{
|
|
"version": "Notebook/1.0",
|
|
"items": [
|
|
{
|
|
"type": 9,
|
|
"content": {
|
|
"version": "KqlParameterItem/1.0",
|
|
"parameters": [
|
|
{
|
|
"id": "5d84a856-8fc4-4bb1-8f7d-ca97d9a780bb",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "TimeRange",
|
|
"type": 4,
|
|
"isRequired": true,
|
|
"value": {
|
|
"durationMs": 86400000
|
|
},
|
|
"typeSettings": {
|
|
"selectableValues": [
|
|
{
|
|
"durationMs": 300000
|
|
},
|
|
{
|
|
"durationMs": 900000
|
|
},
|
|
{
|
|
"durationMs": 1800000
|
|
},
|
|
{
|
|
"durationMs": 3600000
|
|
},
|
|
{
|
|
"durationMs": 14400000
|
|
},
|
|
{
|
|
"durationMs": 43200000
|
|
},
|
|
{
|
|
"durationMs": 86400000
|
|
},
|
|
{
|
|
"durationMs": 172800000
|
|
},
|
|
{
|
|
"durationMs": 259200000
|
|
},
|
|
{
|
|
"durationMs": 604800000
|
|
},
|
|
{
|
|
"durationMs": 1209600000
|
|
},
|
|
{
|
|
"durationMs": 2419200000
|
|
},
|
|
{
|
|
"durationMs": 2592000000
|
|
},
|
|
{
|
|
"durationMs": 5184000000
|
|
},
|
|
{
|
|
"durationMs": 7776000000
|
|
}
|
|
]
|
|
},
|
|
"timeContext": {
|
|
"durationMs": 86400000
|
|
}
|
|
}
|
|
],
|
|
"style": "pills",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
"name": "parameters - 2"
|
|
},
|
|
{
|
|
"type": 11,
|
|
"content": {
|
|
"version": "LinkItem/1.0",
|
|
"style": "tabs",
|
|
"links": [
|
|
{
|
|
"cellValue": "Tab",
|
|
"linkTarget": "parameter",
|
|
"linkLabel": "Overview",
|
|
"subTarget": "Overview",
|
|
"style": "link"
|
|
},
|
|
{
|
|
"cellValue": "Tab",
|
|
"linkTarget": "parameter",
|
|
"linkLabel": "Conversation Partners",
|
|
"subTarget": "ConversationPartners",
|
|
"style": "link"
|
|
},
|
|
{
|
|
"cellValue": "Tab",
|
|
"linkTarget": "parameter",
|
|
"linkLabel": "Traffic Analysis",
|
|
"subTarget": "TrafficAnalysis",
|
|
"style": "link"
|
|
},
|
|
{
|
|
"cellValue": "Tab",
|
|
"linkTarget": "parameter",
|
|
"linkLabel": "Top-N",
|
|
"subTarget": "TopN",
|
|
"style": "link"
|
|
},
|
|
{
|
|
"cellValue": "Tab",
|
|
"linkTarget": "parameter",
|
|
"linkLabel": "Geo Location",
|
|
"subTarget": "GeoLocation",
|
|
"style": "link"
|
|
}
|
|
]
|
|
},
|
|
"name": "links - 4"
|
|
},
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"title": "IP Version and Protocols (Sum of Bytes)",
|
|
"items": [
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "netflow_CL\n| summarize Sum = sum(netflow_in_bytes_d) by netflow_ip_protocol_version_d\n| extend IPVersion = iff(netflow_ip_protocol_version_d == 4, \"4\", iff(netflow_ip_protocol_version_d == 6, \"6\", \"Unknown\"))\n| project IPVersion, Sum",
|
|
"size": 4,
|
|
"timeContext": {
|
|
"durationMs": 86400000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "piechart"
|
|
},
|
|
"name": "query - 2",
|
|
"styleSettings": {
|
|
"maxWidth": "50%"
|
|
}
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "let data = externaldata (Decimal:int, Keyword:string) [\"https://www.iana.org/assignments/protocol-numbers/protocol-numbers-1.csv\"]\nwith(ignorefirstrecord=true);\nnetflow_CL\n| extend NetflowProtocol = toint(netflow_protocol_d)\n| summarize Sum = sum(netflow_in_bytes_d) by NetflowProtocol\n| join (\ndata\n ) on $left.NetflowProtocol == $right.Decimal\n | project-rename Protocol = Keyword\n | project Protocol, Sum\n",
|
|
"size": 4,
|
|
"timeContext": {
|
|
"durationMs": 86400000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "piechart"
|
|
},
|
|
"name": "query - 3",
|
|
"styleSettings": {
|
|
"maxWidth": "50%"
|
|
}
|
|
}
|
|
]
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "Tab",
|
|
"comparison": "isEqualTo",
|
|
"value": "Overview"
|
|
},
|
|
"name": "group - 4"
|
|
},
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"title": "Destinations and Ports (Sum of Bytes)",
|
|
"items": [
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": " netflow_CL\n | where isnotempty(netflow_ipv4_dst_addr_s)\n | summarize Sum = sum(netflow_in_bytes_d) by netflow_ipv4_dst_addr_s\n | project-rename DestinationIP = netflow_ipv4_dst_addr_s",
|
|
"size": 2,
|
|
"timeContext": {
|
|
"durationMs": 86400000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "piechart"
|
|
},
|
|
"name": "query - 0",
|
|
"styleSettings": {
|
|
"maxWidth": "50%"
|
|
}
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "let data = externaldata (ServiceName:string, PortNumber:int) [\"https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.csv\"]\nwith(ignorefirstrecord=true);\nnetflow_CL\n| where isnotempty(netflow_l4_dst_port_d)\n| where netflow_l4_dst_port_d != 0\n| summarize Sum = sum(netflow_in_bytes_d) by netflow_l4_dst_port_d\n| extend Port = toint(netflow_l4_dst_port_d)\n| join (\ndata\n ) on $left.Port == $right.PortNumber\n | extend ServicePort = tostring(Port)\n | project ServicePort, Sum\n \n \n",
