{
|
|
"version": "Notebook/1.0",
|
|
"items": [
|
|
{
|
|
"type": 11,
|
|
"content": {
|
|
"version": "LinkItem/1.0",
|
|
"style": "tabs",
|
|
"links": [
|
|
{
|
|
"cellValue": "Tab",
|
|
"linkTarget": "parameter",
|
|
"linkLabel": "General",
|
|
"subTarget": "General",
|
|
"style": "link"
|
|
},
|
|
{
|
|
"cellValue": "Tab",
|
|
"linkTarget": "parameter",
|
|
"linkLabel": "Alerts and Incidents",
|
|
"subTarget": "Alerts",
|
|
"style": "link"
|
|
},
|
|
{
|
|
"cellValue": "Tab",
|
|
"linkTarget": "parameter",
|
|
"linkLabel": "Compliance and Posture",
|
|
"subTarget": "Compliance",
|
|
"style": "link"
|
|
},
|
|
{
|
|
"cellValue": "Tab",
|
|
"linkTarget": "parameter",
|
|
"linkLabel": "Endpoint Updates and Protection",
|
|
"subTarget": "EP",
|
|
"style": "link"
|
|
},
|
|
{
|
|
"cellValue": "Tab",
|
|
"linkTarget": "parameter",
|
|
"linkLabel": "Qualys",
|
|
"subTarget": "Qualys",
|
|
"style": "link"
|
|
},
|
|
{
|
|
"cellValue": "Tab",
|
|
"linkTarget": "parameter",
|
|
"linkLabel": "File Integrity Monitoring",
|
|
"subTarget": "FIM",
|
|
"style": "link"
|
|
}
|
|
]
|
|
},
|
|
"name": "links - 9"
|
|
},
|
|
{
|
|
"type": 9,
|
|
"content": {
|
|
"version": "KqlParameterItem/1.0",
|
|
"crossComponentResources": [
|
|
"value::selected"
|
|
],
|
|
"parameters": [
|
|
{
|
|
"id": "3218e2b0-1bcc-46d4-affa-d298e0cf90f6",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "DefaultSubscription_Internal",
|
|
"type": 1,
|
|
"isRequired": true,
|
|
"query": "where type =~ 'microsoft.operationalinsights/workspaces'\r\n| take 1\r\n| project subscriptionId",
|
|
"crossComponentResources": [
|
|
"value::selected"
|
|
],
|
|
"isHiddenWhenLocked": true,
|
|
"queryType": 1,
|
|
"resourceType": "microsoft.resourcegraph/resources"
|
|
},
|
|
{
|
|
"id": "e6ded9a1-a83c-4762-938d-5bf8ff3d3d38",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "Subscription",
|
|
"type": 6,
|
|
"isRequired": true,
|
|
"query": "summarize by subscriptionId\r\n| project value = strcat(\"/subscriptions/\", subscriptionId), label = subscriptionId, selected = iff(subscriptionId =~ '{DefaultSubscription_Internal}', true, false)",
|
|
"crossComponentResources": [
|
|
"value::selected"
|
|
],
|
|
"typeSettings": {
|
|
"additionalResourceOptions": []
|
|
},
|
|
"queryType": 1,
|
|
"resourceType": "microsoft.resourcegraph/resources"
|
|
}
|
|
],
|
|
"style": "above",
|
|
"queryType": 1,
|
|
"resourceType": "microsoft.resourcegraph/resources"
|
|
},
|
|
"customWidth": "33",
|
|
"name": "parameters - 10"
|
|
},
|
|
{
|
|
"type": 9,
|
|
"content": {
|
|
"version": "KqlParameterItem/1.0",
|
|
"parameters": [
|
|
{
|
|
"id": "6d2d5f84-767c-4d51-82d5-6981e96bacdc",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "Workspace",
|
|
"type": 5,
|
|
"query": "resources\r\n| where type =~ 'microsoft.operationalinsights/workspaces'\r\n| order by name asc\r\n| summarize Selected = makelist(id, 10), All = makelist(id, 1000)\r\n| mvexpand All limit 100\r\n| project value = tostring(All), label = tostring(All), selected = iff(Selected contains All, true, false)",
|
|
"crossComponentResources": [
|
|
"{Subscription}"
|
|
],
|
|
"value": "/subscriptions/<subs_ID>/resourcegroups/<rg_name>/providers/microsoft.operationalinsights/workspaces/<workspace_name>",
|
|
"typeSettings": {
|
|
"additionalResourceOptions": []
|
|
},
|
|
"queryType": 1,
|
|
"resourceType": "microsoft.resourcegraph/resources"
|
|
},
|
|
{
|
|
"id": "befbf593-c171-4129-b890-7e642265ed0c",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "TimeRange",
|
|
"type": 4,
|
|
"isRequired": true,
|
|
"value": {
|
|
"durationMs": 2592000000
|
|
},
|
|
"typeSettings": {
|
|
"selectableValues": [
|
|
{
|
|
"durationMs": 300000
|
|
},
|
|
{
|
|
"durationMs": 900000
|
|
},
|
|
{
|
|
"durationMs": 1800000
|
|
},
|
|
{
|
|
"durationMs": 3600000
|
|
},
|
|
{
|
|
"durationMs": 14400000
|
|
},
|
|
{
|
|
"durationMs": 43200000
|
|
},
|
|
{
|
|
"durationMs": 86400000
|
|
},
|
|
{
|
|
"durationMs": 172800000
|
|
},
|
|
{
|
|
"durationMs": 259200000
|
|
},
|
|
{
|
|
"durationMs": 604800000
|
|
},
|
|
{
|
|
"durationMs": 1209600000
|
|
},
|
|
{
|
|
"durationMs": 2419200000
|
|
},
|
|
{
|
|
"durationMs": 2592000000
|
|
},
|
|
{
|
|
"durationMs": 5184000000
|
|
},
|
|
{
|
|
"durationMs": 7776000000
|
|
}
|
|
]
|
|
},
|
|
"resourceType": "microsoft.insights/components"
|
|
}
|
|
],
|
|
"style": "above",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
"customWidth": "50",
|
|
"name": "parameters - 8"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "union withsource=Table_Name *\r\n| summarize Count=count() by Table_Name\r\n| render barchart",
|
|
"size": 0,
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
]
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "Tab",
|
|
"comparison": "isEqualTo",
|
|
"value": "General"
|
|
},
|
|
"name": "General"
|
|
},
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"items": [
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "SecurityAlert \r\n| summarize AlertCount = count() by AlertSeverity",
|
|
"size": 1,
|
|
"title": "Alerts by Severity",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"visualization": "piechart"
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 0"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "SecurityAlert \r\n| summarize AlertCount = count() by ProviderName, IsIncident",
|
|
"size": 1,
|
|
"title": "Alerts by Provider and Incident Status",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"visualization": "piechart"
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 9"
|
|
},
|
|
{
|
|
"type": 9,
|
|
"content": {
|
|
"version": "KqlParameterItem/1.0",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"parameters": [
|
|
{
|
|
"id": "43415fb7-83e4-4b71-9e69-59c3acb598e3",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "ProductSelection",
