
{
"version": "Notebook/1.0",
"items": [
{
"type": 1,
"content": {
"json": "## Conditional Access Trends and Changes"
},
"name": "text - 0"
},
{
"type": 11,
"content": {
"version": "LinkItem/1.0",
"style": "tabs",
"links": [
{
"id": "18289c31-463f-48ea-b452-4244b147912f",
"cellValue": "Tab",
"linkTarget": "parameter",
"linkLabel": "Conditional Access Trends",
"subTarget": "cap1",
"preText": "",
"style": "link"
},
{
"id": "f74be862-4160-4e7c-9c32-1e55ef62c6ae",
"cellValue": "Tab",
"linkTarget": "parameter",
"linkLabel": "Conditional Access Changes",
"subTarget": "cap2",
"style": "link"
}
]
},
"name": "links - 1"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"crossComponentResources": [
"{Workspace}"
],
"parameters": [
{
"id": "18302244-0cfb-46d8-92e2-554fa9974c38",
"version": "KqlParameterItem/1.0",
"name": "Workspace",
"type": 5,
"description": "Select at least one Log Analytics workspace that ingests the Microsoft Entra ID tables this workbook queries (SigninLogs, AADNonInteractiveUserSignInLogs, AuditLogs and AADUserRiskEvents); a workspace without these tables returns empty results",
"isRequired": true,
"query": "resources\r\n| where type =~ 'microsoft.operationalinsights/workspaces'\r\n| project id",
"crossComponentResources": [
"value::all"
],
"typeSettings": {
"additionalResourceOptions": [],
"showDefault": false
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "CAPTime",
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
"value": null
},
{
"id": "9943b4a1-371e-4e50-8cbe-749a6dd87d76",
"version": "KqlParameterItem/1.0",
"name": "CAPTime",
"type": 4,
"isRequired": true,
"typeSettings": {
"selectableValues": [
{
"durationMs": 300000
},
{
"durationMs": 900000
},
{
"durationMs": 1800000
},
{
"durationMs": 3600000
},
{
"durationMs": 14400000
},
{
"durationMs": 43200000
},
{
"durationMs": 86400000
},
{
"durationMs": 172800000
},
{
"durationMs": 259200000
},
{
"durationMs": 604800000
},
{
"durationMs": 1209600000
},
{
"durationMs": 2419200000
},
{
"durationMs": 2592000000
},
{
"durationMs": 5184000000
},
{
"durationMs": 7776000000
}
]
},
"value": {
"durationMs": 604800000
}
},
{
"id": "7ffbab18-9e02-4840-a27f-e89207b0636a",
"version": "KqlParameterItem/1.0",
"name": "UserPrincipalName",
"type": 1,
"description": "Case-sensitive substring match on UserPrincipalName (the queries use contains_cs), so a partial value such as a username prefix will match any UPN containing it",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "CAPTime",
"defaultValue": "value::all"
},
{
"id": "75142a7d-ca45-427e-a349-a7d217191be2",
"version": "KqlParameterItem/1.0",
"name": "CategorySignIn",
"type": 2,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"typeSettings": {
"additionalResourceOptions": [
"value::all"
],
"showDefault": false
},
"jsonData": "[\"SignInLogs\",\"NonInteractiveUserSignInLogs\"]",
"defaultValue": "value::all",
"value": [
"SignInLogs"
]
},
{
"id": "b506d8e1-ce7a-4af8-b94c-65bbd3e70534",
"version": "KqlParameterItem/1.0",
"name": "AzureADApplication",
"type": 2,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "SigninLogs | union AADNonInteractiveUserSignInLogs\r\n| extend AzureADApplication = AppDisplayName\r\n| where isnotempty(AzureADApplication)\r\n| distinct AzureADApplication\r\n| sort by AzureADApplication asc ",
"crossComponentResources": [
"{Workspace}"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
],
"showDefault": false
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "CAPTime",
"defaultValue": "value::all",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
{
"id": "e14cf77f-6d3d-46f2-a0bf-fe18d731e51f",
"version": "KqlParameterItem/1.0",
"name": "PolicyName",
"type": 2,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "SigninLogs\r\n| mv-expand ConditionalAccessPolicies\r\n| extend displayName_ = tostring(ConditionalAccessPolicies.displayName)\r\n| distinct displayName_\r\n| sort by displayName_ asc\r\n",
