
"palette": "auto"
|
||||
},
|
||||
"numberFormat": {
|
||||
"unit": 17,
|
||||
"options": {
|
||||
"maximumSignificantDigits": 3,
|
||||
"maximumFractionDigits": 2
|
||||
}
|
||||
}
|
||||
},
|
||||
"showBorder": false,
|
||||
"size": "auto"
|
||||
}
|
||||
},
|
||||
"conditionalVisibility": {
|
||||
"parameterName": "Tab",
|
||||
"comparison": "isEqualTo",
|
||||
"value": "proofpoint_email_security_main_dashboard"
|
||||
},
|
||||
"customWidth": "40",
|
||||
"name": "query - 2"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "ProofpointPOD\n| where EventType == \"message\"\n| where TimeGenerated {TimeRange} \n| where isnotempty(FilterQuarantineRule)\n| summarize Count = dcount(MsgNormalizedHeaderMessageId) by FilterQuarantineRule",
|
||||
"size": 3,
|
||||
"title": "Quarantine Rules Hits",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "piechart"
|
||||
},
|
||||
"conditionalVisibility": {
|
||||
"parameterName": "Tab",
|
||||
"comparison": "isEqualTo",
|
||||
"value": "proofpoint_email_security_main_dashboard"
|
||||
},
|
||||
"customWidth": "35",
|
||||
"name": "QuarantineRulesHits"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "ProofpointPOD\n| where EventType == \"message\"\n| where TimeGenerated {TimeRange} \n| where isnotempty(FilterModulesDmarcFilterdResult)\n| summarize Count = dcount(MsgNormalizedHeaderMessageId) by FilterModulesDmarcFilterdResult",
|
||||
"size": 3,
|
||||
"title": "DMARC Summary Results",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "piechart"
|
||||
},
|
||||
"conditionalVisibility": {
|
||||
"parameterName": "Tab",
|
||||
"comparison": "isEqualTo",
|
||||
"value": "proofpoint_email_security_main_dashboard"
|
||||
},
|
||||
"customWidth": "35",
|
||||
"name": "DMARCSummaryResults"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "ProofpointPOD\n| where EventType == \"message\"\n| where TimeGenerated {TimeRange} \n| where isnotempty(FilterModulesSpamTriggeredClassifier)\n| summarize Count = dcount(MsgNormalizedHeaderMessageId) by FilterModulesSpamTriggeredClassifier",
|
||||
"size": 3,
|
||||
"title": "Top AntiSpam Results",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "piechart"
|
||||
},
|
||||
"conditionalVisibility": {
|
||||
"parameterName": "Tab",
|
||||
"comparison": "isEqualTo",
|
||||
"value": "proofpoint_email_security_main_dashboard"
|
||||
},
|
||||
"customWidth": "30",
|
||||
"name": "TopAntiSpamResults"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "ProofpointPOD\n| where EventType == \"message\"\n| where FilterDisposition == \"discard\" or FilterDisposition == \"reject\" or isnotempty(FilterQuarantineFolder)\n| where TimeGenerated {TimeRange} \n| extend dstUserUpn = todynamic(DstUserUpn) \n| mv-expand dstUserUpn\n| summarize Count = dcount(MsgNormalizedHeaderMessageId) by tostring(dstUserUpn) | top 10 by Count",
|
||||
"size": 0,
|
||||
"title": "Top Recipients with high block rate",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces"
|
||||
},
|
||||
"conditionalVisibility": {
|
||||
"parameterName": "Tab",
|
||||
"comparison": "isEqualTo",
|
||||
"value": "proofpoint_email_security_main_dashboard"
|
||||
},
|
||||
"customWidth": "30",
|
||||
