435 строки
18 KiB
JSON
435 строки
18 KiB
JSON
{
|
|
"version": "Notebook/1.0",
|
|
"items": [
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "## Zscaler Firewall Overview"
|
|
},
|
|
"name": "text - 0"
|
|
},
|
|
{
|
|
"type": 9,
|
|
"content": {
|
|
"version": "KqlParameterItem/1.0",
|
|
"query": "",
|
|
"crossComponentResources": [],
|
|
"parameters": [
|
|
{
|
|
"id": "ff5a2a6c-cf01-432a-ab49-e59918ead8ab",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "TimeRange",
|
|
"type": 4,
|
|
"isRequired": true,
|
|
"value": {
|
|
"durationMs": 86400000
|
|
},
|
|
"typeSettings": {
|
|
"selectableValues": [
|
|
{
|
|
"durationMs": 300000
|
|
},
|
|
{
|
|
"durationMs": 900000
|
|
},
|
|
{
|
|
"durationMs": 1800000
|
|
},
|
|
{
|
|
"durationMs": 3600000
|
|
},
|
|
{
|
|
"durationMs": 14400000
|
|
},
|
|
{
|
|
"durationMs": 43200000
|
|
},
|
|
{
|
|
"durationMs": 86400000
|
|
},
|
|
{
|
|
"durationMs": 172800000
|
|
},
|
|
{
|
|
"durationMs": 259200000
|
|
},
|
|
{
|
|
"durationMs": 604800000
|
|
},
|
|
{
|
|
"durationMs": 1209600000
|
|
},
|
|
{
|
|
"durationMs": 2419200000
|
|
},
|
|
{
|
|
"durationMs": 2592000000
|
|
},
|
|
{
|
|
"durationMs": 5184000000
|
|
},
|
|
{
|
|
"durationMs": 7776000000
|
|
}
|
|
],
|
|
"allowCustom": true
|
|
}
|
|
},
|
|
{
|
|
"id": "fe452f11-ddc9-4b85-b441-b8f6be3b33a8",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "SourceIP",
|
|
"type": 2,
|
|
"isRequired": true,
|
|
"multiSelect": true,
|
|
"quote": "'",
|
|
"delimiter": ",",
|
|
"query": "CommonSecurityLog\r\n| where DeviceEventClassID !contains \"Allow\" \r\n| where DeviceProduct == \"NSSFWlog\" \r\n| where SourceTranslatedAddress != \"\" \r\n| summarize Count = count() by SourceTranslatedAddress\r\n| project Value = SourceTranslatedAddress, Label = strcat(SourceTranslatedAddress, \" count: \", Count)",
|
|
"value": [
|
|
"value::all"
|
|
],
|
|
"typeSettings": {
|
|
"additionalResourceOptions": [
|
|
"value::all"
|
|
],
|
|
"selectAllValue": "All"
|
|
},
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
{
|
|
"id": "d5fa439b-b1d7-491e-8953-5e4f7bf74f81",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "SourcePort",
|
|
"type": 2,
|
|
"isRequired": true,
|
|
"multiSelect": true,
|
|
"quote": "'",
|
|
"delimiter": ",",
|
|
"query": "CommonSecurityLog\r\n| where DeviceEventClassID !contains \"Allow\" \r\n| where DeviceProduct == \"NSSFWlog\" \r\n| where (SourceTranslatedAddress in ({SourceIP}) or '{SourceIP:label}' == \"All\")\r\n| where SourcePort != \"\" \r\n| summarize Count = count() by SourcePort\r\n| project Value = SourcePort, Label = strcat(\"Port: \",SourcePort, \" count: \", Count)",
|
|
"value": [
|
|
"value::all"
|
|
],
|
|
"typeSettings": {
|
|
"additionalResourceOptions": [
|
|
"value::all"
|
|
],
|
|
"selectAllValue": "All"
|
|
},
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
{
|
|
"id": "2f749931-c232-471f-b91f-f91514fd7fa7",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "DestinationIP",
|
|
"type": 2,
|
|
"isRequired": true,
|
|
"multiSelect": true,
|
|
"quote": "'",
|
|
"delimiter": ",",
|
|
"query": "CommonSecurityLog\r\n| where DeviceEventClassID !contains \"Allow\" \r\n| where DeviceProduct == \"NSSFWlog\" \r\n| where DestinationIP != \"\" \r\n| summarize Count = count() by DestinationIP\r\n| project Value = DestinationIP, Label = strcat(DestinationIP, \" count: \", Count)",
|
|
"value": [
|
|
"value::all"
|
|
],
|
|
