{
"name": "CyberArkDashboard-{Workspace_Name}",
"type": "Microsoft.Portal/dashboards",
"location": "{Dashboard_Location}",
"tags": {
"dashboardKey": "CyberArkDashboard",
"hidden-title": "CyberArk Dashboard - Performance Dashboard - {Workspace_Name}",
"version": "1.0",
"workspaceName": "{Workspace_Name}"
},
"properties": {
"lenses": {
"0": {
"order": 0,
"parts": {
"0": {
"position": {
"x": 1,
"y": 0,
"colSpan": 23,
"rowSpan": 1
},
"metadata": {
"inputs": [],
"type": "Extension/HubsExtension/PartType/MarkdownPart",
"settings": {
"content": {
"settings": {
"content": "<div style=\"font-size:250%;\">CyberArk dashboard - to use this, download the CyberArk parsers from the Azure Sentinel GitHub repository</div>",
"title": "",
"subtitle": ""
}
}
}
}
},
"1": {
"position": {
"x": 0,
"y": 1,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalinsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "CyberArk_CPM\r\n| where ticketID contains \"Error\"\r\n| summarize AggregatedValue = count() by bin(TimeGenerated, 1h)\r\n| sort by TimeGenerated desc\r\n| render timechart \n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "TimeGenerated",
"type": "DateTime"
},
"yAxis": [
{
"name": "AggregatedValue",
"type": "Int64"
}
],
"splitBy": [],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CyberArk_{Workspace_Name}"
},
{
"name": "PartId",
"value": "69326025-f55b-48a4-ae5d-b587b6141236"
},
{
"name": "PartTitle",
"value": " "
},
{
"name": "PartSubTitle",
"value": "{Workspace_Name}"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsChart"
},
{
"name": "SpecificChart",
"value": "Line"
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "CPM errors",
"PartSubTitle": "Number of CPM errors - every 2 hours"
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"2": {
"position": {
"x": 6,
"y": 1,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalinsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "CyberArk_Syslog | search ticketID contains \"error\" | summarize AggregatedValue = count() by destinationUserName\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "destinationUserName",
"type": "String"
},
"yAxis": [
{
"name": "AggregatedValue",
"type": "Int64"
}
],
"splitBy": [],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CyberArk_{Workspace_Name}"
},
{
"name": "PartId",
"value": "7ea560fe-1dba-432c-8a44-4e780ec0043d"
},
{
"name": "PartTitle",
"value": " "
},
{
"name": "PartSubTitle",
"value": "{Workspace_Name}"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsChart"
},
{
"name": "SpecificChart",
"value": "Bar"
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "CPM errors, by account",
"PartSubTitle": "Accounts, by username, that have a CPM error"
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"3": {
"position": {
"x": 12,
"y": 1,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalinsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "CyberArk_Access \r\n| where ProcessID == 7\r\n| where sourceUserName contains \"administrator\"\r\n| distinct sourceHostName, deviceAddress, TimeGenerated\r\n//| summarize count() by sourceHostName, deviceAddress, TimeGenerated\r\n//| render timechart \n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CyberArk_{Workspace_Name}"
},
{
"name": "PartId",
"value": "6e1a34a2-e745-4980-bc82-88946e257c6b"
},
{
"name": "PartTitle",
"value": " "
},
{
"name": "PartSubTitle",
"value": "{Workspace_Name}"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsGrid"
},
{
"name": "Dimensions",
"isOptional": true
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Administrator account",
"PartSubTitle": "Identified logons with the \"Administrator\" account"
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"4": {
"position": {
"x": 18,
"y": 1,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalinsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "CyberArk_PSM | where ProcessID == 300\r\n| summarize count() by destinationHostName\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "destinationHostName",
"type": "String"
},
"yAxis": [
{
"name": "count_",
"type": "Int64"
}
],
"splitBy": [],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CyberArk_{Workspace_Name}"
},
{
"name": "PartId",
"value": "03f1df76-7209-4c92-8724-beed5210b91d"
},
{
"name": "PartTitle",
"value": " "
},
{
"name": "PartSubTitle",
"value": "{Workspace_Name}"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsDonut"
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Endpoints most connected to",
"PartSubTitle": "# of PSM connections, by endpoint"
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"5": {
"position": {
"x": 0,
"y": 5,
"colSpan": 12,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalinsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "CyberArk_CPM \r\n| where MessageID in (22,24,31,414,416,418)\r\n| distinct deviceAction, destinationUserName, fileName, safeName, TimeGenerated, Message\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CyberArk_{Workspace_Name}"
},
{
"name": "PartId",
"value": "6f52a9f5-2aa9-4808-9356-e3b6f7009b95"
},
{
"name": "PartTitle",
"value": " "
},
{
"name": "PartSubTitle",
"value": "{Workspace_Name}"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsGrid"
},
{
"name": "Dimensions",
"isOptional": true
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Successful CPM operations",
"PartSubTitle": "Accounts with a successful CPM action"
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"6": {
"position": {
"x": 12,
