{
"version": "Notebook/1.0",
"items": [
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "5d84a856-8fc4-4bb1-8f7d-ca97d9a780bb",
"version": "KqlParameterItem/1.0",
"name": "TimeRange",
"type": 4,
"isRequired": true,
"value": {
"durationMs": 86400000
},
"typeSettings": {
"selectableValues": [
{
"durationMs": 300000
},
{
"durationMs": 900000
},
{
"durationMs": 1800000
},
{
"durationMs": 3600000
},
{
"durationMs": 14400000
},
{
"durationMs": 43200000
},
{
"durationMs": 86400000
},
{
"durationMs": 172800000
},
{
"durationMs": 259200000
},
{
"durationMs": 604800000
},
{
"durationMs": 1209600000
},
{
"durationMs": 2419200000
},
{
"durationMs": 2592000000
},
{
"durationMs": 5184000000
},
{
"durationMs": 7776000000
}
]
},
"timeContext": {
"durationMs": 86400000
}
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 2"
},
{
"type": 11,
"content": {
"version": "LinkItem/1.0",
"style": "tabs",
"links": [
{
"cellValue": "Tab",
"linkTarget": "parameter",
"linkLabel": "Overview",
"subTarget": "Overview",
"style": "link"
},
{
"cellValue": "Tab",
"linkTarget": "parameter",
"linkLabel": "Conversation Partners",
"subTarget": "ConversationPartners",
"style": "link"
},
{
"cellValue": "Tab",
"linkTarget": "parameter",
"linkLabel": "Traffic Analysis",
"subTarget": "TrafficAnalysis",
"style": "link"
},
{
"cellValue": "Tab",
"linkTarget": "parameter",
"linkLabel": "Top-N",
"subTarget": "TopN",
"style": "link"
},
{
"cellValue": "Tab",
"linkTarget": "parameter",
"linkLabel": "Geo Location",
"subTarget": "GeoLocation",
"style": "link"
}
]
},
"name": "links - 4"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "IP Version and Protocols (Sum of Bytes)",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "netflow_CL\n| summarize Sum = sum(netflow_in_bytes_d) by netflow_ip_protocol_version_d\n| extend IPVersion = iff(netflow_ip_protocol_version_d == 4, \"4\", iff(netflow_ip_protocol_version_d == 6, \"6\", \"Unknown\"))\n| project IPVersion, Sum",
"size": 4,
"timeContext": {
"durationMs": 86400000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"name": "query - 2",
"styleSettings": {
"maxWidth": "50%"
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let data = externaldata (Decimal:int, Keyword:string) [\"https://www.iana.org/assignments/protocol-numbers/protocol-numbers-1.csv\"]\nwith(ignorefirstrecord=true);\nnetflow_CL\n| extend NetflowProtocol = toint(netflow_protocol_d)\n| summarize Sum = sum(netflow_in_bytes_d) by NetflowProtocol\n| join (\ndata\n ) on $left.NetflowProtocol == $right.Decimal\n | project-rename Protocol = Keyword\n | project Protocol, Sum\n",
"size": 4,
"timeContext": {
"durationMs": 86400000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"name": "query - 3",
"styleSettings": {
"maxWidth": "50%"
}
}
]
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "Overview"
},
"name": "group - 4"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "Destinations and Ports (Sum of Bytes)",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": " netflow_CL\n | where isnotempty(netflow_ipv4_dst_addr_s)\n | summarize Sum = sum(netflow_in_bytes_d) by netflow_ipv4_dst_addr_s\n | project-rename DestinationIP = netflow_ipv4_dst_addr_s",
"size": 2,
"timeContext": {
"durationMs": 86400000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"name": "query - 0",
"styleSettings": {
"maxWidth": "50%"
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let data = externaldata (ServiceName:string, PortNumber:int) [\"https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.csv\"]\nwith(ignorefirstrecord=true);\nnetflow_CL\n| where isnotempty(netflow_l4_dst_port_d)\n| where netflow_l4_dst_port_d != 0\n| summarize Sum = sum(netflow_in_bytes_d) by netflow_l4_dst_port_d\n| extend Port = toint(netflow_l4_dst_port_d)\n| join (\ndata\n ) on $left.Port == $right.PortNumber\n | extend ServicePort = tostring(Port)\n | project ServicePort, Sum\n \n \n",
"size": 2,
"timeContext": {
"durationMs": 86400000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"name": "query - 1",
"styleSettings": {
