workbook.json
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspaceName": {
"type": "string"
},
"workspaceResourceGroup": {
"type": "string"
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]"
}
},
"variables": {
"workspaceId": "[resourceId(parameters('workspaceResourceGroup'), 'Microsoft.OperationalInsights/workspaces', parameters('workspaceName'))]",
"workbookId": "[guid(resourceGroup().id, 'XposedOrNot-Workbook')]"
},
"resources": [
{
"type": "microsoft.insights/workbooks",
"apiVersion": "2022-04-01",
"name": "[variables('workbookId')]",
"location": "[parameters('location')]",
"kind": "shared",
"properties": {
"displayName": "XposedOrNot Breach Intelligence",
"category": "sentinel",
"sourceId": "[variables('workspaceId')]",
"serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# \\ud83d\\udd13 XposedOrNot Breach Intelligence\\n---\"},\"name\":\"header\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"time-range\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":2592000000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":86400000,\"displayName\":\"Last 24 hours\"},{\"durationMs\":604800000,\"displayName\":\"Last 7 days\"},{\"durationMs\":2592000000,\"displayName\":\"Last 30 days\"},{\"durationMs\":7776000000,\"displayName\":\"Last 90 days\"},{\"durationMs\":31536000000,\"displayName\":\"Last 365 days\"}]},\"label\":\"Time Range\"}]},\"name\":\"parameters\"},{\"type\":1,\"content\":{\"json\":\"## \\ud83d\\udcca Overview\"},\"name\":\"yearly-header\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"XonBreachDetails_CL | summarize arg_max(TimeGenerated, *) by Email, BreachName | count | project Label=\\\"Unique Records\\\", Value=Count\",\"size\":4,\"title\":\"\\ud83d\\udccb Total Records\",\"noDataMessage\":\"0\",\"noDataMessageStyle\":3,\"showExportToExcel\":false,\"queryType\":0,\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Label\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Value\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"}}}},\"customWidth\":\"25\",\"name\":\"tile-total\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"XonBreachDetails_CL | summarize arg_max(TimeGenerated, *) by Email, BreachName | summarize Value=dcount(Email) | project Label=\\\"Unique Emails\\\", Value\",\"size\":4,\"title\":\"\\ud83d\\udce7 Unique 
Emails\",\"noDataMessage\":\"0\",\"noDataMessageStyle\":3,\"queryType\":0,\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Label\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Value\",\"formatter\":12,\"formatOptions\":{\"palette\":\"purple\"}}}},\"customWidth\":\"25\",\"name\":\"tile-emails\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"XonBreachDetails_CL | summarize arg_max(TimeGenerated, *) by Email, BreachName | summarize Value=dcount(Domain) | project Label=\\\"Domains\\\", Value\",\"size\":4,\"title\":\"\\ud83c\\udf10 Domains\",\"noDataMessage\":\"0\",\"noDataMessageStyle\":3,\"queryType\":0,\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Label\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Value\",\"formatter\":12,\"formatOptions\":{\"palette\":\"green\"}}}},\"customWidth\":\"25\",\"name\":\"tile-domains\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"XonBreachDetails_CL | summarize arg_max(TimeGenerated, *) by Email, BreachName | summarize Value=dcount(BreachName) | project Label=\\\"Breaches\\\", Value\",\"size\":4,\"title\":\"\\ud83d\\udd25 Unique Breaches\",\"noDataMessage\":\"0\",\"noDataMessageStyle\":3,\"queryType\":0,\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Label\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Value\",\"formatter\":12,\"formatOptions\":{\"palette\":\"redBright\"}}}},\"customWidth\":\"25\",\"name\":\"tile-breaches\"},{\"type\":1,\"content\":{\"json\":\"---\\n## \\ud83d\\udccb Exposed Data Analysis\"},\"name\":\"exposed-header\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"XonBreachDetails_CL | summarize arg_max(TimeGenerated, *) by Email, BreachName | where isnotempty(ExposedDataTypes) | extend DataTypes = split(ExposedDataTypes, ';') | mv-expand DataType = DataTypes | where isnotempty(DataType) | summarize Count=count() by tostring(DataType) | 
