Dashboards/Cylance.json

1{
2 "name": "CylanceDashboard_{Workspace_Name}",
3 "type": "Microsoft.Portal/dashboards",
4 "location": "{Dashboard_Location}",
5 "tags": {
6 "dashboardKey": "CylanceDashboard",
7 "hidden-title": "Cylance - {Workspace_Name}",
8 "version": "1.1",
9 "workspaceName": "{Workspace_Name}"
10 },
11 "properties": {
12 "lenses": {
13 "0": {
14 "order": 0,
15 "parts": {
16 "0": {
17 "position": {
18 "x": 1,
19 "y": 0,
20 "colSpan": 11,
21 "rowSpan": 1
22 },
23 "metadata": {
24 "inputs": [],
25 "type": "Extension/HubsExtension/PartType/MarkdownPart",
26 "settings": {
27 "content": {
28 "settings": {
29 "content": "<div style='font-size:300%;'>Cylance overview</div> ",
30 "title": "",
31 "subtitle": ""
32 }
33 }
34 }
35 }
36 },
37 "1": {
38 "position": {
39 "x": 12,
40 "y": 0,
41 "colSpan": 6,
42 "rowSpan": 1
43 },
44 "metadata": {
45 "inputs": [],
46 "type": "Extension/HubsExtension/PartType/MarkdownPart",
47 "settings": {
48 "content": {
49 "settings": {
50 "content": "<body style='background-color:#FF0000;'><img width='600' height='50' src='https://download.cylance.com/updates/CylanceDetectImages/cylance_signin_logo.png'/> \n</body>",
51 "title": "",
52 "subtitle": ""
53 }
54 }
55 }
56 }
57 },
58 "2": {
59 "position": {
60 "x": 0,
61 "y": 1,
62 "colSpan": 6,
63 "rowSpan": 4
64 },
65 "metadata": {
66 "inputs": [
67 {
68 "name": "ComponentId",
69 "value": {
70 "SubscriptionId": "{Subscription_Id}",
71 "ResourceGroup": "{Resource_Group}",
72 "Name": "{Workspace_Name}",
73 "ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
74 }
75 },
76 {
77 "name": "Query",
78 "value": "//log type trend\nSyslog\n| where Computer =~ 'sysloghost' \n| extend LogType= extract('^([a-xA-Z]*),',1,SyslogMessage ) \n| summarize LogTypeCount= count() by LogType , TimeGenerated\n"
79 },
80 {
81 "name": "Dimensions",
82 "value": {
83 "xAxis": {
84 "name": "TimeGenerated",
85 "type": "DateTime"
86 },
87 "yAxis": [
88 {
89 "name": "LogTypeCount",
90 "type": "Int64"
91 }
92 ],
93 "splitBy": [
94 {
95 "name": "LogType",
96 "type": "String"
97 }
98 ],
99 "aggregation": "Sum"
100 }
101 },
102 {
103 "name": "Version",
104 "value": "1.0"
105 },
106 {
107 "name": "DashboardId",
108 "value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CylanceDashboard_{Workspace_Name}"
109 },
110 {
111 "name": "PartId",
112 "value": "d88fd7ce-0325-45b7-80bf-7f4aa8709fa7"
113 },
114 {
115 "name": "PartTitle",
116 "value": "Analytics"
117 },
118 {
119 "name": "PartSubTitle",
120 "value": "{Workspace_Name}"
121 },
122 {
123 "name": "resourceTypeMode",
124 "value": "workspace"
125 },
126 {
127 "name": "ControlType",
128 "value": "AnalyticsChart"
129 },
130 {
131 "name": "SpecificChart",
132 "value": "Bar"
133 },
134 {
135 "name": "TimeRange",
136 "value": "P1D"
137 }
138 ],
139 "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
140 "settings": {
141 "content": {
142 "PartTitle": "Event type trend over time",
143 "PartSubTitle": " "
144 }
145 },
146 "asset": {
147 "idInputName": "ComponentId",
148 "type": "ApplicationInsights"
149 }
150 }
151 },
152 "3": {
153 "position": {
154 "x": 6,
155 "y": 1,
156 "colSpan": 6,
157 "rowSpan": 4
158 },
159 "metadata": {
160 "inputs": [
161 {
162 "name": "ComponentId",
163 "value": {
164 "SubscriptionId": "{Subscription_Id}",
165 "ResourceGroup": "{Resource_Group}",
166 "Name": "{Workspace_Name}",
167 "ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
168 }
169 },
170 {
171 "name": "Query",
172 "value": "//log volume trend\nSyslog\n| where Computer =~ 'sysloghost' \n| summarize LogVolume= count() by TimeGenerated "
173 },
174 {
175 "name": "Dimensions",
176 "value": {
177 "xAxis": {
178 "name": "TimeGenerated",
179 "type": "DateTime"
180 },
181 "yAxis": [
182 {
183 "name": "LogVolume",
184 "type": "Int64"
185 }
186 ],
187 "splitBy": [],
188 "aggregation": "Sum"
189 }
190 },
191 {
192 "name": "Version",
193 "value": "1.0"
194 },
195 {
196 "name": "DashboardId",
