Last active
February 4, 2025 16:58
A custom version of the Connections workbook with an additional hierarchy option and additional child detail.
{ | |
"version": "Notebook/1.0", | |
"items": [ | |
{ | |
"type": 9, | |
"content": { | |
"version": "KqlParameterItem/1.0", | |
"crossComponentResources": ["{Workspaces}"], | |
"parameters": [ | |
{ | |
"id": "80a15801-7442-49f3-a82f-6e55849ec7fb", | |
"version": "KqlParameterItem/1.0", | |
"name": "DefaultWorkspace", | |
"type": 5, | |
"isRequired": true, | |
"value": "value::1", | |
"isHiddenWhenLocked": true, | |
"typeSettings": { | |
"resourceTypeFilter": { | |
"microsoft.operationalinsights/workspaces": true | |
}, | |
"additionalResourceOptions": ["value::1"] | |
} | |
}, | |
{ | |
"id": "90119d28-e9c1-4c0d-8715-1f601d337f5c", | |
"version": "KqlParameterItem/1.0", | |
"name": "DefaultSubscription", | |
"type": 5, | |
"value": "value::1", | |
"isHiddenWhenLocked": true, | |
"typeSettings": { | |
"resourceTypeFilter": { | |
"microsoft.resources/subscriptions": true | |
}, | |
"additionalResourceOptions": ["value::1"] | |
} | |
}, | |
{ | |
"id": "7da21a07-10f4-4455-9105-c37132dcee0d", | |
"version": "KqlParameterItem/1.0", | |
"name": "ContextSelection", | |
"type": 1, | |
"query": "// {DefaultWorkspace}\r\nwhere strcat(\"'\", id, \"'\") =~ \"{DefaultWorkspace:value}\"\r\n| project value = tostring(pack('sub', subscriptionId, 'rg', resourceGroup, 'ws', id))", | |
"crossComponentResources": ["value::all"], | |
"isHiddenWhenLocked": true, | |
"queryType": 1, | |
"resourceType": "microsoft.resourcegraph/resources" | |
}, | |
{ | |
"id": "7324c544-2fd2-4d61-b529-481a0f5fd286", | |
"version": "KqlParameterItem/1.0", | |
"name": "HybridMode", | |
"type": 1, | |
"isHiddenWhenLocked": true, | |
"criteriaData": [ | |
{ | |
"condition": "if (ContextSelection is empty ), result = 'false'", | |
"criteriaContext": { | |
"leftOperand": "ContextSelection", | |
"operator": "is Empty", | |
"rightValType": "param", | |
"resultValType": "static", | |
"resultVal": "false" | |
} | |
}, | |
{ | |
"condition": "else result = 'true'", | |
"criteriaContext": { | |
"operator": "Default", | |
"rightValType": "param", | |
"resultValType": "static", | |
"resultVal": "true" | |
} | |
} | |
] | |
}, | |
{ | |
"id": "2942e38e-232e-4d89-9ada-12f9863b3c5b", | |
"version": "KqlParameterItem/1.0", | |
"name": "Subscriptions", | |
"type": 6, | |
"isRequired": true, | |
"multiSelect": true, | |
"quote": "'", | |
"delimiter": ",", | |
"query": "// {DefaultWorkspace} {ContextSelection} {DefaultSubscription}\r\nsummarize by subscriptionId\r\n| project strcat('/subscriptions/', subscriptionId), selected = iff({HybridMode} == true, iff(subscriptionId == todynamic('{ContextSelection}').sub, true, false), iff(strcat('/subscriptions/', subscriptionId) == '{DefaultSubscription}', true, false))", | |
"crossComponentResources": ["value::all"], | |
"typeSettings": { | |
"additionalResourceOptions": [] | |
}, | |
"queryType": 1, | |
"resourceType": "microsoft.resourcegraph/resources", | |
"value": ["/subscriptions/efd2877e-cc6a-4660-ab6d-60f1c33f3ded"] | |
}, | |
{ | |
"id": "2bc1e5fc-cc2d-4eb5-bead-5f7d96664dec", | |
"version": "KqlParameterItem/1.0", | |
"name": "Workspaces", | |
"type": 5, | |
"isRequired": true, | |
"multiSelect": true, | |
"quote": "'", | |
"delimiter": ",", | |
"query": "// {DefaultWorkspace} {ContextSelection} {Subscriptions}\r\nwhere type =~ 'microsoft.operationalinsights/workspaces'\r\n| summarize by id, name\r\n| order by tolower(name) asc\r\n| extend Row = row_number()\r\n| project id, selected = iff({HybridMode} == 'true', iff(id == todynamic('{ContextSelection}').ws, true, false), Row == 1)", | |
"crossComponentResources": ["{Subscriptions}"], | |
"typeSettings": { | |
"limitSelectTo": 5, | |
"additionalResourceOptions": ["value::1"] | |
}, | |
"queryType": 1, | |
"resourceType": "microsoft.resourcegraph/resources" | |
}, | |
{ | |
"id": "a9393837-8ef0-40e5-b223-4df1208a691e", | |
"version": "KqlParameterItem/1.0", | |
"name": "Test", | |
"type": 1, | |
"query": "VMConnection\r\n| take 1\r\n| summarize count()", | |
"crossComponentResources": ["{Workspaces}"], | |
"isHiddenWhenLocked": true, | |
"queryType": 0, | |
"resourceType": "microsoft.operationalinsights/workspaces", | |
"label": "Not Onboarded" | |
} | |
], | |
"style": "above", | |
"queryType": 0, | |
"resourceType": "microsoft.operationalinsights/workspaces" | |
}, | |
"name": "parameters - 0" | |
}, | |
{ | |
"type": 1, | |
"content": { | |
"json": "⚠ `VMConnection` table was either not detected or empty. Try the following:\r\n\r\n* Select a different time range\r\n* Try different scope selections\r\n* Onboard to Azure Monitor for VMs ([Azure Monitor for VMs GA FAQ](https://docs.microsoft.com/en-us/azure/azure-monitor/insights/vminsights-ga-release-faq))." | |
}, | |
"conditionalVisibility": { | |
"parameterName": "Test", | |
"comparison": "isNotEqualTo", | |
"value": "1" | |
}, | |
"name": "text - 1" | |
}, | |
{ | |
"type": 9, | |
"content": { | |
"version": "KqlParameterItem/1.0", | |
"parameters": [ | |
{ | |
"id": "addcec31-b7ac-4715-a78d-9b803f86af8a", | |
"version": "KqlParameterItem/1.0", | |
"name": "TimeRange", | |
"type": 4, | |
"isRequired": true, | |
"value": { | |
"durationMs": 3600000 | |
}, | |
"typeSettings": { | |
"selectableValues": [ | |
{ | |
"durationMs": 300000, | |
"createdTime": "2019-01-28T23:37:45.024Z", | |
"isInitialTime": false, | |
"grain": 1, | |
"useDashboardTimeRange": false | |
}, | |
{ | |
"durationMs": 900000, | |
"createdTime": "2019-01-28T23:37:45.024Z", | |
"isInitialTime": false, | |
"grain": 1, | |
"useDashboardTimeRange": false | |
}, | |
{ | |
"durationMs": 1800000, | |
"createdTime": "2019-01-28T23:37:45.024Z", | |
"isInitialTime": false, | |
"grain": 1, | |
"useDashboardTimeRange": false | |
}, | |
{ | |
