diff --git a/Solutions/Microsoft PowerBI/Workbooks/Images/Preview/MicrosoftPowerBIActivityWorkbookBlack.png b/Solutions/Microsoft PowerBI/Workbooks/Images/Preview/MicrosoftPowerBIActivityWorkbookBlack.png new file mode 100644 index 00000000000..74fcac0e99a Binary files /dev/null and b/Solutions/Microsoft PowerBI/Workbooks/Images/Preview/MicrosoftPowerBIActivityWorkbookBlack.png differ diff --git a/Solutions/Microsoft PowerBI/Workbooks/Images/Preview/MicrosoftPowerBIActivityWorkbookWhite.png b/Solutions/Microsoft PowerBI/Workbooks/Images/Preview/MicrosoftPowerBIActivityWorkbookWhite.png new file mode 100644 index 00000000000..ac057edb7d0 Binary files /dev/null and b/Solutions/Microsoft PowerBI/Workbooks/Images/Preview/MicrosoftPowerBIActivityWorkbookWhite.png differ diff --git a/Solutions/Microsoft PowerBI/Workbooks/MicrosoftPowerBIActivityWorkbook.json b/Solutions/Microsoft PowerBI/Workbooks/MicrosoftPowerBIActivityWorkbook.json new file mode 100644 index 00000000000..19fb3190cfb --- /dev/null +++ b/Solutions/Microsoft PowerBI/Workbooks/MicrosoftPowerBIActivityWorkbook.json @@ -0,0 +1,684 @@ +{ + "version": "Notebook/1.0", + "items": [ + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "ccd5adcd-8d59-4cfe-99ec-98075de2e253", + "version": "KqlParameterItem/1.0", + "name": "DefaultSubscription_Internal", + "type": 1, + "isRequired": true, + "query": "where type =~ 'microsoft.operationalinsights/workspaces'\r\n| take 1\r\n| project subscriptionId", + "crossComponentResources": [ + "value::selected" + ], + "isHiddenWhenLocked": true, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources" + }, + { + "id": "1ca69445-60fc-4806-b43d-ac7e6aad630a", + "version": "KqlParameterItem/1.0", + "name": "Subscription", + "type": 6, + "query": "summarize by subscriptionId\r\n| project value = strcat(\"/subscriptions/\", subscriptionId), label = subscriptionId, selected = iff(subscriptionId =~ '{DefaultSubscription_Internal}', true, false)\r\n", + "crossComponentResources": [ + "value::selected" + ], + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources" + }, + { + "id": "e94aafa3-c5d9-4523-89f0-4e87aa754511", + "version": "KqlParameterItem/1.0", + "name": "Workspace", + "type": 5, + "query": "where type =~ 'microsoft.operationalinsights/workspaces'\n| project id", + "crossComponentResources": [ + "{Subscription}" + ], + "value": "", + "typeSettings": { + "resourceTypeFilter": { + "microsoft.operationalinsights/workspaces": true + }, + "additionalResourceOptions": [] + }, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources" + }, + { + "id": "eafaa0ec-7c3a-4ee5-babe-9850080c909d", + "version": "KqlParameterItem/1.0", + "name": "resourceGroup", + "type": 1, + "query": "resources\r\n| where type =~ 'microsoft.operationalinsights/workspaces'\r\n| where id == \"{Workspace}\"\r\n| project resourceGroup", + "crossComponentResources": [ + "value::selected" + ], + "isHiddenWhenLocked": true, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources" + }, + { + "id": "c4b69c01-2263-4ada-8d9c-43433b739ff3", + "version": "KqlParameterItem/1.0", + "name": "TimeRange", + "type": 4, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 300000 + }, + { + "durationMs": 900000 + }, + { + "durationMs": 1800000 + }, + { + "durationMs": 3600000 + }, + { + "durationMs": 14400000 + }, + { + "durationMs": 43200000 + }, + { + "durationMs": 86400000 + }, + { + "durationMs": 172800000 + }, + { + "durationMs": 259200000 + }, + { + "durationMs": 604800000 + }, + { + "durationMs": 1209600000 + }, + { + "durationMs": 2419200000 + }, + { + "durationMs": 2592000000 + }, + { + "durationMs": 5184000000 + }, + { + "durationMs": 7776000000 + } + ], + "allowCustom": false + }, + "value": { + "durationMs": 7776000000 + } + }, + { + "id": "c71f3009-a3f4-4aa5-aaf0-d0f667100e56", + "version": "KqlParameterItem/1.0", + "name": "Help", + "label": "Show Help", + "type": 10, + "description": "This will show some help information to help you understand the page you are on", + "isRequired": true, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[{ \"value\": \"Yes\", \"label\": \"Yes\"},\r\n {\"value\": \"No\", \"label\": \"No\", \"selected\":true }]" + } + ], + "style": "above", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "parameters - 1" + }, + { + "type": 1, + "content": { + "json": "# Microsoft PowerBI Activity Workbook" + }, + "name": "text - 11" + }, + { + "type": 1, + "content": { + "json": "#### Please select subscription and workspace for the workbook to load.