{
"version": "Notebook/1.0",
"items": [
{
"type": 1,
"content": {
"json": "## Azure WAF Events\n\nShows Web Application Firewall events read from the `AzureDiagnostics` table for Application Gateway, Azure Front Door and Azure CDN WAF policies. The diagnostic settings on those resources must route their WAF logs to the selected Log Analytics workspace, otherwise the tiles below stay empty. Clicking a tile (action, request URI, rule, tracking ID, client IP) filters the tiles beneath it. Note that these selections come straight from logged request data and are substituted into the queries as plain text, so a logged value containing a single quote may break the dependent queries; use the Excel export on the tile for such values instead."
},
"name": "text - 10"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"crossComponentResources": [
"{Subscription}"
],
"parameters": [
{
"id": "afd56a69-16a5-436d-850e-16c24e839503",
"version": "KqlParameterItem/1.0",
"name": "DefaultSubscription_Internal",
"type": 1,
"isRequired": true,
"query": "where type =~ 'microsoft.operationalinsights/workspaces'\r\n| take 1\r\n| project subscriptionId",
"crossComponentResources": [
"value::all"
],
"isHiddenWhenLocked": true,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
},
{
"id": "e38cad87-ff16-40e6-9384-f6fd24fa9d6b",
"version": "KqlParameterItem/1.0",
"name": "Subscription",
"type": 6,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "summarize by subscriptionId\r\n| project value=strcat(\"/subscriptions/\", subscriptionId), label = subscriptionId, selected = iff(subscriptionId =~ '{DefaultSubscription_Internal}', true, false)",
"crossComponentResources": [
"value::all"
],
"value": [
"/subscriptions/6b1ceacd-5731-4780-8f96-2078dd96fd96"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
],
"showDefault": false
},
"timeContextFromParameter": "TimeRange",
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
},
{
"id": "a125fc08-be6d-4b8b-87e2-7e0cd957db47",
"version": "KqlParameterItem/1.0",
"name": "DefaultWorkspace_Internal",
"type": 1,
"isRequired": true,
"query": "where type =~ 'microsoft.operationalinsights/workspaces'\r\n|take 1\r\n|project id",
"crossComponentResources": [
"{Subscription}"
],
"isHiddenWhenLocked": true,
"timeContextFromParameter": "TimeRange",
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
},
{
"id": "65674a40-2869-4867-a24d-f86f05fd0354",
"version": "KqlParameterItem/1.0",
"name": "Workspaces",
"type": 5,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "where type =~ 'microsoft.operationalinsights/workspaces'\r\n| project id, selected = iff(id =~ '{DefaultWorkspace_Internal}', true, false)\r\n",
"crossComponentResources": [
"{Subscription}"
],
"value": [
"/subscriptions/6b1ceacd-5731-4780-8f96-2078dd96fd96/resourceGroups/SOC-NS/providers/Microsoft.OperationalInsights/workspaces/SOC-NS-Logs"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
],
"showDefault": false
},
"timeContextFromParameter": "TimeRange",
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
},
{
"id": "49e2f511-592f-4d7f-8fda-d686803f3dbf",
"version": "KqlParameterItem/1.0",
"name": "TimeRange",
"label": "Time Range",
"type": 4,
"isRequired": true,
"value": {
"durationMs": 86400000
},
"typeSettings": {
"selectableValues": [
{
"durationMs": 300000
},
{
"durationMs": 900000
},
{
"durationMs": 1800000
},
{
"durationMs": 3600000
},
{
"durationMs": 14400000
},
{
"durationMs": 43200000
},
{
"durationMs": 86400000
}
],
"allowCustom": true
}
},
{
"id": "604a42a0-deca-4a95-a15f-8977646a7fac",
"version": "KqlParameterItem/1.0",
"name": "WAFType",
"type": 5,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "let FakeData = (datatable (Message:string, ruleName_s:string, clientIp_s:string, clientIP_s:string, action_s:string, transactionId_s:string,trackingReference_s:string) [ \"\", \"\", \"\", \"\", \"\", \"\", \"\" ]);\r\nFakeData | union AzureDiagnostics\r\n| where ResourceType == \"APPLICATIONGATEWAYS\" or ResourceType == \"FRONTDOORS\" or ResourceType == \"CDNWEBAPPLICATIONFIREWALLPOLICIES\"\r\n| summarize Count=count() by ResourceType\r\n| extend ResourceTypeImproved = iif(ResourceType == \"APPLICATIONGATEWAYS\", \"Application Gateway\", ResourceType)\r\n| extend ResourceTypeImproved = iif(ResourceTypeImproved == \"FRONTDOORS\", \"Azure Front Door\", ResourceTypeImproved)\r\n| extend ResourceTypeImproved = iif(ResourceTypeImproved == \"CDNWEBAPPLICATIONFIREWALLPOLICIES\", \"Azure CDN\", ResourceTypeImproved)\r\n| order by Count desc, ResourceTypeImproved asc\r\n| project ResourceTypeImproved",
