{
"version": "Notebook/1.0",
"items": [
{
"type": 1,
"content": {
"json": "## Cisco"
},
"name": "text - 2"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"query": "",
"crossComponentResources": [],
"parameters": [
{
"id": "94910267-b8f6-4b30-aa2f-e5780ad9738e",
"version": "KqlParameterItem/1.0",
"name": "TimeRange",
"type": 4,
"isRequired": true,
"value": {
"durationMs": 7776000000
},
"typeSettings": {
"selectableValues": [
{
"durationMs": 300000
},
{
"durationMs": 900000
},
{
"durationMs": 1800000
},
{
"durationMs": 3600000
},
{
"durationMs": 14400000
},
{
"durationMs": 43200000
},
{
"durationMs": 86400000
},
{
"durationMs": 172800000
},
{
"durationMs": 259200000
},
{
"durationMs": 604800000
},
{
"durationMs": 1209600000
},
{
"durationMs": 2419200000
},
{
"durationMs": 2592000000
},
{
"durationMs": 5184000000
},
{
"durationMs": 7776000000
}
],
"allowCustom": true
}
},
{
"id": "bb491a9f-3089-4a2e-a6de-e7efbc77e7f6",
"version": "KqlParameterItem/1.0",
"name": "DeviceAddress",
"label": "Device Address",
"type": 2,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "CommonSecurityLog\r\n| where DeviceProduct =~ 'ASA'\r\n| where DeviceVendor =~ 'Cisco'\r\n| distinct DeviceAddress",
"value": [
"value::all"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
],
"selectAllValue": "All"
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 1"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "//Count by Action\r\nlet data = CommonSecurityLog\r\n| where DeviceProduct =~ 'ASA'\r\n| where DeviceVendor =~ 'Cisco'\r\n| where DeviceAction != ''\r\n| where \"{DeviceAddress:lable}\" == \"All\" or DeviceAddress in ({DeviceAddress});\r\ndata\r\n| summarize Count = count() by SimplifiedDeviceAction\r\n| join kind = inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SimplifiedDeviceAction)\r\n on SimplifiedDeviceAction\r\n| project-away SimplifiedDeviceAction1, TimeGenerated\r\n| extend SimplifiedDeviceActions = SimplifiedDeviceAction\r\n| union (\r\n data \r\n | summarize Count = count() \r\n | extend jkey = 1\r\n | join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\r\n | extend jkey = 1) on jkey\r\n | extend SimplifiedDeviceAction = 'All', SimplifiedDeviceActions = '*' \r\n)\r\n| order by Count desc\r\n| take 10",
"size": 3,
"exportFieldName": "SimplifiedDeviceAction",
"exportParameterName": "SelectedDeviceAction",
"exportDefaultValue": "All",
"exportToExcelOptions": "visible",
"title": "Events, by action",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"tileSettings": {
"titleContent": {
"columnMatch": "SimplifiedDeviceAction",
"formatter": 1,
"formatOptions": {
"showIcon": true
}
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"palette": "auto",
"showIcon": true
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
},
"secondaryContent": {
"columnMatch": "Trend",
"formatter": 9,
"formatOptions": {
"showIcon": true
}
},
"showBorder": false
}
},
"customWidth": "33",
"name": "Events by action"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "//Count by Severity\r\nlet data = CommonSecurityLog\r\n| where DeviceProduct =~ 'ASA'\r\n| where DeviceVendor =~ 'Cisco'\r\n| where \"{DeviceAddress:lable}\" == \"All\" or DeviceAddress in ({DeviceAddress});\r\ndata\r\n| summarize Count = count() by LogSeverity\r\n| join kind = inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by LogSeverity)\r\n on LogSeverity\r\n| project-away LogSeverity1, TimeGenerated\r\n| extend LogSeveritys = LogSeverity\r\n| union (\r\n data \r\n | summarize Count = count() \r\n | extend jkey = 1\r\n | join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\r\n | extend jkey = 1) on jkey\r\n | extend LogSeverity = 'All', LogSeveritys = '*' \r\n)\r\n| order by Count desc, LogSeverity asc\r\n| take 10",
"size": 3,
"exportFieldName": "LogSeverity",
"exportParameterName": "SelectedLogSeverity",
"exportDefaultValue": "All",
"exportToExcelOptions": "visible",
"title": "Severity, by volume",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"tileSettings": {
"titleContent": {
"columnMatch": "LogSeverity",
"formatter": 1,
"formatOptions": {
"showIcon": true
}
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"palette": "auto",
"showIcon": true
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
},
"secondaryContent": {
"columnMatch": "Trend",
"formatter": 9,
"formatOptions": {
"showIcon": true
}
},
"showBorder": false,
"sortCriteriaField": "LogSeverity",
