{
|
|
"name": "AzureNetworkWatcher_{Workspace_Name}",
|
|
"type": "Microsoft.Portal/dashboards",
|
|
"location": "{Dashboard_Location}",
|
|
"tags": {
|
|
"dashboardKey": "AzureNetworkWatcherDashboard",
|
|
"hidden-title": "AzureNetworkWatcher - {Workspace_Name}",
|
|
"version": "1.2",
|
|
"workspaceName": "{Workspace_Name}"
|
|
},
|
|
"properties": {
|
|
"lenses": {
|
|
"0": {
|
|
"order": 0,
|
|
"parts": {
|
|
"0": {
|
|
"position": {
|
|
"x": 1,
|
|
"y": 0,
|
|
"colSpan": 24,
|
|
"rowSpan": 1
|
|
},
|
|
"metadata": {
|
|
"inputs": [],
|
|
"type": "Extension/HubsExtension/PartType/MarkdownPart",
|
|
"settings": {
|
|
"content": {
|
|
"settings": {
|
|
"content": "<div style='font-size:300%;'>Network Watcher flow logs</div>",
|
|
"title": "",
|
|
"subtitle": ""
|
|
}
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"1": {
|
|
"position": {
|
|
"x": 0,
|
|
"y": 1,
|
|
"colSpan": 15,
|
|
"rowSpan": 3
|
|
},
|
|
"metadata": {
|
|
"inputs": [
|
|
{
|
|
"name": "ComponentId",
|
|
"value": {
|
|
"SubscriptionId": "{Subscription_Id}",
|
|
"ResourceGroup": "{Resource_Group}",
|
|
"Name": "{Workspace_Name}",
|
|
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalinsights/workspaces/{Workspace_Name}"
|
|
}
|
|
},
|
|
{
|
|
"name": "Query",
|
|
"value": "AzureNetworkAnalytics_CL | where SubType_s == \"FlowLog\" | summarize TotalFlows = count() by TimeGenerated\n"
|
|
},
|
|
{
|
|
"name": "TimeRange",
|
|
"value": "P1D"
|
|
},
|
|
{
|
|
"name": "Dimensions",
|
|
"value": {
|
|
"xAxis": {
|
|
"name": "TimeGenerated",
|
|
"type": "DateTime"
|
|
},
|
|
"yAxis": [
|
|
{
|
|
"name": "TotalFlows",
|
|
"type": "Int64"
|
|
}
|
|
],
|
|
"splitBy": [],
|
|
"aggregation": "Sum"
|
|
}
|
|
},
|
|
{
|
|
"name": "Version",
|
|
"value": "1.0"
|
|
},
|
|
{
|
|
"name": "DashboardId",
|
|
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureNetworkWatcher_{Workspace_Name}"
|
|
},
|
|
{
|
|
"name": "PartId",
|
|
"value": "b82b73da-5cc2-4794-bfaa-5c72d586c4a2"
|
|
},
|
|
{
|
|
"name": "PartTitle",
|
|
"value": "Analytics"
|
|
},
|
|
{
|
|
"name": "PartSubTitle",
|
|
"value": " "
|
|
},
|
|
{
|
|
"name": "resourceTypeMode",
|
|
"value": "workspace"
|
|
},
|
|
{
|
|
"name": "ControlType",
|
|
"value": "AnalyticsChart"
|
|
},
|
|
{
|
|
"name": "SpecificChart",
|
|
"value": "Line"
|
|
}
|
|
],
|
|
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
|
|
"settings": {
|
|
"content": {
|
|
"PartTitle": "Flow log records over time (record count, not FlowCount)",
|
|
"PartSubTitle": " "
|
|
}
|
|
},
|
|
"asset": {
|
|
"idInputName": "ComponentId",
|
|
"type": "ApplicationInsights"
|
|
}
|
|
}
|
|
},
|
|
"2": {
|
|
"position": {
|
|
"x": 15,
|
|
"y": 1,
|
|
"colSpan": 5,
|
|
"rowSpan": 3
|
|
},
|
|
"metadata": {
|
|
"inputs": [
|
|
{
|
|
"name": "ComponentId",
|
|
"value": {
|
|
"SubscriptionId": "{Subscription_Id}",
|
|
"ResourceGroup": "{Resource_Group}",
|
|
"Name": "{Workspace_Name}",
|
|
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalinsights/workspaces/{Workspace_Name}"
|
|
}
|
|
},
|
|
{
|
|
"name": "Query",
|
|
"value": "AzureNetworkAnalytics_CL | where SubType_s == \"FlowLog\" | summarize count() by FlowType_s\r\n"
|
|
},
|
|
{
|
|
"name": "TimeRange",
|
|
"value": "P1D"
|
|
},
|
|
{
|
|
"name": "Dimensions",
|
|
"value": {
|
|
"xAxis": {
|
|
"name": "FlowType_s",
|
|
"type": "String"
|
|
},
|
|
"yAxis": [
|
|
{
|
|
"name": "count_",
|
|
"type": "Int64"
|
|
}
|
|
],
|
|
"splitBy": [],
|
|
"aggregation": "Sum"
|
|
}
|
|
},
|
|
{
|
|
"name": "Version",
|
|
"value": "1.0"
|
|
},
|
|
{
|
|
"name": "DashboardId",
|
|
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureNetworkWatcher_{Workspace_Name}"
|
|
},
|
|
{
|
|
"name": "PartId",
|
|
"value": "ff009911-07c7-423f-a21c-9f026ae4dedf"
|
|
},
|
|
{
|
|
"name": "PartTitle",
|
|
"value": "Analytics"
|
|
},
|
|
{
|
|
"name": "PartSubTitle",
|
|
"value": " "
|
|
},
|
|
{
|
|
"name": "resourceTypeMode",
|
|
"value": "workspace"
|
|
},
|
|
{
|
|
"name": "ControlType",
|
|
"value": "AnalyticsDonut"
|
|
},
|
|
{
|
|
"name": "SpecificChart",
|
|
"isOptional": true
|
|
}
|
|
],
|
|
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
|
|
"settings": {
|
|
"content": {
|
|
"PartTitle": "Flow log records by flow type",
|
|
"PartSubTitle": " "
|
|
}
|
|
},
|
|
"asset": {
|
|
"idInputName": "ComponentId",
|
|
"type": "ApplicationInsights"
|
|
}
|
|
}
|
|
},
|
|
"3": {
|
|
"position": {
|
|
"x": 20,
|
|
"y": 1,
|
|
"colSpan": 5,
|
|
"rowSpan": 3
|
|
},
|
|
"metadata": {
|
|
"inputs": [
|
|
{
|
|
"name": "ComponentId",
|
|
"value": {
|
|
"SubscriptionId": "{Subscription_Id}",
|
|
"ResourceGroup": "{Resource_Group}",
|
|
"Name": "{Workspace_Name}",
|
|
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalinsights/workspaces/{Workspace_Name}"
|
|
}
|
|
},
|
|
{
|
|
"name": "Query",
|
|
"value": "AzureNetworkAnalytics_CL\n| where SubType_s == \"FlowLog\"\n| summarize count() by FlowDirection = iff(FlowDirection_s == 'I', 'Inbound', 'Outbound')\n"
|
|
},
|
|
{
|
|
"name": "TimeRange",
|
|
"value": "P1D"
|
|
},
|
|
{
|
|
"name": "Dimensions",
|
|
"value": {
|
|
"xAxis": {
|
|
"name": "FlowDirection",
|
|
"type": "String"
|
|
},
|
|
"yAxis": [
|
|
{
|
|
"name": "count_",
|
|
"type": "Int64"
|
|
}
|
|
],
|
|
"splitBy": [],
|
|
"aggregation": "Sum"
|
|
}
|
|
},
|
|
{
|
|
"name": "Version",
|
|
"value": "1.0"
|
|
},
|
|
{
|
|
"name": "DashboardId",
|
|
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureNetworkWatcher_{Workspace_Name}"
|
|
},
|
|
{
|
|
"name": "PartId",
|
|
"value": "18e2550a-fe26-4fa1-902a-ed9d37d84cb8"
|
|
},
|
|
{
|
|
"name": "PartTitle",
|
|
"value": "Analytics"
|
|
},
|
|
{
|
|
"name": "PartSubTitle",
|
|
"value": " "
|
|
},
|
|
{
|
|
"name": "resourceTypeMode",
|
|
"value": "workspace"
|
|
},
|
|
{
|
|
"name": "ControlType",
|
|
"value": "AnalyticsDonut"
|
|
},
|
|
{
|
|
"name": "SpecificChart",
|
|
"isOptional": true
|
|
}
|
|
],
|
|
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
|
|
"settings": {
|
|
"content": {
|
|
"PartTitle": "Flow log records by direction",
|
|
"PartSubTitle": " "
|
|
}
|
|
},
|
|
"asset": {
|
|
"idInputName": "ComponentId",
|
|
"type": "ApplicationInsights"
|
|
}
|
|
}
|
|
},
|
|
"4": {
|
|
"position": {
|
|
"x": 0,
|
|
"y": 4,
|
|
"colSpan": 25,
|
|
"rowSpan": 1
|
|
},
|
|
"metadata": {
|
|
"inputs": [],
|
|
"type": "Extension/HubsExtension/PartType/MarkdownPart",
|
|
"settings": {
|
|
"content": {
|
|
"settings": {
|
|
"content": "<div style='font-size:300%;'>Malicious actors</div>",
|
|
"title": "",
|
|
"subtitle": ""
|
|
}
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"5": {
|
|
"position": {
|
|
"x": 0,
|
|
"y": 5,
|
|
"colSpan": 11,
|
|
"rowSpan": 4
|
|
},
|
|
"metadata": {
|
|
