Azure-Sentinel/Dashboards/Cisco.json


{
"name": "CiscoDashboard_{Workspace_Name}",
"type": "Microsoft.Portal/dashboards",
"location": "{Dashboard_Location}",
"tags": {
"dashboardKey": "CiscoDashboard",
"hidden-title": "Cisco - {Workspace_Name}",
"version": "1.2",
"workspaceName": "{Workspace_Name}"
},
"properties": {
"lenses": {
"0": {
"order": 0,
"parts": {
"0": {
"position": {
"x": 1,
"y": 0,
"colSpan": 18,
"rowSpan": 1
},
"metadata": {
"inputs": [],
"type": "Extension/HubsExtension/PartType/MarkdownPart",
"settings": {
"content": {
"settings": {
"content": "<div style='font-size:300%;'>Cisco overview</div>\n\n",
"title": "",
"subtitle": " "
}
}
}
}
},
"1": {
"position": {
"x": 19,
"y": 0,
"colSpan": 6,
"rowSpan": 1
},
"metadata": {
"inputs": [],
"type": "Extension/HubsExtension/PartType/MarkdownPart",
"settings": {
"content": {
"settings": {
"content": "<img width='450' height='50' src='https://bitwizards.com/bitwizards/media/blogs/jeff-mitchell/2015/may/cisco-router/2015-05-05-topimage.jpg'/>\n",
"title": "",
"subtitle": " "
}
}
}
}
},
"2": {
"position": {
"x": 0,
"y": 1,
"colSpan": 13,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "//severity count\nCommonSecurityLog\n| where DeviceVendor =~ 'Cisco'\n| where DeviceProduct =~ 'ASA'\n| summarize SeverityVolume= count() by LogSeverity\n"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "LogSeverity",
"type": "String"
},
"yAxis": [
{
"name": "SeverityVolume",
"type": "Int64"
}
],
"splitBy": [],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "d669fb39-3d3c-4109-8019-08f17d5ae112"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": "{Workspace_Name}"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsDonut"
},
{
"name": "SpecificChart",
"isOptional": true
},
{
"name": "TimeRange",
"value": "P1D"
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Traffic, by event severity",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"3": {
"position": {
"x": 13,
"y": 1,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "//no. of concurrent sessions\nCommonSecurityLog\n| where DeviceProduct =~ 'ASA'\n| where DeviceVendor =~ 'Cisco'\n| where DeviceEventClassID == '302010'\n| extend ConcurrentSession= extract('%ASA-6-302010: ([0-9]*?) in use,',1,Message)\n| summarize AvgSession=avg(toint(ConcurrentSession)) by TimeGenerated\n"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "TimeGenerated",
"type": "DateTime"
},
"yAxis": [
{
"name": "AvgSession",
"type": "Double"
}
],
"splitBy": [],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "a396b4a0-be52-4965-bb96-a0cd793540eb"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": "{Workspace_Name}"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsChart"
},
{
"name": "SpecificChart",
"value": "Bar"
},
{
"name": "TimeRange",
"value": "P1D"
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Average concurrent sessions, by time",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"4": {
"position": {
"x": 19,
"y": 1,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "//Count by Action\nCommonSecurityLog\n| where DeviceProduct =~ 'ASA'\n| where DeviceVendor =~ 'Cisco'\n| where DeviceAction != ''\n| summarize ActionCount= count() by SimplifiedDeviceAction\n"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "SimplifiedDeviceAction",
"type": "String"
},
"yAxis": [
{
"name": "ActionCount",
"type": "Int64"
}
],
"splitBy": [],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "ff598f07-4502-4992-9164-7fc607d3b625"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": "{Workspace_Name}"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsChart"
},
{
"name": "SpecificChart",
"value": "Bar"
},
{
"name": "TimeRange",
"value": "P1D"
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Summary of firewall events",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"5": {
"position": {
"x": 0,
"y": 5,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "//Max Sessions\nCommonSecurityLog\n| where DeviceProduct =~ 'ASA'\n| where DeviceVendor =~ 'Cisco'\n| where DeviceEventClassID == '302010'\n| extend MaxSessions= extract('%ASA-6-302010:.*, ([0-9].*?) most used',1,Message)\n| summarize AvgSession=avg(toint(MaxSessions)) by TimeGenerated\n"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "TimeGenerated",
