2759 строки
158 KiB
JSON
2759 строки
158 KiB
JSON
{
|
|
"version": "Notebook/1.0",
|
|
"items": [
|
|
{
|
|
"type": 9,
|
|
"content": {
|
|
"version": "KqlParameterItem/1.0",
|
|
"crossComponentResources": [
|
|
"value::all"
|
|
],
|
|
"parameters": [
|
|
{
|
|
"id": "26d2fea7-3646-4993-b79f-6722f9ef8ddb",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "DefaultSubscription_Internal",
|
|
"type": 1,
|
|
"isRequired": true,
|
|
"query": "where type =~ 'microsoft.operationalinsights/workspaces'\n| take 1\n| project subscriptionId",
|
|
"crossComponentResources": [
|
|
"value::selected"
|
|
],
|
|
"isHiddenWhenLocked": true,
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 1,
|
|
"resourceType": "microsoft.resourcegraph/resources"
|
|
},
|
|
{
|
|
"id": "55d3ab63-6e1f-4d02-8d9e-2225526689c7",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "Subscription",
|
|
"type": 6,
|
|
"query": "summarize by subscriptionId\n| project value = strcat(\"/subscriptions/\", subscriptionId), label = subscriptionId, selected = iff(subscriptionId =~ '{DefaultSubscription_Internal}', true, false)",
|
|
"crossComponentResources": [
|
|
"value::all"
|
|
],
|
|
"typeSettings": {
|
|
"additionalResourceOptions": [],
|
|
"showDefault": false
|
|
},
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 1,
|
|
"resourceType": "microsoft.resourcegraph/resources"
|
|
},
|
|
{
|
|
"id": "95a45501-31b5-4ea2-bcb3-eb208e0080e2",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "Workspace",
|
|
"type": 5,
|
|
"isRequired": true,
|
|
"query": "where type =~ \"microsoft.operationalinsights/workspaces\"\r\n| where '{Subscription}' has subscriptionId",
|
|
"crossComponentResources": [
|
|
"value::all"
|
|
],
|
|
"typeSettings": {
|
|
"additionalResourceOptions": [],
|
|
"showDefault": false
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 1,
|
|
"resourceType": "microsoft.resourcegraph/resources"
|
|
},
|
|
{
|
|
"id": "7d597ad7-4a2a-45ed-a4fe-7ee32de0fc22",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "TimeRange",
|
|
"label": "Time Range",
|
|
"type": 4,
|
|
"isRequired": true,
|
|
"value": {
|
|
"durationMs": 2592000000
|
|
},
|
|
"typeSettings": {
|
|
"selectableValues": [
|
|
{
|
|
"durationMs": 14400000
|
|
},
|
|
{
|
|
"durationMs": 43200000
|
|
},
|
|
{
|
|
"durationMs": 86400000
|
|
},
|
|
{
|
|
"durationMs": 172800000
|
|
},
|
|
{
|
|
"durationMs": 259200000
|
|
},
|
|
{
|
|
"durationMs": 604800000
|
|
},
|
|
{
|
|
"durationMs": 1209600000
|
|
},
|
|
{
|
|
"durationMs": 2592000000
|
|
}
|
|
],
|
|
"allowCustom": true
|
|
}
|
|
},
|
|
{
|
|
"id": "9a199167-2dde-49dd-8f01-23e9d1fa8151",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "InternalRG",
|
|
"type": 1,
|
|
"isRequired": true,
|
|
"query": "where type =~ \"microsoft.operationalinsights/workspaces\"\r\n| where id =~ \"{Workspace}\"\r\n| project resourceGroup",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"isHiddenWhenLocked": true,
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 1,
|
|
"resourceType": "microsoft.resourcegraph/resources"
|
|
},
|
|
{
|
|
"id": "c4470c37-5a8a-4ecd-8ece-5e98db8e8a92",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "Help",
|
|
"label": "Show Help",
|
|
"type": 10,
|
|
"description": "This will show some help information to help you understand the page you are on",
|
|
"isRequired": true,
|
|
"value": "Yes",
|
|
"typeSettings": {
|
|
"additionalResourceOptions": [],
|
|
"showDefault": false
|
|
},
|
|
"jsonData": "[{ \"value\": \"Yes\", \"label\": \"Yes\"},\r\n {\"value\": \"No\", \"label\": \"No\", \"selected\":true }]"
|
|
}
|
|
],
|
|
"style": "pills",
|
|
"queryType": 1,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
"customWidth": "100",
|
|
"name": "WSSelector"
|
|
},
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"title": "Tables and Usage",
|
|
"items": [
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "Select the table for which you want to see:\r\n- in which scheduled analytic rule in the {Workspace:label} workspace the specified table is used \r\n- which saved searches from {Workspace:label} run on the table\r\n- whether a bookmark in {Workspace:label} uses the table\r\n- whether the table was used in queries performed from the portal, workbooks, logic apps, etc in the selected time range",
|
|
"style": "info"
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "Help",
|
|
"comparison": "isEqualTo",
|
|
"value": "Yes"
|
|
},
|
|
"name": "HelpNote"
|
|
},
|
|
{
|
|
"type": 11,
|
|
"content": {
|
|
"version": "LinkItem/1.0",
|
|
"style": "tabs",
|
|
"links": [
|
|
{
|
|
"id": "020e50e2-cc1c-491f-9e28-aecdbc0fdba2",
|
|
"cellValue": "selectedTab",
|
|
"linkTarget": "parameter",
|
|
"linkLabel": "Analytics",
|
|
"subTarget": "analytics",
|
|
"preText": "Analytics",
|
|
"style": "link"
|
|
},
|
|
{
|
|
"id": "38de0079-5552-4eda-8655-c927e052363a",
|
|
"cellValue": "selectedTab",
|
|
"linkTarget": "parameter",
|
|
"linkLabel": "Saved searches and Hunting queries",
|
|
"subTarget": "hunting",
|
|
"style": "link"
|
|
},
|
|
{
|
|
"id": "fcdb8707-248f-484f-8886-24e4ae9ffd81",
|
|
"cellValue": "selectedTab",
|
|
"linkTarget": "parameter",
|
|
"linkLabel": "Searches and queries",
|
|
"subTarget": "searches",
|
|
"style": "link"
|
|
}
|
|
]
|
|
},
|
|
"name": "links - 8"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "Usage\r\n| distinct DataType",
|
|
"size": 0,
|
|
"title": "Tables with activity in the {TimeRange:label} ",
|
|
"noDataMessage": "No tables were used in this period",
|
|
"timeContextFromParameter": "TimeRange",
|
|
"exportFieldName": "DataType",
|
|
"exportParameterName": "TableName",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"gridSettings": {
|
|
"filter": true,
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "DataType",
|
|
"sortOrder": 1
|
|
}
|
|
],
|
|
"labelSettings": [
|
|
{
|
|
"columnId": "DataType",
|
|
"label": " "
|
|
}
|
|
]
|
|
},
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "DataType",
|
|
"sortOrder": 1
|
|
}
|
|
]
|
|
},
|
|
"customWidth": "33",
|
|
"conditionalVisibility": {
|
|
"parameterName": "selectedTab",
|
|
"comparison": "isNotEqualTo",
|
|
"value": "searches"
|
|
},
|
|
"name": "TablesUsage"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": " let TNameTable = datatable (NameOfTable: string) ['{TableName}'];\r\n TNameTable",
|
|
"size": 0,
|
|
"title": "Table with only TableName as content",
|
|
"timeContext": {
|
|
"durationMs": 86400000
|
|
},
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "0",
|
|
"comparison": "isEqualTo",
|
|
"value": "0"
|
|
},
|
|
"name": "CreationOfTableName"
|
|
},
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"title": "Summary of analytic rules for the {TableName} table",
|
|
"items": [
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "{\"version\":\"ARMEndpoint/1.0\",\"data\":null,\"headers\":[],\"method\":\"GET\",\"path\":\"/subscriptions/{Subscription:id}/resourceGroups/{InternalRG}/providers/Microsoft.OperationalInsights/workspaces/{Workspace:name}/providers/Microsoft.SecurityInsights/alertRules\",\"urlParams\":[{\"key\":\"api-version\",\"value\":\"2021-10-01-preview\"}],\"batchDisabled\":false,\"transformers\":[{\"type\":\"jsonpath\",\"settings\":{\"tablePath\":\"$.value\",\"columns\":[{\"path\":\"$.properties.displayName\",\"columnid\":\"RuleName\"},{\"path\":\"$.properties.description\",\"columnid\":\"Description\"},{\"path\":\"$.properties.enabled\",\"columnid\":\"Enabled\"},{\"path\":\"$.properties.query\",\"columnid\":\"Query\"},{\"path\":\"$.properties.tactics\",\"columnid\":\"Tactics\"},{\"path\":\"$.properties.severity\",\"columnid\":\"Severity\"},{\"path\":\"$.properties.queryPeriod\",\"columnid\":\"QueryPeriod\"},{\"path\":\"$.properties.queryFrequency\",\"columnid\":\"QueryFrequency\"},{\"path\":\"$.properties.query\",\"columnid\":\"TableUsed\",\"columnType\":\"string\",\"substringRegexMatch\":\"[\\\\s\\\\S]*{TableName}[\\\\s\\\\S]*\",\"substringReplace\":\"{TableName}\"},{\"path\":\"$.properties.alertRuleTemplateName\",\"columnid\":\"TemplateID\"},{\"path\":\"$.properties.lastModifiedUtc\",\"columnid\":\"LastModifiedOn\"}]}}]}",
|
|
"size": 0,
|
|
"title": "All Analytic rules",
|
|
"noDataMessage": "No analytic rules are defined ",
|
|
"exportParameterName": "TestQ",
|
|
"exportToExcelOptions": "all",
|
|
"queryType": 12,
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "RuleName",
|
|
"formatter": 1
|
|
},
|
|
{
|
|
"columnMatch": "Description",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "Enabled",
|
|
"formatter": 18,
|
|
"formatOptions": {
|
|
"thresholdsOptions": "icons",
|
|
"thresholdsGrid": [
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "true",
|
|
"representation": "success",
|
|
"text": "Enabled"
|
|
},
|
|
{
|
|
"operator": "Default",
|
|
"thresholdValue": null,
|
|
"representation": "disabled",
|
|
"text": "Disabled"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Tactics",
|
|
"formatter": 5,
|
|
"formatOptions": {
|
|
"customColumnWidthSetting": "0ch"
|
|
}
|
|
}
|
|
],
|
|
"rowLimit": 512,
|
|
"labelSettings": [
|
|
{
|
|
"columnId": "RuleName",
|
|
"label": "Rule name"
|
|
}
|
|
]
|
|
},
|
|
"sortBy": [],
|
|
"graphSettings": {
|
|
"type": 0
|
|
},
|
|
"mapSettings": {
|
|
"locInfo": "LatLong"
|
|
}
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "0",
|
|
"comparison": "isEqualTo",
|
|
"value": "0"
|
|
},
|
|
"name": "All Analytic rules"
|
|
},
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"items": [
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "{\"version\":\"Merge/1.0\",\"merges\":[{\"id\":\"ba59820e-a7dc-4134-adc5-d3279e9371b2\",\"mergeType\":\"innerunique\",\"leftTable\":\"CreationOfTableName\",\"rightTable\":\"All Analytic rules\",\"leftColumn\":\"NameOfTable\",\"rightColumn\":\"TableUsed\"}],\"projectRename\":[{\"originalName\":\"[All Analytic rules].Enabled\",\"mergedName\":\"Enabled\",\"fromId\":\"ba59820e-a7dc-4134-adc5-d3279e9371b2\"},{\"originalName\":\"[Added column]\",\"mergedName\":\"Static 1\",\"fromId\":null,\"isNewItem\":true,\"newItemData\":[{\"criteriaContext\":{\"leftOperand\":\"Enabled\",\"operator\":\"isNotNull\",\"rightValType\":\"column\",\"resultValType\":\"static\",\"resultVal\":\"1\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"column\",\"resultValType\":\"column\"}}]},{\"originalName\":\"[Added column]\",\"mergedName\":\"Enabled or Disabled\",\"fromId\":null,\"isNewItem\":true,\"newItemData\":[{\"criteriaContext\":{\"leftOperand\":\"Enabled\",\"operator\":\"==\",\"rightValType\":\"static\",\"rightVal\":\"true\",\"resultValType\":\"static\",\"resultVal\":\"enabled\"}},{\"criteriaContext\":{\"leftOperand\":\"Enabled\",\"operator\":\"!=\",\"rightValType\":\"static\",\"rightVal\":\"true\",\"resultValType\":\"static\",\"resultVal\":\"disabled\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"column\",\"resultValType\":\"column\"}}]},{\"originalName\":\"[All Analytic rules].TemplateID\",\"mergedName\":\"TemplateID\",\"fromId\":\"unknown\"},{\"originalName\":\"[All Analytic rules].LastModifiedOn\",\"mergedName\":\"LastModifiedOn\",\"fromId\":\"unknown\"},{\"originalName\":\"[CreationOfTableName].NameOfTable\"},{\"originalName\":\"[All Analytic rules].RuleName\"},{\"originalName\":\"[All Analytic rules].Description\"},{\"originalName\":\"[All Analytic rules].Query\"},{\"originalName\":\"[All Analytic rules].Tactics\"},{\"originalName\":\"[All Analytic rules].Severity\"},{\"originalName\":\"[All Analytic rules].QueryPeriod\"},{\"originalName\":\"[All Analytic rules].QueryFrequency\"},{\"originalName\":\"[All Analytic rules].TableUsed\"}]}",
|
|
"size": 0,
|
|
"title": "{TableName}: Enabled vs Disabled rules",
|
|
"noDataMessage": "Currently there are no rules which use this table",
|
|
"showRefreshButton": true,
|
|
"queryType": 7,
|
|
"visualization": "categoricalbar",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "Table Name ",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "Severity",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "Query",
|
|
"formatter": 7,
|
|
"formatOptions": {
|
|
"linkTarget": "GenericDetails",
|
|
"linkLabel": "Click to open query and view additional information",
|
|
"linkIsContextBlade": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Query Period",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "Query Frequency",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "Tactics",
|
|
"formatter": 5
|
|
}
|
|
],
|
|
"filter": true,
|
|
"labelSettings": [
|
|
{
|
|
"columnId": "Enabled",
|
|
"label": "Status",
|
|
"comment": ""
|
|
}
|
|
]
|
|
},
|
|
"sortBy": [],
|
|
"tileSettings": {
|
|
"showBorder": false,
|
|
"titleContent": {
|
|
"columnMatch": "Enabled",
|
|
"formatter": 1
|
|
},
|
|
"leftContent": {
|
|
"columnMatch": "Static 1",
|
|
"formatter": 12,
|
|
"formatOptions": {
|
|
"palette": "auto"
|
|
},
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"chartSettings": {
|
|
"xAxis": "Enabled or Disabled",
|
|
"seriesLabelSettings": [
|
|
{
|
|
"seriesName": "enabled",
|
|
"color": "green"
|
|
},
|
|
{
|
|
"seriesName": "disabled",
|
|
"color": "gray"
|
|
}
|
|
],
|
|
"xSettings": {
|
|
"numberFormatSettings": {
|
|
"unit": 0,
|
|
"options": {
|
|
"style": "decimal",
|
|
"useGrouping": true
|
|
}
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"customWidth": "25",
|
|
"name": "RulesWithTable - Chart - Enabled vs Disabled",
|
|
"styleSettings": {
|
|
"maxWidth": "25"
|
|
}
