{
"name": "AzureADAuditlogsDashboard_{Workspace_Name}",
"type": "Microsoft.Portal/dashboards",
"location": "{Dashboard_Location}",
"tags": {
"dashboardKey": "AzureADAuditLogsDashboard",
"hidden-title": "Azure AD Audit - {Workspace_Name}",
"version": "1.1",
"workspaceName": "{Workspace_Name}"
},
"properties": {
"lenses": {
"0": {
"order": 0,
"parts": {
"0": {
"position": {
"x": 1,
"y": 0,
"colSpan": 22,
"rowSpan": 1
},
"metadata": {
"inputs": [],
"type": "Extension/HubsExtension/PartType/MarkdownPart",
"settings": {
"content": {
"settings": {
"content": "<div style='font-size:300%;'>Audit logs</div>",
"title": "",
"subtitle": ""
}
}
}
}
},
"1": {
"position": {
"x": 0,
"y": 1,
"colSpan": 15,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AuditLogs\r\n| where SourceSystem == \"Azure AD\"\r\n| summarize count() by Result, TimeGenerated\r\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "TimeGenerated",
"type": "DateTime"
},
"yAxis": [
{
"name": "count_",
"type": "Int64"
}
],
"splitBy": [
{
"name": "Result",
"type": "String"
}
],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureADAuditLogsDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "75dec2fe-d2af-4552-b599-2343c4c59d00"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": " "
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsChart"
},
{
"name": "SpecificChart",
"value": "Area"
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Audit log events, by time",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"2": {
"position": {
"x": 15,
"y": 1,
"colSpan": 5,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AuditLogs\r\n| where SourceSystem == \"Azure AD\"\r\n| where Result == \"failure\"\r\n| summarize count() by Category\r\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "Category",
"type": "String"
},
"yAxis": [
{
"name": "count_",
"type": "Int64"
}
],
"splitBy": [],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureADAuditLogsDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "2fe1a90b-3da8-4b91-bc11-0f47b0bf35c6"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": " "
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsDonut"
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Failed operations, by category",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"3": {
"position": {
"x": 20,
"y": 1,
"colSpan": 5,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AuditLogs\r\n| where SourceSystem == \"Azure AD\"\r\n| summarize count() by Result\r\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "Result",
"type": "String"
},
"yAxis": [
{
"name": "count_",
"type": "Int64"
}
],
"splitBy": [],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureADAuditLogsDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "49cc0c45-e377-43d9-bc61-764486214a04"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": " "
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsDonut"
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Failed operations",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"4": {
"position": {
"x": 0,
"y": 5,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AuditLogs\r\n| where SourceSystem == \"Azure AD\"\r\n| summarize count() by Category\r\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "Category",
"type": "String"
},
"yAxis": [
{
"name": "count_",
"type": "Int64"
}
],
"splitBy": [],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureADAuditLogsDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "810f220f-ef51-48fd-8951-d5fae9143bf0"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": " "
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsDonut"
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Audit log event, by category",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"5": {
"position": {
"x": 6,
"y": 5,
"colSpan": 13,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AuditLogs\r\n| where SourceSystem == \"Azure AD\"\r\n| extend initiator= tostring(InitiatedBy.user.userPrincipalName)\r\n| where initiator!= \"\" \r\n| summarize count() by initiator, TimeGenerated\r\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "TimeGenerated",
"type": "DateTime"
},
"yAxis": [
{
"name": "count_",
"type": "Int64"
}
],
"splitBy": [
{
"name": "initiator",
"type": "String"
}
],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureADAuditLogsDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "60f2aa9f-7066-4e39-88dd-063517733118"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": " "
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsChart"
},
{
"name": "SpecificChart",
"value": "Line"
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "User activity",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"6": {
"position": {
"x": 19,
"y": 5,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AuditLogs\r\n| where SourceSystem == \"Azure AD\"\r\n| extend initiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\r\n| where initiatingUserPrincipalName != \"\" \r\n| summarize Activities = count() by initiatingUserPrincipalName\r\n| sort by Activities desc nulls last \r\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureADAuditLogsDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "c3e7627d-1241-4e42-92f9-bed86a645df9"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": " "
