Azure-Sentinel/Workbooks/AIVectraDetectWorkbook.json


{
"version": "Notebook/1.0",
"items": [
{
"type": 11,
"content": {
"version": "LinkItem/1.0",
"style": "tabs",
"links": [
{
"cellValue": "workbook-group",
"linkTarget": "parameter",
"linkLabel": "Cognito Detect",
"subTarget": "detect",
"style": "link"
},
{
"cellValue": "workbook-group",
"linkTarget": "parameter",
"linkLabel": "Health",
"subTarget": "health",
"style": "link"
},
{
"cellValue": "workbook-group",
"linkTarget": "parameter",
"linkLabel": "Audit",
"subTarget": "audit",
"style": "link"
}
]
},
"name": "Links"
},
{
"type": 11,
"content": {
"version": "LinkItem/1.0",
"style": "tabs",
"links": [
{
"cellValue": "workbook",
"linkTarget": "parameter",
"linkLabel": "Overview",
"subTarget": "Overview",
"style": "link"
},
{
"cellValue": "workbook",
"linkTarget": "parameter",
"linkLabel": "Hosts",
"subTarget": "Hosts",
"style": "link"
},
{
"cellValue": "workbook",
"linkTarget": "parameter",
"linkLabel": "Accounts",
"subTarget": "Accounts",
"style": "link"
},
{
"cellValue": "workbook",
"linkTarget": "parameter",
"linkLabel": "Detections",
"subTarget": "Detections",
"style": "link"
},
{
"cellValue": "workbook",
"linkTarget": "parameter",
"linkLabel": "Campaigns",
"subTarget": "Campaigns",
"style": "link"
}
]
},
"conditionalVisibility": {
"parameterName": "workbook-group",
"comparison": "isEqualTo",
"value": "detect"
},
"name": "Detect Links"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "521734b3-6af4-48dc-b622-3f3dd3e1bdeb",
"version": "KqlParameterItem/1.0",
"name": "time_token",
"label": "Timerange",
"type": 4,
"isRequired": true,
"value": {
"durationMs": 86400000
},
"typeSettings": {
"selectableValues": [
{
"durationMs": 300000
},
{
"durationMs": 900000
},
{
"durationMs": 1800000
},
{
"durationMs": 3600000
},
{
"durationMs": 14400000
},
{
"durationMs": 43200000
},
{
"durationMs": 86400000
},
{
"durationMs": 172800000
},
{
"durationMs": 259200000
},
{
"durationMs": 604800000
},
{
"durationMs": 1209600000
},
{
"durationMs": 2419200000
},
{
"durationMs": 2592000000
},
{
"durationMs": 5184000000
},
{
"durationMs": 7776000000
}
],
"allowCustom": true
},
"resourceType": "microsoft.insights/components"
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "Overview - Parameters"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "datatable (Count:long, status:string, status_count:long) [0,\"Low\",1, 0,\"Medium\",2, 0,\"High\",3, 0,\"Critical\",4]\r\n|union\r\n(\r\nCommonSecurityLog\r\n| where DeviceVendor==\"Vectra Networks\" and DeviceEventClassID==\"hsc\"\r\n| extend src = coalesce(SourceHostName, SourceIP)\r\n| summarize arg_max(TimeGenerated, *) by src\r\n| extend status = case(FlexNumber1>=50 and FlexNumber2<50, \"High\",\r\n FlexNumber1>=50 and FlexNumber2>=50, \"Critical\",\r\n FlexNumber1<50 and FlexNumber2>=50, \"Medium\",\r\n FlexNumber1>0 and FlexNumber1<50 and FlexNumber2>0 and FlexNumber2<50,\"Low\",\r\n \"True\"\r\n )\r\n| where status != \"True\"\r\n| extend status_count = case(status==\"Critical\", 4, status==\"High\", 3, status==\"Medium\", 2, 1)\r\n| summarize Count = count() by status, status_count\r\n)\r\n| summarize Count=sum(Count) by status, status_count\r\n| sort by status_count asc",
"size": 4,
"showAnalytics": true,
"title": "Hosts Count By Severity",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "time_token",
"exportFieldName": "status",
"exportParameterName": "status",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"tileSettings": {
"titleContent": {
"columnMatch": "status",
"formatter": 18,
"formatOptions": {
"showIcon": true,
"thresholdsOptions": "colors",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "Critical",
"representation": "redBright",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "High",
"representation": "orange",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Medium",
"representation": "yellow",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Low",
"representation": "green",
"text": "{0}{1}"
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "blue",
"text": "{0}{1}"
}
]
}
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"showIcon": true
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"useGrouping": false,
"maximumFractionDigits": 2,
"maximumSignificantDigits": 3
},
"emptyValCustomText": "0"
}
},
"showBorder": true,
"sortCriteriaField": "status_count",
"sortOrderField": 1
},
"graphSettings": {
"type": 2,
"topContent": {
"columnMatch": "status",
"formatter": 1,
"formatOptions": {
"showIcon": true
}
},
"centerContent": {
"columnMatch": "status_count",
"formatter": 1,
"formatOptions": {
"showIcon": true
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
},
"nodeIdField": "status",
"nodeSize": null,
"staticNodeSize": 100,
"colorSettings": {
"nodeColorField": "status",
"type": 1,
"colorPalette": "default"
},
"hivesMargin": 5
}
},
"customWidth": "100",
"name": "Overview - Hosts Count By Severity",
"styleSettings": {
"progressStyle": "squares"
}
},
{
"type": 1,
"content": {
"json": "💡 _Click on the above tile to view more details_"
},
"name": "Drill Down Info"
},
{
"type": 1,
"content": {
"json": "<hr style=\"border-top: 1.25px dotted red;background-color:#fff;\">"
},
"conditionalVisibility": {
"parameterName": "status",
"comparison": "isNotEqualTo"
},
"name": "Drill Down Line"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceVendor==\"Vectra Networks\" and DeviceEventClassID==\"hsc\"\r\n| extend src = coalesce(SourceHostName, SourceIP)\r\n| summarize arg_max(TimeGenerated, *) by src\r\n| extend status = case(FlexNumber1>=50 and FlexNumber2<50, \"High\",\r\n FlexNumber1>=50 and FlexNumber2>=50, \"Critical\",\r\n FlexNumber1<50 and FlexNumber2>=50, \"Medium\",\r\n FlexNumber1>0 and FlexNumber1<50 and FlexNumber2>0 and FlexNumber2<50,\"Low\",\r\n \"True\"\r\n )\r\n| where status != \"True\" and '{status}'==status\r\n| sort by FlexNumber1 desc, FlexNumber2 desc\r\n| project row_number() , status ,src,SourceIP ,DeviceCustomString1 , DeviceCustomString2 , FlexNumber1 , FlexNumber2 , DeviceCustomString4 , TimeGenerated \r\n| project-rename Sr_No = Column1, Severity=status , Hostname=src, IP_Address=SourceIP , Src_Key_Asset=DeviceCustomString1 , Dest_Key_Asset=DeviceCustomString2 , Threat=FlexNumber1 , Certainty=FlexNumber2 , Host_Details=DeviceCustomString4, Latest_Update = TimeGenerated\r\n\r\n",
"size": 0,
"title": "Hosts With {status} Severity",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "time_token",
"exportFieldName": "Hostname",
"exportParameterName": "hostname",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "Sr_No",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Severity",
"formatter": 18,
"formatOptions": {
"showIcon": true,
"thresholdsOptions": "colors",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "High",
"representation": "orange",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Critical",
"representation": "redBright",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Medium",
"representation": "yellow",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Low",
"representation": "green",
"text": "{0}{1}"
},
{
"operator": "Default",
"thresholdValue": null,
"text": "{0}{1}"
}
]
}
},
{
"columnMatch": "Hostname",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "IP_Address",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Src_Key_Asset",
"formatter": 18,
"formatOptions": {
"showIcon": true,
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "True",
"representation": "success",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "False",
"representation": "failed",
"text": "{0}{1}"
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "Blank",
"text": "{0}{1}"
}
]
}
},
{
"columnMatch": "Dest_Key_Asset",
"formatter": 18,
"formatOptions": {
"showIcon": true,
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "True",
"representation": "success",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "False",
"representation": "failed",
"text": "{0}{1}"
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "Blank",
"text": "{0}{1}"
}
]
}
},
{