"crossComponentResources": [
"{Workspaces}"
],
"value": [
"value::all"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
]
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"label": "WAF Type"
},
{
"id": "d54c1639-d46c-4655-9d76-d5416926a453",
"version": "KqlParameterItem/1.0",
"name": "WAF",
"label": "WAF Items",
"type": 2,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "let FakeData = (datatable (Message:string, ruleName_s:string, clientIp_s:string, clientIP_s:string, action_s:string, transactionId_s:string,trackingReference_s:string) [ \"\", \"\", \"\", \"\", \"\", \"\", \"\" ]);\r\nFakeData | union AzureDiagnostics\r\n| where (ResourceType == \"APPLICATIONGATEWAYS\" or ResourceType == \"FRONTDOORS\" or ResourceType == \"CDNWEBAPPLICATIONFIREWALLPOLICIES\") and (\"{WAFType:label}\" == \"All\" or (ResourceType == \"APPLICATIONGATEWAYS\" and \"{WAFType:label}\" contains \"application gateway\") or (ResourceType == \"FRONTDOORS\" and \"{WAFType:label}\" contains \"azure front door\") or (ResourceType==\"CDNWEBAPPLICATIONFIREWALLPOLICIES\" and \"{WAFType:label}\" contains \"cdn\"))\r\n| summarize Count=count() by Resource\r\n| order by Count desc, Resource asc\r\n| project Value = Resource, Label = strcat(Resource, \" - \", Count)",
"crossComponentResources": [
"{Workspaces}"
],
"value": [
"value::all"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
]
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
}
],
"style": "pills",
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
},
"name": "parameters - 2"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let FakeData = (datatable (Message:string, ruleName_s:string, clientIp_s:string, clientIP_s:string, action_s:string, transactionId_s:string,trackingReference_s:string) [ \"\", \"\", \"\", \"\", \"\", \"\", \"\" ]);\r\nFakeData | union AzureDiagnostics\r\n| where (ResourceType == \"APPLICATIONGATEWAYS\" or ResourceType == \"FRONTDOORS\" or ResourceType == \"CDNWEBAPPLICATIONFIREWALLPOLICIES\") and (\"{WAFType:label}\" == \"All\" or (ResourceType == \"APPLICATIONGATEWAYS\" and \"{WAFType:label}\" contains \"application gateway\") or (ResourceType == \"FRONTDOORS\" and \"{WAFType:label}\" contains \"azure front door\") or (ResourceType==\"CDNWEBAPPLICATIONFIREWALLPOLICIES\" and \"{WAFType:label}\" contains \"cdn\")) and (\"{WAF:label}\" == \"All\" or Resource in ({WAF}))\r\n| where Category == \"FrontdoorWebApplicationFirewallLog\" or OperationName == \"ApplicationGatewayFirewall\" or Category == \"WebApplicationFirewallLogs\"\r\n| extend Rule = strcat(ruleName_s, Message), ClientIP = strcat(clientIp_s, clientIP_s)\r\n// Application Gateway has Matched, Blocked, Detected : translates to Matched, Block, Log\r\n// Azure Front Door has Matched, Block, Log : translates to Matched, Block, Log\r\n| extend Action = iif(action_s == \"Blocked\", Action = \"Block\", action_s)\r\n| extend Action = iif(Action == \"Detected\", Action = \"Log\", Action)\r\n| summarize number = count() by Action",
"size": 3,
"showAnalytics": true,
"title": "WAF actions; click a slice to filter the tiles below by action",
"timeContext": {
"durationMs": 86400000
},
"timeContextFromParameter": "TimeRange",
"exportFieldName": "series",
"exportParameterName": "SelectedAction",
"exportDefaultValue": "*",
"showExportToExcel": true,
"exportToExcelOptions": "all",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "27",
"name": "query - 11"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let FakeData = (datatable (Message:string, ruleName_s:string, clientIp_s:string, clientIP_s:string, action_s:string, transactionId_s:string,trackingReference_s:string) [ \"\", \"\", \"\", \"\", \"\", \"\", \"\" ]);\r\nFakeData | union AzureDiagnostics\r\n| where (ResourceType == \"APPLICATIONGATEWAYS\" or ResourceType == \"FRONTDOORS\" or ResourceType == \"CDNWEBAPPLICATIONFIREWALLPOLICIES\") and (\"{WAFType:label}\" == \"All\" or (ResourceType == \"APPLICATIONGATEWAYS\" and \"{WAFType:label}\" contains \"application gateway\") or (ResourceType == \"FRONTDOORS\" and \"{WAFType:label}\" contains \"azure front door\") or (ResourceType==\"CDNWEBAPPLICATIONFIREWALLPOLICIES\" and \"{WAFType:label}\" contains \"cdn\")) and (\"{WAF:label}\" == \"All\" or Resource in ({WAF}))\r\n| where Category == \"FrontdoorWebApplicationFirewallLog\" or OperationName == \"ApplicationGatewayFirewall\" or Category == \"WebApplicationFirewallLogs\"\r\n| extend Rule = strcat(ruleName_s, Message), ClientIP = strcat(clientIp_s, clientIP_s)\r\n| extend Action = iif(action_s == \"Blocked\", Action = \"Block\", action_s)\r\n| extend Action = iif(Action == \"Detected\", Action = \"Log\", Action)\r\n| where Action == \"Block\"\r\n| where requestUri_s <> \"/\"\r\n| summarize count() by requestUri_s \r\n| top 40 by count_ desc ",
