Azure-Sentinel/Workbooks/ThreatIntelligence.json

{
  "version": "Notebook/1.0",
  "items": [
    {
      "type": 1,
      "content": {
        "json": "## Threat Intelligence overview"
      },
      "name": "text - 12"
    },
    {
      "type": 9,
      "content": {
        "version": "KqlParameterItem/1.0",
        "parameters": [
          {
            "id": "833ae48a-1060-4d97-9849-bf3a2a5d0c90",
            "version": "KqlParameterItem/1.0",
            "name": "TimeRange",
            "type": 4,
            "isRequired": true,
            "value": {
              "durationMs": 604800000
            },
            "typeSettings": {
              "selectableValues": [
                {
                  "durationMs": 300000
                },
                {
                  "durationMs": 900000
                },
                {
                  "durationMs": 1800000
                },
                {
                  "durationMs": 3600000
                },
                {
                  "durationMs": 14400000
                },
                {
                  "durationMs": 43200000
                },
                {
                  "durationMs": 86400000
                },
                {
                  "durationMs": 172800000
                },
                {
                  "durationMs": 259200000
                },
                {
                  "durationMs": 604800000
                },
                {
                  "durationMs": 1209600000
                },
                {
                  "durationMs": 2419200000
                },
                {
                  "durationMs": 2592000000
                },
                {
                  "durationMs": 5184000000
                },
                {
                  "durationMs": 7776000000
                }
              ],
              "allowCustom": true
            }
          }
        ],
        "style": "pills",
        "queryType": 0,
        "resourceType": "microsoft.operationalinsights/workspaces"
      },
      "name": "parameters - 13"
    },
    {
      "type": 3,
      "content": {
        "version": "KqlItem/1.0",
        "query": "ThreatIntelligenceIndicator\r\n// Select all indicators from the table\r\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\r\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \"IP\",\r\n                        iff(isnotempty(Url), \"URL\",\r\n                        iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \"Email\",\r\n                        iff(isnotempty(FileHashValue), \"File\",\r\n                         iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \"Domain\",\r\n                        \"Other\")))))\r\n// Summarize and order the data, then render the chart\r\n| summarize CountOfIndicators = count() by IndicatorType, bin(TimeGenerated, 1h)\r\n| order by CountOfIndicators desc \r\n| render barchart kind=stacked ",
        "size": 0,
        "title": "Indicators imported into Sentinel by indicator type and date",
        "timeContext": {
          "durationMs": 0
        },
        "timeContextFromParameter": "TimeRange",
        "queryType": 0,
        "resourceType": "microsoft.operationalinsights/workspaces"
      },
      "customWidth": "50",
      "name": "query - 1"
    },
    {
      "type": 3,
      "content": {
        "version": "KqlItem/1.0",
        "query": "ThreatIntelligenceIndicator\r\n// Select all indicators from the table\r\n// Summarize and order the data, then render the chart\r\n| summarize CountOfIndicators = count() by SourceSystem, bin(TimeGenerated, 1h)\r\n| render barchart kind=stacked",
        "size": 0,
        "title": "Indicators imported into Sentinel by indicator provider and date",
        "timeContext": {
          "durationMs": 0
