Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность
Azure-Sentinel/Dashboards/Cylance.json

1375 строки
50 KiB
JSON
Исходник Ответственный История

Этот файл содержит невидимые символы Юникода!

Этот файл содержит невидимые символы Юникода, которые могут быть отображены не так, как показано ниже. Если это намеренно, можете спокойно проигнорировать это предупреждение. Используйте кнопку Экранировать, чтобы показать скрытые символы.

{
"name": "CylanceDashboard_{Workspace_Name}",
"type": "Microsoft.Portal/dashboards",
"location": "{Dashboard_Location}",
"tags": {
"dashboardKey": "CylanceDashboard",
"hidden-title": "Cylance - {Workspace_Name}",
"version": "1.2",
"workspaceName": "{Workspace_Name}"
},
"properties": {
"lenses": {
"0": {
"order": 0,
"parts": {
"0": {
"position": {
"x": 1,
"y": 0,
"colSpan": 11,
"rowSpan": 1
},
"metadata": {
"inputs": [],
"type": "Extension/HubsExtension/PartType/MarkdownPart",
"settings": {
"content": {
"settings": {
"content": "<div style='font-size:300%;'>Cylance overview</div> ",
"title": "",
"subtitle": ""
}
}
}
}
},
"1": {
"position": {
"x": 12,
"y": 0,
"colSpan": 6,
"rowSpan": 1
},
"metadata": {
"inputs": [],
"type": "Extension/HubsExtension/PartType/MarkdownPart",
"settings": {
"content": {
"settings": {
"content": "<body style='background-color:#FF0000;'><img width='600' height='50' src='https://download.cylance.com/updates/CylanceDetectImages/cylance_signin_logo.png'/> \n</body>",
"title": "",
"subtitle": ""
}
}
}
}
},
"2": {
"position": {
"x": 0,
"y": 1,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "//log type trend\nSyslog\n| where Computer =~ 'sysloghost' \n| extend LogType= extract('^([a-xA-Z]*),',1,SyslogMessage ) \n| summarize LogTypeCount= count() by LogType , TimeGenerated\n"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "TimeGenerated",
"type": "DateTime"
},
"yAxis": [
{
"name": "LogTypeCount",
"type": "Int64"
}
],
"splitBy": [
{
"name": "LogType",
"type": "String"
}
],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CylanceDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "d88fd7ce-0325-45b7-80bf-7f4aa8709fa7"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": "{Workspace_Name}"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsChart"
},
{
"name": "SpecificChart",
"value": "Bar"
},
{
"name": "TimeRange",
"value": "P1D"
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Event type trend over time",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"3": {
"position": {
"x": 6,
"y": 1,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "//log volume trend\nSyslog\n| where Computer =~ 'sysloghost' \n| summarize LogVolume= count() by TimeGenerated "
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "TimeGenerated",
"type": "DateTime"
},
"yAxis": [
{
"name": "LogVolume",
"type": "Int64"
}
],
"splitBy": [],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CylanceDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "5256b3b9-e294-49be-95da-c01b3eec7bf9"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": "{Workspace_Name}"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsChart"
},
{
"name": "SpecificChart",
"value": "Line"
},
{
"name": "TimeRange",
"value": "P1D"
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Event count trend over time",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"4": {
"position": {
"x": 12,
"y": 1,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "// log type count\nSyslog\n| where Computer =~ 'sysloghost' \n| extend LogType= extract('^([a-xA-Z]*),',1,SyslogMessage ) \n| summarize LogTypeCount= count() by LogType \n"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "LogType",
"type": "String"
},
"yAxis": [
{
"name": "LogTypeCount",
"type": "Int64"
}
],
"splitBy": [],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CylanceDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "8c4bdd63-3db8-4c6f-8479-2e730f87ad1e"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": "{Workspace_Name}"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsDonut"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Event type summary",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"5": {
"position": {
"x": 0,
"y": 5,
"colSpan": 18,
"rowSpan": 1
},
"metadata": {
"inputs": [],
"type": "Extension/HubsExtension/PartType/MarkdownPart",
"settings": {
"content": {
"settings": {
"content": "<div style='font-size:300%;'>Malware posture</div> ",
"title": "",
