1507 строки
64 KiB
JSON
1507 строки
64 KiB
JSON
{
|
|
"version": "Notebook/1.0",
|
|
"items": [
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "# Security Operations Efficiency"
|
|
},
|
|
"customWidth": "35",
|
|
"name": "Main headline"
|
|
},
|
|
{
|
|
"type": 9,
|
|
"content": {
|
|
"version": "KqlParameterItem/1.0",
|
|
"crossComponentResources": [],
|
|
"parameters": [
|
|
{
|
|
"id": "9a199167-2dde-49dd-8f01-23e9d1fa8151",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "InternalWSs",
|
|
"type": 1,
|
|
"isRequired": true,
|
|
"query": "SecurityIncident\r\n| take 1\r\n| parse IncidentUrl with * \"/workspaces/\" Workspace \"/\" *\r\n| project Workspace",
|
|
"isHiddenWhenLocked": true,
|
|
"timeContext": {
|
|
"durationMs": 604800000
|
|
},
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
{
|
|
"id": "7806fefd-432f-4828-9756-8c0be5c08d07",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "InternalSub",
|
|
"type": 1,
|
|
"isRequired": true,
|
|
"query": "where type =~ 'microsoft.operationalinsights/workspaces'\r\n| take 1\r\n| project subscriptionId",
|
|
"crossComponentResources": [
|
|
"value::selected"
|
|
],
|
|
"isHiddenWhenLocked": true,
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 1,
|
|
"resourceType": "microsoft.resourcegraph/resources"
|
|
},
|
|
{
|
|
"id": "55d3ab63-6e1f-4d02-8d9e-2225526689c7",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "Subscription",
|
|
"type": 6,
|
|
"isRequired": true,
|
|
"query": "Resources\r\n| summarize Count = count() by subscriptionId\r\n| order by Count desc\r\n| extend Rank = row_number()\r\n| project value = subscriptionId, label = subscriptionId, selected = Rank == 1",
|
|
"crossComponentResources": [
|
|
"value::selected"
|
|
],
|
|
"typeSettings": {
|
|
"additionalResourceOptions": [],
|
|
"showDefault": false
|
|
},
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 1,
|
|
"resourceType": "microsoft.resourcegraph/resources"
|
|
},
|
|
{
|
|
"id": "95a45501-31b5-4ea2-bcb3-eb208e0080e2",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "Workspace",
|
|
"type": 5,
|
|
"isRequired": true,
|
|
"multiSelect": true,
|
|
"quote": "'",
|
|
"delimiter": ",",
|
|
"query": "//resources | where type =~ 'Microsoft.operationsmanagement/solutions' | where name contains //'SecurityInsights' | project id //= tostring(properties.workspaceResourceId)\r\n\r\nwhere type =~ 'microsoft.operationalinsights/workspaces'\r\n| project value =id, label = name, selected = iff(name =~ '{InternalWSs}', true, false)\r\n\r\n\r\n",
|
|
"crossComponentResources": [
|
|
"value::all"
|
|
],
|
|
"typeSettings": {
|
|
"additionalResourceOptions": []
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 1,
|
|
"resourceType": "microsoft.resourcegraph/resources"
|
|
},
|
|
{
|
|
"id": "7d597ad7-4a2a-45ed-a4fe-7ee32de0fc22",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "TimeRange",
|
|
"label": "Incident Creation Time",
|
|
"type": 4,
|
|
"isRequired": true,
|
|
"value": {
|
|
"durationMs": 2592000000
|
|
},
|
|
"typeSettings": {
|
|
"selectableValues": [
|
|
{
|
|
"durationMs": 14400000
|
|
},
|
|
{
|
|
"durationMs": 43200000
|
|
},
|
|
{
|
|
"durationMs": 86400000
|
|
},
|
|
{
|
|
"durationMs": 172800000
|
|
},
|
|
{
|
|
"durationMs": 259200000
|
|
},
|
|
{
|
|
"durationMs": 604800000
|
|
},
|
|
{
|
|
"durationMs": 1209600000
|
|
},
|
|
{
|
|
"durationMs": 2592000000
|
|
}
|
|
],
|
|
"allowCustom": true
|
|
}
|
|
},
|
|
{
|
|
"id": "3a87d4f7-42cc-4c62-b543-6b5d9ab8cf27",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "Severity",
|
|
"type": 2,
|
|
"isRequired": true,
|
|
"multiSelect": true,
|
|
"quote": "'",
|
|
"delimiter": ",",
|
|
"query": "SecurityIncident\r\n| summarize Count = count(IncidentNumber) by Severity\r\n| project Value = Severity, Label = strcat(Severity, \": \", Count)",
|
|
"value": [
|
|
"value::all"
|
|
],
|
|
"typeSettings": {
|
|
"additionalResourceOptions": [
|
|
"value::all"
|
|
],
|
|
"selectAllValue": "*"
|
|
},
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
{
|
|
"id": "81085d3a-5aca-488e-b7c6-ecf1167e59f7",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "Tactics",
|
|
"type": 2,
|
|
"isRequired": true,
|
|
"multiSelect": true,
|
|
"quote": "'",
|
|
"delimiter": ",",
|
|
"query": "SecurityIncident\r\n| extend Tactics = todynamic(AdditionalData.tactics)\r\n| mvexpand Tactics to typeof(string)\r\n| summarize Count=count(IncidentNumber) by Tactics\r\n| project Value = Tactics, Label = strcat(Tactics, \": \", Count)",
|
|
"value": [
|
|
"value::all"
|
|
],
|
|
"typeSettings": {
|
|
"additionalResourceOptions": [
|
|
"value::all"
|
|
],
|
|
"selectAllValue": "*"
|
|
},
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
{
|
|
"id": "0f9efb0d-ac34-41d0-8a19-165840eb2a71",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "Owner",
|
|
"type": 2,
|
|
"isRequired": true,
|
|
"multiSelect": true,
|
|
"quote": "'",
|
|
"delimiter": ",",
|
|
"query": "SecurityIncident\r\n| extend owner = tostring(Owner.assignedTo) \r\n| summarize Count=count(IncidentNumber) by Owner= case(owner==\"\", \"Unassigned\",owner)\r\n| project Value = Owner, Label = strcat(Owner, \": \", Count)",
