Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность
Azure-Sentinel/Workbooks/Office365.json

612 строки
23 KiB
JSON
Исходник Ответственный История

{
"version": "Notebook/1.0",
"items": [
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"query": "",
"crossComponentResources": [],
"parameters": [
{
"id": "9dd762f8-8594-432f-b1dc-9561e0b799c6",
"version": "KqlParameterItem/1.0",
"name": "TimeRange",
"type": 4,
"isRequired": true,
"value": {
"durationMs": 7776000000
},
"typeSettings": {
"selectableValues": [
{
"durationMs": 300000
},
{
"durationMs": 900000
},
{
"durationMs": 1800000
},
{
"durationMs": 3600000
},
{
"durationMs": 14400000
},
{
"durationMs": 43200000
},
{
"durationMs": 86400000
},
{
"durationMs": 172800000
},
{
"durationMs": 259200000
},
{
"durationMs": 604800000
},
{
"durationMs": 1209600000
},
{
"durationMs": 2419200000
},
{
"durationMs": 2592000000
},
{
"durationMs": 5184000000
},
{
"durationMs": 7776000000
}
],
"allowCustom": true
}
},
{
"id": "b3974da2-c8c3-4023-a7c4-a904f2daa904",
"version": "KqlParameterItem/1.0",
"name": "Workload",
"type": 2,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "OfficeActivity\r\n| summarize Count= count() by OfficeWorkload\r\n| extend label = strcat(OfficeWorkload, \" - \", Count)\r\n| project OfficeWorkload, label",
"value": null,
"typeSettings": {
"additionalResourceOptions": [
"value::all"
],
"selectAllValue": "*"
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
{
"id": "b6db911d-6ecb-4a4f-812f-db1b1063813f",
"version": "KqlParameterItem/1.0",
"name": "UserType",
"type": 2,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "OfficeActivity\r\n| summarize Count= count() by UserType\r\n| extend label = strcat(UserType, \" - \", Count)\r\n| project UserType, label",
"value": null,
"typeSettings": {
"additionalResourceOptions": [
"value::all"
],
"selectAllValue": "*"
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 1"
},
{
"type": 1,
"content": {
"json": "# General overview"
},
"name": "text - 0"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "OfficeActivity\r\n| where \"*\" in ({Workload}) or OfficeWorkload in ({Workload}) \r\n| where \"*\" in ({UserType}) or UserType in ({UserType})\r\n| summarize count() by OfficeWorkload, bin_at(TimeGenerated, 1h, now())",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Office activity, by workload",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "areachart"
},
"customWidth": "50",
"name": "office activity by workload"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "OfficeActivity \r\n| where \"*\" in ({Workload}) or OfficeWorkload in ({Workload}) \r\n| where \"*\" in ({UserType}) or UserType in ({UserType})\r\n| summarize count() by OfficeWorkload\r\n | sort by count_",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Activity, by workload",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "25",
"name": "Activity by workload"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "OfficeActivity \r\n| where \"*\" in ({Workload}) or OfficeWorkload in ({Workload}) \r\n| where \"*\" in ({UserType}) or UserType in ({UserType})\r\n| where ItemType != '' \r\n| summarize count() by ItemType\r\n | sort by count_",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Activity, by type",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "25",
"name": "Activity by type"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "OfficeActivity \r\n| where \"*\" in ({Workload}) or OfficeWorkload in ({Workload}) \r\n| where \"*\" in ({UserType}) or UserType in ({UserType})\r\n| summarize count() by UserType\r\n | sort by count_",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Activity, by user type",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "25",
"name": "Activity by user type"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "//Admin operations ordered by number \r\nOfficeActivity \r\n| where \"*\" in ({Workload}) or OfficeWorkload in ({Workload}) \r\n| where UserType == 'Admin' \r\n| summarize count() by Operation \r\n| order by count_ \r\n",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Admin activities, by type",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"customWidth": "25",
"name": "Admin activities by type"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "OfficeActivity\r\n| where \"*\" in ({Workload}) or OfficeWorkload in ({Workload}) \r\n| where \"*\" in ({UserType}) or UserType in ({UserType})\r\n| summarize Update = countif(Operation contains 'update'), Create = countif(Operation contains 'create'), Delete = countif(Operation contains 'delete'), Add = countif(Operation contains 'add') by bin_at(TimeGenerated, 1d, now())",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Update, create, add, and delete activities",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "timechart"
