fde110c7da8a1aedb8d63af851d1c8269b3a5810


Dashboards/Cisco.json

2665lines · modecode

1{
2 "name": "CiscoDashboard_{Workspace_Name}",
3 "type": "Microsoft.Portal/dashboards",
4 "location": "{Dashboard_Location}",
5 "tags": {
6 "dashboardKey": "CiscoDashboard",
7 "hidden-title": "Cisco - {Workspace_Name}",
8 "version": "1.1",
9 "workspaceName": "{Workspace_Name}"
10 },
11 "properties": {
12 "lenses": {
13 "0": {
14 "order": 0,
15 "parts": {
16 "0": {
17 "position": {
18 "x": 1,
19 "y": 0,
20 "colSpan": 18,
21 "rowSpan": 1
22 },
23 "metadata": {
24 "inputs": [],
25 "type": "Extension/HubsExtension/PartType/MarkdownPart",
26 "settings": {
27 "content": {
28 "settings": {
29 "content": "<div style='font-size:300%;'>Cisco overview</div>\n\n",
30 "title": "",
31 "subtitle": " "
32 }
33 }
34 }
35 }
36 },
37 "1": {
38 "position": {
39 "x": 19,
40 "y": 0,
41 "colSpan": 6,
42 "rowSpan": 1
43 },
44 "metadata": {
45 "inputs": [],
46 "type": "Extension/HubsExtension/PartType/MarkdownPart",
47 "settings": {
48 "content": {
49 "settings": {
50 "content": "<img width='450' height='50' src='https://bitwizards.com/bitwizards/media/blogs/jeff-mitchell/2015/may/cisco-router/2015-05-05-topimage.jpg'/>\n",
51 "title": "",
52 "subtitle": " "
53 }
54 }
55 }
56 }
57 },
58 "2": {
59 "position": {
60 "x": 0,
61 "y": 1,
62 "colSpan": 13,
63 "rowSpan": 4
64 },
65 "metadata": {
66 "inputs": [
67 {
68 "name": "ComponentId",
69 "value": {
70 "SubscriptionId": "{Subscription_Id}",
71 "ResourceGroup": "{Resource_Group}",
72 "Name": "{Workspace_Name}",
73 "ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
74 }
75 },
76 {
77 "name": "Query",
78 "value": "//severity count\nCommonSecurityLog\n| where DeviceVendor =~ 'Cisco'\n| where DeviceProduct =~ 'ASA'\n| summarize SeverityVolume= count() by LogSeverity\n"
79 },
80 {
81 "name": "Dimensions",
82 "value": {
83 "xAxis": {
84 "name": "LogSeverity",
85 "type": "String"
86 },
87 "yAxis": [
88 {
89 "name": "SeverityVolume",
90 "type": "Int64"
91 }
92 ],
93 "splitBy": [],
94 "aggregation": "Sum"
95 }
96 },
97 {
98 "name": "Version",
99 "value": "1.0"
100 },
101 {
102 "name": "DashboardId",
103 "value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
104 },
105 {
106 "name": "PartId",
107 "value": "d669fb39-3d3c-4109-8019-08f17d5ae112"
108 },
109 {
110 "name": "PartTitle",
111 "value": "Analytics"
112 },
113 {
114 "name": "PartSubTitle",
115 "value": "{Workspace_Name}"
116 },
117 {
118 "name": "resourceTypeMode",
119 "value": "workspace"
120 },
121 {
122 "name": "ControlType",
123 "value": "AnalyticsDonut"
124 },
125 {
126 "name": "SpecificChart",
127 "isOptional": true
128 },
129 {
130 "name": "TimeRange",
131 "value": "P1D"
132 }
133 ],
134 "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
135 "settings": {
136 "content": {
137 "PartTitle": "Traffic, by event severity",
138 "PartSubTitle": " "
139 }
140 },
141 "asset": {
142 "idInputName": "ComponentId",
143 "type": "ApplicationInsights"
144 }
145 }
146 },
147 "3": {
148 "position": {
149 "x": 13,
150 "y": 1,
151 "colSpan": 6,
152 "rowSpan": 4
153 },
154 "metadata": {
155 "inputs": [
156 {
157 "name": "ComponentId",
158 "value": {
159 "SubscriptionId": "{Subscription_Id}",
160 "ResourceGroup": "{Resource_Group}",
161 "Name": "{Workspace_Name}",
162 "ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
163 }
164 },
165 {
166 "name": "Query",
167 "value": "//no. of concurrent sessions\nCommonSecurityLog\n| where DeviceProduct =~ 'ASA'\n| where DeviceVendor =~ 'Cisco'\n| where DeviceEventClassID == '302010'\n| extend ConcurrentSession= extract('%ASA-6-302010: ([0-9]*?) in use,',1,Message)\n| summarize AvgSession=avg(toint(ConcurrentSession)) by TimeGenerated\n"
168 },
169 {
170 "name": "Dimensions",
171 "value": {
172 "xAxis": {
173 "name": "TimeGenerated",
174 "type": "DateTime"
175 },
176 "yAxis": [
177 {
178 "name": "AvgSession",
179 "type": "Double"
180 }
181 ],
182 "splitBy": [],
183 "aggregation": "Sum"
184 }
185 },
186 {
187 "name": "Version",
188 "value": "1.0"
189 },
190 {
191 "name": "DashboardId",
192 "value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
193 },
194 {
195 "name": "PartId",
196 "value": "a396b4a0-be52-4965-bb96-a0cd793540eb"
197 },
198 {
199 "name": "PartTitle",
200 "value": "Analytics"
201 },
202 {
203 "name": "PartSubTitle",
204 "value": "{Workspace_Name}"
205 },
206 {
207 "name": "resourceTypeMode",
208 "value": "workspace"
209 },
210 {
211 "name": "ControlType",
212 "value": "AnalyticsChart"
213 },
214 {
215 "name": "SpecificChart",
216 "value": "Bar"
217 },
218 {
219 "name": "TimeRange",
220 "value": "P1D"
221 }
222 ],
223 "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
224 "settings": {
225 "content": {
226 "PartTitle": "Average concurrent sessions, by time",
227 "PartSubTitle": " "
228 }
229 },
230 "asset": {
231 "idInputName": "ComponentId",
232 "type": "ApplicationInsights"
233 }
234 }
235 },
236 "4": {
237 "position": {
238 "x": 19,
239 "y": 1,
240 "colSpan": 6,
241 "rowSpan": 4
242 },
243 "metadata": {
244 "inputs": [
245 {
246 "name": "ComponentId",
247 "value": {
248 "SubscriptionId": "{Subscription_Id}",
249 "ResourceGroup": "{Resource_Group}",
250 "Name": "{Workspace_Name}",
251 "ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
252 }
253 },
254 {
255 "name": "Query",
256 "value": "//Count by Action\nCommonSecurityLog\n| where DeviceProduct =~ 'ASA'\n| where DeviceVendor =~ 'Cisco'\n| where DeviceAction != ''\n| summarize ActionCount= count() by SimplifiedDeviceAction\n"
257 },
258 {
259 "name": "Dimensions",
260 "value": {
261 "xAxis": {
262 "name": "SimplifiedDeviceAction",
263 "type": "String"
264 },
265 "yAxis": [
266 {
267 "name": "ActionCount",
268 "type": "Int64"
269 }
270 ],
271 "splitBy": [],
272 "aggregation": "Sum"
273 }
274 },
275 {
276 "name": "Version",
277 "value": "1.0"
278 },
279 {
280 "name": "DashboardId",
281 "value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
282 },
283 {
284 "name": "PartId",
285 "value": "ff598f07-4502-4992-9164-7fc607d3b625"
286 },
287 {
288 "name": "PartTitle",
289 "value": "Analytics"
290 },
291 {
292 "name": "PartSubTitle",
293 "value": "{Workspace_Name}"
294 },
295 {
296 "name": "resourceTypeMode",
297 "value": "workspace"
298 },
299 {
300 "name": "ControlType",
301 "value": "AnalyticsChart"
302 },
303 {
304 "name": "SpecificChart",
305 "value": "Bar"
306 },
307 {
308 "name": "TimeRange",
309 "value": "P1D"
310 }
311 ],
312 "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
313 "settings": {
314 "content": {
315 "PartTitle": "Summary of firewall events",
316 "PartSubTitle": " "
317 }
318 },
319 "asset": {
320 "idInputName": "ComponentId",
321 "type": "ApplicationInsights"
322 }
323 }
324 },
325 "5": {
326 "position": {
327 "x": 0,
328 "y": 5,
329 "colSpan": 6,
330 "rowSpan": 4
331 },
332 "metadata": {
333 "inputs": [
334 {
335 "name": "ComponentId",
336 "value": {
337 "SubscriptionId": "{Subscription_Id}",
338 "ResourceGroup": "{Resource_Group}",
339 "Name": "{Workspace_Name}",
340 "ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
341 }
342 },
343 {
344 "name": "Query",
345 "value": "//Max Sessions\nCommonSecurityLog\n| where DeviceProduct =~ 'ASA'\n| where DeviceVendor =~ 'Cisco'\n| where DeviceEventClassID == '302010'\n| extend MaxSessions= extract('%ASA-6-302010:.*, ([0-9].*?) most used',1,Message)\n| summarize AvgSession=avg(toint(MaxSessions)) by TimeGenerated\n"
