{
"version": "Notebook/1.0",
"items": [
{
"type": 1,
"content": {
"json": "## Security Alerts Dashboard\n---\n\nThis dashboard shows Azure Sentinel Security Alerts data across several views.\n\nNote: Not all Security Alerts are Incidents\n"
},
"name": "text - 2"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "08f97f34-6264-4fa3-90b5-16b89422d285",
"version": "KqlParameterItem/1.0",
"name": "TimeRange",
"type": 4,
"isRequired": true,
"value": {
"durationMs": 1209600000
},
"typeSettings": {
"selectableValues": [
{
"durationMs": 300000
},
{
"durationMs": 900000
},
{
"durationMs": 1800000
},
{
"durationMs": 3600000
},
{
"durationMs": 14400000
},
{
"durationMs": 43200000
},
{
"durationMs": 86400000
},
{
"durationMs": 172800000
},
{
"durationMs": 259200000
},
{
"durationMs": 604800000
},
{
"durationMs": 1209600000
},
{
"durationMs": 2419200000
},
{
"durationMs": 2592000000
},
{
"durationMs": 5184000000
},
{
"durationMs": 7776000000
}
]
}
},
{
"id": "cd98a9c7-5dbd-4f92-a967-7ed1c781132a",
"version": "KqlParameterItem/1.0",
"name": "AlertSeverity",
"type": 2,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "SecurityAlert\r\n| summarize Count = count() by AlertSeverity\r\n| order by Count desc, AlertSeverity asc\r\n| project Value = AlertSeverity, Label = strcat(AlertSeverity, ' - ', Count)",
"value": [
"value::all"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
]
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
{
"id": "df0fbc31-ade1-4488-9109-a4f647ad8fe2",
"version": "KqlParameterItem/1.0",
"name": "ProductName",
"type": 2,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "SecurityAlert\r\n| summarize Count = count() by ProductName\r\n| order by Count desc, ProductName asc\r\n| project Value = ProductName, Label = strcat(ProductName, ' - ', Count)",
"value": [
"value::all"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
]
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 3"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let data = SecurityAlert\n| where \"{AlertSeverity:lable}\" == \"All\" or AlertSeverity in ({AlertSeverity})\n| where \"{ProductName:lable}\" == \"All\" or ProductName in ({ProductName});\ndata\n| summarize Count = count() by AlertSeverity\n| join kind = inner (data\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by AlertSeverity)\n on AlertSeverity\n | project-away TimeGenerated\n| extend AlertSeveritys = AlertSeverity\n| union (\n data \n | summarize Count = count() \n | extend jkey = 1\n | join kind=inner (data\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\n | extend jkey = 1) on jkey\n | extend AlertSeverity = 'All', AlertSeveritys = '*' \n)\n| extend Severity = iif(AlertSeverity == \"All\", 0,iif(AlertSeverity == \"High\", 1, iif(AlertSeverity == \"Medium\", 2, iif(AlertSeverity == \"Low\", 3, 4))))\n| order by Severity asc\n",
"size": 3,
"title": "Security Alerts by Severity",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"exportFieldName": "AlertSeverity",
"exportParameterName": "AlertSeverityPicker",
"exportDefaultValue": "All",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"tileSettings": {
"titleContent": {
"columnMatch": "AlertSeverity",
"formatter": 1,
"formatOptions": {
"showIcon": true
}
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"showIcon": true
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"maximumFractionDigits": 2,
"maximumSignificantDigits": 3
}
}
},
"secondaryContent": {
"columnMatch": "Trend",
"formatter": 9,
"formatOptions": {
"showIcon": true
}
},
"showBorder": false,
"sortOrderField": 1
}
},
