8177 строки
679 KiB
JSON
8177 строки
679 KiB
JSON
{
|
||
"version": "Notebook/1.0",
|
||
"items": [
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "# Advanced KQL for Microsoft Sentinel\n---"
|
||
},
|
||
"name": "Title"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "toolbar",
|
||
"links": [
|
||
{
|
||
"id": "4fcb6a13-78b5-478b-8541-0ac9804e85b8",
|
||
"cellValue": "About",
|
||
"linkTarget": "parameter",
|
||
"linkLabel": "Click here for Overview",
|
||
"subTarget": "true",
|
||
"postText": "",
|
||
"style": "link",
|
||
"icon": "1"
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "20",
|
||
"name": "links - About1"
|
||
},
|
||
{
|
||
"type": 9,
|
||
"content": {
|
||
"version": "KqlParameterItem/1.0",
|
||
"parameters": [
|
||
{
|
||
"id": "fa116a7d-107a-4f9a-9974-47a8e9c1779c",
|
||
"version": "KqlParameterItem/1.0",
|
||
"name": "Workspace",
|
||
"type": 5,
|
||
"description": "Select a Workspace to be used for 'Try it in your environment'",
|
||
"query": "resources\r\n| where type == 'microsoft.operationalinsights/workspaces'\r\n| project id ",
|
||
"crossComponentResources": [
|
||
"value::selected"
|
||
],
|
||
"value": null,
|
||
"typeSettings": {
|
||
"additionalResourceOptions": [],
|
||
"showDefault": false
|
||
},
|
||
"timeContext": {
|
||
"durationMs": 86400000
|
||
},
|
||
"queryType": 1,
|
||
"resourceType": "microsoft.resourcegraph/resources"
|
||
},
|
||
{
|
||
"id": "5ebef97c-5160-42bd-b280-72d6aab223db",
|
||
"version": "KqlParameterItem/1.0",
|
||
"name": "TableContent",
|
||
"type": 1,
|
||
"isGlobal": true,
|
||
"value": "false",
|
||
"isHiddenWhenLocked": true
|
||
},
|
||
{
|
||
"id": "f98351c1-d401-4693-ac2f-6c9a680d45b0",
|
||
"version": "KqlParameterItem/1.0",
|
||
"name": "Category",
|
||
"type": 1,
|
||
"isGlobal": true,
|
||
"value": "Home",
|
||
"isHiddenWhenLocked": true
|
||
},
|
||
{
|
||
"id": "af530d05-7eef-4936-9f87-84db821eebab",
|
||
"version": "KqlParameterItem/1.0",
|
||
"name": "About",
|
||
"type": 1,
|
||
"isGlobal": true,
|
||
"value": "false",
|
||
"isHiddenWhenLocked": true
|
||
}
|
||
],
|
||
"style": "pills",
|
||
"queryType": 0,
|
||
"resourceType": "microsoft.operationalinsights/workspaces"
|
||
},
|
||
"customWidth": "85",
|
||
"name": "parameters"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "list",
|
||
"links": [
|
||
{
|
||
"id": "a008f913-a200-487e-b7bd-0bb6eb01390e",
|
||
"cellValue": "TableContent",
|
||
"linkTarget": "parameter",
|
||
"linkLabel": "Table of Contents",
|
||
"subTarget": "true",
|
||
"style": "link"
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "15",
|
||
"name": "links-TableContent"
|
||
},
|
||
{
|
||
"type": 12,
|
||
"content": {
|
||
"version": "NotebookGroup/1.0",
|
||
"groupType": "editable",
|
||
"items": [
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "Workbook version: 1.0\r\n\r\n<br/>\r\n\r\nKusto Query Language (KQL) is the language used in Microsoft Sentinel to perform search, analysis, write detection rules and visualise data in Workbooks.\r\n\r\nThis interactive Workbook is designed to help you improve KQL proficiency by taking a use-case driven approach based on:\r\n- Grouping KQL operators/commands by Category for easy navigation. \r\n- Listing possible tasks an user would perform with KQL in Microsoft Sentinel. Each task includes KQL operators used, sample queries and use cases.<br/>\r\n- Compiling a list of existing content found in Microsoft Sentinel (Analytics Rules, Hunting Queries, Workbooks and etc) to provide additional references specific to the KQL operators you want to learn.\r\n- Allowing you to execute the sample queries on the fly with your own environment or \"LA Demo\" - a public demo environment. Try the sample KQL statements in real time without the need to navigate away from the Workbook.<br/> (**Note**: if using your own workspace, you need to ensure you have the relevant data already ingested) \r\n\r\n\r\n<h3><u>How to use this Workbook</u></h3>\r\n\r\n1. Begin by select a **Category** that suits the outcomes you would like to achieve with KQL. Alternatively, you can refer to \"**Table of Contents**\" for an overview of what is covered under each Category.\r\n\r\n2. After clicking on a Category, you will be presented a list of tasks under \"**I want to**\". Select a task that suits your requirement.\r\n\r\n3. Review the Operators, sample queries, sample use cases and reference resources found in Microsoft Sentinel accordingly.\r\n\r\n4. Try the queries in your own environment or \"LA Demo\" using the \"**Try it**\" buttons.<br/><br/>\r\n**Note:** <br/>\r\n - \"**Try it in your environment**\" button will only be visible when the **Workspace parameter** at the top of the Workbook is populated. <br/>\r\n - **LA Demo** environment might not have all the tables or data specified for each sample queries and use cases.\r\n\r\n <br/>\r\n ",
|
||
"style": "info"
|
||
},
|
||
"name": "Info"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "list",
|
||
"links": [
|
||
{
|
||
"id": "569815b4-eabb-4432-a35b-caa85b3e26ef",
|
||
"cellValue": "About",
|
||
"linkTarget": "parameter",
|
||
"linkLabel": "Close Overview",
|
||
"subTarget": "false",
|
||
"style": "primary"
|
||
}
|
||
]
|
||
},
|
||
"name": "links - CloseAbout"
|
||
}
|
||
]
|
||
},
|
||
"conditionalVisibility": {
|
||
"parameterName": "About",
|
||
"comparison": "isEqualTo",
|
||
"value": "true"
|
||
},
|
||
"name": "group - About"
|
||
},
|
||
{
|
||
"type": 12,
|
||
"content": {
|
||
"version": "NotebookGroup/1.0",
|
||
"groupType": "editable",
|
||
"items": [
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "---"
|
||
},
|
||
"name": "text - 3"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "<h2 style=\"color:blue;\">Table of Contents</h2>\r\n\r\n<sub>**Category** | <sub>**Scenarios** | <sub>**Operators used in samples** | <sub>**Data sources used in samples** | <sub>**Sample queries and use cases ** \r\n--- | --- | --- \r\n<sub>**Aggregation** | 1. Summarize activity frequency across time <br/> <br/> 2. Summarize by minimum or maximum column values <br/> <br/> 3. Perform counts by various criteria | summarize <br/> count() <br/> arg_max() <br/> arg_min() <br/> toreal() <br/> dcount() <br/> countif() <br/> sumif() <br/> percentiles() <br/> make_list() <br/> | SecurityEvent <br/> SigninLogs | - Returns summary of Account activity over the past 24 hours <br/> - Returns summary of the count of failed logon attempts by Azure resources <br/> - Detect password spray attack <br/> - Identify which users were added to a security-enabled group over the last day <br/> <br/> - Returns most current event rows by IP Address within the specified lookback period <br/> - Returns subset of columns for the most recent records within specified lookback period <br/> - Returns oldest columns within specified lookback period <br/> - Identify accounts for which most recent activity was logon <br/> - Detect infrequently used accounts over the past 90 days <br/> <br/> - Returns a distinct count of computers successfully logged on to based on Account type <br/> - Performs a conditional count based on rows that meet the specified criteria <br/> - Performs a summation on rows that meet the specified criteria <br/> - Creates a list of unique computers <br/> - Obtain a summary of failed vs successful logons by time and location <br/> - Groups computers by percentile based on \"oldest missing updates\"\r\n<sub>**Converting Value** | 1. Type casting a field - Converting from one data type to another <br/> <br/> 2. Change the case of the string in a field | todynamic() <br/> tostring() <br/> todatetime() <br/> mv-expand <br/> toupper() <br/> tolower() <br/> | VMProcess <br/> SecurityEvent <br/> SecurityAlert | - Returns the Service DisplayName from the VM Processes <br/> - Returns the record at a specific time <br/> - Returns the MTP Alert URL from the MDATP Alert in the SecurityAlerts table <br/> - Extract UserName from a json element from within an Array in the Windows Event <br/> - Extract the UserPrincipal Name from the Windows Security Event 411 <br/> - List all comments added to Closed Incidents in Microsoft Sentinel from the past 24 hours <br/> <br/> - Convert Computer hostname to lowercase <br/> - Convert AccountName to upper case in Windows Security Logs <br/> - Compare the Account Name in the Windows Security Event Logs with a Dynamic List of Accounts \r\n<sub>**Correlation** |1. Combine and query data from two tables with a common field <br/> <br/> 2. Combine and query all records from multiple tables | join <br/> union <br/> count() <br/> sort <br/> | DeviceInfo <br/> SecurityEvent <br/> UpdateSummary <br/> DeviceTvmSoftwareVulnerabilities | - Returns a list of records from the SecurityEvent and SecurityAlert tables that share a matching computer name <br/> - Returns a list of records from the DeviceInfo and DeviceLogoon tables that havea matchin DeviceName <br/> - Detect whether admin accounts are being used on Windows Endpoints <br/> - Detect virtual machines on which a logon type of 'Network' was registered <br/> <br/> - Returns list of records from two tables with multiple common fields <br/> - Returns a list all tables with data in the workspace showing the record count for each <br/> - Combine multiple tables to produce a result set with a subset of columns that are common to all of the input tables <br/>- Returns a list vulnerabilities from Microsoft Defender for Endpoint that have a severity level of \"Critical\" or \"High\" with a CVSS score of greater than 7 and have a known public exploit <br/> - Returns a list of any accounts that were created but have never been used even once over the past 90 days\r\n<sub>**Dealing with Array Value** | 1. Expands dynamic array values into rows or columns <br/> <br/> 2. Packs multiple fields into a dynamic array | mv-expand <br/> pack_array() <br/> pack() <br/> make_list() <br/> make_set() <br/> | SecurityAlert <br/> SecurityIncident <br/> SecurityEvent | - Expands Host entities from SecurityAlert into multiple rows <br/> - Expands Account entities from SecurityAlert into multiple rows <br/> - Expands Incident tags into multiple rows <br/> - Expands Incident Alert Ids into multiple rows <br/> - Expands AlertIds of Incident to correlate with SecurityAlert <br/> <br/> - Packs Incident Title, Severity and Status fields as Incident Details <br/> - Summary of Account logon with a column packed with Computer <br/> - Summary of Account logon with a column packed with Computer and Datetime <br/> - Summary of Event IDs (packed in a column) by Computer <br/> - Packs IPAddress, Location and ClientAppUsed fields into an array for AAD SignIn failure <br/> - Summary of AAD SignIn with status and IP Address packed into columns <br/> - Summary of AAD SignIn with distinct IP Address, OS, Browser, Location, ResultType and AppDisplayName by Account <br/> - Summary of AAD SignIn with distinct IP Address and Location packed into a column \r\n<sub>**Dealing with Datetime** | 1. Filter a specific datetime or time range <br/> <br/> 2. Compare datetime <br/> <br/> 3. Add or deduct a datetime value <br/> <br/> 4. Convert datetime <br/> <br/> 5. Extract datetime from a field| ago() <br/> between() <br/> now() <br/> dayofweek() <br/> dayofmonth() <br/> dayofyear() <br/> hourofday() <br/> endofweek() <br/> endofmonth() <br/> endofyear() <br/> startofday() <br/> startofweek() <br/> startofmonth() <br/> startofyear() <br/> datetime_diff() <br/> iif() <br/> next() <br/> datetime_add() <br/> Numerical Operator (+,-) <br/> format_datetime() <br/> getmonth() <br/> getyear() <br/> | SecurityEvent <br/> SecurityIncident <br/> CommonSecurityLog | - Returns SecurityEvent records for the past 7 days <br/> - Returns SecurityEvent records for the past 30 minutes <br/> - Returns SecurityEvent records from '2021-07-16' to '2021-07-24' <br/> - Returns SecurityEvent records from '2021-07-21 16:20:00' to now <br/> - Returns SecurityEvent records for Monday to Saturday, 7am to 7pm (UTC) <br/> - Failed logons on computers by month <br/> - Calculates the ingestion delay and returns the top percentiles by computer <br/> <br/> - Calculates the difference in minute between TimeGenerated and now <br/> - Calculates the difference in second between TimeGenerated of every recond ingested by a computer <br/> - Calculates the difference in Hour between Incident creation time and closure time <br/>- Finds CEF records by computer where last received time is more than 30 minutes ago <br/> - Compares the ingestion volume of security events between now and 3 days ago <br/> <br/> - Add 2 hours to TimeGenerated (for time offset) <br/> - Minus 8 hours from TimeGenerated (for time offset) <br/> - Perform subtraction between two dates using the numerical operator <br/>- Calculates the ingestion delay and returns the top percentiles by computer <br/> <br/> - Formats TimeGenerated to 'yy/MM/dd HH:mm:ss' <br/> - Formats TimeGenerated to 'yyyy/MM/dd' <br/> - Shows AM /PM hours <br/> - Calculates the daily Incident count for the last 7 days <br/> <br/> - Get the month number from TimeGenerated and summarize the event count <br/> - Get the total security event by day of week <br/>- Returns windows logon events on Satuday and Sunday \r\n<sub>**Dealing with IP Address** | 1. Match IP addresses in the ingested logs with a known IP subnet <br/> <br/> 2. Compare IP addresses in the ingested logs with a known IP subnet <br/> <br/> 3. Check if IP Addresses in the ingested log is a private network IP <br/> <br/> 4. Matching IP Addresses in a text field <br/> <br/> 5. Lookup IP Addresses against a GeoIP table | ipv4_is_match() <br/> ipv6_is_match() <br/> ipv4_compare() <br/> ipv6_compare() <br/> ipv4_is_private() <br/> has_ipv4() <br/> has_any_ipv4() <br/> ipv4_lookup() <br/> externaldata <br/> | Heartbeat <br/> DnsEvents <br/> SophosXGFirewall <br/> VMConnection <br/> W3CIISLog <br/> AzureDiagnostics <br/> Corelight <br/> CommonSecurityLog <br/> AzureActivity | - Populate a column if an IPv4 address is within a known network subnet <br/> - Filter out 127.0.0.1 as Client IP from DNS Events <br/> - Detect a Port Scan <br/> <br/> - Populate a column if an IPv4 address is within a known network subnet <br/> - Tag communications as External/Internal based on IP Addresses <br/> <br/> - Check if an IP Address is private <br/> - Filter out all Public IPs from logs <br/>- Detect the presence of an External Proxy <br/> <br/> - Filter logs based on an IP Address <br/> - Filter logs based on a list of IP Addresses <br/>- Look for an IP Address match in multiple fields <br/> - Look for an IP Address match in Threat Intelligence Indicators <br/> <br/> - Lookup IP Address in the Azure Activity table against a GeoIP table \r\n<sub>**Dealing with Fields** | 1. Concatenate field to form a single string and write it to a new column <br/> <br/> 2. Split characters from a string field and extract a part of it <br/> <br/> 3. Conditionally write in a column <br/> <br/> 4. Validate and/or filter on a field value being empty or null <br/> <br/> 5. Conditionally populate a field based on other values in logs | strcat() <br/> split() <br/> iif() <br/> isempty() <br/> isnotempty() <br/> isnull() <br/> isnotnull() <br/> case() <br/> column_ifexists() <br/> | DeviceInfo <br/> SecurityEvent <br/> DnsEvents <br/> ProtectionStatus <br/> OfficeActivity <br/> AzureDiagnostics <br/> SecurityAlert | - Concatenated string that uses constant string and values from Fields <br/> - Identify when a password change occurs on a host <br/> <br/> - Split the FQDN and extract the hostname <br/> - Split the Account field and extract the Account Name <br/>- Identify user account interactive logons to new devices <br/> <br/> - Report of Windows machines that are/are not Protected by Windows Defender <br/>- Count Number of Logon and Logoff events for a host in the last 12 hours <br/> <br/> - Filter out records where the EventData field doesn't have a value in the Windows Security Events <br/> - Filter out records where the OfficeObjectID field have a value in the Office365 logs <br/> - Filter out records where the Event ID = 4688 and ParentProcessName field have a null value in the Windows Security Events <br/> - Check for a known IP IoC in the Azure AD SignIn Logs <br/> - Check for least common Parent And Child Process Pairs within the Security Events collected from the Windows Security Events <br/> <br/> - List Business orgs based on Source IPs <br/> - Create and update a field value based on a value from another column if it exists, or else, use a default value <br/>- Order Security Alerts based on Severity (High to Low)\r\n<sub>**Filter** | 1. Perform a simple filter on string <br/> <br/> 2. Perform a simple filter on integer <br/> <br/> 3. Limit results <br/> <br/> 4. Filter using regex <br/> <br/> 5. Filter events that occurred consecutively or in a specific sequence/pattern | == <br/> != <br/> in <br/> !in <br/> > <br/> < <br/> >= <br/> <= <br/> take <br/> limit <br/> top <br/> matches regex <br/> make_list <br/> mv-apply <br/> prev <br/> minif() <br/> maxif() <br/> | AzureActivity <br/> SecurityIncident <br/> SecurityAlert <br/> SecurityEvent <br/> LAQueryLogs <br/> SigninLogs | - Returns Storage Accounts List keys action with success status value <br/> - Returns Key Vault access policies update with status value NOT equal to \"Failure\" <br/> - Returns Microsoft Sentinel incidents with High and Medium severity <br/> - Returns Microsoft Sentinel closed incidents with classification not equal to FalsePositive and Undetermined <br/> - Returns Storage Accounts List keys action with success status value <br/> - Returns Key Vault access policies update with status value NOT equal to \"Failure\" <br/> - Returns Microsoft Sentinel incidents with High and Medium severity <br/> - Returns Microsoft Sentinel closed incidents with classification not equal to FalsePositive and Undetermined <br/> - Returns Powershell command executions on Virtual Machine <br/> - Summarizes Security Events count by Account and Activity but excluding Workgroup account <br/> - Returns account logon successfully events for Computer with prefix \"DC0\" <br/> - Returns special privileges assigned to new logon events for Computer with suffix \"contosohotels.com\" <br/> - Returns special privileges assigned to new logon events for Computer NOT end with \"contosohotels.com\" <br/> - Returns Powershell command executions on Virtual Machine <br/> - Summarizes Security Events count by Account and Activity but excluding Workgroup account <br/> - Returns total logon successful events for Computer with prefix \"DC00\" or \"DC01\" <br/> - Returns total security events for Computer with hostname \"DC01\" and domain name \"contosohotels\" <br/> - Returns special privileges assigned to new logon events for Computer with suffix \"contosohotels.com\" <br/> - Returns special privileges assigned to new logon events for Computer NOT end with \"contosohotels.com\" <br/>- SignIn logs with results NOT equal to result type \"success\" (0), \"interupted because of password reset\" (50125) and \"keep me signed in\" (50140) <br/> <br/> - Returns Windows logon successful and failure events <br/> - Returns Computer with more than 1000 security eventsr <br/> - Identifies queries execution more than 10 seconds <br/> - Identifies unsuccessful query executions <br/> <br/> - Take 10 random records from the SecurityEvent table <br/> - Take 5 newest records from the SecurityEvent table <br/> - Identifies top 20 Sign-in locations <br/> - Returns Security Incidents with tactics consist of \"Persistence\" or \"PreAttack\" <br/> <br/> - Returns Security Events where hostname starts with \"DC\" and domain name ends with \"contosohotels.com\" <br/> - Returns Security Events where Account name contains \"admin\" while domain name consists of any word character or digit <br/> - Returns Security Alerts with HostName entity that has prefix \"DESKTOP\" <br/> <br/> - Returns windows logon events where logon failure occurred before logon success within the 30 minutes window <br/> - Returns accounts with more than five AAD signin failures and at least a signin success event within the 30 minutes window <br/> - Returns accounts who have two AAD signin failures in a row, followed by a successful logon <br/> - Identifies Sign-in Failure after ProofPoint ClicksPermitted event <br/> - Identifies brute force attack against Azure Portal with the pattern of 5 consecutive failures followed by 1 successful logon within 30 minutes\r\n<sub>**Anomalies** | 1. Detect anomalies within time series data <br/> <br/> 2. Detect outliers within time series data <br/> <br/> 3. Detect anomalous activities based on built-in customizable rules | series_decompose_anomalies() <br/> series_outliers() <br/> series_fit_line() <br/> basket() <br/> make-series <br/> materialize() <br/> dcount() <br/> range <br/> summarize <br/> iif() <br/> avg <br/> project-away <br/> | Anomalies <br/> SigninLogs <br/> SecurityEvent <br/> AzureActivity <br/> Usage | - Create a Time series across 30 days with samples taken over 1 day intervals <br/> - Create a Time series across 30 days with samples taken over 1 day intervals, then plot a chart to visualize the distribution <br/> - Detect the creation of an anomaulous number of resources <br/> - Detect authentication attempts from an unusually large number of locations <br/> - Returns a number of tables from your workspace that have experienced an anomalous ingestion in relation to the established baseline over the past 30 days <br/> <br/> - Plot a chart to show deviation/outliers from expected pattern of input values <br/> - Returns a list of accounts, whether that account is an admin, how many machines did they log into, and the average number of machines they usually login to across the previous 5 days <br/> <br/> - Correlate and trigger an incident based on events in the anomalies table\r\n<sub>**Function** | 1. Bind name to expression using 'let' operator <br/> <br/> 2. Create or save a query as function for reuse purposes <br/> <br/> 3. Build an ASIM Normalizing parser <br/> | let <br/> datatable() <br/> where <br/> union <br/> distinct <br/> | SecurityEvent <br/> Heartbeat <br/> SigninLogs <br/> OfficeActivity <br/> SecurityIncident | - Use let operator to bind a constant <br/> - Use let operator to bind a dynamic list <br/> - Use let operator to bind scalar value <br/> - Use let operator to bind expression <br/> - Identifies account with the number of Azure AD logon failure exceeded the defined threshold <br/> - Returns Azure AD logon failure events within a specified time range <br/> - Returns AAD logon events NOT matches a list of result types <br/> - Returns \"Special privileges assigned to new logon\" Security Events for a list of pre-defined servers <br/> - Returns SharePointFileOperation via devices with user agents unseen in last 90 days <br/> <br/> - Returns both AAD Signin failure and Windows logon failure with a single command \"LogonFailure\" <br/> - Returns Microsoft Sentinel Incidents with specified status (single parameter) <br/> - Returns Microsoft Sentinel Incidents with specified status and severity (two parameters) <br/> - Create an ASIM ProcessEvent parser\r\n<sub>**Parsing** | 1. Extract entities from fields in logs <br/> <br/> 2. Extract elements from a text field <br/> <br/> 3. Create custom properties from a string expression <br/> | extend <br/> extract_all <br/> mv-apply <br/> isnotempty()<br/> tostring() <br/> join <br/> parse <br/> parse_json <br/> distinct <br/> extract <br/> split <br/> | SecurityAlert <br/> SigninLogs <br/>AzureActivity <br/> Syslog <br/> SecurityEvent <br/> AzureDiagnostics | - Extract Hostname from Entity field(JSON) in SecurityAlert table <br/> - Extract City, State and Country from LocationDetails field (dynamic) in Signin Logs <br/> - Extract a Username from a User Principal Name (UPN) <br/> - Identify a vulnerable host with a publicly exploitable vulnerability that also has suspicious file activity on it <br/> - Detect ransomware on a device protected by Microsoft Defender for Endpoint <br/> <br/> - Extract URL from a Syslog message <br/> - Extract Domain from a Syslog message <br/> - Extract HTTP Status code from a Syslog message <br/> - Extract IP and compare addresses from Syslog messages <br/> - Identify top 5 target accounts with failed logon attempts <br/> <br/> - Extract multiple fields from block a block of text within a single field <br/> - Create columns from a custom table text field <br/>- Lookup IP addresses against a GeoLookup list imported into a custom table\r\n<sub>**Using Watchlist Data** | 1. List items in a Watchlist <br/> <br/> 2. Correlate Watchlist items <br/> <br/> 3. Get Watchlist Aliases in Microsoft Sentinel <br/> <br/> 4. Correlate entities with UEBA Watchlists for Behavioral Analytics <br/> | _GetWatchlist() <br/> _GetWatchlist() <br/> | Heartbeat <br/> AzureActivity <br/> SecurityEvent <br/> SecurityAlert | - Returns top 10 watchlist items after sorting the entire watchlist by TimeGenerated <br/> - Returns all Watchlist items added in the last 24 hours <br/> <br/> - Returns the records that match the IPs from a Watchlist <br/> - Alert if item found in Watchlist <br/> - Alert if item not found in Watchlist <br/>- Known Malicious IP found in MCAS Logs <br/> - Monitor users running Log Analytics queries that contain filters for VIPUser watchlist <br/> <br/> - Returns 10 watchlist aliases configured in Microsoft Sentinel <br/> - Returns all Watchlists aliases that have the string VIP in the Alias configured in Microsoft Sentinel <br/> <br/> - Correlate High-Value Assets Watchlist with Security Events <br/> - Correlate Service Accounts' logon activity with Security Events <br/>- Alert on malicious file activity around a high value Assets that also have identified vulnerabiites"
|
||
},
|
||
"conditionalVisibility": {
|
||
"parameterName": "TableContent",
|
||
"comparison": "isEqualTo",
|
||
"value": "true"
|
||
},
|
||
"name": "TableContent"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "list",
|
||
"links": [
|
||
{
|
||
"id": "779307c3-7914-4b49-b23a-56897f877fe2",
|
||
"cellValue": "TableContent",
|
||
"linkTarget": "parameter",
|
||
"linkLabel": "Close",
|
||
"subTarget": "false",
|
||
"style": "primary"
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "15",
|
||
"name": "links - 1"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "---"
|
||
},
|
||
"name": "text - 2"
|
||
}
|
||
]
|
||
},
|
||
"conditionalVisibility": {
|
||
"parameterName": "TableContent",
|
||
"comparison": "isEqualTo",
|
||
"value": "true"
|
||
},
|
||
"name": "group - TableContent"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "\r\n## Category"
|
||
},
|
||
"name": "text - Category"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "bullets",
|
||
"links": [
|
||
{
|
||
"id": "296bdef5-34b1-4dcc-a29c-bd10a6c23e75",
|
||
"cellValue": "Category",
|
||
"linkTarget": "parameter",
|
||
"linkLabel": "Aggregation",
|
||
"subTarget": "Aggregation",
|
||
"postText": "",
|
||
"style": "primary"
|
||
},
|
||
{
|
||
"id": "6cb0f5f1-39c9-473c-addb-3529ed9363f2",
|
||
"cellValue": "Category",
|
||
"linkTarget": "parameter",
|
||
"linkLabel": "Converting value",
|
||
"subTarget": "Converting Value",
|
||
"style": "primary"
|
||
},
|
||
{
|
||
"id": "62c028aa-d343-4cd9-add2-1c87e16b9c8a",
|
||
"cellValue": "Category",
|
||
"linkTarget": "parameter",
|
||
"linkLabel": "Correlation",
|
||
"subTarget": "Correlation",
|
||
"style": "primary"
|
||
},
|
||
{
|
||
"id": "46eacd47-1771-4643-81f4-d1cda23885f3",
|
||
"cellValue": "Category",
|
||
"linkTarget": "parameter",
|
||
"linkLabel": "Dealing with Array values",
|
||
"subTarget": "Dealing with Array Values",
|
||
"style": "primary"
|
||
},
|
||
{
|
||
"id": "677f128e-3265-4aff-850d-b1c9ed5645f8",
|
||
"cellValue": "Category",
|
||
"linkTarget": "parameter",
|
||
"linkLabel": "Dealing with Datetime",
|
||
"subTarget": "Dealing with Datetime",
|
||
"style": "primary"
|
||
},
|
||
{
|
||
"id": "eb1f5ec9-7461-49cc-bef9-b8b46ba62008",
|
||
"cellValue": "Category",
|
||
"linkTarget": "parameter",
|
||
"linkLabel": "Dealing with IP address",
|
||
"subTarget": "Dealing with IP Addresses",
|
||
"style": "primary"
|
||
},
|
||
{
|
||
"id": "a50ed89e-55a6-4560-906a-f9b6249cd007",
|
||
"cellValue": "Category",
|
||
"linkTarget": "parameter",
|
||
"linkLabel": "Dealing with Fields",
|
||
"subTarget": "Dealing with Fields",
|
||
"style": "primary"
|
||
},
|
||
{
|
||
"id": "89e784f8-eafd-4302-88d6-1067079318a4",
|
||
"cellValue": "Category",
|
||
"linkTarget": "parameter",
|
||
"linkLabel": "Filter",
|
||
"subTarget": "Filter",
|
||
"style": "primary"
|
||
},
|
||
{
|
||
"id": "27fcd8e8-7c9b-42e8-ac90-196b5a9cac8c",
|
||
"cellValue": "Category",
|
||
"linkTarget": "parameter",
|
||
"linkLabel": "Anomalies",
|
||
"subTarget": "Anomalies",
|
||
"style": "primary"
|
||
},
|
||
{
|
||
"id": "e1015018-0a40-4dbd-b839-eb0ecc1e601e",
|
||
"cellValue": "Category",
|
||
"linkTarget": "parameter",
|
||
"linkLabel": "Functions (e.g. parser, parameterized)",
|
||
"subTarget": "Functions",
|
||
"style": "primary"
|
||
},
|
||
{
|
||
"id": "d977b78d-6f50-4b52-97e8-f874ba083496",
|
||
"cellValue": "Category",
|
||
"linkTarget": "parameter",
|
||
"linkLabel": "Parsing",
|
||
"subTarget": "Parsing",
|
||
"style": "primary"
|
||
},
|
||
{
|
||
"id": "232f79ed-3fbb-46d4-b2fc-723d01e6fb4b",
|
||
"cellValue": "Category",
|
||
"linkTarget": "parameter",
|
||
"linkLabel": "Using Watchlist Data",
|
||
"subTarget": "Using Watchlist Data",
|
||
"style": "primary"
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "50",
|
||
"name": "MainMenu"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "\r\n <img width='250' src='https://github.com/tatecksi/SentinelPlaybooks/blob/master/SentinelKQL_Medium.png?raw=true'/>\r\n"
|
||
},
|
||
"customWidth": "50",
|
||
"name": "Image"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "---"
|
||
},
|
||
"name": "text - 3"
|
||
},
|
||
{
|
||
"type": 12,
|
||
"content": {
|
||
"version": "NotebookGroup/1.0",
|
||
"groupType": "editable",
|
||
"items": [
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "# {Category}\r\n\r\n\r\n<h2 style=\"color:blue;\">Overview:</h2>\r\n\r\nDatetime is one of the most common data types that users need to deal with in Microsoft Sentinel. For example, filtering your records based on specific dates, days or hours.\r\n\r\nDatetime value in Microsoft Sentinel is always in the UTC time zone. Displaying datetime values in other time zones is the responsibility of the user application that displays the data, not a property of the data itself. Should time zone values be required to be kept as a part of the data, a separate columns should be used (providing offset information relative to UTC).\r\n\r\nBesides that, every table in the workspace has the following built-in columns which will be populated by default when data are being ingested into the table.\r\n\r\n- [TimeGenerated](https://docs.microsoft.com/azure/azure-monitor/logs/log-standard-columns#timegenerated-and-timestamp)\r\n- [_TimeReceived](https://docs.microsoft.com/azure/azure-monitor/logs/log-standard-columns#_timereceived)\r\n- [ingestionTime](https://docs.microsoft.com/azure/kusto/query/ingestiontimefunction)\r\n\r\n\r\n<br>\r\n"
|
||
},
|
||
"name": "text - 0"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "<h2 style=\"color:blue;\">I want to:</h2>"
|
||
},
|
||
"name": "text - 2"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "list",
|
||
"links": [
|
||
{
|
||
"id": "10c45a2a-2b70-422e-9997-0e4f315f7727",
|
||
"cellValue": "Section",
|
||
"linkTarget": "parameter",
|
||
"linkLabel": "1. Filter a specific datetime or time range",
|
||
"subTarget": "Datetime1",
|
||
"preText": "",
|
||
"style": "link"
|
||
},
|
||
{
|
||
"id": "40988c97-79b0-481a-b5a8-390f16783e15",
|
||
"cellValue": "Section",
|
||
"linkTarget": "parameter",
|
||
"linkLabel": "2. Compare datetime",
|
||
"subTarget": "Datetime2",
|
||
"preText": "",
|
||
"style": "link"
|
||
},
|
||
{
|
||
"id": "d9333cfe-ce35-4cb3-b0e2-eaa2edf263d4",
|
||
"cellValue": "Section",
|
||
"linkTarget": "parameter",
|
||
"linkLabel": "3. Add or deduct a datetime value",
|
||
"subTarget": "Datetime3",
|
||
"preText": "",
|
||
"style": "link"
|
||
},
|
||
{
|
||
"id": "6f6aba5d-73f6-4b20-b473-6f4cd910f494",
|
||
"cellValue": "Section",
|
||
"linkTarget": "parameter",
|
||
"linkLabel": "4. Convert datetime",
|
||
"subTarget": "Datetime4",
|
||
"preText": "",
|
||
"style": "link"
|
||
},
|
||
{
|
||
"id": "b4871307-daac-4a5c-83d1-66c7954b2286",
|
||
"cellValue": "Section",
|
||
"linkTarget": "parameter",
|
||
"linkLabel": "5. Extract datetime from a field",
|
||
"subTarget": "Datetime5",
|
||
"preText": "",
|
||
"style": "link"
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "30",
|
||
"name": "links - 1"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "## 1. Filter a specific datetime or time range\r\n\r\n### a) By date, day or time\r\n\r\n<h3 style=\"color:blue;\"> Operators to be used:</h3>\r\n\r\n **- [ago()](https://docs.microsoft.com/azure/data-explorer/kusto/query/agofunction)**\r\n\r\n **- [between()](https://docs.microsoft.com/azure/data-explorer/kusto/query/betweenoperator)**\r\n\r\n **- [now()](https://docs.microsoft.com/azure/data-explorer/kusto/query/nowfunction)**\r\n\r\n **- [dayofweek()](https://docs.microsoft.com/azure/data-explorer/kusto/query/dayofweekfunction)**\r\n\r\n **- [hourofday()](https://docs.microsoft.com/azure/data-explorer/kusto/query/hourofdayfunction)**\r\n\r\n<br>\r\n\r\n<h3 style=\"color:blue;\"> Sample queries:</h3>\r\n\r\n** - Returns SecurityEvent records for the past 7 days**\r\n\r\n<p style=\"color:red;\"> SecurityEvent <br> | where TimeGenerated > ago(7d)</p>\r\n\r\n** - Returns SecurityEvent records for the past 30 minutes **\r\n\r\n<p style=\"color:red;\"> SecurityEvent <br> | where TimeGenerated > ago(30m)</p>\r\n\r\n** - Returns SecurityEvent records from '2021-07-16' to '2021-07-24'**\r\n\r\n<p style=\"color:red;\"> SecurityEvent <br> | where TimeGenerated between (datetime('2021-07-16')..datetime('2021-07-24'))</p>\r\n\r\n** - Returns SecurityEvent records from '2021-07-21 16:20:00' to now**\r\n\r\n<p style=\"color:red;\"> SecurityEvent <br> | where TimeGenerated between (datetime('2021-07-21 16:20:00')..now())</p>\r\n\r\n** - Returns SecurityEvent records for Monday to Saturday, 7am to 7pm (UTC) **\r\n\r\n<p style=\"color:red;\"> SecurityEvent <br> | where dayofweek(TimeGenerated) !=0d // To retrieve data for all days except Sunday.<br> | where (hourofday(TimeGenerated)>7 and hourofday(TimeGenerated)<19) // To filter 7am – 7pm</p>\r\n\r\n<br>\r\n\r\n<h3 style=\"color:blue;\"> Sample use cases:</h3>\r\n\r\n** - Failed logons on computers by month **\r\n\r\n<p style=\"color:red;\"> SecurityEvent <br> | where EventID == 4625<br> | extend month = getmonth(TimeGenerated)<br> | summarize FailedLogonCount=count() by month </p>\r\n\r\n** - Calculates the ingestion delay and returns the top percentiles by computer **\r\n\r\n<p style=\"color:red;\"> SecurityEvent <br> | extend delay = ingestion_time() - TimeGenerated <br> | summarize percentiles(delay,95,99) by Computer</p>\r\n<br>"
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Datetime1"
|
||
},
|
||
"name": "text-Datetime1"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "60",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Datetime1"
|
||
},
|
||
"name": "space1-Datetime1"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "b1f79330-0e49-4c7a-b93d-773efd47d889",
|
||
"cellValue": "https://ms.portal.azure.com#@72f988bf-86f1-41af-91ab-2d7cd011db47/blade/Microsoft_Azure_Monitoring_Logs/LogsBlade/resourceId/%2Fsubscriptions%2F8bdcebd2-ea3d-41c9-bb40-e02bdbafc506%2FresourceGroups%2Foms%2Fproviders%2FMicrosoft.OperationalInsights%2Fworkspaces%2Foms101/source/LogsBlade.AnalyticsShareLinkToQuery/q/H4sIAAAAAAAAAwtOTS4tyiypdC1LzSsBAIySJcsNAAAA/timespan/P1D",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in LA Demo",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "DemoLogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "/Demo"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA72V32%2FaMBDH3%2FkrbuKBROJHSFsiqqXSxtiE2u2hsOfJJAdEi%2B3MdqBMe9j%2FsP%2Bwf0nPhhZoRQUa2wmh2D6%2Bd5%2BL72i1Gq%2FZQGijysRkUrzq92iVVos%2BANeZSPMlaCyYYgbhR4kqQw1jzOUCxktQyOU8E1OoVqtwM%2FjSh%2Fe3%2FXfXdrnSOCjcoUZ6t2hKJTQMMSlVZpb9OQpDaSRSpRomUoGZIRRMG4ggZUtd2fGs%2FILFDBXCKOP4CQVarBSugE2lF6U%2BRajuNdgmhP1%2BT3ZcvmcB8EyUBo%2FJ%2BSzg%2Fz1pJTnUwiBsN4Ko0e7UwMjNOjyvHZT%2BGM0CUYCX0tLQkbct6TebL%2FdJ2j8ctv8vaMM2tDuXYXAZBA5byMXf0m5LEjYpekdQnu4efpaC%2BsVCDRn50nMdIsbtRlRw8L6Oev4eVvKVE%2BL77u1Q%2B%2FAmDlKgQTKSFMrQ6JhbZ8NcQJbnrkMB7xIsDAxLm0DzSdWbyVLJCe09k72KgIkU9h2%2FbXf9ddBJlhtUDuP%2B9x%2FLcfLCfmRZTi84l1NJ5ZUCEskLamKl7XzkUpjZnqq51eADxDGcd8IL2sc7gwTmfgQxTNG4x2d85KhLzpnKfiKswt%2FY6D1ZChMn9tvzN8FPDdxjeVLmlIl2o4uGP2r7xwIp5nR%2F7JtR68tmz40soECVECtl6oryWKEXdVnzr4TijfQ31zE%2BNHa7aqcQWzE8J1DvXtS7XVeI3jrgA8LrKOgmBwAA"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "16",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Datetime1"
|
||
},
|
||
"name": "TryLADemo-Datetime1"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "24dd3e02-4daf-4af5-bd5d-5c4953daae34",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in your environment",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "LogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "{Workspace}"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA72V32%2FaMBDH3%2FkrbuKBROJHSFsiqqXSxtiE2u2hsOfJJAdEi%2B3MdqBMe9j%2FsP%2Bwf0nPhhZoRQUa2wmh2D6%2Bd5%2BL72i1Gq%2FZQGijysRkUrzq92iVVos%2BANeZSPMlaCyYYgbhR4kqQw1jzOUCxktQyOU8E1OoVqtwM%2FjSh%2Fe3%2FXfXdrnSOCjcoUZ6t2hKJTQMMSlVZpb9OQpDaSRSpRomUoGZIRRMG4ggZUtd2fGs%2FILFDBXCKOP4CQVarBSugE2lF6U%2BRajuNdgmhP1%2BT3ZcvmcB8EyUBo%2FJ%2BSzg%2Fz1pJTnUwiBsN4Ko0e7UwMjNOjyvHZT%2BGM0CUYCX0tLQkbct6TebL%2FdJ2j8ctv8vaMM2tDuXYXAZBA5byMXf0m5LEjYpekdQnu4efpaC%2BsVCDRn50nMdIsbtRlRw8L6Oev4eVvKVE%2BL77u1Q%2B%2FAmDlKgQTKSFMrQ6JhbZ8NcQJbnrkMB7xIsDAxLm0DzSdWbyVLJCe09k72KgIkU9h2%2FbXf9ddBJlhtUDuP%2B9x%2FLcfLCfmRZTi84l1NJ5ZUCEskLamKl7XzkUpjZnqq51eADxDGcd8IL2sc7gwTmfgQxTNG4x2d85KhLzpnKfiKswt%2FY6D1ZChMn9tvzN8FPDdxjeVLmlIl2o4uGP2r7xwIp5nR%2F7JtR68tmz40soECVECtl6oryWKEXdVnzr4TijfQ31zE%2BNHa7aqcQWzE8J1DvXtS7XVeI3jrgA8LrKOgmBwAA"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "22",
|
||
"conditionalVisibilities": [
|
||
{
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Datetime1"
|
||
},
|
||
{
|
||
"parameterName": "Workspace",
|
||
"comparison": "isNotEqualTo"
|
||
}
|
||
],
|
||
"name": "TryOwnEnv-Datetime1"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "30",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Datetime1"
|
||
},
|
||
"name": "space2-Datetime1"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "<br>\r\n\r\n<h3 style=\"color:blue;\"> Check out the relevant samples found in Microsoft Sentinel:</h3>\r\n\r\n#### Analytics Rules:\r\n\r\n **- [User account enabled and disabled within 10 mins](https://github.com/Azure/Azure-Sentinel/blob/45da87dec250017c0fd45cb55842e6d6cde8f1ee/Detections/SecurityEvent/UserAccountEnabledDisabled_10m.yaml)**\r\n\r\n **- [User account created and deleted within 10 mins](https://github.com/Azure/Azure-Sentinel/blob/45da87dec250017c0fd45cb55842e6d6cde8f1ee/Detections/SecurityEvent/UserAccountCreatedDeleted_10m.yaml)**\r\n\r\n **- [User login from different countries within 3 hours (Uses Authentication Normalization)](https://github.com/Azure/Azure-Sentinel/blob/84deef53a17d0f989b9098d92e051fad09d9e568/Detections/ASimAuthentication/imAuthSigninsMultipleCountries.yaml)**\r\n\r\n **- [Failed logon attempts by valid accounts within 10 mins](https://github.com/Azure/Azure-Sentinel/blob/45da87dec250017c0fd45cb55842e6d6cde8f1ee/Detections/SecurityEvent/gte_6_FailedLogons_10m.yaml)**\r\n\r\n **- [TI map URL entity to Syslog data](https://github.com/Azure/Azure-Sentinel/blob/06832a873e1686244f0bc02b10f79ba879078864/Detections/ThreatIntelligenceIndicator/URLEntity_Syslog.yaml)**\r\n\r\n#### Hunting Queries:\r\n\r\n **- [User account created and then deleted within 10 minutes across last 14 days](https://github.com/Azure/Azure-Sentinel/blob/158019e9f69d847f506d2f1ba05af0bad64b66dd/Hunting%20Queries/SecurityEvent/UserAccountCreatedDeleted.yaml)**\r\n\r\n **- [SharePointFileOperation via devices with previously unseen user agents](https://github.com/Azure/Azure-Sentinel/blob/83c6d8c7f65a5f209f39f3e06eb2f7374fd8439c/Hunting%20Queries/OfficeActivity/new_sharepoint_downloads_by_UserAgent.yaml)**\r\n\r\n **- [Inactive or New Account Usage](https://github.com/Azure/Azure-Sentinel/blob/83c6d8c7f65a5f209f39f3e06eb2f7374fd8439c/Hunting%20Queries/GitHub/Inactive%20or%20New%20Account%20Usage.yaml)**\r\n\r\n **- [Suspicious Windows Login outside normal hours](https://github.com/Azure/Azure-Sentinel/blob/83c6d8c7f65a5f209f39f3e06eb2f7374fd8439c/Hunting%20Queries/SecurityEvent/Suspicious_Windows_Login_outside_normal_hours.yaml)**\r\n\r\n **- [Login spike with increase failure rate](https://github.com/Azure/Azure-Sentinel/blob/83c6d8c7f65a5f209f39f3e06eb2f7374fd8439c/Hunting%20Queries/SigninLogs/LoginSpikeWithIncreaseFailureRate.yaml)**\r\n\r\n#### Workbook:\r\n\r\n **- [ExchangeOnline](https://github.com/Azure/Azure-Sentinel/blob/83c6d8c7f65a5f209f39f3e06eb2f7374fd8439c/Workbooks/ExchangeOnline.json)**\r\n"
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Datetime1"
|
||
},
|
||
"name": "text2-Datetime1"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "## 2. Compare datetime\r\n\r\n### a) Between two dates\r\n\r\n<h3 style=\"color:blue;\"> Operators to be used:</h3>\r\n\r\n **- [datetime_diff()](https://docs.microsoft.com/azure/data-explorer/kusto/query/datetime-difffunction)**\r\n\r\n **- [iif()](https://docs.microsoft.com/azure/data-explorer/kusto/query/iiffunction)**\r\n\r\n **- [next()](https://docs.microsoft.com/azure/data-explorer/kusto/query/nextfunction)**\r\n\r\n\r\n<br>\r\n\r\n<h3 style=\"color:blue;\"> Sample queries:</h3>\r\n\r\n** - Calculates the difference in minute between TimeGenerated and now**\r\n\r\n<p style=\"color:red;\"> SecurityEvent <br> | extend DeltaInMinute = datetime_diff('minute', now(),TimeGenerated)<br> | project TimeGenerated, DeltaInMinute, EventID, EventData</p>\r\n\r\n** - Calculates the difference in second between TimeGenerated of every recond ingested by a computer **\r\n\r\n<p style=\"color:red;\"> SecurityEvent <br> | where Computer == \"RETAILVM01\"<br> | order by TimeGenerated asc<br> | extend nextTimeGenerated = next(TimeGenerated, 1)<br> | extend TimeDeltainSeconds = datetime_diff('second',nextTimeGenerated,TimeGenerated) </p>\r\n\r\n** - Calculates the difference in Hour between Incident creation time and closure time.**\r\n\r\n<p style=\"color:red;\"> SecurityIncident <br> | where Status == \"Closed\"<br> | extend DeltaInHour = datetime_diff('hour', ClosedTime,CreatedTime)<br> | extend DeltaInHour = datetime_diff('hour', ClosedTime,CreatedTime)<br> | project CreatedTime, ClosedTime, DeltaInHour, IncidentNumber, Title, Severity</p>\r\n\r\n\r\n<br>\r\n\r\n<h3 style=\"color:blue;\"> Sample use cases:</h3>\r\n\r\n** - Finds CEF records by computer where last received time is more than 30 minutes ago **\r\n\r\n<p style=\"color:red;\"> CommonSecurityLog <br> | summarize last_log = datetime_diff('minute',now(), max(TimeGenerated)) by Computer<br> | where last_log > 30<br> | project-rename ['Last Record Received in Minute'] = last_log<br> | order by ['Last Record Received in Minute'] desc </p>\r\n\r\n** - Compares the ingestion volume of security events between now and 3 days ago **\r\n\r\n<p style=\"color:red;\"> let binSize = 15m;<br> let refDelay = 3d;<br> let EndTime = now();<br> let StartTime = EndTime - 1d;<br> let ReferenceEndTime = EndTime - refDelay;<br> let ReferenceStartTime = StartTime - refDelay;<br> SecurityEvent<br> | where TimeGenerated between (StartTime .. EndTime) or TimeGenerated between (ReferenceStartTime .. ReferenceEndTime)<br> | extend RefTimeGenerated = iif(TimeGenerated between (StartTime .. EndTime),TimeGenerated, TimeGenerated + refDelay)</p>\r\n<br>"
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Datetime2"
|
||
},
|
||
"name": "text-Datetime2"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "30",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Datetime2"
|
||
},
|
||
"name": "text - 11"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "30",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Datetime2"
|
||
},
|
||
"name": "space2-Datetime2"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "16d4a38e-8e1e-46bb-a568-722d28989793",
|
||
"cellValue": "https://ms.portal.azure.com#@72f988bf-86f1-41af-91ab-2d7cd011db47/blade/Microsoft_Azure_Monitoring_Logs/LogsBlade/resourceId/%2Fsubscriptions%2F8bdcebd2-ea3d-41c9-bb40-e02bdbafc506%2FresourceGroups%2Foms%2Fproviders%2FMicrosoft.OperationalInsights%2Fworkspaces%2Foms101/source/LogsBlade.AnalyticsShareLinkToQuery/q/H4sIAAAAAAAAAwtOTS4tyiypdC1LzSsBAIySJcsNAAAA/timespan/P1D",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in LA Demo",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "DemoLogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "/Demo"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA71US28aMRC%2B8ytG4QCrbkJQ1FNFpZSQFoXkAFEvVRWZ3QFc7dqp7YVQ9cd3bO%2BbkKZSVAsJ73jmm5lvHoPB6UtnKrRRWWS4FC%2FqFaczGNAP4IaLONmDxkemmEH4maHiqGGJidzBcg8KU7nlYg3dbhdm07sJfJpPLm%2Fsp8d4lbvXHsIbsyTKEopFg9kgxHy1QoUiQuACUi4yinKJZoco4J6n%2BBkF2tBjYCIGIXedBUaZ4mY%2F2aIwnd%2BATwbp6QoTw6bi1kOMICYjQwAP1kW%2F56F7oYXoB2EDOiCURyV%2FYGSaPsMmagjO5%2FQqv1wxwyil7tEDdUrhuF55%2FkaQxkhSrs8TJFeAW1S2qE6LyoraPlCdGUQyfaQc1AF%2Fuw3hwzh%2FhtEITuaT%2B8vp7Ovt%2BfCEFKSKSU4grXroqGJf0H%2FzeeRk%2FRafw6CysU%2BOXy4WLmJ9WDafcC88wG9X8L%2BW4YvMVFmEqYh4TFRCpJDZCQUbv2vXKJE6I3Kt4KwkvjAouV8YZjLtmB%2BTBcYnB23tPB6wsyEptbQ3soSEYxuDvwdvBVKMRk3cUK%2FDhyUdd1m6RPq%2B5yYhnYVtTUr%2BzQt1zW3jjCfXru0V3alTi2bPCU6YNvYZ%2BZY605WHa0ilLc2GCbg4z1ePBraWHZqFVIqiXDO5JhJ0lqZM8V8e7CGR6%2BM7xq8YSNlTs%2F2DwMZWTFpZ%2FhLwIwVS8X1K7cYo0m%2B9mQ1%2F7rKzfz4LakO%2FlXrfKZICoz6urzCMkYb4zUeHEmQqHxy%2FhOxUbGWSUTq0pXTOrF1Xwuhykog3NzYXROzelyJBA0vaD5b4EQzfpx%2BcSOGKmo7tSXYRe9FEuG60e8fS74U0Wcrk4kLhFIa5yRzzma5sK6XCRUu1jljd6%2BrP79fmciwy7lcQZ2eF84BKeEz%2FmTjIsJ1IbfTpqb2XOV%2F1%2FyWc5qoNW6G9K1MP%2FgBxkI0dxQgAAA%3D%3D"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "16",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Datetime2"
|
||
},
|
||
"name": "TryLADemo-Datetime2"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "d1ace013-f3a5-4f34-8120-65febf2dad36",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in your environment",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "LogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "{Workspace}"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA71US28aMRC%2B8ytG4QCrbkJQ1FNFpZSQFoXkAFEvVRWZ3QFc7dqp7YVQ9cd3bO%2BbkKZSVAsJ73jmm5lvHoPB6UtnKrRRWWS4FC%2FqFaczGNAP4IaLONmDxkemmEH4maHiqGGJidzBcg8KU7nlYg3dbhdm07sJfJpPLm%2Fsp8d4lbvXHsIbsyTKEopFg9kgxHy1QoUiQuACUi4yinKJZoco4J6n%2BBkF2tBjYCIGIXedBUaZ4mY%2F2aIwnd%2BATwbp6QoTw6bi1kOMICYjQwAP1kW%2F56F7oYXoB2EDOiCURyV%2FYGSaPsMmagjO5%2FQqv1wxwyil7tEDdUrhuF55%2FkaQxkhSrs8TJFeAW1S2qE6LyoraPlCdGUQyfaQc1AF%2Fuw3hwzh%2FhtEITuaT%2B8vp7Ovt%2BfCEFKSKSU4grXroqGJf0H%2FzeeRk%2FRafw6CysU%2BOXy4WLmJ9WDafcC88wG9X8L%2BW4YvMVFmEqYh4TFRCpJDZCQUbv2vXKJE6I3Kt4KwkvjAouV8YZjLtmB%2BTBcYnB23tPB6wsyEptbQ3soSEYxuDvwdvBVKMRk3cUK%2FDhyUdd1m6RPq%2B5yYhnYVtTUr%2BzQt1zW3jjCfXru0V3alTi2bPCU6YNvYZ%2BZY605WHa0ilLc2GCbg4z1ePBraWHZqFVIqiXDO5JhJ0lqZM8V8e7CGR6%2BM7xq8YSNlTs%2F2DwMZWTFpZ%2FhLwIwVS8X1K7cYo0m%2B9mQ1%2F7rKzfz4LakO%2FlXrfKZICoz6urzCMkYb4zUeHEmQqHxy%2FhOxUbGWSUTq0pXTOrF1Xwuhykog3NzYXROzelyJBA0vaD5b4EQzfpx%2BcSOGKmo7tSXYRe9FEuG60e8fS74U0Wcrk4kLhFIa5yRzzma5sK6XCRUu1jljd6%2BrP79fmciwy7lcQZ2eF84BKeEz%2FmTjIsJ1IbfTpqb2XOV%2F1%2FyWc5qoNW6G9K1MP%2FgBxkI0dxQgAAA%3D%3D"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "22",
|
||
"conditionalVisibilities": [
|
||
{
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Datetime2"
|
||
},
|
||
{
|
||
"parameterName": "Workspace",
|
||
"comparison": "isNotEqualTo"
|
||
}
|
||
],
|
||
"name": "TryOwnEnv-Datetime2"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "30",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Datetime2"
|
||
},
|
||
"name": "space1-Datetime2"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "<br>\r\n\r\n<h3 style=\"color:blue;\"> Check out the relevant samples found in Microsoft Sentinel:</h3>\r\n\r\n#### Analytics Rules:\r\n\r\n **- [AD user enabled and password not set within 48 hours](https://github.com/Azure/Azure-Sentinel/blob/45da87dec250017c0fd45cb55842e6d6cde8f1ee/Detections/SecurityEvent/password_not_set.yaml)**\r\n\r\n **- [Palo Alto - potential beaconing detected](https://github.com/Azure/Azure-Sentinel/blob/76578d41f67181e6c1acb16b520f48a31d248036/Detections/CommonSecurityLog/PaloAlto-NetworkBeaconing.yaml)**\r\n\r\n **- [Fortinet - Beacon pattern detected](https://github.com/Azure/Azure-Sentinel/blob/76578d41f67181e6c1acb16b520f48a31d248036/Detections/CommonSecurityLog/Fortinet-NetworkBeaconPattern.yaml)**\r\n\r\n#### Hunting Queries:\r\n\r\n **- [Entropy for Processes for a given Host](https://github.com/Azure/Azure-Sentinel/blob/5a81ffa8c10b001be41d6fda3ade45384a1a2eb8/Hunting Queries/SecurityEvent/ProcessEntropy.yaml)**\r\n\r\n **- [Interactive STS refresh token modifications](https://github.com/Azure/Azure-Sentinel/blob/158019e9f69d847f506d2f1ba05af0bad64b66dd/Hunting Queries/AuditLogs/StsRefreshTokenModification.yaml)**\r\n"
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Datetime2"
|
||
},
|
||
"name": "text2-Datetime2"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "## 3. Add or deduct a datetime value\r\n\r\n<h3 style=\"color:blue;\"> Operators to be used:</h3>\r\n\r\n **- [datetime_add()](https://docs.microsoft.com/azure/data-explorer/kusto/query/datetime-addfunction)**\r\n\r\n **- [Numerical Operator (+,-)](https://docs.microsoft.com/azure/data-explorer/kusto/query/numoperators)**\r\n\r\n<br>\r\n\r\n<h3 style=\"color:blue;\"> Sample queries:</h3>\r\n\r\n** - Add 2 hours to TimeGenerated (for time offset)**\r\n\r\n<p style=\"color:red;\"> SecurityEvent <br> | extend TimeOfEventOffset = datetime_add('hour',2, TimeGenerated)<br> | project TimeOfEventOffset, EventID, EventData</p>\r\n\r\n** - Minus 8 hours from TimeGenerated (for time offset)**\r\n\r\n<p style=\"color:red;\"> SecurityEvent <br> | extend TimeOfEventOffset = datetime_add('hour',-8, TimeGenerated)<br> | project TimeOfEventOffset, EventID, EventData</p>\r\n\r\n** - Perform subtraction between two dates using the numerical operator**\r\n\r\n<p style=\"color:red;\"> SecurityEvent <br> | extend delta = now() - TimeGenerated<br> | project TimeGenerated, delta, EventID, EventData</p>\r\n\r\n\r\n<br>\r\n\r\n<h3 style=\"color:blue;\"> Sample use cases:</h3>\r\n\r\n** - Calculates the ingestion delay and returns the top percentiles by computer **\r\n\r\n<p style=\"color:red;\"> SecurityEvent <br> | extend delay = ingestion_time() - TimeGenerated<br> | summarize percentiles(delay,95,99) by Computer </p>\r\n"
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Datetime3"
|
||
},
|
||
"name": "text-Datetime3"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "60",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Datetime3"
|
||
},
|
||
"name": "space1-Datetime3"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "0e390e88-1395-4b3b-9dd7-906edac6531b",
|
||
"cellValue": "https://ms.portal.azure.com#@72f988bf-86f1-41af-91ab-2d7cd011db47/blade/Microsoft_Azure_Monitoring_Logs/LogsBlade/resourceId/%2Fsubscriptions%2F8bdcebd2-ea3d-41c9-bb40-e02bdbafc506%2FresourceGroups%2Foms%2Fproviders%2FMicrosoft.OperationalInsights%2Fworkspaces%2Foms101/source/LogsBlade.AnalyticsShareLinkToQuery/q/H4sIAAAAAAAAAwtOTS4tyiypdC1LzSsBAIySJcsNAAAA/timespan/P1D",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in LA Demo",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "DemoLogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "/Demo"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA81TUUvDMBB%2B36846MNa6BgMhO3Bh6lDxtSJ%2Bj6y5uoiTVKTy2rFH2%2FSzeHUjr0oHnlojrvvvu%2FLtd%2FvHYqpsmRcRkKrg3Uf0en3%2FQGYCcWLGiyWzDBCeHZoBFpYYqErWNZgUOq1UI8QRRFcTW8mcHY3Gc%2FCdYNx1LhjI3Aacw4DWGlnLJCGByHxEhUGehziXBsgnwKd5xYp6dxj5oygerJGRZ03wBdCxZu2ed4k500lnAL3EKF3wTiPu2FCNx2k%2BxMSD1Ea%2FYQZfcdIoblML7YfF4yYpxy1Bny2DNrrdhEMuBbKWRhuLciNlr9tQm%2F4%2F1y4ReNlSrBuSYY1m%2B23kipEBVTpRocFZ8Nu0gpBOelXN2MF6DKI0KbNFY4FMe%2BE0lWcQG9f%2BRfhu3y6afsD7e2sWe1Ze71ogxuL8Io%2FCrBOSmbEK4J3IvMookAbNwDp6CQdjZLwZ59rWTpC8w47Aog4WgQAAA%3D%3D"
|
||
},
|
||
{
|
||
"name": "timespan",
|
||
"source": "static",
|
||
"value": "P1D"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "16",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Datetime3"
|
||
},
|
||
"name": "TryLADemo-Datetime3 "
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "266fc4c3-f435-4c94-b83c-2032929928c9",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in your environment",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "LogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "{Workspace}"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA81TUUvDMBB%2B36846MNa6BgMhO3Bh6lDxtSJ%2Bj6y5uoiTVKTy2rFH2%2FSzeHUjr0oHnlojrvvvu%2FLtd%2FvHYqpsmRcRkKrg3Uf0en3%2FQGYCcWLGiyWzDBCeHZoBFpYYqErWNZgUOq1UI8QRRFcTW8mcHY3Gc%2FCdYNx1LhjI3Aacw4DWGlnLJCGByHxEhUGehziXBsgnwKd5xYp6dxj5oygerJGRZ03wBdCxZu2ed4k500lnAL3EKF3wTiPu2FCNx2k%2BxMSD1Ea%2FYQZfcdIoblML7YfF4yYpxy1Bny2DNrrdhEMuBbKWRhuLciNlr9tQm%2F4%2F1y4ReNlSrBuSYY1m%2B23kipEBVTpRocFZ8Nu0gpBOelXN2MF6DKI0KbNFY4FMe%2BE0lWcQG9f%2BRfhu3y6afsD7e2sWe1Ze71ogxuL8Io%2FCrBOSmbEK4J3IvMookAbNwDp6CQdjZLwZ59rWTpC8w47Aog4WgQAAA%3D%3D"
|
||
},
|
||
{
|
||
"name": "timespan",
|
||
"source": "static",
|
||
"value": "P1D"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "22",
|
||
"conditionalVisibilities": [
|
||
{
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Datetime3"
|
||
},
|
||
{
|
||
"parameterName": "Workspace",
|
||
"comparison": "isNotEqualTo"
|
||
}
|
||
],
|
||