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsGrid"
},
{
"name": "Dimensions",
"isOptional": true
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Top active users",
"PartSubTitle": " ",
"Query": "AuditLogs\n| where SourceSystem == \"Azure AD\"\n| extend initiator= tostring(InitiatedBy.user.userPrincipalName)\n| where initiator!= \"\" \n| summarize Activities = count() by initiator| sort by Activities desc\n",
"GridColumnsWidth": {
"initiatingUserPrincipalName": "232px",
"Activities": "205px"
}
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"7": {
"position": {
"x": 0,
"y": 9,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AuditLogs\r\n| where SourceSystem == \"Azure AD\"\r\n| extend initiatorType = iff(tostring(InitiatedBy.user.userPrincipalName) != \"\", 'User', iff(tostring(InitiatedBy.app.displayName) != \"\", 'App', 'None'))\r\n| summarize count() by initiatorType\r\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "initiatorType",
"type": "String"
},
"yAxis": [
{
"name": "count_",
"type": "Int64"
}
],
"splitBy": [],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureADAuditLogsDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "d4ceb580-1840-4f4c-94d6-d37d16684f3f"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": " "
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsDonut"
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Audit log events, by initiator type",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"8": {
"position": {
"x": 6,
"y": 9,
"colSpan": 13,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AuditLogs\r\n| where SourceSystem == \"Azure AD\"\r\n| extend initiator = tostring(InitiatedBy.app.displayName)\r\n| where initiator != \"\" \r\n| summarize count() by initiator, TimeGenerated\r\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "TimeGenerated",
"type": "DateTime"
},
"yAxis": [
{
"name": "count_",
"type": "Int64"
}
],
"splitBy": [
{
"name": "initiator",
"type": "String"
}
],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureADAuditLogsDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "be42cb13-eaa2-48d7-abaa-c708b129f9c1"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": " "
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsChart"
},
{
"name": "SpecificChart",
"value": "Line"
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Application activity",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"9": {
"position": {
"x": 19,
"y": 9,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AuditLogs\r\n| where SourceSystem == \"Azure AD\"\r\n| extend initiator= tostring(InitiatedBy.app.displayName)\r\n| where initiator!= \"\" \r\n| summarize Activities = count() by initiator| sort by Activities desc nulls last \r\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureADAuditLogsDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "f01548dc-8b73-4ceb-b753-2ae86e4a8be1"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": " "
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsGrid"
},
{
"name": "Dimensions",
"isOptional": true
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Top active applications",
"PartSubTitle": " ",
"Query": "AuditLogs\n| where SourceSystem == \"Azure AD\"\n| extend initiator= tostring(InitiatedBy.app.displayName)\n| where initiator!= \"\" \n| summarize Activities = count() by initiator| sort by Activities desc\n"
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"10": {
"position": {
"x": 0,
"y": 13,
"colSpan": 25,
"rowSpan": 1
},
"metadata": {
"inputs": [],
"type": "Extension/HubsExtension/PartType/MarkdownPart",
"settings": {
"content": {
"settings": {
"content": "<div style='font-size:300%;'>User management activities</div>",
"title": "",
"subtitle": ""
}
}
}
}
},
"11": {
"position": {
"x": 0,
"y": 14,
"colSpan": 16,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AuditLogs\r\n| where SourceSystem == \"Azure AD\"\r\n| where Category == \"UserManagement\"\r\n| summarize count() by TimeGenerated, Result\r\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "TimeGenerated",
"type": "DateTime"
},
"yAxis": [
{
"name": "count_",
"type": "Int64"
}
],
"splitBy": [
{
"name": "Result",
"type": "String"
}
],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureADAuditLogsDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "f2d8bb07-0c70-49ca-9d5d-2b46a51d3447"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": " "
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsChart"
},
{
"name": "SpecificChart",
"value": "Area"
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "User management events",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"12": {
"position": {
"x": 16,
"y": 14,
"colSpan": 9,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AuditLogs\r\n| where SourceSystem == \"Azure AD\"\r\n| where Category == \"UserManagement\"\r\n| where Result == \"failure\"\r\n| extend initiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\r\n| project TimeGenerated, initiatingUserPrincipalName, OperationName, ResultReason \r\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureADAuditLogsDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "b0873481-1d40-416e-b239-8b67dd6be955"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": " "
