{
|
||
"name": "CiscoDashboard_{Workspace_Name}",
|
||
"type": "Microsoft.Portal/dashboards",
|
||
"location": "{Dashboard_Location}",
|
||
"tags": {
|
||
"dashboardKey": "CiscoDashboard",
|
||
"hidden-title": "Cisco - {Workspace_Name}",
|
||
"version": "1.2",
|
||
"workspaceName": "{Workspace_Name}"
|
||
},
|
||
"properties": {
|
||
"lenses": {
|
||
"0": {
|
||
"order": 0,
|
||
"parts": {
|
||
"0": {
|
||
"position": {
|
||
"x": 1,
|
||
"y": 0,
|
||
"colSpan": 18,
|
||
"rowSpan": 1
|
||
},
|
||
"metadata": {
|
||
"inputs": [],
|
||
"type": "Extension/HubsExtension/PartType/MarkdownPart",
|
||
"settings": {
|
||
"content": {
|
||
"settings": {
|
||
"content": "<div style='font-size:300%;'>Cisco overview</div>\n\n",
|
||
"title": "",
|
||
"subtitle": " "
|
||
}
|
||
}
|
||
}
|
||
}
|
||
},
|
||
"1": {
|
||
"position": {
|
||
"x": 19,
|
||
"y": 0,
|
||
"colSpan": 6,
|
||
"rowSpan": 1
|
||
},
|
||
"metadata": {
|
||
"inputs": [],
|
||
"type": "Extension/HubsExtension/PartType/MarkdownPart",
|
||
"settings": {
|
||
"content": {
|
||
"settings": {
|
||
"content": "<img width='450' height='50' src='https://bitwizards.com/bitwizards/media/blogs/jeff-mitchell/2015/may/cisco-router/2015-05-05-topimage.jpg'/>\n",
|
||
"title": "",
|
||
"subtitle": " "
|
||
}
|
||
}
|
||
}
|
||
}
|
||
},
|
||
"2": {
|
||
"position": {
|
||
"x": 0,
|
||
"y": 1,
|
||
"colSpan": 13,
|
||
"rowSpan": 4
|
||
},
|
||
"metadata": {
|
||
"inputs": [
|
||
{
|
||
"name": "ComponentId",
|
||
"value": {
|
||
"SubscriptionId": "{Subscription_Id}",
|
||
"ResourceGroup": "{Resource_Group}",
|
||
"Name": "{Workspace_Name}",
|
||
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
|
||
}
|
||
},
|
||
{
|
||
"name": "Query",
|
||
"value": "//severity count\nCommonSecurityLog\n| where DeviceVendor =~ 'Cisco'\n| where DeviceProduct =~ 'ASA'\n| summarize SeverityVolume= count() by LogSeverity\n"
|
||
},
|
||
{
|
||
"name": "Dimensions",
|
||
"value": {
|
||
"xAxis": {
|
||
"name": "LogSeverity",
|
||
"type": "String"
|
||
},
|
||
"yAxis": [
|
||
{
|
||
"name": "SeverityVolume",
|
||
"type": "Int64"
|
||
}
|
||
],
|
||
"splitBy": [],
|
||
"aggregation": "Sum"
|
||
}
|
||
},
|
||
{
|
||
"name": "Version",
|
||
"value": "1.0"
|
||
},
|
||
{
|
||
"name": "DashboardId",
|
||
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
|
||
},
|
||
{
|
||
"name": "PartId",
|
||
"value": "d669fb39-3d3c-4109-8019-08f17d5ae112"
|
||
},
|
||
{
|
||
"name": "PartTitle",
|
||
"value": "Analytics"
|
||
},
|
||
{
|
||
"name": "PartSubTitle",
|
||
"value": "{Workspace_Name}"
|
||
},
|
||
{
|
||
"name": "resourceTypeMode",
|
||
"value": "workspace"
|
||
},
|
||
{
|
||
"name": "ControlType",
|
||
"value": "AnalyticsDonut"
|
||
},
|
||
{
|
||
"name": "SpecificChart",
|
||
"isOptional": true
|
||
},
|
||
{
|
||
"name": "TimeRange",
|
||
"value": "P1D"
|
||
}
|
||
],
|
||
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
|
||
"settings": {
|
||
"content": {
|
||
"PartTitle": "Traffic, by event severity",
|
||
"PartSubTitle": " "
|
||
}
|
||
},
|
||
"asset": {
|
||
"idInputName": "ComponentId",
|
||
"type": "ApplicationInsights"
|
||
}
|
||
}
|
||
},
|
||
"3": {
|
||
"position": {
|
||
"x": 13,
|
||
"y": 1,
|
||
"colSpan": 6,
|
||
"rowSpan": 4
|
||
},
|
||
"metadata": {
|
||
"inputs": [
|
||
{
|
||
"name": "ComponentId",
|
||
"value": {
|
||
"SubscriptionId": "{Subscription_Id}",
|
||
"ResourceGroup": "{Resource_Group}",
|
||
"Name": "{Workspace_Name}",
|
||
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
|
||
}
|
||
},
|
||
{
|
||
"name": "Query",
|
||
"value": "//no. of concurrent sessions\nCommonSecurityLog\n| where DeviceProduct =~ 'ASA'\n| where DeviceVendor =~ 'Cisco'\n| where DeviceEventClassID == '302010'\n| extend ConcurrentSession= extract('%ASA-6-302010: ([0-9]*?) in use,',1,Message)\n| summarize AvgSession=avg(toint(ConcurrentSession)) by TimeGenerated\n"
|
||
},
|
||
{
|
||
"name": "Dimensions",
|
||
"value": {
|
||
"xAxis": {
|
||
"name": "TimeGenerated",
|
||
"type": "DateTime"
|
||
},
|
||
"yAxis": [
|
||
{
|
||
"name": "AvgSession",
|
||
"type": "Double"
|
||
}
|
||
],
|
||
"splitBy": [],
|
||
"aggregation": "Sum"
|
||
}
|
||
},
|
||
{
|
||
"name": "Version",
|
||
"value": "1.0"
|
||
},
|
||
{
|
||
"name": "DashboardId",
|
||
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
|
||
},
|
||
{
|
||
"name": "PartId",
|
||
"value": "a396b4a0-be52-4965-bb96-a0cd793540eb"
|
||
},
|
||
{
|
||
"name": "PartTitle",
|
||
"value": "Analytics"
|
||
},
|
||
{
|
||
"name": "PartSubTitle",
|
||
"value": "{Workspace_Name}"
|
||
},
|
||
{
|
||
"name": "resourceTypeMode",
|
||
"value": "workspace"
|
||
},
|
||
{
|
||
"name": "ControlType",
|
||
"value": "AnalyticsChart"
|
||
},
|
||
{
|
||
"name": "SpecificChart",
|
||
"value": "Bar"
|
||
},
|
||
{
|
||
"name": "TimeRange",
|
||
"value": "P1D"
|
||
}
|
||
],
|
||
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
|
||
"settings": {
|
||
"content": {
|
||
"PartTitle": "Average concurrent sessions, by time",
|
||
"PartSubTitle": " "
|
||
}
|
||
},
|
||
"asset": {
|
||
"idInputName": "ComponentId",
|
||
"type": "ApplicationInsights"
|
||
}
|
||
}
|
||
},
|
||
"4": {
|
||
"position": {
|
||
"x": 19,
|
||
"y": 1,
|
||
"colSpan": 6,
|
||
"rowSpan": 4
|
||
},
|
||
"metadata": {
|
||
"inputs": [
|
||
{
|
||
"name": "ComponentId",
|
||
"value": {
|
||
"SubscriptionId": "{Subscription_Id}",
|
||
"ResourceGroup": "{Resource_Group}",
|
||
"Name": "{Workspace_Name}",
|
||
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
|
||
}
|
||
},
|
||
{
|
||
"name": "Query",
|
||
"value": "//Count by Action\nCommonSecurityLog\n| where DeviceProduct =~ 'ASA'\n| where DeviceVendor =~ 'Cisco'\n| where DeviceAction != ''\n| summarize ActionCount= count() by SimplifiedDeviceAction\n"
|
||
},
|
||
{
|
||
"name": "Dimensions",
|
||
"value": {
|
||
"xAxis": {
|
||
"name": "SimplifiedDeviceAction",
|
||
"type": "String"
|
||
},
|
||
"yAxis": [
|
||
{
|
||
"name": "ActionCount",
|
||
"type": "Int64"
|
||
}
|
||
],
|
||
"splitBy": [],
|
||
"aggregation": "Sum"
|
||
}
|
||
},
|
||
{
|
||
"name": "Version",
|
||
"value": "1.0"
|
||
},
|
||
{
|
||
"name": "DashboardId",
|
||
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
|
||
},
|
||
{
|
||
"name": "PartId",
|
||
"value": "ff598f07-4502-4992-9164-7fc607d3b625"
|
||
},
|
||
{
|
||
"name": "PartTitle",
|
||
"value": "Analytics"
|
||
},
|
||
{
|
||
"name": "PartSubTitle",
|
||
"value": "{Workspace_Name}"
|
||
},
|
||
{
|
||
"name": "resourceTypeMode",
|
||
"value": "workspace"
|
||
},
|
||
{
|
||
"name": "ControlType",
|
||
"value": "AnalyticsChart"
|
||
},
|
||
{
|
||
"name": "SpecificChart",
|
||
"value": "Bar"
|
||
},
|
||
{
|
||
"name": "TimeRange",
|
||
"value": "P1D"
|
||
}
|
||
],
|
||
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
|
||
"settings": {
|
||
"content": {
|
||
"PartTitle": "Summary of firewall events",
|
||
"PartSubTitle": " "
|
||
}
|
||
},
|
||
"asset": {
|
||
"idInputName": "ComponentId",
|
||
"type": "ApplicationInsights"
|
||
}
|
||
}
|
||
},
|
||
"5": {
|
||
"position": {
|
||
"x": 0,
|
||
"y": 5,
|
||
"colSpan": 6,
|
||
"rowSpan": 4
|
||
},
|
||
"metadata": {
|
||
"inputs": [
|
||
{
|
||
"name": "ComponentId",
|
||
"value": {
|
||
"SubscriptionId": "{Subscription_Id}",
|
||
"ResourceGroup": "{Resource_Group}",
|
||
"Name": "{Workspace_Name}",
|
||
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
|
||
}
|
||
},
|
||
{
|
||
"name": "Query",
|
||
