diff --git a/Azure AD Workbooks/Identity Protection Workbooks/IdentityProtection_RiskAnalysis_Prevew.workbook b/Azure AD Workbooks/Identity Protection Workbooks/IdentityProtection_RiskAnalysis_Prevew.workbook
deleted file mode 100644
index fc34992..0000000
--- a/Azure AD Workbooks/Identity Protection Workbooks/IdentityProtection_RiskAnalysis_Prevew.workbook
+++ /dev/null
@@ -1,1116 +0,0 @@ -{ - "version": "Notebook/1.0", - "items": [ - { - "type": 1, - "content": { - "json": "# Identity Protection Risk Analysis \n" - }, - "customWidth": "60", - "name": "text - 5" - }, - { - "type": 9, - "content": { - "version": "KqlParameterItem/1.0", - "parameters": [ - { - "id": "84eebf73-be69-410d-9b95-72ad02b7ab30", - "version": "KqlParameterItem/1.0", - "name": "Workspace", - "type": 5, - "isRequired": true, - "multiSelect": true, - "quote": "'", - "delimiter": ",", - "typeSettings": { - "resourceTypeFilter": { - "microsoft.operationalinsights/workspaces": true - }, - "additionalResourceOptions": [ - "value::1" - ], - "showDefault": false - }, - "timeContext": { - "durationMs": 0 - }, - "timeContextFromParameter": "TimeRange" - }, - { - "id": "14270858-14b9-4fa7-8375-d7d583fcfc9f", - "version": "KqlParameterItem/1.0", - "name": "Guide", - "type": 10, - "isRequired": true, - "typeSettings": { - "additionalResourceOptions": [], - "showDefault": false - }, - "jsonData": "[\r\n {\"value\": \"On\", \"label\": \"On\", \"selected\":true},\r\n {\"value\": \"Off\", \"label\": \"Off\"}\r\n]" - }, - { - "id": "7bb4cbcc-f0d2-44b5-a82f-565ad66bf987", - "version": "KqlParameterItem/1.0", - "name": "Time", - "type": 4, - "isRequired": true, - "typeSettings": { - "selectableValues": [ - { - "durationMs": 3600000 - }, - { - "durationMs": 86400000 - }, - { - "durationMs": 604800000 - }, - { - "durationMs": 2592000000 - }, - { - "durationMs": 5184000000 - } - ], - "allowCustom": true - }, - "timeContextFromParameter": "TimeRange", - "value": { - "durationMs": 5184000000 - } - } - ], - "style": "pills", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "customWidth": "100", - "name": "parameters - 24 - Copy - Copy" - }, - { - "type": 1, - "content": { - "json": "## Guide to using this workbook\r\n\r\nIn order to use this workbook, you must be collecting \"RiskyUsers\" and \"UserRiskEvents\" logs. 
Please check your Diagnostic Settings to make sure these logs are being sent to your Logs Analytics Workspace. \r\n\r\n\r\n### What is Identity Protection\r\nIdentity Protection is a tool that allows organizations to accomplish three key tasks:\r\n\r\n\t1. Automate the detection and remediation of identity-based risks.\r\n\t2. Investigate risks using data in the portal.\r\n\t3. Export risk detection data to your SIEM.\r\n\r\nIdentity Protection uses the learnings Microsoft has acquired from their position in organizations with Azure AD, the consumer space with Microsoft Accounts, and in gaming with Xbox to protect your users. Microsoft analyses 6.5 trillion signals per day to identify and protect customers from threats.\r\n\r\nThe signals generated by and fed to Identity Protection, can be further fed into tools like Conditional Access to make access decisions, or fed back to a security information and event management (SIEM) tool for further investigation based on your organization's enforced policies.... [Learn more](https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection).\r\n\r\n\r\n### Feedback\r\nLeave your feedback at https://aka.ms/risk-workbook-feedback\r\n\r\n### Troubleshooting\r\nIf all the graphs are not rendering, try hitting the refresh button at the top of page or selecting a smaller time range parameter.\r\n\r\n\r\n" - }, - "conditionalVisibility": { - "parameterName": "Guide", - "comparison": "isEqualTo", - "value": "On" - }, - "name": "Getting started" - }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "items": [ - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "items": [ - { - "type": 1, - "content": { - "json": "# Heatmap of Risk Risk Detections" - }, - "name": "text - 23" - }, - { - "type": 1, - "content": { - "json": "Map location is based on longitude and latiude data. 
