Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность
Azure-Sentinel/Workbooks/InfobloxNIOS.json

502 строки
15 KiB
JSON
Исходник Ответственный История

{
"version": "Notebook/1.0",
"items": [
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "26773226-79a9-4dd2-9de6-ade1f250ace6",
"version": "KqlParameterItem/1.0",
"name": "TimeRange",
"label": "Time Range",
"type": 4,
"isRequired": true,
"value": {
"durationMs": 2419200000
},
"typeSettings": {
"selectableValues": [
{
"durationMs": 300000
},
{
"durationMs": 900000
},
{
"durationMs": 1800000
},
{
"durationMs": 3600000
},
{
"durationMs": 14400000
},
{
"durationMs": 43200000
},
{
"durationMs": 86400000
},
{
"durationMs": 172800000
},
{
"durationMs": 259200000
},
{
"durationMs": 604800000
},
{
"durationMs": 1209600000
},
{
"durationMs": 2419200000
},
{
"durationMs": 2592000000
},
{
"durationMs": 5184000000
},
{
"durationMs": 7776000000
}
],
"allowCustom": true
},
"resourceType": "microsoft.insights/components"
},
{
"id": "00be31a6-f3f8-4de8-845d-7a4985d41ef3",
"version": "KqlParameterItem/1.0",
"name": "InfobloxDevice",
"label": "Infoblox Device",
"type": 2,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "InfobloxNIOS\r\n| distinct Computer\r\n| sort by Computer asc",
"value": [
"value::all"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
]
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
}
],
"style": "above",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 0"
},
{
"type": 11,
"content": {
"version": "LinkItem/1.0",
"style": "tabs",
"links": [
{
"cellValue": "selectedTab",
"linkTarget": "parameter",
"linkLabel": "DHCP",
"subTarget": "DHCPTab",
"preText": "DHCP",
"style": "link"
},
{
"cellValue": "selectedTab",
"linkTarget": "parameter",
"linkLabel": "DNS",
"subTarget": "DNSTab",
"style": "link"
}
]
},
"name": "links - 1"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "InfobloxNIOS\r\n| where Computer in ({InfobloxDevice}) or '*' in ({InfobloxDevice})\r\n| where Type startswith \"DHCP\"\r\n| summarize count() by Type, bin(TimeGenerated, {TimeRange:grain})",
"size": 0,
"title": "Total Events by DHCP Message Type",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "barchart"
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "DHCPTab"
},
"name": "query - 4"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "InfobloxNIOS\r\n| where Computer in ({InfobloxDevice}) or '*' in ({InfobloxDevice})\r\n| where Type in (\"DHCPDISCOVER\",\"DHCPREQUEST\",\"DHCPINFORM\")\r\n| summarize count() by Type, bin(TimeGenerated, {TimeRange:grain})",
"size": 0,
"title": "DHCP Requests by Message Type",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "areachart",
"chartSettings": {
"seriesLabelSettings": [
{
"seriesName": "DHCPREQUEST",
"color": "magenta"
},
{
"seriesName": "DHCPDISCOVER",
"color": "green"
},
{
"seriesName": "DHCPINFORM",
"color": "blue"
}
],
"xSettings": {
"numberFormatSettings": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": true
}
}
}
}
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "DHCPTab"
},
"customWidth": "50",
"name": "query - 4 - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "InfobloxNIOS\r\n| where Computer in ({InfobloxDevice}) or '*' in ({InfobloxDevice})\r\n| where Type in (\"DHCPRESPONSE\",\"DHCPOFFER\")\r\n| summarize count() by Type, bin(TimeGenerated, {TimeRange:grain})",
"size": 0,
"title": "DHCP Responses by Message Type",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "areachart",
"chartSettings": {
"seriesLabelSettings": [
{
"seriesName": "DHCPOFFER",
"color": "blue"
},
{
"seriesName": "DHCPRESPONSE",
"color": "magenta"
}
]
}
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "DHCPTab"
},
"customWidth": "50",
"name": "query - 4 - Copy - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "InfobloxNIOS\r\n| where Computer in ({InfobloxDevice}) or '*' in ({InfobloxDevice})\r\n| where Log_Type == \"DHCPDISCOVER\"\r\n| summarize count() by Client_MAC_Address\r\n| top 10 by count_",
"size": 0,
"title": "Top 10 Clients by Requests",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "count_",
"formatter": 3,
"formatOptions": {
"palette": "coldHot"
}
}
],
"labelSettings": [
{
"columnId": "Client_MAC_Address",
"label": "Client MAC Address"
},
{
"columnId": "count_",
