Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность
Azure-Sentinel/Workbooks/ZscalerOffice365Apps.json

186 строки
7.0 KiB
JSON
Исходник Ответственный История

{
"version": "Notebook/1.0",
"items": [
{
"type": 1,
"content": {
"json": "## Zscaler Office 365 overview"
},
"name": "text - 0"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"query": "",
"crossComponentResources": [],
"parameters": [
{
"id": "ff5a2a6c-cf01-432a-ab49-e59918ead8ab",
"version": "KqlParameterItem/1.0",
"name": "TimeRange",
"type": 4,
"isRequired": true,
"value": {
"durationMs": 259200000
},
"typeSettings": {
"selectableValues": [
{
"durationMs": 300000
},
{
"durationMs": 900000
},
{
"durationMs": 1800000
},
{
"durationMs": 3600000
},
{
"durationMs": 14400000
},
{
"durationMs": 43200000
},
{
"durationMs": 86400000
},
{
"durationMs": 172800000
},
{
"durationMs": 259200000
},
{
"durationMs": 604800000
},
{
"durationMs": 1209600000
},
{
"durationMs": 2419200000
},
{
"durationMs": 2592000000
},
{
"durationMs": 5184000000
},
{
"durationMs": 7776000000
}
],
"allowCustom": true
}
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 1"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Zscaler\"\r\n| where DestinationServiceName contains \"Microsoft\" or DestinationServiceName contains \"Skype\" or DestinationServiceName contains \"Sharepoint\" or DestinationServiceName contains \"Onedrive\" or DestinationServiceName contains \"Outlook\" or DestinationServiceName contains \"office.com\"\r\n| where DeviceEventClassID contains \"Allow\" \r\n| summarize count() by bin(TimeGenerated, {TimeRange:grain}), DestinationServiceName",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Microsoft services activity over time",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "barchart"
},
"customWidth": "50",
"name": "query - 2"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Zscaler\"\r\n| where DestinationServiceName contains \"Microsoft\" or DestinationServiceName contains \"Skype\" or DestinationServiceName contains \"Sharepoint\" or DestinationServiceName contains \"Onedrive\" or DestinationServiceName contains \"Outlook\" or DestinationServiceName contains \"office.com\"\r\n| where DeviceEventClassID contains \"Allow\" \r\n| summarize BW_usage_MB = sum((ReceivedBytes+SentBytes)/1024.0/1024.0) by bin(TimeGenerated, {TimeRange:grain}), SourceUserPrivileges",
"size": 0,
"exportToExcelOptions": "visible",
"title": "BW consumption, by Microsoft apps (based on Location)",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "areachart"
},
"customWidth": "50",
"name": "query - 3"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Zscaler\"\r\n| where DestinationServiceName contains \"Microsoft\" or DestinationServiceName contains \"Skype\" or DestinationServiceName contains \"Sharepoint\" or DestinationServiceName contains \"Onedrive\" or DestinationServiceName contains \"Outlook\" or DestinationServiceName contains \"office.com\"\r\n| where DeviceEventClassID contains \"Allow\" \r\n| summarize sum((ReceivedBytes+SentBytes)/1024.0/1024.0) by bin(TimeGenerated, {TimeRange:grain}), DestinationServiceName",
"size": 0,
"exportToExcelOptions": "visible",
"title": "BW consumption, by Microsoft Apps (based on App)",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "areachart"
},
"customWidth": "50",
"name": "query - 4"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Zscaler\"\r\n| where DestinationServiceName contains \"Microsoft\" or DestinationServiceName contains \"Skype\" or DestinationServiceName contains \"Sharepoint\" or DestinationServiceName contains \"Onedrive\" or DestinationServiceName contains \"Outlook\" or DestinationServiceName contains \"office.com\"\r\n| where DeviceEventClassID !contains \"Allow\" \r\n| where DeviceCustomString2 == \"Phishing\"\r\n| summarize count() by bin(TimeGenerated, {TimeRange:grain}), DestinationServiceName",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Phishing attempts disguised as Microsoft services",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "barchart",
"tileSettings": {
"showBorder": false,
"titleContent": {
"columnMatch": "DestinationServiceName",
"formatter": 1
},
"leftContent": {
"columnMatch": "count_",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
}
},
"customWidth": "50",
"name": "query - 5"
}
],
"styleSettings": {},
"fromTemplateId": "sentinel-ZscalerOffice365Apps",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}
Ссылка в новой задаче Показать git blame Копировать постоянную ссылку