"sortOrderField": 1
}
},
"customWidth": "33",
"name": "Severity by volume"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "//volume by time\r\nCommonSecurityLog\r\n| where DeviceVendor =~ 'Cisco'\r\n| where DeviceProduct =~ 'ASA'\r\n| where \"{DeviceAddress:lable}\" == \"All\" or DeviceAddress in ({DeviceAddress})\r\n| where '{SelectedDeviceAction}' == \"All\" or '{SelectedDeviceAction}' == SimplifiedDeviceAction\r\n| where '{SelectedLogSeverity}' == \"All\" or '{SelectedLogSeverity}' == LogSeverity\r\n| summarize Volme=count() by bin(TimeGenerated,{TimeRange:grain})",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Event trends, by time",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "timechart"
},
"customWidth": "50",
"name": "Severity"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "//volume by time\r\nCommonSecurityLog\r\n| where DeviceVendor =~ 'Cisco'\r\n| where DeviceProduct =~ 'ASA'\r\n| where \"{DeviceAddress:lable}\" == \"All\" or DeviceAddress in ({DeviceAddress})\r\n| where '{SelectedDeviceAction}' == \"All\" or '{SelectedDeviceAction}' == SimplifiedDeviceAction\r\n| where '{SelectedLogSeverity}' == \"All\" or '{SelectedLogSeverity}' == LogSeverity\r\n| summarize Volume=count() by LogSeverity, bin(TimeGenerated, {TimeRange:grain})",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Event severity, by time",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "timechart"
},
"customWidth": "50",
"name": "Event severity by time"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceProduct =~ 'ASA'\r\n| where DeviceVendor =~ 'Cisco'\r\n| where '{DeviceAddress:label}' == \"All\" or DeviceAddress in ({DeviceAddress})\r\n| where '{SelectedDeviceAction}' == \"All\" or '{SelectedDeviceAction}' == SimplifiedDeviceAction\r\n| where '{SelectedLogSeverity}' == \"All\" or '{SelectedLogSeverity}' == LogSeverity\r\n| project TimeGenerated, LogSeverity, DeviceAction, SimplifiedDeviceAction, DeviceAddress, DestinationPort, DestinationIP, Message, Protocol, SourcePort, SourceIP\r\n| sort by TimeGenerated desc",
"size": 0,
"exportToExcelOptions": "visible",
"title": "All events, by time",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table",
"gridSettings": {
"filter": true,
"labelSettings": []
}
},
"name": "All events, by time"
},
{
"type": 1,
"content": {
"json": "---"
},
"name": "text - 6"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "//no. of concurrent sessions\r\nCommonSecurityLog\r\n| where DeviceProduct =~ 'ASA'\r\n| where DeviceVendor =~ 'Cisco'\r\n| where '{DeviceAddress:label}' == \"All\" or DeviceAddress in ({DeviceAddress})\r\n| where DeviceEventClassID == '302010'\r\n| extend ConcurrentSession= extract('%ASA-6-302010: ([0-9]*?) in use,',1,Message)\r\n| summarize AvgSession=avg(toint(ConcurrentSession)) by TimeGenerated",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Average concurrent sessions, by time",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "timechart"
},
"customWidth": "33",
"name": "concurrent"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "//Max Sessions\r\nCommonSecurityLog\r\n| where DeviceProduct =~ 'ASA'\r\n| where DeviceVendor =~ 'Cisco'\r\n| where '{DeviceAddress:label}' == \"All\" or DeviceAddress in ({DeviceAddress})\r\n| where DeviceEventClassID == '302010'\r\n| extend MaxSessions= extract('%ASA-6-302010:.*, ([0-9].*?) most used',1,Message)\r\n| summarize AvgSession=avg(toint(MaxSessions)) by TimeGenerated\r\n",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Average max concurrent sessions, by time",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "timechart"
},
"customWidth": "33",
"name": "max concurrent"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "//top 5 reason for packet drop\r\nCommonSecurityLog\r\n| where DeviceProduct =~ 'ASA'\r\n| where DeviceVendor =~ 'Cisco'\r\n| where '{DeviceAddress:label}' == \"All\" or DeviceAddress in ({DeviceAddress})\r\n| where DeviceEventClassID == '733100'\r\n| extend TrafficType= extract('%ASA-4-733100: \\\\[(.*?)\\\\]',1,Message)\r\n| project TrafficType\r\n| summarize AttackCount=count() by TrafficType\r\n| top 5 by AttackCount desc",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Top 5 reasons for packet drop",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "TrafficType",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "AttackCount",
"formatter": 4,
"formatOptions": {
