
{
"version": "Notebook/1.0",
"items": [
{
"type": 1,
"content": {
"json": "## Microsoft Security Posture\r\n\r\nSecure score, regulatory compliance and recommendation data from Azure Security Center (queried through Azure Resource Graph for the selected Subscription), Microsoft 365 Secure Score, Microsoft Defender for Endpoint and Microsoft Cloud App Security.\r\n\r\nThe Microsoft 365 and Defender for Endpoint tabs read the custom log tables M365SecureScore_CL, M365SecureScoreControls_CL, MDfESecureScore_CL, MDfEExposureScore_CL, MDfERecommendations_CL and MDfEVulnerabilitiesList_CL; the Cloud App Security tab reads McasShadowItReporting. A tab stays empty until its tables are populated. Note that the recommendation and vulnerability grids always use the last 7 days, independent of the TimeRange selector.",
"style": "info"
},
"name": "text - 2"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"crossComponentResources": [
"value::selected"
],
"parameters": [
{
"id": "3218e2b0-1bcc-46d4-affa-d298e0cf90f6",
"version": "KqlParameterItem/1.0",
"name": "DefaultSubscription_Internal",
"type": 1,
"isRequired": true,
"query": "where type =~ 'microsoft.operationalinsights/workspaces'\r\n| take 1\r\n| project subscriptionId",
"crossComponentResources": [
"value::selected"
],
"isHiddenWhenLocked": true,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
},
{
"id": "e6ded9a1-a83c-4762-938d-5bf8ff3d3d38",
"version": "KqlParameterItem/1.0",
"name": "Subscription",
"type": 6,
"isRequired": true,
"query": "summarize by subscriptionId\r\n| project value = strcat(\"/subscriptions/\", subscriptionId), label = subscriptionId, selected = iff(subscriptionId =~ '{DefaultSubscription_Internal}', true, false)",
"crossComponentResources": [
"value::selected"
],
"typeSettings": {
"additionalResourceOptions": []
},
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
}
],
"style": "pills",
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
},
"customWidth": "33",
"name": "parameters - 10"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "befbf593-c171-4129-b890-7e642265ed0c",
"version": "KqlParameterItem/1.0",
"name": "TimeRange",
"type": 4,
"isRequired": true,
"value": {
"durationMs": 2592000000
},
"typeSettings": {
"selectableValues": [
{
"durationMs": 300000
},
{
"durationMs": 900000
},
{
"durationMs": 1800000
},
{
"durationMs": 3600000
},
{
"durationMs": 14400000
},
{
"durationMs": 43200000
},
{
"durationMs": 86400000
},
{
"durationMs": 172800000
},
{
"durationMs": 259200000
},
{
"durationMs": 604800000
},
{
"durationMs": 1209600000
},
{
"durationMs": 2419200000
},
{
"durationMs": 2592000000
},
{
"durationMs": 5184000000
},
{
"durationMs": 7776000000
}
]
}
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"customWidth": "50",
"name": "parameters - 8"
},
{
"type": 11,
"content": {
"version": "LinkItem/1.0",
"style": "tabs",
"links": [
{
"id": "d4aa2831-0ab8-4977-a80e-359420e7d5f7",
"cellValue": "Tab",
"linkTarget": "parameter",
"linkLabel": "Azure Security Center",
"subTarget": "ASC",
"style": "link"
},
{
"id": "797538b2-ca75-48ad-85b2-e12d9d59fb08",
"cellValue": "Tab",
"linkTarget": "parameter",
"linkLabel": "Microsoft 365",
"subTarget": "M365",
"style": "link"
},
{
"id": "d4f75516-6286-4660-8294-395da6b9c29a",
"cellValue": "Tab",
"linkTarget": "parameter",
"linkLabel": "Defender for Endpoint",
"subTarget": "D4E",
"style": "link"
},
{
"id": "96141225-a0ad-43ca-bf96-e701c64318ce",
"cellValue": "Tab",
"linkTarget": "parameter",
"linkLabel": "Microsoft Cloud App Security",
"subTarget": "MCAS",
"style": "link"
}
]
},
"name": "links - 6"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityResources \r\n| where type == 'microsoft.security/securescores'\r\n| extend Name = properties.displayName, CurrentScore = properties.score.current, MaximumScore = properties.score.max, Percentage1 = todouble(properties.score.percentage)\r\n| project Name, CurrentScore, MaximumScore, Percentage = round(Percentage1*100,2), subscriptionId",
"size": 4,
"aggregation": 5,
"title": "Azure Security Center Secure Score",
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
"crossComponentResources": [
"{Subscription}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "Percentage",
"formatter": 0,
"numberFormat": {
"unit": 1,
"options": {
"style": "decimal",
"useGrouping": false
}
}
}
]
}
},
"name": "query - 6"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityResources \r\n| where type == 'microsoft.security/securescores/securescorecontrols'\r\n| extend SecureControl = properties.displayName, unhealthy = properties.unhealthyResourceCount, currentscore = properties.score.current, maxscore = properties.score.max\r\n| where maxscore != 0\r\n| project SecureControl , unhealthy, currentscore, maxscore",
