611 строки
53 KiB
JSON
611 строки
53 KiB
JSON
{
|
|
"name": "SymantecThreatsOverviewDashboard_{Workspace_Name}",
|
|
"type": "Microsoft.Portal/dashboards",
|
|
"location": "{Dashboard_Location}",
|
|
"tags": {
|
|
"dashboardKey": "SymantecThreatsOverviewDashboard",
|
|
"hidden-title": "Symantec Threats Overview Dashboard - {Workspace_Name}",
|
|
"version": "1.5",
|
|
"workspaceName": "{Workspace_Name}"
|
|
},
|
|
"properties": {
|
|
"lenses": {
|
|
"0": {
|
|
"order": 0,
|
|
"parts": {
|
|
"0": {
|
|
"position": {
|
|
"x": 0,
|
|
"y": 0,
|
|
"colSpan": 1,
|
|
"rowSpan": 1
|
|
},
|
|
"metadata": {
|
|
"inputs": [
|
|
{
|
|
"name": "subscriptionId",
|
|
"value": "{Subscription_Id}"
|
|
},
|
|
{
|
|
"name": "resourceGroup",
|
|
"value": "{Resource_Group}"
|
|
},
|
|
{
|
|
"name": "workspaceName",
|
|
"value": "{Workspace_Name}"
|
|
},
|
|
{
|
|
"name": "dashboardName",
|
|
"value": "SymantecThreatsOverviewDashboard"
|
|
},
|
|
{
|
|
"name": "menuItemToOpen",
|
|
"value": "Dashboards"
|
|
}
|
|
],
|
|
"type": "Extension/Microsoft_Azure_Security_Insights/PartType/AsiOverviewPart",
|
|
"defaultMenuItemId": "0"
|
|
}
|
|
},
|
|
"1": {
|
|
"position": {
|
|
"x": 1,
|
|
"y": 0,
|
|
"colSpan": 18,
|
|
"rowSpan": 1
|
|
},
|
|
"metadata": {
|
|
"inputs": [],
|
|
"type": "Extension/HubsExtension/PartType/MarkdownPart",
|
|
"settings": {
|
|
"content": {
|
|
"settings": {
|
|
"content": "<div style='font-size:300%;'>Symantec Threats Overview</div>\n",
|
|
"title": "",
|
|
"subtitle": ""
|
|
}
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"2": {
|
|
"position": {
|
|
"x": 19,
|
|
"y": 0,
|
|
"colSpan": 2,
|
|
"rowSpan": 1
|
|
},
|
|
"metadata": {
|
|
"inputs": [],
|
|
"type": "Extension/HubsExtension/PartType/MarkdownPart",
|
|
"settings": {
|
|
"content": {
|
|
"settings": {
|
|
"content": "<img width='65' height='55' src='https://www.symantec.com/content/dam/symantec/images/about/logo-symantec-vertical.png '/> \n\n\n",
|
|
"title": "",
|
|
"subtitle": ""
|
|
}
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"3": {
|
|
"position": {
|
|
"x": 0,
|
|
"y": 1,
|
|
"colSpan": 7,
|
|
"rowSpan": 4
|
|
},
|
|
"metadata": {
|
|
"inputs": [
|
|
{
|
|
"name": "ComponentId",
|
|
"value": {
|
|
"SubscriptionId": "{Subscription_Id}",
|
|
"ResourceGroup": "{Resource_Group}",
|
|
"Name": "{Workspace_Name}"
|
|
}
|
|
},
|
|
{
|
|
"name": "Query",
|
|
"value": "SymantecICDx_CL\n| where connection_url_path_s <> \"\"\n| where threat_id_d <> \"\" and threat_name_s <> \"\" and threat_type_id_d <> \"\" \n| where (category_id_d == 1 and (type_id_d==8031 or type_id_d==8046 or type_id_d==8028 or type_id_d==8021)) or\n (category_id_d == 1 and (type_id_d==8040 or type_id_d==8050))\n| summarize Count=count() by URL=connection_url_path_s\n| sort by Count desc \n| top 20 by Count desc\n"
|
|
},
|
|
{
|
|
"name": "TimeRange",
|
|
"value": "P1D"
|
|
},
|
|
{
|
|
"name": "Version",
|
|
"value": "1.0"
|
|
},
|
|
{
|
|
"name": "DashboardId",
|
|
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/SymantecTreatsOverviewDashboard_{Workspace_Name}"
|
|
},
|
|
{
|
|
"name": "PartId",
|
|
"value": "308dfa98-a6f1-4ee9-a1a9-4187c757e9f2"
|
|
},
|
|
{
|
|
"name": "PartTitle",
|
|
"value": "Analytics"
|
|
},
|
|
{
|
|
"name": "PartSubTitle",
|
|
"value": "{Workspace_Name}"
|
|
},
|
|
{
|
|
"name": "resourceTypeMode",
|
|
"value": "workspace"
|
|
},
|
|
{
|
|
"name": "ControlType",
|
|
"value": "AnalyticsGrid"
|
|
},
|
|
{
|
|
"name": "Dimensions",
|
|
"isOptional": true
|
|
},
|
|
{
|
|
"name": "SpecificChart",
|
|
"isOptional": true
|
|
}
|
|
],
|
|
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
|
|
"settings": {
|
|
"content": {
|
|
"PartTitle": "Top 20 malicious URLs",
|
|
"PartSubTitle": "Symantec Integrated Cyber Defense",
|
|
"Query": "SymantecICDx_CL\n| where connection_url_path_s <> \"\"\n| where threat_id_d <> \"\" and threat_name_s <> \"\" and threat_type_id_d <> \"\" \n| where (category_id_d == 1 and (type_id_d==8031 or type_id_d==8046 or type_id_d==8028 or type_id_d==8021)) or\n (category_id_d == 1 and (type_id_d==8040 or type_id_d==8050))\n| summarize Count=count() by URL=connection_url_path_s\n| sort by Count desc \n| top 20 by Count desc\n"
|
|
}
|
|
},
|
|
"asset": {
|
|
"idInputName": "ComponentId",
|
|
"type": "ApplicationInsights"
|
|
}
|
|
}
|
|
},
|
|
"4": {
|
|
"position": {
|
|
"x": 7,
|
|
"y": 1,
|
|
"colSpan": 7,
|
|
"rowSpan": 4
|
|
},
|
|
"metadata": {
|
|
"inputs": [
|
|
{
|
|
"name": "ComponentId",
|
|
"value": {
|
|
"SubscriptionId": "{Subscription_Id}",
|
|
"ResourceGroup": "{Resource_Group}",
|
|
"Name": "{Workspace_Name}"
|
|
}
|
|
},
|
|
{
|
|
"name": "Query",
|
|
"value": "SymantecICDx_CL\n| where file_name_s <> \"\"\n| where threat_id_d <> \"\" and threat_name_s <> \"\" and threat_type_id_d <> \"\" \n| where (category_id_d == 1 and (type_id_d==8031 or type_id_d==8046 or type_id_d==8028 or type_id_d==8021))\n| summarize Count=count() by File_Name=file_name_s\n| sort by Count desc \n| top 20 by Count desc\n"
|
|
},
|
|
{
|
|
"name": "TimeRange",
|
|
"value": "P1D"
|
|
},
|
|
{
|
|
"name": "Version",
|
|
"value": "1.0"
|
|
},
|
|
{
|
|
"name": "DashboardId",
|
|
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/SymantecTreatsOverviewDashboard_{Workspace_Name}"
|
|
},
|
|
{
|
|
"name": "PartId",
|
|
"value": "b23aeb9d-a81d-489f-b35e-beaff53339fc"
|
|
},
|
|
{
|
|
"name": "PartTitle",
|
|
"value": "Analytics"
|
|
},
|
|
{
|
|
"name": "PartSubTitle",
|
|
"value": "{Workspace_Name}"
|
|
},
|
|
{
|
|
"name": "resourceTypeMode",
|
|
"value": "workspace"
|
|
},
|
|
{
|
|
"name": "ControlType",
|
|
"value": "AnalyticsGrid"
|
|
},
|
|
{
|
|
"name": "Dimensions",
|
|
"isOptional": true
|
|
},
|
|
{
|
|
"name": "SpecificChart",
|
|
"isOptional": true
|
|
}
|
|
],
|
|
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