197 "value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CylanceDashboard_{Workspace_Name}"
198 },
199 {
200 "name": "PartId",
201 "value": "5256b3b9-e294-49be-95da-c01b3eec7bf9"
202 },
203 {
204 "name": "PartTitle",
205 "value": "Analytics"
206 },
207 {
208 "name": "PartSubTitle",
209 "value": "{Workspace_Name}"
210 },
211 {
212 "name": "resourceTypeMode",
213 "value": "workspace"
214 },
215 {
216 "name": "ControlType",
217 "value": "AnalyticsChart"
218 },
219 {
220 "name": "SpecificChart",
221 "value": "Line"
222 },
223 {
224 "name": "TimeRange",
225 "value": "P1D"
226 }
227 ],
228 "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
229 "settings": {
230 "content": {
231 "PartTitle": "Event count trend over time",
232 "PartSubTitle": " "
233 }
234 },
235 "asset": {
236 "idInputName": "ComponentId",
237 "type": "ApplicationInsights"
238 }
239 }
240 },
241 "4": {
242 "position": {
243 "x": 12,
244 "y": 1,
245 "colSpan": 6,
246 "rowSpan": 4
247 },
248 "metadata": {
249 "inputs": [
250 {
251 "name": "ComponentId",
252 "value": {
253 "SubscriptionId": "{Subscription_Id}",
254 "ResourceGroup": "{Resource_Group}",
255 "Name": "{Workspace_Name}",
256 "ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
257 }
258 },
259 {
260 "name": "Query",
261 "value": "// log type count\nSyslog\n| where Computer =~ 'sysloghost' \n| extend LogType= extract('^([a-xA-Z]*),',1,SyslogMessage ) \n| summarize LogTypeCount= count() by LogType \n"
262 },
263 {
264 "name": "Dimensions",
265 "value": {
266 "xAxis": {
267 "name": "LogType",
268 "type": "String"
269 },
270 "yAxis": [
271 {
272 "name": "LogTypeCount",
273 "type": "Int64"
274 }
275 ],
276 "splitBy": [],
277 "aggregation": "Sum"
278 }
279 },
280 {
281 "name": "Version",
282 "value": "1.0"
283 },
284 {
285 "name": "DashboardId",
286 "value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CylanceDashboard_{Workspace_Name}"
287 },
288 {
289 "name": "PartId",
290 "value": "8c4bdd63-3db8-4c6f-8479-2e730f87ad1e"
291 },
292 {
293 "name": "PartTitle",
294 "value": "Analytics"
295 },
296 {
297 "name": "PartSubTitle",
298 "value": "{Workspace_Name}"
299 },
300 {
301 "name": "resourceTypeMode",
302 "value": "workspace"
303 },
304 {
305 "name": "ControlType",
306 "value": "AnalyticsDonut"
307 },
308 {
309 "name": "TimeRange",
310 "value": "P1D"
311 },
312 {
313 "name": "SpecificChart",
314 "isOptional": true
315 }
316 ],
317 "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
318 "settings": {
319 "content": {
320 "PartTitle": "Event type summary",
321 "PartSubTitle": " "
322 }
323 },
324 "asset": {
325 "idInputName": "ComponentId",
326 "type": "ApplicationInsights"
327 }
328 }
329 },
330 "5": {
331 "position": {
332 "x": 0,
333 "y": 5,
334 "colSpan": 18,
335 "rowSpan": 1
336 },
337 "metadata": {
338 "inputs": [],
339 "type": "Extension/HubsExtension/PartType/MarkdownPart",
340 "settings": {
341 "content": {
342 "settings": {
343 "content": "<div style='font-size:300%;'>Malware posture</div> ",
344 "title": "",
345 "subtitle": ""
346 }
347 }
348 }
349 }
350 },
351 "6": {
352 "position": {
353 "x": 0,
354 "y": 6,
355 "colSpan": 6,
356 "rowSpan": 4
357 },
358 "metadata": {
359 "inputs": [
360 {
361 "name": "ComponentId",
362 "value": {
363 "SubscriptionId": "{Subscription_Id}",
364 "ResourceGroup": "{Resource_Group}",
365 "Name": "{Workspace_Name}",
366 "ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
367 }
368 },
369 {
370 "name": "Query",
371 "value": "//top 5 malware seen\nSyslog\n| where Computer =~ 'sysloghost' \n| extend LogType= extract('^([a-xA-Z]*),',1,SyslogMessage ) \n| where LogType =~'Threat'\n| extend MalwareMD5= extract('MD5: (.*?),',1,SyslogMessage) \n| summarize MalwareCount= count() by MalwareMD5\n| top 5 by MalwareCount desc \n"
372 },
373 {
374 "name": "Version",
375 "value": "1.0"
376 },
377 {
378 "name": "DashboardId",
379 "value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CylanceDashboard_{Workspace_Name}"
380 },
381 {
