Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность
Azure-Sentinel/Workbooks/Citrix.json

1752 строки
64 KiB
JSON
Исходник Ответственный История

{
"version": "Notebook/1.0",
"items": [
{
"type": 1,
"content": {
"json": "## Citrix Analytics workbook\n---"
},
"name": "text - 2"
},
{
"type": 11,
"content": {
"version": "LinkItem/1.0",
"style": "tabs",
"links": [
{
"id": "662447f0-e745-457f-89a1-ff5f01055084",
"cellValue": "selectTab",
"linkTarget": "parameter",
"linkLabel": "User Risk Scores Overview",
"subTarget": "User Risk Scores Overview",
"style": "link"
},
{
"id": "505e4c6a-34a3-4174-9b34-1112ce3a5da7",
"cellValue": "selectTab",
"linkTarget": "parameter",
"linkLabel": "User Details",
"subTarget": "User Details",
"style": "link"
},
{
"id": "235fc368-f144-4902-a49a-7cae1c2bd765",
"cellValue": "selectTab",
"linkTarget": "parameter",
"linkLabel": "User Profile",
"subTarget": "User Profile",
"style": "link"
},
{
"id": "aeffe548-46af-4ef2-8f4a-7f49c4dd515a",
"cellValue": "selectTab",
"linkTarget": "parameter",
"linkLabel": "Received Events",
"subTarget": "Received Events",
"style": "link"
},
{
"id": "51102296-4355-472a-9c85-d24ef52f460b",
"cellValue": "selectTab",
"linkTarget": "parameter",
"linkLabel": "Risk Indicator Details",
"subTarget": "Risk Indicator Details",
"style": "link"
},
{
"id": "5567e348-a5b1-43b5-841f-173effea84e3",
"cellValue": "selectTab",
"linkTarget": "parameter",
"linkLabel": "Risk Indicator Overview",
"subTarget": "Risk Indicator Overview",
"style": "link"
}
]
},
"name": "links - 7"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "53e9d4bb-61d8-4a42-b766-79bd877c37a0",
"version": "KqlParameterItem/1.0",
"name": "timeRange",
"label": "Select Time Range",
"type": 4,
"value": {
"durationMs": 86400000
},
"typeSettings": {
"selectableValues": [
{
"durationMs": 3600000
},
{
"durationMs": 43200000
},
{
"durationMs": 86400000
},
{
"durationMs": 604800000
},
{
"durationMs": 2592000000
}
]
},
"timeContext": {
"durationMs": 86400000
}
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 1"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let userProfileCount = CitrixAnalytics_userProfile_CL | count; \nlet indicatorEventDetailCount = CitrixAnalytics_indicatorEventDetails_CL | count; \nlet indicatorSummaryCount = CitrixAnalytics_indicatorSummary_CL | count ;\nlet riskScoreChangeCount = CitrixAnalytics_riskScoreChange_CL | count ;\nprint toscalar(userProfileCount)\n +toscalar(indicatorEventDetailCount)\n +toscalar ( indicatorSummaryCount)\n +toscalar ( userProfileCount)\n +toscalar ( riskScoreChangeCount);",
"size": 4,
"title": "# Received Events",
"timeContext": {
"durationMs": 2592000000
},
"timeContextFromParameter": "timeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"tileSettings": {
"titleContent": {
"columnMatch": "print_0",
"formatter": 12,
"formatOptions": {
"palette": "blue"
}
},
"showBorder": false
}
},
"customWidth": "25",
"name": "query - 0",
"styleSettings": {
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let riskIndicatorSummaryCount = CitrixAnalytics_indicatorSummary_CL\n| count; \nprint toscalar(riskIndicatorSummaryCount);",
"size": 4,
"title": "# Risk Indicator Summary Received",
"timeContext": {
"durationMs": 2592000000
},
"timeContextFromParameter": "timeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"tileSettings": {
"titleContent": {
"columnMatch": "print_0",
"formatter": 12,
"formatOptions": {
"palette": "blue"
}
},
"showBorder": false
}
},
"customWidth": "25",
"name": "query - 5",
"styleSettings": {
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let indicatorEventDetailsCount = CitrixAnalytics_indicatorEventDetails_CL | count; \nprint toscalar(indicatorEventDetailsCount);",
"size": 4,
"title": "# Risk Indicator Event Details Received",
"timeContext": {
"durationMs": 2592000000
},
"timeContextFromParameter": "timeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"tileSettings": {
"titleContent": {
"columnMatch": "print_0",
"formatter": 12,
"formatOptions": {
"palette": "blue"
}
},
"showBorder": false
}
},
"customWidth": "25",
"name": "query - 6",
