Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность
Azure-Sentinel/Workbooks/BETTER_MTD_Workbook.json

716 строки
22 KiB
JSON
Исходник Ответственный История

{
"version": "Notebook/1.0",
"items": [
{
"type": 1,
"content": {
"json": "## Better Mobile Threat Defense (MTD)"
},
"name": "text - Banner"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "521734b3-6af4-48dc-b622-3f3dd3e1bdeb",
"version": "KqlParameterItem/1.0",
"name": "time_token",
"label": "Timerange",
"type": 4,
"isRequired": true,
"value": {
"durationMs": 7776000000
},
"typeSettings": {
"selectableValues": [
{
"durationMs": 300000
},
{
"durationMs": 900000
},
{
"durationMs": 1800000
},
{
"durationMs": 3600000
},
{
"durationMs": 14400000
},
{
"durationMs": 43200000
},
{
"durationMs": 86400000
},
{
"durationMs": 172800000
},
{
"durationMs": 259200000
},
{
"durationMs": 604800000
},
{
"durationMs": 1209600000
},
{
"durationMs": 2419200000
},
{
"durationMs": 2592000000
},
{
"durationMs": 5184000000
},
{
"durationMs": 7776000000
}
],
"allowCustom": true
}
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "Overview - Parameters"
},
{
"type": 1,
"content": {
"json": "### Devices"
},
"name": "text - devices Header"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "BetterMTDDeviceLog_CL\r\n| distinct DeviceId_d, DevicePlatform_s\r\n| summarize count() by DevicePlatform_s\r\n| render piechart",
"size": 1,
"title": "Device Distribution by Platform",
"noDataMessage": "No device has Enrolled in the given time range",
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "time_token",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"customWidth": "50",
"name": "query - Device Distribution by Platform",
"styleSettings": {
"margin": "5px",
"padding": "5",
"maxWidth": "25%"
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "datatable (Count:long, threat_status:string, pos:long) [0,\"Safe\",1, 0,\"Medium Risk\",2, 0,\"High Risk\",3]\n|union\n(\nBetterMTDDeviceLog_CL\n| distinct DeviceUDID_g, ThreatLevel_s\n| extend threat_status = case(ThreatLevel_s == 'High' , \"High Risk\",\n ThreatLevel_s == 'Medium' , \"Medium Risk\",\n ThreatLevel_s == 'Low' ,\"Safe\",\n \"Pass\"\n )\n| where threat_status != \"Pass\"\n| extend pos = case(threat_status==\"High Risk\", 3, threat_status==\"Medium Risk\", 2, 1)\n| summarize Count = count() by threat_status, pos\n)\n| summarize Count=sum(Count) by threat_status, pos\n| sort by pos asc",
"size": 4,
"showAnalytics": true,
"title": "Devices Count By Threat Level",
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "time_token",
"exportFieldName": "threat_status",
"exportParameterName": "threat_status",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"tileSettings": {
"titleContent": {
"columnMatch": "threat_status",
"formatter": 18,
"formatOptions": {
"showIcon": true,
"thresholdsOptions": "colors",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "High Risk",
"representation": "red",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Medium Risk",
"representation": "yellow",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Safe",
"representation": "green",
"text": "{0}{1}"
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "blue",
"text": "{0}{1}"
}
]
}
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"showIcon": true
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"useGrouping": false,
"maximumFractionDigits": 2,
"maximumSignificantDigits": 3
},
"emptyValCustomText": "0"
}
},
"showBorder": true,
"sortCriteriaField": "status_count",
"sortOrderField": 1
},
"graphSettings": {
"type": 2,
"topContent": {
"columnMatch": "status",
"formatter": 1,
"formatOptions": {
"showIcon": true
}
},
"centerContent": {
"columnMatch": "status_count",
"formatter": 1,
"formatOptions": {
"showIcon": true
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
},
"nodeIdField": "status",
"nodeSize": null,
"staticNodeSize": 100,
"colorSettings": {
"nodeColorField": "status",
"type": 1,
"colorPalette": "default"
},
"hivesMargin": 5
}
},
"customWidth": "50",
"name": "Overview - Devices Count By Threat Level",
"styleSettings": {
"margin": "5px",
"padding": "5px",
"maxWidth": "50%"
}
},
{
"type": 1,
"content": {
"json": "### Incidents"
},
"name": "text - Threat Header"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "BetterMTDIncidentLog_CL\r\n| distinct ThreatId_d, ThreatCategory_s\r\n| summarize count() by ThreatCategory_s\r\n| render piechart \r\n",
"size": 1,
"title": "Incident Distribution by Threat Type",
"noDataMessage": "No Threat has been detected in the given time range",
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "time_token",
"exportToExcelOptions": "all",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"customWidth": "50",