"inputs": [
|
|
{
|
|
"name": "ComponentId",
|
|
"value": {
|
|
"SubscriptionId": "{Subscription_Id}",
|
|
"ResourceGroup": "{Resource_Group}",
|
|
"Name": "{Workspace_Name}",
|
|
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalinsights/workspaces/{Workspace_Name}"
|
|
}
|
|
},
|
|
{
|
|
"name": "Query",
|
|
"value": "AzureNetworkAnalytics_CL\n| where SubType_s == 'FlowLog' and FASchemaVersion_s == '1' and FlowType_s == 'MaliciousFlow'\n| extend Subnet1 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), Subnet1_s, iif(FlowDirection_s == 'O', Subnet_s, '' )), Subnet2 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), Subnet2_s, iif(FlowDirection_s == 'I', Subnet_s, '' ))\n| extend VM1 = iif(FlowType_s in ('InterVNet','IntraVNet'), VM1_s, iif(FlowDirection_s == 'O', VM_s, '' )), VM2 = iif(FlowType_s in ('InterVNet','IntraVNet'), VM2_s, iif(FlowDirection_s == 'I', VM_s, '' ))\n| extend Subscription1 = iif(FlowType_s == 'InterVNet',Subscription1_g, iif(FlowType_s == 'IntraVNet' or FlowDirection_s == 'O', Subscription_g, '')), Subscription2 = iif(FlowType_s == 'InterVNet', Subscription2_g, iif(FlowType_s == 'IntraVNet' or FlowDirection_s == 'I', Subscription_g, ''))\n| extend NIC1 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), NIC1_s, iif(FlowDirection_s == 'O', NIC_s, '')), NIC2 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), NIC2_s, iif(FlowDirection_s == 'I', NIC_s, ''))\n| extend SrcIP = iif(isnotempty(SrcIP_s), SrcIP_s, iif(FlowDirection_s == 'O', VMIP_s, '')), DestIP = iif(isnotempty(DestIP_s), DestIP_s, iif(FlowDirection_s == 'I', VMIP_s, ''))\n| extend CountryOrRegion = iif(FlowType_s == 'AzurePublic', AzureRegion_s, Country_s)\n| extend FlowDirection_s = iif(FlowType_s in ('InterVNet','IntraVNet'), '', FlowDirection_s)\n| where FlowDirection_s == \"I\"\n| summarize FlowCount = sum(FlowCount_d) by IP = strcat(SrcIP, ' (', CountryOrRegion, ')') | sort by FlowCount desc \n"
|
|
},
|
|
{
|
|
"name": "TimeRange",
|
|
"value": "P1D"
|
|
},
|
|
{
|
|
"name": "Dimensions",
|
|
"value": {
|
|
"xAxis": {
|
|
"name": "IP",
|
|
"type": "String"
|
|
},
|
|
"yAxis": [
|
|
{
|
|
"name": "FlowCount",
|
|
"type": "Double"
|
|
}
|
|
],
|
|
"splitBy": [],
|
|
"aggregation": "Sum"
|
|
}
|
|
},
|
|
{
|
|
"name": "Version",
|
|
"value": "1.0"
|
|
},
|
|
{
|
|
"name": "DashboardId",
|
|
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureNetworkWatcher_{Workspace_Name}"
|
|
},
|
|
{
|
|
"name": "PartId",
|
|
"value": "5ddfa31a-b8a9-46d7-b95b-f763f7a88384"
|
|
},
|
|
{
|
|
"name": "PartTitle",
|
|
"value": "Analytics"
|
|
},
|
|
{
|
|
"name": "PartSubTitle",
|
|
"value": " "
|
|
},
|
|
{
|
|
"name": "resourceTypeMode",
|
|
"value": "workspace"
|
|
},
|
|
{
|
|
"name": "ControlType",
|
|
"value": "AnalyticsChart"
|
|
},
|
|
{
|
|
"name": "SpecificChart",
|
|
"value": "Bar"
|
|
}
|
|
],
|
|
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
|
|
"settings": {
|
|
"content": {
|
|
"PartTitle": "Inbound flows from malicious source IPs (by IP and country)",
|
|
"PartSubTitle": " "
|
|
}
|
|
},
|
|
"asset": {
|
|
"idInputName": "ComponentId",
|
|
"type": "ApplicationInsights"
|
|
}
|
|
}
|
|
},
|
|
"6": {
|
|
"position": {
|
|
"x": 11,
|
|
"y": 5,
|
|
"colSpan": 6,
|
|
"rowSpan": 4
|
|
},
|
|
"metadata": {
|
|
"inputs": [
|
|
{
|
|
"name": "ComponentId",
|
|
"value": {
|
|
"SubscriptionId": "{Subscription_Id}",
|
|
"ResourceGroup": "{Resource_Group}",
|
|
"Name": "{Workspace_Name}",
|
|
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalinsights/workspaces/{Workspace_Name}"
|
|
}
|
|
},
|
|
{
|
|
"name": "Query",
|
|
"value": "AzureNetworkAnalytics_CL\n| where SubType_s == 'FlowLog' and FASchemaVersion_s == '1' and FlowType_s == 'MaliciousFlow'\n| extend Subnet1 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), Subnet1_s, iif(FlowDirection_s == 'O', Subnet_s, '' )), Subnet2 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), Subnet2_s, iif(FlowDirection_s == 'I', Subnet_s, '' ))\n| extend VM1 = iif(FlowType_s in ('InterVNet','IntraVNet'), VM1_s, iif(FlowDirection_s == 'O', VM_s, '' )), VM2 = iif(FlowType_s in ('InterVNet','IntraVNet'), VM2_s, iif(FlowDirection_s == 'I', VM_s, '' ))\n| extend Subscription1 = iif(FlowType_s == 'InterVNet',Subscription1_g, iif(FlowType_s == 'IntraVNet' or FlowDirection_s == 'O', Subscription_g, '')), Subscription2 = iif(FlowType_s == 'InterVNet', Subscription2_g, iif(FlowType_s == 'IntraVNet' or FlowDirection_s == 'I', Subscription_g, ''))\n| extend NIC1 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), NIC1_s, iif(FlowDirection_s == 'O', NIC_s, '')), NIC2 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), NIC2_s, iif(FlowDirection_s == 'I', NIC_s, ''))\n| extend SrcIP = iif(isnotempty(SrcIP_s), SrcIP_s, iif(FlowDirection_s == 'O', VMIP_s, '')), DestIP = iif(isnotempty(DestIP_s), DestIP_s, iif(FlowDirection_s == 'I', VMIP_s, ''))\n| extend CountryOrRegion = iif(FlowType_s == 'AzurePublic', AzureRegion_s, Country_s)\n| extend FlowDirection_s = iif(FlowType_s in ('InterVNet','IntraVNet'), '', FlowDirection_s)\n| where FlowDirection_s == \"I\"\n| summarize FlowCount = sum(FlowCount_d) by Country = CountryOrRegion | sort by FlowCount desc \n"
|
|
},
|
|
{
|
|
"name": "TimeRange",
|
|
"value": "P1D"
|
|
},
|
|
{
|
|
"name": "Dimensions",
|
|
"value": {
|
|
"xAxis": {
|
|
"name": "Country",
|
|
"type": "String"
|
|
},
|
|
"yAxis": [
|
|
{
|
|
"name": "FlowCount",
|
|
"type": "Double"
|
|
}
|
|
],
|
|
"splitBy": [],
|
|
"aggregation": "Sum"
|
|
}
|
|
},
|
|
{
|
|
"name": "Version",
|
|
"value": "1.0"
|
|
},
|
|
{
|
|
"name": "DashboardId",
|
|
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureNetworkWatcher_{Workspace_Name}"
|
|
},
|
|
{
|
|
"name": "PartId",
|
|
"value": "b48fdde3-d479-4c07-8f81-705ee10db294"
|
|
},
|
|
{
|
|
"name": "PartTitle",
|
|
"value": "Analytics"
|
|
},
|
|
{
|
|
"name": "PartSubTitle",
|
|
"value": " "
|
|
},
|
|
{
|
|
"name": "resourceTypeMode",
|
|
"value": "workspace"
|
|
},
|
|
{
|
|
"name": "ControlType",
|
|
"value": "AnalyticsDonut"
|
|
},
|
|
{
|
|
"name": "SpecificChart",
|
|
"isOptional": true
|
|
}
|
|
],
|
|
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
|
|
"settings": {
|
|
"content": {
|
|
"PartTitle": "Inbound malicious flows by country of origin",
|
|
"PartSubTitle": " "
|
|
}
|
|
},
|
|
"asset": {
|
|
"idInputName": "ComponentId",
|
|
"type": "ApplicationInsights"
|
|
}
|
|
}
|
|
},
|
|
"7": {
|
|
"position": {
|
|
"x": 17,
|
|
"y": 5,
|
|
"colSpan": 8,
|
|
"rowSpan": 4
|
|
},
|
|
"metadata": {
|
|
"inputs": [
|
|
{
|
|
"name": "ComponentId",
|
|
"value": {
|
|
"SubscriptionId": "{Subscription_Id}",
|
|
"ResourceGroup": "{Resource_Group}",
|
|
