Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность
Azure-Sentinel/Workbooks/AzureInformationProtection....

166 строки
7.3 KiB
JSON
Исходник Ответственный История

{
"version": "Notebook/1.0",
"items": [
{
"type": 1,
"content": {
"json": "## Azure Information Protection - Usage report"
},
"name": "text - 0"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"query": "",
"crossComponentResources": [],
"parameters": [
{
"id": "d54e6c15-7c98-48bd-b3d9-0169345ccfa8",
"version": "KqlParameterItem/1.0",
"name": "TimeRange",
"type": 4,
"isRequired": true,
"value": {
"durationMs": 2592000000
},
"typeSettings": {
"selectableValues": [
{
"durationMs": 300000
},
{
"durationMs": 900000
},
{
"durationMs": 1800000
},
{
"durationMs": 3600000
},
{
"durationMs": 14400000
},
{
"durationMs": 43200000
},
{
"durationMs": 86400000
},
{
"durationMs": 172800000
},
{
"durationMs": 259200000
},
{
"durationMs": 604800000
},
{
"durationMs": 1209600000
},
{
"durationMs": 2419200000
},
{
"durationMs": 2592000000
},
{
"durationMs": 5184000000
},
{
"durationMs": 7776000000
}
],
"allowCustom": true
}
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 1"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let Logs = InformationProtectionLogs_CL | extend MachineName_s = columnifexists(\"MachineName_s\",\"\"), ObjectId_s = columnifexists(\"ObjectId_s\",\"\"), Activity_s = columnifexists(\"Activity_s\",\"\"), LabelId_g = columnifexists(\"LabelId_g\",\"\"), Protected_b = columnifexists(\"Protected_b\",false);\r\nlet minTime = toscalar(Logs | where isnotempty(MachineName_s) | summarize min(TimeGenerated));\r\nlet dates = range [\"date\"] from bin(minTime, {TimeRange:grain}) to now() step {TimeRange:grain};\r\nLogs\r\n| where isnotempty(MachineName_s)\r\n| summarize labels=countif(isnotempty(ObjectId_s) and Activity_s in (\"NewLabel\", \"UpgradeLabel\", \"DowngradeLabel\", \"RemoveProtection\", \"NewProtection\", \"ChangeProtection\") and isnotempty(LabelId_g)),\r\nprotected=countif(isnotempty(ObjectId_s) and Activity_s in (\"NewLabel\", \"UpgradeLabel\", \"DowngradeLabel\", \"RemoveProtection\", \"NewProtection\", \"ChangeProtection\") and Protected_b) by bin(TimeGenerated, {TimeRange:grain})\r\n| join kind= rightouter (\r\n dates\r\n)\r\non $left.TimeGenerated == $right.[\"date\"]\r\n| project [\"date\"], Labels = coalesce(labels, 0), [\"Protected Labels\"] = coalesce(protected, 0)",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Label and protect activity",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "linechart"
},
"customWidth": "50",
"name": "query - 2"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let Logs = InformationProtectionLogs_CL | extend MachineName_s = columnifexists(\"MachineName_s\",\"\"), UserId_s = columnifexists(\"UserId_s\",\"\");\r\nlet minTime = toscalar(Logs | where isnotempty(MachineName_s) | summarize min(TimeGenerated));\r\nlet dates = range [\"date\"] from bin(minTime, {TimeRange:grain}) to now() step {TimeRange:grain};\r\nLogs\r\n| where isnotempty(MachineName_s)\r\n| summarize users=dcount(UserId_s), devices = dcount(MachineName_s) by bin(TimeGenerated, {TimeRange:grain})\r\n| join kind= rightouter\r\n(\r\n dates\r\n)\r\non $left.TimeGenerated == $right.[\"date\"]\r\n| project [\"date\"], users = coalesce(users, 0), devices = coalesce(devices, 0)\r\n\r\n",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Users and devices",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "linechart"
},
"customWidth": "50",
"name": "query - 3"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let Logs = InformationProtectionLogs_CL | extend LabelName_s = columnifexists(\"LabelName_s\",\"\"), LabelId_g = columnifexists(\"LabelId_g\",\"\"), ObjectId_s = columnifexists(\"ObjectId_s\",\"\"), Activity_s = columnifexists(\"Activity_s\",\"\");\r\nLogs\r\n| where isnotempty(LabelId_g)\r\n| where isnotempty(ObjectId_s)\r\n| where Activity_s in (\"NewLabel\", \"UpgradeLabel\", \"DowngradeLabel\", \"RemoveProtection\", \"NewProtection\", \"ChangeProtection\")\r\n| summarize value=count() by LabelName_s\r\n| order by value\r\n",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Labels",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "50",
"name": "query - 4"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let Logs = InformationProtectionLogs_CL | extend ApplicationName_s = columnifexists(\"ApplicationName_s\",\"\"), LabelId_g = columnifexists(\"LabelId_g\",\"\"), ObjectId_s = columnifexists(\"ObjectId_s\",\"\"), Activity_s = columnifexists(\"Activity_s\",\"\");\r\nLogs\r\n| where isnotempty(LabelId_g)\r\n| where isnotempty(ObjectId_s)\r\n| where Activity_s in (\"NewLabel\", \"UpgradeLabel\", \"DowngradeLabel\", \"RemoveProtection\", \"NewProtection\", \"ChangeProtection\")\r\n| summarize value=count() by ApplicationName_s\r\n| order by value\r\n",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Labels by application",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "50",
"name": "query - 5"
}
],
"styleSettings": {},
"fromTemplateId": "sentinel-AzureInformationProtection",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}
Ссылка в новой задаче Показать git blame Копировать постоянную ссылку