Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность
Azure-Sentinel/Workbooks/SymantecProxySG.json

492 строки
17 KiB
JSON
Исходник Ответственный История

{
"version": "Notebook/1.0",
"items": [
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "2314cc81-4c5b-4754-8373-c69685ad2d1f",
"version": "KqlParameterItem/1.0",
"name": "TimeRange",
"type": 4,
"value": {
"durationMs": 86400000
},
"typeSettings": {
"selectableValues": [
{
"durationMs": 300000
},
{
"durationMs": 900000
},
{
"durationMs": 1800000
},
{
"durationMs": 3600000
},
{
"durationMs": 14400000
},
{
"durationMs": 43200000
},
{
"durationMs": 86400000
},
{
"durationMs": 172800000
},
{
"durationMs": 259200000
},
{
"durationMs": 604800000
},
{
"durationMs": 1209600000
},
{
"durationMs": 2419200000
},
{
"durationMs": 2592000000
},
{
"durationMs": 5184000000
},
{
"durationMs": 7776000000
}
]
},
"resourceType": "microsoft.insights/components",
"label": "Time Range"
},
{
"id": "494e3bb8-f769-4c4a-918b-278d8082ac66",
"version": "KqlParameterItem/1.0",
"name": "Host",
"label": "Proxy Device",
"type": 2,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "SymantecProxySG\r\n| distinct Computer",
"value": [
"value::all"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
]
},
"timeContext": {
"durationMs": 259200000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
{
"id": "c40f7ad2-8191-41eb-8d28-887280d4dc19",
"version": "KqlParameterItem/1.0",
"name": "FilterResults",
"label": "Filter Result",
"type": 2,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "SymantecProxySG\n| distinct sc_filter_result",
"value": [
"value::all"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
]
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
{
"id": "72f17d90-aaf9-418e-9c77-b1e8bc06ebb4",
"version": "KqlParameterItem/1.0",
"name": "ThreatRisk",
"label": "Threat Risk",
"type": 2,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "SymantecProxySG\n| extend threat_score = case(cs_threat_risk in (\"1\",\"2\"), \"Low\",\ncs_threat_risk in (\"3\",\"4\"), \"Medium-Low\",\ncs_threat_risk in (\"5\",\"6\"), \"Medium\",\ncs_threat_risk in (\"7\",\"8\",\"9\"), \"Medium-High\",\ncs_threat_risk in (\"10\"), \"High\",\"none\")\n| extend threat_risk = strcat(cs_threat_risk,\" - \", threat_score)\n| distinct cs_threat_risk, threat_risk\n| sort by cs_threat_risk asc",
"value": [
"value::all"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
]
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
}
],
"style": "above",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 1"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SymantecProxySG\r\n| where Computer in ({Host}) or '*' in ({Host})\r\n| where cs_threat_risk in ({ThreatRisk}) or '*' in ({ThreatRisk})\r\n| where sc_filter_result in ({FilterResults}) or '*' in ({FilterResults}) \r\n| summarize count() by sc_filter_result, bin(TimeGenerated, {TimeRange:grain})",
"size": 0,
"title": "Total Events by Filter Results",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "areachart"
},
"name": "query - 7"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SymantecProxySG\r\n| where Computer in ({Host}) or '*' in ({Host})\r\n| where cs_threat_risk in ({ThreatRisk}) or '*' in ({ThreatRisk})\r\n| where sc_filter_result in ({FilterResults}) or '*' in ({FilterResults}) \r\n| mv-expand cs_categories\r\n| summarize count() by tostring(cs_categories)",
"size": 0,
"title": "Web Browsing by Category",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "40",
"name": "query - 3"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SymantecProxySG\r\n| where Computer in ({Host}) or '*' in ({Host})\r\n| where cs_threat_risk in ({ThreatRisk}) or '*' in ({ThreatRisk})\r\n| where sc_filter_result in ({FilterResults}) or '*' in ({FilterResults}) \r\n| mv-expand cs_categories\r\n| summarize count() by tostring(cs_categories), bin(TimeGenerated, {TimeRange:grain})",
"size": 0,
"title": "Total Events by Category",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "barchart"
},
"customWidth": "60",
"name": "query - 6"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SymantecProxySG\r\n| where Computer in ({Host}) or '*' in ({Host})\r\n| where cs_threat_risk in ({ThreatRisk}) or '*' in ({ThreatRisk})\r\n| where sc_filter_result in ({FilterResults}) or '*' in ({FilterResults}) \r\n| where cs_userdn != \"-\"\r\n| summarize count(cs_host) by cs_userdn\r\n| top 10 by count_cs_host desc",
"size": 0,
"title": "Top 10 Users by Web Browsing Activity",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "categoricalbar"
},
"name": "query - 2"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SymantecProxySG\r\n| where Computer in ({Host}) or '*' in ({Host})\r\n| summarize count(sent_bytes) by cs_host\r\n| top 5 by count_sent_bytes desc",
"size": 0,
"title": "Top 10 URL - Date Sent",