"columnMatch": "Threat",
"formatter": 3,
"formatOptions": {
"min": 0,
"max": 100,
"palette": "redBright",
"showIcon": true
}
},
{
"columnMatch": "Certainty",
"formatter": 3,
"formatOptions": {
"min": 0,
"max": 100,
"palette": "blue",
"showIcon": true
}
},
{
"columnMatch": "Host_Details",
"formatter": 7,
"formatOptions": {
"linkTarget": "Url",
"linkLabel": "",
"showIcon": true
}
},
{
"columnMatch": "Latest_Update",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Column1",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "src",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Row number",
"formatter": 0,
"formatOptions": {
"showIcon": true,
"aggregation": "Count"
}
}
],
"rowLimit": 10000,
"filter": true,
"labelSettings": [
{
"columnId": "Severity"
},
{
"columnId": "Hostname"
},
{
"columnId": "IP_Address"
},
{
"columnId": "Src_Key_Asset"
},
{
"columnId": "Dest_Key_Asset"
},
{
"columnId": "Threat"
},
{
"columnId": "Certainty"
},
{
"columnId": "Host_Details"
},
{
"columnId": "Latest_Update"
}
]
}
},
"conditionalVisibility": {
"parameterName": "status",
"comparison": "isNotEqualTo"
},
"name": "Overview - Hosts With selected Severity",
"styleSettings": {
"progressStyle": "squares"
}
},
{
"type": 1,
"content": {
"json": "💡 _Click on a row in the above grid to view more details_"
},
"conditionalVisibility": {
"parameterName": "status",
"comparison": "isNotEqualTo"
},
"name": "Drill Down Info"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Vectra Networks\"\r\n and DeviceEventClassID !in (\"health\", \"audit\", \"campaigns\", \"hsc\", \"asc\")\r\n and isnotnull(ExternalID)\r\n| search kind=case_sensitive '{hostname}'\r\n| summarize arg_max(TimeGenerated, *) by ExternalID\r\n| parse-where AdditionalExtensions with * \"cat=\" Category \";\"*\r\n| extend src = coalesce(SourceHostName, SourceIP), dst = coalesce(DestinationHostName, DestinationIP)\r\n| sort by TimeGenerated desc, FlexNumber1 desc, FlexNumber2 desc\r\n| project row_number(), TimeGenerated, DeviceCustomString5, Category, DeviceEventClassID, src, SourceIP, dst, DestinationIP, FlexNumber1, FlexNumber2, DeviceCustomString4\r\n| project-rename Sr_No = Column1, Detection_Time = TimeGenerated, Triaged = DeviceCustomString5, Type = DeviceEventClassID , Source = src , Source_IP = SourceIP ,Destination = dst , Destination_IP = DestinationIP , Threat = FlexNumber1 , Certainty = FlexNumber2, Detection_Details = DeviceCustomString4\r\n| take 10\r\n",
"size": 0,
"title": "Latest 10 Detections For Host: {hostname}",
"noDataMessage": "No detections found for the selected host within the selected time range.",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "time_token",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "Detection_Time",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Triaged",
"formatter": 18,
"formatOptions": {
"showIcon": true,
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "True",
"representation": "success",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "False",
"representation": "failed",
"text": "{0}{1}"
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "success",
"text": "{0}{1}"
}
]
},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": false
}
}
},
{
"columnMatch": "Category",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Type",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Source",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Source_IP",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Destination",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Destination_IP",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Threat",
"formatter": 3,
"formatOptions": {
"min": 0,
"max": 100,
"palette": "redBright",
"showIcon": true
}
},
{
"columnMatch": "Certainty",
"formatter": 3,
"formatOptions": {
"min": 0,
"max": 100,
"palette": "blue",
"showIcon": true
}
},
{
"columnMatch": "Detection_Details",
"formatter": 7,
"formatOptions": {
"linkTarget": "Url",
"showIcon": true
}
}
],
"rowLimit": 10
}
},
"conditionalVisibility": {
"parameterName": "hostname",
"comparison": "isNotEqualTo"
},
"name": "Overview - Top 10 Detections For selected Host"
},
{
"type": 1,
"content": {
"json": "<hr style=\"border-top: 1.25px dotted red;background-color:#fff;\">"
},
"conditionalVisibility": {
"parameterName": "status",
"comparison": "isNotEqualTo"
},
"name": "Drill Down Line"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceVendor==\"Vectra Networks\" and DeviceEventClassID == \"hsc\"\r\n| extend src = coalesce(SourceHostName, SourceIP)\r\n| summarize arg_max(TimeGenerated, *) by src \r\n| sort by FlexNumber1 desc, FlexNumber2 desc\r\n| limit 10\r\n| project row_number(), src, SourceIP, FlexNumber1 , FlexNumber2, TimeGenerated\r\n| project-rename Sr_No = Column1, Source=src, Source_IP=SourceIP, Threat=FlexNumber1, Certainty=FlexNumber2, Latest_Detection = TimeGenerated",
"size": 0,
"showAnalytics": true,
"title": "Worst Offenders",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "time_token",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "Source",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Source_IP",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Threat",
"formatter": 3,
"formatOptions": {
"min": 0,
"max": 100,
"palette": "redBright",
"showIcon": true
}
},
{
"columnMatch": "Certainty",
"formatter": 3,
"formatOptions": {
"min": 0,
"max": 100,
"palette": "blue",
"showIcon": true
}
},
{
"columnMatch": "Latest_Detection",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
}
],
"rowLimit": 10
}
},
"customWidth": "50",
"name": "Overview - Worst Offenders",
"styleSettings": {
"progressStyle": "squares",
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceVendor==\"Vectra Networks\" and DeviceEventClassID == \"hsc\" and (DeviceCustomString1 == \"True\" or DeviceCustomString2 == \"True\")\r\n| extend src = coalesce(SourceHostName, SourceIP)\r\n| summarize arg_max(TimeGenerated, *) by src \r\n| sort by FlexNumber1 desc, FlexNumber2 desc\r\n| limit 10\r\n| project row_number(), src, SourceIP, DeviceCustomString1 , DeviceCustomString2, FlexNumber1 , FlexNumber2, TimeGenerated\r\n| project-rename Sr_No = Column1, Source=src, Source_IP=SourceIP,Src_Key_Asset=DeviceCustomString1,Des_Key_Asset=DeviceCustomString2, Threat=FlexNumber1, Certainty=FlexNumber2, Latest_Detection = TimeGenerated",
"size": 0,
"showAnalytics": true,
"title": "Key Assets",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "time_token",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "Source",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Source_IP",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Src_Key_Asset",
"formatter": 18,
"formatOptions": {
"showIcon": true,
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "True",
"representation": "success",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "False",
"representation": "failed",
"text": "{0}{1}"
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "Blank",
"text": "{0}{1}"
}
]
}
},
{
"columnMatch": "Des_Key_Asset",
"formatter": 18,
"formatOptions": {
"showIcon": true,
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "True",
"representation": "success",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "False",
"representation": "failed",
"text": "{0}{1}"
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "Blank",
"text": "{0}{1}"
}
]
}
},
{
"columnMatch": "Threat",
"formatter": 3,
"formatOptions": {
"min": 0,
"max": 100,
"palette": "redBright",
"showIcon": true
}
},
{
"columnMatch": "Certainty",
"formatter": 3,
"formatOptions": {
"min": 0,
"max": 100,
"palette": "blue",
"showIcon": true
}
},
{
"columnMatch": "Latest_Detection",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
}
],
"rowLimit": 10
}
},
"customWidth": "50",
"name": "Overview - Key Assets",
"styleSettings": {
"progressStyle": "squares",
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceVendor==\"Vectra Networks\" and DeviceEventClassID !in (\"health\", \"audit\", \"campaigns\", \"hsc\", \"asc\")\r\n and isnotnull(ExternalID)\r\n | summarize Count=count() by DeviceEventClassID \r\n | top 10 by Count desc",