"maxWidth": "50%"
}
}
]
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "Overview"
},
"name": "group - 3"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "Sources and Ports (Sum of Bytes)",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": " netflow_CL\n | where isnotempty(netflow_ipv4_src_addr_s)\n | summarize Sum = sum(netflow_in_bytes_d) by netflow_ipv4_src_addr_s\n | project-rename SourceIP = netflow_ipv4_src_addr_s",
"size": 3,
"timeContext": {
"durationMs": 86400000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"name": "query - 0",
"styleSettings": {
"maxWidth": "50%"
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let data = externaldata (ServiceName:string, PortNumber:int) [\"https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.csv\"]\nwith(ignorefirstrecord=true);\nnetflow_CL\n| where isnotempty(netflow_l4_src_port_d)\n| where netflow_l4_src_port_d != 0\n| summarize Sum = sum(netflow_in_bytes_d) by netflow_l4_src_port_d\n| extend Port = toint(netflow_l4_src_port_d)\n| join (\ndata\n ) on $left.Port == $right.PortNumber\n | extend ServicePort = tostring(Port)\n | project ServicePort, Sum\n \n \n",
"size": 3,
"timeContext": {
"durationMs": 86400000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"name": "query - 1",
"styleSettings": {
"maxWidth": "50%"
}
}
]
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "Overview"
},
"name": "group - 3 - Copy"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "TCP Flags and Types of Service (Sum of Bytes)",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "netflow_CL\n| where isnotempty(netflow_tcp_flags_d)\n| summarize Sum = sum(netflow_in_bytes_d) by netflow_tcp_flags_d\n| extend TCPFlags = toint(netflow_tcp_flags_d)\n| project tostring(TCPFlags), Sum\n",
"size": 3,
"timeContext": {
"durationMs": 86400000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"name": "query - 0",
"styleSettings": {
"maxWidth": "50%"
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "netflow_CL\n| where isnotempty(netflow_src_tos_d)\n| summarize Sum = sum(netflow_in_bytes_d) by netflow_src_tos_d\n| extend TOS = toint(netflow_src_tos_d)\n| project tostring(TOS), Sum",
"size": 3,
"timeContext": {
"durationMs": 86400000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"name": "query - 1",
"styleSettings": {
"maxWidth": "50%"
}
}
]
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "Overview"
},
"name": "group - 3 - Copy - Copy"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "ASN and Location (Sum of Bytes)",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "netflow_CL\n| summarize Sum = sum(netflow_in_bytes_d) by netflow_destinationASN_as_org_s",
"size": 3,
"timeContext": {
"durationMs": 86400000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"name": "query - 0",
"styleSettings": {
"maxWidth": "50%"
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "netflow_CL\n| summarize Sum = sum(netflow_in_bytes_d) by netflow_destinationGeo_country_code2_s, netflow_destinationGeo_city_name_s\n| extend City = iff(isempty(netflow_destinationGeo_city_name_s), \"Other\", netflow_destinationGeo_city_name_s)\n| extend Country = iff(isempty(netflow_destinationGeo_country_code2_s), \"Other\", netflow_destinationGeo_country_code2_s)\n| extend Location = strcat(City, \", \", Country)\n| project Location, Sum\n\n",
"size": 3,
"timeContext": {
"durationMs": 86400000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"name": "query - 1",
"styleSettings": {
"maxWidth": "50%"
}
}
]
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "Overview"
},
"name": "group - 3 - Copy - Copy - Copy"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "Sources and Destinations (Sum of Bytes)",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "netflow_CL\n| summarize Sum = sum(netflow_in_bytes_d) by netflow_ipv4_src_addr_s\n| sort by Sum desc",
"size": 3,
"timeContext": {
"durationMs": 86400000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "50",