"name": "TopRecipients"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "ProofpointPOD\n| where EventType == \"message\"\n| where TimeGenerated {TimeRange} \n| extend srcUserUpn = todynamic(SrcUserUpn) \n| mv-expand srcUserUpn\n| where isnotempty(srcUserUpn)\n| summarize Count = dcount(MsgNormalizedHeaderMessageId) by tostring(srcUserUpn) | top 10 by Count",
|
||||
"size": 0,
|
||||
"title": "Top Senders",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces"
|
||||
},
|
||||
"conditionalVisibility": {
|
||||
"parameterName": "Tab",
|
||||
"comparison": "isEqualTo",
|
||||
"value": "proofpoint_email_security_main_dashboard"
|
||||
},
|
||||
"customWidth": "30",
|
||||
"name": "TopSenders"
|
||||
},
|
||||
{
|
||||
"type": 9,
|
||||
"content": {
|
||||
"version": "KqlParameterItem/1.0",
|
||||
"parameters": [
|
||||
{
|
||||
"id": "afe179f1-6dc8-4a97-bc20-5b8aadf5a9aa",
|
||||
"version": "KqlParameterItem/1.0",
|
||||
"name": "TimeRange1",
|
||||
"type": 4,
|
||||
"isRequired": true,
|
||||
"value": {
|
||||
"durationMs": 172800000
|
||||
},
|
||||
"typeSettings": {
|
||||
"selectableValues": [
|
||||
{
|
||||
"durationMs": 300000
|
||||
},
|
||||
{
|
||||
"durationMs": 900000
|
||||
},
|
||||
{
|
||||
"durationMs": 1800000
|
||||
},
|
||||
{
|
||||
"durationMs": 3600000
|
||||
},
|
||||
{
|
||||
"durationMs": 14400000
|
||||
},
|
||||
{
|
||||
"durationMs": 43200000
|
||||
},
|
||||
{
|
||||
"durationMs": 86400000
|
||||
},
|
||||
{
|
||||
"durationMs": 172800000
|
||||
},
|
||||
{
|
||||
"durationMs": 259200000
|
||||
},
|
||||
{
|
||||
"durationMs": 604800000
|
||||
},
|
||||
{
|
||||
"durationMs": 1209600000
|
||||
},
|
||||
{
|
||||
"durationMs": 2419200000
|
||||
},
|
||||
{
|
||||
"durationMs": 2592000000
|
||||
},
|
||||
{
|
||||
"durationMs": 5184000000
|
||||
},
|
||||
{
|
||||
"durationMs": 7776000000
|
||||
}
|
||||
]
|
||||
},
|
||||
"timeContext": {
|
||||
"durationMs": 86400000
|
||||
},
|
||||
"label": "TimeRange"
|
||||
},
|
||||
{
|
||||
"id": "cc0743b6-1893-4f3d-8c7c-96f075f3006c",
|
||||
"version": "KqlParameterItem/1.0",
|
||||
"name": "Direction",
|
||||
"type": 2,
|
||||
"isRequired": true,
|
||||
"query": "ProofpointPOD\n| where EventType == \"message\"\n| where TimeGenerated {TimeRange1} \n| project NetworkDirection | distinct NetworkDirection | where isnotempty(NetworkDirection)\n| order by NetworkDirection asc",
|
||||
"value": null,
|
||||
"typeSettings": {
|
||||
"additionalResourceOptions": [],
|
||||
"showDefault": false
|
||||
},
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces"
|
||||
},
|
||||
{
|
||||
"id": "34bcd907-7f33-4d49-b158-eb7877a763f9",
|
||||
"version": "KqlParameterItem/1.0",
|
||||
"name": "Sender",
|
||||
"type": 1,
|
||||
"value": ""
|
||||
},
|
||||
{
|
||||
"id": "65c7de4d-b953-407a-ac81-9c2fe2fddd99",
|
||||
"version": "KqlParameterItem/1.0",
|
||||
"name": "Recipient",
|
||||
"type": 1,
|
||||
"value": ""
|
||||
},
|
||||
{
|
||||
"id": "e819f521-396a-4292-ae6d-99a173eb09b6",
|
||||
"version": "KqlParameterItem/1.0",
|
||||
"name": "Subject",
|
||||
"type": 1,
|
||||
"value": ""
|
||||
}
|
||||
],
|
||||
"style": "pills",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces"
|
||||
},
|
||||
"conditionalVisibility": {
|
||||
"parameterName": "Tab",
|
||||
"comparison": "isEqualTo",
|
||||
"value": "messages_summary"
|
||||
},
|
||||