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsGrid"
},
{
"name": "Dimensions",
"isOptional": true
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Failed user management activities",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"13": {
"position": {
"x": 0,
"y": 18,
"colSpan": 12,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AuditLogs\r\n| where SourceSystem == \"Azure AD\"\r\n| where Category == \"UserManagement\"\r\n| where OperationName !contains \"password\"\r\n| summarize Activities = count() by OperationName, TimeGenerated\r\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "TimeGenerated",
"type": "DateTime"
},
"yAxis": [
{
"name": "Activities",
"type": "Int64"
}
],
"splitBy": [
{
"name": "OperationName",
"type": "String"
}
],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureADAuditLogsDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "c1ebc325-f3da-404b-bd0d-022d2538271b"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": " "
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsChart"
},
{
"name": "SpecificChart",
"value": "Bar"
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "User management operations",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"14": {
"position": {
"x": 12,
"y": 18,
"colSpan": 5,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AuditLogs\r\n| where SourceSystem == \"Azure AD\"\r\n| where Category == \"UserManagement\"\r\n| where OperationName !contains \"password\"\r\n| summarize Activities = count() by OperationName\r\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "OperationName",
"type": "String"
},
"yAxis": [
{
"name": "Activities",
"type": "Int64"
}
],
"splitBy": [],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureADAuditLogsDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "56fdd088-cc67-4dab-9ec6-2801051ffdec"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": " "
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsDonut"
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "User management operations",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"15": {
"position": {
"x": 17,
"y": 18,
"colSpan": 8,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AuditLogs\r\n| where SourceSystem == \"Azure AD\"\r\n| where Category == \"UserManagement\"\r\n| extend initiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\r\n| where initiatingUserPrincipalName != \"\" \r\n| summarize Activities = count() by initiatingUserPrincipalName\r\n| sort by Activities desc nulls last \r\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureADAuditLogsDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "c4167301-8e94-43bf-a4bb-32774122a124"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": " "
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsGrid"
},
{
"name": "Dimensions",
"isOptional": true
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Top active users",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"16": {
"position": {
"x": 0,
"y": 22,
"colSpan": 12,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AuditLogs\r\n| where SourceSystem == \"Azure AD\"\r\n| where Category == \"UserManagement\"\r\n| extend initiatingUserPrincipalName = iff(tostring(InitiatedBy.user.userPrincipalName) != \"\", tostring(InitiatedBy.user.userPrincipalName), \"N/A\")\r\n| where OperationName contains \"password\"\r\n| summarize Activities = count() by OperationName, TimeGenerated\r\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "TimeGenerated",
"type": "DateTime"
},
"yAxis": [
{
"name": "Activities",
"type": "Int64"
}
],
"splitBy": [
{
"name": "OperationName",
"type": "String"
}
],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureADAuditLogsDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "7c54d051-1636-4ef9-b72d-d6606cd4f044"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": " "
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsChart"
},
{
"name": "SpecificChart",
"value": "Bar"
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "User password management operations",
"PartSubTitle": " ",
"Query": "AuditLogs\n| where SourceSystem == \"Azure AD\"\n| where Category == \"UserManagement\"\n| where OperationName contains \"password\"\n| summarize Activities = count() by OperationName, TimeGenerated\n"
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"17": {
"position": {
"x": 12,
"y": 22,
"colSpan": 5,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AuditLogs\r\n| where SourceSystem == \"Azure AD\"\r\n| where Category == \"UserManagement\"\r\n| where OperationName contains \"password\"\r\n| summarize Activities = count() by OperationName\r\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "OperationName",
"type": "String"
},
"yAxis": [
{
"name": "Activities",
"type": "Int64"
}
],
"splitBy": [],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureADAuditLogsDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "4c691280-9025-4828-9934-984814ec896e"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": " "