"value": "//Max Sessions\nCommonSecurityLog\n| where DeviceProduct =~ 'ASA'\n| where DeviceVendor =~ 'Cisco'\n| where DeviceEventClassID == '302010'\n| extend MaxSessions= extract('%ASA-6-302010:.*, ([0-9].*?) most used',1,Message)\n| summarize AvgSession=avg(toint(MaxSessions)) by TimeGenerated\n"
|
||
},
|
||
{
|
||
"name": "Dimensions",
|
||
"value": {
|
||
"xAxis": {
|
||
"name": "TimeGenerated",
|
||
"type": "DateTime"
|
||
},
|
||
"yAxis": [
|
||
{
|
||
"name": "AvgSession",
|
||
"type": "Double"
|
||
}
|
||
],
|
||
"splitBy": [],
|
||
"aggregation": "Sum"
|
||
}
|
||
},
|
||
{
|
||
"name": "Version",
|
||
"value": "1.0"
|
||
},
|
||
{
|
||
"name": "DashboardId",
|
||
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
|
||
},
|
||
{
|
||
"name": "PartId",
|
||
"value": "9e0f12d6-a118-4163-8826-1864f3bd6007"
|
||
},
|
||
{
|
||
"name": "PartTitle",
|
||
"value": "Analytics"
|
||
},
|
||
{
|
||
"name": "PartSubTitle",
|
||
"value": "{Workspace_Name}"
|
||
},
|
||
{
|
||
"name": "resourceTypeMode",
|
||
"value": "workspace"
|
||
},
|
||
{
|
||
"name": "ControlType",
|
||
"value": "AnalyticsChart"
|
||
},
|
||
{
|
||
"name": "SpecificChart",
|
||
"value": "Bar"
|
||
},
|
||
{
|
||
"name": "TimeRange",
|
||
"value": "P1D"
|
||
}
|
||
],
|
||
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
|
||
"settings": {
|
||
"content": {
|
||
"PartTitle": "Average max concurrent sessions, by time",
|
||
"PartSubTitle": " "
|
||
}
|
||
},
|
||
"asset": {
|
||
"idInputName": "ComponentId",
|
||
"type": "ApplicationInsights"
|
||
}
|
||
}
|
||
},
|
||
"6": {
|
||
"position": {
|
||
"x": 6,
|
||
"y": 5,
|
||
"colSpan": 7,
|
||
"rowSpan": 4
|
||
},
|
||
"metadata": {
|
||
"inputs": [
|
||
{
|
||
"name": "ComponentId",
|
||
"value": {
|
||
"SubscriptionId": "{Subscription_Id}",
|
||
"ResourceGroup": "{Resource_Group}",
|
||
"Name": "{Workspace_Name}",
|
||
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
|
||
}
|
||
},
|
||
{
|
||
"name": "Query",
|
||
"value": "//volume by time\nCommonSecurityLog\n| where DeviceVendor =~ 'Cisco'\n| where DeviceProduct =~ 'ASA'\n| summarize Volme=count() by TimeGenerated\n"
|
||
},
|
||
{
|
||
"name": "Dimensions",
|
||
"value": {
|
||
"xAxis": {
|
||
"name": "TimeGenerated",
|
||
"type": "DateTime"
|
||
},
|
||
"yAxis": [
|
||
{
|
||
"name": "Volme",
|
||
"type": "Int64"
|
||
}
|
||
],
|
||
"splitBy": [],
|
||
"aggregation": "Sum"
|
||
}
|
||
},
|
||
{
|
||
"name": "Version",
|
||
"value": "1.0"
|
||
},
|
||
{
|
||
"name": "DashboardId",
|
||
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
|
||
},
|
||
{
|
||
"name": "PartId",
|
||
"value": "0a05ab08-5e9d-4073-8cba-1fd25c08a2a2"
|
||
},
|
||
{
|
||
"name": "PartTitle",
|
||
"value": "Analytics"
|
||
},
|
||
{
|
||
"name": "PartSubTitle",
|
||
"value": "{Workspace_Name}"
|
||
},
|
||
{
|
||
"name": "resourceTypeMode",
|
||
"value": "workspace"
|
||
},
|
||
{
|
||
"name": "ControlType",
|
||
"value": "AnalyticsChart"
|
||
},
|
||
{
|
||
"name": "SpecificChart",
|
||
"value": "Line"
|
||
},
|
||
{
|
||
"name": "TimeRange",
|
||
"value": "P1D"
|
||
}
|
||
],
|
||
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
|
||
"settings": {
|
||
"content": {
|
||
"PartTitle": "Event trends, by time",
|
||
"PartSubTitle": " "
|
||
}
|
||
},
|
||
"asset": {
|
||
"idInputName": "ComponentId",
|
||
"type": "ApplicationInsights"
|
||
}
|
||
}
|
||
},
|
||
"7": {
|
||
"position": {
|
||
"x": 13,
|
||
"y": 5,
|
||
"colSpan": 6,
|
||
"rowSpan": 4
|
||
},
|
||
"metadata": {
|
||
"inputs": [
|
||
{
|
||
"name": "ComponentId",
|
||
"value": {
|
||
"SubscriptionId": "{Subscription_Id}",
|
||
"ResourceGroup": "{Resource_Group}",
|
||
"Name": "{Workspace_Name}",
|
||
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
|
||
}
|
||
},
|
||
{
|
||
"name": "Query",
|
||
"value": "//severity by time\nCommonSecurityLog\n| where DeviceVendor =~ 'Cisco'\n| where DeviceProduct =~ 'ASA'\n| summarize SeverityVolume= count() by LogSeverity, TimeGenerated\n"
|
||
},
|
||
{
|
||
"name": "Dimensions",
|
||
"value": {
|
||
"xAxis": {
|
||
"name": "TimeGenerated",
|
||
"type": "DateTime"
|
||
},
|
||
"yAxis": [
|
||
{
|
||
"name": "SeverityVolume",
|
||
"type": "Int64"
|
||
}
|
||
],
|
||
"splitBy": [
|
||
{
|
||
"name": "LogSeverity",
|
||
"type": "String"
|
||
}
|
||
],
|
||
"aggregation": "Sum"
|
||
}
|
||
},
|
||
{
|
||
"name": "Version",
|
||
"value": "1.0"
|
||
},
|
||
{
|
||
"name": "DashboardId",
|
||
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
|
||
},
|
||
{
|
||
"name": "PartId",
|
||
"value": "97999b99-b3a8-4c07-8970-f3299f7cd50a"
|
||
},
|
||
{
|
||
"name": "PartTitle",
|
||
"value": "Analytics"
|
||
},
|
||
{
|
||
"name": "PartSubTitle",
|
||
"value": "{Workspace_Name}"
|
||
},
|
||
{
|
||
"name": "resourceTypeMode",
|
||
"value": "workspace"
|
||
},
|
||
{
|
||
"name": "ControlType",
|
||
"value": "AnalyticsChart"
|
||
},
|
||
{
|
||
"name": "SpecificChart",
|
||
"value": "Bar"
|
||
},
|
||
{
|
||
"name": "TimeRange",
|
||
"value": "P1D"
|
||
}
|
||
],
|
||
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
|
||
"settings": {
|
||
"content": {
|
||
"PartTitle": "Event severity, by time",
|
||
"PartSubTitle": " "
|
||
}
|
||
},
|
||
"asset": {
|
||
"idInputName": "ComponentId",
|
||
"type": "ApplicationInsights"
|
||
}
|
||
}
|
||
},
|
||
"8": {
|
||
"position": {
|
||
"x": 19,
|
||
"y": 5,
|
||
"colSpan": 6,
|
||
"rowSpan": 4
|
||
},
|
||
"metadata": {
|
||
"inputs": [
|
||
{
|
||
"name": "ComponentId",
|
||
"value": {
|
||
"SubscriptionId": "{Subscription_Id}",
|
||
"ResourceGroup": "{Resource_Group}",
|
||
"Name": "{Workspace_Name}",
|
||
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
|
||
}
|
||
},
|
||
{
|
||
"name": "Query",
|
||
"value": "//top 5 reason for packet drop\nCommonSecurityLog\n| where DeviceProduct =~ 'ASA'\n| where DeviceVendor =~ 'Cisco'\n| where DeviceEventClassID == '733100'\n| extend TraficType= extract('%ASA-4-733100: \\\\[(.*?)\\\\]',1,Message)\n| summarize AttackCount=count() by TraficType\n| top 5 by AttackCount desc\n"
|
||
},
|
||
{
|
||
"name": "Dimensions",
|
||
"value": {
|
||
"xAxis": {
|
||
"name": "TraficType",
|
||
"type": "String"
|
||
},
|
||
"yAxis": [
|
||
{
|
||
"name": "AttackCount",
|
||
"type": "Int64"
|
||
}
|
||
],
|
||
"splitBy": [],
|
||
"aggregation": "Sum"
|
||
}
|
||
},
|
||
{
|
||
"name": "Version",
|
||
"value": "1.0"
|
||
},
|
||
{
|
||
"name": "DashboardId",
|
||
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
|
||
},
|
||
{
|
||
"name": "PartId",
|
||
"value": "c179ca70-97c8-4398-b366-be6d295b5d9d"
|
||
},
|
||
{
|
||
"name": "PartTitle",
|
||
"value": "Analytics"
|
||
},
|
||
{
|
||
"name": "PartSubTitle",
|
||
"value": "{Workspace_Name}"
|
||
},
|
||
{
|
||
"name": "resourceTypeMode",
|
||
"value": "workspace"
|
||
},
|
||
{
|
||
"name": "ControlType",
|
||
"value": "AnalyticsDonut"
|
||
},
|
||
{
|
||
"name": "TimeRange",
|
||
"value": "P1D"
|
||
},
|
||
{
|
||
"name": "SpecificChart",
|
||
"isOptional": true
|
||
}
|
||
],
|
||
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
|
||
"settings": {
|
||
"content": {
|
||
"PartTitle": "Top 5 reasons for packet drop",
|
||
"PartSubTitle": " "
|
||
}
|
||
},
|
||
"asset": {
|
||
"idInputName": "ComponentId",
|
||
"type": "ApplicationInsights"
|
||
}
|
||
}
|
||
},
|
||
"9": {
|
||
"position": {
|
||
"x": 0,
|
||
"y": 9,
|
||
"colSpan": 25,
|
||
"rowSpan": 1
|
||
},
|
||
"metadata": {
|
||
"inputs": [],
|
||
"type": "Extension/HubsExtension/PartType/MarkdownPart",
