366 строки
12 KiB
JSON
366 строки
12 KiB
JSON
{
|
|
"version": "Notebook/1.0",
|
|
"items": [
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "## Application gateway access events\n"
|
|
},
|
|
"customWidth": "100",
|
|
"name": "text - 2"
|
|
},
|
|
{
|
|
"type": 9,
|
|
"content": {
|
|
"version": "KqlParameterItem/1.0",
|
|
"parameters": [
|
|
{
|
|
"id": "b3ac8870-500d-4dd8-a570-f49a2c2f1a76",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "TimeRange",
|
|
"type": 4,
|
|
"isRequired": true,
|
|
"value": {
|
|
"durationMs": 86400000
|
|
},
|
|
"typeSettings": {
|
|
"selectableValues": [
|
|
{
|
|
"durationMs": 300000
|
|
},
|
|
{
|
|
"durationMs": 900000
|
|
},
|
|
{
|
|
"durationMs": 1800000
|
|
},
|
|
{
|
|
"durationMs": 3600000
|
|
},
|
|
{
|
|
"durationMs": 14400000
|
|
},
|
|
{
|
|
"durationMs": 43200000
|
|
},
|
|
{
|
|
"durationMs": 86400000
|
|
},
|
|
{
|
|
"durationMs": 172800000
|
|
},
|
|
{
|
|
"durationMs": 259200000
|
|
},
|
|
{
|
|
"durationMs": 604800000
|
|
},
|
|
{
|
|
"durationMs": 1209600000
|
|
},
|
|
{
|
|
"durationMs": 2419200000
|
|
},
|
|
{
|
|
"durationMs": 2592000000
|
|
},
|
|
{
|
|
"durationMs": 5184000000
|
|
},
|
|
{
|
|
"durationMs": 7776000000
|
|
}
|
|
],
|
|
"allowCustom": true
|
|
}
|
|
}
|
|
],
|
|
"style": "pills",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
"customWidth": "50",
|
|
"name": "parameters - 2"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "let ActivityData = AzureDiagnostics\r\n| where ResourceType == \"APPLICATIONGATEWAYS\"\r\n| where OperationName == \"ApplicationGatewayAccess\";\r\nActivityData\r\n| summarize Count = count() by clientIP_s\r\n| join kind = inner (ActivityData\r\n | make-series Trend = count() default = 0 on bin(TimeGenerated, 1d) from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by clientIP_s)\r\n on clientIP_s\r\n | project-away clientIP_s1, TimeGenerated\r\n| extend clientIP = clientIP_s\r\n| union (\r\n ActivityData\r\n | summarize Count = count() \r\n | extend jkey = 1\r\n | join kind=inner (ActivityData\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\r\n | extend jkey = 1) on jkey\r\n | extend clientIP_s = 'All Clients', clientIP_ = '*' \r\n)\r\n| order by Count desc\r\n| take 10",
|
|
"size": 4,
|
|
"title": "Top 10 IP's by activity",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "tiles",
|
|
"tileSettings": {
|
|
"titleContent": {
|
|
"columnMatch": "clientIp_s",
|
|
"formatter": 1
|
|
},
|
|
"leftContent": {
|
|
"columnMatch": "Count",
|
|
"formatter": 12,
|
|
"formatOptions": {
|
|
"palette": "auto"
|
|
},
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"style": "decimal",
|
|
"useGrouping": false,
|
|
"maximumFractionDigits": 2,
|
|
"maximumSignificantDigits": 3
|
|
}
|
|
}
|
|
},
|
|
"rightContent": {
|
|
"columnMatch": "clientIP_s"
|
|
},
|
|
"secondaryContent": {
|
|
"columnMatch": "Trend",
|
|
"formatter": 9
|
|
},
|
|
"showBorder": false
|
|
}
|
|
},
|
|
"name": "query - 2"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "AzureDiagnostics\r\n| where ResourceType == \"APPLICATIONGATEWAYS\"\r\n| where OperationName == \"ApplicationGatewayAccess\"\r\n| summarize Count= count() by clientIP_s, bin(TimeGenerated, 1d)\r\n",
|
|
"size": 0,
|
|
"title": "Activity, by cIient IP address",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "timechart"
|
|
},
|
|
"customWidth": "70",
|
|
"name": "query - 3"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "AzureDiagnostics\r\n| where ResourceType == \"APPLICATIONGATEWAYS\"\r\n| where OperationName == \"ApplicationGatewayAccess\"\r\n| summarize count() by clientIP_s, TimeGenerated\r\n",
|
|
"size": 0,
|
|
"title": "SSL use",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "piechart"
|
|
},
|
|
"customWidth": "30",
|
|
"name": "query - 4"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "AzureDiagnostics\r\n| where ResourceType == \"APPLICATIONGATEWAYS\"\r\n| where OperationName == \"ApplicationGatewayAccess\" \r\n| summarize receivedBytes = sum(receivedBytes_d)/1048576, sentBytes = sum(sentBytes_d)/1048576 by bin(TimeGenerated, 1d)\r\n//| project receivedBytes_d, sentBytes_d, TimeGenerated \r\n",
