700 строки
27 KiB
JSON
700 строки
27 KiB
JSON
{
|
|
"version": "Notebook/1.0",
|
|
"items": [
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": ">**NOTE:** This workbook uses a parser based on a Kusto Function to normalize fields. [Follow these steps](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/CiscoUmbrella/Cisco_Umbrella) to create the Kusto function alias **Cisco_Umbrella**."
|
|
},
|
|
"name": "Text"
|
|
},
|
|
{
|
|
"type": 11,
|
|
"content": {
|
|
"version": "LinkItem/1.0",
|
|
"style": "tabs",
|
|
"links": [
|
|
{
|
|
"id": "464b6899-a8de-4f01-84a6-d4e3ecc7f282",
|
|
"cellValue": "Tab",
|
|
"linkTarget": "parameter",
|
|
"linkLabel": "Cisco Umbrella Main Dashboard",
|
|
"subTarget": "cisco_umbrella_main_dashboard",
|
|
"preText": "Cisco Umbrella Main Dashboard",
|
|
"style": "link"
|
|
},
|
|
{
|
|
"id": "a3798d8a-a610-475c-9cbf-7252301dab7e",
|
|
"cellValue": "Tab",
|
|
"linkTarget": "parameter",
|
|
"linkLabel": "Cisco Umbrella Dns Dashboard",
|
|
"subTarget": "cisco_umbrella_dns_dashboard",
|
|
"style": "link"
|
|
},
|
|
{
|
|
"id": "80bcf252-bcf6-4736-993d-59da0a8e4c76",
|
|
"cellValue": "Tab",
|
|
"linkTarget": "parameter",
|
|
"linkLabel": "Cisco Umbrella Proxy Dashboard",
|
|
"subTarget": "cisco_umbrella_proxy_dashboard",
|
|
"style": "link"
|
|
},
|
|
{
|
|
"id": "f536a1e9-362e-4d98-bdd1-0f7dfb23901a",
|
|
"cellValue": "Tab",
|
|
"linkTarget": "parameter",
|
|
"linkLabel": "Cisco Umbrella Firewall Dashboard",
|
|
"subTarget": "cisco_umbrella_firewall_dashboard",
|
|
"style": "link"
|
|
}
|
|
]
|
|
},
|
|
"name": "Links"
|
|
},
|
|
{
|
|
"type": 9,
|
|
"content": {
|
|
"version": "KqlParameterItem/1.0",
|
|
"parameters": [
|
|
{
|
|
"id": "37b91baf-6272-4709-a028-1370823249d4",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "TimeRange",
|
|
"type": 4,
|
|
"isRequired": true,
|
|
"value": {
|
|
"durationMs": 5184000000
|
|
},
|
|
"typeSettings": {
|
|
"selectableValues": [
|
|
{
|
|
"durationMs": 300000
|
|
},
|
|
{
|
|
"durationMs": 900000
|
|
},
|
|
{
|
|
"durationMs": 1800000
|
|
},
|
|
{
|
|
"durationMs": 3600000
|
|
},
|
|
{
|
|
"durationMs": 14400000
|
|
},
|
|
{
|
|
"durationMs": 43200000
|
|
},
|
|
{
|
|
"durationMs": 86400000
|
|
},
|
|
{
|
|
"durationMs": 172800000
|
|
},
|
|
{
|
|
"durationMs": 259200000
|
|
},
|
|
{
|
|
"durationMs": 604800000
|
|
},
|
|
{
|
|
"durationMs": 1209600000
|
|
},
|
|
{
|
|
"durationMs": 2419200000
|
|
},
|
|
{
|
|
"durationMs": 2592000000
|
|
},
|
|
{
|
|
"durationMs": 5184000000
|
|
},
|
|
{
|
|
"durationMs": 7776000000
|
|
}
|
|
],
|
|
"allowCustom": true
|
|
},
|
|
"timeContext": {
|
|
"durationMs": 86400000
|
|
}
|
|
}
|
|
],
|
|
"style": "pills",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
"name": "Parameters1"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "Cisco_Umbrella\n| where TimeGenerated {TimeRange} \n| summarize Count=count() by EventType\n| render barchart",
|
|
"size": 3,
|
|
"title": "Events Count by EventType",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "piechart",
|
|
"tileSettings": {
|
|
"showBorder": false,
|
|
"titleContent": {
|
|
"columnMatch": "EventType",
|
|
"formatter": 1
|
|
},
|
|
"leftContent": {
|
|
"columnMatch": "Count",
|
|
"formatter": 12,
|
|
"formatOptions": {
|
|
"palette": "auto"
|
|
},
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"graphSettings": {
|
|
"type": 0,
|
|
"topContent": {
|
|
"columnMatch": "EventType",
|
|
"formatter": 1
|
|
},
|
|
"centerContent": {
|
|
"columnMatch": "Count",
|
|
"formatter": 1,
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "Tab",
|
|
"comparison": "isEqualTo",
|
|
"value": "cisco_umbrella_main_dashboard"
|
|
},
|
|
"customWidth": "30",
|
|
"name": "EventsCountByEventType"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "Cisco_Umbrella\n| where TimeGenerated {TimeRange} \n|make-series Trend = count() on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by EventType;",
|
|
"size": 0,
|
|
"title": "Events over time",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "timechart"
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "Tab",
