802 строки
22 KiB
JSON
802 строки
22 KiB
JSON
{
|
|
"version": "Notebook/1.0",
|
|
"items": [
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "## One Identity Safeguard for Privileged Sessions\n---\n\nThis simple workbook gives an overview of sessions going through your Safeguard for Privileged Sessions device.\n\n### Number of sessions generating events per hour"
|
|
},
|
|
"name": "text - 2"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog\n| where DeviceVendor == \"OneIdentity\" and DeviceProduct == \"SPS\"\n| where DeviceCustomString1Label == \"Session ID\"\n| summarize count(TimeGenerated) by DeviceCustomString1, bin(TimeGenerated, 1d)\n| summarize count() by bin(TimeGenerated, 1d)\n",
|
|
"size": 1,
|
|
"exportToExcelOptions": "visible",
|
|
"timeContext": {
|
|
"durationMs": 604800000
|
|
},
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "barchart",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "Count",
|
|
"formatter": 1,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
}
|
|
],
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "Count",
|
|
"sortOrder": 1
|
|
}
|
|
],
|
|
"labelSettings": [
|
|
{
|
|
"columnId": "Count",
|
|
"label": "Session Count of the last 24 hours"
|
|
}
|
|
]
|
|
},
|
|
"tileSettings": {
|
|
"titleContent": {
|
|
"formatter": 1,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
"subtitleContent": {
|
|
"columnMatch": "Count",
|
|
"formatter": 1,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
"showBorder": false
|
|
}
|
|
},
|
|
"name": "query - 2"
|
|
},
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "### Number of sessions per severity per hour\n"
|
|
},
|
|
"name": "text - 4"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog\n| where DeviceVendor == \"OneIdentity\" and DeviceProduct == \"SPS\"\n| where Activity == \"ServerConnect\" or Activity == \"SessionClosed\"\n| where DeviceCustomString1Label == \"Session ID\"\n| where TimeGenerated > ago(7d)\n| summarize max(LogSeverity) by DeviceCustomString1, bin(TimeGenerated, 1h)\n| summarize count() by max_LogSeverity, bin(TimeGenerated, 1h)\n\n\n\n",
|
|
"size": 0,
|
|
"aggregation": 3,
|
|
"exportToExcelOptions": "visible",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "barchart"
|
|
},
|
|
"name": "query - 3"
|
|
},
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "### Latest logs"
|
|
},
|
|
"name": "text - 5"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog\n| where TimeGenerated > ago(1d)\n| where DeviceVendor == \"OneIdentity\" and DeviceProduct == \"SPS\"\n| sort by TimeGenerated desc\n",
|
|
"size": 0,
|
|
"exportToExcelOptions": "visible",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "table",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "TimeGenerated",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "ReceiptTime",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "DeviceVendor",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "DeviceProduct",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "DeviceEventClassID",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "LogSeverity",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "OriginalLogSeverity",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "DeviceAction",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "SimplifiedDeviceAction",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Computer",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "CommunicationDirection",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "DeviceFacility",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "DestinationPort",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "DestinationIP",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "DeviceAddress",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "DeviceName",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Message",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Protocol",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "SourcePort",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "SourceIP",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "RemoteIP",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "RemotePort",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "MaliciousIP",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "ThreatSeverity",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "IndicatorThreatType",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "ThreatDescription",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "ThreatConfidence",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "ReportReferenceLink",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "MaliciousIPLongitude",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "MaliciousIPLatitude",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "MaliciousIPCountry",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "DeviceVersion",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Activity",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "ApplicationProtocol",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "EventCount",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "DestinationDnsDomain",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "DestinationServiceName",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "DestinationTranslatedAddress",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "DestinationTranslatedPort",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "DeviceDnsDomain",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "DeviceExternalID",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "DeviceInboundInterface",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "DeviceNtDomain",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "DeviceOutboundInterface",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "DevicePayloadId",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "ProcessName",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "DeviceTranslatedAddress",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "DestinationHostName",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "DestinationMACAddress",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "DestinationNTDomain",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "DestinationProcessId",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "DestinationUserPrivileges",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "DestinationProcessName",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "DeviceTimeZone",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "DestinationUserID",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "DestinationUserName",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "DeviceMacAddress",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "ProcessID",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "ExternalID",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "FileCreateTime",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "FileHash",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "FileID",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "FileModificationTime",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "FilePath",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "FilePermission",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "FileType",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "FileName",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "FileSize",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "ReceivedBytes",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "OldFileCreateTime",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "OldFileHash",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "OldFileID",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "OldFileModificationTime",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "OldFileName",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "OldFilePath",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "OldFilePermission",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "OldFileSize",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "OldFileType",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "SentBytes",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "RequestURL",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "RequestClientApplication",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "RequestContext",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "RequestCookies",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "RequestMethod",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "SourceHostName",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "SourceMACAddress",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "SourceNTDomain",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "SourceDnsDomain",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "SourceServiceName",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "SourceTranslatedAddress",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "SourceTranslatedPort",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "SourceProcessId",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "SourceUserPrivileges",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "SourceProcessName",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "SourceUserID",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "SourceUserName",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "EventType",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "DeviceCustomIPv6Address1",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"name": "query - 5"
|
|
}
|
|
],
|
|
"styleSettings": {},
|
|
"fromTemplateId": "sentinel-OneIdentity",
|
|
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
|
|
}
|