"crossComponentResources": [
"{Workspace}"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
],
"showDefault": false
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "CAPTime",
"defaultValue": "value::all",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"value": [
"value::all"
]
},
{
"id": "b4ddb6f0-8afb-4f3c-aca9-c3d3847e019b",
"version": "KqlParameterItem/1.0",
"name": "Report",
"type": 2,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "SigninLogs \r\n| mv-expand ConditionalAccessPolicies\r\n| extend CAResult = tostring(ConditionalAccessPolicies.result)\r\n| distinct CAResult",
"crossComponentResources": [
"{Workspace}"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
],
"showDefault": false
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "CAPTime",
"defaultValue": "value::all",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "cap1"
},
"name": "parameters - 22 - Copy"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"crossComponentResources": [
"value::all"
],
"parameters": [
{
"id": "38660ba6-7173-4395-8c08-b477161f5bfc",
"version": "KqlParameterItem/1.0",
"name": "Workspace",
"type": 5,
"isRequired": true,
"query": "resources\r\n| where type =~ 'microsoft.operationalinsights/workspaces'\r\n| project id",
"crossComponentResources": [
"value::all"
],
"typeSettings": {
"additionalResourceOptions": [],
"showDefault": false
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
"value": null
},
{
"id": "e327ae2b-6659-4d53-98d7-7326e30a893a",
"version": "KqlParameterItem/1.0",
"name": "TimeRange",
"type": 4,
"isRequired": true,
"typeSettings": {
"selectableValues": [
{
"durationMs": 86400000
},
{
"durationMs": 259200000
},
{
"durationMs": 604800000
},
{
"durationMs": 1209600000
},
{
"durationMs": 2592000000
},
{
"durationMs": 5184000000
},
{
"durationMs": 7776000000
}
],
"allowCustom": true
},
"timeContext": {
"durationMs": 86400000
},
"value": {
"durationMs": 604800000
}
}
],
"style": "pills",
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "cap2"
},
"name": "parameters - TimeRange",
"styleSettings": {
"margin": "0",
"padding": "0"
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "AuditLogs\r\n| where OperationName in (\"Add conditional access policy\", \"Update conditional access policy\", \"Delete conditional access policy\")\r\n| summarize count() by OperationName, bin(TimeGenerated, 1d)",
"size": 1,
"title": "Conditional Access Change History",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "barchart",
"chartSettings": {
"seriesLabelSettings": [
{
"seriesName": "Update conditional access policy",
"color": "blue"
},
{
"seriesName": "Add conditional access policy",
"color": "green"
},
{
"seriesName": "Delete conditional access policy",
"color": "redBright"
}
]
}
},
"customWidth": "60",
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "cap2"
},
"name": "query - changehistory",
"styleSettings": {
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "AuditLogs\r\n| where OperationName in (\"Add conditional access policy\", \"Update conditional access policy\", \"Delete conditional access policy\")\r\n| project modifiedBy=tostring(InitiatedBy.user.userPrincipalName)\r\n| summarize count() by modifiedBy\r\n| order by count_ desc",
"size": 1,
"title": "Conditional Access Top Editors",
"timeContextFromParameter": "TimeRange",
"exportFieldName": "modifiedBy",
"exportParameterName": "modifiedBy",
"exportDefaultValue": "*",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "piechart"
},
"customWidth": "40",
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "cap2"
},
"name": "query - topeditors",
"styleSettings": {