"name": "TryOwnEnv-Datetime3"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "## 4. Convert datetime\r\n\r\n### a) To another format\r\n\r\n<h3 style=\"color:blue;\"> Operators to be used:</h3>\r\n\r\n **- [format_datetime()](https://docs.microsoft.com/azure/data-explorer/kusto/query/format-datetimefunction)**\r\n\r\n<br>\r\n\r\n<h3 style=\"color:blue;\"> Sample queries:</h3>\r\n\r\n** - Formats TimeGenerated to 'yy/MM/dd HH:mm:ss' **\r\n\r\n<p style=\"color:red;\"> SecurityEvent <br> | project TimeGenerated = format_datetime(TimeGenerated, 'yy/MM/dd HH:mm:ss'), EventID, EventData</p>\r\n\r\n** - Formats TimeGenerated to 'yyyy/MM/dd' **\r\n\r\n<p style=\"color:red;\"> SecurityEvent <br> | project TimeGenerated = format_datetime(TimeGenerated, 'yyyy/MM/dd'), EventID, EventData</p>\r\n\r\n** - Shows AM /PM hours**\r\n\r\n<p style=\"color:red;\"> SecurityEvent <br> | extend AmPm = format_datetime(TimeGenerated,\"tt\")<br> | project TimeGenerated = TimeGenerated, AmPm, EventID, EventData</p>\r\n\r\n\r\n<br>\r\n\r\n<h3 style=\"color:blue;\"> Sample use cases:</h3>\r\n\r\n** - Calculates the daily Incident count for the last 7 days**\r\n\r\n<p style=\"color:red;\"> SecurityIncident <br> | where CreatedTime > ago(7d)<br> | extend Day = format_datetime(TimeGenerated,\"yyyy-MM-dd\")<br> | distinct IncidentNumber, Day <br> | summarize Count=count() by Day </p>\r\n\r\n"
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Datetime4"
|
||
},
|
||
"name": "text-Datetime4"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "60",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Datetime4"
|
||
},
|
||
"name": "space1-Datetime4"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "f0c1caaf-97de-4d4e-96fb-2c7e32233a55",
|
||
"cellValue": "https://ms.portal.azure.com#@72f988bf-86f1-41af-91ab-2d7cd011db47/blade/Microsoft_Azure_Monitoring_Logs/LogsBlade/resourceId/%2Fsubscriptions%2F8bdcebd2-ea3d-41c9-bb40-e02bdbafc506%2FresourceGroups%2Foms%2Fproviders%2FMicrosoft.OperationalInsights%2Fworkspaces%2Foms101/source/LogsBlade.AnalyticsShareLinkToQuery/q/H4sIAAAAAAAAAwtOTS4tyiypdC1LzSsBAIySJcsNAAAA/timespan/P1D",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in LA Demo",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "DemoLogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "/Demo"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA72UW0%2FCQBCF3%2FkVE%2FoATSB9JCHBBAGlwRIivpulO9I13V3cC1jjj3e3WlCUy4Nh0jRtZnrmfKdpo6h9rGKhjbKpYVIcnauqFkXuAJgwQfMCNK6IIgbhxaJiqGGBudzAogCFXK6ZWEIQBHAXT0dwfT%2FqT%2Fztp8ZZ684t7%2BlGKk6MhgfG8RYFel8UjIRGUURJElEK43GX867WjdocU6uYKUZrFKb2DislnzE1ew%2F34KkUfaTu1rhW80e%2F9Zd02IJSNB5%2BXQyJIc5fcLDgez5weG5bp2grU%2F%2BJudW8EN88kxsN%2FQSiWQKZtEr%2FgsFXg4JCn8%2F4SYS6MfXwSAB7wF7zMpwDkqc2d1s1mAyBEuY%2Bq1ikjLqVkErrzg6tbOZEG%2Bi4mWIXRjXq2DYZKoSBQs%2FggeAKyFI2OzTcpTUkxemw%2FOtuJ0mb0jI0yrRhwqVWLZtavkDV8mKurS3nRLE3t9vb7ZWmm6H%2FC7iBD9fxEWOBBAAA"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "16",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Datetime4"
|
||
},
|
||
"name": "TryLADemo-Datetime4"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "6e424fac-a519-40e3-86c0-77bf8f2c0390",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in your environment",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "LogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "{Workspace}"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA72UW0%2FCQBCF3%2FkVE%2FoATSB9JCHBBAGlwRIivpulO9I13V3cC1jjj3e3WlCUy4Nh0jRtZnrmfKdpo6h9rGKhjbKpYVIcnauqFkXuAJgwQfMCNK6IIgbhxaJiqGGBudzAogCFXK6ZWEIQBHAXT0dwfT%2FqT%2Fztp8ZZ684t7%2BlGKk6MhgfG8RYFel8UjIRGUURJElEK43GX867WjdocU6uYKUZrFKb2DislnzE1ew%2F34KkUfaTu1rhW80e%2F9Zd02IJSNB5%2BXQyJIc5fcLDgez5weG5bp2grU%2F%2BJudW8EN88kxsN%2FQSiWQKZtEr%2FgsFXg4JCn8%2F4SYS6MfXwSAB7wF7zMpwDkqc2d1s1mAyBEuY%2Bq1ikjLqVkErrzg6tbOZEG%2Bi4mWIXRjXq2DYZKoSBQs%2FggeAKyFI2OzTcpTUkxemw%2FOtuJ0mb0jI0yrRhwqVWLZtavkDV8mKurS3nRLE3t9vb7ZWmm6H%2FC7iBD9fxEWOBBAAA"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "22",
|
||
"conditionalVisibilities": [
|
||
{
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Datetime4"
|
||
},
|
||
{
|
||
"parameterName": "Workspace",
|
||
"comparison": "isNotEqualTo"
|
||
}
|
||
],
|
||
"name": "TryOwnEnv-Datetime4"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "30",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Datetime4"
|
||
},
|
||
"name": "space2-Datetime4"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "<br>\r\n\r\n<h3 style=\"color:blue;\"> Check out the relevant samples found in Microsoft Sentinel:</h3>\r\n\r\n#### Workbooks:\r\n\r\n **- [Extra Hop Detection Summary](https://github.com/Azure/Azure-Sentinel/blob/83c6d8c7f65a5f209f39f3e06eb2f7374fd8439c/Workbooks/ExtraHopDetectionSummary.json)**\r\n\r\n **- [Microsoft 365 Security Posture](https://github.com/Azure/Azure-Sentinel/blob/ce613ee0c302d4c19e325120ab42200e5ed80c1a/Workbooks/M365SecurityPosture.json)**\r\n\r\n **- [Incident Overview](https://github.com/Azure/Azure-Sentinel/blob/0a4d50238b8d6dfc342d8275465d62c3c55a2444/Workbooks/IncidentOverview.json)**\r\n\r\n **- [Investigation Insights](https://github.com/Azure/Azure-Sentinel/blob/83c6d8c7f65a5f209f39f3e06eb2f7374fd8439c/Workbooks/InvestigationInsights.json)**\r\n"
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Datetime4"
|
||
},
|
||
"name": "text2-Datetime4"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "## 5. Returns day, month, or year from a date field\r\n\r\n<h3 style=\"color:blue;\"> Operators to be used:</h3>\r\n\r\n **- [getmonth()](https://docs.microsoft.com/azure/data-explorer/kusto/query/getmonthfunction)**\r\n\r\n **- [getyear()](https://docs.microsoft.com/azure/data-explorer/kusto/query/getyearfunction)**\r\n\r\n **- [dayofweek()](https://docs.microsoft.com/azure/data-explorer/kusto/query/dayofweekfunction)**\r\n\r\n **- [dayofmonth()](https://docs.microsoft.com/azure/data-explorer/kusto/query/dayofmonthfunction)**\r\n\r\n **- [dayofyear()](https://docs.microsoft.com/azure/data-explorer/kusto/query/dayofyearfunction)**\r\n\r\n **- [endofmonth()](https://docs.microsoft.com/azure/data-explorer/kusto/query/endofmonthfunction)**\r\n\r\n **- [endofweek()](https://docs.microsoft.com/azure/data-explorer/kusto/query/endofweekfunction)**\r\n\r\n **- [endofyear()](https://docs.microsoft.com/azure/data-explorer/kusto/query/endofyearfunction)**\r\n\r\n **- [startofday()](https://docs.microsoft.com/azure/data-explorer/kusto/query/startofdayfunction)**\r\n\r\n **- [startofmonth()](https://docs.microsoft.com/azure/data-explorer/kusto/query/startofmonthfunction)**\r\n\r\n **- [startofweek()](https://docs.microsoft.com/azure/data-explorer/kusto/query/startofweekfunction)**\r\n\r\n **- [startofyear()](https://docs.microsoft.com/azure/data-explorer/kusto/query/startofyearfunction)**\r\n\r\n<br>\r\n\r\n<h3 style=\"color:blue;\"> Sample queries:</h3>\r\n\r\n** - Get the month number from TimeGenerated and summarize the event count. **\r\n\r\n<p style=\"color:red;\"> SecurityEvent <br> | extend month = getmonth(TimeGenerated)<br> | summarize EventCount=count() by month, EventID</p>\r\n\r\n** - Get the total security event by day of week.**\r\n\r\n<p style=\"color:red;\"> SecurityEvent <br> | where TimeGenerated > ago(7d)<br> | summarize Count=count() by bin(TimeGenerated,1d)<br> | extend Day = case(dayofweek(TimeGenerated)==time(0.00:00:00),\"Sunday\", <br> dayofweek(TimeGenerated)==time(1.00:00:00), \"Monday\", <br> dayofweek(TimeGenerated)==time(2.00:00:00), \"Tuesday\", <br> dayofweek(TimeGenerated)==time(3.00:00:00), \"Wednesday\", <br> dayofweek(TimeGenerated)==time(4.00:00:00), \"Thursday\", <br> dayofweek(TimeGenerated)==time(5.00:00:00), \"Friday\", <br> \"Saturday\")<br> | order by TimeGenerated desc</p>\r\n\r\n\r\n<br>\r\n\r\n<h3 style=\"color:blue;\"> Sample use cases:</h3>\r\n\r\n** - Returns windows logon events on Satuday and Sunday**\r\n\r\n<p style=\"color:red;\"> SecurityEvent <br> | where EventID == 4624<br> | where dayofweek(TimeGenerated) in (time(0.00:00:00),time(6.00:00:00))<br> | project TimeGenerated, Computer, Activity</p>\r\n"
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Datetime5"
|
||
},
|
||
"name": "text-Datetime5"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "60",
|
||
"name": "space1-Datetime5"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "bd507c05-e201-4b1b-84ff-9cdeee2e2feb",
|
||
"cellValue": "https://ms.portal.azure.com#@72f988bf-86f1-41af-91ab-2d7cd011db47/blade/Microsoft_Azure_Monitoring_Logs/LogsBlade/resourceId/%2Fsubscriptions%2F8bdcebd2-ea3d-41c9-bb40-e02bdbafc506%2FresourceGroups%2Foms%2Fproviders%2FMicrosoft.OperationalInsights%2Fworkspaces%2Foms101/source/LogsBlade.AnalyticsShareLinkToQuery/q/H4sIAAAAAAAAAwtOTS4tyiypdC1LzSsBAIySJcsNAAAA/timespan/P1D",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in LA Demo",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "DemoLogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "/Demo"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA61UTW8aMRC98yue4LJI20ASmkqVNlLSkAil7SFE6tnsDuCUtYk%2F2FD1x3e8SwMLIt1KGflgj%2BfNx5uxe70Pb8lIWWd86qRWb9r9lVavxwu4lypbrGFpKYxwhGdPRpLFhBa6wGQNQ7leSTVDp9PB19H3Ia4fhlf34Vj5aBSuqYSc7sjBzQm5Vm4O5fMJGUyNzvEoc7ojRSHTDEJlsD7PhZG%2FqETQipRDqr1yJ60xpd5Itx4GZes36MURIyqvCWbkym1Uc9plw63PEvoluEtKp1E3MFLC4upydMMZd44KdhnDcbtX2a3faScW3JmqjE1xHD8Ta%2BgpCqKfh1UWczK0R9QlxExHn%2FaKO6hrIlWdjPi0hGyIu%2BGwCVJhKeIM9DTE3yMvSRyfo%2F5Jv%2F%2B5XN24PfaKzdtxCyz%2FAJ7uANH%2Bppsjz2rIR0%2B2MfS8Bv1BmfoP8KAed%2B5Nc%2BzHGvbWyC2yPRbOm3AODdAm4xfAHaq3NSObvv%2F0PRBHVhYFfwy6sFjomVbV8FnwLmQWJjC8vqq3R2Zw8z6QJBhcnA1e9cdYgVSIDuanVFxsFYGPpdFPlLo6HTEPdL70jkyMK%2F4HV5zQHz3WVQM0BQAA"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "16",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Datetime5"
|
||
},
|
||
"name": "TryLADemo-Datetime5"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "1d28f0f8-0d14-4ca9-bb7f-24cfff3afeee",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in your environment",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "LogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "{Workspace}"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA61UTW8aMRC98yue4LJI20ASmkqVNlLSkAil7SFE6tnsDuCUtYk%2F2FD1x3e8SwMLIt1KGflgj%2BfNx5uxe70Pb8lIWWd86qRWb9r9lVavxwu4lypbrGFpKYxwhGdPRpLFhBa6wGQNQ7leSTVDp9PB19H3Ia4fhlf34Vj5aBSuqYSc7sjBzQm5Vm4O5fMJGUyNzvEoc7ojRSHTDEJlsD7PhZG%2FqETQipRDqr1yJ60xpd5Itx4GZes36MURIyqvCWbkym1Uc9plw63PEvoluEtKp1E3MFLC4upydMMZd44KdhnDcbtX2a3faScW3JmqjE1xHD8Ta%2BgpCqKfh1UWczK0R9QlxExHn%2FaKO6hrIlWdjPi0hGyIu%2BGwCVJhKeIM9DTE3yMvSRyfo%2F5Jv%2F%2B5XN24PfaKzdtxCyz%2FAJ7uANH%2Bppsjz2rIR0%2B2MfS8Bv1BmfoP8KAed%2B5Nc%2BzHGvbWyC2yPRbOm3AODdAm4xfAHaq3NSObvv%2F0PRBHVhYFfwy6sFjomVbV8FnwLmQWJjC8vqq3R2Zw8z6QJBhcnA1e9cdYgVSIDuanVFxsFYGPpdFPlLo6HTEPdL70jkyMK%2F4HV5zQHz3WVQM0BQAA"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "22",
|
||
"conditionalVisibilities": [
|
||
{
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Datetime5"
|
||
},
|
||
{
|
||
"parameterName": "Workspace",
|
||
"comparison": "isNotEqualTo"
|
||
}
|
||
],
|
||
"name": "TryOwnEnv-Datetime5"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "30",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Datetime5"
|
||
},
|
||
"name": "space2-Datetime5"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "<br>\r\n\r\n<h3 style=\"color:blue;\"> Check out the relevant samples found in Microsoft Sentinel:</h3>\r\n\r\n#### Hunting Queries:\r\n\r\n **- [Suspicious Windows Login outside normal hours](https://github.com/Azure/Azure-Sentinel/blob/83c6d8c7f65a5f209f39f3e06eb2f7374fd8439c/Hunting Queries/SecurityEvent/Suspicious_Windows_Login_outside_normal_hours.yaml)**\r\n\r\n **- [DNS Full Name anomalous lookup increase](https://github.com/Azure/Azure-Sentinel/blob/76578d41f67181e6c1acb16b520f48a31d248036/Hunting Queries/DnsEvents/DNS_FullNameAnomalousLookupIncrease.yaml)**\r\n\r\n **- [Login spike with increase failure rate](https://github.com/Azure/Azure-Sentinel/blob/c69fda6e8b90aa3ae797560b670a42fa8fce2859/Hunting Queries/SigninLogs/LoginSpikeWithIncreaseFailureRate.yaml)**\r\n\r\n#### Function:\r\n\r\n **- [CheckifDayLightSavings-US-EU](https://github.com/Azure/Azure-Sentinel/blob/83c6d8c7f65a5f209f39f3e06eb2f7374fd8439c/Functions/CheckifDayLightSavings-US-EU.txt)**\r\n"
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Datetime5"
|
||
},
|
||
"name": "text2-Datetime5"
|
||
}
|
||
]
|
||
},
|
||
"conditionalVisibility": {
|
||
"parameterName": "Category",
|
||
"comparison": "isEqualTo",
|
||
"value": "Dealing with Datetime"
|
||
},
|
||
"name": "group-Datetime"
|
||
},
|
||
{
|
||
"type": 12,
|
||
"content": {
|
||
"version": "NotebookGroup/1.0",
|
||
"groupType": "editable",
|
||
"items": [
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "# {Category}\r\n\r\n\r\n<h2 style=\"color:blue;\">Overview:</h2>\r\n\r\nIn most cases, you need to limit your search results based on specific criteria by applying filters.\r\n\r\nUse [where](https://docs.microsoft.com/azure/data-explorer/kusto/query/whereoperator) operator to contruct the filter statement and [project](https://docs.microsoft.com/azure/data-explorer/kusto/query/projectoperator) operator to select the columns to be included in the result.\r\n\r\n<br>\r\n"
|
||
},
|
||
"name": "text - 0"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "<h2 style=\"color:blue;\">I want to:</h2>"
|
||
},
|
||
"name": "text - 2"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "list",
|
||
"links": [
|
||
{
|
||
"id": "10c45a2a-2b70-422e-9997-0e4f315f7727",
|
||
"cellValue": "Section",
|
||
"linkTarget": "parameter",
|
||
"linkLabel": "1. Perform a simple filter on string",
|
||
"subTarget": "Filter1",
|
||
"preText": "",
|
||
"style": "link"
|
||
},
|
||
{
|
||
"id": "40988c97-79b0-481a-b5a8-390f16783e15",
|
||
"cellValue": "Section",
|
||
"linkTarget": "parameter",
|
||
"linkLabel": "2. Perform a simple filter on integer",
|
||
"subTarget": "Filter2",
|
||
"preText": "",
|
||
"style": "link"
|
||
},
|
||
{
|
||
"id": "d9333cfe-ce35-4cb3-b0e2-eaa2edf263d4",
|
||
"cellValue": "Section",
|
||
"linkTarget": "parameter",
|
||
"linkLabel": "3. Limit results",
|
||
"subTarget": "Filter3",
|
||
"preText": "",
|
||
"style": "link"
|
||
},
|
||
{
|
||
"id": "6f6aba5d-73f6-4b20-b473-6f4cd910f494",
|
||
"cellValue": "Section",
|
||
"linkTarget": "parameter",
|
||
"linkLabel": "4. Filter using regex",
|
||
"subTarget": "Filter4",
|
||
"preText": "",
|
||
"style": "link"
|
||
},
|
||
{
|
||
"id": "b4871307-daac-4a5c-83d1-66c7954b2286",
|
||
"cellValue": "Section",
|
||
"linkTarget": "parameter",
|
||
"linkLabel": "5. Filter events that occurred consecutively or in a specific sequence/pattern",
|
||
"subTarget": "Filter5",
|
||
"preText": "",
|
||
"style": "link"
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "30",
|
||
"name": "links - 1"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "## 1. Perform a simple filter on string\r\n\r\n### a) Case-sensitive full string values\r\n\r\n<h3 style=\"color:blue;\"> Operators to be used:</h3>\r\n\r\n **- [==](https://docs.microsoft.com/azure/data-explorer/kusto/query/datatypes-string-operators)**\r\n\r\n **- [!=](https://docs.microsoft.com/azure/data-explorer/kusto/query/datatypes-string-operators)**\r\n\r\n **- [in](https://docs.microsoft.com/azure/data-explorer/kusto/query/datatypes-string-operators)**\r\n\r\n **- [!in](https://docs.microsoft.com/azure/data-explorer/kusto/query/datatypes-string-operators)**\r\n\r\n\r\n<br>\r\n\r\n<h3 style=\"color:blue;\"> Sample queries:</h3>\r\n\r\n<p style=\"color:#A6290F;\"> **Note:** Try swapping the string values to lower/upper case to compare the results.</p>\r\n\r\n\r\n** - Returns Storage Accounts List keys action with success status value**\r\n\r\n<p style=\"color:red;\"> AzureActivity <br> | where OperationNameValue == \"MICROSOFT.STORAGE/STORAGEACCOUNTS/LISTKEYS/ACTION\"<br> | where ActivityStatusValue == \"Success\"</p>\r\n\r\n** - Returns Key Vault access policies update with status value NOT equal to \"Failure\" **\r\n\r\n<p style=\"color:red;\"> AzureActivity <br> | where OperationNameValue == \"MICROSOFT.KEYVAULT/VAULTS/ACCESSPOLICIES/WRITE\"<br> | where ActivityStatusValue != \"Failure\"</p>\r\n\r\n** - Returns Microsoft Sentinel incidents with High and Medium severity**\r\n\r\n<p style=\"color:red;\"> SecurityIncident <br> | where Severity in (\"High\", \"Medium\")</p>\r\n\r\n** - Returns Microsoft Sentinel closed incidents with classification not equal to FalsePositive and Undetermined **\r\n\r\n<p style=\"color:red;\"> SecurityIncident <br> | where Status == \"Closed\"<br> | where Classification !in (\"FalsePositive\", \"Undetermined\")</p>\r\n\r\n<br>\r\n"
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Filter1"
|
||
},
|
||
"name": "text-Filter1"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "60",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Filter1"
|
||
},
|
||
"name": "space1-Filter1a"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "b1f79330-0e49-4c7a-b93d-773efd47d889",
|
||
"cellValue": "https://ms.portal.azure.com#@72f988bf-86f1-41af-91ab-2d7cd011db47/blade/Microsoft_Azure_Monitoring_Logs/LogsBlade/resourceId/%2Fsubscriptions%2F8bdcebd2-ea3d-41c9-bb40-e02bdbafc506%2FresourceGroups%2Foms%2Fproviders%2FMicrosoft.OperationalInsights%2Fworkspaces%2Foms101/source/LogsBlade.AnalyticsShareLinkToQuery/q/H4sIAAAAAAAAAwtOTS4tyiypdC1LzSsBAIySJcsNAAAA/timespan/P1D",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in LA Demo",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "DemoLogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "/Demo"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA72TXWvbMBSG7%2FMrTp2bFbb5F%2BTCM05n4trFcjJ2qcpniZgipfpI8NiPn6SkiTtoKIPuYPwBR%2BfV%2B7xWmn66VqU0VjtmuZJX%2B55rkqb%2BAlhw2YsBDO6ophbhyaHmaOARhTrA4wAat2rP5Rqm0ylUZV3Al7bIFuHzOONNcm%2BtsKcWrdPSALFK0zVCxphy0hqouLHwEwcDNBqFA7cbMI4xNAaMpdYZ2FPhcJL9choz37Xndpj8hsMGNUKzQ2%2FSr6zpFlehEWYzSO7LvG1IM%2B8%2Bk65ps7siPT2zPG%2BWdUfSqiTdovhO0izvyqZOzhOfJUgUv4wkx00l3s%2F01YIxT3i971xjOgscYEWdsB5G9L9TgrMQndv1IckjnBEUqJsO8MlRAVZBMqdceEjJv7LyPFbZsurSeA9o8oKQh6Yq87Ig6be27IrroG5mo128G6hoDwhKyyUK4JLxHsPvFAF95esNUNnDPfbcbf1B2PsD4DkQZC68lKf%2BsxNy6vCT4EMS1icfPZe4PLn9bz6YUAb7v%2B0wQY3hPziL0YFU9pL4nAqDD8pwnwRGz0vZo0W99QP7K4aP%2F1BIP4%2Bil1Tzl3I3EckLncBmLJPc%2FgHS4XUMyQQAAA%3D%3D"
|
||
},
|
||
{
|
||
"name": "timespan",
|
||
"source": "static",
|
||
"value": "P1D"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "16",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Filter1"
|
||
},
|
||
"name": "TryLADemo-Filter1a"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "262c9f91-f40f-4255-a984-d0bb16cfacf3",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in your environment",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "LogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "{Workspace}"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA72TXWvbMBSG7%2FMrTp2bFbb5F%2BTCM05n4trFcjJ2qcpniZgipfpI8NiPn6SkiTtoKIPuYPwBR%2BfV%2B7xWmn66VqU0VjtmuZJX%2B55rkqb%2BAlhw2YsBDO6ophbhyaHmaOARhTrA4wAat2rP5Rqm0ylUZV3Al7bIFuHzOONNcm%2BtsKcWrdPSALFK0zVCxphy0hqouLHwEwcDNBqFA7cbMI4xNAaMpdYZ2FPhcJL9choz37Xndpj8hsMGNUKzQ2%2FSr6zpFlehEWYzSO7LvG1IM%2B8%2Bk65ps7siPT2zPG%2BWdUfSqiTdovhO0izvyqZOzhOfJUgUv4wkx00l3s%2F01YIxT3i971xjOgscYEWdsB5G9L9TgrMQndv1IckjnBEUqJsO8MlRAVZBMqdceEjJv7LyPFbZsurSeA9o8oKQh6Yq87Ig6be27IrroG5mo128G6hoDwhKyyUK4JLxHsPvFAF95esNUNnDPfbcbf1B2PsD4DkQZC68lKf%2BsxNy6vCT4EMS1icfPZe4PLn9bz6YUAb7v%2B0wQY3hPziL0YFU9pL4nAqDD8pwnwRGz0vZo0W99QP7K4aP%2F1BIP4%2Bil1Tzl3I3EckLncBmLJPc%2FgHS4XUMyQQAAA%3D%3D"
|
||
},
|
||
{
|
||
"name": "timespan",
|
||
"source": "static",
|
||
"value": "P1D"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "22",
|
||
"conditionalVisibilities": [
|
||
{
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Filter1"
|
||
},
|
||
{
|
||
"parameterName": "Workspace",
|
||
"comparison": "isNotEqualTo"
|
||
}
|
||
],
|
||
"name": "TryOwnEnv-Filter1a-ori"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "30",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Filter1"
|
||
},
|
||
"name": "space1-Filter1b"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "\r\n### b) Case-insensitive full string values\r\n\r\n<p style=\"color:#A6290F;\"> **Note:** Avoid using case-insensitive operators when possible for a better query performance.</p>\r\n\r\n<h3 style=\"color:blue;\"> Operators to be used:</h3>\r\n\r\n **- [=~](https://docs.microsoft.com/azure/data-explorer/kusto/query/datatypes-string-operators)**\r\n\r\n **- [!~](https://docs.microsoft.com/azure/data-explorer/kusto/query/datatypes-string-operators)**\r\n\r\n **- [in~](https://docs.microsoft.com/azure/data-explorer/kusto/query/datatypes-string-operators)**\r\n\r\n **- [!in~](https://docs.microsoft.com/azure/data-explorer/kusto/query/datatypes-string-operators)**\r\n\r\n\r\n<br>\r\n\r\n<h3 style=\"color:blue;\"> Sample queries:</h3>\r\n\r\n** - Returns Storage Accounts List keys action with success status value **\r\n\r\n<p style=\"color:red;\"> AzureActivity <br> | where OperationNameValue =~ \"MICROSOFT.STORAGE/STORAGEACCOUNTS/LISTKEYS/action\"<br> | where ActivityStatusValue =~ \"success\"</p>\r\n\r\n** - Returns Key Vault access policies update with status value NOT equal to \"Failure\" **\r\n\r\n<p style=\"color:red;\"> AzureActivity <br> | where OperationNameValue =~ \"MICROSOFT.KEYVAULT/VAULTS/ACCESSPOLICIES/write\"<br> | where ActivityStatusValue !~ \"failure\"</p>\r\n\r\n** - Returns Microsoft Sentinel incidents with High and Medium severity **\r\n\r\n<p style=\"color:red;\"> SecurityIncident <br> | where Severity in~ (\"high\", \"medium\")</p>\r\n\r\n** - Returns Microsoft Sentinel closed incidents with classification not equal to FalsePositive and Undetermined **\r\n\r\n<p style=\"color:red;\"> SecurityIncident <br> | where Status =~ \"closed\"<br> | where Classification !in~ (\"falsepositive\", \"undetermined\")</p>\r\n\r\n<br>\r\n"
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Filter1"
|
||
},
|
||
"name": "text-Filter1b"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "60",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Filter1"
|
||
},
|
||
"name": "space2-Filter1"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "dade9b67-f99e-4e31-b63d-67ed8c025953",
|
||
"cellValue": "https://ms.portal.azure.com#@72f988bf-86f1-41af-91ab-2d7cd011db47/blade/Microsoft_Azure_Monitoring_Logs/LogsBlade/resourceId/%2Fsubscriptions%2F8bdcebd2-ea3d-41c9-bb40-e02bdbafc506%2FresourceGroups%2Foms%2Fproviders%2FMicrosoft.OperationalInsights%2Fworkspaces%2Foms101/source/LogsBlade.AnalyticsShareLinkToQuery/q/H4sIAAAAAAAAAwtOTS4tyiypdC1LzSsBAIySJcsNAAAA/timespan/P1D",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in LA Demo",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "DemoLogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "/Demo"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA72T3YrbMBCF7%2FMUs8pNF9rqCXrhBqc18cZL5AR6qZUniagseS0pwaXss1eynZ8WNiyFdjD%2BgdE5Ot%2FIlH64VZm2rvXCSaNv9p1qQmm4ABZSV6oDiw1vuUN49thKtPCEyhzhqYMWa3OQegfT6RTybJnC51WaLOLnoPEmu7dW3NMKnW%2B1BeZMy3cIiRDGa2chl9bBd%2Bws8D4oHKXbg%2FVCoLVgHXfewoErj5Pkh28xCV0H6brJTzjusUUoGgwhw8olr3ETG%2BHTC5CHbLYqWDEvP7KyWCVfUjo%2Bk9msWC9LRvOMlYv0G6ODMTkrnixYb36RHDdFQp7pqwXXPOH1vnNd01lgBxvulQsw%2BvyNUVLE0fmmipMc4FxBgWVRAj57rsAZIHMuVYBE%2FpZV4LFJ1nlJ%2BzujAVbK2GORZ7MsZfTYSoe3Qd0Fve1pF%2F8MVB8PGGonNSqQWsgK43HqAX2Vuz1wXcEDVtLX4Uc4hB8gcGAofHzJxv5zEjZ2BKUXeEf2QYC8B1L368n9fwsilLFY%2FZlHKG6t3ErRzw60cZeRz7my%2BGisDKPAPvRaV%2BiwrYNgdSPxcIji%2BAfTy1hnv9vdDUy20agZjSIcf%2BVD7n8B1R0L8MsEAAA%3D"
|
||
},
|
||
{
|
||
"name": "timespan",
|
||
"source": "static",
|
||
"value": "P1D"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "16",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Filter1"
|
||
},
|
||
"name": "TryLADemo-Filter1b"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "24dd3e02-4daf-4af5-bd5d-5c4953daae34",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in your environment",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "LogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "{Workspace}"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA72T3YrbMBCF7%2FMUs8pNF9rqCXrhBqc18cZL5AR6qZUniagseS0pwaXss1eynZ8WNiyFdjD%2BgdE5Ot%2FIlH64VZm2rvXCSaNv9p1qQmm4ABZSV6oDiw1vuUN49thKtPCEyhzhqYMWa3OQegfT6RTybJnC51WaLOLnoPEmu7dW3NMKnW%2B1BeZMy3cIiRDGa2chl9bBd%2Bws8D4oHKXbg%2FVCoLVgHXfewoErj5Pkh28xCV0H6brJTzjusUUoGgwhw8olr3ETG%2BHTC5CHbLYqWDEvP7KyWCVfUjo%2Bk9msWC9LRvOMlYv0G6ODMTkrnixYb36RHDdFQp7pqwXXPOH1vnNd01lgBxvulQsw%2BvyNUVLE0fmmipMc4FxBgWVRAj57rsAZIHMuVYBE%2FpZV4LFJ1nlJ%2BzujAVbK2GORZ7MsZfTYSoe3Qd0Fve1pF%2F8MVB8PGGonNSqQWsgK43HqAX2Vuz1wXcEDVtLX4Uc4hB8gcGAofHzJxv5zEjZ2BKUXeEf2QYC8B1L368n9fwsilLFY%2FZlHKG6t3ErRzw60cZeRz7my%2BGisDKPAPvRaV%2BiwrYNgdSPxcIji%2BAfTy1hnv9vdDUy20agZjSIcf%2BVD7n8B1R0L8MsEAAA%3D"
|
||
},
|
||
{
|
||
"name": "timespan",
|
||
"source": "static",
|
||
"value": "P1D"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "22",
|
||
"conditionalVisibilities": [
|
||
{
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Filter1"
|
||
},
|
||
{
|
||
"parameterName": "Workspace",
|
||
"comparison": "isNotEqualTo"
|
||
}
|
||
],
|
||
"name": "TryOwnEnv-Filter1b"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "30",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Filter1"
|
||
},
|
||
"name": "space1-Filter1c"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "\r\n### c) Case-sensitive partial string values\r\n\r\n<h3 style=\"color:blue;\"> Operators to be used:</h3>\r\n\r\n **- [has_cs](https://docs.microsoft.com/azure/data-explorer/kusto/query/datatypes-string-operators)**\r\n\r\n **- [!has_cs](https://docs.microsoft.com/azure/data-explorer/kusto/query/datatypes-string-operators)**\r\n\r\n **- [contains_cs](https://docs.microsoft.com/azure/data-explorer/kusto/query/datatypes-string-operators)**\r\n\r\n **- [!contains_cs](https://docs.microsoft.com/azure/data-explorer/kusto/query/datatypes-string-operators)**\r\n\r\n **- [hasprefix_cs](https://docs.microsoft.com/azure/data-explorer/kusto/query/datatypes-string-operators)**\r\n\r\n **- [!hasprefix_cs](https://docs.microsoft.com/azure/data-explorer/kusto/query/datatypes-string-operators)**\r\n\r\n **- [hassuffix_cs](https://docs.microsoft.com/azure/data-explorer/kusto/query/datatypes-string-operators)**\r\n\r\n **- [!hassuffix_cs](https://docs.microsoft.com/azure/data-explorer/kusto/query/datatypes-string-operators)**\r\n\r\n **- [startswith_cs](https://docs.microsoft.com/azure/data-explorer/kusto/query/datatypes-string-operators)**\r\n\r\n **- [!startswith_cs](https://docs.microsoft.com/azure/data-explorer/kusto/query/datatypes-string-operators)**\r\n\r\n **- [endswith_cs](https://docs.microsoft.com/azure/data-explorer/kusto/query/datatypes-string-operators)**\r\n\r\n **- [!endswith_cs](https://docs.microsoft.com/azure/data-explorer/kusto/query/datatypes-string-operators)**\r\n\r\n\r\n<br>\r\n\r\n<h3 style=\"color:blue;\"> Sample queries:</h3>\r\n\r\n** - Returns Powershell command executions on Virtual Machine **\r\n\r\n<p style=\"color:red;\"> SecurityEvent <br> | where EventID == 4688 <br> | where CommandLine has_cs \"powershell.exe\"</p>\r\n\r\n<p style=\"color:red;\"> SecurityEvent <br> | where EventID == 4688 <br> | where CommandLine contains_cs \"powershell.exe\"</p>\r\n\r\n** - Summarizes Security Events count by Account and Activity but excluding Workgroup account **\r\n\r\n<p style=\"color:red;\"> SecurityEvent <br> | where Account !has_cs \"WORKGROUP\" <br> | summarize count() by Account, Activity</p>\r\n\r\n<p style=\"color:red;\"> SecurityEvent <br> | where Account !contains_cs \"WORKGROUP\" <br> | summarize count() by Account, Activity</p>\r\n\r\n<p style=\"color:red;\"> SecurityEvent <br> | where Account !hasprefix_cs \"WORKGROUP\" <br> | summarize count() by Account, Activity</p>\r\n\r\n<p style=\"color:red;\"> SecurityEvent <br> | where Account !startswith_cs \"WORKGROUP\" <br> | summarize count() by Account, Activity</p>\r\n\r\n** - Returns account logon successfully events for Computer with prefix \"DC0\" **\r\n\r\n<p style=\"color:red;\"> SecurityEvent <br> | where EventID == 4624 <br> | where Computer hasprefix_cs \"DC0\" </p>\r\n\r\n<p style=\"color:red;\"> SecurityEvent <br> | where EventID == 4624 <br> | where Computer startswith_cs \"DC0\" </p>\r\n\r\n** - Returns special privileges assigned to new logon events for Computer with suffix \"contosohotels.com\" **\r\n\r\n<p style=\"color:red;\"> SecurityEvent <br> | where EventID == 4672 <br> | where Computer hassuffix_cs \"contosohotels.com\" </p>\r\n\r\n<p style=\"color:red;\"> SecurityEvent <br> | where EventID == 4672 <br> | where Computer endswith_cs \"contosohotels.com\" </p>\r\n\r\n** - Returns special privileges assigned to new logon events for Computer NOT end with \"contosohotels.com\" **\r\n\r\n<p style=\"color:red;\"> SecurityEvent <br> | where EventID == 4672 <br> | where Computer !endswith_cs \"contosohotels.com\" </p>\r\n\r\n<p style=\"color:red;\"> SecurityEvent <br> | where EventID == 4672 <br> | where Computer !hassuffix_cs \"contosohotels.com\" </p>\r\n\r\n<br>\r\n"
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Filter1"
|
||
},
|
||
"name": "text-Filter1c"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "60",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Filter1"
|
||
},
|
||
"name": "space3-Filter1"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "ee3c32fd-22e6-4b45-bbf6-137d024b5960",
|
||
"cellValue": "https://ms.portal.azure.com#@72f988bf-86f1-41af-91ab-2d7cd011db47/blade/Microsoft_Azure_Monitoring_Logs/LogsBlade/resourceId/%2Fsubscriptions%2F8bdcebd2-ea3d-41c9-bb40-e02bdbafc506%2FresourceGroups%2Foms%2Fproviders%2FMicrosoft.OperationalInsights%2Fworkspaces%2Foms101/source/LogsBlade.AnalyticsShareLinkToQuery/q/H4sIAAAAAAAAAwtOTS4tyiypdC1LzSsBAIySJcsNAAAA/timespan/P1D",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in LA Demo",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "DemoLogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "/Demo"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA9WVUU%2FbMBDH3%2FspjvRlk4BOCG288NBBNVVlFJVtPCLXuSYWrp357IZOfPjZNQlhalm1QQSnPMTJ5e7v%2B50vvd7eUzZUZI3jVmj1pF9lnV7PXwAjoVK5BMKCGWYRfjo0AgmmKHUJ0yUYnOuFUBl0u104G54P4PNk0B%2BFZYyxVbptLWiaoHVGEVzoEg3lKCVwPZ8zlQLeIndhjwRawQ9hrGMSvjKeC4WdS%2F%2FSCLscLFDZzh2UORqE1Wp4CsfHcPjx6Kh%2BfhJjnvkvIWd0zQmSok6571MlXk13o0GzGrDZr7b%2F0Me1skyoNkR6AJfOZzbil2%2BDSnJUSV6IUza0RZ%2FH20Cl79tuEZymznpEXLo0NMyVNjeZ0a4AFp03FKAKtVNRuBpPRl8m4%2B8XifehSkzM%2Fe59I%2FtunboVUrXQRzhevVpf1sLgTNy%2BDblkmbFUCpu%2FEr2NkXTfyCB15ucPOc6RaOakn6AYD8hMm3ByC2fRQNgExNpDcnryIdlmBBwcNkdADPQY4SpS66Npna4%2FWL2AsEbxqUAu%2FLgvjKcsMfPjiRGJTGEKVoPC8p7LRhTkZisU4fxq0rm2KGnf%2F1y2AvPpYC2YGHS1%2FzVxW8e0TiWq9AHSi4t8LmTn429BeUT3jMx22i3Hv6r8W2v9BkyuJcwRCgAA"
|
||
},
|
||
{
|
||
"name": "timespan",
|
||
"source": "static",
|
||
"value": "P1D"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "16",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Filter1"
|
||
},
|
||
"name": "TryLADemo-Filter1c"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "562a1e42-374b-4eb2-8818-1a8179164160",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in your environment",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "LogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "{Workspace}"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA9WVUU%2FbMBDH3%2FspjvRlk4BOCG288NBBNVVlFJVtPCLXuSYWrp357IZOfPjZNQlhalm1QQSnPMTJ5e7v%2B50vvd7eUzZUZI3jVmj1pF9lnV7PXwAjoVK5BMKCGWYRfjo0AgmmKHUJ0yUYnOuFUBl0u104G54P4PNk0B%2BFZYyxVbptLWiaoHVGEVzoEg3lKCVwPZ8zlQLeIndhjwRawQ9hrGMSvjKeC4WdS%2F%2FSCLscLFDZzh2UORqE1Wp4CsfHcPjx6Kh%2BfhJjnvkvIWd0zQmSok6571MlXk13o0GzGrDZr7b%2F0Me1skyoNkR6AJfOZzbil2%2BDSnJUSV6IUza0RZ%2FH20Cl79tuEZymznpEXLo0NMyVNjeZ0a4AFp03FKAKtVNRuBpPRl8m4%2B8XifehSkzM%2Fe59I%2FtunboVUrXQRzhevVpf1sLgTNy%2BDblkmbFUCpu%2FEr2NkXTfyCB15ucPOc6RaOakn6AYD8hMm3ByC2fRQNgExNpDcnryIdlmBBwcNkdADPQY4SpS66Npna4%2FWL2AsEbxqUAu%2FLgvjKcsMfPjiRGJTGEKVoPC8p7LRhTkZisU4fxq0rm2KGnf%2F1y2AvPpYC2YGHS1%2FzVxW8e0TiWq9AHSi4t8LmTn429BeUT3jMx22i3Hv6r8W2v9BkyuJcwRCgAA"
|
||
},
|
||
{
|
||
"name": "timespan",
|
||
"source": "static",
|
||
"value": "P1D"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "22",
|
||
"conditionalVisibilities": [
|
||
{
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Filter1"
|
||
},
|
||
{
|
||
"parameterName": "Workspace",
|
||
"comparison": "isNotEqualTo"
|
||
}
|
||
],
|
||
"name": "TryOwnEnv-Filter1c"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "30",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Filter1"
|
||
},
|
||
"name": "space1-Filter1d"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "\r\n### d) Case-insensitive partial string values\r\n\r\n<p style=\"color:#A6290F;\"> **Note:** Avoid using case-insensitive operators when possible for a better query performance.</p>\r\n\r\n<h3 style=\"color:blue;\"> Operators to be used:</h3>\r\n\r\n **- [has](https://docs.microsoft.com/azure/data-explorer/kusto/query/datatypes-string-operators)**\r\n\r\n **- [!has](https://docs.microsoft.com/azure/data-explorer/kusto/query/datatypes-string-operators)**\r\n\r\n **- [has_all](https://docs.microsoft.com/azure/data-explorer/kusto/query/has-all-operator)**\r\n\r\n **- [has_any](https://docs.microsoft.com/azure/data-explorer/kusto/query/has-anyoperator)**\r\n\r\n **- [contains](https://docs.microsoft.com/azure/data-explorer/kusto/query/datatypes-string-operators)**\r\n\r\n **- [!contains](https://docs.microsoft.com/azure/data-explorer/kusto/query/datatypes-string-operators)**\r\n\r\n **- [hasprefix](https://docs.microsoft.com/azure/data-explorer/kusto/query/datatypes-string-operators)**\r\n\r\n **- [!hasprefix](https://docs.microsoft.com/azure/data-explorer/kusto/query/datatypes-string-operators)**\r\n\r\n **- [hassuffix](https://docs.microsoft.com/azure/data-explorer/kusto/query/datatypes-string-operators)**\r\n\r\n **- [!hassuffix](https://docs.microsoft.com/azure/data-explorer/kusto/query/datatypes-string-operators)**\r\n\r\n **- [startswith](https://docs.microsoft.com/azure/data-explorer/kusto/query/datatypes-string-operators)**\r\n\r\n **- [!startswith](https://docs.microsoft.com/azure/data-explorer/kusto/query/datatypes-string-operators)**\r\n\r\n **- [endswith](https://docs.microsoft.com/azure/data-explorer/kusto/query/datatypes-string-operators)**\r\n\r\n **- [!endswith](https://docs.microsoft.com/azure/data-explorer/kusto/query/datatypes-string-operators)**\r\n\r\n\r\n<br>\r\n\r\n<h3 style=\"color:blue;\"> Sample queries:</h3>\r\n\r\n** - Returns Powershell command executions on Virtual Machine **\r\n\r\n<p style=\"color:red;\"> SecurityEvent <br> | where EventID == 4688 <br> | where CommandLine has \"POWERSHELL.EXE\"</p>\r\n\r\n<p style=\"color:red;\"> SecurityEvent <br> | where EventID == 4688 <br> | where CommandLine contains \"POWERSHELL.EXE\"</p>\r\n\r\n** - Summarizes Security Events count by Account and Activity but excluding Workgroup account **\r\n\r\n<p style=\"color:red;\"> SecurityEvent <br> | where Account !has \"Workgroup\" <br> | summarize count() by Account, Activity</p>\r\n\r\n<p style=\"color:red;\"> SecurityEvent <br> | where Account !contains \"Workgroup\" <br> | summarize count() by Account, Activity</p>\r\n\r\n<p style=\"color:red;\"> SecurityEvent <br> | where Account !hasprefix \"Workgroup\" <br> | summarize count() by Account, Activity</p>\r\n\r\n<p style=\"color:red;\"> SecurityEvent <br> | where Account !startswith \"Workgroup\" <br> | summarize count() by Account, Activity</p>\r\n\r\n** - Returns total logon successful events for Computer with prefix \"DC00\" or \"DC01\" **\r\n\r\n<p style=\"color:red;\"> SecurityEvent <br> | where EventID == 4624 <br> | where Computer hasprefix \"dc00\" or Computer hasprefix \"dc01\" <br> | summarize count() by Computer</p>\r\n\r\n<p style=\"color:red;\"> SecurityEvent <br> | where EventID == 4624 <br> | where Computer startswith \"dc00\" or Computer startswith \"dc01\" <br> | summarize count() by Computer</p>\r\n\r\n<p style=\"color:red;\"> SecurityEvent <br> | where EventID == 4624 <br> | where Computer has_any (\"dc00\",\"dc01\") <br> | summarize count() by Computer</p>\r\n\r\n** - Returns total security events for Computer with hostname \"DC01\" and domain name \"contosohotels\" **\r\n\r\n<p style=\"color:red;\"> SecurityEvent <br> | where Computer has_all (\"dc01\",\"ContosoHotels\") <br> | summarize count() by Computer</p>\r\n\r\n** - Returns special privileges assigned to new logon events for Computer with suffix \"contosohotels.com\" **\r\n\r\n<p style=\"color:red;\"> SecurityEvent <br> | where EventID == 4672 <br> | where Computer hassuffix \"ContosoHotels.Com\"</p>\r\n\r\n<p style=\"color:red;\"> SecurityEvent <br> | where EventID == 4672 <br> | where Computer endswith \"ContosoHotels.Com\"</p>\r\n\r\n** - Returns special privileges assigned to new logon events for Computer NOT end with \"contosohotels.com\" **\r\n\r\n<p style=\"color:red;\"> SecurityEvent <br> | where EventID == 4672 <br> | where Computer !endswith \"ContosoHotels.Com\"</p>\r\n\r\n<p style=\"color:red;\"> SecurityEvent <br> | where EventID == 4672 <br> | where Computer !hassuffix \"ContosoHotels.Com\"</p>\r\n\r\n\r\n<br>\r\n\r\n<h3 style=\"color:blue;\"> Sample use cases:</h3>\r\n\r\n** - SignIn logs with results NOT equal to [result type](https://docs.microsoft.com/azure/data-explorer/kusto/query/datatypes-string-operators) \"success\" (0), \"interupted because of password reset\" (50125) and \"keep me signed in\" (50140) **\r\n\r\n<p style=\"color:red;\"> SigninLogs <br> | where ResultType !in (\"0\",\"50125\",\"50140\") </p>\r\n\r\n<br>"
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Filter1"
|
||
},
|
||
"name": "text-Filter1d"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "60",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Filter1"
|
||
},
|
||
"name": "space4-Filter1"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "187b2142-368f-459f-aecb-d70ffbb2014e",
|
||
"cellValue": "https://ms.portal.azure.com#@72f988bf-86f1-41af-91ab-2d7cd011db47/blade/Microsoft_Azure_Monitoring_Logs/LogsBlade/resourceId/%2Fsubscriptions%2F8bdcebd2-ea3d-41c9-bb40-e02bdbafc506%2FresourceGroups%2Foms%2Fproviders%2FMicrosoft.OperationalInsights%2Fworkspaces%2Foms101/source/LogsBlade.AnalyticsShareLinkToQuery/q/H4sIAAAAAAAAAwtOTS4tyiypdC1LzSsBAIySJcsNAAAA/timespan/P1D",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in LA Demo",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "DemoLogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "/Demo"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA9VWTW%2FaQBC98ysGcwGJAolIm0sOKbEUFJpEEDW9VYs94FXMrrMfEKr%2B%2BM56MYUmjlCb0GSFhO3dnXn73syz2%2B0Pz42%2B0EbZyHApnl1XjEq7TT%2BACy7idAkaM6aYQbi3qDhqGGMqFzBegsKZnHMxhVqtBoP%2BZQifh%2BHphbv1MXZKt%2BtwmIZorBIaruUClU4wTSGSsxkTMeADRtadUYMU8JUrY1kKX1iUcIGVEU0qbpbhHIWp%2FIRFggohv%2BufwckJdD8eH6%2Bf93zMAe2EhGkIrq9uw%2BHoPBwMWuG3MCAotdIBm1RA%2Bbr1%2BAdwkRSGcfHqCIn6kaW0iv%2BgAijweoiaUFhhXEGcRv7S6XFKBTd3i8bWkDhRamNXKrdS3U2VtBkwv7jk9EWoas7%2FeldAC3SBxCeuNzZSN9d596LRGuVvId48VCI0UzjhD%2B8AqzZMGb3gJnkLYDcMyEhD7pLKKXmNtlGEWk9sCugbYiKVa9PMGlSQoy8YP%2Bt1OgHQtLs6CHZp%2FcPuZuv7mBsaxtEqYsnkQSldxYb9u9lTR9qU%2BvGZ%2Fph9L4ciKb4zsYS6P1LTY2%2FsGfyjutWFgZfWayK1EWyGqzrNHT2WM7I48I%2Bd4UktE2kw1WV1vM0DvazrnoBm0PPbz%2F32%2F0iIzjDiREmmyDFSnNLrjWnNpwJjIgsELlZdXkqVtpO817YYadFnyU7d%2FenwSbaKoFs8tXou6N4L%2BymIKOJVN746wpcS6%2FLqxsH2or2gWtU9cvG3EPdZUeA%2BFkmTvnBiaM%2B3Qm1TUiQX4d59mZNe%2FiGYZUaGsnqLBlDvNJoQcEHAbWZI2TFGzGoEOYGMzrGQKnZb0dDao87B4VEjt6fgDjED8qZVQXDh57udRsXh4WJAcNbkDPPkNy53lVytHjh7zsP5%2F24naPwCPid90lkNAAA%3D"
|
||
},
|
||
{
|
||
"name": "timespan",
|
||
"source": "static",
|
||
"value": "P1D"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "16",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Filter1"
|
||
},
|
||
"name": "TryLADemo-Filter1d"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "a1472876-e981-4edf-bfe2-c1894612699d",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in your environment",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "LogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "{Workspace}"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA9VWTW%2FaQBC98ysGcwGJAolIm0sOKbEUFJpEEDW9VYs94FXMrrMfEKr%2B%2BM56MYUmjlCb0GSFhO3dnXn73syz2%2B0Pz42%2B0EbZyHApnl1XjEq7TT%2BACy7idAkaM6aYQbi3qDhqGGMqFzBegsKZnHMxhVqtBoP%2BZQifh%2BHphbv1MXZKt%2BtwmIZorBIaruUClU4wTSGSsxkTMeADRtadUYMU8JUrY1kKX1iUcIGVEU0qbpbhHIWp%2FIRFggohv%2BufwckJdD8eH6%2Bf93zMAe2EhGkIrq9uw%2BHoPBwMWuG3MCAotdIBm1RA%2Bbr1%2BAdwkRSGcfHqCIn6kaW0iv%2BgAijweoiaUFhhXEGcRv7S6XFKBTd3i8bWkDhRamNXKrdS3U2VtBkwv7jk9EWoas7%2FeldAC3SBxCeuNzZSN9d596LRGuVvId48VCI0UzjhD%2B8AqzZMGb3gJnkLYDcMyEhD7pLKKXmNtlGEWk9sCugbYiKVa9PMGlSQoy8YP%2Bt1OgHQtLs6CHZp%2FcPuZuv7mBsaxtEqYsnkQSldxYb9u9lTR9qU%2BvGZ%2Fph9L4ciKb4zsYS6P1LTY2%2FsGfyjutWFgZfWayK1EWyGqzrNHT2WM7I48I%2Bd4UktE2kw1WV1vM0DvazrnoBm0PPbz%2F32%2F0iIzjDiREmmyDFSnNLrjWnNpwJjIgsELlZdXkqVtpO817YYadFnyU7d%2FenwSbaKoFs8tXou6N4L%2BymIKOJVN746wpcS6%2FLqxsH2or2gWtU9cvG3EPdZUeA%2BFkmTvnBiaM%2B3Qm1TUiQX4d59mZNe%2FiGYZUaGsnqLBlDvNJoQcEHAbWZI2TFGzGoEOYGMzrGQKnZb0dDao87B4VEjt6fgDjED8qZVQXDh57udRsXh4WJAcNbkDPPkNy53lVytHjh7zsP5%2F24naPwCPid90lkNAAA%3D"
|
||
},
|
||
{
|
||
"name": "timespan",
|
||
"source": "static",
|
||
"value": "P1D"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "22",
|
||
"conditionalVisibilities": [
|
||
{
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Filter1"
|
||
},
|
||
{
|
||
"parameterName": "Workspace",
|
||
"comparison": "isNotEqualTo"
|
||
}
|
||
],
|
||
"name": "TryOwnEnv-Filter1d"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "30",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Filter1"
|
||
},
|
||
"name": "space5-Filter1"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "<br>\r\n\r\n<h3 style=\"color:blue;\"> Check out the relevant samples found in Microsoft Sentinel:</h3>\r\n\r\n#### Analytics Rules:\r\n\r\n **- [Multiple Password Reset by user](https://github.com/Azure/Azure-Sentinel/blob/9360261b187d1c9d29262bca6641f8383732c703/Detections/MultipleDataSources/MultiplePasswordresetsbyUser.yaml)**\r\n\r\n **- [ User account added to built in domain local or global group](https://github.com/Azure/Azure-Sentinel/blob/3cf25b0d6dd2549c372219035ecf4c1090ae160e/Detections/SecurityEvent/UserAccountAddedToPrivlegeGroup_1h.yaml)**\r\n\r\n **- [DEV-0322 Serv-U related IOCs - July 2021](https://github.com/Azure/Azure-Sentinel/blob/1bbe385ca80189e2a6eb09c19545ce736cd9ba77/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml)**\r\n\r\n **- [HAFNIUM Suspicious UM Service Error](https://github.com/Azure/Azure-Sentinel/blob/06832a873e1686244f0bc02b10f79ba879078864/Detections/SecurityEvent/HAFNIUMSuspiciousUMServiceError.yaml)**\r\n\r\n **- [Exchange SSRF Autodiscover ProxyShell](https://github.com/Azure/Azure-Sentinel/blob/1ec69a144ea9e405de6cbbc4b109f7fa6d61c164/Detections/W3CIISLog/ProxyShellPwn2Own.yaml)**\r\n\r\n **- [NOBELIUM - suspicious rundll32.exe execution of vbscript (Normalized Process Events)](https://github.com/Azure/Azure-Sentinel/blob/84deef53a17d0f989b9098d92e051fad09d9e568/Detections/ASimProcess/imProcess_NOBELIUM_SuspiciousRundll32Exec.yaml)**\r\n\r\n#### Hunting Queries:\r\n\r\n **- [Potential Microsoft security services tampering](https://github.com/Azure/Azure-Sentinel/blob/158019e9f69d847f506d2f1ba05af0bad64b66dd/Hunting Queries/MultipleDataSources/PotentialMicrosoftSecurityServicesTampering.yaml)**\r\n\r\n **- [Tracking Password Changes](https://github.com/Azure/Azure-Sentinel/blob/158019e9f69d847f506d2f1ba05af0bad64b66dd/Hunting Queries/MultipleDataSources/TrackingPasswordChanges.yaml)**\r\n\r\n **- [Query looking for secrets](https://github.com/Azure/Azure-Sentinel/blob/158019e9f69d847f506d2f1ba05af0bad64b66dd/Hunting Queries/LAQueryLogs/QueryLookingForSecrets.yaml)**\r\n\r\n **- [Login attempt by Blocked MFA user](https://github.com/Azure/Azure-Sentinel/blob/c69fda6e8b90aa3ae797560b670a42fa8fce2859/Hunting Queries/SigninLogs/MFAUserBlocked.yaml)**\r\n\r\n **- [Solorigate DNS Pattern](https://github.com/Azure/Azure-Sentinel/blob/83c6d8c7f65a5f209f39f3e06eb2f7374fd8439c/Hunting Queries/DnsEvents/Solorigate-DNS-Pattern.yaml)**\r\n\r\n"
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Filter1"
|
||
},
|
||
"name": "text5-Filter1"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "## 2. Perform a simple filter on integer\r\n\r\n<h3 style=\"color:blue;\"> Operators to be used:</h3>\r\n\r\n **- [==](https://docs.microsoft.com/azure/data-explorer/kusto/query/numoperators)**\r\n\r\n **- [!=](https://docs.microsoft.com/azure/data-explorer/kusto/query/numoperators)**\r\n\r\n **- [>](https://docs.microsoft.com/azure/data-explorer/kusto/query/numoperators)**\r\n\r\n **- [<](https://docs.microsoft.com/azure/data-explorer/kusto/query/numoperators)**\r\n\r\n **- [>=](https://docs.microsoft.com/azure/data-explorer/kusto/query/numoperators)**\r\n\r\n **- [<=](https://docs.microsoft.com/azure/data-explorer/kusto/query/numoperators)**\r\n\r\n **- [in](https://docs.microsoft.com/azure/data-explorer/kusto/query/datatypes-string-operators)**\r\n\r\n **- [!in](https://docs.microsoft.com/azure/data-explorer/kusto/query/datatypes-string-operators)**\r\n\r\n\r\n<br>\r\n\r\n<h3 style=\"color:blue;\"> Sample queries:</h3>\r\n\r\n** - Returns Windows logon successful and failure events**\r\n\r\n<p style=\"color:red;\"> SecurityEvent <br> | where EventID == 4624 or EventID == 4625</p>\r\n\r\n<p style=\"color:red;\"> SecurityEvent <br> | where EventID in (4624,4625)</p>\r\n\r\n** - Returns Computer with more than 1000 security eventsr **\r\n\r\n<p style=\"color:red;\"> SecurityEvent <br> | summarize Count=count() by Computer<br> | where Count > 1000 </p>\r\n\r\n\r\n<br>\r\n\r\n<h3 style=\"color:blue;\"> Sample use cases:</h3>\r\n\r\n** - Identifies queries execution more than 10 seconds **\r\n\r\n<p style=\"color:red;\"> LAQueryLogs <br> | where ResponseDurationMs > 10000 </p>\r\n\r\n** - Identifies unsuccessful query executions **\r\n\r\n<p style=\"color:red;\"> LAQueryLogs <br> | where ResponseCode != 200 </p>"
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Filter2"
|
||
},
|
||
"name": "text-Filter2"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "30",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Datetime2"
|
||
},
|
||
"name": "text - 11"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "60",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Filter2"
|
||
},
|
||
"name": "space2-Filter2"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "16d4a38e-8e1e-46bb-a568-722d28989793",
|
||
"cellValue": "https://ms.portal.azure.com#@72f988bf-86f1-41af-91ab-2d7cd011db47/blade/Microsoft_Azure_Monitoring_Logs/LogsBlade/resourceId/%2Fsubscriptions%2F8bdcebd2-ea3d-41c9-bb40-e02bdbafc506%2FresourceGroups%2Foms%2Fproviders%2FMicrosoft.OperationalInsights%2Fworkspaces%2Foms101/source/LogsBlade.AnalyticsShareLinkToQuery/q/H4sIAAAAAAAAAwtOTS4tyiypdC1LzSsBAIySJcsNAAAA/timespan/P1D",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in LA Demo",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "DemoLogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "/Demo"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA7WST0%2FCQBDF7%2F0Uz%2FQCiaaVoLeaIHBoQBPx4Lm0A2zS7uLOLljjh3eXf6IG5IAvTZNppzO%2Ft31RdHVMqWSjbW6Ekkf7tgqiyF3AQMiirME0z3RmCK%2BWtCDGmEq1xLiGpkothJwiDEMM08c%2B7kf9zsCX6xknrTtVnmlExmrJeHFoasko1VRJsM1zYp7YEpksMMlEaTWBFiQNB8%2BUWy1M3fdl8IHljNzLVZX2kCRo37baUPrHoxu3Lzwo7PvF4b6d%2FsAQEg3Pcek3N8%2B8eu%2FguqqaW0MaS2FmqJRDMLNM4jqOY%2Fen14ibk9O%2FmNlWVabFO7k5Vpok9%2FdG02dhO3jnbNWBu9Xk8%2FtJC0ckJj6O21jSm6P1If9my5tSsuBg2HlyjfVQTXnHOCKeK8nUsy7g7ssH3gD%2FL7GVe4n1%2BPUX%2FHHQrioIFwlacfwJ5rDeBPUDAAA%3D"
|
||
},
|
||
{
|
||
"name": "timespan",
|
||
"source": "static",
|
||
"value": "P1D"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "16",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Filter2"
|
||
},
|
||
"name": "TryLADemo-Filter2"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "d1ace013-f3a5-4f34-8120-65febf2dad36",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in your environment",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "LogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "{Workspace}"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA7WST0%2FCQBDF7%2F0Uz%2FQCiaaVoLeaIHBoQBPx4Lm0A2zS7uLOLljjh3eXf6IG5IAvTZNppzO%2Ft31RdHVMqWSjbW6Ekkf7tgqiyF3AQMiirME0z3RmCK%2BWtCDGmEq1xLiGpkothJwiDEMM08c%2B7kf9zsCX6xknrTtVnmlExmrJeHFoasko1VRJsM1zYp7YEpksMMlEaTWBFiQNB8%2BUWy1M3fdl8IHljNzLVZX2kCRo37baUPrHoxu3Lzwo7PvF4b6d%2FsAQEg3Pcek3N8%2B8eu%2FguqqaW0MaS2FmqJRDMLNM4jqOY%2Fen14ibk9O%2FmNlWVabFO7k5Vpok9%2FdG02dhO3jnbNWBu9Xk8%2FtJC0ckJj6O21jSm6P1If9my5tSsuBg2HlyjfVQTXnHOCKeK8nUsy7g7ssH3gD%2FL7GVe4n1%2BPUX%2FHHQrioIFwlacfwJ5rDeBPUDAAA%3D"
|
||
},
|
||
{
|
||
"name": "timespan",
|
||
"source": "static",
|
||
"value": "P1D"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "22",
|
||
"conditionalVisibilities": [
|
||
{
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Filter2"
|
||
},
|
||
{
|
||
"parameterName": "Workspace",
|
||
"comparison": "isNotEqualTo"
|
||
}
|
||
],
|
||
"name": "TryOwnEnv-Filter2"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "30",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Filter2"
|
||
},
|
||
"name": "space1-Filter2"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "<br>\r\n\r\n<h3 style=\"color:blue;\"> Check out the relevant samples found in Microsoft Sentinel:</h3>\r\n\r\n#### Analytics Rules:\r\n\r\n **- [AD user enabled and password not set within 48 hours](https://github.com/Azure/Azure-Sentinel/blob/45da87dec250017c0fd45cb55842e6d6cde8f1ee/Detections/SecurityEvent/password_not_set.yaml)**\r\n\r\n **- [Failed login attempts to Azure Portal](https://github.com/Azure/Azure-Sentinel/blob/06832a873e1686244f0bc02b10f79ba879078864/Detections/SigninLogs/FailedLogonToAzurePortal.yaml)**\r\n\r\n\r\n#### Hunting Queries:\r\n\r\n **- [Hosts running a rare process](https://github.com/Azure/Azure-Sentinel/blob/c69fda6e8b90aa3ae797560b670a42fa8fce2859/Hunting Queries/SecurityEvent/RareProcess_forWinHost.yaml)**\r\n\r\n"
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Filter2"
|
||
},
|
||
"name": "text2-Filter2"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "## 3. Limit results\r\n\r\n<h3 style=\"color:blue;\"> Operators to be used:</h3>\r\n\r\n **- [take](https://docs.microsoft.com/azure/data-explorer/kusto/query/takeoperator)**\r\n\r\n **- [limit](https://docs.microsoft.com/azure/data-explorer/kusto/query/limitoperator)**\r\n\r\n **- [top](https://docs.microsoft.com/azure/data-explorer/kusto/query/topoperator)**\r\n\r\n<br>\r\n\r\n<h3 style=\"color:blue;\"> Sample queries:</h3>\r\n\r\n** - Take 10 random records from the SecurityEvent table**\r\n\r\n<p style=\"color:red;\"> SecurityEvent <br> | take 10</p>\r\n\r\n<p style=\"color:red;\"> SecurityEvent <br> | limit 10</p>\r\n\r\n** - Take 5 newest records from the SecurityEvent table**\r\n\r\n<p style=\"color:red;\"> SecurityEvent <br> | top 5 by TimeGenerated</p>\r\n\r\n<p style=\"color:red;\"> SecurityEvent <br> | sort by TimeGenerated asc<br> | take 5</p>\r\n\r\n<p style=\"color:red;\"> SecurityEvent <br> | sort by TimeGenerated asc<br> | limit 5</p>\r\n\r\n\r\n<br>\r\n\r\n<h3 style=\"color:blue;\"> Sample use cases:</h3>\r\n\r\n** - Identifies top 20 Sign-in locations **\r\n\r\n<p style=\"color:red;\"> SigninLogs <br> | extend locationString= strcat(tostring(LocationDetails[\"countryOrRegion\"]), \"/\"<br> , tostring(LocationDetails[\"state\"]), \"/\", tostring(LocationDetails[\"city\"])) <br> | where locationString != \"//\"<br> | summarize count() by locationString <br> | order by count_ desc<br> | take 20</p>\r\n"
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Filter3"
|
||
},
|
||
"name": "text-Filter3"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "60",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Filter3"
|
||
},
|
||
"name": "space1-Filter3"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "0e390e88-1395-4b3b-9dd7-906edac6531b",
|
||
"cellValue": "https://ms.portal.azure.com#@72f988bf-86f1-41af-91ab-2d7cd011db47/blade/Microsoft_Azure_Monitoring_Logs/LogsBlade/resourceId/%2Fsubscriptions%2F8bdcebd2-ea3d-41c9-bb40-e02bdbafc506%2FresourceGroups%2Foms%2Fproviders%2FMicrosoft.OperationalInsights%2Fworkspaces%2Foms101/source/LogsBlade.AnalyticsShareLinkToQuery/q/H4sIAAAAAAAAAwtOTS4tyiypdC1LzSsBAIySJcsNAAAA/timespan/P1D",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in LA Demo",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "DemoLogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "/Demo"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA8VTwWrCQBC95yumyUVBiRW8FDy0VIooLai3UsqajHFpsmt3J9qUfnxno7G1okixdMhl37zMvH2zE4bNY9FXlkwekdTqKK8KLwz5AxhIFacFWFwIIwjhNUcj0cIUU72CaQEGM72UKoEgCGDYv%2B%2FBzah3PXDHdY2T2p0aTtNEvCBctsAIFeuMBUTaxBZmhg80RxhjlBtJRW%2BJioDENEVvB%2FM%2BGC1rcLngYMD368Bh3jb2uqQyk3T%2BNpUHHVC4Qku%2FtEAvuAJPcCIzvEOFbr7xHztitaG9niBsVM2k848C1uM6twKeVj%2Fm5nLm9sa53m7BWCaqKRWkOhJuJ%2B2V5yCphjqxLAXfCFW8TY%2FJ8Ip1gXeYgRppWwK14SZ%2FiyRkah%2F9SOeKTPFgRpgw7j%2FVG%2BCHvteAw%2F9YYg8q5jFixD4yr876VnM0%2BEMeXHS5Ajdjl%2FMsE0a%2BI5SCanVn%2BS6bWfxm0bhMSXqGGL%2FeQbv1CTCcudvRBAAA"
|
||
},
|
||
{
|
||
"name": "timespan",
|
||
"source": "static",
|
||
"value": "P1D"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "16",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Filter3"
|
||
},
|
||
"name": "TryLADemo-Filter3 "
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "266fc4c3-f435-4c94-b83c-2032929928c9",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in your environment",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "LogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "{Workspace}"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA8VTwWrCQBC95yumyUVBiRW8FDy0VIooLai3UsqajHFpsmt3J9qUfnxno7G1okixdMhl37zMvH2zE4bNY9FXlkwekdTqKK8KLwz5AxhIFacFWFwIIwjhNUcj0cIUU72CaQEGM72UKoEgCGDYv%2B%2FBzah3PXDHdY2T2p0aTtNEvCBctsAIFeuMBUTaxBZmhg80RxhjlBtJRW%2BJioDENEVvB%2FM%2BGC1rcLngYMD368Bh3jb2uqQyk3T%2BNpUHHVC4Qku%2FtEAvuAJPcCIzvEOFbr7xHztitaG9niBsVM2k848C1uM6twKeVj%2Fm5nLm9sa53m7BWCaqKRWkOhJuJ%2B2V5yCphjqxLAXfCFW8TY%2FJ8Ip1gXeYgRppWwK14SZ%2FiyRkah%2F9SOeKTPFgRpgw7j%2FVG%2BCHvteAw%2F9YYg8q5jFixD4yr876VnM0%2BEMeXHS5Ajdjl%2FMsE0a%2BI5SCanVn%2BS6bWfxm0bhMSXqGGL%2FeQbv1CTCcudvRBAAA"
|
||
},
|
||
{
|
||
"name": "timespan",
|
||
"source": "static",
|
||
"value": "P1D"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "22",
|
||
"conditionalVisibilities": [
|
||
{
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Filter3"
|
||
},
|
||
{
|
||
"parameterName": "Workspace",
|
||
"comparison": "isNotEqualTo"
|
||
}
|
||
],
|
||
"name": "TryOwnEnv-Filter3"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "30",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Filter3"
|
||
},
|
||