"size": 0,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
"crossComponentResources": [
"{Subscription}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "SecureControl",
"formatter": 1
},
{
"columnMatch": "unhealthy",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "colors",
"thresholdsGrid": [
{
"operator": "!=",
"thresholdValue": "0",
"representation": "redBright",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "0",
"representation": "greenDark",
"text": "{0}{1}"
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "blue",
"text": "{0}{1}"
}
]
}
},
{
"columnMatch": "currentscore",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "colors",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "0",
"representation": "redBright",
"text": "{0}{1}"
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "greenDark",
"text": "{0}{1}"
}
]
}
},
{
"columnMatch": "maxscore",
"formatter": 1
}
]
}
},
"name": "query - 1"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "securityresources\r\n| where type == \"microsoft.security/regulatorycompliancestandards\"\r\n| extend \r\n\tpassedControls = trim (' ', tostring(properties.passedControls)), \r\n\tfailedControls = trim(' ',tostring(properties.failedControls)), \r\n\tstate \t\t = trim(' ', tostring(properties.state)), \r\n\tunsupportedControls = trim(' ', tostring(properties.unsupportedControls)), \r\n\tskippedControls = trim(' ', tostring(properties.skippedControls))\r\n| project name, passedControls, failedControls, unsupportedControls, skippedControls , subscriptionId\r\n| order by passedControls desc",
"size": 1,
"title": "Regulatory compliance",
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
"crossComponentResources": [
"{Subscription}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "passedControls",
"formatter": 3,
"formatOptions": {
"palette": "greenDark"
}
},
{
"columnMatch": "failedControls",
"formatter": 3,
"formatOptions": {
"palette": "redBright"
}
},
{
"columnMatch": "unsupportedControls",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "colors",
"thresholdsGrid": [
{
"operator": "Default",
"thresholdValue": null,
"representation": "blue",
"text": "{0}{1}"
}
],
"compositeBarSettings": {
"labelText": "",
"columnSettings": []
}
}
},
{
"columnMatch": "skippedControls",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "colors",
"thresholdsGrid": [
{
"operator": "Default",
"thresholdValue": null,
"representation": "gray",
"text": "{0}{1}"
}
]
}
}
]
}
},
"name": "query - 2"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"crossComponentResources": [
"{Subscription}"
],
"parameters": [
{
"id": "bc9db514-ebcc-4e47-bf23-a0dfe8cb1594",
"version": "KqlParameterItem/1.0",
"name": "SelectCompliance",
"label": "Control",
"type": 2,
"isRequired": true,
"query": "securityresources\r\n| where type == \"microsoft.security/regulatorycompliancestandards\"\r\n| project name\r\n",
"crossComponentResources": [
"{Subscription}"
],
"value": "Azure-Security-Benchmark",
"typeSettings": {
"additionalResourceOptions": [
"value::1"
],
"showDefault": false
},
"timeContext": {
"durationMs": 86400000
},
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
},
{
"id": "385b8e2e-be15-416d-8ed0-730f6dd34737",
"version": "KqlParameterItem/1.0",
"name": "selectState",
"label": "State",
"type": 2,
"isRequired": true,
"query": "securityresources\r\n| where type == \"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\"\r\n | extend state \t\t = trim(' ', tostring(properties.state))\r\n| summarize by state",
"crossComponentResources": [
"{Subscription}"
],
"value": "Failed",
"typeSettings": {
"additionalResourceOptions": [
"value::1"
]
},
"timeContext": {
"durationMs": 86400000
},
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
}
],
"style": "pills",
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
},
"name": "parameters - 5"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "securityresources\r\n| where type == \"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\"\r\n| parse id with *\"/regulatoryComplianceStandards/\" strControlName \"/regulatory\"*\r\n| extend state = trim(' ', tostring(properties.state)), description = trim(' ', tostring(properties.description))\r\n| where strControlName startswith '{SelectCompliance}'\r\n// Filter on the control's real state so the Status column and its colour thresholds reflect the data, not the selector value; an empty selection shows every state\r\n| where isempty('{selectState}') or state =~ '{selectState}'\r\n| summarize by ControlName = strControlName, name, Status = state, description",