"size": 0,
"showAnalytics": true,
"title": "Top 10 Detection Types",
"color": "turquoise",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "time_token",
"exportFieldName": "x",
"exportParameterName": "type_token",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "barchart",
"chartSettings": {}
},
"name": "Overview - Top 10 Detection Types",
"styleSettings": {
"progressStyle": "squares",
"showBorder": true
}
},
{
"type": 1,
"content": {
"json": "💡 _Click on a bar in the above chart to view more details_"
},
"name": "Drill Down Info"
},
{
"type": 1,
"content": {
"json": "<hr style=\"border-top: 1.25px dotted red;background-color:#fff;\">"
},
"conditionalVisibility": {
"parameterName": "type_token",
"comparison": "isNotEqualTo"
},
"name": "Drill Down Line"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Vectra Networks\"\r\n and DeviceEventClassID !in (\"health\", \"audit\", \"campaigns\", \"hsc\", \"asc\")\r\n and isnotnull(ExternalID)\r\n| parse-where AdditionalExtensions with * \"cat=\" Category \";\"*\r\n| where DeviceEventClassID == '{type_token}'\r\n| extend src = coalesce(SourceHostName, SourceIP), dst = coalesce(DestinationHostName, DestinationIP)\r\n| sort by TimeGenerated desc, FlexNumber1 desc, FlexNumber2 desc\r\n| project row_number(), DeviceCustomString5, Category, src, SourceIP, dst, DestinationIP, FlexNumber1, FlexNumber2, DeviceCustomString4, TimeGenerated\r\n| project-rename Sr_No = Column1, Triaged = DeviceCustomString5, Source = src , Source_IP = SourceIP ,Destination = dst , Destination_IP = DestinationIP , Threat = FlexNumber1 , Certainty = FlexNumber2, Detection_Details = DeviceCustomString4, Latest_Detection = TimeGenerated\r\n",
"size": 0,
"title": "Details For Detection Type: {type_token}",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "time_token",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "Triaged",
"formatter": 18,
"formatOptions": {
"showIcon": true,
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "True",
"representation": "success",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "False",
"representation": "failed",
"text": "{0}{1}"
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "Blank",
"text": "{0}{1}"
}
]
}
},
{
"columnMatch": "Category",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Source",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Source_IP",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Destination",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Destination_IP",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Threat",
"formatter": 3,
"formatOptions": {
"min": 0,
"max": 100,
"palette": "redBright",
"showIcon": true
}
},
{
"columnMatch": "Certainty",
"formatter": 3,
"formatOptions": {
"min": 0,
"max": 100,
"palette": "blue",
"showIcon": true
}
},
{
"columnMatch": "Detection_Details",
"formatter": 7,
"formatOptions": {
"linkTarget": "Url",
"showIcon": true
}
},
{
"columnMatch": "Latest_Detection",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Type",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
}
],
"rowLimit": 10000,
"filter": true
}
},
"conditionalVisibility": {
"parameterName": "type_token",
"comparison": "isNotEqualTo"
},
"name": "Overview - Details For selected Detection Type",
"styleSettings": {
"progressStyle": "squares"
}
},
{
"type": 1,
"content": {
"json": "<hr style=\"border-top: 1.25px dotted red;background-color:#fff;\">"
},
"conditionalVisibility": {
"parameterName": "type_token",
"comparison": "isNotEqualTo"
},
"name": "Drill Down Line"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceVendor==\"Vectra Networks\" and DeviceEventClassID !in (\"health\", \"audit\", \"campaigns\", \"hsc\", \"asc\")\r\n and isnotnull(ExternalID)\r\n| parse-where AdditionalExtensions with * \"cat=\" cat \";\"*\r\n| summarize Count = count() by cat\r\n| top 10 by Count desc",
"size": 0,
"showAnalytics": true,
"title": "Top 10 Detection Categories",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "time_token",
"exportFieldName": "x",
"exportParameterName": "category_token",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "barchart",
"tileSettings": {
"showBorder": false,
"titleContent": {
"columnMatch": "cat",
"formatter": 1
},
"leftContent": {
"columnMatch": "count_",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
},
"chartSettings": {}
},
"name": "Overview - Top 10 Detection Categories",
"styleSettings": {
"progressStyle": "squares",
"showBorder": true
}
},
{
"type": 1,
"content": {
"json": "💡 _Click on a bar in the above chart to view more details_"
},
"name": "Drill Down Info"
},
{
"type": 1,
"content": {
"json": "<hr style=\"border-top: 1.25px dotted red;background-color:#fff;\">"
},
"conditionalVisibility": {
"parameterName": "category_token",
"comparison": "isNotEqualTo"
},
"name": "Drill Down Line"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Vectra Networks\"\r\n and DeviceEventClassID !in (\"health\", \"audit\", \"campaigns\", \"hsc\", \"asc\")\r\n and isnotnull(ExternalID)\r\n| parse-where AdditionalExtensions with * \"cat=\" Category \";\"*\r\n| where Category == \"{category_token}\"\r\n| extend src = coalesce(SourceHostName, SourceIP), dst = coalesce(DestinationHostName, DestinationIP)\r\n| sort by TimeGenerated desc, FlexNumber1 desc, FlexNumber2 desc\r\n| project row_number(), DeviceCustomString5, DeviceEventClassID, src, SourceIP, dst, DestinationIP, FlexNumber1, FlexNumber2, DeviceCustomString4, TimeGenerated\r\n| project-rename Sr_No = Column1, Triaged = DeviceCustomString5, Type = DeviceEventClassID , Source = src , Source_IP = SourceIP ,Destination = dst , Destination_IP = DestinationIP , Threat = FlexNumber1 , Certainty = FlexNumber2, Detection_Details = DeviceCustomString4, Latest_Detection = TimeGenerated\r\n",
"size": 0,
"title": "Details For Detection Category: {category_token}",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "time_token",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "Triaged",
"formatter": 18,
"formatOptions": {
"showIcon": true,
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "True",
"representation": "success",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "False",
"representation": "failed",
"text": "{0}{1}"
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "Blank",
"text": "{0}{1}"
}
]
}
},
{
"columnMatch": "Type",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Source",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Source_IP",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Destination",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Destination_IP",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Threat",
"formatter": 3,
"formatOptions": {
"min": 0,
"max": 100,
"palette": "redBright",
"showIcon": true
}
},
{
"columnMatch": "Certainty",
"formatter": 3,
"formatOptions": {
"min": 0,
"max": 100,
"palette": "blue",
"showIcon": true
}
},
{
"columnMatch": "Detection_Details",
"formatter": 7,
"formatOptions": {
"linkTarget": "Url",
"showIcon": true
}
},
{
"columnMatch": "Latest_Detection",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Category",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
}
],
"rowLimit": 10000,
"filter": true
}
},
"conditionalVisibility": {
"parameterName": "category_token",
"comparison": "isNotEqualTo"
},
"name": "Overview - Details For selected Detection Category",
"styleSettings": {
"progressStyle": "squares"
}
},
{
"type": 1,
"content": {
"json": "<hr style=\"border-top: 1.25px dotted red;background-color:#fff;\">"
},
"conditionalVisibility": {
"parameterName": "category_token",
"comparison": "isNotEqualTo"
},
"name": "Drill Down Line"
}
]
},
"conditionalVisibilities": [
{
"parameterName": "workbook-group",
"comparison": "isEqualTo",
"value": "detect"
},
{
"parameterName": "workbook",
"comparison": "isEqualTo",
"value": "Overview"
}
],
"conditionalVisibility": {
"parameterName": "workbook-group",
"comparison": "isEqualTo",
"value": "detect"
},
"name": "Cognito Detect - Overview"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "e2a6498e-1f10-4c1a-90cf-b0d97004f545",