|
|
"settings": {
|
|
"content": {
|
|
"PartTitle": "Top 20 malicious files",
|
|
"PartSubTitle": "Symantec Integrated Cyber Defense",
|
|
"Query": "SymantecICDx_CL\n| where file_name_s <> \"\"\n| where threat_id_d <> \"\" and threat_name_s <> \"\" and threat_type_id_d <> \"\" \n| where (category_id_d == 1 and (type_id_d==8031 or type_id_d==8046 or type_id_d==8028 or type_id_d==8021))\n| summarize Count=count() by File_Name=file_name_s\n| sort by Count desc \n| top 20 by Count desc\n",
|
|
"GridColumnsWidth": {
|
|
"File_Name": "521px",
|
|
"Count": "343px"
|
|
}
|
|
}
|
|
},
|
|
"asset": {
|
|
"idInputName": "ComponentId",
|
|
"type": "ApplicationInsights"
|
|
}
|
|
}
|
|
},
|
|
"5": {
|
|
"position": {
|
|
"x": 14,
|
|
"y": 1,
|
|
"colSpan": 7,
|
|
"rowSpan": 8
|
|
},
|
|
"metadata": {
|
|
"inputs": [
|
|
{
|
|
"name": "ComponentId",
|
|
"value": {
|
|
"SubscriptionId": "{Subscription_Id}",
|
|
"ResourceGroup": "{Resource_Group}",
|
|
"Name": "{Workspace_Name}"
|
|
}
|
|
},
|
|
{
|
|
"name": "Query",
|
|
"value": "SymantecICDx_CL\n| where threat_id_d <> \"\" and threat_name_s <> \"\" and threat_type_id_d <> \"\" \n| where (category_id_d == 1 and (type_id_d==8031 or type_id_d==8046 or type_id_d==8028 or type_id_d==8021))\n| summarize Count=count() by Source_IP=connection_src_ip_s, bin(TimeGenerated, 1h)\n| sort by Count desc \n| top 10 by Count desc\n| render timechart \n"
|
|
},
|
|
{
|
|
"name": "TimeRange",
|
|
"value": "P1D"
|
|
},
|
|
{
|
|
"name": "Dimensions",
|
|
"value": {
|
|
"xAxis": {
|
|
"name": "TimeGenerated",
|
|
"type": "DateTime"
|
|
},
|
|
"yAxis": [
|
|
{
|
|
"name": "Count",
|
|
"type": "Int64"
|
|
}
|
|
],
|
|
"splitBy": [
|
|
{
|
|
"name": "Source_IP",
|
|
"type": "String"
|
|
}
|
|
],
|
|
"aggregation": "Sum"
|
|
}
|
|
},
|
|
{
|
|
"name": "Version",
|
|
"value": "1.0"
|
|
},
|
|
{
|
|
"name": "DashboardId",
|
|
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/SymantecTreatsOverviewDashboard_{Workspace_Name}"
|
|
},
|
|
{
|
|
"name": "PartId",
|
|
"value": "345ccb29-8a8b-4f7f-89b5-bdf9bae5500b"
|
|
},
|
|
{
|
|
"name": "PartTitle",
|
|
"value": "Analytics"
|
|
},
|
|
{
|
|
"name": "PartSubTitle",
|
|
"value": "{Workspace_Name}"
|
|
},
|
|
{
|
|
"name": "resourceTypeMode",
|
|
"value": "workspace"
|
|
},
|
|
{
|
|
"name": "ControlType",
|
|
"value": "AnalyticsChart"
|
|
},
|
|
{
|
|
"name": "SpecificChart",
|
|
"value": "Line"
|
|
}
|
|
],
|
|
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
|
|
"settings": {
|
|
"content": {
|
|
"PartTitle": "Top 10 malicious sources",
|
|
"PartSubTitle": "Symantec Integrated Cyber Defense",
|
|
"Query": "let TopMaliciousSource = SymantecICDx_CL\n| where connection_src_ip_s <> \"\"\n| where threat_id_d <> \"\" and threat_name_s <> \"\" and threat_type_id_d <> \"\" \n| where (category_id_d == 1 and (type_id_d==8031 or type_id_d==8046 or type_id_d==8028 or type_id_d==8021))\n| summarize Count = sum(count_d) by Source_IP=connection_src_ip_s\n| sort by Count desc\n| limit 10 \n| project Source_IP;\nSymantecICDx_CL\n| where connection_src_ip_s <> \"\"\n| where threat_id_d <> \"\" and threat_name_s <> \"\" and threat_type_id_d <> \"\" \n| where (category_id_d == 1 and (type_id_d==8031 or type_id_d==8046 or type_id_d==8028 or type_id_d==8021))\n| where connection_src_ip_s in (TopMaliciousSource)\n| summarize Count= sum(count_d) by Source_IP=connection_src_ip_s, bin(TimeGenerated, 1h)\n| render timechart"
|
|
}
|
|
},
|
|
"asset": {
|
|
"idInputName": "ComponentId",
|
|
"type": "ApplicationInsights"
|
|
}
|
|
}
|
|
},
|
|
"6": {
|
|
"position": {
|
|
"x": 0,
|
|
"y": 5,
|
|
"colSpan": 7,
|
|
"rowSpan": 4
|
|
},
|
|
"metadata": {
|
|
"inputs": [
|
|
{
|
|
"name": "ComponentId",
|
|
"value": {
|
|
"SubscriptionId": "{Subscription_Id}",
|
|
"ResourceGroup": "{Resource_Group}",
|
|
"Name": "{Workspace_Name}"
|
|
}
|
|
},
|
|
{
|
|
"name": "Query",
|
|
"value": "SymantecICDx_CL\n| where threat_id_d <> \"\" and threat_name_s <> \"\" and threat_type_id_d <> \"\" \n| where (category_id_d == 1 and (type_id_d==8031 or type_id_d==8046 or type_id_d==8028 or type_id_d==8021))\n| summarize Count=count() by Device_Ip=device_ip_s, bin(TimeGenerated, 1h)\n| sort by Count desc \n| top 10 by Count desc\n| render timechart \n"
|
|
},
|
|
{
|
|
"name": "TimeRange",
|
|
"value": "P1D"
|
|
},
|
|
{
|
|
"name": "Dimensions",
|
|
"value": {
|
|
"xAxis": {
|
|
"name": "TimeGenerated",
|
|
"type": "DateTime"
|
|
},
|
|
"yAxis": [
|
|
{
|
|
"name": "Count",
|
|
"type": "Int64"
|
|
}
|
|
],
|
|
"splitBy": [
|
|
{
|
|
"name": "Device_Ip",
|
|
"type": "String"
|
|
}
|
|
],
|
|
"aggregation": "Sum"
|
|
}
|
|
},
|
|
{
|
|
"name": "Version",
|
|
"value": "1.0"
|
|
},
|
|
{
|
|
"name": "DashboardId",
|
|
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/SymantecTreatsOverviewDashboard_{Workspace_Name}"
|
|
},
|
|
{
|
|
"name": "PartId",
|
|
"value": "b8d0b412-f12b-4112-8bd1-2bdde8f12dc0"
|
|
},
|
|
{
|
|
"name": "PartTitle",
|
|
"value": "Analytics"
|
|
},
|
|
{
|
|
"name": "PartSubTitle",
|
|
"value": "{Workspace_Name}"
|
|
},
|
|
{
|
|
"name": "resourceTypeMode",
|
|
"value": "workspace"
|
|
},
|
|
{
|
|
"name": "ControlType",
|
|
"value": "AnalyticsChart"
|
|
},
|
|
{
|
|
"name": "SpecificChart",
|
|
"value": "Line"
|
|
}
|
|
],
|
|
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
|
|
"settings": {
|
|
"content": {
|
|
"PartTitle": "Top 10 risky Endpoints",
|
|
"PartSubTitle": "Symantec Integrated Cyber Defense",
|
|
