2234 строки
99 KiB
JSON
2234 строки
99 KiB
JSON
{
|
|
"version": "Notebook/1.0",
|
|
"items": [
|
|
{
|
|
"type": 9,
|
|
"content": {
|
|
"version": "KqlParameterItem/1.0",
|
|
"parameters": [
|
|
{
|
|
"id": "1ca69445-60fc-4806-b43d-ac7e6aad630a",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "Subscription",
|
|
"type": 6,
|
|
"isRequired": true,
|
|
"value": "",
|
|
"typeSettings": {
|
|
"additionalResourceOptions": [],
|
|
"includeAll": false
|
|
}
|
|
},
|
|
{
|
|
"id": "e94aafa3-c5d9-4523-89f0-4e87aa754511",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "Workspace",
|
|
"type": 5,
|
|
"isRequired": true,
|
|
"query": "Resources \n| where type =~ \"microsoft.operationalinsights/workspaces\" \n| order by name \n| project id, name, selected=row_number()==1, group=resourceGroup",
|
|
"crossComponentResources": [
|
|
"{Subscription}"
|
|
],
|
|
"typeSettings": {
|
|
"resourceTypeFilter": {
|
|
"microsoft.operationalinsights/workspaces": true
|
|
},
|
|
"additionalResourceOptions": []
|
|
},
|
|
"queryType": 1,
|
|
"resourceType": "microsoft.resourcegraph/resources",
|
|
"value": "/subscriptions/d1d8779d-38d7-4f06-91db-9cbc8de0176f/resourceGroups/SOC/providers/Microsoft.OperationalInsights/workspaces/CyberSecuritySOC"
|
|
},
|
|
{
|
|
"id": "c4b69c01-2263-4ada-8d9c-43433b739ff3",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "TimeRange",
|
|
"type": 4,
|
|
"isRequired": true,
|
|
"value": {
|
|
"durationMs": 5184000000
|
|
},
|
|
"typeSettings": {
|
|
"selectableValues": [
|
|
{
|
|
"durationMs": 300000
|
|
},
|
|
{
|
|
"durationMs": 900000
|
|
},
|
|
{
|
|
"durationMs": 1800000
|
|
},
|
|
{
|
|
"durationMs": 3600000
|
|
},
|
|
{
|
|
"durationMs": 14400000
|
|
},
|
|
{
|
|
"durationMs": 43200000
|
|
},
|
|
{
|
|
"durationMs": 86400000
|
|
},
|
|
{
|
|
"durationMs": 172800000
|
|
},
|
|
{
|
|
"durationMs": 259200000
|
|
},
|
|
{
|
|
"durationMs": 604800000
|
|
},
|
|
{
|
|
"durationMs": 1209600000
|
|
},
|
|
{
|
|
"durationMs": 2592000000
|
|
},
|
|
{
|
|
"durationMs": 5184000000
|
|
},
|
|
{
|
|
"durationMs": 7776000000
|
|
}
|
|
],
|
|
"allowCustom": true
|
|
}
|
|
},
|
|
{
|
|
"id": "6ed3bbc6-be3f-44ed-84b3-9908e7c92315",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "Help",
|
|
"type": 10,
|
|
"isRequired": true,
|
|
"typeSettings": {
|
|
"additionalResourceOptions": []
|
|
},
|
|
"jsonData": "[\r\n { \"value\": \"Yes\", \"label\": \"Yes\"},\r\n {\"value\": \"No\", \"label\": \"No\", \"selected\":true },\r\n { \"value\": \"Change Log\", \"label\": \"Change Log\"}\r\n]"
|
|
}
|
|
],
|
|
"style": "above",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.resourcegraph/resources"
|
|
},
|
|
"customWidth": "70",
|
|
"name": "parameters - 1"
|
|
},
|
|
{
|
|
"type": 9,
|
|
"content": {
|
|
"version": "KqlParameterItem/1.0",
|
|
"parameters": [
|
|
{
|
|
"id": "e648443b-bf59-4ae6-8c04-a5edf7097da6",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "Measurement",
|
|
"type": 10,
|
|
"isRequired": true,
|
|
"typeSettings": {
|
|
"additionalResourceOptions": []
|
|
},
|
|
"jsonData": "[\r\n{\"value\": \"KM\", \"label\": \"KM\"},\r\n{\"value\": \"Miles\", \"label\": \"Miles\", \"selected\":true}\r\n]"
|
|
},
|
|
{
|
|
"id": "ba4eb749-336e-4aa0-8a4b-2b7987507852",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "Top",
|
|
"label": "Show Top locations",
|
|
"type": 2,
|
|
"description": "Only show this amount of locations om the map",
|
|
"isRequired": true,
|
|
"typeSettings": {
|
|
"additionalResourceOptions": [],
|
|
"showDefault": false
|
|
},
|
|
"jsonData": "[\r\n{ \"value\": \"5\", \"label\": \"5\"},\r\n{\"value\": \"10\", \"label\": \"10\", \"selected\":true },\r\n{\"value\": \"20\", \"label\": \"20\" },\r\n{\"value\": \"30\", \"label\": \"30\" },\r\n{\"value\": \"50\", \"label\": \"50\" }\r\n]"
|
|
}
|
|
],
|
|
"style": "above",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
"customWidth": "30",
|
|
"name": "parameters - settings"
|
|
},
|
|
{
|
|
"type": 11,
|
|
"content": {
|
|
"version": "LinkItem/1.0",
|
|
"style": "tabs",
|
|
"links": [
|
|
{
|
|
"id": "8f36c3bf-807c-4478-bfc2-570584d36bb9",
|
|
"cellValue": "selectedTab",
|
|
"linkTarget": "parameter",
|
|
"linkLabel": "Malicious IP",
|
|
"subTarget": "MaliciousIP",
|
|
"style": "link"
|
|
},
|
|
{
|
|
"id": "0d78c03f-f8d7-40da-8761-3ef454b14ad8",
|
|
"cellValue": "selectedTab",
|
|
"linkTarget": "parameter",
|
|
"linkLabel": "User Data",
|
|
"subTarget": "UserData",
|
|
"style": "link"
|
|
},
|
|
{
|
|
"id": "d5ae52bd-03a5-452e-a395-98fbe02b6e20",
|
|
"cellValue": "selectedTab",
|
|
"linkTarget": "parameter",
|
|
"linkLabel": "Microsoft WAF",
|
|
"subTarget": "WAF",
|
|
"style": "link"
|
|
}
|
|
]
|
|
},
|
|
"name": "links - 5"
|
|
},
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "#### Tab One. Malicious IP \r\nThis report can get data from a number of sources (six are defined in this release) to show the distance from the Malicious IP addresses to a selected users default location. \r\nYou may see an error if one or more data sources are missing. There will be no entries if *all* sources are missing - there is a warning dialog box displayed if this happens.\r\nThis is a similar view to the one shown on the Summary page of Azure Sentinel, but this is showing distance data as well.\r\nThere are three options to aid filtering:\r\n1. Select a Location from a list (for that you will have to edit this workbook and amend the \"CityList\" parameter if you require changes to the capital cities I have provided). Please save the JSON of any co-ordinates you add, as you will need to add them back if you ever update the workbook to a newer version. This is useful if you have some office locations or important places that you wish to add.\r\n2. Select from Azure Active Directory (AAD), if the SigninLogs table exists, this will populate from the latest record, a entry per City /( Country ) with Longitude and Latitude data.\r\n3. Enter a Latitude and Longitude of your choice, and a label to describe the location. \r\nYou may also select to show the data in Kilometers (KM) or Miles. You can also set how many locations to show, 5, 10, 20 etc...\r\n\r\nDatasources: WireData, VMconnection, CommonSecurityLog, WindowsFirewall, W3CIISLog and DnsEvents \r\n\t\t\t Note: SigninLogs is required to build the AAD list, if you dont have this critical datasource, please use options #1 or #3.\r\n\r\n#### Tab two. Locations and distances (User Data)\r\nInformation using Azure Active Directory (AAD) Signinlogs data, this shows user Signin Locations and distance between as well as order visited (you select a User from dropdown options, ordered by their signin count). \r\n\r\nDatasources:SigninLogs\r\n\r\n#### Tab three. Microsoft WAF \r\nShow Azure Front door and Application Gateway Web Application Firewall \r\n\r\nDatasources: AzureDiagnostics\r\n",
|
|
"style": "info"
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "Help",
|
|
"comparison": "isEqualTo",
|
|
"value": "Yes"
|
|
},
|
|
"name": "text - 8"
|
|
},
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "### Change Log\r\n|Version|Description|\r\n|---|---|\r\n|v1.0\t|Initial Version|\r\n|V1.1.0\t|Updated from 2019 version, combining new features and improving the look and feel. | \r\n|V1.1.1\t|Updated chart to display Location, Latitude, Longitude when a region is clicked| \r\n|V1.2\t|Added info when you select a region on the 'Map showing locations for User', fixed a time display message. Added dwell time (the time delay between the entries), in the \"looking for\" grid to augment the distance travelled.|\r\n|V1.3| Add support for a drop down warning, and UserMap user selection options (user by count, User by first Letter & free text search) |"
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "Help",
|
|
"comparison": "isEqualTo",
|
|
"value": "Change Log"
|
|
},
|
|
"name": "text - 7"
|
|
},
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"title": "Group: Malicious IP",
|
|
"items": [
|
|
{
|
|
"type": 9,
|
|
"content": {
|
|
"version": "KqlParameterItem/1.0",
|
|
"parameters": [
|
|
{
|
|
"id": "b12b1e24-c504-4ccb-9f00-3dc445232897",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "getLocation",
|
|
"label": "Location selector",
|
|
"type": 10,
|
|
"isRequired": true,
|
|
"typeSettings": {
|
|
"additionalResourceOptions": []
|
|
},
|
|
