
{
"name": "InsecureProtocolsDashboard_{Workspace_Name}",
"type": "Microsoft.Portal/dashboards",
"location": "{Dashboard_Location}",
"tags": {
"dashboardKey": "InsecureProtocolsDashboard",
"hidden-title": "Insecure Protocols - {Workspace_Name}",
"version": "1.5",
"workspaceName": "{Workspace_Name}"
},
"properties": {
"lenses": {
"0": {
"order": 0,
"parts": {
"0": {
"position": {
"x": 1,
"y": 0,
"colSpan": 17,
"rowSpan": 1
},
"metadata": {
"inputs": [],
"type": "Extension/HubsExtension/PartType/MarkdownPart",
"settings": {
"content": {
"settings": {
"content": "<div style='font-size:300%;'>Insecure Protocols overview</div>",
"title": "",
"subtitle": ""
}
}
}
}
},
"1": {
"position": {
"x": 0,
"y": 1,
"colSpan": 9,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}"
}
},
{
"name": "Query",
"value": "SecurityEvent\n| union Event\n| where (EventID == 2889) or (EventID == 3000 and EventLog == 'Microsoft-Windows-SMBServer/Audit') or (EventID == 4624 and AuthenticationPackageName == 'NTLM' and LmPackageName == 'NTLM V1' and Account !contains 'ANONYMOUS LOGON') or ((EventID == 4624 or EventID == 4776) and Level == 8 and PackageName contains 'WDigest')\n| summarize Count=count() by tostring(EventID)\n| extend Protocol=replace(tostring(4776), 'WDigest', replace(tostring(2889), 'Insecure LDAP', replace(tostring(4624), 'NTLM v1', replace(tostring(3000), 'SMB v1', tostring(EventID)))))\n| project Protocol, Count\n| sort by Count desc"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "Protocol",
"type": "String"
},
"yAxis": [
{
"name": "Count",
"type": "Int64"
}
],
"splitBy": [],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/InsecureProtocolsDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "ebb45159-813b-4474-9317-b4b092adbe9f"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": "{Workspace_Name}"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsDonut"
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Insecure protocols",
"PartSubTitle": "Summary"
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"2": {
"position": {
"x": 9,
"y": 1,
"colSpan": 9,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}"
}
},
{
"name": "Query",
"value": "SecurityEvent\n| union Event\n| where (EventID == 2889) or (EventID == 3000 and EventLog == 'Microsoft-Windows-SMBServer/Audit') or (EventID == 4624 and AuthenticationPackageName == 'NTLM' and LmPackageName == 'NTLM V1' and Account !contains 'ANONYMOUS LOGON') or ((EventID == 4624 or EventID == 4776) and Level == 8 and PackageName contains 'WDigest')\n| summarize Count=count() by bin(TimeGenerated, 1h), tostring(EventID)\n| extend Protocol=replace(tostring(4776), 'WDigest', replace(tostring(2889), 'Insecure LDAP', replace(tostring(4624), 'NTLM v1', replace(tostring(3000), 'SMB v1', tostring(EventID)))))\n| project Protocol, Count, TimeGenerated \n| sort by Count desc"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "TimeGenerated",
"type": "DateTime"
},
"yAxis": [
{
"name": "Count",
"type": "Int64"
}
],
"splitBy": [
{
"name": "Protocol",
"type": "String"
}
],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/InsecureProtocolsDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "0b7eee52-acc4-4c65-be21-18240391bffd"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": "{Workspace_Name}"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsChart"
},
{
"name": "SpecificChart",
"value": "Area"
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Insecure protocols, by time",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"3": {
"position": {
"x": 0,
"y": 5,
"colSpan": 18,
"rowSpan": 1
},
"metadata": {
"inputs": [],
"type": "Extension/HubsExtension/PartType/MarkdownPart",
"settings": {
"content": {
"settings": {
"content": "<div style='font-size:300%;'>Insecure LDAP</div>",
"title": "",
"subtitle": ""
}
}
}
}
},
"4": {
"position": {
"x": 0,
"y": 6,
"colSpan": 5,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}"
}
},
{
"name": "Query",
"value": "Event \n | where EventID == 2889 \n | project ParameterXml, DomainController=Computer , TimeGenerated, EventID \n | parse ParameterXml with * '<Param>' IPAddress ':' * \n | parse ParameterXml with * '><Param>' Account '</' * \n | parse kind = regex ParameterXml with * '</Param><Param>' * '</Param><Param>' BindingType '</Param>' \n | summarize QueryCount = count(EventID) by LDAPClient=IPAddress \n | top 10 by QueryCount \n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "LDAPClient",