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "{\"version\":\"Merge/1.0\",\"merges\":[{\"id\":\"ba59820e-a7dc-4134-adc5-d3279e9371b2\",\"mergeType\":\"innerunique\",\"leftTable\":\"CreationOfTableName\",\"rightTable\":\"All Analytic rules\",\"leftColumn\":\"NameOfTable\",\"rightColumn\":\"TableUsed\"}],\"projectRename\":[{\"originalName\":\"[All Analytic rules].Severity\",\"mergedName\":\"Severity\",\"fromId\":\"unknown\"},{\"originalName\":\"[Added column]\",\"mergedName\":\"Static 1\",\"fromId\":null,\"isNewItem\":true,\"newItemData\":[{\"criteriaContext\":{\"leftOperand\":\"Severity\",\"operator\":\"isNotNull\",\"rightValType\":\"column\",\"resultValType\":\"static\",\"resultVal\":\"1\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"column\",\"resultValType\":\"column\"}}]},{\"originalName\":\"[All Analytic rules].TemplateID\",\"mergedName\":\"TemplateID\",\"fromId\":\"unknown\"},{\"originalName\":\"[All Analytic rules].LastModifiedOn\",\"mergedName\":\"LastModifiedOn\",\"fromId\":\"unknown\"},{\"originalName\":\"[All Analytic rules].Test\"},{\"originalName\":\"[All Analytic rules].EventIDEquals\"},{\"originalName\":\"[All Analytic rules].EventIDList\"},{\"originalName\":\"[All Analytic rules].test\"},{\"originalName\":\"[All Analytic rules].TableUsed\"},{\"originalName\":\"[CreationOfTableName].NameOfTable\"},{\"originalName\":\"[All Analytic rules].RuleName\"},{\"originalName\":\"[All Analytic rules].Description\"},{\"originalName\":\"[All Analytic rules].Enabled\"},{\"originalName\":\"[All Analytic rules].Query\"},{\"originalName\":\"[All Analytic rules].QueryPeriod\"},{\"originalName\":\"[All Analytic rules].QueryFrequency\"},{\"originalName\":\"[All Analytic rules].Tactics\"}]}",
|
|
"size": 0,
|
|
"title": "{TableName}: Severity of all the rules (enabled and disabled)",
|
|
"noDataMessage": "Currently there are no rules which use this table",
|
|
"showRefreshButton": true,
|
|
"queryType": 7,
|
|
"visualization": "categoricalbar",
|
|
"gridSettings": {
|
|
"filter": true
|
|
},
|
|
"sortBy": [],
|
|
"tileSettings": {
|
|
"showBorder": false,
|
|
"titleContent": {
|
|
"columnMatch": "Table Name ",
|
|
"formatter": 1
|
|
},
|
|
"leftContent": {
|
|
"columnMatch": "Static value 1",
|
|
"formatter": 12,
|
|
"formatOptions": {
|
|
"palette": "auto"
|
|
},
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"chartSettings": {
|
|
"xAxis": "Severity",
|
|
"yAxis": [
|
|
"Static 1"
|
|
],
|
|
"seriesLabelSettings": [
|
|
{
|
|
"seriesName": "Medium",
|
|
"color": "redBright"
|
|
},
|
|
{
|
|
"seriesName": "High",
|
|
"color": "orange"
|
|
},
|
|
{
|
|
"seriesName": "Low",
|
|
"color": "yellow"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"customWidth": "25",
|
|
"name": "RulesWithTable - Severity - Chart",
|
|
"styleSettings": {
|
|
"maxWidth": "25"
|
|
}
|
|
}
|
|
]
|
|
},
|
|
"name": "Charts for rules"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "{\"version\":\"Merge/1.0\",\"merges\":[{\"id\":\"ba59820e-a7dc-4134-adc5-d3279e9371b2\",\"mergeType\":\"innerunique\",\"leftTable\":\"CreationOfTableName\",\"rightTable\":\"All Analytic rules\",\"leftColumn\":\"NameOfTable\",\"rightColumn\":\"TableUsed\"}],\"projectRename\":[{\"originalName\":\"[CreationOfTableName].NameOfTable\",\"mergedName\":\"Table Name \",\"fromId\":\"ba59820e-a7dc-4134-adc5-d3279e9371b2\"},{\"originalName\":\"[All Analytic rules].RuleName\",\"mergedName\":\"Rule name\",\"fromId\":\"ba59820e-a7dc-4134-adc5-d3279e9371b2\"},{\"originalName\":\"[All Analytic rules].Description\",\"mergedName\":\"Description\",\"fromId\":\"ba59820e-a7dc-4134-adc5-d3279e9371b2\"},{\"originalName\":\"[All Analytic rules].Enabled\",\"mergedName\":\"Enabled\",\"fromId\":\"ba59820e-a7dc-4134-adc5-d3279e9371b2\"},{\"originalName\":\"[All Analytic rules].Severity\",\"mergedName\":\"Severity\",\"fromId\":\"unknown\"},{\"originalName\":\"[All Analytic rules].Query\",\"mergedName\":\"Query\",\"fromId\":\"ba59820e-a7dc-4134-adc5-d3279e9371b2\"},{\"originalName\":\"[All Analytic rules].QueryPeriod\",\"mergedName\":\"Query Period\",\"fromId\":\"unknown\"},{\"originalName\":\"[All Analytic rules].QueryFrequency\",\"mergedName\":\"Query Frequency\",\"fromId\":\"unknown\"},{\"originalName\":\"[All Analytic rules].Tactics\",\"mergedName\":\"Tactics\",\"fromId\":\"ba59820e-a7dc-4134-adc5-d3279e9371b2\"},{\"originalName\":\"[All Analytic rules].Version\",\"mergedName\":\"Version\",\"fromId\":\"unknown\"},{\"originalName\":\"[All Analytic rules].TemplateID\",\"mergedName\":\"TemplateID\",\"fromId\":\"unknown\"},{\"originalName\":\"[All Analytic rules].LastModifiedOn\",\"mergedName\":\"LastModifiedOn\",\"fromId\":\"unknown\"},{\"originalName\":\"[All Analytic rules].Test\"},{\"originalName\":\"[All Analytic rules].EventIDEquals\"},{\"originalName\":\"[All Analytic rules].EventIDList\"},{\"originalName\":\"[All Analytic rules].test\"},{\"originalName\":\"[All Analytic rules].TableUsed\"}]}",
|
|
"size": 0,
|
|
"title": "All the rules that use {TableName} table",
|
|
"noDataMessage": "Currently there are no rules which use this table",
|
|
"queryType": 7,
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "Table Name ",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "Enabled",
|
|
"formatter": 18,
|
|
"formatOptions": {
|
|
"thresholdsOptions": "icons",
|
|
"thresholdsGrid": [
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "true",
|
|
"representation": "success",
|
|
"text": "Enabled"
|
|
},
|
|
{
|
|
"operator": "Default",
|
|
"thresholdValue": null,
|
|
"representation": "disabled",
|
|
"text": "Disabled"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Severity",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "Query",
|
|
"formatter": 7,
|
|
"formatOptions": {
|
|
"linkTarget": "GenericDetails",
|
|
"linkLabel": "Click to open query and view additional information",
|
|
"linkIsContextBlade": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Query Period",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "Query Frequency",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "Tactics",
|
|
"formatter": 5
|
|
}
|
|
],
|
|
"filter": true,
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "Rule name",
|
|
"sortOrder": 1
|
|
}
|
|
],
|
|
"labelSettings": [
|
|
{
|
|
"columnId": "Enabled",
|
|
"label": "Status",
|
|
"comment": ""
|
|
}
|
|
]
|
|
},
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "Rule name",
|
|
"sortOrder": 1
|
|
}
|
|
]
|
|
},
|
|
"name": "RulesWithTable",
|
|
"styleSettings": {
|
|
"showBorder": true
|
|
}
|
|
},
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"title": "EventID used in the scheduled analytic rules",
|
|
"expandable": true,
|
|
"expanded": true,
|
|
"items": [
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "This view shows you when the EventID condition used in the rule. <br />\r\nIt is able to look for \"EventID ==\" and \"EventID in ()\" <br />\r\n\r\n**Disclaimer**: <br />\r\n* It will only match on the first condition it and will not look for further matches. This means that SecurityEvent | where EventID == 1453 or EventID == 1698` will only match on the first condition. <br />\r\n* It will show the event even if your condition is excluding the event (e.g. `not( not ( where eventId== 1234))`)\r\n* If the event is not specified because it is part of a range, the event will not be matched (e.g. event 4625 will not be found if your query is checking for `EventID between (4624 .. 4627)`)\r\n\r\n**NOTE:** This information group is only visible when you are looking at rules that include the *SecurityEvent* table. <br />",
|
|
"style": "warning"
|
|
},
|
|
"name": "EventIDText"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "{\"version\":\"ARMEndpoint/1.0\",\"data\":null,\"headers\":[],\"method\":\"GET\",\"path\":\"/subscriptions/{Subscription:id}/resourceGroups/{InternalRG}/providers/Microsoft.OperationalInsights/workspaces/{Workspace:name}/providers/Microsoft.SecurityInsights/alertRules\",\"urlParams\":[{\"key\":\"api-version\",\"value\":\"2020-01-01\"}],\"batchDisabled\":false,\"transformers\":[{\"type\":\"jsonpath\",\"settings\":{\"tablePath\":\"$.value\",\"columns\":[{\"path\":\"$.properties.displayName\",\"columnid\":\"RuleName\"},{\"path\":\"$.properties.query\",\"columnid\":\"Query\"},{\"path\":\"$.properties.query\",\"columnid\":\"EventID\",\"columnType\":\"long\",\"substringRegexMatch\":\"[\\\\s\\\\S]*?EventID[\\\\s]?==[\\\\s]?[\\\"]?[']?([0-9]*)[\\\\s\\\\S]*\",\"substringReplace\":\"$1\"},{\"path\":\"$.properties.query\",\"columnid\":\"EventIDList\",\"columnType\":\"string\",\"substringRegexMatch\":\"[\\\\s\\\\S]*?EventID in \\\\((([\\\"]?[']?[0-9]*[\\\"]?[,]?[\\\\s]?)*)\\\\)[\\\\s\\\\S]*\",\"substringReplace\":\"$1\"},{\"path\":\"$.properties.query\",\"columnid\":\"EventIDBetween\",\"columnType\":\"string\",\"substringRegexMatch\":\"[\\\\s\\\\S]*?EventID between \\\\([\\\\s]?([0-9]*[\\\\s]? \\\\.\\\\.[\\\\s]? [0-9]*)[\\\\s]?\\\\)[\\\\s\\\\S]*\",\"substringReplace\":\"$1\"},{\"path\":\"$.properties.query\",\"columnid\":\"MultipleEventID\",\"substringRegexMatch\":\"([\\\\s\\\\S]*?(?:EventID[\\\\s]?==)|(?:EventID in)|(?:EventID between)[\\\\s\\\\S]*?){2}\",\"substringReplace\":\"Multiple\"},{\"path\":\"$.properties.query\",\"columnid\":\"TableUsed\",\"substringRegexMatch\":\"[\\\\s\\\\S]*SecurityEvent[\\\\s\\\\S]*\",\"substringReplace\":\"SecurityEvent\"}]}}]}",
|
|
"size": 0,
|
|
"title": "EventIDs found in all the rules",
|
|
"noDataMessage": "No analytic rules are defined ",
|
|
"exportParameterName": "TestQ",
|
|
"exportToExcelOptions": "all",
|
|
"queryType": 12,
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "RuleName",
|
|
"formatter": 1
|
|
},
|
|
{
|
|
"columnMatch": "Description",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "Enabled",
|
|
"formatter": 18,
|
|
"formatOptions": {
|
|
"thresholdsOptions": "icons",
|
|
"thresholdsGrid": [
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "true",
|
|
"representation": "success",
|
|
"text": "Enabled"
|
|
},
|
|
{
|
|
"operator": "Default",
|
|
"thresholdValue": null,
|
|
"representation": "disabled",
|
|
"text": "Disabled"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Tactics",
|
|
"formatter": 5,
|
|
"formatOptions": {
|
|
"customColumnWidthSetting": "0ch"
|
|
}
|
|
}
|
|
],
|
|
"rowLimit": 512
|
|
},
|
|
"sortBy": [],
|
|
"graphSettings": {
|
|
"type": 0
|
|
},
|
|
"mapSettings": {
|
|
"locInfo": "LatLong"
|
|
}
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "0",
|
|
"comparison": "isEqualTo",
|
|
"value": "0"
|
|
},
|
|
"name": "EventIDFoundTableIndependent"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "{\"version\":\"Merge/1.0\",\"merges\":[{\"id\":\"d3bfe37c-803a-4215-b587-8c8db14580b6\",\"mergeType\":\"innerunique\",\"leftTable\":\"CreationOfTableName\",\"rightTable\":\"EventIDFoundTableIndependent\",\"leftColumn\":\"NameOfTable\",\"rightColumn\":\"TableUsed\"}],\"projectRename\":[{\"originalName\":\"[CreationOfTableName].NameOfTable\",\"mergedName\":\"NameOfTable\",\"fromId\":\"d3bfe37c-803a-4215-b587-8c8db14580b6\"},{\"originalName\":\"[EventIDFoundTableIndependent].RuleName\",\"mergedName\":\"Rule Name\",\"fromId\":\"d3bfe37c-803a-4215-b587-8c8db14580b6\"},{\"originalName\":\"[EventIDFoundTableIndependent].Query\",\"mergedName\":\"Query\",\"fromId\":\"unknown\"},{\"originalName\":\"[EventIDFoundTableIndependent].EventID\",\"mergedName\":\"EventID with the equals comparison\",\"fromId\":\"d3bfe37c-803a-4215-b587-8c8db14580b6\"},{\"originalName\":\"[EventIDFoundTableIndependent].EventIDList\",\"mergedName\":\"EventIDList with the in-operator\",\"fromId\":\"d3bfe37c-803a-4215-b587-8c8db14580b6\"},{\"originalName\":\"[EventIDFoundTableIndependent].EventIDBetween\",\"mergedName\":\"EventIDBetween\",\"fromId\":\"unknown\"},{\"originalName\":\"[EventIDFoundTableIndependent].MultipleEventID\",\"mergedName\":\"Multiple Event IDs used \",\"fromId\":\"unknown\"},{\"originalName\":\"[EventIDFoundTableIndependent].TableUsed\"}]}",
|
|
"size": 0,
|
|
"title": "EventIDs found in the rules",
|
|
"queryType": 7,
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "NameOfTable",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "Query",
|
|
"formatter": 7,
|
|
"formatOptions": {
|
|
"linkTarget": "CellDetails",
|
|
"linkLabel": "Click to see the full query",
|
|
"linkIsContextBlade": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "EventID with the equals comparison",
|
|
"formatter": 18,
|
|
"formatOptions": {
|
|
"thresholdsOptions": "icons",
|
|
"thresholdsGrid": [
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "NaN",
|
|
"representation": "more",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "Default",
|
|
"thresholdValue": null,
|
|
"representation": "Blank",
|
|
"text": "{0}{1}"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "EventIDList with the in-operator",
|
|
"formatter": 18,
|
|
"formatOptions": {
|
|
"thresholdsOptions": "icons",
|
|
"thresholdsGrid": [
|
|
{
|
|
"operator": "regex",
|
|
"thresholdValue": "^\\s*[[0-9]*[,]]*",
|
|
"representation": "Blank",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "Default",
|
|
"thresholdValue": null,
|
|
"representation": "Blank",
|
|
"text": ""
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "EventIDBetween",
|
|
"formatter": 18,
|
|
"formatOptions": {
|
|
"thresholdsOptions": "icons",
|
|
"thresholdsGrid": [
|
|
{
|
|
"operator": "regex",
|
|
"thresholdValue": "^\\s*[[0-9]*[\\s]*[\\.]{2}[\\s]*[0-9]*",
|
|
"representation": "Blank",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "Default",
|
|
"thresholdValue": null,
|
|
"representation": "Blank",
|
|
"text": ""
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Multiple Event IDs used ",
|
|
"formatter": 18,
|
|
"formatOptions": {
|
|
"thresholdsOptions": "icons",
|
|
"thresholdsGrid": [
|
|
{
|
|
"operator": "regex",
|
|
"thresholdValue": "Multiple .*",
|
|
"representation": "2",
|
|
"text": "Multiple conditions found on EventID. Please review the query."
