{ "version": "Notebook/1.0", "items": [ { "type": 9, "content": { "version": "KqlParameterItem/1.0", "crossComponentResources": [ "" ], "parameters": [ { "id": "997c84bc-c454-47f7-a288-99429173dfeb", "version": "KqlParameterItem/1.0", "name": "Subscription", "type": 6, "isRequired": true, "multiSelect": true, "quote": "'", "delimiter": ",", "value": [], "typeSettings": { "additionalResourceOptions": [], "includeAll": false }, "label": "☁️Subscription" }, { "id": "73638b3d-aa3f-4872-a56b-a0eaf3fc7714", "version": "KqlParameterItem/1.0", "name": "Workspace", "type": 5, "isRequired": true, "query": "Resources | where type =~ \"microsoft.operationalinsights/workspaces\" | order by name | project id, name, selected=row_number()==1, group=resourceGroup", "crossComponentResources": [ "{Subscription}" ], "typeSettings": { "additionalResourceOptions": [] }, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", "value": "", "label": "🗂️ Workspace" }, { "id": "9fa77675-1222-4936-89d0-285da325bba0", "version": "KqlParameterItem/1.0", "name": "TimeRange", "label": "⏱️ Time Range", "type": 4, "description": "Used as the \"outer\" time range for the query. 
The query text may further alter the range", "isRequired": true, "value": { "durationMs": 1209600000 }, "typeSettings": { "selectableValues": [ { "durationMs": 300000 }, { "durationMs": 900000 }, { "durationMs": 1800000 }, { "durationMs": 3600000 }, { "durationMs": 14400000 }, { "durationMs": 43200000 }, { "durationMs": 86400000 }, { "durationMs": 172800000 }, { "durationMs": 259200000 }, { "durationMs": 604800000 }, { "durationMs": 1209600000 }, { "durationMs": 2419200000 }, { "durationMs": 2592000000 }, { "durationMs": 5184000000 }, { "durationMs": 7776000000 } ], "allowCustom": true } }, { "id": "a0406b61-d150-4fd8-80d7-b2e0f97585c4", "version": "KqlParameterItem/1.0", "name": "Help", "type": 10, "isRequired": true, "typeSettings": { "additionalResourceOptions": [] }, "jsonData": "[\r\n { \"value\": \"Yes\", \"label\": \"Yes\"},\r\n {\"value\": \"No\", \"label\": \"No\", \"selected\":true },\r\n { \"value\": \"Change Log\", \"label\": \"Change Log\"}\r\n]", "label": "📖 Help" } ], "style": "above", "queryType": 0, "resourceType": "microsoft.resourcegraph/resources" }, "customWidth": "50", "name": "parameters - 1" }, { "type": 1, "content": { "json": "### Change Log \r\n\r\n|Version|Description|\r\n|---|---|\r\n|v1.0|Initial Version.| " }, "conditionalVisibility": { "parameterName": "Help", "comparison": "isEqualTo", "value": "Change Log" }, "name": "text - 7 - Copy" }, { "type": 1, "content": { "json": "### Help file\r\n\r\nSupports the new AWS S3 connector and these signals:\r\n- GuardDuty\r\n- VPCFlow Logs\r\n- CloudTrail \r\n\r\n" }, "conditionalVisibility": { "parameterName": "Help", "comparison": "isEqualTo", "value": "Yes" }, "name": "text - 7" }, { "type": 11, "content": { "version": "LinkItem/1.0", "style": "tabs", "links": [ { "id": "f9950e6b-4957-4c0b-a43b-fde1eafebaab", "cellValue": "selectedTab", "linkTarget": "parameter", "linkLabel": "☁ CloudTrail", "subTarget": "cloudtrail", "style": "link" }, { "id": "39fcc03c-466c-4417-b009-2912a0ce1d8c", 
"cellValue": "selectedTab", "linkTarget": "parameter", "linkLabel": "🛡️ GuardDuty", "subTarget": "guardduty", "style": "link" }, { "id": "dbc501df-e7cc-41d6-b0a8-35dbff843429", "cellValue": "selectedTab", "linkTarget": "parameter", "linkLabel": "🏞 VPCFlow", "subTarget": "vpcflow", "style": "link" }, { "id": "353f29f7-ab93-443b-951b-fc8792800edf", "cellValue": "selectedTab", "linkTarget": "parameter", "linkLabel": "📈 Table Status", "subTarget": "status", "style": "link" } ] }, "name": "links - 6" }, { "type": 1, "content": { "json": "## Select a workspace to see saved queries." }, "conditionalVisibilities": [ { "parameterName": "Workspace", "comparison": "isEqualTo" }, { "parameterName": "Subscription", "comparison": "isNotEqualTo" } ], "name": "no workspace set" }, { "type": 1, "content": { "json": "## Select one or more subscriptions, then pick a workspace to get started" }, "conditionalVisibility": { "parameterName": "Subscription", "comparison": "isEqualTo" }, "name": "no subscription selected" }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "title": "Group: GuardDuty", "items": [ { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AWSGuardDuty\r\n| summarize count() by bin(TimeGenerated,{TimeRange:grain})", "size": 4, "title": "📊 Data flow over Time. 