"typeSettings": {
|
|
"additionalResourceOptions": [
|
|
"value::all"
|
|
],
|
|
"selectAllValue": "All"
|
|
},
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
{
|
|
"id": "5ecf989b-46cc-4cde-80fb-720d1ad2a5e2",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "DestinationPort",
|
|
"type": 2,
|
|
"isRequired": true,
|
|
"multiSelect": true,
|
|
"quote": "'",
|
|
"delimiter": ",",
|
|
"query": "CommonSecurityLog\r\n| where DeviceEventClassID !contains \"Allow\" \r\n| where DeviceProduct == \"NSSFWlog\" \r\n| where DestinationIP in ({DestinationIP}) or '{DestinationIP:label}' == \"All\"\r\n| where DestinationPort != \"\" \r\n| summarize Count = count() by DestinationPort\r\n| project Value = DestinationPort, Label = strcat(DestinationPort, \" count: \", Count)",
|
|
"value": [
|
|
"value::all"
|
|
],
|
|
"typeSettings": {
|
|
"additionalResourceOptions": [
|
|
"value::all"
|
|
],
|
|
"selectAllValue": "All"
|
|
},
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
}
|
|
],
|
|
"style": "pills",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
"name": "parameters - 1"
|
|
},
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "### Block actions"
|
|
},
|
|
"name": "text - 4"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog\r\n| where DeviceProduct == \"NSSFWlog\" \r\n| where DeviceEventClassID !contains \"Allow\" \r\n| where (SourceTranslatedAddress in ({SourceIP}) or '{SourceIP:label}' == \"All\") and (SourcePort in ({SourcePort}) or '{SourcePort:label}' == \"All\") and (DestinationIP in ({DestinationIP}) or '{DestinationIP:label}' == \"All\") and (DestinationPort in ({DestinationPort}) or '{DestinationPort:label}' == \"All\")\r\n| summarize Count = count() by Protocol\r\n| sort by Count desc\r\n| top 10 by Count",
|
|
"size": 0,
|
|
"exportToExcelOptions": "visible",
|
|
"title": "Top blocked protocols",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "piechart"
|
|
},
|
|
"customWidth": "33",
|
|
"name": "query - 2"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog\r\n| where DeviceEventClassID !contains \"Allow\"\r\n| where DeviceProduct == \"NSSFWlog\" \r\n| where (SourceTranslatedAddress in ({SourceIP}) or '{SourceIP:label}' == \"All\") and (SourcePort in ({SourcePort}) or '{SourcePort:label}' == \"All\") and (DestinationIP in ({DestinationIP}) or '{DestinationIP:label}' == \"All\") and (DestinationPort in ({DestinationPort}) or '{DestinationPort:label}' == \"All\")\r\n| where SourceUserPrivileges == SourceUserName\r\n| summarize Count = count() by SourceUserName\r\n| sort by Count desc\r\n| top 10 by Count",
|
|
"size": 0,
|
|
"exportToExcelOptions": "visible",
|
|
"title": "Top blocked locations",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "piechart"
|
|
},
|
|
"customWidth": "33",
|
|
"name": "query - 3"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog\r\n| where DeviceEventClassID !contains \"Allow\"\r\n| where DeviceProduct == \"NSSFWlog\" \r\n| where (SourceTranslatedAddress in ({SourceIP}) or '{SourceIP:label}' == \"All\") and (SourcePort in ({SourcePort}) or '{SourcePort:label}' == \"All\") and (DestinationIP in ({DestinationIP}) or '{DestinationIP:label}' == \"All\") and (DestinationPort in ({DestinationPort}) or '{DestinationPort:label}' == \"All\")\r\n| where DestinationPort != \"0\" \r\n| extend dst_port = tostring(DestinationPort) \r\n| summarize Count = count() by dst_port\r\n| top 10 by Count desc nulls last ",
