1218 строки
37 KiB
JSON
1218 строки
37 KiB
JSON
{
|
|
"version": "Notebook/1.0",
|
|
"items": [
|
|
{
|
|
"type": 11,
|
|
"content": {
|
|
"version": "LinkItem/1.0",
|
|
"style": "tabs",
|
|
"links": [
|
|
{
|
|
"cellValue": "selectedTab",
|
|
"linkTarget": "parameter",
|
|
"linkLabel": "Messages",
|
|
"subTarget": "Messages",
|
|
"style": "link",
|
|
"workbookContext": {},
|
|
"templateRunContext": {},
|
|
"alertRuleContext": {}
|
|
},
|
|
{
|
|
"cellValue": "selectedTab",
|
|
"linkTarget": "parameter",
|
|
"linkLabel": "Clicks",
|
|
"subTarget": "Clicks",
|
|
"style": "link"
|
|
}
|
|
]
|
|
},
|
|
"name": "links - 4"
|
|
},
|
|
{
|
|
"type": 9,
|
|
"content": {
|
|
"version": "KqlParameterItem/1.0",
|
|
"parameters": [
|
|
{
|
|
"id": "326a3767-8597-43ee-a116-44fc7280c63a",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "TimeRange",
|
|
"type": 4,
|
|
"value": {
|
|
"durationMs": 5184000000
|
|
},
|
|
"typeSettings": {
|
|
"selectableValues": [
|
|
{
|
|
"durationMs": 300000
|
|
},
|
|
{
|
|
"durationMs": 900000
|
|
},
|
|
{
|
|
"durationMs": 1800000
|
|
},
|
|
{
|
|
"durationMs": 3600000
|
|
},
|
|
{
|
|
"durationMs": 14400000
|
|
},
|
|
{
|
|
"durationMs": 43200000
|
|
},
|
|
{
|
|
"durationMs": 86400000
|
|
},
|
|
{
|
|
"durationMs": 172800000
|
|
},
|
|
{
|
|
"durationMs": 259200000
|
|
},
|
|
{
|
|
"durationMs": 604800000
|
|
},
|
|
{
|
|
"durationMs": 1209600000
|
|
},
|
|
{
|
|
"durationMs": 2419200000
|
|
},
|
|
{
|
|
"durationMs": 2592000000
|
|
},
|
|
{
|
|
"durationMs": 5184000000
|
|
},
|
|
{
|
|
"durationMs": 7776000000
|
|
}
|
|
],
|
|
"allowCustom": true
|
|
},
|
|
"resourceType": "microsoft.insights/components",
|
|
"label": "Time Range"
|
|
},
|
|
{
|
|
"id": "59948c5e-ab41-4b57-85f0-5e65966dd98e",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "Classification",
|
|
"type": 2,
|
|
"isRequired": true,
|
|
"multiSelect": true,
|
|
"quote": "'",
|
|
"delimiter": ",",
|
|
"query": "union ProofPointTAPMessagesBlocked_CL, ProofPointTAPMessagesDelivered_CL\n| mv-expand todynamic(threatsInfoMap_s)\n| extend classification = tostring(threatsInfoMap_s.classification)\n| distinct classification",
|
|
"value": [
|
|
"value::all"
|
|
],
|
|
"typeSettings": {
|
|
"additionalResourceOptions": [
|
|
"value::all"
|
|
]
|
|
},
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
{
|
|
"id": "503a952f-d169-4c5a-bf2e-5e74672bd9d4",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "ThreatType",
|
|
"label": "Threat Type",
|
|
"type": 2,
|
|
"isRequired": true,
|
|
"multiSelect": true,
|
|
"quote": "'",
|
|
"delimiter": ",",
|
|
"query": "union ProofPointTAPMessagesBlocked_CL, ProofPointTAPMessagesDelivered_CL\n| mv-expand todynamic(threatsInfoMap_s)\n| extend threatType_ = tostring(threatsInfoMap_s.threatType)\n| distinct threatType_",
|
|
"value": [
|
|
"value::all"
|
|
],
|
|
"typeSettings": {
|
|
"additionalResourceOptions": [
|
|
"value::all"
|
|
]
|
|
},
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
}
|
|
],
|
|
"style": "above",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.insights/components"
|
|
},
|
|
"name": "parameters - 2"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "union ProofPointTAPMessagesBlocked_CL, ProofPointTAPMessagesDelivered_CL\r\n| mv-expand todynamic(threatsInfoMap_s)\r\n| extend classification = tostring(threatsInfoMap_s.classification)\r\n| extend threatType_ = tostring(threatsInfoMap_s.threatType)\r\n| where classification in ({Classification}) or '*' in ({Classification})\r\n| where threatType_ in ({ThreatType}) or '*' in ({ThreatType})\r\n| summarize phish = countif(classification == 'phish'), malware = countif(classification == \"malware\"), impostor = countif(classification == \"impostor\"), spam = countif(classification == \"spam\") by bin(TimeGenerated, {TimeRange:grain})",
|
|
"size": 0,
|
|
"title": "Message Events by Classification",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "areachart",
|
|
"tileSettings": {
|
|
"showBorder": false
|
|
},
|
|
"graphSettings": {
|
|
"type": 0,
|
|
"topContent": {
|
|
"columnMatch": "classification",
|
|
"formatter": 1
|
|
},
|
|
"centerContent": {
|
|
"columnMatch": "count_",
