{
"version": "Notebook/1.0",
"items": [
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "87d8d6ec-8b29-40c9-a6a9-8a6d14379152",
"version": "KqlParameterItem/1.0",
"name": "TimeRange",
"type": 4,
"isRequired": true,
"value": {
"durationMs": 1209600000
},
"typeSettings": {
"selectableValues": [
{
"durationMs": 300000
},
{
"durationMs": 900000
},
{
"durationMs": 1800000
},
{
"durationMs": 3600000
},
{
"durationMs": 14400000
},
{
"durationMs": 43200000
},
{
"durationMs": 86400000
},
{
"durationMs": 172800000
},
{
"durationMs": 259200000
},
{
"durationMs": 604800000
},
{
"durationMs": 1209600000
},
{
"durationMs": 2419200000
},
{
"durationMs": 2592000000
},
{
"durationMs": 5184000000
},
{
"durationMs": 7776000000
}
],
"allowCustom": true
}
},
{
"id": "dc5a9545-e05c-452d-8501-587f70af2b60",
"version": "KqlParameterItem/1.0",
"name": "Score",
"type": 2,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "McasShadowItReporting\r\n| summarize Count = count() by AppScore\r\n| order by Count desc, AppScore asc\r\n| project Value = AppScore, Label = strcat(AppScore, ' - ', Count)",
"value": [
"value::all"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
]
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
{
"id": "b76c0ad5-42fb-45a0-96c4-2666c74701cc",
"version": "KqlParameterItem/1.0",
"name": "Tags",
"type": 2,
"query": "McasShadowItReporting\r\n| mvexpand Tag = AppTags\r\n| summarize Count = count() by tostring(Tag)\r\n| order by Count desc, tostring(Tag) asc\r\n| project Value = tostring(Tag), Label = strcat(tostring(Tag), ' - ', Count)",
"value": null,
"typeSettings": {
"additionalResourceOptions": []
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
{
"id": "3deb4b27-e062-4c2a-9e64-08e907475209",
"version": "KqlParameterItem/1.0",
"name": "DataStream",
"type": 2,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "McasShadowItReporting\r\n| summarize Count = dcount(AppName) by StreamName\r\n| order by Count desc\r\n| project Value = StreamName, Label = strcat(StreamName, ' - ', Count)",
"value": [
"Global view"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
],
"selectAllValue": "All"
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 0"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityAlert\r\n| where ProductName == \"Microsoft Cloud App Security\"\r\n| where AlertType contains \"DISCOVERY\"\r\n| sort by TimeGenerated \r\n| summarize Count= count() by AlertName, AlertSeverity,Name_ = tostring(parse_json(Entities)[0].Name), AppId = tostring(parse_json(Entities)[0].AppId)\r\n| take 10",
"size": 4,
"exportFieldName": "AppId",
"exportParameterName": "AppId",
"exportDefaultValue": "All",
"exportToExcelOptions": "visible",
"title": "10 latest Discovery alerts",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"gridSettings": {
"formatters": [
{
"columnMatch": "AlertType",
"formatter": 5,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Description",
"formatter": 5,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "AlertName",
"formatter": 7,
"formatOptions": {
"linkTarget": "GenericDetails",
"linkIsContextBlade": true,
"showIcon": true
}
},
{
"columnMatch": "AlertSeverity",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Name_",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "AppId_",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Entities",
"formatter": 5,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "TimeGenerated",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "ExtendedLinks",
"formatter": 5,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Count",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "count_",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
}
]
},
"tileSettings": {
"titleContent": {
"columnMatch": "AlertName",
"formatter": 1,
"formatOptions": {
"showIcon": true
}
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"palette": "auto",
"showIcon": true