"size": 3,
"showAnalytics": true,
"title": "Top 40 blocked request URIs; click one to filter the tiles below to that URI",
"noDataMessage": "The current data has no \"Blocked\" results",
"timeContext": {
"durationMs": 86400000
},
"timeContextFromParameter": "TimeRange",
"exportFieldName": "requestUri_s",
"exportParameterName": "RequestURI",
"exportDefaultValue": "*",
"showExportToExcel": true,
"exportToExcelOptions": "all",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"tileSettings": {
"titleContent": {
"columnMatch": "requestUri_s",
"formatter": 1,
"formatOptions": {
"showIcon": true
}
},
"leftContent": {
"columnMatch": "count_",
"formatter": 8,
"formatOptions": {
"palette": "auto",
"showIcon": true
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"useGrouping": false,
"maximumFractionDigits": 2,
"maximumSignificantDigits": 5
}
}
},
"showBorder": false
},
"graphSettings": {
"type": 0,
"topContent": {
"columnMatch": "requestUri_s",
"formatter": 1
},
"centerContent": {
"columnMatch": "count_",
"formatter": 1,
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
},
"mapSettings": {
"locInfo": "LatLong",
"sizeSettings": "count_",
"sizeAggregation": "Sum",
"legendMetric": "count_",
"legendAggregation": "Sum",
"itemColorSettings": {
"type": "heatmap",
"colorAggregation": "Sum",
"nodeColorField": "count_",
"heatmapPalette": "greenRed"
}
}
},
"customWidth": "63",
"name": "query - 9"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let FakeData = (datatable (Message:string, ruleName_s:string, clientIp_s:string, clientIP_s:string, action_s:string, transactionId_s:string,trackingReference_s:string) [ \"\", \"\", \"\", \"\", \"\", \"\", \"\" ]);\r\nFakeData | union AzureDiagnostics\r\n| where (ResourceType == \"APPLICATIONGATEWAYS\" or ResourceType == \"FRONTDOORS\" or ResourceType == \"CDNWEBAPPLICATIONFIREWALLPOLICIES\") and (\"{WAFType:label}\" == \"All\" or (ResourceType == \"APPLICATIONGATEWAYS\" and \"{WAFType:label}\" contains \"application gateway\") or (ResourceType == \"FRONTDOORS\" and \"{WAFType:label}\" contains \"azure front door\") or (ResourceType==\"CDNWEBAPPLICATIONFIREWALLPOLICIES\" and \"{WAFType:label}\" contains \"cdn\")) and (\"{WAF:label}\" == \"All\" or Resource in ({WAF}))\r\n| where Category == \"FrontdoorWebApplicationFirewallLog\" or OperationName == \"ApplicationGatewayFirewall\" or Category == \"WebApplicationFirewallLogs\"\r\n| extend Action = iif(action_s == \"Blocked\", Action = \"Block\", action_s)\r\n| extend Action = iif(Action == \"Detected\", Action = \"Log\", Action)\r\n| where '{SelectedAction}' == Action or '{SelectedAction}' == \"*\" \r\n| where '{RequestURI}' == requestUri_s or '{RequestURI}' == \"*\"\r\n| extend Rule = strcat(ruleName_s, Message), ClientIP = strcat(clientIp_s, clientIP_s)\r\n| extend Rule= iif(Rule contains \"Mandatory rule. Cannot be disabled.\", strcat_array(split(Rule, \"Mandatory rule. Cannot be disabled. Inbound \",1),\"\"), Rule) // Removes initial component for mandatory rule \r\n| extend Rule = iif(Rule contains \"Total Inbound Score\", strcat_array(array_concat(split(Rule, \" - SQLI=\", 0), parse_json('[\") -\"]'), split(Rule,\"):\",1)),\"\"),Rule) // Removes smaller information if more info is available for anomaly score\r\n| summarize count() by Rule\r\n| top 50 by count_ desc\r\n",
"size": 0,
"showAnalytics": true,
"title": "Top 50 triggered rules; click one to filter the tiles below by rule name",
"timeContext": {
"durationMs": 86400000
},
"timeContextFromParameter": "TimeRange",
"exportFieldName": "Rule",
"exportParameterName": "Selected",
"exportDefaultValue": "*",
"showExportToExcel": true,
"exportToExcelOptions": "all",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "count_",
