{
"version": "Notebook/1.0",
"items": [
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"crossComponentResources": [
"value::selected"
],
"parameters": [
{
"id": "688dc7cb-bea3-41ae-ae94-32d22e09568c",
"version": "KqlParameterItem/1.0",
"name": "DefaultWorkspace",
"type": 5,
"isRequired": true,
"value": "value::1",
"isHiddenWhenLocked": true,
"typeSettings": {
"resourceTypeFilter": {
"microsoft.operationalinsights/workspaces": true
},
"additionalResourceOptions": [
"value::1"
]
}
},
{
"id": "c11b5651-cf86-4865-b23d-9ecc4f16b712",
"version": "KqlParameterItem/1.0",
"name": "ContextFree",
"type": 1,
"query": "{\"version\":\"1.0.0\",\"content\":\"\\\"{DefaultWorkspace}\\\"\"}",
"isHiddenWhenLocked": true,
"queryType": 8
},
{
"id": "bbbc300a-6f91-4b2b-b4b5-842b4bf8577a",
"version": "KqlParameterItem/1.0",
"name": "Selection",
"type": 1,
"query": "where type =~ 'microsoft.operationalinsights/workspaces'\r\n| extend match = strcat(\"'\", id, \"'\") =~ \"{DefaultWorkspace:value}\"\r\n| order by match desc, name asc\r\n| take 1\r\n| project value = tostring(pack('sub', subscriptionId, 'rg', resourceGroup, 'ws', id))",
"crossComponentResources": [
"value::selected"
],
"isHiddenWhenLocked": true,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
}
],
"style": "above",
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
},
"conditionalVisibility": {
"parameterName": "_",
"comparison": "isEqualTo",
"value": "_"
},
"name": "parameters - 0"
},
{
"type": 1,
"content": {
"json": "# Computer Security Status"
},
"conditionalVisibility": {
"parameterName": "ContextFree",
"comparison": "isEqualTo",
"value": "value::1"
},
"name": "text - 1"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"crossComponentResources": [
"{Workspaces}"
],
"parameters": [
{
"id": "1db5ee15-fe52-458b-91d1-7ee39d8c2cd3",
"version": "KqlParameterItem/1.0",
"name": "Subscriptions",
"type": 6,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "summarize by subscriptionId\r\n| project value = strcat('/subscriptions/', subscriptionId), label = subscriptionId, selected = iff(subscriptionId =~ todynamic('{Selection}').sub, true, false)",
"crossComponentResources": [
"value::selected"
],
"typeSettings": {
"additionalResourceOptions": []
},
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
"value": []
},
{
"id": "9732eff8-fb57-4cbd-8ade-5ae746f33760",
"version": "KqlParameterItem/1.0",
"name": "Workspaces",
"type": 5,
"isRequired": true,
"query": "resources\r\n| where type =~ 'microsoft.operationalinsights/workspaces'\r\n| summarize by id, name\r\n| project id, selected = iff(id =~ todynamic('{Selection}').ws, true, false)",
"crossComponentResources": [
"{Subscriptions}"
],
"value": "/subscriptions/82931e73-05c6-4da8-a666-bc4a7dd1bd3e/resourceGroups/fabrikamltdprodrg/providers/Microsoft.OperationalInsights/workspaces/fabrikamltdprod",
"typeSettings": {
"resourceTypeFilter": {
"microsoft.operationalinsights/workspaces": true
},
"additionalResourceOptions": []
},
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
},
{
"id": "5f8cce4b-9c4c-47da-8683-7e5ccc9faed3",
"version": "KqlParameterItem/1.0",
"name": "TimeRange",
"type": 4,
"typeSettings": {
"selectableValues": [
{
"durationMs": 300000,
"createdTime": "2018-10-04T22:01:18.372Z",
"isInitialTime": false,
"grain": 1,
"useDashboardTimeRange": false
},
{
"durationMs": 900000,
"createdTime": "2018-10-04T22:01:18.372Z",
"isInitialTime": false,
"grain": 1,
"useDashboardTimeRange": false
},
{
"durationMs": 1800000,
"createdTime": "2018-10-04T22:01:18.372Z",
"isInitialTime": false,
"grain": 1,
"useDashboardTimeRange": false
},
{
"durationMs": 3600000,
"createdTime": "2018-10-04T22:01:18.372Z",
"isInitialTime": false,
"grain": 1,
"useDashboardTimeRange": false
},
{
"durationMs": 14400000,
"createdTime": "2018-10-04T22:01:18.374Z",
"isInitialTime": false,
"grain": 1,
"useDashboardTimeRange": false
},
{
"durationMs": 43200000,
"createdTime": "2018-10-04T22:01:18.374Z",
"isInitialTime": false,
"grain": 1,
"useDashboardTimeRange": false
},
{
"durationMs": 86400000,
"createdTime": "2018-10-04T22:01:18.374Z",
"isInitialTime": false,
"grain": 1,
"useDashboardTimeRange": false
},
{
"durationMs": 172800000,
"createdTime": "2018-10-04T22:01:18.374Z",
"isInitialTime": false,
"grain": 1,
"useDashboardTimeRange": false
},
{
"durationMs": 259200000,
"createdTime": "2018-10-04T22:01:18.375Z",
"isInitialTime": false,
"grain": 1,
