Azure-Sentinel/Workbooks/PhishingAnalysis.json


{
"version": "Notebook/1.0",
"items": [
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "7d392d5c-1643-415c-bb72-7553e2b14c3e",
"version": "KqlParameterItem/1.0",
"name": "Subscription",
"type": 6,
"isRequired": true,
"typeSettings": {
"additionalResourceOptions": [],
"includeAll": false,
"showDefault": false
},
"value": ""
},
{
"id": "72128dde-c135-4fea-a974-5d4a3b4e833d",
"version": "KqlParameterItem/1.0",
"name": "Workspace",
"type": 5,
"isRequired": true,
"query": "resources\r\n| where type =~ 'microsoft.operationalinsights/workspaces'\r\n| project value =id, label = name",
"typeSettings": {
"additionalResourceOptions": [],
"showDefault": false
},
"queryType": 1,
"resourceType": "microsoft.operationalinsights/workspaces",
"value": ""
}
],
"style": "pills",
"queryType": 1,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "Top Navigation"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "Search Email with Network Message ID",
"expandable": true,
"expanded": true,
"items": [
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "ad972143-0e44-48d4-a25a-7e07c48cbdf4",
"version": "KqlParameterItem/1.0",
"name": "NetworkMessageIDSearch",
"label": "Enter Network Message ID (exact match; use lower case — the post-delivery lookup compares the value as typed)",
"type": 1,
"timeContext": {
"durationMs": 86400000
},
"value": ""
},
{
"id": "3a86ced4-2472-4d90-91c8-68a79fd90597",
"version": "KqlParameterItem/1.0",
"name": "NMIDTimeRange",
"label": "Time Range",
"type": 4,
"typeSettings": {
"selectableValues": [
{
"durationMs": 43200000
},
{
"durationMs": 86400000
},
{
"durationMs": 172800000
},
{
"durationMs": 259200000
},
{
"durationMs": 604800000
},
{
"durationMs": 1209600000
},
{
"durationMs": 2419200000
},
{
"durationMs": 2592000000
}
],
"allowCustom": true
},
"timeContext": {
"durationMs": 86400000
}
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 0"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "EmailEvents\r\n| where NetworkMessageId == tolower('{NetworkMessageIDSearch}')\r\n| project TimeGenerated, SenderFromAddress, SenderMailFromAddress, SenderDisplayName, SenderIP=iff(SenderIPv4!=\"\",SenderIPv4, SenderIPv6), RecipientEmailAddress, Subject, DeliveryAction, DeliveryLocation, AuthenticationDetails, ConfidenceLevel, DetectionMethods, ThreatTypes, EmailDirection, EmailLanguage, EmailActionPolicy, EmailAction, AttachmentCount, UrlCount",
"size": 1,
"title": "Email Details",
"timeContextFromParameter": "NMIDTimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "TimeGenerated",
"formatter": 6,
"dateFormat": {
"showUtcTime": true,
"formatName": null
}
},
{
"columnMatch": "TenantId",
"formatter": 5
}
]
}
},
"conditionalVisibilities": [
{
"parameterName": "NetworkMessageIDSearch",
"comparison": "isNotEqualTo"
},
{
"parameterName": "NMIDTimeRange",
"comparison": "isNotEqualTo"
}
],
"name": "EmailDetails"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "EmailPostDeliveryEvents\r\n| where NetworkMessageId == '{NetworkMessageIDSearch}'\r\n| project TimeGenerated, ActionTrigger, Action, ActionResult, DeliveryLocation, RecipientEmailAddress, ThreatTypes, DetectionMethods\r\n",
"size": 1,
"title": "Post Delivery Actions (if applicable)",
"timeContextFromParameter": "NMIDTimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "TimeGenerated",
"formatter": 6,
"dateFormat": {
"showUtcTime": true,
"formatName": null
}
}
],
"sortBy": [
{
"itemKey": "RecipientEmailAddress",
"sortOrder": 1
}
]
},
"sortBy": [
{
"itemKey": "RecipientEmailAddress",
"sortOrder": 1
}
]
},
"conditionalVisibilities": [
{
"parameterName": "NetworkMessageIDSearch",
"comparison": "isNotEqualTo"
},
{
"parameterName": "NMIDTimeRange",
"comparison": "isNotEqualTo"
}
],
"name": "Post Delivery Actions"
}
]
},
"name": "NetworkMsgIDSearch"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "3158fff3-d9b4-472d-8f5a-18e331f1d76f",
"version": "KqlParameterItem/1.0",
"name": "TimeRange",
"label": "Time Range",
"type": 4,
"typeSettings": {
"selectableValues": [
{
"durationMs": 300000
},
{
"durationMs": 1800000
},
{
"durationMs": 3600000
},
{
"durationMs": 14400000
},
{
"durationMs": 43200000
},
{
"durationMs": 86400000
},
{
"durationMs": 172800000
},
{
"durationMs": 259200000
},
{
"durationMs": 604800000
},
{
"durationMs": 1209600000
},
{
"durationMs": 2592000000
},
{
"durationMs": 5184000000
},
{
"durationMs": 7776000000
}
],
"allowCustom": true
},
"timeContext": {
"durationMs": 3600000
}
},
{
"id": "e63f1a36-a44c-4936-8ad9-30bc7d8587d4",
"version": "KqlParameterItem/1.0",
"name": "Sender",
"label": "Sender Email",
"type": 1,
"description": "Exact, case-insensitive match against SenderFromAddress or SenderMailFromAddress (no wildcards or partial matches)",
"timeContext": {
"durationMs": 86400000
}
},
{
"id": "175b1a45-d1f0-4e23-b1dd-a19afab7ef7b",
"version": "KqlParameterItem/1.0",
"name": "Recipient",
"label": "Recipient Email",
"type": 1,
"value": "",
"timeContext": {
"durationMs": 86400000
}
},
{
"id": "86a41861-0346-4a1a-95f7-8e1b5db915c1",
"version": "KqlParameterItem/1.0",
"name": "Subject",
"type": 9,
"description": "Comma-separated terms; every term must appear in Subject (KQL has_all, whole-term and case-insensitive)",
"multiSelect": true,
"quote": "\"",
"delimiter": ",",
"timeContext": {
"durationMs": 604800000
},
"timeContextFromParameter": "TimeRange"
},
{
"id": "17469545-eef5-486c-83fc-742ab79ee164",
"version": "KqlParameterItem/1.0",
"name": "EmailDirection",
"label": "Email Direction",
"type": 2,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "EmailEvents\r\n| distinct EmailDirection",
"crossComponentResources": [
""
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
],
"showDefault": false
},
"timeContext": {
"durationMs": 2592000000
},
"timeContextFromParameter": "TimeRange",
"defaultValue": "value::all",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"value": [
"value::all"
]
},
{
"id": "14791a6d-e300-46f7-aabf-82ed0c482b47",
"version": "KqlParameterItem/1.0",
"name": "SenderDomain",
"label": "Sender Domain",
"type": 2,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "EmailEvents\r\n| where (isempty(\"{Sender}\") or SenderFromAddress =~ \"{Sender}\") or (SenderMailFromAddress =~ \"{Sender}\")\r\n| where isempty(\"{Recipient}\") or RecipientEmailAddress =~ \"{Recipient}\"\r\n| where Subject has_all (dynamic([{Subject}]))\r\n| summarize Messages=count() by SenderDomain=iff(SenderFromDomain==\"\",SenderMailFromDomain,SenderFromDomain)\r\n| sort by Messages desc\r\n| project SenderDomain, strcat(SenderDomain, ' - ', Messages, ' messages')",
"crossComponentResources": [
""
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
],
"showDefault": false
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"defaultValue": "value::all",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
{
"id": "32adf9e4-b5e6-4cdd-8b9a-1024789334b8",
"version": "KqlParameterItem/1.0",
