357 строки
11 KiB
JSON
357 строки
11 KiB
JSON
{
|
|
"version": "Notebook/1.0",
|
|
"items": [
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "Perimeter81_CL \n| where eventName_s == \"api.activity.login.fail\"\n| summarize count(releasedBy_email_s) by ip_s, releasedBy_email_s\n| project LoginFailures=count_releasedBy_email_s, Email=releasedBy_email_s, IP=ip_s\n| top 10 by LoginFailures desc nulls last\n| render columnchart kind=stacked",
|
|
"size": 0,
|
|
"title": "Top 10 Login Failures by Email (last 24 hours)",
|
|
"timeContext": {
|
|
"durationMs": 86400000
|
|
},
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "categoricalbar",
|
|
"gridSettings": {
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "Email",
|
|
"sortOrder": 2
|
|
}
|
|
]
|
|
},
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "Email",
|
|
"sortOrder": 2
|
|
}
|
|
],
|
|
"tileSettings": {
|
|
"showBorder": false,
|
|
"titleContent": {
|
|
"columnMatch": "Email",
|
|
"formatter": 1
|
|
},
|
|
"leftContent": {
|
|
"columnMatch": "LoginFailures",
|
|
"formatter": 12,
|
|
"formatOptions": {
|
|
"palette": "auto"
|
|
},
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"graphSettings": {
|
|
"type": 0,
|
|
"topContent": {
|
|
"columnMatch": "Email",
|
|
"formatter": 1
|
|
},
|
|
"centerContent": {
|
|
"columnMatch": "LoginFailures",
|
|
"formatter": 1,
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"chartSettings": {},
|
|
"mapSettings": {
|
|
"locInfo": "LatLong",
|
|
"sizeSettings": "LoginFailures",
|
|
"sizeAggregation": "Sum",
|
|
"legendMetric": "LoginFailures",
|
|
"legendAggregation": "Sum",
|
|
"itemColorSettings": {
|
|
"type": "heatmap",
|
|
"colorAggregation": "Sum",
|
|
"nodeColorField": "LoginFailures",
|
|
"heatmapPalette": "greenRed"
|
|
}
|
|
}
|
|
},
|
|
"customWidth": "50",
|
|
"name": "LoginFailures - By Email"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "Perimeter81_CL \n| where eventName_s == \"api.activity.login.fail\"\n| summarize LoginFailures=count() by Name=strcat(releasedBy_firstName_s, \" \", releasedBy_lastName_s)\n| top 10 by LoginFailures desc nulls last\n| render columnchart kind=stacked\n\n\n",
|
|
"size": 0,
|
|
"title": "Top 10 Login Failures by Name (last 24 hours)",
|
|
"timeContext": {
|
|
"durationMs": 86400000
|
|
},
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "barchart",
|
|
"sortBy": [],
|
|
"tileSettings": {
|
|
"showBorder": false,
|
|
"titleContent": {
|
|
"columnMatch": "Email",
|
|
"formatter": 1
|
|
},
|
|
"leftContent": {
|
|
"columnMatch": "LoginFailures",
|
|
"formatter": 12,
|
|
"formatOptions": {
|
|
"palette": "auto"
|
|
},
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"graphSettings": {
|
|
"type": 0,
|
|
"topContent": {
|
|
"columnMatch": "Email",
|
|
"formatter": 1
|
|
},
|
|
"centerContent": {
|
|
"columnMatch": "LoginFailures",
|
|
"formatter": 1,
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"chartSettings": {},
|
|
"mapSettings": {
|
|
"locInfo": "LatLong",
|
|
"sizeSettings": "LoginFailures",
|
|
"sizeAggregation": "Sum",
|
|
"legendMetric": "LoginFailures",
|
|
"legendAggregation": "Sum",
|
|
"itemColorSettings": {
|
|
"type": "heatmap",
|
|
"colorAggregation": "Sum",
|
|
"nodeColorField": "LoginFailures",
|
|
"heatmapPalette": "greenRed"
|
|
}
|
|
}
|
|
},
|
|
"customWidth": "50",
|
|
"name": "LoginFailures - By Name"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "Perimeter81_CL \n| where eventName_s == \"api.activity.application.session.start\"\n| summarize count() by application_name_s\n| project SessionStart=count_, App=application_name_s\n| top 10 by SessionStart desc nulls last",
|
|
"size": 0,
|
|
"title": "Top 10 Applications (by session start, last 24 hours)",
|
|
"timeContext": {
|
|
"durationMs": 86400000
|
|
},
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "piechart",
|
|
"gridSettings": {
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "Email",
|
|
"sortOrder": 2
|
|
}
|
|
]
|
|
},
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "Email",
|
|
"sortOrder": 2
|
|
}
|
|
],
|
|
