{
|
|
"version": "Notebook/1.0",
|
|
"items": [
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "## VM Insights"
|
|
},
|
|
"name": "text - 0"
|
|
},
|
|
{
|
|
"type": 9,
|
|
"content": {
|
|
"version": "KqlParameterItem/1.0",
|
|
"query": "",
|
|
"crossComponentResources": [],
|
|
"parameters": [
|
|
{
|
|
"id": "9db81e55-c2f5-47f6-8aac-168734a9fbbe",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "TimeRange",
|
|
"type": 4,
|
|
"isRequired": true,
|
|
"value": {
|
|
"durationMs": 86400000
|
|
},
|
|
"typeSettings": {
|
|
"selectableValues": [
|
|
{
|
|
"durationMs": 300000
|
|
},
|
|
{
|
|
"durationMs": 900000
|
|
},
|
|
{
|
|
"durationMs": 1800000
|
|
},
|
|
{
|
|
"durationMs": 3600000
|
|
},
|
|
{
|
|
"durationMs": 14400000
|
|
},
|
|
{
|
|
"durationMs": 43200000
|
|
},
|
|
{
|
|
"durationMs": 86400000
|
|
},
|
|
{
|
|
"durationMs": 172800000
|
|
},
|
|
{
|
|
"durationMs": 259200000
|
|
},
|
|
{
|
|
"durationMs": 604800000
|
|
},
|
|
{
|
|
"durationMs": 1209600000
|
|
},
|
|
{
|
|
"durationMs": 2419200000
|
|
},
|
|
{
|
|
"durationMs": 2592000000
|
|
},
|
|
{
|
|
"durationMs": 5184000000
|
|
},
|
|
{
|
|
"durationMs": 7776000000
|
|
}
|
|
],
|
|
"allowCustom": true
|
|
}
|
|
},
|
|
{
|
|
"id": "1b0ec558-560c-492c-8a63-854c7afbf033",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "Computer",
|
|
"type": 5,
|
|
"isRequired": true,
|
|
"multiSelect": true,
|
|
"quote": "'",
|
|
"delimiter": ",",
|
|
"query": "VMConnection \r\n| where Type == \"VMConnection\"\r\n| summarize Total_Traffic = sum(BytesSent) + sum(BytesReceived), TotalBytesSent = sum(BytesSent), TotalBytesReceived = sum(BytesReceived) by Computer | sort by Total_Traffic desc | project Computer \r\n",
|
|
"value": null,
|
|
"typeSettings": {
|
|
"additionalResourceOptions": [
|
|
"value::all"
|
|
],
|
|
"selectAllValue": "All"
|
|
},
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
}
|
|
],
|
|
"style": "pills",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
"name": "parameters - 1"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "VMConnection\r\n| where Type == \"VMConnection\"\r\n| where \"{Computer:label}\" == \"All\" or Computer in ({Computer})\r\n| distinct Computer, _ResourceId\r\n| extend AzureOrNot = iif(not(isempty(_ResourceId)), 'Azure computer', 'Non-Azure computer')\r\n| summarize All = count(), Azure = countif(AzureOrNot == 'Azure computer'), NonAzure = countif(AzureOrNot == 'Non-Azure computer')\r\n| extend All = strcat('All computers: ', All), Azure = strcat('Azure: ', Azure), NonAzure = strcat('Non-Azure: ', NonAzure)\r\n",
|
|
"size": 1,
|
|
"exportToExcelOptions": "visible",
|
|
"title": "Azure Computers",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "tiles",
|
|
"tileSettings": {
|
|
"titleContent": {
|
|
"columnMatch": "All",
|
|
"formatter": 1,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
"leftContent": {
|
|
"columnMatch": "Azure",
|
|
"formatter": 1,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
"rightContent": {
|
|
"columnMatch": "NonAzure",
|
|
"formatter": 1,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
"showBorder": false,
|
|
"rowLimit": 1,
|
|
"sortCriteriaField": "Azure",
|
|
"sortOrderField": 2
|
|
}
|
|
},
|
|
"name": "query - 2",
|
|
"styleSettings": {
|
|
"margin": "0"
|
|
}
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "VMConnection \r\n| where Type == \"VMConnection\"\r\n| where \"{Computer:label}\" == \"All\" or Computer in ({Computer})\r\n| summarize TotalBytesSent = sum(BytesSent) by Computer, TimeGenerated\r\n",
|
|
"size": 0,
|
|
"exportToExcelOptions": "visible",
|
|
"title": "Bytes sent, by computer",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "timechart"
|
|
},
|
|
"customWidth": "60",
|
|
"name": "query - 2 - Copy"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "VMConnection \r\n| where Type == \"VMConnection\"\r\n| where \"{Computer:label}\" == \"All\" or Computer in ({Computer})\r\n| extend Computer = iif(isempty(_ResourceId), Computer, _ResourceId)\r\n| summarize Total_Traffic = sum(BytesSent) + sum(BytesReceived), TotalBytesSent = sum(BytesSent), TotalBytesReceived = sum(BytesReceived) by Computer \r\n| sort by Total_Traffic desc | project-away Total_Traffic \r\n",