\r\n#### Please change the TimeRange to relead the datasets between different timeframe.\r\n\r\n#### This workbook contains\r\n- Overview \r\n\t- Activity Over Time \r\n\t- Events Occured\r\n\t- Workspace Used\r\n\t- Report Accessed\r\n\t- Dataset Accessed\r\n\t- Activity by DistributionMethod\r\n\t- Activity through UserAgent\r\n- Datasets\r\n\t- Dataset Directly Accessed\r\n\t- Activity Directly on Datastes\r\n\t- Direct Datasets Activities\r\n- Reports\r\n\t- Activities Across Reports\r\n- IP and User Activity Trend\r\n\t- IP Address Activity Trend\r\n\t- User Activity Trend\r\n\t- User Activity Across IP Addresses" + }, + "conditionalVisibility": { + "parameterName": "Help", + "comparison": "isEqualTo", + "value": "Yes" + }, + "name": "text - 11 - Copy" + }, + { + "type": 1, + "content": { + "json": "### Overview", + "style": "info" + }, + "name": "text - 16" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "PowerBIActivity\r\n| summarize count() by Activity, bin(TimeGenerated,{TimeRange:grain})", + "size": 0, + "title": "Activity Over Time for {TimeRange:label}", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "timechart" + }, + "name": "query - 6" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "PowerBIActivity\r\n|summarize count() by Activity", + "size": 0, + "title": "Events Occured for {TimeRange:label}", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "categoricalbar" + }, + "name": "query - 6 - Copy" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "PowerBIActivity\r\n|summarize count() by PbiWorkspaceName", + "size": 0, + "title": "Workspace Used for {TimeRange:label}", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "categoricalbar" + }, + "name": "query - 6 - Copy - Copy - Copy - Copy" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "PowerBIActivity\r\n|summarize count() by ReportName", + "size": 0, + "title": "Report Accessed for {TimeRange:label}", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "gridSettings": { + "filter": true + }, + "tileSettings": { + "showBorder": false, + "titleContent": { + "columnMatch": "ReportName", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "count_", + "formatter": 12, + "formatOptions": { + "palette": "auto" + }, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + } + } + }, + "customWidth": "50", + "name": "query - 6 - Copy - Copy - Copy" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "PowerBIActivity\r\n|summarize count() by DatasetName", + "size": 0, + "title": "Dataset used for {TimeRange:label}", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "gridSettings": { + "filter": true + }, + "tileSettings": { + "showBorder": false, + "titleContent": { + "columnMatch": "DatasetName", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "count_", + "formatter": 12, + "formatOptions": { + "palette": "auto" + }, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + } + } + }, + "customWidth": "50", + "name": "query - 6 - Copy - Copy" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "PowerBIActivity\r\n| summarize count() by DistributionMethod", + "size": 0, + "title": "Activity by DistributionMethod for {TimeRange:label}", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart" + }, + "customWidth": "50", + "name": "query - 19" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "PowerBIActivity\r\n| summarize count() by UserAgent", + "size": 0, + "title": "Activity through UserAgent for {TimeRange:label}", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart" + }, + "customWidth": "50", + "name": "query - 19 - Copy" + }, + { + "type": 1, + "content": { + "json": "### Datasets", + "style": "info" + }, + "name": "text - 17" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "PowerBIActivity\r\n| where isempty(ReportName) and isnotempty(DatasetName)\r\n|summarize count() by