{ "version": "Notebook/1.0", "items": [ { "type": 1, "content": { "json": "## Azure Key Vaults\n" }, "name": "text - 2" }, { "type": 9, "content": { "version": "KqlParameterItem/1.0", "crossComponentResources": [ "{Workspaces}" ], "parameters": [ { "id": "a0259937-eda6-430d-bf13-6c07bfd4e32b", "version": "KqlParameterItem/1.0", "name": "DefaultSubscription_Internal", "type": 1, "isRequired": true, "query": "where type =~ 'microsoft.operationalinsights/workspaces'\r\n| take 1\r\n| project subscriptionId", "crossComponentResources": [ "value::selected" ], "isHiddenWhenLocked": true, "timeContext": { "durationMs": 0 }, "timeContextFromParameter": "TimeRange", "queryType": 1, "resourceType": "microsoft.resourcegraph/resources" }, { "id": "84ca1870-93c6-4a43-a5fb-792886ab1eca", "version": "KqlParameterItem/1.0", "name": "TimeRange", "type": 4, "isRequired": true, "value": { "durationMs": 7776000000 }, "typeSettings": { "selectableValues": [ { "durationMs": 300000 }, { "durationMs": 900000 }, { "durationMs": 1800000 }, { "durationMs": 3600000 }, { "durationMs": 14400000 }, { "durationMs": 43200000 }, { "durationMs": 86400000 }, { "durationMs": 172800000 }, { "durationMs": 259200000 }, { "durationMs": 604800000 }, { "durationMs": 1209600000 }, { "durationMs": 2419200000 }, { "durationMs": 2592000000 }, { "durationMs": 5184000000 }, { "durationMs": 7776000000 } ], "allowCustom": true }, "timeContext": { "durationMs": 86400000 } }, { "id": "d213ef66-f7cd-4e8f-bd05-d7811577fb61", "version": "KqlParameterItem/1.0", "name": "Subscription", "type": 6, "isRequired": true, "multiSelect": true, "quote": "'", "delimiter": ",", "query": "summarize by subscriptionId\r\n| project value = strcat("/subscriptions/", subscriptionId), label = subscriptionId, selected = iff(subscriptionId =~ '{DefaultSubscription_Internal}', true, false)\r\n", "crossComponentResources": [ "value::selected" ], "typeSettings": { "additionalResourceOptions": [ "value::all" ], "showDefault": false }, 
"timeContext": { "durationMs": 0 }, "timeContextFromParameter": "TimeRange", "queryType": 1, "resourceType": "microsoft.resourcegraph/resources" }, { "id": "3d0a03f2-3edd-45a0-9113-76be5d9c81d2", "version": "KqlParameterItem/1.0", "name": "Workspaces", "type": 5, "isRequired": true, "multiSelect": true, "quote": "'", "delimiter": ",", "query": "where type =~ 'microsoft.operationalinsights/workspaces'\r\n| where strcat('/subscriptions/',subscriptionId) in ({Subscription})\r\n| project id", "crossComponentResources": [ "value::selected" ], "value": [ "value::all" ], "typeSettings": { "additionalResourceOptions": [ "value::all" ], "showDefault": false }, "timeContext": { "durationMs": 0 }, "timeContextFromParameter": "TimeRange", "queryType": 1, "resourceType": "microsoft.resourcegraph/resources" }, { "id": "50862310-e38b-4c56-9475-de85c7f1e78b", "version": "KqlParameterItem/1.0", "name": "KeyVault", "type": 5, "isRequired": true, "multiSelect": true, "quote": "'", "delimiter": ",", "query": "where type =~ 'microsoft.keyvault/vaults'\r\n| where strcat('/subscriptions/',subscriptionId) in ({Subscription})\r\n| project id=tolower(id)", "crossComponentResources": [ "{Workspaces}" ], "value": [ "value::all" ], "typeSettings": { "additionalResourceOptions": [ "value::all" ], "showDefault": false }, "timeContext": { "durationMs": 0 }, "timeContextFromParameter": "TimeRange", "queryType": 1, "resourceType": "microsoft.resourcegraph/resources" } ], "style": "pills", "queryType": 1, "resourceType": "microsoft.resourcegraph/resources" }, "name": "parameters - 1" }, { "type": 11, "content": { "version": "LinkItem/1.0", "style": "tabs", "links": [ { "id": "0d07fb2d-b76e-4e9d-8a68-894237cadec4", "cellValue": "mainTab", "linkTarget": "parameter", "linkLabel": "Azure Defender for Key Vault alerts", "subTarget": "alerts", "style": "link" }, { "id": "918a3880-2818-48e0-8fae-b31c3020e22c", "cellValue": "mainTab", "linkTarget": "parameter", "linkLabel": "Analytics over Key Vault 
events", "subTarget": "diagnostics", "style": "link" }, { "id": "590e729d-bf07-4670-8bbe-709f9d03a774", "cellValue": "mainTab", "linkTarget": "parameter", "linkLabel": "Key Vault monitoring", "subTarget": "monitor", "style": "link" } ] }, "name": "links - 6" }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "items": [ { "type": 1, "content": { "json": "## Diagnostic logs coverage" }, "name": "text - 0" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "union withsource=TableName \r\n| where _TableName == "AzureDiagnostics" and Category == "AuditEvent" and ResourceType == "VAULTS"\r\n| summarize count() by ResourceId = tolower(ResourceId)\r\n| summarize logsKVs = make_set(ResourceId)\r\n| extend selectedKVs = "[{KeyVault}]"\r\n| extend selectedKVs = replace("'", '"', selectedKVs)\r\n| extend selectedKVs = todynamic(selectedKVs)\r\n| mv-expand KVId = selectedKVs\r\n| project KVId = toupper(tostring(KVId)), ["Diagnostic logs"] = (logsKVs has tostring(KVId))\r\n| extend ["Diagnostic settings"] = iff(["Diagnostic logs"] == false, strcat("https://ms.portal.azure.com/#@microsoft.onmicrosoft.com/resource", KVId, "/diagnostics"), "")\r\n| order by ["Diagnostic settings"] desc\r\n", "size": 0, "timeContext": { "durationMs": 7776000000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspaces}" ], "gridSettings": { "formatters": [ { "columnMatch": "Diagnostic logs", "formatter": 18, "formatOptions": { "thresholdsOptions": "icons", "thresholdsGrid": [ { "operator": "==", "thresholdValue": "false", "representation": "4", "text": "" }, { "operator": "Default", "thresholdValue": null, "representation": "success", "text": "" } ] } }, { "columnMatch": "Diagnostic settings", "formatter": 7, "formatOptions": { "linkTarget": "Url" } } ], "filter": true } }, "customWidth": "60", "name": "query - 1" }, { "type": 3, "content": { 
"version": "KqlItem/1.0", "query": "union withsource=TableName *\r\n| where TableName == "AzureDiagnostics" and Category == "AuditEvent" and ResourceType == "VAULTS"\r\n| summarize count() by ResourceId = tolower(ResourceId)\r\n| summarize logsKVs = make_set(ResourceId)\r\n| extend selectedKVs = "[{KeyVault}]"\r\n| extend selectedKVs = replace("'", '"', selectedKVs)\r\n| extend selectedKVs = todynamic(selectedKVs)\r\n| mv-expand KVId = selectedKVs\r\n| project KVId = toupper(tostring(KVId)),isDiag = (logsKVs has tostring(KVId))\r\n| summarize KeyVaults = count() by isDiag\r\n| project KeyVaults, ['Diagnostic logs for Key Vaults'] = iif(isDiag,'Diagnostic logs collected','Diagnostic logs not collected')\r\n", "size": 0, "timeContext": { "durationMs": 7776000000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspaces}" ], "visualization": "piechart" }, "customWidth": "40", "name": "query - 2" } ] }, "conditionalVisibility": { "parameterName": "mainTab", "comparison": "isEqualTo", "value": "diagnostics" }, "name": "group - 7", "styleSettings": { "showBorder": true } }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "items": [ { "type": 1, "content": { "json": "## Key vault activity baselines and deviations" }, "name": "text - 0" }, { "type": 9, "content": { "version": "KqlParameterItem/1.0", "parameters": [ { "id": "48d47b0d-e3f3-420c-9427-d52a8afb0f0e", "version": "KqlParameterItem/1.0", "name": "BaselineTimeRange", "type": 4, "isRequired": true, "value": { "durationMs": 1209600000 }, "typeSettings": { "selectableValues": [ { "durationMs": 300000 }, { "durationMs": 900000 }, { "durationMs": 1800000 }, { "durationMs": 3600000 }, { "durationMs": 14400000 }, { "durationMs": 43200000 }, { "durationMs": 86400000 }, { "durationMs": 172800000 }, { "durationMs": 259200000 }, { "durationMs": 604800000 }, { "durationMs": 1209600000 }, { 
"durationMs": 2419200000 }, { "durationMs": 2592000000 }, { "durationMs": 5184000000 }, { "durationMs": 7776000000 } ], "allowCustom": true }, "timeContext": { "durationMs": 86400000 } } ], "style": "pills", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "name": "parameters - 1" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AzureDiagnostics\r\n| where TimeGenerated > {BaselineTimeRange:start}\r\n| where ResourceType == "VAULTS"\r\n| where Category == "AuditEvent"\r\n| where tolower(ResourceId) in ({KeyVault})\r\n| summarize DailyCount = count() by ResourceId, bin_at(TimeGenerated, 1d, now())\r\n| make-series metric = sum(DailyCount) on TimeGenerated in range({BaselineTimeRange:start}, now()-1d, 1d) by ResourceId\r\n| extend series_decompose_anomalies(metric) // Anomaly detection\r\n| project ResourceId, day = (TimeGenerated), DailyCounts = metric, AnomalyScore = series_decompose_anomalies_metric_ad_score\r\n| extend MaxAnomalyScore = AnomalyScore, MinAnomalyScore = AnomalyScore, AnomlyScoreTrend = AnomalyScore\r\n| mv-apply MaxAnomalyScore to typeof(real) on (top 1 by MaxAnomalyScore desc)\r\n| mv-apply MinAnomalyScore to typeof(real) on (top 1 by MinAnomalyScore asc)\r\n| mv-expand with_itemindex=Index AnomalyScore\r\n| where Index == array_length(DailyCounts)-1\r\n| project-away day, Index\r\n| extend AnomalyScoreAbs = abs(toreal(AnomalyScore))\r\n| extend WasAnomalous = iif(MaxAnomalyScore > 3 or MinAnomalyScore < -3, true, false)\r\n| extend Anomalous = iif(AnomalyScoreAbs > 3, true, false)\r\n| order by AnomalyScoreAbs desc\r\n\r\n", "size": 0, "title": "Daily anomaly scores, by key vault", "exportFieldName": "ResourceId", "exportParameterName": "SelectedResource", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspaces}" ], "gridSettings": { "formatters": [ { "columnMatch": "DailyCounts", "formatter": 9, "formatOptions": { "palette": "blue" } }, { 
