881 строка
27 KiB
JSON
881 строка
27 KiB
JSON
{
|
|
"version": "Notebook/1.0",
|
|
"items": [
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "## Application gateway firewall events"
|
|
},
|
|
"name": "text - 10"
|
|
},
|
|
{
|
|
"type": 9,
|
|
"content": {
|
|
"version": "KqlParameterItem/1.0",
|
|
"query": "",
|
|
"crossComponentResources": [],
|
|
"parameters": [
|
|
{
|
|
"id": "49e2f511-592f-4d7f-8fda-d686803f3dbf",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "TimeRange",
|
|
"type": 4,
|
|
"isRequired": true,
|
|
"value": {
|
|
"durationMs": 2592000000
|
|
},
|
|
"typeSettings": {
|
|
"selectableValues": [
|
|
{
|
|
"durationMs": 300000
|
|
},
|
|
{
|
|
"durationMs": 900000
|
|
},
|
|
{
|
|
"durationMs": 1800000
|
|
},
|
|
{
|
|
"durationMs": 3600000
|
|
},
|
|
{
|
|
"durationMs": 14400000
|
|
},
|
|
{
|
|
"durationMs": 43200000
|
|
},
|
|
{
|
|
"durationMs": 86400000
|
|
},
|
|
{
|
|
"durationMs": 172800000
|
|
},
|
|
{
|
|
"durationMs": 259200000
|
|
},
|
|
{
|
|
"durationMs": 604800000
|
|
},
|
|
{
|
|
"durationMs": 1209600000
|
|
},
|
|
{
|
|
"durationMs": 2419200000
|
|
},
|
|
{
|
|
"durationMs": 2592000000
|
|
},
|
|
{
|
|
"durationMs": 5184000000
|
|
},
|
|
{
|
|
"durationMs": 7776000000
|
|
}
|
|
],
|
|
"allowCustom": true
|
|
}
|
|
},
|
|
{
|
|
"id": "d54c1639-d46c-4655-9d76-d5416926a453",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "WAF",
|
|
"type": 2,
|
|
"isRequired": true,
|
|
"multiSelect": true,
|
|
"quote": "'",
|
|
"delimiter": ",",
|
|
"query": "AzureDiagnostics\r\n| where ResourceType == \"APPLICATIONGATEWAYS\"\r\n| summarize Count=count() by Resource\r\n| order by Count desc, Resource asc\r\n| project Value = Resource, Lable = strcat(Resource, \" - \", Count)",
|
|
"value": [
|
|
"value::all"
|
|
],
|
|
"typeSettings": {
|
|
"additionalResourceOptions": [
|
|
"value::all"
|
|
],
|
|
"selectAllValue": "All"
|
|
},
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
}
|
|
],
|
|
"style": "pills",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
"name": "parameters - 2"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "AzureDiagnostics\r\n| where ResourceType == \"APPLICATIONGATEWAYS\" and (\"{WAF:lable}\" == \"All\" or Resource in ({WAF}))\r\n| where OperationName == \"ApplicationGatewayFirewall\"\r\n| where action_s == \"Blocked\" or action_s == \"Detected\" \r\n| summarize count() by requestUri_s \r\n| top 10 by count_ desc ",
|
|
"size": 0,
|
|
"exportToExcelOptions": "visible",
|
|
"title": "Blocked URL addresses",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "piechart"
|
|
},
|
|
"customWidth": "30",
|
|
"name": "query - 9"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "AzureDiagnostics\r\n| where ResourceType == \"APPLICATIONGATEWAYS\" and (\"{WAF:lable}\" == \"All\" or Resource in ({WAF}))\r\n| where OperationName == \"ApplicationGatewayFirewall\"\r\n| summarize number = count() by action_s",
|
|
"size": 0,
|
|
"exportToExcelOptions": "visible",
|
|
"title": "WAF actions",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "piechart"
|
|
},
|
|
"customWidth": "30",
|
|
"name": "query - 11"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "AzureDiagnostics\r\n| where (\"{WAF:lable}\" == \"All\" or Resource in ({WAF}))\r\n| where ResourceType == \"APPLICATIONGATEWAYS\"\r\n| where OperationName == \"ApplicationGatewayFirewall\" \r\n| summarize number = count() by instanceId_s, TimeGenerated\r\n| where instanceId_s contains \"role\"\r\n| extend roulenumber = extract(\"ApplicationGateway([a-zA-Z_a-zA-Z_0-9]*)\", 1, instanceId_s) \r\n| project roulenumber , number , TimeGenerated \r\n",
|
|
"size": 0,
|
|
"exportToExcelOptions": "visible",
|
|
"title": "Role use, by time",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "linechart"
|
|
},
|
|
"customWidth": "40",
|
|
"name": "query - 8"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "AzureDiagnostics\r\n| where \"{WAF:lable}\" == \"All\" or Resource in ({WAF})\r\n| where ResourceType == \"APPLICATIONGATEWAYS\"\r\n| where OperationName == \"ApplicationGatewayFirewall\"\r\n| summarize count() by Message\r\n| top 10 by count_ \r\n",
|
|
"size": 0,
|
|
"exportFieldName": "Message",
|
|
"exportParameterName": "Selected",
|
|
"exportDefaultValue": "*",
|
|
"exportToExcelOptions": "visible",
|
|
"title": "Event trigger",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "table",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "Message",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "count_",
|
|
"formatter": 3,
|
|
"formatOptions": {
|
|
"palette": "blue",
|
|
"showIcon": true
|
|
}
|
|
}
|
|
],
|
|
"labelSettings": [
|
|
{
|
|
"columnId": "Message"
|
|
},
|
|
{
|
|
"columnId": "count_",
|
|
"label": ""
