1646 строки
72 KiB
JSON
1646 строки
72 KiB
JSON
{
|
|
"version": "Notebook/1.0",
|
|
"items": [
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "## View Azure Sentinel Incidents and details from any selected Workspaces \r\n\r\n"
|
|
},
|
|
"name": "text - 0"
|
|
},
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"items": [
|
|
{
|
|
"type": 9,
|
|
"content": {
|
|
"version": "KqlParameterItem/1.0",
|
|
"crossComponentResources": [
|
|
"{Subscription}"
|
|
],
|
|
"parameters": [
|
|
{
|
|
"id": "1ca69445-60fc-4806-b43d-ac7e6aad630a",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "Subscription",
|
|
"type": 6,
|
|
"multiSelect": true,
|
|
"quote": "'",
|
|
"delimiter": ",",
|
|
"query": "summarize by subscriptionId\r\n| project value = strcat(\"/subscriptions/\", subscriptionId), label = subscriptionId",
|
|
"crossComponentResources": [
|
|
"value::selected"
|
|
],
|
|
"value": [
|
|
"value::all"
|
|
],
|
|
"typeSettings": {
|
|
"additionalResourceOptions": [
|
|
"value::all"
|
|
],
|
|
"showDefault": false
|
|
},
|
|
"queryType": 1,
|
|
"resourceType": "microsoft.resourcegraph/resources"
|
|
},
|
|
{
|
|
"id": "e94aafa3-c5d9-4523-89f0-4e87aa754511",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "Workspace",
|
|
"type": 5,
|
|
"isRequired": true,
|
|
"multiSelect": true,
|
|
"quote": "'",
|
|
"delimiter": ",",
|
|
"query": "resources\n| where type =~ 'microsoft.operationalinsights/workspaces'\n| extend customerID = trim(' ', tostring(properties.customerId))\n| project id, customerID, name=tolower(name)\n|join \n(\n\tresources\n\t// Just show Workspaces that have Sentinel enabled\n\t| where type =~ \"microsoft.operationsmanagement/solutions\"\n\t| where name has \"SecurityInsights\"\n\t| parse name with * '(' s_workspace ')'*\n\t| project name=tolower(s_workspace)\n) on name\n| project tolower(id), customerID, name",
|
|
"crossComponentResources": [
|
|
"{Subscription}"
|
|
],
|
|
"value": [
|
|
""
|
|
],
|
|
"typeSettings": {
|
|
"resourceTypeFilter": {
|
|
"microsoft.operationalinsights/workspaces": true
|
|
},
|
|
"additionalResourceOptions": [
|
|
"value::all"
|
|
],
|
|
"showDefault": false
|
|
},
|
|
"queryType": 1,
|
|
"resourceType": "microsoft.resourcegraph/resources"
|
|
},
|
|
{
|
|
"id": "66f59acd-2628-457d-a5cd-176aa453472a",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "TimeRange",
|
|
"type": 4,
|
|
"isRequired": true,
|
|
"value": {
|
|
"durationMs": 5184000000
|
|
},
|
|
"typeSettings": {
|
|
"selectableValues": [
|
|
{
|
|
"durationMs": 300000
|
|
},
|
|
{
|
|
"durationMs": 900000
|
|
},
|
|
{
|
|
"durationMs": 1800000
|
|
},
|
|
{
|
|
"durationMs": 3600000
|
|
},
|
|
{
|
|
"durationMs": 14400000
|
|
},
|
|
{
|
|
"durationMs": 43200000
|
|
},
|
|
{
|
|
"durationMs": 86400000
|
|
},
|
|
{
|
|
"durationMs": 172800000
|
|
},
|
|
{
|
|
"durationMs": 259200000
|
|
},
|
|
{
|
|
"durationMs": 604800000
|
|
},
|
|
{
|
|
"durationMs": 1209600000
|
|
},
|
|
{
|
|
"durationMs": 2419200000
|
|
},
|
|
{
|
|
"durationMs": 2592000000
|
|
},
|
|
{
|
|
"durationMs": 5184000000
|
|
},
|
|
{
|
|
"durationMs": 7776000000
|
|
}
|
|
],
|
|
"allowCustom": true
|
|
}
|
|
},
|
|
{
|
|
"id": "65e74c73-69f0-4eb5-a772-4fb5eae73d28",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "WorkspaceIDguid",
|
|
"type": 1,
|
|
"query": "resources\r\n| where type =~ 'microsoft.operationalinsights/workspaces'\r\n| extend customerID = trim(' ', tostring(properties.customerId))\r\n| project '{Workspace:name}', name, customerID\r\n| where '{Workspace:name}' has name\r\n//| project customerID, name\r\n// join two columns, seperate with a \":\"; ARG, will comma seperate each row by default\r\n| project strcat(customerID,\":\",name)",
|
|
"crossComponentResources": [
|
|
"{Subscription}"
|
|
],
|
|
"isHiddenWhenLocked": true,
|
|
"queryType": 1,
|
|
"resourceType": "microsoft.resourcegraph/resources"
|
|
},
|
|
{
|
|
"id": "2af84437-b015-456b-9660-97c8415e72fd",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "Product",
|
|
"label": "Product Name",
|
|
"type": 2,
|
|
"description": "Filter on All or a named Product",
|
|
"isRequired": true,
|
|
"multiSelect": true,
|
|
"quote": "'",
|
|
"delimiter": ",",
|
|
"query": "SecurityIncident\r\n| extend productName_ = tostring(parse_json(tostring(AdditionalData.alertProductNames))[0])\r\n| summarize by productName_\r\n",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"value": [
|
|
"value::all"
|
|
],
|
|
"typeSettings": {
|
|
"additionalResourceOptions": [
|
|
"value::all"
|
|
],
|
|
"showDefault": false
|
|
},
|
|
"timeContext": {
|
|
"durationMs": 604800000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
{
|
|
"id": "5a683c1d-5e10-4d94-bb2a-32c05b17da8e",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "resourceGroup",
|
|
"type": 1,
|
|
"query": "resources\r\n| where type =~ 'microsoft.operationalinsights/workspaces'\r\n//| where name == \"{Workspace:label}\" \r\n| project resourceGroup",
|
|
"crossComponentResources": [
|
|
"{Subscription}"
|
|
],
|
|
"isHiddenWhenLocked": true,
|
|
"queryType": 1,
|
|
"resourceType": "microsoft.resourcegraph/resources"
|
|
},
|
|
{
|
|
"id": "306edc18-d122-478d-97aa-ebc5a4cb88db",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "Owner",
|
|
"type": 2,
|
|
"description": "Filter on All or a named Owner assigned to an Incident",
|
|
"isRequired": true,
|
|
"multiSelect": true,
|
|
"quote": "'",
|
|
"delimiter": ",",
|
|
"query": "SecurityIncident\r\n| extend owner = tostring(Owner.assignedTo) \r\n| summarize Count=count(IncidentNumber) by Owner= case(owner==\"\", \"Unassigned\",owner)\r\n| project Value = Owner, Label = strcat(Owner, \": \", Count)",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"value": [
|
|
"value::all"
|
|
],
|
|
"typeSettings": {
|
|
"additionalResourceOptions": [
|
|
"value::all"
|
|
],
|
|
"selectAllValue": "*",
|
|
"showDefault": false
|
|
},
|
|
"timeContext": {
|
|
"durationMs": 2592000000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
{
|
|
"id": "04338a2a-010c-409d-91ac-4b74a0e9d56c",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "Help",
|
|
"type": 10,
|
|
"isRequired": true,