"columnMatch": "AnomalyScore", "formatter": 18, "formatOptions": { "thresholdsOptions": "icons", "thresholdsGrid": [ { "operator": "startsWith", "thresholdValue": "-", "representation": "trenddown", "text": "{0}{1}" }, { "operator": "==", "thresholdValue": "0", "representation": "right", "text": "{0}{1}" }, { "operator": "Default", "thresholdValue": null, "representation": "trendup", "text": "{0}{1}" } ] }, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": false } } }, { "columnMatch": "MaxAnomalyScore", "formatter": 5 }, { "columnMatch": "MinAnomalyScore", "formatter": 5 }, { "columnMatch": "AnomlyScoreTrend", "formatter": 9, "formatOptions": { "palette": "orange" } }, { "columnMatch": "AnomalyScoreAbs", "formatter": 5 }, { "columnMatch": "WasAnomalous", "formatter": 18, "formatOptions": { "thresholdsOptions": "icons", "thresholdsGrid": [ { "operator": "==", "thresholdValue": "true", "representation": "2", "text": "" }, { "operator": "==", "thresholdValue": "false", "representation": "Blank", "text": "" }, { "operator": "Default", "thresholdValue": null, "representation": "success", "text": "{0}{1}" } ] }, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": false } } }, { "columnMatch": "Anomalous", "formatter": 18, "formatOptions": { "thresholdsOptions": "icons", "thresholdsGrid": [ { "operator": "==", "thresholdValue": "true", "representation": "Important", "text": "" }, { "operator": "==", "thresholdValue": "false", "representation": "Blank", "text": "" }, { "operator": "Default", "thresholdValue": null, "representation": "success", "text": "{0}{1}" } ] } } ], "filter": true, "labelSettings": [ { "columnId": "ResourceId" }, { "columnId": "AnomalyScore", "label": "Anomaly Score" }, { "columnId": "AnomlyScoreTrend", "label": "Anomaly trend" }, { "columnId": "AnomalyScoreAbs" }, { "columnId": "WasAnomalous", "label": "Historical anomaly" } ] }, "chartSettings": { "yAxis": [ "AnomalyScore" ] } }, "name": "query - 
2" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AzureDiagnostics\r\n| where TimeGenerated > {BaselineTimeRange:start}\r\n| where ResourceType == "VAULTS"\r\n| where Category == "AuditEvent"\r\n| where tolower(ResourceId) == tolower('{SelectedResource}')\r\n| summarize DailyCount = count() by ResourceId, bin_at(TimeGenerated, 1d, now())\r\n| make-series metric = sum(DailyCount) on TimeGenerated in range({BaselineTimeRange:start}, now()-1d, 1d) by ResourceId\r\n| extend series_decompose_anomalies(metric) // Anomaly detection\r\n| project ResourceId, day = (TimeGenerated), DailyCounts = metric, AnomalyScore = series_decompose_anomalies_metric_ad_score\r\n", "size": 0, "title": "Daily activity over time for the selected key vault (from the list above)", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspaces}" ], "visualization": "timechart", "chartSettings": { "yAxis": [ "DailyCounts" ], "ySettings": { "numberFormatSettings": { "unit": 0, "options": { "style": "decimal", "useGrouping": true } } } } }, "customWidth": "50", "name": "query - 2 - Copy" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AzureDiagnostics\r\n| where TimeGenerated > {BaselineTimeRange:start}\r\n| where ResourceType == "VAULTS"\r\n| where Category == "AuditEvent"\r\n| where tolower(ResourceId) == tolower('{SelectedResource}')\r\n| summarize DailyCount = count() by ResourceId, bin_at(TimeGenerated, 1d, now())\r\n| make-series metric = sum(DailyCount) on TimeGenerated in range({BaselineTimeRange:start}, now()-1d, 1d) by ResourceId\r\n| extend series_decompose_anomalies(metric) // Anomaly detection\r\n| project ResourceId, day = (TimeGenerated), DailyCounts = metric, AnomalyScore = series_decompose_anomalies_metric_ad_score\r\n", "size": 0, "title": "Anomaly score over time for the selected key vault (from the list above)", "color": "orange", "queryType": 0, "resourceType": 
"microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspaces}" ], "visualization": "timechart", "chartSettings": { "yAxis": [ "AnomalyScore" ], "ySettings": { "numberFormatSettings": { "unit": 0, "options": { "style": "decimal", "useGrouping": true } } } } }, "customWidth": "50", "name": "query - 2 - Copy - Copy" } ] }, "conditionalVisibility": { "parameterName": "mainTab", "comparison": "isEqualTo", "value": "diagnostics" }, "name": "baselines", "styleSettings": { "showBorder": true } }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "items": [ { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "items": [ { "type": 1, "content": { "json": "## Azure Defender for Key Vaults coverage" }, "name": "text - 9" }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "items": [ { "type": 3, "content": { "version": "KqlItem/1.0", "query": "datatable (Event:string)\r\n ["AKV Workbook"]\r\n| extend keyvault = (strcat("[", "{KeyVault}", "]"))\r\n| extend keyvault = todynamic(replace("'", '"', keyvault))\r\n| mvexpand keyvault\r\n| extend subscriptionId = extract(@"/subscriptions/([^/]+)", 1, tostring(keyvault))\r\n| summarize AKVs = count() by subscriptionId, DefenderForKV = 0\r\n| union\r\n(\r\nsecurityresources\r\n| where type =~ "microsoft.security/pricings"\r\n| where name == "KeyVaults"\r\n| project DefenderForKV = iif(properties.pricingTier == 'Standard', 1, 0), AKVs = 0, subscriptionId\r\n)\r\n| summarize AKVs = sum(AKVs), DefenderForKV = sum(DefenderForKV) by subscriptionId\r\n| project Subscription = strcat('/subscriptions/', subscriptionId), ["Kay Vaults"] = AKVs, ['Defender for Key Vault'] = iif(DefenderForKV > 0,'yes','no'), ['Onboard Azure Defender'] = iif(DefenderForKV > 0, '', 'https://ms.portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/26')\r\n| order by ['Defender for Key Vault'] asc\r\n ", "size": 0, "title": 
"Subscriptions covered by Azure Defender for Key Vault", "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", "gridSettings": { "formatters": [ { "columnMatch": "Defender for Key Vault", "formatter": 18, "formatOptions": { "thresholdsOptions": "icons", "thresholdsGrid": [ { "operator": "==", "thresholdValue": "no", "representation": "4", "text": "" }, { "operator": "Default", "thresholdValue": null, "representation": "success", "text": "" } ] } }, { "columnMatch": "Onboard Azure Defender", "formatter": 7, "formatOptions": { "linkTarget": "Url" } } ] } }, "customWidth": "50", "name": "query - 3" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "datatable (Event:string)\r\n ["AKV Workbook"]\r\n| extend keyvaults = (strcat("[", "{KeyVault}", "]"))\r\n| extend keyvaults = todynamic(replace("'", '"', keyvaults))\r\n| mvexpand keyvaults\r\n| extend subscriptionId = extract(@"/subscriptions/([^/]+)", 1, tostring(keyvaults))\r\n| summarize AKVs = count() by subscriptionId, DefenderForKV = 0\r\n| union\r\n(\r\nsecurityresources\r\n| where type =~ "microsoft.security/pricings"\r\n| where name == "KeyVaults"\r\n| project DefenderForKV = iif(properties.pricingTier == 'Standard', 1, 0), AKVs = 0, subscriptionId\r\n)\r\n| summarize AKVs = sum(AKVs), DefenderForKV = sum(DefenderForKV) by subscriptionId\r\n| project Subscription = 1, ['Defender for Key Vault'] = iif(DefenderForKV > 0,'Protected by Azure Defender','Not protected by Azure Defender')", "size": 0, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", "visualization": "piechart" }, "customWidth": "50", "name": "query - 4" } ] }, "name": "group - 7" }, { "type": 1, "content": { "json": "## Azure Defender for Key Vaults alerts" }, "name": "text - 9 - Copy" }, { "type": 9, "content": { "version": "KqlParameterItem/1.0", "crossComponentResources": [ "{Workspaces}" ], "parameters": [ { "id": "66a39242-f029-479f-b90e-a0249f4ae27b", "version": "KqlParameterItem/1.0", "name": 
"AlertSeverity", "type": 2, "isRequired": true, "multiSelect": true, "quote": "'", "delimiter": ",", "query": "SecurityAlert\r\n| where AlertType startswith "KV"\r\n| summarize Count = count() by AlertSeverity\r\n| order by Count desc, AlertSeverity asc\r\n| project Value = AlertSeverity, Label = strcat(AlertSeverity, ' - ', Count)\r\n", "crossComponentResources": [ "{Workspaces}" ], "value": [ "value::all" ], "typeSettings": { "additionalResourceOptions": [ "value::all" ], "showDefault": false }, "timeContext": { "durationMs": 0 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" } ], "style": "pills", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "name": "parameters - 6" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "let data = SecurityAlert\r\n| where "{AlertSeverity:lable}" == "All" or AlertSeverity in ({AlertSeverity})\r\n| where AlertType startswith "KV"\r\n| where tolower(ResourceId) in ({KeyVault});\r\ndata\r\n| summarize Count = count() by AlertSeverity\r\n| join kind = inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by AlertSeverity)\r\n on AlertSeverity\r\n | project-away TimeGenerated\r\n| extend AlertSeveritys = AlertSeverity\r\n| union (\r\n data \r\n | summarize Count = count() \r\n | extend jkey = 1\r\n | join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\r\n | extend jkey = 1) on jkey\r\n | extend AlertSeverity = 'All', AlertSeveritys = '' \r\n)\r\n| extend Severity = iif(AlertSeverity == "All", 0,iif(AlertSeverity == "High", 1, iif(AlertSeverity == "Medium", 2, iif(AlertSeverity == "Low", 3, 4))))\r\n| order by Severity asc\r\n", "size": 3, "timeContext": { "durationMs": 7776000000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, 