DatasetName", + "size": 0, + "title": "Dataset dircetly accessed for {TimeRange:label}", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "gridSettings": { + "filter": true + }, + "tileSettings": { + "showBorder": false, + "titleContent": { + "columnMatch": "DatasetName", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "count_", + "formatter": 12, + "formatOptions": { + "palette": "auto" + }, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + } + } + }, + "customWidth": "50", + "name": "query - 6 - Copy - Copy - Copy" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "PowerBIActivity\r\n| where isempty(ReportName) and isnotempty(DatasetName)\r\n| summarize count() by Activity", + "size": 0, + "title": "Activity directly on Datasets for {TimeRange:label}", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "gridSettings": { + "filter": true + }, + "tileSettings": { + "showBorder": false, + "titleContent": { + "columnMatch": "DatasetName", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "count_", + "formatter": 12, + "formatOptions": { + "palette": "auto" + }, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + } + } + }, + "customWidth": "50", + "name": "query - 6 - Copy - Copy - Copy - Copy" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let PbiTrend = (PowerBIActivity\r\n| where isnotempty(DatasetName)\r\n| make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by DatasetName);\r\nlet PbiSummary = (PowerBIActivity\r\n| where isnotempty(DatasetName)\r\n|summarize TotalActivity = count(), CreateDataset = countif(Activity ==\"CreateDataset\"),UpdateDatasetParameters\r\n = countif(Activity ==\"UpdateDatasetParameters\") by DatasetName);\r\nPbiTrend\r\n| join kind=inner(\r\nPbiSummary\r\n) on DatasetName", + "size": 0, + "title": "Direct Datasets Activities for {TimeRange:label}", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Trend", + "formatter": 21, + "formatOptions": { + "palette": "blue" + } + }, + { + "columnMatch": "TimeGenerated", + "formatter": 5 + }, + { + "columnMatch": "DatasetName1", + "formatter": 5 + }, + { + "columnMatch": "TotalActivity", + "formatter": 8, + "formatOptions": { + "palette": "blue" + } + }, + { + "columnMatch": "CreateDataset", + "formatter": 4, + "formatOptions": { + "palette": "greenDarkDark" + } + }, + { + "columnMatch": "UpdateDatasetParameters", + "formatter": 4, + "formatOptions": { + "palette": "brown" + } + } + ], + "filter": true + } + }, + "name": "query - 13" + }, + { + "type": 1, + "content": { + "json": "### Reports", + "style": "info" + }, + "name": "text - 18" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let PbiTrend = (PowerBIActivity\r\n| where isnotempty(DatasetName) and isnotempty(ReportName)\r\n| make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by ReportName, DatasetName);\r\nlet PbiSummary = (PowerBIActivity\r\n| where isnotempty(DatasetName) and isnotempty(ReportName)\r\n|summarize TotalActivity = count(), ViewReport = countif(Activity ==\"ViewReport\"),CreateReport = countif(Activity ==\"CreateReport\") by ReportName, DatasetName);\r\nPbiTrend\r\n| join kind=inner(\r\nPbiSummary\r\n) on ReportName,DatasetName", + "size": 0, + "title": "Activities Across Reports for {TimeRange:label}", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Group", + "formatter": 1 + }, + { + "columnMatch": "Trend", + "formatter": 9, + "formatOptions": { + "palette": "blue" + } + }, + { + "columnMatch": "TimeGenerated", + "formatter": 5 + }, + { + "columnMatch": "ReportName1", + "formatter": 5 + }, + { + "columnMatch": "DatasetName1", + "formatter": 5 + }, + { + "columnMatch": "TotalActivity", + "formatter": 8, + "formatOptions": { + "palette": "blue" + } + }, + { + "columnMatch": "ViewReport", + "formatter": 4, + "formatOptions": { + "palette": "blue" + } + }, + { + "columnMatch": "CreateReport", + "formatter": 4, + "formatOptions": { + "palette": "blue" + } + } + ], + "filter": true, + "hierarchySettings": { + "treeType": 1, + "groupBy": [ + "ReportName" + ], + "expandTopLevel": true + } + } + }, + "name": "query - 13 - Copy" + }, + { + "type": 1, + "content": { + "json": "### IP and User Activity