|
|
"size": 2,
|
|
"timeContext": {
|
|
"durationMs": 86400000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "piechart"
|
|
},
|
|
"name": "query - 1",
|
|
"styleSettings": {
|
|
"maxWidth": "50%"
|
|
}
|
|
}
|
|
]
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "Tab",
|
|
"comparison": "isEqualTo",
|
|
"value": "Overview"
|
|
},
|
|
"name": "group - 3"
|
|
},
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"title": "Sources and Ports (Sum of Bytes)",
|
|
"items": [
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": " netflow_CL\n | where isnotempty(netflow_ipv4_src_addr_s)\n | summarize Sum = sum(netflow_in_bytes_d) by netflow_ipv4_src_addr_s\n | project-rename SourceIP = netflow_ipv4_src_addr_s",
|
|
"size": 3,
|
|
"timeContext": {
|
|
"durationMs": 86400000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "piechart"
|
|
},
|
|
"name": "query - 0",
|
|
"styleSettings": {
|
|
"maxWidth": "50%"
|
|
}
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "let data = externaldata (ServiceName:string, PortNumber:int) [\"https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.csv\"]\nwith(ignorefirstrecord=true);\nnetflow_CL\n| where isnotempty(netflow_l4_src_port_d)\n| where netflow_l4_src_port_d != 0\n| summarize Sum = sum(netflow_in_bytes_d) by netflow_l4_src_port_d\n| extend Port = toint(netflow_l4_src_port_d)\n| join (\ndata\n ) on $left.Port == $right.PortNumber\n | extend ServicePort = tostring(Port)\n | project ServicePort, Sum\n \n \n",
|
|
"size": 3,
|
|
"timeContext": {
|
|
"durationMs": 86400000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "piechart"
|
|
},
|
|
"name": "query - 1",
|
|
"styleSettings": {
|
|
"maxWidth": "50%"
|
|
}
|
|
}
|
|
]
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "Tab",
|
|
"comparison": "isEqualTo",
|
|
"value": "Overview"
|
|
},
|
|
"name": "group - 3 - Copy"
|
|
},
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"title": "TCP Flags and Types of Service (Sum of Bytes)",
|
|
"items": [
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "netflow_CL\n| where isnotempty(netflow_tcp_flags_d)\n| summarize Sum = sum(netflow_in_bytes_d) by netflow_tcp_flags_d\n| extend TCPFlags = toint(netflow_tcp_flags_d)\n| project tostring(TCPFlags), Sum\n",
|
|
"size": 3,
|
|
"timeContext": {
|
|
"durationMs": 86400000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "piechart"
|
|
},
|
|
"name": "query - 0",
|
|
"styleSettings": {
|
|
"maxWidth": "50%"
|
|
}
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "netflow_CL\n| where isnotempty(netflow_src_tos_d)\n| summarize Sum = sum(netflow_in_bytes_d) by netflow_src_tos_d\n| extend TOS = toint(netflow_src_tos_d)\n| project tostring(TOS), Sum",
|
|
"size": 3,
|
|
"timeContext": {
|
|
"durationMs": 86400000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "piechart"
|
|
},
|
|
"name": "query - 1",
|
|
"styleSettings": {
|
|
"maxWidth": "50%"
|
|
}
|
|
}
|
|
]
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "Tab",
|
|
"comparison": "isEqualTo",
|
|
"value": "Overview"
|
|
},
|
|
"name": "group - 3 - Copy - Copy"
|
|
},
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"title": "ASN and Location (Sum of Bytes)",
|
|
"items": [
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "netflow_CL\n| summarize Sum = sum(netflow_in_bytes_d) by netflow_destinationASN_as_org_s",
|
|
"size": 3,
|
|
"timeContext": {
|
|
"durationMs": 86400000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "piechart"
|
|
},
|
|
"name": "query - 0",
|
|
"styleSettings": {
|
|
"maxWidth": "50%"
|
|
}
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "netflow_CL\n| summarize Sum = sum(netflow_in_bytes_d) by netflow_destinationGeo_country_code2_s, netflow_destinationGeo_city_name_s\n| extend City = iff(isempty(netflow_destinationGeo_city_name_s), \"Other\", netflow_destinationGeo_city_name_s)\n| extend Country = iff(isempty(netflow_destinationGeo_country_code2_s), \"Other\", netflow_destinationGeo_country_code2_s)\n| extend Location = strcat(City, \", \", Country)\n| project Location, Sum\n\n",
|
|
"size": 3,
|
|
"timeContext": {
|
|
"durationMs": 86400000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "piechart"
|
|
},
|
|
"name": "query - 1",
|
|
"styleSettings": {
|
|
"maxWidth": "50%"
|
|
}
|
|
}
|
|
]
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "Tab",
|
|
"comparison": "isEqualTo",
|
|
"value": "Overview"
|
|
},
|
|
"name": "group - 3 - Copy - Copy - Copy"
|
|
},
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"title": "Sources and Destinations (Sum of Bytes)",
|
|
"items": [
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "netflow_CL\n| summarize Sum = sum(netflow_in_bytes_d) by netflow_ipv4_src_addr_s\n| sort by Sum desc",
