Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность
Azure-Sentinel/Workbooks/AzureAuditActivityAndSignin...

870 строки
29 KiB
JSON
Исходник Ответственный История

{
"version": "Notebook/1.0",
"items": [
{
"type": 1,
"content": {
"json": "## Azure AD audit, sign-in and Azure Activity logs\n---\nThis workbook combines the following Azure Monitoring tables:\n* Azure Active Directory audit logs\n* Signin logs\n* Azure Activity logs\n\n\nEdit the parameter below to change the timerange used by the graphs"
},
"name": "text - 2"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "d1983eba-6224-4c08-b792-4910eff535ad",
"version": "KqlParameterItem/1.0",
"name": "TimeRange",
"type": 4,
"description": "Select the time range that will be used for the query's",
"value": {
"durationMs": 604800000
},
"typeSettings": {
"selectableValues": [
{
"durationMs": 14400000
},
{
"durationMs": 43200000
},
{
"durationMs": 86400000
},
{
"durationMs": 172800000
},
{
"durationMs": 604800000
},
{
"durationMs": 1209600000
},
{
"durationMs": 2592000000
},
{
"durationMs": 5184000000
},
{
"durationMs": 7776000000
}
]
}
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters"
},
{
"type": 1,
"content": {
"json": "----\n## Signin Logs\n\nWith the SigninLogs we can give a security analyst insight into the different login statuses and locations <br>\n\nThese graphs give a quick representation of the Signin activity of the company's users. <br>\nA security team can easy view the Signin locations and most used applications"
},
"name": "text - 10"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SigninLogs\n| extend ResultText = case(isnotempty(ResultDescription), ResultDescription, ResultType == 0 and isempty(ResultDescription), \"successful login\", \"unknown\") // Create readable result text to include succesfull logins\n| summarize dcount(CorrelationId) by ResultText // Signin results by unique CorrelationId\n| render piechart",
"size": 0,
"title": "Login events by result",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"exportFieldName": "ResultText",
"exportParameterName": "Selected_ResultText",
"exportDefaultValue": "",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"chartSettings": {
"group": "ResultText",
"createOtherGroup": null,
"seriesLabelSettings": [
{
"seriesName": "successful login",
"color": "green"
}
],
"ySettings": {
"unit": 17,
"min": null,
"max": null
}
}
},
"customWidth": "33",
"name": "query - 3"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SigninLogs\n| extend ResultText = case(isnotempty(ResultDescription), ResultDescription, ResultType == 0 and isempty(ResultDescription), \"successful login\", \"unknown\")\n| summarize dcount(CorrelationId) by ResultText, bin(TimeGenerated,4h) // summarize the total Signin events per Description per hour (by unique CorrelationId's)",
"size": 0,
"title": "Count of login types per 4 hours",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "barchart",
"tileSettings": {
"showBorder": false,
"titleContent": {
"columnMatch": "ResultText",
"formatter": 1
},
"leftContent": {
"columnMatch": "dcount_CorrelationId",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
},
"chartSettings": {}
},
"customWidth": "33",
"name": "query - 4"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SigninLogs\n| where isnotempty(LocationDetails['countryOrRegion']) and ResultType == 0// Where location details are available and login is successful\n| extend city = tostring(LocationDetails['city'])\n| summarize count() by city, Location // Summarize by city name\n| join (\nSigninLogs\n| extend city = tostring(LocationDetails['city'])\n| make-series TrendList = count() on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by city \n) on city\n| project Location, city, [\"Total events\"] = count_, TrendLine = TrendList\n| top 10 by [\"Total events\"] desc",