382 "name": "PartId",
383 "value": "a63faa99-b0b5-42c7-8e8f-7de3bca4391b"
384 },
385 {
386 "name": "PartTitle",
387 "value": "Analytics"
388 },
389 {
390 "name": "PartSubTitle",
391 "value": "{Workspace_Name}"
392 },
393 {
394 "name": "resourceTypeMode",
395 "value": "workspace"
396 },
397 {
398 "name": "ControlType",
399 "value": "AnalyticsGrid"
400 },
401 {
402 "name": "Dimensions",
403 "isOptional": true
404 },
405 {
406 "name": "TimeRange",
407 "value": "P1D"
408 },
409 {
410 "name": "SpecificChart",
411 "isOptional": true
412 }
413 ],
414 "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
415 "settings": {
416 "content": {
417 "PartTitle": "Top 5 malware hashes (MD5), by event count",
418 "PartSubTitle": " "
419 }
420 },
421 "asset": {
422 "idInputName": "ComponentId",
423 "type": "ApplicationInsights"
424 }
425 }
426 },
427 "7": {
428 "position": {
429 "x": 6,
430 "y": 6,
431 "colSpan": 6,
432 "rowSpan": 4
433 },
434 "metadata": {
435 "inputs": [
436 {
437 "name": "ComponentId",
438 "value": {
439 "SubscriptionId": "{Subscription_Id}",
440 "ResourceGroup": "{Resource_Group}",
441 "Name": "{Workspace_Name}",
442 "ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
443 }
444 },
445 {
446 "name": "Query",
447 "value": "//Threat classification\nSyslog\n| where Computer =~ 'sysloghost' \n| extend LogType= extract('^([a-xA-Z]*),',1,SyslogMessage ) \n| where LogType =~'Threat'\n| extend Classification= extract('Threat Classification: (.*?)#',1,SyslogMessage)\n| summarize count() by Classification \n| top 5 by count_ desc \n"
448 },
449 {
450 "name": "Version",
451 "value": "1.0"
452 },
453 {
454 "name": "DashboardId",
455 "value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CylanceDashboard_{Workspace_Name}"
456 },
457 {
458 "name": "PartId",
459 "value": "ac7b0173-e513-4388-a1cc-8cf5b7498893"
460 },
461 {
462 "name": "PartTitle",
463 "value": "Analytics"
464 },
465 {
466 "name": "PartSubTitle",
467 "value": "{Workspace_Name}"
468 },
469 {
470 "name": "resourceTypeMode",
471 "value": "workspace"
472 },
473 {
474 "name": "ControlType",
475 "value": "AnalyticsGrid"
476 },
477 {
478 "name": "Dimensions",
479 "isOptional": true
480 },
481 {
482 "name": "TimeRange",
483 "value": "P1D"
484 },
485 {
486 "name": "SpecificChart",
487 "isOptional": true
488 }
489 ],
490 "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
491 "settings": {
492 "content": {
493 "PartTitle": "Top 5 threat classifications, by event count",
494 "PartSubTitle": " "
495 }
496 },
497 "asset": {
498 "idInputName": "ComponentId",
499 "type": "ApplicationInsights"
500 }
501 }
502 },
503 "8": {
504 "position": {
505 "x": 12,
506 "y": 6,
507 "colSpan": 6,
508 "rowSpan": 4
509 },
510 "metadata": {
511 "inputs": [
512 {
513 "name": "ComponentId",
514 "value": {
515 "SubscriptionId": "{Subscription_Id}",
516 "ResourceGroup": "{Resource_Group}",
517 "Name": "{Workspace_Name}",
518 "ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
519 }
520 },
521 {
522 "name": "Query",
523 "value": "//how new is malware\nSyslog\n| where Computer =~ 'sysloghost' \n| extend LogType= extract('^([a-xA-Z]*),',1,SyslogMessage ) \n| where LogType =~'Threat'\n| extend Unique= extract('Is Unique To Cylance: (.*?),',1,SyslogMessage)\n| summarize count() by Unique \n"
524 },
525 {
526 "name": "Version",
527 "value": "1.0"
528 },
529 {
530 "name": "DashboardId",
531 "value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CylanceDashboard_{Workspace_Name}"
532 },
533 {
534 "name": "PartId",
535 "value": "8e4ef54c-4a1f-4101-a8eb-390059b26332"
536 },
537 {
538 "name": "PartTitle",
539 "value": "Analytics"
540 },
541 {
542 "name": "PartSubTitle",
543 "value": "{Workspace_Name}"
544 },
545 {
546 "name": "resourceTypeMode",
547 "value": "workspace"
548 },
549 {
550 "name": "ControlType",
551 "value": "AnalyticsGrid"
552 },
553 {
554 "name": "Dimensions",
555 "isOptional": true
556 },
557 {
558 "name": "TimeRange",
559 "value": "P1D"
