Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность
Azure-Sentinel/Workbooks/MicrosoftCloudAppSecurity.json

813 строки
27 KiB
JSON
Исходник Ответственный История

{
"version": "Notebook/1.0",
"items": [
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "87d8d6ec-8b29-40c9-a6a9-8a6d14379152",
"version": "KqlParameterItem/1.0",
"name": "TimeRange",
"type": 4,
"isRequired": true,
"value": {
"durationMs": 1209600000
},
"typeSettings": {
"selectableValues": [
{
"durationMs": 300000
},
{
"durationMs": 900000
},
{
"durationMs": 1800000
},
{
"durationMs": 3600000
},
{
"durationMs": 14400000
},
{
"durationMs": 43200000
},
{
"durationMs": 86400000
},
{
"durationMs": 172800000
},
{
"durationMs": 259200000
},
{
"durationMs": 604800000
},
{
"durationMs": 1209600000
},
{
"durationMs": 2419200000
},
{
"durationMs": 2592000000
},
{
"durationMs": 5184000000
},
{
"durationMs": 7776000000
}
],
"allowCustom": true
}
},
{
"id": "dc5a9545-e05c-452d-8501-587f70af2b60",
"version": "KqlParameterItem/1.0",
"name": "Score",
"type": 2,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "McasShadowItReporting\r\n| summarize Count = count() by AppScore\r\n| order by Count desc, AppScore asc\r\n| project Value = AppScore, Label = strcat(AppScore, ' - ', Count)",
"value": [
"value::all"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
]
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
{
"id": "b76c0ad5-42fb-45a0-96c4-2666c74701cc",
"version": "KqlParameterItem/1.0",
"name": "Tags",
"type": 2,
"query": "McasShadowItReporting\r\n| mvexpand Tag = AppTags\r\n| summarize Count = count() by tostring(Tag)\r\n| order by Count desc, tostring(Tag) asc\r\n| project Value = tostring(Tag), Label = strcat(tostring(Tag), ' - ', Count)",
"value": null,
"typeSettings": {
"additionalResourceOptions": []
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
{
"id": "3deb4b27-e062-4c2a-9e64-08e907475209",
"version": "KqlParameterItem/1.0",
"name": "DataStream",
"type": 2,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "McasShadowItReporting\r\n| summarize Count = dcount(AppName) by StreamName\r\n| order by Count desc\r\n| project Value = StreamName, Label = strcat(StreamName, ' - ', Count)",
"value": [
"Global view"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
],
"selectAllValue": "All"
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 0"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityAlert\r\n| where ProductName == \"Microsoft Cloud App Security\"\r\n| where AlertType contains \"DISCOVERY\"\r\n| sort by TimeGenerated \r\n| summarize Count= count() by AlertName, AlertSeverity,Name_ = tostring(parse_json(Entities)[0].Name), AppId = tostring(parse_json(Entities)[0].AppId)\r\n| take 10",
"size": 4,
"exportFieldName": "AppId",
"exportParameterName": "AppId",
"exportDefaultValue": "All",
"exportToExcelOptions": "visible",
"title": "10 latest Discovery alerts",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"gridSettings": {
"formatters": [
{
"columnMatch": "AlertType",
"formatter": 5,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Description",
"formatter": 5,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "AlertName",
"formatter": 7,
"formatOptions": {
"linkTarget": "GenericDetails",
"linkIsContextBlade": true,
"showIcon": true
}
},
{
"columnMatch": "AlertSeverity",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Name_",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "AppId_",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Entities",
"formatter": 5,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "TimeGenerated",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "ExtendedLinks",
"formatter": 5,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Count",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "count_",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
}
]
},
"tileSettings": {
"titleContent": {
"columnMatch": "AlertName",
"formatter": 1,
"formatOptions": {
"showIcon": true
}
