1524 строки
60 KiB
JSON
1524 строки
60 KiB
JSON
{
|
|
"version": "Notebook/1.0",
|
|
"items": [
|
|
{
|
|
"type": 9,
|
|
"content": {
|
|
"version": "KqlParameterItem/1.0",
|
|
"parameters": [
|
|
{
|
|
"id": "997c84bc-c454-47f7-a288-99429173dfeb",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "Subscription",
|
|
"type": 6,
|
|
"isRequired": true,
|
|
"multiSelect": true,
|
|
"quote": "'",
|
|
"delimiter": ",",
|
|
"value": [],
|
|
"typeSettings": {
|
|
"additionalResourceOptions": [],
|
|
"includeAll": false
|
|
}
|
|
},
|
|
{
|
|
"id": "73638b3d-aa3f-4872-a56b-a0eaf3fc7714",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "Workspace",
|
|
"type": 5,
|
|
"isRequired": true,
|
|
"query": "Resources | where type =~ \"microsoft.operationalinsights/workspaces\" | order by name | project id, name, selected=row_number()==1, group=resourceGroup",
|
|
"crossComponentResources": [
|
|
"{Subscription}"
|
|
],
|
|
"typeSettings": {
|
|
"additionalResourceOptions": []
|
|
},
|
|
"queryType": 1,
|
|
"resourceType": "microsoft.resourcegraph/resources"
|
|
},
|
|
{
|
|
"id": "9fa77675-1222-4936-89d0-285da325bba0",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "TimeRange",
|
|
"type": 4,
|
|
"isRequired": true,
|
|
"typeSettings": {
|
|
"selectableValues": [
|
|
{
|
|
"durationMs": 300000
|
|
},
|
|
{
|
|
"durationMs": 900000
|
|
},
|
|
{
|
|
"durationMs": 1800000
|
|
},
|
|
{
|
|
"durationMs": 3600000
|
|
},
|
|
{
|
|
"durationMs": 14400000
|
|
},
|
|
{
|
|
"durationMs": 43200000
|
|
},
|
|
{
|
|
"durationMs": 86400000
|
|
},
|
|
{
|
|
"durationMs": 172800000
|
|
},
|
|
{
|
|
"durationMs": 259200000
|
|
},
|
|
{
|
|
"durationMs": 604800000
|
|
},
|
|
{
|
|
"durationMs": 1209600000
|
|
},
|
|
{
|
|
"durationMs": 2419200000
|
|
},
|
|
{
|
|
"durationMs": 2592000000
|
|
}
|
|
],
|
|
"allowCustom": true
|
|
},
|
|
"value": {
|
|
"durationMs": 604800000
|
|
}
|
|
},
|
|
{
|
|
"id": "a0406b61-d150-4fd8-80d7-b2e0f97585c4",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "Help",
|
|
"type": 10,
|
|
"isRequired": true,
|
|
"typeSettings": {
|
|
"additionalResourceOptions": []
|
|
},
|
|
"jsonData": "[\r\n { \"value\": \"Yes\", \"label\": \"Yes\"},\r\n {\"value\": \"No\", \"label\": \"No\", \"selected\":true },\r\n { \"value\": \"Change Log\", \"label\": \"Change Log\"}\r\n]"
|
|
}
|
|
],
|
|
"style": "above",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
"customWidth": "70",
|
|
"name": "parameters - 1"
|
|
},
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "### Help file\r\n\r\nCisco Firepower by Clive Watson - Quorum Cyber."