"version": "KqlParameterItem/1.0",
"name": "Timerange",
"type": 4,
"isRequired": true,
"value": {
"durationMs": 86400000
},
"typeSettings": {
"selectableValues": [
{
"durationMs": 300000
},
{
"durationMs": 900000
},
{
"durationMs": 1800000
},
{
"durationMs": 3600000
},
{
"durationMs": 14400000
},
{
"durationMs": 43200000
},
{
"durationMs": 86400000
},
{
"durationMs": 172800000
},
{
"durationMs": 259200000
},
{
"durationMs": 604800000
},
{
"durationMs": 1209600000
},
{
"durationMs": 2419200000
},
{
"durationMs": 2592000000
},
{
"durationMs": 5184000000
},
{
"durationMs": 7776000000
}
],
"allowCustom": true
},
"resourceType": "microsoft.insights/components"
},
{
"id": "1840c704-6f4b-40fd-8a54-6984bdc1d7e3",
"version": "KqlParameterItem/1.0",
"name": "severity_token",
"label": "Severity",
"type": 2,
"isRequired": true,
"query": "datatable (status:string) [\"All\"]\r\n|union\r\n(\r\nCommonSecurityLog\r\n| where DeviceEventClassID == \"hsc\" and DeviceVendor == \"Vectra Networks\"\r\n| extend src = coalesce(SourceHostName, SourceIP)\r\n| summarize arg_max(TimeGenerated, *) by src\r\n| extend status = case(FlexNumber1>=50 and FlexNumber2<50, \"High\",\r\n FlexNumber1>=50 and FlexNumber2>=50, \"Critical\",\r\n FlexNumber1<50 and FlexNumber2>=50, \"Medium\",\r\n FlexNumber1>0 and FlexNumber1<50 and FlexNumber2>0 and FlexNumber2<50,\"Low\",\r\n \"pass\"\r\n )\r\n| where status != \"pass\"\r\n| distinct status\r\n)",
"value": "All",
"typeSettings": {
"additionalResourceOptions": []
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "Timerange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "Hosts - Parameters"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let token = \"{severity_token}\";\r\nCommonSecurityLog\r\n| where DeviceEventClassID == \"hsc\" and DeviceVendor == \"Vectra Networks\"\r\n| extend src = coalesce(SourceHostName, SourceIP)\r\n| summarize arg_max(TimeGenerated, *) by src\r\n| extend status = case(FlexNumber1>=50 and FlexNumber2<50, \"High\",\r\n FlexNumber1>=50 and FlexNumber2>=50, \"Critical\",\r\n FlexNumber1<50 and FlexNumber2>=50, \"Medium\",\r\n FlexNumber1>0 and FlexNumber1<50 and FlexNumber2>0 and FlexNumber2<50,\"Low\",\r\n \"pass\"\r\n )\r\n| where status != \"pass\"\r\n| where case(token == \"All\", status!=\"All\", status==token)\r\n| sort by FlexNumber1 desc, FlexNumber2 desc,TimeGenerated desc\r\n| project row_number(), status , SourceHostName , SourceIP , DeviceCustomString1 , DeviceCustomString2 , FlexNumber1 , FlexNumber2 , DeviceCustomString4 , TimeGenerated\r\n| project-rename Sr_No = Column1, Severity = status ,Hostname= SourceHostName , Source_IP = SourceIP , Src_Key_Asset = DeviceCustomString1 ,Dest_Key_Asset = DeviceCustomString2 , Threat = FlexNumber1 , Certainty = FlexNumber2 , Host_Details = DeviceCustomString4, Latest_Update = TimeGenerated\r\n",
"size": 1,
"showAnalytics": true,
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "Timerange",
"exportFieldName": "Hostname",
"exportParameterName": "hostname",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "Severity",
"formatter": 18,
"formatOptions": {
"showIcon": true,
"thresholdsOptions": "colors",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "Low",
"representation": "green",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "High",
"representation": "orange",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Medium",
"representation": "yellow",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Critical",
"representation": "redBright",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "All",
"text": "{0}{1}"
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "blue",
"text": "{0}{1}"
}
]
}
},
{
"columnMatch": "Hostname",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Source_IP",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Src_Key_Asset",
"formatter": 18,
"formatOptions": {
"showIcon": true,
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "True",
"representation": "success",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "False",
"representation": "failed",
"text": "{0}{1}"
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "Blank",
"text": "{0}{1}"
}
]
}
},
{
"columnMatch": "Dest_Key_Asset",
"formatter": 18,
"formatOptions": {
"showIcon": true,
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "True",
"representation": "success",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "False",
"representation": "failed",
"text": "{0}{1}"
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "Blank",
"text": "{0}{1}"
}
]
}
},
{
"columnMatch": "Threat",
"formatter": 3,
"formatOptions": {
"min": 0,
"max": 100,
"palette": "redBright",
"showIcon": true
}
},
{
"columnMatch": "Certainty",
"formatter": 3,
"formatOptions": {
"min": 0,
"max": 100,
"palette": "blue",
"showIcon": true
}
},
{
"columnMatch": "Host_Details",
"formatter": 7,
"formatOptions": {
"linkTarget": "Url",
"showIcon": true
}
},
{
"columnMatch": "Latest_Update",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
}
],
"rowLimit": 10000,
"filter": true
}
},
"name": "Hosts - Details"
},
{
"type": 1,
"content": {
"json": "💡 _Select a row in the grid above to drill down. The sections below show the selected host's threat and certainty scores over time and the latest record of each detection that mentions it; detections are matched by searching for the host name in any field of the event, so check the Source and Destination columns to see whether the host was the source or the destination._"
},
"name": "Drill Down Info"
},
{
"type": 1,
"content": {
"json": "<hr style=\"border-top: 1.25px dotted red;background-color:#fff;\">"
},
"conditionalVisibility": {
"parameterName": "hostname",
"comparison": "isNotEqualTo"
},
"name": "Drill Down Line"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceEventClassID == \"hsc\" and DeviceVendor == \"Vectra Networks\"\r\n| extend src = coalesce(SourceHostName, SourceIP)\r\n| where src=='{hostname}'\r\n| summarize arg_max(TimeGenerated, FlexNumber1, FlexNumber2) by TimeGenerated=bin(TimeGenerated,10m)\r\n| project-rename Threat=FlexNumber1, Certainty=FlexNumber2\r\n",
"size": 0,
"aggregation": 5,
"title": "Threat And Certainty Over Time For Host: {hostname}",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "Timerange",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "linechart",
"chartSettings": {
"seriesLabelSettings": [
{
"seriesName": "Threat",
"label": "Threat",
"color": "redBright"
},
{
"seriesName": "Certainty",
"label": "Certainty",
"color": "blue"
}
]
}
},
"conditionalVisibility": {
"parameterName": "hostname",
"comparison": "isNotEqualTo"
},
"name": "Hosts - Threat And Certainty Over Time For selected Host"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Vectra Networks\"\r\n and DeviceEventClassID !in (\"health\", \"audit\", \"campaigns\", \"hsc\", \"asc\")\r\n and isnotnull(ExternalID)\r\n| parse-where AdditionalExtensions with * \"cat=\" Category \";\"*\r\n| extend src = coalesce(SourceHostName, SourceIP), dst = coalesce(DestinationHostName, DestinationIP)\r\n| search kind=case_sensitive '{hostname}'\r\n| summarize arg_max(TimeGenerated, *) by ExternalID\r\n| sort by FlexNumber1 desc, FlexNumber2 desc\r\n| project row_number(), TimeGenerated, DeviceCustomString5, Category, DeviceEventClassID, src, SourceIP, dst, DestinationIP, FlexNumber1, FlexNumber2, DeviceCustomString4\r\n| project-rename Sr_No = Column1, Detection_Time = TimeGenerated, Triaged = DeviceCustomString5, Type = DeviceEventClassID , Source = src , Source_IP = SourceIP ,Destination = dst , Destination_IP = DestinationIP , Threat = FlexNumber1 , Certainty = FlexNumber2, Detection_Details = DeviceCustomString4\r\n",
"size": 0,
"title": "Detection Details For Host: {hostname}",
"noDataMessage": "No detections found for the selected host within the selected time range.",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "Timerange",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "Detection_Time",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Triaged",
"formatter": 18,
