Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность
Azure-Sentinel/Workbooks/AzureActivity.json

331 строка
12 KiB
JSON
Исходник Ответственный История

{
"version": "Notebook/1.0",
"items": [
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"query": "",
"crossComponentResources": [],
"parameters": [
{
"id": "52bfbd84-1639-480c-bda5-bfc87fd81832",
"version": "KqlParameterItem/1.0",
"name": "TimeRange",
"type": 4,
"isRequired": true,
"value": {
"durationMs": 604800000
},
"typeSettings": {
"selectableValues": [
{
"durationMs": 300000
},
{
"durationMs": 900000
},
{
"durationMs": 1800000
},
{
"durationMs": 3600000
},
{
"durationMs": 14400000
},
{
"durationMs": 43200000
},
{
"durationMs": 86400000
},
{
"durationMs": 172800000
},
{
"durationMs": 259200000
},
{
"durationMs": 604800000
},
{
"durationMs": 1209600000
},
{
"durationMs": 2419200000
},
{
"durationMs": 2592000000
},
{
"durationMs": 5184000000
},
{
"durationMs": 7776000000
}
]
}
},
{
"id": "eeb5dcf9-e898-46af-9c12-d91d97e13cd3",
"version": "KqlParameterItem/1.0",
"name": "Caller",
"type": 2,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "AzureActivity\r\n| summarize by Caller",
"value": [
"value::all"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
],
"selectAllValue": "All"
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
{
"id": "46375a76-7ae1-4d7e-9082-4191531198a9",
"version": "KqlParameterItem/1.0",
"name": "ResourceGroup",
"type": 2,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "AzureActivity\r\n| summarize by ResourceGroup",
"value": [
"value::all"
],
"typeSettings": {
"resourceTypeFilter": {
"microsoft.resources/resourcegroups": true
},
"additionalResourceOptions": [
"value::all"
],
"selectAllValue": "All"
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 2"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let data = AzureActivity\r\n| where \"{Caller:lable}\" == \"All\" or \"{Caller:lable}\" == \"All\" or Caller in ({Caller})\r\n| where \"{ResourceGroup:lable}\" == \"All\" or \"{ResourceGroup:lable}\" == \"All\" or ResourceGroup in ({ResourceGroup});\r\ndata\r\n| summarize Count = count() by ResourceGroup\r\n| join kind = fullouter (datatable(ResourceGroup:string)['Medium', 'high', 'low']) on ResourceGroup\r\n| project ResourceGroup = iff(ResourceGroup == '', ResourceGroup1, ResourceGroup), Count = iff(ResourceGroup == '', 0, Count)\r\n| join kind = inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by ResourceGroup)\r\n on ResourceGroup\r\n| project-away ResourceGroup1, TimeGenerated\r\n| extend ResourceGroups = ResourceGroup\r\n| union (\r\n data \r\n | summarize Count = count() \r\n | extend jkey = 1\r\n | join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\r\n | extend jkey = 1) on jkey\r\n | extend ResourceGroup = 'All', ResourceGroups = '*' \r\n)\r\n| order by Count desc\r\n| take 10",
"size": 4,
"exportToExcelOptions": "visible",
"title": "Top 10 active resource groups",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"tileSettings": {
"titleContent": {
"columnMatch": "ResourceGroup",
"formatter": 1,
"formatOptions": {
"showIcon": true
}
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"palette": "auto",
"showIcon": true
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
},
"secondaryContent": {
"columnMatch": "Trend",
"formatter": 9,
"formatOptions": {
"palette": "blueOrange",
"showIcon": true
}
},
"showBorder": false
}
},