"name": "query - 0"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "netflow_CL\n| summarize Sum = sum(netflow_in_bytes_d) by netflow_ipv4_dst_addr_s\n| sort by Sum desc",
"size": 3,
"timeContext": {
"durationMs": 86400000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "50",
"name": "query - 1"
}
]
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "ConversationPartners"
},
"name": "group - 3 - Copy - Copy - Copy - Copy"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "Source and Destination Ports (Sum of Bytes)",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "netflow_CL\n| summarize Sum = sum(netflow_in_bytes_d) by netflow_l4_src_port_d\n| extend SourcePort = toint(netflow_l4_src_port_d)\n| project tostring(SourcePort), Sum\n| sort by Sum desc",
"size": 3,
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"name": "query - 0"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "netflow_CL\n| summarize Sum = sum(netflow_in_bytes_d) by netflow_l4_dst_port_d\n| extend DestinationPort = toint(netflow_l4_dst_port_d)\n| project tostring(DestinationPort), Sum\n| sort by Sum desc",
"size": 3,
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"name": "query - 1"
}
]
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "ConversationPartners"
},
"name": "group - 8"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "Conversation Partners",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "netflow_CL\n| summarize MB = sum(netflow_in_bytes_d)/1024/1024, Packets = sum(netflow_in_pkts_d), Records = count() by Source = netflow_ipv4_src_addr_s, Destination = netflow_ipv4_dst_addr_s\n| sort by MB desc",
"size": 0,
"timeContext": {
"durationMs": 86400000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "MB",
"formatter": 8,
"formatOptions": {
"palette": "blue"
}
},
{
"columnMatch": "Packets",
"formatter": 8,
"formatOptions": {
"palette": "orange"
}
},
{
"columnMatch": "Records",
"formatter": 8,
"formatOptions": {
"palette": "green"
}
}
]
}
},
"name": "query - 0"
}
]
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "ConversationPartners"
},
"name": "group - 10"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "Sources",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "netflow_CL\n| where isnotempty(netflow_ipv4_src_addr_s)\n| summarize MB = sum(netflow_in_bytes_d)/1024/1024 by SourceIP = netflow_ipv4_src_addr_s\n| sort by MB desc",
"size": 4,
"title": "Sources by MB",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "50",
"name": "SourcesbyMB"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "netflow_CL\n| where isnotempty(netflow_ipv4_src_addr_s)\n| distinct netflow_ipv4_src_addr_s\n| count\n| extend SourceIP = \"Count of Source IPs\"\n",
"size": 3,
"timeContext": {
"durationMs": 86400000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"tileSettings": {
"titleContent": {
"columnMatch": "SourceIP",
"formatter": 1
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"palette": "blue"
}
},
"showBorder": false
}
},
"customWidth": "50",
"name": "query - 1"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let data = netflow_CL\n| where isnotempty(netflow_ipv4_src_addr_s)\n| summarize MB = sum(netflow_in_bytes_d)/1024/1024 by SourceIP = netflow_ipv4_src_addr_s\n| top 10 by MB\n| project SourceIP;\n netflow_CL\n | where netflow_ipv4_src_addr_s in (data)\n | summarize MB = sum(netflow_in_bytes_d)/1024/1024 by SourceIP = netflow_ipv4_src_addr_s, bin(TimeGenerated, 1m)",
"size": 3,
"title": "Source by MB Over Time",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "linechart"
},
"customWidth": "100",
"name": "SourcebyMBoverTime"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let data = netflow_CL\n| where isnotempty(netflow_in_pkts_d)\n| summarize Count = sum(netflow_in_pkts_d) by SourceIP = netflow_ipv4_src_addr_s\n| top 10 by Count\n| project SourceIP;\n netflow_CL\n | where netflow_ipv4_src_addr_s in (data)\n | summarize Count = sum(netflow_in_pkts_d) by SourceIP = netflow_ipv4_src_addr_s, bin(TimeGenerated, 1m)",
"size": 3,
"title": "Source by Packet Count Over Time",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "linechart"
