1235 строки
41 KiB
JSON
1235 строки
41 KiB
JSON
{
|
|
"version": "Notebook/1.0",
|
|
"items": [{
|
|
"type": 11,
|
|
"content": {
|
|
"version": "LinkItem/1.0",
|
|
"style": "tabs",
|
|
"links": [{
|
|
"id": "ed7c208b-4c5c-42df-9682-84e58d3dd306",
|
|
"cellValue": "tab",
|
|
"linkTarget": "parameter",
|
|
"linkLabel": "ProofPoint Global Email Statistics",
|
|
"subTarget": "pp_email_summary",
|
|
"preText": "ProofPoint Global Email Statistics",
|
|
"style": "link"
|
|
},
|
|
{
|
|
"id": "a0ebd655-dbe4-4267-98d3-2fceafbe04f2",
|
|
"cellValue": "tab",
|
|
"linkTarget": "parameter",
|
|
"linkLabel": "ProofPoint TAP Message Insights",
|
|
"subTarget": "pp_tap",
|
|
"style": "link"
|
|
},
|
|
{
|
|
"id": "47438e06-3d8d-4620-ad72-4c3b39e2efc0",
|
|
"cellValue": "tab",
|
|
"linkTarget": "parameter",
|
|
"linkLabel": "ProofPoint TAP Clicks Insights",
|
|
"subTarget": "pp_tapclicks",
|
|
"style": "link"
|
|
},
|
|
{
|
|
"id": "8b084f62-2a3a-46d8-8b63-eb095c8a990f",
|
|
"cellValue": "tab",
|
|
"linkTarget": "parameter",
|
|
"linkLabel": "ProofPoint User Lookup",
|
|
"subTarget": "pp_userlookup",
|
|
"style": "link"
|
|
},
|
|
{
|
|
"id": "215faaf3-51c4-460d-be69-fee958c2b98c",
|
|
"cellValue": "tab",
|
|
"linkTarget": "parameter",
|
|
"linkLabel": "ProofPoint Log Overview",
|
|
"subTarget": "pp_logs",
|
|
"style": "link"
|
|
}
|
|
]
|
|
},
|
|
"name": "tab"
|
|
},
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"items": [{
|
|
"type": 9,
|
|
"content": {
|
|
"version": "KqlParameterItem/1.0",
|
|
"parameters": [{
|
|
"id": "04038fa3-af96-49d0-87a3-1948072729d7",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "TimeRange",
|
|
"label": "Time Range",
|
|
"type": 4,
|
|
"value": {
|
|
"durationMs": 2592000000
|
|
},
|
|
"typeSettings": {
|
|
"selectableValues": [{
|
|
"durationMs": 43200000
|
|
},
|
|
{
|
|
"durationMs": 86400000
|
|
},
|
|
{
|
|
"durationMs": 172800000
|
|
},
|
|
{
|
|
"durationMs": 259200000
|
|
},
|
|
{
|
|
"durationMs": 604800000
|
|
},
|
|
{
|
|
"durationMs": 1209600000
|
|
},
|
|
{
|
|
"durationMs": 2419200000
|
|
},
|
|
{
|
|
"durationMs": 2592000000
|
|
},
|
|
{
|
|
"durationMs": 5184000000
|
|
},
|
|
{
|
|
"durationMs": 7776000000
|
|
}
|
|
]
|
|
},
|
|
"timeContext": {
|
|
"durationMs": 86400000
|
|
}
|
|
}],
|
|
"style": "pills",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
"customWidth": "20",
|
|
"name": "parameters - 2",
|
|
"styleSettings": {
|
|
"maxWidth": "20"
|
|
}
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "ProofpointPOD\r\n| where TimeGenerated {TimeRange}\r\n| where EventType == \"message\" \r\n| summarize TotalEmails=countif(isempty(FilterDisposition) or isempty(FilterQuarantineFolder)),RejectedEmails=countif(FilterDisposition == \"discard\" or FilterDisposition == \"reject\"), QuarantinedEmails=countif(isnotempty(FilterQuarantineFolder)) by bin(TimeGenerated, 8h)",
|
|
"size": 1,
|
|
"showAnalytics": true,
|
|
"title": "Total Email Received (Time Brush enabled)",
|
|
"timeBrushParameterName": "timeBrushPeriod",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "categoricalbar"
|
|
},
|
|
"name": "query - 1"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "let email_security_total_messages_processed =\r\nProofpointPOD\r\n| where EventType == \"message\"\r\n| where TimeGenerated {timeBrushPeriod} \r\n| summarize Count=dcount(MsgHeaderMessageId) \r\n| extend title=\"Total Messages Processed\";\r\n\r\nlet email_security_inbound_messages_processed =\r\nProofpointPOD\r\n| where EventType == \"message\"\r\n| where TimeGenerated {timeBrushPeriod} \r\n| where NetworkDirection == \"inbound\"\r\n| summarize Count=dcount(MsgHeaderMessageId) \r\n| extend title=\"Inbound Messages Processed\";\r\n\r\nlet email_security_outbound_messages_processed =\r\nProofpointPOD\r\n| where EventType == \"message\"\r\n| where TimeGenerated {timeBrushPeriod} \r\n| where NetworkDirection == \"outbound\"\r\n| summarize Count=dcount(MsgHeaderMessageId) \r\n| extend title=\"Outbound Messages Processed\";\r\n\r\nlet email_security_total_blocked_messages =\r\nProofpointPOD\r\n| where EventType == \"message\" \r\n| where TimeGenerated {timeBrushPeriod}\r\n| where FilterDisposition == \"discard\" or FilterDisposition == \"reject\"\r\n| summarize Count=dcount(MsgHeaderMessageId) \r\n| extend title=\"Total Blocked Messages\";\r\n\r\nlet email_security_total_quarantined_messages = \r\nProofpointPOD\r\n| where EventType == \"message\"\r\n| where TimeGenerated {timeBrushPeriod}\r\n| where isnotempty(FilterQuarantineFolder)\r\n| summarize Count=dcount(MsgHeaderMessageId) \r\n| extend title = \"Quarantined Messages\";\r\n\r\nlet email_security_result_table = union email_security_total_messages_processed, email_security_inbound_messages_processed,email_security_outbound_messages_processed,email_security_total_blocked_messages,email_security_total_quarantined_messages; \r\nemail_security_result_table \r\n| sort by Count",
