Permalink
Cannot retrieve contributors at this time
Name already in use
A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Azure-Sentinel/Workbooks/LinuxMachines.json
Go to fileThis commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "version": "Notebook/1.0", | |
| "items": [ | |
| { | |
| "type": 1, | |
| "content": { | |
| "json": "## Linux Machines" | |
| }, | |
| "name": "text - 0" | |
| }, | |
| { | |
| "type": 9, | |
| "content": { | |
| "version": "KqlParameterItem/1.0", | |
| "query": "", | |
| "crossComponentResources": [], | |
| "parameters": [ | |
| { | |
| "id": "1025a43d-241c-4e40-95dc-c9eb9c789bc5", | |
| "version": "KqlParameterItem/1.0", | |
| "name": "TimeRange", | |
| "type": 4, | |
| "isRequired": true, | |
| "value": { | |
| "durationMs": 1209600000 | |
| }, | |
| "typeSettings": { | |
| "selectableValues": [ | |
| { | |
| "durationMs": 300000 | |
| }, | |
| { | |
| "durationMs": 900000 | |
| }, | |
| { | |
| "durationMs": 1800000 | |
| }, | |
| { | |
| "durationMs": 3600000 | |
| }, | |
| { | |
| "durationMs": 14400000 | |
| }, | |
| { | |
| "durationMs": 43200000 | |
| }, | |
| { | |
| "durationMs": 86400000 | |
| }, | |
| { | |
| "durationMs": 172800000 | |
| }, | |
| { | |
| "durationMs": 259200000 | |
| }, | |
| { | |
| "durationMs": 604800000 | |
| }, | |
| { | |
| "durationMs": 1209600000 | |
| }, | |
| { | |
| "durationMs": 2419200000 | |
| }, | |
| { | |
| "durationMs": 2592000000 | |
| }, | |
| { | |
| "durationMs": 5184000000 | |
| }, | |
| { | |
| "durationMs": 7776000000 | |
| } | |
| ], | |
| "allowCustom": true | |
| } | |
| }, | |
| { | |
| "id": "bc241870-7874-4927-8c74-d17e747522b1", | |
| "version": "KqlParameterItem/1.0", | |
| "name": "Computer", | |
| "type": 5, | |
| "isRequired": true, | |
| "multiSelect": true, | |
| "quote": "'", | |
| "delimiter": ",", | |
| "query": "Syslog\r\n| summarize syslogEventsCount = count() by Computer\r\n| sort by syslogEventsCount desc\r\n| project Computer\r\n", | |
| "value": [ | |
| "value::all" | |
| ], | |
| "typeSettings": { | |
| "additionalResourceOptions": [ | |
| "value::all" | |
| ], | |
| "selectAllValue": "All" | |
| }, | |
| "queryType": 0, | |
| "resourceType": "microsoft.operationalinsights/workspaces" | |
| }, | |
| { | |
| "id": "e073f36e-2fb5-421d-9099-217205b247f5", | |
| "version": "KqlParameterItem/1.0", | |
| "name": "Severity", | |
| "type": 2, | |
| "isRequired": true, | |
| "multiSelect": true, | |
| "quote": "'", | |
| "delimiter": ",", | |
| "value": [ | |
| "value::all" | |
| ], | |
| "typeSettings": { | |
| "additionalResourceOptions": [ | |
| "value::all" | |
| ], | |
| "selectAllValue": "*" | |
| }, | |
| "jsonData": "[\"Emergency\", \"Alert\", \"Critical\", \"Error\", \"Warning\", \"Notice\", \"Informational\", \"Debug\"]", | |
| "timeContext": { | |
| "durationMs": 0 | |
| }, | |
| "timeContextFromParameter": "TimeRange" | |
| } | |
| ], | |
| "style": "pills", | |
| "queryType": 0, | |
| "resourceType": "microsoft.operationalinsights/workspaces" | |
| }, | |
| "name": "parameters - 1" | |
| }, | |
| { | |
| "type": 3, | |
| "content": { | |
| "version": "KqlItem/1.0", | |