"resourceType": "microsoft.operationalinsights/workspaces", "visualization": "tiles", "tileSettings": { "titleContent": { "columnMatch": "AlertSeverity", "formatter": 1 }, "leftContent": { "columnMatch": "Count", "formatter": 12, "formatOptions": { "palette": "auto" }, "numberFormat": { "unit": 17, "options": { "style": "decimal", "useGrouping": false, "maximumFractionDigits": 2, "maximumSignificantDigits": 3 } } }, "secondaryContent": { "columnMatch": "Trend", "formatter": 9, "formatOptions": { "palette": "blue" } }, "showBorder": false } }, "name": "query - 5" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "SecurityAlert\r\n| where AlertType startswith "KV"\r\n| where tolower(ResourceId) in ({KeyVault})\r\n| where AlertSeverity in ({AlertSeverity})\r\n| summarize AlertCount = count() by ResourceId\r\n| project Resource = tolower(ResourceId), AlertCount\r\n| order by AlertCount desc\r\n", "size": 0, "timeContext": { "durationMs": 7776000000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspaces}" ], "visualization": "table", "gridSettings": { "formatters": [ { "columnMatch": "AlertCount", "formatter": 3, "formatOptions": { "palette": "blue" } }, { "columnMatch": "ResourceId", "formatter": 1 }, { "columnMatch": "x", "formatter": 1 } ] } }, "customWidth": "30", "name": "query - 5" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "SecurityAlert\r\n| where TimeGenerated {TimeRange}\r\n| where "{AlertSeverity}" has AlertSeverity or isempty("{AlertSeverity}")\r\n| where AlertType startswith "KV_"\r\n| where ResourceId in ({KeyVault})\r\n| make-series Count=count() on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by ResourceId\r\n//| summarize Count=count() by ResourceId, bin(TimeGenerated,{TimeRange:grain})\r\n", "size": 0, "title": "Key vault alerts", "noDataMessage": "No alerts from Azure Defender 
for Key Vaults", "timeContext": { "durationMs": 7776000000 }, "timeContextFromParameter": "TimeRange", "timeBrushParameterName": "TimeRangeFilter", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspaces}" ], "visualization": "timechart" }, "customWidth": "70", "name": "query - 9" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "let Incidents = SecurityIncident\r\n| project AlertIds, IncidentUrl\r\n|mv-expand AlertId = AlertIds\r\n| extend AlertId = tostring(AlertId);\r\nSecurityAlert\r\n| where TimeGenerated between ({TimeRangeFilter:start} .. ({TimeRangeFilter:end} + {TimeRange:grain}))\r\n| where AlertType startswith "KV_"\r\n| where ResourceId in ({KeyVault})\r\n| where AlertSeverity in ({AlertSeverity})\r\n| project TimeGenerated, ResourceId, AlertSeverity, DisplayName, AlertLink, AlertId=tostring(SystemAlertId)\r\n| order by TimeGenerated desc\r\n| join kind=leftouter Incidents on AlertId\r\n| project-away AlertIds, AlertId1\r\n| project TimeGenerated, ResourceId, AlertSeverity, DisplayName, ['Azure Defender Alert'] = AlertLink, Incident = IncidentUrl, AlertId\r\n", "size": 0, "title": "Key vault alerts", "timeContext": { "durationMs": 7776000000 }, "timeContextFromParameter": "TimeRange", "exportFieldName": "AlertId", "exportParameterName": "SelectedAlertId", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspaces}" ], "gridSettings": { "formatters": [ { "columnMatch": "Azure Defender Alert", "formatter": 7, "formatOptions": { "linkTarget": "Url", "linkLabel": "Go to alert" } }, { "columnMatch": "Incident", "formatter": 7, "formatOptions": { "linkTarget": "Url", "linkLabel": "" } }, { "columnMatch": "AlertId", "formatter": 5 } ], "filter": true, "sortBy": [ { "itemKey": "DisplayName", "sortOrder": 2 } ] }, "sortBy": [ { "itemKey": "DisplayName", "sortOrder": 2 } ] }, "name": "query - 15 - Copy - Copy - Copy" }, { "type": 
3, "content": { "version": "KqlItem/1.0", "query": "let data = SecurityAlert\r\n| where AlertType startswith "KV_"\r\n| where SystemAlertId == '{SelectedAlertId}';\r\nlet nodes = data\r\n| project Id = SystemAlertId, Name = DisplayName, Size = 1, Kind = 'alert'\r\n| union (\r\ndata \r\n| project parse_json(Entities), SystemAlertId\r\n| mv-expand Entities\r\n| evaluate bag_unpack(Entities)\r\n| project Id = strcat(SystemAlertId, '-',$id), Name = strcat(ResourceId,Address,AadUserId), Size = 1, Kind = Type\r\n);\r\nlet links = data\r\n| project parse_json(Entities), SystemAlertId\r\n| mv-expand Entities\r\n| evaluate bag_unpack(Entities)\r\n| project SourceId = SystemAlertId, TargetId = strcat(SystemAlertId, '-', $id), Size = 1, Kind = Type;\r\nnodes | union (links)\r\n", "size": 2, "title": "Alert and entity graph (choose an alert from the list above)", "timeContext": { "durationMs": 7776000000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspaces}" ], "visualization": "graph", "gridSettings": { "formatters": [ { "columnMatch": "Name", "formatter": 1 } ] }, "graphSettings": { "type": 0, "topContent": { "columnMatch": "Name", "formatter": 13, "formatOptions": { "linkTarget": null, "showIcon": true }, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": false } }, "tooltipFormat": { "tooltip": "{0}" } }, "centerContent": { "columnMatch": "Kind", "formatter": 16, "formatOptions": { "showIcon": true }, "numberFormat": { "unit": 17, "options": { "style": "decimal", "maximumFractionDigits": 2, "maximumSignificantDigits": 3 } } }, "nodeIdField": "Id", "sourceIdField": "SourceId", "targetIdField": "TargetId", "graphOrientation": 3, "showOrientationToggles": false, "edgeSize": "Size", "edgeLabel": "Kind", "nodeSize": null, "staticNodeSize": 100, "colorSettings": { "nodeColorField": "Kind", "type": 1, "colorPalette": "default" }, "hivesMargin": 5 } 
}, "name": "query - 6", "styleSettings": { "showBorder": true } } ] }, "conditionalVisibility": { "parameterName": "mainTab", "comparison": "isEqualTo", "value": "alerts" }, "name": "group - 10", "styleSettings": { "showBorder": true } } ] }, "conditionalVisibility": { "parameterName": "mainTab", "comparison": "isEqualTo", "value": "alerts" }, "name": "defenderAlertsTabGroup" }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "items": [ { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "items": [ { "type": 1, "content": { "json": "## Event analysis" }, "name": "text - 1" }, { "type": 11, "content": { "version": "LinkItem/1.0", "style": "tabs", "links": [ { "id": "4a61e462-17aa-45db-aace-0ef094245a1c", "cellValue": "selectedEvents", "linkTarget": "parameter", "linkLabel": "All events", "subTarget": "allEvents", "preText": "All events", "style": "primary" }, { "id": "dbb78084-c5b8-42aa-bc03-e55dd51736b0", "cellValue": "selectedEvents", "linkTarget": "parameter", "linkLabel": "Failed events", "subTarget": "failedEvents", "preText": "Failed events", "style": "primary" } ] }, "name": "links - 2 - Copy" }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "items": [ { "type": 11, "content": { "version": "LinkItem/1.0", "style": "tabs", "links": [ { "id": "06733059-20fd-4155-87ed-18f1c3edbe36", "cellValue": "selectedTab", "linkTarget": "parameter", "linkLabel": "by key vault", "subTarget": "byKeyVault", "style": "link" }, { "id": "35cfd3e6-719d-4ae9-8432-cc308836aafe", "cellValue": "selectedTab", "linkTarget": "parameter", "linkLabel": "by caller IP", "subTarget": "byCallerIP", "style": "link" }, { "id": "d689a024-0d16-465a-bec4-39aa82912058", "cellValue": "selectedTab", "linkTarget": "parameter", "linkLabel": "by identity", "subTarget": "byIdentity", "style": "link" }, { "id": "1373e323-a457-4371-9382-ba5271996edf", "cellValue": "selectedTab", "linkTarget": 
"parameter", "linkLabel": "by operation", "subTarget": "byOperation", "style": "link" } ] }, "name": "links - 0" }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "items": [ { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AzureDiagnostics\r\n| where ResourceType == "VAULTS"\r\n| where Category == "AuditEvent"\r\n| where tolower(ResourceId) in ({KeyVault})\r\n| summarize Count = count() by Resource, bin(TimeGenerated,{TimeRange:grain})", "size": 0, "title": "Events, by key vault", "timeContext": { "durationMs": 7776000000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspaces}" ], "visualization": "timechart" }, "name": "Events, by key vault" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AzureDiagnostics\r\n| where ResourceType == "VAULTS"\r\n| where Category == "AuditEvent"\r\n| where tolower(ResourceId) in ({KeyVault})\r\n| summarize EventCount=count() by Resource\r\n| order by EventCount desc", "size": 0, "title": "Activity, by key vault", "timeContext": { "durationMs": 7776000000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspaces}" ], "gridSettings": { "formatters": [ { "columnMatch": "EventCount", "formatter": 3, "formatOptions": { "palette": "blue" } } ] } }, "customWidth": "60", "name": "Activity, by key vault" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AzureDiagnostics\r\n| where ResourceType == "VAULTS"\r\n| where Category == "AuditEvent"\r\n| where tolower(ResourceId) in ({KeyVault})\r\n| summarize EventCount=count() by Resource", "size": 0, "title": "Events, by key vault distribution", "timeContext": { "durationMs": 7776000000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", 