"size": 0,
"title": "successful login locations",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "Location",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "city",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Total events",
"formatter": 4,
"formatOptions": {
"palette": "blue",
"showIcon": true
}
},
{
"columnMatch": "TrendLine",
"formatter": 9,
"formatOptions": {
"palette": "greenRed",
"showIcon": true
}
},
{
"columnMatch": "Events",
"formatter": 4,
"formatOptions": {
"palette": "blue",
"showIcon": true
}
},
{
"columnMatch": "count_",
"formatter": 4,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "TimeGenerated",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "id",
"formatter": 5,
"formatOptions": {
"showIcon": true
}
}
],
"hierarchySettings": {
"idColumn": "city",
"parentColumn": "Location",
"treeType": 0,
"expanderColumn": "city",
"expandTopLevel": false
}
},
"sortBy": [],
"tileSettings": {
"titleContent": {
"columnMatch": "city",
"formatter": 1,
"formatOptions": {
"showIcon": true
}
},
"leftContent": {
"columnMatch": "count_",
"formatter": 12,
"formatOptions": {
"palette": "auto",
"showIcon": true
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"maximumFractionDigits": 2,
"maximumSignificantDigits": 3
}
}
},
"secondaryContent": {
"columnMatch": "Events",
"formatter": 9,
"formatOptions": {
"showIcon": true
}
},
"showBorder": false
},
"graphSettings": {
"type": 0,
"topContent": {
"columnMatch": "LocationDetails",
"formatter": 1,
"formatOptions": {
"showIcon": true
}
},
"centerContent": {
"columnMatch": "count_",
"formatter": 1,
"formatOptions": {
"showIcon": true
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
},
"nodeIdField": "count_",
"sourceIdField": "Location",
"targetIdField": "city",
"nodeSize": null,
"staticNodeSize": 100,
"colorSettings": null,
"hivesMargin": 5
},
"mapSettings": {
"locInfo": "LatLong",
"locInfoColumn": "GeoSelection",
"latitude": "latitude",
"longitude": "longitude",
"sizeSettings": "count_",
"sizeAggregation": "Sum",
"defaultSize": 0,
"labelSettings": "locationInfo",
"legendMetric": "count_",
"legendAggregation": "Sum",
"itemColorSettings": {
"nodeColorField": "count_",
"colorAggregation": "Sum",
"type": "heatmap",
"heatmapPalette": "redGreen"
}
}
},
"customWidth": "33",
"name": "query - 7"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SigninLogs\r\n| where ResultType == 0 and AppDisplayName != \"\"\r\n| summarize count() by AppDisplayName\r\n| join (\r\nSigninLogs\r\n| make-series TrendList = count() on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, 4h) by AppDisplayName \r\n) on AppDisplayName\r\n| top 10 by count_ desc",
"size": 4,
"title": "successful logins by application",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"tileSettings": {
"titleContent": {
"columnMatch": "AppDisplayName",
"formatter": 1,
"formatOptions": {
"showIcon": true
}
},
"leftContent": {
"columnMatch": "count_",
"formatter": 12,
"formatOptions": {
"palette": "auto",
"showIcon": true
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
},
"secondaryContent": {
"columnMatch": "TrendList",
"formatter": 9,
"formatOptions": {
"showIcon": true
}
},
"showBorder": false
},
"graphSettings": {
"type": 0,
"topContent": {
"columnMatch": "AppDisplayName",
"formatter": 1
},
"centerContent": {
"columnMatch": "count_",
"formatter": 1,
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
}
},
"name": "query - 14"
},
{
"type": 1,
"content": {
"json": "----\n## AuditLogs\n\nThese tables give an Azure administrators the information they needs to make sure that the services and user operations are successfully executed. <br>\nIt also benefits the security operator by seeing which operations are perfomed by which users or services. Therefore he can act quickly on a suspicious operation."