        },
        "timeContextFromParameter": "TimeRange",
        "queryType": 0,
        "resourceType": "microsoft.operationalinsights/workspaces"
      },
      "customWidth": "50",
      "name": "query - 3"
    },
    {
      "type": 3,
      "content": {
        "version": "KqlItem/1.0",
        "query": "ThreatIntelligenceIndicator\r\n// Select all indicators from the table\r\n| where TimeGenerated < now()\r\n// Select only indicators that have not expired\r\n    and ExpirationDateTime > now()\r\n// Select only indicators that are marked active\r\n    and Active == true\r\n// Select only the most recently ingested copy of an indicator\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\r\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \"IP\",\r\n                        iff(isnotempty(Url), \"URL\",\r\n                        iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \"Email\",\r\n                        iff(isnotempty(FileHashValue), \"File\",\r\n                         iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \"Domain\",\r\n                        \"Other\")))))\r\n// Summarize and order the data, then render the chart\r\n| summarize CountOfIndicators = count() by IndicatorType\r\n| order by CountOfIndicators desc \r\n| render barchart kind=unstacked",
        "size": 0,
        "title": "Active indicators by indicator type",
        "timeContext": {
          "durationMs": 0
        },
        "timeContextFromParameter": "TimeRange",
        "queryType": 0,
        "resourceType": "microsoft.operationalinsights/workspaces"
      },
      "customWidth": "50",
      "name": "query - 5"
    },
    {
      "type": 3,
      "content": {
        "version": "KqlItem/1.0",
        "query": "ThreatIntelligenceIndicator\r\n// Select all indicators from the table\r\n| where TimeGenerated < now()\r\n// Select only indicators that have not expired\r\n    and ExpirationDateTime > now()\r\n// Select only indicators that are marked active\r\n    and Active == true\r\n// Select only the most recently ingested copy of an indicator\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n// Summarize and order the data, then render the chart\r\n| summarize CountOfIndicators = count() by SourceSystem\r\n| order by CountOfIndicators desc \r\n| render barchart kind=unstacked",
        "size": 0,
        "title": "Active indicators by indicator source",
        "timeContext": {
          "durationMs": 0
        },
        "timeContextFromParameter": "TimeRange",
        "queryType": 0,
        "resourceType": "microsoft.operationalinsights/workspaces"
      },
      "customWidth": "50",
      "name": "query - 7"
    },
    {
      "type": 3,
      "content": {
        "version": "KqlItem/1.0",
        "query": "ThreatIntelligenceIndicator\r\n// Select all indicators from the table\r\n| where TimeGenerated < now()\r\n// Select only indicators that have not expired\r\n    and ExpirationDateTime > now()\r\n// Select only indicators that are marked active\r\n    and Active == true\r\n// Select only the most recently ingested copy of an indicator\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n// Summarize and order the data, then render the chart\r\n| summarize CountOfIndicators = count() by tostring(ConfidenceScore)\r\n| order by CountOfIndicators desc \r\n| render piechart",
        "size": 0,
        "title": "Active indicators by confidence score",
        "timeContext": {
          "durationMs": 0
        },
        "timeContextFromParameter": "TimeRange",
        "queryType": 0,
        "resourceType": "microsoft.operationalinsights/workspaces"
      },
      "customWidth": "50",
      "name": "query - 10"
    },
    {
      "type": 3,
      "content": {
        "version": "KqlItem/1.0",