|
|
"typeSettings": {
|
|
"additionalResourceOptions": [],
|
|
"showDefault": false
|
|
},
|
|
"jsonData": "[\r\n { \"value\": \"Yes\", \"label\": \"Yes\"},\r\n { \"value\": \"No\", \"label\": \"No\", \"selected\":true },\r\n { \"value\": \"Change Log\", \"label\": \"Change Log\"}\r\n]",
|
|
"timeContextFromParameter": "TimeRange"
|
|
}
|
|
],
|
|
"style": "above",
|
|
"queryType": 1,
|
|
"resourceType": "microsoft.resourcegraph/resources"
|
|
},
|
|
"name": "parameters - 1"
|
|
},
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "## Sentinel Central\r\n### Change Log\r\nUse this report to view Incident and Alert data across many workspaces (works with Azure Lighthouse)\r\n\r\n\r\n|Version|Description|\r\n|---|---|\r\n|v1.2| View Alerts from multiple workspaces (Azure Lighhouse compatiable)|\r\n|v1.3| MSSP release |"
|
|
},
|
|
"customWidth": "50",
|
|
"conditionalVisibility": {
|
|
"parameterName": "Help",
|
|
"comparison": "isEqualTo",
|
|
"value": "Change Log"
|
|
},
|
|
"name": "text - 7"
|
|
},
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "## Sentinel Central\r\n### Help\r\nUse this report to view Incident (and Alert data) across many workspaces, this works with Azure Lighthouse and across any subscription you have access to.\r\nThe Workbook is not intended to replace the Multiple Incidents across Workspace view/feature in the Azure Sentinel UI, it's just a way of seeing the data in a different way.\r\n\r\nWorkspaces not linked to Azure Sentinel will not be shown.\r\n\r\n\r\nData sources: REST api, SentinelIncident and SecurityAlert Tables"
|
|
},
|
|
"customWidth": "50",
|
|
"conditionalVisibility": {
|
|
"parameterName": "Help",
|
|
"comparison": "isEqualTo",
|
|
"value": "Yes"
|
|
},
|
|
"name": "text - 7 - Copy"
|
|
}
|
|
],
|
|
"exportParameters": true
|
|
},
|
|
"name": "group - parameter and help"
|
|
},
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"items": [
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "SecurityIncident\r\n// Get the Workspace Name(s) from a parameter\r\n| extend stringtoSplit = split(\"{WorkspaceIDguid}\",\",\")\r\n| mvexpand stringtoSplit\r\n| where stringtoSplit has TenantId\r\n| extend workSpacename = trim(@\"[^\\w]+\",tostring(split(stringtoSplit,\":\").[1]))\r\n// end of get workspace name section\r\n| summarize count(IncidentName) by [\"Workspace\"] = workSpacename\r\n\r\n\r\n\r\n",
|
|
"size": 4,
|
|
"title": "Count of Security Incidents for selected {$rowCount} Workspaces",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"visualization": "piechart",
|
|
"gridSettings": {
|
|
"hierarchySettings": {
|
|
"treeType": 1,
|
|
"groupBy": [
|
|
"wsName"
|
|
]
|
|
},
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "wsName",
|
|
"sortOrder": 2
|
|
}
|
|
]
|
|
},
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "wsName",
|
|
"sortOrder": 2
|
|
}
|
|
]
|
|
},
|
|
"name": "query - 3 - Copy"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "SecurityIncident\r\n// Get the Workspace Name(s) from a parameter\r\n| extend stringtoSplit = split(\"{WorkspaceIDguid}\",\",\")\r\n| mv-expand stringtoSplit\r\n| where stringtoSplit has TenantId\r\n| extend workSpacename = trim(@\"[^\\w]+\",tostring(split(stringtoSplit,\":\").[1]))\r\n// end of get workspace name section\r\n| summarize High= countif(Severity==\"High\"),\r\n Medium=countif(Severity==\"Medium\"),\r\n Low =countif(Severity==\"Low\"), \r\n Informational=countif(Severity==\"Informational\"),\r\n Total = count()\r\n by workSpacename\r\n| join\r\n(\r\nSecurityIncident\r\n// mean time to triage Section\r\n// Get the Workspace Name(s) from a parameter\r\n| extend stringtoSplit = split(\"{WorkspaceIDguid}\",\",\")\r\n| mv-expand stringtoSplit\r\n| where stringtoSplit has TenantId\r\n| extend workSpacename = trim(@\"[^\\w]+\",tostring(split(stringtoSplit,\":\").[1]))\r\n// end of get workspace name section\r\n//| where FirstModifiedTime >= {TimeRange:start} and FirstModifiedTime <= {TimeRange:end}\r\n| extend Owner = todynamic(Owner.assignedTo) \r\n| where Owner in ({Owner}) or '{Owner:label}' == \"All\"\r\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \r\n| where Product in ({Product}) or '{Product:label}' == \"All\"\r\n| summarize arg_max(LastModifiedTime,*) by IncidentNumber \r\n| extend TimeToTriage = (FirstModifiedTime - CreatedTime)/1h\r\n| summarize 50th_PercentileMeanTime=percentile(TimeToTriage, 50) by workSpacename\r\n) on workSpacename\r\n|project-away workSpacename1\r\n| join\r\n(\r\nSecurityIncident\r\n// mean time to close Section\r\n// Get the Workspace Name(s) from a parameter\r\n| extend stringtoSplit = split(\"{WorkspaceIDguid}\",\",\")\r\n| extend iD = TenantId\r\n| mv-expand stringtoSplit\r\n| where stringtoSplit has TenantId\r\n| extend workSpacename = trim(@\"[^\\w]+\",tostring(split(stringtoSplit,\":\").[1]))\r\n// end of get workspace name section\r\n//| where ClosedTime >= {TimeRange:start} and ClosedTime <= {TimeRange:end}\r\n| extend Owner = todynamic(Owner.assignedTo) \r\n| where Owner in ({Owner}) or '{Owner:label}' == \"All\"\r\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \r\n| where Product in ({Product}) or '{Product:label}' == \"All\"\r\n| summarize arg_max(LastModifiedTime,*) by IncidentNumber \r\n| extend TimeToClosure = (ClosedTime - CreatedTime)/1h\r\n| summarize 50th_PercentileCloseTime=percentile(TimeToClosure, 50) by workSpacename\r\n) on workSpacename\r\n|project-away workSpacename1\r\n\r\n\r\n",
|
|
"size": 1,
|
|
"title": "Count of Security Incidents for selected Workspaces and Severity",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"exportFieldName": "workSpacename",
|
|
"exportParameterName": "exportworkSpacename",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"visualization": "table",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "High",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "greenRed"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Medium",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "greenRed"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Low",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "greenRed"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Informational",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "greenRed",
