
{
"version": "Notebook/1.0",
"items": [
{
"type": 1,
"content": {
"json": "## Illusive ASM Dashboard\n"
},
"name": "text - 2"
},
{
"type": 1,
"content": {
"json": "\n"
},
"customWidth": "80",
"name": "text - 2 - Copy"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "e5b79f84-7773-4162-9750-702cd0001041",
"version": "KqlParameterItem/1.0",
"name": "NumberOfDays",
"label": "Number of Days",
"type": 2,
"description": "Select the range of days to query",
"isRequired": true,
"value": "14",
"typeSettings": {
"additionalResourceOptions": []
},
"jsonData": "[1,7,14,21,30]"
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"customWidth": "20",
"name": "parameters - 6",
"styleSettings": {
"margin": "0px",
"maxWidth": "50"
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "union CommonSecurityLog | \r\nwhere (DeviceEventClassID == \"illusive:violation\") |\r\nwhere TimeGenerated > ago({NumberOfDays}d) |\r\nsummarize count = count() by ViolationType = DeviceCustomString1 \r\n\r\n",
"size": 0,
"title": "Violation Types",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart",
"chartSettings": {
"yAxis": [
"count"
],
"group": "ViolationType",
"createOtherGroup": 7
}
},
"customWidth": "50",
"name": "Violation Types",
"styleSettings": {
"maxWidth": "50"
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let binSize = iff({NumberOfDays} > 1, 1d, 1h);\nunion CommonSecurityLog | \nwhere (DeviceEventClassID == \"illusive:violation\") |\nwhere TimeGenerated > ago({NumberOfDays}d) | \nmake-series event_count=count() default=0 on TimeGenerated in range (ago({NumberOfDays}d), now(), binSize) |\nmvexpand TimeGenerated, event_count |\nproject todatetime(TimeGenerated), toint(event_count)",
"size": 0,
"aggregation": 3,
"title": "Violations Over Time",
"timeContext": {
"durationMs": 2592000000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "linechart",
"chartSettings": {
"seriesLabelSettings": [
{
"seriesName": "event_count",
"color": "yellow"
}
]
}
},
"customWidth": "50",
"name": "Violations Trendline",
"styleSettings": {
"maxWidth": "50"
}
},
{
"type": 1,
"content": {
"json": "\r\n## Domain User Credentials"
},
"name": "text - 9"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "union CommonSecurityLog | \r\nwhere (DeviceEventClassID == \"illusive:violation\") |\r\nwhere (DeviceCustomString1 == \"USER_CREDENTIALS\") |\r\nwhere TimeGenerated > ago({NumberOfDays}d) |\r\nsummarize NumberOfViolations = count() by TopViolatingHost = SourceHostName |\r\ntop 5 by NumberOfViolations desc\r\n\r\n",
"size": 0,
"title": "Domain User Credentials - Top Violating Hosts",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart",
"gridSettings": {
"rowLimit": 10
},
"chartSettings": {
"yAxis": [
"NumberOfViolations"
],
"group": "TopViolatingHost",
"createOtherGroup": 6
}
},
"customWidth": "50",
"name": "Domain User Credentials Top Violating Hosts",
"styleSettings": {
"maxWidth": "50"
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "union CommonSecurityLog | \r\nwhere (DeviceEventClassID == \"illusive:violation\") |\r\nwhere (DeviceCustomString1 == \"USER_CREDENTIALS\") |\r\nwhere TimeGenerated > ago({NumberOfDays}d) |\r\nsummarize NumberOfViolations = count() by TopViolatingUsers = SourceUserName |\r\ntop 5 by NumberOfViolations desc\r\n\r\n",
"size": 0,
"title": "Domain User Credentials - Top Violating Users",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart",
"gridSettings": {
"rowLimit": 10
},
"chartSettings": {
"yAxis": [
"NumberOfViolations"
],
"group": "TopViolatingUsers",
"createOtherGroup": 7
}
},
"customWidth": "50",
"name": "Domain User Credentials Top Violating Users",
"styleSettings": {
"maxWidth": "50"
}
},
{
"type": 1,
"content": {
"json": "\r\n## Crown Jewel Connections"
},
"name": "text - 9 - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "union CommonSecurityLog | \r\nwhere (DeviceEventClassID == \"illusive:violation\") |\r\nwhere (DeviceCustomString1 == \"CROWN_JEWEL_CREDENTIALS\") |\r\nwhere TimeGenerated > ago({NumberOfDays}d) |\r\nsummarize NumberOfViolations = count() by TopViolatingHost = SourceHostName |\r\ntop 5 by NumberOfViolations desc\r\n\r\n",
"size": 0,
"title": "Crown Jewel Connections - Top Violating Hosts",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart",