|
|
"size": 0,
|
|
"exportToExcelOptions": "visible",
|
|
"title": "Top communicating computers",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "Computer",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "TotalBytesSent",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "TotalBytesReceived",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "purple",
|
|
"showIcon": true
|
|
}
|
|
}
|
|
],
|
|
"labelSettings": []
|
|
}
|
|
},
|
|
"customWidth": "40",
|
|
"name": "query - 4"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "VMConnection \r\n| where Type == \"VMConnection\"\r\n| where \"{Computer:label}\" == \"All\" or Computer in ({Computer})\r\n| summarize TotalBytesReceived = sum(BytesReceived) by Computer, TimeGenerated\r\n",
|
|
"size": 0,
|
|
"exportToExcelOptions": "visible",
|
|
"title": "Bytes received, by computer",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "timechart"
|
|
},
|
|
"customWidth": "60",
|
|
"name": "query - 3"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "ServiceMapComputer_CL\r\n| where \"{Computer:label}\" == \"All\" or Computer in ({Computer})\r\n| summarize by Computer, Region = iff(HostingProvider_s == \"azure\", AzureLocation_s, \"non-azure\")\r\n| project Region \r\n| summarize count() by Region\r\n",
|
|
"size": 0,
|
|
"exportToExcelOptions": "visible",
|
|
"title": "Computers, by region",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "piechart"
|
|
},
|
|
"customWidth": "40",
|
|
"name": "query - 5",
|
|
"styleSettings": {
|
|
"margin": "20"
|
|
}
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "ServiceMapComputer_CL\r\n| where \"{Computer:label}\" == \"All\" or Computer in ({Computer})\r\n| where HostingProvider_s == \"azure\"\r\n| extend Computer = _ResourceId\r\n| summarize by Computer, Region = AzureLocation_s, IPv4Addresses = Ipv4Addresses_s, IPv6Addresses = Ipv6Addresses_s\r\n| extend GroupId = strcat(Computer, Region), IPv4Addresses = todynamic(IPv4Addresses), IPv6Addresses = todynamic(IPv6Addresses)\r\n",
|
|
"size": 0,
|
|
"exportToExcelOptions": "visible",
|
|
"title": "Azure computers",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "Computer",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Region",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "IPv4Addresses",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "IPv6Addresses",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "GroupId",
|
|
"formatter": 5,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
}
|
|
],
|
|
"labelSettings": []
|
|
}
|
|
},
|
|
"customWidth": "70",
|
|
"name": "query - 7"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "ServiceMapComputer_CL\r\n| where \"{Computer:label}\" == \"All\" or Computer in ({Computer})\r\n| where HostingProvider_s == \"azure\"\r\n| summarize by AzureResourceID = AzureResourceId_s\r\n| project Subscription = split(AzureResourceID, \"/\")[2]\r\n| summarize count() by tostring(Subscription)\r\n",
|
|
"size": 0,
|
|
"exportToExcelOptions": "visible",
|
|
"title": "Computers, by subscription",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "piechart"
|
|
},
|
|
"customWidth": "30",
|
|
"name": "query - 5 - Copy",
|
|
"styleSettings": {
|
|
"margin": "20"
|
|
}
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "ServiceMapComputer_CL\r\n| where \"{Computer:label}\" == \"All\" or Computer in ({Computer})\r\n| where HostingProvider_s != \"azure\"\r\n| summarize by Computer, IPv4Addresses = Ipv4Addresses_s, IPv6Addresses = Ipv6Addresses_s\r\n",
|
|
"size": 0,
|
|
"exportToExcelOptions": "visible",
|
|
"title": "Non-Azure computers",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
"customWidth": "40",
|
|
"name": "query - 7 - Copy"
|
|
},
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "## Malicious actors\n\nInbound connections from remote IP addresses that threat intelligence flagged as malicious (rows where `MaliciousIp` is populated). Outbound connections from a computer to a malicious IP are not included in this section; the figures are byte volumes, not connection counts."