        "query": "SecurityAlert\r\n// Select alerts where the alert rule query includes the threat intelligence data table\r\n| where ExtendedProperties containscs \"ThreatIntelligenceIndicator\" \r\n// Summarize and order the data, then render the chart\r\n| summarize CountOfAlerts = count() by AlertSeverity, bin(TimeGenerated, 1h)\r\n| order by CountOfAlerts desc \r\n| render barchart kind=stacked ",
        "size": 0,
        "title": "Alerts generated from threat intelligence by alert severity and date",
        "timeContext": {
          "durationMs": 0
        },
        "timeContextFromParameter": "TimeRange",
        "queryType": 0,
        "resourceType": "microsoft.operationalinsights/workspaces"
      },
      "customWidth": "50",
      "name": "query - 11"
    },
    {
      "type": 3,
      "content": {
        "version": "KqlItem/1.0",
        "query": "let tiObservables = ThreatIntelligenceIndicator \r\n| project IndicatorId, ThreatType, Description, Active, IndicatorTime = TimeGenerated, observableValue = strcat(NetworkSourceIP, NetworkIP, NetworkDestinationIP, Url, EmailSourceIpAddress, EmailSenderAddress, DomainName), SourceSystem;\r\nlet alertEntity = SecurityAlert \r\n| project parse_json(Entities), SystemAlertId , AlertTime = TimeGenerated\r\n| mvexpand(Entities)\r\n| extend entity = iif(isnotempty(Entities.Address), Entities.Address,\r\n iif(isnotempty(Entities.HostName),strcat(Entities.HostName, \".\", Entities.DnsDomain),\r\n iif(isnotempty(Entities.Url), Entities.Url,\r\n iif(Entities.Type == \"account\", strcat(Entities.Name,\"@\",Entities.UPNSuffix),\"\")))) \r\n| where isnotempty(entity) \r\n| project entity, SystemAlertId, AlertTime;\r\nalertEntity \r\n| join kind= inner tiObservables on $left.entity == $right.observableValue\r\n| summarize Alerts = dcount(SystemAlertId) by Value = observableValue, ThreatType, Description, Source = SourceSystem\r\n| order by Alerts desc",
        "size": 0,
        "title": "Alert counts by indicator",
        "timeContext": {
          "durationMs": 0
        },
        "timeContextFromParameter": "TimeRange",
        "queryType": 0,
        "resourceType": "microsoft.operationalinsights/workspaces",
        "gridSettings": {
          "formatters": [
            {
              "columnMatch": "Value",
              "formatter": 0,
              "formatOptions": {
                "showIcon": true
              }
            },
            {
              "columnMatch": "ThreatType",
              "formatter": 0,
              "formatOptions": {
                "showIcon": true
              }
            },
            {
              "columnMatch": "Description",
              "formatter": 0,
              "formatOptions": {
                "showIcon": true
              }
            },
            {
              "columnMatch": "Alerts",
              "formatter": 8,
              "formatOptions": {
                "palette": "redBright",
                "showIcon": true
              }
            }
          ]
        }
      },
      "customWidth": "55",
      "name": "query - 13"
    },
    {
      "type": 3,
      "content": {
        "version": "KqlItem/1.0",
        "query": "let tiObservables = ThreatIntelligenceIndicator \r\n| where TimeGenerated < now() \r\n| project IndicatorId, Active, SourceSystem, IndicatorTime = TimeGenerated , observableValue = strcat(NetworkSourceIP, NetworkIP, NetworkDestinationIP, Url, EmailSourceIpAddress, EmailSenderAddress, DomainName)\r\n| summarize arg_min(IndicatorTime, *) by IndicatorId;\r\n// Create a temp table containing all alerts generated from threat intelligence.