"jsonData": "[\r\n { \"value\": \"mylist\", \"label\": \"From a list\",\"selected\":true},\r\n {\"value\": \"aad\", \"label\": \"From AAD\"},\r\n { \"value\": \"manual\", \"label\": \"Add a manual entry\"}\r\n]",
|
|
"timeContext": {
|
|
"durationMs": 86400000
|
|
},
|
|
"value": "aad"
|
|
}
|
|
],
|
|
"style": "above",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
"customWidth": "30",
|
|
"name": "parameters - 7"
|
|
},
|
|
{
|
|
"type": 9,
|
|
"content": {
|
|
"version": "KqlParameterItem/1.0",
|
|
"parameters": [
|
|
{
|
|
"id": "d14c2e32-c58e-4409-b2ea-14394a69e70e",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "CityList",
|
|
"label": "Location - custom list",
|
|
"type": 2,
|
|
"description": "Edit this parameter to provide your own locations - please see Help",
|
|
"isRequired": true,
|
|
"value": "48.856613,2.352222",
|
|
"typeSettings": {
|
|
"additionalResourceOptions": [],
|
|
"showDefault": false
|
|
},
|
|
"jsonData": "[\r\n{ \"value\": \"51.507351,-0.127758\" ,\"label\": \"London\"},\r\n{ \"value\": \"48.856613,2.352222\" ,\"label\": \"Paris\"},\r\n{ \"value\": \"40.712776,-74.005974\",\"label\": \"New York\"},\r\n{ \"value\": \"47.608013,-122.335167\",\"label\": \"Seattle\"},\r\n{ \"value\": \"41.881832,-87.623177\",\"label\": \"Chicago\"},\r\n{ \"value\": \"-33.865143,151.209900\",\"label\": \"Sydney\"}\r\n]"
|
|
},
|
|
{
|
|
"id": "a1c6c49d-c452-4010-851a-55f5f950df23",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "defaultCityList",
|
|
"type": 1,
|
|
"value": "Paris",
|
|
"isHiddenWhenLocked": true,
|
|
"criteriaData": [
|
|
{
|
|
"criteriaContext": {
|
|
"leftOperand": "CityList",
|
|
"operator": "isNotNull",
|
|
"rightValType": "param",
|
|
"resultValType": "static",
|
|
"resultVal": "{CityList:label}"
|
|
}
|
|
},
|
|
{
|
|
"criteriaContext": {
|
|
"operator": "Default",
|
|
"rightValType": "param",
|
|
"resultValType": "param",
|
|
"resultVal": "CityList"
|
|
}
|
|
}
|
|
]
|
|
}
|
|
],
|
|
"style": "above",
|
|
"doNotRunWhenHidden": true,
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "getLocation",
|
|
"comparison": "isEqualTo",
|
|
"value": "mylist"
|
|
},
|
|
"name": "parameters - mylist"
|
|
},
|
|
{
|
|
"type": 9,
|
|
"content": {
|
|
"version": "KqlParameterItem/1.0",
|
|
"parameters": [
|
|
{
|
|
"id": "d14c2e32-c58e-4409-b2ea-14394a69e70e",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "CityListAAD",
|
|
"label": "Location - obtained from AAD ",
|
|
"type": 2,
|
|
"description": "Locations found in AAD",
|
|
"isRequired": true,
|
|
"query": "SigninLogs\r\n| where UserDisplayName !=\"On-Premises Directory Synchronization Service Account\"\r\n| extend city_ = tostring(LocationDetails.city) \r\n| extend latitude_ = tostring(parse_json(tostring(LocationDetails.geoCoordinates)).latitude) \r\n| extend longitude_ = tostring(parse_json(tostring(LocationDetails.geoCoordinates)).longitude) \r\n| summarize count(), arg_max(TimeGenerated,*) by city_\r\n| where isnotempty(city_)\r\n| distinct city_ , count_, latitude_, longitude_, Location\r\n| extend city_ = strcat(city_,\" (\", Location ,\")\")\r\n| project label = strcat(city_,\",\",latitude_,\",\",longitude_), value = city_\r\n| order by label asc\r\n",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"value": "Aeroskobing (DK),54.89149856567382,10.40470027923584",
|
|
"typeSettings": {
|
|
"additionalResourceOptions": [],
|
|
"showDefault": false
|
|
},
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
{
|
|
"id": "56079538-c786-4a1f-8e20-c33232a46852",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "defaultCityListAAD",
|
|
"type": 1,
|
|
"isRequired": true,
|
|
"value": "Aeroskobing (DK),54.89149856567382,10.40470027923584",
|
|
"isHiddenWhenLocked": true,
|
|
"criteriaData": [
|
|
{
|
|
"criteriaContext": {
|
|
"leftOperand": "CityListAAD",
|
|
"operator": "is Empty",
|
|
"rightValType": "param",
|
|
"resultValType": "static",
|
|
"resultVal": "\"no AAD\""
|
|
}
|
|
},
|
|
{
|
|
"criteriaContext": {
|
|
"operator": "Default",
|
|
"rightValType": "param",
|
|
"resultValType": "param",
|
|
"resultVal": "CityListAAD"
|
|
}
|
|
}
|
|
]
|
|
}
|
|
],
|
|
"style": "above",
|
|
"doNotRunWhenHidden": true,
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "getLocation",
|
|
"comparison": "isEqualTo",
|
|
"value": "aad"
|
|
},
|
|
"name": "parameters - aad"
|
|
},
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "### Please select a Location, or confirm data source: SigninLogs exists\r\n\tif there are no values you may not have the [SigninLogs] table in this workspace.\r\nPlease use a Location Selection of:\r\n\r\n\tFrom a List\r\nor\r\n\r\n\tAdd a manual entry\r\n",
|
|
"style": "warning"
|
|
},
|
|
"conditionalVisibilities": [
|
|
{
|
|
"parameterName": "CityListAAD",
|
|
"comparison": "isEqualTo",
|
|
"value": ""
|
|
},
|
|
{
|
|
"parameterName": "getLocation",
|
|
"comparison": "isEqualTo",
|
|
"value": "aad"
|
|
}
|
|
],
|
|
"name": "text - 7"
|
|
},
|
|
{
|
|
"type": 9,
|
|
"content": {
|
|
"version": "KqlParameterItem/1.0",
|
|
"parameters": [
|
|
{
|
|
"id": "631833b1-6b7d-485c-ab7d-a101d8e1ef77",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "Latitude",
|
|
"type": 1,
|
|
"description": "Add a Latitude value",
|
|
"value": "51.461377",
|
|
"criteriaData": [
|
|
{
|
|
"criteriaContext": {
|
|
"operator": "Default",
|
|
"rightValType": "param",
|
|
"resultValType": "static",
|
|
"resultVal": "51.461377"
|
|
}
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"id": "e10c4b13-f3af-4faf-a5cd-605b7660c019",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "Longitude",
|
|
"type": 1,
|
|
"description": "Add a Longitude value",
|
|
"value": "-0.925915",
|
|
"criteriaData": [
|
|
{
|
|
"criteriaContext": {
|
|
"operator": "Default",
|
|
"rightValType": "param",
|
|
"resultValType": "static",
|
|
"resultVal": "-0.925915"
|
|
}
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"id": "e10c4b13-f3af-4faf-a5cd-605b7660c019",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "defaultLocationName",
|
|
"type": 1,
|
|
"description": "Add a name for your custom Latitude/Longitude",
|
|
"value": "Microsoft Campus, Reading (UK)",
|
|
"criteriaData": [
|
|
{
|
|
"criteriaContext": {
|
|
"operator": "Default",
|
|
"rightValType": "param",
|
|
"resultValType": "static",
|
|
"resultVal": "Microsoft Campus, Reading (UK)"
|
|
}
|
|
}
|
|
]
|
|
}
|
|
],
|
|
"style": "above",
|
|
"doNotRunWhenHidden": true,
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "getLocation",
|
|
"comparison": "isEqualTo",
|
|
"value": "manual"
|
|
},
|
|
"name": "parameters -manual"
|
|
},
|
|
{
|
|
"type": 9,
|
|
"content": {
|
|
"version": "KqlParameterItem/1.0",
|
|
"crossComponentResources": [
|
|
"{Subscription}"
|
|
],
|
|
"parameters": [
|
|
{
|
|
"id": "b1bb0a06-ac1d-438a-931b-a255d0eb5611",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "locationName",
|
|
"type": 1,
|
|
"query": " // create a common location for chart titles\r\n extend locationName = case( \r\n '{getLocation}' == 'mylist', '{defaultCityList}',\r\n '{getLocation}' == 'aad' , '{defaultCityListAAD}',\r\n '{getLocation}' == 'manual', '{defaultLocationName}',\r\n //else\r\n \"fail\"\r\n )\r\n|project locationName | limit 1",
|
|
"crossComponentResources": [
|
|
"{Subscription}"
|
|
],
|
|
"isHiddenWhenLocked": true,
|
|
"timeContext": {
|
|
"durationMs": 86400000
|
|
},
|
|
"queryType": 1,
|
|
"resourceType": "microsoft.resourcegraph/resources"
|
|
}
|
|
],
|
|
"style": "above",
|
|
"queryType": 1,
|
|
"resourceType": "microsoft.resourcegraph/resources"
|
|
},
|
|