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsDonut"
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "User password management operations",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"18": {
"position": {
"x": 17,
"y": 22,
"colSpan": 8,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AuditLogs\r\n| where SourceSystem == \"Azure AD\"\r\n| where Category == \"UserManagement\"\r\n| extend initiator = tostring(InitiatedBy.app.displayName)\r\n| where initiator != \"\" \r\n| summarize count() by initiator, OperationName\r\n| sort by count_ desc \r\n| summarize NumberOfOperations = sum(count_), Top3Operations = makelist(OperationName, 3) by initiator\r\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureADAuditLogsDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "ed829606-d9c8-4dbd-8b06-e257c1c8483e"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": " "
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsGrid"
},
{
"name": "Dimensions",
"isOptional": true
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Top active applications",
"PartSubTitle": " ",
"Query": "AuditLogs\n| where SourceSystem == \"Azure AD\"\n| where Category == \"UserManagement\"\n| extend initiator = tostring(InitiatedBy.app.displayName)\n| where initiator != \"\" \n| summarize count() by initiator, OperationName\n| sort by count_ desc \n| summarize NumberOfOperations = sum(count_), Top3Operations = makelist(OperationName, 3) by initiator\n| sort by NumberOfOperations desc"
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"19": {
"position": {
"x": 0,
"y": 26,
"colSpan": 25,
"rowSpan": 1
},
"metadata": {
"inputs": [],
"type": "Extension/HubsExtension/PartType/MarkdownPart",
"settings": {
"content": {
"settings": {
"content": "<div style='font-size:300%;'>Group management activities</div>",
"title": "",
"subtitle": ""
}
}
}
}
},
"20": {
"position": {
"x": 0,
"y": 27,
"colSpan": 16,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AuditLogs\r\n| where SourceSystem == \"Azure AD\"\r\n| where Category == \"GroupManagement\"\r\n| summarize count() by TimeGenerated, Result\r\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "TimeGenerated",
"type": "DateTime"
},
"yAxis": [
{
"name": "count_",
"type": "Int64"
}
],
"splitBy": [
{
"name": "Result",
"type": "String"
}
],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureADAuditLogsDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "ebe9f0d5-f7c5-42c2-b20a-5d9330f996ec"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": " "
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsChart"
},
{
"name": "SpecificChart",
"value": "Area"
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Group management events",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"21": {
"position": {
"x": 16,
"y": 27,
"colSpan": 9,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AuditLogs\r\n| where SourceSystem == \"Azure AD\"\r\n| where Category == \"UserManagement\"\r\n| where Result == \"failure\"\r\n| extend initiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\r\n| project TimeGenerated, initiatingUserPrincipalName, OperationName, ResultReason \r\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureADAuditLogsDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "3ca63e54-7e67-4d67-ba79-6361d75ce8a0"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": " "
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsGrid"
},
{
"name": "Dimensions",
"isOptional": true
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Failed group management activities",
"PartSubTitle": " ",
"Query": "AuditLogs\n| where SourceSystem == \"Azure AD\"\n| where Category == \"GroupManagement\"\n| where Result == \"failure\"\n| extend initiator= tostring(InitiatedBy.user.userPrincipalName)\n| project TimeGenerated, initiator, OperationName, ResultReason \n"
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"22": {
"position": {
"x": 0,
"y": 31,
"colSpan": 19,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AuditLogs\r\n| where SourceSystem == \"Azure AD\"\r\n| where Category == \"GroupManagement\"\r\n| project TimeGenerated, OperationName, initiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName), numTargets = array_length(TargetResources)\r\n| where initiatingUserPrincipalName != \"\" \r\n| summarize sum(numTargets) by OperationName, initiatingUserPrincipalName, TimeGenerated\r\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "TimeGenerated",
"type": "DateTime"
},
"yAxis": [
{
"name": "sum_numTargets",
"type": "Int64"
}
],
"splitBy": [
{
"name": "OperationName",
"type": "String"
}
],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureADAuditLogsDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "447d088e-c5bd-4884-b9a9-030ef539dc24"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": " "
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsChart"
},
{
"name": "SpecificChart",
"value": "Bar"
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Group management operations",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"23": {
"position": {
"x": 19,