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"palette": "auto",
"showIcon": true
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
},
"rightContent": {
"columnMatch": "AlertSeverity",
"formatOptions": {
"showIcon": true
}
},
"secondaryContent": {
"columnMatch": "Name_",
"formatOptions": {
"showIcon": true
}
},
"showBorder": false
}
},
"name": "query - 5"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityAlert\r\n| where ProductName == \"Microsoft Cloud App Security\"\r\n| where AlertType contains \"DISCOVERY\"\r\n| extend AppId = tostring(parse_json(Entities)[0].AppId)\r\n| where AppId == '{AppId}' or '{AppId}' == \"All\"\r\n| summarize Count= count() by AlertType, Description,AlertName, AlertSeverity,Name_ = tostring(parse_json(Entities)[0].Name), AppId, Entities, ExtendedLinks, bin(TimeGenerated, {TimeRange:grain})",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Alerts details ",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "AlertType",
"formatter": 5,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Description",
"formatter": 5,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "AlertName",
"formatter": 7,
"formatOptions": {
"linkTarget": "GenericDetails",
"linkIsContextBlade": true,
"showIcon": true
}
},
{
"columnMatch": "AlertSeverity",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Name_",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "AppId",
"formatter": 5,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Entities",
"formatter": 5,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "ExtendedLinks",
"formatter": 5,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Count",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
}
],
"filter": true,
"labelSettings": [
{
"columnId": "AlertType",
"label": "AlertType"
},
{
"columnId": "Description",
"label": "Description"
},
{
"columnId": "AlertName",
"label": "AlertName"
},
{
"columnId": "AlertSeverity",
"label": "AlertSeverity"
},
{
"columnId": "Name_",
"label": "Name_"
},
{
"columnId": "AppId",
"label": "AppId"
},
{
"columnId": "Entities",
"label": "Entities"
},
{
"columnId": "ExtendedLinks",
"label": "ExtendedLinks"
},
{
"columnId": "TimeGenerated",
"label": "TimeGenerated"
},
{
"columnId": "Count",
"label": "Count"
}
]
}
},
"customWidth": "50",
"name": "query - 7"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityAlert\r\n| where ProductName == \"Microsoft Cloud App Security\"\r\n| where AlertType contains \"DISCOVERY\"\r\n| extend AppId = tostring(parse_json(Entities)[0].AppId)\r\n| where AppId == '{AppId}' or '{AppId}' == \"All\"\r\n| summarize Count= count() by AlertName, bin(TimeGenerated, {TimeRange:grain})",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Alerts trand, by alert name",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "barchart"
},
"customWidth": "50",
"name": "query - 8"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let data = McasShadowItReporting\r\n| where '{Tags}' == '' or AppTags has \"{Tags}\"\r\n| where AppScore in ({Score}) or '{Score:label}' == \"All\"\r\n| where AppId == '{AppId}' or '{AppId}' == \"All\"\r\n| where StreamName in ({DataStream}) or '{DataStream:label}' == \"All\";\r\ndata\r\n| summarize Sum = sum(TotalBytes)/1048576 by AppCategory\r\n| join kind = fullouter (datatable(AppCategory:string)['Medium', 'high', 'low']) on AppCategory\r\n| project AppCategory = iff(AppCategory == '', AppCategory1, AppCategory), Sum = iff(AppCategory == '', 0, Sum)\r\n| join kind = inner (data\r\n | make-series Trend = sum(TotalBytes)/1048576 default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by AppCategory)\r\n on AppCategory\r\n| project-away AppCategory1, TimeGenerated\r\n| extend AppCategorys = AppCategory\r\n| union (\r\n data \r\n | summarize Sum = sum(TotalBytes)/1048576\r\n | extend jkey = 1\r\n | join kind=inner (data\r\n | make-series Trend = sum(TotalBytes)/1048576 default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\r\n | extend jkey = 1) on jkey\r\n | extend AppCategory = 'All', AppCategorys = '*' \r\n)\r\n| order by Sum desc\r\n| take 10",