"name": "parameters - common Location Name"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "// Look back at data and see if any from six named tables have Malicious IP info \r\n// This query is based on the Sentinel home page \"Potential malicious events\" view \r\n// We'll also enrich the data with distance data (in KM or miles) of each entry to defined home location \r\n//\r\n// Please enter how many days worth of data to look at?\r\n// Microsoft Campus UK is used as a base parameter - adjust as required with your own Location Longitude / Latitude \r\n// isFuzzy will allow us to continue on errors or if a table is empty etc...\r\nunion isfuzzy=true \r\n(W3CIISLog\r\n| extend TrafficDirection = \"InboundOrUnknown\", Country=RemoteIPCountry, Latitude=RemoteIPLatitude, Longitude=RemoteIPLongitude), \r\n(DnsEvents\r\n| extend TrafficDirection = \"InboundOrUnknown\", Country= RemoteIPCountry, Latitude = RemoteIPLatitude, Longitude = RemoteIPLongitude),\r\n(WireData\r\n| extend TrafficDirection = iff(Direction != \"Outbound\",\"InboundOrUnknown\", \"Outbound\"), Country=RemoteIPCountry, Latitude=RemoteIPLatitude, Longitude=RemoteIPLongitude), \r\n(WindowsFirewall\r\n| extend TrafficDirection = iff(CommunicationDirection != \"SEND\",\"InboundOrUnknown\", \"Outbound\"), Country=MaliciousIPCountry, Latitude=MaliciousIPLatitude, Longitude=MaliciousIPLongitude), \r\n(CommonSecurityLog\r\n| extend TrafficDirection = iff(CommunicationDirection != \"Outbound\",\"InboundOrUnknown\", \"Outbound\"), Country=MaliciousIPCountry, Latitude=MaliciousIPLatitude, Longitude=MaliciousIPLongitude, Confidence=ThreatDescription, Description=ThreatDescription), \r\n(VMConnection\r\n| where Type == \"VMConnection\"\r\n| extend TrafficDirection = iff(Direction != \"outbound\",\"InboundOrUnknown\", \"Outbound\"), Country=RemoteCountry, Latitude=RemoteLatitude, Longitude=RemoteLongitude)\r\n// Start of main logic\r\n// Supply a default location (long/lat) from selected parameter \r\n| extend myLatitude = case( \r\n '{getLocation}' == 'mylist', todouble(split('{CityList:value}',\",\").[0]),\r\n '{getLocation}' == 'aad' , todouble(split('{defaultCityListAAD:value}',\",\").[1]),\r\n '{getLocation}' == 'manual', todouble({Latitude}),\r\n //else\r\n todouble(0)\r\n )\r\n| extend myLongitude = case( \r\n '{getLocation}' == 'mylist', todouble(split('{CityList:value}',\",\").[1]),\r\n '{getLocation}' == 'aad' , todouble(split('{defaultCityListAAD:value}',\",\").[2]),\r\n '{getLocation}' == 'manual', todouble({Longitude}),\r\n //else\r\n todouble(0)\r\n )\r\n| where isnotempty(MaliciousIP) and isnotempty(Country) and isnotempty(Latitude) and isnotempty(Longitude)\r\n// measure the distance between the base/city and maliciousIP location in km or miles\r\n| extend distance_in = iif('{Measurement}' == \"KM\", geo_distance_2points(Longitude, Latitude, myLongitude, myLatitude)/1000.00, geo_distance_2points(Longitude, Latitude, myLongitude, myLatitude)/1609.344 )\r\n| summarize count(), arg_max(TimeGenerated,TimeGenerated) by Country, distance_in, Latitude , Longitude, '{getLocation}', myLatitude, myLongitude\r\n| top {Top} by count_\r\n\r\n",
|
|
"size": 0,
|
|
"title": "Top: '{Top}' Malicious IP distances from {locationName} in ('{Measurement}') ",
|
|
"timeContext": {
|
|
"durationMs": 7776000000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"exportParameterName": "Selected",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"visualization": "map",
|
|
"gridSettings": {
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "distance_in",
|
|
"sortOrder": 2
|
|
}
|
|
]
|
|
},
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "distance_in",
|
|
"sortOrder": 2
|
|
}
|
|
],
|
|
"graphSettings": {
|
|
"type": 0,
|
|
"topContent": {
|
|
"columnMatch": "Country",
|
|
"formatter": 1
|
|
},
|
|
"centerContent": {
|
|
"columnMatch": "distance_in",
|
|
"formatter": 1,
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"mapSettings": {
|
|
"locInfo": "LatLong",
|
|
"latitude": "Latitude",
|
|
"longitude": "Longitude",
|
|
"sizeSettings": "count_",
|
|
"sizeAggregation": "Sum",
|
|
"labelSettings": "Country",
|
|
"legendMetric": "distance_in",
|
|
"legendAggregation": "Sum",
|
|
"itemColorSettings": {
|
|
"nodeColorField": "count_",
|
|
"colorAggregation": "Sum",
|
|
"type": "heatmap",
|
|
"heatmapPalette": "orange"
|
|
}
|
|
}
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 8"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "// Look back at data and see if any from six named tables have Malicious IP info \r\n// This query is based on the Sentinel home page \"Potential malicious events\" view \r\n// We'll also enrich the data with distance data (in KM or miles) of each entry to defined home location \r\n//\r\n// Please enter how many days worth of data to look at?\r\n// Microsoft Campus UK is used as a base parameter - adjust as required with your own Location Longitude / Latitude \r\n// isFuzzy will allow us to continue on errors or if a table is empty etc...\r\nunion isfuzzy=true \r\n(W3CIISLog\r\n| extend TrafficDirection = \"InboundOrUnknown\", Country=RemoteIPCountry, Latitude=RemoteIPLatitude, Longitude=RemoteIPLongitude), \r\n(DnsEvents\r\n| extend TrafficDirection = \"InboundOrUnknown\", Country= RemoteIPCountry, Latitude = RemoteIPLatitude, Longitude = RemoteIPLongitude),\r\n(WireData\r\n| extend TrafficDirection = iff(Direction != \"Outbound\",\"InboundOrUnknown\", \"Outbound\"), Country=RemoteIPCountry, Latitude=RemoteIPLatitude, Longitude=RemoteIPLongitude), \r\n(WindowsFirewall\r\n| extend TrafficDirection = iff(CommunicationDirection != \"SEND\",\"InboundOrUnknown\", \"Outbound\"), Country=MaliciousIPCountry, Latitude=MaliciousIPLatitude, Longitude=MaliciousIPLongitude), \r\n(CommonSecurityLog\r\n| extend TrafficDirection = iff(CommunicationDirection != \"Outbound\",\"InboundOrUnknown\", \"Outbound\"), Country=MaliciousIPCountry, Latitude=MaliciousIPLatitude, Longitude=MaliciousIPLongitude, Confidence=ThreatDescription, Description=ThreatDescription), \r\n(\r\nAzureDiagnostics\r\n| where ResourceType == \"FRONTDOORS\" and Category == \"FrontdoorWebApplicationFirewallLog\"\r\n| extend TrafficDirection = iff(isReceivedFromClient_b != false,\"InboundOrUnknown\", \"Outbound\")\r\n),\r\n(VMConnection\r\n| where Type == \"VMConnection\"\r\n| extend TrafficDirection = iff(Direction != \"outbound\",\"InboundOrUnknown\", \"Outbound\"), Country=RemoteCountry, Latitude=RemoteLatitude, Longitude=RemoteLongitude)\r\n// Start of main logic\r\n// Supply a default location (long/lat) from selected parameter \r\n| extend myLatitude = case( \r\n '{getLocation}' == 'mylist', todouble(split('{CityList:value}',\",\").[0]),\r\n '{getLocation}' == 'aad' , todouble(split('{defaultCityListAAD:value}',\",\").[1]),\r\n '{getLocation}' == 'manual', todouble({Latitude}),\r\n //else\r\n todouble(0)\r\n )\r\n| extend myLongitude = case( \r\n '{getLocation}' == 'mylist', todouble(split('{CityList:value}',\",\").[1]),\r\n '{getLocation}' == 'aad' , todouble(split('{defaultCityListAAD:value}',\",\").[2]),\r\n '{getLocation}' == 'manual', todouble({Longitude}),\r\n //else\r\n todouble(0)\r\n )\r\n| where isnotempty(MaliciousIP) and isnotempty(Country) and isnotempty(Latitude) and isnotempty(Longitude)\r\n// measure the distance between the base/city and maliciousIP location in km or miles\r\n| extend distance_in = iif('{Measurement}' == \"KM\", geo_distance_2points(Longitude, Latitude, myLongitude, myLatitude)/1000.00, geo_distance_2points(Longitude, Latitude, myLongitude, myLatitude)/1609.344 )\r\n| summarize count(), arg_max(TimeGenerated,TimeGenerated) by Country, distance_in, Latitude , Longitude, '{getLocation}', myLatitude, myLongitude\r\n| top {Top} by count_\r\n\r\n",
|
|
"size": 0,
|
|
"title": "Top: '{Top}' Malicious IP distances from {locationName} in ('{Measurement}') ",
|
|
"timeContext": {
|
|
"durationMs": 7776000000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"exportParameterName": "Selected",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"visualization": "table",
|
|
"gridSettings": {
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "distance_in",
|
|
"sortOrder": 2
|
|
}
|
|
]
|
|
},
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "distance_in",
|
|
"sortOrder": 2
|
|
}
|
|
],
|
|
"graphSettings": {
|
|
"type": 0,
|
|
"topContent": {
|
|
"columnMatch": "Country",
|
|
"formatter": 1
|
|
},
|
|
"centerContent": {
|
|
"columnMatch": "distance_in",
|
|
"formatter": 1,
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"mapSettings": {
|
|
"locInfo": "LatLong",
|
|
"latitude": "Latitude",
|
|
"longitude": "Longitude",
|
|
"sizeSettings": "count_",
|
|
"sizeAggregation": "Sum",
|
|
"labelSettings": "Country",
|
|
"legendMetric": "distance_in",
|
|
"legendAggregation": "Sum",
|
|
"itemColorSettings": {
|
|
"nodeColorField": "count_",
|
|
"colorAggregation": "Sum",
|
|
"type": "heatmap",
|
|
"heatmapPalette": "orange"
|
|
}
|
|
}
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 8 - Copy"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "extend a = parse_json('{Selected}')\r\n| project ['region']=a.regionName, ['latitude']=a.latitude, ['longitude']=a.longitude\r\n| limit 1",
|
|
"size": 4,
|
|
"title": "Please select a map region for more details",
|
|
"noDataMessage": "Please click on a map region ",
|
|
"queryType": 1,
