{
|
|
"name": "SymantecFileThreatsOverviewDashboard_{Workspace_Name}",
|
|
"type": "Microsoft.Portal/dashboards",
|
|
"location": "{Dashboard_Location}",
|
|
"tags": {
|
|
"dashboardKey": "SymantecFileThreatsOverviewDashboard",
|
|
"hidden-title": "Symantec File Threats Overview Dashboard - {Workspace_Name}",
|
|
"version": "1.4",
|
|
"workspaceName": "{Workspace_Name}"
|
|
},
|
|
"properties": {
|
|
"lenses": {
|
|
"0": {
|
|
"order": 0,
|
|
"parts": {
|
|
"0": {
|
|
"position": {
|
|
"x": 0,
|
|
"y": 0,
|
|
"colSpan": 1,
|
|
"rowSpan": 1
|
|
},
|
|
"metadata": {
|
|
"inputs": [
|
|
{
|
|
"name": "subscriptionId",
|
|
"value": "{Subscription_Id}"
|
|
},
|
|
{
|
|
"name": "resourceGroup",
|
|
"value": "{Resource_Group}"
|
|
},
|
|
{
|
|
"name": "workspaceName",
|
|
"value": "{Workspace_Name}"
|
|
},
|
|
{
|
|
"name": "dashboardName",
|
|
"value": "SymantecFileThreatsOverviewDashboard"
|
|
},
|
|
{
|
|
"name": "menuItemToOpen",
|
|
"value": "Dashboards"
|
|
}
|
|
],
|
|
"type": "Extension/Microsoft_Azure_Security_Insights/PartType/AsiOverviewPart",
|
|
"defaultMenuItemId": "0"
|
|
}
|
|
},
|
|
"1": {
|
|
"position": {
|
|
"x": 1,
|
|
"y": 0,
|
|
"colSpan": 15,
|
|
"rowSpan": 1
|
|
},
|
|
"metadata": {
|
|
"inputs": [],
|
|
"type": "Extension/HubsExtension/PartType/MarkdownPart",
|
|
"settings": {
|
|
"content": {
|
|
"settings": {
|
|
"content": "<div style='font-size:300%;'>Symantec File Threats Overview</div>",
|
|
"title": "",
|
|
"subtitle": ""
|
|
}
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"2": {
|
|
"position": {
|
|
"x": 16,
|
|
"y": 0,
|
|
"colSpan": 2,
|
|
"rowSpan": 1
|
|
},
|
|
"metadata": {
|
|
"inputs": [],
|
|
"type": "Extension/HubsExtension/PartType/MarkdownPart",
|
|
"settings": {
|
|
"content": {
|
|
"settings": {
|
|
"content": "<img width='65' height='55' src='https://www.symantec.com/content/dam/symantec/images/about/logo-symantec-vertical.png'/> \n",
|
|
"title": "",
|
|
"subtitle": ""
|
|
}
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"3": {
|
|
"position": {
|
|
"x": 0,
|
|
"y": 1,
|
|
"colSpan": 6,
|
|
"rowSpan": 4
|
|
},
|
|
"metadata": {
|
|
"inputs": [
|
|
{
|
|
"name": "ComponentId",
|
|
"value": {
|
|
"SubscriptionId": "{Subscription_Id}",
|
|
"ResourceGroup": "{Resource_Group}",
|
|
"Name": "{Workspace_Name}"
|
|
}
|
|
},
|
|
{
|
|
"name": "Query",
|
|
"value": "let typeMapTable = datatable(type_id_d:double, type_name:string)\n [\n 1, \"Application Log\",\n 2, \"Application Lifecycle\",\n 3, \"Update\",\n 6, \"Update Available\",\n 7, \"User Message\",\n 9, \"Registration\",\n 11, \"Commmand Activity\",\n 15, \"BitLocker\",\n 20, \"User Session Audit\",\n 21, \"Entity Audit\",\n 22, \"Policy Override Audit\",\n 40, \"Certificate Lifecycle\",\n 41, \"Certificate Expiry\",\n 30, \"License Lifecycle\",\n 31, \"License Expiry\",\n 32, \"License Count\",\n 1000, \"Status\",\n 1005, \"CPU Usage\",\n 1006, \"Memory Usage\",\n 1007, \"Throughput\",\n 8000, \"User Session Activity\",\n 8001, \"Process Activity\",\n 8002, \"Module Activity\",\n 8003, \"File Activity\",\n 8004, \"Directory Activity\",\n 8005, \"Registry Key Activity\",\n 8006, \"Registry Value Activity\",\n 8007, \"Host Network Activity\",\n 8008, \"Memory Activity\",\n 8009, \"Kernel Activity\",\n 8010, \"Network Activity\",\n 8011, \"Email Activity\",\n 8012, \"Email File Activity\",\n 8013, \"Email URL Activity\",\n 8014, \"Host Network Traffice Activity\",\n 8020, \"Scan\",\n 8021, \"Unscannable File\",\n 8025, \"Boot Record Detection\",\n 8026, \"User Session Detection\",\n 8027, \"Process Detection\",\n 8028, \"Module Detection\",\n 8029, \"Memory Detection\",\n 8030, \"Kernel Detection\",\n 8031, \"File Detection\",\n 8032, \"Registry Key Detection\",\n 8033, \"Registry Value Detection\",\n 8034, \"Email File Detection\",\n 8035, \"Email Detection\",\n 8036, \"Email URL Detection\",\n 8037, \"Host Network Traffic Detection\",\n 8038, \"Peripheral Device Detection\",\n 8040, \"Host Network Detection\",\n 8045, \"Process Response\",\n 8046, \"File Response\",\n 8047, \"Registry Key Response\",\n 8048, \"Registry Value Response\",\n 8050, \"Network Detection\",\n 8060, \"Monitored Source\",\n 8070, \"Compliance Scan\",\n 8071, \"Compliance\",\n 8080, \"User Session Query Result\",\n 8081, \"Process Query Result\",\n 8082, \"Module Query Result\",\n 
8083, \"File Query Result\",\n 8084, \"Directory Query Result\",\n 8085, \"Registry Key Query Result\",\n 8086, \"Registry Value Query Result\",\n 8087, \"Network Query Result\",\n 8089, \"Kernel Object Query Result\",\n 8090, \"Service Query Result\",\n 8100, \"User Session Remediation\",\n 8101, \"Process Remediation\",\n 8102, \"Module Remediation\",\n 8103, \"File Remediation\",\n 8104, \"Directory Remediation\",\n 8105, \"Registry Key Remediation\",\n 8106, \"Registry Value Remediation\",\n 8107, \"Network Remediation\",\n 8109, \"Kernel Remediation\",\n 8110, \"Service Remediation\",\n 8119, \"Unsuccessful Remediation Result\",\n 9000, \"Content Detection\",\n 9001, \"File Content Detection\",\n 9002, \"Email Content Detection\",\n 9003, \"Instant Message Content Detection\"\n ];\nSymantecICDx_CL\n | where (category_id_d == 1 and (type_id_d==8031 or type_id_d==8046 or type_id_d==8028 or type_id_d==8021)) or\n (category_id_d == 5 and (type_id_d==8004 or type_id_d==8003 or type_id_d==8002)) or\n (category_id_d == 7 and (type_id_d==8084 or type_id_d==8083 or type_id_d==8082 or type_id_d==8104 or type_id_d==8103 or type_id_d==8102))\n| join kind = inner (typeMapTable) on type_id_d \n| summarize Event_Count=count() by Event_Type=type_name\n"
|
|
},
|
|
{
|
|
"name": "TimeRange",
|
|
"value": "P1D"
|
|
},
|
|
{
|
|
"name": "Version",
|
|
"value": "1.0"
|
|
},
|
|
{
|
|
"name": "DashboardId",
|
|
"value": "/subscriptions/{Subscription_Id}/resourceGroups/{Resource_Group}/providers/Microsoft.Portal/dashboards/SymantecFileThreatsOverviewDashboard_{Workspace_Name}"
|
|
},
|
|
{
|
|
"name": "PartId",
|
|
"value": "fecce713-f065-4fcb-90a7-43bd598b5095"
|
|
},
|
|
{
|
|
"name": "PartTitle",
|
|
"value": "Analytics"
|
|
},
|
|
{
|
|
"name": "PartSubTitle",
|
|
"value": " "
|
|
},
|
|
{
|
|
"name": "resourceTypeMode",
|
|
"value": "workspace"
|
|
},
|
|
{
|
|
"name": "ControlType",
|
|
"value": "AnalyticsGrid"
|
|
},
|
|
{
|
|
"name": "Dimensions",
|
|
"isOptional": true
|
|
},
|
|
{
|
|
"name": "SpecificChart",
|
|
"isOptional": true
|
|
}
|
|
],
|
|
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
|
|
"settings": {
|
|
"content": {
|
|
"PartTitle": "Number of file events",
|
|
"PartSubTitle": "Symantec Integrated Cyber Defense",
|
|
"Query": "let typeMapTable = datatable(type_id_d:double, type_name:string)\n [\n 1, \"Application Log\",\n 2, \"Application Lifecycle\",\n 3, \"Update\",\n 6, \"Update Available\",\n 7, \"User Message\",\n 9, \"Registration\",\n 11, \"Commmand Activity\",\n 15, \"BitLocker\",\n 20, \"User Session Audit\",\n 21, \"Entity Audit\",\n 22, \"Policy Override Audit\",\n 40, \"Certificate Lifecycle\",\n 41, \"Certificate Expiry\",\n 30, \"License Lifecycle\",\n 31, \"License Expiry\",\n 32, \"License Count\",\n 1000, \"Status\",\n 1005, \"CPU Usage\",\n 1006, \"Memory Usage\",\n 1007, \"Throughput\",\n 8000, \"User Session Activity\",\n 8001, \"Process Activity\",\n 8002, \"Module Activity\",\n 8003, \"File Activity\",\n 8004, \"Directory Activity\",\n 8005, \"Registry Key Activity\",\n 8006, \"Registry Value Activity\",\n 8007, \"Host Network Activity\",\n 8008, \"Memory Activity\",\n 8009, \"Kernel Activity\",\n 8010, \"Network Activity\",\n 8011, \"Email Activity\",\n 8012, \"Email File Activity\",\n 8013, \"Email URL Activity\",\n 8014, \"Host Network Traffice Activity\",\n 8020, \"Scan\",\n 8021, \"Unscannable File\",\n 8025, \"Boot Record Detection\",\n 8026, \"User Session Detection\",\n 8027, \"Process Detection\",\n 8028, \"Module Detection\",\n 8029, \"Memory Detection\",\n 8030, \"Kernel Detection\",\n 8031, \"File Detection\",\n 8032, \"Registry Key Detection\",\n 8033, \"Registry Value Detection\",\n 8034, \"Email File Detection\",\n 8035, \"Email Detection\",\n 8036, \"Email URL Detection\",\n 8037, \"Host Network Traffic Detection\",\n 8038, \"Peripheral Device Detection\",\n 8040, \"Host Network Detection\",\n 8045, \"Process Response\",\n 8046, \"File Response\",\n 8047, \"Registry Key Response\",\n 8048, \"Registry Value Response\",\n 8050, \"Network Detection\",\n 8060, \"Monitored Source\",\n 8070, \"Compliance Scan\",\n 8071, \"Compliance\",\n 8080, \"User Session Query Result\",\n 8081, \"Process Query Result\",\n 8082, \"Module Query Result\",\n 
