565 строки
30 KiB
JSON
565 строки
30 KiB
JSON
{
|
|
"version": "Notebook/1.0",
|
|
"items": [
|
|
{
|
|
"type": 11,
|
|
"content": {
|
|
"version": "LinkItem/1.0",
|
|
"style": "tabs",
|
|
"links": [
|
|
{
|
|
"id": "bd618d6f-8e52-4cd4-87af-0fa8a03dc56d",
|
|
"cellValue": "Tab",
|
|
"linkTarget": "parameter",
|
|
"linkLabel": "IOCs Overview",
|
|
"subTarget": "iocs_overview",
|
|
"style": "link"
|
|
},
|
|
{
|
|
"id": "a482be59-ecc1-4215-b0ff-fd4455197422",
|
|
"cellValue": "Tab",
|
|
"linkTarget": "parameter",
|
|
"linkLabel": "Correlation Overview",
|
|
"subTarget": "correlation_overview",
|
|
"style": "link"
|
|
}
|
|
]
|
|
},
|
|
"name": "links - 3"
|
|
},
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"items": [
|
|
{
|
|
"type": 9,
|
|
"content": {
|
|
"version": "KqlParameterItem/1.0",
|
|
"parameters": [
|
|
{
|
|
"id": "e61becba-cfb6-42f3-a155-422e4f359817",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "TimeRange",
|
|
"label": "Time Range:",
|
|
"type": 4,
|
|
"isRequired": true,
|
|
"value": {
|
|
"durationMs": 86400000
|
|
},
|
|
"typeSettings": {
|
|
"selectableValues": [
|
|
{
|
|
"durationMs": 86400000
|
|
},
|
|
{
|
|
"durationMs": 604800000
|
|
},
|
|
{
|
|
"durationMs": 1209600000
|
|
},
|
|
{
|
|
"durationMs": 2592000000
|
|
},
|
|
{
|
|
"durationMs": 5184000000
|
|
},
|
|
{
|
|
"durationMs": 7776000000
|
|
}
|
|
],
|
|
"allowCustom": true
|
|
},
|
|
"timeContext": {
|
|
"durationMs": 86400000
|
|
}
|
|
}
|
|
],
|
|
"style": "pills",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
"customWidth": "15",
|
|
"name": "parameters - 3"
|
|
},
|
|
{
|
|
"type": 9,
|
|
"content": {
|
|
"version": "KqlParameterItem/1.0",
|
|
"parameters": [
|
|
{
|
|
"id": "3e8bb03d-ba1e-4d9f-b649-e8964090f6b4",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "reporting_feeds",
|
|
"label": "Reporting Feeds:",
|
|
"type": 2,
|
|
"isRequired": true,
|
|
"multiSelect": true,
|
|
"quote": "'",
|
|
"delimiter": ",",
|
|
"query": "ThreatIntelligenceIndicator\n| extend ReportingFeeds=parse_json(Description)['ReportingFeeds']\n| where isnotnull(ReportingFeeds)\n| mv-expand ReportingFeeds\n| summarize by tostring(ReportingFeeds)\n| order by ReportingFeeds asc",
|
|
"typeSettings": {
|
|
"additionalResourceOptions": [
|
|
"value::all"
|
|
],
|
|
"showDefault": false
|
|
},
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"defaultValue": "value::all",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"value": [
|
|
"value::all"
|
|
]
|
|
}
|
|
],
|
|
"style": "pills",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
"customWidth": "20",
|
|
"name": "parameters - 1"
|
|
}
|
|
],
|
|
"exportParameters": true
|
|
},
|
|
"name": "filters"
|
|
},
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"items": [
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "let data=ThreatIntelligenceIndicator\n| extend Enrichment=parse_json(Description)\n| extend ReportingFeed=Enrichment['ReportingFeeds'][0], IocSeverity=tostring(Enrichment['Severity']), Value=tostring(Enrichment['IOC'])\n| where ReportingFeed in ({reporting_feeds});\ndata\n| summarize Count=dcount(Value) by IocSeverity\n| extend IocSeverities=IocSeverity\n| union (\n data \n | summarize Count=dcount(Value) \n | extend IocSeverity='All', IocSeverities='*' \n)\n| extend Severity = iif(IocSeverity == \"All\", 0,iif(IocSeverity == \"High\", 1, iif(IocSeverity == \"Medium\", 2, iif(IocSeverity == \"Low\", 3, 4))))\n| order by Severity asc",
|
|
"size": 3,
|
|
"title": "Total Indicators by Severity",
|
|
"timeContext": {
|
|
"durationMs": 86400000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"exportFieldName": "IocSeverity",
|
|
"exportParameterName": "IndicatorSeverityPicker",
|
|
"exportDefaultValue": "All",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "tiles",
|
|
"tileSettings": {
|
|
"titleContent": {
|
|
"columnMatch": "IocSeverity",
|
|
"formatter": 1,
|
|
"formatOptions": {
|
|
"compositeBarSettings": {
|
|
"labelText": "",
|
|
"columnSettings": [
|
|
{
|
|
"columnName": "Severity",
