Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность
Azure-Sentinel/Workbooks/UnifiSG.json

891 строка
39 KiB
JSON
Исходник Ответственный История

{
"version": "Notebook/1.0",
"items": [
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "43936bfc-5e25-43c1-802e-b51f4ed995a9",
"version": "KqlParameterItem/1.0",
"name": "TimeRange",
"type": 4,
"isRequired": true,
"value": {
"durationMs": 86400000
},
"typeSettings": {
"selectableValues": [
{
"durationMs": 300000
},
{
"durationMs": 900000
},
{
"durationMs": 1800000
},
{
"durationMs": 3600000
},
{
"durationMs": 14400000
},
{
"durationMs": 43200000
},
{
"durationMs": 86400000
},
{
"durationMs": 172800000
},
{
"durationMs": 259200000
},
{
"durationMs": 604800000
},
{
"durationMs": 1209600000
},
{
"durationMs": 2419200000
},
{
"durationMs": 2592000000
},
{
"durationMs": 5184000000
},
{
"durationMs": 7776000000
}
]
},
"timeContext": {
"durationMs": 86400000
}
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "Parameters"
},
{
"type": 11,
"content": {
"version": "LinkItem/1.0",
"style": "tabs",
"links": [
{
"cellValue": "Tab",
"linkTarget": "parameter",
"linkLabel": "Firewall",
"subTarget": "Firewall",
"style": "link"
},
{
"cellValue": "Tab",
"linkTarget": "parameter",
"linkLabel": "DNS",
"subTarget": "DNS",
"style": "link"
},
{
"cellValue": "Tab",
"linkTarget": "parameter",
"linkLabel": "DHCP",
"subTarget": "DHCP",
"style": "link"
}
]
},
"name": "links - 10"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let data = CommonSecurityLog\n| where DeviceVendor == \"Unifi\" and DeviceEventClassID == \"Firewall\";\ndata\n| summarize Count = count() by DeviceAction\n| join kind = inner (data\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by DeviceAction)\n on DeviceAction\n | project-away TimeGenerated\n| extend Actions = DeviceAction\n| union (\n data \n | summarize Count = count() \n | extend jkey = 1\n | join kind=inner (data\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\n | extend jkey = 1) on jkey\n | extend DeviceAction = 'All', Actions = '*'\n)\n| extend Order = iif(DeviceAction == \"All\", 0, iff(DeviceAction == \"Allow\", 1, 2))\n| order by Order asc\n",
"size": 4,
"title": "Event Counts",
"timeContext": {
"durationMs": 86400000
},
"timeContextFromParameter": "TimeRange",
"exportFieldName": "DeviceAction",
"exportParameterName": "FWActionPicker",
"exportDefaultValue": "All",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"tileSettings": {
"titleContent": {
"columnMatch": "DeviceAction",
"formatter": 1
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
},
"secondaryContent": {
"columnMatch": "Trend",
"formatter": 9,
"formatOptions": {
"palette": "blue"
}
},
"showBorder": false
}
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "Firewall"
},
"name": "Event Counts"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let data = CommonSecurityLog\n| where DeviceVendor == \"Unifi\" and DeviceEventClassID == \"Firewall\"\n| where DeviceAction == '{FWActionPicker}' or '{FWActionPicker}' == \"All\";\ndata\n| summarize Count = count() by DeviceAction, bin(TimeGenerated, 5m)\n",
"size": 0,
"showAnalytics": true,
"title": "Event Counts over Time",
"timeContext": {
"durationMs": 86400000
},
"timeContextFromParameter": "TimeRange",
"timeBrushParameterName": "TimeBrush",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "barchart",
"mapSettings": {
"locInfo": "LatLong",
"sizeSettings": "Count",
"sizeAggregation": "Sum",
"legendMetric": "Count",
"legendAggregation": "Sum",
"itemColorSettings": {
"type": "heatmap",
"colorAggregation": "Sum",
"nodeColorField": "Count",
"heatmapPalette": "greenRed"
}
}
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "Firewall"
},
