
{
"version": "Notebook/1.0",
"items": [
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "23197862-8ab5-4aa4-8e78-bb26fbf1a6bc",
"version": "KqlParameterItem/1.0",
"name": "TimeRange",
"label": "Time Range",
"type": 4,
"isRequired": true,
"value": {
"durationMs": 2419200000
},
"typeSettings": {
"selectableValues": [
{
"durationMs": 300000
},
{
"durationMs": 900000
},
{
"durationMs": 1800000
},
{
"durationMs": 3600000
},
{
"durationMs": 14400000
},
{
"durationMs": 43200000
},
{
"durationMs": 86400000
},
{
"durationMs": 172800000
},
{
"durationMs": 259200000
},
{
"durationMs": 604800000
},
{
"durationMs": 1209600000
},
{
"durationMs": 2419200000
},
{
"durationMs": 2592000000
},
{
"durationMs": 5184000000
},
{
"durationMs": 7776000000
}
],
"allowCustom": true
}
},
{
"id": "9df846cc-3ff1-4608-ac3a-7dddc6c709a7",
"version": "KqlParameterItem/1.0",
"name": "Domain",
"type": 2,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "OktaSSO\n| summarize by domain_s",
"value": [
"value::all"
],
"typeSettings": {
"additionalResourceOptions": [
"value::1"
],
"showDefault": false
},
"defaultValue": "value::1",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
}
],
"style": "above",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 2"
},
{
"type": 11,
"content": {
"version": "LinkItem/1.0",
"style": "tabs",
"links": [
{
"cellValue": "selectedTab",
"linkTarget": "parameter",
"linkLabel": "Administrative",
"subTarget": "General",
"preText": "Administrative",
"style": "link"
},
{
"cellValue": "selectedTab",
"linkTarget": "parameter",
"linkLabel": "Application",
"subTarget": "Application",
"style": "link"
},
{
"cellValue": "selectedTab",
"linkTarget": "parameter",
"linkLabel": "Session/User Analysis",
"subTarget": "Analysis",
"preText": "Session/User Analysis",
"style": "link"
}
]
},
"name": "links - 13"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "fc39a4b9-f38a-4a3e-bf83-845441828fb8",
"version": "KqlParameterItem/1.0",
"name": "ApplicationList",
"label": "Application",
"type": 2,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "OktaSSO\r\n| where domain_s in ({Domain}) or '*' in ({Domain})\r\n| mv-expand todynamic(target_s)\r\n| where target_s.type == \"AppInstance\"\r\n| distinct tostring(target_s.alternateId)\r\n| sort by target_s_alternateId asc",
"value": [
"value::all"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
]
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
}
],
"style": "above",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "Application"
},
"name": "parameters - 15"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "OktaSSO\r\n| where eventType_s == \"user.session.start\"\r\n| where domain_s in ({Domain}) or '*' in ({Domain})\r\n| summarize Count = count() by Results = outcome_result_s, bin(TimeGenerated, {TimeRange:grain})",
"size": 0,
"title": "Console Logins by Result",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "barchart",
"tileSettings": {
"showBorder": false,
"titleContent": {
"columnMatch": "Results",
"formatter": 1
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
},
"chartSettings": {
"seriesLabelSettings": [
{
"seriesName": "FAILURE",
"color": "red"
},
{
"seriesName": "SUCCESS",
"color": "green"
}
]
}
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "General"
},
"customWidth": "50",
"name": "query - 5"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "OktaSSO\r\n| where eventType_s == \"user.session.start\"\r\n| where domain_s in ({Domain}) or '*' in ({Domain})\r\n| where outcome_result_s == \"FAILURE\"\r\n| summarize Total = count() by User = actor_alternateId_s\r\n| top 10 by Total",
"size": 0,
"title": "Top 10 Failed Console Logins by User",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "Total",
"formatter": 3,
"formatOptions": {
"palette": "coldHot"
}
}
]
},
"tileSettings": {
"showBorder": false,
"titleContent": {
"columnMatch": "Results",
"formatter": 1
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
},
"chartSettings": {
"seriesLabelSettings": [
{
"seriesName": "FAILURE",
"color": "red"
},
{
"seriesName": "SUCCESS",
"color": "green"
}
]
}
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "General"
},
"customWidth": "50",
"name": "query - 5 - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "OktaSSO\r\n| where eventType_s == \"user.authentication.auth_via_mfa\"\r\n| where domain_s in ({Domain}) or '*' in ({Domain})\r\n| where outcome_result_s == \"FAILURE\"\r\n| summarize count() by actor_alternateId_s\r\n| top 10 by count_",
"size": 0,
"title": "Top 10 Failed MFA Authentications by User",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "count_",
"formatter": 3,
"formatOptions": {