"name": "RecipientDomain",
"label": "Recipient Domain",
"type": 2,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "EmailEvents\r\n| where (isempty(\"{Sender}\") or SenderFromAddress =~ \"{Sender}\") or (SenderMailFromAddress =~ \"{Sender}\")\r\n| where isempty(\"{Recipient}\") or RecipientEmailAddress =~ \"{Recipient}\"\r\n| where Subject has_all (dynamic([{Subject}]))\r\n| extend RecipientDomain = tostring(split(RecipientEmailAddress, \"@\", 1)[0])\r\n| summarize Messages=count() by RecipientDomain\r\n| sort by Messages desc\r\n| project RecipientDomain, strcat(RecipientDomain, ' - ', Messages, ' messages')",
"crossComponentResources": [
""
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
],
"showDefault": false
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"defaultValue": "value::all",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
}
],
"style": "above",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"customWidth": "100",
"name": "PhishParam"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "EmailEvents\r\n| where isempty(\"{Sender}\") or (SenderFromAddress =~ \"{Sender}\") or (SenderMailFromAddress =~ \"{Sender}\")\r\n| where isempty(\"{Recipient}\") or RecipientEmailAddress =~ \"{Recipient}\"\r\n| where EmailDirection in ({EmailDirection})\r\n| extend RecipientDomain = tostring(split(RecipientEmailAddress, \"@\", 1)[0])\r\n| where \"*\" in ({RecipientDomain}) or RecipientDomain in ({RecipientDomain})\r\n| where \"*\" in ({SenderDomain}) or (SenderFromDomain in ({SenderDomain}) or SenderMailFromDomain in ({SenderDomain}))\r\n| where Subject has_all (dynamic([{Subject}]))\r\n| summarize Count=count() by EmailDirection\r\n| sort by Count desc",
"size": 0,
"title": "Email Direction *Clickable*",
"timeContextFromParameter": "TimeRange",
"exportFieldName": "EmailDirection",
"exportParameterName": "Direction",
"exportDefaultValue": "All",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "tiles",
"tileSettings": {
"showBorder": false,
"titleContent": {
"columnMatch": "EmailDirection",
"formatter": 1
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
}
},
"customWidth": "22",
"name": "EmailDirection"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "EmailEvents\r\n| where isempty(\"{Sender}\") or (SenderFromAddress =~ \"{Sender}\") or (SenderMailFromAddress =~ \"{Sender}\")\r\n| where isempty(\"{Recipient}\") or RecipientEmailAddress =~ \"{Recipient}\"\r\n| where EmailDirection in ({EmailDirection})\r\n| where \"{Direction}\" == \"All\" or EmailDirection == \"{Direction}\"\r\n| extend RecipientDomain = tostring(split(RecipientEmailAddress, \"@\", 1)[0])\r\n| where \"*\" in ({RecipientDomain}) or RecipientDomain in ({RecipientDomain})\r\n| where \"*\" in ({SenderDomain}) or (SenderFromDomain in ({SenderDomain}) or SenderMailFromDomain in ({SenderDomain}))\r\n| where Subject has_all (dynamic([{Subject}]))\r\n| summarize Count=count() by DeliveryAction\r\n| sort by Count desc",
"size": 0,
"title": "Delivery Action *Clickable*",
"timeContextFromParameter": "TimeRange",
"exportFieldName": "DeliveryAction",
"exportParameterName": "DeliveryAction",
"exportDefaultValue": "All",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "tiles",
"tileSettings": {
"titleContent": {
"columnMatch": "DeliveryAction",
"formatter": 1
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
},
"showBorder": false
}
},
"customWidth": "22",
"name": "DeliveryAction"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "EmailEvents\r\n| where isempty(\"{Sender}\") or (SenderFromAddress =~ \"{Sender}\") or (SenderMailFromAddress =~ \"{Sender}\")\r\n| where isempty(\"{Recipient}\") or RecipientEmailAddress =~ \"{Recipient}\"\r\n| where EmailDirection in ({EmailDirection})\r\n| where \"{Direction}\" == \"All\" or EmailDirection == \"{Direction}\"\r\n| where \"{DeliveryAction}\" == \"All\" or DeliveryAction == \"{DeliveryAction}\"\r\n| extend RecipientDomain = tostring(split(RecipientEmailAddress, \"@\", 1)[0])\r\n| where \"*\" in ({RecipientDomain}) or RecipientDomain in ({RecipientDomain})\r\n| where \"*\" in ({SenderDomain}) or (SenderFromDomain in ({SenderDomain}) or SenderMailFromDomain in ({SenderDomain}))\r\n| where Subject has_all (dynamic([{Subject}]))\r\n| summarize Count=count() by DeliveryLocation",
"size": 0,
"title": "Initial Delivery Location",
"timeContextFromParameter": "TimeRange",
"exportFieldName": "EmailAction",
"exportParameterName": "Action",
"exportDefaultValue": "All",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "piechart",
"tileSettings": {
"titleContent": {
"columnMatch": "DeliveryAction",
"formatter": 1
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
},
"showBorder": false
}
},
"customWidth": "22",
"conditionalVisibility": {
"parameterName": "Nav",
"comparison": "isNotEqualTo",
"value": "Attachments"
},
"name": "DeliveryLocation"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 11,
"content": {
"version": "LinkItem/1.0",
"style": "tabs",
"links": [
{
"id": "2e5b2b41-60f3-4618-a738-d761a59f0785",
"cellValue": "Tab",
"linkTarget": "parameter",
"linkLabel": "Top Sender IPs",
"subTarget": "SenderIP",
"style": "link"
},
{
"id": "c3f8d980-8b4c-41d1-80de-daeeb2a2e2a8",
"cellValue": "Tab",
"linkTarget": "parameter",
"linkLabel": "Sender IP Heatmap",
"subTarget": "SenderHeatmap",
"style": "link"
}
]
},
"name": "SenderIP-Heatmap"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "EmailEvents\r\n| where isempty(\"{Sender}\") or (SenderFromAddress =~ \"{Sender}\") or (SenderMailFromAddress =~ \"{Sender}\")\r\n| where isempty(\"{Recipient}\") or RecipientEmailAddress =~ \"{Recipient}\"\r\n| where EmailDirection in ({EmailDirection})\r\n| where \"{Direction}\" == \"All\" or EmailDirection == \"{Direction}\"\r\n| where \"{DeliveryAction}\" == \"All\" or DeliveryAction == \"{DeliveryAction}\"\r\n| extend RecipientDomain = tostring(split(RecipientEmailAddress, \"@\", 1)[0])\r\n| where \"*\" in ({RecipientDomain}) or RecipientDomain in ({RecipientDomain})\r\n| where \"*\" in ({SenderDomain}) or (SenderFromDomain in ({SenderDomain}) or SenderMailFromDomain in ({SenderDomain}))\r\n| where Subject has_all (dynamic([{Subject}]))\r\n| extend SenderIP=iff(SenderIPv4!=\"\",SenderIPv4, SenderIPv6)\r\n| summarize Count=count() by SenderIP",
"size": 0,
"timeContextFromParameter": "TimeRange",
"exportFieldName": "SenderIPv4",
"exportParameterName": "senderip",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "piechart",
"tileSettings": {
"showBorder": false,
"titleContent": {
"columnMatch": "SenderIPv4",
"formatter": 1
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
},
"graphSettings": {
"type": 0,
"topContent": {
"columnMatch": "SenderIPv4",
"formatter": 1
},
"centerContent": {
"columnMatch": "Count",
"formatter": 1,
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
},
"mapSettings": {
"locInfo": "LatLong",
"sizeSettings": "Count",
"sizeAggregation": "Sum",
"legendMetric": "Count",