|
||
"settings": {
|
||
"content": {
|
||
"settings": {
|
||
"content": "<div style='font-size:300%;'>Firewall log trends and activities</div>",
|
||
"title": "",
|
||
"subtitle": " "
|
||
}
|
||
}
|
||
}
|
||
}
|
||
},
|
||
"10": {
|
||
"position": {
|
||
"x": 0,
|
||
"y": 10,
|
||
"colSpan": 6,
|
||
"rowSpan": 4
|
||
},
|
||
"metadata": {
|
||
"inputs": [
|
||
{
|
||
"name": "ComponentId",
|
||
"value": {
|
||
"SubscriptionId": "{Subscription_Id}",
|
||
"ResourceGroup": "{Resource_Group}",
|
||
"Name": "{Workspace_Name}",
|
||
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
|
||
}
|
||
},
|
||
{
|
||
"name": "Query",
|
||
"value": "//Communication direction count by time\nCommonSecurityLog\n| where DeviceProduct =~ 'ASA'\n| where DeviceVendor =~ 'Cisco'\n| where CommunicationDirection != ''\n| summarize DirectionVolume=count() by CommunicationDirection, TimeGenerated\n"
|
||
},
|
||
{
|
||
"name": "Dimensions",
|
||
"value": {
|
||
"xAxis": {
|
||
"name": "TimeGenerated",
|
||
"type": "DateTime"
|
||
},
|
||
"yAxis": [
|
||
{
|
||
"name": "DirectionVolume",
|
||
"type": "Int64"
|
||
}
|
||
],
|
||
"splitBy": [
|
||
{
|
||
"name": "CommunicationDirection",
|
||
"type": "String"
|
||
}
|
||
],
|
||
"aggregation": "Sum"
|
||
}
|
||
},
|
||
{
|
||
"name": "Version",
|
||
"value": "1.0"
|
||
},
|
||
{
|
||
"name": "DashboardId",
|
||
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
|
||
},
|
||
{
|
||
"name": "PartId",
|
||
"value": "ecdf022f-f258-4d0b-a9f5-2e87a5c57d89"
|
||
},
|
||
{
|
||
"name": "PartTitle",
|
||
"value": "Analytics"
|
||
},
|
||
{
|
||
"name": "PartSubTitle",
|
||
"value": "{Workspace_Name}"
|
||
},
|
||
{
|
||
"name": "resourceTypeMode",
|
||
"value": "workspace"
|
||
},
|
||
{
|
||
"name": "ControlType",
|
||
"value": "AnalyticsChart"
|
||
},
|
||
{
|
||
"name": "SpecificChart",
|
||
"value": "Bar"
|
||
},
|
||
{
|
||
"name": "TimeRange",
|
||
"value": "P1D"
|
||
}
|
||
],
|
||
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
|
||
"settings": {
|
||
"content": {
|
||
"PartTitle": "Inbound Outbound Time Trend",
|
||
"PartSubTitle": " "
|
||
}
|
||
},
|
||
"asset": {
|
||
"idInputName": "ComponentId",
|
||
"type": "ApplicationInsights"
|
||
}
|
||
}
|
||
},
|
||
"11": {
|
||
"position": {
|
||
"x": 6,
|
||
"y": 10,
|
||
"colSpan": 6,
|
||
"rowSpan": 4
|
||
},
|
||
"metadata": {
|
||
"inputs": [
|
||
{
|
||
"name": "ComponentId",
|
||
"value": {
|
||
"SubscriptionId": "{Subscription_Id}",
|
||
"ResourceGroup": "{Resource_Group}",
|
||
"Name": "{Workspace_Name}",
|
||
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
|
||
}
|
||
},
|
||
{
|
||
"name": "Query",
|
||
"value": "//outbound\nCommonSecurityLog\n| where DeviceProduct =~ 'ASA'\n| where DeviceVendor =~ 'Cisco'\n| where CommunicationDirection contains 'outbound'\n| summarize TrafficVolume=count() by SimplifiedDeviceAction, TimeGenerated\n"
|
||
},
|
||
{
|
||
"name": "Dimensions",
|
||
"value": {
|
||
"xAxis": {
|
||
"name": "TimeGenerated",
|
||
"type": "DateTime"
|
||
},
|
||
"yAxis": [
|
||
{
|
||
"name": "TrafficVolume",
|
||
"type": "Int64"
|
||
}
|
||
],
|
||
"splitBy": [
|
||
{
|
||
"name": "SimplifiedDeviceAction",
|
||
"type": "String"
|
||
}
|
||
],
|
||
"aggregation": "Sum"
|
||
}
|
||
},
|
||
{
|
||
"name": "Version",
|
||
"value": "1.0"
|
||
},
|
||
{
|
||
"name": "DashboardId",
|
||
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
|
||
},
|
||
{
|
||
"name": "PartId",
|
||
"value": "6c479c3a-08af-4814-aed6-d92fa263d9cb"
|
||
},
|
||
{
|
||
"name": "PartTitle",
|
||
"value": "Analytics"
|
||
},
|
||
{
|
||
"name": "PartSubTitle",
|
||
"value": "{Workspace_Name}"
|
||
},
|
||
{
|
||
"name": "resourceTypeMode",
|
||
"value": "workspace"
|
||
},
|
||
{
|
||
"name": "ControlType",
|
||
"value": "AnalyticsChart"
|
||
},
|
||
{
|
||
"name": "SpecificChart",
|
||
"value": "Bar"
|
||
},
|
||
{
|
||
"name": "TimeRange",
|
||
"value": "P1D"
|
||
}
|
||
],
|
||
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
|
||
"settings": {
|
||
"content": {
|
||
"PartTitle": "Outbound traffic connection, by time",
|
||
"PartSubTitle": " "
|
||
}
|
||
},
|
||
"asset": {
|
||
"idInputName": "ComponentId",
|
||
"type": "ApplicationInsights"
|
||
}
|
||
}
|
||
},
|
||
"12": {
|
||
"position": {
|
||
"x": 12,
|
||
"y": 10,
|
||
"colSpan": 6,
|
||
"rowSpan": 4
|
||
},
|
||
"metadata": {
|
||
"inputs": [
|
||
{
|
||
"name": "ComponentId",
|
||
"value": {
|
||
"SubscriptionId": "{Subscription_Id}",
|
||
"ResourceGroup": "{Resource_Group}",
|
||
"Name": "{Workspace_Name}",
|
||
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
|
||
}
|
||
},
|
||
{
|
||
"name": "Query",
|
||
"value": "//allowed vs denied for inbound\nCommonSecurityLog\n| where DeviceProduct =~ 'ASA'\n| where DeviceVendor =~ 'Cisco'\n| where CommunicationDirection contains 'inbound'\n| where SimplifiedDeviceAction in ('Deny', 'Allow')\n| summarize TrafficVolume=count() by SimplifiedDeviceAction, TimeGenerated\n"
|
||
},
|
||
{
|
||
"name": "Dimensions",
|
||
"value": {
|
||
"xAxis": {
|
||
"name": "TimeGenerated",
|
||
"type": "DateTime"
|
||
},
|
||
"yAxis": [
|
||
{
|
||
"name": "TrafficVolume",
|
||
"type": "Int64"
|
||
}
|
||
],
|
||
"splitBy": [
|
||
{
|
||
"name": "SimplifiedDeviceAction",
|
||
"type": "String"
|
||
}
|
||
],
|
||
"aggregation": "Sum"
|
||
}
|
||
},
|
||
{
|
||
"name": "Version",
|
||
"value": "1.0"
|
||
},
|
||
{
|
||
"name": "DashboardId",
|
||
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
|
||
},
|
||
{
|
||
"name": "PartId",
|
||
"value": "6b76c1d9-8896-4cb0-8cc7-29e599fca0fd"
|
||
},
|
||
{
|
||
"name": "PartTitle",
|
||
"value": "Analytics"
|
||
},
|
||
{
|
||
"name": "PartSubTitle",
|
||
"value": "{Workspace_Name}"
|
||
},
|
||
{
|
||
"name": "resourceTypeMode",
|
||
"value": "workspace"
|
||
},
|
||
{
|
||
"name": "ControlType",
|
||
"value": "AnalyticsChart"
|
||
},
|
||
{
|
||
"name": "SpecificChart",
|
||
"value": "Bar"
|
||
},
|
||
{
|
||
"name": "TimeRange",
|
||
"value": "P1D"
|
||
}
|
||
],
|
||
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
|
||
"settings": {
|
||
"content": {
|
||
"PartTitle": "Inbound traffic events, by time",
|
||
"PartSubTitle": " "
|
||
}
|
||
},
|
||
"asset": {
|
||
"idInputName": "ComponentId",
|
||
"type": "ApplicationInsights"
|
||
}
|
||
}
|
||
},
|
||
"13": {
|
||
"position": {
|
||
"x": 18,
|
||
"y": 10,
|
||
"colSpan": 6,
|
||
"rowSpan": 4
|
||
},
|
||
"metadata": {
|
||
"inputs": [
|
||
{
|
||
"name": "ComponentId",
|
||
"value": {
|
||
"SubscriptionId": "{Subscription_Id}",
|
||
"ResourceGroup": "{Resource_Group}",
|
||
"Name": "{Workspace_Name}",
|
||
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
|
||
}
|
||
},
|
||
{
|
||
"name": "Query",
|
||
"value": "//Communication direction count\nCommonSecurityLog\n| where DeviceProduct =~ 'ASA'\n| where DeviceVendor =~ 'Cisco'\n| where CommunicationDirection != ''\n| summarize DirectionVolume=count() by CommunicationDirection\n"
|
||
},
|
||
{
|
||
"name": "Dimensions",
|
||
"value": {
|
||
"xAxis": {
|
||
"name": "CommunicationDirection",
|
||
"type": "String"
|
||
},
|
||
"yAxis": [
|
||
{
|
||
"name": "DirectionVolume",
|
||
"type": "Int64"
|
||
}
|
||
],
|
||
"splitBy": [],
|
||
"aggregation": "Sum"
|
||
}
|
||
},
|
||
{
|
||
"name": "Version",
|
||
"value": "1.0"
|
||
},
|
||
{
|
||
"name": "DashboardId",
|
||
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
|
||
},
|
||
{
|
||
"name": "PartId",
|
||