|
|
"type": 5,
|
|
"isRequired": true,
|
|
"multiSelect": true,
|
|
"quote": "'",
|
|
"delimiter": ",",
|
|
"query": "SecurityAlert \r\n| where isnotempty(ProductName)\r\n| summarize count() by ProductName\r\n| order by count_ desc",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"value": [
|
|
"value::all"
|
|
],
|
|
"typeSettings": {
|
|
"additionalResourceOptions": [
|
|
"value::all"
|
|
]
|
|
},
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
{
|
|
"id": "903503cc-f549-4d2c-bd6e-adebb0d91799",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "SeveritySelect",
|
|
"type": 2,
|
|
"isRequired": true,
|
|
"multiSelect": true,
|
|
"quote": "'",
|
|
"delimiter": ",",
|
|
"query": "SecurityAlert \r\n| where isnotempty(AlertSeverity)\r\n| summarize by AlertSeverity",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"value": [
|
|
"value::all"
|
|
],
|
|
"typeSettings": {
|
|
"additionalResourceOptions": [
|
|
"value::all"
|
|
]
|
|
},
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
}
|
|
],
|
|
"style": "above",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
"customWidth": "30",
|
|
"name": "parameters - 10"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "SecurityAlert\r\n| where ProductName in ( {ProductSelection} )\r\n| where AlertSeverity in ({SeveritySelect})\r\n| extend HostName = tostring(parse_json(Entities)[0].HostName) \r\n| summarize AlertCount = count() by AlertSeverity, VendorName, ProductName, SystemAlertId, ResourceId, AlertType, StartTime, EndTime, RemediationSteps, AlertLink",
|
|
"size": 0,
|
|
"title": "Alert Details for {TimeRange:label}",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"showExportToExcel": true,
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"visualization": "table",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "AlertSeverity",
|
|
"formatter": 18,
|
|
"formatOptions": {
|
|
"showIcon": true,
|
|
"thresholdsOptions": "colors",
|
|
"thresholdsGrid": [
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "High",
|
|
"representation": "redBright",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "Medium",
|
|
"representation": "orange",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "Low",
|
|
"representation": "blue",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "Default",
|
|
"thresholdValue": null,
|
|
"representation": "blue",
|
|
"text": "{0}{1}"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "AlertLink",
|
|
"formatter": 7,
|
|
"formatOptions": {
|
|
"linkTarget": "GenericDetails",
|
|
"linkIsContextBlade": true,
|
|
"showIcon": true
|
|
}
|
|
}
|
|
],
|
|
"filter": true
|
|
}
|
|
},
|
|
"name": "query - 11"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "SecurityAlert\r\n| make-series count() default=0 on StartTime from {TimeRange:start} to {TimeRange:end} step 1d by ProductName",
|
|
"size": 0,
|
|
"title": "Alert Count by Product Over '{TimeRange:label}'",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"timeBrushParameterName": "TimeBrush",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"visualization": "timechart"
|
|
},
|
|
"name": "query - 4"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "SecurityAlert\r\n| project TimeGenerated, DisplayName, AlertSeverity, ProductName, ResourceId, Entities, RemediationSteps, AlertLink\r\n| sort by TimeGenerated",
|
|
"size": 0,
|
|
"title": "Alerts Between '{TimeBrush:label}'",
|
|
"timeContext": {
|
|
"durationMs": 86400000
|
|
},
|
|
"showExportToExcel": true,
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "AlertSeverity",
|
|
"formatter": 18,
|
|
"formatOptions": {
|
|
"showIcon": true,
|
|
"thresholdsOptions": "colors",
|
|
"thresholdsGrid": [
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "High",
|
|
"representation": "redBright",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "Medium",
|
|
"representation": "yellow",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "Low",
|
|
"representation": "blue",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "Informational",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "Default",
|
|
"thresholdValue": null,
|
|
"representation": "blue",
|
|
"text": "{0}{1}"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "AlertLink",
|
|
"formatter": 7,
|
|
"formatOptions": {
|
|
"linkTarget": "GenericDetails",
|
|
"linkIsContextBlade": true,
|
|
"showIcon": true
|
|
}
|
|
}
|
|
],
|
|
"labelSettings": [
|
|
{
|
|
"columnId": "TimeGenerated"
|
|
},
|
|
{
|
|
"columnId": "DisplayName",
|
|
"label": "Alert Name"
|
|
},
|
|
{
|
|
"columnId": "AlertSeverity",
|
|
"label": "Severity"
|
|
},
|
|
{
|
|
"columnId": "ProductName",
|
|
"label": "Product"
|
|
},
|
|
{
|
|
"columnId": "ResourceId",
|
|
"label": "Resource"
|
|
},
|
|
{
|
|
"columnId": "Entities"
|
|
},
|
|
{
|
|
"columnId": "RemediationSteps",
|
|
"label": "Remediation Steps"
|
|
},
|
|
{
|
|
"columnId": "AlertLink",
|
|
"label": "Link"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"name": "query - 5"
|
|
}
|
|
]
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "Tab",
|
|
"comparison": "isEqualTo",
|
|
"value": "Alerts"
|
|
},
|
|
"name": "Alerts"
|
|
},
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"items": [
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "securityresources\r\n | where type == \"microsoft.security/assessments\"\r\n | where * contains \"Remediate vulnerabilities found on your virtual machines (powered by Qualys)\"\r\n | summarize by assessmentKey=name //the ID of the assessment\r\n | join kind=inner (\r\n securityresources\r\n | where type == \"microsoft.security/assessments/subassessments\"\r\n | extend assessmentKey = extract(\".*assessments/(.+?)/.*\",1, id)\r\n ) on assessmentKey\r\n| project assessmentKey, subassessmentKey=name, id, parse_json(properties), resourceGroup, subscriptionId, tenantId\r\n| extend description = properties.description,\r\n displayName = properties.displayName,\r\n resourceId = properties.resourceDetails.id,\r\n resourceSource = properties.resourceDetails.source,\r\n category = properties.category,\r\n severity = properties.status.severity,\r\n code = properties.status.code,\r\n timeGenerated = properties.timeGenerated,\r\n remediation = properties.remediation,\r\n impact = properties.impact,\r\n vulnId = properties.id,\r\n additionalData = properties.additionalData\r\n| summarize count() by tostring(severity), tostring(category)",
