{
"version": "Notebook/1.0",
"items": [
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"crossComponentResources": [
"value::all"
],
"parameters": [
{
"id": "903a0628-df2f-4a7d-93ac-80fbf48032ec",
"version": "KqlParameterItem/1.0",
"name": "InternalWSs",
"type": 1,
"isRequired": true,
"query": "where type =~ \"Microsoft.OperationsManagement/solutions\"\r\n| where name startswith \"SecurityInsights\"\r\n| parse id with * '(' WSName ')' *\r\n| take 1\r\n| project WSName",
"crossComponentResources": [
"value::all"
],
"isHiddenWhenLocked": true,
"timeContext": {
"durationMs": 2592000000
},
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
},
{
"id": "8c7b9fc5-b87f-44d7-9cc8-bec025faf2c2",
"version": "KqlParameterItem/1.0",
"name": "DefaultSubscription_Internal",
"type": 1,
"isRequired": true,
"query": "where type =~ 'microsoft.operationalinsights/workspaces'\r\n| take 1\r\n| project subscriptionId",
"crossComponentResources": [
"value::selected"
],
"isHiddenWhenLocked": true,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
},
{
"id": "f046681a-d502-4370-9a04-736042ed7e47",
"version": "KqlParameterItem/1.0",
"name": "Subscription",
"type": 6,
"query": "resources\r\n| summarize by subscriptionId\r\n| project value = strcat(\"/subscriptions/\", subscriptionId), label = subscriptionId, selected = iff(subscriptionId =~ '{DefaultSubscription_Internal}', true, false)",
"crossComponentResources": [
"value::all"
],
"typeSettings": {
"additionalResourceOptions": []
},
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
},
{
"id": "ef68dc9e-94e2-47c9-bfc8-8206537418a8",
"version": "KqlParameterItem/1.0",
"name": "Workspace",
"type": 5,
"query": "//resources\r\n//| where type =~ 'microsoft.operationalinsights/workspaces'\r\n//| project id\r\n\r\nwhere type =~ 'microsoft.operationalinsights/workspaces'\r\n| project value =id, label = name, selected = iff(name =~ '{InternalWSs}', true, false)",
"crossComponentResources": [
"{Subscription}"
],
"typeSettings": {
"additionalResourceOptions": [],
"showDefault": false
},
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
"value": null
},
{
"id": "f9f6427d-1903-4ebc-9c48-86846ec36119",
"version": "KqlParameterItem/1.0",
"name": "TimeRange",
"type": 4,
"isRequired": true,
"value": {
"durationMs": 604800000
},
"typeSettings": {
"selectableValues": [
{
"durationMs": 900000
},
{
"durationMs": 3600000
},
{
"durationMs": 14400000
},
{
"durationMs": 86400000
},
{
"durationMs": 172800000
},
{
"durationMs": 259200000
},
{
"durationMs": 604800000
},
{
"durationMs": 1209600000
},
{
"durationMs": 2592000000
},
{
"durationMs": 5184000000
},
{
"durationMs": 7776000000
}
],
"allowCustom": true
},
"timeContext": {
"durationMs": 86400000
}
},
{
"id": "ddb7df85-73e6-4a6a-9201-a82c08739c98",
"version": "KqlParameterItem/1.0",
"name": "investigateBy",
"label": "Investigate By",
"type": 10,
"description": "Investigate Incidents or Entities",
"isRequired": true,
"typeSettings": {
"additionalResourceOptions": [],
"showDefault": false
},
"jsonData": "[\r\n { \"value\": \"Incident\", \"label\": \"Incident\", \"selected\":true},\r\n { \"value\": \"Bookmark\", \"label\": \"Bookmark\"},\r\n {\"value\": \"Entity\", \"label\": \"Entity\" }\r\n]\r\n"
},
{
"version": "KqlParameterItem/1.0",
"name": "IncidentView",
"label": "Show Incident Trend",
"type": 10,
"description": "Show incident view or not?",
"isRequired": true,
"query": "datatable(IncidentView:string, InvestigateBy:string)\r\n\t[\"Yes\", \"Incident\",\r\n\t\"No\", \"Incident\"]\r\n| where InvestigateBy =~ \"{investigateBy}\" or IncidentView == \"No\"\r\n| project IncidentView",
"crossComponentResources": [
"{Workspace}"
],
"value": "No",
"typeSettings": {
"additionalResourceOptions": [],
"showDefault": false
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"id": "5c093daf-515c-45be-a1e4-4b14d211c0eb"
},
{
"id": "44663fe5-5c34-4620-b87c-78fd566ebc2c",
"version": "KqlParameterItem/1.0",
"name": "Help",
"type": 10,
"isRequired": true,
"typeSettings": {
"additionalResourceOptions": []
},
"jsonData": "[\r\n { \"value\": \"Yes\", \"label\": \"Yes\"},\r\n {\"value\": \"No\", \"label\": \"No\", \"selected\":true },\r\n { \"value\": \"Change Log\", \"label\": \"Change Log\"}\r\n]"
},
{
"id": "080aebcf-c127-49ea-af49-cdc32888ee08",
"version": "KqlParameterItem/1.0",
"name": "DefaultUPNSuffix",
"type": 1,
"description": "When extracting the account entity from an alert, if no UPN suffix is included, this suffix will be assumed.",
"value": "",
"isHiddenWhenLocked": true
},
{
"id": "19a40f6a-2429-480f-bc34-067b602d1fa8",
"version": "KqlParameterItem/1.0",
"name": "AlertID",
"type": 1,
"description": "This parameter should be left blank",
"isHiddenWhenLocked": true
},
{
"id": "0c774c1b-f434-480d-ae82-078f7665f11d",
"version": "KqlParameterItem/1.0",
"name": "EntityData",
"type": 1,
"description": "This parameter should be left blank",
"isHiddenWhenLocked": true
},
{
"id": "d663ab0d-fc80-40a5-9d76-71a7401d7324",
"version": "KqlParameterItem/1.0",
"name": "EntityType",
"type": 1,
"description": "This parameter should be left blank",
"isHiddenWhenLocked": true
}
],
"style": "above",
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
},
"name": "GlobalParameters"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "75399fba-c502-401d-9d4c-ca2e3ec6bd70",
"version": "KqlParameterItem/1.0",
"name": "GlobalCustomTabName",
"type": 1,
"description": "Enter a tab name if you wish to add a customizable section to the Global tab list. This customizable section can be used to link to your own workbook to embed additional content. Otherwise, leave this parameter blank so the tab is hidden.",
"isHiddenWhenLocked": true,
"timeContext": {
"durationMs": 86400000
}
},
{
"id": "ae1a3f68-8153-41d1-9fa2-c4ead5649a77",
"version": "KqlParameterItem/1.0",
"name": "IPCustomTabName",
"type": 1,
"description": "Enter a tab name if you wish to add a customizable section to the IP tab list. This customizable section can be used to link to your own workbook to embed additional content. Otherwise, leave this parameter blank so the tab is hidden.",
"isHiddenWhenLocked": true,
"timeContext": {
"durationMs": 86400000
}
},
{
"id": "4b8d0ad0-14f4-4083-99de-2b5d4573ad7a",
"version": "KqlParameterItem/1.0",
"name": "AccountCustomTabName",
"type": 1,
"description": "Enter a tab name if you wish to add a customizable section to the Account tab list. This customizable section can be used to link to your own workbook to embed additional content. Otherwise, leave this parameter blank so the tab is hidden.",
"isHiddenWhenLocked": true,
"timeContext": {
"durationMs": 86400000
}
},
{
"id": "9150e8c7-bf5d-42ea-b0cf-52499b43fa17",
"version": "KqlParameterItem/1.0",
"name": "HostCustomTabName",
"type": 1,
"description": "Enter a tab name if you wish to add a customizable section to the Host tab list. This customizable section can be used to link to your own workbook to embed additional content. Otherwise, leave this parameter blank so the tab is hidden.",
"isHiddenWhenLocked": true,
"timeContext": {
"durationMs": 86400000
}
},
{
"id": "071760ec-c549-481f-b22f-93be5b8a11fe",
"version": "KqlParameterItem/1.0",
"name": "URLCustomTabName",
"type": 1,
"description": "Enter a tab name if you wish to add a customizable section to the URL tab list. This customizable section can be used to link to your own workbook to embed additional content. Otherwise, leave this parameter blank so the tab is hidden.",
"isHiddenWhenLocked": true,
"timeContext": {
"durationMs": 86400000
}
},
{
"id": "a9100608-ef9e-4c8d-81f9-119e7c8fc134",
"version": "KqlParameterItem/1.0",
"name": "FileHashCustomTabName",
"type": 1,
"description": "Enter a tab name if you wish to add a customizable section to the File Hash tab list. This customizable section can be used to link to your own workbook to embed additional content. Otherwise, leave this parameter blank so the tab is hidden.",
"isHiddenWhenLocked": true,
"timeContext": {
"durationMs": 86400000
}
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "customParameters"
},
{
"type": 1,
"content": {
"json": "# Investigation Insights"
},
"name": "text - 21"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 1,
"content": {
"json": "### Change Log\r\nBrian Delaney, Clive Watson, Jon Shectman - Microsoft\r\n\t\r\n\tVersion v1.4\r\n\tFixing issue in table names in FullSearch output\r\n\tAdding open external query/export to excel to FullSearch Results\r\n\t\r\n\tVersion v1.2\r\n\tAdded Tag based filters to Incident View\r\n\tAdded Incident Number filter to Incident View\r\n\tAdded Application Consent to User IOCs\r\n\tAdded Logon Type filter for User Account Logons\r\n\tAdded Defender ATP DeviceLogonEvents to User Account Logons table\r\n\tEnabled support for nesting custom workbooks\r\n\tImproved samAccountName detection using IdentityInfo table\r\n\tImproved Location Anomalies map to color datapoints based on distance\r\n\tOther minor improvements\r\n\t\r\n\tVersion v1.1\r\n\tAdded Investigate by Bookmark\r\n\tAdded Related Bookmarks to each Investigation type\r\n\tAdded Investigate FileHash\r\n\tAdded BehaviorAnalytics for Account Investigation\r\n\tAdded MFA Fraud Query for Account Investigation\r\n\tAdded Owner and Status Filters to Incident View\r\n\tAdded Normalized Network Schema view\r\n\tUpdated Entity Parsing to add additional entity types\r\n\tUpdated Incident Timeline to be based on CreatedTime of Incident\r\n\tOther minor improvements\r\n\t\r\n\t\r\n\tVersion v1.0\r\n\tInitial Release",
"style": "info"
},
"customWidth": "50",
"name": "text - 20"
}
]
},
"conditionalVisibility": {
"parameterName": "Help",
"comparison": "isEqualTo",
"value": "Change Log"
},
"name": "ChangeLogGroup"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 1,
"content": {
"json": "## Investigation Insights Help\r\n\r\n### Overview\r\n\r\nThe Investigation Insights Workbook is designed to assist in investigations of Azure Sentinel Incidents or individual IP/Account/Host/URL entities. The workbook leverages multiple data sources to provide detailed views of frequently used information during the analysis of an incident.\r\n\r\nDetailed help on this workbook is maintained at the [Azure Sentinel Github Wiki](https://github.com/Azure/Azure-Sentinel/wiki/Investigation-Insights---Overview).\r\n\r\nThe workbook is broken up into 2 main sections, Incident Insights and Entity Insights.\r\n\r\n#### Incident Insights\r\n\r\nThe Incident Insights gives the analyst a view of ongoing Sentinel Incidents and allows for quick access to their associated metadata including alerts and entity information.\r\n\r\n#### Entity Insights\r\n\r\nThe Entity Insights allows the analyst to take entity data either from an incident or through manual entry and explore related information about that entity. This workbook presently provides view of the following entity types:\r\n- IP Address\r\n- Account\r\n- Host\r\n- URL\r\n- FileHash\r\n\r\n### Workbook Setup\r\n\r\nThis workbook can be configured using the parameters at the top of the workbook. 
Some of these parameters are only available in Edit mode.\r\n\r\n\r\n| Parameter | Description |\r\n|---|---|\r\n|Subscription |Select the Azure subscription where your Azure Sentinel instance resides |\r\n|Workspace|Select the Azure Log Analytics workspace where your Azure Sentinel data resides|\r\n|TimeRange|Select the time window you want to investigate|\r\n|Investigate by|Investigate by Incident allows you to view Sentinel incident data and investigate by entity; Investigate by Bookmark starts the investigation from Sentinel bookmark data (added in v1.1); Investigate by Entity allows you to proceed directly to entering the entity data manually for your investigation |\r\n| Show Incident Trend |Use this toggle to see additional data about incident severity and status trends over the selected TimeRange, compared to the last 24 hours.|\r\n|Help|Turn this help text on or off, or show the change log|\r\n|DefaultUPNSuffix|When the entity data does not include a UPN suffix, the value of this parameter is assumed as the suffix|\r\n|AlertID|This parameter should be left blank; it is hidden outside Edit mode|\r\n|EntityData|This parameter should be left blank; it is hidden outside Edit mode|\r\n|EntityType|This parameter should be left blank; it is hidden outside Edit mode|\r\n\r\n#### Data Sources\r\n\r\nThis workbook leverages a number of different data sources. Most of these data sources are not required for this workbook to function, but elements of the workbook may not function if data sources are missing. 
Our detailed help located on [GitHub](https://github.com/Azure/Azure-Sentinel/wiki/Investigation-Insights---Overview) includes additional information about which data sources are required for specific capabilities of this workbook.\r\n\r\n|Data Source|Type|Data Connector|\r\n|---|---|---|\r\n| Azure Resource Graph |api| Not Applicable|\r\n| AuditLogs | table| Azure Active Directory |\r\n| AWSCloudTrail | table| Amazon Web Services |\r\n| AzureActivity |table| Azure Activity | \r\n| BehaviorAnalytics | table | Entity Behavior Analytics |\r\n| CommonSecurityLog |table| Multiple Connectors |\r\n| DeviceLogonEvents |table| Defender ATP |\r\n| DnsEvents |table| DNS |\r\n| IdentityInfo | table | Entity Behavior Analytics |\r\n| OfficeActivity |table| Office 365 |\r\n| ProtectionStatus |table| Azure Security Center with Microsoft Monitoring Agent |\r\n| SecurityAlert |table| Multiple Connectors |\r\n| SecurityBaseline | table | Azure Security Center with Microsoft Monitoring Agent |\r\n| SecurityBaselineSummary | table | Azure Security Center with Microsoft Monitoring Agent |\r\n| SecurityEvent |table| Security Events |\r\n| SecurityIncident | table| Not Applicable |\r\n| SigninLogs |table|Azure Active Directory |\r\n| Syslog | table | Syslog |\r\n| ThreatIntelligenceIndicator |table| Threat Intelligence (Platforms and/or TAXII)|\r\n| UpdateSummary |table| Azure Security Center with Microsoft Monitoring Agent |\r\n| Update | table | Azure Security Center with Microsoft Monitoring Agent |\r\n| VMConnection | table | Azure Monitor VM Insights |\r\n| W3CIISLog | table | Microsoft Monitoring Agent |\r\n| WindowsFirewall | table | Windows Firewall |\r\n\r\n",
"style": "info"
},
"name": "text - 19"
}
]
},
"conditionalVisibility": {
"parameterName": "Help",
"comparison": "isEqualTo",
"value": "Yes"
},
"name": "HelpGroup"
},
{
"type": 1,
"content": {
"json": "### Incident Insights\n---\n\n"
},
"conditionalVisibility": {
"parameterName": "investigateBy",
"comparison": "isEqualTo",
"value": "Incident"
},
"name": "IncidentHeader"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "e3e3e2b2-4e83-43a2-b65b-59f1cdd1d30c",
"version": "KqlParameterItem/1.0",
"name": "SelectSeverity",
"label": "Incident Severity",
"type": 2,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "let SortOrder = datatable(Value:string, SortOrder:int)\r\n[\"High\", 1, \"Medium\", 2, \"Low\", 3, \"Informational\", 4];\r\nSecurityIncident\r\n| where CreatedTime {TimeRange:value}\r\n| summarize arg_max(TimeGenerated,*) by IncidentNumber\r\n| summarize Count=dcount(IncidentNumber) by Severity\r\n| extend Label = strcat(Severity,\" [\",Count,\"]\")\r\n| project Label, Value=Severity\r\n| distinct Value, Label\r\n| join kind=leftouter SortOrder on Value\r\n| project Value, Label",
"crossComponentResources": [
"{Workspace}"
],
"value": [
"value::all"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
],
"showDefault": false
},
"defaultValue": "value::all",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
{
"id": "2be7af21-dc71-45af-bbac-f4a6a9140390",
"version": "KqlParameterItem/1.0",
"name": "Status",
"type": 2,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "SecurityIncident\r\n| where CreatedTime {TimeRange:value}\r\n| where Severity in ({SelectSeverity})\r\n| distinct Status\r\n| sort by Status asc",
"crossComponentResources": [
"{Workspace}"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
],
"showDefault": false
},
"defaultValue": "value::all",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
{
"id": "53c5d5c8-5ea1-4df9-81af-63dc3e80254c",
"version": "KqlParameterItem/1.0",
"name": "Owner",
"type": 2,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "SecurityIncident\r\n| where CreatedTime {TimeRange:value}\r\n| where Status in ({Status})\r\n| where Severity in ({SelectSeverity})\r\n| project Owner=tostring(Owner.userPrincipalName)\r\n| sort by Owner asc\r\n| extend Owner = iff(isnotempty( Owner), Owner, \"Unassigned\")\r\n| distinct Owner",
"crossComponentResources": [
"{Workspace}"
],
"value": [
"value::all"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
],
"showDefault": false
},
"defaultValue": "value::all",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
{
"id": "88a6775c-d6de-45b1-a027-3a43731c1d93",
"version": "KqlParameterItem/1.0",
"name": "Tags",
"label": "",
"type": 2,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "SecurityIncident\r\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\r\n| mv-expand Labels\r\n| project Tags=tostring(Labels.labelName)\r\n| distinct Tags\r\n| sort by Tags asc\r\n| union (datatable(Tags:string)[\"Untagged\"])",
"crossComponentResources": [
"{Workspace}"
],
"value": [
"value::all"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
],
"showDefault": false
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"defaultValue": "value::all",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
{
"id": "e68521f2-ba48-4df5-bad2-0b434aa8de07",
"version": "KqlParameterItem/1.0",
"name": "IncidentNumber",
"label": "Incident Number",
"type": 1,
"value": ""
}
],
"style": "above",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"conditionalVisibility": {
"parameterName": "investigateBy",
"comparison": "isEqualTo",
"value": "Incident"
},
"customWidth": "45",
"name": "parameters - 19 - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityIncident\r\n//| summarize IncidentCount=count() by TimeGenerated\r\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\r\n| where IncidentNumber == \"{IncidentNumber}\" or isempty(\"{IncidentNumber}\")\r\n| where CreatedTime {TimeRange:value}\r\n| where Status in ({Status})\r\n| where Severity in ({SelectSeverity})\r\n| where tostring(Owner.userPrincipalName) in ({Owner}) or (isempty(tostring(Owner.userPrincipalName)) and \"Unassigned\" in ({Owner}))\r\n| summarize IncidentCount=dcount(IncidentNumber) by bin(CreatedTime, {TimeRange:grain})\r\n",
"size": 1,
"title": "Incident Timeline",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "linechart",
"sortBy": [],
"chartSettings": {
"ySettings": {
"min": 0
}
}
},
"conditionalVisibility": {
"parameterName": "investigateBy",
"comparison": "isEqualTo",
"value": "Incident"
},
"customWidth": "55",
"name": "IncidentByTime - Copy"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 1,
"content": {
"json": "### Incident Trending at a Glance\r\n---"
},
"conditionalVisibilities": [
{
"parameterName": "IncidentView",
"comparison": "isEqualTo",
"value": "Yes"
},
{
"parameterName": "investigateBy",
"comparison": "isEqualTo",
"value": "Incident"
}
],