Size of the circles are based on number of risk detections. Color of circles are based on the Weighted Risk = Number of Detections x Weight\r\n\r\nWeight: High Risk = 10, Medium Risk = 5, Low Risk = 1\r\n\r\nLower risk circles are yellow and higher risk circles are red.\r\n\r\n" - }, - "name": "text - 2" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "AADUserRiskEvents\r\n| where UserDisplayName != \"\"\r\n| extend ParseLocation = parse_json(Location)\r\n| extend City = iff(ParseLocation.city == '', 'Unknown', tostring(ParseLocation.city))\r\n| extend State = iff(ParseLocation.state == '', 'Unknown', tostring(ParseLocation.state))\r\n| extend GeoCoord = ParseLocation.geoCoordinates\r\n| extend ParseGeoCoord = parse_json(GeoCoord)\r\n| extend Latitude = ParseGeoCoord.latitude\r\n| extend Longitude = ParseGeoCoord.longitude\r\n| extend LowRiskWeight = iff(RiskLevel == \"low\", 1, 0)\r\n| extend MedRiskWeight = iff(RiskLevel == \"medium\", 5, 0)\r\n| extend HighRiskWeight = iff(RiskLevel == \"high\", 10, 0)\r\n| extend TotalRiskWeight = LowRiskWeight + MedRiskWeight + HighRiskWeight\r\n| project UserDisplayName,RiskLevel, Location, Latitude, Longitude, City, State, TotalRiskWeight\r\n| summarize Count = count() by UserDisplayName, tostring(Latitude), tostring(Longitude), City, State, TotalRiskWeight\r\n//| summarize LocationCount = count() by tostring(Latitude)\r\n| sort by Count desc", - "size": 3, - "showAnalytics": true, - "timeContext": { - "durationMs": 5184000000 - }, - "timeContextFromParameter": "Time", - "showExportToExcel": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - ], - "visualization": "map", - "mapSettings": { - "locInfo": "LatLong", - "latitude": "Latitude", - "longitude": "Longitude", - "sizeSettings": "Count", - "sizeAggregation": "Sum", - "labelSettings": "City", - "legendMetric": "Count", - "numberOfMetrics": 50, - 
"legendAggregation": "Sum", - "itemColorSettings": { - "nodeColorField": "TotalRiskWeight", - "colorAggregation": "Count", - "type": "heatmap", - "heatmapPalette": "yellowOrangeRed" - } - } - }, - "showPin": false, - "name": "query - 25 - Copy" - } - ] - }, - "name": "group - 17" - }, - { - "type": 1, - "content": { - "json": "# Offline vs Real-Time Risk Detections" - }, - "name": "text - 4" - }, - { - "type": 1, - "content": { - "json": "Real-Time detections may not show up in reporting for five to ten minutes. Offline detections may not show up in reporting for two to twenty-four hours.\r\nThe offline risk events are those that cannot be remediated via a sign in risk policy, and are important for admins to investigate/turn on risky users policy to remediate​" - }, - "name": "text - 17 - Copy" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "AADUserRiskEvents\r\n//|summarize RiskEvents = count () by bin (TimeGenerated, 1h)\r\n|where IpAddress != ''\r\n| summarize count() by bin (TimeGenerated, 1h), DetectionTimingType", - "size": 0, - "showAnalytics": true, - "title": "Hourly Risk Detections - Offline vs. 
