{ "version": "Notebook/1.0", "items": [ { "type": 1, "content": { "json": "## Check Point Software Technologies" }, "name": "text - 8" }, { "type": 9, "content": { "version": "KqlParameterItem/1.0", "query": "", "crossComponentResources": [], "parameters": [ { "id": "932ebcf0-a1ca-48c6-bad4-a7001c05fba2", "version": "KqlParameterItem/1.0", "name": "TimeRange", "type": 4, "isRequired": true, "value": { "durationMs": 7776000000 }, "typeSettings": { "selectableValues": [ { "durationMs": 300000 }, { "durationMs": 900000 }, { "durationMs": 1800000 }, { "durationMs": 3600000 }, { "durationMs": 14400000 }, { "durationMs": 43200000 }, { "durationMs": 86400000 }, { "durationMs": 172800000 }, { "durationMs": 259200000 }, { "durationMs": 604800000 }, { "durationMs": 1209600000 }, { "durationMs": 2419200000 }, { "durationMs": 2592000000 }, { "durationMs": 5184000000 }, { "durationMs": 7776000000 } ], "allowCustom": true } }, { "id": "a5abcf5b-7db3-4424-8dd7-7c8b8821caaf", "version": "KqlParameterItem/1.0", "name": "DeviceProducts", "type": 2, "isRequired": true, "multiSelect": true, "quote": "'", "delimiter": ",", "query": "CommonSecurityLog\r\n| where DeviceVendor == \"Check Point\"\r\n| summarize Count = count() by DeviceProduct\r\n| project Value = DeviceProduct, Label = strcat(DeviceProduct, \": \", Count)", "value": [ "value::all" ], "typeSettings": { "additionalResourceOptions": [ "value::all" ], "selectAllValue": "All", "showDefault": false }, "timeContext": { "durationMs": 0 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, { "id": "8d31f627-c863-4479-accb-6b14241f8e4a", "version": "KqlParameterItem/1.0", "name": "LogSeverity", "type": 2, "isRequired": true, "multiSelect": true, "quote": "'", "delimiter": ",", "query": "CommonSecurityLog\r\n| where DeviceVendor == \"Check Point\"\r\n| summarize Count = count() by LogSeverity\r\n| project Value = LogSeverity, Label = strcat(LogSeverity, \": \", 
Count)", "value": [ "value::all" ], "typeSettings": { "additionalResourceOptions": [ "value::all" ], "selectAllValue": "All" }, "timeContext": { "durationMs": 0 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" } ], "style": "pills", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "name": "parameters - 0" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "let data = CommonSecurityLog\r\n| where DeviceVendor == \"Check Point\"\r\n| where DeviceProduct in ({DeviceProducts}) or '{DeviceProducts:label}' == \"All\";\r\ndata\r\n| summarize Count = count() by DeviceProduct\r\n| join kind = fullouter (datatable(DeviceProduct:string)['OneDrive', 'SharePoint']) on DeviceProduct\r\n| project DeviceProduct = iff(DeviceProduct == '', DeviceProduct1, DeviceProduct), Count = iff(DeviceProduct == '', 0, Count)\r\n| join kind = inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by DeviceProduct)\r\n on DeviceProduct\r\n| project-away DeviceProduct1, TimeGenerated\r\n| extend DeviceProduct = DeviceProduct\r\n| union (\r\n data \r\n | summarize Count = count() \r\n | extend jkey = 1\r\n | join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\r\n | extend jkey = 1) on jkey\r\n | extend DeviceProduct = 'All', DeviceProducts = '*' \r\n)\r\n| order by Count desc\r\n| take 10\r\n", "size": 4, "exportToExcelOptions": "visible", "timeContext": { "durationMs": 0 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "visualization": "tiles", "gridSettings": { "sortBy": [ { "itemKey": "Logs", "sortOrder": 2 } ], "labelSettings": [] }, "tileSettings": { "titleContent": { "columnMatch": "DeviceProduct", "formatter": 1, "formatOptions": { 
