683 строки
44 KiB
JSON
683 строки
44 KiB
JSON
{
|
|
"version": "Notebook/1.0",
|
|
"items": [
|
|
{
|
|
"type": 9,
|
|
"content": {
|
|
"version": "KqlParameterItem/1.0",
|
|
"parameters": [
|
|
{
|
|
"id": "a4b4e975-fa7c-46a3-b669-850aacc88134",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "Help",
|
|
"label": "🔎 Guide",
|
|
"type": 10,
|
|
"isRequired": true,
|
|
"typeSettings": {
|
|
"additionalResourceOptions": [],
|
|
"showDefault": false
|
|
},
|
|
"jsonData": "[\r\n {\"value\": \"Yes\", \"label\": \"Yes\", \"selected\":true},\r\n {\"value\": \"No\", \"label\": \"No\"}\r\n]"
|
|
},
|
|
{
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "DefaultSubscription_Internal",
|
|
"type": 1,
|
|
"isRequired": true,
|
|
"query": "where type =~ 'microsoft.operationalinsights/workspaces'\r\n| take 1\r\n| project subscriptionId",
|
|
"crossComponentResources": [
|
|
"value::selected"
|
|
],
|
|
"isHiddenWhenLocked": true,
|
|
"queryType": 1,
|
|
"resourceType": "microsoft.resourcegraph/resources",
|
|
"id": "314d02bf-4691-43fa-af59-d67073c8b8fa"
|
|
},
|
|
{
|
|
"id": "e6ded9a1-a83c-4762-938d-5bf8ff3d3d38",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "Subscription",
|
|
"type": 6,
|
|
"isRequired": true,
|
|
"multiSelect": true,
|
|
"quote": "'",
|
|
"delimiter": ",",
|
|
"query": "summarize by subscriptionId\r\n| project value = strcat(\"/subscriptions/\", subscriptionId), label = subscriptionId, selected = iff(subscriptionId =~ '{DefaultSubscription_Internal}', true, false)",
|
|
"crossComponentResources": [
|
|
"value::all"
|
|
],
|
|
"typeSettings": {
|
|
"additionalResourceOptions": [
|
|
"value::all"
|
|
],
|
|
"showDefault": false
|
|
},
|
|
"queryType": 1,
|
|
"resourceType": "microsoft.resourcegraph/resources",
|
|
"value": [
|
|
"value::all"
|
|
]
|
|
},
|
|
{
|
|
"id": "e3225ed0-6210-40a1-b2d0-66e42ffa71d6",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "Workspace",
|
|
"type": 5,
|
|
"isRequired": true,
|
|
"multiSelect": true,
|
|
"quote": "'",
|
|
"delimiter": ",",
|
|
"query": "resources\r\n| where type =~ 'microsoft.operationalinsights/workspaces'\r\n| order by name asc\r\n| summarize Selected = makelist(id, 10), All = makelist(id, 1000)\r\n| mvexpand All limit 100\r\n| project value = tostring(All), label = tostring(All), selected = iff(Selected contains All, true, false)",
|
|
"crossComponentResources": [
|
|
"{Subscription}"
|
|
],
|
|
"typeSettings": {
|
|
"additionalResourceOptions": [
|
|
"value::all"
|
|
],
|
|
"showDefault": false
|
|
},
|
|
"queryType": 1,
|
|
"resourceType": "microsoft.resourcegraph/resources",
|
|
"value": [
|
|
"value::all"
|
|
]
|
|
},
|
|
{
|
|
"id": "15b2c181-7397-43c1-900a-28e175ae8a6f",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "TimeRange",
|
|
"type": 4,
|
|
"isRequired": true,
|
|
"value": {
|
|
"durationMs": 86400000
|
|
},
|
|
"typeSettings": {
|
|
"selectableValues": [
|
|
{
|
|
"durationMs": 86400000
|
|
},
|
|
{
|
|
"durationMs": 172800000
|
|
},
|
|
{
|
|
"durationMs": 604800000
|
|
}
|
|
],
|
|
"allowCustom": true
|
|
},
|
|
"timeContextFromParameter": "TimeRange"
|
|
}
|
|
],
|
|
"style": "pills",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
"name": "Parameter Selectors"
|
|
},
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "<svg viewBox=\"0 0 19 19\" width=\"20\" class=\"fxt-escapeShadow\" role=\"presentation\" focusable=\"false\" xmlns:svg=\"http://www.w3.org/2000/svg\" xmlns:xlink=\"http://www.w3.org/1999/xlink\" aria-hidden=\"true\"><g><path fill=\"#1b93eb\" d=\"M16.82 8.886c0 4.81-5.752 8.574-7.006 9.411a.477.477 0 01-.523 0C8.036 17.565 2.18 13.7 2.18 8.886V3.135a.451.451 0 01.42-.419C7.2 2.612 6.154.625 9.5.625s2.3 1.987 6.8 2.091a.479.479 0 01.523.419z\"></path><path fill=\"url(#0024423711759027356)\" d=\"M16.192 8.99c0 4.392-5.333 7.947-6.483 8.575a.319.319 0 01-.418 0c-1.15-.732-6.483-4.183-6.483-8.575V3.762a.575.575 0 01.313-.523C7.2 3.135 6.258 1.357 9.4 1.357s2.2 1.882 6.274 1.882a.45.45 0 01.419.418z\"></path><path d=\"M9.219 5.378a.313.313 0 01.562 0l.875 1.772a.314.314 0 00.236.172l1.957.284a.314.314 0 01.174.535l-1.416 1.38a.312.312 0 00-.09.278l.334 1.949a.313.313 0 