{
|
|
"version": "Notebook/1.0",
|
|
"items": [
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "## Check Point Software Technologies"
|
|
},
|
|
"name": "text - 8"
|
|
},
|
|
{
|
|
"type": 9,
|
|
"content": {
|
|
"version": "KqlParameterItem/1.0",
|
|
"query": "",
|
|
"crossComponentResources": [],
|
|
"parameters": [
|
|
{
|
|
"id": "932ebcf0-a1ca-48c6-bad4-a7001c05fba2",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "TimeRange",
|
|
"type": 4,
|
|
"isRequired": true,
|
|
"value": {
|
|
"durationMs": 7776000000
|
|
},
|
|
"typeSettings": {
|
|
"selectableValues": [
|
|
{
|
|
"durationMs": 300000
|
|
},
|
|
{
|
|
"durationMs": 900000
|
|
},
|
|
{
|
|
"durationMs": 1800000
|
|
},
|
|
{
|
|
"durationMs": 3600000
|
|
},
|
|
{
|
|
"durationMs": 14400000
|
|
},
|
|
{
|
|
"durationMs": 43200000
|
|
},
|
|
{
|
|
"durationMs": 86400000
|
|
},
|
|
{
|
|
"durationMs": 172800000
|
|
},
|
|
{
|
|
"durationMs": 259200000
|
|
},
|
|
{
|
|
"durationMs": 604800000
|
|
},
|
|
{
|
|
"durationMs": 1209600000
|
|
},
|
|
{
|
|
"durationMs": 2419200000
|
|
},
|
|
{
|
|
"durationMs": 2592000000
|
|
},
|
|
{
|
|
"durationMs": 5184000000
|
|
},
|
|
{
|
|
"durationMs": 7776000000
|
|
}
|
|
],
|
|
"allowCustom": true
|
|
}
|
|
},
|
|
{
|
|
"id": "a5abcf5b-7db3-4424-8dd7-7c8b8821caaf",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "DeviceProducts",
|
|
"type": 2,
|
|
"isRequired": true,
|
|
"multiSelect": true,
|
|
"quote": "'",
|
|
"delimiter": ",",
|
|
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Check Point\"\r\n| summarize Count = count() by DeviceProduct\r\n| project Value = DeviceProduct, Label = strcat(DeviceProduct, \": \", Count)",
|
|
"value": [
|
|
"value::all"
|
|
],
|
|
"typeSettings": {
|
|
"additionalResourceOptions": [
|
|
"value::all"
|
|
],
|
|
"selectAllValue": "All",
|
|
"showDefault": false
|
|
},
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
{
|
|
"id": "8d31f627-c863-4479-accb-6b14241f8e4a",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "LogSeverity",
|
|
"type": 2,
|
|
"isRequired": true,
|
|
"multiSelect": true,
|
|
"quote": "'",
|
|
"delimiter": ",",
|
|
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Check Point\"\r\n| summarize Count = count() by LogSeverity\r\n| project Value = LogSeverity, Label = strcat(LogSeverity, \": \", Count)",
|
|
"value": [
|
|
"value::all"
|
|
],
|
|
"typeSettings": {
|
|
"additionalResourceOptions": [
|
|
"value::all"
|
|
],
|
|
"selectAllValue": "All"
|
|
},
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
}
|
|
],
|
|
"style": "pills",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
"name": "parameters - 0"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "let data = CommonSecurityLog\r\n| where DeviceVendor == \"Check Point\"\r\n| where DeviceProduct in ({DeviceProducts}) or '{DeviceProducts:label}' == \"All\";\r\ndata\r\n| summarize Count = count() by DeviceProduct\r\n| join kind = fullouter (datatable(DeviceProduct:string)['OneDrive', 'SharePoint']) on DeviceProduct\r\n| project DeviceProduct = iff(DeviceProduct == '', DeviceProduct1, DeviceProduct), Count = iff(DeviceProduct == '', 0, Count)\r\n| join kind = inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by DeviceProduct)\r\n on DeviceProduct\r\n| project-away DeviceProduct1, TimeGenerated\r\n| extend DeviceProduct = DeviceProduct\r\n| union (\r\n data \r\n | summarize Count = count() \r\n | extend jkey = 1\r\n | join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\r\n | extend jkey = 1) on jkey\r\n | extend DeviceProduct = 'All', DeviceProducts = '*' \r\n)\r\n| order by Count desc\r\n| take 10\r\n",
|
|
"size": 4,
|
|
"exportToExcelOptions": "visible",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "tiles",
|
|
"gridSettings": {
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "Logs",
|
|
"sortOrder": 2
|
|
}
