Azure-Sentinel/Workbooks/VMwareCarbonBlack.json


{
"version": "Notebook/1.0",
"items": [
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "7276a9d6-ba34-4f06-9a14-785f03cedf52",
"version": "KqlParameterItem/1.0",
"name": "TimeRange",
"label": "Time Range",
"type": 4,
"isRequired": true,
"value": {
"durationMs": 2419200000
},
"typeSettings": {
"selectableValues": [
{
"durationMs": 300000
},
{
"durationMs": 900000
},
{
"durationMs": 1800000
},
{
"durationMs": 3600000
},
{
"durationMs": 14400000
},
{
"durationMs": 43200000
},
{
"durationMs": 86400000
},
{
"durationMs": 172800000
},
{
"durationMs": 259200000
},
{
"durationMs": 604800000
},
{
"durationMs": 1209600000
},
{
"durationMs": 2419200000
},
{
"durationMs": 2592000000
},
{
"durationMs": 5184000000
},
{
"durationMs": 7776000000
}
],
"allowCustom": true
},
"resourceType": "microsoft.insights/components"
},
{
"id": "e10ce65c-0f31-4def-a81b-2c565d36a1d6",
"version": "KqlParameterItem/1.0",
"name": "EventType",
"label": "Event Type",
"type": 2,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "CarbonBlackEvents_CL\n| distinct eventType_s\n| sort by eventType_s asc",
"value": [
"value::all"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
]
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
{
"id": "b7f7d6bb-20af-4f36-9d0e-389147598e04",
"version": "KqlParameterItem/1.0",
"name": "ThreatIndicator",
"label": "Threat Indicator",
"type": 2,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "CarbonBlackEvents_CL\r\n| mvexpand todynamic(threatIndicators_s)\r\n| distinct tostring(threatIndicators_s)\r\n| sort by threatIndicators_s asc",
"value": [
"value::all"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
]
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
{
"id": "34e19468-ad9e-4170-bd1e-d9970cc6df5b",
"version": "KqlParameterItem/1.0",
"name": "PriorityType",
"type": 2,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "CarbonBlackEvents_CL\r\n| mvexpand todynamic(deviceDetails_targetPriorityType_s)\r\n| distinct tostring(deviceDetails_targetPriorityType_s)\r\n| sort by deviceDetails_targetPriorityType_s asc",
"value": [
"value::all"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
]
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"label": "Priority Type"
},
{
"id": "b06c1de8-163e-4f8a-8cc5-5aa0fe3fccfc",
"version": "KqlParameterItem/1.0",
"name": "Location",
"type": 2,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "CarbonBlackEvents_CL\r\n| summarize count() by deviceDetails_deviceLocation_countryName_s\r\n| project deviceDetails_deviceLocation_countryName_s\r\n| order by deviceDetails_deviceLocation_countryName_s asc",
"value": [
"value::all"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
]
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
{
"id": "046ce247-834a-49d5-9896-9d2bd5a559ce",
"version": "KqlParameterItem/1.0",
"name": "SensorOS",
"label": "Sensor OS",
"type": 2,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "CarbonBlackEvents_CL\n| distinct deviceDetails_deviceVersion_s\n| sort by deviceDetails_deviceVersion_s asc",
"value": [
"value::all"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
]
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
}
],
"style": "above",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 8"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CarbonBlackEvents_CL\r\n| mvexpand todynamic(threatIndicators_s)\r\n| where threatIndicators_s in ({ThreatIndicator}) or '*' in ({ThreatIndicator})\r\n| where deviceDetails_deviceLocation_countryName_s in ({Location}) or '*' in ({Location})\r\n| where deviceDetails_targetPriorityType_s in ({PriorityType}) or '*' in ({PriorityType})\r\n| where eventType_s in ({EventType}) or '*' in ({EventType})\r\n| where deviceDetails_deviceVersion_s in ({SensorOS}) or '*' in ({SensorOS})\r\n| extend eventTime = datetime(1970-01-01) + tolong(eventTime_d/1000) * 1sec\r\n| summarize count() by bin(eventTime,{TimeRange:grain}), tostring(threatIndicators_s)",
"size": 0,