\r\nlet alertEntity = SecurityAlert \r\n| where TimeGenerated < now()\r\n// | where ExtendedProperties contains \"ThreatIntelligenceIndicator\" \r\n| project parse_json(Entities), SystemAlertId , AlertTime = TimeGenerated\r\n| mvexpand(Entities)\r\n| extend entity = iif((isnotempty(Entities.Address)), Entities.Address,\r\n                  iif(isnotempty(Entities.HostName),strcat(Entities.HostName, '.', Entities.DnsDomain),\r\n                  iif(isnotempty(Entities.Url), Entities.Url,\r\n                  iif(Entities.Type == 'account', strcat(Entities.Name,'@',Entities.UPNSuffix),'')))) \r\n| where isnotempty(entity)\r\n| project entity, SystemAlertId, AlertTime;\r\n// Join the two temp tables and summarize the data in a table showing indicator sources by detection time and count of alerts.\r\nalertEntity \r\n| join kind = inner tiObservables on $left.entity == $right.observableValue\r\n| project SystemAlertId, IndicatorId, timedelta = AlertTime - IndicatorTime, SourceSystem\r\n| summarize DetectionTime=case(toint(avg(timedelta))>0,strcat(replace(@'\\-',@'',replace(@'(\\:\\d+\\:\\d+\\.\\d+)',@'',tostring(avg(timedelta)))),' hrs',' DELAYED'),toint(avg(timedelta))<0,strcat(replace(@'\\-',@'',replace(@'(\\:\\d+\\:\\d+\\.\\d+)',@'',tostring(avg(timedelta)))),' hrs',' AHEAD'), 'None'), Alerts = dcount(SystemAlertId) by Source = SourceSystem\r\n| order by Source asc\r\n| render table",
        "size": 0,
        "title": "Average detection time by source",
        "timeContext": {
          "durationMs": 0
        },
        "timeContextFromParameter": "TimeRange",
        "queryType": 0,
        "resourceType": "microsoft.operationalinsights/workspaces",
        "gridSettings": {
          "formatters": [
            {
              "columnMatch": "Source",
              "formatter": 0,
              "formatOptions": {
                "showIcon": true
              }
            },
            {
              "columnMatch": "DetectionTime",
              "formatter": 18,
              "formatOptions": {
                "showIcon": true,
                "thresholdsOptions": "colors",
                "thresholdsGrid": [
                  {
                    "operator": "contains",
                    "thresholdValue": "AHEAD",
                    "representation": "green",
                    "text": "{0}{1}"
                  },
                  {
                    "operator": "contains",
                    "thresholdValue": "DELAYED",
                    "representation": "redBright",
                    "text": "{0}{1}"
                  },
                  {
                    "operator": "Default",
                    "thresholdValue": null,
                    "representation": "blue",
                    "text": "{0}{1}"
                  }
                ]
              }
            },
            {
              "columnMatch": "Alerts",
              "formatter": 0,
              "formatOptions": {
                "showIcon": true
              }
            },
            {
              "columnMatch": "AvgProtectionTime",
              "formatter": 0,
              "formatOptions": {
                "showIcon": true
              }
            },
            {
              "columnMatch": "AvgDetectionTime",
              "formatter": 0,
              "formatOptions": {
                "showIcon": true
              }
            }
          ],
          "sortBy": [
            {
              "itemKey": "Alerts",
              "sortOrder": 2
            }
          ]
        },
        "sortBy": [
          {
            "itemKey": "Alerts",
            "sortOrder": 2
          }
        ],
        "graphSettings": {
          "type": 0,
          "topContent": {
            "columnMatch": "Source",
            "formatter": 1
          },
          "centerContent": {
            "columnMatch": "Alerts",
            "formatter": 1,
            "numberFormat": {
              "unit": 17,
              "options": {
                "maximumSignificantDigits": 3,
                "maximumFractionDigits": 2