"Query": "let TopDevices = SymantecICDx_CL\n| where device_ip_s <> \"\"\n| where threat_id_d <> \"\" and threat_name_s <> \"\" and threat_type_id_d <> \"\" \n| where (category_id_d == 1 and (type_id_d==8031 or type_id_d==8046 or type_id_d==8028 or type_id_d==8021))\n| summarize Count = sum(count_d) by Device_Ip=device_ip_s\n| sort by Count desc\n| limit 10 \n| project Device_Ip;\nSymantecICDx_CL\n| where device_ip_s <> \"\" \n| where threat_id_d <> \"\" and threat_name_s <> \"\" and threat_type_id_d <> \"\" \n| where (category_id_d == 1 and (type_id_d==8031 or type_id_d==8046 or type_id_d==8028 or type_id_d==8021))\n| where device_ip_s in (TopDevices)\n| summarize Count = sum(count_d) by Device_Ip=device_ip_s, bin(TimeGenerated, 1h)\n| render timechart"
|
|
}
|
|
},
|
|
"asset": {
|
|
"idInputName": "ComponentId",
|
|
"type": "ApplicationInsights"
|
|
}
|
|
}
|
|
},
|
|
"7": {
|
|
"position": {
|
|
"x": 7,
|
|
"y": 5,
|
|
"colSpan": 7,
|
|
"rowSpan": 4
|
|
},
|
|
"metadata": {
|
|
"inputs": [
|
|
{
|
|
"name": "ComponentId",
|
|
"value": {
|
|
"SubscriptionId": "{Subscription_Id}",
|
|
"ResourceGroup": "{Resource_Group}",
|
|
"Name": "{Workspace_Name}"
|
|
}
|
|
},
|
|
{
|
|
"name": "Query",
|
|
"value": "SymantecICDx_CL\n| where threat_id_d <> \"\" and threat_name_s <> \"\" and threat_type_id_d <> \"\" \n| where (category_id_d == 1 and (type_id_d==8031 or type_id_d==8046 or type_id_d==8028 or type_id_d==8021))\n| summarize Count=count() by User_Name=user_name_s, bin(TimeGenerated, 1h)\n| sort by Count desc \n| top 10 by Count desc\n| render timechart \n"
|
|
},
|
|
{
|
|
"name": "TimeRange",
|
|
"value": "P1D"
|
|
},
|
|
{
|
|
"name": "Dimensions",
|
|
"value": {
|
|
"xAxis": {
|
|
"name": "TimeGenerated",
|
|
"type": "DateTime"
|
|
},
|
|
"yAxis": [
|
|
{
|
|
"name": "Count",
|
|
"type": "Int64"
|
|
}
|
|
],
|
|
"splitBy": [
|
|
{
|
|
"name": "User_Name",
|
|
"type": "String"
|
|
}
|
|
],
|
|
"aggregation": "Sum"
|
|
}
|
|
},
|
|
{
|
|
"name": "Version",
|
|
"value": "1.0"
|
|
},
|
|
{
|
|
"name": "DashboardId",
|
|
"value": "/subscriptions/44e4eff8-1fcb-4a22-a7d6-992ac7286382/resourceGroups/ashboards/providers/Microsoft.Portal/dashboards/SymantecTreatsOverviewDashboard_{Workspace_Name}"
|
|
},
|
|
{
|
|
"name": "PartId",
|
|
"value": "e068f635-6a74-4b9c-9e30-26b5810a12dc"
|
|
},
|
|
{
|
|
"name": "PartTitle",
|
|
"value": "Analytics"
|
|
},
|
|
{
|
|
"name": "PartSubTitle",
|
|
"value": "{Workspace_Name}"
|
|
},
|
|
{
|
|
"name": "resourceTypeMode",
|
|
"value": "workspace"
|
|
},
|
|
{
|
|
"name": "ControlType",
|
|
"value": "AnalyticsChart"
|
|
},
|
|
{
|
|
"name": "SpecificChart",
|
|
"value": "Line"
|
|
}
|
|
],
|
|
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
|
|
"settings": {
|
|
"content": {
|
|
"PartTitle": "Top 10 risky users",
|
|
"PartSubTitle": "Symantec Integrated Cyber Defense",
|
|
"Query": "let TopUsers = SymantecICDx_CL\n| where user_name_s <> \"\"\n| where threat_id_d <> \"\" and threat_name_s <> \"\" and threat_type_id_d <> \"\" \n| where (category_id_d == 1 and (type_id_d==8031 or type_id_d==8046 or type_id_d==8028 or type_id_d==8021))\n| summarize Count = sum(count_d) by User_Name=user_name_s\n| sort by Count desc\n| limit 10 \n| project User_Name;\nSymantecICDx_CL\n| where user_name_s <> \"\"\n| where threat_id_d <> \"\" and threat_name_s <> \"\" and threat_type_id_d <> \"\" \n| where (category_id_d == 1 and (type_id_d==8031 or type_id_d==8046 or type_id_d==8028 or type_id_d==8021))\n| where user_name_s in (TopUsers)\n| summarize Count= sum(count_d) by User_Name=user_name_s, bin(TimeGenerated, 1h)\n| render timechart"
|
|
}
|
|
},
|
|
"asset": {
|
|
"idInputName": "ComponentId",
|
|
"type": "ApplicationInsights"
|
|
}
|
|
}
|
|
},
|
|
"8": {
|
|
"position": {
|
|
"x": 0,
|
|
"y": 9,
|
|
"colSpan": 21,
|
|
"rowSpan": 6
|
|
},
|
|
"metadata": {
|
|
"inputs": [
|
|
{
|
|
"name": "ComponentId",
|
|
"value": {
|
|
"SubscriptionId": "{Subscription_Id}",
|
|
"ResourceGroup": "{Resource_Group}",
|
|
"Name": "{Workspace_Name}"
|
|
}
|
|
},
|
|
{
|
|
"name": "Query",
|
|
"value": "let disptypeMap = datatable(disposition_type:string, Action:string)\r\n[\r\n\"1,20\", \"LOGON\",\r\n\"2,20\", \"LOGOFF\",\r\n\"1,21\", \"Create\",\r\n\"2,21\", \"Update\",\r\n\"3,21\", \"Delete\",\r\n\"10,22\", \"User rule override\",\r\n\"20,22\", \"Admin request\",\r\n\"30,22\", \"User policy override\",\r\n\"31,22\", \"User policy override extend time\",\r\n\"32,22\", \"User policy restore manual\",\r\n\"33,22\", \"User policy restore automatic\",\r\n\"40,22\", \"Execution block override\",\r\n\"41,22\", \"User policy override removed\",\r\n\"1,1000\", \"Log\",\r\n\"1,1005\", \"Normal\",\r\n\"2,1005\", \"Overload\",\r\n\"1,1006\", \"Normal\",\r\n\"2,1006\", \"Overload\",\r\n\"1,1007\", \"Normal\",\r\n\"2,1007\", \"Overload\",\r\n\"1,8025\", \"Blocked\",\r\n\"2,8025\", \"Allowed\",\r\n\"3,8025\", \"No Action\",\r\n\"4,8025\", \"Log\",\r\n\"5,8025\", \"Command Script\",\r\n\"6,8025\", \"Corrected\",\r\n\"7,8025\", \"Partially Corrected\",\r\n\"8,8025\", \"Uncorrected\",\r\n\"14,8025\", \"Detected\",\r\n\"1,8031\", \"Blocked\",\r\n\"2,8031\", \"Allowed\",\r\n\"3,8031\", \"No Action\",\r\n\"4,8031\", \"Log\",\r\n\"5,8031\", \"Command Script\",\r\n\"6,8031\", \"Corrected\",\r\n\"7,8031\", \"Partially Corrected\",\r\n\"8,8031\", \"Uncorrected\",\r\n\"10,8031\", \"Delayed (required reboot)\",\r\n\"11,8031\", \"Deleted\",\r\n\"12,8031\", \"Quarantined\",\r\n\"13,8031\", \"Restored\",\r\n\"14,8031\", \"Detected\",\r\n\"1,8030\", \"Blocked\",\r\n\"2,8030\", \"Allowed\",\r\n\"3,8030\", \"No Action\",\r\n\"4,8030\", \"Log\",\r\n\"5,8030\", \"Command Script\",\r\n\"8,8030\", \"Uncorrected\",\r\n\"10,8030\", \"Delayed (required reboot)\",\r\n\"11,8030\", \"Deleted\",\r\n\"14,8030\", \"Detected\",\r\n\"1,8029\", \"Blocked\",\r\n\"2,8029\", \"Allowed\",\r\n\"3,8029\", \"No Action\",\r\n\"4,8029\", \"Log\",\r\n\"5,8029\", \"Command Script\",\r\n\"6,8029\", \"Corrected\",\r\n\"7,8029\", \"Partially Corrected\",\r\n\"8,8029\", \"Uncorrected\",\r\n\"10,8029\", \"Delayed (required