"title": "Total Events by Threat Indicators",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "barchart",
"tileSettings": {
"showBorder": false,
"titleContent": {
"columnMatch": "threatIndicators_s",
"formatter": 1
},
"leftContent": {
"columnMatch": "count_",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
}
},
"name": "query - 10"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CarbonBlackEvents_CL\r\n| mvexpand todynamic(threatIndicators_s)\r\n| where threatIndicators_s in ({ThreatIndicator}) or '*' in ({ThreatIndicator})\r\n| where deviceDetails_deviceLocation_countryName_s in ({Location}) or '*' in ({Location})\r\n| where deviceDetails_targetPriorityType_s in ({PriorityType}) or '*' in ({PriorityType})\r\n| where eventType_s in ({EventType}) or '*' in ({EventType})\r\n| where deviceDetails_deviceVersion_s in ({SensorOS}) or '*' in ({SensorOS})\r\n| extend eventTime = datetime(1970-01-01) + tolong(eventTime_d/1000) * 1sec\r\n| summarize count() by bin(eventTime, {TimeRange:grain}), deviceDetails_targetPriorityType_s",
"size": 0,
"title": "Total Events by Priority Type",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "barchart",
"chartSettings": {
"seriesLabelSettings": [
{
"seriesName": "MEDIUM",
"color": "orange"
},
{
"seriesName": "HIGH",
"color": "redBright"
}
]
}
},
"customWidth": "50",
"name": "query - 4"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CarbonBlackEvents_CL\n| mvexpand todynamic(threatIndicators_s)\n| where threatIndicators_s in ({ThreatIndicator}) or '*' in ({ThreatIndicator})\n| where deviceDetails_deviceLocation_countryName_s in ({Location}) or '*' in ({Location})\n| where deviceDetails_targetPriorityType_s in ({PriorityType}) or '*' in ({PriorityType})\n| where eventType_s in ({EventType}) or '*' in ({EventType})\n| where deviceDetails_deviceVersion_s in ({SensorOS}) or '*' in ({SensorOS})\n| extend eventTime = datetime(1970-01-01) + tolong(eventTime_d/1000) * 1sec\n| summarize count() by City = netFlow_peerLocation_city_s, netFlow_peerLocation_countryName_s, latitude = netFlow_peerLocation_latitude_d, longitude = netFlow_peerLocation_longitude_d\n| where isnotempty(City)",
"size": 0,
"title": "Net Data Flow by City",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "map",
"mapSettings": {
"locInfo": "LatLong",
"latitude": "latitude",
"longitude": "longitude",
"sizeSettings": "count_",
"sizeAggregation": "Sum",
"labelSettings": "City",
"legendMetric": "count_",
"legendAggregation": "Sum",
"itemColorSettings": {
"nodeColorField": "count_",
"colorAggregation": "Sum",
"type": "heatmap",
"heatmapPalette": "greenRed"
},
"numberFormatSettings": {
"unit": 17,
"options": {
"style": "decimal",
"maximumFractionDigits": 1
}
}
}
},
"customWidth": "50",
"name": "query - 17 - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CarbonBlackEvents_CL\n| mvexpand todynamic(threatIndicators_s)\n| where threatIndicators_s in ({ThreatIndicator}) or '*' in ({ThreatIndicator})\n| where deviceDetails_deviceLocation_countryName_s in ({Location}) or '*' in ({Location})\n| where deviceDetails_targetPriorityType_s in ({PriorityType}) or '*' in ({PriorityType})\n| where eventType_s in ({EventType}) or '*' in ({EventType})\n| where deviceDetails_deviceVersion_s in ({SensorOS}) or '*' in ({SensorOS})\n| extend eventTime = datetime(1970-01-01) + tolong(eventTime_d/1000) * 1sec\n| summarize count() by City = deviceDetails_deviceLocation_city_s, IPAddress = deviceDetails_deviceIpV4Address_s, Country = deviceDetails_deviceLocation_countryName_s, latitude = deviceDetails_deviceLocation_latitude_d, longitude = deviceDetails_deviceLocation_longitude_d",
"size": 0,
"title": "Endpoint Generated Events by City",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "map",
"mapSettings": {
"locInfo": "LatLong",
"latitude": "latitude",
"longitude": "longitude",
"sizeSettings": "count_",
"sizeAggregation": "Sum",
"labelSettings": "City",
"legendMetric": "count_",
"legendAggregation": "Sum",
"itemColorSettings": {
"nodeColorField": "count_",
"colorAggregation": "Sum",
"type": "heatmap",