|
|
"formatter": 1,
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"chartSettings": {
|
|
"seriesLabelSettings": [
|
|
{
|
|
"seriesName": "phish",
|
|
"color": "blue"
|
|
},
|
|
{
|
|
"seriesName": "malware",
|
|
"color": "red"
|
|
},
|
|
{
|
|
"seriesName": "impostor",
|
|
"color": "green"
|
|
},
|
|
{
|
|
"seriesName": "spam",
|
|
"color": "magenta"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "selectedTab",
|
|
"comparison": "isEqualTo",
|
|
"value": "Messages"
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 2 - Copy"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "union ProofPointTAPClicksBlocked_CL, ProofPointTAPClicksPermitted_CL\r\n| where classification_s in ({Classification}) or '*' in ({Classification})\r\n| summarize phish = countif(classification_s == \"phish\"), malware = countif(classification_s == \"malware\"), spam = countif(classification_s == \"spam\") by bin(TimeGenerated, {TimeRange:grain})",
|
|
"size": 0,
|
|
"showAnalytics": true,
|
|
"title": "Click Events by Classification",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "unstackedbar",
|
|
"tileSettings": {
|
|
"showBorder": false
|
|
},
|
|
"graphSettings": {
|
|
"type": 0,
|
|
"topContent": {
|
|
"columnMatch": "classification",
|
|
"formatter": 1
|
|
},
|
|
"centerContent": {
|
|
"columnMatch": "count_",
|
|
"formatter": 1,
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"chartSettings": {
|
|
"seriesLabelSettings": [
|
|
{
|
|
"seriesName": "phish",
|
|
"color": "blue"
|
|
},
|
|
{
|
|
"seriesName": "malware",
|
|
"color": "redBright"
|
|
},
|
|
{
|
|
"seriesName": "spam",
|
|
"color": "magenta"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "selectedTab",
|
|
"comparison": "isEqualTo",
|
|
"value": "Clicks"
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 2 - Clicks"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "union ProofPointTAPClicksBlocked_CL, ProofPointTAPClicksPermitted_CL\r\n| where classification_s in ({Classification}) or '*' in ({Classification})\r\n| summarize ClicksBlocked = countif(Type == \"ProofPointTAPClicksBlocked_CL\"), ClicksPermitted = countif(Type == \"ProofPointTAPClicksPermitted_CL\") by bin(TimeGenerated, {TimeRange:grain})",
|
|
"size": 0,
|
|
"showAnalytics": true,
|
|
"title": "Clicks Blocked vs. Permitted",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "areachart",
|
|
"tileSettings": {
|
|
"showBorder": false
|
|
},
|
|
"graphSettings": {
|
|
"type": 0,
|
|
"topContent": {
|
|
"columnMatch": "classification",
|
|
"formatter": 1
|
|
},
|
|
"centerContent": {
|
|
"columnMatch": "count_",
|
|
"formatter": 1,
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"chartSettings": {
|
|
"seriesLabelSettings": [
|
|
{
|
|
"seriesName": "phish",
|
|
"color": "blue"
|
|
},
|
|
{
|
|
"seriesName": "malware",
|
|
"color": "redBright"
|
|
},
|
|
{
|
|
"seriesName": "spam",
|
|
"color": "magenta"
|
|
},
|
|
{
|
|
"seriesName": "ClicksBlocked",
|
|
"color": "redBright"
|
|
},
|
|
{
|
|
"seriesName": "ClicksPermitted",
|
|
"color": "green"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "selectedTab",
|
|
"comparison": "isEqualTo",
|
|
"value": "Clicks"
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 2 - Clicks - Copy"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "union ProofPointTAPMessagesBlocked_CL, ProofPointTAPMessagesDelivered_CL\r\n| mv-expand todynamic(threatsInfoMap_s)\r\n| extend classification = tostring(threatsInfoMap_s.classification)\r\n| extend threatType_ = tostring(threatsInfoMap_s.threatType)\r\n| where classification in ({Classification}) or '*' in ({Classification})\r\n| where threatType_ in ({ThreatType}) or '*' in ({ThreatType})\r\n| mv-expand todynamic(recipient_s)\r\n| summarize MessagesBlocked = countif(Type == \"ProofPointTAPMessagesBlocked_CL\"), MessagesDelivered = countif(Type == \"ProofPointTAPMessagesDelivered_CL\") by bin(TimeGenerated, {TimeRange:grain})",
|
|
"size": 0,
|
|
"showAnalytics": true,
|
|
"title": "Messages Blocked vs. Delivered",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "areachart",
|
|
"tileSettings": {
|
|
"showBorder": false
|
|
},
|
|
"graphSettings": {
