{ "version": "Notebook/1.0", "items": [ { "type": 1, "content": { "json": "## Azure DDoS Protection Workbook\n---\n" }, "name": "text - 2" }, { "type": 11, "content": { "version": "LinkItem/1.0", "style": "tabs", "links": [ { "id": "2647367d-91d2-4325-8923-6de1e66ba14f", "cellValue": "selectedTab", "linkTarget": "parameter", "linkLabel": "DDoS Summary", "subTarget": "DDoS Summary", "preText": "DDoS Summary", "style": "link" }, { "id": "cf2e2031-1a40-42e2-b7f9-66bdf68e7b41", "cellValue": "selectedTab", "linkTarget": "parameter", "linkLabel": "DDoS Metrics", "subTarget": "DDoS Metrics", "style": "link" }, { "id": "e9425dcf-63f3-4cc7-afda-2682cafb513b", "cellValue": "selectedTab", "linkTarget": "parameter", "linkLabel": "DDoS Investigation", "subTarget": "DDoS Investigate", "style": "link" } ] }, "name": "links - 23" }, { "type": 9, "content": { "version": "KqlParameterItem/1.0", "crossComponentResources": [ "value::selected" ], "parameters": [ { "id": "f9e7e362-f017-409a-8b8d-52da17b2df7c", "version": "KqlParameterItem/1.0", "name": "Workspaces", "type": 5, "isRequired": true, "multiSelect": true, "quote": "'", "delimiter": ",", "query": "where type =~ 'microsoft.operationalinsights/workspaces'\r\n| project id, name\r\n| order by name desc", "crossComponentResources": [ "value::selected" ], "value": [], "typeSettings": { "additionalResourceOptions": [ "value::all" ] }, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources" }, { "id": "e04e88aa-42d1-4bd4-a15d-33e4b161e108", "version": "KqlParameterItem/1.0", "name": "TimeRange", "type": 4, "isRequired": true, "value": { "durationMs": 2419200000 }, "typeSettings": { "selectableValues": [ { "durationMs": 300000 }, { "durationMs": 900000 }, { "durationMs": 1800000 }, { "durationMs": 3600000 }, { "durationMs": 14400000 }, { "durationMs": 43200000 }, { "durationMs": 86400000 }, { "durationMs": 172800000 }, { "durationMs": 259200000 }, { "durationMs": 604800000 }, { "durationMs": 1209600000 }, { "durationMs": 
2419200000 }, { "durationMs": 2592000000 }, { "durationMs": 5184000000 }, { "durationMs": 7776000000 } ], "allowCustom": true } }, { "id": "8ae1c617-04d0-4918-ac8e-4ba9083300f3", "version": "KqlParameterItem/1.0", "name": "Resource", "type": 5, "isRequired": true, "multiSelect": true, "quote": "'", "delimiter": ",", "query": "where type =~ 'Microsoft.Network/PublicIPAddresses'\r\n| project id", "crossComponentResources": [ "value::selected" ], "value": [ "value::all" ], "typeSettings": { "additionalResourceOptions": [ "value::all" ], "selectAllValue": "", "showDefault": false }, "timeContext": { "durationMs": 0 }, "timeContextFromParameter": "TimeRange", "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", "label": "Public IP Addresses" } ], "style": "pills", "queryType": 1, "resourceType": "microsoft.resourcegraph/resources" }, "conditionalVisibility": { "parameterName": "DDoS Summary", "comparison": "isEqualTo" }, "name": "parameters - 2" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AzureDiagnostics\r\n| where Category == \"DDoSProtectionNotifications\" or Category == \"DDoSMitigationReports\"\r\n| where Resource in~ (split(\"{Resource:label}\", \", \"))\r\n| extend TrafficOverview = coalesce(parse_json(column_ifexists(\"TrafficOverview_s\",\"\")),parse_json(AdditionalFields[\"TrafficOverview\"]))\r\n| extend TrafficOverview = parse_json(tostring(TrafficOverview))\r\n| extend TotalTCPPackets = todouble(TrafficOverview.Total_TCP_packets)\r\n| extend TotalTCPPacketsDropped = todouble(TrafficOverview.Total_TCP_packets_dropped)\r\n| extend TotalUDPPackets = todouble(TrafficOverview.Total_UDP_packets)\r\n| extend TotalUDPPacketsDropped = todouble(TrafficOverview.Total_UDP_packets_dropped)\r\n| extend TotalOtherPackets = todouble(TrafficOverview.Total_other_packets)\r\n| extend TotalOtherPacketsDropped = todouble(TrafficOverview.Total_other_packets_dropped)\r\n| extend TotalPackets = todouble(TrafficOverview.Total_packets)\r\n| 
