{
|
|
"version": "Notebook/1.0",
|
|
"items": [
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "## Workspace auditing report\r\nUse this report to understand query runs across your workspace. \r\n<br/>\r\n<br/>"
|
|
},
|
|
"name": "text - 0"
|
|
},
|
|
{
|
|
"type": 9,
|
|
"content": {
|
|
"version": "KqlParameterItem/1.0",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"parameters": [
|
|
{
|
|
"id": "ccd5adcd-8d59-4cfe-99ec-98075de2e253",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "DefaultSubscription_Internal",
|
|
"type": 1,
|
|
"isRequired": true,
|
|
"query": "where type =~ 'microsoft.operationalinsights/workspaces'\r\n| take 1\r\n| project subscriptionId",
|
|
"crossComponentResources": [
|
|
"value::selected"
|
|
],
|
|
"isHiddenWhenLocked": true,
|
|
"queryType": 1,
|
|
"resourceType": "microsoft.resourcegraph/resources"
|
|
},
|
|
{
|
|
"id": "1ca69445-60fc-4806-b43d-ac7e6aad630a",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "Subscription",
|
|
"type": 6,
|
|
"query": "summarize by subscriptionId\r\n| project value = strcat(\"/subscriptions/\", subscriptionId), label = subscriptionId, selected = iff(subscriptionId =~ '{DefaultSubscription_Internal}', true, false)\r\n",
|
|
"crossComponentResources": [
|
|
"value::selected"
|
|
],
|
|
"typeSettings": {
|
|
"additionalResourceOptions": [],
|
|
"showDefault": false
|
|
},
|
|
"queryType": 1,
|
|
"resourceType": "microsoft.resourcegraph/resources",
|
|
"value": "/subscriptions/7b76bfbc-cb1e-4df1-b6e8-b826eef6c592"
|
|
},
|
|
{
|
|
"id": "e94aafa3-c5d9-4523-89f0-4e87aa754511",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "Workspace",
|
|
"type": 5,
|
|
"query": "where type =~ 'microsoft.operationalinsights/workspaces'\n| project id",
|
|
"crossComponentResources": [
|
|
"{Subscription}"
|
|
],
|
|
"value": "/subscriptions/7b76bfbc-cb1e-4df1-b6e8-b826eef6c592/resourceGroups/soc/providers/microsoft.operationalinsights/workspaces/cybersecuritysoc",
|
|
"typeSettings": {
|
|
"resourceTypeFilter": {
|
|
"microsoft.operationalinsights/workspaces": true
|
|
},
|
|
"additionalResourceOptions": []
|
|
},
|
|
"queryType": 1,
|
|
"resourceType": "microsoft.resourcegraph/resources"
|
|
},
|
|
{
|
|
"id": "c4b69c01-2263-4ada-8d9c-43433b739ff3",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "TimeRange",
|
|
"type": 4,
|
|
"typeSettings": {
|
|
"selectableValues": [
|
|
{
|
|
"durationMs": 300000
|
|
},
|
|
{
|
|
"durationMs": 900000
|
|
},
|
|
{
|
|
"durationMs": 1800000
|
|
},
|
|
{
|
|
"durationMs": 3600000
|
|
},
|
|
{
|
|
"durationMs": 14400000
|
|
},
|
|
{
|
|
"durationMs": 43200000
|
|
},
|
|
{
|
|
"durationMs": 86400000
|
|
},
|
|
{
|
|
"durationMs": 172800000
|
|
},
|
|
{
|
|
"durationMs": 259200000
|
|
},
|
|
{
|
|
"durationMs": 604800000
|
|
},
|
|
{
|
|
"durationMs": 1209600000
|
|
},
|
|
{
|
|
"durationMs": 2419200000
|
|
},
|
|
{
|
|
"durationMs": 2592000000
|
|
},
|
|
{
|
|
"durationMs": 5184000000
|
|
},
|
|
{
|
|
"durationMs": 7776000000
|
|
}
|
|
],
|
|
"allowCustom": false
|
|
},
|
|
"value": {
|
|
"durationMs": 1209600000
|
|
}
|
|
}
|
|
],
|
|
"style": "pills",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.insights/components"
|
|
},
|
|
"name": "parameters - 1"
|
|
},
|
|
{
|
|
"type": 11,
|
|
"content": {
|
|
"version": "LinkItem/1.0",
|
|
"style": "tabs",
|
|
"links": [
|
|
{
|
|
"cellValue": "selectedTab",
|
|
"linkTarget": "parameter",
|
|
"linkLabel": "Summary",
|
|
"subTarget": "Summary",
|
|
"style": "link"
|
|
},
|
|
{
|
|
"cellValue": "selectedTab",
|
|
"linkTarget": "parameter",
|
|
"linkLabel": "Failed Queries",
|
|
"subTarget": "Failed Queries",
|
|
"style": "link"
|
|
},
|
|
{
|
|
"cellValue": "selectedTab",
|
|
"linkTarget": "parameter",
|
|
"linkLabel": "Query Run Performance",
|
|
"subTarget": "Query Run Performance",
|
|
"style": "link"
|
|
},
|
|
{
|
|
"cellValue": "selectedTab",
|
|
"linkTarget": "parameter",
|
|
"linkLabel": "Queries run by user",
|
|
"subTarget": "Queries run by user",
|
|
"style": "link"
|
|
},
|
|
{
|
|
"cellValue": "selectedTab",
|
|
"linkTarget": "parameter",
|
|
"linkLabel": "Query explorer",
|
|
"subTarget": "Query explorer",
|
|
"style": "link"
|
|
},
|
|
{
|
|
"cellValue": "selectedTab",
|
|
"linkTarget": "parameter",
|
|
"linkLabel": "CRUD Operations",
|
|
"subTarget": "CRUD Operations",
|
|
"style": "link"
|
|
}
|
|
]
|
|
},
|
|
"name": "links - 19"
|
|
},
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"items": [