"name": "Event Counts over Time"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let data = CommonSecurityLog\n| where DeviceVendor == \"Unifi\" and DeviceEventClassID == \"Firewall\"\n| extend AdditionalExtensions = extract_all(@\"(?P<key>\\w+)=(?P<value>[a-zA-Z0-9-_:/@. ]+)\", dynamic([\"key\",\"value\"]), AdditionalExtensions)\n| mv-apply AdditionalExtensions on (\n summarize AdditionalExtensionsParsed = make_bag(pack(tostring(AdditionalExtensions[0]), AdditionalExtensions[1]))\n);\ndata\n| where DeviceInboundInterface == \"eth2\" and DeviceAction == \"Drop\" \n| summarize count() by SourceIP, sourceGeoCountryName = tostring(parse_json(AdditionalExtensionsParsed).sourceGeoCountryName)\n| join kind=inner (\n data\n | make-series Trend=count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by SourceIP\n | project-away TimeGenerated\n) on SourceIP\n| project SourceIP, Country = sourceGeoCountryName, Count = count_, Trend\n| sort by Count desc\n| take 10\n\n\n",
"size": 0,
"showAnalytics": true,
"title": "Top 10 blocked by Source IP (Inbound)",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeBrush",
"exportFieldName": "SourceIP",
"exportParameterName": "FWSourceIPBlockedPicker",
"exportDefaultValue": "All",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "Count",
"formatter": 8,
"formatOptions": {
"palette": "coldHot"
}
},
{
"columnMatch": "Trend",
"formatter": 9,
"formatOptions": {
"palette": "blue"
}
}
]
}
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "Firewall"
},
"customWidth": "50",
"name": "Top 10 blocked by Source IP (Inbound)"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let data = CommonSecurityLog\n| where DeviceVendor == \"Unifi\" and DeviceEventClassID == \"Firewall\"\n| extend AdditionalExtensions = extract_all(@\"(?P<key>\\w+)=(?P<value>[a-zA-Z0-9-_:/@. ]+)\", dynamic([\"key\",\"value\"]), AdditionalExtensions)\n| mv-apply AdditionalExtensions on (\n summarize AdditionalExtensionsParsed = make_bag(pack(tostring(AdditionalExtensions[0]), AdditionalExtensions[1]))\n)\n| where SourceIP == '{FWSourceIPBlockedPicker}' or '{FWSourceIPBlockedPicker}' == \"All\";\ndata\n| where DeviceAction == \"Drop\" \n| extend Direction = iff(DeviceInboundInterface == \"eth2\", \"Inbound\", \"Outbound\")\n| summarize count() by DestinationPort, Direction\n| join kind=inner (\n data\n | make-series Trend=count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by DestinationPort\n | project-away TimeGenerated\n) on DestinationPort\n| project DestinationPort , Direction, Count = count_, Trend\n| sort by Count desc\n| take 10\n",
"size": 0,
"title": "Top 10 Blocked Ports",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeBrush",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "Count",
"formatter": 8,
"formatOptions": {
"palette": "coldHot"
}
},
{
"columnMatch": "Trend",
"formatter": 9,
"formatOptions": {
"palette": "blue"
}
}
]
}
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "Firewall"
},
"customWidth": "50",
"name": "Top 10 Blocked Ports"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let data = CommonSecurityLog\n| where DeviceVendor == \"Unifi\" and DeviceEventClassID == \"Firewall\"\n| extend AdditionalExtensions = extract_all(@\"(?P<key>\\w+)=(?P<value>[a-zA-Z0-9-_:/@. ]+)\", dynamic([\"key\",\"value\"]), AdditionalExtensions)\n| mv-apply AdditionalExtensions on (\n summarize AdditionalExtensionsParsed = make_bag(pack(tostring(AdditionalExtensions[0]), AdditionalExtensions[1]))\n);\ndata\n| where DeviceInboundInterface == \"eth2\" and DeviceAction == \"Allow\" \n| summarize count() by SourceIP, sourceGeoCountryName = tostring(parse_json(AdditionalExtensionsParsed).sourceGeoCountryName)\n| join kind=inner (\n data\n | make-series Trend=count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by SourceIP\n | project-away TimeGenerated\n) on SourceIP\n| project SourceIP, Country = sourceGeoCountryName, Count = count_, Trend\n| sort by Count desc\n| take 10\n\n\n",
"size": 0,
"title": "Top 10 allowed by Source IP (Inbound)",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeBrush",
"exportFieldName": "SourceIP",
"exportParameterName": "FWSourceIPAllowedPicker",
"exportDefaultValue": "All",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "Count",
"formatter": 8,
"formatOptions": {
"palette": "coldHot"
}
},
{
"columnMatch": "Trend",
"formatter": 9,
"formatOptions": {
"palette": "blue"
}
}
]
}
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "Firewall"
},
"customWidth": "50",