8083, \"File Query Result\",\n 8084, \"Directory Query Result\",\n 8085, \"Registry Key Query Result\",\n 8086, \"Registry Value Query Result\",\n 8087, \"Network Query Result\",\n 8089, \"Kernel Object Query Result\",\n 8090, \"Service Query Result\",\n 8100, \"User Session Remediation\",\n 8101, \"Process Remediation\",\n 8102, \"Module Remediation\",\n 8103, \"File Remediation\",\n 8104, \"Directory Remediation\",\n 8105, \"Registry Key Remediation\",\n 8106, \"Registry Value Remediation\",\n 8107, \"Network Remediation\",\n 8109, \"Kernel Remediation\",\n 8110, \"Service Remediation\",\n 8119, \"Unsuccessful Remediation Result\",\n 9000, \"Content Detection\",\n 9001, \"File Content Detection\",\n 9002, \"Email Content Detection\",\n 9003, \"Instant Message Content Detection\"\n ];\nSymantecICDx_CL\n | where (category_id_d == 1 and (type_id_d==8031 or type_id_d==8046 or type_id_d==8028 or type_id_d==8021)) or\n (category_id_d == 5 and (type_id_d==8004 or type_id_d==8003 or type_id_d==8002)) or\n (category_id_d == 7 and (type_id_d==8084 or type_id_d==8083 or type_id_d==8082 or type_id_d==8104 or type_id_d==8103 or type_id_d==8102))\n| join kind = inner (typeMapTable) on type_id_d \n| summarize Event_Count=count() by Event_Type=type_name\n"
|
|
}
|
|
},
|
|
"asset": {
|
|
"idInputName": "ComponentId",
|
|
"type": "ApplicationInsights"
|
|
}
|
|
}
|
|
},
|
|
"4": {
|
|
"position": {
|
|
"x": 6,
|
|
"y": 1,
|
|
"colSpan": 6,
|
|
"rowSpan": 4
|
|
},
|
|
"metadata": {
|
|
"inputs": [
|
|
{
|
|
"name": "ComponentId",
|
|
"value": {
|
|
"SubscriptionId": "{Subscription_Id}",
|
|
"ResourceGroup": "{Resource_Group}",
|
|
"Name": "{Workspace_Name}",
|
|
"ResourceId": "/subscriptions/{Subscription_Id}/resourceGroups/{Resource_Group}/providers/Microsoft.OperationalInsights/workspaces/{Workspace_Name}"
|
|
}
|
|
},
|
|
{
|
|
"name": "Query",
|
|
"value": "let typeMapTable = datatable(type_id_d:double, type_name:string) \n [ \n 1, \"Application Log\", \n 2, \"Application Lifecycle\", \n 3, \"Update\", \n 6, \"Update Available\", \n 7, \"User Message\", \n 9, \"Registration\", \n 11, \"Commmand Activity\", \n 15, \"BitLocker\", \n 20, \"User Session Audit\", \n 21, \"Entity Audit\", \n 22, \"Policy Override Audit\", \n 40, \"Certificate Lifecycle\", \n 41, \"Certificate Expiry\", \n 30, \"License Lifecycle\", \n 31, \"License Expiry\", \n 32, \"License Count\", \n 1000, \"Status\", \n 1005, \"CPU Usage\", \n 1006, \"Memory Usage\", \n 1007, \"Throughput\", \n 8000, \"User Session Activity\", \n 8001, \"Process Activity\", \n 8002, \"Module Activity\", \n 8003, \"File Activity\", \n 8004, \"Directory Activity\", \n 8005, \"Registry Key Activity\", \n 8006, \"Registry Value Activity\", \n 8007, \"Host Network Activity\", \n 8008, \"Memory Activity\", \n 8009, \"Kernel Activity\", \n 8010, \"Network Activity\", \n 8011, \"Email Activity\", \n 8012, \"Email File Activity\", \n 8013, \"Email URL Activity\", \n 8014, \"Host Network Traffice Activity\", \n 8020, \"Scan\", \n 8021, \"Unscannable File\", \n 8025, \"Boot Record Detection\", \n 8026, \"User Session Detection\", \n 8027, \"Process Detection\", \n 8028, \"Module Detection\", \n 8029, \"Memory Detection\", \n 8030, \"Kernel Detection\", \n 8031, \"File Detection\", \n 8032, \"Registry Key Detection\", \n 8033, \"Registry Value Detection\", \n 8034, \"Email File Detection\", \n 8035, \"Email Detection\", \n 8036, \"Email URL Detection\", \n 8037, \"Host Network Traffic Detection\", \n 8038, \"Peripheral Device Detection\", \n 8040, \"Host Network Detection\", \n 8045, \"Process Response\", \n 8046, \"File Response\", \n 8047, \"Registry Key Response\", \n 8048, \"Registry Value Response\", \n 8050, \"Network Detection\", \n 8060, \"Monitored Source\", \n 8070, \"Compliance Scan\", \n 8071, \"Compliance\", \n 8080, \"User Session Query Result\", \n 8081, 
\"Process Query Result\", \n 8082, \"Module Query Result\", \n 8083, \"File Query Result\", \n 8084, \"Directory Query Result\", \n 8085, \"Registry Key Query Result\", \n 8086, \"Registry Value Query Result\", \n 8087, \"Network Query Result\", \n 8089, \"Kernel Object Query Result\", \n 8090, \"Service Query Result\", \n 8100, \"User Session Remediation\", \n 8101, \"Process Remediation\", \n 8102, \"Module Remediation\", \n 8103, \"File Remediation\", \n 8104, \"Directory Remediation\", \n 8105, \"Registry Key Remediation\", \n 8106, \"Registry Value Remediation\", \n 8107, \"Network Remediation\", \n 8109, \"Kernel Remediation\", \n 8110, \"Service Remediation\", \n 8119, \"Unsuccessful Remediation Result\", \n 9000, \"Content Detection\", \n 9001, \"File Content Detection\", \n 9002, \"Email Content Detection\", \n 9003, \"Instant Message Content Detection\" \n ];\nSymantecICDx_CL\n| where file_name_s <> \"\"\n| where (category_id_d == 1 and (type_id_d==8031 or type_id_d==8046 or type_id_d==8028 or type_id_d==8021)) or (category_id_d == 5 and (type_id_d==8004 or type_id_d==8003 or type_id_d==8002)) or (category_id_d == 7 and (type_id_d==8084 or type_id_d==8083 or type_id_d==8082 or type_id_d==8104 or type_id_d==8103 or type_id_d==8102))\n| join kind = inner (typeMapTable) on type_id_d \n| summarize Event_Count=count() by Event_Type=type_name\n| sort by Event_Count desc\n"
|
|
},
|
|
{
|
|
"name": "TimeRange",
|
|
"value": "P1D"
|
|
},
|
|
{
|
|
"name": "Version",
|
|
"value": "1.0"
|
|
},
|
|
{
|
|
"name": "DashboardId",
|
|
"value": "/subscriptions/{Subscription_Id}/resourceGroups/{Resource_Group}/providers/Microsoft.Portal/dashboards/SymantecFileThreatsOverviewDashboard_{Workspace_Name}"
|
|
},
|
|
{
|
|
"name": "PartId",
|
|
"value": "8bb4248a-bac1-4c2b-a00e-9eb17c492935"
|
|
},
|
|
{
|
|
"name": "PartTitle",
|
|
"value": "Analytics"
|
|
},
|
|
{
|
|
"name": "PartSubTitle",
|
|
"value": "{Workspace_Name}"
|
|
},
|
|
{
|
|
"name": "resourceTypeMode",
|
|
"value": "workspace"
|
|
},
|
|
{
|
|
"name": "ControlType",
|
|
"value": "AnalyticsGrid"
|
|
},
|
|
{
|
|
"name": "Dimensions",
|
|
"isOptional": true
|
|
},
|
|
{
|
|
"name": "SpecificChart",
|
|
"isOptional": true
|
|
}
|
|
],
|
|
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
|
|
"settings": {
|
|
"content": {
|
|
"PartTitle": "Number of file events with file objects",
|
|
"PartSubTitle": "Symantec Integrated Cyber Defense"
|
|
}
|
|
},
|
|
"asset": {
|
|
"idInputName": "ComponentId",
|
|
"type": "ApplicationInsights"
|
|
}
|
|
}
|
|
},
|
|
"5": {
|
|
"position": {
|
|
"x": 12,
|
|
"y": 1,
|
|
"colSpan": 6,
|
|
"rowSpan": 4
|
|
},
|
|
"metadata": {
|
|
"inputs": [
|
|
{
|
|
"name": "ComponentId",
|
|
"value": {
|
|
"SubscriptionId": "{Subscription_Id}",
|
|
"ResourceGroup": "{Resource_Group}",
|
|
"Name": "{Workspace_Name}"
|
|
}
|
|
},
|
|
{
|
|
"name": "Query",
|
|
"value": "let typeMapTable = datatable(type_id_d:double, type_name:string)\n [\n 1, \"Application Log\",\n 2, \"Application Lifecycle\",\n 3, \"Update\",\n 6, \"Update Available\",\n 7, \"User Message\",\n 9, \"Registration\",\n 11, \"Commmand Activity\",\n 15, \"BitLocker\",\n 20, \"User Session Audit\",\n 21, \"Entity Audit\",\n 22, \"Policy Override Audit\",\n 40, \"Certificate Lifecycle\",\n 41, \"Certificate Expiry\",\n 30, \"License Lifecycle\",\n 31, \"License Expiry\",\n 32, \"License Count\",\n 1000, \"Status\",\n 1005, \"CPU Usage\",\n 1006, \"Memory Usage\",\n 1007, \"Throughput\",\n 8000, \"User Session Activity\",\n 8001, \"Process Activity\",\n 8002, \"Module Activity\",\n 8003, \"File Activity\",\n 8004, \"Directory Activity\",\n 8005, \"Registry Key Activity\",\n 8006, \"Registry Value Activity\",\n 8007, \"Host Network Activity\",\n 8008, \"Memory Activity\",\n 8009, \"Kernel Activity\",\n 8010, \"Network Activity\",\n 8011, \"Email Activity\",\n 8012, \"Email File Activity\",\n 8013, \"Email URL Activity\",\n 8014, \"Host Network Traffice Activity\",\n 8020, \"Scan\",\n 8021, \"Unscannable File\",\n 8025, \"Boot Record Detection\",\n 8026, \"User Session Detection\",\n 8027, \"Process Detection\",\n 8028, \"Module Detection\",\n 8029, \"Memory Detection\",\n 8030, \"Kernel Detection\",\n 8031, \"File Detection\",\n 8032, \"Registry Key Detection\",\n 8033, \"Registry Value Detection\",\n 8034, \"Email File Detection\",\n 8035, \"Email Detection\",\n 8036, \"Email URL Detection\",\n 8037, \"Host Network Traffic Detection\",\n 8038, \"Peripheral Device Detection\",\n 8040, \"Host Network Detection\",\n 8045, \"Process Response\",\n 8046, \"File Response\",\n 8047, \"Registry Key Response\",\n 8048, \"Registry Value Response\",\n 8050, \"Network Detection\",\n 8060, \"Monitored Source\",\n 8070, \"Compliance Scan\",\n 8071, \"Compliance\",\n 8080, \"User Session Query Result\",\n 8081, \"Process Query Result\",\n 8082, \"Module Query Result\",\n 