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "Help",
|
|
"comparison": "isEqualTo",
|
|
"value": "Yes"
|
|
},
|
|
"name": "text - 7"
|
|
},
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "### Change Log \r\n\r\n|Version|Description|\r\n|---|---|\r\n|v1.0| Initial Version.| \r\n\r\n"
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "Help",
|
|
"comparison": "isEqualTo",
|
|
"value": "Change Log"
|
|
},
|
|
"name": "text - 7 - Copy"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| summarize count() by bin(TimeGenerated, {TimeRange:grain})",
|
|
"size": 1,
|
|
"title": "📊 Data flow over Time - TimeBrush enabled. You can click within this chart and select a subset of the data. TimeRange selected: {TimeRange:label} with Automatic Time Grain of: {TimeRange:grain}",
|
|
"color": "pink",
|
|
"timeContextFromParameter": "TimeRange",
|
|
"timeBrushParameterName": "TimeRange",
|
|
"timeBrushExportOnlyWhenBrushed": true,
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"visualization": "areachart"
|
|
},
|
|
"name": "query - 7"
|
|
},
|
|
{
|
|
"type": 11,
|
|
"content": {
|
|
"version": "LinkItem/1.0",
|
|
"style": "tabs",
|
|
"links": [
|
|
{
|
|
"id": "36551f60-027c-458a-b566-64258b24c35a",
|
|
"cellValue": "selectedTab",
|
|
"linkTarget": "parameter",
|
|
"linkLabel": "Overview",
|
|
"subTarget": "overview",
|
|
"style": "link"
|
|
},
|
|
{
|
|
"id": "9765ed81-1e76-4bde-98eb-791b5acfd313",
|
|
"cellValue": "selectedTab",
|
|
"linkTarget": "parameter",
|
|
"linkLabel": "Malicious IP",
|
|
"subTarget": "malicious",
|
|
"style": "link"
|
|
},
|
|
{
|
|
"id": "94ed67b9-3b31-4660-8027-3ac1c2ab852e",
|
|
"cellValue": "selectedTab",
|
|
"linkTarget": "parameter",
|
|
"linkLabel": "Top 10",
|
|
"subTarget": "top",
|
|
"style": "link"
|
|
},
|
|
{
|
|
"id": "d5eb3a10-16cb-421b-8f15-00c7dd47bb7f",
|
|
"cellValue": "selectedTab",
|
|
"linkTarget": "parameter",
|
|
"linkLabel": "Hunting",
|
|
"subTarget": "hunting",
|
|
"style": "link"
|
|
},
|
|
{
|
|
"id": "48d4cb41-9517-476f-b13f-8116dff34873",
|
|
"cellValue": "selectedTab",
|
|
"linkTarget": "parameter",
|
|
"linkLabel": "Status",
|
|
"subTarget": "status",
|
|
"style": "link"
|
|
}
|
|
]
|
|
},
|
|
"name": "links - 12"
|
|
},
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"title": "Overview",
|
|
"items": [
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| summarize count() by DeviceAction\r\n| order by count_ desc",
|
|
"size": 3,
|
|
"title": "Count by Actions ",
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "table",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "count_",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "greenRed"
|
|
}
|
|
}
|
|
]
|
|
},
|
|
"tileSettings": {
|
|
"titleContent": {
|
|
"columnMatch": "DeviceEventClassID",
|
|
"formatter": 1,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
"leftContent": {
|
|
"columnMatch": "Count",
|
|
"formatter": 12,
|
|
"formatOptions": {
|
|
"palette": "auto",
|
|
"showIcon": true
|
|
},
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
},
|
|
"secondaryContent": {
|
|
"columnMatch": "Trend",
|
|
"formatter": 9,
|
|
"formatOptions": {
|
|
"palette": "blueDark",
|
|
"showIcon": true
|
|
}
|
|
},
|
|
"showBorder": false
|
|
}
|
|
},
|
|
"customWidth": "33",
|
|
"name": "Threats by subtypes"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| summarize count() by Protocol\r\n| order by Protocol asc, count_ desc",
|
|
"size": 3,
|
|
"title": "Count by Protocols",
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "table",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "count_",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "greenRed"
|
|
}
|
|
}
|
|
],
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "Protocol",
|
|
"sortOrder": 2
|
|
}
|
|
]
|
|
},
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "Protocol",
|
|
"sortOrder": 2
|
|
}
|
|
],
|
|
"tileSettings": {
|
|
"titleContent": {
|
|
"columnMatch": "DeviceEventClassID",
|
|
"formatter": 1,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
"leftContent": {
|
|
"columnMatch": "Count",
|
|
"formatter": 12,
|
|
"formatOptions": {
|
|
"palette": "auto",
|
|
"showIcon": true
|
|
},
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
},
|
|
"secondaryContent": {
|
|
"columnMatch": "Trend",
|
|
"formatter": 9,
|
|
"formatOptions": {
|
|
"palette": "blueDark",
|
|
"showIcon": true
|
|
}
|
|
},
|
|
"showBorder": false
|
|
}
|
|
},
|
|
"customWidth": "33",
|
|
"name": "Protocols"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| summarize count() by DeviceName\r\n| order by count_ desc",
|
|
"size": 3,
|
|
"title": "Count by DeviceName",