|
|
"size": 0,
|
|
"title": "Qualys Findings by Severity and Category",
|
|
"queryType": 1,
|
|
"resourceType": "microsoft.resourcegraph/resources",
|
|
"crossComponentResources": [
|
|
"{Subscription}"
|
|
],
|
|
"visualization": "piechart"
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 0"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "securityresources\r\n | where type == \"microsoft.security/assessments\"\r\n | where * contains \"Remediate vulnerabilities found on your virtual machines (powered by Qualys)\"\r\n | summarize by assessmentKey=name //the ID of the assessment\r\n | join kind=inner (\r\n securityresources\r\n | where type == \"microsoft.security/assessments/subassessments\"\r\n | extend assessmentKey = extract(\".*assessments/(.+?)/.*\",1, id)\r\n ) on assessmentKey\r\n| project assessmentKey, subassessmentKey=name, id, parse_json(properties), resourceGroup, subscriptionId, tenantId\r\n| extend description = properties.description,\r\n displayName = properties.displayName,\r\n resourceId = properties.resourceDetails.id,\r\n resourceSource = properties.resourceDetails.source,\r\n category = properties.category,\r\n severity = properties.status.severity,\r\n code = properties.status.code,\r\n timeGenerated = properties.timeGenerated,\r\n remediation = properties.remediation,\r\n impact = properties.impact,\r\n vulnId = properties.id,\r\n additionalData = properties.additionalData\r\n| summarize count() by tostring(category)",
|
|
"size": 0,
|
|
"title": "Qualys Findings by Category",
|
|
"queryType": 1,
|
|
"resourceType": "microsoft.resourcegraph/resources",
|
|
"crossComponentResources": [
|
|
"{Subscription}"
|
|
],
|
|
"visualization": "piechart"
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 2"
|
|
},
|
|
{
|
|
"type": 9,
|
|
"content": {
|
|
"version": "KqlParameterItem/1.0",
|
|
"crossComponentResources": [
|
|
"{Subscription}"
|
|
],
|
|
"parameters": [
|
|
{
|
|
"id": "7f84ceda-dbeb-48da-b90e-e595824197cf",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "Severity",
|
|
"type": 5,
|
|
"isRequired": true,
|
|
"multiSelect": true,
|
|
"quote": "'",
|
|
"delimiter": ",",
|
|
"query": "securityresources\r\n | where type == \"microsoft.security/assessments\"\r\n | where * contains \"Remediate vulnerabilities found on your virtual machines (powered by Qualys)\"\r\n | summarize by assessmentKey=name //the ID of the assessment\r\n | join kind=inner (\r\n securityresources\r\n | where type == \"microsoft.security/assessments/subassessments\"\r\n | extend assessmentKey = extract(\".*assessments/(.+?)/.*\",1, id)\r\n ) on assessmentKey\r\n| project assessmentKey, subassessmentKey=name, id, parse_json(properties), resourceGroup, subscriptionId, tenantId\r\n| extend severity = tostring(properties.status.severity)\r\n| distinct severity\r\n| order by severity asc\r\n",
|
|
"crossComponentResources": [
|
|
"{Subscription}"
|
|
],
|
|
"value": [],
|
|
"typeSettings": {
|
|
"additionalResourceOptions": []
|
|
},
|
|
"queryType": 1,
|
|
"resourceType": "microsoft.resourcegraph/resources"
|
|
}
|
|
],
|
|
"style": "above",
|
|
"queryType": 1,
|
|
"resourceType": "microsoft.resourcegraph/resources"
|
|
},
|
|
"name": "parameters - 2"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "securityresources\r\n | where type == \"microsoft.security/assessments\"\r\n | where * contains \"Remediate vulnerabilities found on your virtual machines (powered by Qualys)\"\r\n | summarize by assessmentKey=name //the ID of the assessment\r\n | join kind=inner (\r\n securityresources\r\n | where type == \"microsoft.security/assessments/subassessments\"\r\n | extend assessmentKey = extract(\".*assessments/(.+?)/.*\",1, id)\r\n ) on assessmentKey\r\n| parse id with * \"/virtualMachines/\" strCompName \"/providers\" * \r\n| project assessmentKey, subassessmentKey=name, id, parse_json(properties), resourceGroup, subscriptionId, tenantId, strCompName\r\n| extend description = properties.description,\r\n displayName = properties.displayName,\r\n resourceId = properties.resourceDetails.id,\r\n resourceSource = properties.resourceDetails.source,\r\n category = properties.category,\r\n severity = properties.status.severity,\r\n code = properties.status.code,\r\n timeGenerated = properties.timeGenerated,\r\n remediation = properties.remediation,\r\n impact = properties.impact,\r\n vulnId = properties.id,\r\n additionalData = properties.additionalData,\r\n assessedResourceType = tostring(properties.additionalData.assessedResourceType),\r\n\t\t vendorReferences = tostring(properties.additionalData.vendorReferences),\r\n\t\t patchable\t\t = tostring(properties.additionalData.patchable),\r\n\t\t atype \t\t = tostring(properties.additionalData.type),\r\n\t\t threat \t\t = tostring(properties.additionalData.threat)\r\n//| project severity, '{Severity:name}'\r\n| where severity in ({Severity})\r\n| summarize by Severity = tostring(severity), ['Computer Name']=strCompName, Description = tostring(displayName) , Category = tostring(category) , tostring(remediation), tostring(impact), tostring(vulnId), assessedResourceType, vendorReferences, patchable, Type=atype, threat\r\n\r\n",
|
|
"size": 0,
|
|
"showExportToExcel": true,
|
|
"queryType": 1,
|
|
