
{
"version": "Notebook/1.0",
"items": [
{
"type": 1,
"content": {
"json": "## Azure Key Vaults\n"
},
"name": "text - 2"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"crossComponentResources": [
"{Workspaces}"
],
"parameters": [
{
"id": "a0259937-eda6-430d-bf13-6c07bfd4e32b",
"version": "KqlParameterItem/1.0",
"name": "DefaultSubscription_Internal",
"type": 1,
"isRequired": true,
"query": "where type =~ 'microsoft.operationalinsights/workspaces'\r\n| take 1\r\n| project subscriptionId",
"crossComponentResources": [
"value::selected"
],
"isHiddenWhenLocked": true,
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
},
{
"id": "84ca1870-93c6-4a43-a5fb-792886ab1eca",
"version": "KqlParameterItem/1.0",
"name": "TimeRange",
"type": 4,
"isRequired": true,
"value": {
"durationMs": 7776000000
},
"typeSettings": {
"selectableValues": [
{
"durationMs": 300000
},
{
"durationMs": 900000
},
{
"durationMs": 1800000
},
{
"durationMs": 3600000
},
{
"durationMs": 14400000
},
{
"durationMs": 43200000
},
{
"durationMs": 86400000
},
{
"durationMs": 172800000
},
{
"durationMs": 259200000
},
{
"durationMs": 604800000
},
{
"durationMs": 1209600000
},
{
"durationMs": 2419200000
},
{
"durationMs": 2592000000
},
{
"durationMs": 5184000000
},
{
"durationMs": 7776000000
}
],
"allowCustom": true
},
"timeContext": {
"durationMs": 86400000
}
},
{
"id": "d213ef66-f7cd-4e8f-bd05-d7811577fb61",
"version": "KqlParameterItem/1.0",
"name": "Subscription",
"type": 6,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "summarize by subscriptionId\r\n| project value = strcat(\"/subscriptions/\", subscriptionId), label = subscriptionId, selected = iff(subscriptionId =~ '{DefaultSubscription_Internal}', true, false)\r\n",
"crossComponentResources": [
"value::selected"
],
"value": [
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
],
"showDefault": false
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
},
{
"id": "3d0a03f2-3edd-45a0-9113-76be5d9c81d2",
"version": "KqlParameterItem/1.0",
"name": "Workspaces",
"type": 5,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "where type =~ 'microsoft.operationalinsights/workspaces'\r\n| where strcat('/subscriptions/',subscriptionId) in ({Subscription})\r\n| project id",
"crossComponentResources": [
"value::selected"
],
"value": [
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
],
"showDefault": false
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
},
{
"id": "50862310-e38b-4c56-9475-de85c7f1e78b",
"version": "KqlParameterItem/1.0",
"name": "KeyVault",
"type": 5,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "where type =~ 'microsoft.keyvault/vaults'\r\n| where strcat('/subscriptions/',subscriptionId) in ({Subscription})\r\n| project id=tolower(id)",
"crossComponentResources": [
"{Workspaces}"
],
"value": [
"value::all"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
],
"showDefault": false
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
}
],
"style": "pills",
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
},
"name": "parameters - 1"
},
{
"type": 11,
"content": {
"version": "LinkItem/1.0",
"style": "tabs",
"links": [
{
"id": "0d07fb2d-b76e-4e9d-8a68-894237cadec4",
"cellValue": "mainTab",
"linkTarget": "parameter",
"linkLabel": "Azure Defender for Key Vault alerts",
"subTarget": "alerts",
"style": "link"
},
{
"id": "918a3880-2818-48e0-8fae-b31c3020e22c",
"cellValue": "mainTab",
"linkTarget": "parameter",
"linkLabel": "Analytics over Key Vault events",
"subTarget": "diagnostics",
"style": "link"
},
{
"id": "590e729d-bf07-4670-8bbe-709f9d03a774",
"cellValue": "mainTab",
"linkTarget": "parameter",
"linkLabel": "Key Vault monitoring",
"subTarget": "monitor",
"style": "link"
}
]
},
"name": "links - 6"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 1,
"content": {
"json": "## Diagnostic logs coverage"
},
"name": "text - 0"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "union withsource=_TableName *\r\n| where _TableName == \"AzureDiagnostics\" and Category == \"AuditEvent\" and ResourceType == \"VAULTS\"\r\n| summarize count() by ResourceId = tolower(ResourceId)\r\n| summarize logsKVs = make_set(ResourceId)\r\n| extend selectedKVs = \"[{KeyVault}]\"\r\n| extend selectedKVs = replace(\"'\", '\"', selectedKVs)\r\n| extend selectedKVs = todynamic(selectedKVs)\r\n| mv-expand KVId = selectedKVs\r\n| project KVId = toupper(tostring(KVId)), [\"Diagnostic logs\"] = (logsKVs has tostring(KVId))\r\n| extend [\"Diagnostic settings\"] = iff([\"Diagnostic logs\"] == false, strcat(\"https://ms.portal.azure.com/#@microsoft.onmicrosoft.com/resource\", KVId, \"/diagnostics\"), \"\")\r\n| order by [\"Diagnostic settings\"] desc\r\n",
"size": 0,
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspaces}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "Diagnostic logs",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "false",
"representation": "4",
"text": ""
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "success",
"text": ""
}
]
}
},
{
"columnMatch": "Diagnostic settings",
"formatter": 7,
"formatOptions": {
"linkTarget": "Url"
}
}
],
"filter": true
}
},
"customWidth": "60",
"name": "query - 1"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "union withsource=_TableName *\r\n| where _TableName == \"AzureDiagnostics\" and Category == \"AuditEvent\" and ResourceType == \"VAULTS\"\r\n| summarize count() by ResourceId = tolower(ResourceId)\r\n| summarize logsKVs = make_set(ResourceId)\r\n| extend selectedKVs = \"[{KeyVault}]\"\r\n| extend selectedKVs = replace(\"'\", '\"', selectedKVs)\r\n| extend selectedKVs = todynamic(selectedKVs)\r\n| mv-expand KVId = selectedKVs\r\n| project KVId = toupper(tostring(KVId)),isDiag = (logsKVs has tostring(KVId))\r\n| summarize KeyVaults = count() by isDiag\r\n| project KeyVaults, ['Diagnostic logs for Key Vaults'] = iif(isDiag,'Diagnostic logs collected','Diagnostic logs not collected')\r\n",
"size": 0,
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspaces}"
],
"visualization": "piechart"
},
"customWidth": "40",
"name": "query - 2"
}
]
},
"conditionalVisibility": {
"parameterName": "mainTab",
"comparison": "isEqualTo",
"value": "diagnostics"
},
"name": "group - 7",
"styleSettings": {
"showBorder": true
}
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 1,
"content": {
"json": "## Key vault activity baselines and deviations"
},
"name": "text - 0"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "48d47b0d-e3f3-420c-9427-d52a8afb0f0e",
"version": "KqlParameterItem/1.0",
"name": "BaselineTimeRange",
"type": 4,
"isRequired": true,
"value": {
"durationMs": 1209600000
},
"typeSettings": {
"selectableValues": [
{
"durationMs": 300000
},
{
"durationMs": 900000
},
{
"durationMs": 1800000
},
{
"durationMs": 3600000
},
{
"durationMs": 14400000
},
{
"durationMs": 43200000
},
{
"durationMs": 86400000
},
{
"durationMs": 172800000
},
{
"durationMs": 259200000
},
{
"durationMs": 604800000
},
{
"durationMs": 1209600000
},
{
"durationMs": 2419200000
},
{
"durationMs": 2592000000
},
{
"durationMs": 5184000000
},
{
"durationMs": 7776000000
}
],
"allowCustom": true
},
"timeContext": {
"durationMs": 86400000
}
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 1"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "AzureDiagnostics\r\n| where TimeGenerated > {BaselineTimeRange:start}\r\n| where ResourceType == \"VAULTS\"\r\n| where Category == \"AuditEvent\"\r\n| where tolower(ResourceId) in ({KeyVault})\r\n| summarize DailyCount = count() by ResourceId, bin_at(TimeGenerated, 1d, now())\r\n| make-series metric = sum(DailyCount) on TimeGenerated in range({BaselineTimeRange:start}, now()-1d, 1d) by ResourceId\r\n| extend series_decompose_anomalies(metric) // Anomaly detection\r\n| project ResourceId, day = (TimeGenerated), DailyCounts = metric, AnomalyScore = series_decompose_anomalies_metric_ad_score\r\n| extend MaxAnomalyScore = AnomalyScore, MinAnomalyScore = AnomalyScore, AnomlyScoreTrend = AnomalyScore\r\n| mv-apply MaxAnomalyScore to typeof(real) on (top 1 by MaxAnomalyScore desc)\r\n| mv-apply MinAnomalyScore to typeof(real) on (top 1 by MinAnomalyScore asc)\r\n| mv-expand with_itemindex=Index AnomalyScore\r\n| where Index == array_length(DailyCounts)-1\r\n| project-away day, Index\r\n| extend AnomalyScoreAbs = abs(toreal(AnomalyScore))\r\n| extend WasAnomalous = iif(MaxAnomalyScore > 3 or MinAnomalyScore < -3, true, false)\r\n| extend Anomalous = iif(AnomalyScoreAbs > 3, true, false)\r\n| order by AnomalyScoreAbs desc\r\n\r\n",
"size": 0,
"title": "Daily anomaly scores, by key vault",
"exportFieldName": "ResourceId",
"exportParameterName": "SelectedResource",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspaces}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "DailyCounts",
