785 строки
29 KiB
JSON
785 строки
29 KiB
JSON
{
|
|
"version": "Notebook/1.0",
|
|
"items": [
|
|
{
|
|
"type": 9,
|
|
"content": {
|
|
"version": "KqlParameterItem/1.0",
|
|
"crossComponentResources": [
|
|
"value::selected"
|
|
],
|
|
"parameters": [
|
|
{
|
|
"id": "688dc7cb-bea3-41ae-ae94-32d22e09568c",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "DefaultWorkspace",
|
|
"type": 5,
|
|
"isRequired": true,
|
|
"value": "value::1",
|
|
"isHiddenWhenLocked": true,
|
|
"typeSettings": {
|
|
"resourceTypeFilter": {
|
|
"microsoft.operationalinsights/workspaces": true
|
|
},
|
|
"additionalResourceOptions": [
|
|
"value::1"
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"id": "c11b5651-cf86-4865-b23d-9ecc4f16b712",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "ContextFree",
|
|
"type": 1,
|
|
"query": "{\"version\":\"1.0.0\",\"content\":\"\\\"{DefaultWorkspace}\\\"\"}",
|
|
"isHiddenWhenLocked": true,
|
|
"queryType": 8
|
|
},
|
|
{
|
|
"id": "bbbc300a-6f91-4b2b-b4b5-842b4bf8577a",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "Selection",
|
|
"type": 1,
|
|
"query": "where type =~ 'microsoft.operationalinsights/workspaces'\r\n| extend match = strcat(\"'\", id, \"'\") =~ \"{DefaultWorkspace:value}\"\r\n| order by match desc, name asc\r\n| take 1\r\n| project value = tostring(pack('sub', subscriptionId, 'rg', resourceGroup, 'ws', id))",
|
|
"crossComponentResources": [
|
|
"value::selected"
|
|
],
|
|
"isHiddenWhenLocked": true,
|
|
"queryType": 1,
|
|
"resourceType": "microsoft.resourcegraph/resources"
|
|
}
|
|
],
|
|
"style": "above",
|
|
"queryType": 1,
|
|
"resourceType": "microsoft.resourcegraph/resources"
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "_",
|
|
"comparison": "isEqualTo",
|
|
"value": "_"
|
|
},
|
|
"name": "parameters - 0"
|
|
},
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "# Computer Security Status\r\n<br>\r\n### This report shows various security status messages from Azure Resource Graph and Log Analytics"
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "ContextFree",
|
|
"comparison": "isEqualTo",
|
|
"value": "value::1"
|
|
},
|
|
"name": "text - 1"
|
|
},
|
|
{
|
|
"type": 9,
|
|
"content": {
|
|
"version": "KqlParameterItem/1.0",
|
|
"crossComponentResources": [
|
|
"{Workspaces}"
|
|
],
|
|
"parameters": [
|
|
{
|
|
"id": "1db5ee15-fe52-458b-91d1-7ee39d8c2cd3",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "Subscriptions",
|
|
"type": 6,
|
|
"isRequired": true,
|
|
"query": "summarize by subscriptionId\r\n| project value = strcat('/subscriptions/', subscriptionId), label = subscriptionId, selected = iff(subscriptionId =~ todynamic('{Selection}').sub, true, false)",
|
|
"crossComponentResources": [
|
|
"value::selected"
|
|
],
|
|
"typeSettings": {
|
|
"additionalResourceOptions": []
|
|
},
|
|
"queryType": 1,
|
|
"resourceType": "microsoft.resourcegraph/resources"
|
|
},
|
|
{
|
|
"id": "9732eff8-fb57-4cbd-8ade-5ae746f33760",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "Workspaces",
|
|
"type": 5,
|
|
"isRequired": true,
|
|
"query": "resources\r\n| where type =~ 'microsoft.operationalinsights/workspaces'\r\n| summarize by id, name\r\n| project id, selected = iff(id =~ todynamic('{Selection}').ws, true, false)",
|
|
"crossComponentResources": [
|
|
"{Subscriptions}"
|
|
],
|
|
"value": "/subscriptions/<subs_ID>/resourcegroups/<rg_name>/providers/microsoft.operationalinsights/workspaces/<workspace_name>",
|
|
"typeSettings": {
|
|
"resourceTypeFilter": {
|
|
"microsoft.operationalinsights/workspaces": true
|
|
},
|
|
"additionalResourceOptions": []
|
|
},
|
|
"queryType": 1,
|
|
"resourceType": "microsoft.resourcegraph/resources"
|
|
},
|
|
{
|
|