"name": "space2-Filter3"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "<br>\r\n\r\n<h3 style=\"color:blue;\"> Check out the relevant samples found in Microsoft Sentinel:</h3>\r\n\r\n#### Hunting Queries:\r\n\r\n **- [PowerShell downloads](https://github.com/Azure/Azure-Sentinel/blob/158019e9f69d847f506d2f1ba05af0bad64b66dd/Hunting Queries/SecurityEvent/powershell_downloads.yaml)**\r\n\r\n **- [Persisting Via IFEO Registry Key](https://github.com/Azure/Azure-Sentinel/blob/c34d23ff4b0d9af8dffbd36d2a0581d43766ae3c/Hunting Queries/MultipleDataSources/PersistViaIFEORegistryKey.yaml)**\r\n\r\n"
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Filter3"
|
||
},
|
||
"name": "text2-Filter3"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "## 4. Filter using regex\r\n\r\n<h3 style=\"color:blue;\"> Operators to be used:</h3>\r\n\r\n **- [matches regex](https://docs.microsoft.com/azure/data-explorer/kusto/query/re2)**\r\n\r\n<br>\r\n\r\n<h3 style=\"color:blue;\"> Sample queries:</h3>\r\n\r\n** - Returns Security Events where hostname starts with \"DC\" and domain name ends with \"contosohotels.com\" **\r\n\r\n<p style=\"color:red;\"> SecurityEvent <br> | where Computer matches regex \"DC*.*contosohotels.com\"</p>\r\n\r\n** - Returns Security Events where Account name contains \"admin\" while domain name consists of any word character or digit **\r\n\r\n<p style=\"color:red;\"> SecurityEvent <br> | where Account matches regex @\"[a-zA-Z0-9]\\\\*admin*\"</p>\r\n\r\n\r\n<br>\r\n\r\n<h3 style=\"color:blue;\"> Sample use cases:</h3>\r\n\r\n** - Returns Security Incidents with tactics consist of \"Persistence\" or \"PreAttack\"**\r\n\r\n<p style=\"color:red;\"> SecurityIncident <br> | where AdditionalData.tactics matches regex \"[Persistence|PreAttack]\"</p>\r\n\r\n** - Returns Security Alerts with HostName entity that has prefix \"DESKTOP\"**\r\n\r\n<p style=\"color:red;\"> SecurityAlert <br> | where Entities matches regex '\"HostName\": \"DESKTOP\"*'</p>\r\n"
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Filter4"
|
||
},
|
||
"name": "text-Filter4"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "60",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Filter4"
|
||
},
|
||
"name": "space1-Filter4"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "f0c1caaf-97de-4d4e-96fb-2c7e32233a55",
|
||
"cellValue": "https://ms.portal.azure.com#@72f988bf-86f1-41af-91ab-2d7cd011db47/blade/Microsoft_Azure_Monitoring_Logs/LogsBlade/resourceId/%2Fsubscriptions%2F8bdcebd2-ea3d-41c9-bb40-e02bdbafc506%2FresourceGroups%2Foms%2Fproviders%2FMicrosoft.OperationalInsights%2Fworkspaces%2Foms101/source/LogsBlade.AnalyticsShareLinkToQuery/q/H4sIAAAAAAAAAwtOTS4tyiypdC1LzSsBAIySJcsNAAAA/timespan/P1D",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in LA Demo",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "DemoLogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "/Demo"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA72TUU%2FCMBDH3%2FkUl%2FJAYgLzVZ%2BcsESCQQI%2BqTzU9mCNW4vtDcT44W2ZY2AEeTBe9rCt1%2F%2F1979rFLWPRV87soUgZfTRvCoaUeQfgIHSMluDwwW3nBBeC7QKHTxjZlbwvAaLuVkqPYdmswm3%2FWEC1%2BMkHoTPUuOkcqdGONMYqbDawQRFYRWtIVmiJgerFC1CahxpniM44jb8VZQC63UZcC1BmpwrDZsE1LJaFkaTcSY1hJnrCJOzRqW%2BEW98fKl3Tb4oCC3knETqfbA4x7eg3%2FlBI4qaBwN2zYLDedv4HT0WwhSaSrpwHI%2FqgHGZK818jspwzwCf4pTz283Mm7OGlbESROobLQKisSDVXNEBK6pq%2B05csUfefo%2FbD%2Bfti%2BlTWfoffOhroWRpRWgoeQIlXEUYANkIbXhHLZAFNjayGJPPfKmbXcnUkFKqcGd41uPEO5Xut%2B4%2F7mh%2FbGWnfw0OP5HHGW7H%2FMbP%2FrAcbQprlHKClDtYWJypMKbJZHB%2FN6qBN7u3tEnYFm73Pl%2BLVcLsstY4a30Cx0mzHHMEAAA%3D"
|
||
},
|
||
{
|
||
"name": "timespan",
|
||
"source": "static",
|
||
"value": "P1D"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "16",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Filter4"
|
||
},
|
||
"name": "TryLADemo-Filter4"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "6e424fac-a519-40e3-86c0-77bf8f2c0390",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in your environment",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "LogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "{Workspace}"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA72TUU%2FCMBDH3%2FkUl%2FJAYgLzVZ%2BcsESCQQI%2BqTzU9mCNW4vtDcT44W2ZY2AEeTBe9rCt1%2F%2F1979rFLWPRV87soUgZfTRvCoaUeQfgIHSMluDwwW3nBBeC7QKHTxjZlbwvAaLuVkqPYdmswm3%2FWEC1%2BMkHoTPUuOkcqdGONMYqbDawQRFYRWtIVmiJgerFC1CahxpniM44jb8VZQC63UZcC1BmpwrDZsE1LJaFkaTcSY1hJnrCJOzRqW%2BEW98fKl3Tb4oCC3knETqfbA4x7eg3%2FlBI4qaBwN2zYLDedv4HT0WwhSaSrpwHI%2FqgHGZK818jspwzwCf4pTz283Mm7OGlbESROobLQKisSDVXNEBK6pq%2B05csUfefo%2FbD%2Bfti%2BlTWfoffOhroWRpRWgoeQIlXEUYANkIbXhHLZAFNjayGJPPfKmbXcnUkFKqcGd41uPEO5Xut%2B4%2F7mh%2FbGWnfw0OP5HHGW7H%2FMbP%2FrAcbQprlHKClDtYWJypMKbJZHB%2FN6qBN7u3tEnYFm73Pl%2BLVcLsstY4a30Cx0mzHHMEAAA%3D"
|
||
},
|
||
{
|
||
"name": "timespan",
|
||
"source": "static",
|
||
"value": "P1D"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "22",
|
||
"conditionalVisibilities": [
|
||
{
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Filter4"
|
||
},
|
||
{
|
||
"parameterName": "Workspace",
|
||
"comparison": "isNotEqualTo"
|
||
}
|
||
],
|
||
"name": "TryOwnEnv-Filter4"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "30",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Filter4"
|
||
},
|
||
"name": "space2-Filter4"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "<br>\r\n\r\n<h3 style=\"color:blue;\"> Check out the relevant samples found in Microsoft Sentinel:</h3>\r\n\r\n#### Analytics Rules:\r\n\r\n **- [Account added and removed from privileged groups](https://github.com/Azure/Azure-Sentinel/blob/3cf25b0d6dd2549c372219035ecf4c1090ae160e/Detections/SecurityEvent/UserAccountAdd-Removed.yaml)**\r\n\r\n **- [Group created then added to built in domain local or global group](https://github.com/Azure/Azure-Sentinel/blob/45da87dec250017c0fd45cb55842e6d6cde8f1ee/Detections/SecurityEvent/GroupCreatedAddedToPrivlegeGroup_1h.yaml)**\r\n\r\n **- [Password spray attack against Azure AD application](https://github.com/Azure/Azure-Sentinel/blob/06832a873e1686244f0bc02b10f79ba879078864/Detections/SigninLogs/SigninPasswordSpray.yaml)**\r\n\r\n **- [Malformed user agent](https://github.com/Azure/Azure-Sentinel/blob/06832a873e1686244f0bc02b10f79ba879078864/Detections/MultipleDataSources/MalformedUserAgents.yaml)**\r\n\r\n **- [Several deny actions registered](https://github.com/Azure/Azure-Sentinel/blob/06832a873e1686244f0bc02b10f79ba879078864/Detections/AzureFirewall/SeveralDenyActionsRegistered.yaml)**\r\n\r\n **- [Palo Alto - potential beaconing detected](https://github.com/Azure/Azure-Sentinel/blob/76578d41f67181e6c1acb16b520f48a31d248036/Detections/CommonSecurityLog/PaloAlto-NetworkBeaconing.yaml)**\r\n\r\n\r\n#### Hunting Queries::\r\n\r\n **- [Rare Process Path](https://github.com/Azure/Azure-Sentinel/blob/c69fda6e8b90aa3ae797560b670a42fa8fce2859/Hunting Queries/SecurityEvent/RareProcessPath.yaml)**\r\n\r\n **- [Rare processes run by Service accounts](https://github.com/Azure/Azure-Sentinel/blob/c69fda6e8b90aa3ae797560b670a42fa8fce2859/Hunting Queries/SecurityEvent/RareProcbyServiceAccount.yaml)**\r\n\r\n **- [FireEye stolen red teaming tools communications](https://github.com/Azure/Azure-Sentinel/blob/158019e9f69d847f506d2f1ba05af0bad64b66dd/Hunting Queries/MultipleDataSources/FireEyeRedTeamComms.yaml)**\r\n\r\n **- [Exploit and Pentest Framework User Agent](https://github.com/Azure/Azure-Sentinel/blob/158019e9f69d847f506d2f1ba05af0bad64b66dd/Hunting Queries/MultipleDataSources/UseragentExploitPentest.yaml)**\r\n\r\n **- [Exchange Server ProxyLogon URIs](https://github.com/Azure/Azure-Sentinel/blob/158019e9f69d847f506d2f1ba05af0bad64b66dd/Hunting Queries/W3CIISLog/ExchangeServerProxyLogonURI.yaml)**\r\n\r\n **- [RareDNSLookupWithDataTransfer](https://github.com/Azure/Azure-Sentinel/blob/76578d41f67181e6c1acb16b520f48a31d248036/Hunting Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml)**"
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Filter4"
|
||
},
|
||
"name": "text2-Filter4"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "## 5. Filters events that occurred consecutively or in a specific sequence/pattern\r\n\r\n<h3 style=\"color:blue;\"> Operators to be used:</h3>\r\n\r\n **- [make_list](https://docs.microsoft.com/azure/data-explorer/kusto/query/makelist-aggfunction)**\r\n\r\n **- [mv-apply](https://docs.microsoft.com/azure/data-explorer/kusto/query/mv-applyoperator)**\r\n\r\n **- [prev](https://docs.microsoft.com/azure/data-explorer/kusto/query/prevfunction)**\r\n\r\n **- [minif()](https://docs.microsoft.com/azure/data-explorer/kusto/query/minif-aggfunction)**\r\n\r\n **- [maxif()](https://docs.microsoft.com/azure/data-explorer/kusto/query/maxif-aggfunction)**\r\n\r\n\r\n<br>\r\n\r\n<h3 style=\"color:blue;\"> Sample queries:</h3>\r\n\r\n** - Returns windows logon events where logon failure occurred before logon success within the 30 minutes window**\r\n\r\n<p style=\"color:red;\"> SecurityEvent <br> | where EventID in (4624,4625)<br> | summarize FirstLogonTime = minif(TimeGenerated,EventID==4624), FirstFailureTime = <br> minif(TimeGenerated,EventID==4625) by bin(TimeGenerated,30m), Computer, Account\r\n<br> | where FirstLogonTime > FirstFailureTime</p>\r\n\r\n** - Returns accounts with more than five AAD signin failures and at least a signin success event within the 30 minutes window**\r\n\r\n<p style=\"color:red;\"> SigninLogs <br> | extend FailureOrSuccess = iff(ResultType in (\"0\", \"50125\", \"50140\", \"70043\", \"70044\"), \"Success\", \"Failure\")<br> | sort by UserPrincipalName, TimeGenerated<br> | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddress = <br> make_set(IPAddress), make_list(FailureOrSuccess), FailureCount = <br> countif(FailureOrSuccess==\"Failure\"), SuccessCount = countif(FailureOrSuccess==\"Success\") <br> by bin(TimeGenerated, 30m), UserPrincipalName, AppDisplayName <br> | where FailureCount >5 and SuccessCount >0</p>\r\n\r\n** - Returns accounts who have two AAD signin failures in a row, followed by a successful logon**\r\n\r\n<p style=\"color:red;\"> SigninLogs <br> | extend FailureOrSuccess = iff(ResultType in (\"0\", \"50125\", \"50140\", \"70043\", \"70044\"), \"Success\", \"Failure\")<br> | sort by UserPrincipalName, TimeGenerated<br> | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddress = <br> make_set(IPAddress), make_list(FailureOrSuccess), FailureCount = <br> countif(FailureOrSuccess==\"Failure\"), SuccessCount = countif(FailureOrSuccess==\"Success\") <br> by bin(TimeGenerated, 30m), UserPrincipalName, AppDisplayName <br> | where list_FailureOrSuccess matches regex '\"Failure\",\"Failure\",\"Success\"'</p>\r\n\r\n\r\n<br>\r\n\r\n<h3 style=\"color:blue;\"> Sample use cases:</h3>\r\n\r\n** - Identifies Sign-in Failure after ProofPoint ClicksPermitted event**\r\n\r\n<p style=\"color:red;\"> let SignInFailure = ( <br> SigninLogs<br> | where ConditionalAccessStatus == \"failure\"<br> | extend DataType = \"SignInFailure\" <br> | project EventTime=CreatedDateTime, recipient_s=trim(\" \",UserPrincipalName), DataType <br> ); <br> let ProofPointClicksPermitted =( <br> ProofPointTAPClicksPermitted_CL<br> | where classification_s == \"malware\"<br> | extend DataType = \"ClicksPermitted\"<br> | project EventTime=clickTime_t, recipient_s=trim(\" \",recipient_s), classification_s,url_s, DataType<br> );<br> union isfuzzy=true SignInFailure,ProofPointClicksPermitted<br> | sort by EventTime, recipient_s<br> | summarize StartClickTime=minif(EventTime,DataType==\"ClicksPermitted\"),EndClickTime=maxif(EventTime,DataType==\"ClicksPermitted\"),<br> StartLoginFailureTime=minif(EventTime,DataType==\"SignInFailure\"),EndLoginFailureTime=maxif(EventTime,DataType==\"SignInFailure\"),<br> make_list(DataType), make_list(url_s) by recipient_s<br> | where StartLoginFailureTime > StartClickTime or StartLoginFailureTime > EndClickTime or <br> EndLoginFailureTime > StartClickTime or EndLoginFailureTime > EndClickTime </p>\r\n\r\n** - Identifies brute force attack against Azure Portal with the pattern of 5 consecutive failures followed by 1 successful logon within 30 minutes**\r\n\r\n<p style=\"color:red;\"> let failureCountThreshold = 5; <br> let successCountThreshold = 1;<br> let authenticationWindow = 30m;<br> SigninLogs <br> | extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails) <br> | extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser <br> | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails) <br> | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = <br> tostring(LocationDetails.countryOrRegion)<br> | where AppDisplayName has \"Azure Portal\"<br> | where ResultType !in (70043,70044) <br> );<br> | extend FailureOrSuccess = iff(ResultType in (\"0\", \"50125\", \"50140\", \"70043\", \"70044\"), \"Success\", \"Failure\") <br> | sort by UserPrincipalName, TimeGenerated <br> | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddress = <br> make_set(IPAddress), make_set(OS), make_set(Browser), make_set(City),<br> make_set(State), make_set(Region),make_set(ResultType),make_list(FailureOrSuccess), FailureCount = <br> countif(FailureOrSuccess==\"Failure\"), SuccessCount = countif(FailureOrSuccess==\"Success\") <br> by bin(TimeGenerated, authenticationWindow), UserDisplayName, UserPrincipalName, AppDisplayName, Type <br> | where FailureCount >= failureCountThreshold and SuccessCount >= successCountThreshold <br> | where list_FailureOrSuccess matches regex '\"Failure\",\"Failure\",\"Failure\",\"Failure\",\"Failure\",\"Success\"'</p>\r\n"
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Filter5"
|
||
},
|
||
"name": "text-Filter5"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "60",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Filter5"
|
||
},
|
||
"name": "space1-Filter5"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "bd507c05-e201-4b1b-84ff-9cdeee2e2feb",
|
||
"cellValue": "https://ms.portal.azure.com#@72f988bf-86f1-41af-91ab-2d7cd011db47/blade/Microsoft_Azure_Monitoring_Logs/LogsBlade/resourceId/%2Fsubscriptions%2F8bdcebd2-ea3d-41c9-bb40-e02bdbafc506%2FresourceGroups%2Foms%2Fproviders%2FMicrosoft.OperationalInsights%2Fworkspaces%2Foms101/source/LogsBlade.AnalyticsShareLinkToQuery/q/H4sIAAAAAAAAAwtOTS4tyiypdC1LzSsBAIySJcsNAAAA/timespan/P1D",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in LA Demo",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "DemoLogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "/Demo"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA%2B1XS2%2FjNhC%2B61dMlcPagDZxNnZ7WCiA184WxgYbI07Ro8FItM1GEl2SiuOgP75DUg9Klr05bIuiWMEwpHlxHp9mRhcX709ds0wqkUeK8eykXHl5Fxf4A%2FjCsjjZg6RbIoii8GdOBaMSHmnCd%2FC4B0FT%2FsyyNZydncHt7OsNfLq%2FGX%2FRj9bGm45766V9uqcqF5mEHbrGdxISvuYZ0GeaKSRuqKAFaUVYkuMTj6JcCBqj0ytecWUeRVRqM2rDMlAbClcDSFmWK1oa9xYUVZna32jr3l%2BFefM0mwKq9YY%2FfxgG%2BDfqI1vmaUoEe6XwmQmpbvVBDyylEGrDbNXTD7%2FSjOpcxkFhJwy1kX5glT5br62a9y21UV8X4ZFlLZmrQYoGJzzdYjgigHEU8dwJoeXf9cHZmOmzoxe4lYbjctXl1o1YV2zmIdUVURuC5WLPFMbjKUi2zlhVPlTIYiAKEkqkAlKyy%2FqZwn%2BjikYDo5UYP31RFA0Wod6JRWEnBLZa9e6pzBP1sN9SU11%2F4AfgjwaXH0bFzdBQfhkMhlflzdDHVPuFHU0sbPsGElwoXaLfJBVzwbKIbUnylaQ0gEbFGuhZKCJUDZxmbfGwmywuueTlgDubj%2BNYmJi8lDzRpaSqVxFRwBATJlWvnQUNQkua6BqhAVMrhGBbMgzrMAMoiIUSnFAq09T3OnELFrgd2Rpvt1MmtwnZ6%2BcayK671yMDloY314N%2FA8obDhuC%2BFU73olhvCcg%2BC6AFU%2BwdeputNdgtq6u8sS2pR9Y%2FR9jVYexPChmSlS0QYgIuqYv8K5yNXDuSk%2FefX8sz2Kq49dDXWPvPUKpOBfICmcHzAXnqzlnmK1JwqInOaciZQozYHuvl1BlVGdZqRhCrwlkG%2F%2BEZzHTKwhJxiYexI7KsfQh%2BMWb4teonxJFDLiR2zCvZbaC%2F0EjZUexLks4EVRXBbXM%2FAown1gRhuylDJVgac8HPzgoFhawPMjrfzSx1AG34w17Xs18GM9b%2FOXktoo1SoiUmNaI6ICXNsiUJDtyNMiWte4wIy2k75bqSIgOEYNr%2BxHkIsH%2FRtB5hixg2IVeX%2FdoKKfNegZHM%2BI0jcrFhluHrWJSBhDa3abWK13CN6%2Bdin6AbcTRJC9v1%2FTMsQhEljn7zanTm2gzZx%2BqH3ehre7VPayUajQ2U5G%2BXabdxFkgdXqPC1szmcDFUUk3dSjndYTTaa9bzrX2j3ajR4E7HI5LEWEnUopET0DWhOGHDIxfdZeZI%2FJIYtdIvfhtUYqKDPgKRtjWM4nLu9JLZTWF3dl7eTB7yyWyXiBNO1g5Q%2BZhg2Y2PMFWACPbLaQzTlz2pWWTHF3DkOz797tZSJGLo%2BNj56yf0mcW0SlVeCrKKR7vM5KyqOcy9BQrWudxiVtuz7SEpmiL16%2FPv1ugoGvpnG%2F1vMNPvMVeKpoG8An3GGyjbblHS65NWRcnPKbmbPwARSM9Sz2nQnCheVUsrp9NWRKXY%2BPQXy3SsN8K7VxqAf0thJ9xp%2BQi5KPYPV3rZhh6xwV1pcX%2BTljRfvWmNqc%2B7oMSfBepfiXpbG4%2F6dXNrGiB2c%2F6uiH%2F2PzKBqmJdwv3qUCfS5qY0tVWFkXJK0JRqcAhlAksiP%2FRDbOrexQrpwO1N%2BygWEc97Lu%2FmsIjPe7wWyrsbnffYcM9fVftv38Dr%2FIcXucSAAA%3D"
|
||
},
|
||
{
|
||
"name": "timespan",
|
||
"source": "static",
|
||
"value": "P1D"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "16",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Filter5"
|
||
},
|
||
"name": "TryLADemo-Filter5"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "1d28f0f8-0d14-4ca9-bb7f-24cfff3afeee",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in your environment",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "LogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "{Workspace}"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA%2B1XS2%2FjNhC%2B61dMlcPagDZxNnZ7WCiA184WxgYbI07Ro8FItM1GEl2SiuOgP75DUg9Klr05bIuiWMEwpHlxHp9mRhcX709ds0wqkUeK8eykXHl5Fxf4A%2FjCsjjZg6RbIoii8GdOBaMSHmnCd%2FC4B0FT%2FsyyNZydncHt7OsNfLq%2FGX%2FRj9bGm45766V9uqcqF5mEHbrGdxISvuYZ0GeaKSRuqKAFaUVYkuMTj6JcCBqj0ytecWUeRVRqM2rDMlAbClcDSFmWK1oa9xYUVZna32jr3l%2BFefM0mwKq9YY%2FfxgG%2BDfqI1vmaUoEe6XwmQmpbvVBDyylEGrDbNXTD7%2FSjOpcxkFhJwy1kX5glT5br62a9y21UV8X4ZFlLZmrQYoGJzzdYjgigHEU8dwJoeXf9cHZmOmzoxe4lYbjctXl1o1YV2zmIdUVURuC5WLPFMbjKUi2zlhVPlTIYiAKEkqkAlKyy%2FqZwn%2BjikYDo5UYP31RFA0Wod6JRWEnBLZa9e6pzBP1sN9SU11%2F4AfgjwaXH0bFzdBQfhkMhlflzdDHVPuFHU0sbPsGElwoXaLfJBVzwbKIbUnylaQ0gEbFGuhZKCJUDZxmbfGwmywuueTlgDubj%2BNYmJi8lDzRpaSqVxFRwBATJlWvnQUNQkua6BqhAVMrhGBbMgzrMAMoiIUSnFAq09T3OnELFrgd2Rpvt1MmtwnZ6%2BcayK671yMDloY314N%2FA8obDhuC%2BFU73olhvCcg%2BC6AFU%2BwdeputNdgtq6u8sS2pR9Y%2FR9jVYexPChmSlS0QYgIuqYv8K5yNXDuSk%2FefX8sz2Kq49dDXWPvPUKpOBfICmcHzAXnqzlnmK1JwqInOaciZQozYHuvl1BlVGdZqRhCrwlkG%2F%2BEZzHTKwhJxiYexI7KsfQh%2BMWb4teonxJFDLiR2zCvZbaC%2F0EjZUexLks4EVRXBbXM%2FAown1gRhuylDJVgac8HPzgoFhawPMjrfzSx1AG34w17Xs18GM9b%2FOXktoo1SoiUmNaI6ICXNsiUJDtyNMiWte4wIy2k75bqSIgOEYNr%2BxHkIsH%2FRtB5hixg2IVeX%2FdoKKfNegZHM%2BI0jcrFhluHrWJSBhDa3abWK13CN6%2Bdin6AbcTRJC9v1%2FTMsQhEljn7zanTm2gzZx%2BqH3ehre7VPayUajQ2U5G%2BXabdxFkgdXqPC1szmcDFUUk3dSjndYTTaa9bzrX2j3ajR4E7HI5LEWEnUopET0DWhOGHDIxfdZeZI%2FJIYtdIvfhtUYqKDPgKRtjWM4nLu9JLZTWF3dl7eTB7yyWyXiBNO1g5Q%2BZhg2Y2PMFWACPbLaQzTlz2pWWTHF3DkOz797tZSJGLo%2BNj56yf0mcW0SlVeCrKKR7vM5KyqOcy9BQrWudxiVtuz7SEpmiL16%2FPv1ugoGvpnG%2F1vMNPvMVeKpoG8An3GGyjbblHS65NWRcnPKbmbPwARSM9Sz2nQnCheVUsrp9NWRKXY%2BPQXy3SsN8K7VxqAf0thJ9xp%2BQi5KPYPV3rZhh6xwV1pcX%2BTljRfvWmNqc%2B7oMSfBepfiXpbG4%2F6dXNrGiB2c%2F6uiH%2F2PzKBqmJdwv3qUCfS5qY0tVWFkXJK0JRqcAhlAksiP%2FRDbOrexQrpwO1N%2BygWEc97Lu%2FmsIjPe7wWyrsbnffYcM9fVftv38Dr%2FIcXucSAAA%3D"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "22",
|
||
"conditionalVisibilities": [
|
||
{
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Filter5"
|
||
},
|
||
{
|
||
"parameterName": "Workspace",
|
||
"comparison": "isNotEqualTo"
|
||
}
|
||
],
|
||
"name": "TryOwnEnv-Filter5"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "30",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Filter5"
|
||
},
|
||
"name": "space2-Filter5"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "<br>\r\n\r\n<h3 style=\"color:blue;\"> Check out the relevant samples found in Microsoft Sentinel:</h3>\r\n\r\n#### Analytics Rules:\r\n\r\n **- [Multiple authentication failures followed by a success](https://github.com/Azure/Azure-Sentinel/blob/45da87dec250017c0fd45cb55842e6d6cde8f1ee/Detections/SecurityEvent/MultipleFailedFollowedBySuccess.yaml)**\r\n\r\n **- [Brute force attack against Azure Portal](https://github.com/Azure/Azure-Sentinel/blob/06832a873e1686244f0bc02b10f79ba879078864/Detections/SigninLogs/SigninBruteForce-AzurePortal.yaml)**\r\n\r\n **- [Anomalous login followed by Teams action](https://github.com/Azure/Azure-Sentinel/blob/06832a873e1686244f0bc02b10f79ba879078864/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml)**\r\n\r\n **- [User account created and deleted within 10 mins](https://github.com/Azure/Azure-Sentinel/blob/06832a873e1686244f0bc02b10f79ba879078864/Detections/SecurityEvent/UserAccountCreatedDeleted_10m.yaml)**\r\n\r\n **- [User account enabled and disabled within 10 mins](https://github.com/Azure/Azure-Sentinel/blob/06832a873e1686244f0bc02b10f79ba879078864/Detections/SecurityEvent/UserAccountEnabledDisabled_10m.yaml)**\r\n"
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Filter5"
|
||
},
|
||
"name": "text2-Filter5"
|
||
}
|
||
]
|
||
},
|
||
"conditionalVisibility": {
|
||
"parameterName": "Category",
|
||
"comparison": "isEqualTo",
|
||
"value": "Filter"
|
||
},
|
||
"name": "group-Filter"
|
||
},
|
||
{
|
||
"type": 12,
|
||
"content": {
|
||
"version": "NotebookGroup/1.0",
|
||
"groupType": "editable",
|
||
"items": [
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "# {Category}\r\n\r\n\r\n<h2 style=\"color:blue;\">Overview:</h2>\r\n\r\nFunctions are reusable queries which provide a way for analyst to simplify complex KQL queries and increase the efficiency of analysis. \r\n\r\nOne of the common methods to improve modularity and reuse in KQL is using [let](https://docs.microsoft.com/azure/data-explorer/kusto/query/letstatement) statements to bind names to your expressions. The name can then be used to refer to its bound value as [user-defined functions and views](https://docs.microsoft.com/azure/data-explorer/kusto/query/functions/user-defined-functions).\r\n\r\nYou can also [save query as function](https://docs.microsoft.com/azure/azure-monitor/logs/functions#create-a-function) and run the query regulary by calling the function name without the need of re-writing the whole query.\r\n\r\nParameters can be added to functions as input arguments so that you can provide values for certain variables when calling it. This allows the same function to be used in different queries, each providing different values for the parameters. \r\n\r\nIn Microsoft Sentinel, the [Microsoft Sentinel Information Model (ASIM)](https://docs.microsoft.com/azure/sentinel/normalization-about-parsers) parsers leverage functions to parse and normalize data at query time.\r\n\r\n\r\n<br>\r\n"
|
||
},
|
||
"name": "text - 0"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "<h2 style=\"color:blue;\">I want to:</h2>"
|
||
},
|
||
"name": "text - 2"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "list",
|
||
"links": [
|
||
{
|
||
"id": "10c45a2a-2b70-422e-9997-0e4f315f7727",
|
||
"cellValue": "Section",
|
||
"linkTarget": "parameter",
|
||
"linkLabel": "1. Bind name to expression using ‘let’ operator",
|
||
"subTarget": "Function1",
|
||
"preText": "",
|
||
"style": "link"
|
||
},
|
||
{
|
||
"id": "40988c97-79b0-481a-b5a8-390f16783e15",
|
||
"cellValue": "Section",
|
||
"linkTarget": "parameter",
|
||
"linkLabel": "2. Create or save a query as function for reuse purposes",
|
||
"subTarget": "Function2",
|
||
"preText": "",
|
||
"style": "link"
|
||
},
|
||
{
|
||
"id": "d9333cfe-ce35-4cb3-b0e2-eaa2edf263d4",
|
||
"cellValue": "Section",
|
||
"linkTarget": "parameter",
|
||
"linkLabel": "3. Build an ASIM Normalizing parser ",
|
||
"subTarget": "Function3",
|
||
"preText": "",
|
||
"style": "link"
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "30",
|
||
"name": "links - 1"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "## 1. Bind name to expression using 'let' operator\r\n\r\n### a) Define simple contants or scalar values\r\n\r\n<h3 style=\"color:blue;\"> Operators to be used:</h3>\r\n\r\n **- [let](https://docs.microsoft.com/azure/data-explorer/kusto/query/letstatement)**\r\n\r\n\r\n<br>\r\n\r\n<h3 style=\"color:blue;\"> Sample queries:</h3>\r\n\r\n** - Use let operator to bind a constant**\r\n\r\n<p style=\"color:red;\"> let timeframe = 1d; <br> SecurityEvent<br> | where TimeGenerated > ago(timeframe)</p>\r\n\r\n** - Use let operator to bind a dynamic list **\r\n\r\n Returns Activity logs with keyvault deletion or Azure resource deployment operations.\r\n\r\n<p style=\"color:red;\"> let operationList = dynamic([\"MICROSOFT.KEYVAULT/VAULTS/DELETE\", <br> \"MICROSOFT.RESOURCES/DEPLOYMENTS/WRITE\"]);<br> AzureActivity<br> | where OperationNameValue in (operationList)<br> | where ActivityStatusValue == \"Success\"</p>\r\n\r\n** - Use let operator to bind scalar value**\r\n\r\n Returns Security Events for a list of pre-defined servers\r\n\r\n<p style=\"color:red;\"> let Computerlist =( <br> Heartbeat<br> | where Computer startswith \"DC\"<br> | distinct Computer<br> );<br> SecurityEvent<br> | where Computer in (Computerlist)</p>\r\n\r\n** - Use let operator to bind expression **\r\n\r\n Returns Windows logon failure events for a list of pre-defined servers\r\n\r\n<p style=\"color:red;\"> let DC_list =( <br> Heartbeat<br> | where Computer startswith \"DC\"<br> | distinct Computer<br> );<br> let LogonFailureEvent =(<br> SecurityEvent<br> | where EventID == 4625<br> | summarize count() by Account, Computer, EventSourceName, Activity<br> );<br> LogonFailureEvent<br> | where Computer in (DC_list) </p>\r\n\r\n<br>\r\n"
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Function1"
|
||
},
|
||
"name": "text-Function1"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "60",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Function1"
|
||
},
|
||
"name": "space1-Function1a"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "b1f79330-0e49-4c7a-b93d-773efd47d889",
|
||
"cellValue": "https://ms.portal.azure.com#@72f988bf-86f1-41af-91ab-2d7cd011db47/blade/Microsoft_Azure_Monitoring_Logs/LogsBlade/resourceId/%2Fsubscriptions%2F8bdcebd2-ea3d-41c9-bb40-e02bdbafc506%2FresourceGroups%2Foms%2Fproviders%2FMicrosoft.OperationalInsights%2Fworkspaces%2Foms101/source/LogsBlade.AnalyticsShareLinkToQuery/q/H4sIAAAAAAAAAwtOTS4tyiypdC1LzSsBAIySJcsNAAAA/timespan/P1D",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in LA Demo",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "DemoLogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "/Demo"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA71UXW%2FaQBB8969YmRcskVit2r5EVKLgtAgHKhsSRVVVHfZCTrV99D5MHPXHd89gQ9WQplKVFUI63%2Bzu7OzYvn%2F2VIwLpaVJNBfFk7gmHN%2BnH8CEF2lWgcINk0wj%2FDAoOSpYYia2sKxAYi5KXqyh0%2BlAOJ4G8CEKBhN73NV4VrvnhuW0UAgZahAbJEpCghawJJrAIBE0Jiu0Y%2B81z3ElWY7Qh1fphRNjYiTXVVAiIX7C9g4lwpxQH7GwpTCF98DWottmetSvczLgeF44jWvjL%2BzTqmA5TyDjSltohNrIQsGA1lYSccjEWsGW6zv4jlXJTKYhRSpGSwWqNHgwNJBEJYxMkK42mahyGnbfjGDq3Dk0p3NIrUiefefuF%2FdqPIxm8exyfj4Jbq8Hi3Du1%2F%2BxPwrCYB64PecIEwXxbBENA3v7OZzdXgVTQt5EYwJ%2B9S6cmlFDv5V81nSfksTXLDMIvIDub6S8Ft2kx5ppo3bwfh%2Fc2CQJKuW%2B4IpUwjImobQcjhfUOAtqaylYUQ6r1whiBRuJZymueEH%2BUihLlKpewlDkG6NR1rh%2B1%2FmETOolsoM3GwSQqaVW9ebd0dAlQEpJvEgOVRzvlMPbKlbk46Yv6W68JxmUou0eC3dDV2KrrLHJwivGM%2Btg%2FBcVR8Nv%2F09AWzC0XC53VGohbenHla1P45G145t3r9%2FSc2XynEn%2BgPQpMoXuevYTOUjqQ69t1dtlxvV7al%2BCXutyy%2BIPBo%2Bvcj%2B59wv6Bm1S%2BgUAAA%3D%3D"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "16",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Function1"
|
||
},
|
||
"name": "TryLADemo-Function1a"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "262c9f91-f40f-4255-a984-d0bb16cfacf3",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in your environment",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "LogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "{Workspace}"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA71UXW%2FaQBB8969YmRcskVit2r5EVKLgtAgHKhsSRVVVHfZCTrV99D5MHPXHd89gQ9WQplKVFUI63%2Bzu7OzYvn%2F2VIwLpaVJNBfFk7gmHN%2BnH8CEF2lWgcINk0wj%2FDAoOSpYYia2sKxAYi5KXqyh0%2BlAOJ4G8CEKBhN73NV4VrvnhuW0UAgZahAbJEpCghawJJrAIBE0Jiu0Y%2B81z3ElWY7Qh1fphRNjYiTXVVAiIX7C9g4lwpxQH7GwpTCF98DWottmetSvczLgeF44jWvjL%2BzTqmA5TyDjSltohNrIQsGA1lYSccjEWsGW6zv4jlXJTKYhRSpGSwWqNHgwNJBEJYxMkK42mahyGnbfjGDq3Dk0p3NIrUiefefuF%2FdqPIxm8exyfj4Jbq8Hi3Du1%2F%2BxPwrCYB64PecIEwXxbBENA3v7OZzdXgVTQt5EYwJ%2B9S6cmlFDv5V81nSfksTXLDMIvIDub6S8Ft2kx5ppo3bwfh%2Fc2CQJKuW%2B4IpUwjImobQcjhfUOAtqaylYUQ6r1whiBRuJZymueEH%2BUihLlKpewlDkG6NR1rh%2B1%2FmETOolsoM3GwSQqaVW9ebd0dAlQEpJvEgOVRzvlMPbKlbk46Yv6W68JxmUou0eC3dDV2KrrLHJwivGM%2Btg%2FBcVR8Nv%2F09AWzC0XC53VGohbenHla1P45G145t3r9%2FSc2XynEn%2BgPQpMoXuevYTOUjqQ69t1dtlxvV7al%2BCXutyy%2BIPBo%2Bvcj%2B59wv6Bm1S%2BgUAAA%3D%3D"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "22",
|
||
"conditionalVisibilities": [
|
||
{
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Function1"
|
||
},
|
||
{
|
||
"parameterName": "Workspace",
|
||
"comparison": "isNotEqualTo"
|
||
}
|
||
],
|
||
"name": "TryOwnEnv-Function1a-ori"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "30",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Function1"
|
||
},
|
||
"name": "space1-Function1b"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "\r\n<h3 style=\"color:blue;\"> Sample use cases:</h3>\r\n\r\n** - Identifies account with the number of Azure AD logon failure exceeded the defined threshold **\r\n\r\n<p style=\"color:red;\"> let Threshold = 5; <br> SigninLogs<br> | where ResultType != \"0\"<br> | summarize Count=count() by UserPrincipalName<br> | where Count > Threshold</p>\r\n\r\n** - Returns Azure AD logon failure events within a specified time range **\r\n\r\n<p style=\"color:red;\"> let timeframe = 1d; <br> SigninLogs<br> | where ResultType != \"0\"<br> | where TimeGenerated > ago(timeframe)</p>\r\n\r\n** - Returns AAD logon events NOT matches a list of [result types](https://docs.microsoft.com/azure/active-directory/develop/reference-aadsts-error-codes#aadsts-error-codes) **\r\n\r\n<p style=\"color:red;\"> let ResultTypeList = dynamic([\"0\",\"50125\",\"50140\"]); <br> SigninLogs<br> | where ResultType !in (ResultTypeList)</p>\r\n\r\n** - Returns \"Special privileges assigned to new logon\" Security Events for a list of pre-defined servers **\r\n\r\n<p style=\"color:red;\"> let DC_list = ( <br> Heartbeat<br> | where Computer startswith \"DC\"<br> | distinct Computer<br> );<br> SecurityEvent<br> | where EventID == 4672<br> | where Computer in (DC_list)<br> | summarize count() by Account, Computer, EventSourceName, Activity</p>\r\n\r\n\r\n** - Returns SharePointFileOperation via devices with user agents unseen in last 90 days **\r\n\r\n<p style=\"color:red;\"> let HistoricalLookback = 90d; <br> let RecentLookback = 1d;<br> let lookback = now() - RecentLookback - HistoricalLookback;<br> let historicalActivity= materialize( OfficeActivity<br> | where RecordType == \"SharePointFileOperation\"<br> | where Operation in (\"FileDownloaded\", \"FileUploaded\")<br> | where TimeGenerated between(lookback .. (now()-RecentLookback))<br> | summarize historicalCount=count() by UserAgent, RecordType);<br> let recentActivity = materialize(OfficeActivity<br> | where RecordType == \"SharePointFileOperation\"<br> | where Operation in (\"FileDownloaded\", \"FileUploaded\")<br> | where TimeGenerated > ago(RecentLookback)<br> | summarize<br> StartTime = min(TimeGenerated),<br> EndTime = max(TimeGenerated),<br> recentCount=count()<br> by UserAgent, RecordType);<br> recentActivity<br> | join kind = leftanti (<br> historicalActivity<br> )<br> on UserAgent, RecordType<br> | order by recentCount asc, UserAgent</p>\r\n\r\n<br>\r\n\r\n<p style=\"color:#A6290F;\"> **Note: You can use [materialize()](https://docs.microsoft.com/azure/data-explorer/kusto/query/materializefunction) to cache a subquery result during query execution.**</p>\r\n\r\n<br>\r\n"
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Function1"
|
||
},
|
||
"name": "text-Function1b"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "60",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Function1"
|
||
},
|
||
"name": "space2-Function1"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "dade9b67-f99e-4e31-b63d-67ed8c025953",
|
||
"cellValue": "https://ms.portal.azure.com#@72f988bf-86f1-41af-91ab-2d7cd011db47/blade/Microsoft_Azure_Monitoring_Logs/LogsBlade/resourceId/%2Fsubscriptions%2F8bdcebd2-ea3d-41c9-bb40-e02bdbafc506%2FresourceGroups%2Foms%2Fproviders%2FMicrosoft.OperationalInsights%2Fworkspaces%2Foms101/source/LogsBlade.AnalyticsShareLinkToQuery/q/H4sIAAAAAAAAAwtOTS4tyiypdC1LzSsBAIySJcsNAAAA/timespan/P1D",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in LA Demo",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "DemoLogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "/Demo"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA82W32%2FaMBDH3%2FNX3MJLIkGh1bqpmpjEClurorYq9GmaJpNcwKtjZ7YDpdofv7MDAdrS9aXSLCRwfD7u%2B7kf0G63Xlrn0lhdJpYr%2BaLdegXtNr0ALrhMxRIMFkwzi%2FC7RM3RwASFWsBkCRpzNedyCo1GA4bnlwP4cjPoXbht5eNVX%2Ffa5WI6T1FanrkoWJKoUlpYcDsDO0OQZT5BDSqD3kOpEXp9EGqqJGSMC%2FcA7xPEFFNvnWLGpf%2Bs0cyUSAOBFsbrHXTh%2BFMw4lPJ5VBNTfAHFjMkJzdoSmHHywLhXRfCTkgnpsxzpvkDwqkLqesDi2KH6NagvtZcJrxg4pLlWDvypvB585Wkr7F3wTZf2G9XL0frBm2ppdnLY04wjQfIJTAwBSaOLUHhOYJmcoqeittmmoInKofpq7FUJ2O6%2FA0luhJKSS%2Bbqqh2GL%2Bh6FrvSufl1RhyZpOZKx4Q3FhXK9oHDpYiN17sRsnQmXQhXUqW8yT6Tqqa4XHn8Oi4en%2FfCX%2FE%2F6RBaKNdn28oOhy5HDIBheZzLnDqtBpDEbqsKpC4qKCEMMKk1NwuYVDhyZTewlJobK1bhEp4jrqi0z%2F9KSosUXCGTNsJMrtV03lRWmpCY%2BnI%2BNYM%2B6euGFK6RW1ga5vAoVvF4EOovfjdeR%2B6XXj%2F4ePRU%2B8O6SqQeKf9thqvV42HZn2rWfkdqVIn6DqxSTaWKNnl2%2BVjNGMarxWX9itl46pwXUBjGOac0QSa8wSr%2FoOSIFNr%2BEyU0iBKp1IwQn3SgZQtK%2FxnJFlpnjAxVOpuwpI7ysRJh3qyKt2EHGydHK4OxOaRVAsC1Hps23rGdXV3Vj9f4%2Bq6NqKfAiaIeQRXWUY6apabHkiUTn0PUCLDPSQ2c2IDx6U3dFZ9tZBCMRrZYRP8k9titY%2F3zJcJ2gXBi2rFBwcQec2tXcXxbuVsVD47wnsuM80tTXEFR3ufa%2B2wS%2Ba%2FAlMN3kcMthEEI9ez7pKTwWW0cz9uBgOZrk%2FZ%2FZPTisQOvOAFeLvgKI5fRADu6B8H%2BReYWUa%2F8zRjnlZfEAeE4lm%2F5IY%2BUSP5%2FyZ1PDQBk%2Bbmxl%2FmVbO6LgkAAA%3D%3D"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "16",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Function1"
|
||
},
|
||
"name": "TryLADemo-Function1b"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "24dd3e02-4daf-4af5-bd5d-5c4953daae34",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in your environment",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "LogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "{Workspace}"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA82W32%2FaMBDH3%2FNX3MJLIkGh1bqpmpjEClurorYq9GmaJpNcwKtjZ7YDpdofv7MDAdrS9aXSLCRwfD7u%2B7kf0G63Xlrn0lhdJpYr%2BaLdegXtNr0ALrhMxRIMFkwzi%2FC7RM3RwASFWsBkCRpzNedyCo1GA4bnlwP4cjPoXbht5eNVX%2Ffa5WI6T1FanrkoWJKoUlpYcDsDO0OQZT5BDSqD3kOpEXp9EGqqJGSMC%2FcA7xPEFFNvnWLGpf%2Bs0cyUSAOBFsbrHXTh%2BFMw4lPJ5VBNTfAHFjMkJzdoSmHHywLhXRfCTkgnpsxzpvkDwqkLqesDi2KH6NagvtZcJrxg4pLlWDvypvB585Wkr7F3wTZf2G9XL0frBm2ppdnLY04wjQfIJTAwBSaOLUHhOYJmcoqeittmmoInKofpq7FUJ2O6%2FA0luhJKSS%2Bbqqh2GL%2Bh6FrvSufl1RhyZpOZKx4Q3FhXK9oHDpYiN17sRsnQmXQhXUqW8yT6Tqqa4XHn8Oi4en%2FfCX%2FE%2F6RBaKNdn28oOhy5HDIBheZzLnDqtBpDEbqsKpC4qKCEMMKk1NwuYVDhyZTewlJobK1bhEp4jrqi0z%2F9KSosUXCGTNsJMrtV03lRWmpCY%2BnI%2BNYM%2B6euGFK6RW1ga5vAoVvF4EOovfjdeR%2B6XXj%2F4ePRU%2B8O6SqQeKf9thqvV42HZn2rWfkdqVIn6DqxSTaWKNnl2%2BVjNGMarxWX9itl46pwXUBjGOac0QSa8wSr%2FoOSIFNr%2BEyU0iBKp1IwQn3SgZQtK%2FxnJFlpnjAxVOpuwpI7ysRJh3qyKt2EHGydHK4OxOaRVAsC1Hps23rGdXV3Vj9f4%2Bq6NqKfAiaIeQRXWUY6apabHkiUTn0PUCLDPSQ2c2IDx6U3dFZ9tZBCMRrZYRP8k9titY%2F3zJcJ2gXBi2rFBwcQec2tXcXxbuVsVD47wnsuM80tTXEFR3ufa%2B2wS%2Ba%2FAlMN3kcMthEEI9ez7pKTwWW0cz9uBgOZrk%2FZ%2FZPTisQOvOAFeLvgKI5fRADu6B8H%2BReYWUa%2F8zRjnlZfEAeE4lm%2F5IY%2BUSP5%2FyZ1PDQBk%2Bbmxl%2FmVbO6LgkAAA%3D%3D"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "22",
|
||
"conditionalVisibilities": [
|
||
{
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Function1"
|
||
},
|
||
{
|
||
"parameterName": "Workspace",
|
||
"comparison": "isNotEqualTo"
|
||
}
|
||
],
|
||
"name": "TryOwnEnv-Function1b"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "30",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Function1"
|
||
},
|
||
"name": "space3-Filter1"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "<br>\r\n\r\n<h3 style=\"color:blue;\"> Check out the relevant samples found in Microsoft Sentinel:</h3>\r\n\r\n#### Analytics Rules:\r\n\r\n **- [SharePointFileOperation via previously unseen IPs](https://github.com/Azure/Azure-Sentinel/blob/06832a873e1686244f0bc02b10f79ba879078864/Detections/OfficeActivity/SharePoint_Downloads_byNewIP.yaml)**\r\n\r\n **- [GitHub Activites from a New Country](https://github.com/Azure/Azure-Sentinel/blob/06832a873e1686244f0bc02b10f79ba879078864/Detections/GitHub/GitHub Activities from Infrequent Country.yaml)**\r\n\r\n **- [Failed logon attempts in authpriv](https://github.com/Azure/Azure-Sentinel/blob/06832a873e1686244f0bc02b10f79ba879078864/Detections/Syslog/FailedLogonAttempts_UnknownUser.yaml)**\r\n\r\n **- [Possible contact with a domain generated by a DGA](https://github.com/Azure/Azure-Sentinel/blob/76578d41f67181e6c1acb16b520f48a31d248036/Detections/CommonSecurityLog/MultiVendor-PossibleDGAContacts.yaml)**\r\n\r\n **- [Failed host logons but success logon to AzureAD](https://github.com/Azure/Azure-Sentinel/blob/06832a873e1686244f0bc02b10f79ba879078864/Detections/MultipleDataSources/HostAADCorrelation.yaml)**\r\n\r\n **- [Suspicious Resource deployment](https://github.com/Azure/Azure-Sentinel/blob/2cad1a602c99d6e3f8be2548e31e4ca63ed75c6f/Detections/AzureActivity/NewResourceGroupsDeployedTo.yaml)**\r\n\r\n **- [AD user enabled and password not set within 48 hours](https://github.com/Azure/Azure-Sentinel/blob/45da87dec250017c0fd45cb55842e6d6cde8f1ee/Detections/SecurityEvent/password_not_set.yaml)**\r\n\r\n#### Hunting Queries:\r\n\r\n **- [Rare Custom Script Extension](https://github.com/Azure/Azure-Sentinel/blob/76578d41f67181e6c1acb16b520f48a31d248036/Hunting%20Queries/AzureActivity/Rare_Custom_Script_Extension.yaml)**\r\n\r\n **- [Rare DNS Lookup With Data Transfer](https://github.com/Azure/Azure-Sentinel/blob/76578d41f67181e6c1acb16b520f48a31d248036/Hunting Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml)**\r\n\r\n **- [Potential DGA detected](https://github.com/Azure/Azure-Sentinel/blob/76578d41f67181e6c1acb16b520f48a31d248036/Hunting Queries/DnsEvents/DNS_HighPercentNXDomainCount.yaml)**\r\n\r\n **- [Potential Microsoft security services tampering](https://github.com/Azure/Azure-Sentinel/blob/158019e9f69d847f506d2f1ba05af0bad64b66dd/Hunting Queries/MultipleDataSources/PotentialMicrosoftSecurityServicesTampering.yaml)**\r\n\r\n **- [GitHub Inactive or New Account Access or Usage](https://github.com/Azure/Azure-Sentinel/blob/c69fda6e8b90aa3ae797560b670a42fa8fce2859/Hunting Queries/GitHub/Inactive or New Account Usage.yaml)**\r\n\r\n **- [Unused or Unsupported Cloud Regions](https://github.com/Azure/Azure-Sentinel/blob/c69fda6e8b90aa3ae797560b670a42fa8fce2859/Hunting Queries/AWSCloudTrail/AWS_Unused_UnsupportedCloudRegions.yaml)**\r\n\r\n **- [Hosts with new logons](https://github.com/Azure/Azure-Sentinel/blob/c69fda6e8b90aa3ae797560b670a42fa8fce2859/Hunting Queries/SecurityEvent/HostsWithNewLogons.yaml)**\r\n\r\n **- [Hosts running a rare process](https://github.com/Azure/Azure-Sentinel/blob/c69fda6e8b90aa3ae797560b670a42fa8fce2859/Hunting Queries/SecurityEvent/RareProcess_forWinHost.yaml)**"
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Function1"
|
||
},
|
||
"name": "text2-Function1"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "## 2. Create or save a query as function for reuse purposes\r\n\r\n### a) Create a function without Parameters\r\n\r\n** - Returns both AAD Signin failure and Windows logon failure with a single command \"LogonFailure\"**\r\n\r\n [Create a function](https://docs.microsoft.com/azure/azure-monitor/logs/functions#create-a-function) (without parameter) called \"LogonFailure\" with the below query.\r\n\r\n<p style=\"color:red;\"> let AADSigninFailure=( <br> SigninLogs<br> | where ResultType !in (\"0\", \"50125\", \"50140\", \"70043\", \"70044\")<br> | project TimeGenerated, UserPrincipalName, SourceIP=IPAddress, Target=AppDisplayName<br> );<br> let WindowsLogonFailure=(<br> SecurityEvent<br> | where EventID == 4625<br> | project TimeGenerated, UserPrincipalName =<br> strcat(TargetUserName,\"@\",TargetDomainName,\".com\"), SourceIP = IpAddress, Target = Computer<br> );<br> union isfuzzy=true AADSigninFailure, WindowsLogonFailure</p>\r\n\r\n<br/>\r\n\r\n <img width='500' src='https://github.com/tatecksi/AdvanceKQLWorkbook/blob/main/images/Function1.png?raw=true'/>\r\n\r\n<br>\r\n\r\n Then, execute the function by running **LogonFailure** in Logs page.\r\n\r\n <img width='400' src='https://github.com/tatecksi/AdvanceKQLWorkbook/blob/main/images/Function1-1.png?raw=true'/>\r\n\r\n<br>\r\n\r\n### b) Create a function with Parameters\r\n\r\n We can parameterize functions for better reuseability (a single function can be used repeatably with different inputs).\r\n\r\n** - Returns Microsoft Sentinel Incidents with specified status (single parameter)**\r\n\r\n [Create a function](https://docs.microsoft.com/azure/azure-monitor/logs/functions#create-a-function) (with parameter = status) called \"GetIncident\" with the below highlighted query body.\r\n\r\n\r\n<p style=\"color:red;\"> let GetIncident =(status:string){<br> <span style=\"background-color:yellow\">SecurityIncident</span><br> <span style=\"background-color:yellow\">| where Status =~ status</span><br> };<br> GetIncident(\"new\")</p>\r\n\r\n<br/>\r\n\r\n <img width='500' src='https://github.com/tatecksi/AdvanceKQLWorkbook/blob/main/images/Function2.png?raw=true'/>\r\n\r\n<br/>\r\n\r\n Then, execute the function by running **GetIncident(\"new\")** or **GetIncident(\"closed\")**\r\n\r\n <img width='400' src='https://github.com/tatecksi/AdvanceKQLWorkbook/blob/main/images/Function2-1.png?raw=true'/>\r\n\r\n<br/>\r\n\r\n** - Returns Microsoft Sentinel Incidents with specified status and severity (two parameters)**\r\n\r\n Similar to the above sample, this sample gives you the flexibility to query Incidents with different status and severity by using the sample function but different parameter values.\r\n\r\n [Create a function](https://docs.microsoft.com/azure/azure-monitor/logs/functions#create-a-function) (with two parameter – status and severity) called \"GetIncident2\" with the below highlighted query body.\r\n\r\n\r\n<p style=\"color:red;\"> let GetIncident2 =(status:string, severity:string){<br> <span style=\"background-color:yellow\">SecurityIncident</span><br> <span style=\"background-color:yellow\">| where Status =~ status</span><br> <span style=\"background-color:yellow\">| where Severity =~ severity</span><br> };<br> GetIncident2(\"new\", \"high\")</p>\r\n\r\n<br/>\r\n <img width='500' src='https://github.com/tatecksi/AdvanceKQLWorkbook/blob/main/images/Function3.png?raw=true'/>\r\n\r\n<br/>\r\n\r\n Then, execute the function by running **GetIncident2(\"new\",\"high\")** or **GetIncident2(\"closed\",\"high\")**\r\n\r\n <img width='400' src='https://github.com/tatecksi/AdvanceKQLWorkbook/blob/main/images/Function3-1.png?raw=true'/>\r\n\r\n<br/>"
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Function2"
|
||
},
|
||
"name": "text-Function2"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "30",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Datetime2"
|
||
},
|
||
"name": "text - 11"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "60",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Function2"
|
||
},
|
||
"name": "space2-Function2"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "16d4a38e-8e1e-46bb-a568-722d28989793",
|
||
"cellValue": "https://ms.portal.azure.com#@72f988bf-86f1-41af-91ab-2d7cd011db47/blade/Microsoft_Azure_Monitoring_Logs/LogsBlade/resourceId/%2Fsubscriptions%2F8bdcebd2-ea3d-41c9-bb40-e02bdbafc506%2FresourceGroups%2Foms%2Fproviders%2FMicrosoft.OperationalInsights%2Fworkspaces%2Foms101/source/LogsBlade.AnalyticsShareLinkToQuery/q/H4sIAAAAAAAAAwtOTS4tyiypdC1LzSsBAIySJcsNAAAA/timespan/P1D",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in LA Demo",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "DemoLogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "/Demo"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA81Ty27bMBC8%2Byu28kUGlNh1nfZQCKgbp4GQIAhiFz0z0tpmQZEqHzEUBEX%2FoX%2FYL%2BlSD9t1nNQBeuhCB3G5XM7sDPv9o%2BcikcZql1qu5LN1bXT6ffoALrjMRAkGC6aZRfjmUHM0cItCreC2BI25uuNyAd1uFy6TqzP4eHM2vvDLusdB1x0aHtMNWqclQVB2CePxBKZ8IbmEOePCaQQmM%2FhCsNXKgFALtdlZcTrBwBBcgZCqPPe1waUv%2BlTXBBVriiM41egZM5g7WQ0OQt9AOQt%2BGDla1D1ImRC426S%2ByS6xmZOfWnm8aT1boozA6hKsAu1kVfoEHoHWs6xJNtk47NRrKjWdB1gtkejdoHHCzsoC4RXNIwwGQQTByeD18KT5GVWZd4PB6E37Mwp61KDQ6iumFmY8x3OU6LXOIvhsUF9rLlNeMHFFlCOYKqdTTK7j5HqcZRqNiWDG9AJtPC6KCTeFYKUv7fTeV9gbKbZJefiYOs1teXaH0q4ZVKtkAnEMo7fDkxcAg7hDBk%2BZDWswvqACHHwIojo1UTnjsk4e07CD3oYNxJAUO3wod6rywpHMnouT3gLczN39fRnTY8JHskT7yJLq3ScDtp8MPF23ju0HML73pp7SyLhEAQlNI6OFqd1nCkz5nJM3jWXWGQgb32%2FM%2B1ev01Ht3%2Fb6CM2k7rYx%2Fjna9ub9vqeHmh1s%2Fq1uYSBxFfRA6T%2BzqVAGM7Jt66F2a22jaU04%2Ft6A%2FW8k8AwN3qFHDaFdqc1kzQFq%2BAO7ihj49ePnvv57FRr%2BW4mGtUZRsOSL5SOphmut2oIXSLbeaMflt5r%2F3zWiQRfsBgAA"
|
||
},
|
||
{
|
||
"name": "timespan",
|
||
"source": "static",
|
||
"value": "P1D"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "16",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Function2"
|
||
},
|
||
"name": "TryLADemo-Function2"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "d1ace013-f3a5-4f34-8120-65febf2dad36",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in your environment",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "LogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "{Workspace}"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA81Ty27bMBC8%2Byu28kUGlNh1nfZQCKgbp4GQIAhiFz0z0tpmQZEqHzEUBEX%2FoX%2FYL%2BlSD9t1nNQBeuhCB3G5XM7sDPv9o%2BcikcZql1qu5LN1bXT6ffoALrjMRAkGC6aZRfjmUHM0cItCreC2BI25uuNyAd1uFy6TqzP4eHM2vvDLusdB1x0aHtMNWqclQVB2CePxBKZ8IbmEOePCaQQmM%2FhCsNXKgFALtdlZcTrBwBBcgZCqPPe1waUv%2BlTXBBVriiM41egZM5g7WQ0OQt9AOQt%2BGDla1D1ImRC426S%2ByS6xmZOfWnm8aT1boozA6hKsAu1kVfoEHoHWs6xJNtk47NRrKjWdB1gtkejdoHHCzsoC4RXNIwwGQQTByeD18KT5GVWZd4PB6E37Mwp61KDQ6iumFmY8x3OU6LXOIvhsUF9rLlNeMHFFlCOYKqdTTK7j5HqcZRqNiWDG9AJtPC6KCTeFYKUv7fTeV9gbKbZJefiYOs1teXaH0q4ZVKtkAnEMo7fDkxcAg7hDBk%2BZDWswvqACHHwIojo1UTnjsk4e07CD3oYNxJAUO3wod6rywpHMnouT3gLczN39fRnTY8JHskT7yJLq3ScDtp8MPF23ju0HML73pp7SyLhEAQlNI6OFqd1nCkz5nJM3jWXWGQgb32%2FM%2B1ev01Ht3%2Fb6CM2k7rYx%2Fjna9ub9vqeHmh1s%2Fq1uYSBxFfRA6T%2BzqVAGM7Jt66F2a22jaU04%2Ft6A%2FW8k8AwN3qFHDaFdqc1kzQFq%2BAO7ihj49ePnvv57FRr%2BW4mGtUZRsOSL5SOphmut2oIXSLbeaMflt5r%2F3zWiQRfsBgAA"
|
||
},
|
||
{
|
||
"name": "timespan",
|
||
"source": "static",
|
||
"value": "P1D"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "22",
|
||
"conditionalVisibilities": [
|
||
{
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Function2"
|
||
},
|
||
{
|
||
"parameterName": "Workspace",
|
||
"comparison": "isNotEqualTo"
|
||
}
|
||
],
|
||
"name": "TryOwnEnv-Function2"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "30",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Function2"
|
||
},
|
||
"name": "space1-Function2"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "<br>\r\n\r\n<h3 style=\"color:blue;\"> Check out the relevant samples found in Microsoft Sentinel:</h3>\r\n\r\n#### Analytics Rules:\r\n\r\n **- [Failed login attempts to Azure Portal](https://github.com/Azure/Azure-Sentinel/blob/06832a873e1686244f0bc02b10f79ba879078864/Detections/SigninLogs/FailedLogonToAzurePortal.yaml)**\r\n\r\n **- [Brute force attack against Azure Portal](https://github.com/Azure/Azure-Sentinel/blob/06832a873e1686244f0bc02b10f79ba879078864/Detections/SigninLogs/SigninBruteForce-AzurePortal.yaml)**\r\n\r\n **- [Failed AzureAD logons but success logon to host](https://github.com/Azure/Azure-Sentinel/blob/06832a873e1686244f0bc02b10f79ba879078864/Detections/MultipleDataSources/AADHostLoginCorrelation.yaml)**\r\n\r\n **- [Failed AzureAD logons but success logon to AWS Console](https://github.com/Azure/Azure-Sentinel/blob/06832a873e1686244f0bc02b10f79ba879078864/Detections/MultipleDataSources/AADAWSConsoleCorrelation.yaml)**\r\n\r\n **- [IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN](https://github.com/Azure/Azure-Sentinel/blob/06832a873e1686244f0bc02b10f79ba879078864/Detections/MultipleDataSources/AAD_PAVPN_Correlation.yaml)**\r\n\r\n\r\n#### Additional Resources:\r\n\r\n **- [Azure-Sentinel/Parsers at master · Azure/Azure-Sentinel (github.com)](https://github.com/Azure/Azure-Sentinel/tree/master/Parsers)**\r\n\r\n **- [Azure-Sentinel/Exploration Queries at master · Azure/Azure-Sentinel (github.com)](https://github.com/Azure/Azure-Sentinel/tree/master/Exploration Queries)**\r\n\r\n **- [Enriching Windows Security Events with Parameterized Function - Microsoft Tech Community](https://techcommunity.microsoft.com/t5/azure-sentinel/enriching-windows-security-events-with-parameterized-function/ba-p/1712564)**\r\n\r\n **- [https://github.com/Azure/Azure-Sentinel/tree/Functions](https://github.com/Azure/Azure-Sentinel/tree/83c6d8c7f65a5f209f39f3e06eb2f7374fd8439c/Functions)**\r\n"
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Function2"
|
||
},
|
||
"name": "text2-Function2"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "## 3. Build an ASIM Normalizing parser \r\n\r\n [ASIM Normalizing parsers](https://docs.microsoft.com/azure/sentinel/normalization-about-parsers) are [KQL user-defined functions](https://docs.microsoft.com/azure/data-explorer/kusto/query/functions/user-defined-functions) that parse and transform data at query time into the normalized schema.<br> The parser query includes the following parts:\r\n\r\n** Filter > Parse > Prepare fields**\r\n\r\n<br>\r\n\r\n<h3 style=\"color:blue;\"> Sample use case:</h3>\r\n\r\n Let's say we have the following custom table called <span style=\"color:red\";>MyCustomEvent</span> that stored process events.<br> We will walk through step by step on how to create an ASIM ProcessEvent parser.\r\n\r\n\r\n<br>\r\n\r\n Since the above sample data are fictitious and will not be available in any environment. We will use [let](https://docs.microsoft.com/azure/data-explorer/kusto/query/letstatement) and [datatable](https://docs.microsoft.com/azure/data-explorer/kusto/query/datatableoperator?pivots=azuredataexplorer) operators to create the sample data during run time. \r\n\r\n Below is the query for the sample data. [Create a function](https://docs.microsoft.com/azure/azure-monitor/logs/functions#create-a-function) (without parameter) called <span style=\"color:red\";>MyCustomEvent</span> with the query.\r\n\r\n **Note: Kindly update the date values in TimeGenerated field to your current date so that you don't need to change the Time Range in Logs page.**\r\n\r\n<p style=\"color:red;\"> let MyCustomEvent = datatable ( TimeGenerated:datetime, Activity:string, ProcessName:string, <br> SubjectAccount:string,TargetAccount:string, Computer:string, ProcessID:int, Command:string)<br> [<br> '8/25/2021, 10:54:26.537 AM', 'A new process has been created successfully', @'C:\\Program <br> Files\\PostgreSQL\\13\\bin\\postgres.exe','John.Doe','John.Doe','VM01', 12345678, @'\"C:/Program <br> Files/PostgreSQL/13/bin/postgres.exe\" \"--forkavworker\" \"5256\"'<br> , '8/25/2021, 10:55:26.253 AM', 'Timeout waiting for the service to connect',<br> @'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe','John.Doe','John.Doe',<br> 'VM01', 53536456, @'powershell.exe -ExecutionPolicy Restricted -Command Write-Host \"Final result: 1\"'<br> , '8/25/2021, 11:10:12.126 AM', 'A process has been terminated successfully', @'C:\\Program <br> Files\\PostgreSQL\\13\\bin\\postgres.exe','John.Doe','', 'VM02', 12345678, @'\"C:/Program <br> Files/PostgreSQL/13/bin/postgres.exe\" -V'<br> , '8/25/2021, 11:15:36.334 AM', 'A new process has been created successfully',<br> @'C:\\Windows\\System32\\cscript.exe','administrator','administrator', 'VM02', 79035635,<br> @'\"C:\\windows\\system32\\cscript.exe\" /nologo \"ChangeEventModuleBatchSize.vbs\"'<br> ];<br> MyCustomEvent</p>\r\n\r\n<br>\r\n\r\n<h3 style=\"color:blue;\"> Review the Schema:</h3>\r\n\r\n Let’s review the Process event normalization schema [here](https://docs.microsoft.com/azure/sentinel/process-events-normalization-schema#schema-details). Based on the schema, we have the following information:\r\n\r\n \t•\t**The mandatory fields are as below:**<br> •\tEventCount<br> •\tEventStartTime<br> •\tEventEndTime<br> •\tEventType<br> •\tEventResult<br> •\tEventProduct<br> •\tEventVendor<br> •\tEventSchemaVersion<br> •\tDvc<br> •\tActorUsername<br> •\tActorUsernameType<br> •\tActingProcessId<br> •\tParentProcessId<br> •\tTargetUsername <span style=\"color:teal\";>- (Mandatory for process create events)</span><br> •\tTargetUsernameType <span style=\"color:teal\";>- (Mandatory for process create events)</span><br> •\tTargetProcessName<br> •\tTargetProcessCommandLine<br> •\tTargetProcessCreationTime<br> •\tTargetProcessId\r\n\r\n<br>\r\n \t•\t**EventType field supports the following values:**<br> •\tProcessCreated<br> •\tProcessTerminated\r\n\r\n \t•\t**EventResult field supports the following values:**<br> •\tSuccess<br> •\tPartial<br> •\tFailure<br> •\tNA\r\n\r\n<br>\r\n\r\n<h3 style=\"color:blue;\"> Create the parser:</h3>\r\n\r\n#### Filter:\r\n\r\n First, we need to filter the relevant events. We are only interested on \"A new process has been created successfully\" and \"A process has been terminated successfully\" events.\r\n\r\n<p style=\"color:red;\"> MyCustomEvent <br> | where Activity in (\"A new process has been created successfully\",\"A process has been terminated successfully\")</p>\r\n<br>\r\n\r\n#### Parse:\r\n\r\n In this example, we don't need to perform any phasing or extraction on any column.<br> However, we need to assign the EventType field based on Activity using [iif](https://docs.microsoft.com/azure/data-explorer/kusto/query/iiffunction) statement.\r\n\r\n<p style=\"color:red;\"> MyCustomEvent <br> | where Activity in (\"A new process has been created successfully\",\"A process has been terminated successfully\")<br> | extend EventType = iif(Activity ==\"A new process has been created successfully\",\"ProcessCreated\",\"ProcessTerminated\")</p>\r\n<br>\r\n\r\n#### Prepare fields:\r\n\r\n In the final step, we need to prepare the fields in the result set to ensure that the normalized fields are used according to the [schema](https://docs.microsoft.com/azure/sentinel/process-events-normalization-schema#schema-details). \r\n\r\n We will use [extend](https://docs.microsoft.com/azure/data-explorer/kusto/query/extendoperator) to create fields that didn’t exist in the orignal data (such as EventCount, EventResult, EventProduct and etc), or map new fields to existing data (such as EventStartTime, EventEndTime, TargetProcessCreationTime and ActingProcessId).\r\n\r\n Besides that, [project-rename](https://docs.microsoft.com/azure/data-explorer/kusto/query/projectrenameoperator) will be used for fields that exist in the original data but with a different name compared to the schema.\r\n\r\n Below is the final query with all the mandatory fields and an optional field (EventMessage):\r\n\r\n<p style=\"color:red;\"> MyCustomEvent <br> | where Activity in (\"A new process has been created successfully\",\"A process has been terminated successfully\")<br> | extend EventType = iif(Activity ==\"A new process has been created successfully\",\"ProcessCreated\",\"ProcessTerminated\")<br> | extend EventCount = 1<br> | extend EventStartTime = TimeGenerated<br> | extend EventEndTime = TimeGenerated<br> | extend TargetProcessCreationTime = TimeGenerated<br> | extend EventResult = \"Success\"<br> | extend EventProduct = \"MyCustomEvent\"<br> | extend EventVendor = \"MyDemo\"<br> | extend EventSchemaVersion = \"0.1.0\"<br> | extend ActorUsernameType = \"Windows\"<br> | extend TargetUsernameType = \"Windows\"<br> | extend ParentProcessId = int(null)<br> | extend ActingProcessId = ProcessID<br> | project-rename Dvc=Computer, ActorUsername=SubjectAccount, TargetUsername=TargetAccount, TargetProcessName=ProcessName,<br> TargetProcessCommandLine=Command, TargetProcessId= ProcessID, EventMessage=Activity </p>\r\n<br>\r\n\r\n **Note:** We should have all the mandatory fields. Any original fields that are not normalized should not be removed from the result using project-away.\r\n\r\n Lastly, let’s create a function for our parser called <span style=\"color:red\";>MyCustomProcessParser</span> with the query above.\r\n\r\n"