"palette": "coldHot"
}
},
{
"columnMatch": "Total",
"formatter": 3,
"formatOptions": {
"palette": "coldHot"
}
}
],
"labelSettings": [
{
"columnId": "actor_alternateId_s",
"label": "User"
},
{
"columnId": "count_",
"label": "Total"
}
]
},
"tileSettings": {
"showBorder": false,
"titleContent": {
"columnMatch": "Results",
"formatter": 1
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
},
"chartSettings": {
"seriesLabelSettings": [
{
"seriesName": "FAILURE",
"color": "red"
},
{
"seriesName": "SUCCESS",
"color": "green"
}
]
}
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "General"
},
"customWidth": "50",
"name": "query - 5 - Copy - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "OktaSSO\r\n| where eventType_s == \"user.authentication.auth_via_mfa\"\r\n| where domain_s in ({Domain}) or '*' in ({Domain})\r\n| summarize Count=count() by Results = outcome_result_s, bin(TimeGenerated, {TimeRange:grain})",
"size": 0,
"title": "MFA Authentications by Result",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "barchart",
"tileSettings": {
"showBorder": false,
"titleContent": {
"columnMatch": "Results",
"formatter": 1
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
},
"chartSettings": {
"seriesLabelSettings": [
{
"seriesName": "SUCCESS",
"color": "green"
},
{
"seriesName": "FAILURE",
"color": "red"
}
]
}
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "General"
},
"customWidth": "50",
"name": "query - 5 - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "OktaSSO\r\n| mv-expand todynamic(target_s)\r\n| where target_s.type == \"AppInstance\"\r\n| where domain_s in ({Domain}) or '*' in ({Domain})\r\n| summarize count() by tostring(target_s.displayName)\r\n| top 10 by count_",
"size": 0,
"title": "Top 10 Active Applications by Event Count",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart",
"tileSettings": {
"showBorder": false,
"titleContent": {
"columnMatch": "Users",
"formatter": 1
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
}
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "General"
},
"customWidth": "50",
"name": "query - 3"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "OktaSSO\r\n| mv-expand todynamic(target_s)\r\n| where target_s.type == \"AppInstance\"\r\n| where domain_s in ({Domain}) or '*' in ({Domain})\r\n| summarize count() by tostring(target_s.displayName), bin(TimeGenerated, {TimeRange:grain})",
"size": 0,
"title": "Events by Application Over Time",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "areachart",
"tileSettings": {
"showBorder": false,
"titleContent": {
"columnMatch": "Users",
"formatter": 1
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
}
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "General"
},
"customWidth": "50",
"name": "Events by Application"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "OktaSSO\r\n| where eventType_s == \"application.user_membership.add\"\r\n| where domain_s in ({Domain}) or '*' in ({Domain})\r\n| extend TargetUser = tostring(parse_json(target_s)[0].alternateId)\r\n| extend Application = tostring(parse_json(target_s)[1].alternateId)\r\n| summarize count() by ['Event Time'] = column_ifexists('published_t', now()), ['Source User'] = actor_alternateId_s, Application, ['Target User'] = TargetUser\r\n| project-away count_\r\n| sort by ['Event Time'] desc",
"size": 0,
"title": "Users Added to Application",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "General"
},
"customWidth": "50",
"name": "query - 18"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "OktaSSO\r\n| where eventType_s == \"application.user_membership.remove\"\r\n| where domain_s in ({Domain}) or '*' in ({Domain})\r\n| extend TargetUser = tostring(parse_json(target_s)[0].alternateId)\r\n| extend Application = tostring(parse_json(target_s)[1].alternateId)\r\n| summarize count() by column_ifexists('published_t', now()), SourceUser = actor_alternateId_s, Application, TargetUser\r\n| project-away count_\r\n| sort by column_ifexists('published_t', now()) desc\r\n",
"size": 0,
"title": "Users Removed from Application",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "General"
},
"customWidth": "50",
"name": "query - 18 - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "OktaSSO\r\n| mv-expand todynamic(target_s)\r\n| where domain_s in ({Domain}) or '*' in ({Domain})\r\n| where target_s.type == \"AppInstance\"\r\n| where target_s.alternateId in ({ApplicationList}) or '*' in ({ApplicationList})\r\n| summarize count() by tostring(target_s.alternateId), bin(TimeGenerated,{TimeRange:grain})",
"size": 0,
"title": "Total Events by Application",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "barchart"