|
|
"comparison": "isEqualTo",
|
|
"value": "cisco_umbrella_main_dashboard"
|
|
},
|
|
"customWidth": "70",
|
|
"name": "EventsOverTime"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "Cisco_Umbrella\n| where DvcAction contains \"block\"\n| where TimeGenerated {TimeRange} \n|make-series Trend = count() on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain};",
|
|
"size": 0,
|
|
"title": "Blocks over time",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "timechart"
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "Tab",
|
|
"comparison": "isEqualTo",
|
|
"value": "cisco_umbrella_main_dashboard"
|
|
},
|
|
"customWidth": "70",
|
|
"name": "query - 4"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "let CU_Total_Requests =\nCisco_Umbrella\n| where TimeGenerated {TimeRange} \n| summarize count()\n| extend evttype=\"Total Requests\";\n\nlet CU_Total_Blocked =\nCisco_Umbrella\n| where TimeGenerated {TimeRange} \n| where DvcAction contains \"block\"\n| summarize count()\n| extend evttype=\"Total Blocked\";\n\nlet CU_Security_Blocked =\nCisco_Umbrella \n| where TimeGenerated {TimeRange} \n| where DvcAction contains \"block\"\n| where isnotempty(ThreatCategory)\n| summarize count()\n| extend evttype=\"Security Blocked\";\n\nunion CU_Security_Blocked,CU_Total_Blocked,CU_Total_Requests",
|
|
"size": 3,
|
|
"title": "Network Breakdown Statistic",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "tiles",
|
|
"tileSettings": {
|
|
"titleContent": {
|
|
"columnMatch": "evttype",
|
|
"formatter": 1
|
|
},
|
|
"leftContent": {
|
|
"columnMatch": "count_",
|
|
"formatter": 12,
|
|
"formatOptions": {
|
|
"palette": "auto"
|
|
},
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
},
|
|
"showBorder": false,
|
|
"size": "auto"
|
|
}
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "Tab",
|
|
"comparison": "isEqualTo",
|
|
"value": "cisco_umbrella_main_dashboard"
|
|
},
|
|
"customWidth": "30",
|
|
"name": "NetworkBreakdownStatistic"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "Cisco_Umbrella\n| where TimeGenerated {TimeRange} \n| where EventType == \"dnslogs\"\n| summarize count() by DvcAction",
|
|
"size": 3,
|
|
"title": "DNS - Events count by Action",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "piechart",
|
|
"tileSettings": {
|
|
"showBorder": false,
|
|
"titleContent": {
|
|
"columnMatch": "DvcAction",
|
|
"formatter": 1
|
|
},
|
|
"leftContent": {
|
|
"columnMatch": "count_",
|
|
"formatter": 12,
|
|
"formatOptions": {
|
|
"palette": "auto"
|
|
},
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "Tab",
|
|
"comparison": "isEqualTo",
|
|
"value": "cisco_umbrella_dns_dashboard"
|
|
},
|
|
"customWidth": "30",
|
|
"name": "DNSEventsCountByAction"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "Cisco_Umbrella\n| where TimeGenerated {TimeRange} \n| where EventType == \"dnslogs\"\n| summarize Count=count() by DnsQueryTypeName | sort by Count",
|
|
"size": 0,
|
|
"title": "DNS - Events count by QueryType",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "categoricalbar"
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "Tab",
|
|
"comparison": "isEqualTo",
|
|
"value": "cisco_umbrella_dns_dashboard"
|
|
},
|
|
"customWidth": "70",
|
|
"name": "DNSEventsCountByQueryType"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "Cisco_Umbrella\n| where EventType == \"dnslogs\"\n| where TimeGenerated {TimeRange} \n| where isnotempty(ThreatCategory)\n| extend Threat_Category=parsejson(tostring(ThreatCategory))\n| mv-expand Threat_Category\n| summarize Count=count() by tostring(Threat_Category)\n| sort by Count \n| join kind = inner (\nCisco_Umbrella\n| where EventType == \"dnslogs\"\n| where isnotempty(ThreatCategory)\n| where TimeGenerated {TimeRange} \n| extend Threat_Category=parsejson(tostring(ThreatCategory))\n| mv-expand Threat_Category\n| make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by tostring(Threat_Category))\n on Threat_Category\n | project-away Threat_Category1, TimeGenerated\n | project Threat_Category, Count, Trend\n | order by Count\n| take 10",