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Function3"
|
||
},
|
||
"name": "text-Function3"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "60",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Function3"
|
||
},
|
||
"name": "space1-Function3"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "0e390e88-1395-4b3b-9dd7-906edac6531b",
|
||
"cellValue": "https://ms.portal.azure.com#@72f988bf-86f1-41af-91ab-2d7cd011db47/blade/Microsoft_Azure_Monitoring_Logs/LogsBlade/resourceId/%2Fsubscriptions%2F8bdcebd2-ea3d-41c9-bb40-e02bdbafc506%2FresourceGroups%2Foms%2Fproviders%2FMicrosoft.OperationalInsights%2Fworkspaces%2Foms101/source/LogsBlade.AnalyticsShareLinkToQuery/q/H4sIAAAAAAAAAwtOTS4tyiypdC1LzSsBAIySJcsNAAAA/timespan/P1D",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in LA Demo",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "DemoLogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "/Demo"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA61W32%2FiRhB%2B568Y%2BYVEMja2Y3KlstSUJL1rk4oGmnsofVjsCWxrdt3dNYSqf3xnbcNhc7retRUS2p2Z%2FebHN8zg%2BzCA%2BRrhjxLVHpaYyx2UGjX0M2bos8yxD0ZCIYsyZwZBs02RI1it1%2FPt8x%2B4yPI9lEVm9WZdKRG2LC8JhwuY8w1%2BhwIViTN44ZhnFnIvSwVpqRQKUz%2FRkp4zYzWQSdE3IBAr23TNxKoGt2jwVF0J%2B0GuNBRshU0wM7atzeqEmIb7UqSGSwE7btaVSjBCcB73k1IbuZkqmaLWU6Y0Ksfr5WjgoLvb2tgSONYCLtrZjG3chiQu3JCXLTf7sTaKi5ULDfCP5O0om5XL3zA1N2kqS2EO4jlTK%2BwKYSI3RWlQdQHf3Y65MJV%2Bw0TWqC97v%2FT6b%2Fww9sNhGLgQDMfx1TgceXF0DTePfRf6N1TOHRQ1CqypNktEAanCihhdplbxUub5nsy%2F6U%2FGC3K5UmwD9zxHvZhKbVYKZz89LIJoseRiUdQS7eEr9t3%2B93ItvFvZOT4%2FDgMCDMLoKh5dv7HQzmTst7D9D9h%2BEPmE7Z9iO%2BAMBi9S%2Fc62O%2FomosCJw3jk9HuUWCft2KYdxlGTtiVMlgZ2jBsqFBBM1QZE95anWLWXFIJoOWT9njpa7vRittcGN1F4EEzlDtVsjXm%2B2AbekLKnu7b3T%2BUPhwLEURyNqATWS%2FspDO5eMS1tm05lztM9PKGlNbW8DBqi4b3iBgdvqSzg3HPBcqDqlLkZQ3Beh2BMpQhCLwhHR%2FrPqKfu2hDQ%2F89%2Bk3X4n2kfPH8ss3gcjbwouvr3jX1GcapTxQvTpMIyqgsnCpiR6vx%2BTO76q2EUj6K4SW6xa2D1R2Ad8IXM5UqCM6nGWTVdHmVW5vgtM%2Bl6xv9Eb7vUROavX%2FdaM6j3F%2BzWqPA4Zezsu3C%2BIHHHdT6%2FAZxLcoivBqnrKv%2FzfYE0Bzl%2FuThGkCRf6L%2BZX5Na%2B0EwPwZx5ndiJyI5DjrymWHKVJsgaQ%2Fkjt2dyD5tVY%2Fe08joN%2FgZwE%2FVL4%2BMnFmdpNMxIMisTCuLFpNdu2c60UCqzG5xI7v6WbrGDXumYWF3GJkNPRo9J1bEh1Q%2F0zCza63hyWna2%2Bkm%2Bs92tAfr6KtVk1nShbkQROFlyydN0lOj424iI%2BoHu%2BQGBGQ37e02TQ67zG2Hm7T3odsOMmntRbfNlV2rycm5o25m5gMXmDRnt2XwLjsJ2q1r%2FUgX%2BiuRHFr8b1urN20eCQAA"
|
||
},
|
||
{
|
||
"name": "timespan",
|
||
"source": "static",
|
||
"value": "P1D"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "16",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Function3"
|
||
},
|
||
"name": "TryLADemo-Function3 "
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "266fc4c3-f435-4c94-b83c-2032929928c9",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in your environment",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "LogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "{Workspace}"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA61W32%2FiRhB%2B568Y%2BYVEMja2Y3KlstSUJL1rk4oGmnsofVjsCWxrdt3dNYSqf3xnbcNhc7retRUS2p2Z%2FebHN8zg%2BzCA%2BRrhjxLVHpaYyx2UGjX0M2bos8yxD0ZCIYsyZwZBs02RI1it1%2FPt8x%2B4yPI9lEVm9WZdKRG2LC8JhwuY8w1%2BhwIViTN44ZhnFnIvSwVpqRQKUz%2FRkp4zYzWQSdE3IBAr23TNxKoGt2jwVF0J%2B0GuNBRshU0wM7atzeqEmIb7UqSGSwE7btaVSjBCcB73k1IbuZkqmaLWU6Y0Ksfr5WjgoLvb2tgSONYCLtrZjG3chiQu3JCXLTf7sTaKi5ULDfCP5O0om5XL3zA1N2kqS2EO4jlTK%2BwKYSI3RWlQdQHf3Y65MJV%2Bw0TWqC97v%2FT6b%2Fww9sNhGLgQDMfx1TgceXF0DTePfRf6N1TOHRQ1CqypNktEAanCihhdplbxUub5nsy%2F6U%2FGC3K5UmwD9zxHvZhKbVYKZz89LIJoseRiUdQS7eEr9t3%2B93ItvFvZOT4%2FDgMCDMLoKh5dv7HQzmTst7D9D9h%2BEPmE7Z9iO%2BAMBi9S%2Fc62O%2FomosCJw3jk9HuUWCft2KYdxlGTtiVMlgZ2jBsqFBBM1QZE95anWLWXFIJoOWT9njpa7vRittcGN1F4EEzlDtVsjXm%2B2AbekLKnu7b3T%2BUPhwLEURyNqATWS%2FspDO5eMS1tm05lztM9PKGlNbW8DBqi4b3iBgdvqSzg3HPBcqDqlLkZQ3Beh2BMpQhCLwhHR%2FrPqKfu2hDQ%2F89%2Bk3X4n2kfPH8ss3gcjbwouvr3jX1GcapTxQvTpMIyqgsnCpiR6vx%2BTO76q2EUj6K4SW6xa2D1R2Ad8IXM5UqCM6nGWTVdHmVW5vgtM%2Bl6xv9Eb7vUROavX%2FdaM6j3F%2BzWqPA4Zezsu3C%2BIHHHdT6%2FAZxLcoivBqnrKv%2FzfYE0Bzl%2FuThGkCRf6L%2BZX5Na%2B0EwPwZx5ndiJyI5DjrymWHKVJsgaQ%2Fkjt2dyD5tVY%2Fe08joN%2FgZwE%2FVL4%2BMnFmdpNMxIMisTCuLFpNdu2c60UCqzG5xI7v6WbrGDXumYWF3GJkNPRo9J1bEh1Q%2F0zCza63hyWna2%2Bkm%2Bs92tAfr6KtVk1nShbkQROFlyydN0lOj424iI%2BoHu%2BQGBGQ37e02TQ67zG2Hm7T3odsOMmntRbfNlV2rycm5o25m5gMXmDRnt2XwLjsJ2q1r%2FUgX%2BiuRHFr8b1urN20eCQAA"
|
||
},
|
||
{
|
||
"name": "timespan",
|
||
"source": "static",
|
||
"value": "P1D"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "22",
|
||
"conditionalVisibilities": [
|
||
{
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Function3"
|
||
},
|
||
{
|
||
"parameterName": "Workspace",
|
||
"comparison": "isNotEqualTo"
|
||
}
|
||
],
|
||
"name": "TryOwnEnv-Function3"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "30",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Function3"
|
||
},
|
||
"name": "space2-Function3"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "<br>\r\n\r\n<h3 style=\"color:blue;\"> Add your parser to the schema source-agnostic parser:</h3>\r\n\r\n Firstly, deploy [ASIM ProcessEvent parsers](https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/ASimProcessEvent) if they didn't exist in your environment.\r\n\r\n Next, we can add MyCustomProcessParser to the source-agnostic parser (imProcess) to take advantage of built-in Microsoft Sentinel content that support ASIM normalization. To do that, [edit imProcess function](https://docs.microsoft.com/azure/azure-monitor/logs/functions#edit-a-function) to include <span style=\"color:teal\";>MyCustomProcessParser</span> in the union statement.\r\n\r\n\r\n<span style=\"color:red;\"> union isfuzzy=true<br> vimProcessEmpty,<br> vimProcessEventMicrosoft365D,<br> vimProcessCreateMicrosoftSysmon,<br> vimProcessTerminateMicrosoftSysmon,<br> vimProcessCreateMicrosoftSecurityEvents,<br> vimProcessTerminateMicrosoftSecurityEvents,<br> vimProcessCreateLinuxSysmon,<br> vimProcessTerminateMicrosoftWindowsEvents,<br> vimProcessCreateMicrosoftWindowsEvents,<br> vimProcessEventAD4IoT,</span><br> <span style=\"color:teal\";>MyCustomProcessParser</span>\r\n\r\n<br>\r\n<br>\r\n\r\n<h3 style=\"color:blue;\"> Check out the relevant samples found in Microsoft Sentinel:</h3>\r\n\r\n#### Additional resources:\r\n\r\n **- [Microsoft Sentinel Information Model (ASIM) Parsers | Microsoft Docs](https://docs.microsoft.com/azure/sentinel/normalization-about-parsers#writing-source-specific-parsers)**\r\n\r\n **- [Microsoft Sentinel Webinar: Deep Dive into Microsoft Sentinel Normalizing Parsers and Normalized Content](https://www.youtube.com/watch?v=zaqblyjQW6k)**\r\n\r\n **- [Azure-Sentinel Parsers at Github](https://github.com/Azure/Azure-Sentinel/tree/master/Parsers)**"
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Function3"
|
||
},
|
||
"name": "text2-Function3"
|
||
}
|
||
]
|
||
},
|
||
"conditionalVisibility": {
|
||
"parameterName": "Category",
|
||
"comparison": "isEqualTo",
|
||
"value": "Functions"
|
||
},
|
||
"name": "group-Functions"
|
||
},
|
||
{
|
||
"type": 12,
|
||
"content": {
|
||
"version": "NotebookGroup/1.0",
|
||
"groupType": "editable",
|
||
"items": [
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "# {Category}\r\n\r\n\r\n<h2 style=\"color:blue;\">Overview:</h2>\r\n\r\nDynamic array values are widely found in logs of Microsoft Sentinel. For example, entities and custom details of SecurityAlert table, AlertIds and labels of SecurityIncident table, and many more.<br>\r\nThe array values are represented within [] and you would need to expand the array values into rows or columns for correlation. \r\n\r\n\r\n<br>\r\n"
|
||
},
|
||
"name": "text - 0"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "<h2 style=\"color:blue;\">I want to:</h2>"
|
||
},
|
||
"name": "text - 2"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "list",
|
||
"links": [
|
||
{
|
||
"id": "10c45a2a-2b70-422e-9997-0e4f315f7727",
|
||
"cellValue": "Section",
|
||
"linkTarget": "parameter",
|
||
"linkLabel": "1. Expands dynamic array values into rows or columns",
|
||
"subTarget": "Array1",
|
||
"preText": "",
|
||
"style": "link"
|
||
},
|
||
{
|
||
"id": "40988c97-79b0-481a-b5a8-390f16783e15",
|
||
"cellValue": "Section",
|
||
"linkTarget": "parameter",
|
||
"linkLabel": "2. Packs multiple fields into a dynamic array",
|
||
"subTarget": "Array2",
|
||
"preText": "",
|
||
"style": "link"
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "30",
|
||
"name": "links - 1"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "## 1. Expands dynamic array values into rows or columns.\r\n\r\n### a) Expand multi-value dynamic arrays into multiple rows.\r\n\r\n<h3 style=\"color:blue;\"> Operators to be used:</h3>\r\n\r\n **- [mv-expand](https://docs.microsoft.com/azure/data-explorer/kusto/query/mvexpandoperator)**\r\n\r\n\r\n<br>\r\n\r\n<h3 style=\"color:blue;\"> Sample queries:</h3>\r\n\r\n** - Expands Host entities from SecurityAlert into multiple rows**\r\n\r\n<p style=\"color:red;\"> SecurityAlert <br> | extend d = parse_json(Entities) <br> | mv-expand d<br> | where isnotempty(d.HostName)<br> | project HostName = tostring(d.HostName), AlertName, Description , TimeGenerated</p>\r\n\r\n** - Expands Account entities from SecurityAlert into multiple rows **\r\n\r\n<p style=\"color:red;\"> SecurityAlert<br> | extend d = parse_json(Entities)<br> | mv-expand d<br> | where isnotempty(d.Name) and d.Type == \"account\"<br> | project Account = tostring(d.Name), AlertName, Description, TimeGenerated</p>\r\n\r\n** - Expands Incident tags into multiple rows**\r\n\r\n<p style=\"color:red;\"> SecurityIncident <br> | summarize arg_max(TimeGenerated,*) by IncidentNumber<br> | extend d = parse_json(Labels)<br> | mv-expand d<br> | project TimeGenerated,IncidentNumber,Title,CreatedTime, Description, Severity, Tag= d.labelName</p>\r\n\r\n** - Expands Incident Alert Ids into multiple rows**\r\n\r\n<p style=\"color:red;\"> SecurityIncident <br> | summarize arg_max(TimeGenerated,*) by IncidentNumber<br> | mv-expand AlertIds<br> | project TimeGenerated, IncidentNumber, Title, CreatedTime, AlertIds</p>\r\n\r\n\r\n<br>\r\n\r\n<h3 style=\"color:blue;\"> Sample use cases:</h3>\r\n\r\n** - Expands AlertIds of Incident to correlate with SecurityAlert **\r\n\r\n<p style=\"color:red;\"> SecurityIncident <br> | summarize arg_max(TimeGenerated,*) by IncidentNumber<br> | mv-expand AlertIds<br> | project TimeGenerated, IncidentNumber, IncidentTitle=Title, IncidentCreatedTime=CreatedTime, tostring(AlertIds)<br> | join kind =leftouter (SecurityAlert<br> | project tostring(SystemAlertId), ProviderName, AlertStartTime=StartTime,<br> AlertEndTime=EndTime, Entities, ExtendedProperties)<br> on $left.AlertIds == $right.SystemAlertId<br> | project-away SystemAlertId, AlertIds</p>\r\n"
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Array1"
|
||
},
|
||
"name": "text-Array1"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "60",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Array1"
|
||
},
|
||
"name": "space1-Array1"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "b1f79330-0e49-4c7a-b93d-773efd47d889",
|
||
"cellValue": "https://ms.portal.azure.com#@72f988bf-86f1-41af-91ab-2d7cd011db47/blade/Microsoft_Azure_Monitoring_Logs/LogsBlade/resourceId/%2Fsubscriptions%2F8bdcebd2-ea3d-41c9-bb40-e02bdbafc506%2FresourceGroups%2Foms%2Fproviders%2FMicrosoft.OperationalInsights%2Fworkspaces%2Foms101/source/LogsBlade.AnalyticsShareLinkToQuery/q/H4sIAAAAAAAAAwtOTS4tyiypdC1LzSsBAIySJcsNAAAA/timespan/P1D",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in LA Demo",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "DemoLogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "aiDemo",
|
||
"source": "static",
|
||
"value": "true"
|
||
},
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "/Demo"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA82VzY7aMBDH7zzFaNkDWwV4ghxoi1q0K1QV7itvMoBpYqfjCZCqD99xwCFBBe1lV2tFij8mM3%2F%2F7JmMx8NbbWYcU5mwtuamXWi98VgegEdt0qwCh4UixQi%2FSySNDl4ws3t4qYAwtztt1tDv9%2BFpNp%2FC55%2FTyaMfHn28Ktxrm9c0PRTKpA6%2BW8eAhjV7QSuyOSwwKUlzNcmQGLRhC3mZsS4yBLJ71%2BsY9P4CHhhNCinEIBt0%2BLx11gymJ6cPYpHvhlgHhFRG%2Bw0SgnbGMuYFV4N05GXMVY7euCC7xYQhzIlbli4Jn7ZlBHV834%2FgK7qEdOFPBiJY6hy%2FoUEPO5Xd9q82aNOG63ZNa7ObJIktzUfAVwOB2mC0rApBFsOdOsq7ayENijtEb9J8N5gzk%2BhUSAKrtbuFLRjKtlyZ54r0HwRF6%2BdcHQYdsdGnB59c4YN5mb8gXQX%2BpCQd%2F4M7sOu67jqNlpozjL4Q%2BkVveQFxgTv04gWnWsdySpmP5mm%2FA9HjTZylb4z1jK0OKPGu0rv42F8yzw86ABsvb5fApwhgV637ZyGxRJj5Sr3XvOlm9AcBFsY1uPiEL0y2MMYdpE3Wh4D%2Bum%2BtNvBLflEQZ7hiWzISDC6rVNDVuFhUTurPyZHUjx8kv7AU6VhC6vkFK%2BJaRdOLevXK1BzVnd4RhHInvTo7MRV%2FhVjWJVCq%2Br3XNmpOTArcPen1hkcdHWehQ7VXFXQWz1fqHwKORUXoBwAA"
|
||
},
|
||
{
|
||
"name": "timespan",
|
||
"source": "static",
|
||
"value": "P1D"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "16",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Array1"
|
||
},
|
||
"name": "TryLADemo-Array1"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "262c9f91-f40f-4255-a984-d0bb16cfacf3",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in your environment",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "LogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "{Workspace}"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA82VzY7aMBDH7zzFaNkDWwV4ghxoi1q0K1QV7itvMoBpYqfjCZCqD99xwCFBBe1lV2tFij8mM3%2F%2F7JmMx8NbbWYcU5mwtuamXWi98VgegEdt0qwCh4UixQi%2FSySNDl4ws3t4qYAwtztt1tDv9%2BFpNp%2FC55%2FTyaMfHn28Ktxrm9c0PRTKpA6%2BW8eAhjV7QSuyOSwwKUlzNcmQGLRhC3mZsS4yBLJ71%2BsY9P4CHhhNCinEIBt0%2BLx11gymJ6cPYpHvhlgHhFRG%2Bw0SgnbGMuYFV4N05GXMVY7euCC7xYQhzIlbli4Jn7ZlBHV834%2FgK7qEdOFPBiJY6hy%2FoUEPO5Xd9q82aNOG63ZNa7ObJIktzUfAVwOB2mC0rApBFsOdOsq7ayENijtEb9J8N5gzk%2BhUSAKrtbuFLRjKtlyZ54r0HwRF6%2BdcHQYdsdGnB59c4YN5mb8gXQX%2BpCQd%2F4M7sOu67jqNlpozjL4Q%2BkVveQFxgTv04gWnWsdySpmP5mm%2FA9HjTZylb4z1jK0OKPGu0rv42F8yzw86ABsvb5fApwhgV637ZyGxRJj5Sr3XvOlm9AcBFsY1uPiEL0y2MMYdpE3Wh4D%2Bum%2BtNvBLflEQZ7hiWzISDC6rVNDVuFhUTurPyZHUjx8kv7AU6VhC6vkFK%2BJaRdOLevXK1BzVnd4RhHInvTo7MRV%2FhVjWJVCq%2Br3XNmpOTArcPen1hkcdHWehQ7VXFXQWz1fqHwKORUXoBwAA"
|
||
},
|
||
{
|
||
"name": "timespan",
|
||
"source": "static",
|
||
"value": "P1D"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "22",
|
||
"conditionalVisibilities": [
|
||
{
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Array1"
|
||
},
|
||
{
|
||
"parameterName": "Workspace",
|
||
"comparison": "isNotEqualTo"
|
||
}
|
||
],
|
||
"name": "TryOwnEnv-Array1"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "30",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Array1"
|
||
},
|
||
"name": "space2-Array1"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "<br>\r\n\r\n<h3 style=\"color:blue;\"> Check out the relevant samples found in Microsoft Sentinel:</h3>\r\n\r\n#### Analytics Rules:\r\n\r\n **- [Modified domain federation trust settings](https://github.com/Azure/Azure-Sentinel/blob/06832a873e1686244f0bc02b10f79ba879078864/Detections/AuditLogs/ADFSDomainTrustMods.yaml)**\r\n\r\n **- [User added to Azure Active Directory Privileged Groups](https://github.com/Azure/Azure-Sentinel/blob/eceb2637e2328c736cd0e9530dcf1fffe8d0577e/Detections/AuditLogs/UseraddedtoPrivilgedGroups.yaml)**\r\n\r\n **- [Multiple users email forwarded to same destination](https://github.com/Azure/Azure-Sentinel/blob/06832a873e1686244f0bc02b10f79ba879078864/Detections/OfficeActivity/Office_MailForwarding.yaml)**\r\n\r\n **- [ADFS Database Named Pipe Connection](https://github.com/Azure/Azure-Sentinel/blob/bab41840da8c760c417324bc30e8a9da756c489d/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml)**\r\n\r\n **- [Credential added after admin consented to Application](https://github.com/Azure/Azure-Sentinel/blob/06832a873e1686244f0bc02b10f79ba879078864/Detections/AuditLogs/CredentialAddedAfterAdminConsent.yaml)**\r\n\r\n **- [First access credential added to Application or Service Principal where no credential was present](https://github.com/Azure/Azure-Sentinel/blob/06832a873e1686244f0bc02b10f79ba879078864/Detections/AuditLogs/FirstAppOrServicePrincipalCredential.yaml)**\r\n\r\n\r\n\r\n#### Hunting Queries:\r\n\r\n **- [Application Granted EWS Permissions](https://github.com/Azure/Azure-Sentinel/blob/f11d4a04de95413244677f2d519d5c2d653277ea/Hunting Queries/MultipleDataSources/ApplicationGrantedEWSPermissions.yaml)**\r\n\r\n **- [Solorigate Encoded Domain in URL](https://github.com/Azure/Azure-Sentinel/blob/44771fce9d745c937461bfd87e8ac3682048ecec/Hunting Queries/DnsEvents/Solorigate-Encoded-Domain-URL.yaml)**\r\n\r\n **- [Anomalous AAD Account Manipulation](https://github.com/Azure/Azure-Sentinel/blob/44771fce9d745c937461bfd87e8ac3682048ecec/Hunting Queries/BehaviorAnalytics/Anomalous AAD Account Manipulation.yaml)**\r\n\r\n **- [Cross workspace query anomolies](https://github.com/Azure/Azure-Sentinel/blob/c69fda6e8b90aa3ae797560b670a42fa8fce2859/Hunting Queries/LAQueryLogs/CrossWorkspaceQueryAnomolies.yaml)**\r\n\r\n **- [Azure DevOps - Internal Upstream Package Feed Added](https://github.com/Azure/Azure-Sentinel/blob/c69fda6e8b90aa3ae797560b670a42fa8fce2859/Hunting Queries/AzureDevOpsAuditing/ADOInternalUpstreamPacakgeFeedAdded.yaml)**\r\n\r\n **- [Rare Audit activity initiated by User](https://github.com/Azure/Azure-Sentinel/blob/c69fda6e8b90aa3ae797560b670a42fa8fce2859/Hunting Queries/AuditLogs/RareAuditActivityByUser.yaml)**\r\n"
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Array1"
|
||
},
|
||
"name": "text2-Array1"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "30",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Array1"
|
||
},
|
||
"name": "space1-Array1b"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "\r\n\r\n<br>\r\n\r\n### b) Expand multi-value dynamic arrays into multiple columns.\r\n\r\n<h3 style=\"color:blue;\"> Operators to be used:</h3>\r\n\r\n **- [bag_unpack](https://docs.microsoft.com/azure/data-explorer/kusto/query/bag-unpackplugin)**\r\n\r\n\r\n<br>\r\n\r\n<h3 style=\"color:blue;\"> Sample queries:</h3>\r\n\r\n** - Expands custom details of SecurityAlert into multiple columns**\r\n\r\n<p style=\"color:red;\"> SecurityAlert <br> | extend customDetails = parse_json(tostring(parse_json(ExtendedProperties).[\"Custom Details\"])) <br> | where isnotempty(customDetails)<br> | project TimeGenerated, AlertName, AlertSeverity, StartTime, EndTime, customDetails<br> | evaluate bag\\_unpack (customDetails, \"custom\\_\")</p>\r\n\r\n** - Expands device details of SignIn logs into multiple columns **\r\n\r\n<p style=\"color:red;\"> SigninLogs<br> | project TimeGenerated, UserPrincipalName, IPAddress, ResultDescription, AppDisplayName, DeviceDetail, Location<br> | evaluate bag_unpack (DeviceDetail)</p>\r\n\r\n\r\n<br>\r\n\r\n<h3 style=\"color:blue;\"> Sample use cases:</h3>\r\n\r\n** - Expands modifiedProperties field of audit events when a user is added to any Azure Active Directory Privileged Groups **\r\n\r\n<p style=\"color:red;\"> AuditLogs <br> | where OperationName in (\"Add member to role\",\"Add member to role in PIM completed (permanent)\")<br> | mv-expand TargetResources<br> | project TimeGenerated, OperationName, TargetResources, InitiatedBy<br> | extend TargetResources = parse_json(TargetResources)<br> | extend modProps = TargetResources.modifiedProperties<br> | extend TargetUser = TargetResources.userPrincipalName<br> | extend InitiatedBy = iif(isnotempty(parse_json(parse_json(InitiatedBy).user).displayName),<br> parse_json(parse_json(InitiatedBy).user).displayName,parse_json(parse_json(InitiatedBy).app).displayName)<br> | mv-expand bagexpansion=array modProps<br> | evaluate bag_unpack(modProps)<br> | project-away TargetResources</p>\r\n"
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Array1"
|
||
},
|
||
"name": "text1-Array1b"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "60",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Array1"
|
||
},
|
||
"name": "space2-Array1b"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "3dbbf0aa-b49c-42c8-afa5-60273e49334d",
|
||
"cellValue": "https://ms.portal.azure.com#@72f988bf-86f1-41af-91ab-2d7cd011db47/blade/Microsoft_Azure_Monitoring_Logs/LogsBlade/resourceId/%2Fsubscriptions%2F8bdcebd2-ea3d-41c9-bb40-e02bdbafc506%2FresourceGroups%2Foms%2Fproviders%2FMicrosoft.OperationalInsights%2Fworkspaces%2Foms101/source/LogsBlade.AnalyticsShareLinkToQuery/q/H4sIAAAAAAAAAwtOTS4tyiypdC1LzSsBAIySJcsNAAAA/timespan/P1D",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in LA Demo",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "DemoLogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "aiDemo",
|
||
"source": "static",
|
||
"value": "true"
|
||
},
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "/Demo"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA7WU207bQBCG7%2FMUI%2BfGlpzkCbgITYQiKI2AXlUV2ngn6dI9dQ8GV334zsaB2IYgVKmrXKydfw77%2FbOezSbvrZX2wcUqCKPf1T2v0WxGP4BLoblswKNljgWEXxGdQA8blOYRNg04VKYWegfj8RiuVtdLOL9Zzi%2FTY5vjQ%2BU%2BulJPyyfLNPdQRR%2BMAo6BCenBbOEWq%2BhEaOYSXQChgwEVZRBWIlRGRqX9qKcZ%2FQF8Cqj5IdnikOsM6Lge7x%2B80XkwhI5OmHfeLfdRyNfOWMpDRIrpt%2BxT29EhS%2Fa9KKjA4w90CMJrE1DZ0OS9UklhnXnAKsCdUHiBGhNoXsK%2Bw2um8LC9xRpT5yXcBuZCUpew1Lzd9LKmc9VMxuTYhu3uo7as%2Bgn90iVk7fN9VhDX8ckFXV%2FhtO5ldV3iWIsKey6JnV5pkGbnT3lECqGvSHCazlePbk22VMIy2VJareecO%2FR0shv0lHSBvnLCpqEnhtYuhLeSNa16sW%2BsZVHClalY0p0i11X%2FR1rKcLEV3bkCepQ8cWORi0DdoQ4%2BTZUGBpEo0GwB4zSMQCyZbmD%2BO9LEzemy1wgL4YiecQ0QrVpI3JHwwplo%2FWieMh4wt2P6xSa%2BxCExIncgz4gpKFQbKkT5nZGYlW%2B8TOL16jN5qMhKsghyyqWYpnaLLI25qie4PybcMbfDQB6Z6Cp8x%2BReO%2BUwjhzXIogkPW%2BOV3mg6l%2FmwZ%2FFMYzQJ%2BpJPxBNX7syrJam8Y3AOBzSY1yndQoUYpt3PhGdhjvbTkixT11M%2BXGii3L0L2HlB4KYtf1SPTfpmux3nnw6Y86x5oXl27cpf%2F678%2FGbsEeKG%2FD7CyhDhZrUBgAA"
|
||
},
|
||
{
|
||
"name": "timespan",
|
||
"source": "static",
|
||
"value": "P1D"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "16",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Array1"
|
||
},
|
||
"name": "TryLADemo-Array1b"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "f95a0b11-732c-42e7-a3d2-e476c827e610",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in your environment",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "LogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "{Workspace}"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA7WU207bQBCG7%2FMUI%2BfGlpzkCbgITYQiKI2AXlUV2ngn6dI9dQ8GV334zsaB2IYgVKmrXKydfw77%2FbOezSbvrZX2wcUqCKPf1T2v0WxGP4BLoblswKNljgWEXxGdQA8blOYRNg04VKYWegfj8RiuVtdLOL9Zzi%2FTY5vjQ%2BU%2BulJPyyfLNPdQRR%2BMAo6BCenBbOEWq%2BhEaOYSXQChgwEVZRBWIlRGRqX9qKcZ%2FQF8Cqj5IdnikOsM6Lge7x%2B80XkwhI5OmHfeLfdRyNfOWMpDRIrpt%2BxT29EhS%2Fa9KKjA4w90CMJrE1DZ0OS9UklhnXnAKsCdUHiBGhNoXsK%2Bw2um8LC9xRpT5yXcBuZCUpew1Lzd9LKmc9VMxuTYhu3uo7as%2Bgn90iVk7fN9VhDX8ckFXV%2FhtO5ldV3iWIsKey6JnV5pkGbnT3lECqGvSHCazlePbk22VMIy2VJareecO%2FR0shv0lHSBvnLCpqEnhtYuhLeSNa16sW%2BsZVHClalY0p0i11X%2FR1rKcLEV3bkCepQ8cWORi0DdoQ4%2BTZUGBpEo0GwB4zSMQCyZbmD%2BO9LEzemy1wgL4YiecQ0QrVpI3JHwwplo%2FWieMh4wt2P6xSa%2BxCExIncgz4gpKFQbKkT5nZGYlW%2B8TOL16jN5qMhKsghyyqWYpnaLLI25qie4PybcMbfDQB6Z6Cp8x%2BReO%2BUwjhzXIogkPW%2BOV3mg6l%2FmwZ%2FFMYzQJ%2BpJPxBNX7syrJam8Y3AOBzSY1yndQoUYpt3PhGdhjvbTkixT11M%2BXGii3L0L2HlB4KYtf1SPTfpmux3nnw6Y86x5oXl27cpf%2F678%2FGbsEeKG%2FD7CyhDhZrUBgAA"
|
||
},
|
||
{
|
||
"name": "timespan",
|
||
"source": "static",
|
||
"value": "P1D"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "22",
|
||
"conditionalVisibilities": [
|
||
{
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Array1"
|
||
},
|
||
{
|
||
"parameterName": "Workspace",
|
||
"comparison": "isNotEqualTo"
|
||
}
|
||
],
|
||
"name": "TryOwnEnv-Array1b"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "30",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Array1"
|
||
},
|
||
"name": "space3-Array1b"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "<br>\r\n\r\n<h3 style=\"color:blue;\"> Check out the relevant samples found in Microsoft Sentinel:</h3>\r\n\r\n#### Analytics Rules:\r\n\r\n **- [ADFS Database Named Pipe Connection](https://github.com/Azure/Azure-Sentinel/blob/bab41840da8c760c417324bc30e8a9da756c489d/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml)**\r\n\r\n **- [AD FS Remote HTTP Network Connection](https://github.com/Azure/Azure-Sentinel/blob/bab41840da8c760c417324bc30e8a9da756c489d/Detections/SecurityEvent/ADFSRemoteHTTPNetworkConnection.yaml)**\r\n\r\n **- [Gain Code Execution on ADFS Server via Remote WMI Execution](https://github.com/Azure/Azure-Sentinel/blob/06832a873e1686244f0bc02b10f79ba879078864/Detections/MultipleDataSources/GainCodeExecutionADFSviaWMI.yaml)**\r\n\r\n **- [ADFS Database Named Pipe Connection](https://github.com/Azure/Azure-Sentinel/blob/bab41840da8c760c417324bc30e8a9da756c489d/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml)**\r\n\r\n **- [User added to Azure Active Directory Privileged Groups](https://github.com/Azure/Azure-Sentinel/blob/eceb2637e2328c736cd0e9530dcf1fffe8d0577e/Detections/AuditLogs/UseraddedtoPrivilgedGroups.yaml)**\r\n\r\n\r\n\r\n#### Hunting Queries:\r\n\r\n **- [Windows System Shutdown/Reboot(Sysmon)](https://github.com/Azure/Azure-Sentinel/blob/c69fda6e8b90aa3ae797560b670a42fa8fce2859/Hunting Queries/SecurityEvent/WindowsSystemShutdown-Reboot.yaml)**\r\n\r\n **- [Certutil (LOLBins and LOLScripts)](https://github.com/Azure/Azure-Sentinel/blob/158019e9f69d847f506d2f1ba05af0bad64b66dd/Hunting Queries/SecurityEvent/Certutil-LOLBins.yaml)**\r\n\r\n **- [Rundll32 (LOLBins and LOLScripts)](https://github.com/Azure/Azure-Sentinel/blob/00086a75b45e2b1cd462b7dc4f13f009f9f4c1f5/Hunting Queries/SecurityEvent/SignedBinaryProxyExecutionRundll32.yaml)**\r\n\r\n **- [Persisting Via IFEO Registry Key ](https://github.com/Azure/Azure-Sentinel/blob/c34d23ff4b0d9af8dffbd36d2a0581d43766ae3c/Hunting Queries/MultipleDataSources/PersistViaIFEORegistryKey.yaml)**\r\n\r\n **- [Rare firewall rule changes using netsh](https://github.com/Azure/Azure-Sentinel/blob/c69fda6e8b90aa3ae797560b670a42fa8fce2859/Hunting Queries/MultipleDataSources/FirewallRuleChanges_using_netsh.yaml)**\r\n\r\n"
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Array1"
|
||
},
|
||
"name": "text2-Array1b"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "## 2. Packs multiple fields into a dynamic array\r\n\r\n<h3 style=\"color:blue;\"> Operators to be used:</h3>\r\n\r\n **- [pack_array](https://docs.microsoft.com/azure/data-explorer/kusto/query/packarrayfunction) (Packs all values into a dynamic array)**\r\n\r\n **- [pack](https://docs.microsoft.com/azure/data-explorer/kusto/query/packfunction) (Create a dynamic object from a list of names and values)**\r\n\r\n **- [make_list](https://docs.microsoft.com/azure/data-explorer/kusto/query/makelist-aggfunction) (Returns a dynamic (JSON) array of all the values)**\r\n\r\n **- [make_set](https://docs.microsoft.com/azure/data-explorer/kusto/query/makeset-aggfunction) (Returns a dynamic (JSON) array of the set of distinct values)**\r\n\r\n<br>\r\n\r\n<h3 style=\"color:blue;\"> Sample queries:</h3>\r\n\r\n** - Packs Incident Title, Severity and Status fields as Incident Details**\r\n\r\n<p style=\"color:red;\"> SecurityIncident<br> | summarize arg_max(TimeGenerated,*) by IncidentNumber<br> | project TimeGenerated, IncidentNumber, Title, Severity, Status<br> | extend IncidentDetails = pack_array(Title, Severity, Status)<br> | project TimeGenerated, IncidentNumber, IncidentDetails</p>\r\n\r\n** - Summary of Account logon with a column packed with Computer**\r\n\r\n<p style=\"color:red;\"> SecurityEvent<br> | where EventID == 4624<br> | summarize Details = make_list(Computer) by Account, bin(TimeGenerated,1h)</p>\r\n\r\n** - Summary of Account logon with a column packed with Computer and Datetime**\r\n\r\n<p style=\"color:red;\"> SecurityEvent<br> | where EventID == 4624<br> | summarize Details = make_list(pack('Computer', Computer, 'DateTime', TimeGenerated)) by Account, bin(TimeGenerated,1h)</p>\r\n\r\n** - Summary of Event IDs (packed in a column) by Computer**\r\n\r\n<p style=\"color:red;\"> SecurityEvent<br> | summarize Events = make_set(EventID) by Computer</p>\r\n\r\n<br>\r\n\r\n<h3 style=\"color:blue;\"> Sample use cases:</h3>\r\n\r\n** - Packs IPAddress, Location and ClientAppUsed fields into an array for AAD SignIn failure**\r\n\r\n<p style=\"color:red;\"> SigninLogs<br> | where ResultType !in (\"0\", \"50125\", \"50140\", \"70043\", \"70044\")<br> | project TimeGenerated, Location, AppDisplayName, ClientAppUsed, IPAddress, UserPrincipalName<br> | extend UserDetails = pack_array(IPAddress, Location,ClientAppUsed)<br> | project TimeGenerated, UserPrincipalName, AppDisplayName, UserDetails</p>\r\n\r\n** - Summary of AAD SignIn with status and IP Address packed into columns **\r\n\r\n<p style=\"color:red;\"> SigninLogs<br> | extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser<br> | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)<br> | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)<br> | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Status =<br> make_list(Status), IPAddresses = make_list(IPAddress), IPAddressCount = dcount(IPAddress)<br> by UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), City, State, Region, Type</p>\r\n\r\n** - Summary of AAD SignIn with distinct IP Address, OS, Browser, Location, ResultType and AppDisplayName by Account**\r\n\r\n<p style=\"color:red;\"> SigninLogs<br> | extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser<br> | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)<br> | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddress = <br> make_set(IPAddress), make_set(OS), make_set(Browser), make_set(City), make_set(State), <br> make_set(Region),make_set(ResultType), make_set(AppDisplayName)<br> by bin(TimeGenerated, 1d), UserDisplayName, UserPrincipalName</p>\r\n\r\n** - Summary of AAD SignIn with distinct IP Address and Location packed into a column**\r\n\r\n<p style=\"color:red;\"> SigninLogs<br> | extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser<br> | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)<br> | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails) <br> | summarize Details = make_set(pack('State', State, 'City', City, 'IPAddress',IPAddress)),StartTime = <br> min(TimeGenerated), EndTime = max(TimeGenerated),IPAddressCount = dcount(IPAddress) by UserPrincipalName</p>"
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Array2"
|
||
},
|
||
"name": "text-Array2"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "30",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Datetime2"
|
||
},
|
||
"name": "text - 11"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "60",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Array2"
|
||
},
|
||
"name": "space2-Array2"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "16d4a38e-8e1e-46bb-a568-722d28989793",
|
||
"cellValue": "https://ms.portal.azure.com#@72f988bf-86f1-41af-91ab-2d7cd011db47/blade/Microsoft_Azure_Monitoring_Logs/LogsBlade/resourceId/%2Fsubscriptions%2F8bdcebd2-ea3d-41c9-bb40-e02bdbafc506%2FresourceGroups%2Foms%2Fproviders%2FMicrosoft.OperationalInsights%2Fworkspaces%2Foms101/source/LogsBlade.AnalyticsShareLinkToQuery/q/H4sIAAAAAAAAAwtOTS4tyiypdC1LzSsBAIySJcsNAAAA/timespan/P1D",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in LA Demo",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "DemoLogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "/Demo"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA%2BVWTW%2FjNhC9%2B1dMk4Otgs3H1tuefPDaQWFskARReg5oaeKwK4kqSSWrRX98h5REUUripkC6W2AFHyxySL558%2FhGx8c%2F7Xs2hTaqSoyQxd647pkcH9MP4KMo0qwGjSVX3CD8WaESqGGLmXyEbQ0Kc%2Fkgih0cHh7C%2BebiDD5cny0%2F2tdmj1cd99rHYrriyScNmyIRKRYGboTJkEGMD4TM1MCLFGLDTaXhTmCWauBB9BoNF5mexJhUNrybmPwFuspzrsQXBK52tzn%2FPLsROf6GBdrMU%2FZjZPPtFlxU%2BRYVLSuV%2FAMTiyMMHsWxMUzWYqQN8LNBwtwtaBHCAkpK9JYrxevZC6uj158%2F2p6IPHzxgbCQ8HKcf2xZYkdfDfIOlkkiKyI7kztZwKMw98AhkVmVFy4pTJvBlczLyhCLXTXOHppSPN6jQnBvmzUsFjD%2F5d18UKKepZx%2FwttMaDPrtnN1ajEw2IpiVMjT%2B%2Bh%2Flb6T7JqgGYL5RlzYc2bT7oQp84cxmNqjLCNTNhRN9K2Jc0nCZq1h1vIkCk%2BdA%2FeiYno23IgnQ6OZtdwNN3jzPFpbulqmqUKtGZzLhFu%2FdeVdZYJALMvyd01ptcYkCiNpFtwdhzupYLlcQyx2xaaAO6pppUgP9CqKc7nTXgzXqKvM3NQlwg%2FE0Ozg5IDBwfuT03fv2z9zN%2FLrycn85%2B7P%2FGCPW3RYGRDEtdBlxusLnpPlDICzMD8aUFdKkK%2BUPLPBvZfZqWd97Bl62OCEPRifnPcUbHDuf3vD%2BzK5m6ybfmMLvbmCNkXwGqYqNxrWw2q2bF3GRNIaH0SCDfgjWdqkqavGtTaYM%2Fig5CPlNo7bNsP9VrYtIEUZSe2e1s86lltWjixSjKistlXuiUtonsKucWcVvC%2FQmoWqL1UTGg2xVHol0wGgZvQIlZLKzkVdL%2Bv1Mo7laSrskTxrY6LBhacoZaxW7J0fexZtf1ak3ey4p%2FvDYTHpvbPtrYHYcWiufjyMWTnPX0DqGAliJmQ7r9Cuz7qtdRQMXcZtyRq82BWGDJxM4KtKPSUCKA8TCJ2Rgr1EQy8JfMpejWHGQa%2F5Lm7FWwnWC6vTrG1xoSL9oFONf%2Btl5YdWTTr%2BPW5o6Ldt0bNgoKtouG5YWCf4px8PcGrRO4ceW%2Fawi3xjNTup%2Bt4denj3JfJdyPUrm%2FjoG9aqqvmEdWRMve9Nbc7TzgynXvdT1l%2BBiAU3bPKvb9g%2FOzo85%2Bh%2FA0ot8laBDwAA"
|
||
},
|
||
{
|
||
"name": "timespan",
|
||
"source": "static",
|
||
"value": "P1D"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "16",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Array2"
|
||
},
|
||
"name": "TryLADemo-Array2"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "d1ace013-f3a5-4f34-8120-65febf2dad36",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in your environment",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "LogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "{Workspace}"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA%2BVWTW%2FjNhC9%2B1dMk4Otgs3H1tuefPDaQWFskARReg5oaeKwK4kqSSWrRX98h5REUUripkC6W2AFHyxySL558%2FhGx8c%2F7Xs2hTaqSoyQxd647pkcH9MP4KMo0qwGjSVX3CD8WaESqGGLmXyEbQ0Kc%2Fkgih0cHh7C%2BebiDD5cny0%2F2tdmj1cd99rHYrriyScNmyIRKRYGboTJkEGMD4TM1MCLFGLDTaXhTmCWauBB9BoNF5mexJhUNrybmPwFuspzrsQXBK52tzn%2FPLsROf6GBdrMU%2FZjZPPtFlxU%2BRYVLSuV%2FAMTiyMMHsWxMUzWYqQN8LNBwtwtaBHCAkpK9JYrxevZC6uj158%2F2p6IPHzxgbCQ8HKcf2xZYkdfDfIOlkkiKyI7kztZwKMw98AhkVmVFy4pTJvBlczLyhCLXTXOHppSPN6jQnBvmzUsFjD%2F5d18UKKepZx%2FwttMaDPrtnN1ajEw2IpiVMjT%2B%2Bh%2Flb6T7JqgGYL5RlzYc2bT7oQp84cxmNqjLCNTNhRN9K2Jc0nCZq1h1vIkCk%2BdA%2FeiYno23IgnQ6OZtdwNN3jzPFpbulqmqUKtGZzLhFu%2FdeVdZYJALMvyd01ptcYkCiNpFtwdhzupYLlcQyx2xaaAO6pppUgP9CqKc7nTXgzXqKvM3NQlwg%2FE0Ozg5IDBwfuT03fv2z9zN%2FLrycn85%2B7P%2FGCPW3RYGRDEtdBlxusLnpPlDICzMD8aUFdKkK%2BUPLPBvZfZqWd97Bl62OCEPRifnPcUbHDuf3vD%2BzK5m6ybfmMLvbmCNkXwGqYqNxrWw2q2bF3GRNIaH0SCDfgjWdqkqavGtTaYM%2Fig5CPlNo7bNsP9VrYtIEUZSe2e1s86lltWjixSjKistlXuiUtonsKucWcVvC%2FQmoWqL1UTGg2xVHol0wGgZvQIlZLKzkVdL%2Bv1Mo7laSrskTxrY6LBhacoZaxW7J0fexZtf1ak3ey4p%2FvDYTHpvbPtrYHYcWiufjyMWTnPX0DqGAliJmQ7r9Cuz7qtdRQMXcZtyRq82BWGDJxM4KtKPSUCKA8TCJ2Rgr1EQy8JfMpejWHGQa%2F5Lm7FWwnWC6vTrG1xoSL9oFONf%2Btl5YdWTTr%2BPW5o6Ldt0bNgoKtouG5YWCf4px8PcGrRO4ceW%2Fawi3xjNTup%2Bt4denj3JfJdyPUrm%2FjoG9aqqvmEdWRMve9Nbc7TzgynXvdT1l%2BBiAU3bPKvb9g%2FOzo85%2Bh%2FA0ot8laBDwAA"
|
||
},
|
||
{
|
||
"name": "timespan",
|
||
"source": "static",
|
||
"value": "P1D"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "22",
|
||
"conditionalVisibilities": [
|
||
{
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Array2"
|
||
},
|
||
{
|
||
"parameterName": "Workspace",
|
||
"comparison": "isNotEqualTo"
|
||
}
|
||
],
|
||
"name": "TryOwnEnv-Array2"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "30",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Array2"
|
||
},
|
||
"name": "space1-Array2"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "<br>\r\n\r\n<h3 style=\"color:blue;\"> Check out the relevant samples found in Microsoft Sentinel:</h3>\r\n\r\n#### Analytics Rules:\r\n\r\n **- [Linked Malicious Storage Artifacts](https://github.com/Azure/Azure-Sentinel/blob/60866cf25e4af0cc1817a8d3fd1d94e53dd85853/Detections/MultipleDataSources/AdditionalFilesUploadedByActor.yaml)**\r\n\r\n **- [New internet-exposed SSH endpoints](https://github.com/Azure/Azure-Sentinel/blob/60866cf25e4af0cc1817a8d3fd1d94e53dd85853/Detections/Syslog/ssh_NewlyInternetExposed.yaml)**\r\n\r\n **- [New executable via Office FileUploaded Operation](https://github.com/Azure/Azure-Sentinel/blob/60866cf25e4af0cc1817a8d3fd1d94e53dd85853/Detections/OfficeActivity/Office_Uploaded_Executables.yaml)**\r\n\r\n **- [Attempt to bypass conditional access rule in Azure AD](https://github.com/Azure/Azure-Sentinel/blob/60866cf25e4af0cc1817a8d3fd1d94e53dd85853/Detections/SigninLogs/BypassCondAccessRule.yaml)**\r\n\r\n **- [Linked Malicious Storage Artifacts](https://github.com/Azure/Azure-Sentinel/blob/60866cf25e4af0cc1817a8d3fd1d94e53dd85853/Detections/MultipleDataSources/AdditionalFilesUploadedByActor.yaml)**\r\n\r\n **- [Failed host logons but success logon to AzureAD](https://github.com/Azure/Azure-Sentinel/blob/60866cf25e4af0cc1817a8d3fd1d94e53dd85853/Detections/MultipleDataSources/HostAADCorrelation.yaml)**\r\n\r\n **- [Brute force attack against Azure Portal](https://github.com/Azure/Azure-Sentinel/blob/60866cf25e4af0cc1817a8d3fd1d94e53dd85853/Detections/SigninLogs/SigninBruteForce-AzurePortal.yaml)**\r\n\r\n **- [Multiple Password Reset by user](https://github.com/Azure/Azure-Sentinel/blob/60866cf25e4af0cc1817a8d3fd1d94e53dd85853/Detections/MultipleDataSources/MultiplePasswordresetsbyUser.yaml)**\r\n\r\n **- [Distributed Password cracking attempts in AzureAD](https://github.com/Azure/Azure-Sentinel/blob/60866cf25e4af0cc1817a8d3fd1d94e53dd85853/Detections/SigninLogs/DistribPassCrackAttempt.yaml)**\r\n\r\n **- [Suspicious granting of permissions to an account](https://github.com/Azure/Azure-Sentinel/blob/60866cf25e4af0cc1817a8d3fd1d94e53dd85853/Detections/AzureActivity/Granting_Permissions_To_Account_detection.yaml)**\r\n\r\n\r\n#### Hunting Queries:\r\n\r\n **- [Potential IIS code injection attempt](https://github.com/Azure/Azure-Sentinel/blob/44771fce9d745c937461bfd87e8ac3682048ecec/Hunting Queries/W3CIISLog/Potential_IIS_CodeInject.yaml)**\r\n\r\n **- [Host Exporting Mailbox and Removing Export](https://github.com/Azure/Azure-Sentinel/blob/83c6d8c7f65a5f209f39f3e06eb2f7374fd8439c/Hunting Queries/SecurityEvent/HostExportingMailboxAndRemovingExport.yaml)**\r\n\r\n **- [10 most recent VM configuration changes based on process](https://github.com/Azure/Azure-Sentinel/blob/83c6d8c7f65a5f209f39f3e06eb2f7374fd8439c/Exploration Queries/InputEntity_Process/Process2Host_VMConfigChange.yaml)**\r\n\r\n **- [Rare firewall rule changes using netsh](https://github.com/Azure/Azure-Sentinel/blob/c69fda6e8b90aa3ae797560b670a42fa8fce2859/Hunting Queries/MultipleDataSources/FirewallRuleChanges_using_netsh.yaml)**\r\n\r\n **- [User Account Linked to Storage Account File Upload](https://github.com/Azure/Azure-Sentinel/blob/158019e9f69d847f506d2f1ba05af0bad64b66dd/Hunting Queries/AzureStorage/AzureStorageUploadLinkAccount.yaml)**\r\n\r\n **- [Failed service logon attempt by user account with available AuditData](https://github.com/Azure/Azure-Sentinel/blob/c69fda6e8b90aa3ae797560b670a42fa8fce2859/Hunting Queries/MultipleDataSources/FailedSigninsWithAuditDetails.yaml)**\r\n\r\n **- [User Granted Access and created resources](https://github.com/Azure/Azure-Sentinel/blob/c69fda6e8b90aa3ae797560b670a42fa8fce2859/Hunting Queries/MultipleDataSources/UserGrantedAccess_CreatesResources.yaml)**\r\n\r\n **- [Windows Reserved Filenames staged on Office file services](https://github.com/Azure/Azure-Sentinel/blob/158019e9f69d847f506d2f1ba05af0bad64b66dd/Hunting Queries/OfficeActivity/WindowsReservedFileNamesOnOfficeFileServices.yaml)**\r\n\r\n **- [New Windows Reserved Filenames staged on Office file services](https://github.com/Azure/Azure-Sentinel/blob/c69fda6e8b90aa3ae797560b670a42fa8fce2859/Hunting Queries/OfficeActivity/New_WindowsReservedFileNamesOnOfficeFileServices.yaml)**\r\n\r\n **- [Anomalous access to other user's mailboxes](https://github.com/Azure/Azure-Sentinel/blob/c69fda6e8b90aa3ae797560b670a42fa8fce2859/Hunting Queries/OfficeActivity/AnomolousUserAccessingOtherUsersMailbox.yaml)**\r\n\r\n **- [Suspicious Windows Login outside normal hours](https://github.com/Azure/Azure-Sentinel/blob/c69fda6e8b90aa3ae797560b670a42fa8fce2859/Hunting Queries/SecurityEvent/Suspicious_Windows_Login_outside_normal_hours.yaml)**\r\n\r\n\r\n#### Parsers:\r\n\r\n **- [Zoom Data Parser](https://github.com/Azure/Azure-Sentinel/blob/83c6d8c7f65a5f209f39f3e06eb2f7374fd8439c/Parsers/Zoom_parser.txt)**\r\n\r\n **- [Microsoft Teams Data Parser](https://github.com/Azure/Azure-Sentinel/blob/83c6d8c7f65a5f209f39f3e06eb2f7374fd8439c/Parsers/Teams_parser.txt)**"
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Array2"
|
||
},
|
||
"name": "text2-Array2"
|
||
}
|
||
]
|
||
},
|
||
"conditionalVisibility": {
|
||
"parameterName": "Category",
|
||
"comparison": "isEqualTo",
|
||
"value": "Dealing with Array Values"
|
||
},
|
||
"name": "group-Array"
|
||
},
|
||
{
|
||
"type": 12,
|
||
"content": {
|
||
"version": "NotebookGroup/1.0",
|
||
"groupType": "editable",
|
||
"items": [
|
||
{
|
||
"type": 12,
|
||
"content": {
|
||
"version": "NotebookGroup/1.0",
|
||
"groupType": "editable",
|
||
"items": [
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "# {Category}\r\n\r\n\r\n<h2 style=\"color:blue;\">Overview:</h2>\r\n\r\nAggregations in Microsoft Sentinel are a means of taking large and diverse data sets, reducing them to logically grouped units that make analysis much easier and faster. It involves taking values of multiple rows, performing some form of calculation on them and then returning a summarized value. Aggregations in Microsoft Sentinel are also the basis upon which we build visualization charts as well as workbooks. The summarize operator in KQL is foundational to achieving aggregations.\r\n\r\n\r\n<br>\r\n"
|
||
},
|
||
"name": "text - 0"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "<h2 style=\"color:blue;\">I want to:</h2>"
|
||
},
|
||
"name": "text - 2"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "list",
|
||
"links": [
|
||
{
|
||
"id": "10c45a2a-2b70-422e-9997-0e4f315f7727",
|
||
"cellValue": "Section",
|
||
"linkTarget": "parameter",
|
||
"linkLabel": "1. Summarize activity frequency across time",
|
||
"subTarget": "Aggregation1",
|
||
"preText": "",
|
||
"style": "link"
|
||
},
|
||
{
|
||
"id": "38e715eb-b556-4f7b-98a1-7ad14950e8b1",
|
||
"cellValue": "Section",
|
||
"linkTarget": "parameter",
|
||
"linkLabel": "2. Summarize by minimum or maximum column values",
|
||
"subTarget": "Aggregation2",
|
||
"style": "link"
|
||
},
|
||
{
|
||
"id": "14bc8e08-9745-4c49-b115-5eff4baa443d",
|
||
"cellValue": "Section",
|
||
"linkTarget": "parameter",
|
||
"linkLabel": "3. Perform counts by various criteria",
|
||
"subTarget": "Aggregation3",
|
||
"style": "link"
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "30",
|
||
"name": "links - 1"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "## 1. Summarize activity frequency across time\r\n\r\n<h3 style=\"color:blue;\"> Operators to be used:</h3>\r\n\r\n **- [summarize](https://docs.microsoft.com/azure/data-explorer/kusto/query/summarizeoperator)**\r\n\r\n **- [count()](https://docs.microsoft.com/azure/data-explorer/kusto/query/count-aggfunction)**\r\n\r\n\r\n\r\n<br>\r\n\r\n<h3 style=\"color:blue;\"> Sample queries:</h3>\r\n\r\n** - Returns summary of Account activity over the past 24 hours**\r\n\r\n<p style=\"color:red;\"> SecurityEvent <br> | where TimeGenerated > ago(24h) <br> | summarize count() by Account</p>\r\n\r\n\r\n** - Returns summary of the count of failed logon attempts by Azure resources **\r\n\r\n<p style=\"color:red;\"> SigninLogs <br> | where ResultType !=0 <br> | summarize FailedLoginCount=count() by ResourceDisplayName<br> | sort by FailedLoginCount desc nulls last</p>\r\n\r\n\r\n\r\n\r\n\r\n\r\n<br>\r\n\r\n<h3 style=\"color:blue;\"> Sample use cases:</h3>\r\n\r\n** - Detect password spray attack **\r\n\r\n<p style=\"color:red;\"> let timeframe = 1d; <br> let threshold = 3;<br> SigninLogs<br> | where TimeGenerated >= ago(timeframe)<br> | where ResultType == \"50057\"<br> | where ResultDescription =~ \"User account is disabled. The account has been disabled by an administrator.\"\r\n<br> | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count(), applicationSet =<br> make_set(AppDisplayName),ApplicationCount = dcount(AppDisplayName) by UserPrincipalName, IPAddress<br> | where ApplicationCount >= threshold\r\n</p>\r\n\r\n\r\n** - Identify which users were added to a security-enabled group over the last day **\r\n\r\n<p style=\"color:red;\"> SecurityEvent <br> | extend delay = ingestion_time() - TimeGenerated <br> | where EventID in (4728, 4732, 4756) // these event IDs indicate a member was added to a security-enabled group <br> | summarize count() by SubjectAccount, Computer, _ResourceId </p>\r\n<br>"
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Aggregation1"
|
||
},
|
||
"name": "text-Aggregation1"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "60",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Aggregation1"
|
||
},
|
||
"name": "space1-Aggregation1"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "b1fa36fb-48cf-4c39-86b5-db9bae1b5a21",
|
||
"cellValue": "https://ms.portal.azure.com#@72f988bf-86f1-41af-91ab-2d7cd011db47/blade/Microsoft_Azure_Monitoring_Logs/LogsBlade/resourceId/%2Fsubscriptions%2F8bdcebd2-ea3d-41c9-bb40-e02bdbafc506%2FresourceGroups%2Foms%2Fproviders%2FMicrosoft.OperationalInsights%2Fworkspaces%2Foms101/source/LogsBlade.AnalyticsShareLinkToQuery/q/H4sIAAAAAAAAAwtOTS4tyiypdC1LzSsBAIySJcsNAAAA/timespan/P1D",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in LA Demo",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "DemoLogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "/Demo"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA61U227aQBB95yum8AKSE1JCmkqRK9FAKytRFEH6HC3eAW9j7273AnFU9ds7i4GQcEkeMrIseXc8M%2BfMmWm3jw5ZIq0zPnVCyYN%2BK6u12%2FQAXAnJ8xIsamaYQ%2Fjj0Qi0MMZczWFcgsFCzYScQqPRgOvkZgDfh4PeVfisYrwr3XuN4g3ReSMtWF8UzJSgJtBLU%2BWlA0b4Zo6OZmjAZQiaWQedLmTKG1uDlY0w9Ua4cjBD6Z6P%2F8I8Q4NwJwr8iRIDYA7fgE1Vs9PNWpueVXbxhLBI3WwFLpZ1UJGNvQabJMF%2Bv7XthhzQVaDpY8JETpXmaqokMOew0M4uCnryhMegJfwp2tpITKWQ12pqt1EP0frc3ZUa4VN8shvrj0Ui%2Bl%2FIy5A83gA%2FXGbpC6tzVt6wAl8EUcYFt9chgKNNQfo8t5BTuz6cvD46TF2Qgp0rw8Fqw8rAEksfajk6cNTuiaFyIYbP%2FKI6y4i0TOWczk4vDvL2Si3xQi7rmK2DRMcx1M9OTs7O6%2Fvc%2BsSOETrMLcT%2FoP7LkrTZUu%2FCAheWjYnQY7gjRawuMhYmFOX6OjDPSBu8EFLQJmBOmeP67iaPHDMuoCLs5N58AbAVwUDy1S173LpdKiICpnUuUhYqHxGjwfsB7y26Zk%2FrDZG0ot6zZyWJGHgV5pVnQBEIuDVCpkKzPJxGkNz2OKd%2B7WjOVmjqz7q3Hy61hNM%2BEZOSkos0A0%2BlWpiHOhjn1ASngNEqrZbPEcqqNVOjvH7eWWEIgLOytn9N4aNDyWlyiBgii7Yv2gDxPsiOpvHopSi3aVlETPr0JzS7552vEXTPTzvhffalBbT3qRCLgMENkr4lRx5oJCBQYDGmUucksTdRvbkxR378m6ZzuTgjuFSF9g5NBPerfZJ8cJ%2F%2BAxX2gTIpBwAA"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "16",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Aggregation1"
|
||
},
|
||
"name": "TryLADemo-Aggregation1"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "6767f18a-5ff3-413a-955c-5fc42c3a1eb1",
|
||
"cellValue": "",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in my own environment",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "LogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "{Workspace}"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA61V227aQBB9z1dM4QUkJ6SENFUrV6KBVlaiKIL0OVq8A97G3t3uBeKo6rd3FnMLEJKHrBCSd8Yzc86cGbdax4dOIq0zPnVCyYN%2By3PUatEP4EpInpdgUTPDHMIfj0aghRHmagajEgwWairkBOr1OlwnN334Puh3r8JjFeNN6d56KN4AnTfSgvVFwUwJagzdNFVeOmCEb%2BroaooGXIagmXXQ7kCmvLFHsDxDTL0RruxPUbr19V%2BYZWgQ7kSBP1FiAMzhG7CJarQ7WXPTs8ounhDmqRvNwMWiDiqy%2FuKBTZLgZb%2FV2Q85oKtA08OYiZwqzdVESWDOYaGdnRf05AmPQUv4U7RHQzGRQl6rid1FPUDrc3dXaoQP8el%2BrD%2Fmieh9IS9D8ngD%2FGCRpSeszll5wwp8FkQZF9y2QwBHm4L0eW4hp3a9O3lDVugcwVsijFm0X%2Biuhw5TF%2BRhZ8pwsNqwMjDH0od10Tk6cKSFsSEsEMNH%2FnXLmBG1mco5Gc82bIdo3hJXPFfXKkvzYF%2FiGGrnp6fnF7WX3HpEphE6jDnE%2F6D2y9IksMV4CAtcWDYi%2Fk%2FgjgS0NGQsDDTKlTk0ipGUeCGkoMXBnDIntf2aGDpmXEBFJJB74xnAZgR9yZdW9rhjXQgoAqZ1LlIWKh8StfE6WcEe8N6ia3S13hBXM%2BquX6mkFAOv4m15BjiBiVsjZCo0y8NtBMltl3Pq4J4u7YSmRq26%2Fe4STTjtITEuKblIsyBVY2EW6mCcUzecAkYruFpaxyirHk2M8nq968LwAGflG9YcPjqUnCaPCCLSaHujDVDvgw5pmo%2Bfq3SXnnnEpEdvQqNz0f4cQefirB3%2Bzz81gb4bVBDNGwY3SHqWHHmgkwBBgcWISp6R5l5F9%2BrGHfrRb5rkxeKN4FIV2js0Edwv91HC%2FwN%2FvFO6GwcAAA%3D%3D"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "22",
|
||
"conditionalVisibilities": [
|
||
{
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Aggregation1"
|
||
},
|
||
{
|
||
"parameterName": "Workspace",
|
||
"comparison": "isNotEqualTo"
|
||
}
|
||
],
|
||
"name": "TryOwnEnv-Aggregation1"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "30",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Aggregation1"
|
||
},
|
||
"name": "space2-Aggregation1"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "<br>\r\n\r\n<h3 style=\"color:blue;\"> Check out the relevant samples found in Microsoft Sentinel:</h3>\r\n\r\n#### Analytics Rules:\r\n\r\n **- [Malformed user agent](https://github.com/Azure/Azure-Sentinel/blob/06832a873e1686244f0bc02b10f79ba879078864/Detections/MultipleDataSources/MalformedUserAgents.yaml)**\r\n\r\n **- [Potential DGA detected](https://github.com/Azure/Azure-Sentinel/blob/76578d41f67181e6c1acb16b520f48a31d248036/Detections/DnsEvents/DNS_HighNXDomainCount_detection.yaml)**\r\n\r\n **- [User login from different countries within 3 hours (Uses Authentication Normalization)](https://github.com/Azure/Azure-Sentinel/blob/84deef53a17d0f989b9098d92e051fad09d9e568/Detections/ASimAuthentication/imAuthSigninsMultipleCountries.yaml)**\r\n\r\n **- [Failed AzureAD logons but success logon to AWS Console](https://github.com/Azure/Azure-Sentinel/blob/06832a873e1686244f0bc02b10f79ba879078864/Detections/MultipleDataSources/AADAWSConsoleCorrelation.yaml)**\r\n\r\n\r\n\r\n#### Hunting Queries:\r\n\r\n **- [Tracking Privileged Account Rare Activity](https://github.com/Azure/Azure-Sentinel/blob/c69fda6e8b90aa3ae797560b670a42fa8fce2859/Hunting%20Queries/MultipleDataSources/TrackingPrivAccounts.yaml)**\r\n\r\n **- [User Login IP Address Teleportation](https://github.com/Azure/Azure-Sentinel/blob/158019e9f69d847f506d2f1ba05af0bad64b66dd/Hunting%20Queries/SigninLogs/UserLoginIPAddressTeleportation.yaml)**\r\n\r\n **- [Tracking password changes](https://github.com/Azure/Azure-Sentinel/blob/158019e9f69d847f506d2f1ba05af0bad64b66dd/Hunting%20Queries/MultipleDataSources/TrackingPasswordChanges.yaml)**\r\n\r\n#### Data connectors:\r\n\r\n **- [Alcide KAudit](https://github.com/Azure/Azure-Sentinel/blob/83c6d8c7f65a5f209f39f3e06eb2f7374fd8439c/DataConnectors/alcide_kaudit.json)**\r\n\r\n **- [Better Mobile Threat Defence](https://github.com/Azure/Azure-Sentinel/blob/83c6d8c7f65a5f209f39f3e06eb2f7374fd8439c/DataConnectors/BETTERMTD.json)**\r\n\r\n"
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Aggregation1"
|
||
},
|
||
"name": "text2-Aggregation1 "
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "## 2. Summarize by maximum or minimum column values \r\n\r\n<h3 style=\"color:blue;\"> Operators to be used:</h3>\r\n\r\n **- [arg_max()](https://docs.microsoft.com/azure/data-explorer/kusto/query/arg-max-aggfunction)**\r\n\r\n **- [arg_min()](https://docs.microsoft.com/azure/data-explorer/kusto/query/arg-min-aggfunction)**\r\n\r\n **- [toreal()](https://docs.microsoft.com/azure/data-explorer/kusto/query/todoublefunction)**\r\n\r\n\r\n<br>\r\n\r\n<h3 style=\"color:blue;\"> Sample queries:</h3>\r\n\r\n** - Returns most current event rows by IP Address within the specified lookback period**\r\n\r\n<p style=\"color:red;\"> SecurityEvent <br> | where TimeGenerated > ago(1h) <br> | summarize arg_max(TimeGenerated, *) by IpAddress</p>\r\n\r\n** - Returns subset of columns for the most recent records within specified lookback period **\r\n\r\n<p style=\"color:red;\"> SecurityEvent <br> | where TimeGenerated > ago(1h) <br> | summarize arg_max(TimeGenerated, Computer) by IpAddress\r\n</p>\r\n\r\n\r\n** - Returns oldest columns within specified lookback period **\r\n\r\n<p style=\"color:red;\"> SecurityEvent <br> | where TimeGenerated > ago(1h) <br> | summarize arg_min(TimeGenerated, *) by IpAddress\r\n</p>\r\n\r\n\r\n\r\n<br>\r\n\r\n<h3 style=\"color:blue;\"> Sample use cases:</h3>\r\n\r\n** - Identify accounts for which most recent activity was logon **\r\n\r\n<p style=\"color:red;\"> SecurityEvent <br> | summarize arg_max(TimeGenerated, *) by Account<br> | where EventID == \"4624\"<br> </p>\r\n\r\n\r\n\r\n\r\n\r\n\r\n** - Detect infrequently used accounts over the past 90 days **\r\n\r\n<p style=\"color:red;\"> SecurityEvent <br> | where TimeGenerated < ago(90d) <br> | where EventID == 4624 <br> | where AccountType == \"User\"<br> | summarize Count=count(), LastLogon=arg_max(TimeGenerated, *) by Account\r\n<br> | where toreal(Count) <5\r\n<br>\r\n\r\n\r\n\r\n\r\n\r\n\r\n"
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Aggregation2"
|
||
},
|
||
"name": "text-Aggregation2 "
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "30",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Aggregation2"
|
||
},
|
||
"name": "text - 11"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "30",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Aggregation2"
|
||
},
|
||
"name": "space1-Aggregation2"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "list",
|
||
"links": [
|
||
{
|
||
"id": "869e15d9-b2a3-4d1d-84f3-e2f0b83cab8a",
|
||