},
"customWidth": "50",
"name": "activities over time per week"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "OfficeActivity \r\n| where \"*\" in ({Workload}) or OfficeWorkload in ({Workload}) \r\n| where \"*\" in ({UserType}) or UserType in ({UserType})\r\n| where TimeGenerated >= ago(14d) \r\n| where Operation contains 'group' \r\n| summarize count() by bin(TimeGenerated, 1d) \r\n| extend Week = iff(TimeGenerated>ago(7d), 'This Week', 'Last Week'), TimeGenerated = iff(TimeGenerated>ago(7d), TimeGenerated, TimeGenerated +7d)",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Group activities, per week",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "timechart"
},
"customWidth": "25",
"name": "group activities"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "OfficeActivity \r\n| where \"*\" in ({Workload}) or OfficeWorkload in ({Workload}) \r\n| where \"*\" in ({UserType}) or UserType in ({UserType})\r\n| where TimeGenerated >= ago(14d) \r\n| where Operation contains 'user' \r\n| summarize count() by bin(TimeGenerated, 1d) \r\n| extend Week = iff(TimeGenerated>ago(7d), 'This Week', 'Last Week'), TimeGenerated = iff(TimeGenerated>ago(7d), TimeGenerated, TimeGenerated +7d) \r\n",
"size": 0,
"exportToExcelOptions": "visible",
"title": "User activities, per week",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "timechart"
},
"customWidth": "25",
"name": "User activities"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "OfficeActivity \r\n| where \"*\" in ({Workload}) or OfficeWorkload in ({Workload}) \r\n| where \"*\" in ({UserType}) or UserType in ({UserType})\r\n| where Operation contains 'Folder' \r\n| summarize count() by Operation\r\n | sort by count_",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Folder changes",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "25",
"name": "Folder changes"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "OfficeActivity \r\n| where \"*\" in ({Workload}) or OfficeWorkload in ({Workload}) \r\n| where \"*\" in ({UserType}) or UserType in ({UserType})\r\n| where Operation contains 'File' \r\n| summarize count() by Operation\r\n | sort by count_",
"size": 0,
"exportToExcelOptions": "visible",
"title": "File changes",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "25",
"name": "File changes"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "OfficeActivity\r\n| where \"*\" in ({Workload}) or OfficeWorkload in ({Workload}) \r\n| where \"*\" in ({UserType}) or UserType in ({UserType})\r\n| top 100 by TimeGenerated\r\n| project TimeGenerated, RecordType, Operation, UserType, UserKey, OfficeWorkload, UserId, Parameters, SourceSystem",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Recent activity",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"filter": true,
"labelSettings": []
}
},
"name": "query - 2"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let data = OfficeActivity\r\n| where \"*\" in ({Workload}) or OfficeWorkload in ({Workload}) \r\n| where \"*\" in ({UserType}) or UserType in ({UserType});\r\nlet appData = data\r\n| summarize TotalCount = count() by UserId\r\n| join kind=inner (data\r\n | make-series Trend = count() default = 0 on bin(TimeGenerated, 1d) in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by UserId\r\n | project-away TimeGenerated) on UserId\r\n| order by TotalCount desc, UserId asc\r\n| project UserId, TotalCount, Trend\r\n| serialize Id = row_number();\r\ndata\r\n| summarize TotalCount = count() by Operation , UserId\r\n| join kind=inner (data\r\n | make-series Trend = count() default = 0 on bin(TimeGenerated, 1d) in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by UserId, Operation\r\n | project-away TimeGenerated) on UserId, Operation\r\n| order by TotalCount desc, UserId asc\r\n| project UserId, Operation, TotalCount, Trend\r\n| serialize Id = row_number(1000000)\r\n| join kind=inner (appData) on UserId\r\n| project Id, Name = Operation, Type = 'Operation', ['Operation Count'] = TotalCount, Trend, ParentId = Id1\r\n| union (appData \r\n | project Id, Name = UserId, Type = 'UserId', ['Operation Count'] = TotalCount, Trend )\r\n| order by ['Operation Count'] desc, Name asc",
"size": 0,
"exportToExcelOptions": "visible",
"title": "User activities",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "Id",
"formatter": 5,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Name",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Type",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Operation Count",
"formatter": 3,
"formatOptions": {
"palette": "lightBlue",
"showIcon": true
}
},
{
"columnMatch": "Trend",
"formatter": 9,
"formatOptions": {
"palette": "lightBlue",