"styleSettings": {
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let riskScoreChangeCount = CitrixAnalytics_riskScoreChange_CL | count ;\nprint toscalar(riskScoreChangeCount);",
"size": 4,
"title": "# Risk Score Changes Received",
"timeContext": {
"durationMs": 2592000000
},
"timeContextFromParameter": "timeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"tileSettings": {
"titleContent": {
"columnMatch": "print_0",
"formatter": 12,
"formatOptions": {
"palette": "blue"
}
},
"showBorder": false
}
},
"customWidth": "25",
"name": "query - 7",
"styleSettings": {
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let userProfileCount = CitrixAnalytics_userProfile_CL \n| where event_type_s == \"userProfileRiskscore\"| count; \nprint toscalar(userProfileCount);",
"size": 4,
"title": "# User Profile Risk Score Received",
"timeContext": {
"durationMs": 2592000000
},
"timeContextFromParameter": "timeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"tileSettings": {
"titleContent": {
"columnMatch": "print_0",
"formatter": 12,
"formatOptions": {
"palette": "blue"
},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal"
}
}
},
"showBorder": false
}
},
"customWidth": "20",
"name": "query - 2",
"styleSettings": {
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let userProfileCount = CitrixAnalytics_userProfile_CL \n| where event_type_s == \"userProfileLocation\"| count; \nprint toscalar(userProfileCount);",
"size": 4,
"title": "# User Profile Location Received",
"timeContext": {
"durationMs": 2592000000
},
"timeContextFromParameter": "timeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"tileSettings": {
"titleContent": {
"columnMatch": "print_0",
"formatter": 12,
"formatOptions": {
"palette": "blue"
}
},
"showBorder": false
}
},
"customWidth": "20",
"name": "query - 3",
"styleSettings": {
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let userProfileCount = CitrixAnalytics_userProfile_CL \n| where event_type_s == \"userProfileApp\"| count; \nprint toscalar(userProfileCount);",
"size": 4,
"title": "# User Profile App Received",
"timeContext": {
"durationMs": 2592000000
},
"timeContextFromParameter": "timeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"tileSettings": {
"titleContent": {
"columnMatch": "print_0",
"formatter": 12,
"formatOptions": {
"palette": "blue"
}
},
"showBorder": false
}
},
"customWidth": "20",
"name": "query - 4",
"styleSettings": {
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let userProfileCount = CitrixAnalytics_userProfile_CL \n| where event_type_s == \"userProfileUsage\"| count; \nprint toscalar(userProfileCount);",
"size": 4,
"title": "# User Profile Usage Received",
"timeContext": {
"durationMs": 2592000000
},
"timeContextFromParameter": "timeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"tileSettings": {
"titleContent": {
"columnMatch": "print_0",
"formatter": 12,
"formatOptions": {
"palette": "blue"
}
},
"showBorder": false
}
},
"customWidth": "20",
"name": "query - 4 - Copy",
"styleSettings": {
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let userProfileCount = CitrixAnalytics_userProfile_CL \n| where event_type_s == \"userProfileDevice\"| count; \nprint toscalar(userProfileCount);",
"size": 4,
"title": "# User Profile Device Received",
"timeContext": {
"durationMs": 2592000000
},
"timeContextFromParameter": "timeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"tileSettings": {
"titleContent": {
"columnMatch": "print_0",
"formatter": 12,
"formatOptions": {
"palette": "blue"
}
},
"showBorder": false
}
},
"customWidth": "20",
"name": "query - 4 - Copy - Copy",
"styleSettings": {
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CitrixAnalytics_indicatorSummary_CL | project bin(TimeGenerated, 1d), event_type_s\n| union CitrixAnalytics_indicatorEventDetails_CL | project bin(TimeGenerated, 1d), event_type_s\n| union CitrixAnalytics_riskScoreChange_CL | project bin(TimeGenerated, 1d), event_type_s\n| union CitrixAnalytics_userProfile_CL | project bin(TimeGenerated, 1d), event_type_s\n| summarize count() by bin(TimeGenerated, 1d), event_type_s",
