November Update. Add more search options for AAD users if 1000 or more have been found

Add support for a warning message if > 1000 users of AAD are seen, and add UserMap AAD user selection options of (user by count, User by first Letter & free text search).
Clive Watson 2020-11-12 14:08:49 +00:00 committed by GitHub
Parent 366e65e29f
Commit e8bc21d628
No known key found for this signature
GPG key ID: 4AEE18F83AFDEB23
1 changed file with 402 additions and 36 deletions

@ -5,9 +5,6 @@
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"crossComponentResources": [
"{Subscription}"
],
"parameters": [
{
"id": "1ca69445-60fc-4806-b43d-ac7e6aad630a",
@ -38,7 +35,8 @@
"additionalResourceOptions": []
},
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
"resourceType": "microsoft.resourcegraph/resources",
"value": "/subscriptions/d1d8779d-38d7-4f06-91db-9cbc8de0176f/resourceGroups/SOC/providers/Microsoft.OperationalInsights/workspaces/CyberSecuritySOC"
},
{
"id": "c4b69c01-2263-4ada-8d9c-43433b739ff3",
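Review bot: The new `"value"` line on this parameter commits one environment's full workspace resource ID (subscription GUID, resource group `SOC`, workspace `CyberSecuritySOC`) into a shared template. That discloses the author's tenant layout and gives every other user a default that cannot resolve in their subscription. Drop the `"value"` line and keep only the comma-free `"resourceType"` line, so the workbook prompts for a workspace as it did before.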
@ -47,7 +45,7 @@
"type": 4,
"isRequired": true,
"value": {
"durationMs": 7776000000
"durationMs": 5184000000
},
"typeSettings": {
"selectableValues": [
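Review bot: The default on this type 4 (time range) parameter changes from `"durationMs": 7776000000` (90 days) to `"durationMs": 5184000000` (60 days), and neither the commit message nor the V1.3 change-log entry mentions it. If the shorter look-back is intended, record it in the change log; if it is saved state from an editing session, revert it so analysts keep the window they had.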
@ -106,12 +104,11 @@
"typeSettings": {
"additionalResourceOptions": []
},
"jsonData": "[\r\n { \"value\": \"Yes\", \"label\": \"Yes\"},\r\n {\"value\": \"No\", \"label\": \"No\", \"selected\":true },\r\n { \"value\": \"Change Log\", \"label\": \"Change Log\"}\r\n]",
"value": "Change Log"
"jsonData": "[\r\n { \"value\": \"Yes\", \"label\": \"Yes\"},\r\n {\"value\": \"No\", \"label\": \"No\", \"selected\":true },\r\n { \"value\": \"Change Log\", \"label\": \"Change Log\"}\r\n]"
}
],
"style": "above",
"queryType": 1,
"queryType": 0,
"resourceType": "microsoft.resourcegraph/resources"
},
"customWidth": "70",
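Review bot: `"queryType"` moves from 1 to 0 here while the next line still reads `"resourceType": "microsoft.resourcegraph/resources"`. Everywhere else in this diff `queryType` 0 is paired with `microsoft.operationalinsights/workspaces`, so the two fields now disagree. Either keep `"queryType": 1` or change the resource type with it. Removing the saved `"value": "Change Log"` is a good cleanup, since `"selected":true` in `jsonData` already marks the default.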
@ -131,8 +128,7 @@
"typeSettings": {
"additionalResourceOptions": []
},
"jsonData": "[\r\n{\"value\": \"KM\", \"label\": \"KM\"},\r\n{\"value\": \"Miles\", \"label\": \"Miles\", \"selected\":true}\r\n]",
"value": "KM"
"jsonData": "[\r\n{\"value\": \"KM\", \"label\": \"KM\"},\r\n{\"value\": \"Miles\", \"label\": \"Miles\", \"selected\":true}\r\n]"
},
{
"id": "ba4eb749-336e-4aa0-8a4b-2b7987507852",
@ -193,7 +189,7 @@
{
"type": 1,
"content": {
"json": "#### Tab One. Malicious IP \r\nThis report can get data from a number of sources (six are defined in this release) to show the distance from the Malicious IP addresses to a selected users default location. \r\nYou may see an error if one or more data sources are missing. There will be no entries if *all* sources are missing - there is a warning dialog box displayed if this happens.\r\nThis is a similar view to the one shown on the Summary page of Azure Sentinel, but this is showing distance data as well.\r\nThere are three options to aid filtering:\r\n1. Select a Location from a list (for that you will have to edit this workbook and amend the \"CityList\" parameter if you require changes to the capital cities I have provided). Please save the JSON of any co-ordinates you add, as you will need to add them back if you ever update the workbook to a newer version. This is useful if you have some office locations or important places that you wish to add.\r\n2. Select from Azure Active Directory (AAD), if the SigninLogs table exists, this will populate from the latest record, a entry per City /( Country ) with Longitude and Latitude data.\r\n3. Enter a Latitude and Longitude of your choice, and a label to describe the location. \r\nYou may also select to show the data in Kilometers (KM) or Miles. You can also set how many locations to show, 5, 10, 20 etc...\r\n\r\nDatasources: WireData, VMconnection, CommonSecurityLog, WindowsFirewall, W3CIISLog and DnsEvents \r\n\t\t\t Note: SigninLogs is required to build the AAD list, if you dont have this critical datasource, please use options #1 or #3.\r\n\r\n#### Tab two. Locations and distances \r\nInformation using Azure Active Directory (AAD) Signinlogs data, this shows user Signin Locations and distane between as well as order visited (you select a User from a dropdown, ordered by their signin count). \r\n\r\nDatasources:SigninLogs\r\n",
"json": "#### Tab One. Malicious IP \r\nThis report can get data from a number of sources (six are defined in this release) to show the distance from the Malicious IP addresses to a selected users default location. \r\nYou may see an error if one or more data sources are missing. There will be no entries if *all* sources are missing - there is a warning dialog box displayed if this happens.\r\nThis is a similar view to the one shown on the Summary page of Azure Sentinel, but this is showing distance data as well.\r\nThere are three options to aid filtering:\r\n1. Select a Location from a list (for that you will have to edit this workbook and amend the \"CityList\" parameter if you require changes to the capital cities I have provided). Please save the JSON of any co-ordinates you add, as you will need to add them back if you ever update the workbook to a newer version. This is useful if you have some office locations or important places that you wish to add.\r\n2. Select from Azure Active Directory (AAD), if the SigninLogs table exists, this will populate from the latest record, a entry per City /( Country ) with Longitude and Latitude data.\r\n3. Enter a Latitude and Longitude of your choice, and a label to describe the location. \r\nYou may also select to show the data in Kilometers (KM) or Miles. You can also set how many locations to show, 5, 10, 20 etc...\r\n\r\nDatasources: WireData, VMconnection, CommonSecurityLog, WindowsFirewall, W3CIISLog and DnsEvents \r\n\t\t\t Note: SigninLogs is required to build the AAD list, if you dont have this critical datasource, please use options #1 or #3.\r\n\r\n#### Tab two. Locations and distances (User Data)\r\nInformation using Azure Active Directory (AAD) Signinlogs data, this shows user Signin Locations and distance between as well as order visited (you select a User from dropdown options, ordered by their signin count). \r\n\r\nDatasources:SigninLogs\r\n\r\n#### Tab three. 
Microsoft WAF \r\nShow Azure Front door and Application Gateway Web Application Firewall \r\n\r\nDatasources: AzureDiagnostics\r\n",
"style": "info"
},
"conditionalVisibility": {
@ -206,7 +202,7 @@
{
"type": 1,
"content": {
"json": "### Change Log\r\n|Version|Description|\r\n|---|---|\r\n|v1.0\t|Initial Version|\r\n|V1.1.0\t|Updated from 2019 version, combining new features and improving the look and feel. | \r\n|V1.1.1\t|Updated chart to display Location, Latitude, Longitude when a region is clicked| \r\n|V1.2\t|Added info when you select a region on the 'Map showing locations for User', fixed a time display message. Added dwell time (the time delay betwen the entires), in the \"looking for\" grid to augment the distance travelled.|"
"json": "### Change Log\r\n|Version|Description|\r\n|---|---|\r\n|v1.0\t|Initial Version|\r\n|V1.1.0\t|Updated from 2019 version, combining new features and improving the look and feel. | \r\n|V1.1.1\t|Updated chart to display Location, Latitude, Longitude when a region is clicked| \r\n|V1.2\t|Added info when you select a region on the 'Map showing locations for User', fixed a time display message. Added dwell time (the time delay between the entries), in the \"looking for\" grid to augment the distance travelled.|\r\n|V1.3| Add support for a drop down warning, and UserMap user selection options (user by count, User by first Letter & free text search) |"
},
"conditionalVisibility": {
"parameterName": "Help",
@ -328,7 +324,7 @@
"crossComponentResources": [
"{Workspace}"
],
"value": null,
"value": "Aeroskobing (DK),54.89149856567382,10.40470027923584",
"typeSettings": {
"additionalResourceOptions": [],
"showDefault": false
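Review bot: `"value": null` becomes `"value": "Aeroskobing (DK),54.89149856567382,10.40470027923584"`, which looks like the selection saved from the author's own workspace rather than a deliberate default. This parameter is resolved against `{Workspace}`, so a fixed city that may not exist in another tenant's data should not be preselected. Keep `null` and let the query populate the list.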
@ -342,7 +338,7 @@
"name": "defaultCityListAAD",
"type": 1,
"isRequired": true,
"value": "\"no AAD\"",
"value": "Aeroskobing (DK),54.89149856567382,10.40470027923584",
"isHiddenWhenLocked": true,
"criteriaData": [
{
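Review bot: The hidden `defaultCityListAAD` parameter loses its `"\"no AAD\""` placeholder and now ships with a concrete location string as its stored value. If anything downstream compares against `no AAD` to detect a missing SigninLogs source, that check can no longer fire on a fresh import. Restore the placeholder, or document in the change log why the sentinel was replaced.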
@ -508,7 +504,7 @@
"size": 0,
"title": "Top: '{Top}' Malicious IP distances from {locationName} in ('{Measurement}') ",
"timeContext": {
"durationMs": 5184000000
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"exportParameterName": "Selected",
@ -578,7 +574,7 @@
"size": 0,
"title": "Top: '{Top}' Malicious IP distances from {locationName} in ('{Measurement}') ",
"timeContext": {
"durationMs": 5184000000
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"exportParameterName": "Selected",
@ -666,7 +662,7 @@
"showAnalytics": true,
"title": "Top: '{Top}' Malicious IP distances from {locationName} in ('{Measurement}') ",
"timeContext": {
"durationMs": 5184000000
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"showExportToExcel": true,
@ -806,6 +802,34 @@
"groupType": "editable",
"title": "Group: UserMap",
"items": [
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "268ebde4-5b20-4106-9e91-8e7d36b26d4f",
"version": "KqlParameterItem/1.0",
"name": "Select",
"label": "Select Users method",
"type": 10,
"isRequired": true,
"typeSettings": {
"additionalResourceOptions": [],
"showDefault": false
},
"jsonData": "[\r\n {\"value\": \"name\", \"label\": \"Select User by Name\", \"selected\":true },\r\n {\"value\": \"letter\", \"label\": \"Select User by letter\"},\r\n {\"value\": \"free\", \"label\": \"Select User using free text search\"}\r\n]",
"timeContext": {
"durationMs": 86400000
}
}
],
"style": "above",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 10"
},
{
"type": 9,
"content": {
@ -817,14 +841,14 @@
{
"id": "4fd13b3f-9856-4e1d-93f5-c4681a6b4c16",
"version": "KqlParameterItem/1.0",
"name": "SelectUser",
"name": "SelectUserName",
"type": 2,
"isRequired": true,
"query": "SigninLogs\r\n| where TimeGenerated {TimeRange:query}\r\n| where isnotempty(UserDisplayName) and UserDisplayName !=\"On-Premises Directory Synchronization Service Account\"\r\n| summarize Count = count() by UserDisplayName\r\n| order by Count desc, UserDisplayName asc\r\n| project Value = UserDisplayName, Label = strcat(UserDisplayName, ' - ', Count, ' sign-ins'), Selected = false\r\n",
"crossComponentResources": [
"{Workspace}"
],
"value": null,
"value": "Chris Boehm",
"typeSettings": {
"additionalResourceOptions": []
},
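Review bot: `"value": "Chris Boehm"` stores a specific person's display name as the default for `SelectUserName`. A shared workbook template should not carry user names from the author's SigninLogs, and the name will not match anything in other tenants. Set it back to `"value": null`. The rename from `SelectUser` to `SelectUserName` is fine as long as every query that read `{SelectUser}` directly is meant to go through the new hidden `SelectUser` parameter.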
@ -834,19 +858,247 @@
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
{
"id": "8aa43840-1b93-449a-861e-450856dc1297",
"version": "KqlParameterItem/1.0",
"name": "userCount",
"label": "How many unique Users?",
"type": 10,
"description": "1000 users max are shown",
"isRequired": true,
"query": "SigninLogs\r\n| where isnotempty(UserDisplayName) and UserDisplayName !=\"On-Premises Directory Synchronization Service Account\"\r\n| distinct UserDisplayName\r\n| summarize Count = strcat(count(),\" of 1000\")",
"crossComponentResources": [
"{Workspace}"
],
"typeSettings": {
"additionalResourceOptions": [],
"showDefault": false
},
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
}
],
"style": "above",
"doNotRunWhenHidden": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"conditionalVisibility": {
"parameterName": "Select",
"comparison": "isEqualTo",
"value": "name"
},
"name": "parameters - 7"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"crossComponentResources": [
"{Workspace}"
],
"parameters": [
{
"id": "adb47350-f652-4bd3-b2c7-dcfc3e380a23",
"version": "KqlParameterItem/1.0",
"name": "UserFilter",
"type": 2,
"isRequired": true,
"query": "SigninLogs\r\n| distinct UserDisplayName\r\n| project Alpha = toupper(substring(UserDisplayName,0,1))\r\n| summarize Count = count() by Alpha\r\n| order by Alpha asc\r\n| project Value=Alpha, Label=Alpha, selected = false",
"crossComponentResources": [
"{Workspace}"
],
"value": "A",
"typeSettings": {
"additionalResourceOptions": [],
"showDefault": false
},
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
{
"id": "ad7f576a-5df8-49c1-99c2-f8fdbca5557b",
"version": "KqlParameterItem/1.0",
"name": "SelectUserLetter",
"label": " Select User Letter",
"type": 2,
"isRequired": true,
"query": "SigninLogs\r\n| where UserDisplayName startswith '{UserFilter:label}'\r\n| summarize by UserDisplayName\r\n| order by UserDisplayName asc",
"crossComponentResources": [
"{Workspace}"
],
"value": "Alex Humphrey",
"typeSettings": {
"additionalResourceOptions": [],
"showDefault": false
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
{
"id": "96d46227-91be-4519-a83d-449e38b5f32c",
"version": "KqlParameterItem/1.0",
"name": "selectedUserCount",
"label": "How many unique Users?",
"type": 10,
"description": "1000 users max are shown",
"isRequired": true,
"query": "SigninLogs\r\n| where UserDisplayName startswith '{UserFilter:label}'\r\n| distinct UserDisplayName\r\n| summarize Count = strcat(count(),\" of 1000\")",
"crossComponentResources": [
"{Workspace}"
],
"typeSettings": {
"additionalResourceOptions": [],
"showDefault": false
},
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
}
],
"style": "above",
"doNotRunWhenHidden": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"conditionalVisibility": {
"parameterName": "Select",
"comparison": "isEqualTo",
"value": "letter"
},
"name": "parameters - 9"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"crossComponentResources": [
"{Workspace}"
],
"parameters": [
{
"id": "c2577785-56e7-415e-b95d-4af62446fb49",
"version": "KqlParameterItem/1.0",
"name": "SelectUserFree",
"label": "Search for a User here",
"type": 1,
"description": "Enter a free text search for a User Name ",
"value": "",
"timeContext": {
"durationMs": 86400000
},
"timeContextFromParameter": "TimeRange"
},
{
"id": "38ee7b13-de6b-48da-a98f-0ae75ae0517e",
"version": "KqlParameterItem/1.0",
"name": "SelectUserwithin",
"label": "Matched User(s)",
"type": 2,
"query": "SigninLogs\r\n| where UserDisplayName contains '{SelectUserFree}'\r\n| distinct UserDisplayName\r\n| project UserDisplayName \r\n| order by UserDisplayName asc",
"crossComponentResources": [
"{Workspace}"
],
"value": null,
"typeSettings": {
"additionalResourceOptions": [],
"showDefault": false
},
"timeContext": {
"durationMs": 5184000000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
{
"id": "1407f53f-c0b3-4eae-a3a8-8d60c737fb4d",
"version": "KqlParameterItem/1.0",
"name": "selectedUserCount2",
"label": "How many unique Users?",
"type": 10,
"description": "1000 users max are shown",
"isRequired": true,
"query": "SigninLogs\r\n| where UserDisplayName contains '{SelectUserFree}'\r\n| distinct UserDisplayName\r\n| summarize Count = strcat(count(),\" of 1000\")",
"crossComponentResources": [
"{Workspace}"
],
"typeSettings": {
"additionalResourceOptions": [],
"showDefault": false
},
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
}
],
"style": "above",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 7"
"conditionalVisibility": {
"parameterName": "Select",
"comparison": "isEqualTo",
"value": "free"
},
"name": "parameters - 12"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"crossComponentResources": [
"{Workspace}"
],
"parameters": [
{
"id": "ba660562-9b21-4412-b2d7-cc12bb64c33d",
"version": "KqlParameterItem/1.0",
"name": "SelectUser",
"type": 1,
"description": "Only shows user from name or letter parameter - depending on Toggle",
"query": "SigninLogs\r\n| extend SelectUser = case( '{Select}' == \"name\" , '{SelectUserName}',\r\n '{Select}' == \"letter\" , '{SelectUserLetter}',\r\n '{Select}' == \"free\" , '{SelectUserwithin}',\r\n // else\r\n \"error\"\r\n )\r\n| limit 1\r\n| project SelectUser",
"crossComponentResources": [
"{Workspace}"
],
"isHiddenWhenLocked": true,
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
}
],
"style": "above",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 12"
},
{
"type": 1,
"content": {
"json": "#### Please select a user, or confirm data source: SigninLogs exists",
"style": "warning"
"json": "### Missing Input data Warning: diagnostics\r\n\r\nUser Name displayed, from the selected parameter: \r\n## {SelectUser}\r\n\r\n|Parameter|Value detected|\r\n|---|---|\r\n|Name|{SelectUserName}|\r\n|Letter|{SelectUserLetter}|\r\n|Free|{SelectUserFree}|"
},
"conditionalVisibility": {
"parameterName": "SelectUser",
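Review bot: The new lookups splice parameter text straight into single-quoted KQL literals (`| where UserDisplayName contains '{SelectUserFree}'`, and `'{SelectUserName}'`, `'{SelectUserLetter}'`, `'{SelectUserwithin}'` inside the `case(...)` of the hidden `SelectUser` query), so a display name or search term containing an apostrophe, such as O'Brien, yields a query syntax error and the user cannot be selected. The free-text box also defaults to `"value": ""`, which leaves `contains ''` and does not narrow the list at all; guard those two queries with a non-empty check and handle quotes before substitution. Smaller points in the same hunk: the letter and free-text queries drop the `TimeGenerated {TimeRange:query}` filter and the sync-service-account exclusion that the `SelectUserName` query applies, so their counts will not agree with `userCount`; `"value": "Alex Humphrey"` is another saved user name that should be `null`; two steps are both named `parameters - 12`; and the replacement warning text loses `"style": "warning"`.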
@ -863,7 +1115,7 @@
"showAnalytics": true,
"title": "Map showing locations for user: '{SelectUser}'",
"timeContext": {
"durationMs": 5184000000
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"exportedParameters": [
@ -1032,7 +1284,7 @@
"title": "Looking for '{SelectUser}'",
"color": "green",
"timeContext": {
"durationMs": 0
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"exportFieldName": "Namespace",
@ -1210,7 +1462,7 @@
"title": " '{SelectUser}' : Cities visitied",
"color": "green",
"timeContext": {
"durationMs": 5184000000
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"exportFieldName": "Namespace",
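Review bot: The title on the context line above this change still reads `'{SelectUser}' : Cities visitied`. Since the step is being touched anyway, correct it to "visited" in the same commit.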
@ -1360,7 +1612,7 @@
"title": " '{SelectUser}' : distance travelled",
"color": "green",
"timeContext": {
"durationMs": 5184000000
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"exportFieldName": "Namespace",
@ -1510,7 +1762,7 @@
"title": " '{SelectUser}' : Countries visitied ",
"color": "green",
"timeContext": {
"durationMs": 5184000000
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"exportFieldName": "Namespace",
@ -1660,7 +1912,7 @@
"title": "All Users : Countries by most frequent",
"color": "green",
"timeContext": {
"durationMs": 5184000000
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"exportFieldName": "Namespace",
@ -1820,20 +2072,82 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "AzureDiagnostics\r\n| where ResourceType == \"FRONTDOORS\" and Category == \"FrontdoorWebApplicationFirewallLog\"\r\n",
"query": "AzureDiagnostics\r\n| where ResourceType == \"FRONTDOORS\" and Category == \"FrontdoorWebApplicationFirewallLog\"\r\n\r\n",
"size": 0,
"title": "Front door",
"timeContext": {
"durationMs": 5184000000
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"filter": true
}
},
"customWidth": "70",
"name": "query - 0"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "AzureDiagnostics\r\n| where ResourceType == \"FRONTDOORS\" and Category == \"FrontdoorWebApplicationFirewallLog\"\r\n| summarize dcount(Resource), dcount(clientIP_s), dcount(clientPort_d) by Resource\r\n",
"size": 4,
"title": "Front door",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
]
],
"visualization": "tiles",
"tileSettings": {
"titleContent": {
"columnMatch": "Resource",
"formatter": 1,
"tooltipFormat": {
"tooltip": "Front Door"
}
},
"leftContent": {
"columnMatch": "dcount_Resource",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
},
"rightContent": {
"columnMatch": "dcount_clientIP_s",
"tooltipFormat": {
"tooltip": "ClientIPs"
}
},
"secondaryContent": {
"columnMatch": "dcount_clientPort_d",
"tooltipFormat": {
"tooltip": "Ports"
}
},
"showBorder": false
}
},
"name": "query - 0"
"customWidth": "30",
"name": "query - 0 - Copy"
},
{
"type": 3,
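Review bot: In the new tile query, `summarize dcount(Resource), dcount(clientIP_s), dcount(clientPort_d) by Resource` groups by the same column it counts, so `dcount_Resource` is always 1 and the `leftContent` number on every tile is constant. Show something that varies per Front Door instead, for example `count()` of WAF log entries, and reconsider `dcount(clientPort_d)`, since distinct client source ports say little about WAF activity. The grid and the tile also both set `"durationMs": 0`; that is harmless only while `timeContextFromParameter` resolves.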
@ -1843,25 +2157,77 @@
"size": 0,
"title": "Application Gateway Web Application Firewall (WAF) Logs",
"timeContext": {
"durationMs": 5184000000
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"filter": true
}
},
"customWidth": "70",
"name": "query - 0 - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "AzureDiagnostics \r\n| where ResourceProvider == \"MICROSOFT.NETWORK\" and Category == \"ApplicationGatewayFirewallLog\"\r\n| distinct Resource\r\n| summarize dcount(Resource) by Resource\r\n",
"size": 4,
"title": "Application Gateway Web Application Firewall (WAF) Logs",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
]
],
"visualization": "tiles",
"tileSettings": {
"titleContent": {
"columnMatch": "Resource",
"formatter": 1
},
"leftContent": {
"columnMatch": "dcount_Resource",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"maximumFractionDigits": 2,
"maximumSignificantDigits": 3
}
}
},
"showBorder": false
}
},
"name": "query - 0 - Copy"
"customWidth": "30",
"name": "query - 0 - Copy - Copy"
}
]
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "WAF"
},
"name": "group - WAF"
}
],
"fallbackResourceIds": [
"Azure Monitor"
],
"fromTemplateId": "community-Workbooks/Azure Sentinel - Workbooks/User Map",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}
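Review bot: The Application Gateway tile query runs `| distinct Resource` and then `| summarize dcount(Resource) by Resource`, which can only ever return 1 for each row, so the tile carries no information beyond the resource name. Replace it with a per-resource measure such as `count()` of `ApplicationGatewayFirewallLog` entries. The 70%-width grid in this hunk also keeps the name `query - 0 - Copy`, which the previous hunk assigns to the new Front Door tile step; give each step a unique, descriptive name instead of the `- Copy` suffixes.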