"legendAggregation": "Sum",
"itemColorSettings": {
"type": "heatmap",
"colorAggregation": "Sum",
"nodeColorField": "Count",
"heatmapPalette": "greenRed"
}
}
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "SenderIP"
},
"name": "TopSenderIP"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "EmailEvents\r\n| where isempty(\"{Sender}\") or (SenderFromAddress =~ \"{Sender}\") or (SenderMailFromAddress =~ \"{Sender}\")\r\n| where isempty(\"{Recipient}\") or RecipientEmailAddress =~ \"{Recipient}\"\r\n| where EmailDirection in ({EmailDirection})\r\n| where \"{Direction}\" == \"All\" or EmailDirection == \"{Direction}\"\r\n| where \"{DeliveryAction}\" == \"All\" or DeliveryAction == \"{DeliveryAction}\"\r\n| extend RecipientDomain = tostring(split(RecipientEmailAddress, \"@\", 1)[0])\r\n| where \"*\" in ({RecipientDomain}) or RecipientDomain in ({RecipientDomain})\r\n| where \"*\" in ({SenderDomain}) or (SenderFromDomain in ({SenderDomain}) or SenderMailFromDomain in ({SenderDomain}))\r\n| where Subject has_all (dynamic([{Subject}]))\r\n| extend SenderIP=iff(SenderIPv4!=\"\",SenderIPv4, SenderIPv6)\r\n| summarize Count=count() by SenderIP, Country=tostring(geo_info_from_ip_address(SenderIP).country)",
"size": 0,
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "map",
"mapSettings": {
"locInfo": "CountryRegion",
"locInfoColumn": "Country",
"sizeSettings": "Count",
"sizeAggregation": "Sum",
"legendMetric": "Count",
"legendAggregation": "Sum",
"itemColorSettings": {
"nodeColorField": "Count",
"colorAggregation": "Sum",
"type": "heatmap",
"heatmapPalette": "greenRed"
}
}
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "SenderHeatmap"
},
"name": "SenderIPHeatmap"
}
]
},
"customWidth": "34",
"name": "SenderIP-Heatmap"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "EmailEvents\r\n| where EmailDirection in ({EmailDirection})\r\n| where \"{Direction}\" == \"All\" or EmailDirection == \"{Direction}\"\r\n| where isempty(\"{Sender}\") or (SenderFromAddress =~ \"{Sender}\") or (SenderMailFromAddress =~ \"{Sender}\")\r\n| where isempty(\"{Recipient}\") or RecipientEmailAddress =~ \"{Recipient}\"\r\n| where \"{Direction}\" == \"All\" or EmailDirection == \"{Direction}\"\r\n| where \"{DeliveryAction}\" == \"All\" or DeliveryAction == \"{DeliveryAction}\"\r\n| extend RecipientDomain = tostring(split(RecipientEmailAddress, \"@\", 1)[0])\r\n| where \"*\" in ({RecipientDomain}) or RecipientDomain in ({RecipientDomain})\r\n| where \"*\" in ({SenderDomain}) or (SenderFromDomain in ({SenderDomain}) or SenderMailFromDomain in ({SenderDomain}))\r\n| where Subject has_all (dynamic([{Subject}]))\r\n| summarize DistinctMessages=dcount(InternetMessageId), DistinctRecipients=dcount(RecipientEmailAddress), DistinctRecipientDomains=dcount(RecipientDomain), NetworkMessageIds=make_set(NetworkMessageId) by Sender=(iff(SenderFromAddress==\"\",SenderMailFromAddress,SenderFromAddress)), SenderDomain=(iff(SenderFromDomain==\"\",SenderMailFromDomain,SenderFromDomain))\r\n| sort by DistinctMessages desc",
"size": 0,
"title": "Top Senders by Sender Domain (expand a domain and select a sender to filter the results below; Sender falls back to SenderMailFromAddress when SenderFromAddress is empty)",
"exportedParameters": [
{
"fieldName": "Sender",
"parameterName": "Sender2",
"parameterType": 1,
"defaultValue": "All"
},
{
"fieldName": "NetworkMessageIds",
"parameterName": "NetworkMessageIdsSender",
"parameterType": 1,
"defaultValue": "[]"
}
],
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "DistinctMessages",
"formatter": 4,
"formatOptions": {
"palette": "blue",
"customColumnWidthSetting": "20ch"
}
},
{
"columnMatch": "DistinctRecipients",
"formatter": 4,
"formatOptions": {
"palette": "blue",
"customColumnWidthSetting": "21ch"
}
},
{
"columnMatch": "DistinctRecipientDomains",
"formatter": 4,
"formatOptions": {
"palette": "blue",
"customColumnWidthSetting": "27ch"
}
},
{
"columnMatch": "NetworkMessageIds",
"formatter": 5
},
{
"columnMatch": "SenderFromDomain",
"formatter": 5
},
{
"columnMatch": "Group",
"formatter": 1
},
{
"columnMatch": "SenderMailFromAddress",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "29ch"
}
}
],
"hierarchySettings": {
"treeType": 1,
"groupBy": [
"SenderDomain"
]
}
}
},
"customWidth": "40",
"name": "TopSenders"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "EmailEvents\r\n| where EmailDirection in ({EmailDirection})\r\n| where \"{Direction}\" == \"All\" or EmailDirection == \"{Direction}\"\r\n| where isempty(\"{Sender}\") or (SenderFromAddress =~ \"{Sender}\") or (SenderMailFromAddress =~ \"{Sender}\")\r\n| where isempty(\"{Recipient}\") or RecipientEmailAddress =~ \"{Recipient}\"\r\n| where \"{Direction}\" == \"All\" or EmailDirection == \"{Direction}\"\r\n| where \"{DeliveryAction}\" == \"All\" or DeliveryAction == \"{DeliveryAction}\"\r\n| extend RecipientDomain = tostring(split(RecipientEmailAddress, \"@\", 1)[0])\r\n| where \"*\" in ({RecipientDomain}) or RecipientDomain in ({RecipientDomain})\r\n| where \"*\" in ({SenderDomain}) or (SenderFromDomain in ({SenderDomain}) or SenderMailFromDomain in ({SenderDomain}))\r\n| where Subject has_all (dynamic([{Subject}]))\r\n| where \"{Sender2}\" == \"All\" or (SenderFromAddress =~ \"{Sender2}\") or (SenderMailFromAddress =~ \"{Sender2}\")\r\n| summarize DistinctMessages=dcount(InternetMessageId), DistinctSenders=dcount(SenderFromAddress), NetworkMessageIds=make_set(NetworkMessageId) by RecipientEmailAddress\r\n| sort by DistinctMessages\r\n//| where DistinctMessages > 1 or DistinctSenders > 1",
"size": 0,
"title": "Top Recipients *Clickable*",
"timeContextFromParameter": "TimeRange",
"exportFieldName": "NetworkMessageIds",
"exportParameterName": "NetworkMessageIdsRecipient",
"exportDefaultValue": "[]",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "RecipientEmailAddress",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "28ch"
}
},
{
"columnMatch": "DistinctMessages",
"formatter": 4,
"formatOptions": {
"palette": "blue",
"customColumnWidthSetting": "143px"
}
},
{
"columnMatch": "DistinctSenders",
"formatter": 4,
"formatOptions": {
"palette": "blue",
"customColumnWidthSetting": "140px"
}
},
{
"columnMatch": "NetworkMessageIds",
"formatter": 5
}
],
"sortBy": [
{
"itemKey": "$gen_bar_DistinctMessages_1",
"sortOrder": 1
}
]
},
"sortBy": [
{
"itemKey": "$gen_bar_DistinctMessages_1",
"sortOrder": 1
}
]
},
"customWidth": "30",