|
|
"resourceType": "microsoft.resourcegraph/resources",
|
|
"crossComponentResources": [
|
|
"{Subscription}"
|
|
]
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 8"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "// Show a summary of the map data \r\nunion isfuzzy=true \r\n(W3CIISLog\r\n| extend TrafficDirection = \"InboundOrUnknown\", Country=RemoteIPCountry, Latitude=RemoteIPLatitude, Longitude=RemoteIPLongitude), \r\n(DnsEvents\r\n| extend TrafficDirection = \"InboundOrUnknown\", Country= RemoteIPCountry, Latitude = RemoteIPLatitude, Longitude = RemoteIPLongitude),\r\n(WireData\r\n| extend TrafficDirection = iff(Direction != \"Outbound\",\"InboundOrUnknown\", \"Outbound\"), Country=RemoteIPCountry, Latitude=RemoteIPLatitude, Longitude=RemoteIPLongitude), \r\n(WindowsFirewall\r\n| extend TrafficDirection = iff(CommunicationDirection != \"SEND\",\"InboundOrUnknown\", \"Outbound\"), Country=MaliciousIPCountry, Latitude=MaliciousIPLatitude, Longitude=MaliciousIPLongitude), \r\n(CommonSecurityLog\r\n| extend TrafficDirection = iff(CommunicationDirection != \"Outbound\",\"InboundOrUnknown\", \"Outbound\"), Country=MaliciousIPCountry, Latitude=MaliciousIPLatitude, Longitude=MaliciousIPLongitude, Confidence=ThreatDescription, Description=ThreatDescription), \r\n(VMConnection\r\n| where Type == \"VMConnection\"\r\n| extend TrafficDirection = iff(Direction != \"outbound\",\"InboundOrUnknown\", \"Outbound\"), Country=RemoteCountry, Latitude=RemoteLatitude, Longitude=RemoteLongitude)\r\n// Start of main logic\r\n// Supply a default location (long/lat)\r\n| extend myLatitude = case( \r\n '{getLocation}' == 'mylist', todouble(split('{CityList:value}',\",\").[0]),\r\n '{getLocation}' == 'aad' , todouble(split('{defaultCityListAAD:value}',\",\").[1]),\r\n '{getLocation}' == 'manual', todouble({Latitude}),\r\n //else\r\n todouble(0)\r\n )\r\n| extend myLongitude = case( \r\n '{getLocation}' == 'mylist', todouble(split('{CityList:value}',\",\").[1]),\r\n '{getLocation}' == 'aad' , todouble(split('{defaultCityListAAD:value}',\",\").[2]),\r\n '{getLocation}' == 'manual', todouble({Longitude}),\r\n //else\r\n todouble(0)\r\n ) \r\n| where isnotempty(MaliciousIP) and isnotempty(Country) and isnotempty(Latitude) and isnotempty(Longitude)\r\n// measure the distance between the base/city and maliciousIP location in km or miles\r\n| extend distance_in = iif('{Measurement}' == \"KM\", geo_distance_2points(Longitude, Latitude, myLongitude, myLatitude)/1000.00, geo_distance_2points(Longitude, Latitude, myLongitude, myLatitude)/1609.344 )\r\n| summarize count(), arg_max(TimeGenerated,TimeGenerated) by Country, \r\n distance_in,Latitude, Longitude, toggle='{getLocation}', myLatitude, myLongitude\r\n| top {Top} by count_\r\n| order by distance_in desc\r\n\r\n",
|
|
"size": 1,
|
|
"showAnalytics": true,
|
|
"title": "Top: '{Top}' Malicious IP distances from {locationName} in ('{Measurement}') ",
|
|
"timeContext": {
|
|
"durationMs": 7776000000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"showExportToExcel": true,
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"visualization": "table",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "distance_in",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "greenRed"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "toggle",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "count_",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "coldHot"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "TimeGenerated1",
|
|
"formatter": 5
|
|
}
|
|
],
|
|
"filter": true,
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "$gen_bar_distance_in_1",
|
|
"sortOrder": 2
|
|
}
|
|
],
|
|
"labelSettings": [
|
|
{
|
|
"columnId": "Country"
|
|
},
|
|
{
|
|
"columnId": "distance_in",
|
|
"label": "Distance"
|
|
},
|
|
{
|
|
"columnId": "Latitude",
|
|
"label": "Destination Latitude"
|
|
},
|
|
{
|
|
"columnId": "Longitude",
|
|
"label": "Destination Longitude"
|
|
},
|
|
{
|
|
"columnId": "toggle",
|
|
"label": ""
|
|
},
|
|
{
|
|
"columnId": "myLatitude",
|
|
"label": "Source Latitude"
|
|
},
|
|
{
|
|
"columnId": "myLongitude",
|
|
"label": "Source Longitude"
|
|
},
|
|
{
|
|
"columnId": "count_"
|
|
},
|
|
{
|
|
"columnId": "TimeGenerated"
|
|
},
|
|
{
|
|
"columnId": "TimeGenerated1"
|
|
}
|
|
]
|
|
},
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "$gen_bar_distance_in_1",
|
|
"sortOrder": 2
|
|
}
|
|
],
|
|
"graphSettings": {
|
|
"type": 0,
|
|
"topContent": {
|
|
"columnMatch": "Country",
|
|
"formatter": 1
|
|
},
|
|
"centerContent": {
|
|
"columnMatch": "distance_in",
|
|
"formatter": 1,
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"mapSettings": {
|
|
"locInfo": "LatLong",
|
|
"latitude": "Latitude",
|
|
"longitude": "Longitude",
|
|
"sizeSettings": "count_",
|
|
"sizeAggregation": "Sum",
|
|
"labelSettings": "Country",
|
|
"legendMetric": "distance_in",
|
|
"legendAggregation": "Sum",
|
|
"itemColorSettings": {
|
|
"nodeColorField": "count_",
|
|
"colorAggregation": "Sum",
|
|
"type": "heatmap",
|
|
"heatmapPalette": "orange"
|
|
}
|
|
}
|
|
},
|
|
"name": "query - 8 - Copy"
|
|
}
|
|
]
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "selectedTab",
|
|
"comparison": "isEqualTo",
|
|
"value": "MaliciousIP"
|
|
},
|
|
"name": "group - Malicious"
|
|
},
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"title": "Group: UserMap",
|
|
"items": [
|
|
{
|
|
"type": 9,
|
|
"content": {
|
|
"version": "KqlParameterItem/1.0",
|
|
"parameters": [
|
|
{
|
|
"id": "268ebde4-5b20-4106-9e91-8e7d36b26d4f",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "Select",
|
|
"label": "Select Users method",
|
|
"type": 10,
|
|
"isRequired": true,
|
|
"typeSettings": {
|
|
"additionalResourceOptions": [],
|
|
"showDefault": false
|
|
},
|
|
"jsonData": "[\r\n {\"value\": \"name\", \"label\": \"Select User by Name\", \"selected\":true },\r\n {\"value\": \"letter\", \"label\": \"Select User by letter\"},\r\n {\"value\": \"free\", \"label\": \"Select User using free text search\"}\r\n]",
|
|
"timeContext": {
|
|
"durationMs": 86400000
|
|
}
|
|
}
|
|
],
|
|
"style": "above",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
"name": "parameters - 10"
|
|
},
|
|
{
|
|
"type": 9,
|
|
"content": {
|
|
"version": "KqlParameterItem/1.0",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"parameters": [
|
|
{
|
|
"id": "4fd13b3f-9856-4e1d-93f5-c4681a6b4c16",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "SelectUserName",
|
|
"type": 2,
|
|
"isRequired": true,
|
|
"query": "SigninLogs\r\n| where TimeGenerated {TimeRange:query}\r\n| where isnotempty(UserDisplayName) and UserDisplayName !=\"On-Premises Directory Synchronization Service Account\"\r\n| summarize Count = count() by UserDisplayName\r\n| order by Count desc, UserDisplayName asc\r\n| project Value = UserDisplayName, Label = strcat(UserDisplayName, ' - ', Count, ' sign-ins'), Selected = false\r\n",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"value": "Chris Boehm",
|
|
"typeSettings": {
|
|
"additionalResourceOptions": []
|
|
},
|
|
"timeContext": {
|
|
"durationMs": 5184000000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
{
|
|
"id": "8aa43840-1b93-449a-861e-450856dc1297",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "userCount",
|
|
"label": "How many unique Users?",
|
|
"type": 10,
|
|
"description": "1000 users max are shown",
|
|
"isRequired": true,
|
|
"query": "SigninLogs\r\n| where isnotempty(UserDisplayName) and UserDisplayName !=\"On-Premises Directory Synchronization Service Account\"\r\n| distinct UserDisplayName\r\n| summarize Count = strcat(count(),\" of 1000\")",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"typeSettings": {
|
|
"additionalResourceOptions": [],
|
|
"showDefault": false
|
|
},
|
|
"timeContext": {
|
|
"durationMs": 7776000000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
}
|
|
],
|
|
"style": "above",
|
|
"doNotRunWhenHidden": true,
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "Select",
|
|
"comparison": "isEqualTo",
|
|
"value": "name"
|
|
},
|
|
"name": "parameters - 7"
|
|
},
|
|
{
|
|
"type": 9,
|
|
"content": {
|
|
"version": "KqlParameterItem/1.0",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"parameters": [
|
|
{
|
|
"id": "adb47350-f652-4bd3-b2c7-dcfc3e380a23",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "UserFilter",
|
|
"type": 2,
|
|
"isRequired": true,
|
|