"crossComponentResources": [ "{Workspaces}" ], "visualization": "piechart" }, "customWidth": "40", "name": "Events, by key vault distribution" } ] }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "byKeyVault" }, "name": "AllEvents-ByKeyVault-Group" }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "items": [ { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AzureDiagnostics\r\n| where ResourceType == "VAULTS"\r\n| where Category == "AuditEvent"\r\n| where tolower(ResourceId) in ({KeyVault})\r\n| summarize Count = count() by CallerIPAddress, bin(TimeGenerated,{TimeRange:grain})", "size": 0, "title": "Events, by Caller IP", "timeContext": { "durationMs": 0 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspaces}" ], "visualization": "timechart" }, "name": "Events, by Caller IP" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "let AlertIPs = SecurityAlert\r\n| project parse_json(Entities), AlertLink, SystemAlertId\r\n| mv-expand Entities\r\n| extend parse_json(Entities)\r\n| mv-expand Entities\r\n| where Entities has 'Address'\r\n| project IP = tostring(split(split(Entities, 'Address":"')[1], '"')[0]), AlertLink, AlertId = tostring(SystemAlertId);\r\nlet Incidents = SecurityIncident\r\n| project AlertIds, Title, Severity, IncidentUrl\r\n|mv-expand AlertId = AlertIds\r\n| extend AlertId = tostring(AlertId);\r\nAzureDiagnostics\r\n| where ResourceType == "VAULTS"\r\n| where Category == "AuditEvent"\r\n| where tolower(ResourceId) in ({KeyVault})\r\n| summarize EventCount=count() by IP = tostring(CallerIPAddress)\r\n| join kind=leftouter AlertIPs on IP\r\n| project-away IP1\r\n| order by EventCount desc\r\n| join kind=leftouter Incidents on AlertId\r\n| project-away AlertIds, AlertId1\r\n| extend Incident = IncidentUrl\r\n| summarize ['Related incidents'] 
= count(Incident != '') by IP, EventCount\r\n| order by ['Related incidents'], EventCount desc\r\n", "size": 0, "title": "Activity by Caller IP", "timeContext": { "durationMs": 0 }, "timeContextFromParameter": "TimeRange", "exportFieldName": "IP", "exportParameterName": "SelectedIP", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspaces}" ], "gridSettings": { "formatters": [ { "columnMatch": "EventCount", "formatter": 3, "formatOptions": { "palette": "blue" } }, { "columnMatch": "Related incidents", "formatter": 3, "formatOptions": { "palette": "redDark" } } ] }, "sortBy": [] }, "customWidth": "60", "name": "Activity by Caller IP" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AzureDiagnostics\r\n| where ResourceType == "VAULTS"\r\n| where Category == "AuditEvent"\r\n| where tolower(ResourceId) in ({KeyVault})\r\n| summarize EventCount=count() by CallerIPAddress", "size": 0, "title": "Events, by Caller IP distribution", "timeContext": { "durationMs": 0 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspaces}" ], "visualization": "piechart" }, "customWidth": "40", "name": "Events, by Caller IP distribution" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "let AlertIPs = SecurityAlert\r\n| extend parse_json(Entities), AlertLink, SystemAlertId, AlertType\r\n| mv-expand Entities\r\n| extend parse_json(Entities)\r\n| mv-expand Entities\r\n| where Entities has 'Address'\r\n| project IP = tostring(split(split(Entities, 'Address":"')[1], '"')[0]), TimeGenerated, DisplayName, Description, ProductName, AlertLink, AlertSeverity, AlertId = tostring(SystemAlertId);\r\nlet Incidents = SecurityIncident\r\n| project AlertIds, Title, Severity, IncidentUrl\r\n|mv-expand AlertId = AlertIds\r\n| extend AlertId = tostring(AlertId);\r\nAlertIPs\r\n| where IP in ('{SelectedIP}')\r\n| 
join kind=leftouter Incidents on AlertId\r\n| project-away AlertIds, AlertId1\r\n| project TimeGenerated, Title, ProductName, Severity, Incident = IncidentUrl\r\n| where isempty(Incident) == false", "size": 0, "title": "Incidents involving the selected Caller IP (selected above)", "timeContext": { "durationMs": 0 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspaces}" ], "gridSettings": { "formatters": [ { "columnMatch": "Incident", "formatter": 7, "formatOptions": { "linkTarget": "Url" } } ] } }, "name": "Incidents involving the selected Caller IP" } ] }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "byCallerIP" }, "name": "AllEvents-ByCallerIP-Group" }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "items": [ { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AzureDiagnostics\r\n| where ResourceType == "VAULTS"\r\n| where Category == "AuditEvent"\r\n| where tolower(ResourceId) in ({KeyVault})\r\n| extend User = identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s\r\n| extend ObjectId = identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\r\n| extend ApplicationId = identity_claim_appid_g\r\n| summarize Count = count() by Identity = iff(isempty(User), ObjectId, User) , bin(TimeGenerated,{TimeRange:grain})", "size": 0, "title": "Events, by Identity", "timeContext": { "durationMs": 0 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspaces}" ], "visualization": "timechart" }, "name": "Events, by Identity" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "let AlertIDs = SecurityAlert\r\n| project parse_json(Entities), AlertLink, SystemAlertId, TimeGenerated\r\n| mv-expand Entities\r\n| extend 
parse_json(Entities)\r\n| mv-expand Entities\r\n| where Entities has 'AadUserId'\r\n| project ID = tostring(split(split(Entities, 'AadUserId":"')[1], '"')[0]), TimeGenerated, AlertLink, AlertId = SystemAlertId;\r\nlet Incidents = SecurityIncident\r\n| project AlertIds, IncidentUrl\r\n|mv-expand AlertId = AlertIds\r\n| extend AlertId = tostring(AlertId);\r\nAzureDiagnostics\r\n| where ResourceType == "VAULTS"\r\n| where Category == "AuditEvent"\r\n| where tolower(ResourceId) in ({KeyVault})\r\n| extend User = identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s\r\n| extend ObjectId = identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\r\n| extend ApplicationId = identity_claim_appid_g\r\n| where isempty(ObjectId) == false or isempty(User) == false or isempty(ApplicationId) == false\r\n| extend ID = iif(isempty(ObjectId), ApplicationId, ObjectId)\r\n//| summarize EventCount=count() by Identity = iif(isempty(User),iif(isempty(ObjectId), ApplicationId, ObjectId), User), Identifier = iif(isempty(User),iif(isempty(ObjectId), 'AppId', 'ObjectId'), 'User'), ID\r\n| summarize EventCount=count() by Identity = iif(isempty(ObjectId), ApplicationId, ObjectId), Identifier = iif(isempty(User),iif(isempty(ObjectId), 'AppId', 'ObjectId'), 'User'), User, ID\r\n| join kind=leftouter AlertIDs on ID\r\n| project-away ID, ID1\r\n| order by EventCount desc\r\n| join kind=leftouter Incidents on AlertId\r\n| project-away AlertIds, AlertId1\r\n| extend Incident = IncidentUrl\r\n| summarize ['Related incidents'] = count(Incident != '') by Identity, Identifier, User, EventCount\r\n| order by ['Related incidents'], EventCount desc\r\n", "size": 0, "title": "Activity, by Identity", "timeContext": { "durationMs": 0 }, "timeContextFromParameter": "TimeRange", "exportFieldName": "Identity", "exportParameterName": "SelectedID", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspaces}" ], 
"gridSettings": { "formatters": [ { "columnMatch": "EventCount", "formatter": 3, "formatOptions": { "palette": "blue" } }, { "columnMatch": "Related incidents", "formatter": 3, "formatOptions": { "palette": "redDark" } } ], "sortBy": [ { "itemKey": "$gen_bar_Related incidents_4", "sortOrder": 2 } ] }, "sortBy": [ { "itemKey": "$gen_bar_Related incidents_4", "sortOrder": 2 } ] }, "customWidth": "60", "name": "Activity, by Identity" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AzureDiagnostics\r\n| where ResourceType == "VAULTS"\r\n| where Category == "AuditEvent"\r\n| where tolower(ResourceId) in ({KeyVault})\r\n| extend User = identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s\r\n| extend ObjectId = identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\r\n| extend ApplicationId = identity_claim_appid_g\r\n| summarize EventCount=count() by Identiy = iif(isempty(User), ObjectId, User)", "size": 0, "title": "Events, by Identity distribution", "timeContext": { "durationMs": 0 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspaces}" ], "visualization": "piechart" }, "customWidth": "40", "name": "Events, by Identity distribution" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "let AlertIDs = SecurityAlert\r\n| extend parse_json(Entities), AlertLink, SystemAlertId\r\n| mv-expand Entities\r\n| extend parse_json(Entities)\r\n| mv-expand Entities\r\n| where Entities has 'AadUserId'\r\n| project ID = tostring(split(split(Entities, 'AadUserId":"')[1], '"')[0]), TimeGenerated, DisplayName, Description, ProductName, AlertLink, AlertSeverity, AlertId = tostring(SystemAlertId);\r\nlet Incidents = SecurityIncident\r\n| project AlertIds, Title, Severity, IncidentUrl\r\n|mv-expand AlertId = AlertIds\r\n| extend AlertId = tostring(AlertId);\r\nAlertIDs\r\n| where ID in ('{SelectedID}')\r\n| join 