"subtitle": ""
}
}
}
}
},
"6": {
"position": {
"x": 0,
"y": 6,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "//top 5 malware seen\nSyslog\n| where Computer =~ 'sysloghost' \n| extend LogType= extract('^([a-xA-Z]*),',1,SyslogMessage ) \n| where LogType =~'Threat'\n| extend MalwareMD5= extract('MD5: (.*?),',1,SyslogMessage) \n| summarize MalwareCount= count() by MalwareMD5\n| top 5 by MalwareCount desc \n"
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CylanceDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "a63faa99-b0b5-42c7-8e8f-7de3bca4391b"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": "{Workspace_Name}"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsGrid"
},
{
"name": "Dimensions",
"isOptional": true
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Top 5 malware events",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"7": {
"position": {
"x": 6,
"y": 6,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "//Threat classification\nSyslog\n| where Computer =~ 'sysloghost' \n| extend LogType= extract('^([a-xA-Z]*),',1,SyslogMessage ) \n| where LogType =~'Threat'\n| extend Classification= extract('Threat Classification: (.*?)#',1,SyslogMessage)\n| summarize count() by Classification \n| top 5 by count_ desc \n"
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CylanceDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "ac7b0173-e513-4388-a1cc-8cf5b7498893"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": "{Workspace_Name}"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsGrid"
},
{
"name": "Dimensions",
"isOptional": true
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Top 5 malware types",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"8": {
"position": {
"x": 12,
"y": 6,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "//how new is malware\nSyslog\n| where Computer =~ 'sysloghost' \n| extend LogType= extract('^([a-xA-Z]*),',1,SyslogMessage ) \n| where LogType =~'Threat'\n| extend Unique= extract('Is Unique To Cylance: (.*?),',1,SyslogMessage)\n| summarize count() by Unique \n"
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CylanceDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "8e4ef54c-4a1f-4101-a8eb-390059b26332"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": "{Workspace_Name}"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsGrid"
},
{
"name": "Dimensions",
"isOptional": true
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "First time malware type detected?",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"9": {
"position": {
"x": 0,
"y": 10,
"colSpan": 18,
"rowSpan": 1
},
"metadata": {
"inputs": [],
"type": "Extension/HubsExtension/PartType/MarkdownPart",
"settings": {
"content": {
"settings": {
"content": "<div style='font-size:300%;'>Threat posture in environment</div> ",
"title": "",
"subtitle": ""
}
}
}
}
},
"10": {
"position": {
"x": 0,
"y": 11,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "//Detected By\nSyslog\n| where Computer =~ 'sysloghost' \n| extend LogType= extract('^([a-xA-Z]*),',1,SyslogMessage ) \n| where LogType =~'Threat'\n| extend DetectionMethod= extract('Detected By: (.*?),',1,SyslogMessage)\n| summarize count() by DetectionMethod\n"
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CylanceDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "106a734c-1b9a-44e9-8541-b4b2b1f787fb"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": "{Workspace_Name}"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsGrid"
},
{
"name": "Dimensions",
"isOptional": true
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Cylance threat, by feature",
"PartSubTitle": " ",
"Query": "//Detected By\nSyslog\n| where Computer =~ 'sysloghost' \n| extend LogType= extract('^([a-xA-Z]*),',1,SyslogMessage ) \n| where LogType =~'Threat'\n| extend DetectionMethod= extract('Detected By: (.*?),',1,SyslogMessage)\n| summarize Count=count() by DetectionMethod\n"
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"11": {
"position": {
"x": 6,
"y": 11,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "//Count by status\nSyslog\n| where Computer =~ 'sysloghost' \n| extend LogType= extract('^([a-xA-Z]*),',1,SyslogMessage ) \n| where LogType =~'Threat'\n| extend CylanceStatus= extract('Status: (.*?),',1,SyslogMessage)\n| summarize count() by CylanceStatus \n"