extend TotalPacketsDropped = todouble(TrafficOverview.Total_packets_dropped)\r\n| summarize sum(TotalPacketsDropped), sum(TotalPackets), sum(TotalUDPPackets),sum(TotalUDPPacketsDropped),sum(TotalOtherPackets),sum(TotalOtherPacketsDropped),sum(TotalTCPPackets),sum(TotalTCPPacketsDropped)\r\n| extend TotalPackets = sum_TotalPackets , TotalPacketsDropped = sum_TotalPacketsDropped, TotalUDPPackets = sum_TotalUDPPackets, TotalUDPPacketsDropped = sum_TotalUDPPacketsDropped, TotalOtherPackets = sum_TotalOtherPackets, TotalOtherPacketsDropped = sum_TotalOtherPacketsDropped, TotalTCPPackets = sum_TotalTCPPackets, TotalTCPPacketsDropped = sum_TotalTCPPacketsDropped\r\n| project TotalPackets, TotalPacketsDropped, TotalTCPPackets, TotalTCPPacketsDropped, TotalUDPPackets, TotalUDPPacketsDropped, TotalOtherPackets, TotalOtherPacketsDropped \r\n| evaluate narrow()\r\n| extend TableName = Column\r\n| extend Count = Value\r\n| project TableName, Count", "size": 4, "title": "Traffic Overview", "noDataMessage": "You do not have DDOS enabled", "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspaces}" ], "visualization": "tiles", "gridSettings": { "sortBy": [ { "itemKey": "Count", "sortOrder": 1 } ] }, "sortBy": [ { "itemKey": "Count", "sortOrder": 1 } ], "tileSettings": { "titleContent": { "columnMatch": "Count", "formatter": 12, "formatOptions": { "palette": "auto" }, "numberFormat": { "unit": 17, "options": { "style": "decimal", "useGrouping": false } } }, "subtitleContent": { "columnMatch": "TableName" }, "showBorder": true, "size": "auto" } }, "customWidth": "100", "name": "Traffic Overview" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AzureDiagnostics\r\n| where Resource in~ (split(\"{Resource:label}\", \", \"))\r\n| where Category == \"DDoSMitigationReports\"\r\n| sort by TimeGenerated desc\r\n| extend TopAttackVector = 
coalesce(tostring(parse_json(column_ifexists(\"AttackVectors_s\",\"\"))[0]), AdditionalFields[\"AttackVectors\"])\r\n| extend TrafficOverview = coalesce(parse_json(column_ifexists(\"TrafficOverview_s\",\"\")),parse_json(AdditionalFields[\"TrafficOverview\"]))\r\n| extend TrafficOverview = parse_json(tostring(TrafficOverview))\r\n| extend TotalPackets = todouble(TrafficOverview.Total_packets)\r\n| extend Total_packets_dropped_ = todouble(TrafficOverview.Total_packets_dropped)\r\n| where TotalPackets > 0\r\n| where TopAttackVector <> \"\"\r\n| take 10\r\n| project TimeGenerated , TopAttackVector , TotalPackets, TotalPacketsDropped = Total_packets_dropped_ , ResourceId , IPAddress, Resource\r\n\r\n", "size": 1, "title": "Last Ten DDoS Attack Reports, select attack to provide resource lookup", "noDataMessage": "No DDoS Attacks Mitigated in~ Selected TimeRange", "timeContext": { "durationMs": 0 }, "timeContextFromParameter": "TimeRange", "exportedParameters": [ { "fieldName": "IPAddress", "parameterName": "IPAddress", "parameterType": 1 }, { "fieldName": "ResourceId", "parameterName": "ResourceId", "parameterType": 1, "defaultValue": "ResourceId" }, { "fieldName": "Resource", "parameterName": "AttackReport", "parameterType": 1, "defaultValue": "/" } ], "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspaces}" ], "gridSettings": { "formatters": [ { "columnMatch": "TotalPackets", "formatter": 4, "formatOptions": { "palette": "coldHot" }, "numberFormat": { "unit": 17, "options": { "style": "decimal", "maximumSignificantDigits": 4 } } }, { "columnMatch": "TotalPacketsDropped", "formatter": 4, "formatOptions": { "palette": "coldHot" }, "numberFormat": { "unit": 17, "options": { "style": "decimal", "maximumSignificantDigits": 4 } } }, { "columnMatch": "Resource", "formatter": 5 }, { "columnMatch": "Total_packets_", "formatter": 4, "formatOptions": { "palette": "hotCold" }, "numberFormat": { "unit": 17, "options": { 
"style": "decimal", "maximumSignificantDigits": 4 } } }, { "columnMatch": "Total_packets_dropped_", "formatter": 4, "formatOptions": { "palette": "hotCold" }, "numberFormat": { "unit": 17, "options": { "style": "decimal", "maximumSignificantDigits": 4 } } } ] }, "tileSettings": { "titleContent": { "columnMatch": "IPAddress", "formatter": 12, "formatOptions": { "palette": "auto" } }, "subtitleContent": { "columnMatch": "TopAttackVector", "formatter": 1 }, "leftContent": { "columnMatch": "Resource" }, "rightContent": { "columnMatch": "TimeGenerated" }, "showBorder": true, "size": "auto" } }, "customWidth": "50", "name": "query - 7" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "Resources\r\n| where properties contains \"{AttackReport}\"\r\n| project id, name, type, tenantId, location, resourceGroup, subscriptionId", "size": 1, "title": "Resource Lookup, based on Most Recent DDoS Attack Report", "noDataMessage": "Unable to find resources", "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", "crossComponentResources": [ "value::selected" ] }, "customWidth": "50", "name": "query - 24" }, { "type": 10, "content": { "chartId": "workbookd3c031a7-09cf-4cfd-bdec-ab452c540328", "version": "MetricsItem/2.0", "size": 