"size": 1,
"title": "Citrix Analytics Events Received (over time)",
"timeContext": {
"durationMs": 2592000000
},
"timeContextFromParameter": "timeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "timechart",
"chartSettings": {
"showMetrics": false,
"showLegend": true
}
},
"name": "query - 10"
}
]
},
"conditionalVisibility": {
"parameterName": "selectTab",
"comparison": "isEqualTo",
"value": "Received Events"
},
"name": "Received Events Group"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "20eb1db0-15d3-49f8-97c2-cc7d2ece19a8",
"version": "KqlParameterItem/1.0",
"name": "timeRange",
"label": "Select Time Range",
"type": 4,
"value": {
"durationMs": 2592000000
},
"typeSettings": {
"selectableValues": [
{
"durationMs": 3600000
},
{
"durationMs": 86400000
},
{
"durationMs": 604800000
},
{
"durationMs": 2592000000
}
]
},
"timeContext": {
"durationMs": 86400000
}
},
{
"id": "13b1b7f0-0f2b-41f5-a3d3-081aedc97122",
"version": "KqlParameterItem/1.0",
"name": "entityType",
"label": "Select Entity Type",
"type": 2,
"query": "CitrixAnalytics_indicatorSummary_CL\n| summarize by entity_type_s",
"typeSettings": {
"additionalResourceOptions": []
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "timeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"value": "user"
},
{
"id": "d690abe2-3fe1-44c6-9dfc-0d3d2d35efd0",
"version": "KqlParameterItem/1.0",
"name": "riskIndicatorType",
"label": "Select Risk Indicator Type",
"type": 2,
"query": "CitrixAnalytics_indicatorSummary_CL\n| summarize by indicator_type_s",
"typeSettings": {
"additionalResourceOptions": []
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "timeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"value": "custom"
},
{
"id": "75e42b30-91c5-47f5-81eb-bc17517a48fc",
"version": "KqlParameterItem/1.0",
"name": "dataSource",
"label": "Select Data Source",
"type": 2,
"query": "CitrixAnalytics_indicatorSummary_CL\n| summarize by data_source_s",
"typeSettings": {
"additionalResourceOptions": []
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "timeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"value": "Citrix Virtual Apps and Desktops"
},
{
"id": "80b819b1-b5f0-443c-961c-f55caf925083",
"version": "KqlParameterItem/1.0",
"name": "riskIndicatorCategory",
"label": "Select Risk Indicator Category",
"type": 2,
"query": "CitrixAnalytics_indicatorSummary_CL\n| summarize by indicator_category_s",
"typeSettings": {
"additionalResourceOptions": []
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "timeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"value": "Compromised users"
},
{
"id": "1fa3e1ca-41da-42c7-b2cb-73043d3e1553",
"version": "KqlParameterItem/1.0",
"name": "riskIndicator",
"label": "Select Risk Indicator",
"type": 2,
"query": "CitrixAnalytics_indicatorSummary_CL\n| summarize by indicator_name_s",
"typeSettings": {
"additionalResourceOptions": []
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "timeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"value": "CVAD-Session started outside of geofence"
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 7"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CitrixAnalytics_indicatorSummary_CL\n| where data_source_s == \"{dataSource}\"\n| where indicator_category_s == \"{riskIndicatorCategory}\"\n| where entity_type_s == \"{entityType}\"\n| where indicator_type_s == \"{riskIndicatorType}\"\n| where indicator_name_s == \"{riskIndicator}\"\n| project TimeGenerated, data_source_s, indicator_category_s, indicator_name_s, entity_id_s, entity_type_s, severity_s, risk_probability_s, indicator_uuid_g",
"size": 0,
"title": "Risk Indicator (History)",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "timeRange",
"exportFieldName": "indicator_uuid_g",
"exportParameterName": "indicator_uuid_g",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table"
},
"name": "query - 8"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CitrixAnalytics_indicatorEventDetails_CL\n| where indicator_uuid_g == '{indicator_uuid_g}'",
"size": 0,