"type": "DateTime"
},
"yAxis": [
{
"name": "AvgSession",
"type": "Double"
}
],
"splitBy": [],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "9e0f12d6-a118-4163-8826-1864f3bd6007"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": "{Workspace_Name}"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsChart"
},
{
"name": "SpecificChart",
"value": "Bar"
},
{
"name": "TimeRange",
"value": "P1D"
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Average max concurrent sessions, by time",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"6": {
"position": {
"x": 6,
"y": 5,
"colSpan": 7,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "//volume by time\nCommonSecurityLog\n| where DeviceVendor =~ 'Cisco'\n| where DeviceProduct =~ 'ASA'\n| summarize Volme=count() by TimeGenerated\n"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "TimeGenerated",
"type": "DateTime"
},
"yAxis": [
{
"name": "Volme",
"type": "Int64"
}
],
"splitBy": [],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "0a05ab08-5e9d-4073-8cba-1fd25c08a2a2"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": "{Workspace_Name}"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsChart"
},
{
"name": "SpecificChart",
"value": "Line"
},
{
"name": "TimeRange",
"value": "P1D"
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Event trends, by time",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"7": {
"position": {
"x": 13,
"y": 5,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "//severity by time\nCommonSecurityLog\n| where DeviceVendor =~ 'Cisco'\n| where DeviceProduct =~ 'ASA'\n| summarize SeverityVolume= count() by LogSeverity, TimeGenerated\n"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "TimeGenerated",
"type": "DateTime"
},
"yAxis": [
{
"name": "SeverityVolume",
"type": "Int64"
}
],
"splitBy": [
{
"name": "LogSeverity",
"type": "String"
}
],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "97999b99-b3a8-4c07-8970-f3299f7cd50a"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": "{Workspace_Name}"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsChart"
},
{
"name": "SpecificChart",
"value": "Bar"
},
{
"name": "TimeRange",
"value": "P1D"
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Event severity, by time",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"8": {
"position": {
"x": 19,
"y": 5,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "//top 5 reason for packet drop\nCommonSecurityLog\n| where DeviceProduct =~ 'ASA'\n| where DeviceVendor =~ 'Cisco'\n| where DeviceEventClassID == '733100'\n| extend TraficType= extract('%ASA-4-733100: \\\\[(.*?)\\\\]',1,Message)\n| summarize AttackCount=count() by TraficType\n| top 5 by AttackCount desc\n"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "TraficType",
"type": "String"
},
"yAxis": [
{
"name": "AttackCount",
"type": "Int64"
}
],
"splitBy": [],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "c179ca70-97c8-4398-b366-be6d295b5d9d"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": "{Workspace_Name}"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsDonut"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Top 5 reasons for packet drop",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"9": {
"position": {
"x": 0,
"y": 9,
"colSpan": 25,
"rowSpan": 1
},
"metadata": {
"inputs": [],
"type": "Extension/HubsExtension/PartType/MarkdownPart",
"settings": {
"content": {
"settings": {
"content": "<div style='font-size:300%;'>Firewall log trends and activities</div>",
"title": "",
"subtitle": " "
}
}
}
}
},
"10": {
"position": {
"x": 0,
"y": 10,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "//Communication direction count by time\nCommonSecurityLog\n| where DeviceProduct =~ 'ASA'\n| where DeviceVendor =~ 'Cisco'\n| where CommunicationDirection != ''\n| summarize DirectionVolume=count() by CommunicationDirection, TimeGenerated\n"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "TimeGenerated",
"type": "DateTime"
},
"yAxis": [
{
"name": "DirectionVolume",
"type": "Int64"
}
],
"splitBy": [
{
"name": "CommunicationDirection",
"type": "String"
}
],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "ecdf022f-f258-4d0b-a9f5-2e87a5c57d89"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": "{Workspace_Name}"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsChart"