"cellValue": "https://ms.portal.azure.com#@72f988bf-86f1-41af-91ab-2d7cd011db47/blade/Microsoft_Azure_Monitoring_Logs/LogsBlade/resourceId/%2Fsubscriptions%2F8bdcebd2-ea3d-41c9-bb40-e02bdbafc506%2FresourceGroups%2Foms%2Fproviders%2FMicrosoft.OperationalInsights%2Fworkspaces%2Foms101/source/LogsBlade.AnalyticsShareLinkToQuery/q/H4sIAAAAAAAAAwtOTS4tyiypdC1LzSsBAIySJcsNAAAA/timespan/P1D",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in LA Demo",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "DemoLogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "/Demo"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA82Ub2%2FTMBDG3%2B9TPCpvGjTUgQbSpBWpbBWqViE0xmvk2pfGWmKHs90QxIfHcdqyaayMqfw5RXlhXS7P%2Fe7xjUZP7g1gPns3xZvL6eQCuD9vGwej0bNdMTPOc5BeW%2BN2Jm4iFowPcKGNKls4qgULT%2FAF4XMg1uSwoNI2WLRgquxKm2Wn9KbyXtivtP1uxHqX5AMbh8o6DxmYyXjQqnuzbVynafYeE6WYnEOjfaFNku5qkjrXpFBae70Q8hp1bMaqA2ziA8WC2rfTrtyP429oCmLCla7oLRnqaCi8hlja4fMiu5noQlUJ1l8JgpefKvFleOujQzzNksJ6LTA2tF8rbPC4sHDkYXNIW4YqnuSWE4cEjkkmYiQtqy2m%2FwPRma3q4In%2FMKlez4aXLRV1hlrD%2BodAtPnbnsFMRe06byGktMH43ixNoWVxyy4ibpFV7BWNcJHI0poHcHjglZj0v75LMBWcnWM8xuD41Yvjwd77PydP0kObnCkuOOPj1gsujmuLw66ovzy1iDROjqBE6x7pgdPkgZMjle3stWv1bsKa0lVbUwLy0REPfk77rEscp%2FRhdoh5VD7vRjZ%2B3Bi8ZRLlMFXNcPpyv1P4DrbS4cYSBwAA"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "16",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Aggregation2"
|
||
},
|
||
"name": "TryLADemo-Aggregation2"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "list",
|
||
"links": [
|
||
{
|
||
"id": "b26e5de2-4089-4d31-854c-199a64af2189",
|
||
"cellValue": "",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍Try it in your environment",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "LogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "{Workspace}"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA82U22rbQBCG7%2FMUP%2FaNVVKclrSQEgecxBQRU0oO12G9O7KWSDvqHqyq9OGzkh3HIY0xoaQdhEDD6J%2BZb2dnOHy%2FzVLjvA3SazZb4x5sbziMD3ChjSoaOKqEFZ7wI5DV5DCjgmvMGlgqeaHNHP1%2BH9P02wSnl5PxRfu51Ngp3a4W9S7JB2scSnYeMlhLxoMW7dty7dqa0u8YK2XJOdTa59rA5wRXkdSZJoWC%2BW4m5B2q2AyrPTzYFUVB7ZtJK%2Ffo%2Fo06J0u41iV9JUMtCYUTiDkPPuTJZqALZSms%2FkUQdn5bip%2BDJz%2Ft413SVVitCowN9V80bALFy3Fr28DjwsyRB2eQXIQyejK2HYcOnCXZESPJVq0x%2FR%2BIzrisgif7RqS4UNSO0grTP0ShzVtPy5Uoq4IQHEEKR%2B5L9KUqtqOzBkJKDsYvJ6fOtcyfzI6I22QR20ctXIQ0Z7MDmh3vx3iZ%2BjnUTjA9x2iE3uHnj4e9v4tknS%2FKnpMn6aFNZimuPePjHoyg1CMXXtDySlUiYjk6gBKNe%2BV8HHfzcXSgkq1Ntz0%2FD1jhum4q6sjcOLK9P2M%2FawNHXfgg2cc0Vj5tz270uvPwbEkUg041wfGneyv%2B5jiHBgAA"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "22",
|
||
"conditionalVisibilities": [
|
||
{
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Aggregation2"
|
||
},
|
||
{
|
||
"parameterName": "Workspace",
|
||
"comparison": "isNotEqualTo"
|
||
}
|
||
],
|
||
"name": "TryOwnEnv-Aggregation2"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "30",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Aggregation2"
|
||
},
|
||
"name": "space2-Aggregation2"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "<br>\r\n\r\n<h3 style=\"color:blue;\"> Check out the relevant samples found in Microsoft Sentinel:</h3>\r\n\r\n#### Analytics Rules:\r\n\r\n **- [Multiple password reset by user](https://github.com/Azure/Azure-Sentinel/blob/9360261b187d1c9d29262bca6641f8383732c703/Detections/MultipleDataSources/MultiplePasswordresetsbyUser.yaml)**\r\n\r\n **- [ Time series anomaly for data size transferred to public internet](https://github.com/Azure/Azure-Sentinel/blob/9efc5f1f3ebfcaccd1922df317167afeec38e6d9/Detections/MultipleDataSources/TimeSeriesAnomaly-MultiVendor_DataExfiltration.yaml)**\r\n\r\n\r\n **- [Vulnerable Machines related to OMIGOD CVE-2021-38647](https://github.com/Azure/Azure-Sentinel/blob/e01fb340625bdb0d32dc8fc0a6fcacc0f7970f37/Detections/SecurityNestedRecommendation/OMIGODVulnerableMachines.yaml)**\r\n\r\n **- [Failed logon attempts in authpriv](https://github.com/Azure/Azure-Sentinel/blob/06832a873e1686244f0bc02b10f79ba879078864/Detections/Syslog/FailedLogonAttempts_UnknownUser.yaml)**\r\n\r\n \r\n\r\n#### Hunting Queries:\r\n\r\n **- [ DNS Events that match threat intelligence](https://github.com/Azure/Azure-Sentinel/blob/158019e9f69d847f506d2f1ba05af0bad64b66dd/Hunting%20Queries/ThreatIntelligenceIndicator/Sample-DNSEventsMatchToThreatIntel.yaml)**\r\n\r\n **- [Rare Custom Script Extension](https://github.com/Azure/Azure-Sentinel/blob/76578d41f67181e6c1acb16b520f48a31d248036/Hunting%20Queries/AzureActivity/Rare_Custom_Script_Extension.yaml)**\r\n\r\n **- [TI map File entity to WireData Event](https://github.com/Azure/Azure-Sentinel/blob/c69fda6e8b90aa3ae797560b670a42fa8fce2859/Hunting%20Queries/ThreatIntelligenceIndicator/FileEntity_WireData.yaml)**\r\n\r\n\r\n#### Workbooks:\r\n\r\n **- [Investigation insights](https://github.com/Azure/Azure-Sentinel/blob/83c6d8c7f65a5f209f39f3e06eb2f7374fd8439c/Workbooks/InvestigationInsights.json)**\r\n\r\n **- [Workspace auditing](https://github.com/Azure/Azure-Sentinel/blob/83c6d8c7f65a5f209f39f3e06eb2f7374fd8439c/Workbooks/WorkspaceAuditing.json)**\r\n\r\n **- [UEBA](https://github.com/Azure/Azure-Sentinel/blob/2d4e84c672900d5e4929544f553d465285238e48/Workbooks/UserEntityBehaviorAnalytics.json)**\r\n\r\n#### Parsers:\r\n\r\n **- [Zoom Reports](https://github.com/Azure/Azure-Sentinel/blob/83c6d8c7f65a5f209f39f3e06eb2f7374fd8439c/Parsers/ZoomReports/Zoom.txt)**\r\n\r\n\r\n\r\n\r\n"
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Aggregation2"
|
||
},
|
||
"name": "text2-Aggregation2"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "## 3. Perform counts by various criteria\r\n\r\n<h3 style=\"color:blue;\"> Operators to be used:</h3>\r\n\r\n **- [summarize](https://docs.microsoft.com/azure/data-explorer/kusto/query/summarizeoperator)**\r\n\r\n **- [dcount()](https://docs.microsoft.com/azure/data-explorer/kusto/query/dcount-aggfunction)**\r\n\r\n **- [countif()](https://docs.microsoft.com/azure/data-explorer/kusto/query/countif-aggfunction)**\r\n\r\n **- [sumif()](https://docs.microsoft.com/azure/data-explorer/kusto/query/sumif-aggfunction)**\r\n\r\n **- [percentiles()](https://docs.microsoft.com/azure/data-explorer/kusto/query/percentiles-aggfunction)**\r\n\r\n **- [make_list()](https://docs.microsoft.com/azure/data-explorer/kusto/query/makelist-aggfunction)**\r\n\r\n\r\n\r\n<br>\r\n\r\n<h3 style=\"color:blue;\"> Sample queries:</h3>\r\n\r\n** - Returns a distinct count of computers successfully logged on to based on Account type\r\n**\r\n\r\n<p style=\"color:red;\"> SecurityEvent <br> | where TimeGenerated > ago(24h) <br> | where EventID == 4624 <br> | summarize dcount(Computer) by AccountType</p>\r\n\r\n\r\n** - Performs a conditional count based on rows that meet the specified criteria **\r\n\r\n<p style=\"color:red;\"> SecurityEvent <br> | where TimeGenerated > ago(1d) <br> | summarize RowCount=countif(toint(Level) == 8 ) by Computer<br> | sort by RowCount desc </p>\r\n\r\n** - Performs a summation on rows that meet the specified criteria **\r\n\r\n<p style=\"color:red;\"> VMConnection <br> | where TimeGenerated > ago(1d) <br> | summarize sumif(BytesSent, SourceIp contains \"10.1.1.5\") </p>\r\n\r\n** - Creates a list of unique computers **\r\n\r\n<p style=\"color:red;\"> VMComputer <br> | where TimeGenerated > ago(1h) <br> | distinct Computer //to eliminate duplicates<br> | summarize CompList = make_list(Computer)\r\n\r\n\r\n\r\n\r\n<br>\r\n\r\n<h3 style=\"color:blue;\"> Sample use cases:</h3>\r\n\r\n** - Obtain a summary of failed vs successful logons by time and location **\r\n\r\n<p style=\"color:red;\"> SecurityEvent <br> | where TimeGenerated > ago(7d)<br> | summarize Successful=countif(EventID==4624), Failed=countif(EventID==4625) by IpAddress </p>\r\n\r\n\r\n\r\n\r\n\r\n** - Groups computers by percentile based on \"oldest missing updates\" **\r\n\r\n<p style=\"color:red;\"> UpdateSummary <br> | where TimeGenerated > ago(14d) <br> |project Computer, OldestMissingSecurityUpdateInDays <br> | summarize percentiles(OldestMissingSecurityUpdateInDays,10,40,80) </p>\r\n\r\n\r\n\r\n\r\n\r\n\r\n</p>\r\n\r\n\r\n\r\n\r\n\r\n<br>"
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Aggregation3"
|
||
},
|
||
"name": "text-Aggregation3"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "30",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Aggregation3"
|
||
},
|
||
"name": "text - 11 "
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "30",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Aggregation3"
|
||
},
|
||
"name": "sapce1-Aggregation3"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "list",
|
||
"links": [
|
||
{
|
||
"id": "6a2f4441-806b-4d21-851b-916f73174bfb",
|
||
"cellValue": "https://ms.portal.azure.com#@72f988bf-86f1-41af-91ab-2d7cd011db47/blade/Microsoft_Azure_Monitoring_Logs/LogsBlade/resourceId/%2Fsubscriptions%2F8bdcebd2-ea3d-41c9-bb40-e02bdbafc506%2FresourceGroups%2Foms%2Fproviders%2FMicrosoft.OperationalInsights%2Fworkspaces%2Foms101/source/LogsBlade.AnalyticsShareLinkToQuery/q/H4sIAAAAAAAAAwtOTS4tyiypdC1LzSsBAIySJcsNAAAA/timespan/P1D",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in LA Demo",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "DemoLogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "/Demo"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA7WVTW8aMRCG7%2FkVI3oBiXYhIm0uVCIkjVCSpgppr5WxB3C7a2%2F9AdqoP74zu3wqgbQJNRwsr3f8%2Bpl5Z5Pkzc4BcD34fAFndxe9K4Dd%2B1bjKEne7hsD44OLMmhr%2FN6Ny0EB6Q9wpY1KC%2FCYCycCQpgi%2FIroNHoYYWrnMCrAYWZn2kxY6abySthz2v51sK47DNEZDwKU9kEbGUDaaALYMU2yPAZ0HnyUEr0fx5SukNrJBBVYA8HCSPhq3pPVe6HI8QiWY4gyOh2KixmasF7%2BDfMpOoR7neElGmQiCj6CmNj6cWfaeLyzDDA4h24XOu%2BPO5sbfMwy4fQDgiol1PsL3Q1GutB1z7KSA1cKfEE3thnTk9YozVUh0gXAFRln557SLQJkiKFMvM9R6rGm55LoUBGIVyFrq8bTQO7svM9iuqUkPa4HqwnQNc4wbTDLUyghLYltRbEu8LNlDFDo5f9ESLIFE3wBs283fWsMlrZ8JTKaEaezIqAfUgKaMLTRSRzknOIgNHml1m69a9PvpNY4PI%2B%2BQ5LJPFIyJNswGk2NYu3G7Ws%2FTtyeS287a%2BX4ZRRIErI0pjrThnuUinmqJct5mhW%2Fd80qu5CJn%2FidFa%2Fdd3A2tyPmX1UKKSgYzljolO432%2BxR3KGoPXPxBqIAwihakmKrOl5gsw%2B7ama4OnpltEW%2F6na5WzWa8KnU%2BeTjk9KCg7ynlKMoB8d26WzM%2FUY3p9NypJomJSmu%2B1TNpmRxcpz2nr9BMVec%2Btr6zl%2FLlWFF%2Fy9LrrMFLXf2B25UXBNuy0NvqjOXSakOGphzUewovfUFfP3ZEM12q9lpNU9bB67JP6KjKGF6CAAA"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "16",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Aggregation3"
|
||
},
|
||
"name": "TryLADemo-Aggregation3"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "list",
|
||
"links": [
|
||
{
|
||
"id": "f11a653c-8251-4c83-b750-faa7d184872d",
|
||
"cellValue": "",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍Try it in your environment",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "LogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "{Workspace}"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA7WV224TMRCG7%2FsUo3CTlQKbVClUSEFq01JFbSlqCrfIsSepYddefEi0iIdnZjdHNWmhDU4uVrZ3%2FM%2Fn%2BWfT9NXOAXA1%2BHQOp7fnJ5cAu%2Fctx0Gavn5sDIwPLsqgrfGPblwMCkh%2FgEttVFaCx0I4ERDCPcLPiE6jhxFmdgajEhzmdqrNhJWuK6%2BFPaXtXwfrusUQnfEgQGkftJEBpI0mgB3TQ17EgM6Dj1Ki9%2BOYUQqZnUxQgTUQLIyEr59PZP1eKAs8gMUYooxOh%2FJ8iiaspn%2FD7B4dwp3O8QINMhEFH0BMbPOwe5883FkFGJxBrwfdt4fd9Q0%2B5rlw%2BheCqiQ0%2B3PdCSOd67pjWemeKwU%2BoxvbnOlJa5TmqhDZHOCSjLMzT9ctAuSIobp4X6DUY03rkuhQEYgXIeuoZDuQWzvrs5heJUmPm8FqAnSFU8wSZnkMFaQFsY0o1gVeW8QAhV7%2BT4QkWzDBZzD7et23xmBlyxcioyfidFoG9EO6gBYMbXQSBwVfcRCavNLotN906HfUSPbPo%2B%2BQZDKPjAzJNoxGU6NYuXEz7YcX90jSm85aOn4RBdKULI2ZzrXhHqVikWnJcraz4veuWGUPcvEDv7Hilfv2z2Yo8iJDiJ5okLv8e5q8GfGl1OVDskomNhY6o6Sn642L2xb1bK7oQGhAGEVTUmyWzDPM925XJQ2XZy%2FtN%2B9ivR73sKQFHyuhW5ePKmMOihOlHEWhTC%2BcjYVf68q0XiDVJr1LVJb9pmEzsio5R3vP35JYKL7Cxkrll2pmWAP7y9LpbqRZOPsd1yqnBTfVodf1mQuM9UEDcybKHSW0SsA3nwzR6rRb3XbruJ38Adrt7fX0BwAA"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "16",
|
||
"conditionalVisibilities": [
|
||
{
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Aggregation3"
|
||
},
|
||
{
|
||
"parameterName": "Workspace",
|
||
"comparison": "isNotEqualTo"
|
||
}
|
||
],
|
||
"name": "TryOwnEnv-Aggregation3"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "30",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Aggregation3"
|
||
},
|
||
"name": "space2-Aggregation3"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "<br>\r\n\r\n<h3 style=\"color:blue;\"> Check out the relevant samples found in Microsoft Sentinel:</h3>\r\n\r\n#### Analytics Rules:\r\n\r\n **- [ Rare client observed with high reverse DNS lookup count](https://github.com/Azure/Azure-Sentinel/blob/06832a873e1686244f0bc02b10f79ba879078864/Detections/DnsEvents/DNS_HighReverseDNSCount_detection.yaml)**\r\n\r\n **- [Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization)](https://github.com/Azure/Azure-Sentinel/blob/84deef53a17d0f989b9098d92e051fad09d9e568/Detections/ASimAuthentication/imSigninAttemptsByIPviaDisabledAccounts.yaml)**\r\n\r\n **- [New High Severity Vulnerability Detected Across Multiple Hosts)](https://github.com/Azure/Azure-Sentinel/blob/06832a873e1686244f0bc02b10f79ba879078864/Detections/QualysVM/NewHighSeverityVulnDetectedAcrossMulitpleHosts.yaml)**\r\n\r\n\r\n\r\n#### Hunting Queries:\r\n\r\n **- [Login spike with increased failure rate](https://github.com/Azure/Azure-Sentinel/blob/c69fda6e8b90aa3ae797560b670a42fa8fce2859/Hunting%20Queries/SigninLogs/LoginSpikeWithIncreaseFailureRate.yaml)**\r\n\r\n **- [: Azure Storage Mass File Deletion](https://github.com/Azure/Azure-Sentinel/blob/158019e9f69d847f506d2f1ba05af0bad64b66dd/Hunting%20Queries/AzureStorage/AzureStorageMassDeletion.yaml)**\r\n\r\n **- [Tracking Privileged Account Rare Activity](https://github.com/Azure/Azure-Sentinel/blob/c69fda6e8b90aa3ae797560b670a42fa8fce2859/Hunting%20Queries/MultipleDataSources/TrackingPrivAccounts.yaml)**\r\n\r\n#### Workbooks:\r\n\r\n **- [IOC Insights](https://github.com/Azure/Azure-Sentinel/blob/83c6d8c7f65a5f209f39f3e06eb2f7374fd8439c/Workbooks/IntsightsIOCWorkbook.json)**\r\n\r\n **- [Proofpoint Threat Dashboard](https://github.com/Azure/Azure-Sentinel/blob/c37ffc1532ae5760f71b27dd049c77cab5abfece/Workbooks/ProofPointThreatDashboard.json)**\r\n\r\n"
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Aggregation3"
|
||
},
|
||
"name": "text2-Aggregation3"
|
||
}
|
||
]
|
||
},
|
||
"conditionalVisibility": {
|
||
"parameterName": "Category",
|
||
"comparison": "isEqualTo",
|
||
"value": "Aggregation"
|
||
},
|
||
"name": "group-Aggregation"
|
||
}
|
||
]
|
||
},
|
||
"conditionalVisibility": {
|
||
"parameterName": "Category",
|
||
"comparison": "isEqualTo",
|
||
"value": "Aggregation"
|
||
},
|
||
"name": "group - Aggregation"
|
||
},
|
||
{
|
||
"type": 12,
|
||
"content": {
|
||
"version": "NotebookGroup/1.0",
|
||
"groupType": "editable",
|
||
"items": [
|
||
{
|
||
"type": 12,
|
||
"content": {
|
||
"version": "NotebookGroup/1.0",
|
||
"groupType": "editable",
|
||
"items": [
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "# {Category}\r\n\r\n\r\n<h2 style=\"color:blue;\">Overview:</h2>\r\n\r\nAs the threat landscape continues to grow in complexity, cyberdefenders require to make sense of the multiplicity of signals that are generated by security solutions covering different threat vectors. The ability of a SIEM solution to aggregate data from multiple sources, analyse and generate high fidelity incidents is of paramount importance. SIEM solutions accomplish this desired outcome via the process of event correlation. The ability to correlate various log sources is perhaps one of the most powerful features of a SIEM. This is because correlation brings out more relevant context and insights by stitching together events that on their own may pass as benign but taken together in a particular sequence or conditions could be uncover nefarious activity. Correlation in Microsoft Sentinel can be achieved broadly using the ‘join’ or ‘union’ commands with each of the commands having various flavors depending on the use-case to be fulfilled. Below is a summary of flavours available via the correlation options:\r\n\r\n\r\n<br>\r\nSummary of 'join' flavors <br>\r\n\r\n|No|Type |Output schema |\r\n|--|---------------|--------------------|\r\n|1|kind=leftanti, kind=leftantisemi|Returns all the records from the left side that don't have matches from the right|\r\n|2|kind=rightanti, kind=rightantisemi|Returns all the records from the right side that don't have matches from the left.|\r\n|3|kind unspecified, kind=innerunique |Only one row from the left side is matched for each value of the on key. The output contains a row for each match of this row with rows from the right.|\r\n|4|kind=leftsemi|Returns all the records from the left side that have matches from the right.|\r\n|5 |kind=rightsemi|Returns all the records from the right side that have matches from the left.|\r\n|6|kind=inner|Contains a row in the output for every combination of matching rows from left and right.|\r\n|7|kind=leftouter (or kind=rightouter or kind=fullouter)|Contains a row for every row on the left and right, even if it has no match. The unmatched output cells contain nulls.\r\n\r\n<br>\r\nSummary of 'union' flavors <br>\r\n\r\n|No|Type |Output schema |\r\n|--|---------------|--------------------|\r\n|1|inner|The result has the subset of columns that are common to all of the input tables.|\r\n|2|outer|(default). The result has all the columns that occur in any of the inputs. Cells that weren't defined by an input row are set to null.\r\n\r\n\r\n- [join](https://docs.microsoft.com/azure/data-explorer/kusto/query/joinoperator?pivots=azuredataexplorer)\r\n- [union](https://docs.microsoft.com/azure/data-explorer/kusto/query/unionoperator?pivots=azuredataexplorer)\r\n- [project](https://docs.microsoft.com/azure/data-explorer/kusto/query/projectoperator)\r\n"
|
||
},
|
||
"name": "text - 0"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "<h2 style=\"color:blue;\">I want to:</h2>"
|
||
},
|
||
"name": "text - 2"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "list",
|
||
"links": [
|
||
{
|
||
"id": "10c45a2a-2b70-422e-9997-0e4f315f7727",
|
||
"cellValue": "Section",
|
||
"linkTarget": "parameter",
|
||
"linkLabel": "1. Combine and query data from two tables with a common field",
|
||
"subTarget": "Correlation1",
|
||
"preText": "",
|
||
"style": "link"
|
||
},
|
||
{
|
||
"id": "40988c97-79b0-481a-b5a8-390f16783e15",
|
||
"cellValue": "Section",
|
||
"linkTarget": "parameter",
|
||
"linkLabel": "2. Combine and query all records from multiple tables ",
|
||
"subTarget": "Correlation2",
|
||
"preText": "",
|
||
"style": "link"
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "30",
|
||
"name": "links - 1"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "## 1. Combine and query data from two tables with a common field\r\n\r\n<h3 style=\"color:blue;\"> Operators to be used:</h3>\r\n\r\n **- [join](https://docs.microsoft.com/azure/data-explorer/kusto/query/joinoperator?pivots=azuredataexplorer)**\r\n\r\n **- [union](https://docs.microsoft.com/azure/data-explorer/kusto/query/unionoperator?pivots=azuredataexplorer)**\r\n\r\n\r\n<br>\r\n\r\n<h3 style=\"color:blue;\"> Sample queries:</h3>\r\n\r\n** - Returns a list of records from the SecurityEvent and SecurityAlert tables that share a matching computer name **\r\n\r\n<p style=\"color:red;\"> SecurityEvent <br> | where TimeGenerated > ago(1d)<br> | join (SecurityAlert) on SourceComputerId| join (SecurityAlert) on SourceComputerId</p>\r\n\r\n** - Returns a list of records from the DeviceInfo and DeviceLogoon tables that havea matchin DeviceName **\r\n\r\n<p style=\"color:red;\"> DeviceInfo <br> | where TimeGenerated > ago(1d)<br> | join (DeviceLogonEvents) on $left.DeviceName == $right.DeviceName\r\n</p>\r\n <em style=\"color:blue;\"> This query requires the DeviceInfo and DeviceLogonEvents </em> \r\n\r\n\r\n\r\n\r\n\r\n<br>\r\n\r\n<h3 style=\"color:blue;\"> Sample use cases:</h3>\r\n\r\n** - Detect whether admin accounts are being used on Windows Endpoints. This use case requires DeviceInfo logs from Microsoft 365 Defender **\r\n\r\n<p style=\"color:red;\"> DeviceInfo <br> | where TimeGenerated >ago(1d)<br> | where OSPlatform !contains \"Server\"<br> | join DeviceLogonEvents on $left.DeviceName == $right.DeviceName<br> | where TimeGenerated > ago(1d)<br> | where AccountName in ('Administrator','Admin')<br> | project DeviceName, OSPlatform, LogonType, AccountName</p>\r\n\r\n** - Detect virtual machines on which a logon type of 'Network' was registered **\r\n\r\n<p style=\"color:red;\"> SecurityEvent<br> | where TimeGenerated > ago(1d)<br> | where AccountType == \"Machine\" and LogonType == 3<br> | project Computer, AccountType, TargetAccount, Level<br> | join (ServiceMapComputer_CL | where TimeGenerated > ago(1d)<br> project Computer, Ipv4Addresses_s, FullDisplayName_s, VirtualizationState_s<br> | where VirtualizationState_s == \"virtual\") on Computer\r\n<br>"
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Correlation1"
|
||
},
|
||
"name": "text-Correlation1"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "60",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Correlation1"
|
||
},
|
||
"name": "space1-Correlation1"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "b1f79330-0e49-4c7a-b93d-773efd47d889",
|
||
"cellValue": "https://ms.portal.azure.com#@72f988bf-86f1-41af-91ab-2d7cd011db47/blade/Microsoft_Azure_Monitoring_Logs/LogsBlade/resourceId/%2Fsubscriptions%2F8bdcebd2-ea3d-41c9-bb40-e02bdbafc506%2FresourceGroups%2Foms%2Fproviders%2FMicrosoft.OperationalInsights%2Fworkspaces%2Foms101/source/LogsBlade.AnalyticsShareLinkToQuery/q/H4sIAAAAAAAAAwtOTS4tyiypdC1LzSsBAIySJcsNAAAA/timespan/P1D",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in LA Demo",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "DemoLogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "/Demo"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA62VUW%2FaMBDH3%2FspbqwSrcSKpm57mNRJrLAJlXZTQdtjZexL4s6xU9sJotqH3zkJJAjasY4TLxzn8%2F9%2Bd2f6%2FddPGsBkfDOCz7ejwRXA03FrO%2Br33zxnY%2B28zbmXRrtnA1dGCekDcCW1UEtwmDHLPIJPEB5ytBIdzFGZBcyXYDE1hdRxUNpWXgn7m7Z%2FNco3ZWmm1kI%2BkucWfW61AwZKOg8mIlHcWOEgsiYtZU%2BR51b65ahA7YFpsfYMFFoPns0VVeUT5sElzCIlS5nnSaiMmzTLPVrQLMUjWNlGzsb9GxYJUoKZTPEragzoBHwCFpuTt%2BK0HXhvpIaTDSWnYDRMTW45XtbXjsX%2BkUTjsJO1B9shFpLjWEemBFt9nZjYkL4214QVuKZah91sEG0y%2FQfO5n5ddsaVoI4VRv6suRQuLuDYyjhpOw9Ob5ZIV05q2JOHXNqSxTPIasnNmOcOgTNXDfoQPXIfgFASC0ykVDDj3OR0BsLUzjEMLB0SoeiftMBm4WCkRUZsvDuDUtEqaSOqJUiZuG7uteTWOBN5OP%2FwnkIi1ALti9q1o1tV3Lfpd8V8ZGwKr7jRnkkats4UbYG2s9XcLVD7t%2FYlA1UFDirAZeowYN1B4E7bQCeN7faq792Nk5k196FVjYBeq9QelCXMlhm5W%2BkPPn%2F1wBTS%2Bpwp2r2welhSWySSJ2GtgxLwJCUsd%2FcG%2FcLYX11YMEfjEVOZxEAc8tXboBoYhIZ1rittnXIh1njCT%2Be7wK6evF47UQ9mzMboaxdhxgLVrhfXhrZcs2yV5u5ysn8J2xrGWfFuIARtEm3qnevBl1ypoXSZYsvQ2OD6UTVBPrLwTzz1lP3ObXPZGVYSqrvYKd%2Bz1d1%2FAFb3aBxKCAAA"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "16",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Correlation1"
|
||
},
|
||
"name": "TryLADemo-Correlation1"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "24dd3e02-4daf-4af5-bd5d-5c4953daae34",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in your environment",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "LogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "{Workspace}"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA62VUW%2FaMBDH3%2FspbqwSrcSKpm57mNRJrLAJlXZTQdtjZexL4s6xU9sJotqH3zkJJAjasY4TLxzn8%2F9%2Bd2f6%2FddPGsBkfDOCz7ejwRXA03FrO%2Br33zxnY%2B28zbmXRrtnA1dGCekDcCW1UEtwmDHLPIJPEB5ytBIdzFGZBcyXYDE1hdRxUNpWXgn7m7Z%2FNco3ZWmm1kI%2BkucWfW61AwZKOg8mIlHcWOEgsiYtZU%2BR51b65ahA7YFpsfYMFFoPns0VVeUT5sElzCIlS5nnSaiMmzTLPVrQLMUjWNlGzsb9GxYJUoKZTPEragzoBHwCFpuTt%2BK0HXhvpIaTDSWnYDRMTW45XtbXjsX%2BkUTjsJO1B9shFpLjWEemBFt9nZjYkL4214QVuKZah91sEG0y%2FQfO5n5ddsaVoI4VRv6suRQuLuDYyjhpOw9Ob5ZIV05q2JOHXNqSxTPIasnNmOcOgTNXDfoQPXIfgFASC0ykVDDj3OR0BsLUzjEMLB0SoeiftMBm4WCkRUZsvDuDUtEqaSOqJUiZuG7uteTWOBN5OP%2FwnkIi1ALti9q1o1tV3Lfpd8V8ZGwKr7jRnkkats4UbYG2s9XcLVD7t%2FYlA1UFDirAZeowYN1B4E7bQCeN7faq792Nk5k196FVjYBeq9QelCXMlhm5W%2BkPPn%2F1wBTS%2Bpwp2r2welhSWySSJ2GtgxLwJCUsd%2FcG%2FcLYX11YMEfjEVOZxEAc8tXboBoYhIZ1rittnXIh1njCT%2Be7wK6evF47UQ9mzMboaxdhxgLVrhfXhrZcs2yV5u5ysn8J2xrGWfFuIARtEm3qnevBl1ypoXSZYsvQ2OD6UTVBPrLwTzz1lP3ObXPZGVYSqrvYKd%2Bz1d1%2FAFb3aBxKCAAA"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "22",
|
||
"conditionalVisibilities": [
|
||
{
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Correlation1"
|
||
},
|
||
{
|
||
"parameterName": "Workspace",
|
||
"comparison": "isNotEqualTo"
|
||
}
|
||
],
|
||
"name": "TryOwnEnv-Correlation1"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "30",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Correlation1"
|
||
},
|
||
"name": "space2-Correlation1"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "<br>\r\n\r\n<h3 style=\"color:blue;\"> Check out the relevant samples found in Microsoft Sentinel:</h3>\r\n\r\n#### Analytics Rules:\r\n\r\n **- [Possible contact with a domain generated by a DGA](https://github.com/Azure/Azure-Sentinel/blob/76578d41f67181e6c1acb16b520f48a31d248036/Detections/CommonSecurityLog/MultiVendor-PossibleDGAContacts.yaml)**\r\n\r\n **- [Anomalous login followed by Teams action](https://github.com/Azure/Azure-Sentinel/blob/06832a873e1686244f0bc02b10f79ba879078864/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml)**\r\n\r\n **- [Failed logon attempts in authpriv](https://github.com/Azure/Azure-Sentinel/blob/06832a873e1686244f0bc02b10f79ba879078864/Detections/Syslog/FailedLogonAttempts_UnknownUser.yaml)**\r\n\r\n\r\n\r\n#### Hunting Queries:\r\n\r\n **- [Azure Active Directory sign-in burst from multiple locations](https://github.com/Azure/Azure-Sentinel/blob/158019e9f69d847f506d2f1ba05af0bad64b66dd/Hunting%20Queries/SigninLogs/signinBurstFromMultipleLocations.yaml)**\r\n\r\n **- [Unused or Unsupported Cloud Regions](https://github.com/Azure/Azure-Sentinel/blob/c69fda6e8b90aa3ae797560b670a42fa8fce2859/Hunting%20Queries/AWSCloudTrail/AWS_Unused_UnsupportedCloudRegions.yaml)**\r\n\r\n **- [User Login IP Address Teleportation](https://github.com/Azure/Azure-Sentinel/blob/158019e9f69d847f506d2f1ba05af0bad64b66dd/Hunting%20Queries/SigninLogs/UserLoginIPAddressTeleportation.yaml)**\r\n\r\n **- [Potential DGA detected](https://github.com/Azure/Azure-Sentinel/blob/76578d41f67181e6c1acb16b520f48a31d248036/Hunting%20Queries/DnsEvents/DNS_HighPercentNXDomainCount.yaml)**\r\n\r\n\r\n#### Workbook:\r\n\r\n **- [Identity & Access](https://github.com/Azure/Azure-Sentinel/blob/83c6d8c7f65a5f209f39f3e06eb2f7374fd8439c/Workbooks/IdentityAndAccess.json)**\r\n\r\n#### Playbook:\r\n\r\n **- [Endpoint enrichment - Carbon Black](https://github.com/Azure/Azure-Sentinel/blob/bf839dd241e33fc253eec60db94e9eb6000bc7a9/Playbooks/CarbonBlack/Playbooks/CarbonBlack-DeviceEnrichment/azuredeploy.json)**\r\n"
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Correlation1"
|
||
},
|
||
"name": "text2-Correlation1"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "## 2. Combine and query records from multiple tables \r\n\r\n\r\n<h3 style=\"color:blue;\"> Operators to be used:</h3>\r\n\r\n **- [union](https://docs.microsoft.com/azure/data-explorer/kusto/query/unionoperator?pivots=azuredataexplorer)**\r\n\r\n **- [count()](https://docs.microsoft.com/azure/data-explorer/kusto/query/count-aggfunction)**\r\n\r\n **- [sort](https://docs.microsoft.com/azure/data-explorer/kusto/query/sortoperator)**\r\n\r\n\r\n\r\n\r\n<br>\r\n\r\n<h3 style=\"color:blue;\"> Sample queries:</h3>\r\n\r\n** - Returns list of records from two tables with multiple common fields**\r\n\r\n<p style=\"color:red;\"> let UpdateSum=UpdateSummary <br> | project Computer, OsVersion, ResourceGroup;<br> let Updt = Update<br> | project Computer, ComputerEnvironment, ResourceGroup, Type, Title, UpdateState;\r\n<br> union withsource=\"SourceTable\" UpdateSum, Update<br> | where TimeGenerated > ago(1d)\r\n</p>\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n** - Returns a list all tables with data in the workspace showing the record count for each **\r\n\r\n<p style=\"color:red;\"> union withsource=table * <br> | summarize count() by table<br> | sort by table asc</p>\r\n\r\n** - Combine multiple tables to produce a result set with a subset of columns that are common to all of the input tables**\r\n\r\n<p style=\"color:red;\"> UpdateSummary <br> | union kind=inner Update</p>\r\n\r\n\r\n<br>\r\n\r\n<h3 style=\"color:blue;\"> Sample use cases:</h3>\r\n\r\n** - Returns a list vulnerabilities from Microsoft Defender for Endpoint that have a severity level of “Critical” or “High” with a CVSS <br> score of greater than 7 and have a known public exploit **\r\n\r\n<p style=\"color:red;\"> DeviceTvmSoftwareVulnerabilities <br> | where VulnerabilitySeverityLevel == 'Critical' or VulnerabilitySeverityLevel == 'High' <br> | join kind=inner (DeviceTvmSoftwareVulnerabilitiesKB) on CveId | where IsExploitAvailable !=0 and CvssScore > 7 </p>\r\n\r\n\r\n\r\n** - The query will return a list of any accounts that were created but have never been used even once over the past 90 days **\r\n\r\n<p style=\"color:red;\"> IdentityInfo<br> | where TimeGenerated > ago(30d)<br> | where AccountCreationTime < ago(90d) //filter out anything that was created earlier than 90<br> | where isnotempty(AccountCreationTime) //confirm no blanks<br> | where isempty(DeletedDateTime) //account was not deleted after it was created<br> | where IsAccountEnabled == true // confirm account is not disabled<br> | join kind=leftanti (SigninLogs | where TimeGenerated > ago(90d)) on $left.AccountUPN == $right.UserPrincipalName\r\n</p>\r\n<br>"
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Correlation2"
|
||
},
|
||
"name": "text-Correlation2"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "30",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Correlation2"
|
||
},
|
||
"name": "text - 11"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "30",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Correlation2"
|
||
},
|
||
"name": "space1-Correlation2"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "16d4a38e-8e1e-46bb-a568-722d28989793",
|
||
"cellValue": "https://ms.portal.azure.com#@72f988bf-86f1-41af-91ab-2d7cd011db47/blade/Microsoft_Azure_Monitoring_Logs/LogsBlade/resourceId/%2Fsubscriptions%2F8bdcebd2-ea3d-41c9-bb40-e02bdbafc506%2FresourceGroups%2Foms%2Fproviders%2FMicrosoft.OperationalInsights%2Fworkspaces%2Foms101/source/LogsBlade.AnalyticsShareLinkToQuery/q/H4sIAAAAAAAAAwtOTS4tyiypdC1LzSsBAIySJcsNAAAA/timespan/P1D",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in LA Demo",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "DemoLogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "/Demo"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA7VW227bRhB911dM0wCWCzdykYfAaBXAkYVUsOsGlu33JTmUJl7OsrtLMiz6kA9Jfy5f0tklKcuRLy3gLgxJJGdnzpxzZunJ5PsHF8DZ4nwO7y7mx6cAD8dt1mgy%2BfGxtWDnbZV6MuweDRyWJJQ%2FgFPiTLfgsFRWeQS%2FRvijQkvoIEFtGkhasFiYmngVkG4j74A9he2%2FLsl3gb6y7ECT82ByAZAamznIrSnANwa8SrQgbMivoai0p1IjpKYoDENOqDM3gs3S6OGqzKS9ZVVMN78KZdvbqL%2BgtOYjph5mpigrj%2FYAfnfXaJ1wegAX6ExlU3xvTVX%2BPPo2t4dpX%2BLxjMOvOddkDRfI%2FpvcB3DZliif5LV89Wi9fGxVrVhAxe67ndMXy%2Fh9GWh5cdvswT2gmjValPQFvkfGIHoGb0GtzPinbF%2B4f17XDkqqTkul9R3tBJwC4mi7xtgbV6oUwa1NE%2BwW7nbSi7YVe8iNBVTperTLQMwKP2x36qLG9Cd2u8f7wcsx7k6UsX7zAJRLn50DET0hxluj9gx4ExySVdKxkj6dPJZB9B0zSuAn4UrsnxpdFUKiXyuh0G6cLgkCoRIRmCIWa%2FW5R%2FCgzTvmbmTup8RigMEi%2F7PydaWD2xLS5MPhEkf5N0qtcSb3cII5ciZogsRzzkpDondseK3qQJDDWo4l38rI1Rib%2Fvr5y0zuUKr0189%2Fg2yUO7%2FSah2uehJn18slOLEQhh0ri9KqDXkZ3oDibMh%2Bw6ZhKKtEUwr4qdSG%2FC1rJ1iTTFddLAVrIwpc3%2B1md762A9plD%2F0sIp9OYW%2FAvRdQPxEbOtrbrvBRuNkWcPwUvNN3%2ByCaz2pcZBuECzfv2jyuFelo%2Fu%2Bmh5GTWe3cMnL2Ft48uzEu%2B1dMKxqJe230yWATEUlxCyqNI9tbvgl406hdBknVW4IDU%2FKSQobKyQO5ZGlTpsnUUWOEUknKo0M5ZtotjRaZHLtC8YJz8%2B9OxteHcjTuRB53IGcBmMxU2Ai%2FxPgjiYfJJCcd3GYEsTTl192ZFhpSbtMPKqtp8OTR4W4Zcmw8FqVvx%2FdUDHVSwznZAthAohXf3ONHcl2GE5Q3FmYnUnrY3XMdQUklyLoQUHkAT3fQ7iZeuB7UnIOHsmBZ%2BVcEJTEMuIYK1BcgF0Pv97TG3CvRB8ZLWjHxmVm5R8UJZEd%2FvwxbX%2FVwrj6cBygvrUyPf3Xl0H6wxCmVSp%2Br4pmPu38A%2BfocNuwJAAA%3D"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "16",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Correlation2"
|
||
},
|
||
"name": "TryLADemo-Correlation2"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "d1ace013-f3a5-4f34-8120-65febf2dad36",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in your environment",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "LogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "{Workspace}"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA7VWwW7bRhC95yumcQDLhRu56CFwWwVwZCEV7LqBZfu%2BJIfSxMtZdndJhkUP%2BZD25%2FIlnV2SshzZig%2FuQqBIanbmzZs3sxqPf9i15uy8rVJPhnfaDevFeCwfgDPiTLfgsFRWeYQ%2FK7SEDhLUpoGkBYuFqYmXsLe3B%2Bfzixm8u5ydnIXHzseTwj11ib%2Bp0mmlBYsDv0LIKM%2FRIqcIxFAQV4IyQd8gMlxRge%2BRMUDPQHEGbBrxsffogs0c4HG79RJvC1WUek3Nz%2FLmEn1l2YEm58HkQlJqbOYgt6YA3xjwKtGSQEN%2BBUWlPQUHqSkKw5AT6sy9gGFp9HBdZpLCoiom67tC2fbO6G8orfmIqYepKUrhwB7CH%2B4GrZOKH8IlOlPZFN9bU5W%2FbPn2MOlD7PY43M24Jmu4QPZf%2BT6Eq7ZEuZLX8tWj9XLZiFqxgIrJdzsnLxfx%2Byqw8vIu2cMHQDUrqfZXhX0LamlGP2YHz17aoZCqK6XS%2Bl7pBJwKsgtCbIy9daUSHbqVaUJHhLdd5aW0FXvIjQVU6WoHE9E7fL%2BZsYu1pr%2Bw8zI6CG0X7e5ZGevXP4By6bNzIcVPiPFOrz0T3gSlZJVkriRfJz%2FLvPAdQ0rgJ%2BFJuiA1uio4tK0SKu1a8OIgECsWgTFikVjv%2By7BR2XfMXgrY2pCLIIYJPM%2FNXnlBLZy99u8V0dd6aDIhDT5MCNjt%2F9OqTXO5B5OMUfOBGGQwYyz0pBoIpKxUnUgz2EtI8S30pY1RkK%2BfP5nKm8oVfrL539BNsqb32i5Ck89wdObxQKcyAzDjqVFSd8Gvwxv4szrvd%2FK7GMoq0RTCvip1IZ8x%2BQp1iTdVxcLwdlIZW7uZ7Ldf5sG7aKHfR5RTyawP2DeD4i%2FYRuy2d%2BM8FF42Szo6Fvwzt4dgGhgWuM8WyOcu1mX4kmtSMem%2BG5yFPmY1s4tIl9v4c2zC%2BVq1R0FrdRHVG2jRgaJSIEUt6DS2Mp9KzQBbxrrlkFS9XLgwJScZHKMiegykEeWNKXLTB3ri1AqcXl8JGOo3ajRPJOxLBTPOTdPm5w%2FHcno3LI86UBOAzDpsbARfo32x2IP43FOOijNCGJJyq%2B6mRcSUm6dDyqradDj8dF2GHJsPBalb0cPRAxxUsM52ULObki04tsH9Eiu83CKcqJhdiqhh9091xGURIKsMwGVB%2FB0D%2B2247nrQc04aCgLkpU%2FUiiOYcA1RKA%2BALlo%2BrCmNeZeSX1gtKAlE5%2BbpdtZnEB21PersPV1D%2Bf6w0WA8spK9%2FjX1w7tB0ucUqn0hSrwP1lGBYEOCgAA"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "22",
|
||
"conditionalVisibilities": [
|
||
{
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Correlation2"
|
||
},
|
||
{
|
||
"parameterName": "Workspace",
|
||
"comparison": "isNotEqualTo"
|
||
}
|
||
],
|
||
"name": "TryOwnEnv-Correaltion2"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "30",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Correlation2"
|
||
},
|
||
"name": "space2-Correlation2"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "<br>\r\n\r\n<h3 style=\"color:blue;\"> Check out the relevant samples found in Microsoft Sentinel:</h3>\r\n\r\n#### Analytics Rules:\r\n\r\n **- [Failed AzureAD logons but success logon to host](https://github.com/Azure/Azure-Sentinel/blob/06832a873e1686244f0bc02b10f79ba879078864/Detections/MultipleDataSources/AADHostLoginCorrelation.yaml)**\r\n\r\n **- [Multiple Password Reset by user](https://github.com/Azure/Azure-Sentinel/blob/9360261b187d1c9d29262bca6641f8383732c703/Detections/MultipleDataSources/MultiplePasswordresetsbyUser.yaml)**\r\n\r\n **- [Time series anomaly for data size transferred to public internet](https://github.com/Azure/Azure-Sentinel/blob/9efc5f1f3ebfcaccd1922df317167afeec38e6d9/Detections/MultipleDataSources/TimeSeriesAnomaly-MultiVendor_DataExfiltration.yaml)**\r\n\r\n#### Hunting Queries:\r\n\r\n **- [Tracking Privileged Account Rare Activity](https://github.com/Azure/Azure-Sentinel/blob/c69fda6e8b90aa3ae797560b670a42fa8fce2859/Hunting%20Queries/MultipleDataSources/TrackingPrivAccounts.yaml)**\r\n\r\n **- [Rare Custom Script Extension](https://github.com/Azure/Azure-Sentinel/blob/76578d41f67181e6c1acb16b520f48a31d248036/Hunting%20Queries/AzureActivity/Rare_Custom_Script_Extension.yaml)**\r\n\r\n **- [Failed service logon attempt by user account with available AuditData](https://github.com/Azure/Azure-Sentinel/blob/c69fda6e8b90aa3ae797560b670a42fa8fce2859/Hunting%20Queries/MultipleDataSources/FailedSigninsWithAuditDetails.yaml)**\r\n\r\n#### Workbooks:\r\n\r\n **- [Threat Intelligence overview](https://github.com/Azure/Azure-Sentinel/blob/e12de62f4f34221a030679a2f872db3e4cb1085d/Workbooks/ThreatIntelligence.json)**\r\n\r\n\r\n#### Parsers:\r\n\r\n **- [ASIM Source Agnostic Process Creation Event Parser](https://github.com/Azure/Azure-Sentinel/blob/6d9537bc187b28d1d6fedb74531cc6364a082a57/Parsers/ASimProcessEvent/ProcessEventCreate.yaml)**\r\n\r\n\r\n"
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Correlation2"
|
||
},
|
||
"name": "text2-Correlation2"
|
||
}
|
||
]
|
||
},
|
||
"conditionalVisibility": {
|
||
"parameterName": "Category",
|
||
"comparison": "isEqualTo",
|
||
"value": "Correlation"
|
||
},
|
||
"name": "group-Correlation"
|
||
}
|
||
]
|
||
},
|
||
"conditionalVisibility": {
|
||
"parameterName": "Category",
|
||
"comparison": "isEqualTo",
|
||
"value": "Correlation"
|
||
},
|
||
"name": "group - Correlation"
|
||
},
|
||
{
|
||
"type": 12,
|
||
"content": {
|
||
"version": "NotebookGroup/1.0",
|
||
"groupType": "editable",
|
||
"items": [
|
||
{
|
||
"type": 12,
|
||
"content": {
|
||
"version": "NotebookGroup/1.0",
|
||
"groupType": "editable",
|
||
"items": [
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "# {Category}\r\n\r\n\r\n<h2 style=\"color:blue;\">Overview:</h2>\r\n\r\nA key function of a SIEM solution is to detect deviations from the norm that might represent malicious activity in one’s environment. Anomaly detections can be particularly useful in uncovering threats that do not lend themselves to detection by traditional rule-based analytics. Thankfully, KQL does come with built-in anomaly detection functions that make the process of building anomaly detection queries that much easier. \r\n\r\n\r\n<br>\r\n"
|
||
},
|
||
"name": "text - 0"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "<h2 style=\"color:blue;\">I want to:</h2>"
|
||
},
|
||
"name": "text - 2"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "list",
|
||
"links": [
|
||
{
|
||
"id": "10c45a2a-2b70-422e-9997-0e4f315f7727",
|
||
"cellValue": "Section",
|
||
"linkTarget": "parameter",
|
||
"linkLabel": "1. Detect anomalies within time series data",
|
||
"subTarget": "Anomaly1",
|
||
"preText": "",
|
||
"style": "link"
|
||
},
|
||
{
|
||
"id": "40988c97-79b0-481a-b5a8-390f16783e15",
|
||
"cellValue": "Section",
|
||
"linkTarget": "parameter",
|
||
"linkLabel": "2. Detect outliers within time series data",
|
||
"subTarget": "Anomaly2",
|
||
"preText": "",
|
||
"style": "link"
|
||
},
|
||
{
|
||
"id": "1bd89840-ebcc-48f9-b9e8-20ca1c0a2a4b",
|
||
"cellValue": "Section",
|
||
"linkTarget": "parameter",
|
||
"linkLabel": "3. Detect anomalous activities based on built-in customizable rules",
|
||
"subTarget": "Anomaly3",
|
||
"style": "link"
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "30",
|
||
"name": "links - 1"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "## 1. Detect anomalies within time series data\r\n\r\n<h3 style=\"color:blue;\"> Operators to be used:</h3>\r\n\r\n **- [series_decompose_anomalies()](https://docs.microsoft.com/azure/data-explorer/kusto/query/series-decompose-anomaliesfunction?WT.mc_id=Portal-fx)**\r\n\r\n **- [series_outliers()](https://docs.microsoft.com/azure/data-explorer/kusto/query/series-outliersfunction?WT.mc_id=Portal-fx)**\r\n\r\n **- [series_fit_line()](https://docs.microsoft.com/azure/data-explorer/kusto/query/series-fit-linefunction)**\r\n\r\n **- [make-series](https://docs.microsoft.com/azure/data-explorer/kusto/query/make-seriesoperator)**\r\n\r\n\r\n\r\n<br>\r\n\r\n<h3 style=\"color:blue;\"> Sample queries:</h3>\r\n\r\n** 1. Create a Time series across 30 days with samples taken over 1 day intervals**\r\n \r\n<p style=\"color:red;\"> SigninLogs<br> | make-series Trend=count() default=0 on TimeGenerated in range(startofday(ago(30d)), now(), 1d) by UserPrincipalName </p>\r\n\r\n<p style=\"color:blue;\"> <em>Data may not be available in LA Demo </em> </p>\r\n\r\n** 2. Create a Time series across 30 days with samples taken over 1 day intervals, then plot a chart to visualize the distribution**\r\n<p style=\"color:red;\"> SecurityEvent<br> | make-series Trend=count() default=0 on TimeGenerated in range(startofday(ago(30d)), now(), 1d) by UserPrincipalName<br> | extend (anomalies, score, baseline) = series_decompose_anomalies(Trend, 1.5, -1, 'linefit')<br> | render timechart </p>\r\n\r\n<br>\r\n<p style=\"color:blue;\"> Sample output would look like below: </p>\r\n\r\n <img width='1000' src='https://github.com/iwafula025/SIEM-Rule-Migration/blob/main/TimeSeriesData.PNG?raw=true'/>\r\n\r\n<br>\r\n\r\n\r\n\r\n\r\n\r\n\r\n<h3 style=\"color:blue;\"> Sample use cases:</h3>\r\n\r\n** - Detect the creation of an anomaulous number of resources**\r\n\r\n<p style=\"color:red;\"> AzureActivity<br> | where TimeGenerated >= ago(30d)<br> | where OperationName == \"Create or Update Virtual Machine\" or OperationName == \"Create Deployment\";<br> | make-series num = dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(30d), now(), 1d) by Caller<br> | where ResultDescription =~ \"User did not pass the MFA challenge (non interactive).\"<br> | extend (flag, score, baseline) = series_decompose_anomalies(Trend)<br> failedMFAChallengeLogons<br> | make-series Trend=count() default=0 on TimeGenerated in range(startofday(ago(30d)), now(), 1d) by UserPrincipalName<br> | extend (flag, score, baseline) = series_decompose_anomalies(Trend)<br> | extend outliers=series_outliers(num, \"ctukey\", 0, 10, 90)<br> | project-away num<br> | mvexpand outliers\r\n<br> | where outliers > 0.9\r\n<br> | summarize by Caller<br> \r\n</p>\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n** - Detect authentication attempts from an unusually large number of locations**\r\n\r\n<p style=\"color:red;\"> SigninLogs<br> | where TimeGenerated >= ago(30d)<br> | extend locationString= strcat(tostring(LocationDetails[\"countryOrRegion\"]), \"/\", tostring(LocationDetails[\"state\"]), \"/\",<br> tostring(LocationDetails[\"city\"]), \";\")<br> | project TimeGenerated, AppDisplayName , UserPrincipalName, locationString<br> | make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(30d)),now(), 1d) by UserPrincipalName,<br> AppDisplayName| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount)<br> | where Slope >0.3<br> \r\n</p>\r\n\r\n** - Returns a number of tables from your workspace that have experienced an anomalous ingestion in relation to the established <br> baseline over the past 30 days**\r\n\r\n<p style=\"color:red;\"> let UpperThreshold = 3.0; <br> let MinimunIngestionPerDay = 50;<br> let MinimumPercentageIncrease = 30;<br> Usage<br> | where IsBillable == \"true\"<br> | make-series Qty=sum(Quantity) on TimeGenerated from ago(30d) to now() step 1d by DataType<br> | extend (anomalies, score, baseline) = series_decompose_anomalies(Qty, 1.5, 0, 'linefit', 1, 'ctukey',0.01)<br> | where anomalies[-1] == 1 or anomalies[-1] == -1<br> | extend Score = score[-1]<br> | where Score >= UpperThreshold <br> | extend PercentageQtyIncrease = ((round(todouble(Qty[-1]),0)-round(todouble(baseline[-1]),1))/round(todouble(Qty[-1]),0) * 100)<br> | project DataType,ExpectedQty=round(todouble(baseline[-1]),0), ActualQty=round(todouble(Qty[-1]),0),round(PercentageQtyIncrease,0)<br> | order by round(todouble(PercentageQtyIncrease),0) desc <br> | where ActualQty >=MinimunIngestionPerDay and PercentageQtyIncrease >= 30\r\n<br> | summarize count() by Account\r\n</p>\r\n\r\n<br>\r\n\r\n\r\n"
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Anomaly1"
|
||
},
|
||
"name": "text-Anomaly1"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "60",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Anomaly1"
|
||
},
|
||
"name": "space1-Anomaly1"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "b1f79330-0e49-4c7a-b93d-773efd47d889",
|
||
"cellValue": "https://portal.azure.com/#blade/Microsoft_Azure_Security_Insights/MainMenuBlade/4/id/%2Fsubscriptions%2Fdeffe5f0-ccd2-4f7e-901b-76d5967561fd%2Fresourcegroups%2Fcybsec%2Fproviders%2Fmicrosoft.securityinsightsarg%2Fsentinel%2Fcybsecsoc",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in LA Demo",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "DemoLogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "/Demo"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA81X32%2FaSBB%2Bz18x4h5qn0xiFPWhqoiUJukJNWnTkPalqqrFHmAv9q67u4ZSne5vv28NBhNMqlac7qxEBO%2Fs%2FPzmm8nJyW97H6LrwdsrenV3df6GaL%2Fc%2Bjk6Oek%2B9QyUdaZMnNTKPilYP1CIH6I3UqXZgiwXwgjH5KZMX0s2ki2NONNzGi3IcK5nUk28p03Pl479yLeffaDvwrB3RtC9zBnOVe6IxGhr6TSmVCwszaWbkhV5keHMiQdWpGdsqOePSSrHZiYyezSUEyXVtZ7Yo78oh1x3pe%2FesEr7iS6VC0JKeSzKzPVj0qoy%2Bwcr9ilJoYuMUBMOrBPG6TH0B2Kig9M4DcOIlJ4H%2BOiloc%2FVB2i%2FNVIlshDZW5EzwjksEA6YnMjXW1GRaQd9yRThkdM0k7YUmfy%2BhEMqgS05Kj24jqh%2BhpyURrrF1YyV27z%2Bb1LcMM%2FfHGxSIJTOEQMjRptowxGNhOVMKg6pv8ral5QTnRfa8pe1eFD5DFvHzyPq9iJ65u%2BMpXsWNs14IeTTIYoqbQev8iU7TlxVgMQXHMknPSahqHK1zHRpSZX5CF7gvWGrS5Ow3Th5%2Fr00fA5OmKFMTd%2FnUzb8qABnfarzvSv6rvBS8MAnm%2Fp96qwwqA19KFL%2F10dpHDBDNyKZIl8df7T32iUDcYscwOm83AcdhIY6pUvs3K2iG6SPUFShb1iOcmktDPmYgKC82ACqjuoxiC5ElrHZjRWmoP2SbWJkUWW9%2Fzd1POTQCCmUOCoEOs0X5ub1uW8aKIIlChSEq9YSPukcHnfagDnOxOSXMNkozFjIjFOYv6itg99A%2Ff%2FDPjxEuGttunQQMLa%2Fulx%2FD4CWiDqJKx940Ykoho%2F4fRFvKSmM%2FhM91RVzcCBubGVrxt8K0TCxi4z6hM4oPn7RPLdlngvj%2BXIDrH%2BJD0TpGdvJZMkIwjnOC2dpbHTuyaFUpedujPRMGIBywxCZXt5pRNYYjb9GD6uy1KqHmBNqgtI6gxeB07Z6EVyvzhEDgGs%2FdSokmsU7c8cTvO98Bqg6Jyjc%2FisApOO14MaJJ64k4L3ljZedNiBsxxjReVFcSltkYlERVrQL8OhRqPv6La19ufCBbnhs%2B3b4s%2F33g%2FZrZmU7lk073g2%2FlgKtOMx0wdFHoFaohKO79V8DT2AJV9QXXaNXX0sX1v2GMfjF92%2BwHWDLyKj001l8fHrwTrhjVxqFlacBbidGftOpumCBUUFzbR5sIRK%2FwghHUzFj5KDwYSDKdD1HqzGKWmBsyIq%2BMUmzZW9hEfIk7wfKKJN2ils1fy2XKX%2BKWeDqrWuThYwdBiOs3U8xmKc6S4GB0%2BP45bbIjVQyL9WgNn%2FL5hLU1Kfn7ZL5rS%2BNcmLCA%2BW3Asteb1P4g8XhbjkG9pXMMp%2Bkag7jfwXu7APve7fog9GC96UA0bhFC0yXbLPCpU9UhUz0PRdApwfnpXDiflEcdjWDZ6vFLG7sZXiFb0vufxbFx3GvBY9rJZ%2B6vc8%2BBz2%2Foey87fZaHB56J71n%2FtNLtsC9EgFLble9RdmmhIimUcUgMGilFKSZ6hJ18sF6W2EUh91HR3W6lue9MDzZf5d%2BxyhsnYPrGkVXaIwEdfWVf9JUDPbBRokB0yLaMBotj1pjjbad0cbv0f6fzG1trXergFLsZrsVWLuFKuzpK7E3%2FWe%2Bi9oner00wcPzpPpyWEL7B3gLNOgnEAAA"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "16",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Anomaly1"
|
||
},
|
||
"name": "TryLADemo-Anomaly1"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "24dd3e02-4daf-4af5-bd5d-5c4953daae34",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in your environment",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "LogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "{Workspace}"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA81XXW%2FaSBR9z6%2B4Yh9ir0xiFPWhWxEpTdIVatKPkPalqqrBvsBs7Bl3ZgylWu1v3zMGgwkmVSukXSsRwXPnfp577s3p6W97H6KbwZtrenl3ffGaaL%2Fc%2Bjk6Pe0%2B9QyUdaZMnNTKPilYP1CIH6LXUqXZgiwXwgjH5KZMX0s2ki2NONNzGi3IcK5nUk28p03Pl479yLeffaDv0rB3RtC9zBnOVe6IxGhr6SymVCwszaWbkhV5keHMiQdWpGdsqOePSSrHZiYyezSUEyXVjZ7Yo78ph1x3pe%2FesEr7iS6VC0JKeSzKzPVj0qoy%2Bycr9ilJoYuMUBMOrBPG6TH0B2Kig7M4DcOIlJ4H%2BOiloc%2FVB2h%2FZ6RKZCGyNyJnhHNYIBwwOZGvt6Ii0w76kinCI6dpJm0pMvl9CYdUAltyVHpwHVH9DDkpjXSL6xkrt3n936S4YZ6%2FOdikQCidIwZGjDbRhiMaCcuZVBxSf5W1LyknOi%2B05S9r8aDyGbZOnkXU7UV07O%2BMpTsOm2a8EPLpEEWVtoNXeVgVj0rLlMBx%2BwfeXbHjxFVFSTwIUBDSYxKKKvfLTJeWVJmP4BneG7a6NAnbjeMX30vDF%2BCJGUrXjGc%2BZcOPinLep7oGu6JvCy8FD3wBqN%2BnzgqX2tCHIvV%2FfZTGAUd0K5IpctjxR3uvXTFQuMgBps6LfXBCaKhdusTT3Sq6QfoIWRUih%2BUol9bCkI8JqMqLDcjqqB4D61JkGZvdWGEK2q%2FYJkYWVdb7%2F1DHwxDNkUKJo0Kg%2B3xhbl9d%2BEaCIliiQEG4ajfhk87hSacNrONMTH4Jp43CjIXMOIX5y9o6OA%2Fj4H%2FYm4cId61Nlw4CxvZXl%2BvvAdASUSdx5QMvOhHF8BG%2Fz%2BMtJYXRf6GnumIOXsSNrWzN%2BFshGiZ2kVGf0DnFJ8%2Bb57bMc2E8hzaAdViSoDUjiNLzuJPJkhOEc5wXztLY6NzTQ6lKz%2BgY9JkwgOWGIzK9vNOIrTEwf40gVoWpVQ8xPdQExXUGLwKnbfUiuFmdIwZA137qVFg0i7fmjid43%2FkMWHVOUbr9VwBJx2vBjRNPXEnAfMsbLzptUNiOMaKLoriStsjEoqKsaBfi0aNQ93VcWvty6QPdMNn27fBnO%2FAHDdjMynYsm4a8G34tBZpxmOmCo4%2FArVAJR3frvwaewhKuyC%2B6Qbe%2Bki6sOw7D8Yvv4GA7wJahUemn8%2Fjk7LDzcm0Iau%2FYlUZhI2qg3ImRX4SqdlhgatBcmwdbiMRvOMLRVMwYySh8PAg3XY%2FUaqKiKJggsmJyDNVs2WTYkzzf%2B9kyyqSdcrqJt%2Ba05dLlxTAfXL2dbeQydhiWMHs%2FxbCe6iwFKs5O4hfbIrdSybxUg9qPd2yuQFd9etYumb%2FzxVJOTHig%2FKaAJQJ6m8IfLA53CzSwL2WW%2BWxVsxn%2FU3BnH5zfu0UfLBe8LwWoxy1agLvknxVSfcYqrIIJuABePVyvhBP3i%2BKwKxw8Wy1wcWN%2Fwyt8W86D4yg%2BiXstCF0r%2BdTtffY56PmtZedtt9fi8NA76T3zn16ypQEqEfDmdtVblG1KiGgaVQwCg%2BZKQaOpLlEnH6y3FUZx2H10VKdred4Lw9P9d%2Bl3jMfW2biuUXSNDklQV1%2F5J03F4CNsmRg5LaINo9HyqDXWaNsZbfy%2B7f8Z3dbWercKKMW%2BtluBtVuowp6%2BEnvTf%2B67qH3K14sUPLxIqi%2F%2FAgOsmysBEAAA"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "22",
|
||
"conditionalVisibilities": [
|
||
{
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Anomaly1"
|
||
},
|
||
{
|
||
"parameterName": "Workspace",
|
||
"comparison": "isNotEqualTo"
|
||
}
|
||
],
|
||
"name": "TryOwnEnv-Anomaly1"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "30",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Anomaly1"
|
||
},
|
||
"name": "space2-Anomaly1"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "<br>\r\n\r\n<h3 style=\"color:blue;\"> Check out the relevant samples found in Microsoft Sentinel:</h3>\r\n\r\n#### Analytics Rules:\r\n\r\n **- [Process execution frequency anomaly](https://github.com/Azure/Azure-Sentinel/blob/76578d41f67181e6c1acb16b520f48a31d248036/Detections/SecurityEvent/TimeSeriesAnomaly-ProcessExecutions.yaml)**\r\n\r\n **- [Exchange workflow MailItemsAccessed operation anomaly](https://github.com/Azure/Azure-Sentinel/blob/06832a873e1686244f0bc02b10f79ba879078864/Detections/OfficeActivity/MailItemsAccessedTimeSeries.yaml)**\r\n\r\n\r\n#### Hunting Queries:\r\n\r\n **- [GitHub Repo Clone - Time Series Anomly](https://github.com/Azure/Azure-Sentinel/blob/158019e9f69d847f506d2f1ba05af0bad64b66dd/Hunting%20Queries/SecurityEvent/UserAccountCreatedDeleted.yaml)**\r\n\r\n **- [Detect anomalously large Log Analytics queries by users](https://github.com/Azure/Azure-Sentinel/blob/c69fda6e8b90aa3ae797560b670a42fa8fce2859/Hunting%20Queries/LAQueryLogs/QueryDataVolumeAnomolies.yaml)**\r\n\r\n\r\n#### Workbooks:\r\n\r\n **- [Data Collection Health monitoring](https://github.com/Azure/Azure-Sentinel/blob/83c6d8c7f65a5f209f39f3e06eb2f7374fd8439c/Workbooks/DataCollectionHealthMonitoring.json)**\r\n\r\n **- [Azure Key Vault](https://github.com/Azure/Azure-Sentinel/blob/83c6d8c7f65a5f209f39f3e06eb2f7374fd8439c/Workbooks/AzureKeyVaultWorkbook.json)**\r\n\r\n"
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Anomaly1"
|
||
},
|
||
"name": "text2-Anomaly1"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "## 2. Detect outliers within Timeseries data\r\n\r\n<h3 style=\"color:blue;\"> Operators to be used:</h3>\r\n\r\n **- [materialize()](https://docs.microsoft.com/azure/data-explorer/kusto/query/materializefunction)**\r\n\r\n **- [make-series](https://docs.microsoft.com/azure/data-explorer/kusto/query/make-seriesoperator)**\r\n\r\n **- [dcount()](https://docs.microsoft.com/azure/data-explorer/kusto/query/dcount-aggfunction)**\r\n\r\n **- [range](https://docs.microsoft.com/azure/data-explorer/kusto/query/rangeoperator)**\r\n\r\n **- [summarize](https://docs.microsoft.com/azure/data-explorer/kusto/query/summarizeoperator)**\r\n\r\n **- [iif()](https://docs.microsoft.com/azure/data-explorer/kusto/query/iiffunction)**\r\n\r\n **- [avg](https://docs.microsoft.com/azure/data-explorer/kusto/query/avg-aggfunction)**\r\n\r\n **- [project-away](https://docs.microsoft.com/azure/data-explorer/kusto/query/projectawayoperator)**\r\n\r\n **- [autocluster()](https://docs.microsoft.com/azure/data-explorer/kusto/query/autoclusterplugin#:~:text=autocluster%20finds%20common%20patterns%20of%20discrete%20attributes%20%28dimensions%29,can%20potentially%20work%20on%20any%20filtered%20data%20set.)**\r\n\r\n **- [basket()](https://docs.microsoft.com/azure/data-explorer/kusto/query/basketplugin)**\r\n\r\n<br>\r\n\r\n<h3 style=\"color:blue;\"> Sample query:</h3>\r\n\r\n** 1. Plot a chart to show deviation/outliers from expected pattern of input values **\r\n \r\n<p style=\"color:red;\"> range x from 1 to 1 step 1<br> | project x=range(bin(now(), 1h)-11h, bin(now(), 1h), 1h) , y=dynamic([2,5,6,8,11,15,17,18,25,26,30,30])<br> | extend (RSquare,Slope,Variance,RVariance,Interception,LineFit) = series_fit_line(y)<br> | render timechart </p>\r\n\r\n<h3 style=\"color:blue;\"> Sample use case:</h3>\r\n\r\n\r\n** - Detect whether the operation of \"Create role assignment\" was performed by an expected identity in Azure**\r\n\r\n<p style=\"color:red;\"> AzureActivity<br> | where TimeGenerated > ago(30d)<br> | where OperationName == \"Create role assignment\"<br> | where ActivityStatus == \"Succeeded\"<br> | project Caller, CallerIpAddress<br> | evaluate basket()<br> | join kind=leftouter (AzureActivity // include all records from left but only \t\tmatched from the right<br> | where OperationName == \"Create role assignment\"<br> | where ActivityStatus == \"Succeeded\"<br> | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Caller, CallerIpAddress)\r\n\t on Caller, CallerIpAddress<br> | project-away Caller1, CallerIpAddress1<br> | where isnotempty(StartTime)<br> | extend timestamp = StartTime, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress<br> | project timestamp, AccountCustomEntity, IPCustomEntity, Percent\r\n\r\n</p>\r\n\r\n<br>"
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Anomaly2"
|
||
},
|
||
"name": "text-Anomaly2"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "30",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Anomaly2"
|
||
},
|
||
"name": "text - 11"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "30",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Anomaly2"
|
||
},
|
||
"name": "space1-Anomaly2"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "16d4a38e-8e1e-46bb-a568-722d28989793",
|
||
"cellValue": "https://ms.portal.azure.com#@72f988bf-86f1-41af-91ab-2d7cd011db47/blade/Microsoft_Azure_Monitoring_Logs/LogsBlade/resourceId/%2Fsubscriptions%2F8bdcebd2-ea3d-41c9-bb40-e02bdbafc506%2FresourceGroups%2Foms%2Fproviders%2FMicrosoft.OperationalInsights%2Fworkspaces%2Foms101/source/LogsBlade.AnalyticsShareLinkToQuery/q/H4sIAAAAAAAAAwtOTS4tyiypdC1LzSsBAIySJcsNAAAA/timespan/P1D",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in LA Demo",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "DemoLogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "/Demo"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA8VUXU%2FbQBB851es6IsjHQoGQXlxpZSmVQSiiFR9qSp0sTfxge%2FO3K2TGPHju2dwggmhrVSpKytft7s3OzObfv%2Fd1gA4H10M4ePVcHAGsD1vFTv9%2Ft5bMTKeXJWSssa%2FmdgGN%2BQH4EyZrKjBYymdJATKEe4qdAo9TLCwC5jU4FDbuTKzgPQ58kdgv8P2t8H9LgtLICHNpSMgCz5nIBnOlQwT9m1FhULnYeqsBlyWmBJmUEoidAbsFJQpK4K5LCr0O9CGk2aGsHwsi0PjGDxhCfE6Bx6gdPaGO8IyaQqiiTKRsYuoJyDOe3txnAvo%2Fta8gIA6yWojtUqjHwfiSByLExHHIj4S8XsRn4iDI3FwLA73%2BfnZ23l2Iy4JTQbR1fiukg7FuLAliu%2FSKWlSFFerTyPDE6ZYBhrEuTL4WVEPEtYvKHY9VXRd8K9R3WnvuDk6IKWxoZQZ%2Frfe%2FIQUCFvkyP5xjYl4ANeoFeTYPXUY3OVsgSC9VzOj0dAuLKQHTpxap1lAtpo0az1VxjmKalYTBveVw%2FVMzdcB%2B33O589HZQgO4RtP%2BgVNQMB9PoCc2ehwP%2BttZn5tYV5IjZAkW6FulrbXj0lS5ZvacZWmiBlmnfTWT6eyKNCJp%2FdROcgyh953jBAsG66fSH%2BLFHUQ31gm4pYXNilwSrwETHXUYQJ4pZVJiypj7EXBwqfWZU97EopgwmthDW%2B8lpTmTE5zFARzapbT%2FyHIV1qzw%2B8RONVRUI89rXnFOkLymg1N1p7K5YvTYJ8tFPd45j%2Bh%2F0mpPbmQba94oyDenFR5Ywl1SXW0muC1BQ8b6EnqkgdYJQomKrWVodPKk9XDR88nK7yjy1cP3hpgfdGrzV%2F2FHAZ%2FlUM%2FQJrBWlQtAYAAA%3D%3D"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "16",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Anomaly2"