"type": "String"
},
"yAxis": [
{
"name": "QueryCount",
"type": "Int64"
}
],
"splitBy": [],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/InsecureProtocolsDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "25e0aa7a-4784-4893-a6ac-c1c2e18839a2"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": "{Workspace_Name}"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsDonut"
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Insecure LDAP, by client",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"5": {
"position": {
"x": 5,
"y": 6,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}"
}
},
{
"name": "Query",
"value": "Event \n | where EventID == 2889 \n | project ParameterXml, DomainController=Computer , TimeGenerated, EventID \n | parse ParameterXml with * '<Param>' IPAddress ':' * \n | parse ParameterXml with * '><Param>' Account '</' * \n | parse kind = regex ParameterXml with * '</Param><Param>' * '</Param><Param>' BindingType '</Param>' \n | summarize QueryCount = count(EventID) by HourGenerated=bin(TimeGenerated, 1h) \n | render timechart \n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "HourGenerated",
"type": "DateTime"
},
"yAxis": [
{
"name": "QueryCount",
"type": "Int64"
}
],
"splitBy": [],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/InsecureProtocolsDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "0adc552d-b2e8-4d63-b737-b603fd106db1"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": "{Workspace_Name}"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsChart"
},
{
"name": "SpecificChart",
"value": "Area"
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Insecure LDAP, by time",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"6": {
"position": {
"x": 11,
"y": 6,
"colSpan": 7,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}"
}
},
{
"name": "Query",
"value": "Event \n | where EventID == 2889 \n | project ParameterXml, DomainController=Computer , TimeGenerated, EventID \n | parse ParameterXml with * '<Param>' IPAddress ':' * \n | parse ParameterXml with * '><Param>' Account '</' * \n | parse kind = regex ParameterXml with * '</Param><Param>' * '</Param><Param>' BindingType '</Param>' \n | summarize QueryCount = count(EventID) by Account, IPAddress \n | sort by QueryCount desc nulls last \n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/InsecureProtocolsDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "c610b568-f3dd-43cd-875b-37be59cba1fb"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": "{Workspace_Name}"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsGrid"
},
{
"name": "Dimensions",
"isOptional": true
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Insecure LDAP event details",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"7": {
"position": {
"x": 0,
"y": 10,
"colSpan": 18,
"rowSpan": 1
},
"metadata": {
"inputs": [],
"type": "Extension/HubsExtension/PartType/MarkdownPart",
"settings": {
"content": {
"settings": {
"content": "<div style='font-size:300%;'>NTLM v1</div>",
"title": "",
"subtitle": ""
}
}
}
}
},
"8": {
"position": {
"x": 0,
"y": 11,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}"
}
},
{
"name": "Query",
"value": "SecurityEvent \n| where EventID == 4624 \n| where AuthenticationPackageName == 'NTLM' \n| where LmPackageName == 'NTLM V1' \n| where Account !contains 'ANONYMOUS LOGON' \n| summarize Count = count() by WorkstationName, Computer \n| top 5 by Count desc \n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "WorkstationName",
"type": "String"
},
"yAxis": [
{
"name": "Count",
"type": "Int64"
}
],
"splitBy": [
{
"name": "Computer",
"type": "String"
}
],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/InsecureProtocolsDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "b9ee7aa7-5f15-45d5-9639-03629fd5ef5e"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": "{Workspace_Name}"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsChart"
},
{
"name": "SpecificChart",
"value": "Bar"
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "NTLM v1 events, by source and server",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"9": {
"position": {
"x": 6,
"y": 11,
"colSpan": 5,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}"
}
},
{
"name": "Query",
"value": "SecurityEvent \n| where EventID == 4624 \n| where AuthenticationPackageName == 'NTLM' \n| where LmPackageName == 'NTLM V1' \n| where Account !contains 'ANONYMOUS LOGON' \n| summarize Count=count() by Day=bin(TimeGenerated, 1h) \n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "Day",