},
{
"name": "SpecificChart",
"value": "Bar"
},
{
"name": "TimeRange",
"value": "P1D"
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Inbound Outbound Time Trend",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"11": {
"position": {
"x": 6,
"y": 10,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "//outbound\nCommonSecurityLog\n| where DeviceProduct =~ 'ASA'\n| where DeviceVendor =~ 'Cisco'\n| where CommunicationDirection contains 'outbound'\n| summarize TrafficVolume=count() by SimplifiedDeviceAction, TimeGenerated\n"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "TimeGenerated",
"type": "DateTime"
},
"yAxis": [
{
"name": "TrafficVolume",
"type": "Int64"
}
],
"splitBy": [
{
"name": "SimplifiedDeviceAction",
"type": "String"
}
],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "6c479c3a-08af-4814-aed6-d92fa263d9cb"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": "{Workspace_Name}"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsChart"
},
{
"name": "SpecificChart",
"value": "Bar"
},
{
"name": "TimeRange",
"value": "P1D"
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Outbound traffic connection, by time",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"12": {
"position": {
"x": 12,
"y": 10,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "//allowed vs denied for inbound\nCommonSecurityLog\n| where DeviceProduct =~ 'ASA'\n| where DeviceVendor =~ 'Cisco'\n| where CommunicationDirection contains 'inbound'\n| where SimplifiedDeviceAction in ('Deny', 'Allow')\n| summarize TrafficVolume=count() by SimplifiedDeviceAction, TimeGenerated\n"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "TimeGenerated",
"type": "DateTime"
},
"yAxis": [
{
"name": "TrafficVolume",
"type": "Int64"
}
],
"splitBy": [
{
"name": "SimplifiedDeviceAction",
"type": "String"
}
],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "6b76c1d9-8896-4cb0-8cc7-29e599fca0fd"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": "{Workspace_Name}"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsChart"
},
{
"name": "SpecificChart",
"value": "Bar"
},
{
"name": "TimeRange",
"value": "P1D"
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Inbound traffic events, by time",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"13": {
"position": {
"x": 18,
"y": 10,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "//Communication direction count\nCommonSecurityLog\n| where DeviceProduct =~ 'ASA'\n| where DeviceVendor =~ 'Cisco'\n| where CommunicationDirection != ''\n| summarize DirectionVolume=count() by CommunicationDirection\n"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "CommunicationDirection",
"type": "String"
},
"yAxis": [
{
"name": "DirectionVolume",
"type": "Int64"
}
],
"splitBy": [],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "f0dc387c-fe5e-4ec2-a418-a4d314a5e3c1"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": "{Workspace_Name}"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsDonut"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Summary of inbound and outbound traffic",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"14": {
"position": {
"x": 24,
"y": 10,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "//Reason for packet Drop time trend\nCommonSecurityLog\n| where DeviceProduct =~ 'ASA'\n| where DeviceVendor =~ 'Cisco'\n| where DeviceEventClassID == '733100'\n| extend TraficType= extract('%ASA-4-733100: \\\\[(.*?)\\\\]',1,Message)\n| summarize AttackCount=count() by TraficType, TimeGenerated\n"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "TimeGenerated",
"type": "DateTime"
},
"yAxis": [
{
"name": "AttackCount",
"type": "Int64"
}
],
"splitBy": [
{
"name": "TraficType",
"type": "String"
}
],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "2d3b7b1c-cfd0-4bb8-ad55-578d74c3a15d"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": "{Workspace_Name}"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsChart"
},
{
"name": "SpecificChart",
"value": "Bar"
},
{
"name": "TimeRange",
"value": "P1D"
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Reason for packet drop, by time",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"15": {
"position": {
"x": 0,
"y": 14,
