49 строки
2.2 KiB
JSON
49 строки
2.2 KiB
JSON
{
|
|
"version": "Notebook/1.0",
|
|
"items": [
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "<h2>Top 5 Users by Number of Failed Attempts</h2>"
|
|
},
|
|
"name": "text - 0"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog \r\n| where TimeGenerated <= now()\r\n| extend outcome = coalesce(\r\n column_ifexists(\"EventOutcome\", \"\"),\r\n split(split(AdditionalExtensions, \";\", 2)[0], \"=\", 1)[0],\r\n \"\"\r\n )\r\n| extend reason = coalesce(\r\n column_ifexists(\"Reason\", \"\"),\r\n split(split(AdditionalExtensions, \";\", 3)[0], \"=\", 1)[0],\r\n \"\"\r\n )\r\n| where DeviceVendor == \"Forcepoint CASB\"\r\n| where DeviceProduct in (\"SaaS Security Gateway\", \"Cloud Service Monitoring\", \"CASB Admin audit log\")\r\n| where outcome ==\"Failure\" \r\n| summarize Count= count() by DestinationUserName| render barchart",
|
|
"size": 0,
|
|
"timeContext": {
|
|
"durationMs": 2592000000
|
|
},
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
"name": "query - 2"
|
|
},
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "\r\n<h2>Top 5 Users With The Highest Number Of Logs</h2>"
|
|
},
|
|
"name": "text - 3"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog \r\n| where TimeGenerated <= now()\r\n| where DeviceVendor == \"Forcepoint CASB\"\r\n| where DeviceProduct in (\"SaaS Security Gateway\", \"Cloud Service Monitoring\", \"CASB Admin audit log\")\r\n| summarize Count = count() by DestinationUserName\r\n| top 5 by DestinationUserName| render barchart",
|
|
"size": 1,
|
|
"timeContext": {
|
|
"durationMs": 2592000000
|
|
},
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
"name": "query - 4"
|
|
}
|
|
],
|
|
"fromTemplateId": "sentinel-ForcepointCASB",
|
|
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
|
|
} |