{
"version": "Notebook/1.0",
"items": [
{
"type": 1,
"content": {
"json": "Top 5 Users by Number of Failed Attempts
"
},
"name": "text - 0"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog \r\n| where TimeGenerated <= now()\r\n| extend outcome = coalesce(\r\n column_ifexists(\"EventOutcome\", \"\"),\r\n split(split(AdditionalExtensions, \";\", 2)[0], \"=\", 1)[0],\r\n \"\"\r\n )\r\n| extend reason = coalesce(\r\n column_ifexists(\"Reason\", \"\"),\r\n split(split(AdditionalExtensions, \";\", 3)[0], \"=\", 1)[0],\r\n \"\"\r\n )\r\n| where DeviceVendor == \"Forcepoint CASB\"\r\n| where DeviceProduct in (\"SaaS Security Gateway\", \"Cloud Service Monitoring\", \"CASB Admin audit log\")\r\n| where outcome ==\"Failure\" \r\n| summarize Count= count() by DestinationUserName| render barchart",
"size": 0,
"timeContext": {
"durationMs": 2592000000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "query - 2"
},
{
"type": 1,
"content": {
"json": "\r\nTop 5 Users With The Highest Number Of Logs
"
},
"name": "text - 3"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog \r\n| where TimeGenerated <= now()\r\n| where DeviceVendor == \"Forcepoint CASB\"\r\n| where DeviceProduct in (\"SaaS Security Gateway\", \"Cloud Service Monitoring\", \"CASB Admin audit log\")\r\n| summarize Count = count() by DestinationUserName\r\n| top 5 by DestinationUserName| render barchart",
"size": 1,
"timeContext": {
"durationMs": 2592000000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "query - 4"
}
],
"fromTemplateId": "sentinel-ForcepointCASB",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}