583 строки
29 KiB
JSON
583 строки
29 KiB
JSON
{
|
|
"version": "Notebook/1.0",
|
|
"items": [
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "## Microsoft Defender for Endpoint (Preview)\n---\n\nA wokbook to provide details about Microsoft Defender for Endpoint Advance Hunting to Overview & Analyse data brought through M365 Defender Connector.\n\n\n"
|
|
},
|
|
"name": "text - 2"
|
|
},
|
|
{
|
|
"type": 9,
|
|
"content": {
|
|
"version": "KqlParameterItem/1.0",
|
|
"parameters": [
|
|
{
|
|
"id": "b22a3bd7-19b3-495d-a0df-95a7a59d98ff",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "TimeRange",
|
|
"type": 4,
|
|
"value": {
|
|
"durationMs": 172800000
|
|
},
|
|
"typeSettings": {
|
|
"selectableValues": [
|
|
{
|
|
"durationMs": 300000
|
|
},
|
|
{
|
|
"durationMs": 900000
|
|
},
|
|
{
|
|
"durationMs": 1800000
|
|
},
|
|
{
|
|
"durationMs": 3600000
|
|
},
|
|
{
|
|
"durationMs": 14400000
|
|
},
|
|
{
|
|
"durationMs": 43200000
|
|
},
|
|
{
|
|
"durationMs": 86400000
|
|
},
|
|
{
|
|
"durationMs": 172800000
|
|
},
|
|
{
|
|
"durationMs": 259200000
|
|
},
|
|
{
|
|
"durationMs": 604800000
|
|
},
|
|
{
|
|
"durationMs": 1209600000
|
|
},
|
|
{
|
|
"durationMs": 2419200000
|
|
},
|
|
{
|
|
"durationMs": 2592000000
|
|
},
|
|
{
|
|
"durationMs": 5184000000
|
|
},
|
|
{
|
|
"durationMs": 7776000000
|
|
}
|
|
],
|
|
"allowCustom": true
|
|
},
|
|
"timeContext": {
|
|
"durationMs": 86400000
|
|
}
|
|
},
|
|
{
|
|
"id": "f0450560-ef16-4aa9-a3ad-7485dd909587",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "Help",
|
|
"type": 10,
|
|
"isRequired": true,
|
|
"typeSettings": {
|
|
"additionalResourceOptions": []
|
|
},
|
|
"jsonData": "[{ \"value\": \"Yes\", \"label\": \"Yes\"},\r\n {\"value\": \"No\", \"label\": \"No\", \"selected\":true }]",
|
|
"label": "Show Help",
|
|
"value": "Yes"
|
|
}
|
|
],
|
|
"style": "pills",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
"name": "parameters - 2"
|
|
},
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "\r\n|Overview|Device|Network|File|\r\n|--------|------|-------|----|\r\n|MDE Tables Last Data Received|Source of the AV detections|Internet Connected Devices|FileActivityCount per Device|\r\n|Daily Data Flow on MDE Tables|Get stats on ASR audit events|Count By Machine Group|Count by InitiatingProcessAccountUpn|\r\n|Device Heartbeat|Get stats on ASR blocks|Count By Network Adaptor||\r\n|Device where files are copied to USB Drive|AV Detections with USB Disk Drive|TimeSeries on Network Activity||\r\n|Device Internet Connectivity Status |List files copied to USB mounted drives|Top 10 RemoteUrl accessed over TimeRange||\r\n|Device Count by DNS Suffix ||Tor Clients||\r\n|Device Azure AD Join status ||||\r\n|Device ClientVersion ||||"
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "Help",
|
|
"comparison": "isEqualTo",
|
|
"value": "Yes"
|
|
},
|
|
"name": "text - 8"
|
|
},
|
|
{
|
|
"type": 11,
|
|
"content": {
|
|
"version": "LinkItem/1.0",
|
|
"style": "tabs",
|
|
"links": [
|
|
{
|
|
"id": "454d4e02-26ba-4195-ae30-94752bbf4603",
|
|
"cellValue": "selectedTab",
|
|
"linkTarget": "parameter",
|
|
"linkLabel": "Overview",
|
|
"subTarget": "Overview",
|
|
"preText": "Overview",
|
|
"style": "link"
|
|
},
|
|
{
|
|
"id": "3d902e84-3e5b-4631-85d1-c229ec2abf75",
|
|
"cellValue": "selectedTab",
|
|
"linkTarget": "parameter",
|
|
"linkLabel": "Device",
|
|
"subTarget": "Device",
|
|
"style": "link"
|
|
},
|
|
{
|
|
"id": "bbc20288-b398-4f63-b7a9-e3830213bb34",
|
|
"cellValue": "selectedTab",
|
|
"linkTarget": "parameter",
|
|
"linkLabel": "Network",
|
|
"subTarget": "Network",
|
|
"style": "link"
|
|
},
|
|
{
|
|
"id": "edab4a44-8ca3-4ba1-bede-4186f4376d28",
|
|
"cellValue": "selectedTab",
|
|
"linkTarget": "parameter",