kind=leftouter Incidents on AlertId\r\n| project-away AlertIds, AlertId1\r\n| project TimeGenerated, Title, ProductName, Severity, Incident = IncidentUrl\r\n| where isempty(Incident) == false", "size": 0, "title": "Incidents involving the selected identity (selected above)", "timeContext": { "durationMs": 0 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspaces}" ], "gridSettings": { "formatters": [ { "columnMatch": "Incident", "formatter": 7, "formatOptions": { "linkTarget": "Url" } } ] } }, "name": "Incidents involving the selected identity" } ] }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "byIdentity" }, "name": "AllEvents-ByIdentity-Group" }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "items": [ { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AzureDiagnostics\r\n| where ResourceType == "VAULTS"\r\n| where Category == "AuditEvent"\r\n| where tolower(ResourceId) in ({KeyVault})\r\n| summarize Count = count() by OperationName, bin(TimeGenerated,{TimeRange:grain})", "size": 0, "title": "Events, by operation name", "timeContext": { "durationMs": 2419200000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspaces}" ], "visualization": "timechart" }, "name": "Events, by operation name" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AzureDiagnostics\r\n| where ResourceType == "VAULTS"\r\n| where Category == "AuditEvent"\r\n| where tolower(ResourceId) in ({KeyVault})\r\n| summarize EventCount=count() by OperationName", "size": 0, "title": "Activity, by operation name", "timeContext": { "durationMs": 0 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", 
"crossComponentResources": [ "{Workspaces}" ], "gridSettings": { "formatters": [ { "columnMatch": "EventCount", "formatter": 3, "formatOptions": { "palette": "blue" } } ] } }, "customWidth": "60", "name": "Activity, by operation name" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AzureDiagnostics\r\n| where ResourceType == "VAULTS"\r\n| where Category == "AuditEvent"\r\n| where tolower(ResourceId) in ({KeyVault})\r\n| summarize EventCount=count() by OperationName\r\n| order by EventCount desc", "size": 0, "title": "Events, by operation name distribution", "timeContext": { "durationMs": 0 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspaces}" ], "visualization": "piechart" }, "customWidth": "40", "name": "Events, by operation name distribution" } ] }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "byOperation" }, "name": "AllEvents-ByOperation-Group" } ] }, "conditionalVisibility": { "parameterName": "selectedEvents", "comparison": "isEqualTo", "value": "allEvents" }, "name": "EventAnalysis-AllEventsGroup" }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "items": [ { "type": 11, "content": { "version": "LinkItem/1.0", "style": "tabs", "links": [ { "id": "06733059-20fd-4155-87ed-18f1c3edbe36", "cellValue": "selectedTab", "linkTarget": "parameter", "linkLabel": "by key vault", "subTarget": "byKeyVault", "style": "link" }, { "id": "35cfd3e6-719d-4ae9-8432-cc308836aafe", "cellValue": "selectedTab", "linkTarget": "parameter", "linkLabel": "by caller IP", "subTarget": "byCallerIP", "style": "link" }, { "id": "d689a024-0d16-465a-bec4-39aa82912058", "cellValue": "selectedTab", "linkTarget": "parameter", "linkLabel": "by identity", "subTarget": "byIdentity", "style": "link" }, { "id": "1373e323-a457-4371-9382-ba5271996edf", "cellValue": "selectedTab", 
"linkTarget": "parameter", "linkLabel": "by operation", "subTarget": "byOperation", "style": "link" } ] }, "name": "links - 0" }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "items": [ { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AzureDiagnostics\r\n| where ResourceType == "VAULTS"\r\n| where Category == "AuditEvent"\r\n| where tolower(ResourceId) in ({KeyVault})\r\n| where HttpStatusCode = tostring(httpStatusCode_d) !startswith "20"\r\n| summarize Count = count() by Resource, bin(TimeGenerated,{TimeRange:grain})", "size": 0, "title": "Events, by key vault", "timeContext": { "durationMs": 2419200000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspaces}" ], "visualization": "timechart" }, "name": "Events, by key vault" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AzureDiagnostics\r\n| where ResourceType == "VAULTS"\r\n| where Category == "AuditEvent"\r\n| where tolower(ResourceId) in ({KeyVault})\r\n| where HttpStatusCode = tostring(httpStatusCode_d) !startswith "20"\r\n| summarize EventCount=count() by Resource\r\n| order by EventCount desc", "size": 0, "title": "Activity, by key vault", "timeContext": { "durationMs": 0 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspaces}" ], "gridSettings": { "formatters": [ { "columnMatch": "EventCount", "formatter": 3, "formatOptions": { "palette": "blue" } } ] } }, "customWidth": "60", "name": "Activity, by key vault" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AzureDiagnostics\r\n| where ResourceType == "VAULTS"\r\n| where Category == "AuditEvent"\r\n| where tolower(ResourceId) in ({KeyVault})\r\n| where HttpStatusCode = tostring(httpStatusCode_d) !startswith "20"\r\n| summarize EventCount=count() by Resource", 
"size": 0, "title": "Events, by key vault distribution", "timeContext": { "durationMs": 0 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspaces}" ], "visualization": "piechart" }, "customWidth": "40", "name": "Events, by key vault distribution" } ] }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "byKeyVault" }, "name": "AllEvents-ByKeyVault-Group" }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "items": [ { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AzureDiagnostics\r\n| where ResourceType == "VAULTS"\r\n| where Category == "AuditEvent"\r\n| where tolower(ResourceId) in ({KeyVault})\r\n| where HttpStatusCode = tostring(httpStatusCode_d) !startswith "20"\r\n| summarize Count = count() by CallerIPAddress, bin(TimeGenerated,{TimeRange:grain})", "size": 0, "title": "Events, by Caller IP", "timeContext": { "durationMs": 0 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspaces}" ], "visualization": "timechart" }, "name": "Events, by Caller IP" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "let AlertIPs = SecurityAlert\r\n| project parse_json(Entities), AlertLink, SystemAlertId\r\n| mv-expand Entities\r\n| extend parse_json(Entities)\r\n| mv-expand Entities\r\n| where Entities has 'Address'\r\n| project IP = tostring(split(split(Entities, 'Address":"')[1], '"')[0]), AlertLink, AlertId = tostring(SystemAlertId);\r\nlet Incidents = SecurityIncident\r\n| project AlertIds, IncidentUrl\r\n|mv-expand AlertId = AlertIds\r\n| extend AlertId = tostring(AlertId);\r\nAzureDiagnostics\r\n| where ResourceType == "VAULTS"\r\n| where Category == "AuditEvent"\r\n| where tolower(ResourceId) in ({KeyVault})\r\n| where HttpStatusCode = 
tostring(httpStatusCode_d) !startswith "20"\r\n| summarize EventCount=count() by IP = tostring(CallerIPAddress)\r\n| join kind=leftouter AlertIPs on IP\r\n| project-away IP1\r\n| order by EventCount desc\r\n| join kind=leftouter Incidents on AlertId\r\n| project-away AlertIds, AlertId1\r\n| extend Incident = IncidentUrl\r\n| summarize ['Related incidents'] = count(Incident != '') by IP, EventCount\r\n| order by ['Related incidents'], EventCount desc\r\n", "size": 0, "title": "Activity by Caller IP", "timeContext": { "durationMs": 0 }, "timeContextFromParameter": "TimeRange", "exportFieldName": "IP", "exportParameterName": "SelectedIP", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspaces}" ], "gridSettings": { "formatters": [ { "columnMatch": "EventCount", "formatter": 3, "formatOptions": { "palette": "blue" } }, { "columnMatch": "Related incidents", "formatter": 3, "formatOptions": { "palette": "redDark" } } ] } }, "customWidth": "60", "name": "Activity by Caller IP" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AzureDiagnostics\r\n| where ResourceType == "VAULTS"\r\n| where Category == "AuditEvent"\r\n| where tolower(ResourceId) in ({KeyVault})\r\n| where HttpStatusCode = tostring(httpStatusCode_d) !startswith "20"\r\n| summarize EventCount=count() by CallerIPAddress", "size": 0, "title": "Events, by Caller IP distribution", "timeContext": { "durationMs": 0 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspaces}" ], "visualization": "piechart" }, "customWidth": "40", "name": "Events, by Caller IP distribution" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "let AlertIPs = SecurityAlert\r\n| extend parse_json(Entities), AlertLink, SystemAlertId, AlertType\r\n| mv-expand Entities\r\n| extend parse_json(Entities)\r\n| mv-expand Entities\r\n| where Entities has 