8083, \"File Query Result\",\n 8084, \"Directory Query Result\",\n 8085, \"Registry Key Query Result\",\n 8086, \"Registry Value Query Result\",\n 8087, \"Network Query Result\",\n 8089, \"Kernel Object Query Result\",\n 8090, \"Service Query Result\",\n 8100, \"User Session Remediation\",\n 8101, \"Process Remediation\",\n 8102, \"Module Remediation\",\n 8103, \"File Remediation\",\n 8104, \"Directory Remediation\",\n 8105, \"Registry Key Remediation\",\n 8106, \"Registry Value Remediation\",\n 8107, \"Network Remediation\",\n 8109, \"Kernel Remediation\",\n 8110, \"Service Remediation\",\n 8119, \"Unsuccessful Remediation Result\",\n 9000, \"Content Detection\",\n 9001, \"File Content Detection\",\n 9002, \"Email Content Detection\",\n 9003, \"Instant Message Content Detection\"\n ];\nSymantecICDx_CL\n| where file_name_s <> \"\"\n| where (category_id_d == 1 and (type_id_d==8031 or type_id_d==8046 or type_id_d==8028 or type_id_d==8021)) or\n (category_id_d == 5 and (type_id_d==8004 or type_id_d==8003 or type_id_d==8002)) or\n (category_id_d == 7 and (type_id_d==8084 or type_id_d==8083 or type_id_d==8082 or type_id_d==8104 or type_id_d==8103 or type_id_d==8102))\n| join kind = inner (typeMapTable) on type_id_d \n| summarize count() by type_name\n"
|
|
},
|
|
{
|
|
"name": "TimeRange",
|
|
"value": "P1D"
|
|
},
|
|
{
|
|
"name": "Dimensions",
|
|
"value": {
|
|
"xAxis": {
|
|
"name": "type_name",
|
|
"type": "String"
|
|
},
|
|
"yAxis": [
|
|
{
|
|
"name": "count_",
|
|
"type": "Int64"
|
|
}
|
|
],
|
|
"splitBy": [],
|
|
"aggregation": "Sum"
|
|
}
|
|
},
|
|
{
|
|
"name": "Version",
|
|
"value": "1.0"
|
|
},
|
|
{
|
|
"name": "DashboardId",
|
|
"value": "/subscriptions/{Subscription_Id}/resourceGroups/{Resource_Group}/providers/Microsoft.Portal/dashboards/SymantecFileThreatsOverviewDashboard_{Workspace_Name}"
|
|
},
|
|
{
|
|
"name": "PartId",
|
|
"value": "8991fd05-e36c-4581-a014-b0d041bcdf40"
|
|
},
|
|
{
|
|
"name": "PartTitle",
|
|
"value": "Analytics"
|
|
},
|
|
{
|
|
"name": "PartSubTitle",
|
|
"value": " "
|
|
},
|
|
{
|
|
"name": "resourceTypeMode",
|
|
"value": "workspace"
|
|
},
|
|
{
|
|
"name": "ControlType",
|
|
"value": "AnalyticsDonut"
|
|
},
|
|
{
|
|
"name": "SpecificChart",
|
|
"isOptional": true
|
|
}
|
|
],
|
|
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
|
|
"settings": {
|
|
"content": {
|
|
"PartTitle": "Type distribution across events with file object",
|
|
"PartSubTitle": "Symantec Integrated Cyber Defense",
|
|
"Query": "let typeMapTable = datatable(type_id_d:double, type_name:string)\n [\n 1, \"Application Log\",\n 2, \"Application Lifecycle\",\n 3, \"Update\",\n 6, \"Update Available\",\n 7, \"User Message\",\n 9, \"Registration\",\n 11, \"Commmand Activity\",\n 15, \"BitLocker\",\n 20, \"User Session Audit\",\n 21, \"Entity Audit\",\n 22, \"Policy Override Audit\",\n 40, \"Certificate Lifecycle\",\n 41, \"Certificate Expiry\",\n 30, \"License Lifecycle\",\n 31, \"License Expiry\",\n 32, \"License Count\",\n 1000, \"Status\",\n 1005, \"CPU Usage\",\n 1006, \"Memory Usage\",\n 1007, \"Throughput\",\n 8000, \"User Session Activity\",\n 8001, \"Process Activity\",\n 8002, \"Module Activity\",\n 8003, \"File Activity\",\n 8004, \"Directory Activity\",\n 8005, \"Registry Key Activity\",\n 8006, \"Registry Value Activity\",\n 8007, \"Host Network Activity\",\n 8008, \"Memory Activity\",\n 8009, \"Kernel Activity\",\n 8010, \"Network Activity\",\n 8011, \"Email Activity\",\n 8012, \"Email File Activity\",\n 8013, \"Email URL Activity\",\n 8014, \"Host Network Traffice Activity\",\n 8020, \"Scan\",\n 8021, \"Unscannable File\",\n 8025, \"Boot Record Detection\",\n 8026, \"User Session Detection\",\n 8027, \"Process Detection\",\n 8028, \"Module Detection\",\n 8029, \"Memory Detection\",\n 8030, \"Kernel Detection\",\n 8031, \"File Detection\",\n 8032, \"Registry Key Detection\",\n 8033, \"Registry Value Detection\",\n 8034, \"Email File Detection\",\n 8035, \"Email Detection\",\n 8036, \"Email URL Detection\",\n 8037, \"Host Network Traffic Detection\",\n 8038, \"Peripheral Device Detection\",\n 8040, \"Host Network Detection\",\n 8045, \"Process Response\",\n 8046, \"File Response\",\n 8047, \"Registry Key Response\",\n 8048, \"Registry Value Response\",\n 8050, \"Network Detection\",\n 8060, \"Monitored Source\",\n 8070, \"Compliance Scan\",\n 8071, \"Compliance\",\n 8080, \"User Session Query Result\",\n 8081, \"Process Query Result\",\n 8082, \"Module Query Result\",\n 
8083, \"File Query Result\",\n 8084, \"Directory Query Result\",\n 8085, \"Registry Key Query Result\",\n 8086, \"Registry Value Query Result\",\n 8087, \"Network Query Result\",\n 8089, \"Kernel Object Query Result\",\n 8090, \"Service Query Result\",\n 8100, \"User Session Remediation\",\n 8101, \"Process Remediation\",\n 8102, \"Module Remediation\",\n 8103, \"File Remediation\",\n 8104, \"Directory Remediation\",\n 8105, \"Registry Key Remediation\",\n 8106, \"Registry Value Remediation\",\n 8107, \"Network Remediation\",\n 8109, \"Kernel Remediation\",\n 8110, \"Service Remediation\",\n 8119, \"Unsuccessful Remediation Result\",\n 9000, \"Content Detection\",\n 9001, \"File Content Detection\",\n 9002, \"Email Content Detection\",\n 9003, \"Instant Message Content Detection\"\n ];\nSymantecICDx_CL\n| where file_name_s <> \"\"\n| where (category_id_d == 1 and (type_id_d==8031 or type_id_d==8046 or type_id_d==8028 or type_id_d==8021)) or\n (category_id_d == 5 and (type_id_d==8004 or type_id_d==8003 or type_id_d==8002)) or\n (category_id_d == 7 and (type_id_d==8084 or type_id_d==8083 or type_id_d==8082 or type_id_d==8104 or type_id_d==8103 or type_id_d==8102))\n| join kind = inner (typeMapTable) on type_id_d \n| summarize count() by type_name\n"
|
|
}
|
|
},
|
|
"asset": {
|
|
"idInputName": "ComponentId",
|
|
"type": "ApplicationInsights"
|
|
}
|
|
}
|
|
},
|
|
"6": {
|
|
"position": {
|
|
"x": 0,
|
|
"y": 5,
|
|
"colSpan": 12,
|
|
"rowSpan": 4
|
|
},
|
|
"metadata": {
|
|
"inputs": [
|
|
{
|
|
"name": "ComponentId",
|
|
"value": {
|
|
"SubscriptionId": "{Subscription_Id}",
|
|
"ResourceGroup": "{Resource_Group}",
|
|
"Name": "{Workspace_Name}"
|
|
}
|
|
},
|
|
{
|
|
"name": "Query",
|
|
"value": "let typeMapTable = datatable(type_id_d:double, type_name:string)\n [\n 1, \"Application Log\",\n 2, \"Application Lifecycle\",\n 3, \"Update\",\n 6, \"Update Available\",\n 7, \"User Message\",\n 9, \"Registration\",\n 11, \"Commmand Activity\",\n 15, \"BitLocker\",\n 20, \"User Session Audit\",\n 21, \"Entity Audit\",\n 22, \"Policy Override Audit\",\n 40, \"Certificate Lifecycle\",\n 41, \"Certificate Expiry\",\n 30, \"License Lifecycle\",\n 31, \"License Expiry\",\n 32, \"License Count\",\n 1000, \"Status\",\n 1005, \"CPU Usage\",\n 1006, \"Memory Usage\",\n 1007, \"Throughput\",\n 8000, \"User Session Activity\",\n 8001, \"Process Activity\",\n 8002, \"Module Activity\",\n 8003, \"File Activity\",\n 8004, \"Directory Activity\",\n 8005, \"Registry Key Activity\",\n 8006, \"Registry Value Activity\",\n 8007, \"Host Network Activity\",\n 8008, \"Memory Activity\",\n 8009, \"Kernel Activity\",\n 8010, \"Network Activity\",\n 8011, \"Email Activity\",\n 8012, \"Email File Activity\",\n 8013, \"Email URL Activity\",\n 8014, \"Host Network Traffice Activity\",\n 8020, \"Scan\",\n 8021, \"Unscannable File\",\n 8025, \"Boot Record Detection\",\n 8026, \"User Session Detection\",\n 8027, \"Process Detection\",\n 8028, \"Module Detection\",\n 8029, \"Memory Detection\",\n 8030, \"Kernel Detection\",\n 8031, \"File Detection\",\n 8032, \"Registry Key Detection\",\n 8033, \"Registry Value Detection\",\n 8034, \"Email File Detection\",\n 8035, \"Email Detection\",\n 8036, \"Email URL Detection\",\n 8037, \"Host Network Traffic Detection\",\n 8038, \"Peripheral Device Detection\",\n 8040, \"Host Network Detection\",\n 8045, \"Process Response\",\n 8046, \"File Response\",\n 8047, \"Registry Key Response\",\n 8048, \"Registry Value Response\",\n 8050, \"Network Detection\",\n 8060, \"Monitored Source\",\n 8070, \"Compliance Scan\",\n 8071, \"Compliance\",\n 8080, \"User Session Query Result\",\n 8081, \"Process Query Result\",\n 8082, \"Module Query Result\",\n 