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CylanceDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "636dd1a9-1304-4da0-9a4b-fdd8d734bfda"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": "{Workspace_Name}"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsGrid"
},
{
"name": "Dimensions",
"isOptional": true
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Clyance threat status summary",
"PartSubTitle": " ",
"Query": "//Count by status\nSyslog\n| where Computer =~ 'sysloghost' \n| extend LogType= extract('^([a-xA-Z]*),',1,SyslogMessage ) \n| where LogType =~'Threat'\n| extend CylanceStatus= extract('Status: (.*?),',1,SyslogMessage)\n| summarize StatusCount=count() by CylanceStatus \n"
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"12": {
"position": {
"x": 12,
"y": 11,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "//threat type make pie chart \nSyslog \n| where Computer =~ 'sysloghost' \n| extend LogType= extract('^([a-xA-Z]*),',1,SyslogMessage ) \n| where LogType =~'Threat' \n| extend EventName = extract('Event Name: (.*?),',1,SyslogMessage ) \n| summarize EventType= count() by EventName \n"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "EventName",
"type": "String"
},
"yAxis": [
{
"name": "EventType",
"type": "Int64"
}
],
"splitBy": [],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CylanceDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "ab497652-b6c8-46c9-be16-fd656372373c"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": "{Workspace_Name}"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsDonut"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Threat event summary",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"13": {
"position": {
"x": 0,
"y": 15,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "//top 5 device in threat\nSyslog\n| where Computer =~ 'sysloghost' \n| extend LogType= extract('^([a-xA-Z]*),',1,SyslogMessage ) \n| where LogType =~'Threat'\n| extend DeviceName = extract('Device Name: (.*?),',1,SyslogMessage)\n| where DeviceName != ''\n| summarize DeviceCount=count() by DeviceName\n| top 5 by DeviceCount desc \n"
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CylanceDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "fe52d69e-369f-4ec0-9210-1860baa3c55a"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": "{Workspace_Name}"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsGrid"
},
{
"name": "Dimensions",
"isOptional": true
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Top 5 devices with threats, by count",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"14": {
"position": {
"x": 6,
"y": 15,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "//unsafe count by device\nSyslog\n| where Computer =~ 'sysloghost' \n| extend LogType= extract('^([a-xA-Z]*),',1,SyslogMessage ) \n| where LogType =~'Threat'\n| extend CylanceStatus= extract('Status: (.*?),',1,SyslogMessage)\n| where CylanceStatus =~'Unsafe'\n| extend DeviceName = extract('Device Name: (.*?),',1,SyslogMessage)\n| summarize count() by DeviceName \n| top 5 by count_ desc nulls last \n"
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CylanceDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "55fb4a5b-a9ce-4d64-9db4-1e113859f4ff"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": "{Workspace_Name}"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsGrid"
},
{
"name": "Dimensions",
"isOptional": true
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Top 5 devices with unsafe threats, by count",
"PartSubTitle": " ",
"Query": "//unsafe count by device\nSyslog\n| where Computer =~ 'sysloghost' \n| extend LogType= extract('^([a-xA-Z]*),',1,SyslogMessage ) \n| where LogType =~'Threat'\n| extend CylanceStatus= extract('Status: (.*?),',1,SyslogMessage)\n| where CylanceStatus =~'Unsafe'\n| extend DeviceName = extract('Device Name: (.*?),',1,SyslogMessage)\n| summarize StatusCount=count() by DeviceName \n| top 5 by StatusCount nulls last \n"
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"15": {
"position": {
"x": 12,
"y": 15,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "//malware type pie chart \nSyslog \n| where Computer =~ 'sysloghost' \n| extend LogType= extract('^([a-xA-Z]*),',1,SyslogMessage ) \n| where LogType =~'Threat' \n| extend FileType= extract('File Type: (.*?),',1,SyslogMessage) \n| summarize FileTypeCount=count() by FileType \n"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "FileType",
"type": "String"
},
"yAxis": [
{
"name": "FileTypeCount",