"type": "DateTime"
},
"yAxis": [
{
"name": "Count",
"type": "Int64"
}
],
"splitBy": [],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/InsecureProtocolsDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "acc6ded7-f670-4198-b62c-b76bafb68b4e"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": "{Workspace_Name}"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsChart"
},
{
"name": "SpecificChart",
"value": "Area"
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "NTLM v1 events, by time",
"PartSubTitle": ""
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"10": {
"position": {
"x": 11,
"y": 11,
"colSpan": 7,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}"
}
},
{
"name": "Query",
"value": "SecurityEvent \n| where EventID == 4624 \n| where AuthenticationPackageName == 'NTLM' \n| where LmPackageName == 'NTLM V1' \n| where Account !contains 'ANONYMOUS LOGON' \n| summarize Count = count() by Account, WorkstationName, DC=Computer \n| sort by Count desc \n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/InsecureProtocolsDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "9f987061-5241-42e6-9cd0-5a00428d7d22"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": "{Workspace_Name}"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsGrid"
},
{
"name": "Dimensions",
"isOptional": true
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "NTLM v1 event details",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"11": {
"position": {
"x": 0,
"y": 15,
"colSpan": 18,
"rowSpan": 1
},
"metadata": {
"inputs": [],
"type": "Extension/HubsExtension/PartType/MarkdownPart",
"settings": {
"content": {
"settings": {
"content": "<div style='font-size:300%;'>SMB v1</div>",
"title": "",
"subtitle": ""
}
}
}
}
},
"12": {
"position": {
"x": 0,
"y": 16,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}"
}
},
{
"name": "Query",
"value": "Event \n| where EventID == 3000 and EventLog == 'Microsoft-Windows-SMBServer/Audit' \n| parse ParameterXml with * '<Param>' ClientAddress '</' * \n| extend Client = replace(@'>', @'', replace(@'\\]', @'', replace(@'\\[', @'', replace(@'<!\\[CDATA', @'', ClientAddress)))) \n| summarize Count=count() by Client, SMBServer=Computer \n| top 5 by Count desc nulls last \n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "Client",
"type": "String"
},
"yAxis": [
{
"name": "Count",
"type": "Int64"
}
],
"splitBy": [
{
"name": "SMBServer",
"type": "String"
}
],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/InsecureProtocolsDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "8ce8d889-1a10-487e-a5b2-de28f20016f0"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": "{Workspace_Name}"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsChart"
},
{
"name": "SpecificChart",
"value": "Bar"
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "SMB v1 events, by client and SMB server",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"13": {
"position": {
"x": 6,
"y": 16,
"colSpan": 5,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}"
}
},
{
"name": "Query",
"value": "Event \n| where EventID == 3000 and EventLog == 'Microsoft-Windows-SMBServer/Audit' \n| parse ParameterXml with * '<Param>' ClientAddress '</' * \n| summarize Count=count() by bin(TimeGenerated, 1h) \n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "TimeGenerated",
"type": "DateTime"
},
"yAxis": [
{
"name": "Count",
"type": "Int64"
}
],
"splitBy": [],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/InsecureProtocolsDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "909a8543-d3b9-481e-94ef-058920acce9a"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": "{Workspace_Name}"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsChart"
},
{
"name": "SpecificChart",
"value": "Area"
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "SMB v1 events, by time",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"14": {
"position": {
"x": 11,
"y": 16,
"colSpan": 7,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}"
}
},
{
"name": "Query",
"value": "Event\n| where EventID == 3000 and EventLog == 'Microsoft-Windows-SMBServer/Audit'\n| parse ParameterXml with * '<Param>' ClientAddress '</' *\n| extend Client = replace(@'>', @'', replace(@'\\]', @'', replace(@'\\[', @'', replace(@'<!\\[CDATA', @'', ClientAddress))))\n| summarize Count=count() by Client, SMBServer=Computer\n| sort by Count desc\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/InsecureProtocolsDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "f2f1e9a2-a186-4904-bccc-0ef089eef067"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": "{Workspace_Name}"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsGrid"