"id": "5f8cce4b-9c4c-47da-8683-7e5ccc9faed3",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "TimeRange",
|
|
"type": 4,
|
|
"typeSettings": {
|
|
"selectableValues": [
|
|
{
|
|
"durationMs": 300000,
|
|
"createdTime": "2018-10-04T22:01:18.372Z",
|
|
"isInitialTime": false,
|
|
"grain": 1,
|
|
"useDashboardTimeRange": false
|
|
},
|
|
{
|
|
"durationMs": 900000,
|
|
"createdTime": "2018-10-04T22:01:18.372Z",
|
|
"isInitialTime": false,
|
|
"grain": 1,
|
|
"useDashboardTimeRange": false
|
|
},
|
|
{
|
|
"durationMs": 1800000,
|
|
"createdTime": "2018-10-04T22:01:18.372Z",
|
|
"isInitialTime": false,
|
|
"grain": 1,
|
|
"useDashboardTimeRange": false
|
|
},
|
|
{
|
|
"durationMs": 3600000,
|
|
"createdTime": "2018-10-04T22:01:18.372Z",
|
|
"isInitialTime": false,
|
|
"grain": 1,
|
|
"useDashboardTimeRange": false
|
|
},
|
|
{
|
|
"durationMs": 14400000,
|
|
"createdTime": "2018-10-04T22:01:18.374Z",
|
|
"isInitialTime": false,
|
|
"grain": 1,
|
|
"useDashboardTimeRange": false
|
|
},
|
|
{
|
|
"durationMs": 43200000,
|
|
"createdTime": "2018-10-04T22:01:18.374Z",
|
|
"isInitialTime": false,
|
|
"grain": 1,
|
|
"useDashboardTimeRange": false
|
|
},
|
|
{
|
|
"durationMs": 86400000,
|
|
"createdTime": "2018-10-04T22:01:18.374Z",
|
|
"isInitialTime": false,
|
|
"grain": 1,
|
|
"useDashboardTimeRange": false
|
|
},
|
|
{
|
|
"durationMs": 172800000,
|
|
"createdTime": "2018-10-04T22:01:18.374Z",
|
|
"isInitialTime": false,
|
|
"grain": 1,
|
|
"useDashboardTimeRange": false
|
|
},
|
|
{
|
|
"durationMs": 259200000,
|
|
"createdTime": "2018-10-04T22:01:18.375Z",
|
|
"isInitialTime": false,
|
|
"grain": 1,
|
|
"useDashboardTimeRange": false
|
|
},
|
|
{
|
|
"durationMs": 604800000,
|
|
"createdTime": "2018-10-04T22:01:18.375Z",
|
|
"isInitialTime": false,
|
|
"grain": 1,
|
|
"useDashboardTimeRange": false
|
|
},
|
|
{
|
|
"durationMs": 1209600000,
|
|
"createdTime": "2018-10-04T22:01:18.375Z",
|
|
"isInitialTime": false,
|
|
"grain": 1,
|
|
"useDashboardTimeRange": false
|
|
},
|
|
{
|
|
"durationMs": 2592000000,
|
|
"createdTime": "2018-10-04T22:01:18.375Z",
|
|
"isInitialTime": false,
|
|
"grain": 1,
|
|
"useDashboardTimeRange": false
|
|
},
|
|
{
|
|
"durationMs": 5184000000,
|
|
"createdTime": "2018-10-04T22:01:18.375Z",
|
|
"isInitialTime": false,
|
|
"grain": 1,
|
|
"useDashboardTimeRange": false
|
|
},
|
|
{
|
|
"durationMs": 7776000000,
|
|
"createdTime": "2018-10-04T22:01:18.375Z",
|
|
"isInitialTime": false,
|
|
"grain": 1,
|
|
"useDashboardTimeRange": false
|
|
}
|
|
],
|
|
"allowCustom": true
|
|
},
|
|
"value": {
|
|
"durationMs": 604800000
|
|
}
|
|
},
|
|
{
|
|
"id": "d6de19ff-cde4-41c2-9fba-b441312ea5c9",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "Test",
|
|
"type": 1,
|
|
"query": "Perf\r\n| where TimeGenerated {TimeRange}\r\n| take 1",
|
|
"crossComponentResources": [
|
|
"{Workspaces}"
|
|
],
|
|
"isHiddenWhenLocked": true,
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
{
|
|
"id": "4e5f340e-9ca8-4f16-aa10-48d30b486cce",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "Computer",
|
|
"type": 5,
|
|
"query": "resources\r\n| where type == \"microsoft.compute/virtualmachines\" or type == \"microsoft.hybridcompute/machines\"\r\n| project name",
|
|
"crossComponentResources": [
|
|
"{Workspaces}"
|
|
],
|
|
"value": "default",
|
|
"typeSettings": {
|
|
"additionalResourceOptions": []
|
|
},
|
|
"queryType": 1,
|
|
"resourceType": "microsoft.resourcegraph/resources"
|
|
}
|
|
],
|
|
"style": "above",
|
|
"queryType": 1,
|
|
"resourceType": "microsoft.resourcegraph/resources"
|
|
},
|
|
"name": "parameters - 2"
|
|
},
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "⚠ A subscription has not yet been selected. Select a subscription under the `Subscriptions` dropdown or refresh the workbook."