"name": "SecurityAlertsbySeverity"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let data = SecurityAlert\r\n| where \"{AlertSeverity:lable}\" == \"All\" or AlertSeverity in ({AlertSeverity})\r\n| where \"{ProductName:lable}\" == \"All\" or ProductName in ({ProductName})\r\n| where AlertSeverity == '{AlertSeverityPicker}' or '{AlertSeverityPicker}' == \"All\";\r\ndata\r\n| summarize Count = count() by ProductName\r\n| join kind = inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by ProductName)\r\n on ProductName\r\n | project-away TimeGenerated\r\n| extend ProductNames = ProductName\r\n| union (\r\n data \r\n | summarize Count = count() \r\n | extend jkey = 1\r\n | join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\r\n | extend jkey = 1) on jkey\r\n | extend ProductName = 'All', ProductNames = '*' \r\n)\r\n| order by Count desc\r\n",
"size": 3,
"title": "Security Alerts by Product",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"exportFieldName": "ProductName",
"exportParameterName": "ProductNamePicker",
"exportDefaultValue": "All",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"tileSettings": {
"titleContent": {
"columnMatch": "ProductName",
"formatter": 1,
"formatOptions": {
"showIcon": true
}
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"palette": "auto",
"showIcon": true
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
},
"secondaryContent": {
"columnMatch": "Trend",
"formatter": 9,
"formatOptions": {
"showIcon": true
}
},
"showBorder": false
}
},
"name": "SecurityAlertsbyProduct"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityAlert\r\n| where \"{AlertSeverity:lable}\" == \"All\" or AlertSeverity in ({AlertSeverity})\r\n| where \"{ProductName:lable}\" == \"All\" or ProductName in ({ProductName})\r\n| where AlertSeverity == '{AlertSeverityPicker}' or '{AlertSeverityPicker}' == \"All\"\r\n| where ProductName == '{ProductNamePicker}' or '{ProductNamePicker}' == \"All\"\r\n| summarize count() by AlertSeverity, bin(TimeGenerated, 1d)",
"size": 3,
"title": "Security Alerts Over Time by Severity",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "linechart",
"chartSettings": {
"seriesLabelSettings": [
{
"seriesName": "Medium",
"color": "orange"
},
{
"seriesName": "Low",
"color": "yellow"
},
{
"seriesName": "Informational",
"color": "gray"
},
{
"seriesName": "High",
"color": "red"
}
]
}
},
"name": "SecurityAlertsOverTimebySeverity"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityAlert\r\n| where \"{AlertSeverity:lable}\" == \"All\" or AlertSeverity in ({AlertSeverity})\r\n| where \"{ProductName:lable}\" == \"All\" or ProductName in ({ProductName})\r\n| where AlertSeverity == '{AlertSeverityPicker}' or '{AlertSeverityPicker}' == \"All\"\r\n| where ProductName == '{ProductNamePicker}' or '{ProductNamePicker}' == \"All\"\r\n| summarize count() by ProductName, bin(TimeGenerated, 1d)",
"size": 3,
"title": "Security Alerts Over Time by Product",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "unstackedbar",
"chartSettings": {
"seriesLabelSettings": [
{
"seriesName": "Medium",
"color": "orange"
},
{
"seriesName": "Low",
"color": "yellow"
},
{
"seriesName": "Informational",
"color": "gray"
},
{
"seriesName": "High",
"color": "red"
}
]
}
},
