Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность
Azure-Sentinel/Workbooks/LinuxMachines.json

392 строки
18 KiB
JSON
Исходник Ответственный История

{
"version": "Notebook/1.0",
"items": [
{
"type": 1,
"content": {
"json": "## Linux Machines"
},
"name": "text - 0"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"query": "",
"crossComponentResources": [],
"parameters": [
{
"id": "1025a43d-241c-4e40-95dc-c9eb9c789bc5",
"version": "KqlParameterItem/1.0",
"name": "TimeRange",
"type": 4,
"isRequired": true,
"value": {
"durationMs": 1209600000
},
"typeSettings": {
"selectableValues": [
{
"durationMs": 300000
},
{
"durationMs": 900000
},
{
"durationMs": 1800000
},
{
"durationMs": 3600000
},
{
"durationMs": 14400000
},
{
"durationMs": 43200000
},
{
"durationMs": 86400000
},
{
"durationMs": 172800000
},
{
"durationMs": 259200000
},
{
"durationMs": 604800000
},
{
"durationMs": 1209600000
},
{
"durationMs": 2419200000
},
{
"durationMs": 2592000000
},
{
"durationMs": 5184000000
},
{
"durationMs": 7776000000
}
],
"allowCustom": true
}
},
{
"id": "bc241870-7874-4927-8c74-d17e747522b1",
"version": "KqlParameterItem/1.0",
"name": "Computer",
"type": 5,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "Syslog\r\n| summarize syslogEventsCount = count() by Computer\r\n| sort by syslogEventsCount desc\r\n| project Computer\r\n",
"value": [
"value::all"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
],
"selectAllValue": "All"
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
{
"id": "e073f36e-2fb5-421d-9099-217205b247f5",
"version": "KqlParameterItem/1.0",
"name": "Severity",
"type": 2,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"value": [
"value::all"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
],
"selectAllValue": "*"
},
"jsonData": "[\"Emergency\", \"Alert\", \"Critical\", \"Error\", \"Warning\", \"Notice\", \"Informational\", \"Debug\"]",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange"
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 1"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Syslog\r\n| summarize count() by SeverityLevel\r\n| extend severityNumber = iif(SeverityLevel == 'emerg' or SeverityLevel == 'panic', 0, iif(SeverityLevel == 'alert', 1, iif(SeverityLevel == 'crit', 2, iif(SeverityLevel == 'err' or SeverityLevel == 'error', 3, iif(SeverityLevel == 'warning' or SeverityLevel == 'warn', 4, iif(SeverityLevel == 'notice', 5, iif(SeverityLevel == 'info', 6, iif(SeverityLevel == 'debug', 7, 8))))))))\r\n| sort by severityNumber asc\r\n| extend Severity = iif(SeverityLevel == 'emerg' or SeverityLevel == 'panic', 'Emergency', iif(SeverityLevel == 'alert', 'Alert', iif(SeverityLevel == 'crit', 'Critical', iif(SeverityLevel == 'err' or SeverityLevel == 'error', 'Error', iif(SeverityLevel == 'warning' or SeverityLevel == 'warn', 'Warning', iif(SeverityLevel == 'notice', 'Notice', iif(SeverityLevel == 'info', 'Informational', iif(SeverityLevel == 'debug', 'Debug', 'Unknown'))))))))\r\n| project-away severityNumber\r\n| where \"*\" in ({Severity}) or Severity in ({Severity})\r\n",
"size": 4,
"exportToExcelOptions": "visible",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"tileSettings": {
"titleContent": {
"columnMatch": "SeverityLevel",
"formatter": 1,
"formatOptions": {
"showIcon": true
}
},
"leftContent": {
"columnMatch": "count_",
"formatter": 12,
"formatOptions": {
"palette": "hotCold",
"showIcon": true
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"maximumFractionDigits": 2,
"maximumSignificantDigits": 3
}
}
},
"showBorder": false,
"sortOrderField": 2
}
},
"name": "query - 2"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Syslog\r\n| where \"{Computer:lable}\" == \"All\" or Computer in ({Computer})\r\n| extend Severity = iif(SeverityLevel == 'emerg' or SeverityLevel == 'panic', 'Emergency', iif(SeverityLevel == 'alert', 'Alert', iif(SeverityLevel == 'crit', 'Critical', iif(SeverityLevel == 'err' or SeverityLevel == 'error', 'Error', iif(SeverityLevel == 'warning' or SeverityLevel == 'warn', 'Warning', iif(SeverityLevel == 'notice', 'Notice', iif(SeverityLevel == 'info', 'Informational', iif(SeverityLevel == 'debug', 'Debug', 'Unknown'))))))))\r\n| where \"*\" in ({Severity}) or Severity in ({Severity})\r\n| where SeverityLevel in (\"emerg\")\r\n| summarize count() by Computer, TimeGenerated\r\n",