"name": "IncidentHeader - Copy"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "// lookup all Severities seen in last month \r\nlet pastMonth = SecurityIncident | where TimeGenerated > startofday(ago(30d)) | summarize by Severity;\r\n SecurityIncident\r\n// lookup Severities from today only\r\n| where TimeGenerated > ago(1d)\r\n| summarize todayCount=count() by Severity\r\n| join kind=fullouter (pastMonth) on Severity\r\n| join (\r\n SecurityIncident \r\n // from oldest suplied parameter until this time Yesterday \r\n | where TimeGenerated between (startofday({TimeRange:start}) .. ago(1d))\r\n // get avg from oldest date to this time yesterday\r\n | summarize count() by Severity , bin(TimeGenerated,1d)\r\n | summarize historyCount = round(avg(count_),1) by Severity\r\n | extend low = iif(Severity == \"Low\",\"a\",\"\"),\r\n med = iif(Severity == \"Medium\",\"b\",\"\"),\r\n high = iif(Severity == \"High\",\"c\",\"\"),\r\n info = iif(Severity == \"Informational\",\"d\",\"\")\r\n ) on $left.Severity1 == $right.Severity\r\n | extend todayCount = iif(isempty(todayCount),0,todayCount)\r\n | extend trendIs = case(\r\n todayCount > historyCount,\"Trending Up\",\r\n todayCount == historyCount,\"Equal\",\r\n todayCount < historyCount,\"Trending Down\",\r\n Severity2\r\n )\r\n| project Severity2, todayCount, historyCount, trendIs, low, med, high, info\r\n| order by high, med, low, info",
"size": 1,
"title": "Incident Severity Trend - Average count from {TimeRange:label} vs. Last 24hr Count",
"exportFieldName": "Severity",
"exportParameterName": "Severity",
"exportDefaultValue": "All",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "tiles",
"gridSettings": {
"sortBy": [
{
"itemKey": "historyCount",
"sortOrder": 2
}
]
},
"sortBy": [
{
"itemKey": "historyCount",
"sortOrder": 2
}
],
"tileSettings": {
"titleContent": {
"columnMatch": "Severity2",
"formatter": 1
},
"subtitleContent": {
"columnMatch": "historyCount",
"tooltipFormat": {
"tooltip": "Average Count"
}
},
"leftContent": {
"columnMatch": "trendIs",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "Trending Up",
"representation": "trendup",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Trending Down",
"representation": "trenddown",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Equal",
"representation": "Normal",
"text": "{0}{1}"
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "Blank",
"text": ""
}
]
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"useGrouping": false
}
}
},
"secondaryContent": {
"columnMatch": "todayCount",
"formatter": 12,
"formatOptions": {
"palette": "blue"
},
"tooltipFormat": {
"tooltip": "Today's Count"
}
},
"showBorder": true
}
},
"customWidth": "59",
"conditionalVisibility": {
"parameterName": "IncidentView",
"comparison": "isEqualTo",
"value": "Yes"
},
"name": "IncidentBySev - Incident Trend "
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let SortOrder = datatable(Severity:string, SortOrder:int)[\"High\", 1, \"Medium\", 2, \"Low\", 3, \"Informational\", 4,];\r\nSecurityIncident\r\n| join kind=leftouter SortOrder on Severity\r\n| make-series count() on bin(TimeGenerated,1d) from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by Severity\r\n\r\n\r\n",
"size": 1,
"title": "Incident Severity Trend - Average count from {TimeRange:label} ",
"timeContext": {
"durationMs": 604800000
},
"timeContextFromParameter": "TimeRange",
"exportFieldName": "Severity",
"exportParameterName": "Severity",
"exportDefaultValue": "All",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "count_",
"formatter": 9,
"formatOptions": {
"palette": "greenRed"
}
},
{
"columnMatch": "TimeGenerated",
"formatter": 5
}
],
"labelSettings": [
{
"columnId": "Severity"
},
{
"columnId": "count_",
"label": "Trend"
},
{
"columnId": "TimeGenerated"
}
]
},
"sortBy": [],
"tileSettings": {
"titleContent": {
"columnMatch": "Severity2",
"formatter": 1
},
"subtitleContent": {
"columnMatch": "historyCount",
"tooltipFormat": {
"tooltip": "Average Count"
}
},
"leftContent": {
"columnMatch": "trendIs",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "Trending Up",
"representation": "trendup",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Trending Down",
"representation": "trenddown",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Equal",
"representation": "Normal",
"text": "{0}{1}"
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "Blank",
"text": ""
}
]
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"useGrouping": false
}
}
},
"secondaryContent": {
"columnMatch": "todayCount",
"formatter": 12,
"formatOptions": {
"palette": "blue"
},
"tooltipFormat": {
"tooltip": "Today's Count"
}
},
"showBorder": true
}
},
"customWidth": "39",
"conditionalVisibility": {
"parameterName": "IncidentView",
"comparison": "isEqualTo",
"value": "Yes"
},
"name": "IncidentBySev - Incident Trend - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "// lookup all Status states seen in last month \r\nlet pastMonth = SecurityIncident | where TimeGenerated > startofday(ago(30d)) | summarize by Status;\r\n SecurityIncident\r\n// lookup Status states, from today only\r\n| where TimeGenerated > ago(1d)\r\n| summarize todayCount=count() by Status\r\n| join kind=fullouter (pastMonth) on Status\r\n| join (\r\n SecurityIncident \r\n // from oldest suplied parameter until 24hrs ago \r\n | where TimeGenerated between (startofday({TimeRange:start}) .. ago(1d))\r\n // get avg from oldest date to this time yesterday\r\n | summarize count() by Status , bin(TimeGenerated,1d)\r\n | summarize historyCount = round(avg(count_),2) by Status\r\n ) on $left.Status1 == $right.Status\r\n| extend todayCount = iif(isempty(todayCount),0,todayCount)\r\n | extend trendIs = case(\r\n todayCount > historyCount,\"Trending Up\",\r\n todayCount == historyCount,\"Equal\",\r\n todayCount < historyCount,\"Trending Down\",\r\n Status2\r\n )\r\n| project Status2, todayCount, historyCount, trendIs ",
"size": 1,
"title": "Incident Status Trend - Average count from {TimeRange:label} vs. Last 24hr Count",
"exportFieldName": "Severity",
"exportParameterName": "Severity",
"exportDefaultValue": "All",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "tiles",
"gridSettings": {
"sortBy": [
{
"itemKey": "historyCount",
"sortOrder": 2
}
]
},
"sortBy": [
{
"itemKey": "historyCount",
"sortOrder": 2
}
],
"tileSettings": {
"titleContent": {
"columnMatch": "Status2",
"formatter": 1
},
"subtitleContent": {
"columnMatch": "historyCount",
"tooltipFormat": {
"tooltip": "Average Count"
}
},
"leftContent": {
"columnMatch": "trendIs",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "Trending Up",
"representation": "trendup",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Trending Down",
"representation": "trenddown",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Equal",
"representation": "Normal",
"text": "{0}{1}"
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "Blank",
"text": ""
}
]
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"useGrouping": false
}
}
},
"secondaryContent": {
"columnMatch": "todayCount",
"formatter": 12,
"formatOptions": {
"palette": "greenRed"
},
"tooltipFormat": {
"tooltip": "Today's Count"
}
},
"showBorder": true
}
},
"customWidth": "59",
"conditionalVisibility": {
"parameterName": "IncidentView",
"comparison": "isEqualTo",
"value": "Yes"
},
"name": "IncidentBySev - Incident Trend - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityIncident\r\n| make-series count() on bin(TimeGenerated,1d) from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by Status\r\n\r\n\r\n",
"size": 1,
"title": "Incident Status Trend - Average count from {TimeRange:label} ",
"timeContext": {
"durationMs": 604800000
},
"timeContextFromParameter": "TimeRange",
"exportFieldName": "Severity",
"exportParameterName": "Severity",
"exportDefaultValue": "All",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "count_",
"formatter": 9,
"formatOptions": {
"palette": "greenRed"
}
},
{
"columnMatch": "TimeGenerated",
"formatter": 5
}
],
"labelSettings": [
{
"columnId": "Status"
},
{
"columnId": "count_",
"label": "Trend"
},
{
"columnId": "TimeGenerated"
}
]
},
"sortBy": [],
"tileSettings": {
"titleContent": {
"columnMatch": "Severity2",
"formatter": 1
},
"subtitleContent": {
"columnMatch": "historyCount",
"tooltipFormat": {
"tooltip": "Average Count"
}
},
"leftContent": {
"columnMatch": "trendIs",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "Trending Up",
"representation": "trendup",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Trending Down",
"representation": "trenddown",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Equal",
"representation": "Normal",
"text": "{0}{1}"
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "Blank",
"text": ""
}
]
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"useGrouping": false
}
}
},
"secondaryContent": {
"columnMatch": "todayCount",
"formatter": 12,
"formatOptions": {
"palette": "blue"
},
"tooltipFormat": {
"tooltip": "Today's Count"
}
},
"showBorder": true
}
},
"customWidth": "39",
"conditionalVisibility": {
"parameterName": "IncidentView",
"comparison": "isEqualTo",
"value": "Yes"
},
"name": "IncidentBySev - Incident Trend - Copy - Copy"
}
]
},
"name": "customGroup"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "Security Table Anomalies",
"items": [
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "a04e32b1-ffbe-47b6-96bf-4d77891fe3d9",
"version": "KqlParameterItem/1.0",
"name": "AnomaliesTimeRange",
"type": 4,
"value": {
"durationMs": 604800000
},
"typeSettings": {
"selectableValues": [
{
"durationMs": 172800000
},
{
"durationMs": 259200000
},
{
"durationMs": 604800000
},
{
"durationMs": 1209600000
},
{
"durationMs": 2419200000
},
{
"durationMs": 2592000000
},
{
"durationMs": 5184000000
},
{
"durationMs": 7776000000
}
]
},
"timeContext": {
"durationMs": 86400000
}
},
{
"id": "bec01a6d-0c4e-4510-ba14-9297ca422da9",
"version": "KqlParameterItem/1.0",
"name": "SampleInterval",
"type": 2,
"typeSettings": {
"additionalResourceOptions": []
},
"jsonData": "[{ \"value\": \"5m\", \"label\": \"5m\" }, { \"value\": \"1h\", \"label\": \"1h\" }, { \"value\": \"1d\", \"label\": \"1d\" , \"selected\":true }, { \"value\": \"7d\", \"label\": \"7d\" , \"selected\":true },{ \"value\": \"14d\", \"label\": \"14d\"}]",
"timeContext": {
"durationMs": 86400000
},
"value": "1h"
},
{
"id": "345e2087-decb-4751-b800-5bba202d65f7",
"version": "KqlParameterItem/1.0",
"name": "PositiveAlertThreshold",
"type": 1,
"isRequired": true,
"value": "0",
"timeContext": {
"durationMs": 86400000
}
},
{
"id": "8a8384a1-c192-41c5-83e6-57dd59a24bfa",
"version": "KqlParameterItem/1.0",
"name": "NegativeAlertThreshold",
"type": 1,
"isRequired": true,
"value": "0.0",
"timeContext": {
"durationMs": 86400000
}
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 3"
},
{
"type": 1,
"content": {
"json": "### Security Anomalies "
},
"name": "text - 4"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "union withsource=TableName1 SecurityIncident, SecurityAlert, SecurityEvent, CommonSecurityLog, Syslog\r\n| make-series count() on TimeGenerated from {AnomaliesTimeRange:start} to {AnomaliesTimeRange:end} step {SampleInterval:value} by TableName1\r\n| extend (anomalies, score, baseline) = series_decompose_anomalies(count_, 1.5, 7, 'linefit', 1, 'ctukey', 0.01)\r\n//| where anomalies[-1] == 1 or anomalies[-1] == -1 \r\n| extend Score = score[-1]\r\n| where Score >= {PositiveAlertThreshold:value} or Score <= {NegativeAlertThreshold:value}\r\n| project TableName1, expectedCounts=baseline[-1], actualCount=count_[-1], Score = score[-1]",
"size": 4,
"title": "Anomalies detected in security tables: {AnomaliesTimeRange:label}, step {SampleInterval:value}",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "AnomaliesTimeRange",
"exportFieldName": "TableName1",
"exportParameterName": "TableName1",
"exportDefaultValue": "All",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "expectedCounts",
"formatter": 0,
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": false,
"maximumSignificantDigits": 2
}
}
},
{
"columnMatch": "actualCount",
"formatter": 0,
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"maximumSignificantDigits": 2
}
}
},
{
"columnMatch": "Score",
"formatter": 0,
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"maximumSignificantDigits": 3
}
}
}
]
},
"sortBy": []
},
"customWidth": "50",
"name": "query - 2"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "union withsource=TableName1 *\r\n| where TableName1 == '{TableName1}'\r\n| make-series count() on TimeGenerated from {AnomaliesTimeRange:start} to {AnomaliesTimeRange:end} step {SampleInterval:value}\r\n| extend (anomalies, score, baseline) = series_decompose_anomalies(count_, 1.5, 7, 'linefit', 1, 'ctukey', 0.01)\r\n| project-away anomalies, score\r\n",
"size": 1,
"title": "Anomaly graph for the selected table",
"timeContext": {
"durationMs": 604800000
},
"timeContextFromParameter": "AnomaliesTimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "timechart"
},
"customWidth": "50",
"name": "query - 4"
}
]
},
"conditionalVisibility": {
"parameterName": "Hide",
"comparison": "isEqualTo",
"value": "EnableAfterMVP"
},
"name": "group - Security Anomalies"
}
]
},
"conditionalVisibilities": [
{
"parameterName": "IncidentView",
"comparison": "isEqualTo",
"value": "Yes"
},
{
"parameterName": "investigateBy",
"comparison": "isEqualTo",
"value": "Incident"
}
],
"name": "incidentTrending",
"styleSettings": {
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let selectedTags = dynamic([{Tags}]);\r\nSecurityIncident\r\n| summarize arg_max(TimeGenerated,*) by tostring(IncidentNumber)\r\n| where IncidentNumber == \"{IncidentNumber}\" or isempty(\"{IncidentNumber}\")\r\n| where Severity in ({SelectSeverity})\r\n| where Status in ({Status})\r\n| where Labels has_any(selectedTags) or (selectedTags has_any(\"Untagged\") and array_length(Labels) == 0)\r\n| extend Alerts = extract(\"\\\\[(.*?)\\\\]\", 1, tostring(AlertIds))\r\n| mv-expand AlertIds to typeof(string)\r\n| join \r\n(\r\n SecurityAlert\r\n | extend AlertEntities = parse_json(Entities)\r\n | mv-expand AlertEntities\r\n | extend sortOrder = case \r\n ( \r\n AlertEntities.Type == \"account\",1, AlertEntities.Type == \"host\",2, AlertEntities.Type == \"ip\",3, AlertEntities.Type == \"url\",4, 99\r\n ) \r\n | order by sortOrder asc \r\n) on $left.AlertIds == $right.SystemAlertId\r\n| summarize AlertCount=dcount(AlertIds), entityList=make_set(tostring(AlertEntities.Type)) by IncidentNumber, Status, Severity, Title, Alerts, IncidentUrl, Owner=tostring(Owner.userPrincipalName) , Tactics =tostring(AdditionalData.tactics)\r\n| where Owner in ({Owner}) or (isempty(Owner) and \"Unassigned\" in ({Owner}))\r\n// set column order\r\n| project IncidentNumber, Severity, Status, AlertCount,Owner, Title, Alerts, entityList, Tactics, IncidentUrl\r\n| order by IncidentNumber desc",
"size": 2,
"title": "Incident Details - {TimeRange:label} ",
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"exportedParameters": [
{
"fieldName": "Alerts",
"parameterName": "Alerts",
"defaultValue": "\"None\""
},
{
"fieldName": "IncidentNumber",
"parameterName": "INexport",
"parameterType": 1,
"defaultValue": "None"
},
{
"parameterType": 1
}
],
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "Severity",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "High",
"representation": "3",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Medium",
"representation": "2",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Low",
"representation": "down",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Informational",
"representation": "info",
"text": "{0}{1}"
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "unknown",
"text": "{0}{1}"
}
]
}
},
{
"columnMatch": "Status",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "colors",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "New",
"representation": "gray",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Active",
"representation": "green",
"text": "{0}{1}"
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "blue",
"text": "{0}{1}"
}
]
}
},
{
"columnMatch": "AlertCount",
"formatter": 0,
"formatOptions": {
"aggregation": "Sum"
}
},
{
"columnMatch": "Owner",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "25ch"
}
},
{
"columnMatch": "Alerts",
"formatter": 5
},
{
"columnMatch": "IncidentUrl",
"formatter": 7,
"formatOptions": {
"linkTarget": "Url",
"linkLabel": "Open Incident in the Azure Sentinel Portal"
}
},
{
"columnMatch": "Entities",
"formatter": 1
},
{
"columnMatch": "alertCount",
"formatter": 8,
"formatOptions": {
"min": 0,
"palette": "redBright"
}
},
{
"columnMatch": "count_AlertCount",
"formatter": 8,
"formatOptions": {
"palette": "greenRed"
}
}
],
"rowLimit": 500,
"filter": true,
"labelSettings": [
{
"columnId": "IncidentNumber"
},
{
"columnId": "Status"
},
{
"columnId": "Owner"
},
{
"columnId": "Title"
},
{
"columnId": "IncidentUrl"
}
]
},
"sortBy": []
},
"customWidth": "75",
"conditionalVisibility": {
"parameterName": "investigateBy",
"comparison": "isEqualTo",
"value": "Incident"
},
"name": "IncidentDetailsView - Copy - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityIncident\r\n| where IncidentNumber == '{INexport}' \r\n| summarize arg_max(TimeGenerated,CreatedTime,Status, Severity, Owner, AdditionalData, IncidentUrl, Comments, Classification, ClassificationComment,Labels, Title, AlertIds) by IncidentNumber\r\n| extend Tactics = todynamic(AdditionalData.tactics)\r\n| extend Owner = todynamic(Owner.assignedTo), IncidentCreated = format_datetime(CreatedTime,'yy-MM-dd HH:mm')\r\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \r\n| extend Tags = extract_all('labelName\":\"(.*?)\"',tostring(Labels))\r\n| extend Owner = case(Owner==\"\", \"Unassigned\",Owner), Products = strcat_array(AdditionalData.alertProductNames, \", \"), Alerts = tostring(AdditionalData.alertsCount), Bookmarks = tostring(AdditionalData.bookmarksCount), Comments = tostring(AdditionalData.commentsCount), Tactics = strcat_array(AdditionalData.tactics, \", \"), Labels = strcat_array(Tags, \", \")\r\n| mvexpand AlertIds to typeof(string)\r\n| join kind=leftouter\r\n(SecurityAlert\r\n| summarize arg_max(TimeGenerated,AlertName, Description, AlertType, Entities)by SystemAlertId) on $left.AlertIds == $right.SystemAlertId\r\n| summarize AlertName = makelist(AlertName), AlertType = makelist(AlertType) by Comments, Labels, Title, Products, AlertsCount = Alerts, Bookmarks, Status, Severity, Owner, IncidentCreated \r\n| extend AlertNames = strcat_array(AlertName, \", \"), AlertTypes = strcat_array(AlertType, \", \")\r\n| project packed = pack_all()\r\n| mv-expand packed\r\n| parse tostring(packed) with * '\"' Field '\":\"' Value '\"}'\r\n| where Field in ('Severity', 'Owner','Status','Comments', 'AlertsCount','Products','Title', 'IncidentCreated', 'Labels','Bookmarks', 'AlertNames', 'AlertsType')\r\n| extend Order = case(Field==\"Title\", 1,Field==\"IncidentCreated\", 2,Field==\"Severity\", 3,Field==\"Status\", 4,Field==\"Owner\", 5,Field==\"Products\", 6,Field==\"AlertsType\",6,Field==\"AlertsCount\", 
7,Field==\"Bookmarks\", 8, Field==\"Labels\", 9, 100)\r\n",
"size": 3,
"title": "Incident Summary: {INexport}",
"noDataMessage": "Select an incident to show its summary",
"noDataMessageStyle": 2,
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "tiles",
"tileSettings": {
"titleContent": {
"columnMatch": "Field",
"formatter": 1
},
"rightContent": {
"columnMatch": "Value"
},
"showBorder": true,
"sortCriteriaField": "Order",
"size": "auto"
}
},
"customWidth": "25",
"conditionalVisibility": {
"parameterName": "investigateBy",
"comparison": "isEqualTo",
"value": "Incident"
},
"name": "query - 5"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityAlert\r\n| where SystemAlertId in ({Alerts})\r\n| summarize by DisplayName, ProductName, StartTime, EndTime, SystemAlertId, ProviderName\r\n| sort by EndTime desc",
"size": 1,
"title": "Alerts",
"noDataMessage": "Select an incident to show its alerts",
"noDataMessageStyle": 2,
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"exportFieldName": "SystemAlertId",
"exportParameterName": "AlertID",