"durationMs": 3600000, | |
"createdTime": "2019-01-28T23:37:45.024Z", | |
"isInitialTime": false, | |
"grain": 1, | |
"useDashboardTimeRange": false | |
}, | |
{ | |
"durationMs": 14400000, | |
"createdTime": "2019-01-28T23:37:45.024Z", | |
"isInitialTime": false, | |
"grain": 1, | |
"useDashboardTimeRange": false | |
}, | |
{ | |
"durationMs": 43200000, | |
"createdTime": "2019-01-28T23:37:45.024Z", | |
"isInitialTime": false, | |
"grain": 1, | |
"useDashboardTimeRange": false | |
}, | |
{ | |
"durationMs": 86400000, | |
"createdTime": "2019-01-28T23:37:45.025Z", | |
"isInitialTime": false, | |
"grain": 1, | |
"useDashboardTimeRange": false | |
}, | |
{ | |
"durationMs": 172800000, | |
"createdTime": "2019-01-28T23:37:45.025Z", | |
"isInitialTime": false, | |
"grain": 1, | |
"useDashboardTimeRange": false | |
}, | |
{ | |
"durationMs": 259200000, | |
"createdTime": "2019-01-28T23:37:45.025Z", | |
"isInitialTime": false, | |
"grain": 1, | |
"useDashboardTimeRange": false | |
}, | |
{ | |
"durationMs": 604800000, | |
"createdTime": "2019-01-28T23:37:45.025Z", | |
"isInitialTime": false, | |
"grain": 1, | |
"useDashboardTimeRange": false | |
}, | |
{ | |
"durationMs": 1209600000, | |
"createdTime": "2019-01-28T23:37:45.025Z", | |
"isInitialTime": false, | |
"grain": 1, | |
"useDashboardTimeRange": false | |
}, | |
{ | |
"durationMs": 2592000000, | |
"createdTime": "2019-01-28T23:37:45.026Z", | |
"isInitialTime": false, | |
"grain": 1, | |
"useDashboardTimeRange": false | |
}, | |
{ | |
"durationMs": 5184000000, | |
"createdTime": "2019-01-28T23:37:45.026Z", | |
"isInitialTime": false, | |
"grain": 1, | |
"useDashboardTimeRange": false | |
}, | |
{ | |
"durationMs": 7776000000, | |
"createdTime": "2019-01-28T23:37:45.026Z", | |
"isInitialTime": false, | |
"grain": 1, | |
"useDashboardTimeRange": false | |
} | |
], | |
"allowCustom": true | |
}, | |
"label": "Time Range" | |
}, | |
{ | |
"id": "db9b2f1d-188a-4dda-af4a-b39deeb34da3", | |
"version": "KqlParameterItem/1.0", | |
"name": "Direction", | |
"type": 2, | |
"description": "Direction of the network connection from the VMs", | |
"isRequired": true, | |
"value": "inbound", | |
"typeSettings": { | |
"additionalResourceOptions": [] | |
}, | |
"jsonData": "[\r\n { \"value\":\"inbound\", \"label\":\"Inbound\" },\r\n { \"value\":\"outbound\", \"label\":\"Outbound\" }\r\n]" | |
}, | |
{ | |
"id": "8744c427-f060-4725-95af-850af2fa08b1", | |
"version": "KqlParameterItem/1.0", | |
"name": "ComputerNameContains", | |
"type": 1, | |
"label": "Computer Name Contains" | |
}, | |
{ | |
"id": "b141bd6c-cd8d-488e-a5f6-83ab00d31161", | |
"version": "KqlParameterItem/1.0", | |
"name": "Computers", | |
"type": 2, | |
"multiSelect": true, | |
"quote": "'", | |
"delimiter": ",", | |
"query": "VMConnection\r\n| where Computer contains '{ComputerNameContains}'\r\n| summarize by Computer\r\n| project Value = Computer, Display = Computer, isSelected = false\r\n| order by Display asc\r\n| union (datatable(Value:string, Display:string, isSelected:boolean)['*', 'All',true])", | |
"crossComponentResources": ["{Workspaces}"], | |
"typeSettings": { | |
"additionalResourceOptions": [] | |
}, | |
"timeContext": { | |
"durationMs": 0 | |
}, | |
"timeContextFromParameter": "TimeRange", | |
"queryType": 0, | |
"resourceType": "microsoft.operationalinsights/workspaces" | |
}, | |
{ | |
"id": "488d1f86-cabc-4fcc-8dc9-9a2e5803fb20", | |
"version": "KqlParameterItem/1.0", | |
"name": "ComputerFilter", | |
"type": 1, | |
"isRequired": true, | |
"query": "let computerFilter = iff('*' in ({Computers}), \"| where Computer contains '{ComputerNameContains}'\", \"| where Computer in ({Computers})\");\r\nprint(computerFilter)", | |
"crossComponentResources": ["{Workspaces}"], | |
"isHiddenWhenLocked": true, | |
"queryType": 0, | |
"resourceType": "microsoft.operationalinsights/workspaces" | |
}, | |
{ | |
"id": "56ab6626-c12d-4de1-8a3d-8a6099db3cd3", | |
"version": "KqlParameterItem/1.0", | |
"name": "hierarchy", | |
"type": 1, | |
"isRequired": true, | |
"isHiddenWhenLocked": true, | |
"criteriaData": [ | |
{ | |
"criteriaContext": { | |
"leftOperand": "Direction", | |
"operator": "==", | |
"rightValType": "static", | |
"rightVal": "inbound", | |
"resultValType": "static", | |
"resultVal": "[ \t{ \t\t\"value\": \"0\", \t\t\"label\": \"Computer -> Process -> Port -> Remote IP\" \t}, \t{ \t\t\"value\": \"1\", \t\t\"label\": \"Computer -> Process -> Port\" \t}, \t{ \t\t\"value\": \"2\", \t\t\"label\": \"Computer -> Process\", \t\t\"selected\": true \t}, \t{ \t\t\"value\": \"3\", \t\t\"label\": \"Computer\" \t}, \t{ \t\t\"value\": \"4\", \t\t\"label\": \"Computer -> Remote IP\" \t} ]" | |
} | |
}, | |
{ | |
"criteriaContext": { | |
"operator": "Default", | |
"rightValType": "param", | |
"resultValType": "static", | |
"resultVal": "[ { \"value\": \"0\", \"label\": \"Computer -> Process -> Remote IP -> Port\" }, { \"value\": \"1\", \"label\": \"Computer -> Process -> Remote IP\" }, { \"value\": \"2\", \"label\": \"Computer -> Process\", \t\t\"selected\": true }, { \"value\": \"3\", \"label\": \"Computer\" } ]" | |
} | |
} | |
] | |
}, | |
{ | |
"id": "8be4bd82-b145-4602-af53-52c9e8f8d51e", | |
"version": "KqlParameterItem/1.0", | |
"name": "Hierarchy", | |
"type": 2, | |
"description": "Select the level of detail to be shown in the table below", | |
"isRequired": true, | |
"query": "{\"version\":\"1.0.0\",\"content\":\"{hierarchy}\",\"transformers\":[{\"type\":\"jsonpath\"}]}", | |
"typeSettings": { | |
"additionalResourceOptions": [] | |
}, | |
"timeContext": { | |
"durationMs": 0 | |
}, | |
"timeContextFromParameter": "TimeRange", | |
"queryType": 8, | |
"value": "0" | |
}, | |
{ | |
"id": "5526f711-6d04-469e-8d06-351508f1014e", | |
"version": "KqlParameterItem/1.0", | |
"name": "TableFilter", | |
"type": 2, | |