|
|
"value": [
|
|
"value::all"
|
|
],
|
|
"typeSettings": {
|
|
"additionalResourceOptions": [
|
|
"value::all"
|
|
],
|
|
"selectAllValue": "*"
|
|
},
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
{
|
|
"id": "cf86113b-59ad-4fc9-aeb7-9b44e230641e",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "Product",
|
|
"label": "Product Name",
|
|
"type": 2,
|
|
"isRequired": true,
|
|
"multiSelect": true,
|
|
"quote": "'",
|
|
"delimiter": ",",
|
|
"query": "SecurityIncident\r\n| extend Product = tostring(parse_json(tostring(AdditionalData.alertProductNames))[0]) \r\n| summarize Count=count(IncidentNumber) by Product\r\n| project Value = Product, Label = strcat(Product, \": \", Count)\r\n",
|
|
"value": [
|
|
"value::all"
|
|
],
|
|
"typeSettings": {
|
|
"additionalResourceOptions": [
|
|
"value::all"
|
|
],
|
|
"selectAllValue": "*"
|
|
},
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
{
|
|
"id": "baa92cd2-7ade-41c3-a07c-a11f5ce3e0e6",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "Help",
|
|
"label": "Show Help",
|
|
"type": 10,
|
|
"isRequired": true,
|
|
"typeSettings": {
|
|
"additionalResourceOptions": []
|
|
},
|
|
"jsonData": "[{ \"value\": \"Yes\", \"label\": \"Yes\"},\r\n {\"value\": \"No\", \"label\": \"No\", \"selected\":true }]",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange"
|
|
}
|
|
],
|
|
"style": "above",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.resourcegraph/resources"
|
|
},
|
|
"customWidth": "100",
|
|
"name": "parameters - 6"
|
|
},
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "## Incidents created over time"
|
|
},
|
|
"customWidth": "67",
|
|
"name": "Incidents over time - headline"
|
|
},
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "## Incidents by closing classification"
|
|
},
|
|
"customWidth": "32",
|
|
"name": "Incidents by classification - headline"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "SecurityIncident \n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\n| summarize arg_max(TimeGenerated, Status, Severity, Owner, AdditionalData,CreatedTime) by IncidentNumber\n| where Severity in ({Severity}) or \"*\" in ({Severity})\n| extend Tactics = todynamic(AdditionalData.tactics)\n| extend Owner = todynamic(Owner.assignedTo) \n| where Owner in ({Owner}) or \"*\" in ({Owner})\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \n| where Product in ({Product}) or \"*\" in ({Product})\n| summarize count() by bin(CreatedTime, 1h)\n\n\n\n",
|
|
"size": 1,
|
|
"timeContext": {
|
|
"durationMs": 2592000000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"timeBrushParameterName": "TimeBrush",
|
|
"exportFieldName": "CreatedTime",
|
|
"exportParameterName": "TimePicker",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"visualization": "unstackedbar",
|
|
"gridSettings": {
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "CreatedTime",
|
|
"sortOrder": 2
|
|
}
|
|
]
|
|
},
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "CreatedTime",
|
|
"sortOrder": 2
|
|
}
|
|
],
|
|
"chartSettings": {
|
|
"seriesLabelSettings": [
|
|
{
|
|
"seriesName": "count_",
|
|
"label": "Incidents"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"customWidth": "67",
|
|
"name": "Incidents over time "
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "SecurityIncident\n| where CreatedTime >= {TimeBrush:start} and CreatedTime <= {TimeBrush:end}\n| where Status == 'Closed'\n| where Severity in ({Severity}) or \"*\" in ({Severity})\n| extend Tactics = todynamic(AdditionalData.tactics)\n| where Tactics in ({Tactics}) or \"*\" in ({Tactics})\n| extend Owner = todynamic(Owner.assignedTo) \n| where Owner in ({Owner}) or \"*\" in ({Owner})\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \n| where Product in ({Product}) or \"*\" in ({Product})\n| extend feedback =strcat(Classification,\" \",ClassificationReason)\n| summarize dcount(IncidentNumber) by feedback\n",
|
|
"size": 1,
|
|
"timeContext": {
|
|
"durationMs": 2592000000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"visualization": "piechart"
|
|
},
|
|
"customWidth": "33",
|
|
"name": "Incidents by classification - headline"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "SecurityIncident \n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\n| summarize arg_max(TimeGenerated,Status, Severity, Owner, AdditionalData) by IncidentNumber\n| where Severity in ({Severity}) or \"*\" in ({Severity})\n| extend Tactics = todynamic(AdditionalData.tactics)\n| where Tactics in ({Tactics}) or \"*\" in ({Tactics})\n| extend Owner = todynamic(Owner.assignedTo) \n| where Owner in ({Owner}) or \"*\" in ({Owner})\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \n| where Product in ({Product}) or \"*\" in ({Product})\n| summarize dcount(IncidentNumber) by Severity",
|
|
"size": 1,
|
|
"title": "Incidents created by severity",
|
|
"timeContext": {
|
|
"durationMs": 2592000000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"visualization": "piechart",
|
|
"tileSettings": {
|
|
"showBorder": false,
|
|
"titleContent": {