|
|
"customColumnWidthSetting": "150px"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Total",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "coldHot"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "50th_PercentileMeanTime",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "greenRed"
|
|
},
|
|
"numberFormat": {
|
|
"unit": 26,
|
|
"options": {
|
|
"style": "decimal",
|
|
"useGrouping": false,
|
|
"maximumFractionDigits": 3
|
|
}
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "50th_PercentileCloseTime",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "greenRed"
|
|
},
|
|
"numberFormat": {
|
|
"unit": 26,
|
|
"options": {
|
|
"style": "decimal",
|
|
"maximumFractionDigits": 3
|
|
}
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "iD",
|
|
"formatter": 5
|
|
}
|
|
],
|
|
"labelSettings": [
|
|
{
|
|
"columnId": "workSpacename",
|
|
"label": "Workspace Name"
|
|
},
|
|
{
|
|
"columnId": "High"
|
|
},
|
|
{
|
|
"columnId": "Medium"
|
|
},
|
|
{
|
|
"columnId": "Low"
|
|
},
|
|
{
|
|
"columnId": "Informational"
|
|
},
|
|
{
|
|
"columnId": "Total"
|
|
},
|
|
{
|
|
"columnId": "50th_PercentileMeanTime",
|
|
"label": "Mean time to triage"
|
|
},
|
|
{
|
|
"columnId": "50th_PercentileCloseTime",
|
|
"label": "Mean time to closure"
|
|
}
|
|
]
|
|
},
|
|
"sortBy": []
|
|
},
|
|
"name": "query - SecIncidents"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "resources\r\n | where type == \"microsoft.insights/workbooks\"\r\n | where properties.displayName has \"Security operations efficiency\" \r\n //| where properties.displayName has '{exportworkSpacename}'\r\n //| project properties.displayName, id\r\n | project id, note='Please select the Subscription and Workpsace names again in the new blade'\r\n | limit 1\r\n\r\n",
|
|
"size": 4,
|
|
"title": "Open [Security Operations Efficiency] Workbook - if the Workbook exists locally?",
|
|
"queryType": 1,
|
|
"resourceType": "microsoft.resourcegraph/resources",
|
|
"crossComponentResources": [
|
|
"{Subscription}"
|
|
],
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "id",
|
|
"formatter": 7,
|
|
"formatOptions": {
|
|
"linkTarget": "WorkbookTemplate",
|
|
"linkLabel": "Click to Open [Security operations efficiency] workbook",
|
|
"linkIsContextBlade": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "note",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"customColumnWidthSetting": "100ch"
|
|
}
|
|
}
|
|
],
|
|
"labelSettings": [
|
|
{
|
|
"columnId": "id",
|
|
"label": "Open"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"customWidth": "50",
|
|
"conditionalVisibility": {
|
|
"parameterName": "exportworkSpacename",
|
|
"comparison": "isNotEqualTo"
|
|
},
|
|
"name": "query - open_SOC_workbook"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "resources\r\n| where type =~ 'microsoft.operationalinsights/workspaces'\r\n| extend customerWorkspaceID = trim(' ', tostring(properties.customerId))\r\n| project id, customerWorkspaceID, name=tolower(name), subscriptionId, tenantId\r\n|join \r\n(\r\n\tresources\r\n\t// Just show Workspaces that have Sentinel enabled\r\n\t| where type =~ \"microsoft.operationsmanagement/solutions\"\r\n\t| where name has \"SecurityInsights\"\r\n\t| parse name with * '(' s_workspace ')'*\r\n\t| project name=tolower(s_workspace), subscriptionId, location, properties, resourceGroup\r\n) on name\r\n| where name =~ '{exportworkSpacename}'\r\n| project name, Open=tolower(id), tenantId, customerWorkspaceID, subscriptionId, location, properties, resourceGroup\r\n",
|
|
"size": 4,
|
|
"title": "Workspace details - click on \"name\" for more details",
|
|
"exportedParameters": [
|
|
{
|
|
"fieldName": "tenantId",
|
|
"parameterName": "exporttenantId",
|
|
"parameterType": 1
|
|
},
|
|
{
|
|
"fieldName": "subscriptionId",
|
|
"parameterName": "exportSubscriptionId",
|
|
"parameterType": 1
|
|
},
|
|
{
|
|
"fieldName": "resourceGroup",
|
|
"parameterName": "exportResourceGroup",
|
|
"parameterType": 1
|
|
},
|
|
{
|
|
"fieldName": "name",
|
|
"parameterName": "exportName",
|
|
"parameterType": 1
|
|
}
|
|
],
|
|
"queryType": 1,
|
|
"resourceType": "microsoft.resourcegraph/resources",
|
|
"crossComponentResources": [
|
|
"{Subscription}"
|
|
],
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "Open",
|
|
"formatter": 7,
|
|
"formatOptions": {
|
|
"linkTarget": "Resource",
|
|
"linkLabel": "Workspace context blade",
|
|
"linkIsContextBlade": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "id",
|
|
"formatter": 7,
|
|
"formatOptions": {
|
|
"linkTarget": "WorkbookTemplate",
|
|
"linkLabel": "Click to Open [Security operations efficiency] workbook",
|
|
"linkIsContextBlade": false
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "note",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"customColumnWidthSetting": "100ch"
|
|
}
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"customWidth": "50",
|
|
"conditionalVisibility": {
|
|
"parameterName": "exportworkSpacename",
|
|
"comparison": "isNotEqualTo"
|
|
},
|
|
"name": "query - Workspace Details"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "{\"version\":\"ARMEndpoint/1.0\",\"data\":null,\"headers\":[],\"method\":\"GET\",\"path\":\"/tenants?api-version=2020-01-01\",\"urlParams\":[{\"key\":\"\",\"value\":\"\"}],\"batchDisabled\":false,\"transformers\":[{\"type\":\"jsonpath\",\"settings\":{\"tablePath\":\"$.value\",\"columns\":[]}}]}",
|
|
"size": 4,
|
|
"title": "Tenant details",
|
|
"queryType": 12,
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "id",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "domains",
|
|
"formatter": 7,
|
|
"formatOptions": {
|
|
"linkTarget": "GenericDetails",
|
|
"linkLabel": "Domain name(s)",
|
|
"linkIsContextBlade": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Open",
|
|
"formatter": 7,
|
|
"formatOptions": {
|
|
"linkTarget": "Resource",
|
|
"linkLabel": "Workspace context blade",
|
|