01-.455.33l-1.75-.92a.314.314 0 00-.292 0l-1.75.92a.313.313 0 01-.455-.33L7.483 9.8a.312.312 0 00-.09-.278L5.977 8.141a.314.314 0 01.174-.535l1.957-.284a.314.314 0 00.236-.172z\" class=\"msportalfx-svg-c01\"></path></g></svg> <span style=\"font-family: Open Sans; font-weight: 620; font-size: 14px;font-style: bold;margin:-10px 0px 0px 0px;position: relative;top:-3px;left:-4px;\"> Please take time to answer a quick survey,\r\n</span>[<span style=\"font-family: Open Sans; font-weight: 620; font-size: 14px;font-style: bold;margin:-10px 0px 0px 0px;position: relative;top:-3px;left:-4px;\"> click here. </span>](https://forms.office.com/r/n9beey85aP)"
|
|
},
|
|
"name": "Survey"
|
|
},
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "# [Threat Intelligence](https://docs.microsoft.com/azure/sentinel/understand-threat-intelligence)\n---\n\nWithin a Security Information and Event Management (SIEM) solution like Microsoft Sentinel, the most commonly used form of CTI is threat indicators, also known as Indicators of Compromise or IoCs. Threat indicators are data that associate observed artifacts such as URLs, file hashes, or IP addresses with known threat activity such as phishing, botnets, or malware. This form of threat intelligence is often called tactical threat intelligence because it can be applied to security products and automation in large scale to detect potential threats to an organization and protect against them. In Microsoft Sentinel, you can use threat indicators to help detect malicious activity observed in your environment and provide context to security investigators to help inform response decisions. [Video Demo](https://youtu.be/4Bet2oVODow)<br>\n"
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "Help",
|
|
"comparison": "isEqualTo",
|
|
"value": "Yes"
|
|
},
|
|
"customWidth": "79",
|
|
"name": "Workbook Overview"
|
|
},
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": " "
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "Help",
|
|
"comparison": "isEqualTo",
|
|
"value": "Yes"
|
|
},
|
|
"customWidth": "20",
|
|
"name": "Microsoft Sentinel Logo"
|
|
},
|
|
{
|
|
"type": 11,
|
|
"content": {
|
|
"version": "LinkItem/1.0",
|
|
"style": "tabs",
|
|
"links": [
|
|
{
|
|
"id": "18c690d7-7cbd-46c1-b677-1f72692d40cd",
|
|
"cellValue": "TAB",
|
|
"linkTarget": "parameter",
|
|
"linkLabel": "Indicators Ingestion",
|
|
"subTarget": "Indicators",
|
|
"preText": "Alert rules",
|
|
"style": "link"
|
|
},
|
|
{
|
|
"id": "f88dcf47-af98-4684-9de3-1ee5f48f68fc",
|
|
"cellValue": "TAB",
|
|
"linkTarget": "parameter",
|
|
"linkLabel": "Indicators Search",
|
|
"subTarget": "Observed",
|
|
"style": "link"
|
|
}
|
|
]
|
|
},
|
|
"name": "Tabs link"
|
|
},
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"items": [
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "ThreatIntelligenceIndicator\r\n// Select all indicators from the table\r\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\r\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \"IP\",\r\n iff(isnotempty(Url), \"URL\",\r\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \"Email\",\r\n iff(isnotempty(FileHashValue), \"File\",\r\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \"Domain\",\r\n \"Other\")))))\r\n// Summarize and order the data, then render the chart\r\n| summarize CountOfIndicators = count() by IndicatorType, bin(TimeGenerated, 1h)\r\n| order by CountOfIndicators desc \r\n| render barchart kind=stacked ",
|
|
"size": 0,
|
|
"showAnalytics": true,
|
|
"title": "Indicators Imported into Sentinel by Indicator Type and Date",
|
|
"timeContextFromParameter": "TimeRange",
|
|
"showExportToExcel": true,
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
]
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 1"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "ThreatIntelligenceIndicator\r\n// Select all indicators from the table\r\n// Summarize and order the data, then render the chart\r\n| summarize CountOfIndicators = count() by SourceSystem, bin(TimeGenerated, 1h)\r\n| render barchart kind=stacked",
|
|
"size": 0,
|
|
"showAnalytics": true,
|
|