"value": "f0dc387c-fe5e-4ec2-a418-a4d314a5e3c1"
|
||
},
|
||
{
|
||
"name": "PartTitle",
|
||
"value": "Analytics"
|
||
},
|
||
{
|
||
"name": "PartSubTitle",
|
||
"value": "{Workspace_Name}"
|
||
},
|
||
{
|
||
"name": "resourceTypeMode",
|
||
"value": "workspace"
|
||
},
|
||
{
|
||
"name": "ControlType",
|
||
"value": "AnalyticsDonut"
|
||
},
|
||
{
|
||
"name": "TimeRange",
|
||
"value": "P1D"
|
||
},
|
||
{
|
||
"name": "SpecificChart",
|
||
"isOptional": true
|
||
}
|
||
],
|
||
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
|
||
"settings": {
|
||
"content": {
|
||
"PartTitle": "Summary of inbound and outbound traffic",
|
||
"PartSubTitle": " "
|
||
}
|
||
},
|
||
"asset": {
|
||
"idInputName": "ComponentId",
|
||
"type": "ApplicationInsights"
|
||
}
|
||
}
|
||
},
|
||
"14": {
|
||
"position": {
|
||
"x": 24,
|
||
"y": 10,
|
||
"colSpan": 6,
|
||
"rowSpan": 4
|
||
},
|
||
"metadata": {
|
||
"inputs": [
|
||
{
|
||
"name": "ComponentId",
|
||
"value": {
|
||
"SubscriptionId": "{Subscription_Id}",
|
||
"ResourceGroup": "{Resource_Group}",
|
||
"Name": "{Workspace_Name}",
|
||
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
|
||
}
|
||
},
|
||
{
|
||
"name": "Query",
|
||
"value": "//Reason for packet Drop time trend\nCommonSecurityLog\n| where DeviceProduct =~ 'ASA'\n| where DeviceVendor =~ 'Cisco'\n| where DeviceEventClassID == '733100'\n| extend TraficType= extract('%ASA-4-733100: \\\\[(.*?)\\\\]',1,Message)\n| summarize AttackCount=count() by TraficType, TimeGenerated\n"
|
||
},
|
||
{
|
||
"name": "Dimensions",
|
||
"value": {
|
||
"xAxis": {
|
||
"name": "TimeGenerated",
|
||
"type": "DateTime"
|
||
},
|
||
"yAxis": [
|
||
{
|
||
"name": "AttackCount",
|
||
"type": "Int64"
|
||
}
|
||
],
|
||
"splitBy": [
|
||
{
|
||
"name": "TraficType",
|
||
"type": "String"
|
||
}
|
||
],
|
||
"aggregation": "Sum"
|
||
}
|
||
},
|
||
{
|
||
"name": "Version",
|
||
"value": "1.0"
|
||
},
|
||
{
|
||
"name": "DashboardId",
|
||
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
|
||
},
|
||
{
|
||
"name": "PartId",
|
||
"value": "2d3b7b1c-cfd0-4bb8-ad55-578d74c3a15d"
|
||
},
|
||
{
|
||
"name": "PartTitle",
|
||
"value": "Analytics"
|
||
},
|
||
{
|
||
"name": "PartSubTitle",
|
||
"value": "{Workspace_Name}"
|
||
},
|
||
{
|
||
"name": "resourceTypeMode",
|
||
"value": "workspace"
|
||
},
|
||
{
|
||
"name": "ControlType",
|
||
"value": "AnalyticsChart"
|
||
},
|
||
{
|
||
"name": "SpecificChart",
|
||
"value": "Bar"
|
||
},
|
||
{
|
||
"name": "TimeRange",
|
||
"value": "P1D"
|
||
}
|
||
],
|
||
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
|
||
"settings": {
|
||
"content": {
|
||
"PartTitle": "Reason for packet drop, by time",
|
||
"PartSubTitle": " "
|
||
}
|
||
},
|
||
"asset": {
|
||
"idInputName": "ComponentId",
|
||
"type": "ApplicationInsights"
|
||
}
|
||
}
|
||
},
|
||
"15": {
|
||
"position": {
|
||
"x": 0,
|
||
"y": 14,
|
||
"colSpan": 25,
|
||
"rowSpan": 1
|
||
},
|
||
"metadata": {
|
||
"inputs": [],
|
||
"type": "Extension/HubsExtension/PartType/MarkdownPart",
|
||
"settings": {
|
||
"content": {
|
||
"settings": {
|
||
"content": "<div style='font-size:300%;'>Top 5 allowed and blocked ports</div>\n",
|
||
"title": "",
|
||
"subtitle": " "
|
||
}
|
||
}
|
||
}
|
||
}
|
||
},
|
||
"16": {
|
||
"position": {
|
||
"x": 0,
|
||
"y": 15,
|
||
"colSpan": 6,
|
||
"rowSpan": 4
|
||
},
|
||
"metadata": {
|
||
"inputs": [
|
||
{
|
||
"name": "ComponentId",
|
||
"value": {
|
||
"SubscriptionId": "{Subscription_Id}",
|
||
"ResourceGroup": "{Resource_Group}",
|
||
"Name": "{Workspace_Name}"
|
||
}
|
||
},
|
||
{
|
||
"name": "Query",
|
||
"value": "//top 5 port inbound Allow \nCommonSecurityLog \n| where DeviceProduct =~ 'ASA' \n| where DeviceVendor =~ 'Cisco' \n| where DeviceEventClassID == '106100' \n| where SimplifiedDeviceAction == 'Allow' \n| where Message contains ' -> inside' \n| extend DestinationPortS=tostring(DestinationPort) \n| summarize PortCount=count() by DestinationPortS \n| top 5 by PortCount desc"
|
||
},
|
||
{
|
||
"name": "TimeRange",
|
||
"value": "P1D"
|
||
},
|
||
{
|
||
"name": "Dimensions",
|
||
"value": {
|
||
"xAxis": {
|
||
"name": "DestinationPortS",
|
||
"type": "String"
|
||
},
|
||
"yAxis": [
|
||
{
|
||
"name": "PortCount",
|
||
"type": "Int64"
|
||
}
|
||
],
|
||
"splitBy": [],
|
||
"aggregation": "Sum"
|
||
}
|
||
},
|
||
{
|
||
"name": "Version",
|
||
"value": "1.0"
|
||
},
|
||
{
|
||
"name": "DashboardId",
|
||
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
|
||
},
|
||
{
|
||
"name": "PartId",
|
||
"value": "eb8b5c71-cb66-4b8c-a05e-e128d1c24005"
|
||
},
|
||
{
|
||
"name": "PartTitle",
|
||
"value": "Analytics"
|
||
},
|
||
{
|
||
"name": "PartSubTitle",
|
||
"value": "{Workspace_Name}"
|
||
},
|
||
{
|
||
"name": "resourceTypeMode",
|
||
"value": "workspace"
|
||
},
|
||
{
|
||
"name": "ControlType",
|
||
"value": "AnalyticsChart"
|
||
},
|
||
{
|
||
"name": "SpecificChart",
|
||
"value": "Bar"
|
||
}
|
||
],
|
||
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
|
||
"settings": {
|
||
"content": {
|
||
"PartTitle": "Top 5 allowed inbound ports",
|
||
"PartSubTitle": " "
|
||
}
|
||
},
|
||
"asset": {
|
||
"idInputName": "ComponentId",
|
||
"type": "ApplicationInsights"
|
||
}
|
||
}
|
||
},
|
||
"17": {
|
||
"position": {
|
||
"x": 6,
|
||
"y": 15,
|
||
"colSpan": 6,
|
||
"rowSpan": 4
|
||
},
|
||
"metadata": {
|
||
"inputs": [
|
||
{
|
||
"name": "ComponentId",
|
||
"value": {
|
||
"SubscriptionId": "{Subscription_Id}",
|
||
"ResourceGroup": "{Resource_Group}",
|
||
"Name": "{Workspace_Name}",
|
||
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
|
||
}
|
||
},
|
||
{
|
||
"name": "Query",
|
||
"value": "//top 5 port inbound deny\nCommonSecurityLog\n| where DeviceProduct =~ 'ASA'\n| where DeviceVendor =~ 'Cisco'\n| where CommunicationDirection contains 'inbound'\n| where SimplifiedDeviceAction == 'Deny'\n| extend DestinationPortS=tostring(DestinationPort)\n| summarize PortCount=count() by DestinationPortS\n| top 5 by PortCount desc\n"
|
||
},
|
||
{
|
||
"name": "Dimensions",
|
||
"value": {
|
||
"xAxis": {
|
||
"name": "DestinationPortS",
|
||
"type": "String"
|
||
},
|
||
"yAxis": [
|
||
{
|
||
"name": "PortCount",
|
||
"type": "Int64"
|
||
}
|
||
],
|
||
"splitBy": [],
|
||
"aggregation": "Sum"
|
||
}
|
||
},
|
||
{
|
||
"name": "Version",
|
||
"value": "1.0"
|
||
},
|
||
{
|
||
"name": "DashboardId",
|
||
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
|
||
},
|
||
{
|
||
"name": "PartId",
|
||
"value": "3ea9408e-4fda-4e29-90cf-c8fc01db6b74"
|
||
},
|
||
{
|
||
"name": "PartTitle",
|
||
"value": "Analytics"
|
||
},
|
||
{
|
||
"name": "PartSubTitle",
|
||
"value": "{Workspace_Name}"
|
||
},
|
||
{
|
||
"name": "resourceTypeMode",
|
||
"value": "workspace"
|
||
},
|
||
{
|
||
"name": "ControlType",
|
||
"value": "AnalyticsChart"
|
||
},
|
||
{
|
||
"name": "SpecificChart",
|
||
"value": "Bar"
|
||
},
|
||
{
|
||
"name": "TimeRange",
|
||
"value": "P1D"
|
||
}
|
||
],
|
||
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
|
||
"settings": {
|
||
"content": {
|
||
"PartTitle": "Top 5 blocked inbound ports",
|
||
"PartSubTitle": " "
|
||
}
|
||
},
|
||
"asset": {
|
||
"idInputName": "ComponentId",
|
||
"type": "ApplicationInsights"
|
||
}
|
||
}
|
||
},
|
||
"18": {
|
||
"position": {
|
||
"x": 12,
|
||
"y": 15,
|
||
"colSpan": 6,
|
||
"rowSpan": 4
|
||
},
|
||
"metadata": {
|
||
"inputs": [
|
||
{
|
||
"name": "ComponentId",
|