|
|
},
|
|
{
|
|
"operator": "Default",
|
|
"thresholdValue": null,
|
|
"representation": "Blank",
|
|
"text": ""
|
|
}
|
|
]
|
|
}
|
|
}
|
|
],
|
|
"labelSettings": [
|
|
{
|
|
"columnId": "EventIDList with the in-operator",
|
|
"label": "EventID with the in-operator"
|
|
},
|
|
{
|
|
"columnId": "EventIDBetween",
|
|
"label": "EventID with the between-operator"
|
|
}
|
|
]
|
|
},
|
|
"sortBy": []
|
|
},
|
|
"name": "EventIDs "
|
|
},
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "does not work on between values\r\n\r\ndo not use spaces and one value at a time\r\n\r\nalso this will also match if you search for 233 and the number is 4233, but not sure if I should fix it since this could actually be usefull\r\n\r\nwe could show the in between operator as an option? lets discuss during our call",
|
|
"style": "warning"
|
|
},
|
|
"name": "EventIDText - Copy"
|
|
},
|
|
{
|
|
"type": 9,
|
|
"content": {
|
|
"version": "KqlParameterItem/1.0",
|
|
"parameters": [
|
|
{
|
|
"id": "505d8786-c967-489f-8926-02d23c31c9fd",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "SearchEventIDRules",
|
|
"label": "Search for eventID ",
|
|
"type": 1,
|
|
"description": "You can search all your rules to see if this EventID appears in the rules (one EventID only)",
|
|
"value": "233",
|
|
"timeContext": {
|
|
"durationMs": 86400000
|
|
}
|
|
}
|
|
],
|
|
"style": "pills",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
"name": "SearchParameter - EventIDRules"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "{\"version\":\"ARMEndpoint/1.0\",\"data\":null,\"headers\":[],\"method\":\"GET\",\"path\":\"/subscriptions/{Subscription:id}/resourceGroups/{InternalRG}/providers/Microsoft.OperationalInsights/workspaces/{Workspace:name}/providers/Microsoft.SecurityInsights/alertRules\",\"urlParams\":[{\"key\":\"api-version\",\"value\":\"2020-01-01\"}],\"batchDisabled\":false,\"transformers\":[{\"type\":\"jsonpath\",\"settings\":{\"tablePath\":\"$.value\",\"columns\":[{\"path\":\"$.properties.displayName\",\"columnid\":\"RuleName\"},{\"path\":\"$.properties.query\",\"columnid\":\"Query\"},{\"path\":\"$.properties.query\",\"columnid\":\"SearchEventID\",\"columnType\":\"long\",\"substringRegexMatch\":\"[\\\\s\\\\S]*?EventID[\\\\s\\\\S]*?({SearchEventIDRules})[\\\\s\\\\S]*\",\"substringReplace\":\"$1\"},{\"path\":\"$.properties.query\",\"columnid\":\"TableUsed\",\"substringRegexMatch\":\"[\\\\s\\\\S]*SecurityEvent[\\\\s\\\\S]*\",\"substringReplace\":\"SecurityEvent\"}]}}]}",
|
|
"size": 0,
|
|
"title": "Search EventID: {SearchEventIDRules}",
|
|
"noDataMessage": "No analytic rules are defined ",
|
|
"exportToExcelOptions": "all",
|
|
"queryType": 12,
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "RuleName",
|
|
"formatter": 1
|
|
},
|
|
{
|
|
"columnMatch": "Description",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "Enabled",
|
|
"formatter": 18,
|
|
"formatOptions": {
|
|
"thresholdsOptions": "icons",
|
|
"thresholdsGrid": [
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "true",
|
|
"representation": "success",
|
|
"text": "Enabled"
|
|
},
|
|
{
|
|
"operator": "Default",
|
|
"thresholdValue": null,
|
|
"representation": "disabled",
|
|
"text": "Disabled"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Tactics",
|
|
"formatter": 5,
|
|
"formatOptions": {
|
|
"customColumnWidthSetting": "0ch"
|
|
}
|
|
}
|
|
],
|
|
"rowLimit": 512
|
|
},
|
|
"sortBy": [],
|
|
"graphSettings": {
|
|
"type": 0
|
|
},
|
|
"mapSettings": {
|
|
"locInfo": "LatLong"
|
|
}
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "0",
|
|
"comparison": "isEqualTo",
|
|
"value": "0"
|
|
},
|
|
"name": "SearchEventIDRules"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "{\"version\":\"Merge/1.0\",\"merges\":[{\"id\":\"d3bfe37c-803a-4215-b587-8c8db14580b6\",\"mergeType\":\"innerunique\",\"leftTable\":\"CreationOfTableName\",\"rightTable\":\"SearchEventIDRules\",\"leftColumn\":\"NameOfTable\",\"rightColumn\":\"TableUsed\"}],\"projectRename\":[{\"originalName\":\"[SearchEventIDRules].RuleName\",\"mergedName\":\"RuleName\",\"fromId\":\"d3bfe37c-803a-4215-b587-8c8db14580b6\"},{\"originalName\":\"[SearchEventIDRules].Query\",\"mergedName\":\"Query\",\"fromId\":\"d3bfe37c-803a-4215-b587-8c8db14580b6\"},{\"originalName\":\"[SearchEventIDRules].SearchEventID\",\"mergedName\":\"SearchEventID\",\"fromId\":\"d3bfe37c-803a-4215-b587-8c8db14580b6\"},{\"originalName\":\"[SearchEventIDRules].TableUsed\",\"mergedName\":\"TableUsed\",\"fromId\":\"d3bfe37c-803a-4215-b587-8c8db14580b6\"},{\"originalName\":\"[CreationOfTableName].NameOfTable\"}]}",
|
|
"size": 0,
|
|
"title": "EventID {SearchEventIDRules} found in the rules",
|
|
"queryType": 7,
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "Query",
|
|
"formatter": 7,
|
|
"formatOptions": {
|
|
"linkTarget": "CellDetails",
|
|
"linkLabel": "Click to see the full query",
|
|
"linkIsContextBlade": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "SearchEventID",
|
|
"formatter": 18,
|
|
"formatOptions": {
|
|
"thresholdsOptions": "icons",
|
|
"thresholdsGrid": [
|
|
{
|
|
"operator": "is Empty",
|
|
"representation": "failed",
|
|
"text": "Not found"
|
|
},
|
|
{
|
|
"operator": "Default",
|
|
"thresholdValue": null,
|
|
"representation": "success",
|
|
"text": "Found {0}{1}"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "TableUsed",
|
|
"formatter": 5
|
|
}
|
|
],
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "$gen_thresholds_SearchEventID_2",
|
|
"sortOrder": 2
|
|
}
|
|
],
|
|
"labelSettings": [
|
|
{
|
|
"columnId": "RuleName",
|
|
"label": "Rule Name"
|
|
},
|
|
{
|
|
"columnId": "SearchEventID",
|
|
"label": "Found the EventID"
|
|
}
|
|
]
|
|
},
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "$gen_thresholds_SearchEventID_2",
|
|
"sortOrder": 2
|
|
}
|
|
]
|
|
},
|
|
"name": "FoundEventIDRules"
|
|
}
|
|
]
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "TableName",
|
|
"comparison": "isEqualTo",
|
|
"value": "SecurityEvent"
|
|
},
|
|
"name": "EventID",
|
|
"styleSettings": {
|
|
"showBorder": true
|
|
}
|
|
}
|
|
]
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "selectedTab",
|
|
"comparison": "isEqualTo",
|
|
"value": "analytics"
|
|
},
|
|
"name": "Rules"
|
|
},
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "This section shows information about templates available for the {TableName} table.\r\nThe templates you see below are available for you to create.\r\nYou can do this from Analytics > Rule templates. Select the rule you want to deploy and then select Create rule.",
|
|
"style": "info"
|
|
},
|
|
"conditionalVisibilities": [
|
|
{
|
|
"parameterName": "Help",
|
|
"comparison": "isEqualTo",
|
|
"value": "Yes"
|
|
},
|
|
{
|
|
"parameterName": "selectedTab",
|
|
"comparison": "isEqualTo",
|
|
"value": "analytics"
|
|
}
|
|
],
|
|
"name": "Available templates explained"
|
|
},
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"title": "Information about the templates with {TableName} table",
|
|
"items": [
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "{\"version\":\"ARMEndpoint/1.0\",\"data\":null,\"headers\":[],\"method\":\"GET\",\"path\":\"/subscriptions/{Subscription:id}/resourceGroups/{InternalRG}/providers/Microsoft.OperationalInsights/workspaces/{Workspace:name}/providers/Microsoft.SecurityInsights/alertRuleTemplates\",\"urlParams\":[{\"key\":\"api-version\",\"value\":\"2021-10-01-preview\"},{\"key\":\"\",\"value\":\"\"}],\"batchDisabled\":false,\"transformers\":[{\"type\":\"jsonpath\",\"settings\":{\"tablePath\":\"$.value\",\"columns\":[{\"path\":\"$.properties.displayName\",\"columnid\":\"RuleName\"},{\"path\":\"$.properties.description\",\"columnid\":\"Description\"},{\"path\":\"$.properties.query\",\"columnid\":\"Query\"},{\"path\":\"$.properties.tactics\",\"columnid\":\"Tactics\"},{\"path\":\"$.properties.severity\",\"columnid\":\"Severity\"},{\"path\":\"$.properties.queryPeriod\",\"columnid\":\"QueryPeriod\"},{\"path\":\"$.properties.queryFrequency\",\"columnid\":\"QueryFrequency\"},{\"path\":\"$.properties.status\",\"columnid\":\"Status\"},{\"path\":\"$.properties.query\",\"columnid\":\"TableUsed\",\"columnType\":\"string\",\"substringRegexMatch\":\"[\\\\s\\\\S]*{TableName}[\\\\s\\\\S]*\",\"substringReplace\":\"{TableName}\"},{\"path\":\"$.properties.version\",\"columnid\":\"Version\"},{\"path\":\"$.properties.lastUpdatedDateUTC\",\"columnid\":\"LastModifiedOn\"},{\"path\":\"$.name\",\"columnid\":\"TemplateId\"},{\"path\":\"$.kind\",\"columnid\":\"AnalyticKind\"}]}}]}",
|
|
"size": 0,
|
|
"title": "All Analytic rule templates",
|
|
"noDataMessage": "No templates are defined ",
|
|
"exportParameterName": "TestQ",
|
|
"exportToExcelOptions": "all",
|
|
"queryType": 12,
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "RuleName",
|
|
"formatter": 1
|
|
},
|
|
{
|
|
"columnMatch": "Description",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "Enabled",
|
|
"formatter": 18,
|
|
"formatOptions": {
|
|
"thresholdsOptions": "icons",
|
|
"thresholdsGrid": [
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "true",
|
|
"representation": "success",
|
|
"text": "Enabled"
|
|
},
|
|
{
|
|
"operator": "Default",
|
|
"thresholdValue": null,
|
|
"representation": "disabled",
|
|
"text": "Disabled"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Tactics",
|
|
"formatter": 5,
|
|
"formatOptions": {
|
|
"customColumnWidthSetting": "0ch"
|
|
}
|
|
}
|
|
],
|
|
"rowLimit": 512,
|
|
"labelSettings": [
|
|
{
|
|
"columnId": "RuleName",
|
|
"label": "Rule name"
|
|
}
|
|
]
|
|
},
|
|
"sortBy": [],
|
|
"graphSettings": {
|
|
"type": 0
|
|
},
|
|
"mapSettings": {
|
|
"locInfo": "LatLong"
|
|
}
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "0",
|
|
"comparison": "isEqualTo",
|
|
"value": "0"
|
|
},
|
|
"name": "All Analytic rules templates"
|
|
},
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"items": [
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "{\"version\":\"Merge/1.0\",\"merges\":[{\"id\":\"ba59820e-a7dc-4134-adc5-d3279e9371b2\",\"mergeType\":\"innerunique\",\"leftTable\":\"CreationOfTableName\",\"rightTable\":\"All Analytic rules templates\",\"leftColumn\":\"NameOfTable\",\"rightColumn\":\"TableUsed\"}],\"projectRename\":[{\"originalName\":\"[All Analytic rules templates].Status\",\"mergedName\":\"Status\",\"fromId\":\"ba59820e-a7dc-4134-adc5-d3279e9371b2\"},{\"originalName\":\"[Added column]\",\"mergedName\":\"Static 1\",\"fromId\":null,\"isNewItem\":true,\"newItemData\":[{\"criteriaContext\":{\"leftOperand\":\"Status\",\"operator\":\"isNotNull\",\"rightValType\":\"column\",\"resultValType\":\"static\",\"resultVal\":\"1\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"column\",\"resultValType\":\"column\"}}]},{\"originalName\":\"[All Analytic rules templates].Version\",\"mergedName\":\"Version\",\"fromId\":\"unknown\"},{\"originalName\":\"[All Analytic rules templates].LastModifiedOn\",\"mergedName\":\"LastModifiedOn\",\"fromId\":\"unknown\"},{\"originalName\":\"[All Analytic rules templates].TemplateId\",\"mergedName\":\"TemplateId\",\"fromId\":\"unknown\"},{\"originalName\":\"[All Analytic rules templates].AnalyticKind\",\"mergedName\":\"AnalyticKind\",\"fromId\":\"unknown\"},{\"originalName\":\"[All Analytic rules templates].Version\",\"mergedName\":\"Version\",\"fromId\":\"unknown\"},{\"originalName\":\"[All Analytic rules templates].LastModifiedOn\",\"mergedName\":\"LastModifiedOn\",\"fromId\":\"unknown\"},{\"originalName\":\"[All Analytic rules templates].TemplateId\",\"mergedName\":\"TemplateId\",\"fromId\":\"unknown\"},{\"originalName\":\"[All Analytic rules templates].AnalyticKind\",\"mergedName\":\"AnalyticKind\",\"fromId\":\"unknown\"},{\"originalName\":\"[CreationOfTableName].NameOfTable\"},{\"originalName\":\"[All Analytic rules templates].RuleName\"},{\"originalName\":\"[All Analytic rules templates].Query\"},{\"originalName\":\"[All Analytic rules templates].Description\"},{\"originalName\":\"[All Analytic rules templates].Tactics\"},{\"originalName\":\"[All Analytic rules templates].Severity\"},{\"originalName\":\"[All Analytic rules templates].QueryPeriod\"},{\"originalName\":\"[All Analytic rules templates].QueryFrequency\"},{\"originalName\":\"[All Analytic rules templates].TableUsed\"}]}",
|
|
"size": 0,
|
|
"title": "{TableName}: Available vs Installed templates",