0, "chartType": 2, "resourceType": "microsoft.network/publicipaddresses", "metricScope": 0, "resourceParameter": "Resource", "resourceIds": [ "{Resource}" ], "timeContextFromParameter": "TimeRange", "timeContext": { "durationMs": 2419200000 }, "metrics": [ { "namespace": "microsoft.network/publicipaddresses", "metric": "microsoft.network/publicipaddresses--PacketCount", "aggregation": 4, "splitBy": null } ], "title": "Public IP Address Packet Count (Average)", "gridSettings": { "rowLimit": 10000 } }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "DDoS Metrics" }, "customWidth": "50", "name": "metric - 25 - Copy - Copy - Copy - Copy" }, { "type": 10, "content": { "chartId": 
"workbookd3c031a7-09cf-4cfd-bdec-ab452c540328", "version": "MetricsItem/2.0", "size": 0, "chartType": 2, "resourceType": "microsoft.network/publicipaddresses", "metricScope": 0, "resourceParameter": "Resource", "resourceIds": [ "{Resource}" ], "timeContextFromParameter": "TimeRange", "timeContext": { "durationMs": 2419200000 }, "metrics": [ { "namespace": "microsoft.network/publicipaddresses", "metric": "microsoft.network/publicipaddresses--ByteCount", "aggregation": 4, "splitBy": null } ], "title": "Public IP Address Byte Count (Average)", "gridSettings": { "rowLimit": 10000 } }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "DDoS Metrics" }, "customWidth": "50", "name": "metric - 25 - Copy - Copy - Copy - Copy - Copy" }, { "type": 10, "content": { "chartId": "workbookd3c031a7-09cf-4cfd-bdec-ab452c540328", "version": "MetricsItem/2.0", "size": 0, "chartType": 2, "resourceType": "microsoft.network/publicipaddresses", "metricScope": 0, "resourceParameter": "Resource", "resourceIds": [ "{Resource}" ], "timeContextFromParameter": "TimeRange", "timeContext": { "durationMs": 2419200000 }, "metrics": [ { "namespace": "microsoft.network/publicipaddresses", "metric": "microsoft.network/publicipaddresses--DDoSTriggerSYNPackets", "aggregation": 3, "splitBy": null } ], "title": "Inbound SYN Packets to trigger DDoS (MAX)", "gridSettings": { "rowLimit": 10000 } }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "DDoS Metrics" }, "customWidth": "50", "name": "metric - 25" }, { "type": 10, "content": { "chartId": "workbookd3c031a7-09cf-4cfd-bdec-ab452c540328", "version": "MetricsItem/2.0", "size": 0, "chartType": 2, "resourceType": "microsoft.network/publicipaddresses", "metricScope": 0, "resourceParameter": "Resource", "resourceIds": [ "{Resource}" ], "timeContextFromParameter": "TimeRange", "timeContext": { "durationMs": 2419200000 }, "metrics": [ { "namespace": 
"microsoft.network/publicipaddresses", "metric": "microsoft.network/publicipaddresses--DDoSTriggerTCPPackets", "aggregation": 3, "splitBy": null } ], "title": "Inbound TCP Packets to trigger DDoS (MAX)", "gridSettings": { "rowLimit": 10000 } }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "DDoS Metrics" }, "customWidth": "50", "name": "metric - 25 - Copy" }, { "type": 10, "content": { "chartId": "workbookd3c031a7-09cf-4cfd-bdec-ab452c540328", "version": "MetricsItem/2.0", "size": 0, "chartType": 2, "resourceType": "microsoft.network/publicipaddresses", "metricScope": 0, "resourceParameter": "Resource", "resourceIds": [ "{Resource}" ], "timeContextFromParameter": "TimeRange", "timeContext": { "durationMs": 2419200000 }, "metrics": [ { "namespace": "microsoft.network/publicipaddresses", "metric": "microsoft.network/publicipaddresses--DDoSTriggerUDPPackets", "aggregation": 3, "splitBy": null } ], "title": "Inbound UDP Packets to trigger DDoS (MAX)", "gridSettings": { "rowLimit": 10000 } }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "DDoS Metrics" }, "customWidth": "50", "name": "metric - 25 - Copy - Copy" }, { "type": 10, "content": { "chartId": "workbookd3c031a7-09cf-4cfd-bdec-ab452c540328", "version": "MetricsItem/2.0", "size": 0, "chartType": 2, "resourceType": "microsoft.network/publicipaddresses", "metricScope": 0, "resourceParameter": "Resource", "resourceIds": [ "{Resource}" ], "timeContextFromParameter": "TimeRange", "timeContext": { "durationMs": 2419200000 }, "metrics": [ { "namespace": "microsoft.network/publicipaddresses", "metric": "microsoft.network/publicipaddresses--IfUnderDDoSAttack", "aggregation": 3, "splitBy": null } ], "title": "Under DDoS Attack or Not (MAX)", "gridSettings": { "rowLimit": 10000 } }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "DDoS Metrics" }, "customWidth": "50", "name": 
