Skip to content
Permalink
master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

Azure-Sentinel/Workbooks/EventAnalyzer.json

Go to file
 
 
Cannot retrieve contributors at this time
1081 lines (1081 sloc) 37.5 KB
Raw Blame
Open in GitHub Desktop
{
"version": "Notebook/1.0",
"items": [
{
"type": 1,
"content": {
"json": "## Event Analyzer\n---\n\nEvent Analyzer is a visualizing workbook to explore and audit Windows Event Log and explore all events details and attributes for viewing, analyzing and monitoring events recorded in Microsoft Windows event logs. The analyzer speeds up the analysis of event logs (security, application, system, setup, directory service, DNS and others)."
},
"name": "text - 2"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"crossComponentResources": [
"value::all"
],
"parameters": [
{
"id": "6bdfb4ab-a58b-4035-bfca-4b4bdb67aa60",
"version": "KqlParameterItem/1.0",
"name": "DefaultWorkspace",
"type": 5,
"isRequired": true,
"value": "/subscriptions/<subs_ID>/resourcegroups/<rg_name>/providers/microsoft.operationalinsights/workspaces/<workspace_name>",
"isHiddenWhenLocked": true,
"typeSettings": {
"resourceTypeFilter": {
"microsoft.operationalinsights/workspaces": true
},
"additionalResourceOptions": []
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"resourceType": "microsoft.insights/components"
},
{
"id": "66c96524-06de-4fb2-be22-3314ff7f96b0",
"version": "KqlParameterItem/1.0",
"name": "ContextFree",
"type": 1,
"query": "{\"version\":\"1.0.0\",\"content\":\"\\\"{DefaultWorkspace}\\\"\",\"transformers\":null}",
"isHiddenWhenLocked": true,
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 8
},
{
"id": "9ecea5c4-8730-4503-a052-95a2418ddd70",
"version": "KqlParameterItem/1.0",
"name": "Selection",
"type": 1,
"query": "where type =~ 'microsoft.operationalinsights/workspaces'\r\n| extend match = strcat(\"'\", id, \"'\") =~ \"{DefaultWorkspace:value}\"\r\n| order by match desc, name asc\r\n| take 1\r\n| project value = tostring(pack('sub', subscriptionId, 'rg', resourceGroup, 'ws', id))",
"crossComponentResources": [
"value::all"
],
"isHiddenWhenLocked": true,
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
}
],
"style": "above",
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
},
"conditionalVisibility": {
"parameterName": "_",
"comparison": "isEqualTo",
"value": "_"
},
"name": "parameters - 3"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"crossComponentResources": [
"{Subscriptions}"
],
"parameters": [
{
"id": "401c9381-d3bc-4594-be03-c322c0c6a135",
"version": "KqlParameterItem/1.0",
"name": "Subscriptions",
"type": 6,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "summarize by subscriptionId\r\n| project value = strcat('/subscriptions/', subscriptionId), label = subscriptionId, selected = iff(subscriptionId =~ todynamic('{Selection}').sub, true, false)",
"crossComponentResources": [
"value::all"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
]
},
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
},
{
"id": "8f5a2b0e-71bf-49f4-b570-c3d84c7cc7f6",
"version": "KqlParameterItem/1.0",
"name": "Workspaces",
"type": 7,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "where type =~ 'microsoft.operationalinsights/workspaces'\r\n| summarize by id, name\r\n| project id, selected = iff(id =~ todynamic('{Selection}').ws, true, false)",
"crossComponentResources": [
"{Subscriptions}"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
],
"selectAllValue": "*"
},
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
},
{
"id": "bcb5eb6b-b6a8-47c4-95a2-87753cb10ea8",
"version": "KqlParameterItem/1.0",
"name": "TimeRange",
"type": 4,
"value": {
"durationMs": 86400000
},
"typeSettings": {
"selectableValues": [
{
"durationMs": 300000
},
{
"durationMs": 900000
},
{
"durationMs": 1800000
},
{
"durationMs": 3600000
},
{
"durationMs": 14400000
},
{
"durationMs": 43200000
},
{
"durationMs": 86400000
},
{
"durationMs": 172800000
},
{
"durationMs": 259200000
},
{
"durationMs": 604800000
},
{
"durationMs": 1209600000
},
{
"durationMs": 2419200000
},
{
"durationMs": 2592000000
},
{
"durationMs": 5184000000
},
{
"durationMs": 7776000000
}
]
},
"resourceType": "microsoft.insights/components"
},
{
"id": "1c1b8f51-b434-468a-b256-29826c15d9e1",
"version": "KqlParameterItem/1.0",
"name": "TestConnectivity",
"type": 1,
"query": "InsightsMetrics\r\n| where TimeGenerated {TimeRange}\r\n| take 1",
"isHiddenWhenLocked": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
}
],