"linkIsContextBlade": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "note",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"customColumnWidthSetting": "100ch"
|
|
}
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"customWidth": "50",
|
|
"conditionalVisibility": {
|
|
"parameterName": "exportworkSpacename",
|
|
"comparison": "isEqualTo",
|
|
"value": "hide"
|
|
},
|
|
"name": "query - Tenant Details"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "{\"version\":\"ARMEndpoint/1.0\",\"data\":null,\"headers\":[],\"method\":\"GET\",\"path\":\"/subscriptions/{exportSubscriptionId}/resourceGroups/{exportResourceGroup}/providers/Microsoft.OperationalInsights/workspaces/{exportworkSpacename}/providers/Microsoft.SecurityInsights/AlertRules\",\"urlParams\":[{\"key\":\"\",\"value\":\"\"},{\"key\":\"api-version\",\"value\":\"2020-01-01\"}],\"batchDisabled\":false,\"transformers\":[{\"type\":\"jsonpath\",\"settings\":{\"tablePath\":\"$.value\",\"columns\":[{\"path\":\"properties.displayName\",\"columnid\":\"displayName\"},{\"path\":\"type\",\"columnid\":\"type\"},{\"path\":\"kind\",\"columnid\":\"kind\"},{\"path\":\"properties\",\"columnid\":\"properties\"},{\"path\":\"properties.lastModifiedUtc\",\"columnid\":\"lastModifiedUtc\"}]}}]}",
|
|
"size": 4,
|
|
"title": "Rules details ('{exportName}' with {$rowCount} deployed Rules)",
|
|
"showExportToExcel": true,
|
|
"queryType": 12,
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "id",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "name",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "etag",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "domains",
|
|
"formatter": 7,
|
|
"formatOptions": {
|
|
"linkTarget": "GenericDetails",
|
|
"linkLabel": "Domain name(s)",
|
|
"linkIsContextBlade": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Open",
|
|
"formatter": 7,
|
|
"formatOptions": {
|
|
"linkTarget": "Resource",
|
|
"linkLabel": "Workspace context blade",
|
|
"linkIsContextBlade": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "note",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"customColumnWidthSetting": "100ch"
|
|
}
|
|
}
|
|
],
|
|
"rowLimit": 500,
|
|
"filter": true,
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "kind",
|
|
"sortOrder": 2
|
|
}
|
|
]
|
|
},
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "kind",
|
|
"sortOrder": 2
|
|
}
|
|
]
|
|
},
|
|
"customWidth": "50",
|
|
"conditionalVisibility": {
|
|
"parameterName": "exportResourceGroup",
|
|
"comparison": "isNotEqualTo",
|
|
"value": ""
|
|
},
|
|
"name": "query - Rules details"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "{\"version\":\"Merge/1.0\",\"merges\":[{\"id\":\"724f0ff2-e293-4655-9005-b25c4442a0de\",\"mergeType\":\"innerunique\",\"leftTable\":\"query - Workspace Details\",\"rightTable\":\"query - Tenant Details\",\"leftColumn\":\"tenantId\",\"rightColumn\":\"tenantId\"}],\"projectRename\":[{\"originalName\":\"[query - Workspace Details].name\",\"mergedName\":\"name\",\"fromId\":\"724f0ff2-e293-4655-9005-b25c4442a0de\"},{\"originalName\":\"[query - Workspace Details].Open\",\"mergedName\":\"Open\",\"fromId\":\"724f0ff2-e293-4655-9005-b25c4442a0de\"},{\"originalName\":\"[query - Workspace Details].tenantId\",\"mergedName\":\"tenantId\",\"fromId\":\"724f0ff2-e293-4655-9005-b25c4442a0de\"},{\"originalName\":\"[query - Workspace Details].customerWorkspaceID\",\"mergedName\":\"customerWorkspaceID\",\"fromId\":\"724f0ff2-e293-4655-9005-b25c4442a0de\"},{\"originalName\":\"[query - Workspace Details].subscriptionId\",\"mergedName\":\"subscriptionId\",\"fromId\":\"724f0ff2-e293-4655-9005-b25c4442a0de\"},{\"originalName\":\"[query - Workspace Details].location\",\"mergedName\":\"location\",\"fromId\":\"724f0ff2-e293-4655-9005-b25c4442a0de\"},{\"originalName\":\"[query - Workspace Details].properties\",\"mergedName\":\"properties\",\"fromId\":\"724f0ff2-e293-4655-9005-b25c4442a0de\"},{\"originalName\":\"[query - Tenant Details].id\",\"mergedName\":\"id\",\"fromId\":\"724f0ff2-e293-4655-9005-b25c4442a0de\"},{\"originalName\":\"[query - Tenant Details].tenantId\",\"mergedName\":\"tenantId1\",\"fromId\":\"724f0ff2-e293-4655-9005-b25c4442a0de\"},{\"originalName\":\"[query - Tenant Details].countryCode\",\"mergedName\":\"countryCode\",\"fromId\":\"724f0ff2-e293-4655-9005-b25c4442a0de\"},{\"originalName\":\"[query - Tenant Details].displayName\",\"mergedName\":\"displayName\",\"fromId\":\"724f0ff2-e293-4655-9005-b25c4442a0de\"},{\"originalName\":\"[query - Tenant Details].domains\",\"mergedName\":\"domains\",\"fromId\":\"724f0ff2-e293-4655-9005-b25c4442a0de\"},{\"originalName\":\"[query - Tenant Details].tenantCategory\",\"mergedName\":\"tenantCategory\",\"fromId\":\"724f0ff2-e293-4655-9005-b25c4442a0de\"},{\"originalName\":\"[query - Tenant Details].defaultDomain\",\"mergedName\":\"defaultDomain\",\"fromId\":\"724f0ff2-e293-4655-9005-b25c4442a0de\"},{\"originalName\":\"[query - Tenant Details].tenantType\",\"mergedName\":\"tenantType\",\"fromId\":\"724f0ff2-e293-4655-9005-b25c4442a0de\"},{\"originalName\":\"[query - Tenant Details].tenantBrandingLogoUrl\",\"mergedName\":\"tenantBrandingLogoUrl\",\"fromId\":\"724f0ff2-e293-4655-9005-b25c4442a0de\"},{\"originalName\":\"[query - Workspace Details].resourceGroup\",\"mergedName\":\"resourceGroup\",\"fromId\":\"unknown\"}]}",
|
|
"size": 4,
|
|
"title": "Tenant Details",
|
|
"showExportToExcel": true,
|
|
"queryType": 7,
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "id",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "tenantId1",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "domains",
|
|
"formatter": 7,
|
|
"formatOptions": {
|
|
"linkTarget": "CellDetails",
|
|
"linkLabel": "Domain List",
|
|
"linkIsContextBlade": true
|
|
}
|
|
}
|
|
],
|
|
"filter": true
|
|
}
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "exportworkSpacename",
|
|
"comparison": "isNotEqualTo"
|
|
},
|
|
"showPin": false,
|
|
"name": "query - merged Tenant view"
|
|
},
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"title": "Classification and Tactics report",
|
|
"expandable": true,
|
|
"items": [