|
|
"linkLabel": "File",
|
|
"subTarget": "File",
|
|
"style": "link"
|
|
}
|
|
]
|
|
},
|
|
"name": "links - 3"
|
|
},
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"items": [
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "union \r\nisfuzzy = true\r\n(DeviceInfo | summarize arg_max(TimeGenerated,*) | project TimeGenerated, Type= \"DeviceInfo\" | extend Description = \"Machine information (including OS information)\"),\r\n(DeviceNetworkInfo | summarize arg_max(TimeGenerated,*) | project TimeGenerated, Type=\"DeviceNetworkInfo\" | extend Description = \"Network properties of machines\"),\r\n(DeviceProcessEvents | summarize arg_max(TimeGenerated,*) | project TimeGenerated, Type=\"DeviceProcessEvents\" | extend Description = \"Process creation and related events\"),\r\n(DeviceNetworkEvents | summarize arg_max(TimeGenerated,*) | project TimeGenerated, Type=\"DeviceNetworkEvents\" | extend Description = \"Network connection and related events\"),\r\n(DeviceFileEvents | summarize arg_max(TimeGenerated,*) | project TimeGenerated, Type=\"DeviceFileEvents\" | extend Description = \"File creation, modification, and other file system events\"),\r\n(DeviceRegistryEvents | summarize arg_max(TimeGenerated,*) | project TimeGenerated, Type=\"DeviceRegistryEvents\" | extend Description = \"Creation and modification of registry entries\"),\r\n(DeviceLogonEvents | summarize arg_max(TimeGenerated,*) | project TimeGenerated, Type=\"DeviceLogonEvents\" | extend Description = \"Sign-ins and other authentication events\"),\r\n(DeviceImageLoadEvents | summarize arg_max(TimeGenerated,*) | project TimeGenerated, Type=\"DeviceImageLoadEvents\" | extend Description = \"DLL loading events\"),\r\n(DeviceEvents | summarize arg_max(TimeGenerated,*) | project TimeGenerated, Type=\"DeviceEvents\" | extend Description = \"Additional events types\"),\r\n(DeviceFileCertificateInfo | summarize arg_max(TimeGenerated,*) | project TimeGenerated, Type=\"DeviceFileCertificateInfo\" | extend Description = \"Certificate information of signed files)\")\r\n| extend [\"Last Log Received At (Local Time)\"] = TimeGenerated\r\n| project Type, Description, [\"Last Log Received At (Local Time)\"]",
|
|
"size": 0,
|
|
"title": "MDE Tables Last Data Received based on {TimeRange}",
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "table",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "Type",
|
|
"formatter": 0,
|
|
"numberFormat": {
|
|
"unit": 0,
|
|
"options": {
|
|
"style": "decimal"
|
|
}
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Last Log Received At",
|
|
"formatter": 6,
|
|
"dateFormat": {
|
|
"showUtcTime": null,
|
|
"formatName": "fullDateTimePattern"
|
|
}
|
|
}
|
|
],
|
|
"filter": true
|
|
}
|
|
},
|
|
"name": "query - 9"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "let AllDeviceNames = DeviceInfo | distinct DeviceId, DeviceName;\nlet DeviceEventSummary = DeviceEvents | summarize count() by DeviceId, Type, bin(TimeGenerated,1d);\nlet DeviceNetworkEventsSummary = DeviceNetworkEvents | summarize count() by DeviceId,Type, bin(TimeGenerated,1d);\nlet DeviceNetworkInfoSummary = DeviceNetworkInfo | summarize count() by DeviceId,Type, bin(TimeGenerated,1d);\nlet DeviceLogonEventsSummary = DeviceLogonEvents | summarize count() by DeviceId,Type, bin(TimeGenerated,1d);\nlet DeviceRegistryEventsSummary = DeviceRegistryEvents | summarize count() by DeviceId,Type, bin(TimeGenerated,1d);\nlet DeviceProcessEventsSummary = DeviceProcessEvents | summarize count() by DeviceId,Type, bin(TimeGenerated,1d);\n(DeviceEventSummary\n| union DeviceNetworkEventsSummary,\nDeviceNetworkEventsSummary,\nDeviceNetworkInfoSummary,\nDeviceLogonEventsSummary,\nDeviceRegistryEventsSummary,\nDeviceProcessEventsSummary)\n| join kind=inner ( \nAllDeviceNames\n)\non $left.DeviceId == $right.DeviceId\n| project-reorder Type, TimeGenerated, count_\n//| project-away DeviceId, DeviceId1",