},
{
"name": "Dimensions",
"isOptional": true
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "SMB v1 event details",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"15": {
"position": {
"x": 0,
"y": 20,
"colSpan": 18,
"rowSpan": 1
},
"metadata": {
"inputs": [],
"type": "Extension/HubsExtension/PartType/MarkdownPart",
"settings": {
"content": {
"settings": {
"content": "<div style='font-size:240%;'>Kerberos weak ciphers</div>",
"title": "",
"subtitle": ""
}
}
}
}
},
"16": {
"position": {
"x": 0,
"y": 21,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}"
}
},
{
"name": "Query",
"value": "SecurityEvent\r\n| where EventID == 4768 or EventID == 4769\r\n| where Level == 8\r\n| parse EventData with * '\"TicketEncryptionType\">' TicketEncryptionType '<' *\r\n| where TicketEncryptionType != \"0x12\" and TicketEncryptionType != \"0x11\" //AES128/256, this filter needs to be activated\r\n//| where TicketEncryptionType != \"0x17\" //RC4\r\n| parse EventData with * '\"IpAddress\">' IpAddress '<' *\r\n| parse EventData with * '\"TargetUserName\">' TargetUserName '<' *\r\n| parse EventData with * '\"ServiceName\">' ServiceName '<' *\r\n| extend Cipher=replace('0x18$', 'RC4-HMAC-EXP', replace('0x12$', 'AES256-CTS-HMAC-SHA1', replace('0x11$', 'AES128-CTS-HMAC-SHA1', replace('0x1$', 'DES_CBC_CRC', replace('0x2$', 'DES_CBC_MD4', replace('0x7$', 'DES3_CBC_SHA1', replace('0x5$', 'DES3_CBC_MD5', replace('0x3$', 'DES_CBC_MD5', replace('0x17$', 'RC4_HMAC', TicketEncryptionType)))))))))\r\n| summarize Count=count() by Cipher, bin(TimeGenerated, 1h)\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "TimeGenerated",
"type": "DateTime"
},
"yAxis": [
{
"name": "Count",
"type": "Int64"
}
],
"splitBy": [
{
"name": "Cipher",
"type": "String"
}
],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/InsecureProtocolsDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "c0d62167-5b61-4df1-8d55-10112f7cde71"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": "{Workspace_Name}"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsChart"
},
{
"name": "SpecificChart",
"value": "Area"
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Kerberos weak ciphers, by time and cipher",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"17": {
"position": {
"x": 6,
"y": 21,
"colSpan": 12,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}"
}
},
{
"name": "Query",
"value": "SecurityEvent\r\n| where EventID == 4768 or EventID == 4769\r\n| where Level == 8\r\n| parse EventData with * '\"TicketEncryptionType\">' TicketEncryptionType '<' *\r\n| where TicketEncryptionType != \"0x12\" and TicketEncryptionType != \"0x11\" //AES128/256, this filter needs to be activated\r\n//| where TicketEncryptionType != \"0x17\" //RC4\r\n| parse EventData with * '\"IpAddress\">' IpAddress '<' *\r\n| parse EventData with * '\"TargetUserName\">' TargetUserName '<' *\r\n| parse EventData with * '\"ServiceName\">' ServiceName '<' *\r\n| extend Cipher=replace('0x18$', 'RC4-HMAC-EXP', replace('0x12$', 'AES256-CTS-HMAC-SHA1', replace('0x11$', 'AES128-CTS-HMAC-SHA1', replace('0x1$', 'DES_CBC_CRC', replace('0x2$', 'DES_CBC_MD4', replace('0x7$', 'DES3_CBC_SHA1', replace('0x5$', 'DES3_CBC_MD5', replace('0x3$', 'DES_CBC_MD5', replace('0x17$', 'RC4_HMAC', TicketEncryptionType)))))))))\r\n| summarize Count=count() by Cipher, IpAddress, TargetUserName , ServiceName, Computer\r\n| sort by Count desc\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/InsecureProtocolsDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "1625086b-bdb4-4b52-a062-68712b6a2e06"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": "{Workspace_Name}"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsGrid"
},
{
"name": "Dimensions",
"isOptional": true
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Kerberos weak ciphers event details",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"18": {
"position": {
"x": 0,
"y": 25,
"colSpan": 18,
"rowSpan": 1
},
"metadata": {
"inputs": [],
"type": "Extension/HubsExtension/PartType/MarkdownPart",
"settings": {
"content": {
"settings": {
"content": "<div style='font-size:300%;'>WDigest</div>",
"title": "",
"subtitle": ""
