435 строки
17 KiB
JSON
435 строки
17 KiB
JSON
{
|
|
"version": "Notebook/1.0",
|
|
"items": [
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "## AWS network activities"
|
|
},
|
|
"name": "text - 0"
|
|
},
|
|
{
|
|
"type": 9,
|
|
"content": {
|
|
"version": "KqlParameterItem/1.0",
|
|
"query": "",
|
|
"crossComponentResources": [],
|
|
"parameters": [
|
|
{
|
|
"id": "b9e68383-3369-42fc-b7e7-506fd187832d",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "TimeRange",
|
|
"type": 4,
|
|
"isRequired": true,
|
|
"value": {
|
|
"durationMs": 1209600000
|
|
},
|
|
"typeSettings": {
|
|
"selectableValues": [
|
|
{
|
|
"durationMs": 300000
|
|
},
|
|
{
|
|
"durationMs": 900000
|
|
},
|
|
{
|
|
"durationMs": 1800000
|
|
},
|
|
{
|
|
"durationMs": 3600000
|
|
},
|
|
{
|
|
"durationMs": 14400000
|
|
},
|
|
{
|
|
"durationMs": 43200000
|
|
},
|
|
{
|
|
"durationMs": 86400000
|
|
},
|
|
{
|
|
"durationMs": 172800000
|
|
},
|
|
{
|
|
"durationMs": 259200000
|
|
},
|
|
{
|
|
"durationMs": 604800000
|
|
},
|
|
{
|
|
"durationMs": 1209600000
|
|
},
|
|
{
|
|
"durationMs": 2419200000
|
|
},
|
|
{
|
|
"durationMs": 2592000000
|
|
},
|
|
{
|
|
"durationMs": 5184000000
|
|
},
|
|
{
|
|
"durationMs": 7776000000
|
|
}
|
|
],
|
|
"allowCustom": true
|
|
}
|
|
}
|
|
],
|
|
"style": "pills",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
"name": "parameters - 1"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "let data = AWSCloudTrail;\r\ndata\r\n| summarize Count = count() by AWSRegion\r\n| join kind = fullouter (datatable(AWSRegion:string)['OneDrive', 'SharePoint']) on AWSRegion\r\n| project AWSRegion = iff(AWSRegion == '', AWSRegion1, AWSRegion), Count = iff(AWSRegion == '', 0, Count)\r\n| join kind = inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by AWSRegion)\r\n on AWSRegion\r\n| project-away AWSRegion1, TimeGenerated\r\n| extend AWSRegion = AWSRegion\r\n| union (\r\n data \r\n | summarize Count = count() \r\n | extend jkey = 1\r\n | join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\r\n | extend jkey = 1) on jkey\r\n | extend AWSRegion = 'All', AWSRegions = '*' \r\n)\r\n| order by Count desc\r\n| take 10\r\n",
|
|
"size": 4,
|
|
"exportFieldName": "AWSRegion",
|
|
"exportParameterName": "AWSRegion",
|
|
"exportDefaultValue": "All",
|
|
"exportToExcelOptions": "visible",
|
|
"title": "Top 10 active regions - click to filter",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "tiles",
|
|
"tileSettings": {
|
|
"titleContent": {
|
|
"columnMatch": "AWSRegion",
|
|
"formatter": 1,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
"leftContent": {
|
|
"columnMatch": "Count",
|
|
"formatter": 12,
|
|
"formatOptions": {
|
|
"palette": "auto",
|
|
"showIcon": true
|
|
},
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
},
|
|
"secondaryContent": {
|
|
"columnMatch": "Trend",
|
|
"formatter": 9,
|
|
"formatOptions": {
|
|
"min": 0,
|
|
"palette": "blue",
|
|
"showIcon": true
|
|
}
|
|
},
|
|
"showBorder": false
|
|
}
|
|
},
|
|
"name": "query - 2"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "AWSCloudTrail\r\n//| where EventSource == \"ec2.amazonaws.com\" and (EventName startswith \"create\" or EventName startswith \"replace\" or EventName startswith \"delete\" or EventName startswith \"authorize\" or EventName startswith \"revoke\") and (EventName !contains \"Volume\" and EventName !contains \"KeyPair\" and EventName !contains \"Tags\" and EventName !contains \"Image\" and EventName !contains \"LaunchTemplate\")\r\n| where AWSRegion == '{AWSRegion}' or '{AWSRegion}' == \"All\"\r\n| summarize count() by AWSRegion, bin(TimeGenerated, {TimeRange:grain})",
|
|
"size": 0,
|
|
"exportToExcelOptions": "visible",
|
|
"title": "Network events, by region",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "barchart"