"query": "SigninLogs\r\n| distinct UserDisplayName\r\n| project Alpha = toupper(substring(UserDisplayName,0,1))\r\n| summarize Count = count() by Alpha\r\n| order by Alpha asc\r\n| project Value=Alpha, Label=Alpha, selected = false",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"value": "A",
|
|
"typeSettings": {
|
|
"additionalResourceOptions": [],
|
|
"showDefault": false
|
|
},
|
|
"timeContext": {
|
|
"durationMs": 7776000000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
{
|
|
"id": "ad7f576a-5df8-49c1-99c2-f8fdbca5557b",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "SelectUserLetter",
|
|
"label": " Select User Letter",
|
|
"type": 2,
|
|
"isRequired": true,
|
|
"query": "SigninLogs\r\n| where UserDisplayName startswith '{UserFilter:label}'\r\n| summarize by UserDisplayName\r\n| order by UserDisplayName asc",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"value": "Alex Humphrey",
|
|
"typeSettings": {
|
|
"additionalResourceOptions": [],
|
|
"showDefault": false
|
|
},
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
{
|
|
"id": "96d46227-91be-4519-a83d-449e38b5f32c",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "selectedUserCount",
|
|
"label": "How many unique Users?",
|
|
"type": 10,
|
|
"description": "1000 users max are shown",
|
|
"isRequired": true,
|
|
"query": "SigninLogs\r\n| where UserDisplayName startswith '{UserFilter:label}'\r\n| distinct UserDisplayName\r\n| summarize Count = strcat(count(),\" of 1000\")",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"typeSettings": {
|
|
"additionalResourceOptions": [],
|
|
"showDefault": false
|
|
},
|
|
"timeContext": {
|
|
"durationMs": 7776000000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
}
|
|
],
|
|
"style": "above",
|
|
"doNotRunWhenHidden": true,
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "Select",
|
|
"comparison": "isEqualTo",
|
|
"value": "letter"
|
|
},
|
|
"name": "parameters - 9"
|
|
},
|
|
{
|
|
"type": 9,
|
|
"content": {
|
|
"version": "KqlParameterItem/1.0",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"parameters": [
|
|
{
|
|
"id": "c2577785-56e7-415e-b95d-4af62446fb49",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "SelectUserFree",
|
|
"label": "Search for a User here",
|
|
"type": 1,
|
|
"description": "Enter a free text search for a User Name ",
|
|
"value": "",
|
|
"timeContext": {
|
|
"durationMs": 86400000
|
|
},
|
|
"timeContextFromParameter": "TimeRange"
|
|
},
|
|
{
|
|
"id": "38ee7b13-de6b-48da-a98f-0ae75ae0517e",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "SelectUserwithin",
|
|
"label": "Matched User(s)",
|
|
"type": 2,
|
|
"query": "SigninLogs\r\n| where UserDisplayName contains '{SelectUserFree}'\r\n| distinct UserDisplayName\r\n| project UserDisplayName \r\n| order by UserDisplayName asc",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"value": null,
|
|
"typeSettings": {
|
|
"additionalResourceOptions": [],
|
|
"showDefault": false
|
|
},
|
|
"timeContext": {
|
|
"durationMs": 5184000000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
{
|
|
"id": "1407f53f-c0b3-4eae-a3a8-8d60c737fb4d",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "selectedUserCount2",
|
|
"label": "How many unique Users?",
|
|
"type": 10,
|
|
"description": "1000 users max are shown",
|
|
"isRequired": true,
|
|
"query": "SigninLogs\r\n| where UserDisplayName contains '{SelectUserFree}'\r\n| distinct UserDisplayName\r\n| summarize Count = strcat(count(),\" of 1000\")",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"typeSettings": {
|
|
"additionalResourceOptions": [],
|
|
"showDefault": false
|
|
},
|
|
"timeContext": {
|
|
"durationMs": 7776000000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
}
|
|
],
|
|
"style": "above",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "Select",
|
|
"comparison": "isEqualTo",
|
|
"value": "free"
|
|
},
|
|
"name": "parameters - 12"
|
|
},
|
|
{
|
|
"type": 9,
|
|
"content": {
|
|
"version": "KqlParameterItem/1.0",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"parameters": [
|
|
{
|
|
"id": "ba660562-9b21-4412-b2d7-cc12bb64c33d",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "SelectUser",
|
|
"type": 1,
|
|
"description": "Only shows user from name or letter parameter - depending on Toggle",
|
|
"query": "SigninLogs\r\n| extend SelectUser = case( '{Select}' == \"name\" , '{SelectUserName}',\r\n '{Select}' == \"letter\" , '{SelectUserLetter}',\r\n '{Select}' == \"free\" , '{SelectUserwithin}',\r\n // else\r\n \"error\"\r\n )\r\n| limit 1\r\n| project SelectUser",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"isHiddenWhenLocked": true,
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
}
|
|
],
|
|
"style": "above",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
"name": "parameters - 12"
|
|
},
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "### Missing Input data Warning: diagnostics\r\n\r\nUser Name displayed, from the selected parameter: \r\n## {SelectUser}\r\n\r\n|Parameter|Value detected|\r\n|---|---|\r\n|Name|{SelectUserName}|\r\n|Letter|{SelectUserLetter}|\r\n|Free|{SelectUserFree}|"
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "SelectUser",
|
|
"comparison": "isEqualTo"
|
|
},
|
|
"name": "text - 6"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "SigninLogs\r\n| where UserDisplayName !=\"On-Premises Directory Synchronization Service Account\"\r\n| where UserDisplayName == '{SelectUser}'\r\n| extend city_ = tostring(LocationDetails.city) \r\n| extend state_ = tostring(LocationDetails.state) \r\n| extend countryOrRegion_ = tostring(LocationDetails.countryOrRegion) \r\n| extend latitude_ = tostring(parse_json(tostring(LocationDetails.geoCoordinates)).latitude) \r\n| extend longitude_ = tostring(parse_json(tostring(LocationDetails.geoCoordinates)).longitude) \r\n| order by TimeGenerated asc , city_ asc\r\n| serialize \r\n| extend pLat = prev(latitude_,1)\r\n| extend pLon = prev(longitude_,1)\r\n| extend distanceType = iif('{Measurement}' == \"KM\", todouble(1000), todouble(1609.344))\r\n| extend distance_in = iif(row_number() > 1,tostring(round(geo_distance_2points(todouble(longitude_), todouble(latitude_), todouble(pLon), todouble(pLat))/distanceType ,2)),\"FirstLocation\")\r\n| where distance_in !=\"0.0\"\r\n| summarize by bin(TimeGenerated, {TimeRange:grain}),\r\n UserDisplayName,\r\n City=city_ ,\r\n CountryorRegion=countryOrRegion_, \r\n visitedInThisOrder = row_number(),\r\n distanceTravelled = distance_in,\r\n distanceTravelled2 = strcat(distance_in,' ','{Measurement}'),\r\n latitude_,\r\n longitude_\r\n| order by TimeGenerated asc, visitedInThisOrder asc",
|
|
"size": 0,
|
|
"showAnalytics": true,
|
|
"title": "Map showing locations for user: '{SelectUser}'",
|
|
"timeContext": {
|
|
"durationMs": 7776000000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"exportedParameters": [
|
|
{
|
|
"fieldName": "Namespace",
|
|
"parameterName": "Namespace",
|
|
"defaultValue": "All"
|
|
},
|
|
{
|
|
"parameterName": "SelectedUsers",
|
|
"parameterType": 1
|
|
}
|
|
],
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"visualization": "map",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "Table Entries",
|
|
"formatter": 3,
|
|
"formatOptions": {
|
|
"min": 0,
|
|
"palette": "green",
|
|
"showIcon": true
|
|
},
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"style": "decimal"
|
|
}
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Table Size",
|
|
"formatter": 3,
|
|
"formatOptions": {
|
|
"min": 0,
|
|
"palette": "blue",
|
|
"showIcon": true
|
|
},
|
|
"numberFormat": {
|
|
"unit": 2,
|
|
"options": {
|
|
"style": "decimal"
|
|
}
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Table Size Trend",
|
|
"formatter": 9,
|
|
"formatOptions": {
|
|
"min": 0,
|
|
"palette": "blue",
|
|
"showIcon": true
|
|
}
|
|
}
|
|
],
|
|
"filter": true
|
|
},
|
|
"sortBy": [],
|
|
"tileSettings": {
|
|
"titleContent": {
|
|
"columnMatch": "visit_order",
|
|
"formatter": 1,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
"leftContent": {
|
|
"columnMatch": "count_",
|
|
"formatter": 12,
|
|
"formatOptions": {
|
|
"palette": "auto",
|
|
"showIcon": true
|
|
},
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
},
|
|
"showBorder": false
|
|
},
|
|
"graphSettings": {
|
|
"type": 0,
|
|
"topContent": {
|
|
"columnMatch": "UserDisplayName",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "blue",
|
|
"showIcon": true
|
|
}