"Name": "{Workspace_Name}",
|
|
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalinsights/workspaces/{Workspace_Name}"
|
|
}
|
|
},
|
|
{
|
|
"name": "Query",
|
|
"value": "AzureNetworkAnalytics_CL\n| where SubType_s == 'FlowLog' and FASchemaVersion_s == '1' and FlowType_s == 'MaliciousFlow'\n| extend Subnet1 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), Subnet1_s, iif(FlowDirection_s == 'O', Subnet_s, '' )), Subnet2 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), Subnet2_s, iif(FlowDirection_s == 'I', Subnet_s, '' ))\n| extend VM1 = iif(FlowType_s in ('InterVNet','IntraVNet'), VM1_s, iif(FlowDirection_s == 'O', VM_s, '' )), VM2 = iif(FlowType_s in ('InterVNet','IntraVNet'), VM2_s, iif(FlowDirection_s == 'I', VM_s, '' ))\n| extend Subscription1 = iif(FlowType_s == 'InterVNet',Subscription1_g, iif(FlowType_s == 'IntraVNet' or FlowDirection_s == 'O', Subscription_g, '')), Subscription2 = iif(FlowType_s == 'InterVNet', Subscription2_g, iif(FlowType_s == 'IntraVNet' or FlowDirection_s == 'I', Subscription_g, ''))\n| extend NIC1 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), NIC1_s, iif(FlowDirection_s == 'O', NIC_s, '')), NIC2 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), NIC2_s, iif(FlowDirection_s == 'I', NIC_s, ''))\n| extend SrcIP = iif(isnotempty(SrcIP_s), SrcIP_s, iif(FlowDirection_s == 'O', VMIP_s, '')), DestIP = iif(isnotempty(DestIP_s), DestIP_s, iif(FlowDirection_s == 'I', VMIP_s, ''))\n| extend CountryOrRegion = iif(FlowType_s == 'AzurePublic', AzureRegion_s, Country_s)\n| extend FlowDirection_s = iif(FlowType_s in ('InterVNet','IntraVNet'), '', FlowDirection_s)\n| where FlowDirection_s == \"I\"\n| summarize FlowCount = sum(FlowCount_d), AllowedInFlows = sum(AllowedInFlows_d), DeniedInFlows = sum(DeniedInFlows_d) by IPAdress = strcat(SrcIP, ' (', CountryOrRegion, ')') | sort by AllowedInFlows desc \n"
|
|
},
|
|
{
|
|
"name": "TimeRange",
|
|
"value": "P1D"
|
|
},
|
|
{
|
|
"name": "Version",
|
|
"value": "1.0"
|
|
},
|
|
{
|
|
"name": "DashboardId",
|
|
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureNetworkWatcher_{Workspace_Name}"
|
|
},
|
|
{
|
|
"name": "PartId",
|
|
"value": "a62a3991-87a7-403d-a462-1e2670e5879a"
|
|
},
|
|
{
|
|
"name": "PartTitle",
|
|
"value": "Analytics"
|
|
},
|
|
{
|
|
"name": "PartSubTitle",
|
|
"value": " "
|
|
},
|
|
{
|
|
"name": "resourceTypeMode",
|
|
"value": "workspace"
|
|
},
|
|
{
|
|
"name": "ControlType",
|
|
"value": "AnalyticsGrid"
|
|
},
|
|
{
|
|
"name": "Dimensions",
|
|
"isOptional": true
|
|
},
|
|
{
|
|
"name": "SpecificChart",
|
|
"isOptional": true
|
|
}
|
|
],
|
|
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
|
|
"settings": {
|
|
"content": {
|
|
"PartTitle": "Malicious source IPs: allowed vs denied inbound flows",
|
|
"PartSubTitle": " "
|
|
}
|
|
},
|
|
"asset": {
|
|
"idInputName": "ComponentId",
|
|
"type": "ApplicationInsights"
|
|
}
|
|
}
|
|
},
|
|
"8": {
|
|
"position": {
|
|
"x": 0,
|
|
"y": 9,
|
|
"colSpan": 25,
|
|
"rowSpan": 1
|
|
},
|
|
"metadata": {
|
|
"inputs": [],
|
|
"type": "Extension/HubsExtension/PartType/MarkdownPart",
|
|
"settings": {
|
|
"content": {
|
|
"settings": {
|
|
"content": "<div style='font-size:300%;'>Attacked resources</div>",
|
|
"title": "",
|
|
"subtitle": ""
|
|
}
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"9": {
|
|
"position": {
|
|
"x": 0,
|
|
"y": 10,
|
|
"colSpan": 6,
|
|
"rowSpan": 4
|
|
},
|
|
"metadata": {
|
|
"inputs": [
|
|
{
|
|
"name": "ComponentId",
|
|
"value": {
|
|
"SubscriptionId": "{Subscription_Id}",
|
|
"ResourceGroup": "{Resource_Group}",
|
|
"Name": "{Workspace_Name}",
|
|
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalinsights/workspaces/{Workspace_Name}"
|
|
}
|
|
},
|
|
{
|
|
"name": "Query",
|
|
"value": "AzureNetworkAnalytics_CL\n| where SubType_s == 'FlowLog' and FASchemaVersion_s == '1' and FlowType_s == 'MaliciousFlow'\n| extend Subnet1 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), Subnet1_s, iif(FlowDirection_s == 'O', Subnet_s, '' )), Subnet2 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), Subnet2_s, iif(FlowDirection_s == 'I', Subnet_s, '' ))\n| extend VM1 = iif(FlowType_s in ('InterVNet','IntraVNet'), VM1_s, iif(FlowDirection_s == 'O', VM_s, '' )), VM2 = iif(FlowType_s in ('InterVNet','IntraVNet'), VM2_s, iif(FlowDirection_s == 'I', VM_s, '' ))\n| extend Subscription1 = iif(FlowType_s == 'InterVNet',Subscription1_g, iif(FlowType_s == 'IntraVNet' or FlowDirection_s == 'O', Subscription_g, '')), Subscription2 = iif(FlowType_s == 'InterVNet', Subscription2_g, iif(FlowType_s == 'IntraVNet' or FlowDirection_s == 'I', Subscription_g, ''))\n| extend NIC1 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), NIC1_s, iif(FlowDirection_s == 'O', NIC_s, '')), NIC2 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), NIC2_s, iif(FlowDirection_s == 'I', NIC_s, ''))\n| extend SrcIP = iif(isnotempty(SrcIP_s), SrcIP_s, iif(FlowDirection_s == 'O', VMIP_s, '')), DestIP = iif(isnotempty(DestIP_s), DestIP_s, iif(FlowDirection_s == 'I', VMIP_s, ''))\n| extend CountryOrRegion = iif(FlowType_s == 'AzurePublic', AzureRegion_s, Country_s)\n| extend FlowDirection_s = iif(FlowType_s in ('InterVNet','IntraVNet'), '', FlowDirection_s)\n| where FlowDirection_s == \"I\"\n| summarize AllowedInFlows = sum(AllowedInFlows_d) by Computer = strcat(DestIP, ' (', Subscription2, '/', VM2, ')') | sort by AllowedInFlows desc\n"
|
|
},
|
|
{
|
|
"name": "TimeRange",
|
|
"value": "P1D"
|
|
},
|
|
{
|
|
"name": "Dimensions",
|
|
"value": {
|
|
"xAxis": {
|
|
"name": "Computer",
|
|
"type": "String"
|
|
},
|
|
"yAxis": [
|
|
{
|
|
"name": "AllowedInFlows",
|
|
"type": "Double"
|
|
}
|
|
],
|
|
"splitBy": [],
|
|
"aggregation": "Sum"
|
|
}
|
|
},
|
|
{
|
|
"name": "Version",
|
|
"value": "1.0"
|
|
},
|
|
{
|
|
"name": "DashboardId",
|
|
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureNetworkWatcher_{Workspace_Name}"
|
|
},
|
|
{
|
|
"name": "PartId",
|
|
"value": "59e92add-51f9-4791-a19a-ad5f6ac5fe4b"
|
|
},
|
|
{
|
|
"name": "PartTitle",
|
|
"value": "Analytics"
|
|
},
|
|
{
|
|
"name": "PartSubTitle",
|
|
"value": " "
|
|
},
|
|
{
|
|
"name": "resourceTypeMode",
|
|
"value": "workspace"
|
|
},
|
|
{
|
|
"name": "ControlType",
|
|
"value": "AnalyticsDonut"
|
|
},
|
|
{
|
|
"name": "SpecificChart",
|
|
"isOptional": true
|
|
}
|
|
],
|
|
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
|
|
"settings": {
|
|
"content": {
|
|
"PartTitle": "Most attacked machines (ranked by allowed inbound malicious flows)",
|
|
"PartSubTitle": " "
|
|
}
|
|
},
|
|
"asset": {
|
|
"idInputName": "ComponentId",
|
|
"type": "ApplicationInsights"
|
|
}
|
|
}
|
|
},
|
|
"10": {
|
|
"position": {