"style": "above",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 2"
},
{
"type": 11,
"content": {
"version": "LinkItem/1.0",
"style": "tabs",
"links": [
{
"cellValue": "Tab",
"linkTarget": "parameter",
"linkLabel": "Audit File Share",
"subTarget": "1",
"preText": "",
"style": "link"
},
{
"cellValue": "Tab",
"linkTarget": "parameter",
"linkLabel": "Audit File System",
"subTarget": "2",
"style": "link"
},
{
"cellValue": "Tab",
"linkTarget": "parameter",
"linkLabel": "Audit Filtering Platform Connection",
"subTarget": "3",
"style": "link"
},
{
"cellValue": "Tab",
"linkTarget": "parameter",
"linkLabel": "Audit Handle Manipulation",
"subTarget": "4",
"style": "link"
},
{
"cellValue": "Tab",
"linkTarget": "parameter",
"linkLabel": "Audit Kernel Object",
"subTarget": "5",
"style": "link"
},
{
"cellValue": "Tab",
"linkTarget": "parameter",
"linkLabel": "Audit Other Object Access Events",
"subTarget": "6",
"style": "link"
},
{
"cellValue": "Tab",
"linkTarget": "parameter",
"linkLabel": "Audit Registry",
"subTarget": "7",
"style": "link"
},
{
"cellValue": "Tab",
"linkTarget": "parameter",
"linkLabel": "Audit Removable Storage",
"subTarget": "8",
"style": "link"
},
{
"cellValue": "Tab",
"linkTarget": "parameter",
"linkLabel": "Audit SAM",
"subTarget": "9",
"style": "link"
},
{
"cellValue": "Tab",
"linkTarget": "parameter",
"linkLabel": "Audit Policy Change",
"subTarget": "10",
"style": "link"
},
{
"cellValue": "Tab",
"linkTarget": "parameter",
"linkLabel": "Audit Sensitive Privilege Use",
"subTarget": "11",
"style": "link"
}
]
},
"name": "links - 4"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"loadType": "always",
"items": [
{
"type": 1,
"content": {
"json": "Events:\r\n- A network share object was accessed\r\n- A network share object was added\r\n- A network share object was modified\r\n- A network share object was deleted\r\n- SPN check for SMB/SMB2 failed"
},
"name": "text - 1",
"styleSettings": {
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityEvent\r\n| where EventID in (5140, 5142, 5143, 5144, 5168)\r\n| project TimeGenerated, Account , Computer , EventData , EventID , Activity ",
"size": 1,
"showAnnotations": true,
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"timeBrushParameterName": "TimeBrush",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "timechart",
"tileSettings": {
"showBorder": false,
"titleContent": {
"columnMatch": "Account",
"formatter": 1
},
"leftContent": {
"columnMatch": "Task",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
},
"graphSettings": {
"type": 0,
"topContent": {
"columnMatch": "Account",
"formatter": 1
},
"centerContent": {
"columnMatch": "Task",
"formatter": 1,
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
},
"chartSettings": {
"xAxis": "TimeGenerated",
"yAxis": [
"EventID"
],
"showLegend": true,
"xSettings": {},
"ySettings": {}
}
},
"name": "query - 2"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityEvent\r\n| where EventID in (5140, 5142, 5143, 5144, 5168)\r\n| project TimeGenerated, Account , Computer , EventData , EventID , Activity ",
"size": 0,
"timeContext": {
"durationMs": 86400000
},
"timeContextFromParameter": "TimeBrush",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table",
"gridSettings": {
"filter": true
}
},
"showPin": false,
"name": "query - 0"
}
]
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "1"
},
"name": "AuditFileShare"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"loadType": "always",
"items": [
{
"type": 1,
"content": {
"json": "Events: \r\n- A handle to an object was requested \r\n- The handle to an object was closed \r\n- An object was deleted- An attempt was made to access an object\r\n- An attempt was made to create a hard link- The state of a transaction has changed \r\n- A file was virtualized\r\n- Permissions on an object were changed"
},
"name": "text - 1",
"styleSettings": {
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityEvent\r\n| where EventID in (4656, 4658, 4660, 4663, 4664, 4985, 5051, 4670)\r\n| project TimeGenerated, Account , AccountType , Computer , EventSourceName , Channel , Task , EventData , EventID , Activity ",
"size": 1,
"showAnnotations": true,
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"timeBrushParameterName": "TimeBrush",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "timechart",
"chartSettings": {
"showLegend": true,
"xSettings": {},
"ySettings": {}
}
},