"exportDefaultValue": "None",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "SystemAlertId",
"formatter": 5
}
]
},
"sortBy": []
},
"customWidth": "75",
"conditionalVisibilities": [
{
"parameterName": "Alerts",
"comparison": "isNotEqualTo",
"value": ""
},
{
"parameterName": "investigateBy",
"comparison": "isEqualTo",
"value": "Incident"
}
],
"name": "AlertsByIncident"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let AlertEntities = SecurityAlert\r\n| where SystemAlertId == \"{AlertID}\"\r\n| where TimeGenerated {TimeRange}\r\n| extend AlertEntities = parse_json(Entities)\r\n| mv-expand AlertEntities\r\n| where isnotempty(AlertEntities)\r\n| project AlertEntities;\r\nlet filehashEntities = AlertEntities\r\n| where AlertEntities.Type =~ \"filehash\"\r\n| extend Entity = tostring(AlertEntities.Value)\r\n| extend EntityType = strcat(tostring(AlertEntities.Type), \"-\", tostring(AlertEntities.Algorithm))\r\n| distinct Entity, EntityType;\r\nlet fileEntities = AlertEntities\r\n| where AlertEntities.Type == \"file\"\r\n| extend Entity = strcat(tostring(AlertEntities.Directory), \"\\\\\", tostring(AlertEntities.Name))\r\n| extend EntityType = tostring(AlertEntities.Type)\r\n| distinct Entity, EntityType;\r\nlet nestedFileHashEntities = AlertEntities\r\n| where AlertEntities.Type =~ \"file\"\r\n| where isnotempty(AlertEntities.FileHashes)\r\n| mv-expand hashes=AlertEntities.FileHashes\r\n| extend Entity = tostring(hashes.Value)\r\n| extend EntityType = strcat(tostring(hashes.Type), \"-\", tostring(hashes.Algorithm))\r\n| distinct Entity, EntityType;\r\nlet IPEntities = AlertEntities\r\n| where AlertEntities.Type == \"ip\"\r\n| extend Entity = tostring(AlertEntities.Address)\r\n| extend EntityType = tostring(AlertEntities.Type)\r\n| distinct Entity, EntityType;\r\nlet AccountEntities = AlertEntities\r\n| where AlertEntities.Type == \"account\"\r\n| extend Entity = iff(isnotempty(AlertEntities.UPNSuffix), strcat(AlertEntities.Name, '@', AlertEntities.UPNSuffix), AlertEntities.Name)\r\n| extend EntityType = tostring(AlertEntities.Type)\r\n| distinct Entity, EntityType;\r\nlet HostEntities = AlertEntities\r\n| where AlertEntities.Type == \"host\"\r\n| extend Entity = iff(isnotempty(AlertEntities.DnsDomain), strcat(AlertEntities.HostName, '.', AlertEntities.DnsDomain), AlertEntities.HostName)\r\n| extend EntityType = tostring(AlertEntities.Type)\r\n| distinct Entity, 
EntityType;\r\nlet appEntities = AlertEntities\r\n| where AlertEntities.Type == \"cloud-application\"\r\n| extend Entity = tostring(AlertEntities.Name)\r\n| extend EntityType = tostring(AlertEntities.Type)\r\n| distinct Entity, EntityType;\r\nlet azresEntities = AlertEntities\r\n| where AlertEntities.Type == \"azure-resource\"\r\n| extend Entity = tostring(AlertEntities.ResourceId)\r\n| extend EntityType = tostring(AlertEntities.Type)\r\n| distinct Entity, EntityType;\r\nlet malwareEntities = AlertEntities\r\n| where AlertEntities.Type == \"malware\"\r\n| extend Entity = tostring(AlertEntities.Name)\r\n| extend EntityType = tostring(AlertEntities.Type)\r\n| distinct Entity, EntityType;\r\nlet domResIdEntities = AlertEntities\r\n| where AlertEntities.Type == \"DomainResourceIdentifier\"\r\n| extend Entity = tostring(AlertEntities.ResourceName)\r\n| extend EntityType = tostring(AlertEntities.Type)\r\n| distinct Entity, EntityType;\r\nlet dnsEntities = AlertEntities\r\n| where AlertEntities.Type == \"dns\"\r\n| extend Entity = tostring(AlertEntities.DomainName)\r\n| extend EntityType = tostring(AlertEntities.Type)\r\n| distinct Entity, EntityType;\r\nAlertEntities\r\n| where AlertEntities.Type == \"url\"\r\n| extend Entity = tostring(AlertEntities.Url)\r\n| extend EntityType = tostring(AlertEntities.Type)\r\n| distinct Entity, EntityType\r\n| union IPEntities, AccountEntities, HostEntities, filehashEntities, fileEntities, nestedFileHashEntities, appEntities, azresEntities, malwareEntities, domResIdEntities, dnsEntities\r\n| where isnotempty(Entity)\r\n| order by EntityType asc",
"size": 1,
"title": "Entities",
"noDataMessage": "Select an alert to show its entities",
"noDataMessageStyle": 2,
"exportedParameters": [
{
"fieldName": "Entity",
"parameterName": "EntityData",
"defaultValue": "None"
},
{
"fieldName": "EntityType",
"parameterName": "EntityType",
"parameterType": 1
}
],
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
]
},
"customWidth": "25",
"conditionalVisibilities": [
{
"parameterName": "Alerts",
"comparison": "isNotEqualTo"
},
{
"parameterName": "investigateBy",
"comparison": "isEqualTo",
"value": "Incident"
}
],
"name": "EntitiesByIncident"
}
],
"exportParameters": true
},
"conditionalVisibility": {
"parameterName": "investigateBy",
"comparison": "isEqualTo",
"value": "Incident"
},
"name": "IncidentGroup"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 1,
"content": {
"json": "### Bookmark Insights\r\n---\r\n\r\n"
},
"name": "text - 20"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"crossComponentResources": [
"{Workspace}"
],
"parameters": [
{
"id": "947f6af6-e8c1-4f6b-b457-693af446156a",
"version": "KqlParameterItem/1.0",
"name": "CreatedBy",
"type": 2,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "HuntingBookmark\r\n| extend Entities = parse_json(QueryResultRow).__entityMapping\r\n| summarize arg_max(TimeGenerated, CreatedBy) by BookmarkId\r\n| extend CreatedBy = tostring(parse_json(CreatedBy).Email)\r\n| distinct CreatedBy\r\n| sort by CreatedBy asc",
"crossComponentResources": [
"{Workspace}"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
],
"showDefault": false
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"defaultValue": "value::all",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
{
"id": "288cf7d8-a8c8-411d-b913-e9f21429a5ff",
"version": "KqlParameterItem/1.0",
"name": "LastModifiedBy",
"type": 2,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "HuntingBookmark\r\n| extend Entities = parse_json(QueryResultRow).__entityMapping\r\n| summarize arg_max(TimeGenerated, UpdatedBy) by BookmarkId\r\n| extend UpdatedBy = tostring(parse_json(UpdatedBy).Email)\r\n| distinct UpdatedBy\r\n| sort by UpdatedBy asc",
"crossComponentResources": [
"{Workspace}"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
],
"showDefault": false
},
"timeContext": {
"durationMs": 604800000
},
"timeContextFromParameter": "TimeRange",
"defaultValue": "value::all",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
}
],
"style": "above",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "BookmarkParam"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "HuntingBookmark\r\n| extend Entities = parse_json(QueryResultRow).__entityMapping\r\n| summarize arg_max(TimeGenerated, BookmarkName, CreatedBy, UpdatedBy, CreatedTime, Notes, Tags) by BookmarkId\r\n| extend CreatedBy = tostring(parse_json(CreatedBy).Email)\r\n| extend UpdatedBy = tostring(parse_json(UpdatedBy).Email)\r\n| where CreatedBy in ({CreatedBy})\r\n| where UpdatedBy in ({LastModifiedBy})\r\n| sort by TimeGenerated desc\r\n| project BookmarkName, CreatedBy, UpdatedBy, Notes, Tags, BookmarkId",
"size": 0,
"title": "Bookmarks",
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"exportFieldName": "BookmarkId",
"exportParameterName": "BookmarkId",
"exportDefaultValue": "None",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "BookmarkId",
"formatter": 5
}
]
}
},
"customWidth": "75",
"name": "query - 21"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "HuntingBookmark\r\n//| where TimeGenerated > ago(14d)\r\n| where BookmarkId == \"{BookmarkId}\"\r\n| extend Entities = parse_json(QueryResultRow).__entityMapping\r\n| summarize arg_max(TimeGenerated, Entities) by BookmarkId\r\n| extend splitEntities = split(replace(@'[\"{}]', '', tostring(Entities)),',')\r\n| mv-expand splitEntities\r\n| extend splitEntity = split(splitEntities, ':')\r\n| extend EntityType = tolower(splitEntity[1]), Entity = splitEntity[0]\r\n| where isnotempty(Entity)\r\n| project Entity, EntityType",
"size": 0,
"title": "Entities",
"noDataMessage": "Select a bookmark to see entities.",
"noDataMessageStyle": 2,
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"exportedParameters": [
{
"fieldName": "Entity",
"parameterName": "EntityData",
"parameterType": 1
},
{
"fieldName": "EntityType",
"parameterName": "EntityType",
"parameterType": 1
}
],
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
]
},
"customWidth": "25",
"name": "query - 21 - Copy"
}
],
"exportParameters": true
},
"conditionalVisibility": {
"parameterName": "investigateBy",
"comparison": "isEqualTo",
"value": "Bookmark"
},
"name": "BookmarkGroup"
},
{
"type": 1,
"content": {
"json": "### Entity Insights\r\n---\r\nChoose an entity type to investigate by."
},
"name": "InvestigationHeader"
},
{
"type": 11,
"content": {
"version": "LinkItem/1.0",
"style": "tabs",
"links": [
{
"id": "2d86a4e0-881d-475f-9bfb-0baf99010471",
"cellValue": "InvestigationType",
"linkTarget": "parameter",
"linkLabel": "Investigate IP Address",
"subTarget": "IP",
"style": "link"
},
{
"id": "5cfe0f82-d29c-4a9a-b7dd-f329fb7b988b",
"cellValue": "InvestigationType",
"linkTarget": "parameter",
"linkLabel": "Investigate Account",
"subTarget": "Account",
"style": "link"
},
{
"id": "e8b98a6c-26b9-4ab8-a6c3-cfae76da70a9",
"cellValue": "InvestigationType",
"linkTarget": "parameter",
"linkLabel": "Investigate Host",
"subTarget": "Host",
"style": "link"
},
{
"id": "1f808e56-e32f-436b-8154-b9b78fece9e6",
"cellValue": "InvestigationType",
"linkTarget": "parameter",
"linkLabel": "Investigate URL",
"subTarget": "URL",
"style": "link"
},
{
"id": "cb986821-e409-4938-98d1-8e33e7478145",
"cellValue": "InvestigationType",
"linkTarget": "parameter",
"linkLabel": "Investigate File Hash",
"subTarget": "FileHash",
"style": "link"
},
{
"id": "7720a8f8-10e8-4be3-b980-fe6d6bb45b6d",
"cellValue": "InvestigationType",
"linkTarget": "parameter",
"linkLabel": "Full Search",
"subTarget": "Search",
"style": "link"
},
{
"id": "0ba1e996-2122-44c4-8794-423ddbecba02",
"cellValue": "InvestigationType",
"linkTarget": "parameter",
"linkLabel": "{GlobalCustomTabName}",
"subTarget": "Custom",
"style": "link"
}
]
},
"name": "InvestigationLinks"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"crossComponentResources": [
"{Workspace}"
],
"parameters": [
{
"id": "d492cada-966f-484b-b527-d41ba2ddd1a3",
"version": "KqlParameterItem/1.0",
"name": "IPAddress",
"type": 1,
"isRequired": true,
"query": "datatable(Entity:string, EntityType:string)\r\n\t[\"{EntityData}\",\"{EntityType}\"]\r\n| where EntityType =~ \"ip\"\r\n| project Entity",
"crossComponentResources": [
"{Workspace}"
],
"timeContext": {
"durationMs": 604800000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"value": ""
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"conditionalVisibility": {
"parameterName": "InvestigationType",
"comparison": "isEqualTo",
"value": "IP"
},
"name": "parameters - 8"
},
{
"type": 11,
"content": {
"version": "LinkItem/1.0",
"style": "tabs",
"links": [
{
"id": "d3818dec-355b-49b0-a2ba-e119da14844a",
"cellValue": "IPNav",
"linkTarget": "parameter",
"linkLabel": "Active Accounts",
"subTarget": "Accounts",
"preText": "",
"style": "link"
},
{
"id": "c4a505ba-ae31-4fa6-bbbc-659d0b27d036",
"cellValue": "IPNav",
"linkTarget": "parameter",
"linkLabel": "Network",
"subTarget": "Network",
"preText": "",
"style": "link"
},
{
"id": "ca04718e-3a80-42bd-b6c5-e5acadbc0a1d",
"cellValue": "IPNav",
"linkTarget": "parameter",
"linkLabel": "Normalized Network (Preview)",
"subTarget": "NormalizedNetwork",
"style": "link"
},
{
"id": "08336f47-fe4b-4ba4-989c-d265aff3207d",
"cellValue": "IPNav",
"linkTarget": "parameter",
"linkLabel": "IOCs",
"subTarget": "IOC",
"style": "link"
},
{
"id": "c96ba98d-c211-419b-8abf-ea25772ab122",
"cellValue": "IPNav",
"linkTarget": "parameter",
"linkLabel": "Related Alerts & Bookmarks",
"subTarget": "Related",
"style": "link"
},
{
"id": "de7adc45-b859-4753-a05f-58fb2b00e434",
"cellValue": "IPNav",
"linkTarget": "parameter",
"linkLabel": "{IPCustomTabName}",
"subTarget": "Custom",
"style": "link"
}
]
},
"name": "links - 4"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let Office = OfficeActivity\r\n| where TimeGenerated {TimeRange}\r\n| where ClientIP == \"{IPAddress}\"\r\n| extend UPN = tolower(UserId)\r\n| summarize Count=count() by UPN;\r\nlet AAD = SigninLogs\r\n| where TimeGenerated {TimeRange}\r\n| where IPAddress == \"{IPAddress}\"\r\n| extend UPN = tolower(UserPrincipalName)\r\n| project UPN\r\n| summarize Count=count() by UPN;\r\nAzureActivity\r\n| where TimeGenerated {TimeRange}\r\n| where CallerIpAddress == \"{IPAddress}\"\r\n| extend UPN = tolower(Caller)\r\n| project UPN\r\n| summarize Count=count() by UPN\r\n| union AAD, Office\r\n| summarize Count=sum(Count) by UPN\r\n| sort by Count desc",
"size": 4,
"title": "Accounts Active from IP",
"exportFieldName": "UPN",
"exportParameterName": "UPN",
"exportDefaultValue": "AllUPNs",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "tiles",
"tileSettings": {
"showBorder": false,
"titleContent": {
"columnMatch": "UPN",
"formatter": 1
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
}
},
"conditionalVisibility": {
"parameterName": "InvestigationType",
"comparison": "isEqualTo",
"value": "IP"
},
"name": "query - 9"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SigninLogs\r\n| where TimeGenerated {TimeRange}\r\n| where IPAddress == \"{IPAddress}\"\r\n| where UserPrincipalName =~ \"{UPN}\" or \"AllUPNs\" == \"{UPN}\"\r\n| summarize Count=count() by AppDisplayName",
"size": 1,
"title": "AAD Signin",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "piechart"
},
"customWidth": "33",
"conditionalVisibility": {
"parameterName": "InvestigationType",
"comparison": "isEqualTo",
"value": "IP"
},
"name": "query - 10"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "OfficeActivity\r\n| where TimeGenerated {TimeRange}\r\n| where ClientIP == \"{IPAddress}\"\r\n| where UserId =~ \"{UPN}\" or \"AllUPNs\" == \"{UPN}\"\r\n| summarize Count=count() by Operation",
"size": 1,
"title": "Office Activity",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "piechart"
},
"customWidth": "33",
"conditionalVisibility": {
"parameterName": "InvestigationType",
"comparison": "isEqualTo",
"value": "IP"
},
"name": "query - 10 - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "AzureActivity\r\n| where TimeGenerated {TimeRange}\r\n| where CallerIpAddress == \"{IPAddress}\"\r\n| where Caller =~ \"{UPN}\" or \"AllUPNs\" == \"{UPN}\"\r\n| summarize Count=count() by OperationNameValue",
"size": 1,
"title": "Azure Activity",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "table"
},
"customWidth": "33",
"conditionalVisibility": {
"parameterName": "InvestigationType",
"comparison": "isEqualTo",
"value": "IP"
},
"name": "query - 10 - Copy - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let Office = OfficeActivity\r\n| where UserId =~ \"{UPN}\" or \"AllUPNs\" == \"{UPN}\"\r\n| where ClientIP == \"{IPAddress}\"\r\n| extend UPN = tolower(UserId)\r\n| project TimeGenerated, ResultType=ResultStatus, UPN, AppOrAction=Operation, Details=Parameters, Source=\"OfficeActivity\";\r\nlet AAD = SigninLogs\r\n| where UserPrincipalName =~ \"{UPN}\" or \"AllUPNs\" == \"{UPN}\"\r\n| where IPAddress == \"{IPAddress}\"\r\n| extend UPN = tolower(UserPrincipalName)\r\n| project TimeGenerated, ResultType, UPN, AppOrAction=AppDisplayName, Details=ResultDescription, Source=\"SigninLogs\";\r\nAzureActivity\r\n| where Caller =~ \"{UPN}\" or \"AllUPNs\" == \"{UPN}\"\r\n| where CallerIpAddress == \"{IPAddress}\"\r\n| extend UPN = tolower(Caller)\r\n| project TimeGenerated, ResultType=ActivityStatus, UPN, AppOrAction=OperationNameValue, Details=ResourceId, Source=\"AzureActivity\"\r\n| union AAD, Office\r\n| sort by TimeGenerated desc",
"size": 0,
"showAnalytics": true,
"title": "Activity Detail",
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
]
},
"name": "query - 4"
}
]
},
"conditionalVisibility": {
"parameterName": "IPNav",
"comparison": "isEqualTo",
"value": "Accounts"
},
"name": "IPAccounts"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let IPList = dynamic([\"{IPAddress}\"]);\r\n(union isfuzzy=true\r\n(CommonSecurityLog //Final\r\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\r\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList)\r\n| extend IPMatch = case(SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", \"Message\") \r\n| summarize FirstOccurance=min(TimeGenerated), LastOccurance=max(TimeGenerated), Count=count() by Computer, CommunicationDirection, FirewallAction=DeviceAction, Protocol, SourceIP, DestinationIP, tostring(DestinationPort), IPMatch, Type),\r\n(VMConnection //Final\r\n| where isnotempty(SourceIp) or isnotempty(DestinationIp) \r\n| where SourceIp in (IPList) or DestinationIp in (IPList) \r\n| extend IPMatch = case( SourceIp in (IPList), \"SourceIP\", DestinationIp in (IPList), \"DestinationIP\", \"None\") \r\n| summarize FirstOccurance=min(TimeGenerated), LastOccurance=max(TimeGenerated), Count=count() by Computer, CommunicationDirection=Direction, Protocol, SourceIP=SourceIp, DestinationIP=DestinationIp, tostring(DestinationPort), IPMatch, Type\r\n),\r\n(WindowsFirewall //Final\r\n| where isnotempty(SourceIP) or isnotempty(DestinationIP) \r\n| where SourceIP in (IPList) or DestinationIP in (IPList) \r\n| extend IPMatch = case( SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", \"None\") \r\n| summarize FirstOccurance=min(TimeGenerated), LastOccurance=max(TimeGenerated), Count=count() by Computer, CommunicationDirection, FirewallAction, Protocol, SourceIP, DestinationIP, tostring(DestinationPort), IPMatch, Type\r\n),\r\n(W3CIISLog //Final\r\n| where isnotempty(cIP)\r\n| where cIP in (IPList) or sIP in (IPList)\r\n| extend IPMatch = case( cIP in (IPList), \"SourceIP\", sIP in (IPList), \"DestinationIP\", \"None\") \r\n| summarize FirstOccurance=min(TimeGenerated), LastOccurance=max(TimeGenerated), Count=count() by Computer, CommunicationDirection=\"Inbound\", 
SourceIP=cIP, DestinationIP=sIP, DestinationPort=tostring(sPort), IPMatch, Type\r\n)\r\n)\r\n| summarize Count=sum(Count) by Type\r\n| sort by Count desc",
"size": 4,
"title": "Network Activity",
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"exportFieldName": "Type",
"exportParameterName": "LogType",
"exportDefaultValue": "None",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "tiles",
"tileSettings": {
"showBorder": false,
"titleContent": {
"columnMatch": "Type",
"formatter": 1
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
}
},
"customWidth": "50",
"name": "Network Overview"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let IPList = dynamic([\"{IPAddress}\"]);\r\n(union isfuzzy=true\r\n(CommonSecurityLog //Final\r\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\r\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList)\r\n| extend IPMatch = case(SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", \"Message\") \r\n| summarize Count=count() by IPMatch),\r\n(VMConnection //Final\r\n| where isnotempty(SourceIp) or isnotempty(DestinationIp) \r\n| where SourceIp in (IPList) or DestinationIp in (IPList) \r\n| extend IPMatch = case( SourceIp in (IPList), \"SourceIP\", DestinationIp in (IPList), \"DestinationIP\", \"None\") \r\n| summarize Count=count() by IPMatch\r\n),\r\n(WindowsFirewall //Final\r\n| where isnotempty(SourceIP) or isnotempty(DestinationIP) \r\n| where SourceIP in (IPList) or DestinationIP in (IPList) \r\n| extend IPMatch = case( SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", \"None\") \r\n| summarize Count=count() by IPMatch\r\n),\r\n(W3CIISLog //Final\r\n| where isnotempty(cIP)\r\n| where cIP in (IPList) or sIP in (IPList)\r\n| extend IPMatch = case( cIP in (IPList), \"SourceIP\", sIP in (IPList), \"DestinationIP\", \"None\") \r\n| summarize Count=count() by IPMatch\r\n)\r\n)\r\n| summarize Count=sum(Count) by IPMatch\r\n| sort by Count desc",