"resourceType": "microsoft.resourcegraph/resources",
|
|
"crossComponentResources": [
|
|
"{Subscription}"
|
|
],
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "Severity",
|
|
"formatter": 18,
|
|
"formatOptions": {
|
|
"showIcon": true,
|
|
"thresholdsOptions": "colors",
|
|
"thresholdsGrid": [
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "High",
|
|
"representation": "redBright",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "Medium",
|
|
"representation": "orange",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "Low",
|
|
"representation": "green",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "Default",
|
|
"thresholdValue": null,
|
|
"representation": "blue",
|
|
"text": "{0}{1}"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "patchable",
|
|
"formatter": 18,
|
|
"formatOptions": {
|
|
"showIcon": true,
|
|
"thresholdsOptions": "colors",
|
|
"thresholdsGrid": [
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "true",
|
|
"representation": "green",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "false",
|
|
"representation": "redBright",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "Default",
|
|
"thresholdValue": null,
|
|
"representation": "blue",
|
|
"text": "{0}{1}"
|
|
}
|
|
]
|
|
}
|
|
}
|
|
],
|
|
"filter": true
|
|
}
|
|
},
|
|
"name": "query - 3"
|
|
}
|
|
]
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "Tab",
|
|
"comparison": "isEqualTo",
|
|
"value": "Qualys"
|
|
},
|
|
"name": "Qualys"
|
|
},
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"items": [
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "securityresources\r\n| where type == \"microsoft.security/regulatorycompliancestandards\"\r\n| extend \r\n\tpassedControls = trim (' ', tostring(properties.passedControls)), \r\n\tfailedControls = trim(' ',tostring(properties.failedControls)), \r\n\tstate \t\t = trim(' ', tostring(properties.state)), \r\n\tunsupportedControls = trim(' ', tostring(properties.unsupportedControls)), \r\n\tskippedControls = trim(' ', tostring(properties.skippedControls))\r\n| project name, passedControls, failedControls, unsupportedControls, skippedControls , subscriptionId\r\n| order by passedControls desc",
|
|
"size": 0,
|
|
"title": "Current Compliance Details",
|
|
"showExportToExcel": true,
|
|
"queryType": 1,
|
|
"resourceType": "microsoft.resourcegraph/resources",
|
|
"crossComponentResources": [
|
|
"{Subscription}"
|
|
],
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "passedControls",
|
|
"formatter": 3,
|
|
"formatOptions": {
|
|
"palette": "hotCold",
|
|
"showIcon": true
|
|
},
|
|
"numberFormat": {
|
|
"unit": 0,
|
|
"options": {
|
|
"style": "decimal",
|
|
"useGrouping": false
|
|
}
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "failedControls",
|
|
"formatter": 3,
|
|
"formatOptions": {
|
|
"palette": "coldHot",
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "unsupportedControls",
|
|
"formatter": 3,
|
|
"formatOptions": {
|
|
"palette": "coldHot",
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "skippedControls",
|
|
"formatter": 3,
|
|
"formatOptions": {
|
|
"palette": "coldHot",
|
|
"showIcon": true
|
|
}
|
|
}
|
|
],
|
|
"filter": true
|
|
}
|
|
},
|
|
"name": "query - 12"
|
|
},
|
|
{
|
|
"type": 9,
|
|
"content": {
|
|
"version": "KqlParameterItem/1.0",
|
|
"crossComponentResources": [
|
|
"{Subscription}"
|
|
],
|
|
"parameters": [
|
|
{
|
|
"id": "dd8f4188-2076-4696-ba56-8418a3fcc6f5",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "SelectCompliance",
|
|
"type": 5,
|
|
"query": "securityresources\r\n| where type == \"microsoft.security/regulatorycompliancestandards\"\r\n| project name\r\n",
|
|
"crossComponentResources": [
|
|
"{Subscription}"
|
|
],
|
|
"value": "ISO-27001",
|
|
"typeSettings": {
|
|
"additionalResourceOptions": []
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 1,
|
|
"resourceType": "microsoft.resourcegraph/resources"
|
|
},
|
|
{
|
|
"id": "bd9c3eae-84af-42b5-8c93-e281788948d7",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "selectState",
|
|
"type": 5,
|
|
"query": "securityresources\r\n| where type == \"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\"\r\n | extend state \t\t = trim(' ', tostring(properties.state))\r\n| summarize by state",
|
|
"crossComponentResources": [
|
|
"{Subscription}"
|
|
],
|
|
"value": "Failed",
|
|
"typeSettings": {
|
|
"additionalResourceOptions": []
|
|
},
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 1,
|
|
"resourceType": "microsoft.resourcegraph/resources"
|
|
}
|
|
],
|
|
"style": "above",
|
|
"queryType": 1,
|
|
"resourceType": "microsoft.resourcegraph/resources"
|
|
},
|
|
"name": "parameters - 13"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "securityresources\r\n| where type == \"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\"\r\n| parse id with *\"/regulatoryComplianceStandards/\" strControlName \"/regulatory\"*\r\n | extend \r\n\t state \t\t = trim(' ', tostring(properties.state))\r\n\t,description = trim(' ', tostring(properties.description))\r\n| where strControlName startswith '{SelectCompliance}'\r\n| extend isState = iif(isempty('{selectState}'),\"All states\",'{selectState}')\r\n//| where isSstate == '{selectState}'\r\n| summarize by ControlName = strControlName, name, Status = isState, description\r\n",
|
|
"size": 0,
|
|
"showExportToExcel": true,
|
|
"queryType": 1,
|
|
"resourceType": "microsoft.resourcegraph/resources",
|
|
"crossComponentResources": [
|
|
"{Subscription}"
|
|
],
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "Status",
|
|
"formatter": 18,
|
|
"formatOptions": {
|
|
"showIcon": true,
|
|
"thresholdsOptions": "colors",
|
|
"thresholdsGrid": [
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "failed",
|
|
"representation": "redBright",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "Failed",
