Creating tiles in an Azure Sentinel workbook using KQL

I'm using this query to display what I want in the workbook, but I want separate tiles for Very High, High, Medium and so on. When I write this query and switch the visualization to Tiles, it doesn't give me the option to create a tile for each of those variables in the tile settings. What do I need to do to achieve this?

InALogs_CL
| summarize VeryHigh=count(risk_level_s=="very-high" or risk_assessment_risk_level_s=="very-high"),
            High=count(risk_level_s=="high" or risk_assessment_risk_level_s=="high"),
            Medium=count(risk_level_s=="medium" or risk_assessment_risk_level_s=="medium"),
            Low=count(risk_level_s=="low" or risk_assessment_risk_level_s=="low"),
            VeryLow=count(risk_level_s=="very-low" or risk_assessment_risk_level_s=="very-low"),
            None=count(risk_level_s=="none" or risk_assessment_risk_level_s=="none")

Each row of the query result becomes a tile. So if you want one tile per severity, you'd want to do something more like:

InALogs_CL
| extend severity = case(
    risk_level_s=="very-high" or risk_assessment_risk_level_s=="very-high", "Very High",
    risk_level_s=="high" or risk_assessment_risk_level_s=="high", "High",
    risk_level_s=="medium" or risk_assessment_risk_level_s=="medium", "Medium",
    risk_level_s=="low" or risk_assessment_risk_level_s=="low", "Low",
    risk_level_s=="very-low" or risk_assessment_risk_level_s=="very-low", "Very Low",
    risk_level_s=="none" or risk_assessment_risk_level_s=="none", "None",
    "unknown")
| summarize count() by severity

You'd end up with a result like this:

severity    count_
Very High   1
Low         1
unknown     27

You can then use the "Thresholds" renderer in the tile settings to assign a specific icon to the severity as the tile's title field, and the "Big Number" renderer for the left part of the tile.

Severities that have no matching rows won't get a tile.

If you need all the tiles, even the ones with 0, you can anti-join against a datatable that has a row with 0 for each severity, or you could keep something like your original query (though I think the count in your query above should be countif?) and add a | evaluate narrow() at the end.

Although not all data sources support the evaluate operator (Azure Resource Graph queries, for example, don't).

You might also want to use =~ in all of those comparisons if there's any chance the values have different casing; right now you'd get "unknown" for a risk level value of "High" or "HIGH", since this only looks for all-lowercase "high".

I got the answer: I had to use a datatable to turn those values into a separate table, so that each severity category can be detected in the tile settings.

// One zero-count row per severity, so every severity gets a tile even when no log rows match it
datatable (Count: long, status: string) [
    0, "Very High",
    0, "High",
    0, "Medium",
    0, "Low",
    0, "Very Low",
    0, "None"
]
| union
    (
    InALogs_CL
    // Map the two risk-level columns onto a single display label per row
    | extend status = case(
        risk_level_s == "very-high" or risk_assessment_risk_level_s == "very-high", "Very High",
        risk_level_s == "high" or risk_assessment_risk_level_s == "high", "High",
        risk_level_s == "medium" or risk_assessment_risk_level_s == "medium", "Medium",
        risk_level_s == "low" or risk_assessment_risk_level_s == "low", "Low",
        risk_level_s == "very-low" or risk_assessment_risk_level_s == "very-low", "Very Low",
        risk_level_s == "none" or risk_assessment_risk_level_s == "none", "None",
        "True"
        )
    // Drop rows whose risk level is not one of the known values
    | where status != "True"
    | summarize Count = count() by status
    )
// Merge the zero placeholders with the real counts: one row, and therefore one tile, per severity
| summarize Count=sum(Count) by status
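Pulling the two answers together, here is an added example (not from the original post or from any Microsoft documentation) that uses =~ for case-insensitive matching and a datatable of zero-count rows so that every severity, including "Unknown", gets a tile. The rows standing in for InALogs_CL are constructed sample data.

```kql
// Added example: a self-contained query that can be pasted into a workbook
// query and tested without the InALogs_CL table. Constructed sample rows stand
// in for InALogs_CL; remove the `let InALogs_CL = ...` block to run against the
// real table.
let InALogs_CL = datatable(risk_level_s: string, risk_assessment_risk_level_s: string) [
    "very-high", "",
    "HIGH",      "",        // mixed case: only matched because =~ is used below
    "",          "high",
    "medium",    "",
    "",          "Low",
    "critical",  ""         // value outside the known set, lands in "Unknown"
];
// One zero-count row per severity, so each tile exists even when the source
// has no matching rows for that severity.
let Severities = datatable(status: string, Count: long) [
    "Very High", 0,
    "High",      0,
    "Medium",    0,
    "Low",       0,
    "Very Low",  0,
    "None",      0,
    "Unknown",   0
];
Severities
| union (
    InALogs_CL
    // =~ is the case-insensitive string equality operator, so "HIGH" and
    // "High" are both counted as "High" instead of falling through to "Unknown".
    | extend status = case(
        risk_level_s =~ "very-high" or risk_assessment_risk_level_s =~ "very-high", "Very High",
        risk_level_s =~ "high"      or risk_assessment_risk_level_s =~ "high",      "High",
        risk_level_s =~ "medium"    or risk_assessment_risk_level_s =~ "medium",    "Medium",
        risk_level_s =~ "low"       or risk_assessment_risk_level_s =~ "low",       "Low",
        risk_level_s =~ "very-low"  or risk_assessment_risk_level_s =~ "very-low",  "Very Low",
        risk_level_s =~ "none"      or risk_assessment_risk_level_s =~ "none",      "None",
        "Unknown")
    | summarize Count = count() by status
)
// Merge the zero placeholders with the real counts: one row, hence one tile,
// per severity. Keeping the "Unknown" bucket as its own tile also surfaces
// rows with unexpected risk-level values instead of silently dropping them.
| summarize Count = sum(Count) by status
```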