|
|
"columnMatch": "Classification",
|
|
"formatter": 1
|
|
},
|
|
"leftContent": {
|
|
"columnMatch": "dcount_IncidentNumber",
|
|
"formatter": 12,
|
|
"formatOptions": {
|
|
"palette": "auto"
|
|
},
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"chartSettings": {
|
|
"seriesLabelSettings": [
|
|
{
|
|
"seriesName": "Informational",
|
|
"color": "gray"
|
|
},
|
|
{
|
|
"seriesName": "Low",
|
|
"color": "yellow"
|
|
},
|
|
{
|
|
"seriesName": "Medium",
|
|
"color": "orange"
|
|
},
|
|
{
|
|
"seriesName": "High",
|
|
"color": "red"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"customWidth": "22",
|
|
"name": "By severity"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "SecurityIncident\n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\n| summarize arg_max(TimeGenerated, Status, Severity, Owner, AdditionalData) by IncidentNumber\n| where Severity in ({Severity}) or \"*\" in ({Severity})\n| extend Tactics = todynamic(AdditionalData.tactics)\n| where Tactics in ({Tactics}) or \"*\" in ({Tactics})\n| extend Owner = todynamic(Owner.assignedTo) \n| where Owner in ({Owner}) or \"*\" in ({Owner})\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \n| where Product in ({Product}) or \"*\" in ({Product})\n| summarize count() by case(tostring(Owner)==\"\", \"Unassigned\",tostring(Owner))\n\n",
|
|
"size": 1,
|
|
"title": "Incidents created by owner",
|
|
"timeContext": {
|
|
"durationMs": 2592000000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"visualization": "piechart",
|
|
"tileSettings": {
|
|
"showBorder": false,
|
|
"titleContent": {
|
|
"columnMatch": "Classification",
|
|
"formatter": 1
|
|
},
|
|
"leftContent": {
|
|
"columnMatch": "dcount_IncidentNumber",
|
|
"formatter": 12,
|
|
"formatOptions": {
|
|
"palette": "auto"
|
|
},
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"customWidth": "22",
|
|
"name": "By owner"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "SecurityIncident\n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\n| summarize arg_max(TimeGenerated, Status, Severity, Owner, AdditionalData) by IncidentNumber\n| where Severity in ({Severity}) or \"*\" in ({Severity})\n| extend Tactics = todynamic(AdditionalData.tactics)\n| where Tactics in ({Tactics}) or \"*\" in ({Tactics})\n| extend Owner = todynamic(Owner.assignedTo) \n| where Owner in ({Owner}) or \"*\" in ({Owner})\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \n| where Product in ({Product}) or \"*\" in ({Product})\n| summarize count() by Status\n",
|
|
"size": 1,
|
|
"title": "Incidents created by status",
|
|
"timeContext": {
|
|
"durationMs": 2592000000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"visualization": "piechart",
|
|
"tileSettings": {
|
|
"showBorder": false,
|
|
"titleContent": {
|
|
"columnMatch": "Classification",
|
|
"formatter": 1
|
|
},
|
|
"leftContent": {
|
|
"columnMatch": "dcount_IncidentNumber",
|
|
"formatter": 12,
|
|
"formatOptions": {
|
|
"palette": "auto"
|
|
},
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"customWidth": "22",
|
|
"name": "By status"
|
|
},
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"items": [
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "Time to triage, is the time between the incident creation and its first update.",
|
|
"style": "info"
|
|
},
|
|
"customWidth": "50",
|
|
"conditionalVisibility": {
|
|
"parameterName": "Help",
|
|
"comparison": "isEqualTo",
|
|
"value": "Yes"
|
|
},
|
|
"name": "Help1"
|
|
},
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "Time to closure, is the time between the incident creation and its last closure.",
|
|
"style": "info"
|
|
},
|
|
"customWidth": "50",
|
|
"conditionalVisibility": {
|
|
"parameterName": "Help",
|
|
"comparison": "isEqualTo",
|
|
"value": "Yes"
|
|
},
|
|
"name": "Help1 - Copy"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "SecurityIncident\n| where FirstModifiedTime >= {TimeRange:start} and FirstModifiedTime <= {TimeRange:end}\n| where Severity in ({Severity}) or \"*\" in ({Severity})\n| extend Tactics = todynamic(AdditionalData.tactics)\n| where Tactics in ({Tactics}) or \"*\" in ({Tactics})\n| extend Owner = todynamic(Owner.assignedTo) \n| where Owner in ({Owner}) or \"*\" in ({Owner})\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \n| where Product in ({Product}) or \"*\" in ({Product})\n| summarize arg_max(LastModifiedTime,*) by IncidentNumber \n| extend TimeToTriage = (FirstModifiedTime - CreatedTime)/1h\n| summarize AvgTTT=avg(TimeToTriage) \n",
|
|
"size": 1,
|
|
"title": "Mean time to triage",
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"visualization": "tiles",
|
|
"tileSettings": {
|
|
"titleContent": {
|
|
"formatter": 1
|
|
},
|
|
"leftContent": {
|
|
"columnMatch": "AvgTTT",
|
|
"formatter": 12,
|
|
"formatOptions": {
|
|
"palette": "auto"
|
|
},
|
|
"numberFormat": {
|
|
"unit": 26,
|
|
"options": {
|
|
"style": "decimal",
|
|
"useGrouping": false,
|
|
"maximumFractionDigits": 3
|
|
}
|
|
}
|
|
},
|
|
"showBorder": false,
|
|
"size": "auto"
|
|
}
|
|
},
|
|
"customWidth": "50",
|
|
