637 строки
25 KiB
JSON
637 строки
25 KiB
JSON
{
|
|
"version": "Notebook/1.0",
|
|
"items": [
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "## Zscaler web overview"
|
|
},
|
|
"name": "text - 0"
|
|
},
|
|
{
|
|
"type": 9,
|
|
"content": {
|
|
"version": "KqlParameterItem/1.0",
|
|
"query": "",
|
|
"crossComponentResources": [],
|
|
"parameters": [
|
|
{
|
|
"id": "e246fdd8-f37f-4290-a205-7ffa192ea860",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "TimeRange",
|
|
"type": 4,
|
|
"isRequired": true,
|
|
"value": {
|
|
"durationMs": 86400000
|
|
},
|
|
"typeSettings": {
|
|
"selectableValues": [
|
|
{
|
|
"durationMs": 300000
|
|
},
|
|
{
|
|
"durationMs": 900000
|
|
},
|
|
{
|
|
"durationMs": 1800000
|
|
},
|
|
{
|
|
"durationMs": 3600000
|
|
},
|
|
{
|
|
"durationMs": 14400000
|
|
},
|
|
{
|
|
"durationMs": 43200000
|
|
},
|
|
{
|
|
"durationMs": 86400000
|
|
},
|
|
{
|
|
"durationMs": 172800000
|
|
},
|
|
{
|
|
"durationMs": 259200000
|
|
},
|
|
{
|
|
"durationMs": 604800000
|
|
},
|
|
{
|
|
"durationMs": 1209600000
|
|
},
|
|
{
|
|
"durationMs": 2419200000
|
|
},
|
|
{
|
|
"durationMs": 2592000000
|
|
},
|
|
{
|
|
"durationMs": 5184000000
|
|
},
|
|
{
|
|
"durationMs": 7776000000
|
|
}
|
|
],
|
|
"allowCustom": true
|
|
}
|
|
},
|
|
{
|
|
"id": "fe452f11-ddc9-4b85-b441-b8f6be3b33a8",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "SourceIP",
|
|
"type": 2,
|
|
"isRequired": true,
|
|
"multiSelect": true,
|
|
"quote": "'",
|
|
"delimiter": ",",
|
|
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Zscaler\"\r\n| where DeviceProduct == \"NSSWeblog\"\r\n| where SourceTranslatedAddress != \"\" \r\n| summarize Count = count() by SourceTranslatedAddress\r\n| project Value = SourceTranslatedAddress, Label = strcat(SourceTranslatedAddress, \" count: \", Count)",
|
|
"value": [
|
|
"value::all"
|
|
],
|
|
"typeSettings": {
|
|
"additionalResourceOptions": [
|
|
"value::all"
|
|
],
|
|
"selectAllValue": "All"
|
|
},
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
{
|
|
"id": "2f749931-c232-471f-b91f-f91514fd7fa7",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "DestinationIP",
|
|
"type": 2,
|
|
"isRequired": true,
|
|
"multiSelect": true,
|
|
"quote": "'",
|
|
"delimiter": ",",
|
|
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Zscaler\"\r\n| where DeviceEventClassID !contains \"Allow\" \r\n| where DeviceProduct == \"NSSWeblog\" \r\n| where DestinationIP != \"\" \r\n| summarize Count = count() by DestinationIP\r\n| project Value = DestinationIP, Label = strcat(DestinationIP, \" count: \", Count)",
|
|
"value": [
|
|
"value::all"
|
|
],
|
|
"typeSettings": {
|
|
"additionalResourceOptions": [
|
|
"value::all"
|
|
],
|
|
"selectAllValue": "All"
|
|
},
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
}
|
|
],
|
|
"style": "pills",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
"name": "parameters - 1"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Zscaler\"\r\n| where DeviceProduct == \"NSSWeblog\"\r\n| where DestinationServiceName !=\"\"\r\n| where (SourceTranslatedAddress in ({SourceIP}) or '{SourceIP:label}' == \"All\") and (DestinationIP in ({DestinationIP}) or '{DestinationIP:label}' == \"All\") \r\n| summarize Count = count() by DestinationServiceName\r\n| order by Count desc",
|
|
"size": 0,
|
|
"exportFieldName": "DestinationServiceName",
|
|
"exportParameterName": "DestinationServiceNameFilter",
|
|
"exportDefaultValue": "All",
|
|
"exportToExcelOptions": "visible",
|
|
"title": "Apps being accessed",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "DestinationServiceName",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Count",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"min": 0,
|
|
"palette": "purple",
|
|
"showIcon": true
|
|
}
|
|
}
|
|
],
|
|
"filter": true,
|
|
"labelSettings": []
|
|
}
|
|
},
|
|
"customWidth": "40",
|
|
"name": "query - 3"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Zscaler\"\r\n| where DeviceProduct == \"NSSWeblog\"\r\n| where DestinationServiceName !=\"\"\r\n| where (SourceTranslatedAddress in ({SourceIP}) or '{SourceIP:label}' == \"All\") and (DestinationIP in ({DestinationIP}) or '{DestinationIP:label}' == \"All\") \r\n| where DestinationServiceName == '{DestinationServiceNameFilter}' or '{DestinationServiceNameFilter}' == \"All\"\r\n| summarize Count = count() by DestinationServiceName, bin(TimeGenerated, {TimeRange:grain})\r\n",
