{
|
|
"version": "Notebook/1.0",
|
|
"items": [
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "## Azure DDoS Protection Workbook\n---\n"
|
|
},
|
|
"name": "text - 2"
|
|
},
|
|
{
|
|
"type": 11,
|
|
"content": {
|
|
"version": "LinkItem/1.0",
|
|
"style": "tabs",
|
|
"links": [
|
|
{
|
|
"id": "2647367d-91d2-4325-8923-6de1e66ba14f",
|
|
"cellValue": "selectedTab",
|
|
"linkTarget": "parameter",
|
|
"linkLabel": "DDoS Summary",
|
|
"subTarget": "DDoS Summary",
|
|
"preText": "DDoS Summary",
|
|
"style": "link"
|
|
},
|
|
{
|
|
"id": "cf2e2031-1a40-42e2-b7f9-66bdf68e7b41",
|
|
"cellValue": "selectedTab",
|
|
"linkTarget": "parameter",
|
|
"linkLabel": "DDoS Metrics",
|
|
"subTarget": "DDoS Metrics",
|
|
"style": "link"
|
|
},
|
|
{
|
|
"id": "e9425dcf-63f3-4cc7-afda-2682cafb513b",
|
|
"cellValue": "selectedTab",
|
|
"linkTarget": "parameter",
|
|
"linkLabel": "DDoS Investigation",
|
|
"subTarget": "DDoS Investigate",
|
|
"style": "link"
|
|
}
|
|
]
|
|
},
|
|
"name": "links - 23"
|
|
},
|
|
{
|
|
"type": 9,
|
|
"content": {
|
|
"version": "KqlParameterItem/1.0",
|
|
"crossComponentResources": [
|
|
"value::selected"
|
|
],
|
|
"parameters": [
|
|
{
|
|
"id": "f9e7e362-f017-409a-8b8d-52da17b2df7c",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "Workspaces",
|
|
"type": 5,
|
|
"isRequired": true,
|
|
"multiSelect": true,
|
|
"quote": "'",
|
|
"delimiter": ",",
|
|
"query": "where type =~ 'microsoft.operationalinsights/workspaces'\r\n| project id, name\r\n| order by name desc",
|
|
"crossComponentResources": [
|
|
"value::selected"
|
|
],
|
|
"value": [],
|
|
"typeSettings": {
|
|
"additionalResourceOptions": [
|
|
"value::all"
|
|
]
|
|
},
|
|
"queryType": 1,
|
|
"resourceType": "microsoft.resourcegraph/resources"
|
|
},
|
|
{
|
|
"id": "e04e88aa-42d1-4bd4-a15d-33e4b161e108",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "TimeRange",
|
|
"type": 4,
|
|
"isRequired": true,
|
|
"value": {
|
|
"durationMs": 2419200000
|
|
},
|
|
"typeSettings": {
|
|
"selectableValues": [
|
|
{
|
|
"durationMs": 300000
|
|
},
|
|
{
|
|
"durationMs": 900000
|
|
},
|
|
{
|
|
"durationMs": 1800000
|
|
},
|
|
{
|
|
"durationMs": 3600000
|
|
},
|
|
{
|
|
"durationMs": 14400000
|
|
},
|
|
{
|
|
"durationMs": 43200000
|
|
},
|
|
{
|
|
"durationMs": 86400000
|
|
},
|
|
{
|
|
"durationMs": 172800000
|
|
},
|
|
{
|
|
"durationMs": 259200000
|
|
},
|
|
{
|
|
"durationMs": 604800000
|
|
},
|
|
{
|
|
"durationMs": 1209600000
|
|
},
|
|
{
|
|
"durationMs": 2419200000
|
|
},
|
|
{
|
|
"durationMs": 2592000000
|
|
},
|
|
{
|
|
"durationMs": 5184000000
|
|
},
|
|
{
|
|
"durationMs": 7776000000
|
|
}
|
|
],
|
|
"allowCustom": true
|
|
}
|
|
},
|
|
{
|
|
"id": "8ae1c617-04d0-4918-ac8e-4ba9083300f3",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "Resource",
|
|
"type": 5,
|
|
"isRequired": true,
|
|
"multiSelect": true,
|
|
"quote": "'",
|
|
"delimiter": ",",
|
|
"query": "where type =~ 'Microsoft.Network/PublicIPAddresses'\r\n| project id",
|
|
"crossComponentResources": [
|
|
"value::selected"
|
|
],
|
|
"value": [
|
|
"value::all"
|
|
],
|
|
"typeSettings": {
|
|
"additionalResourceOptions": [
|
|
"value::all"
|
|
],
|
|
"selectAllValue": "",
|
|
"showDefault": false
|
|
},
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 1,
|
|
"resourceType": "microsoft.resourcegraph/resources",
|
|
"label": "Public IP Addresses"
|
|
}
|
|
],
|
|
"style": "pills",
|
|
"queryType": 1,
|
|
"resourceType": "microsoft.resourcegraph/resources"
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "DDoS Summary",
|
|
"comparison": "isEqualTo"
|
|
},
|
|
"name": "parameters - 2"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "AzureDiagnostics\r\n| where Category == \"DDoSProtectionNotifications\" or Category == \"DDoSMitigationReports\"\r\n| where Resource in~ (split(\"{Resource:label}\", \", \"))\r\n| extend TrafficOverview = coalesce(parse_json(column_ifexists(\"TrafficOverview_s\",\"\")),parse_json(AdditionalFields[\"TrafficOverview\"]))\r\n| extend TrafficOverview = parse_json(tostring(TrafficOverview))\r\n| extend TotalTCPPackets = todouble(TrafficOverview.Total_TCP_packets)\r\n| extend TotalTCPPacketsDropped = todouble(TrafficOverview.Total_TCP_packets_dropped)\r\n| extend TotalUDPPackets = todouble(TrafficOverview.Total_UDP_packets)\r\n| extend TotalUDPPacketsDropped = todouble(TrafficOverview.Total_UDP_packets_dropped)\r\n| extend TotalOtherPackets = todouble(TrafficOverview.Total_other_packets)\r\n| extend TotalOtherPacketsDropped = todouble(TrafficOverview.Total_other_packets_dropped)\r\n| extend TotalPackets = todouble(TrafficOverview.Total_packets)\r\n| extend TotalPacketsDropped = todouble(TrafficOverview.Total_packets_dropped)\r\n| summarize sum(TotalPacketsDropped), sum(TotalPackets), sum(TotalUDPPackets),sum(TotalUDPPacketsDropped),sum(TotalOtherPackets),sum(TotalOtherPacketsDropped),sum(TotalTCPPackets),sum(TotalTCPPacketsDropped)\r\n| extend TotalPackets = sum_TotalPackets , TotalPacketsDropped = sum_TotalPacketsDropped, TotalUDPPackets = sum_TotalUDPPackets, TotalUDPPacketsDropped = sum_TotalUDPPacketsDropped, TotalOtherPackets = sum_TotalOtherPackets, TotalOtherPacketsDropped = sum_TotalOtherPacketsDropped, TotalTCPPackets = sum_TotalTCPPackets, TotalTCPPacketsDropped = sum_TotalTCPPacketsDropped\r\n| project TotalPackets, TotalPacketsDropped, TotalTCPPackets, TotalTCPPacketsDropped, TotalUDPPackets, TotalUDPPacketsDropped, TotalOtherPackets, TotalOtherPacketsDropped \r\n| evaluate narrow()\r\n| extend TableName = Column\r\n| extend Count = Value\r\n| project TableName, Count",