"name": "Top 10 allowed by Source IP (Inbound)"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let data = CommonSecurityLog\n| where DeviceVendor == \"Unifi\" and DeviceEventClassID == \"Firewall\"\n| where SourceIP == '{FWSourceIPAllowedPicker}' or '{FWSourceIPAllowedPicker}' == \"All\"\n| extend AdditionalExtensions = extract_all(@\"(?P<key>\\w+)=(?P<value>[a-zA-Z0-9-_:/@. ]+)\", dynamic([\"key\",\"value\"]), AdditionalExtensions)\n| mv-apply AdditionalExtensions on (\n summarize AdditionalExtensionsParsed = make_bag(pack(tostring(AdditionalExtensions[0]), AdditionalExtensions[1]))\n);\ndata\n| where DeviceAction == \"Allow\" \n| extend Direction = iff(DeviceInboundInterface == \"eth2\", \"Inbound\", \"Outbound\")\n| summarize count() by DestinationPort, Direction\n| join kind=inner (\n data\n | make-series Trend=count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by DestinationPort\n | project-away TimeGenerated\n) on DestinationPort\n| project DestinationPort, Direction, Count = count_, Trend\n| sort by Count desc\n| take 10\n\n\n",
"size": 0,
"title": "Top 10 Allowed Ports",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeBrush",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "Count",
"formatter": 8,
"formatOptions": {
"palette": "coldHot"
}
},
{
"columnMatch": "Trend",
"formatter": 9,
"formatOptions": {
"palette": "blue"
}
}
]
}
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "Firewall"
},
"customWidth": "50",
"name": "Top 10 Allowed Ports"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let data = CommonSecurityLog\n| where DeviceVendor == \"Unifi\" and DeviceEventClassID == \"Firewall\"\n| extend AdditionalExtensions = extract_all(@\"(?P<key>\\w+)=(?P<value>[a-zA-Z0-9-_:/@. ]+)\", dynamic([\"key\",\"value\"]), AdditionalExtensions)\n| mv-apply AdditionalExtensions on (\n summarize AdditionalExtensionsParsed = make_bag(pack(tostring(AdditionalExtensions[0]), AdditionalExtensions[1]))\n);\ndata\n| where DeviceInboundInterface == \"eth2\"\n| extend SourceGeoLongitude = tostring(parse_json(AdditionalExtensionsParsed).sourceGeoLongitude),\n SourceGeoLatitude = tostring(parse_json(AdditionalExtensionsParsed).sourceGeoLatitude),\n SourceGeoCountryName = tostring(parse_json(AdditionalExtensionsParsed).sourceGeoCountryName)\n",
"size": 0,
"showAnalytics": true,
"title": "Map of Inbound Sources",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeBrush",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "map",
"mapSettings": {
"locInfo": "LatLong",
"latitude": "SourceGeoLatitude",
"longitude": "SourceGeoLongitude",
"sizeSettings": "SourceGeoCountryName",
"sizeAggregation": "Count",
"labelSettings": "SourceGeoCountryName",
"legendMetric": "SourceGeoCountryName",
"legendAggregation": "Count",
"itemColorSettings": {
"nodeColorField": "SourceGeoCountryName",
"colorAggregation": "Count",
"type": "heatmap",
"heatmapPalette": "greenRed"
}
}
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "Firewall"
},
"showPin": true,
"name": "InboundSourceLocations",
"styleSettings": {
"maxWidth": "50%"
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let data = CommonSecurityLog\n| where DeviceVendor == \"Unifi\" and DeviceEventClassID == \"Firewall\"\n| extend AdditionalExtensions = extract_all(@\"(?P<key>\\w+)=(?P<value>[a-zA-Z0-9-_:/@. ]+)\", dynamic([\"key\",\"value\"]), AdditionalExtensions)\n| mv-apply AdditionalExtensions on (\n summarize AdditionalExtensionsParsed = make_bag(pack(tostring(AdditionalExtensions[0]), AdditionalExtensions[1]))\n);\ndata\n| where DeviceInboundInterface == \"eth2\"\n| extend SourceGeoCountryName = tostring(parse_json(AdditionalExtensionsParsed).sourceGeoCountryName)\n| summarize count() by SourceIP, SourceGeoCountryName, DeviceAction\n| join kind=inner (\n data\n | make-series Trend=count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by SourceIP\n | project-away TimeGenerated\n) on SourceIP\n| project SourceIP, Country = SourceGeoCountryName, Action = DeviceAction, Count = count_, Trend\n| sort by Count desc\n",
"size": 0,
"title": "Top IP by Geo",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeBrush",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "IP",
"formatter": 1
},
{
"columnMatch": "Count",
"formatter": 8,
"formatOptions": {
"palette": "coldHot"
}
},
{