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "Subscriptions",
|
|
"comparison": "isEqualTo",
|
|
"value": null
|
|
},
|
|
"name": "text - 29"
|
|
},
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "---"
|
|
},
|
|
"name": "text - 4"
|
|
},
|
|
{
|
|
"type": 11,
|
|
"content": {
|
|
"version": "LinkItem/1.0",
|
|
"style": "tabs",
|
|
"links": [
|
|
{
|
|
"cellValue": "selectedTab",
|
|
"linkTarget": "parameter",
|
|
"linkLabel": "Status",
|
|
"subTarget": "Status",
|
|
"style": "link"
|
|
},
|
|
{
|
|
"cellValue": "selectedTab",
|
|
"linkTarget": "parameter",
|
|
"linkLabel": "Events",
|
|
"subTarget": "Events",
|
|
"style": "link"
|
|
},
|
|
{
|
|
"cellValue": "selectedTab",
|
|
"linkTarget": "parameter",
|
|
"linkLabel": "Azure Arc",
|
|
"subTarget": "Arc",
|
|
"style": "link"
|
|
}
|
|
]
|
|
},
|
|
"name": "links - 20"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "securityresources\r\n| where type == \"microsoft.security/securitystatuses\" or type == \"microsoft.security/securitystatuses/servers\" or type == \"microsoft.security/assessments\" \r\n//| where name startswith '{Computer}'\r\n| extend compute = tostring(properties.type)\r\n| where compute =~\"virtualmachine\"\r\n| summarize count() by name",
|
|
"size": 4,
|
|
"title": "Count of Computers with Security status info",
|
|
"queryType": 1,
|
|
"resourceType": "microsoft.resourcegraph/resources",
|
|
"crossComponentResources": [
|
|
"{Workspaces}"
|
|
],
|
|
"visualization": "piechart",
|
|
"chartSettings": {
|
|
"showMetrics": false
|
|
}
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 20 - Copy"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "union withsource = Table_Name *\r\n| where Table_Name in (\"Syslog\",\"SecurityEvent\",\"CommonSecurityLog\")\r\n| summarize count(EventID) by Table_Name",
|
|
"size": 4,
|
|
"title": "Count of log entries by Type",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspaces}"
|
|
],
|
|
"visualization": "piechart"
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 20"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "securityresources\r\n| where type == \"microsoft.security/securitystatuses\" or type == \"microsoft.security/securitystatuses/servers\" or type == \"microsoft.security/assessments\" \r\n| where name startswith '{Computer}'\r\n| extend p=array_length(properties.resourceDetails) \r\n| extend compute = tostring(properties.type)\r\n| where compute =~\"virtualmachine\"\r\n| mvexpand prop=properties.resourceDetails\r\n| project ComputerName = name, Resource= prop.name, Status = prop.value ",
|
|
"size": 0,
|
|
"title": "Security Status for {Computer}",
|
|
"queryType": 1,
|
|
"resourceType": "microsoft.resourcegraph/resources",
|
|
"crossComponentResources": [
|
|
"{Workspaces}"
|
|
],
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "ComputerName",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Resource",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Status",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "selectedTab",
|
|
"comparison": "isEqualTo",
|
|
"value": "Status"
|
|
},
|
|
"name": "query - 7"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "securityresources\r\n| where type == \"microsoft.security/assessments\"\r\n| where properties contains '{Computer}'\r\n| project Resource = properties.displayName, Status = trim(@\"[^\\w]+\",tostring(split(properties.status,\":\",1))), Location = trim(@\"[^\\w]+\",tostring(split(properties.resourceDetails,\":\",1)))\r\n| extend Status = iif(Status has \",\",trim(@\"[^\\w]+\",tostring(split(Status,\",\",0))),Status)\r\n| extend Location = iif(Location has \"\\\\\",trim(@\"[^\\w]+\",tostring(split(Location,\"\\\\\",0))),Location)\r\n| summarize count() by Status, tostring(Resource), Location",
|
|
"size": 1,
|
|
"title": "Security Asessment findings for {Computer}",
