{
"version": "Notebook/1.0",
"items": [
{
"type": 1,
"content": {
"json": "**NOTE**: This data connector depends on a parser based on Kusto Function **GCPCloudDNS** to work as expected. [Follow steps to get this Kusto Function](https://aka.ms/sentinel-gcpclouddns-parser)"
},
"name": "text - 8"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "cd8447d9-b096-4673-92d8-2a1e8291a125",
"version": "KqlParameterItem/1.0",
"name": "TimeRange",
"type": 4,
"description": "Sets the time range for analysis",
"value": {
"durationMs": 2592000000
},
"typeSettings": {
"selectableValues": [
{
"durationMs": 1800000
},
{
"durationMs": 3600000
},
{
"durationMs": 86400000
},
{
"durationMs": 604800000
},
{
"durationMs": 2592000000
},
{
"durationMs": 7776000000
}
]
},
"timeContext": {
"durationMs": 86400000
}
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 11"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "GCPCloudDNS\r\n| make-series TotalEvents = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain};",
"size": 0,
"title": "Events Over Time",
"color": "blueDark",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "timechart",
"graphSettings": {
"type": 0
}
},
"customWidth": "45",
"name": "query - 12",
"styleSettings": {
"maxWidth": "55"
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "GCPCloudDNS\n| summarize count() by QueryTypeName",
"size": 3,
"title": "Query Types",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "27",
"name": "query - 11"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "DNS Requests Summary",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "GCPCloudDNS\n| where isnotempty(Query)\n| summarize count()",
"size": 3,
"title": "Total Requests",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "card",
"textSettings": {
"style": "bignumber"
}
},
"customWidth": "35",
"name": "query - 2"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "GCPCloudDNS\n| where isnotempty(Query)\n| summarize dcount(Query)",
"size": 3,
"title": "Unique Domains",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "card",
"textSettings": {
"style": "bignumber"
}
},
"customWidth": "35",
"name": "query - 1"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "GCPCloudDNS\n| where EventResultDetails != 'NOERROR'\n| summarize count()",
"size": 3,
"title": "DNS Errors",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "card",
"textSettings": {
"style": "bignumber"
}
},
"customWidth": "30",
"name": "query - 4"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "GCPCloudDNS\r\n| where isnotempty(SrcIpAddr)\r\n| summarize dcount(SrcIpAddr)",
"size": 3,
"title": "IP Addresses",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "card",
"textSettings": {
"style": "bignumber"
}
},
"customWidth": "50",
"name": "query - 3",
"styleSettings": {
"margin": "10",
"padding": "10"
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "GCPCloudDNS\n| summarize round(avg(payload_serverLatency_d), 1)",
"size": 3,
"title": "Average Server Latency",
"noDataMessage": "0",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "card",
"textSettings": {
"style": "bignumber"
}
},
"customWidth": "50",
"name": "query - 3"
}
]
},
"customWidth": "28",
"name": "group - 11"
},
{
"type": 1,
"content": {
"json": "## DNS Queries Summary"
},
"name": "text - 10"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "GCPCloudDNS\n| summarize count() by Query\n| top 10 by count_",
"size": 3,
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "35",
"name": "query - 11"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "GCPCloudDNS\r\n| summarize EventCount = count() by Query\r\n| order by EventCount\r\n",
"size": 1,
"title": "Top domains",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table",
"gridSettings": {
"filter": true
},
"tileSettings": {
"titleContent": {
"columnMatch": "URL Category",
"formatter": 1
},
"leftContent": {
"columnMatch": "count_",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"maximumFractionDigits": 2,
"maximumSignificantDigits": 3
}
}
},
"secondaryContent": {
"columnMatch": "Trend",
"formatter": 9,
"formatOptions": {
"palette": "purple"
}
},
"showBorder": false
}
},
"customWidth": "35",
"name": "query - 0",
"styleSettings": {
"maxWidth": "30"
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "GCPCloudDNS\n| where EventResultDetails != 'NOERROR'\n| summarize EventCount = count() by Query\n| order by EventCount",
"size": 1,
"title": "Top DNS queries with errors",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table",
"gridSettings": {
"filter": true
},
"tileSettings": {
"titleContent": {
"columnMatch": "User",
"formatter": 1
},
"leftContent": {
"columnMatch": "TotalMailsReceived",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
},
"secondaryContent": {
"columnMatch": "Trend",
"formatter": 10,
"formatOptions": {
"palette": "magenta"
}
},
"showBorder": false
}
},
"customWidth": "30",
"name": "query - 10"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "GCPCloudDNS\r\n| where isnotempty(SrcIpAddr)\r\n| summarize count() by SrcIpAddr",
"size": 3,
"title": "Top Sources",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart",
"gridSettings": {
"formatters": [
{
"columnMatch": "Total Bytes (KB)",
"formatter": 8,
"formatOptions": {
"palette": "greenRed"
}
}
]
},
"sortBy": []
},
"customWidth": "33",
"name": "query - 2"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "GCPCloudDNS\n| where isnotempty(SrcIpAddr)\n| where EventResultDetails != 'NOERROR'\n| summarize EventCount = count() by SrcIpAddr",
"size": 0,
"title": "Top Sources with errors",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table"
},
"customWidth": "25",
"name": "query - 9"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "GCPCloudDNS\r\n| where EventResultDetails != 'NOERROR'\r\n| order by TimeGenerated\r\n| project Query, EventResultDetails, SrcIpAddr\r\n",
"size": 1,
"title": "Latest DNS query errors",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table",
"gridSettings": {
"filter": true
}
},
"customWidth": "40",
"name": "query - 1"
}
],
"fromTemplateId": "sentinel-GCPDNSWorkbook",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
} |