"columnMatch": "Trend",
"formatter": 9,
"formatOptions": {
"palette": "blue"
}
}
],
"hierarchySettings": {
"treeType": 1,
"groupBy": [
"Country"
],
"expandTopLevel": true
}
},
"sortBy": []
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "Firewall"
},
"customWidth": "50",
"name": "Top IP by Geo"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let data = CommonSecurityLog\n| where DeviceVendor == \"Unifi\" and DeviceEventClassID == \"Firewall\";\ndata\n//| where DeviceEventClassID == \"IPS\"\n| where DeviceAction == \"BLOCK\"\n| extend Direction = iff(DeviceInboundInterface == \"eth2\", \"Inbound\", \"OutBound\")\n| summarize Count = count() by SourceIP, Direction, DestinationIP\n| join kind=inner (\n data\n | make-series Trend=count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by SourceIP\n | project-away TimeGenerated\n) on SourceIP\n| project SourceIP, DestinationIP, Count, Trend\n| sort by Count desc\n",
"size": 0,
"title": "IPS Events",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeBrush",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "Count",
"formatter": 8,
"formatOptions": {
"palette": "hotCold"
}
},
{
"columnMatch": "Trend",
"formatter": 9,
"formatOptions": {
"palette": "blue"
}
}
],
"hierarchySettings": {
"treeType": 1,
"groupBy": [
"SourceIP"
]
}
}
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "Firewall"
},
"customWidth": "50",
"name": "IPS Events"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let data = CommonSecurityLog\n| where DeviceVendor == \"Unifi\" and DeviceEventClassID == \"DNS\";\ndata\n| summarize Count = count() by DeviceAction\n| join kind = inner (data\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by DeviceAction)\n on DeviceAction\n | project-away TimeGenerated\n| extend Actions = DeviceAction\n| union (\n data \n | summarize Count = count() \n | extend jkey = 1\n | join kind=inner (data\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\n | extend jkey = 1) on jkey\n | extend DeviceAction = 'All', Actions = '*'\n)\n| extend Order = iif(DeviceAction == \"All\", 0, iff(DeviceAction == \"Allow\", 1, 2))\n| order by Order asc\n",
"size": 4,
"title": "Action Counts",
"timeContext": {
"durationMs": 86400000
},
"timeContextFromParameter": "TimeRange",
"exportFieldName": "DeviceAction",
"exportParameterName": "DNSActionPicker",
"exportDefaultValue": "All",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"tileSettings": {
"titleContent": {
"columnMatch": "DeviceAction",
"formatter": 1
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"useGrouping": false,
"maximumFractionDigits": 2,
"maximumSignificantDigits": 3
}
}
},
"secondaryContent": {
"columnMatch": "Trend",
"formatter": 9,
"formatOptions": {
"palette": "blue"
}
},
"showBorder": false
}
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "DNS"
},
"name": "DNS Action Counts"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let data = CommonSecurityLog\n| where DeviceVendor == \"Unifi\" and DeviceEventClassID == \"DNS\"\n| extend AdditionalExtensions = extract_all(@\"(?P<key>\\w+)=(?P<value>[a-zA-Z0-9-_:/@. ]+)\", dynamic([\"key\",\"value\"]), AdditionalExtensions)\n| mv-apply AdditionalExtensions on (\n summarize AdditionalExtensionsParsed = make_bag(pack(tostring(AdditionalExtensions[0]), AdditionalExtensions[1]))\n);\ndata\n| where DeviceAction == \"query\"\n| extend QueryType = tostring(parse_json(AdditionalExtensionsParsed).querytype)\n| summarize Count = count() by Type = QueryType\n\n",
"size": 4,
"title": "Query Types",
"timeContext": {
"durationMs": 86400000
},
"timeContextFromParameter": "TimeRange",
"exportFieldName": "QueryType",
"exportParameterName": "DNSQueryPicker",
"exportDefaultValue": "All",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart",
"tileSettings": {
"titleContent": {
"columnMatch": "action_s",
"formatter": 1
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"useGrouping": false,
"maximumFractionDigits": 2,
"maximumSignificantDigits": 3
}
}
},
"secondaryContent": {
"columnMatch": "Trend",
"formatter": 9,
"formatOptions": {
"palette": "blue"
}
},
"showBorder": false
}
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "DNS"