"heatmapPalette": "greenRed"
},
"numberFormatSettings": {
"unit": 17,
"options": {
"style": "decimal",
"maximumFractionDigits": 1
}
}
}
},
"customWidth": "50",
"name": "query - 17"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CarbonBlackEvents_CL\r\n| mvexpand todynamic(threatIndicators_s)\r\n| where threatIndicators_s in ({ThreatIndicator}) or '*' in ({ThreatIndicator})\r\n| where deviceDetails_deviceLocation_countryName_s in ({Location}) or '*' in ({Location})\r\n| where deviceDetails_targetPriorityType_s in ({PriorityType}) or '*' in ({PriorityType})\r\n| where eventType_s in ({EventType}) or '*' in ({EventType})\r\n| extend eventTime = datetime(1970-01-01) + tolong(eventTime_d/1000) * 1sec\r\n| summarize HIGH = countif(deviceDetails_targetPriorityType_s == \"HIGH\"), MEDIUM = countif(deviceDetails_targetPriorityType_s == \"MEDIUM\"), LOW = countif(deviceDetails_targetPriorityType_s == \"LOW\"), Total = count() by ParentProcess = processDetails_name_s\r\n| top 10 by Total",
"size": 0,
"title": "Top 10 Parent Processes",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "HIGH",
"formatter": 8,
"formatOptions": {
"palette": "redDark"
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"useGrouping": true
}
}
},
{
"columnMatch": "MEDIUM",
"formatter": 8,
"formatOptions": {
"palette": "orange"
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"useGrouping": false,
"maximumFractionDigits": 1
}
}
},
{
"columnMatch": "LOW",
"formatter": 8,
"formatOptions": {
"palette": "blue"
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"useGrouping": false,
"maximumFractionDigits": 2
}
}
},
{
"columnMatch": "Total",
"formatter": 3,
"formatOptions": {
"palette": "yellowOrangeRed"
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"maximumFractionDigits": 1
}
}
},
{
"columnMatch": "Count",
"formatter": 0,
"formatOptions": {},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"useGrouping": false,
"maximumFractionDigits": 2
}
}
}
],
"labelSettings": [
{
"columnId": "ParentProcess",
"label": "Parent Process"
},
{
"columnId": "HIGH"
},
{
"columnId": "MEDIUM"
},
{
"columnId": "LOW"
},
{
"columnId": "Total"
}
]
},
"sortBy": [],
"tileSettings": {
"showBorder": false,
"titleContent": {
"columnMatch": "ApplicationName",
"formatter": 1
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
}
},
"customWidth": "50",
"name": "query - 9 - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CarbonBlackEvents_CL\r\n| mvexpand todynamic(threatIndicators_s)\r\n| where threatIndicators_s in ({ThreatIndicator}) or '*' in ({ThreatIndicator})\r\n| where deviceDetails_deviceLocation_countryName_s in ({Location}) or '*' in ({Location})\r\n| where deviceDetails_targetPriorityType_s in ({PriorityType}) or '*' in ({PriorityType})\r\n| where eventType_s in ({EventType}) or '*' in ({EventType})\r\n| where deviceDetails_deviceVersion_s in ({SensorOS}) or '*' in ({SensorOS})\r\n| extend eventTime = datetime(1970-01-01) + tolong(eventTime_d/1000) * 1sec\r\n| summarize count() by eventType_s",
"size": 0,
"title": "Event Types",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "50",
"name": "query - 7"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CarbonBlackEvents_CL\r\n| mvexpand todynamic(threatIndicators_s)\r\n| where threatIndicators_s in ({ThreatIndicator}) or '*' in ({ThreatIndicator})\r\n| where deviceDetails_deviceLocation_countryName_s in ({Location}) or '*' in ({Location})\r\n| where deviceDetails_targetPriorityType_s in ({PriorityType}) or '*' in ({PriorityType})\r\n| where eventType_s in ({EventType}) or '*' in ({EventType})\r\n| where deviceDetails_deviceVersion_s in ({SensorOS}) or '*' in ({SensorOS})\r\n| extend eventTime = datetime(1970-01-01) + tolong(eventTime_d/1000) * 1sec\r\n| summarize count() by targetApp_effectiveReputation_s",
"size": 0,
"title": "Targeted Application Reputation Types",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "50",
"name": "query - 7 - Copy",
"styleSettings": {
"progressStyle": "squares"