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 3"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "AWSCloudTrail\r\n//| where EventSource == \"ec2.amazonaws.com\" and (EventName startswith \"create\" or EventName startswith \"replace\" or EventName startswith \"delete\" or EventName startswith \"authorize\" or EventName startswith \"revoke\") and (EventName !contains \"Volume\" and EventName !contains \"KeyPair\" and EventName !contains \"Tags\" and EventName !contains \"Image\" and EventName !contains \"LaunchTemplate\")\r\n| where AWSRegion == '{AWSRegion}' or '{AWSRegion}' == \"All\"\r\n| summarize count() by EventName, bin(TimeGenerated, {TimeRange:grain})",
|
|
"size": 0,
|
|
"exportToExcelOptions": "visible",
|
|
"title": "Network event types",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "areachart"
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 4"
|
|
},
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "---\r\n### Security group and network ACL change events"
|
|
},
|
|
"name": "text - 6"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "AWSCloudTrail\r\n| where EventSource == \"ec2.amazonaws.com\" and (EventName == \"AuthorizeSecurityGroupEgress\" or EventName == \"AuthorizeSecurityGroupIngress\" or EventName == \"CreateSecurityGroup\" or EventName == \"RevokeSecurityGroupEgress\" or EventName == \"RevokeSecurityGroupIngress\" or EventName == \"DeleteSecurityGroup\" or EventName == \"ReplaceNetworkAclEntry\" or EventName == \"CreateNetworkAcl\" or EventName == \"DeleteNetworkAcl\")\r\n| summarize Count = count() by EventName, UserIdentityArn, AWSRegion, EventTypeName, SessionIssuerType, EventSource, SourceIpAddress\r\n| project-rename TotalChanges = Count\r\n| order by TotalChanges desc\r\n",
|
|
"size": 0,
|
|
"exportFieldName": "EventName",
|
|
"exportParameterName": "EventName",
|
|
"exportDefaultValue": "All",
|
|
"exportToExcelOptions": "visible",
|
|
"title": "Click to filter by event name",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "EventName",
|
|
"formatter": 7,
|
|
"formatOptions": {
|
|
"linkTarget": "GenericDetails",
|
|
"linkIsContextBlade": true,
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "UserIdentityArn",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true,
|
|
"aggregation": "Unique"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "AWSRegion",
|
|
"formatter": 5,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "EventTypeName",
|
|
"formatter": 5,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "SessionIssuerType",
|
|
"formatter": 5,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "EventSource",
|
|
"formatter": 5,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "SourceIpAddress",
|
|
"formatter": 5,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "TotalChanges",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"min": 0,
|
|
"palette": "purple",
|
|
"showIcon": true
|
|
}
|
|
}
|
|
],
|
|
"filter": true,
|
|
"labelSettings": []
|
|
}
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 5"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "AWSCloudTrail\r\n| where EventSource == \"ec2.amazonaws.com\" and (EventName == \"AuthorizeSecurityGroupEgress\" or EventName == \"AuthorizeSecurityGroupIngress\" or EventName == \"CreateSecurityGroup\" or EventName == \"RevokeSecurityGroupEgress\" or EventName == \"RevokeSecurityGroupIngress\" or EventName == \"DeleteSecurityGroup\" or EventName == \"ReplaceNetworkAclEntry\" or EventName == \"CreateNetworkAcl\" or EventName == \"DeleteNetworkAcl\")\r\n| where EventName == '{EventName}' or '{EventName}' == \"All\"\r\n| summarize count() by bin(TimeGenerated, {TimeRange:grain}), EventName\r\n| project-rename TotalChanges = count_\r\n",
|
|
"size": 0,
|
|
"exportToExcelOptions": "visible",
|
|
"title": "Network ACL events over time",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "barchart"
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 7"
|
|
},
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "---\r\n### Create and Delete network events"
|
|
},
|
|