"size": 0,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
"crossComponentResources": [
"{Subscription}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "Status",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "colors",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "Passed",
"representation": "greenDark",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Failed",
"representation": "redBright",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Skipped",
"representation": "gray",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Unsupported",
"representation": "blue",
"text": "{0}{1}"
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "blue",
"text": "{0}{1}"
}
]
}
}
]
}
},
"name": "query - 3"
}
]
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "ASC"
},
"name": "ASC"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "M365SecureScore_CL \r\n| extend ActiveUsers=activeUserCount_d, \r\n CurrentScore=currentScore_d, \r\n MaximumScore=maxScore_d, \r\n TenantID=azureTenantId_g \r\n| summarize by round(CurrentScore), bin(TimeGenerated, 1d)",
"size": 0,
"aggregation": 5,
"timeContext": {
"durationMs": 2419200000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "timechart",
"tileSettings": {
"showBorder": false
},
"graphSettings": {
"type": 0
}
},
"name": "query - 2"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "M365SecureScore_CL \r\n| project TimeGenerated, \r\n ActiveUsers=activeUserCount_d, \r\n CurrentScore=currentScore_d, \r\n MaximumScore=maxScore_d, \r\n TenantID=azureTenantId_g \r\n| sort by TimeGenerated desc",
"size": 1,
"title": "Microsoft 365 Secure Score",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "query - 2",
"styleSettings": {
"showBorder": true
}
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "7c67a766-4287-4a07-a256-4ef237151489",
"version": "KqlParameterItem/1.0",
"name": "Category",
"type": 5,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "M365SecureScoreControls_CL \r\n| project RecommendationCategory=controlCategory_s \r\n| distinct RecommendationCategory",
"value": [
"value::all"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
],
"showDefault": false
},
"timeContext": {
"durationMs": 2419200000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
}
],
"style": "above",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 4"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "M365SecureScoreControls_CL \r\n| where TimeGenerated >= ago(7d) \r\n| extend RecommendationCategory=controlCategory_s \r\n| where RecommendationCategory in ({Category}) \r\n| project RecommendationCategory, \r\n ControlName=controlName_s, \r\n Recommendation=description_s, \r\n ImplementationStatus=implementationStatus_s",
"size": 1,
"title": "Microsoft 365 Secure Score Recommendations",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "query - 5",
"styleSettings": {
"showBorder": true
}
}
]
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "M365"
},
"name": "M365"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "MDfESecureScore_CL \r\n| summarize by SecureScore=score_d, bin(TimeGenerated, 1d)\r\n| union ( MDfEExposureScore_CL\r\n| summarize by ExposureScore=round(score_d), bin(TimeGenerated, 1d))",
"size": 0,
"aggregation": 5,
"timeContext": {
"durationMs": 2419200000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "timechart"
},
"name": "query - 4"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "MDfESecureScore_CL \r\n| project TimeGenerated, CurrentScore=score_d\r\n| sort by TimeGenerated desc",
"size": 1,
"title": "Microsoft Defender for Endpoint Secure Score",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"customWidth": "50",
"name": "query - 3",
"styleSettings": {
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "MDfEExposureScore_CL\r\n| project TimeGenerated, CurrentScore=round(score_d)\r\n| sort by TimeGenerated desc",
"size": 1,
"title": "Microsoft Defender for Endpoint Exposure Score",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"customWidth": "50",
"name": "query - 4",
"styleSettings": {
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "MDfERecommendations_CL \r\n| where TimeGenerated >= ago(7d)\r\n| project TimeGenerated, Vendor=vendor_s, ProductName=relatedComponent_s, RecommendationName=recommendationName_s, \r\n Weaknesses=weaknesses_d, PublicExploit=publicExploit_b, ConfigScoreImpact=configScoreImpact_d, \r\n ExposureScoreImpact=round(exposureImpact_d), NumberOfExposedMachines=exposedMachinesCount_d, \r\n TotalNumberOfMachines=totalMachineCount_d, RecommendationCategory=recommendationCategory_s, \r\n SubCategory=subCategory_s, RemediationType=remediationType_s",