"palette": "coldHot",
"showIcon": true
}
}
],
"labelSettings": []
}
},
"customWidth": "30",
"name": "Top 5 reasons for packet drop"
},
{
"type": 1,
"content": {
"json": "---\r\n## Firewall log trends and activities"
},
"name": "text - 14"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "//Communication direction count by time\r\nCommonSecurityLog\r\n| where DeviceProduct =~ 'ASA'\r\n| where DeviceVendor =~ 'Cisco'\r\n| where '{DeviceAddress:label}' == \"All\" or DeviceAddress in ({DeviceAddress})\r\n| where CommunicationDirection != ''\r\n| summarize DirectionVolume=count() by CommunicationDirection, bin(TimeGenerated, {TimeRange:grain})",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Inbound Outbound Time Trend",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "timechart"
},
"customWidth": "25",
"name": "Inbound Outbound Time Trend"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "//out bound\r\nCommonSecurityLog\r\n| where DeviceProduct =~ 'ASA'\r\n| where DeviceVendor =~ 'Cisco'\r\n| where '{DeviceAddress:label}' == \"All\" or DeviceAddress in ({DeviceAddress})\r\n| where CommunicationDirection contains 'outbound'\r\n| summarize TrafficVolume=count() by SimplifiedDeviceAction, TimeGenerated\r\n",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Outbound traffic connection, by time",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "timechart"
},
"customWidth": "25",
"name": "Outbound traffic connection by time"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "//allowd vs denied for in bound\r\nCommonSecurityLog\r\n| where DeviceProduct =~ 'ASA'\r\n| where DeviceVendor =~ 'Cisco'\r\n| where '{DeviceAddress:label}' == \"All\" or DeviceAddress in ({DeviceAddress})\r\n| where CommunicationDirection contains 'inbound'\r\n| where SimplifiedDeviceAction in ('Deny', 'Allow')\r\n| summarize TrafficVolume=count() by SimplifiedDeviceAction, TimeGenerated",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Inbound traffic events, by time",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "timechart"
},
"customWidth": "25",
"name": "Inbound traffic events by time"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "//Communication direction count\r\nCommonSecurityLog\r\n| where DeviceProduct =~ 'ASA'\r\n| where DeviceVendor =~ 'Cisco'\r\n| where '{DeviceAddress:label}' == \"All\" or DeviceAddress in ({DeviceAddress})\r\n| where CommunicationDirection != ''\r\n| summarize DirectionVolume=count() by CommunicationDirection\r\n",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Summary of inbound and outbound traffic",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "timechart"
},
"customWidth": "25",
"name": "Summary of inbound and outbound traffic"
},
{
"type": 1,
"content": {
"json": "---\r\n## Top 5 allowed and blocked ports"
},
"name": "text - 15"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "//top 5 port inbound Allow \r\nCommonSecurityLog \r\n| where DeviceProduct =~ 'ASA' \r\n| where DeviceVendor =~ 'Cisco' \r\n| where '{DeviceAddress:label}' == \"All\" or DeviceAddress in ({DeviceAddress})\r\n| where DeviceEventClassID == '106100' \r\n | where SimplifiedDeviceAction == 'Allow' \r\n//| where Message contains ' -> inside' \r\n| extend DestinationPortS=tostring(DestinationPort) \r\n| summarize PortCount=count() by DestinationPortS \r\n| top 5 by PortCount desc",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Top 5 allowed inbound ports",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "DestinationPortS",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "PortCount",
"formatter": 4,
"formatOptions": {
"showIcon": true
}
}
],
"labelSettings": []
}
},
"customWidth": "25",
"name": "Top 5 allowed inbound ports"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "//top 5 port inbound deny\r\nCommonSecurityLog\r\n| where DeviceProduct =~ 'ASA'\r\n| where DeviceVendor =~ 'Cisco'\r\n| where '{DeviceAddress:label}' == \"All\" or DeviceAddress in ({DeviceAddress})\r\n| where CommunicationDirection contains 'inbound'\r\n | where SimplifiedDeviceAction == 'Deny'\r\n| extend DestinationPortS=tostring(DestinationPort)\r\n| summarize PortCount=count() by DestinationPortS\r\n| top 5 by PortCount desc",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Top 5 blocked inbound ports",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "DestinationPortS",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "PortCount",