346 },
347 {
348 "name": "Dimensions",
349 "value": {
350 "xAxis": {
351 "name": "TimeGenerated",
352 "type": "DateTime"
353 },
354 "yAxis": [
355 {
356 "name": "AvgSession",
357 "type": "Double"
358 }
359 ],
360 "splitBy": [],
361 "aggregation": "Sum"
362 }
363 },
364 {
365 "name": "Version",
366 "value": "1.0"
367 },
368 {
369 "name": "DashboardId",
370 "value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
371 },
372 {
373 "name": "PartId",
374 "value": "9e0f12d6-a118-4163-8826-1864f3bd6007"
375 },
376 {
377 "name": "PartTitle",
378 "value": "Analytics"
379 },
380 {
381 "name": "PartSubTitle",
382 "value": "{Workspace_Name}"
383 },
384 {
385 "name": "resourceTypeMode",
386 "value": "workspace"
387 },
388 {
389 "name": "ControlType",
390 "value": "AnalyticsChart"
391 },
392 {
393 "name": "SpecificChart",
394 "value": "Bar"
395 },
396 {
397 "name": "TimeRange",
398 "value": "P1D"
399 }
400 ],
401 "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
402 "settings": {
403 "content": {
404 "PartTitle": "Average max concurrent sessions, by time",
405 "PartSubTitle": " "
406 }
407 },
408 "asset": {
409 "idInputName": "ComponentId",
410 "type": "ApplicationInsights"
411 }
412 }
413 },
414 "6": {
415 "position": {
416 "x": 6,
417 "y": 5,
418 "colSpan": 7,
419 "rowSpan": 4
420 },
421 "metadata": {
422 "inputs": [
423 {
424 "name": "ComponentId",
425 "value": {
426 "SubscriptionId": "{Subscription_Id}",
427 "ResourceGroup": "{Resource_Group}",
428 "Name": "{Workspace_Name}",
429 "ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
430 }
431 },
432 {
433 "name": "Query",
434 "value": "//volume by time\nCommonSecurityLog\n| where DeviceVendor =~ 'Cisco'\n| where DeviceProduct =~ 'ASA'\n| summarize Volme=count() by TimeGenerated\n"
435 },
436 {
437 "name": "Dimensions",
438 "value": {
439 "xAxis": {
440 "name": "TimeGenerated",
441 "type": "DateTime"
442 },
443 "yAxis": [
444 {
445 "name": "Volme",
446 "type": "Int64"
447 }
448 ],
449 "splitBy": [],
450 "aggregation": "Sum"
451 }
452 },
453 {
454 "name": "Version",
455 "value": "1.0"
456 },
457 {
458 "name": "DashboardId",
459 "value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
460 },
461 {
462 "name": "PartId",
463 "value": "0a05ab08-5e9d-4073-8cba-1fd25c08a2a2"
464 },
465 {
466 "name": "PartTitle",
467 "value": "Analytics"
468 },
469 {
470 "name": "PartSubTitle",
471 "value": "{Workspace_Name}"
472 },
473 {
474 "name": "resourceTypeMode",
475 "value": "workspace"
476 },
477 {
478 "name": "ControlType",
479 "value": "AnalyticsChart"
480 },
481 {
482 "name": "SpecificChart",
483 "value": "Line"
484 },
485 {
486 "name": "TimeRange",
487 "value": "P1D"
488 }
489 ],
490 "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
491 "settings": {
492 "content": {
493 "PartTitle": "Event trends, by time",
494 "PartSubTitle": " "
495 }
496 },
497 "asset": {
498 "idInputName": "ComponentId",
499 "type": "ApplicationInsights"
500 }
501 }
502 },
503 "7": {
504 "position": {
505 "x": 13,
506 "y": 5,
507 "colSpan": 6,
508 "rowSpan": 4
509 },
510 "metadata": {
511 "inputs": [
512 {
513 "name": "ComponentId",
514 "value": {
515 "SubscriptionId": "{Subscription_Id}",
516 "ResourceGroup": "{Resource_Group}",
517 "Name": "{Workspace_Name}",
518 "ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
519 }
520 },
521 {
522 "name": "Query",
523 "value": "//severity by time\nCommonSecurityLog\n| where DeviceVendor =~ 'Cisco'\n| where DeviceProduct =~ 'ASA'\n| summarize SeverityVolume= count() by LogSeverity, TimeGenerated\n"
524 },
525 {
526 "name": "Dimensions",
527 "value": {
528 "xAxis": {
529 "name": "TimeGenerated",
530 "type": "DateTime"
531 },
532 "yAxis": [
533 {
534 "name": "SeverityVolume",
535 "type": "Int64"
536 }
537 ],
538 "splitBy": [
539 {
540 "name": "LogSeverity",
541 "type": "String"
542 }
543 ],
544 "aggregation": "Sum"
545 }
546 },
547 {
548 "name": "Version",
549 "value": "1.0"
550 },
551 {
552 "name": "DashboardId",
553 "value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
554 },
555 {
556 "name": "PartId",
557 "value": "97999b99-b3a8-4c07-8970-f3299f7cd50a"
558 },
559 {
560 "name": "PartTitle",
561 "value": "Analytics"
562 },
563 {
564 "name": "PartSubTitle",
565 "value": "{Workspace_Name}"
566 },
567 {
568 "name": "resourceTypeMode",
569 "value": "workspace"
570 },
571 {
572 "name": "ControlType",
573 "value": "AnalyticsChart"
574 },
575 {
576 "name": "SpecificChart",
577 "value": "Bar"
578 },
579 {
580 "name": "TimeRange",
581 "value": "P1D"
582 }
583 ],
584 "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
585 "settings": {
586 "content": {
587 "PartTitle": "Event severity, by time",
588 "PartSubTitle": " "
589 }
590 },
591 "asset": {
592 "idInputName": "ComponentId",
593 "type": "ApplicationInsights"
594 }
595 }
596 },
597 "8": {
598 "position": {
599 "x": 19,
600 "y": 5,
601 "colSpan": 6,
602 "rowSpan": 4
603 },
604 "metadata": {
605 "inputs": [
606 {
607 "name": "ComponentId",
608 "value": {
609 "SubscriptionId": "{Subscription_Id}",
610 "ResourceGroup": "{Resource_Group}",
611 "Name": "{Workspace_Name}",
612 "ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
613 }
614 },
615 {
616 "name": "Query",
617 "value": "//top 5 reason for packet drop\nCommonSecurityLog\n| where DeviceProduct =~ 'ASA'\n| where DeviceVendor =~ 'Cisco'\n| where DeviceEventClassID == '733100'\n| extend TraficType= extract('%ASA-4-733100: \\\\[(.*?)\\\\]',1,Message)\n| summarize AttackCount=count() by TraficType\n| top 5 by AttackCount desc\n"
618 },
619 {
620 "name": "Dimensions",
621 "value": {
622 "xAxis": {
623 "name": "TraficType",
624 "type": "String"
625 },
626 "yAxis": [
627 {
628 "name": "AttackCount",
629 "type": "Int64"
630 }
631 ],
632 "splitBy": [],
633 "aggregation": "Sum"
634 }
635 },
636 {
637 "name": "Version",
638 "value": "1.0"
639 },
640 {
641 "name": "DashboardId",
642 "value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
643 },
644 {
645 "name": "PartId",
646 "value": "c179ca70-97c8-4398-b366-be6d295b5d9d"
647 },
648 {
649 "name": "PartTitle",
650 "value": "Analytics"
651 },
652 {
653 "name": "PartSubTitle",
654 "value": "{Workspace_Name}"
655 },
656 {
657 "name": "resourceTypeMode",
658 "value": "workspace"
659 },
660 {
661 "name": "ControlType",
662 "value": "AnalyticsDonut"
663 },
664 {
665 "name": "TimeRange",
666 "value": "P1D"
667 },
668 {
669 "name": "SpecificChart",
670 "isOptional": true
671 }
672 ],
673 "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
674 "settings": {
675 "content": {
676 "PartTitle": "Top 5 reasons for packet drop",
677 "PartSubTitle": " "
678 }
679 },
680 "asset": {
681 "idInputName": "ComponentId",
682 "type": "ApplicationInsights"
683 }
684 }
685 },
686 "9": {
687 "position": {
688 "x": 0,
689 "y": 9,
690 "colSpan": 25,
691 "rowSpan": 1
692 },
693 "metadata": {
694 "inputs": [],
695 "type": "Extension/HubsExtension/PartType/MarkdownPart",
696 "settings": {
697 "content": {
698 "settings": {
699 "content": "<div style='font-size:300%;'>Firewall log trends and activities</div>",
700 "title": "",
701 "subtitle": " "
702 }
703 }
704 }
705 }
706 },
707 "10": {
708 "position": {
709 "x": 0,
710 "y": 10,
711 "colSpan": 6,
712 "rowSpan": 4
713 },
714 "metadata": {
715 "inputs": [
716 {
717 "name": "ComponentId",
718 "value": {
719 "SubscriptionId": "{Subscription_Id}",