"formatOptions": {
"showIcon": true,
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "True",
"representation": "success",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "False",
"representation": "failed",
"text": "{0}{1}"
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "success",
"text": "{0}{1}"
}
]
}
},
{
"columnMatch": "Category",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Type",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Source",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Source_IP",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Destination",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Destination_IP",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Threat",
"formatter": 3,
"formatOptions": {
"min": 0,
"max": 100,
"palette": "redBright",
"showIcon": true
}
},
{
"columnMatch": "Certainty",
"formatter": 3,
"formatOptions": {
"min": 0,
"max": 100,
"palette": "blue",
"showIcon": true
}
},
{
"columnMatch": "Detection_Details",
"formatter": 7,
"formatOptions": {
"linkTarget": "Url",
"showIcon": true
}
}
],
"rowLimit": 10000
}
},
"conditionalVisibility": {
"parameterName": "hostname",
"comparison": "isNotEqualTo"
},
"name": "Hosts - Detection Details For selected Host"
},
{
"type": 1,
"content": {
"json": "<hr style=\"border-top: 1.25px dotted red;background-color:#fff;\">"
},
"conditionalVisibility": {
"parameterName": "hostname",
"comparison": "isNotEqualTo"
},
"name": "Drill Down Line"
}
]
},
"conditionalVisibilities": [
{
"parameterName": "workbook-group",
"comparison": "isEqualTo",
"value": "detect"
},
{
"parameterName": "workbook",
"comparison": "isEqualTo",
"value": "Hosts"
}
],
"conditionalVisibility": {
"parameterName": "workbook-group",
"comparison": "isEqualTo",
"value": "detect"
},
"name": "Cognito Detect - Hosts"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "8641c210-ae59-4759-be51-6c92fa8e4d4e",
"version": "KqlParameterItem/1.0",
"name": "time_token",
"label": "Timerange",
"type": 4,
"isRequired": true,
"value": {
"durationMs": 86400000
},
"typeSettings": {
"selectableValues": [
{
"durationMs": 300000
},
{
"durationMs": 900000
},
{
"durationMs": 1800000
},
{
"durationMs": 3600000
},
{
"durationMs": 14400000
},
{
"durationMs": 43200000
},
{
"durationMs": 86400000
},
{
"durationMs": 172800000
},
{
"durationMs": 259200000
},
{
"durationMs": 604800000
},
{
"durationMs": 1209600000
},
{
"durationMs": 2419200000
},
{
"durationMs": 2592000000
},
{
"durationMs": 5184000000
},
{
"durationMs": 7776000000
}
],
"allowCustom": true
},
"resourceType": "microsoft.insights/components"
},
{
"id": "f27ef7a3-1638-4b26-8027-7bc5ca4948b4",
"version": "KqlParameterItem/1.0",
"name": "severity_token",
"label": "Severity",
"type": 2,
"isRequired": true,
"query": "datatable (status:string) [\"All\"]\r\n|union\r\n(\r\nCommonSecurityLog\r\n| where DeviceVendor == \"Vectra Networks\" and DeviceEventClassID == \"asc\" and isnotnull(ExternalID) and isnotnull(FlexNumber1) and isnotnull(FlexNumber2)\r\n| summarize arg_max(TimeGenerated, *) by ExternalID\r\n| extend status = case(FlexNumber1>=50 and FlexNumber2<50, \"High\",\r\n FlexNumber1>=50 and FlexNumber2>=50, \"Critical\",\r\n FlexNumber1<50 and FlexNumber2>=50, \"Medium\",\r\n FlexNumber1>0 and FlexNumber1<50 and FlexNumber2>0 and FlexNumber2<50,\"Low\",\r\n \"pass\"\r\n )\r\n| where status != \"pass\"\r\n| distinct status\r\n)",
"value": "All",
"typeSettings": {
"additionalResourceOptions": []
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "time_token",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "Accounts - Parameters"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceVendor==\"Vectra Networks\" and DeviceEventClassID==\"asc\" and isnotnull(ExternalID) and isnotnull(FlexNumber1) and isnotnull(FlexNumber2)\r\n| summarize arg_max(TimeGenerated, *) by ExternalID\r\n| extend status = case(FlexNumber1>=50 and FlexNumber2<50, \"High\",FlexNumber1>=50 and FlexNumber2>=50, \"Critical\",FlexNumber1<50 and FlexNumber2>=50, \"Medium\",FlexNumber1>0 and FlexNumber1<50 and FlexNumber2>0 and FlexNumber2<50,\"Low\",\"True\")\r\n| extend saccount = extract(\"saccount=(.+?);\", 1, AdditionalExtensions)\r\n | where status != \"True\"\r\n| where case(\"{severity_token}\" == \"All\", status!=\"All\", status==\"{severity_token}\")\r\n| sort by FlexNumber1 desc, FlexNumber2 desc\r\n| project row_number(), status, saccount, FlexNumber1, FlexNumber2, DeviceCustomString4, TimeGenerated\r\n| project-rename Sr_No = Column1, Severity=status, Account_Name=saccount, Threat=FlexNumber1, Certainty=FlexNumber2, Account_Details=DeviceCustomString4, Latest_Update = TimeGenerated",
"size": 0,
"showAnalytics": true,
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "time_token",
"exportFieldName": "Account_Name",
"exportParameterName": "account_name",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "Severity",
"formatter": 18,
"formatOptions": {
"showIcon": true,
"thresholdsOptions": "colors",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "High",
"representation": "orange",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Critical",
"representation": "redBright",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Medium",
"representation": "yellow",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Low",
"representation": "green",
"text": "{0}{1}"
},
{
"operator": "Default",
"thresholdValue": null,
"text": "{0}{1}"
}
]
}
},
{
"columnMatch": "Account_Name",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Threat",
"formatter": 3,
"formatOptions": {
"min": 0,
"max": 100,
"palette": "redBright",
"showIcon": true
}
},
{
"columnMatch": "Certainty",
"formatter": 3,
"formatOptions": {
"min": 0,
"max": 100,
"palette": "blue",
"showIcon": true
}
},
{
"columnMatch": "Account_Details",
"formatter": 7,
"formatOptions": {
"linkTarget": "Url",
"showIcon": true
}
},
{
"columnMatch": "Latest_Update",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
}
],
"rowLimit": 10000,
"filter": true
}
},
"name": "Accounts - Details"
},
{
"type": 1,
"content": {
"json": "💡 _Select a row in the grid above to drill down. The sections below show detection categories over time and the individual detections whose account field exactly matches the selected account name._"
},
"name": "Drill Down Info"
},
{
"type": 1,
"content": {
"json": "<hr style=\"border-top: 1.25px dotted red;background-color:#fff;\">"
},
"conditionalVisibility": {
"parameterName": "account_name",
"comparison": "isNotEqualTo"
},
"name": "Drill Down Line"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Vectra Networks\" and DeviceEventClassID !in (\"health\", \"audit\", \"campaigns\", \"hsc\", \"asc\") and isnotnull(ExternalID)\r\n| parse-where AdditionalExtensions with * \"cat=\" Category \";\"*\r\n| parse-where AdditionalExtensions with * \"account=\" account \";\"*\r\n| where account == '{account_name}'\r\n| summarize count() by Category, TimeGenerated",
"size": 0,
"showAnnotations": true,
"title": "Detection Categories Over Time For Account: {account_name}",
"noDataMessage": "No detections found for the selected account within the selected time range.",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "time_token",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "areachart"
},
"conditionalVisibility": {
"parameterName": "account_name",
"comparison": "isNotEqualTo"
},
"name": "Accounts - Detection Categories over Time for selected Account"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Vectra Networks\" and DeviceEventClassID !in (\"health\", \"audit\", \"campaigns\", \"hsc\", \"asc\") and isnotnull(ExternalID)\r\n| parse-where AdditionalExtensions with * \"cat=\" Category \";\"*\r\n| parse-where AdditionalExtensions with * \"account=\" account \";\"*\r\n| where account == '{account_name}'\r\n| sort by TimeGenerated desc, FlexNumber1 desc, FlexNumber2 desc\r\n| project row_number(), TimeGenerated, DeviceCustomString5, Category, DeviceEventClassID, account, FlexNumber1, FlexNumber2, DeviceCustomString4\r\n| project-rename Sr_No = Column1, Detection_Time = TimeGenerated, Triaged = DeviceCustomString5, Type = DeviceEventClassID , Account = account , Threat = FlexNumber1 , Certainty = FlexNumber2, Detection_Details = DeviceCustomString4",