|
|
"queryType": 1,
|
|
"resourceType": "microsoft.resourcegraph/resources",
|
|
"crossComponentResources": [
|
|
"{Workspaces}"
|
|
],
|
|
"visualization": "piechart",
|
|
"gridSettings": {
|
|
"filter": true
|
|
}
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "selectedTab",
|
|
"comparison": "isEqualTo",
|
|
"value": "Status"
|
|
},
|
|
"name": "query - 18"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "securityresources\r\n| where type == \"microsoft.security/assessments\"\r\n| where properties contains '{Computer}'\r\n| project Resource = properties.displayName, Status = trim(@\"[^\\w]+\",tostring(split(properties.status,\":\",1))), Location = trim(@\"[^\\w]+\",tostring(split(properties.resourceDetails,\":\",1)))\r\n| extend Status = iif(Status has \",\",trim(@\"[^\\w]+\",tostring(split(Status,\",\",0))),Status)\r\n| extend Location = iif(Location has \"\\\\\",trim(@\"[^\\w]+\",tostring(split(Location,\"\\\\\",0))),Location)\r\n| summarize count() by Status, tostring(Resource), Location\r\n| order by count_ desc",
|
|
"size": 0,
|
|
"title": "Security Asessment findings for {Computer}",
|
|
"queryType": 1,
|
|
"resourceType": "microsoft.resourcegraph/resources",
|
|
"crossComponentResources": [
|
|
"{Workspaces}"
|
|
],
|
|
"gridSettings": {
|
|
"filter": true,
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "Status",
|
|
"sortOrder": 2
|
|
}
|
|
]
|
|
},
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "Status",
|
|
"sortOrder": 2
|
|
}
|
|
]
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "selectedTab",
|
|
"comparison": "isEqualTo",
|
|
"value": "Status"
|
|
},
|
|
"name": "query - 18 - Copy"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "SecurityEvent\r\n| where Computer startswith \"{Computer}\"\r\n| summarize count() by Activity\r\n",
|
|
"size": 1,
|
|
"title": "Securtity Events for: {Computer} ",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspaces}"
|
|
],
|
|
"visualization": "piechart",
|
|
"tileSettings": {
|
|
"showBorder": false,
|
|
"titleContent": {
|
|
"columnMatch": "Activity",
|
|
"formatter": 1
|
|
},
|
|
"leftContent": {
|
|
"columnMatch": "count_",
|
|
"formatter": 12,
|
|
"formatOptions": {
|
|
"palette": "auto"
|
|
},
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"graphSettings": {
|
|
"type": 0,
|
|
"topContent": {
|
|
"columnMatch": "Activity",
|
|
"formatter": 1,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
"centerContent": {
|
|
"columnMatch": "count_",
|
|
"formatter": 1,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
},
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
},
|
|
"nodeIdField": "Activity",
|
|
"nodeSize": null,
|
|
"staticNodeSize": 100,
|
|
"colorSettings": null,
|
|
"hivesMargin": 5
|
|
}
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "selectedTab",
|
|
"comparison": "isEqualTo",
|
|
"value": "Events"
|
|
},
|
|
"name": "query - 8"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "Syslog\r\n| where Computer startswith \"{Computer}\"\r\n| summarize count() by Facility, SeverityLevel\r\n",
|
|
"size": 1,
|
|
"title": "Syslog for: {Computer}",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspaces}"
|
|
],
|
|
"visualization": "piechart"
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "selectedTab",
|
|
"comparison": "isEqualTo",
|
|
"value": "Events"
|
|
},
|
|
"name": "query - 10"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog\r\n| where Computer startswith \"{Computer}\"\r\n| summarize count() by DeviceVendor, DeviceEventClassID, Message\r\n",
|
|
"size": 1,
|
|
"title": "CommonSecurityEvent (CEF) for: {Computer}",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspaces}"
|
|
],
|
|
"visualization": "piechart"
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "selectedTab",
|
|
"comparison": "isEqualTo",
|
|
"value": "Events"
