{
|
|
"version": "Notebook/1.0",
|
|
"items": [
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "# F5 BIG-IP ASM Insights"
|
|
},
|
|
"name": "text - 0"
|
|
},
|
|
{
|
|
"type": 9,
|
|
"content": {
|
|
"version": "KqlParameterItem/1.0",
|
|
"query": "",
|
|
"crossComponentResources": [],
|
|
"parameters": [
|
|
{
|
|
"id": "977757fe-a2e3-4c43-8b7f-cc4cae3b03cc",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "TimeRange",
|
|
"type": 4,
|
|
"isRequired": true,
|
|
"value": {
|
|
"durationMs": 2419200000
|
|
},
|
|
"typeSettings": {
|
|
"selectableValues": [
|
|
{
|
|
"durationMs": 300000
|
|
},
|
|
{
|
|
"durationMs": 900000
|
|
},
|
|
{
|
|
"durationMs": 1800000
|
|
},
|
|
{
|
|
"durationMs": 3600000
|
|
},
|
|
{
|
|
"durationMs": 14400000
|
|
},
|
|
{
|
|
"durationMs": 43200000
|
|
},
|
|
{
|
|
"durationMs": 86400000
|
|
},
|
|
{
|
|
"durationMs": 172800000
|
|
},
|
|
{
|
|
"durationMs": 259200000
|
|
},
|
|
{
|
|
"durationMs": 604800000
|
|
},
|
|
{
|
|
"durationMs": 1209600000
|
|
},
|
|
{
|
|
"durationMs": 2419200000
|
|
},
|
|
{
|
|
"durationMs": 2592000000
|
|
},
|
|
{
|
|
"durationMs": 5184000000
|
|
},
|
|
{
|
|
"durationMs": 7776000000
|
|
}
|
|
],
|
|
"allowCustom": true
|
|
}
|
|
}
|
|
],
|
|
"style": "pills",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
"name": "parameters - 1"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "let data = F5Telemetry_LTM_CL;\r\ndata\r\n| summarize Count = count() by hostname_s\r\n| join kind = fullouter (datatable(hostname_s:string)['OneDrive', 'SharePoint']) on hostname_s\r\n| project hostname_s = iff(hostname_s == '', hostname_s1, hostname_s), Count = iff(hostname_s == '', 0, Count)\r\n| join kind = inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by hostname_s)\r\n on hostname_s\r\n| project-away hostname_s1, TimeGenerated\r\n| extend hostname_s = hostname_s\r\n| union (\r\n data \r\n | summarize Count = count() \r\n | extend jkey = 1\r\n | join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\r\n | extend jkey = 1) on jkey\r\n | extend hostname_s = 'All', hostname_ss = '*' \r\n)\r\n| order by Count desc\r\n| take 10\r\n",
|
|
"size": 4,
|
|
"exportFieldName": "hostname_s",
|
|
"exportParameterName": "HostName",
|
|
"exportDefaultValue": "All",
|
|
"exportToExcelOptions": "visible",
|
|
"title": "HostName events",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "tiles",
|
|
"tileSettings": {
|
|
"titleContent": {
|
|
"columnMatch": "hostname_s",
|
|
"formatter": 1,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
"leftContent": {
|
|
"columnMatch": "Count",
|
|
"formatter": 12,
|
|
"formatOptions": {
|
|
"palette": "auto",
|
|
"showIcon": true
|
|
},
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
},
|
|
"secondaryContent": {
|
|
"columnMatch": "Trend",
|
|
"formatter": 10,
|
|
"formatOptions": {
|
|
"min": 0,
|
|
"palette": "blue",
|
|
"showIcon": true
|
|
}
|
|
},
|
|
"showBorder": false
|
|
}
|
|
},
|
|
"name": "query - 2"
|
|
},
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "---\r\n## LTM events"
|
|
},
|
|
"name": "text - 8"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "F5Telemetry_LTM_CL \r\n| where hostname_s == '{HostName}' or '{HostName}' == \"All\"\r\n| summarize count() by hostname_s, bin(TimeGenerated, {TimeRange:grain}) ",
|
|
"size": 0,
|
|
"exportToExcelOptions": "visible",
|
|
"title": "HostName LTM events over time",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "linechart"
|
|
},
|
|
"name": "query - 3"
|
|
},
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "---\r\n## System events"
|
|
},
|
|
"name": "text - 7"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "F5Telemetry_system_CL \r\n| where hostname_s == '{HostName}' or '{HostName}' == \"All\"\r\n| summarize AggregatedValue = avg(cpu_d) by hostname_s, bin(TimeGenerated, {TimeRange:grain}) \r\n| sort by AggregatedValue desc",
|
|
"size": 0,
|
|
"exportToExcelOptions": "visible",
|
|
"title": "BIG-IP CPU use over time",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "areachart"