"name": "TopRecipients"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "EmailEvents\r\n| where EmailDirection in ({EmailDirection})\r\n| where \"{Direction}\" == \"All\" or EmailDirection == \"{Direction}\"\r\n| where isempty(\"{Sender}\") or (SenderFromAddress =~ \"{Sender}\") or (SenderMailFromAddress =~ \"{Sender}\")\r\n| where isempty(\"{Recipient}\") or RecipientEmailAddress =~ \"{Recipient}\"\r\n| where \"{Direction}\" == \"All\" or EmailDirection == \"{Direction}\"\r\n| where \"{DeliveryAction}\" == \"All\" or DeliveryAction == \"{DeliveryAction}\"\r\n| extend RecipientDomain = tostring(split(RecipientEmailAddress, \"@\", 1)[0])\r\n| where \"*\" in ({RecipientDomain}) or RecipientDomain in ({RecipientDomain})\r\n| where \"*\" in ({SenderDomain}) or (SenderFromDomain in ({SenderDomain}) or SenderMailFromDomain in ({SenderDomain}))\r\n| where Subject has_all (dynamic([{Subject}]))\r\n| where \"{Sender2}\" == \"All\" or (SenderFromAddress =~ \"{Sender2}\") or (SenderMailFromAddress =~ \"{Sender2}\")\r\n| summarize DistinctMessages=dcount(InternetMessageId), DistinctSenders=dcount(SenderFromAddress), NetworkMessageIds=make_set(NetworkMessageId) by RecipientDomain\r\n| sort by DistinctMessages desc",
"size": 0,
"title": "Top Recipient Domains *Clickable*",
"timeContextFromParameter": "TimeRange",
"exportFieldName": "NetworkMessageIds",
"exportParameterName": "NetworkMessageIdsDomain",
"exportDefaultValue": "[]",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "RecipientDomain",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "25.8571ch"
}
},
{
"columnMatch": "DistinctMessages",
"formatter": 4,
"formatOptions": {
"palette": "blue",
"customColumnWidthSetting": "143px"
}
},
{
"columnMatch": "DistinctSenders",
"formatter": 4,
"formatOptions": {
"palette": "blue",
"customColumnWidthSetting": "140px"
}
},
{
"columnMatch": "NetworkMessageIds",
"formatter": 5
}
]
}
},
"customWidth": "30",
"name": "TopRecipientDomains"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "Top & Unique Email URL/Attachments",
"items": [
{
"type": 11,
"content": {
"version": "LinkItem/1.0",
"style": "tabs",
"links": [
{
"id": "06b938ca-9906-4cd5-bf4a-e6814a705f37",
"cellValue": "Tab",
"linkTarget": "parameter",
"linkLabel": "URLs",
"subTarget": "EmailURL",
"style": "link"
},
{
"id": "d4c44556-1a6c-4c1b-a53b-1f5664d21fee",
"cellValue": "Tab",
"linkTarget": "parameter",
"linkLabel": "Attachments",
"subTarget": "EmailAttachment",
"style": "link"
}
]
},
"name": "EmailArtifactsParams"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let ids = array_concat(dynamic({NetworkMessageIdsSender}),dynamic({NetworkMessageIdsRecipient}),dynamic({NetworkMessageIdsDomain}));\r\nEmailEvents\r\n| where NetworkMessageId in (ids) or array_length(ids) == 0\r\n| where EmailDirection in ({EmailDirection})\r\n| where \"{Direction}\" == \"All\" or EmailDirection == \"{Direction}\"\r\n| where isempty(\"{Sender}\") or (SenderFromAddress =~ \"{Sender}\") or (SenderMailFromAddress =~ \"{Sender}\")\r\n| where isempty(\"{Recipient}\") or RecipientEmailAddress =~ \"{Recipient}\"\r\n| where \"{Direction}\" == \"All\" or EmailDirection == \"{Direction}\"\r\n| where \"{DeliveryAction}\" == \"All\" or DeliveryAction == \"{DeliveryAction}\"\r\n| extend RecipientDomain = tostring(split(RecipientEmailAddress, \"@\", 1)[0])\r\n| where \"*\" in ({RecipientDomain}) or RecipientDomain in ({RecipientDomain})\r\n| where \"*\" in ({SenderDomain}) or (SenderFromDomain in ({SenderDomain}) or SenderMailFromDomain in ({SenderDomain}))\r\n| where \"{Sender2}\" == \"All\" or (SenderFromAddress =~ \"{Sender2}\") or (SenderMailFromAddress =~ \"{Sender2}\")\r\n| where Subject has_all (dynamic([{Subject}]))\r\n| project NetworkMessageId\r\n| join kind=inner EmailUrlInfo on NetworkMessageId\r\n| summarize Count=count() by Url\r\n| sort by Count desc ",
"size": 0,
"title": "Top URLs (from suspected phishing mail — treat as potentially malicious, do not open directly)",
"timeContextFromParameter": "TimeRange",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "Url",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "80%"
}
},
{
"columnMatch": "Count",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "10%"
}
}
],
"rowLimit": 500,
"filter": true
}
},
"customWidth": "50",
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "EmailURL"
},
"name": "TopURLs"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let ids = array_concat(dynamic({NetworkMessageIdsSender}),dynamic({NetworkMessageIdsRecipient}),dynamic({NetworkMessageIdsDomain}));\r\nEmailEvents\r\n| where NetworkMessageId in (ids) or array_length(ids) == 0\r\n| where EmailDirection in ({EmailDirection})\r\n| where \"{Direction}\" == \"All\" or EmailDirection == \"{Direction}\"\r\n| where isempty(\"{Sender}\") or (SenderFromAddress =~ \"{Sender}\") or (SenderMailFromAddress =~ \"{Sender}\")\r\n| where isempty(\"{Recipient}\") or RecipientEmailAddress =~ \"{Recipient}\"\r\n| where \"{Direction}\" == \"All\" or EmailDirection == \"{Direction}\"\r\n| where \"{DeliveryAction}\" == \"All\" or DeliveryAction == \"{DeliveryAction}\"\r\n| extend RecipientDomain = tostring(split(RecipientEmailAddress, \"@\", 1)[0])\r\n| where \"*\" in ({RecipientDomain}) or RecipientDomain in ({RecipientDomain})\r\n| where \"*\" in ({SenderDomain}) or (SenderFromDomain in ({SenderDomain}) or SenderMailFromDomain in ({SenderDomain}))\r\n| where \"{Sender2}\" == \"All\" or (SenderFromAddress =~ \"{Sender2}\") or (SenderMailFromAddress =~ \"{Sender2}\")\r\n| where Subject has_all (dynamic([{Subject}]))\r\n| join kind=inner EmailUrlInfo on NetworkMessageId\r\n| distinct Url",
"size": 0,
"title": "Unique URLs (treat as potentially malicious — do not open directly)",
"timeContextFromParameter": "TimeRange",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "Url",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "100%"
}
}
],
"rowLimit": 500,
"filter": true,
"sortBy": [
{
"itemKey": "Url",
"sortOrder": 1
}
]
},
"sortBy": [
{
"itemKey": "Url",
"sortOrder": 1
}
]
},
"customWidth": "50",
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "EmailURL"
},
"name": "UniqueUrls"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let ids = array_concat(dynamic({NetworkMessageIdsSender}),dynamic({NetworkMessageIdsRecipient}),dynamic({NetworkMessageIdsDomain}));\r\nEmailEvents\r\n| where NetworkMessageId in (ids) or array_length(ids) == 0\r\n| where EmailDirection in ({EmailDirection})\r\n| where \"{Direction}\" == \"All\" or EmailDirection == \"{Direction}\"\r\n| where isempty(\"{Sender}\") or (SenderFromAddress =~ \"{Sender}\") or (SenderMailFromAddress =~ \"{Sender}\")\r\n| where isempty(\"{Recipient}\") or RecipientEmailAddress =~ \"{Recipient}\"\r\n| where \"{Direction}\" == \"All\" or EmailDirection == \"{Direction}\"\r\n| where \"{DeliveryAction}\" == \"All\" or DeliveryAction == \"{DeliveryAction}\"\r\n| extend RecipientDomain = tostring(split(RecipientEmailAddress, \"@\", 1)[0])\r\n| where \"*\" in ({RecipientDomain}) or RecipientDomain in ({RecipientDomain})\r\n| where \"*\" in ({SenderDomain}) or (SenderFromDomain in ({SenderDomain}) or SenderMailFromDomain in ({SenderDomain}))\r\n| where \"{Sender2}\" == \"All\" or (SenderFromAddress =~ \"{Sender2}\") or (SenderMailFromAddress =~ \"{Sender2}\")\r\n| where Subject has_all (dynamic([{Subject}]))\r\n| project NetworkMessageId\r\n| join kind=inner EmailAttachmentInfo on NetworkMessageId\r\n| distinct FileName, SHA256",