"title": "Indicators Imported into Sentinel by Indicator Provider and Date",
|
|
"timeContextFromParameter": "TimeRange",
|
|
"showExportToExcel": true,
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
]
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 3"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "ThreatIntelligenceIndicator\r\n// Select all indicators from the table\r\n| where TimeGenerated < now()\r\n// Select only indicators that have not expired\r\n and ExpirationDateTime > now()\r\n// Select only indicators that are marked active\r\n and Active == true\r\n// Select only the most recently ingested copy of an indicator\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\r\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \"IP\",\r\n iff(isnotempty(Url), \"URL\",\r\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \"Email\",\r\n iff(isnotempty(FileHashValue), \"File\",\r\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \"Domain\",\r\n \"Other\")))))\r\n// Summarize and order the data, then render the chart\r\n| summarize CountOfIndicators = count() by IndicatorType\r\n| order by CountOfIndicators desc \r\n| render barchart kind=unstacked",
|
|
"size": 0,
|
|
"showAnalytics": true,
|
|
"title": "Active Indicators by Indicator Type",
|
|
"timeContextFromParameter": "TimeRange",
|
|
"showExportToExcel": true,
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
]
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 5"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "ThreatIntelligenceIndicator\r\n// Select all indicators from the table\r\n| where TimeGenerated < now()\r\n// Select only indicators that have not expired\r\n and ExpirationDateTime > now()\r\n// Select only indicators that are marked active\r\n and Active == true\r\n// Select only the most recently ingested copy of an indicator\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n// Summarize and order the data, then render the chart\r\n| summarize CountOfIndicators = count() by SourceSystem\r\n| order by CountOfIndicators desc \r\n| render barchart kind=unstacked",
|
|
"size": 0,
|
|
"showAnalytics": true,
|
|
"title": "Active Indicators by Indicator Source",
|
|
"timeContextFromParameter": "TimeRange",
|
|
"showExportToExcel": true,
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
]
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 7"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "ThreatIntelligenceIndicator\r\n// Select all indicators from the table\r\n| where TimeGenerated < now()\r\n// Select only indicators that have not expired\r\n and ExpirationDateTime > now()\r\n// Select only indicators that are marked active\r\n and Active == true\r\n// Select only the most recently ingested copy of an indicator\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n// Summarize and order the data, then render the chart\r\n| summarize CountOfIndicators = count() by tostring(ConfidenceScore)\r\n| order by CountOfIndicators desc \r\n| render piechart",
|
|
"size": 0,
|
|
"showAnalytics": true,
|
|
"title": "Active Indicators by Confidence Score",
|
|
"timeContextFromParameter": "TimeRange",
|
|
"showExportToExcel": true,
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
]
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 10"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "let DomainQuery=view() { \r\nThreatIntelligenceIndicator\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n| where isnotempty(DomainName)\r\n| summarize SourceSystemArray=make_set(SourceSystem) by DomainName\r\n| summarize count() by tostring(SourceSystemArray)\r\n| project SourceSystemArray, count_, EntryType=\"DomainEntry\"\r\n};\r\nlet UrlQuery=view(){\r\nThreatIntelligenceIndicator\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n| where isnotempty(Url)\r\n| summarize SourceSystemArray=make_set(SourceSystem) by Url\r\n| summarize count() by tostring(SourceSystemArray)\r\n| project SourceSystemArray, count_, EntryType=\"UrlEntry\"\r\n};\r\nlet FileHashQuery=view(){\r\nThreatIntelligenceIndicator\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n| where isnotempty(FileHashValue)\r\n| summarize SourceSystemArray=make_set(SourceSystem) by