|
|
"representation": "redBright",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "Passed",
|
|
"representation": "green",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "Unsupported",
|
|
"representation": "orange",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "Default",
|
|
"thresholdValue": null,
|
|
"representation": "blue",
|
|
"text": "{0}{1}"
|
|
}
|
|
]
|
|
},
|
|
"numberFormat": {
|
|
"unit": 0,
|
|
"options": {
|
|
"style": "decimal"
|
|
}
|
|
}
|
|
}
|
|
],
|
|
"filter": true
|
|
}
|
|
},
|
|
"name": "query - 14"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "SecurityRecommendation\r\n| where RecommendationState contains 'unhealthy'\r\n| summarize count() by RecommendationSeverity\r\n| render piechart",
|
|
"size": 4,
|
|
"title": "Unhealthy Security Recommendations By Severity",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"chartSettings": {
|
|
"seriesLabelSettings": [
|
|
{
|
|
"seriesName": "Low",
|
|
"color": "blue"
|
|
},
|
|
{
|
|
"seriesName": "Medium",
|
|
"color": "yellow"
|
|
},
|
|
{
|
|
"seriesName": "High",
|
|
"color": "redBright"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"name": "query - 4"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "SecurityRecommendation\r\n| make-series count() default=0 on DiscoveredTimeUTC from {TimeRange:start} to {TimeRange:end} step 1d by RecommendationSeverity",
|
|
"size": 0,
|
|
"title": "Security Recommendation Severity Over '{TimeRange:label}'",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"timeBrushParameterName": "TimeBrush",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"visualization": "timechart",
|
|
"chartSettings": {
|
|
"seriesLabelSettings": [
|
|
{
|
|
"seriesName": "Low",
|
|
"color": "blue"
|
|
},
|
|
{
|
|
"seriesName": "Medium",
|
|
"color": "yellow"
|
|
},
|
|
{
|
|
"seriesName": "High",
|
|
"color": "redBright"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"name": "query - 8"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "SecurityRecommendation\r\n| where RecommendationState contains 'unhealthy'\r\n| extend Resource = AssessedResourceId\r\n| summarize count() by Resource, RecommendationState\r\n| project-away RecommendationState\r\n| sort by count_ desc\r\n",
|
|
"size": 0,
|
|
"title": "Resources with Unhealthy Recommendations in '{TimeBrush:label}'",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeBrush",
|
|
"exportMultipleValues": true,
|
|
"exportedParameters": [
|
|
{
|
|
"fieldName": "Resource",
|
|
"parameterName": "Resource",
|
|
"delimiter": "",
|
|
"quote": "\""
|
|
}
|
|
],
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"gridSettings": {
|
|
"filter": true,
|
|
"labelSettings": [
|
|
{
|
|
"columnId": "Resource"
|
|
},
|
|
{
|
|
"columnId": "count_",
|
|
"label": "Unhealthy Recommendation Records"
|
|
}
|
|
]
|
|
},
|
|
"sortBy": []
|
|
},
|
|
"customWidth": "30",
|
|
"showPin": false,
|
|
"name": "query - 2"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "let Resource_ = dynamic({Resource});\r\nSecurityRecommendation\r\n| where RecommendationState contains 'unhealthy'\r\n| where AssessedResourceId contains tostring(Resource_)\r\n| extend Link = strcat(\"https://\", RecommendationLink)\r\n| project TimeGenerated, Resource_, RecommendationName, Link, RecommendationSeverity\r\n| summarize arg_max(TimeGenerated, *) by RecommendationName\r\n\r\n",
|
|
"size": 0,
|
|
"title": "Unhealthy Recommendations for Selected Resource",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeBrush",
|
|
"showExportToExcel": true,
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "Resource_",
|
|
"formatter": 13,
|
|
"formatOptions": {
|
|
"linkTarget": "Resource",
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Link",
|
|
"formatter": 7,
|
|
"formatOptions": {
|
|
"linkTarget": "Url",
|
|
"linkIsContextBlade": false,
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "RecommendationSeverity",
|
|
"formatter": 18,
|
|
"formatOptions": {
|
|
"showIcon": true,
|
|
"thresholdsOptions": "colors",
|
|
"thresholdsGrid": [
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "High",
|
|
"representation": "redBright",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "Medium",
|
|
"representation": "yellow",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "Low",
|
|
"representation": "blue",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "Informational",
|
|
"representation": "gray",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "Default",
|
|
"thresholdValue": null,
|
|
"representation": "blue",
|
|
"text": "{0}{1}"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "RecommendationLink",
|
|
"formatter": 13,
|
|
"formatOptions": {
|
|
"linkTarget": "Url",
|
|
"showIcon": true
|
|
}
|
|
}
|
|
],
|
|
"filter": true,
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "RecommendationName",
|
|
"sortOrder": 1
|
|
}
|
|
],
|
|
"labelSettings": [
|
|
{
|
|
"columnId": "RecommendationName",
|
|
"label": "Recommendation"
|
|
},
|
|
{
|
|
"columnId": "TimeGenerated",
|
|
"label": "Time Generated"
|
|
},
|
|
{
|
|
"columnId": "Resource_",
|
|
"label": "Resource"
|
|
},
|
|
{
|
|
"columnId": "RecommendationSeverity",
|
|
"label": "Severity"
|
|
}
|
|
]
|
|
},
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "RecommendationName",
|
|
"sortOrder": 1
|
|
}
|
|
]
|
|
},
|
|
"customWidth": "70",
|
|
"name": "query - 4",
|
|
"styleSettings": {
|
|
"showBorder": true
|
|
}
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "let Resource_ = dynamic({Resource});\r\nSecurityAlert\r\n| where ResourceId contains tostring(Resource_)\r\n| project TimeGenerated, Resource_, AlertName, AlertSeverity, ProductName\r\n| summarize arg_max(TimeGenerated, *) by TimeGenerated\r\n| project-away TimeGenerated1",
|
|
"size": 0,
|
|