"formatter": 9,
"formatOptions": {
"palette": "blue"
}
},
{
"columnMatch": "AnomalyScore",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "startsWith",
"thresholdValue": "-",
"representation": "trenddown",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "0",
"representation": "right",
"text": "{0}{1}"
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "trendup",
"text": "{0}{1}"
}
]
},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": false
}
}
},
{
"columnMatch": "MaxAnomalyScore",
"formatter": 5
},
{
"columnMatch": "MinAnomalyScore",
"formatter": 5
},
{
"columnMatch": "AnomlyScoreTrend",
"formatter": 9,
"formatOptions": {
"palette": "orange"
}
},
{
"columnMatch": "AnomalyScoreAbs",
"formatter": 5
},
{
"columnMatch": "WasAnomalous",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "true",
"representation": "2",
"text": ""
},
{
"operator": "==",
"thresholdValue": "false",
"representation": "Blank",
"text": ""
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "success",
"text": "{0}{1}"
}
]
},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": false
}
}
},
{
"columnMatch": "Anomalous",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "true",
"representation": "Important",
"text": ""
},
{
"operator": "==",
"thresholdValue": "false",
"representation": "Blank",
"text": ""
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "success",
"text": "{0}{1}"
}
]
}
}
],
"filter": true,
"labelSettings": [
{
"columnId": "ResourceId"
},
{
"columnId": "AnomalyScore",
"label": "Anomaly Score"
},
{
"columnId": "AnomlyScoreTrend",
"label": "Anomaly trend"
},
{
"columnId": "AnomalyScoreAbs"
},
{
"columnId": "WasAnomalous",
"label": "Historical anomaly"
}
]
},
"chartSettings": {
"yAxis": [
"AnomalyScore"
]
}
},
"name": "query - 2"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "AzureDiagnostics\r\n| where TimeGenerated > {BaselineTimeRange:start}\r\n| where ResourceType == \"VAULTS\"\r\n| where Category == \"AuditEvent\"\r\n| where tolower(ResourceId) == tolower('{SelectedResource}')\r\n| summarize DailyCount = count() by ResourceId, bin_at(TimeGenerated, 1d, now())\r\n| make-series metric = sum(DailyCount) on TimeGenerated in range({BaselineTimeRange:start}, now()-1d, 1d) by ResourceId\r\n| extend series_decompose_anomalies(metric) // Anomaly detection\r\n| project ResourceId, day = (TimeGenerated), DailyCounts = metric, AnomalyScore = series_decompose_anomalies_metric_ad_score\r\n",
"size": 0,
"title": "Daily activity over time for the selected key vault (from the list above)",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspaces}"
],
"visualization": "timechart",
"chartSettings": {
"yAxis": [
"DailyCounts"
],
"ySettings": {
"numberFormatSettings": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": true
}
}
}
}
},
"customWidth": "50",
"name": "query - 2 - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "AzureDiagnostics\r\n| where TimeGenerated > {BaselineTimeRange:start}\r\n| where ResourceType == \"VAULTS\"\r\n| where Category == \"AuditEvent\"\r\n| where tolower(ResourceId) == tolower('{SelectedResource}')\r\n| summarize DailyCount = count() by ResourceId, bin_at(TimeGenerated, 1d, now())\r\n| make-series metric = sum(DailyCount) on TimeGenerated in range({BaselineTimeRange:start}, now()-1d, 1d) by ResourceId\r\n| extend series_decompose_anomalies(metric) // Anomaly detection\r\n| project ResourceId, day = (TimeGenerated), DailyCounts = metric, AnomalyScore = series_decompose_anomalies_metric_ad_score\r\n",
"size": 0,
"title": "Anomaly score over time for the selected key vault (from the list above)",
"color": "orange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspaces}"
],
"visualization": "timechart",
"chartSettings": {
"yAxis": [
"AnomalyScore"
],
"ySettings": {
"numberFormatSettings": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": true
}
}
}
}
},
"customWidth": "50",
"name": "query - 2 - Copy - Copy"
}
]
},
"conditionalVisibility": {
"parameterName": "mainTab",
"comparison": "isEqualTo",
"value": "diagnostics"
},
"name": "baselines",
"styleSettings": {
"showBorder": true
}
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 1,
"content": {
"json": "## Azure Defender for Key Vaults coverage"
},
"name": "text - 9"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "datatable (Event:string)\r\n [\"AKV Workbook\"]\r\n| extend keyvault = (strcat(\"[\", \"{KeyVault}\", \"]\"))\r\n| extend keyvault = todynamic(replace(\"'\", '\"', keyvault))\r\n| mvexpand keyvault\r\n| extend subscriptionId = extract(@\"/subscriptions/([^/]+)\", 1, tostring(keyvault))\r\n| summarize AKVs = count() by subscriptionId, DefenderForKV = 0\r\n| union\r\n(\r\nsecurityresources\r\n| where type =~ \"microsoft.security/pricings\"\r\n| where name == \"KeyVaults\"\r\n| project DefenderForKV = iif(properties.pricingTier == 'Standard', 1, 0), AKVs = 0, subscriptionId\r\n)\r\n| summarize AKVs = sum(AKVs), DefenderForKV = sum(DefenderForKV) by subscriptionId\r\n| project Subscription = strcat('/subscriptions/', subscriptionId), [\"Key Vaults\"] = AKVs, ['Defender for Key Vault'] = iif(DefenderForKV > 0,'yes','no'), ['Onboard Azure Defender'] = iif(DefenderForKV > 0, '', 'https://ms.portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/26')\r\n| order by ['Defender for Key Vault'] asc\r\n ",
"size": 0,
"title": "Subscriptions covered by Azure Defender for Key Vault",
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
"gridSettings": {
"formatters": [
{
"columnMatch": "Defender for Key Vault",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "no",
"representation": "4",
"text": ""
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "success",
"text": ""
}
]
}
},
{
"columnMatch": "Onboard Azure Defender",
"formatter": 7,
"formatOptions": {
"linkTarget": "Url"
}
}
]
}
},
"customWidth": "50",
"name": "query - 3"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "datatable (Event:string)\r\n [\"AKV Workbook\"]\r\n| extend keyvaults = (strcat(\"[\", \"{KeyVault}\", \"]\"))\r\n| extend keyvaults = todynamic(replace(\"'\", '\"', keyvaults))\r\n| mvexpand keyvaults\r\n| extend subscriptionId = extract(@\"/subscriptions/([^/]+)\", 1, tostring(keyvaults))\r\n| summarize AKVs = count() by subscriptionId, DefenderForKV = 0\r\n| union\r\n(\r\nsecurityresources\r\n| where type =~ \"microsoft.security/pricings\"\r\n| where name == \"KeyVaults\"\r\n| project DefenderForKV = iif(properties.pricingTier == 'Standard', 1, 0), AKVs = 0, subscriptionId\r\n)\r\n| summarize AKVs = sum(AKVs), DefenderForKV = sum(DefenderForKV) by subscriptionId\r\n| project Subscription = 1, ['Defender for Key Vault'] = iif(DefenderForKV > 0,'Protected by Azure Defender','Not protected by Azure Defender')",
"size": 0,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
"visualization": "piechart"
},
"customWidth": "50",
"name": "query - 4"
}
]
},
"name": "group - 7"
},
{
"type": 1,
"content": {
"json": "## Azure Defender for Key Vaults alerts"
},
"name": "text - 9 - Copy"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"crossComponentResources": [
"{Workspaces}"
],
"parameters": [
{
"id": "66a39242-f029-479f-b90e-a0249f4ae27b",
"version": "KqlParameterItem/1.0",
"name": "AlertSeverity",
"type": 2,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "SecurityAlert\r\n| where AlertType startswith \"KV_\"\r\n| summarize Count = count() by AlertSeverity\r\n| order by Count desc, AlertSeverity asc\r\n| project Value = AlertSeverity, Label = strcat(AlertSeverity, ' - ', Count)\r\n",
"crossComponentResources": [
"{Workspaces}"
],
"value": [
"value::all"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
],
"showDefault": false
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 6"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let data = SecurityAlert\r\n| where \"{AlertSeverity:lable}\" == \"All\" or AlertSeverity in ({AlertSeverity})\r\n| where AlertType startswith \"KV_\"\r\n| where tolower(ResourceId) in ({KeyVault});\r\ndata\r\n| summarize Count = count() by AlertSeverity\r\n| join kind = inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by AlertSeverity)\r\n on AlertSeverity\r\n | project-away TimeGenerated\r\n| extend AlertSeveritys = AlertSeverity\r\n| union (\r\n data \r\n | summarize Count = count() \r\n | extend jkey = 1\r\n | join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\r\n | extend jkey = 1) on jkey\r\n | extend AlertSeverity = 'All', AlertSeveritys = '*' \r\n)\r\n| extend Severity = iif(AlertSeverity == \"All\", 0,iif(AlertSeverity == \"High\", 1, iif(AlertSeverity == \"Medium\", 2, iif(AlertSeverity == \"Low\", 3, 4))))\r\n| order by Severity asc\r\n",
"size": 3,