"metric - 25 - Copy - Copy - Copy" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AzureDiagnostics\r\n| where Resource in~ (split(\"{Resource:label}\", \", \"))\r\n| where Category == \"DDoSMitigationReports\"\r\n| extend Protocols_s = coalesce(parse_json(column_ifexists(\"Protocols_s\",\"\")),parse_json(AdditionalFields[\"Protocols\"]))\r\n| extend Protocols_s = parse_json(tostring(Protocols_s))\r\n| where Protocols_s <> \"{}\" \r\n| extend DynamicProtocols = todynamic(Protocols_s)\r\n| project DynamicProtocols\r\n| as T\r\n| mv-apply DynamicProtocols on (extend Protocol = tostring(bag_keys(DynamicProtocols)[0])\r\n| project Protocol, value = todouble(DynamicProtocols[Protocol]) )\r\n| summarize Percentage = strcat(round(100 * sum(value) / toscalar(T | count), 3)) by Protocol\r\n| extend PercDec = todouble(Percentage)\r\n| render piechart\r\n", "size": 0, "title": "Protocols", "timeContext": { "durationMs": 2419200000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspaces}" ], "visualization": "piechart", "chartSettings": { "ySettings": { "unit": 1, "min": null, "max": null } } }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "DDoS Summary" }, "customWidth": "20", "name": "query - 16" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AzureDiagnostics\r\n| where Resource in~ (split(\"{Resource:label}\", \", \"))\r\n| where Category == \"DDoSMitigationReports\"\r\n| extend SourceContinents_s = coalesce(parse_json(column_ifexists(\"SourceContinents_s\",\"\")),parse_json(AdditionalFields[\"SourceContinents\"]))\r\n| where SourceContinents_s <> \"{}\"\r\n| extend SourceContinents_s = parse_json(tostring(SourceContinents_s))\r\n| extend DynamicContinents = todynamic(SourceContinents_s) \r\n| project DynamicContinents\r\n| as T\r\n| mv-apply DynamicContinents on (\r\n extend Continent 
= tostring(bag_keys(DynamicContinents)[0])\r\n | project Continent, value = todouble(DynamicContinents[Continent])\r\n)\r\n| summarize Percentage = strcat(round(100 * sum(value) / toscalar(T | count), 3)) by Continent\r\n| extend Percent = todouble(Percentage)", "size": 0, "title": "Continent of orgin", "timeContext": { "durationMs": 2419200000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspaces}" ], "visualization": "piechart", "chartSettings": { "ySettings": { "unit": 1, "min": null, "max": null } } }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "DDoS Summary" }, "customWidth": "20", "name": "query - 13 - Copy" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AzureDiagnostics\r\n| where Resource in~ (split(\"{Resource:label}\", \", \"))\r\n| where Category == \"DDoSMitigationReports\"\r\n| extend TopSourceCountries_s = coalesce(parse_json(column_ifexists(\"TopSourceCountries_s\",\"\")),parse_json(AdditionalFields[\"TopSourceCountries\"]))\r\n| where TopSourceCountries_s <> \"{}\"\r\n| extend TopSourceCountries_s = parse_json(tostring(TopSourceCountries_s))\r\n| extend DynamicCountries = todynamic(TopSourceCountries_s)\r\n| project DynamicCountries\r\n| as T\r\n| mv-apply DynamicCountries\r\non (extend Countries = tostring(bag_keys(DynamicCountries)[0])\r\n| project Countries, value = todouble(DynamicCountries[Countries]) )\r\n| summarize Percentage = strcat(round(100 * sum(value) / toscalar(T\r\n| count), 3)) by Countries\r\n| sort by Percentage desc\r\n| extend Percent = todouble(Percentage)", "size": 0, "title": "Countries of Origin", "timeContext": { "durationMs": 2419200000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspaces}" ], "visualization": "piechart", "chartSettings": { 
"ySettings": { "unit": 1, "min": null, "max": null } } }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "DDoS Summary" }, "customWidth": "20", "name": "query - 13 - Copy" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AzureDiagnostics\r\n| where Resource in~ (split(\"{Resource:label}\", \", \"))\r\n| where Category == \"DDoSMitigationReports\"\r\n| extend TopSourceASNs_s = coalesce(parse_json(column_ifexists(\"TopSourceASNs_s\",\"\")),parse_json(AdditionalFields[\"TopSourceASNs\"]))\r\n| where TopSourceASNs_s <> \"{}\"\r\n| extend TopSourceASNs_s = parse_json(tostring(TopSourceASNs_s))\r\n| extend DynamicASNs = todynamic(TopSourceASNs_s)\r\n| project DynamicASNs\r\n| as T\r\n| mv-apply DynamicASNs on (extend ASN = tostring(bag_keys(DynamicASNs)[0])\r\n| project ASN, value = todouble(DynamicASNs[ASN]) )\r\n| summarize Percentage = strcat(round(100 * sum(value) / toscalar(T | count), 3)) by ASN\r\n| extend PercDec = todouble(Percentage)\r\n| sort by PercDec desc\r\n| render