"title": "Related Alerts to Resource in '{TimeBrush:label}'",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeBrush",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "Resource_",
|
|
"formatter": 13,
|
|
"formatOptions": {
|
|
"linkTarget": "Resource",
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "AlertSeverity",
|
|
"formatter": 18,
|
|
"formatOptions": {
|
|
"showIcon": true,
|
|
"thresholdsOptions": "colors",
|
|
"thresholdsGrid": [
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "High",
|
|
"representation": "redBright",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "Medium",
|
|
"representation": "yellow",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "Low",
|
|
"representation": "blue",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "Informational",
|
|
"representation": "gray",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "Default",
|
|
"thresholdValue": null,
|
|
"representation": "blue",
|
|
"text": "{0}{1}"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "ResourceId",
|
|
"formatter": 1,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
}
|
|
],
|
|
"labelSettings": [
|
|
{
|
|
"columnId": "TimeGenerated"
|
|
},
|
|
{
|
|
"columnId": "Resource_",
|
|
"label": "Resource Impacted"
|
|
},
|
|
{
|
|
"columnId": "AlertName",
|
|
"label": "Alert Title"
|
|
},
|
|
{
|
|
"columnId": "AlertSeverity",
|
|
"label": "Severity"
|
|
},
|
|
{
|
|
"columnId": "ProductName",
|
|
"label": "Product"
|
|
}
|
|
]
|
|
},
|
|
"sortBy": [],
|
|
"graphSettings": {
|
|
"type": 0
|
|
}
|
|
},
|
|
"name": "query - 6",
|
|
"styleSettings": {
|
|
"showBorder": true
|
|
}
|
|
}
|
|
]
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "Tab",
|
|
"comparison": "isEqualTo",
|
|
"value": "Compliance"
|
|
},
|
|
"name": "Compliance"
|
|
},
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"items": [
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "ProtectionStatus\r\n| extend Protection = iff(ThreatStatusRank == 150, \"Protected\", \"Security Event Should Be Addressed\")\r\n| extend Resource = Computer\r\n| project TimeGenerated, Resource, TypeofProtection, Protection, ThreatStatus ,ProtectionStatus, SignatureVersion\r\n| summarize arg_max(TimeGenerated,*) by Resource\r\n",
|
|
"size": 1,
|
|
"showAnalytics": true,
|
|
"title": "Endpoint Protection Status",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"exportMultipleValues": true,
|
|
"exportedParameters": [
|
|
{
|
|
"fieldName": "Resource",
|
|
"parameterName": "Resource",
|
|
"parameterType": 1,
|
|
"delimiter": ""
|
|
}
|
|
],
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"gridSettings": {
|
|
"filter": true,
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "ThreatStatus",
|
|
"sortOrder": 1
|
|
}
|
|
],
|
|
"labelSettings": [
|
|
{
|
|
"columnId": "TimeGenerated",
|
|
"label": "Time Generated"
|
|
},
|
|
{
|
|
"columnId": "TypeofProtection",
|
|
"label": "Endpoint Protection"
|
|
},
|
|
{
|
|
"columnId": "Protection",
|
|
"label": "Protection Status"
|
|
},
|
|
{
|
|
"columnId": "ThreatStatus",
|
|
"label": "Threat Status"
|
|
},
|
|
{
|
|
"columnId": "ProtectionStatus",
|
|
"label": "Protection Status"
|
|
},
|
|
{
|
|
"columnId": "SignatureVersion",
|
|
"label": "Signature Version"
|
|
}
|
|
]
|
|
},
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "ThreatStatus",
|
|
"sortOrder": 1
|
|
}
|
|
]
|
|
},
|
|
"name": "query - 6"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "let Resource_ = dynamic({Resource});\r\nProtectionStatus\r\n| where ThreatStatusRank != 150\r\n| where Computer contains tostring(Resource_)\r\n| project TimeGenerated, Resource_, ThreatStatus, ProtectionStatus, Threat, ThreatStatusDetails",
|
|
"size": 1,
|
|
"title": "Threats Over Last '{TimeRange:label}'",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"gridSettings": {
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "ThreatStatusDetails",
|
|
"sortOrder": 1
|
|
}
|
|
],
|
|
"labelSettings": [
|
|
{
|
|
"columnId": "TimeGenerated",
|
|
"label": "Time Generated"
|
|
},
|
|
{
|
|
"columnId": "Resource_",
|
|
"label": "Resource"
|
|
},
|
|
{
|
|
"columnId": "ThreatStatus",
|
|
"label": "Action Taken"
|
|
},
|
|
{
|
|
"columnId": "ProtectionStatus",
|
|
"label": "Event Summary"
|
|
},
|
|
{
|
|
"columnId": "Threat",
|
|
"label": "Malicious Artifact",
|
|
"comment": "File or Process"
|
|
},
|
|
{
|
|
"columnId": "ThreatStatusDetails",
|
|
"label": "Details"
|
|
}
|
|
]
|
|
},
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "ThreatStatusDetails",
|
|
"sortOrder": 1
|
|
}
|
|
]
|
|
},
|
|
"name": "query - 2"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "ProtectionStatus\r\n| where ProtectionStatusRank != 150\r\n| extend Protection = case( ProtectionStatusRank == 250, \"Signatures out of date\"\r\n , ProtectionStatusRank == 270, \"No real-time protection detected\"\r\n , ProtectionStatusRank == 470, \"No endpoint protection detected\"\r\n , ProtectionStatusRank == 550, \"Threat detected\"\r\n , \"No threats detected\"\r\n )\r\n| summarize count() by DeviceName, Protection\r\n| sort by count_ desc ",
|
|
"size": 0,
|
|
"title": "Most Vulnerable Machines",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"gridSettings": {
|
|
"filter": true,
|
|
"labelSettings": [
|
|
{
|
|
"columnId": "DeviceName",
|
|
"label": "Device"
|
|
},
|
|
{
|
|
"columnId": "Protection",
|
|
"label": "Endpoint Protection"
|
|
},
|
|
{
|
|
"columnId": "count_",
|
|
"label": "Trend Over Last 30 Days"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"name": "query - 1"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "SecurityBaseline\r\n| where AnalyzeResult != 'Passed'\r\n| extend Resource = ResourceId\r\n| summarize count() by Resource\r\n| sort by count_ desc",
|
|
"size": 0,
|
|
"title": "Resources with Failed Baselines Within '{TimeRange:label}'",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"exportMultipleValues": true,