"showIcon": true } }, "leftContent": { "columnMatch": "Count", "formatter": 12, "formatOptions": { "showIcon": true }, "numberFormat": { "unit": 17, "options": { "style": "decimal", "maximumFractionDigits": 2, "maximumSignificantDigits": 3 } } }, "secondaryContent": { "columnMatch": "Trend", "formatter": 9, "formatOptions": { "palette": "pink", "showIcon": true } }, "showBorder": false } }, "name": "query - 3" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "CommonSecurityLog\r\n| where DeviceProduct in ({DeviceProducts}) or '{DeviceProducts:label}' == \"All\"\r\n| where LogSeverity in ({LogSeverity}) or '{LogSeverity:label}' == \"All\"\r\n| where DeviceVendor == \"Check Point\"// and DeviceProduct in~ (\"Application Control\", \"URL Filtering\")\r\n| summarize count() by bin(TimeGenerated, 1d),LogSeverity", "size": 0, "exportToExcelOptions": "visible", "title": "Application and URL filtering, by severity", "timeContext": { "durationMs": 0 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "visualization": "categoricalbar" }, "customWidth": "50", "name": "query - 1" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "CommonSecurityLog\r\n| where DeviceVendor == \"Check Point\"\r\n| where DeviceProduct in ({DeviceProducts}) or '{DeviceProducts:label}' == \"All\"\r\n| where LogSeverity in ({LogSeverity}) or '{LogSeverity:label}' == \"All\"\r\n| project origin = extract(\"origin=([^;]+)\",1,AdditionalExtensions), loguid = extract(\"loguid=([^;]+)\",1,AdditionalExtensions)\r\n| summarize ['Number of log Ids'] = dcount(loguid), ['Number of logs']=count() by origin\r\n//| summarize Count=count() by origin, loguid\r\n| order by ['Number of logs']\r\n", "size": 0, "exportToExcelOptions": "visible", "title": "Number of logs by IP address", "timeContext": { "durationMs": 0 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": 
"microsoft.operationalinsights/workspaces", "gridSettings": { "formatters": [ { "columnMatch": "origin", "formatter": 0, "formatOptions": { "showIcon": true } }, { "columnMatch": "Number of log Ids", "formatter": 4, "formatOptions": { "min": 0, "palette": "blue", "showIcon": true } }, { "columnMatch": "Number of logs", "formatter": 4, "formatOptions": { "min": 0, "palette": "purple", "showIcon": true } }, { "columnMatch": "Count", "formatter": 4, "formatOptions": { "min": 0, "palette": "purple", "showIcon": true } } ], "labelSettings": [] } }, "customWidth": "50", "name": "query - 2" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "CommonSecurityLog\r\n| where DeviceVendor == \"Check Point\" and DeviceProduct =~ \"Anti Malware\" and LogSeverity in~ (\"Medium\", \"High\", \"Critical\") and FlexNumber1 in (3,4,5) and DeviceCustomString3 in~ (\"DNS Reputation\",\"URL Reputation\",\"IP Reputation\")\r\n| summarize count() by SourceIP\r\n| summarize Count = count() , Title = \"Number of Infected Hosts\"", "size": 4, "exportToExcelOptions": "visible", "timeContext": { "durationMs": 0 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "visualization": "tiles", "tileSettings": { "titleContent": { "columnMatch": "Title", "formatOptions": { "showIcon": true } }, "rightContent": { "columnMatch": "Count", "formatter": 12, "formatOptions": { "showIcon": true } }, "showBorder": false } }, "customWidth": "50", "name": "query - 4" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "CommonSecurityLog\r\n| where DeviceVendor == \"Check Point\"\r\n| where DeviceProduct in ({DeviceProducts}) or '{DeviceProducts:label}' == \"All\"\r\n| where LogSeverity in ({LogSeverity}) or '{LogSeverity:label}' == \"All\"\r\n| project origin = extract(\"origin=([^;]+)\",1,AdditionalExtensions), loguid = extract(\"loguid=([^;]+)\",1,AdditionalExtensions)\r\n| summarize dcount(loguid) by origin\r\n| 