"useDashboardTimeRange": false
},
{
"durationMs": 604800000,
"createdTime": "2018-10-04T22:01:18.375Z",
"isInitialTime": false,
"grain": 1,
"useDashboardTimeRange": false
},
{
"durationMs": 1209600000,
"createdTime": "2018-10-04T22:01:18.375Z",
"isInitialTime": false,
"grain": 1,
"useDashboardTimeRange": false
},
{
"durationMs": 2592000000,
"createdTime": "2018-10-04T22:01:18.375Z",
"isInitialTime": false,
"grain": 1,
"useDashboardTimeRange": false
},
{
"durationMs": 5184000000,
"createdTime": "2018-10-04T22:01:18.375Z",
"isInitialTime": false,
"grain": 1,
"useDashboardTimeRange": false
},
{
"durationMs": 7776000000,
"createdTime": "2018-10-04T22:01:18.375Z",
"isInitialTime": false,
"grain": 1,
"useDashboardTimeRange": false
}
],
"allowCustom": true
}
},
{
"id": "d6de19ff-cde4-41c2-9fba-b441312ea5c9",
"version": "KqlParameterItem/1.0",
"name": "Test",
"type": 1,
"query": "Perf\r\n| where TimeGenerated {TimeRange}\r\n| take 1",
"crossComponentResources": [
"{Workspaces}"
],
"isHiddenWhenLocked": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
{
"id": "4e5f340e-9ca8-4f16-aa10-48d30b486cce",
"version": "KqlParameterItem/1.0",
"name": "Computer",
"type": 5,
"query": "resources\r\n| where type == \"microsoft.compute/virtualmachines\" or type == \"microsoft.hybridcompute/machines\"\r\n| project name",
"crossComponentResources": [
"{Workspaces}"
],
"value": null,
"typeSettings": {
"additionalResourceOptions": []
},
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
}
],
"style": "above",
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
},
"name": "parameters - 2"
},
{
"type": 1,
"content": {
"json": "⚠ A subscription has not yet been selected. Select a subscription under the `Subscriptions` dropdown or refresh the workbook."
},
"conditionalVisibility": {
"parameterName": "Subscriptions",
"comparison": "isEqualTo",
"value": null
},
"name": "text - 29"
},
{
"type": 1,
"content": {
"json": "⚠ A specified time period was not selected (`{TimeRange:label}`). Either try a broader time range, select a different workspace, or onboard virtual machines to the selected workspace `{Workspaces:label}`.\r\n\r\n"
},
"conditionalVisibility": {
"parameterName": "Test",
"comparison": "isEqualTo",
"value": null
},
"name": "text - 3"
},
{
"type": 1,
"content": {
"json": "---"
},
"name": "text - 4"
},
{
"type": 1,
"content": {
"json": "Security Status for {Computer}
"
},
"name": "text - 5"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "securityresources\r\n| where type == \"microsoft.security/securitystatuses\" or type == \"microsoft.security/securitystatuses/servers\" or type == \"microsoft.security/assessments\" \r\n| where name startswith '{Computer}'\r\n| extend p=array_length(properties.resourceDetails) \r\n| mvexpand prop=properties.resourceDetails\r\n| extend type = iif (name has \".\", \"Azure-Arc\",\"Azure-Compute\") \r\n| extend Status = iif (isempty(prop.value),Status = \"See Arc & Securtity asessment section below\",prop.value)\r\n| project ComputerName = name, Resource= prop.name, Status , type",
"size": 0,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
"crossComponentResources": [
"{Workspaces}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "ComputerName",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Resource",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Status",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
}
]
}
},
"name": "query - 7"
},
{
"type": 1,
"content": {
"json": "
\r\n### Securtity Events for: {Computer} "
},
"name": "text - 9"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityEvent\r\n| where Computer startswith \"{Computer}\"\r\n| summarize count() by Activity\r\n",
"size": 1,
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspaces}"
],
"visualization": "piechart",
"tileSettings": {
"showBorder": false,
"titleContent": {
"columnMatch": "Activity",
"formatter": 1
},
"leftContent": {
"columnMatch": "count_",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
},
"graphSettings": {
"type": 0,
"topContent": {
"columnMatch": "Activity",
"formatter": 1,
"formatOptions": {
"showIcon": true
}
},
"centerContent": {
"columnMatch": "count_",
"formatter": 1,
"formatOptions": {
"showIcon": true
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
},
"nodeIdField": "Activity",
"nodeSize": null,
"staticNodeSize": 100,
"colorSettings": null,
"hivesMargin": 5
}
},
"name": "query - 8"
},
{