},
"name": "DNS - Query Types"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let data = CommonSecurityLog\n| where DeviceVendor == \"Unifi\" and DeviceEventClassID == \"DNS\"\n| extend AdditionalExtensions = extract_all(@\"(?P<key>\\w+)=(?P<value>[a-zA-Z0-9-_:/@. ]+)\", dynamic([\"key\",\"value\"]), AdditionalExtensions)\n| mv-apply AdditionalExtensions on (\n summarize AdditionalExtensionsParsed = make_bag(pack(tostring(AdditionalExtensions[0]), AdditionalExtensions[1]))\n)\n| extend QueryType = tostring(parse_json(AdditionalExtensionsParsed).querytype)\n| where DeviceAction == '{DNSActionPicker}' or '{DNSActionPicker}' == \"All\";\ndata\n| summarize Count = count() by Action = DeviceAction, bin(TimeGenerated, 1m)",
"size": 0,
"title": "DNS Requests Over Time",
"timeContext": {
"durationMs": 86400000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "barchart"
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "DNS"
},
"name": "DNS Requests Over Time"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let data = CommonSecurityLog\n| where DeviceVendor == \"Unifi\" and DeviceEventClassID == \"DNS\"\n| where DeviceAction == '{DNSActionPicker}' or '{DNSActionPicker}' == \"All\";\ndata\n| where isnotempty(DestinationDnsDomain)\n| summarize Count = count() by DestinationDnsDomain\n| join kind=inner (\n data\n | make-series Trend=count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by DestinationDnsDomain\n | project-away TimeGenerated\n) on DestinationDnsDomain\n| project Domain = DestinationDnsDomain, Count, Trend\n| order by Count\n",
"size": 0,
"title": "Top Domain Names",
"timeContext": {
"durationMs": 86400000
},
"timeContextFromParameter": "TimeRange",
"exportFieldName": "DomainName",
"exportParameterName": "DNSDomainNamePicker",
"exportDefaultValue": "All",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "Count",
"formatter": 8,
"formatOptions": {
"palette": "coldHot"
}
},
{
"columnMatch": "Trend",
"formatter": 9,
"formatOptions": {
"palette": "blue"
}
}
]
}
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "DNS"
},
"name": "Top Domain Names",
"styleSettings": {
"maxWidth": "50%"
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let data = CommonSecurityLog\n| where DeviceVendor == \"Unifi\" and DeviceEventClassID == \"DNS\"\n| where DeviceAction == '{DNSActionPicker}' or '{DNSActionPicker}' == \"All\"\n| where DestinationDnsDomain == '{DNSDomainNamePicker}' or '{DNSDomainNamePicker}' == \"All\";\ndata\n| where isnotempty(DestinationDnsDomain)\n| summarize Count = count() by SourceIP\n| join kind=inner (\n data\n | make-series Trend=count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by SourceIP\n | project-away TimeGenerated\n) on SourceIP\n| project SourceIP, Count, Trend\n| order by Count",
"size": 0,
"title": "Top Clients",
"timeContext": {
"durationMs": 86400000
},
"timeContextFromParameter": "TimeRange",
"exportFieldName": "SourceIP",
"exportParameterName": "DNSSourceIPPicker",
"exportDefaultValue": "All",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "Count",
"formatter": 8,
"formatOptions": {
"palette": "coldHot"
}
},
{
"columnMatch": "Trend",
"formatter": 9,
"formatOptions": {
"palette": "blue"
}
}
]
}
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "DNS"
},
"name": "Top Clients",
"styleSettings": {
"maxWidth": "50%"
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let data = CommonSecurityLog\n| where DeviceVendor == \"Unifi\" and DeviceEventClassID == \"DNS\"\n| where DeviceAction == '{DNSActionPicker}' or '{DNSActionPicker}' == \"All\"\n| where DestinationDnsDomain == '{DNSDomainNamePicker}' or '{DNSDomainNamePicker}' == \"All\";\ndata\n| extend NameParts = split(DestinationDnsDomain, '.')\n| extend Top_Level_Domain = strcat(NameParts[toint(array_length(NameParts)-2)],'.',NameParts[toint(array_length(NameParts)-1)])\n| summarize SubDomainCount = count() by Top_Level_Domain, DestinationDnsDomain\n| join kind= inner (\n data\n | extend NameParts = split(DestinationDnsDomain, '.')\n | extend Top_Level_Domain = strcat(NameParts[toint(array_length(NameParts)-2)],'.',NameParts[toint(array_length(NameParts)-1)])\n | extend Top_Level_Domain = iif(strlen(Top_Level_Domain)<7, strcat(NameParts[toint(array_length(NameParts)-3)],'.',Top_Level_Domain),Top_Level_Domain)\n | summarize Total_Sub_Domains = count() by Top_Level_Domain\n) on Top_Level_Domain\n| extend pk = SubDomainCount/todouble(Total_Sub_Domains)\n| extend h1= -log2(pk)*pk\n| summarize Sub_Domain_Entropy = sum(h1), Total_Sub_Domains = any(Total_Sub_Domains) , Domain_List = make_list(DestinationDnsDomain) by Top_Level_Domain\n| order by Sub_Domain_Entropy desc\n\n",