Real Time", - "timeContext": { - "durationMs": 5184000000 - }, - "timeContextFromParameter": "Time", - "showExportToExcel": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - ], - "visualization": "barchart", - "chartSettings": { - "seriesLabelSettings": [ - { - "seriesName": "RiskEvents", - "color": "gray" - }, - { - "seriesName": "offline", - "label": "Offline", - "color": "blue" - }, - { - "seriesName": "realtime", - "label": "Real-Time", - "color": "orange" - }, - { - "color": "orange" - } - ] - } - }, - "customWidth": "50", - "name": "query - 25 - Copy" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "AADUserRiskEvents\r\n//|summarize RiskEvents = count () by bin (TimeGenerated, 1h)\r\n|where IpAddress != ''\r\n| summarize count() by bin (TimeGenerated, 1h), DetectionTimingType", - "size": 3, - "showAnalytics": true, - "title": "Total Count - Offline vs. Real Time", - "timeContext": { - "durationMs": 5184000000 - }, - "timeContextFromParameter": "Time", - "showExportToExcel": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - ], - "visualization": "piechart", - "chartSettings": { - "seriesLabelSettings": [ - { - "seriesName": "RiskEvents", - "color": "gray" - }, - { - "seriesName": "high", - "label": "High", - "color": "redBright" - }, - { - "seriesName": "medium", - "label": "Medium", - "color": "orange" - }, - { - "seriesName": "low", - "label": "Low", - "color": "yellow" - }, - { - "seriesName": "none", - "label": "None", - "color": "green" - }, - { - "seriesName": "offline", - "label": "Offline", - "color": "blue" - }, - { - "seriesName": "realtime", - "label": "Real-Time", - "color": "orange" - } - ] - } - }, - "customWidth": "50", - "name": "query - 25 - Copy - Copy" - } - ] - }, - "name": "group - 13" - }, - { - "type": 12, - "content": { - "version": 
"NotebookGroup/1.0", - "groupType": "editable", - "items": [ - { - "type": 1, - "content": { - "json": "# Risk Detection Trends" - }, - "customWidth": "100", - "name": "text - 5b" - }, - { - "type": 9, - "content": { - "version": "KqlParameterItem/1.0", - "parameters": [ - { - "id": "483c5e61-6d4b-408d-9fd1-d9bf7edd6b73", - "version": "KqlParameterItem/1.0", - "name": "DetectionTimingType", - "type": 2, - "multiSelect": true, - "quote": "'", - "delimiter": ",", - "value": [ - "value::all" - ], - "typeSettings": { - "additionalResourceOptions": [ - "value::all" - ], - "showDefault": false - }, - "jsonData": "[\r\n { \"value\":\"offline\", \"label\":\"Offline\" },\r\n { \"value\":\"realtime\", \"label\":\"Real-Time\", \"selected\":true }\r\n]", - "defaultValue": "value::all" - }, - { - "id": "2aa046f2-df65-4560-a7e4-021ce814d3ed", - "version": "KqlParameterItem/1.0", - "name": "riskLevel", - "label": "RiskLevel", - "type": 2, - "multiSelect": true, - "quote": "'", - "delimiter": ",", - "value": [ - "value::all" - ], - "typeSettings": { - "additionalResourceOptions": [ - "value::all" - ], - "showDefault": false - }, - "jsonData": "[\r\n {\"value\":\"high\", \"label\":\"High\" },\r\n { \"value\":\"medium\", \"label\":\"Medium\" },\r\n { \"value\":\"low\", \"label\":\"Low\"},\r\n { \"value\":\"none\", \"label\":\"None\", \"selected\":true }\r\n]", - "defaultValue": "value::all" - } - ], - "style": "pills", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "customWidth": "75", - "name": "parameters - 24 - Copy - Copy - Copy" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "AADUserRiskEvents\r\n|where IpAddress != ''\r\n| extend riskLevel = case(RiskLevel == \"\", \"none\", RiskLevel)\r\n| where DetectionTimingType in ({DetectionTimingType}) or '*' in ({DetectionTimingType})\r\n| where RiskLevel in ({riskLevel}) or '*' in ({riskLevel})\r\n| summarize count() by bin (TimeGenerated, 1h), riskLevel", - "size": 