|
|
"size": 3,
|
|
"timeContext": {
|
|
"durationMs": 86400000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "piechart"
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 0"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "netflow_CL\n| summarize Sum = sum(netflow_in_bytes_d) by netflow_ipv4_dst_addr_s\n| sort by Sum desc",
|
|
"size": 3,
|
|
"timeContext": {
|
|
"durationMs": 86400000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "piechart"
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 1"
|
|
}
|
|
]
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "Tab",
|
|
"comparison": "isEqualTo",
|
|
"value": "ConversationPartners"
|
|
},
|
|
"name": "group - 3 - Copy - Copy - Copy - Copy"
|
|
},
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"title": "Source and Destination Ports (Sum of Bytes)",
|
|
"items": [
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "netflow_CL\n| summarize Sum = sum(netflow_in_bytes_d) by netflow_l4_src_port_d\n| extend SourcePort = toint(netflow_l4_src_port_d)\n| project tostring(SourcePort), Sum\n| sort by Sum desc",
|
|
"size": 3,
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "piechart"
|
|
},
|
|
"name": "query - 0"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "netflow_CL\n| summarize Sum = sum(netflow_in_bytes_d) by netflow_l4_dst_port_d\n| extend DestinationPort = toint(netflow_l4_dst_port_d)\n| project tostring(DestinationPort), Sum\n| sort by Sum desc",
|
|
"size": 3,
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "piechart"
|
|
},
|
|
"name": "query - 1"
|
|
}
|
|
]
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "Tab",
|
|
"comparison": "isEqualTo",
|
|
"value": "ConversationPartners"
|
|
},
|
|
"name": "group - 8"
|
|
},
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"title": "Conversation Partners",
|
|
"items": [
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "netflow_CL\n| summarize MB = sum(netflow_in_bytes_d)/1024/1024, Packets = sum(netflow_in_pkts_d), Records = count() by Source = netflow_ipv4_src_addr_s, Destination = netflow_ipv4_dst_addr_s\n| sort by MB desc",
|
|
"size": 0,
|
|
"timeContext": {
|
|
"durationMs": 86400000
|
|
},
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "MB",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "blue"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Packets",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "orange"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Records",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "green"
|
|
}
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"name": "query - 0"
|
|
}
|
|
]
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "Tab",
|
|
"comparison": "isEqualTo",
|
|
"value": "ConversationPartners"
|
|
},
|
|
"name": "group - 10"
|
|
},
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"title": "Sources",
|
|
"items": [
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "netflow_CL\n| where isnotempty(netflow_ipv4_src_addr_s)\n| summarize MB = sum(netflow_in_bytes_d)/1024/1024 by SourceIP = netflow_ipv4_src_addr_s\n| sort by MB desc",
|
|
"size": 4,
|
|
"title": "Sources by MB",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "piechart"
|
|
},
|
|
"customWidth": "50",
|
|
"name": "SourcesbyMB"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "netflow_CL\n| where isnotempty(netflow_ipv4_src_addr_s)\n| distinct netflow_ipv4_src_addr_s\n| count\n| extend SourceIP = \"Count of Source IPs\"\n",
|
|
"size": 3,
|
|
"timeContext": {
|
|
"durationMs": 86400000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "tiles",
|
|
"tileSettings": {
|
|
"titleContent": {
|
|
"columnMatch": "SourceIP",
|
|
"formatter": 1
|
|
},
|
|
"leftContent": {
|
|
"columnMatch": "Count",
|
|
"formatter": 12,
|
|
"formatOptions": {
|
|
"palette": "blue"
|
|
}
|
|
},
|
|
"showBorder": false
|
|
}
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 1"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "let data = netflow_CL\n| where isnotempty(netflow_ipv4_src_addr_s)\n| summarize MB = sum(netflow_in_bytes_d)/1024/1024 by SourceIP = netflow_ipv4_src_addr_s\n| top 10 by MB\n| project SourceIP;\n netflow_CL\n | where netflow_ipv4_src_addr_s in (data)\n | summarize MB = sum(netflow_in_bytes_d)/1024/1024 by SourceIP = netflow_ipv4_src_addr_s, bin(TimeGenerated, 1m)",
|
|
"size": 3,
|
|
"title": "Source by MB Over Time",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "linechart"
|
|
},
|
|
"customWidth": "100",
|
|