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "table",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "count_",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "greenRed"
|
|
}
|
|
}
|
|
]
|
|
},
|
|
"tileSettings": {
|
|
"titleContent": {
|
|
"columnMatch": "DeviceEventClassID",
|
|
"formatter": 1,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
"leftContent": {
|
|
"columnMatch": "Count",
|
|
"formatter": 12,
|
|
"formatOptions": {
|
|
"palette": "auto",
|
|
"showIcon": true
|
|
},
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
},
|
|
"secondaryContent": {
|
|
"columnMatch": "Trend",
|
|
"formatter": 9,
|
|
"formatOptions": {
|
|
"palette": "blueDark",
|
|
"showIcon": true
|
|
}
|
|
},
|
|
"showBorder": false
|
|
}
|
|
},
|
|
"customWidth": "33",
|
|
"name": "Protocols - Copy"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where isnotempty(DeviceEventClassID) \r\n| extend ThreatId = coalesce(\r\n column_ifexists(\"DeviceEventCategory\", \"\"),\r\n extract('cat=([^;]+)',1,AdditionalExtensions),\r\n \"\"\r\n )\r\n| where isnotempty(ThreatId)\r\n| summarize Amount=count() by ThreatId, LogSeverity\r\n| order by LogSeverity desc",
|
|
"size": 3,
|
|
"title": "Count by Threats",
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "table",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "LogSeverity",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "greenRed"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Amount",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "greenRed"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "count_",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "greenRed"
|
|
}
|
|
}
|
|
]
|
|
},
|
|
"tileSettings": {
|
|
"titleContent": {
|
|
"columnMatch": "DeviceEventClassID",
|
|
"formatter": 1,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
"leftContent": {
|
|
"columnMatch": "Count",
|
|
"formatter": 12,
|
|
"formatOptions": {
|
|
"palette": "auto",
|
|
"showIcon": true
|
|
},
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
},
|
|
"secondaryContent": {
|
|
"columnMatch": "Trend",
|
|
"formatter": 9,
|
|
"formatOptions": {
|
|
"palette": "blueDark",
|
|
"showIcon": true
|
|
}
|
|
},
|
|
"showBorder": false
|
|
}
|
|
},
|
|
"customWidth": "33",
|
|
"name": "Protocols - threats"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| summarize count() by ApplicationProtocol\r\n| order by count_ desc",
|
|
"size": 0,
|
|
"title": "Count by Application Protocol ",
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "table",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "LogSeverity",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "greenRed"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Amount",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "greenRed"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "count_",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "greenRed"
|
|
}
|
|
}
|
|
]
|
|
},
|
|
"tileSettings": {
|
|
"titleContent": {
|
|
"columnMatch": "DeviceEventClassID",
|
|
"formatter": 1,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
"leftContent": {
|
|
"columnMatch": "Count",
|
|
"formatter": 12,
|
|
"formatOptions": {
|
|
"palette": "auto",
|
|
"showIcon": true
|
|
},
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
},
|
|
"secondaryContent": {
|
|
"columnMatch": "Trend",
|
|
"formatter": 9,
|
|
"formatOptions": {
|
|
"palette": "blueDark",
|
|
"showIcon": true
|
|
}
|
|
},
|
|
"showBorder": false
|
|
}
|
|
},
|
|
"customWidth": "33",
|
|
"name": "Protocols - app protocol"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| summarize count() by DeviceEventClassID\r\n| order by count_ desc",
|
|
"size": 1,
|
|
"title": "Count by EventClass",
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "piechart",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "count_",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "greenRed"
|
|
}
|
|
}
|
|
]
|
|
},
|
|
"tileSettings": {
|
|
"titleContent": {
|
|
"columnMatch": "DeviceEventClassID",
|
|
"formatter": 1,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
"leftContent": {
|
|
"columnMatch": "Count",
|
|
"formatter": 12,
|
|
"formatOptions": {
|
|
"palette": "auto",
|
|
"showIcon": true
|
|
},
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
},
|
|
"secondaryContent": {
|
|
"columnMatch": "Trend",
|
|
"formatter": 9,
|
|
"formatOptions": {
|
|
"palette": "blueDark",
|
|
"showIcon": true
|
|
}
|
|
},
|
|
"showBorder": false
|
|
}
|
|
},
|
|
"customWidth": "33",
|
|
