322 строки
9.5 KiB
JSON
322 строки
9.5 KiB
JSON
{
|
|
"version": "Notebook/1.0",
|
|
"items": [
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "### Thycotic Workbook\n"
|
|
},
|
|
"name": "text - 2",
|
|
"styleSettings": {
|
|
"margin": "1",
|
|
"padding": "1"
|
|
}
|
|
},
|
|
{
|
|
"type": 9,
|
|
"content": {
|
|
"version": "KqlParameterItem/1.0",
|
|
"parameters": [
|
|
{
|
|
"id": "d273a798-8340-441a-9289-d1a79c87ed0c",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "Timespan",
|
|
"type": 4,
|
|
"isRequired": true,
|
|
"value": {
|
|
"durationMs": 43200000
|
|
},
|
|
"typeSettings": {
|
|
"selectableValues": [
|
|
{
|
|
"durationMs": 43200000
|
|
},
|
|
{
|
|
"durationMs": 86400000
|
|
},
|
|
{
|
|
"durationMs": 259200000
|
|
},
|
|
{
|
|
"durationMs": 604800000
|
|
},
|
|
{
|
|
"durationMs": 1209600000
|
|
},
|
|
{
|
|
"durationMs": 2592000000
|
|
},
|
|
{
|
|
"durationMs": 5184000000
|
|
},
|
|
{
|
|
"durationMs": 7776000000
|
|
}
|
|
],
|
|
"allowCustom": true
|
|
},
|
|
"timeContext": {
|
|
"durationMs": 86400000
|
|
}
|
|
}
|
|
],
|
|
"style": "pills",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
"name": "parameters - 1"
|
|
},
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "Most usage operations for SecretServer"
|
|
},
|
|
"name": "text - 9"
|
|
},
|
|
{
|
|
"type": 11,
|
|
"content": {
|
|
"version": "LinkItem/1.0",
|
|
"style": "tabs",
|
|
"links": [
|
|
{
|
|
"cellValue": "page",
|
|
"linkTarget": "parameter",
|
|
"linkLabel": "Overview",
|
|
"subTarget": "FileType != \"test event\"",
|
|
"style": "primary"
|
|
},
|
|
{
|
|
"cellValue": "page",
|
|
"linkTarget": "parameter",
|
|
"linkLabel": "Secret",
|
|
"subTarget": "FileType == \"Secret\"",
|
|
"style": "primary"
|
|
},
|
|
{
|
|
"cellValue": "page",
|
|
"linkTarget": "parameter",
|
|
"linkLabel": "User",
|
|
"subTarget": "FileType == \"User\"",
|
|
"style": "primary"
|
|
},
|
|
{
|
|
"cellValue": "page",
|
|
"linkTarget": "parameter",
|
|
"linkLabel": "Folder",
|
|
"subTarget": "FileType == \"Folder\"",
|
|
"style": "secondary"
|
|
}
|
|
]
|
|
},
|
|
"name": "links - 3",
|
|
"styleSettings": {
|
|
"margin": "0px",
|
|
"padding": "0px"
|
|
}
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog\n| where DeviceVendor == \"Thycotic Software\" | where DeviceProduct == \"Secret Server\" | where LogSeverity == 2 \n| where {page:query}\n| where TimeGenerated {Timespan:query}\n| summarize countRecord = count(), lastDate = arg_max(TimeGenerated, *) by FileName\n| order by countRecord\n| take 10\n| project FileType, Activity, SecretName=FileName, countRecord, lastDate ",
|
|
"size": 2,
|
|
"timeContext": {
|
|
"durationMs": 86400000
|
|
},
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "table",
|
|
"tileSettings": {
|
|
"showBorder": false,
|
|
"titleContent": {
|
|
"columnMatch": "FileType",
|
|
"formatter": 1
|
|
},
|
|
"leftContent": {
|
|
"columnMatch": "countRecord",
|
|
"formatter": 12,
|
|
"formatOptions": {
|
|
"palette": "auto"
|
|
},
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"graphSettings": {
|
|
"type": 0,
|
|
"topContent": {
|
|
"columnMatch": "FileType",
|
|
"formatter": 1
|
|
},
|
|
"centerContent": {
|
|
"columnMatch": "countRecord",
|
|
"formatter": 1,
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
},
|
|
"nodeIdField": "countRecord",
|
|
"sourceIdField": "Activity",
|
|
"targetIdField": "FileType",
|
|
"graphOrientation": 3,
|
|
"showOrientationToggles": false,
|
|
"nodeSize": null,
|
|