}
}
}
}
},
"19": {
"position": {
"x": 0,
"y": 26,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}"
}
},
{
"name": "Query",
"value": "SecurityEvent \n| where EventID == 4624 or EventID == 4776 \n| where Level == 8 \n| where PackageName contains 'WDigest' \n| summarize Count=count() by Workstation, TargetAccount \n| sort by Count desc \n| top 5 by Count\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "Workstation",
"type": "String"
},
"yAxis": [
{
"name": "Count",
"type": "Int64"
}
],
"splitBy": [
{
"name": "TargetAccount",
"type": "String"
}
],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/InsecureProtocolsDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "08013eb2-b7e9-4f53-bd35-381c417193bc"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": "{Workspace_Name}"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsChart"
},
{
"name": "SpecificChart",
"value": "Bar"
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "WDigest, by workstation and account",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"20": {
"position": {
"x": 6,
"y": 26,
"colSpan": 5,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}"
}
},
{
"name": "Query",
"value": "SecurityEvent \n| where EventID == 4624 or EventID == 4776 \n| where Level == 8 \n| where PackageName contains 'WDigest' \n| summarize Count=count() by bin(TimeGenerated, 1h), Workstation\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "TimeGenerated",
"type": "DateTime"
},
"yAxis": [
{
"name": "Count",
"type": "Int64"
}
],
"splitBy": [
{
"name": "Workstation",
"type": "String"
}
],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/InsecureProtocolsDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "0106ca3e-973c-4838-b828-e609a9281464"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": "{Workspace_Name}"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsChart"
},
{
"name": "SpecificChart",
"value": "Area"
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "WDigest, by time and workstation",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"21": {
"position": {
"x": 11,
"y": 26,
"colSpan": 7,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}"
}
},
{
"name": "Query",
"value": "SecurityEvent\n| where EventID == 4624 or EventID == 4776\n| where Level == 8\n| where PackageName contains 'WDigest'\n| summarize Count=count() by TargetAccount, Workstation, WDigestServer=Computer \n| sort by Count desc"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/InsecureProtocolsDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "8c0206a5-c57f-4dd6-8b48-47527cb850aa"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": "{Workspace_Name}"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsGrid"
},
{
"name": "Dimensions",
"isOptional": true
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "WDigest event details",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"22": {
"position": {
"x": 0,
"y": 30,
"colSpan": 18,
"rowSpan": 1
},
"metadata": {
"inputs": [],
"type": "Extension/HubsExtension/PartType/MarkdownPart",
"settings": {
"content": {
"settings": {
"content": "<div style='font-size:300%;'>Azure AD Legacy Auth</div>",
"title": "",
"subtitle": ""
}
}
}
}
},
"23": {
"position": {
"x": 0,
"y": 31,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourceGroups/{Resource_Group}/providers/Microsoft.OperationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "SigninLogs\n| where ClientAppUsed in ('Other clients; Older Office clients', 'Other clients', 'Other clients; IMAP', 'Other clients; POP', 'Other clients; SMTP')\n| summarize count() by UserPrincipalName, ClientAppUsed //doughnut\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "UserPrincipalName",
"type": "String"
},
"yAxis": [
{
"name": "count_",
"type": "Int64"
}
],
"splitBy": [],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "PartId",
"value": "a6f55611-9627-4eb0-981e-11332cb08bdb"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": "{Workspace_Name}"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsDonut"
},
{
"name": "DashboardId",
"isOptional": true
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Legacy Auth",
"PartSubTitle": "by Account"
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"24": {
"position": {
"x": 6,