|
|
"size": 1,
|
|
"title": "Daily Data Flow on MDE Tables over {TimeRange}",
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "timechart",
|
|
"chartSettings": {
|
|
"xAxis": "count_"
|
|
}
|
|
},
|
|
"name": "query - 2"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "DeviceInfo \r\n| summarize arg_max(TimeGenerated,*) by DeviceId\r\n| extend ParsedFields=parse_json(LoggedOnUsers)[0]\r\n| extend DurationAtLeast= format_timespan(now()-TimeGenerated,'dd:hh:mm:ss')\r\n| project DurationAtLeast,TimeGenerated,DeviceName,DomainName=ParsedFields.DomainName,UserName=ParsedFields.UserName\r\n| order by DurationAtLeast asc",
|
|
"size": 0,
|
|
"title": "Device Heartbeat from TimeTange {TimeRange}",
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"gridSettings": {
|
|
"filter": true
|
|
}
|
|
},
|
|
"name": "query - 0"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "let UsbDriveMount = DeviceEvents\r\n| where ActionType==\"UsbDriveMounted\"\r\n| extend ParsedFields=parse_json(AdditionalFields)\r\n| project DeviceId, DeviceName, DriveLetter=ParsedFields.DriveLetter, MountTime=Timestamp,\r\nProductName=ParsedFields.ProductName,SerialNumber=ParsedFields.SerialNumber,Manufacturer=ParsedFields.Manufacturer\r\n| order by DeviceId asc, MountTime desc;\r\nlet FileCreation = DeviceFileEvents\r\n| where InitiatingProcessAccountName != \"system\"\r\n| where ActionType == \"FileCreated\"\r\n| where FolderPath !startswith \"C:\\\\\"\r\n| where FolderPath !startswith \"\\\\\"\r\n| project ReportId,DeviceId,InitiatingProcessAccountDomain,\r\nInitiatingProcessAccountName,InitiatingProcessAccountUpn,\r\nFileName, FolderPath, SHA256, Timestamp, SensitivityLabel, IsAzureInfoProtectionApplied\r\n| order by DeviceId asc, Timestamp desc;\r\nFileCreation | lookup kind=inner (UsbDriveMount) on DeviceId\r\n| where FolderPath startswith DriveLetter\r\n| where Timestamp >= MountTime\r\n| partition by ReportId ( top 1 by MountTime )\r\n| order by DeviceId asc, Timestamp desc\r\n| summarize FileCount = count() by DeviceName\r\n| order by FileCount desc",
|
|
"size": 1,
|
|
"title": "Device where files are copied to USB Drive from TimeTange {TimeRange}",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "FileCount",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "red"
|
|
}
|
|
}
|
|
],
|
|
"filter": true
|
|
}
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 0 - Copy"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "DeviceNetworkInfo\r\n| summarize arg_max(TimeGenerated,*) by DeviceId\r\n| mvexpand ConnectedNetworks\r\n| summarize count() by tostring(ConnectedNetworks.IsConnectedToInternet)",
|
|
"size": 1,
|
|
"title": "Device Internet Connectivity Status from TimeTange {TimeRange}",
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "piechart",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "FileCount",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "red"
|
|
}
|
|
}
|
|
],
|
|
"filter": true
|
|
}
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 0 - Copy - Copy"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "DeviceInfo\r\n| where isnotempty(OSPlatform)\r\n| summarize arg_max(Timestamp, DeviceName) by DeviceId\r\n| extend DeviceMachineName = split(DeviceName, '.')[0]\r\n| extend DeviceDomain = substring(DeviceName, strlen(DeviceMachineName) + 1, strlen(DeviceName) - strlen(DeviceMachineName) - 1)\r\n| summarize count() by DeviceDomain",
|
|
"size": 1,
|
|
"title": "Device Count by DNS Suffix",
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "piechart",