"title": "Risk Indicator Event Details",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "timeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table"
},
"name": "query - 2"
}
]
},
"conditionalVisibility": {
"parameterName": "selectTab",
"comparison": "isEqualTo",
"value": "Risk Indicator Details"
},
"name": "Risk Indicator Details Group"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "014e8f3c-0356-4fd9-8b03-21a172ec01f4",
"version": "KqlParameterItem/1.0",
"name": "timeRange",
"label": "Select Time Range",
"type": 4,
"isRequired": true,
"value": {
"durationMs": 2592000000
},
"typeSettings": {
"selectableValues": [
{
"durationMs": 3600000
},
{
"durationMs": 43200000
},
{
"durationMs": 86400000
},
{
"durationMs": 604800000
},
{
"durationMs": 2592000000
}
]
},
"timeContext": {
"durationMs": 86400000
}
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 0"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CitrixAnalytics_userProfile_CL\n| where cur_riskscore_d > 64\n| where cur_riskscore_d < 100\n| where entity_type_s == 'user'\n| summarize count()",
"size": 4,
"title": "High Risk Users",
"color": "redBright",
"timeContext": {
"durationMs": 2592000000
},
"timeContextFromParameter": "timeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"gridSettings": {
"formatters": [
{
"columnMatch": "Count",
"formatter": 1,
"formatOptions": {
"showIcon": true
},
"tooltipFormat": {
"tooltip": "Risk Score of 64 to 100"
}
}
],
"labelSettings": [
{
"columnId": "Count",
"label": "High Risk Users"
}
]
},
"tileSettings": {
"titleContent": {
"columnMatch": "count_",
"formatter": 12,
"formatOptions": {
"palette": "redBright"
},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal"
}
}
},
"showBorder": false
}
},
"customWidth": "33",
"name": "query - 6 - Copy - Copy",
"styleSettings": {
"padding": "10px",
"maxWidth": "33%",
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CitrixAnalytics_userProfile_CL\n| where cur_riskscore_d > 34\n| where cur_riskscore_d < 63\n| where entity_type_s == 'user'\n| summarize count()",
"size": 4,
"title": "Medium Risk Users",
"timeContext": {
"durationMs": 2592000000
},
"timeContextFromParameter": "timeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"gridSettings": {
"formatters": [
{
"columnMatch": "Count",
"formatter": 1,
"formatOptions": {
"showIcon": true
},
"tooltipFormat": {
"tooltip": "Risk Score of 33 to 64"
}
}
],
"labelSettings": [
{
"columnId": "Count",
"label": "Medium Risk Users"
}
]
},
"tileSettings": {
"titleContent": {
"columnMatch": "count_",
"formatter": 12,
"formatOptions": {
"palette": "yellow"
}
},
"showBorder": false
}
},
"customWidth": "33",
"name": "query - 6 - Copy",
"styleSettings": {
"padding": "10px",
"maxWidth": "33%",
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CitrixAnalytics_userProfile_CL\n| where cur_riskscore_d > 1\n| where cur_riskscore_d < 33\n| where entity_type_s == 'user'\n| summarize count()",
"size": 4,
"title": "Low Risk Users",
"timeContext": {
"durationMs": 2592000000
},
"timeContextFromParameter": "timeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"gridSettings": {
"formatters": [
{
"columnMatch": "Count",
"formatter": 1,
"formatOptions": {
"showIcon": true
},
"tooltipFormat": {
"tooltip": "Risk Score of 0 to 33"
}
}
],
"labelSettings": [
{
"columnId": "Count",
"label": "Low Risk Users"
}
]
},
"tileSettings": {
"titleContent": {
"columnMatch": "count_",
"formatter": 12,
"formatOptions": {
"palette": "gray"
}
},
"showBorder": false
}
},
"customWidth": "33",
"name": "query - 6",
"styleSettings": {
"padding": "10px",
"maxWidth": "33%",
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "( CitrixAnalytics_userProfile_CL\n| where cur_riskscore_d > 64\n| where cur_riskscore_d < 100\n| where entity_type_s == 'user'\n| summarize count() by bin(TimeGenerated,1d), severity=\"High\")\n| union (CitrixAnalytics_userProfile_CL\n| where cur_riskscore_d > 34\n| where cur_riskscore_d < 63\n| where entity_type_s == 'user'\n| summarize count() by bin(TimeGenerated,1d), severity=\"Medium\")\n| union (CitrixAnalytics_userProfile_CL\n| where cur_riskscore_d > 1\n| where cur_riskscore_d < 33\n| where entity_type_s == 'user'\n| summarize count() by bin(TimeGenerated,1d), severity=\"Low\")\n| order by severity, TimeGenerated asc \n| render barchart ",