"tileSettings": {
|
|
"showBorder": false,
|
|
"titleContent": {
|
|
"columnMatch": "Email",
|
|
"formatter": 1
|
|
},
|
|
"leftContent": {
|
|
"columnMatch": "LoginFailures",
|
|
"formatter": 12,
|
|
"formatOptions": {
|
|
"palette": "auto"
|
|
},
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"graphSettings": {
|
|
"type": 0,
|
|
"topContent": {
|
|
"columnMatch": "Email",
|
|
"formatter": 1
|
|
},
|
|
"centerContent": {
|
|
"columnMatch": "LoginFailures",
|
|
"formatter": 1,
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"chartSettings": {},
|
|
"mapSettings": {
|
|
"locInfo": "LatLong",
|
|
"sizeSettings": "LoginFailures",
|
|
"sizeAggregation": "Sum",
|
|
"legendMetric": "LoginFailures",
|
|
"legendAggregation": "Sum",
|
|
"itemColorSettings": {
|
|
"type": "heatmap",
|
|
"colorAggregation": "Sum",
|
|
"nodeColorField": "LoginFailures",
|
|
"heatmapPalette": "greenRed"
|
|
}
|
|
}
|
|
},
|
|
"customWidth": "50",
|
|
"name": "ApplicationSessionStart"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "Perimeter81_CL \n| where eventName_s == \"api.activity.vpn.auth\"\n| summarize count() by vpnLocation_name_s\n| project SessionStart=count_, Network=vpnLocation_name_s\n| top 10 by SessionStart desc nulls last",
|
|
"size": 0,
|
|
"title": "Top 10 Networks (by auth, last 24 hours)",
|
|
"timeContext": {
|
|
"durationMs": 86400000
|
|
},
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "piechart",
|
|
"gridSettings": {
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "Email",
|
|
"sortOrder": 2
|
|
}
|
|
]
|
|
},
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "Email",
|
|
"sortOrder": 2
|
|
}
|
|
],
|
|
"tileSettings": {
|
|
"showBorder": false,
|
|
"titleContent": {
|
|
"columnMatch": "Email",
|
|
"formatter": 1
|
|
},
|
|
"leftContent": {
|
|
"columnMatch": "LoginFailures",
|
|
"formatter": 12,
|
|
"formatOptions": {
|
|
"palette": "auto"
|
|
},
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"graphSettings": {
|
|
"type": 0,
|
|
"topContent": {
|
|
"columnMatch": "Email",
|
|
"formatter": 1
|
|
},
|
|
"centerContent": {
|
|
"columnMatch": "LoginFailures",
|
|
"formatter": 1,
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"chartSettings": {},
|
|
"mapSettings": {
|
|
"locInfo": "LatLong",
|
|
"sizeSettings": "LoginFailures",
|
|
"sizeAggregation": "Sum",
|
|
"legendMetric": "LoginFailures",
|
|
"legendAggregation": "Sum",
|
|
"itemColorSettings": {
|
|
"type": "heatmap",
|
|
"colorAggregation": "Sum",
|
|
"nodeColorField": "LoginFailures",
|
|
"heatmapPalette": "greenRed"
|
|
}
|
|
}
|
|
},
|
|
"customWidth": "50",
|
|
"name": "NetworkAuth"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "let starttime = 14d;\nlet endtime = 0d;\nlet timeframe = 1h;\nlet TimeSeriesData =\nPerimeter81_CL\n| where eventName_s == \"api.activity.vpn.auth\"\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\n| project TimeGenerated, Network=vpnLocation_name_s \n| make-series Total=count() on TimeGenerated from ago(starttime) to ago(endtime) step timeframe by Network;\nTimeSeriesData\n| render timechart ",
|
|
"size": 0,
|
|
"title": "Network Connections over time (last 14 days)",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
"customWidth": "50",
|
|
"name": "NetworkUsage"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "let starttime = 14d;\nlet endtime = 0d;\nlet timeframe = 1h;\nlet TimeSeriesData =\nPerimeter81_CL\n| where eventName_s == \"api.activity.application.session.start\"\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\n| project TimeGenerated, Application=application_name_s \n| make-series Total=count() on TimeGenerated from ago(starttime) to ago(endtime) step timeframe by Application;\nTimeSeriesData\n| render timechart ",
|
|
"size": 0,
|
|
"title": "Application Connections over time (last 14 days)",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
"customWidth": "50",
|
|
"name": "ApplicationUsage"
|
|
}
|
|
],
|
|
"fromTemplateId": "sentinel-Perimeter81OverviewWorkbook",
|
|
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
|
|
}
|