|
||
},
|
||
"name": "TryLADemo-Anomlay2"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "d1ace013-f3a5-4f34-8120-65febf2dad36",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in your environment",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "LogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "{Workspace}"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA8VUXU%2FbQBB851es6IsjHQoGQXlxpZSmVQSiiFR9qSp0sTfxge%2FO3K2TGPHju2dwggmhrVSpKytft7s3OzObfv%2Fd1gA4H10M4ePVcHAGsD1vFTv9%2Ft5bMTKeXJWSssa%2FmdgGN%2BQH4EyZrKjBYymdJATKEe4qdAo9TLCwC5jU4FDbuTKzgPQ58kdgv8P2t8H9LgtLICHNpSMgCz5nIBnOlQwT9m1FhULnYeqsBlyWmBJmUEoidAbsFJQpK4K5LCr0O9CGk2aGsHwsi0PjGDxhCfE6Bx6gdPaGO8IyaQqiiTKRsYuoJyDOe3txnAvo%2Fta8gIA6yWojtUqjHwfiSByLExHHIj4S8XsRn4iDI3FwLA73%2BfnZ23l2Iy4JTQbR1fiukg7FuLAliu%2FSKWlSFFerTyPDE6ZYBhrEuTL4WVEPEtYvKHY9VXRd8K9R3WnvuDk6IKWxoZQZ%2Frfe%2FIQUCFvkyP5xjYl4ANeoFeTYPXUY3OVsgSC9VzOj0dAuLKQHTpxap1lAtpo0az1VxjmKalYTBveVw%2FVMzdcB%2B33O589HZQgO4RtP%2BgVNQMB9PoCc2ehwP%2BttZn5tYV5IjZAkW6FulrbXj0lS5ZvacZWmiBlmnfTWT6eyKNCJp%2FdROcgyh953jBAsG66fSH%2BLFHUQ31gm4pYXNilwSrwETHXUYQJ4pZVJiypj7EXBwqfWZU97EopgwmthDW%2B8lpTmTE5zFARzapbT%2FyHIV1qzw%2B8RONVRUI89rXnFOkLymg1N1p7K5YvTYJ8tFPd45j%2Bh%2F0mpPbmQba94oyDenFR5Ywl1SXW0muC1BQ8b6EnqkgdYJQomKrWVodPKk9XDR88nK7yjy1cP3hpgfdGrzV%2F2FHAZ%2FlUM%2FQJrBWlQtAYAAA%3D%3D"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "22",
|
||
"conditionalVisibilities": [
|
||
{
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Anomaly2"
|
||
},
|
||
{
|
||
"parameterName": "Workspace",
|
||
"comparison": "isNotEqualTo"
|
||
}
|
||
],
|
||
"name": "TryOwnEnv-Anomaly2"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "30",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Anomaly2"
|
||
},
|
||
"name": "space2-Anomaly2"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "<br>\r\n\r\n<h3 style=\"color:blue;\"> Check out the relevant samples found in Microsoft Sentinel:</h3>\r\n\r\n#### Analytics Rules:\r\n\r\n **- [Anomalous sign-in location by user account and authenticating application](https://github.com/Azure/Azure-Sentinel/blob/06832a873e1686244f0bc02b10f79ba879078864/Detections/SigninLogs/AnomalousUserAppSigninLocationIncrease-detection.yaml)**\r\n\r\n **- [Suspicious number of resource creation or deployment activities](https://github.com/Azure/Azure-Sentinel/blob/2cad1a602c99d6e3f8be2548e31e4ca63ed75c6f/Detections/AzureActivity/Creating_Anomalous_Number_Of_Resources_detection.yaml)**\r\n\r\n **- [Azure Key Vault access TimeSeries anomaly](https://github.com/Azure/Azure-Sentinel/blob/06832a873e1686244f0bc02b10f79ba879078864/Detections/AzureDiagnostics/TimeSeriesKeyvaultAccessAnomaly.yaml)**\r\n\r\n\r\n#### Hunting Queries:\r\n\r\n **- [Looks for anomalous number of resource creation or deployment activities in azure activity log](https://github.com/Azure/Azure-Sentinel/blob/2cad1a602c99d6e3f8be2548e31e4ca63ed75c6f/Hunting%20Queries/AzureActivity/Creating_Anomalous_Number_Of_Resources.yaml)**\r\n\r\n **- [Unusual number of repository clones](https://github.com/Azure/Azure-Sentinel/blob/83c6d8c7f65a5f209f39f3e06eb2f7374fd8439c/Hunting%20Queries/GitHub/Unusual%20Number%20of%20Repository%20Clones.yaml)**\r\n\r\n#### Workbooks:\r\n\r\n **- [Checkpoint](https://github.com/Azure/Azure-Sentinel/blob/83c6d8c7f65a5f209f39f3e06eb2f7374fd8439c/Workbooks/CheckPoint.json)**\r\n"
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Anomaly2"
|
||
},
|
||
"name": "text2-Anomaly2"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "## 3. SOC Machine Learning rules\r\n\r\n<h3 style=\"color:blue;\"> Built-in rule description:</h3>\r\n\r\n\r\n\r\nAnomalies are saved to the new Anomalies table in your Microsoft Sentinel workspace. No alerts or incidents are generated by these anomalies. Use these anomalies to correlate with other signals to build threat detections, investigate an incident, or hunt for malicious actors. For a more detailed description of the anomaly rules, go [here](https://techcommunity.microsoft.com/t5/azure-sentinel/democratize-machine-learning-with-customizable-ml-anomalies/ba-p/2346338). All these rules are available with the Microsoft Sentinel Analytics blade. However, one cannot edit the KQL logic behind them but they are customizable via the user interface. \r\n\r\n<br>\r\n\r\n<h3 style=\"color:blue;\"> Sample query:</h3>\r\n\r\n** 1. Correlate and trigger an incident based on events in the anomalies table**\r\n\r\n<p style=\"color:red;\"> Anomalies<br> | where TimeGenerated > ago(14d)<br> | extend upn_split=split(UserName,\"\\\\\")<br> | extend Uname = tostring(upn_split[1])<br> | extend AnomUpn=strcat(Uname,\"@seccxp.ninja\")\r\n<br> | extend AnomScore = tostring(AnomalyDetails.Score)<br> | join SigninLogs on $left.AnomUpn == $right.UserPrincipalName<br> | where toreal( AnomScore) > 0.02\r\n\r\n<br>\r\n\r\n </p>\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n"
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Anomaly3"
|
||
},
|
||
"name": "text-Anomaly3"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "30",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Anomaly3"
|
||
},
|
||
"name": "space1-Anomaly3"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "<br>\r\n\r\n<h3 style=\"color:blue;\"> Snapshot of SOC ML rules in Microsoft Sentinel:</h3>\r\n\r\n<br>\r\n\r\n <img width='1000' src='https://github.com/iwafula025/SIEM-Rule-Migration/blob/main/SOC%20ML.PNG?raw=true'/>\r\n"
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Anomaly3"
|
||
},
|
||
"name": "text2-Anomaly3"
|
||
}
|
||
]
|
||
},
|
||
"conditionalVisibility": {
|
||
"parameterName": "Category",
|
||
"comparison": "isEqualTo",
|
||
"value": "Anomalies"
|
||
},
|
||
"name": "group - Anomaly"
|
||
}
|
||
]
|
||
},
|
||
"conditionalVisibility": {
|
||
"parameterName": "Category",
|
||
"comparison": "isEqualTo",
|
||
"value": "Anomalies"
|
||
},
|
||
"name": "group - Anomaly"
|
||
},
|
||
{
|
||
"type": 12,
|
||
"content": {
|
||
"version": "NotebookGroup/1.0",
|
||
"groupType": "editable",
|
||
"items": [
|
||
{
|
||
"type": 12,
|
||
"content": {
|
||
"version": "NotebookGroup/1.0",
|
||
"groupType": "editable",
|
||
"items": [
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "# {Category}\r\n\r\n\r\n<h2 style=\"color:blue;\">Overview:</h2>\r\n\r\nSIEM solutions require to collect and analyze data from several sources. As such, some of the needed data is not always presented in a structured format while in its raw state. Therefore, it may be necessary to perform some pre-processing operations on the data in order to transform it into a format that allows you to query it in a more granular manner or make it possible to correlate using a language such as Kusto Query Language (KQL) or Regular Expression constructs (Regex).\r\n\r\n\r\n\r\n\r\n<br>\r\n"
|
||
},
|
||
"name": "text - 0"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "<h2 style=\"color:blue;\">I want to:</h2>"
|
||
},
|
||
"name": "text - 2"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "list",
|
||
"links": [
|
||
{
|
||
"id": "10c45a2a-2b70-422e-9997-0e4f315f7727",
|
||
"cellValue": "Section",
|
||
"linkTarget": "parameter",
|
||
"linkLabel": "1. Extract entities from fields in logs",
|
||
"subTarget": "Parsing1",
|
||
"preText": "",
|
||
"style": "link"
|
||
},
|
||
{
|
||
"id": "40988c97-79b0-481a-b5a8-390f16783e15",
|
||
"cellValue": "Section",
|
||
"linkTarget": "parameter",
|
||
"linkLabel": "2. Extract elements from a text field",
|
||
"subTarget": "Parsing2",
|
||
"preText": "",
|
||
"style": "link"
|
||
},
|
||
{
|
||
"id": "d9333cfe-ce35-4cb3-b0e2-eaa2edf263d4",
|
||
"cellValue": "Section",
|
||
"linkTarget": "parameter",
|
||
"linkLabel": "3. Create custom properties from a string expression",
|
||
"subTarget": "Parsing3",
|
||
"preText": "",
|
||
"style": "link"
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "30",
|
||
"name": "links - 1"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "## 1. Extract entities from fields in logs\r\n\r\n<h3 style=\"color:blue;\"> Operators to be used:</h3>\r\n\r\n **- [extend](https://docs.microsoft.com/azure/data-explorer/kusto/query/extendoperator)**\r\n\r\n **- [extract_all](https://docs.microsoft.com/azure/data-explorer/kusto/query/extractallfunction)**\r\n\r\n **- [mv-apply](https://docs.microsoft.com/azure/data-explorer/kusto/query/mv-applyoperator)**\r\n\r\n **- [isnotempty()](https://docs.microsoft.com/azure/data-explorer/kusto/query/isnotemptyfunction)**\r\n\r\n\r\n **- [tostring()](https://docs.microsoft.com/azure/data-explorer/kusto/query/tostringfunction)**\r\n\r\n **- [join](https://docs.microsoft.com/azure/data-explorer/kusto/query/joinoperator?pivots=azuredataexplorer)**\r\n\r\n **- [parse](https://docs.microsoft.com/azure/data-explorer/kusto/query/distinctoperator)**\r\n\r\n **- [parse_json](https://docs.microsoft.com/azure/data-explorer/kusto/query/parsejsonfunction)**\r\n\r\n **- [distinct](https://docs.microsoft.com/azure/data-explorer/kusto/query/distinctoperator)**\r\n\r\n<br>\r\n\r\n<h3 style=\"color:blue;\"> Sample queries:</h3>\r\n\r\n** - Extract Hostname from Entity field(JSON) in SecurityAlert table**\r\n\r\n<p style=\"color:red;\"> SecurityAlert <br> | where Entities has \"HostName\" <br> | extend entities = todynamic(Entities) \r\n<br> | mv-apply Entity = entities on (\r\n<br> where Entity.Type == \"host\"\r\n<br> | extend HostName = Entity.HostName)\r\n<br> | project HostName, AlertName, Description , TimeGenerated\r\n</p>\r\n\r\n\r\n<p style=\"color:red;\"> SecurityAlert <br> | where Entities has \"HostName\" <br> | extend HostName = extract_all('\"HostName\"\\\\s*:\\\\s*\"([^\"]*)\"', Entities)\r\n<br> | project HostName, AlertName, Description , TimeGenerated\r\n</p>\r\n\r\n** - Extract City, State and Country from LocationDetails field (dynamic) in Signin Logs**\r\n\r\n<p style=\"color:red;\"> SigninLogs <br> | project TimeGenerated, UserPrincipalName, StatusCode=Status.errorCode, <br> City= LocationDetails.city, State= LocationDetails.state, Country = LocationDetails.countryOrRegion\r\n</p>\r\n\r\n\r\n** - Extract a Username from a User Principal Name (UPN) **\r\n\r\n<p style=\"color:red;\"> AzureActivity <br> | where TimeGenerated > ago(7d)<br> | parse Caller with UPNUserPart \"@\" * //drop anything after the @ sign\r\n<br> | where UPNUserPart != \"\" //Remove non UPN callers (apps, SPNs, etc)<br> | distinct UPNUserPart, Caller</p>\r\n\r\n<br>\r\n\r\n<h3 style=\"color:blue;\"> Sample use cases:</h3>\r\n\r\n** - Identify a vulnerable host with a publicly exploitable vulnerability that also has suspicious file activity on it **\r\n\r\n<p style=\"color:red;\"> let watchlst=(_GetWatchlist('Hva'))<br> | project svrname;<br> let secalert=(SecurityAlert<br> | where TimeGenerated > ago(1d) \r\n<br> | where AlertName contains \"MTP File activity alert\"<br> | extend HostName_ = tostring(parse_json(Entities)[0].HostName)<br> \r\n|extend AppendDom=strcat(HostName_,\".contoso.azure\"));<br> secalert<br> | join MDE_TVM_PublicExploits_CL on $left.AppendDom == $right.DeviceName_s<br> | where TimeGenerated > ago(1d)\r\n<br> | where VulnerabilitySeverityLevel_s == \"High\" and AppendHost in~ (watchlst)<br> | distinct DisplayName, AlertSeverity, VulnerabilitySeverityLevel_s, VulnerabilityDescription_s\r\n </p>\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n** - Detect ransomware on a device protected by Microsoft Defender for Endpoint **\r\n\r\n<p style=\"color:red;\"> SecurityAlert <br> | where TimeGenerated > ago(1h) <br> | where ProviderName ==\"MDATP\" and Status in (\"New\", \"Active\")\r\n<br> | where ExtendedProperties has \"Ransomware\" <br> | extend Prop = parse_json(ExtendedProperties)<br> | extend MDE_Category = Prop[\"MicrosoftDefenderAtp.Category\"]\r\n<br> | where MDE_Category has \"Ransomware\" \r\n<br> | extend Action = Prop.Action<br> | extend ThreatName = Prop.ThreatName<br> | extend HostName = extract_all('\"HostName\"\\\\s*:\\\\s*\"([^\"]*)\"', Entities)<br> | project MDE_Category, TimeGenerated, Action, ThreatName, VendorOriginalId, SystemAlertId, HostName</p>\r\n<br>\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n"
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Parsing1"
|
||
},
|
||
"name": "text-Parsing1"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "60",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Parsing1"
|
||
},
|
||
"name": "space1-Parsing1"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "b1f79330-0e49-4c7a-b93d-773efd47d889",
|
||
"cellValue": "https://ms.portal.azure.com#@72f988bf-86f1-41af-91ab-2d7cd011db47/blade/Microsoft_Azure_Monitoring_Logs/LogsBlade/resourceId/%2Fsubscriptions%2F8bdcebd2-ea3d-41c9-bb40-e02bdbafc506%2FresourceGroups%2Foms%2Fproviders%2FMicrosoft.OperationalInsights%2Fworkspaces%2Foms101/source/LogsBlade.AnalyticsShareLinkToQuery/q/H4sIAAAAAAAAAwtOTS4tyiypdC1LzSsBAIySJcsNAAAA/timespan/P1D",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in LA Demo",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "DemoLogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "/Demo"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA81WbW%2FbNhD%2Bnl9x0wpEDlR7%2BzSghYZ6ttdkdRwjcbsPSWYw0tliIIsaSTvRUOy390hab7HrdFgGjDAsiTze63MP2et9%2F9UBMD6bjOCXy1H%2FA8DX5apx1Ou9PjTOMqXlOtJcZOqgYDlIIf0APvAsTgtQmDPJNIJOEP5co%2BSo4A5T8QB3BUhciQ3PlsbTpufOsed8%2B6fjCHq90aOWLNJwKpTO2AphIcUKRpnmuoAFxzT2f7u6mHSAZ3CF0VrSfD9FqUGzuxSPYDtaa9UsfIaHBCU6hSbUhCnwjLEJGfOagvioMYsBS8kQtIgL8olHfrm909yw2rxmeU453Xob1ntFBn4tCk0niu6syBHCELyE3NjnQukeadxuKWda9nMp7nGbOrMYgA3evQ5RRZLnBicQwIyv8D1maCofUxlfErAvXoFG%2BOjQMWdp6h%2FXm27Umxvl%2Bdd%2FeLcnHe84gL31%2BZ%2Fkp8b4gLITwJU27cco0IFYZ1oWDvJjETHjzRA146ly2Ad%2Fi0CHf77M6DEWS1XH6Sbbc3XsrcAC%2BKhQTiXPIp6z1CXCuLNWAxFj6F67KKWQZiKoNRrXw6c%2BdqM6oN1FZaaDKsg9u93KhbzEJU3%2FZ2lnNuyaXNw3VHkACzb%2F43TSgE%2F%2Fr7XEPvHshmLcRXMrr%2FAzsKXwf4rb8GNSIQwIumTsgesEyIItACP28t55cEL8F0uRExgKnRjaZQtNwoaa34Giwu4abur4jjjEIx2XhrURMoIyLUNkTSrwiZ0UlWc6oX%2FUUcu7mCtN8eumwmDr7YtX4iw2zLgoKPWbdWqyRtQNhv5cYhjk67uUR8Sl%2BJingltur2R5auhVJ4xqmSphGUStVc4jLtamU0iWbUtlqJc36CdFssF0lKRKh%2F571L%2FbD4rePz7dsOPOXspQG4uXt209Cim1xCCh%2FwzX7UPHj210OMGKkCASGXVFRtR4PpvCr62QrNFnmFLTKwF66VvY3SuR1YfW9Q%2B3%2B04Q%2BLxV089zegzFKiQd1KN%2BxZhe1%2FgllOgy0w9ep9NISZmOpmP3ggjqfDiazz6dz6e2qCNXUTUfjE1xXqW40N3KpDkIX0m%2BTHR3iBseobE7V%2F8ip5%2BaqLnCDZpCjemZzpU9dk%2FJmmcJ2HlhoiV6%2FRv8Eij7O2XIVZ6yonGUlNqDg0afrDZOHorzpVuNyNUAWLJMidUDo3xQzhnENrcG32aZEkiXvXMeSSrtgiLDBeWBmGchJJ2lcU5V1M8c7AfrknR25KaSbpZkw%2BE19M6H%2FdnUlcGdO%2BaE870JPngBeJZ5CW87akYWshiTupzcqS4Ul1XAHjQ2bRFupKlJbG%2FMXXPs6OnsbjNAHlBcS2EPMCN77VVpK7PW13m3lPJudzxuKfkGX%2Fv2cr8113Vfu1KzRCIrm99K1jO70t9wpbpRJ2%2FM3%2BFrVU2RzbCCp%2FcM53XQ8JKagBwR8oJ6nWcsPSOpq0JpXFlYmc%2FKSXjZrvgCt%2FdoSaANAAA%3D"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "16",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Parsing1"
|
||
},
|
||
"name": "TryLADemo-Parsing1"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "24dd3e02-4daf-4af5-bd5d-5c4953daae34",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in your environment",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "LogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "{Workspace}"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA81WbW%2FbNhD%2Bnl9x0wpEDlR7%2BzSghYZ6ttdkdRwjcbsPSWYw0tliIIsaSTvRUOy390hab7HrdFgGjDAsiTze63MP2et9%2F9UBMD6bjOCXy1H%2FA8DX5apx1Ou9PjTOMqXlOtJcZOqgYDlIIf0APvAsTgtQmDPJNIJOEP5co%2BSo4A5T8QB3BUhciQ3PlsbTpufOsed8%2B6fjCHq90aOWLNJwKpTO2AphIcUKRpnmuoAFxzT2f7u6mHSAZ3CF0VrSfD9FqUGzuxSPYDtaa9UsfIaHBCU6hSbUhCnwjLEJGfOagvioMYsBS8kQtIgL8olHfrm909yw2rxmeU453Xob1ntFBn4tCk0niu6syBHCELyE3NjnQukeadxuKWda9nMp7nGbOrMYgA3evQ5RRZLnBicQwIyv8D1maCofUxlfErAvXoFG%2BOjQMWdp6h%2FXm27Umxvl%2Bdd%2FeLcnHe84gL31%2BZ%2Fkp8b4gLITwJU27cco0IFYZ1oWDvJjETHjzRA146ly2Ad%2Fi0CHf77M6DEWS1XH6Sbbc3XsrcAC%2BKhQTiXPIp6z1CXCuLNWAxFj6F67KKWQZiKoNRrXw6c%2BdqM6oN1FZaaDKsg9u93KhbzEJU3%2FZ2lnNuyaXNw3VHkACzb%2F43TSgE%2F%2Fr7XEPvHshmLcRXMrr%2FAzsKXwf4rb8GNSIQwIumTsgesEyIItACP28t55cEL8F0uRExgKnRjaZQtNwoaa34Giwu4abur4jjjEIx2XhrURMoIyLUNkTSrwiZ0UlWc6oX%2FUUcu7mCtN8eumwmDr7YtX4iw2zLgoKPWbdWqyRtQNhv5cYhjk67uUR8Sl%2BJingltur2R5auhVJ4xqmSphGUStVc4jLtamU0iWbUtlqJc36CdFssF0lKRKh%2F571L%2FbD4rePz7dsOPOXspQG4uXt209Cim1xCCh%2FwzX7UPHj210OMGKkCASGXVFRtR4PpvCr62QrNFnmFLTKwF66VvY3SuR1YfW9Q%2B3%2B04Q%2BLxV089zegzFKiQd1KN%2BxZhe1%2FgllOgy0w9ep9NISZmOpmP3ggjqfDiazz6dz6e2qCNXUTUfjE1xXqW40N3KpDkIX0m%2BTHR3iBseobE7V%2F8ip5%2BaqLnCDZpCjemZzpU9dk%2FJmmcJ2HlhoiV6%2FRv8Eij7O2XIVZ6yonGUlNqDg0afrDZOHorzpVuNyNUAWLJMidUDo3xQzhnENrcG32aZEkiXvXMeSSrtgiLDBeWBmGchJJ2lcU5V1M8c7AfrknR25KaSbpZkw%2BE19M6H%2FdnUlcGdO%2BaE870JPngBeJZ5CW87akYWshiTupzcqS4Ul1XAHjQ2bRFupKlJbG%2FMXXPs6OnsbjNAHlBcS2EPMCN77VVpK7PW13m3lPJudzxuKfkGX%2Fv2cr8113Vfu1KzRCIrm99K1jO70t9wpbpRJ2%2FM3%2BFrVU2RzbCCp%2FcM53XQ8JKagBwR8oJ6nWcsPSOpq0JpXFlYmc%2FSl5ftiS8Dy%2BvNng0AAA%3D%3D"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "22",
|
||
"conditionalVisibilities": [
|
||
{
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Parsing1"
|
||
},
|
||
{
|
||
"parameterName": "Workspace",
|
||
"comparison": "isNotEqualTo"
|
||
}
|
||
],
|
||
"name": "TryOwnEnv-Parsing1"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "30",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Parsing1"
|
||
},
|
||
"name": "space2-Parsing1"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "<br>\r\n\r\n<h3 style=\"color:blue;\"> Check out the relevant samples in Microsoft Sentinel:</h3>\r\n\r\n#### Analytics rules:\r\n **- [Rare application consent ](https://github.com/Azure/Azure-Sentinel/blob/b254c070132a4686c95d10c3cdbb8fb25e9ef997/Detections/AuditLogs/RareApplicationConsent.yaml)**\r\n\r\n **- [ Correlate Unfamiliar sign-in properties and atypical travel alerts](https://github.com/Azure/Azure-Sentinel/blob/ade86a8cf8026f3a3e3ad28be8a5e89aa1479067/Detections/SecurityAlert/CorrelateIPC_Unfamiliar-Atypical.yaml)**\r\n\r\n **- [ Creation of expensive computes in Azure](https://github.com/Azure/Azure-Sentinel/blob/2cad1a602c99d6e3f8be2548e31e4ca63ed75c6f/Detections/AzureActivity/Creation_of_Expensive_Computes_in%20_Azure.yaml)**\r\n\r\n\r\n\r\n#### Hunting queries:\r\n\r\n **- [Identifies what ports may have been opened for a given Azure Resource over the last 7 days ](https://github.com/Azure/Azure-Sentinel/blob/76578d41f67181e6c1acb16b520f48a31d248036/Hunting%20Queries/AzureActivity/PortOpenedForAzureResource.yaml)**\r\n\r\n **- [Unfamiliar Signin Correlation with AzurePortal Signin Attempts and AuditLogs](https://github.com/Azure/Azure-Sentinel/blob/301819b3d4217428d848a95ea8d19fd351edc6df/Hunting%20Queries/MultipleDataSources/UnfamiliarsignincorrelationwithPortalSigninandAuditlogs.yaml)**\r\n\r\n **- [SQL Alert Correlation with CommonSecurityLogs and AuditLogs](https://github.com/Azure/Azure-Sentinel/blob/5a71f1c4732f501df9f7d2f52efe46137e76bf4a/Hunting%20Queries/MultipleDataSources/SQLAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml)**\r\n\r\n\r\n\r\n#### Workbook:\r\n\r\n **- [ExchangeOnline](https://github.com/Azure/Azure-Sentinel/blob/83c6d8c7f65a5f209f39f3e06eb2f7374fd8439c/Workbooks/ExchangeOnline.json)**\r\n\r\n **- [View Microsoft Sentinel incidents](https://github.com/Azure/Azure-Sentinel/blob/83c6d8c7f65a5f209f39f3e06eb2f7374fd8439c/Workbooks/SentinelCentral.json)**\r\n\r\n\r\n#### Parsers:\r\n **- [ASIM Process creation event](https://github.com/Azure/Azure-Sentinel/blob/579f4d9917dc3dc51b17d32e71cf9717fdacea2b/Parsers/ASimProcessEvent/ProductParsers/ProcessEventMicrosoftSysmonCreate.yaml)**\r\n\r\n"
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Parsing1"
|
||
},
|
||
"name": "text2-Parsing1"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "## 2. Extract elements from a Syslog message\r\n\r\n\r\n<h3 style=\"color:blue;\"> Operators to be used:</h3>\r\n\r\n **- [extend](https://docs.microsoft.com/azure/data-explorer/kusto/query/extendoperator)**\r\n\r\n **- [extract](https://docs.microsoft.com/azure/data-explorer/kusto/query/extractfunction)**\r\n\r\n<br>\r\n\r\n<h3 style=\"color:blue;\"> Sample queries:</h3>\r\n\r\n** - Extract URL from a Syslog message**\r\n \r\n\r\n<p style=\"color:red;\"> Syslog<br> | extend Url = extract(\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\\\(\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\", 1,SyslogMessage)</p>\r\n\r\n** - Extract Domain from a Syslog message**\r\n\r\n<p style=\"color:red;\"> Syslog <br> | extend Domain = extract(\"(([A-Z]+ [a-z]{4,5}:\\\\/\\\\/)|[A-Z]+ )([^ :\\\\/]*)\",3,SyslogMessage)</p>\r\n\r\n** - Extract HTTP Status code from a Syslog message**\r\n\r\n<p style=\"color:red;\"> Syslog <br> HTTP_Status_Code = extract(\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\",8,SyslogMessage)</p>\r\n\r\n\r\n\r\n<br>\r\n\r\n<h3 style=\"color:blue;\"> Sample use cases:</h3>\r\n\r\n** - Extract IP and compare addresses from Syslog messages **\r\n\r\n<p style=\"color:red;\"> let PrivateIPregex = @'^127\\.|^10\\.|^172\\.1[6-9]\\.|^172\\.2[0-9]\\.|^172\\.3[0-1]\\.|^192\\.168\\.'; <br> | where Facility contains \"auth\" and ProcessName =~ \"sshd\"<br> let ssh_logins = Syslog | where SyslogMessage has \"Accepted\"<br> | extend SourceIP = extract(\"(([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.(([0-9]{1,3})))\",1,SyslogMessage) <br> | where isnotempty(SourceIP)<br> | extend ipType = iff(SourceIP matches regex PrivateIPregex,\"private\" ,\"public\");ssh_logins<br> | summarize privatecount=countif(ipType==\"private\"), publiccount=countif(ipType==\"public\") by HostName, HostIP, bin(EventTime, 1d)\r\n<br> | summarize \r\npublicIPLoginHistory = make_list(pack('IPCount', publiccount, 'logon_time', EventTime)),\r\n<br> privateIPLoginHistory = make_list(pack('IPCount', privatecount, 'logon_time', EventTime)) by HostName, HostIP\r\n</p>\r\n\r\n** - Identify top 5 target accounts with failed logon attempts **\r\n<p style=\"color:red;\"> \r\nlet top5 = SecurityEvent<br> | where EventID == 4625 and AccountType == 'User'<br> | extend Account_Name = extract(@\"^(.*\\\\)?([^@]*)(@.*)?$\", 2, tolower(Account))<br> | summarize Attempts = count() by Account_Name<br> | where Account_Name != \"\"<br> | top 5 by Attempts<br> | summarize make_list(Account_Name);<br> SecurityEvent<br> | where EventID == 4625 and AccountType == 'User'<br> | extend Name = extract(@\"^(.*\\\\)?([^@]*)(@.*)?$\", 2, tolower(Account))<br> | extend Account_Name = iff(Name in (top5), Name, \"Other\")<br> | where Account_Name != \"\"<br> | summarize Attempts = count() by Account_Name</p>\r\n\r\n\r\n<br>"
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Parsing2"
|
||
},
|
||
"name": "text-Parsing2"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "30",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Parsing2"
|
||
},
|
||
"name": "text - 11"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "30",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Parsing2"
|
||
},
|
||
"name": "space1-Parsing2"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "16d4a38e-8e1e-46bb-a568-722d28989793",
|
||
"cellValue": "https://ms.portal.azure.com#@72f988bf-86f1-41af-91ab-2d7cd011db47/blade/Microsoft_Azure_Monitoring_Logs/LogsBlade/resourceId/%2Fsubscriptions%2F8bdcebd2-ea3d-41c9-bb40-e02bdbafc506%2FresourceGroups%2Foms%2Fproviders%2FMicrosoft.OperationalInsights%2Fworkspaces%2Foms101/source/LogsBlade.AnalyticsShareLinkToQuery/q/H4sIAAAAAAAAAwtOTS4tyiypdC1LzSsBAIySJcsNAAAA/timespan/P1D",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in LA Demo",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "DemoLogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "/Demo"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA7VWbXPaRhD%2B7l%2BxUdOiswUKOHYSZzSG2M6YxnU0AX8pYOYsHXATvfXuZJuE9Ld3TxIgbKB1J75hxO2xL88%2Bu3vCtn%2FZuAAu2pdn8OHLWesTwGa9xdqx7eq21Y6kEqmneBzJrYrzhQ7xA%2FCJR34wBckSKqhioCYM%2FkqZ4EzCDQviO7iZgmBhfMujsUZaRp4D%2BzdsT107YNtn90pQTwGF81iqiIYMRiIOUf698%2FkSRpwFvtbr0DAJFoiPyqZXXy7mNp2pDOIxhExKOmY7MF%2F5%2BVKeAbtXLPLhSgTgaEF7Mg1zolTSk4PjI9s2j496tPqtVf1zMOu9qr7D58vqsFn7bQ93L3b7Zp9Ygxlq%2Fap%2FpdVRq%2FpxUNoSskcMC%2BpWHvyPHBPRyH9uv8x5OI1DyqP%2FTUVhXmbD7Ons90DzMPj%2B2jr4cdS3%2BzaZFefE7F0DHg12MdP9Z060VPHzbteFjqIqleDFPntqztp%2BmNufaPNyzt0Td543mX%2FvktnVael4uDgntpn1xvf9H0jB22evdTEGqWTgUakHYclK2wWKdfTiEEecAfV9gThwvDN2VrmRSzICpsAV%2FBYvhbYr2JjdIx%2FNynW98aY2u66%2F0o83jVq9d4h5FkIjS7oQ9lGoZ8I7VDt8W6u8L7fX3YQhmo%2FU4wFXU4QXKewzCQZN1cTIILsi9hDXpZ5%2B528wpJz4xipCPBoifm3ozHN5GGOFfJhQjNHyPJYoVva2aPhOnAoPc37Q8lk56xYWtF%2FbKpVFgtV%2FPOkPAXIZxYqFiZqa8%2BBkDTCedKeJ7ko%2BGi0UIaTKm2A18xKtVswyklw2ALfpTcA9g7xfclYOItMwpIJ%2FY1DYeHEaKSd78pGZB3echUdiQe5xk14RTr8%2F9B2uq2hlu7ZrwQ2PzLNbFqku18d1n2zAknlpuxca7zmXKhZTZCCkX9kwQNFMqPfVrLTdEx2%2FsoLJggqmGUdDhTHwp0U8QqxltGTO2H8PUeJnS4x1iT%2FD5df2mSZ%2BCipO4AAUFWOcC5pTIOGOqwmMKA%2BYDxlSoCrrtQejjtYHeoSYlwqcxyyPx52aHbdPwXHg9WHjIJvSVh4q700HKleSicqa9i30hvk4L2araVybtT45xndGc0DMZo0cv8T3Y8NCSPj3gwmzMCQbWqRV5IM%2BMz0zY74c7XEeK1heOGCsXAQ5k9rJI6rKgZcdUnZHSrfcM7L5c1hcXxp9v2RbfO%2BbujFw1vMuNj7j%2F0NhrLnDtjP6lGr9Ay8NsPw4CwAA"
|
||
},
|
||
{
|
||
"name": "timespan",
|
||
"source": "static",
|
||
"value": "P1D"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "16",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Parsing2"
|
||
},
|
||
"name": "TryLADemo-Parsing2"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "d1ace013-f3a5-4f34-8120-65febf2dad36",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in your environment",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "LogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "{Workspace}"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA7VWbXPaRhD%2B7l%2BxUdOiswUKOHYSZzSG2M6YxnU0AX8pYOYsHXATvfXuZJuE9Ld3TxIgbKB1J75hxO2xL88%2Bu3vCtn%2FZuAAu2pdn8OHLWesTwGa9xdqx7eq21Y6kEqmneBzJrYrzhQ7xA%2FCJR34wBckSKqhioCYM%2FkqZ4EzCDQviO7iZgmBhfMujsUZaRp4D%2BzdsT107YNtn90pQTwGF81iqiIYMRiIOUf698%2FkSRpwFvtbr0DAJFoiPyqZXXy7mNp2pDOIxhExKOmY7MF%2F5%2BVKeAbtXLPLhSgTgaEF7Mg1zolTSk4PjI9s2j496tPqtVf1zMOu9qr7D58vqsFn7bQ93L3b7Zp9Ygxlq%2Fap%2FpdVRq%2FpxUNoSskcMC%2BpWHvyPHBPRyH9uv8x5OI1DyqP%2FTUVhXmbD7Ons90DzMPj%2B2jr4cdS3%2BzaZFefE7F0DHg12MdP9Z060VPHzbteFjqIqleDFPntqztp%2BmNufaPNyzt0Td543mX%2FvktnVael4uDgntpn1xvf9H0jB22evdTEGqWTgUakHYclK2wWKdfTiEEecAfV9gThwvDN2VrmRSzICpsAV%2FBYvhbYr2JjdIx%2FNynW98aY2u66%2F0o83jVq9d4h5FkIjS7oQ9lGoZ8I7VDt8W6u8L7fX3YQhmo%2FU4wFXU4QXKewzCQZN1cTIILsi9hDXpZ5%2B528wpJz4xipCPBoifm3ozHN5GGOFfJhQjNHyPJYoVva2aPhOnAoPc37Q8lk56xYWtF%2FbKpVFgtV%2FPOkPAXIZxYqFiZqa8%2BBkDTCedKeJ7ko%2BGi0UIaTKm2A18xKtVswyklw2ALfpTcA9g7xfclYOItMwpIJ%2FY1DYeHEaKSd78pGZB3echUdiQe5xk14RTr8%2F9B2uq2hlu7ZrwQ2PzLNbFqku18d1n2zAknlpuxca7zmXKhZTZCCkX9kwQNFMqPfVrLTdEx2%2FsoLJggqmGUdDhTHwp0U8QqxltGTO2H8PUeJnS4x1iT%2FD5df2mSZ%2BCipO4AAUFWOcC5pTIOGOqwmMKA%2BYDxlSoCrrtQejjtYHeoSYlwqcxyyPx52aHbdPwXHg9WHjIJvSVh4q700HKleSicqa9i30hvk4L2araVybtT45xndGc0DMZo0cv8T3Y8NCSPj3gwmzMCQbWqRV5IM%2BMz0zY74c7XEeK1heOGCsXAQ5k9rJI6rKgZcdUnZHSrfcM7L5c1hcXxp9v2RbfO%2BbujFw1vMuNj7j%2F0NhrLnDtjP6lGr9Ay8NsPw4CwAA"
|
||
},
|
||
{
|
||
"name": "timespan",
|
||
"source": "static",
|
||
"value": "P1D"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "22",
|
||
"conditionalVisibilities": [
|
||
{
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Parsing2"
|
||
},
|
||
{
|
||
"parameterName": "Workspace",
|
||
"comparison": "isNotEqualTo"
|
||
}
|
||
],
|
||
"name": "TryOwnEnv-Parsing2"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "30",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Parsing2"
|
||
},
|
||
"name": "space2-Parsing2"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "<br>\r\n\r\n<h3 style=\"color:blue;\"> Check out the relevant samples found in Microsoft Sentinel:</h3>\r\n\r\n#### Analytics Rules:\r\n\r\n **- [Check for Squid proxy events associated with common ToR proxies.](https://github.com/Azure/Azure-Sentinel/blob/06832a873e1686244f0bc02b10f79ba879078864/Detections/Syslog/squid_tor_proxies.yaml)**\r\n\r\n **- [Possible contact with a domain generated by a DGA](https://github.com/Azure/Azure-Sentinel/blob/76578d41f67181e6c1acb16b520f48a31d248036/Detections/CommonSecurityLog/MultiVendor-PossibleDGAContacts.yaml)**\r\n\r\n **- [IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN](https://github.com/Azure/Azure-Sentinel/blob/06832a873e1686244f0bc02b10f79ba879078864/Detections/MultipleDataSources/AAD_PAVPN_Correlation.yaml)**\r\n\r\n#### Hunting Queries:\r\n\r\n **- [Cscript script daily summary breakdown (Normalized Process Events)](https://github.com/Azure/Azure-Sentinel/blob/bbb0eb38fdb9dbdcfa8d6d6c5ba8b591fc4af52c/Hunting%20Queries/ASimProcess/imProcess_cscript_summary.yaml)**\r\n\r\n **- [Detect Squid malformed requests](https://github.com/Azure/Azure-Sentinel/blob/44771fce9d745c937461bfd87e8ac3682048ecec/Hunting%20Queries/Syslog/squid_malformed_requests.yaml)**\r\n\r\n **- [Disabled accounts using Squid proxy](https://github.com/Azure/Azure-Sentinel/blob/c69fda6e8b90aa3ae797560b670a42fa8fce2859/Hunting%20Queries/Syslog/disabled_account_squid_usage.yaml)**\r\n\r\n\r\n#### Parsers:\r\n\r\n **- [Parse Zscaler logs](https://github.com/Azure/Azure-Sentinel/blob/83c6d8c7f65a5f209f39f3e06eb2f7374fd8439c/Parsers/ZScaler/ZScalerWeb_Parser.csl)**\r\n\r\n **- [Cisco ISE (Identity Services Engine) Syslog](https://github.com/Azure/Azure-Sentinel/blob/83c6d8c7f65a5f209f39f3e06eb2f7374fd8439c/Parsers/Cisco_ISEParser.txt)**\r\n\r\n **- [OneIdentity Safeguard CEF Parser](https://github.com/Azure/Azure-Sentinel/blob/9e94e5c835f51b49b3b19a1189c025ad03c27ef7/Parsers/OneIdentity_Safeguard.txt)**\r\n\r\n#### Workbooks:\r\n\r\n **- [IoT Devices asset discovery from Firewall logs By Azure Defender for IoT](https://github.com/Azure/Azure-Sentinel/blob/83c6d8c7f65a5f209f39f3e06eb2f7374fd8439c/Workbooks/IoTAssetDiscovery.json)**\r\n\r\n **- [Azure Kubernetes Service Security](https://github.com/Azure/Azure-Sentinel/blob/368ddf53f09a09610f57ec74118f678935dcda73/Workbooks/AksSecurity.json)**\r\n\r\n"
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Parsing2"
|
||
},
|
||
"name": "text2-Parsing2"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "## 3. Create custom properties from string expressions\r\n\r\n\r\n<h3 style=\"color:blue;\"> Operators to be used:</h3>\r\n\r\n **- [extend](https://docs.microsoft.com/azure/data-explorer/kusto/query/extendoperator)**\r\n\r\n **- [split](https://docs.microsoft.com/azure/data-explorer/kusto/query/splitfunction)**\r\n\r\n **- [parse](https://docs.microsoft.com/azure/data-explorer/kusto/query/parseoperator)**\r\n\r\n<br>\r\n\r\n<h3 style=\"color:blue;\"> Sample queries:</h3>\r\n\r\n** - Extract multiple fields from block a block of text within a single field**\r\n\r\n<p style=\"color:red;\"> AzureDiagnostics\r\n<br> | where OperationName == \"AzureFirewallThreatIntelLog\"<br> | parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePortInt:int \" to \" TargetIP \":\" TargetPortInt:int *<br> | parse msg_s with * \". Action: \" Action \".\" Message<br> | parse msg_s with Protocol2 \" request from \" SourceIP2 \" to \" TargetIP2 \". Action: \" Action2<br> | extend SourcePort = tostring(SourcePortInt),TargetPort = tostring(TargetPortInt)<br> | extend Protocol = case(Protocol == \"\", Protocol2, Protocol),SourceIP = case(SourceIP == \"\", SourceIP2, SourceIP),<br> TargetIP = case(TargetIP==\"\", TargetIP2, TargetIP),SourcePort = case(SourcePort == \"\", \"N/A\", SourcePort),<br> TargetPort = case(TargetPort == \"\", \"N/A\", TargetPort)<br> | sort by TimeGenerated desc<br> | project TimeGenerated, msg_s, Protocol, SourceIP,SourcePort,TargetIP,TargetPort,Action,Message </p>\r\n<br>\r\n\r\n** - Create columns from a custom table text field**\r\n<p style=\"color:blue;\"> <br>Some log data collected by Azure Monitor will include multiple pieces of information in a single property. Parsing this data into multiple properties make it easier to use in queries. A common example is a custom log that collects an entire log entry with multiple values into a single property. By creating separate properties for the different values, you can search and aggregate on each. Mode details **[here](https://docs.microsoft.com/azure/azure-monitor/logs/parse-text)**</p>\r\n \r\n<p style=\"color:red;\"> GeoDataTest2_CL<br> | where TimeGenerated > ago(7d)<br> | extend CSVFields = split(RawData, ',')<br> | extend EventTime = todatetime(CSVFields[0])<br> | extend network_s = tostring(CSVFields[1])<br> | extend longitude = tostring(CSVFields[2])<br> | extend latitude = tostring(CSVFields[3])<br> | extend accuracy = tostring(CSVFields[4])<br> | extend continent = tostring(CSVFields[5])<br> | extend country = tostring(CSVFields[6])<br> | extend timezone = tostring(CSVFields[7]) </p>\r\n\r\n<br>\r\n\r\n<h3 style=\"color:blue;\"> Sample use case:</h3>\r\n\r\n** - Lookup IP addresses against a GeoLookup list imported into a custom table **\r\n\r\n<p style=\"color:red;\"> let GeoData=(GeoDataTest2_CL<br> | where TimeGenerated > ago(1d)<br> | extend CSVFields = split(RawData, ',')<br> | extend EventTime = todatetime(CSVFields[0])<br> | extend network_s = tostring(CSVFields[1]) <br> | extend longitude = tostring(CSVFields[2]) <br> | extend latitude = tostring(CSVFields[3])<br> | extend accuracy = tostring(CSVFields[4])<br> | extend continent = tostring(CSVFields[5])<br> | extend country = tostring(CSVFields[6])<br> | extend timezone = tostring(CSVFields[7])<br> | project-away CSVFields);<br> SecurityEvent<br> | extend commonfield = 1<br> | lookup (GeoData | extend commonfield = 1) on commonfield<br> | summarize arg_max(TimeGenerated,*) by id_s<br> | where ipv4_is_in_range(IpAddress,network_s)<br> | project-away commonfield<br> | project TimeGenerated, IpAddress, network_s, longitude, latitude, continent, country, timezone\r\n\r\n</p>\r\n<br>"
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Parsing3"
|
||
},
|
||
"name": "text-Parsing3"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "30",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Parsing3"
|
||
},
|
||
"name": "space1-Parsing2 - Copy"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "30",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Parsing3"
|
||
},
|
||
"name": "text - 11 "
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "1cee852d-4a6f-4dc5-82f4-95c7742716a5",
|
||
"cellValue": "https://ms.portal.azure.com#@72f988bf-86f1-41af-91ab-2d7cd011db47/blade/Microsoft_Azure_Monitoring_Logs/LogsBlade/resourceId/%2Fsubscriptions%2F8bdcebd2-ea3d-41c9-bb40-e02bdbafc506%2FresourceGroups%2Foms%2Fproviders%2FMicrosoft.OperationalInsights%2Fworkspaces%2Foms101/source/LogsBlade.AnalyticsShareLinkToQuery/q/H4sIAAAAAAAAAwtOTS4tyiypdC1LzSsBAIySJcsNAAAA/timespan/P1D",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in LA Demo",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "DemoLogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "/Demo"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA%2B1W30%2FbMBB%2B5684pQ%2BkU1hHx4bUKZM6KFNFxxCt9jJNkZscwSOxO9uhFO2P36Vp4mQkCE17mmYhGjv33c%2FPdxkMDp5aU6GNykLDpXhSrlx7gwH9AZxzESUb0LhiihmEHxkqjhqWmMg1LDegMJV3XMTQ6%2FVgNr2YwIeryfg83xY6nmXuuYv0zVm6SipHRnQyuTeKhQbSLDE8f3fNMYk0XCuZwjKR4S2w3a%2B8BoP3Btbc3HBBx5pcLxF7UK7xQ6bwlLNYSG14qO2bn7C%2BQYXweYWUD8rmBUsRfB%2BcLeaMK1yzJFncKGRmKgwmMxk7dTwlUiOkOg701g24VNLIUCbgUDIpLG0Kzx2Yy0yFOL0EZ1RuLqXK1Y64MCRgJP1bMBWj2UkVm5rUk6adlzDecmJEeoonOnPgE2rNYnyW28Nuv4e%2Fuzhsszism6HioIhqwYJPKoi7VCe3kYK%2BZ2OtCzUy0G%2FRXeXbh5BpdO2equh4NjD72PeqUuxAdl%2BAqpDtY9%2Bzxqsa7eDl3vdzcJUe%2B1ha3EVXs1mcFFadi8G4Mp6%2FeGyzrqB%2B0lBgXzQSpnNJuuMLnuJHFDnjMYIIddhghpLfka5fQ8orqGJTaPNSi8wrw63V0itY4ZUcHAx6nQvqHQe65apl%2Ff6I8pQZtiDaDoOT2eMb3gz6PbBYusdRG6FO5l%2FOio7jg14l3LhXbJ0r92Df229DTO5QmNzAlrgRWTC0cStFX199a4MJNGupbgNd57sFHbaCEilibrII20HDdhD1tm7M61YMC8OM%2BvCmHXPUigmlMFxQMtpBbzpAmTCqw87bVkie3gcpOuI5JszfpVk1pjJqmvndy%2BfUTMrbbAXUBVgUKaI3zVEWM06jmSYREXInkHA64OmKLgMxj3q4pNdhpg01V8OWSa0vJ2hKJvvuH1H68D%2Bl%2F1VK1zC7Hn3A1mxji9t%2FZ2XmSKFys9nWsdXDNJVi%2B51EFg%2FrEklB25J%2FnZg%2B0OdF7awxarI0ZYo%2FINAgCFJ27zbHyYt%2BPoh4FLR8i%2FHV3VHAdcBFoJiI0Z2uxsUF8yp6dWejw6GOqWZVW%2Bp6lpBeRTPPEsEry%2BtVRfsF4wTp964LAAA%3D"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "16",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Parsing3"
|
||
},
|
||
"name": "TryLADemo-Parsing3"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "7032f1c2-370a-4141-adbb-c39b6a52f898",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in your environment",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "LogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "{Workspace}"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA%2B1W30%2FbMBB%2B5684pQ%2BkU1hHx4bUKZM6KFNFxxCt9jJNkZscwSOxO9uhFO2P36Vp4mQkCE17mmYhGjv33c%2FPdxkMDp5aU6GNykLDpXhSrlx7gwH9AZxzESUb0LhiihmEHxkqjhqWmMg1LDegMJV3XMTQ6%2FVgNr2YwIeryfg83xY6nmXuuYv0zVm6SipHRnQyuTeKhQbSLDE8f3fNMYk0XCuZwjKR4S2w3a%2B8BoP3Btbc3HBBx5pcLxF7UK7xQ6bwlLNYSG14qO2bn7C%2BQYXweYWUD8rmBUsRfB%2BcLeaMK1yzJFncKGRmKgwmMxk7dTwlUiOkOg701g24VNLIUCbgUDIpLG0Kzx2Yy0yFOL0EZ1RuLqXK1Y64MCRgJP1bMBWj2UkVm5rUk6adlzDecmJEeoonOnPgE2rNYnyW28Nuv4e%2Fuzhsszism6HioIhqwYJPKoi7VCe3kYK%2BZ2OtCzUy0G%2FRXeXbh5BpdO2equh4NjD72PeqUuxAdl%2BAqpDtY9%2Bzxqsa7eDl3vdzcJUe%2B1ha3EVXs1mcFFadi8G4Mp6%2FeGyzrqB%2B0lBgXzQSpnNJuuMLnuJHFDnjMYIIddhghpLfka5fQ8orqGJTaPNSi8wrw63V0itY4ZUcHAx6nQvqHQe65apl%2Ff6I8pQZtiDaDoOT2eMb3gz6PbBYusdRG6FO5l%2FOio7jg14l3LhXbJ0r92Df229DTO5QmNzAlrgRWTC0cStFX199a4MJNGupbgNd57sFHbaCEilibrII20HDdhD1tm7M61YMC8OM%2BvCmHXPUigmlMFxQMtpBbzpAmTCqw87bVkie3gcpOuI5JszfpVk1pjJqmvndy%2BfUTMrbbAXUBVgUKaI3zVEWM06jmSYREXInkHA64OmKLgMxj3q4pNdhpg01V8OWSa0vJ2hKJvvuH1H68D%2Bl%2F1VK1zC7Hn3A1mxji9t%2FZ2XmSKFys9nWsdXDNJVi%2B51EFg%2FrEklB25J%2FnZg%2B0OdF7awxarI0ZYo%2FINAgCFJ27zbHyYt%2BPoh4FLR8i%2FHV3VHAdcBFoJiI0Z2uxsUF8yp6dWejw6GOqWZVW%2Bp6lpBeRTPPEsEry%2BtVRfsF4wTp964LAAA%3D"
|
||
},
|
||
{
|
||
"name": "timespan",
|
||
"source": "static",
|
||
"value": "P1D"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "22",
|
||
"conditionalVisibilities": [
|
||
{
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Parsing3"
|
||
},
|
||
{
|
||
"parameterName": "Workspace",
|
||
"comparison": "isNotEqualTo"
|
||
}
|
||
],
|
||
"name": "TryOwnEnv-Parsing3"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "30",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Parsing3"
|
||
},
|
||
"name": "space2-Parsing3"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "<br>\r\n\r\n<h3 style=\"color:blue;\"> Check out the relevant samples found in Microsoft Sentinel:</h3>\r\n\r\n#### Analytics Rules:\r\n\r\n **- [ Cisco ASA - average attack detection rate increase](https://github.com/Azure/Azure-Sentinel/blob/06832a873e1686244f0bc02b10f79ba879078864/Detections/CommonSecurityLog/CiscoASA-AvgAttackDetectRateIncrease.yaml)**\r\n\r\n **- [Mail redirect via ExO transport rule](https://github.com/Azure/Azure-Sentinel/blob/06832a873e1686244f0bc02b10f79ba879078864/Detections/OfficeActivity/Mail_redirect_via_ExO_transport_rule.yaml)**\r\n\r\n **- [Audit policy manipulation using auditpol utility](https://github.com/Azure/Azure-Sentinel/blob/06832a873e1686244f0bc02b10f79ba879078864/Detections/MultipleDataSources/AuditPolicyManipulation_using_auditpol.yaml)**\r\n\r\n#### Hunting Queries:\r\n\r\n **- [ External user from a new organisation added to Teams](https://github.com/Azure/Azure-Sentinel/blob/c69fda6e8b90aa3ae797560b670a42fa8fce2859/Hunting%20Queries/OfficeActivity/ExternalUserFromNewOrgAddedToTeams.yaml)**\r\n\r\n **- [User Granted Access and Grants others Access](https://github.com/Azure/Azure-Sentinel/blob/c69fda6e8b90aa3ae797560b670a42fa8fce2859/Hunting%20Queries/AuditLogs/UserGrantedAccess_GrantsOthersAccess.yaml)**\r\n\r\n **- [User Granted Access and Grants others Access](https://github.com/Azure/Azure-Sentinel/blob/c69fda6e8b90aa3ae797560b670a42fa8fce2859/Hunting%20Queries/AuditLogs/UserGrantedAccess_GrantsOthersAccess.yaml)**\r\n\r\n\r\n#### Parsers:\r\n\r\n **- [M365 Defender Network Sessions](https://github.com/Azure/Azure-Sentinel/blob/509c1bae773b19161bd166ef9d128118b6720f1b/Parsers/ASimNetworkSession/ProductParsers/vimNetworkSessionMicrosoft365Defender.yaml)**\r\n\r\n **- [Takes raw CylancePROTECT logs from a Syslog stream and parses the logs into a normalized schema.](https://github.com/Azure/Azure-Sentinel/blob/83c6d8c7f65a5f209f39f3e06eb2f7374fd8439c/Parsers/CylancePROTECT/CylancePROTECT.txt)**\r\n\r\n **- [ASIM File Event normalization](https://github.com/Azure/Azure-Sentinel/blob/f00db47d83eceddbab0969579cdcb90ed91a9db6/Parsers/ASimFileEvent/ARM/FileEventMicrosoftQueueStorage/FileEventMicrosoftQueueStorage.json)**\r\n\r\n#### Workbooks:\r\n\r\n **- [Analytics efficiency workbook](https://github.com/Azure/Azure-Sentinel/blob/f4133f38e2bc3f964c8e1de22db27d0ff5536986/Workbooks/AnalyticsEfficiency.json)**\r\n\r\n **- [Azure Purview](https://github.com/Azure/Azure-Sentinel/blob/9297bcb5c7c6d41959dc2d8f70db78dda3ae03aa/Workbooks/AzurePurview.json)**\r\n\r\n"
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Parsing3"
|
||
},
|
||
"name": "text2-Parsing3"
|
||
}
|
||
]
|
||
},
|
||
"conditionalVisibility": {
|
||
"parameterName": "Category",
|
||
"comparison": "isEqualTo",
|
||
"value": "Parsing"
|
||
},
|
||
"name": "group-Parsing"
|
||
}
|
||
]
|
||
},
|
||
"conditionalVisibility": {
|
||
"parameterName": "Category",
|
||
"comparison": "isEqualTo",
|
||
"value": "Parsing"
|
||
},
|
||
"name": "group - Parsing"
|
||
},
|
||
{
|
||
"type": 12,
|
||
"content": {
|
||
"version": "NotebookGroup/1.0",
|
||
"groupType": "editable",
|
||
"items": [
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "# {Category}\r\n\r\n\r\n<h2 style=\"color:blue;\">Overview:</h2>\r\n\r\nWriting Kusto queries when correlating fields from different log sources or manipulating fields may require explicit conversion to a particular data type. Data type conversion may also be required when using certain KQL operators that expect input parameters in a specific format.\r\n\r\n<br>\r\n"
|
||
},
|
||
"name": "text - 0"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "<h2 style=\"color:blue;\">I want to:</h2>"
|
||
},
|
||
"name": "text - 2"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "list",
|
||
"links": [
|
||
{
|
||
"id": "10c45a2a-2b70-422e-9997-0e4f315f7727",
|
||
"cellValue": "Section",
|
||
"linkTarget": "parameter",
|
||
"linkLabel": "1. Type casting a field - Converting from one data type to another",
|
||
"subTarget": "Conversion1",
|
||
"preText": "",
|
||
"style": "link"
|
||
},
|
||
{
|
||
"id": "6da32c48-3d26-4d69-bc0d-9ed2fd469e2b",
|
||
"cellValue": "Section",
|
||
"linkTarget": "parameter",
|
||
"linkLabel": "2. Change the case of the string in a field",
|
||
"subTarget": "Conversion2",
|
||
"style": "link"
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "30",
|
||
"name": "links - 1"
|
||
},
|
||
{
|
||
"type": 12,
|
||
"content": {
|
||
"version": "NotebookGroup/1.0",
|
||
"groupType": "editable",
|
||
"items": [
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "## 1. Type casting a field - Converting from one data type to another\r\n\r\n<h3 style=\"color:blue;\"> Operators to be used:</h3>\r\n\r\n **- [todynamic()](https://docs.microsoft.com/azure/data-explorer/kusto/query/parsejsonfunction)** <br>\r\n\r\n **- [tostring()](https://docs.microsoft.com/azure/data-explorer/kusto/query/tostringfunction)** <br>\r\n\r\n **- [todatetime()](https://docs.microsoft.com/azure/data-explorer/kusto/query/todatetimefunction)**<br>\r\n\r\n **- [mv-expand](https://docs.microsoft.com/azure/data-explorer/kusto/query/mvexpandoperator)**\r\n\r\n<br>\r\n\r\n<h3 style=\"color:blue;\"> Sample Queries:</h3>\r\n\r\n** - Returns the Service DisplayName from the VM Processes**\r\n<p style=\"color:red;\"> VMProcess<br> | mv-expand Services<br> | extend DN = tostring(Services.DisplayName)<br> | project TimeGenerated, Computer, Description, DN, WorkingDirectory</p>\r\n\r\n** - Returns the record at a specific time**\r\n<p style=\"color:red;\"> SecurityEvent<br> | where TimeGenerated == todatetime(\"2021-09-07T16:11:35.920Z\")</p>\r\n\r\n** - Returns the MTP Alert URL from the MDATP Alert in the SecurityAlerts table**\r\n<p style=\"color:red;\"> SecurityAlert<br> | where ProviderName == \"MDATP\"<br> | mv-expand todynamic(ExtendedLinks)<br> | extend URL = tostring(ExtendedLinks.Href)<br> | project TimeGenerated, AlertName, MTP_URL, AlertSeverity, SystemAlertId, Description</p>\r\n\r\n<h3 style=\"color:blue;\"> Sample Use Cases:</h3>\r\n\r\n** - Extract UserName from a json element from within an Array in the Windows Event**\r\n\r\n<p style=\"color:red;\"> Event<br> | where TimeGenerated > ago(3d)<br> | where EventID == '55555'<br> | mv-expand todynamic(RenderedDescription)<br> | extend name = parse_json(RenderedDescription).UserName</p>\r\n\r\n** - Extract the UserPrincipal Name from the Windows Security Event 411 **\r\n\r\n<p style=\"color:red;\"> SecurityEvent<br> | where EventID == 411<br> | extend p = parse_xml(EventData)<br> | extend Error = tostring(parse_json(tostring(parse_json(tostring(p.EventData)).Data))[2])<br> | where Error contains \"The user name or password is incorrect\"<br> | extend UPN = split(Error, \"-\")[0]</p>\r\n\r\n** - List all comments added to Closed Incidents in Microsoft Sentinel from the past 24 hours**\r\n\r\n<p style=\"color:red;\"> SecurityIncident<br> | where Status == \"Closed\" and isnotempty(Comments)<br> | mv-expand Comments<br> | extend CommentCreationTime = todatetime(parse_json(Comments.createdTimeUtc))<br> | where CommentCreationTime >= ago(24h)<br> | summarize by IncidentName, tostring(Comments), ProviderIncidentId</p>\r\n"
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Conversion1"
|
||
},
|
||
"name": "text-Coversion1"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "40",
|
||
"name": "text - 3"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "d9ee5910-b3bd-4b39-82fb-e7666b58479d",
|
||
"cellValue": "https://ms.portal.azure.com#@72f988bf-86f1-41af-91ab-2d7cd011db47/blade/Microsoft_Azure_Monitoring_Logs/LogsBlade/resourceId/%2Fsubscriptions%2F8bdcebd2-ea3d-41c9-bb40-e02bdbafc506%2FresourceGroups%2Foms%2Fproviders%2FMicrosoft.OperationalInsights%2Fworkspaces%2Foms101/source/LogsBlade.AnalyticsShareLinkToQuery/q/H4sIAAAAAAAAAwtOTS4tyiypdC1LzSsBAIySJcsNAAAA/timespan/P1D",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in LA Demo",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "DemoLogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "/Demo"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA61VbU%2FiQBD%2Bzq%2BY1A9CAgiod9FEE07IHREIAV%2BSM8as7Sgr7W5vdwvW3I%2B%2F2S0txVO%2F6IaEMjs7PC%2Bz0729xqs1ENqoxDdciu2Nyt4efQDOuQjCFO4VsgWYOcKfBBVHDfcYyhVwYSRojJliBuE%2BlP6CtlJQGMklF4%2BwQwuGg3Effkz73XP3eycr%2FhrLu8sCmaJJlNAOwgzVkvsIPa7jkKVjFiE8KBm5zasRTJT0UWvUlavR%2BrnyF6JlA59jJoL8vA3is0GK9MZwAkaSFoS5mu83S39Qo%2BRYySf0DVzwCH%2BiQMs5qMOZjOLEoKpDD7WveGzVpB%2FjOlxLtaCKPa7onFQpMdl5c%2F0n0ev1WgMqKFUAzAADHaPPH7gPhoBVZugnipu0v0RhCPVqjgq3McOJZRvQoz1R9TqtTrvROmq0vl%2B0vx2328f7h82jTuu3V%2Fs6wKOLCXRDVAYup8ONXaNet9jgYm1vRsAF6TC7DzesXLBgRe4ueYDKtQCR8lw5b8ttIpoKFnG%2F2ndmYzDkYqFrG%2FctoJL9W2nNXwofPjDf4bF%2FX7cM76jUOjbDJVrAdZil2mDkgoNgq0k%2Bpy7hVIwQXeq1AE5UBk9aCsAQI%2FI%2Fi624mZO4TEBXKZbmQl%2FT3ZYrDVmnfNQvp8AeZXU%2FqBX7LnvQs6LvHtq1%2B47oU6ulwqBEuyS9cMYBzQ%2BNdxb4m%2FnNnOLXCGa524oTstvnMQthe4TkuuQ9l5GFg3b7nctVEsMmFezigtpzFFZdVo8ZVuLfV0qqcvOVlPg41tyUqzWzr5vObckgV9mXwjBOV9C7IGIJkc4kp62Yab2yM4RragiaJnZGeaVbMbFDkQYgN1VXrA5ew6vdtG4%2F58KQaxpaYUjYItuiGlhAt40kgLNQanoakCuB26FG7b4kys4EYbjAcGMSwTfQOYC5TJQufMmPFjLMDDOJdrMhq%2B6B7U%2BuhaRLGZu0eraGUdtq4Dy60WMdOaM3oW1Ke0Fga4yWbMpPN32bjYFNvjR%2BbWPPW9VOT9w16xzMbZ5Ooogp%2FoL2fZrzyiZN0QUF9noxCvPMQfAPTx8P0u4HAAA%3D"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "23",
|
||
"name": "TryLADemo-Conversion1"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "d44226f1-021a-4726-8987-93b6ca740e1a",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in your environment",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "LogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "{Workspace}"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA61VbU%2FiQBD%2Bzq%2BY1A9CAgiod9FEE07IHREIAV%2BSM8as7Sgr7W5vdwvW3I%2B%2F2S0txVO%2F6IaEMjs7PC%2Bz0729xqs1ENqoxDdciu2Nyt4efQDOuQjCFO4VsgWYOcKfBBVHDfcYyhVwYSRojJliBuE%2BlP6CtlJQGMklF4%2BwQwuGg3Effkz73XP3eycr%2FhrLu8sCmaJJlNAOwgzVkvsIPa7jkKVjFiE8KBm5zasRTJT0UWvUlavR%2BrnyF6JlA59jJoL8vA3is0GK9MZwAkaSFoS5mu83S39Qo%2BRYySf0DVzwCH%2BiQMs5qMOZjOLEoKpDD7WveGzVpB%2FjOlxLtaCKPa7onFQpMdl5c%2F0n0ev1WgMqKFUAzAADHaPPH7gPhoBVZugnipu0v0RhCPVqjgq3McOJZRvQoz1R9TqtTrvROmq0vl%2B0vx2328f7h82jTuu3V%2Fs6wKOLCXRDVAYup8ONXaNet9jgYm1vRsAF6TC7DzesXLBgRe4ueYDKtQCR8lw5b8ttIpoKFnG%2F2ndmYzDkYqFrG%2FctoJL9W2nNXwofPjDf4bF%2FX7cM76jUOjbDJVrAdZil2mDkgoNgq0k%2Bpy7hVIwQXeq1AE5UBk9aCsAQI%2FI%2Fi624mZO4TEBXKZbmQl%2FT3ZYrDVmnfNQvp8AeZXU%2FqBX7LnvQs6LvHtq1%2B47oU6ulwqBEuyS9cMYBzQ%2BNdxb4m%2FnNnOLXCGa524oTstvnMQthe4TkuuQ9l5GFg3b7nctVEsMmFezigtpzFFZdVo8ZVuLfV0qqcvOVlPg41tyUqzWzr5vObckgV9mXwjBOV9C7IGIJkc4kp62Yab2yM4RragiaJnZGeaVbMbFDkQYgN1VXrA5ew6vdtG4%2F58KQaxpaYUjYItuiGlhAt40kgLNQanoakCuB26FG7b4kys4EYbjAcGMSwTfQOYC5TJQufMmPFjLMDDOJdrMhq%2B6B7U%2BuhaRLGZu0eraGUdtq4Dy60WMdOaM3oW1Ke0Fga4yWbMpPN32bjYFNvjR%2BbWPPW9VOT9w16xzMbZ5Ooogp%2FoL2fZrzyiZN0QUF9noxCvPMQfAPTx8P0u4HAAA%3D"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "29",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Workspace",
|
||
"comparison": "isNotEqualTo"
|
||
},
|
||
"name": "TryOwnEnv-Conversion1"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "<h3 style=\"color:blue;\"> Check out the relevant samples found in Microsoft Sentinel:</h3>\r\n\r\n#### Analytics Rule:\r\n\r\n **- [Multiple users email forwarded to same destination](https://github.com/Azure/Azure-Sentinel/blob/06832a873e1686244f0bc02b10f79ba879078864/Detections/OfficeActivity/Office_MailForwarding.yaml)**<br>\r\n **- [Correlate Unfamiliar sign-in properties and atypical travel alerts](https://github.com/Azure/Azure-Sentinel/blob/ade86a8cf8026f3a3e3ad28be8a5e89aa1479067/Detections/SecurityAlert/CorrelateIPC_Unfamiliar-Atypical.yaml)**<br>\r\n **- [Brute force attack against Azure Portal](https://github.com/Azure/Azure-Sentinel/blob/06832a873e1686244f0bc02b10f79ba879078864/Detections/SigninLogs/SigninBruteForce-AzurePortal.yaml)**<br>\r\n **- [Distributed Password cracking attempts in AzureAD](https://github.com/Azure/Azure-Sentinel/blob/06832a873e1686244f0bc02b10f79ba879078864/Detections/SigninLogs/DistribPassCrackAttempt.yaml)**<br>\r\n\r\n#### Workbooks:\r\n\r\n **- [Security Operations Efficiency](https://github.com/Azure/Azure-Sentinel/blob/eb0320d133ee877b7564519dbc99148ef331830e/Workbooks/SecurityOperationsEfficiency.json)**<br>\r\n **- [Proofpoint Threat Dashboard](https://github.com/Azure/Azure-Sentinel/blob/c37ffc1532ae5760f71b27dd049c77cab5abfece/Workbooks/ProofPointThreatDashboard.json)**<br>\r\n **- [Analytics Efficiency](https://github.com/Azure/Azure-Sentinel/blob/f4133f38e2bc3f964c8e1de22db27d0ff5536986/Workbooks/AnalyticsEfficiency.json)**<br>\r\n **- [Okta Single SignOnMicrosoft Sentinel Security Alerts](https://github.com/Azure/Azure-Sentinel/blob/83c6d8c7f65a5f209f39f3e06eb2f7374fd8439c/Workbooks/AzureSentinelSecurityAlerts.json)**<br>\r\n\r\n#### Hunting Queries:\r\n\r\n **- [Cobalt Strike DNS Beaconing](https://github.com/Azure/Azure-Sentinel/blob/76578d41f67181e6c1acb16b520f48a31d248036/Hunting%20Queries/MultipleDataSources/CobaltDNSBeacon.yaml)**<br>\r\n **- [User Granted Access and associated audit activity](https://github.com/Azure/Azure-Sentinel/blob/c69fda6e8b90aa3ae797560b670a42fa8fce2859/Hunting%20Queries/AuditLogs/UserGrantedAccess_AllAuditActivity.yaml)**<br>\r\n **- [SQL Alert Correlation with CommonSecurityLogs and AuditLogs](https://github.com/Azure/Azure-Sentinel/blob/5a71f1c4732f501df9f7d2f52efe46137e76bf4a/Hunting%20Queries/MultipleDataSources/SQLAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml)**<br>\r\n **- [Unfamiliar Signin Correlation with AzurePortal Signin Attempts and AuditLogs](https://github.com/Azure/Azure-Sentinel/blob/301819b3d4217428d848a95ea8d19fd351edc6df/Hunting%20Queries/MultipleDataSources/UnfamiliarsignincorrelationwithPortalSigninandAuditlogs.yaml)**<br>\r\n\r\n"
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Conversion1"
|
||
},
|
||
"name": "text-Coversion1 - Copy"
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Conversion1"
|
||
},
|
||
"name": "Conversion1"
|
||
},
|
||
{
|
||
"type": 12,
|
||
"content": {
|
||
"version": "NotebookGroup/1.0",
|
||
"groupType": "editable",
|
||
"items": [
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "## 2. Change the case of the string in a field\r\n\r\n<h3 style=\"color:blue;\"> Operators to be used:</h3>\r\n\r\n **- [toupper()](https://docs.microsoft.com/azure/data-explorer/kusto/query/toupperfunction)** <br>\r\n\r\n **- [tolower()](https://docs.microsoft.com/azure/data-explorer/kusto/query/tolowerfunction)** <br>\r\n\r\n<br>\r\n\r\n<h3 style=\"color:blue;\"> Sample Queries:</h3>\r\n\r\n** - Convert Computer hostname to lowercase**\r\n\r\n<p style=\"color:red;\"> SecurityEvent<br> | extend Hostname = tolower(tostring(split(Computer,\".\")[0]))</p>\r\n\r\n** - Convert AccountName to upper case in Windows Security Logs**\r\n\r\n<p style=\"color:red;\"> SecurityEvent<br> | extend AccountName = toupper(tostring(split(Account,\"\\\\\\\")[1]))</p>\r\n\r\n<h3 style=\"color:blue;\"> Sample Use Cases:</h3>\r\n\r\n** - Compare the Account Name in the Windows Security Event Logs with a Dynamic List of Accounts**\r\n\r\n<p style=\"color:red;\"> let HVA_Accounts = dynamic([\"LOCAL SERVICE\",\"SYSTEM\",\"DC01$\"]);<br> SecurityEvent<br> | extend AccountName = toupper(tostring(split(Account,\"\\\\\\\")[1]))<br> | where AccountName in (HVA_Accounts)</p>\r\n\r\n** - Compare the Account Name in the Windows Security Event Logs with a Dynamic List of Accounts**\r\n\r\n<p style=\"color:red;\"> let HVA_Computer = dynamic([\"victim00\",\"sql00\",\"jbox00\",\"dc01\"]);<br> SecurityEvent<br> | extend Hostname = tolower(tostring(split(Computer,\".\")[0]))<br> | where Hostname in (HVA_Computer)</p>"