reboot)\",\r\n\"11,8029\", \"Deleted\",\r\n\"12,8029\", \"Quarantined\",\r\n\"13,8029\", \"Restored\",\r\n\"14,8029\", \"Detected\",\r\n\"1,8028\", \"Blocked\",\r\n\"2,8028\", \"Allowed\",\r\n\"3,8028\", \"No Action\",\r\n\"4,8028\", \"Log\",\r\n\"5,8028\", \"Command Script\",\r\n\"6,8028\", \"Corrected\",\r\n\"7,8028\", \"Partially Corrected\",\r\n\"8,8028\", \"Uncorrected\",\r\n\"10,8028\", \"Delayed (required reboot)\",\r\n\"11,8028\", \"Deleted\",\r\n\"12,8028\", \"Quarantined\",\r\n\"13,8028\", \"Restored\",\r\n\"14,8028\", \"Detected\",\r\n\"1,8027\", \"Blocked\",\r\n\"2,8027\", \"Allowed\",\r\n\"3,8027\", \"No Action\",\r\n\"4,8027\", \"Log\",\r\n\"5,8027\", \"Command Script\",\r\n\"6,8027\", \"Corrected\",\r\n\"7,8027\", \"Partially Corrected\",\r\n\"8,8027\", \"Uncorrected\",\r\n\"10,8027\", \"Delayed (required reboot)\",\r\n\"11,8027\", \"Deleted\",\r\n\"12,8027\", \"Quarantined\",\r\n\"13,8027\", \"Restored\",\r\n\"14,8027\", \"Detected\",\r\n\"15,8027\", \"Terminated\",\r\n\"1,8032\", \"Blocked\",\r\n\"2,8032\", \"Allowed\",\r\n\"3,8032\", \"No Action\",\r\n\"4,8032\", \"Log\",\r\n\"5,8032\", \"Command Script\",\r\n\"6,8032\", \"Corrected\",\r\n\"7,8032\", \"Partially Corrected\",\r\n\"8,8032\", \"Uncorrected\",\r\n\"10,8032\", \"Delayed (required reboot)\",\r\n\"11,8032\", \"Deleted\",\r\n\"13,8032\", \"Restored\",\r\n\"14,8032\", \"Detected\",\r\n\"1,8033\", \"Blocked\",\r\n\"2,8033\", \"Allowed\",\r\n\"3,8033\", \"No Action\",\r\n\"4,8033\", \"Log\",\r\n\"5,8033\", \"Command Script\",\r\n\"6,8033\", \"Corrected\",\r\n\"7,8033\", \"Partially Corrected\",\r\n\"8,8033\", \"Uncorrected\",\r\n\"10,8033\", \"Delayed (required reboot)\",\r\n\"11,8033\", \"Deleted\",\r\n\"13,8033\", \"Restored\",\r\n\"14,8033\", \"Detected\",\r\n\"1,8026\", \"Blocked\",\r\n\"2,8026\", \"Allowed\",\r\n\"3,8026\", \"No Action\",\r\n\"4,8026\", \"Log\",\r\n\"5,8026\", \"Command Script\",\r\n\"14,8026\", \"Detected\",\r\n\"15,8026\", \"Terminated\",\r\n\"4,8060\", \"Log\",\r\n\"1,8040\", \"Blocked\",\r\n\"2,8040\", \"Allowed\",\r\n\"3,8040\", \"No Action\",\r\n\"4,8040\", \"Log\",\r\n\"4,8045\", \"Log\",\r\n\"10,8045\", \"Delayed\",\r\n\"15,8045\", \"Terminated\",\r\n\"1,8047\", \"Blocked\",\r\n\"2,8047\", \"Allowed\",\r\n\"3,8047\", \"No Action\",\r\n\"4,8047\", \"Log\",\r\n\"5,8047\", \"Command Script\",\r\n\"6,8047\", \"Corrected\",\r\n\"7,8047\", \"Partially Corrected\",\r\n\"8,8047\", \"Uncorrected\",\r\n\"10,8047\", \"Delayed (required reboot)\",\r\n\"11,8047\", \"Deleted\",\r\n\"12,8047\", \"Quarantined\",\r\n\"13,8047\", \"Restored\",\r\n\"14,8047\", \"Detected\",\r\n\"1,8048\", \"Blocked\",\r\n\"2,8048\", \"Allowed\",\r\n\"3,8048\", \"No Action\",\r\n\"4,8048\", \"Log\",\r\n\"5,8048\", \"Command Script\",\r\n\"6,8048\", \"Corrected\",\r\n\"7,8048\", \"Partially Corrected\",\r\n\"8,8048\", \"Uncorrected\",\r\n\"10,8048\", \"Delayed (required reboot)\",\r\n\"11,8048\", \"Deleted\",\r\n\"12,8048\", \"Quarantined\",\r\n\"13,8048\", \"Restored\",\r\n\"14,8048\", \"Detected\",\r\n\"1,8020\", \"Started\",\r\n\"2,8020\", \"Completed\",\r\n\"3,8020\", \"Cancelled\",\r\n\"4,8020\", \"Duration Violation\",\r\n\"5,8020\", \"Pause Violation\",\r\n\"6,8020\", \"Error\",\r\n\"1,8021\", \"Permission\",\r\n\"2,8021\", \"Encrypted\",\r\n\"3,8021\", \"Size\",\r\n\"4,8021\", \"Error\",\r\n\"5,8021\", \"Malformed\",\r\n\"1,8034\", \"Blocked\",\r\n\"2,8034\", \"Allowed\",\r\n\"12,8034\", \"Quarantined\",\r\n\"1,8036\", \"Blocked\",\r\n\"2,8036\", \"Allowed\",\r\n\"1,8037\", \"Blocked\",\r\n\"2,8037\", \"Allowed\",\r\n\"3,8037\", \"No Action\",\r\n\"4,8037\", \"Log\",\r\n\"5,8037\", \"Command Script\",\r\n\"6,8037\", \"Corrected\",\r\n\"7,8037\", \"Partially Corrected\",\r\n\"8,8037\", \"Uncorrected\",\r\n\"10,8037\", \"Delayed (required reboot)\",\r\n\"11,8037\", \"Deleted\",\r\n\"12,8037\", \"Quarantined\",\r\n\"13,8037\", \"Restored\",\r\n\"14,8037\", \"Detected\",\r\n\"1,8038\", \"Blocked\",\r\n\"2,8038\", \"Allowed\",\r\n\"4,8045\", \"Log\",\r\n\"10,8045\", \"Delayed\",\r\n\"15,8045\", \"Terminated\",\r\n\"1,8\", \"Install\",\r\n\"2,8\", \"Remove\",\r\n\"3,8\", \"Update\",\r\n\"4,8\", \"Expire\",\r\n\"5,8\", \"Exceed\",\r\n\"6,8\", \"Report\",\r\n\"7,8\", \"Low Count\",\r\n\"8,8\", \"Expiring\",\r\n\"4,1\", \"Application Log\",\r\n\"1,2\", \"Install\",\r\n\"2,2\", \"Remove\",\r\n\"3,2\", \"Start\",\r\n\"4,2\", \"Stop\",\r\n\"5,2\", \"Heartbeat\",\r\n\"1,3\", \"Code\",\r\n\"2,3\", \"Content\",\r\n\"3,3\", \"Configuration\",\r\n\"4,3\", \"Policy\",\r\n\"1,6\", \"Code\",\r\n\"2,6\", \"Content\",\r\n\"3,6\", \"Configuration\",\r\n\"4,6\", \"Policy\",\r\n\"1,7\", \"E-mail\",\r\n\"2,7\", \"SMS\",\r\n\"1,9\", \"Register\",\r\n\"2,9\", \"Unregister\",\r\n\"1,11\", \"Submitted\",\r\n\"2,11\", \"Queued\",\r\n\"3,11\", \"Started\",\r\n\"4,11\", \"Cancel Requested\",\r\n\"5,11\", \"Completed\",\r\n\"6,11\", \"Canceled\",\r\n\"7,11\", \"Error\",\r\n\"8,11\", \"Rejected\",\r\n\"1,15\", \"Failure\",\r\n\"2,15\", \"Encryption Started\",\r\n\"3,15\", \"Encryption Finished\",\r\n\"10,15\", \"Recovery Key Recycled\",\r\n\"1,40\", \"Install\",\r\n\"2,40\", \"Remove\",\r\n\"3,40\", \"Update\",\r\n\"1,41\", \"Expiring\",\r\n\"2,41\", \"Expired\",\r\n\"1,8080\", \"Exists\",\r\n\"2,8080\", \"Partial\",\r\n\"1,8081\", \"Exists\",\r\n\"2,8081\", \"Partial\",\r\n\"1,8082\", \"Exists\",\r\n\"2,8082\", \"Partial\",\r\n\"1,8085\", \"Exists\",\r\n\"2,8085\", \"Partial\",\r\n\"1,8086\", \"Exists\",\r\n\"2,8086\", \"Partial\",\r\n\"1,8087\", \"Exists\",\r\n\"2,8087\", \"Partial\",\r\n\"1,8089\", \"Exists\",\r\n\"2,8089\", \"Partial\",\r\n\"1,8090\", \"Exists\",\r\n\"2,8090\", \"Partial\",\r\n\"1,8100\", \"Remediation Completed\",\r\n\"2,8100\", \"Partial Remediation\",\r\n\"1,8101\", \"Remediation Completed\",\r\n\"2,8101\", \"Partial Remediation\",\r\n\"1,8105\", \"Remediation Completed\",\r\n\"2,8105\", \"Partial