|
|
"exportedParameters": [
|
|
{
|
|
"fieldName": "Resource",
|
|
"parameterName": "Resource",
|
|
"parameterType": 1,
|
|
"delimiter": ""
|
|
}
|
|
],
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"gridSettings": {
|
|
"filter": true,
|
|
"labelSettings": [
|
|
{
|
|
"columnId": "Resource"
|
|
},
|
|
{
|
|
"columnId": "count_",
|
|
"label": "Number of Logs"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"customWidth": "25",
|
|
"name": "query - 0"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "let Resource_ = dynamic({Resource});\r\nSecurityBaseline\r\n| where AnalyzeResult != 'Passed'\r\n| where ResourceId contains tostring(Resource_)\r\n| project TimeGenerated, Description, BaselineType, CceId, RuleSeverity, Resource_, AnalyzeResult",
|
|
"size": 0,
|
|
"title": "Failed Security Baselines for Machine",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"showExportToExcel": true,
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "Resource_",
|
|
"formatter": 13,
|
|
"formatOptions": {
|
|
"linkTarget": null,
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "RuleSeverity",
|
|
"formatter": 18,
|
|
"formatOptions": {
|
|
"showIcon": true,
|
|
"thresholdsOptions": "colors",
|
|
"thresholdsGrid": [
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "Critical",
|
|
"representation": "redBright",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "Warning",
|
|
"representation": "yellow",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "Informational",
|
|
"representation": "blue",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "Default",
|
|
"thresholdValue": null,
|
|
"representation": "blue",
|
|
"text": "{0}{1}"
|
|
}
|
|
]
|
|
}
|
|
}
|
|
],
|
|
"filter": true,
|
|
"labelSettings": [
|
|
{
|
|
"columnId": "TimeGenerated",
|
|
"label": "Time Generated"
|
|
},
|
|
{
|
|
"columnId": "Description"
|
|
},
|
|
{
|
|
"columnId": "BaselineType",
|
|
"label": "OS"
|
|
},
|
|
{
|
|
"columnId": "CceId"
|
|
},
|
|
{
|
|
"columnId": "RuleSeverity",
|
|
"label": "Severity"
|
|
},
|
|
{
|
|
"columnId": "Resource_",
|
|
"label": "Resource"
|
|
},
|
|
{
|
|
"columnId": "AnalyzeResult",
|
|
"label": "Status"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"customWidth": "75",
|
|
"name": "query - 1"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "let Resource_ = dynamic({Resource});\r\nSecurityBaselineSummary\r\n| project TimeGenerated, Resource_, OSName, TotalAssessedRules, PercentageOfPassedRules, CriticalFailedRules, WarningFailedRules, InformationalFailedRules\r\n| summarize arg_max(TimeGenerated, *)",
|
|
"size": 4,
|
|
"title": "Resource Security Baselines Summary",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "Resource_",
|
|
"formatter": 13,
|
|
"formatOptions": {
|
|
"linkTarget": null,
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "PercentageOfPassedRules",
|
|
"formatter": 18,
|
|
"formatOptions": {
|
|
"showIcon": true,
|
|
"thresholdsOptions": "colors",
|
|
"thresholdsGrid": [
|
|
{
|
|
"operator": "<",
|
|
"thresholdValue": "90",
|
|
"representation": "yellow",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "<",
|
|
"thresholdValue": "80",
|
|
"representation": "redBright",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": ">",
|
|
"thresholdValue": "90",
|
|
"representation": "green",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "Default",
|
|
"thresholdValue": null,
|
|
"representation": "blue",
|
|
"text": "{0}{1}"
|
|
}
|
|
]
|
|
},
|
|
"numberFormat": {
|
|
"unit": 1,
|
|
"options": {
|
|
"style": "decimal"
|
|
}
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "CriticalFailedRules",
|
|
"formatter": 18,
|
|
"formatOptions": {
|
|
"showIcon": true,
|
|
"thresholdsOptions": "colors",
|
|
"thresholdsGrid": [
|
|
{
|
|
"operator": ">",
|
|
"thresholdValue": "5",
|
|
"representation": "redBright",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "<",
|
|
"thresholdValue": "5",
|
|
"representation": "green",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "Default",
|
|
"thresholdValue": null,
|
|
"representation": "blue",
|
|
"text": "{0}{1}"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "WarningFailedRules",
|
|
"formatter": 18,
|
|
"formatOptions": {
|
|
"showIcon": true,
|
|
"thresholdsOptions": "colors",
|
|
"thresholdsGrid": [
|
|
{
|
|
"operator": ">",
|
|
"thresholdValue": "10",
|
|
"representation": "redBright",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "<",
|
|
"thresholdValue": "10",
|
|
"representation": "green",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "Default",
|
|
"thresholdValue": null,
|
|
"representation": "blue",
|
|
"text": "{0}{1}"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "InformationalFailedRules",
|
|
"formatter": 18,
|
|
"formatOptions": {
|
|
"showIcon": true,
|
|
"thresholdsOptions": "colors",
|
|
"thresholdsGrid": [
|
|
{
|
|
"operator": "<",
|
|
"thresholdValue": "10",
|
|
"representation": "green",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": ">",
|
|
"thresholdValue": "10",
|
|
"representation": "redBright",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "Default",
|
|
"thresholdValue": null,
|
|
"representation": "blue",
|
|
"text": "{0}{1}"
|
|
}
|
|
]
|
|
}
|
|
}
|
|
],
|
|
"labelSettings": [
|
|
{
|
|
"columnId": "TimeGenerated",
|
|
"label": "Time Generated"
|
|
},
|
|
{
|
|
"columnId": "Resource_",
|
|
"label": "Resource"
|
|
},
|
|
{
|
|
"columnId": "OSName",
|
|
"label": "OS"
|
|
},
|
|
{
|
|
"columnId": "TotalAssessedRules",
|
|
"label": "Total Assessed Rules"
|
|
},
|
|
{
|
|
"columnId": "PercentageOfPassedRules",
|
|
"label": "Percent Passed"
|
|
},
|
|
{
|
|
"columnId": "CriticalFailedRules",
|
|
"label": "Critical Failed"
|
|
},
|
|
{
|
|
"columnId": "WarningFailedRules",
|
|
"label": "Warning Failed"