|
|
"size": 0,
|
|
"exportToExcelOptions": "visible",
|
|
"title": "Apps being accessed over time",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "barchart"
|
|
},
|
|
"customWidth": "60",
|
|
"name": "query - 2"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Zscaler\"\r\n| where DeviceProduct == \"NSSWeblog\"\r\n| where DeviceEventClassID contains \"Allow\"\r\n| where (SourceTranslatedAddress in ({SourceIP}) or '{SourceIP:label}' == \"All\") and (DestinationIP in ({DestinationIP}) or '{DestinationIP:label}' == \"All\") \r\n| where DestinationServiceName has_any (\"Microsoft\", \"Skype\", \"SharePoint\", \"OneDrive\", \"Outlook\", \"office.com\", \"Sharepoint Online\", \"Microsoft Forms\", \"Microsoft Azure\")\r\n| summarize Count = count() by DestinationServiceName",
|
|
"size": 0,
|
|
"exportToExcelOptions": "visible",
|
|
"title": "Microsoft services",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "piechart",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "DestinationServiceName",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Count",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"min": 0,
|
|
"palette": "greenBlue",
|
|
"showIcon": true
|
|
}
|
|
}
|
|
],
|
|
"filter": true,
|
|
"labelSettings": []
|
|
}
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 4"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Zscaler\"\r\n| where DeviceProduct == \"NSSWeblog\" \r\n| where (SourceTranslatedAddress in ({SourceIP}) or '{SourceIP:label}' == \"All\") and (DestinationIP in ({DestinationIP}) or '{DestinationIP:label}' == \"All\") \r\n| parse AdditionalExtensions with * \"devicemodel=\" devicemodel\r\n| where devicemodel != \"\" and devicemodel !startswith \"NA\"\r\n| summarize count() by devicemodel ",
|
|
"size": 0,
|
|
"exportToExcelOptions": "visible",
|
|
"title": "Devices",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "piechart"
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 5"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog\r\n| where DeviceProduct == \"NSSWeblog\"\r\n| where DeviceEventClassID == \"Allowed\" or DeviceEventClassID == \"Allow\"\r\n| where (SourceTranslatedAddress in ({SourceIP}) or '{SourceIP:label}' == \"All\") and (DestinationIP in ({DestinationIP}) or '{DestinationIP:label}' == \"All\") \r\n| where DeviceProduct == \"NSSWeblog\"\r\n| summarize Downloads = sum( ReceivedBytes)/1024.0/1024.0 , Uploads = sum( SentBytes)/1024.0/1024.0 by Location = SourceUserPrivileges",
|
|
"size": 0,
|
|
"exportFieldName": "Location",
|
|
"exportParameterName": "LocationFilter",
|
|
"exportDefaultValue": "All",
|
|
"exportToExcelOptions": "visible",
|
|
"title": "Upload and download data in MB, by location - click to filter",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "SourceUserPrivileges",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Downloads",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"min": 0,
|
|
"palette": "blue",
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Uploads",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"palette": "green",
|
|
"showIcon": true
|
|
}
|
|
}
|
|
],
|
|
"labelSettings": []
|
|
}
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 6"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog\r\n| where DeviceProduct == \"NSSWeblog\"\r\n| where DeviceEventClassID == \"Allowed\" or DeviceEventClassID == \"Allow\"\r\n| where (SourceTranslatedAddress in ({SourceIP}) or '{SourceIP:label}' == \"All\") and (DestinationIP in ({DestinationIP}) or '{DestinationIP:label}' == \"All\") \r\n| where SourceUserPrivileges == '{LocationFilter}' or '{LocationFilter}' == \"All\"\r\n| summarize Downloads = sum( ReceivedBytes)/1024.0/1024.0 , Uploads = sum( SentBytes)/1024.0/1024.0 by bin(TimeGenerated, {TimeRange:grain}) ",
|
|
"size": 0,
|
|
"exportToExcelOptions": "visible",
|
|
"title": "Upload and download data in MB over time",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "areachart"