TimeRange selected: {TimeRange:label} with Automatic Time Grain of: {TimeRange:grain}", "color": "pink", "timeContext": { "durationMs": 604800000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "areachart" }, "name": "query - 2" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AWSGuardDuty\r\n| summarize count() by ActivityType, Severity", "size": 1, "timeContext": { "durationMs": 604800000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ] }, "name": "query - 0" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": " AWSGuardDuty\r\n | extend tokens = split(ActivityType,\":\")\r\n | extend ThreatPurpose = tokens[0], tokens= split(tokens[1],\"/\")\r\n | extend ResourceTypeAffected = tokens[0], ThreatFamilyName= tokens[1]\r\n | extend UniqueFindingId = Id\r\n | extend AWSAcoundId = AccountId\r\n | extend ip_ = ServiceDetails.action.awsApiCallAction.remoteIpDetails.ipAddressV4\r\n | project-away tokens,ActivityType, Id, AccountId\r\n | project-away TimeGenerated, TenantId, SchemaVersion, Region, Partition\r\n | extend Severity= iff(Severity between (7.0..8.9),\"High\",iff(Severity between\r\n (4.0..6.9), \"Medium\", iff(Severity between (1.0..3.9),\"Low\",\"Unknown\")))", "size": 1, "title": "Guardduty Severity", "timeContext": { "durationMs": 604800000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "Severity", "formatter": 18, "formatOptions": { "thresholdsOptions": "colors", "thresholdsGrid": [ { "operator": "==", "thresholdValue": "High", "representation": "redBright", "text": "{0}{1}" }, { "operator": "==", "thresholdValue": 
"Medium", "representation": "orange", "text": "{0}{1}" }, { "operator": "==", "thresholdValue": "Low", "representation": "green", "text": "{0}{1}" }, { "operator": "Default", "thresholdValue": null, "representation": "gray", "text": "{0}{1}" } ] } } ] } }, "name": "query - 0 - Copy" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AWSGuardDuty\r\n| extend tokens = split(ActivityType,\":\")\r\n| extend AWSAcoundId = AccountId\r\n| extend \r\n country_ = ServiceDetails.action.awsApiCallAction.remoteIpDetails.country.countryName, \r\n city_ = ServiceDetails.action.awsApiCallAction.remoteIpDetails.city.cityName, \r\n lat_ = ServiceDetails.action.awsApiCallAction.remoteIpDetails.geoLocation.lat, \r\n lon_ = ServiceDetails.action.awsApiCallAction.remoteIpDetails.geoLocation.lon \r\n| summarize count() by tostring(country_), tostring(lat_), tostring(lon_)", "size": 1, "title": "Guardduty Map", "timeContext": { "durationMs": 604800000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "map", "gridSettings": { "formatters": [ { "columnMatch": "Severity", "formatter": 18, "formatOptions": { "thresholdsOptions": "colors", "thresholdsGrid": [ { "operator": "==", "thresholdValue": "High", "representation": "redBright", "text": "{0}{1}" }, { "operator": "==", "thresholdValue": "Medium", "representation": "orange", "text": "{0}{1}" }, { "operator": "==", "thresholdValue": "Low", "representation": "green", "text": "{0}{1}" }, { "operator": "Default", "thresholdValue": null, "representation": "gray", "text": "{0}{1}" } ] } } ] }, "mapSettings": { "locInfo": "LatLong", "latitude": "lat_", "longitude": "lon_", "sizeSettings": "count_", "sizeAggregation": "Sum", "labelSettings": "country_", "legendMetric": "count_", "legendAggregation": "Sum", "itemColorSettings": { "nodeColorField": "count_", "colorAggregation": "Sum", "type": "heatmap", 
"heatmapPalette": "greenRed" } } }, "name": "query -location map" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": " AWSGuardDuty\r\n | summarize count() by Region, Partition", "size": 1, "title": "Guardduty by Region", "timeContext": { "durationMs": 2592000000 }, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ] }, "customWidth": "50", "name": "query -region" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": " AWSGuardDuty\r\n | extend tokens = split(ActivityType,\":\")\r\n | extend ThreatPurpose = tokens[0], tokens= split(tokens[1],\"/\")\r\n | extend ResourceTypeAffected = tokens[0], ThreatFamilyName= tokens[1] \r\n | extend AWSAcoundId = AccountId\r\n | summarize count() by tostring(ThreatPurpose), tostring(ThreatFamilyName), tostring(ResourceTypeAffected), AWSAcoundId", "size": 1, "title": "Guardduty by Threat", "timeContext": { "durationMs": 2592000000 }, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ] }, "customWidth": "50", "name": "query -Threat" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": " AWSGuardDuty\r\n | extend tokens = split(ActivityType,\":\")\r\n | extend ThreatPurpose = tokens[0], tokens= split(tokens[1],\"/\")\r\n | extend ResourceTypeAffected = tokens[0], ThreatFamilyName= tokens[1] \r\n | extend AWSAcoundId = AccountId\r\n | extend ip_ = ServiceDetails.action.awsApiCallAction.remoteIpDetails.ipAddressV4, city_ = ServiceDetails.action.awsApiCallAction.remoteIpDetails.city.cityName\r\n | summarize count() by AWSAcoundId, ipAddressV4=tostring(ip_), CityName = tostring(city_)\r\n | order by count_ desc", "size": 1, "title": "Guardduty by IP, click for GeoLocation api details", "timeContext": { "durationMs": 2592000000 }, "exportFieldName": "ipAddressV4", "exportParameterName": "ipAddress", "queryType": 0, "resourceType": 
"microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "count_", "formatter": 4, "formatOptions": { "palette": "greenRed" } } ] } }, "customWidth": "50", "name": "query - IP count" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "{\"version\":\"ARMEndpoint/1.0\",\"data\":null,\"headers\":[],\"method\":\"GET\",\"path\":\"/subscriptions/{Workspace:subscriptionid}/resourceGroups/{Workspace:resourceGroup}/providers/Microsoft.SecurityInsights/enrichment/ip/geodata/?ipaddress={ipAddress}&api-version=2021-09-01-preview\",\"urlParams\":[],\"batchDisabled\":false,\"transformers\":[{\"type\":\"jsonpath\",\"settings\":{\"tablePath\":\"$\",\"columns\":[]}}]}", "size": 4, "title": "🖧 Lookup IP Address: {ipAddress} from Microsoft geoLocation api", "queryType": 12, "gridSettings": { "formatters": [ { "columnMatch": "country", "formatter": 18, "formatOptions": { "thresholdsOptions": "icons", "thresholdsGrid": [ { "operator": "Default", "thresholdValue": null, "representation": "Globe", "text": "{0}{1}" } ] } }, { "columnMatch": "ipAddr", "formatter": 18, "formatOptions": { "thresholdsOptions": "colors", "thresholdsGrid": [ { "operator": "Default", "thresholdValue": null, "representation": "gray", "text": "{0}{1}" } ] } } ] } }, "conditionalVisibility": { "parameterName": "ipAddress", "comparison": "isNotEqualTo" }, "name": "query - geoLocation api" } ] }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "guardduty" }, "name": "group - guardDuty" }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "title": "Group: CloudTrail", "items": [ { "type": 11, "content": { "version": "LinkItem/1.0", "style": "tabs", "links": [ { "id": "e19485ef-72e1-4618-8a67-608ba16f543f", "cellValue": "selectedTab", "linkTarget": "parameter", "linkLabel": "🔎 Overview", "subTarget": "overview", "style": "link" }, { "id": 