|
|
"x": 6,
|
|
"y": 10,
|
|
"colSpan": 6,
|
|
"rowSpan": 4
|
|
},
|
|
"metadata": {
|
|
"inputs": [
|
|
{
|
|
"name": "ComponentId",
|
|
"value": {
|
|
"SubscriptionId": "{Subscription_Id}",
|
|
"ResourceGroup": "{Resource_Group}",
|
|
"Name": "{Workspace_Name}",
|
|
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalinsights/workspaces/{Workspace_Name}"
|
|
}
|
|
},
|
|
{
|
|
"name": "Query",
|
|
"value": "AzureNetworkAnalytics_CL\n| where SubType_s == 'FlowLog' and FASchemaVersion_s == '1' and FlowType_s == 'MaliciousFlow'\n| extend Subnet1 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), Subnet1_s, iif(FlowDirection_s == 'O', Subnet_s, '' )), Subnet2 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), Subnet2_s, iif(FlowDirection_s == 'I', Subnet_s, '' ))\n| extend VM1 = iif(FlowType_s in ('InterVNet','IntraVNet'), VM1_s, iif(FlowDirection_s == 'O', VM_s, '' )), VM2 = iif(FlowType_s in ('InterVNet','IntraVNet'), VM2_s, iif(FlowDirection_s == 'I', VM_s, '' ))\n| extend Subscription1 = iif(FlowType_s == 'InterVNet',Subscription1_g, iif(FlowType_s == 'IntraVNet' or FlowDirection_s == 'O', Subscription_g, '')), Subscription2 = iif(FlowType_s == 'InterVNet', Subscription2_g, iif(FlowType_s == 'IntraVNet' or FlowDirection_s == 'I', Subscription_g, ''))\n| extend NIC1 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), NIC1_s, iif(FlowDirection_s == 'O', NIC_s, '')), NIC2 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), NIC2_s, iif(FlowDirection_s == 'I', NIC_s, ''))\n| extend SrcIP = iif(isnotempty(SrcIP_s), SrcIP_s, iif(FlowDirection_s == 'O', VMIP_s, '')), DestIP = iif(isnotempty(DestIP_s), DestIP_s, iif(FlowDirection_s == 'I', VMIP_s, ''))\n| extend CountryOrRegion = iif(FlowType_s == 'AzurePublic', AzureRegion_s, Country_s)\n| extend FlowDirection_s = iif(FlowType_s in ('InterVNet','IntraVNet'), '', FlowDirection_s)\n| where FlowDirection_s == \"I\"\n| summarize AllowedInFlows = sum(AllowedInFlows_d) by Subnet = strcat(Subnet2, ' (', Subscription2, ')') | sort by AllowedInFlows desc\n"
|
|
},
|
|
{
|
|
"name": "TimeRange",
|
|
"value": "P1D"
|
|
},
|
|
{
|
|
"name": "Dimensions",
|
|
"value": {
|
|
"xAxis": {
|
|
"name": "Subnet",
|
|
"type": "String"
|
|
},
|
|
"yAxis": [
|
|
{
|
|
"name": "AllowedInFlows",
|
|
"type": "Double"
|
|
}
|
|
],
|
|
"splitBy": [],
|
|
"aggregation": "Sum"
|
|
}
|
|
},
|
|
{
|
|
"name": "Version",
|
|
"value": "1.0"
|
|
},
|
|
{
|
|
"name": "DashboardId",
|
|
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureNetworkWatcher_{Workspace_Name}"
|
|
},
|
|
{
|
|
"name": "PartId",
|
|
"value": "538e30b4-8c17-4039-8019-04892c2da5ed"
|
|
},
|
|
{
|
|
"name": "PartTitle",
|
|
"value": "Analytics"
|
|
},
|
|
{
|
|
"name": "PartSubTitle",
|
|
"value": " "
|
|
},
|
|
{
|
|
"name": "resourceTypeMode",
|
|
"value": "workspace"
|
|
},
|
|
{
|
|
"name": "ControlType",
|
|
"value": "AnalyticsDonut"
|
|
},
|
|
{
|
|
"name": "SpecificChart",
|
|
"isOptional": true
|
|
}
|
|
],
|
|
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
|
|
"settings": {
|
|
"content": {
|
|
"PartTitle": "Most attacked subnets (ranked by allowed inbound malicious flows)",
|
|
"PartSubTitle": " "
|
|
}
|
|
},
|
|
"asset": {
|
|
"idInputName": "ComponentId",
|
|
"type": "ApplicationInsights"
|
|
}
|
|
}
|
|
},
|
|
"11": {
|
|
"position": {
|
|
"x": 12,
|
|
"y": 10,
|
|
"colSpan": 13,
|
|
"rowSpan": 4
|
|
},
|
|
"metadata": {
|
|
"inputs": [
|
|
{
|
|
"name": "ComponentId",
|
|
"value": {
|
|
"SubscriptionId": "{Subscription_Id}",
|
|
"ResourceGroup": "{Resource_Group}",
|
|
"Name": "{Workspace_Name}",
|
|
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalinsights/workspaces/{Workspace_Name}"
|
|
}
|
|
},
|
|
{
|
|
"name": "Query",
|
|
"value": "AzureNetworkAnalytics_CL\n| where SubType_s == 'FlowLog' and FASchemaVersion_s == '1' and FlowType_s == 'MaliciousFlow'\n| extend Subnet1 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), Subnet1_s, iif(FlowDirection_s == 'O', Subnet_s, '' )), Subnet2 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), Subnet2_s, iif(FlowDirection_s == 'I', Subnet_s, '' ))\n| extend VM1 = iif(FlowType_s in ('InterVNet','IntraVNet'), VM1_s, iif(FlowDirection_s == 'O', VM_s, '' )), VM2 = iif(FlowType_s in ('InterVNet','IntraVNet'), VM2_s, iif(FlowDirection_s == 'I', VM_s, '' ))\n| extend Subscription1 = iif(FlowType_s == 'InterVNet',Subscription1_g, iif(FlowType_s == 'IntraVNet' or FlowDirection_s == 'O', Subscription_g, '')), Subscription2 = iif(FlowType_s == 'InterVNet', Subscription2_g, iif(FlowType_s == 'IntraVNet' or FlowDirection_s == 'I', Subscription_g, ''))\n| extend NIC1 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), NIC1_s, iif(FlowDirection_s == 'O', NIC_s, '')), NIC2 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), NIC2_s, iif(FlowDirection_s == 'I', NIC_s, ''))\n| extend SrcIP = iif(isnotempty(SrcIP_s), SrcIP_s, iif(FlowDirection_s == 'O', VMIP_s, '')), DestIP = iif(isnotempty(DestIP_s), DestIP_s, iif(FlowDirection_s == 'I', VMIP_s, ''))\n| extend CountryOrRegion = iif(FlowType_s == 'AzurePublic', AzureRegion_s, Country_s)\n| extend FlowDirection_s = iif(FlowType_s in ('InterVNet','IntraVNet'), '', FlowDirection_s)\n| where FlowDirection_s == \"I\"\n| summarize FlowCount = sum(FlowCount_d), AllowedInFlows = sum(AllowedInFlows_d), DeniedInFlows = sum(DeniedInFlows_d) by IPAddress=DestIP, VM=VM2, Subnet=Subnet2, Subscription=Subscription2 | sort by AllowedInFlows desc\n"
|
|
},
|
|
{
|
|
"name": "TimeRange",
|
|
"value": "P1D"
|
|
},
|
|
{
|
|
"name": "Version",
|
|
"value": "1.0"
|
|
},
|
|
{
|
|
"name": "DashboardId",
|
|
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureNetworkWatcher_{Workspace_Name}"
|
|
},
|
|
{
|
|
"name": "PartId",
|
|
"value": "4bc5fdfb-2955-474c-9647-851e1ebb4177"
|
|
},
|
|
{
|
|
"name": "PartTitle",
|
|
"value": "Analytics"
|
|
},
|
|
{
|
|
"name": "PartSubTitle",
|
|
"value": " "
|
|
},
|
|
{
|
|
"name": "resourceTypeMode",
|
|
"value": "workspace"
|
|
},
|
|
{
|
|
"name": "ControlType",
|
|
"value": "AnalyticsGrid"
|
|
},
|
|
{
|
|
"name": "Dimensions",
|
|
"isOptional": true
|
|
},
|
|
{
|
|
"name": "SpecificChart",
|
|
"isOptional": true
|
|
}
|
|
],
|
|
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
|
|
"settings": {
|
|
"content": {
|
|
"PartTitle": "Attacked resources: allowed vs denied inbound malicious flows",
|
|
"PartSubTitle": " "
|
|
}
|
|
},
|
|
"asset": {
|
|
"idInputName": "ComponentId",
|
|
"type": "ApplicationInsights"
|
|
}
|
|
}
|
|
},
|
|
"12": {
|
|
"position": {
|
|
"x": 0,
|
|
"y": 14,
|
|
"colSpan": 25,
|
|
"rowSpan": 1
|
|
},
|
|
"metadata": {
|
|
"inputs": [],
|
|
"type": "Extension/HubsExtension/PartType/MarkdownPart",