piechart", "size": 0, "title": "AS Numbers", "timeContext": { "durationMs": 2419200000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspaces}" ], "chartSettings": { "ySettings": { "unit": 1, "min": null, "max": null } } }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "DDoS Summary" }, "customWidth": "20", "name": "query - 15 - Copy", "styleSettings": { "margin": "15" } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AzureDiagnostics\r\n| where Resource in~ (split(\"{Resource:label}\", \", \"))\r\n| where Category == \"DDoSMitigationReports\"\r\n| extend DropReasons_s = coalesce(parse_json(column_ifexists(\"DropReasons_s\",\"\")),parse_json(AdditionalFields[\"DropReasons\"]))\r\n| extend DropReasons_s = parse_json(tostring(DropReasons_s))\r\n| where 
DropReasons_s <> \"{}\"\r\n| extend DynamicDroppedReasons = todynamic(DropReasons_s)\r\n| project DynamicDroppedReasons\r\n| as T\r\n| mv-apply DynamicDroppedReasons on (extend Reasons = tostring(bag_keys(DynamicDroppedReasons)[0])\r\n| project Reasons, value = todouble(DynamicDroppedReasons[Reasons]) )\r\n| summarize Percentage = strcat(round(100 * sum(value) / toscalar(T\r\n| count), 3)) by Reasons\r\n| extend PercDec = todouble(Percentage)\r\n| render piechart", "size": 0, "title": "Drop Reasons", "timeContext": { "durationMs": 2419200000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspaces}" ], "gridSettings": { "formatters": [ { "columnMatch": "count_", "formatter": 4, "formatOptions": { "palette": "coldHot", "showIcon": true } }, { "columnMatch": "Count", "formatter": 8, "formatOptions": { "palette": "coldHot", "showIcon": true } } ], "sortBy": [ { "itemKey": "Percentage", "sortOrder": 2 } ] }, "sortBy": [ { "itemKey": "Percentage", "sortOrder": 2 } ], "chartSettings": { "ySettings": { "unit": 1, "min": null, "max": null } } }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "DDoS Summary" }, "customWidth": "20", "name": "Top Attack Vectors - Copy" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AzureDiagnostics\r\n| where Resource in~ (split(\"{Resource:label}\", \", \"))\r\n| where Category == \"DDoSMitigationReports\"\r\n| extend Protocols_s = coalesce(parse_json(column_ifexists(\"Protocols_s\",\"\")),parse_json(AdditionalFields[\"Protocols\"]))\r\n| extend Protocols_s = parse_json(tostring(Protocols_s))\r\n| where Protocols_s <> \"{}\"\r\n| extend DynamicProtocols = todynamic(Protocols_s)\r\n| project DynamicProtocols\r\n| as T\r\n| mv-apply DynamicProtocols on (extend Protocol = tostring(bag_keys(DynamicProtocols)[0])\r\n| project Protocol, value = todouble(DynamicProtocols[Protocol]) 
)\r\n| summarize Percentage = strcat(round(100 * sum(value) / toscalar(T\r\n| count), 3), \"%\") by Protocol\r\n| sort by Percentage desc", "size": 1, "title": "Protocols", "timeContext": { "durationMs": 2419200000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspaces}" ] }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "DDoS Summary" }, "customWidth": "20", "name": "query - 16 - Copy" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AzureDiagnostics\r\n| where Resource in~ (split(\"{Resource:label}\", \", \"))\r\n| where Category == \"DDoSMitigationReports\"\r\n| extend SourceContinents_s = coalesce(parse_json(column_ifexists(\"SourceContinents_s\",\"\")),parse_json(AdditionalFields[\"SourceContinents\"]))\r\n| extend SourceContinents_s = parse_json(tostring(SourceContinents_s))\r\n| where SourceContinents_s <> \"{}\"\r\n| extend DynamicContinents = todynamic(SourceContinents_s) \r\n| project DynamicContinents\r\n| as T\r\n| mv-apply DynamicContinents on (\r\n extend Continent = tostring(bag_keys(DynamicContinents)[0])\r\n | project Continent, value = todouble(DynamicContinents[Continent])\r\n)\r\n| summarize Percentage = strcat(round(100 * sum(value) / toscalar(T | count), 3), \"%\") by Continent\r\n| sort by Percentage desc", "size": 1, "title": "Continent of orgin", "timeContext": { "durationMs": 2419200000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspaces}" ] }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "DDoS Summary" }, "customWidth": "20", "name": "query - 13" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AzureDiagnostics\r\n| where Resource in~ (split(\"{Resource:label}\", \", \"))\r\n| where Category == 