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "Application"
},
"customWidth": "50",
"name": "query - 12"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "OktaSSO\r\n| mv-expand todynamic(target_s)\r\n| where domain_s in ({Domain}) or '*' in ({Domain})\r\n| where target_s.type == \"AppInstance\"\r\n| where target_s.alternateId in ({ApplicationList}) or '*' in ({ApplicationList})\r\n| where eventType_s has \"authentication\"\r\n| where outcome_result_s == \"FAILURE\"\r\n| summarize count() by tostring(target_s.alternateId), bin(TimeGenerated,{TimeRange:grain})",
"size": 0,
"title": "Failed Logins by Application",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "barchart"
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "Application"
},
"customWidth": "50",
"name": "query - 12 - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "OktaSSO\r\n| mv-expand todynamic(target_s)\r\n| where domain_s in ({Domain}) or '*' in ({Domain})\r\n| where target_s.type == \"AppInstance\"\r\n| where target_s.alternateId in ({ApplicationList}) or '*' in ({ApplicationList})\r\n| summarize Total = count() by Application = tostring(target_s.alternateId)\r\n| top 10 by Total",
"size": 0,
"title": "Top 10 Event Count by Application",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "Application"
},
"customWidth": "50",
"name": "query - 12 - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "OktaSSO\r\n| mv-expand todynamic(target_s)\r\n| where domain_s in ({Domain}) or '*' in ({Domain})\r\n| where target_s.type == \"AppInstance\"\r\n| where eventType_s has \"authentication\"\r\n| where target_s.alternateId in ({ApplicationList}) or '*' in ({ApplicationList})\r\n| summarize SUCCESS = countif(outcome_result_s == \"SUCCESS\"), FAILURE = countif(outcome_result_s == \"FAILURE\"), Total = count() by User = actor_alternateId_s\r\n| top 10 by Total\r\n",
"size": 0,
"title": "Top 10 User Authentications",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "SUCCESS",
"formatter": 8,
"formatOptions": {
"palette": "green"
}
},
{
"columnMatch": "FAILURE",
"formatter": 8,
"formatOptions": {
"palette": "red"
}
},
{
"columnMatch": "Total",
"formatter": 3,
"formatOptions": {
"palette": "coldHot"
}
}
]
}
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "Application"
},
"customWidth": "50",
"name": "query - 12 - Copy - Copy"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "427470db-f8f8-461c-adc7-47fe5202b5d1",
"version": "KqlParameterItem/1.0",
"name": "SessionID",
"label": "Session ID",
"type": 2,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "OktaSSO\r\n| where actor_alternateId_s !in (\"system@okta.com\")\r\n| where domain_s in ({Domain}) or '*' in ({Domain})\r\n| distinct authenticationContext_externalSessionId_s\r\n| sort by authenticationContext_externalSessionId_s asc",
"value": [
"value::all"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
]
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
{
"id": "939a52ae-0662-4483-a52b-35287b151074",
"version": "KqlParameterItem/1.0",
"name": "User",
"type": 2,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "OktaSSO\r\n| where actor_alternateId_s !in (\"system@okta.com\")\r\n| where domain_s in ({Domain}) or '*' in ({Domain})\r\n| distinct actor_alternateId_s\r\n| sort by actor_alternateId_s asc",
"value": [
"value::all"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
]
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
{
"id": "059ad6dc-5f2f-490d-941a-d9f87cf71723",
"version": "KqlParameterItem/1.0",
"name": "EventTypes",
"label": "Event Type",
"type": 2,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "OktaSSO\r\n| where domain_s in ({Domain}) or '*' in ({Domain})\r\n| distinct eventType_s\r\n| sort by eventType_s asc",
"value": [
"user.session.start"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
]
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
}
],
"style": "above",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "Analysis"
},
"name": "parameters - 7"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "OktaSSO\r\n| where domain_s in ({Domain}) or '*' in ({Domain})\r\n| where authenticationContext_externalSessionId_s in ({SessionID})\r\n| extend actor_alternateId_s=replace_string(actor_alternateId_s,@'\\','')\r\n| where actor_alternateId_s in ({User}) or '*' in ({User})\r\n| where eventType_s in ({EventTypes}) or '*' in ({EventTypes})\r\n| summarize count(eventType_s) by actor_alternateId_s, bin(column_ifexists('published_t', now()), {TimeRange:grain})",
"size": 0,
"showAnnotations": true,
"title": "User Events Timeline",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "barchart",