"name": "SourcebyMBoverTime"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "let data = netflow_CL\n| where isnotempty(netflow_in_pkts_d)\n| summarize Count = sum(netflow_in_pkts_d) by SourceIP = netflow_ipv4_src_addr_s\n| top 10 by Count\n| project SourceIP;\n netflow_CL\n | where netflow_ipv4_src_addr_s in (data)\n | summarize Count = sum(netflow_in_pkts_d) by SourceIP = netflow_ipv4_src_addr_s, bin(TimeGenerated, 1m)",
|
|
"size": 3,
|
|
"title": "Source by Packet Count Over Time",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "linechart"
|
|
},
|
|
"name": "SourcebyPacketCountoverTime"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "netflow_CL\n| where isnotempty(netflow_l4_src_port_d)\n| summarize MB = sum(netflow_in_bytes_d)/1024/1024 by SourcePort = netflow_l4_src_port_d\n| project tostring(SourcePort), MB\n| sort by MB desc",
|
|
"size": 4,
|
|
"title": "Source by Port",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "piechart"
|
|
},
|
|
"customWidth": "50",
|
|
"name": "SourcebyPort"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "netflow_CL\n| where isnotempty(netflow_l4_src_port_d)\n| distinct netflow_l4_src_port_d\n| count\n| extend SourcePorts = \"Count of Source Ports\"\n",
|
|
"size": 3,
|
|
"timeContext": {
|
|
"durationMs": 86400000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "tiles",
|
|
"tileSettings": {
|
|
"titleContent": {
|
|
"columnMatch": "SourcePorts",
|
|
"formatter": 1
|
|
},
|
|
"leftContent": {
|
|
"columnMatch": "Count",
|
|
"formatter": 12,
|
|
"formatOptions": {
|
|
"palette": "blue"
|
|
}
|
|
},
|
|
"showBorder": false
|
|
}
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 1"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "let data = netflow_CL\n| where isnotempty(netflow_l4_src_port_d)\n| summarize bytes = sum(netflow_in_bytes_d) by SourcePort = netflow_l4_src_port_d\n| top 10 by bytes;\n netflow_CL\n | where netflow_l4_src_port_d in (data)\n | summarize MB = sum(netflow_in_bytes_d)/1024/1024 by SourcePort = netflow_l4_src_port_d, bin(TimeGenerated, 1m)\n | project tostring(SourcePort), MB, TimeGenerated\n",
|
|
"size": 3,
|
|
"title": "Source Port by MB Over Time",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "linechart"
|
|
},
|
|
"customWidth": "100",
|
|
"name": "SourcePortbyMBoverTime"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "let data = netflow_CL\n| where isnotempty(netflow_in_pkts_d)\n| summarize Count = sum(netflow_in_pkts_d) by SourcePort = netflow_l4_src_port_d\n| top 10 by Count\n| project SourcePort;\n netflow_CL\n | where netflow_l4_src_port_d in (data)\n | summarize Count = sum(netflow_in_pkts_d) by SourcePort = tostring(netflow_l4_src_port_d), bin(TimeGenerated, 1m)",
|
|
"size": 3,
|
|
"title": "Source Port by Count Over Time",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "linechart"
|
|
},
|
|
"name": "SourcePortbyCountoverTime"
|
|
}
|
|
]
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "Tab",
|
|
"comparison": "isEqualTo",
|
|
"value": "TrafficAnalysis"
|
|
},
|
|
"name": "Sources"
|
|
},
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"title": "Destinations",
|
|
"items": [
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "netflow_CL\n| where isnotempty(netflow_ipv4_dst_addr_s)\n| summarize MB = sum(netflow_in_bytes_d)/1024/1024 by DestinationIP = netflow_ipv4_dst_addr_s\n| sort by MB desc",
|
|
"size": 4,
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "piechart"
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 0"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "netflow_CL\n| where isnotempty(netflow_ipv4_dst_addr_s)\n| distinct netflow_ipv4_dst_addr_s\n| count\n| extend SourceIP = \"Count of Destination IPs\"\n",
|
|
"size": 3,
|
|
"timeContext": {
|
|
"durationMs": 86400000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "tiles",
|
|
"tileSettings": {
|
|
"titleContent": {
|
|
"columnMatch": "SourceIP",
|
|
"formatter": 1
|
|
},
|
|
"leftContent": {
|
|
"columnMatch": "Count",
|
|
"formatter": 12,
|
|
"formatOptions": {
|
|
"palette": "blue"
|
|
}
|
|
},
|
|
"showBorder": false
|
|
}
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 1"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "let data = netflow_CL\n| where isnotempty(netflow_ipv4_dst_addr_s)\n| summarize MB = sum(netflow_in_bytes_d)/1024/1024 by DestinationIP = netflow_ipv4_dst_addr_s\n| top 10 by MB\n| project DestinationIP;\n netflow_CL\n | where netflow_ipv4_dst_addr_s in (data)\n | summarize MB = sum(netflow_in_bytes_d)/1024/1024 by DestinationIP = netflow_ipv4_dst_addr_s, bin(TimeGenerated, 1m)",
|
|
"size": 3,
|
|
"title": "Destination by MB Over Time",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "linechart"
|
|
},
|
|