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
},
"rightContent": {
"columnMatch": "AlertSeverity",
"formatOptions": {
"showIcon": true
}
},
"secondaryContent": {
"columnMatch": "Name_",
"formatOptions": {
"showIcon": true
}
},
"showBorder": false
}
},
"name": "query - 5"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityAlert\r\n| where ProductName == \"Microsoft Cloud App Security\"\r\n| where AlertType contains \"DISCOVERY\"\r\n| extend AppId = tostring(parse_json(Entities)[0].AppId)\r\n| where AppId == '{AppId}' or '{AppId}' == \"All\"\r\n| summarize Count= count() by AlertType, Description,AlertName, AlertSeverity,Name_ = tostring(parse_json(Entities)[0].Name), AppId, Entities, ExtendedLinks, bin(TimeGenerated, {TimeRange:grain})",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Alerts details",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "AlertType",
"formatter": 5,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Description",
"formatter": 5,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "AlertName",
"formatter": 7,
"formatOptions": {
"linkTarget": "GenericDetails",
"linkIsContextBlade": true,
"showIcon": true
}
},
{
"columnMatch": "AlertSeverity",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Name_",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "AppId",
"formatter": 5,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Entities",
"formatter": 5,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "ExtendedLinks",
"formatter": 5,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Count",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
}
],
"filter": true,
"labelSettings": [
{
"columnId": "AlertType",
"label": "AlertType"
},
{
"columnId": "Description",
"label": "Description"
},
{
"columnId": "AlertName",
"label": "AlertName"
},
{
"columnId": "AlertSeverity",
"label": "AlertSeverity"
},
{
"columnId": "Name_",
"label": "Name_"
},
{
"columnId": "AppId",
"label": "AppId"
},
{
"columnId": "Entities",
"label": "Entities"
},
{
"columnId": "ExtendedLinks",
"label": "ExtendedLinks"
},
{
"columnId": "TimeGenerated",
"label": "TimeGenerated"
},
{
"columnId": "Count",
"label": "Count"
}
]
}
},
"customWidth": "50",
"name": "query - 7"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityAlert\r\n| where ProductName == \"Microsoft Cloud App Security\"\r\n| where AlertType contains \"DISCOVERY\"\r\n| extend AppId = tostring(parse_json(Entities)[0].AppId)\r\n| where AppId == '{AppId}' or '{AppId}' == \"All\"\r\n| summarize Count= count() by AlertName, bin(TimeGenerated, {TimeRange:grain})",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Alerts trend, by alert name",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "barchart"
},
"customWidth": "50",
"name": "query - 8"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let data = McasShadowItReporting\r\n| where '{Tags}' == '' or AppTags has \"{Tags}\"\r\n| where AppScore in ({Score}) or '{Score:label}' == \"All\"\r\n| where AppId == '{AppId}' or '{AppId}' == \"All\"\r\n| where StreamName in ({DataStream}) or '{DataStream:label}' == \"All\";\r\ndata\r\n| summarize Sum = sum(TotalBytes)/1048576 by AppCategory\r\n| join kind = fullouter (datatable(AppCategory:string)['Medium', 'high', 'low']) on AppCategory\r\n| project AppCategory = iff(AppCategory == '', AppCategory1, AppCategory), Sum = iff(AppCategory == '', 0, Sum)\r\n| join kind = inner (data\r\n | make-series Trend = sum(TotalBytes)/1048576 default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by AppCategory)\r\n on AppCategory\r\n| project-away AppCategory1, TimeGenerated\r\n| extend AppCategorys = AppCategory\r\n| union (\r\n data \r\n | summarize Sum = sum(TotalBytes)/1048576\r\n | extend jkey = 1\r\n | join kind=inner (data\r\n | make-series Trend = sum(TotalBytes)/1048576 default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\r\n | extend jkey = 1) on jkey\r\n | extend AppCategory = 'All', AppCategorys = '*' \r\n)\r\n| order by Sum desc\r\n| take 10",