FileHashValue\r\n| summarize count() by tostring(SourceSystemArray)\r\n| project SourceSystemArray, count_, EntryType=\"FileHashEntry\"\r\n};\r\nlet IPQuery=view(){\r\nThreatIntelligenceIndicator\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n| where isnotempty(NetworkIP) or isnotempty(NetworkSourceIP)\r\n| summarize SourceSystemArray=make_set(SourceSystem) by NetworkIP, NetworkSourceIP\r\n| summarize count() by tostring(SourceSystemArray)\r\n| project SourceSystemArray, count_, EntryType=\"IPEntry\"\r\n};\r\nlet EmailAddressQuery=view(){\r\nThreatIntelligenceIndicator\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n| where isnotempty(EmailSenderAddress)\r\n| summarize SourceSystemArray=make_set(SourceSystem) by EmailSenderAddress\r\n| summarize count() by tostring(SourceSystemArray)\r\n| project SourceSystemArray, count_, EntryType=\"EmailAddressEntry\"\r\n};\r\nlet EmailMessageQuery=view(){\r\nThreatIntelligenceIndicator\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n| where isnotempty(EmailSubject)\r\n| summarize SourceSystemArray=make_set(SourceSystem) by EmailSubject\r\n| summarize count() by tostring(SourceSystemArray)\r\n| project SourceSystemArray, count_, EntryType=\"EmailMessageEntry\"\r\n};\r\nlet SingleSourceIndicators=view(){\r\n DomainQuery\r\n | union UrlQuery\r\n | union FileHashQuery\r\n | union IPQuery\r\n | union EmailAddressQuery\r\n | union EmailMessageQuery\r\n | where array_length(todynamic(SourceSystemArray))==1\r\n | summarize sum(count_) by SourceSystemArray\r\n | extend counter=1 \r\n};\r\nlet MultipleSourceIndicators=view(){\r\n DomainQuery\r\n | union UrlQuery\r\n | union FileHashQuery\r\n | union IPQuery\r\n | union EmailAddressQuery\r\n | union EmailMessageQuery\r\n | where array_length(todynamic(SourceSystemArray))!=1\r\n | summarize sum(count_) by SourceSystemArray\r\n | extend counter=1\r\n};\r\nlet CountOfActiveIndicatorsBySource=view(){\r\n ThreatIntelligenceIndicator\r\n\t| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n | where ExpirationDateTime > now() and Active == true\r\n | summarize count() by SourceSystem\r\n | project SourceSystem, count_\r\n};\r\nSingleSourceIndicators\r\n| join kind=fullouter MultipleSourceIndicators on counter \r\n| where SourceSystemArray contains todynamic(SourceSystemArray)[0] \r\n| order by SourceSystemArray\r\n| extend solitary_count=sum_count_\r\n| summarize shared_count = sum(sum_count_1) by SourceSystemArray, solitary_count\r\n| extend total_count = shared_count + solitary_count\r\n| extend unique_percentage = round(toreal(solitary_count)/toreal(total_count)*100, 1)\r\n| extend IndicatorSource = tostring(todynamic(SourceSystemArray)[0])\r\n| join kind=inner CountOfActiveIndicatorsBySource on $left.IndicatorSource == $right.SourceSystem\r\n| order by unique_percentage desc\r\n| project Source=IndicatorSource, UniquenessPercentage=unique_percentage, ActiveIndicators = count_\r\n\r\n",
|
|
"size": 0,
|
|
"showAnalytics": true,
|
|
"title": "Uniqueness of Threat Intelligence Sources",
|
|
"timeContextFromParameter": "TimeRange",
|
|
"showExportToExcel": true,
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "Source",
|
|
"formatter": 18,
|
|
"formatOptions": {
|
|
"thresholdsOptions": "icons",
|
|
"thresholdsGrid": [
|
|
{
|
|
"operator": "Default",
|
|
"thresholdValue": null,
|
|
"representation": "View",
|
|
"text": "{0}{1}"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "ActiveIndicators",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "blue"
|
|
}
|
|
}
|
|
],
|
|
"filter": true
|
|
},
|
|
"sortBy": []
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 12"
|
|
}
|
|
]
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "TAB",
|
|
"comparison": "isEqualTo",
|
|
"value": "Indicators"
|
|
},
|
|
"name": "Indicators Ingestion"
|
|
},
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"items": [
|
|
{
|
|
"type": 9,
|
|
"content": {
|
|
"version": "KqlParameterItem/1.0",
|
|
"parameters": [
|
|
{
|
|
"id": "9aec751b-07bd-43ba-80b9-f711887dce45",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "Indicator",
|
|
"label": "Search Indicator in Events",