"type": "Int64"
}
],
"splitBy": [],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CylanceDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "4ec2c57b-16a4-4632-846f-e83c33c10e6f"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": "{Workspace_Name}"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsDonut"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "File type associated with threat, by count",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"16": {
"position": {
"x": 0,
"y": 19,
"colSpan": 18,
"rowSpan": 1
},
"metadata": {
"inputs": [],
"type": "Extension/HubsExtension/PartType/MarkdownPart",
"settings": {
"content": {
"settings": {
"content": "<div style='font-size:300%;'>Cylance mangement</div> \n",
"title": "",
"subtitle": ""
}
}
}
}
},
"17": {
"position": {
"x": 0,
"y": 20,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "//Audit logs type\nSyslog\n| where Computer =~ 'sysloghost' \n| extend LogType= extract('^([a-xA-Z]*),',1,SyslogMessage ) \n| where LogType =~'AuditLog'\n| extend EventName = extract('Event Name: (.*?),',1,SyslogMessage ) \n| summarize EventType= count() by EventName\n"
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CylanceDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "3a902863-3cfc-41af-9832-bc18926c22bd"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": "{Workspace_Name}"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsGrid"
},
{
"name": "Dimensions",
"isOptional": true
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Audit event summary",
"PartSubTitle": " ",
"Query": "//Audit logs type\nSyslog\n| where Computer =~ 'sysloghost' \n| extend LogType= extract('^([a-xA-Z]*),',1,SyslogMessage ) \n| where LogType =~'AuditLog'\n| extend EventName = extract('Event Name: (.*?),',1,SyslogMessage ) \n| summarize EventCount= count() by EventName\n"
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"18": {
"position": {
"x": 6,
"y": 20,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "//Agent Version Across \nSyslog \n| where Computer =~ 'sysloghost' \n| extend AgentVersion= extract('Agent Version: (.*?),',1,SyslogMessage) \n| where AgentVersion !='' \n| extend DeviceName = extract('Device Name: (.*?),',1,SyslogMessage) \n| summarize DeviceCount=dcount(DeviceName) by AgentVersion \n"
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CylanceDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "591a1ebd-822d-4188-a3f8-63fe9d376c77"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": "{Workspace_Name}"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsGrid"
},
{
"name": "Dimensions",
"isOptional": true
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Agent version summary",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"19": {
"position": {
"x": 12,
"y": 20,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "//device logs\nSyslog\n| where Computer =~ 'sysloghost' \n| extend LogType= extract('^([a-xA-Z]*),',1,SyslogMessage ) \n| where LogType =~'Device'\n| extend EventName = extract('Event Name: (.*?),',1,SyslogMessage ) \n| summarize EventType= count() by EventName\n"
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CylanceDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "1dc8e02e-d322-45fd-800e-07c9f889d64b"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": "{Workspace_Name}"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsGrid"
},
{
"name": "Dimensions",
"isOptional": true
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Device event summary",
"PartSubTitle": " ",
"Query": "//device logs\nSyslog\n| where Computer =~ 'sysloghost' \n| extend LogType= extract('^([a-xA-Z]*),',1,SyslogMessage ) \n| where LogType =~'Device'\n| extend EventName = extract('Event Name: (.*?),',1,SyslogMessage ) \n| summarize EventCount= count() by EventName\n"
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"20": {
"position": {
"x": 0,
"y": 0,
"colSpan": 1,
"rowSpan": 1
},
"metadata": {
"inputs": [
{
"name": "subscriptionId",
"value": "{Subscription_Id}"
},
{
"name": "resourceGroup",
"value": "{Resource_Group}"
},
{
"name": "workspaceName",
"value": "{Workspace_Name}"
},
{
"name": "dashboardName",
"value": "CylanceDashboard"
},
{
"name": "menuItemToOpen",
"value": "Dashboards"
}
],
"type": "Extension/Microsoft_Azure_Security_Insights/PartType/AsiOverviewPart",
"defaultMenuItemId": "0"
}
}
}
}
}
}
}
Ссылка в новой задаче Показать git blame Копировать постоянную ссылку