Remediation\",\r\n\"1,8106\", \"Remediation Completed\",\r\n\"2,8106\", \"Partial Remediation\",\r\n\"1,8109\", \"Remediation Completed\",\r\n\"2,8109\", \"Partial Remediation\",\r\n\"1,8110\", \"Remediation Completed\",\r\n\"2,8110\", \"Partial Remediation\",\r\n\"3,8119\", \"Does Not Exists\",\r\n\"4,8119\", \"Error\",\r\n\"5,8119\", \"Unsupported\",\r\n\"1,8107\", \"Remediation Completed\",\r\n\"2,8107\", \"Partial Remediation\",\r\n\"1,8084\", \"Exists\",\r\n\"2,8084\", \"Partial\",\r\n\"1,8083\", \"Exists\",\r\n\"2,8083\", \"Partial\",\r\n\"1,8104\", \"Remediation Completed\",\r\n\"2,8104\", \"Partial Remediation\",\r\n\"1,8103\", \"Remediation Completed\",\r\n\"2,8103\", \"Partial Remediation\",\r\n\"1,8102\", \"Remediation Completed\",\r\n\"2,8102\", \"Partial Remediation\",\r\n\"1,8000\", \"Logon\",\r\n\"2,8000\", \"Logoff\",\r\n\"1,8004\", \"Create\",\r\n\"2,8004\", \"Delete\",\r\n\"4,8004\", \"Rename\",\r\n\"5,8004\", \"Modify\",\r\n\"6,8004\", \"Set Attributes\",\r\n\"7,8004\", \"Set Security\",\r\n\"8,8004\", \"Get Attributes\",\r\n\"9,8004\", \"Get Security\",\r\n\"10,8004\", \"Encrypt\",\r\n\"11,8004\", \"Decrypt\",\r\n\"12,8004\", \"Mount\",\r\n\"13,8004\", \"Unmount\",\r\n\"1,8005\", \"Create Key\",\r\n\"2,8005\", \"Delete Key\",\r\n\"3,8005\", \"Open Key\",\r\n\"4,8005\", \"Rename Key\",\r\n\"5,8005\", \"Set Key Security Descriptor\",\r\n\"6,8005\", \"Restore Key\",\r\n\"1,8006\", \"Get Value\",\r\n\"2,8006\", \"Set Value\",\r\n\"3,8006\", \"Delete Value\",\r\n\"1,8008\", \"Page Allocate\",\r\n\"2,8008\", \"Page Modify\",\r\n\"3,8008\", \"Page Delete\",\r\n\"4,8008\", \"Buffer Overflow\",\r\n\"1,8009\", \"Create\",\r\n\"2,8009\", \"Read\",\r\n\"3,8009\", \"Delete\",\r\n\"5,8010\", \"System Activity\",\r\n\"5,8011\", \"System Activity\",\r\n\"5,8012\", \"System Activity\",\r\n\"5,8013\", \"System Activity\",\r\n\"1,8003\", \"Create\",\r\n\"2,8003\", \"Delete\",\r\n\"3,8003\", \"Open\",\r\n\"4,8003\", \"Rename\",\r\n\"5,8003\", \"Modify\",\r\n\"6,8003\", \"Set Attributes\",\r\n\"7,8003\", \"Set Security\",\r\n\"8,8003\", \"Get Attributes\",\r\n\"9,8003\", \"Get Security\",\r\n\"10,8003\", \"Encrypt\",\r\n\"11,8003\", \"Decrypt\",\r\n\"1,8002\", \"Load\",\r\n\"2,8002\", \"Unload\",\r\n\"1,8035\", \"Blocked\",\r\n\"2,8035\", \"Allowed\",\r\n\"3,8035\", \"No Action\",\r\n\"4,8035\", \"Log\",\r\n\"5,8035\", \"Command Script\",\r\n\"6,8035\", \"Corrected\",\r\n\"7,8035\", \"Partially Corrected\",\r\n\"8,8035\", \"Uncorrected\",\r\n\"10,8035\", \"Delayed (required reboot)\",\r\n\"11,8035\", \"Deleted\",\r\n\"12,8035\", \"Quarantined\",\r\n\"13,8035\", \"Restored\",\r\n\"14,8035\", \"Detected\",\r\n\"1,8050\", \"Blocked\",\r\n\"2,8050\", \"Allowed\",\r\n\"3,8050\", \"Dropped\",\r\n\"4,8050\", \"Deleted\",\r\n\"5,8050\", \"Isolated\",\r\n\"1,8070\", \"Passed\",\r\n\"2,8070\", \"Failed\",\r\n\"3,8070\", \"Soft Fail\",\r\n\"4,8070\", \"Log\",\r\n\"1,8071\", \"Compliance Check\",\r\n\"2,8071\", \"Remediation Check\",\r\n\"1,8001\", \"Launch\",\r\n\"2,8001\", \"Terminate\",\r\n\"3,8001\", \"Open\",\r\n\"4,8001\", \"Inject\",\r\n\"1,8007\", \"Connect\",\r\n\"2,8007\", \"Disconnect\",\r\n\"1,30\", \"Install\",\r\n\"2,30\", \"Remove\",\r\n\"3,30\", \"Update\",\r\n\"1,31\", \"Expiring\",\r\n\"2,31\", \"Expired\",\r\n\"1,32\", \"Low Count\",\r\n\"2,32\", \"Exceeded\",\r\n\"1,9000\", \"Blocked\",\r\n\"2,9000\", \"Allowed\",\r\n\"1,9001\", \"Blocked\",\r\n\"2,9001\", \"Allowed\",\r\n\"12,9001\", \"Quarantined\",\r\n\"1,9002\", \"Blocked\",\r\n\"2,9002\", \"Allowed\",\r\n\"12,9002\", \"Quarantined\",\r\n\"20,9002\", \"Approved\",\r\n\"21,9002\", \"Custom Action\",\r\n\"22,9002\", \"Expunged\",\r\n\"1,9003\", \"Blocked\",\r\n\"2,9003\", \"Allowed\"\r\n];\r\nlet typeMapTable = datatable(type_id_d:double, type_name:string)\r\n [\r\n 1, \"Application Log\",\r\n 2, \"Application Lifecycle\",\r\n 3, \"Update\",\r\n 6, \"Update Available\",\r\n 7, \"User Message\",\r\n 9, \"Registration\",\r\n 11, \"Commmand Activity\",\r\n 15, \"BitLocker\",\r\n 20, \"User Session Audit\",\r\n 21, \"Entity Audit\",\r\n 22, \"Policy Override Audit\",\r\n 40, \"Certificate Lifecycle\",\r\n 41, \"Certificate Expiry\",\r\n 30, \"License Lifecycle\",\r\n 31, \"License Expiry\",\r\n 32, \"License Count\",\r\n 1000, \"Status\",\r\n 1005, \"CPU Usage\",\r\n 1006, \"Memory Usage\",\r\n 1007, \"Throughput\",\r\n 8000, \"User Session Activity\",\r\n 8001, \"Process Activity\",\r\n 8002, \"Module Activity\",\r\n 8003, \"File Activity\",\r\n 8004, \"Directory Activity\",\r\n 8005, \"Registry Key Activity\",\r\n 8006, \"Registry Value Activity\",\r\n 8007, \"Host Network Activity\",\r\n 8008, \"Memory Activity\",\r\n 8009, \"Kernel Activity\",\r\n 8010, \"Network Activity\",\r\n 8011, \"Email Activity\",\r\n 8012, \"Email File Activity\",\r\n 8013, \"Email URL Activity\",\r\n 8014, \"Host Network Traffice Activity\",\r\n 8020, \"Scan\",\r\n 8021, \"Unscannable File\",\r\n 8025, \"Boot Record Detection\",\r\n 8026, \"User Session Detection\",\r\n 8027, \"Process Detection\",\r\n 8028, \"Module Detection\",\r\n 8029, \"Memory Detection\",\r\n 8030, \"Kernel Detection\",\r\n 8031, \"File Detection\",\r\n 8032, \"Registry Key Detection\",\r\n 8033, \"Registry Value Detection\",\r\n 8034, \"Email File Detection\",\r\n 8035, \"Email Detection\",\r\n 8036, \"Email URL Detection\",\r\n 8037, \"Host Network Traffic Detection\",\r\n 8038, \"Peripheral Device Detection\",\r\n 8040, \"Host Network Detection\",\r\n 8045, \"Process Response\",\r\n 8046, \"File Response\",\r\n 8047, \"Registry Key Response\",\r\n 8048, \"Registry Value Response\",\r\n 8050, \"Network Detection\",\r\n 8060, \"Monitored Source\",\r\n 8070, \"Compliance Scan\",\r\n 8071, \"Compliance\",\r\n 8080, \"User Session Query Result\",\r\n 8081, \"Process Query Result\",\r\n 