0, - "showAnalytics": true, - "title": "Hourly Risk Detections by Level", - "timeContext": { - "durationMs": 5184000000 - }, - "timeContextFromParameter": "Time", - "showExportToExcel": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - ], - "visualization": "unstackedbar", - "chartSettings": { - "seriesLabelSettings": [ - { - "seriesName": "high", - "label": "High", - "color": "red" - }, - { - "seriesName": "medium", - "label": "Medium", - "color": "orange" - }, - { - "seriesName": "low", - "label": "Low", - "color": "blue" - }, - { - "seriesName": "none", - "label": "No Risk", - "color": "gray" - } - ] - } - }, - "customWidth": "50", - "name": "query - 25" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "AADUserRiskEvents\r\n|where IpAddress != ''\r\n| extend riskLevel = case(RiskLevel == \"\", \"none\", RiskLevel)\r\n| where DetectionTimingType in ({DetectionTimingType}) or '*' in ({DetectionTimingType})\r\n| where RiskLevel in ({riskLevel}) or '*' in ({riskLevel})\r\n| summarize count() by bin (TimeGenerated, 1h), riskLevel\r\n|sort by riskLevel desc\r\n", - "size": 3, - "showAnalytics": true, - "title": "Total Count by Risk Level", - "timeContext": { - "durationMs": 5184000000 - }, - "timeContextFromParameter": "Time", - "showExportToExcel": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - ], - "visualization": "piechart", - "chartSettings": { - "seriesLabelSettings": [ - { - "seriesName": "medium", - "label": "Medium", - "color": "orange" - }, - { - "seriesName": "high", - "label": "High", - "color": "red" - }, - { - "seriesName": "low", - "label": "Low", - "color": "blue" - }, - { - "seriesName": "none", - "label": "No Risk", - "color": "gray" - } - ] - } - }, - "customWidth": "50", - "name": "query - 25 - Copy - Copy - Copy" - }, - { - "type": 3, - "content": { - 
"version": "KqlItem/1.0", - "query": "AADUserRiskEvents\r\n|where IpAddress != ''\r\n| extend riskLevel = case(RiskLevel == \"\", \"none\", RiskLevel)\r\n| where DetectionTimingType in ({DetectionTimingType}) or '*' in ({DetectionTimingType})\r\n| where RiskLevel in ({riskLevel}) or '*' in ({riskLevel})\r\n|summarize RiskEvents = count () by bin (TimeGenerated, 1h), RiskEventType", - "size": 0, - "showAnalytics": true, - "title": "Hourly Risk Detections Event Type", - "timeContext": { - "durationMs": 5184000000 - }, - "timeContextFromParameter": "Time", - "showExportToExcel": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - ], - "visualization": "barchart", - "chartSettings": { - "seriesLabelSettings": [ - { - "seriesName": "newCountry", - "label": "New Country", - "color": "blueDark" - }, - { - "seriesName": "unfamiliarFeatures", - "label": "Unfamiliar Features", - "color": "purple" - }, - { - "seriesName": "riskyIPAddress", - "label": "Risky IP Address", - "color": "blue" - }, - { - "seriesName": "passwordSpray", - "label": "Password Spray", - "color": "orange" - }, - { - "seriesName": "adminConfirmedUserCompromised", - "label": "Confirmed User Compromise", - "color": "red" - }, - { - "seriesName": "anonymizedIPAddress", - "label": "Anonymized IP Address", - "color": "pink" - }, - { - "seriesName": "mcasImpossibleTravel", - "color": "magenta" - } - ] - } - }, - "customWidth": "50", - "name": "query - 25 - Copy" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "\r\nAADUserRiskEvents\r\n|where IpAddress != ''\r\n| extend riskLevel = case(RiskLevel == \"\", \"none\", RiskLevel)\r\n| where DetectionTimingType in ({DetectionTimingType}) or '*' in ({DetectionTimingType})\r\n| where RiskLevel in ({riskLevel}) or '*' in ({riskLevel})\r\n|project RiskEventType, UserDisplayName\r\n|extend riskEvent = case(RiskEventType == \"\", \"blank\", 
RiskEventType)\r\n|summarize count() by riskEvent\r\n|sort by riskEvent desc\r\n", - "size": 3, - "showAnalytics": true, - "title": "Total Count by Risk Event Type", - "timeContext": { - "durationMs": 5184000000 - }, - "timeContextFromParameter": "Time", - "showExportToExcel": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - ], - "visualization": "piechart", - "chartSettings": { - "seriesLabelSettings": [ - { - "seriesName": "newCountry", - "label": "New Country", - "color": "blueDark" - }, - { - "seriesName": "unfamiliarFeatures", - "label": "Unfamiliar Features", - "color": "purple" - }, - { - "seriesName": "riskyIPAddress", - "label": "Risky IP Address", - "color": "blue" - }, - { - "seriesName": "passwordSpray", - "label": "Password