"size": 1,
"aggregation": 3,
"title": "Users Risk Profile (over time)",
"timeContext": {
"durationMs": 2592000000
},
"timeContextFromParameter": "timeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"chartSettings": {
"xAxis": "TimeGenerated",
"group": "severity",
"createOtherGroup": null,
"showMetrics": false,
"showLegend": true,
"seriesLabelSettings": [
{
"seriesName": "High",
"label": "High",
"color": "redBright"
},
{
"seriesName": "Medium",
"label": "Medium",
"color": "orange"
},
{
"seriesName": "Low",
"label": "Low",
"color": "gray"
}
],
"ySettings": {
"numberFormatSettings": {
"unit": 17,
"options": {
"style": "decimal",
"useGrouping": true
}
}
}
}
},
"name": "query - 6"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"loadType": "always",
"items": [
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "885a817d-ab3e-498f-99cf-280f4e0c79aa",
"version": "KqlParameterItem/1.0",
"name": "userName",
"label": "User Name",
"type": 1,
"value": "kevin",
"timeContext": {
"durationMs": 86400000
}
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 0"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CitrixAnalytics_userProfile_CL\n| join CitrixAnalytics_indicatorSummary_CL on tenant_id_s, entity_id_s\n| summarize count() by entity_id_s, indicator_category_s, cur_riskscore_d\n| evaluate pivot(indicator_category_s)\n| where entity_id_s contains \"{userName}\"",
"size": 0,
"title": "Risky Users",
"timeContext": {
"durationMs": 2592000000
},
"timeContextFromParameter": "timeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "cur_riskscore_d",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "colors",
"thresholdsGrid": [
{
"operator": ">",
"thresholdValue": "64",
"representation": "redBright",
"text": "{0}{1}"
},
{
"operator": ">",
"thresholdValue": "34",
"representation": "yellow"
},
{
"operator": ">",
"thresholdValue": "1",
"representation": "gray"
},
{
"operator": "Default",
"thresholdValue": null,
"text": "{0}{1}"
}
]
}
}
],
"labelSettings": [
{
"columnId": "entity_id_s",
"label": "User"
},
{
"columnId": "cur_riskscore_d",
"label": "Risk Score"
}
]
}
},
"name": "query - 1"
}
]
},
"name": "group - 7"
}
]
},
"conditionalVisibility": {
"parameterName": "selectTab",
"comparison": "isEqualTo",
"value": "User Risk Scores Overview"
},
"name": "UserRiskScoresOverviewGroup"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "3c5195b6-5487-4abc-9d70-75eda370b6da",
"version": "KqlParameterItem/1.0",
"name": "timeRange",
"label": "Select Time Range",
"type": 4,
"value": {
"durationMs": 2592000000
},
"typeSettings": {
"selectableValues": [
{
"durationMs": 3600000
},
{
"durationMs": 43200000
},
{
"durationMs": 86400000
},
{
"durationMs": 604800000
},
{
"durationMs": 2592000000
}
]
},
"timeContext": {
"durationMs": 86400000
}
},
{
"id": "fa764770-1f4d-44b0-9d05-25d83fba61dd",
"version": "KqlParameterItem/1.0",
"name": "riskIndicatorType",
"label": "Select Risk Indicator Type",
"type": 2,
"query": "CitrixAnalytics_indicatorSummary_CL\n| summarize by indicator_type_s",
"value": "custom",
"typeSettings": {
"additionalResourceOptions": []
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "timeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
{
"id": "d822a164-cbef-4b76-a0b6-2240cbe93bda",
"version": "KqlParameterItem/1.0",
"name": "entityType",
"label": "Select Entity Type",
"type": 2,
"query": "CitrixAnalytics_indicatorSummary_CL\n| summarize by entity_type_s",
"value": "user",
"typeSettings": {
"additionalResourceOptions": []
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "timeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 6"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CitrixAnalytics_indicatorSummary_CL\n| where indicator_type_s == \"{riskIndicatorType}\"\n| where entity_type_s == \"{entityType}\"\n| summarize count() by TimeGenerated, indicator_name_s",
"size": 0,
"title": "Risk Indicators Received",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "timeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "timechart",