"size": 4,
"title": "IPMatch",
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"exportFieldName": "IPMatch",
"exportParameterName": "IPMatch",
"exportDefaultValue": "None",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "tiles",
"tileSettings": {
"titleContent": {
"columnMatch": "IPMatch",
"formatter": 1
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
},
"showBorder": false
}
},
"customWidth": "50",
"name": "IP Match"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let IPList = dynamic([\"{IPAddress}\"]);\r\n(union isfuzzy=true\r\n(CommonSecurityLog //Final\r\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\r\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList)\r\n| extend IPMatch = case(SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", \"Message\") \r\n| where IPMatch =~ \"{IPMatch}\" or \"{IPMatch}\" =~ \"None\"\r\n| summarize FirstOccurance=min(TimeGenerated), LastOccurance=max(TimeGenerated), Count=count() by Computer, CommunicationDirection, FirewallAction=DeviceAction, Protocol, SourceIP, DestinationIP, tostring(DestinationPort), IPMatch, Type),\r\n(VMConnection //Final\r\n| where isnotempty(SourceIp) or isnotempty(DestinationIp) \r\n| where SourceIp in (IPList) or DestinationIp in (IPList) \r\n| extend IPMatch = case( SourceIp in (IPList), \"SourceIP\", DestinationIp in (IPList), \"DestinationIP\", \"None\") \r\n| where IPMatch =~ \"{IPMatch}\" or \"{IPMatch}\" =~ \"None\"\r\n| summarize FirstOccurance=min(TimeGenerated), LastOccurance=max(TimeGenerated), Count=count() by Computer, CommunicationDirection=Direction, Protocol, SourceIP=SourceIp, DestinationIP=DestinationIp, tostring(DestinationPort), IPMatch, Type\r\n),\r\n(WindowsFirewall //Final\r\n| where isnotempty(SourceIP) or isnotempty(DestinationIP) \r\n| where SourceIP in (IPList) or DestinationIP in (IPList) \r\n| extend IPMatch = case( SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", \"None\") \r\n| where IPMatch =~ \"{IPMatch}\" or \"{IPMatch}\" =~ \"None\"\r\n| summarize FirstOccurance=min(TimeGenerated), LastOccurance=max(TimeGenerated), Count=count() by Computer, CommunicationDirection, FirewallAction, Protocol, SourceIP, DestinationIP, tostring(DestinationPort), IPMatch, Type\r\n),\r\n(W3CIISLog //Final\r\n| where isnotempty(cIP)\r\n| where cIP in (IPList) or sIP in (IPList)\r\n| extend IPMatch = case( cIP in (IPList), \"SourceIP\", sIP 
in (IPList), \"DestinationIP\", \"None\") \r\n| where IPMatch =~ \"{IPMatch}\" or \"{IPMatch}\" =~ \"None\"\r\n| summarize FirstOccurance=min(TimeGenerated), LastOccurance=max(TimeGenerated), Count=count() by Computer, CommunicationDirection=\"Inbound\", SourceIP=cIP, DestinationIP=sIP, DestinationPort=tostring(sPort), IPMatch, Type\r\n)\r\n)\r\n| where Type =~ \"{LogType}\" or \"{LogType}\" =~ \"None\"\r\n| sort by LastOccurance desc",
"size": 0,
"showAnalytics": true,
"title": "Network Activity Details",
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
]
},
"name": "Network"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "DnsEvents\r\n| where ResultCode == 0\r\n| where IPAddresses contains \"{IPAddress}\" or ClientIP =~ \"{IPAddress}\"\r\n| extend IPMatch = iff(ClientIP =~ \"{IPAddress}\", \"DNSClientIP\", \"IPAddressAnswer\")\r\n| summarize Count=count() by IPMatch\r\n| sort by Count desc",
"size": 4,
"title": "DNS Query Details",
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"exportFieldName": "IPMatch",
"exportParameterName": "DNSIPMatch",
"exportDefaultValue": "None",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "tiles",
"tileSettings": {
"showBorder": false,
"titleContent": {
"columnMatch": "IPMatch",
"formatter": 1
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
}
},
"name": "query - 8"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let data = DnsEvents\r\n| where ResultCode == 0\r\n| where IPAddresses contains \"{IPAddress}\" or ClientIP =~ \"{IPAddress}\"\r\n| extend IPMatch = iff(ClientIP =~ \"{IPAddress}\", \"DNSClientIP\", \"IPAddressAnswer\")\r\n| where IPMatch =~ \"{DNSIPMatch}\" or \"{DNSIPMatch}\" =~ \"None\"\r\n| extend queryID = strcat(Computer, ClientIP, IPAddresses, Name, QueryType);\r\ndata\r\n| summarize FirstOccurance=min(TimeGenerated), LastOccurance=max(TimeGenerated), Count=count() by DNSServer=Computer, DNSClientIP=ClientIP, IPAddressAnswer=IPAddresses, Name, QueryType, IPMatch, queryID\r\n| join kind = inner (data\r\n| make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by queryID) on queryID \r\n| project-away TimeGenerated, queryID, queryID1\r\n| project DNSServer, DNSClientIP, IPAddressAnswer, Name, QueryType, IPMatch, Trend, FirstOccurance, LastOccurance, Count\r\n| sort by LastOccurance desc",
"size": 1,
"showAnalytics": true,
"title": "DNS Query Details",
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "Trend",
"formatter": 9,
"formatOptions": {
"palette": "blue"
}
}
]
}
},
"name": "DNSQueryDetails"
}
]
},
"conditionalVisibility": {
"parameterName": "IPNav",
"comparison": "isEqualTo",
"value": "Network"
},
"name": "IPNetwork"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 1,
"content": {
"json": "#### Network normalization\r\n\r\nThis section of the workbook uses a normalized network schema and requires the Network Normalization parsers to be installed in your workspace in order to function. Use the references below to set up the parsers.\r\n\r\n- [Normalization in Azure Sentinel](https://docs.microsoft.com/azure/sentinel/normalization)\r\n- [GitHub - Normalized Schema - Networking](https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/Normalized%20Schema%20-%20Networking%20&#40;v1.0.0&#41;)",
"style": "info"
},
"name": "text - 5"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Network_MetaParser\r\n| where SrcIpAddr == \"{IPAddress}\" or DstIpAddr == \"{IPAddress}\"\r\n| extend IPMatch = iff(SrcIpAddr == \"{IPAddress}\", \"Source IP Match\", \"Destination IP Match\")\r\n| summarize Count = count() by IPMatch\r\n| order by Count",
"size": 4,
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"exportFieldName": "IPMatch",
"exportParameterName": "IPMatch",
"exportDefaultValue": "All",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "tiles",
"tileSettings": {
"showBorder": false,
"titleContent": {
"columnMatch": "IPMatch",
"formatter": 1
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
}
},
"name": "query - 6"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Network_MetaParser\r\n| where SrcIpAddr == \"{IPAddress}\" or DstIpAddr == \"{IPAddress}\"\r\n| extend IPMatch = iff(SrcIpAddr == \"{IPAddress}\", \"Source IP Match\", \"Destination IP Match\")\r\n| where IPMatch == \"{IPMatch}\" or \"{IPMatch}\" == \"All\"\r\n| summarize Count = count() by FirewallAction=DvcAction\r\n| order by Count",
"size": 0,
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"exportFieldName": "FirewallAction",
"exportParameterName": "FirewallAction",
"exportDefaultValue": "All",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "Count",
"formatter": 4,
"formatOptions": {
"palette": "blue",
"compositeBarSettings": {
"labelText": "",
"columnSettings": []
}
}
}
]
}
},
"customWidth": "25",
"name": "FirewallActionQuery"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Network_MetaParser\r\n| where SrcIpAddr == \"{IPAddress}\" or DstIpAddr == \"{IPAddress}\"\r\n| where DvcAction == \"{FirewallAction}\" or \"{FirewallAction}\" == \"All\"\r\n| extend IPMatch = iff(SrcIpAddr == \"{IPAddress}\", \"Source IP Match\", \"Destination IP Match\")\r\n| where IPMatch == \"{IPMatch}\" or \"{IPMatch}\" == \"All\"\r\n| summarize Count = count() by SourceIP = SrcIpAddr\r\n| order by Count",
"size": 0,
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"exportFieldName": "SourceIP",
"exportParameterName": "SourceIP",
"exportDefaultValue": "All",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "Count",
"formatter": 4,
"formatOptions": {
"palette": "blue"
}
}
]
}
},
"customWidth": "25",
"name": "query - 0"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Network_MetaParser\r\n| where SrcIpAddr == \"{IPAddress}\" or DstIpAddr == \"{IPAddress}\"\r\n| where DvcAction == \"{FirewallAction}\" or \"{FirewallAction}\" == \"All\"\r\n| where SrcIpAddr == \"{SourceIP}\" or \"{SourceIP}\" == \"All\"\r\n| extend IPMatch = iff(SrcIpAddr == \"{IPAddress}\", \"Source IP Match\", \"Destination IP Match\")\r\n| where IPMatch == \"{IPMatch}\" or \"{IPMatch}\" == \"All\"\r\n| summarize Count = count() by DestinationIP = DstIpAddr\r\n| order by Count",
"size": 0,
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"exportFieldName": "DestinationIP",
"exportParameterName": "DestinationIP",
"exportDefaultValue": "All",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "Count",
"formatter": 4,
"formatOptions": {
"palette": "blue"
}
}
]
}
},
"customWidth": "25",
"name": "query - 0 - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Network_MetaParser\r\n| where SrcIpAddr == \"{IPAddress}\" or DstIpAddr == \"{IPAddress}\"\r\n| where DvcAction == \"{FirewallAction}\" or \"{FirewallAction}\" == \"All\"\r\n| where SrcIpAddr == \"{SourceIP}\" or \"{SourceIP}\" == \"All\"\r\n| where DstIpAddr == \"{DestinationIP}\" or \"{DestinationIP}\" == \"All\"\r\n| extend IPMatch = iff(SrcIpAddr == \"{IPAddress}\", \"Source IP Match\", \"Destination IP Match\")\r\n| where IPMatch == \"{IPMatch}\" or \"{IPMatch}\" == \"All\"\r\n| summarize Count = count() by DestinationPort = DstPortNumber\r\n| order by Count",
"size": 0,
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"exportFieldName": "DestinationPort",
"exportParameterName": "DestinationPort",
"exportDefaultValue": "All",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "Count",
"formatter": 4,
"formatOptions": {
"palette": "blue"
}
}
]
}
},
"customWidth": "25",
"name": "query - 0 - Copy - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Network_MetaParser\r\n| where SrcIpAddr == \"{IPAddress}\" or DstIpAddr == \"{IPAddress}\"\r\n| where DvcAction == \"{FirewallAction}\" or \"{FirewallAction}\" == \"All\"\r\n| where SrcIpAddr == \"{SourceIP}\" or \"{SourceIP}\" == \"All\"\r\n| where DstIpAddr == \"{DestinationIP}\" or \"{DestinationIP}\" == \"All\"\r\n| where DstPortNumber == \"{DestinationPort}\" or \"{DestinationPort}\" == \"All\"\r\n| extend IPMatch = iff(SrcIpAddr == \"{IPAddress}\", \"Source IP Match\", \"Destination IP Match\")\r\n| where IPMatch == \"{IPMatch}\" or \"{IPMatch}\" == \"All\"\r\n| summarize Count = count() by ReportingProdcut = EventProduct, SourceIP = SrcIpAddr, DestinationIP = DstIpAddr, DestinationPort = DstPortNumber, ApplicationLayerProtocol = NetworkApplicationProtocol, NetworkProtocol = NetworkProtocol, DeviceAction = DvcAction\r\n| order by Count",
"size": 0,
"showAnalytics": true,
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "Count",
"formatter": 4,
"formatOptions": {
"palette": "blue"
}
}
]
}
},
"name": "query - 4"
}
]
},
"conditionalVisibility": {
"parameterName": "IPNav",
"comparison": "isEqualTo",
"value": "NormalizedNetwork"
},
"name": "NormalizedNetworkGroup"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "ThreatIntelligenceIndicator\r\n| where TimeGenerated > ago(180d)\r\n| where NetworkIP == \"{IPAddress}\"\r\n| summarize arg_max(TimeGenerated, Active) by IndicatorId, SourceSystem, Description, ThreatType\r\n| project SourceSystem, Description, ThreatType, Active",
"size": 4,
"title": "IP Threat Intelligence",
"noDataMessage": "No Threat Intelligence was found for the selected IP.",
"noDataMessageStyle": 3,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
]
},
"customWidth": "50",
"conditionalVisibility": {
"parameterName": "InvestigationType",
"comparison": "isEqualTo",
"value": "IP"
},
"name": "query - 13"
}
]
},
"conditionalVisibility": {
"parameterName": "IPNav",
"comparison": "isEqualTo",
"value": "IOC"
},
"name": "IPIOC"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityAlert\r\n| where TimeGenerated {TimeRange}\r\n| where Entities contains \"\"\"IP\"\"\"\r\n| extend AllEntities = parse_json(Entities)\r\n| mv-expand AllEntities\r\n| where AllEntities.Type == \"ip\" and AllEntities.Address == \"{IPAddress}\"\r\n| project AlertSeverity, AlertName=DisplayName, ProviderName, AlertDetails=Entities, SystemAlertId",
"size": 4,
"title": "Related Security Alerts",
"noDataMessage": "No Security Alerts were found for the selected IP.",
"noDataMessageStyle": 3,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "AlertDetails",
"formatter": 7,
"formatOptions": {
"linkTarget": "GenericDetails",
"linkLabel": "View",
"linkIsContextBlade": true
}
},
{
"columnMatch": "SystemAlertId",
"formatter": 5
}
]
}
},
"customWidth": "50",
"name": "query - 13 - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "HuntingBookmark\r\n| where TimeGenerated {TimeRange}\r\n| extend Entities = parse_json(QueryResultRow).__entityMapping\r\n| where Entities contains \"\"\"ip\"\"\" //Entity Type to match\r\n| summarize arg_max(TimeGenerated, BookmarkName, Notes, Tags, Entities) by BookmarkId\r\n| extend splitEntities = split(replace(@'[\"{}]', '', tostring(Entities)),',')\r\n| mv-expand splitEntities\r\n| extend splitEntity = split(splitEntities, ':')\r\n| where splitEntity[1] =~ \"ip\"\r\n| where splitEntity[0] =~ \"{IPAddress}\"\r\n| project BookmarkName, Notes, Tags",
"size": 4,
"title": "Related Bookmarks",
"noDataMessage": "No Bookmarks were found for the selected IP.",
"noDataMessageStyle": 3,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "AlertDetails",
"formatter": 7,
"formatOptions": {
"linkTarget": "GenericDetails",
"linkLabel": "View",
"linkIsContextBlade": true
}
},
{
"columnMatch": "SystemAlertId",
"formatter": 5
}
]
}
},
"customWidth": "50",
"name": "query - 13 - Copy - Copy"
}
]
},
"conditionalVisibility": {
"parameterName": "IPNav",
"comparison": "isEqualTo",
"value": "Related"
},
"name": "IPRelated"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"loadType": "always",
"items": [
{
"type": 1,
"content": {
"json": "## To use this custom group, switch the group type from \"Editable\" to \"From Template\" and enter the ID of your custom workbook"
},
"name": "text - 0"
}
]
},
"conditionalVisibility": {
"parameterName": "IPNav",
"comparison": "isEqualTo",
"value": "Custom"
},
"name": "CustomGroupIP"
}
]
},
"conditionalVisibility": {
"parameterName": "InvestigationType",
"comparison": "isEqualTo",
"value": "IP"
},
"name": "IPGroup"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"crossComponentResources": [
"{Workspace}"
],
"parameters": [
{
"id": "7d4ef622-5d81-47ef-b07a-13624db7dda2",
"version": "KqlParameterItem/1.0",
"name": "UPN",
"type": 1,
"isRequired": true,
"query": "datatable(Entity:string, EntityType:string)\r\n\t[\"{EntityData}\",\"{EntityType}\"]\r\n| where EntityType =~ \"account\"\r\n| extend Entity = iff(Entity contains \"@\", Entity, strcat(Entity, \"@\", \"{DefaultUPNSuffix}\"))\r\n| project Entity",
"crossComponentResources": [
"{Workspace}"
],
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
{
"id": "d6455f34-39bd-479a-937e-96f69e6c85b1",
"version": "KqlParameterItem/1.0",
"name": "samAccountName",
"type": 1,
"query": "(union isfuzzy=true\r\n(datatable(UPN:string, Priority:int)\r\n\t[\"{UPN}\", 1]\r\n| extend samAccountName = split(UPN, \"@\", 0)\r\n| project samAccountName=tostring(samAccountName[0]), Priority),\r\n(IdentityInfo\r\n| where TimeGenerated > ago(180d)\r\n| where AccountUPN =~ \"{UPN}\"\r\n| summarize arg_max(TimeGenerated, *) by AccountUPN\r\n| project samAccountName=AccountName, Priority=toint(2)))\r\n| top 1 by Priority desc\r\n| project-away Priority",
"crossComponentResources": [
"{Workspace}"
],
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 2"
},
{
"type": 11,
"content": {
"version": "LinkItem/1.0",
"style": "tabs",
"links": [
{
"id": "a3c1474c-0fe4-4105-8928-38dc9ceffb34",
"cellValue": "UserNav",
"linkTarget": "parameter",
"linkLabel": "Location Anomalies",
"subTarget": "Location",
"style": "link"
},
{
"id": "997a8794-1da5-4bf0-94cc-952977f1e2ef",
"cellValue": "UserNav",
"linkTarget": "parameter",
"linkLabel": "Computer Logons",
"subTarget": "Logons",
"style": "link"
},
{
"id": "65ef8c1a-12a1-475d-8c80-ae1950d2b82c",
"cellValue": "UserNav",
"linkTarget": "parameter",
"linkLabel": "Conditional Access Analysis",
"subTarget": "CAP",
"style": "link"
},
{
"id": "b3237117-0e48-46c0-827e-dfbeb8cb6b1c",
"cellValue": "UserNav",
"linkTarget": "parameter",
"linkLabel": "IOCs",
"subTarget": "IOC",
"style": "link"
},
{
"id": "54e10cc1-6fa7-4458-bcdf-4d42196298a1",
"cellValue": "UserNav",
"linkTarget": "parameter",
"linkLabel": "Related Alerts & Bookmarks",
"subTarget": "Alerts",
"style": "link"
},
{
"id": "01c23b0f-e0be-4f72-a933-fe64d55b6b85",
"cellValue": "UserNav",
"linkTarget": "parameter",
"linkLabel": "{AccountCustomTabName}",
"subTarget": "Custom",
"style": "link"
}
]
},
"name": "links - 5"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let UPN = \"{UPN}\";\r\nlet CommonLocation = SigninLogs\r\n| where UserPrincipalName =~ UPN\r\n| extend LAT = round(todouble(LocationDetails.geoCoordinates.latitude), 1)\r\n| extend LONG = round(todouble(LocationDetails.geoCoordinates.longitude), 1)\r\n| summarize Count=count() by LAT, LONG\r\n| top 1 by Count;\r\nlet CommonLAT = toscalar(CommonLocation\r\n| project LAT);\r\nlet CommonLONG = toscalar(CommonLocation\r\n| project LONG);\r\nSigninLogs\r\n| where UserPrincipalName =~ UPN\r\n| extend LAT = round(todouble(LocationDetails.geoCoordinates.latitude), 1)\r\n| extend LONG = round(todouble(LocationDetails.geoCoordinates.longitude), 1)\r\n| extend KmFromTypicalLocation = geo_distance_2points(CommonLONG, CommonLAT, LONG, LAT) / 1000\r\n| summarize Count=count() by IPAddress, KmFromTypicalLocation, AppDisplayName, ResultDescription\r\n| sort by KmFromTypicalLocation desc\r\n",
"size": 0,
"title": "Distance from Typical Signin Location",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"exportFieldName": "IPAddress",
"exportParameterName": "IP",
"exportDefaultValue": "None",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "KmFromTypicalLocation",
"formatter": 8,
"formatOptions": {
"min": 100,
"max": 1000,
"palette": "greenRed",
"aggregation": "Average"
}
},
{
"columnMatch": "Count",
"formatter": 0,
"formatOptions": {
"aggregation": "Sum"
}
}
]
}
},
"customWidth": "50",
"name": "query - 0"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let UPN = \"{UPN}\";\r\nlet CommonLocation = SigninLogs\r\n| where UserPrincipalName =~ UPN\r\n| extend LAT = round(todouble(LocationDetails.geoCoordinates.latitude), 1)\r\n| extend LONG = round(todouble(LocationDetails.geoCoordinates.longitude), 1)\r\n| summarize Count=count() by LAT, LONG\r\n| top 1 by Count;\r\nlet CommonLAT = toscalar(CommonLocation\r\n| project LAT);\r\nlet CommonLONG = toscalar(CommonLocation\r\n| project LONG);\r\nSigninLogs\r\n| where UserPrincipalName =~ UPN\r\n| extend LAT = round(todouble(LocationDetails.geoCoordinates.latitude), 1)\r\n| extend LONG = round(todouble(LocationDetails.geoCoordinates.longitude), 1)\r\n| extend KmFromTypicalLocation = geo_distance_2points(CommonLONG, CommonLAT, LONG, LAT) / 1000\r\n| extend LocationString= strcat(tostring(LocationDetails[\"countryOrRegion\"]), \"/\", tostring(LocationDetails[\"state\"]), \"/\", tostring(LocationDetails[\"city\"]))\r\n| summarize Count=count() by IPAddress, KmFromTypicalLocation, LAT, LONG, LocationString\r\n",