"size": 4,
"exportFieldName": "AppCategory",
"exportParameterName": "AppCategoryFilter",
"exportDefaultValue": "All",
"exportToExcelOptions": "visible",
"title": "Top 10 application categories, by traffic in MB",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"tileSettings": {
"titleContent": {
"columnMatch": "AppCategory",
"formatter": 1,
"formatOptions": {
"showIcon": true
}
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"palette": "auto",
"showIcon": true
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
},
"rightContent": {
"columnMatch": "Sum",
"formatter": 12,
"formatOptions": {
"showIcon": true
}
},
"secondaryContent": {
"columnMatch": "Trend",
"formatter": 9,
"formatOptions": {
"palette": "greenDark",
"showIcon": true
}
},
"showBorder": false
}
},
"name": "query - 2"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "McasShadowItReporting\r\n| where '{Tags}' == '' or AppTags has \"{Tags}\"\r\n| where AppCategory == '{AppCategoryFilter}' or '{AppCategoryFilter}' == \"All\"\r\n| where AppScore in ({Score}) or '{Score:label}' == \"All\"\r\n| where AppId == '{AppId}' or '{AppId}' == \"All\"\r\n| where StreamName in ({DataStream}) or '{DataStream:label}' == \"All\"\r\n| summarize TrafficUpload = sum(UploadedBytes)/1048576, TrafficDownload = sum(DownloadedBytes)/1048576 by UserName\r\n| order by TrafficUpload, TrafficDownload",
"size": 0,
"exportFieldName": "UserName",
"exportParameterName": "UserNameFilter",
"exportDefaultValue": "All",
"exportToExcelOptions": "visible",
"title": "User traffic in MB",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "UserName",
"formatter": 1,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "TrafficUpload",
"formatter": 4,
"formatOptions": {
"min": 0,
"palette": "blue",
"showIcon": true
}
},
{
"columnMatch": "TrafficDownload",
"formatter": 4,
"formatOptions": {
"min": 0,
"palette": "purple",
"showIcon": true
}
}
],
"filter": true,
"labelSettings": [
{
"columnId": "UserName",
"label": "UserName"
},
{
"columnId": "TrafficUpload",
"label": "TrafficUpload"
},
{
"columnId": "TrafficDownload",
"label": "TrafficDownload"
}
]
}
},
"customWidth": "50",
"name": "query - 1"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let data = McasShadowItReporting\r\n| where '{Tags}' == '' or AppTags has \"{Tags}\"\r\n| where AppCategory == '{AppCategoryFilter}' or '{AppCategoryFilter}' == \"All\"\r\n| where UserName == '{UserNameFilter}' or '{UserNameFilter}' == \"All\"\r\n| where AppScore in ({Score}) or '{Score:label}' == \"All\"\r\n| where AppId == '{AppId}' or '{AppId}' == \"All\"\r\n| where StreamName in ({DataStream}) or '{DataStream:label}' == \"All\";\r\nlet appData = data\r\n| summarize TotalUsers = dcount(UserName) by AppScore\r\n| join kind=inner (data\r\n | make-series Trend = sum(UploadedBytes)/1048576 default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by AppScore\r\n | project-away TimeGenerated) on AppScore\r\n| order by TotalUsers desc, AppScore asc\r\n| project AppScore, TotalUsers, Trend\r\n| serialize Id = row_number();\r\ndata\r\n| summarize TotalUsers = dcount(UserName) by AppName , AppScore\r\n| join kind=inner (data\r\n | make-series Trend = sum(UploadedBytes)/1048576 default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by AppScore, AppName\r\n | project-away TimeGenerated) on AppScore, AppName\r\n| order by TotalUsers desc, AppScore asc\r\n| project AppScore, AppName, TotalUsers, Trend\r\n| serialize Id = row_number(1000000)\r\n| join kind=inner (appData) on AppScore\r\n| project Id, Name = AppName, Type = 'AppName', ['Total Users'] = TotalUsers, ['Trend By Traffic'] = Trend, ParentId = Id1\r\n| union (appData \r\n | project Id, Name = strcat(\"Score: \", tostring(AppScore)), Type = 'AppScore', ['Total Users'] = TotalUsers, ['Trend By Traffic'] = Trend, AppScore )\r\n| order by AppScore desc, ['Total Users'] desc",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Application scores distribution",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "Id",
