{ "version": "Notebook/1.0", "items": [ { "type": 9, "content": { "version": "KqlParameterItem/1.0", "parameters": [ { "id": "12e24ac4-d5f3-42ec-9c32-118fd5438150", "version": "KqlParameterItem/1.0", "name": "TimeRange", "type": 4, "isRequired": true, "value": { "durationMs": 7776000000 }, "typeSettings": { "selectableValues": [ { "durationMs": 300000 }, { "durationMs": 900000 }, { "durationMs": 1800000 }, { "durationMs": 3600000 }, { "durationMs": 14400000 }, { "durationMs": 43200000 }, { "durationMs": 86400000 }, { "durationMs": 172800000 }, { "durationMs": 259200000 }, { "durationMs": 604800000 }, { "durationMs": 1209600000 }, { "durationMs": 2419200000 }, { "durationMs": 2592000000 }, { "durationMs": 5184000000 }, { "durationMs": 7776000000 } ], "allowCustom": true } } ], "style": "pills", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "name": "parameters - 6" }, { "type": 11, "content": { "version": "LinkItem/1.0", "style": "tabs", "links": [ { "id": "71ab978a-c66d-47dc-aa0a-6a1a1b5d4d93", "cellValue": "selectedTab", "linkTarget": "parameter", "linkLabel": "User Insights", "subTarget": "DataType", "style": "link" }, { "id": "4ba27946-dc0b-4978-b5d6-97591a3bac6e", "cellValue": "selectedTab", "linkTarget": "parameter", "linkLabel": "Authentications", "subTarget": "OverTime", "style": "link" } ] }, "name": "links - 5" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "SigninLogs\r\n|extend OS= DeviceDetail.operatingSystem\r\n|extend Browser =extract(\"([a-zA-Z]+)\",1,tostring(DeviceDetail.browser))\r\n|where OS!=\"\"\r\n|where Browser !=\"\"\r\n|where AppDisplayName !=\"\"\r\n|summarize OperatingSystem = dcount(UserId) by tostring(OS)\r\n|sort by OS desc\r\n|render columnchart \r\n", "size": 1, "showAnalytics": true, "title": "Platform", "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "DataType" }, "customWidth": "50", "showPin": true, "name": "query - 0", "styleSettings": { "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "SigninLogs\n|extend OS= DeviceDetail.operatingSystem\n|extend Browser =extract(\"([a-zA-Z]+)\",1,tostring(DeviceDetail.browser))\n|where OS!=\"\"\n|where Browser !=\"\"\n|where AppDisplayName !=\"\"\n|summarize Browsers = count() by Browser\n|render columnchart \n", "size": 1, "showAnalytics": true, "title": "Browser", "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "gridSettings": { "formatters": [ { "columnMatch": "Count", "formatter": 4, "formatOptions": { "showIcon": true, "aggregation": "Count" }, "numberFormat": { "unit": 17, "options": { "style": "decimal" } } } ] } }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "DataType" }, "customWidth": "50", "name": "query - 1", "styleSettings": { "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "SigninLogs\n| where AppDisplayName !=\"\"\n| where Location != \"\"\n| summarize signInCount = count() by Location\n| render columnchart \n", "size": 0, "title": "Location", "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "visualization": "map", "mapSettings": { "locInfo": "CountryRegion", "locInfoColumn": "Location", "sizeSettings": "signInCount", "sizeAggregation": "Sum", "labelSettings": "Location", "legendMetric": "signInCount", "legendAggregation": "Sum", "itemColorSettings": { "nodeColorField": "signInCount", "colorAggregation": "Sum", "type": "heatmap", "heatmapPalette": "greenRed" } } }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "DataType" }, "customWidth": "50", "name": "query - 8" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "SigninLogs\n| extend User = tolower(Identity)\n| project IPAddress, User\n| summarize Total = count() by IPAddress,User\n| order by Total desc\n", "size": 0, "title": "IP Address", "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "visualization": "table", "gridSettings": { "formatters": [ { "columnMatch": "Total", "formatter": 8, "formatOptions": { "palette": "purpleBlueGreen" } } ], "rowLimit": 10000 }, "mapSettings": { "locInfo": "CountryRegion", "locInfoColumn": "Location", "sizeSettings": "signInCount", "sizeAggregation": "Sum", "labelSettings": "Location", "legendMetric": "signInCount", "legendAggregation": "Sum", "itemColorSettings": { "nodeColorField": "signInCount", "colorAggregation": "Sum", "type": "heatmap", "heatmapPalette": "greenRed" } } }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "DataType" }, "customWidth": "50", "name": "query - 8 - Copy" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": " AuditLogs \r\n | where LoggedByService == \"B2C\" \r\n and Result == \"success\" \r\n and Category == \"Authentication\" \r\n and OperationName in (\"Issue an id_token to the application\",\"Exchange token\",\"Issue an authorization code to the application\",\"Issue an access token to the application\")\r\n | order by TimeGenerated desc \r\n | summarize TotalAuth = count() by ClientId = tostring(AdditionalDetails[2][\"value\"])\r\n | order by TotalAuth desc\r\n | render barchart \r\n \r\n", "size": 0, "showAnalytics": true, "title": "Authentications Per Application", "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "visualization": "table", "gridSettings": { "formatters": [ { "columnMatch": "TotalAuth", "formatter": 4, "formatOptions": { "palette": "greenDarkDark" } } ] }, "tileSettings": { "showBorder": false, "titleContent": { "columnMatch": "ClientId", "formatter": 1 }, "leftContent": { "columnMatch": "TotalAuth", "formatter": 12, "formatOptions": { "palette": "auto" }, "numberFormat": { "unit": 17, "options": { "maximumSignificantDigits": 3, "maximumFractionDigits": 2 } } } }, "chartSettings": { "xAxis": "TotalAuth", "yAxis": [ "ClientId" ] } }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "OverTime" }, "customWidth": "50", "showPin": true, "name": "query - 2", "styleSettings": { "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "let GetIdPType = (IdPName:string) { iff(IdPName == \"LocalAccountUsername\",\"LocalAccount\",\"Federated\")};\nlet GetIdPValue = (IdPName:string,IdpName:string) { iff(IdPName == \"LocalAccountUsername\",\"Local\",IdpName)};\nAuditLogs\n | where OperationName == \"Validate local account credentials\"\n or OperationName == \"Federate with an identity provider\"\n | project OperationName, Result, IdpType=GetIdPValue(extractjson(\"$.[4].key\",tostring(AdditionalDetails)),extractjson(\"$.[4].value\",tostring(AdditionalDetails)))\n // Check for the case of federation: Azure AD B2C Audit logs does not provide federated identity provider name and it is always set to \"N/A\"\n | extend IdpType = iff(OperationName contains \"Federate with an identity provider\", iff(IdpType ==\"N/A\", \"Federated\",IdpType ) , IdpType)\n | summarize Count =count() by IdentityProvider=IdpType\n | order by Count \n", "size": 0, "showAnalytics": true, "title": "Authentications Per Identity Provider", "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "visualization": "table", "gridSettings": { "formatters": [ { "columnMatch": "Count", "formatter": 8, "formatOptions": { "palette": "greenBlue" }, "numberFormat": { "unit": 17, "options": { "style": "decimal", "useGrouping": false } } } ] }, "tileSettings": { "showBorder": false, "titleContent": { "columnMatch": "IdP", "formatter": 1 }, "leftContent": { "columnMatch": "IdentityProviders", "formatter": 12, "formatOptions": { "palette": "auto" }, "numberFormat": { "unit": 17, "options": { "maximumSignificantDigits": 3, "maximumFractionDigits": 2 } } } } }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "OverTime" }, "customWidth": "50", "name": "query - 3", "styleSettings": { "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AuditLogs \r\n| where OperationName contains \"issue\" \r\n| project ActivityDateTime, UserId=extractjson(\"$.[0].id\",tostring(TargetResources)) , \r\nPolicy=extractjson(\"$.[1].value\",tostring(AdditionalDetails)) , \r\nAppId=extractjson(\"$.