Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность
Azure-Sentinel/Workbooks/LogAnalyticsQueryAnalysis.json

531 строка
18 KiB
JSON
Исходник Ответственный История

{
"version": "Notebook/1.0",
"items": [
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "ccd5adcd-8d59-4cfe-99ec-98075de2e253",
"version": "KqlParameterItem/1.0",
"name": "DefaultSubscription_Internal",
"type": 1,
"isRequired": true,
"query": "where type =~ 'microsoft.operationalinsights/workspaces'\r\n| take 1\r\n| project subscriptionId",
"crossComponentResources": [
"value::selected"
],
"isHiddenWhenLocked": true,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
},
{
"id": "1ca69445-60fc-4806-b43d-ac7e6aad630a",
"version": "KqlParameterItem/1.0",
"name": "Subscription",
"type": 6,
"query": "summarize by subscriptionId\r\n| project value = strcat(\"/subscriptions/\", subscriptionId), label = subscriptionId, selected = iff(subscriptionId =~ '{DefaultSubscription_Internal}', true, false)\r\n",
"crossComponentResources": [
"value::selected"
],
"typeSettings": {
"additionalResourceOptions": [],
"showDefault": false
},
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
"label": "☁️ Subscription"
},
{
"id": "e94aafa3-c5d9-4523-89f0-4e87aa754511",
"version": "KqlParameterItem/1.0",
"name": "Workspace",
"label": "🗂️ Workspace",
"type": 5,
"isRequired": true,
"query": "resources\n| where type =~ 'microsoft.operationalinsights/workspaces' \n//| where subscriptionId == '{Subscription:id}'\n| project id",
"crossComponentResources": [
"{Subscription}"
],
"value": "",
"typeSettings": {
"resourceTypeFilter": {
"microsoft.operationalinsights/workspaces": true
},
"additionalResourceOptions": []
},
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
},
{
"id": "c4b69c01-2263-4ada-8d9c-43433b739ff3",
"version": "KqlParameterItem/1.0",
"name": "TimeRange",
"type": 4,
"value": {
"durationMs": 2592000000
},
"typeSettings": {
"selectableValues": [
{
"durationMs": 300000
},
{
"durationMs": 900000
},
{
"durationMs": 1800000
},
{
"durationMs": 3600000
},
{
"durationMs": 14400000
},
{
"durationMs": 43200000
},
{
"durationMs": 86400000
},
{
"durationMs": 172800000
},
{
"durationMs": 259200000
},
{
"durationMs": 604800000
},
{
"durationMs": 1209600000
},
{
"durationMs": 2419200000
},
{
"durationMs": 2592000000
},
{
"durationMs": 5184000000
},
{
"durationMs": 7776000000
}
],
"allowCustom": true
},
"label": "⏱️ Time Range"
},
{
"id": "c71f3009-a3f4-4aa5-aaf0-d0f667100e56",
"version": "KqlParameterItem/1.0",
"name": "Help",
"label": "📖 Help",
"type": 10,
"description": "This will show some help information to help you understand the page you are on",
"isRequired": true,
"typeSettings": {
"additionalResourceOptions": [],
"showDefault": false
},
"jsonData": "[\r\n { \"value\": \"Yes\", \"label\": \"Yes\"},\r\n { \"value\": \"No\", \"label\": \"No\", \"selected\":true },\r\n { \"value\": \"Change Log\", \"label\": \"Change Log\"}\r\n]"
}
],
"style": "above",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 1"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "resources\r\n| where type =~ 'microsoft.operationalinsights/workspaces' \r\n| where id has \"{Workspace}\"\r\n| extend state = trim(' ', tostring(properties.provisioningState))\r\n\t\t,sku = trim(' ', tostring(properties.sku.name))\r\n ,skuUpdate = trim(' ', tostring(properties.sku.lastSkuUpdate))\r\n\t\t,retentionDays = trim(' ', tostring(properties.retentionInDays))\r\n\t\t,dailyquotaGB = trim(' ', tostring(properties.workspaceCapping.dailyQuotaGb))\r\n| extend dailyquotaGB = iif(dailyquotaGB !=-1.0, dailyquotaGB,\"Not set\")\r\n| extend skuUpdate = iif(strlen(skuUpdate) > 0, skuUpdate,\"Unknown\")\r\n| extend sentinel = iif(toint(retentionDays) < 90,\"If you have Sentinel, you can change your retention to 90days (free)?\",\"\")\r\n| project ['Log Analytics Workspace Name']=id, ['Resource Group']=resourceGroup, location, ['Data Retention(days)']=retentionDays, ['Last known SKU update']=skuUpdate, ['Daily Data Cap']=dailyquotaGB, ['Licence']=sku, ['Commitment Tier']=properties.sku.capacityReservationLevel, ['Notes'] = sentinel",