|
|
"size": 0,
|
|
"title": "DNS - Events by Threat Category",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "table",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "Count",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "blueGreen"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Trend",
|
|
"formatter": 10,
|
|
"formatOptions": {
|
|
"palette": "turquoise"
|
|
}
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "Tab",
|
|
"comparison": "isEqualTo",
|
|
"value": "cisco_umbrella_dns_dashboard"
|
|
},
|
|
"customWidth": "30",
|
|
"name": "DNSEventsByThreatCategory"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "Cisco_Umbrella\n| where TimeGenerated {TimeRange} \n| where EventType == \"dnslogs\"\n| where isnotempty(UrlCategory)\n| extend Url_Category=parsejson(tostring(UrlCategory))\n| mv-expand Url_Category\n| summarize Count=count() by tostring(Url_Category)\n| sort by Count\n| join kind = inner (\nCisco_Umbrella\n| where TimeGenerated {TimeRange} \n| where EventType == \"dnslogs\"\n| where isnotempty(UrlCategory)\n| extend Url_Category=parsejson(tostring(UrlCategory))\n| mv-expand Url_Category\n| make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by tostring(Url_Category))\n on Url_Category\n | project-away Url_Category1, TimeGenerated\n | project Url_Category, Count, Trend\n | order by Count\n| take 10",
|
|
"size": 0,
|
|
"title": "DNS - Events by Url Category",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "Count",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "blueGreen"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Trend",
|
|
"formatter": 10,
|
|
"formatOptions": {
|
|
"palette": "turquoise"
|
|
}
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "Tab",
|
|
"comparison": "isEqualTo",
|
|
"value": "cisco_umbrella_dns_dashboard"
|
|
},
|
|
"customWidth": "35",
|
|
"name": "DNSEventsByUrlCategory"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "let list_IP = Cisco_Umbrella\n| where TimeGenerated {TimeRange} \n| where EventType == \"dnslogs\"\n| where DvcAction == \"Blocked\"\n|summarize Count=count() by SrcIpAddr | top 10 by Count\n| summarize makelist(SrcIpAddr);\nCisco_Umbrella\n| where TimeGenerated {TimeRange} \n| where EventType == \"dnslogs\"\n| where DvcAction == \"Blocked\"\n|summarize Count=count() by SrcIpAddr \n| join kind = inner (\nCisco_Umbrella\n| where TimeGenerated {TimeRange} \n| where EventType == \"dnslogs\"\n| where DvcAction == \"Blocked\"\n| where SrcIpAddr in (list_IP)\n| make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SrcIpAddr)\n on SrcIpAddr\n | project-away SrcIpAddr1, TimeGenerated\n | project SrcIpAddr, Count, Trend\n | order by Count\n| take 10\n\n",
|
|
"size": 0,
|
|
"title": "DNS - Top 10 SrcIp with Blocked Action",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "table",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "Count",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "blueGreen"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Trend",
|
|
"formatter": 10,
|
|
"formatOptions": {
|
|
"palette": "turquoise"
|
|
}
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "Tab",
|
|
"comparison": "isEqualTo",
|
|
"value": "cisco_umbrella_dns_dashboard"
|
|
},
|
|
"customWidth": "35",
|
|
"name": "DNSTop10SrcIpBlockedAction"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "Cisco_Umbrella\n| where TimeGenerated {TimeRange}\n| where EventType == \"dnslogs\"\n| where DvcAction == \"Blocked\"\n| summarize Count=count() by DnsQueryName, UrlCategory \n| top 10 by Count\n",
|
|
"size": 0,
|
|
"title": "DNS - Top 10 Blocked Url ",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "Tab",
|
|
"comparison": "isEqualTo",
|
|
"value": "cisco_umbrella_dns_dashboard"
|
|
},
|
|
"name": "DNSTop10BlockedUrl "
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "Cisco_Umbrella\n| where TimeGenerated {TimeRange} \n| where EventType == \"proxylogs\"\n| summarize count() by DvcAction",
|
|
"size": 3,
|
|
"title": "Proxy - Events count by Action",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "piechart"