"noDataMessage": "Top 10 WebSites Sent Data",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "count_sent_bytes",
"formatter": 3,
"formatOptions": {
"palette": "blue"
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"maximumFractionDigits": 2
}
}
}
],
"labelSettings": [
{
"columnId": "cs_host",
"label": "URL"
},
{
"columnId": "count_sent_bytes",
"label": "Total"
}
]
},
"tileSettings": {
"showBorder": false,
"titleContent": {
"columnMatch": "cs_host",
"formatter": 1
},
"leftContent": {
"columnMatch": "count_sent_bytes",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
},
"graphSettings": {
"type": 0,
"topContent": {
"columnMatch": "cs_host",
"formatter": 1
},
"centerContent": {
"columnMatch": "count_sent_bytes",
"formatter": 1,
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
}
},
"customWidth": "50",
"name": "query - 4"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SymantecProxySG\r\n| where Computer in ({Host}) or '*' in ({Host})\r\n| summarize count(received_bytes) by cs_host\r\n| top 5 by count_received_bytes desc\r\n",
"size": 0,
"title": "Top 10 URL - Data Received",
"noDataMessage": "Top 5 Website Data Received",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "count_received_bytes",
"formatter": 3,
"formatOptions": {
"palette": "blue"
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"useGrouping": false,
"maximumFractionDigits": 2
}
}
}
],
"labelSettings": [
{
"columnId": "cs_host",
"label": "URL"
},
{
"columnId": "count_received_bytes",
"label": "Total"
}
]
}
},
"customWidth": "50",
"name": "query - 5"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SymantecProxySG\r\n| where Computer in ({Host}) or '*' in ({Host})\r\n| where cs_threat_risk in ({ThreatRisk}) or '*' in ({ThreatRisk})\r\n| where sc_filter_result in ({FilterResults}) or '*' in ({FilterResults}) \r\n| where sc_filter_result == \"DENIED\"\r\n| summarize count() by cs_host\r\n| top 10 by count_ desc\r\n",
"size": 0,
"title": "Top 10 Blocked Websites",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "cs_host",
"formatter": 1,
"formatOptions": {}
},
{
"columnMatch": "count_",
"formatter": 3,
"formatOptions": {
"palette": "blue"
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"maximumFractionDigits": 2
}
}
}
],
"labelSettings": [
{
"columnId": "cs_host",
"label": "URL"
},
{
"columnId": "count_",
"label": "Total"
}
]
}
},
"customWidth": "50",
"name": "query - 8"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SymantecProxySG\r\n| where Computer in ({Host}) or '*' in ({Host})\r\n| where cs_threat_risk in ({ThreatRisk}) or '*' in ({ThreatRisk})\r\n| where sc_filter_result in ({FilterResults}) or '*' in ({FilterResults}) \r\n| where sc_filter_result in (\"PROXIED\",\"OBSERVED\")\r\n| summarize count() by cs_host\r\n| top 10 by count_ desc",
"size": 0,
"title": "Top 10 Allowed Websites",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "count_",
"formatter": 3,
"formatOptions": {
"palette": "blue"
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"maximumFractionDigits": 2
}
}
}
],
"rowLimit": 10,
"labelSettings": [
{
"columnId": "cs_host",
"label": "URL"
},
{
"columnId": "count_",
"label": "Total"
}
]
}
},
"customWidth": "50",
"name": "query - 9"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SymantecProxySG\r\n| where Computer in ({Host}) or '*' in ({Host})\r\n| where cs_threat_risk in ({ThreatRisk}) or '*' in ({ThreatRisk})\r\n| where sc_filter_result in ({FilterResults}) or '*' in ({FilterResults}) \r\n| where sc_filter_result contains \"DENIED\"\r\n| where country != \"None\" \r\n| where cs_host != \"127.0.0.1\" and cs_host != \"0.0.0.0\"\r\n| summarize Total = count() by ['Host URL'] = cs_host, Country = country\r\n| top 10 by Total\r\n",
"size": 0,
"title": "Top Denied Host URL",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table"
},
"customWidth": "50",
"name": "query - 11"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SymantecProxySG\r\n| where Computer in ({Host}) or '*' in ({Host})\r\n| where cs_threat_risk in ({ThreatRisk}) or '*' in ({ThreatRisk})\r\n| where sc_filter_result in ({FilterResults}) or '*' in ({FilterResults}) \r\n| extend threat_score = case(cs_threat_risk in (\"1\",\"2\"), \"Low\",\r\ncs_threat_risk in (\"3\",\"4\"), \"Medium-Low\",\r\ncs_threat_risk in (\"5\",\"6\"), \"Medium\",\r\ncs_threat_risk in (\"7\",\"8\",\"9\"), \"Medium-High\",\r\ncs_threat_risk in (\"10\"), \"High\",\"none\")\r\n| summarize count() by threat_score, bin(TimeGenerated, {TimeRange:grain})",
"size": 0,
"title": "Threat Risks by Time",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "categoricalbar"
},
"customWidth": "50",
"name": "query - 10"
}
],
"fromTemplateId": "sentinel-UserWorkbook",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}
Ссылка в новой задаче Показать git blame Копировать постоянную ссылку