|
|
"noDataMessage": "Currently there are no rules which use this table",
|
|
"showRefreshButton": true,
|
|
"queryType": 7,
|
|
"visualization": "categoricalbar",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "Table Name ",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "Severity",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "Query",
|
|
"formatter": 7,
|
|
"formatOptions": {
|
|
"linkTarget": "GenericDetails",
|
|
"linkLabel": "Click to open query and view additional information",
|
|
"linkIsContextBlade": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Query Period",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "Query Frequency",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "Tactics",
|
|
"formatter": 5
|
|
}
|
|
],
|
|
"filter": true,
|
|
"labelSettings": [
|
|
{
|
|
"columnId": "Enabled",
|
|
"label": "Status",
|
|
"comment": ""
|
|
}
|
|
]
|
|
},
|
|
"sortBy": [],
|
|
"chartSettings": {
|
|
"xAxis": "Status"
|
|
}
|
|
},
|
|
"customWidth": "25",
|
|
"name": "TemplatesWithTable - Chart - Available",
|
|
"styleSettings": {
|
|
"maxWidth": "25"
|
|
}
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "{\"version\":\"Merge/1.0\",\"merges\":[{\"id\":\"ba59820e-a7dc-4134-adc5-d3279e9371b2\",\"mergeType\":\"innerunique\",\"leftTable\":\"CreationOfTableName\",\"rightTable\":\"All Analytic rules templates\",\"leftColumn\":\"NameOfTable\",\"rightColumn\":\"TableUsed\"}],\"projectRename\":[{\"originalName\":\"[All Analytic rules templates].Severity\",\"mergedName\":\"Severity\",\"fromId\":\"ba59820e-a7dc-4134-adc5-d3279e9371b2\"},{\"originalName\":\"[Added column]\",\"mergedName\":\"Added column\",\"fromId\":null,\"isNewItem\":true,\"newItemData\":[{\"criteriaContext\":{\"leftOperand\":\"Severity\",\"operator\":\"isNotNull\",\"rightValType\":\"column\",\"resultValType\":\"static\",\"resultVal\":\"1\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"column\",\"resultValType\":\"column\"}}]},{\"originalName\":\"[All Analytic rules templates].Version\",\"mergedName\":\"Version\",\"fromId\":\"unknown\"},{\"originalName\":\"[All Analytic rules templates].LastModifiedOn\",\"mergedName\":\"LastModifiedOn\",\"fromId\":\"unknown\"},{\"originalName\":\"[All Analytic rules templates].TemplateId\",\"mergedName\":\"TemplateId\",\"fromId\":\"unknown\"},{\"originalName\":\"[All Analytic rules templates].AnalyticKind\",\"mergedName\":\"AnalyticKind\",\"fromId\":\"unknown\"},{\"originalName\":\"[All Analytic rules templates].Version\",\"mergedName\":\"Version\",\"fromId\":\"unknown\"},{\"originalName\":\"[All Analytic rules templates].LastModifiedOn\",\"mergedName\":\"LastModifiedOn\",\"fromId\":\"unknown\"},{\"originalName\":\"[All Analytic rules templates].TemplateId\",\"mergedName\":\"TemplateId\",\"fromId\":\"unknown\"},{\"originalName\":\"[All Analytic rules templates].AnalyticKind\",\"mergedName\":\"AnalyticKind\",\"fromId\":\"unknown\"},{\"originalName\":\"[CreationOfTableName].NameOfTable\"},{\"originalName\":\"[All Analytic rules templates].RuleName\"},{\"originalName\":\"[All Analytic rules templates].Description\"},{\"originalName\":\"[All Analytic rules templates].Query\"},{\"originalName\":\"[All Analytic rules templates].Tactics\"},{\"originalName\":\"[All Analytic rules templates].QueryPeriod\"},{\"originalName\":\"[All Analytic rules templates].QueryFrequency\"},{\"originalName\":\"[All Analytic rules templates].Status\"},{\"originalName\":\"[All Analytic rules templates].TableUsed\"}]}",
|
|
"size": 0,
|
|
"title": "{TableName}: Severity of all the templates (available and installed)",
|
|
"noDataMessage": "Currently there are no rules which use this table",
|
|
"showRefreshButton": true,
|
|
"queryType": 7,
|
|
"visualization": "categoricalbar",
|
|
"gridSettings": {
|
|
"filter": true
|
|
},
|
|
"sortBy": [],
|
|
"tileSettings": {
|
|
"showBorder": false,
|
|
"titleContent": {
|
|
"columnMatch": "Table Name ",
|
|
"formatter": 1
|
|
},
|
|
"leftContent": {
|
|
"columnMatch": "Static value 1",
|
|
"formatter": 12,
|
|
"formatOptions": {
|
|
"palette": "auto"
|
|
},
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"chartSettings": {
|
|
"xAxis": "Severity",
|
|
"seriesLabelSettings": [
|
|
{
|
|
"seriesName": "Medium",
|
|
"color": "orange"
|
|
},
|
|
{
|
|
"seriesName": "High",
|
|
"color": "redBright"
|
|
},
|
|
{
|
|
"seriesName": "Low",
|
|
"color": "yellow"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"customWidth": "25",
|
|
"name": "TemplatesWithTable - Severity - Chart",
|
|
"styleSettings": {
|
|
"maxWidth": "25"
|
|
}
|
|
}
|
|
]
|
|
},
|
|
"name": "Charts for templates"
|
|
},
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"title": "EventID used in the template analytic rules",
|
|
"expandable": true,
|
|
"expanded": true,
|
|
"items": [
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "This view shows you when the EventID condition used in the rule. <br />\r\nIt is able to look for \"EventID ==\" and \"EventID in ()\" <br />\r\n\r\n**Disclaimer**: <br />\r\n* It will only match on the first condition it and will not look for further matches. This means that SecurityEvent | where EventID == 1453 or EventID == 1698` will only match on the first condition. <br />\r\n* It will show the event even if your condition is excluding the event (e.g. `not( not ( where eventId== 1234))`)\r\n* If the event is not specified because it is part of a range, the event will not be matched (e.g. event 4625 will not be found if your query is checking for `EventID between (4624 .. 4627)`)\r\n\r\n**NOTE:** This information group is only visible when you are looking at rules that include the *SecurityEvent* table. <br />",
|
|
"style": "warning"
|
|
},
|
|
"name": "TemplateEventIDText"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "{\"version\":\"ARMEndpoint/1.0\",\"data\":null,\"headers\":[],\"method\":\"GET\",\"path\":\"/subscriptions/{Subscription:id}/resourceGroups/{InternalRG}/providers/Microsoft.OperationalInsights/workspaces/{Workspace:name}/providers/Microsoft.SecurityInsights/alertRuleTemplates\",\"urlParams\":[{\"key\":\"api-version\",\"value\":\"2020-01-01\"}],\"batchDisabled\":false,\"transformers\":[{\"type\":\"jsonpath\",\"settings\":{\"tablePath\":\"$.value\",\"columns\":[{\"path\":\"$.properties.displayName\",\"columnid\":\"RuleName\"},{\"path\":\"$.properties.query\",\"columnid\":\"Query\"},{\"path\":\"$.properties.query\",\"columnid\":\"EventID\",\"columnType\":\"long\",\"substringRegexMatch\":\"[\\\\s\\\\S]*?EventID[\\\\s]?==[\\\\s]?[\\\"]?[']?([0-9]*)[\\\\s\\\\S]*\",\"substringReplace\":\"$1\"},{\"path\":\"$.properties.query\",\"columnid\":\"EventIDList\",\"columnType\":\"string\",\"substringRegexMatch\":\"[\\\\s\\\\S]*?EventID in \\\\((([\\\"]?[']?[0-9]*[\\\"]?[,]?[\\\\s]?)*)\\\\)[\\\\s\\\\S]*\",\"substringReplace\":\"$1\"},{\"path\":\"$.properties.query\",\"columnid\":\"EventIDBetween\",\"columnType\":\"string\",\"substringRegexMatch\":\"[\\\\s\\\\S]*?EventID between \\\\([\\\\s]?([0-9]*[\\\\s]? \\\\.\\\\.[\\\\s]? [0-9]*)[\\\\s]?\\\\)[\\\\s\\\\S]*\"},{\"path\":\"$.properties.query\",\"columnid\":\"MultipleEventID\",\"substringRegexMatch\":\"([\\\\s\\\\S]*?(?:EventID[\\\\s]?==)|(?:EventID in)|(?:EventID between)[\\\\s\\\\S]*?){2}\",\"substringReplace\":\"Multiple\"},{\"path\":\"$.properties.query\",\"columnid\":\"TableUsed\",\"substringRegexMatch\":\"[\\\\s\\\\S]*SecurityEvent[\\\\s\\\\S]*\",\"substringReplace\":\"SecurityEvent\"}]}}]}",
|
|
"size": 0,
|
|
"title": "EventIDs found in all the templates",
|
|
"noDataMessage": "No template rules are defined ",
|
|
"exportParameterName": "TestQ",
|
|
"exportToExcelOptions": "all",
|
|
"queryType": 12,
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "RuleName",
|
|
"formatter": 1
|
|
},
|
|
{
|
|
"columnMatch": "Description",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "Enabled",
|
|
"formatter": 18,
|
|
"formatOptions": {
|
|
"thresholdsOptions": "icons",
|
|
"thresholdsGrid": [
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "true",
|
|
"representation": "success",
|
|
"text": "Enabled"
|
|
},
|
|
{
|
|
"operator": "Default",
|
|
"thresholdValue": null,
|
|
"representation": "disabled",
|
|
"text": "Disabled"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Tactics",
|
|
"formatter": 5,
|
|
"formatOptions": {
|
|
"customColumnWidthSetting": "0ch"
|
|
}
|
|
}
|
|
],
|
|
"rowLimit": 512
|
|
},
|
|
"sortBy": [],
|
|
"graphSettings": {
|
|
"type": 0
|
|
},
|
|
"mapSettings": {
|
|
"locInfo": "LatLong"
|
|
}
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "0",
|
|
"comparison": "isEqualTo",
|
|
"value": "0"
|
|
},
|
|
"name": "TemplateEventIDFoundTableIndependent"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "{\"version\":\"Merge/1.0\",\"merges\":[{\"id\":\"d3bfe37c-803a-4215-b587-8c8db14580b6\",\"mergeType\":\"innerunique\",\"leftTable\":\"CreationOfTableName\",\"rightTable\":\"TemplateEventIDFoundTableIndependent\",\"leftColumn\":\"NameOfTable\",\"rightColumn\":\"TableUsed\"}],\"projectRename\":[{\"originalName\":\"[EventIDFoundTableIndependent].Query\",\"mergedName\":\"Query\",\"fromId\":\"unknown\"},{\"originalName\":\"[CreationOfTableName].NameOfTable\",\"mergedName\":\"Table Name\",\"fromId\":\"d3bfe37c-803a-4215-b587-8c8db14580b6\"},{\"originalName\":\"[TemplateEventIDFoundTableIndependent].RuleName\",\"mergedName\":\"Rule Name\",\"fromId\":\"d3bfe37c-803a-4215-b587-8c8db14580b6\"},{\"originalName\":\"[TemplateEventIDFoundTableIndependent].Query\",\"mergedName\":\"Query\",\"fromId\":\"d3bfe37c-803a-4215-b587-8c8db14580b6\"},{\"originalName\":\"[TemplateEventIDFoundTableIndependent].EventID\",\"mergedName\":\"EventID with the equals comparison\",\"fromId\":\"d3bfe37c-803a-4215-b587-8c8db14580b6\"},{\"originalName\":\"[TemplateEventIDFoundTableIndependent].EventIDList\",\"mergedName\":\"EventIDList with the in-operator\",\"fromId\":\"d3bfe37c-803a-4215-b587-8c8db14580b6\"},{\"originalName\":\"[TemplateEventIDFoundTableIndependent].EventIDBetween\",\"mergedName\":\"EventIDBetween\",\"fromId\":\"unknown\"},{\"originalName\":\"[TemplateEventIDFoundTableIndependent].MultipleEventID\",\"mergedName\":\"MultipleEventID\",\"fromId\":\"d3bfe37c-803a-4215-b587-8c8db14580b6\"},{\"originalName\":\"[TemplateEventIDFoundTableIndependent].TableUsed\"}]}",
|
|
"size": 0,
|
|
"title": "EventIDs found in the templates of rules",
|
|
"queryType": 7,
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "Table Name",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "Query",
|
|
"formatter": 7,
|
|
"formatOptions": {
|
|
"linkTarget": "CellDetails",
|
|
"linkLabel": "Click to see the full query",
|
|
"linkIsContextBlade": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "EventID with the equals comparison",
|
|
"formatter": 18,
|
|
"formatOptions": {
|
|
"thresholdsOptions": "icons",
|
|
"thresholdsGrid": [
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "NaN",
|
|
"representation": "more",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "Default",
|
|
"thresholdValue": null,
|
|
"representation": "Blank",
|
|
"text": "{0}{1}"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "EventIDList with the in-operator",
|
|
"formatter": 18,
|
|
"formatOptions": {
|
|
"thresholdsOptions": "icons",
|
|
"thresholdsGrid": [
|
|
{
|
|
"operator": "regex",
|
|
"thresholdValue": "^\\s*[[0-9]*[,]]*",
|
|
"representation": "Blank",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "Default",
|
|
"thresholdValue": null,
|
|
"representation": "Blank",
|
|
"text": ""
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "EventIDBetween",
|
|
"formatter": 18,
|
|
"formatOptions": {
|
|
"thresholdsOptions": "icons",
|
|
"thresholdsGrid": [
|
|
{
|
|
"operator": "regex",
|
|
"thresholdValue": "^\\s*[[0-9]*[\\s]*[\\.]{2}[\\s]*[0-9]*",
|
|
"representation": "Blank",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "Default",
|
|
"thresholdValue": null,
|
|
"representation": "Blank",
|
|
"text": ""
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "MultipleEventID",
|
|
"formatter": 18,
|
|
"formatOptions": {
|
|
"thresholdsOptions": "icons",
|
|
"thresholdsGrid": [
|
|
{
|
|
"operator": "regex",
|
|
"thresholdValue": "Multiple .*",
|
|
"representation": "2",
|
|
"text": "Multiple conditions found on EventID. Please review the query."