"name": "Parameters2"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "ProofpointPOD\n| where EventType == \"message\"\n| where TimeGenerated {TimeRange1}\n| project-rename Direction = NetworkDirection, Sender = MsgHeaderFrom, Recipient = MsgHeaderTo, Subject = MsgHeaderSubject, Filter_Action = FilterDisposition\n| project TimeGenerated, Direction, Sender, Recipient, Subject, Filter_Action, MsgNormalizedHeaderMessageId\n| search Sender contains \"{Sender:value}\" and Recipient contains \"{Recipient:value}\" and Subject contains \"{Subject:value}\"\n| search Direction == \"{Direction:value}\" | project TimeGenerated, Direction, Sender, Recipient, Subject, Filter_Action, MsgNormalizedHeaderMessageId | take 50",
|
||||
"size": 0,
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"gridSettings": {
|
||||
"sortBy": [
|
||||
{
|
||||
"itemKey": "MsgNormalizedHeaderMessageId",
|
||||
"sortOrder": 1
|
||||
}
|
||||
]
|
||||
},
|
||||
"sortBy": [
|
||||
{
|
||||
"itemKey": "MsgNormalizedHeaderMessageId",
|
||||
"sortOrder": 1
|
||||
}
|
||||
]
|
||||
},
|
||||
"conditionalVisibility": {
|
||||
"parameterName": "Tab",
|
||||
"comparison": "isEqualTo",
|
||||
"value": "messages_summary"
|
||||
},
|
||||
"name": "Table"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "let inbound_tls_encrypted = \nProofpointPOD\n| where EventType == \"message\"\n| where TimeGenerated {TimeRange}\n| where FilterIsMsgEncrypted == \"true\" and NetworkDirection == \"inbound\"\n| extend event_type = \"Inbound TLS Encrypted\";\n\nlet inbound_tls_unencrypted = \nProofpointPOD\n| where EventType == \"message\"\n| where TimeGenerated {TimeRange} \n| where FilterIsMsgEncrypted == \"false\" and NetworkDirection == \"inbound\"\n| extend event_type = \"Inbound TLS Unencrypted\";\n\nlet inbound_total = \nProofpointPOD\n| where EventType == \"message\"\n| where TimeGenerated {TimeRange} \n| where NetworkDirection == \"inbound\"\n| extend event_type = \"Inbound Total\";\n\nlet trend_result = union inbound_tls_encrypted, inbound_tls_unencrypted, inbound_total;\ntrend_result | summarize Count=dcount(MsgNormalizedHeaderMessageId) by event_type \n| join kind=inner (trend_result | make-series Trend = dcount(MsgNormalizedHeaderMessageId) default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by event_type) on event_type \n;\n",
|
||||
"size": 1,
|
||||
"title": "TLS Usage over time",
|
||||
"timeContext": {
|
||||
"durationMs": 5184000000
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "timechart"
|
||||
},
|
||||
"conditionalVisibility": {
|
||||
"parameterName": "Tab",
|
||||
"comparison": "isEqualTo",
|
||||
"value": "tls_dashboard"
|
||||
},
|
||||
"customWidth": "70",
|
||||
"name": "TLSUsage"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "let inbound_tls_encrypted = \nProofpointPOD\n| where EventType == \"message\"\n| where TimeGenerated {TimeRange}\n| where FilterIsMsgEncrypted == \"true\" and NetworkDirection == \"inbound\"\n| extend event_type = \"Inbound TLS Encrypted\";\n\nlet inbound_tls_unencrypted = \nProofpointPOD\n| where EventType == \"message\"\n| where TimeGenerated {TimeRange} \n| where FilterIsMsgEncrypted == \"false\" and NetworkDirection == \"inbound\"\n| extend event_type = \"Inbound TLS Unencrypted\";\n\nlet inbound_total = \nProofpointPOD\n| where EventType == \"message\"\n| where TimeGenerated {TimeRange} \n| where NetworkDirection == \"inbound\"\n| extend event_type = \"Inbound Total\";\n\nlet trend_result = union inbound_tls_encrypted, inbound_tls_unencrypted, inbound_total;\ntrend_result | summarize Count=dcount(MsgNormalizedHeaderMessageId) by event_type \n| join kind=inner (trend_result | make-series Trend = dcount(MsgNormalizedHeaderMessageId) default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by event_type) on event_type \n| order by Count desc\n| project event_type, Trend, Count\n;",