},
"name": "text - 9"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "\nAuditLogs\n| summarize Runs = count(), Success = countif(Result == 'success'), Fails = countif(Result != 'success') by OperationName // Summarize the total, successful and failed operations by name\n| extend SuccessRate = (Success * 100 / Runs) // Calculate the percentage of succesful operations against the total\n| join (\nAuditLogs\n| where Result == 'success'\n| make-series TrendList = count() on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by OperationName \n) on OperationName\n| project OperationName, Runs, SuccessRate, TrendList\n| top 10 by Runs desc // Show the top 10 of most run operations",
"size": 0,
"title": "Top 10 operation by successrate",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "OperationName",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Runs",
"formatter": 4,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "SuccessRate",
"formatter": 8,
"formatOptions": {
"min": 0,
"max": 100,
"palette": "redGreen",
"showIcon": true
}
},
{
"columnMatch": "TrendList",
"formatter": 9,
"formatOptions": {
"showIcon": true
}
}
]
}
},
"customWidth": "50",
"name": "query - 5"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "\nAuditLogs\n| summarize Runs = count(), Success = countif(Result == 'success'), Fails = countif(Result != 'success') by OperationName // Summarize the total, successful and failed operations by name\n| extend SuccessRate = (Success * 100 / Runs) // Calculate the percentage of succesful operations against the total\n| project OperationName, Runs, SuccessRate, Fails\n| top 10 by SuccessRate asc // Show the 10 Operation by least SuccessRate",
"size": 0,
"title": "Top 10 most failed operations",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "OperationName",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Runs",
"formatter": 4,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "SuccessRate",
"formatter": 8,
"formatOptions": {
"min": 0,
"max": 100,
"palette": "redGreen",
"showIcon": true
}
},
{
"columnMatch": "Fails",
"formatter": 8,
"formatOptions": {
"palette": "redBright",
"showIcon": true
}
}
]
}
},
"customWidth": "50",
"name": "query - 5 - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "AzureActivity \n| union (AuditLogs) // Insert AuditLogs\n| extend CallerUserName = case( Type == 'AuditLogs' and notempty(InitiatedBy['user']), InitiatedBy['user']['userPrincipalName'], // Find best initiator for data source\n Type == 'AuditLogs' and InitiatedBy == \"{}\", Identity,\n Type == 'AzureActivity' ,Caller, 'Unknown')\n| extend TargetResource = case( Type == 'AuditLogs' and TargetResources[0]['type'] == 'User', strcat(TargetResources[0]['type'], \": \", TargetResources[0]['userPrincipalName']), // Find the best resource name for the data source\n Type == 'AuditLogs' and TargetResources[0]['type'] == 'Group', strcat(TargetResources[0]['type'], \": \", TargetResources[0]['displayName']),\n Type == 'AzureActivity' ,Resource, 'Unknown')\n| extend ResultStatus = case( Type == 'AuditLogs' and Result == 'failure', 'failed', // Change the result value to failure for the icon\n Type == 'AuditLogs' and Result == 'success', Result, // Only resutl that directly matches icon name\n Type == 'AzureActivity' and ActivityStatusValue == 'Started', 'info', // There is no started icon so using info instead.\n Type == 'AzureActivity' and ActivityStatusValue == 'Failed', 'failed', // change to failed\n Type == 'AzureActivity' and ActivityStatusValue == 'Succeeded', 'success', // Change to success\n 'unknown')\n| sort by TimeGenerated desc // Sort descending on TimeGenerated to see latest events\n| project Time = TimeGenerated, ['From data source'] = Type, Operation = OperationName, ['Initiated by'] = CallerUserName, TargetResource, ResultStatus\n",
"size": 0,
"title": "Latest operation from audit and activity logs",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "Time",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Operation",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "InitiatedByName",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Target",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Result",
"formatter": 11,
"formatOptions": {
"showIcon": true
}
}
],
"sortBy": [
{
"itemKey": "Time",
"sortOrder": 1
}
]
},
"sortBy": [
{
"itemKey": "Time",
"sortOrder": 1
}
]
},
"name": "query - 2"
},
{
"type": 1,
"content": {
"json": "---\n## Azure Activity"
},
"name": "text - 13"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "AzureActivity\r\n| summarize count() by ResourceProvider",
"size": 0,
"title": "Most activity by ResourceProvider",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart",
