Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность
Azure-Sentinel/Workbooks/SquadraTechnologiesSecRMM.json

160 строки
4.4 KiB
JSON
Исходник Ответственный История

{
"version": "Notebook/1.0",
"items": [
{
"type": 1,
"content": {
"json": "## Removable storage security via Squadra Technologies secRMM\n---\nFile writes to removable storage by User\n\n"
},
"name": "text - 2"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "secRMM_CL | where Event_s == \"WRITE COMPLETED\" | summarize count() by User_s | render barchart",
"size": 1,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "User_s",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "count_",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
}
]
}
},
"name": "query - 2"
},
{
"type": 1,
"content": {
"json": "File writes to removable storage by Computer"
},
"name": "text - 2",
"styleSettings": {
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "secRMM_CL \r\n| where TimeGenerated > ago(1d)\r\n| where Event_s == \"WRITE COMPLETED\"\r\n| summarize count() by Computer, bin(TimeGenerated, 1h)\r\n| render piechart",
"size": 0,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "query - 3"
},
{
"type": 1,
"content": {
"json": "Removable storage devices used\r\n"
},
"name": "text - 6",
"styleSettings": {
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "secRMM_CL\r\n| where SerialNumber_s <> \"\"\r\n| summarize count() by strcat(SerialNumber_s, \", \", Model_s)\r\n| render piechart",
"size": 0,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "query - 7"
},
{
"type": 1,
"content": {
"json": "Microsoft BitLocker Activity"
},
"name": "text - 8"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "secRMM_CL \r\n| where DeviceDescription_s contains \"ENCRYPTED BitLocker\" \r\n| summarize count() by User_s \r\n| render piechart",
"size": 0,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "query - 9"
},
{
"type": 1,
"content": {
"json": "Microsoft Windows Defender Activity"
},
"name": "text - 10"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "secRMM_CL\r\n| where ((Event_s == \"EXTERNAL\") and (Message contains \"Microsoft Defender\"))\r\n| project Message\r\n",
"size": 0,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "query - 11"
},
{
"type": 1,
"content": {
"json": "Mobile devices that are being USB mounted"
},
"name": "text - 12"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "secRMM_CL\r\n| where ((Event_s == \"ONLINE\") and (DeviceDescription_s contains \"MOBILE\"))\r\n| project SerialNumber_s, User_s, DeviceDescription_s",
"size": 0,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "query - 13"
},
{
"type": 1,
"content": {
"json": "Removable storage security events\r\n"
},
"name": "text - 4",
"styleSettings": {
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "secRMM_CL \r\n| where isnotempty(Event_s) \r\n| summarize count() by Event_s \r\n| render piechart",
"size": 0,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "query - 5"
}
],
"fromTemplateId": "sentinel-SquadraTechnologiesSecRMM",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}
Ссылка в новой задаче Показать git blame Копировать постоянную ссылку