"colSpan": 25,
"rowSpan": 1
},
"metadata": {
"inputs": [],
"type": "Extension/HubsExtension/PartType/MarkdownPart",
"settings": {
"content": {
"settings": {
"content": "<div style='font-size:300%;'>Top 5 allowed and blocked ports</div>\n",
"title": "",
"subtitle": " "
}
}
}
}
},
"16": {
"position": {
"x": 0,
"y": 15,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}"
}
},
{
"name": "Query",
"value": "//top 5 port inbound Allow \nCommonSecurityLog \n| where DeviceProduct =~ 'ASA' \n| where DeviceVendor =~ 'Cisco' \n| where DeviceEventClassID == '106100' \n| where SimplifiedDeviceAction == 'Allow' \n| where Message contains ' -> inside' \n| extend DestinationPortS=tostring(DestinationPort) \n| summarize PortCount=count() by DestinationPortS \n| top 5 by PortCount desc"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "DestinationPortS",
"type": "String"
},
"yAxis": [
{
"name": "PortCount",
"type": "Int64"
}
],
"splitBy": [],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "eb8b5c71-cb66-4b8c-a05e-e128d1c24005"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": "{Workspace_Name}"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsChart"
},
{
"name": "SpecificChart",
"value": "Bar"
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Top 5 allowed inbound ports",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"17": {
"position": {
"x": 6,
"y": 15,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "//top 5 port inbound deny\nCommonSecurityLog\n| where DeviceProduct =~ 'ASA'\n| where DeviceVendor =~ 'Cisco'\n| where CommunicationDirection contains 'inbound'\n| where SimplifiedDeviceAction == 'Deny'\n| extend DestinationPortS=tostring(DestinationPort)\n| summarize PortCount=count() by DestinationPortS\n| top 5 by PortCount desc\n"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "DestinationPortS",
"type": "String"
},
"yAxis": [
{
"name": "PortCount",
"type": "Int64"
}
],
"splitBy": [],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "3ea9408e-4fda-4e29-90cf-c8fc01db6b74"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": "{Workspace_Name}"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsChart"
},
{
"name": "SpecificChart",
"value": "Bar"
},
{
"name": "TimeRange",
"value": "P1D"
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Top 5 blocked inbound ports",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"18": {
"position": {
"x": 12,
"y": 15,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "//top 5 port outbound Allow\nCommonSecurityLog\n| where DeviceProduct =~ 'ASA'\n| where DeviceVendor =~ 'Cisco'\n| where DeviceEventClassID == '106100'\n| where SimplifiedDeviceAction == 'Allow'\n| where Message contains ' -> management'\n| extend DestinationPortS=tostring(DestinationPort)\n| summarize PortCount=count() by DestinationPortS\n| top 5 by PortCount desc\n"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "DestinationPortS",
"type": "String"
},
"yAxis": [
{
"name": "PortCount",
"type": "Int64"
}
],
"splitBy": [],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "beaae82d-5eb9-45f9-a31c-1f96dec4eae4"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": "{Workspace_Name}"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsDonut"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Top 5 allowed outbound ports",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"19": {
"position": {
"x": 18,
"y": 15,
"colSpan": 7,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "//Top 5 Outbound Ports Denied \nCommonSecurityLog \n| where DeviceProduct =~ 'ASA' \n| where DeviceVendor =~ 'Cisco'"
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "7678ddf2-f79c-49e8-946f-4427c72006be"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": "{Workspace_Name}"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsGrid"
},
{
"name": "Dimensions",
"isOptional": true
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Top 5 denied outbound ports",
"PartSubTitle": " ",
"Query": "//Top 5 Outbound Ports Denied\nCommonSecurityLog\n| where DeviceProduct =~ 'ASA'\n| where DeviceVendor =~ 'Cisco'\n| where CommunicationDirection contains   'outbound'\n| where SimplifiedDeviceAction == 'Deny' \n| extend DestinationPortS=tostring(DestinationPort)  \n| summarize PortCount=count() by DestinationPortS\n| top 5 by PortCount desc "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"20": {