560 },
561 {
562 "name": "SpecificChart",
563 "isOptional": true
564 }
565 ],
566 "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
567 "settings": {
568 "content": {
569 "PartTitle": "First time malware type detected?",
570 "PartSubTitle": " "
571 }
572 },
573 "asset": {
574 "idInputName": "ComponentId",
575 "type": "ApplicationInsights"
576 }
577 }
578 },
579 "9": {
580 "position": {
581 "x": 0,
582 "y": 10,
583 "colSpan": 18,
584 "rowSpan": 1
585 },
586 "metadata": {
587 "inputs": [],
588 "type": "Extension/HubsExtension/PartType/MarkdownPart",
589 "settings": {
590 "content": {
591 "settings": {
592 "content": "<div style='font-size:300%;'>Threat posture in environment</div> ",
593 "title": "",
594 "subtitle": ""
595 }
596 }
597 }
598 }
599 },
600 "10": {
601 "position": {
602 "x": 0,
603 "y": 11,
604 "colSpan": 6,
605 "rowSpan": 4
606 },
607 "metadata": {
608 "inputs": [
609 {
610 "name": "ComponentId",
611 "value": {
612 "SubscriptionId": "{Subscription_Id}",
613 "ResourceGroup": "{Resource_Group}",
614 "Name": "{Workspace_Name}",
615 "ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
616 }
617 },
618 {
619 "name": "Query",
620 "value": "//Detected By\nSyslog\n| where Computer =~ 'sysloghost' \n| extend LogType= extract('^([a-xA-Z]*),',1,SyslogMessage ) \n| where LogType =~'Threat'\n| extend DetectionMethod= extract('Detected By: (.*?),',1,SyslogMessage)\n| summarize count() by DetectionMethod\n"
621 },
622 {
623 "name": "Version",
624 "value": "1.0"
625 },
626 {
627 "name": "DashboardId",
628 "value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CylanceDashboard_{Workspace_Name}"
629 },
630 {
631 "name": "PartId",
632 "value": "106a734c-1b9a-44e9-8541-b4b2b1f787fb"
633 },
634 {
635 "name": "PartTitle",
636 "value": "Analytics"
637 },
638 {
639 "name": "PartSubTitle",
640 "value": "{Workspace_Name}"
641 },
642 {
643 "name": "resourceTypeMode",
644 "value": "workspace"
645 },
646 {
647 "name": "ControlType",
648 "value": "AnalyticsGrid"
649 },
650 {
651 "name": "Dimensions",
652 "isOptional": true
653 },
654 {
655 "name": "TimeRange",
656 "value": "P1D"
657 },
658 {
659 "name": "SpecificChart",
660 "isOptional": true
661 }
662 ],
663 "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
664 "settings": {
665 "content": {
666 "PartTitle": "Cylance threats, by detection method",
667 "PartSubTitle": " ",
668 "Query": "//Detected By\nSyslog\n| where Computer =~ 'sysloghost' \n| extend LogType= extract('^([a-xA-Z]*),',1,SyslogMessage ) \n| where LogType =~'Threat'\n| extend DetectionMethod= extract('Detected By: (.*?),',1,SyslogMessage)\n| summarize Count=count() by DetectionMethod\n"
669 }
670 },
671 "asset": {
672 "idInputName": "ComponentId",
673 "type": "ApplicationInsights"
674 }
675 }
676 },
677 "11": {
678 "position": {
679 "x": 6,
680 "y": 11,
681 "colSpan": 6,
682 "rowSpan": 4
683 },
684 "metadata": {
685 "inputs": [
686 {
687 "name": "ComponentId",
688 "value": {
689 "SubscriptionId": "{Subscription_Id}",
690 "ResourceGroup": "{Resource_Group}",
691 "Name": "{Workspace_Name}",
692 "ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
693 }
694 },
695 {
696 "name": "Query",
697 "value": "//Count by status\nSyslog\n| where Computer =~ 'sysloghost' \n| extend LogType= extract('^([a-xA-Z]*),',1,SyslogMessage ) \n| where LogType =~'Threat'\n| extend CylanceStatus= extract('Status: (.*?),',1,SyslogMessage)\n| summarize count() by CylanceStatus \n"
698 },
699 {
700 "name": "Version",
701 "value": "1.0"
702 },
703 {
704 "name": "DashboardId",
705 "value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CylanceDashboard_{Workspace_Name}"
706 },
707 {
708 "name": "PartId",
709 "value": "636dd1a9-1304-4da0-9a4b-fdd8d734bfda"
710 },
711 {
712 "name": "PartTitle",
713 "value": "Analytics"
714 },
715 {
716 "name": "PartSubTitle",
717 "value": "{Workspace_Name}"
718 },
719 {
720 "name": "resourceTypeMode",
721 "value": "workspace"
722 },
723 {
724 "name": "ControlType",
