diff --git a/DoppelVision/DoppelVision.json b/DoppelVision/DoppelVision.json
index 9138238..e60ea90 100644
--- a/DoppelVision/DoppelVision.json
+++ b/DoppelVision/DoppelVision.json
@@ -1,13 +1,13 @@
 {
 "type": "FolderSyncDefinition",
- "name": "DoppelVision",
+ "name": "Doppel Vision",
 "description": "Comprehensive overview of digital risk protection metrics and alerts",
 "children": [
 {
 "type": "SavedSearchWithScheduleSyncDefinition",
 "name": "Alerts By Product",
 "search": {
- "queryText": "$$logsrc \n| dedup id\n| timeslice 1d\n| count by _timeslice, product\n| sort by _timeslice asc\n| transpose row _timeslice column product as * ",
+ "queryText": "$$logsrc \n| dedup id\n| sort by product",
 "byReceiptTime": false,
 "viewName": "",
 "viewStartTime": "1970-01-01T00:00:00Z",
@@ -22,7 +22,7 @@
 "type": "SavedSearchWithScheduleSyncDefinition",
 "name": "Alerts By Status",
 "search": {
- "queryText": "$$logsrc \n| dedup id\n | timeslice 1d\n| count by _timeslice, queue_state\n| sort by _timeslice asc\n| transpose row _timeslice column queue_state as * ",
+ "queryText": "$$logsrc \n| dedup id\n| sort by queue_state",
 "byReceiptTime": false,
 "viewName": "",
 "viewStartTime": "1970-01-01T00:00:00Z",
@@ -91,7 +91,7 @@
 "queries": [
 {
 "transient": false,
- "queryString": "$$logsrc \n| dedup id\n| count",
+ "queryString": "$$logsrc \n| where id = \"{{AlertId}}\" or \"{{AlertId}}\" = \"*\"\n| where product = \"{{ProductFilter}}\" or \"{{ProductFilter}}\" = \"*\"\n| where queue_state = \"{{AlertStatus}}\" or \"{{AlertStatus}}\" = \"*\"\n| dedup id\n| count",
 "queryType": "Logs",
 "queryKey": "A",
 "metricsQueryMode": null,
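Review bot: The rewritten `queryText` of the "Alerts By Product" saved search (`$$logsrc \n| dedup id\n| sort by product`) no longer aggregates, so the search returns individual alert records while the dashboard panel of the same name later in this diff still produces a per-day count by product; the name no longer describes what the search yields. If the saved search is meant as a raw drill-down, a name such as `"Alerts By Product (records)"` or keeping the original aggregation would avoid the mismatch. Note also that, if I recall the operator's default correctly, Sumo Logic's `sort by` orders descending unless `asc` is given, so this lists products Z→A; `| sort by product asc` if an ascending listing was intended.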
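Review bot: The three added `where` clauses splice template values directly into double-quoted string literals (`| where id = \"{{AlertId}}\" or \"{{AlertId}}\" = \"*\"`), so any value containing `"` or `\` breaks the literal and malforms or changes the filter; the variables are `valueType: Any`, and their option lists are drawn from the `id`/`product`/`queue_state` fields of the ingested alerts, which the external provider rather than the dashboard author controls. The query still runs only with the viewing user's own search permissions, so this reads as a robustness issue rather than a privilege escalation, but the values should be escaped or the comparison written in a form that does not depend on quoting. The same filter triple is pasted into five other panels in this diff, one of them with a stray trailing space before `\n`; keeping it byte-identical everywhere makes future edits less error-prone.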
@@ -118,7 +118,7 @@
 "queries": [
 {
 "transient": false,
- "queryString": "$$logsrc \n| where queue_state=\"reported\" or queue_state=\"needs_confirmation\"\n| dedup id\n| count",
+ "queryString": "$$logsrc\n| where id = \"{{AlertId}}\" or \"{{AlertId}}\" = \"*\"\n| where product = \"{{ProductFilter}}\" or \"{{ProductFilter}}\" = \"*\"\n| where queue_state = \"{{AlertStatus}}\" or \"{{AlertStatus}}\" = \"*\"\n| where queue_state=\"reported\" or queue_state=\"needs_confirmation\"\n| dedup id\n| count",
 "queryType": "Logs",
 "queryKey": "A",
 "metricsQueryMode": null,
@@ -145,7 +145,7 @@
 "queries": [
 {
 "transient": false,
- "queryString": "$$logsrc \n| where queue_state=\"taken_down\"\n| dedup id\n| count",
+ "queryString": "$$logsrc \n| where id = \"{{AlertId}}\" or \"{{AlertId}}\" = \"*\"\n| where product = \"{{ProductFilter}}\" or \"{{ProductFilter}}\" = \"*\"\n| where queue_state = \"{{AlertStatus}}\" or \"{{AlertStatus}}\" = \"*\"\n| where queue_state=\"taken_down\"\n| dedup id\n| count",
 "queryType": "Logs",
 "queryKey": "A",
 "metricsQueryMode": null,
@@ -172,7 +172,7 @@
 "queries": [
 {
 "transient": false,
- "queryString": "$$logsrc \n| dedup id\n| count by product\n| sort by _count\n| limit 10",
+ "queryString": "$$logsrc \n| where id = \"{{AlertId}}\" or \"{{AlertId}}\" = \"*\"\n| where product = \"{{ProductFilter}}\" or \"{{ProductFilter}}\" = \"*\"\n| where queue_state = \"{{AlertStatus}}\" or \"{{AlertStatus}}\" = \"*\" \n| dedup id\n| count by product\n| sort by _count",
 "queryType": "Logs",
 "queryKey": "A",
 "metricsQueryMode": null,
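Review bot: Both status filters in the new `queryString` run before `| dedup id`, so if the source emits more than one record per alert over its lifecycle (which the presence of `dedup id` suggests), an alert whose latest record is `taken_down` but which earlier logged `reported` is still counted here, and selecting an `AlertStatus` value matches any historical record rather than the alert's current state. If the panel is meant to count alerts currently in these states, dedup first and filter afterwards: `$$logsrc\n| dedup id\n| where queue_state=\"reported\" or queue_state=\"needs_confirmation\"\n| count`, with the three variable filters moved after the dedup as well. If the source emits exactly one record per alert this is moot; the record cardinality is not visible from the diff.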
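Review bot: `| limit 10` was dropped from this panel's `queryString` while the matching saved search is renamed "Top 10 Alerts By Product" elsewhere in this diff and keeps the limit, so the panel and the search no longer show the same thing. If the panel is also intended as the top-10 breakdown, restore `| sort by _count\n| limit 10`; if the unbounded list is deliberate, the panel title should not imply a top-N. The `\"*\" \n` before `| dedup id` carries a stray trailing space that the other copies of this filter do not.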
@@ -199,7 +199,7 @@
 "queries": [
 {
 "transient": false,
- "queryString": "$$logsrc \n| dedup id\n| timeslice 1d\n| count by _timeslice, product\n| sort by _timeslice asc\n| transpose row _timeslice column product as * ",
+ "queryString": "$$logsrc \n| where id = \"{{AlertId}}\" or \"{{AlertId}}\" = \"*\"\n| where product = \"{{ProductFilter}}\" or \"{{ProductFilter}}\" = \"*\"\n| where queue_state = \"{{AlertStatus}}\" or \"{{AlertStatus}}\" = \"*\"\n| dedup id\n| timeslice 1d\n| count by _timeslice, product\n| sort by _timeslice asc\n| transpose row _timeslice column product as * ",
 "queryType": "Logs",
 "queryKey": "A",
 "metricsQueryMode": null,
@@ -226,7 +226,7 @@
 "queries": [
 {
 "transient": false,
- "queryString": "$$logsrc \n| dedup id\n| timeslice 1d\n| count by _timeslice, queue_state\n| sort by _timeslice asc\n| transpose row _timeslice column queue_state as * ",
+ "queryString": "$$logsrc \n| where id = \"{{AlertId}}\" or \"{{AlertId}}\" = \"*\"\n| where product = \"{{ProductFilter}}\" or \"{{ProductFilter}}\" = \"*\"\n| where queue_state = \"{{AlertStatus}}\" or \"{{AlertStatus}}\" = \"*\"\n| dedup id\n| timeslice 1d\n| count by _timeslice, queue_state\n| sort by _timeslice asc\n| transpose row _timeslice column queue_state as * ",
 "queryType": "Logs",
 "queryKey": "A",
 "metricsQueryMode": null,
@@ -244,14 +244,60 @@
 "linkedDashboards": []
 }
 ],
- "variables": [],
+ "variables": [
+ {
+ "id": null,
+ "name": "AlertId",
+ "displayName": "AlertId",
+ "defaultValue": "*",
+ "sourceDefinition": {
+ "variableSourceType": "LogQueryVariableSourceDefinition",
+ "query": "$$logsrc | dedup id",
+ "field": "id"
+ },
+ "allowMultiSelect": false,
+ "includeAllOption": true,
+ "hideFromUI": false,
+ "valueType": "Any"
+ },
+ {
+ "id": null,
+ "name": "ProductFilter",
+ "displayName": "ProductFilter",
+ "defaultValue": "*",
+ "sourceDefinition": {
+ "variableSourceType": "LogQueryVariableSourceDefinition",
+ "query": "$$logsrc | dedup product",
+ "field": "product"
+ },
+ "allowMultiSelect": false,
+ "includeAllOption": true,
+ "hideFromUI": false,
+ "valueType": "Any"
+ },
+ {
+ "id": null,
+ "name": "AlertStatus",
+ "displayName": "AlertStatus",
+ "defaultValue": "*",
+ "sourceDefinition": {
+ "variableSourceType": "LogQueryVariableSourceDefinition",
+ "query": "$$logsrc | dedup queue_state",
+ "field": "queue_state"
+ },
+ "allowMultiSelect": false,
+ "includeAllOption": true,
+ "hideFromUI": false,
+ "valueType": "Any"
+ }
+ ],
 "coloringRules": []
 },
 {
 "type": "SavedSearchWithScheduleSyncDefinition",
 "name": "Resolved Alerts",
 "search": {
- "queryText": "$$logsrc \n| where queue_state=\"taken_down\"\n| dedup id\n| count",
+ "queryText": "$$logsrc \n| where queue_state=\"taken_down\"\n| dedup id",
 "byReceiptTime": false,
 "viewName": "",
 "viewStartTime": "1970-01-01T00:00:00Z",
@@ -266,7 +312,7 @@
 "type": "SavedSearchWithScheduleSyncDefinition",
 "name": "Total Alerts",
 "search": {
- "queryText": "$$logsrc \n| dedup id\n| count",
+ "queryText": "$$logsrc \n| dedup id",
 "byReceiptTime": false,
 "viewName": "",
 "viewStartTime": "1970-01-01T00:00:00Z",
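Review bot: The `AlertId` variable is populated by `$$logsrc | dedup id`, i.e. one dropdown option per distinct alert seen in the dashboard's time range, which becomes a very long list and a query that scans the whole source on every dashboard load for a value users are more likely to paste than pick; the bounded `product` and `queue_state` lists are fine, but for `id` a free-text variable with no `sourceDefinition`, or a source query narrowed to recent or open alerts, would be cheaper. Separately, every panel in this diff compares with `= \"{{Var}}\"`, which is only valid because `allowMultiSelect` is `false` on all three variables — enabling multi-select would substitute a comma-separated list and silently break every filter, so that coupling deserves a sentence in the folder `description` or a README, since the JSON itself cannot carry a comment. Whether `"id": null` is filled in on import is presumably handled by the sync tooling and not visible here.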
@@ -279,9 +325,9 @@
 },
 {
 "type": "SavedSearchWithScheduleSyncDefinition",
- "name": "Total Alerts By Product",
+ "name": "Top 10 Alerts By Product",
 "search": {
- "queryText": "$$logsrc \n| dedup id\n| count by product\n| sort by _count\n| limit 10",
+ "queryText": "$$logsrc \n| dedup id\n| count by product\n| sort by _count\n| limit 10",
 "byReceiptTime": false,
 "viewName": "",
 "viewStartTime": "1970-01-01T00:00:00Z",
@@ -296,7 +342,7 @@
 "type": "SavedSearchWithScheduleSyncDefinition",
 "name": "Verified Alerts",
 "search": {
- "queryText": "$$logsrc \n| where queue_state=\"reported\" or queue_state=\"needs_confirmation\"\n| dedup id\n| count",
+ "queryText": "$$logsrc \n| where queue_state in (\"reported\", \"needs_confirmation\")\n| dedup id",
 "byReceiptTime": false,
 "viewName": "",
 "viewStartTime": "1970-01-01T00:00:00Z",
diff --git a/DoppelVision/resources/screenshots/DoppelVisionDashboard.png b/DoppelVision/resources/screenshots/DoppelVisionDashboard.png
index 64bf4c2..6522b97 100644
Binary files a/DoppelVision/resources/screenshots/DoppelVisionDashboard.png and b/DoppelVision/resources/screenshots/DoppelVisionDashboard.png differ
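Review bot: The "Verified Alerts" saved search now spells its filter as `queue_state in (\"reported\", \"needs_confirmation\")` while the panel counting the same population earlier in this diff keeps `queue_state=\"reported\" or queue_state=\"needs_confirmation\"`; the two are equivalent, but using one form in both places makes it evident that they define the same "verified" set and keeps a future change to that set from being applied to only one of them. The dropped `| count` also turns this search into a raw record listing under a name shared with the count panel, so if it is a drill-down it may be worth saying so in the name, as was done with "Top 10 Alerts By Product" just above.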