"size": 0,
"title": "Microsoft Defender for Endpoint Recommendations",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "PublicExploit",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "colors",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "True",
"representation": "redBright",
"text": "True"
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "blue",
"text": "{0}{1}"
}
]
}
}
],
"sortBy": [
{
"itemKey": "TimeGenerated",
"sortOrder": 1
}
]
},
"sortBy": [
{
"itemKey": "TimeGenerated",
"sortOrder": 1
}
]
},
"name": "query - 2"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "MDfEVulnerabilitiesList_CL\r\n| where isnotempty(name_s) and exposedMachines_d > 0 \r\n| where TimeGenerated > ago(7d)\r\n| project Name=name_s, Description=description_s, Severity=severity_s, ExposedMachines=exposedMachines_d, CVSS=cvssV3_d,\r\n PublicExploit=publicExploit_b, ExploitVerified=exploitVerified_b, ExploitType=exploitTypes_s, ExploitURL=exploitUris_s, \r\n PublishedOn=publishedOn_t, UpdatedOn=updatedOn_t",
"size": 0,
"title": "Microsoft Defender for Endpoint Vulnerabilities",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "Severity",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "colors",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "High",
"representation": "redBright",
"text": "High"
},
{
"operator": "==",
"thresholdValue": "Medium",
"representation": "yellow",
"text": "Medium"
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "blue",
"text": "{0}{1}"
}
]
}
},
{
"columnMatch": "PublicExploit",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "colors",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "True",
"representation": "redBright",
"text": "True"
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "blue",
"text": "{0}{1}"
}
]
}
},
{
"columnMatch": "ExploitVerified",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "colors",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "True",
"representation": "redBright",
"text": "True"
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "blue",
"text": "{0}{1}"
}
]
}
}
]
}
},
"name": "query - 3"
}
]
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "D4E"
},
"name": "D4E"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "McasShadowItReporting\r\n| summarize count() by AppName, AppCategory, tostring(AppTags), AppScore\r\n| order by AppScore asc",
"size": 0,
"title": "Microsoft Cloud App Security - Detected Applications",
"timeContext": {
"durationMs": 1209600000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "AppTags",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "colors",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "[]",
"representation": "yellow",
"text": "uncategorized"
},
{
"operator": "==",
"thresholdValue": "[\"unsanctioned\"]",
"representation": "redBright",
"text": "unsanctioned"
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "blue",
"text": "{0}{1}"
}
]
}
},
{
"columnMatch": "AppScore",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "colors",
"thresholdsGrid": [
{
"operator": "<=",
"thresholdValue": "7",
"representation": "redBright",
"text": "{0}{1}"
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "blue",
"text": "{0}{1}"
}
]
}
}
]
}
},
"name": "query - 0"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "McasShadowItReporting\r\n| summarize avg(AppScore) by TimeGenerated\r\n| project AverageAppScore = round(avg_AppScore, 2), format_datetime(TimeGenerated, \"yyyy-MM-dd\")\r\n| sort by TimeGenerated asc",
"size": 0,
"title": "Daily Average App Score",
"timeContext": {
"durationMs": 1209600000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "barchart",
"tileSettings": {
"showBorder": false,
"titleContent": {
"columnMatch": "TimeGenerated",
"formatter": 1
},
"leftContent": {
"columnMatch": "AverageAppScore",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
},
"graphSettings": {
"type": 0,
"topContent": {
"columnMatch": "TimeGenerated",
"formatter": 1
},
"centerContent": {
"columnMatch": "AverageAppScore",
"formatter": 1,
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
}
},
"name": "query - 1"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "McasShadowItReporting\r\n| summarize by AppId, AppScore, bin(TimeGenerated, 1d)",
"size": 0,
"aggregation": 5,
"timeContext": {
"durationMs": 1209600000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "timechart"
},
"name": "query - 2"
}
]
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "MCAS"
},
"name": "group - 6"
}
],
"fallbackResourceIds": [
"{Subscription}"
],
"styleSettings": {},
"fromTemplateId": "M365-SecurityPosture",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}