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"tileSettings": {
"titleContent": {
"columnMatch": "AlertSeverity",
"formatter": 1
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"useGrouping": false,
"maximumFractionDigits": 2,
"maximumSignificantDigits": 3
}
}
},
"secondaryContent": {
"columnMatch": "Trend",
"formatter": 9,
"formatOptions": {
"palette": "blue"
}
},
"showBorder": false
}
},
"name": "query - 5"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityAlert\r\n| where AlertType startswith \"KV_\"\r\n| where tolower(ResourceId) in ({KeyVault})\r\n| where AlertSeverity in ({AlertSeverity})\r\n| summarize AlertCount = count() by ResourceId\r\n| project Resource = tolower(ResourceId), AlertCount\r\n| order by AlertCount desc\r\n",
"size": 0,
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspaces}"
],
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "AlertCount",
"formatter": 3,
"formatOptions": {
"palette": "blue"
}
},
{
"columnMatch": "ResourceId",
"formatter": 1
},
{
"columnMatch": "x",
"formatter": 1
}
]
}
},
"customWidth": "30",
"name": "query - 5"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityAlert\r\n| where TimeGenerated {TimeRange}\r\n| where \"{AlertSeverity}\" has AlertSeverity or isempty(\"{AlertSeverity}\")\r\n| where AlertType startswith \"KV_\"\r\n| where ResourceId in ({KeyVault})\r\n| make-series Count=count() on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by ResourceId\r\n//| summarize Count=count() by ResourceId, bin(TimeGenerated,{TimeRange:grain})\r\n",
"size": 0,
"title": "Key vault alerts",
"noDataMessage": "No alerts from Azure Defender for Key Vaults",
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"timeBrushParameterName": "TimeRangeFilter",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspaces}"
],
"visualization": "timechart"
},
"customWidth": "70",
"name": "query - 9"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let Incidents = SecurityIncident\r\n| project AlertIds, IncidentUrl\r\n|mv-expand AlertId = AlertIds\r\n| extend AlertId = tostring(AlertId);\r\nSecurityAlert\r\n| where TimeGenerated between ({TimeRangeFilter:start} .. ({TimeRangeFilter:end} + {TimeRange:grain}))\r\n| where AlertType startswith \"KV_\"\r\n| where ResourceId in ({KeyVault})\r\n| where AlertSeverity in ({AlertSeverity})\r\n| project TimeGenerated, ResourceId, AlertSeverity, DisplayName, AlertLink, AlertId=tostring(SystemAlertId)\r\n| order by TimeGenerated desc\r\n| join kind=leftouter Incidents on AlertId\r\n| project-away AlertIds, AlertId1\r\n| project TimeGenerated, ResourceId, AlertSeverity, DisplayName, ['Azure Defender Alert'] = AlertLink, Incident = IncidentUrl, AlertId\r\n",
"size": 0,
"title": "Key vault alerts",
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"exportFieldName": "AlertId",
"exportParameterName": "SelectedAlertId",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspaces}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "Azure Defender Alert",
"formatter": 7,
"formatOptions": {
"linkTarget": "Url",
"linkLabel": "Go to alert"
}
},
{
"columnMatch": "Incident",
"formatter": 7,
"formatOptions": {
"linkTarget": "Url",
"linkLabel": ""
}
},
{
"columnMatch": "AlertId",
"formatter": 5
}
],
"filter": true,
"sortBy": [
{
"itemKey": "DisplayName",
"sortOrder": 2
}
]
},
"sortBy": [
{
"itemKey": "DisplayName",
"sortOrder": 2
}
]
},
"name": "query - 15 - Copy - Copy - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let data = SecurityAlert\r\n| where AlertType startswith \"KV_\"\r\n| where SystemAlertId == '{SelectedAlertId}';\r\nlet nodes = data\r\n| project Id = SystemAlertId, Name = DisplayName, Size = 1, Kind = 'alert'\r\n| union (\r\ndata \r\n| project parse_json(Entities), SystemAlertId\r\n| mv-expand Entities\r\n| evaluate bag_unpack(Entities)\r\n| project Id = strcat(SystemAlertId, '-',$id), Name = strcat(ResourceId,Address,AadUserId), Size = 1, Kind = Type\r\n);\r\nlet links = data\r\n| project parse_json(Entities), SystemAlertId\r\n| mv-expand Entities\r\n| evaluate bag_unpack(Entities)\r\n| project SourceId = SystemAlertId, TargetId = strcat(SystemAlertId, '-', $id), Size = 1, Kind = Type;\r\nnodes | union (links)\r\n",
"size": 2,
"title": "Alert and entity graph (choose an alert from the list above)",
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspaces}"
],
"visualization": "graph",
"gridSettings": {
"formatters": [
{
"columnMatch": "Name",
"formatter": 1
}
]
},
"graphSettings": {
"type": 0,
"topContent": {
"columnMatch": "Name",
"formatter": 13,
"formatOptions": {
"linkTarget": null,
"showIcon": true
},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": false
}
},
"tooltipFormat": {
"tooltip": "{0}"
}
},
"centerContent": {
"columnMatch": "Kind",
"formatter": 16,
"formatOptions": {
"showIcon": true
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"maximumFractionDigits": 2,
"maximumSignificantDigits": 3
}
}
},
"nodeIdField": "Id",
"sourceIdField": "SourceId",
"targetIdField": "TargetId",
"graphOrientation": 3,
"showOrientationToggles": false,
"edgeSize": "Size",
"edgeLabel": "Kind",
"nodeSize": null,
"staticNodeSize": 100,
"colorSettings": {
"nodeColorField": "Kind",
"type": 1,
"colorPalette": "default"
},
"hivesMargin": 5
}
},
"name": "query - 6",
"styleSettings": {
"showBorder": true
}
}
]
},
"conditionalVisibility": {
"parameterName": "mainTab",
"comparison": "isEqualTo",
"value": "alerts"
},
"name": "group - 10",
"styleSettings": {
"showBorder": true
}
}
]
},
"conditionalVisibility": {
"parameterName": "mainTab",
"comparison": "isEqualTo",
"value": "alerts"
},
"name": "defenderAlertsTabGroup"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 1,
"content": {
"json": "## Event analysis"
},
"name": "text - 1"
},
{
"type": 11,
"content": {
"version": "LinkItem/1.0",
"style": "tabs",
"links": [
{
"id": "4a61e462-17aa-45db-aace-0ef094245a1c",
"cellValue": "selectedEvents",
"linkTarget": "parameter",
"linkLabel": "All events",
"subTarget": "allEvents",
"preText": "All events",
"style": "primary"
},
{
"id": "dbb78084-c5b8-42aa-bc03-e55dd51736b0",
"cellValue": "selectedEvents",
"linkTarget": "parameter",
"linkLabel": "Failed events",
"subTarget": "failedEvents",
"preText": "Failed events",
"style": "primary"
}
]
},
"name": "links - 2 - Copy"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 11,
"content": {
"version": "LinkItem/1.0",
"style": "tabs",
"links": [
{
"id": "06733059-20fd-4155-87ed-18f1c3edbe36",
"cellValue": "selectedTab",
"linkTarget": "parameter",
"linkLabel": "by key vault",
"subTarget": "byKeyVault",
"style": "link"
},
{
"id": "35cfd3e6-719d-4ae9-8432-cc308836aafe",
"cellValue": "selectedTab",
"linkTarget": "parameter",
"linkLabel": "by caller IP",
"subTarget": "byCallerIP",
"style": "link"
},
{
"id": "d689a024-0d16-465a-bec4-39aa82912058",
"cellValue": "selectedTab",
"linkTarget": "parameter",
"linkLabel": "by identity",
"subTarget": "byIdentity",
"style": "link"
},
{
"id": "1373e323-a457-4371-9382-ba5271996edf",
"cellValue": "selectedTab",
"linkTarget": "parameter",
"linkLabel": "by operation",
"subTarget": "byOperation",
"style": "link"
}
]
},
"name": "links - 0"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "AzureDiagnostics\r\n| where ResourceType == \"VAULTS\"\r\n| where Category == \"AuditEvent\"\r\n| where tolower(ResourceId) in ({KeyVault})\r\n| summarize Count = count() by Resource, bin(TimeGenerated,{TimeRange:grain})",
"size": 0,
"title": "Events, by key vault",
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspaces}"
],
"visualization": "timechart"
},
"name": "Events, by key vault"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "AzureDiagnostics\r\n| where ResourceType == \"VAULTS\"\r\n| where Category == \"AuditEvent\"\r\n| where tolower(ResourceId) in ({KeyVault})\r\n| summarize EventCount=count() by Resource\r\n| order by EventCount desc",
"size": 0,
"title": "Activity, by key vault",
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspaces}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "EventCount",
"formatter": 3,
"formatOptions": {
"palette": "blue"
}
}
]
}
},
"customWidth": "60",
"name": "Activity, by key vault"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "AzureDiagnostics\r\n| where ResourceType == \"VAULTS\"\r\n| where Category == \"AuditEvent\"\r\n| where tolower(ResourceId) in ({KeyVault})\r\n| summarize EventCount=count() by Resource",
"size": 0,
"title": "Events, by key vault distribution",
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspaces}"
],
"visualization": "piechart"
},
"customWidth": "40",
"name": "Events, by key vault distribution"
}
]
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "byKeyVault"
},