720 "ResourceGroup": "{Resource_Group}",
721 "Name": "{Workspace_Name}",
722 "ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
723 }
724 },
725 {
726 "name": "Query",
727 "value": "//Communication direction count by time\nCommonSecurityLog\n| where DeviceProduct =~ 'ASA'\n| where DeviceVendor =~ 'Cisco'\n| where CommunicationDirection != ''\n| summarize DirectionVolume=count() by CommunicationDirection, TimeGenerated\n"
728 },
729 {
730 "name": "Dimensions",
731 "value": {
732 "xAxis": {
733 "name": "TimeGenerated",
734 "type": "DateTime"
735 },
736 "yAxis": [
737 {
738 "name": "DirectionVolume",
739 "type": "Int64"
740 }
741 ],
742 "splitBy": [
743 {
744 "name": "CommunicationDirection",
745 "type": "String"
746 }
747 ],
748 "aggregation": "Sum"
749 }
750 },
751 {
752 "name": "Version",
753 "value": "1.0"
754 },
755 {
756 "name": "DashboardId",
757 "value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
758 },
759 {
760 "name": "PartId",
761 "value": "ecdf022f-f258-4d0b-a9f5-2e87a5c57d89"
762 },
763 {
764 "name": "PartTitle",
765 "value": "Analytics"
766 },
767 {
768 "name": "PartSubTitle",
769 "value": "{Workspace_Name}"
770 },
771 {
772 "name": "resourceTypeMode",
773 "value": "workspace"
774 },
775 {
776 "name": "ControlType",
777 "value": "AnalyticsChart"
778 },
779 {
780 "name": "SpecificChart",
781 "value": "Bar"
782 },
783 {
784 "name": "TimeRange",
785 "value": "P1D"
786 }
787 ],
788 "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
789 "settings": {
790 "content": {
791 "PartTitle": "Inbound Outbound Time Trend",
792 "PartSubTitle": " "
793 }
794 },
795 "asset": {
796 "idInputName": "ComponentId",
797 "type": "ApplicationInsights"
798 }
799 }
800 },
801 "11": {
802 "position": {
803 "x": 6,
804 "y": 10,
805 "colSpan": 6,
806 "rowSpan": 4
807 },
808 "metadata": {
809 "inputs": [
810 {
811 "name": "ComponentId",
812 "value": {
813 "SubscriptionId": "{Subscription_Id}",
814 "ResourceGroup": "{Resource_Group}",
815 "Name": "{Workspace_Name}",
816 "ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
817 }
818 },
819 {
820 "name": "Query",
821 "value": "//outbound\nCommonSecurityLog\n| where DeviceProduct =~ 'ASA'\n| where DeviceVendor =~ 'Cisco'\n| where CommunicationDirection contains 'outbound'\n| summarize TrafficVolume=count() by SimplifiedDeviceAction, TimeGenerated\n"
822 },
823 {
824 "name": "Dimensions",
825 "value": {
826 "xAxis": {
827 "name": "TimeGenerated",
828 "type": "DateTime"
829 },
830 "yAxis": [
831 {
832 "name": "TrafficVolume",
833 "type": "Int64"
834 }
835 ],
836 "splitBy": [
837 {
838 "name": "SimplifiedDeviceAction",
839 "type": "String"
840 }
841 ],
842 "aggregation": "Sum"
843 }
844 },
845 {
846 "name": "Version",
847 "value": "1.0"
848 },
849 {
850 "name": "DashboardId",
851 "value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
852 },
853 {
854 "name": "PartId",
855 "value": "6c479c3a-08af-4814-aed6-d92fa263d9cb"
856 },
857 {
858 "name": "PartTitle",
859 "value": "Analytics"
860 },
861 {
862 "name": "PartSubTitle",
863 "value": "{Workspace_Name}"
864 },
865 {
866 "name": "resourceTypeMode",
867 "value": "workspace"
868 },
869 {
870 "name": "ControlType",
871 "value": "AnalyticsChart"
872 },
873 {
874 "name": "SpecificChart",
875 "value": "Bar"
876 },
877 {
878 "name": "TimeRange",
879 "value": "P1D"
880 }
881 ],
882 "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
883 "settings": {
884 "content": {
885 "PartTitle": "Outbound traffic connection, by time",
886 "PartSubTitle": " "
887 }
888 },
889 "asset": {
890 "idInputName": "ComponentId",
891 "type": "ApplicationInsights"
892 }
893 }
894 },
895 "12": {
896 "position": {
897 "x": 12,
898 "y": 10,
899 "colSpan": 6,
900 "rowSpan": 4
901 },
902 "metadata": {
903 "inputs": [
904 {
905 "name": "ComponentId",
906 "value": {
907 "SubscriptionId": "{Subscription_Id}",
908 "ResourceGroup": "{Resource_Group}",
909 "Name": "{Workspace_Name}",
910 "ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
911 }
912 },
913 {
914 "name": "Query",
915 "value": "//allowed vs denied for inbound\nCommonSecurityLog\n| where DeviceProduct =~ 'ASA'\n| where DeviceVendor =~ 'Cisco'\n| where CommunicationDirection contains 'inbound'\n| where SimplifiedDeviceAction in ('Deny', 'Allow')\n| summarize TrafficVolume=count() by SimplifiedDeviceAction, TimeGenerated\n"
916 },
917 {
918 "name": "Dimensions",
919 "value": {
920 "xAxis": {
921 "name": "TimeGenerated",
922 "type": "DateTime"
923 },
924 "yAxis": [
925 {
926 "name": "TrafficVolume",
927 "type": "Int64"
928 }
929 ],
930 "splitBy": [
931 {
932 "name": "SimplifiedDeviceAction",
933 "type": "String"
934 }
935 ],
936 "aggregation": "Sum"
937 }
938 },
939 {
940 "name": "Version",
941 "value": "1.0"
942 },
943 {
944 "name": "DashboardId",
945 "value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
946 },
947 {
948 "name": "PartId",
949 "value": "6b76c1d9-8896-4cb0-8cc7-29e599fca0fd"
950 },
951 {
952 "name": "PartTitle",
953 "value": "Analytics"
954 },
955 {
956 "name": "PartSubTitle",
957 "value": "{Workspace_Name}"
958 },
959 {
960 "name": "resourceTypeMode",
961 "value": "workspace"
962 },
963 {
964 "name": "ControlType",
965 "value": "AnalyticsChart"
966 },
967 {
968 "name": "SpecificChart",
969 "value": "Bar"
970 },
971 {
972 "name": "TimeRange",
973 "value": "P1D"
974 }
975 ],
976 "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
977 "settings": {
978 "content": {
979 "PartTitle": "Inbound traffic events, by time",
980 "PartSubTitle": " "
981 }
982 },
983 "asset": {
984 "idInputName": "ComponentId",
985 "type": "ApplicationInsights"
986 }
987 }
988 },
989 "13": {
990 "position": {
991 "x": 18,
992 "y": 10,
993 "colSpan": 6,
994 "rowSpan": 4
995 },
996 "metadata": {
997 "inputs": [
998 {
999 "name": "ComponentId",
1000 "value": {
1001 "SubscriptionId": "{Subscription_Id}",
1002 "ResourceGroup": "{Resource_Group}",
1003 "Name": "{Workspace_Name}",
1004 "ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
1005 }
1006 },
1007 {
1008 "name": "Query",
1009 "value": "//Communication direction count\nCommonSecurityLog\n| where DeviceProduct =~ 'ASA'\n| where DeviceVendor =~ 'Cisco'\n| where CommunicationDirection != ''\n| summarize DirectionVolume=count() by CommunicationDirection\n"
1010 },
1011 {
1012 "name": "Dimensions",
1013 "value": {
1014 "xAxis": {
1015 "name": "CommunicationDirection",
1016 "type": "String"
1017 },
1018 "yAxis": [
1019 {
1020 "name": "DirectionVolume",
1021 "type": "Int64"
1022 }
1023 ],
1024 "splitBy": [],
1025 "aggregation": "Sum"
1026 }
1027 },
1028 {
1029 "name": "Version",
1030 "value": "1.0"
1031 },
1032 {
1033 "name": "DashboardId",
1034 "value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
1035 },
1036 {
1037 "name": "PartId",
1038 "value": "f0dc387c-fe5e-4ec2-a418-a4d314a5e3c1"
1039 },
1040 {
1041 "name": "PartTitle",
1042 "value": "Analytics"
1043 },
1044 {
1045 "name": "PartSubTitle",
1046 "value": "{Workspace_Name}"
1047 },
1048 {
1049 "name": "resourceTypeMode",
1050 "value": "workspace"
1051 },
1052 {
1053 "name": "ControlType",
1054 "value": "AnalyticsDonut"
1055 },
1056 {
1057 "name": "TimeRange",
1058 "value": "P1D"
1059 },
1060 {
1061 "name": "SpecificChart",
1062 "isOptional": true
1063 }
1064 ],
1065 "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
1066 "settings": {
1067 "content": {
1068 "PartTitle": "Summary of inbound and outbound traffic",