|
|
"type": 1,
|
|
"value": "",
|
|
"timeContext": {
|
|
"durationMs": 7776000000
|
|
},
|
|
"timeContextFromParameter": "TimeRange"
|
|
}
|
|
],
|
|
"style": "pills",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
"customWidth": "50",
|
|
"name": "Threat Research Parameters"
|
|
},
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": ""
|
|
},
|
|
"customWidth": "50",
|
|
"name": "text - 9"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "//Add additional lines for desired data columns\r\nunion withsource= Table_Name *\r\n| where column_ifexists('CallerIpAddress', '') has \"{Indicator}\"\r\nor column_ifexists('DestinationIP', '') has \"{Indicator}\"\r\nor column_ifexists('FileOriginUrl', '') has \"{Indicator}\"\r\nor column_ifexists('FQDN', '') has \"{Indicator}\"\r\nor column_ifexists('InitiatingProcessSHA256', '') has \"{Indicator}\"\r\nor column_ifexists('IpAddress', '') has \"{Indicator}\"\r\nor column_ifexists('IPAddresses', '') has \"{Indicator}\"\r\nor column_ifexists('IPAddress', '') has \"{Indicator}\"\r\nor column_ifexists('Name', '') has \"{Indicator}\"\r\nor column_ifexists('RemoteIP', '') has \"{Indicator}\"\r\nor column_ifexists('RemoteUrl', '') has \"{Indicator}\"\r\nor column_ifexists('RecipientEmailAddress', '') has \"{Indicator}\" \r\nor column_ifexists('SenderMailFromAddress', '') has \"{Indicator}\" \r\nor column_ifexists('SourceIP', '') has \"{Indicator}\"\r\nor column_ifexists('Url', '') has \"{Indicator}\"\r\nor column_ifexists('SrcIpAddr', '') has \"{Indicator}\"\r\nor column_ifexists('DstIpAddr', '') has \"{Indicator}\"\r\nor column_ifexists('NetworkSourceIP', '') has \"{Indicator}\"\r\nor column_ifexists('FileHashValue', '') has \"{Indicator}\"\r\nor column_ifexists('NetworkIP', '') has \"{Indicator}\"\r\nor column_ifexists('NetworkDestinationIP', '') has \"{Indicator}\"\r\nor column_ifexists('EmailSourceIpAddress', '') has \"{Indicator}\"\r\nor column_ifexists('EmailSenderAddress', '') has \"{Indicator}\"\r\nor column_ifexists('DomainName', '') has \"{Indicator}\"\r\nor column_ifexists('AADEmail', '') has \"{Indicator}\"\r\nor column_ifexists('Account', '') has \"{Indicator}\"\r\nor column_ifexists('AccountName', '') has \"{Indicator}\"\r\nor column_ifexists('AccountUpn', '') has \"{Indicator}\"\r\nor column_ifexists('AccountUPN', '') has \"{Indicator}\"\r\nor column_ifexists('Caller', '') has \"{Indicator}\"\r\nor column_ifexists('CompromisedEntity', '') has \"{Indicator}\"\r\nor column_ifexists('DestinationUserID', '') has \"{Indicator}\"\r\nor column_ifexists('DestinationUserName', '') has \"{Indicator}\"\r\nor column_ifexists('DisplayName', '') has \"{Indicator}\"\r\nor column_ifexists('Email_s', '') has \"{Indicator}\"\r\nor column_ifexists('FullyQualifiedSubjectUserName', '') has \"{Indicator}\"\r\nor column_ifexists('InitiatingProcessAccountUpn', '') has \"{Indicator}\" \r\nor column_ifexists('MailboxOwnerUPN', '') has \"{Indicator}\"\r\nor column_ifexists('Owner', '') has \"{Indicator}\"\r\nor column_ifexists('RequesterUpn', '') has \"{Indicator}\"\r\nor column_ifexists('SourceIdentity', '') has \"{Indicator}\"\r\nor column_ifexists('SourceUserID', '') has \"{Indicator}\"\r\nor column_ifexists('SourceUserName', '') has \"{Indicator}\"\r\nor column_ifexists('SubjectUserName', '') has \"{Indicator}\"\r\nor column_ifexists('TargetUser', '') has \"{Indicator}\"\r\nor column_ifexists('TargetUserName', '') has \"{Indicator}\"\r\nor column_ifexists('Upn', '') has \"{Indicator}\"\r\nor column_ifexists('User_s', '') has \"{Indicator}\"\r\nor column_ifexists('UserId', '') has \"{Indicator}\" \r\nor column_ifexists('UserId_', '') has \"{Indicator}\"\r\nor column_ifexists('UserId_s_s', '') has \"{Indicator}\" \r\nor column_ifexists('userName', '') has \"{Indicator}\"\r\nor column_ifexists('UserName', '') has \"{Indicator}\" \r\nor column_ifexists('UserName_s', '') has \"{Indicator}\"\r\nor column_ifexists('userPrincipalName_s', '') has \"{Indicator}\"\r\nor column_ifexists('UserPrincipalName_s', '') has \"{Indicator}\"\r\nor column_ifexists('UserPrincipalName', '') has \"{Indicator}\"\r\nor column_ifexists('Computer', '') has \"{Indicator}\"\r\nor column_ifexists('FileHash', '') has \"{Indicator}\"\r\nor column_ifexists('FilePath', '') has \"{Indicator}\"\r\nor column_ifexists('Process', '') has \"{Indicator}\"\r\nor column_ifexists('CommandLine', '') has \"{Indicator}\"\r\nor column_ifexists('NewProcessName', '') has \"{Indicator}\"\r\nor column_ifexists('ParentProcessName', '') has \"{Indicator}\"\r\n| summarize count() by Table_Name \r\n| project-rename ['Data Table']=Table_Name, ['Logs Count']=count_\r\n| sort by ['Logs Count'] desc",
