Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность
Azure-Sentinel/Workbooks/OnapsisAlarmsOverview.json

384 строки
12 KiB
JSON
Исходник Ответственный История

{
"version": "Notebook/1.0",
"items": [
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "3448d079-06d5-493b-8769-0a54a0309367",
"version": "KqlParameterItem/1.0",
"name": "time_range",
"label": "Time Range",
"type": 4,
"typeSettings": {
"selectableValues": [
{
"durationMs": 300000
},
{
"durationMs": 900000
},
{
"durationMs": 1800000
},
{
"durationMs": 3600000
},
{
"durationMs": 86400000
},
{
"durationMs": 604800000
},
{
"durationMs": 2592000000
}
],
"allowCustom": true,
"defaultValue": 86400000
},
"timeContext": {
"durationMs": 86400000
},
"value": {
"durationMs": 2592000000
}
},
{
"id": "73dba27b-6754-4b81-a3fe-254d8d03f2b6",
"version": "KqlParameterItem/1.0",
"name": "category",
"label": "Category",
"type": 2,
"multiSelect": true,
"quote": "",
"delimiter": ",",
"typeSettings": {
"additionalResourceOptions": [],
"showDefault": false
},
"jsonData": "[\r\n { \"value\":1, \"label\":\"User Activity\", \"selected\":true },\r\n { \"value\":2, \"label\":\"Exploitation\", \"selected\":true },\r\n { \"value\":3, \"label\":\"Vulnerable Access\", \"selected\":true },\r\n { \"value\":4, \"label\":\"Sensitive Access\", \"selected\":true }\r\n]",
"value": [
"1",
"4"
]
},
{
"id": "9a5ccc66-29a2-473a-b93d-a1e0a1442815",
"version": "KqlParameterItem/1.0",
"name": "asset",
"label": "Asset",
"type": 2,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "CommonSecurityLog | where DeviceVendor==\"Onapsis\" | distinct DeviceCustomString1",
"typeSettings": {
"additionalResourceOptions": [
"value::all"
],
"showDefault": false
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "time_range",
"defaultValue": "value::all",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 2"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog | where DeviceVendor==\"Onapsis\" and DeviceCustomString1 in ({asset}) and DeviceEventClassID in ({category}) | summarize count=count() by DeviceEventClassID | extend Category=case(DeviceEventClassID==1,\"User Activity\", DeviceEventClassID==2,\"Exploitation\",DeviceEventClassID==3,\"Vulnerable Access\",\"Sensitive Access\")",
"size": 0,
"title": "Alarm breakdown by category",
"timeContext": {
"durationMs": 2592000000
},
"timeContextFromParameter": "time_range",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart",
"tileSettings": {
"showBorder": false,
"titleContent": {
"columnMatch": "incident_type_s",
"formatter": 1
},
"leftContent": {
"columnMatch": "count_",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
},
"graphSettings": {
"type": 0,
"topContent": {
"columnMatch": "incident_type_s",
"formatter": 1
},
"centerContent": {
"columnMatch": "count_",
"formatter": 1,
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
},
"chartSettings": {
"yAxis": [
"count"
],
"group": "Category",
"createOtherGroup": null
},
"mapSettings": {
"locInfo": "LatLong",
"sizeSettings": "count_",
"sizeAggregation": "Sum",
"legendMetric": "count_",
"legendAggregation": "Sum",
"itemColorSettings": {
"type": "heatmap",
"colorAggregation": "Sum",
"nodeColorField": "count_",
"heatmapPalette": "greenRed"
}
}
},
"customWidth": "30",
"name": "query - 2"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog | where DeviceVendor==\"Onapsis\" and DeviceCustomString1 in ({asset}) and DeviceEventClassID in ({category}) | summarize Count=count() by bin(TimeGenerated, 1d)",
"size": 0,
"title": "Alarm volume over time",
"timeContext": {
"durationMs": 2592000000
},
"timeContextFromParameter": "time_range",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "timechart"
},
"customWidth": "40",
"name": "query - 4"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog | where DeviceVendor==\"Onapsis\" and DeviceCustomString1 in ({asset}) and DeviceEventClassID in ({category}) | summarize count() by DeviceCustomString1 | take 10",