|
|
"type": 0,
|
|
"topContent": {
|
|
"columnMatch": "classification",
|
|
"formatter": 1
|
|
},
|
|
"centerContent": {
|
|
"columnMatch": "count_",
|
|
"formatter": 1,
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"chartSettings": {
|
|
"seriesLabelSettings": [
|
|
{
|
|
"seriesName": "MessagesBlocked",
|
|
"color": "red"
|
|
},
|
|
{
|
|
"seriesName": "MessagesDelivered",
|
|
"color": "green"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "selectedTab",
|
|
"comparison": "isEqualTo",
|
|
"value": "Messages"
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 2 -"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "ProofPointTAPClicksBlocked_CL\r\n| extend URL = extract(@\"\\/\\/(www.)?([a-zA-Z0-9-_.]+)(\\/|$)\",2,url_s)\r\n| where classification_s in ({Classification}) or '*' in ({Classification})\r\n| summarize phish = countif(classification_s == \"phish\"), malware = countif(classification_s == \"malware\"), spam = countif(classification_s == \"spam\"), count() by URL\r\n| project-rename Total = count_\r\n| top 10 by Total",
|
|
"size": 0,
|
|
"showAnalytics": true,
|
|
"title": "Top 10 Clicks Blocked by Domain",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "table",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "URL",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "phish",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "blue",
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "malware",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "red",
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "spam",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "magenta",
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Total",
|
|
"formatter": 3,
|
|
"formatOptions": {
|
|
"palette": "blueOrange",
|
|
"showIcon": true
|
|
}
|
|
}
|
|
]
|
|
},
|
|
"tileSettings": {
|
|
"showBorder": false
|
|
},
|
|
"graphSettings": {
|
|
"type": 0,
|
|
"topContent": {
|
|
"columnMatch": "classification",
|
|
"formatter": 1
|
|
},
|
|
"centerContent": {
|
|
"columnMatch": "count_",
|
|
"formatter": 1,
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"chartSettings": {
|
|
"seriesLabelSettings": [
|
|
{
|
|
"seriesName": "phish",
|
|
"color": "blue"
|
|
},
|
|
{
|
|
"seriesName": "malware",
|
|
"color": "redBright"
|
|
},
|
|
{
|
|
"seriesName": "impostor",
|
|
"color": "magenta"
|
|
},
|
|
{
|
|
"seriesName": "spam",
|
|
"color": "green"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "selectedTab",
|
|
"comparison": "isEqualTo",
|
|
"value": "Clicks"
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query_clicks_top10clicksblockedbydomain"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "ProofPointTAPClicksPermitted_CL\r\n| extend URL = extract(@\"\\/\\/(www.)?([a-zA-Z0-9-_.]+)(\\/|$)\",2,url_s)\r\n| where classification_s in ({Classification}) or '*' in ({Classification})\r\n| summarize phish = countif(classification_s == \"phish\"), malware = countif(classification_s == \"malware\"), spam = countif(classification_s == \"spam\"), count() by URL\r\n| project-rename Total = count_\r\n| top 10 by Total",
|
|
"size": 0,
|
|
"showAnalytics": true,
|
|
"title": "Top 10 Clicks Permitted by Domain",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "table",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "URL",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "phish",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "blue",
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "malware",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "red",
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "spam",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "magenta",
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Total",
|
|
"formatter": 3,
|
|
"formatOptions": {
|
|
"palette": "blueOrange",
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Type",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
}
|
|
],
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "$gen_heatmap_phish_1",
|
|
"sortOrder": 2
|
|
}
|
|
]
|
|
},
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "$gen_heatmap_phish_1",
|
|
"sortOrder": 2
|
|
}
|
|
],
|