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "AuditLogs\r\n| where OperationName in (\"Add conditional access policy\", \"Update conditional access policy\", \"Delete conditional access policy\")\r\n| project TimeGenerated, Operation=OperationName, Policy=TargetResources[0].displayName, ModifiedBy=InitiatedBy.user.userPrincipalName, CorrelationId\r\n| order by TimeGenerated desc",
"size": 1,
"title": "Conditional Access Change Log (click for comparison)",
"timeContextFromParameter": "TimeRange",
"exportFieldName": "CorrelationId",
"exportParameterName": "SelectedCorrelationId",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
]
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "cap2"
},
"name": "query - changelog",
"styleSettings": {
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let OldPolicy = AuditLogs\r\n| where CorrelationId == \"{SelectedCorrelationId}\"\r\n| where OperationName in (\"Add conditional access policy\", \"Update conditional access policy\", \"Delete conditional access policy\")\r\n| extend Policy=todynamic(tostring(TargetResources[0].modifiedProperties[0].oldValue))\r\n| project Policy\r\n| extend version=\"OldVersion\"\r\n;\r\nlet NewPolicy = AuditLogs\r\n| where CorrelationId == \"{SelectedCorrelationId}\"\r\n| where OperationName in (\"Add conditional access policy\", \"Update conditional access policy\", \"Delete conditional access policy\")\r\n| extend Policy=todynamic(tostring(TargetResources[0].modifiedProperties[0].newValue))\r\n| project Policy\r\n| extend version=\"NewVersion\"\r\n;\r\nunion OldPolicy, NewPolicy\r\n| order by version desc\r\n| extend grantControls = todynamic(\"\")\r\n| extend sessionControls = todynamic(\"\")\r\n| evaluate bag_unpack(Policy, columnsConflict='replace_source')\r\n| evaluate bag_unpack(conditions, columnsConflict='replace_source')\r\n| evaluate bag_unpack(grantControls, columnsConflict='replace_source')\r\n| evaluate bag_unpack(sessionControls, columnsConflict='replace_source')\r\n| project-away id",
"size": 4,
"title": "Change Comparison",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table",
"tileSettings": {
"showBorder": false,
"titleContent": {
"columnMatch": "TenantId",
"formatter": 1
},
"leftContent": {
"columnMatch": "DurationMs",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
},
"graphSettings": {
"type": 0,
"topContent": {
"columnMatch": "TenantId",
"formatter": 1
},
"centerContent": {
"columnMatch": "DurationMs",
"formatter": 1,
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
},
"mapSettings": {
"locInfo": "LatLong"
}
},
"conditionalVisibilities": [
{
"parameterName": "SelectedCorrelationId",
"comparison": "isNotEqualTo"
},
{
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "cap2"
}
],
"name": "query - comparison",
"styleSettings": {
"showBorder": true
}
},
{
"type": 1,
"content": {
"json": "### Conditional Access Emergency Account Exclusions\r\nAccounts in a policy's exclusion group are not evaluated by that policy, so membership changes to these groups should be reviewed as carefully as policy edits. The table below lists group audit events whose target group name matches the group entered in the parameter.\r\n[Manage Emergency Accounts in AAD](https://learn.microsoft.com/en-us/azure/active-directory/roles/security-emergency-access)"
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "cap2"
},
"name": "text - 13"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "05ef3b6b-055a-4744-98b7-e569dc827d15",
"version": "KqlParameterItem/1.0",
"name": "ExclusionGroup",
"label": "Enter Exclusion Group",
"type": 1,
"description": "Enter the display name of the group that is excluded from your Conditional Access policies (for example the emergency/break-glass access group). The query uses a case-insensitive term match (has) on the group name recorded in the audit event, so enter the name as it appears in Microsoft Entra ID",
"isRequired": true,
"timeContext": {
"durationMs": 86400000
},
"value": ""