"formatter": 4,
"formatOptions": {
"showIcon": true
}
}
],
"labelSettings": []
}
},
"customWidth": "25",
"name": "Top 5 blocked inbound ports"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "//top 5 port outbound Allow\r\nCommonSecurityLog\r\n| where DeviceProduct =~ 'ASA'\r\n| where DeviceVendor =~ 'Cisco'\r\n| where '{DeviceAddress:label}' == \"All\" or DeviceAddress in ({DeviceAddress})\r\n| where DeviceEventClassID == '106100'\r\n | where SimplifiedDeviceAction == 'Allow'\r\n//| where Message contains ' -> management'\r\n| extend DestinationPortS=tostring(DestinationPort)\r\n| summarize PortCount=count() by DestinationPortS\r\n| top 5 by PortCount desc\r\n",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Top 5 allowed outbound ports",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "DestinationPortS",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "PortCount",
"formatter": 4,
"formatOptions": {
"showIcon": true
}
}
],
"labelSettings": []
}
},
"customWidth": "25",
"name": "Top 5 allowed outbound ports"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "//Top 5 Outbound Ports Denied\r\nCommonSecurityLog\r\n| where DeviceProduct =~ 'ASA'\r\n| where DeviceVendor =~ 'Cisco'\r\n| where '{DeviceAddress:label}' == \"All\" or DeviceAddress in ({DeviceAddress})\r\n| where CommunicationDirection contains'outbound'\r\n| where SimplifiedDeviceAction =='Deny'\r\n| extend DestinationPortS=tostring(DestinationPort)\r\n| summarize PortCount=count() by DestinationPortS\r\n| top 5 by PortCount desc ",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Top 5 denied outbound ports",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "DestinationPortS",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "PortCount",
"formatter": 4,
"formatOptions": {
"showIcon": true
}
}
],
"labelSettings": []
}
},
"customWidth": "25",
"name": "Top 5 denied outbound ports"
},
{
"type": 1,
"content": {
"json": "---\r\n## Top 5 allowed and blocked IP addresses"
},
"name": "text - 20"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "//top 5 protocol Deny\r\nCommonSecurityLog\r\n| where DeviceProduct =~ 'ASA'\r\n| where DeviceVendor =~ 'Cisco'\r\n| where '{DeviceAddress:label}' == \"All\" or DeviceAddress in ({DeviceAddress})\r\n| where Protocol != ''\r\n| where SimplifiedDeviceAction == 'Deny'\r\n| summarize ProtocolCount= count() by Protocol\r\n| top 5 by ProtocolCount\r\n",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Top 5 denied protocols",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "25",
"name": "Top 5 denied protocols"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "//top 5 protocol Allow\r\nCommonSecurityLog\r\n| where DeviceProduct =~ 'ASA'\r\n| where DeviceVendor =~ 'Cisco'\r\n| where '{DeviceAddress:label}' == \"All\" or DeviceAddress in ({DeviceAddress})\r\n| where Protocol != ''\r\n| where SimplifiedDeviceAction == 'Allow'\r\n| summarize ProtocolCount= count() by Protocol\r\n| top 5 by ProtocolCount",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Top 5 allowed protocols",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "25",
"name": "Top 5 allowed protocols"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "//Top 5 Inbound Destination IP Addresses Blocked \r\nCommonSecurityLog \r\n| where DeviceProduct =~ 'ASA' \r\n| where DeviceVendor =~ 'Cisco' \r\n| where '{DeviceAddress:label}' == \"All\" or DeviceAddress in ({DeviceAddress})\r\n| where CommunicationDirection contains 'inbound' \r\n| where SimplifiedDeviceAction == 'Deny' \r\n| summarize IpCount= count() by DestinationIP \r\n| top 5 by IpCount desc nulls last ",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Top 5 blocked inbound destination IP addresses",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "DestinationIP",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "IpCount",
"formatter": 4,
"formatOptions": {
"showIcon": true
}
}
],
"labelSettings": []
}
},
"customWidth": "25",
"name": "Top 5 blocked inbound destination IP addresses"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "//Top 5 Inbound Destination IP Addresses Allowed \r\nCommonSecurityLog \r\n| where DeviceProduct =~ 'ASA' \r\n| where DeviceVendor =~ 'Cisco' \r\n| where '{DeviceAddress:label}' == \"All\" or DeviceAddress in ({DeviceAddress})\r\n| where CommunicationDirection contains 'inbound' \r\n| where DestinationIP != '' \r\n| where SimplifiedDeviceAction == 'Allow' or SimplifiedDeviceAction == 'Built' \r\n| summarize IpCount= count() by DestinationIP \r\n| top 5 by IpCount desc nulls last",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Top 5 allowed inbound destination IP addresses",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "DestinationIP",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "IpCount",
