
Update AzureActiveDirectorySignins.json
t-shaviv committed Jun 6, 2021
1 parent 0445d3d commit 58c9d27
Showing 1 changed file with 5 additions and 31 deletions.
36 changes: 5 additions & 31 deletions Workbooks/AzureActiveDirectorySignins.json
Expand Up @@ -211,35 +211,6 @@
"selectAllValue": ""
},
"jsonData": "[\"SignInLogs\", \"NonInteractiveUserSignInLogs\"]"
},
{
"version": "KqlParameterItem/1.0",
"name": "Country",
"type": 2,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "SigninLogs\r\n|where AppDisplayName in ({Apps}) or '*' in ({Apps})\r\n| extend LocationDetails = parse_json(LocationDetails)\r\n| extend Country = iff(LocationDetails.countryOrRegion == '', 'Unknown country', tostring(LocationDetails.countryOrRegion))\r\n| summarize Count = count() by Country\r\n| order by Count desc, Country asc\r\n| project Value = Country, Label = strcat(Country, ' - ', Count, ' sign-ins'), Selected = false\r\n",
"value": [
"value::all"
],
"typeSettings": {
"limitSelectTo": 100,
"additionalResourceOptions": [
"value::all"
],
"selectAllValue": "*",
"showDefault": false
},
"timeContext": {
"durationMs": 1209600000
},
"timeContextFromParameter": "TimeRange",
"defaultValue": "value::all",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"id": "1811a412-73bf-4ee0-bab8-7129c143b318"
}
],
"style": "pills",
Expand Down Expand Up @@ -313,7 +284,7 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "\r\nlet nonInteractive = AADNonInteractiveUserSignInLogs\r\n| extend LocationDetails = parse_json(LocationDetails)\r\n| extend Status = parse_json(Status);\r\nlet data = \r\nunion SigninLogs,nonInteractive\r\n| extend AppDisplayName = iff(AppDisplayName == '', 'Unknown', AppDisplayName)\r\n|where AppDisplayName in ({Apps}) or '*' in ({Apps})\r\n|where UserDisplayName in ({Users}) \r\n| extend Country = iff(LocationDetails.countryOrRegion == '', 'Unknown country', tostring(LocationDetails.countryOrRegion))\r\n|where Country in ({Country}) or '*' in ({Country})\r\n| extend City = iff(LocationDetails.city == '', 'Unknown city', tostring(LocationDetails.city))\r\n| extend errorCode = Status.errorCode\r\n| extend SigninStatus = case(errorCode == 0, \"Success\", errorCode == 50058, \"Pending user action\",errorCode == 50140, \"Pending user action\", errorCode == 51006, \"Pending user action\", errorCode == 50059, \"Pending user action\",errorCode == 65001, \"Pending user action\", errorCode == 52004, \"Pending user action\", errorCode == 50055, \"Pending user action\", errorCode == 50144, \"Pending user action\", errorCode == 50072, \"Pending user action\", errorCode == 50074, \"Pending user action\", errorCode == 16000, \"Pending user action\", errorCode == 16001, \"Pending user action\", errorCode == 16003, \"Pending user action\", errorCode == 50127, \"Pending user action\", errorCode == 50125, \"Pending user action\", errorCode == 50129, \"Pending user action\", errorCode == 50143, \"Pending user action\", errorCode == 81010, \"Pending user action\", errorCode == 81014, \"Pending user action\", errorCode == 81012 ,\"Pending user action\", \"Failure\")\r\n| where SigninStatus == '{SigninStatus}' or '{SigninStatus}' == '*' or '{SigninStatus}' == 'All Sign-ins';\r\nlet countryData = data\r\n| summarize TotalCount = count(), SuccessCount = countif(SigninStatus == \"Success\"), FailureCount = countif(SigninStatus == \"Failure\"), InterruptCount = 
countif(SigninStatus == \"Pending user action\") by Country,Category\r\n| join kind=inner\r\n(\r\n data\r\n| make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by Country\r\n| project-away TimeGenerated\r\n)\r\non Country\r\n| project Country, TotalCount, SuccessCount,FailureCount,InterruptCount,Trend,Category\r\n| order by TotalCount desc, Country asc;\r\ndata\r\n| summarize TotalCount = count(), SuccessCount = countif(SigninStatus == \"Success\"), FailureCount = countif(SigninStatus == \"Failure\"), InterruptCount = countif(SigninStatus == \"Pending user action\") by Country, City,Category\r\n| join kind=inner\r\n(\r\n data \r\n| make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by Country, City\r\n| project-away TimeGenerated\r\n)\r\non Country, City\r\n| order by TotalCount desc, Country asc\r\n| project Country, City,TotalCount, SuccessCount,FailureCount,InterruptCount, Trend,Category\r\n| join kind=inner\r\n(\r\n countryData\r\n)\r\non Country\r\n| project Id = City, Name = City, Type = 'City', ['Sign-in Count'] = TotalCount, Trend, ['Failure Count'] = FailureCount, ['Interrupt Count'] = InterruptCount, ['Success Rate'] = 1.0 * SuccessCount / TotalCount, ParentId = Country,Category\r\n| union (countryData\r\n| project Id = Country, Name = Country, Type = 'Country', ['Sign-in Count'] = TotalCount, Trend, ['Failure Count'] = FailureCount, ['Interrupt Count'] = InterruptCount, ['Success Rate'] = 1.0 * SuccessCount / TotalCount, ParentId = 'root',Category)\r\n| where Category in ({Category})\r\n| order by ['Sign-in Count'] desc, Name asc\r\n",
"query": "let nonInteractive = AADNonInteractiveUserSignInLogs\r\n| extend LocationDetails = parse_json(LocationDetails)\r\n| extend Status = parse_json(Status);\r\nlet data = \r\nunion SigninLogs,nonInteractive\r\n| extend AppDisplayName = iff(AppDisplayName == '', 'Unknown', AppDisplayName)\r\n|where AppDisplayName in ({Apps}) or '*' in ({Apps})\r\n|where UserDisplayName in ({Users}) \r\n| extend Country = iff(LocationDetails.countryOrRegion == '', 'Unknown country', tostring(LocationDetails.countryOrRegion))\r\n| extend City = iff(LocationDetails.city == '', 'Unknown city', tostring(LocationDetails.city))\r\n| extend errorCode = Status.errorCode\r\n| extend SigninStatus = case(errorCode == 0, \"Success\", errorCode == 50058, \"Pending user action\",errorCode == 50140, \"Pending user action\", errorCode == 51006, \"Pending user action\", errorCode == 50059, \"Pending user action\",errorCode == 65001, \"Pending user action\", errorCode == 52004, \"Pending user action\", errorCode == 50055, \"Pending user action\", errorCode == 50144, \"Pending user action\", errorCode == 50072, \"Pending user action\", errorCode == 50074, \"Pending user action\", errorCode == 16000, \"Pending user action\", errorCode == 16001, \"Pending user action\", errorCode == 16003, \"Pending user action\", errorCode == 50127, \"Pending user action\", errorCode == 50125, \"Pending user action\", errorCode == 50129, \"Pending user action\", errorCode == 50143, \"Pending user action\", errorCode == 81010, \"Pending user action\", errorCode == 81014, \"Pending user action\", errorCode == 81012 ,\"Pending user action\", \"Failure\")\r\n| where SigninStatus == '{SigninStatus}' or '{SigninStatus}' == '*' or '{SigninStatus}' == 'All Sign-ins';\r\nlet countryData = data\r\n| summarize TotalCount = count(), SuccessCount = countif(SigninStatus == \"Success\"), FailureCount = countif(SigninStatus == \"Failure\"), InterruptCount = countif(SigninStatus == \"Pending user action\") by Country,Category\r\n| 
join kind=inner\r\n(\r\n data\r\n| make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by Country\r\n| project-away TimeGenerated\r\n)\r\non Country\r\n| project Country, TotalCount, SuccessCount,FailureCount,InterruptCount,Trend,Category\r\n| order by TotalCount desc, Country asc;\r\ndata\r\n| summarize TotalCount = count(), SuccessCount = countif(SigninStatus == \"Success\"), FailureCount = countif(SigninStatus == \"Failure\"), InterruptCount = countif(SigninStatus == \"Pending user action\") by Country, City,Category\r\n| join kind=inner\r\n(\r\n data \r\n| make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by Country, City\r\n| project-away TimeGenerated\r\n)\r\non Country, City\r\n| order by TotalCount desc, Country asc\r\n| project Country, City,TotalCount, SuccessCount,FailureCount,InterruptCount, Trend,Category\r\n| join kind=inner\r\n(\r\n countryData\r\n)\r\non Country\r\n| project Id = City, Name = City, Type = 'City', ['Sign-in Count'] = TotalCount, Trend, ['Failure Count'] = FailureCount, ['Interrupt Count'] = InterruptCount, ['Success Rate'] = 1.0 * SuccessCount / TotalCount, ParentId = Country,Category\r\n| union (countryData\r\n| project Id = Country, Name = Country, Type = 'Country', ['Sign-in Count'] = TotalCount, Trend, ['Failure Count'] = FailureCount, ['Interrupt Count'] = InterruptCount, ['Success Rate'] = 1.0 * SuccessCount / TotalCount, ParentId = 'root',Category)\r\n| where Category in ({Category})\r\n| order by ['Sign-in Count'] desc, Name asc\r\n",
"size": 1,
"showAnalytics": true,
"title": "Sign-ins by Location",
Expand Down Expand Up @@ -427,7 +398,7 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let nonInteractive = AADNonInteractiveUserSignInLogs\r\n| extend LocationDetails = parse_json(LocationDetails),Status = parse_json(Status),ConditionalAccessPolicies = parse_json(ConditionalAccessPolicies),DeviceDetail =parse_json(DeviceDetail);\r\nlet details = dynamic({ \"Name\":\"\", \"Type\":\"*\"});\r\nlet data = union SigninLogs,nonInteractive\r\n| extend AppDisplayName = iff(AppDisplayName == '', 'Unknown', AppDisplayName)\r\n|where AppDisplayName in ({Apps}) or '*' in ({Apps})\r\n|where UserDisplayName in ({Users}) \r\n| extend Country = tostring(LocationDetails.countryOrRegion)\r\n|where Country in ({Country}) or '*' in ({Country})\r\n| extend City = tostring(LocationDetails.city)\r\n| extend errorCode = Status.errorCode\r\n| extend SigninStatus = case(errorCode == 0, \"Success\", errorCode == 50058, \"Pending user action\",errorCode == 50140, \"Pending user action\", errorCode == 51006, \"Pending user action\", errorCode == 50059, \"Pending user action\",errorCode == 65001, \"Pending user action\", errorCode == 52004, \"Pending user action\", errorCode == 50055, \"Pending user action\", errorCode == 50144, \"Pending user action\", errorCode == 50072, \"Pending user action\", errorCode == 50074, \"Pending user action\", errorCode == 16000, \"Pending user action\", errorCode == 16001, \"Pending user action\", errorCode == 16003, \"Pending user action\", errorCode == 50127, \"Pending user action\", errorCode == 50125, \"Pending user action\", errorCode == 50129, \"Pending user action\", errorCode == 50143, \"Pending user action\", errorCode == 81010, \"Pending user action\", errorCode == 81014, \"Pending user action\", errorCode == 81012 ,\"Pending user action\", \"Failure\")\r\n| where SigninStatus == '{SigninStatus}' or '{SigninStatus}' == '*' or '{SigninStatus}' == 'All Sign-ins'\r\n| where details.Type == '*' or (details.Type == 'Country' and Country == details.Name) or (details.Type == 'City' and City == details.Name);\r\ndata\r\n| top 200 by 
TimeGenerated desc\r\n| extend TimeFromNow = now() - TimeGenerated\r\n| extend TimeAgo = strcat(case(TimeFromNow < 2m, strcat(toint(TimeFromNow / 1m), ' seconds'), TimeFromNow < 2h, strcat(toint(TimeFromNow / 1m), ' minutes'), TimeFromNow < 2d, strcat(toint(TimeFromNow / 1h), ' hours'), strcat(toint(TimeFromNow / 1d), ' days')), ' ago')\r\n| project User = UserDisplayName, ['Sign-in Status'] = strcat(iff(SigninStatus == 'Success', '✔️', '❌'), ' ', SigninStatus), ['Sign-in Time'] = TimeAgo, App = AppDisplayName, ['Error code'] = errorCode, ['Result type'] = ResultType, ['Result signature'] = ResultSignature, ['Result description'] = ResultDescription, ['Conditional access policies'] = ConditionalAccessPolicies, ['Conditional access status'] = ConditionalAccessStatus, ['Operating system'] = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser, ['Country or region'] = LocationDetails.countryOrRegion, ['State'] = LocationDetails.state, ['City'] = LocationDetails.city, ['Time generated'] = TimeGenerated, Status, ['User principal name'] = UserPrincipalName, Category\r\n| where Category in ({Category})\r\n\r\n\r\n",
"query": "let selectedCountry = dynamic([{LocationDetail}]);\r\nlet nonInteractive = AADNonInteractiveUserSignInLogs\r\n| extend LocationDetails = parse_json(LocationDetails),Status = parse_json(Status),ConditionalAccessPolicies = parse_json(ConditionalAccessPolicies),DeviceDetail =parse_json(DeviceDetail);\r\nlet details = dynamic({ \"Name\":\"\", \"Type\":\"*\"});\r\nlet data = union SigninLogs,nonInteractive\r\n| extend AppDisplayName = iff(AppDisplayName == '', 'Unknown', AppDisplayName)\r\n|where AppDisplayName in ({Apps}) or '*' in ({Apps})\r\n|where UserDisplayName in ({Users}) \r\n| extend Country = tostring(LocationDetails.countryOrRegion)\r\n| where array_length(selectedCountry) == 0 or \"*\" in (selectedCountry) or Country in (selectedCountry)\r\n| extend City = tostring(LocationDetails.city)\r\n| extend errorCode = Status.errorCode\r\n| extend SigninStatus = case(errorCode == 0, \"Success\", errorCode == 50058, \"Pending user action\",errorCode == 50140, \"Pending user action\", errorCode == 51006, \"Pending user action\", errorCode == 50059, \"Pending user action\",errorCode == 65001, \"Pending user action\", errorCode == 52004, \"Pending user action\", errorCode == 50055, \"Pending user action\", errorCode == 50144, \"Pending user action\", errorCode == 50072, \"Pending user action\", errorCode == 50074, \"Pending user action\", errorCode == 16000, \"Pending user action\", errorCode == 16001, \"Pending user action\", errorCode == 16003, \"Pending user action\", errorCode == 50127, \"Pending user action\", errorCode == 50125, \"Pending user action\", errorCode == 50129, \"Pending user action\", errorCode == 50143, \"Pending user action\", errorCode == 81010, \"Pending user action\", errorCode == 81014, \"Pending user action\", errorCode == 81012 ,\"Pending user action\", \"Failure\")\r\n| where SigninStatus == '{SigninStatus}' or '{SigninStatus}' == '*' or '{SigninStatus}' == 'All Sign-ins'\r\n| where details.Type == '*' or (details.Type == 'Country' 
and Country == details.Name) or (details.Type == 'City' and City == details.Name);\r\ndata\r\n| top 200 by TimeGenerated desc\r\n| extend TimeFromNow = now() - TimeGenerated\r\n| extend TimeAgo = strcat(case(TimeFromNow < 2m, strcat(toint(TimeFromNow / 1m), ' seconds'), TimeFromNow < 2h, strcat(toint(TimeFromNow / 1m), ' minutes'), TimeFromNow < 2d, strcat(toint(TimeFromNow / 1h), ' hours'), strcat(toint(TimeFromNow / 1d), ' days')), ' ago')\r\n| project User = UserDisplayName, ['Sign-in Status'] = strcat(iff(SigninStatus == 'Success', '✔️', '❌'), ' ', SigninStatus), ['Sign-in Time'] = TimeAgo, App = AppDisplayName, ['Error code'] = errorCode, ['Result type'] = ResultType, ['Result signature'] = ResultSignature, ['Result description'] = ResultDescription, ['Conditional access policies'] = ConditionalAccessPolicies, ['Conditional access status'] = ConditionalAccessStatus, ['Operating system'] = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser, ['Country or region'] = LocationDetails.countryOrRegion, ['State'] = LocationDetails.state, ['City'] = LocationDetails.city, ['Time generated'] = TimeGenerated, Status, ['User principal name'] = UserPrincipalName, Category\r\n| where Category in ({Category})\r\n\r\n\r\n",
"size": 1,
"showAnalytics": true,
"title": "Location Sign-in details",
Expand Down Expand Up @@ -1400,6 +1371,9 @@
"name": "query - 7 - Copy"
}
],
"fallbackResourceIds": [
"/subscriptions/d1d8779d-38d7-4f06-91db-9cbc8de0176f/resourcegroups/soc/providers/microsoft.operationalinsights/workspaces/cybersecuritysoc"
],
"fromTemplateId": "sentinel-AzureActiveDirectorySigninLogs",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}
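Review bot: The added `fallbackResourceIds` entry pins this shared template to one specific environment — the path embeds a subscription GUID, the resource group `soc` and the workspace `cybersecuritysoc` — which both discloses tenant-specific identifiers in a public repository and makes the workbook fall back to a workspace other users cannot access. This array is typically populated when a workbook is saved from the portal and should be cleared before committing a template, e.g. `"fallbackResourceIds": [],` or the property removed entirely. Separately, the rewritten "Location Sign-in details" query now depends on `{LocationDetail}` via `let selectedCountry = dynamic([{LocationDetail}]);`, but no parameter of that name is defined anywhere in this diff (the only parameter touched is the removed `Country` one); it is presumably populated by a grid selection export from "Sign-ins by Location", which is outside the shown hunks, so please confirm it exists and emits quoted values, since the text is substituted verbatim into KQL and an unquoted or empty substitution would break the query rather than filter it. Note also that `details` is a constant `{"Name":"","Type":"*"}`, so the `where details.Type == '*' or ...` clause is always true — pre-existing, but worth dropping while this query is being reworked.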