Trend", + "style": "info" + }, + "name": "text - 19" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let PbiTrend = (PowerBIActivity\r\n| make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by SrcIpAddr);\r\nlet PbiSummary = (PowerBIActivity\r\n|summarize count() by SrcIpAddr);\r\nPbiTrend\r\n| join kind=inner(\r\nPbiSummary\r\n) on SrcIpAddr", + "size": 0, + "title": "IP Address Activity Trend for {TimeRange:label}", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Trend", + "formatter": 9, + "formatOptions": { + "palette": "blue" + } + }, + { + "columnMatch": "TimeGenerated", + "formatter": 5 + }, + { + "columnMatch": "SrcIpAddr1", + "formatter": 5 + }, + { + "columnMatch": "count_", + "formatter": 4, + "formatOptions": { + "palette": "blue" + } + } + ], + "filter": true + } + }, + "customWidth": "50", + "name": "query - 6 - Copy - Copy - Copy - Copy - Copy - Copy" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let PbiTrend = (PowerBIActivity\r\n| make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by ActorName);\r\nlet PbiSummary = (PowerBIActivity\r\n|summarize count() by ActorName);\r\nPbiTrend\r\n| join kind=inner(\r\nPbiSummary\r\n) on ActorName", + "size": 0, + "title": "User Activity Trend for {TimeRange:label}", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Trend", + "formatter": 9, + "formatOptions": { + "palette": "blue" + } + }, + { + "columnMatch": "TimeGenerated", + "formatter": 5 + }, + { + "columnMatch": "ActorName1", + "formatter": 5 + }, + { + "columnMatch": "count_", + "formatter": 4, + "formatOptions": { + "palette": "blue" + } + } + ], + "filter": true + } + }, + "customWidth": "50", + "name": "query - 6 - Copy - Copy - Copy - Copy - Copy" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "PowerBIActivity\r\n|summarize count() by ActorName, SrcIpAddr", + "size": 0, + "title": "User Activity Across IP Addresses for {TimeRange:label}", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Group", + "formatter": 1 + }, + { + "columnMatch": "SrcIpAddr", + "formatter": 8, + "formatOptions": { + "palette": "blue" + } + }, + { + "columnMatch": "count_", + "formatter": 8, + "formatOptions": { + "palette": "blue" + } + } + ], + "filter": true, + "hierarchySettings": { + "treeType": 1, + "groupBy": [ + "ActorName" + ] + } + } + }, + "name": "query - 6 - Copy - Copy - Copy - Copy - Copy - Copy - Copy" + } + ], + "fallbackResourceIds": [], + "fromTemplateId": "sentinel-MicrosoftPowerBIActivityWorkbook", + "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json" +} diff --git a/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json b/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json index a0220185038..ef608534131 100644 --- a/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json +++ b/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json @@ -4889,7 +4889,7 @@ "subtitle": "", "provider": "Talon Security" }, - { + { "workbookKey": "DNSSolutionWorkbook", "logoFileName": "", "description": "This workbook is included as part of DNS Essentials solution and gives a summary of analysed DNS traffic, helps with threat analysis and investigating suspicious Domains, IPs and DNS traffic analysis. DNS Essentials Solution also includes playbooks to periodically summarize the logs thus enhancing user experience and improving data search. For the effective usage of workbook, we highly recommend to enable the summarization playbooks that are provided with this solution.", @@ -4951,5 +4951,18 @@ "templateRelativePath": "SAP -Security Audit log and Initial Access.json", "subtitle": "", "provider": "Microsoft" - } + }, + { + "workbookKey": "MicrosoftPowerBIActivityWorkbook", + "logoFileName": "", + "description": "This workbook provides details on Microsoft PowerBI Activity", + "dataTypesDependencies": ["PowerBIActivity"], + "dataConnectorsDependencies": ["Microsoft PowerBI (Preview)"], + "previewImagesFileNames": [ "MicrosoftPowerBIActivityWorkbookBlack.png", "MicrosoftPowerBIActivityWhite.png"], + "version": "1.0.0", + "title": "Microsoft PowerBI Activity Workbook", + "templateRelativePath": "MicrosoftPowerBIActivityWorkbook.json", + "subtitle": "", + "provider": "Microsoft" + } ]