|
|
},
|
|
"name": "query - 11"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "union isfuzzy=true (W3CIISLog\r\n| extend TrafficDirection = \"InboundOrUnknown\", Country=RemoteIPCountry, Latitude=RemoteIPLatitude, Longitude=RemoteIPLongitude), (DnsEvents\r\n| extend TrafficDirection = \"InboundOrUnknown\", Country= RemoteIPCountry, Latitude = RemoteIPLatitude, Longitude = RemoteIPLongitude), (WireData\r\n| extend TrafficDirection = iff(Direction != \"Outbound\",\"InboundOrUnknown\", \"Outbound\"), Country=RemoteIPCountry, Latitude=RemoteIPLatitude, Longitude=RemoteIPLongitude), (WindowsFirewall\r\n| extend TrafficDirection = iff(CommunicationDirection != \"SEND\",\"InboundOrUnknown\", \"Outbound\"), Country=MaliciousIPCountry, Latitude=MaliciousIPLatitude, Longitude=MaliciousIPLongitude), (CommonSecurityLog\r\n| extend TrafficDirection = iff(CommunicationDirection != \"Outbound\",\"InboundOrUnknown\", \"Outbound\"), Country=MaliciousIPCountry, Latitude=MaliciousIPLatitude, Longitude=MaliciousIPLongitude, Confidence=ThreatDescription, Description=ThreatDescription), (VMConnection\r\n| where Type == \"VMConnection\"\r\n| extend TrafficDirection = iff(Direction != \"outbound\",\"InboundOrUnknown\", \"Outbound\"), Country=RemoteCountry, Latitude=RemoteLatitude, Longitude=RemoteLongitude)\r\n| where isnotempty(MaliciousIP) and isnotempty(Country) and isnotempty(Latitude) and isnotempty(Longitude)\r\n| where Computer startswith \"{Computer}\"\r\n| summarize MaliciousIPcount = count(MaliciousIP) by Country//, Latitude, Longitude\r\n| order by MaliciousIPcount desc\r\n| top 10 by Country\r\n",
|
|
"size": 0,
|
|
"title": "Potential Locations for: {Computer}",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspaces}"
|
|
],
|
|
"visualization": "map",
|
|
"gridSettings": {
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "MaliciousIPcount",
|
|
"sortOrder": 2
|
|
}
|
|
]
|
|
},
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "MaliciousIPcount",
|
|
"sortOrder": 2
|
|
}
|
|
],
|
|
"mapSettings": {
|
|
"locInfo": "CountryRegion",
|
|
"locInfoColumn": "Country",
|
|
"latitude": "Latitude",
|
|
"longitude": "Longitude",
|
|
"sizeSettings": "MaliciousIPcount",
|
|
"sizeAggregation": "Sum",
|
|
"defaultSize": 0,
|
|
"labelSettings": "MaliciousIP",
|
|
"legendAggregation": "Sum",
|
|
"itemColorSettings": {
|
|
"nodeColorField": "MaliciousIPcount",
|
|
"colorAggregation": "Sum",
|
|
"type": "heatmap",
|
|
"heatmapPalette": "greenRed"
|
|
}
|
|
}
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "selectedTab",
|
|
"comparison": "isEqualTo",
|
|
"value": "Events"
|
|
},
|
|
"name": "query - 14"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "union isfuzzy=true (W3CIISLog\r\n| extend TrafficDirection = \"InboundOrUnknown\", Country=RemoteIPCountry, Latitude=RemoteIPLatitude, Longitude=RemoteIPLongitude), (DnsEvents\r\n| extend TrafficDirection = \"InboundOrUnknown\", Country= RemoteIPCountry, Latitude = RemoteIPLatitude, Longitude = RemoteIPLongitude), (WireData\r\n| extend TrafficDirection = iff(Direction != \"Outbound\",\"InboundOrUnknown\", \"Outbound\"), Country=RemoteIPCountry, Latitude=RemoteIPLatitude, Longitude=RemoteIPLongitude), (WindowsFirewall\r\n| extend TrafficDirection = iff(CommunicationDirection != \"SEND\",\"InboundOrUnknown\", \"Outbound\"), Country=MaliciousIPCountry, Latitude=MaliciousIPLatitude, Longitude=MaliciousIPLongitude), (CommonSecurityLog\r\n| extend TrafficDirection = iff(CommunicationDirection != \"Outbound\",\"InboundOrUnknown\", \"Outbound\"), Country=MaliciousIPCountry, Latitude=MaliciousIPLatitude, Longitude=MaliciousIPLongitude, Confidence=ThreatDescription, Description=ThreatDescription), (VMConnection\r\n| where Type == \"VMConnection\"\r\n| extend TrafficDirection = iff(Direction != \"outbound\",\"InboundOrUnknown\", \"Outbound\"), Country=RemoteCountry, Latitude=RemoteLatitude, Longitude=RemoteLongitude)\r\n| where isnotempty(MaliciousIP) and isnotempty(Country) and isnotempty(Latitude) and isnotempty(Longitude)\r\n| where Computer startswith \"{Computer}\"\r\n| summarize MaliciousIPcount = dcount(MaliciousIP), TableSource = make_set(Type) by Country, TrafficDirection\r\n| top 10 by MaliciousIPcount\r\n| order by MaliciousIPcount desc\r\n\r\n",