"name": "MTTT"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "SecurityIncident\n| where ClosedTime >= {TimeRange:start} and ClosedTime <= {TimeRange:end}\n| where Severity in ({Severity}) or \"*\" in ({Severity})\n| extend Tactics = todynamic(AdditionalData.tactics)\n| where Tactics in ({Tactics}) or \"*\" in ({Tactics})\n| extend Owner = todynamic(Owner.assignedTo) \n| where Owner in ({Owner}) or \"*\" in ({Owner})\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \n| where Product in ({Product}) or \"*\" in ({Product})\n| summarize arg_max(TimeGenerated,*) by IncidentNumber \n| extend TimeToClosure = (ClosedTime - CreatedTime)/1h\n| summarize AvgTTC=avg(TimeToClosure)",
|
|
"size": 1,
|
|
"title": "Mean time to closure ",
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"visualization": "tiles",
|
|
"sortBy": [],
|
|
"tileSettings": {
|
|
"titleContent": {
|
|
"columnMatch": "Classification",
|
|
"formatter": 1,
|
|
"formatOptions": {}
|
|
},
|
|
"leftContent": {
|
|
"columnMatch": "AvgTTC",
|
|
"formatter": 12,
|
|
"formatOptions": {
|
|
"palette": "auto"
|
|
},
|
|
"numberFormat": {
|
|
"unit": 26,
|
|
"options": {
|
|
"style": "decimal",
|
|
"useGrouping": false,
|
|
"maximumFractionDigits": 3
|
|
}
|
|
}
|
|
},
|
|
"showBorder": false,
|
|
"size": "auto"
|
|
}
|
|
},
|
|
"customWidth": "50",
|
|
"name": "MTTM"
|
|
}
|
|
]
|
|
},
|
|
"customWidth": "34",
|
|
"name": "Mean times"
|
|
},
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"items": [
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"items": [
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "## Incidents created by severity over time "
|
|
},
|
|
"name": "text - 2 - Copy - Copy"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "SecurityIncident \n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\n| where Severity in ({Severity}) or \"*\" in ({Severity})\n| extend Tactics = todynamic(AdditionalData.tactics)\n| where Tactics in ({Tactics}) or \"*\" in ({Tactics})\n| extend Owner = todynamic(Owner.assignedTo) \n| where Owner in ({Owner}) or \"*\" in ({Owner})\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \n| where Product in ({Product}) or \"*\" in ({Product})\n| summarize Incidents=dcount(IncidentNumber) by Severity, bin(CreatedTime, 1d)",
|
|
"size": 1,
|
|
"timeContext": {
|
|
"durationMs": 2592000000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"visualization": "linechart"
|
|
},
|
|
"name": "query - 2 - Copy - Copy"
|
|
}
|
|
]
|
|
},
|
|
"name": "Incidents severity over time"
|
|
},
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"items": [
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "## Incidents created by owner over time "
|
|
},
|
|
"name": "text - 2 - Copy - Copy - Copy"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "SecurityIncident \n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\n| where Severity in ({Severity}) or \"*\" in ({Severity})\n| extend Tactics = todynamic(AdditionalData.tactics)\n| where Tactics in ({Tactics}) or \"*\" in ({Tactics})\n| extend Owner = todynamic(Owner.assignedTo) \n| where Owner in ({Owner}) or \"*\" in ({Owner})\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \n| where Product in ({Product}) or \"*\" in ({Product})\n| summarize Incidents=dcount(IncidentNumber) by case(tostring(Owner)==\"\", \"Unassigned\",tostring(Owner)), bin(CreatedTime, 1d)\n",
|
|
"size": 1,
|
|
"timeContext": {
|
|
"durationMs": 2592000000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"visualization": "linechart"
|
|
},
|
|
"name": "query - 2 - Copy - Copy - Copy"
|
|
}
|
|
]
|
|
},
|
|
"name": "Incident owner over time"
|
|
},
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"items": [
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "## Incidents created by status over time"
|
|
},
|
|
"name": "text - 2 - Copy"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "SecurityIncident \n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\n| where Severity in ({Severity}) or \"*\" in ({Severity})\n| extend Tactics = todynamic(AdditionalData.tactics)\n| where Tactics in ({Tactics}) or \"*\" in ({Tactics})\n| extend Owner = todynamic(Owner.assignedTo) \n| where Owner in ({Owner}) or \"*\" in ({Owner})\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \n| where Product in ({Product}) or \"*\" in ({Product})\n| summarize Incidents=dcount(IncidentNumber) by Status, bin(CreatedTime, 1d)",
|
|
"size": 1,
|
|
"timeContext": {
|
|
"durationMs": 2592000000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"exportFieldName": "series",
|
|
"exportParameterName": "Status",
|
|
"exportDefaultValue": "All",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"visualization": "linechart"
|
|
},
|
|
"name": "query - 2 - Copy"
|
|
}
|
|
]
|
|
},
|
|
"name": "Incident status over time",
|
|
"styleSettings": {
|
|
"margin": "0",
|
|
"padding": "0"
|
|
}
|
|
},
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"items": [
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "## Incidents created by product over time"
|
|
},
|
|