1069 "PartSubTitle": " "
1070 }
1071 },
1072 "asset": {
1073 "idInputName": "ComponentId",
1074 "type": "ApplicationInsights"
1075 }
1076 }
1077 },
1078 "14": {
1079 "position": {
1080 "x": 24,
1081 "y": 10,
1082 "colSpan": 6,
1083 "rowSpan": 4
1084 },
1085 "metadata": {
1086 "inputs": [
1087 {
1088 "name": "ComponentId",
1089 "value": {
1090 "SubscriptionId": "{Subscription_Id}",
1091 "ResourceGroup": "{Resource_Group}",
1092 "Name": "{Workspace_Name}",
1093 "ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
1094 }
1095 },
1096 {
1097 "name": "Query",
1098 "value": "//Reason for packet Drop time trend\nCommonSecurityLog\n| where DeviceProduct =~ 'ASA'\n| where DeviceVendor =~ 'Cisco'\n| where DeviceEventClassID == '733100'\n| extend TraficType= extract('%ASA-4-733100: \\\\[(.*?)\\\\]',1,Message)\n| summarize AttackCount=count() by TraficType, TimeGenerated\n"
1099 },
1100 {
1101 "name": "Dimensions",
1102 "value": {
1103 "xAxis": {
1104 "name": "TimeGenerated",
1105 "type": "DateTime"
1106 },
1107 "yAxis": [
1108 {
1109 "name": "AttackCount",
1110 "type": "Int64"
1111 }
1112 ],
1113 "splitBy": [
1114 {
1115 "name": "TraficType",
1116 "type": "String"
1117 }
1118 ],
1119 "aggregation": "Sum"
1120 }
1121 },
1122 {
1123 "name": "Version",
1124 "value": "1.0"
1125 },
1126 {
1127 "name": "DashboardId",
1128 "value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
1129 },
1130 {
1131 "name": "PartId",
1132 "value": "2d3b7b1c-cfd0-4bb8-ad55-578d74c3a15d"
1133 },
1134 {
1135 "name": "PartTitle",
1136 "value": "Analytics"
1137 },
1138 {
1139 "name": "PartSubTitle",
1140 "value": "{Workspace_Name}"
1141 },
1142 {
1143 "name": "resourceTypeMode",
1144 "value": "workspace"
1145 },
1146 {
1147 "name": "ControlType",
1148 "value": "AnalyticsChart"
1149 },
1150 {
1151 "name": "SpecificChart",
1152 "value": "Bar"
1153 },
1154 {
1155 "name": "TimeRange",
1156 "value": "P1D"
1157 }
1158 ],
1159 "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
1160 "settings": {
1161 "content": {
1162 "PartTitle": "Reason for packet drop, by time",
1163 "PartSubTitle": " "
1164 }
1165 },
1166 "asset": {
1167 "idInputName": "ComponentId",
1168 "type": "ApplicationInsights"
1169 }
1170 }
1171 },
1172 "15": {
1173 "position": {
1174 "x": 0,
1175 "y": 14,
1176 "colSpan": 25,
1177 "rowSpan": 1
1178 },
1179 "metadata": {
1180 "inputs": [],
1181 "type": "Extension/HubsExtension/PartType/MarkdownPart",
1182 "settings": {
1183 "content": {
1184 "settings": {
1185 "content": "<div style='font-size:300%;'>Top 5 allowed and blocked ports</div>\n",
1186 "title": "",
1187 "subtitle": " "
1188 }
1189 }
1190 }
1191 }
1192 },
1193 "16": {
1194 "position": {
1195 "x": 0,
1196 "y": 15,
1197 "colSpan": 6,
1198 "rowSpan": 4
1199 },
1200 "metadata": {
1201 "inputs": [
1202 {
1203 "name": "ComponentId",
1204 "value": {
1205 "SubscriptionId": "{Subscription_Id}",
1206 "ResourceGroup": "{Resource_Group}",
1207 "Name": "{Workspace_Name}"
1208 }
1209 },
1210 {
1211 "name": "Query",
1212 "value": "//top 5 port inbound Allow \nCommonSecurityLog \n| where DeviceProduct =~ 'ASA' \n| where DeviceVendor =~ 'Cisco' \n| where DeviceEventClassID == '106100' \n| where SimplifiedDeviceAction == 'Allow' \n| where Message contains ' -> inside' \n| extend DestinationPortS=tostring(DestinationPort) \n| summarize PortCount=count() by DestinationPortS \n| top 5 by PortCount desc"
1213 },
1214 {
1215 "name": "TimeRange",
1216 "value": "P1D"
1217 },
1218 {
1219 "name": "Dimensions",
1220 "value": {
1221 "xAxis": {
1222 "name": "DestinationPortS",
1223 "type": "String"
1224 },
1225 "yAxis": [
1226 {
1227 "name": "PortCount",
1228 "type": "Int64"
1229 }
1230 ],
1231 "splitBy": [],
1232 "aggregation": "Sum"
1233 }
1234 },
1235 {
1236 "name": "Version",
1237 "value": "1.0"
1238 },
1239 {
1240 "name": "DashboardId",
1241 "value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
1242 },
1243 {
1244 "name": "PartId",
1245 "value": "eb8b5c71-cb66-4b8c-a05e-e128d1c24005"
1246 },
1247 {
1248 "name": "PartTitle",
1249 "value": "Analytics"
1250 },
1251 {
1252 "name": "PartSubTitle",
1253 "value": "{Workspace_Name}"
1254 },
1255 {
1256 "name": "resourceTypeMode",
1257 "value": "workspace"
1258 },
1259 {
1260 "name": "ControlType",
1261 "value": "AnalyticsChart"
1262 },
1263 {
1264 "name": "SpecificChart",
1265 "value": "Bar"
1266 }
1267 ],
1268 "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
1269 "settings": {
1270 "content": {
1271 "PartTitle": "Top 5 allowed inbound ports",
1272 "PartSubTitle": " "
1273 }
1274 },
1275 "asset": {
1276 "idInputName": "ComponentId",
1277 "type": "ApplicationInsights"
1278 }
1279 }
1280 },
1281 "17": {
1282 "position": {
1283 "x": 6,
1284 "y": 15,
1285 "colSpan": 6,
1286 "rowSpan": 4
1287 },
1288 "metadata": {
1289 "inputs": [
1290 {
1291 "name": "ComponentId",
1292 "value": {
1293 "SubscriptionId": "{Subscription_Id}",
1294 "ResourceGroup": "{Resource_Group}",
1295 "Name": "{Workspace_Name}",
1296 "ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
1297 }
1298 },
1299 {
1300 "name": "Query",
1301 "value": "//top 5 port inbound deny\nCommonSecurityLog\n| where DeviceProduct =~ 'ASA'\n| where DeviceVendor =~ 'Cisco'\n| where CommunicationDirection contains 'inbound'\n| where SimplifiedDeviceAction == 'Deny'\n| extend DestinationPortS=tostring(DestinationPort)\n| summarize PortCount=count() by DestinationPortS\n| top 5 by PortCount desc\n"
1302 },
1303 {
1304 "name": "Dimensions",
1305 "value": {
1306 "xAxis": {
1307 "name": "DestinationPortS",
1308 "type": "String"
1309 },
1310 "yAxis": [
1311 {
1312 "name": "PortCount",
1313 "type": "Int64"
1314 }
1315 ],
1316 "splitBy": [],
1317 "aggregation": "Sum"
1318 }
1319 },
1320 {
1321 "name": "Version",
1322 "value": "1.0"
1323 },
1324 {
1325 "name": "DashboardId",
1326 "value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
1327 },
1328 {
1329 "name": "PartId",
1330 "value": "3ea9408e-4fda-4e29-90cf-c8fc01db6b74"
1331 },
1332 {
1333 "name": "PartTitle",
1334 "value": "Analytics"
1335 },
1336 {
1337 "name": "PartSubTitle",
1338 "value": "{Workspace_Name}"
1339 },
1340 {
1341 "name": "resourceTypeMode",
1342 "value": "workspace"
1343 },
1344 {
1345 "name": "ControlType",
1346 "value": "AnalyticsChart"
1347 },
1348 {
1349 "name": "SpecificChart",
1350 "value": "Bar"
1351 },
1352 {
1353 "name": "TimeRange",
1354 "value": "P1D"
1355 }
1356 ],
1357 "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
1358 "settings": {
1359 "content": {
1360 "PartTitle": "Top 5 blocked inbound ports",
1361 "PartSubTitle": " "
1362 }
1363 },
1364 "asset": {
1365 "idInputName": "ComponentId",
1366 "type": "ApplicationInsights"
1367 }
1368 }
1369 },
1370 "18": {
1371 "position": {
1372 "x": 12,
1373 "y": 15,
1374 "colSpan": 6,
1375 "rowSpan": 4
1376 },
1377 "metadata": {
1378 "inputs": [
1379 {
1380 "name": "ComponentId",
1381 "value": {
1382 "SubscriptionId": "{Subscription_Id}",
1383 "ResourceGroup": "{Resource_Group}",
1384 "Name": "{Workspace_Name}",
1385 "ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
1386 }
1387 },
1388 {
1389 "name": "Query",
1390 "value": "//top 5 port outbound Allow\nCommonSecurityLog\n| where DeviceProduct =~ 'ASA'\n| where DeviceVendor =~ 'Cisco'\n| where DeviceEventClassID == '106100'\n| where SimplifiedDeviceAction == 'Allow'\n| where Message contains ' -> management'\n| extend DestinationPortS=tostring(DestinationPort)\n| summarize PortCount=count() by DestinationPortS\n| top 5 by PortCount desc\n"