|
|
"color": "blue"
|
|
}
|
|
]
|
|
}
|
|
}
|
|
},
|
|
"leftContent": {
|
|
"columnMatch": "Count",
|
|
"formatter": 12,
|
|
"formatOptions": {
|
|
"palette": "none"
|
|
}
|
|
},
|
|
"showBorder": true,
|
|
"size": "auto"
|
|
}
|
|
},
|
|
"name": "query - 3"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "ThreatIntelligenceIndicator\n| extend Enrichment=parse_json(Description)\n| extend ReportingFeed = Enrichment['ReportingFeeds'][0], Value = tostring(Enrichment['IOC'])\n| where ReportingFeed in ({reporting_feeds})\n| where Enrichment['Severity'] == '{IndicatorSeverityPicker}' or '{IndicatorSeverityPicker}' == 'All'\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \"IP\",\n iff(isnotempty(Url), \"URL\",\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \"Email\",\n iff(isnotempty(FileHashValue), \"File\",\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \"Domain\",\n \"Other\")))))\n| summarize CountOfIndicators=dcount(Value) by IndicatorType",
|
|
"size": 0,
|
|
"title": "Total Indicators by Type",
|
|
"timeContext": {
|
|
"durationMs": 86400000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "barchart",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "IPs",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"aggregation": "Count"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Domains",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"aggregation": "Count"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Hashes",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"aggregation": "Count"
|
|
}
|
|
}
|
|
]
|
|
},
|
|
"tileSettings": {
|
|
"titleContent": {
|
|
"columnMatch": "IndicatorType",
|
|
"formatter": 1
|
|
},
|
|
"subtitleContent": {
|
|
"columnMatch": "CountOfIndicators",
|
|
"formatter": 12,
|
|
"formatOptions": {
|
|
"palette": "blue"
|
|
}
|
|
},
|
|
"showBorder": false
|
|
},
|
|
"graphSettings": {
|
|
"type": 0
|
|
},
|
|
"chartSettings": {
|
|
"seriesLabelSettings": [
|
|
{
|
|
"seriesName": "IP",
|
|
"color": "blue"
|
|
},
|
|
{
|
|
"seriesName": "Domain",
|
|
"color": "orange"
|
|
},
|
|
{
|
|
"seriesName": "File",
|
|
"color": "green"
|
|
}
|
|
],
|
|
"ySettings": {
|
|
"min": 0
|
|
}
|
|
}
|
|
},
|
|
"name": "total_indicator_by_type"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "ThreatIntelligenceIndicator\n| extend Enrichment=parse_json(Description)\n| extend ReportingFeed = Enrichment['ReportingFeeds'][0]\n| where ReportingFeed in ({reporting_feeds})\n| where Enrichment['Severity'] == '{IndicatorSeverityPicker}' or '{IndicatorSeverityPicker}' == 'All'\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \"IP\",\n iff(isnotempty(Url), \"URL\",\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \"Email\",\n iff(isnotempty(FileHashValue), \"File\",\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \"Domain\",\n \"Other\")))))\n| project Value=tostring(Enrichment['IOC']), Type=IndicatorType, tostring(ReportingFeed), Severity=tostring(Enrichment['Severity']), FirstSeen=tostring(Enrichment['FirstSeen']),\n LastSeen=tostring(Enrichment['LastSeen']), RelatedAlert=tostring(Enrichment['RelatedAlert'])\n| summarize make_set(Value) by Value, Type, ReportingFeed, Severity, FirstSeen, LastSeen, RelatedAlert\n| order by LastSeen desc",
|
|
"size": 0,
|
|
"timeContext": {
|
|
"durationMs": 86400000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"showExportToExcel": true,
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "Severity",
|
|
"formatter": 18,
|
|
"formatOptions": {
|
|
"thresholdsOptions": "colors",
|
|
"thresholdsGrid": [
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "High",
|
|
"representation": "redBright",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "Medium",
|
|
"representation": "orange",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "Low",
|
|
"representation": "blue",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "Default",
|
|
"thresholdValue": null,
|
|
"representation": "gray",
|
|