"2fb1e1e8-193f-4a50-a5d3-a9619f0628d3", "cellValue": "selectedTab", "linkTarget": "parameter", "linkLabel": "👤 User", "subTarget": "user", "preText": "selectedTab", "style": "link" }, { "id": "3f1622e1-f64f-4fb0-8c84-c1d6e2d51705", "cellValue": "selectedTab", "linkTarget": "parameter", "linkLabel": "🖧 Network", "subTarget": "network", "style": "link" } ] }, "name": "links - Cloud Trail sub menu" }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "items": [ { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AWSCloudTrail\r\n| where EventName contains \"Login\"\r\n| project TimeGenerated, UserIdentityArn, SourceIpAddress, LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin), EventName, UserIdentityUserName\r\n| where LoginResult != \"\"\r\n| summarize count() by TimeGenerated, LoginResult, EventName, UserIdentityUserName, bin(TimeGenerated, {TimeRange:grain})", "size": 0, "title": "Sign-in events", "timeContext": { "durationMs": 604800000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "areachart" }, "customWidth": "50", "name": "query - 2" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "let data = AWSCloudTrail\r\n| where EventName contains \"Login\"\r\n| extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin)\r\n| where LoginResult != \"\";\r\nlet appData = data\r\n| summarize TotalCount = count() by LoginResult\r\n| join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by LoginResult\r\n | project-away TimeGenerated) on LoginResult\r\n| order by TotalCount desc, LoginResult asc\r\n| project LoginResult, TotalCount, Trend\r\n| serialize Id = row_number();\r\ndata\r\n| summarize TotalCount = count() by EventName , LoginResult\r\n| join 
kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by LoginResult, EventName\r\n | project-away TimeGenerated) on LoginResult, EventName\r\n| order by TotalCount desc, LoginResult asc\r\n| project LoginResult, EventName, TotalCount, Trend\r\n| serialize Id = row_number(1000000)\r\n| join kind=inner (appData) on LoginResult\r\n| project Id, Name = EventName, Type = 'EventName', ['LoginResults Count'] = TotalCount, Trend, ParentId = Id1\r\n| union (appData \r\n | project Id, Name = LoginResult, Type = 'LoginResult', ['LoginResults Count'] = TotalCount, Trend)\r\n| order by ['LoginResults Count'] desc, Name asc", "size": 0, "title": "Sign-in events results", "timeContext": { "durationMs": 604800000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "Id", "formatter": 5, "formatOptions": { "showIcon": true } }, { "columnMatch": "Name", "formatter": 18, "formatOptions": { "showIcon": true, "thresholdsOptions": "icons", "thresholdsGrid": [ { "operator": "==", "thresholdValue": "Success", "representation": "success", "text": "{0}{1}" }, { "operator": "==", "thresholdValue": "Failure", "representation": "failed", "text": "{0}{1}" }, { "operator": "Default", "thresholdValue": null, "representation": "Blank", "text": "{0}{1}" } ] } }, { "columnMatch": "LoginResults Count", "formatter": 8, "formatOptions": { "min": 0, "palette": "blueDark", "showIcon": true } }, { "columnMatch": "Trend", "formatter": 9, "formatOptions": { "min": 0, "palette": "purple", "showIcon": true } }, { "columnMatch": "ParentId", "formatter": 5, "formatOptions": { "showIcon": true } } ], "hierarchySettings": { "idColumn": "Id", "parentColumn": "ParentId", "treeType": 0, "expanderColumn": "Name" } } }, "customWidth": "50", "name": "query - 3" }, { 
"type": 3, "content": { "version": "KqlItem/1.0", "query": "AWSCloudTrail\r\n| where EventName contains \"login\" or EventName contains \"signin\"\r\n| extend Result = tostring(parse_json(ResponseElements).ConsoleLogin)\r\n| where Result != \"\"\r\n| summarize Success = sum(Result == \"Success\"), Failure = sum(Result == \"Failure\") by UserIdentityUserName, UserIdentityAccountId, SourceIpAddress, EventName\r\n//| summarize NumberOfIPs = count() by UserIdentityUserName, UserIdentityAccountId, Success, Failure, EventName\r\n| sort by Failure desc \r\n", "size": 0, "title": "User sign-ins, by failure rate, and IP addresses", "timeContext": { "durationMs": 604800000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "UserIdentityUserName", "formatter": 5, "formatOptions": { "showIcon": true } }, { "columnMatch": "UserIdentityAccountId", "formatter": 0, "formatOptions": { "showIcon": true, "aggregation": "Unique" } }, { "columnMatch": "SourceIpAddress", "formatter": 0, "formatOptions": { "showIcon": true, "aggregation": "Unique" } }, { "columnMatch": "EventName", "formatter": 0, "formatOptions": { "showIcon": true, "aggregation": "Unique" } }, { "columnMatch": "Success", "formatter": 8, "formatOptions": { "min": 0, "palette": "greenRed", "showIcon": true, "aggregation": "Sum" } }, { "columnMatch": "Failure", "formatter": 8, "formatOptions": { "palette": "greenRed", "showIcon": true, "aggregation": "Sum" } }, { "columnMatch": "NumberOfIPs", "formatter": 4, "formatOptions": { "min": 0, "palette": "blue", "showIcon": true, "aggregation": "Unique" } } ], "hierarchySettings": { "treeType": 1, "groupBy": [ "UserIdentityUserName" ] } }, "sortBy": [] }, "customWidth": "50", "name": "query - 4" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AWSCloudTrail\r\n| where EventName contains \"login\" or 