"name": "DestinationbyMBoverTime"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "let data = netflow_CL\n| where isnotempty(netflow_in_pkts_d)\n| summarize Count = sum(netflow_in_pkts_d) by DestinationIP = netflow_ipv4_dst_addr_s\n| top 10 by Count\n| project DestinationIP;\n netflow_CL\n | where netflow_ipv4_dst_addr_s in (data)\n | summarize Count = sum(netflow_in_pkts_d) by DestinationIP = netflow_ipv4_dst_addr_s, bin(TimeGenerated, 1m)",
|
|
"size": 3,
|
|
"title": "Destination by Packet Count Over Time",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "linechart"
|
|
},
|
|
"name": "DestinationbyPacketCountoverTime"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "netflow_CL\n| where isnotempty(netflow_l4_dst_port_d)\n| summarize MB = sum(netflow_in_bytes_d)/1024/1024 by DestinationPort = tostring(netflow_l4_dst_port_d)\n| sort by MB desc",
|
|
"size": 4,
|
|
"title": "Destination Port by MB",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "piechart"
|
|
},
|
|
"customWidth": "50",
|
|
"name": "DestinationbyMB"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "netflow_CL\n| where isnotempty(netflow_l4_dst_port_d)\n| distinct netflow_l4_dst_port_d\n| count\n| extend SourcePorts = \"Count of Destination Ports\"\n",
|
|
"size": 4,
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "tiles",
|
|
"tileSettings": {
|
|
"titleContent": {
|
|
"columnMatch": "SourcePorts",
|
|
"formatter": 1
|
|
},
|
|
"leftContent": {
|
|
"columnMatch": "Count",
|
|
"formatter": 12,
|
|
"formatOptions": {
|
|
"palette": "blue"
|
|
}
|
|
},
|
|
"showBorder": false
|
|
}
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 8"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "let data = netflow_CL\n| where isnotempty(netflow_l4_dst_port_d)\n| summarize MB = sum(netflow_in_bytes_d)/1024/1024 by DestinationPort = netflow_l4_dst_port_d\n| top 10 by MB\n| project DestinationPort;\n netflow_CL\n | where netflow_l4_dst_port_d in (data)\n | summarize MB = sum(netflow_in_bytes_d)/1024/1024 by DestinationPort = tostring(netflow_l4_dst_port_d), bin(TimeGenerated, 1m)",
|
|
"size": 3,
|
|
"title": "Destination Port by MB Over Time",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "linechart"
|
|
},
|
|
"name": "DestinationPortbyMBoverTime"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "let data = netflow_CL\n| where isnotempty(netflow_in_pkts_d)\n| summarize Count = sum(netflow_in_pkts_d) by DestinationPort = netflow_l4_dst_port_d\n| top 10 by Count\n| project DestinationPort;\n netflow_CL\n | where netflow_l4_dst_port_d in (data)\n | summarize Count = sum(netflow_in_pkts_d) by DestinationPort = tostring(netflow_l4_dst_port_d), bin(TimeGenerated, 1m)",
|
|
"size": 3,
|
|
"title": "Destination Port by Packet Count Over Time",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "linechart"
|
|
},
|
|
"name": "DestinationPortbyPacketCountoverTime"
|
|
}
|
|
]
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "Tab",
|
|
"comparison": "isEqualTo",
|
|
"value": "TrafficAnalysis"
|
|
},
|
|
"name": "group - 11 - Copy"
|
|
},
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"title": "ASNs",
|
|
"items": [
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "netflow_CL\n| where isnotempty(netflow_destinationASN_asn_d)\n| summarize MB = sum(netflow_in_bytes_d)/1024/1024 by ASN = tostring(netflow_destinationASN_as_org_s)\n| sort by MB desc",
|
|
"size": 4,
|
|
"title": "ASNs by MB",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "piechart"
|
|
},
|
|
"customWidth": "50",
|
|
"name": "ASNsbyMB"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "netflow_CL\n| where isnotempty(netflow_destinationASN_asn_d)\n| distinct netflow_destinationASN_as_org_s\n| count\n| extend ASN = \"Count of ASNs\"\n",
|
|
"size": 3,
|
|
"timeContext": {
|
|
"durationMs": 86400000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "tiles",
|
|
"tileSettings": {
|
|
"titleContent": {
|
|
"columnMatch": "ASN",
|
|
"formatter": 1
|
|
},
|
|
"leftContent": {
|
|
"columnMatch": "Count",
|
|
"formatter": 12,
|
|
"formatOptions": {
|
|
"palette": "blue"
|
|
}
|
|
},
|
|
"showBorder": false
|
|
}
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 1"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "let data = netflow_CL\n| where isnotempty(netflow_destinationASN_asn_d)\n| summarize bytes = sum(netflow_in_bytes_d) by ASN = netflow_destinationASN_asn_d\n| top 10 by bytes\n| project ASN;\n netflow_CL\n | where netflow_destinationASN_asn_d in (data)\n | summarize MB = sum(netflow_in_bytes_d)/1024/1024 by ASN = netflow_destinationASN_as_org_s, bin(TimeGenerated, 1m)",
|
|
"size": 3,
|
|
"title": "ASNs by MB Over Time",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "linechart"
|
|
},
|
|