|
|
"size": 4,
|
|
"title": "Traffic Overview",
|
|
"noDataMessage": "You do not have DDoS enabled",
|
|
|
|
|
|
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspaces}"
|
|
],
|
|
"visualization": "tiles",
|
|
"gridSettings": {
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "Count",
|
|
"sortOrder": 1
|
|
}
|
|
]
|
|
},
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "Count",
|
|
"sortOrder": 1
|
|
}
|
|
],
|
|
"tileSettings": {
|
|
"titleContent": {
|
|
"columnMatch": "Count",
|
|
"formatter": 12,
|
|
"formatOptions": {
|
|
"palette": "auto"
|
|
},
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"style": "decimal",
|
|
"useGrouping": false
|
|
}
|
|
}
|
|
},
|
|
"subtitleContent": {
|
|
"columnMatch": "TableName"
|
|
},
|
|
"showBorder": true,
|
|
"size": "auto"
|
|
}
|
|
},
|
|
"customWidth": "100",
|
|
"name": "Traffic Overview"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "AzureDiagnostics\r\n| where Resource in~ (split(\"{Resource:label}\", \", \"))\r\n| where Category == \"DDoSMitigationReports\"\r\n| sort by TimeGenerated desc\r\n| extend TopAttackVector = coalesce(tostring(parse_json(column_ifexists(\"AttackVectors_s\",\"\"))[0]), AdditionalFields[\"AttackVectors\"])\r\n| extend TrafficOverview = coalesce(parse_json(column_ifexists(\"TrafficOverview_s\",\"\")),parse_json(AdditionalFields[\"TrafficOverview\"]))\r\n| extend TrafficOverview = parse_json(tostring(TrafficOverview))\r\n| extend TotalPackets = todouble(TrafficOverview.Total_packets)\r\n| extend Total_packets_dropped_ = todouble(TrafficOverview.Total_packets_dropped)\r\n| where TotalPackets > 0\r\n| where TopAttackVector <> \"\"\r\n| take 10\r\n| project TimeGenerated , TopAttackVector , TotalPackets, TotalPacketsDropped = Total_packets_dropped_ , ResourceId , IPAddress, Resource\r\n\r\n",
|
|
"size": 1,
|
|
"title": "Last Ten DDoS Attack Reports; select an attack to run the resource lookup",
|
|
"noDataMessage": "No DDoS Attacks Mitigated in Selected TimeRange",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"exportedParameters": [
|
|
{
|
|
"fieldName": "IPAddress",
|
|
"parameterName": "IPAddress",
|
|
"parameterType": 1
|
|
},
|
|
{
|
|
"fieldName": "ResourceId",
|
|
"parameterName": "ResourceId",
|
|
"parameterType": 1,
|
|
"defaultValue": "ResourceId"
|
|
},
|
|
{
|
|
"fieldName": "Resource",
|
|
"parameterName": "AttackReport",
|
|
"parameterType": 1,
|
|
"defaultValue": "/"
|
|
}
|
|
],
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspaces}"
|
|
],
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "TotalPackets",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "coldHot"
|
|
},
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"style": "decimal",
|
|
"maximumSignificantDigits": 4
|
|
}
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "TotalPacketsDropped",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "coldHot"
|
|
},
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"style": "decimal",
|
|
"maximumSignificantDigits": 4
|
|
}
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Resource",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "Total_packets_",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "hotCold"
|
|
},
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"style": "decimal",
|
|
"maximumSignificantDigits": 4
|
|
}
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Total_packets_dropped_",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "hotCold"
|
|
},
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"style": "decimal",
|
|
"maximumSignificantDigits": 4
|
|
}
|
|
}
|
|
}
|
|
]
|
|
},
|
|
"tileSettings": {
|
|
"titleContent": {
|
|
"columnMatch": "IPAddress",
|
|
"formatter": 12,
|
|
"formatOptions": {
|
|
"palette": "auto"
|
|
}
|
|
},
|
|
"subtitleContent": {
|
|
"columnMatch": "TopAttackVector",
|
|
"formatter": 1
|
|
},
|
|
"leftContent": {
|
|
"columnMatch": "Resource"
|
|
},
|
|
"rightContent": {
|
|
"columnMatch": "TimeGenerated"
|
|
},
|
|
"showBorder": true,
|
|
"size": "auto"
|
|
}
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 7"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "Resources\r\n| where properties contains \"{AttackReport}\"\r\n| project id, name, type, tenantId, location, resourceGroup, subscriptionId",
|
|
"size": 1,
|
|
"title": "Resource Lookup, based on Most Recent DDoS Attack Report",
|
|
"noDataMessage": "Unable to find resources",
|
|
"queryType": 1,
|
|
"resourceType": "microsoft.resourcegraph/resources",
|
|
"crossComponentResources": [
|
|
"value::selected"
|
|
]
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 24"
|
|
},
|
|