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "cap2"
},
"name": "parameters - 12"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "AuditLogs\r\n //| where OperationName == \"Add member to group\"\r\n | where OperationName contains_cs \"group\"\r\n | extend Actor = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\r\n | extend Target = tostring(TargetResources[0].userPrincipalName)\r\n | extend GroupName = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue)))\r\n //| where GroupName has \"Exclude\" //enter exlusion group name\r\n | where GroupName has ('{ExclusionGroup}')\r\n | project TimeGenerated, Actor, OperationName, Target, GroupName",
"size": 0,
"title": "Conditional Access Exclusion Group Changes",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"sortBy": [
{
"itemKey": "TimeGenerated",
"sortOrder": 2
}
]
},
"sortBy": [
{
"itemKey": "TimeGenerated",
"sortOrder": 2
}
]
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "cap2"
},
"name": "query - 5"
}
]
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "cap2"
},
"name": "CAPChangesGroup"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SigninLogs\n| mv-expand ConditionalAccessPolicies\n| extend CAResult = tostring(ConditionalAccessPolicies.result)\n| project CAResult\n| summarize count() by CAResult",
"size": 1,
"title": "Conditional Access 'Signin' Summaries",
"timeContextFromParameter": "CAPTime",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "tiles",
"tileSettings": {
"showBorder": false,
"titleContent": {
"columnMatch": "CAResult",
"formatter": 1
},
"leftContent": {
"columnMatch": "count_",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
}
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "cap1"
},
"name": "query - 3"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SigninLogs\r\n| mv-expand ConditionalAccessPolicies\r\n| extend Result = tostring(ConditionalAccessPolicies.result)\r\n| extend AzureADApplication = AppDisplayName\r\n| extend ['PolicyName'] = tostring(ConditionalAccessPolicies.displayName)\r\n| extend NamedNetwork = tostring(parse_json(tostring(parse_json(NetworkLocationDetails)[0].networkNames))[0])\r\n| extend ClientOS = tostring(parse_json(DeviceDetail).operatingSystem)\r\n| extend DeviceName = tostring(parse_json(DeviceDetail).displayName)\r\n| extend Managed = tostring(parse_json(DeviceDetail).isManaged)\r\n| extend Trust = tostring(parse_json(DeviceDetail).trustType)\r\n| where AzureADApplication in ({AzureADApplication})\r\n| where UserPrincipalName contains_cs ('{UserPrincipalName}')\r\n| where ['PolicyName'] in ({PolicyName})\r\n| where Result in ({Report}) or '*' in ({Report})\r\n| where Category in ({CategorySignIn}) or '*' in ({CategorySignIn})\r\n| project TimeGenerated, Category, UserPrincipalName, AzureADApplication, Grant = ConditionalAccessPolicies.enforcedGrantControls,ClientOS, DeviceName, Managed, Trust,ClientIP = IPAddress, Location, NamedNetwork, ['PolicyName'], Result\r\n| union \r\n(AADNonInteractiveUserSignInLogs \r\n| mv-expand todynamic(ConditionalAccessPolicies)\r\n| extend Result = tostring(ConditionalAccessPolicies.result)\r\n| extend AzureADApplication = AppDisplayName\r\n| extend ['PolicyName'] = tostring(ConditionalAccessPolicies.displayName)\r\n| extend NamedNetwork = tostring(parse_json(tostring(parse_json(NetworkLocationDetails)[0].networkNames))[0])\r\n| extend ClientOS = tostring(parse_json(DeviceDetail).operatingSystem)\r\n| extend DeviceName = tostring(parse_json(DeviceDetail).displayName)\r\n| extend Managed = tostring(parse_json(DeviceDetail).isManaged)\r\n| extend Trust = tostring(parse_json(DeviceDetail).trustType)\r\n| where AzureADApplication in ({AzureADApplication})\r\n| where UserPrincipalName contains_cs ('{UserPrincipalName}')\r\n| where ['PolicyName'] 