|
|
],
|
|
"labelSettings": []
|
|
},
|
|
"tileSettings": {
|
|
"titleContent": {
|
|
"columnMatch": "DeviceProduct",
|
|
"formatter": 1,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
"leftContent": {
|
|
"columnMatch": "Count",
|
|
"formatter": 12,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
},
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"style": "decimal",
|
|
"maximumFractionDigits": 2,
|
|
"maximumSignificantDigits": 3
|
|
}
|
|
}
|
|
},
|
|
"secondaryContent": {
|
|
"columnMatch": "Trend",
|
|
"formatter": 9,
|
|
"formatOptions": {
|
|
"palette": "pink",
|
|
"showIcon": true
|
|
}
|
|
},
|
|
"showBorder": false
|
|
}
|
|
},
|
|
"name": "query - 3"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog\r\n| where DeviceProduct in ({DeviceProducts}) or '{DeviceProducts:label}' == \"All\"\r\n| where LogSeverity in ({LogSeverity}) or '{LogSeverity:label}' == \"All\"\r\n| where DeviceVendor == \"Check Point\"// and DeviceProduct in~ (\"Application Control\", \"URL Filtering\")\r\n| summarize count() by bin(TimeGenerated, 1d),LogSeverity",
|
|
"size": 0,
|
|
"exportToExcelOptions": "visible",
|
|
"title": "Application and URL filtering, by severity",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "categoricalbar"
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 1"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Check Point\"\r\n| where DeviceProduct in ({DeviceProducts}) or '{DeviceProducts:label}' == \"All\"\r\n| where LogSeverity in ({LogSeverity}) or '{LogSeverity:label}' == \"All\"\r\n| project origin = extract(\"origin=([^;]+)\",1,AdditionalExtensions), loguid = extract(\"loguid=([^;]+)\",1,AdditionalExtensions)\r\n| summarize ['Number of log Ids'] = dcount(loguid), ['Number of logs']=count() by origin\r\n//| summarize Count=count() by origin, loguid\r\n| order by ['Number of logs']\r\n",
|
|
"size": 0,
|
|
"exportToExcelOptions": "visible",
|
|
"title": "Number of logs by IP address",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "origin",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Number of log Ids",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"min": 0,
|
|
"palette": "blue",
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Number of logs",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"min": 0,
|
|
"palette": "purple",
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Count",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"min": 0,
|
|
"palette": "purple",
|
|
"showIcon": true
|
|
}
|
|
}
|
|
],
|
|
"labelSettings": []
|
|
}
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 2"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Check Point\" and DeviceProduct =~ \"Anti Malware\" and LogSeverity in~ (\"Medium\", \"High\", \"Critical\") and FlexNumber1 in (3,4,5) and DeviceCustomString3 in~ (\"DNS Reputation\",\"URL Reputation\",\"IP Reputation\")\r\n| summarize count() by SourceIP\r\n| summarize Count = count() , Title = \"Number of Infected Hosts\"",
|
|
"size": 4,
|
|
"exportToExcelOptions": "visible",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "tiles",
|
|
"tileSettings": {
|
|
"titleContent": {
|
|
"columnMatch": "Title",
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
"rightContent": {
|
|
"columnMatch": "Count",
|
|
"formatter": 12,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
"showBorder": false
|
|
}
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 4"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Check Point\"\r\n| where DeviceProduct in ({DeviceProducts}) or '{DeviceProducts:label}' == \"All\"\r\n| where LogSeverity in ({LogSeverity}) or '{LogSeverity:label}' == \"All\"\r\n| project origin = extract(\"origin=([^;]+)\",1,AdditionalExtensions), loguid = extract(\"loguid=([^;]+)\",1,AdditionalExtensions)\r\n| summarize dcount(loguid) by origin\r\n| summarize Count = count(), Titel = \"Number of Gateways and Servers\"",