Spray", - "color": "orange" - }, - { - "seriesName": "adminConfirmedUserCompromised", - "label": "Confirmed User Compromise", - "color": "red" - }, - { - "seriesName": "anonymizedIPAddress", - "label": "Anonymized IP Address", - "color": "pink" - }, - { - "seriesName": "mcasImpossibleTravel", - "label": "MCAS Impossible Travel", - "color": "magenta" - } - ] - } - }, - "customWidth": "50", - "showPin": true, - "name": "query - 25 - Copy - Copy" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "AADUserRiskEvents\r\n|where IpAddress != ''\r\n| extend riskLevel = case(RiskLevel == \"\", \"none\", RiskLevel)\r\n| where DetectionTimingType in ({DetectionTimingType}) or '*' in ({DetectionTimingType})\r\n| where RiskLevel in ({riskLevel}) or '*' in ({riskLevel})\r\n| summarize TotalCount= count(), HighRiskCount = countif(riskLevel == \"high\"), MediumRiskCount = countif(riskLevel == \"medium\"), LowRiskCount = countif(riskLevel == \"low\"), NoRiskCount = countif(riskLevel==\"none\") by UserDisplayName\r\n| sort by HighRiskCount, MediumRiskCount, LowRiskCount desc\r\n", - "size": 3, - "title": "Count of Risk Detections by User", - 
"timeContext": { - "durationMs": 5184000000 - }, - "timeContextFromParameter": "Time", - "showExportToExcel": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - ], - "visualization": "table", - "gridSettings": { - "rowLimit": 10 - }, - "sortBy": [], - "tileSettings": { - "showBorder": false, - "titleContent": { - "columnMatch": "IpAddress", - "formatter": 1 - }, - "leftContent": { - "columnMatch": "Count", - "formatter": 12, - "formatOptions": { - "palette": "auto" - }, - "numberFormat": { - "unit": 17, - "options": { - "maximumSignificantDigits": 3, - "maximumFractionDigits": 2 - } - } - } - } - }, - "customWidth": "50", - "showPin": true, - "name": "query - 29 - Copy - Copy - Copy", - "styleSettings": { - "margin": "10" - } - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "AADUserRiskEvents\r\n|where IpAddress != ''\r\n| extend riskLevel = case(RiskLevel == \"\", \"none\", RiskLevel)\r\n| where DetectionTimingType in ({DetectionTimingType}) or '*' in ({DetectionTimingType})\r\n| where RiskLevel in ({riskLevel}) or '*' in ({riskLevel})\r\n| summarize TotalCount= count(), HighRiskCount = countif(riskLevel == \"high\"), MediumRiskCount = countif(riskLevel == \"medium\"), LowRiskCount = countif(riskLevel == \"low\"), NoRiskCount = countif(riskLevel == \"none\") by IpAddress\r\n|sort by HighRiskCount, MediumRiskCount, LowRiskCount desc", - "size": 0, - "title": "Risk Detections by IP Address", - "timeContext": { - "durationMs": 5184000000 - }, - "timeContextFromParameter": "Time", - "showExportToExcel": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - ], - "visualization": "table", - "gridSettings": { - "rowLimit": 10 - }, - "tileSettings": { - "showBorder": false, - "titleContent": { - "columnMatch": "IpAddress", - "formatter": 1 - }, - "leftContent": { - "columnMatch": 
"Count", - "formatter": 12, - "formatOptions": { - "palette": "auto" - }, - "numberFormat": { - "unit": 17, - "options": { - "maximumSignificantDigits": 3, - "maximumFractionDigits": 2 - } - } - } - } - }, - "customWidth": "50", - "showPin": true, - "name": "query - 29 - Copy - Copy - Copy - Copy", - "styleSettings": { - "margin": "10" - } - } - ] - }, - "name": "group - 19" - }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "items": [ - { - "type": 1, - "content": { - "json": "# Risky Users\r\nA user risk represents the probability that a given identity or account is compromised.\r\n\r\nThese risks are calculated offline using Microsoft's internal and external threat intelligence sources including security researchers, law enforcement professionals, security teams at Microsoft, and other trusted sources.