"y": 31,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AuditLogs\r\n| where SourceSystem == \"Azure AD\"\r\n| where Category == \"GroupManagement\"\r\n| summarize count() by OperationName\r\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "OperationName",
"type": "String"
},
"yAxis": [
{
"name": "count_",
"type": "Int64"
}
],
"splitBy": [],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureADAuditLogsDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "79b5c96e-59ae-432b-8d27-0abd701a0ab3"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": " "
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsDonut"
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Group management operations",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"24": {
"position": {
"x": 0,
"y": 35,
"colSpan": 13,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AuditLogs\r\n| where SourceSystem == \"Azure AD\"\r\n| where Category == \"GroupManagement\"\r\n| extend initiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\r\n| where initiatingUserPrincipalName != \"\" \r\n| summarize count() by initiatingUserPrincipalName, OperationName\r\n| sort by count_ desc \r\n| summarize NumberOfOperations = sum(count_), Top3Operations = makelist(OperationName, 3) by initiatingUserPrincipalName\r\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureADAuditLogsDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "4d196303-23db-4cc5-b889-6145023282c8"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": " "
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsGrid"
},
{
"name": "Dimensions",
"isOptional": true
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Top active users",
"PartSubTitle": " ",
"Query": "AuditLogs\n| where SourceSystem == \"Azure AD\"\n| where Category == \"GroupManagement\"\n| extend initiator= tostring(InitiatedBy.user.userPrincipalName)\n| where initiator!= \"\" \n| summarize count() by initiator, OperationName\n| sort by count_ desc \n| summarize NumberOfOperations = sum(count_), Top3Operations = makelist(OperationName, 3) by initiator\n| sort by NumberOfOperations desc"
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"25": {
"position": {
"x": 13,
"y": 35,
"colSpan": 12,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AuditLogs\r\n| where SourceSystem == \"Azure AD\"\r\n| where Category == \"GroupManagement\"\r\n| extend initiator = tostring(InitiatedBy.app.displayName)\r\n| where initiator != \"\" \r\n| summarize count() by initiator, OperationName\r\n| sort by count_ desc \r\n| summarize NumberOfOperations = sum(count_), Top3Operations = makelist(OperationName, 3) by initiator\r\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureADAuditLogsDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "e9bc2106-70f3-4d57-9dfb-ff006ddaddbf"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": " "
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsGrid"
},
{
"name": "Dimensions",
"isOptional": true
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Top active applications",
"PartSubTitle": " ",
"Query": "AuditLogs\n| where SourceSystem == \"Azure AD\"\n| where Category == \"GroupManagement\"\n| extend initiator = tostring(InitiatedBy.app.displayName)\n| where initiator != \"\" \n| summarize count() by initiator, OperationName\n| sort by count_ desc \n| summarize NumberOfOperations = sum(count_), Top3Operations = makelist(OperationName, 3) by initiator\n| sort by NumberOfOperations desc"
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"26": {
"position": {
"x": 0,
"y": 39,
"colSpan": 25,
"rowSpan": 1
},
"metadata": {
"inputs": [],
"type": "Extension/HubsExtension/PartType/MarkdownPart",
"settings": {
"content": {
"settings": {
"content": "<div style='font-size:300%;'>Role management activities</div>",
"title": "",
"subtitle": ""
}
}
}
}
},
"27": {
"position": {
"x": 0,
"y": 40,
"colSpan": 16,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AuditLogs\r\n| where SourceSystem == \"Azure AD\"\r\n| where Category == \"RoleManagement\"\r\n| summarize count() by Result, TimeGenerated\r\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "TimeGenerated",
"type": "DateTime"
},
"yAxis": [
{
"name": "count_",
"type": "Int64"
}
],
"splitBy": [
{
"name": "Result",
"type": "String"
}
],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureADAuditLogsDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "b799e7f3-9930-448f-9600-a3dcf8ccc7cb"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": " "
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsChart"
},
{
"name": "SpecificChart",
"value": "Line"
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Role management events",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"28": {
"position": {
"x": 16,
"y": 40,
"colSpan": 9,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AuditLogs\r\n| where SourceSystem == \"Azure AD\"\r\n| where Category == \"UserManagement\"\r\n| where Result == \"failure\"\r\n| extend initiator= tostring(InitiatedBy.user.userPrincipalName)\r\n| project TimeGenerated, initiator, OperationName, ResultReason \r\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureADAuditLogsDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "27700183-94e7-4fbf-a6bd-c0ff0b9fb20d"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": " "