{
|
|
"type": 10,
|
|
"content": {
|
|
"chartId": "workbookd3c031a7-09cf-4cfd-bdec-ab452c540328",
|
|
"version": "MetricsItem/2.0",
|
|
"size": 0,
|
|
"chartType": 2,
|
|
"resourceType": "microsoft.network/publicipaddresses",
|
|
"metricScope": 0,
|
|
"resourceParameter": "Resource",
|
|
"resourceIds": [
|
|
"{Resource}"
|
|
],
|
|
"timeContextFromParameter": "TimeRange",
|
|
"timeContext": {
|
|
"durationMs": 2419200000
|
|
},
|
|
"metrics": [
|
|
{
|
|
"namespace": "microsoft.network/publicipaddresses",
|
|
"metric": "microsoft.network/publicipaddresses--PacketCount",
|
|
"aggregation": 4,
|
|
"splitBy": null
|
|
}
|
|
],
|
|
"title": "Public IP Address Packet Count (Average)",
|
|
"gridSettings": {
|
|
"rowLimit": 10000
|
|
}
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "selectedTab",
|
|
"comparison": "isEqualTo",
|
|
"value": "DDoS Metrics"
|
|
},
|
|
"customWidth": "50",
|
|
"name": "metric - 25 - Copy - Copy - Copy - Copy"
|
|
},
|
|
{
|
|
"type": 10,
|
|
"content": {
|
|
"chartId": "workbookd3c031a7-09cf-4cfd-bdec-ab452c540328",
|
|
"version": "MetricsItem/2.0",
|
|
"size": 0,
|
|
"chartType": 2,
|
|
"resourceType": "microsoft.network/publicipaddresses",
|
|
"metricScope": 0,
|
|
"resourceParameter": "Resource",
|
|
"resourceIds": [
|
|
"{Resource}"
|
|
],
|
|
"timeContextFromParameter": "TimeRange",
|
|
"timeContext": {
|
|
"durationMs": 2419200000
|
|
},
|
|
"metrics": [
|
|
{
|
|
"namespace": "microsoft.network/publicipaddresses",
|
|
"metric": "microsoft.network/publicipaddresses--ByteCount",
|
|
"aggregation": 4,
|
|
"splitBy": null
|
|
}
|
|
],
|
|
"title": "Public IP Address Byte Count (Average)",
|
|
"gridSettings": {
|
|
"rowLimit": 10000
|
|
}
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "selectedTab",
|
|
"comparison": "isEqualTo",
|
|
"value": "DDoS Metrics"
|
|
},
|
|
"customWidth": "50",
|
|
"name": "metric - 25 - Copy - Copy - Copy - Copy - Copy"
|
|
},
|
|
{
|
|
"type": 10,
|
|
"content": {
|
|
"chartId": "workbookd3c031a7-09cf-4cfd-bdec-ab452c540328",
|
|
"version": "MetricsItem/2.0",
|
|
"size": 0,
|
|
"chartType": 2,
|
|
"resourceType": "microsoft.network/publicipaddresses",
|
|
"metricScope": 0,
|
|
"resourceParameter": "Resource",
|
|
"resourceIds": [
|
|
"{Resource}"
|
|
],
|
|
"timeContextFromParameter": "TimeRange",
|
|
"timeContext": {
|
|
"durationMs": 2419200000
|
|
},
|
|
"metrics": [
|
|
{
|
|
"namespace": "microsoft.network/publicipaddresses",
|
|
"metric": "microsoft.network/publicipaddresses--DDoSTriggerSYNPackets",
|
|
"aggregation": 3,
|
|
"splitBy": null
|
|
}
|
|
],
|
|
"title": "Inbound SYN Packets to trigger DDoS mitigation (MAX)",
|
|
"gridSettings": {
|
|
"rowLimit": 10000
|
|
}
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "selectedTab",
|
|
"comparison": "isEqualTo",
|
|
"value": "DDoS Metrics"
|
|
},
|
|
"customWidth": "50",
|
|
"name": "metric - 25"
|
|
},
|
|
{
|
|
"type": 10,
|
|
"content": {
|
|
"chartId": "workbookd3c031a7-09cf-4cfd-bdec-ab452c540328",
|
|
"version": "MetricsItem/2.0",
|
|
"size": 0,
|
|
"chartType": 2,
|
|
"resourceType": "microsoft.network/publicipaddresses",
|
|
"metricScope": 0,
|
|
"resourceParameter": "Resource",
|
|
"resourceIds": [
|
|
"{Resource}"
|
|
],
|
|
"timeContextFromParameter": "TimeRange",
|
|
"timeContext": {
|
|
"durationMs": 2419200000
|
|
},
|
|
"metrics": [
|
|
{
|
|
"namespace": "microsoft.network/publicipaddresses",
|
|
"metric": "microsoft.network/publicipaddresses--DDoSTriggerTCPPackets",
|
|
"aggregation": 3,
|
|
"splitBy": null
|
|
}
|
|
],
|
|
"title": "Inbound TCP Packets to trigger DDoS mitigation (MAX)",
|
|
"gridSettings": {
|
|
"rowLimit": 10000
|
|
}
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "selectedTab",
|
|
"comparison": "isEqualTo",
|
|
"value": "DDoS Metrics"
|
|
},
|
|
"customWidth": "50",
|
|
"name": "metric - 25 - Copy"
|
|
},
|
|
{
|
|
"type": 10,
|
|
"content": {
|
|
"chartId": "workbookd3c031a7-09cf-4cfd-bdec-ab452c540328",
|
|
"version": "MetricsItem/2.0",
|
|
"size": 0,
|
|
"chartType": 2,
|
|
"resourceType": "microsoft.network/publicipaddresses",
|
|
"metricScope": 0,
|
|
"resourceParameter": "Resource",
|
|
"resourceIds": [
|
|
"{Resource}"
|
|
],
|
|
"timeContextFromParameter": "TimeRange",
|
|
"timeContext": {
|
|
"durationMs": 2419200000
|
|
},
|
|
"metrics": [
|
|
{
|
|
"namespace": "microsoft.network/publicipaddresses",
|
|
"metric": "microsoft.network/publicipaddresses--DDoSTriggerUDPPackets",
|
|
"aggregation": 3,
|
|
"splitBy": null
|
|
}
|
|
],
|
|
"title": "Inbound UDP Packets to trigger DDoS mitigation (MAX)",
|
|
"gridSettings": {
|
|
"rowLimit": 10000
|
|
}
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "selectedTab",
|
|
"comparison": "isEqualTo",
|
|
"value": "DDoS Metrics"
|
|
},
|
|
"customWidth": "50",
|
|
"name": "metric - 25 - Copy - Copy"
|
|
},
|
|
{
|
|
"type": 10,
|
|
"content": {
|
|
"chartId": "workbookd3c031a7-09cf-4cfd-bdec-ab452c540328",
|
|
"version": "MetricsItem/2.0",
|
|
"size": 0,
|
|
"chartType": 2,
|
|
"resourceType": "microsoft.network/publicipaddresses",
|
|
"metricScope": 0,
|
|
"resourceParameter": "Resource",