"position": {
"x": 0,
"y": 19,
"colSpan": 25,
"rowSpan": 1
},
"metadata": {
"inputs": [],
"type": "Extension/HubsExtension/PartType/MarkdownPart",
"settings": {
"content": {
"settings": {
"content": "<div style='font-size:300%;'>Top 5 allowed and blocked IP addresses</div>",
"title": "",
"subtitle": " "
}
}
}
}
},
"21": {
"position": {
"x": 0,
"y": 20,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "//top 5 protocol Deny\nCommonSecurityLog\n| where DeviceProduct =~ 'ASA'\n| where DeviceVendor =~ 'Cisco'\n| where Protocol != ''\n| where SimplifiedDeviceAction == 'Deny'\n| summarize ProtocolCount= count() by Protocol\n| top 5 by ProtocolCount\n"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "Protocol",
"type": "String"
},
"yAxis": [
{
"name": "ProtocolCount",
"type": "Int64"
}
],
"splitBy": [],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "cafb54c2-f6ea-4fcc-a5a4-bdf0f3a88da4"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": "{Workspace_Name}"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsDonut"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Top 5 denied protocols",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"22": {
"position": {
"x": 6,
"y": 20,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "//top 5 protocol Allow\nCommonSecurityLog\n| where DeviceProduct =~ 'ASA'\n| where DeviceVendor =~ 'Cisco'\n| where Protocol != ''\n| where SimplifiedDeviceAction == 'Allow'\n| summarize ProtocolCount= count() by Protocol\n| top 5 by ProtocolCount\n"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "Protocol",
"type": "String"
},
"yAxis": [
{
"name": "ProtocolCount",
"type": "Int64"
}
],
"splitBy": [],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "cb958e69-b8cb-4e78-9bf1-0510feaccf0e"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": "{Workspace_Name}"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsChart"
},
{
"name": "SpecificChart",
"value": "Bar"
},
{
"name": "TimeRange",
"value": "P1D"
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Top 5 allowed protocols",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"23": {
"position": {
"x": 12,
"y": 20,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "//Top 5 Inbound Destination IP Addresses Blocked \nCommonSecurityLog \n| where DeviceProduct =~ 'ASA' \n| where DeviceVendor =~ 'Cisco' \n| where CommunicationDirection contains 'inbound' \n| where SimplifiedDeviceAction == 'Deny' \n| summarize IpCount= count() by DestinationIP \n| top 5 by IpCount desc nulls last \n"
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "66d7c8bd-58bf-4b6f-bb4e-2c76f2a2782f"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": "{Workspace_Name}"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsGrid"
},
{
"name": "Dimensions",
"isOptional": true
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Top 5 blocked inbound destination IP addresses",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"24": {
"position": {
"x": 18,
"y": 20,
"colSpan": 7,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "//Top 5 Inbound Destination IP Addresses Allowed \nCommonSecurityLog \n| where DeviceProduct =~ 'ASA' \n| where DeviceVendor =~ 'Cisco' \n| where CommunicationDirection contains 'inbound' \n| where DestinationIP != '' \n| where SimplifiedDeviceAction == 'Allow' or SimplifiedDeviceAction == 'Built' \n| summarize IpCount= count() by DestinationIP \n| top 5 by IpCount desc nulls last"
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "80ffa6c5-fc20-4f72-9938-547dd8b0b80e"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": "{Workspace_Name}"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsGrid"
},
{
"name": "Dimensions",
"isOptional": true
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Top 5 allowed inbound destination IP addresses",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"25": {
"position": {
"x": 0,
"y": 24,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "//top 5 outbound deny dst ip\nCommonSecurityLog\n| where DeviceProduct =~ 'ASA'\n| where DeviceVendor =~ 'Cisco'\n| where DeviceEventClassID == '106100'\n| where SimplifiedDeviceAction == 'Deny'\n| where Message contains ' -> management'\n| summarize IpCount= count() by DestinationIP\n| top 5 by IpCount desc nulls last\n"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "DestinationIP",