"name": "query - 3"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "AzureActivity\r\n| where \"{Caller:lable}\" == \"All\" or Caller in ({Caller})\r\n| where \"{ResourceGroup:lable}\" == \"All\" or ResourceGroup in ({ResourceGroup})\r\n| summarize deletions = countif(OperationNameValue hassuffix \"delete\"), creations = countif(OperationNameValue hassuffix \"write\"), updates = countif(OperationNameValue hassuffix \"write\"), Activities = count(OperationNameValue) by bin_at(TimeGenerated, 1h, now())\r\n",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Activities over time",
"color": "gray",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "linechart",
"graphSettings": {
"type": 0
}
},
"name": "query - 1"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "AzureActivity\r\n| where \"{Caller:lable}\" == \"All\" or Caller in ({Caller})\r\n| where \"{ResourceGroup:lable}\" == \"All\" or ResourceGroup in ({ResourceGroup})\r\n| summarize deletions = countif(OperationNameValue hassuffix \"Delete\"), creations = countif(OperationNameValue hassuffix \"write\"), updates = countif(OperationNameValue hassuffix \"write\"), Activities = count() by Caller\r\n",
"size": 1,
"exportToExcelOptions": "visible",
"title": "Caller activities",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "Caller",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "deletions",
"formatter": 4,
"formatOptions": {
"showIcon": true,
"aggregation": "Count"
}
},
{
"columnMatch": "creations",
"formatter": 4,
"formatOptions": {
"palette": "purple",
"showIcon": true,
"aggregation": "Count"
}
},
{
"columnMatch": "updates",
"formatter": 4,
"formatOptions": {
"palette": "gray",
"showIcon": true,
"aggregation": "Count"
}
},
{
"columnMatch": "Activities",
"formatter": 4,
"formatOptions": {
"palette": "greenDark",
"linkTarget": "GenericDetails",
"linkIsContextBlade": true,
"showIcon": true,
"aggregation": "Count",
"workbookContext": {
"componentIdSource": "workbook",
"resourceIdsSource": "workbook",
"templateIdSource": "static",
"templateId": "https://go.microsoft.com/fwlink/?linkid=874159&resourceId=%2Fsubscriptions%2F44e4eff8-1fcb-4a22-a7d6-992ac7286382%2FresourceGroups%2FSOC&featureName=Workbooks&itemId=%2Fsubscriptions%2F44e4eff8-1fcb-4a22-a7d6-992ac7286382%2Fresourcegroups%2Fsoc%2Fproviders%2Fmicrosoft.insights%2Fworkbooks%2F4c195aec-747f-40bb-addb-934acb3ec646&name=CiscoASA&func=NavigateToPortalFeature&type=workbook",
"typeSource": "workbook",
"gallerySource": "workbook"
}
}
}
],
"sortBy": [
{
"itemKey": "$gen_bar_updates_3",
"sortOrder": 2
}
],
"labelSettings": []
}
},
"name": "query - 1"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "AzureActivity \r\n| where \"{Caller:lable}\" == \"All\" or Caller in ({Caller})\r\n| where \"{ResourceGroup:lable}\" == \"All\" or ResourceGroup in ({ResourceGroup})\r\n| summarize Informational = countif(Level == \"Informational\"), Warning = countif(Level == \"Warning\"), Error = countif(Level == \"Error\") by bin_at(TimeGenerated, 1h, now())\r\n",
"size": 0,
"exportToExcelOptions": "visible",
"color": "redBright",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "scatterchart",
"tileSettings": {
"showBorder": false
},
"graphSettings": {
"type": 2,
"topContent": {
"columnMatch": "Error",
"formatter": 12,
"formatOptions": {
"showIcon": true
}
},
"hivesContent": {
"columnMatch": "TimeGenerated",
"formatter": 1,
"formatOptions": {
"showIcon": true
}
},
"nodeIdField": "Error",
"sourceIdField": "Error",
"targetIdField": "Error",
"nodeSize": null,
"staticNodeSize": 100,
"colorSettings": null,
"groupByField": "TimeGenerated",
"hivesMargin": 5
}
},
"name": "query - 4"
}
],
"styleSettings": {},
"fromTemplateId": "sentinel-AzureActivity",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}
Ссылка в новой задаче Показать git blame Копировать постоянную ссылку