"formatter": 3,
"formatOptions": {
"palette": "blue",
"showIcon": true
}
}
],
"sortBy": [
{
"itemKey": "$gen_bar_count__1",
"sortOrder": 2
}
],
"labelSettings": [
{
"columnId": "count_",
"label": ""
}
]
},
"sortBy": [
{
"itemKey": "$gen_bar_count__1",
"sortOrder": 2
}
]
},
"customWidth": "30",
"name": "query - 12"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let FakeData = (datatable (Message:string, ruleName_s:string, clientIp_s:string, clientIP_s:string, action_s:string, transactionId_s:string,trackingReference_s:string) [ \"\", \"\", \"\", \"\", \"\", \"\", \"\" ]);\r\nFakeData | union AzureDiagnostics\r\n| where (ResourceType == \"APPLICATIONGATEWAYS\" or ResourceType == \"FRONTDOORS\" or ResourceType == \"CDNWEBAPPLICATIONFIREWALLPOLICIES\") and (\"{WAFType:label}\" == \"All\" or (ResourceType == \"APPLICATIONGATEWAYS\" and \"{WAFType:label}\" contains \"application gateway\") or (ResourceType == \"FRONTDOORS\" and \"{WAFType:label}\" contains \"azure front door\") or (ResourceType==\"CDNWEBAPPLICATIONFIREWALLPOLICIES\" and \"{WAFType:label}\" contains \"cdn\")) and (\"{WAF:label}\" == \"All\" or Resource in ({WAF}))\r\n| where Category == \"FrontdoorWebApplicationFirewallLog\" or OperationName == \"ApplicationGatewayFirewall\" or Category == \"WebApplicationFirewallLogs\"\r\n| extend Action = iif(action_s == \"Blocked\", Action = \"Block\", action_s)\r\n| extend Action = iif(Action == \"Detected\", Action = \"Log\", Action)\r\n| where '{SelectedAction}' == Action or '{SelectedAction}' == \"*\" \r\n| where '{RequestURI}' == requestUri_s or '{RequestURI}' == \"*\"\r\n| extend Rule = strcat(ruleName_s, Message), ClientIP = strcat(clientIp_s, clientIP_s)\r\n| where '{Selected}' == Rule or '{Selected}' == \"*\"\r\n| summarize count() by Rule, bin(TimeGenerated, 1h)\r\n",
"size": 0,
"showAnalytics": true,
"title": "Messages by time (drag across the chart to brush the time range used by the details table below)",
"timeContext": {
"durationMs": 86400000
},
"timeContextFromParameter": "TimeRange",
"timeBrushParameterName": "timeBrushUpperSection",
"showExportToExcel": true,
"exportToExcelOptions": "all",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "barchart",
"tileSettings": {
"showBorder": false,
"titleContent": {
"columnMatch": "Message",
"formatter": 1
},
"leftContent": {
"columnMatch": "count_",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
}
},
"customWidth": "70",
"name": "query - 13"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let FakeData = (datatable (Message:string,ruleName_s:string,clientIp_s:string,clientIP_s:string,action_s:string,transactionId_s:string,site_s:string,details_message_sRole:string,details_file_sRole:string,hostname_sRole:string,Role:string,trackingReference_s:string,requestUri_s:string,ruleSetType_s:string,details_message_s:string,details_data_s:string,details_file_s:string,hostname_s:string,instanceId_s:string) [ \"\", \"\", \"\", \"\", \"\", \"\", \"\",\"\", \"\", \"\", \"\", \"\",\"\",\"\",\"\",\"\",\"\",\"\",\"\" ]);\r\nFakeData | union AzureDiagnostics\r\n| where (ResourceType == \"APPLICATIONGATEWAYS\" or ResourceType == \"FRONTDOORS\" or ResourceType == \"CDNWEBAPPLICATIONFIREWALLPOLICIES\") and (\"{WAFType:label}\" == \"All\" or (ResourceType == \"APPLICATIONGATEWAYS\" and \"{WAFType:label}\" contains \"application gateway\") or (ResourceType == \"FRONTDOORS\" and \"{WAFType:label}\" contains \"azure front door\") or (ResourceType==\"CDNWEBAPPLICATIONFIREWALLPOLICIES\" and \"{WAFType:label}\" contains \"cdn\")) and (\"{WAF:label}\" == \"All\" or Resource in ({WAF}))\r\n| where Category == \"FrontdoorWebApplicationFirewallLog\" or OperationName == \"ApplicationGatewayFirewall\" or Category == \"WebApplicationFirewallLogs\"\r\n| extend Rule = strcat(ruleName_s, Message), ClientIP = strcat(clientIp_s, clientIP_s)\r\n| extend Action = iif(action_s == \"Blocked\", Action = \"Block\", action_s)\r\n| extend Action = iif(Action == \"Detected\", Action = \"Log\", Action)\r\n| where '{SelectedAction}' == Action or '{SelectedAction}' == \"*\" \r\n| where '{RequestURI}' == requestUri_s or '{RequestURI}' == \"*\"\r\n| where '{Selected}' == Rule or '{Selected}' == \"*\" \r\n| extend Role = extract(\"ApplicationGateway([a-zA-Z_a-zA-Z_0-9]*)\",1,instanceId_s) \r\n| extend RequestUri = requestUri_s, RuleSetType = ruleSetType_s, Message_Details = details_message_s, Data_Details = details_data_s, File_Details = details_file_s, Hostname = hostname_s, Site = site_s\r\n| 