"type": "String"
},
"yAxis": [
{
"name": "IpCount",
"type": "Int64"
}
],
"splitBy": [],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "4db3575b-7a7e-4add-b14e-7d0aceeb1633"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": "{Workspace_Name}"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsChart"
},
{
"name": "SpecificChart",
"value": "Bar"
},
{
"name": "TimeRange",
"value": "P1D"
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Top 5 denied outbound destination IP addresses",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"26": {
"position": {
"x": 6,
"y": 24,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "//top 5 outbound Allow dst ip\nCommonSecurityLog\n| where DeviceProduct =~ 'ASA'\n| where DeviceVendor =~ 'Cisco'\n| where DeviceEventClassID == '106100'\n| where SimplifiedDeviceAction == 'Allow'\n| where Message contains ' -> management'\n| summarize IpCount= count() by DestinationIP\n| top 5 by IpCount desc nulls last\n"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "DestinationIP",
"type": "String"
},
"yAxis": [
{
"name": "IpCount",
"type": "Int64"
}
],
"splitBy": [],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "3845c029-779e-468e-9eb5-aa0ab1d373bc"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": "{Workspace_Name}"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsDonut"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Top 5 allowed outbound destination IP addresses",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"27": {
"position": {
"x": 12,
"y": 24,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "//Top 5 Inbound Source IP Addresses Denied \nCommonSecurityLog \n| where DeviceProduct =~ 'ASA' \n| where DeviceVendor =~ 'Cisco' \n| where CommunicationDirection contains 'inbound' \n| where SimplifiedDeviceAction == 'Deny' \n| summarize IpCount= count() by SourceIP \n| top 5 by IpCount desc nulls last"
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "14d65713-9485-4d9a-9044-c8399596886c"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": "{Workspace_Name}"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsGrid"
},
{
"name": "Dimensions",
"isOptional": true
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Top 5 denied inbound source IP addresses",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"28": {
"position": {
"x": 18,
"y": 24,
"colSpan": 7,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "//Top 5 Outbound Source IP Addresses Allowed \nCommonSecurityLog \n| where DeviceProduct =~ 'ASA' \n| where DeviceVendor =~ 'Cisco' \n| where CommunicationDirection contains 'outbound' \n| where SimplifiedDeviceAction == 'Built' \n| summarize IpCount= count() by SourceIP \n| top 5 by IpCount desc nulls last"
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "f1eccf54-99d1-4f31-b9c3-bd3aa0e58e87"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": "{Workspace_Name}"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsGrid"
},
{
"name": "Dimensions",
"isOptional": true
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Top 5 allowed outbound source IP addresses",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"29": {
"position": {
"x": 0,
"y": 28,
"colSpan": 25,
"rowSpan": 1
},
"metadata": {
"inputs": [],
"type": "Extension/HubsExtension/PartType/MarkdownPart",
"settings": {
"content": {
"settings": {
"content": "<div style='font-size:300%;'>Firewall management</div>\n",
"title": "",
"subtitle": " "
}
}
}
}
},
"30": {
"position": {
"x": 0,
"y": 29,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "//top 10 commands\nCommonSecurityLog\n| where DeviceProduct =~ 'ASA'\n| where DeviceVendor =~ 'Cisco'\n| where DeviceEventClassID == '111008'\n| extend CommandExecuted= extract('%ASA-5-111008: User '.*?' executed the '(.*?)' command.',1,Message)\n| summarize Count= count() by CommandExecuted\n| top 5 by Count desc\n"
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "c4ceeb6d-4b09-4ca8-9e7a-22447327dde4"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": "{Workspace_Name}"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsGrid"
},
{