8083, \"File Query Result\",\n 8084, \"Directory Query Result\",\n 8085, \"Registry Key Query Result\",\n 8086, \"Registry Value Query Result\",\n 8087, \"Network Query Result\",\n 8089, \"Kernel Object Query Result\",\n 8090, \"Service Query Result\",\n 8100, \"User Session Remediation\",\n 8101, \"Process Remediation\",\n 8102, \"Module Remediation\",\n 8103, \"File Remediation\",\n 8104, \"Directory Remediation\",\n 8105, \"Registry Key Remediation\",\n 8106, \"Registry Value Remediation\",\n 8107, \"Network Remediation\",\n 8109, \"Kernel Remediation\",\n 8110, \"Service Remediation\",\n 8119, \"Unsuccessful Remediation Result\",\n 9000, \"Content Detection\",\n 9001, \"File Content Detection\",\n 9002, \"Email Content Detection\",\n 9003, \"Instant Message Content Detection\"\n ];\nSymantecICDx_CL\n| where (category_id_d == 1 and (type_id_d==8031 or type_id_d==8046 or type_id_d==8028 or type_id_d==8021)) or\n (category_id_d == 5 and (type_id_d==8004 or type_id_d==8003 or type_id_d==8002)) or\n (category_id_d == 7 and (type_id_d==8084 or type_id_d==8083 or type_id_d==8082 or type_id_d==8104 or type_id_d==8103 or type_id_d==8102))\n| join kind = inner (typeMapTable) on type_id_d \n| summarize Event_Count=count() by Event_Type=type_name, bin(TimeGenerated, 1h)\n| render timechart \n"
|
|
},
|
|
{
|
|
"name": "TimeRange",
|
|
"value": "P1D"
|
|
},
|
|
{
|
|
"name": "Dimensions",
|
|
"value": {
|
|
"xAxis": {
|
|
"name": "TimeGenerated",
|
|
"type": "DateTime"
|
|
},
|
|
"yAxis": [
|
|
{
|
|
"name": "Event_Count",
|
|
"type": "Int64"
|
|
}
|
|
],
|
|
"splitBy": [
|
|
{
|
|
"name": "Event_Type",
|
|
"type": "String"
|
|
}
|
|
],
|
|
"aggregation": "Sum"
|
|
}
|
|
},
|
|
{
|
|
"name": "Version",
|
|
"value": "1.0"
|
|
},
|
|
{
|
|
"name": "DashboardId",
|
|
"value": "/subscriptions/{Subscription_Id}/resourceGroups/{Resource_Group}/providers/Microsoft.Portal/dashboards/SymantecFileThreatsOverviewDashboard_{Workspace_Name}"
|
|
},
|
|
{
|
|
"name": "PartId",
|
|
"value": "c5f015d5-3a8b-4276-b0f9-9802c313698c"
|
|
},
|
|
{
|
|
"name": "PartTitle",
|
|
"value": "Analytics"
|
|
},
|
|
{
|
|
"name": "PartSubTitle",
|
|
"value": " "
|
|
},
|
|
{
|
|
"name": "resourceTypeMode",
|
|
"value": "workspace"
|
|
},
|
|
{
|
|
"name": "ControlType",
|
|
"value": "AnalyticsChart"
|
|
},
|
|
{
|
|
"name": "SpecificChart",
|
|
"value": "Line"
|
|
}
|
|
],
|
|
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
|
|
"settings": {
|
|
"content": {
|
|
"PartTitle": "File events trend",
|
|
"PartSubTitle": "Symantec Integrated Cyber Defense",
|
|
"Query": "let typeMapTable = datatable(type_id_d:double, type_name:string)\n [\n 1, \"Application Log\",\n 2, \"Application Lifecycle\",\n 3, \"Update\",\n 6, \"Update Available\",\n 7, \"User Message\",\n 9, \"Registration\",\n 11, \"Commmand Activity\",\n 15, \"BitLocker\",\n 20, \"User Session Audit\",\n 21, \"Entity Audit\",\n 22, \"Policy Override Audit\",\n 40, \"Certificate Lifecycle\",\n 41, \"Certificate Expiry\",\n 30, \"License Lifecycle\",\n 31, \"License Expiry\",\n 32, \"License Count\",\n 1000, \"Status\",\n 1005, \"CPU Usage\",\n 1006, \"Memory Usage\",\n 1007, \"Throughput\",\n 8000, \"User Session Activity\",\n 8001, \"Process Activity\",\n 8002, \"Module Activity\",\n 8003, \"File Activity\",\n 8004, \"Directory Activity\",\n 8005, \"Registry Key Activity\",\n 8006, \"Registry Value Activity\",\n 8007, \"Host Network Activity\",\n 8008, \"Memory Activity\",\n 8009, \"Kernel Activity\",\n 8010, \"Network Activity\",\n 8011, \"Email Activity\",\n 8012, \"Email File Activity\",\n 8013, \"Email URL Activity\",\n 8014, \"Host Network Traffice Activity\",\n 8020, \"Scan\",\n 8021, \"Unscannable File\",\n 8025, \"Boot Record Detection\",\n 8026, \"User Session Detection\",\n 8027, \"Process Detection\",\n 8028, \"Module Detection\",\n 8029, \"Memory Detection\",\n 8030, \"Kernel Detection\",\n 8031, \"File Detection\",\n 8032, \"Registry Key Detection\",\n 8033, \"Registry Value Detection\",\n 8034, \"Email File Detection\",\n 8035, \"Email Detection\",\n 8036, \"Email URL Detection\",\n 8037, \"Host Network Traffic Detection\",\n 8038, \"Peripheral Device Detection\",\n 8040, \"Host Network Detection\",\n 8045, \"Process Response\",\n 8046, \"File Response\",\n 8047, \"Registry Key Response\",\n 8048, \"Registry Value Response\",\n 8050, \"Network Detection\",\n 8060, \"Monitored Source\",\n 8070, \"Compliance Scan\",\n 8071, \"Compliance\",\n 8080, \"User Session Query Result\",\n 8081, \"Process Query Result\",\n 8082, \"Module Query Result\",\n 
8083, \"File Query Result\",\n 8084, \"Directory Query Result\",\n 8085, \"Registry Key Query Result\",\n 8086, \"Registry Value Query Result\",\n 8087, \"Network Query Result\",\n 8089, \"Kernel Object Query Result\",\n 8090, \"Service Query Result\",\n 8100, \"User Session Remediation\",\n 8101, \"Process Remediation\",\n 8102, \"Module Remediation\",\n 8103, \"File Remediation\",\n 8104, \"Directory Remediation\",\n 8105, \"Registry Key Remediation\",\n 8106, \"Registry Value Remediation\",\n 8107, \"Network Remediation\",\n 8109, \"Kernel Remediation\",\n 8110, \"Service Remediation\",\n 8119, \"Unsuccessful Remediation Result\",\n 9000, \"Content Detection\",\n 9001, \"File Content Detection\",\n 9002, \"Email Content Detection\",\n 9003, \"Instant Message Content Detection\"\n ];\nSymantecICDx_CL\n| where (category_id_d == 1 and (type_id_d==8031 or type_id_d==8046 or type_id_d==8028 or type_id_d==8021)) or\n (category_id_d == 5 and (type_id_d==8004 or type_id_d==8003 or type_id_d==8002)) or\n (category_id_d == 7 and (type_id_d==8084 or type_id_d==8083 or type_id_d==8082 or type_id_d==8104 or type_id_d==8103 or type_id_d==8102))\n| join kind = inner (typeMapTable) on type_id_d \n| summarize Event_Count=count() by Event_Type=type_name, bin(TimeGenerated, 1h)\n| render timechart \n"
|
|
}
|
|
},
|
|
"asset": {
|
|
"idInputName": "ComponentId",
|
|
"type": "ApplicationInsights"
|
|
}
|
|
}
|
|
},
|
|
"7": {
|
|
"position": {
|
|
"x": 12,
|
|
"y": 5,
|
|
"colSpan": 6,
|
|
"rowSpan": 4
|
|
},
|
|
"metadata": {
|
|
"inputs": [
|
|
{
|
|
"name": "ComponentId",
|
|
"value": {
|
|
"SubscriptionId": "{Subscription_Id}",
|
|
"ResourceGroup": "{Resource_Group}",
|
|
"Name": "{Workspace_Name}"
|
|
}
|
|
},
|
|
{
|
|
"name": "Query",
|
|
"value": "let disptypeMap = datatable(disposition_type:string, Action:string)\n[\n\"1,20\", \"LOGON\",\n\"2,20\", \"LOGOFF\",\n\"1,21\", \"Create\",\n\"2,21\", \"Update\",\n\"3,21\", \"Delete\",\n\"10,22\", \"User rule override\",\n\"20,22\", \"Admin request\",\n\"30,22\", \"User policy override\",\n\"31,22\", \"User policy override extend time\",\n\"32,22\", \"User policy restore manual\",\n\"33,22\", \"User policy restore automatic\",\n\"40,22\", \"Execution block override\",\n\"41,22\", \"User policy override removed\",\n\"1,1000\", \"Log\",\n\"1,1005\", \"Normal\",\n\"2,1005\", \"Overload\",\n\"1,1006\", \"Normal\",\n\"2,1006\", \"Overload\",\n\"1,1007\", \"Normal\",\n\"2,1007\", \"Overload\",\n\"1,8025\", \"Blocked\",\n\"2,8025\", \"Allowed\",\n\"3,8025\", \"No Action\",\n\"4,8025\", \"Log\",\n\"5,8025\", \"Command Script\",\n\"6,8025\", \"Corrected\",\n\"7,8025\", \"Partially Corrected\",\n\"8,8025\", \"Uncorrected\",\n\"14,8025\", \"Detected\",\n\"1,8031\", \"Blocked\",\n\"2,8031\", \"Allowed\",\n\"3,8031\", \"No Action\",\n\"4,8031\", \"Log\",\n\"5,8031\", \"Command Script\",\n\"6,8031\", \"Corrected\",\n\"7,8031\", \"Partially Corrected\",\n\"8,8031\", \"Uncorrected\",\n\"10,8031\", \"Delayed (required reboot)\",\n\"11,8031\", \"Deleted\",\n\"12,8031\", \"Quarantined\",\n\"13,8031\", \"Restored\",\n\"14,8031\", \"Detected\",\n\"1,8030\", \"Blocked\",\n\"2,8030\", \"Allowed\",\n\"3,8030\", \"No Action\",\n\"4,8030\", \"Log\",\n\"5,8030\", \"Command Script\",\n\"8,8030\", \"Uncorrected\",\n\"10,8030\", \"Delayed (required reboot)\",\n\"11,8030\", \"Deleted\",\n\"14,8030\", \"Detected\",\n\"1,8029\", \"Blocked\",\n\"2,8029\", \"Allowed\",\n\"3,8029\", \"No Action\",\n\"4,8029\", \"Log\",\n\"5,8029\", \"Command Script\",\n\"6,8029\", \"Corrected\",\n\"7,8029\", \"Partially Corrected\",\n\"8,8029\", \"Uncorrected\",\n\"10,8029\", \"Delayed (required reboot)\",\n\"11,8029\", \"Deleted\",\n\"12,8029\", \"Quarantined\",\n\"13,8029\", \"Restored\",\n\"14,8029\", 