|
|
"size": 4,
|
|
"title": "Total Email Processed",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "tiles",
|
|
"tileSettings": {
|
|
"showBorder": false,
|
|
"titleContent": {
|
|
"columnMatch": "title",
|
|
"formatter": 1
|
|
},
|
|
"leftContent": {
|
|
"columnMatch": "Count",
|
|
"formatter": 12,
|
|
"formatOptions": {
|
|
"palette": "auto"
|
|
},
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"name": "query - 4"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "ProofpointPOD\r\n| where EventType == \"message\"\r\n| where TimeGenerated {timeBrushPeriod} \r\n| where isnotempty(FilterModulesSpamTriggeredClassifier)\r\n| summarize Count = dcount(MsgNormalizedHeaderMessageId) by FilterModulesSpamTriggeredClassifier",
|
|
"size": 3,
|
|
"title": "Top AntiSpam Results",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "piechart"
|
|
},
|
|
"customWidth": "33",
|
|
"name": "query - 1"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "ProofpointPOD\r\n| where EventType == \"message\"\r\n| where TimeGenerated {timeBrushPeriod} \r\n| where isnotempty(FilterQuarantineRule)\r\n| summarize Count = dcount(MsgNormalizedHeaderMessageId) by FilterQuarantineRule",
|
|
"size": 3,
|
|
"title": "Quarantine Rules Hits",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "piechart"
|
|
},
|
|
"customWidth": "33",
|
|
"name": "query - 2",
|
|
"styleSettings": {
|
|
"margin": "35"
|
|
}
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "ProofpointPOD\r\n| where EventType == \"message\"\r\n| where NetworkDirection == \"inbound\"\r\n| where TimeGenerated {timeBrushPeriod}\r\n| where isnotempty(SrcGeoCountry) and SrcGeoCountry != \"**\"\r\n| summarize Country=count()by SrcGeoCountry\r\n| sort by Country desc\r\n| take 5\r\n| render piechart ",
|
|
"size": 3,
|
|
"title": "Top countries sending email",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
"customWidth": "33",
|
|
"name": "query - 7"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "ProofpointPOD\r\n| where EventType == \"message\"\r\n| where FilterDisposition == \"discard\" or FilterDisposition == \"reject\" or isnotempty(FilterQuarantineFolder)\r\n| where TimeGenerated {timeBrushPeriod} \r\n| extend Recipient = todynamic(DstUserUpn) \r\n| mv-expand Recipient\r\n| summarize Count = dcount(MsgNormalizedHeaderMessageId) by tostring(Recipient) | top 10 by Count",
|
|
"size": 0,
|
|
"title": "Recipients with most blocked messages",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"gridSettings": {
|
|
"formatters": [{
|
|
"columnMatch": "Count",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "magenta"
|
|
}
|
|
}]
|
|
}
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 5"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "ProofpointPOD\r\n| where EventType == \"message\"\r\n| where TimeGenerated {timeBrushPeriod} \r\n| extend Sender = todynamic(SrcUserUpn) \r\n| mv-expand Sender\r\n| where isnotempty(Sender)\r\n| summarize Count = dcount(MsgNormalizedHeaderMessageId) by tostring(Sender) | top 10 by Count",
|
|
"size": 0,
|
|
"title": "Top 10 accounts sending email",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"gridSettings": {
|
|
"formatters": [{
|
|
"columnMatch": "Count",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "blue"
|
|
}
|
|
}]
|
|
}
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 6"
|
|
}
|
|
]
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "tab",
|
|
"comparison": "isEqualTo",
|
|
"value": "pp_email_summary"
|
|
},
|
|
"name": "Email"
|
|
},
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"items": [{
|
|
"type": 9,
|
|
"content": {
|
|
"version": "KqlParameterItem/1.0",
|
|
"parameters": [{
|
|
"id": "ac23d6d4-b80a-4c2f-864b-04c0daf20a2b",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "TimeRange",
|
|
"label": "Time Range",
|
|