"description": "Filter table based on presence of malicious connections or at least one link failing", | |
"multiSelect": true, | |
"quote": "", | |
"delimiter": "", | |
"value": [], | |
"typeSettings": { | |
"additionalResourceOptions": [] | |
}, | |
"jsonData": "[\r\n {\r\n \"label\": \"Only Malicious Connections\",\r\n \"value\": \" | where MaliciousConnectionsCount >= 1\"\r\n },\r\n {\r\n \"label\": \"Only Links Failed\",\r\n \"value\": \" | where LinksFailed >= 1\"\r\n }\r\n]", | |
"label": "Table Filter" | |
} | |
], | |
"style": "above", | |
"queryType": 0, | |
"resourceType": "microsoft.operationalinsights/workspaces" | |
}, | |
"conditionalVisibility": { | |
"parameterName": "Test", | |
"comparison": "isEqualTo", | |
"value": "1" | |
}, | |
"name": "parameters - 2" | |
}, | |
{ | |
"type": 9, | |
"content": { | |
"version": "KqlParameterItem/1.0", | |
"crossComponentResources": ["{Workspaces}"], | |
"parameters": [ | |
{ | |
"id": "5e335a1b-7f99-4647-854a-d7b5cb489bb2", | |
"version": "KqlParameterItem/1.0", | |
"name": "ServiceMapComputers", | |
"type": 1, | |
"isRequired": true, | |
"query": "print(\"let computers = VMComputer | summarize (TimeGenerated, Properties) = arg_max(TimeGenerated, pack_all()) by Computer;\");", | |
"crossComponentResources": ["{Workspaces}"], | |
"isHiddenWhenLocked": true, | |
"queryType": 0, | |
"resourceType": "microsoft.operationalinsights/workspaces" | |
}, | |
{ | |
"id": "c69fbaae-4fd2-4527-acdd-a2c358eebffa", | |
"version": "KqlParameterItem/1.0", | |
"name": "MaliciousIpData", | |
"type": 1, | |
"query": "print(\"let maliciousIpData = VMConnection | where Direction == '{Direction}' {ComputerFilter} | where MaliciousIp != '' | summarize by Computer, ProcessName, MaliciousIp, DestinationPort, RemoteIp, IsActive, IndicatorThreatType, RemoteCountry, RemoteLongitude, RemoteLatitude, Confidence, Severity, FirstReportedDateTime, LastReportedDateTime | project MaliciousIp = strcat(Computer, '-', ProcessName, '-', MaliciousIp), MaliciousPort = strcat(Computer, '-', ProcessName, '-', DestinationPort), MaliciousPortIp = strcat(Computer, '-', ProcessName, '-', DestinationPort, '-', RemoteIp), Computer = Computer, Process = strcat(Computer, '-', ProcessName), MaliciousIpInfo = pack('Malicious IP', MaliciousIp, 'Is Active', IsActive, 'Indicator Threat Type', IndicatorThreatType, 'Remote Country', RemoteCountry, 'Longitude', RemoteLongitude, 'Latitude', RemoteLatitude, 'Confidence', Confidence, 'Severity', Severity, 'First Reported DateTime', FirstReportedDateTime, 'Last Reported DateTime', LastReportedDateTime, 'Destination Port', DestinationPort, 'Remote IP', RemoteIp);\");", | |
"crossComponentResources": ["{Workspaces}"], | |
"isHiddenWhenLocked": true, | |
"queryType": 0, | |
"resourceType": "microsoft.operationalinsights/workspaces" | |
}, | |
{ | |
"id": "dd933ac8-1273-48fe-8d09-bd65d857ce83", | |
"version": "KqlParameterItem/1.0", | |
"name": "ComputerData", | |
"type": 1, | |
"query": "print(\"let computerData = VMConnection | where Direction == '{Direction}' {ComputerFilter} | summarize Responses = sum(Responses), LinksFailed = sum(LinksFailed), MaxLinksLive = max(LinksLive), TotalBytesSent = sum(BytesSent), TotalBytesReceived = sum(BytesReceived), AverageResponseTime = 1.0 * sum(ResponseTimeSum) / sum(Responses) by Name = strcat('🖥️ ', Computer), ComputerName = Computer, Type = 'Computer', TypeKey = 1, Key = Computer, ParentKey = '---' | join kind=leftouter (maliciousIpData | summarize MaliciousIpInfo = tostring(count()) by Computer) on $left.Key == $right.Computer | project-away Computer | order by Name asc;\");", | |
"crossComponentResources": ["{Workspaces}"], | |
"isHiddenWhenLocked": true, | |
"queryType": 0, | |
"resourceType": "microsoft.operationalinsights/workspaces" | |
}, | |
{ | |
"id": "fb879823-c082-4c53-af7e-18d044032f99", | |
"version": "KqlParameterItem/1.0", | |
"name": "RemoteIpDataInbound", | |
"type": 1, | |
"query": "print(\"let remoteIpDataInbound = VMConnection | where Direction == 'inbound' | where 'inbound' == 'inbound' {ComputerFilter} | summarize Responses = sum(Responses), LinksFailed = sum(LinksFailed), MaxLinksLive = max(LinksLive), TotalBytesSent = sum(BytesSent), TotalBytesReceived = sum(BytesReceived), AverageResponseTime = 1.0 * sum(ResponseTimeSum) / sum(Responses) by Computer, ProcessName, RemoteIp, Type = 'Remote Computer', TypeKey = 3, Key = strcat(Computer, '-', ProcessName, '-', tostring(DestinationPort), '-', RemoteIp), ParentKey = strcat(Computer, '-', ProcessName, '-', tostring(DestinationPort)), Id = strcat(Computer, '-', ProcessName, '-', RemoteIp), ComputerName = Computer | join kind=inner sourcePortData on $left.ParentKey == $right.Key | project-away AverageResponseTime1, Computer1, Key1, LinksFailed1, MaxLinksLive1, ParentKey1, ProcessName1, Responses1, TotalBytesReceived1, TotalBytesSent1, Type1, TypeKey1 | order by Name asc | join kind=leftouter ipComputerMapping on $left.RemoteIp == $right.Ipv4 | extend Name = iff(RemoteIp == '', 'Unknown', strcat('🌐 External (', RemoteIp, ')')) | project-away Computer, Ipv4 | order by Name desc | join kind=leftouter maliciousIpData on $left.Key == $right.MaliciousPortIp | extend MaliciousIpInfo = tostring(MaliciousIpInfo1) | project-away MaliciousIp, Computer, Process, Computer1, MaliciousIpInfo1, Id;\");", | |
"crossComponentResources": ["{Workspaces}"], | |
"isHiddenWhenLocked": true, | |
"queryType": 0, | |
"resourceType": "microsoft.operationalinsights/workspaces" | |
}, | |
{ | |
"id": "3ad60c70-b530-49c0-a59b-8df690dffbc8", | |
"version": "KqlParameterItem/1.0", | |
"name": "ProcessName", | |
"type": 1, | |