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsGrid"
},
{
"name": "Dimensions",
"isOptional": true
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Failed role management activities",
"PartSubTitle": " ",
"Query": "AuditLogs\n| where SourceSystem == \"Azure AD\"\n| where Category == \"RoleManagement\"\n| where Result == \"failure\"\n| extend initiator= tostring(InitiatedBy.user.userPrincipalName)\n| project TimeGenerated, initiator, OperationName, ResultReason \n"
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"29": {
"position": {
"x": 0,
"y": 44,
"colSpan": 20,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AuditLogs\r\n| where SourceSystem == \"Azure AD\"\r\n| where Category == \"RoleManagement\"\r\n| summarize count() by OperationName, TimeGenerated\r\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "TimeGenerated",
"type": "DateTime"
},
"yAxis": [
{
"name": "count_",
"type": "Int64"
}
],
"splitBy": [
{
"name": "OperationName",
"type": "String"
}
],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureADAuditLogsDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "fe9345f6-783c-4a17-94a7-ccebfeb68735"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": " "
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsChart"
},
{
"name": "SpecificChart",
"value": "Bar"
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Role management operations",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"30": {
"position": {
"x": 20,
"y": 44,
"colSpan": 5,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AuditLogs\r\n| where SourceSystem == \"Azure AD\"\r\n| where Category == \"RoleManagement\"\r\n| summarize count() by OperationName\r\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "OperationName",
"type": "String"
},
"yAxis": [
{
"name": "count_",
"type": "Int64"
}
],
"splitBy": [],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureADAuditLogsDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "b3859a1f-3d8c-49ce-a32a-33d1a9b4294a"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": " "
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsDonut"
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Role management operations",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"31": {
"position": {
"x": 0,
"y": 48,
"colSpan": 13,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AuditLogs\r\n| where SourceSystem == \"Azure AD\"\r\n| where Category == \"RoleManagement\"\r\n| extend initiator= tostring(InitiatedBy.user.userPrincipalName)\r\n| where initiator!= \"\" \r\n| summarize Activities = count() by initiator, OperationName\r\n| sort by Activities desc\r\n| summarize NumberOfOperations = sum(Activities), Top3Operations = makelist(OperationName, 3) by initiator\r\n| sort by NumberOfOperations desc\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureADAuditLogsDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "5ffd6c0e-4bf0-4a91-93d1-f4b65867abb9"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": " "
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsGrid"
},
{
"name": "Dimensions",
"isOptional": true
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Top active users",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"32": {
"position": {
"x": 13,
"y": 48,
"colSpan": 12,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AuditLogs\r\n| where SourceSystem == \"Azure AD\"\r\n| where Category == \"UserManagement\"\r\n| extend initiator = tostring(InitiatedBy.app.displayName)\r\n| where initiator != \"\" \r\n| summarize count() by initiator, OperationName\r\n| sort by count_ desc \r\n| summarize NumberOfOperations = sum(count_), Top3Operations = makelist(OperationName, 3) by initiator\r\n| sort by NumberOfOperations desc\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureADAuditLogsDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "6abf0b4a-9901-4396-8d3b-97d1ae1ee59c"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": " "
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsGrid"
},
{
"name": "Dimensions",
"isOptional": true
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Top active applications",
"PartSubTitle": " ",
"Query": "AuditLogs\n| where SourceSystem == \"Azure AD\"\n| where Category == \"RoleManagement\"\n| extend initiator = tostring(InitiatedBy.app.displayName)\n| where initiator != \"\" \n| summarize count() by initiator, OperationName\n| sort by count_ desc \n| summarize NumberOfOperations = sum(count_), Top3Operations = makelist(OperationName, 3) by initiator\n| sort by NumberOfOperations desc\n"
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"33": {
"position": {
"x": 0,
"y": 52,
"colSpan": 25,
"rowSpan": 1
},
"metadata": {
"inputs": [],
"type": "Extension/HubsExtension/PartType/MarkdownPart",
"settings": {
"content": {
"settings": {
"content": "<div style='font-size:300%;'>Application management activities</div>",
"title": "",
"subtitle": ""
}
}
}
}
},
"34": {
"position": {
"x": 0,
"y": 53,
"colSpan": 16,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AuditLogs\r\n| where SourceSystem == \"Azure AD\"\r\n| where Category == \"ApplicationManagement\"\r\n| summarize count() by Result, TimeGenerated\r\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "TimeGenerated",