"name": "Dimensions",
"isOptional": true
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Top 5 commands executed on firewall",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"31": {
"position": {
"x": 6,
"y": 29,
"colSpan": 5,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "//Top 5 Source IP Addresses By Failed Authentication \nCommonSecurityLog \n| where DeviceProduct =~ 'ASA' \n| where DeviceVendor =~ 'Cisco' \n| where DeviceEventClassID == '611102' \n| extend IPAddress= extract('%ASA-6-611102:.*: IP address: (.*?), Uname.*',1,Message) \n| summarize IPAddressCount=count() by IPAddress \n| top 5 by IPAddressCount desc"
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "85b3f777-a756-4233-8b62-e1330c415bd5"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": "{Workspace_Name}"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsGrid"
},
{
"name": "Dimensions",
"isOptional": true
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Top 5 source IP addresses, by failed authentication",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"32": {
"position": {
"x": 11,
"y": 29,
"colSpan": 5,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "//Login Attempts For Nonexistent User Account \nCommonSecurityLog \n| where DeviceProduct =~ 'ASA' \n| where DeviceVendor =~ 'Cisco' \n| where DeviceEventClassID == '113015' \n| extend ipaddress=extract('%ASA-6-113015:.*: user IP = (.*)$',1,Message) \n| summarize IPCount=count() by ipaddress \n| top 5 by IPCount desc"
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "24deded9-5ff5-41aa-b568-636af82c9def"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": "{Workspace_Name}"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsGrid"
},
{
"name": "Dimensions",
"isOptional": true
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Logon attempts to nonexistent user account, by source IP address",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"33": {
"position": {
"x": 16,
"y": 29,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "//Top 5 SSH Failed Attempt By Source IP \nCommonSecurityLog \n| where DeviceProduct =~ 'ASA' \n| where DeviceVendor =~ 'Cisco' \n| where DeviceEventClassID == '315011' \n| extend IP= extract('%ASA-6-315011: SSH session from (.*) on',1,Message) \n| summarize ReasonCount=count() by IP \n| top 5 by ReasonCount desc"
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "ac387c57-98d0-4822-93f6-3c2f296d9ac1"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": "{Workspace_Name}"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsGrid"
},
{
"name": "Dimensions",
"isOptional": true
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Top 5 SSH failed attempts, by source IP address",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"34": {
"position": {
"x": 22,
"y": 29,
"colSpan": 3,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "//Authentication Success\nCommonSecurityLog\n| where DeviceProduct =~ 'ASA'\n| where DeviceVendor =~ 'Cisco'\n| where DeviceEventClassID == '113012'\n| extend UserName= extract('%ASA-6-113012:.*: user = (.*)$',1,Message)\n| summarize UserCount=count() by UserName\n| top 5 by UserCount desc\n"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "UserName",
"type": "String"
},
"yAxis": [
{
"name": "UserCount",
"type": "Int64"
}
],
"splitBy": [],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "83678fda-fe05-4a83-b61f-c457740a84bf"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": "{Workspace_Name}"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsChart"
},
{
"name": "SpecificChart",
"value": "Bar"
},
{
"name": "TimeRange",
"value": "P1D"
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Top 5 successfully authenticated users",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"35": {
"position": {
"x": 0,
"y": 0,
"colSpan": 1,
"rowSpan": 1
},
"metadata": {
"inputs": [
{
"name": "subscriptionId",
"value": "{Subscription_Id}"
},
{
"name": "resourceGroup",
"value": "{Resource_Group}"
},
{
"name": "workspaceName",
"value": "{Workspace_Name}"
},
{
"name": "dashboardName",
"value": "CiscoDashboard"
},
{
"name": "menuItemToOpen",
"value": "Dashboards"
}
],
"type": "Extension/Microsoft_Azure_Security_Insights/PartType/AsiOverviewPart",
"defaultMenuItemId": "0"
}
}
}
}
}
}
}