|
|
"size": 0,
|
|
"exportToExcelOptions": "visible",
|
|
"title": "Top blocked destination ports",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "piechart"
|
|
},
|
|
"customWidth": "33",
|
|
"name": "query - 5"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog\r\n| where DeviceEventClassID !contains \"Allow\"\r\n| where DeviceProduct == \"NSSFWlog\" \r\n| where (SourceTranslatedAddress in ({SourceIP}) or '{SourceIP:label}' == \"All\") and (SourcePort in ({SourcePort}) or '{SourcePort:label}' == \"All\") and (DestinationIP in ({DestinationIP}) or '{DestinationIP:label}' == \"All\") and (DestinationPort in ({DestinationPort}) or '{DestinationPort:label}' == \"All\")\r\n| where DestinationIP != \"\" \r\n| summarize Count = count() by DestinationIP\r\n| sort by Count desc\r\n| top 10 by Count",
|
|
"size": 0,
|
|
"exportToExcelOptions": "visible",
|
|
"title": "Top blocked destination IP addresses",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "piechart"
|
|
},
|
|
"customWidth": "33",
|
|
"name": "query - 6"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog\r\n| where DeviceEventClassID !contains \"Allow\" \r\n| where DeviceProduct == \"NSSFWlog\" \r\n| where (SourceTranslatedAddress in ({SourceIP}) or '{SourceIP:label}' == \"All\") and (SourcePort in ({SourcePort}) or '{SourcePort:label}' == \"All\") and (DestinationIP in ({DestinationIP}) or '{DestinationIP:label}' == \"All\") and (DestinationPort in ({DestinationPort}) or '{DestinationPort:label}' == \"All\")\r\n| where SourceTranslatedAddress != \"\" \r\n| summarize Count = count() by SourceTranslatedAddress\r\n| sort by Count desc\r\n| top 10 by Count",
|
|
"size": 0,
|
|
"exportToExcelOptions": "visible",
|
|
"title": "Top blocked source IP addresses",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "piechart"
|
|
},
|
|
"customWidth": "33",
|
|
"name": "query - 7"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog\r\n| where DeviceEventClassID !contains \"Allow\"\r\n| where DeviceProduct == \"NSSFWlog\" \r\n| where (SourceTranslatedAddress in ({SourceIP}) or '{SourceIP:label}' == \"All\") and (SourcePort in ({SourcePort}) or '{SourcePort:label}' == \"All\") and (DestinationIP in ({DestinationIP}) or '{DestinationIP:label}' == \"All\") and (DestinationPort in ({DestinationPort}) or '{DestinationPort:label}' == \"All\")\r\n| where SourcePort != \"0\" \r\n| extend src_port = tostring(SourcePort) \r\n| summarize Count = count() by src_port\r\n| order by Count\r\n| take 10",
|
|
"size": 0,
|
|
"exportToExcelOptions": "visible",
|
|
"title": "Top blocked source ports",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "piechart"
|
|
},
|
|
"customWidth": "33",
|
|
"name": "query - 12"
|
|
},
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "---"
|
|
},
|
|
"name": "text - 8"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog\r\n| where DeviceEventClassID contains \"Allow\"\r\n| where DeviceProduct == \"NSSFWlog\" \r\n| where (SourceTranslatedAddress in ({SourceIP}) or '{SourceIP:label}' == \"All\") and (SourcePort in ({SourcePort}) or '{SourcePort:label}' == \"All\") and (DestinationIP in ({DestinationIP}) or '{DestinationIP:label}' == \"All\") and (DestinationPort in ({DestinationPort}) or '{DestinationPort:label}' == \"All\")\r\n| summarize ['Recived MB'] = sum(ReceivedBytes/1024.0/1024.0), ['Sent MB'] = sum(SentBytes/1024.0/1024.0) by bin(TimeGenerated, {TimeRange:grain}), SourceUserPrivileges\r\n| project-rename Location = SourceUserPrivileges \r\n| order by ['Recived MB'] desc, ['Sent MB'] desc",