|
||||
"size": 3,
|
||||
"title": "TLS Statistics",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "tiles",
|
||||
"gridSettings": {
|
||||
"formatters": [
|
||||
{
|
||||
"columnMatch": "Trend",
|
||||
"formatter": 9,
|
||||
"formatOptions": {
|
||||
"palette": "blue"
|
||||
}
|
||||
}
|
||||
],
|
||||
"sortBy": [
|
||||
{
|
||||
"itemKey": "Count",
|
||||
"sortOrder": 2
|
||||
}
|
||||
]
|
||||
},
|
||||
"sortBy": [
|
||||
{
|
||||
"itemKey": "Count",
|
||||
"sortOrder": 2
|
||||
}
|
||||
],
|
||||
"tileSettings": {
|
||||
"titleContent": {
|
||||
"columnMatch": "event_type",
|
||||
"formatter": 1
|
||||
},
|
||||
"leftContent": {
|
||||
"columnMatch": "Count",
|
||||
"formatter": 12,
|
||||
"formatOptions": {
|
||||
"palette": "auto"
|
||||
},
|
||||
"numberFormat": {
|
||||
"unit": 17,
|
||||
"options": {
|
||||
"style": "decimal",
|
||||
"maximumFractionDigits": 2,
|
||||
"maximumSignificantDigits": 3
|
||||
}
|
||||
}
|
||||
},
|
||||
"secondaryContent": {
|
||||
"columnMatch": "Trend",
|
||||
"formatter": 9,
|
||||
"formatOptions": {
|
||||
"palette": "blue"
|
||||
}
|
||||
},
|
||||
"showBorder": false
|
||||
}
|
||||
},
|
||||
"conditionalVisibility": {
|
||||
"parameterName": "Tab",
|
||||
"comparison": "isEqualTo",
|
||||
"value": "tls_dashboard"
|
||||
},
|
||||
"customWidth": "30",
|
||||
"name": "TLSStatistics"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "ProofpointPOD\n| where EventType == \"message\"\n| where TimeGenerated {TimeRange} \n| where FilterIsMsgEncrypted == \"false\"\n| summarize Count=dcount(MsgNormalizedHeaderMessageId) by MsgHeaderFrom | top 10 by Count | extend Domain = extract(\"(.*@)([a-zA-z0-9.-]*)\", 2, MsgHeaderFrom)\n| project Domain, Count\n",
|
||||
"size": 0,
|
||||
"title": "Top 10 Sender domains not using TLS",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "table"
|
||||
},
|
||||
"conditionalVisibility": {
|
||||
"parameterName": "Tab",
|
||||
"comparison": "isEqualTo",
|
||||
"value": "tls_dashboard"
|
||||
},
|
||||
"customWidth": "50",
|
||||
"name": "Top10SenderNotUsingTLS"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "\nProofpointPOD\n| where EventType == \"message\"\n| where FilterIsMsgEncrypted == \"false\"\n| where TimeGenerated {TimeRange} \n| extend splited=split(MsgHeaderTo,\",\") | mv-expand splited | extend Domain = extract(\"(.*@)([a-zA-z0-9.-]*)\", 2, tostring(splited))\n| where isnotempty(Domain)\n| summarize Count=dcount(MsgNormalizedHeaderMessageId) by Domain | top 10 by Count\n",
|
||||
"size": 0,
|
||||
"title": "Top 10 Recipient domains not using TLS",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "table"
|
||||
},
|
||||
"conditionalVisibility": {
|
||||
"parameterName": "Tab",
|
||||
"comparison": "isEqualTo",
|
||||
"value": "tls_dashboard"
|
||||
},
|
||||
"customWidth": "50",
|
||||
"name": "Top10RecipientNotUsingTLS"
|
||||
}
|
||||
],
|
||||
"fallbackResourceIds": [
|
||||
"/subscriptions/3102b8f9-10e3-49bf-8712-51c184fddef5/resourcegroups/socprime/providers/microsoft.operationalinsights/workspaces/azuresocprimesentinel"