"size": 0,
"title": "Assets triggering the most alarms",
"timeContext": {
"durationMs": 2592000000
},
"timeContextFromParameter": "time_range",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "barchart",
"graphSettings": {
"type": 0,
"topContent": {
"columnMatch": "asset_name_s",
"formatter": 1
},
"centerContent": {
"columnMatch": "count_",
"formatter": 1,
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
}
},
"customWidth": "30",
"name": "query - 3"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog | where DeviceVendor==\"Onapsis\" and DeviceCustomString1 in ({asset}) and DeviceEventClassID in ({category}) | summarize Count=count() by SourceUserName | order by Count | take 10 | project Username=SourceUserName, Count",
"size": 1,
"title": "Users triggering the most alarms",
"timeContext": {
"durationMs": 2592000000
},
"timeContextFromParameter": "time_range",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "Username",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "50%"
}
},
{
"columnMatch": "Count",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "50%"
}
}
]
}
},
"customWidth": "50",
"name": "query - 5"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog | where DeviceVendor==\"Onapsis\" and DeviceCustomString1 in ({asset}) and DeviceEventClassID in ({category}) | summarize Count=count() by SourceIP | order by Count | take 10 | project Source=SourceIP, Count",
"size": 1,
"title": "Sources triggering the most alarms",
"timeContext": {
"durationMs": 2592000000
},
"timeContextFromParameter": "time_range",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "Source",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "50%"
}
},
{
"columnMatch": "Count",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "50%"
}
}
]
}
},
"customWidth": "50",
"name": "query - 6"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog | where DeviceVendor==\"Onapsis\" and DeviceCustomString1 in ({asset}) and DeviceEventClassID in ({category}) | parse kind = regex AdditionalExtensions with \"sev=\" Criticality |summarize Count = count() by Message, Criticality | order by Criticality, Count | project Incident_Name=Message, Criticality, Count",
"size": 1,
"title": "Incident Report",
"timeContext": {
"durationMs": 2592000000
},
"timeContextFromParameter": "time_range",
"exportFieldName": "Incident_Name",
"exportParameterName": "incident_name",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "query - 7"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "incident_lookup | where IncidentName == '{incident_name}'",
"size": 0,
"title": "Incident Details",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table",
"gridSettings": {
"sortBy": [
{
"itemKey": "RootCause",
"sortOrder": 1
}
]
},
"sortBy": [
{
"itemKey": "RootCause",
"sortOrder": 1
}
],
"tileSettings": {
"showBorder": false
},
"graphSettings": {
"type": 0
},
"mapSettings": {
"locInfo": "LatLong"
}
},
"conditionalVisibility": {
"parameterName": "incident_name",
"comparison": "isNotEqualTo"
},
"customWidth": "50",
"name": "query - 8"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog | where DeviceVendor==\"Onapsis\" and Message == '{incident_name}' and DeviceCustomString1 in ({asset}) | project Time=TimeGenerated, Asset=DeviceCustomString1, Client=DeviceCustomString2, Username=SourceUserName, Source=SourceIP, Logline=DeviceCustomString5 | order by Time",
"size": 0,
"title": "Incident Occurrences",
"timeContext": {
"durationMs": 2592000000
},
"timeContextFromParameter": "time_range",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"conditionalVisibility": {
"parameterName": "incident_name",
"comparison": "isNotEqualTo"
},
"customWidth": "50",
"name": "query - 8"
}
],
"styleSettings": {},
"fromTemplateId": "sentinel-OnapsisAlarms",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}
Ссылка в новой задаче Показать git blame Копировать постоянную ссылку