||
"value": {
|
||
"SubscriptionId": "{Subscription_Id}",
|
||
"ResourceGroup": "{Resource_Group}",
|
||
"Name": "{Workspace_Name}",
|
||
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
|
||
}
|
||
},
|
||
{
|
||
"name": "Query",
|
||
"value": "//top 5 port outbound Allow\nCommonSecurityLog\n| where DeviceProduct =~ 'ASA'\n| where DeviceVendor =~ 'Cisco'\n| where DeviceEventClassID == '106100'\n| where SimplifiedDeviceAction == 'Allow'\n| where Message contains ' -> management'\n| extend DestinationPortS=tostring(DestinationPort)\n| summarize PortCount=count() by DestinationPortS\n| top 5 by PortCount desc\n"
|
||
},
|
||
{
|
||
"name": "Dimensions",
|
||
"value": {
|
||
"xAxis": {
|
||
"name": "DestinationPortS",
|
||
"type": "String"
|
||
},
|
||
"yAxis": [
|
||
{
|
||
"name": "PortCount",
|
||
"type": "Int64"
|
||
}
|
||
],
|
||
"splitBy": [],
|
||
"aggregation": "Sum"
|
||
}
|
||
},
|
||
{
|
||
"name": "Version",
|
||
"value": "1.0"
|
||
},
|
||
{
|
||
"name": "DashboardId",
|
||
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
|
||
},
|
||
{
|
||
"name": "PartId",
|
||
"value": "beaae82d-5eb9-45f9-a31c-1f96dec4eae4"
|
||
},
|
||
{
|
||
"name": "PartTitle",
|
||
"value": "Analytics"
|
||
},
|
||
{
|
||
"name": "PartSubTitle",
|
||
"value": "{Workspace_Name}"
|
||
},
|
||
{
|
||
"name": "resourceTypeMode",
|
||
"value": "workspace"
|
||
},
|
||
{
|
||
"name": "ControlType",
|
||
"value": "AnalyticsDonut"
|
||
},
|
||
{
|
||
"name": "TimeRange",
|
||
"value": "P1D"
|
||
},
|
||
{
|
||
"name": "SpecificChart",
|
||
"isOptional": true
|
||
}
|
||
],
|
||
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
|
||
"settings": {
|
||
"content": {
|
||
"PartTitle": "Top 5 allowed outbound ports",
|
||
"PartSubTitle": " "
|
||
}
|
||
},
|
||
"asset": {
|
||
"idInputName": "ComponentId",
|
||
"type": "ApplicationInsights"
|
||
}
|
||
}
|
||
},
|
||
"19": {
|
||
"position": {
|
||
"x": 18,
|
||
"y": 15,
|
||
"colSpan": 7,
|
||
"rowSpan": 4
|
||
},
|
||
"metadata": {
|
||
"inputs": [
|
||
{
|
||
"name": "ComponentId",
|
||
"value": {
|
||
"SubscriptionId": "{Subscription_Id}",
|
||
"ResourceGroup": "{Resource_Group}",
|
||
"Name": "{Workspace_Name}",
|
||
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
|
||
}
|
||
},
|
||
{
|
||
"name": "Query",
|
||
"value": "//Top 5 Outbound Ports Denied \nCommonSecurityLog \n| where DeviceProduct =~ 'ASA' \n| where DeviceVendor =~ 'Cisco'"
|
||
},
|
||
{
|
||
"name": "Version",
|
||
"value": "1.0"
|
||
},
|
||
{
|
||
"name": "DashboardId",
|
||
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
|
||
},
|
||
{
|
||
"name": "PartId",
|
||
"value": "7678ddf2-f79c-49e8-946f-4427c72006be"
|
||
},
|
||
{
|
||
"name": "PartTitle",
|
||
"value": "Analytics"
|
||
},
|
||
{
|
||
"name": "PartSubTitle",
|
||
"value": "{Workspace_Name}"
|
||
},
|
||
{
|
||
"name": "resourceTypeMode",
|
||
"value": "workspace"
|
||
},
|
||
{
|
||
"name": "ControlType",
|
||
"value": "AnalyticsGrid"
|
||
},
|
||
{
|
||
"name": "Dimensions",
|
||
"isOptional": true
|
||
},
|
||
{
|
||
"name": "TimeRange",
|
||
"value": "P1D"
|
||
},
|
||
{
|
||
"name": "SpecificChart",
|
||
"isOptional": true
|
||
}
|
||
],
|
||
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
|
||
"settings": {
|
||
"content": {
|
||
"PartTitle": "Top 5 denied outbound ports",
|
||
"PartSubTitle": " ",
|
||
"Query": "//Top 5 Outbound Ports Denied\nCommonSecurityLog\n| where DeviceProduct =~ 'ASA'\n| where DeviceVendor =~ 'Cisco'\n| where CommunicationDirection contains 'outbound'\n| where SimplifiedDeviceAction == 'Deny' \n| extend DestinationPortS=tostring(DestinationPort) \n| summarize PortCount=count() by DestinationPortS\n| top 5 by PortCount desc "
|
||
}
|
||
},
|
||
"asset": {
|
||
"idInputName": "ComponentId",
|
||
"type": "ApplicationInsights"
|
||
}
|
||
}
|
||
},
|
||
"20": {
|
||
"position": {
|
||
"x": 0,
|
||
"y": 19,
|
||
"colSpan": 25,
|
||
"rowSpan": 1
|
||
},
|
||
"metadata": {
|
||
"inputs": [],
|
||
"type": "Extension/HubsExtension/PartType/MarkdownPart",
|
||
"settings": {
|
||
"content": {
|
||
"settings": {
|
||
"content": "<div style='font-size:300%;'>Top 5 allowed and blocked IP addresses</div>",
|
||
"title": "",
|
||
"subtitle": " "
|
||
}
|
||
}
|
||
}
|
||
}
|
||
},
|
||
"21": {
|
||
"position": {
|
||
"x": 0,
|
||
"y": 20,
|
||
"colSpan": 6,
|
||
"rowSpan": 4
|
||
},
|
||
"metadata": {
|
||
"inputs": [
|
||
{
|
||
"name": "ComponentId",
|
||
"value": {
|
||
"SubscriptionId": "{Subscription_Id}",
|
||
"ResourceGroup": "{Resource_Group}",
|
||
"Name": "{Workspace_Name}",
|
||
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
|
||
}
|
||
},
|
||
{
|
||
"name": "Query",
|
||
"value": "//top 5 protocol Deny\nCommonSecurityLog\n| where DeviceProduct =~ 'ASA'\n| where DeviceVendor =~ 'Cisco'\n| where Protocol != ''\n| where SimplifiedDeviceAction == 'Deny'\n| summarize ProtocolCount= count() by Protocol\n| top 5 by ProtocolCount\n"
|
||
},
|
||
{
|
||
"name": "Dimensions",
|
||
"value": {
|
||
"xAxis": {
|
||
"name": "Protocol",
|
||
"type": "String"
|
||
},
|
||
"yAxis": [
|
||
{
|
||
"name": "ProtocolCount",
|
||
"type": "Int64"
|
||
}
|
||
],
|
||
"splitBy": [],
|
||
"aggregation": "Sum"
|
||
}
|
||
},
|
||
{
|
||
"name": "Version",
|
||
"value": "1.0"
|
||
},
|
||
{
|
||
"name": "DashboardId",
|
||
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
|
||
},
|
||
{
|
||
"name": "PartId",
|
||
"value": "cafb54c2-f6ea-4fcc-a5a4-bdf0f3a88da4"
|
||
},
|
||
{
|
||
"name": "PartTitle",
|
||
"value": "Analytics"
|
||
},
|
||
{
|
||
"name": "PartSubTitle",
|
||
"value": "{Workspace_Name}"
|
||
},
|
||
{
|
||
"name": "resourceTypeMode",
|
||
"value": "workspace"
|
||
},
|
||
{
|
||
"name": "ControlType",
|
||
"value": "AnalyticsDonut"
|
||
},
|
||
{
|
||
"name": "TimeRange",
|
||
"value": "P1D"
|
||
},
|
||
{
|
||
"name": "SpecificChart",
|
||
"isOptional": true
|
||
}
|
||
],
|
||
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
|
||
"settings": {
|
||
"content": {
|
||
"PartTitle": "Top 5 denied protocols",
|
||
"PartSubTitle": " "
|
||
}
|
||
},
|
||
"asset": {
|
||
"idInputName": "ComponentId",
|
||
"type": "ApplicationInsights"
|
||
}
|
||
}
|
||
},
|
||
"22": {
|
||
"position": {
|
||
"x": 6,
|
||
"y": 20,
|
||
"colSpan": 6,
|
||
"rowSpan": 4
|
||
},
|
||
"metadata": {
|
||
"inputs": [
|
||
{
|
||
"name": "ComponentId",
|
||
"value": {
|
||
"SubscriptionId": "{Subscription_Id}",
|
||
"ResourceGroup": "{Resource_Group}",
|
||
"Name": "{Workspace_Name}",
|
||
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
|
||
}
|
||
},
|
||
{
|
||
"name": "Query",
|
||
"value": "//top 5 protocol Allow\nCommonSecurityLog\n| where DeviceProduct =~ 'ASA'\n| where DeviceVendor =~ 'Cisco'\n| where Protocol != ''\n| where SimplifiedDeviceAction == 'Allow'\n| summarize ProtocolCount= count() by Protocol\n| top 5 by ProtocolCount\n"
|
||
},
|
||
{
|
||
"name": "Dimensions",
|
||
"value": {
|
||
"xAxis": {
|
||
"name": "Protocol",
|
||
"type": "String"
|
||
},
|
||
"yAxis": [
|
||
{
|
||
"name": "ProtocolCount",
|
||
"type": "Int64"
|
||
}
|
||
],
|
||
"splitBy": [],
|
||
"aggregation": "Sum"
|
||
}
|
||
},
|
||
{
|
||
"name": "Version",
|
||
"value": "1.0"
|
||
},
|
||
{
|
||
"name": "DashboardId",
|
||
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
|
||
},
|
||
{
|
||
"name": "PartId",
|
||
"value": "cb958e69-b8cb-4e78-9bf1-0510feaccf0e"
|
||
},
|
||
{
|
||
"name": "PartTitle",
|
||
"value": "Analytics"
|