"name": "AllEvents-ByKeyVault-Group"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "AzureDiagnostics\r\n| where ResourceType == \"VAULTS\"\r\n| where Category == \"AuditEvent\"\r\n| where tolower(ResourceId) in ({KeyVault})\r\n| summarize Count = count() by CallerIPAddress, bin(TimeGenerated,{TimeRange:grain})",
"size": 0,
"title": "Events, by Caller IP",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspaces}"
],
"visualization": "timechart"
},
"name": "Events, by Caller IP"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let AlertIPs = SecurityAlert\r\n| project parse_json(Entities), AlertLink, SystemAlertId\r\n| mv-expand Entities\r\n| extend parse_json(Entities)\r\n| mv-expand Entities\r\n| where Entities has 'Address'\r\n| project IP = tostring(split(split(Entities, 'Address\":\"')[1], '\"')[0]), AlertLink, AlertId = tostring(SystemAlertId);\r\nlet Incidents = SecurityIncident\r\n| project AlertIds, Title, Severity, IncidentUrl\r\n|mv-expand AlertId = AlertIds\r\n| extend AlertId = tostring(AlertId);\r\nAzureDiagnostics\r\n| where ResourceType == \"VAULTS\"\r\n| where Category == \"AuditEvent\"\r\n| where tolower(ResourceId) in ({KeyVault})\r\n| summarize EventCount=count() by IP = tostring(CallerIPAddress)\r\n| join kind=leftouter AlertIPs on IP\r\n| project-away IP1\r\n| order by EventCount desc\r\n| join kind=leftouter Incidents on AlertId\r\n| project-away AlertIds, AlertId1\r\n| extend Incident = IncidentUrl\r\n| summarize ['Related incidents'] = count(Incident != '') by IP, EventCount\r\n| order by ['Related incidents'], EventCount desc\r\n",
"size": 0,
"title": "Activity by Caller IP",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"exportFieldName": "IP",
"exportParameterName": "SelectedIP",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspaces}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "EventCount",
"formatter": 3,
"formatOptions": {
"palette": "blue"
}
},
{
"columnMatch": "Related incidents",
"formatter": 3,
"formatOptions": {
"palette": "redDark"
}
}
]
},
"sortBy": []
},
"customWidth": "60",
"name": "Activity by Caller IP"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "AzureDiagnostics\r\n| where ResourceType == \"VAULTS\"\r\n| where Category == \"AuditEvent\"\r\n| where tolower(ResourceId) in ({KeyVault})\r\n| summarize EventCount=count() by CallerIPAddress",
"size": 0,
"title": "Events, by Caller IP distribution",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspaces}"
],
"visualization": "piechart"
},
"customWidth": "40",
"name": "Events, by Caller IP distribution"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let AlertIPs = SecurityAlert\r\n| extend parse_json(Entities), AlertLink, SystemAlertId, AlertType\r\n| mv-expand Entities\r\n| extend parse_json(Entities)\r\n| mv-expand Entities\r\n| where Entities has 'Address'\r\n| project IP = tostring(split(split(Entities, 'Address\":\"')[1], '\"')[0]), TimeGenerated, DisplayName, Description, ProductName, AlertLink, AlertSeverity, AlertId = tostring(SystemAlertId);\r\nlet Incidents = SecurityIncident\r\n| project AlertIds, Title, Severity, IncidentUrl\r\n|mv-expand AlertId = AlertIds\r\n| extend AlertId = tostring(AlertId);\r\nAlertIPs\r\n| where IP in ('{SelectedIP}')\r\n| join kind=leftouter Incidents on AlertId\r\n| project-away AlertIds, AlertId1\r\n| project TimeGenerated, Title, ProductName, Severity, Incident = IncidentUrl\r\n| where isempty(Incident) == false",
"size": 0,
"title": "Incidents involving the Caller IP selected above",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspaces}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "Incident",
"formatter": 7,
"formatOptions": {
"linkTarget": "Url"
}
}
]
}
},
"name": "Incidents involving the selected Caller IP"
}
]
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "byCallerIP"
},
"name": "AllEvents-ByCallerIP-Group"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "AzureDiagnostics\r\n| where ResourceType == \"VAULTS\"\r\n| where Category == \"AuditEvent\"\r\n| where tolower(ResourceId) in ({KeyVault})\r\n| extend User = identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s\r\n| extend ObjectId = identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\r\n| extend ApplicationId = identity_claim_appid_g\r\n| summarize Count = count() by Identity = iff(isempty(User), ObjectId, User) , bin(TimeGenerated,{TimeRange:grain})",
"size": 0,
"title": "Events, by Identity",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspaces}"
],
"visualization": "timechart"
},
"name": "Events, by Identity"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let AlertIDs = SecurityAlert\r\n| project parse_json(Entities), AlertLink, SystemAlertId, TimeGenerated\r\n| mv-expand Entities\r\n| extend parse_json(Entities)\r\n| mv-expand Entities\r\n| where Entities has 'AadUserId'\r\n| project ID = tostring(split(split(Entities, 'AadUserId\":\"')[1], '\"')[0]), TimeGenerated, AlertLink, AlertId = SystemAlertId;\r\nlet Incidents = SecurityIncident\r\n| project AlertIds, IncidentUrl\r\n|mv-expand AlertId = AlertIds\r\n| extend AlertId = tostring(AlertId);\r\nAzureDiagnostics\r\n| where ResourceType == \"VAULTS\"\r\n| where Category == \"AuditEvent\"\r\n| where tolower(ResourceId) in ({KeyVault})\r\n| extend User = identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s\r\n| extend ObjectId = identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\r\n| extend ApplicationId = identity_claim_appid_g\r\n| where isempty(ObjectId) == false or isempty(User) == false or isempty(ApplicationId) == false\r\n| extend ID = iif(isempty(ObjectId), ApplicationId, ObjectId)\r\n//| summarize EventCount=count() by Identity = iif(isempty(User),iif(isempty(ObjectId), ApplicationId, ObjectId), User), Identifier = iif(isempty(User),iif(isempty(ObjectId), 'AppId', 'ObjectId'), 'User'), ID\r\n| summarize EventCount=count() by Identity = iif(isempty(ObjectId), ApplicationId, ObjectId), Identifier = iif(isempty(User),iif(isempty(ObjectId), 'AppId', 'ObjectId'), 'User'), User, ID\r\n| join kind=leftouter AlertIDs on ID\r\n| project-away ID, ID1\r\n| order by EventCount desc\r\n| join kind=leftouter Incidents on AlertId\r\n| project-away AlertIds, AlertId1\r\n| extend Incident = IncidentUrl\r\n| summarize ['Related incidents'] = count(Incident != '') by Identity, Identifier, User, EventCount\r\n| order by ['Related incidents'], EventCount desc\r\n",
"size": 0,
"title": "Activity, by Identity",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"exportFieldName": "Identity",
"exportParameterName": "SelectedID",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspaces}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "EventCount",
"formatter": 3,
"formatOptions": {
"palette": "blue"
}
},
{
"columnMatch": "Related incidents",
"formatter": 3,
"formatOptions": {
"palette": "redDark"
}
}
],
"sortBy": [
{
"itemKey": "$gen_bar_Related incidents_4",
"sortOrder": 2
}
]
},
"sortBy": [
{
"itemKey": "$gen_bar_Related incidents_4",
"sortOrder": 2
}
]
},
"customWidth": "60",
"name": "Activity, by Identity"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "AzureDiagnostics\r\n| where ResourceType == \"VAULTS\"\r\n| where Category == \"AuditEvent\"\r\n| where tolower(ResourceId) in ({KeyVault})\r\n| extend User = identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s\r\n| extend ObjectId = identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\r\n| extend ApplicationId = identity_claim_appid_g\r\n| summarize EventCount=count() by Identiy = iif(isempty(User), ObjectId, User)",
"size": 0,
"title": "Events, by Identity distribution",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspaces}"
],
"visualization": "piechart"
},
"customWidth": "40",
"name": "Events, by Identity distribution"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let AlertIDs = SecurityAlert\r\n| extend parse_json(Entities), AlertLink, SystemAlertId\r\n| mv-expand Entities\r\n| extend parse_json(Entities)\r\n| mv-expand Entities\r\n| where Entities has 'AadUserId'\r\n| project ID = tostring(split(split(Entities, 'AadUserId\":\"')[1], '\"')[0]), TimeGenerated, DisplayName, Description, ProductName, AlertLink, AlertSeverity, AlertId = tostring(SystemAlertId);\r\nlet Incidents = SecurityIncident\r\n| project AlertIds, Title, Severity, IncidentUrl\r\n|mv-expand AlertId = AlertIds\r\n| extend AlertId = tostring(AlertId);\r\nAlertIDs\r\n| where ID in ('{SelectedID}')\r\n| join kind=leftouter Incidents on AlertId\r\n| project-away AlertIds, AlertId1\r\n| project TimeGenerated, Title, ProductName, Severity, Incident = IncidentUrl\r\n| where isempty(Incident) == false",
"size": 0,