\"DDoSMitigationReports\"\r\n| extend TopSourceCountries_s = coalesce(parse_json(column_ifexists(\"TopSourceCountries_s\",\"\")),parse_json(AdditionalFields[\"TopSourceCountries\"]))\r\n| extend TopSourceCountries_s = parse_json(tostring(TopSourceCountries_s))\r\n| where TopSourceCountries_s <> \"{}\"\r\n| extend DynamicCountries = todynamic(TopSourceCountries_s)\r\n| project DynamicCountries\r\n| as T\r\n| mv-apply DynamicCountries on (extend Countries = tostring(bag_keys(DynamicCountries)[0])\r\n| project Countries, value = todouble(DynamicCountries[Countries]) )\r\n| summarize Percentage = strcat(round(100 * sum(value) / toscalar(T\r\n| count), 3), \"%\") by Countries\r\n| sort by Percentage desc", "size": 1, "title": "Countries of Origin", "timeContext": { "durationMs": 2419200000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspaces}" ] }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "DDoS Summary" }, "customWidth": "20", "name": "query - 14" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AzureDiagnostics\r\n| where Resource in~ (split(\"{Resource:label}\", \", \"))\r\n| where Category == \"DDoSMitigationReports\"\r\n| extend TopSourceASNs_s = coalesce(parse_json(column_ifexists(\"TopSourceASNs_s\",\"\")),parse_json(AdditionalFields[\"TopSourceASNs\"]))\r\n| extend TopSourceASNs_s = parse_json(tostring(TopSourceASNs_s))\r\n| where TopSourceASNs_s <> \"{}\"\r\n| extend DynamicASNs = todynamic(TopSourceASNs_s)\r\n| project DynamicASNs\r\n| as T\r\n| mv-apply DynamicASNs on (extend ASN = tostring(bag_keys(DynamicASNs)[0])\r\n| project ASN, value = todouble(DynamicASNs[ASN]) )\r\n| summarize Percentage = strcat(round(100 * sum(value) / toscalar(T\r\n| count), 3), \"%\") by ASN\r\n| sort by Percentage desc", "size": 1, "title": "AS Numbers", "timeContext": { "durationMs": 2419200000 }, 
"timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspaces}" ] }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "DDoS Summary" }, "customWidth": "20", "name": "query - 15", "styleSettings": { "margin": "15" } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AzureDiagnostics\r\n| where Resource in~ (split(\"{Resource:label}\", \", \"))\r\n| where Category == \"DDoSMitigationReports\"\r\n| extend DropReasons_s = coalesce(parse_json(column_ifexists(\"DropReasons_s\",\"\")),parse_json(AdditionalFields[\"DropReasons\"]))\r\n| extend DropReasons_s = parse_json(tostring(DropReasons_s))\r\n| where DropReasons_s <> \"{}\"\r\n| extend DynamicDroppedReasons = todynamic(DropReasons_s)\r\n| project DynamicDroppedReasons\r\n| as T\r\n| mv-apply DynamicDroppedReasons on (extend Reasons = tostring(bag_keys(DynamicDroppedReasons)[0])\r\n| project Reasons, value = todouble(DynamicDroppedReasons[Reasons]) )\r\n| summarize Percentage = strcat(round(100 * sum(value) / toscalar(T\r\n| count), 3), \"%\") by Reasons\r\n| sort by Percentage desc", "size": 1, "title": "Drop Reasons", "timeContext": { "durationMs": 2419200000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspaces}" ], "gridSettings": { "formatters": [ { "columnMatch": "count_", "formatter": 4, "formatOptions": { "palette": "coldHot", "showIcon": true } }, { "columnMatch": "Count", "formatter": 8, "formatOptions": { "palette": "coldHot", "showIcon": true } } ], "sortBy": [ { "itemKey": "Percentage", "sortOrder": 2 } ] }, "sortBy": [ { "itemKey": "Percentage", "sortOrder": 2 } ] }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "DDoS Summary" }, "customWidth": "20", "name": "Top Attack Vectors" }, { "type": 3, 
"content": { "version": "KqlItem/1.0", "query": "AzureDiagnostics\r\n| where Resource in~ (split(\"{Resource:label}\", \", \"))\r\n| where Category == \"DDoSMitigationReports\"\r\n| extend ReportType_s = coalesce(tostring(parse_json(column_ifexists(\"ReportType_s\",\"\"))[0]), AdditionalFields[\"ReportType\"])\r\n| extend MitigationPeriodStart_t = coalesce(column_ifexists(\"MitigationPeriodStart_t\", datetime(null)), todatetime(parse_json(AdditionalFields[\"MitigationPeriodStart\"])))\r\n| extend MitigationPeriodEnd_t = coalesce(column_ifexists(\"MitigationPeriodEnd_t\", datetime(null)), todatetime(parse_json(AdditionalFields[\"MitigationPeriodEnd\"])))\r\n| extend AttackVectors_s = coalesce(tostring(parse_json(column_ifexists(\"AttackVectors_s\",\"\"))[0]), AdditionalFields[\"AttackVectors\"])\r\n| extend TrafficOverview_s = coalesce(tostring(parse_json(column_ifexists(\"TrafficOverview_s\",\"\"))[0]), AdditionalFields[\"TrafficOverview\"])\r\n| extend Protocols_s = coalesce(tostring(parse_json(column_ifexists(\"Protocols_s\",\"\"))[0]), AdditionalFields[\"Protocols\"])\r\n| extend DropReasons_s = coalesce(tostring(parse_json(column_ifexists(\"DropReasons_s\",\"\"))[0]), AdditionalFields[\"DropReasons\"])\r\n| project TimeGenerated, ResourceGroup, SubscriptionId, Resource, ResourceType, Message, ReportType = ReportType_s, MitigationStartingTime = MitigationPeriodStart_t, MitigationEndingTime = MitigationPeriodEnd_t, IPAddress, AttackVectors = AttackVectors_s, TrafficOverview = TrafficOverview_s,Protocols = Protocols_s, DropReasons = DropReasons_s", "size": 0, "title": "Raw DDoS Mitigation Logs", "timeContext": { "durationMs": 2419200000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspaces}" ] }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "DDoS Summary" }, "name": "query - 23" }, { "type": 3, "content": { 
"version": "KqlItem/1.0", "query": "AzureDiagnostics\r\n| where Resource in~ (split(\"{Resource:label}\", \", \"))\r\n| where Category == \"DDoSMitigationFlowLogs\"\r\n| extend sourcePublicIpAddress_s = coalesce(tostring(parse_json(column_ifexists(\"sourcePublicIpAddress_s\",\"\"))[0]), AdditionalFields[\"sourcePublicIpAddress\"])\r\n| extend sourcePort_s = coalesce(tostring(parse_json(column_ifexists(\"sourcePort_s\",\"\"))[0]), AdditionalFields[\"sourcePort\"])\r\n| extend destPublicIpAddress_s = coalesce(tostring(parse_json(column_ifexists(\"destPublicIpAddress_s\",\"\"))[0]), AdditionalFields[\"destPublicIpAddress\"])\r\n| extend destPort_s = coalesce(tostring(parse_json(column_ifexists(\"destPort_s\",\"\"))[0]), AdditionalFields[\"destPort\"])\r\n| extend protocol_s = coalesce(tostring(parse_json(column_ifexists(\"protocol_s\",\"\"))[0]), AdditionalFields[\"protocol\"])\r\n| project TimeGenerated, ResourceGroup, SubscriptionId, Resource, ResourceType, Message, SourcePublicIPAddress = sourcePublicIpAddress_s, SourcePorts = sourcePort_s, DestinationPublicIpAddress = destPublicIpAddress_s, DestinationPorts = destPort_s, Protocol = protocol_s, ResouceID = _ResourceId\r\n", "size": 0, "title": "Raw DDoS Flow Logs", "timeContext": { "durationMs": 2419200000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspaces}" ] }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "DDoS Summary" }, "name": "query - 22" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AzureDiagnostics\r\n| where Resource in~ (split(\"{Resource:label}\", \", \"))\r\n| where Category == \"DDoSMitigationFlowLogs\" \r\n| where Message == \"Packet was forwarded to service\" \r\n| extend protocol_s = coalesce(parse_json(column_ifexists(\"protocol_s\",\"\")),parse_json(AdditionalFields[\"protocol\"]))\r\n| extend destPort_s = 
coalesce(parse_json(column_ifexists(\"destPort_s\",\"\")),parse_json(AdditionalFields[\"destPort\"]))\r\n| summarize count() by strcat(protocol_s, destPort_s) ", "size": 4, "showAnalytics": true, "title": "Allowed Traffic During Mitigation", "timeContext": { "durationMs": 2419200000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspaces}" ], "visualization": "tiles", "tileSettings": { "titleContent": { "formatter": 1 }, "leftContent": { "columnMatch": "count_", "formatter": 12, "formatOptions": { "palette": "auto" }, "numberFormat": { "unit": 17, "options": { "maximumSignificantDigits": 3, "maximumFractionDigits": 2 } } }, "secondaryContent": { "columnMatch": "Column1" }, "showBorder": false }, "graphSettings": { "type": 0, "topContent": { "columnMatch": "destPort_s", "formatter": 1 }, "centerContent": { "columnMatch": "count_", "formatter": 1, "numberFormat": { "unit": 17, "options": { "maximumSignificantDigits": 3, "maximumFractionDigits": 2 } } } } }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "DDoS Investigate" }, "customWidth": "50", "name": "query - 4" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AzureDiagnostics\r\n| where Resource in~ (split(\"{Resource:label}\", \", \"))\r\n| where Category == \"DDoSMitigationFlowLogs\" \r\n| where Message startswith \"Protocol violation\" \r\n| extend protocol_s = coalesce(parse_json(column_ifexists(\"protocol_s\",\"\")),parse_json(AdditionalFields[\"protocol\"]))\r\n| extend destPort_s = coalesce(parse_json(column_ifexists(\"destPort_s\",\"\")),parse_json(AdditionalFields[\"destPort\"]))\r\n| summarize count() by strcat(protocol_s, destPort_s) ", "size": 4, "showAnalytics": true, "title": "Dropped Traffic During Mitigation", "timeContext": { "durationMs": 2419200000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": 
"microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspaces}" ], "visualization": "tiles", "tileSettings": { "showBorder": false, "titleContent": { "columnMatch": "Column1", "formatter": 1 }, "leftContent": { "columnMatch": "count_", "formatter": 12, "formatOptions": { "palette": "auto" }, "numberFormat": { "unit": 17, "options": { "maximumSignificantDigits": 3, "maximumFractionDigits": 2 } } } } }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "DDoS Investigate" }, "customWidth": "50", "name": "query - 5" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AzureDiagnostics\n| where \"{Resource:label}\" == \"All\" or Resource in~ (split(\"{Resource:label}\", \", \"))\n| where Category == \"DDoSMitigationFlowLogs\" \n| extend sourcePublicIpAddress_s = coalesce(column_ifexists(\"sourcePublicIpAddress_s\",\"\"),parse_json(AdditionalFields[\"sourcePublicIpAddress_s\"]))\n| summarize count() by TimeGenerated, sourcePublicIpAddress_s\n", "size": 1, "showAnnotations": true, "showAnalytics": true, "title": "Top Attacking IPs", "timeContext": { "durationMs": 2419200000 }, "timeContextFromParameter": "TimeRange", "timeBrushParameterName": "brushtime", "exportFieldName": "Category", "exportParameterName": "Category", "exportToExcelOptions": "all", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspaces}" ], "visualization": "areachart" }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "DDoS Investigate" }, "customWidth": "100", "name": "query - 2" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AzureDiagnostics\r\n| where Resource in~ (split(\"{Resource:label}\", \", \"))\r\n| where Category == \"DDoSProtectionNotifications\"\r\n| extend publicIpAddress_s = 
coalesce(parse_json(column_ifexists(\"publicIpAddress_s\",\"\")),parse_json(AdditionalFields[\"publicIpAddress\"]))\r\n| project Message , publicIpAddress_s , ResourceId, TimeGenerated", "size": 0, "showAnalytics": true, "title": "DDoS Mitigation Activity", "timeContext": { "durationMs": 2419200000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspaces}" ], "gridSettings": { "formatters": [ { "columnMatch": "ResourceId", "formatter": 13, "formatOptions": { "linkColumn": "ResourceId", "linkTarget": "Metrics", "showIcon": true } } ], "sortBy": [ { "itemKey": "TimeGenerated", "sortOrder": 1 } ] }, "sortBy": [ { "itemKey": "TimeGenerated", "sortOrder": 1 } ] }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "DDoS Investigate" }, "customWidth": "50", "name": "query - 3" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AzureDiagnostics\r\n| where Resource in~ (split(\"{Resource:label}\", \", \"))\r\n| where Category == \"DDoSMitigationReports\"\r\n| distinct IPAddress", "size": 0, "showAnalytics": true, "title": "All Attacked IP Addresses - Select to Search Related", "timeContext": { "durationMs": 2419200000 }, "timeContextFromParameter": "TimeRange", "exportFieldName": "IPAddress", "exportParameterName": "IPAddress", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspaces}" ], "visualization": "table", "gridSettings": { "sortBy": [ { "itemKey": "IPAddress", "sortOrder": 1 } ] }, "sortBy": [ { "itemKey": "IPAddress", "sortOrder": 1 } ], "tileSettings": { "titleContent": { "columnMatch": "IPAddress", "formatter": 12, "formatOptions": { "showIcon": true } }, "showBorder": false } }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "DDoS Investigate" }, "customWidth": "25", "name": "query - 7" }, { 
"type": 3, "content": { "version": "KqlItem/1.0", "query": "search \"{IPAddress}\"\r\n| distinct Type", "size": 0, "showAnalytics": true, "title": "Table Matches - Select to View Logs", "noDataMessage": "Select an IP Address to discover tables", "timeContext": { "durationMs": 2419200000 }, "timeContextFromParameter": "brushtime", "exportFieldName": "Type", "exportParameterName": "Type", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspaces}" ] }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "DDoS Investigate" }, "customWidth": "25", "name": "query - 8" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "{Type}\r\n| search \"{IPAddress}\"\r\n| sort by TimeGenerated desc", "size": 0, "showAnalytics": true, "title": "Logs Related to Attacked IP Address", "timeContext": { "durationMs": 2419200000 }, "timeContextFromParameter": "brushtime", "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspaces}" ], "visualization": "table", "gridSettings": { "filter": true } }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "DDoS Investigate" }, "name": "query - 9" } ], "fallbackResourceIds": [ "" ], "fromTemplateId": "sentinel-AzDDoSStandardWorkbook", "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json" }