"type": 1,
"content": {
"json": "
\r\n### Syslog for: {Computer}"
},
"name": "text - 9 - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Syslog\r\n| where Computer startswith \"{Computer}\"\r\n| summarize count() by Facility, SeverityLevel\r\n",
"size": 1,
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspaces}"
],
"visualization": "piechart"
},
"name": "query - 10"
},
{
"type": 1,
"content": {
"json": "
\r\n### CEF Events for: {Computer}"
},
"name": "text - 9 - Copy - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where Computer startswith \"{Computer}\"\r\n| summarize count() by DeviceVendor, DeviceEventClassID, Message\r\n",
"size": 1,
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspaces}"
],
"visualization": "piechart"
},
"name": "query - 11"
},
{
"type": 1,
"content": {
"json": "
\r\n### Potential Source Location: {Computer}"
},
"name": "text - 9 - Copy - Copy - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "union isfuzzy=true (W3CIISLog\r\n| extend TrafficDirection = \"InboundOrUnknown\", Country=RemoteIPCountry, Latitude=RemoteIPLatitude, Longitude=RemoteIPLongitude), (DnsEvents\r\n| extend TrafficDirection = \"InboundOrUnknown\", Country= RemoteIPCountry, Latitude = RemoteIPLatitude, Longitude = RemoteIPLongitude), (WireData\r\n| extend TrafficDirection = iff(Direction != \"Outbound\",\"InboundOrUnknown\", \"Outbound\"), Country=RemoteIPCountry, Latitude=RemoteIPLatitude, Longitude=RemoteIPLongitude), (WindowsFirewall\r\n| extend TrafficDirection = iff(CommunicationDirection != \"SEND\",\"InboundOrUnknown\", \"Outbound\"), Country=MaliciousIPCountry, Latitude=MaliciousIPLatitude, Longitude=MaliciousIPLongitude), (CommonSecurityLog\r\n| extend TrafficDirection = iff(CommunicationDirection != \"Outbound\",\"InboundOrUnknown\", \"Outbound\"), Country=MaliciousIPCountry, Latitude=MaliciousIPLatitude, Longitude=MaliciousIPLongitude, Confidence=ThreatDescription, Description=ThreatDescription), (VMConnection\r\n| where Type == \"VMConnection\"\r\n| extend TrafficDirection = iff(Direction != \"outbound\",\"InboundOrUnknown\", \"Outbound\"), Country=RemoteCountry, Latitude=RemoteLatitude, Longitude=RemoteLongitude)\r\n| where isnotempty(MaliciousIP) and isnotempty(Country) and isnotempty(Latitude) and isnotempty(Longitude)\r\n| where Computer startswith \"{Computer}\"\r\n",
"size": 0,
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspaces}"
],
"visualization": "map",
"mapSettings": {
"locInfo": "LatLong",
"latitude": "Latitude",
"longitude": "Longitude",
"sizeSettings": "EventCount",
"sizeAggregation": "Sum",
"labelSettings": "MaliciousIP",
"legendAggregation": "Sum",
"itemColorSettings": {
"nodeColorField": "Confidence",
"colorAggregation": "Sum",
"type": "thresholds",
"thresholdsGrid": [
{
"operator": "Default",
"thresholdValue": null,
"representation": "blue"
}
]
}
}
},
"name": "query - 14"
},
{
"type": 1,
"content": {
"json": "## Azure Arc"
},
"name": "text - 19"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": " resources\r\n| where type == \"microsoft.hybridcompute/machines\"\r\n| extend p=array_length(properties.provisioningState) \r\n| mvexpand prop=properties.provisioningState\r\n| project id, ComputerName = name, Resource= prop.name, Status = properties.status, State=prop, location, resourceGroup, type",
"size": 0,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
"crossComponentResources": [
"{Subscriptions}"
],
"sortBy": []
},
"name": "query - 18"
},
{
"type": 1,
"content": {
"json": "## Security Asessment findings for {Computer}"
},
"name": "text - 19"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "securityresources\r\n| where type == \"microsoft.security/assessments\"\r\n| where properties contains '{Computer}'\r\n| project Resource = properties.displayName, Status = trim(@\"[^\\w]+\",tostring(split(properties.status,\":\",1))), Location = trim(@\"[^\\w]+\",tostring(split(properties.resourceDetails,\":\",1)))\r\n| extend Status = iif(Status has \",\",trim(@\"[^\\w]+\",tostring(split(Status,\",\",0))),Status)\r\n| extend Location = iif(Location has \"\\\\\",trim(@\"[^\\w]+\",tostring(split(Location,\"\\\\\",0))),Location)",
"size": 0,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
"crossComponentResources": [
"{Workspaces}"
]
},
"name": "query - 18"
}
],
"styleSettings": {},
"fromTemplateId": "sentinel-SecurityStatus",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}