|
|
"resourceIds": [
|
|
"{Resource}"
|
|
],
|
|
"timeContextFromParameter": "TimeRange",
|
|
"timeContext": {
|
|
"durationMs": 2419200000
|
|
},
|
|
"metrics": [
|
|
{
|
|
"namespace": "microsoft.network/publicipaddresses",
|
|
"metric": "microsoft.network/publicipaddresses--IfUnderDDoSAttack",
|
|
"aggregation": 3,
|
|
"splitBy": null
|
|
}
|
|
],
|
|
"title": "Under DDoS Attack or Not (MAX)",
|
|
"gridSettings": {
|
|
"rowLimit": 10000
|
|
}
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "selectedTab",
|
|
"comparison": "isEqualTo",
|
|
"value": "DDoS Metrics"
|
|
},
|
|
"customWidth": "50",
|
|
"name": "metric - 25 - Copy - Copy - Copy"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "AzureDiagnostics\r\n| where Resource in~ (split(\"{Resource:label}\", \", \"))\r\n| where Category == \"DDoSMitigationReports\"\r\n| extend Protocols_s = coalesce(parse_json(column_ifexists(\"Protocols_s\",\"\")),parse_json(AdditionalFields[\"Protocols\"]))\r\n| extend Protocols_s = parse_json(tostring(Protocols_s))\r\n| where Protocols_s <> \"{}\" \r\n| extend DynamicProtocols = todynamic(Protocols_s)\r\n| project DynamicProtocols\r\n| as T\r\n| mv-apply DynamicProtocols on (extend Protocol = tostring(bag_keys(DynamicProtocols)[0])\r\n| project Protocol, value = todouble(DynamicProtocols[Protocol]) )\r\n| summarize Percentage = strcat(round(100 * sum(value) / toscalar(T | count), 3)) by Protocol\r\n| extend PercDec = todouble(Percentage)\r\n| render piechart\r\n",
|
|
"size": 0,
|
|
"title": "Protocols",
|
|
"timeContext": {
|
|
"durationMs": 2419200000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspaces}"
|
|
],
|
|
"visualization": "piechart",
|
|
"chartSettings": {
|
|
"ySettings": {
|
|
"unit": 1,
|
|
"min": null,
|
|
"max": null
|
|
}
|
|
}
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "selectedTab",
|
|
"comparison": "isEqualTo",
|
|
"value": "DDoS Summary"
|
|
},
|
|
"customWidth": "20",
|
|
"name": "query - 16"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "AzureDiagnostics\r\n| where Resource in~ (split(\"{Resource:label}\", \", \"))\r\n| where Category == \"DDoSMitigationReports\"\r\n| extend SourceContinents_s = coalesce(parse_json(column_ifexists(\"SourceContinents_s\",\"\")),parse_json(AdditionalFields[\"SourceContinents\"]))\r\n| where SourceContinents_s <> \"{}\"\r\n| extend SourceContinents_s = parse_json(tostring(SourceContinents_s))\r\n| extend DynamicContinents = todynamic(SourceContinents_s) \r\n| project DynamicContinents\r\n| as T\r\n| mv-apply DynamicContinents on (\r\n extend Continent = tostring(bag_keys(DynamicContinents)[0])\r\n | project Continent, value = todouble(DynamicContinents[Continent])\r\n)\r\n| summarize Percentage = strcat(round(100 * sum(value) / toscalar(T | count), 3)) by Continent\r\n| extend Percent = todouble(Percentage)",
|
|
"size": 0,
|
|
"title": "Continent of origin",
|
|
"timeContext": {
|
|
"durationMs": 2419200000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspaces}"
|
|
],
|
|
"visualization": "piechart",
|
|
"chartSettings": {
|
|
"ySettings": {
|
|
"unit": 1,
|
|
"min": null,
|
|
"max": null
|
|
}
|
|
}
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "selectedTab",
|
|
"comparison": "isEqualTo",
|
|
"value": "DDoS Summary"
|
|
},
|
|
"customWidth": "20",
|
|
"name": "query - 13 - Copy"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "AzureDiagnostics\r\n| where Resource in~ (split(\"{Resource:label}\", \", \"))\r\n| where Category == \"DDoSMitigationReports\"\r\n| extend TopSourceCountries_s = coalesce(parse_json(column_ifexists(\"TopSourceCountries_s\",\"\")),parse_json(AdditionalFields[\"TopSourceCountries\"]))\r\n| where TopSourceCountries_s <> \"{}\"\r\n| extend TopSourceCountries_s = parse_json(tostring(TopSourceCountries_s))\r\n| extend DynamicCountries = todynamic(TopSourceCountries_s)\r\n| project DynamicCountries\r\n| as T\r\n| mv-apply DynamicCountries\r\non (extend Countries = tostring(bag_keys(DynamicCountries)[0])\r\n| project Countries, value = todouble(DynamicCountries[Countries]) )\r\n| summarize Percentage = strcat(round(100 * sum(value) / toscalar(T\r\n| count), 3)) by Countries\r\n| sort by Percentage desc\r\n| extend Percent = todouble(Percentage)",
|
|
"size": 0,
|
|
"title": "Countries of Origin",
|
|
"timeContext": {
|
|
"durationMs": 2419200000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspaces}"
|
|
],
|
|
"visualization": "piechart",
|
|
"chartSettings": {
|
|
"ySettings": {
|
|
"unit": 1,
|
|
"min": null,
|
|
"max": null
|
|
}
|
|
}
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "selectedTab",
|
|
"comparison": "isEqualTo",
|
|
"value": "DDoS Summary"
|
|
},
|
|
"customWidth": "20",
|
|