order by Count desc | take 15\",\"size\":0,\"title\":\"\\ud83d\\udcca Exposed Data Types\",\"noDataMessage\":\"Awaiting data sync...\",\"noDataMessageStyle\":3,\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"visualization\":\"barchart\",\"chartSettings\":{\"xAxis\":\"DataType\",\"yAxis\":[\"Count\"],\"seriesLabelSettings\":[{\"seriesName\":\"Count\",\"color\":\"blue\"}]}},\"customWidth\":\"50\",\"name\":\"data-types\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"XonBreachDetails_CL | summarize arg_max(TimeGenerated, *) by Email, BreachName | where isnotempty(BreachedDate) | summarize Count=count() by bin(BreachedDate, 365d) | order by BreachedDate asc\",\"size\":0,\"title\":\"\\ud83d\\udcc5 Breaches by Year\",\"noDataMessage\":\"Awaiting data sync...\",\"noDataMessageStyle\":3,\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"visualization\":\"barchart\",\"chartSettings\":{\"xAxis\":\"BreachedDate\",\"yAxis\":[\"Count\"],\"seriesLabelSettings\":[{\"seriesName\":\"Count\",\"color\":\"purple\"}]}},\"customWidth\":\"50\",\"name\":\"breaches-timeline\"},{\"type\":1,\"content\":{\"json\":\"---\\n## \\ud83d\\udcc8 Breach Timeline\"},\"name\":\"detections-header\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"XonBreachDetails_CL | summarize arg_max(TimeGenerated, *) by Email, BreachName | where isnotempty(BreachedDate) | summarize Count=count() by bin(BreachedDate, 1d) | order by BreachedDate asc\",\"size\":0,\"title\":\"\\ud83d\\udcc8 Breach Records by Date\",\"noDataMessage\":\"Awaiting data sync...\",\"noDataMessageStyle\":3,\"timeContext\":{\"durationMs\":31536000000},\"queryType\":0,\"visualization\":\"areachart\",\"chartSettings\":{\"yAxis\":[\"Count\"],\"seriesLabelSettings\":[{\"seriesName\":\"Count\",\"color\":\"blue\"}]}},\"customWidth\":\"60\",\"name\":\"timeline\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"XonBreachDetails_CL | summarize arg_max(TimeGenerated, *) by 
Email, BreachName | summarize Emails=dcount(Email) by Domain | order by Emails desc | take 10\",\"size\":0,\"title\":\"\\ud83c\\udfe2 Top Domains by Exposed Emails\",\"noDataMessage\":\"Awaiting data sync...\",\"noDataMessageStyle\":3,\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"visualization\":\"piechart\"},\"customWidth\":\"40\",\"name\":\"domains-pie\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"XonBreachDetails_CL | summarize arg_max(TimeGenerated, *) by Email, BreachName | project BreachedDate=format_datetime(BreachedDate, 'yyyy-MM-dd'), Email, EmailDomain, Domain, BreachName, PasswordRisk, ExposedRecords | order by BreachedDate desc | take 50\",\"size\":0,\"title\":\"\\ud83d\\udd0e Breach Exposure Summary\",\"noDataMessage\":\"Awaiting data sync...\",\"noDataMessageStyle\":3,\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"PasswordRisk\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"plaintext\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"easytocrack\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"green\",\"text\":\"{0}{1}\"}]}}],\"filter\":true}},\"name\":\"detections-table\"},{\"type\":1,\"content\":{\"json\":\"---\\n## \\ud83d\\udd11 Security Risk Analysis\"},\"name\":\"risk-header\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"XonBreachDetails_CL | summarize arg_max(TimeGenerated, *) by Email, BreachName | summarize Count=count() by PasswordRisk | order by Count desc\",\"size\":0,\"title\":\"\\ud83d\\udd10 Password Risk Distribution\",\"noDataMessage\":\"Awaiting data 
sync...\",\"noDataMessageStyle\":3,\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"password-risk\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"XonBreachDetails_CL | summarize arg_max(TimeGenerated, *) by Email, BreachName | summarize Records=count(), Emails=dcount(Email), TotalExposed=sum(ExposedRecords) by BreachName | order by Emails desc | take 10\",\"size\":0,\"title\":\"\\ud83d\\udd25 Top 10 Breaches\",\"noDataMessage\":\"Awaiting data sync...\",\"noDataMessageStyle\":3,\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Records\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redGreen\"}},{\"columnMatch\":\"TotalExposed\",\"formatter\":4,\"formatOptions\":{\"palette\":\"red\"}}]}},\"customWidth\":\"67\",\"name\":\"top-breaches\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"XonBreachDetails_CL | summarize arg_max(TimeGenerated, *) by Email, BreachName | where PasswordRisk == \\\"plaintext\\\" | project Email, Domain, BreachName, BreachedDate=format_datetime(BreachedDate, 'yyyy-MM-dd') | order by BreachedDate desc | take 25\",\"size\":0,\"title\":\"\\u26a0\\ufe0f Plaintext Password Exposures\",\"noDataMessage\":\"None found \\u2713\",\"noDataMessageStyle\":3,\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"visualization\":\"table\",\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"name\":\"plaintext\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"XonBreachDetails_CL | summarize arg_max(TimeGenerated, *) by Email, BreachName | summarize Count=count() by EmailDomain | order by Count desc | take 10\",\"size\":0,\"title\":\"\\ud83d\\udce7 Email Domains\",\"noDataMessage\":\"Awaiting data 
sync...\",\"noDataMessageStyle\":3,\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"visualization\":\"piechart\"},\"customWidth\":\"50\",\"name\":\"email-domains\"},{\"type\":1,\"content\":{\"json\":\"---\\n*Data sourced from [XposedOrNot](https://xposedornot.com) \\u2022 Microsoft Sentinel*\"},\"name\":\"footer\"}],\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}"
}
}
]
}