"type": "DateTime"
},
"yAxis": [
{
"name": "count_",
"type": "Int64"
}
],
"splitBy": [
{
"name": "Result",
"type": "String"
}
],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureADAuditLogsDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "230277cd-700b-49ae-a653-668ae7aed55f"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": " "
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsChart"
},
{
"name": "SpecificChart",
"value": "Line"
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Application management events",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"35": {
"position": {
"x": 16,
"y": 53,
"colSpan": 9,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AuditLogs\r\n| where SourceSystem == \"Azure AD\"\r\n| where Category == \"UserManagement\"\r\n| where Result == \"failure\"\r\n| extend initiator= tostring(InitiatedBy.user.userPrincipalName)\r\n| project TimeGenerated, initiator, OperationName, ResultReason \r\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureADAuditLogsDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "e6e78f98-c5a7-4651-aeea-427030e1ae4c"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": " "
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsGrid"
},
{
"name": "Dimensions",
"isOptional": true
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Failed application management activities",
"PartSubTitle": " ",
"Query": "AuditLogs\n| where SourceSystem == \"Azure AD\"\n| where Category == \"ApplicationManagement\"\n| where Result == \"failure\"\n| extend initiator= tostring(InitiatedBy.user.userPrincipalName)\n| project TimeGenerated, initiator, OperationName, ResultReason \n"
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"36": {
"position": {
"x": 0,
"y": 57,
"colSpan": 19,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AuditLogs\r\n| where SourceSystem == \"Azure AD\"\r\n| where Category == \"ApplicationManagement\"\r\n| summarize count() by OperationName, TimeGenerated\r\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "TimeGenerated",
"type": "DateTime"
},
"yAxis": [
{
"name": "count_",
"type": "Int64"
}
],
"splitBy": [
{
"name": "OperationName",
"type": "String"
}
],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureADAuditLogsDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "2870a1c5-22dc-4f96-9d34-694a43335140"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": " "
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsChart"
},
{
"name": "SpecificChart",
"value": "Bar"
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Application management operations",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"37": {
"position": {
"x": 19,
"y": 57,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AuditLogs\r\n| where SourceSystem == \"Azure AD\"\r\n| where Category == \"ApplicationManagement\"\r\n| summarize count() by OperationName\r\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "OperationName",
"type": "String"
},
"yAxis": [
{
"name": "count_",
"type": "Int64"
}
],
"splitBy": [],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureADAuditLogsDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "f61f0ce9-f717-4881-a66d-fa40d91a1457"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": " "
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsDonut"
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Application management operations",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"38": {
"position": {
"x": 0,
"y": 61,
"colSpan": 25,
"rowSpan": 1
},
"metadata": {
"inputs": [],
"type": "Extension/HubsExtension/PartType/MarkdownPart",
"settings": {
"content": {
"settings": {
"content": "<div style='font-size:300%;'>Device activities</div>",
"title": "",
"subtitle": ""
}
}
}
}
},
"39": {
"position": {
"x": 0,
"y": 62,
"colSpan": 16,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AuditLogs\r\n| where SourceSystem == \"Azure AD\"\r\n| where Category == \"Device\"\r\n| summarize count() by Result, TimeGenerated\r\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "TimeGenerated",
"type": "DateTime"
},
"yAxis": [
{
"name": "count_",
"type": "Int64"
}
],
"splitBy": [
{
"name": "Result",
"type": "String"
}
],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureADAuditLogsDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "28fa792d-4749-4783-ac8b-060325f42ee1"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": " "
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsChart"
},
{
"name": "SpecificChart",
"value": "Line"
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Device events",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"40": {
"position": {
"x": 16,
"y": 62,
"colSpan": 9,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AuditLogs\r\n| where SourceSystem == \"Azure AD\"\r\n| where Category == \"UserManagement\"\r\n| where Result == \"failure\"\r\n| extend initiator= tostring(InitiatedBy.user.userPrincipalName)\r\n| project TimeGenerated, initiator, OperationName, ResultReason \r\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureADAuditLogsDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "3a34af7d-ef42-4329-b60b-45d223441a5b"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": " "
