{
"version": "Notebook/1.0",
"items": [
{
"type": 1,
"content": {
"json": "## Citrix Analytics workbook\n---"
},
"name": "text - 2"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CitrixAnalytics_SAlerts_CL \n| where alertType_s == \"RISK_SCORE\" \n| where alertValue_d > 64\n| where alertValue_d < 100\n| summarize arg_max(alertTime_s, alertValue_d) by entityId_s\n| count",
"size": 4,
"exportToExcelOptions": "visible",
"title": "High Risk Users",
"timeContext": {
"durationMs": 2592000000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"gridSettings": {
"formatters": [
{
"columnMatch": "Count",
"formatter": 1,
"formatOptions": {
"showIcon": true
},
"tooltipFormat": {
"tooltip": "Risk Score of 64 to 100"
}
}
],
"labelSettings": [
{
"columnId": "Count",
"label": "High Risk Users"
}
]
},
"tileSettings": {
"titleContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"min": 64,
"max": 100,
"palette": "red",
"showIcon": true
}
},
"showBorder": false
}
},
"customWidth": "33",
"name": "query - 6 - Copy - Copy",
"styleSettings": {
"padding": "10px",
"maxWidth": "33%",
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CitrixAnalytics_SAlerts_CL \n| where alertType_s == \"RISK_SCORE\" \n| where alertValue_d > 34\n| where alertValue_d < 63\n| summarize arg_max(alertTime_s, alertValue_s) by entityId_s\n| count",
"size": 4,
"exportToExcelOptions": "visible",
"title": "Medium Risk Users",
"timeContext": {
"durationMs": 2592000000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"gridSettings": {
"formatters": [
{
"columnMatch": "Count",
"formatter": 1,
"formatOptions": {
"showIcon": true
},
"tooltipFormat": {
"tooltip": "Risk Score of 33 to 64"
}
}
],
"labelSettings": [
{
"columnId": "Count",
"label": "Medium Risk Users"
}
]
},
"tileSettings": {
"titleContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"palette": "orange",
"showIcon": true
}
},
"showBorder": false
}
},
"customWidth": "33",
"name": "query - 6 - Copy",
"styleSettings": {
"padding": "10px",
"maxWidth": "33%",
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CitrixAnalytics_SAlerts_CL \n| where alertType_s == \"RISK_SCORE\" \n| where alertValue_d > 0\n| where alertValue_d < 33\n| summarize arg_max(alertTime_s, alertValue_s) by entityId_s\n| count",
"size": 4,
"exportToExcelOptions": "visible",
"title": "Low Risk Users",
"timeContext": {
"durationMs": 2592000000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"gridSettings": {
"formatters": [
{
"columnMatch": "Count",
"formatter": 1,
"formatOptions": {
"showIcon": true
},
"tooltipFormat": {
"tooltip": "Risk Score of 0 to 33"
}
}
],
"labelSettings": [
{
"columnId": "Count",
"label": "Low Risk Users"
}
]
},
"tileSettings": {
"titleContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"palette": "gray",
"showIcon": true
}
},
"showBorder": false
}
},
"customWidth": "33",
"name": "query - 6",
"styleSettings": {
"padding": "10px",
"maxWidth": "33%",
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CitrixAnalytics_SAlerts_CL\n| where alertType_s == \"RISK_SCORE\"\n| summarize arg_max(alertTime_s, alertValue_d) by entityId_s",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Top 5 Risky Users",
"timeContext": {
"durationMs": 2592000000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "entity_id_s",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "alert_time_s",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "alert_value_d",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "alertValue_s",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "entity_id_s",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "alert_time_s",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "alert_value_s",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
}
],
"rowLimit": 5,
"labelSettings": [
{
"columnId": "entity_id_s",
"label": "User Name"
},
{
"columnId": "alert_time_s",
"label": "Alert Time"
},
{
"columnId": "alert_value_d",
"label": "Risk Score"
}
]
},
"sortBy": []
},
"customWidth": "50",
"name": "query - 4",
"styleSettings": {
"padding": "10px",
"maxWidth": "50%",
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CitrixAnalytics_SAlerts_CL \n| where alertType_s == \"RISK_INDICATOR\" \n| summarize count(alertType_s) by alertValue_s",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Breakdown by Risk Indicator",
"timeContext": {
"durationMs": 604800000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "50",
"name": "query - 2",
"styleSettings": {
"maxWidth": "50%",
"showBorder": true
}
}
],
"styleSettings": {
"paddingStyle": "narrow",
"spacingStyle": "narrow"
},
"fromTemplateId": "sentinel-Citrix",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}