|
"tileSettings": {
|
|
"showBorder": false
|
|
},
|
|
"graphSettings": {
|
|
"type": 0,
|
|
"topContent": {
|
|
"columnMatch": "classification",
|
|
"formatter": 1
|
|
},
|
|
"centerContent": {
|
|
"columnMatch": "count_",
|
|
"formatter": 1,
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"chartSettings": {
|
|
"seriesLabelSettings": [
|
|
{
|
|
"seriesName": "phish",
|
|
"color": "blue"
|
|
},
|
|
{
|
|
"seriesName": "malware",
|
|
"color": "redBright"
|
|
},
|
|
{
|
|
"seriesName": "impostor",
|
|
"color": "magenta"
|
|
},
|
|
{
|
|
"seriesName": "spam",
|
|
"color": "green"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "selectedTab",
|
|
"comparison": "isEqualTo",
|
|
"value": "Clicks"
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query_clicks_top10clickspermittedbydomain"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "ProofPointTAPClicksBlocked_CL\r\n| extend URL = extract(@\"\\/\\/(www.)?([a-zA-Z0-9-_.]+)(\\/|$)\",2,url_s)\r\n| where classification_s in ({Classification}) or '*' in ({Classification})\r\n| summarize phish = countif(classification_s == \"phish\"), malware = countif(classification_s == \"malware\"), spam = countif(classification_s == \"spam\"), count() by senderIP_s\r\n| project-rename Total = count_, SenderIP = senderIP_s\r\n| top 10 by Total",
|
|
"size": 0,
|
|
"showAnalytics": true,
|
|
"title": "Top 10 Clicks Blocked by Sender IP",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "table",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "SenderIP",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "phish",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "blue",
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "malware",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "red",
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "spam",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "purple",
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Total",
|
|
"formatter": 3,
|
|
"formatOptions": {
|
|
"palette": "blueOrange",
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "URL",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
}
|
|
],
|
|
"labelSettings": [
|
|
{
|
|
"columnId": "SenderIP",
|
|
"label": "Sender IP"
|
|
},
|
|
{
|
|
"columnId": "phish"
|
|
},
|
|
{
|
|
"columnId": "malware"
|
|
},
|
|
{
|
|
"columnId": "spam"
|
|
},
|
|
{
|
|
"columnId": "Total"
|
|
}
|
|
]
|
|
},
|
|
"tileSettings": {
|
|
"showBorder": false
|
|
},
|
|
"graphSettings": {
|
|
"type": 0,
|
|
"topContent": {
|
|
"columnMatch": "classification",
|
|
"formatter": 1
|
|
},
|
|
"centerContent": {
|
|
"columnMatch": "count_",
|
|
"formatter": 1,
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"chartSettings": {
|
|
"seriesLabelSettings": [
|
|
{
|
|
"seriesName": "phish",
|
|
"color": "blue"
|
|
},
|
|
{
|
|
"seriesName": "malware",
|
|
"color": "redBright"
|
|
},
|
|
{
|
|
"seriesName": "impostor",
|
|
"color": "magenta"
|
|
},
|
|
{
|
|
"seriesName": "spam",
|
|
"color": "green"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "selectedTab",
|
|
"comparison": "isEqualTo",
|
|
"value": "Clicks"
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query_clicks_top10clicksblockedbysenderIP"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "ProofPointTAPClicksPermitted_CL\r\n| extend URL = extract(@\"\\/\\/(www.)?([a-zA-Z0-9-_.]+)(\\/|$)\",2,url_s)\r\n| where classification_s in ({Classification}) or '*' in ({Classification})\r\n| summarize phish = countif(classification_s == \"phish\"), malware = countif(classification_s == \"malware\"), spam = countif(classification_s == \"spam\"), count() by clickIP_s\r\n| project-rename Total = count_, ClickIP = clickIP_s\r\n| top 10 by Total",
|
|
"size": 0,
|
|
"showAnalytics": true,
|
|
"title": "Top 10 Clicks Permitted by Click IP",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "table",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "ClickIP",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "phish",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "blue",
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "malware",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "red",