"type": 4,
|
|
"value": {
|
|
"durationMs": 2592000000
|
|
},
|
|
"typeSettings": {
|
|
"selectableValues": [{
|
|
"durationMs": 3600000
|
|
},
|
|
{
|
|
"durationMs": 14400000
|
|
},
|
|
{
|
|
"durationMs": 43200000
|
|
},
|
|
{
|
|
"durationMs": 86400000
|
|
},
|
|
{
|
|
"durationMs": 172800000
|
|
},
|
|
{
|
|
"durationMs": 259200000
|
|
},
|
|
{
|
|
"durationMs": 604800000
|
|
},
|
|
{
|
|
"durationMs": 1209600000
|
|
},
|
|
{
|
|
"durationMs": 2419200000
|
|
},
|
|
{
|
|
"durationMs": 2592000000
|
|
},
|
|
{
|
|
"durationMs": 5184000000
|
|
},
|
|
{
|
|
"durationMs": 7776000000
|
|
}
|
|
]
|
|
},
|
|
"timeContext": {
|
|
"durationMs": 86400000
|
|
}
|
|
}],
|
|
"style": "pills",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
"customWidth": "20",
|
|
"name": "parameters - 1"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "union ProofPointTAPMessagesBlocked_CL, ProofPointTAPMessagesDelivered_CL\r\n| where TimeGenerated {TimeRange}\r\n| mv-expand todynamic(threatsInfoMap_s)\r\n| extend classification = tostring(threatsInfoMap_s.classification)\r\n| extend threatType_ = tostring(threatsInfoMap_s.threatType)\r\n| where isnotempty(classification)\r\n| where isnotempty(threatType_)\r\n| summarize phish = countif(classification == 'phish'), malware = countif(classification == \"malware\"), impostor = countif(classification == \"impostor\"), spam = countif(classification == \"spam\") by bin(TimeGenerated, 8h)",
|
|
"size": 1,
|
|
"title": "Total Threats (Time Brush enabled)",
|
|
"timeBrushParameterName": "timeBrushPeriod",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "barchart"
|
|
},
|
|
"name": "query - 0"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "ProofPointTAPMessagesBlocked_CL\r\n| where TimeGenerated {timeBrushPeriod}\r\n| mv-expand todynamic(threatsInfoMap_s)\r\n| extend classification = tostring(threatsInfoMap_s.classification)\r\n| extend threatType_ = tostring(threatsInfoMap_s.threatType)\r\n| where isnotempty(classification)\r\n| where isnotempty(threatType_)\r\n| mv-expand todynamic(recipient_s)\r\n| summarize count() by threatType_ ",
|
|
"size": 3,
|
|
"showAnalytics": true,
|
|
"title": "Threat Type",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "piechart"
|
|
},
|
|
"customWidth": "20",
|
|
"name": "query - 3"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "ProofPointTAPMessagesBlocked_CL\r\n| where TimeGenerated {timeBrushPeriod}\r\n| mv-expand todynamic(threatsInfoMap_s)\r\n| extend classification = tostring(threatsInfoMap_s.classification)\r\n| extend threatType_ = tostring(threatsInfoMap_s.threatType)\r\n| where isnotempty(classification) \r\n| where isnotempty(threatType_)\r\n| mv-expand todynamic(recipient_s)\r\n| summarize phish = countif(classification == \"phish\"), malware = countif(classification == \"malware\"), impostor = countif(classification == \"impostor\"), spam = countif(classification == \"spam\"), count() by tostring(recipient_s)\r\n| project-rename Total = count_, Recipient = recipient_s\r\n| top 10 by Total",
|
|
"size": 0,
|
|
"showAnalytics": true,
|
|
"title": "Top 10 users targeted by threat type",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"gridSettings": {
|
|
"formatters": [{
|
|
"columnMatch": "phish",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "blue"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "malware",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "red"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "impostor",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "green"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "spam",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "magenta"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Total",
|
|
"formatter": 3,
|
|
"formatOptions": {
|
|
"palette": "greenRed"
|
|
}
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"customWidth": "40",
|
|
"name": "query - 3"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "ProofPointTAPMessagesBlocked_CL\r\n| where TimeGenerated {timeBrushPeriod}\r\n| mv-expand todynamic(threatsInfoMap_s)\r\n| extend classification = tostring(threatsInfoMap_s.classification)\r\n| extend threatType_ = tostring(threatsInfoMap_s.threatType)\r\n| where isnotempty(classification)\r\n| where isnotempty(threatType_)\r\n| mv-expand todynamic(recipient_s)\r\n| summarize phish = countif(classification == \"phish\"), malware = countif(classification == \"malware\"), impostor = countif(classification == \"impostor\"), spam = countif(classification == \"spam\"), count() by sender_s \r\n| project-rename Total = count_, SourceAddress = sender_s \r\n| top 10 by Total",