EventName contains \"signin\"\r\n| summarize count() by Event = strcat(EventTypeName, \": \", EventName), bin(TimeGenerated, {TimeRange:grain})\r\n", "size": 0, "title": "Console and API signin events over time", "timeContext": { "durationMs": 604800000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "barchart" }, "customWidth": "50", "name": "query - 5" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AWSCloudTrail\r\n| where EventName contains \"Login\"\r\n| where tostring(parse_json(ResponseElements).ConsoleLogin) == \"Failure\"\r\n| summarize count() by UserIdentityUserName, UserIdentityArn, SourceIpAddress, ErrorMessage, UserAgent, AWSRegion, TimeGenerated ", "size": 0, "title": "Failed sign-ins", "timeContext": { "durationMs": 604800000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "UserIdentityUserName", "formatter": 7, "formatOptions": { "linkTarget": "GenericDetails", "linkIsContextBlade": true, "showIcon": true } }, { "columnMatch": "UserIdentityArn", "formatter": 5, "formatOptions": { "showIcon": true } }, { "columnMatch": "UserAgent", "formatter": 5, "formatOptions": { "showIcon": true } }, { "columnMatch": "AWSRegion", "formatter": 5, "formatOptions": { "showIcon": true } }, { "columnMatch": "TimeGenerated", "formatter": 6, "formatOptions": { "showIcon": true }, "dateFormat": { "formatName": "fullDateTimePattern" } }, { "columnMatch": "count_", "formatter": 8, "formatOptions": { "min": 0, "palette": "redDark", "showIcon": true } } ], "filter": true } }, "name": "query - 8" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AWSCloudTrail\r\n| where UserIdentityType == \"IAMUser\"\r\n| summarize NumberOfEvents = count() by 
UserIdentityUserName, bin(TimeGenerated, {TimeRange:grain})\r\n", "size": 0, "title": "Active users", "timeContext": { "durationMs": 604800000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "barchart" }, "customWidth": "33", "name": "query - 9" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AWSCloudTrail\r\n| summarize NumberOfEvents = count() by UserIdentityAccountId , bin(TimeGenerated, {TimeRange:grain})\r\n| where UserIdentityAccountId != \"\"", "size": 0, "title": "Active account IDs", "timeContext": { "durationMs": 604800000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "barchart" }, "customWidth": "33", "name": "query - 10" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AWSCloudTrail\r\n| summarize count() by UserIdentityType, bin(TimeGenerated, {TimeRange:grain})", "size": 0, "title": "User identity types", "timeContext": { "durationMs": 604800000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "barchart" }, "customWidth": "33", "name": "query - 15" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AWSCloudTrail\r\n//| where UserIdentityAccountId != \"\"\r\n//| where UserIdentityUserName != \"\"\r\n| summarize NumberOfEvents = count() by UserIdentityAccountId, UserIdentityUserName, EventName,SourceIpAddress, UserIdentityType, EventTypeName, TimeGenerated\r\n| order by NumberOfEvents desc", "size": 0, "showAnalytics": true, "title": "Summary", "timeContext": { "durationMs": 604800000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", 
"crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "UserIdentityAccountId", "formatter": 7, "formatOptions": { "linkTarget": "GenericDetails", "linkIsContextBlade": true, "showIcon": true } }, { "columnMatch": "EventName", "formatter": 5, "formatOptions": { "showIcon": true } }, { "columnMatch": "SourceIpAddress", "formatter": 5, "formatOptions": { "showIcon": true } }, { "columnMatch": "EventTypeName", "formatter": 5, "formatOptions": { "showIcon": true } }, { "columnMatch": "TimeGenerated", "formatter": 5, "formatOptions": { "showIcon": true } }, { "columnMatch": "NumberOfEvents", "formatter": 4, "formatOptions": { "min": 0, "palette": "purple", "showIcon": true } } ], "rowLimit": 1000, "filter": true } }, "customWidth": "50", "name": "query - 15" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AWSCloudTrail\r\n| where EventName == \"GetCallerIdentity\"\r\n| where UserIdentityType == \"AssumedRole\" \r\n| summarize Count = count() by SourceIpAddress, UserIdentityAccountId, UserIdentityPrincipalid, AWSRegion, TimeGenerated\r\n| sort by Count desc nulls last ", "size": 0, "title": "Suspicious assumed-role account reconnaissance", "timeContext": { "durationMs": 604800000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "Count", "formatter": 8, "formatOptions": { "min": 0, "palette": "redDark", "showIcon": true } } ] } }, "customWidth": "50", "name": "query - 11" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "let data = AWSCloudTrail;\r\nlet appData = data\r\n| summarize TotalCount = count() by AWSRegion\r\n| join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by AWSRegion\r\n | project-away TimeGenerated) on AWSRegion\r\n| 
order by TotalCount desc, AWSRegion asc\r\n| project AWSRegion, TotalCount, Trend\r\n| serialize Id = row_number();\r\ndata\r\n| summarize TotalCount = count() by EventName , AWSRegion\r\n| join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by AWSRegion, EventName\r\n | project-away TimeGenerated) on AWSRegion, EventName\r\n| order by TotalCount desc, AWSRegion asc\r\n| project AWSRegion, EventName, TotalCount, Trend\r\n| serialize Id = row_number(1000000)\r\n| join kind=inner (appData) on AWSRegion\r\n| project Id, Name = EventName, Type = 'EventName', ['AWSRegions Count'] = TotalCount, Trend, ParentId = Id1\r\n| union (appData \r\n | project Id, Name = AWSRegion, Type = 'AWSRegion', ['AWSRegions Count'] = TotalCount, Trend)\r\n| order by ['AWSRegions Count'] desc, Name asc", "size": 0, "showAnalytics": true, "title": "Activities, by region - click to filter", "timeContext": { "durationMs": 604800000 }, "timeContextFromParameter": "TimeRange", "exportParameterName": "RegionFilter", "exportDefaultValue": "{ \"Name\":\"\", \"Type\":\"*\"}", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "Id", "formatter": 5, "formatOptions": { "showIcon": true } }, { "columnMatch": "AWSRegions Count", "formatter": 4, "formatOptions": { "min": 0, "palette": "orange", "showIcon": true } }, { "columnMatch": "Trend", "formatter": 10, "formatOptions": { "min": 0, "palette": "lightBlue", "showIcon": true } }, { "columnMatch": "ParentId", "formatter": 5, "formatOptions": { "showIcon": true } } ], "filter": true, "hierarchySettings": { "idColumn": "Id", "parentColumn": "ParentId", "treeType": 0, "expanderColumn": "Name" } } }, "customWidth": "50", "name": "query - 13" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "let details = 
dynamic({RegionFilter});\r\nAWSCloudTrail\r\n| where details.Type == \"*\" or (details.Type == \"EventName\" and details.Name == EventName) or (details.Type == \"AWSRegion\" and details.Name == AWSRegion)\r\n| summarize count() by AWSRegion, bin(TimeGenerated, {TimeRange:grain})\r\n", "size": 0, "title": "Activities, by region over time", "timeContext": { "durationMs": 604800000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "linechart" }, "customWidth": "50", "name": "query - 12" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AWSCloudTrail\r\n| summarize Count = count() by UserAgent\r\n| order by Count\r\n", "size": 0, "showAnalytics": true, "title": "User agent activities - click to filter", "timeContext": { "durationMs": 604800000 }, "timeContextFromParameter": "TimeRange", "exportFieldName": "UserAgent", "exportParameterName": "UserAgent", "exportDefaultValue": "All", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "Count", "formatter": 8, "formatOptions": { "min": 0, "palette": "blueDark", "showIcon": true } } ], "filter": true } }, "customWidth": "40", "name": "query - 16" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AWSCloudTrail\r\n| where '{UserAgent}' == UserAgent or '{UserAgent}' == \"All\"\r\n| summarize Count = count() by UserAgent, TimeGenerated", "size": 0, "title": "User agent activities over time", "timeContext": { "durationMs": 604800000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "linechart" }, "customWidth": "60", "name": "query - 17" } ] }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": 