"size": 1,
"exportToExcelOptions": "visible",
"title": "\"Emergency\" level events, by computer",
"noDataMessage": "No emergency events within the defined scope",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "timechart"
},
"customWidth": "33",
"name": "query - 2 - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Syslog\r\n| where \"{Computer:lable}\" == \"All\" or Computer in ({Computer})\r\n| extend Severity = iif(SeverityLevel == 'emerg' or SeverityLevel == 'panic', 'Emergency', iif(SeverityLevel == 'alert', 'Alert', iif(SeverityLevel == 'crit', 'Critical', iif(SeverityLevel == 'err' or SeverityLevel == 'error', 'Error', iif(SeverityLevel == 'warning' or SeverityLevel == 'warn', 'Warning', iif(SeverityLevel == 'notice', 'Notice', iif(SeverityLevel == 'info', 'Informational', iif(SeverityLevel == 'debug', 'Debug', 'Unknown'))))))))\r\n| where \"*\" in ({Severity}) or Severity in ({Severity})\r\n| where SeverityLevel in (\"crit\")\r\n| summarize count() by Computer, TimeGenerated\r\n",
"size": 1,
"exportToExcelOptions": "visible",
"title": "\"Critical\" level events, by computer",
"noDataMessage": "No critical events within the defined scope",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "timechart"
},
"customWidth": "33",
"name": "query - 2 - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Syslog\r\n| where \"{Computer:lable}\" == \"All\" or Computer in ({Computer})\r\n| extend Severity = iif(SeverityLevel == 'emerg' or SeverityLevel == 'panic', 'Emergency', iif(SeverityLevel == 'alert', 'Alert', iif(SeverityLevel == 'crit', 'Critical', iif(SeverityLevel == 'err' or SeverityLevel == 'error', 'Error', iif(SeverityLevel == 'warning' or SeverityLevel == 'warn', 'Warning', iif(SeverityLevel == 'notice', 'Notice', iif(SeverityLevel == 'info', 'Informational', iif(SeverityLevel == 'debug', 'Debug', 'Unknown'))))))))\r\n| where \"*\" in ({Severity}) or Severity in ({Severity})\r\n| where SeverityLevel in (\"alert\")\r\n| summarize count() by Computer, TimeGenerated\r\n",
"size": 1,
"exportToExcelOptions": "visible",
"title": "\"Alert\" level events, by computer",
"noDataMessage": "No alert events within the defined scope",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "timechart"
},
"customWidth": "33",
"name": "query - 2 - Copy - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Syslog\r\n| where Computer in ({Computer})\r\n| extend Severity = iif(SeverityLevel == 'emerg' or SeverityLevel == 'panic', 'Emergency', iif(SeverityLevel == 'alert', 'Alert', iif(SeverityLevel == 'crit', 'Critical', iif(SeverityLevel == 'err' or SeverityLevel == 'error', 'Error', iif(SeverityLevel == 'warning' or SeverityLevel == 'warn', 'Warning', iif(SeverityLevel == 'notice', 'Notice', iif(SeverityLevel == 'info', 'Informational', iif(SeverityLevel == 'debug', 'Debug', 'Unknown'))))))))\r\n| extend SeverityNumber = iif(SeverityLevel == 'emerg' or SeverityLevel == 'panic', 0, iif(SeverityLevel == 'alert', 1, iif(SeverityLevel == 'crit', 2, iif(SeverityLevel == 'err' or SeverityLevel == 'error', 3, iif(SeverityLevel == 'warning' or SeverityLevel == 'warn', 4, iif(SeverityLevel == 'notice', 5, iif(SeverityLevel == 'info', 6, iif(SeverityLevel == 'debug', 7, 8))))))))\r\n| where Severity in ({Severity})\r\n|extend Computer = iif(isempty(_ResourceId), Computer, _ResourceId)\r\n| project TimeGenerated, Computer, SeverityLevel, SeverityNumber, Facility, HostIP, ProcessNameAndID = strcat(ProcessName, ' (', iff(isempty(ProcessID), \"-\", tostring(ProcessID)), ')') \r\n",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Events",
"noDataMessage": "No events",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "TimeGenerated",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Computer",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "SeverityLevel",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "SeverityNumber",
"formatter": 8,
"formatOptions": {
"min": 7,
"max": 0,