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "spam",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "purple",
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Total",
|
|
"formatter": 3,
|
|
"formatOptions": {
|
|
"palette": "blueOrange",
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "URL",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Type",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
}
|
|
],
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "$gen_heatmap_phish_1",
|
|
"sortOrder": 2
|
|
}
|
|
],
|
|
"labelSettings": [
|
|
{
|
|
"columnId": "ClickIP",
|
|
"label": "Click IP"
|
|
},
|
|
{
|
|
"columnId": "phish"
|
|
},
|
|
{
|
|
"columnId": "malware"
|
|
},
|
|
{
|
|
"columnId": "spam"
|
|
},
|
|
{
|
|
"columnId": "Total"
|
|
}
|
|
]
|
|
},
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "$gen_heatmap_phish_1",
|
|
"sortOrder": 2
|
|
}
|
|
],
|
|
"tileSettings": {
|
|
"showBorder": false
|
|
},
|
|
"graphSettings": {
|
|
"type": 0,
|
|
"topContent": {
|
|
"columnMatch": "classification",
|
|
"formatter": 1
|
|
},
|
|
"centerContent": {
|
|
"columnMatch": "count_",
|
|
"formatter": 1,
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"chartSettings": {
|
|
"seriesLabelSettings": [
|
|
{
|
|
"seriesName": "phish",
|
|
"color": "blue"
|
|
},
|
|
{
|
|
"seriesName": "malware",
|
|
"color": "redBright"
|
|
},
|
|
{
|
|
"seriesName": "impostor",
|
|
"color": "magenta"
|
|
},
|
|
{
|
|
"seriesName": "spam",
|
|
"color": "green"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "selectedTab",
|
|
"comparison": "isEqualTo",
|
|
"value": "Clicks"
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query_clicks_top10clickspermittedbyclickip"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "ProofPointTAPMessagesBlocked_CL\n| mv-expand todynamic(threatsInfoMap_s)\n| extend classification = tostring(threatsInfoMap_s.classification)\n| extend threatType_ = tostring(threatsInfoMap_s.threatType)\n| where classification in ({Classification}) or '*' in ({Classification})\n| where threatType_ in ({ThreatType}) or '*' in ({ThreatType})\n| mv-expand todynamic(recipient_s)\n| summarize phish = countif(classification == \"phish\"), malware = countif(classification == \"malware\"), impostor = countif(classification == \"impostor\"), spam = countif(classification == \"spam\"), count() by sender_s \n| project-rename Total = count_, SourceAddress = sender_s \n| top 10 by Total",
|
|
"size": 0,
|
|
"title": "Top 10 Blocked Sender Address",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "SourceAddress",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "phish",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "blue",
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "malware",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "red",
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "impostor",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "green",
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "spam",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "magenta",
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Total",
|
|
"formatter": 3,
|
|
"formatOptions": {
|
|
"palette": "greenRed",
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "SourceIP",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
}
|
|
]
|
|
},
|
|
"sortBy": []
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "selectedTab",
|
|
"comparison": "isEqualTo",
|
|
"value": "Messages"
|
|
},
|
|
"customWidth": "70",
|
|
"name": "query - 5 - Copy"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "ProofPointTAPMessagesBlocked_CL\n| mv-expand todynamic(threatsInfoMap_s)\n| extend classification = tostring(threatsInfoMap_s.classification)\n| extend threatType_ = tostring(threatsInfoMap_s.threatType)\n| where classification in ({Classification}) or '*' in ({Classification})\n| where threatType_ in ({ThreatType}) or '*' in ({ThreatType})\n| mv-expand todynamic(recipient_s)\n| summarize count() by threatType_ ",
|
|
"size": 0,
|
|
"title": "Threat Type",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "piechart",
|
|
"chartSettings": {}