|
|
},
|
|
"centerContent": {
|
|
"columnMatch": "count_",
|
|
"formatter": 1,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
},
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
},
|
|
"nodeIdField": "userNameLocation",
|
|
"sourceIdField": "TimeGenerated",
|
|
"targetIdField": "MilesTravelled",
|
|
"nodeSize": null,
|
|
"staticNodeSize": 100,
|
|
"colorSettings": null,
|
|
"hivesMargin": 5
|
|
},
|
|
"mapSettings": {
|
|
"locInfo": "LatLong",
|
|
"latitude": "latitude_",
|
|
"longitude": "longitude_",
|
|
"sizeSettings": "distanceTravelled",
|
|
"sizeAggregation": "Sum",
|
|
"labelSettings": "City",
|
|
"legendMetric": "distanceTravelled",
|
|
"numberOfMetrics": 10,
|
|
"legendAggregation": "Sum",
|
|
"itemColorSettings": {
|
|
"nodeColorField": "distanceTravelled",
|
|
"colorAggregation": "Sum",
|
|
"type": "heatmap",
|
|
"heatmapPalette": "blueDark"
|
|
}
|
|
}
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 6 - Copy - Copy"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "extend a = parse_json('{SelectedUsers}')\r\n| project ['User']='{SelectUser}', ['region']=a.regionName, ['latitude']=a.latitude, ['longitude']=a.longitude\r\n| limit 1",
|
|
"size": 4,
|
|
"title": "Please select a map region for more details",
|
|
"queryType": 1,
|
|
"resourceType": "microsoft.resourcegraph/resources",
|
|
"crossComponentResources": [
|
|
"{Subscription}"
|
|
]
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 8"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "SigninLogs\r\n| where UserDisplayName !=\"On-Premises Directory Synchronization Service Account\"\r\n| where UserDisplayName == '{SelectUser}'\r\n| extend city_ = tostring(LocationDetails.city) \r\n| extend state_ = tostring(LocationDetails.state) \r\n| extend countryOrRegion_ = tostring(LocationDetails.countryOrRegion) \r\n| extend latitude_ = tostring(parse_json(tostring(LocationDetails.geoCoordinates)).latitude) \r\n| extend longitude_ = tostring(parse_json(tostring(LocationDetails.geoCoordinates)).longitude) \r\n| order by TimeGenerated asc , city_ asc\r\n| serialize \r\n| extend pLat = prev(latitude_,1)\r\n| extend pLon = prev(longitude_,1)\r\n| extend distanceType = iif('{Measurement}' == \"KM\", todouble(1000), todouble(1609.344))\r\n| extend distance_in = iif(row_number() > 1,tostring(round(geo_distance_2points(todouble(longitude_), todouble(latitude_), todouble(pLon), todouble(pLat))/distanceType ,2)),strcat(\"FirstLocation\",' ','({Measurement})') ) \r\n| extend dwell_in = datetime_diff(\"second\",TimeGenerated, prev(TimeGenerated))\r\n| where distance_in !=\"0.0\"\r\n| summarize by TimeGenerated,\r\n UserDisplayName,\r\n City=city_ ,\r\n Location=countryOrRegion_, \r\n visitOrder = row_number(),\r\n distanceBetweenLocations = distance_in, // strcat(distance_in,' ','({Measurement})')\r\n dwell_in\r\n| order by TimeGenerated asc, visitOrder asc",
|
|
"size": 1,
|
|
"showAnalytics": true,
|
|
"title": "Looking for '{SelectUser}'",
|
|
"color": "green",
|
|
"timeContext": {
|
|
"durationMs": 7776000000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"exportFieldName": "Namespace",
|
|
"exportParameterName": "Namespace",
|
|
"exportDefaultValue": "All",
|
|
"showExportToExcel": true,
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"visualization": "table",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "dwell_in",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "greenRed"
|
|
},
|
|
"numberFormat": {
|
|
"unit": 24,
|
|
"options": {
|
|
"style": "decimal",
|
|
"useGrouping": false,
|
|
"maximumSignificantDigits": 3
|
|
}
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "distanceBetweenLocations",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "greenRed"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Table Entries",
|
|
"formatter": 3,
|
|
"formatOptions": {
|
|
"min": 0,
|
|
"palette": "green"
|
|
},
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"style": "decimal"
|
|
}
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Table Size",
|
|
"formatter": 3,
|
|
"formatOptions": {
|
|
"min": 0,
|
|
"palette": "blue"
|
|
},
|
|
"numberFormat": {
|
|
"unit": 2,
|
|
"options": {
|
|
"style": "decimal"
|
|
}
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Table Size Trend",
|
|
"formatter": 9,
|
|
"formatOptions": {
|
|
"min": 0,
|
|
"palette": "blue"
|
|
}
|
|
}
|
|
],
|
|
"filter": true,
|
|
"labelSettings": [
|
|
{
|
|
"columnId": "UserDisplayName"
|
|
},
|
|
{
|
|
"columnId": "City"
|
|
},
|
|
{
|
|
"columnId": "distanceBetweenLocations"
|
|
},
|
|
{
|
|
"columnId": "dwell_in",
|
|
"label": "Dwell time"
|
|
}
|
|
]
|
|
},
|
|
"sortBy": [],
|
|
"tileSettings": {
|
|
"titleContent": {
|
|
"columnMatch": "visit_order",
|
|
"formatter": 1,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
"leftContent": {
|
|
"columnMatch": "count_",
|
|
"formatter": 12,
|
|
"formatOptions": {
|
|
"palette": "auto",
|
|
"showIcon": true
|
|
},
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
},
|
|
"showBorder": false
|
|
},
|
|
"graphSettings": {
|
|
"type": 0,
|
|
"topContent": {
|
|
"columnMatch": "UserDisplayName",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "blue",
|
|
"showIcon": true
|
|
}
|
|
},
|
|
"centerContent": {
|
|
"columnMatch": "count_",
|
|
"formatter": 1,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
},
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
},
|
|
"nodeIdField": "userNameLocation",
|
|
"sourceIdField": "TimeGenerated",
|
|
"targetIdField": "MilesTravelled",
|
|
"nodeSize": null,
|
|
"staticNodeSize": 100,
|
|
"colorSettings": null,
|
|
"hivesMargin": 5
|
|
},
|
|
"mapSettings": {
|
|
"locInfo": "LatLong",
|
|
"latitude": "latitude_",
|
|
"longitude": "longitude_",
|
|
"sizeSettings": "MilesTravelled",
|
|
"sizeAggregation": "Sum",
|
|
"labelSettings": "visit_order",
|
|
"legendMetric": "MilesTravelled",
|
|
"legendAggregation": "Sum",
|
|
"itemColorSettings": {
|
|
"nodeColorField": "MilesTravelled",
|
|
"colorAggregation": "Sum",
|
|
"type": "heatmap",
|
|
"heatmapPalette": "redDark"
|
|
}
|
|
}
|
|
},
|
|
"name": "query - 6 - Copy - Copy"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "SigninLogs\r\n| where UserDisplayName !=\"On-Premises Directory Synchronization Service Account\"\r\n| where UserDisplayName == '{SelectUser}'\r\n| extend city_ = tostring(LocationDetails.city) \r\n| extend state_ = tostring(LocationDetails.state) \r\n| extend countryOrRegion_ = tostring(LocationDetails.countryOrRegion) \r\n| extend latitude_ = tostring(parse_json(tostring(LocationDetails.geoCoordinates)).latitude) \r\n| extend longitude_ = tostring(parse_json(tostring(LocationDetails.geoCoordinates)).longitude) \r\n| order by TimeGenerated asc , city_ asc\r\n| serialize \r\n| extend pLat = prev(latitude_,1)\r\n| extend pLon = prev(longitude_,1)\r\n| extend distanceType = iif('{Measurement}' == \"KM\", todouble(1000), todouble(1609.344))\r\n| extend distance_in = iif(isnotempty(pLat),tostring(round(geo_distance_2points(todouble(longitude_), todouble(latitude_), todouble(pLon), todouble(pLat))/distanceType ,2)),\"FirstLocation\")\r\n| where distance_in !=\"0.0\"\r\n| summarize by bin(TimeGenerated, {TimeRange:grain}),\r\n UserDisplayName,\r\n City=city_ ,\r\n CountryorRegion=countryOrRegion_, \r\n visitedInThisOrder = row_number(),\r\n distanceTravelled = strcat(distance_in,' ','{Measurement}')\r\n//| top {Top} by City\r\n| order by TimeGenerated asc, visitedInThisOrder asc\r\n",
|
|
"size": 1,
|
|
"showAnalytics": true,
|
|
"title": " '{SelectUser}' : Cities visitied",
|
|
"color": "green",
|
|
"timeContext": {
|
|
"durationMs": 7776000000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"exportFieldName": "Namespace",
|
|
"exportParameterName": "Namespace",
|
|
"exportDefaultValue": "All",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"visualization": "unstackedbar",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "Table Entries",
|
|
"formatter": 3,
|
|
"formatOptions": {
|
|
"min": 0,
|
|
"palette": "green",
|
|
"showIcon": true
|
|
},
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"style": "decimal"
|
|
}
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Table Size",
|
|
"formatter": 3,
|
|
"formatOptions": {
|
|
"min": 0,
|
|
"palette": "blue",
|
|
"showIcon": true
|
|
},
|
|
"numberFormat": {
|
|
"unit": 2,
|
|
"options": {
|
|
"style": "decimal"
|
|
}
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Table Size Trend",