"name": "text - 2 - Copy"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "SecurityIncident \n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\n| where Severity in ({Severity}) or \"*\" in ({Severity})\n| extend Tactics = todynamic(AdditionalData.tactics)\n| where Tactics in ({Tactics}) or \"*\" in ({Tactics})\n| extend Owner = todynamic(Owner.assignedTo) \n| where Owner in ({Owner}) or \"*\" in ({Owner})\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \n| where Product in ({Product}) or \"*\" in ({Product})\n| summarize Incidents=dcount(IncidentNumber) by tostring(Product), bin(CreatedTime, 1d)",
|
|
"size": 1,
|
|
"timeContext": {
|
|
"durationMs": 2592000000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"exportFieldName": "series",
|
|
"exportParameterName": "Status",
|
|
"exportDefaultValue": "All",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"visualization": "linechart"
|
|
},
|
|
"name": "query - 2 - Copy"
|
|
}
|
|
]
|
|
},
|
|
"name": "Incident status over time - Copy",
|
|
"styleSettings": {
|
|
"margin": "0",
|
|
"padding": "0"
|
|
}
|
|
},
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"items": [
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "## Incidents created by tactics over time "
|
|
},
|
|
"name": "text - 2 - Copy - Copy - Copy - Copy"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "SecurityIncident \n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\n| where Severity in ({Severity}) or \"*\" in ({Severity})\n| extend Tactics = todynamic(AdditionalData.tactics)\n| where Tactics in ({Tactics}) or \"*\" in ({Tactics})\n| extend Owner = todynamic(Owner.assignedTo) \n| where Owner in ({Owner}) or \"*\" in ({Owner})\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \n| where Product in ({Product}) or \"*\" in ({Product})\n| mvexpand Tactics to typeof(string)\n| summarize Incidents=dcount(IncidentNumber) by Tactics, bin(CreatedTime, 1d)",
|
|
"size": 1,
|
|
"timeContext": {
|
|
"durationMs": 2592000000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"visualization": "unstackedbar"
|
|
},
|
|
"name": "query - 2 - Copy - Copy - Copy - Copy"
|
|
}
|
|
]
|
|
},
|
|
"name": "Incidents tactic over time"
|
|
},
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"items": [
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "## Incidents created by tags over time "
|
|
},
|
|
"name": "text - 2 - Copy - Copy - Copy - Copy"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "SecurityIncident \n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\n| where Severity in ({Severity}) or \"*\" in ({Severity})\n| extend Tactics = todynamic(AdditionalData.tactics)\n| where Tactics in ({Tactics}) or \"*\" in ({Tactics})\n| extend Owner = todynamic(Owner.assignedTo) \n| where Owner in ({Owner}) or \"*\" in ({Owner})\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \n| where Product in ({Product}) or \"*\" in ({Product})\n| extend Tags = extract_all('labelName\":\"(.*?)\"',tostring(Labels))\n| mvexpand Tags to typeof(string)\n| summarize Incidents=dcount(IncidentNumber) by Tags, bin(CreatedTime, 1d)",
|
|
"size": 1,
|
|
"timeContext": {
|
|
"durationMs": 2592000000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"visualization": "unstackedbar"
|
|
},
|
|
"name": "query - 2 - Copy - Copy - Copy - Copy"
|
|
}
|
|
]
|
|
},
|
|
"name": "Incidents tactic over time - Copy"
|
|
},
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"items": [
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "## Incidents created by name"
|
|
},
|
|
"name": "text - 2 - Copy - Copy - Copy - Copy"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "SecurityIncident \n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\n| summarize arg_max(TimeGenerated, Status, Severity, Owner, AdditionalData,CreatedTime) by IncidentNumber, Title\n| where Severity in ({Severity}) or \"*\" in ({Severity})\n| extend Tactics = todynamic(AdditionalData.tactics)\n| extend Owner = todynamic(Owner.assignedTo) \n| where Owner in ({Owner}) or \"*\" in ({Owner})\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \n| where Product in ({Product}) or \"*\" in ({Product})\n| summarize count() by bin(CreatedTime, 1h), Title\n| order by count_ desc",
|
|
"size": 1,
|
|
"timeContext": {
|
|
"durationMs": 2592000000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"visualization": "piechart"
|
|
},
|
|
"name": "query - 2 - Copy - Copy - Copy - Copy"
|
|
}
|
|
]
|
|
},
|
|
"name": "Incidents tactic over time - Copy - Copy"
|
|
}
|
|
]
|
|
},
|
|
"customWidth": "50",
|
|
"name": "Over time left panel"
|
|
},
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"items": [
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"items": [
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "## Time to triage (percentiles)"
|
|
},
|
|
"name": "text - 2 - Copy - Copy"
|
|
},
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "Time to triage, is the time between the incident creation and its first update.",
|
|
"style": "info"
|
|
},
|
|
"customWidth": "100",
|
|
"conditionalVisibility": {
|
|
"parameterName": "Help",
|
|
"comparison": "isEqualTo",
|
|
"value": "Yes"
|
|
},
|
|