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 4"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "F5Telemetry_system_CL \r\n| where hostname_s == '{HostName}' or '{HostName}' == \"All\"\r\n| summarize AggregatedValue = avg(tmmMemory_d) by hostname_s, bin(TimeGenerated, {TimeRange:grain}) \r\n| sort by AggregatedValue desc",
|
|
"size": 0,
|
|
"exportToExcelOptions": "visible",
|
|
"title": "BIG-IP TMM Memory use over time",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "linechart"
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 5"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "F5Telemetry_system_CL \r\n| where hostname_s == '{HostName}' or '{HostName}' == \"All\"\r\n| summarize AggregatedValue = avg(memory_d) by hostname_s, bin(TimeGenerated, {TimeRange:grain}) \r\n| sort by AggregatedValue desc",
|
|
"size": 0,
|
|
"exportToExcelOptions": "visible",
|
|
"title": "BIG-IP Memory use over time",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "linechart",
|
|
"tileSettings": {
|
|
"showBorder": false,
|
|
"titleContent": {
|
|
"columnMatch": "hostname_s",
|
|
"formatter": 1
|
|
},
|
|
"leftContent": {
|
|
"columnMatch": "AggregatedValue",
|
|
"formatter": 12,
|
|
"formatOptions": {
|
|
"palette": "auto"
|
|
},
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 6"
|
|
},
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "---\r\n## ASM events"
|
|
},
|
|
"name": "text - 10"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "F5Telemetry_ASM_CL \r\n| where hostname_s == '{HostName}' or '{HostName}' == \"All\"\r\n| where isnotempty(request_status_s)\r\n| summarize ASM_Policy_Status = count() by ['Request Status'] = request_status_s, severity_s, violations_s\r\n| order by ['Request Status'] asc",
|
|
"size": 0,
|
|
"exportToExcelOptions": "visible",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "Request Status",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "severity_s",
|
|
"formatter": 18,
|
|
"formatOptions": {
|
|
"showIcon": true,
|
|
"thresholdsOptions": "icons",
|
|
"thresholdsGrid": [
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "Critical",
|
|
"representation": "4",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "Informational",
|
|
"representation": "1",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "Error",
|
|
"representation": "3",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "Warning",
|
|
"representation": "warning",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "Default",
|
|
"thresholdValue": null,
|
|
"representation": "more",
|
|
"text": "{0}{1}"
|
|
}
|
|
],
|
|
"aggregation": "Unique"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "violations_s",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true,
|
|
"aggregation": "Unique"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "ASM_Policy_Status",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"min": 0,
|
|
"palette": "blue",
|
|
"showIcon": true,
|
|
"aggregation": "Sum"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "request_status",
|
|
"formatter": 5,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "request_status_s",
|
|
"formatter": 5,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "$gen_group",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
}
|
|
],
|
|
"hierarchySettings": {
|
|
"treeType": 1,
|
|
"groupBy": [
|
|
"Request Status"
|
|
],
|
|
"expandTopLevel": true
|
|
},
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "$gen_group",
|
|
"sortOrder": 1
|
|
}
|
|
],
|
|
"labelSettings": [
|
|
{
|
|
"columnId": "request_status_s",
|
|
"label": "Request Status"
|
|
},
|
|
{
|
|
"columnId": "severity_s",
|
|
"label": "Severity"
|
|
},
|
|
{
|
|
"columnId": "violations_s",
|
|
"label": "Violations"
|
|
},
|
|
{
|
|
"columnId": "ASM_Policy_Status",
|
|
"label": "Count"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"name": "query - 11"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "F5Telemetry_ASM_CL \r\n| where hostname_s == '{HostName}' or '{HostName}' == \"All\"\r\n| where isnotempty(attack_type_s) \r\n| summarize count() by hostname_s, bin(TimeGenerated, {TimeRange:grain})",