|
|
"gridSettings": {
|
|
"filter": true
|
|
},
|
|
"chartSettings": {
|
|
"showMetrics": false,
|
|
"showLegend": true
|
|
}
|
|
},
|
|
"customWidth": "30",
|
|
"name": "query - 0 - Copy"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "DeviceInfo\r\n| where isnotempty(OSPlatform)\r\n| summarize arg_max(TimeGenerated, *) by DeviceId\r\n| summarize count() by tostring(IsAzureADJoined)",
|
|
"size": 1,
|
|
"title": "Device Azure AD Join status",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "piechart",
|
|
"gridSettings": {
|
|
"filter": true
|
|
},
|
|
"chartSettings": {
|
|
"showMetrics": false,
|
|
"showLegend": true
|
|
}
|
|
},
|
|
"customWidth": "30",
|
|
"name": "query - 0 - Copy - Copy - Copy"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "DeviceInfo\r\n| where isnotempty(OSPlatform)\r\n| summarize arg_max(TimeGenerated, *) by DeviceId\r\n| summarize count() by ClientVersion",
|
|
"size": 1,
|
|
"title": "Device ClientVersion",
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "piechart",
|
|
"gridSettings": {
|
|
"filter": true
|
|
},
|
|
"chartSettings": {
|
|
"showMetrics": false,
|
|
"showLegend": true
|
|
}
|
|
},
|
|
"customWidth": "30",
|
|
"name": "query - 0 - Copy - Copy - Copy - Copy"
|
|
}
|
|
]
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "selectedTab",
|
|
"comparison": "isEqualTo",
|
|
"value": "Overview"
|
|
},
|
|
"name": "groupOverview"
|
|
},
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"items": [
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "//This query shows the source of the AV detections (e.g., the website the file was downloaded from etc.)\r\n//\r\n//Get the list of AV detections\r\nlet avDetections =\r\nDeviceEvents\r\n| where ActionType == \"AntivirusDetection\" and isnotempty(MD5)\r\n| extend ParsedFields=parse_json(AdditionalFields)\r\n| project Timestamp, DeviceName, ThreatName=tostring(ParsedFields.ThreatName), FileName, FolderPath, MD5;\r\n//Get a list of file creations\r\nlet fileCreations =\r\nDeviceFileEvents \r\n| where (isnotempty(FileOriginReferrerUrl) or isnotempty(FileOriginUrl)) and isnotempty(MD5)\r\n| project MD5, FileOriginUrl, FileOriginReferrerUrl, InitiatingProcessFileName, InitiatingProcessParentFileName;\r\n//Join the file creations and AV detections on the MD5 of the file\r\navDetections | join kind=inner (fileCreations) on MD5\r\n| project-away MD51 //Remove the duplicated MD5 field\r\n| sort by Timestamp desc ",
|
|
"size": 0,
|
|
"title": "Source of the AV detections for {TimeRange}",
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"gridSettings": {
|
|
"filter": true
|
|
}
|
|
},
|
|
"name": "query - 0"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "DeviceEvents\r\n| where ActionType startswith \"Asr\" and ActionType endswith \"Audited\"\r\n// Count total stats - count events and machines per rule\r\n| summarize EventCount=count(), MachinesCount=dcount(DeviceId) by ActionType",
|
|
"size": 0,
|
|
"title": "Get stats on ASR audit events - count events and machines per rule for {TimeRange}",
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
"name": "query - 1"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "DeviceEvents\r\n| where ActionType startswith \"Asr\" and ActionType endswith \"Blocked\"\r\n// Count total stats - count events and machines per rule\r\n| summarize EventCount=count(), MachinesCount=dcount(DeviceId) by ActionType",
|
|
"size": 0,
|
|
"title": "Get stats on ASR blocks - count events and machines per rule for {TimeRange}",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