|
|
"size": 0,
|
|
"showAnalytics": true,
|
|
"title": "Top 10 senders by threat type",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"gridSettings": {
|
|
"formatters": [{
|
|
"columnMatch": "phish",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "blue"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "malware",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "red"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "impostor",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "green"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "spam",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "magenta"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Total",
|
|
"formatter": 3,
|
|
"formatOptions": {
|
|
"palette": "greenRed"
|
|
}
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"customWidth": "40",
|
|
"name": "query - 4"
|
|
}
|
|
]
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "tab",
|
|
"comparison": "isEqualTo",
|
|
"value": "pp_tap"
|
|
},
|
|
"name": "TAP"
|
|
},
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"items": [{
|
|
"type": 9,
|
|
"content": {
|
|
"version": "KqlParameterItem/1.0",
|
|
"parameters": [{
|
|
"id": "3b72da79-389d-4129-98d3-d2b0cfe52b69",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "TimeRange",
|
|
"label": "Time Range",
|
|
"type": 4,
|
|
"typeSettings": {
|
|
"selectableValues": [{
|
|
"durationMs": 3600000
|
|
},
|
|
{
|
|
"durationMs": 14400000
|
|
},
|
|
{
|
|
"durationMs": 43200000
|
|
},
|
|
{
|
|
"durationMs": 86400000
|
|
},
|
|
{
|
|
"durationMs": 172800000
|
|
},
|
|
{
|
|
"durationMs": 259200000
|
|
},
|
|
{
|
|
"durationMs": 604800000
|
|
},
|
|
{
|
|
"durationMs": 1209600000
|
|
},
|
|
{
|
|
"durationMs": 2419200000
|
|
},
|
|
{
|
|
"durationMs": 2592000000
|
|
},
|
|
{
|
|
"durationMs": 5184000000
|
|
},
|
|
{
|
|
"durationMs": 7776000000
|
|
}
|
|
]
|
|
},
|
|
"timeContext": {
|
|
"durationMs": 86400000
|
|
},
|
|
"value": {
|
|
"durationMs": 2419200000
|
|
}
|
|
}],
|
|
"style": "pills",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
"customWidth": "20",
|
|
"name": "parameters - 6"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "union withsource=_TableName Proof*\r\n| where TimeGenerated {TimeRange}\r\n| summarize Entries = count(), Size = sum(_BilledSize), last_log = datetime_diff(\"second\",now(), max(TimeGenerated)), estimate = sumif(_BilledSize, _IsBillable==true) by _TableName, _IsBillable\r\n| project ['Table Name'] = _TableName, ['Table Size'] = Size, ['Table Entries'] = Entries,\r\n ['Size per Entry'] = 1.0 * Size / Entries, ['IsBillable'] = _IsBillable\r\n| order by ['Table Size'] desc",
|
|
"size": 0,
|
|
"title": "ProofPoint Log Summary",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"gridSettings": {
|
|
"formatters": [{
|
|
"columnMatch": "Table Size",
|
|
"formatter": 3,
|
|
"formatOptions": {
|
|
"palette": "purpleRed",
|
|
"customColumnWidthSetting": "24%"
|
|
},
|
|
"numberFormat": {
|
|
"unit": 2,
|
|
"options": {
|
|
"style": "decimal"
|
|
}
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Table Entries",
|
|
"formatter": 3,
|
|
"formatOptions": {
|
|
"palette": "grayBlue",
|
|
"customColumnWidthSetting": "24%"
|
|
},
|
|
"numberFormat": {
|
|
"unit": 2,
|
|
"options": {
|
|
"style": "decimal"
|
|
}
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Size per Entry",
|
|
"formatter": 3,
|
|
"formatOptions": {
|
|
"palette": "turquoise",
|
|
"customColumnWidthSetting": "24%"
|
|
},
|
|
"numberFormat": {
|
|
"unit": 2,
|
|
"options": {
|
|
"style": "decimal"
|
|
}
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "IsBillable",
|
|
"formatter": 1
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"name": "query - 6"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "union withsource = _TableName Proof*\r\n| where TimeGenerated > ago (30d)\r\n| summarize last_log = datetime_diff(\"second\",now(), max(TimeGenerated)) by _TableName\r\n| project ['Table Name'] = _TableName, ['Last Record Received'] = last_log \r\n | order by ['Last Record Received'] asc",
|
|
"size": 0,
|
|
