{
"name": "AmazonWebServicesUserActivities-{Workspace_Name}",
"type": "Microsoft.Portal/dashboards",
"location": "{Dashboard_Location}",
"tags": {
"dashboardKey": "AmazonWebServicesUserActivities",
"hidden-title": "Amazon Web Services User Activities - {Workspace_Name}",
"version": "1.1",
"workspaceName": "{Workspace_Name}"
},
"properties": {
"lenses": {
"0": {
"order": 0,
"parts": {
"0": {
"position": {
"x": 1,
"y": 0,
"colSpan": 24,
"rowSpan": 1
},
"metadata": {
"inputs": [],
"type": "Extension/HubsExtension/PartType/MarkdownPart",
"settings": {
"content": {
"settings": {
"content": "<div style=\"font-size:300%;\">AWS user activities</div>",
"title": "",
"subtitle": ""
}
}
}
}
},
"1": {
"position": {
"x": 0,
"y": 1,
"colSpan": 8,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AWSCloudTrail\r\n| where EventName contains \"Login\"\r\n| project TimeGenerated, UserIdentityArn, SourceIpAddress, LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin)\r\n| summarize count() by TimeGenerated, LoginResult\r\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "TimeGenerated",
"type": "DateTime"
},
"yAxis": [
{
"name": "count_",
"type": "Int64"
}
],
"splitBy": [
{
"name": "LoginResult",
"type": "String"
}
],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AmazonWebServicesUserActivities_{Workspace_Name}"
},
{
"name": "PartId",
"value": "5730f174-ea6e-4628-8b66-9df48510aff2"
},
{
"name": "PartTitle",
"value": " "
},
{
"name": "PartSubTitle",
"value": "centralworkspace"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsChart"
},
{
"name": "SpecificChart",
"value": "Bar"
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Sign-in events",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"2": {
"position": {
"x": 8,
"y": 1,
"colSpan": 12,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AWSCloudTrail\r\n| where EventName contains \"login\" or EventName contains \"signin\"\r\n| extend Result = tostring(parse_json(ResponseElements).ConsoleLogin)\r\n| summarize Success = sum(Result == \"Success\"), Failure = sum(Result != \"Success\") by UserIdentityUserName, UserIdentityAccountId, SourceIpAddress\r\n| summarize NumberOfIPs = count() by UserIdentityUserName, UserIdentityAccountId, Success, Failure\r\n| sort by Failure desc \r\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AmazonWebServicesUserActivities_{Workspace_Name}"
},
{
"name": "PartId",
"value": "8a369977-cdbf-4a60-93e0-815cb9f614a6"
},
{
"name": "PartTitle",
"value": " "
},
{
"name": "PartSubTitle",
"value": "centralworkspace"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsGrid"
},
{
"name": "Dimensions",
"isOptional": true
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "User sign-ins, by failure rate, and IP addresses",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"3": {
"position": {
"x": 20,
"y": 1,
"colSpan": 5,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AWSCloudTrail\r\n| where UserIdentityType == \"IAMUser\"\r\n| summarize NumberOfEvents = count() by UserIdentityUserName\r\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AmazonWebServicesUserActivities_{Workspace_Name}"
},
{
"name": "PartId",
"value": "17bfeed3-9644-40bb-85fe-3d3336420c8f"
},
{
"name": "PartTitle",
"value": " "
},
{
"name": "PartSubTitle",
"value": "centralworkspace"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsGrid"
},
{
"name": "Dimensions",
"isOptional": true
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Active users",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"4": {
"position": {
"x": 0,
"y": 5,
"colSpan": 8,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AWSCloudTrail\r\n| where EventName contains \"Login\"\r\n| where tostring(parse_json(ResponseElements).ConsoleLogin) == \"Success\"\r\n| project TimeGenerated, UserIdentityArn, SourceIpAddress\r\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AmazonWebServicesUserActivities_{Workspace_Name}"
},
{
"name": "PartId",
"value": "3385826b-4283-441a-bd1d-af4719f58460"
},
{
"name": "PartTitle",
"value": " "
},
{
"name": "PartSubTitle",
"value": "centralworkspace"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsGrid"
},
{
"name": "Dimensions",
"isOptional": true
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Failed sign-ins",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"5": {
"position": {
"x": 8,
"y": 5,
"colSpan": 12,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AWSCloudTrail\n| where EventName == \"GetCallerIdentity\"\n| where UserIdentityType == \"AssumedRole\" \n| summarize by SourceIpAddress, TimeGenerated, UserIdentityAccountId, UserIdentityPrincipalid, AWSRegion\n| sort by TimeGenerated desc nulls last \n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/rg-tccc-prod-ops-mgmt/providers/Microsoft.Portal/dashboards/b6cd42bc-e973-4f56-a8ae-51c3bebbd218"
},
{
"name": "PartId",
"value": "b06aac41-b77c-412d-8a46-0bdeb1d7676d"
},
{
"name": "PartTitle",
"value": " "
},
{
"name": "PartSubTitle",
"value": "ws-tccc-use2-0001"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsGrid"
},
{
"name": "Dimensions",
"isOptional": true
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Suspicious assumed-role account reconnaissance",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"6": {
"position": {
"x": 20,
"y": 5,
"colSpan": 5,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AWSCloudTrail\r\n| summarize NumberOfEvents = count() by UserIdentityAccountId\r\n| where UserIdentityAccountId != \"\"\r\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AmazonWebServicesUserActivities_{Workspace_Name}"