"size": 0,
"title": "Detection Details For Account: {account_name}",
"noDataMessage": "No detections found for the selected account within the selected time range.",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "time_token",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "Triaged",
"formatter": 18,
"formatOptions": {
"showIcon": true,
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "True",
"representation": "success",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "False",
"representation": "failed",
"text": "{0}{1}"
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "Blank",
"text": "{0}{1}"
}
]
}
},
{
"columnMatch": "Category",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Type",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Source",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Source_IP",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Destination",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Destination_IP",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Threat",
"formatter": 3,
"formatOptions": {
"min": 0,
"max": 100,
"palette": "redBright",
"showIcon": true
}
},
{
"columnMatch": "Certainty",
"formatter": 3,
"formatOptions": {
"min": 0,
"max": 100,
"palette": "blue",
"showIcon": true
}
},
{
"columnMatch": "Detection_Details",
"formatter": 7,
"formatOptions": {
"linkTarget": "Url",
"showIcon": true
}
},
{
"columnMatch": "Latest_Detection",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
}
],
"rowLimit": 10000
}
},
"conditionalVisibility": {
"parameterName": "account_name",
"comparison": "isNotEqualTo"
},
"name": "Accounts - Detection Details for selected Account"
},
{
"type": 1,
"content": {
"json": "<hr style=\"border-top: 1.25px dotted red;background-color:#fff;\">"
},
"conditionalVisibility": {
"parameterName": "account_name",
"comparison": "isNotEqualTo"
},
"name": "Drill Down Line"
}
]
},
"conditionalVisibilities": [
{
"parameterName": "workbook",
"comparison": "isEqualTo",
"value": "Accounts"
},
{
"parameterName": "workbook-group",
"comparison": "isEqualTo",
"value": "detect"
}
],
"conditionalVisibility": {
"parameterName": "workbook",
"comparison": "isEqualTo",
"value": "Accounts"
},
"name": "Cognito Detect - Accounts"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "4464cdd2-3612-4e5c-ba5e-791de3647382",
"version": "KqlParameterItem/1.0",
"name": "Time_Range",
"label": "Timerange",
"type": 4,
"isRequired": true,
"value": {
"durationMs": 86400000
},
"typeSettings": {
"selectableValues": [
{
"durationMs": 300000
},
{
"durationMs": 900000
},
{
"durationMs": 1800000
},
{
"durationMs": 3600000
},
{
"durationMs": 14400000
},
{
"durationMs": 43200000
},
{
"durationMs": 86400000
},
{
"durationMs": 172800000
},
{
"durationMs": 259200000
},
{
"durationMs": 604800000
},
{
"durationMs": 1209600000
},
{
"durationMs": 2419200000
},
{
"durationMs": 2592000000
},
{
"durationMs": 5184000000
},
{
"durationMs": 7776000000
}
],
"allowCustom": true
},
"resourceType": "microsoft.insights/components"
},
{
"id": "06436e5d-7593-4db7-9b38-cd148e7ef014",
"version": "KqlParameterItem/1.0",
"name": "category_token",
"label": "Detection Categories",
"type": 2,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Vectra Networks\"\r\n| where DeviceEventClassID !in~ (\"health\", \"audit\", \"campaigns\", \"hsc\", \"asc\") and isnotnull(ExternalID)\r\n| parse-where AdditionalExtensions with * \"cat=\" Category \";\"*\r\n| distinct Category\r\n",
"value": [
"value::all"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
],
"selectAllValue": ""
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "Time_Range",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
{
"id": "dd678237-f94c-4041-acca-99d5213042db",
"version": "KqlParameterItem/1.0",
"name": "type_token",
"label": "Type",
"type": 2,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Vectra Networks\"\r\n| where DeviceEventClassID !in~ (\"health\", \"audit\", \"campaigns\", \"hsc\", \"asc\") and isnotnull(ExternalID)\r\n| parse-where AdditionalExtensions with * \"cat=\" Category \";\"*\r\n| where Category in ({category_token})\r\n| distinct DeviceEventClassID\r\n",
"value": [
"value::all"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
],
"selectAllValue": ""
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "Time_Range",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "Detections - Parameters"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Vectra Networks\"\r\n and DeviceEventClassID !in (\"health\", \"audit\", \"campaigns\", \"hsc\", \"asc\")\r\n and isnotnull(ExternalID)\r\n| parse-where AdditionalExtensions with * \"cat=\" Category \";\"*\r\n| where Category in ({category_token}) \r\n and DeviceEventClassID in ({type_token})\r\n| summarize count() by Category, TimeGenerated",
"size": 0,
"showAnnotations": true,
"showAnalytics": true,
"title": "Detection Categories Over Time",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "Time_Range",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "areachart",
"chartSettings": {
"xAxis": "TimeGenerated",
"ySettings": {
"unit": 17,
"min": null,
"max": null
}
}
},
"name": "Detections - Detection Categories over Time"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Vectra Networks\"\r\n and DeviceEventClassID !in (\"health\", \"audit\", \"campaigns\", \"hsc\", \"asc\")\r\n and isnotnull(ExternalID)\r\n| parse-where AdditionalExtensions with * \"cat=\" Category \";\"*\r\n| where Category in ({category_token}) \r\n and DeviceEventClassID in ({type_token})\r\n| extend src = coalesce(SourceHostName, SourceIP), dst = coalesce(DestinationHostName, DestinationIP)\r\n| sort by TimeGenerated desc, FlexNumber1 desc, FlexNumber2 desc\r\n| project row_number(), TimeGenerated, ExternalID, DeviceCustomString5, Category, DeviceEventClassID, src, SourceIP, dst, DestinationIP, FlexNumber1, FlexNumber2, DeviceCustomString4\r\n| project-rename Sr_No = Column1,Detection_Time = TimeGenerated, External_ID = ExternalID, Triaged = DeviceCustomString5, Type = DeviceEventClassID , Source = src , Source_IP = SourceIP ,Destination = dst , Destination_IP = DestinationIP , Threat = FlexNumber1 , Certainty = FlexNumber2, Detection_Details = DeviceCustomString4",
"size": 0,
"aggregation": 3,
"showAnalytics": true,
"title": "Detection Details",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "Time_Range",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "Triaged",
"formatter": 18,
"formatOptions": {
"showIcon": true,
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "True",
"representation": "success",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "False",
"representation": "failed",
"text": "{0}{1}"
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "Blank",
"text": "{0}{1}"
}
]
}
},
{
"columnMatch": "Category",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Type",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Source",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Source_IP",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Destination",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Destination_IP",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Threat",
"formatter": 3,
"formatOptions": {
"min": 0,
"max": 100,
"palette": "redBright",
"showIcon": true
}
},
{
"columnMatch": "Certainty",
"formatter": 3,
"formatOptions": {
"min": 0,
"max": 100,
"palette": "blue",
"showIcon": true
}
},
{
"columnMatch": "Detection_Details",
"formatter": 7,
"formatOptions": {
"linkTarget": "Url",
"showIcon": true
}
},
{
"columnMatch": "Latest_Detection",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
}
],
"rowLimit": 10000,
"filter": true
},
"tileSettings": {
"showBorder": false,
"titleContent": {
"columnMatch": "Triaged",
"formatter": 1
},
"leftContent": {
"columnMatch": "Threat",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
}
},
"name": "Detections - Detection Details"