|
|
},
|
|
{
|
|
"operator": "Default",
|
|
"thresholdValue": null,
|
|
"representation": "Blank",
|
|
"text": ""
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "TableUsed",
|
|
"formatter": 5
|
|
}
|
|
],
|
|
"labelSettings": [
|
|
{
|
|
"columnId": "EventIDList with the in-operator",
|
|
"label": "EventID with the in-operator"
|
|
},
|
|
{
|
|
"columnId": "EventIDBetween",
|
|
"label": "EventID with the between-operator"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"showPin": false,
|
|
"name": "TemplateEventIDs "
|
|
},
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "does not work on between values\r\n\r\ndo not use spaces and one value at a time\r\n\r\nalso this will also match if you search for 233 and the number is 4233, but not sure if I should fix it since this could actually be usefull\r\n\r\nwe could show the in between operator as an option? lets discuss during our call",
|
|
"style": "warning"
|
|
},
|
|
"name": "EventIDText"
|
|
},
|
|
{
|
|
"type": 9,
|
|
"content": {
|
|
"version": "KqlParameterItem/1.0",
|
|
"parameters": [
|
|
{
|
|
"id": "505d8786-c967-489f-8926-02d23c31c9fd",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "SearchEventIDTemplate",
|
|
"label": "Search for eventID ",
|
|
"type": 1,
|
|
"description": "You can search all the templates to see if this EventID appears in the template (one EventID only)",
|
|
"value": "4663",
|
|
"timeContext": {
|
|
"durationMs": 86400000
|
|
}
|
|
}
|
|
],
|
|
"style": "pills",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
"name": "SearchParameter - EventIDTemplates"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "{\"version\":\"ARMEndpoint/1.0\",\"data\":null,\"headers\":[],\"method\":\"GET\",\"path\":\"/subscriptions/{Subscription:id}/resourceGroups/{InternalRG}/providers/Microsoft.OperationalInsights/workspaces/{Workspace:name}/providers/Microsoft.SecurityInsights/alertRuleTemplates\",\"urlParams\":[{\"key\":\"api-version\",\"value\":\"2020-01-01\"}],\"batchDisabled\":false,\"transformers\":[{\"type\":\"jsonpath\",\"settings\":{\"tablePath\":\"$.value\",\"columns\":[{\"path\":\"$.properties.displayName\",\"columnid\":\"RuleName\"},{\"path\":\"$.properties.query\",\"columnid\":\"Query\"},{\"path\":\"$.properties.query\",\"columnid\":\"SearchEventID\",\"columnType\":\"long\",\"substringRegexMatch\":\"[\\\\s\\\\S]*?EventID[\\\\s\\\\S]*?({SearchEventIDTemplate})[\\\\s\\\\S]*\",\"substringReplace\":\"$1\"},{\"path\":\"$.properties.query\",\"columnid\":\"TableUsed\",\"substringRegexMatch\":\"[\\\\s\\\\S]*SecurityEvent[\\\\s\\\\S]*\",\"substringReplace\":\"SecurityEvent\"}]}}]}",
|
|
"size": 0,
|
|
"title": "Search EventID: {SearchEventIDTemplate}",
|
|
"noDataMessage": "No template rules are defined ",
|
|
"exportParameterName": "TestQ",
|
|
"exportToExcelOptions": "all",
|
|
"queryType": 12,
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "RuleName",
|
|
"formatter": 1
|
|
},
|
|
{
|
|
"columnMatch": "Description",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "Enabled",
|
|
"formatter": 18,
|
|
"formatOptions": {
|
|
"thresholdsOptions": "icons",
|
|
"thresholdsGrid": [
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "true",
|
|
"representation": "success",
|
|
"text": "Enabled"
|
|
},
|
|
{
|
|
"operator": "Default",
|
|
"thresholdValue": null,
|
|
"representation": "disabled",
|
|
"text": "Disabled"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Tactics",
|
|
"formatter": 5,
|
|
"formatOptions": {
|
|
"customColumnWidthSetting": "0ch"
|
|
}
|
|
}
|
|
],
|
|
"rowLimit": 512
|
|
},
|
|
"sortBy": [],
|
|
"graphSettings": {
|
|
"type": 0
|
|
},
|
|
"mapSettings": {
|
|
"locInfo": "LatLong"
|
|
}
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "0",
|
|
"comparison": "isEqualTo",
|
|
"value": "0"
|
|
},
|
|
"name": "SearchEventIDTemplate"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "{\"version\":\"Merge/1.0\",\"merges\":[{\"id\":\"d3bfe37c-803a-4215-b587-8c8db14580b6\",\"mergeType\":\"innerunique\",\"leftTable\":\"CreationOfTableName\",\"rightTable\":\"SearchEventIDTemplate\",\"leftColumn\":\"NameOfTable\",\"rightColumn\":\"TableUsed\"}],\"projectRename\":[{\"originalName\":\"[SearchEventIDTemplate].RuleName\",\"mergedName\":\"RuleName\",\"fromId\":\"d3bfe37c-803a-4215-b587-8c8db14580b6\"},{\"originalName\":\"[SearchEventIDTemplate].Query\",\"mergedName\":\"Query\",\"fromId\":\"d3bfe37c-803a-4215-b587-8c8db14580b6\"},{\"originalName\":\"[SearchEventIDTemplate].SearchEventID\",\"mergedName\":\"SearchEventID\",\"fromId\":\"d3bfe37c-803a-4215-b587-8c8db14580b6\"},{\"originalName\":\"[SearchEventIDTemplate].TableUsed\",\"mergedName\":\"TableUsed\",\"fromId\":\"d3bfe37c-803a-4215-b587-8c8db14580b6\"},{\"originalName\":\"[CreationOfTableName].NameOfTable\"}]}",
|
|
"size": 0,
|
|
"title": "EventID {SearchEventIDTemplate} found in the templates",
|
|
"queryType": 7,
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "Query",
|
|
"formatter": 7,
|
|
"formatOptions": {
|
|
"linkTarget": "CellDetails",
|
|
"linkLabel": "Click to see the full query",
|
|
"linkIsContextBlade": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "SearchEventID",
|
|
"formatter": 18,
|
|
"formatOptions": {
|
|
"thresholdsOptions": "icons",
|
|
"thresholdsGrid": [
|
|
{
|
|
"operator": "is Empty",
|
|
"representation": "failed",
|
|
"text": "Not found"
|
|
},
|
|
{
|
|
"operator": "Default",
|
|
"thresholdValue": null,
|
|
"representation": "success",
|
|
"text": "Found {0}{1}"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "TableUsed",
|
|
"formatter": 5
|
|
}
|
|
],
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "$gen_thresholds_SearchEventID_2",
|
|
"sortOrder": 2
|
|
}
|
|
],
|
|
"labelSettings": [
|
|
{
|
|
"columnId": "RuleName",
|
|
"label": "Rule Name"
|
|
},
|
|
{
|
|
"columnId": "SearchEventID",
|
|
"label": "Found the EventID"
|
|
}
|
|
]
|
|
},
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "$gen_thresholds_SearchEventID_2",
|
|
"sortOrder": 2
|
|
}
|
|
]
|
|
},
|
|
"name": "FoundEventIDTemplate"
|
|
}
|
|
]
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "TableName",
|
|
"comparison": "isEqualTo",
|
|
"value": "SecurityEvent"
|
|
},
|
|
"name": "EventID - Template",
|
|
"styleSettings": {
|
|
"showBorder": true
|
|
}
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "{\"version\":\"ARMEndpoint/1.0\",\"data\":null,\"headers\":[],\"method\":\"GET\",\"path\":\"/subscriptions/{Subscription:id}/resourceGroups/{InternalRG}/providers/Microsoft.OperationalInsights/workspaces/{Workspace:name}/providers/Microsoft.SecurityInsights/alertRules\",\"urlParams\":[{\"key\":\"api-version\",\"value\":\"2021-10-01-preview\"}],\"batchDisabled\":false,\"transformers\":[{\"type\":\"jsonpath\",\"settings\":{\"tablePath\":\"$.value\",\"columns\":[{\"path\":\"$.properties.displayName\",\"columnid\":\"Name\"},{\"path\":\"$.properties.lastModifiedUtc\",\"columnid\":\"LastModified\"},{\"path\":\"$.properties.alertRuleTemplateName\",\"columnid\":\"TemplateId\"}]}}]}",
|
|
"size": 0,
|
|
"title": "All enabled/disabled analytics",
|
|
"queryType": 12,
|
|
"gridSettings": {
|
|
"rowLimit": 512
|
|
}
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "0",
|
|
"comparison": "isEqualTo",
|
|
"value": "0"
|
|
},
|
|
"showPin": false,
|
|
"name": "All analytics enabled/disabled"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "{\"version\":\"Merge/1.0\",\"merges\":[{\"id\":\"ba59820e-a7dc-4134-adc5-d3279e9371b2\",\"mergeType\":\"innerunique\",\"leftTable\":\"CreationOfTableName\",\"rightTable\":\"All Analytic rules templates\",\"leftColumn\":\"NameOfTable\",\"rightColumn\":\"TableUsed\"}],\"projectRename\":[{\"originalName\":\"[CreationOfTableName].NameOfTable\",\"mergedName\":\"Table Name\",\"fromId\":\"ba59820e-a7dc-4134-adc5-d3279e9371b2\"},{\"originalName\":\"[All Analytic rules templates].RuleName\",\"mergedName\":\"Rule name\",\"fromId\":\"ba59820e-a7dc-4134-adc5-d3279e9371b2\"},{\"originalName\":\"[All Analytic rules templates].Description\",\"mergedName\":\"Description\",\"fromId\":\"ba59820e-a7dc-4134-adc5-d3279e9371b2\"},{\"originalName\":\"[All Analytic rules templates].Status\",\"mergedName\":\"Installed?\",\"fromId\":\"unknown\"},{\"originalName\":\"[All Analytic rules templates].Query\",\"mergedName\":\"Query\",\"fromId\":\"ba59820e-a7dc-4134-adc5-d3279e9371b2\"},{\"originalName\":\"[All Analytic rules templates].Tactics\",\"mergedName\":\"Tactics\",\"fromId\":\"ba59820e-a7dc-4134-adc5-d3279e9371b2\"},{\"originalName\":\"[All Analytic rules templates].Severity\",\"mergedName\":\"Severity\",\"fromId\":\"ba59820e-a7dc-4134-adc5-d3279e9371b2\"},{\"originalName\":\"[All Analytic rules templates].QueryPeriod\",\"mergedName\":\"Query Period\",\"fromId\":\"ba59820e-a7dc-4134-adc5-d3279e9371b2\"},{\"originalName\":\"[All Analytic rules templates].QueryFrequency\",\"mergedName\":\"Query Frequency\",\"fromId\":\"ba59820e-a7dc-4134-adc5-d3279e9371b2\"},{\"originalName\":\"[All Analytic rules templates].Version\",\"mergedName\":\"Version\",\"fromId\":\"unknown\"},{\"originalName\":\"[All Analytic rules templates].LastModifiedOn\",\"mergedName\":\"LastModifiedOn\",\"fromId\":\"unknown\"},{\"originalName\":\"[All Analytic rules templates].TemplateId\",\"mergedName\":\"TemplateId\",\"fromId\":\"unknown\"},{\"originalName\":\"[All Analytic rules templates].AnalyticKind\",\"mergedName\":\"AnalyticKind\",\"fromId\":\"unknown\"},{\"originalName\":\"[All Analytic rules templates].TableUsed\"}]}",
|
|
"size": 0,
|
|
"title": "All the template rules that use {TableName} table",
|
|
"noDataMessage": "Currently there are no templates which use this table",
|
|
"queryType": 7,
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "Table Name",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "Installed?",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "Query",
|
|
"formatter": 7,
|
|
"formatOptions": {
|
|
"linkTarget": "GenericDetails",
|
|
"linkLabel": "Click to open query and view additional information",
|
|
"linkIsContextBlade": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Tactics",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "Severity",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "Query Period",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "Query Frequency",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "Version",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "LastModifiedOn",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "AnalyticKind",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "NameOfTable",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "Table Name ",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "Enabled",
|
|
"formatter": 18,
|
|
"formatOptions": {
|
|
"thresholdsOptions": "icons",
|
|
"thresholdsGrid": [
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "true",
|
|
"representation": "success",
|
|
"text": "Enabled"
|
|
},
|
|
{
|
|
"operator": "Default",
|
|
"thresholdValue": null,
|
|
"representation": "disabled",
|
|
"text": "Disabled"
|
|
}
|
|
]
|
|
}
|
|
}
|
|
],
|
|
"filter": true,
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "Rule name",
|
|
"sortOrder": 2
|
|
}
|
|
]
|
|
},
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "Rule name",
|
|
"sortOrder": 2
|
|
}
|
|
]
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "0",
|
|
"comparison": "isEqualTo",
|
|
"value": "0"
|
|
},
|
|
"name": "TemplateRulesWithTable",
|
|
"styleSettings": {
|
|
"showBorder": true
|
|
}
|
|
},
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "The following section compares your analytics against their templates and it will tell you whether you should check your analytic for updates based on the last time your analytic was edited versus the last modified time of the template.\r\nSelect TemplateID on the dropdown to compare analytics against templates based on ID (relevant if you created your analytics directly from the Create button on the templates). You can select Name if you created them from scratch but used the same name from the template.",
|
|
"style": "info"
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "selectedTab",
|
|
"comparison": "isEqualTo",
|
|
"value": "analytics"
|
|
},
|
|
"name": "text - 13"
|
|
},
|
|
{
|
|
"type": 9,
|
|
"content": {
|
|
"version": "KqlParameterItem/1.0",
|
|
"parameters": [
|
|
{
|
|
"id": "81f2fdb6-1261-405d-96f5-b52c839570d5",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "compare",
|
|
"label": "Compare",
|
|
"type": 10,
|
|
"description": "Compares your analytics against the templates based on the template ID",
|
|
"isRequired": true,
|
|
"typeSettings": {
|
|
"additionalResourceOptions": [],
|
|
"showDefault": false
|
|
},
|
|