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CarbonBlackEvents_CL\r\n| where deviceDetails_deviceLocation_countryName_s in ({Location}) or '*' in ({Location})\r\n| where deviceDetails_targetPriorityType_s in ({PriorityType}) or '*' in ({PriorityType})\r\n| where eventType_s in ({EventType}) or '*' in ({EventType})\r\n| where deviceDetails_deviceVersion_s in ({SensorOS}) or '*' in ({SensorOS})\r\n| extend eventTime = datetime(1970-01-01) + tolong(eventTime_d/1000) * 1sec\r\n| summarize Sensors = dcount(deviceDetails_deviceName_s)",
"size": 0,
"title": "Total Sensors",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"gridSettings": {
"formatters": [
{
"columnMatch": "Count",
"formatter": 3,
"formatOptions": {
"palette": "blue"
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"useGrouping": true,
"maximumFractionDigits": 1
}
}
}
]
},
"sortBy": [],
"tileSettings": {
"titleContent": {
"formatter": 1,
"formatOptions": {}
},
"leftContent": {
"columnMatch": "Sensors",
"formatter": 12,
"formatOptions": {
"palette": "auto"
}
},
"showBorder": false,
"size": "auto"
}
},
"customWidth": "20",
"name": "query - 9 - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CarbonBlackEvents_CL\r\n| mvexpand todynamic(threatIndicators_s)\r\n| where threatIndicators_s in ({ThreatIndicator}) or '*' in ({ThreatIndicator})\r\n| where deviceDetails_deviceLocation_countryName_s in ({Location}) or '*' in ({Location})\r\n| where deviceDetails_targetPriorityType_s in ({PriorityType}) or '*' in ({PriorityType})\r\n| where eventType_s in ({EventType}) or '*' in ({EventType})\r\n| where deviceDetails_deviceVersion_s in ({SensorOS}) or '*' in ({SensorOS})\r\n| extend eventTime = datetime(1970-01-01) + tolong(eventTime_d/1000) * 1sec\r\n| summarize Total = count() by Sensor = deviceDetails_deviceName_s\r\n| top 10 by Total",
"size": 0,
"title": "Top 10 Event Generating Sensors",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "Total",
"formatter": 3,
"formatOptions": {
"palette": "hotCold"
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"useGrouping": false,
"maximumFractionDigits": 1
}
}
},
{
"columnMatch": "Count",
"formatter": 3,
"formatOptions": {
"palette": "blue"
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"useGrouping": true,
"maximumFractionDigits": 1
}
}
}
]
},
"sortBy": []
},
"customWidth": "40",
"name": "query - 9"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CarbonBlackEvents_CL\r\n| mvexpand todynamic(threatIndicators_s)\r\n| where threatIndicators_s in ({ThreatIndicator}) or '*' in ({ThreatIndicator})\r\n| where deviceDetails_deviceLocation_countryName_s in ({Location}) or '*' in ({Location})\r\n| where deviceDetails_targetPriorityType_s in ({PriorityType}) or '*' in ({PriorityType})\r\n| where eventType_s in ({EventType}) or '*' in ({EventType})\r\n| where deviceDetails_deviceVersion_s in ({SensorOS}) or '*' in ({SensorOS})\r\n| extend eventTime = datetime(1970-01-01) + tolong(eventTime_d/1000) * 1sec\r\n| summarize Total = dcount(deviceDetails_deviceName_s) by ['OS Version'] = deviceDetails_deviceVersion_s",
"size": 0,
"title": "Top 10 Sensor Operating Systems",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "Total",
"formatter": 3,
"formatOptions": {
"palette": "blue"
}
}
]
},
"sortBy": []
},
"customWidth": "40",
"name": "query - 9 - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CarbonBlackEvents_CL\r\n| mvexpand todynamic(threatIndicators_s)\r\n| where threatIndicators_s in ({ThreatIndicator}) or '*' in ({ThreatIndicator})\r\n| where deviceDetails_deviceLocation_countryName_s in ({Location}) or '*' in ({Location})\r\n| where deviceDetails_targetPriorityType_s in ({PriorityType}) or '*' in ({PriorityType})\r\n| where eventType_s in ({EventType}) or '*' in ({EventType})\r\n| extend eventTime = datetime(1970-01-01) + tolong(eventTime_d/1000) * 1sec\r\n| where targetApp_effectiveReputation_s == \"KNOWN_MALWARE\"\r\n| summarize count() by eventTime, processDetails_fullUserName_s, deviceDetails_deviceName_s, processDetails_targetName_s, targetApp_applicationName_s\r\n| project-away count_\r\n| sort by eventTime desc, deviceDetails_deviceName_s asc",