"name": "query - 13 - Copy"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "AzureDiagnostics\r\n| where Resource in~ (split(\"{Resource:label}\", \", \"))\r\n| where Category == \"DDoSMitigationReports\"\r\n| extend TopSourceASNs_s = coalesce(parse_json(column_ifexists(\"TopSourceASNs_s\",\"\")),parse_json(AdditionalFields[\"TopSourceASNs\"]))\r\n| where TopSourceASNs_s <> \"{}\"\r\n| extend TopSourceASNs_s = parse_json(tostring(TopSourceASNs_s))\r\n| extend DynamicASNs = todynamic(TopSourceASNs_s)\r\n| project DynamicASNs\r\n| as T\r\n| mv-apply DynamicASNs on (extend ASN = tostring(bag_keys(DynamicASNs)[0])\r\n| project ASN, value = todouble(DynamicASNs[ASN]) )\r\n| summarize Percentage = strcat(round(100 * sum(value) / toscalar(T | count), 3)) by ASN\r\n| extend PercDec = todouble(Percentage)\r\n| sort by PercDec desc\r\n| render piechart",
|
|
"size": 0,
|
|
"title": "AS Numbers",
|
|
"timeContext": {
|
|
"durationMs": 2419200000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspaces}"
|
|
],
|
|
"chartSettings": {
|
|
"ySettings": {
|
|
"unit": 1,
|
|
"min": null,
|
|
"max": null
|
|
}
|
|
}
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "selectedTab",
|
|
"comparison": "isEqualTo",
|
|
"value": "DDoS Summary"
|
|
},
|
|
"customWidth": "20",
|
|
"name": "query - 15 - Copy",
|
|
"styleSettings": {
|
|
"margin": "15"
|
|
}
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "AzureDiagnostics\r\n| where Resource in~ (split(\"{Resource:label}\", \", \"))\r\n| where Category == \"DDoSMitigationReports\"\r\n| extend DropReasons_s = coalesce(parse_json(column_ifexists(\"DropReasons_s\",\"\")),parse_json(AdditionalFields[\"DropReasons\"]))\r\n| extend DropReasons_s = parse_json(tostring(DropReasons_s))\r\n| where DropReasons_s <> \"{}\"\r\n| extend DynamicDroppedReasons = todynamic(DropReasons_s)\r\n| project DynamicDroppedReasons\r\n| as T\r\n| mv-apply DynamicDroppedReasons on (extend Reasons = tostring(bag_keys(DynamicDroppedReasons)[0])\r\n| project Reasons, value = todouble(DynamicDroppedReasons[Reasons]) )\r\n| summarize Percentage = strcat(round(100 * sum(value) / toscalar(T\r\n| count), 3)) by Reasons\r\n| extend PercDec = todouble(Percentage)\r\n| render piechart",
|
|
"size": 0,
|
|
"title": "Drop Reasons",
|
|
"timeContext": {
|
|
"durationMs": 2419200000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspaces}"
|
|
],
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "count_",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "coldHot",
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Count",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "coldHot",
|
|
"showIcon": true
|
|
}
|
|
}
|
|
],
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "Percentage",
|
|
"sortOrder": 2
|
|
}
|
|
]
|
|
},
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "Percentage",
|
|
"sortOrder": 2
|
|
}
|
|
],
|
|
"chartSettings": {
|
|
"ySettings": {
|
|
"unit": 1,
|
|
"min": null,
|
|
"max": null
|
|
}
|
|
}
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "selectedTab",
|
|
"comparison": "isEqualTo",
|
|
"value": "DDoS Summary"
|
|
},
|
|
"customWidth": "20",
|
|
"name": "Top Attack Vectors - Copy"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "AzureDiagnostics\r\n| where Resource in~ (split(\"{Resource:label}\", \", \"))\r\n| where Category == \"DDoSMitigationReports\"\r\n| extend Protocols_s = coalesce(parse_json(column_ifexists(\"Protocols_s\",\"\")),parse_json(AdditionalFields[\"Protocols\"]))\r\n| extend Protocols_s = parse_json(tostring(Protocols_s))\r\n| where Protocols_s <> \"{}\"\r\n| extend DynamicProtocols = todynamic(Protocols_s)\r\n| project DynamicProtocols\r\n| as T\r\n| mv-apply DynamicProtocols on (extend Protocol = tostring(bag_keys(DynamicProtocols)[0])\r\n| project Protocol, value = todouble(DynamicProtocols[Protocol]) )\r\n| summarize Percentage = strcat(round(100 * sum(value) / toscalar(T\r\n| count), 3), \"%\") by Protocol\r\n| sort by Percentage desc",
|
|
"size": 1,
|
|
"title": "Protocols",
|
|
"timeContext": {
|
|
"durationMs": 2419200000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspaces}"
|
|
]
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "selectedTab",
|
|
"comparison": "isEqualTo",
|
|
"value": "DDoS Summary"
|
|
},
|
|
"customWidth": "20",
|
|
"name": "query - 16 - Copy"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "AzureDiagnostics\r\n| where Resource in~ (split(\"{Resource:label}\", \", \"))\r\n| where Category == \"DDoSMitigationReports\"\r\n| extend SourceContinents_s = coalesce(parse_json(column_ifexists(\"SourceContinents_s\",\"\")),parse_json(AdditionalFields[\"SourceContinents\"]))\r\n| extend SourceContinents_s = parse_json(tostring(SourceContinents_s))\r\n| where SourceContinents_s <> \"{}\"\r\n| extend DynamicContinents = todynamic(SourceContinents_s) \r\n| project DynamicContinents\r\n| as T\r\n| mv-apply DynamicContinents on (\r\n extend Continent = tostring(bag_keys(DynamicContinents)[0])\r\n | project Continent, value = todouble(DynamicContinents[Continent])\r\n)\r\n| summarize Percentage = strcat(round(100 * sum(value) / toscalar(T | count), 3), \"%\") by Continent\r\n| sort by Percentage desc",
|
|
"size": 1,
|
|
"title": "Continent of origin",
|
|
"timeContext": {
|
|
"durationMs": 2419200000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspaces}"
|
|
]
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "selectedTab",
|
|
"comparison": "isEqualTo",
|
|
"value": "DDoS Summary"
|
|
},
