Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность
Azure-Sentinel/Workbooks/AlsidIoA.json

386 строки
12 KiB
JSON
Исходник Ответственный История

{
"version": "Notebook/1.0",
"items": [
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "be5a3a6e-51b1-4c1a-86f9-0847b3bd1dd5",
"version": "KqlParameterItem/1.0",
"name": "TimeRange",
"label": "Time Range",
"type": 4,
"description": "Specify the time range on which to query the data",
"isRequired": true,
"value": {
"durationMs": 7776000000
},
"typeSettings": {
"selectableValues": [
{
"durationMs": 300000
},
{
"durationMs": 900000
},
{
"durationMs": 1800000
},
{
"durationMs": 3600000
},
{
"durationMs": 14400000
},
{
"durationMs": 43200000
},
{
"durationMs": 86400000
},
{
"durationMs": 172800000
},
{
"durationMs": 259200000
},
{
"durationMs": 604800000
},
{
"durationMs": 1209600000
},
{
"durationMs": 2419200000
},
{
"durationMs": 2592000000
},
{
"durationMs": 5184000000
},
{
"durationMs": 7776000000
}
],
"allowCustom": false
},
"timeContext": {
"durationMs": 86400000
}
},
{
"id": "876a8c8a-7378-475b-800b-bf7560a5f80b",
"version": "KqlParameterItem/1.0",
"name": "SamplingPeriod",
"label": "Sampling Period",
"type": 4,
"description": "Specify the sampling period for the time charts",
"isRequired": true,
"value": {
"durationMs": 86400000
},
"typeSettings": {
"selectableValues": [
{
"durationMs": 300000
},
{
"durationMs": 900000
},
{
"durationMs": 1800000
},
{
"durationMs": 3600000
},
{
"durationMs": 14400000
},
{
"durationMs": 43200000
},
{
"durationMs": 86400000
},
{
"durationMs": 172800000
},
{
"durationMs": 259200000
},
{
"durationMs": 604800000
},
{
"durationMs": 1209600000
},
{
"durationMs": 2419200000
},
{
"durationMs": 2592000000
},
{
"durationMs": 5184000000
},
{
"durationMs": 7776000000
}
]
}
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 3"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "afad_parser()\r\n| where MessageType == 2\r\n| summarize AlertCount = count() by Explanation, Codename",
"size": 3,
"title": "Detected IoAs list with codenames explanations",
"noDataMessage": "No alerts",
"noDataMessageStyle": 3,
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"tileSettings": {
"titleContent": {
"columnMatch": "Codename",
"formatter": 1
},
"leftContent": {
"columnMatch": "AlertCount",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"maximumFractionDigits": 2,
"maximumSignificantDigits": 3
}
}
},
"rightContent": {
"columnMatch": "Explanation"
},
"showBorder": false,
"size": "full"
},
"graphSettings": {
"type": 0,
"topContent": {
"columnMatch": "Explanation",
"formatter": 1
},
"centerContent": {
"columnMatch": "AlertCount",
"formatter": 1,
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
}
},
"customWidth": "100",
"name": "query - 4"
}
]
},
"name": "group - 4",
"styleSettings": {
"showBorder": true
}
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "afad_parser()\n| where MessageType == 2\n| summarize AlertCount = count() by Codename",
"size": 3,
"title": "IoAs chart",
"noDataMessage": "No alerts",
"noDataMessageStyle": 3,
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart",
"chartSettings": {
"yAxis": [
"AlertCount"
],
"group": "Codename",
"createOtherGroup": 20,
"ySettings": {
"numberFormatSettings": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": true
}
}
}
}
},
"customWidth": "40",
"name": "Piechart"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "afad_parser\r\n| where MessageType == 2\r\n| summarize by Time, Codename, SourceHostname, SourceIP, DestinationHostname, DestinationIP",
"size": 2,
"title": "Triggered IoA alerts list",
"noDataMessage": "No alerts",
"noDataMessageStyle": 3,
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"exportFieldName": "DevianceID",
"exportParameterName": "SelectedDevianceID",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"sortBy": []
},
"customWidth": "60",
"showPin": false,
"name": "query - 3",
"styleSettings": {
"margin": "0px",
"padding": "0px"
}
}
]
},
"name": "IoAs",
"styleSettings": {
"showBorder": true
}
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "afad_parser()\r\n| where MessageType == 2\r\n| summarize AlertCount = count() by Severity",
"size": 0,
"title": "IoAs severity chart",
"noDataMessage": "No alerts",
"noDataMessageStyle": 3,
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "graph",
"graphSettings": {
"type": 2,
"topContent": {
"columnMatch": "Severity",
"formatter": 1
},
"centerContent": {
"columnMatch": "AlertCount",
"formatter": 1,
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
},
"nodeIdField": "Severity",
"graphOrientation": 3,
"showOrientationToggles": false,
"nodeSize": null,
"staticNodeSize": 100,
"colorSettings": {
"nodeColorField": "Severity",
"type": 1,
"colorPalette": "default"
},
"hivesMargin": 5
}
},
"customWidth": "25",
"name": "query - 1",
"styleSettings": {
"maxWidth": "50"
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let threshold = 1;\r\nlet SeverityTable=datatable(Severity:string,Level:int) [\r\n\"low\", 1,\r\n\"medium\", 2,\r\n\"high\", 3,\r\n\"critical\", 4\r\n];\r\nafad_parser\r\n| where MessageType == 2 \r\n| lookup kind=leftouter SeverityTable on Severity\r\n| where Level >= ['threshold']\r\n| summarize Count = count() by bin(Time, {SamplingPeriod:seconds}), Severity",
"size": 0,
"title": "Alerts raised over time grouped by severity",
"noDataMessage": "No alerts",
"noDataMessageStyle": 3,
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "timechart",
"chartSettings": {
"showLegend": true
}
},
"customWidth": "75",
"name": "query - 2"
}
]
},
"name": "Severity",
"styleSettings": {
"showBorder": true
}
}
],
"fromTemplateId": "sentinel-Alsid for AD | Indicators of Attack",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}
Ссылка в новой задаче Показать git blame Копировать постоянную ссылку