\"Detected\",\n\"1,8028\", \"Blocked\",\n\"2,8028\", \"Allowed\",\n\"3,8028\", \"No Action\",\n\"4,8028\", \"Log\",\n\"5,8028\", \"Command Script\",\n\"6,8028\", \"Corrected\",\n\"7,8028\", \"Partially Corrected\",\n\"8,8028\", \"Uncorrected\",\n\"10,8028\", \"Delayed (required reboot)\",\n\"11,8028\", \"Deleted\",\n\"12,8028\", \"Quarantined\",\n\"13,8028\", \"Restored\",\n\"14,8028\", \"Detected\",\n\"1,8027\", \"Blocked\",\n\"2,8027\", \"Allowed\",\n\"3,8027\", \"No Action\",\n\"4,8027\", \"Log\",\n\"5,8027\", \"Command Script\",\n\"6,8027\", \"Corrected\",\n\"7,8027\", \"Partially Corrected\",\n\"8,8027\", \"Uncorrected\",\n\"10,8027\", \"Delayed (required reboot)\",\n\"11,8027\", \"Deleted\",\n\"12,8027\", \"Quarantined\",\n\"13,8027\", \"Restored\",\n\"14,8027\", \"Detected\",\n\"15,8027\", \"Terminated\",\n\"1,8032\", \"Blocked\",\n\"2,8032\", \"Allowed\",\n\"3,8032\", \"No Action\",\n\"4,8032\", \"Log\",\n\"5,8032\", \"Command Script\",\n\"6,8032\", \"Corrected\",\n\"7,8032\", \"Partially Corrected\",\n\"8,8032\", \"Uncorrected\",\n\"10,8032\", \"Delayed (required reboot)\",\n\"11,8032\", \"Deleted\",\n\"13,8032\", \"Restored\",\n\"14,8032\", \"Detected\",\n\"1,8033\", \"Blocked\",\n\"2,8033\", \"Allowed\",\n\"3,8033\", \"No Action\",\n\"4,8033\", \"Log\",\n\"5,8033\", \"Command Script\",\n\"6,8033\", \"Corrected\",\n\"7,8033\", \"Partially Corrected\",\n\"8,8033\", \"Uncorrected\",\n\"10,8033\", \"Delayed (required reboot)\",\n\"11,8033\", \"Deleted\",\n\"13,8033\", \"Restored\",\n\"14,8033\", \"Detected\",\n\"1,8026\", \"Blocked\",\n\"2,8026\", \"Allowed\",\n\"3,8026\", \"No Action\",\n\"4,8026\", \"Log\",\n\"5,8026\", \"Command Script\",\n\"14,8026\", \"Detected\",\n\"15,8026\", \"Terminated\",\n\"4,8060\", \"Log\",\n\"1,8040\", \"Blocked\",\n\"2,8040\", \"Allowed\",\n\"3,8040\", \"No Action\",\n\"4,8040\", \"Log\",\n\"4,8045\", \"Log\",\n\"10,8045\", \"Delayed\",\n\"15,8045\", \"Terminated\",\n\"1,8047\", \"Blocked\",\n\"2,8047\", 
\"Allowed\",\n\"3,8047\", \"No Action\",\n\"4,8047\", \"Log\",\n\"5,8047\", \"Command Script\",\n\"6,8047\", \"Corrected\",\n\"7,8047\", \"Partially Corrected\",\n\"8,8047\", \"Uncorrected\",\n\"10,8047\", \"Delayed (required reboot)\",\n\"11,8047\", \"Deleted\",\n\"12,8047\", \"Quarantined\",\n\"13,8047\", \"Restored\",\n\"14,8047\", \"Detected\",\n\"1,8048\", \"Blocked\",\n\"2,8048\", \"Allowed\",\n\"3,8048\", \"No Action\",\n\"4,8048\", \"Log\",\n\"5,8048\", \"Command Script\",\n\"6,8048\", \"Corrected\",\n\"7,8048\", \"Partially Corrected\",\n\"8,8048\", \"Uncorrected\",\n\"10,8048\", \"Delayed (required reboot)\",\n\"11,8048\", \"Deleted\",\n\"12,8048\", \"Quarantined\",\n\"13,8048\", \"Restored\",\n\"14,8048\", \"Detected\",\n\"1,8020\", \"Started\",\n\"2,8020\", \"Completed\",\n\"3,8020\", \"Cancelled\",\n\"4,8020\", \"Duration Violation\",\n\"5,8020\", \"Pause Violation\",\n\"6,8020\", \"Error\",\n\"1,8021\", \"Permission\",\n\"2,8021\", \"Encrypted\",\n\"3,8021\", \"Size\",\n\"4,8021\", \"Error\",\n\"5,8021\", \"Malformed\",\n\"1,8034\", \"Blocked\",\n\"2,8034\", \"Allowed\",\n\"12,8034\", \"Quarantined\",\n\"1,8036\", \"Blocked\",\n\"2,8036\", \"Allowed\",\n\"1,8037\", \"Blocked\",\n\"2,8037\", \"Allowed\",\n\"3,8037\", \"No Action\",\n\"4,8037\", \"Log\",\n\"5,8037\", \"Command Script\",\n\"6,8037\", \"Corrected\",\n\"7,8037\", \"Partially Corrected\",\n\"8,8037\", \"Uncorrected\",\n\"10,8037\", \"Delayed (required reboot)\",\n\"11,8037\", \"Deleted\",\n\"12,8037\", \"Quarantined\",\n\"13,8037\", \"Restored\",\n\"14,8037\", \"Detected\",\n\"1,8038\", \"Blocked\",\n\"2,8038\", \"Allowed\",\n\"4,8045\", \"Log\",\n\"10,8045\", \"Delayed\",\n\"15,8045\", \"Terminated\",\n\"1,8\", \"Install\",\n\"2,8\", \"Remove\",\n\"3,8\", \"Update\",\n\"4,8\", \"Expire\",\n\"5,8\", \"Exceed\",\n\"6,8\", \"Report\",\n\"7,8\", \"Low Count\",\n\"8,8\", \"Expiring\",\n\"4,1\", \"Application Log\",\n\"1,2\", \"Install\",\n\"2,2\", \"Remove\",\n\"3,2\", \"Start\",\n\"4,2\", 
\"Stop\",\n\"5,2\", \"Heartbeat\",\n\"1,3\", \"Code\",\n\"2,3\", \"Content\",\n\"3,3\", \"Configuration\",\n\"4,3\", \"Policy\",\n\"1,6\", \"Code\",\n\"2,6\", \"Content\",\n\"3,6\", \"Configuration\",\n\"4,6\", \"Policy\",\n\"1,7\", \"E-mail\",\n\"2,7\", \"SMS\",\n\"1,9\", \"Register\",\n\"2,9\", \"Unregister\",\n\"1,11\", \"Submitted\",\n\"2,11\", \"Queued\",\n\"3,11\", \"Started\",\n\"4,11\", \"Cancel Requested\",\n\"5,11\", \"Completed\",\n\"6,11\", \"Canceled\",\n\"7,11\", \"Error\",\n\"8,11\", \"Rejected\",\n\"1,15\", \"Failure\",\n\"2,15\", \"Encryption Started\",\n\"3,15\", \"Encryption Finished\",\n\"10,15\", \"Recovery Key Recycled\",\n\"1,40\", \"Install\",\n\"2,40\", \"Remove\",\n\"3,40\", \"Update\",\n\"1,41\", \"Expiring\",\n\"2,41\", \"Expired\",\n\"1,8080\", \"Exists\",\n\"2,8080\", \"Partial\",\n\"1,8081\", \"Exists\",\n\"2,8081\", \"Partial\",\n\"1,8082\", \"Exists\",\n\"2,8082\", \"Partial\",\n\"1,8085\", \"Exists\",\n\"2,8085\", \"Partial\",\n\"1,8086\", \"Exists\",\n\"2,8086\", \"Partial\",\n\"1,8087\", \"Exists\",\n\"2,8087\", \"Partial\",\n\"1,8089\", \"Exists\",\n\"2,8089\", \"Partial\",\n\"1,8090\", \"Exists\",\n\"2,8090\", \"Partial\",\n\"1,8100\", \"Remediation Completed\",\n\"2,8100\", \"Partial Remediation\",\n\"1,8101\", \"Remediation Completed\",\n\"2,8101\", \"Partial Remediation\",\n\"1,8105\", \"Remediation Completed\",\n\"2,8105\", \"Partial Remediation\",\n\"1,8106\", \"Remediation Completed\",\n\"2,8106\", \"Partial Remediation\",\n\"1,8109\", \"Remediation Completed\",\n\"2,8109\", \"Partial Remediation\",\n\"1,8110\", \"Remediation Completed\",\n\"2,8110\", \"Partial Remediation\",\n\"3,8119\", \"Does Not Exists\",\n\"4,8119\", \"Error\",\n\"5,8119\", \"Unsupported\",\n\"1,8107\", \"Remediation Completed\",\n\"2,8107\", \"Partial Remediation\",\n\"1,8084\", \"Exists\",\n\"2,8084\", \"Partial\",\n\"1,8083\", \"Exists\",\n\"2,8083\", \"Partial\",\n\"1,8104\", \"Remediation Completed\",\n\"2,8104\", \"Partial 
Remediation\",\n\"1,8103\", \"Remediation Completed\",\n\"2,8103\", \"Partial Remediation\",\n\"1,8102\", \"Remediation Completed\",\n\"2,8102\", \"Partial Remediation\",\n\"1,8000\", \"Logon\",\n\"2,8000\", \"Logoff\",\n\"1,8004\", \"Create\",\n\"2,8004\", \"Delete\",\n\"4,8004\", \"Rename\",\n\"5,8004\", \"Modify\",\n\"6,8004\", \"Set Attributes\",\n\"7,8004\", \"Set Security\",\n\"8,8004\", \"Get Attributes\",\n\"9,8004\", \"Get Security\",\n\"10,8004\", \"Encrypt\",\n\"11,8004\", \"Decrypt\",\n\"12,8004\", \"Mount\",\n\"13,8004\", \"Unmount\",\n\"1,8005\", \"Create Key\",\n\"2,8005\", \"Delete Key\",\n\"3,8005\", \"Open Key\",\n\"4,8005\", \"Rename Key\",\n\"5,8005\", \"Set Key Security Descriptor\",\n\"6,8005\", \"Restore Key\",\n\"1,8006\", \"Get Value\",\n\"2,8006\", \"Set Value\",\n\"3,8006\", \"Delete Value\",\n\"1,8008\", \"Page Allocate\",\n\"2,8008\", \"Page Modify\",\n\"3,8008\", \"Page Delete\",\n\"4,8008\", \"Buffer Overflow\",\n\"1,8009\", \"Create\",\n\"2,8009\", \"Read\",\n\"3,8009\", \"Delete\",\n\"5,8010\", \"System Activity\",\n\"5,8011\", \"System Activity\",\n\"5,8012\", \"System Activity\",\n\"5,8013\", \"System Activity\",\n\"1,8003\", \"Create\",\n\"2,8003\", \"Delete\",\n\"3,8003\", \"Open\",\n\"4,8003\", \"Rename\",\n\"5,8003\", \"Modify\",\n\"6,8003\", \"Set Attributes\",\n\"7,8003\", \"Set Security\",\n\"8,8003\", \"Get Attributes\",\n\"9,8003\", \"Get Security\",\n\"10,8003\", \"Encrypt\",\n\"11,8003\", \"Decrypt\",\n\"1,8002\", \"Load\",\n\"2,8002\", \"Unload\",\n\"1,8035\", \"Blocked\",\n\"2,8035\", \"Allowed\",\n\"3,8035\", \"No Action\",\n\"4,8035\", \"Log\",\n\"5,8035\", \"Command Script\",\n\"6,8035\", \"Corrected\",\n\"7,8035\", \"Partially Corrected\",\n\"8,8035\", \"Uncorrected\",\n\"10,8035\", \"Delayed (required reboot)\",\n\"11,8035\", \"Deleted\",\n\"12,8035\", \"Quarantined\",\n\"13,8035\", \"Restored\",\n\"14,8035\", \"Detected\",\n\"1,8050\", \"Blocked\",\n\"2,8050\", \"Allowed\",\n\"3,8050\", \"Dropped\",\n\"4,8050\", 
\"Deleted\",\n\"5,8050\", \"Isolated\",\n\"1,8070\", \"Passed\",\n\"2,8070\", \"Failed\",\n\"3,8070\", \"Soft Fail\",\n\"4,8070\", \"Log\",\n\"1,8071\", \"Compliance Check\",\n\"2,8071\", \"Remediation Check\",\n\"1,8001\", \"Launch\",\n\"2,8001\", \"Terminate\",\n\"3,8001\", \"Open\",\n\"4,8001\", \"Inject\",\n\"1,8007\", \"Connect\",\n\"2,8007\", \"Disconnect\",\n\"1,30\", \"Install\",\n\"2,30\", \"Remove\",\n\"3,30\", \"Update\",\n\"1,31\", \"Expiring\",\n\"2,31\", \"Expired\",\n\"1,32\", \"Low Count\",\n\"2,32\", \"Exceeded\",\n\"1,9000\", \"Blocked\",\n\"2,9000\", \"Allowed\",\n\"1,9001\", \"Blocked\",\n\"2,9001\", \"Allowed\",\n\"12,9001\", \"Quarantined\",\n\"1,9002\", \"Blocked\",\n\"2,9002\", \"Allowed\",\n\"12,9002\", \"Quarantined\",\n\"20,9002\", \"Approved\",\n\"21,9002\", \"Custom Action\",\n\"22,9002\", \"Expunged\",\n\"1,9003\", \"Blocked\",\n\"2,9003\", \"Allowed\"\n];\nSymantecICDx_CL\n| where file_name_s <> \"\"\n| where (category_id_d == 1 and (type_id_d==8031 or type_id_d==8046 or type_id_d==8028 or type_id_d==8021)) or\n (category_id_d == 5 and (type_id_d==8004 or type_id_d==8003 or type_id_d==8002)) or\n (category_id_d == 7 and (type_id_d==8084 or type_id_d==8083 or type_id_d==8082 or type_id_d==8104 or type_id_d==8103 or type_id_d==8102))\n| extend disposition_type = strcat(toint(id_d), \",\", toint(type_id_d)) \n| join kind = inner (disptypeMap) on disposition_type\n| summarize Action_Count=count() by Action\n"