"y": 5,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalinsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "CyberArk_Syslog \r\n| where ProcessID in (295,428)\r\n| where safeName !contains \"PSMSessions\"\r\n| where safeName !contains \"PVWAConfig\"\r\n| where safeName !contains \"PasswordManagerShared\"\r\n| where safeName !contains \"VaultInternal\"\r\n| where safeName !contains \"PasswordManager\"\r\n| where safeName !contains \"PVWAPrivateUserPrefs\"\r\n| where safeName !contains \"ConjurSync\"\r\n| where safeName !contains \"SharedAuth_Internal\"\r\n| where safeName !contains \"PSM\"\r\n| where sourceUserName !contains \"PasswordManager\"\r\n| summarize count() by fileName, safeName\r\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "fileName",
"type": "String"
},
"yAxis": [
{
"name": "count_",
"type": "Int64"
}
],
"splitBy": [
{
"name": "safeName",
"type": "String"
}
],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CyberArk_{Workspace_Name}"
},
{
"name": "PartId",
"value": "4e22fee0-a440-4e91-b34f-4be6bb8968aa"
},
{
"name": "PartTitle",
"value": " "
},
{
"name": "PartSubTitle",
"value": "{Workspace_Name}"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsDonut"
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Account objects accessed",
"PartSubTitle": "Accounts that have been accessed, by objectName"
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"7": {
"position": {
"x": 0,
"y": 9,
"colSpan": 12,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalinsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "CyberArk_CPM \r\n| where deviceAction contains \"disable\"\r\n| summarize count() by fileName, safeName, destinationUserName, ticketID\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CyberArk_{Workspace_Name}"
},
{
"name": "PartId",
"value": "71681a83-c94a-4450-9d86-f31b760d182d"
},
{
"name": "PartTitle",
"value": " "
},
{
"name": "PartSubTitle",
"value": "{Workspace_Name}"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsGrid"
},
{
"name": "Dimensions",
"isOptional": true
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Disabled accounts",
"PartSubTitle": "Accounts that have been disabled by the CPM, with the error"
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"8": {
"position": {
"x": 12,
"y": 9,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalinsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "CyberArk_Syslog \r\n| where ProcessID in (295,428)\r\n| where safeName !contains \"PSMSessions\"\r\n| where safeName !contains \"PVWAConfig\"\r\n| where safeName !contains \"PasswordManagerShared\"\r\n| where safeName !contains \"VaultInternal\"\r\n| where safeName !contains \"PasswordManager\"\r\n| where safeName !contains \"PVWAPrivateUserPrefs\"\r\n| where safeName !contains \"ConjurSync\"\r\n| where safeName !contains \"SharedAuth_Internal\"\r\n| where safeName !contains \"PSM\"\r\n| where sourceUserName !contains \"PasswordManager\"\r\n| summarize count() by sourceUserName, TimeGenerated\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "sourceUserName",
"type": "String"
},
"yAxis": [
{
"name": "count_",
"type": "Int64"
}
],
"splitBy": [],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CyberArk_{Workspace_Name}"
},
{
"name": "PartId",
"value": "66929e24-f09d-4b65-8775-0befa430cc13"
},
{
"name": "PartTitle",
"value": " "
},
{
"name": "PartSubTitle",
"value": "{Workspace_Name}"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsDonut"
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Users accessing accounts",
"PartSubTitle": "Users and the number of times they have accessed accounts"
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"9": {
"position": {
"x": 0,
"y": 13,
"colSpan": 12,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalinsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "CyberArk_PSM | where ProcessID in (359,360,361,412,411) | summarize audit=makeset(Reason) by externalId, destinationUserName, sourceUserName\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CyberArk_{Workspace_Name}"
},
{
"name": "PartId",
"value": "80442d3e-7c13-4b75-9fc0-e9e3db1d8db9"
},
{
"name": "PartTitle",
"value": " "
},
{
"name": "PartSubTitle",
"value": "{Workspace_Name}"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsGrid"
},
{
"name": "Dimensions",
"isOptional": true
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Audit information",
"PartSubTitle": "Keystrokes and applications during PSM connections, by connection GUID"
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"10": {
"position": {
"x": 12,
"y": 13,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalinsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "CyberArk_Syslog \r\n| where ProcessID in (295,428)\r\n| where safeName contains \"ConjurSync\"\r\n| where sourceUserName contains \"Sync_components\"\r\n| summarize AggregatedValue = count() by bin(TimeGenerated, 1h)\r\n| sort by TimeGenerated desc\r\n| render timechart \n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "TimeGenerated",
"type": "DateTime"
},
"yAxis": [
{
"name": "AggregatedValue",
"type": "Int64"
}
],
"splitBy": [],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CyberArk_{Workspace_Name}"
},
{
"name": "PartId",
"value": "3c77583e-80e0-4b94-82dc-3813c7081a09"
},
{
"name": "PartTitle",
"value": " "
},
{
"name": "PartSubTitle",
"value": "{Workspace_Name}"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsChart"
},
{
"name": "SpecificChart",
"value": "Line"
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Conjur Vault syncs",
"PartSubTitle": "Number of Vault syncs to Conjur - every 2 hours"
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"11": {
"position": {
"x": 0,
"y": 0,
"colSpan": 1,
"rowSpan": 1
},
"metadata": {
"inputs": [
{
"name": "subscriptionId",
"value": "{Subscription_Id}"
},
{
"name": "resourceGroup",
"value": "{Resource_Group}"
},
{
"name": "workspaceName",
"value": "{Workspace_Name}"
},
{
"name": "dashboardName",
"value": "CyberArk"
},
{
"name": "menuItemToOpen",
"value": "Dashboards"
}
],
"type": "Extension/Microsoft_Azure_Security_Insights/PartType/AsiOverviewPart",
"defaultMenuItemId": "0"
}
}
}
}
}
}
}