\r\n" - }, - "name": "text - 5" - }, - { - "type": 9, - "content": { - "version": "KqlParameterItem/1.0", - "parameters": [ - { - "id": "81337f3c-7ed4-4a93-a0ec-eca3fcbf358a", - "version": "KqlParameterItem/1.0", - "name": "RiskDetail", - "type": 2, - "multiSelect": true, - "quote": "'", - "delimiter": ",", - "value": [ - "value::all" - ], - "typeSettings": { - "additionalResourceOptions": [ - "value::all" - ], - "showDefault": false - }, - "jsonData": "[\r\n { \"value\":\"none\", \"label\":\"None\" },\r\n { \"value\":\"userPassedMFADrivenByRiskBasedPolicy\", \"label\":\"UserPassedMFAbyRiskBasedPolicies\" },\r\n { \"value\":\"userPerformedSecuredPasswordReset\", \"label\":\"UserPerformedSecuredPasswordReset\"},\r\n {\"value\":\"aiConfirmedSigninSafe\", \"label\": \"AIConfirmedSigninSafe\"},\r\n {\"value\":\"adminDismissedAllRiskForUser\", \"label\": \"AdminDismissedAllRiskForUser\", \"selected\": true }\r\n]", - "timeContext": { - "durationMs": 2592000000 - }, - "timeContextFromParameter": "Time", - "defaultValue": "value::all" - }, - { - "id": "76beea00-bcf6-4881-bd9d-2caa7a3fb038", - "version": 
"KqlParameterItem/1.0", - "name": "RiskLevel", - "type": 2, - "multiSelect": true, - "quote": "'", - "delimiter": ",", - "value": [ - "value::all" - ], - "typeSettings": { - "additionalResourceOptions": [ - "value::all" - ], - "showDefault": false - }, - "jsonData": "[\r\n { \"value\":\"high\", \"label\":\"High\"},\r\n { \"value\":\"medium\", \"label\":\"Medium\"},\r\n { \"value\":\"low\", \"label\":\"Low\"},\r\n { \"value\": \"none\", \"label\":\"None\",\"selected\":true}\r\n]", - "timeContext": { - "durationMs": 2592000000 - }, - "timeContextFromParameter": "Time", - "defaultValue": "value::all" - } - ], - "style": "pills", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "customWidth": "100", - "name": "parameters - 6", - "styleSettings": { - "margin": "50" - } - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "AADRiskyUsers\r\n| where RiskDetail in ({RiskDetail}) or '*' in ({RiskDetail})\r\n| where RiskLevel in ({RiskLevel}) or '*' in ({RiskLevel})\r\n |summarize count(RiskLevel) by bin(TimeGenerated,1d), RiskLevel\r\n\r\n", - "size": 0, - "showAnalytics": true, - "title": "Daily Count of Users by Risk Level", - "color": "turquoise", - "timeContext": { - "durationMs": 5184000000 - }, - "timeContextFromParameter": "Time", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - ], - "visualization": "barchart", - "chartSettings": { - "seriesLabelSettings": [ - { - "seriesName": "low", - "label": "Low", - "color": "blue" - }, - { - "seriesName": "none", - "label": "None", - "color": "gray" - }, - { - "seriesName": "high", - "label": "High", - "color": "red" - }, - { - "seriesName": "medium", - "label": "Medium", - "color": "orange" - }, - { - "seriesName": "hidden", - "label": "Hidden", - "color": "greenDarkDark" - } - ] - } - }, - "customWidth": "50", - "showPin": true, - "name": "query - 3 - Copy" - }, - { - "type": 3, - 
"content": { - "version": "KqlItem/1.0", - "query": "AADRiskyUsers\r\n| where RiskDetail in ({RiskDetail}) or '*' in ({RiskDetail})\r\n| where RiskLevel in ({RiskLevel}) or '*' in ({RiskLevel})\r\n|summarize count() by RiskLevel\r\n\r\n", - "size": 3, - "showAnalytics": true, - "title": "Total Count of Users by Risk Level", - "color": "turquoise", - "timeContext": { - "durationMs": 5184000000 - }, - "timeContextFromParameter": "Time", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - ], - "visualization": "piechart", - "chartSettings": { - "seriesLabelSettings": [ - { - "seriesName": "low", - "label": "Low", - "color": "blue" - }, - { - "seriesName": "none", - "label": "No Risk", - "color": "gray" - }, - { - "seriesName": "high", - "label": "High", - "color": "red" - }, - { - "seriesName": "medium", - "label": "Medium", - "color": "orange" - }, - { - "seriesName": "hidden", - "label": "Hidden", - "color": "greenDark" - } - ] - } - }, - "customWidth": "50", - "showPin": true, - "name": "query - 3 - Copy - Copy", - "styleSettings": { - "margin": "20px", - "padding": "20px" - } - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "//let startTime = ago(90d);\r\n//let endTime = now();\r\nlet noRisk = AADRiskyUsers\r\n| where TimeGenerated between (ago(90d) .. ago(20d))\r\n| where RiskLevel == 'low' or RiskLevel == 'none'\r\n| summarize by Id;\r\nlet highRisk = AADRiskyUsers\r\n| where TimeGenerated between (ago(19d).. 