|
||||
],
|
||||
"fromTemplateId": "sentinel-ProofpointPOD",
|
||||
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
|
||||
}
|
||||
|
|
@ -1088,5 +1088,44 @@
|
|||
"templateRelativePath": "IntsightsIOCWorkbook.json",
|
||||
"subtitle": "",
|
||||
"provider": "Intsights Cyber Intelligence"
|
||||
},
|
||||
{
|
||||
"workbookKey": "ProofpointPODWorkbook",
|
||||
"logoFileName": "proofpointlogo.svg",
|
||||
"description": "Gain insights into your Proofpoint on Demand Email Security activities, including maillog and messages data. The Workbook provides users with an executive dashboard showing the reporting capabilities, message traceability and monitoring.",
|
||||
"dataTypesDependencies": [ "ProofpointPOD_maillog_CL", "ProofpointPOD_message_CL" ],
|
||||
"dataConnectorsDependencies": [ "ProofpointPOD" ],
|
||||
"previewImagesFileNames": [ "ProofpointPODMainBlack1.png", "ProofpointPODMainBlack2.png", "ProofpointPODMainWhite1.png", "ProofpointPODMainWhite2.png", "ProofpointPODMessageSummaryBlack.png", "ProofpointPODMessageSummaryWhite.png", "ProofpointPODTLSBlack.png", "ProofpointPODTLSWhite.png" ],
|
||||
"version": "1.0",
|
||||
"title": "Proofpoint On-Demand Email Security",
|
||||
"templateRelativePath": "ProofpointPOD.json",
|
||||
"subtitle": "",
|
||||
"provider": "Proofpoint"
|
||||
},
|
||||
{
|
||||
"workbookKey": "CiscoISEWorkbook",
|
||||
"logoFileName": "cisco_logo.svg",
|
||||
"description": "Gain insights into your Cisco Identity Services Engine activities by analyzing events.\nYou can get high-level overview on data flow and event categories distribution, learn about trends across devices, users and identify critical errors.",
|
||||
"dataTypesDependencies": [ "Syslog" ],
|
||||
"dataConnectorsDependencies": [ "CiscoISE" ],
|
||||
"previewImagesFileNames": [ "CiscoISEWhite1.png", "CiscoISEWhite2.png", "CiscoISEDark1.png", "CiscoISEDark2.png" ],
|
||||
"version": "1.0",
|
||||
"title": "Cisco Identity Services Engine",
|
||||
"templateRelativePath": "CiscoISE.json",
|
||||
"subtitle": "",
|
||||
"provider": "Cisco"
|
||||
},
|
||||
{
|
||||
"workbookKey": "CiscoUmbrellaWorkbook",
|
||||
"logoFileName": "cisco_logo.svg",
|
||||
"description": "Gain insights into Cisco Umbrella activities, including the DNS, Proxy and Cloud Firewall data. Workbook shows general information along with threat landscape including categories, blocked destinations and URLs.",
|
||||
"dataTypesDependencies": [ "Cisco_Umbrella_dns_CL", "Cisco_Umbrella_proxy_CL", "Cisco_Umbrella_ip_CL", "Cisco_Umbrella_cloudfirewall_CL" ],
|
||||
"dataConnectorsDependencies": [ "CiscoUbrella" ],
|
||||
"previewImagesFileNames": [ "CiscoUmbrellaDNSBlack1.png", "CiscoUmbrellaDNSBlack2.png", "CiscoUmbrellaDNSWhite1.png", "CiscoUmbrellaDNSWhite2.png", "CiscoUmbrellaFirewallBlack.png", "CiscoUmbrellaFirewallWhite.png", "CiscoUmbrellaMainBlack1.png", "CiscoUmbrellaMainBlack2.png", "CiscoUmbrellaMainWhite1.png", "CiscoUmbrellaMainWhite2.png", "CiscoUmbrellaProxyBlack1.png", "CiscoUmbrellaProxyBlack2.png", "CiscoUmbrellaProxyWhite1.png", "CiscoUmbrellaProxyWhite2.png" ],
|
||||
"version": "1.0",
|
||||
"title": "Cisco Umbrella",
|
||||
"templateRelativePath": "CiscoUmbrella.json",
|
||||
"subtitle": "",
|
||||
"provider": "Cisco"
|
||||
}
|
||||
]
|
||||
|
|
|
|||
Загрузка…
Ссылка в новой задаче