"size": 0,
"title": "Signin Map",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "map",
"mapSettings": {
"locInfo": "LatLong",
"latitude": "LAT",
"longitude": "LONG",
"sizeSettings": "Count",
"sizeAggregation": "Sum",
"labelSettings": "LocationString",
"legendMetric": "Count",
"legendAggregation": "Sum",
"itemColorSettings": {
"nodeColorField": "KmFromTypicalLocation",
"colorAggregation": "Sum",
"type": "heatmap",
"heatmapPalette": "greenRed",
"heatmapMin": 100,
"heatmapMax": 1000
}
}
},
"customWidth": "50",
"name": "query - 1"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SigninLogs\r\n| where UserPrincipalName =~ \"{UPN}\"\r\n| where IPAddress == \"{IP}\"\r\n| extend ResultDetail = iff(ResultType == 0, \"Success\", ResultDescription)\r\n| parse AuthenticationDetails with * '[' AuthDetails ']' *\r\n| project TimeGenerated, AppDisplayName, ResourceDisplayName, ResultDetail, ClientAppUsed, ConditionalAccessStatus, AuthDetails, DeviceDetail, LocationDetails, IPAddress, RiskDetail, RiskState\r\n",
"size": 0,
"showAnalytics": true,
"title": "Signin Details",
"noDataMessage": "Select a Signin from the grid to see additional details",
"noDataMessageStyle": 2,
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "AuthDetails",
"formatter": 7,
"formatOptions": {
"linkTarget": "CellDetails",
"linkLabel": "View",
"linkIsContextBlade": true
}
},
{
"columnMatch": "DeviceDetail",
"formatter": 7,
"formatOptions": {
"linkTarget": "CellDetails",
"linkLabel": "View",
"linkIsContextBlade": true
}
},
{
"columnMatch": "LocationDetails",
"formatter": 7,
"formatOptions": {
"linkTarget": "CellDetails",
"linkLabel": "View",
"linkIsContextBlade": true
}
}
]
}
},
"name": "query - 6"
}
]
},
"conditionalVisibility": {
"parameterName": "UserNav",
"comparison": "isEqualTo",
"value": "Location"
},
"name": "LocationAnomalies"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"crossComponentResources": [
"{Workspace}"
],
"parameters": [
{
"id": "bdcb9616-6e17-4694-a76a-49fb9de8ae2a",
"version": "KqlParameterItem/1.0",
"name": "SigninStatus",
"type": 2,
"isRequired": true,
"value": ">= 0",
"typeSettings": {
"additionalResourceOptions": []
},
"jsonData": "[\r\n {\r\n \"label\": \"Successful Logons\",\r\n \"value\": \"== 0\"\r\n },\r\n {\r\n \"label\": \"Failed Logons\",\r\n \"value\": \"<> 0\"\r\n },\r\n {\r\n \"label\": \"All Logons\",\r\n \"value\": \">= 0\"\r\n }\r\n]",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange"
},
{
"id": "17a6b0e5-3d86-4ba2-94ac-795bdd692378",
"version": "KqlParameterItem/1.0",
"name": "PolicyName",
"type": 2,
"isRequired": true,
"query": "SigninLogs\r\n| mv-expand ConditionalAccessPolicies\r\n| distinct tostring(ConditionalAccessPolicies.displayName)",
"crossComponentResources": [
"{Workspace}"
],
"value": "value::1",
"typeSettings": {
"additionalResourceOptions": [
"value::1"
]
},
"timeContext": {
"durationMs": 604800000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
{
"id": "d880b501-931f-4659-a360-94d5c519ddc4",
"version": "KqlParameterItem/1.0",
"name": "PolicyResult",
"type": 2,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "SigninLogs\r\n| mv-expand ConditionalAccessPolicies\r\n| distinct tostring(ConditionalAccessPolicies.result)",
"crossComponentResources": [
"{Workspace}"
],
"value": [
"value::all"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
]
},
"timeContext": {
"durationMs": 604800000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 6"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let FilteredSignin = SigninLogs\r\n| where TimeGenerated {TimeRange}\r\n| where Status.errorCode {SigninStatus}\r\n| where UserPrincipalName =~ \"{UPN}\"\r\n| mv-expand ConditionalAccessPolicies\r\n| where ConditionalAccessPolicies.displayName =~ \"{PolicyName}\" or \"{PolicyName:label}\" =~ \"Any one\"\r\n| where ConditionalAccessPolicies.result in ({PolicyResult})\r\n| distinct Id;\r\nSigninLogs\r\n| where Id in (FilteredSignin)\r\n| extend errorCode = Status.errorCode\r\n| extend SigninStatus = case(errorCode == 0, \"Success\", errorCode == 50058, \"Pending user action\",errorCode == 50140, \"Pending user action\", errorCode == 51006, \"Pending user action\", errorCode == 50059, \"Pending user action\",errorCode == 65001, \"Pending user action\", errorCode == 52004, \"Pending user action\", errorCode == 50055, \"Pending user action\", errorCode == 50144, \"Pending user action\", errorCode == 50072, \"Pending user action\", errorCode == 50074, \"Pending user action\", errorCode == 16000, \"Pending user action\", errorCode == 16001, \"Pending user action\", errorCode == 16003, \"Pending user action\", errorCode == 50127, \"Pending user action\", errorCode == 50125, \"Pending user action\", errorCode == 50129, \"Pending user action\", errorCode == 50143, \"Pending user action\", errorCode == 81010, \"Pending user action\", errorCode == 81014, \"Pending user action\", errorCode == 81012 ,\"Pending user action\", \"Failure\")\r\n| extend LocationString= strcat(tostring(LocationDetails[\"countryOrRegion\"]), \"/\", tostring(LocationDetails[\"state\"]), \"/\", tostring(LocationDetails[\"city\"]))\r\n| project TimeGenerated, Location=LocationString, IPAddress, AppDisplayName, ResourceDisplayName, ResultDescription, ['Sign-in Status'] = strcat(iff(SigninStatus == 'Success', '✔️', '❌'), ' ', SigninStatus), Id\r\n| sort by TimeGenerated desc",
"size": 0,
"title": "AAD Signins",
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"exportFieldName": "Id",
"exportParameterName": "SigninId",
"exportDefaultValue": "None",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "Id",
"formatter": 5
},
{
"columnMatch": "DeviceDetail",
"formatter": 1
}
]
}
},
"name": "query - 5"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SigninLogs\r\n| where TimeGenerated {TimeRange}\r\n| where Status.errorCode {SigninStatus}\r\n| where UserPrincipalName =~ \"{UPN}\"\r\n| where Id == \"{SigninId}\"\r\n| extend errorCode = Status.errorCode\r\n| extend SigninStatus = case(errorCode == 0, \"Success\", errorCode == 50058, \"Pending user action\",errorCode == 50140, \"Pending user action\", errorCode == 51006, \"Pending user action\", errorCode == 50059, \"Pending user action\",errorCode == 65001, \"Pending user action\", errorCode == 52004, \"Pending user action\", errorCode == 50055, \"Pending user action\", errorCode == 50144, \"Pending user action\", errorCode == 50072, \"Pending user action\", errorCode == 50074, \"Pending user action\", errorCode == 16000, \"Pending user action\", errorCode == 16001, \"Pending user action\", errorCode == 16003, \"Pending user action\", errorCode == 50127, \"Pending user action\", errorCode == 50125, \"Pending user action\", errorCode == 50129, \"Pending user action\", errorCode == 50143, \"Pending user action\", errorCode == 81010, \"Pending user action\", errorCode == 81014, \"Pending user action\", errorCode == 81012 ,\"Pending user action\", \"Failure\")\r\n| extend LocationString= strcat(tostring(LocationDetails[\"countryOrRegion\"]), \"/\", tostring(LocationDetails[\"state\"]), \"/\", tostring(LocationDetails[\"city\"]))\r\n| project TimeGenerated, ['Sign-in Status'] = strcat(iff(SigninStatus == 'Success', '✔️', '❌'), ' ', SigninStatus), ResultDescription, Id\r\n| sort by TimeGenerated asc",
"size": 4,
"title": "AAD Signin Sequence",
"noDataMessage": "Select a Signin to see the Logon Sequence",
"noDataMessageStyle": 2,
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "Id",
"formatter": 5
},
{
"columnMatch": "DeviceDetail",
"formatter": 1
}
]
}
},
"customWidth": "50",
"name": "query - 5 - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SigninLogs\r\n| where TimeGenerated {TimeRange}\r\n| where Status.errorCode {SigninStatus}\r\n| where UserPrincipalName =~ \"{UPN}\"\r\n| where Id == \"{SigninId}\"\r\n| distinct tostring(DeviceDetail), UserAgent",
"size": 4,
"title": "Device and UserAgent Detail",
"noDataMessage": "Select a Signin to see Device and UserAgent Details",
"noDataMessageStyle": 2,
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "DeviceDetail",
"formatter": 1
}
]
}
},
"customWidth": "50",
"name": "query - 5 - Copy - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SigninLogs\r\n| where TimeGenerated {TimeRange}\r\n| where Status.errorCode {SigninStatus}\r\n| where UserPrincipalName =~ \"{UPN}\"\r\n| where Id =~ \"{SigninId}\"\r\n| mv-expand ConditionalAccessPolicies\r\n| where ConditionalAccessPolicies.displayName =~ \"{PolicyName}\" or \"{PolicyName:label}\" =~ \"Any one\"\r\n| where ConditionalAccessPolicies.result in ({PolicyResult})\r\n| extend errorCode = Status.errorCode\r\n| extend SigninStatus = case(errorCode == 0, \"Success\", errorCode == 50058, \"Pending user action\",errorCode == 50140, \"Pending user action\", errorCode == 51006, \"Pending user action\", errorCode == 50059, \"Pending user action\",errorCode == 65001, \"Pending user action\", errorCode == 52004, \"Pending user action\", errorCode == 50055, \"Pending user action\", errorCode == 50144, \"Pending user action\", errorCode == 50072, \"Pending user action\", errorCode == 50074, \"Pending user action\", errorCode == 16000, \"Pending user action\", errorCode == 16001, \"Pending user action\", errorCode == 16003, \"Pending user action\", errorCode == 50127, \"Pending user action\", errorCode == 50125, \"Pending user action\", errorCode == 50129, \"Pending user action\", errorCode == 50143, \"Pending user action\", errorCode == 81010, \"Pending user action\", errorCode == 81014, \"Pending user action\", errorCode == 81012 ,\"Pending user action\", \"Failure\")\r\n| project TimeGenerated, ['Sign-in Status'] = strcat(iff(SigninStatus == 'Success', '✔️', '❌'), ' ', SigninStatus), GrantControl=ConditionalAccessPolicies.enforcedGrantControls, ConditionalAccessPolicyName=ConditionalAccessPolicies.displayName, ConditionalAccessResult=ConditionalAccessPolicies.result, MfaDetail\r\n| sort by TimeGenerated asc",
"size": 0,
"title": "Conditional Access Policy Details",
"noDataMessage": "Select a Signin to see Conditional Access Details",
"noDataMessageStyle": 2,
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "DeviceDetail",
"formatter": 1
}
]
}
},
"name": "query - 5 - Copy"
}
]
},
"conditionalVisibility": {
"parameterName": "UserNav",
"comparison": "isEqualTo",
"value": "CAP"
},
"name": "ConditionalAccess"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let eStatus = dynamic([\"0xC000006A\", \"0xC0000234\", \"0x18\"]);\r\nlet secEventID = dynamic([4771, 4625, 4776]);\r\nlet secEvents = SecurityEvent\r\n| where TargetUserName =~ \"{samAccountName}\"\r\n| where EventID in (secEventID)\r\n| where Level == 16\r\n| where (EventID == 4625 and SubStatus in~ (eStatus)) or (EventID == 4771 and Status in~ (eStatus)) or (EventID == 4776 and Status in~ (eStatus))\r\n| extend ResultStatus = case(EventID == 4625, SubStatus, Status)\r\n| extend SourceNameorIP = case(EventID == 4776, Workstation, (EventID == 4625 and isnotempty(WorkstationName)), WorkstationName, IpAddress)\r\n| extend ResultDescription = case(EventID == 4625, strcat(Activity, ' Logon type: ', LogonTypeName), Activity)\r\n| summarize FirstOccurance = min(TimeGenerated), LastOccurance = max(TimeGenerated), FailedSigninCount=count(), LocationCount=dcount(SourceNameorIP) by TargetUserName, SourceNameorIP, ResultDescription, StatusCode=ResultStatus\r\n| extend LogSource = \"SecurityEvent\";\r\nSigninLogs\r\n| where UserPrincipalName =~ \"{UPN}\"\r\n// Error codes that we want to look at as they are related to the use of incorrect password.\r\n| where ResultType in (\"50126\", \"50053\" , \"50055\", \"50056\")\r\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser \r\n| extend LocationString= strcat(tostring(LocationDetails[\"countryOrRegion\"]), \"/\", tostring(LocationDetails[\"state\"]), \"/\", tostring(LocationDetails[\"city\"]))\r\n| summarize FirstOccurance = min(TimeGenerated), LastOccurance = max(TimeGenerated), FailedSigninCount=count(), LocationCount=dcount(LocationString) by TargetUserName=UserPrincipalName, SourceNameorIP=IPAddress, LocationString, AppDisplayName, ResultDescription, tostring(Browser), tostring(OS), StatusCode=ResultType\r\n| extend LogSource = \"SigninLogs\"\r\n| union secEvents\r\n| project TargetUserName, SourceNameorIP, ResultDescription, StatusCode, LocationString, AppDisplayName, Browser, OS, 
FirstOccurance, LastOccurance, FailedSigninCount, LocationCount, LogSource",
"size": 1,
"showAnalytics": true,
"title": "Failed Signin - Bad Password",
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
]
},
"name": "query - 3"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "(union isfuzzy=true\r\n(SecurityEvent\r\n| where EventID in (\"4723\",\"4724\")\r\n| where TargetUserName =~ \"{samAccountName}\" or SubjectUserName =~ \"{samAccountName}\"\r\n| extend Result = case(Level==8, \"success\", Level==16, \"failure\", \"unknown\")\r\n| project TimeGenerated, InitiatedBy=SubjectUserName, Username=TargetUserName, OperationName=Activity, Result\r\n),\r\n(AuditLogs\r\n| where OperationName contains \"password\"\r\n| sort by TimeGenerated desc\r\n| extend InitiatedBy = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\r\n| extend Username = tostring(TargetResources[0].userPrincipalName)\r\n| where Username =~ \"{UPN}\" or InitiatedBy =~ \"{UPN}\"\r\n| project TimeGenerated, InitiatedBy, Username, OperationName, Result\r\n))\r\n| sort by TimeGenerated desc",
"size": 1,
"showAnalytics": true,
"title": "Password Changes and Resets",
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
]
},
"name": "Passwords"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "(union isfuzzy=true\r\n(AuditLogs \r\n| where OperationName =~ \"Disable Strong Authentication\"\r\n| extend IPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) \r\n| extend InitiatedByUser = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \r\n tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\r\n| extend Targetprop = todynamic(TargetResources)\r\n| extend TargetUser = tostring(Targetprop[0].userPrincipalName) \r\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by User = TargetUser, InitiatedByUser , Operation = OperationName , CorrelationId, IPAddress, Category, Source = SourceSystem , AADTenantId, Type\r\n),\r\n(AWSCloudTrail\r\n| where EventName in~ (\"DeactivateMFADevice\", \"DeleteVirtualMFADevice\") \r\n| extend InstanceProfileName = tostring(parse_json(RequestParameters).InstanceProfileName)\r\n| extend TargetUser = tostring(parse_json(RequestParameters).userName)\r\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by User = TargetUser, Source = EventSource , Operation = EventName , TenantorInstance_Detail = InstanceProfileName, IPAddress = SourceIpAddress\r\n)\r\n)\r\n| where User =~ \"{UPN}\" or InitiatedByUser =~ \"{UPN}\"",
"size": 4,
"showAnalytics": true,
"title": "Disabled MFA",
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
]
},
"customWidth": "50",
"name": "query - 1"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SigninLogs\r\n| where UserPrincipalName =~ \"{UPN}\"\r\n| where Status.errorCode == 500121\r\n| where Status.additionalDetails contains \"fraud\"\r\n| project TimeGenerated, AppDisplayName, IPAddress, Status=Status.additionalDetails, AuthenticationDetails, DeviceDetail, LocationDetails",
"size": 4,
"showAnalytics": true,
"title": "MFA Fraud Reports",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "AuthenticationDetails",
"formatter": 7,
"formatOptions": {
"linkTarget": "CellDetails",
"linkLabel": "View",
"linkIsContextBlade": true
}
},
{
"columnMatch": "DeviceDetail",
"formatter": 7,
"formatOptions": {
"linkTarget": "CellDetails",
"linkLabel": "View",
"linkIsContextBlade": true
}
},
{
"columnMatch": "LocationDetails",
"formatter": 7,
"formatOptions": {
"linkTarget": "CellDetails",
"linkLabel": "View",
"linkIsContextBlade": true
}
}
]
}
},
"customWidth": "50",
"name": "query - 1 - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "AuditLogs\r\n| where TimeGenerated > ago(90d)\r\n| where OperationName == \"Consent to application\"\r\n| where Category == \"ApplicationManagement\"\r\n| extend UserPrincipalName = InitiatedBy.user.userPrincipalName\r\n| where UserPrincipalName =~ \"{UPN}\"\r\n| mv-expand TargetResources\r\n| extend ModifiedProperties = TargetResources.modifiedProperties\r\n| mv-apply ModifiedProperties on (\r\n summarize Consent = make_bag(pack(tostring(ModifiedProperties.displayName), ModifiedProperties.newValue)))\r\n| project TimeGenerated, ActivityDisplayName, UserPrincipalName, isAdminConsent=Consent.['ConsentContext.IsAdminConsent'], isAppOnly=Consent.['ConsentContext.IsAppOnly'], OnBehalfOfAll=Consent.['ConsentContext.OnBehalfOfAll'], ResourceServicePrincipalName=Consent.['TargetId.ServicePrincipalNames'], ResourceDisplayName=TargetResources.displayName, Permissions=Consent.['ConsentAction.Permissions']",
"size": 4,
"showAnalytics": true,
"title": "Application Consent",
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
]
},
"name": "query - Consent"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "(union isfuzzy=true\r\n(OfficeActivity \r\n| where UserId =~ \"{UPN}\"\r\n| where Operation =~ \"Set-Mailbox\" \r\n| extend parsed = parse_json(Parameters) \r\n| extend FieldType = tostring(parsed[1].Name)\r\n| where FieldType =~ \"ForwardTo\" or FieldType =~ \"ForwardingSmtpAddress\" \r\n| extend ForwardTo = tostring(parsed[1].Value)\r\n| extend ForwardType = tostring(parsed[2].Name)\r\n| project TimeGenerated, UserId, ClientIP=split(ClientIP, \":\", 0)[0], ForwardTo, ForwardType\r\n),\r\n(OfficeActivity \r\n| where UserId =~ \"{UPN}\"\r\n| where Operation =~ \"New-InboxRule\"\r\n| mv-expand parse_json(Parameters)\r\n| extend ParamType = tostring(Parameters.Name)\r\n| where ParamType =~ \"ForwardTo\"\r\n| extend ForwardTo = tostring(Parameters.Value)\r\n| project TimeGenerated, UserId, ClientIP=split(ClientIP, \":\", 0)[0], ForwardTo, ForwardType=\"InboxRule\"\r\n))\r\n| sort by TimeGenerated desc",
"size": 4,
"showAnalytics": true,
"title": "Mailbox Forwarding Rules",
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
]
},
"name": "query - 2"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "BehaviorAnalytics\r\n| where UserPrincipalName =~ \"{UPN}\"\r\n| where InvestigationPriority > 0\r\n| project TimeGenerated, InvestigationPriority, ActivityType, ActionType, SourceIPLocation, UsersInsights, DevicesInsights, ActivityInsights\r\n| sort by InvestigationPriority desc",
"size": 0,
"title": "UEBA Investigation Priorities",
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "UsersInsights",
"formatter": 7,
"formatOptions": {
"linkTarget": "CellDetails",
"linkLabel": "View",
"linkIsContextBlade": true
}
},
{
"columnMatch": "DevicesInsights",
"formatter": 7,
"formatOptions": {
"linkTarget": "CellDetails",
"linkLabel": "View",
"linkIsContextBlade": true
}
},
{
"columnMatch": "ActivityInsights",
"formatter": 7,
"formatOptions": {
"linkTarget": "CellDetails",
"linkLabel": "View",
"linkIsContextBlade": true
}
}
]
}
},
"name": "query - 4"
}
]
},
"conditionalVisibility": {
"parameterName": "UserNav",
"comparison": "isEqualTo",
"value": "IOC"
},
"name": "UserIOCs"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityAlert\r\n| where TimeGenerated {TimeRange}\r\n| where Entities contains \"\"\"account\"\"\"\r\n| extend AllEntities = parse_json(Entities)\r\n| mv-expand AllEntities\r\n| where AllEntities.Type == \"account\"\r\n| extend AccountEntity = iff(isnotempty(AllEntities.UPNSuffix), strcat(AllEntities.Name, '@', AllEntities.UPNSuffix), AllEntities.Name)\r\n| where AccountEntity =~ \"{UPN}\" or AccountEntity =~ \"{samAccountName}\"\r\n| project AlertSeverity, AlertName=DisplayName, ProviderName, AlertDetails=Entities, SystemAlertId",
