{
|
|
"version": "Notebook/1.0",
|
|
"items": [
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "## Azure AD audit, sign-in and Azure Activity logs\n---\nThis workbook combines the following Azure Monitoring tables:\n* Azure Active Directory audit logs\n* Signin logs\n* Azure Activity logs\n\n\nEdit the parameter below to change the time range used by the graphs"
|
|
},
|
|
"name": "text - 2"
|
|
},
|
|
{
|
|
"type": 9,
|
|
"content": {
|
|
"version": "KqlParameterItem/1.0",
|
|
"parameters": [
|
|
{
|
|
"id": "d1983eba-6224-4c08-b792-4910eff535ad",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "TimeRange",
|
|
"type": 4,
|
|
"description": "Select the time range that will be used for the queries",
|
|
"value": {
|
|
"durationMs": 604800000
|
|
},
|
|
"typeSettings": {
|
|
"selectableValues": [
|
|
{
|
|
"durationMs": 14400000
|
|
},
|
|
{
|
|
"durationMs": 43200000
|
|
},
|
|
{
|
|
"durationMs": 86400000
|
|
},
|
|
{
|
|
"durationMs": 172800000
|
|
},
|
|
{
|
|
"durationMs": 604800000
|
|
},
|
|
{
|
|
"durationMs": 1209600000
|
|
},
|
|
{
|
|
"durationMs": 2592000000
|
|
},
|
|
{
|
|
"durationMs": 5184000000
|
|
},
|
|
{
|
|
"durationMs": 7776000000
|
|
}
|
|
]
|
|
}
|
|
}
|
|
],
|
|
"style": "pills",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
"name": "parameters"
|
|
},
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "----\n## Signin Logs\n\nWith the SigninLogs we can give a security analyst insight into the different login statuses and locations <br>\n\nThese graphs give a quick representation of the Signin activity of the company's users. <br>\nA security team can easily view the Signin locations and the most used applications"
|
|
},
|
|
"name": "text - 10"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "SigninLogs\n| extend ResultText = case(isnotempty(ResultDescription), ResultDescription, ResultType == 0 and isempty(ResultDescription), \"successful login\", \"unknown\") // Create readable result text to include succesfull logins\n| summarize dcount(CorrelationId) by ResultText // Signin results by unique CorrelationId\n| render piechart",
|
|
"size": 0,
|
|
"title": "Login events by result",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"exportFieldName": "ResultText",
|
|
"exportParameterName": "Selected_ResultText",
|
|
"exportDefaultValue": "",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"chartSettings": {
|
|
"group": "ResultText",
|
|
"createOtherGroup": null,
|
|
"seriesLabelSettings": [
|
|
{
|
|
"seriesName": "successful login",
|
|
"color": "green"
|
|
}
|
|
],
|
|
"ySettings": {
|
|
"unit": 17,
|
|
"min": null,
|
|
"max": null
|
|
}
|
|
}
|
|
},
|
|
"customWidth": "33",
|
|
"name": "query - 3"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "SigninLogs\n| extend ResultText = case(isnotempty(ResultDescription), ResultDescription, ResultType == 0 and isempty(ResultDescription), \"successful login\", \"unknown\")\n| summarize dcount(CorrelationId) by ResultText, bin(TimeGenerated,4h) // summarize the total Signin events per Description per hour (by unique CorrelationId's)",
|
|
"size": 0,
|
|
"title": "Count of login types per 4 hours",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "barchart",
|
|
"tileSettings": {
|
|
"showBorder": false,
|
|
"titleContent": {
|
|
"columnMatch": "ResultText",
|
|
"formatter": 1
|
|
},
|
|
"leftContent": {
|
|
"columnMatch": "dcount_CorrelationId",
|
|
"formatter": 12,
|
|
"formatOptions": {
|
|
"palette": "auto"
|
|
},
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"chartSettings": {}
|
|
},
|
|
"customWidth": "33",
|
|
"name": "query - 4"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "SigninLogs\n| where isnotempty(LocationDetails['countryOrRegion']) and ResultType == 0// Where location details are available and login is successful\n| extend city = tostring(LocationDetails['city'])\n| summarize count() by city, Location // Summarize by city name\n| join (\nSigninLogs\n| extend city = tostring(LocationDetails['city'])\n| make-series TrendList = count() on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by city \n) on city\n| project Location, city, [\"Total events\"] = count_, TrendLine = TrendList\n| top 10 by [\"Total events\"] desc",
|
|
"size": 0,
|
|