|
|
"size": 0,
|
|
"showAnalytics": true,
|
|
"title": "Indicators Observed",
|
|
"noDataMessage": "No indicators observed within these thresholds",
|
|
"timeContextFromParameter": "TimeRange",
|
|
"exportFieldName": "Type",
|
|
"exportParameterName": "Type",
|
|
"showExportToExcel": true,
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "Data Table",
|
|
"formatter": 18,
|
|
"formatOptions": {
|
|
"thresholdsOptions": "icons",
|
|
"thresholdsGrid": [
|
|
{
|
|
"operator": "Default",
|
|
"thresholdValue": null,
|
|
"representation": "Log",
|
|
"text": "{0}{1}"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Logs Count",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "blue"
|
|
}
|
|
}
|
|
],
|
|
"filter": true
|
|
}
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 4"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "//Add additional lines for desired data columns\r\nunion withsource= Table_Name *\r\n| where column_ifexists('CallerIpAddress', '') has \"{Indicator}\"\r\nor column_ifexists('DestinationIP', '') has \"{Indicator}\"\r\nor column_ifexists('FileOriginUrl', '') has \"{Indicator}\"\r\nor column_ifexists('FQDN', '') has \"{Indicator}\"\r\nor column_ifexists('InitiatingProcessSHA256', '') has \"{Indicator}\"\r\nor column_ifexists('IpAddress', '') has \"{Indicator}\"\r\nor column_ifexists('IPAddresses', '') has \"{Indicator}\"\r\nor column_ifexists('IPAddress', '') has \"{Indicator}\"\r\nor column_ifexists('Name', '') has \"{Indicator}\"\r\nor column_ifexists('RemoteIP', '') has \"{Indicator}\"\r\nor column_ifexists('RemoteUrl', '') has \"{Indicator}\"\r\nor column_ifexists('RecipientEmailAddress', '') has \"{Indicator}\" \r\nor column_ifexists('SenderMailFromAddress', '') has \"{Indicator}\" \r\nor column_ifexists('SourceIP', '') has \"{Indicator}\"\r\nor column_ifexists('Url', '') has \"{Indicator}\"\r\nor column_ifexists('SrcIpAddr', '') has \"{Indicator}\"\r\nor column_ifexists('DstIpAddr', '') has \"{Indicator}\"\r\nor column_ifexists('NetworkSourceIP', '') has \"{Indicator}\"\r\nor column_ifexists('FileHashValue', '') has \"{Indicator}\"\r\nor column_ifexists('NetworkIP', '') has \"{Indicator}\"\r\nor column_ifexists('NetworkDestinationIP', '') has \"{Indicator}\"\r\nor column_ifexists('EmailSourceIpAddress', '') has \"{Indicator}\"\r\nor column_ifexists('EmailSenderAddress', '') has \"{Indicator}\"\r\nor column_ifexists('DomainName', '') has \"{Indicator}\"\r\nor column_ifexists('AADEmail', '') has \"{Indicator}\"\r\nor column_ifexists('Account', '') has \"{Indicator}\"\r\nor column_ifexists('AccountName', '') has \"{Indicator}\"\r\nor column_ifexists('AccountUpn', '') has \"{Indicator}\"\r\nor column_ifexists('AccountUPN', '') has \"{Indicator}\"\r\nor column_ifexists('Caller', '') has \"{Indicator}\"\r\nor column_ifexists('CompromisedEntity', '') has \"{Indicator}\"\r\nor column_ifexists('DestinationUserID', '') has \"{Indicator}\"\r\nor column_ifexists('DestinationUserName', '') has \"{Indicator}\"\r\nor column_ifexists('DisplayName', '') has \"{Indicator}\"\r\nor column_ifexists('Email_s', '') has \"{Indicator}\"\r\nor column_ifexists('FullyQualifiedSubjectUserName', '') has \"{Indicator}\"\r\nor column_ifexists('InitiatingProcessAccountUpn', '') has \"{Indicator}\" \r\nor column_ifexists('MailboxOwnerUPN', '') has \"{Indicator}\"\r\nor column_ifexists('Owner', '') has \"{Indicator}\"\r\nor column_ifexists('RequesterUpn', '') has \"{Indicator}\"\r\nor column_ifexists('SourceIdentity', '') has \"{Indicator}\"\r\nor column_ifexists('SourceUserID', '') has \"{Indicator}\"\r\nor column_ifexists('SourceUserName', '') has \"{Indicator}\"\r\nor