'Address'\r\n| project IP = tostring(split(split(Entities, 'Address":"')[1], '"')[0]), TimeGenerated, DisplayName, Description, ProductName, AlertLink, AlertSeverity, AlertId = tostring(SystemAlertId);\r\nlet Incidents = SecurityIncident\r\n| project AlertIds, Title, Severity, IncidentUrl\r\n|mv-expand AlertId = AlertIds\r\n| extend AlertId = tostring(AlertId);\r\nAlertIPs\r\n| where IP in ('{SelectedIP}')\r\n| join kind=leftouter Incidents on AlertId\r\n| project-away AlertIds, AlertId1\r\n| project TimeGenerated, Title, ProductName, Severity, Incident = IncidentUrl\r\n| where isempty(Incident) == false", "size": 0, "title": "Incidents involving the selected Caller IP (selected above)", "timeContext": { "durationMs": 0 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspaces}" ], "gridSettings": { "formatters": [ { "columnMatch": "Incident", "formatter": 7, "formatOptions": { "linkTarget": "Url" } } ] } }, "name": "Incidents involving the selected Caller IP" } ] }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "byCallerIP" }, "name": "AllEvents-ByCallerIP-Group" }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "items": [ { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AzureDiagnostics\r\n| where ResourceType == "VAULTS"\r\n| where Category == "AuditEvent"\r\n| where tolower(ResourceId) in ({KeyVault})\r\n| where HttpStatusCode = tostring(httpStatusCode_d) !startswith "20"\r\n| extend User = identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s\r\n| extend ObjectId = identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\r\n| extend ApplicationId = identity_claim_appid_g\r\n| summarize Count = count() by Identity = iff(isempty(User), ObjectId, User) , bin(TimeGenerated,{TimeRange:grain})", "size": 0, "title": "Events, by 
Identity", "timeContext": { "durationMs": 2419200000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspaces}" ], "visualization": "timechart" }, "name": "Events, by Identity" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "let AlertIDs = SecurityAlert\r\n| project parse_json(Entities), AlertLink, SystemAlertId, TimeGenerated\r\n| mv-expand Entities\r\n| extend parse_json(Entities)\r\n| mv-expand Entities\r\n| where Entities has 'AadUserId'\r\n| project ID = tostring(split(split(Entities, 'AadUserId":"')[1], '"')[0]), TimeGenerated, AlertLink, AlertId = SystemAlertId;\r\nlet Incidents = SecurityIncident\r\n| project AlertIds, IncidentUrl\r\n|mv-expand AlertId = AlertIds\r\n| extend AlertId = tostring(AlertId);\r\nAzureDiagnostics\r\n| where ResourceType == "VAULTS"\r\n| where Category == "AuditEvent"\r\n| where tolower(ResourceId) in ({KeyVault})\r\n| where HttpStatusCode = tostring(httpStatusCode_d) !startswith "20"\r\n| extend User = identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s\r\n| extend ObjectId = identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\r\n| extend ApplicationId = identity_claim_appid_g\r\n| where isempty(ObjectId) == false or isempty(User) == false or isempty(ApplicationId) == false\r\n| extend ID = iif(isempty(ObjectId), ApplicationId, ObjectId)\r\n//| summarize EventCount=count() by Identity = iif(isempty(User),iif(isempty(ObjectId), ApplicationId, ObjectId), User), Identifier = iif(isempty(User),iif(isempty(ObjectId), 'AppId', 'ObjectId'), 'User'), ID\r\n| summarize EventCount=count() by Identity = iif(isempty(ObjectId), ApplicationId, ObjectId), Identifier = iif(isempty(User),iif(isempty(ObjectId), 'AppId', 'ObjectId'), 'User'), User, ID\r\n| join kind=leftouter AlertIDs on ID\r\n| project-away ID, ID1\r\n| order by EventCount desc\r\n| join kind=leftouter Incidents on 
AlertId\r\n| project-away AlertIds, AlertId1\r\n| extend Incident = IncidentUrl\r\n| summarize ['Related incidents'] = count(Incident != '') by Identity, Identifier, User, EventCount\r\n| order by ['Related incidents'], EventCount desc\r\n", "size": 0, "title": "Activity, by Identity", "timeContext": { "durationMs": 0 }, "timeContextFromParameter": "TimeRange", "exportFieldName": "Identity", "exportParameterName": "SelectedID", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspaces}" ], "gridSettings": { "formatters": [ { "columnMatch": "EventCount", "formatter": 3, "formatOptions": { "palette": "blue" } }, { "columnMatch": "Related incidents", "formatter": 3, "formatOptions": { "palette": "redDark" } } ] } }, "customWidth": "60", "name": "Activity, by Identity" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AzureDiagnostics\r\n| where ResourceType == "VAULTS"\r\n| where Category == "AuditEvent"\r\n| where tolower(ResourceId) in ({KeyVault})\r\n| where HttpStatusCode = tostring(httpStatusCode_d) !startswith "20"\r\n| extend User = identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s\r\n| extend ObjectId = identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\r\n| extend ApplicationId = identity_claim_appid_g\r\n| summarize EventCount=count() by Identiy = iif(isempty(User), ObjectId, User)", "size": 0, "title": "Events, by Identity distribution", "timeContext": { "durationMs": 0 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspaces}" ], "visualization": "piechart" }, "customWidth": "40", "name": "Events, by Identity distribution" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "let AlertIDs = SecurityAlert\r\n| extend parse_json(Entities), AlertLink, SystemAlertId\r\n| mv-expand Entities\r\n| extend 
parse_json(Entities)\r\n| mv-expand Entities\r\n| where Entities has 'AadUserId'\r\n| project ID = tostring(split(split(Entities, 'AadUserId":"')[1], '"')[0]), TimeGenerated, DisplayName, Description, ProductName, AlertLink, AlertSeverity, AlertId = tostring(SystemAlertId);\r\nlet Incidents = SecurityIncident\r\n| project AlertIds, Title, Severity, IncidentUrl\r\n|mv-expand AlertId = AlertIds\r\n| extend AlertId = tostring(AlertId);\r\nAlertIDs\r\n| where ID in ('{SelectedID}')\r\n| join kind=leftouter Incidents on AlertId\r\n| project-away AlertIds, AlertId1\r\n| project TimeGenerated, Title, ProductName, Severity, Incident = IncidentUrl\r\n| where isempty(Incident) == false", "size": 0, "title": "Incidents involving the selected identity (selected above)", "timeContext": { "durationMs": 0 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspaces}" ], "gridSettings": { "formatters": [ { "columnMatch": "Incident", "formatter": 7, "formatOptions": { "linkTarget": "Url" } } ] } }, "name": "Incidents involving the selected identity" } ] }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "byIdentity" }, "name": "AllEvents-ByIdentity-Group" }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "items": [ { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AzureDiagnostics\r\n| where ResourceType == "VAULTS"\r\n| where Category == "AuditEvent"\r\n| where tolower(ResourceId) in ({KeyVault})\r\n| where HttpStatusCode = tostring(httpStatusCode_d) !startswith "20"\r\n| summarize Count = count() by OperationName, bin(TimeGenerated,{TimeRange:grain})", "size": 0, "title": "Events, by operation name", "timeContext": { "durationMs": 2419200000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": 
[ "{Workspaces}" ], "visualization": "timechart" }, "name": "Events, by operation name" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AzureDiagnostics\r\n| where ResourceType == "VAULTS"\r\n| where Category == "AuditEvent"\r\n| where tolower(ResourceId) in ({KeyVault})\r\n| where HttpStatusCode = tostring(httpStatusCode_d) !startswith "20"\r\n| summarize EventCount=count() by OperationName", "size": 0, "title": "Activity, by operation name", "timeContext": { "durationMs": 0 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspaces}" ], "gridSettings": { "formatters": [ { "columnMatch": "EventCount", "formatter": 3, "formatOptions": { "palette": "blue" } } ] } }, "customWidth": "60", "name": "Activity, by operation name" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AzureDiagnostics\r\n| where ResourceType == "VAULTS"\r\n| where Category == "AuditEvent"\r\n| where tolower(ResourceId) in ({KeyVault})\r\n| where HttpStatusCode = tostring(httpStatusCode_d) !startswith "20"\r\n| summarize EventCount=count() by OperationName\r\n| order by EventCount desc", "size": 0, "title": "Events, by operation name distribution", "timeContext": { "durationMs": 0 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspaces}" ], "visualization": "piechart" }, "customWidth": "40", "name": "Events, by operation name distribution" } ] }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "byOperation" }, "name": "AllEvents-ByOperation-Group" } ] }, "conditionalVisibility": { "parameterName": "selectedEvents", "comparison": "isEqualTo", "value": "failedEvents" }, "name": "EventAnalysis-FailedEventsGroup" } ] }, "name": "EventAnalysisGroup" } ] }, "conditionalVisibility": { "parameterName": "mainTab", 