1391 },
1392 {
1393 "name": "Dimensions",
1394 "value": {
1395 "xAxis": {
1396 "name": "DestinationPortS",
1397 "type": "String"
1398 },
1399 "yAxis": [
1400 {
1401 "name": "PortCount",
1402 "type": "Int64"
1403 }
1404 ],
1405 "splitBy": [],
1406 "aggregation": "Sum"
1407 }
1408 },
1409 {
1410 "name": "Version",
1411 "value": "1.0"
1412 },
1413 {
1414 "name": "DashboardId",
1415 "value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
1416 },
1417 {
1418 "name": "PartId",
1419 "value": "beaae82d-5eb9-45f9-a31c-1f96dec4eae4"
1420 },
1421 {
1422 "name": "PartTitle",
1423 "value": "Analytics"
1424 },
1425 {
1426 "name": "PartSubTitle",
1427 "value": "{Workspace_Name}"
1428 },
1429 {
1430 "name": "resourceTypeMode",
1431 "value": "workspace"
1432 },
1433 {
1434 "name": "ControlType",
1435 "value": "AnalyticsDonut"
1436 },
1437 {
1438 "name": "TimeRange",
1439 "value": "P1D"
1440 },
1441 {
1442 "name": "SpecificChart",
1443 "isOptional": true
1444 }
1445 ],
1446 "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
1447 "settings": {
1448 "content": {
1449 "PartTitle": "Top 5 allowed outbound ports",
1450 "PartSubTitle": " "
1451 }
1452 },
1453 "asset": {
1454 "idInputName": "ComponentId",
1455 "type": "ApplicationInsights"
1456 }
1457 }
1458 },
1459 "19": {
1460 "position": {
1461 "x": 18,
1462 "y": 15,
1463 "colSpan": 7,
1464 "rowSpan": 4
1465 },
1466 "metadata": {
1467 "inputs": [
1468 {
1469 "name": "ComponentId",
1470 "value": {
1471 "SubscriptionId": "{Subscription_Id}",
1472 "ResourceGroup": "{Resource_Group}",
1473 "Name": "{Workspace_Name}",
1474 "ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
1475 }
1476 },
1477 {
1478 "name": "Query",
1479 "value": "//Top 5 Outbound Ports Denied \nCommonSecurityLog \n| where DeviceProduct =~ 'ASA' \n| where DeviceVendor =~ 'Cisco'"
1480 },
1481 {
1482 "name": "Version",
1483 "value": "1.0"
1484 },
1485 {
1486 "name": "DashboardId",
1487 "value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
1488 },
1489 {
1490 "name": "PartId",
1491 "value": "7678ddf2-f79c-49e8-946f-4427c72006be"
1492 },
1493 {
1494 "name": "PartTitle",
1495 "value": "Analytics"
1496 },
1497 {
1498 "name": "PartSubTitle",
1499 "value": "{Workspace_Name}"
1500 },
1501 {
1502 "name": "resourceTypeMode",
1503 "value": "workspace"
1504 },
1505 {
1506 "name": "ControlType",
1507 "value": "AnalyticsGrid"
1508 },
1509 {
1510 "name": "Dimensions",
1511 "isOptional": true
1512 },
1513 {
1514 "name": "TimeRange",
1515 "value": "P1D"
1516 },
1517 {
1518 "name": "SpecificChart",
1519 "isOptional": true
1520 }
1521 ],
1522 "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
1523 "settings": {
1524 "content": {
1525 "PartTitle": "Top 5 denied outbound ports",
1526 "PartSubTitle": " ",
1527 "Query": "//Top 5 Outbound Ports Denied\nCommonSecurityLog\n| where DeviceProduct =~ 'ASA'\n| where DeviceVendor =~ 'Cisco'\n| where CommunicationDirection contains   'outbound'\n| where SimplifiedDeviceAction == 'Deny' \n| extend DestinationPortS=tostring(DestinationPort)  \n| summarize PortCount=count() by DestinationPortS\n| top 5 by PortCount desc "
1528 }
1529 },
1530 "asset": {
1531 "idInputName": "ComponentId",
1532 "type": "ApplicationInsights"
1533 }
1534 }
1535 },
1536 "20": {
1537 "position": {
1538 "x": 0,
1539 "y": 19,
1540 "colSpan": 25,
1541 "rowSpan": 1
1542 },
1543 "metadata": {
1544 "inputs": [],
1545 "type": "Extension/HubsExtension/PartType/MarkdownPart",
1546 "settings": {
1547 "content": {
1548 "settings": {
1549 "content": "<div style='font-size:300%;'>Top 5 allowed and blocked IP addresses</div>",
1550 "title": "",
1551 "subtitle": " "
1552 }
1553 }
1554 }
1555 }
1556 },
1557 "21": {
1558 "position": {
1559 "x": 0,
1560 "y": 20,
1561 "colSpan": 6,
1562 "rowSpan": 4
1563 },
1564 "metadata": {
1565 "inputs": [
1566 {
1567 "name": "ComponentId",
1568 "value": {
1569 "SubscriptionId": "{Subscription_Id}",
1570 "ResourceGroup": "{Resource_Group}",
1571 "Name": "{Workspace_Name}",
1572 "ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
1573 }
1574 },
1575 {
1576 "name": "Query",
1577 "value": "//top 5 protocol Deny\nCommonSecurityLog\n| where DeviceProduct =~ 'ASA'\n| where DeviceVendor =~ 'Cisco'\n| where Protocol != ''\n| where SimplifiedDeviceAction == 'Deny'\n| summarize ProtocolCount= count() by Protocol\n| top 5 by ProtocolCount\n"
1578 },
1579 {
1580 "name": "Dimensions",
1581 "value": {
1582 "xAxis": {
1583 "name": "Protocol",
1584 "type": "String"
1585 },
1586 "yAxis": [
1587 {
1588 "name": "ProtocolCount",
1589 "type": "Int64"
1590 }
1591 ],
1592 "splitBy": [],
1593 "aggregation": "Sum"
1594 }
1595 },
1596 {
1597 "name": "Version",
1598 "value": "1.0"
1599 },
1600 {
1601 "name": "DashboardId",
1602 "value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
1603 },
1604 {
1605 "name": "PartId",
1606 "value": "cafb54c2-f6ea-4fcc-a5a4-bdf0f3a88da4"
1607 },
1608 {
1609 "name": "PartTitle",
1610 "value": "Analytics"
1611 },
1612 {
1613 "name": "PartSubTitle",
1614 "value": "{Workspace_Name}"
1615 },
1616 {
1617 "name": "resourceTypeMode",
1618 "value": "workspace"
1619 },
1620 {
1621 "name": "ControlType",
1622 "value": "AnalyticsDonut"
1623 },
1624 {
1625 "name": "TimeRange",
1626 "value": "P1D"
1627 },
1628 {
1629 "name": "SpecificChart",
1630 "isOptional": true
1631 }
1632 ],
1633 "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
1634 "settings": {
1635 "content": {
1636 "PartTitle": "Top 5 denied protocols",
1637 "PartSubTitle": " "
1638 }
1639 },
1640 "asset": {
1641 "idInputName": "ComponentId",
1642 "type": "ApplicationInsights"
1643 }
1644 }
1645 },
1646 "22": {
1647 "position": {
1648 "x": 6,
1649 "y": 20,
1650 "colSpan": 6,
1651 "rowSpan": 4
1652 },
1653 "metadata": {
1654 "inputs": [
1655 {
1656 "name": "ComponentId",
1657 "value": {
1658 "SubscriptionId": "{Subscription_Id}",
1659 "ResourceGroup": "{Resource_Group}",
1660 "Name": "{Workspace_Name}",
1661 "ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
1662 }
1663 },
1664 {
1665 "name": "Query",
1666 "value": "//top 5 protocol Allow\nCommonSecurityLog\n| where DeviceProduct =~ 'ASA'\n| where DeviceVendor =~ 'Cisco'\n| where Protocol != ''\n| where SimplifiedDeviceAction == 'Allow'\n| summarize ProtocolCount= count() by Protocol\n| top 5 by ProtocolCount\n"
1667 },
1668 {
1669 "name": "Dimensions",
1670 "value": {
1671 "xAxis": {
1672 "name": "Protocol",
1673 "type": "String"
1674 },
1675 "yAxis": [
1676 {
1677 "name": "ProtocolCount",
1678 "type": "Int64"
1679 }
1680 ],
1681 "splitBy": [],
1682 "aggregation": "Sum"
1683 }
1684 },
1685 {
1686 "name": "Version",
1687 "value": "1.0"
1688 },
1689 {
1690 "name": "DashboardId",
1691 "value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
1692 },
1693 {
1694 "name": "PartId",
1695 "value": "cb958e69-b8cb-4e78-9bf1-0510feaccf0e"
1696 },
1697 {
1698 "name": "PartTitle",
1699 "value": "Analytics"
1700 },
1701 {
1702 "name": "PartSubTitle",
1703 "value": "{Workspace_Name}"
1704 },
1705 {
1706 "name": "resourceTypeMode",
1707 "value": "workspace"
1708 },
1709 {
1710 "name": "ControlType",
1711 "value": "AnalyticsChart"
1712 },
1713 {
1714 "name": "SpecificChart",
1715 "value": "Bar"
1716 },
1717 {
1718 "name": "TimeRange",
1719 "value": "P1D"