column_ifexists('SubjectUserName', '') has \"{Indicator}\"\r\nor column_ifexists('TargetUser', '') has \"{Indicator}\"\r\nor column_ifexists('TargetUserName', '') has \"{Indicator}\"\r\nor column_ifexists('Upn', '') has \"{Indicator}\"\r\nor column_ifexists('User_s', '') has \"{Indicator}\"\r\nor column_ifexists('UserId', '') has \"{Indicator}\" \r\nor column_ifexists('UserId_', '') has \"{Indicator}\"\r\nor column_ifexists('UserId_s_s', '') has \"{Indicator}\" \r\nor column_ifexists('userName', '') has \"{Indicator}\"\r\nor column_ifexists('UserName', '') has \"{Indicator}\" \r\nor column_ifexists('UserName_s', '') has \"{Indicator}\"\r\nor column_ifexists('userPrincipalName_s', '') has \"{Indicator}\"\r\nor column_ifexists('UserPrincipalName_s', '') has \"{Indicator}\"\r\nor column_ifexists('UserPrincipalName', '') has \"{Indicator}\"\r\nor column_ifexists('Computer', '') has \"{Indicator}\"\r\nor column_ifexists('FileHash', '') has \"{Indicator}\"\r\nor column_ifexists('FilePath', '') has \"{Indicator}\"\r\nor column_ifexists('Process', '') has \"{Indicator}\"\r\nor column_ifexists('CommandLine', '') has \"{Indicator}\"\r\nor column_ifexists('NewProcessName', '') has \"{Indicator}\"\r\nor column_ifexists('ParentProcessName', '') has \"{Indicator}\"\r\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by Type\r\n| render areachart",
|
|
"size": 0,
|
|
"showAnalytics": true,
|
|
"title": "Indicators Observed over Time",
|
|
"noDataMessage": "No indicators observed within these thresholds",
|
|
"timeContextFromParameter": "TimeRange",
|
|
"showExportToExcel": true,
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "Data Table",
|
|
"formatter": 18,
|
|
"formatOptions": {
|
|
"thresholdsOptions": "icons",
|
|
"thresholdsGrid": [
|
|
{
|
|
"operator": "Default",
|
|
"thresholdValue": null,
|
|
"representation": "Log",
|
|
"text": "{0}{1}"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Logs Count",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "redBright"
|
|
}
|
|
}
|
|
],
|
|
"filter": true
|
|
}
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 4 - Copy"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "let tiObservables = ThreatIntelligenceIndicator\r\n | where TimeGenerated < now()\r\n | project IndicatorId, ThreatType, Description, Active, IndicatorTime = TimeGenerated, Indicator = strcat(NetworkSourceIP, NetworkIP, NetworkDestinationIP, Url, FileHashValue, EmailSourceIpAddress, EmailSenderAddress, DomainName), SourceSystem;\r\nlet alertEntity = SecurityAlert \r\n | project parse_json(Entities), SystemAlertId , AlertTime = TimeGenerated\r\n | mvexpand(Entities)\r\n | extend entity = iif(isnotempty(Entities.Address), Entities.Address,\r\n iif(isnotempty(Entities.HostName),strcat(Entities.HostName, \".\", Entities.DnsDomain),\r\n iif(isnotempty(Entities.Url), Entities.Url,\r\n iif(isnotempty(Entities.Value), Entities.Value,\r\n iif(Entities.Type == \"account\", strcat(Entities.Name,\"@\",Entities.UPNSuffix),\"\")))))\r\n | where isnotempty(entity) \r\n | project entity, SystemAlertId, AlertTime;\r\nlet IncidentAlerts = SecurityIncident\r\n | project IncidentTime = TimeGenerated, IncidentNumber, Title, parse_json(AlertIds)\r\n | mv-expand AlertIds\r\n | project IncidentTime, IncidentNumber, Title, tostring(AlertIds);\r\nlet AlertsWithTiObservables = alertEntity\r\n | join kind=inner tiObservables on $left.entity == $right.Indicator;\r\nlet IncidentsWithAlertsWithTiObservables = AlertsWithTiObservables\r\n | join kind=inner IncidentAlerts on $left.SystemAlertId == $right.AlertIds;\r\nIncidentsWithAlertsWithTiObservables\r\n| where Indicator contains '{Indicator}' or Indicator == \"*\"\r\n| summarize Incidents=dcount(IncidentNumber), Alerts=dcount(SystemAlertId) by Indicator, ThreatType, Source = SourceSystem, Description\r\n| sort by Incidents, Alerts desc",
|
|
"size": 0,
|
|
"showAnalytics": true,
|
|
"title": "Threat Intelligence Alerts",
|
|
"noDataMessage": "No indicators observed within these thresholds",
|
|
"timeContextFromParameter": "TimeRange",
|
|
"showExportToExcel": true,
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "ThreatType",
|
|
"formatter": 18,
|
|