|
|
},
|
|
{
|
|
"name": "TimeRange",
|
|
"value": "P1D"
|
|
},
|
|
{
|
|
"name": "Dimensions",
|
|
"value": {
|
|
"xAxis": {
|
|
"name": "Action",
|
|
"type": "String"
|
|
},
|
|
"yAxis": [
|
|
{
|
|
"name": "Action_Count",
|
|
"type": "Int64"
|
|
}
|
|
],
|
|
"splitBy": [],
|
|
"aggregation": "Sum"
|
|
}
|
|
},
|
|
{
|
|
"name": "Version",
|
|
"value": "1.0"
|
|
},
|
|
{
|
|
"name": "DashboardId",
|
|
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/SymantecSecurityOverviewDashboard_{Workspace_Name}"
|
|
},
|
|
{
|
|
"name": "PartId",
|
|
"value": "12d00e18-0ae5-4992-aab7-ae257a2433a9"
|
|
},
|
|
{
|
|
"name": "PartTitle",
|
|
"value": "Analytics"
|
|
},
|
|
{
|
|
"name": "PartSubTitle",
|
|
"value": " "
|
|
},
|
|
{
|
|
"name": "resourceTypeMode",
|
|
"value": "workspace"
|
|
},
|
|
{
|
|
"name": "ControlType",
|
|
"value": "AnalyticsDonut"
|
|
},
|
|
{
|
|
"name": "SpecificChart",
|
|
"isOptional": true
|
|
}
|
|
],
|
|
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
|
|
"settings": {
|
|
"content": {
|
|
"PartTitle": "Disposition distribution across events with file object",
|
|
"PartSubTitle": "Symantec Integrated Cyber Defense",
|
|
"Query": "let disptypeMap = datatable(disposition_type:string, Action:string)\n[\n\"1,20\", \"LOGON\",\n\"2,20\", \"LOGOFF\",\n\"1,21\", \"Create\",\n\"2,21\", \"Update\",\n\"3,21\", \"Delete\",\n\"10,22\", \"User rule override\",\n\"20,22\", \"Admin request\",\n\"30,22\", \"User policy override\",\n\"31,22\", \"User policy override extend time\",\n\"32,22\", \"User policy restore manual\",\n\"33,22\", \"User policy restore automatic\",\n\"40,22\", \"Execution block override\",\n\"41,22\", \"User policy override removed\",\n\"1,1000\", \"Log\",\n\"1,1005\", \"Normal\",\n\"2,1005\", \"Overload\",\n\"1,1006\", \"Normal\",\n\"2,1006\", \"Overload\",\n\"1,1007\", \"Normal\",\n\"2,1007\", \"Overload\",\n\"1,8025\", \"Blocked\",\n\"2,8025\", \"Allowed\",\n\"3,8025\", \"No Action\",\n\"4,8025\", \"Log\",\n\"5,8025\", \"Command Script\",\n\"6,8025\", \"Corrected\",\n\"7,8025\", \"Partially Corrected\",\n\"8,8025\", \"Uncorrected\",\n\"14,8025\", \"Detected\",\n\"1,8031\", \"Blocked\",\n\"2,8031\", \"Allowed\",\n\"3,8031\", \"No Action\",\n\"4,8031\", \"Log\",\n\"5,8031\", \"Command Script\",\n\"6,8031\", \"Corrected\",\n\"7,8031\", \"Partially Corrected\",\n\"8,8031\", \"Uncorrected\",\n\"10,8031\", \"Delayed (required reboot)\",\n\"11,8031\", \"Deleted\",\n\"12,8031\", \"Quarantined\",\n\"13,8031\", \"Restored\",\n\"14,8031\", \"Detected\",\n\"1,8030\", \"Blocked\",\n\"2,8030\", \"Allowed\",\n\"3,8030\", \"No Action\",\n\"4,8030\", \"Log\",\n\"5,8030\", \"Command Script\",\n\"8,8030\", \"Uncorrected\",\n\"10,8030\", \"Delayed (required reboot)\",\n\"11,8030\", \"Deleted\",\n\"14,8030\", \"Detected\",\n\"1,8029\", \"Blocked\",\n\"2,8029\", \"Allowed\",\n\"3,8029\", \"No Action\",\n\"4,8029\", \"Log\",\n\"5,8029\", \"Command Script\",\n\"6,8029\", \"Corrected\",\n\"7,8029\", \"Partially Corrected\",\n\"8,8029\", \"Uncorrected\",\n\"10,8029\", \"Delayed (required reboot)\",\n\"11,8029\", \"Deleted\",\n\"12,8029\", \"Quarantined\",\n\"13,8029\", \"Restored\",\n\"14,8029\", 
\"Detected\",\n\"1,8028\", \"Blocked\",\n\"2,8028\", \"Allowed\",\n\"3,8028\", \"No Action\",\n\"4,8028\", \"Log\",\n\"5,8028\", \"Command Script\",\n\"6,8028\", \"Corrected\",\n\"7,8028\", \"Partially Corrected\",\n\"8,8028\", \"Uncorrected\",\n\"10,8028\", \"Delayed (required reboot)\",\n\"11,8028\", \"Deleted\",\n\"12,8028\", \"Quarantined\",\n\"13,8028\", \"Restored\",\n\"14,8028\", \"Detected\",\n\"1,8027\", \"Blocked\",\n\"2,8027\", \"Allowed\",\n\"3,8027\", \"No Action\",\n\"4,8027\", \"Log\",\n\"5,8027\", \"Command Script\",\n\"6,8027\", \"Corrected\",\n\"7,8027\", \"Partially Corrected\",\n\"8,8027\", \"Uncorrected\",\n\"10,8027\", \"Delayed (required reboot)\",\n\"11,8027\", \"Deleted\",\n\"12,8027\", \"Quarantined\",\n\"13,8027\", \"Restored\",\n\"14,8027\", \"Detected\",\n\"15,8027\", \"Terminated\",\n\"1,8032\", \"Blocked\",\n\"2,8032\", \"Allowed\",\n\"3,8032\", \"No Action\",\n\"4,8032\", \"Log\",\n\"5,8032\", \"Command Script\",\n\"6,8032\", \"Corrected\",\n\"7,8032\", \"Partially Corrected\",\n\"8,8032\", \"Uncorrected\",\n\"10,8032\", \"Delayed (required reboot)\",\n\"11,8032\", \"Deleted\",\n\"13,8032\", \"Restored\",\n\"14,8032\", \"Detected\",\n\"1,8033\", \"Blocked\",\n\"2,8033\", \"Allowed\",\n\"3,8033\", \"No Action\",\n\"4,8033\", \"Log\",\n\"5,8033\", \"Command Script\",\n\"6,8033\", \"Corrected\",\n\"7,8033\", \"Partially Corrected\",\n\"8,8033\", \"Uncorrected\",\n\"10,8033\", \"Delayed (required reboot)\",\n\"11,8033\", \"Deleted\",\n\"13,8033\", \"Restored\",\n\"14,8033\", \"Detected\",\n\"1,8026\", \"Blocked\",\n\"2,8026\", \"Allowed\",\n\"3,8026\", \"No Action\",\n\"4,8026\", \"Log\",\n\"5,8026\", \"Command Script\",\n\"14,8026\", \"Detected\",\n\"15,8026\", \"Terminated\",\n\"4,8060\", \"Log\",\n\"1,8040\", \"Blocked\",\n\"2,8040\", \"Allowed\",\n\"3,8040\", \"No Action\",\n\"4,8040\", \"Log\",\n\"4,8045\", \"Log\",\n\"10,8045\", \"Delayed\",\n\"15,8045\", \"Terminated\",\n\"1,8047\", \"Blocked\",\n\"2,8047\", 
\"Allowed\",\n\"3,8047\", \"No Action\",\n\"4,8047\", \"Log\",\n\"5,8047\", \"Command Script\",\n\"6,8047\", \"Corrected\",\n\"7,8047\", \"Partially Corrected\",\n\"8,8047\", \"Uncorrected\",\n\"10,8047\", \"Delayed (required reboot)\",\n\"11,8047\", \"Deleted\",\n\"12,8047\", \"Quarantined\",\n\"13,8047\", \"Restored\",\n\"14,8047\", \"Detected\",\n\"1,8048\", \"Blocked\",\n\"2,8048\", \"Allowed\",\n\"3,8048\", \"No Action\",\n\"4,8048\", \"Log\",\n\"5,8048\", \"Command Script\",\n\"6,8048\", \"Corrected\",\n\"7,8048\", \"Partially Corrected\",\n\"8,8048\", \"Uncorrected\",\n\"10,8048\", \"Delayed (required reboot)\",\n\"11,8048\", \"Deleted\",\n\"12,8048\", \"Quarantined\",\n\"13,8048\", \"Restored\",\n\"14,8048\", \"Detected\",\n\"1,8020\", \"Started\",\n\"2,8020\", \"Completed\",\n\"3,8020\", \"Cancelled\",\n\"4,8020\", \"Duration Violation\",\n\"5,8020\", \"Pause Violation\",\n\"6,8020\", \"Error\",\n\"1,8021\", \"Permission\",\n\"2,8021\", \"Encrypted\",\n\"3,8021\", \"Size\",\n\"4,8021\", \"Error\",\n\"5,8021\", \"Malformed\",\n\"1,8034\", \"Blocked\",\n\"2,8034\", \"Allowed\",\n\"12,8034\", \"Quarantined\",\n\"1,8036\", \"Blocked\",\n\"2,8036\", \"Allowed\",\n\"1,8037\", \"Blocked\",\n\"2,8037\", \"Allowed\",\n\"3,8037\", \"No Action\",\n\"4,8037\", \"Log\",\n\"5,8037\", \"Command Script\",\n\"6,8037\", \"Corrected\",\n\"7,8037\", \"Partially Corrected\",\n\"8,8037\", \"Uncorrected\",\n\"10,8037\", \"Delayed (required reboot)\",\n\"11,8037\", \"Deleted\",\n\"12,8037\", \"Quarantined\",\n\"13,8037\", \"Restored\",\n\"14,8037\", \"Detected\",\n\"1,8038\", \"Blocked\",\n\"2,8038\", \"Allowed\",\n\"4,8045\", \"Log\",\n\"10,8045\", \"Delayed\",\n\"15,8045\", \"Terminated\",\n\"1,8\", \"Install\",\n\"2,8\", \"Remove\",\n\"3,8\", \"Update\",\n\"4,8\", \"Expire\",\n\"5,8\", \"Exceed\",\n\"6,8\", \"Report\",\n\"7,8\", \"Low Count\",\n\"8,8\", \"Expiring\",\n\"4,1\", \"Application Log\",\n\"1,2\", \"Install\",\n\"2,2\", \"Remove\",\n\"3,2\", \"Start\",\n\"4,2\", 
\"Stop\",\n\"5,2\", \"Heartbeat\",\n\"1,3\", \"Code\",\n\"2,3\", \"Content\",\n\"3,3\", \"Configuration\",\n\"4,3\", \"Policy\",\n\"1,6\", \"Code\",\n\"2,6\", \"Content\",\n\"3,6\", \"Configuration\",\n\"4,6\", \"Policy\",\n\"1,7\", \"E-mail\",\n\"2,7\", \"SMS\",\n\"1,9\", \"Register\",\n\"2,9\", \"Unregister\",\n\"1,11\", \"Submitted\",\n\"2,11\", \"Queued\",\n\"3,11\", \"Started\",\n\"4,11\", \"Cancel Requested\",\n\"5,11\", \"Completed\",\n\"6,11\", \"Canceled\",\n\"7,11\", \"Error\",\n\"8,11\", \"Rejected\",\n\"1,15\", \"Failure\",\n\"2,15\", \"Encryption Started\",\n\"3,15\", \"Encryption Finished\",\n\"10,15\", \"Recovery Key Recycled\",\n\"1,40\", \"Install\",\n\"2,40\", \"Remove\",\n\"3,40\", \"Update\",\n\"1,41\", \"Expiring\",\n\"2,41\", \"Expired\",\n\"1,8080\", \"Exists\",\n\"2,8080\", \"Partial\",\n\"1,8081\", \"Exists\",\n\"2,8081\", \"Partial\",\n\"1,8082\", \"Exists\",\n\"2,8082\", \"Partial\",\n\"1,8085\", \"Exists\",\n\"2,8085\", \"Partial\",\n\"1,8086\", \"Exists\",\n\"2,8086\", \"Partial\",\n\"1,8087\", \"Exists\",\n\"2,8087\", \"Partial\",\n\"1,8089\", \"Exists\",\n\"2,8089\", \"Partial\",\n\"1,8090\", \"Exists\",\n\"2,8090\", \"Partial\",\n\"1,8100\", \"Remediation Completed\",\n\"2,8100\", \"Partial Remediation\",\n\"1,8101\", \"Remediation Completed\",\n\"2,8101\", \"Partial Remediation\",\n\"1,8105\", \"Remediation Completed\",\n\"2,8105\", \"Partial Remediation\",\n\"1,8106\", \"Remediation Completed\",\n\"2,8106\", \"Partial Remediation\",\n\"1,8109\", \"Remediation Completed\",\n\"2,8109\", \"Partial Remediation\",\n\"1,8110\", \"Remediation Completed\",\n\"2,8110\", \"Partial Remediation\",\n\"3,8119\", \"Does Not Exists\",\n\"4,8119\", \"Error\",\n\"5,8119\", \"Unsupported\",\n\"1,8107\", \"Remediation Completed\",\n\"2,8107\", \"Partial Remediation\",\n\"1,8084\", \"Exists\",\n\"2,8084\", \"Partial\",\n\"1,8083\", \"Exists\",\n\"2,8083\", \"Partial\",\n\"1,8104\", \"Remediation Completed\",\n\"2,8104\", \"Partial 