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Conversion2"
|
||
},
|
||
"name": "text-Conversion2"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "40",
|
||
"name": "text - 5"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "b1f79330-0e49-4c7a-b93d-773efd47d889",
|
||
"cellValue": "https://ms.portal.azure.com#@72f988bf-86f1-41af-91ab-2d7cd011db47/blade/Microsoft_Azure_Monitoring_Logs/LogsBlade/resourceId/%2Fsubscriptions%2F8bdcebd2-ea3d-41c9-bb40-e02bdbafc506%2FresourceGroups%2Foms%2Fproviders%2FMicrosoft.OperationalInsights%2Fworkspaces%2Foms101/source/LogsBlade.AnalyticsShareLinkToQuery/q/H4sIAAAAAAAAAwtOTS4tyiypdC1LzSsBAIySJcsNAAAA/timespan/P1D",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in LA Demo",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "DemoLogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "/Demo"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA9WT30%2FCMBDH3%2FkrLsOHLUEZz8YHhCUQJiZiNAaIGeOEytbO9gaS%2BMd7FEb4IT4YXrwsadder5%2Fvt7lq9fIg2tKQzmMSSu5vlKpV%2FgA6Qo6TJYw0RjOgKcJHjlqggREmagFCkgKDWaQjQhglKp7x1hI0pmou5ATKHBC2uwHcPgT1jv0vr4sfspyMFUhDyTlq4jHNckINU2VIRikCAzAJ6jgyWOphnGtBy2COkkpfgJ%2BEcgytIvmG0222S7ykmdA1WSLILepWnCvH6%2FtDz%2BNbyz%2FGkZzD2OWtx7HKJXU3pHmWMfsKla2DZzZXLQwU1BCqiTmlYbfSSoYtdShjk1RxBgOWUTuDjJTfFu3Lb2qDJWD61dqRAgttdcBC0BQiaC7ZeRFDKAyBeivKmFKCBK2n%2BmuxwKrG61y374T3jXoIveDhqd0InIrTe%2Bk9Bnc8aTb82oUz9K7P7dMXLKaoce88q3R3Ef%2BBm9sG2XVzLrjFU99n%2F8xHYsf3kfq0k3Hs137z80%2B9U5i5PVw4WeR634iknwCMBAAA"
|
||
},
|
||
{
|
||
"name": "timespan",
|
||
"source": "static",
|
||
"value": "P1D"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "23",
|
||
"name": "TryLADemo-Conversion2"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "24dd3e02-4daf-4af5-bd5d-5c4953daae34",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in your environment",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "LogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "{Workspace}"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA9WT30%2FCMBDH3%2FkrLsOHLUEZz8YHhCUQJiZiNAaIGeOEytbO9gaS%2BMd7FEb4IT4YXrwsadder5%2Fvt7lq9fIg2tKQzmMSSu5vlKpV%2FgA6Qo6TJYw0RjOgKcJHjlqggREmagFCkgKDWaQjQhglKp7x1hI0pmou5ATKHBC2uwHcPgT1jv0vr4sfspyMFUhDyTlq4jHNckINU2VIRikCAzAJ6jgyWOphnGtBy2COkkpfgJ%2BEcgytIvmG0222S7ykmdA1WSLILepWnCvH6%2FtDz%2BNbyz%2FGkZzD2OWtx7HKJXU3pHmWMfsKla2DZzZXLQwU1BCqiTmlYbfSSoYtdShjk1RxBgOWUTuDjJTfFu3Lb2qDJWD61dqRAgttdcBC0BQiaC7ZeRFDKAyBeivKmFKCBK2n%2BmuxwKrG61y374T3jXoIveDhqd0InIrTe%2Bk9Bnc8aTb82oUz9K7P7dMXLKaoce88q3R3Ef%2BBm9sG2XVzLrjFU99n%2F8xHYsf3kfq0k3Hs137z80%2B9U5i5PVw4WeR634iknwCMBAAA"
|
||
},
|
||
{
|
||
"name": "timespan",
|
||
"source": "static",
|
||
"value": "P1D"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "29",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Workspace",
|
||
"comparison": "isNotEqualTo"
|
||
},
|
||
"name": "TryOwnEnv-Conversion2"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "<h3 style=\"color:blue;\"> Check out the relevant samples found in Microsoft Sentinel:</h3>\r\n\r\n#### Analytics Rule:\r\n\r\n **- [RDP Nesting](https://github.com/Azure/Azure-Sentinel/blob/60866cf25e4af0cc1817a8d3fd1d94e53dd85853/Detections/SecurityEvent/RDP_Nesting.yaml)**<br>\r\n **- [Rare RDP Connection](https://github.com/Azure/Azure-Sentinel/blob/60866cf25e4af0cc1817a8d3fd1d94e53dd85853/Detections/SecurityEvent/RDP_RareConnection.yaml)**<br>\r\n **- [User created and added to Built-in Admins on the same day](https://github.com/Azure/Azure-Sentinel/blob/60866cf25e4af0cc1817a8d3fd1d94e53dd85853/Detections/SecurityEvent/UserCreatedAddedToBuiltinAdmins_1d.yaml)**<br>\r\n\r\n#### Workbooks:\r\n\r\n **- [AKS Security](https://github.com/Azure/Azure-Sentinel/blob/368ddf53f09a09610f57ec74118f678935dcda73/Workbooks/AksSecurity.json)**<br>\r\n **- [Insecure Protocols](https://github.com/Azure/Azure-Sentinel/blob/83c6d8c7f65a5f209f39f3e06eb2f7374fd8439c/Workbooks/InsecureProtocols.json)**<br>\r\n **- [Azure KeyVault Workbook](https://github.com/Azure/Azure-Sentinel/blob/83c6d8c7f65a5f209f39f3e06eb2f7374fd8439c/Workbooks/AzureKeyVaultWorkbook.json)**<br>\r\n\r\n#### Hunting Queries:\r\n\r\n **- [Rare Domains seen in Cloud Logs](https://github.com/Azure/Azure-Sentinel/blob/158019e9f69d847f506d2f1ba05af0bad64b66dd/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml)**<br>\r\n **- [Recon Activity with Interactive Logon Correlation](https://github.com/Azure/Azure-Sentinel/blob/9ab2fd683fd040c26fd04ae1cbb520d425bf3b19/Hunting%20Queries/MultipleDataSources/ReconActivitywithInteractiveLogonCorrelation.yaml)**<br>\r\n **- [User created by unauthorized user](https://github.com/Azure/Azure-Sentinel/blob/158019e9f69d847f506d2f1ba05af0bad64b66dd/Hunting%20Queries/SecurityEvent/UserCreatedByUnauthorizedUser.yaml)**<br>"
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Conversion2"
|
||
},
|
||
"name": "text-Conversion2 - Copy"
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Conversion2"
|
||
},
|
||
"name": "Conversion2"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "30",
|
||
"name": "text - 7"
|
||
}
|
||
]
|
||
},
|
||
"conditionalVisibility": {
|
||
"parameterName": "Category",
|
||
"comparison": "isEqualTo",
|
||
"value": "Converting Value"
|
||
},
|
||
"customWidth": "100",
|
||
"name": "group-Conversion"
|
||
},
|
||
{
|
||
"type": 12,
|
||
"content": {
|
||
"version": "NotebookGroup/1.0",
|
||
"groupType": "editable",
|
||
"items": [
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "# {Category}\r\n\r\n\r\n<h2 style=\"color:blue;\">Overview:</h2>\r\n\r\nLogs from some Data sources (such as Firewall/VPN appliances/DNS and more) consist of IP addresses that are contextually relevant when looking for ambiguous/malicious behavior. KQL has some native commands that help deal with IP addresses to compare and/or match the IP addresses in the logs ingested.\r\n\r\nIP Addresses could potentially lead investigations that can be suggestive of compromises from specific Geographical locations, subnets and/or insider risk.\r\n<br>\r\n"
|
||
},
|
||
"name": "text - 0"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "<h2 style=\"color:blue;\">I want to:</h2>"
|
||
},
|
||
"name": "text - 2"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "list",
|
||
"links": [
|
||
{
|
||
"id": "10c45a2a-2b70-422e-9997-0e4f315f7727",
|
||
"cellValue": "Section",
|
||
"linkTarget": "parameter",
|
||
"linkLabel": "1. Match IP addresses in the ingested logs with a known IP subnet",
|
||
"subTarget": "IP1",
|
||
"preText": "",
|
||
"style": "link"
|
||
},
|
||
{
|
||
"id": "40988c97-79b0-481a-b5a8-390f16783e15",
|
||
"cellValue": "Section",
|
||
"linkTarget": "parameter",
|
||
"linkLabel": "2. Compare IP addresses in the ingested logs with a known IP subnet",
|
||
"subTarget": "IP2",
|
||
"preText": "",
|
||
"style": "link"
|
||
},
|
||
{
|
||
"id": "8d63e5f2-3281-40f9-9e13-c3ef98331b24",
|
||
"cellValue": "Section",
|
||
"linkTarget": "parameter",
|
||
"linkLabel": "3. Check if IP Addresses in the ingested log is a private network IP",
|
||
"subTarget": "IP3",
|
||
"style": "link"
|
||
},
|
||
{
|
||
"id": "03b07076-b700-4b7a-a464-1648a2f6003b",
|
||
"cellValue": "Section",
|
||
"linkTarget": "parameter",
|
||
"linkLabel": "4. Matching IP Addresses in a text field",
|
||
"subTarget": "IP4",
|
||
"style": "link"
|
||
},
|
||
{
|
||
"id": "95a6481a-ae90-4a9b-8fc5-5fc295616779",
|
||
"cellValue": "Section",
|
||
"linkTarget": "parameter",
|
||
"linkLabel": "5. Lookup IP Addresses against a GeoIP table",
|
||
"subTarget": "IP5",
|
||
"style": "link"
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "30",
|
||
"name": "links - 1"
|
||
},
|
||
{
|
||
"type": 12,
|
||
"content": {
|
||
"version": "NotebookGroup/1.0",
|
||
"groupType": "editable",
|
||
"items": [
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "## 1. Match IP addresses in the ingested logs with a known IP subnet\r\n\r\n<h3 style=\"color:blue;\"> Operators to be used:</h3>\r\n\r\n **- [ipv4_is_match()](https://docs.microsoft.com/azure/data-explorer/kusto/query/ipv4-is-matchfunction)** <br>\r\n\r\n **- [ipv6_is_match()](https://docs.microsoft.com/azure/data-explorer/kusto/query/ipv6-is-matchfunction)** <br>\r\n\r\n<table class=MsoTableGrid border=1 cellspacing=0 cellpadding=0\r\n style='margin-center:-5.65pt;border-collapse:collapse;border:none'>\r\n <tr>\r\n <td width=96 valign=top style='width:71.75pt;border:solid windowtext 1.0pt;\r\n padding:0in 5.4pt 0in 5.4pt'>\r\n <p class=MsoListParagraphCxSpFirst style='margin:0in;line-height:normal'>Return\r\n Value</p>\r\n </td>\r\n <td width=289 valign=top style='width:217.05pt;border:solid windowtext 1.0pt;\r\n border-left:none;padding:0in 5.4pt 0in 5.4pt'>\r\n <p class=MsoListParagraphCxSpLast style='margin:0in;line-height:normal'>Translation</p>\r\n </td>\r\n </tr>\r\n <tr>\r\n <td width=96 valign=top style='width:71.75pt;border:solid windowtext 1.0pt;\r\n border-top:none;padding:0in 5.4pt 0in 5.4pt'>\r\n <p class=MsoListParagraphCxSpFirst style='margin:0in;line-height:normal'>true</p>\r\n </td>\r\n <td width=289 valign=top style='width:217.05pt;border-top:none;border-left:\r\n none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;\r\n padding:0in 5.4pt 0in 5.4pt'>\r\n <p class=MsoListParagraphCxSpLast style='margin:0in;line-height:normal'><span\r\n lang=EN-AU>If the long representation of the first IPv4 string argument is\r\n equal to the second IPv4 string argument.</span></p>\r\n </td>\r\n </tr>\r\n <tr>\r\n <td width=96 valign=top style='width:71.75pt;border:solid windowtext 1.0pt;\r\n border-top:none;padding:0in 5.4pt 0in 5.4pt'>\r\n <p class=MsoListParagraphCxSpFirst style='margin:0in;line-height:normal'>false</p>\r\n </td>\r\n <td width=289 valign=top style='width:217.05pt;border-top:none;border-left:\r\n none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;\r\n padding:0in 5.4pt 0in 5.4pt'>\r\n <p class=MsoListParagraphCxSpLast style='margin:0in;line-height:normal'><span\r\n lang=EN-AU>If the long representation of the first IPv4 string argument is NOT\r\n equal to the second IPv4 string argument.</span></p>\r\n </td>\r\n </tr>\r\n <tr>\r\n <td width=96 valign=top style='width:71.75pt;border:solid windowtext 1.0pt;\r\n border-top:none;padding:0in 5.4pt 0in 5.4pt'>\r\n <p class=MsoListParagraphCxSpFirst style='margin:0in;line-height:normal'>null</p>\r\n </td>\r\n <td width=289 valign=top style='width:217.05pt;border-top:none;border-left:\r\n none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;\r\n padding:0in 5.4pt 0in 5.4pt'>\r\n <p class=MsoListParagraphCxSpLast style='margin:0in;line-height:normal'><span\r\n lang=EN-AU>If conversion for one of the two IPv4 strings wasn't successful.</span></p>\r\n </td>\r\n </tr>\r\n</table>\r\n **[ipv4_is_in_range()](https://docs.microsoft.com/azure/data-explorer/kusto/query/ipv4-is-in-range-function)** <br>\r\n\r\n<h3 style=\"color:blue;\"> Sample query:</h3>\r\n\r\n** - Populate a column if an IPv4 address is within a known network subnet**\r\n\r\n<p style=\"color:red;\"> Heartbeat<br> | extend HRSubnetIP = iif(ipv4_is_match(ComputerIP,\"52.188.0.0\", 16),\"true\",\"false\")</p>\r\n\r\n OR <br>\r\n\r\n<p style=\"color:red;\"> Heartbeat<br> | extend HRSubnetIP = iif(ipv4_is_in_range(ComputerIP,\"52.188.0.0/16\") == 1,\"true\",\"false\")</p>\r\n\r\n** - Filter out 127.0.0.1 as Client IP from DNS Events**\r\n\r\n<p style=\"color:red;\"> DnsEvents<br> | where SubType =~ \"LookupQuery\"<br> | where ipv4_is_match(\"127.0.0.1\", ClientIP) == False</p>\r\n\r\n<h3 style=\"color:blue;\"> Sample Use cases:</h3>\r\n\r\n** - Detect a Port Scan**\r\n\r\n<p style=\"color:red;\"> let threshold = 50; <br> SophosXGFirewall<br> | where Log_Type =~ \"Firewall\"<br> | where not(ipv4_is_match(\"10.0.0.0\",Src_IP,8) or ipv4_is_match(\"172.16.0.0\",Src_IP,12) or ipv4_is_match(\"192.168.0.0\",Src_IP,16))<br> | summarize dcount(Dst_Port) by Src_IP, bin(TimeGenerated, 5m)<br> | where dcount_Dst_Port > threshold<br> | extend timestamp = TimeGenerated, IPCustomEntity = Src_IP</p>"
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "IP1"
|
||
},
|
||
"name": "text-IP1"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "40",
|
||
"name": "text - 3"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "e7207231-60b5-464d-b621-e40159efac01",
|
||
"cellValue": "https://ms.portal.azure.com#@72f988bf-86f1-41af-91ab-2d7cd011db47/blade/Microsoft_Azure_Monitoring_Logs/LogsBlade/resourceId/%2Fsubscriptions%2F8bdcebd2-ea3d-41c9-bb40-e02bdbafc506%2FresourceGroups%2Foms%2Fproviders%2FMicrosoft.OperationalInsights%2Fworkspaces%2Foms101/source/LogsBlade.AnalyticsShareLinkToQuery/q/H4sIAAAAAAAAAwtOTS4tyiypdC1LzSsBAIySJcsNAAAA/timespan/P1D",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in LA Demo",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "DemoLogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "/Demo"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA8WUTW%2FaQBCG7%2F4VI3PBEgWMAqGqqNTykVhBkRty6M1a2wNeYe%2B6u2MoVdTf3jEkIEhyaqWOfFh73tmZZ2bXnc6HCwuUJVMlJLU6dzidDj8Ad1Kl%2BQ5ig2INlCH8qNBItBBjrrcgFWmwWAojCCHOdbJm1w4MFnoj1QoabDAP7qfw9WH65W7%2F3jhsflnLu1YXEuqyyuscAhKdV4UCuQShIAg3VyDS1KC1IC1sJWVSsWqt9FaBQtpqswZbxbx0blEYilGQ8wT4k1ClcPuw2PuCEEYg5bIpy81VJG1UCEqy5lgXZUVogrDl9nttfzhsd9tdtwX%2BwGu53Dt0W%2B5S5BZdj%2BtsvGmvGnBp%2F4dQqsgItcJ3IDv%2BwPVgNAL%2F34LOZM65QFcEfu%2B6ztT2QVgY5xIVMS8sjS5gcr%2BA6Ya%2FWGei7PPqCbYZGgQmetyVCKPf4M61XlflNz6XO%2FcoOJ%2Bie0zEkzvkCcI926wm%2BjueCRImxAMJtSFYJEI5ORJfFp5YpvOUu97vfnIWusy0%2FX4zkwa3Is%2BPpc71KjrCvHhPJEpT85Kmu4fhY7gwScRTG3qgzSvmax7l4Ezn994UfqyFw3PlwPO4BFsVhTDyF0Ka6EpRc2Ipqjm9%2BpY%2FayGWqvkoC7xBhfWPIG1Bv%2FCOBIfQ6CUUPp96czqlxPGWRFFyuy72CsJxZUkXU0WSduw%2F5P0DOqGDc84EAAA%3D"
|
||
},
|
||
{
|
||
"name": "timespan",
|
||
"source": "static",
|
||
"value": "P1D"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "23",
|
||
"name": "TryLADemo-IP1"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "1e99b042-4f50-44a5-a03f-4db24073f14c",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in your environment",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "LogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "{Workspace}"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA8WUTW%2FaQBCG7%2F4VI3PBEgWMAqGqqNTykVhBkRty6M1a2wNeYe%2B6u2MoVdTf3jEkIEhyaqWOfFh73tmZZ2bXnc6HCwuUJVMlJLU6dzidDj8Ad1Kl%2BQ5ig2INlCH8qNBItBBjrrcgFWmwWAojCCHOdbJm1w4MFnoj1QoabDAP7qfw9WH65W7%2F3jhsflnLu1YXEuqyyuscAhKdV4UCuQShIAg3VyDS1KC1IC1sJWVSsWqt9FaBQtpqswZbxbx0blEYilGQ8wT4k1ClcPuw2PuCEEYg5bIpy81VJG1UCEqy5lgXZUVogrDl9nttfzhsd9tdtwX%2BwGu53Dt0W%2B5S5BZdj%2BtsvGmvGnBp%2F4dQqsgItcJ3IDv%2BwPVgNAL%2F34LOZM65QFcEfu%2B6ztT2QVgY5xIVMS8sjS5gcr%2BA6Ya%2FWGei7PPqCbYZGgQmetyVCKPf4M61XlflNz6XO%2FcoOJ%2Bie0zEkzvkCcI926wm%2BjueCRImxAMJtSFYJEI5ORJfFp5YpvOUu97vfnIWusy0%2FX4zkwa3Is%2BPpc71KjrCvHhPJEpT85Kmu4fhY7gwScRTG3qgzSvmax7l4Ezn994UfqyFw3PlwPO4BFsVhTDyF0Ka6EpRc2Ipqjm9%2BpY%2FayGWqvkoC7xBhfWPIG1Bv%2FCOBIfQ6CUUPp96czqlxPGWRFFyuy72CsJxZUkXU0WSduw%2F5P0DOqGDc84EAAA%3D"
|
||
},
|
||
{
|
||
"name": "timespan",
|
||
"source": "static",
|
||
"value": "P1D"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "29",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Workspace",
|
||
"comparison": "isNotEqualTo"
|
||
},
|
||
"name": "TryOwnEnv-IP1"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "<h3 style=\"color:blue;\"> Check out the relevant samples found in Microsoft Sentinel:</h3>\r\n\r\n#### Analytics Rule:\r\n\r\n **- [Port Scan Detected](https://github.com/Azure/Azure-Sentinel/blob/06832a873e1686244f0bc02b10f79ba879078864/Detections/SophosXGFirewall/PortScanDetected.yaml)**<br>\r\n **- [Potential DGA detected](https://github.com/Azure/Azure-Sentinel/blob/76578d41f67181e6c1acb16b520f48a31d248036/Detections/DnsEvents/DNS_HighNXDomainCount_detection.yaml)**\r\n\r\n#### Workbooks:\r\n\r\n **- [Sophos XG Firewall](https://github.com/Azure/Azure-Sentinel/blob/83c6d8c7f65a5f209f39f3e06eb2f7374fd8439c/Workbooks/SophosXGFirewall.json)**<br>\r\n **- [Better Mobile Threat Defense (MTD)](https://github.com/Azure/Azure-Sentinel/blob/1397ce50af10c32531a68a7a0e3b1b51b4304f4b/Workbooks/BETTER_MTD_Workbook.json)**\r\n\r\n#### Hunting queries:\r\n\r\n **- [Abnormally long DNS URI queries](https://github.com/Azure/Azure-Sentinel/blob/76578d41f67181e6c1acb16b520f48a31d248036/Hunting%20Queries/DnsEvents/DNS_LongURILookup.yaml)**<br>\r\n **- [Potential DGA detected](https://github.com/Azure/Azure-Sentinel/blob/76578d41f67181e6c1acb16b520f48a31d248036/Hunting%20Queries/DnsEvents/DNS_HighPercentNXDomainCount.yaml)**\r\n"
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "IP1"
|
||
},
|
||
"name": "text-IP1 - Copy"
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "IP1"
|
||
},
|
||
"name": "IP1"
|
||
},
|
||
{
|
||
"type": 12,
|
||
"content": {
|
||
"version": "NotebookGroup/1.0",
|
||
"groupType": "editable",
|
||
"items": [
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "## 2. Compare IP addresses in the ingested logs with a known IP subnet\r\n\r\n<h3 style=\"color:blue;\"> Commands to be used:</h3>\r\n\r\n **- [ipv4_compare()](https://docs.microsoft.com/azure/data-explorer/kusto/query/ipv4-comparefunction)** <br>\r\n\r\n **- [ipv6_compare()](https://docs.microsoft.com/azure/data-explorer/kusto/query/ipv6-comparefunction)** <br>\r\n\r\n<table class=MsoTableGrid border=1 cellspacing=0 cellpadding=0\r\n style='margin-left:30.35pt;border-collapse:collapse;border:none'>\r\n <tr>\r\n <td width=96 valign=top style='width:71.75pt;border:solid windowtext 1.0pt;\r\n padding:0in 5.4pt 0in 5.4pt'>\r\n <p class=MsoListParagraphCxSpFirst style='margin:0in;line-height:normal'>Return\r\n Value</p>\r\n </td>\r\n <td width=289 valign=top style='width:217.05pt;border:solid windowtext 1.0pt;\r\n border-left:none;padding:0in 5.4pt 0in 5.4pt'>\r\n <p class=MsoListParagraphCxSpLast style='margin:0in;line-height:normal'>Translation</p>\r\n </td>\r\n </tr>\r\n <tr>\r\n <td width=96 valign=top style='width:71.75pt;border:solid windowtext 1.0pt;\r\n border-top:none;padding:0in 5.4pt 0in 5.4pt'>\r\n <p class=MsoListParagraphCxSpFirst style='margin:0in;line-height:normal'>0</p>\r\n </td>\r\n <td width=289 valign=top style='width:217.05pt;border-top:none;border-left:\r\n none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;\r\n padding:0in 5.4pt 0in 5.4pt'>\r\n <p class=MsoListParagraphCxSpLast style='margin:0in;line-height:normal'><span\r\n lang=EN-AU>If the long representation of the first IPv4 string argument is\r\n equal to the second IPv4 string argument.</span></p>\r\n </td>\r\n </tr>\r\n <tr>\r\n <td width=96 valign=top style='width:71.75pt;border:solid windowtext 1.0pt;\r\n border-top:none;padding:0in 5.4pt 0in 5.4pt'>\r\n <p class=MsoListParagraphCxSpFirst style='margin:0in;line-height:normal'>1</p>\r\n </td>\r\n <td width=289 valign=top style='width:217.05pt;border-top:none;border-left:\r\n none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;\r\n padding:0in 5.4pt 0in 5.4pt'>\r\n <p class=MsoListParagraphCxSpLast style='margin:0in;line-height:normal'><span\r\n lang=EN-AU>If the long representation of the first IPv4 string argument is\r\n greater than the second IPv4 string argument.</span></p>\r\n </td>\r\n </tr>\r\n <tr>\r\n <td width=96 valign=top style='width:71.75pt;border:solid windowtext 1.0pt;\r\n border-top:none;padding:0in 5.4pt 0in 5.4pt'>\r\n <p class=MsoListParagraphCxSpFirst style='margin:0in;line-height:normal'>-1</p>\r\n </td>\r\n <td width=289 valign=top style='width:217.05pt;border-top:none;border-left:\r\n none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;\r\n padding:0in 5.4pt 0in 5.4pt'>\r\n <p class=MsoListParagraphCxSpLast style='margin:0in;line-height:normal'><span\r\n lang=EN-AU>If the long representation of the first IPv4 string argument is\r\n less than the second IPv4 string argument.</span></p>\r\n </td>\r\n </tr>\r\n <tr>\r\n <td width=96 valign=top style='width:71.75pt;border:solid windowtext 1.0pt;\r\n border-top:none;padding:0in 5.4pt 0in 5.4pt'>\r\n <p class=MsoListParagraphCxSpFirst style='margin:0in;line-height:normal'>null</p>\r\n </td>\r\n <td width=289 valign=top style='width:217.05pt;border-top:none;border-left:\r\n none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;\r\n padding:0in 5.4pt 0in 5.4pt'>\r\n <p class=MsoListParagraphCxSpLast style='margin:0in;line-height:normal'><span\r\n lang=EN-AU>If conversion for one of the two IPv4 strings wasn't successful.</span></p>\r\n </td>\r\n </tr>\r\n</table>\r\n\r\n<br>\r\n\r\n<h3 style=\"color:blue;\"> Sample query:</h3>\r\n\r\n** - Populate a column if an IPv4 address is within a known network subnet**\r\n\r\n<p style=\"color:red;\"> Heartbeat<br> | extend HRSubnetIP = ipv4_compare(ComputerIP,\"52.188.0.0\", 16)<br> | extend HRSubnetIP = iif((HRSubnetIP == 0), \"true\", \"false\")</p>\r\n\r\n** - Tag communications as External/Internal based on IP Addresses**\r\n\r\n<p style=\"color:red;\"> VMConnection<br> | extend compare = ipv4_compare(DestinationIp,\"10.0.0.0/8\")<br> | extend Channel = iif(compare != 0 and DestinationIp != \"127.0.0.1\",\"External\",\"Internal\")</p>\r\n<br>"
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "IP2"
|
||
},
|
||
"name": "text-IP2"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "40",
|
||
"name": "text - 3"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "357621da-bdcd-4ebc-ae0f-3d7647d14255",
|
||
"cellValue": "https://ms.portal.azure.com#@72f988bf-86f1-41af-91ab-2d7cd011db47/blade/Microsoft_Azure_Monitoring_Logs/LogsBlade/resourceId/%2Fsubscriptions%2F8bdcebd2-ea3d-41c9-bb40-e02bdbafc506%2FresourceGroups%2Foms%2Fproviders%2FMicrosoft.OperationalInsights%2Fworkspaces%2Foms101/source/LogsBlade.AnalyticsShareLinkToQuery/q/H4sIAAAAAAAAAwtOTS4tyiypdC1LzSsBAIySJcsNAAAA/timespan/P1D",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in LA Demo",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "DemoLogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "/Demo"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA3VRXU%2FCMBR951ccywskk23ED154QCRxQQ1R46vptos0226x7UATf7zdkKioZ0t219uennNuGB4fIGHrTJ05pflnoxOG%2FgXmivPyDakhWcCtCC81GUUWKZV6C8VOw9JaGukIaamzwrfeYKjSG8XP6HrgOrmd4eJuNpm3%2F90d%2BaGWf9EIWeh1XTZ3SGS6rCuGWkIyksXmBDLPDVkLZbFVbqXY7ypYbxlMbqtNAVunvuxckTQuJek676BXR5zj6u6%2B7SULjKHWm5OnTFfeD%2FWm%2Fls7MskiEKfDQTwaDaJBJALEZ%2F3%2Fzqtlr%2Fd9ZYyoH0D4jMkfFEtZWhJ9b6j7J34ldYgmigf57DOoqppVJpvJWUiLmZdjWJZhwrsCqbSUQzcZYbJLiGzn8Waqmakd%2BZeLT8%2BHEVySdYrbS5J1IOJo0D7hSHxLYLqSnrD8tL9nOvLW%2FYBy%2FOBolkU8PG95YhGIvWxf7oWL%2FgewdGDMqAIAAA%3D%3D"
|
||
},
|
||
{
|
||
"name": "timespan",
|
||
"source": "static",
|
||
"value": "P1D"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "23",
|
||
"name": "TryLADemo-IP2"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "c41c796a-dc28-4b92-abe0-e084ec951032",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in your environment",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "LogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "{Workspace}"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA3VRXU%2FCMBR951ccywskk23ED154QCRxQQ1R46vptos0226x7UATf7zdkKioZ0t219uennNuGB4fIGHrTJ05pflnoxOG%2FgXmivPyDakhWcCtCC81GUUWKZV6C8VOw9JaGukIaamzwrfeYKjSG8XP6HrgOrmd4eJuNpm3%2F90d%2BaGWf9EIWeh1XTZ3SGS6rCuGWkIyksXmBDLPDVkLZbFVbqXY7ypYbxlMbqtNAVunvuxckTQuJek676BXR5zj6u6%2B7SULjKHWm5OnTFfeD%2FWm%2Fls7MskiEKfDQTwaDaJBJALEZ%2F3%2Fzqtlr%2Fd9ZYyoH0D4jMkfFEtZWhJ9b6j7J34ldYgmigf57DOoqppVJpvJWUiLmZdjWJZhwrsCqbSUQzcZYbJLiGzn8Waqmakd%2BZeLT8%2BHEVySdYrbS5J1IOJo0D7hSHxLYLqSnrD8tL9nOvLW%2FYBy%2FOBolkU8PG95YhGIvWxf7oWL%2FgewdGDMqAIAAA%3D%3D"
|
||
},
|
||
{
|
||
"name": "timespan",
|
||
"source": "static",
|
||
"value": "P1D"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "29",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Workspace",
|
||
"comparison": "isNotEqualTo"
|
||
},
|
||
"name": "TryOwnEnv-IP2"
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "IP2"
|
||
},
|
||
"name": "IP2"
|
||
},
|
||
{
|
||
"type": 12,
|
||
"content": {
|
||
"version": "NotebookGroup/1.0",
|
||
"groupType": "editable",
|
||
"items": [
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "## 3. Check if IP Addresses in the ingested log is a private network IP\r\n\r\n<h3 style=\"color:blue;\"> Commands to be used:</h3>\r\n\r\n **- [ipv4_is_private()](https://docs.microsoft.com/azure/data-explorer/kusto/query/ipv4-is-privatefunction)** \r\n<br>\r\n\r\n<h3 style=\"color:blue;\"> Sample query:</h3>\r\n\r\n** - Check if an IP Address is private**\r\n\r\n<p style=\"color:red;\"> W3CIISLog<br> | extend IsPrivate = iif(ipv4_is_private(cIP),\"true\",\"false\")</p>\r\n\r\n** - Filter out all Public IPs from logs**\r\n\r\n<p style=\"color:red;\"> AzureDiagnostics<br> | where ipv4_is_private(primaryIPv4Address_s)</p>\r\n\r\n<h3 style=\"color:blue;\"> Sample Use cases:</h3>\r\n\r\n** - Detect the presence of an External Proxy**\r\n\r\n<p style=\"color:red;\"> Corelight <br> | where EventType =~ 'http'<br> | where isnotempty(HttpProxiedHeaders)<br> | where ipv4_is_private(SrcIpAddr) == 'False'<br> | extend IPCustomEntity = SrcIpAddr</p>"
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "IP3"
|
||
},
|
||
"name": "text-IP3"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "40",
|
||
"name": "text - 3"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "69ef7f8a-e5a3-49fe-b22d-e0dde695ee98",
|
||
"cellValue": "https://ms.portal.azure.com#@72f988bf-86f1-41af-91ab-2d7cd011db47/blade/Microsoft_Azure_Monitoring_Logs/LogsBlade/resourceId/%2Fsubscriptions%2F8bdcebd2-ea3d-41c9-bb40-e02bdbafc506%2FresourceGroups%2Foms%2Fproviders%2FMicrosoft.OperationalInsights%2Fworkspaces%2Foms101/source/LogsBlade.AnalyticsShareLinkToQuery/q/H4sIAAAAAAAAAwtOTS4tyiypdC1LzSsBAIySJcsNAAAA/timespan/P1D",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in LA Demo",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "DemoLogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "/Demo"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA6WRT0sDMRDF7%2FsphvbQFpQe9NpDrSsNFVlU8FjS7HR3aDZZJ7OrK%2BJnN1vFP1VPPgIhTDL5vXnT6fGBlAvCjRHy7nshmU7jAliRy20HG0a9AykR7htkwgAbtP4ByImHgLVmLQgb680uljpgrHxLroBhFFyqqxTOrtP5an8evjU%2FZPlTPciiRLMD2oJ2oDKY5zljCEABaqY2fp7cnSyUurn0RfIM%2BCjoclAheyvCDIi2Y6rb0zWF9fuTsVHZ5GgQB4CDo8FW24CDSfxs%2BKt%2BuDhUj3lBVpDBNwLaWsiajSUTgQNs2VdgfRGS%2BVPDeE66cD4ImRB5H0pkhEO8uFeaO5W1p%2B9%2B1%2BGffOcoaGQfZB0bojMIfj%2FUNI6MnY7M7B%2B7ZOEZLRWlfNClLTq57eo4zBcYlSL16JM8OC9Y1dKNl7HQtyDMl6hz5Ij8l8EbNqrurU1gNoPRRZ%2FA6Et82aIJ4qvUCUkXM%2Fy4%2Fwr0VnmhyQIAAA%3D%3D"
|
||
},
|
||
{
|
||
"name": "timespan",
|
||
"source": "static",
|
||
"value": "P1D"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "23",
|
||
"name": "TryLADemo-IP3"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "aa1206ab-a6d9-434c-ba66-0b8616b85c35",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in your environment",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "LogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "{Workspace}"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA6WRT0sDMRDF7%2FsphvbQFpQe9NpDrSsNFVlU8FjS7HR3aDZZJ7OrK%2BJnN1vFP1VPPgIhTDL5vXnT6fGBlAvCjRHy7nshmU7jAliRy20HG0a9AykR7htkwgAbtP4ByImHgLVmLQgb680uljpgrHxLroBhFFyqqxTOrtP5an8evjU%2FZPlTPciiRLMD2oJ2oDKY5zljCEABaqY2fp7cnSyUurn0RfIM%2BCjoclAheyvCDIi2Y6rb0zWF9fuTsVHZ5GgQB4CDo8FW24CDSfxs%2BKt%2BuDhUj3lBVpDBNwLaWsiajSUTgQNs2VdgfRGS%2BVPDeE66cD4ImRB5H0pkhEO8uFeaO5W1p%2B9%2B1%2BGffOcoaGQfZB0bojMIfj%2FUNI6MnY7M7B%2B7ZOEZLRWlfNClLTq57eo4zBcYlSL16JM8OC9Y1dKNl7HQtyDMl6hz5Ij8l8EbNqrurU1gNoPRRZ%2FA6Et82aIJ4qvUCUkXM%2Fy4%2Fwr0VnmhyQIAAA%3D%3D"
|
||
},
|
||
{
|
||
"name": "timespan",
|
||
"source": "static",
|
||
"value": "P1D"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "29",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Workspace",
|
||
"comparison": "isNotEqualTo"
|
||
},
|
||
"name": "TryOwnEnv-IP3"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "<h3 style=\"color:blue;\"> Check out the relevant samples found in Microsoft Sentinel:</h3>\r\n\r\n#### Analytics Rule:\r\n\r\n **- [Ubiquiti - Large ICMP to external server](https://github.com/Azure/Azure-Sentinel/blob/a6f6275b4ba79f8bfcefe7ae72afcb055a5bbf80/Solutions/Ubiquiti/Analytic%20Rules/UbiquitiL2RLargeIcmp.yaml)**<br>\r\n **- [Corelight - External Proxy Detected](https://github.com/Azure/Azure-Sentinel/blob/a6f6275b4ba79f8bfcefe7ae72afcb055a5bbf80/Solutions/Corelight/Analytic%20Rules/CorelightExternalProxyDetected.yaml)**<br>\r\n **- [OracleDBAudit - Connection to database from external IP](https://github.com/Azure/Azure-Sentinel/blob/a6f6275b4ba79f8bfcefe7ae72afcb055a5bbf80/Solutions/OracleDatabaseAudit/Analytic%20Rules/OracleDBAuditConnectFromExternalIp.yaml)**<br>\r\n **- [Exchange SSRF Autodiscover ProxyShell - Detection](https://github.com/Azure/Azure-Sentinel/blob/1ec69a144ea9e405de6cbbc4b109f7fa6d61c164/Detections/W3CIISLog/ProxyShellPwn2Own.yaml)**<br>\r\n\r\n#### Workbooks:\r\n\r\n **- [Ubiquiti](https://github.com/Azure/Azure-Sentinel/blob/83c6d8c7f65a5f209f39f3e06eb2f7374fd8439c/Solutions/Ubiquiti/Workbooks/Ubiquiti.json)**\r\n\r\n#### Hunting Queries:\r\n\r\n **- [Exchange Server Suspicious URIs Visited](https://github.com/Azure/Azure-Sentinel/blob/158019e9f69d847f506d2f1ba05af0bad64b66dd/Hunting%20Queries/W3CIISLog/ExchangeServerSuspiciousURIsVisited.yaml)**<br>\r\n **- [Ubiquiti - Hidden internal DNS server](https://github.com/Azure/Azure-Sentinel/blob/83c6d8c7f65a5f209f39f3e06eb2f7374fd8439c/Solutions/Ubiquiti/Hunting%20Queries/UbiquitiInternalDnsServer.yaml)**<br>\r\n **- [Suspected ProxyToken Exploitation](https://github.com/Azure/Azure-Sentinel/blob/6d573b82c76896a8d077557e60e9d59d87034878/Hunting%20Queries/W3CIISLog/SuspectedProxyTokenExploitation.yaml)**<br>\r\n **- [Exchange Server ProxyLogon URIs](https://github.com/Azure/Azure-Sentinel/blob/158019e9f69d847f506d2f1ba05af0bad64b66dd/Hunting%20Queries/W3CIISLog/ExchangeServerProxyLogonURI.yaml)**<br>\r\n"
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "IP3"
|
||
},
|
||
"name": "text-IP3 - Copy"
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "IP3"
|
||
},
|
||
"name": "IP3"
|
||
},
|
||
{
|
||
"type": 12,
|
||
"content": {
|
||
"version": "NotebookGroup/1.0",
|
||
"groupType": "editable",
|
||
"items": [
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "## 4. Matching IP Addresses in a text field\r\n\r\n<h3 style=\"color:blue;\"> Operators to be used:</h3>\r\n\r\n **- [has_ipv4()](https://docs.microsoft.com/azure/data-explorer/kusto/query/has-ipv4-function)**<br>\r\n **- [has_any_ipv4()](https://docs.microsoft.com/azure/data-explorer/kusto/query/has-any-ipv4-function)**\r\n<br>\r\n\r\n<h3 style=\"color:blue;\"> Sample query:</h3>\r\n\r\n** - Filter logs based on an IP Address**\r\n\r\n<p style=\"color:red;\"> AzureDiagnostics<br> | where Category contains \"PeeringRouteLog\"<br> | where has_any_ipv4(nexthop_s,\"192.168.12.41\")</p>\r\n\r\n** - Filter logs based on a list of IP Addresses**\r\n\r\n<p style=\"color:red;\"> let IPList = dynamic([\"192.168.12.41\",\"192.168.12.45\",\"10.71.2.13\"]);<br> AzureDiagnostics<br> | where Category contains \"PeeringRouteLog\"<br> | where has_any_ipv4(nexthop_s,IPList)</p>\r\n\r\n<h3 style=\"color:blue;\"> Sample Use cases:</h3>\r\n\r\n** - Look for an IP Address match in multiple fields**\r\n\r\n<p style=\"color:red;\"> CommonSecurityLog <br> | where isnotempty(SourceIP) or isnotempty(DestinationIP)<br> | where SourceIP in (IPList) or DestinationIP in (IPList) or has_any_ipv4 (Message, IPList)<br> | extend IPMatch = case(<br> SourceIP in (IPList), \"SourceIP\",<br> DestinationIP in (IPList), \"DestinationIP\",<br> \"Message\")</p>\r\n\r\n** - Look for an IP Address match in Threat Intelligence Indicators**\r\n\r\n<p style=\"color:red;\"> let SrcIP = ThreatIntelligenceIndicator <br> | summarize SrcIPList = make_set(NetworkSourceIP); <br> CommonSecurityLog <br> | where isnotempty(SourceIP) or isnotempty(DestinationIP)<br> | where SourceIP in (SrcIP) or DestinationIP in (SrcIP) or has_any_ipv4 (Message, toscalar(SrcIP))<br> | extend IPMatch = case(SourceIP in (SrcIP), \"SourceIP\", DestinationIP in (SrcIP), \"DestinationIP\",\"Message\")</p>\r\n"
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "IP4"
|
||
},
|
||
"name": "text-IP4"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "40",
|
||
"name": "text - 3"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "5a9a0353-078b-451a-8356-56948c35c7ee",
|
||
"cellValue": "https://ms.portal.azure.com#@72f988bf-86f1-41af-91ab-2d7cd011db47/blade/Microsoft_Azure_Monitoring_Logs/LogsBlade/resourceId/%2Fsubscriptions%2F8bdcebd2-ea3d-41c9-bb40-e02bdbafc506%2FresourceGroups%2Foms%2Fproviders%2FMicrosoft.OperationalInsights%2Fworkspaces%2Foms101/source/LogsBlade.AnalyticsShareLinkToQuery/q/H4sIAAAAAAAAAwtOTS4tyiypdC1LzSsBAIySJcsNAAAA/timespan/P1D",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in LA Demo",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "DemoLogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "/Demo"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA7VUTW%2FaQBC98ytG5mIkCiVNvxRxoEkqoZAIhd6qCi3rwaxY79DdcVJH%2BfEd8%2BGAG5RKUUa%2B7Ly3O2%2FmjdztvqvF0AX2uWZD7hBodLvyAVwZl9gCZh7VEniB8DtHbzDADC3dg3FMEHClvGKEmSW9FKgAjxndGZdCUwJGw5tL%2BHZ7Obhan5ubx%2BtajkYp5LuxjB4spfK%2BCpgAOVAOhmMYJInHEBqDh9zjhVGpo8BGh8Yj3C%2FQI5yLtpR8AZocK%2BMCRGOULlx6SznjiNKo4i5UmCpXTM3q7jR2%2BIcXtJqGdtT7etLpffrS6Z10TntRSyQ1n41%2Feq3H8WbAmsBA872eMDQssiRGJdSHpHAqMzr%2BWdNzqO9jeX7f%2BdzrSO5D9Kt19qaz2ah75UhGREuYkz%2F0FDLFeiFbBllu2awswtygTULjnLKM3AR17g0XIrNSaYIjxmzFRTyh3GscjlsgD%2B%2FlL1CG4FS59QJWN3f0sl687aq8eUCvg%2FtDgfhaRKsU27AbyiPInNAlkrhe99IHLY7Hz9VqQ7RLR%2B3jVYV2gAk32tZ97WK%2B5MKPhfwHZB8do7UmRadRDonRislvdnXitdzsb6n7zIooQwl5lilvHnDD3653ppY4DcjxDfI9%2BWXl39nb%2B73WccTuJ%2ByI20xBK6v8lvmftm%2FIL7lesWqmP3n%2BF56VujnXBQAA"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "23",
|
||
"name": "TryLADemo-IP4"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "e24cf34a-03a1-49d8-b83c-c41931b02782",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in your environment",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "LogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "{Workspace}"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA7VUTW%2FaQBC98ytG5mIkCiVNvxRxoEkqoZAIhd6qCi3rwaxY79DdcVJH%2BfEd8%2BGAG5RKUUa%2B7Ly3O2%2FmjdztvqvF0AX2uWZD7hBodLvyAVwZl9gCZh7VEniB8DtHbzDADC3dg3FMEHClvGKEmSW9FKgAjxndGZdCUwJGw5tL%2BHZ7Obhan5ubx%2BtajkYp5LuxjB4spfK%2BCpgAOVAOhmMYJInHEBqDh9zjhVGpo8BGh8Yj3C%2FQI5yLtpR8AZocK%2BMCRGOULlx6SznjiNKo4i5UmCpXTM3q7jR2%2BIcXtJqGdtT7etLpffrS6Z10TntRSyQ1n41%2Feq3H8WbAmsBA872eMDQssiRGJdSHpHAqMzr%2BWdNzqO9jeX7f%2BdzrSO5D9Kt19qaz2ah75UhGREuYkz%2F0FDLFeiFbBllu2awswtygTULjnLKM3AR17g0XIrNSaYIjxmzFRTyh3GscjlsgD%2B%2FlL1CG4FS59QJWN3f0sl687aq8eUCvg%2FtDgfhaRKsU27AbyiPInNAlkrhe99IHLY7Hz9VqQ7RLR%2B3jVYV2gAk32tZ97WK%2B5MKPhfwHZB8do7UmRadRDonRislvdnXitdzsb6n7zIooQwl5lilvHnDD3653ppY4DcjxDfI9%2BWXl39nb%2B73WccTuJ%2ByI20xBK6v8lvmftm%2FIL7lesWqmP3n%2BF56VujnXBQAA"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "29",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Workspace",
|
||
"comparison": "isNotEqualTo"
|
||
},
|
||
"name": "TryOwnEnv-IP4"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "<h3 style=\"color:blue;\"> Check out the relevant samples found in Microsoft Sentinel:</h3>\r\n\r\n#### Analytics Rule:\r\n\r\n **- [Manganese_VPN-IOCs](https://github.com/Azure/Azure-Sentinel/blob/60866cf25e4af0cc1817a8d3fd1d94e53dd85853/Detections/MultipleDataSources/Manganese_VPN-IOCs.yaml)**<br>\r\n"
|
||
},
|
||
"customWidth": "70",
|
||
"name": "text - 4"
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "IP4"
|
||
},
|
||
"name": "group - IP4"
|
||
},
|
||
{
|
||
"type": 12,
|
||
"content": {
|
||
"version": "NotebookGroup/1.0",
|
||
"groupType": "editable",
|
||
"items": [
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "## 5. Lookup IP Addresses against a GeoIP table\r\n\r\n<h3 style=\"color:blue;\"> Operators to be used:</h3>\r\n\r\n **- [ipv4_lookup](https://docs.microsoft.com/azure/data-explorer/kusto/query/ipv4-lookup-plugin)**<br>\r\n\r\n **- [externaldata](https://docs.microsoft.com/azure/data-explorer/kusto/query/externaldata-operator?pivots=azuredataexplorer)**<br>\r\n\r\n<h3 style=\"color:blue;\"> Sample Use cases:</h3>\r\n\r\n** - Lookup IP Address in the Azure Activity table against a GeoIP table**\r\n\r\n<p style=\"color:red;\"> let IP_Data =\r\n <br> externaldata(network:string,geoname_id:long,continent_code:string,continent_name:string,<br> country_iso_code:string,country_name:string,is_anonymous_proxy:bool,<br> is_satellite_provider:bool)<br> ['https://raw.githubusercontent.com/datasets/geoip2-ipv4/master/data/geoip2-ipv4.csv'];<br> AzureActivity<br> | where isnotempty(CallerIpAddress)<br> | evaluate ipv4_lookup(IP_Data, CallerIpAddress, network, return_unmatched = true)<br> | project TimeGenerated, Caller, CallerIpAddress, CategoryValue,OperationNameValue,<br> ResourceProviderValue,ActivityStatusValue,ResourceGroup,continent_name,country_name</p>"
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "IP5"
|
||
},
|
||
"name": "text-IP4 - Copy"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "40",
|
||
"name": "text - 5"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "b1f79330-0e49-4c7a-b93d-773efd47d889",
|
||
"cellValue": "https://ms.portal.azure.com#@72f988bf-86f1-41af-91ab-2d7cd011db47/blade/Microsoft_Azure_Monitoring_Logs/LogsBlade/resourceId/%2Fsubscriptions%2F8bdcebd2-ea3d-41c9-bb40-e02bdbafc506%2FresourceGroups%2Foms%2Fproviders%2FMicrosoft.OperationalInsights%2Fworkspaces%2Foms101/source/LogsBlade.AnalyticsShareLinkToQuery/q/H4sIAAAAAAAAAwtOTS4tyiypdC1LzSsBAIySJcsNAAAA/timespan/P1D",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in LA Demo",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "DemoLogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "/Demo"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA3VSwWrcMBC971cM5JANOGsoOW3pYZuGZUlIQlJ6CcXI9mCrK2tUaeSNQz%2B%2BI8dLEtMKY5g3o9F7bybPz2dnZwP7WLEm%2BzGxyHP5AK61rc0ApUe1B24Rfkf0GgOUaOgA2jJBQKe8YoTSULWX1AAeO%2Bq1beBEDtzsbq%2Fg68PV5nqMT16bz7n89yQiN0T76GB3D5u69hiCPD3y2bxEL3%2BR0GsegFVpEFSjtCgDBVskuTOiC4MsDYpvihV8AXxm9FaZopZ4aZEP5PdrsUNoZw2SVR0Wul4bkrgiy9qi5aKiGo9Vb2gqnlAQOFr2Q6EDzcpf8XfFmQ6FsmSHjmIonKfnYV0SmYQHsdQYzZjwXtfox9TZ02nL7MI6z706rBrNbSxjQJ%2FYCJdVRV2eNAXkkIsQ7T6da9df5J0KInnMvcdXVehPf35ejE4ejVz8gUOL4qwOlhg7x8PyUhmDfuemCZxJDfbKxDT61Kgw45CWk8cZzC5kMLmcyX5w9LaItlNctVjLPGQPMbUUsb%2BwYviuO9yixbRZ9bHXP3peSr4hP%2FwQJpjBnUs3ZJ9vxeUJe8BA0Vd4P%2Fk4wUetj6w4hlnt1lN0GXwccYrfZvgXff6mPE8DAAA%3D"
|
||
},
|
||
{
|
||
"name": "timespan",
|
||
"source": "static",
|
||
"value": "P1D"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "23",
|
||
"name": "TryLADemo-IP5"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "24dd3e02-4daf-4af5-bd5d-5c4953daae34",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in your environment",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "LogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "{Workspace}"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA3VSwWrcMBC971cM5JANOGsoOW3pYZuGZUlIQlJ6CcXI9mCrK2tUaeSNQz%2B%2BI8dLEtMKY5g3o9F7bybPz2dnZwP7WLEm%2BzGxyHP5AK61rc0ApUe1B24Rfkf0GgOUaOgA2jJBQKe8YoTSULWX1AAeO%2Bq1beBEDtzsbq%2Fg68PV5nqMT16bz7n89yQiN0T76GB3D5u69hiCPD3y2bxEL3%2BR0GsegFVpEFSjtCgDBVskuTOiC4MsDYpvihV8AXxm9FaZopZ4aZEP5PdrsUNoZw2SVR0Wul4bkrgiy9qi5aKiGo9Vb2gqnlAQOFr2Q6EDzcpf8XfFmQ6FsmSHjmIonKfnYV0SmYQHsdQYzZjwXtfox9TZ02nL7MI6z706rBrNbSxjQJ%2FYCJdVRV2eNAXkkIsQ7T6da9df5J0KInnMvcdXVehPf35ejE4ejVz8gUOL4qwOlhg7x8PyUhmDfuemCZxJDfbKxDT61Kgw45CWk8cZzC5kMLmcyX5w9LaItlNctVjLPGQPMbUUsb%2BwYviuO9yixbRZ9bHXP3peSr4hP%2FwQJpjBnUs3ZJ9vxeUJe8BA0Vd4P%2Fk4wUetj6w4hlnt1lN0GXwccYrfZvgXff6mPE8DAAA%3D"
|
||
},
|
||
{
|
||
"name": "timespan",
|
||
"source": "static",
|
||
"value": "P1D"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "29",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Workspace",
|
||
"comparison": "isNotEqualTo"
|
||
},
|
||
"name": "TryOwnEnv-IP5"
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "IP5"
|
||
},
|
||
"name": "group - IP5"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "30",
|
||
"name": "text - 7"
|
||
}
|
||
]
|
||
},
|
||
"conditionalVisibility": {
|
||
"parameterName": "Category",
|
||
"comparison": "isEqualTo",
|
||
"value": "Dealing with IP Addresses"
|
||
},
|
||
"name": "group-IPAddresses"
|
||
},
|
||
{
|
||
"type": 12,
|
||
"content": {
|
||
"version": "NotebookGroup/1.0",
|
||
"groupType": "editable",
|
||
"items": [
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "# {Category}\r\n\r\n\r\n<h2 style=\"color:blue;\">Overview:</h2>\r\n\r\nDealing/Manipulating fields is almost always required. Logs when ingested may contain information in some fields that need to be concatenated or split for better understanding and/or processing in security context for detections, reporting or hunting.\r\n\r\n<br>\r\n"
|
||
},
|
||
"name": "text - 0"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "<h2 style=\"color:blue;\">I want to:</h2>"
|
||
},
|
||
"name": "text - 2"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "list",
|
||
"links": [
|
||
{
|
||
"id": "10c45a2a-2b70-422e-9997-0e4f315f7727",
|
||
"cellValue": "Section",
|
||
"linkTarget": "parameter",
|
||
"linkLabel": "1. Concatenate field to form a single string and write it to a new column",
|
||
"subTarget": "Fields1",
|
||
"preText": "",
|
||
"style": "link"
|
||
},
|
||
{
|
||
"id": "40988c97-79b0-481a-b5a8-390f16783e15",
|
||
"cellValue": "Section",
|
||
"linkTarget": "parameter",
|
||
"linkLabel": "2. Split characters from a string field and extract a part of it",
|
||
"subTarget": "Fields2",
|
||
"preText": "",
|
||
"style": "link"
|
||
},
|
||
{
|
||
"id": "27997138-96d1-4ee8-8ca1-ecae9b973d24",
|
||
"cellValue": "Section",
|
||
"linkTarget": "parameter",
|
||
"linkLabel": "3. Conditionally write in a column",
|
||
"subTarget": "Fields3",
|
||
"style": "link"
|
||
},
|
||
{
|
||
"id": "67938a08-0efa-4a6f-a6c3-bd2973969aea",
|
||
"cellValue": "Section",
|
||
"linkTarget": "parameter",
|
||
"linkLabel": "4. Validate and/or filter on a field value being empty or null",
|
||
"subTarget": "Fields4",
|
||
"style": "link"
|
||
},
|
||
{
|
||
"id": "f9497a5c-41b0-43fb-b34a-ac5949dede84",
|
||
"cellValue": "Section",
|
||
"linkTarget": "parameter",
|
||
"linkLabel": "5. Conditionally populate a field based on other values in logs",
|
||
"subTarget": "Fields5",
|
||
"style": "link"
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "30",
|
||
"name": "links - 1"
|
||
},
|
||
{
|
||
"type": 12,
|
||
"content": {
|
||
"version": "NotebookGroup/1.0",
|
||
"groupType": "editable",
|
||
"items": [
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "## 1. Concatenate field to form a single string and write it to a new column\r\n\r\n<h3 style=\"color:blue;\"> Operators to be used:</h3>\r\n\r\n ** [strcat()](https://docs.microsoft.com/azure/data-explorer/kusto/query/strcatfunction)** \r\n<br>\r\n\r\n<h3 style=\"color:blue;\"> Sample query:</h3>\r\n\r\n** - Concatenated string that uses constant string and values from Fields**\r\n\r\n<p style=\"color:red;\"> DeviceInfo<br> | extend Info = strcat(\"Device with Hostname\",DeviceName,\" and <br> Public IP Address –\", PublicIP,\" was found sending unusual traffic. Please investigate\")</p>\r\n\r\n<h3 style=\"color:blue;\"> Sample use cases:</h3>\r\n\r\n** - Identify when a password change occurs on a host **\r\n\r\n<p style=\"color:red;\"> SecurityEvent <br> | where EventID in (4723,4724) <br> | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated),<br> ResultDescriptions = makeset(Activity), ActionCount = count() by Resource = Computer, <br> OperationName = strcat(\"TargetAccount: \", TargetUserName),<br> UserId = Account, Type </p>"
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Fields1"
|
||
},
|
||
"name": "text-Fields1"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "40",
|
||
"name": "text - 3"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "b1f79330-0e49-4c7a-b93d-773efd47d889",
|
||
"cellValue": "https://ms.portal.azure.com#@72f988bf-86f1-41af-91ab-2d7cd011db47/blade/Microsoft_Azure_Monitoring_Logs/LogsBlade/resourceId/%2Fsubscriptions%2F8bdcebd2-ea3d-41c9-bb40-e02bdbafc506%2FresourceGroups%2Foms%2Fproviders%2FMicrosoft.OperationalInsights%2Fworkspaces%2Foms101/source/LogsBlade.AnalyticsShareLinkToQuery/q/H4sIAAAAAAAAAwtOTS4tyiypdC1LzSsBAIySJcsNAAAA/timespan/P1D",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in LA Demo",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "DemoLogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "/Demo"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA3VS227bMAx9z1cQzosDeA2wFRgwoA9ek25Ghy7o5QMUiY6F2JInUk497GH%2FsD%2Fcl5RyOiBtMcIXiTwkDy%2FL5btXUjniEDVb714aZsulPADX1pl2hG1AtQduEH5EDBYJttj6A1jHHgh7FRQjbFuv92IaIWDnB%2Bt2MBeBb9XNGj7frsvr6T4%2FBn%2FN5b%2BSiFx6pyWFk9eAcE6xuVEMkYSM9lKHcvzPopyBQbVRTHXwHVxZbA3NVjhYjZWr%2FewX4KOEM5BucJEcJX6eHSFwsNzAV0%2FsVIdZcdTeyLnIpuCbuG2thmoDpTEBieDv7z9Z8ayvNgI7KEnuo4BJ8iRW0UWKqgUOqq6tPoNNi4pQmjggsd1JbdkiFTt%2FKW%2F6dyIJXhl0bOsRDg06UNArooMPBnSj3A7Bax0DgU%2B2Rmqa3aEoLI%2FrQRylFeIXEKZbtRI6kJ9%2FfP%2BhkM%2F5QswUu04F%2BxPhjlXge9vhA2tpWmddnm5f0GFaALMoYO3MCUA9vgHcIsWWV0g62D4tHk3APRJyXsoqDsJMcOW0lZfSQRaATv98kXZLAvgYZEgXshVdHxlDAd%2F7lEAc0pBO5nmvwg651JP%2FJ5ARHTUPhCFBJVE6VkZ8nlECGXt8AlbX3PwsAwAA"
|
||
},
|
||
{
|
||
"name": "timespan",
|
||
"source": "static",
|
||
"value": "P1D"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "23",
|
||
"name": "TryLADemo-Fields1"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "24dd3e02-4daf-4af5-bd5d-5c4953daae34",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in your environment",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "LogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "{Workspace}"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA3VS227bMAx9z1cQzosDeA2wFRgwoA9ek25Ghy7o5QMUiY6F2JInUk497GH%2FsD%2Fcl5RyOiBtMcIXiTwkDy%2FL5btXUjniEDVb714aZsulPADX1pl2hG1AtQduEH5EDBYJttj6A1jHHgh7FRQjbFuv92IaIWDnB%2Bt2MBeBb9XNGj7frsvr6T4%2FBn%2FN5b%2BSiFx6pyWFk9eAcE6xuVEMkYSM9lKHcvzPopyBQbVRTHXwHVxZbA3NVjhYjZWr%2FewX4KOEM5BucJEcJX6eHSFwsNzAV0%2FsVIdZcdTeyLnIpuCbuG2thmoDpTEBieDv7z9Z8ayvNgI7KEnuo4BJ8iRW0UWKqgUOqq6tPoNNi4pQmjggsd1JbdkiFTt%2FKW%2F6dyIJXhl0bOsRDg06UNArooMPBnSj3A7Bax0DgU%2B2Rmqa3aEoLI%2FrQRylFeIXEKZbtRI6kJ9%2FfP%2BhkM%2F5QswUu04F%2BxPhjlXge9vhA2tpWmddnm5f0GFaALMoYO3MCUA9vgHcIsWWV0g62D4tHk3APRJyXsoqDsJMcOW0lZfSQRaATv98kXZLAvgYZEgXshVdHxlDAd%2F7lEAc0pBO5nmvwg651JP%2FJ5ARHTUPhCFBJVE6VkZ8nlECGXt8AlbX3PwsAwAA"
|
||
},
|
||
{
|
||
"name": "timespan",
|
||
"source": "static",
|
||
"value": "P1D"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "29",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Workspace",
|
||
"comparison": "isNotEqualTo"
|
||
},
|
||
"name": "TryOwnEnv-Fields1"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "<h3 style=\"color:blue;\"> Check out the relevant samples found in Microsoft Sentinel:</h3>\r\n\r\n#### Analytics Rule:\r\n\r\n **- [Anomalous sign-in location by user account and authenticating application](https://github.com/Azure/Azure-Sentinel/blob/06832a873e1686244f0bc02b10f79ba879078864/Detections/SigninLogs/AnomalousUserAppSigninLocationIncrease-detection.yaml)**<br>\r\n\r\n **- [Azure DevOps Service Conection Abuse](https://github.com/Azure/Azure-Sentinel/blob/06832a873e1686244f0bc02b10f79ba879078864/Detections/AzureDevOpsAuditing/AzDOServiceConnectionUsage.yaml)**<br>\r\n\r\n **- [Correlate Unfamiliar sign-in properties and atypical travel alerts](https://github.com/Azure/Azure-Sentinel/blob/ade86a8cf8026f3a3e3ad28be8a5e89aa1479067/Detections/SecurityAlert/CorrelateIPC_Unfamiliar-Atypical.yaml)**<br>\r\n\r\n#### Workbooks:\r\n\r\n **- [Azure Active Directory Signin Logs](https://github.com/Azure/Azure-Sentinel/blob/403cff4851d7712b4c524f287a483de84f7db34b/Workbooks/AzureActiveDirectorySignins.json)**<br>\r\n\r\n **- [Analytics Efficiency](https://github.com/Azure/Azure-Sentinel/blob/f4133f38e2bc3f964c8e1de22db27d0ff5536986/Workbooks/AnalyticsEfficiency.json)**<br>\r\n\r\n **- [Azure DDoS Standard Workbook](https://github.com/Azure/Azure-Sentinel/blob/83c6d8c7f65a5f209f39f3e06eb2f7374fd8439c/Workbooks/AzDDoSStandardWorkbook.json)**<br>\r\n\r\n **- [AKS Security](https://github.com/Azure/Azure-Sentinel/blob/368ddf53f09a09610f57ec74118f678935dcda73/Workbooks/AksSecurity.json)**\r\n\r\n#### Hunting Queries:\r\n\r\n **- [Abnormally long DNS URI queries](https://github.com/Azure/Azure-Sentinel/blob/76578d41f67181e6c1acb16b520f48a31d248036/Hunting%20Queries/DnsEvents/DNS_LongURILookup.yaml)**<br>\r\n\r\n **- [Tracking Privileged Account Rare Activity](https://github.com/Azure/Azure-Sentinel/blob/c69fda6e8b90aa3ae797560b670a42fa8fce2859/Hunting%20Queries/MultipleDataSources/TrackingPrivAccounts.yaml)**<br>\r\n\r\n **- [Solorigate DNS Pattern](https://github.com/Azure/Azure-Sentinel/blob/83c6d8c7f65a5f209f39f3e06eb2f7374fd8439c/Hunting%20Queries/DnsEvents/Solorigate-DNS-Pattern.yaml)**<br>\r\n\r\n **- [Azure Active Directory sign-in burst from multiple locations](https://github.com/Azure/Azure-Sentinel/blob/158019e9f69d847f506d2f1ba05af0bad64b66dd/Hunting%20Queries/SigninLogs/signinBurstFromMultipleLocations.yaml)**"
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Fields1"
|
||
},
|
||
"name": "text-Fields1 - Copy"
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Fields1"
|
||
},
|
||
"name": "Fields1"
|
||
},
|
||
{
|
||
"type": 12,
|
||
"content": {
|
||
"version": "NotebookGroup/1.0",
|
||
"groupType": "editable",
|
||
"items": [
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "## 2. Split characters from a string field and extract a part of it.\r\n\r\n<h3 style=\"color:blue;\"> Operators to be used:</h3>\r\n\r\n ** [split()](https://docs.microsoft.com/azure/data-explorer/kusto/query/splitfunction)** \r\n<br>\r\n\r\n<h3 style=\"color:blue;\"> Sample query:</h3>\r\n\r\n** - Split the FQDN and extract the hostname**\r\n\r\n<p style=\"color:red;\"> SecurityEvent<br> | extend Hostname = tostring(split(Computer,\".\")[0])<br> | project TimeGenerated, Hostname, Account, AccountType, EventSourceName, <br> EventID, Activity</p>\r\n\r\n** - Split the Account field and extract the Account Name**\r\n\r\n<p style=\"color:red;\"> SecurityEvent<br> | extend AccountName = tostring(split(Account,\"\\\\\\\")[1])<br> | project TimeGenerated, Hostname, Account, AccountType, EventSourceName, <br> EventID, Activity</p>\r\n\r\n<h3 style=\"color:blue;\"> Sample use cases:</h3>\r\n\r\n** - Identify user account interactive logons to new devices **\r\n\r\n<p style=\"color:red;\"> let cloudApiTerms = dynamic([\"api\", \"east\", \"west\"]);<br> DnsEvents<br> | where Name endswith \".com\" or Name endswith \".org\" or Name endswith \".net\"<br> | extend domain_split = split(Name, \".\")<br> | where tostring(domain_split[-5]) != \"\" and tostring(domain_split[-6]) == \"\"<br> | extend sub_domain = tostring(domain_split[0])<br> | where sub_domain !contains \"-\"<br> | extend sub_directories = strcat(domain_split[-3], \" \", domain_split[-4])<br> | where ActionType == \"InteractiveLogon\" and<br> | where sub_directories has_any(cloudApiTerms)<br> //Based on sample communications the subdomain is always between 20 and 30 bytes<br> | where strlen(sub_domain) < 32 and strlen(sub_domain) > 20<br> | extend domain = strcat(tostring(domain_split[-2]), \".\", tostring(domain_split[-1]))<br> | extend subdomain_no = countof(sub_domain, @\"(\\d)\", \"regex\")<br> | extend subdomain_ch = countof(sub_domain, @\"([a-z])\", \"regex\")<br> | where subdomain_no > 1<br> | extend percentage_numerical = toreal(subdomain_no) / toreal(strlen(sub_domain)) * 100<br> | where percentage_numerical < 50 and percentage_numerical > 5<br> | summarize count(), make_set(Name), FirstSeen=min(TimeGenerated), <br> LastSeen=max(TimeGenerated) by Name<br> | order by count_ asc<br> | extend timestamp = FirstSeen</p>"
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Fields2"
|
||
},
|
||
"name": "text-Fields2"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "40",
|
||
"name": "text - 3"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "f821a07f-a9ff-4670-9542-d9f60a91e838",
|
||
"cellValue": "https://ms.portal.azure.com#@72f988bf-86f1-41af-91ab-2d7cd011db47/blade/Microsoft_Azure_Monitoring_Logs/LogsBlade/resourceId/%2Fsubscriptions%2F8bdcebd2-ea3d-41c9-bb40-e02bdbafc506%2FresourceGroups%2Foms%2Fproviders%2FMicrosoft.OperationalInsights%2Fworkspaces%2Foms101/source/LogsBlade.AnalyticsShareLinkToQuery/q/H4sIAAAAAAAAAwtOTS4tyiypdC1LzSsBAIySJcsNAAAA/timespan/P1D",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in LA Demo",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "DemoLogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "/Demo"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA81VS0%2FbQBC%2B51dMzcWuEhKg9FKCGgq0EShSG24hijbrIdli77q76wQjfnzH6%2BBHHj13FSn2vOebb8fdbmfrDKWxOuVWKNlUtLpd%2BgHcCRlGGcw1smewS4Q%2FKWqBBuYYqTUIaRUYTJhmFmEeKf5Mqgw0xmol5AKO6MD9cHQDV79uBnfu%2FagIvl3LwZMXMk4iYV0Btz%2BvR8BkCPhiNeOFcKmMlSzG1hh5qoXNblYobestN0Ky%2FbHRQx8sPWoqzTd5SP%2BbipPUom57x14w6U0Dckq0%2Bo0U%2BUHE%2BB0l5s2F7TJIGwacq1Ta8uEhS0jqco5VqjmOnJkTDK9zMytWVFXeyVHz7IBTO83GN7ngSWAU7iDwrh39A4WNzWgvEO89eY%2BPBMTJfwfEMKQY4imD1KAGtmmXCIg5BmKFEKmFkob6AolrCHElOJpWhBZ4pNJwkIgH1LGh1sOMyhfcn3gsEV4bPGTG5v9rpP9p8KV1LY0r2hAK6yVqdMACoWjWwi7BO%2BYq9kDpHbnSi71yidarRhGqmAk5c9BTQcUICrByIpZZyyHVHSad82kAH%2FrgeY4HB4w%2Bk1E%2FN6rSmnQ%2BK4zqBGi4FVegyF4z%2F8CVtPRgwOtsBxSaSKLcWqBWrObMbpVyNqW%2BgBBuij%2FVcg3cFsoJ5IoeVoO9z%2BfqOm0WVku7ZGbGZOY3Bh0Qba6YwRCUBMPiJEKgqcWpFFShcFxZulibHoUBFq1Zlm83u0aUcNpzAJ%2F1aKlZrMhATUYo%2FQqfAC7g7NQZ79FdUqDt2VdQHRjf6TRwZGgfmi%2Fd0aAxiY1aKortrod6qpXRhq%2Be%2FxgGOc81LvDF2%2BvNl4e9J6zzOt0KUA6kyn4JJ1XkBGkNEHUWOJNpTB8PziJHPvqkRH7dL4BuKd7BMICPcNLrlQn3hr2A82Jge7WXcE7uJo1jpsUrFk36BHLMntFgcf%2Fo9VZoY8c0%2Fn4spN%2FYfaS9Z%2B9K9rKlzL98bv%2B%2B0QIIaUvRe7GmmOEVIpacjCU%2BEgxlrr9vQFSlnAcAAA%3D%3D"
|
||
},
|
||
{
|
||
"name": "timespan",
|
||
"source": "static",
|
||
"value": "P1D"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "23",
|
||