"chartSettings": {
"showMetrics": false,
"showLegend": true
}
},
"customWidth": "50",
"name": "query - 5",
"styleSettings": {
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CitrixAnalytics_indicatorSummary_CL\n| where indicator_type_s == \"{riskIndicatorType}\"\n| where entity_type_s == \"{entityType}\"\n| summarize Count = count() by indicator_name_s\n| top 10 by Count desc",
"size": 0,
"title": "Top 10 Risk Indicators",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "timeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "barchart",
"chartSettings": {
"showMetrics": false,
"showLegend": true
}
},
"customWidth": "50",
"name": "query - 7",
"styleSettings": {
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CitrixAnalytics_indicatorEventDetails_CL\n| join CitrixAnalytics_indicatorSummary_CL on indicator_uuid_g\n| where indicator_type_s == \"{riskIndicatorType}\"\n| where entity_type_s == \"{entityType}\"\n| where country_s != \"NA\"\n| summarize count() by city_s, country_s",
"size": 2,
"title": "Citrix Analytics Risk Indicator by Geo Location",
"timeContext": {
"durationMs": 2592000000
},
"timeContextFromParameter": "timeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "map",
"mapSettings": {
"locInfo": "CountryRegion",
"locInfoColumn": "country_s",
"sizeSettings": "count_",
"sizeAggregation": "Sum",
"legendMetric": "count_",
"legendAggregation": "Sum",
"itemColorSettings": null
}
},
"name": "query - 5",
"styleSettings": {
"showBorder": true
}
}
]
},
"conditionalVisibility": {
"parameterName": "selectTab",
"comparison": "isEqualTo",
"value": "Risk Indicator Overview"
},
"name": "Risk Indicator Overview Group"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "2f53dae0-6c61-4d32-9b16-971eb0da8987",
"version": "KqlParameterItem/1.0",
"name": "timeRange",
"label": "Select Time Range",
"type": 4,
"typeSettings": {
"selectableValues": [
{
"durationMs": 3600000
},
{
"durationMs": 43200000
},
{
"durationMs": 86400000
},
{
"durationMs": 604800000
},
{
"durationMs": 2592000000
}
]
},
"timeContext": {
"durationMs": 86400000
},
"value": {
"durationMs": 86400000
}
},
{
"id": "08875964-ddb1-4731-a048-0c4272c95fe8",
"version": "KqlParameterItem/1.0",
"name": "userName",
"label": "Search for User",
"type": 1,
"isRequired": true,
"timeContext": {
"durationMs": 86400000
},
"value": "0"
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 0"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CitrixAnalytics_riskScoreChange_CL\n| where entity_id_s contains \"{userName}\"\n| order by TimeGenerated desc \n| project cur_riskscore_d\n| limit 1",
"size": 4,
"title": "Current Risk Score",
"timeContext": {
"durationMs": 2592000000
},
"timeContextFromParameter": "timeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"tileSettings": {
"titleContent": {
"columnMatch": "cur_riskscore_d",
"formatter": 12,
"formatOptions": {
"palette": "blue"
}
},
"showBorder": false
}
},
"customWidth": "100",
"name": "query - 3",
"styleSettings": {
"margin": "100",
"maxWidth": "100"
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CitrixAnalytics_riskScoreChange_CL\n| where entity_id_s contains \"{userName}\"\n| summarize by cur_riskscore_d, TimeGenerated",
"size": 1,
"timeContext": {
"durationMs": 2592000000
},
"timeContextFromParameter": "timeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "timechart",
"chartSettings": {
"showMetrics": false,
"showLegend": true
}
},
"name": "query - 2"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CitrixAnalytics_indicatorSummary_CL\n| where entity_id_s contains \"{userName}\"\n| summarize count() by indicator_name_s",
"size": 3,
"title": "Risk Indicator (ratio)",
"timeContext": {
"durationMs": 2592000000
},
"timeContextFromParameter": "timeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart",
"chartSettings": {
"showMetrics": false,
"showLegend": true
}
},
"customWidth": "50",
"name": "query - 1",
"styleSettings": {
"maxWidth": "100",