|
|
"settings": {
|
|
"content": {
|
|
"settings": {
|
|
"content": "<div style='font-size:300%;'>Malicious traffic target protocols</div>",
|
|
"title": "",
|
|
"subtitle": ""
|
|
}
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"13": {
|
|
"position": {
|
|
"x": 0,
|
|
"y": 15,
|
|
"colSpan": 5,
|
|
"rowSpan": 3
|
|
},
|
|
"metadata": {
|
|
"inputs": [
|
|
{
|
|
"name": "ComponentId",
|
|
"value": {
|
|
"SubscriptionId": "{Subscription_Id}",
|
|
"ResourceGroup": "{Resource_Group}",
|
|
"Name": "{Workspace_Name}",
|
|
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalinsights/workspaces/{Workspace_Name}"
|
|
}
|
|
},
|
|
{
|
|
"name": "Query",
|
|
"value": "AzureNetworkAnalytics_CL\n| where SubType_s == 'FlowLog' and FASchemaVersion_s == '1' and FlowType_s == 'MaliciousFlow'\n| extend Subnet1 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), Subnet1_s, iif(FlowDirection_s == 'O', Subnet_s, '' )), Subnet2 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), Subnet2_s, iif(FlowDirection_s == 'I', Subnet_s, '' ))\n| extend VM1 = iif(FlowType_s in ('InterVNet','IntraVNet'), VM1_s, iif(FlowDirection_s == 'O', VM_s, '' )), VM2 = iif(FlowType_s in ('InterVNet','IntraVNet'), VM2_s, iif(FlowDirection_s == 'I', VM_s, '' ))\n| extend Subscription1 = iif(FlowType_s == 'InterVNet',Subscription1_g, iif(FlowType_s == 'IntraVNet' or FlowDirection_s == 'O', Subscription_g, '')), Subscription2 = iif(FlowType_s == 'InterVNet', Subscription2_g, iif(FlowType_s == 'IntraVNet' or FlowDirection_s == 'I', Subscription_g, ''))\n| extend NIC1 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), NIC1_s, iif(FlowDirection_s == 'O', NIC_s, '')), NIC2 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), NIC2_s, iif(FlowDirection_s == 'I', NIC_s, ''))\n| extend SrcIP = iif(isnotempty(SrcIP_s), SrcIP_s, iif(FlowDirection_s == 'O', VMIP_s, '')), DestIP = iif(isnotempty(DestIP_s), DestIP_s, iif(FlowDirection_s == 'I', VMIP_s, ''))\n| extend CountryOrRegion = iif(FlowType_s == 'AzurePublic', AzureRegion_s, Country_s)\n| extend FlowDirection_s = iif(FlowType_s in ('InterVNet','IntraVNet'), '', FlowDirection_s)\n| where FlowDirection_s == \"I\"\n| summarize FlowCount = sum(FlowCount_d) by L4Protocol_s \n| extend L4Protocol_s = replace(\"T\", \"TCP\", L4Protocol_s)\n| extend L4Protocol = replace(\"U\", \"UDP\", L4Protocol_s)\n| project L4Protocol , FlowCount\n"
|
|
},
|
|
{
|
|
"name": "TimeRange",
|
|
"value": "P1D"
|
|
},
|
|
{
|
|
"name": "Dimensions",
|
|
"value": {
|
|
"xAxis": {
|
|
"name": "L4Protocol",
|
|
"type": "String"
|
|
},
|
|
"yAxis": [
|
|
{
|
|
"name": "FlowCount",
|
|
"type": "Double"
|
|
}
|
|
],
|
|
"splitBy": [],
|
|
"aggregation": "Sum"
|
|
}
|
|
},
|
|
{
|
|
"name": "Version",
|
|
"value": "1.0"
|
|
},
|
|
{
|
|
"name": "DashboardId",
|
|
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureNetworkWatcher_{Workspace_Name}"
|
|
},
|
|
{
|
|
"name": "PartId",
|
|
"value": "c5cc6463-0d75-4309-abe0-5bb70c7aedfe"
|
|
},
|
|
{
|
|
"name": "PartTitle",
|
|
"value": "Analytics"
|
|
},
|
|
{
|
|
"name": "PartSubTitle",
|
|
"value": " "
|
|
},
|
|
{
|
|
"name": "resourceTypeMode",
|
|
"value": "workspace"
|
|
},
|
|
{
|
|
"name": "ControlType",
|
|
"value": "AnalyticsDonut"
|
|
},
|
|
{
|
|
"name": "SpecificChart",
|
|
"isOptional": true
|
|
}
|
|
],
|
|
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
|
|
"settings": {
|
|
"content": {
|
|
"PartTitle": "Inbound malicious flows by L4 protocol",
|
|
"PartSubTitle": " "
|
|
}
|
|
},
|
|
"asset": {
|
|
"idInputName": "ComponentId",
|
|
"type": "ApplicationInsights"
|
|
}
|
|
}
|
|
},
|
|
"14": {
|
|
"position": {
|
|
"x": 5,
|
|
"y": 15,
|
|
"colSpan": 5,
|
|
"rowSpan": 3
|
|
},
|
|
"metadata": {
|
|
"inputs": [
|
|
{
|
|
"name": "ComponentId",
|
|
"value": {
|
|
"SubscriptionId": "{Subscription_Id}",
|
|
"ResourceGroup": "{Resource_Group}",
|
|
"Name": "{Workspace_Name}",
|
|
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalinsights/workspaces/{Workspace_Name}"
|
|
}
|
|
},
|
|
{
|
|
"name": "Query",
|
|
"value": "AzureNetworkAnalytics_CL\n| where SubType_s == 'FlowLog' and FASchemaVersion_s == '1' and FlowType_s == 'MaliciousFlow'\n| extend Subnet1 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), Subnet1_s, iif(FlowDirection_s == 'O', Subnet_s, '' )), Subnet2 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), Subnet2_s, iif(FlowDirection_s == 'I', Subnet_s, '' ))\n| extend VM1 = iif(FlowType_s in ('InterVNet','IntraVNet'), VM1_s, iif(FlowDirection_s == 'O', VM_s, '' )), VM2 = iif(FlowType_s in ('InterVNet','IntraVNet'), VM2_s, iif(FlowDirection_s == 'I', VM_s, '' ))\n| extend Subscription1 = iif(FlowType_s == 'InterVNet',Subscription1_g, iif(FlowType_s == 'IntraVNet' or FlowDirection_s == 'O', Subscription_g, '')), Subscription2 = iif(FlowType_s == 'InterVNet', Subscription2_g, iif(FlowType_s == 'IntraVNet' or FlowDirection_s == 'I', Subscription_g, ''))\n| extend NIC1 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), NIC1_s, iif(FlowDirection_s == 'O', NIC_s, '')), NIC2 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), NIC2_s, iif(FlowDirection_s == 'I', NIC_s, ''))\n| extend SrcIP = iif(isnotempty(SrcIP_s), SrcIP_s, iif(FlowDirection_s == 'O', VMIP_s, '')), DestIP = iif(isnotempty(DestIP_s), DestIP_s, iif(FlowDirection_s == 'I', VMIP_s, ''))\n| extend CountryOrRegion = iif(FlowType_s == 'AzurePublic', AzureRegion_s, Country_s)\n| extend FlowDirection_s = iif(FlowType_s in ('InterVNet','IntraVNet'), '', FlowDirection_s)\n| where FlowDirection_s == \"I\"\n| summarize AllowedInFlows = sum(AllowedInFlows_d) by L4Protocol_s | sort by AllowedInFlows desc\n| extend L4Protocol_s = replace(\"T\", \"TCP\", L4Protocol_s)\n| extend L4Protocol = replace(\"U\", \"UDP\", L4Protocol_s)\n| project L4Protocol, AllowedInFlows\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "L4Protocol",
"type": "String"
},
"yAxis": [
{
"name": "AllowedInFlows",
"type": "Double"
}
],
"splitBy": [],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureNetworkWatcher_{Workspace_Name}"
},
{
"name": "PartId",
"value": "ee0d3076-bcc6-4ad4-b66d-863b639a9f65"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": " "
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsDonut"
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Allowed malicious traffic",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"15": {
"position": {
"x": 10,
"y": 15,
"colSpan": 5,
"rowSpan": 3