|
|
"size": 0,
|
|
"exportFieldName": "",
|
|
"exportParameterName": "LocationFilter",
|
|
"exportDefaultValue": "{\"Location\":\"*\"}",
|
|
"exportToExcelOptions": "visible",
|
|
"title": "Non-http downloads and uploads in MB",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "TimeGenerated",
|
|
"formatter": 6,
|
|
"formatOptions": {
|
|
"min": 0,
|
|
"palette": "turquoise",
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Location",
|
|
"formatter": 5,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Recived MB",
|
|
"formatter": 3,
|
|
"formatOptions": {
|
|
"min": 0,
|
|
"palette": "purple",
|
|
"showIcon": true,
|
|
"aggregation": "Sum"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Sent MB",
|
|
"formatter": 3,
|
|
"formatOptions": {
|
|
"min": 0,
|
|
"palette": "magenta",
|
|
"showIcon": true,
|
|
"aggregation": "Sum"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "$gen_group",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
}
|
|
],
|
|
"hierarchySettings": {
|
|
"treeType": 1,
|
|
"groupBy": [
|
|
"Location"
|
|
],
|
|
"expandTopLevel": false,
|
|
"finalBy": "Location"
|
|
},
|
|
"labelSettings": []
|
|
}
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 9"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog\r\n| where DeviceEventClassID contains \"Allow\"\r\n| where DeviceProduct == \"NSSFWlog\" \r\n| where (SourceTranslatedAddress in ({SourceIP}) or '{SourceIP:label}' == \"All\") and (SourcePort in ({SourcePort}) or '{SourcePort:label}' == \"All\") and (DestinationIP in ({DestinationIP}) or '{DestinationIP:label}' == \"All\") and (DestinationPort in ({DestinationPort}) or '{DestinationPort:label}' == \"All\")\r\n| summarize ['Recived MB'] = sum(ReceivedBytes/1024.0/1024.0), ['Sent MB'] = sum(SentBytes/1024.0/1024.0) by bin(TimeGenerated, {TimeRange:grain}), SourceUserPrivileges\r\n| project-rename Location = SourceUserPrivileges \r\n| where Location == dynamic({LocationFilter}).childRows[0].Location or dynamic({LocationFilter}).Location == Location or dynamic({LocationFilter}).Location == \"*\"",
|
|
"size": 0,
|
|
"exportToExcelOptions": "visible",
|
|
"title": "Non-http downloads and uploads in MB",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "areachart"
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 10"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog\r\n| where DeviceProduct == \"NSSFWlog\" \r\n| where (SourceTranslatedAddress in ({SourceIP}) or '{SourceIP:label}' == \"All\") and (SourcePort in ({SourcePort}) or '{SourcePort:label}' == \"All\") and (DestinationIP in ({DestinationIP}) or '{DestinationIP:label}' == \"All\") and (DestinationPort in ({DestinationPort}) or '{DestinationPort:label}' == \"All\")\r\n| where Activity !contains \"Default\" and Activity !contains \"Recommended\" \r\n| summarize count() by bin(TimeGenerated, {TimeRange:grain}), Activity ",
|
|
"size": 0,
|
|
"exportToExcelOptions": "visible",
|
|
"title": "Non-default firewall rules getting triggered",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "barchart"
|
|
},
|
|
"name": "query - 11"
|
|
}
|
|
],
|
|
"styleSettings": {},
|
|
"fromTemplateId": "sentinel-ZscalerFirewallOverview",
|
|
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
|
|
} |