"size": 0,
"title": "Unique Attachments",
"noDataMessage": "No Attachments found",
"timeContextFromParameter": "TimeRange",
"showRefreshButton": true,
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "SHA256",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "50%"
}
}
],
"rowLimit": 500,
"filter": true,
"sortBy": [
{
"itemKey": "FileName",
"sortOrder": 2
}
]
},
"sortBy": [
{
"itemKey": "FileName",
"sortOrder": 2
}
]
},
"customWidth": "35",
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "EmailAttachment"
},
"name": "UniqueEmailAttachment",
"styleSettings": {
"margin": "5px"
}
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"crossComponentResources": [
"{Workspace}"
],
"parameters": [
{
"id": "d039e688-018f-43d3-8663-9e644fa9e4f9",
"version": "KqlParameterItem/1.0",
"name": "ExecutionTimeFrame",
"label": "Execution Time Range",
"type": 4,
"isRequired": true,
"typeSettings": {
"selectableValues": [
{
"durationMs": 1800000
},
{
"durationMs": 3600000
},
{
"durationMs": 14400000
},
{
"durationMs": 43200000
},
{
"durationMs": 86400000
},
{
"durationMs": 172800000
},
{
"durationMs": 259200000
},
{
"durationMs": 604800000
},
{
"durationMs": 1209600000
},
{
"durationMs": 2419200000
},
{
"durationMs": 2592000000
},
{
"durationMs": 5184000000
},
{
"durationMs": 7776000000
}
],
"allowCustom": true
},
"timeContext": {
"durationMs": 86400000
},
"value": {
"durationMs": 5184000000
}
},
{
"id": "e7b371bd-3465-4269-b327-9a528926a9a9",
"version": "KqlParameterItem/1.0",
"name": "AttachmentType",
"label": "Attachment Type",
"type": 2,
"isRequired": true,
"query": "let ids = array_concat(dynamic({NetworkMessageIdsSender}),dynamic({NetworkMessageIdsRecipient}),dynamic({NetworkMessageIdsDomain}));\r\nEmailEvents\r\n| where NetworkMessageId in (ids) or array_length(ids) == 0\r\n| where EmailDirection in ({EmailDirection})\r\n| where \"{Direction}\" == \"All\" or EmailDirection == \"{Direction}\"\r\n| where isempty(\"{Sender}\") or (SenderFromAddress =~ \"{Sender}\") or (SenderMailFromAddress =~ \"{Sender}\")\r\n| where isempty(\"{Recipient}\") or RecipientEmailAddress =~ \"{Recipient}\"\r\n| where \"{Direction}\" == \"All\" or EmailDirection == \"{Direction}\"\r\n| where \"{DeliveryAction}\" == \"All\" or DeliveryAction == \"{DeliveryAction}\"\r\n| extend RecipientDomain = tostring(split(RecipientEmailAddress, \"@\", 1)[0])\r\n| where \"*\" in ({RecipientDomain}) or RecipientDomain in ({RecipientDomain})\r\n| where \"*\" in ({SenderDomain}) or (SenderFromDomain in ({SenderDomain}) or SenderMailFromDomain in ({SenderDomain}))\r\n| where \"{Sender2}\" == \"All\" or (SenderFromAddress =~ \"{Sender2}\") or (SenderMailFromAddress =~ \"{Sender2}\")\r\n| where Subject has_all (dynamic([{Subject}]))\r\n| project NetworkMessageId\r\n| join kind=inner EmailAttachmentInfo on NetworkMessageId\r\n| distinct FileType",
"crossComponentResources": [
"{Workspace}"
],
"typeSettings": {
"additionalResourceOptions": [],
"showDefault": false
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"value": null
}
],
"style": "pills",
"doNotRunWhenHidden": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "ExecutionTimeFrame",
"styleSettings": {
"margin": "5px"
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let ids = array_concat(dynamic({NetworkMessageIdsSender}),dynamic({NetworkMessageIdsRecipient}),dynamic({NetworkMessageIdsDomain}));\r\nEmailEvents\r\n| where NetworkMessageId in (ids) or array_length(ids) == 0\r\n| where EmailDirection in ({EmailDirection})\r\n| where \"{Direction}\" == \"All\" or EmailDirection == \"{Direction}\"\r\n| where isempty(\"{Sender}\") or (SenderFromAddress =~ \"{Sender}\") or (SenderMailFromAddress =~ \"{Sender}\")\r\n| where isempty(\"{Recipient}\") or RecipientEmailAddress =~ \"{Recipient}\"\r\n| where \"{Direction}\" == \"All\" or EmailDirection == \"{Direction}\"\r\n| where \"{DeliveryAction}\" == \"All\" or DeliveryAction == \"{DeliveryAction}\"\r\n| extend RecipientDomain = tostring(split(RecipientEmailAddress, \"@\", 1)[0])\r\n| where \"*\" in ({RecipientDomain}) or RecipientDomain in ({RecipientDomain})\r\n| where \"*\" in ({SenderDomain}) or (SenderFromDomain in ({SenderDomain}) or SenderMailFromDomain in ({SenderDomain}))\r\n| where \"{Sender2}\" == \"All\" or (SenderFromAddress =~ \"{Sender2}\") or (SenderMailFromAddress =~ \"{Sender2}\")\r\n| where Subject has_all (dynamic([{Subject}]))\r\n| project NetworkMessageId\r\n| join kind=inner EmailAttachmentInfo on NetworkMessageId\r\n| distinct FileName, FileType, SHA256\r\n| where FileType in (\"{AttachmentType}\")\r\n| join kind=inner DeviceFileEvents on SHA256\r\n| project TimeGenerated, FileName=FileName1, FileType, SHA256, ActionType, DeviceId, DeviceName, FolderPath, InitiatingProcessCommandLine, InitiatingProcessFileName, AdditionalFields",
"size": 0,
"title": "Attachment Execution on Devices - {AttachmentType}",
"noDataMessage": "No executions",
"timeContextFromParameter": "ExecutionTimeFrame",
"showRefreshButton": true,
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "TimeGenerated",
"formatter": 6,
"dateFormat": {
"showUtcTime": true,
"formatName": null
}
},
{
"columnMatch": "FileType",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "12ch"
}
},
{
"columnMatch": "SHA256",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "20%"
}
},
{
"columnMatch": "Count",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "50%"
}
}
],
"filter": true
}
},
"customWidth": "70",
"name": "AttachmentExecution",
"styleSettings": {
"margin": "5px"
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let ids = array_concat(dynamic({NetworkMessageIdsSender}),dynamic({NetworkMessageIdsRecipient}),dynamic({NetworkMessageIdsDomain}));\r\nEmailEvents\r\n| where NetworkMessageId in (ids) or array_length(ids) == 0\r\n| where EmailDirection in ({EmailDirection})\r\n| where \"{Direction}\" == \"All\" or EmailDirection == \"{Direction}\"\r\n| where isempty(\"{Sender}\") or (SenderFromAddress =~ \"{Sender}\") or (SenderMailFromAddress =~ \"{Sender}\")\r\n| where isempty(\"{Recipient}\") or RecipientEmailAddress =~ \"{Recipient}\"\r\n| where \"{Direction}\" == \"All\" or EmailDirection == \"{Direction}\"\r\n| where \"{DeliveryAction}\" == \"All\" or DeliveryAction == \"{DeliveryAction}\"\r\n| extend RecipientDomain = tostring(split(RecipientEmailAddress, \"@\", 1)[0])\r\n| where \"*\" in ({RecipientDomain}) or RecipientDomain in ({RecipientDomain})\r\n| where \"*\" in ({SenderDomain}) or (SenderFromDomain in ({SenderDomain}) or SenderMailFromDomain in ({SenderDomain}))\r\n| where \"{Sender2}\" == \"All\" or (SenderFromAddress =~ \"{Sender2}\") or (SenderMailFromAddress =~ \"{Sender2}\")\r\n| where Subject has_all (dynamic([{Subject}]))\r\n| project NetworkMessageId\r\n| join kind=inner EmailAttachmentInfo on NetworkMessageId\r\n| distinct FileName, FileType, SHA256\r\n| where FileType in (\"{AttachmentType}\")\r\n| join kind=inner DeviceFileEvents on SHA256\r\n| distinct DeviceName",