"jsonData": "[{ \"value\": \"templateid\", \"label\": \"Template ID\", \"selected\": \"templateid\"},\r\n {\"value\": \"name\", \"label\": \"Name\", \"selected\": \"name\" }]",
|
|
"timeContext": {
|
|
"durationMs": 86400000
|
|
}
|
|
}
|
|
],
|
|
"style": "pills",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
"name": "parameters - 10"
|
|
},
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "Below you will find all analytics created from templates. Use the Updates column to see if the template has been updated since you lasted edited your analytic.",
|
|
"style": "info"
|
|
},
|
|
"conditionalVisibilities": [
|
|
{
|
|
"parameterName": "selectedTab",
|
|
"comparison": "isEqualTo",
|
|
"value": "analytics"
|
|
},
|
|
{
|
|
"parameterName": "Help",
|
|
"comparison": "isEqualTo",
|
|
"value": "Yes"
|
|
}
|
|
],
|
|
"name": "Help - Copy"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "{\"version\":\"Merge/1.0\",\"merges\":[{\"id\":\"cba4a009-fcf5-4b79-92a7-9002e37ee0a8\",\"mergeType\":\"innerunique\",\"leftTable\":\"TemplateRulesWithTable\",\"rightTable\":\"All analytics enabled/disabled\",\"leftColumn\":\"TemplateId\",\"rightColumn\":\"TemplateId\"}],\"projectRename\":[{\"originalName\":\"[TemplateRulesWithTable].Rule name\",\"mergedName\":\"Name\",\"fromId\":\"cba4a009-fcf5-4b79-92a7-9002e37ee0a8\"},{\"originalName\":\"[Added column]\",\"mergedName\":\"Updates\",\"fromId\":null,\"isNewItem\":true,\"newItemData\":[{\"criteriaContext\":{\"leftOperand\":\"AnalyticLastModified\",\"operator\":\">\",\"rightValType\":\"column\",\"rightVal\":\"TemplateLastModifiedOn\",\"resultValType\":\"static\",\"resultVal\":\"Up to date\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"column\",\"resultValType\":\"static\",\"resultVal\":\"Check for updates!\"}}]},{\"originalName\":\"[All analytics enabled/disabled].LastModified\",\"mergedName\":\"AnalyticLastModified\",\"fromId\":\"cba4a009-fcf5-4b79-92a7-9002e37ee0a8\"},{\"originalName\":\"[TemplateRulesWithTable].LastModifiedOn\",\"mergedName\":\"TemplateLastModifiedOn\",\"fromId\":\"cba4a009-fcf5-4b79-92a7-9002e37ee0a8\"},{\"originalName\":\"[TemplateRulesWithTable].Table Name\",\"mergedName\":\"Table Name\",\"fromId\":\"cba4a009-fcf5-4b79-92a7-9002e37ee0a8\"},{\"originalName\":\"[TemplateRulesWithTable].Description\",\"mergedName\":\"Description\",\"fromId\":\"cba4a009-fcf5-4b79-92a7-9002e37ee0a8\"},{\"originalName\":\"[TemplateRulesWithTable].Query\",\"mergedName\":\"Query\",\"fromId\":\"cba4a009-fcf5-4b79-92a7-9002e37ee0a8\"},{\"originalName\":\"[TemplateRulesWithTable].Tactics\",\"mergedName\":\"Tactics\",\"fromId\":\"cba4a009-fcf5-4b79-92a7-9002e37ee0a8\"},{\"originalName\":\"[TemplateRulesWithTable].Severity\",\"mergedName\":\"Severity\",\"fromId\":\"cba4a009-fcf5-4b79-92a7-9002e37ee0a8\"},{\"originalName\":\"[TemplateRulesWithTable].Query Period\",\"mergedName\":\"Query Period\",\"fromId\":\"cba4a009-fcf5-4b79-92a7-9002e37ee0a8\"},{\"originalName\":\"[TemplateRulesWithTable].Query Frequency\",\"mergedName\":\"Query Frequency\",\"fromId\":\"cba4a009-fcf5-4b79-92a7-9002e37ee0a8\"},{\"originalName\":\"[TemplateRulesWithTable].Version\",\"mergedName\":\"Version\",\"fromId\":\"cba4a009-fcf5-4b79-92a7-9002e37ee0a8\"},{\"originalName\":\"[TemplateRulesWithTable].TemplateId\",\"mergedName\":\"TemplateId\",\"fromId\":\"cba4a009-fcf5-4b79-92a7-9002e37ee0a8\"},{\"originalName\":\"[All analytics enabled/disabled].TemplateId\",\"mergedName\":\"TemplateId1\",\"fromId\":\"cba4a009-fcf5-4b79-92a7-9002e37ee0a8\"},{\"originalName\":\"[TemplateRulesWithTable].AnalyticKind\"},{\"originalName\":\"[TemplateRulesWithTable].Installed?\"},{\"originalName\":\"[All analytics enabled/disabled].Name\"}]}",
|
|
"size": 1,
|
|
"title": "Analytics created from templates that use {TableName} - Comparison based on analytic name",
|
|
"showExportToExcel": true,
|
|
"queryType": 7,
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "Updates",
|
|
"formatter": 18,
|
|
"formatOptions": {
|
|
"thresholdsOptions": "icons",
|
|
"thresholdsGrid": [
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "Check for updates!",
|
|
"representation": "warning",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "contains",
|
|
"thresholdValue": "action",
|
|
"representation": "success",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "Default",
|
|
"thresholdValue": null,
|
|
"representation": "success",
|
|
"text": "{0}{1}"
|
|
}
|
|
]
|
|
},
|
|
"numberFormat": {
|
|
"unit": 0,
|
|
"options": {
|
|
"style": "decimal"
|
|
}
|
|
},
|
|
"tooltipFormat": {}
|
|
},
|
|
{
|
|
"columnMatch": "AnalyticLastModified",
|
|
"formatter": 6,
|
|
"dateFormat": {
|
|
"formatName": "shortDatePattern"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "TemplateLastModifiedOn",
|
|
"formatter": 6,
|
|
"dateFormat": {
|
|
"formatName": "shortDatePattern"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Table Name",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "Description",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "Query",
|
|
"formatter": 7,
|
|
"formatOptions": {
|
|
"linkTarget": "GenericDetails",
|
|
"linkLabel": "Click to view the query and additional details",
|
|
"linkIsContextBlade": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Tactics",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "Severity",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "Query Period",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "Query Frequency",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "Version",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "TemplateId",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "TemplateId1",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "Added column1",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "Rule name",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "Installed?",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "Description1",
|
|
"formatter": 5
|
|
}
|
|
],
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "Name",
|
|
"sortOrder": 1
|
|
}
|
|
]
|
|
},
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "Name",
|
|
"sortOrder": 1
|
|
}
|
|
]
|
|
},
|
|
"conditionalVisibilities": [
|
|
{
|
|
"parameterName": "selectedTab",
|
|
"comparison": "isEqualTo",
|
|
"value": "analytics"
|
|
},
|
|
{
|
|
"parameterName": "compare",
|
|
"comparison": "isEqualTo",
|
|
"value": "name"
|
|
}
|
|
],
|
|
"name": "Analytics containing tables created from templates - analytic name"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "{\"version\":\"Merge/1.0\",\"merges\":[{\"id\":\"cba4a009-fcf5-4b79-92a7-9002e37ee0a8\",\"mergeType\":\"innerunique\",\"leftTable\":\"TemplateRulesWithTable\",\"rightTable\":\"All analytics enabled/disabled\",\"leftColumn\":\"Rule name\",\"rightColumn\":\"Name\"}],\"projectRename\":[{\"originalName\":\"[All analytics enabled/disabled].Name\",\"mergedName\":\"Name\",\"fromId\":\"cba4a009-fcf5-4b79-92a7-9002e37ee0a8\"},{\"originalName\":\"[Added column]\",\"mergedName\":\"Updates\",\"fromId\":null,\"isNewItem\":true,\"newItemData\":[{\"criteriaContext\":{\"leftOperand\":\"AnalyticLastModified\",\"operator\":\">\",\"rightValType\":\"column\",\"rightVal\":\"TemplateLastModifiedOn\",\"resultValType\":\"static\",\"resultVal\":\"Up to date\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"column\",\"resultValType\":\"static\",\"resultVal\":\"Check for updates!\"}}]},{\"originalName\":\"[All analytics enabled/disabled].LastModified\",\"mergedName\":\"AnalyticLastModified\",\"fromId\":\"cba4a009-fcf5-4b79-92a7-9002e37ee0a8\"},{\"originalName\":\"[TemplateRulesWithTable].LastModifiedOn\",\"mergedName\":\"TemplateLastModifiedOn\",\"fromId\":\"cba4a009-fcf5-4b79-92a7-9002e37ee0a8\"},{\"originalName\":\"[TemplateRulesWithTable].Version\",\"mergedName\":\"Version\",\"fromId\":\"cba4a009-fcf5-4b79-92a7-9002e37ee0a8\"},{\"originalName\":\"[All analytics enabled/disabled].TemplateId\",\"mergedName\":\"TemplateId\",\"fromId\":\"cba4a009-fcf5-4b79-92a7-9002e37ee0a8\"},{\"originalName\":\"[TemplateRulesWithTable].Query\",\"mergedName\":\"Query\",\"fromId\":\"cba4a009-fcf5-4b79-92a7-9002e37ee0a8\"},{\"originalName\":\"[TemplateRulesWithTable].Table Name\",\"mergedName\":\"Table Name\",\"fromId\":\"cba4a009-fcf5-4b79-92a7-9002e37ee0a8\"},{\"originalName\":\"[TemplateRulesWithTable].Rule name\",\"mergedName\":\"Rule name\",\"fromId\":\"cba4a009-fcf5-4b79-92a7-9002e37ee0a8\"},{\"originalName\":\"[TemplateRulesWithTable].Description\",\"mergedName\":\"Description\",\"fromId\":\"cba4a009-fcf5-4b79-92a7-9002e37ee0a8\"},{\"originalName\":\"[TemplateRulesWithTable].Installed?\",\"mergedName\":\"Installed?\",\"fromId\":\"cba4a009-fcf5-4b79-92a7-9002e37ee0a8\"},{\"originalName\":\"[TemplateRulesWithTable].Tactics\",\"mergedName\":\"Tactics\",\"fromId\":\"cba4a009-fcf5-4b79-92a7-9002e37ee0a8\"},{\"originalName\":\"[TemplateRulesWithTable].Severity\",\"mergedName\":\"Severity\",\"fromId\":\"cba4a009-fcf5-4b79-92a7-9002e37ee0a8\"},{\"originalName\":\"[TemplateRulesWithTable].Query Period\",\"mergedName\":\"Query Period\",\"fromId\":\"cba4a009-fcf5-4b79-92a7-9002e37ee0a8\"},{\"originalName\":\"[TemplateRulesWithTable].Query Frequency\",\"mergedName\":\"Query Frequency\",\"fromId\":\"cba4a009-fcf5-4b79-92a7-9002e37ee0a8\"},{\"originalName\":\"[TemplateRulesWithTable].TemplateId\",\"mergedName\":\"TemplateId\",\"fromId\":\"cba4a009-fcf5-4b79-92a7-9002e37ee0a8\"},{\"originalName\":\"[Added column]\",\"mergedName\":\"Added column1\",\"fromId\":null,\"isNewItem\":true,\"newItemData\":[{\"criteriaContext\":{\"leftOperand\":\"AnalyticKind\",\"operator\":\"notContains\",\"rightValType\":\"static\",\"rightVal\":\"Scheduled\",\"resultValType\":\"static\",\"resultVal\":\"No action required\"}},{\"criteriaContext\":{\"leftOperand\":\"AnalyticLastModified\",\"operator\":\">\",\"rightValType\":\"column\",\"rightVal\":\"TemplateLastModifiedOn\",\"resultValType\":\"static\",\"resultVal\":\"Up to date\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"column\",\"resultValType\":\"static\",\"resultVal\":\"Check for updates!\"}}]},{\"originalName\":\"[All analytics enabled/disabled].TemplateId2\",\"mergedName\":\"TemplateId2\",\"fromId\":\"unknown\"},{\"originalName\":\"[TemplateRulesWithTable].AnalyticKind\"}]}",
|
|
"size": 1,
|
|
"title": "Analytics created from templates that use {TableName} - Comparison based on template ID",
|
|
"showExportToExcel": true,
|
|
"queryType": 7,
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "Updates",
|
|
"formatter": 18,
|
|
"formatOptions": {
|
|
"thresholdsOptions": "icons",
|
|
"thresholdsGrid": [
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "Check for updates!",
|
|
"representation": "warning",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "contains",
|
|
"thresholdValue": "action",
|
|
"representation": "success",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "Default",
|
|
"thresholdValue": null,
|
|
"representation": "success",
|
|
"text": "{0}{1}"
|
|
}
|
|
]
|
|
},
|
|
"numberFormat": {
|
|
"unit": 0,
|
|
"options": {
|
|
"style": "decimal"
|
|
}
|
|
},
|
|
"tooltipFormat": {}
|
|
},
|
|
{
|
|
"columnMatch": "AnalyticLastModified",
|
|
"formatter": 6,
|
|
"dateFormat": {
|
|
"formatName": "shortDatePattern"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "TemplateLastModifiedOn",
|
|
"formatter": 6,
|
|
"dateFormat": {
|
|
"formatName": "shortDatePattern"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Version",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "TemplateId",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "Query",
|
|
"formatter": 7,
|
|
"formatOptions": {
|
|
"linkTarget": "GenericDetails",
|
|
"linkLabel": "Click to view the query and additional details",
|
|
"linkIsContextBlade": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Table Name",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "Rule name",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "Description",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "Installed?",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "Tactics",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "Severity",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "Query Period",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "Query Frequency",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "Added column1",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "Description1",
|
|
"formatter": 5
|
|
}
|
|
],
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "Name",
|
|
"sortOrder": 1
|
|
}
|
|
]
|
|
},
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "Name",
|
|
"sortOrder": 1
|
|
}
|
|
]
|
|
},
|
|
"conditionalVisibilities": [
|
|
{
|
|
"parameterName": "selectedTab",
|
|
"comparison": "isEqualTo",
|
|
"value": "analytics"
|
|
},
|
|
{
|
|
"parameterName": "compare",
|
|