              }
            }
          }
        }
      },
      "customWidth": "45",
      "name": "query - 15"
    }
  ],
  "fromTemplateId": "sentinel-ThreatIntelligence",
  "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}
updated workbooks JSONs and logos 2019-09-05 09:23:48 +03:00			`{`
changed to gallery templates and added AWS 2019-09-23 09:16:01 +03:00			`"version": "Notebook/1.0",`
			`"items": [`
			`{`
			`"type": 1,`
			`"content": {`
			`"json": "## Threat Intelligence overview"`
			`},`
			`"name": "text - 12"`
			`},`
			`{`
			`"type": 9,`
			`"content": {`
			`"version": "KqlParameterItem/1.0",`
			`"parameters": [`
			`{`
			`"id": "833ae48a-1060-4d97-9849-bf3a2a5d0c90",`
			`"version": "KqlParameterItem/1.0",`
			`"name": "TimeRange",`
			`"type": 4,`
			`"isRequired": true,`
			`"value": {`
Update the TI workbooks for RSA 2020-02-16 11:58:21 +03:00			`"durationMs": 604800000`
changed to gallery templates and added AWS 2019-09-23 09:16:01 +03:00			`},`
			`"typeSettings": {`
			`"selectableValues": [`
			`{`
			`"durationMs": 300000`
			`},`
			`{`
			`"durationMs": 900000`
			`},`
			`{`
			`"durationMs": 1800000`
			`},`
			`{`
			`"durationMs": 3600000`
			`},`
			`{`
			`"durationMs": 14400000`
			`},`
			`{`
			`"durationMs": 43200000`
			`},`
			`{`
			`"durationMs": 86400000`
			`},`
			`{`
			`"durationMs": 172800000`
			`},`
			`{`
			`"durationMs": 259200000`
			`},`
			`{`
			`"durationMs": 604800000`
			`},`
			`{`
			`"durationMs": 1209600000`
			`},`
			`{`
			`"durationMs": 2419200000`
			`},`
			`{`
			`"durationMs": 2592000000`
			`},`
			`{`
			`"durationMs": 5184000000`
			`},`
			`{`
			`"durationMs": 7776000000`
			`}`
			`],`
			`"allowCustom": true`
			`}`
			`}`
			`],`
			`"style": "pills",`
			`"queryType": 0,`
			`"resourceType": "microsoft.operationalinsights/workspaces"`
			`},`
			`"name": "parameters - 13"`
			`},`
			`{`
			`"type": 3,`
			`"content": {`
			`"version": "KqlItem/1.0",`
			"query": "ThreatIntelligenceIndicator\r\n// Select all indicators from the table\r\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\r\n\| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \"IP\",\r\n iff(isnotempty(Url), \"URL\",\r\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \"Email\",\r\n iff(isnotempty(FileHashValue), \"File\",\r\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \"Domain\",\r\n \"Other\")))))\r\n// Summarize and order the data, then render the chart\r\n\| summarize CountOfIndicators = count() by IndicatorType, bin(TimeGenerated, 1h)\r\n\| order by CountOfIndicators desc \r\n\| render barchart kind=stacked ",
			`"size": 0,`
Update the TI workbooks for RSA 2020-02-16 11:58:21 +03:00			`"title": "Indicators imported into Sentinel by indicator type and date",`
changed to gallery templates and added AWS 2019-09-23 09:16:01 +03:00			`"timeContext": {`
			`"durationMs": 0`
			`},`
			`"timeContextFromParameter": "TimeRange",`
			`"queryType": 0,`
			`"resourceType": "microsoft.operationalinsights/workspaces"`
			`},`
			`"customWidth": "50",`
			`"name": "query - 1"`
			`},`
			`{`
			`"type": 3,`
			`"content": {`
			`"version": "KqlItem/1.0",`
Update the TI workbooks for RSA 2020-02-16 11:58:21 +03:00			`"query": "ThreatIntelligenceIndicator\r\n// Select all indicators from the table\r\n// Summarize and order the data, then render the chart\r\n\| summarize CountOfIndicators = count() by SourceSystem, bin(TimeGenerated, 1h)\r\n\| render barchart kind=stacked",`
changed to gallery templates and added AWS 2019-09-23 09:16:01 +03:00			`"size": 0,`
Update the TI workbooks for RSA 2020-02-16 11:58:21 +03:00			`"title": "Indicators imported into Sentinel by indicator provider and date",`
changed to gallery templates and added AWS 2019-09-23 09:16:01 +03:00			`"timeContext": {`
			`"durationMs": 0`