"isEqualTo", "value": "user" }, "name": "group - User" }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "items": [ { "type": 3, "content": { "version": "KqlItem/1.0", "query": "let data = AWSCloudTrail;\r\ndata\r\n| summarize Count = count() by AWSRegion\r\n| join kind = fullouter (datatable(AWSRegion:string)['OneDrive', 'SharePoint']) on AWSRegion\r\n| project AWSRegion = iff(AWSRegion == '', AWSRegion1, AWSRegion), Count = iff(AWSRegion == '', 0, Count)\r\n| join kind = inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by AWSRegion)\r\n on AWSRegion\r\n| project-away AWSRegion1, TimeGenerated\r\n| extend AWSRegion = AWSRegion\r\n| union (\r\n data \r\n | summarize Count = count() \r\n | extend jkey = 1\r\n | join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\r\n | extend jkey = 1) on jkey\r\n | extend AWSRegion = 'All', AWSRegions = '*' \r\n)\r\n| order by Count desc\r\n| take 10\r\n", "size": 4, "title": "Top 10 active regions - click to filter", "timeContext": { "durationMs": 604800000 }, "timeContextFromParameter": "TimeRange", "exportFieldName": "AWSRegion", "exportParameterName": "AWSRegion", "exportDefaultValue": "All", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "tiles", "tileSettings": { "titleContent": { "columnMatch": "AWSRegion", "formatter": 1, "formatOptions": { "showIcon": true } }, "leftContent": { "columnMatch": "Count", "formatter": 12, "formatOptions": { "palette": "auto", "showIcon": true }, "numberFormat": { "unit": 17, "options": { "maximumSignificantDigits": 3, "maximumFractionDigits": 2 } } }, "secondaryContent": { "columnMatch": "Trend", "formatter": 9, "formatOptions": { "min": 0, "palette": "blue", "showIcon": true } }, 
"showBorder": false } }, "name": "query - 2" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AWSCloudTrail\r\n//| where EventSource == \"ec2.amazonaws.com\" and (EventName startswith \"create\" or EventName startswith \"replace\" or EventName startswith \"delete\" or EventName startswith \"authorize\" or EventName startswith \"revoke\") and (EventName !contains \"Volume\" and EventName !contains \"KeyPair\" and EventName !contains \"Tags\" and EventName !contains \"Image\" and EventName !contains \"LaunchTemplate\")\r\n| where AWSRegion == '{AWSRegion}' or '{AWSRegion}' == \"All\"\r\n| summarize count() by AWSRegion, bin(TimeGenerated, {TimeRange:grain})", "size": 0, "title": "Network events, by region", "timeContext": { "durationMs": 604800000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "barchart" }, "customWidth": "50", "name": "query - 3" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AWSCloudTrail\r\n//| where EventSource == \"ec2.amazonaws.com\" and (EventName startswith \"create\" or EventName startswith \"replace\" or EventName startswith \"delete\" or EventName startswith \"authorize\" or EventName startswith \"revoke\") and (EventName !contains \"Volume\" and EventName !contains \"KeyPair\" and EventName !contains \"Tags\" and EventName !contains \"Image\" and EventName !contains \"LaunchTemplate\")\r\n| where AWSRegion == '{AWSRegion}' or '{AWSRegion}' == \"All\"\r\n| summarize count() by EventName, bin(TimeGenerated, {TimeRange:grain})", "size": 0, "title": "Network event types", "timeContext": { "durationMs": 604800000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "areachart" }, "customWidth": "50", "name": "query - 4" }, { "type": 3, "content": { 
"version": "KqlItem/1.0", "query": "AWSCloudTrail\r\n| where EventSource == \"ec2.amazonaws.com\" and (EventName == \"AuthorizeSecurityGroupEgress\" or EventName == \"AuthorizeSecurityGroupIngress\" or EventName == \"CreateSecurityGroup\" or EventName == \"RevokeSecurityGroupEgress\" or EventName == \"RevokeSecurityGroupIngress\" or EventName == \"DeleteSecurityGroup\" or EventName == \"ReplaceNetworkAclEntry\" or EventName == \"CreateNetworkAcl\" or EventName == \"DeleteNetworkAcl\")\r\n| summarize Count = count() by EventName, UserIdentityArn, AWSRegion, EventTypeName, SessionIssuerType, EventSource, SourceIpAddress\r\n| project-rename TotalChanges = Count\r\n| order by TotalChanges desc\r\n", "size": 0, "title": "Click to filter by event name", "timeContext": { "durationMs": 604800000 }, "timeContextFromParameter": "TimeRange", "exportFieldName": "EventName", "exportParameterName": "EventName", "exportDefaultValue": "All", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "EventName", "formatter": 7, "formatOptions": { "linkTarget": "GenericDetails", "linkIsContextBlade": true, "showIcon": true } }, { "columnMatch": "UserIdentityArn", "formatter": 0, "formatOptions": { "showIcon": true, "aggregation": "Unique" } }, { "columnMatch": "AWSRegion", "formatter": 5, "formatOptions": { "showIcon": true } }, { "columnMatch": "EventTypeName", "formatter": 5, "formatOptions": { "showIcon": true } }, { "columnMatch": "SessionIssuerType", "formatter": 5, "formatOptions": { "showIcon": true } }, { "columnMatch": "EventSource", "formatter": 5, "formatOptions": { "showIcon": true } }, { "columnMatch": "SourceIpAddress", "formatter": 5, "formatOptions": { "showIcon": true } }, { "columnMatch": "TotalChanges", "formatter": 4, "formatOptions": { "min": 0, "palette": "purple", "showIcon": true } } ], "filter": true } }, "customWidth": "50", "name": "query - 5" 
}, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AWSCloudTrail\r\n| where EventSource == \"ec2.amazonaws.com\" and (EventName == \"AuthorizeSecurityGroupEgress\" or EventName == \"AuthorizeSecurityGroupIngress\" or EventName == \"CreateSecurityGroup\" or EventName == \"RevokeSecurityGroupEgress\" or EventName == \"RevokeSecurityGroupIngress\" or EventName == \"DeleteSecurityGroup\" or EventName == \"ReplaceNetworkAclEntry\" or EventName == \"CreateNetworkAcl\" or EventName == \"DeleteNetworkAcl\")\r\n| where EventName == '{EventName}' or '{EventName}' == \"All\"\r\n| summarize count() by bin(TimeGenerated, {TimeRange:grain}), EventName\r\n| project-rename TotalChanges = count_\r\n", "size": 0, "title": "Network ACL events over time", "timeContext": { "durationMs": 604800000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "barchart" }, "customWidth": "50", "name": "query - 7" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AWSCloudTrail\r\n| where EventSource == \"ec2.amazonaws.com\" and (EventName startswith \"create\" or EventName startswith \"delete\") and (EventName !contains \"Volume\" and EventName !contains \"KeyPair\" and EventName !contains \"Tags\" and EventName !contains \"Image\" and EventName !contains \"LaunchTemplate\")\r\n| summarize count() by EventName, UserIdentityArn, AWSRegion, EventTypeName, SessionIssuerType, EventSource, SourceIpAddress\r\n| project-rename TotalChanges = count_ \r\n| order by TotalChanges desc\r\n\r\n", "size": 0, "title": "Click to filter by event name", "timeContext": { "durationMs": 604800000 }, "timeContextFromParameter": "TimeRange", "exportFieldName": "EventName", "exportParameterName": "EventName", "exportDefaultValue": "All", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], 
"gridSettings": { "formatters": [ { "columnMatch": "EventName", "formatter": 7, "formatOptions": { "linkTarget": "GenericDetails", "linkIsContextBlade": true, "showIcon": true } }, { "columnMatch": "AWSRegion", "formatter": 5, "formatOptions": { "showIcon": true } }, { "columnMatch": "EventTypeName", "formatter": 5, "formatOptions": { "showIcon": true } }, { "columnMatch": "SessionIssuerType", "formatter": 5, "formatOptions": { "showIcon": true } }, { "columnMatch": "EventSource", "formatter": 5, "formatOptions": { "showIcon": true } }, { "columnMatch": "SourceIpAddress", "formatter": 5, "formatOptions": { "showIcon": true } }, { "columnMatch": "TotalChanges", "formatter": 4, "formatOptions": { "min": 0, "palette": "blueDark", "showIcon": true } } ] } }, "customWidth": "50", "name": "query - 9" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AWSCloudTrail\r\n| where EventSource == \"ec2.amazonaws.com\" and (EventName startswith \"create\" or EventName startswith \"delete\") and (EventName !contains \"Volume\" and EventName !contains \"KeyPair\" and EventName !contains \"Tags\" and EventName !contains \"Image\" and EventName !contains \"LaunchTemplate\")\r\n| where EventName == '{EventName}' or '{EventName}' == \"All\"\r\n| summarize count() by bin(TimeGenerated, {TimeRange:grain}), EventName\r\n| project-rename TotalChanges = count_\r\n", "size": 0, "title": "Create and Delete network events over time", "timeContext": { "durationMs": 604800000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "barchart" }, "customWidth": "50", "name": "query - 10" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AWSCloudTrail\r\n| where EventSource == \"ec2.amazonaws.com\" and (EventName == \"AllocateAddress\" or EventName == \"ReleaseAddress\" or EventName == \"AssociateAddress\" or EventName == 
\"DisassociateAddress\") \r\n| extend AllocationID1 = todynamic(ResponseElements).[\"allocationId\"]\r\n| extend AllocationID2 = todynamic(RequestParameters).[\"allocationId\"]\r\n| extend AssociationID = todynamic(ResponseElements).[\"associationId\"]\r\n| extend ElasticIP = todynamic(ResponseElements).[\"publicIp\"]\r\n| extend AllocationID = coalesce(AllocationID1, AllocationID2)\r\n| summarize count() by TimeGenerated, UserIdentityArn, EventName, tostring(todynamic(RequestParameters).[\"instanceId\"]), tostring(AllocationID), tostring(AssociationID), tostring(ElasticIP) \r\n| project-rename InstanceID = RequestParameters_instanceId\r\n| project-away count_\r\n", "size": 0, "timeContext": { "durationMs": 604800000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "filter": true } }, "name": "query - 12" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AWSCloudTrail\r\n| summarize Count = count() by AWSRegion", "size": 0, "timeContext": { "durationMs": 86400000 }, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ] }, "name": "query - 8" } ] }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "network" }, "name": "group - network" }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "items": [ { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AWSCloudTrail\r\n| summarize count() by bin(TimeGenerated,{TimeRange:grain})", "size": 4, "title": "📊 Data flow over Time. TimeRange selected: {TimeRange:label} with Automatic Time Grain of: {TimeRange:grain}", "color": "pink", "timeContext": { "durationMs": 604800000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "areachart" }, "name": "query - 2" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AWSCloudTrail\r\n| extend accountId_ = tostring(parse_json(Resources)[0].accountId)\r\n| where isnotempty(accountId_)\r\n| summarize count() by accountId_", "size": 4, "title": "Account IDs", "timeContext": { "durationMs": 604800000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "piechart" }, "customWidth": "50", "name": "query - 0" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AWSCloudTrail\r\n| where isnotempty(EventSource)\r\n| summarize count() by EventSource\r\n| order by count_ desc", "size": 0, "title": "EventSource list", "timeContext": { "durationMs": 604800000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "count_", "formatter": 4, "formatOptions": { "palette": "greenRed" } } ] }, "tileSettings": { "showBorder": false, "titleContent": { "columnMatch": "EventSource", "formatter": 1 }, "leftContent": { "columnMatch": "count_", "formatter": 12, "formatOptions": { "palette": "auto" }, "numberFormat": { "unit": 17, "options": { "maximumSignificantDigits": 3, "maximumFractionDigits": 2 } } } } }, "customWidth": "50", "name": "query - 0 - Copy" } ] }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "overview" }, "name": "group - ct overview" } ] }, "conditionalVisibility": { 