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "Tab",
|
|
"comparison": "isEqualTo",
|
|
"value": "cisco_umbrella_proxy_dashboard"
|
|
},
|
|
"customWidth": "30",
|
|
"name": "ProxyEventsCountByAction"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "let CU_proxy_outcoming_traffic =\nCisco_Umbrella\n| where TimeGenerated {TimeRange} \n| where EventType == \"proxylogs\"\n| extend TrafficType = \"Outcoming\", Bytes = SrcBytes\n| project TrafficType, Bytes, TimeGenerated;\n\nlet CU_proxy_incoming_traffic =\nCisco_Umbrella\n| where TimeGenerated {TimeRange} \n| where EventType == \"proxylogs\"\n| extend TrafficType = \"Incoming\", Bytes = DstBytes\n| project TrafficType, Bytes, TimeGenerated;\n\n\nunion CU_proxy_outcoming_traffic, CU_proxy_incoming_traffic\n| make-series TotalGbytes = round(sum(Bytes/(1024*1024*1024)),2) on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by TrafficType\n",
|
|
"size": 0,
|
|
"title": "Proxy - Traffic timechart, GB",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "timechart"
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "Tab",
|
|
"comparison": "isEqualTo",
|
|
"value": "cisco_umbrella_proxy_dashboard"
|
|
},
|
|
"customWidth": "70",
|
|
"name": "ProxyTrafficTimechart"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "\nCisco_Umbrella\n| where TimeGenerated {TimeRange} \n| where EventType == \"proxylogs\"\n| where isnotempty(UrlCategory)\n| extend Url_Category=parsejson(tostring(UrlCategory))\n| mv-expand Url_Category\n| summarize Count=count() by tostring(Url_Category)\n| sort by Count\n| join kind = inner (\nCisco_Umbrella\n| where TimeGenerated {TimeRange} \n| where EventType == \"proxylogs\"\n| where isnotempty(UrlCategory)\n| extend Url_Category=parsejson(tostring(UrlCategory))\n| mv-expand Url_Category\n| make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by tostring(Url_Category))\n on Url_Category\n | project-away Url_Category1, TimeGenerated\n | project Url_Category, Count, Trend\n | order by Count\n| take 10",
|
|
"size": 0,
|
|
"title": "Proxy - Events by Url Category",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "Count",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "blueGreen"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Trend",
|
|
"formatter": 10,
|
|
"formatOptions": {
|
|
"palette": "turquoise"
|
|
}
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "Tab",
|
|
"comparison": "isEqualTo",
|
|
"value": "cisco_umbrella_proxy_dashboard"
|
|
},
|
|
"customWidth": "30",
|
|
"name": "ProxyEventsByUrlCategory"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "let list_IP = Cisco_Umbrella\n| where TimeGenerated {TimeRange} \n| where EventType == \"proxylogs\"\n| where DvcAction == \"BLOCKED\"\n|summarize Count=count() by SrcIpAddr | top 10 by Count\n| summarize makelist(SrcIpAddr);\nCisco_Umbrella\n| where TimeGenerated {TimeRange} \n| where EventType == \"proxylogs\"\n| where DvcAction == \"BLOCKED\"\n|summarize Count=count() by SrcIpAddr \n| join kind = inner (\nCisco_Umbrella\n| where TimeGenerated {TimeRange} \n| where EventType == \"proxylogs\"\n| where DvcAction == \"BLOCKED\"\n| where SrcIpAddr in (list_IP)\n| make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SrcIpAddr)\n on SrcIpAddr\n | project-away SrcIpAddr1, TimeGenerated\n | project SrcIpAddr, Count, Trend\n | order by Count\n| take 10\n\n",
|
|
"size": 0,
|
|
"title": "Proxy - Top 10 Source IP with Blocked Action",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "table",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "Count",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "blueGreen"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Trend",
|
|
"formatter": 10,
|
|
"formatOptions": {
|
|
"palette": "turquoise"
|
|
}
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "Tab",
|
|
"comparison": "isEqualTo",
|
|
"value": "cisco_umbrella_proxy_dashboard"
|
|
},
|
|
"customWidth": "35",
|
|