8082, \"Module Query Result\",\r\n 8083, \"File Query Result\",\r\n 8084, \"Directory Query Result\",\r\n 8085, \"Registry Key Query Result\",\r\n 8086, \"Registry Value Query Result\",\r\n 8087, \"Network Query Result\",\r\n 8089, \"Kernel Object Query Result\",\r\n 8090, \"Service Query Result\",\r\n 8100, \"User Session Remediation\",\r\n 8101, \"Process Remediation\",\r\n 8102, \"Module Remediation\",\r\n 8103, \"File Remediation\",\r\n 8104, \"Directory Remediation\",\r\n 8105, \"Registry Key Remediation\",\r\n 8106, \"Registry Value Remediation\",\r\n 8107, \"Network Remediation\",\r\n 8109, \"Kernel Remediation\",\r\n 8110, \"Service Remediation\",\r\n 8119, \"Unsuccessful Remediation Result\",\r\n 9000, \"Content Detection\",\r\n 9001, \"File Content Detection\",\r\n 9002, \"Email Content Detection\",\r\n 9003, \"Instant Message Content Detection\"\r\n ];\r\nSymantecICDX_CL \r\n| where file_name_s <> \"\"\r\n| where threat_id_d <> \"\" and threat_name_s <> \"\" and threat_type_id_d <> \"\" \r\n| where (category_id_d == 1 and (type_id_d==8031 or type_id_d==8046 or type_id_d==8028 or type_id_d==8021))\r\n| extend disposition_type = strcat(toint(id_d), \",\", toint(type_id_d)) \r\n| join kind = inner (disptypeMap) on disposition_type\r\n| join kind = inner (typeMapTable) on type_id_d\r\n| extend threat_type_category = strcat(toint(threat_type_id_d),\",\",type_name)\r\n| extend Event_Time = datetime('1970-01-01T00:00:00Z') + (log_time_d/1000)*1s\r\n| summarize Event_Count=count() by Event_Time, Type_Id=type_id_d, Threat_Type_Id=threat_type_id_d, Threat_Type=threat_name_s, Disposition_Id=id_d, Product_Name=product_name_s, Threat_Type_Category=threat_type_category, Username=user_name_s, Action, Type_Name=type_name \r\n| sort by Event_Time, Event_Count desc\r\n"
|
|
},
|
|
{
|
|
"name": "TimeRange",
|
|
"value": "P1D"
|
|
},
|
|
{
|
|
"name": "Version",
|
|
"value": "1.0"
|
|
},
|
|
{
|
|
"name": "DashboardId",
|
|
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/SymantecTreatsOverviewDashboard_{Workspace_Name}"
|
|
},
|
|
{
|
|
"name": "PartId",
|
|
"value": "3a19bcf5-1768-486b-8196-55a1af639c80"
|
|
},
|
|
{
|
|
"name": "PartTitle",
|
|
"value": "Analytics"
|
|
},
|
|
{
|
|
"name": "PartSubTitle",
|
|
"value": "{Workspace_Name}"
|
|
},
|
|
{
|
|
"name": "resourceTypeMode",
|
|
"value": "workspace"
|
|
},
|
|
{
|
|
"name": "ControlType",
|
|
"value": "AnalyticsGrid"
|
|
},
|
|
{
|
|
"name": "Dimensions",
|
|
"isOptional": true
|
|
},
|
|
{
|
|
"name": "SpecificChart",
|
|
"isOptional": true
|
|
}
|
|
],
|
|
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
|
|
"settings": {
|
|
"content": {
|
|
"PartTitle": "Threat details",
|
|
"PartSubTitle": "Symantec Integrated Cyber Defense",
|
|
"Query": "let disptypeMap = datatable(disposition_type:string, Action:string)\n[\n\"1,20\", \"LOGON\",\n\"2,20\", \"LOGOFF\",\n\"1,21\", \"Create\",\n\"2,21\", \"Update\",\n\"3,21\", \"Delete\",\n\"10,22\", \"User rule override\",\n\"20,22\", \"Admin request\",\n\"30,22\", \"User policy override\",\n\"31,22\", \"User policy override extend time\",\n\"32,22\", \"User policy restore manual\",\n\"33,22\", \"User policy restore automatic\",\n\"40,22\", \"Execution block override\",\n\"41,22\", \"User policy override removed\",\n\"1,1000\", \"Log\",\n\"1,1005\", \"Normal\",\n\"2,1005\", \"Overload\",\n\"1,1006\", \"Normal\",\n\"2,1006\", \"Overload\",\n\"1,1007\", \"Normal\",\n\"2,1007\", \"Overload\",\n\"1,8025\", \"Blocked\",\n\"2,8025\", \"Allowed\",\n\"3,8025\", \"No Action\",\n\"4,8025\", \"Log\",\n\"5,8025\", \"Command Script\",\n\"6,8025\", \"Corrected\",\n\"7,8025\", \"Partially Corrected\",\n\"8,8025\", \"Uncorrected\",\n\"14,8025\", \"Detected\",\n\"1,8031\", \"Blocked\",\n\"2,8031\", \"Allowed\",\n\"3,8031\", \"No Action\",\n\"4,8031\", \"Log\",\n\"5,8031\", \"Command Script\",\n\"6,8031\", \"Corrected\",\n\"7,8031\", \"Partially Corrected\",\n\"8,8031\", \"Uncorrected\",\n\"10,8031\", \"Delayed (required reboot)\",\n\"11,8031\", \"Deleted\",\n\"12,8031\", \"Quarantined\",\n\"13,8031\", \"Restored\",\n\"14,8031\", \"Detected\",\n\"1,8030\", \"Blocked\",\n\"2,8030\", \"Allowed\",\n\"3,8030\", \"No Action\",\n\"4,8030\", \"Log\",\n\"5,8030\", \"Command Script\",\n\"8,8030\", \"Uncorrected\",\n\"10,8030\", \"Delayed (required reboot)\",\n\"11,8030\", \"Deleted\",\n\"14,8030\", \"Detected\",\n\"1,8029\", \"Blocked\",\n\"2,8029\", \"Allowed\",\n\"3,8029\", \"No Action\",\n\"4,8029\", \"Log\",\n\"5,8029\", \"Command Script\",\n\"6,8029\", \"Corrected\",\n\"7,8029\", \"Partially Corrected\",\n\"8,8029\", \"Uncorrected\",\n\"10,8029\", \"Delayed (required reboot)\",\n\"11,8029\", \"Deleted\",\n\"12,8029\", \"Quarantined\",\n\"13,8029\", \"Restored\",\n\"14,8029\", \"Detected\",\n\"1,8028\", \"Blocked\",\n\"2,8028\", \"Allowed\",\n\"3,8028\", \"No Action\",\n\"4,8028\", \"Log\",\n\"5,8028\", \"Command Script\",\n\"6,8028\", \"Corrected\",\n\"7,8028\", \"Partially Corrected\",\n\"8,8028\", \"Uncorrected\",\n\"10,8028\", \"Delayed (required reboot)\",\n\"11,8028\", \"Deleted\",\n\"12,8028\", \"Quarantined\",\n\"13,8028\", \"Restored\",\n\"14,8028\", \"Detected\",\n\"1,8027\", \"Blocked\",\n\"2,8027\", \"Allowed\",\n\"3,8027\", \"No Action\",\n\"4,8027\", \"Log\",\n\"5,8027\", \"Command Script\",\n\"6,8027\", \"Corrected\",\n\"7,8027\", \"Partially Corrected\",\n\"8,8027\", \"Uncorrected\",\n\"10,8027\", \"Delayed (required reboot)\",\n\"11,8027\", \"Deleted\",\n\"12,8027\", \"Quarantined\",\n\"13,8027\", \"Restored\",\n\"14,8027\", \"Detected\",\n\"15,8027\", \"Terminated\",\n\"1,8032\", \"Blocked\",\n\"2,8032\", \"Allowed\",\n\"3,8032\", \"No Action\",\n\"4,8032\", \"Log\",\n\"5,8032\", \"Command Script\",\n\"6,8032\", \"Corrected\",\n\"7,8032\", \"Partially Corrected\",\n\"8,8032\", \"Uncorrected\",\n\"10,8032\", \"Delayed (required reboot)\",\n\"11,8032\", \"Deleted\",\n\"13,8032\", \"Restored\",\n\"14,8032\", \"Detected\",\n\"1,8033\", \"Blocked\",\n\"2,8033\", \"Allowed\",\n\"3,8033\", \"No Action\",\n\"4,8033\", \"Log\",\n\"5,8033\", \"Command Script\",\n\"6,8033\", \"Corrected\",\n\"7,8033\", \"Partially Corrected\",\n\"8,8033\", \"Uncorrected\",\n\"10,8033\", \"Delayed (required reboot)\",\n\"11,8033\", \"Deleted\",\n\"13,8033\", \"Restored\",\n\"14,8033\", \"Detected\",\n\"1,8026\", \"Blocked\",\n\"2,8026\", \"Allowed\",\n\"3,8026\", \"No Action\",\n\"4,8026\", \"Log\",\n\"5,8026\", \"Command Script\",\n\"14,8026\", \"Detected\",\n\"15,8026\", \"Terminated\",\n\"4,8060\", \"Log\",\n\"1,8040\", \"Blocked\",\n\"2,8040\", \"Allowed\",\n\"3,8040\", \"No Action\",\n\"4,8040\", \"Log\",\n\"4,8045\", \"Log\",\n\"10,8045\", \"Delayed\",\n\"15,8045\", \"Terminated\",\n\"1,8047\", \"Blocked\",\n\"2,8047\", \"Allowed\",\n\"3,8047\", \"No Action\",\n\"4,8047\", \"Log\",\n\"5,8047\", \"Command Script\",\n\"6,8047\", \"Corrected\",\n\"7,8047\", \"Partially Corrected\",\n\"8,8047\", \"Uncorrected\",\n\"10,8047\", \"Delayed (required reboot)\",\n\"11,8047\", \"Deleted\",\n\"12,8047\", \"Quarantined\",\n\"13,8047\", \"Restored\",\n\"14,8047\", \"Detected\",\n\"1,8048\", \"Blocked\",\n\"2,8048\", \"Allowed\",\n\"3,8048\", \"No Action\",\n\"4,8048\", \"Log\",\n\"5,8048\", \"Command Script\",\n\"6,8048\", \"Corrected\",\n\"7,8048\", \"Partially Corrected\",\n\"8,8048\", \"Uncorrected\",\n\"10,8048\", \"Delayed (required reboot)\",\n\"11,8048\", \"Deleted\",\n\"12,8048\", \"Quarantined\",\n\"13,8048\", \"Restored\",\n\"14,8048\", \"Detected\",\n\"1,8020\", \"Started\",\n\"2,8020\", \"Completed\",\n\"3,8020\", \"Cancelled\",\n\"4,8020\", \"Duration Violation\",\n\"5,8020\", \"Pause Violation\",\n\"6,8020\", \"Error\",\n\"1,8021\", \"Permission\",\n\"2,8021\", \"Encrypted\",\n\"3,8021\", \"Size\",\n\"4,8021\", \"Error\",\n\"5,8021\", \"Malformed\",\n\"1,8034\", \"Blocked\",\n\"2,8034\", \"Allowed\",\n\"12,8034\", \"Quarantined\",\n\"1,8036\", \"Blocked\",\n\"2,8036\", \"Allowed\",\n\"1,8037\", \"Blocked\",\n\"2,8037\", \"Allowed\",\n\"3,8037\", \"No Action\",\n\"4,8037\", \"Log\",\n\"5,8037\", \"Command Script\",\n\"6,8037\", \"Corrected\",\n\"7,8037\", \"Partially Corrected\",\n\"8,8037\", \"Uncorrected\",\n\"10,8037\", \"Delayed (required reboot)\",\n\"11,8037\", \"Deleted\",\n\"12,8037\", \"Quarantined\",\n\"13,8037\", \"Restored\",\n\"14,8037\", \"Detected\",\n\"1,8038\", \"Blocked\",\n\"2,8038\", \"Allowed\",\n\"4,8045\", \"Log\",\n\"10,8045\", \"Delayed\",\n\"15,8045\", \"Terminated\",\n\"1,8\", \"Install\",\n\"2,8\", \"Remove\",\n\"3,8\", \"Update\",\n\"4,8\", \"Expire\",\n\"5,8\", \"Exceed\",\n\"6,8\", \"Report\",\n\"7,8\", \"Low Count\",\n\"8,8\", \"Expiring\",\n\"4,1\", \"Application Log\",\n\"1,2\", \"Install\",\n\"2,2\", \"Remove\",\n\"3,2\", \"Start\",\n\"4,2\", \"Stop\",\n\"5,2\", \"Heartbeat\",\n\"1,3\", \"Code\",\n\"2,3\", \"Content\",\n\"3,3\", \"Configuration\",\n\"4,3\", \"Policy\",\n\"1,6\", \"Code\",\n\"2,6\", \"Content\",\n\"3,6\", \"Configuration\",\n\"4,6\", \"Policy\",\n\"1,7\", \"E-mail\",\n\"2,7\", \"SMS\",\n\"1,9\", \"Register\",\n\"2,9\", \"Unregister\",\n\"1,11\", \"Submitted\",\n\"2,11\", \"Queued\",\n\"3,11\", \"Started\",\n\"4,11\", \"Cancel Requested\",\n\"5,11\", \"Completed\",\n\"6,11\", \"Canceled\",\n\"7,11\", \"Error\",\n\"8,11\", \"Rejected\",\n\"1,15\", \"Failure\",\n\"2,15\", \"Encryption Started\",\n\"3,15\", \"Encryption Finished\",\n\"10,15\", \"Recovery Key Recycled\",\n\"1,40\", \"Install\",\n\"2,40\", \"Remove\",\n\"3,40\", \"Update\",\n\"1,41\", \"Expiring\",\n\"2,41\", \"Expired\",\n\"1,8080\", \"Exists\",\n\"2,8080\", \"Partial\",\n\"1,8081\", \"Exists\",\n\"2,8081\", \"Partial\",\n\"1,8082\", \"Exists\",\n\"2,8082\", \"Partial\",\n\"1,8085\", \"Exists\",\n\"2,8085\", \"Partial\",\n\"1,8086\", \"Exists\",\n\"2,8086\", \"Partial\",\n\"1,8087\", \"Exists\",\n\"2,8087\", \"Partial\",\n\"1,8089\", \"Exists\",\n\"2,8089\", \"Partial\",\n\"1,8090\", \"Exists\",\n\"2,8090\", \"Partial\",\n\"1,8100\", \"Remediation Completed\",\n\"2,8100\", \"Partial Remediation\",\n\"1,8101\", \"Remediation Completed\",\n\"2,8101\", \"Partial Remediation\",\n\"1,8105\", \"Remediation Completed\",\n\"2,8105\", \"Partial Remediation\",\n\"1,8106\", \"Remediation Completed\",\n\"2,8106\", \"Partial Remediation\",\n\"1,8109\", \"Remediation Completed\",\n\"2,8109\", \"Partial Remediation\",\n\"1,8110\", \"Remediation Completed\",\n\"2,8110\", \"Partial Remediation\",\n\"3,8119\", \"Does Not Exists\",\n\"4,8119\", \"Error\",\n\"5,8119\", \"Unsupported\",\n\"1,8107\", \"Remediation Completed\",\n\"2,8107\", \"Partial Remediation\",\n\"1,8084\", \"Exists\",\n\"2,8084\", \"Partial\",\n\"1,8083\", \"Exists\",\n\"2,8083\", \"Partial\",\n\"1,8104\", \"Remediation Completed\",\n\"2,8104\", \"Partial Remediation\",\n\"1,8103\", \"Remediation Completed\",\n\"2,8103\", \"Partial Remediation\",\n\"1,8102\", \"Remediation Completed\",\n\"2,8102\", \"Partial Remediation\",\n\"1,8000\", \"Logon\",\n\"2,8000\", \"Logoff\",\n\"1,8004\", \"Create\",\n\"2,8004\", \"Delete\",\n\"4,8004\", \"Rename\",\n\"5,8004\", \"Modify\",\n\"6,8004\", \"Set Attributes\",\n\"7,8004\", \"Set Security\",\n\"8,8004\", \"Get Attributes\",\n\"9,8004\", \"Get Security\",\n\"10,8004\", \"Encrypt\",\n\"11,8004\", \"Decrypt\",\n\"12,8004\", \"Mount\",\n\"13,8004\", \"Unmount\",\n\"1,8005\", \"Create Key\",\n\"2,8005\", \"Delete Key\",\n\"3,8005\", \"Open Key\",\n\"4,8005\", \"Rename Key\",\n\"5,8005\", \"Set Key Security Descriptor\",\n\"6,8005\", \"Restore Key\",\n\"1,8006\", \"Get Value\",\n\"2,8006\", \"Set Value\",\n\"3,8006\", \"Delete Value\",\n\"1,8008\", \"Page Allocate\",\n\"2,8008\", \"Page Modify\",\n\"3,8008\", \"Page