now())\r\n//| where UserDisplayName in (noRisk)\r\n| where RiskLevel == 'medium' or RiskLevel == \"high\"\r\n| summarize by Id;\r\nAADRiskyUsers\r\n|where Id in (noRisk) and Id in (highRisk)\r\n|summarize by RiskLastUpdatedDateTime, UserDisplayName, RiskLevel, RiskDetail\r\n| order by RiskLastUpdatedDateTime\r\n", - "size": 3, - "showAnalytics": true, - "title": "Users with changes in Risk Level", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - ], - "gridSettings": { - "filter": true - } - }, - "customWidth": "50", - "showPin": true, - "name": "query - 3" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "\r\nAADRiskyUsers\r\n| where RiskDetail in ({RiskDetail}) or '*' in ({RiskDetail})\r\n| where RiskLevel in ({RiskLevel}) or '*' in ({RiskLevel})\r\n| summarize count() by RiskDetail", - "size": 3, - "showAnalytics": true, - "title": "Action taken on Risky Users", - "timeContext": { - "durationMs": 5184000000 - }, - "timeContextFromParameter": "Time", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - ], - "visualization": "piechart", - "chartSettings": { - "seriesLabelSettings": [ - { - "seriesName": "none", - "label": "No Action", - "color": "pink" - }, - { - "seriesName": "hidden", - "label": "Hidden", - "color": "blueDark" - }, - { - "seriesName": "adminConfirmedUserCompromised", - "label": "Admin Confirmed", - "color": "red" - }, - { - "seriesName": "adminDismissedAllRiskForUser", - "label": "Admin Dismissed", - "color": "purple" - }, - { - "seriesName": "userPerformedSecuredPasswordReset", - "label": "User Performed Password Reset", - "color": "blue" - } - ] - } - }, - "customWidth": "50", - "showPin": true, - "name": "query - 14", - "styleSettings": { - "margin": "20px", - "padding": "20px" - } - }, - { - "type": 1, - "content": { - "json": "." 