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 7"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "let data = CommonSecurityLog\r\n| where DeviceVendor == \"Zscaler\"\r\n| where ApplicationProtocol !=\"\"\r\n| where (SourceTranslatedAddress in ({SourceIP}) or '{SourceIP:label}' == \"All\") and (DestinationIP in ({DestinationIP}) or '{DestinationIP:label}' == \"All\") \r\n| where DeviceProduct == \"NSSWeblog\";\r\nlet appData = data\r\n| summarize TotalCount = count() by ApplicationProtocol\r\n| join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by ApplicationProtocol\r\n | project-away TimeGenerated) on ApplicationProtocol\r\n| order by TotalCount desc, ApplicationProtocol asc\r\n| project ApplicationProtocol, TotalCount, Trend\r\n| serialize Id = row_number();\r\ndata\r\n| summarize TotalCount = count() by RequestMethod , ApplicationProtocol\r\n| join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by ApplicationProtocol, RequestMethod \r\n | project-away TimeGenerated) on ApplicationProtocol, RequestMethod \r\n| order by TotalCount desc, ApplicationProtocol asc\r\n| project ApplicationProtocol, RequestMethod , TotalCount, Trend\r\n| serialize Id = row_number(1000000)\r\n| join kind=inner (appData) on ApplicationProtocol\r\n| project Id, Name = RequestMethod , Type = 'RequestMethod', ['ApplicationProtocol Count'] = TotalCount, Trend, ParentId = Id1\r\n| union (appData \r\n | project Id, Name = ApplicationProtocol, Type = 'ApplicationProtocol', ['ApplicationProtocol Count'] = TotalCount, Trend)\r\n| order by ['ApplicationProtocol Count'] desc, Name asc",
|
|
"size": 0,
|
|
"exportToExcelOptions": "visible",
|
|
"title": "Protocols and methods",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "Id",
|
|
"formatter": 5,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Name",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Type",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "ApplicationProtocol Count",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"min": 0,
|
|
"palette": "gray",
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Trend",
|
|
"formatter": 9,
|
|
"formatOptions": {
|
|
"min": 0,
|
|
"palette": "blueDark",
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "ParentId",
|
|
"formatter": 5,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
}
|
|
],
|
|
"filter": true,
|
|
"hierarchySettings": {
|
|
"idColumn": "Id",
|
|
"parentColumn": "ParentId",
|
|
"treeType": 0,
|
|
"expanderColumn": "Name"
|
|
},
|
|
"labelSettings": []
|
|
}
|
|
},
|
|
"customWidth": "70",
|
|
"name": "query - 8"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Zscaler\"\r\n| where DeviceEventClassID == \"Allowed\"\r\n| where DeviceProduct == \"NSSWeblog\" \r\n| where (SourceTranslatedAddress in ({SourceIP}) or '{SourceIP:label}' == \"All\") and (DestinationIP in ({DestinationIP}) or '{DestinationIP:label}' == \"All\") \r\n| where RequestMethod != \"\" \r\n| where RequestMethod != \"None\" \r\n| summarize count() by RequestMethod \r\n",
|
|
"size": 0,
|
|
"exportToExcelOptions": "visible",
|
|
"title": "Allowed HTTP methods",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "piechart"
|
|
},
|
|
"customWidth": "30",
|
|
"name": "query - 9"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog\r\n| where DeviceEventClassID !contains \"Allow\"\r\n| where DeviceProduct == \"NSSWeblog\" \r\n| where (SourceTranslatedAddress in ({SourceIP}) or '{SourceIP:label}' == \"All\") and (DestinationIP in ({DestinationIP}) or '{DestinationIP:label}' == \"All\") \r\n| where SourceUserPrivileges == \"Road Warrior\" \r\n| summarize URLS_BLOCKED = count() by bin(TimeGenerated, {TimeRange:grain}), Activity",
|
|
"size": 0,
|
|
"exportToExcelOptions": "visible",
|
|
"title": "Block reasons for road warriors",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "barchart"
|
|
},
|
|
"name": "query - 15"
|
|
},
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "---\r\n### Block actvities"
|
|
},
|
|
"name": "text - 10"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog\r\n| where DeviceEventClassID !contains \"Allow\"\r\n| where SourceUserPrivileges != \"\" \r\n| where DeviceProduct == \"NSSWeblog\" \r\n| where (SourceTranslatedAddress in ({SourceIP}) or '{SourceIP:label}' == \"All\") and (DestinationIP in ({DestinationIP}) or '{DestinationIP:label}' == \"All\") \r\n| summarize Count = count() by DestinationHostName\r\n| top 10 by Count\r\n| order by Count desc",