"size": 4,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
"crossComponentResources": [
"{Subscription}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "Data Retention(days)",
"formatter": 0,
"formatOptions": {
"showIcon": true
},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": false
}
}
},
{
"columnMatch": "Last known SKU update",
"formatter": 18,
"formatOptions": {
"showIcon": true,
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "is Empty",
"thresholdValue": "\" \"",
"text": "{0}{1}"
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "success",
"text": "{0}{1}"
}
]
}
},
{
"columnMatch": "Daily Data Cap",
"formatter": 18,
"formatOptions": {
"showIcon": true,
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "not set",
"representation": "Unavailable",
"text": "{0}{1}"
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "1",
"text": "{0}{1}"
}
]
}
},
{
"columnMatch": "Data Retention",
"formatter": 0,
"formatOptions": {
"showIcon": true
},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": false
}
}
}
]
}
},
"name": "query - 18"
},
{
"type": 1,
"content": {
"json": "## Workspace Usage Report \r\n### Change Log\r\nUse this report to analyze the LAQueryLogs.\r\n\r\n|Version|Description|\r\n|---|---|\r\n|v1.0|Initial Workbook Created| \r\n\r\n"
},
"conditionalVisibility": {
"parameterName": "Help",
"comparison": "isEqualTo",
"value": "Change Log"
},
"name": "text - 0"
},
{
"type": 1,
"content": {
"json": "## Usage\r\n\t- Please select your **Subscription** and **Workspace**\r\n\t- Time Range: is the time you wish to query back to. i.e 7days from now, into the past."
},
"conditionalVisibility": {
"parameterName": "Help",
"comparison": "isEqualTo",
"value": "Yes"
},
"name": "text - 0 - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let ResponseRowCountStats = toscalar(LAQueryLogs | summarize makelist(ResponseRowCount));\r\nLAQueryLogs\r\n| summarize avg(ResponseRowCount)\r\n| extend ResponseRowCountStats = ResponseRowCountStats\r\n",
"size": 4,
"title": "Average Response Row Count",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"tileSettings": {
"titleContent": {
"columnMatch": "avg_ResponseRowCount",
"formatter": 12,
"formatOptions": {
"palette": "blue"
},
"numberFormat": {
"unit": 23,
"options": {
"style": "decimal"
}
}
},
"subtitleContent": {
"columnMatch": "ResponseRowCountStats",
"formatter": 9,
"formatOptions": {
"palette": "blue"
}
},
"showBorder": false
}
},
"customWidth": "20",
"name": "query - 4 - Copy - Copy - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let ResponseDurationMsStats = toscalar(LAQueryLogs | summarize makelist(ResponseDurationMs));\r\nLAQueryLogs\r\n| summarize avg(ResponseDurationMs)\r\n| extend ResponseDurationMsStats = ResponseDurationMsStats",
"size": 4,
"title": "Average Response Duration",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"tileSettings": {
"titleContent": {
"columnMatch": "avg_ResponseDurationMs",
"formatter": 12,
"formatOptions": {
"palette": "blue"
},
"numberFormat": {
"unit": 23,
"options": {
"style": "decimal"
}
}
},
"subtitleContent": {
"columnMatch": "ResponseDurationMsStats",
"formatter": 9,
"formatOptions": {
"palette": "blue"
}
},
"showBorder": false
}
},
"customWidth": "20",