||
},
|
||
{
|
||
"name": "PartSubTitle",
|
||
"value": "{Workspace_Name}"
|
||
},
|
||
{
|
||
"name": "resourceTypeMode",
|
||
"value": "workspace"
|
||
},
|
||
{
|
||
"name": "ControlType",
|
||
"value": "AnalyticsChart"
|
||
},
|
||
{
|
||
"name": "SpecificChart",
|
||
"value": "Bar"
|
||
},
|
||
{
|
||
"name": "TimeRange",
|
||
"value": "P1D"
|
||
}
|
||
],
|
||
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
|
||
"settings": {
|
||
"content": {
|
||
"PartTitle": "Top 5 allowed protocols",
|
||
"PartSubTitle": " "
|
||
}
|
||
},
|
||
"asset": {
|
||
"idInputName": "ComponentId",
|
||
"type": "ApplicationInsights"
|
||
}
|
||
}
|
||
},
|
||
"23": {
|
||
"position": {
|
||
"x": 12,
|
||
"y": 20,
|
||
"colSpan": 6,
|
||
"rowSpan": 4
|
||
},
|
||
"metadata": {
|
||
"inputs": [
|
||
{
|
||
"name": "ComponentId",
|
||
"value": {
|
||
"SubscriptionId": "{Subscription_Id}",
|
||
"ResourceGroup": "{Resource_Group}",
|
||
"Name": "{Workspace_Name}",
|
||
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
|
||
}
|
||
},
|
||
{
|
||
"name": "Query",
|
||
"value": "//Top 5 Inbound Destination IP Addresses Blocked \nCommonSecurityLog \n| where DeviceProduct =~ 'ASA' \n| where DeviceVendor =~ 'Cisco' \n| where CommunicationDirection contains 'inbound' \n| where SimplifiedDeviceAction == 'Deny' \n| summarize IpCount= count() by DestinationIP \n| top 5 by IpCount desc nulls last \n"
|
||
},
|
||
{
|
||
"name": "Version",
|
||
"value": "1.0"
|
||
},
|
||
{
|
||
"name": "DashboardId",
|
||
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
|
||
},
|
||
{
|
||
"name": "PartId",
|
||
"value": "66d7c8bd-58bf-4b6f-bb4e-2c76f2a2782f"
|
||
},
|
||
{
|
||
"name": "PartTitle",
|
||
"value": "Analytics"
|
||
},
|
||
{
|
||
"name": "PartSubTitle",
|
||
"value": "{Workspace_Name}"
|
||
},
|
||
{
|
||
"name": "resourceTypeMode",
|
||
"value": "workspace"
|
||
},
|
||
{
|
||
"name": "ControlType",
|
||
"value": "AnalyticsGrid"
|
||
},
|
||
{
|
||
"name": "Dimensions",
|
||
"isOptional": true
|
||
},
|
||
{
|
||
"name": "TimeRange",
|
||
"value": "P1D"
|
||
},
|
||
{
|
||
"name": "SpecificChart",
|
||
"isOptional": true
|
||
}
|
||
],
|
||
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
|
||
"settings": {
|
||
"content": {
|
||
"PartTitle": "Top 5 blocked inbound destination IP addresses",
|
||
"PartSubTitle": " "
|
||
}
|
||
},
|
||
"asset": {
|
||
"idInputName": "ComponentId",
|
||
"type": "ApplicationInsights"
|
||
}
|
||
}
|
||
},
|
||
"24": {
|
||
"position": {
|
||
"x": 18,
|
||
"y": 20,
|
||
"colSpan": 7,
|
||
"rowSpan": 4
|
||
},
|
||
"metadata": {
|
||
"inputs": [
|
||
{
|
||
"name": "ComponentId",
|
||
"value": {
|
||
"SubscriptionId": "{Subscription_Id}",
|
||
"ResourceGroup": "{Resource_Group}",
|
||
"Name": "{Workspace_Name}",
|
||
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
|
||
}
|
||
},
|
||
{
|
||
"name": "Query",
|
||
"value": "//Top 5 Inbound Destination IP Addresses Allowed \nCommonSecurityLog \n| where DeviceProduct =~ 'ASA' \n| where DeviceVendor =~ 'Cisco' \n| where CommunicationDirection contains 'inbound' \n| where DestinationIP != '' \n| where SimplifiedDeviceAction == 'Allow' or SimplifiedDeviceAction == 'Built' \n| summarize IpCount= count() by DestinationIP \n| top 5 by IpCount desc nulls last"
|
||
},
|
||
{
|
||
"name": "Version",
|
||
"value": "1.0"
|
||
},
|
||
{
|
||
"name": "DashboardId",
|
||
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
|
||
},
|
||
{
|
||
"name": "PartId",
|
||
"value": "80ffa6c5-fc20-4f72-9938-547dd8b0b80e"
|
||
},
|
||
{
|
||
"name": "PartTitle",
|
||
"value": "Analytics"
|
||
},
|
||
{
|
||
"name": "PartSubTitle",
|
||
"value": "{Workspace_Name}"
|
||
},
|
||
{
|
||
"name": "resourceTypeMode",
|
||
"value": "workspace"
|
||
},
|
||
{
|
||
"name": "ControlType",
|
||
"value": "AnalyticsGrid"
|
||
},
|
||
{
|
||
"name": "Dimensions",
|
||
"isOptional": true
|
||
},
|
||
{
|
||
"name": "TimeRange",
|
||
"value": "P1D"
|
||
},
|
||
{
|
||
"name": "SpecificChart",
|
||
"isOptional": true
|
||
}
|
||
],
|
||
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
|
||
"settings": {
|
||
"content": {
|
||
"PartTitle": "Top 5 allowed inbound destination IP addresses",
|
||
"PartSubTitle": " "
|
||
}
|
||
},
|
||
"asset": {
|
||
"idInputName": "ComponentId",
|
||
"type": "ApplicationInsights"
|
||
}
|
||
}
|
||
},
|
||
"25": {
|
||
"position": {
|
||
"x": 0,
|
||
"y": 24,
|
||
"colSpan": 6,
|
||
"rowSpan": 4
|
||
},
|
||
"metadata": {
|
||
"inputs": [
|
||
{
|
||
"name": "ComponentId",
|
||
"value": {
|
||
"SubscriptionId": "{Subscription_Id}",
|
||
"ResourceGroup": "{Resource_Group}",
|
||
"Name": "{Workspace_Name}",
|
||
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
|
||
}
|
||
},
|
||
{
|
||
"name": "Query",
|
||
"value": "//top 5 outbound deny dst ip\nCommonSecurityLog\n| where DeviceProduct =~ 'ASA'\n| where DeviceVendor =~ 'Cisco'\n| where DeviceEventClassID == '106100'\n| where SimplifiedDeviceAction == 'Deny'\n| where Message contains ' -> management'\n| summarize IpCount= count() by DestinationIP\n| top 5 by IpCount desc nulls last\n"
|
||
},
|
||
{
|
||
"name": "Dimensions",
|
||
"value": {
|
||
"xAxis": {
|
||
"name": "DestinationIP",
|
||
"type": "String"
|
||
},
|
||
"yAxis": [
|
||
{
|
||
"name": "IpCount",
|
||
"type": "Int64"
|
||
}
|
||
],
|
||
"splitBy": [],
|
||
"aggregation": "Sum"
|
||
}
|
||
},
|
||
{
|
||
"name": "Version",
|
||
"value": "1.0"
|
||
},
|
||
{
|
||
"name": "DashboardId",
|
||
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
|
||
},
|
||
{
|
||
"name": "PartId",
|
||
"value": "4db3575b-7a7e-4add-b14e-7d0aceeb1633"
|
||
},
|
||
{
|
||
"name": "PartTitle",
|
||
"value": "Analytics"
|
||
},
|
||
{
|
||
"name": "PartSubTitle",
|
||
"value": "{Workspace_Name}"
|
||
},
|
||
{
|
||
"name": "resourceTypeMode",
|
||
"value": "workspace"
|
||
},
|
||
{
|
||
"name": "ControlType",
|
||
"value": "AnalyticsChart"
|
||
},
|
||
{
|
||
"name": "SpecificChart",
|
||
"value": "Bar"
|
||
},
|
||
{
|
||
"name": "TimeRange",
|
||
"value": "P1D"
|
||
}
|
||
],
|
||
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
|
||
"settings": {
|
||
"content": {
|
||
"PartTitle": "Top 5 denied outbound destination IP addresses",
|
||
"PartSubTitle": " "
|
||
}
|
||
},
|
||
"asset": {
|
||
"idInputName": "ComponentId",
|
||
"type": "ApplicationInsights"
|
||
}
|
||
}
|
||
},
|
||
"26": {
|
||
"position": {
|
||
"x": 6,
|
||
"y": 24,
|
||
"colSpan": 6,
|
||
"rowSpan": 4
|
||
},
|
||
"metadata": {
|
||
"inputs": [
|
||
{
|
||
"name": "ComponentId",
|
||
"value": {
|
||
"SubscriptionId": "{Subscription_Id}",
|
||
"ResourceGroup": "{Resource_Group}",
|
||
"Name": "{Workspace_Name}",
|
||
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
|
||
}
|
||
},
|
||
{
|
||
"name": "Query",
|
||
"value": "//top 5 outbound Allow dst ip\nCommonSecurityLog\n| where DeviceProduct =~ 'ASA'\n| where DeviceVendor =~ 'Cisco'\n| where DeviceEventClassID == '106100'\n| where SimplifiedDeviceAction == 'Allow'\n| where Message contains ' -> management'\n| summarize IpCount= count() by DestinationIP\n| top 5 by IpCount desc nulls last\n"
|
||
},
|
||
{
|
||
"name": "Dimensions",
|
||
"value": {
|
||
"xAxis": {
|
||
"name": "DestinationIP",
|
||
"type": "String"
|
||
},
|
||
"yAxis": [
|
||
{
|
||
"name": "IpCount",
|
||
"type": "Int64"
|
||
}
|
||
],
|
||
"splitBy": [],
|
||
"aggregation": "Sum"
|
||
}
|
||
},
|
||
{
|
||
"name": "Version",
|
||
"value": "1.0"
|
||
},