"name": "SecurityAlertsOverTimebyProduct"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityAlert\r\n| where \"{AlertSeverity:lable}\" == \"All\" or AlertSeverity in ({AlertSeverity})\r\n| where \"{ProductName:lable}\" == \"All\" or ProductName in ({ProductName})\r\n| where AlertSeverity == '{AlertSeverityPicker}' or '{AlertSeverityPicker}' == \"All\"\r\n| where ProductName == '{ProductNamePicker}' or '{ProductNamePicker}' == \"All\"\r\n| extend Entities = iff(isempty(Entities), todynamic('[{\"dummy\" : \"\"}]'), todynamic(Entities))\r\n| mvexpand Entities\r\n| evaluate bag_unpack(Entities, \"Entity_\")\r\n| extend Entity_Type = columnifexists(\"Entity_Type\", \"\")\r\n| extend Entity_Name = columnifexists(\"Entity_Name\", \"\")\r\n| extend Entity_ResourceId = columnifexists(\"Entity_ResourceId\", \"\")\r\n| extend Entity_Directory = columnifexists(\"Entity_Directory\", \"\")\r\n| extend Entity_Value = columnifexists(\"Entity_Value\", \"\")\r\n| extend Entity_HostName = columnifexists(\"Entity_HostName\", \"\")\r\n| extend Entity_Address = columnifexists(\"Entity_Address\", \"\")\r\n| extend Entity_ProcessId = columnifexists(\"Entity_ProcessId\", \"\")\r\n| extend Entity_Url = columnifexists(\"Entity_Url\", \"\")\r\n| extend Target = iif(Entity_Type == \"account\", Entity_Name, iif(Entity_Type == \"azure-resource\", Entity_ResourceId, iif(Entity_Type == \"cloud-application\", Entity_Name, iif(Entity_Type == \"dns\", Entity_Name, iif(Entity_Type == \"file\", strcat(Entity_Directory, \"\\\\\", Entity_Name), iif(Entity_Type == \"filehash\", Entity_Value, iif(Entity_Type == \"host\", Entity_HostName, iif(Entity_Type == \"ip\" , Entity_Address, iif(Entity_Type == \"malware\", Entity_HostName, iif(Entity_Type == \"network-connection\", Entity_Name, iif(Entity_Type == \"process\", Entity_ProcessId, iif(Entity_Type == \"registry-key\", Entity_Name, iif(Entity_Type == \"registry-value\", Entity_Name, iif(Entity_Type == \"security-group\", Entity_Name, iif(Entity_Type == \"url\", Entity_Url, \"NoTarget\")))))))))))))))\r\n| where Entity_Type in 
(\"account\", \"host\", \"ip\", \"url\", \"azure-resource\", \"cloud-application\", \"dns\", \"file\", \"filehash\", \"malware\", \"network-connection\", \"process\", \"registry-key\", \"registry-value\", \"security-group\")\r\n| summarize count() by bin(TimeGenerated, 1d), Target, Entity_Type\r\n| project-away TimeGenerated\r\n| order by count_ desc\r\n\r\n",
"size": 0,
"title": "Top Entities in Security Alerts",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "TopEntitiesinSecurityAlerts"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityAlert\r\n| where \"{AlertSeverity:lable}\" == \"All\" or AlertSeverity in ({AlertSeverity})\r\n| where \"{ProductName:lable}\" == \"All\" or ProductName in ({ProductName})\r\n| where AlertSeverity == '{AlertSeverityPicker}' or '{AlertSeverityPicker}' == \"All\"\r\n| where ProductName == '{ProductNamePicker}' or '{ProductNamePicker}' == \"All\"\r\n| extend Entities = iff(isempty(Entities), todynamic('[{\"dummy\" : \"\"}]'), todynamic(Entities))\r\n| mvexpand Entities\r\n| evaluate bag_unpack(Entities, \"Entity_\")\r\n| extend Entity_Type = columnifexists(\"Entity_Type\", \"\")\r\n| where Entity_Type in (\"account\", \"alerts\", \"azure-resource\", \"cloud-application\", \"dns\", \"file\", \"filehash\", \"host\", \"host-logon-session\", \"ip\", \"malware\", \"network-connection\", \"process\", \"registry-key\", \"registry-value\", \"security-group\", \"SrvSvcSessionEntry\", \"url\")\r\n| summarize count() by Entity_Type\r\n| order by count_ desc",
"size": 0,
"title": "Count of Entities in Security Alerts by Type",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "unstackedbar"
},
"name": "CountofEntitiesinSecurityAlertsbyType"
}
],
"fromTemplateId": "sentinel-AzureSentinelSecurityAlerts",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}