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalinsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AzureNetworkAnalytics_CL\n| where SubType_s == 'FlowLog' and FASchemaVersion_s == '1' and FlowType_s == 'MaliciousFlow'\n| extend Subnet1 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), Subnet1_s, iif(FlowDirection_s == 'O', Subnet_s, '' )), Subnet2 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), Subnet2_s, iif(FlowDirection_s == 'I', Subnet_s, '' ))\n| extend VM1 = iif(FlowType_s in ('InterVNet','IntraVNet'), VM1_s, iif(FlowDirection_s == 'O', VM_s, '' )), VM2 = iif(FlowType_s in ('InterVNet','IntraVNet'), VM2_s, iif(FlowDirection_s == 'I', VM_s, '' ))\n| extend Subscription1 = iif(FlowType_s == 'InterVNet',Subscription1_g, iif(FlowType_s == 'IntraVNet' or FlowDirection_s == 'O', Subscription_g, '')), Subscription2 = iif(FlowType_s == 'InterVNet', Subscription2_g, iif(FlowType_s == 'IntraVNet' or FlowDirection_s == 'I', Subscription_g, ''))\n| extend NIC1 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), NIC1_s, iif(FlowDirection_s == 'O', NIC_s, '')), NIC2 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), NIC2_s, iif(FlowDirection_s == 'I', NIC_s, ''))\n| extend SrcIP = iif(isnotempty(SrcIP_s), SrcIP_s, iif(FlowDirection_s == 'O', VMIP_s, '')), DestIP = iif(isnotempty(DestIP_s), DestIP_s, iif(FlowDirection_s == 'I', VMIP_s, ''))\n| extend CountryOrRegion = iif(FlowType_s == 'AzurePublic', AzureRegion_s, Country_s)\n| extend FlowDirection_s = iif(FlowType_s in ('InterVNet','IntraVNet'), '', FlowDirection_s)\n| where FlowDirection_s == \"I\"\n| summarize DeniedInFlows = sum(DeniedInFlows_d) by L4Protocol_s | sort by DeniedInFlows desc\n| extend L4Protocol_s = replace(\"T\", \"TCP\", L4Protocol_s)\n| extend L4Protocol = replace(\"U\", \"UDP\", L4Protocol_s)\n| project L4Protocol, DeniedInFlows\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "L4Protocol",
"type": "String"
},
"yAxis": [
{
"name": "DeniedInFlows",
"type": "Double"
}
],
"splitBy": [],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureNetworkWatcher_{Workspace_Name}"
},
{
"name": "PartId",
"value": "23e35aa1-d859-437a-8d7c-00cb6b4fa3d7"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": " "
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsDonut"
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Denied malicious traffic",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"16": {
"position": {
"x": 15,
"y": 15,
"colSpan": 10,
"rowSpan": 6
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalinsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AzureNetworkAnalytics_CL\n| where SubType_s == 'FlowLog' and FASchemaVersion_s == '1' and FlowType_s == 'MaliciousFlow'\n| extend Subnet1 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), Subnet1_s, iif(FlowDirection_s == 'O', Subnet_s, '' )), Subnet2 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), Subnet2_s, iif(FlowDirection_s == 'I', Subnet_s, '' ))\n| extend VM1 = iif(FlowType_s in ('InterVNet','IntraVNet'), VM1_s, iif(FlowDirection_s == 'O', VM_s, '' )), VM2 = iif(FlowType_s in ('InterVNet','IntraVNet'), VM2_s, iif(FlowDirection_s == 'I', VM_s, '' ))\n| extend Subscription1 = iif(FlowType_s == 'InterVNet',Subscription1_g, iif(FlowType_s == 'IntraVNet' or FlowDirection_s == 'O', Subscription_g, '')), Subscription2 = iif(FlowType_s == 'InterVNet', Subscription2_g, iif(FlowType_s == 'IntraVNet' or FlowDirection_s == 'I', Subscription_g, ''))\n| extend NIC1 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), NIC1_s, iif(FlowDirection_s == 'O', NIC_s, '')), NIC2 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), NIC2_s, iif(FlowDirection_s == 'I', NIC_s, ''))\n| extend SrcIP = iif(isnotempty(SrcIP_s), SrcIP_s, iif(FlowDirection_s == 'O', VMIP_s, '')), DestIP = iif(isnotempty(DestIP_s), DestIP_s, iif(FlowDirection_s == 'I', VMIP_s, ''))\n| extend CountryOrRegion = iif(FlowType_s == 'AzurePublic', AzureRegion_s, Country_s)\n| extend FlowDirection_s = iif(FlowType_s in ('InterVNet','IntraVNet'), '', FlowDirection_s)\n| where FlowDirection_s == \"I\"\n| summarize FlowCount = sum(FlowCount_d), AllowedInFlows = sum(AllowedInFlows_d), DeniedInFlows = sum(DeniedInFlows_d) by L7Protocol = strcat(L7Protocol_s, ' (', toint(DestPort_d), ')') | sort by AllowedInFlows desc | limit 10\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureNetworkWatcher_{Workspace_Name}"
},
{
"name": "PartId",
"value": "446bee72-6961-4d7e-8503-1de0aa85c3fa"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": " "
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsGrid"
},
{
"name": "Dimensions",
"isOptional": true
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Malicious traffic, by application ports",
"PartSubTitle": " ",
"GridColumnsWidth": {
"L7Protocol": "154px",
"FlowCount": "123px",
"AllowedInFlows": "134px",
"DeniedInFlows": "179px"
}
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"17": {
"position": {
"x": 0,
"y": 18,
"colSpan": 5,
"rowSpan": 3
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalinsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AzureNetworkAnalytics_CL\n| where SubType_s == 'FlowLog' and FASchemaVersion_s == '1' and FlowType_s == 'MaliciousFlow'\n| extend Subnet1 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), Subnet1_s, iif(FlowDirection_s == 'O', Subnet_s, '' )), Subnet2 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), Subnet2_s, iif(FlowDirection_s == 'I', Subnet_s, '' ))\n| extend VM1 = iif(FlowType_s in ('InterVNet','IntraVNet'), VM1_s, iif(FlowDirection_s == 'O', VM_s, '' )), VM2 = iif(FlowType_s in ('InterVNet','IntraVNet'), VM2_s, iif(FlowDirection_s == 'I', VM_s, '' ))\n| extend Subscription1 = iif(FlowType_s == 'InterVNet',Subscription1_g, iif(FlowType_s == 'IntraVNet' or FlowDirection_s == 'O', Subscription_g, '')), Subscription2 = iif(FlowType_s == 'InterVNet', Subscription2_g, iif(FlowType_s == 'IntraVNet' or FlowDirection_s == 'I', Subscription_g, ''))\n| extend NIC1 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), NIC1_s, iif(FlowDirection_s == 'O', NIC_s, '')), NIC2 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), NIC2_s, iif(FlowDirection_s == 'I', NIC_s, ''))\n| extend SrcIP = iif(isnotempty(SrcIP_s), SrcIP_s, iif(FlowDirection_s == 'O', VMIP_s, '')), DestIP = iif(isnotempty(DestIP_s), DestIP_s, iif(FlowDirection_s == 'I', VMIP_s, ''))\n| extend CountryOrRegion = iif(FlowType_s == 'AzurePublic', AzureRegion_s, Country_s)\n| extend FlowDirection_s = iif(FlowType_s in ('InterVNet','IntraVNet'), '', FlowDirection_s)\n| where FlowDirection_s == \"I\"\n| summarize FlowCount = sum(FlowCount_d) by L7Protocol = strcat(L7Protocol_s, ' (', toint(DestPort_d), ')') | sort by FlowCount desc | limit 10\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "L7Protocol",
"type": "String"
},
"yAxis": [
{
"name": "FlowCount",
"type": "Double"
}
],