Delete\",\n\"4,8008\", \"Buffer Overflow\",\n\"1,8009\", \"Create\",\n\"2,8009\", \"Read\",\n\"3,8009\", \"Delete\",\n\"5,8010\", \"System Activity\",\n\"5,8011\", \"System Activity\",\n\"5,8012\", \"System Activity\",\n\"5,8013\", \"System Activity\",\n\"1,8003\", \"Create\",\n\"2,8003\", \"Delete\",\n\"3,8003\", \"Open\",\n\"4,8003\", \"Rename\",\n\"5,8003\", \"Modify\",\n\"6,8003\", \"Set Attributes\",\n\"7,8003\", \"Set Security\",\n\"8,8003\", \"Get Attributes\",\n\"9,8003\", \"Get Security\",\n\"10,8003\", \"Encrypt\",\n\"11,8003\", \"Decrypt\",\n\"1,8002\", \"Load\",\n\"2,8002\", \"Unload\",\n\"1,8035\", \"Blocked\",\n\"2,8035\", \"Allowed\",\n\"3,8035\", \"No Action\",\n\"4,8035\", \"Log\",\n\"5,8035\", \"Command Script\",\n\"6,8035\", \"Corrected\",\n\"7,8035\", \"Partially Corrected\",\n\"8,8035\", \"Uncorrected\",\n\"10,8035\", \"Delayed (required reboot)\",\n\"11,8035\", \"Deleted\",\n\"12,8035\", \"Quarantined\",\n\"13,8035\", \"Restored\",\n\"14,8035\", \"Detected\",\n\"1,8050\", \"Blocked\",\n\"2,8050\", \"Allowed\",\n\"3,8050\", \"Dropped\",\n\"4,8050\", \"Deleted\",\n\"5,8050\", \"Isolated\",\n\"1,8070\", \"Passed\",\n\"2,8070\", \"Failed\",\n\"3,8070\", \"Soft Fail\",\n\"4,8070\", \"Log\",\n\"1,8071\", \"Compliance Check\",\n\"2,8071\", \"Remediation Check\",\n\"1,8001\", \"Launch\",\n\"2,8001\", \"Terminate\",\n\"3,8001\", \"Open\",\n\"4,8001\", \"Inject\",\n\"1,8007\", \"Connect\",\n\"2,8007\", \"Disconnect\",\n\"1,30\", \"Install\",\n\"2,30\", \"Remove\",\n\"3,30\", \"Update\",\n\"1,31\", \"Expiring\",\n\"2,31\", \"Expired\",\n\"1,32\", \"Low Count\",\n\"2,32\", \"Exceeded\",\n\"1,9000\", \"Blocked\",\n\"2,9000\", \"Allowed\",\n\"1,9001\", \"Blocked\",\n\"2,9001\", \"Allowed\",\n\"12,9001\", \"Quarantined\",\n\"1,9002\", \"Blocked\",\n\"2,9002\", \"Allowed\",\n\"12,9002\", \"Quarantined\",\n\"20,9002\", \"Approved\",\n\"21,9002\", \"Custom Action\",\n\"22,9002\", \"Expunged\",\n\"1,9003\", \"Blocked\",\n\"2,9003\", \"Allowed\"\n];\nlet typeMapTable = datatable(type_id_d:double, type_name:string)\n [\n 1, \"Application Log\",\n 2, \"Application Lifecycle\",\n 3, \"Update\",\n 6, \"Update Available\",\n 7, \"User Message\",\n 9, \"Registration\",\n 11, \"Commmand Activity\",\n 15, \"BitLocker\",\n 20, \"User Session Audit\",\n 21, \"Entity Audit\",\n 22, \"Policy Override Audit\",\n 40, \"Certificate Lifecycle\",\n 41, \"Certificate Expiry\",\n 30, \"License Lifecycle\",\n 31, \"License Expiry\",\n 32, \"License Count\",\n 1000, \"Status\",\n 1005, \"CPU Usage\",\n 1006, \"Memory Usage\",\n 1007, \"Throughput\",\n 8000, \"User Session Activity\",\n 8001, \"Process Activity\",\n 8002, \"Module Activity\",\n 8003, \"File Activity\",\n 8004, \"Directory Activity\",\n 8005, \"Registry Key Activity\",\n 8006, \"Registry Value Activity\",\n 8007, \"Host Network Activity\",\n 8008, \"Memory Activity\",\n 8009, \"Kernel Activity\",\n 8010, \"Network Activity\",\n 8011, \"Email Activity\",\n 8012, \"Email File Activity\",\n 8013, \"Email URL Activity\",\n 8014, \"Host Network Traffice Activity\",\n 8020, \"Scan\",\n 8021, \"Unscannable File\",\n 8025, \"Boot Record Detection\",\n 8026, \"User Session Detection\",\n 8027, \"Process Detection\",\n 8028, \"Module Detection\",\n 8029, \"Memory Detection\",\n 8030, \"Kernel Detection\",\n 8031, \"File Detection\",\n 8032, \"Registry Key Detection\",\n 8033, \"Registry Value Detection\",\n 8034, \"Email File Detection\",\n 8035, \"Email Detection\",\n 8036, \"Email URL Detection\",\n 8037, \"Host Network Traffic Detection\",\n 8038, \"Peripheral Device Detection\",\n 8040, \"Host Network Detection\",\n 8045, \"Process Response\",\n 8046, \"File Response\",\n 8047, \"Registry Key Response\",\n 8048, \"Registry Value Response\",\n 8050, \"Network Detection\",\n 8060, \"Monitored Source\",\n 8070, \"Compliance Scan\",\n 8071, \"Compliance\",\n 8080, \"User Session Query Result\",\n 8081, \"Process Query Result\",\n 8082, \"Module Query Result\",\n 8083, \"File Query Result\",\n 8084, \"Directory Query Result\",\n 8085, \"Registry Key Query Result\",\n 8086, \"Registry Value Query Result\",\n 8087, \"Network Query Result\",\n 8089, \"Kernel Object Query Result\",\n 8090, \"Service Query Result\",\n 8100, \"User Session Remediation\",\n 8101, \"Process Remediation\",\n 8102, \"Module Remediation\",\n 8103, \"File Remediation\",\n 8104, \"Directory Remediation\",\n 8105, \"Registry Key Remediation\",\n 8106, \"Registry Value Remediation\",\n 8107, \"Network Remediation\",\n 8109, \"Kernel Remediation\",\n 8110, \"Service Remediation\",\n 8119, \"Unsuccessful Remediation Result\",\n 9000, \"Content Detection\",\n 9001, \"File Content Detection\",\n 9002, \"Email Content Detection\",\n 9003, \"Instant Message Content Detection\"\n ];\nSymantecICDx_CL\n| where file_name_s <> \"\"\n| where threat_id_d <> \"\" and threat_name_s <> \"\" and threat_type_id_d <> \"\" \n| where (category_id_d == 1 and (type_id_d==8031 or type_id_d==8046 or type_id_d==8028 or type_id_d==8021))\n| extend disposition_type = strcat(toint(id_d), \",\", toint(type_id_d)) \n| join kind = inner (disptypeMap) on disposition_type\n| join kind = inner (typeMapTable) on type_id_d\n| extend threat_type_category = strcat(toint(threat_type_id_d),\",\",type_name)\n| extend Event_Time = datetime('1970-01-01T00:00:00Z') + (log_time_d/1000)*1s\n| summarize Event_Count= sum(count_d) by Event_Time, Type_Id=type_id_d, Threat_Type_Id=threat_type_id_d, Threat_Type=threat_name_s, Disposition_Id=id_d, Product_Name=product_name_s, Threat_Type_Category=threat_type_category, Username=user_name_s, Action, Type_Name=type_name \n| sort by Event_Time, Event_Count desc \n"
|
|
}
|
|
},
|
|
"asset": {
|
|
"idInputName": "ComponentId",
|
|
"type": "ApplicationInsights"
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|