Remediation\",\n\"1,8103\", \"Remediation Completed\",\n\"2,8103\", \"Partial Remediation\",\n\"1,8102\", \"Remediation Completed\",\n\"2,8102\", \"Partial Remediation\",\n\"1,8000\", \"Logon\",\n\"2,8000\", \"Logoff\",\n\"1,8004\", \"Create\",\n\"2,8004\", \"Delete\",\n\"4,8004\", \"Rename\",\n\"5,8004\", \"Modify\",\n\"6,8004\", \"Set Attributes\",\n\"7,8004\", \"Set Security\",\n\"8,8004\", \"Get Attributes\",\n\"9,8004\", \"Get Security\",\n\"10,8004\", \"Encrypt\",\n\"11,8004\", \"Decrypt\",\n\"12,8004\", \"Mount\",\n\"13,8004\", \"Unmount\",\n\"1,8005\", \"Create Key\",\n\"2,8005\", \"Delete Key\",\n\"3,8005\", \"Open Key\",\n\"4,8005\", \"Rename Key\",\n\"5,8005\", \"Set Key Security Descriptor\",\n\"6,8005\", \"Restore Key\",\n\"1,8006\", \"Get Value\",\n\"2,8006\", \"Set Value\",\n\"3,8006\", \"Delete Value\",\n\"1,8008\", \"Page Allocate\",\n\"2,8008\", \"Page Modify\",\n\"3,8008\", \"Page Delete\",\n\"4,8008\", \"Buffer Overflow\",\n\"1,8009\", \"Create\",\n\"2,8009\", \"Read\",\n\"3,8009\", \"Delete\",\n\"5,8010\", \"System Activity\",\n\"5,8011\", \"System Activity\",\n\"5,8012\", \"System Activity\",\n\"5,8013\", \"System Activity\",\n\"1,8003\", \"Create\",\n\"2,8003\", \"Delete\",\n\"3,8003\", \"Open\",\n\"4,8003\", \"Rename\",\n\"5,8003\", \"Modify\",\n\"6,8003\", \"Set Attributes\",\n\"7,8003\", \"Set Security\",\n\"8,8003\", \"Get Attributes\",\n\"9,8003\", \"Get Security\",\n\"10,8003\", \"Encrypt\",\n\"11,8003\", \"Decrypt\",\n\"1,8002\", \"Load\",\n\"2,8002\", \"Unload\",\n\"1,8035\", \"Blocked\",\n\"2,8035\", \"Allowed\",\n\"3,8035\", \"No Action\",\n\"4,8035\", \"Log\",\n\"5,8035\", \"Command Script\",\n\"6,8035\", \"Corrected\",\n\"7,8035\", \"Partially Corrected\",\n\"8,8035\", \"Uncorrected\",\n\"10,8035\", \"Delayed (required reboot)\",\n\"11,8035\", \"Deleted\",\n\"12,8035\", \"Quarantined\",\n\"13,8035\", \"Restored\",\n\"14,8035\", \"Detected\",\n\"1,8050\", \"Blocked\",\n\"2,8050\", \"Allowed\",\n\"3,8050\", \"Dropped\",\n\"4,8050\", 
\"Deleted\",\n\"5,8050\", \"Isolated\",\n\"1,8070\", \"Passed\",\n\"2,8070\", \"Failed\",\n\"3,8070\", \"Soft Fail\",\n\"4,8070\", \"Log\",\n\"1,8071\", \"Compliance Check\",\n\"2,8071\", \"Remediation Check\",\n\"1,8001\", \"Launch\",\n\"2,8001\", \"Terminate\",\n\"3,8001\", \"Open\",\n\"4,8001\", \"Inject\",\n\"1,8007\", \"Connect\",\n\"2,8007\", \"Disconnect\",\n\"1,30\", \"Install\",\n\"2,30\", \"Remove\",\n\"3,30\", \"Update\",\n\"1,31\", \"Expiring\",\n\"2,31\", \"Expired\",\n\"1,32\", \"Low Count\",\n\"2,32\", \"Exceeded\",\n\"1,9000\", \"Blocked\",\n\"2,9000\", \"Allowed\",\n\"1,9001\", \"Blocked\",\n\"2,9001\", \"Allowed\",\n\"12,9001\", \"Quarantined\",\n\"1,9002\", \"Blocked\",\n\"2,9002\", \"Allowed\",\n\"12,9002\", \"Quarantined\",\n\"20,9002\", \"Approved\",\n\"21,9002\", \"Custom Action\",\n\"22,9002\", \"Expunged\",\n\"1,9003\", \"Blocked\",\n\"2,9003\", \"Allowed\"\n];\nSymantecICDx_CL\n| where file_name_s <> \"\"\n| where (category_id_d == 1 and (type_id_d==8031 or type_id_d==8046 or type_id_d==8028 or type_id_d==8021)) or\n (category_id_d == 5 and (type_id_d==8004 or type_id_d==8003 or type_id_d==8002)) or\n (category_id_d == 7 and (type_id_d==8084 or type_id_d==8083 or type_id_d==8082 or type_id_d==8104 or type_id_d==8103 or type_id_d==8102))\n| extend disposition_type = strcat(toint(id_d), \",\", toint(type_id_d)) \n| join kind = inner (disptypeMap) on disposition_type\n| summarize Action_Count=count() by Action\n"
|
|
}
|
|
},
|
|
"asset": {
|
|
"idInputName": "ComponentId",
|
|
"type": "ApplicationInsights"
|
|
}
|
|
}
|
|
},
|
|
"8": {
|
|
"position": {
|
|
"x": 0,
|
|
"y": 9,
|
|
"colSpan": 6,
|
|
"rowSpan": 4
|
|
},
|
|
"metadata": {
|
|
"inputs": [
|
|
{
|
|
"name": "ComponentId",
|
|
"value": {
|
|
"SubscriptionId": "{Subscription_Id}",
|
|
"ResourceGroup": "{Resource_Group}",
|
|
"Name": "{Workspace_Name}"
|
|
}
|
|
},
|
|
{
|
|
"name": "Query",
|
|
"value": "SymantecICDx_CL \n| where file_name_s <> \"\"\n| where (category_id_d == 1 and (type_id_d==8031 or type_id_d==8046 or type_id_d==8028 or type_id_d==8021)) or\n (category_id_d == 5 and (type_id_d==8004 or type_id_d==8003 or type_id_d==8002)) or\n (category_id_d == 7 and (type_id_d==8084 or type_id_d==8083 or type_id_d==8082 or type_id_d==8104 or type_id_d==8103 or type_id_d==8102))\n | summarize Count=count() by product_name_s\n | sort by Count desc \n"
|
|
},
|
|
{
|
|
"name": "TimeRange",
|
|
"value": "P1D"
|
|
},
|
|
{
|
|
"name": "Dimensions",
|
|
"value": {
|
|
"xAxis": {
|
|
"name": "product_name_s",
|
|
"type": "String"
|
|
},
|
|
"yAxis": [
|
|
{
|
|
"name": "Count",
|
|
"type": "Int64"
|
|
}
|
|
],
|
|
"splitBy": [],
|
|
"aggregation": "Sum"
|
|
}
|
|
},
|
|
{
|
|
"name": "Version",
|
|
"value": "1.0"
|
|
},
|
|
{
|
|
"name": "DashboardId",
|
|
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/SymantecSecurityOverviewDashboard_{Workspace_Name}"
|
|
},
|
|
{
|
|
"name": "PartId",
|
|
"value": "0230f382-14f3-445e-a9c2-3ec9a076a9d4"
|
|
},
|
|
{
|
|
"name": "PartTitle",
|
|
"value": "Analytics"
|
|
},
|
|
{
|
|
"name": "PartSubTitle",
|
|
"value": " "
|
|
},
|
|
{
|
|
"name": "resourceTypeMode",
|
|
"value": "workspace"
|
|
},
|
|
{
|
|
"name": "ControlType",
|
|
"value": "AnalyticsChart"
|
|
},
|
|
{
|
|
"name": "SpecificChart",
|
|
"value": "Bar"
|
|
}
|
|
],
|
|
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
|
|
"settings": {
|
|
"content": {
|
|
"PartTitle": "Product distribution across events with file object",
|
|
"PartSubTitle": "Symantec Integrated Cyber Defense",
|
|
"Query": "SymantecICDx_CL \n| where file_name_s <> \"\"\n| where (category_id_d == 1 and (type_id_d==8031 or type_id_d==8046 or type_id_d==8028 or type_id_d==8021)) or\n (category_id_d == 5 and (type_id_d==8004 or type_id_d==8003 or type_id_d==8002)) or\n (category_id_d == 7 and (type_id_d==8084 or type_id_d==8083 or type_id_d==8082 or type_id_d==8104 or type_id_d==8103 or type_id_d==8102))\n | summarize Count=count() by product_name_s\n | sort by Count desc \n"
|
|
}
|
|
},
|
|
"asset": {
|
|
"idInputName": "ComponentId",
|
|
"type": "ApplicationInsights"
|
|
}
|
|
}
|
|
},
|
|
"9": {
|
|
"position": {
|
|
"x": 6,
|
|
"y": 9,
|
|
"colSpan": 6,
|
|
"rowSpan": 4
|
|
},
|
|
"metadata": {
|
|
"inputs": [
|
|
{
|
|
"name": "ComponentId",
|
|
"value": {
|
|
"SubscriptionId": "{Subscription_Id}",
|
|
"ResourceGroup": "{Resource_Group}",
|
|
"Name": "{Workspace_Name}"
|
|
}
|
|
},
|
|
{
|
|
"name": "Query",
|
|
"value": "let severityMapTable = datatable(severity_id_d:double, severity_name:string)\n [\n 0, \"Unknown\",\n 1, \"Informational\",\n 2, \"Warning\",\n 3, \"Minor\",\n 4, \"Major\",\n 5, \"Critical\",\n 6, \"Fatal\"\n];\nSymantecICDx_CL \n| where file_name_s <> \"\"\n| where (category_id_d == 1 and (type_id_d==8031 or type_id_d==8046 or type_id_d==8028 or type_id_d==8021)) or\n (category_id_d == 5 and (type_id_d==8004 or type_id_d==8003 or type_id_d==8002)) or\n (category_id_d == 7 and (type_id_d==8084 or type_id_d==8083 or type_id_d==8082 or type_id_d==8104 or type_id_d==8103 or type_id_d==8102))\n| join kind = inner (severityMapTable) on severity_id_d \n| summarize Count=count() by Severity_Type=severity_name\n| sort by Count desc\n"
|
|
},
|
|
{
|
|
"name": "TimeRange",
|
|
"value": "P1D"
|
|
},
|
|
{
|
|
"name": "Dimensions",
|
|
"value": {
|
|
"xAxis": {
|
|
"name": "Severity_Type",
|
|
"type": "String"
|
|
},
|
|
"yAxis": [
|
|
{
|
|
"name": "Count",
|
|
"type": "Int64"
|
|
}
|
|
],
|
|
"splitBy": [],
|
|
"aggregation": "Sum"
|
|
}
|
|
},
|
|
{
|
|
"name": "Version",
|
|
"value": "1.0"
|
|
},
|
|
{
|
|
"name": "DashboardId",
|
|