"name": "ASNsbyMBoverTime"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "let data = netflow_CL\n| where isnotempty(netflow_in_pkts_d)\n| summarize Count = sum(netflow_in_pkts_d) by ASN = netflow_destinationASN_asn_d\n| top 10 by Count\n| project ASN;\n netflow_CL\n | where netflow_destinationASN_asn_d in (data)\n | summarize Count = sum(netflow_in_pkts_d) by ASN = netflow_destinationASN_as_org_s, bin(TimeGenerated, 1m)",
|
|
"size": 3,
|
|
"title": "ASNs by Packet Count Over Time",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "linechart"
|
|
},
|
|
"name": "ASNsbyPacketCountoverTime"
|
|
}
|
|
]
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "Tab",
|
|
"comparison": "isEqualTo",
|
|
"value": "TrafficAnalysis"
|
|
},
|
|
"name": "group - 11 - Copy - Copy - Copy"
|
|
},
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"title": "Countries and Cities",
|
|
"items": [
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "netflow_CL\n| where isnotempty(netflow_destinationGeo_country_code2_s)\n| summarize MB = sum(netflow_in_bytes_d)/1024/1024 by Country = netflow_destinationGeo_country_code2_s\n| sort by MB desc",
|
|
"size": 4,
|
|
"title": "Country by MB",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "piechart"
|
|
},
|
|
"customWidth": "50",
|
|
"name": "CountrybyMB"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "netflow_CL\n| where isnotempty(netflow_destinationGeo_country_code2_s)\n| distinct netflow_destinationGeo_country_code2_s\n| count\n| extend Country = \"Count of Countries\"\n",
|
|
"size": 3,
|
|
"timeContext": {
|
|
"durationMs": 86400000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "tiles",
|
|
"tileSettings": {
|
|
"titleContent": {
|
|
"columnMatch": "Country",
|
|
"formatter": 1
|
|
},
|
|
"leftContent": {
|
|
"columnMatch": "Count",
|
|
"formatter": 12,
|
|
"formatOptions": {
|
|
"palette": "blue"
|
|
}
|
|
},
|
|
"showBorder": false
|
|
}
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 1"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "let data = netflow_CL\n| where isnotempty(netflow_destinationGeo_country_code2_s)\n| summarize MB = sum(netflow_in_bytes_d)/1024/1024 by Country = netflow_destinationGeo_country_code2_s\n| top 10 by MB\n| project Country;\n netflow_CL\n | where netflow_destinationGeo_country_code2_s in (data)\n | summarize MB = sum(netflow_in_bytes_d)/1024/1024 by Country = netflow_destinationGeo_country_code2_s, bin(TimeGenerated, 1m)",
|
|
"size": 3,
|
|
"title": "Country by MB Over Time",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "linechart"
|
|
},
|
|
"name": "CountrybyMBOverTime"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "let data = netflow_CL\n| where isnotempty(netflow_in_pkts_d)\n| summarize Count = sum(netflow_in_pkts_d) by Country = netflow_destinationGeo_country_code2_s\n| top 10 by Count\n| project Country;\n netflow_CL\n | where netflow_destinationGeo_country_code2_s in (data)\n | summarize Count = sum(netflow_in_pkts_d) by Country = netflow_destinationGeo_country_code2_s, bin(TimeGenerated, 1m)",
|
|
"size": 3,
|
|
"timeContext": {
|
|
"durationMs": 86400000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "linechart"
|
|
},
|
|
"name": "query - 3"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "netflow_CL\n| where isnotempty(netflow_destinationGeo_city_name_s)\n| summarize MB = sum(netflow_in_bytes_d)/1024/1024 by City = netflow_destinationGeo_city_name_s\n| sort by MB desc",
|
|
"size": 4,
|
|
"title": "City by MB",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "piechart"
|
|
},
|
|
"customWidth": "50",
|
|
"name": "CitybyMB"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "netflow_CL\n| where isnotempty(netflow_destinationGeo_city_name_s)\n| distinct netflow_destinationGeo_city_name_s\n| count\n| extend City = \"Count of Cities\"\n",
|
|
"size": 3,
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "tiles",
|
|
"tileSettings": {
|
|
"titleContent": {
|
|
"columnMatch": "City",
|
|
"formatter": 1
|
|
},
|
|
"leftContent": {
|
|
"columnMatch": "Count",
|
|
"formatter": 12,
|
|
"formatOptions": {
|
|
"palette": "blue"
|
|
}
|
|
},
|
|
"showBorder": false
|
|
}
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 1"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "let data = netflow_CL\n| where isnotempty(netflow_destinationGeo_city_name_s)\n| summarize MB = sum(netflow_in_bytes_d)/1024/1024 by City = netflow_destinationGeo_city_name_s\n| top 10 by MB\n| project City;\n netflow_CL\n | where netflow_destinationGeo_city_name_s in (data)\n | summarize MB = sum(netflow_in_bytes_d)/1024/1024 by City = netflow_destinationGeo_city_name_s, bin(TimeGenerated, 1m)",
|
|
"size": 3,
|
|