"title": "Incidents involving the identity selected above",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspaces}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "Incident",
"formatter": 7,
"formatOptions": {
"linkTarget": "Url"
}
}
]
}
},
"name": "Incidents involving the selected identity"
}
]
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "byIdentity"
},
"name": "AllEvents-ByIdentity-Group"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "AzureDiagnostics\r\n| where ResourceType == \"VAULTS\"\r\n| where Category == \"AuditEvent\"\r\n| where tolower(ResourceId) in ({KeyVault})\r\n| summarize Count = count() by OperationName, bin(TimeGenerated,{TimeRange:grain})",
"size": 0,
"title": "Events, by operation name",
"timeContext": {
"durationMs": 2419200000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspaces}"
],
"visualization": "timechart"
},
"name": "Events, by operation name"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "AzureDiagnostics\r\n| where ResourceType == \"VAULTS\"\r\n| where Category == \"AuditEvent\"\r\n| where tolower(ResourceId) in ({KeyVault})\r\n| summarize EventCount=count() by OperationName",
"size": 0,
"title": "Activity, by operation name",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspaces}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "EventCount",
"formatter": 3,
"formatOptions": {
"palette": "blue"
}
}
]
}
},
"customWidth": "60",
"name": "Activity, by operation name"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "AzureDiagnostics\r\n| where ResourceType == \"VAULTS\"\r\n| where Category == \"AuditEvent\"\r\n| where tolower(ResourceId) in ({KeyVault})\r\n| summarize EventCount=count() by OperationName\r\n| order by EventCount desc",
"size": 0,
"title": "Events, by operation name distribution",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspaces}"
],
"visualization": "piechart"
},
"customWidth": "40",
"name": "Events, by operation name distribution"
}
]
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "byOperation"
},
"name": "AllEvents-ByOperation-Group"
}
]
},
"conditionalVisibility": {
"parameterName": "selectedEvents",
"comparison": "isEqualTo",
"value": "allEvents"
},
"name": "EventAnalysis-AllEventsGroup"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 11,
"content": {
"version": "LinkItem/1.0",
"style": "tabs",
"links": [
{
"id": "06733059-20fd-4155-87ed-18f1c3edbe36",
"cellValue": "selectedTab",
"linkTarget": "parameter",
"linkLabel": "by key vault",
"subTarget": "byKeyVault",
"style": "link"
},
{
"id": "35cfd3e6-719d-4ae9-8432-cc308836aafe",
"cellValue": "selectedTab",
"linkTarget": "parameter",
"linkLabel": "by caller IP",
"subTarget": "byCallerIP",
"style": "link"
},
{
"id": "d689a024-0d16-465a-bec4-39aa82912058",
"cellValue": "selectedTab",
"linkTarget": "parameter",
"linkLabel": "by identity",
"subTarget": "byIdentity",
"style": "link"
},
{
"id": "1373e323-a457-4371-9382-ba5271996edf",
"cellValue": "selectedTab",
"linkTarget": "parameter",
"linkLabel": "by operation",
"subTarget": "byOperation",
"style": "link"
}
]
},
"name": "links - 0"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "AzureDiagnostics\r\n| where ResourceType == \"VAULTS\"\r\n| where Category == \"AuditEvent\"\r\n| where tolower(ResourceId) in ({KeyVault})\r\n| where HttpStatusCode = tostring(httpStatusCode_d) !startswith \"20\"\r\n| summarize Count = count() by Resource, bin(TimeGenerated,{TimeRange:grain})",
"size": 0,
"title": "Events, by key vault",
"timeContext": {
"durationMs": 2419200000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspaces}"
],
"visualization": "timechart"
},
"name": "Events, by key vault"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "AzureDiagnostics\r\n| where ResourceType == \"VAULTS\"\r\n| where Category == \"AuditEvent\"\r\n| where tolower(ResourceId) in ({KeyVault})\r\n| where HttpStatusCode = tostring(httpStatusCode_d) !startswith \"20\"\r\n| summarize EventCount=count() by Resource\r\n| order by EventCount desc",
"size": 0,
"title": "Activity, by key vault",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspaces}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "EventCount",
"formatter": 3,
"formatOptions": {
"palette": "blue"
}
}
]
}
},
"customWidth": "60",
"name": "Activity, by key vault"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "AzureDiagnostics\r\n| where ResourceType == \"VAULTS\"\r\n| where Category == \"AuditEvent\"\r\n| where tolower(ResourceId) in ({KeyVault})\r\n| where HttpStatusCode = tostring(httpStatusCode_d) !startswith \"20\"\r\n| summarize EventCount=count() by Resource",
"size": 0,
"title": "Events, by key vault distribution",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspaces}"
],
"visualization": "piechart"
},
"customWidth": "40",
"name": "Events, by key vault distribution"
}
]
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "byKeyVault"
},
"name": "AllEvents-ByKeyVault-Group"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "AzureDiagnostics\r\n| where ResourceType == \"VAULTS\"\r\n| where Category == \"AuditEvent\"\r\n| where tolower(ResourceId) in ({KeyVault})\r\n| where HttpStatusCode = tostring(httpStatusCode_d) !startswith \"20\"\r\n| summarize Count = count() by CallerIPAddress, bin(TimeGenerated,{TimeRange:grain})",
"size": 0,
"title": "Events, by Caller IP",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspaces}"
],
"visualization": "timechart"
},
"name": "Events, by Caller IP"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let AlertIPs = SecurityAlert\r\n| project parse_json(Entities), AlertLink, SystemAlertId\r\n| mv-expand Entities\r\n| extend parse_json(Entities)\r\n| mv-expand Entities\r\n| where Entities has 'Address'\r\n| project IP = tostring(split(split(Entities, 'Address\":\"')[1], '\"')[0]), AlertLink, AlertId = tostring(SystemAlertId);\r\nlet Incidents = SecurityIncident\r\n| project AlertIds, IncidentUrl\r\n|mv-expand AlertId = AlertIds\r\n| extend AlertId = tostring(AlertId);\r\nAzureDiagnostics\r\n| where ResourceType == \"VAULTS\"\r\n| where Category == \"AuditEvent\"\r\n| where tolower(ResourceId) in ({KeyVault})\r\n| where HttpStatusCode = tostring(httpStatusCode_d) !startswith \"20\"\r\n| summarize EventCount=count() by IP = tostring(CallerIPAddress)\r\n| join kind=leftouter AlertIPs on IP\r\n| project-away IP1\r\n| order by EventCount desc\r\n| join kind=leftouter Incidents on AlertId\r\n| project-away AlertIds, AlertId1\r\n| extend Incident = IncidentUrl\r\n| summarize ['Related incidents'] = count(Incident != '') by IP, EventCount\r\n| order by ['Related incidents'], EventCount desc\r\n",
"size": 0,
"title": "Activity by Caller IP",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"exportFieldName": "IP",
"exportParameterName": "SelectedIP",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspaces}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "EventCount",
"formatter": 3,
"formatOptions": {
"palette": "blue"
}
},
{
"columnMatch": "Related incidents",
"formatter": 3,
"formatOptions": {
"palette": "redDark"
}
}
]
}
},
"customWidth": "60",
"name": "Activity by Caller IP"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "AzureDiagnostics\r\n| where ResourceType == \"VAULTS\"\r\n| where Category == \"AuditEvent\"\r\n| where tolower(ResourceId) in ({KeyVault})\r\n| where HttpStatusCode = tostring(httpStatusCode_d) !startswith \"20\"\r\n| summarize EventCount=count() by CallerIPAddress",
"size": 0,
"title": "Events, by Caller IP distribution",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspaces}"
],
"visualization": "piechart"
},
"customWidth": "40",
"name": "Events, by Caller IP distribution"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let AlertIPs = SecurityAlert\r\n| extend parse_json(Entities), AlertLink, SystemAlertId, AlertType\r\n| mv-expand Entities\r\n| extend parse_json(Entities)\r\n| mv-expand Entities\r\n| where Entities has 'Address'\r\n| project IP = tostring(split(split(Entities, 'Address\":\"')[1], '\"')[0]), TimeGenerated, DisplayName, Description, ProductName, AlertLink, AlertSeverity, AlertId = tostring(SystemAlertId);\r\nlet Incidents = SecurityIncident\r\n| project AlertIds, Title, Severity, IncidentUrl\r\n|mv-expand AlertId = AlertIds\r\n| extend AlertId = tostring(AlertId);\r\nAlertIPs\r\n| where IP in ('{SelectedIP}')\r\n| join kind=leftouter Incidents on AlertId\r\n| project-away AlertIds, AlertId1\r\n| project TimeGenerated, Title, ProductName, Severity, Incident = IncidentUrl\r\n| where isempty(Incident) == false",
"size": 0,
"title": "Incidents involving the Caller IP selected above",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspaces}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "Incident",
"formatter": 7,
"formatOptions": {
"linkTarget": "Url"