|
|
"formatter": 9,
|
|
"formatOptions": {
|
|
"min": 0,
|
|
"palette": "blue",
|
|
"showIcon": true
|
|
}
|
|
}
|
|
],
|
|
"filter": true
|
|
},
|
|
"sortBy": [],
|
|
"tileSettings": {
|
|
"titleContent": {
|
|
"columnMatch": "visit_order",
|
|
"formatter": 1,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
"leftContent": {
|
|
"columnMatch": "count_",
|
|
"formatter": 12,
|
|
"formatOptions": {
|
|
"palette": "auto",
|
|
"showIcon": true
|
|
},
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
},
|
|
"showBorder": false
|
|
},
|
|
"graphSettings": {
|
|
"type": 0,
|
|
"topContent": {
|
|
"columnMatch": "UserDisplayName",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "blue",
|
|
"showIcon": true
|
|
}
|
|
},
|
|
"centerContent": {
|
|
"columnMatch": "count_",
|
|
"formatter": 1,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
},
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
},
|
|
"nodeIdField": "userNameLocation",
|
|
"sourceIdField": "TimeGenerated",
|
|
"targetIdField": "MilesTravelled",
|
|
"nodeSize": null,
|
|
"staticNodeSize": 100,
|
|
"colorSettings": null,
|
|
"hivesMargin": 5
|
|
},
|
|
"chartSettings": {
|
|
"group": "City",
|
|
"createOtherGroup": 10,
|
|
"showMetrics": false,
|
|
"showLegend": true
|
|
},
|
|
"mapSettings": {
|
|
"locInfo": "LatLong",
|
|
"latitude": "latitude_",
|
|
"longitude": "longitude_",
|
|
"sizeSettings": "MilesTravelled",
|
|
"sizeAggregation": "Sum",
|
|
"labelSettings": "visit_order",
|
|
"legendMetric": "MilesTravelled",
|
|
"legendAggregation": "Sum",
|
|
"itemColorSettings": {
|
|
"nodeColorField": "MilesTravelled",
|
|
"colorAggregation": "Sum",
|
|
"type": "heatmap",
|
|
"heatmapPalette": "redDark"
|
|
}
|
|
}
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 6 - by Location - Copy"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "SigninLogs\r\n| where UserDisplayName !=\"On-Premises Directory Synchronization Service Account\"\r\n| where UserDisplayName == '{SelectUser}'\r\n| extend city_ = tostring(LocationDetails.city) \r\n| extend state_ = tostring(LocationDetails.state) \r\n| extend countryOrRegion_ = tostring(LocationDetails.countryOrRegion) \r\n| extend latitude_ = tostring(parse_json(tostring(LocationDetails.geoCoordinates)).latitude) \r\n| extend longitude_ = tostring(parse_json(tostring(LocationDetails.geoCoordinates)).longitude) \r\n| order by TimeGenerated asc , city_ asc\r\n| serialize \r\n| extend pLat = prev(latitude_,1)\r\n| extend pLon = prev(longitude_,1)\r\n| extend distanceType = iif('{Measurement}' == \"KM\", todouble(1000), todouble(1609.344))\r\n| extend distance_in = iif(isnotempty(pLat),tostring(round(geo_distance_2points(todouble(longitude_), todouble(latitude_), todouble(pLon), todouble(pLat))/distanceType ,2)),\"FirstLocation\")\r\n| where distance_in !=\"0.0\"\r\n| summarize by bin(TimeGenerated, {TimeRange:grain}),\r\n UserDisplayName,\r\n City=city_ ,\r\n CountryorRegion=countryOrRegion_, \r\n visitedInThisOrder = row_number(),\r\n distanceTravelled = strcat(distance_in,' ','{Measurement}')\r\n| order by TimeGenerated asc, visitedInThisOrder asc",
|
|
"size": 1,
|
|
"showAnalytics": true,
|
|
"title": " '{SelectUser}' : distance travelled",
|
|
"color": "green",
|
|
"timeContext": {
|
|
"durationMs": 7776000000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"exportFieldName": "Namespace",
|
|
"exportParameterName": "Namespace",
|
|
"exportDefaultValue": "All",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"visualization": "unstackedbar",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "Table Entries",
|
|
"formatter": 3,
|
|
"formatOptions": {
|
|
"min": 0,
|
|
"palette": "green",
|
|
"showIcon": true
|
|
},
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"style": "decimal"
|
|
}
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Table Size",
|
|
"formatter": 3,
|
|
"formatOptions": {
|
|
"min": 0,
|
|
"palette": "blue",
|
|
"showIcon": true
|
|
},
|
|
"numberFormat": {
|
|
"unit": 2,
|
|
"options": {
|
|
"style": "decimal"
|
|
}
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Table Size Trend",
|
|
"formatter": 9,
|
|
"formatOptions": {
|
|
"min": 0,
|
|
"palette": "blue",
|
|
"showIcon": true
|
|
}
|
|
}
|
|
],
|
|
"filter": true
|
|
},
|
|
"sortBy": [],
|
|
"tileSettings": {
|
|
"titleContent": {
|
|
"columnMatch": "visit_order",
|
|
"formatter": 1,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
"leftContent": {
|
|
"columnMatch": "count_",
|
|
"formatter": 12,
|
|
"formatOptions": {
|
|
"palette": "auto",
|
|
"showIcon": true
|
|
},
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
},
|
|
"showBorder": false
|
|
},
|
|
"graphSettings": {
|
|
"type": 0,
|
|
"topContent": {
|
|
"columnMatch": "UserDisplayName",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "blue",
|
|
"showIcon": true
|
|
}
|
|
},
|
|
"centerContent": {
|
|
"columnMatch": "count_",
|
|
"formatter": 1,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
},
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
},
|
|
"nodeIdField": "userNameLocation",
|
|
"sourceIdField": "TimeGenerated",
|
|
"targetIdField": "MilesTravelled",
|
|
"nodeSize": null,
|
|
"staticNodeSize": 100,
|
|
"colorSettings": null,
|
|
"hivesMargin": 5
|
|
},
|
|
"chartSettings": {
|
|
"group": "distanceTravelled",
|
|
"createOtherGroup": null,
|
|
"showMetrics": false,
|
|
"showLegend": true
|
|
},
|
|
"mapSettings": {
|
|
"locInfo": "LatLong",
|
|
"latitude": "latitude_",
|
|
"longitude": "longitude_",
|
|
"sizeSettings": "MilesTravelled",
|
|
"sizeAggregation": "Sum",
|
|
"labelSettings": "visit_order",
|
|
"legendMetric": "MilesTravelled",
|
|
"legendAggregation": "Sum",
|
|
"itemColorSettings": {
|
|
"nodeColorField": "MilesTravelled",
|
|
"colorAggregation": "Sum",
|
|
"type": "heatmap",
|
|
"heatmapPalette": "redDark"
|
|
}
|
|
}
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 6 - by Location "
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "SigninLogs\r\n| where UserDisplayName !=\"On-Premises Directory Synchronization Service Account\"\r\n| where UserDisplayName == '{SelectUser}'\r\n| extend city_ = tostring(LocationDetails.city) \r\n| extend state_ = tostring(LocationDetails.state) \r\n| extend countryOrRegion_ = tostring(LocationDetails.countryOrRegion) \r\n| extend latitude_ = tostring(parse_json(tostring(LocationDetails.geoCoordinates)).latitude) \r\n| extend longitude_ = tostring(parse_json(tostring(LocationDetails.geoCoordinates)).longitude) \r\n| order by TimeGenerated asc , city_ asc\r\n| serialize \r\n| extend pLat = prev(latitude_,1)\r\n| extend pLon = prev(longitude_,1)\r\n| extend distanceType = iif('{Measurement}' == \"KM\", todouble(1000), todouble(1609.344))\r\n| extend distance_in = iif(isnotempty(pLat),tostring(round(geo_distance_2points(todouble(longitude_), todouble(latitude_), todouble(pLon), todouble(pLat))/distanceType ,2)),\"FirstLocation\")\r\n| where distance_in !=\"0.0\"\r\n| summarize by bin(TimeGenerated, {TimeRange:grain}),\r\n UserDisplayName,\r\n City=city_ ,\r\n CountryorRegion=countryOrRegion_, \r\n visitedInThisOrder = row_number(),\r\n distanceTravelled = strcat(distance_in,' ','{Measurement}')\r\n| order by TimeGenerated asc, visitedInThisOrder asc",
|
|
"size": 4,
|
|
"showAnalytics": true,
|
|
"title": " '{SelectUser}' : Countries visitied ",
|
|
"color": "green",
|
|
"timeContext": {
|
|
"durationMs": 7776000000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"exportFieldName": "Namespace",
|
|
"exportParameterName": "Namespace",
|
|
"exportDefaultValue": "All",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"visualization": "piechart",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "Table Entries",
|
|
"formatter": 3,
|
|
"formatOptions": {
|
|
"min": 0,
|
|
"palette": "green",
|
|
"showIcon": true
|
|
},
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"style": "decimal"
|
|
}
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Table Size",
|
|
"formatter": 3,
|
|
"formatOptions": {
|
|
"min": 0,
|
|
"palette": "blue",
|
|
"showIcon": true
|
|
},
|
|
"numberFormat": {
|
|
"unit": 2,
|
|
"options": {
|
|
"style": "decimal"
|
|
}
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Table Size Trend",
|
|
"formatter": 9,
|
|
"formatOptions": {
|
|
"min": 0,
|
|
"palette": "blue",
|
|
"showIcon": true
|
|
}
|
|
}
|
|
],
|
|
"filter": true
|
|
},
|
|
"sortBy": [],
|
|
"tileSettings": {
|
|