|
|
"customWidth": "20",
|
|
"name": "query - 13"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "AzureDiagnostics\r\n| where Resource in~ (split(\"{Resource:label}\", \", \"))\r\n| where Category == \"DDoSMitigationReports\"\r\n| extend TopSourceCountries_s = coalesce(parse_json(column_ifexists(\"TopSourceCountries_s\",\"\")),parse_json(AdditionalFields[\"TopSourceCountries\"]))\r\n| extend TopSourceCountries_s = parse_json(tostring(TopSourceCountries_s))\r\n| where TopSourceCountries_s <> \"{}\"\r\n| extend DynamicCountries = todynamic(TopSourceCountries_s)\r\n| project DynamicCountries\r\n| as T\r\n| mv-apply DynamicCountries on (extend Countries = tostring(bag_keys(DynamicCountries)[0])\r\n| project Countries, value = todouble(DynamicCountries[Countries]) )\r\n| summarize Percentage = strcat(round(100 * sum(value) / toscalar(T\r\n| count), 3), \"%\") by Countries\r\n| sort by Percentage desc",
|
|
"size": 1,
|
|
"title": "Countries of Origin",
|
|
"timeContext": {
|
|
"durationMs": 2419200000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspaces}"
|
|
]
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "selectedTab",
|
|
"comparison": "isEqualTo",
|
|
"value": "DDoS Summary"
|
|
},
|
|
"customWidth": "20",
|
|
"name": "query - 14"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "AzureDiagnostics\r\n| where Resource in~ (split(\"{Resource:label}\", \", \"))\r\n| where Category == \"DDoSMitigationReports\"\r\n| extend TopSourceASNs_s = coalesce(parse_json(column_ifexists(\"TopSourceASNs_s\",\"\")),parse_json(AdditionalFields[\"TopSourceASNs\"]))\r\n| extend TopSourceASNs_s = parse_json(tostring(TopSourceASNs_s))\r\n| where TopSourceASNs_s <> \"{}\"\r\n| extend DynamicASNs = todynamic(TopSourceASNs_s)\r\n| project DynamicASNs\r\n| as T\r\n| mv-apply DynamicASNs on (extend ASN = tostring(bag_keys(DynamicASNs)[0])\r\n| project ASN, value = todouble(DynamicASNs[ASN]) )\r\n| summarize Percentage = strcat(round(100 * sum(value) / toscalar(T\r\n| count), 3), \"%\") by ASN\r\n| sort by Percentage desc",
|
|
"size": 1,
|
|
"title": "AS Numbers",
|
|
"timeContext": {
|
|
"durationMs": 2419200000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspaces}"
|
|
]
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "selectedTab",
|
|
"comparison": "isEqualTo",
|
|
"value": "DDoS Summary"
|
|
},
|
|
"customWidth": "20",
|
|
"name": "query - 15",
|
|
"styleSettings": {
|
|
"margin": "15"
|
|
}
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "AzureDiagnostics\r\n| where Resource in~ (split(\"{Resource:label}\", \", \"))\r\n| where Category == \"DDoSMitigationReports\"\r\n| extend DropReasons_s = coalesce(parse_json(column_ifexists(\"DropReasons_s\",\"\")),parse_json(AdditionalFields[\"DropReasons\"]))\r\n| extend DropReasons_s = parse_json(tostring(DropReasons_s))\r\n| where DropReasons_s <> \"{}\"\r\n| extend DynamicDroppedReasons = todynamic(DropReasons_s)\r\n| project DynamicDroppedReasons\r\n| as T\r\n| mv-apply DynamicDroppedReasons on (extend Reasons = tostring(bag_keys(DynamicDroppedReasons)[0])\r\n| project Reasons, value = todouble(DynamicDroppedReasons[Reasons]) )\r\n| summarize Percentage = strcat(round(100 * sum(value) / toscalar(T\r\n| count), 3), \"%\") by Reasons\r\n| sort by Percentage desc",
|
|
"size": 1,
|
|
"title": "Drop Reasons",
|
|
"timeContext": {
|
|
"durationMs": 2419200000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspaces}"
|
|
],
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "count_",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "coldHot",
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Count",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "coldHot",
|
|
"showIcon": true
|
|
}
|
|
}
|
|
],
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "Percentage",
|
|
"sortOrder": 2
|
|
}
|
|
]
|
|
},
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "Percentage",
|
|
"sortOrder": 2
|
|
}
|
|
]
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "selectedTab",
|
|
"comparison": "isEqualTo",
|
|
"value": "DDoS Summary"
|
|
},
|
|
"customWidth": "20",
|
|
"name": "Top Attack Vectors"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "AzureDiagnostics\r\n| where Resource in~ (split(\"{Resource:label}\", \", \"))\r\n| where Category == \"DDoSMitigationReports\"\r\n| extend ReportType_s = coalesce(tostring(parse_json(column_ifexists(\"ReportType_s\",\"\"))[0]), AdditionalFields[\"ReportType\"])\r\n| extend MitigationPeriodStart_t = coalesce(column_ifexists(\"MitigationPeriodStart_t\", datetime(null)), todatetime(parse_json(AdditionalFields[\"MitigationPeriodStart\"])))\r\n| extend MitigationPeriodEnd_t = coalesce(column_ifexists(\"MitigationPeriodEnd_t\", datetime(null)), todatetime(parse_json(AdditionalFields[\"MitigationPeriodEnd\"])))\r\n| extend AttackVectors_s = coalesce(tostring(parse_json(column_ifexists(\"AttackVectors_s\",\"\"))[0]), AdditionalFields[\"AttackVectors\"])\r\n| extend TrafficOverview_s = coalesce(tostring(parse_json(column_ifexists(\"TrafficOverview_s\",\"\"))[0]), AdditionalFields[\"TrafficOverview\"])\r\n| extend Protocols_s = coalesce(tostring(parse_json(column_ifexists(\"Protocols_s\",\"\"))[0]), AdditionalFields[\"Protocols\"])\r\n| extend DropReasons_s = coalesce(tostring(parse_json(column_ifexists(\"DropReasons_s\",\"\"))[0]), AdditionalFields[\"DropReasons\"])\r\n| project TimeGenerated, ResourceGroup, SubscriptionId, Resource, ResourceType, Message, ReportType = ReportType_s, MitigationStartingTime = MitigationPeriodStart_t, MitigationEndingTime = MitigationPeriodEnd_t, IPAddress, AttackVectors = AttackVectors_s, TrafficOverview = TrafficOverview_s,Protocols = Protocols_s, DropReasons = DropReasons_s",