"title": "successful login locations",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "table",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "Location",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "city",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Total events",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "blue",
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "TrendLine",
|
|
"formatter": 9,
|
|
"formatOptions": {
|
|
"palette": "greenRed",
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Events",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "blue",
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "count_",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "TimeGenerated",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "id",
|
|
"formatter": 5,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
}
|
|
],
|
|
"hierarchySettings": {
|
|
"idColumn": "city",
|
|
"parentColumn": "Location",
|
|
"treeType": 0,
|
|
"expanderColumn": "city",
|
|
"expandTopLevel": false
|
|
}
|
|
},
|
|
"sortBy": [],
|
|
"tileSettings": {
|
|
"titleContent": {
|
|
"columnMatch": "city",
|
|
"formatter": 1,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
"leftContent": {
|
|
"columnMatch": "count_",
|
|
"formatter": 12,
|
|
"formatOptions": {
|
|
"palette": "auto",
|
|
"showIcon": true
|
|
},
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"style": "decimal",
|
|
"maximumFractionDigits": 2,
|
|
"maximumSignificantDigits": 3
|
|
}
|
|
}
|
|
},
|
|
"secondaryContent": {
|
|
"columnMatch": "Events",
|
|
"formatter": 9,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
"showBorder": false
|
|
},
|
|
"graphSettings": {
|
|
"type": 0,
|
|
"topContent": {
|
|
"columnMatch": "LocationDetails",
|
|
"formatter": 1,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
"centerContent": {
|
|
"columnMatch": "count_",
|
|
"formatter": 1,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
},
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
},
|
|
"nodeIdField": "count_",
|
|
"sourceIdField": "Location",
|
|
"targetIdField": "city",
|
|
"nodeSize": null,
|
|
"staticNodeSize": 100,
|
|
"colorSettings": null,
|
|
"hivesMargin": 5
|
|
},
|
|
"mapSettings": {
|
|
"locInfo": "LatLong",
|
|
"locInfoColumn": "GeoSelection",
|
|
"latitude": "latitude",
|
|
"longitude": "longitude",
|
|
"sizeSettings": "count_",
|
|
"sizeAggregation": "Sum",
|
|
"defaultSize": 0,
|
|
"labelSettings": "locationInfo",
|
|
"legendMetric": "count_",
|
|
"legendAggregation": "Sum",
|
|
"itemColorSettings": {
|
|
"nodeColorField": "count_",
|
|
"colorAggregation": "Sum",
|
|
"type": "heatmap",
|
|
"heatmapPalette": "redGreen"
|
|
}
|
|
}
|
|
},
|
|
"customWidth": "33",
|
|
"name": "query - 7"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "SigninLogs\r\n| where ResultType == 0 and AppDisplayName != \"\"\r\n| summarize count() by AppDisplayName\r\n| join (\r\nSigninLogs\r\n| make-series TrendList = count() on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, 4h) by AppDisplayName \r\n) on AppDisplayName\r\n| top 10 by count_ desc",
|
|
"size": 4,
|
|
"title": "successful logins by application",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "tiles",
|
|
"tileSettings": {
|
|
"titleContent": {
|
|
"columnMatch": "AppDisplayName",
|
|
"formatter": 1,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
"leftContent": {
|
|
"columnMatch": "count_",
|
|
"formatter": 12,
|
|
"formatOptions": {
|
|
"palette": "auto",
|
|
"showIcon": true
|
|
},
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
},
|
|
"secondaryContent": {
|
|
"columnMatch": "TrendList",
|
|
"formatter": 9,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
"showBorder": false
|
|
},
|
|
"graphSettings": {
|
|
"type": 0,
|
|
"topContent": {
|
|
"columnMatch": "AppDisplayName",
|
|
"formatter": 1
|
|
},
|
|
"centerContent": {
|
|
"columnMatch": "count_",
|
|
"formatter": 1,
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"name": "query - 14"
|
|
},
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "----\n## AuditLogs\n\nThese tables give Azure administrators the information they need to make sure that the services and user operations are successfully executed. <br>\nIt also benefits the security operator by showing which operations are performed by which users or services, so they can act quickly on a suspicious operation."