725 "value": "AnalyticsGrid"
726 },
727 {
728 "name": "Dimensions",
729 "isOptional": true
730 },
731 {
732 "name": "TimeRange",
733 "value": "P1D"
734 },
735 {
736 "name": "SpecificChart",
737 "isOptional": true
738 }
739 ],
740 "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
741 "settings": {
742 "content": {
743 "PartTitle": "Cylance threat status summary",
744 "PartSubTitle": " ",
745 "Query": "//Count by status\nSyslog\n| where Computer =~ 'sysloghost' \n| extend LogType= extract('^([a-xA-Z]*),',1,SyslogMessage ) \n| where LogType =~'Threat'\n| extend CylanceStatus= extract('Status: (.*?),',1,SyslogMessage)\n| summarize StatusCount=count() by CylanceStatus \n"
746 }
747 },
748 "asset": {
749 "idInputName": "ComponentId",
750 "type": "ApplicationInsights"
751 }
752 }
753 },
754 "12": {
755 "position": {
756 "x": 12,
757 "y": 11,
758 "colSpan": 6,
759 "rowSpan": 4
760 },
761 "metadata": {
762 "inputs": [
763 {
764 "name": "ComponentId",
765 "value": {
766 "SubscriptionId": "{Subscription_Id}",
767 "ResourceGroup": "{Resource_Group}",
768 "Name": "{Workspace_Name}",
769 "ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
770 }
771 },
772 {
773 "name": "Query",
774 "value": "//threat type make pie chart \nSyslog \n| where Computer =~ 'sysloghost' \n| extend LogType= extract('^([a-xA-Z]*),',1,SyslogMessage ) \n| where LogType =~'Threat' \n| extend EventName = extract('Event Name: (.*?),',1,SyslogMessage ) \n| summarize EventType= count() by EventName \n"
775 },
776 {
777 "name": "Dimensions",
778 "value": {
779 "xAxis": {
780 "name": "EventName",
781 "type": "String"
782 },
783 "yAxis": [
784 {
785 "name": "EventType",
786 "type": "Int64"
787 }
788 ],
789 "splitBy": [],
790 "aggregation": "Sum"
791 }
792 },
793 {
794 "name": "Version",
795 "value": "1.0"
796 },
797 {
798 "name": "DashboardId",
799 "value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CylanceDashboard_{Workspace_Name}"
800 },
801 {
802 "name": "PartId",
803 "value": "ab497652-b6c8-46c9-be16-fd656372373c"
804 },
805 {
806 "name": "PartTitle",
807 "value": "Analytics"
808 },
809 {
810 "name": "PartSubTitle",
811 "value": "{Workspace_Name}"
812 },
813 {
814 "name": "resourceTypeMode",
815 "value": "workspace"
816 },
817 {
818 "name": "ControlType",
819 "value": "AnalyticsDonut"
820 },
821 {
822 "name": "TimeRange",
823 "value": "P1D"
824 },
825 {
826 "name": "SpecificChart",
827 "isOptional": true
828 }
829 ],
830 "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
831 "settings": {
832 "content": {
833 "PartTitle": "Threat event summary",
834 "PartSubTitle": " "
835 }
836 },
837 "asset": {
838 "idInputName": "ComponentId",
839 "type": "ApplicationInsights"
840 }
841 }
842 },
843 "13": {
844 "position": {
845 "x": 0,
846 "y": 15,
847 "colSpan": 6,
848 "rowSpan": 4
849 },
850 "metadata": {
851 "inputs": [
852 {
853 "name": "ComponentId",
854 "value": {
855 "SubscriptionId": "{Subscription_Id}",
856 "ResourceGroup": "{Resource_Group}",
857 "Name": "{Workspace_Name}",
858 "ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
859 }
860 },
861 {
862 "name": "Query",
863 "value": "//top 5 device in threat\nSyslog\n| where Computer =~ 'sysloghost' \n| extend LogType= extract('^([a-xA-Z]*),',1,SyslogMessage ) \n| where LogType =~'Threat'\n| extend DeviceName = extract('Device Name: (.*?),',1,SyslogMessage)\n| where DeviceName != ''\n| summarize DeviceCount=count() by DeviceName\n| top 5 by DeviceCount desc \n"
864 },
865 {
866 "name": "Version",
867 "value": "1.0"
868 },
869 {
870 "name": "DashboardId",
871 "value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CylanceDashboard_{Workspace_Name}"
872 },
873 {
874 "name": "PartId",
875 "value": "fe52d69e-369f-4ec0-9210-1860baa3c55a"
876 },
877 {
878 "name": "PartTitle",
879 "value": "Analytics"
880 },
881 {
882 "name": "PartSubTitle",
883 "value": "{Workspace_Name}"
884 },
885 {
886 "name": "resourceTypeMode",
887 "value": "workspace"
888 },
889 {