"query": "print(\"let processData = VMConnection | where Direction == '{Direction}' {ComputerFilter} | summarize Responses = sum(Responses), LinksFailed = sum(LinksFailed), MaxLinksLive = max(LinksLive), TotalBytesSent = sum(BytesSent), TotalBytesReceived = sum(BytesReceived), AverageResponseTime = 1.0 * sum(ResponseTimeSum) / sum(Responses) by Computer, ProcessName, Name = strcat('🎫 ', ProcessName), Type = 'Process', TypeKey = 2, Key = strcat(Computer, '-', ProcessName), ParentKey = Computer, ComputerName = Computer | join kind=inner computerData on $left.ParentKey == $right.Key | project-away Name1, Responses1, LinksFailed1, MaxLinksLive1, TotalBytesSent1, TotalBytesReceived1, AverageResponseTime1, Type1, Key1, ParentKey1 | join kind=leftouter (maliciousIpData | summarize MaliciousIpInfo = tostring(count()) by Process) on $left.Key == $right.Process | project-away Process, MaliciousIpInfo | extend MaliciousIpInfo = tostring(MaliciousIpInfo1) | project-away MaliciousIpInfo1 | order by Name asc;\");", | |
"crossComponentResources": ["{Workspaces}"], | |
"isHiddenWhenLocked": true, | |
"queryType": 0, | |
"resourceType": "microsoft.operationalinsights/workspaces" | |
}, | |
{ | |
"id": "c9eea7db-3d14-4fbf-8ae6-b7507ec1d43f", | |
"version": "KqlParameterItem/1.0", | |
"name": "RemoteIpData", | |
"type": 1, | |
"isRequired": true, | |
"query": "print(\"let remoteIpData = VMConnection | where '{Direction}' == 'outbound' | where Direction == '{Direction}' {ComputerFilter} | extend RemoteIp = iff(Direction == 'outbound', DestinationIp, SourceIp) | summarize Responses = sum(Responses), LinksFailed = sum(LinksFailed), MaxLinksLive = max(LinksLive), TotalBytesSent = sum(BytesSent), TotalBytesReceived = sum(BytesReceived), AverageResponseTime = 1.0 * sum(ResponseTimeSum) / sum(Responses) by Computer, ProcessName, RemoteIp, Type = 'Remote Computer', TypeKey = 3, Key = strcat(Computer, '-', ProcessName, '-', RemoteIp), ParentKey = strcat(Computer, '-', ProcessName), ComputerName = Computer | join kind=inner processData on $left.ParentKey == $right.Key | project-away Name, Responses1, LinksFailed1, MaxLinksLive1, TotalBytesSent1, TotalBytesReceived1, AverageResponseTime1, Type1, Key1, ParentKey1 | join kind=leftouter maliciousIpData on $left.Key == $right.MaliciousIp | project-away MaliciousIp, Computer, Process, Computer1, Computer2, MaliciousIpInfo | extend MaliciousIpInfo = tostring(MaliciousIpInfo1) | project-away MaliciousIpInfo1 | join kind = leftouter (ipComputerMapping) on $left.RemoteIp == $right.Ipv4 | extend Name = iff(Computer == '', iff(RemoteIp == '127.0.0.1', '🌐 Localhost', strcat('🌐 External (', RemoteIp, ')')), strcat('🖥️ ', Computer)) | project-away Computer, Ipv4 | order by Name desc;\")", | |
"crossComponentResources": ["{Workspaces}"], | |
"isHiddenWhenLocked": true, | |
"queryType": 0, | |
"resourceType": "microsoft.operationalinsights/workspaces" | |
}, | |
{ | |
"id": "4a9ed59b-002e-4c81-b437-8456faeef6a6", | |
"version": "KqlParameterItem/1.0", | |
"name": "SourcePortData", | |
"type": 1, | |
"query": "print(\"let sourcePortData = VMConnection | where Direction == '{Direction}' | where '{Direction}' == 'inbound' {ComputerFilter} | summarize Responses = sum(Responses), LinksFailed = sum(LinksFailed), MaxLinksLive = max(LinksLive), TotalBytesSent = sum(BytesSent), TotalBytesReceived = sum(BytesReceived), AverageResponseTime = 1.0 * sum(ResponseTimeSum) / sum(Responses) by Computer, ProcessName, DestinationIp, DestinationPort, Name = strcat('🔶 ', DestinationPort), Type = 'Remote Port', TypeKey = 4, Key = strcat(Computer, '-', ProcessName, '-', tostring(DestinationPort)), ParentKey = strcat(Computer, '-', ProcessName), ComputerName = Computer | join kind=leftouter maliciousIpData on $left.Key == $right.MaliciousPort | extend MaliciousIpInfo = tostring(MaliciousIpInfo) | project-away Computer1, MaliciousIp, MaliciousPort, MaliciousPortIp, Process; {RemoteIpDataInbound}\");", | |
"crossComponentResources": ["{Workspaces}"], | |
"isHiddenWhenLocked": true, | |
"queryType": 0, | |
"resourceType": "microsoft.operationalinsights/workspaces" | |
}, | |
{ | |
"id": "e31a8d21-e24b-45ec-9806-e6c45bca15aa", | |
"version": "KqlParameterItem/1.0", | |
"name": "DestinationPortData", | |
"type": 1, | |
"query": "print(\"let destinationPortData = VMConnection | where Direction == '{Direction}' | where '{Direction}' == 'outbound' {ComputerFilter} | summarize Responses = sum(Responses), LinksFailed = sum(LinksFailed), MaxLinksLive = max(LinksLive), TotalBytesSent = sum(BytesSent), TotalBytesReceived = sum(BytesReceived), AverageResponseTime = 1.0 * sum(ResponseTimeSum) / sum(Responses) by Computer, ProcessName, DestinationIp, DestinationPort, Name = strcat('🔶 ', DestinationPort), Type = 'Remote Port', TypeKey = 4, Key = strcat(Computer, '-', ProcessName, '-', DestinationIp, '-', tostring(DestinationPort)), ParentKey = strcat(Computer, '-', ProcessName, '-', DestinationIp), ComputerName = Computer | join kind=inner remoteIpData on $left.ParentKey == $right.Key | project-away Name1, Responses1, Type1, Key1, ParentKey1 | order by Name asc;\");", | |
"crossComponentResources": ["{Workspaces}"], | |
"isHiddenWhenLocked": true, | |
"queryType": 0, | |
"resourceType": "microsoft.operationalinsights/workspaces" | |
}, | |
{ | |
"id": "a54f3df8-c872-4a19-a280-84b203987ec8", | |
"version": "KqlParameterItem/1.0", | |
"name": "QueryProject", | |
"type": 1, | |
"query": "print(\"| extend MaliciousConnectionsCount = iff(MaliciousIpInfo == '', 0, iff(Type == 'Computer' or Type == 'Process' or Type == 'Overall', tolong(MaliciousIpInfo), 1)) | project ComputerName, ProcessName, RemoteIp, DestinationPort, Name = iff(Name == '🎫 ', '🎫 <Unknown>', Name), Type, MaliciousConnections = iff(MaliciousIpInfo == '', '✅ No Malicious Connections', iff(Type == 'Computer' or Type == 'Process' or Type == 'Overall', iff(MaliciousConnectionsCount > 1, strcat('❌ ', MaliciousIpInfo, ' Malicious Connections'), strcat('❌ ', MaliciousIpInfo, ' Malicious Connection')), '❌ Malicious Connection')), Responses, MaxLinksLive, LinksFailed, AverageResponseTime, TotalBytesSent, TotalBytesReceived, Info = iff(MaliciousIpInfo != '', MaliciousIpInfo, ''), Key, ParentKey, TypeKey, MaliciousConnectionsCount | order by TypeKey asc, MaliciousConnectionsCount desc, LinksFailed desc, AverageResponseTime desc, Responses desc, MaxLinksLive desc, Name asc | project-away TypeKey\");", | |