"title": "City by MB Over Time",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "linechart"
|
|
},
|
|
"name": "CitybyMBOverTime"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "let data = netflow_CL\n| where isnotempty(netflow_in_pkts_d)\n| summarize Count = sum(netflow_in_pkts_d) by City = netflow_destinationGeo_city_name_s\n| top 10 by Count\n| project City;\n netflow_CL\n | where netflow_destinationGeo_city_name_s in (data)\n | summarize Count = sum(netflow_in_pkts_d) by City = netflow_destinationGeo_city_name_s, bin(TimeGenerated, 1m)",
|
|
"size": 3,
|
|
"title": "City by Packet Count Over Time",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "linechart"
|
|
},
|
|
"name": "CitybyPacketCountOverTime"
|
|
}
|
|
]
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "Tab",
|
|
"comparison": "isEqualTo",
|
|
"value": "TrafficAnalysis"
|
|
},
|
|
"name": "group - 11 - Copy - Copy"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "netflow_CL\n| where isnotempty(netflow_ipv4_src_addr_s)\n| summarize Mbytes = sum(netflow_in_bytes_d)/1024/1024, Packets = sum(netflow_in_pkts_d), Count = count() by SourceIP = netflow_ipv4_src_addr_s\n| sort by Mbytes desc ",
|
|
"size": 0,
|
|
"title": "Top Sources",
|
|
"timeContext": {
|
|
"durationMs": 86400000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "Mbytes",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "blue"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Packets",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "purple"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Count",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "orange"
|
|
}
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "Tab",
|
|
"comparison": "isEqualTo",
|
|
"value": "TopN"
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 15"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "netflow_CL\n| where isnotempty(netflow_ipv4_dst_addr_s)\n| summarize Mbytes = sum(netflow_in_bytes_d)/1024/1024, Packets = sum(netflow_in_pkts_d), Count = count() by DestinationIP = netflow_ipv4_dst_addr_s\n| sort by Mbytes desc ",
|
|
"size": 0,
|
|
"title": "Top Destinations",
|
|
"timeContext": {
|
|
"durationMs": 86400000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "Mbytes",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "blue"
|
|
},
|
|
"tooltipFormat": {}
|
|
},
|
|
{
|
|
"columnMatch": "Packets",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "purple"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Count",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "orange"
|
|
}
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "Tab",
|
|
"comparison": "isEqualTo",
|
|
"value": "TopN"
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 16"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "netflow_CL\n| where isnotempty(netflow_l4_src_port_d)\n| summarize Mbytes = sum(netflow_in_bytes_d)/1024/1024, Packets = sum(netflow_in_pkts_d), Count = count() by SourcePort = netflow_l4_src_port_d\n| sort by Mbytes desc ",
|
|
"size": 0,
|
|
"title": "Top Source Ports",
|
|
"timeContext": {
|
|
"durationMs": 86400000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "Mbytes",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "blue"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Packets",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "purple"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Count",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "orange"
|
|
}
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "Tab",
|
|
"comparison": "isEqualTo",
|
|
"value": "TopN"
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 15 - Copy"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "netflow_CL\n| where isnotempty(netflow_l4_dst_port_d)\n| summarize Mbytes = sum(netflow_in_bytes_d)/1024/1024, Packets = sum(netflow_in_pkts_d), Count = count() by DestinationPort = netflow_l4_dst_port_d\n| sort by Mbytes desc ",
|
|
"size": 0,
|
|
"title": "Top Destination Ports",
|
|
"timeContext": {
|
|
"durationMs": 86400000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "Mbytes",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "blue"
|
|
},
|
|
"tooltipFormat": {}
|
|
},
|
|
{
|
|
"columnMatch": "Packets",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "purple"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Count",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "orange"
|
|
}
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "Tab",
|
|
"comparison": "isEqualTo",
|
|
"value": "TopN"