"gridSettings": {
"formatters": [
{
"columnMatch": "ResourceProvider",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "TotalEvents",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "ResourceProvider1",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Events",
"formatter": 19,
"formatOptions": {
"showIcon": true,
"timelineSettings": {
"timelineStartColumn": "TimeGenerated"
}
}
},
{
"columnMatch": "TimeGenerated",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
}
]
},
"tileSettings": {
"titleContent": {
"columnMatch": "ExtendedLocation",
"formatter": 1,
"formatOptions": {
"showIcon": true
}
},
"leftContent": {
"columnMatch": "LoginEvents",
"formatter": 12,
"formatOptions": {
"palette": "auto",
"showIcon": true
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"maximumFractionDigits": 2,
"maximumSignificantDigits": 3
}
}
},
"secondaryContent": {
"columnMatch": "Events",
"formatter": 19,
"formatOptions": {
"palette": "blueOrange",
"showIcon": true,
"timelineSettings": {
"timelineStartColumn": "TimeGenerated",
"timestampIsEndTime": true
}
}
},
"showBorder": false,
"sortCriteriaField": "TotalEvents",
"sortOrderField": 2
},
"graphSettings": {
"type": 0,
"topContent": {
"columnMatch": "ResourceProvider",
"formatter": 1
},
"centerContent": {
"columnMatch": "TotalEvents",
"formatter": 1,
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
},
"chartSettings": {}
},
"customWidth": "35",
"name": "query - 3"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "AzureActivity\r\n| summarize Activities = count() by User = Caller",
"size": 0,
"title": "Activities by user",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table"
},
"customWidth": "25",
"name": "query - 16"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "AzureActivity\n| extend ActivityType = case(OperationNameValue hassuffix \"delete\", \"Delete\",\n OperationNameValue hassuffix \"write\", \"Create or Update\",\"Other\")\n| summarize Succeeded = countif(ActivityStatusValue == \"Succeeded\"), Failed = countif(ActivityStatusValue == \"Failed\") by ResourceProvider, ActivityType\n| extend SuccesRate = Succeeded * 100 / (Succeeded + Failed)\n| where isnotempty(SuccesRate)\n| top 10 by SuccesRate asc \n| project ActivityType, ResourceProvider, SuccesRate, Succeeded, Failed ",
"size": 0,
"title": "Least successrate by Action and ResourceProvider",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "ActivityType",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "ResourceProvider",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "SuccesRate",
"formatter": 8,
"formatOptions": {
"palette": "greenRed",
"showIcon": true
}
},
{
"columnMatch": "Succeeded",
"formatter": 4,
"formatOptions": {
"palette": "blue",
"showIcon": true
}
},
{
"columnMatch": "Failed",
"formatter": 8,
"formatOptions": {
"palette": "redBright",
"showIcon": true
}
}
]
},
"tileSettings": {
"showBorder": false,
"titleContent": {
"columnMatch": "OperationName",
"formatter": 1
},
"leftContent": {
"columnMatch": "Runs",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
}
},
"customWidth": "40",
"name": "query - 13",
"styleSettings": {
"maxWidth": "100%"
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "AzureActivity\r\n| summarize count() by OperationName, bin(TimeGenerated, 4h)",
"size": 0,
"title": "Timechart count activitytypes by 4 hours",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "areachart"
},
"customWidth": "50",
"name": "query - 15"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "AzureActivity\r\n//| where ActivityStatusValue == 'Succeeded'\r\n| summarize Actions = count() by OperationNameValue, Id = strcat(Caller, ' - ', CallerIpAddress)\r\n| extend Name = Id\r\n| union ( AzureActivity\r\n//| where ActivityStatusValue == 'Succeeded'\r\n| summarize Actions = count() by Id = OperationNameValue\r\n| extend Name = Id)\r\n| project Name, Actions, Id, OperationNameValue\r\n| order by Actions desc",
"size": 0,
"title": "Tree view for users by operations",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "Name",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Actions",
"formatter": 4,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Id",
"formatter": 5,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "OperationName",
"formatter": 5,
"formatOptions": {
"showIcon": true
}
}
],
"hierarchySettings": {
"idColumn": "Id",
"parentColumn": "OperationName",
"treeType": 0,
"expanderColumn": "Name",
"expandTopLevel": true
}
},
"sortBy": []
},
"customWidth": "50",
"name": "query - 14"
}
],
"fromTemplateId": "AzureAuditActivityAndSigninWorkbook",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}
Ссылка в новой задаче Показать git blame Копировать постоянную ссылку