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 12"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "AzureDiagnostics\r\n| where \"{WAF:lable}\" == \"All\" or Resource in ({WAF})\r\n| where ResourceType == \"APPLICATIONGATEWAYS\"\r\n| where OperationName == \"ApplicationGatewayFirewall\"\r\n| where ('{Selected}' == Message) or '{Selected}'==\"*\"\r\n| summarize count() by Message, TimeGenerated",
|
|
"size": 0,
|
|
"exportToExcelOptions": "visible",
|
|
"title": "Messages, by time",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "barchart",
|
|
"tileSettings": {
|
|
"showBorder": false,
|
|
"titleContent": {
|
|
"columnMatch": "Message",
|
|
"formatter": 1
|
|
},
|
|
"leftContent": {
|
|
"columnMatch": "count_",
|
|
"formatter": 12,
|
|
"formatOptions": {
|
|
"palette": "auto"
|
|
},
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 13"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "AzureDiagnostics\r\n| where \"{WAF:lable}\" == \"All\" or Resource in ({WAF})\r\n| where ResourceType == \"APPLICATIONGATEWAYS\"\r\n| where OperationName == \"ApplicationGatewayFirewall\"\r\n| where '{Selected}' == Message or '{Selected}' == \"*\"\r\n| extend Role = extract(\"ApplicationGateway([a-zA-Z_a-zA-Z_0-9]*)\",1,instanceId_s) \r\n| project Message, TimeGenerated, SourceSystem, hostname_s, ResourceId, ResourceGroup, ResourceProvider, Category, Role, action_s, site_s, details_message_s, details_file_s, clientIp_s, requestUri_s\r\n| sort by TimeGenerated\r\n",
|
|
"size": 0,
|
|
"exportToExcelOptions": "visible",
|
|
"title": "Message, full details",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "table"
|
|
},
|
|
"name": "query - 11"
|
|
},
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "---"
|
|
},
|
|
"name": "text - 12"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "AzureDiagnostics\r\n| where ResourceType == \"APPLICATIONGATEWAYS\" and (\"{WAF:lable}\" == \"All\" or Resource in ({WAF}))\r\n| where OperationName == \"ApplicationGatewayFirewall\"\r\n| where Message contains \"attack\"\r\n| extend Role = extract(\"ApplicationGateway([a-zA-Z_a-zA-Z_0-9]*)\",1,instanceId_s) \r\n| summarize Amount = count() by Message, bin(TimeGenerated, 1h), hostName = hostname_s, ResourceId, Category, Role\r\n| project Amount, Message, TimeGenerated, hostName, ResourceId, Category, Role\r\n| order by Amount desc",
|
|
"size": 0,
|
|
"exportFieldName": "",
|
|
"exportParameterName": "MessageFilter",
|
|
"exportDefaultValue": "{\"Message\":\"*\"}",
|
|
"exportToExcelOptions": "visible",
|
|
"title": "Attacks events, by messages",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "Amount",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"showIcon": true,
|
|
"aggregation": "Sum"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Message",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "TimeGenerated",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "hostName",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "ResourceId",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Category",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Role",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "$gen_group",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Count",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "TenantId",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "SourceSystem",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "MG",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "ManagementGroupName",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Computer",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "ruleGroup_s",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "transactionId_s",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "originalHost_s",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "_schema_s",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "error_code_s",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "error_message_s",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "instanceId_s",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "clientIp_s",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "clientPort_s",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "requestUri_s",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "ruleSetType_s",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "ruleSetVersion_s",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "ruleId_s",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "action_s",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "site_s",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "details_message_s",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "details_data_s",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "details_file_s",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "details_line_s",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "hostname_s",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "clientIP_s",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "clientPort_d",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "httpMethod_s",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "requestQuery_s",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "userAgent_s",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "httpStatus_d",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "httpVersion_s",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "receivedBytes_d",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "sentBytes_d",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "timeTaken_d",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "sslEnabled_s",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "host_s",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "correlation_clientTrackingId_g",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "tags__type_s",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "msg_s",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "resource_originRunId_s",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "resource_actionName_s",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "correlation_actionTrackingId_g",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "workflowId_s",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Level",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "OperationName",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "status_s",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "tags_LogicAppsCategory_s",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "resource_resourceGroupName_s",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "resource_workflowName_s",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "resource_runId_s",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "resource_location_s",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "resource_triggerName_s",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "SubscriptionId",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "ResourceGroup",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "ResourceProvider",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Resource",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "ResourceType",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "code_s",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "correlation_clientTrackingId_s",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "resource_subscriptionId_g",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "resource_workflowId_g",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "startTime_t",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "endTime_t",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Type",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "_ResourceId",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
}
|
|
],
|
|
"filter": true,
|
|
"hierarchySettings": {
|
|
"treeType": 1,
|
|
"groupBy": [
|
|
"Message"
|
|
],
|
|
"expandTopLevel": false
|
|
},
|
|
"labelSettings": []
|
|
}
|
|
},
|
|
"name": "query - 16"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "let SelectedMS = dynamic({MessageFilter}); // reference to the above list of messages (Event trigger)\r\nlet Child = SelectedMS.childRows; // Used to choose a group of messages - redirects to the message which was grouped\r\nAzureDiagnostics\r\n| where ResourceType == \"APPLICATIONGATEWAYS\" and (\"{WAF:lable}\" == \"All\" or Resource in ({WAF}))\r\n| where OperationName == \"ApplicationGatewayFirewall\"\r\n| where Message contains \"attack\"\r\n| where SelectedMS.Message == Message or SelectedMS.Message == \"*\" or Message == Child[0].Message\r\n| summarize count() by Message, TimeGenerated",
|
|
"size": 0,
|
|
"exportParameterName": "Message",
|
|
"exportDefaultValue": "{ \"Name\":\"\", \"Type\":\"*\"}",
|
|
"exportToExcelOptions": "visible",
|
|
"title": "Attack events, by time",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "barchart"
|
|
},
|
|
"customWidth": "70",
|
|
"name": "query - 14"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "AzureDiagnostics\r\n| where ResourceType == \"APPLICATIONGATEWAYS\" and (\"{WAF:lable}\" == \"All\" or Resource in ({WAF}))\r\n| where Message contains \"SQL Injection\" \r\n| summarize count() by hostname_s, Message\r\n| order by count_ desc ",
|
|
"size": 0,
|
|
"exportToExcelOptions": "visible",
|
|
"title": "SQL injection, by host name",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
"customWidth": "30",
|
|
"name": "query - 15"
|
|
}
|
|
],
|
|
"styleSettings": {},
|
|
"fromTemplateId": "sentinel-WebApplicationFirewallFirewallEvents",
|
|
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
|
|
} |