273 строки
8.6 KiB
JSON
273 строки
8.6 KiB
JSON
{
|
|
"version": "Notebook/1.0",
|
|
"items": [
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "## pfSense\n---"
|
|
},
|
|
"name": "text - 2"
|
|
},
|
|
{
|
|
"type": 9,
|
|
"content": {
|
|
"version": "KqlParameterItem/1.0",
|
|
"parameters": [
|
|
{
|
|
"id": "cb8a6a65-1237-4d20-be53-03207a5f9cf3",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "TimeRange",
|
|
"type": 4,
|
|
"isRequired": true,
|
|
"value": {
|
|
"durationMs": 86400000
|
|
},
|
|
"typeSettings": {
|
|
"selectableValues": [
|
|
{
|
|
"durationMs": 300000
|
|
},
|
|
{
|
|
"durationMs": 900000
|
|
},
|
|
{
|
|
"durationMs": 1800000
|
|
},
|
|
{
|
|
"durationMs": 3600000
|
|
},
|
|
{
|
|
"durationMs": 14400000
|
|
},
|
|
{
|
|
"durationMs": 43200000
|
|
},
|
|
{
|
|
"durationMs": 86400000
|
|
},
|
|
{
|
|
"durationMs": 172800000
|
|
},
|
|
{
|
|
"durationMs": 259200000
|
|
},
|
|
{
|
|
"durationMs": 604800000
|
|
},
|
|
{
|
|
"durationMs": 1209600000
|
|
},
|
|
{
|
|
"durationMs": 2419200000
|
|
},
|
|
{
|
|
"durationMs": 2592000000
|
|
},
|
|
{
|
|
"durationMs": 5184000000
|
|
},
|
|
{
|
|
"durationMs": 7776000000
|
|
}
|
|
]
|
|
},
|
|
"timeContext": {
|
|
"durationMs": 86400000
|
|
},
|
|
"timeContextFromParameter": "TimeRange"
|
|
},
|
|
{
|
|
"id": "bbdbe4f4-ac36-4cdc-8e79-2e70b3e2e2bb",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "Interface",
|
|
"type": 2,
|
|
"isRequired": true,
|
|
"multiSelect": true,
|
|
"quote": "'",
|
|
"delimiter": ",",
|
|
"query": "CommonSecurityLog\r\n| where DeviceProduct == \"pfsense\" and DeviceEventClassID == \"filterlog\"\r\n| summarize Count = count() by DeviceInboundInterface\r\n| order by Count desc, DeviceInboundInterface asc\r\n| project Value = DeviceInboundInterface, Label = strcat(DeviceInboundInterface, ' - ', Count)",
|
|
"value": [
|
|
"value::all"
|
|
],
|
|
"typeSettings": {
|
|
"additionalResourceOptions": [
|
|
"value::all"
|
|
],
|
|
"showDefault": false
|
|
},
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
}
|
|
],
|
|
"style": "pills",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
"name": "parameters - 2"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog\n| where \"{Interface:lable}\" == \"All\" or DeviceInboundInterface in ({Interface})\n| where DeviceProduct == \"pfsense\" and DeviceEventClassID == \"filterlog\"\n| summarize Total = count()",
|
|
"size": 3,
|
|
"title": "Total Firewall Events",
|
|
"timeContext": {
|
|
"durationMs": 86400000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "card",
|
|
"tileSettings": {
|
|
"showBorder": false,
|
|
"titleContent": {
|
|
"columnMatch": "TenantId",
|
|
"formatter": 1
|
|
},
|
|
"leftContent": {
|
|
"columnMatch": "DestinationPort",
|
|
"formatter": 12,
|
|
"formatOptions": {
|
|
"palette": "auto"
|
|
},
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"textSettings": {
|
|
"style": "bignumber"
|
|
}
|
|
},
|
|
"name": "query - 2"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog\r\n| where \"{Interface:lable}\" == \"All\" or DeviceInboundInterface in ({Interface})\r\n| where DeviceProduct == \"pfsense\" and DeviceEventClassID == \"filterlog\"\r\n| summarize Count = count() by bin(TimeGenerated, {TimeRange:grain}), DeviceInboundInterface",
|
|
"size": 3,
|
|
"title": "Events by Interface",
|
|
"timeContext": {
|
|
"durationMs": 86400000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "linechart"
|
|
},
|
|
"name": "query - 3"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog\r\n| where \"{Interface:lable}\" == \"All\" or DeviceInboundInterface in ({Interface})\r\n| where DeviceProduct == \"pfsense\" and DeviceEventClassID == \"filterlog\"\r\n| where DeviceAction == \"block\"\r\n| summarize Count = count() by SourceIP\r\n| sort by Count desc\r\n| take 10",
|
|
"size": 0,
|
|
"title": "Top 10 Blocked IPs",
|
|
"timeContext": {
|
|
"durationMs": 86400000
|
|
},
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 4",
|
|
"styleSettings": {
|
|
"maxWidth": "50%"
|
|
}
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog\r\n| where \"{Interface:lable}\" == \"All\" or DeviceInboundInterface in ({Interface})\r\n| where DeviceProduct == \"pfsense\" and DeviceEventClassID == \"filterlog\"\r\n| where DeviceAction == \"pass\"\r\n| summarize Count = count() by SourceIP\r\n| sort by Count desc\r\n| take 10",
|
|
"size": 3,
|
|
"title": "Top 10 Allowed IPs",
|
|
"timeContext": {
|
|
"durationMs": 86400000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 5",
|
|
"styleSettings": {
|
|
"maxWidth": "50%"
|
|
}
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog\r\n| where \"{Interface:lable}\" == \"All\" or DeviceInboundInterface in ({Interface})\r\n| where DeviceProduct == \"pfsense\" and DeviceEventClassID == \"filterlog\"\r\n| summarize Count = count() by SourcePort, Protocol\r\n| project Protocol = strcat(Protocol,'-',SourcePort), Count \r\n| sort by Count desc",
|
|
"size": 3,
|
|
"title": "Protocol and Port",
|
|
"timeContext": {
|
|
"durationMs": 86400000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "piechart",
|
|
"tileSettings": {
|
|
"showBorder": false,
|
|
"titleContent": {
|
|
"columnMatch": "Protocol",
|
|
"formatter": 1
|
|
},
|
|
"leftContent": {
|
|
"columnMatch": "Count",
|
|
"formatter": 12,
|
|
"formatOptions": {
|
|
"palette": "auto"
|
|
},
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"graphSettings": {
|
|
"type": 0,
|
|
"topContent": {
|
|
"columnMatch": "Protocol",
|
|
"formatter": 1
|
|
},
|
|
"centerContent": {
|
|
"columnMatch": "Count",
|
|
"formatter": 1,
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 6",
|
|
"styleSettings": {
|
|
"maxWidth": "50"
|
|
}
|
|
}
|
|
],
|
|
"fromTemplateId": "sentinel-pfsense",
|
|
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
|
|
}
|