"label": "Total"
}
]
}
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "DHCPTab"
},
"customWidth": "50",
"name": "query - 4 - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "InfobloxNIOS\r\n| where ProcessName == \"dhcpd\"\r\n| summarize count() by Network\r\n| distinct Network\r\n\r\n",
"size": 0,
"title": "Top 10 Clients by Requests",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "count_",
"formatter": 3,
"formatOptions": {
"palette": "coldHot"
}
}
]
}
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "DHCPTab"
},
"customWidth": "50",
"name": "query - 4 - Copy - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "InfobloxNIOS \r\n| where ProcessName == \"named\"\r\n| where Computer in ({InfobloxDevice}) or '*' in ({InfobloxDevice})\r\n| summarize count() by Computer, bin(TimeGenerated,15m)",
"size": 0,
"showAnnotations": true,
"title": "DNS Activity by Server",
"color": "magenta",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "areachart"
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "DNSTab"
},
"name": "query - 6"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "InfobloxNIOS \r\n| where ProcessName == \"named\" and Log_Type == \"client\"\r\n| where Computer in ({InfobloxDevice}) or '*' in ({InfobloxDevice})\r\n| summarize Response = countif(isnotempty(ResponseCode)), Request = countif(isnotempty(QueryDomainName) and isempty(ResponseCode)), count() by bin(TimeGenerated, {TimeRange:grain})\r\n| project-away count_",
"size": 0,
"showAnnotations": true,
"title": "DNS Requests vs Responses",
"color": "magenta",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "linechart",
"graphSettings": {
"type": 0
}
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "DNSTab"
},
"customWidth": "50",
"name": "query - 6 - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "InfobloxNIOS \r\n| where ProcessName == \"named\" and Log_Type == \"client\"\r\n| where Computer in ({InfobloxDevice}) or '*' in ({InfobloxDevice})\r\n| where isnotempty(ResponseCode)\r\n| summarize count() by ResponseCode, bin(TimeGenerated, {TimeRange:grain})\r\n",
"size": 0,
"title": "DNS Response Code",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "barchart",
"gridSettings": {
"formatters": [
{
"columnMatch": "count_",
"formatter": 3,
"formatOptions": {
"palette": "turquoise"
}
}
],
"labelSettings": [
{
"columnId": "count_",
"label": "Total"
}
]
}
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "DNSTab"
},
"customWidth": "50",
"name": "query - 7 - Copy - Copy",
"styleSettings": {
"margin": "50"
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "InfobloxNIOS \r\n| where ProcessName == \"named\" and Log_Type == \"client\"\r\n| where Computer in ({InfobloxDevice}) or '*' in ({InfobloxDevice})\r\n| where isempty(ResponseCode) and isnotempty(QueryDomainName)\r\n| summarize count() by Client_IP\r\n| top 10 by count_",
"size": 0,
"title": "Top 10 DNS Request Clients",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "count_",
"formatter": 3,
"formatOptions": {
"palette": "turquoise"
}
}
],
"labelSettings": [
{
"columnId": "Client_IP",
"label": "Client IP"
},
{
"columnId": "count_",
"label": "Total"
}
]
}
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "DNSTab"
},
"customWidth": "50",
"name": "query - 7",
"styleSettings": {
"margin": "50"
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "InfobloxNIOS \r\n| where ProcessName == \"named\" and Log_Type == \"client\"\r\n| where Computer in ({InfobloxDevice}) or '*' in ({InfobloxDevice})\r\n| where isempty(ResponseCode) and isnotempty(QueryDomainName)\r\n| summarize count() by QueryDomainName\r\n| top 10 by count_",
"size": 0,
"title": "Top 10 DNS Request Domains",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "count_",
"formatter": 3,
"formatOptions": {
"palette": "turquoise"
}
}
],
"labelSettings": [
{
"columnId": "QueryDomainName",
"label": "Domain Name"
},
{
"columnId": "count_",
"label": "Total"
}
]
}
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "DNSTab"
},
"customWidth": "50",
"name": "query - 7 - Copy",
"styleSettings": {
"margin": "50"
}
}
],
"fromTemplateId": "sentinel-UserWorkbook",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}
Ссылка в новой задаче Показать git blame Копировать постоянную ссылку