"name": "query - Incident Distribution by Threat Type",
"styleSettings": {
"margin": "5px",
"padding": "5px",
"maxWidth": "25%"
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "BetterMTDIncidentLog_CL\r\n | distinct ThreatId_d, DevicePlatform_s\r\n| summarize count() by DevicePlatform_s\r\n| render piechart \r\n",
"size": 1,
"title": "Incident Distribution by Platform",
"noDataMessage": "No Threat has been detected in the given time range",
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "time_token",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"customWidth": "50",
"name": "query - Incident Distribution by Platform",
"styleSettings": {
"margin": "5px",
"padding": "5px",
"maxWidth": "25%"
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "datatable (Count:long, severity:string, status_count:long) [0,\"Low\",1, 0,\"Medium\",2, 0,\"High\",3]\n|union\n(\nBetterMTDIncidentLog_CL\n| distinct ThreatId_d, ThreatSeverity_s, Status_s\n| extend severity = case(ThreatSeverity_s == 'high' , \"High\",\n ThreatSeverity_s == 'medium' , \"Medium\",\n ThreatSeverity_s == 'low' ,\"Low\",\n \"Pass\"\n )\n| where severity != \"Pass\" \n| extend status_count = case(severity==\"High\", 3, severity==\"Medium\", 2, 1)\n| summarize Count = count() by severity, status_count\n)\n| summarize Count=sum(Count) by severity, status_count\n| sort by status_count asc",
"size": 4,
"showAnalytics": true,
"title": "Incidents Count By Severity",
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "time_token",
"exportFieldName": "severity",
"exportParameterName": "severity",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"tileSettings": {
"titleContent": {
"columnMatch": "severity",
"formatter": 18,
"formatOptions": {
"showIcon": true,
"thresholdsOptions": "colors",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "High",
"representation": "orange",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Medium",
"representation": "yellow",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Low",
"representation": "green",
"text": "{0}{1}"
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "blue",
"text": "{0}{1}"
}
]
}
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"showIcon": true
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"useGrouping": false,
"maximumFractionDigits": 2,
"maximumSignificantDigits": 3
},
"emptyValCustomText": "0"
}
},
"showBorder": true,
"sortCriteriaField": "status_count",
"sortOrderField": 1
},
"graphSettings": {
"type": 2,
"topContent": {
"columnMatch": "status",
"formatter": 1,
"formatOptions": {
"showIcon": true
}
},
"centerContent": {
"columnMatch": "status_count",
"formatter": 1,
"formatOptions": {
"showIcon": true
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
},
"nodeIdField": "status",
"nodeSize": null,
"staticNodeSize": 100,
"colorSettings": {
"nodeColorField": "status",
"type": 1,
"colorPalette": "default"
},
"hivesMargin": 5
}
},
"customWidth": "50",
"name": "Overview - Incidents Count By Severity",
"styleSettings": {
"progressStyle": "squares",
"margin": "5px",
"padding": "5px",
"maxWidth": "50%"
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "BetterMTDIncidentLog_CL\r\n| summarize count() by UserEmail_s \r\n| top 10 by count_\r\n",
"size": 1,
"title": "Top 10 Users by Threat Count",
"noDataMessage": "No Threat is Detected",
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "time_token",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table",
"showExpandCollapseGrid": true,
"gridSettings": {
"filter": true,
"labelSettings": [
{
"columnId": "UserEmail_s",
"label": "User Email"
},
{
"columnId": "count_",
"label": "Count"
}
]
}
},
"customWidth": "50",
"name": "query - Top 10 Users by Threat Count",
"styleSettings": {
"margin": "5px",
"padding": "5px",
"maxWidth": "40%",
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "BetterMTDIncidentLog_CL\r\n| distinct ThreatId_d, ThreatType_s\r\n| summarize count() by ThreatType_s\r\n| take 10 \r\n| render barchart \r\n",
"size": 3,
"title": "Top 10 Threat Types",
"noDataMessage": "No threat has been detected in the given time range",
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "time_token",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "query - Top 10 Threat Types",
"styleSettings": {
"margin": "5px",
"padding": "5px",
"maxWidth": "50%"
}
},
{
"type": 1,
"content": {
"json": "### Applications"
},
"name": "text - App Header"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "BetterMTDAppLog_CL\r\n| where AppStatus_s == \"installed\"\r\n| summarize count() by AppName_s, AppStatus_s, BundleId_s\r\n| top 10 by count_ ",
"size": 1,
"title": "Top 10 Installed Apps by Count",
"noDataMessage": "No App is installed in the given time period",