|
|
"size": 0,
|
|
"title": "Raw DDoS Mitigation Logs",
|
|
"timeContext": {
|
|
"durationMs": 2419200000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspaces}"
|
|
]
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "selectedTab",
|
|
"comparison": "isEqualTo",
|
|
"value": "DDoS Summary"
|
|
},
|
|
"name": "query - 23"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "AzureDiagnostics\r\n| where Resource in~ (split(\"{Resource:label}\", \", \"))\r\n| where Category == \"DDoSMitigationFlowLogs\"\r\n| extend sourcePublicIpAddress_s = coalesce(tostring(parse_json(column_ifexists(\"sourcePublicIpAddress_s\",\"\"))[0]), AdditionalFields[\"sourcePublicIpAddress\"])\r\n| extend sourcePort_s = coalesce(tostring(parse_json(column_ifexists(\"sourcePort_s\",\"\"))[0]), AdditionalFields[\"sourcePort\"])\r\n| extend destPublicIpAddress_s = coalesce(tostring(parse_json(column_ifexists(\"destPublicIpAddress_s\",\"\"))[0]), AdditionalFields[\"destPublicIpAddress\"])\r\n| extend destPort_s = coalesce(tostring(parse_json(column_ifexists(\"destPort_s\",\"\"))[0]), AdditionalFields[\"destPort\"])\r\n| extend protocol_s = coalesce(tostring(parse_json(column_ifexists(\"protocol_s\",\"\"))[0]), AdditionalFields[\"protocol\"])\r\n| project TimeGenerated, ResourceGroup, SubscriptionId, Resource, ResourceType, Message, SourcePublicIPAddress = sourcePublicIpAddress_s, SourcePorts = sourcePort_s, DestinationPublicIpAddress = destPublicIpAddress_s, DestinationPorts = destPort_s, Protocol = protocol_s, ResouceID = _ResourceId\r\n",
|
|
"size": 0,
|
|
"title": "Raw DDoS Flow Logs",
|
|
"timeContext": {
|
|
"durationMs": 2419200000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspaces}"
|
|
]
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "selectedTab",
|
|
"comparison": "isEqualTo",
|
|
"value": "DDoS Summary"
|
|
},
|
|
"name": "query - 22"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "AzureDiagnostics\r\n| where Resource in~ (split(\"{Resource:label}\", \", \"))\r\n| where Category == \"DDoSMitigationFlowLogs\" \r\n| where Message == \"Packet was forwarded to service\" \r\n| extend protocol_s = coalesce(parse_json(column_ifexists(\"protocol_s\",\"\")),parse_json(AdditionalFields[\"protocol\"]))\r\n| extend destPort_s = coalesce(parse_json(column_ifexists(\"destPort_s\",\"\")),parse_json(AdditionalFields[\"destPort\"]))\r\n| summarize count() by strcat(protocol_s, destPort_s) ",
|
|
"size": 4,
|
|
"showAnalytics": true,
|
|
"title": "Allowed Traffic During Mitigation",
|
|
"timeContext": {
|
|
"durationMs": 2419200000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspaces}"
|
|
],
|
|
"visualization": "tiles",
|
|
"tileSettings": {
|
|
"titleContent": {
|
|
"formatter": 1
|
|
},
|
|
"leftContent": {
|
|
"columnMatch": "count_",
|
|
"formatter": 12,
|
|
"formatOptions": {
|
|
"palette": "auto"
|
|
},
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
},
|
|
"secondaryContent": {
|
|
"columnMatch": "Column1"
|
|
},
|
|
"showBorder": false
|
|
},
|
|
"graphSettings": {
|
|
"type": 0,
|
|
"topContent": {
|
|
"columnMatch": "destPort_s",
|
|
"formatter": 1
|
|
},
|
|
"centerContent": {
|
|
"columnMatch": "count_",
|
|
"formatter": 1,
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "selectedTab",
|
|
"comparison": "isEqualTo",
|
|
"value": "DDoS Investigate"
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 4"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "AzureDiagnostics\r\n| where Resource in~ (split(\"{Resource:label}\", \", \"))\r\n| where Category == \"DDoSMitigationFlowLogs\" \r\n| where Message startswith \"Protocol violation\" \r\n| extend protocol_s = coalesce(parse_json(column_ifexists(\"protocol_s\",\"\")),parse_json(AdditionalFields[\"protocol\"]))\r\n| extend destPort_s = coalesce(parse_json(column_ifexists(\"destPort_s\",\"\")),parse_json(AdditionalFields[\"destPort\"]))\r\n| summarize count() by strcat(protocol_s, destPort_s) ",
|
|
"size": 4,
|
|
"showAnalytics": true,
|
|
"title": "Dropped Traffic During Mitigation",
|
|
"timeContext": {
|
|
"durationMs": 2419200000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspaces}"
|
|
],
|
|
"visualization": "tiles",
|
|
"tileSettings": {
|
|
"showBorder": false,
|
|
"titleContent": {
|
|
"columnMatch": "Column1",
|
|
"formatter": 1
|
|
},
|
|
"leftContent": {
|
|
"columnMatch": "count_",
|
|
"formatter": 12,
|
|
"formatOptions": {
|
|
"palette": "auto"
|
|
},
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "selectedTab",
|
|