|
|
},
|
|
"name": "text - 9"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "\nAuditLogs\n| summarize Runs = count(), Success = countif(Result == 'success'), Fails = countif(Result != 'success') by OperationName // Summarize the total, successful and failed operations by name\n| extend SuccessRate = (Success * 100 / Runs) // Calculate the percentage of succesful operations against the total\n| join (\nAuditLogs\n| where Result == 'success'\n| make-series TrendList = count() on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by OperationName \n) on OperationName\n| project OperationName, Runs, SuccessRate, TrendList\n| top 10 by Runs desc // Show the top 10 of most run operations",
|
|
"size": 0,
|
|
"title": "Top 10 operations by success rate",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "OperationName",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Runs",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "SuccessRate",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"min": 0,
|
|
"max": 100,
|
|
"palette": "redGreen",
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "TrendList",
|
|
"formatter": 9,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 5"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "\nAuditLogs\n| summarize Runs = count(), Success = countif(Result == 'success'), Fails = countif(Result != 'success') by OperationName // Summarize the total, successful and failed operations by name\n| extend SuccessRate = (Success * 100 / Runs) // Calculate the percentage of succesful operations against the total\n| project OperationName, Runs, SuccessRate, Fails\n| top 10 by SuccessRate asc // Show the 10 Operation by least SuccessRate",
|
|
"size": 0,
|
|
"title": "Top 10 most failed operations",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "OperationName",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Runs",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "SuccessRate",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"min": 0,
|
|
"max": 100,
|
|
"palette": "redGreen",
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Fails",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "redBright",
|
|
"showIcon": true
|
|
}
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 5 - Copy"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "AzureActivity \n| union (AuditLogs) // Insert AuditLogs\n| extend CallerUserName = case( Type == 'AuditLogs' and notempty(InitiatedBy['user']), InitiatedBy['user']['userPrincipalName'], // Find best initiator for data source\n Type == 'AuditLogs' and InitiatedBy == \"{}\", Identity,\n Type == 'AzureActivity' ,Caller, 'Unknown')\n| extend TargetResource = case( Type == 'AuditLogs' and TargetResources[0]['type'] == 'User', strcat(TargetResources[0]['type'], \": \", TargetResources[0]['userPrincipalName']), // Find the best resource name for the data source\n Type == 'AuditLogs' and TargetResources[0]['type'] == 'Group', strcat(TargetResources[0]['type'], \": \", TargetResources[0]['displayName']),\n Type == 'AzureActivity' ,Resource, 'Unknown')\n| extend ResultStatus = case( Type == 'AuditLogs' and Result == 'failure', 'failed', // Change the result value to failure for the icon\n Type == 'AuditLogs' and Result == 'success', Result, // Only resutl that directly matches icon name\n Type == 'AzureActivity' and ActivityStatusValue == 'Started', 'info', // There is no started icon so using info instead.\n Type == 'AzureActivity' and ActivityStatusValue == 'Failed', 'failed', // change to failed\n Type == 'AzureActivity' and ActivityStatusValue == 'Succeeded', 'success', // Change to success\n 'unknown')\n| sort by TimeGenerated desc // Sort descending on TimeGenerated to see latest events\n| project Time = TimeGenerated, ['From data source'] = Type, Operation = OperationName, ['Initiated by'] = CallerUserName, TargetResource, ResultStatus\n",
|
|
"size": 0,
|
|
"title": "Latest operation from audit and activity logs",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "Time",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Operation",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "InitiatedByName",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Target",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Result",
|
|
"formatter": 11,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
}
|
|
],
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "Time",
|
|
"sortOrder": 1
|
|
}
|
|
]
|
|
},
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "Time",
|
|
"sortOrder": 1
|
|
}
|
|
]
|
|
},
|
|
"name": "query - 2"
|
|
},
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "---\n## Azure Activity"
|
|
},
|
|
"name": "text - 13"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "AzureActivity\r\n| summarize count() by ResourceProvider",
|
|
"size": 0,
|
|
"title": "Most activity by ResourceProvider",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "piechart",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "ResourceProvider",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "TotalEvents",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "ResourceProvider1",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Events",