},
"name": "SourcebyPacketCountoverTime"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "netflow_CL\n| where isnotempty(netflow_l4_src_port_d)\n| summarize MB = sum(netflow_in_bytes_d)/1024/1024 by SourcePort = netflow_l4_src_port_d\n| project tostring(SourcePort), MB\n| sort by MB desc",
"size": 4,
"title": "Source by Port",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "50",
"name": "SourcebyPort"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "netflow_CL\n| where isnotempty(netflow_l4_src_port_d)\n| distinct netflow_l4_src_port_d\n| count\n| extend SourcePorts = \"Count of Source Ports\"\n",
"size": 3,
"timeContext": {
"durationMs": 86400000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"tileSettings": {
"titleContent": {
"columnMatch": "SourcePorts",
"formatter": 1
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"palette": "blue"
}
},
"showBorder": false
}
},
"customWidth": "50",
"name": "query - 1"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let data = netflow_CL\n| where isnotempty(netflow_l4_src_port_d)\n| summarize bytes = sum(netflow_in_bytes_d) by SourcePort = netflow_l4_src_port_d\n| top 10 by bytes;\n netflow_CL\n | where netflow_l4_src_port_d in (data)\n | summarize MB = sum(netflow_in_bytes_d)/1024/1024 by SourcePort = netflow_l4_src_port_d, bin(TimeGenerated, 1m)\n | project tostring(SourcePort), MB, TimeGenerated\n",
"size": 3,
"title": "Source Port by MB Over Time",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "linechart"
},
"customWidth": "100",
"name": "SourcePortbyMBoverTime"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let data = netflow_CL\n| where isnotempty(netflow_in_pkts_d)\n| summarize Count = sum(netflow_in_pkts_d) by SourcePort = netflow_l4_src_port_d\n| top 10 by Count\n| project SourcePort;\n netflow_CL\n | where netflow_l4_src_port_d in (data)\n | summarize Count = sum(netflow_in_pkts_d) by SourcePort = tostring(netflow_l4_src_port_d), bin(TimeGenerated, 1m)",
"size": 3,
"title": "Source Port by Count Over Time",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "linechart"
},
"name": "SourcePortbyCountoverTime"
}
]
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "TrafficAnalysis"
},
"name": "Sources"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "Destinations",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "netflow_CL\n| where isnotempty(netflow_ipv4_dst_addr_s)\n| summarize MB = sum(netflow_in_bytes_d)/1024/1024 by DestinationIP = netflow_ipv4_dst_addr_s\n| sort by MB desc",
"size": 4,
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "50",
"name": "query - 0"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "netflow_CL\n| where isnotempty(netflow_ipv4_dst_addr_s)\n| distinct netflow_ipv4_dst_addr_s\n| count\n| extend SourceIP = \"Count of Destination IPs\"\n",
"size": 3,
"timeContext": {
"durationMs": 86400000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"tileSettings": {
"titleContent": {
"columnMatch": "SourceIP",
"formatter": 1
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"palette": "blue"
}
},
"showBorder": false
}
},
"customWidth": "50",
"name": "query - 1"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let data = netflow_CL\n| where isnotempty(netflow_ipv4_dst_addr_s)\n| summarize MB = sum(netflow_in_bytes_d)/1024/1024 by DestinationIP = netflow_ipv4_dst_addr_s\n| top 10 by MB\n| project DestinationIP;\n netflow_CL\n | where netflow_ipv4_dst_addr_s in (data)\n | summarize MB = sum(netflow_in_bytes_d)/1024/1024 by DestinationIP = netflow_ipv4_dst_addr_s, bin(TimeGenerated, 1m)",
"size": 3,
"title": "Destination by MB Over Time",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "linechart"
},
"name": "DestinationbyMBoverTime"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let data = netflow_CL\n| where isnotempty(netflow_in_pkts_d)\n| summarize Count = sum(netflow_in_pkts_d) by DestinationIP = netflow_ipv4_dst_addr_s\n| top 10 by Count\n| project DestinationIP;\n netflow_CL\n | where netflow_ipv4_dst_addr_s in (data)\n | summarize Count = sum(netflow_in_pkts_d) by DestinationIP = netflow_ipv4_dst_addr_s, bin(TimeGenerated, 1m)",