"comparison": "isEqualTo",
|
|
"value": "DDoS Investigate"
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 5"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "AzureDiagnostics\n| where \"{Resource:label}\" == \"All\" or Resource in~ (split(\"{Resource:label}\", \", \"))\n| where Category == \"DDoSMitigationFlowLogs\" \n| extend sourcePublicIpAddress_s = coalesce(column_ifexists(\"sourcePublicIpAddress_s\",\"\"),parse_json(AdditionalFields[\"sourcePublicIpAddress_s\"]))\n| summarize count() by TimeGenerated, sourcePublicIpAddress_s\n",
|
|
"size": 1,
|
|
"showAnnotations": true,
|
|
"showAnalytics": true,
|
|
"title": "Top Attacking IPs",
|
|
"timeContext": {
|
|
"durationMs": 2419200000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"timeBrushParameterName": "brushtime",
|
|
"exportFieldName": "Category",
|
|
"exportParameterName": "Category",
|
|
"exportToExcelOptions": "all",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspaces}"
|
|
],
|
|
"visualization": "areachart"
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "selectedTab",
|
|
"comparison": "isEqualTo",
|
|
"value": "DDoS Investigate"
|
|
},
|
|
"customWidth": "100",
|
|
"name": "query - 2"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "AzureDiagnostics\r\n| where Resource in~ (split(\"{Resource:label}\", \", \"))\r\n| where Category == \"DDoSProtectionNotifications\"\r\n| extend publicIpAddress_s = coalesce(parse_json(column_ifexists(\"publicIpAddress_s\",\"\")),parse_json(AdditionalFields[\"publicIpAddress\"]))\r\n| project Message , publicIpAddress_s , ResourceId, TimeGenerated",
|
|
"size": 0,
|
|
"showAnalytics": true,
|
|
"title": "DDoS Mitigation Activity",
|
|
"timeContext": {
|
|
"durationMs": 2419200000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspaces}"
|
|
],
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "ResourceId",
|
|
"formatter": 13,
|
|
"formatOptions": {
|
|
"linkColumn": "ResourceId",
|
|
"linkTarget": "Metrics",
|
|
"showIcon": true
|
|
}
|
|
}
|
|
],
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "TimeGenerated",
|
|
"sortOrder": 1
|
|
}
|
|
]
|
|
},
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "TimeGenerated",
|
|
"sortOrder": 1
|
|
}
|
|
]
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "selectedTab",
|
|
"comparison": "isEqualTo",
|
|
"value": "DDoS Investigate"
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 3"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "AzureDiagnostics\r\n| where Resource in~ (split(\"{Resource:label}\", \", \"))\r\n| where Category == \"DDoSMitigationReports\"\r\n| distinct IPAddress",
|
|
"size": 0,
|
|
"showAnalytics": true,
|
|
"title": "All Attacked IP Addresses - Select to Search Related",
|
|
"timeContext": {
|
|
"durationMs": 2419200000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"exportFieldName": "IPAddress",
|
|
"exportParameterName": "IPAddress",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspaces}"
|
|
],
|
|
"visualization": "table",
|
|
"gridSettings": {
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "IPAddress",
|
|
"sortOrder": 1
|
|
}
|
|
]
|
|
},
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "IPAddress",
|
|
"sortOrder": 1
|
|
}
|
|
],
|
|
"tileSettings": {
|
|
"titleContent": {
|
|
"columnMatch": "IPAddress",
|
|
"formatter": 12,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
"showBorder": false
|
|
}
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "selectedTab",
|
|
"comparison": "isEqualTo",
|
|
"value": "DDoS Investigate"
|
|
},
|
|
"customWidth": "25",
|
|
"name": "query - 7"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "search \"{IPAddress}\"\r\n| distinct Type",
|
|
"size": 0,
|
|
"showAnalytics": true,
|
|
"title": "Table Matches - Select to View Logs",
|
|
"noDataMessage": "Select an IP Address to discover related tables",
|
|
"timeContext": {
|
|
"durationMs": 2419200000
|
|
},
|
|
"timeContextFromParameter": "brushtime",
|
|
"exportFieldName": "Type",
|
|
"exportParameterName": "Type",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspaces}"
|
|
]
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "selectedTab",
|
|
"comparison": "isEqualTo",
|
|
"value": "DDoS Investigate"
|
|
},
|
|
"customWidth": "25",
|
|
"name": "query - 8"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "{Type}\r\n| search \"{IPAddress}\"\r\n| sort by TimeGenerated desc",
|
|
"size": 0,
|
|
"showAnalytics": true,
|
|
"title": "Logs Related to Attacked IP Address",
|
|
"timeContext": {
|
|
"durationMs": 2419200000
|
|
},
|
|
"timeContextFromParameter": "brushtime",
|
|
"showExportToExcel": true,
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspaces}"
|
|
],
|
|
"visualization": "table",
|
|
"gridSettings": {
|
|
"filter": true
|
|
}
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "selectedTab",
|
|
"comparison": "isEqualTo",
|
|
"value": "DDoS Investigate"
|
|
},
|
|
"name": "query - 9"
|
|
}
|
|
],
|
|
"fallbackResourceIds": [
|
|
""
|
|
],
|
|
"fromTemplateId": "sentinel-AzDDoSStandardWorkbook",
|
|
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
|
|
}