{ "version": "Notebook/1.0", "items": [ { "type": 9, "content": { "version": "KqlParameterItem/1.0", "parameters": [ { "id": "3448d079-06d5-493b-8769-0a54a0309367", "version": "KqlParameterItem/1.0", "name": "time_range", "label": "Time Range", "type": 4, "typeSettings": { "selectableValues": [ { "durationMs": 300000 }, { "durationMs": 900000 }, { "durationMs": 1800000 }, { "durationMs": 3600000 }, { "durationMs": 86400000 }, { "durationMs": 604800000 }, { "durationMs": 2592000000 } ], "allowCustom": true, "defaultValue": 86400000 }, "timeContext": { "durationMs": 86400000 }, "value": { "durationMs": 2592000000 } }, { "id": "73dba27b-6754-4b81-a3fe-254d8d03f2b6", "version": "KqlParameterItem/1.0", "name": "category", "label": "Category", "type": 2, "multiSelect": true, "quote": "", "delimiter": ",", "typeSettings": { "additionalResourceOptions": [], "showDefault": false }, "jsonData": "[\r\n { \"value\":1, \"label\":\"User Activity\", \"selected\":true },\r\n { \"value\":2, \"label\":\"Exploitation\", \"selected\":true },\r\n { \"value\":3, \"label\":\"Vulnerable Access\", \"selected\":true },\r\n { \"value\":4, \"label\":\"Sensitive Access\", \"selected\":true }\r\n]", "value": [ "1", "4" ] }, { "id": "9a5ccc66-29a2-473a-b93d-a1e0a1442815", "version": "KqlParameterItem/1.0", "name": "asset", "label": "Asset", "type": 2, "multiSelect": true, "quote": "'", "delimiter": ",", "query": "CommonSecurityLog | where DeviceVendor==\"Onapsis\" | distinct DeviceCustomString1", "typeSettings": { "additionalResourceOptions": [ "value::all" ], "showDefault": false }, "timeContext": { "durationMs": 0 }, "timeContextFromParameter": "time_range", "defaultValue": "value::all", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" } ], "style": "pills", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "name": "parameters - 2" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "CommonSecurityLog | where DeviceVendor==\"Onapsis\" and DeviceCustomString1 in ({asset}) and DeviceEventClassID in ({category}) | summarize count=count() by DeviceEventClassID | extend Category=case(DeviceEventClassID==1,\"User Activity\", DeviceEventClassID==2,\"Exploitation\",DeviceEventClassID==3,\"Vulnerable Access\",\"Sensitive Access\")", "size": 0, "title": "Alarm breakdown by category", "timeContext": { "durationMs": 2592000000 }, "timeContextFromParameter": "time_range", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "visualization": "piechart", "tileSettings": { "showBorder": false, "titleContent": { "columnMatch": "incident_type_s", "formatter": 1 }, "leftContent": { "columnMatch": "count_", "formatter": 12, "formatOptions": { "palette": "auto" }, "numberFormat": { "unit": 17, "options": { "maximumSignificantDigits": 3, "maximumFractionDigits": 2 } } } }, "graphSettings": { "type": 0, "topContent": { "columnMatch": "incident_type_s", "formatter": 1 }, "centerContent": { "columnMatch": "count_", "formatter": 1, "numberFormat": { "unit": 17, "options": { "maximumSignificantDigits": 3, "maximumFractionDigits": 2 } } } }, "chartSettings": { "yAxis": [ "count" ], "group": "Category", "createOtherGroup": null }, "mapSettings": { "locInfo": "LatLong", "sizeSettings": "count_", "sizeAggregation": "Sum", "legendMetric": "count_", "legendAggregation": "Sum", "itemColorSettings": { "type": "heatmap", "colorAggregation": "Sum", "nodeColorField": "count_", "heatmapPalette": "greenRed" } } }, "customWidth": "30", "name": "query - 2" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "CommonSecurityLog | where DeviceVendor==\"Onapsis\" and DeviceCustomString1 in ({asset}) and DeviceEventClassID in ({category}) | summarize Count=count() by bin(TimeGenerated, 1d)", "size": 0, "title": "Alarm volume over time", "timeContext": { "durationMs": 2592000000 }, "timeContextFromParameter": "time_range", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "visualization": "timechart" }, "customWidth": "40", "name": "query - 4" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "CommonSecurityLog | where DeviceVendor==\"Onapsis\" and DeviceCustomString1 in ({asset}) and DeviceEventClassID in ({category}) | summarize