"size": 3,
"title": "Destination by Packet Count Over Time",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "linechart"
},
"name": "DestinationbyPacketCountoverTime"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "netflow_CL\n| where isnotempty(netflow_l4_dst_port_d)\n| summarize MB = sum(netflow_in_bytes_d)/1024/1024 by DestinationPort = tostring(netflow_l4_dst_port_d)\n| sort by MB desc",
"size": 4,
"title": "Destination by MB",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "50",
"name": "DestinationbyMB"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "netflow_CL\n| where isnotempty(netflow_l4_dst_port_d)\n| distinct netflow_l4_dst_port_d\n| count\n| extend SourcePorts = \"Count of Destination Ports\"\n",
"size": 4,
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"tileSettings": {
"titleContent": {
"columnMatch": "SourcePorts",
"formatter": 1
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"palette": "blue"
}
},
"showBorder": false
}
},
"customWidth": "50",
"name": "query - 8"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let data = netflow_CL\n| where isnotempty(netflow_l4_dst_port_d)\n| summarize MB = sum(netflow_in_bytes_d)/1024/1024 by DestinationPort = netflow_l4_dst_port_d\n| top 10 by MB\n| project DestinationPort;\n netflow_CL\n | where netflow_l4_dst_port_d in (data)\n | summarize MB = sum(netflow_in_bytes_d)/1024/1024 by DestinationPort = tostring(netflow_l4_dst_port_d), bin(TimeGenerated, 1m)",
"size": 3,
"title": "Destination Port by MB Over Time",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "linechart"
},
"name": "DestinationPortbyMBoverTime"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let data = netflow_CL\n| where isnotempty(netflow_in_pkts_d)\n| summarize Count = sum(netflow_in_pkts_d) by DestinationPort = netflow_l4_dst_port_d\n| top 10 by Count\n| project DestinationPort;\n netflow_CL\n | where netflow_l4_dst_port_d in (data)\n | summarize Count = sum(netflow_in_pkts_d) by DestinationPort = tostring(netflow_l4_dst_port_d), bin(TimeGenerated, 1m)",
"size": 3,
"title": "Destination Port by Packet Count Over Time",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "linechart"
},
"name": "DestinationPortbyPacketCountoverTime"
}
]
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "TrafficAnalysis"
},
"name": "group - 11 - Copy"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "ASNs",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "netflow_CL\n| where isnotempty(netflow_destinationASN_asn_d)\n| summarize MB = sum(netflow_in_bytes_d)/1024/1024 by ASN = tostring(netflow_destinationASN_as_org_s)\n| sort by MB desc",
"size": 4,
"title": "ASNs by MB",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "50",
"name": "ASNsbyMB"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "netflow_CL\n| where isnotempty(netflow_destinationASN_asn_d)\n| distinct netflow_destinationASN_as_org_s\n| count\n| extend ASN = \"Count of ASNs\"\n",
"size": 3,
"timeContext": {
"durationMs": 86400000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"tileSettings": {
"titleContent": {
"columnMatch": "ASN",
"formatter": 1
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"palette": "blue"
}
},
"showBorder": false
}
},
"customWidth": "50",
"name": "query - 1"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let data = netflow_CL\n| where isnotempty(netflow_destinationASN_asn_d)\n| summarize bytes = sum(netflow_in_bytes_d) by ASN = netflow_destinationASN_asn_d\n| top 10 by bytes\n| project ASN;\n netflow_CL\n | where netflow_destinationASN_asn_d in (data)\n | summarize MB = sum(netflow_in_bytes_d)/1024/1024 by ASN = netflow_destinationASN_as_org_s, bin(TimeGenerated, 1m)",
"size": 3,
"title": "ASNs by MB Over Time",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "linechart"
},