}
]
},
"conditionalVisibilities": [
{
"parameterName": "workbook-group",
"comparison": "isEqualTo",
"value": "detect"
},
{
"parameterName": "workbook",
"comparison": "isEqualTo",
"value": "Detections"
}
],
"conditionalVisibility": {
"parameterName": "workbook-group",
"comparison": "isEqualTo",
"value": "detect"
},
"name": "Cognito Detect - Detections"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "02b1f3a8-4aa8-4a98-9725-0d960b4fecbf",
"version": "KqlParameterItem/1.0",
"name": "timerange",
"label": "Timerange",
"type": 4,
"isRequired": true,
"value": {
"durationMs": 86400000
},
"typeSettings": {
"selectableValues": [
{
"durationMs": 300000
},
{
"durationMs": 900000
},
{
"durationMs": 1800000
},
{
"durationMs": 3600000
},
{
"durationMs": 14400000
},
{
"durationMs": 43200000
},
{
"durationMs": 86400000
},
{
"durationMs": 172800000
},
{
"durationMs": 259200000
},
{
"durationMs": 604800000
},
{
"durationMs": 1209600000
},
{
"durationMs": 2419200000
},
{
"durationMs": 2592000000
},
{
"durationMs": 5184000000
},
{
"durationMs": 7776000000
}
],
"allowCustom": true
},
"resourceType": "microsoft.insights/components"
},
{
"id": "799a853f-1f98-477e-b3bf-66cba445dcf5",
"version": "KqlParameterItem/1.0",
"name": "campaign_token",
"label": "Campaign ID",
"type": 2,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Vectra Networks\" and DeviceEventClassID == \"campaigns\"\r\n| distinct Activity",
"value": [
"value::all"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
]
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "timerange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
{
"id": "3dc8536b-3619-4418-862b-023d05ae58bd",
"version": "KqlParameterItem/1.0",
"name": "type_token",
"label": "Type",
"type": 2,
"isRequired": true,
"query": "datatable (reason:string) [\"All\"]\r\n| union\r\n(\r\nCommonSecurityLog\r\n| where DeviceVendor == \"Vectra Networks\" and DeviceEventClassID == \"campaigns\"\r\n| parse AdditionalExtensions with * \"reason=\"reason\r\n| where Activity in ({campaign_token})\r\n| distinct reason\r\n)",
"value": "All",
"typeSettings": {
"additionalResourceOptions": []
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "timerange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "Campaigns - Parameters"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Vectra Networks\" and DeviceEventClassID == \"campaigns\"\r\n| parse AdditionalExtensions with * \"reason=\"reason\r\n| where Activity in ({campaign_token})\r\n| where case(\"{type_token}\" == \"All\", reason != \"All\", reason == \"{type_token}\")\r\n| extend src = coalesce(SourceHostName, SourceIP) , dest = coalesce(DestinationHostName, DestinationIP)\r\n| summarize Count = count() by Activity\r\n| top 10 by Count desc\r\n\r\n",
"size": 0,
"showAnalytics": true,
"title": "Top 10 Campaigns",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "timerange",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "barchart",
"chartSettings": {
"xAxis": "Activity",
"ySettings": {
"unit": 17,
"min": null,
"max": null
}
}
},
"name": "Campaigns - Top 10 Campaigns",
"styleSettings": {
"progressStyle": "squares"
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Vectra Networks\" and DeviceEventClassID == \"campaigns\"\r\n| parse AdditionalExtensions with * \"reason=\"reason\r\n| where Activity in ({campaign_token})\r\n| where case(\"{type_token}\" == \"All\", reason != \"All\", reason == \"{type_token}\")\r\n| extend src = coalesce(SourceHostName, SourceIP) , dest = coalesce(DestinationHostName, DestinationIP)\r\n| sort by TimeGenerated desc\r\n| project row_number(), TimeGenerated , Activity , DeviceCustomString4 , DeviceAction , src , SourceIP , dest , DestinationIP , reason, DeviceCustomString6\r\n| project-rename Sr_No = Column1, Time_Generated = TimeGenerated, Campaign_ID = Activity, Campaign_URL = DeviceCustomString4, Action = DeviceAction, Hostname = src, Source_IP = SourceIP, Destination = dest, Destination_IP = DestinationIP, Type = reason, Detection_ID = DeviceCustomString6\r\n\r\n\r\n",
"size": 0,
"showAnalytics": true,
"title": "Campaign Details",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "timerange",
"exportFieldName": "Hostname",
"exportParameterName": "search_detections",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "Time_Generated",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Campaign_ID",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Campaign_URL",
"formatter": 7,
"formatOptions": {
"linkTarget": "Url",
"showIcon": true
}
},
{
"columnMatch": "Action",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Hostname",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Source_IP",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Destination",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Destination_IP",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Type",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Detection_ID",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
}
],
"rowLimit": 10000,
"filter": true
}
},
"name": "Campaigns - Campaign Details",
"styleSettings": {
"progressStyle": "squares"
}
},
{
"type": 1,
"content": {
"json": "💡 _Select a row in the grid above to drill down. The sections below show detection categories over time and the detections in which the selected host name appears in any field of the event (as source or destination), so check the Source and Destination columns to see the host's role._"
},
"name": "Drill Down Info"
},
{
"type": 1,
"content": {
"json": "<hr style=\"border-top: 1.25px dotted red;background-color:#fff;\">"
},
"conditionalVisibility": {
"parameterName": "search_detections",
"comparison": "isNotEqualTo"
},
"name": "Drill Down Line"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Vectra Networks\"\r\n and DeviceEventClassID !in (\"health\", \"audit\", \"campaigns\", \"hsc\", \"asc\")\r\n| parse-where AdditionalExtensions with * \"cat=\" Category \";\"*\r\n| search kind=case_sensitive \"{search_detections}\"\r\n| summarize count() by Category, TimeGenerated",
"size": 0,
"title": "Detection Categories Over Time for Host: {search_detections}",
"noDataMessage": "No detections found for the selected host within the selected time range.",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "timerange",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "areachart",
"chartSettings": {
"xAxis": "TimeGenerated"
}
},
"conditionalVisibility": {
"parameterName": "search_detections",
"comparison": "isNotEqualTo"
},
"name": "Campaigns - Detection Categories over Time for selected Host"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Vectra Networks\"\r\n and DeviceEventClassID !in (\"health\", \"audit\", \"campaigns\", \"hsc\", \"asc\")\r\n and isnotnull(ExternalID)\r\n| parse-where AdditionalExtensions with * \"cat=\" Category \";\"*\r\n| search kind=case_sensitive \"{search_detections}\"\r\n| extend src = coalesce(SourceHostName, SourceIP), dst = coalesce(DestinationHostName, DestinationIP)\r\n| sort by TimeGenerated desc, FlexNumber1 desc, FlexNumber2 desc\r\n| project row_number(), TimeGenerated, DeviceCustomString5, Category, DeviceEventClassID, src, SourceIP, dst, DestinationIP, FlexNumber1, FlexNumber2, DeviceCustomString4\r\n| project-rename Sr_No = Column1,Detection_Time = TimeGenerated, Triaged = DeviceCustomString5, Type = DeviceEventClassID , Source = src , Source_IP = SourceIP ,Destination = dst , Destination_IP = DestinationIP , Threat = FlexNumber1 , Certainty = FlexNumber2, Detection_Details = DeviceCustomString4",
"size": 0,
"title": "Detection Details For Host: {search_detections}",
"noDataMessage": "No detections found for the selected host within the selected time range.",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "timerange",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "Detection_Time",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Triaged",
"formatter": 18,
"formatOptions": {
"showIcon": true,
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "True",
"representation": "success",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "False",