"name": "Protocols - Copy - Copy"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog\r\n| where isnotempty(DeviceEventClassID) \r\n| extend ThreatId = coalesce(\r\n column_ifexists(\"DeviceEventCategory\", \"\"),\r\n extract('cat=([^;]+)',1,AdditionalExtensions),\r\n \"\"\r\n )\r\n| where isnotempty(ThreatId)\r\n| where AdditionalExtensions !contains \"Not\"\r\n| summarize arg_max(TimeGenerated,*) by ThreatId\r\n",
|
|
"size": 0,
|
|
"title": "Lastest Threats by ThreatId, {$rowCount}",
|
|
"timeContextFromParameter": "TimeRange",
|
|
"showExportToExcel": true,
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "table",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "LogSeverity",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "greenRed"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "DeviceAction",
|
|
"formatter": 18,
|
|
"formatOptions": {
|
|
"thresholdsOptions": "icons",
|
|
"thresholdsGrid": [
|
|
{
|
|
"operator": "startsWith",
|
|
"thresholdValue": "Block",
|
|
"representation": "3",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "startsWith",
|
|
"thresholdValue": "Allow",
|
|
"representation": "success",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "Default",
|
|
"thresholdValue": null,
|
|
"representation": "more",
|
|
"text": "{0}{1}"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Amount",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "greenRed"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "count_",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "greenRed"
|
|
}
|
|
}
|
|
],
|
|
"filter": true
|
|
},
|
|
"tileSettings": {
|
|
"titleContent": {
|
|
"columnMatch": "DeviceEventClassID",
|
|
"formatter": 1,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
"leftContent": {
|
|
"columnMatch": "Count",
|
|
"formatter": 12,
|
|
"formatOptions": {
|
|
"palette": "auto",
|
|
"showIcon": true
|
|
},
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
},
|
|
"secondaryContent": {
|
|
"columnMatch": "Trend",
|
|
"formatter": 9,
|
|
"formatOptions": {
|
|
"palette": "blueDark",
|
|
"showIcon": true
|
|
}
|
|
},
|
|
"showBorder": false
|
|
}
|
|
},
|
|
"name": "Protocols - threats last"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where DeviceAction has \"Block\"\r\n| summarize arg_max(TimeGenerated,*) by DeviceName, SourceIP",
|
|
"size": 0,
|
|
"title": "Blocks by Device, {$rowCount} - Click to check IOC status",
|
|
"timeContextFromParameter": "TimeRange",
|
|
"exportFieldName": "SourceIP",
|
|
"exportParameterName": "IPAddress",
|
|
"showExportToExcel": true,
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "table",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "count_",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "greenRed"
|
|
}
|
|
}
|
|
],
|
|
"filter": true
|
|
},
|
|
"tileSettings": {
|
|
"titleContent": {
|
|
"columnMatch": "DeviceEventClassID",
|
|
"formatter": 1,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
"leftContent": {
|
|
"columnMatch": "Count",
|
|
"formatter": 12,
|
|
"formatOptions": {
|
|
"palette": "auto",
|
|
"showIcon": true
|
|
},
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
},
|
|
"secondaryContent": {
|
|
"columnMatch": "Trend",
|
|
"formatter": 9,
|
|
"formatOptions": {
|
|
"palette": "blueDark",
|
|
"showIcon": true
|
|
}
|
|
},
|
|
"showBorder": false
|
|
}
|
|
},
|
|
"name": "Threat"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "ThreatIntelligenceIndicator\r\n| where TimeGenerated > ago(180d)\r\n| where NetworkIP == '{IPAddress}'\r\n| summarize arg_max(TimeGenerated, Active) by IndicatorId, SourceSystem, Description, ThreatType\r\n| project SourceSystem, Description, ThreatType, Active",
|
|
"size": 4,
|
|
"title": "IP Threat Intelligence",
|
|
"noDataMessage": "No Threat Intelligence was found for the selected IP.",
|
|
"noDataMessageStyle": 3,
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
]
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 13"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": " let starttime = 14d;\r\n let endtime = 1d;\r\n let timeframe = 1h;\r\n let scorethreshold = 5;\r\n let percentotalthreshold = 50;\r\n let TimeSeriesData = CommonSecurityLog\r\n | where DeviceVendor =~ \"Cisco\"\r\n | where DeviceProduct =~ 'Firepower'\r\n | where isnotempty(DestinationIP) and isnotempty(SourceIP)\r\n | where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\r\n | project TimeGenerated,SourceIP, DestinationIP, DeviceVendor\r\n | make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor;\r\n // Filtering specific records associated with spikes as outliers\r\n let TimeSeriesAlerts=materialize(TimeSeriesData\r\n | extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, 'linefit')\r\n | mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\r\n | where anomalies > 0 | extend score = round(score,2), AnomalyHour = TimeGenerated\r\n | project DeviceVendor,AnomalyHour, TimeGenerated, Total, baseline, anomalies, score);\r\n let AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated > ago(2d) | project TimeGenerated);\r\n // Join anomalies with Base Data to popalate associated records for investigation - Results sorted by score in descending order\r\n TimeSeriesAlerts\r\n | where TimeGenerated > ago(2d)\r\n | join (\r\n CommonSecurityLog\r\n | where isnotempty(DestinationIP) and isnotempty(SourceIP)\r\n | where TimeGenerated > ago(2d)\r\n | extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\r\n | where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\r\n | summarize HourlyCount = count(), TimeGeneratedMax = arg_max(TimeGenerated, *), DestinationIPlist = make_set(DestinationIP, 100), DestinationPortlist = make_set(DestinationPort, 100) by DeviceVendor, SourceIP, TimeGeneratedHour= bin(TimeGenerated, 1h)\r\n | extend AnomalyHour = TimeGeneratedHour\r\n ) on AnomalyHour, DeviceVendor\r\n | extend PercentTotal = round((HourlyCount / Total) * 100, 3)\r\n | where PercentTotal > percentotalthreshold\r\n | project DeviceVendor , AnomalyHour, TimeGeneratedMax, SourceIP, DestinationIPlist, DestinationPortlist, HourlyCount, PercentTotal, Total, baseline, score, anomalies\r\n | summarize HourlyCount=sum(HourlyCount), StartTimeUtc=min(TimeGeneratedMax), EndTimeUtc=max(TimeGeneratedMax), SourceIPlist = make_set(SourceIP, 100), SourceIPMax= arg_max(SourceIP, *), DestinationIPlist = make_set(DestinationIPlist, 100), DestinationPortlist = make_set(DestinationPortlist, 100) by DeviceVendor , AnomalyHour, Total, baseline, score, anomalies\r\n | project DeviceVendor , AnomalyHour, EndTimeUtc, SourceIPMax ,SourceIPlist, DestinationIPlist, DestinationPortlist, HourlyCount, Total, baseline, score, anomalies\r\n | extend timestamp= EndTimeUtc , IPCustomEntity = SourceIPMax",
|
|
"size": 0,
|
|
"title": "Time series anomaly detection for total volume of traffic, {$rowCount}",
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "timechart"
|
|
},
|
|
"name": "query - 8"
|
|
},
|
|
{
|
|
"type": 9,
|
|
"content": {
|
|
"version": "KqlParameterItem/1.0",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"parameters": [
|
|
{
|
|
"id": "08d36e84-8b0b-449c-9d25-87c43f942139",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "ComputerList",
|
|
"type": 10,
|
|
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n//| where DeviceAction has \"Block\"\r\n| summarize by Computer\r\n| order by Computer asc",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"typeSettings": {
|
|
"additionalResourceOptions": [],
|
|
"showDefault": false
|
|
},
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
}
|
|
],
|
|
"style": "above",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
"name": "parameters - 12 - Copy"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Cisco\"\r\n| where DeviceProduct == \"Firepower\" \r\n| where Activity == \"File Malware Event\"\r\n| where '{ComputerList}' == DeviceAction or '{ComputerList:label}' == \"<unset>\"\r\n",
|
|
"size": 0,
|
|
"title": "File Malware Events, {$rowCount}",
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
"name": "query - 9"
|
|
},
|
|
{
|
|
"type": 9,
|
|
"content": {
|
|
"version": "KqlParameterItem/1.0",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"parameters": [
|
|
{
|
|
"id": "430a4e5d-e516-4020-9c31-12f5e0297e95",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "DeviceAction",
|
|
"type": 10,
|
|
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n//| where DeviceAction has \"Block\"\r\n| where DestinationPort == \"80\"\r\n| summarize by DeviceAction\r\n| order by DeviceAction asc",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"typeSettings": {
|
|
"additionalResourceOptions": [],
|
|
"showDefault": false
|
|
},
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
}
|
|
],
|
|
"style": "above",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
"name": "parameters - 12"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Cisco\"\r\n| where DeviceProduct == \"Firepower\" \r\n| where DestinationPort == \"80\"\r\n| where '{DeviceAction}' == DeviceAction or '{DeviceAction:label}' == \"<unset>\"\r\n",
|
|
"size": 0,
|
|
"title": "Outbound Web Traffic Port 80, {$rowCount}",
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
"name": "query - 9 - Copy"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Cisco\"\r\n| where DeviceProduct == \"Firepower\"\r\n| extend bytesOut = extract('bytesOut=([^;]+)',1,AdditionalExtensions)\r\n| summarize by bytesOut, Computer, RequestURL, SourceUserName , SourceIP, SourceHostName, DestinationIP, DestinationPort\r\n| top 20 by bytesOut\r\n| order by bytesOut desc",
