From 16e1547131658671cb4ed1ad89f7233388ca80b6 Mon Sep 17 00:00:00 2001
From: Samik Roy
Date: Tue, 21 Sep 2021 00:58:59 +0530
Subject: [PATCH 1/2] Logged By Service Trend

Added a widget to show the trend based on Logged by Service.

---
 Workbooks/AzureActiveDirectoryAuditLogs.json | 87 +++++---------------
 1 file changed, 21 insertions(+), 66 deletions(-)

diff --git a/Workbooks/AzureActiveDirectoryAuditLogs.json b/Workbooks/AzureActiveDirectoryAuditLogs.json
index 304e5da7e5a..e29eb19ba02 100644
--- a/Workbooks/AzureActiveDirectoryAuditLogs.json
+++ b/Workbooks/AzureActiveDirectoryAuditLogs.json
@@ -12,8 +12,6 @@
 "type": 9,
 "content": {
 "version": "KqlParameterItem/1.0",
- "query": "",
- "crossComponentResources": [],
 "parameters": [
 {
 "id": "bc372bf5-2dcd-4efa-aa85-94b6e6fafe14",
@@ -166,15 +164,14 @@
 "version": "KqlItem/1.0",
 "query": "let data = AuditLogs\r\n| where \"{Category:lable}\" == \"All\" or Category in ({Category})\r\n| where \"{Result:lable}\" == \"All\" or Result in ({Result})\r\n| extend initiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\r\n| where initiatingUserPrincipalName != \"\" \r\n| where \"{User:lable}\" == \"All\" or initiatingUserPrincipalName in ({User});\r\ndata\r\n| summarize Count = count() by Category\r\n| join kind = fullouter (datatable(Category:string)['Medium', 'high', 'low']) on Category\r\n| project Category = iff(Category == '', Category1, Category), Count = iff(Category == '', 0, Count)\r\n| join kind = inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by Category)\r\n on Category\r\n| project-away Category1, TimeGenerated\r\n| extend Category = Category\r\n| union (\r\n data \r\n | summarize Count = count() \r\n | extend jkey = 1\r\n | join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\r\n | extend jkey = 1) on jkey\r\n | extend Category = 'All', Categorys = '*' \r\n)\r\n| order by Count desc\r\n| take 10",
 "size": 4,
- "exportFieldName": "Category",
- "exportParameterName": "CategoryFIlter",
- "exportDefaultValue": "All",
- "exportToExcelOptions": "visible",
 "title": "Categories volume",
 "timeContext": {
- "durationMs": 0
+ "durationMs": 7776000000
 },
 "timeContextFromParameter": "TimeRange",
+ "exportFieldName": "Category",
+ "exportParameterName": "CategoryFIlter",
+ "exportDefaultValue": "All",
 "queryType": 0,
 "resourceType": "microsoft.operationalinsights/workspaces",
 "visualization": "tiles",
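Review bot: The fallback window on the `"durationMs"` line is raised to 7776000000 ms (90 days) for this tile and again for the Top active users tile in a later hunk, while the User activities and Result status tiles keep `"durationMs": 0`, so the four tiles no longer agree on their fallback range; since `"timeContextFromParameter": "TimeRange"` is set, the value presumably only matters when the parameter is missing, but it should still be one value for all tiles, either 0 as before or 7776000000 everywhere. The commit message says a widget for the trend by Logged by Service was added, yet this patch adds no new item to the workbook, it only moves the export settings below `timeContextFromParameter` and drops `exportToExcelOptions`; either the description or the patch looks incomplete. The enclosing KqlItem continues outside the hunk.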
@@ -221,16 +218,15 @@
 "version": "KqlItem/1.0",
 "query": "let data = AuditLogs\r\n| where \"{Result:lable}\" == \"All\" or Result in ({Result})\r\n| extend initiator = iif (tostring(InitiatedBy.user.userPrincipalName) != \"\", tostring(InitiatedBy.user.userPrincipalName), \"unknown\")\r\n| where \"{User:lable}\" == \"All\" or initiator in ({User})\r\n| where \"{Category:lable}\" == \"All\" or Category in ({Category})\r\n| where Category == '{CategoryFIlter}' or '{CategoryFIlter}' == \"All\";\r\nlet appData = data\r\n| summarize TotalCount = count() by OperationName, Category\r\n| join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by OperationName\r\n | project-away TimeGenerated) on OperationName\r\n| order by TotalCount desc, OperationName asc\r\n| project OperationName, TotalCount, Trend, Category\r\n| serialize Id = row_number();\r\ndata\r\n| summarize TotalCount = count() by initiator = iif (tostring(InitiatedBy.user.userPrincipalName) != \"\", tostring(InitiatedBy.user.userPrincipalName), \"unknown\"), Category, OperationName\r\n| join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by OperationName, initiator = iif (tostring(InitiatedBy.user.userPrincipalName) != \"\", tostring(InitiatedBy.user.userPrincipalName), \"unknown\")\r\n | project-away TimeGenerated) on OperationName, initiator\r\n| order by TotalCount desc, OperationName asc\r\n| project OperationName, initiator, TotalCount, Category, Trend\r\n| serialize Id = row_number(1000000)\r\n| join kind=inner (appData) on OperationName\r\n| project Id, Name = initiator, Type = 'initiator', ['Operations Count'] = TotalCount, Trend, Category, ParentId = Id1\r\n| union (appData \r\n | project Id, Name = OperationName, Type = 'Operation', ['Operations Count'] = TotalCount, Category, Trend)\r\n| order by ['Operations 
Count'] desc, Name asc",
 "size": 0,
- "exportParameterName": "UserInfo",
- "exportDefaultValue": "{ \"Name\":\"\", \"Type\":\"*\"}",
 "showAnalytics": true,
- "showExportToExcel": true,
- "exportToExcelOptions": "visible",
 "title": "User activities",
 "timeContext": {
 "durationMs": 0
 },
 "timeContextFromParameter": "TimeRange",
+ "exportParameterName": "UserInfo",
+ "exportDefaultValue": "{ \"Name\":\"\", \"Type\":\"*\"}",
+ "showExportToExcel": true,
 "queryType": 0,
 "resourceType": "microsoft.operationalinsights/workspaces",
 "gridSettings": {
@@ -242,13 +238,6 @@
 "showIcon": true
 }
 },
- {
- "columnMatch": "Name",
- "formatter": 0,
- "formatOptions": {
- "showIcon": true
- }
- },
 {
 "columnMatch": "Type",
 "formatter": 5,
@@ -286,13 +275,6 @@
 }
 }
 },
- {
- "columnMatch": "Category",
- "formatter": 0,
- "formatOptions": {
- "showIcon": true
- }
- },
 {
 "columnMatch": "ParentId",
 "formatter": 5,
@@ -308,8 +290,7 @@
 "parentColumn": "ParentId",
 "treeType": 0,
 "expanderColumn": "Name"
- },
- "labelSettings": []
+ }
 }
 },
 "customWidth": "70",
@@ -322,10 +303,9 @@
 "version": "KqlItem/1.0",
 "query": "let details = dynamic({UserInfo});\r\nAuditLogs\r\n| where \"{Category:lable}\" == \"All\" or Category in ({Category})\r\n| where \"{Result:lable}\" == \"All\" or Result in ({Result})\r\n| extend initiatingUserPrincipalName = iif (tostring(InitiatedBy.user.userPrincipalName) != \"\", tostring(InitiatedBy.user.userPrincipalName), \"unknown\")\r\n//| where initiatingUserPrincipalName != \"\" \r\n| where \"{User:lable}\" == \"All\" or initiatingUserPrincipalName in ({User})\r\n| where details.Type == '*' or (details.Type == 'initiator' and initiatingUserPrincipalName == details.Name) or (details.Type == 'Operation' and OperationName == details.Name)\r\n| summarize Activities = count() by initiatingUserPrincipalName\r\n| sort by Activities desc nulls last ",
 "size": 0,
- "exportToExcelOptions": "visible",
 "title": "Top active users",
 "timeContext": {
- "durationMs": 0
+ "durationMs": 7776000000
 },
 "timeContextFromParameter": "TimeRange",
 "queryType": 0,
@@ -341,69 +321,43 @@
 "version": "KqlItem/1.0",
 "query": "let details = dynamic({UserInfo});\r\nlet data = AuditLogs\r\n| extend initiator = iif (tostring(InitiatedBy.user.userPrincipalName) != \"\", tostring(InitiatedBy.user.userPrincipalName), \"unknown\")\r\n| where details.Type == '*' or (details.Type == 'initiator' and initiator == details.Name) or (details.Type == 'Operation' and OperationName == details.Name)\r\n| where \"{Category:lable}\" == \"All\" or Category in ({Category})\r\n| where \"{Result:lable}\" == \"All\" or Result in ({Result})\r\n| where \"{User:lable}\" == \"All\" or initiator in ({User});\r\nlet appData = data\r\n| summarize TotalCount = count() by Result\r\n| join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by Result\r\n | project-away TimeGenerated) on Result\r\n| order by TotalCount desc, Result asc\r\n| project Result, TotalCount, Trend\r\n| serialize Id = row_number();\r\ndata\r\n| summarize TotalCount = count() by OperationName, Result\r\n| join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by Result, OperationName\r\n | project-away TimeGenerated) on Result, OperationName\r\n| order by TotalCount desc, Result asc\r\n| project Result, OperationName, TotalCount, Trend\r\n| serialize Id = row_number(1000000)\r\n| join kind=inner (appData) on Result\r\n| project Id, Name = OperationName, Type = 'Operation', ['Results Count'] = TotalCount, Trend, ParentId = Id1\r\n| union (appData \r\n | project Id, Name = Result, Type = 'Result', ['Results Count'] = TotalCount, Trend)\r\n| order by ['Results Count'] desc, Name asc",
 "size": 0,
- "exportParameterName": "ResultInfo",
- "exportDefaultValue": "{ \"Name\":\"\", \"Type\":\"*\"}",
- "exportToExcelOptions": "visible",
 "title": "Result status",
 "timeContext": {
 "durationMs": 0
 },
 "timeContextFromParameter": "TimeRange",
+ "exportParameterName": "ResultInfo",
+ "exportDefaultValue": "{ \"Name\":\"\", \"Type\":\"*\"}",
 "queryType": 0,
 "resourceType": "microsoft.operationalinsights/workspaces",
 "gridSettings": {
 "formatters": [
 {
 "columnMatch": "Id",
- "formatter": 5,
- "formatOptions": {
- "showIcon": true
- }
- },
- {
- "columnMatch": "Name",
- "formatter": 0,
- "formatOptions": {
- "showIcon": true
- }
+ "formatter": 5
 },
 {
 "columnMatch": "Type",
- "formatter": 5,
- "formatOptions": {
- "showIcon": true
- }
+ "formatter": 5
 },
 {
 "columnMatch": "Results Count",
 "formatter": 8,
 "formatOptions": {
 "min": 0,
- "palette": "grayBlue",
- "showIcon": true
+ "palette": "grayBlue"
 }
 },
 {
 "columnMatch": "Trend",
 "formatter": 9,
 "formatOptions": {
- "palette": "greenDark",
- "showIcon": true
+ "palette": "greenDark"
 }
 },
 {
 "columnMatch": "ParentId",
- "formatter": 5,
- "formatOptions": {
- "showIcon": true
- }
- },
- {
- "columnMatch": "Category",
- "formatter": 0,
- "formatOptions": {
- "showIcon": true
- }
+ "formatter": 5
 }
 ],
 "hierarchySettings": {
@@ -411,15 +365,16 @@
 "parentColumn": "ParentId",
 "treeType": 0,
 "expanderColumn": "Name"
- },
- "labelSettings": []
+ }
 }
 },
 "customWidth": "70",
 "name": "query - 5"
 }
 ],
- "styleSettings": {},
+ "fallbackResourceIds": [
+ ""
+ ],
 "fromTemplateId": "sentinel-AzureActiveDirectoryAuditLogs",
 "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
-}
\ No newline at end of file
+}

From aa330d7cfe114bb218c29e19ffc59a074e9e13cf Mon Sep 17 00:00:00 2001
From: Samik Roy
Date: Tue, 21 Sep 2021 01:01:44 +0530
Subject: [PATCH 2/2] Added trend based on Logged by Service

Added a widget to show the trend based on Logged by Service.

---
 Workbooks/WorkbooksMetadata.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Workbooks/WorkbooksMetadata.json b/Workbooks/WorkbooksMetadata.json
index 46cb3d5e026..13710da2f7f 100644
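Review bot: The new root-level `"fallbackResourceIds": [ "" ]` in the last hunk carries a single empty string, which identifies no resource and looks like an artifact of saving the workbook from the portal rather than a deliberate template value; if the intent is to let the deploying workspace supply the resource, the property should be dropped rather than shipped with an empty entry. The same hunk also removes `"styleSettings": {}`, which seems unrelated to the trend widget the commit message describes and should be mentioned in the description if it is intentional. The formatter simplification in the preceding hunk (dropping `formatOptions.showIcon` and the Name and Category entries) is style only; the KqlItem it belongs to starts outside this hunk.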
--- a/Workbooks/WorkbooksMetadata.json
+++ b/Workbooks/WorkbooksMetadata.json
@@ -188,7 +188,7 @@
 "dataTypesDependencies": [ "AuditLogs" ],
 "dataConnectorsDependencies": [ "AzureActiveDirectory" ],
 "previewImagesFileNames": [ "AzureADAuditLogsBlack1.png", "AzureADAuditLogsWhite1.png" ],
- "version": "1.1",
+ "version": "1.2",
 "title": "Azure AD Audit logs",
 "templateRelativePath": "AzureActiveDirectoryAuditLogs.json",
 "subtitle": "",