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsGrid"
},
{
"name": "Dimensions",
"isOptional": true
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Failed device operations",
"PartSubTitle": " ",
"Query": "AuditLogs\n| where SourceSystem == \"Azure AD\"\n| where Category == \"Device\"\n| where Result == \"failure\"\n| extend initiator= tostring(InitiatedBy.user.userPrincipalName)\n| project TimeGenerated, initiator, OperationName, ResultReason \n"
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"41": {
"position": {
"x": 0,
"y": 66,
"colSpan": 19,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AuditLogs\r\n| where SourceSystem == \"Azure AD\"\r\n| where Category == \"Device\"\r\n| summarize count() by OperationName, TimeGenerated\r\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "TimeGenerated",
"type": "DateTime"
},
"yAxis": [
{
"name": "count_",
"type": "Int64"
}
],
"splitBy": [
{
"name": "OperationName",
"type": "String"
}
],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureADAuditLogsDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "f2fe31fb-f411-4857-9425-8d3b1caa9d3e"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": " "
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsChart"
},
{
"name": "SpecificChart",
"value": "Bar"
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Device operations",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"42": {
"position": {
"x": 19,
"y": 66,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AuditLogs\r\n| where SourceSystem == \"Azure AD\"\r\n| where Category == \"Device\"\r\n| summarize count() by OperationName\r\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "OperationName",
"type": "String"
},
"yAxis": [
{
"name": "count_",
"type": "Int64"
}
],
"splitBy": [],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureADAuditLogsDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "72e7db1f-646f-4aa7-9e07-a3516e8f51ec"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": " "
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsDonut"
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Device operations",
"PartSubTitle": " "
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"43": {
"position": {
"x": 0,
"y": 0,
"colSpan": 1,
"rowSpan": 1
},
"metadata": {
"inputs": [
{
"name": "subscriptionId",
"value": "{Subscription_Id}"
},
{
"name": "resourceGroup",
"value": "{Resource_Group}"
},
{
"name": "workspaceName",
"value": "{Workspace_Name}"
},
{
"name": "dashboardName",
"value": "AzureADAuditlogsDashboard"
},
{
"name": "menuItemToOpen",
"value": "Dashboards"
}
],
"type": "Extension/Microsoft_Azure_Security_Insights/PartType/AsiOverviewPart",
"defaultMenuItemId": "0"
}
},
"44": {
"position": {
"x": 23,
"y": 0,
"colSpan": 2,
"rowSpan": 1
},
"metadata": {
"inputs": [],
"type": "Extension/HubsExtension/PartType/MarkdownPart",
"settings": {
"content": {
"settings": {
"content": "<div style=\"max-width: 50px\">\n<svg viewBox=\"0 0 50 50\" class=\"fxs-portal-svg\" role=\"presentation\" focusable=\"false\" xmlns:svg=\"http://www.w3.org/2000/svg\" xmlns:xlink=\"http://www.w3.org/1999/xlink\" id=\"FxSymbol0-03c\" width=\"100%\" height=\"100%\"><g><title></title><path d=\"M25.001 50.001a4.575 4.575 0 0 1-3.261-1.352L1.351 28.261A4.64 4.64 0 0 1 0 25c0-1.214.492-2.402 1.351-3.26L21.74 1.352A4.578 4.578 0 0 1 25.001 0c1.231 0 2.39.48 3.261 1.352L48.648 21.74A4.565 4.565 0 0 1 50 25a4.574 4.574 0 0 1-1.353 3.263L28.262 48.649a4.578 4.578 0 0 1-3.261 1.352\" class=\"msportalfx-svg-c15\"></path><path d=\"M38.614 21.093a3.91 3.91 0 0 0-3.91 3.909c0 .792.239 1.527.645 2.143l-7.744 7.744a4.55 4.55 0 0 0-.656-.373V14.759c1.167-.676 1.961-1.924 1.961-3.37a3.91 3.91 0 0 0-7.818 0c0 1.446.794 2.694 1.96 3.37v19.756a4.48 4.48 0 0 0-.632.353l-7.753-7.753a3.88 3.88 0 0 0 .628-2.113 3.909 3.909 0 1 0-3.908 3.909 3.88 3.88 0 0 0 1.274-.23l8.15 8.15a4.552 4.552 0 1 0 8.387.032l8.173-8.172c.392.132.804.22 1.241.22a3.909 3.909 0 0 0 .002-7.818z\" class=\"msportalfx-svg-c01\"></path><path opacity=\".5\" d=\"M40.471 24.983l-1.784 1.785L24.065 12.15l1.784-1.784z\" class=\"msportalfx-svg-c01\"></path><path opacity=\".5\" d=\"M24.166 10.377l1.784 1.785-14.62 14.62-1.785-1.784z\" class=\"msportalfx-svg-c01\"></path><path d=\"M27.665 38.614a2.71 2.71 0 1 1-5.42-.002 2.71 2.71 0 0 1 5.42.002m-.491-27.225a2.174 2.174 0 1 1-4.347 0 2.174 2.174 0 0 1 4.347 0M13.563 25.001a2.175 2.175 0 1 1-4.35-.002 2.175 2.175 0 0 1 4.35.002m27.225 0a2.175 2.175 0 1 1-4.35-.002 2.175 2.175 0 0 1 4.35.002\" class=\"msportalfx-svg-c13\"></path><path opacity=\".1\" d=\"M28.262 1.352A4.578 4.578 0 0 0 25.001 0c-1.231 0-2.389.48-3.26 1.352L1.352 21.74A4.635 4.635 0 0 0 0 25c0 1.215.492 2.403 1.352 3.261l11.543 11.544L34.61 7.699l-6.348-6.347z\" class=\"msportalfx-svg-c01\"></path></g></svg>\n</div>",
"title": "",
"subtitle": ""
}
}
}
}
}
}
}
}
}
}cloudflare/Azure-Sentinel
Publicmirrored fromhttps://github.com/cloudflare/Azure-Sentinel
Dashboards/Azure_AD_Audit_Logs.json
3374lines · modepreview
unknown