|
|
"size": 0,
|
|
"title": "Top10: Potential Locations for: {Computer}",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspaces}"
|
|
],
|
|
"visualization": "table",
|
|
"gridSettings": {
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "MaliciousIPcount",
|
|
"sortOrder": 2
|
|
}
|
|
]
|
|
},
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "MaliciousIPcount",
|
|
"sortOrder": 2
|
|
}
|
|
],
|
|
"mapSettings": {
|
|
"locInfo": "CountryRegion",
|
|
"locInfoColumn": "Code",
|
|
"latitude": "Latitude",
|
|
"longitude": "Longitude",
|
|
"sizeSettings": "count_",
|
|
"sizeAggregation": "Sum",
|
|
"defaultSize": 0,
|
|
"labelSettings": "MaliciousIP",
|
|
"legendAggregation": "Sum",
|
|
"itemColorSettings": {
|
|
"nodeColorField": "MaliciousIPcount",
|
|
"colorAggregation": "Sum",
|
|
"type": "heatmap",
|
|
"heatmapPalette": "greenRed"
|
|
}
|
|
}
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "selectedTab",
|
|
"comparison": "isEqualTo",
|
|
"value": "Events"
|
|
},
|
|
"name": "query - 14 - Copy"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": " resources\r\n| where type == \"microsoft.hybridcompute/machines\"\r\n//| extend p=array_length(properties.provisioningState) \r\n| mvexpand prop=properties.provisioningState\r\n| project ComputerName = id, Status = properties.status, State=prop, location, resourceGroup, type",
|
|
"size": 1,
|
|
"title": "All Azure Arc resources",
|
|
"queryType": 1,
|
|
"resourceType": "microsoft.resourcegraph/resources",
|
|
"crossComponentResources": [
|
|
"{Subscriptions}"
|
|
],
|
|
"sortBy": []
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "selectedTab",
|
|
"comparison": "isEqualTo",
|
|
"value": "Arc"
|
|
},
|
|
"name": "query - 18"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "securityresources\r\n| where type == \"microsoft.security/assessments\"\r\n| where properties has '{Computer}'\r\n| project Resource = properties.displayName, Status = trim(@\"[^\\w]+\",tostring(split(properties.status,\":\",1))), Location = trim(@\"[^\\w]+\",tostring(split(properties.resourceDetails,\":\",1)))\r\n| extend Status = iif(Status has \",\",trim(@\"[^\\w]+\",tostring(split(Status,\",\",0))),Status)\r\n| extend Location = iif(Location has \"\\\\\",trim(@\"[^\\w]+\",tostring(split(Location,\"\\\\\",0))),Location)\r\n| where Location == \"OnPremise\"\r\n| summarize count() by Status, tostring(Resource), Location=\"Azure Arc\"\r\n| order by count_ desc",
|
|
"size": 1,
|
|
"title": "Azure Arc Security Status for: {Computer}",
|
|
"queryType": 1,
|
|
"resourceType": "microsoft.resourcegraph/resources",
|
|
"crossComponentResources": [
|
|
"{Subscriptions}"
|
|
],
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "Status",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Resource",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Location",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "id",
|
|
"formatter": 7,
|
|
"formatOptions": {
|
|
"linkTarget": "Resource",
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "count_",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
}
|
|
]
|
|
},
|
|
"sortBy": []
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "selectedTab",
|
|
"comparison": "isEqualTo",
|
|
"value": "Arc"
|
|
},
|
|
"name": "query - 18 - Copy"
|
|
}
|
|
],
|
|
"fromTemplateId": "sentinel-SecurityStatus",
|
|
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
|
|
}
|