|
|
"size": 4,
|
|
"exportToExcelOptions": "visible",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "tiles",
|
|
"tileSettings": {
|
|
"showBorder": false,
|
|
"titleContent": {
|
|
"columnMatch": "Titel",
|
|
"formatter": 1
|
|
},
|
|
"leftContent": {
|
|
"columnMatch": "Count",
|
|
"formatter": 12,
|
|
"formatOptions": {
|
|
"palette": "auto"
|
|
},
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 5"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Check Point\" \r\n| where DeviceProduct in ({DeviceProducts}) or '{DeviceProducts:label}' == \"All\"\r\n| where LogSeverity in ({LogSeverity}) or '{LogSeverity:label}' == \"All\"\r\n| where DeviceProduct =~ \"Anti Malware\" and LogSeverity in~ (\"Medium\", \"High\", \"Critical\") and FlexNumber1 in (3,4,5) and DeviceCustomString3 in~ (\"DNS Reputation\",\"URL Reputation\",\"IP Reputation\")\r\n| summarize Amount = count() by SourceIP",
|
|
"size": 0,
|
|
"exportToExcelOptions": "visible",
|
|
"title": "Infected hosts",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "SourceIP",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Amount",
|
|
"formatter": 20,
|
|
"formatOptions": {
|
|
"palette": "gray",
|
|
"showIcon": true
|
|
}
|
|
}
|
|
],
|
|
"filter": true,
|
|
"labelSettings": []
|
|
}
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 6"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Check Point\"\r\n| where DeviceProduct in ({DeviceProducts}) or '{DeviceProducts:label}' == \"All\"\r\n| where LogSeverity in ({LogSeverity}) or '{LogSeverity:label}' == \"All\"\r\n| project origin = extract(\"origin=([^;]+)\",1,AdditionalExtensions), loguid = extract(\"loguid=([^;]+)\",1,AdditionalExtensions)\r\n| summarize Logins = dcount(loguid), Count = count() by Origin = origin\r\n| order by Logins, Count",
|
|
"size": 0,
|
|
"exportToExcelOptions": "visible",
|
|
"title": "Gateways and Servers",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "Origin",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Logins",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"min": 0,
|
|
"palette": "blue",
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Count",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"min": 0,
|
|
"palette": "orange",
|
|
"showIcon": true
|
|
}
|
|
}
|
|
],
|
|
"labelSettings": []
|
|
}
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 7"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "let data = CommonSecurityLog\r\n| where DeviceVendor == \"Check Point\"\r\n| where DeviceProduct in ({DeviceProducts}) or '{DeviceProducts:label}' == \"All\"\r\n| where LogSeverity in ({LogSeverity}) or '{LogSeverity:label}' == \"All\"\r\n| where DeviceProduct in~ (\"Anti-Bot\", \"Anti-Virus\", \"DDoS Protector\", \"IPS\", \"Threat Emulation\") and FlexNumber1 in (3,4,5) and LogSeverity in~ (\"Medium\", \"High\", \"Very-High\") and DeviceAction in~ (\"Detect\",\"Prevent\");\r\nlet appData = data\r\n| summarize TotalCount = count() by DeviceAction\r\n| join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by DeviceAction\r\n | project-away TimeGenerated) on DeviceAction\r\n| order by TotalCount desc, DeviceAction asc\r\n| project DeviceAction, TotalCount, Trend\r\n| serialize Id = row_number();\r\ndata\r\n| summarize TotalCount = count() by DeviceProduct , DeviceAction\r\n| join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by DeviceAction, DeviceProduct, LogSeverity\r\n | project-away TimeGenerated) on DeviceAction, DeviceProduct\r\n| order by TotalCount desc, DeviceAction asc\r\n| project DeviceAction, DeviceProduct, TotalCount, Trend\r\n| serialize Id = row_number(1000000)\r\n| join kind=inner (appData) on DeviceAction\r\n| project Id, Name = DeviceProduct, Type = 'DeviceProduct', ['DeviceProduct Count'] = TotalCount, Trend, ParentId = Id1\r\n| union (appData \r\n | project Id, Name = DeviceAction, Type = 'DeviceAction', ['DeviceProduct Count'] = TotalCount, Trend )\r\n| order by ['DeviceProduct Count'] desc, Name asc\r\n",