}
}
]
}
},
"name": "Incidents involving the selected Caller IP"
}
]
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "byCallerIP"
},
"name": "AllEvents-ByCallerIP-Group"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "AzureDiagnostics\r\n| where ResourceType == \"VAULTS\"\r\n| where Category == \"AuditEvent\"\r\n| where tolower(ResourceId) in ({KeyVault})\r\n| where HttpStatusCode = tostring(httpStatusCode_d) !startswith \"20\"\r\n| extend User = identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s\r\n| extend ObjectId = identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\r\n| extend ApplicationId = identity_claim_appid_g\r\n| summarize Count = count() by Identity = iff(isempty(User), ObjectId, User) , bin(TimeGenerated,{TimeRange:grain})",
"size": 0,
"title": "Events, by Identity",
"timeContext": {
"durationMs": 2419200000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspaces}"
],
"visualization": "timechart"
},
"name": "Events, by Identity"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let AlertIDs = SecurityAlert\r\n| project parse_json(Entities), AlertLink, SystemAlertId, TimeGenerated\r\n| mv-expand Entities\r\n| extend parse_json(Entities)\r\n| mv-expand Entities\r\n| where Entities has 'AadUserId'\r\n| project ID = tostring(split(split(Entities, 'AadUserId\":\"')[1], '\"')[0]), TimeGenerated, AlertLink, AlertId = SystemAlertId;\r\nlet Incidents = SecurityIncident\r\n| project AlertIds, IncidentUrl\r\n|mv-expand AlertId = AlertIds\r\n| extend AlertId = tostring(AlertId);\r\nAzureDiagnostics\r\n| where ResourceType == \"VAULTS\"\r\n| where Category == \"AuditEvent\"\r\n| where tolower(ResourceId) in ({KeyVault})\r\n| where HttpStatusCode = tostring(httpStatusCode_d) !startswith \"20\"\r\n| extend User = identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s\r\n| extend ObjectId = identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\r\n| extend ApplicationId = identity_claim_appid_g\r\n| where isempty(ObjectId) == false or isempty(User) == false or isempty(ApplicationId) == false\r\n| extend ID = iif(isempty(ObjectId), ApplicationId, ObjectId)\r\n//| summarize EventCount=count() by Identity = iif(isempty(User),iif(isempty(ObjectId), ApplicationId, ObjectId), User), Identifier = iif(isempty(User),iif(isempty(ObjectId), 'AppId', 'ObjectId'), 'User'), ID\r\n| summarize EventCount=count() by Identity = iif(isempty(ObjectId), ApplicationId, ObjectId), Identifier = iif(isempty(User),iif(isempty(ObjectId), 'AppId', 'ObjectId'), 'User'), User, ID\r\n| join kind=leftouter AlertIDs on ID\r\n| project-away ID, ID1\r\n| order by EventCount desc\r\n| join kind=leftouter Incidents on AlertId\r\n| project-away AlertIds, AlertId1\r\n| extend Incident = IncidentUrl\r\n| summarize ['Related incidents'] = count(Incident != '') by Identity, Identifier, User, EventCount\r\n| order by ['Related incidents'], EventCount desc\r\n",
"size": 0,
"title": "Activity, by Identity",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"exportFieldName": "Identity",
"exportParameterName": "SelectedID",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspaces}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "EventCount",
"formatter": 3,
"formatOptions": {
"palette": "blue"
}
},
{
"columnMatch": "Related incidents",
"formatter": 3,
"formatOptions": {
"palette": "redDark"
}
}
]
}
},
"customWidth": "60",
"name": "Activity, by Identity"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "AzureDiagnostics\r\n| where ResourceType == \"VAULTS\"\r\n| where Category == \"AuditEvent\"\r\n| where tolower(ResourceId) in ({KeyVault})\r\n| where HttpStatusCode = tostring(httpStatusCode_d) !startswith \"20\"\r\n| extend User = identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s\r\n| extend ObjectId = identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\r\n| extend ApplicationId = identity_claim_appid_g\r\n| summarize EventCount=count() by Identiy = iif(isempty(User), ObjectId, User)",
"size": 0,
"title": "Events, by Identity distribution",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspaces}"
],
"visualization": "piechart"
},
"customWidth": "40",
"name": "Events, by Identity distribution"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let AlertIDs = SecurityAlert\r\n| extend parse_json(Entities), AlertLink, SystemAlertId\r\n| mv-expand Entities\r\n| extend parse_json(Entities)\r\n| mv-expand Entities\r\n| where Entities has 'AadUserId'\r\n| project ID = tostring(split(split(Entities, 'AadUserId\":\"')[1], '\"')[0]), TimeGenerated, DisplayName, Description, ProductName, AlertLink, AlertSeverity, AlertId = tostring(SystemAlertId);\r\nlet Incidents = SecurityIncident\r\n| project AlertIds, Title, Severity, IncidentUrl\r\n|mv-expand AlertId = AlertIds\r\n| extend AlertId = tostring(AlertId);\r\nAlertIDs\r\n| where ID in ('{SelectedID}')\r\n| join kind=leftouter Incidents on AlertId\r\n| project-away AlertIds, AlertId1\r\n| project TimeGenerated, Title, ProductName, Severity, Incident = IncidentUrl\r\n| where isempty(Incident) == false",
"size": 0,
"title": "Incidents involving the identity selected above",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspaces}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "Incident",
"formatter": 7,
"formatOptions": {
"linkTarget": "Url"
}
}
]
}
},
"name": "Incidents involving the selected identity"
}
]
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "byIdentity"
},
"name": "AllEvents-ByIdentity-Group"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "AzureDiagnostics\r\n| where ResourceType == \"VAULTS\"\r\n| where Category == \"AuditEvent\"\r\n| where tolower(ResourceId) in ({KeyVault})\r\n| where HttpStatusCode = tostring(httpStatusCode_d) !startswith \"20\"\r\n| summarize Count = count() by OperationName, bin(TimeGenerated,{TimeRange:grain})",
"size": 0,
"title": "Events, by operation name",
"timeContext": {
"durationMs": 2419200000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspaces}"
],
"visualization": "timechart"
},
"name": "Events, by operation name"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "AzureDiagnostics\r\n| where ResourceType == \"VAULTS\"\r\n| where Category == \"AuditEvent\"\r\n| where tolower(ResourceId) in ({KeyVault})\r\n| where HttpStatusCode = tostring(httpStatusCode_d) !startswith \"20\"\r\n| summarize EventCount=count() by OperationName",
"size": 0,
"title": "Activity, by operation name",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspaces}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "EventCount",
"formatter": 3,
"formatOptions": {
"palette": "blue"
}
}
]
}
},
"customWidth": "60",
"name": "Activity, by operation name"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "AzureDiagnostics\r\n| where ResourceType == \"VAULTS\"\r\n| where Category == \"AuditEvent\"\r\n| where tolower(ResourceId) in ({KeyVault})\r\n| where HttpStatusCode = tostring(httpStatusCode_d) !startswith \"20\"\r\n| summarize EventCount=count() by OperationName\r\n| order by EventCount desc",
"size": 0,
"title": "Events, by operation name distribution",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspaces}"
],
"visualization": "piechart"
},
"customWidth": "40",
"name": "Events, by operation name distribution"
}
]
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "byOperation"
},
"name": "AllEvents-ByOperation-Group"
}
]
},
"conditionalVisibility": {
"parameterName": "selectedEvents",
"comparison": "isEqualTo",
"value": "failedEvents"
},
"name": "EventAnalysis-FailedEventsGroup"
}
]
},
"name": "EventAnalysisGroup"
}
]
},
"conditionalVisibility": {
"parameterName": "mainTab",
"comparison": "isEqualTo",
"value": "diagnostics"
},
"name": "DiagnosticsTabGroup",
"styleSettings": {
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let SensitiveOperationList = dynamic([\"VaultDelete\", \"KeyDelete\", \"SecretDelete\", \"SecretPurge\", \"KeyPurge\", \"SecretBackup\", \"KeyBackup\"]);\r\nAzureDiagnostics\r\n| where ResourceType == \"VAULTS\"\r\n| where Category == \"AuditEvent\"\r\n| where tolower(ResourceId) in ({KeyVault})\r\n| extend Result = columnifexists(\"ResultType\", \"NoResult\")\r\n| extend requestUri_s = columnifexists(\"requestUri_s\", \"None\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\", \"None\")\r\n| extend id_s = columnifexists(\"id_s\", \"None\"), CallerIPAddress = columnifexists(\"CallerIPAddress\", \"None\"), clientInfo_s = columnifexists(\"clientInfo_s\", \"None\")\r\n| where Result !~ \"None\" and isnotempty(Result)\r\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \"None\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\r\n| where id_s !~ \"None\" and isnotempty(id_s)\r\n| where CallerIPAddress !~ \"None\" and isnotempty(CallerIPAddress)\r\n| where clientInfo_s !~ \"None\" and isnotempty(clientInfo_s)\r\n| where requestUri_s !~ \"None\" and isnotempty(requestUri_s)\r\n| where ResourceType =~ \"VAULTS\" and Result =~ \"Success\" \r\n| where OperationName in~ (SensitiveOperationList) \r\n| project TimeGenerated, ResourceId, Result, OperationName, CallerIPAddress, identity_claim_appid_g, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s, identity_claim_http_schemas_microsoft_com_identity_claims_scope_s, requestUri_s, clientInfo_s\r\n",