"size": 0,
"title": "Related Security Alerts",
"noDataMessage": "No Security Alerts were found for the selected Account.",
"noDataMessageStyle": 3,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "AlertDetails",
"formatter": 7,
"formatOptions": {
"linkTarget": "GenericDetails",
"linkLabel": "View",
"linkIsContextBlade": true
}
},
{
"columnMatch": "SystemAlertId",
"formatter": 5
}
]
}
},
"customWidth": "50",
"name": "query - 4"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "HuntingBookmark\r\n| where TimeGenerated {TimeRange}\r\n| extend Entities = parse_json(QueryResultRow).__entityMapping\r\n| where Entities contains \"\"\"account\"\"\" //Entity Type to match\r\n| summarize arg_max(TimeGenerated, BookmarkName, Notes, Tags, Entities) by BookmarkId\r\n| extend splitEntities = split(replace(@'[\"{}]', '', tostring(Entities)),',')\r\n| mv-expand splitEntities\r\n| extend splitEntity = split(splitEntities, ':')\r\n| where splitEntity[1] =~ \"account\"\r\n| where splitEntity[0] =~ \"{UPN}\" or splitEntity[0] =~ \"{samAccountName}\"\r\n| project BookmarkName, Notes, Tags",
"size": 0,
"title": "Related Bookmarks",
"noDataMessage": "No Bookmarks were found for the selected Account.",
"noDataMessageStyle": 3,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "AlertDetails",
"formatter": 7,
"formatOptions": {
"linkTarget": "GenericDetails",
"linkLabel": "View",
"linkIsContextBlade": true
}
},
{
"columnMatch": "SystemAlertId",
"formatter": 5
}
]
}
},
"customWidth": "50",
"name": "query - 4 - Copy"
}
]
},
"conditionalVisibility": {
"parameterName": "UserNav",
"comparison": "isEqualTo",
"value": "Alerts"
},
"name": "RelatedAlerts"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"crossComponentResources": [
"{Workspace}"
],
"parameters": [
{
"id": "805e76ac-979e-4247-a304-f3897fa71be6",
"version": "KqlParameterItem/1.0",
"name": "LogonType",
"type": 2,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "let events = dynamic([4624, 4625, 4768, 4771]);\r\nlet kerbevents = dynamic([4768, 4771]);\r\n(union isfuzzy=true\r\n(SigninLogs\r\n| take 1\r\n| project LogonType=\"AAD/HDJ\"),\r\n(SecurityEvent\r\n| where EventID in (events)\r\n| where TargetUserName =~ \"{samAccountName}\"\r\n| extend LogonType = iff(EventID in (kerbevents), \"Kerberos TGT\", LogonTypeName)\r\n| distinct LogonType),\r\n(DeviceLogonEvents\r\n| where AccountName =~ \"{samAccountName}\"\r\n| distinct LogonType))\r\n| sort by LogonType asc",
"crossComponentResources": [
"{Workspace}"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
],
"showDefault": false
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"defaultValue": "value::all",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
}
],
"style": "above",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 1"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let events = dynamic([4624, 4625, 4768, 4771]);\r\nlet kerbevents = dynamic([4768, 4771]);\r\n(union isfuzzy=true \r\n(SigninLogs\r\n| where UserPrincipalName =~ \"{UPN}\"\r\n| where AppDisplayName == \"Windows Sign In\"\r\n| extend LogonResult = iff(ResultType == 0, \"Success\", \"Failure\")\r\n| summarize Count=count(), FirstOccurance=min(TimeGenerated), LastOccurance=max(TimeGenerated) by LogonComputerOrIP=tostring(DeviceDetail.displayName), LogonResult, LogonType=\"AAD/HDJ\", ErrorCode=ResultType, DataSource=Type),\r\n(SecurityEvent\r\n| where EventID in (events)\r\n| where TargetUserName =~ \"{samAccountName}\"\r\n| extend LogonResult = iff(Level == 8, \"Success\", \"Failure\")\r\n| extend LogonType = iff(EventID in (kerbevents), \"Kerberos TGT\", LogonTypeName)\r\n| extend LogonComputerOrIP = iff(EventID == 4768, IpAddress, Computer)\r\n| extend ErrorCode = iff(EventID in (kerbevents), Status, SubStatus)\r\n| summarize Count=count(), FirstOccurance=min(TimeGenerated), LastOccurance=max(TimeGenerated) by LogonComputerOrIP, LogonResult, LogonType, ErrorCode, DataSource=Type),\r\n(DeviceLogonEvents\r\n| where AccountName =~ \"{samAccountName}\"\r\n| summarize Count=count(), FirstOccurance=min(TimeGenerated), LastOccurance=max(TimeGenerated) by LogonComputerOrIP=DeviceName, LogonResult=ActionType, LogonType, DataSource=Type))\r\n| where LogonType in ({LogonType})\r\n| sort by Count desc",
"size": 0,
"showAnalytics": true,
"title": "Computer Logons",
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
]
},
"name": "Computer Logons"
}
]
},
"conditionalVisibility": {
"parameterName": "UserNav",
"comparison": "isEqualTo",
"value": "Logons"
},
"name": "UserLogons"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"loadType": "always",
"items": [
{
"type": 1,
"content": {
"json": "## To use this custom group, switch the group type from \"Editable\" to \"From Template\" and enter the ID of your custom workbook"
},
"name": "text - 0"
}
]
},
"conditionalVisibility": {
"parameterName": "UserNav",
"comparison": "isEqualTo",
"value": "Custom"
},
"name": "CustomGroupAccount"
}
]
},
"conditionalVisibility": {
"parameterName": "InvestigationType",
"comparison": "isEqualTo",
"value": "Account"
},
"name": "AccountGroup"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"crossComponentResources": [
"{Workspace}"
],
"parameters": [
{
"id": "8ae96068-86fb-4713-9497-6424e724251f",
"version": "KqlParameterItem/1.0",
"name": "Host",
"label": "Host FQDN",
"type": 1,
"isRequired": true,
"query": "datatable(Entity:string, EntityType:string)\r\n\t[\"{EntityData}\",\"{EntityType}\"]\r\n| where EntityType =~ \"Host\"\r\n| project Entity",
"crossComponentResources": [
"{Workspace}"
],
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"conditionalVisibility": {
"parameterName": "InvestigationType",
"comparison": "isEqualTo",
"value": "Host"
},
"name": "parameters - 17"
},
{
"type": 11,
"content": {
"version": "LinkItem/1.0",
"style": "tabs",
"links": [
{
"id": "5a523135-ffeb-4217-9a78-5db3af6e0292",
"cellValue": "HostNav",
"linkTarget": "parameter",
"linkLabel": "New Processes",
"subTarget": "hostAnomaly",
"style": "link"
},
{
"id": "c0a3eb1f-186c-4e14-8559-aa17385eba12",
"cellValue": "HostNav",
"linkTarget": "parameter",
"linkLabel": "Account Logons",
"subTarget": "accountLogons",
"style": "link"
},
{
"id": "622de805-7326-42e5-9b9a-f26f9ce7bbce",
"cellValue": "HostNav",
"linkTarget": "parameter",
"linkLabel": "Security Baseline",
"subTarget": "securityBaseline",
"style": "link"
},
{
"id": "3435d945-dd0b-4b7f-9a38-4a915eecebbf",
"cellValue": "HostNav",
"linkTarget": "parameter",
"linkLabel": "Suspicious Changes",
"subTarget": "suspiciousChanges",
"style": "link"
},
{
"id": "d914883d-4e94-4b23-ae39-0b9516d7248b",
"cellValue": "HostNav",
"linkTarget": "parameter",
"linkLabel": "Related Alerts & Bookmarks",
"subTarget": "relatedAlerts",
"style": "link"
},
{
"id": "2868ddcc-a4e9-4e19-a5d0-602cd8e5b6d7",
"cellValue": "HostNav",
"linkTarget": "parameter",
"linkLabel": "{HostCustomTabName}",
"subTarget": "Custom",
"style": "link"
}
]
},
"name": "links - 2"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "7506e1db-61f7-43d4-827b-b0a7e4d96ccb",
"version": "KqlParameterItem/1.0",
"name": "HostAnomalies",
"label": "Choose Host Anomaly",
"type": 10,
"description": "Toggle New Logons and Rare Processes",
"isRequired": true,
"typeSettings": {
"additionalResourceOptions": []
},
"jsonData": "[\r\n { \"value\": \"Rare Procs\", \"label\": \"Rare Procs\"},\r\n {\"value\": \"New Logons\", \"label\": \"New Logons\", \"selected\":true }\r\n]",
"timeContext": {
"durationMs": 86400000
},
"value": "Rare Procs"
}
],
"style": "above",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"conditionalVisibilities": [
{
"parameterName": "InvestigationType",
"comparison": "isEqualTo",
"value": "Host"
},
{
"parameterName": "HostNav",
"comparison": "isEqualTo",
"value": "hostAnomaly"
},
{
"parameterName": "Fake",
"comparison": "isEqualTo",
"value": "True"
}
],
"name": "parameters - 10"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let starttime = ({TimeRange:seconds}s + 90d);\r\nlet endtime = {TimeRange:seconds}s;\r\nlet ProcessCreationEvents=() {\r\nlet processEvents=SecurityEvent\r\n| where EventID==4688\r\n| where Computer =~ \"{Host}\"\r\n| where TimeGenerated >= ago(starttime) \r\n| project TimeGenerated, ComputerName=Computer,AccountName=SubjectUserName, AccountDomain=SubjectDomainName, ProcessPath=NewProcessName, FileName=tostring(split(NewProcessName, '\\\\')[(-1)]), ProcessCommandLine = CommandLine, InitiatingProcessFileName=ParentProcessName,InitiatingProcessCommandLine='',InitiatingProcessParentFileName='';\r\nprocessEvents};\r\nlet allHostsProcessEvents = SecurityEvent\r\n| where EventID==4688\r\n| where TimeGenerated >= ago(starttime) \r\n| summarize AllHostsWhereProcessObserved=make_set(Computer), UniqueHosts=dcount(Computer) by FileName=tostring(split(NewProcessName, '\\\\')[(-1)]);\r\nProcessCreationEvents\r\n| where TimeGenerated >= ago(starttime) and TimeGenerated < ago(endtime)\r\n| summarize count(), arg_max(TimeGenerated, ProcessPath) by FileName\r\n| join kind=rightanti (\r\n ProcessCreationEvents\r\n | where TimeGenerated >= ago(endtime)\r\n | summarize FirstOccurance = min(TimeGenerated), LastOccurance = arg_max(TimeGenerated, ProcessPath) by FileName\r\n) on FileName\r\n| project FileName, ProcessPath, FirstOccurance, LastOccurance\r\n| join kind=leftouter allHostsProcessEvents on FileName\r\n| project FileName, ProcessPath, FirstOccurance, LastOccurance, AllHostsWhereProcessObserved, UniqueHosts\r\n\r\n",
"size": 0,
"title": "New Processes on Host {Host} observed during {TimeRange:label}",
"exportFieldName": "FileName",
"exportParameterName": "process",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"filter": true,
"sortBy": [
{
"itemKey": "FileName",
"sortOrder": 2
}
],
"labelSettings": [
{
"columnId": "FileName",
"label": "File Name"
}
]
},
"sortBy": [
{
"itemKey": "FileName",
"sortOrder": 2
}
]
},
"conditionalVisibilities": [
{
"parameterName": "HostNav",
"comparison": "isEqualTo",
"value": "hostAnomaly"
},
{
"parameterName": "InvestigationType",
"comparison": "isEqualTo",
"value": "Host"
},
{
"parameterName": "HostAnomalies",
"comparison": "isEqualTo",
"value": "Rare Procs"
}
],
"name": "query - 12"
},
{
"type": 1,
"content": {
"json": "*A New Logon is defined as a successful logon (Event ID 4624) to the Host in the last 24 hours from an Account that had no successful logon to it in the preceding six days. This lookback is fixed in the query and does not follow the selected TimeRange. Computer accounts (names ending in `$`) and the NETWORK SERVICE, LOCAL SERVICE and SYSTEM accounts are excluded.*"
},
"conditionalVisibilities": [
{
"parameterName": "HostNav",
"comparison": "isEqualTo",
"value": "hostAnomaly"
},
{
"parameterName": "InvestigationType",
"comparison": "isEqualTo",
"value": "Host"
},
{
"parameterName": "HostAnomalies",
"comparison": "isEqualTo",
"value": "New Logons"
}
],
"name": "text - 17"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "// New logons: accounts with a successful logon (4624) to the host in the last 1d that had no successful logon to it in the prior window ago(7d)..ago(1d). The window is fixed and does not follow the TimeRange parameter.\r\n// NOTE(review): the host filter below is a substring match (contains), so a short host name can also match other hosts whose names contain it; confirm the Host parameter is an FQDN before relying on these results.\r\nlet starttime = 7d;\r\nlet endtime = 1d;\r\nlet LogonEvents=() { \r\nlet logonSuccess=SecurityEvent \r\n| where EventID==4624\r\n| where tolower(Computer) contains tolower(\"{Host}\")\r\n| where TargetUserName !endswith \"$\"\r\n| where TargetUserName !contains \"NETWORK SERVICE\"\r\n| where TargetUserName !contains \"LOCAL SERVICE\"\r\n| where TargetUserName != \"SYSTEM\"\r\n| project TimeGenerated, ComputerName=Computer, AccountName=TargetUserName, AccountDomain=TargetDomainName, IpAddress, ActionType='Logon';\r\nlet logonFail=SecurityEvent \r\n| where EventID==4625\r\n| where tolower(Computer) contains tolower(\"{Host}\")\r\n| where TargetUserName !endswith \"$\"\r\n| where TargetUserName !contains \"NETWORK SERVICE\"\r\n| where TargetUserName !contains \"LOCAL SERVICE\"\r\n| where TargetUserName != \"SYSTEM\"\r\n| project TimeGenerated, ComputerName=Computer, AccountName=TargetUserName, AccountDomain=TargetDomainName, IpAddress, ActionType='LogonFailure';\r\nlogonFail \r\n| union logonSuccess\r\n};\r\nLogonEvents \r\n| where TimeGenerated > ago(endtime) \r\n| where ActionType == 'Logon' \r\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by ComputerName, AccountName \r\n| join kind=leftanti ( \r\nLogonEvents \r\n| where TimeGenerated between(ago(starttime)..ago(endtime)) \r\n| where ActionType == 'Logon' \r\n| summarize count() by ComputerName, AccountName \r\n) on ComputerName, AccountName \r\n//| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), HostCount=dcount(ComputerName), HostSet=makeset(ComputerName, 10) by AccountName, ComputerName\r\n| summarize count() by AccountName\r\n//| extend timestamp = StartTimeUtc, AccountCustomEntity = AccountName\r\n",
"size": 3,
"title": "Click to filter by Account",
"timeContext": {
"durationMs": 86400000
},
"exportFieldName": "AccountName",
"exportParameterName": "Account",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "tiles",
"sortBy": [],
"tileSettings": {
"titleContent": {
"columnMatch": "AccountName",
"formatter": 1
},
"showBorder": false
},
"chartSettings": {
"group": "AccountName",
"createOtherGroup": 10
}
},
"conditionalVisibilities": [
{
"parameterName": "HostNav",
"comparison": "isEqualTo",
"value": "hostAnomaly"
},
{
"parameterName": "InvestigationType",
"comparison": "isEqualTo",
"value": "Host"
},
{
"parameterName": "HostAnomalies",
"comparison": "isEqualTo",
"value": "New Logons"
}
],
"name": "query - 16 - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let starttime = 7d;\r\nlet endtime = 1d;\r\nlet LogonEvents=() { \r\nlet logonSuccess=SecurityEvent\r\n| where EventID==4624\r\n| where tolower(Computer) contains tolower(\"{Host}\")\r\n| where tolower(Account) endswith tolower(\"{Account}\")\r\n| where TargetUserName !endswith \"$\"\r\n| where TargetUserName !contains \"NETWORK SERVICE\"\r\n| where TargetUserName !contains \"LOCAL SERVICE\"\r\n| where TargetUserName != \"SYSTEM\"\r\n| project TimeGenerated, Activity, ComputerName=Computer, AccountName=TargetUserName, AccountDomain=TargetDomainName, IpAddress, ActionType='Logon';\r\nlet logonFail=SecurityEvent \r\n| where EventID==4625\r\n| where tolower(Computer) contains tolower(\"{Host}\")\r\n| where tolower(Account) endswith tolower(\"{Account}\")\r\n| where TargetUserName !endswith \"$\"\r\n| where TargetUserName !contains \"NETWORK SERVICE\"\r\n| where TargetUserName !contains \"LOCAL SERVICE\"\r\n| where TargetUserName != \"SYSTEM\"\r\n| project TimeGenerated, Activity, ComputerName=Computer, AccountName=TargetUserName, AccountDomain=TargetDomainName, IpAddress, ActionType='LogonFailure';\r\nlogonFail \r\n| union logonSuccess\r\n};\r\nLogonEvents \r\n| where TimeGenerated > ago(endtime) \r\n| where ActionType == 'Logon' \r\n| summarize FirsttOccurance = min(TimeGenerated), LastOccurance = max(TimeGenerated), count() by ComputerName, AccountName, Activity \r\n| join kind=leftanti ( \r\nLogonEvents \r\n| where TimeGenerated between(ago(starttime)..ago(endtime)) \r\n| where ActionType == 'Logon' \r\n| summarize count() by ComputerName, AccountName \r\n) on ComputerName, AccountName\r\n| summarize FirsttOccurance = min(FirsttOccurance), LastOccurance = max(LastOccurance), Count=dcount(AccountName) by AccountName, Activity",
"size": 1,
"title": "New logons to Host Filtered by Account",
"noDataMessage": "Click on an Account above to perform the query.",
"timeContext": {
"durationMs": 86400000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "table",
"sortBy": [],
"tileSettings": {
"showBorder": false,
"titleContent": {
"columnMatch": "AccountName",
"formatter": 1
},
"leftContent": {
"columnMatch": "HostCount",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
},
"graphSettings": {
"type": 0,
"topContent": {
"columnMatch": "AccountName",
"formatter": 1
},
"centerContent": {
"columnMatch": "HostCount",
"formatter": 1,
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
},
"mapSettings": {
"locInfo": "LatLong",
"sizeSettings": "HostCount",
"sizeAggregation": "Sum",
"legendMetric": "HostCount",
"legendAggregation": "Sum",
"itemColorSettings": {
"type": "heatmap",
"colorAggregation": "Sum",
"nodeColorField": "HostCount",
"heatmapPalette": "greenRed"
}
}
},
"conditionalVisibilities": [
{
"parameterName": "HostNav",
"comparison": "isEqualTo",
"value": "hostAnomaly"
},
{
"parameterName": "InvestigationType",
"comparison": "isEqualTo",
"value": "Host"
},
{
"parameterName": "HostAnomalies",
"comparison": "isEqualTo",
"value": "New Logons"
}
],
"name": "query - 16 - Copy"
}
]
},
"conditionalVisibility": {
"parameterName": "HostNav",
"comparison": "isEqualTo",
"value": "hostAnomaly"
},
"name": "HostAnomaly"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let starttime = 7d;\r\nlet endtime = 1d;\r\nlet LogonEvents=() { \r\nlet logonSuccess=SecurityEvent\r\n| where EventID==4624\r\n| where tolower(Computer) contains tolower(\"{Host}\")\r\n| where TargetUserName !endswith \"$\"\r\n| where TargetUserName !contains \"NETWORK SERVICE\"\r\n| where TargetUserName !contains \"LOCAL SERVICE\"\r\n| where TargetUserName != \"SYSTEM\"\r\n| project TimeGenerated, Activity, ComputerName=Computer, AccountName=TargetUserName, AccountDomain=TargetDomainName, IpAddress, ActionType='Logon';\r\nlet logonFail=SecurityEvent \r\n| where EventID==4625\r\n| where tolower(Computer) contains tolower(\"{Host}\")\r\n| where TargetUserName !endswith \"$\"\r\n| where TargetUserName !contains \"NETWORK SERVICE\"\r\n| where TargetUserName !contains \"LOCAL SERVICE\"\r\n| where TargetUserName != \"SYSTEM\"\r\n| project TimeGenerated, Activity, ComputerName=Computer, AccountName=TargetUserName, AccountDomain=TargetDomainName, IpAddress, ActionType='LogonFailure';\r\nlogonFail \r\n| union logonSuccess\r\n};\r\nLogonEvents \r\n| where TimeGenerated > ago(endtime) \r\n| where ActionType == 'Logon' \r\n| summarize FirstOccurance = min(TimeGenerated), LastOccurance = max(TimeGenerated), count() by ComputerName, AccountName, Activity \r\n| join kind=leftanti ( \r\nLogonEvents \r\n| where TimeGenerated between(ago(starttime)..ago(endtime)) \r\n| where ActionType == 'Logon' \r\n| summarize count() by ComputerName, AccountName \r\n) on ComputerName, AccountName\r\n| summarize FirstOccurance = min(FirstOccurance), LastOccurance = max(LastOccurance), Count=dcount(AccountName) by AccountName, Activity",
"size": 0,
"showAnalytics": true,
"title": "Details of New Logons to Host",
"timeContext": {
"durationMs": 86400000
},
"exportFieldName": "AccountName",
"exportParameterName": "Account",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "table",
"showExpandCollapseGrid": true,
"gridSettings": {
"filter": true,
"labelSettings": [
{
"columnId": "AccountName",
"label": "Account Name"
},
{
"columnId": "Activity"
},
{
"columnId": "FirstOccurance",
"label": "First Occurrence"
},
{
"columnId": "LastOccurance",
"label": "Last Occurrence"
},
{
"columnId": "Count"
}
]
},
"sortBy": [],
"tileSettings": {
"titleContent": {
"columnMatch": "AccountName",
"formatter": 1
},
"showBorder": false
},
"chartSettings": {
"group": "AccountName",
"createOtherGroup": 10
}
},
"conditionalVisibilities": [
{
"parameterName": "InvestigationType",