"name": "query - 2"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityEvent\r\n| where EventID in (4656, 4658, 4660, 4663, 4664, 4985, 5051, 4670)\r\n| project TimeGenerated, Account , Computer , EventData , EventID , Activity ",
"size": 0,
"timeContext": {
"durationMs": 86400000
},
"timeContextFromParameter": "TimeBrush",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"filter": true
}
},
"name": "query - 0"
}
]
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "2"
},
"name": "AuditFileSystem",
"styleSettings": {
"showBorder": true
}
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"loadType": "always",
"items": [
{
"type": 1,
"content": {
"json": "Events:\r\n - The handle to an object was closed\r\n - An attempt was made to duplicate a handle to an object"
},
"name": "text - 0",
"styleSettings": {
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityEvent\r\n| where EventID in (4658, 4690)\r\n| project TimeGenerated, Account , AccountType , Computer , EventSourceName , Channel , Task , EventData , EventID , Activity ",
"size": 1,
"showAnnotations": true,
"timeContext": {
"durationMs": 2592000000
},
"timeBrushParameterName": "TimeBrush",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "timechart"
},
"name": "query - 2"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityEvent\r\n| where EventID in (4658, 4690)\r\n| project TimeGenerated, Account , Computer , EventData , EventID , Activity ",
"size": 0,
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeBrush",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"filter": true
}
},
"name": "query - 1"
}
]
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "4"
},
"name": "AuditHandleManipulation",
"styleSettings": {
"showBorder": true
}
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"loadType": "always",
"items": [
{
"type": 1,
"content": {
"json": "Events:\r\n- The Windows Firewall Service blocked an application from accepting incoming connections on the network\r\n- The Windows Filtering Platform blocked a packet\r\n- A more restrictive Windows Filtering Platform filter has blocked a packet\r\n- The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections\r\n- The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections\r\n- The Windows Filtering Platform has permitted a connection\r\n- The Windows Filtering Platform has blocked a connection\r\n- The Windows Filtering Platform has permitted a bind to a local port\r\n- The Windows Filtering Platform has blocked a bind to a local port"
},
"name": "text - 0",
"styleSettings": {
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityEvent\r\n| where EventID in (5031, 5150, 5151, 5154, 5155, 5156, 5157, 5158, 5159)\r\n| project TimeGenerated, Account , AccountType , Computer , EventSourceName , Channel , Task , EventData , EventID , Activity",
"size": 1,
"showAnnotations": true,
"timeContext": {
"durationMs": 2592000000
},
"timeBrushParameterName": "TimeBrush",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "timechart"
},
"name": "query - 2"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityEvent\r\n| where EventID in (5031, 5150, 5151, 5154, 5155, 5156, 5157, 5158, 5159)\r\n| project TimeGenerated, Account , Computer , EventData , EventID , Activity",
"size": 0,
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeBrush",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"filter": true
}
},
"name": "query - 1"
}
]
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "3"
},
"name": "AuditFilterPlatformConnection",
"styleSettings": {
"showBorder": true
}
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"loadType": "always",
"items": [
{
"type": 1,
"content": {
"json": "Events:\r\n- A handle to an object was requested\r\n- The handle to an object was closed\r\n- An object was deleted\r\n- An attempt was made to access an object"
},
"name": "text - 0",
"styleSettings": {
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityEvent\r\n| where EventID in (4656, 4658, 4660, 4663)\r\n| project TimeGenerated, Account , AccountType , Computer , EventSourceName , Channel , Task , EventData , EventID , Activity ",
"size": 1,
"showAnnotations": true,
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"timeBrushParameterName": "TimeBrush",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "timechart"
},
"name": "query - 2"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityEvent\r\n| where EventID in (4656, 4658, 4660, 4663)\r\n| project TimeGenerated, Account , Computer , EventData , EventID , Activity ",
"size": 0,
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeBrush",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"filter": true