summarize Count = count(), Titel = \"Number of Gateways and Servers\"", "size": 4, "exportToExcelOptions": "visible", "timeContext": { "durationMs": 0 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "visualization": "tiles", "tileSettings": { "showBorder": false, "titleContent": { "columnMatch": "Titel", "formatter": 1 }, "leftContent": { "columnMatch": "Count", "formatter": 12, "formatOptions": { "palette": "auto" }, "numberFormat": { "unit": 17, "options": { "maximumSignificantDigits": 3, "maximumFractionDigits": 2 } } } } }, "customWidth": "50", "name": "query - 5" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "CommonSecurityLog\r\n| where DeviceVendor == \"Check Point\" \r\n| where DeviceProduct in ({DeviceProducts}) or '{DeviceProducts:label}' == \"All\"\r\n| where LogSeverity in ({LogSeverity}) or '{LogSeverity:label}' == \"All\"\r\n| where DeviceProduct =~ \"Anti Malware\" and LogSeverity in~ (\"Medium\", \"High\", \"Critical\") and FlexNumber1 in (3,4,5) and DeviceCustomString3 in~ (\"DNS Reputation\",\"URL Reputation\",\"IP Reputation\")\r\n| summarize Amount = count() by SourceIP", "size": 0, "exportToExcelOptions": "visible", "title": "Infected hosts", "timeContext": { "durationMs": 0 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "gridSettings": { "formatters": [ { "columnMatch": "SourceIP", "formatter": 0, "formatOptions": { "showIcon": true } }, { "columnMatch": "Amount", "formatter": 20, "formatOptions": { "palette": "gray", "showIcon": true } } ], "filter": true, "labelSettings": [] } }, "customWidth": "50", "name": "query - 6" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "CommonSecurityLog\r\n| where DeviceVendor == \"Check Point\"\r\n| where DeviceProduct in ({DeviceProducts}) or '{DeviceProducts:label}' == \"All\"\r\n| where LogSeverity in ({LogSeverity}) or 
'{LogSeverity:label}' == \"All\"\r\n| project origin = extract(\"origin=([^;]+)\",1,AdditionalExtensions), loguid = extract(\"loguid=([^;]+)\",1,AdditionalExtensions)\r\n| summarize Logins = dcount(loguid), Count = count() by Origin = origin\r\n| order by Logins, Count", "size": 0, "exportToExcelOptions": "visible", "title": "Gateways and Servers", "timeContext": { "durationMs": 0 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "gridSettings": { "formatters": [ { "columnMatch": "Origin", "formatter": 0, "formatOptions": { "showIcon": true } }, { "columnMatch": "Logins", "formatter": 4, "formatOptions": { "min": 0, "palette": "blue", "showIcon": true } }, { "columnMatch": "Count", "formatter": 4, "formatOptions": { "min": 0, "palette": "orange", "showIcon": true } } ], "labelSettings": [] } }, "customWidth": "50", "name": "query - 7" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "let data = CommonSecurityLog\r\n| where DeviceVendor == \"Check Point\"\r\n| where DeviceProduct in ({DeviceProducts}) or '{DeviceProducts:label}' == \"All\"\r\n| where LogSeverity in ({LogSeverity}) or '{LogSeverity:label}' == \"All\"\r\n| where DeviceProduct in~ (\"Anti-Bot\", \"Anti-Virus\", \"DDoS Protector\", \"IPS\", \"Threat Emulation\") and FlexNumber1 in (3,4,5) and LogSeverity in~ (\"Medium\", \"High\", \"Very-High\") and DeviceAction in~ (\"Detect\",\"Prevent\");\r\nlet appData = data\r\n| summarize TotalCount = count() by DeviceAction\r\n| join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by DeviceAction\r\n | project-away TimeGenerated) on DeviceAction\r\n| order by TotalCount desc, DeviceAction asc\r\n| project DeviceAction, TotalCount, Trend\r\n| serialize Id = row_number();\r\ndata\r\n| summarize TotalCount = count() by DeviceProduct , DeviceAction\r\n| join kind=inner (data\r\n | 