890 "name": "ControlType",
891 "value": "AnalyticsGrid"
892 },
893 {
894 "name": "Dimensions",
895 "isOptional": true
896 },
897 {
898 "name": "TimeRange",
899 "value": "P1D"
900 },
901 {
902 "name": "SpecificChart",
903 "isOptional": true
904 }
905 ],
906 "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
907 "settings": {
908 "content": {
909 "PartTitle": "Top 5 devices with threats, by count",
910 "PartSubTitle": " "
911 }
912 },
913 "asset": {
914 "idInputName": "ComponentId",
915 "type": "ApplicationInsights"
916 }
917 }
918 },
919 "14": {
920 "position": {
921 "x": 6,
922 "y": 15,
923 "colSpan": 6,
924 "rowSpan": 4
925 },
926 "metadata": {
927 "inputs": [
928 {
929 "name": "ComponentId",
930 "value": {
931 "SubscriptionId": "{Subscription_Id}",
932 "ResourceGroup": "{Resource_Group}",
933 "Name": "{Workspace_Name}",
934 "ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
935 }
936 },
937 {
938 "name": "Query",
939 "value": "//unsafe count by device\nSyslog\n| where Computer =~ 'sysloghost' \n| extend LogType= extract('^([a-xA-Z]*),',1,SyslogMessage ) \n| where LogType =~'Threat'\n| extend CylanceStatus= extract('Status: (.*?),',1,SyslogMessage)\n| where CylanceStatus =~'Unsafe'\n| extend DeviceName = extract('Device Name: (.*?),',1,SyslogMessage)\n| summarize count() by DeviceName \n| top 5 by count_ desc nulls last \n"
940 },
941 {
942 "name": "Version",
943 "value": "1.0"
944 },
945 {
946 "name": "DashboardId",
947 "value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CylanceDashboard_{Workspace_Name}"
948 },
949 {
950 "name": "PartId",
951 "value": "55fb4a5b-a9ce-4d64-9db4-1e113859f4ff"
952 },
953 {
954 "name": "PartTitle",
955 "value": "Analytics"
956 },
957 {
958 "name": "PartSubTitle",
959 "value": "{Workspace_Name}"
960 },
961 {
962 "name": "resourceTypeMode",
963 "value": "workspace"
964 },
965 {
966 "name": "ControlType",
967 "value": "AnalyticsGrid"
968 },
969 {
970 "name": "Dimensions",
971 "isOptional": true
972 },
973 {
974 "name": "TimeRange",
975 "value": "P1D"
976 },
977 {
978 "name": "SpecificChart",
979 "isOptional": true
980 }
981 ],
982 "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
983 "settings": {
984 "content": {
985 "PartTitle": "Top 5 devices with unsafe threats, by count",
986 "PartSubTitle": " ",
987 "Query": "//unsafe count by device\nSyslog\n| where Computer =~ 'sysloghost' \n| extend LogType= extract('^([a-xA-Z]*),',1,SyslogMessage ) \n| where LogType =~'Threat'\n| extend CylanceStatus= extract('Status: (.*?),',1,SyslogMessage)\n| where CylanceStatus =~'Unsafe'\n| extend DeviceName = extract('Device Name: (.*?),',1,SyslogMessage)\n| summarize StatusCount=count() by DeviceName \n| top 5 by StatusCount nulls last \n"
988 }
989 },
990 "asset": {
991 "idInputName": "ComponentId",
992 "type": "ApplicationInsights"
993 }
994 }
995 },
996 "15": {
997 "position": {
998 "x": 12,
999 "y": 15,
1000 "colSpan": 6,
1001 "rowSpan": 4
1002 },
1003 "metadata": {
1004 "inputs": [
1005 {
1006 "name": "ComponentId",
1007 "value": {
1008 "SubscriptionId": "{Subscription_Id}",
1009 "ResourceGroup": "{Resource_Group}",
1010 "Name": "{Workspace_Name}",
1011 "ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
1012 }
1013 },
1014 {
1015 "name": "Query",
1016 "value": "//malware type pie chart \nSyslog \n| where Computer =~ 'sysloghost' \n| extend LogType= extract('^([a-xA-Z]*),',1,SyslogMessage ) \n| where LogType =~'Threat' \n| extend FileType= extract('File Type: (.*?),',1,SyslogMessage) \n| summarize FileTypeCount=count() by FileType \n"
1017 },
1018 {
1019 "name": "Dimensions",
1020 "value": {
1021 "xAxis": {
1022 "name": "FileType",
1023 "type": "String"
1024 },
1025 "yAxis": [
1026 {
1027 "name": "FileTypeCount",
1028 "type": "Int64"
1029 }
1030 ],
1031 "splitBy": [],
1032 "aggregation": "Sum"
1033 }
1034 },
1035 {
1036 "name": "Version",
1037 "value": "1.0"
1038 },
1039 {
1040 "name": "DashboardId",