"size": 0,
"title": "Domain Entropy",
"timeContext": {
"durationMs": 86400000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "Sub_Domain_Entropy",
"formatter": 8,
"formatOptions": {
"palette": "coldHot"
}
},
{
"columnMatch": "Total_Sub_Domains",
"formatter": 4,
"formatOptions": {
"palette": "blue"
}
}
]
}
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "DNS"
},
"name": "Domain Entropy"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let data = CommonSecurityLog\n| where DeviceVendor == \"Unifi\" and DeviceEventClassID == \"DHCP\";\ndata\n| summarize Count = count() by DeviceAction\n| join kind = inner (data\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by DeviceAction)\n on DeviceAction\n | project-away TimeGenerated\n| extend Actions = DeviceAction\n| union (\n data \n | summarize Count = count() \n | extend jkey = 1\n | join kind=inner (data\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\n | extend jkey = 1) on jkey\n | extend DeviceAction = 'All', Actions = '*'\n)\n| extend Order = iif(DeviceAction == \"All\", 0, iff(DeviceAction == \"Allow\", 1, 2))\n| order by Order asc\n",
"size": 4,
"title": "DHCP Actions",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"exportFieldName": "DeviceAction",
"exportParameterName": "DHCPActionPicker",
"exportDefaultValue": "All",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"tileSettings": {
"titleContent": {
"columnMatch": "DeviceAction",
"formatter": 1
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
},
"secondaryContent": {
"columnMatch": "Trend",
"formatter": 9,
"formatOptions": {
"palette": "blue"
}
},
"showBorder": false
}
},
"name": "DHCPActions"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let data = CommonSecurityLog\n| where DeviceVendor == \"Unifi\" and DeviceEventClassID == \"DHCP\"\n| where DeviceAction == '{DHCPActionPicker}' or '{DHCPActionPicker}' == \"All\";\ndata\n| summarize Count = count() by DeviceAction, bin(TimeGenerated, 5m)\n",
"size": 0,
"title": "DHCP Actions over Time",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"timeBrushParameterName": "TimeBrush",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "barchart"
},
"name": "DHCPActionsOverTime"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let data = CommonSecurityLog\n| where DeviceVendor == \"Unifi\" and DeviceEventClassID == \"DHCP\"\n| where DeviceAction == '{DHCPActionPicker}' or '{DHCPActionPicker}' == \"All\";\ndata\n| where DeviceAction == \"DHCPREQUEST\" or DeviceAction == \"DHCPINFORM\" or DeviceAction == \"DHCPDISCOVER\"\n| summarize Count = count() by DeviceAction, bin(TimeGenerated, 5m)\n",
"size": 0,
"title": "DHCP Requests by Type",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeBrush",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "linechart"
},
"name": "DHCPRequestsByType"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let data = CommonSecurityLog\n| where DeviceVendor == \"Unifi\" and DeviceEventClassID == \"DHCP\"\n| where DeviceAction == '{DHCPActionPicker}' or '{DHCPActionPicker}' == \"All\";\ndata\n| where DeviceAction == \"DHCPPACK\" or DeviceAction == \"DHCPOFFER\"\n| summarize Count = count() by DeviceAction, bin(TimeGenerated, 5m)\n",
"size": 0,
"title": "DHCP Responses by Type",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeBrush",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "linechart"
},
"name": "DHCPResponsesbyType"
}
]
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "DHCP"
},
"name": "DHCP"
}
],
"styleSettings": {},
"fromTemplateId": "sentinel-UnifSG",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}
Ссылка в новой задаче Показать git blame Копировать постоянную ссылку