"representation": "failed",
"text": "{0}{1}"
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "Blank",
"text": "{0}{1}"
}
]
}
},
{
"columnMatch": "Category",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Type",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Source",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Source_IP",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Destination",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Destination_IP",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Threat",
"formatter": 3,
"formatOptions": {
"min": 0,
"max": 100,
"palette": "redBright",
"showIcon": true
}
},
{
"columnMatch": "Certainty",
"formatter": 3,
"formatOptions": {
"min": 0,
"max": 100,
"palette": "blue",
"showIcon": true
}
},
{
"columnMatch": "Detection_Details",
"formatter": 7,
"formatOptions": {
"linkTarget": "Url",
"showIcon": true
}
}
],
"rowLimit": 10000
}
},
"conditionalVisibility": {
"parameterName": "search_detections",
"comparison": "isNotEqualTo"
},
"name": "Campaigns - Detection details for selected Host",
"styleSettings": {
"progressStyle": "squares"
}
},
{
"type": 1,
"content": {
"json": "<hr style=\"border-top: 1.25px dotted red;background-color:#fff;\">"
},
"conditionalVisibility": {
"parameterName": "search_detections",
"comparison": "isNotEqualTo"
},
"name": "Drill Down Line"
}
]
},
"conditionalVisibilities": [
{
"parameterName": "workbook-group",
"comparison": "isEqualTo",
"value": "detect"
},
{
"parameterName": "workbook",
"comparison": "isEqualTo",
"value": "Campaigns"
}
],
"conditionalVisibility": {
"parameterName": "workbook-group",
"comparison": "isEqualTo",
"value": "detect"
},
"name": "Cognito Detect - Campaigns"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "01f96cf3-5a76-4528-a6e4-0dd997b074f0",
"version": "KqlParameterItem/1.0",
"name": "Timerange",
"type": 4,
"isRequired": true,
"value": {
"durationMs": 86400000
},
"typeSettings": {
"selectableValues": [
{
"durationMs": 300000
},
{
"durationMs": 900000
},
{
"durationMs": 1800000
},
{
"durationMs": 3600000
},
{
"durationMs": 14400000
},
{
"durationMs": 43200000
},
{
"durationMs": 86400000
},
{
"durationMs": 172800000
},
{
"durationMs": 259200000
},
{
"durationMs": 604800000
},
{
"durationMs": 1209600000
},
{
"durationMs": 2419200000
},
{
"durationMs": 2592000000
},
{
"durationMs": 5184000000
},
{
"durationMs": 7776000000
}
],
"allowCustom": true
},
"resourceType": "microsoft.insights/components"
},
{
"id": "b015e943-3b18-4fc2-b048-408104856b8a",
"version": "KqlParameterItem/1.0",
"name": "result_token",
"label": "Result",
"type": 2,
"isRequired": true,
"query": "datatable (Result:string) [\"All\"]\r\n| union\r\n(\r\nCommonSecurityLog\r\n| where DeviceVendor == \"Vectra Networks\"\r\n| where DeviceEventClassID == \"health\"\r\n| parse-where AdditionalExtensions with * \"outcome=\"Result\r\n| summarize by Result\r\n) \r\n",
"value": "All",
"typeSettings": {
"additionalResourceOptions": []
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "Timerange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "Health - Parameters"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Vectra Networks\"\r\n| where DeviceEventClassID == \"health\"\r\n| parse AdditionalExtensions with * \"outcome=\"outcome\r\n| where case(\"{result_token:value}\" == \"All\", outcome != \"All\", outcome==\"{result_token:value}\")\r\n| sort by TimeGenerated desc\r\n| project row_number(), TimeGenerated ,outcome,Message\r\n| project-rename Sr_No = Column1,Time_Generated = TimeGenerated, Activity = Message,Result = outcome\r\n\r\n",
"size": 0,
"showAnalytics": true,
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "Timerange",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "Sr_No",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Time_Generated",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Result",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Activity",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "TimeGenerated",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "activity",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
}
],
"rowLimit": 10000,
"filter": true,
"labelSettings": [
{
"columnId": "Sr_No"
},
{
"columnId": "Time_Generated"
},
{
"columnId": "Result"
},
{
"columnId": "Activity"
}
]
}
},
"customWidth": "100",
"name": "Health - Details"
}
]
},
"conditionalVisibility": {
"parameterName": "workbook-group",
"comparison": "isEqualTo",
"value": "health"
},
"name": "Cognito Health"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "b0cf3947-fa7b-438f-a994-40fc131f7350",
"version": "KqlParameterItem/1.0",
"name": "Timerange",
"type": 4,
"isRequired": true,
"value": {
"durationMs": 86400000
},
"typeSettings": {
"selectableValues": [
{
"durationMs": 300000
},
{
"durationMs": 900000
},
{
"durationMs": 1800000
},
{
"durationMs": 3600000
},
{
"durationMs": 14400000
},
{
"durationMs": 43200000
},
{
"durationMs": 86400000
},
{
"durationMs": 172800000
},
{
"durationMs": 259200000
},
{
"durationMs": 604800000
},
{
"durationMs": 1209600000
},
{
"durationMs": 2419200000
},
{
"durationMs": 2592000000
},
{
"durationMs": 5184000000
},
{
"durationMs": 7776000000
}
],
"allowCustom": true
},
"resourceType": "microsoft.insights/components"
},
{
"id": "d1edf9eb-ef80-4bc2-84c6-d7a34487aafb",
"version": "KqlParameterItem/1.0",
"name": "user_token",
"label": "User",
"type": 2,
"isRequired": true,
"query": "datatable (SourceUserName:string) [\"All\"]\r\n| union\r\n(\r\nCommonSecurityLog\r\n| where DeviceVendor == \"Vectra Networks\" and DeviceEventClassID == \"audit\"\r\n| extend SourceUserName = coalesce(SourceUserName, \"Unknown\")\r\n| distinct SourceUserName\r\n)",
"value": "All",
"typeSettings": {
"additionalResourceOptions": []
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "Timerange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
{
"id": "7ffa2e20-6a43-4afb-b38f-7db9816057ad",
"version": "KqlParameterItem/1.0",
"name": "result_token",
"label": "Result",
"type": 2,
"isRequired": true,
"query": "datatable (Result:string) [\"All\"]\r\n| union\r\n(\r\nCommonSecurityLog\r\n| where DeviceVendor == \"Vectra Networks\" and DeviceEventClassID == \"audit\"\r\n| parse-where AdditionalExtensions with * \"outcome=\"Result\r\n| where case(\"{user_token}\" == \"All\", SourceUserName != \"All\", \"{user_token}\" == \"Unknown\", SourceUserName == \"\", SourceUserName == \"{user_token}\")\r\n| distinct Result\r\n)",
"value": "All",
"typeSettings": {
"additionalResourceOptions": []
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "Timerange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "Audit - Parameters"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceEventClassID == \"audit\" and DeviceVendor == \"Vectra Networks\"\r\n| parse-where AdditionalExtensions with * \"outcome=\"outcome\r\n| where case(\"{user_token}\" == \"All\", SourceUserName != \"All\", \"{user_token}\" == \"Unknown\", SourceUserName == \"\", SourceUserName == \"{user_token}\") \r\n and case(\"{result_token}\" == \"All\", outcome != \"All\", outcome == \"{result_token}\")\r\n| sort by TimeGenerated desc\r\n| project row_number(), TimeGenerated,SourceUserName,SourceUserPrivileges,Message,outcome\r\n| project-rename Sr_No= Column1,Time_Generated = TimeGenerated, User=SourceUserName, Role=SourceUserPrivileges, Activity=Message, Result=outcome\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n",
"size": 0,
"showAnalytics": true,
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "Timerange",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"rowLimit": 10000,
"filter": true
}
},
"name": "Audit - Details"
}
]
},
"conditionalVisibility": {
"parameterName": "workbook-group",
"comparison": "isEqualTo",
"value": "audit"
},
"name": "Cognito Audit"
},
{
"type": 1,
"content": {
"json": "📝 ***Refresh the web page to include recently ingested events in the results above.***"
},
"name": "Info Message"
}
],
"fromTemplateId": "sentinel-AIVectraDetect",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}