"name": "text - 8"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "AWSCloudTrail\r\n| where EventSource == \"ec2.amazonaws.com\" and (EventName startswith \"create\" or EventName startswith \"delete\") and (EventName !contains \"Volume\" and EventName !contains \"KeyPair\" and EventName !contains \"Tags\" and EventName !contains \"Image\" and EventName !contains \"LaunchTemplate\")\r\n| summarize count() by EventName, UserIdentityArn, AWSRegion, EventTypeName, SessionIssuerType, EventSource, SourceIpAddress\r\n| project-rename TotalChanges = count_ \r\n| order by TotalChanges desc\r\n\r\n",
|
|
"size": 0,
|
|
"exportFieldName": "EventName",
|
|
"exportParameterName": "EventName",
|
|
"exportDefaultValue": "All",
|
|
"exportToExcelOptions": "visible",
|
|
"title": "Click to filter by event name",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "EventName",
|
|
"formatter": 7,
|
|
"formatOptions": {
|
|
"linkTarget": "GenericDetails",
|
|
"linkIsContextBlade": true,
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "UserIdentityArn",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "AWSRegion",
|
|
"formatter": 5,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "EventTypeName",
|
|
"formatter": 5,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "SessionIssuerType",
|
|
"formatter": 5,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "EventSource",
|
|
"formatter": 5,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "SourceIpAddress",
|
|
"formatter": 5,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "TotalChanges",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"min": 0,
|
|
"palette": "blueDark",
|
|
"showIcon": true
|
|
}
|
|
}
|
|
],
|
|
"labelSettings": []
|
|
}
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 9"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "AWSCloudTrail\r\n| where EventSource == \"ec2.amazonaws.com\" and (EventName startswith \"create\" or EventName startswith \"delete\") and (EventName !contains \"Volume\" and EventName !contains \"KeyPair\" and EventName !contains \"Tags\" and EventName !contains \"Image\" and EventName !contains \"LaunchTemplate\")\r\n| where EventName == '{EventName}' or '{EventName}' == \"All\"\r\n| summarize count() by bin(TimeGenerated, {TimeRange:grain}), EventName\r\n| project-rename TotalChanges = count_\r\n",
|
|
"size": 0,
|
|
"exportToExcelOptions": "visible",
|
|
"title": "Create and Delete network events over time",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "barchart"
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 10"
|
|
},
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "---\r\n### Elastic IP Address Operations"
|
|
},
|
|
"name": "text - 11"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "AWSCloudTrail\r\n| where EventSource == \"ec2.amazonaws.com\" and (EventName == \"AllocateAddress\" or EventName == \"ReleaseAddress\" or EventName == \"AssociateAddress\" or EventName == \"DisassociateAddress\") \r\n| extend AllocationID1 = todynamic(ResponseElements).[\"allocationId\"]\r\n| extend AllocationID2 = todynamic(RequestParameters).[\"allocationId\"]\r\n| extend AssociationID = todynamic(ResponseElements).[\"associationId\"]\r\n| extend ElasticIP = todynamic(ResponseElements).[\"publicIp\"]\r\n| extend AllocationID = coalesce(AllocationID1, AllocationID2)\r\n| summarize count() by TimeGenerated, UserIdentityArn, EventName, tostring(todynamic(RequestParameters).[\"instanceId\"]), tostring(AllocationID), tostring(AssociationID), tostring(ElasticIP) \r\n| project-rename InstanceID = RequestParameters_instanceId\r\n| project-away count_\r\n",
|
|
"size": 0,
|
|
"exportToExcelOptions": "visible",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"gridSettings": {
|
|
"filter": true,
|
|
"labelSettings": []
|
|
}
|
|
},
|
|
"name": "query - 12"
|
|
}
|
|
],
|
|
"styleSettings": {},
|
|
"fromTemplateId": "sentinel-AWSNetworkActivities",
|
|
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
|
|
} |