"size": 0,
"title": "Distinct Devices",
"noDataMessage": "No executions",
"timeContextFromParameter": "ExecutionTimeFrame",
"showRefreshButton": true,
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "FileType",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "12ch"
}
},
{
"columnMatch": "SHA256",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "20%"
}
},
{
"columnMatch": "Count",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "50%"
}
}
],
"filter": true
}
},
"customWidth": "30",
"name": "DistinctDevices",
"styleSettings": {
"margin": "5px"
}
}
]
},
"customWidth": "65",
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "EmailAttachment"
},
"name": "AttachmentExecutionGroup",
"styleSettings": {
"margin": "5px"
}
}
]
},
"name": "EmailArtifacts"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let ids = array_concat(dynamic({NetworkMessageIdsSender}),dynamic({NetworkMessageIdsRecipient}),dynamic({NetworkMessageIdsDomain}));\r\nEmailEvents\r\n| where NetworkMessageId in (ids) or array_length(ids) == 0\r\n| where EmailDirection in ({EmailDirection})\r\n| where \"{Direction}\" == \"All\" or EmailDirection == \"{Direction}\"\r\n| where isempty(\"{Sender}\") or (SenderFromAddress =~ \"{Sender}\") or (SenderMailFromAddress =~ \"{Sender}\")\r\n| where isempty(\"{Recipient}\") or RecipientEmailAddress =~ \"{Recipient}\"\r\n| where \"{Direction}\" == \"All\" or EmailDirection == \"{Direction}\"\r\n| where \"{DeliveryAction}\" == \"All\" or DeliveryAction == \"{DeliveryAction}\"\r\n| extend RecipientDomain = tostring(split(RecipientEmailAddress, \"@\", 1)[0])\r\n| where \"*\" in ({RecipientDomain}) or RecipientDomain in ({RecipientDomain})\r\n| where \"*\" in ({SenderDomain}) or (SenderFromDomain in ({SenderDomain}) or SenderMailFromDomain in ({SenderDomain}))\r\n| where \"{Sender2}\" == \"All\" or (SenderFromAddress =~ \"{Sender2}\") or (SenderMailFromAddress =~ \"{Sender2}\")\r\n| where Subject has_all (dynamic([{Subject}]))\r\n| join kind=inner (_GetWatchlist('YourVIPWatchlist')) on $left.RecipientEmailAddress == $right.VIPWatchlistEmailColumnHere",
"size": 0,
"title": "Emails received by VIP Users (replace 'YourVIPWatchlist' and 'VIPWatchlistEmailColumnHere' in the query with your VIP watchlist name and its email-address column)",
"timeContextFromParameter": "TimeRange",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "TimeGenerated",
"formatter": 6,
"dateFormat": {
"formatName": null
}
}
]
}
},
"customWidth": "70",
"name": "VIPList",
"styleSettings": {
"margin": "5px"
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let ids = array_concat(dynamic({NetworkMessageIdsSender}),dynamic({NetworkMessageIdsRecipient}),dynamic({NetworkMessageIdsDomain}));\r\nEmailEvents\r\n| where NetworkMessageId in (ids) or array_length(ids) == 0\r\n| where EmailDirection in ({EmailDirection})\r\n| where \"{Direction}\" == \"All\" or EmailDirection == \"{Direction}\"\r\n| where isempty(\"{Sender}\") or (SenderFromAddress =~ \"{Sender}\") or (SenderMailFromAddress =~ \"{Sender}\")\r\n| where isempty(\"{Recipient}\") or RecipientEmailAddress =~ \"{Recipient}\"\r\n| where \"{Direction}\" == \"All\" or EmailDirection == \"{Direction}\"\r\n| where \"{DeliveryAction}\" == \"All\" or DeliveryAction == \"{DeliveryAction}\"\r\n| extend RecipientDomain = tostring(split(RecipientEmailAddress, \"@\", 1)[0])\r\n| where \"*\" in ({RecipientDomain}) or RecipientDomain in ({RecipientDomain})\r\n| where \"*\" in ({SenderDomain}) or (SenderFromDomain in ({SenderDomain}) or SenderMailFromDomain in ({SenderDomain}))\r\n| where \"{Sender2}\" == \"All\" or (SenderFromAddress =~ \"{Sender2}\") or (SenderMailFromAddress =~ \"{Sender2}\")\r\n| where Subject has_all (dynamic([{Subject}]))\r\n| join kind=inner (_GetWatchlist('YourVIPWatchlist')) on $left.RecipientEmailAddress == $right.VIPWatchlistEmailColumnHere\r\n | join UrlClickEvents on NetworkMessageId\r\n | project TimeGenerated, AccountUpn=tolower(AccountUpn),Subject, Url, UrlChain, ActionType, IsClickedThrough, SenderFromAddress",
"size": 0,
"title": "VIP User Clicks (requires the VIP watchlist placeholders in the query to be replaced) - *select a row to take actions*",
"noDataMessage": "No Clicks Detected",
"timeContextFromParameter": "TimeRange",
"exportMultipleValues": true,
"exportedParameters": [
{
"fieldName": "AccountUpn",
"parameterName": "VIPUser",
"parameterType": 1,
"quote": "'"
},
{
"fieldName": "Subject",
"parameterName": "VIPPhishSubject",
"parameterType": 1,
"quote": "'"
},
{
"fieldName": "SenderFromAddress",
"parameterName": "VIPPhishSender",
"parameterType": 1,
"quote": "'"
}
],
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "TimeGenerated",
"formatter": 6,
"dateFormat": {
"showUtcTime": true,
"formatName": null
}
}
]
}
},
"customWidth": "30",
"name": "VIPClicks",
"styleSettings": {
"margin": "5px"
}
},
{
"type": 1,
"content": {
"json": "#### Selected VIP User List (Duplicates are removed):\r\n<br>\r\n{VIPUser}\r\n<br><br>"
},
"conditionalVisibility": {
"parameterName": "VIPUser",
"comparison": "isNotEqualTo"
},
"name": "CriticalUserList"
}
],
"exportParameters": true
},
"name": "VIPUsers"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 11,
"content": {
"version": "LinkItem/1.0",
"style": "tabs",
"links": [
{
"id": "d3a88652-9ee4-47b5-bfda-9c3eb0685fa4",
"cellValue": "EmailTab",
"linkTarget": "parameter",
"linkLabel": "Email Details",
"subTarget": "EmailDetails",
"style": "link"
},
{
"id": "db2ff104-1eff-4385-8ff3-5fcae2488444",
"cellValue": "EmailTab",
"linkTarget": "parameter",
"linkLabel": "Unique Subjects",
"subTarget": "UniqueSubject",
"style": "link"
}
]
},
"name": "EmailDetailsParams"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let ids = array_concat(dynamic({NetworkMessageIdsSender}),dynamic({NetworkMessageIdsRecipient}),dynamic({NetworkMessageIdsDomain}));\r\nEmailEvents\r\n| where NetworkMessageId in (ids) or array_length(ids) == 0\r\n| where EmailDirection in ({EmailDirection})\r\n| where \"{Direction}\" == \"All\" or EmailDirection == \"{Direction}\"\r\n| where isempty(\"{Sender}\") or (SenderFromAddress =~ \"{Sender}\") or (SenderMailFromAddress =~ \"{Sender}\")\r\n| where isempty(\"{Recipient}\") or RecipientEmailAddress =~ \"{Recipient}\"\r\n| where \"{Direction}\" == \"All\" or EmailDirection == \"{Direction}\"\r\n| where \"{DeliveryAction}\" == \"All\" or DeliveryAction == \"{DeliveryAction}\"\r\n| extend RecipientDomain = tostring(split(RecipientEmailAddress, \"@\", 1)[0])\r\n| where \"*\" in ({RecipientDomain}) or RecipientDomain in ({RecipientDomain})\r\n| where \"*\" in ({SenderDomain}) or (SenderFromDomain in ({SenderDomain}) or SenderMailFromDomain in ({SenderDomain}))\r\n| where \"{Sender2}\" == \"All\" or (SenderFromAddress =~ \"{Sender2}\") or (SenderMailFromAddress =~ \"{Sender2}\")\r\n| where Subject has_all (dynamic([{Subject}]))\r\n| project TimeGenerated, NetworkMessageId, Subject, EmailClusterId, SenderFromAddress, SenderMailFromAddress, SenderDisplayName, SenderIP=iff(SenderIPv4!=\"\",SenderIPv4, SenderIPv6), RecipientEmailAddress, SenderFromDomain, DeliveryAction, DeliveryLocation, UrlCount, AttachmentCount, AuthenticationDetails, EmailDirection, EmailLanguage, InternetMessageId",