"size": 4,
"exportFieldName": "AppCategory",
"exportParameterName": "AppCategoryFilter",
"exportDefaultValue": "All",
"exportToExcelOptions": "visible",
"title": "Top 10 application categories, by traffic in MB",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"tileSettings": {
"titleContent": {
"columnMatch": "AppCategory",
"formatter": 1,
"formatOptions": {
"showIcon": true
}
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"palette": "auto",
"showIcon": true
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
},
"rightContent": {
"columnMatch": "Sum",
"formatter": 12,
"formatOptions": {
"showIcon": true
}
},
"secondaryContent": {
"columnMatch": "Trend",
"formatter": 9,
"formatOptions": {
"palette": "greenDark",
"showIcon": true
}
},
"showBorder": false
}
},
"name": "query - 2"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "McasShadowItReporting\r\n| where '{Tags}' == '' or AppTags has \"{Tags}\"\r\n| where AppCategory == '{AppCategoryFilter}' or '{AppCategoryFilter}' == \"All\"\r\n| where AppScore in ({Score}) or '{Score:label}' == \"All\"\r\n| where AppId == '{AppId}' or '{AppId}' == \"All\"\r\n| where StreamName in ({DataStream}) or '{DataStream:label}' == \"All\"\r\n| summarize TrafficUpload = sum(UploadedBytes)/1048576, TrafficDownload = sum(DownloadedBytes)/1048576 by UserName\r\n| order by TrafficUpload, TrafficDownload",
"size": 0,
"exportFieldName": "UserName",
"exportParameterName": "UserNameFilter",
"exportDefaultValue": "All",
"exportToExcelOptions": "visible",
"title": "User traffic in MB",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "UserName",
"formatter": 1,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "TrafficUpload",
"formatter": 4,
"formatOptions": {
"min": 0,
"palette": "blue",
"showIcon": true
}
},
{
"columnMatch": "TrafficDownload",
"formatter": 4,
"formatOptions": {
"min": 0,
"palette": "purple",
"showIcon": true
}
}
],
"filter": true,
"labelSettings": [
{
"columnId": "UserName",
"label": "UserName"
},
{
"columnId": "TrafficUpload",
"label": "TrafficUpload"
},
{
"columnId": "TrafficDownload",
"label": "TrafficDownload"
}
]
}
},
"customWidth": "50",
"name": "query - 1"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let data = McasShadowItReporting\r\n| where '{Tags}' == '' or AppTags has \"{Tags}\"\r\n| where AppCategory == '{AppCategoryFilter}' or '{AppCategoryFilter}' == \"All\"\r\n| where UserName == '{UserNameFilter}' or '{UserNameFilter}' == \"All\"\r\n| where AppScore in ({Score}) or '{Score:label}' == \"All\"\r\n| where AppId == '{AppId}' or '{AppId}' == \"All\"\r\n| where StreamName in ({DataStream}) or '{DataStream:label}' == \"All\";\r\nlet appData = data\r\n| summarize TotalUsers = dcount(UserName) by AppScore\r\n| join kind=inner (data\r\n | make-series Trend = sum(UploadedBytes)/1048576 default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by AppScore\r\n | project-away TimeGenerated) on AppScore\r\n| order by TotalUsers desc, AppScore asc\r\n| project AppScore, TotalUsers, Trend\r\n| serialize Id = row_number();\r\ndata\r\n| summarize TotalUsers = dcount(UserName) by AppName , AppScore\r\n| join kind=inner (data\r\n | make-series Trend = sum(UploadedBytes)/1048576 default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by AppScore, AppName\r\n | project-away TimeGenerated) on AppScore, AppName\r\n| order by TotalUsers desc, AppScore asc\r\n| project AppScore, AppName, TotalUsers, Trend\r\n| serialize Id = row_number(1000000)\r\n| join kind=inner (appData) on AppScore\r\n| project Id, Name = AppName, Type = 'AppName', ['Total Users'] = TotalUsers, ['Trend By Traffic'] = Trend, ParentId = Id1\r\n| union (appData \r\n | project Id, Name = strcat(\"Score: \", tostring(AppScore)), Type = 'AppScore', ['Total Users'] = TotalUsers, ['Trend By Traffic'] = Trend, AppScore )\r\n| order by AppScore desc, ['Total Users'] desc",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Application scores distribution",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "Id",