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "SecurityIncident\r\n// Get the Workspace Name(s) from a parameter\r\n| extend stringtoSplit = split(\"{WorkspaceIDguid}\",\",\")\r\n| mv-expand stringtoSplit\r\n| where stringtoSplit has TenantId\r\n| extend workSpacename = trim(@\"[^\\w]+\",tostring(split(stringtoSplit,\":\").[1]))\r\n// end of get workspace name section\r\n| where Status == 'Closed'// and Classification !=\"Undetermined\"\r\n| order by LastModifiedTime \r\n| summarize count(), make_set(ClassificationComment) by workSpacename, Classification , ClassificationReason //,ClassificationComment, IncidentUrl, ModifiedBy,Status, Severity, LastModifiedTime,IncidentNumber, Title\r\n| evaluate pivot(Classification, sum(count_))",
|
|
"size": 1,
|
|
"title": "Incident Classification report",
|
|
"timeContext": {
|
|
"durationMs": 5184000000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"showExportToExcel": true,
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "set_ClassificationComment",
|
|
"formatter": 7,
|
|
"formatOptions": {
|
|
"linkTarget": "CellDetails",
|
|
"linkIsContextBlade": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "BenignPositive",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "greenRed",
|
|
"customColumnWidthSetting": "150px"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "FalsePositive",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "greenRed",
|
|
"customColumnWidthSetting": "150px"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "TruePositive",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "greenRed",
|
|
"customColumnWidthSetting": "150px"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Undetermined",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "greenRed",
|
|
"customColumnWidthSetting": "150px"
|
|
}
|
|
}
|
|
],
|
|
"filter": true,
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "workSpacename",
|
|
"sortOrder": 2
|
|
}
|
|
],
|
|
"labelSettings": [
|
|
{
|
|
"columnId": "workSpacename"
|
|
},
|
|
{
|
|
"columnId": "ClassificationReason"
|
|
},
|
|
{
|
|
"columnId": "set_ClassificationComment",
|
|
"label": "Reason"
|
|
},
|
|
{
|
|
"columnId": "BenignPositive"
|
|
},
|
|
{
|
|
"columnId": "FalsePositive"
|
|
},
|
|
{
|
|
"columnId": "TruePositive"
|
|
},
|
|
{
|
|
"columnId": "Undetermined"
|
|
}
|
|
]
|
|
},
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "workSpacename",
|
|
"sortOrder": 2
|
|
}
|
|
]
|
|
},
|
|
"name": "query - 10"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "SecurityIncident\r\n// Get the Workspace Name(s) from a parameter\r\n| extend stringtoSplit = split(\"{WorkspaceIDguid}\",\",\")\r\n| mv-expand stringtoSplit\r\n| where stringtoSplit has TenantId\r\n| extend workSpacename = trim(@\"[^\\w]+\",tostring(split(stringtoSplit,\":\").[1]))\r\n// end of get workspace name section\r\n| extend Tactics_ = tostring(parse_json(tostring(AdditionalData.tactics)))\r\n| summarize count()\r\n by workSpacename, Tactics_\r\n| order by count_ desc\r\n| evaluate pivot(Tactics_, sum(count_))",
|
|
"size": 1,
|
|
"title": "Incident Tactics report",
|
|
"timeContext": {
|
|
"durationMs": 5184000000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"showExportToExcel": true,
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "set_ClassificationComment",
|
|
"formatter": 7,
|
|
"formatOptions": {
|
|
"linkTarget": "CellDetails",
|
|
"linkIsContextBlade": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "TruePositive",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "greenRed"
|
|
}
|
|
}
|
|
],
|
|
"filter": true,
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "workSpacename",
|
|
"sortOrder": 1
|
|
}
|
|
],
|
|
"labelSettings": [
|
|
{
|
|
"columnId": "workSpacename"
|
|
}
|
|
]
|
|
},
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "workSpacename",
|
|
"sortOrder": 1
|
|
}
|
|
]
|
|
},
|
|
"name": "query - 10 - Tactics"
|
|
}
|
|
]
|
|
},
|
|
"name": "group - classification and tactics"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "SecurityIncident\r\n// Get the Workspace Name(s) from a parameter\r\n| extend stringtoSplit = split(\"{WorkspaceIDguid}\",\",\")\r\n| mvexpand stringtoSplit\r\n| where stringtoSplit has TenantId\r\n| extend workSpacename = trim(@\"[^\\w]+\",tostring(split(stringtoSplit,\":\").[1]))\r\n// end of get workspace name section\r\n| summarize Total = count()\r\n by workSpacename\r\n\r\n\r\n\r\n\r\n",
|
|
"size": 1,
|
|
"title": "Count of Security Incidents for selected Workspaces and Severity",
|
|
"timeContext": {
|
|
"durationMs": 2592000000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"visualization": "table",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "High",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "greenRed"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Medium",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "greenRed"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Low",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "greenRed"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Informational",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "greenRed"
|
|
}
|
|
}
|
|
],
|
|
"labelSettings": [
|
|
{
|
|
"columnId": "workSpacename",
|
|
"label": "Workspace Name"
|
|
},
|
|
{
|
|
"columnId": "Total"
|
|
}
|
|
]
|
|
},
|
|
"sortBy": []
|
|
},
|
|
"customWidth": "40",
|
|
"conditionalVisibility": {
|
|
"parameterName": "hide",
|
|
"comparison": "isEqualTo",
|
|
"value": "hide"
|
|
},
|
|
"name": "query - KQL for MAP count"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "resources\r\n// Just show Workspaces that have Sentinel enabled\r\n| where type =~ \"microsoft.operationsmanagement/solutions\"\r\n| where name has \"SecurityInsights\"\r\n| parse name with * '(' s_workspace ')'*\r\n| summarize count() by location, s_workspace",
|
|
"size": 0,
|
|
"title": "Azure Sentinel Workspaces by Azure Region",
|
|
"queryType": 1,
|
|
"resourceType": "microsoft.resourcegraph/resources",
|
|
"crossComponentResources": [
|
|
"{Subscription}"
|
|
],
|
|
"visualization": "table",
|
|
"mapSettings": {
|
|
"locInfo": "AzureLoc",
|
|
"locInfoColumn": "location",
|
|
"sizeSettings": "count_",
|
|
"sizeAggregation": "Sum",