"size": 0,
"title": "Sensitive Operations",
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspaces}"
],
"gridSettings": {
"sortBy": [
{
"itemKey": "identity_claim_appid_g",
"sortOrder": 2
}
]
},
"sortBy": [
{
"itemKey": "identity_claim_appid_g",
"sortOrder": 2
}
]
},
"conditionalVisibility": {
"parameterName": "mainTab",
"comparison": "isEqualTo",
"value": "diagnostics"
},
"name": "SensitiveOperations",
"styleSettings": {
"showBorder": true
}
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "29f888e1-53ba-4dc0-9d4f-63fc52d3cacf",
"version": "KqlParameterItem/1.0",
"name": "EventCountThreshold",
"label": "Event Threshold",
"type": 1,
"isRequired": true,
"value": "1000",
"timeContext": {
"durationMs": 86400000
}
},
{
"id": "6b2fb75b-7a4e-4105-be3c-c3be5b5c8aa1",
"version": "KqlParameterItem/1.0",
"name": "MonitoredTimeRange",
"type": 4,
"isRequired": true,
"value": {
"durationMs": 86400000
},
"typeSettings": {
"selectableValues": [
{
"durationMs": 300000
},
{
"durationMs": 900000
},
{
"durationMs": 1800000
},
{
"durationMs": 3600000
},
{
"durationMs": 14400000
},
{
"durationMs": 43200000
},
{
"durationMs": 86400000
}
]
},
"timeContext": {
"durationMs": 86400000
}
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 0"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let EventCountThreshold = {EventCountThreshold};\r\nlet MonitoredTimeRange = {MonitoredTimeRange:start};\r\nlet OperationList = dynamic(\r\n[\"SecretGet\", \"KeyGet\", \"VaultGet\"]);\r\nAzureDiagnostics\r\n| where TimeGenerated > MonitoredTimeRange\r\n| where ResourceType == \"VAULTS\"\r\n| where Category == \"AuditEvent\"\r\n| where tolower(ResourceId) in ({KeyVault})\r\n| extend Result = columnifexists(\"ResultType\", \"None\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\", \"None\")\r\n| where Result !~ \"None\" and isnotempty(Result)\r\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \"None\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\r\n| where ResourceType =~ \"VAULTS\" and Result =~ \"Success\"\r\n| where OperationName in (OperationList) \r\n| summarize EventCount = count(), OperationNames = make_set(OperationName), CallerIPList = make_set(CallerIPAddress), RequestUriList = make_set(requestUri_s), ClientInfoList = make_set(clientInfo_s) by ResourceId, Result, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, identity_claim_appid_g, identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s\r\n| where EventCount > EventCountThreshold\r\n| order by EventCount desc\r\n\r\n\r\n\r\n",
"size": 0,
"title": "Mass Secret Retrieval (successful SecretGet/KeyGet/VaultGet calls per caller over the monitored range; failed attempts are not counted)",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspaces}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "Result",
"formatter": 5
},
{
"columnMatch": "EventCount",
"formatter": 3,
"formatOptions": {
"palette": "red"
}
}
]
}
},
"name": "MassSecretRetrieval"
}
]
},
"conditionalVisibility": {
"parameterName": "mainTab",
"comparison": "isEqualTo",
"value": "diagnostics"
},
"name": "MassSecretRetrieval",
"styleSettings": {
"showBorder": true
}
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 1,
"content": {
"json": "## Operation analysis\nAuditEvent operations (successful and failed) for the selected vaults whose name contains the selected tab (secret / key / certificate). Callers without a UPN claim are counted as services; the logarithmic scale applies only to *Get* operations.\n"
},
"name": "text - 0"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"crossComponentResources": [
"{Workspaces}"
],
"parameters": [
{
"id": "e51d1f48-3866-41cd-afd2-a36b24946ba7",
"version": "KqlParameterItem/1.0",
"name": "KeyVaultOperationAnalysis",
"type": 5,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "where type =~ 'microsoft.keyvault/vaults'\r\n| where strcat('/subscriptions/',subscriptionId) in ({Subscription})\r\n| project id=tolower(id)\r\n| where id in ({KeyVault})",
"crossComponentResources": [
"{Workspaces}"
],
"value": [],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
],
"showDefault": false
},
"timeContext": {
"durationMs": 86400000
},
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
}
],
"style": "pills",
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
},
"name": "parameters - 5"
},
{
"type": 11,
"content": {
"version": "LinkItem/1.0",
"style": "tabs",
"links": [
{
"id": "515c8b15-31cc-44d0-926e-5ae8b3cc5ae9",
"cellValue": "selectedTab",
"linkTarget": "parameter",
"linkLabel": "Secrets",
"subTarget": "secret",
"preText": "Secrets",
"style": "link"
},
{
"id": "7be60a7e-aff8-49c1-b7e3-ec2e91799e40",
"cellValue": "selectedTab",
"linkTarget": "parameter",
"linkLabel": "Keys",
"subTarget": "key",
"style": "link"
},
{
"id": "1b00600a-aa98-40d4-9b4b-cc4b06c7de0b",
"cellValue": "selectedTab",
"linkTarget": "parameter",
"linkLabel": "Certificates",
"subTarget": "certificate",
"style": "link"
}
]
},
"name": "links - 1"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "8c382ba4-42e6-4948-b7c2-49acbddc6d0f",
"version": "KqlParameterItem/1.0",
"name": "GetOperationsScale",
"type": 10,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"value": "log",
"typeSettings": {
"additionalResourceOptions": []
},
"jsonData": "[\r\n { \"value\":\"log\", \"label\":\"Logarithmic\" },\r\n { \"value\":\"linear\", \"label\":\"Linear\" }\r\n]",
"timeContext": {
"durationMs": 86400000
}
},
{
"id": "fcd2858b-de98-4839-a30b-34349f094de5",
"version": "KqlParameterItem/1.0",
"name": "Identity",
"type": 10,
"isRequired": true,
"value": "all",
"typeSettings": {
"additionalResourceOptions": []
},
"jsonData": "[\r\n { \"value\":\"all\", \"label\":\"All\" },\r\n { \"value\":\"users\", \"label\":\"Users\" },\r\n { \"value\":\"services\", \"label\":\"Services\" }\r\n]",
"timeContext": {
"durationMs": 86400000
}
}
],
"style": "above",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 3"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "AzureDiagnostics\r\n| where ResourceType == \"VAULTS\"\r\n| where Category == \"AuditEvent\"\r\n| where tolower(ResourceId) in ({KeyVaultOperationAnalysis})\r\n| where OperationName contains tostring('{selectedTab}')\r\n| extend User = identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s\r\n| extend ObjectId = identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\r\n| extend userActivity = iif(isempty(User),0,1), serviceActivity = iif(isempty(User),1,0)\r\n| summarize UserCount=sum(userActivity), ServiceCount=sum(serviceActivity), AllCount = count() by OperationName, bin(TimeGenerated,{TimeRange:grain}/10)\r\n| extend Count = iif(tostring('{Identity}') == 'all', AllCount, iif(tostring('{Identity}') == 'users', UserCount, ServiceCount))\r\n| extend Count = iif(tostring('{GetOperationsScale}') == 'log', iif(OperationName contains \"get\", log(Count), toreal(Count)), toreal(Count))\r\n\r\n",
"size": 0,
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspaces}"
],
"visualization": "timechart",
"gridSettings": {
"formatters": [
{
"columnMatch": "ListCount",
"formatter": 0,
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": false
},
"emptyValCustomText": "0"
}
},
{
"columnMatch": "LogListCount",
"formatter": 0,
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": false
}
}
}
]
},
"tileSettings": {
"showBorder": false,
"titleContent": {
"columnMatch": "GetOp",
"formatter": 1
},
"leftContent": {
"columnMatch": "LogGetCount",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
},
"graphSettings": {
"type": 0,
"topContent": {
"columnMatch": "GetOp",
"formatter": 1
},
"centerContent": {
"columnMatch": "LogGetCount",
"formatter": 1,
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
},
"chartSettings": {
"yAxis": [
"Count"
],
"ySettings": {
"numberFormatSettings": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": true
}
},
"min": 0
}
},
"mapSettings": {
"locInfo": "LatLong",
"sizeSettings": "LogGetCount",
"sizeAggregation": "Sum",
"legendMetric": "LogGetCount",
"legendAggregation": "Sum",
"itemColorSettings": {
"type": "heatmap",
"colorAggregation": "Sum",
"nodeColorField": "LogGetCount",