"text": "{0}{1}"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "set_Value",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"customColumnWidthSetting": "0ch"
|
|
}
|
|
}
|
|
],
|
|
"rowLimit": 5000,
|
|
"filter": true
|
|
},
|
|
"sortBy": []
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "ioc",
|
|
"comparison": "isEqualTo"
|
|
},
|
|
"name": "iocs_overview_list"
|
|
}
|
|
]
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "Tab",
|
|
"comparison": "isEqualTo",
|
|
"value": "iocs_overview"
|
|
},
|
|
"name": "IOCs Overview"
|
|
},
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"items": [
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"items": [
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "let tiObservables = ThreatIntelligenceIndicator\n| extend Enrichment=parse_json(Description)\n| extend ReportingFeed = Enrichment['ReportingFeeds'][0], IocSeverity=tostring(Enrichment['Severity'])\n| where ReportingFeed in ({reporting_feeds})\n| project observableValue = strcat(NetworkSourceIP, NetworkIP, NetworkDestinationIP, Url, EmailSourceIpAddress, EmailSenderAddress, DomainName), IocSeverity;\nlet alertEntity = SecurityAlert \n| project parse_json(Entities), SystemAlertId\n| mvexpand(Entities)\n| extend entity = iif(isnotempty(Entities.Address), Entities.Address,\n iif(isnotempty(Entities.HostName),strcat(Entities.HostName, \".\", Entities.DnsDomain),\n iif(isnotempty(Entities.Url), Entities.Url,\n iif(Entities.Type == \"account\", strcat(Entities.Name,\"@\",Entities.UPNSuffix),\"\")))) \n| where isnotempty(entity) \n| project entity, SystemAlertId;\nalertEntity\n| join kind= inner tiObservables on $left.entity == $right.observableValue\n| summarize Count=dcount(observableValue) by IocSeverity\n| extend IocSeverities=IocSeverity\n| union (\n alertEntity\n | join kind= inner tiObservables on $left.entity == $right.observableValue\n | summarize Count=dcount(observableValue)\n | extend IocSeverity='All', IocSeverities='*' \n)\n| extend Severity = iif(IocSeverity == \"All\", 0,iif(IocSeverity == \"High\", 1, iif(IocSeverity == \"Medium\", 2, iif(IocSeverity == \"Low\", 3, 4))))\n| order by Severity asc",
|
|
"size": 3,
|
|
"title": "Total Matched Indicators by Severity",
|
|
"timeContext": {
|
|
"durationMs": 86400000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"exportFieldName": "IocSeverity",
|
|
"exportParameterName": "IndicatorSeverityPicker",
|
|
"exportDefaultValue": "All",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "tiles",
|
|
"sortBy": [],
|
|
"tileSettings": {
|
|
"titleContent": {
|
|
"columnMatch": "IocSeverity",
|
|
"formatter": 1
|
|
},
|
|
"leftContent": {
|
|
"columnMatch": "Count",
|
|
"formatter": 12,
|
|
"formatOptions": {
|
|
"palette": "none"
|
|
}
|
|
},
|
|
"showBorder": true,
|
|
"size": "full"
|
|
}
|
|
},
|
|
"customWidth": "33",
|
|
"name": "total_matched_by_severity"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "let tiObservables = ThreatIntelligenceIndicator\n| extend Enrichment=parse_json(Description)\n| extend ReportingFeed = Enrichment['ReportingFeeds'][0]\n| where ReportingFeed in ({reporting_feeds})\n| where Enrichment['Severity'] == '{IndicatorSeverityPicker}' or '{IndicatorSeverityPicker}' == 'All'\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \"IP\",\n iff(isnotempty(Url), \"URL\",\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \"Email\",\n iff(isnotempty(FileHashValue), \"File\",\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \"Domain\",\n \"Other\")))))\n| project observableValue = strcat(NetworkSourceIP, NetworkIP, NetworkDestinationIP, Url, EmailSourceIpAddress, EmailSenderAddress, DomainName), IndicatorType;\nlet alertEntity = SecurityAlert \n| project parse_json(Entities), SystemAlertId\n| mvexpand(Entities)\n| extend entity = iif(isnotempty(Entities.Address), Entities.Address,\n iif(isnotempty(Entities.HostName),strcat(Entities.HostName, \".\", Entities.DnsDomain),\n iif(isnotempty(Entities.Url), Entities.Url,\n iif(Entities.Type == \"account\", strcat(Entities.Name,\"@\",Entities.UPNSuffix),\"\")))) \n| where isnotempty(entity) \n| project entity, SystemAlertId;\nalertEntity\n| join kind= inner tiObservables on $left.entity == $right.observableValue\n| summarize CountOfIndicators=dcount(observableValue) by IndicatorType",