|
|
"size": 0,
|
|
"title": "Received and sent data, by time",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "timechart"
|
|
},
|
|
"customWidth": "70",
|
|
"name": "query - 5"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "AzureDiagnostics\r\n| where ResourceType == \"APPLICATIONGATEWAYS\"\r\n| where OperationName == \"ApplicationGatewayAccess\" \r\n| summarize number = count() by userAgent_s\r\n| top 10 by number desc nulls last \r\n",
|
|
"size": 0,
|
|
"title": "User agent use",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "piechart"
|
|
},
|
|
"customWidth": "30",
|
|
"name": "query - 6"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "AzureDiagnostics\r\n| where ResourceType == \"APPLICATIONGATEWAYS\"\r\n| where OperationName == \"ApplicationGatewayAccess\"\r\n| summarize number= count() by requestURI=requestUri_s, originalHost=originalHost_s, clientIP=clientIP_s\r\n| order by number desc",
|
|
"size": 0,
|
|
"title": "URL address use, by client IP address",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "number",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"min": 0,
|
|
"palette": "blue",
|
|
"showIcon": true
|
|
}
|
|
}
|
|
],
|
|
"filter": true
|
|
}
|
|
},
|
|
"customWidth": "30",
|
|
"name": "query - 7"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "AzureDiagnostics\r\n| where ResourceType == \"APPLICATIONGATEWAYS\"\r\n| where OperationName == \"ApplicationGatewayAccess\" \r\n| summarize Count = count() by httpMethod=httpMethod_s\r\n| sort by Count desc\r\n",
|
|
"size": 0,
|
|
"title": "HTTP Methods",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "table",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "Count",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "number",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"min": 0,
|
|
"palette": "purple",
|
|
"showIcon": true
|
|
}
|
|
}
|
|
],
|
|
"filter": true
|
|
}
|
|
},
|
|
"customWidth": "35",
|
|
"name": "query - 8"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "AzureDiagnostics\r\n| where ResourceType == \"APPLICATIONGATEWAYS\"\r\n| where OperationName == \"ApplicationGatewayAccess\"\r\n| summarize Count = count() by requestQuery=requestQuery_s\r\n| sort by Count desc",
|
|
"size": 0,
|
|
"title": "Request queries",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "table",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "Count",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "count_",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"min": 0,
|
|
"palette": "turquoise",
|
|
"showIcon": true
|
|
}
|
|
}
|
|
],
|
|
"filter": true
|
|
}
|
|
},
|
|
"customWidth": "35",
|
|
"name": "query - 9"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "AzureDiagnostics\r\n| where ResourceType == \"APPLICATIONGATEWAYS\"\r\n| where OperationName == \"ApplicationGatewayAccess\"\r\n| summarize sentBytes = sum(sentBytes_d), recBytes= sum(receivedBytes_d), Count = count() by originalHost=originalHost_s ,clientIP=clientIP_s, requestURI=requestUri_s, httpMethod=httpMethod_s, requestQuery=requestQuery_s, userAgent=userAgent_s, httpVersion=httpVersion_s, httpStatus=httpStatus_d,sslEnabled=sslEnabled_s, bin(TimeGenerated, 1d)\r\n| order by sentBytes, recBytes",
|
|
"size": 0,
|
|
"title": "Detailed activity",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "sentB",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"min": 0,
|
|
"palette": "coldHot",
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "recB",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"min": 0,
|
|
"palette": "coldHot",
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "sentb",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"min": 0,
|
|
"palette": "coldHot",
|
|
"showIcon": true
|
|
}
|
|
}
|
|
],
|
|
"rowLimit": 1000,
|
|
"filter": true
|
|
}
|
|
},
|
|
"name": "query - 10"
|
|
}
|
|
],
|
|
"fromTemplateId": "sentinel-WebApplicationFirewallGatewayAccessEvents",
|
|
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
|
|
}
|