|
|
},
|
|
"name": "text - 9"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "VMConnection \r\n| where Type == \"VMConnection\"\r\n| where \"{Computer:label}\" == \"All\" or Computer in ({Computer})\r\n| where isnotempty(MaliciousIp)\r\n| where Direction == \"inbound\"\r\n| summarize TotalBytesCommunicated = sum(BytesSent) + sum(BytesReceived), TotalSent = sum(BytesSent), TotalReceived = sum(BytesReceived) by MaliciousIP = strcat(MaliciousIp, ' (', RemoteCountry, ')') | sort by TotalBytesCommunicated desc\r\n| where TotalBytesCommunicated > 0 \r\n\r\n",
|
|
"size": 0,
|
|
"exportToExcelOptions": "visible",
|
|
"title": "Top communicating malicious IPs",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "tiles",
|
|
"tileSettings": {
|
|
"showBorder": false,
|
|
"titleContent": {
|
|
"columnMatch": "MaliciousIP",
|
|
"formatter": 1
|
|
},
|
|
"leftContent": {
|
|
"columnMatch": "TotalBytesCommunicated",
|
|
"formatter": 12,
|
|
"formatOptions": {
|
|
"palette": "auto"
|
|
},
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"graphSettings": {
|
|
"type": 0,
|
|
"topContent": {
|
|
"columnMatch": "MaliciousIP",
|
|
"formatter": 1
|
|
},
|
|
"centerContent": {
|
|
"columnMatch": "TotalBytesCommunicated",
|
|
"formatter": 1,
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 10"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "VMConnection \r\n| where Type == \"VMConnection\"\r\n| where \"{Computer:label}\" == \"All\" or Computer in ({Computer})\r\n| where isnotempty(MaliciousIp)\r\n| where Direction == \"inbound\"\r\n| summarize TotalTraffic = sum(BytesSent) + sum(BytesReceived) by Country = RemoteCountry | sort by TotalTraffic desc\r\n",
|
|
"size": 0,
|
|
"exportToExcelOptions": "visible",
|
|
"title": "Malicious traffic, by country",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "piechart"
|
|
},
|
|
"customWidth": "25",
|
|
"name": "query - 11"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "VMConnection \r\n| where Type == \"VMConnection\"\r\n| where \"{Computer:label}\" == \"All\" or Computer in ({Computer})\r\n| where isnotempty(MaliciousIp)\r\n| where Direction == \"inbound\"\r\n| summarize TotalTraffic = sum(BytesSent) + sum(BytesReceived) by IndicatorThreatType | sort by TotalTraffic desc \r\n",
|
|
"size": 0,
|
|
"exportToExcelOptions": "visible",
|
|
"title": "Malicious traffic, by threat type",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "piechart"
|
|
},
|
|
"customWidth": "25",
|
|
"name": "query - 11 - Copy"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "VMConnection \r\n| where Type == \"VMConnection\"\r\n| where \"{Computer:label}\" == \"All\" or Computer in ({Computer})\r\n| where isnotempty(MaliciousIp)\r\n| where Direction == \"inbound\"\r\n| summarize TotalBytesSent = sum(BytesSent), TotalBytesReceived = sum(BytesReceived) by MaliciousIP = strcat(MaliciousIp, ' (', RemoteCountry, ')') | sort by TotalBytesReceived desc \r\n",
|
|
"size": 0,
|
|
"exportToExcelOptions": "visible",
|
|
"title": "Malicious IP addresses",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "MaliciousIP",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "TotalBytesSent",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "red",
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "TotalBytesReceived",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "red",
|
|
"showIcon": true
|
|
}
|
|
}
|
|
],
|
|
"labelSettings": []
|
|
}
|
|
},
|
|
"name": "query - 13"
|
|
},
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "## Attacked resources\n\nLocal computers, processes, destination IP addresses and ports that received inbound connections from IP addresses flagged as malicious, ranked by byte volume."