"title": "ProofPoint Last Log Received",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"gridSettings": {
|
|
"formatters": [{
|
|
"columnMatch": "Last Record Received",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "orangeRed"
|
|
},
|
|
"numberFormat": {
|
|
"unit": 24,
|
|
"options": {
|
|
"style": "decimal"
|
|
}
|
|
}
|
|
}]
|
|
}
|
|
},
|
|
"customWidth": "33",
|
|
"name": "query - 2"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "union withsource=_TableName ProofpointPOD*\r\n| where TimeGenerated {TimeRange}\r\n| summarize count(), Size = sum(_BilledSize) by bin(_TimeReceived, 1m), Type, _IsBillable\r\n| extend counttemp =count_ / 60\r\n| summarize \r\n ['Average Events per Second (eps)'] = avg(counttemp), ['Minimum eps']=min (counttemp),\r\n ['Maximum eps']=max(counttemp)\r\n by ['Table Name']=Type\r\n| order by ['Average Events per Second (eps)'] desc",
|
|
"size": 0,
|
|
"title": "ProofPoint POD EPS",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "table",
|
|
"gridSettings": {
|
|
"formatters": [{
|
|
"columnMatch": "Average Events per Second (eps)",
|
|
"formatter": 3,
|
|
"formatOptions": {
|
|
"palette": "greenBlue",
|
|
"customColumnWidthSetting": "25%"
|
|
},
|
|
"numberFormat": {
|
|
"unit": 0,
|
|
"options": {
|
|
"style": "decimal",
|
|
"useGrouping": true
|
|
}
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Minimum eps",
|
|
"formatter": 3,
|
|
"formatOptions": {
|
|
"palette": "greenBlue",
|
|
"customColumnWidthSetting": "25%"
|
|
},
|
|
"numberFormat": {
|
|
"unit": 0,
|
|
"options": {
|
|
"style": "decimal",
|
|
"useGrouping": false
|
|
}
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Maximum eps",
|
|
"formatter": 3,
|
|
"formatOptions": {
|
|
"palette": "greenBlue",
|
|
"customColumnWidthSetting": "25%"
|
|
},
|
|
"numberFormat": {
|
|
"unit": 0,
|
|
"options": {
|
|
"style": "decimal"
|
|
}
|
|
}
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"customWidth": "67",
|
|
"name": "query - 5"
|
|
}
|
|
]
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "tab",
|
|
"comparison": "isEqualTo",
|
|
"value": "pp_logs"
|
|
},
|
|
"name": "Logs"
|
|
},
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"items": [{
|
|
"type": 9,
|
|
"content": {
|
|
"version": "KqlParameterItem/1.0",
|
|
"parameters": [{
|
|
"id": "867b76e5-ca95-4186-9dbb-246cca82a160",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "TimeRange",
|
|
"label": "Time Range",
|
|
"type": 4,
|
|
"value": {
|
|
"durationMs": 5184000000
|
|
},
|
|
"typeSettings": {
|
|
"selectableValues": [{
|
|
"durationMs": 3600000
|
|
},
|
|
{
|
|
"durationMs": 14400000
|
|
},
|
|
{
|
|
"durationMs": 43200000
|
|
},
|
|
{
|
|
"durationMs": 86400000
|
|
},
|
|
{
|
|
"durationMs": 172800000
|
|
},
|
|
{
|
|
"durationMs": 259200000
|
|
},
|
|
{
|
|
"durationMs": 604800000
|
|
},
|
|
{
|
|
"durationMs": 1209600000
|
|
},
|
|
{
|
|
"durationMs": 2419200000
|
|
},
|
|
{
|
|
"durationMs": 2592000000
|
|
},
|
|
{
|
|
"durationMs": 5184000000
|
|
},
|
|
{
|
|
"durationMs": 7776000000
|
|
}
|
|
]
|
|
},
|
|
"timeContext": {
|
|
"durationMs": 86400000
|
|
}
|
|
},
|
|
{
|
|
"id": "d9aafb3a-3c9d-45f0-8762-c530a1d34e43",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "UsersEmail",
|
|
"label": "Users Email Address",
|
|
"type": 1,
|
|
"value": "user@example.com",
|
|
"timeContext": {
|
|
"durationMs": 86400000
|
|
}
|
|
}
|
|
],
|
|
"style": "pills",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
"customWidth": "50",
|
|
"name": "parameters - 0"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "ProofpointPOD\r\n| where EventType == \"message\"\r\n| extend SenderJSON = tostring(parse_json(MsgParsedAddressesFrom)[0])\r\n| extend RecipientJson = tostring(parse_json(MsgParsedAddressesTo)[0])\r\n| project-rename Direction = NetworkDirection, Sender = SenderJSON, Recipient = RecipientJson, Subject = MsgHeaderSubject, Outcome = FilterDisposition\r\n| project TimeGenerated, Direction, Sender, Recipient, Subject, Outcome, MsgNormalizedHeaderMessageId\r\n| where TimeGenerated {TimeRange}\r\n| where Sender == \"{UsersEmail}\" or Recipient == \"{UsersEmail}\"\r\n| summarize EmailSentOutbound=countif(Direction == \"outbound\"),ExternalEmailReceived=countif(Direction == \"inbound\"), InternalEmail=countif(Direction == \"internal\") by bin(TimeGenerated, 8h)\r\n| render timechart ",
|
|
"size": 1,
|
|