|
|
"size": 3,
|
|
"title": "Total Matched Indicators by Type",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "piechart",
|
|
"chartSettings": {
|
|
"showMetrics": false,
|
|
"showLegend": true
|
|
}
|
|
},
|
|
"customWidth": "33",
|
|
"showPin": false,
|
|
"name": "total_matched_by_type"
|
|
}
|
|
],
|
|
"exportParameters": true
|
|
},
|
|
"name": "group - 0"
|
|
},
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"items": [
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "let tiObservables = ThreatIntelligenceIndicator\n| extend Enrichment=parse_json(Description)\n| extend ReportingFeed = Enrichment['ReportingFeeds'][0]\n| where ReportingFeed in ({reporting_feeds})\n| where Enrichment['Severity'] == '{IndicatorSeverityPicker}' or '{IndicatorSeverityPicker}' == 'All'\n| extend Tags=set_union(Enrichment['UserTags'],Enrichment['SystemTags'])\n| mvexpand Tags\n| where isnotnull(Tags)\n| project observableValue = strcat(NetworkSourceIP, NetworkIP, NetworkDestinationIP, Url, EmailSourceIpAddress, EmailSenderAddress, DomainName), Tags;\nlet alertEntity = SecurityAlert \n| project parse_json(Entities), SystemAlertId\n| mvexpand(Entities)\n| extend entity = iif(isnotempty(Entities.Address), Entities.Address,\n iif(isnotempty(Entities.HostName),strcat(Entities.HostName, \".\", Entities.DnsDomain),\n iif(isnotempty(Entities.Url), Entities.Url,\n iif(Entities.Type == \"account\", strcat(Entities.Name,\"@\",Entities.UPNSuffix),\"\")))) \n| where isnotempty(entity) \n| project entity, SystemAlertId;\nalertEntity\n| join kind= inner tiObservables on $left.entity == $right.observableValue\n| summarize Count=dcount(observableValue) by Tag=tostring(Tags)\n| order by Count desc",
|
|
"size": 1,
|
|
"title": "Top Tags Linked with Matched Indicators",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
"customWidth": "33",
|
|
"name": "tags"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "let tiObservables = ThreatIntelligenceIndicator\n| extend Enrichment = parse_json(Description)\n| extend ReportingFeed = Enrichment['ReportingFeeds'][0]\n| where ReportingFeed in ({reporting_feeds})\n| where Enrichment['Severity'] == '{IndicatorSeverityPicker}' or '{IndicatorSeverityPicker}' == 'All'\n| extend Malwares= Enrichment['Malwares']\n| where isnotnull(Malwares)\n| mvexpand Malwares\n| project observableValue = strcat(NetworkSourceIP, NetworkIP, NetworkDestinationIP, Url, EmailSourceIpAddress, EmailSenderAddress, DomainName), Malwares;\nlet alertEntity = SecurityAlert \n| project parse_json(Entities), SystemAlertId\n| mvexpand(Entities)\n| extend entity = iif(isnotempty(Entities.Address), Entities.Address,\n iif(isnotempty(Entities.HostName),strcat(Entities.HostName, \".\", Entities.DnsDomain),\n iif(isnotempty(Entities.Url), Entities.Url,\n iif(Entities.Type == \"account\", strcat(Entities.Name,\"@\",Entities.UPNSuffix),\"\")))) \n| where isnotempty(entity) \n| project entity, SystemAlertId;\nalertEntity\n| join kind= inner tiObservables on $left.entity == $right.observableValue\n| summarize Count=dcount(observableValue) by Malware=tostring(Malwares)\n| order by Count desc",
|
|
"size": 1,
|
|
"title": "Top Malwares Linked with Matched Indicators",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
"customWidth": "33",
|
|