"name": "ASNsbyMBoverTime"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let data = netflow_CL\n| where isnotempty(netflow_in_pkts_d)\n| summarize Count = sum(netflow_in_pkts_d) by ASN = netflow_destinationASN_asn_d\n| top 10 by Count\n| project ASN;\n netflow_CL\n | where netflow_destinationASN_asn_d in (data)\n | summarize Count = sum(netflow_in_pkts_d) by ASN = netflow_destinationASN_as_org_s, bin(TimeGenerated, 1m)",
"size": 3,
"title": "ASNs by Packet Count Over Time",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "linechart"
},
"name": "ASNsbyPacketCountoverTime"
}
]
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "TrafficAnalysis"
},
"name": "group - 11 - Copy - Copy - Copy"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "Countries and Cities",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "netflow_CL\n| where isnotempty(netflow_destinationGeo_country_code2_s)\n| summarize MB = sum(netflow_in_bytes_d)/1024/1024 by Country = netflow_destinationGeo_country_code2_s\n| sort by MB desc",
"size": 4,
"title": "Country by MB",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "50",
"name": "CountrybyMB"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "netflow_CL\n| where isnotempty(netflow_destinationGeo_country_code2_s)\n| distinct netflow_destinationGeo_country_code2_s\n| count\n| extend Country = \"Count of Countries\"\n",
"size": 3,
"timeContext": {
"durationMs": 86400000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"tileSettings": {
"titleContent": {
"columnMatch": "Country",
"formatter": 1
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"palette": "blue"
}
},
"showBorder": false
}
},
"customWidth": "50",
"name": "query - 1"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let data = netflow_CL\n| where isnotempty(netflow_destinationGeo_country_code2_s)\n| summarize MB = sum(netflow_in_bytes_d)/1024/1024 by Country = netflow_destinationGeo_country_code2_s\n| top 10 by MB\n| project Country;\n netflow_CL\n | where netflow_destinationGeo_country_code2_s in (data)\n | summarize MB = sum(netflow_in_bytes_d)/1024/1024 by Country = netflow_destinationGeo_country_code2_s, bin(TimeGenerated, 1m)",
"size": 3,
"title": "Country by MB Over Time",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "linechart"
},
"name": "CountrybyMBOverTime"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let data = netflow_CL\n| where isnotempty(netflow_in_pkts_d)\n| summarize Count = sum(netflow_in_pkts_d) by Country = netflow_destinationGeo_country_code2_s\n| top 10 by Count\n| project Country;\n netflow_CL\n | where netflow_destinationGeo_country_code2_s in (data)\n | summarize Count = sum(netflow_in_pkts_d) by Country = netflow_destinationGeo_country_code2_s, bin(TimeGenerated, 1m)",
"size": 3,
"timeContext": {
"durationMs": 86400000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "linechart"
},
"name": "query - 3"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "netflow_CL\n| where isnotempty(netflow_destinationGeo_city_name_s)\n| summarize MB = sum(netflow_in_bytes_d)/1024/1024 by Country = netflow_destinationGeo_city_name_s\n| sort by MB desc",
"size": 4,
"title": "City by MB",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "50",
"name": "CitybyMB"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "netflow_CL\n| where isnotempty(netflow_destinationGeo_city_name_s)\n| distinct netflow_destinationGeo_city_name_s\n| count\n| extend City = \"Count of Cities\"\n",
"size": 3,
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"tileSettings": {
"titleContent": {
"columnMatch": "City",
"formatter": 1
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"palette": "blue"
}
},
"showBorder": false
}
},
"customWidth": "50",
"name": "query - 1"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let data = netflow_CL\n| where isnotempty(netflow_destinationGeo_city_name_s)\n| summarize MB = sum(netflow_in_bytes_d)/1024/1024 by City = netflow_destinationGeo_city_name_s\n| top 10 by MB\n| project City;\n netflow_CL\n | where netflow_destinationGeo_city_name_s in (data)\n | summarize MB = sum(netflow_in_bytes_d)/1024/1024 by City = netflow_destinationGeo_city_name_s, bin(TimeGenerated, 1m)",