"title": "All Email Activity (Time Brush enabled)",
|
|
"timeBrushParameterName": "timeBrushPeriod",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
"name": "query - 1"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "ProofPointTAPMessagesBlocked_CL\r\n| where TimeGenerated {timeBrushPeriod}\r\n| where recipient_s contains \"{UsersEmail}\"\r\n| mv-expand todynamic(threatsInfoMap_s)\r\n| extend classification = tostring(threatsInfoMap_s.classification)\r\n| extend threatType_ = tostring(threatsInfoMap_s.threatType)\r\n| where isnotempty(classification)\r\n| where isnotempty(threatType_)\r\n| mv-expand todynamic(recipient_s)\r\n| summarize count() by threatType_ ",
|
|
"size": 3,
|
|
"title": "Threat Summary",
|
|
"noDataMessage": "This user has not been targeted during the time period.",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "piechart"
|
|
},
|
|
"customWidth": "33",
|
|
"name": "query - 2"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "ProofPointTAPMessagesBlocked_CL\r\n| where TimeGenerated {timeBrushPeriod}\r\n| extend RecipientString = tostring(parse_json(recipient_s)[0])\r\n| mv-expand todynamic(threatsInfoMap_s)\r\n| extend classification = tostring(threatsInfoMap_s.classification)\r\n| extend threatType_ = tostring(threatsInfoMap_s.threatType)\r\n| where isnotempty(classification) \r\n| where isnotempty(threatType_)\r\n| where RecipientString == \"{UsersEmail}\"\r\n| mv-expand todynamic(RecipientString)\r\n| summarize\r\n phish = countif(classification == \"phish\"),\r\n malware = countif(classification == \"malware\"),\r\n impostor = countif(classification == \"impostor\"),\r\n spam = countif(classification == \"spam\"),\r\n count()\r\n by tostring(RecipientString)\r\n| project-rename Total = count_, Recipient = RecipientString",
|
|
"size": 0,
|
|
"title": "Threats stopped by ProofPoint TAP by threat type",
|
|
"noDataMessage": "The user had no clicks blocked during the time period.",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"gridSettings": {
|
|
"formatters": [{
|
|
"columnMatch": "phish",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "blue"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "malware",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "red"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "impostor",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "green"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "spam",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "magenta"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Total",
|
|
"formatter": 3,
|
|
"formatOptions": {
|
|
"palette": "greenRed"
|
|
}
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"customWidth": "33",
|
|
"name": "query - 4"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "ProofPointTAPMessagesBlocked_CL\r\n| where TimeGenerated {timeBrushPeriod}\r\n| extend RecipientString = tostring(parse_json(recipient_s)[0])\r\n| where RecipientString == \"{UsersEmail}\"\r\n| mv-expand todynamic(threatsInfoMap_s)\r\n| extend classification = tostring(threatsInfoMap_s.classification)\r\n| extend threatType_ = tostring(threatsInfoMap_s.threatType)\r\n| where isnotempty(classification)\r\n| where isnotempty(threatType_)\r\n| mv-expand todynamic(RecipientString)\r\n| summarize phish = countif(classification == \"phish\"), malware = countif(classification == \"malware\"), impostor = countif(classification == \"impostor\"), spam = countif(classification == \"spam\"), count() by sender_s \r\n| project-rename Total = count_, SourceAddress = sender_s \r\n| top 10 by Total",
|
|
"size": 0,
|
|
"title": "Top senders attacking this user by threat type",
|
|
"noDataMessage": "This user has not been targeted during the time period.",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"gridSettings": {
|
|
"formatters": [{
|
|
"columnMatch": "phish",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "blue"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "malware",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "green"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "impostor",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "red"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "spam",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "magenta"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Total",
|
|
"formatter": 3,
|
|
"formatOptions": {
|
|
