Azure-Sentinel/Workbooks/NormalizedNetworkEvents.json


{
"version": "Notebook/1.0",
"items": [
{
"type": 1,
"content": {
"json": "## Networking events (Normalized Networking table v1.0.0)\n\nThis workbook displays networking information from network appliances whose parsers feed the normalized networking table in Sentinel.\nTo learn more about normalization in Sentinel, please visit the [Sentinel normalization documentation](https://aka.ms/sentinelnormalizationdocs)"
},
"name": "text - 2"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "64649b80-6857-4779-a918-bf69a5968ade",
"version": "KqlParameterItem/1.0",
"name": "TimeRange",
"type": 4,
"isRequired": true,
"value": {
"durationMs": 604800000
},
"typeSettings": {
"selectableValues": [
{
"durationMs": 300000
},
{
"durationMs": 900000
},
{
"durationMs": 1800000
},
{
"durationMs": 3600000
},
{
"durationMs": 14400000
},
{
"durationMs": 43200000
},
{
"durationMs": 86400000
},
{
"durationMs": 172800000
},
{
"durationMs": 259200000
},
{
"durationMs": 604800000
},
{
"durationMs": 1209600000
},
{
"durationMs": 2419200000
},
{
"durationMs": 2592000000
},
{
"durationMs": 5184000000
},
{
"durationMs": 7776000000
}
],
"allowCustom": true
}
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 1"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let data = Network_MetaParser;\r\ndata\r\n| summarize Count = count() by EventVendor\r\n| join kind = inner\r\n(\r\n data\r\n | make-series Trend = count() default = 0 on TimeGenerated from ago(30d) to now() step 1d by EventVendor) on EventVendor\r\n | project-away EventVendor1, TimeGenerated\r\n | extend EventVendors = EventVendor\r\n | union ( data\r\n | summarize Count = count()\r\n | extend jkey = 1\r\n | join kind=inner\r\n (\r\n data\r\n | make-series Trend = count() default = 0 on TimeGenerated from ago(30d) to now() step 1d\r\n | extend jkey = 1\r\n )\r\n on jkey\r\n | extend EventVendor = 'All', EventVendors = '*' )\r\n | order by Count desc\r\n | take 10",
"size": 4,
"title": "Networking events, by device vendor",
"timeContext": {
"durationMs": 604800000
},
"timeContextFromParameter": "TimeRange",
"exportFieldName": "EventVendor",
"exportParameterName": "ReportingDeviceVendors",
"exportDefaultValue": "All",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"tileSettings": {
"titleContent": {
"columnMatch": "EventVendor",
"formatter": 1,
"formatOptions": {}
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
},
"secondaryContent": {
"columnMatch": "Trend",
"formatter": 21,
"formatOptions": {
"min": 0,
"palette": "blue"
}
},
"showBorder": false
}
},
"name": "query - 2"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Network_MetaParser\r\n| where EventVendor == '{ReportingDeviceVendors}' or '{ReportingDeviceVendors}' == \"All\"\r\n| make-series count() on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by DvcAction\r\n",
"size": 0,
"title": "Device actions over time",
"timeContext": {
"durationMs": 604800000
},
"timeContextFromParameter": "TimeRange",
"timeBrushParameterName": "TimeBrush",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "timechart"
},
"customWidth": "50",
"name": "query - 5 - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let data = Network_MetaParser\r\n| where EventVendor == '{ReportingDeviceVendors}' or '{ReportingDeviceVendors}' == \"All\";\r\nlet countryData = data\r\n| summarize TotalCount = count() by EventVendor\r\n| join kind=inner\r\n(\r\n data\r\n | make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by EventVendor\r\n | project-away TimeGenerated\r\n)\r\non EventVendor\r\n| project EventVendor, TotalCount, Trend\r\n| order by TotalCount desc, EventVendor asc;\r\ndata\r\n| summarize TotalCount = count() by EventVendor, EventProduct\r\n| join kind=inner\r\n(\r\n data \r\n | make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by EventVendor, EventProduct\r\n | project-away TimeGenerated\r\n)\r\non EventVendor, EventProduct\r\n| order by TotalCount desc, EventVendor asc\r\n| project EventVendor, EventProduct,TotalCount, Trend\r\n| join kind=inner\r\n(\r\n countryData\r\n)\r\non EventVendor\r\n| project Id = EventProduct, Name = EventProduct, Type = 'Device Product', TotalCount, Trend, ParentId = EventVendor\r\n| union (countryData\r\n| project Id = EventVendor, Name = EventVendor, Type = 'Device Vendor', TotalCount, Trend, ParentId = 'root')\r\n| order by TotalCount desc, Name asc\r\n",
"size": 0,
"showAnalytics": true,
"title": "Events by device vendor and product",
"timeContext": {
"durationMs": 86400000
},
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table",
"showExpandCollapseGrid": true,
"gridSettings": {
"formatters": [
{
"columnMatch": "Id",
"formatter": 5,
"formatOptions": {}
},
{
"columnMatch": "TotalCount",
"formatter": 3,
"formatOptions": {
"min": 0,
"palette": "blue",
"aggregation": "Sum"
}
},
{
"columnMatch": "Trend",
"formatter": 9,
"formatOptions": {
"min": 0,
"palette": "purple"
}
},
{
"columnMatch": "ParentId",