make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by DeviceAction, DeviceProduct, LogSeverity\r\n | project-away TimeGenerated) on DeviceAction, DeviceProduct\r\n| order by TotalCount desc, DeviceAction asc\r\n| project DeviceAction, DeviceProduct, TotalCount, Trend\r\n| serialize Id = row_number(1000000)\r\n| join kind=inner (appData) on DeviceAction\r\n| project Id, Name = DeviceProduct, Type = 'DeviceProduct', ['DeviceProduct Count'] = TotalCount, Trend, ParentId = Id1\r\n| union (appData \r\n | project Id, Name = DeviceAction, Type = 'DeviceAction', ['DeviceProduct Count'] = TotalCount, Trend )\r\n| order by ['DeviceProduct Count'] desc, Name asc\r\n", "size": 0, "exportToExcelOptions": "visible", "title": "Attack actions, by policy", "timeContext": { "durationMs": 0 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "visualization": "table", "gridSettings": { "formatters": [ { "columnMatch": "Id", "formatter": 5, "formatOptions": { "showIcon": true } }, { "columnMatch": "Name", "formatter": 0, "formatOptions": { "showIcon": true } }, { "columnMatch": "Type", "formatter": 0, "formatOptions": { "showIcon": true } }, { "columnMatch": "DeviceProduct Count", "formatter": 8, "formatOptions": { "min": 0, "palette": "purple", "showIcon": true } }, { "columnMatch": "Trend", "formatter": 9, "formatOptions": { "palette": "blue", "showIcon": true } }, { "columnMatch": "ParentId", "formatter": 5, "formatOptions": { "showIcon": true } } ], "filter": true, "hierarchySettings": { "idColumn": "Id", "parentColumn": "ParentId", "treeType": 0, "expanderColumn": "Name" }, "labelSettings": [] } }, "name": "query - 9" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "CommonSecurityLog\r\n| where DeviceVendor == \"Check Point\"\r\n| where DeviceProduct in ({DeviceProducts}) or '{DeviceProducts:label}' == \"All\"\r\n| where 
LogSeverity in ({LogSeverity}) or '{LogSeverity:label}' == \"All\"\r\n//| where FlexNumber1 in (3,4,5) and LogSeverity in~ (\"High\", \"Very-High\", \"Critical\")\r\n| summarize Count = count() by LogSeverity, Message, DeviceProduct, SourceIP\r\n| order by Count", "size": 0, "exportToExcelOptions": "visible", "title": "Log severity detailed", "timeContext": { "durationMs": 0 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "visualization": "table", "gridSettings": { "formatters": [ { "columnMatch": "$gen_group", "formatter": 18, "formatOptions": { "showIcon": true, "thresholdsOptions": "icons", "thresholdsGrid": [ { "operator": "contains", "thresholdValue": "High", "representation": "error", "text": "{0}{1}" }, { "operator": "contains", "thresholdValue": "Medium", "representation": "2", "text": "{0}{1}" }, { "thresholdValue": "Critical", "representation": "critical", "text": "{0}{1}" }, { "operator": "Default", "thresholdValue": null, "representation": "1", "text": "{0}{1}" } ] } }, { "columnMatch": "LogSeverity", "formatter": 5, "formatOptions": { "showIcon": true } }, { "columnMatch": "Message", "formatter": 0, "formatOptions": { "showIcon": true, "aggregation": "Unique" } }, { "columnMatch": "DeviceProduct", "formatter": 0, "formatOptions": { "showIcon": true, "aggregation": "Unique" } }, { "columnMatch": "SourceIP", "formatter": 0, "formatOptions": { "showIcon": true, "aggregation": "Unique" } }, { "columnMatch": "Count", "formatter": 8, "formatOptions": { "min": 0, "palette": "purpleBlue", "showIcon": true, "aggregation": "Sum" } }, { "columnMatch": "TimeGenerated", "formatter": 0, "formatOptions": { "showIcon": true } }, { "columnMatch": "DeviceAction", "formatter": 0, "formatOptions": { "showIcon": true } }, { "columnMatch": "count_", "formatter": 0, "formatOptions": { "showIcon": true } } ], "rowLimit": 1000, "filter": true, "hierarchySettings": { "treeType": 1, "groupBy": [ 
"LogSeverity" ], "expandTopLevel": false }, "labelSettings": [] } }, "name": "query - 10" } ], "styleSettings": {}, "fromTemplateId": "sentinel-CheckPoint", "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json" }