"crossComponentResources": ["{Workspaces}"], | |
"isHiddenWhenLocked": true, | |
"queryType": 0, | |
"resourceType": "microsoft.operationalinsights/workspaces" | |
}, | |
{ | |
"id": "9789ead5-eae5-4f52-86c2-ac197da62f30", | |
"version": "KqlParameterItem/1.0", | |
"name": "Computer_Process_IP_Port", | |
"type": 1, | |
"query": "print(strcat(\"{ServiceMapComputers}\", \" let ipComputerMapping = computers | project Computer, Ipv4 = todynamic(tostring(Properties.Ipv4Addresses_s)) | mvexpand Ipv4 to typeof(string); \", \"{MaliciousIpData}\", \" let totalMaliciousConnectionsCount = maliciousIpData | summarize MaliciousIpInfo = count() | extend Type = 'Overall'; \", \"{ComputerData}\", \"{ProcessName}\", \"{RemoteIpData}\", \"{DestinationPortData}\", \"{SourcePortData}\", \" let overalldata = VMConnection | where Direction == '{Direction}' {ComputerFilter} | summarize Responses = sum(Responses), LinksFailed = sum(LinksFailed), MaxLinksLive = max(LinksLive), TotalBytesSent = sum(BytesSent), TotalBytesReceived = sum(BytesReceived), AverageResponseTime = 1.0 * sum(ResponseTimeSum) / sum(Responses) | extend Name = '🔵 Overall', Type = 'Overall', TypeKey = 0, Key = '--Overall--', ParentKey = '----' | join kind=leftouter totalMaliciousConnectionsCount on Type | extend MaliciousIpInfo = iff(MaliciousIpInfo == '0', '', tostring(MaliciousIpInfo)) | project-away Type1; computerData | union processData | union remoteIpData | union destinationPortData | union remoteIpDataInbound | union sourcePortData | union overalldata\t\", \"{QueryProject}\"));", | |
"crossComponentResources": ["{Workspaces}"], | |
"isHiddenWhenLocked": true, | |
"queryType": 0, | |
"resourceType": "microsoft.operationalinsights/workspaces" | |
}, | |
{ | |
"id": "2876be54-34fa-4751-99d5-d6c436d372ad", | |
"version": "KqlParameterItem/1.0", | |
"name": "Computer_IP", | |
"type": 1, | |
"query": "print(strcat(\"{ServiceMapComputers}\", \" let ipComputerMapping = computers | project Computer, Ipv4 = todynamic(tostring(Properties.Ipv4Addresses_s)) | mvexpand Ipv4 to typeof(string); \", \"{MaliciousIpData}\", \" let totalMaliciousConnectionsCount = maliciousIpData | summarize MaliciousIpInfo = count() | extend Type = 'Overall'; \", \"{ComputerData}\", \"{ProcessName}\", \"{RemoteIpData}\", \"{DestinationPortData}\", \"{SourcePortData}\", \" let overalldata = VMConnection | where Direction == '{Direction}' {ComputerFilter} | summarize Responses = sum(Responses), LinksFailed = sum(LinksFailed), MaxLinksLive = max(LinksLive), TotalBytesSent = sum(BytesSent), TotalBytesReceived = sum(BytesReceived), AverageResponseTime = 1.0 * sum(ResponseTimeSum) / sum(Responses) | extend Name = '🔵 Overall', Type = 'Overall', TypeKey = 0, Key = '--Overall--', ParentKey = '----' | join kind=leftouter totalMaliciousConnectionsCount on Type | extend MaliciousIpInfo = iff(MaliciousIpInfo == '0', '', tostring(MaliciousIpInfo)) | project-away Type1; computerData | union remoteIpData | union destinationPortData | union remoteIpDataInbound | union sourcePortData | union overalldata\t\", \"{QueryProject}\"));", | |
"crossComponentResources": ["{Workspaces}"], | |
"isHiddenWhenLocked": true, | |
"queryType": 0, | |
"resourceType": "microsoft.operationalinsights/workspaces" | |
}, | |
{ | |
"id": "0d6a320e-2cef-44fd-ac0b-ad833f8d0c03", | |
"version": "KqlParameterItem/1.0", | |
"name": "Computer_Process_IP", | |
"type": 1, | |
"query": "print(strcat(\"{ServiceMapComputers}\", \" let ipComputerMapping = computers | project Computer, Ipv4 = todynamic(tostring(Properties.Ipv4Addresses_s)) | mvexpand Ipv4 to typeof(string); \", \"{MaliciousIpData}\", \" let totalMaliciousConnectionsCount = maliciousIpData | summarize MaliciousIpInfo = count() | extend Type = 'Overall'; \", \"{ComputerData}\", \"{ProcessName}\", \"{RemoteIpData}\", \"{SourcePortData}\", \" let overalldata = VMConnection | where Direction == '{Direction}' {ComputerFilter} | summarize Responses = sum(Responses), LinksFailed = sum(LinksFailed), MaxLinksLive = max(LinksLive), TotalBytesSent = sum(BytesSent), TotalBytesReceived = sum(BytesReceived), AverageResponseTime = 1.0 * sum(ResponseTimeSum) / sum(Responses) | extend Name = '🔵 Overall', Type = 'Overall', TypeKey = 0, Key = '--Overall--', ParentKey = '----' | join kind=leftouter totalMaliciousConnectionsCount on Type | extend MaliciousIpInfo = iff(MaliciousIpInfo == '0', '', tostring(MaliciousIpInfo)) | project-away Type1;\" ,\" computerData | union processData | union remoteIpData | union sourcePortData | union overalldata \", \"{QueryProject}\"));", | |
"crossComponentResources": ["{Workspaces}"], | |
"isHiddenWhenLocked": true, | |
"queryType": 0, | |
"resourceType": "microsoft.operationalinsights/workspaces" | |
}, | |
{ | |
"id": "2de0d685-4382-4822-a8aa-f3583ff11b66", | |
"version": "KqlParameterItem/1.0", | |
"name": "QueryPadDestinationPortTable", | |
"type": 1, | |
"isRequired": true, | |
"query": "print(\"let destinationPortPadding = datatable (DestinationPort: string) [];\");", | |
"crossComponentResources": ["{Workspaces}"], | |
"isHiddenWhenLocked": true, | |
"queryType": 0, | |
"resourceType": "microsoft.operationalinsights/workspaces" | |
}, | |
{ | |
"id": "df8a6322-511e-40e0-a258-fe717099a072", | |
"version": "KqlParameterItem/1.0", | |
"name": "QueryPadRemoteIpTable", | |
"type": 1, | |
"isRequired": true, | |
"query": "print(\"let remoteIpPadding = datatable (RemoteIp: string) [];\");", | |
"crossComponentResources": ["{Workspaces}"], | |
"isHiddenWhenLocked": true, | |
"queryType": 0, | |