"name": "ProxyTop10SourceIPBlockedAction"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "Cisco_Umbrella\n| where TimeGenerated {TimeRange} \n| where EventType == \"proxylogs\"\n| where isnotempty(ThreatCategory)\n| extend Threat_Category=parsejson(tostring(ThreatCategory))\n| mv-expand Threat_Category\n| summarize Count=count() by tostring(Threat_Category)\n| sort by Count \n| join kind = inner (\nCisco_Umbrella\n| where TimeGenerated {TimeRange} \n| where EventType == \"proxylogs\"\n| where isnotempty(ThreatCategory)\n| extend Threat_Category=parsejson(tostring(ThreatCategory))\n| mv-expand Threat_Category\n| make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by tostring(Threat_Category))\n on Threat_Category\n | project-away Threat_Category1, TimeGenerated\n | project Threat_Category, Count, Trend\n | order by Count\n| take 10",
|
|
"size": 0,
|
|
"title": "Proxy - Events by Threat Category",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "table",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "Count",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "blueGreen"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Trend",
|
|
"formatter": 10,
|
|
"formatOptions": {
|
|
"palette": "turquoise"
|
|
}
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "Tab",
|
|
"comparison": "isEqualTo",
|
|
"value": "cisco_umbrella_proxy_dashboard"
|
|
},
|
|
"customWidth": "35",
|
|
"name": "ProxyEventsByThreatCategory"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "Cisco_Umbrella\n| where TimeGenerated {TimeRange}\n| where EventType == \"proxylogs\"\n| where DvcAction == \"BLOCKED\"\n| summarize Count=count() by UrlOriginal, UrlCategory \n| top 10 by Count\n",
|
|
"size": 0,
|
|
"title": "Proxy - Top 10 Blocked Url ",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "Tab",
|
|
"comparison": "isEqualTo",
|
|
"value": "cisco_umbrella_proxy_dashboard"
|
|
},
|
|
"name": "ProxyTop10BlockedUrl "
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "Cisco_Umbrella\n| where TimeGenerated {TimeRange} \n| where EventType == \"cloudfirewalllogs\"\n| summarize count() by DvcAction",
|
|
"size": 3,
|
|
"title": "Firewall - Events count by Action",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "piechart",
|
|
"tileSettings": {
|
|
"showBorder": false,
|
|
"titleContent": {
|
|
"columnMatch": "DvcAction",
|
|
"formatter": 1
|
|
},
|
|
"leftContent": {
|
|
"columnMatch": "count_",
|
|
"formatter": 12,
|
|
"formatOptions": {
|
|
"palette": "auto"
|
|
},
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "Tab",
|
|
"comparison": "isEqualTo",
|
|
"value": "cisco_umbrella_firewall_dashboard"
|
|
},
|
|
"customWidth": "30",
|
|
"name": "FirewallEventsCountByAction"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "\nCisco_Umbrella\n| where TimeGenerated {TimeRange} \n| where EventType == \"cloudfirewalllogs\"\n| make-series Packets = sum(toint(NetworkPackets)) on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by NetworkDirection",
|
|
"size": 0,
|
|
"title": "Firewall - Traffic over time, Packets",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "timechart"
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "Tab",
|
|
"comparison": "isEqualTo",
|
|
"value": "cisco_umbrella_firewall_dashboard"
|
|
},
|
|
"customWidth": "70",
|
|
"name": "FirewallTrafficOverTime"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "Cisco_Umbrella\n|where EventType == \"cloudfirewalllogs\"\n| where DvcAction contains \"BLOCK\"\n| where TimeGenerated {TimeRange} \n|make-series Trend = count() on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain};",
|
|
"size": 0,
|
|
"title": "Firewall - Block Events over time",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "Tab",
|
|
"comparison": "isEqualTo",
|
|
"value": "cisco_umbrella_firewall_dashboard"
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 19"
|
|
}
|
|
],
|
|
"fallbackResourceIds": [
|
|
"/subscriptions/3102b8f9-10e3-49bf-8712-51c184fddef5/resourcegroups/socprime/providers/microsoft.operationalinsights/workspaces/azuresocprimesentinel"
|
|
],
|
|
"fromTemplateId": "sentinel-CiscoUmbrella",
|
|
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
|
|
} |