"comparison": "isEqualTo", "value": "diagnostics" }, "name": "DiagnosticsTabGroup", "styleSettings": { "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "let SensitiveOperationList = dynamic(["VaultDelete", "KeyDelete", "SecretDelete", "SecretPurge", "KeyPurge", "SecretBackup", "KeyBackup"]);\r\nAzureDiagnostics\r\n| where ResourceType == "VAULTS"\r\n| where Category == "AuditEvent"\r\n| where tolower(ResourceId) in ({KeyVault})\r\n| extend Result = columnifexists("ResultType", "NoResult")\r\n| extend requestUri_s = columnifexists("requestUri_s", "None"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists("identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g", "None")\r\n| extend id_s = columnifexists("id_s", "None"), CallerIPAddress = columnifexists("CallerIPAddress", "None"), clientInfo_s = columnifexists("clientInfo_s", "None")\r\n| where Result !~ "None" and isnotempty(Result)\r\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ "None" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\r\n| where id_s !~ "None" and isnotempty(id_s)\r\n| where CallerIPAddress !~ "None" and isnotempty(CallerIPAddress)\r\n| where clientInfo_s !~ "None" and isnotempty(clientInfo_s)\r\n| where requestUri_s !~ "None" and isnotempty(requestUri_s)\r\n| where ResourceType =~ "VAULTS" and Result =~ "Success" \r\n| where OperationName in~ (SensitiveOperationList) \r\n| project TimeGenerated, ResourceId, Result, OperationName, CallerIPAddress, identity_claim_appid_g, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s, identity_claim_http_schemas_microsoft_com_identity_claims_scope_s, requestUri_s, clientInfo_s\r\n", "size": 0, "title": "Sensitive Operations", "timeContext": { "durationMs": 7776000000 }, 
"timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspaces}" ], "gridSettings": { "sortBy": [ { "itemKey": "identity_claim_appid_g", "sortOrder": 2 } ] }, "sortBy": [ { "itemKey": "identity_claim_appid_g", "sortOrder": 2 } ] }, "conditionalVisibility": { "parameterName": "mainTab", "comparison": "isEqualTo", "value": "diagnostics" }, "name": "SensitiveOperations", "styleSettings": { "showBorder": true } }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "items": [ { "type": 9, "content": { "version": "KqlParameterItem/1.0", "parameters": [ { "id": "29f888e1-53ba-4dc0-9d4f-63fc52d3cacf", "version": "KqlParameterItem/1.0", "name": "EventCountThreshold", "label": "Event Threshold", "type": 1, "isRequired": true, "value": "1000", "timeContext": { "durationMs": 86400000 } }, { "id": "6b2fb75b-7a4e-4105-be3c-c3be5b5c8aa1", "version": "KqlParameterItem/1.0", "name": "MonitoredTimeRange", "type": 4, "isRequired": true, "value": { "durationMs": 86400000 }, "typeSettings": { "selectableValues": [ { "durationMs": 300000 }, { "durationMs": 900000 }, { "durationMs": 1800000 }, { "durationMs": 3600000 }, { "durationMs": 14400000 }, { "durationMs": 43200000 }, { "durationMs": 86400000 } ] }, "timeContext": { "durationMs": 86400000 } } ], "style": "pills", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "name": "parameters - 0" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "let EventCountThreshold = {EventCountThreshold};\r\nlet MonitoredTimeRange = {MonitoredTimeRange:start};\r\nlet OperationList = dynamic(\r\n["SecretGet", "KeyGet", "VaultGet"]);\r\nAzureDiagnostics\r\n| where TimeGenerated > MonitoredTimeRange\r\n| where ResourceType == "VAULTS"\r\n| where Category == "AuditEvent"\r\n| where tolower(ResourceId) in ({KeyVault})\r\n| extend Result = columnifexists("ResultType", "None"), 
identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists("identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g", "None")\r\n| where Result !~ "None" and isnotempty(Result)\r\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ "None" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\r\n| where ResourceType =~ "VAULTS" and Result =~ "Success"\r\n| where OperationName in (OperationList) \r\n| summarize EventCount = count(), OperationNames = make_set(OperationName), CallerIPList = make_set(CallerIPAddress), RequestUriList = make_set(requestUri_s), ClientInfoList = make_set(clientInfo_s) by ResourceId, Result, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, identity_claim_appid_g, identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s\r\n| where EventCount > EventCountThreshold\r\n| order by EventCount desc\r\n\r\n\r\n\r\n", "size": 0, "title": "Mass Secret Retrieval", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspaces}" ], "gridSettings": { "formatters": [ { "columnMatch": "Result", "formatter": 5 }, { "columnMatch": "EventCount", "formatter": 3, "formatOptions": { "palette": "red" } } ] } }, "name": "MassSecretRetrieval" } ] }, "conditionalVisibility": { "parameterName": "mainTab", "comparison": "isEqualTo", "value": "diagnostics" }, "name": "MassSecretRetrieval", "styleSettings": { "showBorder": true } }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "items": [ { "type": 1, "content": { "json": "## Operation analysis" }, "name": "text - 0" }, { "type": 9, "content": { "version": "KqlParameterItem/1.0", "crossComponentResources": [ "{Workspaces}" ], "parameters": [ { "id": "e51d1f48-3866-41cd-afd2-a36b24946ba7", "version": "KqlParameterItem/1.0", "name": 
"KeyVaultOperationAnalysis", "type": 5, "isRequired": true, "multiSelect": true, "quote": "'", "delimiter": ",", "query": "where type =~ 'microsoft.keyvault/vaults'\r\n| where strcat('/subscriptions/',subscriptionId) in ({Subscription})\r\n| project id=tolower(id)\r\n| where id in ({KeyVault})", "crossComponentResources": [ "{Workspaces}" ], "value": [], "typeSettings": { "additionalResourceOptions": [ "value::all" ], "showDefault": false }, "timeContext": { "durationMs": 86400000 }, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources" } ], "style": "pills", "queryType": 1, "resourceType": "microsoft.resourcegraph/resources" }, "name": "parameters - 5" }, { "type": 11, "content": { "version": "LinkItem/1.0", "style": "tabs", "links": [ { "id": "515c8b15-31cc-44d0-926e-5ae8b3cc5ae9", "cellValue": "selectedTab", "linkTarget": "parameter", "linkLabel": "Secrets", "subTarget": "secret", "preText": "Secrets", "style": "link" }, { "id": "7be60a7e-aff8-49c1-b7e3-ec2e91799e40", "cellValue": "selectedTab", "linkTarget": "parameter", "linkLabel": "Keys", "subTarget": "key", "style": "link" }, { "id": "1b00600a-aa98-40d4-9b4b-cc4b06c7de0b", "cellValue": "selectedTab", "linkTarget": "parameter", "linkLabel": "Certificates", "subTarget": "certificate", "style": "link" } ] }, "name": "links - 1" }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "items": [ { "type": 9, "content": { "version": "KqlParameterItem/1.0", "parameters": [ { "id": "8c382ba4-42e6-4948-b7c2-49acbddc6d0f", "version": "KqlParameterItem/1.0", "name": "GetOperationsScale", "type": 10, "isRequired": true, "multiSelect": true, "quote": "'", "delimiter": ",", "value": "log", "typeSettings": { "additionalResourceOptions": [] }, "jsonData": "[\r\n { "value":"log", "label":"Logarithmic" },\r\n { "value":"linear", "label":"Linear" }\r\n]", "timeContext": { "durationMs": 86400000 } }, { "id": "fcd2858b-de98-4839-a30b-34349f094de5", "version": "KqlParameterItem/1.0", 
"name": "Identity", "type": 10, "isRequired": true, "value": "all", "typeSettings": { "additionalResourceOptions": [] }, "jsonData": "[\r\n { "value":"all", "label":"All" },\r\n { "value":"users", "label":"Users" },\r\n { "value":"servicesr", "label":"Services" }\r\n]", "timeContext": { "durationMs": 86400000 } } ], "style": "above", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "name": "parameters - 3" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AzureDiagnostics\r\n| where ResourceType == "VAULTS"\r\n| where Category == "AuditEvent"\r\n| where tolower(ResourceId) in ({KeyVaultOperationAnalysis})\r\n| where OperationName contains tostring('{selectedTab}')\r\n| extend User = identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s\r\n| extend ObjectId = identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\r\n| extend userActivity = iif(isempty(User),0,1), serviceActivity = iif(isempty(User),1,0)\r\n| summarize UserCount=sum(userActivity), ServiceCount=sum(serviceActivity), AllCount = count() by OperationName, bin(TimeGenerated,{TimeRange:grain}/10)\r\n| extend Count = iif(tostring('{Identity}') == 'all', AllCount, iif(tostring('{Identity}') == 'users', UserCount, ServiceCount))\r\n| extend Count = iif(tostring('{GetOperationsScale}') == 'log', iif(OperationName contains "get", log(Count), toreal(Count)), toreal(Count))\r\n\r\n", "size": 0, "timeContext": { "durationMs": 7776000000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspaces}" ], "visualization": "timechart", "gridSettings": { "formatters": [ { "columnMatch": "ListCount", "formatter": 0, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": false }, "emptyValCustomText": "0" } }, { "columnMatch": "LogListCount", "formatter": 0, "numberFormat": { "unit": 0, "options": { "style": 