|
|
"labelSettings": "location",
|
|
"legendMetric": "location",
|
|
"legendAggregation": "Count",
|
|
"itemColorSettings": {
|
|
"nodeColorField": "count_",
|
|
"colorAggregation": "Sum",
|
|
"type": "heatmap",
|
|
"heatmapPalette": "greenRed"
|
|
}
|
|
}
|
|
},
|
|
"customWidth": "50",
|
|
"conditionalVisibility": {
|
|
"parameterName": "hide",
|
|
"comparison": "isEqualTo",
|
|
"value": "hide"
|
|
},
|
|
"name": "query - ARG for MAp count"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "{\"version\":\"Merge/1.0\",\"merges\":[{\"id\":\"9862f923-5d48-4232-8b1d-54f18cd153d3\",\"mergeType\":\"innerunique\",\"leftTable\":\"query - KQL for MAP count\",\"rightTable\":\"query - ARG for MAp count\",\"leftColumn\":\"workSpacename\",\"rightColumn\":\"s_workspace\"}],\"projectRename\":[{\"originalName\":\"[query - KQL for MAP count].workSpacename\",\"mergedName\":\"Workspace Name\",\"fromId\":\"9862f923-5d48-4232-8b1d-54f18cd153d3\"},{\"originalName\":\"[query - KQL for MAP count].Total\",\"mergedName\":\"Total\",\"fromId\":\"9862f923-5d48-4232-8b1d-54f18cd153d3\"},{\"originalName\":\"[query - ARG for MAp count].location\",\"mergedName\":\"location\",\"fromId\":\"9862f923-5d48-4232-8b1d-54f18cd153d3\"},{\"originalName\":\"[query - ARG for MAp count].s_workspace\",\"mergedName\":\"s_workspace\",\"fromId\":\"9862f923-5d48-4232-8b1d-54f18cd153d3\"},{\"originalName\":\"[query - ARG for MAp count].count_\",\"mergedName\":\"count_\",\"fromId\":\"9862f923-5d48-4232-8b1d-54f18cd153d3\"}]}",
|
|
"size": 0,
|
|
"title": "Azure Sentinel Incident Count by Region",
|
|
"exportedParameters": [
|
|
{
|
|
"fieldName": "",
|
|
"parameterName": "exportMap1"
|
|
},
|
|
{
|
|
"fieldName": "location",
|
|
"parameterName": "location",
|
|
"parameterType": 1
|
|
}
|
|
],
|
|
"queryType": 7,
|
|
"visualization": "map",
|
|
"gridSettings": {
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "s_workspace",
|
|
"sortOrder": 1
|
|
}
|
|
]
|
|
},
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "s_workspace",
|
|
"sortOrder": 1
|
|
}
|
|
],
|
|
"mapSettings": {
|
|
"locInfo": "AzureLoc",
|
|
"locInfoColumn": "location",
|
|
"sizeSettings": "Total",
|
|
"sizeAggregation": "Sum",
|
|
"labelSettings": "location",
|
|
"legendMetric": "Total",
|
|
"numberOfMetrics": 50,
|
|
"legendAggregation": "Sum",
|
|
"itemColorSettings": {
|
|
"nodeColorField": "Total",
|
|
"colorAggregation": "Sum",
|
|
"type": "heatmap",
|
|
"heatmapPalette": "greenRed"
|
|
}
|
|
}
|
|
},
|
|
"customWidth": "50",
|
|
"showPin": false,
|
|
"name": "query - 6"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "resources\r\n// Just show Workspaces that have Sentinel enabled\r\n| where type =~ \"microsoft.operationsmanagement/solutions\"\r\n| where name has \"SecurityInsights\"\r\n| parse name with * '(' s_workspace ')'*\r\n| summarize count() by location, s_workspace",
|
|
"size": 0,
|
|
"title": "Azure Sentinel Workspaces by Azure Region",
|
|
"exportParameterName": "exportMap2",
|
|
"queryType": 1,
|
|
"resourceType": "microsoft.resourcegraph/resources",
|
|
"crossComponentResources": [
|
|
"{Subscription}"
|
|
],
|
|
"visualization": "map",
|
|
"mapSettings": {
|
|
"locInfo": "AzureLoc",
|
|
"locInfoColumn": "location",
|
|
"sizeSettings": "count_",
|
|
"sizeAggregation": "Sum",
|
|
"labelSettings": "location",
|
|
"legendMetric": "location",
|
|
"legendAggregation": "Count",
|
|
"itemColorSettings": {
|
|
"nodeColorField": "count_",
|
|
"colorAggregation": "Sum",
|
|
"type": "heatmap",
|
|
"heatmapPalette": "greenRed"
|
|
}
|
|
}
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 10"
|
|
},
|
|
{
|
|
"type": 9,
|
|
"content": {
|
|
"version": "KqlParameterItem/1.0",
|
|
"crossComponentResources": [
|
|
"{Subscription}"
|
|
],
|
|
"parameters": [
|
|
{
|
|
"id": "5443aca4-a73d-46ad-aaea-bd391acc3f0d",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "getMapdata1",
|
|
"type": 1,
|
|
"isRequired": true,
|
|
"query": "extend a = parse_json('{exportMap1}')\r\n| project ['region']=a.regionName, ['Incident Count']=a.legendValue\r\n| limit 1",
|
|
"crossComponentResources": [
|
|
"{Subscription}"
|
|
],
|
|
"isHiddenWhenLocked": true,
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 1,
|
|
"resourceType": "microsoft.resourcegraph/resources"
|
|
},
|
|
{
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "getMapdata2",
|
|
"type": 1,
|
|
"isRequired": true,
|
|
"query": "extend a = parse_json('{exportMap2}')\r\n| project ['region']=a.regionName, ['Incident Count']=a.legendValue\r\n| limit 1",
|
|
"crossComponentResources": [
|
|
"{Subscription}"
|
|
],
|
|
"isHiddenWhenLocked": true,
|
|
"timeContext": {
|
|
"durationMs": 86400000
|
|
},
|
|
"queryType": 1,
|
|
"resourceType": "microsoft.resourcegraph/resources",
|
|
"id": "793ac0c4-7518-4e52-9509-eb1bdf97854b"
|
|
},
|
|
{
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "getMapdata1_count",
|
|
"type": 1,
|
|
"isRequired": true,
|
|
"query": "extend a = parse_json('{exportMap1}')\r\n| project ['Incident Count']=a.legendValue\r\n| limit 1",
|
|
"crossComponentResources": [
|
|
"{Subscription}"
|
|
],
|
|
"isHiddenWhenLocked": true,
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 1,
|
|
"resourceType": "microsoft.resourcegraph/resources",
|
|
"id": "d4349432-c9cf-436e-9ede-2cd303c4bc9c"
|
|
},
|
|
{
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "getMapdata2_count",
|
|
"type": 1,
|
|
"isRequired": true,
|
|
"query": "extend a = parse_json('{exportMap2}')\r\n| project ['Incident Count']=a.legendValue\r\n| limit 1",
|
|
"crossComponentResources": [
|
|
"{Subscription}"
|
|
],
|
|
"isHiddenWhenLocked": true,
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 1,
|
|
"resourceType": "microsoft.resourcegraph/resources",
|
|
"id": "88076350-2736-407f-a272-6b473dc92c6c"
|
|
}
|
|
],
|
|
"style": "above",
|
|
"queryType": 1,
|
|
"resourceType": "microsoft.resourcegraph/resources"
|
|
},
|
|
"name": "parameters - 8"
|
|
},