"name": "query - 4 - Copy - Copy - Copy - Copy - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let StatsCPUTimeMsStats = toscalar(LAQueryLogs | summarize makelist(StatsCPUTimeMs));\r\nLAQueryLogs\r\n| summarize avg(StatsCPUTimeMs)\r\n| extend StatsCPUTimeMsStats = StatsCPUTimeMsStats",
"size": 4,
"title": "Average CPU Time",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"tileSettings": {
"titleContent": {
"columnMatch": "avg_StatsCPUTimeMs",
"formatter": 12,
"formatOptions": {
"palette": "blue"
},
"numberFormat": {
"unit": 23,
"options": {
"style": "decimal"
}
}
},
"subtitleContent": {
"columnMatch": "StatsCPUTimeMsStats",
"formatter": 9,
"formatOptions": {
"palette": "blue"
}
},
"showBorder": false
}
},
"customWidth": "20",
"name": "query - 4 - Copy - Copy - Copy - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "LAQueryLogs\r\n| summarize count() by RequestClientApp",
"size": 4,
"title": "Type of Request Client App",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "30",
"name": "query - 4"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "LAQueryLogs\r\n| summarize [\"Response Row Count\"]=sum(ResponseDurationMs) by QueryText\r\n| order by [\"Response Row Count\"] desc\r\n| take 10",
"size": 1,
"title": "Top 10 Queries to provide highest number of results",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "unstackedbar",
"gridSettings": {
"formatters": [
{
"columnMatch": "Response Row Count",
"formatter": 9,
"formatOptions": {
"palette": "blue"
}
}
],
"filter": true
},
"tileSettings": {
"titleContent": {
"columnMatch": "avg_ResponseDurationMs",
"formatter": 12,
"formatOptions": {
"palette": "blue"
},
"numberFormat": {
"unit": 23,
"options": {
"style": "decimal"
}
}
},
"showBorder": false
}
},
"name": "query - 4 - Copy - Copy - Copy - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "LAQueryLogs\r\n| summarize [\"Query Count\"]=count() by AADEmail\r\n| order by [\"Query Count\"] desc \r\n| take 10",
"size": 1,
"title": "Top 10 Users based on queries",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "Query Count",
"formatter": 8,
"formatOptions": {
"palette": "blue"
}
}
]
}
},
"customWidth": "30",
"name": "query - 4 - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "LAQueryLogs\r\n| summarize [\"Number of Responses\"] = sum(ResponseRowCount), [\"Responses\"] = makelist(ResponseRowCount) by AADEmail\r\n| order by [\"Number of Responses\"]\r\n| take 10",
"size": 1,
"title": "Top 10 Users based on response",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "Number of Responses",
"formatter": 8,
"formatOptions": {
"palette": "blue"
}
},
{
"columnMatch": "Responses",
"formatter": 21,
"formatOptions": {
"palette": "blue"
}
}
]
}
},
"customWidth": "40",
"name": "query - 4 - Copy - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "LAQueryLogs\r\n| summarize count() by ResponseCode\r\n| extend ResponseCode = tostring(ResponseCode)",
"size": 1,
"title": "Query Responses",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "20",
"name": "query - 4 - Copy - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "LAQueryLogs\r\n| summarize count() by bin(TimeGenerated,{TimeRange:grain})",
"size": 0,
"title": "Query Over Time",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "timechart"
},
"name": "query - 6"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "LAQueryLogs\r\n| summarize sum(ResponseRowCount) by bin(TimeGenerated,{TimeRange:grain})",
"size": 0,
"title": "Query Response Over Time",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "timechart"
},
"name": "query - 6 - Copy"
}
],
"fallbackResourceIds": [],
"fromTemplateId": "sentinel-LogAnalyticsQueryAnalysis",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}
Ссылка в новой задаче Показать git blame Копировать постоянную ссылку