- }, - "customWidth": "50", - "name": "text - 7" - }, - { - "type": 1, - "content": { - "json": "To reduce the number of risky users with no action taken on them, [enable user risk policies for automatic remediation](https://go.microsoft.com/fwlink/?linkid=2171421)", - "style": "info" - }, - "customWidth": "50", - "name": "text - 7 - Copy" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "AADRiskyUsers\r\n//| where RiskDetail in ({RiskDetail}) or '*' in ({RiskDetail})\r\n//| where RiskLevel in ({RiskLevel}) or '*' in ({RiskLevel})\r\n| where RiskLevel == 'high'\r\n| project TimeGenerated,UserDisplayName, RiskLevel, RiskDetail\r\n| order by TimeGenerated", - "size": 3, - "showAnalytics": true, - "title": "High Risk Users by Time Generated", - "color": "red", - "timeContext": { - "durationMs": 5184000000 - }, - "timeContextFromParameter": "Time", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - ], - "visualization": "table", - "gridSettings": { - "rowLimit": 20, - "filter": true - } - }, - "customWidth": "50", - "showPin": true, - "name": "query - 17 - Copy" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "AADRiskyUsers\r\n//| where RiskDetail in ({RiskDetail}) or '*' in ({RiskDetail})\r\n//| where RiskLevel in ({RiskLevel}) or '*' in ({RiskLevel})\r\n| where RiskLevel == \"medium\"\r\n| project TimeGenerated,UserDisplayName, RiskLevel, RiskDetail\r\n| order by TimeGenerated", - "size": 3, - "showAnalytics": true, - "title": "Medium Risk Users by Time Generated", - "color": "red", - "timeContext": { - "durationMs": 5184000000 - }, - "timeContextFromParameter": "Time", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - ], - "visualization": "table", - "gridSettings": { - "rowLimit": 20, - "filter": true - } - }, - "customWidth": "50", - "showPin": true, - 
"name": "query - 17 - Copy - Copy" - } - ] - }, - "name": "group - 18" - }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "items": [ - { - "type": 1, - "content": { - "json": "# Summary" - }, - "name": "text - 34" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "AADUserRiskEvents\r\n//| summarize buildschema(Location)\r\n| where IpAddress != ''\r\n| extend ParseLocation = parse_json(Location)\r\n| extend CountryOrRegion = iff(ParseLocation.countryOrRegion == '', 'Unknown', tostring(ParseLocation.countryOrRegion))\r\n| extend GeoCoord = ParseLocation.geoCoordinates\r\n| extend ParseGeoCoord = parse_json(GeoCoord)\r\n| extend Latitude = ParseGeoCoord.latitude\r\n| extend Longitude = ParseGeoCoord.longitude\r\n| extend LowRiskWeight = iff(RiskLevel == \"low\", 1, 0)\r\n| extend MedRiskWeight = iff(RiskLevel == \"medium\", 5, 0)\r\n| extend HighRiskWeight = iff(RiskLevel == \"high\", 10, 0)\r\n| extend TotalRiskWeight = LowRiskWeight + MedRiskWeight + HighRiskWeight\r\n| project UserDisplayName,RiskLevel, Location, Latitude, Longitude, CountryOrRegion, RiskEventType, IpAddress, DetectionTimingType, TotalRiskWeight\r\n| summarize by UserDisplayName, CountryOrRegion, tostring(Latitude), tostring(Longitude), IpAddress, RiskLevel, RiskEventType, DetectionTimingType\r\n//| summarize LocationCount = count() by tostring(Latitude)\r\n| sort by RiskLevel asc\r\n", - "size": 3, - "title": "Summary of Risk Detections by Risk Level", - "timeContext": { - "durationMs": 5184000000 - }, - "timeContextFromParameter": "Time", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - ], - "visualization": "table", - "gridSettings": { - "rowLimit": 10, - "filter": true - }, - "mapSettings": { - "locInfo": "LatLong", - "latitude": "Latitude", - "longitude": "Longitude", - "sizeSettings": "Count", - "sizeAggregation": "Sum", - "labelSettings": 
"CountryOrRegion", - "legendMetric": "Count", - "numberOfMetrics": 10, - "legendAggregation": "Sum", - "itemColorSettings": { - "nodeColorField": "RiskLevel", - "colorAggregation": "Count", - "type": "heatmap", - "heatmapPalette": "greenRed" - } - } - }, - "customWidth": "100", - "name": "query - 25 - Copy - Copy" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "AADRiskyUsers\r\n| project UserDisplayName, RiskLevel, RiskDetail, RiskState, CorrelationId, TenantId\r\n| order by RiskLevel", - "size": 3, - "title": "Summary of Risky Users by Risk Level", - "color": "red", - "timeContext": { - "durationMs": 5184000000 - }, - "timeContextFromParameter": "Time", - "showExportToExcel": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - ], - "visualization": "table", - "gridSettings": { - "rowLimit": 10, - "filter": true - } - }, - "customWidth": "100", - "showPin": true, - "name": "query - 17" - } - ] - }, - "name": "group - 17" - } - ], - "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json" -} \ No newline at end of file diff --git a/Azure AD Workbooks/Identity Protection Workbooks/README.docx b/Azure AD Workbooks/Identity Protection Workbooks/README.docx deleted file mode 100644 index 5fdb74e..0000000 Binary files a/Azure AD Workbooks/Identity Protection Workbooks/README.docx and /dev/null differ