|
|
},
|
|
"name": "text - 14"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "VMConnection \r\n| where Type == \"VMConnection\"\r\n| where \"{Computer:label}\" == \"All\" or Computer in ({Computer})\r\n| where isnotempty(MaliciousIp)\r\n| where Direction == \"inbound\"\r\n| summarize TotalBytesSent = sum(BytesSent), TotalBytesReceived = sum(BytesReceived) by Computer | sort by TotalBytesReceived desc \r\n",
|
|
"size": 0,
|
|
"exportToExcelOptions": "visible",
|
|
"title": "Most attacked computers",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "piechart"
|
|
},
|
|
"customWidth": "33",
|
|
"name": "query - 15"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "VMConnection \r\n| where Type == \"VMConnection\"\r\n| where \"{Computer:label}\" == \"All\" or Computer in ({Computer})\r\n| where isnotempty(MaliciousIp)\r\n| where Direction == \"inbound\"\r\n| summarize TotalBytesSent = sum(BytesSent), TotalBytesReceived = sum(BytesReceived) by Process = strcat (ProcessName, ' (', DestinationPort, ',', Protocol, ')') | sort by TotalBytesReceived desc \r\n",
|
|
"size": 0,
|
|
"exportToExcelOptions": "visible",
|
|
"title": "Most attacked processes",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "piechart"
|
|
},
|
|
"customWidth": "33",
|
|
"name": "query - 15 - Copy"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "VMConnection \r\n| where Type == \"VMConnection\"\r\n| where \"{Computer:label}\" == \"All\" or Computer in ({Computer})\r\n| where isnotempty(MaliciousIp)\r\n| where Direction == \"inbound\"\r\n| summarize TotalTraffic = sum(BytesSent) + sum(BytesReceived) by Target = strcat (Computer, '/', ProcessName, '/', DestinationIp, '/', DestinationPort) | sort by TotalTraffic desc \r\n",
|
|
"size": 0,
|
|
"exportToExcelOptions": "visible",
|
|
"title": "Attack targets, by computer, process, IP address, and port",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "piechart"
|
|
},
|
|
"customWidth": "33",
|
|
"name": "query - 18"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "VMConnection \r\n| where Type == \"VMConnection\"\r\n| where \"{Computer:label}\" == \"All\" or Computer in ({Computer})\r\n| where isnotempty(MaliciousIp)\r\n| where Direction == \"inbound\"\r\n| extend Computer = iif(isempty(_ResourceId), Computer, _ResourceId)\r\n| summarize TotalBytesSent = sum(BytesSent), TotalBytesReceived = sum(BytesReceived) by Computer, ProcessName, DestinationIp, DestinationPort | sort by TotalBytesReceived desc \r\n",
|
|
"size": 0,
|
|
"exportToExcelOptions": "visible",
|
|
"title": "Attacked targets",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "Computer",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "ProcessName",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "DestinationIp",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "DestinationPort",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "TotalBytesSent",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "red",
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "TotalBytesReceived",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "red",
|
|
"showIcon": true
|
|
}
|
|
}
|
|
],
|
|
"labelSettings": []
|
|
}
|
|
},
|
|
"name": "query - 17"
|
|
}
|
|
],
|
|
"styleSettings": {},
|
|
"fromTemplateId": "sentinel-VirtualMachinesInsights",
|
|
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
|
|
}