"name": "query - 1 - Copy"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "//This query make a best-guess detection regarding which removable media device caused an AV detection\r\n//The query is best run over 30 days to get the full USB history\r\n//\r\n//Get a list of USB AV detections. This assumes any path not beginning with C is a removable/USB device\r\nlet usbDetections =\r\n DeviceEvents\r\n | where ActionType == \"AntivirusDetection\" and FolderPath !startswith \"c\" and FolderPath matches regex \"^[A-Za-z]{1}\"\r\n | extend ParsedFields=parse_json(AdditionalFields)\r\n | project DetectionTime=Timestamp, DeviceName, ThreatName=tostring(ParsedFields.ThreatName), FileName, FolderPath;\r\n//Get a list of USB disk drive connections, grouped by computer name and DeviceID\r\nlet usbConnections = \r\n DeviceEvents\r\n | where ActionType == \"PnpDeviceConnected\"\r\n | extend parsed=parse_json(AdditionalFields)\r\n | project Timestamp, DeviceName, DeviceId=tostring(parsed.DeviceId), ClassName=tostring(parsed.ClassName)\r\n | where ClassName == \"DiskDrive\"\r\n | summarize UsbFirstSeen=min(Timestamp), UsbLastSeen=max(Timestamp) by DeviceId, DeviceName;\r\n//Join USB AV detections and connections, where the detection occurs after the USB has been plugged in\r\nusbDetections | join kind=inner (usbConnections) on DeviceName | where DetectionTime > UsbFirstSeen and DetectionTime < UsbLastSeen\r\n| project DetectionTime, DeviceName, ThreatName, FileName, FolderPath, DeviceId, UsbFirstSeen, UsbLastSeen\r\n| sort by DetectionTime desc",
|
|
"size": 0,
|
|
"title": "AV Detections with USB Disk Drive for {TimeRange}",
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
"name": "query - 3"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "let UsbDriveMount = DeviceEvents\r\n| where ActionType==\"UsbDriveMounted\"\r\n| extend ParsedFields=parse_json(AdditionalFields)\r\n| project DeviceId, DeviceName, DriveLetter=ParsedFields.DriveLetter, MountTime=Timestamp,\r\nProductName=ParsedFields.ProductName,SerialNumber=ParsedFields.SerialNumber,Manufacturer=ParsedFields.Manufacturer\r\n| order by DeviceId asc, MountTime desc;\r\nlet FileCreation = DeviceFileEvents\r\n| where InitiatingProcessAccountName != \"system\"\r\n| where ActionType == \"FileCreated\"\r\n| where FolderPath !startswith \"C:\\\\\"\r\n| where FolderPath !startswith \"\\\\\"\r\n| project ReportId,DeviceId,InitiatingProcessAccountDomain,\r\nInitiatingProcessAccountName,InitiatingProcessAccountUpn,\r\nFileName, FolderPath, SHA256, Timestamp, SensitivityLabel, IsAzureInfoProtectionApplied\r\n| order by DeviceId asc, Timestamp desc;\r\nFileCreation | lookup kind=inner (UsbDriveMount) on DeviceId\r\n| where FolderPath startswith DriveLetter\r\n| where Timestamp >= MountTime\r\n| partition by ReportId ( top 1 by MountTime )\r\n| order by DeviceId asc, Timestamp desc",
|
|
"size": 0,
|
|
"title": "List files copied to USB mounted drives for {TimeRange}",
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
"name": "query - 4"
|
|
}
|
|
]
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "selectedTab",
|
|
"comparison": "isEqualTo",
|
|
"value": "Device"
|
|
},
|
|
"name": "groupDevice"
|
|
},
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"items": [
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "DeviceNetworkInfo\r\n| summarize arg_max(TimeGenerated,*) by DeviceId\r\n| mv-apply ConnectedNetworks on \r\n(\r\nwhere ConnectedNetworks.IsConnectedToInternet == true\r\n)\r\n| project DeviceName, DefaultGateways, IPv4Dhcp, IPv6Dhcp,MacAddress,MachineGroup, ConnectedNetworks.IsConnectedToInternet",
|
|
"size": 0,
|
|
"title": "Internet Connected Devices for {TimeRange}",
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
"name": "query - 0"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "DeviceNetworkInfo\r\n| summarize arg_max(TimeGenerated,*) by DeviceId\r\n| summarize count() by MachineGroup",