|
|
"size": 0,
|
|
"exportFieldName": "DestinationHostName",
|
|
"exportParameterName": "DestinationHostName",
|
|
"exportDefaultValue": "All",
|
|
"exportToExcelOptions": "visible",
|
|
"title": "Top blocked domains for HTTP/S requests",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "DestinationHostName",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Count",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "coldHot",
|
|
"showIcon": true
|
|
}
|
|
}
|
|
],
|
|
"labelSettings": [
|
|
{
|
|
"columnId": "DestinationHostName",
|
|
"label": "Destination Host Name"
|
|
},
|
|
{
|
|
"columnId": "Count"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"customWidth": "33",
|
|
"name": "query - 16"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog\r\n| where DeviceEventClassID !contains \"Allow\"\r\n| where DeviceProduct == \"NSSWeblog\" \r\n| where (SourceTranslatedAddress in ({SourceIP}) or '{SourceIP:label}' == \"All\") and (DestinationIP in ({DestinationIP}) or '{DestinationIP:label}' == \"All\") \r\n| where SourceUserPrivileges != SourceUserName\r\n| summarize Count = count() by SourceUserName\r\n| top 10 by Count\r\n| order by Count desc",
|
|
"size": 0,
|
|
"exportFieldName": "SourceUserName",
|
|
"exportParameterName": "SourceUserName",
|
|
"exportDefaultValue": "All",
|
|
"exportToExcelOptions": "visible",
|
|
"title": "Top blocked users for HTTP/S requests",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "SourceUserName",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Count",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "coldHot",
|
|
"showIcon": true
|
|
}
|
|
}
|
|
],
|
|
"rowLimit": 1000,
|
|
"labelSettings": []
|
|
}
|
|
},
|
|
"customWidth": "33",
|
|
"name": "query - 12"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog\r\n| where DeviceEventClassID !contains \"Allow\"\r\n| where DeviceProduct == \"NSSWeblog\" \r\n| where (SourceTranslatedAddress in ({SourceIP}) or '{SourceIP:label}' == \"All\") and (DestinationIP in ({DestinationIP}) or '{DestinationIP:label}' == \"All\") \r\n| summarize Count = count() by Activity\r\n| sort by Count \r\n| top 10 by Count\r\n",
|
|
"size": 0,
|
|
"exportFieldName": "Activity",
|
|
"exportParameterName": "Activity",
|
|
"exportDefaultValue": "All",
|
|
"exportToExcelOptions": "visible",
|
|
"title": "Top Block Reasons for HTTP/S Requests",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "Activity",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Count",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "coldHot",
|
|
"showIcon": true
|
|
}
|
|
}
|
|
],
|
|
"labelSettings": []
|
|
}
|
|
},
|
|
"customWidth": "33",
|
|
"name": "query - 13"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog\r\n| where DeviceEventClassID !contains \"Allow\"\r\n| where SourceUserPrivileges != \"\" \r\n| where DeviceProduct == \"NSSWeblog\" \r\n| where (SourceTranslatedAddress in ({SourceIP}) or '{SourceIP:label}' == \"All\") and (DestinationIP in ({DestinationIP}) or '{DestinationIP:label}' == \"All\") \r\n| where (DestinationHostName == '{DestinationHostName}' or '{DestinationHostName}' == \"All\") and (SourceUserName == '{SourceUserName}' or '{SourceUserName}' == \"All\") and (Activity == '{Activity}' or '{Activity}' == \"All\")\r\n| summarize Count = count() by DestinationHostName, SourceUserName, Activity, DestinationIP, Location = SourceUserPrivileges\r\n| order by Count desc",
|
|
"size": 0,
|
|
"exportToExcelOptions": "visible",
|
|
"title": "Block activities summary",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "DestinationHostName",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "SourceUserName",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Activity",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"showIcon": true
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Count",
|
|
"formatter": 4,
|
|
"formatOptions": {
|
|
"min": 0,
|
|
"palette": "blue",
|
|
"showIcon": true
|
|
}
|
|
}
|
|
],
|
|
"filter": true,
|
|
"labelSettings": []
|
|
}
|
|
},
|
|
"name": "query - 14"
|
|
}
|
|
],
|
|
"styleSettings": {},
|
|
"fromTemplateId": "sentinel-ZscalerWebOverview",
|
|
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
|
|
} |