"size": 3,
"title": "City by MB Over Time",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "linechart"
},
"name": "CitybyMBOverTime"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let data = netflow_CL\n| where isnotempty(netflow_in_pkts_d)\n| summarize Count = sum(netflow_in_pkts_d) by City = netflow_destinationGeo_city_name_s\n| top 10 by Count\n| project City;\n netflow_CL\n | where netflow_destinationGeo_city_name_s in (data)\n | summarize Count = sum(netflow_in_pkts_d) by City = netflow_destinationGeo_city_name_s, bin(TimeGenerated, 1m)",
"size": 3,
"title": "City by Packet Count Over Time",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "linechart"
},
"name": "CitybyPacketCountOverTime"
}
]
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "TrafficAnalysis"
},
"name": "group - 11 - Copy - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "netflow_CL\n| where isnotempty(netflow_ipv4_src_addr_s)\n| summarize Mbytes = sum(netflow_in_bytes_d)/1024/1024, Packets = sum(netflow_in_pkts_d), Count = count() by SourceIP = netflow_ipv4_src_addr_s\n| sort by Mbytes desc ",
"size": 0,
"title": "Top Sources",
"timeContext": {
"durationMs": 86400000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "Mbytes",
"formatter": 4,
"formatOptions": {
"palette": "blue"
}
},
{
"columnMatch": "Packets",
"formatter": 4,
"formatOptions": {
"palette": "purple"
}
},
{
"columnMatch": "Count",
"formatter": 4,
"formatOptions": {
"palette": "orange"
}
}
]
}
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "TopN"
},
"customWidth": "50",
"name": "query - 15"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "netflow_CL\n| where isnotempty(netflow_ipv4_dst_addr_s)\n| summarize Mbytes = sum(netflow_in_bytes_d)/1024/1024, Packets = sum(netflow_in_pkts_d), Count = count() by DestinationIP = netflow_ipv4_dst_addr_s\n| sort by Mbytes desc ",
"size": 0,
"title": "Top Destinations",
"timeContext": {
"durationMs": 86400000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "Mbytes",
"formatter": 4,
"formatOptions": {
"palette": "blue"
},
"tooltipFormat": {}
},
{
"columnMatch": "Packets",
"formatter": 4,
"formatOptions": {
"palette": "purple"
}
},
{
"columnMatch": "Count",
"formatter": 4,
"formatOptions": {
"palette": "orange"
}
}
]
}
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "TopN"
},
"customWidth": "50",
"name": "query - 16"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "netflow_CL\n| where isnotempty(netflow_l4_src_port_d)\n| summarize Mbytes = sum(netflow_in_bytes_d)/1024/1024, Packets = sum(netflow_in_pkts_d), Count = count() by SourcePort = netflow_l4_src_port_d\n| sort by Mbytes desc ",
"size": 0,
"title": "Top Source Ports",
"timeContext": {
"durationMs": 86400000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "Mbytes",
"formatter": 4,
"formatOptions": {
"palette": "blue"
}
},
{
"columnMatch": "Packets",
"formatter": 4,
"formatOptions": {
"palette": "purple"
}
},
{
"columnMatch": "Count",
"formatter": 4,
"formatOptions": {
"palette": "orange"
}
}
]
}
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "TopN"
},
"customWidth": "50",
"name": "query - 15 - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "netflow_CL\n| where isnotempty(netflow_l4_dst_port_d)\n| summarize Mbytes = sum(netflow_in_bytes_d)/1024/1024, Packets = sum(netflow_in_pkts_d), Count = count() by DestinationPort = netflow_l4_dst_port_d\n| sort by Mbytes desc ",
"size": 0,
"title": "Top Destination Ports",
"timeContext": {
"durationMs": 86400000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "Mbytes",
"formatter": 4,
"formatOptions": {
"palette": "blue"
},
"tooltipFormat": {}
},
{
"columnMatch": "Packets",
"formatter": 4,
"formatOptions": {
"palette": "purple"
}
},
{
"columnMatch": "Count",
"formatter": 4,
"formatOptions": {
"palette": "orange"
}
}
]
}
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "TopN"
},
"customWidth": "50",