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "time_token",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "count_",
"formatter": 20,
"formatOptions": {
"min": 0,
"palette": "blue",
"aggregation": "Count"
}
}
],
"labelSettings": [
{
"columnId": "AppName_s",
"label": "App Name"
},
{
"columnId": "AppStatus_s",
"label": "App Status"
},
{
"columnId": "BundleId_s",
"label": "Bundele Id"
},
{
"columnId": "count_",
"label": "Count"
}
]
}
},
"customWidth": "50",
"name": "query - Top 10 Installed Apps by Count",
"styleSettings": {
"margin": "5px",
"padding": "5px",
"maxWidth": "50%"
}
},
{
"type": 1,
"content": {
"json": "### Netflow"
},
"name": "text - netflow Header"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "BetterMTDNetflowLog_CL\r\n| summarize AggregateValue = count() by Status_s\r\n| render piechart ",
"size": 1,
"title": "Netflow Count by Status",
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "time_token",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"customWidth": "50",
"name": "query - Netflow Count by Status",
"styleSettings": {
"margin": "5px",
"padding": "5px",
"maxWidth": "25%"
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "BetterMTDNetflowLog_CL\r\n| where Status_s == \"blocked\"\r\n| where not(ipv4_is_match(\"10.0.0.0\",Destination_s,8) or ipv4_is_match(\"172.16.0.0\",Destination_s,12) or ipv4_is_match(\"192.168.0.0\",Destination_s,16))\r\n| where isnotempty(DestinationCountryCode_s)\r\n| summarize Total = count() by ['destination_country_code'] = DestinationCountryCode_s\r\n| top 25 by Total",
"size": 0,
"title": "Netflow Destination on Map",
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "time_token",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "map",
"mapSettings": {
"locInfo": "CountryRegion",
"locInfoColumn": "destination_country_code",
"sizeSettings": "Total",
"sizeAggregation": "Sum",
"legendMetric": "Total",
"legendAggregation": "Sum",
"itemColorSettings": {
"nodeColorField": "Total",
"colorAggregation": "Sum",
"type": "heatmap",
"heatmapPalette": "greenRed"
}
}
},
"name": "query - Netflow Destination on Map",
"styleSettings": {
"margin": "5px",
"padding": "5px",
"maxWidth": "75%"
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "BetterMTDNetflowLog_CL\r\n| project Status_s, DeviceName_s, Username_s, SourceClient_s, SourceCountry_s, Destination_s, DestinationCountry_s\r\n| take 100\r\n",
"size": 1,
"title": "Netflow Monitor",
"noDataMessage": "No Netflow Log Detected",
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "time_token",
"exportToExcelOptions": "all",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table",
"gridSettings": {
"filter": true,
"sortBy": [
{
"itemKey": "SourceCountry_s",
"sortOrder": 1
}
],
"labelSettings": [
{
"columnId": "Status_s",
"label": "Status"
},
{
"columnId": "DeviceName_s",
"label": "Device Name"
},
{
"columnId": "Username_s",
"label": "Username"
},
{
"columnId": "SourceClient_s",
"label": "Source Client"
},
{
"columnId": "SourceCountry_s",
"label": "Source Country"
},
{
"columnId": "Destination_s",
"label": "Destination"
},
{
"columnId": "DestinationCountry_s",
"label": "Destination Country"
}
]
},
"sortBy": [
{
"itemKey": "SourceCountry_s",
"sortOrder": 1
}
],
"tileSettings": {
"showBorder": false
}
},
"customWidth": "100",
"name": "query - Netflow Monitor",
"styleSettings": {
"margin": "5px",
"padding": "5px",
"maxWidth": "100%",
"showBorder": true
}
},
{
"type": 1,
"content": {
"json": "### Total Log Count"
},
"name": "text - log overview"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "\nunion withsource=LogTableName *\n| where LogTableName == \"BetterMTDAppLog_CL\" or LogTableName == \"BetterMTDDeviceLog_CL\" or LogTableName == \"BetterMTDIncidentLog_CL\" or LogTableName == \"BetterMTDNetflowLog_CL\"\n| summarize count() by LogTableName\n| render piechart",
"size": 1,
"title": "BETTER MTD Log Count by Type",
"noDataMessage": "No Logs Recieved from BETTER MTD",
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "time_token",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"tileSettings": {
"titleContent": {
"columnMatch": "LogTableName",
"formatter": 1
},
"leftContent": {
"columnMatch": "count_",
"formatter": 12,
"formatOptions": {
"palette": "yellowOrangeRed"
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"useGrouping": false,
"maximumFractionDigits": 2,
"maximumSignificantDigits": 3
}
}
},
"showBorder": true,
"sortCriteriaField": "count_",
"sortOrderField": 1
}
},
"customWidth": "50",
"name": "query - BETTER MTD Log Count by Type"
}
],
"fromTemplateId": "sentinel-BetterMTD",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}
Ссылка в новой задаче Показать git blame Копировать постоянную ссылку