}
},
"name": "query - 1"
}
]
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "5"
},
"name": "AuditKernelObject",
"styleSettings": {
"showBorder": true
}
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"loadType": "always",
"items": [
{
"type": 1,
"content": {
"json": "Events:\r\n- An application attempted to access a blocked ordinal through the TBS\r\n- Indirect access to an object was requested\r\n- The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded\r\n- The DoS attack has subsided and normal processing is being resumed\r\n- A scheduled task was created\r\n- A scheduled task was deleted\r\n- A scheduled task was enabled\r\n- A scheduled task was disabled\r\n- A scheduled task was updated\r\n- An object in the COM+ Catalog was modified\r\n- An object was deleted from the COM+ Catalog\r\n- An object was added to the COM+ Catalog"
},
"name": "text - 0",
"styleSettings": {
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityEvent\r\n| where EventID in (4671, 4691, 5148, 5149, 4698, 4699, 4700, 4701, 4702, 5888, 5889, 5890)\r\n| project TimeGenerated, Account , AccountType , Computer , EventSourceName , Channel , Task , EventData , EventID , Activity \r\n| top 1000 by TimeGenerated desc",
"size": 1,
"showAnnotations": true,
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"timeBrushParameterName": "TImeBrush",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "timechart",
"tileSettings": {
"showBorder": false,
"titleContent": {
"columnMatch": "Account",
"formatter": 1
},
"leftContent": {
"columnMatch": "EventID",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
}
},
"name": "query - 2"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityEvent\r\n| where EventID in (4671, 4691, 5148, 5149, 4698, 4699, 4700, 4701, 4702, 5888, 5889, 5890)\r\n| project TimeGenerated, Account , Computer , EventData , EventID , Activity ",
"size": 0,
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TImeBrush",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"filter": true
}
},
"name": "query - 1"
}
]
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "6"
},
"name": "AuditOtherObject",
"styleSettings": {
"showBorder": true
}
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 1,
"content": {
"json": "Events:\r\n- An attempt was made to access an object\r\n- A handle to an object was requested\r\n- The handle to an object was closed\r\n- An object was deleted\r\n- A registry value was modified\r\n- A registry key was virtualized\r\n- Permissions on an object were changed"
},
"name": "text - 0",
"styleSettings": {
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityEvent\r\n| where EventID in (4663, 4656, 4658, 4660, 4657, 5039, 4670)\r\n| project TimeGenerated, Account , AccountType , Computer , EventSourceName , Channel , Task , EventData , EventID , Activity \r\n| top 1000 by TimeGenerated desc",
"size": 1,
"showAnnotations": true,
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"timeBrushParameterName": "TimeBrush",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "timechart"
},
"name": "query - 2"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityEvent\r\n| where EventID in (4663, 4656, 4658, 4660, 4657, 5039, 4670)\r\n| project TimeGenerated, Account , Computer , EventData , EventID , Activity ",
"size": 0,
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeBrush",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"filter": true
}
},
"name": "query - 1"
}
]
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "7"
},
"name": "AuditRegistry",
"styleSettings": {
"showBorder": true
}
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"loadType": "always",
"items": [
{
"type": 1,
"content": {
"json": "Events:\r\n- A handle to an object was requested\r\n- The handle to an object was closed\r\n- An attempt was made to access an object"
},
"name": "text - 0",
"styleSettings": {
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityEvent\r\n| where EventID in (4656, 4658, 4663)\r\n| project TimeGenerated, Account , AccountType , Computer , EventSourceName , Channel , Task , EventData , EventID , Activity \r\n| top 1000 by TimeGenerated desc",
"size": 4,
"showAnnotations": true,
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"timeBrushParameterName": "TimeBrush",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "timechart"
},