"name": "query - 16 - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let data = externaldata (Decimal:int, Keyword:string) [\"https://www.iana.org/assignments/protocol-numbers/protocol-numbers-1.csv\"]\nwith(ignorefirstrecord=true);\nnetflow_CL\n| extend NetflowProtocol = toint(netflow_protocol_d)\n| summarize Mbytes = sum(netflow_in_bytes_d), Packets = sum(netflow_in_pkts_d), Records = count() by NetflowProtocol\n| join (\ndata\n ) on $left.NetflowProtocol == $right.Decimal\n | project Protocol = Keyword, Mbytes, Packets, Records\n | sort by Mbytes desc\n\n",
"size": 0,
"title": "Top Protocols",
"timeContext": {
"durationMs": 86400000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "Mbytes",
"formatter": 4,
"formatOptions": {
"palette": "blue"
},
"tooltipFormat": {}
},
{
"columnMatch": "Packets",
"formatter": 4,
"formatOptions": {
"palette": "purple"
}
},
{
"columnMatch": "Records",
"formatter": 4,
"formatOptions": {
"palette": "orange"
}
},
{
"columnMatch": "Count",
"formatter": 4,
"formatOptions": {
"palette": "orange"
}
}
]
}
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "TopN"
},
"customWidth": "50",
"name": "query - 16 - Copy - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "netflow_CL\n| where isnotempty(netflow_destinationASN_asn_d)\n| summarize Mbytes = sum(netflow_in_bytes_d)/1024/1024, Packets = sum(netflow_in_pkts_d), Count = count() by ASOrganization = netflow_destinationASN_as_org_s\n| sort by Mbytes desc ",
"size": 0,
"title": "Top Autonomous Systems",
"timeContext": {
"durationMs": 86400000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "Mbytes",
"formatter": 4,
"formatOptions": {
"palette": "blue"
},
"tooltipFormat": {}
},
{
"columnMatch": "Packets",
"formatter": 4,
"formatOptions": {
"palette": "purple"
}
},
{
"columnMatch": "Records",
"formatter": 4,
"formatOptions": {
"palette": "orange"
}
},
{
"columnMatch": "Count",
"formatter": 4,
"formatOptions": {
"palette": "orange"
}
}
]
}
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "TopN"
},
"customWidth": "50",
"name": "query - 16 - Copy - Copy - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "netflow_CL\n| where isnotempty(netflow_destinationGeo_city_name_s)\n| summarize Mbytes = sum(netflow_in_bytes_d)/1024/1024, Packets = sum(netflow_in_pkts_d), Count = count() by City = netflow_destinationGeo_city_name_s\n| sort by Mbytes desc ",
"size": 0,
"title": "Top Cities",
"timeContext": {
"durationMs": 86400000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "Mbytes",
"formatter": 4,
"formatOptions": {
"palette": "blue"
},
"tooltipFormat": {}
},
{
"columnMatch": "Packets",
"formatter": 4,
"formatOptions": {
"palette": "purple"
}
},
{
"columnMatch": "Records",
"formatter": 4,
"formatOptions": {
"palette": "orange"
}
},
{
"columnMatch": "Count",
"formatter": 4,
"formatOptions": {
"palette": "orange"
}
}
]
}
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "TopN"
},
"customWidth": "50",
"name": "query - 16 - Copy - Copy - Copy - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "netflow_CL\n| where isnotempty(netflow_destinationASN_asn_d)\n| summarize count() by ASN = netflow_destinationASN_asn_d, netflow_destinationGeo_latitude_d, netflow_destinationGeo_longitude_d, netflow_destinationGeo_country_name_s, netflow_destinationGeo_city_name_s",
"size": 3,
"title": "Destination Geo Location Heatmap",
"timeContext": {
"durationMs": 86400000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "map",
"mapSettings": {
"locInfo": "LatLong",
"latitude": "netflow_destinationGeo_latitude_d",
"longitude": "netflow_destinationGeo_longitude_d",
"sizeSettings": "count_",
"sizeAggregation": "Sum",
"labelSettings": "netflow_destinationGeo_city_name_s",
"legendMetric": "count_",
"legendAggregation": "Sum",
"itemColorSettings": {
"nodeColorField": "count_",
"colorAggregation": "Count",
"type": "heatmap",
"heatmapPalette": "greenRed"
}
}
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "GeoLocation"
},
"name": "query - 22"
}
],
"styleSettings": {},
"fromTemplateId": "sentinel-UnifiSGNetflow",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}