"formatter": 5,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Name",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Type",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Total Users",
"formatter": 8,
"formatOptions": {
"palette": "purple",
"showIcon": true
}
},
{
"columnMatch": "Trend",
"formatter": 9,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "ParentId",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "AppScore",
"formatter": 5,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "AppCategory Count",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
}
],
"filter": true,
"hierarchySettings": {
"idColumn": "Id",
"parentColumn": "ParentId",
"treeType": 0,
"expanderColumn": "Name"
},
"labelSettings": [
{
"columnId": "Id",
"label": "Id"
},
{
"columnId": "Name",
"label": "Name"
},
{
"columnId": "Type",
"label": "Type"
},
{
"columnId": "Total Users",
"label": "Total Users"
},
{
"columnId": "Trend By Traffic",
"label": "Trend By Traffic"
},
{
"columnId": "ParentId",
"label": "ParentId"
},
{
"columnId": "AppScore",
"label": "AppScore"
}
]
}
},
"customWidth": "50",
"name": "query - 3"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "McasShadowItReporting\r\n| where '{Tags}' == '' or AppTags has \"{Tags}\"\r\n| where AppCategory == '{AppCategoryFilter}' or '{AppCategoryFilter}' == \"All\"\r\n| where UserName == '{UserNameFilter}' or '{UserNameFilter}' == \"All\"\r\n| where AppScore in ({Score}) or '{Score:label}' == \"All\"\r\n| where AppId == '{AppId}' or '{AppId}' == \"All\"\r\n| where StreamName in ({DataStream}) or '{DataStream:label}' == \"All\"\r\n| summarize sum(TotalBytes)/1048576 by AppName, bin(TimeGenerated,1d)",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Usage trend",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "linechart"
},
"name": "query - 4"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "McasShadowItReporting\r\n| where '{Tags}' == '' or AppTags has \"{Tags}\"\r\n| where AppCategory == '{AppCategoryFilter}' or '{AppCategoryFilter}' == \"All\"\r\n| where UserName == '{UserNameFilter}' or '{UserNameFilter}' == \"All\"\r\n| where AppScore in ({Score}) or '{Score:label}' == \"All\"\r\n| where AppId == '{AppId}' or '{AppId}' == \"All\"\r\n| where StreamName in ({DataStream}) or '{DataStream:label}' == \"All\"\r\n| summarize count() by AppName, UserName, IpAddress, AppScore, UploadedBytes, DownloadedBytes, bin(TimeGenerated, {TimeRange:grain})\r\n| order by AppScore asc",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Discovery logs, by score",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "AppName",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "UserName",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "IpAddress",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "AppScore",
"formatter": 8,
"formatOptions": {
"min": 0,
"max": 10,
"palette": "hotCold",
"showIcon": true
}
},
{
"columnMatch": "UploadedBytes",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "DownloadedBytes",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "TimeGenerated",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "count_",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
}
],
"labelSettings": [
{
"columnId": "AppName",
"label": "AppName"
},
{
"columnId": "UserName",
"label": "UserName"
},
{
"columnId": "IpAddress",
"label": "IpAddress"
},
{
"columnId": "AppScore",
"label": "AppScore"
},
{
"columnId": "UploadedBytes",
"label": "UploadedBytes"
},
{
"columnId": "DownloadedBytes",
"label": "DownloadedBytes"
},
{
"columnId": "TimeGenerated",
"label": "TimeGenerated"
},
{
"columnId": "count_",
"label": "count_"
}
]
}
},
"name": "query - 6"
}
],
"styleSettings": {},
"fromTemplateId": "sentinel-MicrosoftCloudAppSecurity",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}