Azure-Sentinel/Workbooks/ForcepointNGFW.json

{
  "version": "Notebook/1.0",
  "items": [
    {
      "type": 1,
      "content": {
        "json": "# Log results grouped by Activity type"
      },
      "name": "text - 7"
    },
    {
      "type": 3,
      "content": {
        "version": "KqlItem/1.0",
        "query": "CommonSecurityLog \n| where DeviceVendor == \"Forcepoint\" and DeviceProduct == \"NGFW\" and TimeGenerated <= now()\n| summarize Count= count() by Activity\n| render barchart",
        "size": 1,
        "timeContext": {
          "durationMs": 2592000000
        },
        "queryType": 0,
        "resourceType": "microsoft.operationalinsights/workspaces",
        "chartSettings": {
          "xAxis": "Activity",
          "group": "Count",
          "createOtherGroup": 0,
          "showLegend": true
        }
      },
      "name": "query - 2"
    },
    {
      "type": 1,
      "content": {
        "json": "# Number of log results grouped by severity"
      },
      "name": "text - 6"
    },
    {
      "type": 3,
      "content": {
        "version": "KqlItem/1.0",
        "query": "CommonSecurityLog \n| where DeviceVendor == \"Forcepoint\" and DeviceProduct == \"NGFW\" and TimeGenerated <= now()\n| summarize Count= count() by LogSeverity\n| render barchart",
        "size": 0,
        "timeContext": {
          "durationMs": 2592000000
        },
        "queryType": 0,
        "resourceType": "microsoft.operationalinsights/workspaces",
        "chartSettings": {
          "group": "Count",
          "createOtherGroup": 0,
          "showMetrics": false,
          "showLegend": true
        }
      },
      "name": "query - 5"
    },
    {
      "type": 1,
      "content": {
        "json": "# Log results grouped by Source IP address"
      },
      "name": "text - 8"
    },
    {
      "type": 3,
      "content": {
        "version": "KqlItem/1.0",
        "query": "CommonSecurityLog \n| where DeviceVendor == \"Forcepoint\" and DeviceProduct == \"NGFW\" and TimeGenerated <= now()\n| summarize Count= count() by SourceIP\n| render barchart",
        "size": 0,
        "timeContext": {
          "durationMs": 2592000000
        },
        "queryType": 0,
        "resourceType": "microsoft.operationalinsights/workspaces"
      },
      "name": "query - 2"
    },
    {
      "type": 3,
      "content": {
        "version": "KqlItem/1.0",
        "query": "CommonSecurityLog| where DeviceVendor == \"Forcepoint\" and DeviceProduct == \"NGFW\" and DeviceAction  == 'Terminate' and TimeGenerated <= now()",
        "size": 0,
        "timeContext": {
          "durationMs": 2592000000
        },
        "queryType": 0,
        "resourceType": "microsoft.operationalinsights/workspaces"
      },
      "name": "query - 3"
    },
    {
      "type": 3,
      "content": {
        "version": "KqlItem/1.0",
        "query": "CommonSecurityLog| where DeviceVendor == \"Forcepoint\" and DeviceProduct == \"NGFW\" and LogSeverity  == '10' and TimeGenerated <= now()",
        "size": 0,
        "timeContext": {
          "durationMs": 6566400000,
          "endTime": "2020-01-16T13:46:00.000Z"
        },
        "queryType": 0,
        "resourceType": "microsoft.operationalinsights/workspaces"
      },
      "name": "query - 4"
    }
  ],
  "fromTemplateId": "sentinel-ForcepointNGFW",
  "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}