"titleContent": {
|
|
"columnMatch": "visit_order",
|
|
"formatter": 1,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
"leftContent": {
|
|
"columnMatch": "count_",
|
|
"formatter": 12,
|
|
"formatOptions": {
|
|
"palette": "auto",
|
|
"showIcon": true
|
|
},
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
},
|
|
"showBorder": false
|
|
},
|
|
"graphSettings": {
|
|
"type": 0,
|
|
"topContent": {
|
|
"columnMatch": "UserDisplayName",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "blue",
|
|
"showIcon": true
|
|
}
|
|
},
|
|
"centerContent": {
|
|
"columnMatch": "count_",
|
|
"formatter": 1,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
},
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
},
|
|
"nodeIdField": "userNameLocation",
|
|
"sourceIdField": "TimeGenerated",
|
|
"targetIdField": "MilesTravelled",
|
|
"nodeSize": null,
|
|
"staticNodeSize": 100,
|
|
"colorSettings": null,
|
|
"hivesMargin": 5
|
|
},
|
|
"chartSettings": {
|
|
"group": "CountryorRegion",
|
|
"createOtherGroup": null,
|
|
"showMetrics": false,
|
|
"showLegend": true
|
|
},
|
|
"mapSettings": {
|
|
"locInfo": "LatLong",
|
|
"latitude": "latitude_",
|
|
"longitude": "longitude_",
|
|
"sizeSettings": "MilesTravelled",
|
|
"sizeAggregation": "Sum",
|
|
"labelSettings": "visit_order",
|
|
"legendMetric": "MilesTravelled",
|
|
"legendAggregation": "Sum",
|
|
"itemColorSettings": {
|
|
"nodeColorField": "MilesTravelled",
|
|
"colorAggregation": "Sum",
|
|
"type": "heatmap",
|
|
"heatmapPalette": "redDark"
|
|
}
|
|
}
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 6 - by Location - Copy - Copy"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "SigninLogs\r\n| where UserDisplayName !=\"On-Premises Directory Synchronization Service Account\"\r\n| extend city_ = tostring(LocationDetails.city) \r\n| extend state_ = tostring(LocationDetails.state) \r\n| extend countryOrRegion_ = tostring(LocationDetails.countryOrRegion) \r\n| order by TimeGenerated asc , city_ asc\r\n| summarize count() by bin(TimeGenerated, {TimeRange:grain}),\r\n City=city_ ,\r\n CountryorRegion=countryOrRegion_ \r\n| order by count_ desc",
|
|
"size": 4,
|
|
"showAnalytics": true,
|
|
"title": "All Users : Countries by most frequent",
|
|
"color": "green",
|
|
"timeContext": {
|
|
"durationMs": 7776000000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"exportFieldName": "Namespace",
|
|
"exportParameterName": "Namespace",
|
|
"exportDefaultValue": "All",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"visualization": "piechart",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "Table Entries",
|
|
"formatter": 3,
|
|
"formatOptions": {
|
|
"min": 0,
|
|
"palette": "green",
|
|
"showIcon": true
|
|
},
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"style": "decimal"
|
|
}
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Table Size",
|
|
"formatter": 3,
|
|
"formatOptions": {
|
|
"min": 0,
|
|
"palette": "blue",
|
|
"showIcon": true
|
|
},
|
|
"numberFormat": {
|
|
"unit": 2,
|
|
"options": {
|
|
"style": "decimal"
|
|
}
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Table Size Trend",
|
|
"formatter": 9,
|
|
"formatOptions": {
|
|
"min": 0,
|
|
"palette": "blue",
|
|
"showIcon": true
|
|
}
|
|
}
|
|
],
|
|
"filter": true
|
|
},
|
|
"sortBy": [],
|
|
"tileSettings": {
|
|
"titleContent": {
|
|
"columnMatch": "visit_order",
|
|
"formatter": 1,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
"leftContent": {
|
|
"columnMatch": "count_",
|
|
"formatter": 12,
|
|
"formatOptions": {
|
|
"palette": "auto",
|
|
"showIcon": true
|
|
},
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
},
|
|
"showBorder": false
|
|
},
|
|
"graphSettings": {
|
|
"type": 0,
|
|
"topContent": {
|
|
"columnMatch": "UserDisplayName",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "blue",
|
|
"showIcon": true
|
|
}
|
|
},
|
|
"centerContent": {
|
|
"columnMatch": "count_",
|
|
"formatter": 1,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
},
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
},
|
|
"nodeIdField": "userNameLocation",
|
|
"sourceIdField": "TimeGenerated",
|
|
"targetIdField": "MilesTravelled",
|
|
"nodeSize": null,
|
|
"staticNodeSize": 100,
|
|
"colorSettings": null,
|
|
"hivesMargin": 5
|
|
},
|
|
"chartSettings": {
|
|
"group": "CountryorRegion",
|
|
"createOtherGroup": null,
|
|
"showMetrics": false,
|
|
"showLegend": true
|
|
},
|
|
"mapSettings": {
|
|
"locInfo": "LatLong",
|
|
"latitude": "latitude_",
|
|
"longitude": "longitude_",
|
|
"sizeSettings": "MilesTravelled",
|
|
"sizeAggregation": "Sum",
|
|
"labelSettings": "visit_order",
|
|
"legendMetric": "MilesTravelled",
|
|
"legendAggregation": "Sum",
|
|
"itemColorSettings": {
|
|
"nodeColorField": "MilesTravelled",
|
|
"colorAggregation": "Sum",
|
|
"type": "heatmap",
|
|
"heatmapPalette": "redDark"
|
|
}
|
|
}
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 6 - by Location - All User"
|
|
}
|
|
]
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "selectedTab",
|
|
"comparison": "isEqualTo",
|
|
"value": "UserData"
|
|
},
|
|
"name": "group - UserMap"
|
|
},
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"title": "Group: WAF",
|
|
"items": [
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "AzureDiagnostics\r\n| where ResourceType == \"FRONTDOORS\" and Category == \"FrontdoorWebApplicationFirewallLog\"\r\n\r\n",
|
|
"size": 0,
|
|
"title": "Front door",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"showExportToExcel": true,
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"gridSettings": {
|
|
"filter": true
|
|
}
|
|
},
|
|
"customWidth": "70",
|
|
"name": "query - 0"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "AzureDiagnostics\r\n| where ResourceType == \"FRONTDOORS\" and Category == \"FrontdoorWebApplicationFirewallLog\"\r\n| summarize dcount(Resource), dcount(clientIP_s), dcount(clientPort_d) by Resource\r\n",
|
|
"size": 4,
|
|
"title": "Front door",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"visualization": "tiles",
|
|
"tileSettings": {
|
|
"titleContent": {
|
|
"columnMatch": "Resource",
|
|
"formatter": 1,
|
|
"tooltipFormat": {
|
|
"tooltip": "Front Door"
|
|
}
|
|
},
|
|
"leftContent": {
|
|
"columnMatch": "dcount_Resource",
|
|
"formatter": 12,
|
|
"formatOptions": {
|
|
"palette": "auto"
|
|
},
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
},
|
|
"rightContent": {
|
|
"columnMatch": "dcount_clientIP_s",
|
|
"tooltipFormat": {
|
|
"tooltip": "ClientIPs"
|
|
}
|
|
},
|
|
"secondaryContent": {
|
|
"columnMatch": "dcount_clientPort_d",
|
|
"tooltipFormat": {
|
|
"tooltip": "Ports"
|
|
}
|
|
},
|
|
"showBorder": false
|
|
}
|
|
},
|
|
"customWidth": "30",
|
|
"name": "query - 0 - Copy"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "AzureDiagnostics \r\n| where ResourceProvider == \"MICROSOFT.NETWORK\" and Category == \"ApplicationGatewayFirewallLog\"\r\n",
|
|
"size": 0,
|
|
"title": "Application Gateway Web Application Firewall (WAF) Logs",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"showExportToExcel": true,
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"gridSettings": {
|
|
"filter": true
|
|
}
|
|
},
|
|
"customWidth": "70",
|
|
"name": "query - 0 - Copy"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "AzureDiagnostics \r\n| where ResourceProvider == \"MICROSOFT.NETWORK\" and Category == \"ApplicationGatewayFirewallLog\"\r\n| distinct Resource\r\n| summarize dcount(Resource) by Resource\r\n",
|
|
"size": 4,
|
|
"title": "Application Gateway Web Application Firewall (WAF) Logs",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"visualization": "tiles",
|
|
"tileSettings": {
|
|
"titleContent": {
|
|
"columnMatch": "Resource",
|
|
"formatter": 1
|
|
},
|
|
"leftContent": {
|
|
"columnMatch": "dcount_Resource",
|
|
"formatter": 12,
|
|
"formatOptions": {
|
|
"palette": "auto"
|
|
},
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"style": "decimal",
|
|
"maximumFractionDigits": 2,
|
|
"maximumSignificantDigits": 3
|
|
}
|
|
}
|
|
},
|
|
"showBorder": false
|
|
}
|
|
},
|
|
"customWidth": "30",
|
|
"name": "query - 0 - Copy - Copy"
|
|
}
|
|
]
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "selectedTab",
|
|
"comparison": "isEqualTo",
|
|
"value": "WAF"
|
|
},
|
|
"name": "group - WAF"
|
|
}
|
|
],
|
|
"fallbackResourceIds": [
|
|
"Azure Monitor"
|
|
],
|
|
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
|
|
}
|