"palette": "redDark",
"showIcon": true
}
},
{
"columnMatch": "Facility",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "HostIP",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "ProcessNameAndID",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
}
],
"labelSettings": []
}
},
"name": "query - 2 - Copy - Copy - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Syslog\r\n| where \"{Computer:lable}\" == \"All\" or Computer in ({Computer})\r\n| extend Severity = iif(SeverityLevel == 'emerg' or SeverityLevel == 'panic', 'Emergency', iif(SeverityLevel == 'alert', 'Alert', iif(SeverityLevel == 'crit', 'Critical', iif(SeverityLevel == 'err' or SeverityLevel == 'error', 'Error', iif(SeverityLevel == 'warning' or SeverityLevel == 'warn', 'Warning', iif(SeverityLevel == 'notice', 'Notice', iif(SeverityLevel == 'info', 'Informational', iif(SeverityLevel == 'debug', 'Debug', 'Unknown'))))))))\r\n| where \"*\" in ({Severity}) or Severity in ({Severity})\r\n| summarize count() by SyslogMessage\r\n",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Syslog messages of events",
"noDataMessage": "No messages",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "50",
"name": "query - 7"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Syslog\r\n| where \"{Computer:lable}\" == \"All\" or Computer in ({Computer})\r\n| extend Severity = iif(SeverityLevel == 'emerg' or SeverityLevel == 'panic', 'Emergency', iif(SeverityLevel == 'alert', 'Alert', iif(SeverityLevel == 'crit', 'Critical', iif(SeverityLevel == 'err' or SeverityLevel == 'error', 'Error', iif(SeverityLevel == 'warning' or SeverityLevel == 'warn', 'Warning', iif(SeverityLevel == 'notice', 'Notice', iif(SeverityLevel == 'info', 'Informational', iif(SeverityLevel == 'debug', 'Debug', 'Unknown'))))))))\r\n| where \"*\" in ({Severity}) or Severity in ({Severity})\r\n| summarize count() by Facility, ProcessName\r\n| project Process = strcat(ProcessName, ' (', Facility, ')'), Count = count_ \r\n",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Process names of events",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "50",
"name": "query - 11"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Syslog\r\n| where \"{Computer:lable}\" == \"All\" or Computer in ({Computer})\r\n| extend Severity = iif(SeverityLevel == 'emerg' or SeverityLevel == 'panic', 'Emergency', iif(SeverityLevel == 'alert', 'Alert', iif(SeverityLevel == 'crit', 'Critical', iif(SeverityLevel == 'err' or SeverityLevel == 'error', 'Error', iif(SeverityLevel == 'warning' or SeverityLevel == 'warn', 'Warning', iif(SeverityLevel == 'notice', 'Notice', iif(SeverityLevel == 'info', 'Informational', iif(SeverityLevel == 'debug', 'Debug', 'Unknown'))))))))\r\n| where \"*\" in ({Severity}) or Severity in ({Severity})\r\n| summarize count() by Facility, SeverityLevel\r\n",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Event distribution, by facility",
"noDataMessage": "No events",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "50",
"name": "query - 7 - Copy - Copy - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Syslog\r\n| where \"{Computer:lable}\" == \"All\" or Computer in ({Computer})\r\n| extend Severity = iif(SeverityLevel == 'emerg' or SeverityLevel == 'panic', 'Emergency', iif(SeverityLevel == 'alert', 'Alert', iif(SeverityLevel == 'crit', 'Critical', iif(SeverityLevel == 'err' or SeverityLevel == 'error', 'Error', iif(SeverityLevel == 'warning' or SeverityLevel == 'warn', 'Warning', iif(SeverityLevel == 'notice', 'Notice', iif(SeverityLevel == 'info', 'Informational', iif(SeverityLevel == 'debug', 'Debug', 'Unknown'))))))))\r\n| where \"*\" in ({Severity}) or Severity in ({Severity})\r\n| summarize count() by Facility, SeverityLevel",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Severity levels, by facility",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "categoricalbar"
},
"customWidth": "50",
"name": "query - 11 - Copy"
}
],
"styleSettings": {},
"fromTemplateId": "sentinel-LinuxMachines",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}
Ссылка в новой задаче Показать git blame Копировать постоянную ссылку