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "LAQueryLogs\r\n| summarize events_count=count() by bin(TimeGenerated, 1d)",
|
|
"size": 0,
|
|
"title": "Total queries run on workspace",
|
|
"timeContext": {
|
|
"durationMs": 1209600000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"visualization": "linechart"
|
|
},
|
|
"name": "query - 0"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "LAQueryLogs\r\n| summarize events_count=count() by AADEmail\r\n| extend UserPrincipalName = AADEmail, Queries = events_count\r\n| join kind= leftouter (\r\n SigninLogs)\r\n on UserPrincipalName\r\n| extend User = UserPrincipalName, NoOfQueries = Queries\r\n| project User, NoOfQueries\r\n| summarize arg_max(NoOfQueries, *) by User\r\n| sort by NoOfQueries desc\r\n| take 20",
|
|
"size": 0,
|
|
"title": "Top query users",
|
|
"timeContext": {
|
|
"durationMs": 1209600000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"visualization": "tiles",
|
|
"tileSettings": {
|
|
"showBorder": false,
|
|
"titleContent": {
|
|
"columnMatch": "User",
|
|
"formatter": 1
|
|
},
|
|
"leftContent": {
|
|
"columnMatch": "NoOfQueries",
|
|
"formatter": 12,
|
|
"formatOptions": {
|
|
"palette": "auto"
|
|
},
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"name": "query - 1"
|
|
}
|
|
]
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "selectedTab",
|
|
"comparison": "isEqualTo",
|
|
"value": "Summary"
|
|
},
|
|
"name": "group - 8"
|
|
},
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"items": [
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "LAQueryLogs\r\n| where ResponseCode != 200 \r\n| summarize events_count=count() by AADEmail\r\n| sort by events_count desc \r\n| take 10",
|
|
"size": 0,
|
|
"title": "Users with the most failed queries",
|
|
"timeContext": {
|
|
"durationMs": 1209600000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"visualization": "barchart",
|
|
"tileSettings": {
|
|
"showBorder": false,
|
|
"titleContent": {
|
|
"columnMatch": "AADEmail",
|
|
"formatter": 1
|
|
},
|
|
"leftContent": {
|
|
"columnMatch": "events_count",
|
|
"formatter": 12,
|
|
"formatOptions": {
|
|
"palette": "auto"
|
|
},
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"name": "query - 0"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "LAQueryLogs\r\n| where ResponseCode != 200 \r\n| summarize events_count=count() by ResponseCode\r\n| extend HTTPResponse = ResponseCode, QueryCount = events_count\r\n| project-away ResponseCode, events_count\r\n| sort by QueryCount desc ",
|
|
"size": 0,
|
|
"title": "Number of failed queries by error code",
|
|
"timeContext": {
|
|
"durationMs": 1209600000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"visualization": "table",
|
|
"tileSettings": {
|
|
"showBorder": false
|
|
}
|
|
},
|
|
"name": "query - 1"
|
|
}
|
|
]
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "selectedTab",
|
|
"comparison": "isEqualTo",
|
|
"value": "Failed Queries"
|
|
},
|
|
"name": "group - 9"
|
|
},
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"items": [
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "LAQueryLogs\r\n|summarize arg_max(StatsCPUTimeMs, *) by AADClientId\r\n| extend User = AADEmail, QueryRunTimeMs = StatsCPUTimeMs\r\n| project User, QueryRunTimeMs, QueryText\r\n| order by QueryRunTimeMs desc ",
|
|
"size": 0,
|
|
"title": "Longest running queries",
|
|
"timeContext": {
|
|
"durationMs": 1209600000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"visualization": "table"
|
|
},
|
|
"name": "query - 0"
|
|
}
|
|
]
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "selectedTab",
|
|
"comparison": "isEqualTo",
|
|
"value": "Query Run Performance"
|
|
},
|
|
"name": "group - 10"
|
|
},
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"items": [
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "LAQueryLogs\r\n| summarize count () by AADEmail, bin(TimeGenerated, 1d)",
|
|
"size": 0,
|
|
"title": "Query runs by user",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"timeBrushParameterName": "TimeBrush",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"visualization": "timechart"
|
|
},
|
|
"name": "query - 0"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "LAQueryLogs\r\n| project TimeGenerated, AADEmail, QueryTimeRangeStart, QueryTimeRangeEnd, QueryText",
|
|
"size": 0,
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeBrush",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
"name": "query - 1"
|
|
}
|
|
]
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "selectedTab",
|
|