"formatOptions": {
|
|
"thresholdsOptions": "icons",
|
|
"thresholdsGrid": [
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "Botnet",
|
|
"representation": "Command and Control",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "MaliciousUrl",
|
|
"representation": "Initial_Access",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "Malware",
|
|
"representation": "Execution",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "Phishing",
|
|
"representation": "Exfiltration",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "Default",
|
|
"thresholdValue": null,
|
|
"representation": "Pre attack",
|
|
"text": "{0}{1}"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Source",
|
|
"formatter": 18,
|
|
"formatOptions": {
|
|
"thresholdsOptions": "icons",
|
|
"thresholdsGrid": [
|
|
{
|
|
"operator": "Default",
|
|
"thresholdValue": null,
|
|
"representation": "success",
|
|
"text": "{0}{1}"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Incidents",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "redBright"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Alerts",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "orange"
|
|
}
|
|
}
|
|
],
|
|
"filter": true
|
|
}
|
|
},
|
|
"name": "query - 5"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "SecurityIncident\r\n| extend SystemAlertId = tostring(AlertIds[0])\r\n| join (SecurityAlert \r\n| where Entities <> \"\"\r\n| mv-expand parse_json(Entities)\r\n| where Entities contains '{Indicator}'\r\n| project SystemAlertId, Entities\r\n) on SystemAlertId\r\n| where Title <> \"\"\r\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\r\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\r\n| extend SeverityRank=iff(Severity == \"High\", 3, iff(Severity == \"Medium\", 2, iff(Severity == \"Low\", 1, iff(Severity == \"Informational\", 0, 0))))\r\n| sort by SeverityRank, IncidentNumber desc\r\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade, Entities\r\n| limit 2500",
|
|
"size": 0,
|
|
"showAnalytics": true,
|
|
"title": "Security Incidents",
|
|
"noDataMessage": "No incidents observed within these thresholds",
|
|
"timeContextFromParameter": "TimeRange",
|
|
"showExportToExcel": true,
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "Incident Name",
|
|
"formatter": 18,
|
|
"formatOptions": {
|
|
"thresholdsOptions": "icons",
|
|
"thresholdsGrid": [
|
|
{
|
|
"operator": "Default",
|
|
"thresholdValue": null,
|
|
"representation": "Alert",
|
|
"text": "{0}{1}"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Severity",
|
|
"formatter": 18,
|
|
"formatOptions": {
|
|
"thresholdsOptions": "icons",
|
|
"thresholdsGrid": [
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "High",
|
|
"representation": "Sev0",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "Medium",
|
|
"representation": "Sev1",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "Low",
|
|
"representation": "Sev2",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "Default",
|
|
"thresholdValue": null,
|
|
"representation": "Sev3",
|
|
"text": "{0}{1}"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "IncidentUrl",
|
|
"formatter": 7,
|
|
"formatOptions": {
|
|
"linkTarget": "OpenBlade",
|
|
"linkLabel": "Incident >>",
|
|
"bladeOpenContext": {
|
|
"bladeName": "CaseBlade",
|
|
"extensionName": "Microsoft_Azure_Security_Insights",
|
|
"bladeParameters": [
|
|
{
|
|
"name": "id",
|
|
"source": "column",
|
|
"value": "IncidentBlade"
|
|
}
|
|
]
|
|
}
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "IncidentBlade",
|
|
"formatter": 5
|
|
}
|
|
],
|
|
"rowLimit": 2500,
|
|
"filter": true,
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "IncidentNumber",
|
|
"sortOrder": 2
|
|
}
|
|
]
|
|
},
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "IncidentNumber",
|
|
"sortOrder": 2
|
|
}
|
|
]
|
|
},
|
|
"name": "query - 3"
|
|
}
|
|
]
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "TAB",
|
|
"comparison": "isEqualTo",
|
|
"value": "Observed"
|
|
},
|
|
"name": "Indicators Observed"
|
|
}
|
|
],
|
|
"fromTemplateId": "sentinel-ThreatIntelligence",
|
|
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
|
|
}
|