"name": "Help2"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "SecurityIncident\n| where FirstModifiedTime >= {TimeRange:start} and FirstModifiedTime <= {TimeRange:end}\n| where Severity in ({Severity}) or \"*\" in ({Severity})\n| extend Tactics = todynamic(AdditionalData.tactics)\n| where Tactics in ({Tactics}) or \"*\" in ({Tactics})\n| extend Owner = todynamic(Owner.assignedTo) \n| where Owner in ({Owner}) or \"*\" in ({Owner})\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \n| where Product in ({Product}) or \"*\" in ({Product})\n| summarize arg_max(LastModifiedTime,*) by IncidentNumber \n| extend TimeToTriage = (FirstModifiedTime - CreatedTime)/1h\n| summarize 5th_Percentile=max_of(percentile(TimeToTriage, 5),0),50th_Percentile=percentile(TimeToTriage, 50), 90th_Percentile=percentile(TimeToTriage, 90),99th_Percentile=percentile(TimeToTriage, 99) by bin(FirstModifiedTime, 1d)\n",
|
|
"size": 1,
|
|
"aggregation": 3,
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"visualization": "linechart",
|
|
"chartSettings": {
|
|
"ySettings": {
|
|
"numberFormatSettings": {
|
|
"unit": 26,
|
|
"options": {
|
|
"style": "decimal",
|
|
"useGrouping": true,
|
|
"maximumFractionDigits": 3
|
|
}
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"name": "query - 2 - Copy - Copy"
|
|
}
|
|
]
|
|
},
|
|
"name": "Incidents severity over time"
|
|
},
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"items": [
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "## Time to closure (percentiles)\r\n"
|
|
},
|
|
"name": "text - 2 - Copy - Copy - Copy"
|
|
},
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "Time to closure, is the time between the incident creation and its last closure.",
|
|
"style": "info"
|
|
},
|
|
"customWidth": "100",
|
|
"conditionalVisibility": {
|
|
"parameterName": "Help",
|
|
"comparison": "isEqualTo",
|
|
"value": "Yes"
|
|
},
|
|
"name": "Help3"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "SecurityIncident\n| where ClosedTime >= {TimeRange:start} and ClosedTime <= {TimeRange:end}\n| where Severity in ({Severity}) or \"*\" in ({Severity})\n| extend Tactics = todynamic(AdditionalData.tactics)\n| where Tactics in ({Tactics}) or \"*\" in ({Tactics})\n| extend Owner = todynamic(Owner.assignedTo) \n| where Owner in ({Owner}) or \"*\" in ({Owner})\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \n| where Product in ({Product}) or \"*\" in ({Product})\n| summarize arg_max(LastModifiedTime,*) by IncidentNumber \n| extend TimeToClosure = (ClosedTime - CreatedTime)/1h\n| summarize 5th_Percentile=percentile(TimeToClosure, 5),50th_Percentile=percentile(TimeToClosure, 50), 90th_Percentile=percentile(TimeToClosure, 90),99th_Percentile=percentile(TimeToClosure, 99) by bin(ClosedTime, 1d)\n",
|
|
"size": 1,
|
|
"aggregation": 3,
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"visualization": "linechart",
|
|
"gridSettings": {
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "percentile_MinToTriage_5",
|
|
"sortOrder": 2
|
|
}
|
|
]
|
|
},
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "percentile_MinToTriage_5",
|
|
"sortOrder": 2
|
|
}
|
|
],
|
|
"tileSettings": {
|
|
"showBorder": false
|
|
},
|
|
"chartSettings": {
|
|
"ySettings": {
|
|
"numberFormatSettings": {
|
|
"unit": 26,
|
|
"options": {
|
|
"style": "decimal",
|
|
"useGrouping": true,
|
|
"maximumFractionDigits": 3
|
|
}
|
|
},
|
|
"min": 0
|
|
}
|
|
}
|
|
},
|
|
"name": "query - 2 - Copy - Copy - Copy"
|
|
}
|
|
]
|
|
},
|
|
"name": "Incident owner over time"
|
|
},
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"items": [
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "## Mean time to closure per owner\r\n"
|
|
},
|
|
"name": "text - 2 - Copy"
|
|
},
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "The mean time between the incident creation and last closure by owner",
|
|
"style": "info"
|
|
},
|
|
"customWidth": "100",
|
|
"conditionalVisibility": {
|
|
"parameterName": "Help",
|
|
"comparison": "isEqualTo",
|
|
"value": "Yes"
|
|
},
|
|
"name": "Help3 - Copy"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "SecurityIncident\n| where CreatedTime >= {TimeBrush:start} and CreatedTime <= {TimeBrush:end}\n| where Severity in ({Severity}) or \"*\" in ({Severity})\n| extend Tactics = todynamic(AdditionalData.tactics)\n| where Tactics in ({Tactics}) or \"*\" in ({Tactics})\n| extend Owner = todynamic(Owner.assignedTo) \n| where Owner in ({Owner}) or \"*\" in ({Owner})\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \n| where Product in ({Product}) or \"*\" in ({Product})\n|where Status == 'Closed' \n| extend Ownerr = case(tostring(Owner)==\"\", \"Unassigned\",tostring(Owner))\n| summarize arg_min(LastModifiedTime,*) by IncidentNumber, Owner = Ownerr\n| extend TimeToTriage = LastModifiedTime - CreatedTime, Owner\n| summarize avg(TimeToTriage/1h) by Owner\n",
|
|
"size": 4,
|
|
"timeContext": {
|
|
"durationMs": 2592000000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"exportFieldName": "series",
|
|
"exportParameterName": "Status",
|
|