1720 }
1721 ],
1722 "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
1723 "settings": {
1724 "content": {
1725 "PartTitle": "Top 5 allowed protocols",
1726 "PartSubTitle": " "
1727 }
1728 },
1729 "asset": {
1730 "idInputName": "ComponentId",
1731 "type": "ApplicationInsights"
1732 }
1733 }
1734 },
1735 "23": {
1736 "position": {
1737 "x": 12,
1738 "y": 20,
1739 "colSpan": 6,
1740 "rowSpan": 4
1741 },
1742 "metadata": {
1743 "inputs": [
1744 {
1745 "name": "ComponentId",
1746 "value": {
1747 "SubscriptionId": "{Subscription_Id}",
1748 "ResourceGroup": "{Resource_Group}",
1749 "Name": "{Workspace_Name}",
1750 "ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
1751 }
1752 },
1753 {
1754 "name": "Query",
1755 "value": "//Top 5 Inbound Destination IP Addresses Blocked \nCommonSecurityLog \n| where DeviceProduct =~ 'ASA' \n| where DeviceVendor =~ 'Cisco' \n| where CommunicationDirection contains 'inbound' \n| where SimplifiedDeviceAction == 'Deny' \n| summarize IpCount= count() by DestinationIP \n| top 5 by IpCount desc nulls last \n"
1756 },
1757 {
1758 "name": "Version",
1759 "value": "1.0"
1760 },
1761 {
1762 "name": "DashboardId",
1763 "value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
1764 },
1765 {
1766 "name": "PartId",
1767 "value": "66d7c8bd-58bf-4b6f-bb4e-2c76f2a2782f"
1768 },
1769 {
1770 "name": "PartTitle",
1771 "value": "Analytics"
1772 },
1773 {
1774 "name": "PartSubTitle",
1775 "value": "{Workspace_Name}"
1776 },
1777 {
1778 "name": "resourceTypeMode",
1779 "value": "workspace"
1780 },
1781 {
1782 "name": "ControlType",
1783 "value": "AnalyticsGrid"
1784 },
1785 {
1786 "name": "Dimensions",
1787 "isOptional": true
1788 },
1789 {
1790 "name": "TimeRange",
1791 "value": "P1D"
1792 },
1793 {
1794 "name": "SpecificChart",
1795 "isOptional": true
1796 }
1797 ],
1798 "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
1799 "settings": {
1800 "content": {
1801 "PartTitle": "Top 5 blocked inbound destination IP addresses",
1802 "PartSubTitle": " "
1803 }
1804 },
1805 "asset": {
1806 "idInputName": "ComponentId",
1807 "type": "ApplicationInsights"
1808 }
1809 }
1810 },
1811 "24": {
1812 "position": {
1813 "x": 18,
1814 "y": 20,
1815 "colSpan": 7,
1816 "rowSpan": 4
1817 },
1818 "metadata": {
1819 "inputs": [
1820 {
1821 "name": "ComponentId",
1822 "value": {
1823 "SubscriptionId": "{Subscription_Id}",
1824 "ResourceGroup": "{Resource_Group}",
1825 "Name": "{Workspace_Name}",
1826 "ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
1827 }
1828 },
1829 {
1830 "name": "Query",
1831 "value": "//Top 5 Inbound Destination IP Addresses Allowed \nCommonSecurityLog \n| where DeviceProduct =~ 'ASA' \n| where DeviceVendor =~ 'Cisco' \n| where CommunicationDirection contains 'inbound' \n| where DestinationIP != '' \n| where SimplifiedDeviceAction == 'Allow' or SimplifiedDeviceAction == 'Built' \n| summarize IpCount= count() by DestinationIP \n| top 5 by IpCount desc nulls last"
1832 },
1833 {
1834 "name": "Version",
1835 "value": "1.0"
1836 },
1837 {
1838 "name": "DashboardId",
1839 "value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
1840 },
1841 {
1842 "name": "PartId",
1843 "value": "80ffa6c5-fc20-4f72-9938-547dd8b0b80e"
1844 },
1845 {
1846 "name": "PartTitle",
1847 "value": "Analytics"
1848 },
1849 {
1850 "name": "PartSubTitle",
1851 "value": "{Workspace_Name}"
1852 },
1853 {
1854 "name": "resourceTypeMode",
1855 "value": "workspace"
1856 },
1857 {
1858 "name": "ControlType",
1859 "value": "AnalyticsGrid"
1860 },
1861 {
1862 "name": "Dimensions",
1863 "isOptional": true
1864 },
1865 {
1866 "name": "TimeRange",
1867 "value": "P1D"
1868 },
1869 {
1870 "name": "SpecificChart",
1871 "isOptional": true
1872 }
1873 ],
1874 "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
1875 "settings": {
1876 "content": {
1877 "PartTitle": "Top 5 allowed inbound destination IP addresses",
1878 "PartSubTitle": " "
1879 }
1880 },
1881 "asset": {
1882 "idInputName": "ComponentId",
1883 "type": "ApplicationInsights"
1884 }
1885 }
1886 },
1887 "25": {
1888 "position": {
1889 "x": 0,
1890 "y": 24,
1891 "colSpan": 6,
1892 "rowSpan": 4
1893 },
1894 "metadata": {
1895 "inputs": [
1896 {
1897 "name": "ComponentId",
1898 "value": {
1899 "SubscriptionId": "{Subscription_Id}",
1900 "ResourceGroup": "{Resource_Group}",
1901 "Name": "{Workspace_Name}",
1902 "ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
1903 }
1904 },
1905 {
1906 "name": "Query",
1907 "value": "//top 5 outbound deny dst ip\nCommonSecurityLog\n| where DeviceProduct =~ 'ASA'\n| where DeviceVendor =~ 'Cisco'\n| where DeviceEventClassID == '106100'\n| where SimplifiedDeviceAction == 'Deny'\n| where Message contains ' -> management'\n| summarize IpCount= count() by DestinationIP\n| top 5 by IpCount desc nulls last\n"
1908 },
1909 {
1910 "name": "Dimensions",
1911 "value": {
1912 "xAxis": {
1913 "name": "DestinationIP",
1914 "type": "String"
1915 },
1916 "yAxis": [
1917 {
1918 "name": "IpCount",
1919 "type": "Int64"
1920 }
1921 ],
1922 "splitBy": [],
1923 "aggregation": "Sum"
1924 }
1925 },
1926 {
1927 "name": "Version",
1928 "value": "1.0"
1929 },
1930 {
1931 "name": "DashboardId",
1932 "value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
1933 },
1934 {
1935 "name": "PartId",
1936 "value": "4db3575b-7a7e-4add-b14e-7d0aceeb1633"
1937 },
1938 {
1939 "name": "PartTitle",
1940 "value": "Analytics"
1941 },
1942 {
1943 "name": "PartSubTitle",
1944 "value": "{Workspace_Name}"
1945 },
1946 {
1947 "name": "resourceTypeMode",
1948 "value": "workspace"
1949 },
1950 {
1951 "name": "ControlType",
1952 "value": "AnalyticsChart"
1953 },
1954 {
1955 "name": "SpecificChart",
1956 "value": "Bar"
1957 },
1958 {
1959 "name": "TimeRange",
1960 "value": "P1D"
1961 }
1962 ],
1963 "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
1964 "settings": {
1965 "content": {
1966 "PartTitle": "Top 5 denied outbound destination IP addresses",
1967 "PartSubTitle": " "
1968 }
1969 },
1970 "asset": {
1971 "idInputName": "ComponentId",
1972 "type": "ApplicationInsights"
1973 }
1974 }
1975 },
1976 "26": {
1977 "position": {
1978 "x": 6,
1979 "y": 24,
1980 "colSpan": 6,
1981 "rowSpan": 4
1982 },
1983 "metadata": {
1984 "inputs": [
1985 {
1986 "name": "ComponentId",
1987 "value": {
1988 "SubscriptionId": "{Subscription_Id}",
1989 "ResourceGroup": "{Resource_Group}",
1990 "Name": "{Workspace_Name}",
1991 "ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
1992 }
1993 },
1994 {
1995 "name": "Query",
1996 "value": "//top 5 outbound Allow dst ip\nCommonSecurityLog\n| where DeviceProduct =~ 'ASA'\n| where DeviceVendor =~ 'Cisco'\n| where DeviceEventClassID == '106100'\n| where SimplifiedDeviceAction == 'Allow'\n| where Message contains ' -> management'\n| summarize IpCount= count() by DestinationIP\n| top 5 by IpCount desc nulls last\n"
1997 },
1998 {
1999 "name": "Dimensions",
2000 "value": {
2001 "xAxis": {
2002 "name": "DestinationIP",
2003 "type": "String"
2004 },
2005 "yAxis": [
2006 {
2007 "name": "IpCount",
2008 "type": "Int64"
2009 }
2010 ],
2011 "splitBy": [],
2012 "aggregation": "Sum"
2013 }
2014 },
2015 {
2016 "name": "Version",
2017 "value": "1.0"
2018 },
2019 {
2020 "name": "DashboardId",
2021 "value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
2022 },
2023 {
2024 "name": "PartId",
2025 "value": "3845c029-779e-468e-9eb5-aa0ab1d373bc"
2026 },
2027 {
2028 "name": "PartTitle",