"size": 0,
"showAnalytics": true,
"title": "Email Details (limited to 500 results) *select an email to see its URL/Attachment details*",
"noDataMessage": "No Emails found",
"timeContextFromParameter": "TimeRange",
"exportFieldName": "NetworkMessageId",
"exportParameterName": "NetworkMessageId",
"exportDefaultValue": "None",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "TimeGenerated",
"formatter": 6,
"dateFormat": {
"showUtcTime": true,
"formatName": null
}
},
{
"columnMatch": "NetworkMessageId",
"formatter": 5
},
{
"columnMatch": "Subject",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "35ch"
}
},
{
"columnMatch": "RecipientEmailAddress",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "30ch"
}
},
{
"columnMatch": "DeliveryAction",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "Delivered",
"representation": "success",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Blocked",
"representation": "failed",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Junked",
"representation": "Disable",
"text": "{0}{1}"
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "unknown",
"text": "{0}{1}"
}
]
}
},
{
"columnMatch": "UrlCount",
"formatter": 4,
"formatOptions": {
"palette": "blue"
}
},
{
"columnMatch": "AttachmentCount",
"formatter": 4,
"formatOptions": {
"palette": "blue"
}
},
{
"columnMatch": "EmailDirection",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "Outbound",
"representation": "right",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Inbound",
"representation": "left",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Intra-org",
"representation": "Pending",
"text": "{0}{1}"
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "unknown",
"text": "{0}{1}"
}
]
}
},
{
"columnMatch": "SenderMailFromAddress",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "30ch"
}
},
{
"columnMatch": "ConfidenceLevel",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "25ch"
}
}
],
"rowLimit": 500,
"filter": true
}
},
"conditionalVisibility": {
"parameterName": "EmailTab",
"comparison": "isEqualTo",
"value": "EmailDetails"
},
"showPin": false,
"name": "EmailDetails"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let ids = array_concat(dynamic({NetworkMessageIdsSender}),dynamic({NetworkMessageIdsRecipient}),dynamic({NetworkMessageIdsDomain}));\r\nEmailEvents\r\n| where NetworkMessageId in (ids) or array_length(ids) == 0\r\n| where EmailDirection in ({EmailDirection})\r\n| where \"{Direction}\" == \"All\" or EmailDirection == \"{Direction}\"\r\n| where isempty(\"{Sender}\") or (SenderFromAddress =~ \"{Sender}\") or (SenderMailFromAddress =~ \"{Sender}\")\r\n| where \"{Sender2}\" == \"All\" or (SenderFromAddress =~ \"{Sender2}\") or (SenderMailFromAddress =~ \"{Sender2}\")\r\n| where isempty(\"{Recipient}\") or RecipientEmailAddress =~ \"{Recipient}\"\r\n| where \"{Direction}\" == \"All\" or EmailDirection == \"{Direction}\"\r\n| where \"{DeliveryAction}\" == \"All\" or DeliveryAction == \"{DeliveryAction}\"\r\n| extend RecipientDomain = tostring(split(RecipientEmailAddress, \"@\", 1)[0])\r\n| where \"*\" in ({RecipientDomain}) or RecipientDomain in ({RecipientDomain})\r\n| where \"*\" in ({SenderDomain}) or (SenderFromDomain in ({SenderDomain}) or SenderMailFromDomain in ({SenderDomain}))\r\n| where Subject has_all (dynamic([{Subject}]))\r\n| summarize Count=count() by Subject\r\n| sort by Count desc",
"size": 0,
"showAnalytics": true,
"title": "Unique Subjects (limited to 500 results)",
"timeContextFromParameter": "TimeRange",
"exportFieldName": "NetworkMessageId",
"exportParameterName": "NetworkMessageId",
"exportDefaultValue": "None",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "Subject",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "80%"
}
},
{
"columnMatch": "SenderMailFromAddress",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "30ch"
}
},
{
"columnMatch": "RecipientEmailAddress",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "30ch"
}
},
{
"columnMatch": "EmailDirection",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "Outbound",
"representation": "right",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Inbound",
"representation": "left",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Intra-org",
"representation": "Pending",
"text": "{0}{1}"
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "unknown",
"text": "{0}{1}"
}
]
}
},
{
"columnMatch": "DeliveryAction",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "Delivered",
"representation": "success",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Blocked",
"representation": "failed",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Junked",
"representation": "Disable",
"text": "{0}{1}"
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "unknown",
"text": "{0}{1}"
}
]
}
},
{
"columnMatch": "ConfidenceLevel",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "25ch"
}
},
{
"columnMatch": "AttachmentCount",
"formatter": 4,
"formatOptions": {
"palette": "blue"
}
},
{
"columnMatch": "UrlCount",
"formatter": 4,
"formatOptions": {
"palette": "blue"
}
},
{
"columnMatch": "NetworkMessageId",
"formatter": 5
}
],
"rowLimit": 500,
"filter": true
}
},
"conditionalVisibility": {
"parameterName": "EmailTab",
"comparison": "isEqualTo",
"value": "UniqueSubject"
},
"showPin": false,
"name": "UniqueSubject"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "Email Attachment/URL details",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "EmailAttachmentInfo\r\n| where NetworkMessageId == \"{NetworkMessageId}\"\r\n| project FileName, FileType, SHA256, ThreatTypes, ThreatNames, DetectionMethods",
"size": 1,
"title": "Email Attachment(s) - *select to check match in Sentinel Threat Intel*",
"noDataMessage": "Either no message was selected or no attachments were present",
"timeContextFromParameter": "TimeRange",
"exportFieldName": "SHA256",
"exportParameterName": "SHA256",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
]
},
"customWidth": "65",
"name": "AttachedFiles"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "EmailUrlInfo\r\n| where NetworkMessageId == \"{NetworkMessageId}\"\r\n| project Url, UrlDomain",
"size": 1,
"title": "Embedded URLs - *select to check match in Sentinel Threat Intel*",
"noDataMessage": "Either no message was selected or no URLs were present",
"timeContextFromParameter": "TimeRange",
"exportedParameters": [
{
"fieldName": "Url",
"parameterName": "RemUrl",
"parameterType": 1
},
{
"fieldName": "UrlDomain",
"parameterName": "UrlDom",
"parameterType": 1
}
],
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
]
},
"customWidth": "35",