"formatter": 5,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Name",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Type",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Total Users",
"formatter": 8,
"formatOptions": {
"palette": "purple",
"showIcon": true
}
},
{
"columnMatch": "Trend",
"formatter": 9,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "ParentId",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "AppScore",
"formatter": 5,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "AppCategory Count",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
}
],
"filter": true,
"hierarchySettings": {
"idColumn": "Id",
"parentColumn": "ParentId",
"treeType": 0,
"expanderColumn": "Name"
},
"labelSettings": [
{
"columnId": "Id",
"label": "Id"
},
{
"columnId": "Name",
"label": "Name"
},
{
"columnId": "Type",
"label": "Type"
},
{
"columnId": "Total Users",
"label": "Total Users"
},
{
"columnId": "Trend By Traffic",
"label": "Trend By Traffic"
},
{
"columnId": "ParentId",
"label": "ParentId"
},
{
"columnId": "AppScore",
"label": "AppScore"
}
]
}
},
"customWidth": "50",
"name": "query - 3"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "McasShadowItReporting\r\n| where '{Tags}' == '' or AppTags has \"{Tags}\"\r\n| where AppCategory == '{AppCategoryFilter}' or '{AppCategoryFilter}' == \"All\"\r\n| where UserName == '{UserNameFilter}' or '{UserNameFilter}' == \"All\"\r\n| where AppScore in ({Score}) or '{Score:label}' == \"All\"\r\n| where AppId == '{AppId}' or '{AppId}' == \"All\"\r\n| where StreamName in ({DataStream}) or '{DataStream:label}' == \"All\"\r\n| summarize sum(TotalBytes)/1048576 by AppName, bin(TimeGenerated,1d)",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Usage trand",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "linechart"
},
"name": "query - 4"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "McasShadowItReporting\r\n| where '{Tags}' == '' or AppTags has \"{Tags}\"\r\n| where AppCategory == '{AppCategoryFilter}' or '{AppCategoryFilter}' == \"All\"\r\n| where UserName == '{UserNameFilter}' or '{UserNameFilter}' == \"All\"\r\n| where AppScore in ({Score}) or '{Score:label}' == \"All\"\r\n| where AppId == '{AppId}' or '{AppId}' == \"All\"\r\n| where StreamName in ({DataStream}) or '{DataStream:label}' == \"All\"\r\n| summarize count() by AppName, UserName, IpAddress, AppScore, UploadedBytes, DownloadedBytes, bin(TimeGenerated, {TimeRange:grain})\r\n| order by AppScore asc",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Descovery logs, by score",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "AppName",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "UserName",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "IpAddress",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "AppScore",
"formatter": 8,
"formatOptions": {
"min": 0,
"max": 10,
"palette": "hotCold",
"showIcon": true
}
},
{
"columnMatch": "UploadedBytes",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "DownloadedBytes",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "TimeGenerated",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "count_",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
}
],
"labelSettings": [
{
"columnId": "AppName",
"label": "AppName"
},
{
"columnId": "UserName",
"label": "UserName"
},
{
"columnId": "IpAddress",
"label": "IpAddress"
},
{
"columnId": "AppScore",
"label": "AppScore"
},
{
"columnId": "UploadedBytes",
"label": "UploadedBytes"
},
{
"columnId": "DownloadedBytes",
"label": "DownloadedBytes"
},
{
"columnId": "TimeGenerated",
"label": "TimeGenerated"
},
{
"columnId": "count_",
"label": "count_"
}
]
}
},
"name": "query - 6"
}
],
"styleSettings": {},
"fromTemplateId": "sentinel-MicrosoftCloudAppSecurity",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}
Ссылка в новой задаче Показать git blame Копировать постоянную ссылку