229 строки
7.5 KiB
JSON
229 строки
7.5 KiB
JSON
{
|
|
"version": "Notebook/1.0",
|
|
"items": [
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "## Top 5 Web requested Domains with log severity equal to 6 (Medium)\n---"
|
|
},
|
|
"name": "text - 2"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog\n| where TimeGenerated <= ago(0m)\n| where DeviceVendor == \"Forcepoint CSG\"\n| where DeviceProduct == \"Web\"\n| where LogSeverity == 6\n| where DeviceCustomString2 != \"\"\n| summarize Count=count() by DeviceCustomString2\n| top 5 by Count\n| render piechart",
|
|
"size": 3,
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "piechart",
|
|
"tileSettings": {
|
|
"showBorder": false,
|
|
"titleContent": {
|
|
"columnMatch": "RequestURL",
|
|
"formatter": 1
|
|
},
|
|
"leftContent": {
|
|
"columnMatch": "Count",
|
|
"formatter": 12,
|
|
"formatOptions": {
|
|
"palette": "auto"
|
|
},
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"graphSettings": {
|
|
"type": 0,
|
|
"topContent": {
|
|
"columnMatch": "RequestURL",
|
|
"formatter": 1
|
|
},
|
|
"centerContent": {
|
|
"columnMatch": "Count",
|
|
"formatter": 1,
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"mapSettings": {
|
|
"locInfo": "LatLong",
|
|
"sizeSettings": "Count",
|
|
"sizeAggregation": "Sum",
|
|
"legendMetric": "Count",
|
|
"legendAggregation": "Sum",
|
|
"itemColorSettings": {
|
|
"type": "heatmap",
|
|
"colorAggregation": "Sum",
|
|
"nodeColorField": "Count",
|
|
"heatmapPalette": "greenRed"
|
|
}
|
|
}
|
|
},
|
|
"name": "query - 2"
|
|
},
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "## Top 5 Web requested Domains with log severity equal to 9 (High)\n---"
|
|
},
|
|
"name": "text - 7"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog\n| where TimeGenerated <= ago(0m)\n| where DeviceVendor == \"Forcepoint CSG\"\n| where DeviceProduct == \"Web\"\n| where LogSeverity == 9\n| where DeviceCustomString2 != \"\"\n| summarize Count=count() by DeviceCustomString2\n| top 5 by Count\n| render piechart",
|
|
"size": 3,
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "piechart",
|
|
"tileSettings": {
|
|
"showBorder": false,
|
|
"titleContent": {
|
|
"columnMatch": "RequestURL",
|
|
"formatter": 1
|
|
},
|
|
"leftContent": {
|
|
"columnMatch": "Count",
|
|
"formatter": 12,
|
|
"formatOptions": {
|
|
"palette": "auto"
|
|
},
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"graphSettings": {
|
|
"type": 0,
|
|
"topContent": {
|
|
"columnMatch": "RequestURL",
|
|
"formatter": 1
|
|
},
|
|
"centerContent": {
|
|
"columnMatch": "Count",
|
|
"formatter": 1,
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"mapSettings": {
|
|
"locInfo": "LatLong",
|
|
"sizeSettings": "Count",
|
|
"sizeAggregation": "Sum",
|
|
"legendMetric": "Count",
|
|
"legendAggregation": "Sum",
|
|
"itemColorSettings": {
|
|
"type": "heatmap",
|
|
"colorAggregation": "Sum",
|
|
"nodeColorField": "Count",
|
|
"heatmapPalette": "greenRed"
|
|
}
|
|
}
|
|
},
|
|
"name": "query - 2 - Copy"
|
|
},
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "## Top 5 Web Users with 'Action' equal to 'Blocked'\n---"
|
|
},
|
|
"name": "text - 2"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog\n| where TimeGenerated <= ago(0m)\n| where DeviceVendor == \"Forcepoint CSG\"\n| where DeviceProduct == \"Web\"\n| where Activity != \"Blocked\"\n| where SourceUserID != \"Not available\"\n| summarize Count=count() by SourceUserID\n| top 5 by Count\n| render piechart",
|
|
"size": 1,
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "barchart"
|
|
},
|
|
"name": "query - 3"
|
|
},
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "## Top 5 Sender Email Addresses Where Spam Score Greater Than 10.0\n---"
|
|
},
|
|
"name": "text - 4"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog\n| where TimeGenerated <= ago(0m)\n| where DeviceVendor == \"Forcepoint CSG\"\n| where DeviceProduct == \"Email\"\n| where DeviceCustomFloatingPoint1 > 1.0\n| summarize Count=count() by SourceUserName\n| top 5 by Count\n",
|
|
"size": 1,
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "categoricalbar",
|
|
"tileSettings": {
|
|
"showBorder": false,
|
|
"titleContent": {
|
|
"columnMatch": "SourceIP",
|
|
"formatter": 1
|
|
},
|
|
"leftContent": {
|
|
"columnMatch": "Count",
|
|
"formatter": 12,
|
|
"formatOptions": {
|
|
"palette": "auto"
|
|
},
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"graphSettings": {
|
|
"type": 0,
|
|
"topContent": {
|
|
"columnMatch": "SourceUserName",
|
|
"formatter": 1
|
|
},
|
|
"centerContent": {
|
|
"columnMatch": "Count",
|
|
"formatter": 1,
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"name": "query - 5"
|
|
}
|
|
],
|
|
"fallbackResourceIds": [
|
|
"/subscriptions/42b86d52-1a90-43ad-ade0-3b43bdfdc113/resourcegroups/dlo-az-303/providers/microsoft.operationalinsights/workspaces/demo-csg-sentinel-dlo"
|
|
],
|
|
"fromTemplateId": "sentinel-ForcepointCloudSecuirtyGatewayworkbook",
|
|
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
|
|
} |