|
||
{
|
||
"name": "DashboardId",
|
||
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
|
||
},
|
||
{
|
||
"name": "PartId",
|
||
"value": "3845c029-779e-468e-9eb5-aa0ab1d373bc"
|
||
},
|
||
{
|
||
"name": "PartTitle",
|
||
"value": "Analytics"
|
||
},
|
||
{
|
||
"name": "PartSubTitle",
|
||
"value": "{Workspace_Name}"
|
||
},
|
||
{
|
||
"name": "resourceTypeMode",
|
||
"value": "workspace"
|
||
},
|
||
{
|
||
"name": "ControlType",
|
||
"value": "AnalyticsDonut"
|
||
},
|
||
{
|
||
"name": "TimeRange",
|
||
"value": "P1D"
|
||
},
|
||
{
|
||
"name": "SpecificChart",
|
||
"isOptional": true
|
||
}
|
||
],
|
||
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
|
||
"settings": {
|
||
"content": {
|
||
"PartTitle": "Top 5 allowed outbound destination IP addresses",
|
||
"PartSubTitle": " "
|
||
}
|
||
},
|
||
"asset": {
|
||
"idInputName": "ComponentId",
|
||
"type": "ApplicationInsights"
|
||
}
|
||
}
|
||
},
|
||
"27": {
|
||
"position": {
|
||
"x": 12,
|
||
"y": 24,
|
||
"colSpan": 6,
|
||
"rowSpan": 4
|
||
},
|
||
"metadata": {
|
||
"inputs": [
|
||
{
|
||
"name": "ComponentId",
|
||
"value": {
|
||
"SubscriptionId": "{Subscription_Id}",
|
||
"ResourceGroup": "{Resource_Group}",
|
||
"Name": "{Workspace_Name}",
|
||
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
|
||
}
|
||
},
|
||
{
|
||
"name": "Query",
|
||
"value": "//Top 5 Inbound Source IP Addresses Denied \nCommonSecurityLog \n| where DeviceProduct =~ 'ASA' \n| where DeviceVendor =~ 'Cisco' \n| where CommunicationDirection contains 'inbound' \n| where SimplifiedDeviceAction == 'Deny' \n| summarize IpCount= count() by SourceIP \n| top 5 by IpCount desc nulls last"
|
||
},
|
||
{
|
||
"name": "Version",
|
||
"value": "1.0"
|
||
},
|
||
{
|
||
"name": "DashboardId",
|
||
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
|
||
},
|
||
{
|
||
"name": "PartId",
|
||
"value": "14d65713-9485-4d9a-9044-c8399596886c"
|
||
},
|
||
{
|
||
"name": "PartTitle",
|
||
"value": "Analytics"
|
||
},
|
||
{
|
||
"name": "PartSubTitle",
|
||
"value": "{Workspace_Name}"
|
||
},
|
||
{
|
||
"name": "resourceTypeMode",
|
||
"value": "workspace"
|
||
},
|
||
{
|
||
"name": "ControlType",
|
||
"value": "AnalyticsGrid"
|
||
},
|
||
{
|
||
"name": "Dimensions",
|
||
"isOptional": true
|
||
},
|
||
{
|
||
"name": "TimeRange",
|
||
"value": "P1D"
|
||
},
|
||
{
|
||
"name": "SpecificChart",
|
||
"isOptional": true
|
||
}
|
||
],
|
||
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
|
||
"settings": {
|
||
"content": {
|
||
"PartTitle": "Top 5 denied inbound source IP addresses",
|
||
"PartSubTitle": " "
|
||
}
|
||
},
|
||
"asset": {
|
||
"idInputName": "ComponentId",
|
||
"type": "ApplicationInsights"
|
||
}
|
||
}
|
||
},
|
||
"28": {
|
||
"position": {
|
||
"x": 18,
|
||
"y": 24,
|
||
"colSpan": 7,
|
||
"rowSpan": 4
|
||
},
|
||
"metadata": {
|
||
"inputs": [
|
||
{
|
||
"name": "ComponentId",
|
||
"value": {
|
||
"SubscriptionId": "{Subscription_Id}",
|
||
"ResourceGroup": "{Resource_Group}",
|
||
"Name": "{Workspace_Name}",
|
||
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
|
||
}
|
||
},
|
||
{
|
||
"name": "Query",
|
||
"value": "//Top 5 Outbound Source IP Addresses Allowed \nCommonSecurityLog \n| where DeviceProduct =~ 'ASA' \n| where DeviceVendor =~ 'Cisco' \n| where CommunicationDirection contains 'outbound' \n| where SimplifiedDeviceAction == 'Built' \n| summarize IpCount= count() by SourceIP \n| top 5 by IpCount desc nulls last"
|
||
},
|
||
{
|
||
"name": "Version",
|
||
"value": "1.0"
|
||
},
|
||
{
|
||
"name": "DashboardId",
|
||
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
|
||
},
|
||
{
|
||
"name": "PartId",
|
||
"value": "f1eccf54-99d1-4f31-b9c3-bd3aa0e58e87"
|
||
},
|
||
{
|
||
"name": "PartTitle",
|
||
"value": "Analytics"
|
||
},
|
||
{
|
||
"name": "PartSubTitle",
|
||
"value": "{Workspace_Name}"
|
||
},
|
||
{
|
||
"name": "resourceTypeMode",
|
||
"value": "workspace"
|
||
},
|
||
{
|
||
"name": "ControlType",
|
||
"value": "AnalyticsGrid"
|
||
},
|
||
{
|
||
"name": "Dimensions",
|
||
"isOptional": true
|
||
},
|
||
{
|
||
"name": "TimeRange",
|
||
"value": "P1D"
|
||
},
|
||
{
|
||
"name": "SpecificChart",
|
||
"isOptional": true
|
||
}
|
||
],
|
||
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
|
||
"settings": {
|
||
"content": {
|
||
"PartTitle": "Top 5 allowed outbound source IP addresses",
|
||
"PartSubTitle": " "
|
||
}
|
||
},
|
||
"asset": {
|
||
"idInputName": "ComponentId",
|
||
"type": "ApplicationInsights"
|
||
}
|
||
}
|
||
},
|
||
"29": {
|
||
"position": {
|
||
"x": 0,
|
||
"y": 28,
|
||
"colSpan": 25,
|
||
"rowSpan": 1
|
||
},
|
||
"metadata": {
|
||
"inputs": [],
|
||
"type": "Extension/HubsExtension/PartType/MarkdownPart",
|
||
"settings": {
|
||
"content": {
|
||
"settings": {
|
||
"content": "<div style='font-size:300%;'>Firewall management</div>\n",
|
||
"title": "",
|
||
"subtitle": " "
|
||
}
|
||
}
|
||
}
|
||
}
|
||
},
|
||
"30": {
|
||
"position": {
|
||
"x": 0,
|
||
"y": 29,
|
||
"colSpan": 6,
|
||
"rowSpan": 4
|
||
},
|
||
"metadata": {
|
||
"inputs": [
|
||
{
|
||
"name": "ComponentId",
|
||
"value": {
|
||
"SubscriptionId": "{Subscription_Id}",
|
||
"ResourceGroup": "{Resource_Group}",
|
||
"Name": "{Workspace_Name}",
|
||
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
|
||
}
|
||
},
|
||
{
|
||
"name": "Query",
|
||
"value": "//top 10 commands\nCommonSecurityLog\n| where DeviceProduct =~ 'ASA'\n| where DeviceVendor =~ 'Cisco'\n| where DeviceEventClassID == '111008'\n| extend CommandExecuted= extract('%ASA-5-111008: User '.*?' executed the '(.*?)' command.',1,Message)\n| summarize Count= count() by CommandExecuted\n| top 5 by Count desc\n"
|
||
},
|
||
{
|
||
"name": "Version",
|
||
"value": "1.0"
|
||
},
|
||
{
|
||
"name": "DashboardId",
|
||
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
|
||
},
|
||
{
|
||
"name": "PartId",
|
||
"value": "c4ceeb6d-4b09-4ca8-9e7a-22447327dde4"
|
||
},
|
||
{
|
||
"name": "PartTitle",
|
||
"value": "Analytics"
|
||
},
|
||
{
|
||
"name": "PartSubTitle",
|
||
"value": "{Workspace_Name}"
|
||
},
|
||
{
|
||
"name": "resourceTypeMode",
|
||
"value": "workspace"
|
||
},
|
||
{
|
||
"name": "ControlType",
|
||
"value": "AnalyticsGrid"
|
||
},
|
||
{
|
||
"name": "Dimensions",
|
||
"isOptional": true
|
||
},
|
||
{
|
||
"name": "TimeRange",
|
||
"value": "P1D"
|
||
},
|
||
{
|
||
"name": "SpecificChart",
|
||
"isOptional": true
|
||
}
|
||
],
|
||
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
|
||
"settings": {
|
||
"content": {
|
||
"PartTitle": "Top 5 commands executed on firewall",
|
||
"PartSubTitle": " "
|
||
}
|
||
},
|
||
"asset": {
|
||
"idInputName": "ComponentId",
|
||
"type": "ApplicationInsights"
|
||
}
|
||
}
|
||
},
|
||
"31": {
|
||
"position": {
|
||
"x": 6,
|
||
"y": 29,
|
||
"colSpan": 5,
|
||
"rowSpan": 4
|
||
},
|
||
"metadata": {
|
||
"inputs": [
|
||
{
|
||
"name": "ComponentId",
|
||
"value": {
|
||
"SubscriptionId": "{Subscription_Id}",
|
||
"ResourceGroup": "{Resource_Group}",
|
||
"Name": "{Workspace_Name}",
|
||
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
|
||
}
|
||
},
|
||
{
|
||
"name": "Query",
|
||
"value": "//Top 5 Source IP Addresses By Failed Authentication \nCommonSecurityLog \n| where DeviceProduct =~ 'ASA' \n| where DeviceVendor =~ 'Cisco' \n| where DeviceEventClassID == '611102' \n| extend IPAddress= extract('%ASA-6-611102:.*: IP address: (.*?), Uname.*',1,Message) \n| summarize IPAddressCount=count() by IPAddress \n| top 5 by IPAddressCount desc"