"heatmapPalette": "greenRed"
}
}
},
"name": "query - 14 - Copy"
}
]
},
"name": "operation group"
}
]
},
"conditionalVisibility": {
"parameterName": "mainTab",
"comparison": "isEqualTo",
"value": "diagnostics"
},
"name": "group - 11",
"styleSettings": {
"showBorder": true
}
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": []
},
"conditionalVisibility": {
"parameterName": "mainTab",
"comparison": "isEqualTo",
"value": "monitoring"
},
"name": "monitoring"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 10,
"content": {
"chartId": "workbook9a52a059-26c9-474b-a678-8ddbedbdf6c2",
"version": "MetricsItem/2.0",
"size": 0,
"chartType": 0,
"resourceType": "microsoft.keyvault/vaults",
"metricScope": 0,
"resourceParameter": "KeyVault",
"resourceIds": [
"{KeyVault}"
],
"timeContextFromParameter": "TimeRange",
"timeContext": {
"durationMs": 7776000000
},
"metrics": [
{
"namespace": "microsoft.keyvault/vaults",
"metric": "microsoft.keyvault/vaults--ServiceApiResult",
"aggregation": 1,
"splitBy": "ActivityName",
"splitBySortOrder": -1,
"splitByLimit": 5,
"columnName": "Api hits"
},
{
"namespace": "microsoft.keyvault/vaults",
"metric": "microsoft.keyvault/vaults--ServiceApiResult",
"aggregation": 1,
"splitBy": "ActivityName",
"splitBySortOrder": -1,
"splitByLimit": null,
"columnName": "Api hit failures"
},
{
"namespace": "microsoft.keyvault/vaults",
"metric": "microsoft.keyvault/vaults--ServiceApiLatency",
"aggregation": 4,
"splitBy": "ActivityName",
"splitBySortOrder": -1,
"splitByLimit": null
},
{
"namespace": "microsoft.keyvault/vaults",
"metric": "microsoft.keyvault/vaults--SaturationShoebox",
"aggregation": 4,
"splitBy": "ActivityName",
"splitBySortOrder": -1,
"splitByLimit": null,
"columnName": "Saturation"
}
],
"title": "Overview",
"gridFormatType": 2,
"gridSettings": {
"formatters": [
{
"columnMatch": "$gen_group",
"formatter": 13,
"formatOptions": {
"linkTarget": "Resource",
"subTarget": "insights",
"showIcon": true
}
},
{
"columnMatch": "Subscription",
"formatter": 5
},
{
"columnMatch": "Name",
"formatter": 5,
"formatOptions": {
"linkTarget": "Resource"
}
},
{
"columnMatch": "Segment",
"formatter": 5
},
{
"columnMatch": "Api hits",
"formatter": 8,
"formatOptions": {
"min": 0,
"palette": "blue",
"aggregation": "Sum"
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"maximumFractionDigits": 1
},
"emptyValCustomText": "-"
}
},
{
"columnMatch": "Api hits Timeline",
"formatter": 21,
"formatOptions": {
"min": 0,
"palette": "blue",
"aggregation": "Sum"
}
},
{
"columnMatch": "Api hit failures",
"formatter": 8,
"formatOptions": {
"min": 0,
"palette": "red",
"aggregation": "Sum"
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"maximumFractionDigits": 1
},
"emptyValCustomText": "-"
}
},
{
"columnMatch": "Api hit failures Timeline",
"formatter": 5
},
{
"columnMatch": "microsoft.keyvault/vaults--ServiceApiLatency",
"formatter": 8,
"formatOptions": {
"palette": "gray",
"aggregation": "Max"
},
"numberFormat": {
"unit": 23,
"options": {
"style": "decimal",
"maximumFractionDigits": 2
}
}
},
{
"columnMatch": "microsoft.keyvault/vaults--ServiceApiLatency Timeline",
"formatter": 5
},
{
"columnMatch": "Saturation",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": ">",
"thresholdValue": "75",
"representation": "2",
"text": "{0}{1}"
},
{
"operator": "is Empty",
"representation": "success",
"text": "{0}{1}"
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "success",
"text": "{0}{1}"
}
],
"aggregation": "Average"
},
"numberFormat": {
"unit": 1,
"options": {
"style": "decimal",
"maximumFractionDigits": 1
},
"emptyValCustomText": "0%"
}
},
{
"columnMatch": "Saturation Timeline",
"formatter": 5
},
{
"columnMatch": ".*\\/Total Service Api Hits$",
"formatter": 1
},
{
"columnMatch": "microsoft.keyvault/vaults--ServiceApiResult Timeline",
"formatter": 5
},
{
"columnMatch": "microsoft.keyvault/vaults--ServiceApiResult",
"formatter": 1,
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal"
}
}
},
{
"columnMatch": "More Details",
"formatter": 7,
"formatOptions": {
"linkTarget": "WorkbookTemplate"
}
}
],
"rowLimit": 10000,
"filter": true,
"hierarchySettings": {
"treeType": 1,
"groupBy": [
"Subscription",
"Name"
],
"expandTopLevel": true,
"finalBy": "Segment"
},
"labelSettings": [
{
"columnId": "Subscription"
},
{
"columnId": "Name"
},
{
"columnId": "Segment"
},
{
"columnId": "Api hits",
"label": "Requests"
},
{
"columnId": "Api hits Timeline",
"label": "Requests Timeline"
},
{
"columnId": "Api hit failures",
"label": "Request failures"
},
{
"columnId": "microsoft.keyvault/vaults--ServiceApiLatency",
"label": "Average latency (worst rolled up)"
},
{
"columnId": "microsoft.keyvault/vaults--ServiceApiLatency Timeline",
"label": "Overall Service Api Latency (Average) Timeline"
}
]
},
"sortBy": []
},
"name": "overviewMonitoring"
},
{
"type": 10,
"content": {
"chartId": "workbookfc929046-618d-46d4-a287-ec07bc167656",
"version": "MetricsItem/2.0",
"size": 0,
"chartType": 0,
"resourceType": "microsoft.keyvault/vaults",
"metricScope": 0,
"resourceParameter": "KeyVault",
"resourceIds": [
"{KeyVault}"
],
"timeContextFromParameter": "TimeRange",
"timeContext": {
"durationMs": 7776000000
},
"metrics": [
{
"namespace": "microsoft.keyvault/vaults",
"metric": "microsoft.keyvault/vaults--ServiceApiHit",
"aggregation": 1
},
{
"namespace": "microsoft.keyvault/vaults",
"metric": "microsoft.keyvault/vaults--ServiceApiResult",
"aggregation": 1,
"columnName": "Successes"
},
{
"namespace": "microsoft.keyvault/vaults",
"metric": "microsoft.keyvault/vaults--ServiceApiResult",
"aggregation": 1,
"columnName": "Authentication"
},
{
"namespace": "microsoft.keyvault/vaults",
"metric": "microsoft.keyvault/vaults--ServiceApiResult",
"aggregation": 1,
"columnName": "Throttling"
},
{
"namespace": "microsoft.keyvault/vaults",
"metric": "microsoft.keyvault/vaults--ServiceApiResult",
"aggregation": 1,
"columnName": "Failures"
}
],
"title": "Failures",
"gridSettings": {
"formatters": [
{
"columnMatch": "$gen_group",
"formatter": 13,
"formatOptions": {
"linkTarget": "Resource",
"subTarget": "insights",
"showIcon": true
}
},
{
"columnMatch": "Subscription",
"formatter": 5
},
{
"columnMatch": "Name",
"formatter": 5,
"formatOptions": {
"linkTarget": "Resource"
}
},
{
"columnMatch": "microsoft.keyvault/vaults--ServiceApiHit",
"formatter": 8,
"formatOptions": {
"min": 0,
"palette": "blue",
"aggregation": "Sum"
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"maximumFractionDigits": 1
},
"emptyValCustomText": "-"
}
},
{
"columnMatch": "microsoft.keyvault/vaults--ServiceApiHit Timeline",
"formatter": 21,
"formatOptions": {
"min": 0,
"palette": "blue",
"aggregation": "Sum"
}
},
{
"columnMatch": "Successes",
"formatter": 8,
"formatOptions": {
"min": 0,
"palette": "green",
"aggregation": "Sum"
},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"maximumFractionDigits": 1
},
"emptyValCustomText": "-"
}
},
{
"columnMatch": "Successes Timeline",
"formatter": 5
},
{
"columnMatch": "Authentication",
"formatter": 8,
"formatOptions": {
"min": 0,
"palette": "gray",
"aggregation": "Sum"
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"maximumFractionDigits": 1
},
"emptyValCustomText": "-"
}
},
{
"columnMatch": "Authentication Timeline",
"formatter": 5
},
{
"columnMatch": "Throttling",
"formatter": 8,
"formatOptions": {
"min": 0,
"palette": "redBright",
"aggregation": "Sum"
},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"maximumFractionDigits": 1
},
"emptyValCustomText": "-"
}
},
{
"columnMatch": "Throttling Timeline",
"formatter": 5
},
{
"columnMatch": "Failures",
"formatter": 8,
"formatOptions": {
"min": 0,
"palette": "redDark",
"aggregation": "Sum"
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"maximumFractionDigits": 1
},
"emptyValCustomText": "-"
}
},
{
"columnMatch": "Failures Timeline",
"formatter": 5
},
{
"columnMatch": "microsoft.keyvault/vaults--ServiceApiResult",
"formatter": 1,
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal"
}
}
}
],
"rowLimit": 10000,
"filter": true,
"hierarchySettings": {
"treeType": 1,
"groupBy": [
"Subscription"
],
"expandTopLevel": true,
"finalBy": "Name"
},
"labelSettings": [
{
"columnId": "Subscription"
},
{
"columnId": "Name"
},
{
"columnId": "microsoft.keyvault/vaults--ServiceApiHit",
"label": "Total Service Api Hits (Sum)"
},
{
"columnId": "microsoft.keyvault/vaults--ServiceApiHit Timeline",
"label": "Total Service Api Hits Timeline"
},
{
"columnId": "Failures",
"label": "Other Failures"
}
]
}
},
"showPin": true,
"name": "failureMonitoring - Copy"
}
]
},
"conditionalVisibility": {
"parameterName": "mainTab",
"comparison": "isEqualTo",
"value": "monitor"
},
"name": "generalMonitoring"
}
],
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}