Azure-Sentinel/Workbooks/WebApplicationFirewallGatew...

366 строки
12 KiB
JSON

{
"version": "Notebook/1.0",
"items": [
{
"type": 1,
"content": {
"json": "## Application gateway access events\n"
},
"customWidth": "100",
"name": "text - 2"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "b3ac8870-500d-4dd8-a570-f49a2c2f1a76",
"version": "KqlParameterItem/1.0",
"name": "TimeRange",
"type": 4,
"isRequired": true,
"value": {
"durationMs": 86400000
},
"typeSettings": {
"selectableValues": [
{
"durationMs": 300000
},
{
"durationMs": 900000
},
{
"durationMs": 1800000
},
{
"durationMs": 3600000
},
{
"durationMs": 14400000
},
{
"durationMs": 43200000
},
{
"durationMs": 86400000
},
{
"durationMs": 172800000
},
{
"durationMs": 259200000
},
{
"durationMs": 604800000
},
{
"durationMs": 1209600000
},
{
"durationMs": 2419200000
},
{
"durationMs": 2592000000
},
{
"durationMs": 5184000000
},
{
"durationMs": 7776000000
}
],
"allowCustom": true
}
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"customWidth": "50",
"name": "parameters - 2"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let ActivityData = AzureDiagnostics\r\n| where ResourceType == \"APPLICATIONGATEWAYS\"\r\n| where OperationName == \"ApplicationGatewayAccess\";\r\nActivityData\r\n| summarize Count = count() by clientIP_s\r\n| join kind = inner (ActivityData\r\n | make-series Trend = count() default = 0 on bin(TimeGenerated, 1d) from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by clientIP_s)\r\n on clientIP_s\r\n | project-away clientIP_s1, TimeGenerated\r\n| extend clientIP = clientIP_s\r\n| union (\r\n ActivityData\r\n | summarize Count = count() \r\n | extend jkey = 1\r\n | join kind=inner (ActivityData\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\r\n | extend jkey = 1) on jkey\r\n | extend clientIP_s = 'All Clients', clientIP_ = '*' \r\n)\r\n| order by Count desc\r\n| take 10",
"size": 4,
"title": "Top 10 IP's by activity",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"tileSettings": {
"titleContent": {
"columnMatch": "clientIp_s",
"formatter": 1
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"useGrouping": false,
"maximumFractionDigits": 2,
"maximumSignificantDigits": 3
}
}
},
"rightContent": {
"columnMatch": "clientIP_s"
},
"secondaryContent": {
"columnMatch": "Trend",
"formatter": 9
},
"showBorder": false
}
},
"name": "query - 2"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "AzureDiagnostics\r\n| where ResourceType == \"APPLICATIONGATEWAYS\"\r\n| where OperationName == \"ApplicationGatewayAccess\"\r\n| summarize Count= count() by clientIP_s, bin(TimeGenerated, 1d)\r\n",
"size": 0,
"title": "Activity, by cIient IP address",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "timechart"
},
"customWidth": "70",
"name": "query - 3"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "AzureDiagnostics\r\n| where ResourceType == \"APPLICATIONGATEWAYS\"\r\n| where OperationName == \"ApplicationGatewayAccess\"\r\n| summarize count() by clientIP_s, TimeGenerated\r\n",
"size": 0,
"title": "SSL use",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "30",
"name": "query - 4"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "AzureDiagnostics\r\n| where ResourceType == \"APPLICATIONGATEWAYS\"\r\n| where OperationName == \"ApplicationGatewayAccess\" \r\n| summarize receivedBytes = sum(receivedBytes_d)/1048576, sentBytes = sum(sentBytes_d)/1048576 by bin(TimeGenerated, 1d)\r\n//| project receivedBytes_d, sentBytes_d, TimeGenerated \r\n",
"size": 0,
"title": "Received and sent data, by time",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "timechart"
},
"customWidth": "70",
"name": "query - 5"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "AzureDiagnostics\r\n| where ResourceType == \"APPLICATIONGATEWAYS\"\r\n| where OperationName == \"ApplicationGatewayAccess\" \r\n| summarize number = count() by userAgent_s\r\n| top 10 by number desc nulls last \r\n",
"size": 0,
"title": "User agent use",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "30",
"name": "query - 6"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "AzureDiagnostics\r\n| where ResourceType == \"APPLICATIONGATEWAYS\"\r\n| where OperationName == \"ApplicationGatewayAccess\"\r\n| summarize number= count() by requestURI=requestUri_s, originalHost=originalHost_s, clientIP=clientIP_s\r\n| order by number desc",
"size": 0,
"title": "URL address use, by client IP address",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "number",
"formatter": 4,
"formatOptions": {
"min": 0,
"palette": "blue",
"showIcon": true
}
}
],
"filter": true
}
},
"customWidth": "30",
"name": "query - 7"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "AzureDiagnostics\r\n| where ResourceType == \"APPLICATIONGATEWAYS\"\r\n| where OperationName == \"ApplicationGatewayAccess\" \r\n| summarize Count = count() by httpMethod=httpMethod_s\r\n| sort by Count desc\r\n",
"size": 0,
"title": "HTTP Methods",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "Count",
"formatter": 4,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "number",
"formatter": 4,
"formatOptions": {
"min": 0,
"palette": "purple",
"showIcon": true
}
}
],
"filter": true
}
},
"customWidth": "35",
"name": "query - 8"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "AzureDiagnostics\r\n| where ResourceType == \"APPLICATIONGATEWAYS\"\r\n| where OperationName == \"ApplicationGatewayAccess\"\r\n| summarize Count = count() by requestQuery=requestQuery_s\r\n| sort by Count desc",
"size": 0,
"title": "Request queries",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "Count",
"formatter": 4,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "count_",
"formatter": 4,
"formatOptions": {
"min": 0,
"palette": "turquoise",
"showIcon": true
}
}
],
"filter": true
}
},
"customWidth": "35",
"name": "query - 9"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "AzureDiagnostics\r\n| where ResourceType == \"APPLICATIONGATEWAYS\"\r\n| where OperationName == \"ApplicationGatewayAccess\"\r\n| summarize sentBytes = sum(sentBytes_d), recBytes= sum(receivedBytes_d), Count = count() by originalHost=originalHost_s ,clientIP=clientIP_s, requestURI=requestUri_s, httpMethod=httpMethod_s, requestQuery=requestQuery_s, userAgent=userAgent_s, httpVersion=httpVersion_s, httpStatus=httpStatus_d,sslEnabled=sslEnabled_s, bin(TimeGenerated, 1d)\r\n| order by sentBytes, recBytes",
"size": 0,
"title": "Detailed activity",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "sentB",
"formatter": 4,
"formatOptions": {
"min": 0,
"palette": "coldHot",
"showIcon": true
}
},
{
"columnMatch": "recB",
"formatter": 4,
"formatOptions": {
"min": 0,
"palette": "coldHot",
"showIcon": true
}
},
{
"columnMatch": "sentb",
"formatter": 4,
"formatOptions": {
"min": 0,
"palette": "coldHot",
"showIcon": true
}
}
],
"rowLimit": 1000,
"filter": true
}
},
"name": "query - 10"
}
],
"fromTemplateId": "sentinel-WebApplicationFirewallGatewayAccessEvents",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}