"exportDefaultValue": "All",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"visualization": "tiles",
|
|
"tileSettings": {
|
|
"titleContent": {
|
|
"columnMatch": "Owner",
|
|
"formatter": 1,
|
|
"formatOptions": {}
|
|
},
|
|
"leftContent": {
|
|
"columnMatch": "avg_",
|
|
"formatter": 12,
|
|
"formatOptions": {
|
|
"palette": "auto"
|
|
},
|
|
"numberFormat": {
|
|
"unit": 26,
|
|
"options": {
|
|
"style": "decimal",
|
|
"useGrouping": false,
|
|
"maximumFractionDigits": 3
|
|
}
|
|
}
|
|
},
|
|
"showBorder": false
|
|
}
|
|
},
|
|
"name": "query - 2 - Copy"
|
|
}
|
|
]
|
|
},
|
|
"name": "Incident status over time",
|
|
"styleSettings": {
|
|
"margin": "0",
|
|
"padding": "0"
|
|
}
|
|
},
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"items": [
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "## Mean time to triage per owner\r\n"
|
|
},
|
|
"name": "text - 2 - Copy"
|
|
},
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "The mean time between the incident creation and first modification by owner",
|
|
"style": "info"
|
|
},
|
|
"customWidth": "100",
|
|
"conditionalVisibility": {
|
|
"parameterName": "Help",
|
|
"comparison": "isEqualTo",
|
|
"value": "Yes"
|
|
},
|
|
"name": "Help3 - Copy - Copy"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "SecurityIncident\n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\n| where Severity in ({Severity}) or \"*\" in ({Severity})\n| extend Tactics = todynamic(AdditionalData.tactics)\n| where Tactics in ({Tactics}) or \"*\" in ({Tactics})\n| extend Owner = todynamic(Owner.assignedTo) \n| where Owner in ({Owner}) or \"*\" in ({Owner})\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \n| where Product in ({Product}) or \"*\" in ({Product})\n| summarize arg_max(FirstModifiedTime,*) by IncidentNumber \n| extend TimeToTriage = FirstModifiedTime - CreatedTime\n| extend MinToTriage = TimeToTriage/1h\n| summarize avg(TimeToTriage/1h) by owner=case(tostring(Owner)==\"\", \"Unassigned\",tostring(Owner))\n\n",
|
|
"size": 4,
|
|
"timeContext": {
|
|
"durationMs": 2592000000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"exportFieldName": "series",
|
|
"exportParameterName": "Status",
|
|
"exportDefaultValue": "All",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"visualization": "tiles",
|
|
"tileSettings": {
|
|
"titleContent": {
|
|
"columnMatch": "owner",
|
|
"formatter": 1
|
|
},
|
|
"leftContent": {
|
|
"columnMatch": "avg_",
|
|
"formatter": 12,
|
|
"formatOptions": {
|
|
"palette": "auto"
|
|
},
|
|
"numberFormat": {
|
|
"unit": 26,
|
|
"options": {
|
|
"style": "decimal",
|
|
"useGrouping": false,
|
|
"maximumFractionDigits": 3
|
|
}
|
|
}
|
|
},
|
|
"showBorder": false
|
|
}
|
|
},
|
|
"name": "query - 2 - Copy"
|
|
}
|
|
]
|
|
},
|
|
"name": "Incident status triage",
|
|
"styleSettings": {
|
|
"margin": "0",
|
|
"padding": "0"
|
|
}
|
|
},
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"items": [
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "## Actions per user"
|
|
},
|
|
"name": "text - 2 - Copy"
|
|
},
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "The number of actions taken on incidents per incident modifier",
|
|
"style": "info"
|
|
},
|
|
"customWidth": "100",
|
|
"conditionalVisibility": {
|
|
"parameterName": "Help",
|
|
"comparison": "isEqualTo",
|
|
"value": "Yes"
|
|
},
|
|
"name": "Help3 - Copy - Copy - Copy"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "SecurityIncident\n| where CreatedTime >= {TimeBrush:start} and CreatedTime <= {TimeBrush:end}\n| where ModifiedBy !in(\"Alert Grouping\",\"Fusion\",\"Incident created from alert\")\n| where ModifiedBy !contains(\"Automation rule\")\n| where Severity in ({Severity}) or \"*\" in ({Severity})\n| extend Tactics = todynamic(AdditionalData.tactics)\n| where Tactics in ({Tactics}) or \"*\" in ({Tactics})\n| extend Owner = todynamic(Owner.assignedTo) \n| where Owner in ({Owner}) or \"*\" in ({Owner})\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \n| where Product in ({Product}) or \"*\" in ({Product})\n| summarize count() by ModifiedBy\n",
|
|
"size": 4,
|
|
"timeContext": {
|
|
"durationMs": 2592000000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"exportFieldName": "series",
|
|
"exportParameterName": "Status",
|
|
"exportDefaultValue": "All",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"visualization": "tiles",
|
|
"tileSettings": {
|
|
"titleContent": {
|
|
"columnMatch": "ModifiedBy",
|
|
"formatter": 1,
|
|
"formatOptions": {}
|
|
},
|
|
"leftContent": {
|
|
"columnMatch": "count_",
|
|
"formatter": 12,
|
|
"formatOptions": {
|
|
"palette": "auto"
|
|
}
|
|
},
|
|
"showBorder": false,
|
|
"sortCriteriaField": "count_",
|
|
"sortOrderField": 2
|
|
}
|
|
},
|
|
"name": "query - 2 - Copy"
|
|
}
|
|
]
|
|
},
|
|
"name": "Incident status over time - Copy",
|
|
"styleSettings": {
|
|
"margin": "0",
|
|
"padding": "0"
|
|
}
|
|
},
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"items": [
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "## Recent activities"
|
|
},
|
|
"name": "text - 2 - Copy - Copy - Copy - Copy"
|
|
},