"name": "EmbeddedURLs"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "ThreatIntelligenceIndicator\r\n| where ExpirationDateTime > now()\r\n| where Active == true\r\n| where Url contains trim(\"^(http|https)://\",\"{RemUrl}\")",
"size": 1,
"title": "Threat Intel Url",
"noDataMessage": "No active, unexpired Threat Intel indicator matches this URL",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
]
},
"customWidth": "50",
"conditionalVisibility": {
"parameterName": "RemUrl",
"comparison": "isNotEqualTo"
},
"name": "ThreatIntelUrl"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "ThreatIntelligenceIndicator\r\n| where ExpirationDateTime > now()\r\n| where Active == true\r\n| where DomainName =~ \"{UrlDom}\"\r\n| project TimeGenerated, Action, Active, IP=NetworkIP, Threat=ThreatType, Sev=ThreatSeverity, Confidence=ConfidenceScore, AdditionalInformation, Tags",
"size": 1,
"title": "Threat Intel Domain",
"noDataMessage": "No active, unexpired Threat Intel indicator matches this domain",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
]
},
"customWidth": "50",
"conditionalVisibility": {
"parameterName": "UrlDom",
"comparison": "isNotEqualTo"
},
"name": "ThreatIntelDomain"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "ThreatIntelligenceIndicator\r\n| where ExpirationDateTime > now()\r\n| where Active == true\r\n| where FileHashValue =~ \"{SHA256}\"",
"size": 1,
"title": "Threat Intel SHA256",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
]
},
"conditionalVisibility": {
"parameterName": "SHA256",
"comparison": "isNotEqualTo"
},
"name": "ThreatIntelSHA"
}
]
},
"name": "Email-URL-AttachmentDetails"
}
]
},
"name": "Email/DistinctSubject"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let ids = array_concat(dynamic({NetworkMessageIdsSender}),dynamic({NetworkMessageIdsRecipient}),dynamic({NetworkMessageIdsDomain}));\r\nEmailEvents\r\n| where NetworkMessageId in (ids) or array_length(ids) == 0\r\n| where EmailDirection in ({EmailDirection})\r\n| where \"{Direction}\" == \"All\" or EmailDirection == \"{Direction}\"\r\n| where isempty(\"{Sender}\") or (SenderFromAddress =~ \"{Sender}\") or (SenderMailFromAddress =~ \"{Sender}\")\r\n| where isempty(\"{Recipient}\") or RecipientEmailAddress =~ \"{Recipient}\"\r\n| where \"{Direction}\" == \"All\" or EmailDirection == \"{Direction}\"\r\n| where \"{DeliveryAction}\" == \"All\" or DeliveryAction == \"{DeliveryAction}\"\r\n| extend RecipientDomain = tostring(split(RecipientEmailAddress, \"@\", 1)[0])\r\n| where \"*\" in ({RecipientDomain}) or RecipientDomain in ({RecipientDomain})\r\n| where \"*\" in ({SenderDomain}) or (SenderFromDomain in ({SenderDomain}) or SenderMailFromDomain in ({SenderDomain}))\r\n| where \"{Sender2}\" == \"All\" or (SenderFromAddress =~ \"{Sender2}\") or (SenderMailFromAddress =~ \"{Sender2}\")\r\n| where Subject has_all (dynamic([{Subject}]))\r\n| distinct NetworkMessageId, Subject, SenderFromAddress,SenderMailFromAddress\r\n| join EmailPostDeliveryEvents on $left.NetworkMessageId == $right.NetworkMessageId\r\n| project NetworkMessageId, SenderFromAddress, SenderMailFromAddress, Subject, ActionType, ActionTrigger, Action, ActionResult, DeliveryLocation",
"size": 0,
"title": "Post Delivery Events (Actions taken)",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
]
},
"name": "EmailPostDelEvents"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"loadType": "explicit",
"loadButtonText": "Click here to Check for User Clicks",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let ids = array_concat(dynamic({NetworkMessageIdsSender}),dynamic({NetworkMessageIdsRecipient}),dynamic({NetworkMessageIdsDomain}));\r\nEmailEvents\r\n| where NetworkMessageId in (ids) or array_length(ids) == 0\r\n| where EmailDirection in ({EmailDirection})\r\n| where \"{Direction}\" == \"All\" or EmailDirection == \"{Direction}\"\r\n| where isempty(\"{Sender}\") or (SenderFromAddress =~ \"{Sender}\") or (SenderMailFromAddress =~ \"{Sender}\")\r\n| where isempty(\"{Recipient}\") or RecipientEmailAddress =~ \"{Recipient}\"\r\n| where \"{Direction}\" == \"All\" or EmailDirection == \"{Direction}\"\r\n| where \"{DeliveryAction}\" == \"All\" or DeliveryAction == \"{DeliveryAction}\"\r\n| extend RecipientDomain = tostring(split(RecipientEmailAddress, \"@\", 1)[0])\r\n| where \"*\" in ({RecipientDomain}) or RecipientDomain in ({RecipientDomain})\r\n| where \"*\" in ({SenderDomain}) or (SenderFromDomain in ({SenderDomain}) or SenderMailFromDomain in ({SenderDomain}))\r\n| where \"{Sender2}\" == \"All\" or (SenderFromAddress =~ \"{Sender2}\") or (SenderMailFromAddress =~ \"{Sender2}\")\r\n| where Subject has_all (dynamic([{Subject}]))\r\n| distinct NetworkMessageId, Subject, SenderFromAddress,SenderMailFromAddress\r\n| join UrlClickEvents on NetworkMessageId\r\n| project TimeGenerated, NetworkMessageId, Subject, SenderFromAddress, SenderMailFromAddress, AccountUpn=tolower(AccountUpn), Url, UrlChain, ActionType, IsClickedThrough, IPAddress",
"size": 0,
"title": "User Clicks Identified - Includes Exec users - *select a user to check for post-click sending alerts on that account*",
"timeContextFromParameter": "TimeRange",
"showRefreshButton": true,
"exportMultipleValues": true,
"exportedParameters": [
{
"fieldName": "AccountUpn",
"parameterName": "clickeduserupn"
},
{
"fieldName": "AccountUpn",
"parameterName": "pwdresetlist",
"parameterType": 1
}
],
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "TimeGenerated",
"formatter": 6,
"dateFormat": {
"showUtcTime": true,
"formatName": null
}
}
],
"sortBy": [
{
"itemKey": "AccountUpn",
"sortOrder": 1
}
]
},
"sortBy": [
{
"itemKey": "AccountUpn",
"sortOrder": 1
}
]
},
"name": "urlclicks"
},
{
"type": 1,
"content": {
"json": "#### Selected Users: Duplicate entries are removed\r\n<br>\r\n{pwdresetlist}"
},
"conditionalVisibility": {
"parameterName": "pwdresetlist",
"comparison": "isNotEqualTo"
},
"name": "PWDResetList-Users",
"styleSettings": {
"margin": "10px",
"padding": "10px",
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let alert=dynamic([\"User restricted from sending email\",\"Suspicious email sending patterns detected\",\"Email sending limit exceeded\"]);\r\nlet clickeduserupngrp = dynamic([{clickeduserupn}]);\r\nSecurityAlert\r\n| where AlertName in (alert)\r\n| where parse_json(Entities)[0].Upn in ('{clickeduserupn}')",
"size": 0,
"title": "Post-click alerts for the selected user (restricted from sending / suspicious sending patterns / sending limit exceeded) - extend the query with your own post-click checks, e.g. inbox-rule creation",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
]
},
"conditionalVisibility": {
"parameterName": "clickeduserupn",
"comparison": "isNotEqualTo"
},
"name": "Rules Created for the Clicked User"
}
]
},
"name": "UserClicksGroup"
}
]
},
"name": "Phishing"
}
],
"fromTemplateId": "sentinel-PhishingAnalysisWorkbook",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}