diff --git a/.script/tests/KqlvalidationsTests/CustomTables/KeeperSecurityEventNewLogs_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/KeeperSecurityEventNewLogs_CL.json
new file mode 100644
index 00000000000..8b870f70f99
--- /dev/null
+++ b/.script/tests/KqlvalidationsTests/CustomTables/KeeperSecurityEventNewLogs_CL.json
@@ -0,0 +1,41 @@
+{
+ "Name": "KeeperSecurityEventNewLogs_CL",
+ "Properties": [
+ {
+ "Name": "TimeGenerated",
+ "Type": "datetime"
+ },
+ {
+ "Name": "AuditEvent",
+ "Type": "string"
+ },
+ {
+ "Name": "RemoteAddress",
+ "Type": "string"
+ },
+ {
+ "Name": "Category",
+ "Type": "string"
+ },
+ {
+ "Name": "ClientVersion",
+ "Type": "string"
+ },
+ {
+ "Name": "EnterpriseId",
+ "Type": "int"
+ },
+ {
+ "Name": "Username",
+ "Type": "string"
+ },
+ {
+ "Name": "Timestamp",
+ "Type": "datetime"
+ },
+ {
+ "Name": "Data",
+ "Type": "dynamic"
+ }
+ ]
+ }
\ No newline at end of file
diff --git a/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json b/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
index 370dca4bce0..3d3b5ebe5a8 100644
--- a/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
+++ b/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
@@ -111,6 +111,7 @@
"JamfProtect",
"JiraAuditAPI",
"JuniperSRX",
+ "KeeperSecurityPush2",
"LastPass",
"LookoutAPI",
"McAfeeePO",
diff --git a/Solutions/Keeper Security/Analytic Rules/Keeper Security - Alternate Master Password.yaml b/Solutions/Keeper Security/Analytic Rules/Keeper Security - Alternate Master Password.yaml
new file mode 100644
index 00000000000..a727f94f021
--- /dev/null
+++ b/Solutions/Keeper Security/Analytic Rules/Keeper Security - Alternate Master Password.yaml
@@ -0,0 +1,42 @@
+id: f031fbbc-37d8-4667-b795-d386bf2b5ab2
+name: Keeper Security - Password Changed
+description: |
+ 'Creates an informational incident based on Keeper Security Password Changed data in Microsoft Sentinel'
+severity: Informational
+status: Available
+requiredDataConnectors:
+ - connectorId: KeeperSecurityPush2
+ dataTypes:
+ - KeeperSecurityEventNewLogs_CL
+suppressionDuration: PT5H
+eventGroupingSettings:
+ aggregationKind: AlertPerResult
+suppressionEnabled: false
+tactics:
+- Persistence
+relevantTechniques:
+- T1556
+query: |
+ KeeperSecurityEventNewLogs_CL
+ | where AuditEvent == "change_master_password"
+incidentConfiguration:
+ createIncident: true
+ groupingConfiguration:
+ enabled: false
+ reopenClosedIncident: false
+ lookbackDuration: PT5H
+ matchingMethod: AllEntities
+alertDetailsOverride:
+ alertDisplayNameFormat: "{{AuditEvent}} on {{RemoteAddress}}"
+ alertDescriptionFormat: "{{AuditEvent}} has been captured in the Keeper Security Event Logs"
+entityMappings:
+- entityType: Account
+ fieldMappings:
+ - identifier: FullName
+ columnName: Username
+- entityType: IP
+ fieldMappings:
+ - identifier: Address
+ columnName: RemoteAddress
+version: 1.0.3
+kind: NRT
\ No newline at end of file
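Review bot: The rule's identity is inconsistent within this file: the path says "Alternate Master Password", `name` says "Password Changed", and the query matches only `change_master_password`, so neither the incident title nor the description tells the analyst it is the master password that changed. I would use `name: Keeper Security - Master Password Changed`, tighten the description to `'Creates an informational incident when a Keeper Security user changes their master password (AuditEvent == "change_master_password")'`, and rename the file to match. The Account mapping uses `FullName` for `Username`; if Keeper usernames are e-mail addresses, as the field name suggests but this file does not show, a `Name`/`UPNSuffix` mapping would correlate better with other Sentinel sources, so confirm against a sample event. With `createIncident: true` and `AlertPerResult`, every master-password change becomes its own Informational incident, which is acceptable as a start but will be noisy in larger tenants.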
diff --git a/Solutions/Keeper Security/Analytic Rules/Keeper Security - User MFA Changed.yaml b/Solutions/Keeper Security/Analytic Rules/Keeper Security - User MFA Changed.yaml
new file mode 100644
index 00000000000..ac031c35b27
--- /dev/null
+++ b/Solutions/Keeper Security/Analytic Rules/Keeper Security - User MFA Changed.yaml
@@ -0,0 +1,42 @@
+id: 75ffc8a4-86db-4f48-8506-cb4c049be484
+name: Keeper Security - User MFA Changed
+description: |
+ 'Creates an informational incident based on Keeper Security User MFA Changed data in Microsoft Sentinel'
+severity: Informational
+status: Available
+requiredDataConnectors:
+ - connectorId: KeeperSecurityPush2
+ dataTypes:
+ - KeeperSecurityEventNewLogs_CL
+suppressionDuration: PT5H
+eventGroupingSettings:
+ aggregationKind: AlertPerResult
+suppressionEnabled: false
+tactics:
+- Persistence
+relevantTechniques:
+- T1556
+query: |
+ KeeperSecurityEventNewLogs_CL
+ | where AuditEvent in (```set_two_factor_off```, ```set_two_factor_on```)
+incidentConfiguration:
+ createIncident: true
+ groupingConfiguration:
+ enabled: false
+ reopenClosedIncident: false
+ lookbackDuration: PT5H
+ matchingMethod: AllEntities
+alertDetailsOverride:
+ alertDisplayNameFormat: "{{AuditEvent}} on {{RemoteAddress}}"
+ alertDescriptionFormat: "{{AuditEvent}} has been captured in the Keeper Security Event Logs"
+entityMappings:
+- entityType: Account
+ fieldMappings:
+ - identifier: FullName
+ columnName: Username
+- entityType: IP
+ fieldMappings:
+ - identifier: Address
+ columnName: RemoteAddress
+version: 1.0.3
+kind: NRT
\ No newline at end of file
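Review bot: `set_two_factor_off` and `set_two_factor_on` are treated identically at Informational severity, yet MFA being disabled is the event a SOC actually needs to see and it will be buried among routine enablements. Rather than splitting the rule, derive severity from the event: `| where AuditEvent in ("set_two_factor_off", "set_two_factor_on")`, then `| extend AlertSeverity = iff(AuditEvent == "set_two_factor_off", "Medium", "Informational")`, and add `alertSeverityColumnName: AlertSeverity` under `alertDetailsOverride`. The triple-backtick literals are valid KQL, but plain double-quoted strings are the more common form and read less like an obfuscation. For `relevantTechniques`, the MFA-specific sub-technique `T1556.006` is more precise than the parent `T1556`, provided the schema validator accepts sub-techniques here.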
diff --git a/Solutions/Keeper Security/Data/Solution_KeeperSecurity.json b/Solutions/Keeper Security/Data/Solution_KeeperSecurity.json
index 2a1276e5086..99434271143 100644
--- a/Solutions/Keeper Security/Data/Solution_KeeperSecurity.json
+++ b/Solutions/Keeper Security/Data/Solution_KeeperSecurity.json
@@ -3,9 +3,16 @@
"Author": "Joao Paulo Oliveira Santos - jsantos@keepersecurity.com",
"Logo": "",
"Description": "The [Keeper Security](https://keepersecurity.com/) solution for Microsoft Sentinel enables you to ingest [Keeper Security](https://keepersecurity.com/) forwarded into Microsoft Sentinel using the Microsoft Sentinel Analytics Workspace.",
+ "Analytic Rules": [
+ "Analytic Rules/Keeper Security - Alternate Master Password.yaml",
+ "Analytic Rules/Keeper Security - User MFA Changed.yaml"
+ ],
"Data Connectors": [
"Data Connectors/KeeperSecurity_ccp/KepperSecurity_Definition.json"
],
+ "Workbooks": [
+ "Workbooks/KeeperSecurityDashboard.json"
+ ],
"BasePath": "/Users/joaopaulooliveriasantos/Projects/Azure-Sentinel/Solutions/KeeperSecurity",
"Version": "3.0.0",
"Metadata": "SolutionMetadata.json",
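Review bot: `"Version"` stays at `3.0.0` on the context line below the new arrays, while the packaged `mainTemplate.json` in this same change declares `_solutionVersion` 3.0.1 and a `Package/3.0.1.zip` is added; the generated version string is expected to originate here, so bump it to `"Version": "3.0.1"` or the next rebuild will disagree with the shipped package. `BasePath` is also still a developer's home directory, which means nobody else can regenerate the package without editing this file; a repo-relative path is preferable. Separately, the workbook registered here ships, as serialized in the packaged mainTemplate, with a `Subscription` parameter default of a concrete `/subscriptions/<guid>` that is presumably the author's; that default should be cleared to an empty value in `Workbooks/KeeperSecurityDashboard.json` before publishing, both to avoid leaking the tenant's subscription id and so the selector defaults to the installing customer's subscription.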
diff --git a/Solutions/Keeper Security/Package/3.0.1.zip b/Solutions/Keeper Security/Package/3.0.1.zip
new file mode 100644
index 00000000000..2ddb4270f49
Binary files /dev/null and b/Solutions/Keeper Security/Package/3.0.1.zip differ
diff --git a/Solutions/Keeper Security/Package/createUiDefinition.json b/Solutions/Keeper Security/Package/createUiDefinition.json
index d3ed2114e92..715aa4db9b9 100644
--- a/Solutions/Keeper Security/Package/createUiDefinition.json
+++ b/Solutions/Keeper Security/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
- "description": "
\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Keeper%20Security/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Keeper Security](https://keepersecurity.com/) solution for Microsoft Sentinel enables you to ingest [Keeper Security](https://keepersecurity.com/) forwarded into Microsoft Sentinel using the Microsoft Sentinel Analytics Workspace.\n\n**Data Connectors:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "
\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Keeper%20Security/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Keeper Security](https://keepersecurity.com/) solution for Microsoft Sentinel enables you to ingest [Keeper Security](https://keepersecurity.com/) forwarded into Microsoft Sentinel using the Microsoft Sentinel Analytics Workspace.\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 2\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
@@ -74,6 +74,104 @@
}
}
]
+ },
+ {
+ "name": "workbooks",
+ "label": "Workbooks",
+ "subLabel": {
+ "preValidation": "Configure the workbooks",
+ "postValidation": "Done"
+ },
+ "bladeTitle": "Workbooks",
+ "elements": [
+ {
+ "name": "workbooks-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This solution installs workbook(s) to help you gain insights into the telemetry collected in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view."
+ }
+ },
+ {
+ "name": "workbooks-link",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "link": {
+ "label": "Learn more",
+ "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data"
+ }
+ }
+ },
+ {
+ "name": "workbook1",
+ "type": "Microsoft.Common.Section",
+ "label": "Keeper Security Dashboard",
+ "elements": [
+ {
+ "name": "workbook1-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This workbook contains visualizations and insights in the Keeper Security environment."
+ }
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "name": "analytics",
+ "label": "Analytics",
+ "subLabel": {
+ "preValidation": "Configure the analytics",
+ "postValidation": "Done"
+ },
+ "bladeTitle": "Analytics",
+ "elements": [
+ {
+ "name": "analytics-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view."
+ }
+ },
+ {
+ "name": "analytics-link",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "link": {
+ "label": "Learn more",
+ "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
+ }
+ }
+ },
+ {
+ "name": "analytic1",
+ "type": "Microsoft.Common.Section",
+ "label": "Keeper Security - Password Changed",
+ "elements": [
+ {
+ "name": "analytic1-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Creates an informational incident based on Keeper Security Password Changed data in Microsoft Sentinel"
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic2",
+ "type": "Microsoft.Common.Section",
+ "label": "Keeper Security - User MFA Changed",
+ "elements": [
+ {
+ "name": "analytic2-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Creates an informational incident based on Keeper Security User MFA Changed data in Microsoft Sentinel"
+ }
+ }
+ ]
+ }
+ ]
}
],
"outputs": {
diff --git a/Solutions/Keeper Security/Package/mainTemplate.json b/Solutions/Keeper Security/Package/mainTemplate.json
index 4d1059b7e4b..21d41547fad 100644
--- a/Solutions/Keeper Security/Package/mainTemplate.json
+++ b/Solutions/Keeper Security/Package/mainTemplate.json
@@ -41,15 +41,37 @@
"metadata": {
"description": "subscription id where Microsoft Sentinel is setup"
}
+ },
+ "workbook1-name": {
+ "type": "string",
+ "defaultValue": "Keeper Security Dashboard",
+ "minLength": 1,
+ "metadata": {
+ "description": "Name for the workbook"
+ }
}
},
"variables": {
"email": "jsantos@keepersecurity.com",
"_email": "[variables('email')]",
"_solutionName": "Keeper Security",
- "_solutionVersion": "3.0.0",
+ "_solutionVersion": "3.0.1",
"solutionId": "keepersecurity.keeper-security-integration",
"_solutionId": "[variables('solutionId')]",
+ "analyticRuleObject1": {
+ "analyticRuleVersion1": "1.0.3",
+ "_analyticRulecontentId1": "f031fbbc-37d8-4667-b795-d386bf2b5ab2",
+ "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'f031fbbc-37d8-4667-b795-d386bf2b5ab2')]",
+ "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('f031fbbc-37d8-4667-b795-d386bf2b5ab2')))]",
+ "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f031fbbc-37d8-4667-b795-d386bf2b5ab2','-', '1.0.3')))]"
+ },
+ "analyticRuleObject2": {
+ "analyticRuleVersion2": "1.0.3",
+ "_analyticRulecontentId2": "75ffc8a4-86db-4f48-8506-cb4c049be484",
+ "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '75ffc8a4-86db-4f48-8506-cb4c049be484')]",
+ "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('75ffc8a4-86db-4f48-8506-cb4c049be484')))]",
+ "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','75ffc8a4-86db-4f48-8506-cb4c049be484','-', '1.0.3')))]"
+ },
"workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
"dataConnectorCCPVersion": "1.0.0",
"_dataConnectorContentIdConnectorDefinition1": "KeeperSecurityPush2",
@@ -58,9 +80,259 @@
"dataConnectorTemplateNameConnections1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnections1')))]",
"dataCollectionEndpointId1": "[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]",
"blanks": "[replace('b', 'b', '')]",
+ "workbookVersion1": "1.0.0",
+ "workbookContentId1": "KeeperSecurityDashboard",
+ "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]",
+ "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]",
+ "_workbookContentId1": "[variables('workbookContentId1')]",
+ "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]",
"_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
},
"resources": [
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleObject1').analyticRuleTemplateSpecName1]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Keeper Security - Alternate Master Password_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
+ "apiVersion": "2023-02-01-preview",
+ "kind": "NRT",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Creates an informational incident based on Keeper Security Password Changed data in Microsoft Sentinel",
+ "displayName": "Keeper Security - Password Changed",
+ "enabled": false,
+ "query": "KeeperSecurityEventNewLogs_CL\n| where AuditEvent == \"change_master_password\"\n",
+ "severity": "Informational",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "dataTypes": [
+ "KeeperSecurityEventNewLogs_CL"
+ ],
+ "connectorId": "KeeperSecurityPush2"
+ }
+ ],
+ "tactics": [
+ "Persistence"
+ ],
+ "entityMappings": [
+ {
+ "fieldMappings": [
+ {
+ "columnName": "Username",
+ "identifier": "FullName"
+ }
+ ],
+ "entityType": "Account"
+ },
+ {
+ "fieldMappings": [
+ {
+ "columnName": "RemoteAddress",
+ "identifier": "Address"
+ }
+ ],
+ "entityType": "IP"
+ }
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "AlertPerResult"
+ },
+ "alertDetailsOverride": {
+ "alertDescriptionFormat": "{{AuditEvent}} has been captured in the Keeper Security Event Logs",
+ "alertDisplayNameFormat": "{{AuditEvent}} on {{RemoteAddress}}"
+ },
+ "incidentConfiguration": {
+ "groupingConfiguration": {
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5H",
+ "enabled": false,
+ "matchingMethod": "AllEntities"
+ },
+ "createIncident": true
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject1').analyticRuleId1,'/'))))]",
+ "properties": {
+ "description": "Keeper Security Analytics Rule 1",
+ "parentId": "[variables('analyticRuleObject1').analyticRuleId1]",
+ "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleObject1').analyticRuleVersion1]",
+ "source": {
+ "kind": "Solution",
+ "name": "Keeper Security",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Joao Paulo Oliveira Santos",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Keeper Security",
+ "email": "support@keepersecurity.com",
+ "tier": "Partner",
+ "link": "https://www.keepersecurity.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Keeper Security - Password Changed",
+ "contentProductId": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]",
+ "id": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]",
+ "version": "[variables('analyticRuleObject1').analyticRuleVersion1]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleObject2').analyticRuleTemplateSpecName2]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Keeper Security - User MFA Changed_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRuleObject2')._analyticRulecontentId2]",
+ "apiVersion": "2023-02-01-preview",
+ "kind": "NRT",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Creates an informational incident based on Keeper Security User MFA Changed data in Microsoft Sentinel",
+ "displayName": "Keeper Security - User MFA Changed",
+ "enabled": false,
+ "query": "KeeperSecurityEventNewLogs_CL\n| where AuditEvent in (```set_two_factor_off```, ```set_two_factor_on```)\n",
+ "severity": "Informational",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "dataTypes": [
+ "KeeperSecurityEventNewLogs_CL"
+ ],
+ "connectorId": "KeeperSecurityPush2"
+ }
+ ],
+ "tactics": [
+ "Persistence"
+ ],
+ "entityMappings": [
+ {
+ "fieldMappings": [
+ {
+ "columnName": "Username",
+ "identifier": "FullName"
+ }
+ ],
+ "entityType": "Account"
+ },
+ {
+ "fieldMappings": [
+ {
+ "columnName": "RemoteAddress",
+ "identifier": "Address"
+ }
+ ],
+ "entityType": "IP"
+ }
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "AlertPerResult"
+ },
+ "alertDetailsOverride": {
+ "alertDescriptionFormat": "{{AuditEvent}} has been captured in the Keeper Security Event Logs",
+ "alertDisplayNameFormat": "{{AuditEvent}} on {{RemoteAddress}}"
+ },
+ "incidentConfiguration": {
+ "groupingConfiguration": {
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5H",
+ "enabled": false,
+ "matchingMethod": "AllEntities"
+ },
+ "createIncident": true
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject2').analyticRuleId2,'/'))))]",
+ "properties": {
+ "description": "Keeper Security Analytics Rule 2",
+ "parentId": "[variables('analyticRuleObject2').analyticRuleId2]",
+ "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleObject2').analyticRuleVersion2]",
+ "source": {
+ "kind": "Solution",
+ "name": "Keeper Security",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Joao Paulo Oliveira Santos",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Keeper Security",
+ "email": "support@keepersecurity.com",
+ "tier": "Partner",
+ "link": "https://www.keepersecurity.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Keeper Security - User MFA Changed",
+ "contentProductId": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]",
+ "id": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]",
+ "version": "[variables('analyticRuleObject2').analyticRuleVersion2]"
+ }
+ },
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
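Review bot: Both packaged rules carry `"suppressionDuration": "PT1H"` while both source YAMLs in this change set `suppressionDuration: PT5H`, which suggests the package was not regenerated from the YAML as committed (or the tool normalised the value; either way the artefacts disagree). It is harmless today because `suppressionEnabled` is false in both, but the 3.0.1 package should be rebuilt once the YAML is final so the templates customers install match the reviewed source. The templates install with `"enabled": false`, as content templates normally do, so nothing fires until a customer creates a rule from them; that is worth stating in the release notes. The `variables` object this hunk finishes is opened in the previous hunk, and the `resources` array it begins continues past the hunk.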
@@ -730,17 +1002,105 @@
"version": "[variables('dataConnectorCCPVersion')]"
}
},
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('workbookTemplateSpecName1')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "KeeperSecurityDashboard Workbook with template version 3.0.1",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('workbookVersion1')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Insights/workbooks",
+ "name": "[variables('workbookContentId1')]",
+ "location": "[parameters('workspace-location')]",
+ "kind": "shared",
+ "apiVersion": "2021-08-01",
+ "metadata": {
+ "description": "This workbook contains visualizations and insights in the Keeper Security environment."
+ },
+ "properties": {
+ "displayName": "[parameters('workbook1-name')]",
+ "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Keeper Security Audit Logs Analysis\"},\"name\":\"text - 1\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Subscription}\"],\"parameters\":[{\"id\":\"1ca69445-60fc-4806-b43d-ac7e6aad630a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscription\",\"type\":6,\"isRequired\":true,\"value\":\"/subscriptions/8c6a2ccf-3647-416c-b18c-4d9299c73e59\",\"typeSettings\":{\"includeAll\":false},\"label\":\"☁️ Subscription\"},{\"id\":\"e94aafa3-c5d9-4523-89f0-4e87aa754511\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspace\",\"type\":5,\"isRequired\":true,\"query\":\"Resources \\n| where type =~ \\\"microsoft.operationalinsights/workspaces\\\" \\n| order by name \\n| project id, name, selected=row_number()==1, group=resourceGroup\",\"crossComponentResources\":[\"{Subscription}\"],\"typeSettings\":{\"resourceTypeFilter\":{\"microsoft.operationalinsights/workspaces\":true}},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"label\":\"🗂️ Workspace\",\"value\":\"\"},{\"id\":\"c4b69c01-2263-4ada-8d9c-43433b739ff3\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":2592000000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2592000000}],\"allowCustom\":true},\"label\":\"⏱️ Time Range\"}],\"style\":\"above\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},\"name\":\"parameters - 
1\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"182ff415-dc4f-42d3-a39a-eab397510bc7\",\"cellValue\":\"selectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Overview\",\"subTarget\":\"Overview\",\"style\":\"link\"},{\"id\":\"0d78c03f-f8d7-40da-8761-3ef454b14ad8\",\"cellValue\":\"selectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"User Analysis\",\"subTarget\":\"UserAnalysis\",\"style\":\"link\"},{\"id\":\"security-events-tab\",\"cellValue\":\"selectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Security Events\",\"subTarget\":\"SecurityEvents\",\"style\":\"link\"}]},\"name\":\"links - tabs\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Overview\",\"loadType\":\"always\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"KeeperSecurityEventNewLogs_CL\\n| summarize count() by bin(TimeGenerated, 1h), Category\\n| order by TimeGenerated asc\",\"size\":1,\"title\":\"Events Over Time by Category\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"areachart\"},\"name\":\"events-timeline\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"KeeperSecurityEventNewLogs_CL\\n| where isnotempty(RemoteAddress)\\n| extend GeoIP = geo_info_from_ip_address(RemoteAddress)\\n| extend Country = tostring(GeoIP.country), City = tostring(GeoIP.city)\\n| extend Latitude = toreal(GeoIP.latitude), Longitude = toreal(GeoIP.longitude)\\n| where isnotempty(Country)\\n| summarize EventCount = count() by Country, City, Latitude, Longitude\\n| top 20 by EventCount\",\"size\":0,\"title\":\"Geographic Distribution of 
Events\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"map\",\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Country\",\"sizeSettings\":\"EventCount\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"EventCount\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"nodeColorField\":\"EventCount\",\"colorAggregation\":\"Sum\",\"type\":\"heatmap\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"50\",\"name\":\"geographic-map\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"KeeperSecurityEventNewLogs_CL\\n| distinct Username\\n| count\",\"size\":4,\"title\":\"Active Users\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"showBorder\":false}},\"customWidth\":\"25\",\"name\":\"active-users-tile\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"KeeperSecurityEventNewLogs_CL\\n| summarize TotalEvents = count()\\n| extend TotalEvents\",\"size\":4,\"title\":\"Total Events\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"TotalEvents\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"showBorder\":false}},\"customWidth\":\"25\",\"name\":\"total-events-tile\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"KeeperSecurityEventNewLogs_CL\\n| summarize count() by Category\\n| order by count_ desc\",\"size\":1,\"title\":\"Events by 
Category\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"50\",\"name\":\"events-by-category\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"KeeperSecurityEventNewLogs_CL\\n| summarize count() by AuditEvent\\n| order by count_ desc\\n| limit 10\",\"size\":1,\"title\":\"Top 10 Audit Events\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\"},\"customWidth\":\"50\",\"name\":\"top-audit-events\"}]},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Overview\"},\"name\":\"Group: Overview\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"User Analysis\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"user-selection-method\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"UserSelectionMethod\",\"label\":\"Select User Method\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\n {\\\"value\\\": \\\"name\\\", \\\"label\\\": \\\"Select User by Name\\\", \\\"selected\\\":true },\\n {\\\"value\\\": \\\"search\\\", \\\"label\\\": \\\"Search User\\\"}\\n]\",\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"user-selection-method\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"selected-username\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SelectedUsername\",\"label\":\"Select User\",\"type\":2,\"isRequired\":true,\"query\":\"KeeperSecurityEventNewLogs_CL\\n| where TimeGenerated {TimeRange:query}\\n| where isnotempty(Username)\\n| summarize Count = count() by Username\\n| order by Count desc, 
Username asc\\n| project Value = Username, Label = strcat(Username, ' - ', Count, ' events'), Selected = false\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"\"}],\"style\":\"above\",\"doNotRunWhenHidden\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"UserSelectionMethod\",\"comparison\":\"isEqualTo\",\"value\":\"name\"},\"name\":\"user-selection-dropdown\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"KeeperSecurityEventNewLogs_CL\\n| where Username == '{SelectedUsername:query}'\\n| where isnotempty(RemoteAddress)\\n| extend GeoIP = geo_info_from_ip_address(RemoteAddress)\\n| extend Country = tostring(GeoIP.country), City = tostring(GeoIP.city)\\n| extend Latitude = toreal(GeoIP.latitude), Longitude = toreal(GeoIP.longitude)\\n| where isnotempty(Country) and isnotempty(Latitude)\\n| summarize EventCount = count() by Country, City, Latitude, Longitude\\n| order by EventCount desc\\n\",\"size\":0,\"title\":\"User Geographic Activity:\",\"timeContextFromParameter\":\"TimeRange\",\"exportToExcelOptions\":\"all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"map\",\"mapSettings\":{\"locInfo\":\"LatLong\",\"latitude\":\"Latitude\",\"longitude\":\"Longitude\",\"sizeSettings\":\"EventCount\",\"sizeAggregation\":\"Sum\",\"labelSettings\":\"City\",\"legendMetric\":\"EventCount\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"EventCount\",\"heatmapPalette\":\"categorical\"}}},\"customWidth\":\"50\",\"name\":\"user-geographic-activity\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"KeeperSecurityEventNewLogs_CL\\n| where Username == 
'{SelectedUsername:query}'\\n| summarize count() by bin(TimeGenerated, 1h)\\n| order by TimeGenerated asc\",\"size\":1,\"title\":\"User Activity Pattern: {SelectedUsername}\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"areachart\"},\"customWidth\":\"50\",\"name\":\"user-activity-pattern\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"KeeperSecurityEventNewLogs_CL\\n| where Username == '{SelectedUsername:query}'\\n| extend GeoIP = geo_info_from_ip_address(RemoteAddress)\\n| extend Country = tostring(GeoIP.country), City = tostring(GeoIP.city)\\n| project TimeGenerated, Username, AuditEvent, Category, RemoteAddress, City, Country, ClientVersion, Data\\n| order by TimeGenerated desc\",\"size\":1,\"title\":\"Detailed Activity for User: {SelectedUsername}\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":6},{\"columnMatch\":\"RemoteAddress\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"gray\"}]}}],\"filter\":true}},\"name\":\"user-detailed-activity\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"KeeperSecurityEventNewLogs_CL\\n| where Username == '{SelectedUsername:query}'\\n| summarize count() by Category\\n| order by count_ desc\",\"size\":4,\"title\":\"Event Categories for {SelectedUsername}\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"50\",\"name\":\"user-event-categories\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"KeeperSecurityEventNewLogs_CL\\n| where Username == '{SelectedUsername}'\\n| summarize count() by 
AuditEvent\\n| order by count_ desc\\n| limit 10\",\"size\":4,\"title\":\"Top Audit Events: {SelectedUsername}\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"50\",\"name\":\"user-top-events\"}]},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"UserAnalysis\"},\"name\":\"Group: UserAnalysis\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Security Events\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"KeeperSecurityEventNewLogs_CL\\n| extend GeoIP = geo_info_from_ip_address(RemoteAddress)\\n| extend Country = tostring(GeoIP.country)\\n| where isnotempty(Country)\\n| summarize UniqueUsers = dcount(Username), TotalEvents = count() by Country\\n| order by TotalEvents desc\\n| limit 20\",\"size\":1,\"title\":\"Security Events by Country\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TotalEvents\",\"formatter\":3,\"formatOptions\":{\"palette\":\"greenRed\"}},{\"columnMatch\":\"UniqueUsers\",\"formatter\":3,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"security-events-by-country\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"KeeperSecurityEventNewLogs_CL\\n| summarize EventCount = count() by Username\\n| order by EventCount desc\\n| limit 20\",\"size\":1,\"title\":\"Most Active Users\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\"},\"customWidth\":\"50\",\"name\":\"most-active-users\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"KeeperSecurityEventNewLogs_CL\\n| extend Hour = 
datetime_part('hour', TimeGenerated)\\n| summarize EventCount = count() by Hour\\n| order by Hour asc\",\"size\":1,\"title\":\"Activity by Hour of Day\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"columnchart\"},\"name\":\"activity-by-hour\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"KeeperSecurityEventNewLogs_CL\\n| summarize EventCount = count() by RemoteAddress\\n| order by EventCount desc\\n| limit 20\",\"size\":1,\"title\":\"Top Source IP Addresses\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RemoteAddress\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"gray\"}]}},{\"columnMatch\":\"EventCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"greenRed\"}}]}},\"name\":\"top-source-ips\"}]},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"SecurityEvents\"},\"name\":\"Group: SecurityEvents\"}],\"fromTemplateId\":\"sentinel-KeeperSecurityDashboard\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n",
+ "version": "1.0",
+ "sourceId": "[variables('workspaceResourceId')]",
+ "category": "sentinel"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]",
+ "properties": {
+ "description": "@{workbookKey=KeeperSecurityDashboard; logoFileName=keeper_security.svg; description=This workbook contains visualizations and insights in the Keeper Security environment.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=Keeper Security Dashboard; templateRelativePath=KeeperSecurityDashboard.json; subtitle=; provider=Keeper Security}.description",
+ "parentId": "[variables('workbookId1')]",
+ "contentId": "[variables('_workbookContentId1')]",
+ "kind": "Workbook",
+ "version": "[variables('workbookVersion1')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Keeper Security",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Joao Paulo Oliveira Santos",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Keeper Security",
+ "email": "support@keepersecurity.com",
+ "tier": "Partner",
+ "link": "https://www.keepersecurity.com"
+ },
+ "dependencies": {
+ "operator": "AND",
+ "criteria": [
+ {
+ "contentId": "KeeperSecurityEventNewLogs_CL",
+ "kind": "DataType"
+ },
+ {
+ "contentId": "KeeperSecurityPush2",
+ "kind": "DataConnector"
+ }
+ ]
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_workbookContentId1')]",
+ "contentKind": "Workbook",
+ "displayName": "[parameters('workbook1-name')]",
+ "contentProductId": "[variables('_workbookcontentProductId1')]",
+ "id": "[variables('_workbookcontentProductId1')]",
+ "version": "[variables('workbookVersion1')]"
+ }
+ },
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages",
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
- "version": "3.0.0",
+ "version": "3.0.1",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
"displayName": "Keeper Security",
"publisherDisplayName": "Keeper Security",
- "descriptionHtml": "
Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Keeper Security solution for Microsoft Sentinel enables you to ingest Keeper Security forwarded into Microsoft Sentinel using the Microsoft Sentinel Analytics Workspace.
\nData Connectors: 1
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n", + "descriptionHtml": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Keeper Security solution for Microsoft Sentinel enables you to ingest Keeper Security forwarded into Microsoft Sentinel using the Microsoft Sentinel Analytics Workspace.
\nData Connectors: 1, Workbooks: 1, Analytic Rules: 2
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
"contentKind": "Solution",
"contentProductId": "[variables('_solutioncontentProductId')]",
"id": "[variables('_solutioncontentProductId')]",
@@ -765,10 +1125,25 @@
"dependencies": {
"operator": "AND",
"criteria": [
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
+ "version": "[variables('analyticRuleObject1').analyticRuleVersion1]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]",
+ "version": "[variables('analyticRuleObject2').analyticRuleVersion2]"
+ },
{
"kind": "DataConnector",
"contentId": "[variables('_dataConnectorContentIdConnections1')]",
"version": "[variables('dataConnectorCCPVersion')]"
+ },
+ {
+ "kind": "Workbook",
+ "contentId": "[variables('_workbookContentId1')]",
+ "version": "[variables('workbookVersion1')]"
}
]
},
diff --git a/Solutions/Keeper Security/Package/testParameters.json b/Solutions/Keeper Security/Package/testParameters.json
index 554801e41b7..f96f0a92493 100644
--- a/Solutions/Keeper Security/Package/testParameters.json
+++ b/Solutions/Keeper Security/Package/testParameters.json
@@ -34,5 +34,13 @@
"metadata": {
"description": "subscription id where Microsoft Sentinel is setup"
}
+ },
+ "workbook1-name": {
+ "type": "string",
+ "defaultValue": "Keeper Security Dashboard",
+ "minLength": 1,
+ "metadata": {
+ "description": "Name for the workbook"
+ }
}
}
diff --git a/Solutions/Keeper Security/ReleaseNotes.md b/Solutions/Keeper Security/ReleaseNotes.md
index e7995136ee3..c06f22cdcbb 100644
--- a/Solutions/Keeper Security/ReleaseNotes.md
+++ b/Solutions/Keeper Security/ReleaseNotes.md
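Review bot: The embedded workbook's Subscription parameter ships with a hard-coded default inside serializedData, `\"value\":\"/subscriptions/8c6a2ccf-3647-416c-b18c-4d9299c73e59\"`, which publishes a specific subscription ID from the author's environment to every tenant that installs this template and leaves the Workspace picker empty wherever that subscription does not exist. Set it to `\"value\":\"\"` (as the Workspace parameter already does) or drop the key so the picker defaults to the installer's own subscription. The same default appears in the standalone Solutions/Keeper Security/Workbooks/KeeperSecurityDashboard.json hunk later in this diff, and since serializedData must stay in sync with that file both should be fixed together. Separately, the Workbook metadata resource's `description` is a serialized PowerShell hashtable (`@{workbookKey=KeeperSecurityDashboard; ... }.description`) rather than the workbook's description text, which looks like a packaging-script artefact worth regenerating before release.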
@@ -1,5 +1,5 @@
-# Release Notes
-
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|----------------------------------------|
+| 3.0.1 | 25-07-2025 | Added new **Analytic Rules** and **Workbook** |
| 3.0.0 | 11-06-2025 | Initial Solution Release with KeeperSecurity **Data Connector** CCP. |
+
diff --git a/Solutions/Keeper Security/Workbooks/KeeperSecurityDashboard.json b/Solutions/Keeper Security/Workbooks/KeeperSecurityDashboard.json
new file mode 100644
index 00000000000..c4b7cd2ef7c
--- /dev/null
+++ b/Solutions/Keeper Security/Workbooks/KeeperSecurityDashboard.json
@@ -0,0 +1,591 @@ +{ + "version": "Notebook/1.0", + "items": [ + { + "type": 1, + "content": { + "json": "## Keeper Security Audit Logs Analysis" + }, + "name": "text - 1" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Subscription}" + ], + "parameters": [ + { + "id": "1ca69445-60fc-4806-b43d-ac7e6aad630a", + "version": "KqlParameterItem/1.0", + "name": "Subscription", + "type": 6, + "isRequired": true, + "value": "/subscriptions/8c6a2ccf-3647-416c-b18c-4d9299c73e59", + "typeSettings": { + "includeAll": false + }, + "label": "☁️ Subscription" + }, + { + "id": "e94aafa3-c5d9-4523-89f0-4e87aa754511", + "version": "KqlParameterItem/1.0", + "name": "Workspace", + "type": 5, + "isRequired": true, + "query": "Resources \n| where type =~ \"microsoft.operationalinsights/workspaces\" \n| order by name \n| project id, name, selected=row_number()==1, group=resourceGroup", + "crossComponentResources": [ + "{Subscription}" + ], + "typeSettings": { + "resourceTypeFilter": { + "microsoft.operationalinsights/workspaces": true + } + }, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources", + "label": "🗂️ Workspace", + "value": "" + }, + { + "id": "c4b69c01-2263-4ada-8d9c-43433b739ff3", + "version": "KqlParameterItem/1.0", + "name": "TimeRange", + "type": 4, + "isRequired": true, + "value": { + "durationMs": 2592000000 + }, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 3600000 + }, + { + "durationMs": 14400000 + }, + { + "durationMs": 43200000 + }, + { + "durationMs": 86400000 + }, + { + "durationMs": 172800000 + }, + { + "durationMs": 604800000 + }, + { + "durationMs": 1209600000 + }, + { + "durationMs": 2592000000 + } + ], + "allowCustom": true + }, + "label": "⏱️ Time Range" + } + ], + "style": "above", + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources" + }, + "name": "parameters - 1" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": 
"tabs", + "links": [ + { + "id": "182ff415-dc4f-42d3-a39a-eab397510bc7", + "cellValue": "selectedTab", + "linkTarget": "parameter", + "linkLabel": "Overview", + "subTarget": "Overview", + "style": "link" + }, + { + "id": "0d78c03f-f8d7-40da-8761-3ef454b14ad8", + "cellValue": "selectedTab", + "linkTarget": "parameter", + "linkLabel": "User Analysis", + "subTarget": "UserAnalysis", + "style": "link" + }, + { + "id": "security-events-tab", + "cellValue": "selectedTab", + "linkTarget": "parameter", + "linkLabel": "Security Events", + "subTarget": "SecurityEvents", + "style": "link" + } + ] + }, + "name": "links - tabs" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "Overview", + "loadType": "always", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "KeeperSecurityEventNewLogs_CL\n| summarize count() by bin(TimeGenerated, 1h), Category\n| order by TimeGenerated asc", + "size": 1, + "title": "Events Over Time by Category", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "areachart" + }, + "name": "events-timeline" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "KeeperSecurityEventNewLogs_CL\n| where isnotempty(RemoteAddress)\n| extend GeoIP = geo_info_from_ip_address(RemoteAddress)\n| extend Country = tostring(GeoIP.country), City = tostring(GeoIP.city)\n| extend Latitude = toreal(GeoIP.latitude), Longitude = toreal(GeoIP.longitude)\n| where isnotempty(Country)\n| summarize EventCount = count() by Country, City, Latitude, Longitude\n| top 20 by EventCount", + "size": 0, + "title": "Geographic Distribution of Events", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "map", + "mapSettings": { + "locInfo": "CountryRegion", + "locInfoColumn": "Country", + 
"sizeSettings": "EventCount", + "sizeAggregation": "Sum", + "legendMetric": "EventCount", + "legendAggregation": "Sum", + "itemColorSettings": { + "nodeColorField": "EventCount", + "colorAggregation": "Sum", + "type": "heatmap", + "heatmapPalette": "greenRed" + } + } + }, + "customWidth": "50", + "name": "geographic-map" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "KeeperSecurityEventNewLogs_CL\n| distinct Username\n| count", + "size": 4, + "title": "Active Users", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": { + "formatter": 1 + }, + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "auto" + } + }, + "showBorder": false + } + }, + "customWidth": "25", + "name": "active-users-tile" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "KeeperSecurityEventNewLogs_CL\n| summarize TotalEvents = count()\n| extend TotalEvents", + "size": 4, + "title": "Total Events", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": { + "formatter": 1 + }, + "leftContent": { + "columnMatch": "TotalEvents", + "formatter": 12, + "formatOptions": { + "palette": "auto" + } + }, + "showBorder": false + } + }, + "customWidth": "25", + "name": "total-events-tile" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "KeeperSecurityEventNewLogs_CL\n| summarize count() by Category\n| order by count_ desc", + "size": 1, + "title": "Events by Category", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart" + }, + "customWidth": "50", + "name": "events-by-category" + }, + { + "type": 3, + "content": { + 
"version": "KqlItem/1.0", + "query": "KeeperSecurityEventNewLogs_CL\n| summarize count() by AuditEvent\n| order by count_ desc\n| limit 10", + "size": 1, + "title": "Top 10 Audit Events", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "barchart" + }, + "customWidth": "50", + "name": "top-audit-events" + } + ] + }, + "conditionalVisibility": { + "parameterName": "selectedTab", + "comparison": "isEqualTo", + "value": "Overview" + }, + "name": "Group: Overview" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "User Analysis", + "items": [ + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "user-selection-method", + "version": "KqlParameterItem/1.0", + "name": "UserSelectionMethod", + "label": "Select User Method", + "type": 10, + "isRequired": true, + "typeSettings": { + "showDefault": false + }, + "jsonData": "[\n {\"value\": \"name\", \"label\": \"Select User by Name\", \"selected\":true },\n {\"value\": \"search\", \"label\": \"Search User\"}\n]", + "timeContext": { + "durationMs": 86400000 + } + } + ], + "style": "above", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "user-selection-method" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "selected-username", + "version": "KqlParameterItem/1.0", + "name": "SelectedUsername", + "label": "Select User", + "type": 2, + "isRequired": true, + "query": "KeeperSecurityEventNewLogs_CL\n| where TimeGenerated {TimeRange:query}\n| where isnotempty(Username)\n| summarize Count = count() by Username\n| order by Count desc, Username asc\n| project Value = Username, Label = strcat(Username, ' - ', Count, ' events'), Selected = false", + "typeSettings": { + "showDefault": false + }, + "timeContext": { + "durationMs": 2592000000 + 
}, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "value": "" + } + ], + "style": "above", + "doNotRunWhenHidden": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "conditionalVisibility": { + "parameterName": "UserSelectionMethod", + "comparison": "isEqualTo", + "value": "name" + }, + "name": "user-selection-dropdown" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "KeeperSecurityEventNewLogs_CL\n| where Username == '{SelectedUsername:query}'\n| where isnotempty(RemoteAddress)\n| extend GeoIP = geo_info_from_ip_address(RemoteAddress)\n| extend Country = tostring(GeoIP.country), City = tostring(GeoIP.city)\n| extend Latitude = toreal(GeoIP.latitude), Longitude = toreal(GeoIP.longitude)\n| where isnotempty(Country) and isnotempty(Latitude)\n| summarize EventCount = count() by Country, City, Latitude, Longitude\n| order by EventCount desc\n", + "size": 0, + "title": "User Geographic Activity:", + "timeContextFromParameter": "TimeRange", + "exportToExcelOptions": "all", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "map", + "mapSettings": { + "locInfo": "LatLong", + "latitude": "Latitude", + "longitude": "Longitude", + "sizeSettings": "EventCount", + "sizeAggregation": "Sum", + "labelSettings": "City", + "legendMetric": "EventCount", + "legendAggregation": "Sum", + "itemColorSettings": { + "type": "heatmap", + "colorAggregation": "Sum", + "nodeColorField": "EventCount", + "heatmapPalette": "categorical" + } + } + }, + "customWidth": "50", + "name": "user-geographic-activity" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "KeeperSecurityEventNewLogs_CL\n| where Username == '{SelectedUsername:query}'\n| summarize count() by bin(TimeGenerated, 1h)\n| order by TimeGenerated asc", + "size": 1, + "title": "User Activity Pattern: 
{SelectedUsername}", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "areachart" + }, + "customWidth": "50", + "name": "user-activity-pattern" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "KeeperSecurityEventNewLogs_CL\n| where Username == '{SelectedUsername:query}'\n| extend GeoIP = geo_info_from_ip_address(RemoteAddress)\n| extend Country = tostring(GeoIP.country), City = tostring(GeoIP.city)\n| project TimeGenerated, Username, AuditEvent, Category, RemoteAddress, City, Country, ClientVersion, Data\n| order by TimeGenerated desc", + "size": 1, + "title": "Detailed Activity for User: {SelectedUsername}", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "formatters": [ + { + "columnMatch": "TimeGenerated", + "formatter": 6 + }, + { + "columnMatch": "RemoteAddress", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "representation": "gray" + } + ] + } + } + ], + "filter": true + } + }, + "name": "user-detailed-activity" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "KeeperSecurityEventNewLogs_CL\n| where Username == '{SelectedUsername:query}'\n| summarize count() by Category\n| order by count_ desc", + "size": 4, + "title": "Event Categories for {SelectedUsername}", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart" + }, + "customWidth": "50", + "name": "user-event-categories" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "KeeperSecurityEventNewLogs_CL\n| where Username == '{SelectedUsername}'\n| summarize count() by AuditEvent\n| order by count_ desc\n| limit 10", + "size": 4, + "title": 
"Top Audit Events: {SelectedUsername}", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart" + }, + "customWidth": "50", + "name": "user-top-events" + } + ] + }, + "conditionalVisibility": { + "parameterName": "selectedTab", + "comparison": "isEqualTo", + "value": "UserAnalysis" + }, + "name": "Group: UserAnalysis" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "Security Events", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "KeeperSecurityEventNewLogs_CL\n| extend GeoIP = geo_info_from_ip_address(RemoteAddress)\n| extend Country = tostring(GeoIP.country)\n| where isnotempty(Country)\n| summarize UniqueUsers = dcount(Username), TotalEvents = count() by Country\n| order by TotalEvents desc\n| limit 20", + "size": 1, + "title": "Security Events by Country", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "formatters": [ + { + "columnMatch": "TotalEvents", + "formatter": 3, + "formatOptions": { + "palette": "greenRed" + } + }, + { + "columnMatch": "UniqueUsers", + "formatter": 3, + "formatOptions": { + "palette": "blue" + } + } + ] + } + }, + "customWidth": "50", + "name": "security-events-by-country" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "KeeperSecurityEventNewLogs_CL\n| summarize EventCount = count() by Username\n| order by EventCount desc\n| limit 20", + "size": 1, + "title": "Most Active Users", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "barchart" + }, + "customWidth": "50", + "name": "most-active-users" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": 
"KeeperSecurityEventNewLogs_CL\n| extend Hour = datetime_part('hour', TimeGenerated)\n| summarize EventCount = count() by Hour\n| order by Hour asc", + "size": 1, + "title": "Activity by Hour of Day", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "columnchart" + }, + "name": "activity-by-hour" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "KeeperSecurityEventNewLogs_CL\n| summarize EventCount = count() by RemoteAddress\n| order by EventCount desc\n| limit 20", + "size": 1, + "title": "Top Source IP Addresses", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "formatters": [ + { + "columnMatch": "RemoteAddress", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "representation": "gray" + } + ] + } + }, + { + "columnMatch": "EventCount", + "formatter": 3, + "formatOptions": { + "palette": "greenRed" + } + } + ] + } + }, + "name": "top-source-ips" + } + ] + }, + "conditionalVisibility": { + "parameterName": "selectedTab", + "comparison": "isEqualTo", + "value": "SecurityEvents" + }, + "name": "Group: SecurityEvents" + } + ], + "fallbackResourceIds": [], + "fromTemplateId": "sentinel-KeeperSecurityDashboard", + "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json" +} \ No newline at end of file diff --git a/Workbooks/Images/Logos/keeper_security.svg b/Workbooks/Images/Logos/keeper_security.svg new file mode 100644 index 00000000000..2248c731f55 --- /dev/null +++ b/Workbooks/Images/Logos/keeper_security.svg @@ -0,0 +1,14 @@ + 
diff --git a/Workbooks/Images/Preview/KeeperSecurityDashboard01Black.png b/Workbooks/Images/Preview/KeeperSecurityDashboard01Black.png new file mode 100644 index 00000000000..e8259400168 Binary files /dev/null and b/Workbooks/Images/Preview/KeeperSecurityDashboard01Black.png differ diff --git a/Workbooks/Images/Preview/KeeperSecurityDashboard01White.png b/Workbooks/Images/Preview/KeeperSecurityDashboard01White.png new file mode 100644 index 00000000000..4c63478d1d3 Binary files /dev/null and b/Workbooks/Images/Preview/KeeperSecurityDashboard01White.png differ diff --git a/Workbooks/Images/Preview/KeeperSecurityDashboard02Black.png b/Workbooks/Images/Preview/KeeperSecurityDashboard02Black.png new file mode 100644 index 00000000000..adf27a19138 Binary files /dev/null and b/Workbooks/Images/Preview/KeeperSecurityDashboard02Black.png differ diff --git a/Workbooks/Images/Preview/KeeperSecurityDashboard02White.png b/Workbooks/Images/Preview/KeeperSecurityDashboard02White.png new file mode 100644 index 00000000000..f2c95fc2152 Binary files /dev/null and b/Workbooks/Images/Preview/KeeperSecurityDashboard02White.png differ diff --git a/Workbooks/Images/Preview/KeeperSecurityDashboard03Black.png b/Workbooks/Images/Preview/KeeperSecurityDashboard03Black.png new file mode 100644 index 00000000000..eaaf566e917 Binary files /dev/null and b/Workbooks/Images/Preview/KeeperSecurityDashboard03Black.png differ diff --git a/Workbooks/Images/Preview/KeeperSecurityDashboard03White.png b/Workbooks/Images/Preview/KeeperSecurityDashboard03White.png new file mode 100644 index 00000000000..bfe5ec5e062 Binary files /dev/null and b/Workbooks/Images/Preview/KeeperSecurityDashboard03White.png differ diff --git a/Workbooks/KeeperSecurityDashboard.json b/Workbooks/KeeperSecurityDashboard.json new file mode 100644 index 00000000000..c4b7cd2ef7c --- /dev/null +++ b/Workbooks/KeeperSecurityDashboard.json 
@@ -0,0 +1,591 @@ +{ + "version": "Notebook/1.0", + "items": [ + { + "type": 1, + "content": { + "json": "## Keeper Security Audit Logs Analysis" + }, + "name": "text - 1" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Subscription}" + ], + "parameters": [ + { + "id": "1ca69445-60fc-4806-b43d-ac7e6aad630a", + "version": "KqlParameterItem/1.0", + "name": "Subscription", + "type": 6, + "isRequired": true, + "value": "/subscriptions/8c6a2ccf-3647-416c-b18c-4d9299c73e59", + "typeSettings": { + "includeAll": false + }, + "label": "☁️ Subscription" + }, + { + "id": "e94aafa3-c5d9-4523-89f0-4e87aa754511", + "version": "KqlParameterItem/1.0", + "name": "Workspace", + "type": 5, + "isRequired": true, + "query": "Resources \n| where type =~ \"microsoft.operationalinsights/workspaces\" \n| order by name \n| project id, name, selected=row_number()==1, group=resourceGroup", + "crossComponentResources": [ + "{Subscription}" + ], + "typeSettings": { + "resourceTypeFilter": { + "microsoft.operationalinsights/workspaces": true + } + }, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources", + "label": "🗂️ Workspace", + "value": "" + }, + { + "id": "c4b69c01-2263-4ada-8d9c-43433b739ff3", + "version": "KqlParameterItem/1.0", + "name": "TimeRange", + "type": 4, + "isRequired": true, + "value": { + "durationMs": 2592000000 + }, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 3600000 + }, + { + "durationMs": 14400000 + }, + { + "durationMs": 43200000 + }, + { + "durationMs": 86400000 + }, + { + "durationMs": 172800000 + }, + { + "durationMs": 604800000 + }, + { + "durationMs": 1209600000 + }, + { + "durationMs": 2592000000 + } + ], + "allowCustom": true + }, + "label": "⏱️ Time Range" + } + ], + "style": "above", + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources" + }, + "name": "parameters - 1" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": 
"tabs", + "links": [ + { + "id": "182ff415-dc4f-42d3-a39a-eab397510bc7", + "cellValue": "selectedTab", + "linkTarget": "parameter", + "linkLabel": "Overview", + "subTarget": "Overview", + "style": "link" + }, + { + "id": "0d78c03f-f8d7-40da-8761-3ef454b14ad8", + "cellValue": "selectedTab", + "linkTarget": "parameter", + "linkLabel": "User Analysis", + "subTarget": "UserAnalysis", + "style": "link" + }, + { + "id": "security-events-tab", + "cellValue": "selectedTab", + "linkTarget": "parameter", + "linkLabel": "Security Events", + "subTarget": "SecurityEvents", + "style": "link" + } + ] + }, + "name": "links - tabs" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "Overview", + "loadType": "always", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "KeeperSecurityEventNewLogs_CL\n| summarize count() by bin(TimeGenerated, 1h), Category\n| order by TimeGenerated asc", + "size": 1, + "title": "Events Over Time by Category", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "areachart" + }, + "name": "events-timeline" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "KeeperSecurityEventNewLogs_CL\n| where isnotempty(RemoteAddress)\n| extend GeoIP = geo_info_from_ip_address(RemoteAddress)\n| extend Country = tostring(GeoIP.country), City = tostring(GeoIP.city)\n| extend Latitude = toreal(GeoIP.latitude), Longitude = toreal(GeoIP.longitude)\n| where isnotempty(Country)\n| summarize EventCount = count() by Country, City, Latitude, Longitude\n| top 20 by EventCount", + "size": 0, + "title": "Geographic Distribution of Events", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "map", + "mapSettings": { + "locInfo": "CountryRegion", + "locInfoColumn": "Country", + 
"sizeSettings": "EventCount", + "sizeAggregation": "Sum", + "legendMetric": "EventCount", + "legendAggregation": "Sum", + "itemColorSettings": { + "nodeColorField": "EventCount", + "colorAggregation": "Sum", + "type": "heatmap", + "heatmapPalette": "greenRed" + } + } + }, + "customWidth": "50", + "name": "geographic-map" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "KeeperSecurityEventNewLogs_CL\n| distinct Username\n| count", + "size": 4, + "title": "Active Users", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": { + "formatter": 1 + }, + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "auto" + } + }, + "showBorder": false + } + }, + "customWidth": "25", + "name": "active-users-tile" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "KeeperSecurityEventNewLogs_CL\n| summarize TotalEvents = count()\n| extend TotalEvents", + "size": 4, + "title": "Total Events", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": { + "formatter": 1 + }, + "leftContent": { + "columnMatch": "TotalEvents", + "formatter": 12, + "formatOptions": { + "palette": "auto" + } + }, + "showBorder": false + } + }, + "customWidth": "25", + "name": "total-events-tile" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "KeeperSecurityEventNewLogs_CL\n| summarize count() by Category\n| order by count_ desc", + "size": 1, + "title": "Events by Category", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart" + }, + "customWidth": "50", + "name": "events-by-category" + }, + { + "type": 3, + "content": { + 
"version": "KqlItem/1.0", + "query": "KeeperSecurityEventNewLogs_CL\n| summarize count() by AuditEvent\n| order by count_ desc\n| limit 10", + "size": 1, + "title": "Top 10 Audit Events", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "barchart" + }, + "customWidth": "50", + "name": "top-audit-events" + } + ] + }, + "conditionalVisibility": { + "parameterName": "selectedTab", + "comparison": "isEqualTo", + "value": "Overview" + }, + "name": "Group: Overview" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "User Analysis", + "items": [ + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "user-selection-method", + "version": "KqlParameterItem/1.0", + "name": "UserSelectionMethod", + "label": "Select User Method", + "type": 10, + "isRequired": true, + "typeSettings": { + "showDefault": false + }, + "jsonData": "[\n {\"value\": \"name\", \"label\": \"Select User by Name\", \"selected\":true },\n {\"value\": \"search\", \"label\": \"Search User\"}\n]", + "timeContext": { + "durationMs": 86400000 + } + } + ], + "style": "above", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "user-selection-method" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "selected-username", + "version": "KqlParameterItem/1.0", + "name": "SelectedUsername", + "label": "Select User", + "type": 2, + "isRequired": true, + "query": "KeeperSecurityEventNewLogs_CL\n| where TimeGenerated {TimeRange:query}\n| where isnotempty(Username)\n| summarize Count = count() by Username\n| order by Count desc, Username asc\n| project Value = Username, Label = strcat(Username, ' - ', Count, ' events'), Selected = false", + "typeSettings": { + "showDefault": false + }, + "timeContext": { + "durationMs": 2592000000 + 
}, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "value": "" + } + ], + "style": "above", + "doNotRunWhenHidden": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "conditionalVisibility": { + "parameterName": "UserSelectionMethod", + "comparison": "isEqualTo", + "value": "name" + }, + "name": "user-selection-dropdown" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "KeeperSecurityEventNewLogs_CL\n| where Username == '{SelectedUsername:query}'\n| where isnotempty(RemoteAddress)\n| extend GeoIP = geo_info_from_ip_address(RemoteAddress)\n| extend Country = tostring(GeoIP.country), City = tostring(GeoIP.city)\n| extend Latitude = toreal(GeoIP.latitude), Longitude = toreal(GeoIP.longitude)\n| where isnotempty(Country) and isnotempty(Latitude)\n| summarize EventCount = count() by Country, City, Latitude, Longitude\n| order by EventCount desc\n", + "size": 0, + "title": "User Geographic Activity:", + "timeContextFromParameter": "TimeRange", + "exportToExcelOptions": "all", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "map", + "mapSettings": { + "locInfo": "LatLong", + "latitude": "Latitude", + "longitude": "Longitude", + "sizeSettings": "EventCount", + "sizeAggregation": "Sum", + "labelSettings": "City", + "legendMetric": "EventCount", + "legendAggregation": "Sum", + "itemColorSettings": { + "type": "heatmap", + "colorAggregation": "Sum", + "nodeColorField": "EventCount", + "heatmapPalette": "categorical" + } + } + }, + "customWidth": "50", + "name": "user-geographic-activity" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "KeeperSecurityEventNewLogs_CL\n| where Username == '{SelectedUsername:query}'\n| summarize count() by bin(TimeGenerated, 1h)\n| order by TimeGenerated asc", + "size": 1, + "title": "User Activity Pattern: 
{SelectedUsername}", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "areachart" + }, + "customWidth": "50", + "name": "user-activity-pattern" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "KeeperSecurityEventNewLogs_CL\n| where Username == '{SelectedUsername:query}'\n| extend GeoIP = geo_info_from_ip_address(RemoteAddress)\n| extend Country = tostring(GeoIP.country), City = tostring(GeoIP.city)\n| project TimeGenerated, Username, AuditEvent, Category, RemoteAddress, City, Country, ClientVersion, Data\n| order by TimeGenerated desc", + "size": 1, + "title": "Detailed Activity for User: {SelectedUsername}", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "formatters": [ + { + "columnMatch": "TimeGenerated", + "formatter": 6 + }, + { + "columnMatch": "RemoteAddress", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "representation": "gray" + } + ] + } + } + ], + "filter": true + } + }, + "name": "user-detailed-activity" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "KeeperSecurityEventNewLogs_CL\n| where Username == '{SelectedUsername:query}'\n| summarize count() by Category\n| order by count_ desc", + "size": 4, + "title": "Event Categories for {SelectedUsername}", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart" + }, + "customWidth": "50", + "name": "user-event-categories" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "KeeperSecurityEventNewLogs_CL\n| where Username == '{SelectedUsername}'\n| summarize count() by AuditEvent\n| order by count_ desc\n| limit 10", + "size": 4, + "title": 
"Top Audit Events: {SelectedUsername}", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart" + }, + "customWidth": "50", + "name": "user-top-events" + } + ] + }, + "conditionalVisibility": { + "parameterName": "selectedTab", + "comparison": "isEqualTo", + "value": "UserAnalysis" + }, + "name": "Group: UserAnalysis" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "Security Events", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "KeeperSecurityEventNewLogs_CL\n| extend GeoIP = geo_info_from_ip_address(RemoteAddress)\n| extend Country = tostring(GeoIP.country)\n| where isnotempty(Country)\n| summarize UniqueUsers = dcount(Username), TotalEvents = count() by Country\n| order by TotalEvents desc\n| limit 20", + "size": 1, + "title": "Security Events by Country", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "formatters": [ + { + "columnMatch": "TotalEvents", + "formatter": 3, + "formatOptions": { + "palette": "greenRed" + } + }, + { + "columnMatch": "UniqueUsers", + "formatter": 3, + "formatOptions": { + "palette": "blue" + } + } + ] + } + }, + "customWidth": "50", + "name": "security-events-by-country" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "KeeperSecurityEventNewLogs_CL\n| summarize EventCount = count() by Username\n| order by EventCount desc\n| limit 20", + "size": 1, + "title": "Most Active Users", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "barchart" + }, + "customWidth": "50", + "name": "most-active-users" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": 
"KeeperSecurityEventNewLogs_CL\n| extend Hour = datetime_part('hour', TimeGenerated)\n| summarize EventCount = count() by Hour\n| order by Hour asc", + "size": 1, + "title": "Activity by Hour of Day", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "columnchart" + }, + "name": "activity-by-hour" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "KeeperSecurityEventNewLogs_CL\n| summarize EventCount = count() by RemoteAddress\n| order by EventCount desc\n| limit 20", + "size": 1, + "title": "Top Source IP Addresses", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "formatters": [ + { + "columnMatch": "RemoteAddress", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "representation": "gray" + } + ] + } + }, + { + "columnMatch": "EventCount", + "formatter": 3, + "formatOptions": { + "palette": "greenRed" + } + } + ] + } + }, + "name": "top-source-ips" + } + ] + }, + "conditionalVisibility": { + "parameterName": "selectedTab", + "comparison": "isEqualTo", + "value": "SecurityEvents" + }, + "name": "Group: SecurityEvents" + } + ], + "fallbackResourceIds": [], + "fromTemplateId": "sentinel-KeeperSecurityDashboard", + "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json" +} \ No newline at end of file diff --git a/Workbooks/WorkbooksMetadata.json b/Workbooks/WorkbooksMetadata.json index 3079a766c95..3ec54ad8d7b 100644 --- a/Workbooks/WorkbooksMetadata.json +++ b/Workbooks/WorkbooksMetadata.json 
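Review bot: The Subscription parameter in this new workbook ships with a hard-coded default, `"value": "/subscriptions/8c6a2ccf-3647-416c-b18c-4d9299c73e59"`, which looks like the author's own subscription; in a published template that discloses a tenant identifier and gives every other tenant an invalid default for a required parameter. Change it to `"value": ""` (or drop the `value` key) so the picker resolves the subscription at load time, as the Workspace parameter already does. Separately, the `user-top-events` tile filters with `'{SelectedUsername}'` while every other tile in the User Analysis group uses `'{SelectedUsername:query}'`; aligning on `:query` keeps parameter formatting consistent across the group. The earlier hunk in this commit appears to be a copy of the same workbook but starts outside this chunk, so the same default should be checked there too.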
@@ -9333,5 +9333,29 @@ "source": { "kind": "Community" } + }, + { + "workbookKey": "KeeperSecurityDashboard", + "logoFileName": "keeper_security.svg", + "description": "This workbook contains visualizations and insights in the Keeper Security environment.", + "dataTypesDependencies": [ + "KeeperSecurityEventNewLogs_CL" + ], + "dataConnectorsDependencies": [ + "KeeperSecurityPush2" + ], + "previewImagesFileNames": [ + "KeeperSecurityDashboard01White.png", + "KeeperSecurityDashboard02White.png", + "KeeperSecurityDashboard03White.png", + "KeeperSecurityDashboard01Black.png", + "KeeperSecurityDashboard02Black.png", + "KeeperSecurityDashboard03Black.png" + ], + "version": "1.0.0", + "title": "Keeper Security Dashboard", + "templateRelativePath": "KeeperSecurityDashboard.json", + "subtitle": "", + "provider": "Keeper Security" } -] +] \ No newline at end of file
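Review bot: The final `-]`/`+]` pair changes nothing but the file's trailing newline, leaving WorkbooksMetadata.json with `\ No newline at end of file`; keep the closing `]` followed by a newline so the next entry appended here does not produce the same spurious one-line diff. The new entry also leaves `"subtitle": ""`, which the gallery will render as blank, so either supply a short subtitle or omit the key if the loader treats it as optional.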