"gridSettings": {
"sortBy": [
{
"itemKey": "actor_alternateId_s",
"sortOrder": 2
}
]
},
"sortBy": [
{
"itemKey": "actor_alternateId_s",
"sortOrder": 2
}
]
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "Analysis"
},
"customWidth": "50",
"name": "query - 8 - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "OktaSSO\r\n| where domain_s in ({Domain}) or '*' in ({Domain})\r\n| where authenticationContext_externalSessionId_s in ({SessionID})\r\n| extend actor_alternateId_s=replace_string(actor_alternateId_s,@'\\','')\r\n| where actor_alternateId_s in ({User}) or '*' in ({User})\r\n| where eventType_s in ({EventTypes}) or '*' in ({EventTypes})\r\n| summarize count() by authenticationContext_externalSessionId_s, column_ifexists('published_t', now()), eventType_s, actor_alternateId_s\r\n| sort by authenticationContext_externalSessionId_s asc, column_ifexists('published_t', now()) asc",
"size": 0,
"title": "User Event Details",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"sortBy": [
{
"itemKey": "actor_alternateId_s",
"sortOrder": 2
}
],
"labelSettings": [
{
"columnId": "authenticationContext_externalSessionId_s",
"label": "Session ID"
},
{
"columnId": "published_t",
"label": "Event Time"
},
{
"columnId": "eventType_s",
"label": "Event Type"
},
{
"columnId": "actor_alternateId_s",
"label": "User"
},
{
"columnId": "count_",
"label": "Total"
}
]
},
"sortBy": [
{
"itemKey": "actor_alternateId_s",
"sortOrder": 2
}
]
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "Analysis"
},
"customWidth": "50",
"name": "query - 8"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "OktaSSO\r\n| where domain_s in ({Domain}) or '*' in ({Domain})\r\n| mv-expand todynamic(target_s)\r\n| where target_s.type == \"AppInstance\"\r\n| where eventType_s has \"authentication\"\r\n| where authenticationContext_externalSessionId_s in ({SessionID})\r\n| extend actor_alternateId_s=replace_string(actor_alternateId_s,@'\\','')\r\n| where actor_alternateId_s in ({User}) or '*' in ({User})\r\n| where eventType_s in ({EventTypes}) or '*' in ({EventTypes})\r\n| summarize SUCCESS = countif(outcome_result_s == \"SUCCESS\"), FAILURE = countif(outcome_result_s == \"FAILURE\"), Total = count() by actor_alternateId_s, tostring(target_s.alternateId)\r\n| sort by actor_alternateId_s asc, target_s_alternateId asc\r\n\r\n",
"size": 0,
"title": "Application Authentications",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "SUCCESS",
"formatter": 8,
"formatOptions": {
"palette": "green"
}
},
{
"columnMatch": "FAILURE",
"formatter": 8,
"formatOptions": {
"palette": "red"
}
},
{
"columnMatch": "Total",
"formatter": 3,
"formatOptions": {
"palette": "blue"
}
}
],
"labelSettings": [
{
"columnId": "actor_alternateId_s",
"label": "User"
},
{
"columnId": "target_s_alternateId",
"label": "Application"
},
{
"columnId": "SUCCESS"
},
{
"columnId": "FAILURE"
},
{
"columnId": "Total"
}
]
},
"sortBy": []
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "Analysis"
},
"customWidth": "50",
"name": "query - 8 - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "OktaSSO\r\n| where domain_s in ({Domain}) or '*' in ({Domain})\r\n//| where authenticationContext_externalSessionId_s in ({SessionID})\r\n//| extend actor_alternateId_s=replace_string(actor_alternateId_s,@'\\','')\r\n| where actor_alternateId_s in ({User}) or '*' in ({User})\r\n//| where eventType_s in ({EventTypes}) or '*' in ({EventTypes})\r\n| summarize count(eventType_s) by \tCity = client_geographicalContext_city_s, actor_alternateId_s, Country = client_geographicalContext_country_s, latitude = client_geographicalContext_geolocation_lat_d, longitude = client_geographicalContext_geolocation_lon_d, Results = outcome_result_s",
"size": 0,
"title": "User Events by Geo-Location (all sessions and event types; Session ID and Event Type filters are not applied)",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "map",
"tileSettings": {
"showBorder": false,
"titleContent": {
"columnMatch": "Users",
"formatter": 1
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
},
"mapSettings": {
"locInfo": "LatLong",
"latitude": "latitude",
"longitude": "longitude",
"sizeSettings": "count_eventType_s",
"sizeAggregation": "Sum",
"labelSettings": "actor_alternateId_s",
"legendMetric": "count_eventType_s",
"legendAggregation": "Sum",
"itemColorSettings": {
"nodeColorField": "count_eventType_s",
"colorAggregation": "Sum",
"type": "heatmap",
"heatmapPalette": "greenRed"
}
}
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "Analysis"
},
"customWidth": "50",
"name": "query - 3 - Copy - Copy"
}
],
"fromTemplateId": "sentinel-SSOWorkbook",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}