"resourceType": "microsoft.operationalinsights/workspaces" | |
}, | |
{ | |
"id": "e8f2c394-18e8-4d6d-8f5e-8453cb67128c", | |
"version": "KqlParameterItem/1.0", | |
"name": "Computer_Process", | |
"type": 1, | |
"query": "print(strcat(\"{ServiceMapComputers}\", \" let ipComputerMapping = computers | project Computer, Ipv4 = todynamic(tostring(Properties.Ipv4Addresses_s)) | mvexpand Ipv4 to typeof(string); \", \"{MaliciousIpData}\", \" let totalMaliciousConnectionsCount = maliciousIpData | summarize MaliciousIpInfo = count() | extend Type = 'Overall'; \", \"{ComputerData}\", \"{ProcessName}\", \" let overalldata = VMConnection | where Direction == '{Direction}' {ComputerFilter} | summarize Responses = sum(Responses), LinksFailed = sum(LinksFailed), MaxLinksLive = max(LinksLive), TotalBytesSent = sum(BytesSent), TotalBytesReceived = sum(BytesReceived), AverageResponseTime = 1.0 * sum(ResponseTimeSum) / sum(Responses) | extend Name = '🔵 Overall', Type = 'Overall', TypeKey = 0, Key = '--Overall--', ParentKey = '----' | join kind=leftouter totalMaliciousConnectionsCount on Type | extend MaliciousIpInfo = iff(MaliciousIpInfo == '0', '', tostring(MaliciousIpInfo)) | project-away Type1;\", \"{QueryPadDestinationPortTable}\", \"{QueryPadRemoteIpTable}\",\" computerData | union remoteIpPadding | union destinationPortPadding | union processData | union overalldata \", \"{QueryProject}\"));", | |
"crossComponentResources": ["{Workspaces}"], | |
"isHiddenWhenLocked": true, | |
"queryType": 0, | |
"resourceType": "microsoft.operationalinsights/workspaces" | |
}, | |
{ | |
"id": "084fb5fc-e8e4-42df-8a9f-ac1001950ba2", | |
"version": "KqlParameterItem/1.0", | |
"name": "QueryPadProcessNameTable", | |
"type": 1, | |
"isRequired": true, | |
"query": "print(\"let processNamePadding = datatable (ProcessName: string) [];\");", | |
"crossComponentResources": ["{Workspaces}"], | |
"isHiddenWhenLocked": true, | |
"queryType": 0, | |
"resourceType": "microsoft.operationalinsights/workspaces" | |
}, | |
{ | |
"id": "a4b0e146-7c89-40bb-ade2-ed2e392e9311", | |
"version": "KqlParameterItem/1.0", | |
"name": "Computer", | |
"type": 1, | |
"query": "print(strcat(\"{ServiceMapComputers}\", \" let ipComputerMapping = computers | project Computer, Ipv4 = todynamic(tostring(Properties.Ipv4Addresses_s)) | mvexpand Ipv4 to typeof(string); \", \"{MaliciousIpData}\", \" let totalMaliciousConnectionsCount = maliciousIpData | summarize MaliciousIpInfo = count() | extend Type = 'Overall'; \", \"{ComputerData}\", \" let overalldata = VMConnection | where Direction == '{Direction}' {ComputerFilter} | summarize Responses = sum(Responses), LinksFailed = sum(LinksFailed), MaxLinksLive = max(LinksLive), TotalBytesSent = sum(BytesSent), TotalBytesReceived = sum(BytesReceived), AverageResponseTime = 1.0 * sum(ResponseTimeSum) / sum(Responses) | extend Name = '🔵 Overall', Type = 'Overall', TypeKey = 0, Key = '--Overall--', ParentKey = '----' | join kind=leftouter totalMaliciousConnectionsCount on Type | extend MaliciousIpInfo = iff(MaliciousIpInfo == '0', '', tostring(MaliciousIpInfo)) | project-away Type1;\", \"{QueryPadDestinationPortTable}\", \"{QueryPadRemoteIpTable}\", \"{QueryPadProcessNameTable}\",\" computerData | union remoteIpPadding | union processNamePadding | union destinationPortPadding | union overalldata \", \"{QueryProject}\"));", | |
"crossComponentResources": ["{Workspaces}"], | |
"isHiddenWhenLocked": true, | |
"queryType": 0, | |
"resourceType": "microsoft.operationalinsights/workspaces" | |
}, | |
{ | |
"id": "a08757da-e72b-474d-a1d2-65fb7020cc14", | |
"version": "KqlParameterItem/1.0", | |
"name": "FinalQuery", | |
"type": 1, | |
"query": "print(strcat(\r\niff({Hierarchy} == 0, \"{Computer_Process_IP_Port}\", \r\niff({Hierarchy} == 1, \"{Computer_Process_IP}\",\r\niff({Hierarchy} == 2, \"{Computer_Process}\",\r\niff({Hierarchy} == 3, \"{Computer}\",\r\niff({Hierarchy} == 4, \"{Computer_IP}\", \"{Computer}\"))))),'{TableFilter:value}'));", | |
"crossComponentResources": ["{Workspaces}"], | |
"isHiddenWhenLocked": true, | |
"queryType": 0, | |
"resourceType": "microsoft.operationalinsights/workspaces" | |
}, | |
{ | |
"id": "874eeebe-2ea2-4c04-a3b9-ab3b30e95573", | |
"version": "KqlParameterItem/1.0", | |
"name": "ConnectionGrid", | |
"type": 1, | |
"value": "{}", | |
"isHiddenWhenLocked": true | |
} | |
], | |
"style": "above", | |
"queryType": 0, | |
"resourceType": "microsoft.operationalinsights/workspaces" | |
}, | |
"conditionalVisibility": { | |
"parameterName": "Test", | |
"comparison": "isEqualTo", | |
"value": "1" | |
}, | |
"name": "parameters - 3" | |
}, | |
{ | |
"type": 1, | |
"content": { | |
"json": "💡 <em>Select a row from the table below to view connection details for that entry.</em>" | |
}, | |
"conditionalVisibility": { | |
"parameterName": "Test", | |
"comparison": "isEqualTo", | |
"value": "1" | |
}, | |
"name": "text - 4" | |
}, | |
{ | |
"type": 3, | |
"content": { | |
"version": "KqlItem/1.0", | |
"query": "{FinalQuery:value}", | |
"size": 0, | |
"showAnalytics": true, | |
"noDataMessage": "No data to be shown for this particular scope combination. Please adjust the time range, table filters, etc.", | |
"timeContextFromParameter": "TimeRange", | |
"exportParameterName": "ConnectionGrid", | |
"queryType": 0, | |
"resourceType": "microsoft.operationalinsights/workspaces", | |
"crossComponentResources": ["{Workspaces}"], | |
"visualization": "table", | |
"gridSettings": { | |
"formatters": [ | |
{ | |
"columnMatch": "Computer", | |
"formatter": 5, | |
"formatOptions": {} | |
}, | |
{ | |
"columnMatch": "ProcessName", | |
"formatter": 5, | |
"formatOptions": {} | |
}, | |
{ | |
"columnMatch": "RemoteIp", | |
"formatter": 5, | |
"formatOptions": {} | |
}, | |
{ | |
"columnMatch": "DestinationPort", | |
"formatter": 5, | |
"formatOptions": {}, | |
"numberFormat": { | |