			`},`
			`"timeContextFromParameter": "TimeRange",`
			`"queryType": 0,`
			`"resourceType": "microsoft.operationalinsights/workspaces"`
			`},`
			`"customWidth": "50",`
			`"name": "query - 3"`
			`},`
			`{`
			`"type": 3,`
			`"content": {`
			`"version": "KqlItem/1.0",`
Update the TI workbooks for RSA 2020-02-16 11:58:21 +03:00			"query": "ThreatIntelligenceIndicator\r\n// Select all indicators from the table\r\n\| where TimeGenerated < now()\r\n// Select only indicators that have not expired\r\n and ExpirationDateTime > now()\r\n// Select only indicators that are marked active\r\n and Active == true\r\n// Select only the most recently ingested copy of an indicator\r\n\| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\r\n\| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \"IP\",\r\n iff(isnotempty(Url), \"URL\",\r\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \"Email\",\r\n iff(isnotempty(FileHashValue), \"File\",\r\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \"Domain\",\r\n \"Other\")))))\r\n// Summarize and order the data, then render the chart\r\n\| summarize CountOfIndicators = count() by IndicatorType\r\n\| order by CountOfIndicators desc \r\n\| render barchart kind=unstacked",
changed to gallery templates and added AWS 2019-09-23 09:16:01 +03:00			`"size": 0,`
			`"title": "Active indicators by indicator type",`
			`"timeContext": {`
			`"durationMs": 0`
			`},`
			`"timeContextFromParameter": "TimeRange",`
			`"queryType": 0,`
			`"resourceType": "microsoft.operationalinsights/workspaces"`
			`},`
			`"customWidth": "50",`
			`"name": "query - 5"`
			`},`
			`{`
			`"type": 3,`
			`"content": {`
			`"version": "KqlItem/1.0",`
Update the TI workbooks for RSA 2020-02-16 11:58:21 +03:00			"query": "ThreatIntelligenceIndicator\r\n// Select all indicators from the table\r\n\| where TimeGenerated < now()\r\n// Select only indicators that have not expired\r\n and ExpirationDateTime > now()\r\n// Select only indicators that are marked active\r\n and Active == true\r\n// Select only the most recently ingested copy of an indicator\r\n\| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n// Summarize and order the data, then render the chart\r\n\| summarize CountOfIndicators = count() by SourceSystem\r\n\| order by CountOfIndicators desc \r\n\| render barchart kind=unstacked",
changed to gallery templates and added AWS 2019-09-23 09:16:01 +03:00			`"size": 0,`
Update the TI workbooks for RSA 2020-02-16 11:58:21 +03:00			`"title": "Active indicators by indicator source",`
changed to gallery templates and added AWS 2019-09-23 09:16:01 +03:00			`"timeContext": {`
			`"durationMs": 0`
			`},`
			`"timeContextFromParameter": "TimeRange",`
			`"queryType": 0,`
			`"resourceType": "microsoft.operationalinsights/workspaces"`
			`},`
			`"customWidth": "50",`
			`"name": "query - 7"`
			`},`
			`{`
			`"type": 3,`
			`"content": {`
			`"version": "KqlItem/1.0",`
Update the TI workbooks for RSA 2020-02-16 11:58:21 +03:00			"query": "ThreatIntelligenceIndicator\r\n// Select all indicators from the table\r\n\| where TimeGenerated < now()\r\n// Select only indicators that have not expired\r\n and ExpirationDateTime > now()\r\n// Select only indicators that are marked active\r\n and Active == true\r\n// Select only the most recently ingested copy of an indicator\r\n\| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n// Summarize and order the data, then render the chart\r\n\| summarize CountOfIndicators = count() by tostring(ConfidenceScore)\r\n\| order by CountOfIndicators desc \r\n\| render piechart",
changed to gallery templates and added AWS 2019-09-23 09:16:01 +03:00			`"size": 0,`
Update the TI workbooks for RSA 2020-02-16 11:58:21 +03:00			`"title": "Active indicators by confidence score",`
changed to gallery templates and added AWS 2019-09-23 09:16:01 +03:00			`"timeContext": {`