in ({PolicyName})\r\n| where Result in ({Report}) or '*' in ({Report})\r\n| where Category in ({CategorySignIn}) or '*' in ({CategorySignIn})\r\n| project TimeGenerated, Category, UserPrincipalName, AzureADApplication, Grant = ConditionalAccessPolicies.enforcedGrantControls,ClientOS, DeviceName, Managed, Trust, ClientIP = IPAddress, Location, NamedNetwork, ['PolicyName'], Result)\r\n| order by TimeGenerated desc",
"size": 0,
"showAnalytics": true,
"title": "Conditional Access Status",
"timeContextFromParameter": "CAPTime",
"exportParameterName": "Detail",
"exportDefaultValue": "{ \"Name\":\"\", \"Type\":\"*\", \"Parent\":\"*\"}",
"exportToExcelOptions": "all",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "$gen_group",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "70ch"
}
},
{
"columnMatch": "TimeGenerated",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "25ch"
}
},
{
"columnMatch": "Category",
"formatter": 5
},
{
"columnMatch": "UserPrincipalName",
"formatter": 5,
"formatOptions": {
"customColumnWidthSetting": "35ch"
}
},
{
"columnMatch": "AzureADApplication",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "25ch"
}
},
{
"columnMatch": "ClientIP",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "15ch"
}
},
{
"columnMatch": "Location",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "13ch"
}
},
{
"columnMatch": "NamedNetwork",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "20ch"
}
},
{
"columnMatch": "PolicyName",
"formatter": 5
},
{
"columnMatch": "Result",
"formatter": 5
},
{
"columnMatch": "$gen_group",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "70ch"
}
},
{
"columnMatch": "CA Policy Name",
"formatter": 5
},
{
"columnMatch": "CAResult",
"formatter": 5
},
{
"columnMatch": "GrantControls",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "18ch"
}
}
],
"rowLimit": 5000,
"hierarchySettings": {
"treeType": 1,
"groupBy": [
"Result",
"PolicyName",
"UserPrincipalName"
],
"expandTopLevel": false,
"finalBy": "Category"
}
},
"sortBy": [],
"tileSettings": {
"showBorder": false,
"titleContent": {
"columnMatch": "CA Policy Name",
"formatter": 1
},
"leftContent": {
"columnMatch": "failure",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
},
"mapSettings": {
"locInfo": "LatLong",
"sizeSettings": "failure",
"sizeAggregation": "Sum",
"legendMetric": "failure",
"legendAggregation": "Sum",
"itemColorSettings": {
"type": "heatmap",
"colorAggregation": "Sum",
"nodeColorField": "failure",
"heatmapPalette": "greenRed"
}
}
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "cap1"
},
"customWidth": "100",
"name": "query - 10 - Copy - Copy",
"styleSettings": {
"margin": "25"
}
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SigninLogs\r\n| mv-expand ConditionalAccessPolicies\r\n| extend CAResult = tostring(ConditionalAccessPolicies.result)\r\n| extend deviceState = case(DeviceDetail[\"trustType\"] == \"\", \"Unmanaged\", DeviceDetail[\"trustType\"])\r\n| summarize count() by deviceState\r\n",
"size": 3,
"title": "Device State - Total",
"timeContextFromParameter": "CAPTime",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "piechart"
},
"customWidth": "33",
"name": "query - 7"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SigninLogs\r\n| mv-expand ConditionalAccessPolicies\r\n| extend CAResult = tostring(ConditionalAccessPolicies.result)\r\n| extend device = tostring(DeviceDetail[\"operatingSystem\"])\r\n| summarize count() by UserPrincipalName, device\r\n| summarize count() by device",
"size": 3,
"title": "Device Platform - Total",
"timeContextFromParameter": "CAPTime",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "piechart"
},
"customWidth": "33",
"name": "query - 8"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SigninLogs\r\n| mv-expand ConditionalAccessPolicies\r\n| extend CAResult = tostring(ConditionalAccessPolicies.result)\r\n| summarize count() by RiskLevelDuringSignIn",
"size": 3,