"unit": 0, | |
"options": { | |
"style": "decimal" | |
} | |
} | |
}, | |
{ | |
"columnMatch": "Responses", | |
"formatter": 4, | |
"formatOptions": { | |
"palette": "blueDark" | |
}, | |
"numberFormat": { | |
"unit": 17, | |
"options": { | |
"style": "decimal" | |
} | |
} | |
}, | |
{ | |
"columnMatch": "MaxLinksLive", | |
"formatter": 4, | |
"formatOptions": { | |
"palette": "lightBlue" | |
}, | |
"numberFormat": { | |
"unit": 17, | |
"options": { | |
"style": "decimal" | |
} | |
} | |
}, | |
{ | |
"columnMatch": "LinksFailed", | |
"formatter": 4, | |
"formatOptions": { | |
"palette": "red" | |
}, | |
"numberFormat": { | |
"unit": 17, | |
"options": { | |
"style": "decimal" | |
} | |
} | |
}, | |
{ | |
"columnMatch": "AverageResponseTime", | |
"formatter": 4, | |
"formatOptions": { | |
"palette": "purple" | |
}, | |
"numberFormat": { | |
"unit": 23, | |
"options": { | |
"style": "decimal" | |
} | |
} | |
}, | |
{ | |
"columnMatch": "TotalBytesSent", | |
"formatter": 4, | |
"formatOptions": { | |
"palette": "orange" | |
}, | |
"numberFormat": { | |
"unit": 2, | |
"options": { | |
"style": "decimal" | |
} | |
} | |
}, | |
{ | |
"columnMatch": "TotalBytesReceived", | |
"formatter": 4, | |
"formatOptions": { | |
"palette": "green" | |
}, | |
"numberFormat": { | |
"unit": 2, | |
"options": { | |
"style": "decimal" | |
} | |
} | |
}, | |
{ | |
"columnMatch": "Info", | |
"formatter": 5, | |
"formatOptions": { | |
"linkTarget": "CellDetails", | |
"linkLabel": "ℹ️ Info" | |
} | |
}, | |
{ | |
"columnMatch": "Key", | |
"formatter": 5, | |
"formatOptions": {} | |
}, | |
{ | |
"columnMatch": "ParentKey", | |
"formatter": 5, | |
"formatOptions": {} | |
}, | |
{ | |
"columnMatch": "MaliciousConnectionsCount", | |
"formatter": 5, | |
"formatOptions": {} | |
} | |
], | |
"rowLimit": 10000, | |
"filter": true, | |
"hierarchySettings": { | |
"idColumn": "Key", | |
"parentColumn": "ParentKey", | |
"treeType": 0, | |
"expanderColumn": "Name", | |
"expandTopLevel": false | |
} | |
}, | |
"tileSettings": { | |
"showBorder": false, | |
"titleContent": { | |
"columnMatch": "Computer", | |
"formatter": 1 | |
}, | |
"leftContent": { | |
"columnMatch": "KPIValue", | |
"formatter": 12, | |
"formatOptions": { | |
"palette": "auto" | |
}, | |
"numberFormat": { | |
"unit": 17, | |
"options": { | |
"maximumSignificantDigits": 3, | |
"maximumFractionDigits": 2 | |
} | |
} | |
} | |
} | |
}, | |
"conditionalVisibility": { | |
"parameterName": "Test", | |
"comparison": "isEqualTo", | |
"value": "1" | |
}, | |
"showPin": true, | |
"name": "query - 5" | |
}, | |
{ | |
"type": 9, | |
"content": { | |
"version": "KqlParameterItem/1.0", | |
"crossComponentResources": ["{Workspaces}"], | |
"parameters": [ | |
{ | |
"id": "7e4c3d29-2be6-4288-903b-95502ddab577", | |
"version": "KqlParameterItem/1.0", | |
"name": "ComputerName", | |
"type": 1, | |
"query": "let row = dynamic({ConnectionGrid});\r\nlet computerName = row.ComputerName;\r\nprint computerName", | |
"crossComponentResources": ["{Workspaces}"], | |
"isHiddenWhenLocked": true, | |
"queryType": 0, | |
"resourceType": "microsoft.operationalinsights/workspaces" | |
}, | |
{ | |
"id": "3bda15ac-c4ea-487f-acf5-2c14c8d33038", | |
"version": "KqlParameterItem/1.0", | |
"name": "ProcessName", | |
"type": 1, | |
"query": "let row = dynamic({ConnectionGrid});\r\nlet ProcessName = row.ProcessName;\r\nprint ProcessName", | |
"crossComponentResources": ["{Workspaces}"], | |
"isHiddenWhenLocked": true, | |
"queryType": 0, | |
"resourceType": "microsoft.operationalinsights/workspaces" | |
}, | |
{ | |
"id": "e424020b-8c6e-4a06-9639-ed696192442a", | |
"version": "KqlParameterItem/1.0", | |
"name": "RemoteIp", | |
"type": 1, | |
"query": "let row = dynamic({ConnectionGrid});\r\nlet RemoteIp = row.RemoteIp;\r\nprint RemoteIp", | |
"crossComponentResources": ["{Workspaces}"], | |
"isHiddenWhenLocked": true, | |
"queryType": 0, | |
"resourceType": "microsoft.operationalinsights/workspaces" | |
}, | |
{ | |
"id": "a479367c-f99b-4c93-b18c-51f07ce5069d", | |
"version": "KqlParameterItem/1.0", | |
"name": "DestinationPort", | |
"type": 1, | |
"query": "let row = dynamic({ConnectionGrid});\r\nlet destinationPort = row.DestinationPort;\r\nprint destinationPort", | |
"crossComponentResources": ["{Workspaces}"], | |
"isHiddenWhenLocked": true, | |
"queryType": 0, | |
"resourceType": "microsoft.operationalinsights/workspaces" | |
}, | |
{ | |
"id": "dcf5f274-fbbf-4fb8-8c35-6b528a08cac9", | |
"version": "KqlParameterItem/1.0", | |
"name": "ShowDetail", | |
"type": 1, | |
"isRequired": true, | |
"query": "print(strcat('{ComputerName}{ProcessName}{RemoteIp}{DestinationPort}' != ''))", | |
"crossComponentResources": ["{Workspaces}"], | |
"isHiddenWhenLocked": true, | |
"queryType": 0, | |
"resourceType": "microsoft.operationalinsights/workspaces" | |
}, | |
{ | |
"id": "1ce27926-6842-497b-ac53-70c006e11231", | |
"version": "KqlParameterItem/1.0", | |
"name": "Heading", | |
"type": 1, | |
"query": "print(strcat('💻 {ComputerName}',iff('{ProcessName}' != '',' > 🎫 {ProcessName}',''),iff('{Direction}' == 'outbound',strcat(iff('{RemoteIp}' != '',' > 🌐 {RemoteIp}',''),iff('{DestinationPort}' != '',' > 🔸 {DestinationPort}','')),strcat(iff('{DestinationPort}' != '',' > 🔸 {DestinationPort}',''),iff('{RemoteIp}' != '',' > 🌐 {RemoteIp}','')))))", | |
"crossComponentResources": ["{Workspaces}"], | |
"isHiddenWhenLocked": true, | |
"queryType": 0, | |
"resourceType": "microsoft.operationalinsights/workspaces" | |
}, | |
{ | |
"id": "b44edb14-76ad-48b3-9921-b5dfb5a6db60", | |
"version": "KqlParameterItem/1.0", | |
"name": "QueryFilter", | |
"type": 1, | |
"query": "print(strcat(' where Computer == \"{ComputerName}\"',iff('{ProcessName}' != '', ' | where ProcessName == \"{ProcessName}\"', ''),iff('{RemoteIp}' != '',' | where RemoteIp == \"{RemoteIp}\"',''),iff('{DestinationPort}' != '',' | where DestinationPort == \"{DestinationPort}\"','')));", | |