"comparison": "isEqualTo",
|
|
"value": "templateid"
|
|
}
|
|
],
|
|
"name": "Analytics containing tables created from templates TEMPLATEID"
|
|
},
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "This section contains all analytics created from templates. Use the Updates column to check which templates were updated after you last modified your analytic.",
|
|
"style": "info"
|
|
},
|
|
"conditionalVisibilities": [
|
|
{
|
|
"parameterName": "selectedTab",
|
|
"comparison": "isEqualTo",
|
|
"value": "analytics"
|
|
},
|
|
{
|
|
"parameterName": "Help",
|
|
"comparison": "isEqualTo",
|
|
"value": "Yes"
|
|
}
|
|
],
|
|
"name": "text - 10"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "{\"version\":\"Merge/1.0\",\"merges\":[{\"id\":\"95515c63-609e-4fb5-9d73-a73f34d1d1c9\",\"mergeType\":\"innerunique\",\"leftTable\":\"All analytics enabled/disabled\",\"rightTable\":\"All Analytic rules templates\",\"leftColumn\":\"Name\",\"rightColumn\":\"RuleName\"}],\"projectRename\":[{\"originalName\":\"[All analytics enabled/disabled].Name\",\"mergedName\":\"Name\",\"fromId\":\"95515c63-609e-4fb5-9d73-a73f34d1d1c9\"},{\"originalName\":\"[Added column]\",\"mergedName\":\"Updates\",\"fromId\":null,\"isNewItem\":true,\"newItemData\":[{\"criteriaContext\":{\"leftOperand\":\"AnalyticKind\",\"operator\":\"notContains\",\"rightValType\":\"static\",\"rightVal\":\"Scheduled\",\"resultValType\":\"static\",\"resultVal\":\"No action required\"}},{\"criteriaContext\":{\"leftOperand\":\"AnalyticLastModified\",\"operator\":\">\",\"rightValType\":\"column\",\"rightVal\":\"TemplateLastModified\",\"resultValType\":\"static\",\"resultVal\":\"Up to date\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"column\",\"resultValType\":\"static\",\"resultVal\":\"Check for updates!\"}}]},{\"originalName\":\"[All analytics enabled/disabled].LastModified\",\"mergedName\":\"AnalyticLastModified\",\"fromId\":\"95515c63-609e-4fb5-9d73-a73f34d1d1c9\"},{\"originalName\":\"[All Analytic rules templates].LastModifiedOn\",\"mergedName\":\"TemplateLastModified\",\"fromId\":\"95515c63-609e-4fb5-9d73-a73f34d1d1c9\"},{\"originalName\":\"[All Analytic rules templates].Version\",\"mergedName\":\"Version\",\"fromId\":\"95515c63-609e-4fb5-9d73-a73f34d1d1c9\"},{\"originalName\":\"[All Analytic rules templates].RuleName\",\"mergedName\":\"Rule name\",\"fromId\":\"95515c63-609e-4fb5-9d73-a73f34d1d1c9\"},{\"originalName\":\"[All analytics enabled/disabled].TemplateId\",\"mergedName\":\"TemplateId\",\"fromId\":\"95515c63-609e-4fb5-9d73-a73f34d1d1c9\"},{\"originalName\":\"[All Analytic rules templates].Description\",\"mergedName\":\"Description\",\"fromId\":\"95515c63-609e-4fb5-9d73-a73f34d1d1c9\"},{\"originalName\":\"[All Analytic rules templates].Query\",\"mergedName\":\"Query\",\"fromId\":\"95515c63-609e-4fb5-9d73-a73f34d1d1c9\"},{\"originalName\":\"[All Analytic rules templates].Tactics\",\"mergedName\":\"Tactics\",\"fromId\":\"95515c63-609e-4fb5-9d73-a73f34d1d1c9\"},{\"originalName\":\"[All Analytic rules templates].Severity\",\"mergedName\":\"Severity\",\"fromId\":\"95515c63-609e-4fb5-9d73-a73f34d1d1c9\"},{\"originalName\":\"[All Analytic rules templates].QueryPeriod\",\"mergedName\":\"QueryPeriod\",\"fromId\":\"95515c63-609e-4fb5-9d73-a73f34d1d1c9\"},{\"originalName\":\"[All Analytic rules templates].QueryFrequency\",\"mergedName\":\"QueryFrequency\",\"fromId\":\"95515c63-609e-4fb5-9d73-a73f34d1d1c9\"},{\"originalName\":\"[All Analytic rules templates].Status\",\"mergedName\":\"Status\",\"fromId\":\"95515c63-609e-4fb5-9d73-a73f34d1d1c9\"},{\"originalName\":\"[All Analytic rules templates].TableUsed\",\"mergedName\":\"TableUsed\",\"fromId\":\"95515c63-609e-4fb5-9d73-a73f34d1d1c9\"},{\"originalName\":\"[All Analytic rules templates].TemplateId\",\"mergedName\":\"TemplateId1\",\"fromId\":\"95515c63-609e-4fb5-9d73-a73f34d1d1c9\"},{\"originalName\":\"[All analytics enabled/disabled].TemplateId2\",\"mergedName\":\"TemplateId2\",\"fromId\":\"unknown\"},{\"originalName\":\"[All Analytic rules templates].AnalyticKind\",\"mergedName\":\"AnalyticKind\",\"fromId\":\"unknown\"},{\"originalName\":\"[All Analytic rules templates].TableUsed\"},{\"originalName\":\"[All Analytic rules templates].Query\"},{\"originalName\":\"[All Analytic rules templates].Tactics\"},{\"originalName\":\"[All Analytic rules templates].QueryPeriod\"},{\"originalName\":\"[All Analytic rules templates].QueryFrequency\"}]}",
|
|
"size": 0,
|
|
"title": "All analytics created from templates - Comparison based on analytic name",
|
|
"queryType": 7,
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "Name",
|
|
"formatter": 0,
|
|
"numberFormat": {
|
|
"unit": 0,
|
|
"options": {
|
|
"style": "decimal"
|
|
}
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Updates",
|
|
"formatter": 18,
|
|
"formatOptions": {
|
|
"thresholdsOptions": "icons",
|
|
"thresholdsGrid": [
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "Check for updates!",
|
|
"representation": "warning",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "contains",
|
|
"thresholdValue": "action",
|
|
"representation": "success",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "Default",
|
|
"thresholdValue": null,
|
|
"representation": "success",
|
|
"text": "{0}{1}"
|
|
}
|
|
]
|
|
},
|
|
"numberFormat": {
|
|
"unit": 0,
|
|
"options": {
|
|
"style": "decimal"
|
|
}
|
|
},
|
|
"tooltipFormat": {}
|
|
},
|
|
{
|
|
"columnMatch": "LastModified",
|
|
"formatter": 6,
|
|
"dateFormat": {
|
|
"formatName": "shortDatePattern"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Version",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "Rule name",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "TemplateId",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "Description",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "Query",
|
|
"formatter": 7,
|
|
"formatOptions": {
|
|
"linkTarget": "GenericDetails",
|
|
"linkLabel": "Click to view query and additional details",
|
|
"linkIsContextBlade": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Tactics",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "Severity",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "QueryPeriod",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "QueryFrequency",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "Status",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "TableUsed",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "TemplateId1",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "LastModifiedAnalytic",
|
|
"formatter": 6,
|
|
"dateFormat": {
|
|
"showUtcTime": null,
|
|
"formatName": "shortDatePattern"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "LastModifiedTemplate",
|
|
"formatter": 6,
|
|
"dateFormat": {
|
|
"showUtcTime": null,
|
|
"formatName": "shortDatePattern"
|
|
}
|
|
}
|
|
],
|
|
"rowLimit": 512,
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "AnalyticKind",
|
|
"sortOrder": 2
|
|
}
|
|
]
|
|
},
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "AnalyticKind",
|
|
"sortOrder": 2
|
|
}
|
|
]
|
|
},
|
|
"conditionalVisibilities": [
|
|
{
|
|
"parameterName": "selectedTab",
|
|
"comparison": "isEqualTo",
|
|
"value": "analytics"
|
|
},
|
|
{
|
|
"parameterName": "compare",
|
|
"comparison": "isEqualTo",
|
|
"value": "name"
|
|
}
|
|
],
|
|
"name": "Templates status - analytic name"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "{\"version\":\"Merge/1.0\",\"merges\":[{\"id\":\"95515c63-609e-4fb5-9d73-a73f34d1d1c9\",\"mergeType\":\"innerunique\",\"leftTable\":\"All analytics enabled/disabled\",\"rightTable\":\"All Analytic rules templates\",\"leftColumn\":\"TemplateId\",\"rightColumn\":\"TemplateId\"}],\"projectRename\":[{\"originalName\":\"[All analytics enabled/disabled].Name\",\"mergedName\":\"Name\",\"fromId\":\"95515c63-609e-4fb5-9d73-a73f34d1d1c9\"},{\"originalName\":\"[Added column]\",\"mergedName\":\"Updates\",\"fromId\":null,\"isNewItem\":true,\"newItemData\":[{\"criteriaContext\":{\"leftOperand\":\"AnalyticKind\",\"operator\":\"notContains\",\"rightValType\":\"static\",\"rightVal\":\"Scheduled\",\"resultValType\":\"static\",\"resultVal\":\"No action required\"}},{\"criteriaContext\":{\"leftOperand\":\"AnalyticLastModified\",\"operator\":\">\",\"rightValType\":\"column\",\"rightVal\":\"TemplateLastModified\",\"resultValType\":\"static\",\"resultVal\":\"Up to date\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"column\",\"resultValType\":\"static\",\"resultVal\":\"Check for updates!\"}}]},{\"originalName\":\"[All analytics enabled/disabled].LastModified\",\"mergedName\":\"AnalyticLastModified\",\"fromId\":\"95515c63-609e-4fb5-9d73-a73f34d1d1c9\"},{\"originalName\":\"[All Analytic rules templates].LastModifiedOn\",\"mergedName\":\"TemplateLastModified\",\"fromId\":\"95515c63-609e-4fb5-9d73-a73f34d1d1c9\"},{\"originalName\":\"[All analytics enabled/disabled].TemplateId2\",\"mergedName\":\"TemplateId2\",\"fromId\":\"unknown\"},{\"originalName\":\"[All analytics enabled/disabled].TemplateId\",\"mergedName\":\"TemplateId\",\"fromId\":\"95515c63-609e-4fb5-9d73-a73f34d1d1c9\"},{\"originalName\":\"[All Analytic rules templates].RuleName\",\"mergedName\":\"Rule name\",\"fromId\":\"95515c63-609e-4fb5-9d73-a73f34d1d1c9\"},{\"originalName\":\"[All Analytic rules templates].Description\",\"mergedName\":\"Description\",\"fromId\":\"95515c63-609e-4fb5-9d73-a73f34d1d1c9\"},{\"originalName\":\"[All Analytic rules templates].Query\",\"mergedName\":\"Query\",\"fromId\":\"95515c63-609e-4fb5-9d73-a73f34d1d1c9\"},{\"originalName\":\"[All Analytic rules templates].Tactics\",\"mergedName\":\"Tactics\",\"fromId\":\"95515c63-609e-4fb5-9d73-a73f34d1d1c9\"},{\"originalName\":\"[All Analytic rules templates].Severity\",\"mergedName\":\"Severity\",\"fromId\":\"95515c63-609e-4fb5-9d73-a73f34d1d1c9\"},{\"originalName\":\"[All Analytic rules templates].QueryPeriod\",\"mergedName\":\"QueryPeriod\",\"fromId\":\"95515c63-609e-4fb5-9d73-a73f34d1d1c9\"},{\"originalName\":\"[All Analytic rules templates].QueryFrequency\",\"mergedName\":\"QueryFrequency\",\"fromId\":\"95515c63-609e-4fb5-9d73-a73f34d1d1c9\"},{\"originalName\":\"[All Analytic rules templates].Status\",\"mergedName\":\"Status\",\"fromId\":\"95515c63-609e-4fb5-9d73-a73f34d1d1c9\"},{\"originalName\":\"[All Analytic rules templates].TableUsed\",\"mergedName\":\"TableUsed\",\"fromId\":\"95515c63-609e-4fb5-9d73-a73f34d1d1c9\"},{\"originalName\":\"[All Analytic rules templates].Version\",\"mergedName\":\"Version\",\"fromId\":\"95515c63-609e-4fb5-9d73-a73f34d1d1c9\"},{\"originalName\":\"[All Analytic rules templates].TemplateId\",\"mergedName\":\"TemplateId1\",\"fromId\":\"95515c63-609e-4fb5-9d73-a73f34d1d1c9\"},{\"originalName\":\"[All Analytic rules templates].AnalyticKind\",\"mergedName\":\"AnalyticKind\",\"fromId\":\"unknown\"},{\"originalName\":\"[All Analytic rules templates].TableUsed\"},{\"originalName\":\"[All Analytic rules templates].Query\"},{\"originalName\":\"[All Analytic rules templates].Tactics\"},{\"originalName\":\"[All Analytic rules templates].QueryPeriod\"},{\"originalName\":\"[All Analytic rules templates].QueryFrequency\"}]}",
|
|
"size": 0,
|
|
"title": "All analytics created from templates - Comparison based on template ID",
|
|
"queryType": 7,
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "Name",
|
|
"formatter": 0,
|
|
"numberFormat": {
|
|
"unit": 0,
|
|
"options": {
|
|
"style": "decimal"
|
|
}
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Updates",
|
|
"formatter": 18,
|
|
"formatOptions": {
|
|
"thresholdsOptions": "icons",
|
|
"thresholdsGrid": [
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "Check for updates!",
|
|
"representation": "warning",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "contains",
|
|
"thresholdValue": "action",
|
|
"representation": "success",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "Default",
|
|
"thresholdValue": null,
|
|
"representation": "success",
|
|
"text": "{0}{1}"
|
|
}
|
|
]
|
|
},
|
|
"numberFormat": {
|
|
"unit": 0,
|
|
"options": {
|
|
"style": "decimal"
|
|
}
|
|
},
|
|
"tooltipFormat": {}
|
|
},
|
|
{
|
|
"columnMatch": "LastModified",
|
|
"formatter": 6,
|
|
"dateFormat": {
|
|
"showUtcTime": null,
|
|
"formatName": "shortDatePattern"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "TemplateId",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "Rule name",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "Description",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "Query",
|
|
"formatter": 7,
|
|
"formatOptions": {
|
|
"linkTarget": "GenericDetails",
|
|
"linkLabel": "Click to view query and additional details",
|
|