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "### Results from clicking on the Maps above\r\n--------------\r\n\r\n|Azure Region|Location|Incident Count|Workspace Counter|\r\n|---|---|---|\r\n|Azure Sentinel Incident Count by Region| {getMapdata1}|{getMapdata1_count}||\r\n|Azure Sentinel Workspaces by Azure Region| {getMapdata2}||{getMapdata2_count}|\r\n\r\n-----------"
|
|
},
|
|
"name": "text - 7"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "SecurityIncident\r\n// Get the Workspace Name(s) from a parameter\r\n| extend stringtoSplit = split(\"{WorkspaceIDguid}\",\",\")\r\n| mvexpand stringtoSplit\r\n| where stringtoSplit has TenantId\r\n| extend workSpacename = trim(@\"[^\\w]+\",tostring(split(stringtoSplit,\":\").[1]))\r\n// end of get workspace name section\r\n| extend Tactics_ = tostring(parse_json(tostring(AdditionalData.tactics)))\r\n| summarize count()\r\n by workSpacename, Tactics_\r\n| order by count_ desc\r\n\r\n\r\n\r\n\r\n\r\n\r\n",
|
|
"size": 1,
|
|
"title": "Count of Tactics for selected Workspaces",
|
|
"timeContext": {
|
|
"durationMs": 2592000000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"visualization": "table",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "count_",
|
|
"formatter": 3,
|
|
"formatOptions": {
|
|
"palette": "coldHot"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "High",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "greenRed"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Medium",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "greenRed"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Low",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "greenRed"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Informational",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "greenRed"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Total",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "coldHot"
|
|
}
|
|
}
|
|
],
|
|
"labelSettings": [
|
|
{
|
|
"columnId": "workSpacename"
|
|
},
|
|
{
|
|
"columnId": "Tactics_"
|
|
},
|
|
{
|
|
"columnId": "count_",
|
|
"label": "count"
|
|
}
|
|
]
|
|
},
|
|
"sortBy": []
|
|
},
|
|
"customWidth": "50",
|
|
"conditionalVisibility": {
|
|
"parameterName": "hide",
|
|
"comparison": "isEqualTo",
|
|
"value": "hide"
|
|
},
|
|
"name": "query - 3 - Copy - Copy - Copy"
|
|
}
|
|
]
|
|
},
|
|
"name": "group - overview"
|
|
},
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "---------------"
|
|
},
|
|
"name": "text - 9"
|
|
},
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"title": "Expand to Show: Incident details",
|
|
"expandable": true,
|
|
"expanded": true,
|
|
"items": [
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "SecurityIncident\r\n| where TimeGenerated > startofday(ago(0d))\r\n// Get the Workspace Name(s) from a parameter\r\n| extend stringtoSplit = split(\"{WorkspaceIDguid}\",\",\")\r\n| mv-expand stringtoSplit\r\n| where stringtoSplit has TenantId\r\n| extend workSpacename = trim(@\"[^\\w]+\",tostring(split(stringtoSplit,\":\").[1]))\r\n// end of get workspace name section\r\n| extend productName_ = tostring(parse_json(tostring(AdditionalData.alertProductNames))[0])\r\n| where productName_ in ({Product}) or '{Product:label}' ==\"All\"\r\n| summarize count() by IncidentNumber, Title, productName_, Severity, [\"Workspace\"] = workSpacename, IncidentUrl\r\n| order by Workspace asc , IncidentNumber desc\r\n//| top 50 by [\"Workspace\"]",
|
|
"size": 1,
|
|
"title": "{$rowCount} Incidents in Workspaces today",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"exportedParameters": [
|
|
{
|
|
"fieldName": "IncidentNumber",
|
|
"parameterName": "IncidentNumber",
|
|
"parameterType": 1
|
|
},
|
|
{
|
|
"fieldName": "Workspace",
|
|
"parameterName": "Workspace_export",
|
|
"parameterType": 1
|
|
}
|
|
],
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "productName_",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"customColumnWidthSetting": "30ch"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Severity",
|
|
"formatter": 18,
|
|
"formatOptions": {
|
|
"thresholdsOptions": "colors",
|
|
"thresholdsGrid": [
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "High",
|
|
"representation": "redBright",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "Medium",
|
|
"representation": "orange",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "Low",
|
|
"representation": "greenDark",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "Default",
|
|
"thresholdValue": null,
|
|
"representation": "lightBlue",
|
|
"text": "{0}{1}"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Workspace",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "IncidentUrl",
|
|
"formatter": 7,
|
|
"formatOptions": {
|
|
"linkTarget": "Url",
|
|
"linkLabel": "Open Azure Sentinel Incident"
|
|
}
|
|
}
|
|
],
|
|
"rowLimit": 5000,
|
|
"filter": true,
|
|
"hierarchySettings": {
|
|
"treeType": 1,
|
|
"groupBy": [
|
|
"Workspace"
|
|
]
|
|
},
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "IncidentNumber",
|
|
"sortOrder": 2
|
|
}
|
|
],
|
|
"labelSettings": [
|
|
{
|
|
"columnId": "IncidentNumber"
|
|
},
|
|
{
|
|
"columnId": "Title"
|
|
},
|
|
{
|
|
"columnId": "productName_",
|
|
"label": "Product Name"
|
|
},
|
|
{
|
|
"columnId": "Severity"
|
|
},
|
|
{
|
|
"columnId": "IncidentUrl"
|
|
}
|
|
]
|
|
},
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "IncidentNumber",
|
|
"sortOrder": 2
|
|
}
|
|
]
|
|
},
|
|
"name": "query - multi Alerts"
|
|
},
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "For further analysis I suggest you open the Azure Sentinel Incident Blade and _Investigate_ (use the hyper link provided in the table, if you have the correct RBAC).\r\n\r\nAlternatively open the [_Investigation Insights_] or [_Incident Overview_] Workbooks for guided and deeper investigation. Open Incident Overview from the Portal, _Investigation Insights_ can be opened to the right --->.\r\n\r\n- You must have previoulsy SAVED these Workbooks in your workspace(s). \r\n- Investigation Insights requires release v1.2 or above (you may have to manually select the Workspace), for prior versions you will have to select the matching Incident Number as well. \r\n- For the Workbooks to be listed, they need \"Investigation\" in the name when you save them."