			`"durationMs": 0`
			`},`
			`"timeContextFromParameter": "TimeRange",`
			`"queryType": 0,`
			`"resourceType": "microsoft.operationalinsights/workspaces"`
			`},`
			`"customWidth": "50",`
			`"name": "query - 10"`
			`},`
			`{`
			`"type": 3,`
			`"content": {`
			`"version": "KqlItem/1.0",`
			`"query": "SecurityAlert\r\n// Select alerts where the alert rule query includes the threat intelligence data table\r\n\| where ExtendedProperties containscs \"ThreatIntelligenceIndicator\" \r\n// Summarize and order the data, then render the chart\r\n\| summarize CountOfAlerts = count() by AlertSeverity, bin(TimeGenerated, 1h)\r\n\| order by CountOfAlerts desc \r\n\| render barchart kind=stacked ",`
			`"size": 0,`
			`"title": "Alerts generated from threat intelligence by alert severity and date",`
Update the TI workbooks for RSA 2020-02-16 11:58:21 +03:00			`"timeContext": {`
			`"durationMs": 0`
			`},`
			`"timeContextFromParameter": "TimeRange",`
changed to gallery templates and added AWS 2019-09-23 09:16:01 +03:00			`"queryType": 0,`
			`"resourceType": "microsoft.operationalinsights/workspaces"`
			`},`
			`"customWidth": "50",`
			`"name": "query - 11"`
Update the TI workbooks for RSA 2020-02-16 11:58:21 +03:00			`},`
			`{`
			`"type": 3,`
			`"content": {`
			`"version": "KqlItem/1.0",`
Adding new workbooks for version 2.2 2020-10-16 01:47:48 +03:00			"query": "let tiObservables = ThreatIntelligenceIndicator \r\n\| project IndicatorId, ThreatType, Description, Active, IndicatorTime = TimeGenerated, observableValue = strcat(NetworkSourceIP, NetworkIP, NetworkDestinationIP, Url, EmailSourceIpAddress, EmailSenderAddress, DomainName), SourceSystem;\r\nlet alertEntity = SecurityAlert \r\n\| project parse_json(Entities), SystemAlertId , AlertTime = TimeGenerated\r\n\| mvexpand(Entities)\r\n\| extend entity = iif(isnotempty(Entities.Address), Entities.Address,\r\n iif(isnotempty(Entities.HostName),strcat(Entities.HostName, \".\", Entities.DnsDomain),\r\n iif(isnotempty(Entities.Url), Entities.Url,\r\n iif(Entities.Type == \"account\", strcat(Entities.Name,\"@\",Entities.UPNSuffix),\"\")))) \r\n\| where isnotempty(entity) \r\n\| project entity, SystemAlertId, AlertTime;\r\nalertEntity \r\n\| join kind= inner tiObservables on $left.entity == $right.observableValue\r\n\| summarize Alerts = dcount(SystemAlertId) by Value = observableValue, ThreatType, Description, Source = SourceSystem\r\n\| order by Alerts desc",
Update the TI workbooks for RSA 2020-02-16 11:58:21 +03:00			`"size": 0,`
			`"title": "Alert counts by indicator",`
			`"timeContext": {`
			`"durationMs": 0`
			`},`
			`"timeContextFromParameter": "TimeRange",`
			`"queryType": 0,`
			`"resourceType": "microsoft.operationalinsights/workspaces",`
			`"gridSettings": {`
			`"formatters": [`
			`{`
			`"columnMatch": "Value",`
			`"formatter": 0,`
			`"formatOptions": {`
			`"showIcon": true`
			`}`
			`},`
			`{`
			`"columnMatch": "ThreatType",`
			`"formatter": 0,`
			`"formatOptions": {`
			`"showIcon": true`
			`}`
			`},`
			`{`
			`"columnMatch": "Description",`
			`"formatter": 0,`
			`"formatOptions": {`
			`"showIcon": true`
			`}`
			`},`
			`{`
			`"columnMatch": "Alerts",`
			`"formatter": 8,`
			`"formatOptions": {`
			`"palette": "redBright",`
			`"showIcon": true`
			`}`
			`}`
			`]`
			`}`
			`},`
			`"customWidth": "55",`
			`"name": "query - 13"`
			`},`
			`{`
			`"type": 3,`
			`"content": {`
			`"version": "KqlItem/1.0",`