1041 "value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CylanceDashboard_{Workspace_Name}"
1042 },
1043 {
1044 "name": "PartId",
1045 "value": "4ec2c57b-16a4-4632-846f-e83c33c10e6f"
1046 },
1047 {
1048 "name": "PartTitle",
1049 "value": "Analytics"
1050 },
1051 {
1052 "name": "PartSubTitle",
1053 "value": "{Workspace_Name}"
1054 },
1055 {
1056 "name": "resourceTypeMode",
1057 "value": "workspace"
1058 },
1059 {
1060 "name": "ControlType",
1061 "value": "AnalyticsDonut"
1062 },
1063 {
1064 "name": "TimeRange",
1065 "value": "P1D"
1066 },
1067 {
1068 "name": "SpecificChart",
1069 "isOptional": true
1070 }
1071 ],
1072 "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
1073 "settings": {
1074 "content": {
1075 "PartTitle": "File type associated with threat, by count",
1076 "PartSubTitle": " "
1077 }
1078 },
1079 "asset": {
1080 "idInputName": "ComponentId",
1081 "type": "ApplicationInsights"
1082 }
1083 }
1084 },
1085 "16": {
1086 "position": {
1087 "x": 0,
1088 "y": 19,
1089 "colSpan": 18,
1090 "rowSpan": 1
1091 },
1092 "metadata": {
1093 "inputs": [],
1094 "type": "Extension/HubsExtension/PartType/MarkdownPart",
1095 "settings": {
1096 "content": {
1097 "settings": {
1098 "content": "<div style='font-size:300%;'>Cylance management</div> \n",
1099 "title": "",
1100 "subtitle": ""
1101 }
1102 }
1103 }
1104 }
1105 },
1106 "17": {
1107 "position": {
1108 "x": 0,
1109 "y": 20,
1110 "colSpan": 6,
1111 "rowSpan": 4
1112 },
1113 "metadata": {
1114 "inputs": [
1115 {
1116 "name": "ComponentId",
1117 "value": {
1118 "SubscriptionId": "{Subscription_Id}",
1119 "ResourceGroup": "{Resource_Group}",
1120 "Name": "{Workspace_Name}",
1121 "ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
1122 }
1123 },
1124 {
1125 "name": "Query",
1126 "value": "//Audit logs type\nSyslog\n| where Computer =~ 'sysloghost' \n| extend LogType= extract('^([a-xA-Z]*),',1,SyslogMessage ) \n| where LogType =~'AuditLog'\n| extend EventName = extract('Event Name: (.*?),',1,SyslogMessage ) \n| summarize EventType= count() by EventName\n"
1127 },
1128 {
1129 "name": "Version",
1130 "value": "1.0"
1131 },
1132 {
1133 "name": "DashboardId",
1134 "value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CylanceDashboard_{Workspace_Name}"
1135 },
1136 {
1137 "name": "PartId",
1138 "value": "3a902863-3cfc-41af-9832-bc18926c22bd"
1139 },
1140 {
1141 "name": "PartTitle",
1142 "value": "Analytics"
1143 },
1144 {
1145 "name": "PartSubTitle",
1146 "value": "{Workspace_Name}"
1147 },
1148 {
1149 "name": "resourceTypeMode",
1150 "value": "workspace"
1151 },
1152 {
1153 "name": "ControlType",
1154 "value": "AnalyticsGrid"
1155 },
1156 {
1157 "name": "Dimensions",
1158 "isOptional": true
1159 },
1160 {
1161 "name": "TimeRange",
1162 "value": "P1D"
1163 },
1164 {
1165 "name": "SpecificChart",
1166 "isOptional": true
1167 }
1168 ],
1169 "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
1170 "settings": {
1171 "content": {
1172 "PartTitle": "Audit event summary",
1173 "PartSubTitle": " ",
1174 "Query": "//Audit logs type\nSyslog\n| where Computer =~ 'sysloghost' \n| extend LogType= extract('^([a-xA-Z]*),',1,SyslogMessage ) \n| where LogType =~'AuditLog'\n| extend EventName = extract('Event Name: (.*?),',1,SyslogMessage ) \n| summarize EventCount= count() by EventName\n"
1175 }
1176 },
1177 "asset": {
1178 "idInputName": "ComponentId",
1179 "type": "ApplicationInsights"
1180 }
1181 }
1182 },
1183 "18": {
1184 "position": {
1185 "x": 6,
1186 "y": 20,
1187 "colSpan": 6,
1188 "rowSpan": 4
1189 },
1190 "metadata": {
1191 "inputs": [
1192 {
1193 "name": "ComponentId",
1194 "value": {
1195 "SubscriptionId": "{Subscription_Id}",
1196 "ResourceGroup": "{Resource_Group}",
1197 "Name": "{Workspace_Name}",
1198 "ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
1199 }
1200 },
1201 {
1202 "name": "Query",
1203 "value": "//Agent Version Across \nSyslog \n| where Computer =~ 'sysloghost' \n| extend AgentVersion= extract('Agent Version: (.*?),',1,SyslogMessage) \n| where AgentVersion !='' \n| extend DeviceName = extract('Device Name: (.*?),',1,SyslogMessage) \n| summarize DeviceCount=dcount(DeviceName) by AgentVersion \n"