|
|
"size": 0,
|
|
"exportToExcelOptions": "visible",
|
|
"title": "Attack actions, by policy",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "table",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "Id",
|
|
"formatter": 5,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Name",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Type",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "DeviceProduct Count",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"min": 0,
|
|
"palette": "purple",
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Trend",
|
|
"formatter": 9,
|
|
"formatOptions": {
|
|
"palette": "blue",
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "ParentId",
|
|
"formatter": 5,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
}
|
|
],
|
|
"filter": true,
|
|
"hierarchySettings": {
|
|
"idColumn": "Id",
|
|
"parentColumn": "ParentId",
|
|
"treeType": 0,
|
|
"expanderColumn": "Name"
|
|
},
|
|
"labelSettings": []
|
|
}
|
|
},
|
|
"name": "query - 9"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Check Point\"\r\n| where DeviceProduct in ({DeviceProducts}) or '{DeviceProducts:label}' == \"All\"\r\n| where LogSeverity in ({LogSeverity}) or '{LogSeverity:label}' == \"All\"\r\n//| where FlexNumber1 in (3,4,5) and LogSeverity in~ (\"High\", \"Very-High\", \"Critical\")\r\n| summarize Count = count() by LogSeverity, Message, DeviceProduct, SourceIP\r\n| order by Count",
|
|
"size": 0,
|
|
"exportToExcelOptions": "visible",
|
|
"title": "Log severity detailed",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "table",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "$gen_group",
|
|
"formatter": 18,
|
|
"formatOptions": {
|
|
"showIcon": true,
|
|
"thresholdsOptions": "icons",
|
|
"thresholdsGrid": [
|
|
{
|
|
"operator": "contains",
|
|
"thresholdValue": "High",
|
|
"representation": "error",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "contains",
|
|
"thresholdValue": "Medium",
|
|
"representation": "2",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"thresholdValue": "Critical",
|
|
"representation": "critical",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "Default",
|
|
"thresholdValue": null,
|
|
"representation": "1",
|
|
"text": "{0}{1}"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "LogSeverity",
|
|
"formatter": 5,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Message",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true,
|
|
"aggregation": "Unique"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "DeviceProduct",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true,
|
|
"aggregation": "Unique"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "SourceIP",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true,
|
|
"aggregation": "Unique"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Count",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"min": 0,
|
|
"palette": "purpleBlue",
|
|
"showIcon": true,
|
|
"aggregation": "Sum"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "TimeGenerated",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "DeviceAction",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "count_",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
}
|
|
],
|
|
"rowLimit": 1000,
|
|
"filter": true,
|
|
"hierarchySettings": {
|
|
"treeType": 1,
|
|
"groupBy": [
|
|
"LogSeverity"
|
|
],
|
|
"expandTopLevel": false
|
|
},
|
|
"labelSettings": []
|
|
}
|
|
},
|
|
"name": "query - 10"
|
|
}
|
|
],
|
|
"styleSettings": {},
|
|
"fromTemplateId": "sentinel-CheckPoint",
|
|
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
|
|
} |