| "query": "Syslog\r\n| summarize count() by SeverityLevel\r\n| extend severityNumber = iif(SeverityLevel == 'emerg' or SeverityLevel == 'panic', 0, iif(SeverityLevel == 'alert', 1, iif(SeverityLevel == 'crit', 2, iif(SeverityLevel == 'err' or SeverityLevel == 'error', 3, iif(SeverityLevel == 'warning' or SeverityLevel == 'warn', 4, iif(SeverityLevel == 'notice', 5, iif(SeverityLevel == 'info', 6, iif(SeverityLevel == 'debug', 7, 8))))))))\r\n| sort by severityNumber asc\r\n| extend Severity = iif(SeverityLevel == 'emerg' or SeverityLevel == 'panic', 'Emergency', iif(SeverityLevel == 'alert', 'Alert', iif(SeverityLevel == 'crit', 'Critical', iif(SeverityLevel == 'err' or SeverityLevel == 'error', 'Error', iif(SeverityLevel == 'warning' or SeverityLevel == 'warn', 'Warning', iif(SeverityLevel == 'notice', 'Notice', iif(SeverityLevel == 'info', 'Informational', iif(SeverityLevel == 'debug', 'Debug', 'Unknown'))))))))\r\n| project-away severityNumber\r\n| where \"*\" in ({Severity}) or Severity in ({Severity})\r\n", | |
| "size": 4, | |
| "exportToExcelOptions": "visible", | |
| "timeContext": { | |
| "durationMs": 0 | |
| }, | |
| "timeContextFromParameter": "TimeRange", | |
| "queryType": 0, | |
| "resourceType": "microsoft.operationalinsights/workspaces", | |
| "visualization": "tiles", | |
| "tileSettings": { | |
| "titleContent": { | |
| "columnMatch": "SeverityLevel", | |
| "formatter": 1, | |
| "formatOptions": { | |
| "showIcon": true | |
| } | |
| }, | |
| "leftContent": { | |
| "columnMatch": "count_", | |
| "formatter": 12, | |
| "formatOptions": { | |
| "palette": "hotCold", | |
| "showIcon": true | |
| }, | |
| "numberFormat": { | |
| "unit": 17, | |
| "options": { | |
| "style": "decimal", | |
| "maximumFractionDigits": 2, | |
| "maximumSignificantDigits": 3 | |
| } | |
| } | |
| }, | |
| "showBorder": false, | |
| "sortOrderField": 2 | |
| } | |
| }, | |
| "name": "query - 2" | |
| }, | |
| { | |
| "type": 3, | |
| "content": { | |
| "version": "KqlItem/1.0", | |
| "query": "Syslog\r\n| where \"{Computer:lable}\" == \"All\" or Computer in ({Computer})\r\n| extend Severity = iif(SeverityLevel == 'emerg' or SeverityLevel == 'panic', 'Emergency', iif(SeverityLevel == 'alert', 'Alert', iif(SeverityLevel == 'crit', 'Critical', iif(SeverityLevel == 'err' or SeverityLevel == 'error', 'Error', iif(SeverityLevel == 'warning' or SeverityLevel == 'warn', 'Warning', iif(SeverityLevel == 'notice', 'Notice', iif(SeverityLevel == 'info', 'Informational', iif(SeverityLevel == 'debug', 'Debug', 'Unknown'))))))))\r\n| where \"*\" in ({Severity}) or Severity in ({Severity})\r\n| where SeverityLevel in (\"emerg\")\r\n| summarize count() by Computer, TimeGenerated\r\n", | |
| "size": 1, | |
| "exportToExcelOptions": "visible", | |
| "title": "\"Emergency\" level events, by computer", | |
| "noDataMessage": "No emergency events within the defined scope", | |
| "timeContext": { | |
| "durationMs": 0 | |
| }, | |
| "timeContextFromParameter": "TimeRange", | |
| "queryType": 0, | |
| "resourceType": "microsoft.operationalinsights/workspaces", | |
| "visualization": "timechart" | |
| }, | |
| "customWidth": "33", | |
| "name": "query - 2 - Copy" | |
| }, | |
| { | |
| "type": 3, | |
| "content": { | |
| "version": "KqlItem/1.0", | |