"showIcon": true
}
},
{
"columnMatch": "ParentId",
"formatter": 5,
"formatOptions": {
"showIcon": true
}
}
],
"filter": true,
"hierarchySettings": {
"idColumn": "Id",
"parentColumn": "ParentId",
"treeType": 0,
"expanderColumn": "Name"
},
"labelSettings": []
}
},
"name": "Activity by users"
},
{
"type": 1,
"content": {
"json": "---\r\n# SharePoint & OneDrive"
},
"name": "text - 14"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "//Top sharepoint client IPS\r\nOfficeActivity\r\n| where (\"*\" in ({Workload}) or OfficeWorkload in ({Workload})) and OfficeWorkload in ('OneDrive', 'SharePoint') \r\n| where \"*\" in ({UserType}) or UserType in ({UserType})\r\n| summarize Number = count() by Operation\r\n| top 10 by Number",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Top 10 activities",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"customWidth": "25",
"name": "Top 10 activities"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "//Files Downloaded by type\r\nOfficeActivity\r\n| where (\"*\" in ({Workload}) or OfficeWorkload in ({Workload})) and OfficeWorkload in ('OneDrive', 'SharePoint') \r\n| where \"*\" in ({UserType}) or UserType in ({UserType})\r\n| where Operation == 'FileDownloaded'\r\n| summarize count() by SourceFileExtension\r\n",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Files downloaded, by extension",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "25",
"name": "Files downloaded by extension"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "//Files Uploaded by type \r\nOfficeActivity \r\n| where (\"*\" in ({Workload}) or OfficeWorkload in ({Workload})) and OfficeWorkload in ('OneDrive', 'SharePoint') \r\n| where \"*\" in ({UserType}) or UserType in ({UserType})\r\n| where Operation == 'FileUploaded' \r\n| summarize count() by SourceFileExtension\r\n | sort by count_",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Files uploaded, by extension",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "25",
"name": "Files uploaded by extension"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "//Top sharepoint sites \r\nOfficeActivity \r\n| where (\"*\" in ({Workload}) or OfficeWorkload in ({Workload})) and OfficeWorkload in ('OneDrive', 'SharePoint') \r\n| where \"*\" in ({UserType}) or UserType in ({UserType})\r\n| where Site_Url != ''\r\n| summarize Number = count() by Site_Url \r\n| top 10 by Number ",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Top 10 sites",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "Site_Url",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Number",
"formatter": 3,
"formatOptions": {
"min": 0,
"palette": "lightBlue",
"showIcon": true
}
}
],
"labelSettings": []
},
"tileSettings": {
"titleContent": {
"columnMatch": "Site_Url",
"formatter": 1,
"formatOptions": {
"showIcon": true
}
},
"leftContent": {
"columnMatch": "Number",
"formatter": 12,
"formatOptions": {
"palette": "auto",
"showIcon": true
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
},
"showBorder": false
}
},
"customWidth": "25",
"name": "query - 18"
},
{
"type": 1,
"content": {
"json": "---\r\n# Exchange"
},
"name": "text - 20"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "//Mailbox Logins by hour\r\nOfficeActivity\r\n| where OfficeWorkload == 'Exchange' and (\"*\" in ({UserType}) or UserType in ({UserType}))\r\n| where Operation == 'MailboxLogin'\r\n| summarize Logins = count() by bin_at(TimeGenerated, 1h, now())",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Mailbox logins, by hour",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "timechart"
},
"customWidth": "50",
"name": "Mailbox logins by hour"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "//Exchange operations that are performed by actors outside your organization - external\r\nOfficeActivity\r\n| where OfficeWorkload == 'Exchange' and \"*\" in ({UserType}) or UserType in ({UserType})\r\n| where ExternalAccess == 'True' \r\n| summarize count() by Operation\r\n | sort by count_",
"size": 0,
"exportToExcelOptions": "visible",
"title": "External access activities, by activities",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "25",
"name": "External access activities"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "OfficeActivity \r\n| where OfficeWorkload == 'Exchange' and \"*\" in ({UserType}) or UserType in ({UserType})\r\n| summarize count() by UserType \r\n | sort by count_",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Activities, by user type",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "25",
"name": "Activities by user type"
}
],
"styleSettings": {},
"fromTemplateId": "sentinel-Office365",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}
Ссылка в новой задаче Показать git blame Копировать постоянную ссылку