|
|
"size": 0,
|
|
"title": "Top 20 sending URLs (bytes Sent Out)",
|
|
"timeContextFromParameter": "TimeRange",
|
|
"showExportToExcel": true,
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "bytesOut",
|
|
"formatter": 0,
|
|
"numberFormat": {
|
|
"unit": 36,
|
|
"options": {
|
|
"style": "decimal"
|
|
}
|
|
}
|
|
}
|
|
],
|
|
"filter": true
|
|
},
|
|
"sortBy": []
|
|
},
|
|
"name": "query - 15"
|
|
}
|
|
]
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "selectedTab",
|
|
"comparison": "isEqualTo",
|
|
"value": "overview"
|
|
},
|
|
"name": "group - overview"
|
|
},
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"items": [
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Cisco\"\r\n| where DeviceProduct == \"Firepower\" \r\n| summarize LastLogReceived = max(TimeGenerated)| project IsConnected = LastLogReceived > ago(30d), LastLogReceived, minsSinceLastLog = datetime_diff('minute',LastLogReceived, now())",
|
|
"size": 0,
|
|
"title": "IsConnected",
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "IsConnected",
|
|
"formatter": 18,
|
|
"formatOptions": {
|
|
"thresholdsOptions": "icons",
|
|
"thresholdsGrid": [
|
|
{
|
|
"operator": "!=",
|
|
"thresholdValue": "true",
|
|
"representation": "Unavailable",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "Default",
|
|
"thresholdValue": null,
|
|
"representation": "success",
|
|
"text": "{True}"
|
|
}
|
|
]
|
|
}
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 9 - Copy - Copy"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where _IsBillable = true\r\n| make-series billedData = sum(_BilledSize) on TimeGenerated from {TimeRange:start} to now() step 1d by Type",
|
|
"size": 1,
|
|
"title": "Data Ingested during {TimeRange:label}",
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "billedData",
|
|
"formatter": 21,
|
|
"formatOptions": {
|
|
"palette": "purple"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "TimeGenerated",
|
|
"formatter": 5
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 12"
|
|
}
|
|
]
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "selectedTab",
|
|
"comparison": "isEqualTo",
|
|
"value": "status"
|
|
},
|
|
"name": "group - status"
|
|
},
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"title": "Group: MaliciousIP",
|
|
"items": [
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where isnotempty(MaliciousIP)\r\n| summarize count() by MaliciousIP , MaliciousIPCountry, MaliciousIPLatitude, MaliciousIPLongitude,SourceIP, DestinationIP, DeviceName, IndicatorThreatType, ThreatConfidence, ReportReferenceLink\r\n| order by count_ desc",
|
|
"size": 0,
|
|
"title": "Count by Malicious IP",
|
|
"timeContextFromParameter": "TimeRange",
|
|
"showExportToExcel": true,
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "ThreatConfidence",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "greenRed"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "ReportReferenceLink",
|
|
"formatter": 7,
|
|
"formatOptions": {
|
|
"linkTarget": "CellDetails",
|
|
"linkIsContextBlade": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "count_",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "greenRed",
|
|
"compositeBarSettings": {
|
|
"labelText": "",
|
|
"columnSettings": []
|
|
}
|
|
}
|
|
}
|
|
],
|
|
"filter": true,
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "IndicatorThreatType",
|
|
"sortOrder": 2
|
|
}
|
|
]
|
|
},
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "IndicatorThreatType",
|
|
"sortOrder": 2
|
|
}
|
|
]
|
|
},
|
|
"name": "query - 0"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where isnotempty(MaliciousIP)\r\n| summarize count() by MaliciousIP , MaliciousIPCountry, MaliciousIPLatitude, MaliciousIPLongitude\r\n| order by count_ desc",
|
|
"size": 0,
|
|
"title": "Malicious IP by Country",
|
|
"timeContextFromParameter": "TimeRange",
|
|
"showExportToExcel": true,
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"visualization": "map",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "count_",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "greenRed",
|
|
"compositeBarSettings": {
|
|
"labelText": "",
|
|
"columnSettings": []
|
|
}
|
|
}
|
|
}
|
|
],
|
|
"filter": true
|
|
},
|
|
"sortBy": [],
|
|
"mapSettings": {
|
|
"locInfo": "LatLong",
|
|
"latitude": "MaliciousIPLatitude",
|
|
"longitude": "MaliciousIPLongitude",
|
|
"sizeSettings": "MaliciousIPLatitude",
|
|
"sizeAggregation": "Sum",
|
|
"labelSettings": "MaliciousIPCountry",
|
|