|
|
"size": 0,
|
|
"title": "Count By Machine Group for {TimeRange}",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"gridSettings": {
|
|
"filter": true
|
|
}
|
|
},
|
|
"name": "query - 0 - Copy"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "DeviceNetworkInfo\r\n| summarize arg_max(TimeGenerated,*) by DeviceId\r\n| summarize count() by NetworkAdapterType, NetworkAdapterStatus",
|
|
"size": 0,
|
|
"title": "Count By Network Adaptor",
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"gridSettings": {
|
|
"filter": true
|
|
}
|
|
},
|
|
"name": "query - 0 - Copy - Copy"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "DeviceNetworkEvents\r\n| summarize count() by DeviceName, DeviceId,bin( TimeGenerated,5m)",
|
|
"size": 0,
|
|
"title": "TimeSeries on Network Activity for {TimeRange}",
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "timechart"
|
|
},
|
|
"name": "query - 0 - Copy - Copy - Copy"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "DeviceNetworkEvents\r\n| where isnotempty(RemoteUrl)\r\n| summarize count() by RemoteUrl\r\n| order by count_ desc\r\n| limit 10",
|
|
"size": 0,
|
|
"title": "Top 10 RemoteUrl accessed over TimeRange {TimeRange}",
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "categoricalbar"
|
|
},
|
|
"name": "query - 0 - Copy - Copy - Copy - Copy"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "// This query looks for Tor client, or for a common Tor plugin called Meek.\r\n// We query for active Tor connections, but could have alternatively looked for active Tor runs (ProcessCreateEvents) or Tor downloads (DeviceFileEvents)\r\n// To read more about this technique, see:\r\n// Tor: https://attack.mitre.org/wiki/Software/S0183#Techniques_Used\r\n// Meek plugin: https://attack.mitre.org/wiki/Software/S0175\r\n// Multi-hop proxy technique: https://attack.mitre.org/wiki/Technique/T1188\r\n// Tags: #Tor, #MultiHopProxy, #CnC\r\nDeviceNetworkEvents \r\n| where Timestamp < ago(3d) and InitiatingProcessFileName in~ (\"tor.exe\", \"meek-client.exe\")\r\n// Returns MD5 hashes of files used by Tor, to enable you to block them.\r\n// We count how prevalent each file is (by machines) and show examples for some of them (up to 5 machine names per hash).\r\n| summarize MachineCount=dcount(DeviceName), MachineNames=makeset(DeviceName, 5) by InitiatingProcessMD5\r\n| order by MachineCount desc",
|
|
"size": 0,
|
|
"title": "Tor Clients for {TimeRange}",
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
"name": "query - 5"
|
|
}
|
|
]
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "selectedTab",
|
|
"comparison": "isEqualTo",
|
|
"value": "Network"
|
|
},
|
|
"name": "groupNetwork"
|
|
},
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"items": [
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "DeviceFileEvents\r\n| summarize FileActivityCount = count() by DeviceName",
|
|
"size": 0,
|
|
"title": "FileActivityCount per Device for {TimeRange}",
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "unstackedbar"
|
|
},
|
|
"name": "query - 0"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "DeviceFileEvents\r\n| summarize count() by InitiatingProcessAccountUpn",
|
|
"size": 0,
|
|
"title": "Count by InitiatingProcessAccountUpn for {TimeRange}",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "unstackedbar"
|
|
},
|
|
"name": "query - 0 - Copy"
|
|
}
|
|
]
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "selectedTab",
|
|
"comparison": "isEqualTo",
|
|
"value": "File"
|
|
},
|
|
"name": "groupFile"
|
|
}
|
|
],
|
|
"fromTemplateId": "sentinel-MicrosoftDefenderForEndPoint",
|
|
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
|
|
}
|