"size": 0,
"title": "Recent Known Malware Detected",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "HIGH",
"formatter": 8,
"formatOptions": {
"palette": "redDark"
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"useGrouping": true
}
}
},
{
"columnMatch": "MEDIUM",
"formatter": 8,
"formatOptions": {
"palette": "orange"
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"useGrouping": false,
"maximumFractionDigits": 1
}
}
},
{
"columnMatch": "LOW",
"formatter": 8,
"formatOptions": {
"palette": "blue"
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"useGrouping": false,
"maximumFractionDigits": 2
}
}
},
{
"columnMatch": "Total",
"formatter": 3,
"formatOptions": {
"palette": "yellowOrangeRed"
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"maximumFractionDigits": 1
}
}
},
{
"columnMatch": "Count",
"formatter": 0,
"formatOptions": {},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"useGrouping": false,
"maximumFractionDigits": 2
}
}
}
],
"labelSettings": [
{
"columnId": "eventTime",
"label": "Event Time"
},
{
"columnId": "processDetails_fullUserName_s",
"label": "User"
},
{
"columnId": "deviceDetails_deviceName_s",
"label": "Endpoint"
},
{
"columnId": "processDetails_targetName_s",
"label": "Process Name"
},
{
"columnId": "targetApp_applicationName_s",
"label": "Application Name"
}
]
},
"sortBy": [],
"tileSettings": {
"showBorder": false,
"titleContent": {
"columnMatch": "ApplicationName",
"formatter": 1
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
}
},
"customWidth": "50",
"name": "query - 9 - Copy - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CarbonBlackEvents_CL\r\n| mvexpand todynamic(threatIndicators_s)\r\n| where threatIndicators_s in ({ThreatIndicator}) or '*' in ({ThreatIndicator})\r\n| where deviceDetails_deviceLocation_countryName_s in ({Location}) or '*' in ({Location})\r\n| where deviceDetails_targetPriorityType_s in ({PriorityType}) or '*' in ({PriorityType})\r\n| where eventType_s in ({EventType}) or '*' in ({EventType})\r\n| extend eventTime = datetime(1970-01-01) + tolong(eventTime_d/1000) * 1sec\r\n| where targetApp_effectiveReputation_s == \"KNOWN_MALWARE\"\r\n| summarize count() by deviceDetails_deviceName_s, bin(TimeGenerated,{TimeRange:grain})",
"size": 0,
"title": "Known Malware Activity by Endpoint",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "barchart",
"gridSettings": {
"formatters": [
{
"columnMatch": "HIGH",
"formatter": 8,
"formatOptions": {
"palette": "redDark"
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"useGrouping": true
}
}
},
{
"columnMatch": "MEDIUM",
"formatter": 8,
"formatOptions": {
"palette": "orange"
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"useGrouping": false,
"maximumFractionDigits": 1
}
}
},
{
"columnMatch": "LOW",
"formatter": 8,
"formatOptions": {
"palette": "blue"
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"useGrouping": false,
"maximumFractionDigits": 2
}
}
},
{
"columnMatch": "Total",
"formatter": 3,
"formatOptions": {
"palette": "yellowOrangeRed"
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"maximumFractionDigits": 1
}
}
},
{
"columnMatch": "Count",
"formatter": 0,
"formatOptions": {},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"useGrouping": false,
"maximumFractionDigits": 2
}
}
}
],
"labelSettings": [
{
"columnId": "eventTime",
"label": "Event Time"
},
{
"columnId": "processDetails_fullUserName_s",
"label": "User"
},
{
"columnId": "deviceDetails_deviceName_s",
"label": "Endpoint"
},
{
"columnId": "processDetails_targetName_s",
"label": "Process Name"
},
{
"columnId": "targetApp_applicationName_s",
"label": "Application Name"
}
]
},
"sortBy": [],
"tileSettings": {
"showBorder": false,
"titleContent": {
"columnMatch": "ApplicationName",
"formatter": 1
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
}
},
"customWidth": "50",
"name": "query - 9 - Copy - Copy - Copy"
}
],
"fromTemplateId": "sentinel-UserWorkbook",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}