project Rule, TimeGenerated, SourceSystem, Hostname, ResourceId, ResourceGroup, ResourceProvider, Category, Role, Action, Site, Message_Details, File_Details, ClientIP, RequestUri\r\n| sort by TimeGenerated",
"size": 0,
"showAnalytics": true,
"title": "Messages, full details (time range follows the brush on the chart above)",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "timeBrushUpperSection",
"showExportToExcel": true,
"exportToExcelOptions": "all",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table",
"gridSettings": {
"filter": true
},
"sortBy": []
},
"name": "query - 11"
},
{
"type": 1,
"content": {
"json": "---"
},
"name": "text - 12"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let FakeData = (datatable (Message:string, ruleName_s:string, clientIp_s:string, clientIP_s:string, action_s:string, transactionId_s:string,trackingReference_s:string) [ \"\", \"\", \"\", \"\", \"\", \"\", \"\" ]);\r\nFakeData | union AzureDiagnostics\r\n| where (ResourceType == \"APPLICATIONGATEWAYS\" or ResourceType == \"FRONTDOORS\" or ResourceType == \"CDNWEBAPPLICATIONFIREWALLPOLICIES\") and (\"{WAFType:label}\" == \"All\" or (ResourceType == \"APPLICATIONGATEWAYS\" and \"{WAFType:label}\" contains \"application gateway\") or (ResourceType == \"FRONTDOORS\" and \"{WAFType:label}\" contains \"azure front door\") or (ResourceType==\"CDNWEBAPPLICATIONFIREWALLPOLICIES\" and \"{WAFType:label}\" contains \"cdn\")) and (\"{WAF:label}\" == \"All\" or Resource in ({WAF}))\r\n| where Category == \"FrontdoorWebApplicationFirewallLog\" or (OperationName == \"ApplicationGatewayFirewall\" and Message contains \"attack\") or Category == \"WebApplicationFirewallLogs\"\r\n| where '{RequestURI}' == requestUri_s or '{RequestURI}' == \"*\"\r\n| extend Rule = strcat(ruleName_s, Message), ClientIP = strcat(clientIp_s, clientIP_s)\r\n| extend Action = iif(action_s == \"Blocked\", Action = \"Block\", action_s)\r\n| extend Action = iif(Action == \"Detected\", Action = \"Log\", Action)\r\n| where '{SelectedAction}' == Action or '{SelectedAction}' == \"*\" \r\n| where '{Selected}' == Rule or '{Selected}' == \"*\" \r\n| summarize Amount = count() by Rule\r\n| order by Amount desc\r\n\r\n",
"size": 0,
"title": "Attack events, by message; click a row to filter the tiles below by rule name",
"noDataMessage": "None of the currently filtered messages are attack events",
"timeContext": {
"durationMs": 86400000
},
"timeContextFromParameter": "TimeRange",
"exportFieldName": "",
"exportParameterName": "MessageFilter",
"exportDefaultValue": "{\"Rule\":\"*\"}",
"showExportToExcel": true,
"exportToExcelOptions": "all",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "Amount",
"formatter": 8,
"formatOptions": {
"palette": "blueDark",
"showIcon": true,
"aggregation": "Sum"
}
}
],
"filter": true
},
"sortBy": []
},
"customWidth": "20",
"name": "query - 16"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let SelectedMS = dynamic({MessageFilter}); // reference to the above list of messages (Event trigger)\r\nlet Child = SelectedMS.Rule; // Used to choose a group of messages - redirects to the message which was grouped\r\nlet FakeData = (datatable (Message:string, ruleName_s:string, clientIp_s:string, clientIP_s:string, action_s:string, transactionId_s:string,trackingReference_s:string) [ \"\", \"\", \"\", \"\", \"\", \"\", \"\" ]);\r\nFakeData | union AzureDiagnostics\r\n| where '{RequestURI}' == requestUri_s or '{RequestURI}' == \"*\"\r\n| where (ResourceType == \"APPLICATIONGATEWAYS\" or ResourceType == \"FRONTDOORS\" or ResourceType == \"CDNWEBAPPLICATIONFIREWALLPOLICIES\") and (\"{WAFType:label}\" == \"All\" or (ResourceType == \"APPLICATIONGATEWAYS\" and \"{WAFType:label}\" contains \"application gateway\") or (ResourceType == \"FRONTDOORS\" and \"{WAFType:label}\" contains \"azure front door\") or (ResourceType==\"CDNWEBAPPLICATIONFIREWALLPOLICIES\" and \"{WAFType:label}\" contains \"cdn\")) and (\"{WAF:label}\" == \"All\" or Resource in ({WAF}))\r\n| where Category == \"FrontdoorWebApplicationFirewallLog\" or (OperationName == \"ApplicationGatewayFirewall\" and Message contains \"attack\") or Category == \"WebApplicationFirewallLogs\" \r\n| extend Action = iif(action_s == \"Blocked\", Action = \"Block\", action_s)\r\n| extend Action = iif(Action == \"Detected\", Action = \"Log\", Action)\r\n| where '{SelectedAction}' == Action or '{SelectedAction}' == \"*\" \r\n| extend Rule = strcat(ruleName_s, Message), ClientIP = strcat(clientIp_s, clientIP_s)\r\n| where Rule == Child or Child == \"*\"\r\n| where '{Selected}' == Rule or '{Selected}' == \"*\"\r\n| summarize Amount = count() by Rule, bin(TimeGenerated, 1h), ResourceId\r\n| project Amount, Rule, TimeGenerated, ResourceId\r\n| order by Amount desc",