| "query": "Syslog\r\n| where \"{Computer:lable}\" == \"All\" or Computer in ({Computer})\r\n| extend Severity = iif(SeverityLevel == 'emerg' or SeverityLevel == 'panic', 'Emergency', iif(SeverityLevel == 'alert', 'Alert', iif(SeverityLevel == 'crit', 'Critical', iif(SeverityLevel == 'err' or SeverityLevel == 'error', 'Error', iif(SeverityLevel == 'warning' or SeverityLevel == 'warn', 'Warning', iif(SeverityLevel == 'notice', 'Notice', iif(SeverityLevel == 'info', 'Informational', iif(SeverityLevel == 'debug', 'Debug', 'Unknown'))))))))\r\n| where \"*\" in ({Severity}) or Severity in ({Severity})\r\n| where SeverityLevel in (\"crit\")\r\n| summarize count() by Computer, TimeGenerated\r\n", | |
| "size": 1, | |
| "exportToExcelOptions": "visible", | |
| "title": "\"Critical\" level events, by computer", | |
| "noDataMessage": "No critical events within the defined scope", | |
| "timeContext": { | |
| "durationMs": 0 | |
| }, | |
| "timeContextFromParameter": "TimeRange", | |
| "queryType": 0, | |
| "resourceType": "microsoft.operationalinsights/workspaces", | |
| "visualization": "timechart" | |
| }, | |
| "customWidth": "33", | |
| "name": "query - 2 - Copy" | |
| }, | |
| { | |
| "type": 3, | |
| "content": { | |
| "version": "KqlItem/1.0", | |
| "query": "Syslog\r\n| where \"{Computer:lable}\" == \"All\" or Computer in ({Computer})\r\n| extend Severity = iif(SeverityLevel == 'emerg' or SeverityLevel == 'panic', 'Emergency', iif(SeverityLevel == 'alert', 'Alert', iif(SeverityLevel == 'crit', 'Critical', iif(SeverityLevel == 'err' or SeverityLevel == 'error', 'Error', iif(SeverityLevel == 'warning' or SeverityLevel == 'warn', 'Warning', iif(SeverityLevel == 'notice', 'Notice', iif(SeverityLevel == 'info', 'Informational', iif(SeverityLevel == 'debug', 'Debug', 'Unknown'))))))))\r\n| where \"*\" in ({Severity}) or Severity in ({Severity})\r\n| where SeverityLevel in (\"alert\")\r\n| summarize count() by Computer, TimeGenerated\r\n", | |
| "size": 1, | |
| "exportToExcelOptions": "visible", | |
| "title": "\"Alert\" level events, by computer", | |
| "noDataMessage": "No alert events within the defined scope", | |
| "timeContext": { | |
| "durationMs": 0 | |
| }, | |
| "timeContextFromParameter": "TimeRange", | |
| "queryType": 0, | |
| "resourceType": "microsoft.operationalinsights/workspaces", | |
| "visualization": "timechart" | |
| }, | |
| "customWidth": "33", | |
| "name": "query - 2 - Copy - Copy" | |
| }, | |
| { | |
| "type": 3, | |
| "content": { | |
| "version": "KqlItem/1.0", | |
| "query": "Syslog\r\n| where Computer in ({Computer})\r\n| extend Severity = iif(SeverityLevel == 'emerg' or SeverityLevel == 'panic', 'Emergency', iif(SeverityLevel == 'alert', 'Alert', iif(SeverityLevel == 'crit', 'Critical', iif(SeverityLevel == 'err' or SeverityLevel == 'error', 'Error', iif(SeverityLevel == 'warning' or SeverityLevel == 'warn', 'Warning', iif(SeverityLevel == 'notice', 'Notice', iif(SeverityLevel == 'info', 'Informational', iif(SeverityLevel == 'debug', 'Debug', 'Unknown'))))))))\r\n| extend SeverityNumber = iif(SeverityLevel == 'emerg' or SeverityLevel == 'panic', 0, iif(SeverityLevel == 'alert', 1, iif(SeverityLevel == 'crit', 2, iif(SeverityLevel == 'err' or SeverityLevel == 'error', 3, iif(SeverityLevel == 'warning' or SeverityLevel == 'warn', 4, iif(SeverityLevel == 'notice', 5, iif(SeverityLevel == 'info', 6, iif(SeverityLevel == 'debug', 7, 8))))))))\r\n| where Severity in ({Severity})\r\n|extend Computer = iif(isempty(_ResourceId), Computer, _ResourceId)\r\n| project TimeGenerated, Computer, SeverityLevel, SeverityNumber, Facility, HostIP, ProcessNameAndID = strcat(ProcessName, ' (', iff(isempty(ProcessID), \"-\", tostring(ProcessID)), ')') \r\n", | |