},
{
"name": "PartId",
"value": "429389b1-1258-4d39-aae3-8c470bc9fa9c"
},
{
"name": "PartTitle",
"value": " "
},
{
"name": "PartSubTitle",
"value": "centralworkspace"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsGrid"
},
{
"name": "Dimensions",
"isOptional": true
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Active account IDs",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"7": {
"position": {
"x": 0,
"y": 9,
"colSpan": 13,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AWSCloudTrail\r\n| where EventName contains \"login\" or EventName contains \"signin\"\r\n| summarize count() by EventTypeName, TimeGenerated\r\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "TimeGenerated",
"type": "DateTime"
},
"yAxis": [
{
"name": "count_",
"type": "Int64"
}
],
"splitBy": [
{
"name": "EventTypeName",
"type": "String"
}
],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AmazonWebServicesUserActivities_{Workspace_Name}"
},
{
"name": "PartId",
"value": "b76629c0-1b01-4e55-b2c4-dcce81866561"
},
{
"name": "PartTitle",
"value": " "
},
{
"name": "PartSubTitle",
"value": "centralworkspace"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsChart"
},
{
"name": "SpecificChart",
"value": "Bar"
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Sign-in types",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"8": {
"position": {
"x": 13,
"y": 9,
"colSpan": 12,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AWSCloudTrail\r\n| summarize count() by AWSRegion, TimeGenerated\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "TimeGenerated",
"type": "DateTime"
},
"yAxis": [
{
"name": "count_",
"type": "Int64"
}
],
"splitBy": [
{
"name": "AWSRegion",
"type": "String"
}
],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AmazonWebServicesUserActivities_{Workspace_Name}"
},
{
"name": "PartId",
"value": "03d63029-7b60-4fc0-9069-fa4fffdeb54c"
},
{
"name": "PartTitle",
"value": " "
},
{
"name": "PartSubTitle",
"value": "centralworkspace"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsChart"
},
{
"name": "SpecificChart",
"value": "Line"
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Activities, by region",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"9": {
"position": {
"x": 0,
"y": 13,
"colSpan": 9,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AWSCloudTrail\r\n| summarize count() by UserIdentityType, TimeGenerated\r\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "TimeGenerated",
"type": "DateTime"
},
"yAxis": [
{
"name": "count_",
"type": "Int64"
}
],
"splitBy": [
{
"name": "UserIdentityType",
"type": "String"
}
],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AmazonWebServicesUserActivities_{Workspace_Name}"
},
{
"name": "PartId",
"value": "fe5e5fa6-c41d-4daa-98e9-c05221645c2e"
},
{
"name": "PartTitle",
"value": " "
},
{
"name": "PartSubTitle",
"value": "centralworkspace"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsChart"
},
{
"name": "SpecificChart",
"value": "Bar"
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "User identity types",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"10": {
"position": {
"x": 9,
"y": 13,
"colSpan": 5,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AWSCloudTrail\r\n| summarize count() by UserIdentityType\r\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "UserIdentityType",
"type": "String"
},
"yAxis": [
{
"name": "count_",
"type": "Int64"
}
],
"splitBy": [],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AmazonWebServicesUserActivities_{Workspace_Name}"
},
{
"name": "PartId",
"value": "ec187a28-6c5a-466e-b21c-245f66c87965"
},
{
"name": "PartTitle",
"value": " "
},
{
"name": "PartSubTitle",
"value": "centralworkspace"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsDonut"
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "User identity types",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"11": {
"position": {
"x": 14,
"y": 13,
"colSpan": 11,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AWSCloudTrail\r\n| summarize count() by UserAgent, TimeGenerated\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "TimeGenerated",
"type": "DateTime"
},
"yAxis": [
{
"name": "count_",
"type": "Int64"
}
],
"splitBy": [
{
"name": "UserAgent",
"type": "String"
}
],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AmazonWebServicesUserActivities_{Workspace_Name}"
},
{
"name": "PartId",
"value": "cfd76ba1-6c6b-4ed6-9864-65f3526aaba8"
},
{
"name": "PartTitle",
"value": " "
},
{
"name": "PartSubTitle",
"value": "centralworkspace"
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsChart"
},
{
"name": "SpecificChart",
"value": "Bar"
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "User agents",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"12": {
"position": {
"x": 0,
"y": 0,
"colSpan": 1,
"rowSpan": 1
},
"metadata": {
"inputs": [
{
"name": "subscriptionId",
"value": "{Subscription_Id}"
},
{
"name": "resourceGroup",
"value": "{Resource_Group}"
},
{
"name": "workspaceName",
"value": "{Workspace_Name}"
},
{
"name": "dashboardName",
"value": "AmazonWebServicesUserActivities"
},
{
"name": "menuItemToOpen",
"value": "Dashboards"
}
],
"type": "Extension/Microsoft_Azure_Security_Insights/PartType/AsiOverviewPart",
"defaultMenuItemId": "0"
}
}
}
}
}
}
}cloudflare/Azure-Sentinel
Publicmirrored fromhttps://github.com/cloudflare/Azure-Sentinel
Dashboards/AWS_user_activities.json
1003lines · modepreview
unknown