count() by DeviceCustomString1 | take 10", "size": 0, "title": "Assets triggering the most alarms", "timeContext": { "durationMs": 2592000000 }, "timeContextFromParameter": "time_range", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "visualization": "barchart", "graphSettings": { "type": 0, "topContent": { "columnMatch": "asset_name_s", "formatter": 1 }, "centerContent": { "columnMatch": "count_", "formatter": 1, "numberFormat": { "unit": 17, "options": { "maximumSignificantDigits": 3, "maximumFractionDigits": 2 } } } } }, "customWidth": "30", "name": "query - 3" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "CommonSecurityLog | where DeviceVendor==\"Onapsis\" and DeviceCustomString1 in ({asset}) and DeviceEventClassID in ({category}) | summarize Count=count() by SourceUserName | order by Count | take 10 | project Username=SourceUserName, Count", "size": 1, "title": "Users triggering the most alarms", "timeContext": { "durationMs": 2592000000 }, "timeContextFromParameter": "time_range", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "gridSettings": { "formatters": [ { "columnMatch": "Username", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "50%" } }, { "columnMatch": "Count", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "50%" } } ] } }, "customWidth": "50", "name": "query - 5" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "CommonSecurityLog | where DeviceVendor==\"Onapsis\" and DeviceCustomString1 in ({asset}) and DeviceEventClassID in ({category}) | summarize Count=count() by SourceIP | order by Count | take 10 | project Source=SourceIP, Count", "size": 1, "title": "Sources triggering the most alarms", "timeContext": { "durationMs": 2592000000 }, "timeContextFromParameter": "time_range", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "gridSettings": { "formatters": [ { "columnMatch": "Source", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "50%" } }, { "columnMatch": "Count", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "50%" } } ] } }, "customWidth": "50", "name": "query - 6" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "CommonSecurityLog | where DeviceVendor==\"Onapsis\" and DeviceCustomString1 in ({asset}) and DeviceEventClassID in ({category}) | parse kind = regex AdditionalExtensions with \"sev=\" Criticality |summarize Count = count() by Message, Criticality | order by Criticality, Count | project Incident_Name=Message, Criticality, Count", "size": 1, "title": "Incident Report", "timeContext": { "durationMs": 2592000000 }, "timeContextFromParameter": "time_range", "exportFieldName": "Incident_Name", "exportParameterName": "incident_name", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "name": "query - 7" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "incident_lookup | where IncidentName == '{incident_name}'", "size": 0, "title": "Incident Details", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "visualization": "table", "gridSettings": { "sortBy": [ { "itemKey": "RootCause", "sortOrder": 1 } ] }, "sortBy": [ { "itemKey": "RootCause", "sortOrder": 1 } ], "tileSettings": { "showBorder": false }, "graphSettings": { "type": 0 }, "mapSettings": { "locInfo": "LatLong" } }, "conditionalVisibility": { "parameterName": "incident_name", "comparison": "isNotEqualTo" }, "customWidth": "50", "name": "query - 8" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "CommonSecurityLog | where DeviceVendor==\"Onapsis\" and Message == '{incident_name}' and DeviceCustomString1 in ({asset}) | project Time=TimeGenerated, Asset=DeviceCustomString1, Client=DeviceCustomString2, Username=SourceUserName, Source=SourceIP, Logline=DeviceCustomString5 | order by Time", "size": 0, "title": "Incident Occurrences", "timeContext": { "durationMs": 2592000000 }, "timeContextFromParameter": "time_range", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "conditionalVisibility": { "parameterName": "incident_name", "comparison": "isNotEqualTo" }, "customWidth": "50", "name": "query - 8" } ], "styleSettings": {}, "fromTemplateId": "sentinel-OnapsisAlarms", "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json" }