"size": 0,
"showAnalytics": true,
"title": "Attack events by time (drag across the chart to brush the time range used by the tiles below)",
"noDataMessage": "None of the currently filtered messages are attack events",
"timeContext": {
"durationMs": 86400000
},
"timeContextFromParameter": "TimeRange",
"timeBrushParameterName": "timeBrushLowerSection",
"exportParameterName": "Message",
"exportDefaultValue": "{ \"Name\":\"\", \"Type\":\"*\"}",
"showExportToExcel": true,
"exportToExcelOptions": "all",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "areachart"
},
"customWidth": "80",
"name": "query - 14"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let SelectedMS = dynamic({MessageFilter}); // reference to the above list of messages (Event trigger)\r\nlet Child = SelectedMS.Rule; // Used to choose a group of messages - redirects to the message which was grouped\r\nlet FakeData = (datatable (Message:string, ruleName_s:string, clientIp_s:string, clientIP_s:string, action_s:string, transactionId_s:string,trackingReference_s:string) [ \"\", \"\", \"\", \"\", \"\", \"\", \"\" ]);\r\nFakeData | union AzureDiagnostics\r\n| where (ResourceType == \"APPLICATIONGATEWAYS\" or ResourceType == \"FRONTDOORS\" or ResourceType == \"CDNWEBAPPLICATIONFIREWALLPOLICIES\") and (\"{WAFType:label}\" == \"All\" or (ResourceType == \"APPLICATIONGATEWAYS\" and \"{WAFType:label}\" contains \"application gateway\") or (ResourceType == \"FRONTDOORS\" and \"{WAFType:label}\" contains \"azure front door\") or (ResourceType==\"CDNWEBAPPLICATIONFIREWALLPOLICIES\" and \"{WAFType:label}\" contains \"cdn\")) and (\"{WAF:label}\" == \"All\" or Resource in ({WAF}))\r\n| where Category == \"FrontdoorWebApplicationFirewallLog\" or (OperationName == \"ApplicationGatewayFirewall\" and Message contains \"attack\") or Category == \"WebApplicationFirewallLogs\"\r\n| where '{RequestURI}' == requestUri_s or '{RequestURI}' == \"*\"\r\n| extend Rule = strcat(ruleName_s, Message), ClientIP = strcat(clientIp_s, clientIP_s)\r\n| extend Action = iif(action_s == \"Blocked\", Action = \"Block\", action_s)\r\n| extend Action = iif(Action == \"Detected\", Action = \"Log\", Action)\r\n| extend TrackingID = strcat(transactionId_s, trackingReference_s)\r\n| where '{SelectedAction}' == Action or '{SelectedAction}' == \"*\" \r\n| where '{Selected}' == Rule or '{Selected}' == \"*\"\r\n| where Rule == Child or Child == \"*\" \r\n| summarize count() by TrackingID\r\n| top 50 by count_ desc\r\n",
"size": 0,
"showAnalytics": true,
"title": "Tracking ID filter; click one to filter to a single transaction or tracking reference",
"noDataMessage": "No rows match the current filters, or this data is not being ingested into the workspace.",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "timeBrushLowerSection",
"exportFieldName": "TrackingID",
"exportParameterName": "SelectedTrackingID",
"exportDefaultValue": "*",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"rowLimit": 500,
"filter": true,
"sortBy": [
{
"itemKey": "TrackingID",
"sortOrder": 2
}
]
},
"sortBy": [
{
"itemKey": "TrackingID",
"sortOrder": 2
}
]
},
"customWidth": "20",
"name": "query - 12"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let SelectedMS = dynamic({MessageFilter}); // reference to the above list of messages (Event trigger)\r\nlet Child = SelectedMS.Rule; // Used to choose a group of messages - redirects to the message which was grouped\r\nlet FakeData = (datatable (Message:string,ruleName_s:string,clientIp_s:string,clientIP_s:string,action_s:string,transactionId_s:string,site_s:string,details_message_sRole:string,details_file_sRole:string,hostname_sRole:string,Role:string,trackingReference_s:string,ruleGroup_s:string,instanceId_s:string,ruleSetType_s:string,details_message_s:string,details_data_s:string,details_file_s:string,hostname_s:string) [ \"\", \"\", \"\", \"\", \"\", \"\", \"\", \"\", \"\",\"\", \"\", \"\", \"\", \"\",\"\",\"\",\"\",\"\",\"\" ]);\r\nFakeData | union AzureDiagnostics\r\n| where (ResourceType == \"APPLICATIONGATEWAYS\" or ResourceType == \"FRONTDOORS\" or ResourceType == \"CDNWEBAPPLICATIONFIREWALLPOLICIES\") and (\"{WAFType:label}\" == \"All\" or (ResourceType == \"APPLICATIONGATEWAYS\" and \"{WAFType:label}\" contains \"application gateway\") or (ResourceType == \"FRONTDOORS\" and \"{WAFType:label}\" contains \"azure front door\") or (ResourceType==\"CDNWEBAPPLICATIONFIREWALLPOLICIES\" and \"{WAFType:label}\" contains \"cdn\")) and (\"{WAF:label}\" == \"All\" or Resource in ({WAF}))\r\n| where Category == \"FrontdoorWebApplicationFirewallLog\" or (OperationName == \"ApplicationGatewayFirewall\" and Message contains \"attack\") or Category == \"WebApplicationFirewallLogs\"\r\n| where '{RequestURI}' == requestUri_s or '{RequestURI}' == \"*\"\r\n| extend Rule = strcat(ruleName_s, Message), ClientIP = strcat(clientIp_s, clientIP_s)\r\n| extend Action = iif(action_s == \"Blocked\", Action = \"Block\", action_s)\r\n| extend Action = iif(Action == \"Detected\", Action = \"Log\", Action)\r\n| extend TrackingID = strcat(transactionId_s, trackingReference_s)\r\n| where '{SelectedTrackingID}' == TrackingID or '{SelectedTrackingID}' == \"*\" \r\n| where 
'{SelectedAction}' == Action or '{SelectedAction}' == \"*\" \r\n| where '{Selected}' == Rule or '{Selected}' == \"*\"\r\n| where Rule == Child or Child == \"*\"\r\n| extend RuleGroup = ruleGroup_s, InstandUri = instanceId_s, RequestUri = requestUri_s, RuleSetType = ruleSetType_s, Message_Details = details_message_s, Data_Details = details_data_s, File_Details = details_file_s, Hostname = hostname_s\r\n| project TrackingID, TimeGenerated, Rule, ClientIP, RuleGroup, InstandUri, RequestUri, RuleSetType, Action, Message_Details, File_Details, Data_Details, Hostname, Category",
"size": 0,
"showAnalytics": true,
"title": "Messages for the selected tracking ID",
"noDataMessage": "No rows match the current filters, or this data is not being ingested into the workspace.",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "timeBrushLowerSection",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"rowLimit": 50
}
},
"customWidth": "80",
"name": "query - 13"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let SelectedMS = dynamic({MessageFilter}); // reference to the above list of messages (Event trigger)\r\nlet Child = SelectedMS.Rule; // Used to choose a group of messages - redirects to the message which was grouped\r\nlet FakeData = (datatable (Message:string, ruleName_s:string, clientIp_s:string, clientIP_s:string, action_s:string, transactionId_s:string,trackingReference_s:string) [ \"\", \"\", \"\", \"\", \"\", \"\", \"\" ]);\r\nFakeData | union AzureDiagnostics\r\n| where '{RequestURI}' == requestUri_s or '{RequestURI}' == \"*\"\r\n| where (ResourceType == \"APPLICATIONGATEWAYS\" or ResourceType == \"FRONTDOORS\" or ResourceType == \"CDNWEBAPPLICATIONFIREWALLPOLICIES\") and (\"{WAFType:label}\" == \"All\" or (ResourceType == \"APPLICATIONGATEWAYS\" and \"{WAFType:label}\" contains \"application gateway\") or (ResourceType == \"FRONTDOORS\" and \"{WAFType:label}\" contains \"azure front door\") or (ResourceType==\"CDNWEBAPPLICATIONFIREWALLPOLICIES\" and \"{WAFType:label}\" contains \"cdn\")) and (\"{WAF:label}\" == \"All\" or Resource in ({WAF}))\r\n| where Category == \"FrontdoorWebApplicationFirewallLog\" or (OperationName == \"ApplicationGatewayFirewall\" and Message contains \"attack\") or Category == \"WebApplicationFirewallLogs\"\r\n| extend Rule = strcat(ruleName_s, Message), ClientIP = strcat(clientIp_s, clientIP_s)\r\n| extend Action = iif(action_s == \"Blocked\", Action = \"Block\", action_s)\r\n| extend Action = iif(Action == \"Detected\", Action = \"Log\", Action)\r\n| extend TrackingID = strcat(transactionId_s, trackingReference_s)\r\n| where '{SelectedTrackingID}' == TrackingID or '{SelectedTrackingID}' == \"*\" \r\n| where Rule == Child or Child == \"*\"\r\n| where '{SelectedAction}' == Action or '{SelectedAction}' == \"*\"\r\n| where '{Selected}' == Rule or '{Selected}' == \"*\"\r\n| summarize count() by ClientIP\r\n| top 10 by count_ desc",
"size": 0,
"showAnalytics": true,
"title": "Top 10 client IPs by attack events; click one to filter the table to a single IP",