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 16 - Copy"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "let data = externaldata (Decimal:int, Keyword:string) [\"https://www.iana.org/assignments/protocol-numbers/protocol-numbers-1.csv\"]\nwith(ignorefirstrecord=true);\nnetflow_CL\n| extend NetflowProtocol = toint(netflow_protocol_d)\n| summarize Mbytes = sum(netflow_in_bytes_d)/1024/1024, Packets = sum(netflow_in_pkts_d), Records = count() by NetflowProtocol\n| join (\ndata\n ) on $left.NetflowProtocol == $right.Decimal\n | project Protocol = Keyword, Mbytes, Packets, Records\n | sort by Mbytes desc\n\n",
|
|
"size": 0,
|
|
"title": "Top Protocols",
|
|
"timeContext": {
|
|
"durationMs": 86400000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "Mbytes",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "blue"
|
|
},
|
|
"tooltipFormat": {}
|
|
},
|
|
{
|
|
"columnMatch": "Packets",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "purple"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Records",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "orange"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Count",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "orange"
|
|
}
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "Tab",
|
|
"comparison": "isEqualTo",
|
|
"value": "TopN"
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 16 - Copy - Copy"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "netflow_CL\n| where isnotempty(netflow_destinationASN_asn_d)\n| summarize Mbytes = sum(netflow_in_bytes_d)/1024/1024, Packets = sum(netflow_in_pkts_d), Count = count() by ASN = netflow_destinationASN_as_org_s\n| sort by Mbytes desc ",
|
|
"size": 0,
|
|
"title": "Top Autonomous Systems",
|
|
"timeContext": {
|
|
"durationMs": 86400000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "Mbytes",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "blue"
|
|
},
|
|
"tooltipFormat": {}
|
|
},
|
|
{
|
|
"columnMatch": "Packets",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "purple"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Records",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "orange"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Count",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "orange"
|
|
}
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "Tab",
|
|
"comparison": "isEqualTo",
|
|
"value": "TopN"
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 16 - Copy - Copy - Copy"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "netflow_CL\n| where isnotempty(netflow_destinationGeo_city_name_s)\n| summarize Mbytes = sum(netflow_in_bytes_d)/1024/1024, Packets = sum(netflow_in_pkts_d), Count = count() by City = netflow_destinationGeo_city_name_s\n| sort by Mbytes desc ",
|
|
"size": 0,
|
|
"title": "Top Cities",
|
|
"timeContext": {
|
|
"durationMs": 86400000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "Mbytes",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "blue"
|
|
},
|
|
"tooltipFormat": {}
|
|
},
|
|
{
|
|
"columnMatch": "Packets",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "purple"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Records",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "orange"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Count",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "orange"
|
|
}
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "Tab",
|
|
"comparison": "isEqualTo",
|
|
"value": "TopN"
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 16 - Copy - Copy - Copy - Copy"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "netflow_CL\n| where isnotempty(netflow_destinationASN_asn_d)\n| summarize count() by ASN = netflow_destinationASN_asn_d, netflow_destinationGeo_latitude_d, netflow_destinationGeo_longitude_d, netflow_destinationGeo_country_name_s, netflow_destinationGeo_city_name_s",
|
|
"size": 3,
|
|
"title": "Destination Geo Location Heatmap",
|
|
"timeContext": {
|
|
"durationMs": 86400000
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "map",
|
|
"mapSettings": {
|
|
"locInfo": "LatLong",
|
|
"latitude": "netflow_destinationGeo_latitude_d",
|
|
"longitude": "netflow_destinationGeo_longitude_d",
|
|
"sizeSettings": "count_",
|
|
"sizeAggregation": "Sum",
|
|
"labelSettings": "netflow_destinationGeo_city_name_s",
|
|
"legendMetric": "count_",
|
|
"legendAggregation": "Sum",
|
|
"itemColorSettings": {
|
|
"nodeColorField": "count_",
|
|
"colorAggregation": "Count",
|
|
"type": "heatmap",
|
|
"heatmapPalette": "greenRed"
|
|
}
|
|
}
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "Tab",
|
|
"comparison": "isEqualTo",
|
|
"value": "GeoLocation"
|
|
},
|
|
"name": "query - 22"
|
|
}
|
|
],
|
|
"styleSettings": {},
|
|
"fromTemplateId": "sentinel-UnifiSGNetflow",
|
|
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
|
|
} |