Adding new workbooks for version 2.2 2020-10-16 01:47:48 +03:00			"query": "let tiObservables = ThreatIntelligenceIndicator \r\n\| where TimeGenerated < now() \r\n\| project IndicatorId, Active, SourceSystem, IndicatorTime = TimeGenerated , observableValue = strcat(NetworkSourceIP, NetworkIP, NetworkDestinationIP, Url, EmailSourceIpAddress, EmailSenderAddress, DomainName)\r\n\| summarize arg_min(IndicatorTime, *) by IndicatorId;\r\n// Create a temp table containing all alerts generated from threat intelligence.\r\nlet alertEntity = SecurityAlert \r\n\| where TimeGenerated < now()\r\n// \| where ExtendedProperties contains \"ThreatIntelligenceIndicator\" \r\n\| project parse_json(Entities), SystemAlertId , AlertTime = TimeGenerated\r\n\| mvexpand(Entities)\r\n\| extend entity = iif((isnotempty(Entities.Address)), Entities.Address,\r\n iif(isnotempty(Entities.HostName),strcat(Entities.HostName, '.', Entities.DnsDomain),\r\n iif(isnotempty(Entities.Url), Entities.Url,\r\n iif(Entities.Type == 'account', strcat(Entities.Name,'@',Entities.UPNSuffix),'')))) \r\n\| where isnotempty(entity)\r\n\| project entity, SystemAlertId, AlertTime;\r\n// Join the two temp tables and summarize the data in a table showing indicator sources by detection time and count of alerts.\r\nalertEntity \r\n\| join kind = inner tiObservables on $left.entity == $right.observableValue\r\n\| project SystemAlertId, IndicatorId, timedelta = AlertTime - IndicatorTime, SourceSystem\r\n\| summarize DetectionTime=case(toint(avg(timedelta))>0,strcat(replace(@'\\-',@'',replace(@'(\\:\\d+\\:\\d+\\.\\d+)',@'',tostring(avg(timedelta)))),' hrs',' DELAYED'),toint(avg(timedelta))<0,strcat(replace(@'\\-',@'',replace(@'(\\:\\d+\\:\\d+\\.\\d+)',@'',tostring(avg(timedelta)))),' hrs',' AHEAD'), 'None'), Alerts = dcount(SystemAlertId) by Source = SourceSystem\r\n\| order by Source asc\r\n\| render table",
Update the TI workbooks for RSA 2020-02-16 11:58:21 +03:00			`"size": 0,`
			`"title": "Average detection time by source",`
			`"timeContext": {`
			`"durationMs": 0`
			`},`
			`"timeContextFromParameter": "TimeRange",`
			`"queryType": 0,`
			`"resourceType": "microsoft.operationalinsights/workspaces",`
			`"gridSettings": {`
			`"formatters": [`
			`{`
			`"columnMatch": "Source",`
			`"formatter": 0,`
			`"formatOptions": {`
			`"showIcon": true`
			`}`
			`},`
			`{`
			`"columnMatch": "DetectionTime",`
			`"formatter": 18,`
			`"formatOptions": {`
			`"showIcon": true,`
			`"thresholdsOptions": "colors",`
			`"thresholdsGrid": [`
			`{`
			`"operator": "contains",`
			`"thresholdValue": "AHEAD",`
			`"representation": "green",`
			`"text": "{0}{1}"`
			`},`
			`{`
			`"operator": "contains",`
			`"thresholdValue": "DELAYED",`
			`"representation": "redBright",`
			`"text": "{0}{1}"`
			`},`
			`{`
			`"operator": "Default",`
			`"thresholdValue": null,`
			`"representation": "blue",`
			`"text": "{0}{1}"`
			`}`
			`]`
			`}`
			`},`
			`{`
			`"columnMatch": "Alerts",`
			`"formatter": 0,`
			`"formatOptions": {`
			`"showIcon": true`
			`}`
			`},`
			`{`
			`"columnMatch": "AvgProtectionTime",`
			`"formatter": 0,`
			`"formatOptions": {`
			`"showIcon": true`
			`}`
			`},`
			`{`
			`"columnMatch": "AvgDetectionTime",`
			`"formatter": 0,`
			`"formatOptions": {`
			`"showIcon": true`
			`}`
			`}`
			`],`
			`"sortBy": [`
			`{`
			`"itemKey": "Alerts",`
			`"sortOrder": 2`
			`}`
			`]`
			`},`
			`"sortBy": [`
			`{`
			`"itemKey": "Alerts",`
			`"sortOrder": 2`
			`}`
			`],`
			`"graphSettings": {`
			`"type": 0,`
			`"topContent": {`
			`"columnMatch": "Source",`
			`"formatter": 1`
			`},`
			`"centerContent": {`
			`"columnMatch": "Alerts",`
			`"formatter": 1,`
			`"numberFormat": {`
			`"unit": 17,`
			`"options": {`
			`"maximumSignificantDigits": 3,`
			`"maximumFractionDigits": 2`
			`}`
			`}`
			`}`
			`}`
			`},`
			`"customWidth": "45",`
			`"name": "query - 15"`
changed to gallery templates and added AWS 2019-09-23 09:16:01 +03:00			`}`
			`],`
			`"fromTemplateId": "sentinel-ThreatIntelligence",`
			`"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"`
Adding new workbooks for version 2.2 2020-10-16 01:47:48 +03:00			`}`