"decimal", "useGrouping": false } } } ] }, "tileSettings": { "showBorder": false, "titleContent": { "columnMatch": "GetOp", "formatter": 1 }, "leftContent": { "columnMatch": "LogGetCount", "formatter": 12, "formatOptions": { "palette": "auto" }, "numberFormat": { "unit": 17, "options": { "maximumSignificantDigits": 3, "maximumFractionDigits": 2 } } } }, "graphSettings": { "type": 0, "topContent": { "columnMatch": "GetOp", "formatter": 1 }, "centerContent": { "columnMatch": "LogGetCount", "formatter": 1, "numberFormat": { "unit": 17, "options": { "maximumSignificantDigits": 3, "maximumFractionDigits": 2 } } } }, "chartSettings": { "yAxis": [ "Count" ], "ySettings": { "numberFormatSettings": { "unit": 0, "options": { "style": "decimal", "useGrouping": true } }, "min": 0 } }, "mapSettings": { "locInfo": "LatLong", "sizeSettings": "LogGetCount", "sizeAggregation": "Sum", "legendMetric": "LogGetCount", "legendAggregation": "Sum", "itemColorSettings": { "type": "heatmap", "colorAggregation": "Sum", "nodeColorField": "LogGetCount", "heatmapPalette": "greenRed" } } }, "name": "query - 14 - Copy" } ] }, "name": "operation group" } ] }, "conditionalVisibility": { "parameterName": "mainTab", "comparison": "isEqualTo", "value": "diagnostics" }, "name": "group - 11", "styleSettings": { "showBorder": true } }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "items": [] }, "conditionalVisibility": { "parameterName": "mainTab", "comparison": "isEqualTo", "value": "monitoring" }, "name": "monitoring" }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "items": [ { "type": 10, "content": { "chartId": "workbook9a52a059-26c9-474b-a678-8ddbedbdf6c2", "version": "MetricsItem/2.0", "size": 0, "chartType": 0, "resourceType": "microsoft.keyvault/vaults", "metricScope": 0, "resourceParameter": "KeyVault", "resourceIds": [ "{KeyVault}" ], "timeContextFromParameter": "TimeRange", "timeContext": { "durationMs": 7776000000 
}, "metrics": [ { "namespace": "microsoft.keyvault/vaults", "metric": "microsoft.keyvault/vaults--ServiceApiResult", "aggregation": 1, "splitBy": "ActivityName", "splitBySortOrder": -1, "splitByLimit": 5, "columnName": "Api hits" }, { "namespace": "microsoft.keyvault/vaults", "metric": "microsoft.keyvault/vaults--ServiceApiResult", "aggregation": 1, "splitBy": "ActivityName", "splitBySortOrder": -1, "splitByLimit": null, "columnName": "Api hit failures" }, { "namespace": "microsoft.keyvault/vaults", "metric": "microsoft.keyvault/vaults--ServiceApiLatency", "aggregation": 4, "splitBy": "ActivityName", "splitBySortOrder": -1, "splitByLimit": null }, { "namespace": "microsoft.keyvault/vaults", "metric": "microsoft.keyvault/vaults--SaturationShoebox", "aggregation": 4, "splitBy": "ActivityName", "splitBySortOrder": -1, "splitByLimit": null, "columnName": "Saturation" } ], "title": "Overview", "gridFormatType": 2, "gridSettings": { "formatters": [ { "columnMatch": "$gen_group", "formatter": 13, "formatOptions": { "linkTarget": "Resource", "subTarget": "insights", "showIcon": true } }, { "columnMatch": "Subscription", "formatter": 5 }, { "columnMatch": "Name", "formatter": 5, "formatOptions": { "linkTarget": "Resource" } }, { "columnMatch": "Segment", "formatter": 5 }, { "columnMatch": "Api hits", "formatter": 8, "formatOptions": { "min": 0, "palette": "blue", "aggregation": "Sum" }, "numberFormat": { "unit": 17, "options": { "style": "decimal", "maximumFractionDigits": 1 }, "emptyValCustomText": "-" } }, { "columnMatch": "Api hits Timeline", "formatter": 21, "formatOptions": { "min": 0, "palette": "blue", "aggregation": "Sum" } }, { "columnMatch": "Api hit failures", "formatter": 8, "formatOptions": { "min": 0, "palette": "red", "aggregation": "Sum" }, "numberFormat": { "unit": 17, "options": { "style": "decimal", "maximumFractionDigits": 1 }, "emptyValCustomText": "-" } }, { "columnMatch": "Api hit failures Timeline", "formatter": 5 }, { "columnMatch": 
"microsoft.keyvault/vaults--ServiceApiLatency", "formatter": 8, "formatOptions": { "palette": "gray", "aggregation": "Max" }, "numberFormat": { "unit": 23, "options": { "style": "decimal", "maximumFractionDigits": 2 } } }, { "columnMatch": "microsoft.keyvault/vaults--ServiceApiLatency Timeline", "formatter": 5 }, { "columnMatch": "Saturation", "formatter": 18, "formatOptions": { "thresholdsOptions": "icons", "thresholdsGrid": [ { "operator": ">", "thresholdValue": "75", "representation": "2", "text": "{0}{1}" }, { "operator": "is Empty", "representation": "success", "text": "{0}{1}" }, { "operator": "Default", "thresholdValue": null, "representation": "success", "text": "{0}{1}" } ], "aggregation": "Average" }, "numberFormat": { "unit": 1, "options": { "style": "decimal", "maximumFractionDigits": 1 }, "emptyValCustomText": "0%" } }, { "columnMatch": "Saturation Timeline", "formatter": 5 }, { "columnMatch": ".*\/Total Service Api Hits$", "formatter": 1 }, { "columnMatch": "microsoft.keyvault/vaults--ServiceApiResult Timeline", "formatter": 5 }, { "columnMatch": "microsoft.keyvault/vaults--ServiceApiResult", "formatter": 1, "numberFormat": { "unit": 0, "options": { "style": "decimal" } } }, { "columnMatch": "More Details", "formatter": 7, "formatOptions": { "linkTarget": "WorkbookTemplate" } } ], "rowLimit": 10000, "filter": true, "hierarchySettings": { "treeType": 1, "groupBy": [ "Subscription", "Name" ], "expandTopLevel": true, "finalBy": "Segment" }, "labelSettings": [ { "columnId": "Subscription" }, { "columnId": "Name" }, { "columnId": "Segment" }, { "columnId": "Api hits", "label": "Requests" }, { "columnId": "Api hits Timeline", "label": "Requests Timeline" }, { "columnId": "Api hit failures", "label": "Request failures" }, { "columnId": "microsoft.keyvault/vaults--ServiceApiLatency", "label": "Average latency (worst rolled up)" }, { "columnId": "microsoft.keyvault/vaults--ServiceApiLatency Timeline", "label": "Overall Service Api Latency (Average) Timeline" } 
] }, "sortBy": [] }, "name": "overviewMonitoring" }, { "type": 10, "content": { "chartId": "workbookfc929046-618d-46d4-a287-ec07bc167656", "version": "MetricsItem/2.0", "size": 0, "chartType": 0, "resourceType": "microsoft.keyvault/vaults", "metricScope": 0, "resourceParameter": "KeyVault", "resourceIds": [ "{KeyVault}" ], "timeContextFromParameter": "TimeRange", "timeContext": { "durationMs": 7776000000 }, "metrics": [ { "namespace": "microsoft.keyvault/vaults", "metric": "microsoft.keyvault/vaults--ServiceApiHit", "aggregation": 1 }, { "namespace": "microsoft.keyvault/vaults", "metric": "microsoft.keyvault/vaults--ServiceApiResult", "aggregation": 1, "columnName": "Successes" }, { "namespace": "microsoft.keyvault/vaults", "metric": "microsoft.keyvault/vaults--ServiceApiResult", "aggregation": 1, "columnName": "Authentication" }, { "namespace": "microsoft.keyvault/vaults", "metric": "microsoft.keyvault/vaults--ServiceApiResult", "aggregation": 1, "columnName": "Throttling" }, { "namespace": "microsoft.keyvault/vaults", "metric": "microsoft.keyvault/vaults--ServiceApiResult", "aggregation": 1, "columnName": "Failures" } ], "title": "Failures", "gridSettings": { "formatters": [ { "columnMatch": "$gen_group", "formatter": 13, "formatOptions": { "linkTarget": "Resource", "subTarget": "insights", "showIcon": true } }, { "columnMatch": "Subscription", "formatter": 5 }, { "columnMatch": "Name", "formatter": 5, "formatOptions": { "linkTarget": "Resource" } }, { "columnMatch": "microsoft.keyvault/vaults--ServiceApiHit", "formatter": 8, "formatOptions": { "min": 0, "palette": "blue", "aggregation": "Sum" }, "numberFormat": { "unit": 17, "options": { "style": "decimal", "maximumFractionDigits": 1 }, "emptyValCustomText": "-" } }, { "columnMatch": "microsoft.keyvault/vaults--ServiceApiHit Timeline", "formatter": 21, "formatOptions": { "min": 0, "palette": "blue", "aggregation": "Sum" } }, { "columnMatch": "Successes", "formatter": 8, "formatOptions": { "min": 0, "palette": 
"green", "aggregation": "Sum" }, "numberFormat": { "unit": 0, "options": { "style": "decimal", "maximumFractionDigits": 1 }, "emptyValCustomText": "-" } }, { "columnMatch": "Successes Timeline", "formatter": 5 }, { "columnMatch": "Authentication", "formatter": 8, "formatOptions": { "min": 0, "palette": "gray", "aggregation": "Sum" }, "numberFormat": { "unit": 17, "options": { "style": "decimal", "maximumFractionDigits": 1 }, "emptyValCustomText": "-" } }, { "columnMatch": "Authentication Timeline", "formatter": 5 }, { "columnMatch": "Throttling", "formatter": 8, "formatOptions": { "min": 0, "palette": "redBright", "aggregation": "Sum" }, "numberFormat": { "unit": 0, "options": { "style": "decimal", "maximumFractionDigits": 1 }, "emptyValCustomText": "-" } }, { "columnMatch": "Throttling Timeline", "formatter": 5 }, { "columnMatch": "Failures", "formatter": 8, "formatOptions": { "min": 0, "palette": "redDark", "aggregation": "Sum" }, "numberFormat": { "unit": 17, "options": { "style": "decimal", "maximumFractionDigits": 1 }, "emptyValCustomText": "-" } }, { "columnMatch": "Failures Timeline", "formatter": 5 }, { "columnMatch": "microsoft.keyvault/vaults--ServiceApiResult", "formatter": 1, "numberFormat": { "unit": 0, "options": { "style": "decimal" } } } ], "rowLimit": 10000, "filter": true, "hierarchySettings": { "treeType": 1, "groupBy": [ "Subscription" ], "expandTopLevel": true, "finalBy": "Name" }, "labelSettings": [ { "columnId": "Subscription" }, { "columnId": "Name" }, { "columnId": "microsoft.keyvault/vaults--ServiceApiHit", "label": "Total Service Api Hits (Sum)" }, { "columnId": "microsoft.keyvault/vaults--ServiceApiHit Timeline", "label": "Total Service Api Hits Timeline" }, { "columnId": "Failures", "label": "Other Failures" } ] } }, "showPin": true, "name": "failureMonitoring - Copy" } ] }, "conditionalVisibility": { "parameterName": "mainTab", "comparison": "isEqualTo", "value": "monitor" }, "name": "generalMonitoring" } ],
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json" }