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/SymantecSecurityOverviewDashboard_{Workspace_Name}"
|
|
},
|
|
{
|
|
"name": "PartId",
|
|
"value": "1ecba5df-4876-43d1-b0f0-0d289cb8334b"
|
|
},
|
|
{
|
|
"name": "PartTitle",
|
|
"value": "Analytics"
|
|
},
|
|
{
|
|
"name": "PartSubTitle",
|
|
"value": " "
|
|
},
|
|
{
|
|
"name": "resourceTypeMode",
|
|
"value": "workspace"
|
|
},
|
|
{
|
|
"name": "ControlType",
|
|
"value": "AnalyticsChart"
|
|
},
|
|
{
|
|
"name": "SpecificChart",
|
|
"value": "Bar"
|
|
}
|
|
],
|
|
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
|
|
"settings": {
|
|
"content": {
|
|
"PartTitle": "Severity distribution across events with file object",
|
|
"PartSubTitle": "Symantec Integrated Cyber Defense",
|
|
"Query": "let severityMapTable = datatable(severity_id_d:double, severity_name:string)\n [\n 0, \"Unknown\",\n 1, \"Informational\",\n 2, \"Warning\",\n 3, \"Minor\",\n 4, \"Major\",\n 5, \"Critical\",\n 6, \"Fatal\"\n];\nSymantecICDx_CL \n| where file_name_s <> \"\"\n| where (category_id_d == 1 and (type_id_d==8031 or type_id_d==8046 or type_id_d==8028 or type_id_d==8021)) or\n (category_id_d == 5 and (type_id_d==8004 or type_id_d==8003 or type_id_d==8002)) or\n (category_id_d == 7 and (type_id_d==8084 or type_id_d==8083 or type_id_d==8082 or type_id_d==8104 or type_id_d==8103 or type_id_d==8102))\n| join kind = inner (severityMapTable) on severity_id_d \n| summarize Count=count() by Severity_Type=severity_name\n| sort by Count desc\n"
|
|
}
|
|
},
|
|
"asset": {
|
|
"idInputName": "ComponentId",
|
|
"type": "ApplicationInsights"
|
|
}
|
|
}
|
|
},
|
|
"10": {
|
|
"position": {
|
|
"x": 12,
|
|
"y": 9,
|
|
"colSpan": 6,
|
|
"rowSpan": 4
|
|
},
|
|
"metadata": {
|
|
"inputs": [
|
|
{
|
|
"name": "ComponentId",
|
|
"value": {
|
|
"SubscriptionId": "{Subscription_Id}",
|
|
"ResourceGroup": "{Resource_Group}",
|
|
"Name": "{Workspace_Name}"
|
|
}
|
|
},
|
|
{
|
|
"name": "Query",
|
|
"value": "SymantecICDx_CL \n| where (category_id_d == 1 and (type_id_d==8031 or type_id_d==8046 or type_id_d==8028 or type_id_d==8021)) or\n (category_id_d == 5 and (type_id_d==8004 or type_id_d==8003 or type_id_d==8002)) or\n (category_id_d == 7 and (type_id_d==8084 or type_id_d==8083 or type_id_d==8082 or type_id_d==8104 or type_id_d==8103 or type_id_d==8102))\n | extend username = iff(user_name_s <> \"\", user_name_s , \"Unknown\")\n | summarize Count=count() by User_Name=username \n | sort by Count desc\n | top 25 by Count desc\n"
|
|
},
|
|
{
|
|
"name": "TimeRange",
|
|
"value": "P1D"
|
|
},
|
|
{
|
|
"name": "Dimensions",
|
|
"value": {
|
|
"xAxis": {
|
|
"name": "User_Name",
|
|
"type": "String"
|
|
},
|
|
"yAxis": [
|
|
{
|
|
"name": "Count",
|
|
"type": "Int64"
|
|
}
|
|
],
|
|
"splitBy": [],
|
|
"aggregation": "Sum"
|
|
}
|
|
},
|
|
{
|
|
"name": "Version",
|
|
"value": "1.0"
|
|
},
|
|
{
|
|
"name": "DashboardId",
|
|
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/SymantecSecurityOverviewDashboard_{Workspace_Name}"
|
|
},
|
|
{
|
|
"name": "PartId",
|
|
"value": "4cb9e5cd-2a77-49d4-90ab-65d143c6728d"
|
|
},
|
|
{
|
|
"name": "PartTitle",
|
|
"value": "Analytics"
|
|
},
|
|
{
|
|
"name": "PartSubTitle",
|
|
"value": " "
|
|
},
|
|
{
|
|
"name": "resourceTypeMode",
|
|
"value": "workspace"
|
|
},
|
|
{
|
|
"name": "ControlType",
|
|
"value": "AnalyticsDonut"
|
|
},
|
|
{
|
|
"name": "SpecificChart",
|
|
"isOptional": true
|
|
}
|
|
],
|
|
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
|
|
"settings": {
|
|
"content": {
|
|
"PartTitle": "Top 25 users across events with file object",
|
|
"PartSubTitle": "Symantec Integrated Cyber Defense",
|
|
"Query": "SymantecICDx_CL \n| where (category_id_d == 1 and (type_id_d==8031 or type_id_d==8046 or type_id_d==8028 or type_id_d==8021)) or\n (category_id_d == 5 and (type_id_d==8004 or type_id_d==8003 or type_id_d==8002)) or\n (category_id_d == 7 and (type_id_d==8084 or type_id_d==8083 or type_id_d==8082 or type_id_d==8104 or type_id_d==8103 or type_id_d==8102))\n | extend username = iff(user_name_s <> \"\", user_name_s , \"Unknown\")\n | summarize Count=count() by User_Name=username \n | sort by Count desc\n | top 25 by Count desc\n"
|
|
}
|
|
},
|
|
"asset": {
|
|
"idInputName": "ComponentId",
|
|
"type": "ApplicationInsights"
|
|
}
|
|
}
|
|
},
|
|
"11": {
|
|
"position": {
|
|
"x": 0,
|
|
"y": 13,
|
|
"colSpan": 6,
|
|
"rowSpan": 4
|
|
},
|
|
"metadata": {
|
|
"inputs": [
|
|
{
|
|
"name": "ComponentId",
|
|
"value": {
|
|
"SubscriptionId": "{Subscription_Id}",
|
|
"ResourceGroup": "{Resource_Group}",
|
|
"Name": "{Workspace_Name}"
|
|
}
|
|
},
|
|
{
|
|
"name": "Query",
|
|
"value": "let threatTypeMap = datatable(threat_type_id_d:double, threat_category:string)\n [\n 1, \"Malware\",\n 2, \"Behavioural\",\n 3, \"Potentially Unwanted Applications\",\n 4, \"Exploit (pep)\",\n 5, \"Heuristic\",\n 6, \"Security Risk\"\n ];\nSymantecICDx_CL\n| where file_name_s <> \"\"\n| join kind = inner (threatTypeMap) on threat_type_id_d \n| extend threat_category_fnl = iff(threat_category <> \"\", threat_category, \"Unknown\")\n| summarize Count=count() by Threat_Category=threat_category_fnl\n| sort by Count desc\n| top 25 by Count desc\n"
|
|
},
|
|
{
|
|
"name": "TimeRange",
|
|
"value": "P1D"
|
|
},
|
|
{
|
|
"name": "Dimensions",
|
|
"value": {
|
|
"xAxis": {
|
|
"name": "Threat_Category",
|
|
"type": "String"
|
|
},
|
|
"yAxis": [
|
|
{
|
|
"name": "Count",
|
|
"type": "Int64"
|
|
}
|
|
],
|
|
"splitBy": [],
|
|
"aggregation": "Sum"
|
|
}
|
|
},
|
|
{
|
|
"name": "Version",
|
|
"value": "1.0"
|
|
},
|
|
{
|
|
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/SymantecSecurityOverviewDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "fbf0d6c9-036a-46a3-b279-8a7f11de4ddd"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": " "
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsDonut"
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Threat categories across events with a file object",
"PartSubTitle": "Symantec Integrated Cyber Defense",
"Query": "let threatTypeMap = datatable(threat_type_id_d:double, threat_category:string)\n [\n 1, \"Malware\",\n 2, \"Behavioural\",\n 3, \"Potentially Unwanted Applications\",\n 4, \"Exploit (pep)\",\n 5, \"Heuristic\",\n 6, \"Security Risk\"\n ];\nSymantecICDx_CL\n| where file_name_s <> \"\"\n| join kind = inner (threatTypeMap) on threat_type_id_d \n| extend threat_category_fnl = iff(threat_category <> \"\", threat_category, \"Unknown\")\n| summarize Count=count() by Threat_Category=threat_category_fnl\n| sort by Count desc\n| top 25 by Count desc\n"
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"12": {
"position": {
"x": 6,
"y": 13,
"colSpan": 12,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}"
}
},
{
"name": "Query",
"value": "SymantecICDx_CL\n| where file_name_s <> \"\"\n| where (category_id_d == 1 and (type_id_d==8031 or type_id_d==8046 or type_id_d==8028 or type_id_d==8021)) or\n (category_id_d == 5 and (type_id_d==8004 or type_id_d==8003 or type_id_d==8002)) or\n (category_id_d == 7 and (type_id_d==8084 or type_id_d==8083 or type_id_d==8082 or type_id_d==8104 or type_id_d==8103 or type_id_d==8102))\n| extend threatname = iff(threat_name_s <> \"\", threat_name_s , \"Unknown\")\n| summarize Event_Count=count() by File_Name=file_name_s, Threat_Name=threatname, Product_Name=product_name_s\n| sort by Event_Count desc\n| top 25 by Event_Count desc\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/SymantecSecurityOverviewDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "fa099e61-3786-4af1-b3fe-8ae070c70b5f"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": " "
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsGrid"
},
{
"name": "Dimensions",
"isOptional": true
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Top 25 files with threats",
"PartSubTitle": "Symantec Integrated Cyber Defense",
"Query": "SymantecICDx_CL\n| where file_name_s <> \"\"\n| where (category_id_d == 1 and (type_id_d==8031 or type_id_d==8046 or type_id_d==8028 or type_id_d==8021)) or\n (category_id_d == 5 and (type_id_d==8004 or type_id_d==8003 or type_id_d==8002)) or\n (category_id_d == 7 and (type_id_d==8084 or type_id_d==8083 or type_id_d==8082 or type_id_d==8104 or type_id_d==8103 or type_id_d==8102))\n| extend threatname = iff(threat_name_s <> \"\", threat_name_s , \"Unknown\")\n| summarize Event_Count=count() by File_Name=file_name_s, Threat_Name=threatname, Product_Name=product_name_s\n| sort by Event_Count desc\n| top 25 by Event_Count desc\n"
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
}
}
}
}
}
}