|
|
"formatter": 19,
|
|
"formatOptions": {
|
|
"showIcon": true,
|
|
"timelineSettings": {
|
|
"timelineStartColumn": "TimeGenerated"
|
|
}
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "TimeGenerated",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
}
|
|
]
|
|
},
|
|
"tileSettings": {
|
|
"titleContent": {
|
|
"columnMatch": "ExtendedLocation",
|
|
"formatter": 1,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
"leftContent": {
|
|
"columnMatch": "LoginEvents",
|
|
"formatter": 12,
|
|
"formatOptions": {
|
|
"palette": "auto",
|
|
"showIcon": true
|
|
},
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"style": "decimal",
|
|
"maximumFractionDigits": 2,
|
|
"maximumSignificantDigits": 3
|
|
}
|
|
}
|
|
},
|
|
"secondaryContent": {
|
|
"columnMatch": "Events",
|
|
"formatter": 19,
|
|
"formatOptions": {
|
|
"palette": "blueOrange",
|
|
"showIcon": true,
|
|
"timelineSettings": {
|
|
"timelineStartColumn": "TimeGenerated",
|
|
"timestampIsEndTime": true
|
|
}
|
|
}
|
|
},
|
|
"showBorder": false,
|
|
"sortCriteriaField": "TotalEvents",
|
|
"sortOrderField": 2
|
|
},
|
|
"graphSettings": {
|
|
"type": 0,
|
|
"topContent": {
|
|
"columnMatch": "ResourceProvider",
|
|
"formatter": 1
|
|
},
|
|
"centerContent": {
|
|
"columnMatch": "TotalEvents",
|
|
"formatter": 1,
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"chartSettings": {}
|
|
},
|
|
"customWidth": "35",
|
|
"name": "query - 3"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "AzureActivity\r\n| summarize Activities = count() by User = Caller",
|
|
"size": 0,
|
|
"title": "Activities by user",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "table"
|
|
},
|
|
"customWidth": "25",
|
|
"name": "query - 16"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "AzureActivity\n| extend ActivityType = case(OperationNameValue hassuffix \"delete\", \"Delete\",\n OperationNameValue hassuffix \"write\", \"Create or Update\",\"Other\")\n| summarize Succeeded = countif(ActivityStatusValue == \"Succeeded\"), Failed = countif(ActivityStatusValue == \"Failed\") by ResourceProvider, ActivityType\n| extend SuccesRate = Succeeded * 100 / (Succeeded + Failed)\n| where isnotempty(SuccesRate)\n| top 10 by SuccesRate asc \n| project ActivityType, ResourceProvider, SuccesRate, Succeeded, Failed ",
|
|
"size": 0,
|
|
"title": "Lowest success rate by Action and ResourceProvider",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "table",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "ActivityType",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "ResourceProvider",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "SuccesRate",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "greenRed",
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Succeeded",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "blue",
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Failed",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "redBright",
|
|
"showIcon": true
|
|
}
|
|
}
|
|
]
|
|
},
|
|
"tileSettings": {
|
|
"showBorder": false,
|
|
"titleContent": {
|
|
"columnMatch": "OperationName",
|
|
"formatter": 1
|
|
},
|
|
"leftContent": {
|
|
"columnMatch": "Runs",
|
|
"formatter": 12,
|
|
"formatOptions": {
|
|
"palette": "auto"
|
|
},
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"customWidth": "40",
|
|
"name": "query - 13",
|
|
"styleSettings": {
|
|
"maxWidth": "100%"
|
|
}
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "AzureActivity\r\n| summarize count() by OperationName, bin(TimeGenerated, 4h)",
|
|
"size": 0,
|
|
"title": "Timechart of activity type counts per 4 hours",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "areachart"
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 15"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "AzureActivity\r\n//| where ActivityStatusValue == 'Succeeded'\r\n| summarize Actions = count() by OperationNameValue, Id = strcat(Caller, ' - ', CallerIpAddress)\r\n| extend Name = Id\r\n| union ( AzureActivity\r\n//| where ActivityStatusValue == 'Succeeded'\r\n| summarize Actions = count() by Id = OperationNameValue\r\n| extend Name = Id)\r\n| project Name, Actions, Id, OperationNameValue\r\n| order by Actions desc",
|
|
"size": 0,
|
|
"title": "Tree view for users by operations",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "table",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "Name",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Actions",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Id",
|
|
"formatter": 5,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "OperationName",
|
|
"formatter": 5,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
}
|
|
],
|
|
"hierarchySettings": {
|
|
"idColumn": "Id",
|
|
"parentColumn": "OperationName",
|
|
"treeType": 0,
|
|
"expanderColumn": "Name",
|
|
"expandTopLevel": true
|
|
}
|
|
},
|
|
"sortBy": []
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 14"
|
|
}
|
|
],
|
|
"fromTemplateId": "AzureAuditActivityAndSigninWorkbook",
|
|
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
|
|
}