"title": "Sign-in Risk - Total",
"timeContextFromParameter": "CAPTime",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "piechart"
},
"customWidth": "33",
"name": "query - 9"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SigninLogs\r\n| mv-expand ConditionalAccessPolicies\r\n| extend CAResult = tostring(ConditionalAccessPolicies.result)\r\n| summarize count() by ClientAppUsed",
"size": 3,
"title": "Client App - Total",
"timeContextFromParameter": "CAPTime",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "piechart"
},
"customWidth": "33",
"name": "query - 8"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SigninLogs\r\n| mv-expand ConditionalAccessPolicies\r\n| extend CAResult = tostring(ConditionalAccessPolicies.result)\r\n| summarize count() by Location\r\n",
"size": 3,
"title": "Location - Total",
"timeContextFromParameter": "CAPTime",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "map",
"mapSettings": {
"locInfo": "CountryRegion",
"locInfoColumn": "Location",
"sizeSettings": "Location",
"sizeAggregation": "Sum",
"minSize": 10,
"maxSize": 30,
"defaultSize": 12,
"labelSettings": "Location",
"legendMetric": "count_",
"legendAggregation": "Sum",
"itemColorSettings": {
"nodeColorField": "Location",
"colorAggregation": "Sum",
"type": "heatmap",
"heatmapPalette": "greenDarkDark"
},
"numberFormatSettings": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": false
}
}
}
},
"customWidth": "55",
"showPin": false,
"name": "query - 10",
"styleSettings": {
"margin": "40",
"padding": "0"
}
}
]
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "cap1"
},
"name": "group - 9"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SigninLogs\r\n| mv-expand ConditionalAccessPolicies\r\n| extend CAResult = tostring(ConditionalAccessPolicies.result)\r\n| extend ['CA Policy Name'] = tostring(ConditionalAccessPolicies.displayName)\r\n| where RiskLevelDuringSignIn <> \"none\" or RiskState <> \"none\"\r\n| union\r\nAADUserRiskEvents\r\n| project TimeGenerated, UserPrincipalName, RiskDetail, RiskEventType, RiskLevel, RiskState, ['CA Policy Name']\r\n| sort by TimeGenerated desc",
"size": 0,
"title": "Conditional Access Risk Details",
"timeContextFromParameter": "CAPTime",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "$gen_group",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "75ch"
}
},
{
"columnMatch": "UserPrincipalName",
"formatter": 5
},
{
"columnMatch": "CA Policy Name",
"formatter": 5
},
{
"columnMatch": "$gen_group",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "75ch"
}
}
],
"hierarchySettings": {
"treeType": 1,
"groupBy": [
"UserPrincipalName"
],
"finalBy": "CA Policy Name"
}
}
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "cap1"
},
"name": "query - 6"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SigninLogs\r\n| project TimeGenerated, ConditionalAccessPolicies, UserPrincipalName, AppDisplayName\r\n| mv-expand ConditionalAccessPolicies\r\n| extend CAResult = tostring(ConditionalAccessPolicies.result)\r\n| extend CAPolicyName = tostring(ConditionalAccessPolicies.displayName)\r\n| where CAResult == \"failure\"\r\n| summarize\r\n ['List of Failed Application']=make_set(AppDisplayName),\r\n ['Count of Failed Application']=dcount(AppDisplayName)\r\n by UserPrincipalName, bin(TimeGenerated, 1h)\r\n| where ['Count of Failed Application'] >= 5",
"size": 0,
"title": "Conditional Access Block to 5+ Apps within 1 Hour",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "table",
"tileSettings": {
"showBorder": false,
"titleContent": {
"columnMatch": "UserPrincipalName",
"formatter": 1
},
"leftContent": {
"columnMatch": "Count of Failed Application",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
}
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "cap1"
},
"name": "query - 6"
}
],
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}