|
|
"size": 0,
|
|
"exportToExcelOptions": "visible",
|
|
"title": "ASM violations",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "linechart"
|
|
},
|
|
"name": "query - 11"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "F5Telemetry_ASM_CL \r\n| where hostname_s == '{HostName}' or '{HostName}' == \"All\"\r\n| where isnotempty(attack_type_s) \r\n| summarize Total_Attacks = count() by ['Attack Type'] = attack_type_s , attack_type_s\r\n| sort by Total_Attacks",
|
|
"size": 0,
|
|
"exportFieldName": "attack_type_s",
|
|
"exportParameterName": "attack_type",
|
|
"exportDefaultValue": "All",
|
|
"exportToExcelOptions": "visible",
|
|
"title": "ASM violations by attack type",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "Attack Type",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "attack_type_s",
|
|
"formatter": 5,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Total_Attacks",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"min": 0,
|
|
"palette": "greenRed",
|
|
"showIcon": true
|
|
}
|
|
}
|
|
],
|
|
"filter": true,
|
|
"labelSettings": []
|
|
}
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 12"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "F5Telemetry_ASM_CL \r\n| where hostname_s == '{HostName}' or '{HostName}' == \"All\"\r\n| where '{attack_type}' == attack_type_s or '{attack_type}' == \"All\"\r\n| where isnotempty(attack_type_s) \r\n| summarize Total_Attacks = count() by ['Attack Type'] = attack_type_s \r\n| sort by Total_Attacks",
|
|
"size": 0,
|
|
"exportToExcelOptions": "visible",
|
|
"title": "ASM violations by attack type (distribution)",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "piechart"
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 14"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "F5Telemetry_ASM_CL \r\n| where hostname_s == '{HostName}' or '{HostName}' == \"All\"\r\n| where '{attack_type}' == attack_type_s or '{attack_type}' == \"All\"\r\n| where request_status_s == \"blocked\" \r\n| project TimeGenerated, ip_client_s, request_status_s, violation_rating_s ,hostname_s, request_s , attack_type_s, violations_s, support_id_s \r\n| order by toint(violation_rating_s) desc\r\n",
|
|
"size": 0,
|
|
"showAnalytics": true,
|
|
"exportToExcelOptions": "visible",
|
|
"title": "Attack summary (blocked requests only)",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "ip_client_s",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "request_status_s",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "hostname_s",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "request_s",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "attack_type_s",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "violations_s",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "violation_rating_s",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "greenRed",
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "session_id_s",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
}
|
|
],
|
|
"filter": true,
|
|
"labelSettings": [
|
|
{
|
|
"columnId": "ip_client_s",
|
|
"label": "IP client"
|
|
},
|
|
{
|
|
"columnId": "request_status_s",
|
|
"label": "Request Status"
|
|
},
|
|
{
|
|
"columnId": "hostname_s",
|
|
"label": "Hostname"
|
|
},
|
|
{
|
|
"columnId": "request_s",
|
|
"label": "Request"
|
|
},
|
|
{
|
|
"columnId": "attack_type_s",
|
|
"label": "Attack Type"
|
|
},
|
|
{
|
|
"columnId": "violations_s",
|
|
"label": "Violations"
|
|
},
|
|
{
|
|
"columnId": "violation_rating_s",
|
|
"label": "Violation Rating"
|
|
},
|
|
{
|
|
"columnId": "session_id_s",
|
|
"label": "Session Id"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"name": "query - 13"
|
|
}
|
|
],
|
|
"styleSettings": {},
|
|
"fromTemplateId": "sentinel-F5Networks",
|
|
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
|
|
}
|