"comparison": "isEqualTo",
"value": "Host"
},
{
"parameterName": "HostAnomalies",
"comparison": "isEqualTo",
"value": "New Logons"
},
{
"parameterName": "HostNav",
"comparison": "isEqualTo",
"value": "hostAnomaly"
}
],
"name": "query - 16"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let events = dynamic([4624, 4625, 4768, 4771]);\r\nlet kerbevents = dynamic([4768, 4771]);\r\nlet aadSignIns = SigninLogs\r\n| where TimeGenerated > ago(7d)\r\n| where AppDisplayName == \"Windows Sign In\"\r\n| extend HostShort = split(\"{Host}\", \".\", 0)[0]\r\n| where DeviceDetail.displayName contains HostShort\r\n| extend LogonResult = iff(ResultType == 0, \"Success\", \"Failure\")\r\n| summarize Count=count(), FirstOccurance=min(TimeGenerated), LastOccurance=max(TimeGenerated) by Account=Identity, LogonResult, LogonType=\"AAD/HDJ\", ErrorCode=ResultType;\r\nSecurityEvent\r\n| where EventID in (events)\r\n| extend LogonResult = iff(Level == 8, \"Success\", \"Failure\")\r\n| extend LogonType = iff(EventID in (kerbevents), \"Kerberos TGT\", LogonTypeName)\r\n| extend LogonComputerOrIP = iff(EventID == 4768, IpAddress, Computer)\r\n| where Account !contains @\"Window Manager\\DWM\"\r\n| extend ErrorCode = iff(EventID in (kerbevents), Status, SubStatus)\r\n| where TargetAccount !endswith \"$\"\r\n| where TargetAccount !contains \"NT AUTHORITY\"\r\n| where Computer contains \"{Host}\"\r\n| summarize Count=count(), FirstOccurance=min(TimeGenerated), LastOccurance=max(TimeGenerated) by Account, LogonResult, LogonType, ErrorCode\r\n| union aadSignIns\r\n| sort by Count",
"size": 0,
"showAnalytics": true,
"title": "Account Logons",
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"filter": true,
"labelSettings": [
{
"columnId": "Account"
},
{
"columnId": "LogonResult",
"label": "Logon Result"
},
{
"columnId": "LogonType",
"label": "Logon Type"
},
{
"columnId": "ErrorCode",
"label": "Error Code"
},
{
"columnId": "Count"
},
{
"columnId": "FirstOccurance",
"label": "First Occurrence"
},
{
"columnId": "LastOccurance",
"label": "Last Occurrence"
}
]
}
},
"conditionalVisibility": {
"parameterName": "InvestigationType",
"comparison": "isEqualTo",
"value": "Host"
},
"name": "query - 13"
}
]
},
"conditionalVisibility": {
"parameterName": "HostNav",
"comparison": "isEqualTo",
"value": "accountLogons"
},
"name": "AccountLogon"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "7491e67e-bdbd-4f0a-8819-45b65104137d",
"version": "KqlParameterItem/1.0",
"name": "securityBaselineOptions",
"label": "Choose Security Check",
"type": 10,
"description": "Choose which security check to perform",
"isRequired": true,
"typeSettings": {
"additionalResourceOptions": []
},
"jsonData": "[\r\n { \"value\": \"Updates\", \"label\": \"Updates\", \"selected\":true },\r\n { \"value\": \"Security Baseline\", \"label\": \"Security Baseline\" },\r\n { \"value\": \"Protection Status\", \"label\": \"Protection Status\" }\r\n]",
"timeContext": {
"durationMs": 86400000
}
}
],
"style": "above",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"conditionalVisibility": {
"parameterName": "HostNav",
"comparison": "isEqualTo",
"value": "securityBaseline"
},
"name": "parameters - 15"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let lastRun = toscalar(UpdateSummary\r\n| where Computer =~ \"{Host}\"\r\n| summarize max(TimeGenerated));\r\nUpdateSummary\r\n| where tolower(Computer) == tolower(\"{Host}\")\r\n| where TimeGenerated between((lastRun-5m)..lastRun)\r\n//| project CriticalUpdatesMissing, SecurityUpdatesMissing, OtherUpdatesMissing\r\n| project TimeGenerated, Computer, CriticalUpdatesMissing, SecurityUpdatesMissing, OtherUpdatesMissing, TotalUpdatesMissing, RestartPending, ComputerEnvironment",
"size": 4,
"title": "Update Summary filtered by Update Check",
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "CriticalUpdatesMissing",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "colors",
"thresholdsGrid": [
{
"operator": ">",
"thresholdValue": "0",
"representation": "red",
"text": "{0}{1}"
},
{
"operator": "Default",
"thresholdValue": null,
"text": "{0}{1}"
}
]
}
},
{
"columnMatch": "SecurityUpdatesMissing",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "colors",
"thresholdsGrid": [
{
"operator": ">",
"text": "{0}{1}"
},
{
"thresholdValue": "0",
"representation": "redBright",
"text": "{0}{1}"
},
{
"operator": "Default",
"thresholdValue": null,
"text": "{0}{1}"
}
]
}
},
{
"columnMatch": "OtherUpdatesMissing",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "colors",
"thresholdsGrid": [
{
"operator": ">",
"text": "{0}{1}"
},
{
"thresholdValue": "0",
"representation": "redBright",
"text": "{0}{1}"
},
{
"operator": "Default",
"thresholdValue": null,
"text": "{0}{1}"
}
]
}
},
{
"columnMatch": "TotalUpdatesMissing",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "colors",
"thresholdsGrid": [
{
"operator": ">",
"thresholdValue": "0",
"representation": "redBright",
"text": "{0}{1}"
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "green",
"text": "{0}{1}"
}
]
}
},
{
"columnMatch": "RestartPending",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "colors",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "true",
"representation": "redBright",
"text": "{0}{1}"
},
{
"operator": "Default",
"thresholdValue": null,
"text": "{0}{1}"
}
]
}
}
],
"filter": true,
"labelSettings": [
{
"columnId": "TimeGenerated",
"label": "Time Generated"
},
{
"columnId": "Computer"
},
{
"columnId": "CriticalUpdatesMissing",
"label": "Critical Updates Missing"
},
{
"columnId": "SecurityUpdatesMissing",
"label": "Security Updates Missing"
},
{
"columnId": "OtherUpdatesMissing",
"label": "Other Updates Missing"
},
{
"columnId": "TotalUpdatesMissing",
"label": "Total Updates Missing"
},
{
"columnId": "RestartPending",
"label": "Restart Pending"
},
{
"columnId": "ComputerEnvironment",
"label": "Computer Environment"
}
]
},
"tileSettings": {
"titleContent": {
"formatter": 1
},
"leftContent": {
"columnMatch": "CriticalUpdatesMissing",
"formatter": 12,
"formatOptions": {
"min": 1,
"palette": "redBright"
}
},
"rightContent": {
"columnMatch": "SecurityUpdatesMissing",
"formatter": 12,
"formatOptions": {
"min": 1,
"palette": "purpleRed"
}
},
"secondaryContent": {
"columnMatch": "OtherUpdatesMissing",
"formatter": 12,
"formatOptions": {
"palette": "yellow"
}
},
"showBorder": false,
"size": "auto"
}
},
"name": "query - 0"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let lastRun = toscalar(Update\r\n| where Computer =~ \"{Host}\"\r\n| summarize max(TimeGenerated));\r\nUpdate\r\n| where Computer =~ \"{Host}\"\r\n| where TimeGenerated between((lastRun-5m)..lastRun)\r\n| where UpdateState != \"Installed\"\r\n| where Classification != \"Feature Packs\"\r\n| project TimeGenerated, Computer, SourceSystem, Title, Classification, PublishedDate, UpdateState, Product, ResourceId, ResourceGroup, RebootBehavior",
"size": 1,
"title": "Required Updates Missing in the Latest Check",
"noDataMessage": "No missing updates.",
"noDataMessageStyle": 3,
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"rowLimit": 500,
"filter": true,
"labelSettings": [
{
"columnId": "TimeGenerated",
"label": "Time Generated"
},
{
"columnId": "Computer"
},
{
"columnId": "SourceSystem",
"label": "Source System"
},
{
"columnId": "Title"
},
{
"columnId": "Classification"
},
{
"columnId": "PublishedDate",
"label": "Published Date"
},
{
"columnId": "UpdateState",
"label": "Update State"
},
{
"columnId": "Product"
},
{
"columnId": "ResourceId",
"label": "Resource ID"
},
{
"columnId": "ResourceGroup",
"label": "Resource Group"
},
{
"columnId": "RebootBehavior",
"label": "Reboot Behavior"
}
]
}
},
"name": "query - 2"
}
]
},
"conditionalVisibilities": [
{
"parameterName": "HostNav",
"comparison": "isEqualTo",
"value": "securityBaseline"
},
{
"parameterName": "securityBaselineOptions",
"comparison": "isEqualTo",
"value": "Updates"
}
],
"name": "updateSummary"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let lastRun = toscalar(SecurityBaselineSummary\r\n| where tolower(Computer) == tolower(\"{Host}\")\r\n| summarize max(TimeGenerated));\r\nSecurityBaselineSummary\r\n| where tolower(Computer) == tolower(\"{Host}\")\r\n| where TimeGenerated == lastRun\r\n| project TimeGenerated, Computer, TotalAssessedRules, Type, PercentageOfPassedRules, CriticalFailedRules, WarningFailedRules, InformationalFailedRules",
"size": 4,
"title": "Security Baseline Summary",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"filter": true,
"labelSettings": [
{
"columnId": "TimeGenerated",
"label": "Time Generated"
},
{
"columnId": "Computer"
},
{
"columnId": "TotalAssessedRules",
"label": "Total Assessed Rules"
},
{
"columnId": "Type"
},
{
"columnId": "PercentageOfPassedRules",
"label": "Percentage of Passed Rules"
},
{
"columnId": "CriticalFailedRules",
"label": "Critical Failed Rules"
},
{
"columnId": "WarningFailedRules",
"label": "Warning Failed Rules"
},
{
"columnId": "InformationalFailedRules",
"label": "Informational Failed Rules"
}
]
}
},
"name": "query - 0"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"crossComponentResources": [
"{Workspace}"
],
"parameters": [
{
"id": "91e6ebb4-6719-47ac-a49b-9f71cf52b5c3",
"version": "KqlParameterItem/1.0",
"name": "ruleSeverity",
"label": "Failed Rule Severity Level",
"type": 2,
"description": "Choose severity level of failed rules to display",
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "SecurityBaseline\r\n| where Computer =~ \"{Host}\"\r\n| where AnalyzeResult == \"Failed\"\r\n| where TimeGenerated > ago(24h)\r\n| summarize by RuleSeverity",
"crossComponentResources": [
"{Workspace}"
],
"value": [
"value::all"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
],
"showDefault": false
},
"timeContext": {
"durationMs": 86400000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 1"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let currentAssessmentId = toscalar(SecurityBaseline\r\n| where Computer =~ \"{Host}\"\r\n| summarize arg_max(TimeGenerated, AssessmentId)\r\n| project AssessmentId);\r\nSecurityBaseline\r\n| where AssessmentId == currentAssessmentId\r\n| where AnalyzeResult == \"Failed\"\r\n| where Computer =~ \"{Host}\"\r\n| where RuleSeverity in ({ruleSeverity})\r\n| project TimeGenerated, Computer, BaselineType, RuleSeverity, Description, ActualResult, ExpectedResult, AnalyzeOperation\r\n| sort by TimeGenerated desc",
"size": 0,
"title": "Failed Security Baselines in the Latest Check",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"rowLimit": 500,
"filter": true,
"labelSettings": [
{
"columnId": "TimeGenerated",
"label": "Time Generated"
},
{
"columnId": "Computer"
},
{
"columnId": "BaselineType",
"label": "Baseline Type"
},
{
"columnId": "RuleSeverity",
"label": "Rule Severity"
},
{
"columnId": "Description"
},
{
"columnId": "ActualResult",
"label": "Actual Result"
},
{
"columnId": "ExpectedResult",
"label": "Expected Result"
},
{
"columnId": "AnalyzeOperation",
"label": "Analyze Operation"
}
]
}
},
"name": "query - 17"
}
]
},
"conditionalVisibility": {
"parameterName": "securityBaselineOptions",
"comparison": "isEqualTo",
"value": "Security Baseline"
},
"name": "baseline"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "ProtectionStatus\r\n| where Computer =~ \"{Host}\"\r\n| summarize Count = count() by ThreatStatus",
"size": 1,
"title": "Host Threat Protection Status - click to filter",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"exportFieldName": "ThreatStatus",
"exportParameterName": "TS",
"exportDefaultValue": "AllStatus",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "tiles",
"tileSettings": {
"titleContent": {
"columnMatch": "ThreatStatus",
"formatter": 1
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"useGrouping": false,
"maximumFractionDigits": 2,
"maximumSignificantDigits": 3
}
}
},
"showBorder": false
}
},
"name": "query - 0"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "ProtectionStatus\r\n| where tolower(Computer) == tolower(\"{Host}\")\r\n| where ThreatStatus == \"{TS}\" or \"{TS}\" == \"AllStatus\"\r\n| project ThreatStatus, Resource, ScanDate, TypeofProtection, AMProductVersion, ProtectionStatus, ProtectionStatusDetails\r\n| sort by ScanDate",
"size": 0,
"showAnalytics": true,
"title": "Host Protection Status Details - filtered by Threat Status",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"filter": true,
"labelSettings": [
{
"columnId": "ThreatStatus",
"label": "Threat Status"
},
{
"columnId": "Resource"
},
{
"columnId": "ScanDate",
"label": "Scan Date"
},
{
"columnId": "TypeofProtection",
"label": "Type of Protection"
},
{
"columnId": "AMProductVersion",
"label": "AM Product Version"
},
{
"columnId": "ProtectionStatus",
"label": "Protection Status"
},
{
"columnId": "ProtectionStatusDetails",
"label": "Protection Status Details"
}
]
}
},
"name": "query - 1"
}
]
},
"conditionalVisibilities": [
{
"parameterName": "HostNav",
"comparison": "isEqualTo",
"value": "securityBaseline"
},
{
"parameterName": "securityBaselineOptions",
"comparison": "isEqualTo",
"value": "Protection Status"
}
],
"name": "protectionStatus"
}
]
},
"conditionalVisibility": {
"parameterName": "HostNav",
"comparison": "isEqualTo",
"value": "securityBaseline"
},
"name": "securityBaseline"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "0e998788-617f-412a-a435-386106f4ec23",
"version": "KqlParameterItem/1.0",
"name": "suspiciousChanges",
"label": "Suspicious Changes",
"type": 10,
"description": "Toggle between Audit Policy Change, Security Log Clear and User/Group Changes",
"isRequired": true,
"typeSettings": {
"additionalResourceOptions": []
},
"jsonData": "[\r\n{ \"value\": \"Audit Policy Change\", \"label\": \"AuditPolChange\", \"selected\":true},\r\n{ \"value\": \"Security Log Clear\", \"label\": \"SecLogClear\"},\r\n{ \"value\": \"User Changes\", \"label\": \"User/GroupChanges\"}\r\n]"
}
],
"style": "above",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 17"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityEvent\r\n| where EventID == \"1102\"\r\n| where tolower(Computer) == tolower(\"{Host}\")\r\n| parse EventData with * 'SubjectUserName>' SubjectUserName '<' *\r\n| parse EventData with * 'SubjectDomainName>' SubjectDomainName '<' *\r\n| parse EventData with * 'SubjectLogonId>' SubjectLogonId '<' *\r\n| project TimeGenerated, SubjectDomainName, SubjectUserName, Computer, SubjectLogonId",
"size": 0,
"title": "Security Log Clear Details",
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"filter": true,
"labelSettings": [
{
"columnId": "TimeGenerated",
"label": "Time Generated"
},
{
"columnId": "SubjectDomainName",
"label": "Subject Domain Name"
},
{
"columnId": "SubjectUserName",
"label": "Subject User Name"
},
{
"columnId": "Computer"
},
{
"columnId": "SubjectLogonId",
"label": "Subject Logon ID"
}
]
}
},
"conditionalVisibility": {
"parameterName": "suspiciousChanges",
"comparison": "isEqualTo",
"value": "Security Log Clear"
},
"name": "query - 15 - Copy"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"crossComponentResources": [
"{Workspace}"
],
"parameters": [
{
"id": "97f331c1-33a9-47c5-8fec-d70ea27ef58d",
"version": "KqlParameterItem/1.0",
"name": "AuditPolicyChangeType",
"label": "Audit Policy Change Type",
"type": 2,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "SecurityEvent\r\n| where EventID == \"4719\"\r\n| where tolower(Computer) == tolower(\"{Host}\")\r\n| where AccountType != \"Machine\"\r\n| extend AuditPolicyChange = case(AuditPolicyChanges == \"%%8448\", \"Success:disable\", AuditPolicyChanges == \"%%8449\", \"Success:enable\", AuditPolicyChanges == \"%%8450\", \"Failure:disable\", AuditPolicyChanges == \"%%8451\", \"Failure:enable\", \"Failed to Return\")\r\n| summarize by AuditPolicyChange",
"crossComponentResources": [
"{Workspace}"
],
"value": [
"value::all"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
],
"showDefault": false
},
"timeContext": {
"durationMs": 604800000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"conditionalVisibilities": [
{
"parameterName": "suspiciousChanges",
"comparison": "isEqualTo",
"value": "Audit Policy Change"
},
{
"parameterName": "HostNav",
"comparison": "isEqualTo",
"value": "suspiciousChanges"
}
],
"name": "parameters - 17"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityEvent\r\n| where EventID == \"4719\"\r\n| where tolower(Computer) == tolower(\"{Host}\")\r\n| extend AuditSubcategory = case(SubcategoryGuid == \"0cce9213-69ae-11d9-bed3-505054503030\", \"IPSec Driver\", SubcategoryGuid == \"0cce9212-69ae-11d9-bed3-505054503030\", \"System Integrity\", SubcategoryGuid == \"0cce923f-69ae-11d9-Bed3-505054503030\", \"Credential Valication\", SubcategoryGuid == \"0cce9241-69ae-11d9-bed3-505054503030\", \"Other Account Logon Events\", SubcategoryGuid == \"0cce9211-69ae-11d9-bed3-505054503030\", \"Security System Extension\", SubcategoryGuid == \"0cce9210-69ae-11d9-bed3-505054503030\", \"Security State Change\", SubcategoryGuid == \"0cce9214-69ae-11d9-bed3-505054503030\", \"Other System Events\", SubcategoryGuid == \"0cce9243-69ae-11d9-bed3-505054503030\", \"Network Policy Server\", SubcategoryGuid == \"0cce921c-69ae-11d9-bed3-505054503030\", \"Other Logon/Logoff\", SubcategoryGuid == \"0cce921b-69ae-11d9-bed3-505054503030\", \"Special Logon\", SubcategoryGuid == \"0cce921a-69ae-11d9-bed3-505054503030\", \"IPsec Extended Mode\", SubcategoryGuid == \"0cce9219-69ae-11d9-bed3-505054503030\", \"IPsec Quick Mode\", SubcategoryGuid == \"0cce9218-69ae-11d9-bed3-505054503030\", \"IPsec Main Mode\", SubcategoryGuid == \"0cce9217-69ae-11d9-bed3-505054503030\", \"Account Lockout\", SubcategoryGuid == \"0cce9216-69ae-11d9-bed3-505054503030\", \"Logoff\", SubcategoryGuid == \"0cce9215-69ae-11d9-bed3-505054503030\", \"Logon\", SubcategoryGuid == \"0cce9223-69ae-11d9-bed3-505054503030\", \"Handle Manipulation\", SubcategoryGuid == \"0cce9244-69ae-11d9-bed3-505054503030\", \"Detailed File Share\", SubcategoryGuid == \"0cce9227-69ae-11d9-bed3-505054503030\", \"Other Object Access\", SubcategoryGuid == \"0cce9226-69ae-11d9-bed3-505054503030\", \"FIltering Platform Connection\", SubcategoryGuid == \"0cce9225-69ae-11d9-bed3-505054503030\", \"FIltering Platform Packet Drop\", SubcategoryGuid == \"0cce9224-69ae-11d9-bed3-505054503030\", 
\"File Share\", SubcategoryGuid == \"0cce9222-69ae-11d9-bed3-505054503030\", \"Application Generated\", SubcategoryGuid == \"0cce9221-69ae-11d9-bed3-505054503030\", \"Certificaiton Services\", SubcategoryGuid == \"0cce9220-69ae-11d9-bed3-505054503030\", \"SAM\", SubcategoryGuid == \"0cce921f-69ae-11d9-bed3-505054503030\", \"Kernel Object\", SubcategoryGuid == \"0cce921e-69ae-11d9-bed3-505054503030\", \"Registry\", SubcategoryGuid == \"0cce921d-69ae-11d9-bed3-505054503030\", \"File System\", SubcategoryGuid == \"0cce9229-69ae-11d9-bed3-505054503030\", \"Non Sensitive Privilege Use\", SubcategoryGuid == \"0cce922a-69ae-11d9-bed3-505054503030\" , \"Other Privilege Use Events\", SubcategoryGuid == \"0cce9228-69ae-11d9-bed3-505054503030\", \"Sensitive Privilege Use\", SubcategoryGuid == \"0cce922d-69ae-11d9-bed3-505054503030\", \"DPAPI Activity\", SubcategoryGuid == \"0cce922c-69ae-11d9-bed3-505054503030\", \"Process Termination\", SubcategoryGuid == \"0cce922b-69ae-11d9-bed3-505054503030\", \"Process Creation\", SubcategoryGuid == \"0cce922e-69ae-11d9-bed3-505054503030\", \"RPC Events\", SubcategoryGuid == \"0cce9232-69ae-11d9-bed3-505054503030\", \"MPSSVC Rule-Level Policy Change\", SubcategoryGuid == \"0cce9234-69ae-11d9-bed3-505054503030\", \"Other Policy Change Events\", SubcategoryGuid == \"0cce9233-69ae-11d9-bed3-505054503030\", \"Filtering Platform Policy Change\", SubcategoryGuid == \"0cce922f-69ae-11d9-bed3-505054503030\", \"Audit Policy Change\", SubcategoryGuid == \"0cce9231-69ae-11d9-bed3-505054503030\", \"Authorization Policy Change\", SubcategoryGuid == \"0cce9230-69ae-11d9-bed3-505054503030\", \"Authentication Policy Change\", SubcategoryGuid == \"0cce923a-69ae-11d9-bed3-505054503030\", \"Other Account Management Events\", SubcategoryGuid == \"0cce9239-69ae-11d9-bed3-505054503030\", \"Application Group Management\", SubcategoryGuid == \"0cce9238-69ae-11d9-bed3-505054503030\", \"Distribution Group Management\", SubcategoryGuid == 