"name": "query - 2"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityEvent\r\n| where EventID in (4656, 4658, 4663)\r\n| project TimeGenerated, Account , Computer , EventData , EventID , Activity ",
"size": 0,
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeBrush",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"filter": true
}
},
"name": "query - 1"
}
]
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "8"
},
"name": "AuditRemovable",
"styleSettings": {
"showBorder": true
}
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"loadType": "always",
"items": [
{
"type": 1,
"content": {
"json": "Events:\r\n- A handle to an object was requested"
},
"name": "text - 0",
"styleSettings": {
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityEvent\r\n| where EventID == 4661\r\n| project TimeGenerated, Account , AccountType , Computer , EventSourceName , Channel , Task , EventData , EventID , Activity ",
"size": 1,
"showAnnotations": true,
"timeContext": {
"durationMs": 2592000000
},
"timeBrushParameterName": "TimeBrush",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "timechart"
},
"name": "query - 2"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityEvent\r\n| where EventID == 4661\r\n| project TimeGenerated, Account , Computer , EventData , EventID , Activity ",
"size": 0,
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeBrush",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"filter": true
}
},
"name": "query - 1"
}
]
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "9"
},
"name": "AuditSAM",
"styleSettings": {
"showBorder": true
}
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"loadType": "always",
"items": [
{
"type": 1,
"content": {
"json": "Events:\r\n- The audit policy (SACL) on an object was changed\r\n- System audit policy was changed\r\n- Auditing settings on object were changed\r\n- The Per-user audit policy table was created\r\n- The CrashOnAuditFail value has changed\r\n- Auditing settings on object were changed\r\n- Special Groups Logon table modified\r\n- Per User Audit Policy was changed\r\n- An attempt was made to register a security event source\r\n- An attempt was made to unregister a security event source"
},
"name": "text - 0"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityEvent\r\n| where EventID in (4715, 4719, 4817, 4902, 4906, 4907, 4908, 4912, 4904, 4905)\r\n| project TimeGenerated, Account , AccountType , Computer , EventSourceName , Channel , Task , EventData , EventID , Activity \r\n| top 1000 by TimeGenerated desc",
"size": 1,
"showAnnotations": true,
"timeContext": {
"durationMs": 2592000000
},
"timeBrushParameterName": "TimeBrush",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "timechart"
},
"name": "query - 2"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityEvent\r\n| where EventID in (4715, 4719, 4817, 4902, 4906, 4907, 4908, 4912, 4904, 4905)\r\n| project TimeGenerated, Account , Computer , EventData , EventID , Activity ",
"size": 0,
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeBrush",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"filter": true
}
},
"name": "query - 1"
}
]
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "10"
},
"name": "AuditPolicyChange",
"styleSettings": {
"showBorder": true
}
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"loadType": "always",
"items": [
{
"type": 1,
"content": {
"json": "Events:\r\n- A privileged service was called\r\n- An operation was attempted on a privileged object\r\n- The state of a transaction has changed"
},
"name": "text - 0",
"styleSettings": {
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityEvent\r\n| where EventID in (4673, 4674, 4985)\r\n| project TimeGenerated, Account , Computer , EventData , EventID , Activity ",
"size": 1,
"showAnnotations": true,
"timeContext": {
"durationMs": 2592000000
},
"timeBrushParameterName": "TimeBrush",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "timechart"
},
"name": "query - 2"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityEvent\r\n| where EventID in (4673, 4674, 4985)\r\n| project Account , Computer , EventData , EventID , Activity ",
"size": 1,
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeBrush",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"filter": true
}
},
"name": "query - 1"
}
]
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "11"
},
"name": "AuditSensitive",
"styleSettings": {
"showBorder": true
}
}
],
"styleSettings": {
"progressStyle": "loader"
},
"fromTemplateId": "sentinel-EventAnalyzerWorkbook",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}