|
||
},
|
||
{
|
||
"name": "Version",
|
||
"value": "1.0"
|
||
},
|
||
{
|
||
"name": "DashboardId",
|
||
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
|
||
},
|
||
{
|
||
"name": "PartId",
|
||
"value": "85b3f777-a756-4233-8b62-e1330c415bd5"
|
||
},
|
||
{
|
||
"name": "PartTitle",
|
||
"value": "Analytics"
|
||
},
|
||
{
|
||
"name": "PartSubTitle",
|
||
"value": "{Workspace_Name}"
|
||
},
|
||
{
|
||
"name": "resourceTypeMode",
|
||
"value": "workspace"
|
||
},
|
||
{
|
||
"name": "ControlType",
|
||
"value": "AnalyticsGrid"
|
||
},
|
||
{
|
||
"name": "Dimensions",
|
||
"isOptional": true
|
||
},
|
||
{
|
||
"name": "TimeRange",
|
||
"value": "P1D"
|
||
},
|
||
{
|
||
"name": "SpecificChart",
|
||
"isOptional": true
|
||
}
|
||
],
|
||
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
|
||
"settings": {
|
||
"content": {
|
||
"PartTitle": "Top 5 source IP addresses, by failed authentication",
|
||
"PartSubTitle": " "
|
||
}
|
||
},
|
||
"asset": {
|
||
"idInputName": "ComponentId",
|
||
"type": "ApplicationInsights"
|
||
}
|
||
}
|
||
},
|
||
"32": {
|
||
"position": {
|
||
"x": 11,
|
||
"y": 29,
|
||
"colSpan": 5,
|
||
"rowSpan": 4
|
||
},
|
||
"metadata": {
|
||
"inputs": [
|
||
{
|
||
"name": "ComponentId",
|
||
"value": {
|
||
"SubscriptionId": "{Subscription_Id}",
|
||
"ResourceGroup": "{Resource_Group}",
|
||
"Name": "{Workspace_Name}",
|
||
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
|
||
}
|
||
},
|
||
{
|
||
"name": "Query",
|
||
"value": "//Login Attempts For Nonexistent User Account \nCommonSecurityLog \n| where DeviceProduct =~ 'ASA' \n| where DeviceVendor =~ 'Cisco' \n| where DeviceEventClassID == '113015' \n| extend ipaddress=extract('%ASA-6-113015:.*: user IP = (.*)$',1,Message) \n| summarize IPCount=count() by ipaddress \n| top 5 by IPCount desc"
|
||
},
|
||
{
|
||
"name": "Version",
|
||
"value": "1.0"
|
||
},
|
||
{
|
||
"name": "DashboardId",
|
||
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
|
||
},
|
||
{
|
||
"name": "PartId",
|
||
"value": "24deded9-5ff5-41aa-b568-636af82c9def"
|
||
},
|
||
{
|
||
"name": "PartTitle",
|
||
"value": "Analytics"
|
||
},
|
||
{
|
||
"name": "PartSubTitle",
|
||
"value": "{Workspace_Name}"
|
||
},
|
||
{
|
||
"name": "resourceTypeMode",
|
||
"value": "workspace"
|
||
},
|
||
{
|
||
"name": "ControlType",
|
||
"value": "AnalyticsGrid"
|
||
},
|
||
{
|
||
"name": "Dimensions",
|
||
"isOptional": true
|
||
},
|
||
{
|
||
"name": "TimeRange",
|
||
"value": "P1D"
|
||
},
|
||
{
|
||
"name": "SpecificChart",
|
||
"isOptional": true
|
||
}
|
||
],
|
||
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
|
||
"settings": {
|
||
"content": {
|
||
"PartTitle": "Logon attempts to nonexistent user account, by source IP address",
|
||
"PartSubTitle": " "
|
||
}
|
||
},
|
||
"asset": {
|
||
"idInputName": "ComponentId",
|
||
"type": "ApplicationInsights"
|
||
}
|
||
}
|
||
},
|
||
"33": {
|
||
"position": {
|
||
"x": 16,
|
||
"y": 29,
|
||
"colSpan": 6,
|
||
"rowSpan": 4
|
||
},
|
||
"metadata": {
|
||
"inputs": [
|
||
{
|
||
"name": "ComponentId",
|
||
"value": {
|
||
"SubscriptionId": "{Subscription_Id}",
|
||
"ResourceGroup": "{Resource_Group}",
|
||
"Name": "{Workspace_Name}",
|
||
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
|
||
}
|
||
},
|
||
{
|
||
"name": "Query",
|
||
"value": "//Top 5 SSH Failed Attempt By Source IP \nCommonSecurityLog \n| where DeviceProduct =~ 'ASA' \n| where DeviceVendor =~ 'Cisco' \n| where DeviceEventClassID == '315011' \n| extend IP= extract('%ASA-6-315011: SSH session from (.*) on',1,Message) \n| summarize ReasonCount=count() by IP \n| top 5 by ReasonCount desc"
|
||
},
|
||
{
|
||
"name": "Version",
|
||
"value": "1.0"
|
||
},
|
||
{
|
||
"name": "DashboardId",
|
||
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
|
||
},
|
||
{
|
||
"name": "PartId",
|
||
"value": "ac387c57-98d0-4822-93f6-3c2f296d9ac1"
|
||
},
|
||
{
|
||
"name": "PartTitle",
|
||
"value": "Analytics"
|
||
},
|
||
{
|
||
"name": "PartSubTitle",
|
||
"value": "{Workspace_Name}"
|
||
},
|
||
{
|
||
"name": "resourceTypeMode",
|
||
"value": "workspace"
|
||
},
|
||
{
|
||
"name": "ControlType",
|
||
"value": "AnalyticsGrid"
|
||
},
|
||
{
|
||
"name": "Dimensions",
|
||
"isOptional": true
|
||
},
|
||
{
|
||
"name": "TimeRange",
|
||
"value": "P1D"
|
||
},
|
||
{
|
||
"name": "SpecificChart",
|
||
"isOptional": true
|
||
}
|
||
],
|
||
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
|
||
"settings": {
|
||
"content": {
|
||
"PartTitle": "Top 5 SSH failed attempts, by source IP address",
|
||
"PartSubTitle": " "
|
||
}
|
||
},
|
||
"asset": {
|
||
"idInputName": "ComponentId",
|
||
"type": "ApplicationInsights"
|
||
}
|
||
}
|
||
},
|
||
"34": {
|
||
"position": {
|
||
"x": 22,
|
||
"y": 29,
|
||
"colSpan": 3,
|
||
"rowSpan": 4
|
||
},
|
||
"metadata": {
|
||
"inputs": [
|
||
{
|
||
"name": "ComponentId",
|
||
"value": {
|
||
"SubscriptionId": "{Subscription_Id}",
|
||
"ResourceGroup": "{Resource_Group}",
|
||
"Name": "{Workspace_Name}",
|
||
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
|
||
}
|
||
},
|
||
{
|
||
"name": "Query",
|
||
"value": "//Authentocation Success\nCommonSecurityLog\n| where DeviceProduct =~ 'ASA'\n| where DeviceVendor =~ 'Cisco'\n| where DeviceEventClassID == '113012'\n| extend UserName= extract('%ASA-6-113012:.*: user = (.*)$',1,Message)\n| summarize UserCount=count() by UserName\n| top 5 by UserCount desc\n"
|
||
},
|
||
{
|
||
"name": "Dimensions",
|
||
"value": {
|
||
"xAxis": {
|
||
"name": "UserName",
|
||
"type": "String"
|
||
},
|
||
"yAxis": [
|
||
{
|
||
"name": "UserCount",
|
||
"type": "Int64"
|
||
}
|
||
],
|
||
"splitBy": [],
|
||
"aggregation": "Sum"
|
||
}
|
||
},
|
||
{
|
||
"name": "Version",
|
||
"value": "1.0"
|
||
},
|
||
{
|
||
"name": "DashboardId",
|
||
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
|
||
},
|
||
{
|
||
"name": "PartId",
|
||
"value": "83678fda-fe05-4a83-b61f-c457740a84bf"
|
||
},
|
||
{
|
||
"name": "PartTitle",
|
||
"value": "Analytics"
|
||
},
|
||
{
|
||
"name": "PartSubTitle",
|
||
"value": "{Workspace_Name}"
|
||
},
|
||
{
|
||
"name": "resourceTypeMode",
|
||
"value": "workspace"
|
||
},
|
||
{
|
||
"name": "ControlType",
|
||
"value": "AnalyticsChart"
|
||
},
|
||
{
|
||
"name": "SpecificChart",
|
||
"value": "Bar"
|
||
},
|
||
{
|
||
"name": "TimeRange",
|
||
"value": "P1D"
|
||
}
|
||
],
|
||
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
|
||
"settings": {
|
||
"content": {
|
||
"PartTitle": "Top 5 successfully authenticated users",
|
||
"PartSubTitle": " "
|
||
}
|
||
},
|
||
"asset": {
|
||
"idInputName": "ComponentId",
|
||
"type": "ApplicationInsights"
|
||
}
|
||
}
|
||
},
|
||
"35": {
|
||
"position": {
|
||
"x": 0,
|
||
"y": 0,
|
||
"colSpan": 1,
|
||
"rowSpan": 1
|
||
},
|
||
"metadata": {
|
||
"inputs": [
|
||
{
|
||
"name": "subscriptionId",
|
||
"value": "{Subscription_Id}"
|
||
},
|
||
{
|
||
"name": "resourceGroup",
|
||
"value": "{Resource_Group}"
|
||
},
|
||
{
|
||
"name": "workspaceName",
|
||
"value": "{Workspace_Name}"
|
||
},
|
||
{
|
||
"name": "dashboardName",
|
||
"value": "CiscoDashboard"
|
||
},
|
||
{
|
||
"name": "menuItemToOpen",
|
||
"value": "Dashboards"
|
||
}
|
||
],
|
||
"type": "Extension/Microsoft_Azure_Security_Insights/PartType/AsiOverviewPart",
|
||
"defaultMenuItemId": "0"
|
||
}
|
||
}
|
||
}
|
||
}
|
||
}
|
||
}
|
||
}
|