"palette": "greenRed"
|
|
}
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"customWidth": "33",
|
|
"name": "query - 4"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "ProofpointPOD\r\n| where EventType == \"message\"\r\n| where FilterDisposition == \"discard\" or FilterDisposition == \"reject\" or isnotempty(FilterQuarantineFolder)\r\n| where TimeGenerated {timeBrushPeriod}\r\n| extend Recipient = tostring(parse_json(MsgNormalizedHeaderTo)[0])\r\n| extend Sender = tostring(parse_json(MsgParsedAddressesFrom)[0])\r\n| where Recipient == \"{UsersEmail}\"\r\n| summarize EmailCount=count()by Sender \r\n| top 10 by EmailCount",
|
|
"size": 0,
|
|
"title": "Top senders blocked sending to this user",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"gridSettings": {
|
|
"formatters": [{
|
|
"columnMatch": "EmailCount",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "yellowOrangeRed"
|
|
}
|
|
}]
|
|
}
|
|
},
|
|
"customWidth": "33",
|
|
"name": "query - 5",
|
|
"styleSettings": {
|
|
"margin": "3"
|
|
}
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "ProofPointTAPClicksBlocked_CL\r\n| where TimeGenerated {timeBrushPeriod}\r\n| where isnotempty(classification_s)\r\n| where recipient_s == \"{UsersEmail}\"\r\n| project TimeGenerated, URL=url_s, ThreatType=classification_s\r\n| sort by TimeGenerated desc",
|
|
"size": 0,
|
|
"title": "ProofPoint TAP clicks blocked for this user",
|
|
"noDataMessage": "This user has not had any clicks blocked in the time period.",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
"customWidth": "33",
|
|
"name": "query - 6"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "ProofPointTAPClicksPermitted_CL\r\n| where TimeGenerated {timeBrushPeriod}\r\n| where isnotempty(classification_s)\r\n| where recipient_s == \"{UsersEmail}\"\r\n| project TimeGenerated, URL=url_s, ThreatType=classification_s\r\n| sort by TimeGenerated desc",
|
|
"size": 0,
|
|
"title": "ProofPoint TAP clicks permitted for this user",
|
|
"noDataMessage": "This user has not had any clicks permitted in the time period.",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
"name": "query - 7"
|
|
}
|
|
]
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "tab",
|
|
"comparison": "isEqualTo",
|
|
"value": "pp_userlookup"
|
|
},
|
|
"name": "group - 4"
|
|
},
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"items": [{
|
|
"type": 9,
|
|
"content": {
|
|
"version": "KqlParameterItem/1.0",
|
|
"parameters": [{
|
|
"id": "ed88e591-0922-49bb-b149-4c54c8376b41",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "TimeRange",
|
|
"label": "Time Range",
|
|
"type": 4,
|
|
"value": {
|
|
"durationMs": 1209600000
|
|
},
|
|
"typeSettings": {
|
|
"selectableValues": [{
|
|
"durationMs": 3600000
|
|
},
|
|
{
|
|
"durationMs": 14400000
|
|
},
|
|
{
|
|
"durationMs": 43200000
|
|
},
|
|
{
|
|
"durationMs": 86400000
|
|
},
|
|
{
|
|
"durationMs": 172800000
|
|
},
|
|
{
|
|
"durationMs": 259200000
|
|
},
|
|
{
|
|
"durationMs": 604800000
|
|
},
|
|
{
|
|
"durationMs": 1209600000
|
|
},
|
|
{
|
|
"durationMs": 2419200000
|
|
},
|
|
{
|
|
"durationMs": 2592000000
|
|
},
|
|
{
|
|
"durationMs": 5184000000
|
|
},
|
|
{
|
|
"durationMs": 7776000000
|
|
}
|
|
]
|
|
},
|
|
"timeContext": {
|
|
"durationMs": 86400000
|
|
}
|
|
}],
|
|
"style": "pills",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
"customWidth": "80",
|
|
"name": "parameters - 1"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "union ProofPointTAPClicksBlocked_CL, ProofPointTAPClicksPermitted_CL\r\n| where TimeGenerated {TimeRange}\r\n| where isnotempty(classification_s)\r\n| summarize count()by Type, bin (TimeGenerated, 4h)",
|
|
"size": 1,
|
|
"title": "Total clicks blocked or permitted",
|
|
"noDataMessage": "No clicks were blocked or permitted in the time period.",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "barchart",
|
|
"graphSettings": {
|
|
"type": 0,
|
|
"topContent": {
|
|
"columnMatch": "Type",
|
|
"formatter": 1
|
|
},
|
|
"centerContent": {
|
|
"columnMatch": "count_",
|
|
"formatter": 1,
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"chartSettings": {
|
|
"seriesLabelSettings": [{
|
|
"seriesName": "ProofPointTAPClicksPermitted_CL",
|
|
"color": "red"
|
|
},
|
|
{
|
|
"seriesName": "ProofPointTAPClicksBlocked_CL",
|
|
"color": "green"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"customWidth": "100",