|
|
},
|
|
"customWidth": "50",
|
|
"name": "text - 7"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "resources\r\n | where type == \"microsoft.insights/workbooks\"\r\n | where properties.displayName has \"Investigation\" // or properties.displayName has \"Incident\"\r\n | where properties.displayName has '{Workspace_export}'\r\n | project properties.displayName, id, {IncidentNumber}\r\n",
|
|
"size": 4,
|
|
"title": "Workspace Name: {Workspace_export}",
|
|
"queryType": 1,
|
|
"resourceType": "microsoft.resourcegraph/resources",
|
|
"crossComponentResources": [
|
|
"{Subscription}"
|
|
],
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "properties_displayName",
|
|
"formatter": 1
|
|
},
|
|
{
|
|
"columnMatch": "id",
|
|
"formatter": 7,
|
|
"formatOptions": {
|
|
"linkTarget": "WorkbookTemplate",
|
|
"linkLabel": "Open Workbook",
|
|
"linkIsContextBlade": true
|
|
}
|
|
}
|
|
],
|
|
"labelSettings": [
|
|
{
|
|
"columnId": "properties_displayName",
|
|
"label": "Workbook Name"
|
|
},
|
|
{
|
|
"columnId": "id",
|
|
"label": "Open"
|
|
},
|
|
{
|
|
"columnId": "Column1",
|
|
"label": "Incident Number"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 11"
|
|
},
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "### Select a single workspace to see Incident level details "
|
|
},
|
|
"name": "text - 6"
|
|
},
|
|
{
|
|
"type": 9,
|
|
"content": {
|
|
"version": "KqlParameterItem/1.0",
|
|
"crossComponentResources": [
|
|
"{Subscription}"
|
|
],
|
|
"parameters": [
|
|
{
|
|
"id": "4383a3f4-7606-41a7-b1cf-e5bffd2d9ecb",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "iWorkspace",
|
|
"label": "Incident Workspace",
|
|
"type": 7,
|
|
"query": "resources\r\n// Just show Workspaces that have Sentinel enabled\r\n| where type =~ \"microsoft.operationsmanagement/solutions\"\r\n| where name has \"SecurityInsights\"\r\n| parse name with * '(' s_workspace ')'*\r\n| project name = s_workspace\r\n| sort by name asc",
|
|
"crossComponentResources": [
|
|
"{Subscription}"
|
|
],
|
|
"value": "CyberSecuritySOC",
|
|
"typeSettings": {
|
|
"additionalResourceOptions": [],
|
|
"showDefault": false
|
|
},
|
|
"queryType": 1,
|
|
"resourceType": "microsoft.resourcegraph/resources"
|
|
},
|
|
{
|
|
"id": "c2494755-05cc-4b93-b253-e8a0d4b7c899",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "iResourceGroup",
|
|
"type": 1,
|
|
"query": "resources\r\n| where type =~ 'microsoft.operationalinsights/workspaces'\r\n| where tolower(name) == \"{iWorkspace}\"\r\n| project resourceGroup",
|
|
"crossComponentResources": [
|
|
"{Subscription}"
|
|
],
|
|
"isHiddenWhenLocked": true,
|
|
"queryType": 1,
|
|
"resourceType": "microsoft.resourcegraph/resources"
|
|
}
|
|
],
|
|
"style": "above",
|
|
"queryType": 1,
|
|
"resourceType": "microsoft.resourcegraph/resources"
|
|
},
|
|
"name": "parameters - 5"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "SecurityIncident\r\n// Get the Workspace Name(s) from a parameter\r\n| extend stringtoSplit = split(\"{WorkspaceIDguid}\",\",\")\r\n| mv-expand stringtoSplit\r\n| where stringtoSplit has TenantId\r\n| extend workSpacename = trim(@\"[^\\w]+\",tostring(split(stringtoSplit,\":\").[1]))\r\n// end of workspace validation, now match workspace to the selected parameter\r\n| where tolower(workSpacename) == tolower('{iWorkspace}')\r\n| summarize arg_max(TimeGenerated,*) by tostring(IncidentNumber)\r\n| extend Alerts = extract(\"\\\\[(.*?)\\\\]\", 1, tostring(AlertIds))\r\n| extend productName_ = tostring(parse_json(tostring(AdditionalData.alertProductNames))[0])\r\n| where productName_ in ({Product}) or '{Product:label}' ==\"All\"\r\n| mv-expand AlertIds to typeof(string)\r\n| join \r\n(\r\n SecurityAlert\r\n | extend AlertEntities = parse_json(Entities)\r\n | mv-expand AlertEntities\r\n) on $left.AlertIds == $right.SystemAlertId\r\n| summarize AlertCount=dcount(AlertIds), entityList=make_set(tostring(AlertEntities.Type)) by IncidentNumber, Status, Severity, Title, Alerts, IncidentUrl, Owner=tostring(Owner.userPrincipalName) , Tactics =tostring(AdditionalData.tactics), workSpacename, productName_\r\n// set column order\r\n| project workSpacename, IncidentNumber, Severity, Status, AlertCount,Owner, Title, entityList, Tactics, IncidentUrl, productName_\r\n| order by IncidentNumber desc\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n",
|
|
"size": 0,
|
|
"title": "Details for {iWorkspace} Workspace, count of: {$rowCount} Incidents during {TimeRange:label}",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"showExportToExcel": true,
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "workSpacename",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "Severity",
|
|
"formatter": 18,
|
|
"formatOptions": {
|
|
"thresholdsOptions": "colors",
|
|
"thresholdsGrid": [
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "High",
|
|
"representation": "redBright",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "Medium",
|
|
"representation": "orange",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "Low",
|
|
"representation": "greenDark",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "Default",
|
|
"thresholdValue": null,
|
|
"representation": "lightBlue",
|
|
"text": "{0}{1}"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Status",
|
|
"formatter": 18,
|
|
"formatOptions": {
|
|
"thresholdsOptions": "colors",
|
|
"thresholdsGrid": [
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "New",
|
|
"representation": "gray",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "Default",
|
|
"thresholdValue": null,
|
|
"representation": "blue",
|
|
"text": "{0}{1}"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "AlertCount",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "greenRed"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "IncidentUrl",
|
|
"formatter": 1,
|
|
"formatOptions": {
|
|
"linkTarget": "Url",
|
|
"linkLabel": "Open Incident in Azure Sentinel "
|
|
}
|
|
}
|
|
],
|
|
"rowLimit": 500,
|
|
"filter": true,
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "IncidentNumber",
|
|
"sortOrder": 2
|
|
}
|
|
]
|
|
},
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "IncidentNumber",
|
|
"sortOrder": 2
|
|
}
|
|
]
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "iWorkspace",
|
|
"comparison": "isNotEqualTo",
|
|
"value": ""
|
|
},
|
|
"name": "query - single alert"
|
|
}
|
|
]
|
|
},
|
|
"name": "group - Incidents"
|
|
}
|
|
],
|
|
"fallbackResourceIds": [
|
|
"Azure Monitor"
|
|
],
|
|
"fromTemplateId": "sentinel-SentinelCentral",
|
|
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
|
|
} |