|
|
},
|
|
{
|
|
"columnId": "InformationalFailedRules",
|
|
"label": "Informational Failed"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"name": "query - 2"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "Update\r\n| where UpdateState != 'Installed'\r\n| extend Resource = Computer\r\n| summarize count() by Resource\r\n| sort by count_ desc",
|
|
"size": 0,
|
|
"title": "Resources with Pending Updates within '{TimeRange:label}'",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"exportMultipleValues": true,
|
|
"exportedParameters": [
|
|
{
|
|
"fieldName": "Resource",
|
|
"parameterName": "Resource",
|
|
"parameterType": 1,
|
|
"delimiter": ""
|
|
}
|
|
],
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"gridSettings": {
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "Resource",
|
|
"sortOrder": 2
|
|
}
|
|
],
|
|
"labelSettings": [
|
|
{
|
|
"columnId": "Resource"
|
|
},
|
|
{
|
|
"columnId": "count_",
|
|
"label": "Number of Logs"
|
|
}
|
|
]
|
|
},
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "Resource",
|
|
"sortOrder": 2
|
|
}
|
|
]
|
|
},
|
|
"customWidth": "25",
|
|
"name": "query - 8"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "let Resource_ = dynamic({Resource});\r\nUpdate\r\n| where UpdateState != 'Installed'\r\n| where Computer contains tostring(Resource_)\r\n| project TimeGenerated, Product, Classification, Title, KBID, Resource_, UpdateState\r\n",
|
|
"size": 0,
|
|
"title": "Updates Needed for Resource",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"showExportToExcel": true,
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "Classification",
|
|
"formatter": 18,
|
|
"formatOptions": {
|
|
"showIcon": true,
|
|
"thresholdsOptions": "colors",
|
|
"thresholdsGrid": [
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "Updates",
|
|
"representation": "orange",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "Feature Packs",
|
|
"representation": "blue",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "Definition Packs",
|
|
"representation": "yellow",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "contains",
|
|
"thresholdValue": "Security",
|
|
"representation": "redBright",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "Others",
|
|
"representation": "gray",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "Default",
|
|
"thresholdValue": null,
|
|
"representation": "blue",
|
|
"text": "{0}{1}"
|
|
}
|
|
]
|
|
}
|
|
}
|
|
],
|
|
"filter": true,
|
|
"labelSettings": [
|
|
{
|
|
"columnId": "TimeGenerated",
|
|
"label": "Time Generated"
|
|
},
|
|
{
|
|
"columnId": "Product"
|
|
},
|
|
{
|
|
"columnId": "Classification"
|
|
},
|
|
{
|
|
"columnId": "Resource_",
|
|
"label": "Resource"
|
|
},
|
|
{
|
|
"columnId": "UpdateState",
|
|
"label": "Update Status"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"customWidth": "75",
|
|
"name": "query - 9"
|
|
}
|
|
]
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "Tab",
|
|
"comparison": "isEqualTo",
|
|
"value": "EP"
|
|
},
|
|
"name": "Endpoint"
|
|
},
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"items": [
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "ConfigurationChange\r\n| extend Resource = Computer\r\n| summarize count() by Resource, ChangeCategory, ConfigChangeType\r\n| order by count_ desc ",
|
|
"size": 0,
|
|
"title": "Events Per Resource within '{TimeRange:label}'",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"exportMultipleValues": true,
|
|
"exportedParameters": [
|
|
{
|
|
"fieldName": "Resource",
|
|
"parameterName": "Resource",
|
|
"parameterType": 1,
|
|
"delimiter": ""
|
|
}
|
|
],
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"gridSettings": {
|
|
"filter": true,
|
|
"labelSettings": [
|
|
{
|
|
"columnId": "ChangeCategory",
|
|
"label": "Action"
|
|
},
|
|
{
|
|
"columnId": "ConfigChangeType",
|
|
"label": "Area"
|
|
},
|
|
{
|
|
"columnId": "count_",
|
|
"label": "Count"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"customWidth": "33",
|
|
"showPin": true,
|
|
"name": "query - 0"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "let Resource_ = dynamic({Resource});\r\nConfigurationChange\r\n| where Computer contains tostring(Resource_)\r\n| project Resource_, ChangeCategory, ConfigChangeType, RegistryKey, ValueName, FileSystemPath",
|
|
"size": 0,
|
|
"title": "Events for Resource",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "RegistryKey",
|
|
"formatter": 1,
|
|
"formatOptions": {
|
|
"linkTarget": "Resource",
|
|
"linkIsContextBlade": false,
|
|
"showIcon": true
|
|
}
|
|
}
|
|
],
|
|
"filter": true
|
|
}
|
|
},
|
|
"customWidth": "66",
|
|
"name": "query - 3"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "ConfigurationChange\r\n| summarize count() by ChangeCategory, bin (TimeGenerated, 1d)",
|
|
"size": 0,
|
|
"title": "File Integrity Monitor Events By Action",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"visualization": "linechart"
|
|
},
|
|
"name": "query - 1"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "ConfigurationChange\r\n| summarize count() by ConfigChangeType, bin (TimeGenerated, 1d)",
|
|
"size": 0,
|
|
"title": "File Integrity Monitor Logs By Location",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"visualization": "linechart",
|
|
"chartSettings": {
|
|
"seriesLabelSettings": [
|
|
{
|
|
"seriesName": "Files",
|
|
"color": "yellow"
|
|
},
|
|
{
|
|
"seriesName": "Registry",
|
|
"color": "redBright"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"name": "query - 7"
|
|
}
|
|
]
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "Tab",
|
|
"comparison": "isEqualTo",
|
|
"value": "FIM"
|
|
},
|
|
"name": "FIM"
|
|
}
|
|
],
|
|
"styleSettings": {},
|
|
"fromTemplateId": "ASC-ComplianceandProtection",
|
|
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
|
|
}
|