"linkIsContextBlade": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Tactics",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "Severity",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "QueryPeriod",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "QueryFrequency",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "Status",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "TableUsed",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "Version",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "TemplateId1",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "LastModifiedAnalytic",
|
|
"formatter": 6,
|
|
"dateFormat": {
|
|
"showUtcTime": null,
|
|
"formatName": "shortDatePattern"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "LastModifiedTemplate",
|
|
"formatter": 6,
|
|
"dateFormat": {
|
|
"showUtcTime": null,
|
|
"formatName": "shortDatePattern"
|
|
}
|
|
}
|
|
],
|
|
"rowLimit": 512,
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "AnalyticKind",
|
|
"sortOrder": 2
|
|
}
|
|
]
|
|
},
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "AnalyticKind",
|
|
"sortOrder": 2
|
|
}
|
|
]
|
|
},
|
|
"conditionalVisibilities": [
|
|
{
|
|
"parameterName": "selectedTab",
|
|
"comparison": "isEqualTo",
|
|
"value": "analytics"
|
|
},
|
|
{
|
|
"parameterName": "compare",
|
|
"comparison": "isEqualTo",
|
|
"value": "templateid"
|
|
}
|
|
],
|
|
"name": "Templates status - templateid"
|
|
}
|
|
]
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "selectedTab",
|
|
"comparison": "isEqualTo",
|
|
"value": "analytics"
|
|
},
|
|
"name": "Templates"
|
|
},
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"title": "Information about saved searches for {TableName} table",
|
|
"items": [
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "{\"version\":\"ARMEndpoint/1.0\",\"data\":null,\"headers\":[],\"method\":\"GET\",\"path\":\"/subscriptions/{Subscription:id}/resourceGroups/{InternalRG}/providers/Microsoft.OperationalInsights/workspaces/{Workspace:name}/savedSearches\",\"urlParams\":[{\"key\":\"api-version\",\"value\":\"2020-08-01\"}],\"batchDisabled\":false,\"transformers\":[{\"type\":\"jsonpath\",\"settings\":{\"tablePath\":\"$.value\",\"columns\":[{\"path\":\"$.properties.displayName\",\"columnid\":\"DisplayName\"},{\"path\":\"$.properties.category\",\"columnid\":\"Category\"},{\"path\":\"$.properties.functionAlias\",\"columnid\":\"FunctionAlias\"},{\"path\":\"$.properties.query\",\"columnid\":\"Query\"},{\"path\":\"$.properties.query\",\"columnid\":\"TableUsed\",\"columnType\":\"string\",\"substringRegexMatch\":\"([\\\\s\\\\S]*){TableName}([\\\\s\\\\S]*)\",\"substringReplace\":\"{TableName}\"}]}}]}",
|
|
"size": 0,
|
|
"title": "All Saved searches",
|
|
"noDataMessage": "No analytic rules are defined ",
|
|
"exportToExcelOptions": "all",
|
|
"queryType": 12,
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "Enabled",
|
|
"formatter": 18,
|
|
"formatOptions": {
|
|
"thresholdsOptions": "icons",
|
|
"thresholdsGrid": [
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "true",
|
|
"representation": "success",
|
|
"text": "Enabled"
|
|
},
|
|
{
|
|
"operator": "Default",
|
|
"thresholdValue": null,
|
|
"representation": "disabled",
|
|
"text": "Disabled"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Tactics",
|
|
"formatter": 5,
|
|
"formatOptions": {
|
|
"customColumnWidthSetting": "0ch"
|
|
}
|
|
}
|
|
],
|
|
"rowLimit": 512,
|
|
"labelSettings": [
|
|
{
|
|
"columnId": "DisplayName",
|
|
"label": "Display Name"
|
|
},
|
|
{
|
|
"columnId": "FunctionAlias",
|
|
"label": "Function Alias"
|
|
}
|
|
]
|
|
},
|
|
"sortBy": [],
|
|
"graphSettings": {
|
|
"type": 0
|
|
},
|
|
"mapSettings": {
|
|
"locInfo": "LatLong"
|
|
}
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "0",
|
|
"comparison": "isEqualTo",
|
|
"value": "0"
|
|
},
|
|
"name": "All Saved searches"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "{\"version\":\"Merge/1.0\",\"merges\":[{\"id\":\"ba59820e-a7dc-4134-adc5-d3279e9371b2\",\"mergeType\":\"innerunique\",\"leftTable\":\"CreationOfTableName\",\"rightTable\":\"All Saved searches\",\"leftColumn\":\"NameOfTable\",\"rightColumn\":\"TableUsed\"}],\"projectRename\":[{\"originalName\":\"[CreationOfTableName].NameOfTable\",\"mergedName\":\"Name Of Table\",\"fromId\":\"ba59820e-a7dc-4134-adc5-d3279e9371b2\"},{\"originalName\":\"[All Saved searches].DisplayName\",\"mergedName\":\"Display Name\",\"fromId\":\"ba59820e-a7dc-4134-adc5-d3279e9371b2\"},{\"originalName\":\"[All Saved searches].Category\",\"mergedName\":\"Category\",\"fromId\":\"ba59820e-a7dc-4134-adc5-d3279e9371b2\"},{\"originalName\":\"[All Saved searches].FunctionAlias\",\"mergedName\":\"Function Alias\",\"fromId\":\"ba59820e-a7dc-4134-adc5-d3279e9371b2\"},{\"originalName\":\"[All Saved searches].Query\",\"mergedName\":\"Query\",\"fromId\":\"ba59820e-a7dc-4134-adc5-d3279e9371b2\"},{\"originalName\":\"[All Saved searches].TableUsed\"}]}",
|
|
"size": 0,
|
|
"title": "All the saved searches that use {TableName} table",
|
|
"noDataMessage": "Currently there are no saved searches which use this table",
|
|
"queryType": 7,
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "Query",
|
|
"formatter": 7,
|
|
"formatOptions": {
|
|
"linkTarget": "GenericDetails",
|
|
"linkLabel": "Click to open query and view additional information",
|
|
"linkIsContextBlade": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "TableUsed",
|
|
"formatter": 5
|
|
}
|
|
],
|
|
"filter": true
|
|
},
|
|
"sortBy": []
|
|
},
|
|
"name": "SavedSearchesWithTable",
|
|
"styleSettings": {
|
|
"showBorder": true
|
|
}
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "{\"version\":\"ARMEndpoint/1.0\",\"data\":null,\"headers\":[],\"method\":\"GET\",\"path\":\"/subscriptions/{Subscription:id}/resourceGroups/{InternalRG}/providers/Microsoft.OperationalInsights/workspaces/{Workspace:name}/providers/Microsoft.SecurityInsights/bookmarks\",\"urlParams\":[{\"key\":\"api-version\",\"value\":\"2020-01-01\"}],\"batchDisabled\":false,\"transformers\":[{\"type\":\"jsonpath\",\"settings\":{\"tablePath\":\"$.value\",\"columns\":[{\"path\":\"$.properties.displayName\",\"columnid\":\"DisplayName\"},{\"path\":\"$.properties.incidentInfo.title\",\"columnid\":\"Incident\"},{\"path\":\"$.properties.notes\",\"columnid\":\"Notes\"},{\"path\":\"$.properties.query\",\"columnid\":\"Query\"},{\"path\":\"$.properties.updatedBy\",\"columnid\":\"Updated\"},{\"path\":\"$.properties.labels\",\"columnid\":\"Labels\"},{\"path\":\"$.properties.created\",\"columnid\":\"CreatedOn\"},{\"path\":\"$.properties.query\",\"columnid\":\"TableUsed\",\"columnType\":\"string\",\"substringRegexMatch\":\"([\\\\s\\\\S]*){TableName}([\\\\s\\\\S]*)\",\"substringReplace\":\"{TableName}\"}]}}]}",
|
|
"size": 0,
|
|
"title": "All Bookmarks",
|
|
"noDataMessage": "No analytic rules are defined ",
|
|
"exportToExcelOptions": "all",
|
|
"queryType": 12,
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "Enabled",
|
|
"formatter": 18,
|
|
"formatOptions": {
|
|
"thresholdsOptions": "icons",
|
|
"thresholdsGrid": [
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "true",
|
|
"representation": "success",
|
|
"text": "Enabled"
|
|
},
|
|
{
|
|
"operator": "Default",
|
|
"thresholdValue": null,
|
|
"representation": "disabled",
|
|
"text": "Disabled"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Tactics",
|
|
"formatter": 5,
|
|
"formatOptions": {
|
|
"customColumnWidthSetting": "0ch"
|
|
}
|
|
}
|
|
],
|
|
"rowLimit": 512,
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "Notes",
|
|
"sortOrder": 2
|
|
}
|
|
],
|
|
"labelSettings": [
|
|
{
|
|
"columnId": "DisplayName",
|
|
"label": "Bookmark Name"
|
|
},
|
|
{
|
|
"columnId": "Incident",
|
|
"label": "Related to incident"
|
|
}
|
|
]
|
|
},
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "Notes",
|
|
"sortOrder": 2
|
|
}
|
|
],
|
|
"graphSettings": {
|
|
"type": 0
|
|
},
|
|
"mapSettings": {
|
|
"locInfo": "LatLong"
|
|
}
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "0",
|
|
"comparison": "isEqualTo",
|
|
"value": "0"
|
|
},
|
|
"name": "All Bookmarks"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "{\"version\":\"Merge/1.0\",\"merges\":[{\"id\":\"ba59820e-a7dc-4134-adc5-d3279e93727c\",\"mergeType\":\"innerunique\",\"leftTable\":\"CreationOfTableName\",\"rightTable\":\"All Bookmarks\",\"leftColumn\":\"NameOfTable\",\"rightColumn\":\"TableUsed\"}],\"projectRename\":[{\"originalName\":\"[CreationOfTableName].NameOfTable\",\"mergedName\":\"Name Of Table\",\"fromId\":\"ba59820e-a7dc-4134-adc5-d3279e93727c\"},{\"originalName\":\"[All Bookmarks].DisplayName\",\"mergedName\":\"Bookmark Name\",\"fromId\":\"ba59820e-a7dc-4134-adc5-d3279e93727c\"},{\"originalName\":\"[All Bookmarks].Query\",\"mergedName\":\"Query\",\"fromId\":\"ba59820e-a7dc-4134-adc5-d3279e93727c\"},{\"originalName\":\"[All Bookmarks].CreatedOn\",\"mergedName\":\"CreatedOn\",\"fromId\":\"unknown\"},{\"originalName\":\"[All Bookmarks].Updated\",\"mergedName\":\"Updated\",\"fromId\":\"unknown\"},{\"originalName\":\"[All Bookmarks].Labels\",\"mergedName\":\"Labels\",\"fromId\":\"unknown\"},{\"originalName\":\"[All Bookmarks].Incident\",\"mergedName\":\"Related to incident\",\"fromId\":\"ba59820e-a7dc-4134-adc5-d3279e93727c\"},{\"originalName\":\"[All Bookmarks].Notes\",\"mergedName\":\"Notes\",\"fromId\":\"ba59820e-a7dc-4134-adc5-d3279e93727c\"},{\"originalName\":\"[TablesUsage].DataType\"},{\"originalName\":\"[All Bookmarks].test\"},{\"originalName\":\"[All Bookmarks].TableUsed\"}]}",
|
|
"size": 0,
|
|
"title": "All the bookmarks that use {TableName} table",
|
|
"noDataMessage": "Currently there are no bookmarks which use this table",
|
|
"queryType": 7,
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "Query",
|
|
"formatter": 7,
|
|
"formatOptions": {
|
|
"linkTarget": "GenericDetails",
|
|
"linkLabel": "Click to open query and view additional information",
|
|
"linkIsContextBlade": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "TableUsed",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "Updated",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "Labels",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "CreatedOn",
|
|
"formatter": 5
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"showPin": false,
|
|
"name": "BookmarksWithTable",
|
|
"styleSettings": {
|
|
"showBorder": true
|
|
}
|
|
}
|
|
]
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "selectedTab",
|
|
"comparison": "isEqualTo",
|
|
"value": "hunting"
|
|
},
|
|
"name": "Saved searches"
|
|
},
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "The following table shows the number of queries or searches that have been performed from different places against your tables in the time range selected at the top.",
|
|
"style": "info"
|
|
},
|
|
"conditionalVisibilities": [
|
|
{
|
|
"parameterName": "selectedTab",
|
|
"comparison": "isEqualTo",
|
|
"value": "searches"
|
|
},
|
|
{
|
|
"parameterName": "Help",
|
|
"comparison": "isEqualTo",
|
|
"value": "Yes"
|
|
}
|
|
],
|
|
"name": "searches help"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "let Tables = Usage| summarize by DataType;\r\nlet Rest=dynamic([\"ASC_Portal\",\"ASI_Portal\",\"Sentinel-Investigation-Queries\",\"Sentinel-analyticsManagement-customerQuery\", \"AppInsightsPortalExtension\",\"AzureMonitorLogsConnector\",\"AppAnalytics\",\"IbizaExtension\",\"AzureInformationProtection\"]);\r\nLAQueryLogs\r\n| where RequestClientApp in (Rest)\r\n| where QueryText !startswith 'search'\r\n| where QueryText !startswith 'union'\r\n| where QueryText !startswith \"top\"\r\n| extend thisisnteasy = split(QueryText,' ')\r\n| mv-expand thisisnteasy\r\n| extend Table = tostring(thisisnteasy)\r\n| join kind=leftsemi Tables on $left.Table == $right.DataType\r\n| summarize MSDefenderForCloud = countif(RequestClientApp == \"ASC_Portal\"), MicrosoftSentinel = countif(RequestClientApp == \"ASI_Portal\" or RequestClientApp == \"Sentinel-Investigation-Queries\" or RequestClientApp == \"Sentinel-analyticsManagement-customerQuery\"), AppInsights = countif(RequestClientApp == \"AppInsightsPortalExtension\"), LogicApps = countif(RequestClientApp == \"AzureMonitorLogsConnector\"), LogsUI = countif(RequestClientApp == \"AppAnalytics\"), AzureDashboard = countif(RequestClientApp == \"IbizaExtension\"), AIP = countif(RequestClientApp == \"AzureInformationProtection\"), Other = countif(RequestClientApp !in (Rest)) by Table",
|
|
"size": 0,
|
|
"title": "Searches run in {TimeRange:label}",
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "selectedTab",
|
|
"comparison": "isEqualTo",
|
|
"value": "searches"
|
|
},
|
|
"name": "Searches table"
|
|
}
|
|
]
|
|
},
|
|
"name": "TablesRules"
|
|
}
|
|
],
|
|
"fallbackResourceIds": [],
|
|
"fromTemplateId": "sentinel-LogSources&AnalyticRulesCoverage",
|
|
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
|
|
}
|