"gridSettings": {
"rowLimit": 10
},
"chartSettings": {
"yAxis": [
"NumberOfViolations"
],
"group": "TopViolatingHost",
"createOtherGroup": 6
}
},
"customWidth": "33",
"name": "Crown Jewel Connections Top Violating Hosts",
"styleSettings": {
"maxWidth": "33"
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "union CommonSecurityLog | \r\nwhere (DeviceEventClassID == \"illusive:violation\") |\r\nwhere (DeviceCustomString1 == \"CROWN_JEWEL_CREDENTIALS\") |\r\nwhere TimeGenerated > ago({NumberOfDays}d) |\r\nsummarize NumberOfViolations = count() by CrownJewelType = DeviceCustomString6 |\r\ntop 5 by NumberOfViolations desc\r\n\r\n",
"size": 0,
"title": "Crown Jewel Connections - Crown Jewel Types",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart",
"gridSettings": {
"rowLimit": 10
},
"chartSettings": {
"yAxis": [
"NumberOfViolations"
],
"group": "CrownJewelType",
"createOtherGroup": 6
}
},
"customWidth": "33",
"name": "Crown Jewel Connections - Crown Jewel Types",
"styleSettings": {
"maxWidth": "33"
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "union CommonSecurityLog | \r\nwhere (DeviceEventClassID == \"illusive:violation\") |\r\nwhere (DeviceCustomString1 == \"CROWN_JEWEL_CREDENTIALS\") |\r\nwhere TimeGenerated > ago({NumberOfDays}d) |\r\nsummarize NumberOfViolations = count() by ServiceType = DeviceCustomString4 |\r\ntop 5 by NumberOfViolations desc\r\n\r\n",
"size": 0,
"title": "Crown Jewel Connections - Service Types",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart",
"gridSettings": {
"rowLimit": 10
},
"chartSettings": {
"yAxis": [
"NumberOfViolations"
],
"group": "ServiceType",
"createOtherGroup": 8
}
},
"customWidth": "33",
"name": "Crown Jewel Connections - Service Types",
"styleSettings": {
"maxWidth": "33"
}
},
{
"type": 1,
"content": {
"json": "\r\n## Local User Administrators"
},
"name": "text - 9 - Copy - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "union CommonSecurityLog | \r\nwhere (DeviceEventClassID == \"illusive:violation\") |\r\nwhere (DeviceCustomString1 == \"LOCAL_USER_ADMINISTRATORS\") |\r\nwhere TimeGenerated > ago({NumberOfDays}d) |\r\nsummarize NumberOfViolations = count() by TopViolatingHost = SourceHostName |\r\ntop 5 by NumberOfViolations desc\r\n\r\n",
"size": 0,
"title": "Local User Administrators - Top Violating Hosts",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart",
"chartSettings": {
"yAxis": [
"NumberOfViolations"
],
"group": "TopViolatingHost",
"createOtherGroup": 7
}
},
"customWidth": "50",
"name": "Local User Administrators Top Violating Hosts",
"styleSettings": {
"maxWidth": "50"
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "union CommonSecurityLog | \r\nwhere (DeviceEventClassID == \"illusive:violation\") |\r\nwhere (DeviceCustomString1 == \"LOCAL_USER_ADMINISTRATORS\") |\r\nwhere TimeGenerated > ago({NumberOfDays}d) |\r\nsummarize NumberOfViolations = count() by TopViolatingUsers = SourceUserName |\r\ntop 5 by NumberOfViolations desc\r\n\r\n",
"size": 0,
"title": "Local User Administrators - Top Violating Users",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart",
"chartSettings": {
"yAxis": [
"NumberOfViolations"
],
"group": "TopViolatingUsers",
"createOtherGroup": 7
}
},
"customWidth": "50",
"name": "Local User Administrators - Top Violating Users",
"styleSettings": {
"maxWidth": "50"
}
},
{
"type": 1,
"content": {
"json": "\r\n## Suspicious Files"
},
"name": "text - 9 - Copy - Copy - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "union CommonSecurityLog | \r\nwhere (DeviceEventClassID == \"illusive:violation\") |\r\nwhere (DeviceCustomString1 == \"SUSPICIOUS_FILES\") |\r\nwhere TimeGenerated > ago({NumberOfDays}d) |\r\nsummarize NumberOfViolations = count() by TopSuspiciousFilesHashes = DeviceCustomString3 |\r\ntop 5 by NumberOfViolations desc\r\n\r\n",
"size": 0,
"title": "Suspicious Files - Top Violating Processes",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table",
"chartSettings": {
"yAxis": [
"NumberOfViolations"
],
"group": "TopViolatingHost",
"createOtherGroup": 7
}
},
"customWidth": "50",
"name": "Suspicious Files Top Violating Hosts",
"styleSettings": {
"maxWidth": "50"
}
}
],
"styleSettings": {},
"fromTemplateId": "sentinel-IllusiveASM",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}