2029 "value": "Analytics"
2030 },
2031 {
2032 "name": "PartSubTitle",
2033 "value": "{Workspace_Name}"
2034 },
2035 {
2036 "name": "resourceTypeMode",
2037 "value": "workspace"
2038 },
2039 {
2040 "name": "ControlType",
2041 "value": "AnalyticsDonut"
2042 },
2043 {
2044 "name": "TimeRange",
2045 "value": "P1D"
2046 },
2047 {
2048 "name": "SpecificChart",
2049 "isOptional": true
2050 }
2051 ],
2052 "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
2053 "settings": {
2054 "content": {
2055 "PartTitle": "Top 5 allowed outbound destination IP addresses",
2056 "PartSubTitle": " "
2057 }
2058 },
2059 "asset": {
2060 "idInputName": "ComponentId",
2061 "type": "ApplicationInsights"
2062 }
2063 }
2064 },
2065 "27": {
2066 "position": {
2067 "x": 12,
2068 "y": 24,
2069 "colSpan": 6,
2070 "rowSpan": 4
2071 },
2072 "metadata": {
2073 "inputs": [
2074 {
2075 "name": "ComponentId",
2076 "value": {
2077 "SubscriptionId": "{Subscription_Id}",
2078 "ResourceGroup": "{Resource_Group}",
2079 "Name": "{Workspace_Name}",
2080 "ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
2081 }
2082 },
2083 {
2084 "name": "Query",
2085 "value": "//Top 5 Inbound Source IP Addresses Denied \nCommonSecurityLog \n| where DeviceProduct =~ 'ASA' \n| where DeviceVendor =~ 'Cisco' \n| where CommunicationDirection contains 'inbound' \n| where SimplifiedDeviceAction == 'Deny' \n| summarize IpCount= count() by SourceIP \n| top 5 by IpCount desc nulls last"
2086 },
2087 {
2088 "name": "Version",
2089 "value": "1.0"
2090 },
2091 {
2092 "name": "DashboardId",
2093 "value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
2094 },
2095 {
2096 "name": "PartId",
2097 "value": "14d65713-9485-4d9a-9044-c8399596886c"
2098 },
2099 {
2100 "name": "PartTitle",
2101 "value": "Analytics"
2102 },
2103 {
2104 "name": "PartSubTitle",
2105 "value": "{Workspace_Name}"
2106 },
2107 {
2108 "name": "resourceTypeMode",
2109 "value": "workspace"
2110 },
2111 {
2112 "name": "ControlType",
2113 "value": "AnalyticsGrid"
2114 },
2115 {
2116 "name": "Dimensions",
2117 "isOptional": true
2118 },
2119 {
2120 "name": "TimeRange",
2121 "value": "P1D"
2122 },
2123 {
2124 "name": "SpecificChart",
2125 "isOptional": true
2126 }
2127 ],
2128 "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
2129 "settings": {
2130 "content": {
2131 "PartTitle": "Top 5 denied inbound source IP addresses",
2132 "PartSubTitle": " "
2133 }
2134 },
2135 "asset": {
2136 "idInputName": "ComponentId",
2137 "type": "ApplicationInsights"
2138 }
2139 }
2140 },
2141 "28": {
2142 "position": {
2143 "x": 18,
2144 "y": 24,
2145 "colSpan": 7,
2146 "rowSpan": 4
2147 },
2148 "metadata": {
2149 "inputs": [
2150 {
2151 "name": "ComponentId",
2152 "value": {
2153 "SubscriptionId": "{Subscription_Id}",
2154 "ResourceGroup": "{Resource_Group}",
2155 "Name": "{Workspace_Name}",
2156 "ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
2157 }
2158 },
2159 {
2160 "name": "Query",
2161 "value": "//Top 5 Outbound Source IP Addresses Allowed \nCommonSecurityLog \n| where DeviceProduct =~ 'ASA' \n| where DeviceVendor =~ 'Cisco' \n| where CommunicationDirection contains 'outbound' \n| where SimplifiedDeviceAction == 'Built' \n| summarize IpCount= count() by SourceIP \n| top 5 by IpCount desc nulls last"
2162 },
2163 {
2164 "name": "Version",
2165 "value": "1.0"
2166 },
2167 {
2168 "name": "DashboardId",
2169 "value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
2170 },
2171 {
2172 "name": "PartId",
2173 "value": "f1eccf54-99d1-4f31-b9c3-bd3aa0e58e87"
2174 },
2175 {
2176 "name": "PartTitle",
2177 "value": "Analytics"
2178 },
2179 {
2180 "name": "PartSubTitle",
2181 "value": "{Workspace_Name}"
2182 },
2183 {
2184 "name": "resourceTypeMode",
2185 "value": "workspace"
2186 },
2187 {
2188 "name": "ControlType",
2189 "value": "AnalyticsGrid"
2190 },
2191 {
2192 "name": "Dimensions",
2193 "isOptional": true
2194 },
2195 {
2196 "name": "TimeRange",
2197 "value": "P1D"
2198 },
2199 {
2200 "name": "SpecificChart",
2201 "isOptional": true
2202 }
2203 ],
2204 "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
2205 "settings": {
2206 "content": {
2207 "PartTitle": "Top 5 allowed outbound source IP addresses",
2208 "PartSubTitle": " "
2209 }
2210 },
2211 "asset": {
2212 "idInputName": "ComponentId",
2213 "type": "ApplicationInsights"
2214 }
2215 }
2216 },
2217 "29": {
2218 "position": {
2219 "x": 0,
2220 "y": 28,
2221 "colSpan": 25,
2222 "rowSpan": 1
2223 },
2224 "metadata": {
2225 "inputs": [],
2226 "type": "Extension/HubsExtension/PartType/MarkdownPart",
2227 "settings": {
2228 "content": {
2229 "settings": {
2230 "content": "<div style='font-size:300%;'>Firewall management</div>\n",
2231 "title": "",
2232 "subtitle": " "
2233 }
2234 }
2235 }
2236 }
2237 },
2238 "30": {
2239 "position": {
2240 "x": 0,
2241 "y": 29,
2242 "colSpan": 6,
2243 "rowSpan": 4
2244 },
2245 "metadata": {
2246 "inputs": [
2247 {
2248 "name": "ComponentId",
2249 "value": {
2250 "SubscriptionId": "{Subscription_Id}",
2251 "ResourceGroup": "{Resource_Group}",
2252 "Name": "{Workspace_Name}",
2253 "ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
2254 }
2255 },
2256 {
2257 "name": "Query",
2258 "value": "//top 10 commands\nCommonSecurityLog\n| where DeviceProduct =~ 'ASA'\n| where DeviceVendor =~ 'Cisco'\n| where DeviceEventClassID == '111008'\n| extend CommandExecuted= extract('%ASA-5-111008: User '.*?' executed the '(.*?)' command.',1,Message)\n| summarize Count= count() by CommandExecuted\n| top 5 by Count desc\n"
2259 },
2260 {
2261 "name": "Version",
2262 "value": "1.0"
2263 },
2264 {
2265 "name": "DashboardId",
2266 "value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
2267 },
2268 {
2269 "name": "PartId",
2270 "value": "c4ceeb6d-4b09-4ca8-9e7a-22447327dde4"
2271 },
2272 {
2273 "name": "PartTitle",
2274 "value": "Analytics"
2275 },
2276 {
2277 "name": "PartSubTitle",
2278 "value": "{Workspace_Name}"
2279 },
2280 {
2281 "name": "resourceTypeMode",
2282 "value": "workspace"
2283 },
2284 {
2285 "name": "ControlType",
2286 "value": "AnalyticsGrid"
2287 },
2288 {
2289 "name": "Dimensions",
2290 "isOptional": true
2291 },
2292 {
2293 "name": "TimeRange",
2294 "value": "P1D"
2295 },
2296 {
2297 "name": "SpecificChart",
2298 "isOptional": true
2299 }
2300 ],
2301 "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
2302 "settings": {
2303 "content": {
2304 "PartTitle": "Top 5 commands executed on firewall",
2305 "PartSubTitle": " "
2306 }
2307 },
2308 "asset": {
2309 "idInputName": "ComponentId",
2310 "type": "ApplicationInsights"
2311 }
2312 }
2313 },
2314 "31": {
2315 "position": {
2316 "x": 6,
2317 "y": 29,
2318 "colSpan": 5,
2319 "rowSpan": 4
2320 },
2321 "metadata": {
2322 "inputs": [
2323 {
2324 "name": "ComponentId",
2325 "value": {
2326 "SubscriptionId": "{Subscription_Id}",
2327 "ResourceGroup": "{Resource_Group}",
2328 "Name": "{Workspace_Name}",
2329 "ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
2330 }
2331 },
2332 {
2333 "name": "Query",
2334 "value": "//Top 5 Source IP Addresses By Failed Authentication \nCommonSecurityLog \n| where DeviceProduct =~ 'ASA' \n| where DeviceVendor =~ 'Cisco' \n| where DeviceEventClassID == '611102' \n| extend IPAddress= extract('%ASA-6-611102:.*: IP address: (.*?), Uname.*',1,Message) \n| summarize IPAddressCount=count() by IPAddress \n| top 5 by IPAddressCount desc"
2335 },
2336 {