"crossComponentResources": ["{Workspaces}"], | |
"isHiddenWhenLocked": true, | |
"queryType": 0, | |
"resourceType": "microsoft.operationalinsights/workspaces" | |
} | |
], | |
"style": "above", | |
"queryType": 0, | |
"resourceType": "microsoft.operationalinsights/workspaces" | |
}, | |
"conditionalVisibility": { | |
"parameterName": "Test", | |
"comparison": "isEqualTo", | |
"value": "1" | |
}, | |
"name": "parameters - 6" | |
}, | |
{ | |
"type": 1, | |
"content": { | |
"json": "<h2 style=\"font-weight:normal;\">{Heading}</h2>" | |
}, | |
"conditionalVisibility": { | |
"parameterName": "ShowDetail", | |
"comparison": "isEqualTo", | |
"value": "True" | |
}, | |
"name": "text - 7" | |
}, | |
{ | |
"type": 1, | |
"content": { | |
"json": "### Responses" | |
}, | |
"conditionalVisibilities": [ | |
{ | |
"parameterName": "ShowDetail", | |
"comparison": "isEqualTo", | |
"value": "True" | |
}, | |
{ | |
"parameterName": "Test", | |
"comparison": "isEqualTo", | |
"value": "1" | |
} | |
], | |
"customWidth": "25", | |
"name": "text - 8" | |
}, | |
{ | |
"type": 1, | |
"content": { | |
"json": "### Latency" | |
}, | |
"conditionalVisibilities": [ | |
{ | |
"parameterName": "ShowDetail", | |
"comparison": "isEqualTo", | |
"value": "True" | |
}, | |
{ | |
"parameterName": "Test", | |
"comparison": "isEqualTo", | |
"value": "1" | |
} | |
], | |
"customWidth": "25", | |
"name": "text - 9" | |
}, | |
{ | |
"type": 1, | |
"content": { | |
"json": "### Network" | |
}, | |
"conditionalVisibilities": [ | |
{ | |
"parameterName": "ShowDetail", | |
"comparison": "isEqualTo", | |
"value": "True" | |
}, | |
{ | |
"parameterName": "Test", | |
"comparison": "isEqualTo", | |
"value": "1" | |
} | |
], | |
"customWidth": "25", | |
"name": "text - 10" | |
}, | |
{ | |
"type": 1, | |
"content": { | |
"json": "### Links" | |
}, | |
"conditionalVisibilities": [ | |
{ | |
"parameterName": "ShowDetail", | |
"comparison": "isEqualTo", | |
"value": "True" | |
}, | |
{ | |
"parameterName": "Test", | |
"comparison": "isEqualTo", | |
"value": "1" | |
} | |
], | |
"customWidth": "25", | |
"name": "text - 11" | |
}, | |
{ | |
"type": 3, | |
"content": { | |
"version": "KqlItem/1.0", | |
"query": "let SourceMachineData = VMConnection\r\n| where TimeGenerated {TimeRange}\r\n| {QueryFilter}\r\n| where Direction == '{Direction}'\r\n| summarize Responses = sum(Responses) by bin(TimeGenerated, time('{TimeRange:grain}'));\r\nSourceMachineData", | |
"size": 1, | |
"queryType": 0, | |
"resourceType": "microsoft.operationalinsights/workspaces", | |
"crossComponentResources": ["{Workspaces}"], | |
"visualization": "areachart" | |
}, | |
"conditionalVisibilities": [ | |
{ | |
"parameterName": "ShowDetail", | |
"comparison": "isEqualTo", | |
"value": "True" | |
}, | |
{ | |
"parameterName": "Test", | |
"comparison": "isEqualTo", | |
"value": "1" | |
} | |
], | |
"customWidth": "25", | |
"name": "query - 12" | |
}, | |
{ | |
"type": 3, | |
"content": { | |
"version": "KqlItem/1.0", | |
"query": "let SourceMachineData = VMConnection\r\n| where TimeGenerated {TimeRange}\r\n| {QueryFilter}\r\n| where Direction == '{Direction}'\r\n| summarize P50 = percentiles(ResponseTimeSum, 50), P90 = percentiles(ResponseTimeSum, 90), P95 = percentiles(ResponseTimeSum, 95) by bin(TimeGenerated, time('{TimeRange:grain}'));\r\nSourceMachineData", | |
"size": 1, | |
"aggregation": 3, | |
"queryType": 0, | |
"resourceType": "microsoft.operationalinsights/workspaces", | |
"crossComponentResources": ["{Workspaces}"], | |
"visualization": "linechart" | |
}, | |
"conditionalVisibilities": [ | |
{ | |
"parameterName": "ShowDetail", | |
"comparison": "isEqualTo", | |
"value": "True" | |
}, | |
{ | |
"parameterName": "Test", | |
"comparison": "isEqualTo", | |
"value": "1" | |
} | |
], | |
"customWidth": "25", | |
"name": "query - 13" | |
}, | |
{ | |
"type": 3, | |
"content": { | |
"version": "KqlItem/1.0", | |
"query": "let SourceMachineData = VMConnection\r\n| where TimeGenerated {TimeRange}\r\n| {QueryFilter}\r\n| where Direction == '{Direction}'\r\n| summarize Sent = sum(BytesSent), Received = sum(BytesReceived) by bin(TimeGenerated, time('{TimeRange:grain}'));\r\nSourceMachineData", | |
"size": 1, | |
"queryType": 0, | |
"resourceType": "microsoft.operationalinsights/workspaces", | |
"crossComponentResources": ["{Workspaces}"], | |
"visualization": "areachart" | |
}, | |
"conditionalVisibilities": [ | |
{ | |
"parameterName": "ShowDetail", | |
"comparison": "isEqualTo", | |
"value": "True" | |
}, | |
{ | |
"parameterName": "Test", | |
"comparison": "isEqualTo", | |
"value": "1" | |
} | |
], | |
"customWidth": "25", | |
"name": "query - 14" | |
}, | |
{ | |
"type": 3, | |
"content": { | |
"version": "KqlItem/1.0", | |
"query": "let SourceMachineData = VMConnection\r\n| where TimeGenerated {TimeRange}\r\n| {QueryFilter}\r\n| where Direction == '{Direction}'\r\n| summarize MaxOpenPorts = max(LinksLive), SumFailed = sum(LinksFailed) by bin(TimeGenerated, time('{TimeRange:grain}'));\r\nSourceMachineData", | |
"size": 1, | |
"aggregation": 3, | |
"queryType": 0, | |
"resourceType": "microsoft.operationalinsights/workspaces", | |
"crossComponentResources": ["{Workspaces}"], | |
"visualization": "areachart" | |
}, | |
"conditionalVisibilities": [ | |
{ | |
"parameterName": "ShowDetail", | |
"comparison": "isEqualTo", | |
"value": "True" | |
}, | |
{ | |
"parameterName": "Test", | |
"comparison": "isEqualTo", | |
"value": "1" | |
} | |
], | |
"customWidth": "25", | |
"name": "query - 15" | |
} | |
], | |
"fallbackResourceIds": [ | |
"/subscriptions/d08095f8-98fa-434e-8f14-6d06471029b0" | |
], | |
"fromTemplateId": "community-Workbooks/Virtual Machines - Network Dependencies/Connections Overview", | |
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json" | |
} |