\"0cce9237-69ae-11d9-bed3-505054503030\", \"Security Group Management\", SubcategoryGuid == \"0cce9236-69ae-11d9-bed3-505054503030\", \"Computer Account Mangement\", SubcategoryGuid == \"0cce9235-69ae-11d9-bed3-505054503030\", \"User Account Mangement\", SubcategoryGuid == \"0cce923e-69ae-11d9-bed3-505054503030\", \"Detailed Directory Service Replication\", SubcategoryGuid == \"0cce923b-69ae-11d9-bed3-505054503030\", \"Directory Service Access\", SubcategoryGuid == \"0cce923d-69ae-11d9-bed3-505054503030\", \"Directory Service Replication\", SubcategoryGuid == \"0cce923c-69ae-11d9-bed3-505054503030\", \"Directory Service Changes\", SubcategoryGuid == \"0cce9240-69ae-11d9-bed3-505054503030\", \"Kerberos Service Ticket Operations\", SubcategoryGuid == \"0cce923f-69ae-11d9-bed3-505054503030\", \"Credential Validation\", SubcategoryGuid == \"0cce9242-69ae-11d9-bed3-505054503030\", \"Kerberos Authentication Service\", SubcategoryGuid == \"0cce9245-69ae-11d9-bed3-505054503030\", \"Removable Storage\", SubcategoryGuid == \"0cce9246-69ae-11d9-bed3-505054503030\", \"Central Access Policy Staging\", SubcategoryGuid == \"0cce9247-69ae-11d9-bed3-505054503030\", \"User/Device Claims\", SubcategoryGuid == \"0cce9248-69ae-11d9-Bed3-505054503030\", \"PNP Activity\", SubcategoryGuid == \"0cce9249-69ae-11d9-bed3-505054503030\", \"Group Membership\", \"Failed to Return\")\r\n| extend AuditPolicyChange = case(AuditPolicyChanges == \"%%8448\", \"Success:disable\", AuditPolicyChanges == \"%%8449\", \"Success:enable\", AuditPolicyChanges == \"%%8450\", \"Failure:disable\", AuditPolicyChanges == \"%%8451\", \"Failure:enable\", \"Failed to Return\")\r\n| where AccountType != \"Computer\"\r\n| where 'AuditPolicyChange'==\"All\" or AuditPolicyChange in ({AuditPolicyChangeType})\r\n| project TimeGenerated, AuditSubcategory, AuditPolicyChange, Account, SubjectLogonId\r\n| order by TimeGenerated desc ",
"size": 0,
"title": "Audit Policy Change Details",
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"filter": true,
"labelSettings": [
{
"columnId": "TimeGenerated",
"label": "Time Generated"
},
{
"columnId": "AuditSubcategory",
"label": "Audit Subcategory"
},
{
"columnId": "AuditPolicyChange",
"label": "Audit Policy Change"
},
{
"columnId": "Account"
},
{
"columnId": "SubjectLogonId",
"label": "Subject Logon ID"
}
]
}
},
"conditionalVisibilities": [
{
"parameterName": "HostNav",
"comparison": "isEqualTo",
"value": "suspiciousChanges"
},
{
"parameterName": "suspiciousChanges",
"comparison": "isEqualTo",
"value": "Audit Policy Change"
}
],
"name": "query - 17 - Copy - Copy"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"crossComponentResources": [
"{Workspace}"
],
"parameters": [
{
"id": "d16f4b45-af6e-4529-b380-77cf46eb8df6",
"version": "KqlParameterItem/1.0",
"name": "ChangeMaker",
"label": "Change Maker",
"type": 2,
"isRequired": true,
"query": "let OnPremEvents = dynamic([4720, 4731, 4732, 4733, 4734, 4735, 4764, 4727, 4737, 4728, 4729, 4730, 4754, 4755, 4756, 4757, 4758]);\r\nSecurityEvent\r\n| where tolower(Computer) == tolower(\"{Host}\")\r\n| where EventID in (OnPremEvents)\r\n| summarize by Account",
"crossComponentResources": [
"{Workspace}"
],
"value": null,
"typeSettings": {
"additionalResourceOptions": [],
"showDefault": false
},
"timeContext": {
"durationMs": 604800000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"conditionalVisibility": {
"parameterName": "suspiciousChanges",
"comparison": "isEqualTo",
"value": "User Changes"
},
"name": "parameters - 16"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityEvent\r\n| where EventID == 4720\r\n| where tolower(Computer) == tolower(\"{Host}\")\r\n| where Account == \"{ChangeMaker:escape}\"//@ or :escape escapes problematic characters\r\n//| where Computer == \"{Host}\"\r\n| parse EventData with * 'TargetUserName>' SubjectUserName '<' *\r\n| extend AccountType = iff(HomePath == \"%%1793\", \"Local\", \"AD\")\r\n| project TimeGenerated, Account, Computer, CreatedAccount=TargetUserName, AccountType\r\n| order by TimeGenerated desc",
"size": 1,
"showAnalytics": true,
"title": "Account Creation Details",
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"filter": true,
"labelSettings": [
{
"columnId": "TimeGenerated",
"label": "Time Generated"
},
{
"columnId": "CreatedAccount",
"label": "Created Account"
},
{
"columnId": "AccountType",
"label": "Account Type"
}
]
}
},
"customWidth": "50",
"conditionalVisibility": {
"parameterName": "suspiciousChanges",
"comparison": "isEqualTo",
"value": "User Changes"
},
"name": "query - 17"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let OnPremEvents = dynamic([4731, 4732, 4733, 4734, 4735, 4764, 4727, 4737, 4728, 4729, 4730, 4754, 4755, 4756, 4757, 4758]);\r\nSecurityEvent\r\n| where tolower(Computer) == tolower(\"{Host}\")\r\n| where Account == \"{ChangeMaker:escape}\"//@ or :escape escapes problematic characters\r\n| where EventID in (OnPremEvents)\r\n| extend ImpactedAccount = iff(MemberName == \"-\", MemberSid, MemberName)\r\n| project TimeGenerated, Activity, ChangeMaker=Account, AccountType, Computer, ImpactedAccount, Group=TargetAccount\r\n\r\n//Activity, Account, AccountType, Computer, ChangeMaker=SubjectAccount, TargetGroup=TargetAccount;",
"size": 0,
"showAnalytics": true,
"title": "Group Changes Details",
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"filter": true
}
},
"customWidth": "50",
"conditionalVisibility": {
"parameterName": "suspiciousChanges",
"comparison": "isEqualTo",
"value": "User Changes"
},
"name": "query - 17 - Copy"
}
]
},
"conditionalVisibility": {
"parameterName": "HostNav",
"comparison": "isEqualTo",
"value": "suspiciousChanges"
},
"name": "SuspiciousChanges"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityAlert\r\n| where Entities contains \"\"\"host\"\"\"\r\n| extend AllEntities = parse_json(Entities)\r\n| mv-expand AllEntities\r\n| where AllEntities.Type == \"host\"\r\n| extend HostEntity = tostring(AllEntities.HostName)\r\n| where HostEntity =~ split(\"{Host}\", \".\", 0)[0]\r\n| project AlertSeverity, AlertName=DisplayName, ProviderName, AlertDetails=Entities, SystemAlertId",
"size": 0,
"title": "Related Alerts",
"noDataMessage": "No Security Alerts were found for the selected Host",
"noDataMessageStyle": 3,
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "AlertDetails",
"formatter": 7,
"formatOptions": {
"linkTarget": "GenericDetails",
"linkLabel": "View",
"linkIsContextBlade": true
}
},
{
"columnMatch": "SystemAlertId",
"formatter": 5
}
]
}
},
"customWidth": "50",
"name": "query - 0"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "HuntingBookmark\r\n| where TimeGenerated {TimeRange}\r\n| extend Entities = parse_json(QueryResultRow).__entityMapping\r\n| where Entities contains \"\"\"host\"\"\" //Entity Type to match\r\n| summarize arg_max(TimeGenerated, BookmarkName, Notes, Tags, Entities) by BookmarkId\r\n| extend splitEntities = split(replace(@'[\"{}]', '', tostring(Entities)),',')\r\n| mv-expand splitEntities\r\n| extend splitEntity = split(splitEntities, ':')\r\n| where splitEntity[1] =~ \"host\"\r\n| where splitEntity[0] =~ \"{Host}\"\r\n| project BookmarkName, Notes, Tags",
"size": 0,
"title": "Related Bookmarks",
"noDataMessage": "No Bookmarks were found for the selected Host",
"noDataMessageStyle": 3,
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "AlertDetails",
"formatter": 7,
"formatOptions": {
"linkTarget": "GenericDetails",
"linkLabel": "View",
"linkIsContextBlade": true
}
},
{
"columnMatch": "SystemAlertId",
"formatter": 5
}
]
}
},
"customWidth": "50",
"name": "query - 0 - Copy"
}
]
},
"conditionalVisibility": {
"parameterName": "HostNav",
"comparison": "isEqualTo",
"value": "relatedAlerts"
},
"name": "RelatedAlerts"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"loadType": "always",
"items": [
{
"type": 1,
"content": {
"json": "## To use this custom group, switch the group type from \"Editable\" to \"From Template\" and enter the ID of your custom workbook"
},
"name": "text - 0"
}
]
},
"conditionalVisibility": {
"parameterName": "HostNav",
"comparison": "isEqualTo",
"value": "Custom"
},
"name": "CustomGroupAccountHost"
}
]
},
"conditionalVisibility": {
"parameterName": "InvestigationType",
"comparison": "isEqualTo",
"value": "Host"
},
"name": "HostGroup"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"crossComponentResources": [
"{Workspace}"
],
"parameters": [
{
"id": "d492cada-966f-484b-b527-d41ba2ddd1a3",
"version": "KqlParameterItem/1.0",
"name": "URL",
"type": 1,
"isRequired": true,
"query": "datatable(Entity:string, EntityType:string)\r\n\t[\"{EntityData}\",\"{EntityType}\"]\r\n| where EntityType =~ \"url\" or EntityType =~ \"dns\"\r\n| project Entity",
"crossComponentResources": [
"{Workspace}"
],
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 8 - Copy"
},
{
"type": 11,
"content": {
"version": "LinkItem/1.0",
"style": "tabs",
"links": [
{
"id": "bc8ae0b0-4f42-4582-8728-79bc9ff857cb",
"cellValue": "URLNav",
"linkTarget": "parameter",
"linkLabel": "IOCs",
"subTarget": "IOC",
"style": "link"
},
{
"id": "327484a8-4f88-4d2f-b063-8f5e047d41ae",
"cellValue": "URLNav",
"linkTarget": "parameter",
"linkLabel": "{URLCustomTabName}",
"subTarget": "Custom",
"style": "link"
}
]
},
"name": "links - 5"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "ThreatIntelligenceIndicator\r\n| where TimeGenerated > ago(180d)\r\n| where Url contains \"{URL}\"\r\n| summarize arg_max(TimeGenerated, Active) by IndicatorId, SourceSystem, Description, ThreatType, Url\r\n| project SourceSystem, Description, Url, ThreatType, Active",
"size": 0,
"title": "URL Threat Intelligence",
"noDataMessage": "No Threat Intelligence was found for the selected URL.",
"noDataMessageStyle": 3,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
]
},
"name": "query - 13 - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityAlert\r\n| where TimeGenerated {TimeRange}\r\n| where Entities contains \"\"\"url\"\"\"\r\n| extend AllEntities = parse_json(Entities)\r\n| mv-expand AllEntities\r\n| where AllEntities.Type == \"url\" and AllEntities.Url contains \"{URL}\"\r\n| project AlertSeverity, AlertName=DisplayName, ProviderName, AlertDetails=Entities, SystemAlertId",
"size": 0,
"title": "Related Alerts",
"noDataMessage": "No Security Alerts were found for the selected URL",
"noDataMessageStyle": 3,
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "AlertDetails",
"formatter": 7,
"formatOptions": {
"linkTarget": "GenericDetails",
"linkLabel": "View",
"linkIsContextBlade": true
}
},
{
"columnMatch": "SystemAlertId",
"formatter": 5
}
]
}
},
"customWidth": "50",
"name": "query - 2"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "HuntingBookmark\r\n| where TimeGenerated {TimeRange}\r\n| extend Entities = parse_json(QueryResultRow).__entityMapping\r\n| where Entities contains \"\"\"url\"\"\" //Entity Type to match\r\n| summarize arg_max(TimeGenerated, BookmarkName, Notes, Tags, Entities) by BookmarkId\r\n| extend splitEntities = split(replace(@'[{}]', '', tostring(Entities)),',')\r\n| mv-expand splitEntities\r\n| parse splitEntities with * '\"' Url '\":\"' EntityType '\"'\r\n| where EntityType =~ \"url\"\r\n| where Url contains \"{URL}\"\r\n| project BookmarkName, Notes, Tags",
"size": 0,
"title": "Related Bookmarks",
"noDataMessage": "No Bookmarks were found for the selected URL",
"noDataMessageStyle": 3,
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "AlertDetails",
"formatter": 7,
"formatOptions": {
"linkTarget": "GenericDetails",
"linkLabel": "View",
"linkIsContextBlade": true
}
},
{
"columnMatch": "SystemAlertId",
"formatter": 5
}
]
}
},
"customWidth": "50",
"name": "query - 2 - Copy"
}
]
},
"conditionalVisibility": {
"parameterName": "URLNav",
"comparison": "isEqualTo",
"value": "IOC"
},
"name": "URLIOCGroup"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"loadType": "always",
"items": [
{
"type": 1,
"content": {
"json": "## To use this custom group, switch the group type from \"Editable\" to \"From Template\" and enter the ID of your custom workbook"
},
"name": "text - 0"
}
]
},
"conditionalVisibility": {
"parameterName": "URLNav",
"comparison": "isEqualTo",
"value": "Custom"
},
"name": "CustomGroupAccountURL"
}
]
},
"conditionalVisibility": {
"parameterName": "InvestigationType",
"comparison": "isEqualTo",
"value": "URL"
},
"name": "URLGroup"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"crossComponentResources": [
"{Workspace}"
],
"parameters": [
{
"id": "c10a08a4-2969-41d3-84ba-660bfbe7e621",
"version": "KqlParameterItem/1.0",
"name": "FileHash",
"type": 1,
"isRequired": true,
"query": "datatable(Entity:string, EntityType:string)\r\n\t[\"{EntityData}\",\"{EntityType}\"]\r\n| where EntityType startswith \"filehash\"\r\n| project Entity",
"crossComponentResources": [
"{Workspace}"
],
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
{
"id": "56b045e3-0340-4b11-b591-93632bd54cad",
"version": "KqlParameterItem/1.0",
"name": "HashType",
"type": 2,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "ThreatIntelligenceIndicator\r\n| where TimeGenerated > ago(180d)\r\n| where isnotempty(FileHashValue )\r\n| distinct FileHashType",
"crossComponentResources": [
"{Workspace}"
],
"value": [
"value::all"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
]
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 1"
},
{
"type": 11,
"content": {
"version": "LinkItem/1.0",
"style": "tabs",
"links": [
{
"id": "82a6c876-22a4-4c80-a96c-41862e58f8b0",
"cellValue": "FileHashNav",
"linkTarget": "parameter",
"linkLabel": "IOCs",
"subTarget": "IOC",
"style": "link"
},
{
"id": "a62f4068-88e7-40ba-a2c4-779169446660",
"cellValue": "FileHashNav",
"linkTarget": "parameter",
"linkLabel": "{FileHashCustomTabName}",
"subTarget": "Custom",
"style": "link"
}
]
},
"name": "links - 4"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "ThreatIntelligenceIndicator\r\n| where TimeGenerated > ago(180d)\r\n| where FileHashValue =~ \"{FileHash}\"\r\n| where FileHashType in ({HashType})\r\n| summarize arg_max(TimeGenerated, Active) by IndicatorId, SourceSystem, Description, ThreatType, FileHashValue, FileHashType\r\n| project SourceSystem, Description, FileHashValue, FileHashType, ThreatType, Active",
"size": 0,
"title": "File Hash Threat Intelligence",
"noDataMessage": "No Threat Intelligence was found for the selected File Hash.",
"noDataMessageStyle": 3,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
]
},
"name": "query - 2"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityAlert\r\n| where TimeGenerated {TimeRange}\r\n| where Entities contains \"{FileHash}\"\r\n| project AlertSeverity, AlertName=DisplayName, ProviderName, AlertDetails=Entities, SystemAlertId",
"size": 0,
"title": "Related Alerts",
"noDataMessage": "No Security Alerts were found for the selected File Hash",
"noDataMessageStyle": 3,
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "AlertDetails",
"formatter": 7,
"formatOptions": {
"linkTarget": "GenericDetails",
"linkLabel": "View",
"linkIsContextBlade": true
}
},
{
"columnMatch": "SystemAlertId",
"formatter": 5
}
]
}
},
"customWidth": "50",
"name": "query - 2"
}
]
},
"conditionalVisibility": {
"parameterName": "FileHashNav",
"comparison": "isEqualTo",
"value": "IOC"
},
"name": "FileHashIOCGroup"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"loadType": "always",
"items": [
{
"type": 1,
"content": {
"json": "## To use this custom group, switch the group type from \"Editable\" to \"From Template\" and enter the ID of your custom workbook"
},
"name": "text - 0"
}
]
},
"conditionalVisibility": {
"parameterName": "FileHashNav",
"comparison": "isEqualTo",
"value": "Custom"
},
"name": "CustomGroupAccountHash"
}
]
},
"conditionalVisibility": {
"parameterName": "InvestigationType",
"comparison": "isEqualTo",
"value": "FileHash"
},
"name": "FileHashGroup"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "2c1b6b11-5831-4548-90f1-99ddf942a45a",
"version": "KqlParameterItem/1.0",
"name": "SearchString",
"type": 1,
"isRequired": true,
"value": "",
"timeContext": {
"durationMs": 86400000
}
},
{
"id": "dcb0013b-5235-4aa8-a1ad-5a693409af74",
"version": "KqlParameterItem/1.0",
"name": "IncludeString",
"type": 1,
"description": "This filter applies after the SearchString to include records that also contain this string value.",
"value": ""
},
{
"id": "ce0fde61-f7a3-46c6-8647-9cc7c2563af4",
"version": "KqlParameterItem/1.0",
"name": "ExcludeString",
"type": 1,
"description": "This filter applies after the SearchString to exclude records that also contain this string value."
},
{
"id": "4c157722-42dc-4ceb-97d4-7c772f287aba",
"version": "KqlParameterItem/1.0",
"name": "Table",
"type": 2,
"multiSelect": true,
"quote": "",
"delimiter": ",",
"query": "Usage\r\n| distinct DataType\r\n| sort by DataType asc",
"crossComponentResources": [
"{Workspace}"
],
"value": [
"value::all"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
]
},
"timeContext": {
"durationMs": 604800000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 1"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "search in ({Table}) \"{SearchString}\"\r\n| where * contains \"{IncludeString:label}\" or \"{IncludeString:label}\" == \"<unset>\"\r\n| where * !contains \"{ExcludeString:label}\" or \"{ExcludeString:label}\" == \"<unset>\"\r\n| summarize Count=count() by Type\r\n| sort by Count desc",
"size": 1,
"title": "Search Results by Table",
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"exportFieldName": "Type",
"exportParameterName": "SelectedTable",
"exportDefaultValue": "Usage",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "tiles",
"tileSettings": {
"showBorder": false,
"titleContent": {
"columnMatch": "Type",
"formatter": 1
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
}
},
"name": "query - 2"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "search in ({SelectedTable}) \"{SearchString}\"\r\n| where * contains \"{IncludeString:label}\" or \"{IncludeString:label}\" == \"<unset>\"\r\n| where * !contains \"{ExcludeString:label}\" or \"{ExcludeString:label}\" == \"<unset>\"\r\n| project-away TenantId, $table\r\n| sort by TimeGenerated desc",
"size": 0,
"showAnalytics": true,
"noDataMessage": "Select a tile to see detailed results.",
"noDataMessageStyle": 2,
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"sortBy": []
},
"name": "query - 0"
}
]
},
"conditionalVisibility": {
"parameterName": "InvestigationType",
"comparison": "isEqualTo",
"value": "Search"
},
"name": "Search"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"loadType": "always",
"items": [
{
"type": 1,
"content": {
"json": "## To use this custom group, switch the group type from \"Editable\" to \"From Template\" and enter the ID of your custom workbook"
},
"name": "text - 0"
}
]
},
"conditionalVisibility": {
"parameterName": "InvestigationType",
"comparison": "isEqualTo",
"value": "Custom"
},
"name": "CustomGroup"
}
],
"fallbackResourceIds": [
"azure monitor"
],
"fromTemplateId": "Community-Workbooks/Azure Sentinel - Workbooks/Investigation Insights",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}