"splitBy": [],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureNetworkWatcher_{Workspace_Name}"
},
{
"name": "PartId",
"value": "a581e53a-045c-4ca3-8868-4448e8902db4"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": " "
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsDonut"
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Malicious traffic, by application ports",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"18": {
"position": {
"x": 5,
"y": 18,
"colSpan": 5,
"rowSpan": 3
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalinsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AzureNetworkAnalytics_CL\n| where SubType_s == 'FlowLog' and FASchemaVersion_s == '1' and FlowType_s == 'MaliciousFlow'\n| extend Subnet1 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), Subnet1_s, iif(FlowDirection_s == 'O', Subnet_s, '' )), Subnet2 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), Subnet2_s, iif(FlowDirection_s == 'I', Subnet_s, '' ))\n| extend VM1 = iif(FlowType_s in ('InterVNet','IntraVNet'), VM1_s, iif(FlowDirection_s == 'O', VM_s, '' )), VM2 = iif(FlowType_s in ('InterVNet','IntraVNet'), VM2_s, iif(FlowDirection_s == 'I', VM_s, '' ))\n| extend Subscription1 = iif(FlowType_s == 'InterVNet',Subscription1_g, iif(FlowType_s == 'IntraVNet' or FlowDirection_s == 'O', Subscription_g, '')), Subscription2 = iif(FlowType_s == 'InterVNet', Subscription2_g, iif(FlowType_s == 'IntraVNet' or FlowDirection_s == 'I', Subscription_g, ''))\n| extend NIC1 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), NIC1_s, iif(FlowDirection_s == 'O', NIC_s, '')), NIC2 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), NIC2_s, iif(FlowDirection_s == 'I', NIC_s, ''))\n| extend SrcIP = iif(isnotempty(SrcIP_s), SrcIP_s, iif(FlowDirection_s == 'O', VMIP_s, '')), DestIP = iif(isnotempty(DestIP_s), DestIP_s, iif(FlowDirection_s == 'I', VMIP_s, ''))\n| extend CountryOrRegion = iif(FlowType_s == 'AzurePublic', AzureRegion_s, Country_s)\n| extend FlowDirection_s = iif(FlowType_s in ('InterVNet','IntraVNet'), '', FlowDirection_s)\n| where FlowDirection_s == \"I\"\n| summarize AllowedInFlows = sum(AllowedInFlows_d) by L7Protocol = strcat(L7Protocol_s, ' (', toint(DestPort_d), ')') | sort by AllowedInFlows desc | limit 10\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "L7Protocol",
"type": "String"
},
"yAxis": [
{
"name": "AllowedInFlows",
"type": "Double"
}
],
"splitBy": [],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureNetworkWatcher_{Workspace_Name}"
},
{
"name": "PartId",
"value": "14711d70-ad42-496f-ae9c-eb1a4cb5841f"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": " "
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsDonut"
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Allowed malicious traffic, by application ports",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"19": {
"position": {
"x": 10,
"y": 18,
"colSpan": 5,
"rowSpan": 3
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalinsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AzureNetworkAnalytics_CL\n| where SubType_s == 'FlowLog' and FASchemaVersion_s == '1' and FlowType_s == 'MaliciousFlow'\n| extend Subnet1 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), Subnet1_s, iif(FlowDirection_s == 'O', Subnet_s, '' )), Subnet2 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), Subnet2_s, iif(FlowDirection_s == 'I', Subnet_s, '' ))\n| extend VM1 = iif(FlowType_s in ('InterVNet','IntraVNet'), VM1_s, iif(FlowDirection_s == 'O', VM_s, '' )), VM2 = iif(FlowType_s in ('InterVNet','IntraVNet'), VM2_s, iif(FlowDirection_s == 'I', VM_s, '' ))\n| extend Subscription1 = iif(FlowType_s == 'InterVNet',Subscription1_g, iif(FlowType_s == 'IntraVNet' or FlowDirection_s == 'O', Subscription_g, '')), Subscription2 = iif(FlowType_s == 'InterVNet', Subscription2_g, iif(FlowType_s == 'IntraVNet' or FlowDirection_s == 'I', Subscription_g, ''))\n| extend NIC1 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), NIC1_s, iif(FlowDirection_s == 'O', NIC_s, '')), NIC2 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), NIC2_s, iif(FlowDirection_s == 'I', NIC_s, ''))\n| extend SrcIP = iif(isnotempty(SrcIP_s), SrcIP_s, iif(FlowDirection_s == 'O', VMIP_s, '')), DestIP = iif(isnotempty(DestIP_s), DestIP_s, iif(FlowDirection_s == 'I', VMIP_s, ''))\n| extend CountryOrRegion = iif(FlowType_s == 'AzurePublic', AzureRegion_s, Country_s)\n| extend FlowDirection_s = iif(FlowType_s in ('InterVNet','IntraVNet'), '', FlowDirection_s)\n| where FlowDirection_s == \"I\"\n| summarize DeniedInFlows = sum(DeniedInFlows_d) by L7Protocol = strcat(L7Protocol_s, ' (', toint(DestPort_d), ')') | sort by DeniedInFlows desc | limit 10\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "L7Protocol",
"type": "String"
},
"yAxis": [
{
"name": "DeniedInFlows",
"type": "Double"
}
],
"splitBy": [],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureNetworkWatcher_{Workspace_Name}"
},
{
"name": "PartId",
"value": "57e652ec-689c-4600-834c-359b2c396ab8"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": " "
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsDonut"
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Denied malicious traffic, by application ports",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"20": {
"position": {
"x": 0,
"y": 21,
"colSpan": 25,
"rowSpan": 1
},
"metadata": {
"inputs": [],
"type": "Extension/HubsExtension/PartType/MarkdownPart",
"settings": {
"content": {
"settings": {
"content": "<div style='font-size:300%;'>NSG rule hits by malicious traffic</div>",
"title": "",
"subtitle": ""
}
}
}
}
},
"21": {
"position": {
"x": 0,
"y": 22,
"colSpan": 8,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalinsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AzureNetworkAnalytics_CL \n| where SubType_s == 'FlowLog' and FASchemaVersion_s == '1' and FlowType_s == 'MaliciousFlow'\n| extend nsgList = split(NSGList_s, ' ') | extend nsgRuleList = split(NSGRules_s, ' ') | mvexpand nsgRule = nsgRuleList | extend nsgRuleSplit = split(nsgRule, '|') \n| extend nsg = tostring(nsgList[toint(nsgRuleSplit[0])]), rule = tostring(nsgRuleSplit[1]), countHits = nsgRuleSplit[4], direction = tostring(nsgRuleSplit[2]) \n| extend prefixStrippedRule = replace('defaultrule_','', replace('userrule_','', rule))\n| extend completeNsgRule = strcat(nsg, '/', prefixStrippedRule) \n| where direction == 'I' and FlowStatus_s == 'A'\n| summarize rule_hits = sum(toint(countHits)) by nsg, rule, SourceIP=iif(isempty(SrcIP_s), 'N/A', SrcIP_s), DestIP=iif(isempty(DestIP_s),'N/A',DestIP_s), Country=iif(isempty(Country_s),'N/A',Country_s), Region=iif(isempty(Region_s),'N/A',Region_s), Subnet=iif(isempty(Subnet_s),'N/A',Subnet_s), NIC=iif(isempty(NIC_s),'N/A',NIC_s)\n| summarize TotalHits = sum(rule_hits) by FullRule = strcat(nsg,'/',rule) | sort by TotalHits desc\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "FullRule",