"formatter": 4,
"formatOptions": {
"showIcon": true
}
}
],
"labelSettings": []
}
},
"customWidth": "25",
"name": "Top 5 allowed inbound destination IP addresses"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "//top 5 outbound deny dst ip\r\nCommonSecurityLog\r\n| where DeviceProduct =~ 'ASA'\r\n| where DeviceVendor =~ 'Cisco'\r\n| where '{DeviceAddress:label}' == \"All\" or DeviceAddress in ({DeviceAddress})\r\n| where DeviceEventClassID == '106100'\r\n | where SimplifiedDeviceAction == 'Deny'\r\n//| where Message contains ' -> management'\r\n| summarize IpCount= count() by DestinationIP\r\n| top 5 by IpCount desc nulls last\r\n",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Top 5 denied outbound destination IP addresses",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "DestinationIP",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "IpCount",
"formatter": 4,
"formatOptions": {
"showIcon": true
}
}
],
"labelSettings": []
}
},
"customWidth": "25",
"name": "Top 5 denied outbound destination IP addresses"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "//top 5 outbound Allow dst ip\r\nCommonSecurityLog\r\n| where DeviceProduct =~ 'ASA'\r\n| where DeviceVendor =~ 'Cisco'\r\n| where '{DeviceAddress:label}' == \"All\" or DeviceAddress in ({DeviceAddress})\r\n| where DeviceEventClassID == '106100'\r\n | where SimplifiedDeviceAction == 'Allow'\r\n | where Message contains ' -> management'\r\n| summarize IpCount= count() by DestinationIP\r\n| top 5 by IpCount desc nulls last\r\n",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Top 5 allowed outbound destination IP addresses",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "DestinationIP",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "IpCount",
"formatter": 4,
"formatOptions": {
"showIcon": true
}
}
],
"labelSettings": []
}
},
"customWidth": "25",
"name": "Top 5 allowed outbound destination IP addresses"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "//Top 5 Inbound Source IP Addresses Denied \r\nCommonSecurityLog \r\n| where DeviceProduct =~ 'ASA' \r\n| where DeviceVendor =~ 'Cisco' \r\n| where '{DeviceAddress:label}' == \"All\" or DeviceAddress in ({DeviceAddress})\r\n| where CommunicationDirection contains 'inbound' \r\n| where SimplifiedDeviceAction == 'Deny' \r\n| summarize IpCount= count() by SourceIP \r\n| top 5 by IpCount desc nulls last",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Top 5 denied inbound source IP addresses",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "SourceIP",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "IpCount",
"formatter": 4,
"formatOptions": {
"showIcon": true
}
}
],
"labelSettings": []
}
},
"customWidth": "25",
"name": "Top 5 denied inbound source IP addresses"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "//Top 5 Outbound Source IP Addresses Allowed \r\nCommonSecurityLog \r\n| where DeviceProduct =~ 'ASA' \r\n| where DeviceVendor =~ 'Cisco' \r\n| where '{DeviceAddress:label}' == \"All\" or DeviceAddress in ({DeviceAddress})\r\n| where CommunicationDirection contains 'outbound' \r\n| where SimplifiedDeviceAction == 'Built' \r\n| summarize IpCount= count() by SourceIP \r\n| top 5 by IpCount desc nulls last",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Top 5 allowed outbound source IP addresses",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "SourceIP",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "IpCount",
"formatter": 4,
"formatOptions": {
"showIcon": true
}
}
],
"labelSettings": []
}
},
"customWidth": "25",
"name": "Top 5 allowed outbound source IP addresses"
},
{
"type": 1,
"content": {
"json": "---\r\n## Firewall management"
},
"name": "text - 29"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "//Top 5 Source IP Addresses By Failed Authentication \r\nCommonSecurityLog \r\n| where DeviceProduct =~ 'ASA' \r\n| where DeviceVendor =~ 'Cisco' \r\n| where '{DeviceAddress:label}' == \"All\" or DeviceAddress in ({DeviceAddress})\r\n| where DeviceEventClassID == '611102' \r\n| extend IPAddress= extract('%ASA-6-611102:.*: IP address: (.*?), Uname.*',1,Message) \r\n| summarize IPAddressCount=count() by IPAddress \r\n| top 5 by IPAddressCount desc",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Top 5 source IP addresses, by failed authentication",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart",