1204 },
1205 {
1206 "name": "Version",
1207 "value": "1.0"
1208 },
1209 {
1210 "name": "DashboardId",
1211 "value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CylanceDashboard_{Workspace_Name}"
1212 },
1213 {
1214 "name": "PartId",
1215 "value": "591a1ebd-822d-4188-a3f8-63fe9d376c77"
1216 },
1217 {
1218 "name": "PartTitle",
1219 "value": "Analytics"
1220 },
1221 {
1222 "name": "PartSubTitle",
1223 "value": "{Workspace_Name}"
1224 },
1225 {
1226 "name": "resourceTypeMode",
1227 "value": "workspace"
1228 },
1229 {
1230 "name": "ControlType",
1231 "value": "AnalyticsGrid"
1232 },
1233 {
1234 "name": "Dimensions",
1235 "isOptional": true
1236 },
1237 {
1238 "name": "TimeRange",
1239 "value": "P1D"
1240 },
1241 {
1242 "name": "SpecificChart",
1243 "isOptional": true
1244 }
1245 ],
1246 "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
1247 "settings": {
1248 "content": {
1249 "PartTitle": "Agent version summary",
1250 "PartSubTitle": " "
1251 }
1252 },
1253 "asset": {
1254 "idInputName": "ComponentId",
1255 "type": "ApplicationInsights"
1256 }
1257 }
1258 },
1259 "19": {
1260 "position": {
1261 "x": 12,
1262 "y": 20,
1263 "colSpan": 6,
1264 "rowSpan": 4
1265 },
1266 "metadata": {
1267 "inputs": [
1268 {
1269 "name": "ComponentId",
1270 "value": {
1271 "SubscriptionId": "{Subscription_Id}",
1272 "ResourceGroup": "{Resource_Group}",
1273 "Name": "{Workspace_Name}",
1274 "ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalInsights/workspaces/{Workspace_Name}"
1275 }
1276 },
1277 {
1278 "name": "Query",
1279 "value": "//device logs\nSyslog\n| where Computer =~ 'sysloghost' \n| extend LogType= extract('^([a-xA-Z]*),',1,SyslogMessage ) \n| where LogType =~'Device'\n| extend EventName = extract('Event Name: (.*?),',1,SyslogMessage ) \n| summarize EventType= count() by EventName\n"
1280 },
1281 {
1282 "name": "Version",
1283 "value": "1.0"
1284 },
1285 {
1286 "name": "DashboardId",
1287 "value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/CylanceDashboard_{Workspace_Name}"
1288 },
1289 {
1290 "name": "PartId",
1291 "value": "1dc8e02e-d322-45fd-800e-07c9f889d64b"
1292 },
1293 {
1294 "name": "PartTitle",
1295 "value": "Analytics"
1296 },
1297 {
1298 "name": "PartSubTitle",
1299 "value": "{Workspace_Name}"
1300 },
1301 {
1302 "name": "resourceTypeMode",
1303 "value": "workspace"
1304 },
1305 {
1306 "name": "ControlType",
1307 "value": "AnalyticsGrid"
1308 },
1309 {
1310 "name": "Dimensions",
1311 "isOptional": true
1312 },
1313 {
1314 "name": "TimeRange",
1315 "value": "P1D"
1316 },
1317 {
1318 "name": "SpecificChart",
1319 "isOptional": true
1320 }
1321 ],
1322 "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
1323 "settings": {
1324 "content": {
1325 "PartTitle": "Device event summary",
1326 "PartSubTitle": " ",
1327 "Query": "//device logs\nSyslog\n| where Computer =~ 'sysloghost' \n| extend LogType= extract('^([a-xA-Z]*),',1,SyslogMessage ) \n| where LogType =~'Device'\n| extend EventName = extract('Event Name: (.*?),',1,SyslogMessage ) \n| summarize EventCount= count() by EventName\n"
1328 }
1329 },
1330 "asset": {
1331 "idInputName": "ComponentId",
1332 "type": "ApplicationInsights"
1333 }
1334 }
1335 },
1336 "20": {
1337 "position": {
1338 "x": 0,
1339 "y": 0,
1340 "colSpan": 1,
1341 "rowSpan": 1
1342 },
1343 "metadata": {
1344 "inputs": [
1345 {
1346 "name": "subscriptionId",
1347 "value": "{Subscription_Id}"
1348 },
1349 {
1350 "name": "resourceGroup",
1351 "value": "{Resource_Group}"
1352 },
1353 {
1354 "name": "workspaceName",
1355 "value": "{Workspace_Name}"
1356 },
1357 {
1358 "name": "menuItemToOpen",
1359 "value": "Dashboards"
1360 }
1361 ],
1362 "type": "Extension/Microsoft_Azure_Security_Insights/PartType/AsiOverviewPart",
1363 "defaultMenuItemId": "0"
1364 }
1365 }
1366 }
1367 }
1368 }
1369 }
1370}