"type": "String"
},
"yAxis": [
{
"name": "TotalHits",
"type": "Int64"
}
],
"splitBy": [],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureNetworkWatcher_{Workspace_Name}"
},
{
"name": "PartId",
"value": "ab8c45fd-7690-4f40-8b38-fe69cf4b45da"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": " "
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsChart"
},
{
"name": "SpecificChart",
"value": "Bar"
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "NSG rules allowing inbound malicious traffic",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"22": {
"position": {
"x": 8,
"y": 22,
"colSpan": 17,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalinsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AzureNetworkAnalytics_CL \n| where SubType_s == 'FlowLog' and FASchemaVersion_s == '1' and FlowType_s == 'MaliciousFlow'\n| extend nsgList = split(NSGList_s, ' ') | extend nsgRuleList = split(NSGRules_s, ' ') | mvexpand nsgRule = nsgRuleList | extend nsgRuleSplit = split(nsgRule, '|') \n| extend nsg = tostring(nsgList[toint(nsgRuleSplit[0])]), rule = tostring(nsgRuleSplit[1]), countHits = nsgRuleSplit[4], direction = tostring(nsgRuleSplit[2]) \n| extend prefixStrippedRule = replace('defaultrule_','', replace('userrule_','', rule))\n| extend completeNsgRule = strcat(nsg, '/', prefixStrippedRule) \n| where direction == 'I' and FlowStatus_s == 'A'\n| summarize rule_hits = sum(toint(countHits)) by nsg, rule, SourceIP=iif(isempty(SrcIP_s), 'N/A', SrcIP_s), DestIP=iif(isempty(DestIP_s),'N/A',DestIP_s), Country=iif(isempty(Country_s),'N/A',Country_s), Region=iif(isempty(Region_s),'N/A',Region_s), Subnet=iif(isempty(Subnet_s),'N/A',Subnet_s), NIC=iif(isempty(NIC_s),'N/A',NIC_s)\n| summarize TotalHits = sum(rule_hits) by nsg, rule | sort by TotalHits desc\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureNetworkWatcher_{Workspace_Name}"
},
{
"name": "PartId",
"value": "e8144a1c-7e7c-4919-9e76-29880073d10d"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": " "
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsGrid"
},
{
"name": "Dimensions",
"isOptional": true
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "NSG rules allowing inbound malicious traffic",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"23": {
"position": {
"x": 0,
"y": 26,
"colSpan": 8,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalinsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AzureNetworkAnalytics_CL \n| where SubType_s == 'FlowLog' and FASchemaVersion_s == '1' and FlowType_s == 'MaliciousFlow'\n| extend nsgList = split(NSGList_s, ' ') | extend nsgRuleList = split(NSGRules_s, ' ') | mvexpand nsgRule = nsgRuleList | extend nsgRuleSplit = split(nsgRule, '|') \n| extend nsg = tostring(nsgList[toint(nsgRuleSplit[0])]), rule = tostring(nsgRuleSplit[1]), countHits = nsgRuleSplit[4], direction = tostring(nsgRuleSplit[2]) \n| extend prefixStrippedRule = replace('defaultrule_','', replace('userrule_','', rule))\n| extend completeNsgRule = strcat(nsg, '/', prefixStrippedRule) \n| where direction == 'I' and FlowStatus_s == 'D'\n| summarize rule_hits = sum(toint(countHits)) by nsg, rule, SourceIP=iif(isempty(SrcIP_s), 'N/A', SrcIP_s), DestIP=iif(isempty(DestIP_s),'N/A',DestIP_s), Country=iif(isempty(Country_s),'N/A',Country_s), Region=iif(isempty(Region_s),'N/A',Region_s), Subnet=iif(isempty(Subnet_s),'N/A',Subnet_s), NIC=iif(isempty(NIC_s),'N/A',NIC_s)\n| summarize TotalHits = sum(rule_hits) by FullRule = strcat(nsg,'/',rule) | sort by TotalHits desc\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "FullRule",
"type": "String"
},
"yAxis": [
{
"name": "TotalHits",
"type": "Int64"
}
],
"splitBy": [],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureNetworkWatcher_{Workspace_Name}"
},
{
"name": "PartId",
"value": "dbd0e852-b102-473d-ab19-20cd49d7076e"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": " "
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsChart"
},
{
"name": "SpecificChart",
"value": "Bar"
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "NSG rules denying inbound malicious traffic",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"24": {
"position": {
"x": 8,
"y": 26,
"colSpan": 17,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalinsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AzureNetworkAnalytics_CL \n| where SubType_s == 'FlowLog' and FASchemaVersion_s == '1' and FlowType_s == 'MaliciousFlow'\n| extend nsgList = split(NSGList_s, ' ') | extend nsgRuleList = split(NSGRules_s, ' ') | mvexpand nsgRule = nsgRuleList | extend nsgRuleSplit = split(nsgRule, '|') \n| extend nsg = tostring(nsgList[toint(nsgRuleSplit[0])]), rule = tostring(nsgRuleSplit[1]), countHits = nsgRuleSplit[4], direction = tostring(nsgRuleSplit[2]) \n| extend prefixStrippedRule = replace('defaultrule_','', replace('userrule_','', rule))\n| extend completeNsgRule = strcat(nsg, '/', prefixStrippedRule) \n| where direction == 'I' and FlowStatus_s == 'D'\n| summarize rule_hits = sum(toint(countHits)) by nsg, rule, SourceIP=iif(isempty(SrcIP_s), 'N/A', SrcIP_s), DestIP=iif(isempty(DestIP_s),'N/A',DestIP_s), Country=iif(isempty(Country_s),'N/A',Country_s), Region=iif(isempty(Region_s),'N/A',Region_s), Subnet=iif(isempty(Subnet_s),'N/A',Subnet_s), NIC=iif(isempty(NIC_s),'N/A',NIC_s)\n| summarize TotalHits = sum(rule_hits) by nsg, rule | sort by TotalHits desc\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureNetworkWatcher_{Workspace_Name}"
},
{
"name": "PartId",
"value": "4d6b1d18-02f4-4da2-957b-2207248d994c"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": " "
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsGrid"
},
{
"name": "Dimensions",
"isOptional": true
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "NSG rules denying inbound malicious traffic",
"PartSubTitle": " ",
"GridColumnsWidth": {
"nsg": "168px",
"rule": "20.3399658203125px",
"TotalHits": "168px"
}
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"25": {
"position": {
"x": 0,
"y": 0,
"colSpan": 1,
"rowSpan": 1
},
"metadata": {
"inputs": [
{
"name": "subscriptionId",
"value": "{Subscription_Id}"
},
{
"name": "resourceGroup",
"value": "{Resource_Group}"
},
{
"name": "workspaceName",
"value": "{Workspace_Name}"
},
{
"name": "dashboardName",
"value": "AzureNetworkWatcher"
},
{
"name": "menuItemToOpen",
"value": "Dashboards"
}
],
"type": "Extension/Microsoft_Azure_Security_Insights/PartType/AsiOverviewPart",
"defaultMenuItemId": "0"
}
}
}
}
}
}
}