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CitrixAnalytics_indicatorEventDetails_CL\n| where entity_id_s contains \"{userName}\"\n| where country_s != \"NA\"\n| project country_s\n",
"size": 0,
"title": "Risk Indicator (Geo Distribution)",
"timeContext": {
"durationMs": 2592000000
},
"timeContextFromParameter": "timeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "map",
"mapSettings": {
"locInfo": "CountryRegion",
"locInfoColumn": "country_s",
"sizeAggregation": "Sum",
"legendMetric": "country_s",
"legendAggregation": "Count",
"itemColorSettings": null
}
},
"customWidth": "50",
"name": "query - 4",
"styleSettings": {
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CitrixAnalytics_userProfile_CL\n| join CitrixAnalytics_indicatorSummary_CL on tenant_id_s, entity_id_s\n| where entity_id_s contains \"{userName}\"\n| where event_type_s == \"userProfileDevice\"\n| project data_source_s, indicator_category_s, indicator_name_s, device_s",
"size": 0,
"title": "Related Devices",
"timeContext": {
"durationMs": 2592000000
},
"timeContextFromParameter": "timeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table",
"gridSettings": {
"labelSettings": [
{
"columnId": "data_source_s",
"label": "Data Source"
},
{
"columnId": "indicator_category_s",
"label": "Indicator Category"
},
{
"columnId": "indicator_name_s",
"label": "Indicator Name"
},
{
"columnId": "device_s",
"label": "Device"
}
]
}
},
"customWidth": "50",
"name": "query - 5",
"styleSettings": {
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CitrixAnalytics_indicatorSummary_CL\n| join CitrixAnalytics_indicatorEventDetails_CL on tenant_id_s, entity_id_s\n| where entity_id_s contains \"{userName}\"\n| project data_source_s, indicator_category_s, indicator_name_s, client_ip_s",
"size": 0,
"title": "Related IP's",
"timeContext": {
"durationMs": 2592000000
},
"timeContextFromParameter": "timeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table",
"gridSettings": {
"labelSettings": [
{
"columnId": "data_source_s",
"label": "Data Source"
},
{
"columnId": "indicator_category_s",
"label": "Indicator Category"
},
{
"columnId": "indicator_name_s",
"label": "Indicator Name"
},
{
"columnId": "client_ip_s",
"label": "Client IP"
}
]
}
},
"customWidth": "50",
"name": "query - 6",
"styleSettings": {
"showBorder": true
}
}
]
},
"conditionalVisibility": {
"parameterName": "selectTab",
"comparison": "isEqualTo",
"value": "User Details"
},
"name": "User Details Group"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "78720f79-3173-44cc-856c-e61c42cc0fbf",
"version": "KqlParameterItem/1.0",
"name": "timeRange",
"label": "Select Time Range",
"type": 4,
"value": {
"durationMs": 2592000000
},
"typeSettings": {
"selectableValues": [
{
"durationMs": 3600000
},
{
"durationMs": 43200000
},
{
"durationMs": 86400000
},
{
"durationMs": 604800000
},
{
"durationMs": 2592000000
}
]
},
"timeContext": {
"durationMs": 86400000
}
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 7"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CitrixAnalytics_userProfile_CL\n| where event_type_s == \"userProfileApp\"\n| summarize sum(cnt_d) by app_s\n| take 10\n| order by sum_cnt_d desc ",
"size": 3,
"title": "Top 10 User Applications",
"timeContext": {
"durationMs": 2592000000
},
"timeContextFromParameter": "timeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "33",
"name": "query - 9",
"styleSettings": {
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CitrixAnalytics_userProfile_CL\n| where event_type_s == \"userProfileDevice\"\n| summarize sum(cnt_d) by device_s\n| take 10\n| order by sum_cnt_d desc ",
"size": 3,
"title": "Top 10 User Devices",
"timeContext": {
"durationMs": 2592000000
},
"timeContextFromParameter": "timeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "33",
"name": "query - 10",
"styleSettings": {
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CitrixAnalytics_userProfile_CL\n| where event_type_s == \"userProfileLocation\"\n| summarize sum(cnt_d) by city_s, country_s\n| take 10\n| order by sum_cnt_d desc ",
"size": 3,
"title": "Top 10 User Locations",
"timeContext": {
"durationMs": 2592000000
},