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "Most recent activities taken on incidents",
|
|
"style": "info"
|
|
},
|
|
"customWidth": "100",
|
|
"conditionalVisibility": {
|
|
"parameterName": "Help",
|
|
"comparison": "isEqualTo",
|
|
"value": "Yes"
|
|
},
|
|
"name": "Help3 - Copy - Copy - Copy - Copy"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "SecurityIncident\n| where Severity in ({Severity}) or \"*\" in ({Severity})\n| extend Tactics = todynamic(AdditionalData.tactics)\n| where Tactics in ({Tactics}) or \"*\" in ({Tactics})\n| extend Owner = todynamic(Owner.assignedTo) \n| where Owner in ({Owner}) or \"*\" in ({Owner})\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \n| where Product in ({Product}) or \"*\" in ({Product})\n| order by LastModifiedTime \n| project LastModifiedTime,IncidentNumber, Title, Product, IncidentUrl, ModifiedBy,Status, Severity, Owner\n| take 250\n\n\n",
|
|
"size": 1,
|
|
"timeContext": {
|
|
"durationMs": 86400000
|
|
},
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"visualization": "table",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "IncidentUrl",
|
|
"formatter": 7,
|
|
"formatOptions": {
|
|
"linkTarget": "Url",
|
|
"linkLabel": "Go to incident >"
|
|
}
|
|
}
|
|
],
|
|
"labelSettings": [
|
|
{
|
|
"columnId": "LastModifiedTime",
|
|
"label": "Last Modified Time"
|
|
},
|
|
{
|
|
"columnId": "IncidentNumber",
|
|
"label": "Incident Number"
|
|
},
|
|
{
|
|
"columnId": "Title"
|
|
},
|
|
{
|
|
"columnId": "Product"
|
|
},
|
|
{
|
|
"columnId": "IncidentUrl",
|
|
"label": "Link to incident"
|
|
},
|
|
{
|
|
"columnId": "ModifiedBy",
|
|
"label": "Modified By"
|
|
},
|
|
{
|
|
"columnId": "Status"
|
|
},
|
|
{
|
|
"columnId": "Severity"
|
|
}
|
|
]
|
|
},
|
|
"tileSettings": {
|
|
"showBorder": false,
|
|
"titleContent": {
|
|
"columnMatch": "Column1",
|
|
"formatter": 1
|
|
},
|
|
"leftContent": {
|
|
"columnMatch": "IncidentNumber",
|
|
"formatter": 12,
|
|
"formatOptions": {
|
|
"palette": "auto"
|
|
},
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"name": "query - 2 - Copy - Copy - Copy - Copy"
|
|
}
|
|
]
|
|
},
|
|
"name": "Incidents tactic over time - Copy"
|
|
},
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"items": [
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "## Recent incident closing classification"
|
|
},
|
|
"name": "text - 2 - Copy - Copy - Copy - Copy"
|
|
},
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "Recent closing classifications and comments of incidents",
|
|
"style": "info"
|
|
},
|
|
"customWidth": "100",
|
|
"conditionalVisibility": {
|
|
"parameterName": "Help",
|
|
"comparison": "isEqualTo",
|
|
"value": "Yes"
|
|
},
|
|
"name": "Help3 - Copy - Copy - Copy - Copy - Copy"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "SecurityIncident\n| where Severity in ({Severity}) or \"*\" in ({Severity})\n| extend Tactics = todynamic(AdditionalData.tactics)\n| where Tactics in ({Tactics}) or \"*\" in ({Tactics})\n| extend Owner = todynamic(Owner.assignedTo) \n| where Owner in ({Owner}) or \"*\" in ({Owner})\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \n| where Product in ({Product}) or \"*\" in ({Product})\n| where Status == 'Closed'\n| order by LastModifiedTime \n| project LastModifiedTime,IncidentNumber, Title, Classification, ClassificationReason,ClassificationComment, Product, IncidentUrl, ModifiedBy,Status, Severity,Owner\n| take 250\n\n\n",
|
|
"size": 1,
|
|
"timeContext": {
|
|
"durationMs": 604800000
|
|
},
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"visualization": "table",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "IncidentUrl",
|
|
"formatter": 7,
|
|
"formatOptions": {
|
|
"linkTarget": "Url",
|
|
"linkLabel": "Go to incident >"
|
|
}
|
|
}
|
|
],
|
|
"labelSettings": [
|
|
{
|
|
"columnId": "LastModifiedTime",
|
|
"label": "Last Modified Time"
|
|
},
|
|
{
|
|
"columnId": "IncidentNumber",
|
|
"label": "Incident Number"
|
|
},
|
|
{
|
|
"columnId": "Title"
|
|
},
|
|
{
|
|
"columnId": "Classification"
|
|
},
|
|
{
|
|
"columnId": "ClassificationReason",
|
|
"label": "Classification Reason"
|
|
},
|
|
{
|
|
"columnId": "ClassificationComment",
|
|
"label": "Classification Comment"
|
|
},
|
|
{
|
|
"columnId": "Product"
|
|
},
|
|
{
|
|
"columnId": "IncidentUrl",
|
|
"label": "Link to incident"
|
|
},
|
|
{
|
|
"columnId": "ModifiedBy",
|
|
"label": "Modified By"
|
|
},
|
|
{
|
|
"columnId": "Status"
|
|
},
|
|
{
|
|
"columnId": "Severity"
|
|
}
|
|
]
|
|
},
|
|
"tileSettings": {
|
|
"showBorder": false,
|
|
"titleContent": {
|
|
"columnMatch": "Column1",
|
|
"formatter": 1
|
|
},
|
|
"leftContent": {
|
|
"columnMatch": "IncidentNumber",
|
|
"formatter": 12,
|
|
"formatOptions": {
|
|
"palette": "auto"
|
|
},
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"name": "query - 2 - Copy - Copy - Copy - Copy"
|
|
}
|
|
]
|
|
},
|
|
"name": "Incidents tactic over time - Copy"
|
|
}
|
|
]
|
|
},
|
|
"customWidth": "50",
|
|
"name": "Over time right panel"
|
|
}
|
|
],
|
|
"fromTemplateId": "sentinel-SecurityOperationsEfficiency",
|
|
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
|
|
}
|