"noDataMessage": "None of the currently filtered messages are attack events",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "timeBrushLowerSection",
"exportFieldName": "x",
"exportParameterName": "ClientIP",
"exportDefaultValue": "*",
"showExportToExcel": true,
"exportToExcelOptions": "all",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "barchart",
"tileSettings": {
"showBorder": false,
"titleContent": {
"columnMatch": "ClientIP",
"formatter": 1
},
"leftContent": {
"columnMatch": "count_",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
},
"graphSettings": {
"type": 0,
"topContent": {
"columnMatch": "ClientIP",
"formatter": 1
},
"centerContent": {
"columnMatch": "count_",
"formatter": 1,
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
},
"chartSettings": {
"showLegend": true
},
"mapSettings": {
"locInfo": "LatLong",
"sizeSettings": "count_",
"sizeAggregation": "Sum",
"legendMetric": "count_",
"legendAggregation": "Sum",
"itemColorSettings": {
"type": "heatmap",
"colorAggregation": "Sum",
"nodeColorField": "count_",
"heatmapPalette": "greenRed"
}
}
},
"customWidth": "25",
"name": "query - 12"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let SelectedMS = dynamic({MessageFilter}); // reference to the above list of messages (Event trigger)\r\nlet Child = SelectedMS.Rule; // Used to choose a group of messages - redirects to the message which was grouped\r\nlet FakeData = (datatable (Message:string,ruleName_s:string,clientIp_s:string,clientIP_s:string,action_s:string,transactionId_s:string,site_s:string,details_message_sRole:string,details_file_sRole:string,hostname_sRole:string,Role:string,trackingReference_s:string,ruleGroup_s:string,instanceId_s:string,ruleSetType_s:string,details_message_s:string,details_data_s:string,details_file_s:string,hostname_s:string,requestUri_s:string) [ \"\", \"\", \"\", \"\", \"\", \"\", \"\", \"\", \"\",\"\", \"\", \"\", \"\", \"\",\"\",\"\",\"\",\"\",\"\",\"\" ]);\r\nFakeData | union AzureDiagnostics\r\n| where (ResourceType == \"APPLICATIONGATEWAYS\" or ResourceType == \"FRONTDOORS\" or ResourceType == \"CDNWEBAPPLICATIONFIREWALLPOLICIES\") and (\"{WAFType:label}\" == \"All\" or (ResourceType == \"APPLICATIONGATEWAYS\" and \"{WAFType:label}\" contains \"application gateway\") or (ResourceType == \"FRONTDOORS\" and \"{WAFType:label}\" contains \"azure front door\") or (ResourceType==\"CDNWEBAPPLICATIONFIREWALLPOLICIES\" and \"{WAFType:label}\" contains \"cdn\")) and (\"{WAF:label}\" == \"All\" or Resource in ({WAF}))\r\n| where Category == \"FrontdoorWebApplicationFirewallLog\" or (OperationName == \"ApplicationGatewayFirewall\" and Message contains \"attack\") or Category == \"WebApplicationFirewallLogs\"\r\n| where '{RequestURI}' == requestUri_s or '{RequestURI}' == \"*\"\r\n| extend Rule = strcat(ruleName_s, Message), ClientIP = strcat(clientIp_s, clientIP_s)\r\n| where Rule == Child or Child == \"*\"\r\n| extend Action = iif(action_s == \"Blocked\", Action = \"Block\", action_s)\r\n| extend Action = iif(Action == \"Detected\", Action = \"Log\", Action)\r\n| extend TrackingID = strcat(transactionId_s, trackingReference_s)\r\n| where '{SelectedTrackingID}' 
== TrackingID or '{SelectedTrackingID}' == \"*\" \r\n| where '{SelectedAction}' == Action or '{SelectedAction}' == \"*\" \r\n| where '{Selected}' == Rule or '{Selected}' == \"*\"\r\n| where ('{ClientIP}' == ClientIP or '{ClientIP}' == \"*\")\r\n| extend RuleGroup = ruleGroup_s, InstandUri = instanceId_s, RequestUri = requestUri_s, RuleSetType = ruleSetType_s, Message_Details = details_message_s, Data_Details = details_data_s, File_Details = details_file_s, Hostname = hostname_s\r\n| project TimeGenerated, Rule, ClientIP, RuleGroup, InstandUri, RequestUri, RuleSetType, Action, Message_Details, File_Details, Data_Details, Hostname, Category",
"size": 0,
"title": "Attack messages for the selected client IP",
"noDataMessage": "None of the currently filtered messages are attack events",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "timeBrushLowerSection",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table",
"gridSettings": {
"filter": true
}
},
"customWidth": "75",
"showPin": true,
"name": "query - 13"
}
],
"fromTemplateId": "sentinel-WebApplicationFirewallWAFTypeEvents",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}