"formatter": 5,
"formatOptions": {}
}
],
"hierarchySettings": {
"idColumn": "Id",
"parentColumn": "ParentId",
"treeType": 0,
"expanderColumn": "Name"
}
}
},
"customWidth": "50",
"name": "query - 5 - Copy - Copy"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "Generic information - click on the items to filter the data",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Network_MetaParser\r\n| where EventVendor == '{ReportingDeviceVendors}' or '{ReportingDeviceVendors}' == \"All\"\r\n| where SrcIpAddr != \"\"\r\n| summarize Count = count() by SourceIP = SrcIpAddr\r\n| order by Count",
"size": 0,
"showAnalytics": true,
"title": "Source IP addresses",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeBrush",
"exportFieldName": "SourceIP",
"exportParameterName": "SourceIP",
"exportDefaultValue": "All",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "Count",
"formatter": 8,
"formatOptions": {
"min": 0,
"palette": "blueOrange"
}
}
],
"rowLimit": 10000,
"filter": true
}
},
"customWidth": "25",
"name": "query - 3"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Network_MetaParser\r\n| where \"All\" == '{SourceIP}' or SrcIpAddr == '{SourceIP}'\r\n| where EventVendor == '{ReportingDeviceVendors}' or '{ReportingDeviceVendors}' == \"All\"\r\n| where SrcIpAddr != \"\"\r\n| summarize Count = count() by DestinationIP = DstIpAddr\r\n| order by Count",
"size": 0,
"showAnalytics": true,
"title": "Destination IP addresses",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeBrush",
"exportFieldName": "DestinationIP",
"exportParameterName": "DestinationIP",
"exportDefaultValue": "All",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "Count",
"formatter": 8,
"formatOptions": {
"min": 0,
"palette": "blueOrange"
}
}
],
"rowLimit": 10000,
"filter": true
}
},
"customWidth": "25",
"name": "query - 3 - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Network_MetaParser\r\n| where \"All\" == '{SourceIP}' or SrcIpAddr == '{SourceIP}'\r\n| where \"All\" == '{DestinationIP}' or DstIpAddr == '{DestinationIP}'\r\n| where EventVendor == '{ReportingDeviceVendors}' or '{ReportingDeviceVendors}' == \"All\"\r\n| where SrcIpAddr != \"\"\r\n| summarize Count = count() by DestinationPort = DstPortNumber\r\n| order by Count",
"size": 0,
"showAnalytics": true,
"title": "Destination port",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeBrush",
"exportFieldName": "DestinationPort",
"exportParameterName": "DestinationPort",
"exportDefaultValue": "All",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "Count",
"formatter": 8,
"formatOptions": {
"min": 0,
"palette": "blueOrange"
}
}
],
"rowLimit": 10000,
"filter": true
}
},
"customWidth": "25",
"name": "query - 3 - Copy - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Network_MetaParser\r\n| where \"All\" == '{SourceIP}' or SrcIpAddr == '{SourceIP}'\r\n| where \"All\" == '{DestinationIP}' or DstIpAddr == '{DestinationIP}'\r\n| where EventVendor == '{ReportingDeviceVendors}' or '{ReportingDeviceVendors}' == \"All\"\r\n| where \"All\" == '{DestinationPort}' or DstPortNumber == '{DestinationPort}'\r\n| where SrcIpAddr != \"\"\r\n| summarize Count = count() by ApplicationLayerProtocol = NetworkApplicationProtocol\r\n| order by Count",
"size": 0,
"showAnalytics": true,
"title": "Application protocol",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeBrush",
"exportFieldName": "ApplicationLayerProtocol",
"exportParameterName": "ApplicationLayerProtocol",
"exportDefaultValue": "All",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "Count",
"formatter": 8,
"formatOptions": {
"min": 0,
"palette": "blueOrange"
}
}
],
"rowLimit": 10000,
"filter": true
}
},
"customWidth": "25",
"name": "Application protocol"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Network_MetaParser\r\n| where \"All\" == '{SourceIP}' or SrcIpAddr == '{SourceIP}'\r\n| where \"All\" == '{DestinationIP}' or DstIpAddr == '{DestinationIP}'\r\n| where EventVendor == '{ReportingDeviceVendors}' or '{ReportingDeviceVendors}' == \"All\"\r\n| where \"All\" == '{DestinationPort}' or DstPortNumber == '{DestinationPort}'\r\n| where \"All\" == '{ApplicationLayerProtocol}' or NetworkApplicationProtocol == '{ApplicationLayerProtocol}'\r\n| summarize Count = count() by ReportingDeviceVendor = EventVendor, SourceIP = SrcIpAddr, DestinationIP = DstIpAddr, DestinationPort = DstPortNumber, ApplicationLayerProtocol = NetworkApplicationProtocol, NetworkProtocol = NetworkProtocol, DeviceAction = DvcAction\r\n| order by Count",
"size": 0,
"showAnalytics": true,
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeBrush",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "Count",
"formatter": 4,
"formatOptions": {
"min": 0,
"palette": "blue"
}
}
],
"rowLimit": 10000,
"filter": true
},
"sortBy": []
},
"name": "query - 3 - Copy"
}
]
},
"name": "Generic Filters"
}
],
"fromTemplateId": "sentinel-NetworkNormalization",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}