"name": "TryLADemo-Fields2"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "d4201134-6e70-4c04-96d1-1db49a4c9b6d",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in your environment",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "LogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "{Workspace}"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA81VS0%2FbQBC%2B51dMzcWuEhKg9FKCGgq0EShSG24hijbrIdli77q76wQjfnzH6%2BBHHj13FSn2vOebb8fdbmfrDKWxOuVWKNlUtLpd%2BgHcCRlGGcw1smewS4Q%2FKWqBBuYYqTUIaRUYTJhmFmEeKf5Mqgw0xmol5AKO6MD9cHQDV79uBnfu%2FagIvl3LwZMXMk4iYV0Btz%2BvR8BkCPhiNeOFcKmMlSzG1hh5qoXNblYobestN0Ky%2FbHRQx8sPWoqzTd5SP%2BbipPUom57x14w6U0Dckq0%2Bo0U%2BUHE%2BB0l5s2F7TJIGwacq1Ta8uEhS0jqco5VqjmOnJkTDK9zMytWVFXeyVHz7IBTO83GN7ngSWAU7iDwrh39A4WNzWgvEO89eY%2BPBMTJfwfEMKQY4imD1KAGtmmXCIg5BmKFEKmFkob6AolrCHElOJpWhBZ4pNJwkIgH1LGh1sOMyhfcn3gsEV4bPGTG5v9rpP9p8KV1LY0r2hAK6yVqdMACoWjWwi7BO%2BYq9kDpHbnSi71yidarRhGqmAk5c9BTQcUICrByIpZZyyHVHSad82kAH%2FrgeY4HB4w%2Bk1E%2FN6rSmnQ%2BK4zqBGi4FVegyF4z%2F8CVtPRgwOtsBxSaSKLcWqBWrObMbpVyNqW%2BgBBuij%2FVcg3cFsoJ5IoeVoO9z%2BfqOm0WVku7ZGbGZOY3Bh0Qba6YwRCUBMPiJEKgqcWpFFShcFxZulibHoUBFq1Zlm83u0aUcNpzAJ%2F1aKlZrMhATUYo%2FQqfAC7g7NQZ79FdUqDt2VdQHRjf6TRwZGgfmi%2Fd0aAxiY1aKortrod6qpXRhq%2Be%2FxgGOc81LvDF2%2BvNl4e9J6zzOt0KUA6kyn4JJ1XkBGkNEHUWOJNpTB8PziJHPvqkRH7dL4BuKd7BMICPcNLrlQn3hr2A82Jge7WXcE7uJo1jpsUrFk36BHLMntFgcf%2Fo9VZoY8c0%2Fn4spN%2FYfaS9Z%2B9K9rKlzL98bv%2B%2B0QIIaUvRe7GmmOEVIpacjCU%2BEgxlrr9vQFSlnAcAAA%3D%3D"
|
||
},
|
||
{
|
||
"name": "timespan",
|
||
"source": "static",
|
||
"value": "P1D"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "29",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Workspace",
|
||
"comparison": "isNotEqualTo"
|
||
},
|
||
"name": "TryOwnEnv-Fields2"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "<h3 style=\"color:blue;\"> Check out the relevant samples found in Microsoft Sentinel:</h3>\r\n\r\n#### Analytic Rules:\r\n\r\n **- [Cisco ASA - average attack detection rate increase](https://github.com/Azure/Azure-Sentinel/blob/06832a873e1686244f0bc02b10f79ba879078864/Detections/CommonSecurityLog/CiscoASA-AvgAttackDetectRateIncrease.yaml)**<br>\r\n\r\n **- [Multiple users email forwarded to same destination](https://github.com/Azure/Azure-Sentinel/blob/06832a873e1686244f0bc02b10f79ba879078864/Detections/OfficeActivity/Office_MailForwarding.yaml)**<br>\r\n\r\n **- [Mail redirect via ExO transport rule](https://github.com/Azure/Azure-Sentinel/blob/06832a873e1686244f0bc02b10f79ba879078864/Detections/OfficeActivity/Mail_redirect_via_ExO_transport_rule.yaml)**<br>\r\n\r\n **- [Audit policy manipulation using auditpol utility](https://github.com/Azure/Azure-Sentinel/blob/06832a873e1686244f0bc02b10f79ba879078864/Detections/MultipleDataSources/AuditPolicyManipulation_using_auditpol.yaml)**<br>\r\n\r\n#### Workbooks:\r\n\r\n **- [Azure Purview](https://github.com/Azure/Azure-Sentinel/blob/9297bcb5c7c6d41959dc2d8f70db78dda3ae03aa/Workbooks/AzurePurview.json)**<br>\r\n\r\n **- [Azure Network Watcher](https://github.com/Azure/Azure-Sentinel/blob/83c6d8c7f65a5f209f39f3e06eb2f7374fd8439c/Workbooks/AzureNetworkWatcher.json)**<br>\r\n\r\n **- [ForcePoint CASB](https://github.com/Azure/Azure-Sentinel/blob/83c6d8c7f65a5f209f39f3e06eb2f7374fd8439c/Workbooks/ForcepointCASB.json)**<br>\r\n\r\n **- [User Entity Behavior Analytics](https://github.com/Azure/Azure-Sentinel/blob/2d4e84c672900d5e4929544f553d465285238e48/Workbooks/UserEntityBehaviorAnalytics.json)**<br>\r\n\r\n#### Hunting Queries:\r\n\r\n **- [Abnormally long DNS URI queries](https://github.com/Azure/Azure-Sentinel/blob/76578d41f67181e6c1acb16b520f48a31d248036/Hunting%20Queries/DnsEvents/DNS_LongURILookup.yaml)**<br>\r\n\r\n **- [Solorigate DNS Pattern](https://github.com/Azure/Azure-Sentinel/blob/83c6d8c7f65a5f209f39f3e06eb2f7374fd8439c/Hunting%20Queries/DnsEvents/Solorigate-DNS-Pattern.yaml)**<br>\r\n\r\n **- [Solorigate Encoded Domain in URL](https://github.com/Azure/Azure-Sentinel/blob/158019e9f69d847f506d2f1ba05af0bad64b66dd/Hunting%20Queries/DnsEvents/Solorigate-Encoded-Domain-URL.yaml)**<br>\r\n\r\n **- [External user from a new organisation added to Teams](https://github.com/Azure/Azure-Sentinel/blob/c69fda6e8b90aa3ae797560b670a42fa8fce2859/Hunting%20Queries/OfficeActivity/ExternalUserFromNewOrgAddedToTeams.yaml)**<br>\r\n"
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Fields2"
|
||
},
|
||
"name": "text-Fields2 - Copy"
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Fields2"
|
||
},
|
||
"name": "Fields2"
|
||
},
|
||
{
|
||
"type": 12,
|
||
"content": {
|
||
"version": "NotebookGroup/1.0",
|
||
"groupType": "editable",
|
||
"items": [
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "## 3. Conditionally write in a column\r\n\r\n<h3 style=\"color:blue;\"> Operators to be used:</h3>\r\n\r\n ** [iif()](https://docs.microsoft.com/azure/data-explorer/kusto/query/iiffunction)** \r\n<br>\r\n\r\n<h3 style=\"color:blue;\"> Sample query:</h3>\r\n\r\n** - Report of Windows machines that are/are not Protected by Windows Defender**\r\n\r\n<p style=\"color:red;\"> ProtectionStatus<br> | where OSName != \"Linux\"<br> | extend WinDefenderStatus = iif(TypeofProtection == \"Windows <br> Defender\",\"Enabled\",\"Unknown\")<br> | project Computer, ComputerIP_Hidden, WinDefenderStatus, OSName, ThreatStatus, <br> ThreatStatusRank</p>\r\n\r\n<h3 style=\"color:blue;\"> Sample use cases:</h3>\r\n\r\n** - Count Number of Logon and Logoff events for a host in the last 12 hours**\r\n\r\n<p style=\"color:red;\"> SecurityEvent<br> | where TimeGenerated > ago(12h)<br> | where Computer contains \"DC00\"<br> | extend EventType = iif(EventID == 4624,\"Successful Logon\", iif(EventID == 4634,\"Successful <br> logoff\",\"\"))<br> | where isnotempty(EventType)<br> | summarize Count = count() by EventType</p>"
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Fields3"
|
||
},
|
||
"name": "text-Fields3"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "40",
|
||
"name": "text - 3"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "f3214d74-807f-42f1-8407-b9a901ee898f",
|
||
"cellValue": "https://ms.portal.azure.com#@72f988bf-86f1-41af-91ab-2d7cd011db47/blade/Microsoft_Azure_Monitoring_Logs/LogsBlade/resourceId/%2Fsubscriptions%2F8bdcebd2-ea3d-41c9-bb40-e02bdbafc506%2FresourceGroups%2Foms%2Fproviders%2FMicrosoft.OperationalInsights%2Fworkspaces%2Foms101/source/LogsBlade.AnalyticsShareLinkToQuery/q/H4sIAAAAAAAAAwtOTS4tyiypdC1LzSsBAIySJcsNAAAA/timespan/P1D",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in LA Demo",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "DemoLogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "/Demo"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA3VSTY%2FaQAy98yvccAEpFbt01RuVWkAtWkRXQNVjNSQOmZJ40hnPsqn2x9cTIMuHaiWKJ372PD97MHh%2FZTNybH3C2tBloDMYyAPwqCktathYVDvgHOGPR6vRwQYLswdNbMBhpaxihE1hkp2EarBYmmdNW%2BiKwXy2mMKX5fTzY3PuHopfc%2FmvBSJLrIxlMBn8FEZm76BUSa5JmHCuGJTFgbxAhuHJGsaEMQ1MTvAJZkgp2s4xKh2vWLF3nVfY5yip31cLVSK8G0E01%2BRfIongC0tWKHLKPyTBCLTOeuu6QpO9VYSRJF%2FfGMXRlNSmwFS8H7Qjs6eoL8Ura35LHoxNWXlGG7fe7OnXN52mSPHt1fGRaAzrXKbCp7%2Fnp6WiXVCte2k3gzizAB8bTwwLX27QBqnnZis9KREgeFkG%2BIzEDjJjQUFuHMsCNFtRKPHvh%2FLPW9dZYeKt5noa4K2%2Ba13iVyQMq5LCJ1Bb07sf5v0WcOoeEkOsNDmIJuO7u7M5NAWD6Ef9m%2FNsEmR%2F%2BDh8iKOVTxJ0LvPFgXwU3%2BI%2BXOKKpjUZTdR%2Fo6KdLBKWFde99s4Qdb4sldV%2F8ajVSLjKt9cPq9Yi%2FwE46mwOaAMAAA%3D%3D"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "23",
|
||
"name": "TryLADemo-Fields3"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "bc8cb9ad-cad5-441d-9e0b-43562b142683",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in your environment",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "LogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "{Workspace}"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA3VSTY%2FaQAy98yvccAEpFbt01RuVWkAtWkRXQNVjNSQOmZJ40hnPsqn2x9cTIMuHaiWKJ372PD97MHh%2FZTNybH3C2tBloDMYyAPwqCktathYVDvgHOGPR6vRwQYLswdNbMBhpaxihE1hkp2EarBYmmdNW%2BiKwXy2mMKX5fTzY3PuHopfc%2FmvBSJLrIxlMBn8FEZm76BUSa5JmHCuGJTFgbxAhuHJGsaEMQ1MTvAJZkgp2s4xKh2vWLF3nVfY5yip31cLVSK8G0E01%2BRfIongC0tWKHLKPyTBCLTOeuu6QpO9VYSRJF%2FfGMXRlNSmwFS8H7Qjs6eoL8Ura35LHoxNWXlGG7fe7OnXN52mSPHt1fGRaAzrXKbCp7%2Fnp6WiXVCte2k3gzizAB8bTwwLX27QBqnnZis9KREgeFkG%2BIzEDjJjQUFuHMsCNFtRKPHvh%2FLPW9dZYeKt5noa4K2%2Ba13iVyQMq5LCJ1Bb07sf5v0WcOoeEkOsNDmIJuO7u7M5NAWD6Ef9m%2FNsEmR%2F%2BDh8iKOVTxJ0LvPFgXwU3%2BI%2BXOKKpjUZTdR%2Fo6KdLBKWFde99s4Qdb4sldV%2F8ajVSLjKt9cPq9Yi%2FwE46mwOaAMAAA%3D%3D"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "29",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Workspace",
|
||
"comparison": "isNotEqualTo"
|
||
},
|
||
"name": "TryOwnEnv-Fields3"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "<h3 style=\"color:blue;\"> Check out the relevant samples found in Microsoft Sentinel:</h3>\r\n\r\n#### Analytic Rules:\r\n\r\n **- [Mass Export of Dynamics 365 Records to Excel](https://github.com/Azure/Azure-Sentinel/blob/a6f6275b4ba79f8bfcefe7ae72afcb055a5bbf80/Solutions/Dynamics%20365/Analytic%20Rules/MassExportOfDynamicstoExcel.yaml)**<br>\r\n\r\n **- [Dynamics 365 - User Bulk Retrieval Outside Normal Activity](https://github.com/Azure/Azure-Sentinel/blob/a6f6275b4ba79f8bfcefe7ae72afcb055a5bbf80/Solutions/Dynamics%20365/Analytic%20Rules/UserBulkRetreivalOutsideNormalActivity.yaml)**<br>\r\n\r\n **- [HAFNIUM Suspicious File Downloads](https://github.com/Azure/Azure-Sentinel/blob/06832a873e1686244f0bc02b10f79ba879078864/Detections/http_proxy_oab_CL/HAFNIUMSuspiciousFileDownloads.yaml)**\r\n\r\n#### Workbooks:\r\n\r\n **- [Azure Network Watcher](https://github.com/Azure/Azure-Sentinel/blob/83c6d8c7f65a5f209f39f3e06eb2f7374fd8439c/Workbooks/AzureNetworkWatcher.json)**<br>\r\n\r\n **- [Microsoft Sentinel Security Alerts](https://github.com/Azure/Azure-Sentinel/blob/83c6d8c7f65a5f209f39f3e06eb2f7374fd8439c/Workbooks/AzureSentinelSecurityAlerts.json)**<br>\r\n\r\n **- [Web Application Firewall Events](https://github.com/Azure/Azure-Sentinel/blob/83c6d8c7f65a5f209f39f3e06eb2f7374fd8439c/Workbooks/WebApplicationFirewallWAFTypeEvents.json)**<br>\r\n\r\n **- [Threat Intelligence Workbook](https://github.com/Azure/Azure-Sentinel/blob/e12de62f4f34221a030679a2f872db3e4cb1085d/Workbooks/ThreatIntelligence.json)**<br>\r\n\r\n#### Hunting Queries:\r\n\r\n **- [Alerts related to account](https://github.com/Azure/Azure-Sentinel/blob/83c6d8c7f65a5f209f39f3e06eb2f7374fd8439c/Hunting%20Queries/SecurityAlert/AlertsForUser.yaml)**<br>\r\n\r\n **- [User returning more data than daily average](https://github.com/Azure/Azure-Sentinel/blob/c69fda6e8b90aa3ae797560b670a42fa8fce2859/Hunting%20Queries/LAQueryLogs/UserReturningMoreDataThanDailyAverage.yaml)**<br>\r\n\r\n **- [External user from a new organisation added to Teams](https://github.com/Azure/Azure-Sentinel/blob/c69fda6e8b90aa3ae797560b670a42fa8fce2859/Hunting%20Queries/OfficeActivity/ExternalUserFromNewOrgAddedToTeams.yaml)**"
|
||
},
|
||
"customWidth": "70",
|
||
"name": "samples-Fields3"
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Fields3"
|
||
},
|
||
"name": "Fields3"
|
||
},
|
||
{
|
||
"type": 12,
|
||
"content": {
|
||
"version": "NotebookGroup/1.0",
|
||
"groupType": "editable",
|
||
"items": [
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "## 4. Validate and/or filter on a field value being empty or null\r\n\r\n<h3 style=\"color:blue;\"> Operators to be used:</h3>\r\n\r\n ** [isempty()](https://docs.microsoft.com/azure/data-explorer/kusto/query/isemptyfunction)** or **[isnotempty()](https://docs.microsoft.com/azure/data-explorer/kusto/query/isnotemptyfunction)**\r\n<br>\r\n\r\n ** [isnull()](https://docs.microsoft.com/azure/data-explorer/kusto/query/isnullfunction)** or **[isnotnull()](https://docs.microsoft.com/azure/data-explorer/kusto/query/isnotnullfunction)**\r\n<br>\r\n\r\n<h3 style=\"color:blue;\"> Sample query:</h3>\r\n\r\n** - Filter out records where the EventData field doesn't have a value in the Windows Security Events**\r\n\r\n<p style=\"color:red;\"> SecurityEvent<br> | where isnotempty(EventData)<br> | extend IsDomainAccount = iif(Account startswith \"Contoso\",\"True\",\"False\")<br> | project TimeGenerated, IsDomainAccount, Account, AccountType, EventSourceName, <br> EventID, Activity</p>\r\n\r\n<br>\r\n\r\n** - Filter out records where the OfficeObjectID field have a value in the Office365 logs**\r\n\r\n<p style=\"color:red;\"> OfficeActivity<br> | where isempty(OfficeObjectId)<br> | sort by TimeGenerated desc nulls last</p>\r\n\r\n<br>\r\n\r\n** - Filter out records where the Event ID = 4688 and ParentProcessName field have a null value in the Windows Security Events**\r\n\r\n<p style=\"color:red;\"> SecurityEvent<br> | where EventID == 4688 and isnotnull(ParentProcessName)</p>\r\n\r\n<h3 style=\"color:blue;\"> Sample use cases:</h3>\r\n\r\n** - Check for a known IP IoC in the Azure AD SignIn Logs **\r\n\r\n<p style=\"color:red;\"> let IPList = dynamic([\"154.223.45.38\",\"185.141.207.140\",\"185.234.73.19\",<br> \"216.245.210.106\",\"51.91.48.210\",\"46.255.230.229\"]);<br> (union isfuzzy=true <br> (SigninLogs<br> | where isnotempty(IPAddress)<br> | where IPAddress in (IPList)<br> | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, <br> IPCustomEntity = IPAddress<br> ),<br> (AADNonInteractiveUserSignInLogs<br> | where isnotempty(IPAddress)<br> | where IPAddress in (IPList)<br> | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, <br> IPCustomEntity = IPAddress<br> )<br> )</p>\r\n\r\n<br>\r\n** - Check for least common Parent And Child Process Pairs within the Security Events collected from the Windows Security Events**\r\n\r\n<p style=\"color:red;\"> let Allowlist = dynamic (['foo.exe', 'baz.exe']);<br> let Sensitivity = 5;<br> SecurityEvent<br> | where EventID == 4688 and isnotnull(ParentProcessName)<br> | extend ProcArray = split(NewProcessName, '\\\\'), ParentProcArray = split(ParentProcessName, <br> '\\\\')<br> // ProcArrayLength is Folder Depth<br> | extend ProcArrayLength = arraylength(ProcArray), ParentProcArrayLength = <br> arraylength(ParentProcArray)<br> | extend LastIndex = ProcArrayLength - 1, ParentLastIndex = ParentProcArrayLength - 1<br> | extend Proc = ProcArray[LastIndex], ParentProc = ParentProcArray[ParentLastIndex]<br> | where Proc !in (Allowlist)<br> | extend ParentChildPair = strcat(ParentProc , ' > ', Proc)<br> | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), <br> TimesSeen = count(), HostCount = dcount(Computer), Hosts = makeset(Computer), <br> UserCount = dcount(SubjectUserName), <br> Users = makeset(SubjectUserName) by ParentChildPair<br> | where TimesSeen < Sensitivity</p>"
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Fields4"
|
||
},
|
||
"name": "text-Fields4"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "40",
|
||
"name": "text - 3"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "dded20ac-fb46-4c06-a57b-a05c1bf2e986",
|
||
"cellValue": "https://ms.portal.azure.com#@72f988bf-86f1-41af-91ab-2d7cd011db47/blade/Microsoft_Azure_Monitoring_Logs/LogsBlade/resourceId/%2Fsubscriptions%2F8bdcebd2-ea3d-41c9-bb40-e02bdbafc506%2FresourceGroups%2Foms%2Fproviders%2FMicrosoft.OperationalInsights%2Fworkspaces%2Foms101/source/LogsBlade.AnalyticsShareLinkToQuery/q/H4sIAAAAAAAAAwtOTS4tyiypdC1LzSsBAIySJcsNAAAA/timespan/P1D",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in LA Demo",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "DemoLogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "/Demo"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA91W32%2FiRhB%2B56%2BYkocYiXNiArlEVypRSFrrUA6VnPqQ5mFjD2Ebe5furkOI%2Bsd3xgbHNtzprn3rCgnv7Dfj%2BfXN%2BuTkXWOFyjqTRU5qVT9onZzQD%2BCjVHGygQeD4gncEuGvDI1ECw%2BY6DVI5TRYXAkjHMJDoqMnOtqAwVQ%2FS%2FUIR7RgGt5cwc%2B%2FXY0%2B5vujwnjTly8uduRaJg4N6MyR7Uib2MJ6iQZzn66eUbmJcAIWEpMYYo1WHTtYimcEAc8iyZBczbG%2FU0B6bWGOUWak2xTKtrXb59vW31vr0irtMF25jVe%2BpEOn%2BOJQxRDaiU6FVKMo0plyMAQpF95uZ50wzq6lW0J7rClTVre70L41GfL%2FtUgsttnayug%2FMXJwK1P8BRVyMuNu03oXmg%2B3mxV2iwDmOjMR3oh0JwgnDHPymWJqAS1K4lF97dWlsnYqX837p8VCRvjpgZ0PJ9vkH0p6ATw7H0CiH21uuxCVHr4lvMh2zXTMSbLaOG6tWpIgRhuBypLEQiKsa31nlN%2FUWUCxDaF%2FfnEBgoo%2BE4aEM6MjtJYzXg%2Bcnfm2luM0HG67bQVhWHlt3ops3NtzoPMvwh4vMXqChTbk8pPSawXhDEI93jk9es3IkdEE5vJRhQqmXLgEKRmzqbTc6vFGiVRG3l07GPT9Xu%2FM7w%2F8swtu7eBi4Af9wO%2Bdvqf%2F052od9b335%2F5wSULesG53yONXnDqB6fnLBoE%2FmXg9y9Yxvs%2BIQasdkrmL9v3nQ8tL1M0qygZi%2Bz1dTOk4YV5Hj12U6rprr0OEDicjeLYUMo6NUQp5si9IrodoqB5vuHlqPWI1OmKoq9ztYRsmTnOrNPplXJc7iF8tmhmRqpIrkSSk7RUCGcN7JubBcgbjSY3mkpAXSqYLsjWiqr8n8LNIZ3Wf%2BvlBGkIQKTTlJqk4AmMiDzjpSSGbilDB9IQy2kwb5u9wUwykCQ0eGi%2BLIxOv0pipsQoobswqbECvLvjhdY%2BvuBxF44fxGv%2ByC3MGnNUVhajj3QGH75w%2FXz3HChvJpaOjBFs3q4S6bwbXFeg5NMfx51uZZjV0Xu2CwXOdgmeonqku01auNZJTDN0giu3PODDFjgEwbsk33nl6b4Xh%2FF1TCXWKdU8VDG%2BkEbTxjsIduZrsIMvJHDd%2B6rBu1L%2FvurwvrG7xuvuy3Lm%2BB%2BYd2XHVEuWq%2BWdyg3KpXAmEtVaAFUBfgLqKN7lt2KWpsLIV%2Bph%2Ftpgmn527FQqlVcjLaX5SsUVgHjZA%2FDezhEVnefE9kj4q7ZuvP28iQvpWKerjObR9tTm5p7QYu2Ix0BDcZ7lNzqf5A1bgKr6TQRf%2BY3MlPl8c%2FfHKqP%2BAYkUf7jnCgAA"
|
||
},
|
||
{
|
||
"name": "timespan",
|
||
"source": "static",
|
||
"value": "P1D"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "23",
|
||
"name": "TryLADemo-Fields4"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "3181b43f-0978-42de-9b69-4205a965637a",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in your environment",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "LogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "{Workspace}"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA91W32%2FiRhB%2B56%2BYkocYiXNiArlEVypRSFrrUA6VnPqQ5mFjD2Ebe5furkOI%2Bsd3xgbHNtzprn3rCgnv7Dfj%2BfXN%2BuTkXWOFyjqTRU5qVT9onZzQD%2BCjVHGygQeD4gncEuGvDI1ECw%2BY6DVI5TRYXAkjHMJDoqMnOtqAwVQ%2FS%2FUIR7RgGt5cwc%2B%2FXY0%2B5vujwnjTly8uduRaJg4N6MyR7Uib2MJ6iQZzn66eUbmJcAIWEpMYYo1WHTtYimcEAc8iyZBczbG%2FU0B6bWGOUWak2xTKtrXb59vW31vr0irtMF25jVe%2BpEOn%2BOJQxRDaiU6FVKMo0plyMAQpF95uZ50wzq6lW0J7rClTVre70L41GfL%2FtUgsttnayug%2FMXJwK1P8BRVyMuNu03oXmg%2B3mxV2iwDmOjMR3oh0JwgnDHPymWJqAS1K4lF97dWlsnYqX837p8VCRvjpgZ0PJ9vkH0p6ATw7H0CiH21uuxCVHr4lvMh2zXTMSbLaOG6tWpIgRhuBypLEQiKsa31nlN%2FUWUCxDaF%2FfnEBgoo%2BE4aEM6MjtJYzXg%2Bcnfm2luM0HG67bQVhWHlt3ops3NtzoPMvwh4vMXqChTbk8pPSawXhDEI93jk9es3IkdEE5vJRhQqmXLgEKRmzqbTc6vFGiVRG3l07GPT9Xu%2FM7w%2F8swtu7eBi4Af9wO%2Bdvqf%2F052od9b335%2F5wSULesG53yONXnDqB6fnLBoE%2FmXg9y9Yxvs%2BIQasdkrmL9v3nQ8tL1M0qygZi%2Bz1dTOk4YV5Hj12U6rprr0OEDicjeLYUMo6NUQp5si9IrodoqB5vuHlqPWI1OmKoq9ztYRsmTnOrNPplXJc7iF8tmhmRqpIrkSSk7RUCGcN7JubBcgbjSY3mkpAXSqYLsjWiqr8n8LNIZ3Wf%2BvlBGkIQKTTlJqk4AmMiDzjpSSGbilDB9IQy2kwb5u9wUwykCQ0eGi%2BLIxOv0pipsQoobswqbECvLvjhdY%2BvuBxF44fxGv%2ByC3MGnNUVhajj3QGH75w%2FXz3HChvJpaOjBFs3q4S6bwbXFeg5NMfx51uZZjV0Xu2CwXOdgmeonqku01auNZJTDN0giu3PODDFjgEwbsk33nl6b4Xh%2FF1TCXWKdU8VDG%2BkEbTxjsIduZrsIMvJHDd%2B6rBu1L%2FvurwvrG7xuvuy3Lm%2BB%2BYd2XHVEuWq%2BWdyg3KpXAmEtVaAFUBfgLqKN7lt2KWpsLIV%2Bph%2Ftpgmn527FQqlVcjLaX5SsUVgHjZA%2FDezhEVnefE9kj4q7ZuvP28iQvpWKerjObR9tTm5p7QYu2Ix0BDcZ7lNzqf5A1bgKr6TQRf%2BY3MlPl8c%2FfHKqP%2BAYkUf7jnCgAA"
|
||
},
|
||
{
|
||
"name": "timespan",
|
||
"source": "static",
|
||
"value": "P1D"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "29",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Workspace",
|
||
"comparison": "isNotEqualTo"
|
||
},
|
||
"name": "TryOwnEnv-Fields4"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "<h3 style=\"color:blue;\"> Check out the relevant samples found in Microsoft Sentinel:</h3>\r\n\r\n#### Analytics Rule:\r\n\r\n **- [Threat Intel map IP entity to AzureActivity](https://github.com/Azure/Azure-Sentinel/blob/2cad1a602c99d6e3f8be2548e31e4ca63ed75c6f/Detections/ThreatIntelligenceIndicator/IPEntity_AzureActivity.yaml)**<br>\r\n\r\n **- [Cisco ASA - average attack detection rate increase](https://github.com/Azure/Azure-Sentinel/blob/06832a873e1686244f0bc02b10f79ba879078864/Detections/CommonSecurityLog/CiscoASA-AvgAttackDetectRateIncrease.yaml)**<br>\r\n\r\n **- [Known PHOSPHORUS group domains/IP - October 2020](https://github.com/Azure/Azure-Sentinel/blob/76578d41f67181e6c1acb16b520f48a31d248036/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml)**<br>\r\n\r\n **- [Mass secret retrieval from Azure Key Vault](https://github.com/Azure/Azure-Sentinel/blob/06832a873e1686244f0bc02b10f79ba879078864/Detections/AzureDiagnostics/KeyvaultMassSecretRetrieval.yaml)**<br>\r\n\r\n#### Workbooks:\r\n **- [Insights IOC Workbook](https://github.com/Azure/Azure-Sentinel/blob/83c6d8c7f65a5f209f39f3e06eb2f7374fd8439c/Workbooks/IntsightsIOCWorkbook.json)**<br>\r\n\r\n **- [Threat Intelligence Workbook](https://github.com/Azure/Azure-Sentinel/blob/e12de62f4f34221a030679a2f872db3e4cb1085d/Workbooks/ThreatIntelligence.json)**<br>\r\n\r\n **- [Azure Information Protection](https://github.com/Azure/Azure-Sentinel/blob/76578d41f67181e6c1acb16b520f48a31d248036/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml)**<br>\r\n\r\n **- [Proof Point Threat Dashboard](https://github.com/Azure/Azure-Sentinel/blob/c37ffc1532ae5760f71b27dd049c77cab5abfece/Workbooks/ProofPointThreatDashboard.json)**<br>\r\n\r\n#### Hunting Queries:\r\n **- [Rare Custom Script Extension](https://github.com/Azure/Azure-Sentinel/blob/76578d41f67181e6c1acb16b520f48a31d248036/Hunting%20Queries/AzureActivity/Rare_Custom_Script_Extension.yaml)**<br>\r\n\r\n **- [Azure Resources assigned Public IP Addresses](https://github.com/Azure/Azure-Sentinel/blob/2cad1a602c99d6e3f8be2548e31e4ca63ed75c6f/Hunting%20Queries/MultipleDataSources/AzureResourceAssignedPublicIP.yaml)**<br>\r\n\r\n **- [Anomalous Resource Creation and related Network Activity](https://github.com/Azure/Azure-Sentinel/blob/c69fda6e8b90aa3ae797560b670a42fa8fce2859/Hunting%20Queries/MultipleDataSources/AzureResourceCreationWithNetworkActivity.yaml)**<br>\r\n\r\n **- [Unfamiliar Signin Correlation with AzurePortal Signin Attempts and AuditLogs](https://github.com/Azure/Azure-Sentinel/blob/301819b3d4217428d848a95ea8d19fd351edc6df/Hunting%20Queries/MultipleDataSources/UnfamiliarsignincorrelationwithPortalSigninandAuditlogs.yaml)**<br>\r\n"
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Fields4"
|
||
},
|
||
"name": "text-Fields4 - Copy"
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Fields4"
|
||
},
|
||
"name": "FIelds4"
|
||
},
|
||
{
|
||
"type": 12,
|
||
"content": {
|
||
"version": "NotebookGroup/1.0",
|
||
"groupType": "editable",
|
||
"items": [
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "## 5. Conditionally use field values to populate/project a field\r\n\r\n<h3 style=\"color:blue;\"> Operators to be used:</h3>\r\n\r\n ** [case()](https://docs.microsoft.com/azure/data-explorer/kusto/query/casefunction)**\r\n<br>\r\n\r\n ** [column_ifexists()](https://docs.microsoft.com/azure/data-explorer/kusto/query/columnifexists)**\r\n<br>\r\n\r\n<h3 style=\"color:blue;\"> Sample query:</h3>\r\n\r\n** - List Business orgs based on Source IPs**\r\n\r\n<p style=\"color:red;\"> AzureDiagnostics<br> | extend BusinessOrg = case(ipv4_is_match(primaryIPv4Address_s,\"10.2.2.0/8\"),\"HR\",<br> ipv4_is_match(primaryIPv4Address_s,\"10.71.0.0/8\"),\"IT\",ipv4_is_match(primaryIPv4Address_s,<br> \"172.18.0.4\"),\"Finance\",\"Operations\")</p>\r\n<br>\r\n\r\n** - Create and update a field value based on a value from another column if it exists, or else, use a default value**\r\n\r\n<p style=\"color:red;\"> AzureDiagnostics<br> | extend RuleName = column_ifexists('ruleName_s',\"\"),<br> MACAddress = column_ifexists('macAddress_s',\"\")<br> | project TimeGenerated, Category, OperationName, RuleName, MACAddress</p>\r\n\r\n<h3 style=\"color:blue;\"> Sample use cases:</h3>\r\n\r\n** - Order Security Alerts based on Severity (High to Low) **\r\n\r\n<p style=\"color:red;\"> SecurityAlert<br> | where TimeGenerated > ago(7d)<br> | extend severityOrder = case (<br> AlertSeverity == \"High\", 3,<br> AlertSeverity == \"Medium\", 2,<br> AlertSeverity == \"Low\", 1,<br> AlertSeverity == \"Informational\", 0,<br> -1)<br> | order by severityOrder<br> | where IPAddress in (IPList)<br> | project-away severityOrder</p>"
|
||
},
|
||
"customWidth": "100",
|
||
"name": "text-Fields5"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "40",
|
||
"name": "text - 3"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "bd771360-4c2f-4cdb-b2ba-85bf18d03989",
|
||
"cellValue": "https://ms.portal.azure.com#@72f988bf-86f1-41af-91ab-2d7cd011db47/blade/Microsoft_Azure_Monitoring_Logs/LogsBlade/resourceId/%2Fsubscriptions%2F8bdcebd2-ea3d-41c9-bb40-e02bdbafc506%2FresourceGroups%2Foms%2Fproviders%2FMicrosoft.OperationalInsights%2Fworkspaces%2Foms101/source/LogsBlade.AnalyticsShareLinkToQuery/q/H4sIAAAAAAAAAwtOTS4tyiypdC1LzSsBAIySJcsNAAAA/timespan/P1D",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in LA Demo",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "DemoLogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "/Demo"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA51UXW%2FaQBB851eszEOMZD5MkcgLlQhNGyskIJJ3dPjW5hr7zr0PKFF%2FfNcGHEhLFXWNBGZndscztrvd9ruKpLHaxVYoed5odLv0AbgXkmc7WGlkL2DXCD8caoEGVpipLQhpFRgsmGYWYZWp%2BIVaO9CYq42QKTSpYBo93sLN4nZ8X50398Pfa7lYpZCpMBZunBESjQGlU1rDDHJQEp6U0zFCNDeN8avT%2BEWwVCpjRWwavwB%2FWpS85s50CiOIieuLYjNYCrPMmY3XfqFFzvQumm8GY841QZcm8MJep09Hr3vttQLvbuEFH2QNw07vSIueP0QDLxz2O%2BE1EQcl7auQTMboBd6sQDKYQjJeq3SjeV5%2FGHxSJXxC6VE8jGxwBa9%2BQiIw47BhmcM3J9nhj0SrnOCKAtcQq8zlEkQCwpKbFARJVRowMxiAM%2BU0jglzmd3T%2F5HCwmX4yHIsI6jGLkWyH%2Blf6UNvaa4Cj64fHsaTgzl%2Fg%2Bcsrq2rCLSl0Oo7xhaeRY7fUJamIQ9gQl%2Bp0rsAaiPLRUEt53TXf%2Fg705x8esLYaWF3MM5Q29P7EzdYNfw7ka6Bnpip2rYaR3wFJ%2FFbMhvPpcNnYKnyh7z1ZqE5TNsv3d%2FK4DeAqppUbxuNwCsXegF8Ci70H5ALlxOifwlBUqkdXmpHMlE6ryxlGQF7QTssxapKHb0JzuTWVxnNj8kKCX40Lx%2FvkwDbbMveUX8D2KAsobwEAAA%3D"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "23",
|
||
"name": "TryLADemo-Fields5"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "6cd5b72f-a175-4ad6-a21e-c66d1b51bd2b",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in your environment",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "LogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "{Workspace}"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA51UXW%2FaQBB851eszEOMZD5MkcgLlQhNGyskIJJ3dPjW5hr7zr0PKFF%2FfNcGHEhLFXWNBGZndscztrvd9ruKpLHaxVYoed5odLv0AbgXkmc7WGlkL2DXCD8caoEGVpipLQhpFRgsmGYWYZWp%2BIVaO9CYq42QKTSpYBo93sLN4nZ8X50398Pfa7lYpZCpMBZunBESjQGlU1rDDHJQEp6U0zFCNDeN8avT%2BEWwVCpjRWwavwB%2FWpS85s50CiOIieuLYjNYCrPMmY3XfqFFzvQumm8GY841QZcm8MJep09Hr3vttQLvbuEFH2QNw07vSIueP0QDLxz2O%2BE1EQcl7auQTMboBd6sQDKYQjJeq3SjeV5%2FGHxSJXxC6VE8jGxwBa9%2BQiIw47BhmcM3J9nhj0SrnOCKAtcQq8zlEkQCwpKbFARJVRowMxiAM%2BU0jglzmd3T%2F5HCwmX4yHIsI6jGLkWyH%2Blf6UNvaa4Cj64fHsaTgzl%2Fg%2Bcsrq2rCLSl0Oo7xhaeRY7fUJamIQ9gQl%2Bp0rsAaiPLRUEt53TXf%2Fg705x8esLYaWF3MM5Q29P7EzdYNfw7ka6Bnpip2rYaR3wFJ%2FFbMhvPpcNnYKnyh7z1ZqE5TNsv3d%2FK4DeAqppUbxuNwCsXegF8Ci70H5ALlxOifwlBUqkdXmpHMlE6ryxlGQF7QTssxapKHb0JzuTWVxnNj8kKCX40Lx%2FvkwDbbMveUX8D2KAsobwEAAA%3D"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "29",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Workspace",
|
||
"comparison": "isNotEqualTo"
|
||
},
|
||
"name": "TryOwnEnv-Fields5"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "<h3 style=\"color:blue;\"> Check out the relevant samples found in Microsoft Sentinel:</h3>\r\n\r\n#### Analytics Rule:\r\n\r\n **- [Threat Intel map IP entity to AzureActivity](https://github.com/Azure/Azure-Sentinel/blob/2cad1a602c99d6e3f8be2548e31e4ca63ed75c6f/Detections/ThreatIntelligenceIndicator/IPEntity_AzureActivity.yaml)**<br>\r\n\r\n **- [Cisco ASA - average attack detection rate increase](https://github.com/Azure/Azure-Sentinel/blob/06832a873e1686244f0bc02b10f79ba879078864/Detections/CommonSecurityLog/CiscoASA-AvgAttackDetectRateIncrease.yaml)**<br>\r\n\r\n **- [Known PHOSPHORUS group domains/IP - October 2020](https://github.com/Azure/Azure-Sentinel/blob/76578d41f67181e6c1acb16b520f48a31d248036/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml)**<br>\r\n\r\n **- [Mass secret retrieval from Azure Key Vault](https://github.com/Azure/Azure-Sentinel/blob/06832a873e1686244f0bc02b10f79ba879078864/Detections/AzureDiagnostics/KeyvaultMassSecretRetrieval.yaml)**<br>\r\n\r\n#### Workbooks:\r\n **- [Insights IOC Workbook](https://github.com/Azure/Azure-Sentinel/blob/83c6d8c7f65a5f209f39f3e06eb2f7374fd8439c/Workbooks/IntsightsIOCWorkbook.json)**<br>\r\n\r\n **- [Threat Intelligence Workbook](https://github.com/Azure/Azure-Sentinel/blob/e12de62f4f34221a030679a2f872db3e4cb1085d/Workbooks/ThreatIntelligence.json)**<br>\r\n\r\n **- [Azure Information Protection](https://github.com/Azure/Azure-Sentinel/blob/76578d41f67181e6c1acb16b520f48a31d248036/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml)**<br>\r\n\r\n **- [Proof Point Threat Dashboard](https://github.com/Azure/Azure-Sentinel/blob/c37ffc1532ae5760f71b27dd049c77cab5abfece/Workbooks/ProofPointThreatDashboard.json)**<br>\r\n\r\n#### Hunting Queries:\r\n **- [Rare Custom Script Extension](https://github.com/Azure/Azure-Sentinel/blob/76578d41f67181e6c1acb16b520f48a31d248036/Hunting%20Queries/AzureActivity/Rare_Custom_Script_Extension.yaml)**<br>\r\n\r\n **- [Azure Resources assigned Public IP Addresses](https://github.com/Azure/Azure-Sentinel/blob/2cad1a602c99d6e3f8be2548e31e4ca63ed75c6f/Hunting%20Queries/MultipleDataSources/AzureResourceAssignedPublicIP.yaml)**<br>\r\n\r\n **- [Anomalous Resource Creation and related Network Activity](https://github.com/Azure/Azure-Sentinel/blob/c69fda6e8b90aa3ae797560b670a42fa8fce2859/Hunting%20Queries/MultipleDataSources/AzureResourceCreationWithNetworkActivity.yaml)**<br>\r\n\r\n **- [Unfamiliar Signin Correlation with AzurePortal Signin Attempts and AuditLogs](https://github.com/Azure/Azure-Sentinel/blob/301819b3d4217428d848a95ea8d19fd351edc6df/Hunting%20Queries/MultipleDataSources/UnfamiliarsignincorrelationwithPortalSigninandAuditlogs.yaml)**<br>\r\n"
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Fields5"
|
||
},
|
||
"name": "text-Fields5 - Copy"
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Fields5"
|
||
},
|
||
"name": "Fields5"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "60",
|
||
"name": "text - 5"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "30",
|
||
"name": "text - 7"
|
||
}
|
||
]
|
||
},
|
||
"conditionalVisibility": {
|
||
"parameterName": "Category",
|
||
"comparison": "isEqualTo",
|
||
"value": "Dealing with Fields"
|
||
},
|
||
"customWidth": "100",
|
||
"name": "group-Fields"
|
||
},
|
||
{
|
||
"type": 12,
|
||
"content": {
|
||
"version": "NotebookGroup/1.0",
|
||
"groupType": "editable",
|
||
"items": [
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "# {Category}\r\n\r\n\r\n<h2 style=\"color:blue;\">Overview:</h2>\r\n\r\nWatchlists are lookup lists in Microsoft Sentinel that can be used for correlation with the events in the Microsoft Sentinel environment. Once created, these can be used in search, detection rules, threat hunting and automated responses.\r\n\r\nCommon scenarios for using watchlists include:\r\n\r\n1. Investigating threats and responding to incidents quickly with the rapid import of IP addresses, file hashes, and other data from CSV files. Once imported, you can use watchlist name-value pairs for joins and filters in alert rules, threat hunting, workbooks, notebooks, and general queries.\r\n\r\n2. Importing business data as a watchlist. For example, import user lists with privileged system access, or terminated employees, and then use the watchlist to create allowlists and blocklists used to detect or prevent those users from logging in to the network.\r\n\r\n3. Reducing alert fatigue. Create allowlists to suppress alerts from a group of users, such as users from authorized IP addresses that perform tasks that would normally trigger the alert, and prevent benign events from becoming alerts.\r\n\r\n4. Enriching event data. Use watchlists to enrich your event data with name-value combinations derived from external data sources.\r\n\r\n[Use Microsoft Sentinel Watchlists](https://docs.microsoft.com/azure/kusto/query/ingestiontimefunctionhttps://docs.microsoft.com/azure/sentinel/watchlists)\r\n\r\n<br>\r\n"
|
||
},
|
||
"name": "text - 0"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "<h2 style=\"color:blue;\">I want to:</h2>"
|
||
},
|
||
"name": "text - 2"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "list",
|
||
"links": [
|
||
{
|
||
"id": "10c45a2a-2b70-422e-9997-0e4f315f7727",
|
||
"cellValue": "Section",
|
||
"linkTarget": "parameter",
|
||
"linkLabel": "1. List items in a Watchlist",
|
||
"subTarget": "Watchlist1",
|
||
"preText": "",
|
||
"style": "link"
|
||
},
|
||
{
|
||
"id": "40988c97-79b0-481a-b5a8-390f16783e15",
|
||
"cellValue": "Section",
|
||
"linkTarget": "parameter",
|
||
"linkLabel": "2. Correlate Watchlist items",
|
||
"subTarget": "Watchlist2",
|
||
"preText": "",
|
||
"style": "link"
|
||
},
|
||
{
|
||
"id": "933821e1-7aae-4adc-b830-d600a5fafe35",
|
||
"cellValue": "Section",
|
||
"linkTarget": "parameter",
|
||
"linkLabel": "3. Get Watchlist Aliases in Microsoft Sentinel",
|
||
"subTarget": "Watchlist3",
|
||
"style": "link"
|
||
},
|
||
{
|
||
"id": "3087160d-f62e-4610-bd0c-b227fdd5375e",
|
||
"cellValue": "Section",
|
||
"linkTarget": "parameter",
|
||
"linkLabel": "4. Correlate entities with UEBA Watchlists for Behavioral Analytics",
|
||
"subTarget": "Watchlist4",
|
||
"style": "link"
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "30",
|
||
"name": "links - 1"
|
||
},
|
||
{
|
||
"type": 12,
|
||
"content": {
|
||
"version": "NotebookGroup/1.0",
|
||
"groupType": "editable",
|
||
"items": [
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "## 1. List items in a Watchlist\r\n\r\nRetrieving Watchlist items from the Log Analytics Workspace.\r\n\r\n<h3 style=\"color:blue;\"> Operators to be used:</h3>\r\n\r\n ** _GetWatchlist()** \r\n<br>\r\n More details on using using Watchlists in queries available ** [here](https://docs.microsoft.com/azure/sentinel/watchlists#use-watchlists-in-queries)**\r\n\r\n\r\n\r\n<br>\r\n\r\n<h3 style=\"color:blue;\"> Sample query:</h3>\r\n\r\n** - Returns top 10 watchlist items after sorting the entire watchlist by TimeGenerated**\r\n\r\n<p style=\"color:red;\"> _GetWatchlist('ipwatchlist') <br> | sort by TimeGenerated desc nulls last <br> | top 10</p>\r\n\r\n** - Returns all Watchlist items added in the last 24 hours **\r\n\r\n<p style=\"color:red;\"> _GetWatchlist('ipwatchlist') <br> | where TimeGenerated > ago(24h)</p>\r\n\r\n<br>"
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Watchlist1"
|
||
},
|
||
"name": "text-Watchlist1"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "40",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Watchlist1"
|
||
},
|
||
"name": "spacing1 - Watchlist1"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "b1f79330-0e49-4c7a-b93d-773efd47d889",
|
||
"cellValue": "https://ms.portal.azure.com#@72f988bf-86f1-41af-91ab-2d7cd011db47/blade/Microsoft_Azure_Monitoring_Logs/LogsBlade/resourceId/%2Fsubscriptions%2F8bdcebd2-ea3d-41c9-bb40-e02bdbafc506%2FresourceGroups%2Foms%2Fproviders%2FMicrosoft.OperationalInsights%2Fworkspaces%2Foms101/source/LogsBlade.AnalyticsShareLinkToQuery/q/H4sIAAAAAAAAAwtOTS4tyiypdC1LzSsBAIySJcsNAAAA/timespan/P1D",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in LA Demo",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "DemoLogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "/Demo"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA4WPQUvDQBCF7%2F0VD3Joe5Bo6cmDoFBKqXgoQo%2ByScZm6GY37kwMBX%2B8m5RqmyI%2B5rK8tzPfS9ObgVZONDS5sneXxihN4wBrdoU9IAtk9tCS8NFQYBJkZH0LduohVJtglJBZn%2B%2BjdUCgyn%2By2yGJwvPqZYGnzeJx3b%2BT4%2FIhy5%2FqQDakTXAC9TXubtEazUvLomClSmDelQLEB%2B2OdpzklAOdBSPVK1e0JEcdbDF6W5JuT%2FZkzPVPdjwdffXLrj6hIMnhGmsF1ojG3JEoMia%2Fump80nkVYy22wx5FEY%2Bw6yt0BzCbo%2FRNkPv%2FeNuSYt9L2geYnZ%2FM5uX0Gw20Ydj7AQAA"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "23",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Watchlist1"
|
||
},
|
||
"name": "TryLADemo-Watchlist1"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "24dd3e02-4daf-4af5-bd5d-5c4953daae34",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in your environment",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "LogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "{Workspace}"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA4WPQUvDQBCF7%2F0VD3Joe5Bo6cmDoFBKqXgoQo%2ByScZm6GY37kwMBX%2B8m5RqmyI%2B5rK8tzPfS9ObgVZONDS5sneXxihN4wBrdoU9IAtk9tCS8NFQYBJkZH0LduohVJtglJBZn%2B%2BjdUCgyn%2By2yGJwvPqZYGnzeJx3b%2BT4%2FIhy5%2FqQDakTXAC9TXubtEazUvLomClSmDelQLEB%2B2OdpzklAOdBSPVK1e0JEcdbDF6W5JuT%2FZkzPVPdjwdffXLrj6hIMnhGmsF1ojG3JEoMia%2Fump80nkVYy22wx5FEY%2Bw6yt0BzCbo%2FRNkPv%2FeNuSYt9L2geYnZ%2FM5uX0Gw20Ydj7AQAA"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "29",
|
||
"conditionalVisibilities": [
|
||
{
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Watchlist1"
|
||
},
|
||
{
|
||
"parameterName": "Workspace",
|
||
"comparison": "isNotEqualTo"
|
||
}
|
||
],
|
||
"name": "TryOwnEnv-Watchlist1"
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Watchlist1"
|
||
},
|
||
"name": "Watchlist1"
|
||
},
|
||
{
|
||
"type": 12,
|
||
"content": {
|
||
"version": "NotebookGroup/1.0",
|
||
"groupType": "editable",
|
||
"items": [
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "## 2. Correlate Watchlist items\r\n\r\n<h3 style=\"color:blue;\"> Operators to be used:</h3>\r\n\r\n ** _GetWatchlist()** \r\n<br>\r\n More details on using using Watchlists in queries available ** [here](https://docs.microsoft.com/azure/sentinel/watchlists#use-watchlists-in-queries)**\r\n\r\n •\tData in any table can be queried against data from a watchlist by treating the watchlist as a table for joins and lookups.\r\n\r\n\r\n<h3 style=\"color:blue;\"> Sample query:</h3>\r\n\r\n** - Returns the records that match the IPs from a Watchlist**\r\n\r\n<p style=\"color:red;\"> Heartbeat <br> | lookup kind=leftouter _GetWatchlist('mywatchlist') \r\n on $left.RemoteIPCountry == $right.SearchKey</p>\r\n<br>\r\n** - Alert if item found in Watchlist**\r\n\r\n<p style=\"color:red;\"> let UserList = _GetWatchlist('users')<br> | summarize make_set(Email);<br> AzureActivity <br> | where Caller in (UserList)</p>\r\n<br>\r\n** - Alert if item not found in Watchlist**\r\n\r\n<p style=\"color:red;\"> AzureActivity <br> | join kind = leftanti _GetWatchlist('users') \r\n on $left.Caller == $right.Email</p>\r\n<br>\r\n<h3 style=\"color:blue;\"> Sample use cases:</h3>\r\n\r\n** - Known Malicious IP found in MCAS Logs**\r\n\r\n<p style=\"color:red;\"> let ipioc = _GetWatchlist('badips') | summarize make_list('IpAddress'); <br> McasShadowItReporting<br> | where IpAddress in (ipioc)<br> | project TimeGenerated, EnrichedUserName, AppName, AppCategory, AppScore</p>\r\n<br>\r\n** - Monitor users running Log Analytics queries that contain filters for VIPUser watchlist**\r\n\r\n<p style=\"color:red;\"> LAQueryLogs <br>\r\n | where QueryText has_any (\"_GetWatchlist('VIPUsers')\")<br> | project TimeGenerated, AADEmail, RequestClientApp, QueryText, ResponseRowCount, RequestTarget<br> | extend timestamp = TimeGenerated, AccountCustomEntity = AADEmail</p>"
|
||
},
|
||
"customWidth": "70",
|
||
"name": "text-Watchlist2"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "40",
|
||
"name": "spacing - Watchlist2",
|
||
"styleSettings": {
|
||
"maxWidth": "70%"
|
||
}
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "ac331a51-663e-48de-9577-ebba08a35742",
|
||
"cellValue": "https://ms.portal.azure.com#@72f988bf-86f1-41af-91ab-2d7cd011db47/blade/Microsoft_Azure_Monitoring_Logs/LogsBlade/resourceId/%2Fsubscriptions%2F8bdcebd2-ea3d-41c9-bb40-e02bdbafc506%2FresourceGroups%2Foms%2Fproviders%2FMicrosoft.OperationalInsights%2Fworkspaces%2Foms101/source/LogsBlade.AnalyticsShareLinkToQuery/q/H4sIAAAAAAAAAwtOTS4tyiypdC1LzSsBAIySJcsNAAAA/timespan/P1D",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in LA Demo",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "DemoLogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "/Demo"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA61UX0%2FbMBB%2F76c4ARKt1NEPgPqQdRWL2iLWsu0Ruc61MXV8mX2hC9qH3znQdAuwF2blIfadfb8%2FPo9GHzojdYF9pdmQ%2BzvQG43kA5gZl9ka1h7VDjhH%2BFGhNxhgjZb2YBwTBCyVV4ywtqR3EqrBY0EPxm3hVAbM0%2BspfFxOk1kzP306vIvlzRGBLJEr70IDwaMmn8V%2FxVAo1nmznN4E2HgqQMH3uGhN4N5nVJ7XqLj3CyzRriphJ5TGFjdMFaOHuyvkNr9%2FXtT7w%2BR8AOTgLKZeLIUQY3ozocqxr2E8hjNvtjlfrKSCzmdYC8zTV8cL%2Ft0RCSYWPYPZgGEsYCNlMlH3DyYWGb4G9HOZwLgLu5JIOB8Iy1AVhfLmEUWaHd4F5P60UMYOLnvJY%2BUxEbcfDNeSus%2FRI0yUldqxWP9w%2FuB%2FcnHEr%2FHpgrknCUdvhFyUXDk2b7A82vKM%2FehGQ%2FV96GeO9g4WyhptqApyr47wF5NkBXPahsYOUxrSL71Yq8yUEeYLM57iaZlkmccgKZe9hVZhlauM9ikvsSTP0jatN21qY09TL3pcerpHzXBrCrxCh7H7siFMnTc6xyzaeK0KHEJSlu3PRJK25OtmspIWwvfptCBnmDw0poCvnIsNL%2BJA4pSt2ejQvhZNq2pyrITHxliOWzay%2BVt6E9FC23S9efJFNtWNyAcZmpVb%2FMmQq3CnXA39k47ozweJpif%2FUChJPjU3ZCgPimALPLEGHYsgw2ORGAwluYBL2jcN36bfKr%2FF%2BJZIGsqVYDk%2BsCpKuQXdUlrHrZMqMBVTucwsr0YL4Ddt8wl9iwUAAA%3D%3D"
|
||
},
|
||
{
|
||
"name": "timespan",
|
||
"source": "static",
|
||
"value": "P1D"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "23",
|
||
"name": "TryLADemo-Watchlist2"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "b0c0e733-fcbd-4c60-a00b-9a526e06f05b",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in your environment",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "LogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "{Workspace}"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA61UX0%2FbMBB%2F76c4ARKt1NEPgPqQdRWL2iLWsu0Ruc61MXV8mX2hC9qH3znQdAuwF2blIfadfb8%2FPo9GHzojdYF9pdmQ%2BzvQG43kA5gZl9ka1h7VDjhH%2BFGhNxhgjZb2YBwTBCyVV4ywtqR3EqrBY0EPxm3hVAbM0%2BspfFxOk1kzP306vIvlzRGBLJEr70IDwaMmn8V%2FxVAo1nmznN4E2HgqQMH3uGhN4N5nVJ7XqLj3CyzRriphJ5TGFjdMFaOHuyvkNr9%2FXtT7w%2BR8AOTgLKZeLIUQY3ozocqxr2E8hjNvtjlfrKSCzmdYC8zTV8cL%2Ft0RCSYWPYPZgGEsYCNlMlH3DyYWGb4G9HOZwLgLu5JIOB8Iy1AVhfLmEUWaHd4F5P60UMYOLnvJY%2BUxEbcfDNeSus%2FRI0yUldqxWP9w%2FuB%2FcnHEr%2FHpgrknCUdvhFyUXDk2b7A82vKM%2FehGQ%2FV96GeO9g4WyhptqApyr47wF5NkBXPahsYOUxrSL71Yq8yUEeYLM57iaZlkmccgKZe9hVZhlauM9ikvsSTP0jatN21qY09TL3pcerpHzXBrCrxCh7H7siFMnTc6xyzaeK0KHEJSlu3PRJK25OtmspIWwvfptCBnmDw0poCvnIsNL%2BJA4pSt2ejQvhZNq2pyrITHxliOWzay%2BVt6E9FC23S9efJFNtWNyAcZmpVb%2FMmQq3CnXA39k47ozweJpif%2FUChJPjU3ZCgPimALPLEGHYsgw2ORGAwluYBL2jcN36bfKr%2FF%2BJZIGsqVYDk%2BsCpKuQXdUlrHrZMqMBVTucwsr0YL4Ddt8wl9iwUAAA%3D%3D"
|
||
},
|
||
{
|
||
"name": "timespan",
|
||
"source": "static",
|
||
"value": "P1D"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "29",
|
||
"conditionalVisibilities": [
|
||
{
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Watchlist2"
|
||
},
|
||
{
|
||
"parameterName": "Workspace",
|
||
"comparison": "isNotEqualTo"
|
||
}
|
||
],
|
||
"name": "TryOwnEnv-Watchlist2"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "<h3 style=\"color:blue;\"> Check out the relevant samples found in Microsoft Sentinel:</h3>\r\n\r\n#### Analytics Rule:\r\n\r\n **- [SAP – Security Audit Log Configuration Change](https://github.com/Azure/Azure-Sentinel/tree/645bad572223880eaf8bd79989ef1fe8e5b2a3f0/Solutions/SAP/Analytics)**\r\n\r\n#### Workbooks:\r\n\r\n **- [Incident Overview Workbook](https://github.com/Azure/Azure-Sentinel/blob/0a4d50238b8d6dfc342d8275465d62c3c55a2444/Workbooks/IncidentOverview.json)**\r\n\r\n **- [SOC Process Framework Workbook](https://github.com/Azure/Azure-Sentinel/blob/c382e7b782bd9fe1622ae757068f32e88d96b988/Workbooks/SOCProcessFramework.json)**\r\n"
|
||
},
|
||
"customWidth": "70",
|
||
"name": "samples-Watchlist2"
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Watchlist2"
|
||
},
|
||
"name": "Watchlist2"
|
||
},
|
||
{
|
||
"type": 12,
|
||
"content": {
|
||
"version": "NotebookGroup/1.0",
|
||
"groupType": "editable",
|
||
"items": [
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "## 3. Get Watchlist Aliases in Microsoft Sentinel\r\n\r\nTo get a list of watchlist aliases from the Azure portal, the **[_GetWatchlistAlias](https://docs.microsoft.com/azure/sentinel/watchlists#view-list-of-watchlists-aliases)** operator can be run by navigating to Microsoft Sentinel > General > Logs and running the _GetWatchlistAlias operator without any arguments.\r\n<br>\r\n\r\n<h3 style=\"color:blue;\"> Sample query:</h3>\r\n\r\n** - Returns 10 watchlist aliases configured in Microsoft Sentinel**\r\n\r\n<p style=\"color:red;\"> _GetWatchlistAlias<br> | take 10</p>\r\n\r\n** - Returns all Watchlists aliases that have the string VIP in the Alias configured in Microsoft Sentinel**\r\n\r\n<p style=\"color:red;\"> _GetWatchlistAlias<br> | where WatchlistAlias contains \"VIP\"</p>\r\n\r\n<br>"
|
||
},
|
||
"name": "text - 0"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "40",
|
||
"name": "text - 3"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "a09e26ab-08e6-43f5-9cb6-b4c838365ca9",
|
||
"cellValue": "https://ms.portal.azure.com#@72f988bf-86f1-41af-91ab-2d7cd011db47/blade/Microsoft_Azure_Monitoring_Logs/LogsBlade/resourceId/%2Fsubscriptions%2F8bdcebd2-ea3d-41c9-bb40-e02bdbafc506%2FresourceGroups%2Foms%2Fproviders%2FMicrosoft.OperationalInsights%2Fworkspaces%2Foms101/source/LogsBlade.AnalyticsShareLinkToQuery/q/H4sIAAAAAAAAAwtOTS4tyiypdC1LzSsBAIySJcsNAAAA/timespan/P1D",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in LA Demo",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "DemoLogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "/Demo"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA32QwU7DMBBE7%2FmKUXNGgU8IUoWiogoVCY5oky61FWODvWlUxMezDqKioTDywd71zj5NVV3M1PgkcejEBn%2FaKKpKD7CyfusOaCNTDzGMt4Gj5YSWXRhhvQQkfqVIwmhd6HptHRD5Jeyt36FU4bZZL3G9Wdar6V1%2Bmc9Z%2FlQG2bAM0SdcXWIk6YyzSUDOUlKWLvhnuxsibxUI9bvecM9erGdX4OmG5fF7ps4jxQeEelYztS7P6hfzXD%2BhyDkcN6QjlhgSGNrzFJwGnQN5aO4yZK5MLP%2FDn2UfDeuf03K2EbIKs9ANi0%2Bo%2Fl%2FN6gEAAA%3D%3D"
|
||
},
|
||
{
|
||
"name": "timespan",
|
||
"source": "static",
|
||
"value": "P1D"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "23",
|
||
"name": "TryLADemo-Watchlist3"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "440ae5ff-3d2d-447b-a6d8-f1df69193195",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in your environment",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "LogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "{Workspace}"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA32QwU7DMBBE7%2FmKUXNGgU8IUoWiogoVCY5oky61FWODvWlUxMezDqKioTDywd71zj5NVV3M1PgkcejEBn%2FaKKpKD7CyfusOaCNTDzGMt4Gj5YSWXRhhvQQkfqVIwmhd6HptHRD5Jeyt36FU4bZZL3G9Wdar6V1%2Bmc9Z%2FlQG2bAM0SdcXWIk6YyzSUDOUlKWLvhnuxsibxUI9bvecM9erGdX4OmG5fF7ps4jxQeEelYztS7P6hfzXD%2BhyDkcN6QjlhgSGNrzFJwGnQN5aO4yZK5MLP%2FDn2UfDeuf03K2EbIKs9ANi0%2Bo%2Fl%2FN6gEAAA%3D%3D"
|
||
},
|
||
{
|
||
"name": "timespan",
|
||
"source": "static",
|
||
"value": "P1D"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "29",
|
||
"conditionalVisibilities": [
|
||
{
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Watchlist3"
|
||
},
|
||
{
|
||
"parameterName": "Workspace",
|
||
"comparison": "isNotEqualTo"
|
||
}
|
||
],
|
||
"name": "TryOwnEnv-Watchlist3"
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Watchlist3"
|
||
},
|
||
"name": "Watchlist3"
|
||
},
|
||
{
|
||
"type": 12,
|
||
"content": {
|
||
"version": "NotebookGroup/1.0",
|
||
"groupType": "editable",
|
||
"items": [
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "## 4. Correlate entities with UEBA Watchlists for Behavioral Analytics\r\n\r\nMicrosoft Sentinel now comes with Built-in watchlists templates for UEBA data which can be customized. These can then be correlated with analytic rules, view it in the entity pages and investigation graphs as insights, create custom uses such as to track VIP or sensitive users and more.\r\n<br>\r\n\r\n<h3 style=\"color:blue;\"> Sample query:</h3>\r\n\r\n** - Correlate High-Value Assets Watchlist with Security Events**\r\n\r\n<p style=\"color:red;\"> let HVA = _GetWatchlist('HighValueAssets')<br> | extend AssetFQDN = tolower('Asset FQDN');<br> SecurityEvent<br> | where EventID == 4624<br> | extend Computer = tolower(Computer)<br> | join kind = inner HVA on $left.Computer == $right.AssetFQDN</p>\r\n\r\n** - Correlate Service Accounts' logon activity with Security Events**\r\n\r\n<p style=\"color:red;\"> let ServiceAccounts = _GetWatchlist('ServiceAccounts')<br> | extend sAMAccountName = tolower(tostring(split('Service Principal Name',\"@\")[0]));<br> SecurityEvent<br> | where EventID == 4624<br> | extend Account = tolower(tostring(split(Account,\"\\\\\\\")[1]))<br> | join kind = inner ServiceAccounts on $left.Account == $right.sAMAccountName</p>\r\n\r\n<h3 style=\"color:blue;\"> Sample Use cases:</h3>\r\n\r\n** - Alert on malicious file activity around a high value Assets that also have identified vulnerabiites**\r\n\r\n<p style=\"color:red;\"> let watchlst=(_GetWatchlist('Hva')) | project svrname;<br> let secalert=(SecurityAlert<br> |where TimeGenerated > ago(1d)<br> |where AlertName contains \"MTP File activity alert\"<br> |extend HostName_ = tostring(parse_json(Entities)[0].HostName)<br> |extend AppendDom=strcat(HostName_,\".contoso.azure\"));<br> secalert<br> | join MDE_TVM_PublicExploits_CL on $left.AppendDom == $right.DeviceName_s<br> | where TimeGenerated > ago(1d)<br> | where VulnerabilitySeverityLevel_s == \"High\" and AppendHost in~ (watchlst)<br> | distinct DisplayName, AlertSeverity, VulnerabilitySeverityLevel_s, VulnerabilityDescription_s</p>"
|
||
},
|
||
"customWidth": "70",
|
||
"name": "text-Watchlist4"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "40",
|
||
"name": "text - 3"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "e5e94994-631c-4c7d-8533-780719e3ea13",
|
||
"cellValue": "https://ms.portal.azure.com#@72f988bf-86f1-41af-91ab-2d7cd011db47/blade/Microsoft_Azure_Monitoring_Logs/LogsBlade/resourceId/%2Fsubscriptions%2F8bdcebd2-ea3d-41c9-bb40-e02bdbafc506%2FresourceGroups%2Foms%2Fproviders%2FMicrosoft.OperationalInsights%2Fworkspaces%2Foms101/source/LogsBlade.AnalyticsShareLinkToQuery/q/H4sIAAAAAAAAAwtOTS4tyiypdC1LzSsBAIySJcsNAAAA/timespan/P1D",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in LA Demo",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "DemoLogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "/Demo"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA6VVbW%2FaMBD%2Bzq84pZVIJArrVO1LxTRW6Itaqm6t2Id1QiZcG7fGzuxLKBPab985kPDSMmmahRRh391z9zyPk1brYGtdaEc2i0kavXlQa7X4B3Ap9VjNYGRRPAMlCD8ztBIdjFCZKUhNBhymwgpCGCkTP%2FPRDCxOTC71I%2BzxgquL6x58%2FtrrXBb%2F9xbFt3vZuXwjJ8ZaVB7kXD4mBwOhMoSOc0gOvgmKEyUdwVRSArcYZ1bSDHo5anI1hQTngw60YXiGVAWHdV%2BpKLSoU49qc8AXQj1eVD790r3mLDI8KdqwXmyC361Hx7USpkDhzGmCFheYF11ot%2BHow%2FujVcUTM0kzQrtWsNzyuE9Ganhmsvlcas1xvmWjYV%2FhAzVX2W3Yt9w3NasWmZ69N9cr3rfXJrG3aHMZM6txbDImrg7KPHIHgu2Rez53srvMLBNfM70VsM606%2FSX29digmvskGFrsoVClyq5qgE3vBnLVCjwCfVG8CmIvr%2F7Ef27JEvc3ZjLgEZwf88Yh4zxplLb41eqVQCVaJvT%2Fp9yHYWWPNhEKBlLkzl4kApXegnLQGMQkDA25OtXhhJBIJQzkIgcQY6ZIvkgcQx5pngmMZKScKHutNDRUTvcuj65qEcRzCG15gljApdbzVMdF1kOY%2BEbbIelKkW%2FtflClDs5wTP0SMSgH0E8mvBwHJXHRWxhiNhoElI7CPp3N3C6OaCPCmrzpZ7nrF5loqWQ%2FGZy%2BOSMDns8IfGby5ulWYZGVXInTfnRNZM2Z8aCwjKkETR9D8aZpviVWQy808rpSj%2F0u73h3aA%2FvMlGrEXvJVVGkhueXK2ZoQRYs0MXvXE8ytBVft1JzfJ8UCrEFp3dYo6e3Ct%2BqqHztQP%2FXgtAVEP5SdiqvyEspfTFxiwi3ySCrmS3i1kx64L4smjjr1hbp110sZWp%2F5QM3R%2FmZj6magYAAA%3D%3D"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "23",
|
||
"name": "TryLADemo-Watchlist4"
|
||
},
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "paragraph",
|
||
"links": [
|
||
{
|
||
"id": "b762536a-47a3-410e-ba68-b4d4fed7751c",
|
||
"linkTarget": "OpenBlade",
|
||
"linkLabel": "🔍 Try it in your environment",
|
||
"style": "primary",
|
||
"linkIsContextBlade": true,
|
||
"bladeOpenContext": {
|
||
"bladeName": "LogsBlade",
|
||
"extensionName": "Microsoft_Azure_Monitoring_Logs",
|
||
"bladeParameters": [
|
||
{
|
||
"name": "resourceId",
|
||
"source": "static",
|
||
"value": "{Workspace}"
|
||
},
|
||
{
|
||
"name": "source",
|
||
"source": "static",
|
||
"value": "LogsBlade.AnalyticsShareLinkToQuery"
|
||
},
|
||
{
|
||
"name": "q",
|
||
"source": "static",
|
||
"value": "H4sIAAAAAAAAA6VVbW%2FaMBD%2Bzq84pZVIJArrVO1LxTRW6Itaqm6t2Id1QiZcG7fGzuxLKBPab985kPDSMmmahRRh391z9zyPk1brYGtdaEc2i0kavXlQa7X4B3Ap9VjNYGRRPAMlCD8ztBIdjFCZKUhNBhymwgpCGCkTP%2FPRDCxOTC71I%2BzxgquL6x58%2FtrrXBb%2F9xbFt3vZuXwjJ8ZaVB7kXD4mBwOhMoSOc0gOvgmKEyUdwVRSArcYZ1bSDHo5anI1hQTngw60YXiGVAWHdV%2BpKLSoU49qc8AXQj1eVD790r3mLDI8KdqwXmyC361Hx7USpkDhzGmCFheYF11ot%2BHow%2FujVcUTM0kzQrtWsNzyuE9Ganhmsvlcas1xvmWjYV%2FhAzVX2W3Yt9w3NasWmZ69N9cr3rfXJrG3aHMZM6txbDImrg7KPHIHgu2Rez53srvMLBNfM70VsM606%2FSX29digmvskGFrsoVClyq5qgE3vBnLVCjwCfVG8CmIvr%2F7Ef27JEvc3ZjLgEZwf88Yh4zxplLb41eqVQCVaJvT%2Fp9yHYWWPNhEKBlLkzl4kApXegnLQGMQkDA25OtXhhJBIJQzkIgcQY6ZIvkgcQx5pngmMZKScKHutNDRUTvcuj65qEcRzCG15gljApdbzVMdF1kOY%2BEbbIelKkW%2FtflClDs5wTP0SMSgH0E8mvBwHJXHRWxhiNhoElI7CPp3N3C6OaCPCmrzpZ7nrF5loqWQ%2FGZy%2BOSMDns8IfGby5ulWYZGVXInTfnRNZM2Z8aCwjKkETR9D8aZpviVWQy808rpSj%2F0u73h3aA%2FvMlGrEXvJVVGkhueXK2ZoQRYs0MXvXE8ytBVft1JzfJ8UCrEFp3dYo6e3Ct%2BqqHztQP%2FXgtAVEP5SdiqvyEspfTFxiwi3ySCrmS3i1kx64L4smjjr1hbp110sZWp%2F5QM3R%2FmZj6magYAAA%3D%3D"
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "29",
|
||
"conditionalVisibilities": [
|
||
{
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Watchlist4"
|
||
},
|
||
{
|
||
"parameterName": "Workspace",
|
||
"comparison": "isNotEqualTo"
|
||
}
|
||
],
|
||
"name": "TryOwnEnv-Watchlist4"
|
||
}
|
||
]
|
||
},
|
||
"customWidth": "70",
|
||
"conditionalVisibility": {
|
||
"parameterName": "Section",
|
||
"comparison": "isEqualTo",
|
||
"value": "Watchlist4"
|
||
},
|
||
"name": "Watchlist4"
|
||
}
|
||
]
|
||
},
|
||
"conditionalVisibility": {
|
||
"parameterName": "Category",
|
||
"comparison": "isEqualTo",
|
||
"value": "Using Watchlist Data"
|
||
},
|
||
"name": "group-Watchists"
|
||
},
|
||
{
|
||
"type": 12,
|
||
"content": {
|
||
"version": "NotebookGroup/1.0",
|
||
"groupType": "editable",
|
||
"items": [
|
||
{
|
||
"type": 11,
|
||
"content": {
|
||
"version": "LinkItem/1.0",
|
||
"style": "toolbar",
|
||
"links": [
|
||
{
|
||
"id": "b33d38af-b036-4bce-8462-4a5d306fc95c",
|
||
"cellValue": "Category",
|
||
"linkTarget": "parameter",
|
||
"linkLabel": "Back to Category",
|
||
"subTarget": "Home",
|
||
"style": "link",
|
||
"icon": "StatusUpsell"
|
||
}
|
||
]
|
||
},
|
||
"name": "links - BacktoCategory"
|
||
}
|
||
]
|
||
},
|
||
"conditionalVisibility": {
|
||
"parameterName": "Category",
|
||
"comparison": "isNotEqualTo",
|
||
"value": "Home"
|
||
},
|
||
"name": "group-ResetCategory"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": ""
|
||
},
|
||
"customWidth": "85",
|
||
"name": "text - 24"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "[Submit your feedback](https://forms.office.com/r/qNS7cRmPWS)"
|
||
},
|
||
"customWidth": "15",
|
||
"name": "text - 25"
|
||
}
|
||
],
|
||
"fromTemplateId": "sentinel-AdvancedKQL",
|
||
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
|
||
}
|