"name": "malwares"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "let tiObservables = ThreatIntelligenceIndicator\n| extend Enrichment = parse_json(Description)\n| extend ReportingFeed = Enrichment['ReportingFeeds'][0]\n| where ReportingFeed in ({reporting_feeds})\n| where Enrichment['Severity'] == '{IndicatorSeverityPicker}' or '{IndicatorSeverityPicker}' == 'All'\n| extend ThreatActors=Enrichment['ThreatActors']\n| where isnotnull(ThreatActors)\n| mvexpand ThreatActors\n| project observableValue = strcat(NetworkSourceIP, NetworkIP, NetworkDestinationIP, Url, EmailSourceIpAddress, EmailSenderAddress, DomainName), ThreatActors;\nlet alertEntity = SecurityAlert \n| project parse_json(Entities), SystemAlertId\n| mvexpand(Entities)\n| extend entity = iif(isnotempty(Entities.Address), Entities.Address,\n iif(isnotempty(Entities.HostName),strcat(Entities.HostName, \".\", Entities.DnsDomain),\n iif(isnotempty(Entities.Url), Entities.Url,\n iif(Entities.Type == \"account\", strcat(Entities.Name,\"@\",Entities.UPNSuffix),\"\")))) \n| where isnotempty(entity) \n| project entity, SystemAlertId;\nalertEntity\n| join kind= inner tiObservables on $left.entity == $right.observableValue\n| summarize Count=dcount(observableValue) by ThreatActor=tostring(ThreatActors)\n| order by Count desc",
|
|
"size": 1,
|
|
"title": "Top Threat Actors Linked with Matched Indicators",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
"customWidth": "33",
|
|
"name": "threat_actors"
|
|
}
|
|
]
|
|
},
|
|
"name": "group - 1"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "let tiObservables=ThreatIntelligenceIndicator\n| extend Enrichment=parse_json(Description)\n| extend ReportingFeed=Enrichment['ReportingFeeds'][0]\n| where ReportingFeed in ({reporting_feeds})\n| where Enrichment['Severity'] == '{IndicatorSeverityPicker}' or '{IndicatorSeverityPicker}' == 'All'\n| project Enrichment, observableValue = strcat(NetworkSourceIP, NetworkIP, NetworkDestinationIP, Url, EmailSourceIpAddress, EmailSenderAddress, DomainName), SourceSystem;\nlet alertEntity = SecurityAlert \n| project parse_json(Entities), SystemAlertId, AlertName\n| mvexpand(Entities)\n| extend entity=iif(isnotempty(Entities.Address), Entities.Address,\n iif(isnotempty(Entities.HostName),strcat(Entities.HostName, \".\", Entities.DnsDomain),\n iif(isnotempty(Entities.Url), Entities.Url,\n iif(Entities.Type == \"account\", strcat(Entities.Name,\"@\",Entities.UPNSuffix),\"\")))) \n| where isnotempty(entity) \n| project entity, SystemAlertId, AlertName;\nalertEntity\n| join kind= inner tiObservables on $left.entity == $right.observableValue\n| extend Severity=tostring(Enrichment['Severity']), Tags=tostring(set_union(Enrichment['UserTags'],Enrichment['SystemTags'])), ThreatActors=tostring(Enrichment['ThreatActors']), Malwares=tostring(Enrichment['Malwares'])\n| summarize Alerts = dcount(SystemAlertId) by Value=observableValue, Severity, SourceSystem, AlertName\n| order by Alerts desc",
|
|
"size": 0,
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"showExportToExcel": true,
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "Severity",
|
|
"formatter": 18,
|
|
"formatOptions": {
|
|
"thresholdsOptions": "colors",
|
|
"thresholdsGrid": [
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "High",
|
|
"representation": "redBright",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "Medium",
|
|
"representation": "orange",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "Low",
|
|
"representation": "blue",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "Default",
|
|
"thresholdValue": null,
|
|
"representation": "gray",
|
|
"text": "{0}{1}"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Alerts",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "red"
|
|
}
|
|
}
|
|
],
|
|
"rowLimit": 5000,
|
|
"filter": true,
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "Value",
|
|
"sortOrder": 2
|
|
}
|
|
]
|
|
},
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "Value",
|
|
"sortOrder": 2
|
|
}
|
|
]
|
|
},
|
|
"name": "correlation_iocs_list"
|
|
}
|
|
]
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "Tab",
|
|
"comparison": "isEqualTo",
|
|
"value": "correlation_overview"
|
|
},
|
|
"name": "Correlation Overview"
|
|
}
|
|
],
|
|
"fallbackResourceIds": [
|
|
"/subscriptions/df5ebcb7-3cc5-4549-b82d-2ee2a62cf4de/resourcegroups/resource_group_for_sentinel_clint/providers/microsoft.operationalinsights/workspaces/azure-sentinel-clint"
|
|
],
|
|
"fromTemplateId": "sentinel-IntsightsIOCWorkbook",
|
|
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
|
|
} |