"comparison": "isEqualTo",
|
|
"value": "Query explorer"
|
|
},
|
|
"name": "group - 6"
|
|
},
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"items": [
|
|
{
|
|
"type": 9,
|
|
"content": {
|
|
"version": "KqlParameterItem/1.0",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"parameters": [
|
|
{
|
|
"id": "76ca20d6-06fd-4aa0-bbf4-8adbdebf7d40",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "User",
|
|
"type": 2,
|
|
"query": "SigninLogs\r\n| distinct UserPrincipalName",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"value": "cboehmsa@seccxpninja.onmicrosoft.com",
|
|
"typeSettings": {
|
|
"additionalResourceOptions": []
|
|
},
|
|
"timeContext": {
|
|
"durationMs": 1209600000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
}
|
|
],
|
|
"style": "pills",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
"name": "parameters - 0"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "LAQueryLogs\r\n| where AADEmail contains '{User}'\r\n| summarize events_count=count() by bin(TimeGenerated, 1d) ",
|
|
"size": 0,
|
|
"title": "Query runs by user",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"visualization": "linechart"
|
|
},
|
|
"name": "query - 1"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "LAQueryLogs\r\n| where AADEmail contains '{User}'\r\n| project TimeGenerated, AADEmail, QueryTimeRangeStart, QueryTimeRangeEnd, QueryText\r\n",
|
|
"size": 0,
|
|
"title": "User query details",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"visualization": "table"
|
|
},
|
|
"name": "query - 2"
|
|
}
|
|
]
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "selectedTab",
|
|
"comparison": "isEqualTo",
|
|
"value": "Queries run by user"
|
|
},
|
|
"name": "group - 7"
|
|
},
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"items": [
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "AzureActivity \r\n| where OperationNameValue contains \"SecurityInsights\" \r\n| where OperationName contains \"Delete\" \r\n| where ActivityStatusValue contains \"Succeeded\" \r\n| project TimeGenerated, Caller, OperationName \r\n| extend User = Caller\r\n| project-away Caller\r\n| summarize events_count=count() by User\r\n| sort by events_count desc ",
|
|
"size": 0,
|
|
"title": "Workspace delete activity",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
]
|
|
},
|
|
"customWidth": "33",
|
|
"name": "query - 0"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "AzureActivity \r\n| where OperationNameValue contains \"SecurityInsights\" \r\n| where OperationName contains \"Create\" \r\n| where ActivityStatusValue contains \"Succeeded\" \r\n| project TimeGenerated, Caller, OperationName \r\n| extend User = Caller\r\n| project-away Caller\r\n| summarize events_count=count() by User\r\n| sort by events_count desc ",
|
|
"size": 0,
|
|
"title": "Workspace create activity",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
]
|
|
},
|
|
"customWidth": "33",
|
|
"name": "query - 1"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "AzureActivity \r\n| where OperationNameValue contains \"SecurityInsights\" \r\n| where OperationName contains \"Update\" \r\n| where ActivityStatusValue contains \"Succeeded\" \r\n| project TimeGenerated, Caller, OperationName \r\n| extend User = Caller\r\n| project-away Caller\r\n| summarize events_count=count() by User\r\n| sort by events_count desc ",
|
|
"size": 0,
|
|
"title": "Workspace update activity",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
]
|
|
},
|
|
"customWidth": "33",
|
|
"name": "query - 2"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "AzureActivity \r\n| where OperationNameValue contains \"SecurityInsights\" \r\n| where ActivityStatusValue contains \"Failed\" \r\n| summarize count() by Caller",
|
|
"size": 0,
|
|
"title": "Unauthorized requests",
|
|
"color": "redBright",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"timeBrushParameterName": "Unauthorized",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"visualization": "barchart"
|
|
},
|
|
"name": "query - 3"
|
|
}
|
|
]
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "selectedTab",
|
|
"comparison": "isEqualTo",
|
|
"value": "CRUD Operations"
|
|
},
|
|
"name": "group - 8"
|
|
}
|
|
],
|
|
"fallbackResourceIds": [
|
|
"/subscriptions/7b76bfbc-cb1e-4df1-b6e8-b826eef6c592/resourcegroups/soc/providers/microsoft.operationalinsights/workspaces/cybersecuritysoc"
|
|
],
|
|
"fromTemplateId": "sentinel-WorkspaceAuditing",
|
|
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
|
|
}