"y": 31,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourceGroups/{Resource_Group}/providers/Microsoft.OperationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "SigninLogs\n| where ClientAppUsed in ('Other clients; Older Office clients', 'Other clients', 'Other clients; IMAP', 'Other clients; POP', 'Other clients; SMTP')\n| summarize count() by IPAddress,ClientAppUsed //doughnut\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "IPAddress",
"type": "String"
},
"yAxis": [
{
"name": "count_",
"type": "Int64"
}
],
"splitBy": [],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "PartId",
"value": "38344e79-7899-4458-b34b-acbc2f36892d"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": "{Workspace_Name}"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsDonut"
},
{
"name": "DashboardId",
"isOptional": true
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Legacy Auth",
"PartSubTitle": "by IP Address"
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"25": {
"position": {
"x": 12,
"y": 31,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourceGroups/{Resource_Group}/providers/Microsoft.OperationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "SigninLogs\n| where ClientAppUsed in ('Other clients; Older Office clients', 'Other clients', 'Other clients; IMAP', 'Other clients; POP', 'Other clients; SMTP')\n| summarize count() by tostring(CountryOrRegion=LocationDetails.countryOrRegion), ClientAppUsed //bar\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "CountryOrRegion",
"type": "String"
},
"yAxis": [
{
"name": "count_",
"type": "Int64"
}
],
"splitBy": [
{
"name": "ClientAppUsed",
"type": "String"
}
],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "PartId",
"value": "02c16520-afd1-4ec0-8389-36d8da128c1d"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": "{Workspace_Name}"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsChart"
},
{
"name": "SpecificChart",
"value": "Bar"
},
{
"name": "DashboardId",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Legacy Auth",
"PartSubTitle": "by Country/Region"
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"26": {
"position": {
"x": 18,
"y": 31,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourceGroups/{Resource_Group}/providers/Microsoft.OperationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "SigninLogs\n| where ClientAppUsed in ('Other clients; Older Office clients', 'Other clients', 'Other clients; IMAP', 'Other clients; POP', 'Other clients; SMTP')\n| summarize count() by ClientAppUsed, UserPrincipalName //bar\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "ClientAppUsed",
"type": "String"
},
"yAxis": [
{
"name": "count_",
"type": "Int64"
}
],
"splitBy": [
{
"name": "UserPrincipalName",
"type": "String"
}
],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "PartId",
"value": "9dbdaf50-5a4a-4fdc-a20c-62a8bc32de2e"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": "{Workspace_Name}"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsChart"
},
{
"name": "SpecificChart",
"value": "Bar"
},
{
"name": "DashboardId",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Legacy Auth",
"PartSubTitle": "by AuthType"
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"27": {
"position": {
"x": 24,
"y": 31,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourceGroups/{Resource_Group}/providers/Microsoft.OperationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "SigninLogs\n| where ClientAppUsed in ('Other clients; Older Office clients', 'Other clients', 'Other clients; IMAP', 'Other clients; POP', 'Other clients; SMTP')\n| summarize count() by UserPrincipalName, IPAddress, ClientAppUsed //table\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "PartId",
"value": "90229a52-d557-454c-ab57-1eba91c87638"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": "{Workspace_Name}"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsGrid"
},
{
"name": "Dimensions",
"isOptional": true
},
{
"name": "DashboardId",
"isOptional": true
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Legacy Auth",
"PartSubTitle": "Details"
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"28": {
"position": {
"x": 0,
"y": 0,
"colSpan": 1,
"rowSpan": 1
},
"metadata": {
"inputs": [
{
"name": "subscriptionId",
"value": "{Subscription_Id}"
},
{
"name": "resourceGroup",
"value": "{Resource_Group}"
},
{
"name": "workspaceName",
"value": "{Workspace_Name}"
},
{
"name": "dashboardName",
"value": "InsecureProtocolsDashboard"
},
{
"name": "menuItemToOpen",
"value": "Dashboards"
}
],
"type": "Extension/Microsoft_Azure_Security_Insights/PartType/AsiOverviewPart",
"defaultMenuItemId": "0"
}
}
}
}
}
}
}