"legendMetric": "count_",
|
|
"legendAggregation": "Sum",
|
|
"itemColorSettings": {
|
|
"nodeColorField": "MaliciousIPLatitude",
|
|
"colorAggregation": "Sum",
|
|
"type": "heatmap",
|
|
"heatmapPalette": "greenRed"
|
|
}
|
|
}
|
|
},
|
|
"name": "query - 0 - Copy"
|
|
}
|
|
]
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "selectedTab",
|
|
"comparison": "isEqualTo",
|
|
"value": "malicious"
|
|
},
|
|
"name": "group - malicious ip"
|
|
},
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"title": "Group: Top 10",
|
|
"items": [
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where DeviceAction contains \"Block\"\r\n| summarize Total = count() by SourceIP, Computer\r\n| top 10 by Total\r\n//| summarize count() by DeviceAction",
|
|
"size": 0,
|
|
"title": "Top 10 Blocked inbound IPs",
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "table",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "Total",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "greenRed"
|
|
}
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - block "
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where DeviceAction contains \"Block\"\r\n| summarize Total = count() by SourcePort, Computer\r\n| top 10 by Total\r\n//| summarize count() by DeviceAction",
|
|
"size": 0,
|
|
"title": "Top 10 Blocked inbound Ports",
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "table",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "Total",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "greenRed"
|
|
}
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - block - Port"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where DeviceAction contains \"Block\"\r\n| summarize Total = count() by DestinationIP, Computer\r\n| top 10 by Total\r\n//| summarize count() by DeviceAction",
|
|
"size": 0,
|
|
"title": "Top 10 Blocked outbound IPs",
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "table",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "Total",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "greenRed"
|
|
}
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - block - Copy"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where DeviceAction contains \"Block\"\r\n| summarize Total = count() by DestinationPort, Computer\r\n| top 10 by Total\r\n//| summarize count() by DeviceAction",
|
|
"size": 0,
|
|
"title": "Top 10 Blocked outbound Ports",
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "table",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "Total",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "greenRed"
|
|
}
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - block - out port"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where DeviceAction contains \"Block\"\r\n| summarize Total = count() by Protocol\r\n| top 10 by Total\r\n//| summarize count() by DeviceAction",
|
|
"size": 0,
|
|
"title": "Top 10 Blocked Protocols",
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "table",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "Total",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "greenRed"
|
|
}
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - block - protocols"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where DeviceAction contains \"Block\"\r\n| summarize Total = count() by Computer, DeviceName\r\n| top 10 by Total\r\n//| summarize count() by DeviceAction",
|
|
"size": 0,
|
|
"title": "Top 10 Blocked Computer vs. DeviceName",
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "table",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "Total",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "greenRed"
|
|
}
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - block - Computer vs Device"
|
|
}
|
|
]
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "selectedTab",
|
|
"comparison": "isEqualTo",
|
|
"value": "top"
|
|
},
|
|
"name": "group - top"
|
|
},
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"title": "Group: Hunting",
|
|
"items": [
|
|
{
|
|
"type": 9,
|
|
"content": {
|
|
"version": "KqlParameterItem/1.0",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"parameters": [
|
|
{
|
|
"id": "fe452f11-ddc9-4b85-b441-b8f6be3b33a8",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "DeviceAction",
|
|
"type": 2,
|
|
"isRequired": true,
|
|
"multiSelect": true,
|
|
"quote": "'",
|
|
"delimiter": ",",
|
|
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| summarize Count = count() by DeviceAction\r\n| order by Count desc\r\n| project Value = DeviceAction, Label = strcat(DeviceAction, \" count: \", Count)",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"value": [
|
|
"value::all"
