diff --git a/Workbooks/Images/Preview/syslogoverview-black.png b/Workbooks/Images/Preview/syslogoverview-black.png
new file mode 100644
index 00000000000..3d47eebd365
Binary files /dev/null and b/Workbooks/Images/Preview/syslogoverview-black.png differ
diff --git a/Workbooks/Images/Preview/syslogoverview-white.png b/Workbooks/Images/Preview/syslogoverview-white.png
new file mode 100644
index 00000000000..f9ecac46b11
Binary files /dev/null and b/Workbooks/Images/Preview/syslogoverview-white.png differ
diff --git a/Workbooks/WorkbooksMetadata.json b/Workbooks/WorkbooksMetadata.json
index f04f7f1fc79..e9c82dd2ce9 100644
--- a/Workbooks/WorkbooksMetadata.json
+++ b/Workbooks/WorkbooksMetadata.json
@@ -1664,5 +1664,18 @@
 "templateRelativePath": "SentinelWorkspaceReconTools.json",
 "subtitle": "",
 "provider": "Microsoft Sentinel Community"
+ },
+ {
+ "workbookKey": "SyslogOverview",
+ "logoFileName": "",
+ "description": "A workbook designed to show an overview about the data ingested through Syslog.",
+ "dataTypesDependencies": ["Syslog"],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [ "syslogoverview-white.png", "syslogoverview-black.png" ],
+ "version": "1.0.0",
+ "title": "Syslog Overview",
+ "templateRelativePath": "syslogoverview.json",
+ "subtitle": "",
+ "provider": "Microsoft Sentinel Community"
 }
 ]
diff --git a/Workbooks/syslogoverview.json b/Workbooks/syslogoverview.json
new file mode 100644
index 00000000000..4f71711a7c8
--- /dev/null
+++ b/Workbooks/syslogoverview.json
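Review bot: `"dataConnectorsDependencies": []` is left empty although `"dataTypesDependencies": ["Syslog"]` says the workbook reads the Syslog table, so the gallery cannot show the connector prerequisite for this entry; other Syslog-based entries in this file presumably name the connector id, and this one should match them (`"dataConnectorsDependencies": ["Syslog"]` if that is the id used elsewhere in the file). `"logoFileName": ""` and the all-lowercase `"templateRelativePath": "syslogoverview.json"` also depart from the PascalCase file naming visible on the context line (`SentinelWorkspaceReconTools.json`); a template named `SyslogOverview.json`, matching `workbookKey`, would keep the convention, but the file added in this commit must then be renamed in step, since the path is matched case-sensitively on Linux build agents. Minor: `previewImagesFileNames` is written with padded brackets while `dataTypesDependencies` is not — pick one style for the entry.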
@@ -0,0 +1,617 @@ +{ + "version": "Notebook/1.0", + "items": [ + { + "type": 1, + "content": { + "json": "# Syslog Overview\r\n\r\nThis workbook is designed to show an overview about the data ingested through Syslog.\r\nThis can span across multiple wokspaces as well.\r\n\r\nPlease use the filters make the needed chioce for \r\n\r\n- Subscriptions\r\n- TimeRange\r\n- Wokspaces\r\n- HostNames\r\n- Facilities\r\n- Severity Level" + }, + "name": "text - 1" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "21dea311-7dfc-41fb-99f6-d72f0f0c33c9", + "version": "KqlParameterItem/1.0", + "name": "Subscriptions", + "type": 6, + "isRequired": true, + "multiSelect": true, + "quote": "'", + "delimiter": ",", + "value": [ + "value::all" + ], + "typeSettings": { + "additionalResourceOptions": [ + "value::1", + "value::all" + ], + "includeAll": false + } + }, + { + "id": "9b289ad1-7eaa-411d-b2b0-43c69cf5aa14", + "version": "KqlParameterItem/1.0", + "name": "TimeRange", + "type": 4, + "isRequired": true, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 300000 + }, + { + "durationMs": 900000 + }, + { + "durationMs": 1800000 + }, + { + "durationMs": 3600000 + }, + { + "durationMs": 14400000 + }, + { + "durationMs": 43200000 + }, + { + "durationMs": 86400000 + }, + { + "durationMs": 172800000 + }, + { + "durationMs": 259200000 + }, + { + "durationMs": 604800000 + }, + { + "durationMs": 1209600000 + }, + { + "durationMs": 2419200000 + }, + { + "durationMs": 2592000000 + }, + { + "durationMs": 5184000000 + }, + { + "durationMs": 7776000000 + } + ] + }, + "value": { + "durationMs": 43200000 + } + }, + { + "id": "0698db8c-7a3a-4aec-bfb2-eb59942b0375", + "version": "KqlParameterItem/1.0", + "name": "Workspace", + "type": 5, + "isRequired": true, + "multiSelect": true, + "quote": "'", + "delimiter": ",", + "query": "where type =~ 'microsoft.operationalinsights/workspaces'", + "crossComponentResources": [ + 
"{Subscriptions}" + ], + "typeSettings": { + "additionalResourceOptions": [] + }, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources", + "value": [] + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "50", + "name": "Global" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Workspace}" + ], + "parameters": [ + { + "id": "1c90369f-1844-4d13-a46d-43a3359be543", + "version": "KqlParameterItem/1.0", + "name": "HostName", + "type": 5, + "isRequired": true, + "multiSelect": true, + "quote": "'", + "delimiter": ",", + "query": "Syslog\r\n| distinct HostName", + "crossComponentResources": [ + "{Workspace}" + ], + "value": [ + "value::all" + ], + "typeSettings": { + "additionalResourceOptions": [ + "value::all" + ], + "showDefault": false + }, + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "5daf3466-52d9-4674-b14d-d9cf72444235", + "version": "KqlParameterItem/1.0", + "name": "Facility", + "type": 5, + "isRequired": true, + "multiSelect": true, + "quote": "'", + "delimiter": ",", + "query": "Syslog\r\n| where HostName in~ ({HostName}) or '*' in~ ({HostName})\r\n| distinct Facility", + "crossComponentResources": [ + "{Workspace}" + ], + "value": [ + "value::all" + ], + "typeSettings": { + "additionalResourceOptions": [ + "value::all" + ], + "showDefault": false + }, + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "3e5d94d9-5faf-49df-af2f-f93f7f858fc9", + "version": "KqlParameterItem/1.0", + "name": "SeverityLevel", + "type": 5, + "isRequired": true, + "multiSelect": true, + "quote": "'", + "delimiter": ",", + "query": "Syslog\r\n| where HostName in~ 
({HostName}) or '*' in~ ({HostName})\r\n| where Facility in~ ({Facility}) or '*' in~ ({Facility})\r\n| distinct SeverityLevel", + "crossComponentResources": [ + "{Workspace}" + ], + "value": [ + "value::all" + ], + "typeSettings": { + "additionalResourceOptions": [ + "value::all" + ], + "showDefault": false + }, + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "1b53f2a7-c0e9-48a1-9e9c-213c6581182d", + "version": "KqlParameterItem/1.0", + "name": "Message", + "type": 1, + "isRequired": true, + "query": "Syslog\r\n| distinct Facility\r\n| summarize Selected = countif(Facility in ({Facility:value})), Total = count()\r\n| project Message = strcat(' ', Selected, ' out of ', Total, ' facilities selected')", + "crossComponentResources": [ + "{Workspace}" + ], + "isHiddenWhenLocked": true, + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "50", + "name": "Local" + }, + { + "type": 1, + "content": { + "json": "|Hosts|Facility|Severity|\r\n|--|--|--|--|\r\n|{HostName}|{Facility}|{SeverityLevel}|\r\n\r\n#### {Message}" + }, + "name": "text - 3" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "Syslog\r\n| where HostName in~ ({HostName}) or '*' in~ ({HostName})\r\n| where Facility in~ ({Facility}) or '*' in~ ({Facility})\r\n| where SeverityLevel in~ ({SeverityLevel}) or '*' in~ ({SeverityLevel})\r\n| summarize count() by HostName, bin(TimeGenerated,{TimeRange:grain})", + "size": 0, + "title": "Data Ingestion Trend", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "timechart" + }, + "name": 
"query - 10" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "Syslog\r\n| where HostName in~ ({HostName}) or '*' in~ ({HostName})\r\n| where Facility in~ ({Facility}) or '*' in~ ({Facility})\r\n| where SeverityLevel in~ ({SeverityLevel}) or '*' in~ ({SeverityLevel})\r\n| summarize arg_max(TimeGenerated,*) by HostName\r\n| extend ['Last Log Seen Ago'] = datetime_diff('second',now(), TimeGenerated)\r\n| order by ['Last Log Seen Ago'] desc \r\n| project HostName, ['Last Log Seen Ago']\r\n| join (Syslog\r\n | where HostName in~ ({HostName}) or '*' in~ ({HostName})\r\n | where Facility in~ ({Facility}) or '*' in~ ({Facility})\r\n | where SeverityLevel in~ ({SeverityLevel}) or '*' in~ ({SeverityLevel})\r\n | make-series SyslogIngestionTrend = count(SeverityLevel) default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by HostName) on HostName", + "size": 0, + "title": "Host Heartbeat & Trend", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Last Log Seen Ago", + "formatter": 8, + "formatOptions": { + "palette": "red" + }, + "numberFormat": { + "unit": 24, + "options": { + "style": "decimal" + } + } + }, + { + "columnMatch": "HostName1", + "formatter": 5 + }, + { + "columnMatch": "SyslogIngestionTrend", + "formatter": 10, + "formatOptions": { + "palette": "green" + } + }, + { + "columnMatch": "TimeGenerated", + "formatter": 5 + } + ], + "filter": true + } + }, + "customWidth": "50", + "name": "query - 11" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "Syslog\r\n| where HostName in~ ({HostName}) or '*' in~ ({HostName})\r\n| where Facility in~ ({Facility}) or '*' in~ ({Facility})\r\n| where SeverityLevel in~ ({SeverityLevel}) or '*' in~ ({SeverityLevel})\r\n| summarize count() by HostName", + "size": 0, + "title": "Host names", + 
"timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "barchart" + }, + "customWidth": "50", + "name": "query - 7" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "Syslog\r\n| where HostName in~ ({HostName}) or '*' in~ ({HostName})\r\n| where Facility in~ ({Facility}) or '*' in~ ({Facility})\r\n| where SeverityLevel in~ ({SeverityLevel}) or '*' in~ ({SeverityLevel})\r\n| summarize count() by Facility", + "size": 0, + "title": "Facility", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "categoricalbar" + }, + "customWidth": "50", + "name": "query - 7 - Copy" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "Syslog\r\n| where HostName in~ ({HostName}) or '*' in~ ({HostName})\r\n| where Facility in~ ({Facility}) or '*' in~ ({Facility})\r\n| where SeverityLevel in~ ({SeverityLevel}) or '*' in~ ({SeverityLevel})\r\n| summarize count() by SeverityLevel", + "size": 0, + "title": "Severity Level", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "categoricalbar" + }, + "customWidth": "50", + "name": "query - 7 - Copy - Copy" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "Syslog\r\n| where HostName in ({HostName}) or '*' in ({HostName})\r\n| where Facility in ({Facility}) or '*' in ({Facility})\r\n| where SeverityLevel in ({SeverityLevel}) or '*' in ({SeverityLevel})\r\n| summarize count(SeverityLevel) by SeverityLevel \r\n| extend jkey = 1\r\n| join (Syslog\r\n| where HostName in ({HostName}) or '*' in ({HostName})\r\n| where Facility in ({Facility}) or '*' in ({Facility})\r\n| where SeverityLevel in ({SeverityLevel}) or '*' in ({SeverityLevel})\r\n| make-series Trend = count(SeverityLevel) default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} 
step {TimeRange:grain} by SeverityLevel) on SeverityLevel", + "size": 1, + "title": "Severity Trend Summary", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "visualization": "tiles", + "tileSettings": { + "titleContent": { + "columnMatch": "SeverityLevel", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "debug", + "representation": "question", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "notice", + "representation": "Normal", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "info", + "representation": "1", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "warn", + "representation": "2", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "err", + "representation": "3", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "alert", + "representation": "2", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "emerg", + "representation": "4", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "crit", + "representation": "critical", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "success", + "text": "{0}{1}" + } + ] + } + }, + "leftContent": { + "columnMatch": "count_SeverityLevel", + "formatter": 12, + "formatOptions": { + "palette": "auto" + }, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + }, + "secondaryContent": { + "columnMatch": "Trend", + "formatter": 21, + "formatOptions": { + "min": 0, + "max": 5000, + "palette": "green" + } + }, + "showBorder": true, + "sortCriteriaField": "count_SeverityLevel", + "sortOrderField": 2 + } + }, + "name": "query - 4" + }, + { + "type": 3, + "content": { + "version": 
"KqlItem/1.0", + "query": "Syslog\r\n| where HostName in~ ({HostName}) or '*' in~ ({HostName})\r\n| where Facility in~ ({Facility}) or '*' in~ ({Facility})\r\n| where SeverityLevel in~ ({SeverityLevel}) or '*' in~ ({SeverityLevel})\r\n| summarize SyslogEventCount=count(SeverityLevel) by Facility, HostName\r\n| join (Syslog\r\n | where HostName in~ ({HostName}) or '*' in~ ({HostName})\r\n | where Facility in~ ({Facility}) or '*' in~ ({Facility})\r\n | where SeverityLevel in~ ({SeverityLevel}) or '*' in~ ({SeverityLevel})\r\n | make-series SyslogTimeLine = count(SeverityLevel) default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by Facility,HostName) on Facility,HostName\r\n| project-away Facility1, TimeGenerated", + "size": 0, + "title": "Syslog Trend", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "Facility", + "formatter": 5 + }, + { + "columnMatch": "HostName", + "formatter": 5 + }, + { + "columnMatch": "SyslogEventCount", + "formatter": 8, + "formatOptions": { + "palette": "blue" + } + }, + { + "columnMatch": "SyslogTimeLine", + "formatter": 21, + "formatOptions": { + "min": 0, + "max": 1000, + "palette": "green" + } + } + ], + "filter": true, + "hierarchySettings": { + "treeType": 1, + "groupBy": [ + "HostName" + ], + "expandTopLevel": true, + "finalBy": "Facility" + } + } + }, + "name": "query - 5" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "Syslog\r\n| where HostName in~ ({HostName}) or '*' in~ ({HostName})\r\n| where Facility in~ ({Facility}) or '*' in~ ({Facility})\r\n| where SeverityLevel in~ ({SeverityLevel}) or '*' in~ ({SeverityLevel})\r\n| extend Pack=pack_all()\r\n| extend TimeFromNow = now() - TimeGenerated\r\n| extend TimeAgo = strcat(case(TimeFromNow < 2m, strcat(toint(TimeFromNow / 1s), ' 
seconds'), TimeFromNow < 2h, strcat(toint(TimeFromNow / 1m), ' minutes'), TimeFromNow < 2d, strcat(toint(TimeFromNow / 1h), ' hours'), strcat(toint(TimeFromNow / 1d), ' days')), ' ago') \r\n| project [\"Time\"]=strcat('🕒', TimeAgo), HostName, SeverityLevel, Facility, SyslogMessage, ProcessName, [\"Details\"]=Pack\r\n", + "size": 2, + "showAnalytics": true, + "title": "Timeline", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "SeverityLevel", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "debug", + "representation": "question", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "emerg", + "representation": "4", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "crit", + "representation": "4", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "err", + "representation": "3", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "warning", + "representation": "2", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "notice", + "representation": "Normal", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "info", + "representation": "info", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "alert", + "representation": "2", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "success", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Details", + "formatter": 7, + "formatOptions": { + "linkTarget": "CellDetails", + "linkLabel": "🔍 View Details", + "linkIsContextBlade": true + } + } + ], + "rowLimit": 10000, + "filter": true + } + }, + "name": "query - 6" + } + ], + "fallbackResourceIds": [], + 
"fromTemplateId": "sentinel-syslogoverview", + "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json" +}
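Review bot: Five of the eight query items (`query - 10`, `query - 11`, `query - 7`, `query - 7 - Copy`, `query - 7 - Copy - Copy`) carry no `crossComponentResources`, while `query - 4`, `query - 5` and `query - 6` scope themselves to `["{Workspace}"]`; with `fallbackResourceIds` empty, the unscoped items presumably do not follow the Workspace selector, so the multi-workspace overview the intro text promises only holds for three charts — add `"crossComponentResources": [ "{Workspace}" ],` to each of the five. The `Severity Trend Summary` query (`query - 4`) filters with case-sensitive `in` where every other query uses `in~`, and its threshold grid matches `warn` while the `Timeline` grid (`query - 6`) matches `warning`; whichever spelling the table does not produce falls through to the `Default` row and is drawn with the `success` representation, which is the wrong signal for a warning-level or unrecognised syslog event — align the spelling across both grids and give the `Default` row a neutral icon rather than `success`. `query - 7 - Copy - Copy` (`Severity Level`) is the only chart without `"timeContextFromParameter": "TimeRange"`, so it ignores the selected time range while its siblings honour it. The intro markdown in `text - 1` needs a wording pass (`wokspaces`, `chioce`, "use the filters make the needed"), and the table in `text - 3` declares three header cells but four separator cells (`|--|--|--|--|`), which some markdown renderers reject.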