|
|
"name": "query - 0"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "ProofPointTAPClicksBlocked_CL\r\n| where TimeGenerated {TimeRange}\r\n| extend URL = extract(@\"\\/\\/(www.)?([a-zA-Z0-9-_.]+)(\\/|$)\",2,url_s)\r\n| where isnotempty(classification_s)\r\n| summarize phish = countif(classification_s == \"phish\"), malware = countif(classification_s == \"malware\"), spam = countif(classification_s == \"spam\"), count() by URL\r\n| project-rename Total = count_\r\n| top 10 by Total",
|
|
"size": 0,
|
|
"title": "Top 10 clicks blocked by domain",
|
|
"noDataMessage": "No clicks were blocked in the time period.",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"gridSettings": {
|
|
"formatters": [{
|
|
"columnMatch": "phish",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "blue"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "malware",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "red"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "spam",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "magenta"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Total",
|
|
"formatter": 3,
|
|
"formatOptions": {
|
|
"palette": "blueOrange"
|
|
}
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 2"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "ProofPointTAPClicksPermitted_CL\r\n| where TimeGenerated {TimeRange}\r\n| extend URL = extract(@\"\\/\\/(www.)?([a-zA-Z0-9-_.]+)(\\/|$)\",2,url_s)\r\n| where isnotempty(classification_s)\r\n| summarize phish = countif(classification_s == \"phish\"), malware = countif(classification_s == \"malware\"), spam = countif(classification_s == \"spam\"), count() by URL\r\n| project-rename Total = count_\r\n| top 10 by Total",
|
|
"size": 0,
|
|
"title": "Top 10 clicks permitted by domain",
|
|
"noDataMessage": "No clicks were permitted in the time period.",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "table",
|
|
"gridSettings": {
|
|
"formatters": [{
|
|
"columnMatch": "phish",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "blue"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "malware",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "green"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "spam",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "magenta"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Total",
|
|
"formatter": 3,
|
|
"formatOptions": {
|
|
"palette": "blueOrange"
|
|
}
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 3"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "union ProofPointTAPClicksBlocked_CL, ProofPointTAPClicksPermitted_CL\r\n| where TimeGenerated {TimeRange}\r\n| where isnotempty(classification_s)\r\n| where Type == \"ProofPointTAPClicksPermitted_CL\"\r\n| summarize PermitCount=count()by recipient_s\r\n| project Recipient=recipient_s, PermitCount\r\n| sort by PermitCount\r\n| take 15",
|
|
"size": 0,
|
|
"title": "Top Users with Permitted Clicks",
|
|
"noDataMessage": "No clicks were permitted in the time period.",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"gridSettings": {
|
|
"formatters": [{
|
|
"columnMatch": "PermitCount",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "yellowOrangeRed"
|
|
}
|
|
}]
|
|
}
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 4"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "union ProofPointTAPClicksBlocked_CL, ProofPointTAPClicksPermitted_CL\r\n| where TimeGenerated {TimeRange}\r\n| where isnotempty(classification_s)\r\n| where Type == \"ProofPointTAPClicksBlocked_CL\"\r\n| summarize BlockCount=count()by recipient_s\r\n| project Recipient=recipient_s, BlockCount\r\n| sort by BlockCount\r\n| take 15",
|
|
"size": 0,
|
|
"title": "Top users with blocked clicks",
|
|
"noDataMessage": "No clicks were blocked in the time period.",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"gridSettings": {
|
|
"formatters": [{
|
|
"columnMatch": "BlockCount",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "yellowOrangeRed"
|
|
}
|
|
}]
|
|
}
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 5"
|
|
}
|
|
]
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "tab",
|
|
"comparison": "isEqualTo",
|
|
"value": "pp_tapclicks"
|
|
},
|
|
"name": "TAPClicks"
|
|
}
|
|
],
|
|
"fromTemplateId": "sentinel-ProofPointThreatDashboard",
|
|
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
|
|
} |