|
|
],
|
|
"typeSettings": {
|
|
"additionalResourceOptions": [
|
|
"value::all"
|
|
],
|
|
"selectAllValue": "All",
|
|
"showDefault": false
|
|
},
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
{
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "SourceIP",
|
|
"type": 2,
|
|
"isRequired": true,
|
|
"multiSelect": true,
|
|
"quote": "'",
|
|
"delimiter": ",",
|
|
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where (DeviceAction in ({DeviceAction}) or '{DeviceAction:label}' == \"All\")\r\n| where isnotempty(DestinationIP) \r\n| summarize Count = count() by SourceIP\r\n| order by Count desc\r\n| project Value = SourceIP, Label = strcat(SourceIP, \" count: \", Count)",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"value": [
|
|
"value::all"
|
|
],
|
|
"typeSettings": {
|
|
"additionalResourceOptions": [
|
|
"value::all"
|
|
],
|
|
"selectAllValue": "All",
|
|
"showDefault": false
|
|
},
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"id": "d83accb3-5f6c-4794-ae8b-b6045265c539"
|
|
},
|
|
{
|
|
"id": "d5fa439b-b1d7-491e-8953-5e4f7bf74f81",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "SourcePort",
|
|
"type": 2,
|
|
"isRequired": true,
|
|
"multiSelect": true,
|
|
"quote": "'",
|
|
"delimiter": ",",
|
|
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where (DeviceAction in ({DeviceAction}) or '{DeviceAction:label}' == \"All\")\r\n| summarize Count = count() by SourcePort\r\n| order by Count desc\r\n| project Value = SourcePort, Label = strcat(SourcePort, \" count: \", Count)",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"value": [
|
|
"value::all"
|
|
],
|
|
"typeSettings": {
|
|
"additionalResourceOptions": [
|
|
"value::all"
|
|
],
|
|
"selectAllValue": "All",
|
|
"showDefault": false
|
|
},
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
{
|
|
"id": "2f749931-c232-471f-b91f-f91514fd7fa7",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "DestinationIP",
|
|
"type": 2,
|
|
"isRequired": true,
|
|
"multiSelect": true,
|
|
"quote": "'",
|
|
"delimiter": ",",
|
|
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where (DeviceAction in ({DeviceAction}) or '{DeviceAction:label}' == \"All\")\r\n| where isnotempty(DestinationIP) \r\n| summarize Count = count() by DestinationIP\r\n| order by Count desc\r\n| project Value = DestinationIP, Label = strcat(DestinationIP, \" count: \", Count)",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"value": [
|
|
"value::all"
|
|
],
|
|
"typeSettings": {
|
|
"additionalResourceOptions": [
|
|
"value::all"
|
|
],
|
|
"selectAllValue": "All",
|
|
"showDefault": false
|
|
},
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
{
|
|
"id": "5ecf989b-46cc-4cde-80fb-720d1ad2a5e2",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "DestinationPort",
|
|
"type": 2,
|
|
"isRequired": true,
|
|
"multiSelect": true,
|
|
"quote": "'",
|
|
"delimiter": ",",
|
|
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where (DeviceAction in ({DeviceAction}) or '{DeviceAction:label}' == \"All\")\r\n| where isnotempty(DestinationPort) \r\n| summarize Count = count() by DestinationPort\r\n| order by Count desc\r\n| project Value = DestinationPort, Label = strcat(DestinationPort, \" count: \", Count)",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"value": [
|
|
"value::all"
|
|
],
|
|
"typeSettings": {
|
|
"additionalResourceOptions": [
|
|
"value::all"
|
|
],
|
|
"selectAllValue": "All",
|
|
"showDefault": false
|
|
},
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
}
|
|
],
|
|
"style": "pills",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
"name": "parameters - 1"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where (SourceIP in ({SourceIP}) or '{SourceIP:label}' == \"All\") \r\n and (SourcePort in ({SourcePort}) or '{SourcePort:label}' == \"All\") \r\n and (DestinationIP in ({DestinationIP}) or '{DestinationIP:label}' == \"All\") \r\n and (DestinationPort in ({DestinationPort}) or '{DestinationPort:label}' == \"All\")\r\n and (DeviceAction in ({DeviceAction}) or '{DeviceAction:label}' == \"All\")",
|
|
"size": 0,
|
|
"title": "Filtered View, count: {$rowCount}",
|
|
"timeContextFromParameter": "TimeRange",
|
|
"showExportToExcel": true,
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"gridSettings": {
|
|
"filter": true
|
|
}
|
|
},
|
|
"name": "query - 1"
|
|
}
|
|
]
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "selectedTab",
|
|
"comparison": "isEqualTo",
|
|
"value": "hunting"
|
|
},
|
|
"name": "group - Hunting"
|
|
}
|
|
],
|
|
"fromTemplateId": "sentinel-CiscoFirepowerWorkbook",
|
|
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
|
|
} |