"gridSettings": {
"formatters": [
{
"columnMatch": "ipaddress",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "IPCount",
"formatter": 4,
"formatOptions": {
"showIcon": true
}
}
],
"labelSettings": []
}
},
"customWidth": "25",
"name": "Top 5 source IP addresses, by failed authentication"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "\r\n//Login Attempts For Nonexistent User Account \r\nCommonSecurityLog \r\n| where DeviceProduct =~ 'ASA' \r\n| where DeviceVendor =~ 'Cisco' \r\n| where '{DeviceAddress:label}' == \"All\" or DeviceAddress in ({DeviceAddress})\r\n| where DeviceEventClassID == '113015' \r\n| extend ipaddress=extract('%ASA-6-113015:.*: user IP = (.*)$',1,Message) \r\n| summarize IPCount=count() by ipaddress \r\n| top 5 by IPCount desc",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Logon attempts to nonexistent user account, by source IP address",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart",
"gridSettings": {
"formatters": [
{
"columnMatch": "ipaddress",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "IPCount",
"formatter": 4,
"formatOptions": {
"showIcon": true
}
}
],
"labelSettings": []
}
},
"customWidth": "25",
"name": "Logon attempts to nonexistent user account by source IP address"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "//Top 5 SSH Failed Attempt By Source IP \r\nCommonSecurityLog \r\n| where DeviceProduct =~ 'ASA' \r\n| where DeviceVendor =~ 'Cisco' \r\n| where '{DeviceAddress:label}' == \"All\" or DeviceAddress in ({DeviceAddress})\r\n| where DeviceEventClassID == '315011' \r\n| extend IP= extract('%ASA-6-315011: SSH session from (.*) on',1,Message) \r\n| summarize ReasonCount=count() by IP \r\n| top 5 by ReasonCount desc",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Top 5 SSH failed attempts, by source IP address",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart",
"gridSettings": {
"formatters": [
{
"columnMatch": "IP",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "ReasonCount",
"formatter": 4,
"formatOptions": {
"showIcon": true
}
}
],
"labelSettings": []
}
},
"customWidth": "25",
"name": "Top 5 SSH failed attempts by source IP address"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "//Authentocation Success\r\nCommonSecurityLog\r\n| where DeviceProduct =~ 'ASA'\r\n| where DeviceVendor =~ 'Cisco'\r\n| where '{DeviceAddress:label}' == \"All\" or DeviceAddress in ({DeviceAddress})\r\n| where DeviceEventClassID == '113012'\r\n| extend UserName= extract('%ASA-6-113012:.*: user = (.*)$',1,Message)\r\n| summarize UserCount=count() by UserName\r\n| top 5 by UserCount desc\r\n",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Top 5 successfully authenticated users",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart",
"gridSettings": {
"formatters": [
{
"columnMatch": "UserName",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "UserCount",
"formatter": 4,
"formatOptions": {
"showIcon": true
}
}
],
"labelSettings": []
}
},
"customWidth": "25",
"name": "Top 5 successfully authenticated users"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "//top 10 commands\r\nCommonSecurityLog\r\n| where DeviceProduct == \"ASA\"\r\n| where DeviceVendor == \"Cisco\"\r\n| where '{DeviceAddress:label}' == \"All\" or DeviceAddress in ({DeviceAddress})\r\n| where DeviceEventClassID == \"111008\"\r\n| extend CommandExecuted= extract(\"%ASA-5-111008: User '.*?' executed the '(.*?)' command.\",1,Message) \r\n| summarize Count= count() by CommandExecuted \r\n| top 10 by Count desc ",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Top 5 Commands Executed on Firewall",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart",
"gridSettings": {
"formatters": [
{
"columnMatch": "CommandExecuted",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Count",
"formatter": 4,
"formatOptions": {
"showIcon": true
}
}
],
"labelSettings": []
}
},
"customWidth": "25",
"name": "Top 5 Commands Executed on Firewall"
}
],
"styleSettings": {},
"fromTemplateId": "sentinel-Cisco",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}