| "size": 0, | |
| "exportToExcelOptions": "visible", | |
| "title": "Events", | |
| "noDataMessage": "No events", | |
| "timeContext": { | |
| "durationMs": 0 | |
| }, | |
| "timeContextFromParameter": "TimeRange", | |
| "queryType": 0, | |
| "resourceType": "microsoft.operationalinsights/workspaces", | |
| "gridSettings": { | |
| "formatters": [ | |
| { | |
| "columnMatch": "TimeGenerated", | |
| "formatter": 0, | |
| "formatOptions": { | |
| "showIcon": true | |
| } | |
| }, | |
| { | |
| "columnMatch": "Computer", | |
| "formatter": 0, | |
| "formatOptions": { | |
| "showIcon": true | |
| } | |
| }, | |
| { | |
| "columnMatch": "SeverityLevel", | |
| "formatter": 0, | |
| "formatOptions": { | |
| "showIcon": true | |
| } | |
| }, | |
| { | |
| "columnMatch": "SeverityNumber", | |
| "formatter": 8, | |
| "formatOptions": { | |
| "min": 7, | |
| "max": 0, | |
| "palette": "redDark", | |
| "showIcon": true | |
| } | |
| }, | |
| { | |
| "columnMatch": "Facility", | |
| "formatter": 0, | |
| "formatOptions": { | |
| "showIcon": true | |
| } | |
| }, | |
| { | |
| "columnMatch": "HostIP", | |
| "formatter": 0, | |
| "formatOptions": { | |
| "showIcon": true | |
| } | |
| }, | |
| { | |
| "columnMatch": "ProcessNameAndID", | |
| "formatter": 0, | |
| "formatOptions": { | |
| "showIcon": true | |
| } | |
| } | |
| ], | |
| "labelSettings": [] | |
| } | |
| }, | |
| "name": "query - 2 - Copy - Copy - Copy" | |
| }, | |
| { | |
| "type": 3, | |
| "content": { | |
| "version": "KqlItem/1.0", | |
| "query": "Syslog\r\n| where \"{Computer:lable}\" == \"All\" or Computer in ({Computer})\r\n| extend Severity = iif(SeverityLevel == 'emerg' or SeverityLevel == 'panic', 'Emergency', iif(SeverityLevel == 'alert', 'Alert', iif(SeverityLevel == 'crit', 'Critical', iif(SeverityLevel == 'err' or SeverityLevel == 'error', 'Error', iif(SeverityLevel == 'warning' or SeverityLevel == 'warn', 'Warning', iif(SeverityLevel == 'notice', 'Notice', iif(SeverityLevel == 'info', 'Informational', iif(SeverityLevel == 'debug', 'Debug', 'Unknown'))))))))\r\n| where \"*\" in ({Severity}) or Severity in ({Severity})\r\n| summarize count() by SyslogMessage\r\n", | |
| "size": 0, | |
| "exportToExcelOptions": "visible", | |
| "title": "Syslog messages of events", | |
| "noDataMessage": "No messages", | |
| "timeContext": { | |
| "durationMs": 0 | |
| }, | |
| "timeContextFromParameter": "TimeRange", | |
| "queryType": 0, | |
| "resourceType": "microsoft.operationalinsights/workspaces", | |
| "visualization": "piechart" | |
| }, | |
| "customWidth": "50", | |
| "name": "query - 7" | |
| }, | |
| { | |
| "type": 3, | |
| "content": { | |
| "version": "KqlItem/1.0", | |