[2].value\",tostring(AdditionalDetails)),\r\nOperationName \r\n| summarize Count = count() by Policy\r\n| sort by Count\r\n| render table \r\n", "size": 3, "showAnalytics": true, "title": "Authentications Per Policy", "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "visualization": "table", "gridSettings": { "formatters": [ { "columnMatch": "Count", "formatter": 8, "formatOptions": { "palette": "blueDark" } } ] }, "tileSettings": { "titleContent": { "formatter": 1, "formatOptions": { "showIcon": true } }, "leftContent": { "columnMatch": "Count", "formatter": 12, "formatOptions": { "showIcon": true } }, "showBorder": false }, "graphSettings": { "type": 0, "topContent": { "columnMatch": "Policy", "formatter": 1 }, "centerContent": { "columnMatch": "Count", "formatter": 1, "numberFormat": { "unit": 17, "options": { "maximumSignificantDigits": 3, "maximumFractionDigits": 2 } } }, "nodeIdField": "Policy", "sourceIdField": "Count", "targetIdField": "Count", "graphOrientation": 3, "showOrientationToggles": false, "edgeSize": "Count", "edgeLabel": "Policy", "nodeSize": { "sizeField": "Policy", "minSize": null, "maxSize": null }, "staticNodeSize": 100, "colorSettings": null, "hivesMargin": 5 }, "mapSettings": { "locInfo": "LatLong", "sizeSettings": "Count", "sizeAggregation": "Sum", "legendMetric": "Count", "legendAggregation": "Sum", "itemColorSettings": { "type": "heatmap", "colorAggregation": "Sum", "nodeColorField": "Count", "heatmapPalette": "greenRed" } } }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "OverTime" }, "customWidth": "50", "showPin": true, "name": "query - 5", "styleSettings": { "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "SigninLogs\r\n| where ResultType != \"0\" \r\n| summarize by UserPrincipalName, ResultDescription, ResultType, tostring( DeviceDetail), IPAddress\r\n| sort by ResultType asc \r\n| summarize Total=count() by ResultDescription\r\n| order by Total\r\n| render columnchart \r\n\r\n", "size": 0, "showAnalytics": true, "title": "Authentications Failure Reasons", "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "visualization": "table", "gridSettings": { "formatters": [ { "columnMatch": "Total", "formatter": 8, "formatOptions": { "palette": "coldHot" } }, { "columnMatch": "Count", "formatter": 8, "formatOptions": { "palette": "coldHot" } } ] }, "tileSettings": { "titleContent": { "formatter": 1, "formatOptions": { "showIcon": true } }, "leftContent": { "columnMatch": "Count", "formatter": 12, "formatOptions": { "showIcon": true } }, "showBorder": false }, "graphSettings": { "type": 0, "topContent": { "columnMatch": "Policy", "formatter": 1 }, "centerContent": { "columnMatch": "Count", "formatter": 1, "numberFormat": { "unit": 17, "options": { "maximumSignificantDigits": 3, "maximumFractionDigits": 2 } } }, "nodeIdField": "Policy", "sourceIdField": "Count", "targetIdField": "Count", "graphOrientation": 3, "showOrientationToggles": false, "edgeSize": "Count", "edgeLabel": "Policy", "nodeSize": { "sizeField": "Policy", "minSize": null, "maxSize": null }, "staticNodeSize": 100, "colorSettings": null, "hivesMargin": 5 }, "mapSettings": { "locInfo": "LatLong", "sizeSettings": "Count", "sizeAggregation": "Sum", "legendMetric": "Count", "legendAggregation": "Sum", "itemColorSettings": { "type": "heatmap", "colorAggregation": "Sum", "nodeColorField": "Count", "heatmapPalette": "greenRed" } } }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "OverTime" }, "customWidth": "50", "showPin": true, "name": "query - 5 - Copy", "styleSettings": { "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "SigninLogs\n| where ResultType != 0\n| summarize FailedSignIns=count() by bin(TimeGenerated,1d) \n|render timechart \n", "size": 0, "title": "Failed Sign-Ins (Timechart)", "color": "orange", "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "OverTime" }, "name": "query - 9" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "SigninLogs\n| where ResultType == 0\n| summarize SuccessfulSigns=count() by bin(TimeGenerated,1d) \n|render timechart \n", "size": 0, "title": "Successful Sign-Ins (Timechart)", "color": "greenDark", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "OverTime" }, "name": "query - 10" } ], "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json" }