"timeContextFromParameter": "timeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "33",
"name": "query - 11",
"styleSettings": {
"showBorder": true
}
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "Content Collaboration Data Usage Details",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CitrixAnalytics_userProfile_CL\n| where event_type_s == \"userProfileUsage\"\n| summarize sum(uploaded_file_cnt_d)",
"size": 4,
"title": "Files Uploaded",
"timeContext": {
"durationMs": 2592000000
},
"timeContextFromParameter": "timeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"tileSettings": {
"titleContent": {
"columnMatch": "sum_uploaded_file_cnt_d",
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal"
}
}
},
"showBorder": false
}
},
"customWidth": "25",
"name": "query - 8",
"styleSettings": {
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CitrixAnalytics_userProfile_CL\n| where event_type_s == \"userProfileUsage\"\n| summarize sum(downloaded_file_cnt_d)",
"size": 4,
"title": "Files Downloaded",
"timeContext": {
"durationMs": 2592000000
},
"timeContextFromParameter": "timeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"tileSettings": {
"titleContent": {
"columnMatch": "sum_downloaded_file_cnt_d",
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal"
}
}
},
"showBorder": false
}
},
"customWidth": "25",
"name": "query - 9",
"styleSettings": {
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CitrixAnalytics_userProfile_CL\n| where event_type_s == \"userProfileUsage\"\n| summarize sum(shared_file_cnt_d)",
"size": 4,
"title": "Files Shared",
"timeContext": {
"durationMs": 2592000000
},
"timeContextFromParameter": "timeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"tileSettings": {
"titleContent": {
"columnMatch": "sum_shared_file_cnt_d",
"formatter": 12,
"formatOptions": {
"palette": "blue"
}
},
"showBorder": false
}
},
"customWidth": "25",
"name": "query - 10",
"styleSettings": {
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CitrixAnalytics_userProfile_CL\n| where event_type_s == \"userProfileUsage\"\n| summarize sum(deleted_file_cnt_d)",
"size": 4,
"title": "Files Deleted",
"timeContext": {
"durationMs": 2592000000
},
"timeContextFromParameter": "timeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"tileSettings": {
"titleContent": {
"columnMatch": "sum_deleted_file_cnt_d",
"formatter": 12,
"formatOptions": {
"palette": "blue"
}
},
"showBorder": false
}
},
"customWidth": "25",
"name": "query - 11",
"styleSettings": {
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CitrixAnalytics_userProfile_CL\n| where event_type_s == \"userProfileUsage\"\n| summarize sum(downloaded_bytes_d)/1000000000",
"size": 4,
"title": "Data Downloaded (in GB)",
"timeContext": {
"durationMs": 2592000000
},
"timeContextFromParameter": "timeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"tileSettings": {
"titleContent": {
"columnMatch": "Column1",
"formatter": 12,
"formatOptions": {
"palette": "blue"
}
},
"showBorder": false
}
},
"customWidth": "50",
"name": "query - 12",
"styleSettings": {
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CitrixAnalytics_userProfile_CL\n| where event_type_s == \"userProfileUsage\"\n| summarize sum(uploaded_bytes_d)/1000000000",
"size": 4,
"title": "Data Uploaded (in GB)",
"timeContext": {
"durationMs": 2592000000
},
"timeContextFromParameter": "timeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"tileSettings": {
"titleContent": {
"columnMatch": "Column1",
"formatter": 12,
"formatOptions": {
"palette": "blue"
}
},
"showBorder": false
}
},
"customWidth": "50",
"name": "query - 13",
"styleSettings": {
"showBorder": true
}
}
]
},
"name": "Content Collaboration Data Usage Details Group"
}
]
},
"conditionalVisibility": {
"parameterName": "selectTab",
"comparison": "isEqualTo",
"value": "User Profile"
},
"name": "User Profile Group"
}
],
"fallbackResourceIds": [
],
"styleSettings": {
"paddingStyle": "narrow",
"spacingStyle": "narrow"
},
"fromTemplateId": "sentinel-Citrix",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}
Ссылка в новой задаче Показать git blame Копировать постоянную ссылку