| "query": "Syslog\r\n| where \"{Computer:lable}\" == \"All\" or Computer in ({Computer})\r\n| extend Severity = iif(SeverityLevel == 'emerg' or SeverityLevel == 'panic', 'Emergency', iif(SeverityLevel == 'alert', 'Alert', iif(SeverityLevel == 'crit', 'Critical', iif(SeverityLevel == 'err' or SeverityLevel == 'error', 'Error', iif(SeverityLevel == 'warning' or SeverityLevel == 'warn', 'Warning', iif(SeverityLevel == 'notice', 'Notice', iif(SeverityLevel == 'info', 'Informational', iif(SeverityLevel == 'debug', 'Debug', 'Unknown'))))))))\r\n| where \"*\" in ({Severity}) or Severity in ({Severity})\r\n| summarize count() by Facility, ProcessName\r\n| project Process = strcat(ProcessName, ' (', Facility, ')'), Count = count_ \r\n", | |
| "size": 0, | |
| "exportToExcelOptions": "visible", | |
| "title": "Process names of events", | |
| "timeContext": { | |
| "durationMs": 0 | |
| }, | |
| "timeContextFromParameter": "TimeRange", | |
| "queryType": 0, | |
| "resourceType": "microsoft.operationalinsights/workspaces", | |
| "visualization": "piechart" | |
| }, | |
| "customWidth": "50", | |
| "name": "query - 11" | |
| }, | |
| { | |
| "type": 3, | |
| "content": { | |
| "version": "KqlItem/1.0", | |
| "query": "Syslog\r\n| where \"{Computer:lable}\" == \"All\" or Computer in ({Computer})\r\n| extend Severity = iif(SeverityLevel == 'emerg' or SeverityLevel == 'panic', 'Emergency', iif(SeverityLevel == 'alert', 'Alert', iif(SeverityLevel == 'crit', 'Critical', iif(SeverityLevel == 'err' or SeverityLevel == 'error', 'Error', iif(SeverityLevel == 'warning' or SeverityLevel == 'warn', 'Warning', iif(SeverityLevel == 'notice', 'Notice', iif(SeverityLevel == 'info', 'Informational', iif(SeverityLevel == 'debug', 'Debug', 'Unknown'))))))))\r\n| where \"*\" in ({Severity}) or Severity in ({Severity})\r\n| summarize count() by Facility, SeverityLevel\r\n", | |
| "size": 0, | |
| "exportToExcelOptions": "visible", | |
| "title": "Event distribution, by facility", | |
| "noDataMessage": "No events", | |
| "timeContext": { | |
| "durationMs": 0 | |
| }, | |
| "timeContextFromParameter": "TimeRange", | |
| "queryType": 0, | |
| "resourceType": "microsoft.operationalinsights/workspaces", | |
| "visualization": "piechart" | |
| }, | |
| "customWidth": "50", | |
| "name": "query - 7 - Copy - Copy - Copy" | |
| }, | |
| { | |
| "type": 3, | |
| "content": { | |
| "version": "KqlItem/1.0", | |
| "query": "Syslog\r\n| where \"{Computer:lable}\" == \"All\" or Computer in ({Computer})\r\n| extend Severity = iif(SeverityLevel == 'emerg' or SeverityLevel == 'panic', 'Emergency', iif(SeverityLevel == 'alert', 'Alert', iif(SeverityLevel == 'crit', 'Critical', iif(SeverityLevel == 'err' or SeverityLevel == 'error', 'Error', iif(SeverityLevel == 'warning' or SeverityLevel == 'warn', 'Warning', iif(SeverityLevel == 'notice', 'Notice', iif(SeverityLevel == 'info', 'Informational', iif(SeverityLevel == 'debug', 'Debug', 'Unknown'))))))))\r\n| where \"*\" in ({Severity}) or Severity in ({Severity})\r\n| summarize count() by Facility, SeverityLevel", | |
| "size": 0, | |
| "exportToExcelOptions": "visible", | |
| "title": "Severity levels, by facility", | |
| "timeContext": { | |
| "durationMs": 0 | |
| }, | |
| "timeContextFromParameter": "TimeRange", | |
| "queryType": 0, | |
| "resourceType": "microsoft.operationalinsights/workspaces", | |
| "visualization": "categoricalbar" | |
| }, | |
| "customWidth": "50", | |
| "name": "query - 11 - Copy" | |
| } | |
| ], | |
| "styleSettings": {}, | |
| "fromTemplateId": "sentinel-LinuxMachines", | |
| "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json" | |
| } |