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "selectedTab",
|
|
"comparison": "isEqualTo",
|
|
"value": "Messages"
|
|
},
|
|
"customWidth": "30",
|
|
"name": "query - 11"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "ProofPointTAPMessagesBlocked_CL\n| mv-expand todynamic(threatsInfoMap_s)\n| extend classification = tostring(threatsInfoMap_s.classification)\n| extend threatType_ = tostring(threatsInfoMap_s.threatType)\n| where classification in ({Classification}) or '*' in ({Classification})\n| where threatType_ in ({ThreatType}) or '*' in ({ThreatType})\n| mv-expand todynamic(recipient_s)\n| summarize phish = countif(classification == \"phish\"), malware = countif(classification == \"malware\"), impostor = countif(classification == \"impostor\"), spam = countif(classification == \"spam\"), count() by senderIP_s\n| top 10 by count_",
|
|
"size": 0,
|
|
"title": "Top 10 Blocked Sender IP ",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "senderIP_s",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "phish",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "blue",
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "malware",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "red",
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "impostor",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "green",
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "spam",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "magenta",
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "count_",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "SourceIP",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Total",
|
|
"formatter": 3,
|
|
"formatOptions": {
|
|
"palette": "greenRed",
|
|
"showIcon": true
|
|
}
|
|
}
|
|
],
|
|
"labelSettings": [
|
|
{
|
|
"columnId": "senderIP_s",
|
|
"label": "Sender IP"
|
|
},
|
|
{
|
|
"columnId": "phish"
|
|
},
|
|
{
|
|
"columnId": "malware"
|
|
},
|
|
{
|
|
"columnId": "impostor"
|
|
},
|
|
{
|
|
"columnId": "spam"
|
|
},
|
|
{
|
|
"columnId": "count_",
|
|
"label": "Total"
|
|
}
|
|
]
|
|
},
|
|
"sortBy": []
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "selectedTab",
|
|
"comparison": "isEqualTo",
|
|
"value": "Messages"
|
|
},
|
|
"customWidth": "45",
|
|
"name": "query - 5 - Copy"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "ProofPointTAPMessagesBlocked_CL\n| mv-expand todynamic(threatsInfoMap_s)\n| extend classification = tostring(threatsInfoMap_s.classification)\n| extend threatType_ = tostring(threatsInfoMap_s.threatType)\n| where classification in ({Classification}) or '*' in ({Classification})\n| where threatType_ in ({ThreatType}) or '*' in ({ThreatType})\n| mv-expand todynamic(recipient_s)\n| summarize phish = countif(classification == \"phish\"), malware = countif(classification == \"malware\"), impostor = countif(classification == \"impostor\"), spam = countif(classification == \"spam\"), count() by tostring(recipient_s)\n| project-rename Total = count_, Recipient = recipient_s\n| top 10 by Total",
|
|
"size": 0,
|
|
"title": "Top 10 Recipients",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "SourceIP",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "phish",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "blue",
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "malware",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "red",
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "impostor",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "green",
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "spam",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "magenta",
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Total",
|
|
"formatter": 3,
|
|
"formatOptions": {
|
|
"palette": "greenRed",
|
|
"showIcon": true
|
|
}
|
|
}
|
|
]
|
|
},
|
|
"sortBy": []
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "selectedTab",
|
|
"comparison": "isEqualTo",
|
|
"value": "Messages"
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 5 - Copy - Copy"
|
|
}
|
|
],
|
|
"fromTemplateId": "sentinel-ProofPointTAPWorkbook",
|
|
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
|
|
} |