2337 "name": "Version",
2338 "value": "1.0"
2339 },
2340 {
2341 "name": "DashboardId",
2342 "value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
2343 },
2344 {
2345 "name": "PartId",
2346 "value": "85b3f777-a756-4233-8b62-e1330c415bd5"
2347 },
2348 {
2349 "name": "PartTitle",
2350 "value": "Analytics"
2351 },
2352 {
2353 "name": "PartSubTitle",
2354 "value": "{Workspace_Name}"
2355 },
2356 {
2357 "name": "resourceTypeMode",
2358 "value": "workspace"
2359 },
2360 {
2361 "name": "ControlType",
2362 "value": "AnalyticsGrid"
2363 },
2364 {
2365 "name": "Dimensions",
2366 "isOptional": true
2367 },
2368 {
2369 "name": "TimeRange",
2370 "value": "P1D"
2371 },
2372 {
2373 "name": "SpecificChart",
2374 "isOptional": true
2375 }
2376 ],
2377 "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
2378 "settings": {
2379 "content": {
2380 "PartTitle": "Top 5 source IP addresses, by failed authentication",
2381 "PartSubTitle": " "
2382 }
2383 },
2384 "asset": {
2385 "idInputName": "ComponentId",
2386 "type": "ApplicationInsights"
2387 }
2388 }
2389 },
2390 "32": {
2391 "position": {
2392 "x": 11,
2393 "y": 29,
2394 "colSpan": 5,
2395 "rowSpan": 4
2396 },
2397 "metadata": {
2398 "inputs": [
2399 {
2400 "name": "ComponentId",
2401 "value": {
2402 "SubscriptionId": "{Subscription_Id}",
2403 "ResourceGroup": "{Resource_Group}",
2404 "Name": "{Workspace_Name}",
2405 "ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
2406 }
2407 },
2408 {
2409 "name": "Query",
2410 "value": "//Login Attempts For Nonexistent User Account \nCommonSecurityLog \n| where DeviceProduct =~ 'ASA' \n| where DeviceVendor =~ 'Cisco' \n| where DeviceEventClassID == '113015' \n| extend ipaddress=extract('%ASA-6-113015:.*: user IP = (.*)$',1,Message) \n| summarize IPCount=count() by ipaddress \n| top 5 by IPCount desc"
2411 },
2412 {
2413 "name": "Version",
2414 "value": "1.0"
2415 },
2416 {
2417 "name": "DashboardId",
2418 "value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
2419 },
2420 {
2421 "name": "PartId",
2422 "value": "24deded9-5ff5-41aa-b568-636af82c9def"
2423 },
2424 {
2425 "name": "PartTitle",
2426 "value": "Analytics"
2427 },
2428 {
2429 "name": "PartSubTitle",
2430 "value": "{Workspace_Name}"
2431 },
2432 {
2433 "name": "resourceTypeMode",
2434 "value": "workspace"
2435 },
2436 {
2437 "name": "ControlType",
2438 "value": "AnalyticsGrid"
2439 },
2440 {
2441 "name": "Dimensions",
2442 "isOptional": true
2443 },
2444 {
2445 "name": "TimeRange",
2446 "value": "P1D"
2447 },
2448 {
2449 "name": "SpecificChart",
2450 "isOptional": true
2451 }
2452 ],
2453 "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
2454 "settings": {
2455 "content": {
2456 "PartTitle": "Logon attempts to nonexistent user account, by source IP address",
2457 "PartSubTitle": " "
2458 }
2459 },
2460 "asset": {
2461 "idInputName": "ComponentId",
2462 "type": "ApplicationInsights"
2463 }
2464 }
2465 },
2466 "33": {
2467 "position": {
2468 "x": 16,
2469 "y": 29,
2470 "colSpan": 6,
2471 "rowSpan": 4
2472 },
2473 "metadata": {
2474 "inputs": [
2475 {
2476 "name": "ComponentId",
2477 "value": {
2478 "SubscriptionId": "{Subscription_Id}",
2479 "ResourceGroup": "{Resource_Group}",
2480 "Name": "{Workspace_Name}",
2481 "ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
2482 }
2483 },
2484 {
2485 "name": "Query",
2486 "value": "//Top 5 SSH Failed Attempt By Source IP \nCommonSecurityLog \n| where DeviceProduct =~ 'ASA' \n| where DeviceVendor =~ 'Cisco' \n| where DeviceEventClassID == '315011' \n| extend IP= extract('%ASA-6-315011: SSH session from (.*) on',1,Message) \n| summarize ReasonCount=count() by IP \n| top 5 by ReasonCount desc"
2487 },
2488 {
2489 "name": "Version",
2490 "value": "1.0"
2491 },
2492 {
2493 "name": "DashboardId",
2494 "value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
2495 },
2496 {
2497 "name": "PartId",
2498 "value": "ac387c57-98d0-4822-93f6-3c2f296d9ac1"
2499 },
2500 {
2501 "name": "PartTitle",
2502 "value": "Analytics"
2503 },
2504 {
2505 "name": "PartSubTitle",
2506 "value": "{Workspace_Name}"
2507 },
2508 {
2509 "name": "resourceTypeMode",
2510 "value": "workspace"
2511 },
2512 {
2513 "name": "ControlType",
2514 "value": "AnalyticsGrid"
2515 },
2516 {
2517 "name": "Dimensions",
2518 "isOptional": true
2519 },
2520 {
2521 "name": "TimeRange",
2522 "value": "P1D"
2523 },
2524 {
2525 "name": "SpecificChart",
2526 "isOptional": true
2527 }
2528 ],
2529 "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
2530 "settings": {
2531 "content": {
2532 "PartTitle": "Top 5 SSH failed attempts, by source IP address",
2533 "PartSubTitle": " "
2534 }
2535 },
2536 "asset": {
2537 "idInputName": "ComponentId",
2538 "type": "ApplicationInsights"
2539 }
2540 }
2541 },
2542 "34": {
2543 "position": {
2544 "x": 22,
2545 "y": 29,
2546 "colSpan": 3,
2547 "rowSpan": 4
2548 },
2549 "metadata": {
2550 "inputs": [
2551 {
2552 "name": "ComponentId",
2553 "value": {
2554 "SubscriptionId": "{Subscription_Id}",
2555 "ResourceGroup": "{Resource_Group}",
2556 "Name": "{Workspace_Name}",
2557 "ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
2558 }
2559 },
2560 {
2561 "name": "Query",
2562 "value": "//Authentication Success\nCommonSecurityLog\n| where DeviceProduct =~ 'ASA'\n| where DeviceVendor =~ 'Cisco'\n| where DeviceEventClassID == '113012'\n| extend UserName= extract('%ASA-6-113012:.*: user = (.*)$',1,Message)\n| summarize UserCount=count() by UserName\n| top 5 by UserCount desc\n"
2563 },
2564 {
2565 "name": "Dimensions",
2566 "value": {
2567 "xAxis": {
2568 "name": "UserName",
2569 "type": "String"
2570 },
2571 "yAxis": [
2572 {
2573 "name": "UserCount",
2574 "type": "Int64"
2575 }
2576 ],
2577 "splitBy": [],
2578 "aggregation": "Sum"
2579 }
2580 },
2581 {
2582 "name": "Version",
2583 "value": "1.0"
2584 },
2585 {
2586 "name": "DashboardId",
2587 "value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CiscoDashboard_{Workspace_Name}"
2588 },
2589 {
2590 "name": "PartId",
2591 "value": "83678fda-fe05-4a83-b61f-c457740a84bf"
2592 },
2593 {
2594 "name": "PartTitle",
2595 "value": "Analytics"
2596 },
2597 {
2598 "name": "PartSubTitle",
2599 "value": "{Workspace_Name}"
2600 },
2601 {
2602 "name": "resourceTypeMode",
2603 "value": "workspace"
2604 },
2605 {
2606 "name": "ControlType",
2607 "value": "AnalyticsChart"
2608 },
2609 {
2610 "name": "SpecificChart",
2611 "value": "Bar"
2612 },
2613 {
2614 "name": "TimeRange",
2615 "value": "P1D"
2616 }
2617 ],
2618 "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
2619 "settings": {
2620 "content": {
2621 "PartTitle": "Top 5 successfully authenticated users",
2622 "PartSubTitle": " "
2623 }
2624 },
2625 "asset": {
2626 "idInputName": "ComponentId",
2627 "type": "ApplicationInsights"
2628 }
2629 }
2630 },
2631 "35": {
2632 "position": {
2633 "x": 0,
2634 "y": 0,
2635 "colSpan": 1,
2636 "rowSpan": 1
2637 },
2638 "metadata": {
2639 "inputs": [
2640 {
2641 "name": "subscriptionId",
2642 "value": "{Subscription_Id}"
2643 },
2644 {
2645 "name": "resourceGroup",
2646 "value": "{Resource_Group}"
2647 },
2648 {
2649 "name": "workspaceName",
2650 "value": "{Workspace_Name}"
2651 },
2652 {
2653 "name": "menuItemToOpen",
2654 "value": "Dashboards"
2655 }
2656 ],
2657 "type": "Extension/Microsoft_Azure_Security_Insights/PartType/AsiOverviewPart",
2658 "defaultMenuItemId": "0"
2659 }
2660 }
2661 }
2662 }
2663 }
2664 }
2665}