"staticNodeSize": 100,
|
|
"colorSettings": null,
|
|
"hivesMargin": 5
|
|
}
|
|
},
|
|
"name": "query - 3"
|
|
},
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "## Expiring Secrets"
|
|
},
|
|
"name": "text - 5"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Thycotic Software\" \r\n| where DeviceProduct == \"Secret Server\" \r\n| where LogSeverity == 2 \r\n| where TimeGenerated > ago(1d)\r\n| summarize count() by Activity\r\n| where extract(\"EXPIRE[S|D](\\\\d+)DAY\\\\w?\", 1, Activity) != \"\"\r\n| project extract(\"EXPIRE[S|D](\\\\d+)DAY\\\\w?\", 1, Activity), count_\r\n| order by count_ asc ",
|
|
"size": 0,
|
|
"noDataMessage": "Secrets that will soon expire are not found",
|
|
"noDataMessageStyle": 3,
|
|
"timeContext": {
|
|
"durationMs": 2592000000
|
|
},
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "categoricalbar",
|
|
"chartSettings": {
|
|
"seriesLabelSettings": [
|
|
{
|
|
"seriesName": "03",
|
|
"label": "Expiring in 3 days",
|
|
"comment": "Expire to 3 days"
|
|
},
|
|
{
|
|
"seriesName": "07",
|
|
"label": "Expiring in 7 days",
|
|
"comment": "Expire to 7 days"
|
|
},
|
|
{
|
|
"seriesName": "15",
|
|
"label": "Expiring in 15 days",
|
|
"comment": "Expire to 15 days"
|
|
},
|
|
{
|
|
"seriesName": "30",
|
|
"label": "Expiring in 30 days"
|
|
},
|
|
{
|
|
"seriesName": "01",
|
|
"label": "Expiring in 1 day"
|
|
}
|
|
],
|
|
"ySettings": {
|
|
"numberFormatSettings": {
|
|
"unit": 17,
|
|
"options": {
|
|
"style": "decimal",
|
|
"useGrouping": true
|
|
}
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"name": "query - 4"
|
|
},
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "### Expiring Today"
|
|
},
|
|
"name": "text - 7"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Thycotic Software\"\n| where DeviceProduct == \"Secret Server\"\n| where LogSeverity == 2 \r\n| where TimeGenerated > ago(1d)\r\n| summarize count() by Activity\r\n| where Activity == \"SECRET - EXPIREDTODAY\"\r\n| project count_\r\n| order by count_ asc ",
|
|
"size": 0,
|
|
"timeContext": {
|
|
"durationMs": 86400000
|
|
},
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "tiles",
|
|
"tileSettings": {
|
|
"showBorder": false,
|
|
"titleContent": {
|
|
"columnMatch": "FileName",
|
|
"formatter": 1
|
|
},
|
|
"leftContent": {
|
|
"columnMatch": "count_",
|
|
"formatter": 12,
|
|
"formatOptions": {
|
|
"palette": "auto"
|
|
},
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"name": "query - 6"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Thycotic Software\"\n| where DeviceProduct == \"Secret Server\"\n| where LogSeverity == 2 \r\n| where TimeGenerated > ago(1d)\r\n| summarize count() by Activity, FileName\r\n| where Activity == \"SECRET - EXPIREDTODAY\"\r\n| project FileName",
|
|
"size": 0,
|
|
"timeContext": {
|
|
"durationMs": 86400000
|
|
},
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "table",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "FileName",
|
|
"formatter": 1,
|
|
"formatOptions": {
|
|
"customColumnWidthSetting": "150px"
|
|
}
|
|
}
|
|
],
|
|
"labelSettings": [
|
|
{
|
|
"columnId": "FileName",
|
|
"label": "Secret Name"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"name": "query - 8"
|
|
}
|
|
],
|
|
"fallbackResourceIds": [
|
|
"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic/providers/microsoft.operationalinsights/workspaces/thycotic02"
|
|
],
|
|
"fromTemplateId": "sentinel-Thycotic",
|
|
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
|
|
} |