"parameterName": "selectedTab", "comparison": "isEqualTo", "value": "cloudtrail" }, "name": "group - CloudTrail" }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "title": "Group: VPCFlow ", "items": [ { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AWSVPCFlow\r\n| summarize count() by bin(TimeGenerated,{TimeRange:grain})", "size": 1, "title": "📊 Data flow over Time. TimeRange selected: {TimeRange:label} with Automatic Time Grain of: {TimeRange:grain}", "color": "pink", "timeContext": { "durationMs": 604800000 }, "timeContextFromParameter": "TimeRange", "timeBrushParameterName": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "areachart" }, "name": "query - 2" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AWSVPCFlow\r\n| summarize count() by AccountId", "size": 4, "title": "Account IDs", "timeContext": { "durationMs": 604800000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "piechart" }, "customWidth": "50", "name": "query - 0" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AWSVPCFlow\r\n//| summarize reject_ = countif(Action == 'REJECT'), accept_ = countif(Action == 'ACCEPT'), other_ = countif(Action == '-') by Action\r\n| summarize count() by Action, AccountId", "size": 1, "title": "Account IDs by Action", "timeContext": { "durationMs": 604800000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "tiles", "tileSettings": { "titleContent": { "columnMatch": "AccountId", "formatter": 1 }, "subtitleContent": { "columnMatch": "Action" }, "leftContent": { "columnMatch": "count_", "formatter": 12, "formatOptions": { 
"palette": "auto" }, "numberFormat": { "unit": 17, "options": { "style": "decimal", "maximumFractionDigits": 2, "maximumSignificantDigits": 3 } } }, "showBorder": false } }, "customWidth": "50", "name": "query -ids by Action" }, { "type": 9, "content": { "version": "KqlParameterItem/1.0", "crossComponentResources": [ "{Workspace}" ], "parameters": [ { "id": "fe452f11-ddc9-4b85-b441-b8f6be3b33a8", "version": "KqlParameterItem/1.0", "name": "Action", "type": 2, "isRequired": true, "multiSelect": true, "quote": "'", "delimiter": ",", "query": "AWSVPCFlow\r\n| summarize Count = count() by Action\r\n| order by Count desc\r\n| project Value = Action, Label = strcat(Action, \" count: \", Count)", "crossComponentResources": [ "{Workspace}" ], "value": [ "value::all" ], "typeSettings": { "additionalResourceOptions": [ "value::all" ], "selectAllValue": "All", "showDefault": false }, "timeContext": { "durationMs": 0 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, { "id": "d83accb3-5f6c-4794-ae8b-b6045265c539", "version": "KqlParameterItem/1.0", "name": "SourceIP", "type": 2, "isRequired": true, "multiSelect": true, "quote": "'", "delimiter": ",", "query": "AWSVPCFlow\r\n| where (Action in ({Action}) or '{Action:label}' == \"All\")\r\n| where isnotempty(DstAddr) \r\n| summarize Count = count() by SrcAddr\r\n| order by Count desc\r\n| project Value = SrcAddr, Label = strcat(SrcAddr, \" count: \", Count)", "crossComponentResources": [ "{Workspace}" ], "value": [ "value::all" ], "typeSettings": { "additionalResourceOptions": [ "value::all" ], "selectAllValue": "All", "showDefault": false }, "timeContext": { "durationMs": 0 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, { "id": "d5fa439b-b1d7-491e-8953-5e4f7bf74f81", "version": "KqlParameterItem/1.0", "name": "SourcePort", "type": 2, "isRequired": true, "multiSelect": true, "quote": 
"'", "delimiter": ",", "query": "AWSVPCFlow\r\n| where (Action in ({Action}) or '{Action:label}' == \"All\")\r\n| summarize Count = count() by SrcPort\r\n| order by Count desc\r\n| project Value = SrcPort, Label = strcat(SrcPort, \" count: \", Count)", "crossComponentResources": [ "{Workspace}" ], "value": null, "typeSettings": { "additionalResourceOptions": [ "value::all" ], "selectAllValue": "All", "showDefault": false }, "timeContext": { "durationMs": 0 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, { "id": "2f749931-c232-471f-b91f-f91514fd7fa7", "version": "KqlParameterItem/1.0", "name": "DestinationIP", "type": 2, "isRequired": true, "multiSelect": true, "quote": "'", "delimiter": ",", "query": "AWSVPCFlow\r\n| where (Action in ({Action}) or '{Action:label}' == \"All\")\r\n| where isnotempty(DstAddr) \r\n| summarize Count = count() by DstAddr\r\n| order by Count desc\r\n| project Value = DstAddr, Label = strcat(DstAddr, \" count: \", Count)", "crossComponentResources": [ "{Workspace}" ], "value": [ "value::all" ], "typeSettings": { "additionalResourceOptions": [ "value::all" ], "selectAllValue": "All", "showDefault": false }, "timeContext": { "durationMs": 0 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, { "id": "5ecf989b-46cc-4cde-80fb-720d1ad2a5e2", "version": "KqlParameterItem/1.0", "name": "DestinationPort", "type": 2, "isRequired": true, "multiSelect": true, "quote": "'", "delimiter": ",", "query": "AWSVPCFlow\r\n| where (Action in ({Action}) or '{Action:label}' == \"All\")\r\n| where isnotempty(DstPort) \r\n| summarize Count = count() by DstPort\r\n| order by Count desc\r\n| project Value = DstPort, Label = strcat(DstPort, \" count: \", Count)", "crossComponentResources": [ "{Workspace}" ], "value": null, "typeSettings": { "additionalResourceOptions": [ "value::all" ], "selectAllValue": "All", 
"showDefault": false }, "timeContext": { "durationMs": 0 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" } ], "style": "pills", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "name": "parameters - 1" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AWSVPCFlow\r\n| where (SrcAddr in ({SourceIP}) or '{SourceIP:label}' == \"All\") \r\n and (SrcPort in ({SourcePort}) or '{SourcePort:label}' == \"All\") \r\n and (DstAddr in ({DestinationIP}) or '{DestinationIP:label}' == \"All\") \r\n and (DstPort in ({DestinationPort}) or '{DestinationPort:label}' == \"All\")\r\n and (Action in ({Action}) or '{Action:label}' == \"All\")", "size": 0, "title": "All data - Filter. Rows {$rowCount} for {TimeRange:label}", "timeContext": { "durationMs": 604800000 }, "timeContextFromParameter": "TimeRange", "exportedParameters": [ { "fieldName": "SrcAddr", "parameterName": "SrcAddr", "parameterType": 1 }, { "fieldName": "DstAddr", "parameterName": "DstAddr", "parameterType": 1 } ], "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "filter": true } }, "name": "query - 0 - Copy" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "{\"version\":\"ARMEndpoint/1.0\",\"data\":null,\"headers\":[],\"method\":\"GET\",\"path\":\"/subscriptions/{Workspace:subscriptionid}/resourceGroups/{Workspace:resourceGroup}/providers/Microsoft.SecurityInsights/enrichment/ip/geodata/?ipaddress={SrcAddr}&api-version=2021-09-01-preview\",\"urlParams\":[],\"batchDisabled\":false,\"transformers\":[{\"type\":\"jsonpath\",\"settings\":{\"tablePath\":\"$\",\"columns\":[]}}]}", "size": 4, "title": "🖧 Lookup Source Address: {SrcAddr} from Microsoft geoLocation api", "queryType": 12, "gridSettings": { "formatters": [ { "columnMatch": "country", "formatter": 18, "formatOptions": { 
"thresholdsOptions": "icons", "thresholdsGrid": [ { "operator": "Default", "thresholdValue": null, "representation": "Globe", "text": "{0}{1}" } ] } }, { "columnMatch": "ipAddr", "formatter": 18, "formatOptions": { "thresholdsOptions": "colors", "thresholdsGrid": [ { "operator": "Default", "thresholdValue": null, "representation": "gray", "text": "{0}{1}" } ] } } ] } }, "conditionalVisibility": { "parameterName": "SrcAddr", "comparison": "isNotEqualTo" }, "name": "query - geoLocation api SRC" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "{\"version\":\"ARMEndpoint/1.0\",\"data\":null,\"headers\":[],\"method\":\"GET\",\"path\":\"/subscriptions/{Workspace:subscriptionid}/resourceGroups/{Workspace:resourceGroup}/providers/Microsoft.SecurityInsights/enrichment/ip/geodata/?ipaddress={DstAddr}&api-version=2021-09-01-preview\",\"urlParams\":[],\"batchDisabled\":false,\"transformers\":[{\"type\":\"jsonpath\",\"settings\":{\"tablePath\":\"$\",\"columns\":[]}}]}", "size": 4, "title": "🖧 Lookup Destination Address: {DstAddr} from Microsoft geoLocation api", "queryType": 12, "gridSettings": { "formatters": [ { "columnMatch": "country", "formatter": 18, "formatOptions": { "thresholdsOptions": "icons", "thresholdsGrid": [ { "operator": "Default", "thresholdValue": null, "representation": "Globe", "text": "{0}{1}" } ] } }, { "columnMatch": "ipAddr", "formatter": 18, "formatOptions": { "thresholdsOptions": "colors", "thresholdsGrid": [ { "operator": "Default", "thresholdValue": null, "representation": "gray", "text": "{0}{1}" } ] } } ] } }, "conditionalVisibility": { "parameterName": "DstAddr", "comparison": "isNotEqualTo" }, "name": "query - geoLocation api DST" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AWSVPCFlow\r\n| top 20 by Bytes\r\n| extend Gbytes = Bytes", "size": 0, "title": "Top 20 by Bytes", "timeContext": { "durationMs": 604800000 }, "timeContextFromParameter": "TimeRange", "showExportToExcel": true, "queryType": 0, 
"resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "Bytes", "formatter": 8, "formatOptions": { "palette": "greenRed" } }, { "columnMatch": "Gbytes", "formatter": 0, "numberFormat": { "unit": 36, "options": { "style": "decimal" } } } ], "filter": true } }, "name": "query - bytes" } ] }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "vpcflow" }, "name": "group -VPCflow logs" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "let tableList = dynamic(['AWSGuardDuty', 'AWSVPCFlow', 'AWSCloudTrail']);\r\nUsage\r\n| where DataType in (tableList)\r\n| summarize sum(_BilledSize), LastLogReceived = max(TimeGenerated), minsSinceLastLogReceived = datetime_diff('minute',now(), max(TimeGenerated)) by DataType, IsBillable \r\n| join \r\n(\r\n Usage\r\n | make-series count() on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by DataType\r\n) on DataType\r\n| project-away DataType1\r\n\r\n\r\n", "size": 1, "title": "Data Availability Check. Data for {TimeRange:label}", "timeContext": { "durationMs": 604800000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "DataType", "formatter": 18, "formatOptions": { "thresholdsOptions": "icons", "thresholdsGrid": [ { "operator": "Default", "thresholdValue": null, "representation": "success", "text": "{0}{1}" } ] } }, { "columnMatch": "sum__BilledSize", "formatter": 0, "numberFormat": { "unit": 36, "options": { "style": "decimal", "maximumFractionDigits": 2 } } }, { "columnMatch": "minsSinceLastLogReceived", "formatter": 0, "numberFormat": { "unit": 25, "options": { "style": "decimal" } } }, { "columnMatch": "count_", "formatter": 10, "formatOptions": { "palette": "pink" } }, { "columnMatch": "TimeGenerated", "formatter": 5 } ], "labelSettings": [ { "columnId": "sum__BilledSize", "label": "Sum of Billed Data" }, { "columnId": "minsSinceLastLogReceived", "label": "Time Since Last Log Received" }, { "columnId": "count_", "label": "Trend" } ] }, "sortBy": [] }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "status" }, "name": "query - status" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "let tableList = dynamic(['AWSGuardDuty', 'AWSVPCFlow', 'AWSCloudTrail']);\r\nUsage\r\n| where DataType in (tableList)\r\n| summarize count() by bin(TimeGenerated,{TimeRange:grain}), DataType\r\n\r\n", "size": 1, "title": "Data Count over time. Data for {TimeRange:label}", "timeContext": { "durationMs": 604800000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "areachart", "gridSettings": { "formatters": [ { "columnMatch": "DataType", "formatter": 18, "formatOptions": { "thresholdsOptions": "icons", "thresholdsGrid": [ { "operator": "Default", "thresholdValue": null, "representation": "success", "text": "{0}{1}" } ] } }, { "columnMatch": "sum__BilledSize", "formatter": 0, "numberFormat": { "unit": 36, "options": { "style": "decimal", "maximumFractionDigits": 2 } } }, { "columnMatch": "count_", "formatter": 10, "formatOptions": { "palette": "pink" } }, { "columnMatch": "TimeGenerated", "formatter": 5 } ], "labelSettings": [ { "columnId": "count_", "label": "Trend" } ] }, "sortBy": [] }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "status" }, "customWidth": "50", "name": "query - status - data count" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "let tableList = dynamic(['AWSGuardDuty', 'AWSVPCFlow', 'AWSCloudTrail']);\r\nUsage\r\n| where DataType in (tableList)\r\n| where _IsBillable=true\r\n| summarize sum(_BilledSize) by bin(TimeGenerated,{TimeRange:grain}), DataType\r\n\r\n", "size": 1, "title": "Data Capacity over time. Data for {TimeRange:label}", "timeContext": { "durationMs": 604800000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "areachart", "gridSettings": { "formatters": [ { "columnMatch": "DataType", "formatter": 18, "formatOptions": { "thresholdsOptions": "icons", "thresholdsGrid": [ { "operator": "Default", "thresholdValue": null, "representation": "success", "text": "{0}{1}" } ] } }, { "columnMatch": "sum__BilledSize", "formatter": 0, "numberFormat": { "unit": 36, "options": { "style": "decimal", "maximumFractionDigits": 2 } } }, { "columnMatch": "count_", "formatter": 10, "formatOptions": { "palette": "pink" } }, { "columnMatch": "TimeGenerated", "formatter": 5 } ], "labelSettings": [ { "columnId": "count_", "label": "Trend" } ] }, "sortBy": [], "chartSettings": { "ySettings": { "numberFormatSettings": { "unit": 36, "options": { "style": "decimal", "useGrouping": true } } } } }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "status" }, "customWidth": "50", "name": "query - status - data capacity" } ], "fromTemplateId": "sentinel-AWSS3Workbook", "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json" }